Cisco IOS IP Command�Reference, Volume 1�of 3: Addressing and Services, Release�12.2
IP Services Commands: access-class Through ip mask-reply
Downloads: This chapterpdf (PDF - 514.0KB) The complete bookPDF (PDF - 3.64MB) | Feedback

IP Services Commands

Table Of Contents

IP Services Commands

access-class

access-list (IP extended)

access-list (IP standard)

access-list compiled

access-list remark

clear access-list counters

clear ip accounting

clear ip drp

clear tcp statistics

deny (IP)

dynamic

forwarding-agent

ip access-group

ip access-list

ip access-list log-update

ip accounting

ip accounting-list

ip accounting-threshold

ip accounting-transits

ip accounting mac-address

ip accounting precedence

ip casa

ip drp access-group

ip drp authentication key-chain

ip drp server

ip icmp rate-limit unreachable

ip icmp redirect

ip mask-reply


IP Services Commands


Use the commands in this chapter to configure various IP services. For configuration information and examples on IP services, refer to the "Configuring IP Services" chapter of the Cisco IOS IP Configuration Guide.

access-class

To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list, use the access-class command in line configuration mode. To remove access restrictions, use the no form of this command.

access-class access-list-number {in [vrf-also] | out}

no access-class access-list-number {in | out}

Syntax Description

access-list-number

Number of an IP access list. This is a decimal number from 1 to 199 or from 1300 to 2699.

in

Restricts incoming connections between a particular Cisco device and the addresses in the access list.

vrf-also

Accepts incoming connections from interfaces that belong to a VRF.

out

Restricts outgoing connections between a particular Cisco device and the addresses in the access list.


Defaults

No access lists are defined.

Command Modes

Line configuration

Command History

Release
Modification

10.0

This command was introduced.

12.2

The vrf-also keyword was added.


Usage Guidelines

Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them.

To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.

If you do not specify the vrf-also keyword, incoming Telnet connections from interfaces that are part of a VRF are rejected.

Examples

The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:

access-list 12 permit 192.89.55.0  0.0.0.255
 line 1 5
 access-class 12 in 

The following example defines an access list that denies connections to networks other than network 36.0.0.0 on terminal lines 1 through 5:

access-list 10 permit 36.0.0.0 0.255.255.255
 line 1 5
 access-class 10 out

Related Commands

Command
Description

show line

Displays the parameters of a terminal line.


access-list (IP extended)

To define an extended IP access list, use the extended version of the access-list command in global configuration mode. To remove the access list, use the no form of this command.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

no access-list access-list-number

Internet Control Message Protocol (ICMP)

For ICMP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

Internet Group Management Protocol (IGMP)

For IGMP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

Transmission Control Protocol (TCP)

For TCP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

User Datagram Protocol (UDP)

For UDP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]

Syntax Description

access-list-number

Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.

dynamic dynamic-name

(Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.

timeout minutes

(Optional) Specifies the absolute length of time, in minutes, that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the ip keyword. Some protocols allow further qualifiers described below.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. Each wildcard bit 0 indicates the corresponding bit position in the source. Each wildcard bit set to 1 indicates that both a 0 bit and a 1 bit in the corresponding position of the IP address of the packet will be considered a match to this access list entry.

There are three alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place1s in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

Wildcard bits set to 1 need not be contiguous in the source wildcard. For example, a source wildcard of 0.255.0.64 would be valid.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7, or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines."

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. By default, the message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.

log-input

(Optional) Includes the input interface and source MAC address or VC in the logging output.

time-range time-range-name

(Optional) Name of the time range that applies to this statement. The name of the time range and its restrictions are specified by the time-range command.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines."

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines." TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST control bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

fragments

(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.


Defaults

An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.

10.3

The following keywords and arguments were added:

source

source-wildcard

destination

destination-wildcard

precedence precedence

icmp-type

icm-code

icmp-message

igmp-type

operator

port

established

11.1

The dynamic dynamic-name keyword and argument were added.

11.1

The timeout minutes keyword and argument were added.

11.2

The log-input keyword was added.

12.0(1)T

The time-range time-range-name keyword and argument were added.

12.0(11) and 12.1(2)

The fragments keyword was added.


Usage Guidelines

You can use access lists to control the transmission of packets on an interface, control vty access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control vty access or restrict the contents of routing updates must not match against the TCP source port, the type of service (ToS) value, or the precedence of the packet.


Note After a numbered access list is created, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific numbered access list.


The following is a list of precedence names:

critical

flash

flash-override

immediate

internet

network

priority

routine

The following is a list of ToS names:

max-reliability

max-throughput

min-delay

min-monetary-cost

normal

The following is a list of ICMP message type names and ICMP message type and code names:

administratively-prohibited

alternate-address

conversion-error

dod-host-prohibited

dod-net-prohibited

echo

echo-reply

general-parameter-problem

host-isolated

host-precedence-unreachable

host-redirect

host-tos-redirect

host-tos-unreachable

host-unknown

host-unreachable

information-reply

information-request

mask-reply

mask-request

mobile-redirect

net-redirect

net-tos-redirect

net-tos-unreachable

net-unreachable

network-unknown

no-room-for-option

option-missing

packet-too-big

parameter-problem

port-unreachable

precedence-unreachable

protocol-unreachable

reassembly-timeout

redirect

router-advertisement

router-solicitation

source-quench

source-route-failed

time-exceeded

timestamp-reply

timestamp-request

traceroute

ttl-exceeded

unreachable

The following is a list of IGMP message names:

dvmrp

host-query

host-report

pim

trace

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.

bgp

chargen

daytime

discard

domain

echo

finger

ftp

ftp-data

gopher

hostname

irc

klogin

kshell

lpd

nntp

pop2

pop3

smtp

sunrpc

syslog

tacacs-ds

talk

telnet

time

uucp

whois

www

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.

biff

bootpc

bootps

discard

dnsix

domain

echo

mobile-ip

nameserver

netbios-dgm

netbios-ns

ntp

rip

snmp

snmptrap

sunrpc

syslog

tacacs-ds

talk

tftp

time

who

xdmcp

Access List Processing of Fragments

The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:

If the Access-List Entry has...
Then..

...no fragments keyword (the default behavior), and assuming all of the access-list entry information matches,

For an access-list entry containing only Layer 3 information:

The entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

For an access list entry containing Layer 3 and Layer 4 information:

The entry is applied to nonfragmented packets and initial fragments.

If the entry is a permit statement, the packet or fragment is permitted.

If the entry is a deny statement, the packet or fragment is denied.

The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and

If the entry is a permit statement, the noninitial fragment is permitted.

If the entry is a deny statement, the next access-list entry is processed.


Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.


...the fragments keyword, and assuming all of the access-list entry information matches,

The access-list entry is applied only to noninitial fragments.


Note The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.



Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.

Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.


Note The fragments keyword cannot solve all cases involving access lists and IP fragments.


Fragments and Policy Routing

Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.

By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.

Examples

In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the address of the mail host is 128.88.1.2. The established keyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicates that the packet belongs to an existing connection.

access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
interface serial 0
 ip access-group 102 in

The following example permits Domain Naming System (DNS) packets and ICMP echo and echo reply packets:

access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp any host 128.88.1.2 eq smtp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply

The following examples show how wildcard bits are used to indicate the bits of the prefix or mask that are relevant. Wildcard bits are similar to the bitmasks that are used with normal access lists. Prefix or mask bits corresponding to wildcard bits set to 1 are ignored during comparisons and prefix or mask bits corresponding to wildcard bits set to 0 are used in comparison.

The following example permits 192.108.0.0 255.255.0.0 but denies any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0):

access-list 101 permit ip 192.108.0.0 0.0.0.0   255.255.0.0 0.0.0.0 
access-list 101 deny ip 192.108.0.0 0.0.255.255  255.255.0.0 0.0.255.255

The following example permits 131.108.0/24 but denies 131.108/16 and all other subnets of 131.108.0.0:

access-list 101 permit ip 131.108.0.0 0.0.0.0     255.255.255.0 0.0.0.0 
access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0   0.0.255.255

The following example uses a time range to deny HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m.:

time-range no-http
 periodic weekdays 8:00 to 18:00
!
access-list 101 deny tcp any any eq http time-range no-http
!
interface ethernet 0
 ip access-group 101 in

Related Commands

Command
Description

access-class

Restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list.

access-list (IP standard)

Defines a standard IP access list.

access-list remark

Writes a helpful comment (remark) for an entry in a numbered IP access list.

clear access-template

Clears a temporary access list entry from a dynamic access list.

deny (IP)

Sets conditions under which a packet does not pass a named access list.

distribute-list in (IP)

Filters networks received in updates.

distribute-list out (IP)

Suppresses networks from being advertised in updates.

ip access-group

Controls access to an interface.

ip access-list

Defines an IP access list by name.

ip access-list log-update

Sets the threshold number of packets that cause a logging message.

ip accounting

Enables IP accounting on an interface.

logging console

Limits messages logged to the console, based on severity.

permit (IP)

Sets conditions under which a packet passes a named access list.

remark

Writes a helpful comment (remark) for an entry in a named IP access list.

show access-lists

Displays the contents of current IP and rate-limit access lists.

show ip access-list

Displays the contents of all current IP access lists.

time-range

Specifies when an access list or other feature is in effect.


access-list (IP standard)

To define a standard IP access list, use the standard version of the access-list command in global configuration mode. To remove a standard access list, use the no form of this command.

access-list access-list-number {deny | permit} source [source-wildcard] [log]

no access-list access-list-number


Caution Enhancements to this command are backward compatible; migrating from releases prior to Cisco IOS Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly. This condition could cause you severe security problems . Save your old configuration file before booting these images.

Syntax Description

access-list-number

Number of an access list. This is a decimal number from 1 to 99 or from 1300 to 1999.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

source

Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

source-wildcard

(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Use the ip access-list log-update command to generate the logging messages to appear when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.


Defaults

The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.

11.3(3)T

The log keyword was added.


Usage Guidelines

Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.

You can use access lists to control the transmission of packets on an interface, control vty access, and restrict the contents of routing updates.

Use the show access-lists EXEC command to display the contents of all access lists.

Use the show ip access-list EXEC command to display the contents of one access list.

Examples

The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.

access-list 1 permit 192.5.34.0  0.0.0.255
access-list 1 permit 128.88.0.0  0.0.255.255
access-list 1 permit 36.0.0.0  0.255.255.255
! (Note: all other access implicitly denied) 

The following example of a standard access list allows access for devices with IP addresses in the range from 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected.

access-list 1 permit 10.29.2.64 0.0.0.63
! (Note: all other access implicitly denied)

To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:

access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3  0.0.0.0

Related Commands

Command
Description

access-class

Restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list.

access-list (IP extended)

Defines an extended IP access list.

access-list remark

Writes a helpful comment (remark) for an entry in a numbered IP access list.

deny (IP)

Sets conditions under which a packet does not pass a named access list.

distribute-list in (IP)

Filters networks received in updates.

distribute-list out (IP)

Suppresses networks from being advertised in updates.

ip access-group

Controls access to an interface.

ip access-list log-update

Sets the threshold number of packets that cause a logging message.

logging console

Limits messages logged to the console based on severity.

permit (IP)

Sets conditions under which a packet passes a named access list.

remark (IP)

Writes a helpful comment (remark) for an entry in a named IP acces s list.

show access-lists

Displays the contents of current IP and rate-limit access lists.

show ip access-list

Displays the contents of all current IP access lists.


access-list compiled

To enable the Turbo Access Control Lists (Turbo ACL) feature, use the access-list compiled command in global configuration mode. To disable the Turbo ACL feature, use the no form of this command.

access-list compiled

no access-list compiled

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

12.0(6)S

This command was introduced.

12.1(1)E

This command was introduced for Cisco 7200 series routers on Release 12.1 E.

12.1(5)T

This command was integrated into Cisco IOS Release 12.1(5)T.


Usage Guidelines

By default, the Turbo ACL feature is disabled. When Turbo ACL is disabled, normal ACL processing is enabled, and no ACL acceleration occurs.

When the Turbo ACL feature is enabled using the access-list compiled command, the ACLs in the configuration are scanned and, if suitable, compiled for Turbo ACL acceleration. This scanning and compilation may take a few seconds when the system is processing large and complex ACLs, or when the system is processing a configuration that contains a large number of ACLs.

Any configuration change to an ACL that is being accelerated, such as the addition of new ACL entries or the deletion of the ACL, triggers a recompilation of that ACL.

When Turbo ACL tables are being built (or rebuilt) for a particular ACL, the normal sequential ACL search is used until the new tables are ready for installation.

Examples

The following example enables the Turbo ACL feature:

access-list compiled

access-list remark

To write a helpful comment (remark) for an entry in a numbered IP access list, use the access-list remark command in global configuration mode. To remove the remark, use the no form of this command.

access-list access-list-number remark remark

no access-list access-list-number remark remark

Syntax Description

access-list-number

Number of an IP access list.

remark

Comment that describes the access list entry, up to 100 characters long.


Defaults

The access list entries have no remarks.

Command Modes

Global configuration

Command History

Release
Modification

12.0(2)T

This command was introduced.


Usage Guidelines

The remark can be up to 100 characters long; anything longer is truncated.

If you want to write a comment about an entry in a named access list, use the remark command.

Examples

In the following example, the workstation belonging to Jones is allowed access, and the workstation belonging to Smith is not allowed access:

access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 1 remark Do not allow Smith workstation through
access-list 1 deny 171.69.3.13

Related Commands

Command
Description

access-list (IP extended)

Defines an extended IP access list.

access-list (IP standard)

Defines a standard IP access list.

ip access-list

Defines an IP access list by name.

remark

Writes a helpful comment (remark) for an entry in a named IP access list.


clear access-list counters

To clear the counters of an access list, use the clear access-list counters command in EXEC mode.

clear access-list counters {access-list-number | access-list-name}

Syntax Description

access-list-number

Access list number of the access list for which to clear the counters.

access-list-name

Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.


Command Modes

EXEC

Command History

Release
Modification

11.0

This command was introduced.


Usage Guidelines

Some access lists keep counters that count the number of packets that pass each line of an access list. The show access-lists command displays the counters as a number of matches. Use the clear access-list counters command to restart the counters for a particular access list to 0.

Examples

The following example clears the counters for access list 101:

Router> clear access-list counters 101

Related Commands

Command
Description

show access-lists

Displays the contents of current IP and rate-limit access lists.


clear ip accounting

To clear the active or checkpointed database when IP accounting is enabled, use the clear ip accounting command in EXEC mode.

clear ip accounting [checkpoint]

Syntax Description

checkpoint

(Optional) Clears the checkpointed database.


Command Modes

EXEC

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

You can also clear the checkpointed database by issuing the clear ip accounting command twice in succession.

Examples

The following example clears the active database when IP accounting is enabled:

Router> clear ip accounting

Related Commands

Command
Description

ip accounting

Enables IP accounting on an interface.

ip accounting-list

Defines filters to control the hosts for which IP accounting information is kept.

ip accounting-threshold

Sets the maximum number of accounting entries to be created.

ip accounting-transits

Controls the number of transit records that are stored in the IP accounting database.

show ip accounting

Displays the active accounting or checkpointed database or displays access list violations.


clear ip drp

To clear all statistics being collected on Director Response Protocol (DRP) requests and replies, use the clear ip drp command in EXEC mode.

clear ip drp

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

11.2 F

This command was introduced.


Examples

The following example clears all DRP statistics:

Router> clear ip drp

Related Commands

Command
Description

ip drp access-group

Controls the sources of DRP queries to the DRP Server Agent.

ip drp authentication key-chain

Configures authentication on the DRP Server Agent for DistributedDirector.


clear tcp statistics

To clear TCP statistics, use the clear tcp statistics command in privileged EXEC mode.

clear tcp statistics

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release
Modification

11.3

This command was introduced.


Examples

The following example clears all TCP statistics:

Router# clear tcp statistics

Related Commands

Command
Description

show tcp statistics

Displays TCP statistics.


deny (IP)

To set conditions for a named IP access list, use the deny command in access-list configuration mode.To remove a deny condition from an access list, use the no form of this command.

deny source [source-wildcard]

no deny source [source-wildcard]

deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

no deny protocol source source-wildcard destination destination-wildcard

Internet Control Message Protocol (ICMP)

For ICMP, you can also use the following syntax:

deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Internet Group Management Protocol (IGMP)

For IGMP, you can also use the following syntax:

deny igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Transmission Control Protocol (TCP)

For TCP, you can also use the following syntax:

deny tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

User Datagram Protocol (UDP)

For UDP, you can also use the following syntax:

deny udp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Syntax Description

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

protocol

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers described later.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines" of the access-list (IP extended) command.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.

time-range time-range-name

(Optional) Name of the time range that applies to this deny statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.

TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

fragments

(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.


Defaults

There is no specific condition under which a packet is denied passing the named access list.

Command Modes

Access-list configuration

Command History

Release
Modification

11.2

This command was introduced.

12.0(1)T

The time-range time-range-name keyword and argument were added.

12.0(11) and 12.1(2)

The fragments keyword was added.


Usage Guidelines

Use this command following the ip access-list command to specify conditions under which a packet cannot pass the named access list.

The time-range option allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this deny statement is in effect.

Access List Processing of Fragments

The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:

If the Access-List Entry has...
Then..

...no fragments keyword (the default behavior), and assuming all of the access-list entry information matches,

For an access-list entry containing only Layer 3 information:

The entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

For an access list entry containing Layer 3 and Layer 4 information:

The entry is applied to nonfragmented packets and initial fragments.

If the entry is a permit statement, the packet or fragment is permitted.

If the entry is a deny statement, the packet or fragment is denied.

The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and

If the entry is a permit statement, the noninitial fragment is permitted.

If the entry is a deny statement, the next access-list entry is processed.


Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.


...the fragments keyword, and assuming all of the access-list entry information matches,


Note The access-list entry is applied only to noninitial fragments.The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.



Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.

Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.


Note The fragments keyword cannot solve all cases involving access lists and IP fragments.


Fragments and Policy Routing

Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.

By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.

Examples

The following example sets a deny condition for a standard access list named Internetfilter:

ip access-list standard Internetfilter
 deny 192.5.34.0  0.0.0.255
 permit 128.88.0.0  0.0.255.255
 permit 36.0.0.0  0.255.255.255
! (Note: all other access implicitly denied)

The following example denies HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m.:

time-range no-http
 periodic weekdays 8:00 to 18:00
!
ip access-list extended strict
 deny tcp any any eq http time-range no-http
!
interface ethernet 0
 ip access-group strict in

Related Commands

Command
Description

access-list (IP extended)

Defines an extended IP access list.

access-list (IP standard)

Defines a standard IP access list.

ip access-group

Controls access to an interface.

ip access-list

Defines an IP access list by name.

ip access-list log-update

Sets the threshold number of packets that cause a logging message.

permit (IP)

Sets conditions under which a packet passes a named IP access list.

remark

Writes a helpful comment (remark) for an entry in a named IP access list.

show ip access-list

Displays the contents of all current IP access lists.

time-range

Specifies when an access list or other feature is in effect.


dynamic

To define a named dynamic IP access list, use the dynamic access-list configuration command. To remove the access lists, use the no form of this command.

dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [fragments]

no dynamic dynamic-name

Internet Control Message Protocol (ICMP)

For ICMP, you can also use the following syntax:

dynamic dynamic-name [timeout minutes] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [fragments]

Internet Group Management Protocol (IGMP)

For IGMP, you can also use the following syntax:

dynamic dynamic-name [timeout minutes] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [fragments]

Transmission Control Protocol (TCP)

For TCP, you can also use the following syntax:

dynamic dynamic-name [timeout minutes] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [fragments]

User Datagram Protocol (UDP)

For UDP, you can also use the following syntax:

dynamic dynamic-name [timeout minutes] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [fragments]


Caution Named IP access lists will not be recognized by any software release prior to Cisco IOS Release 11.2.

Syntax Description

dynamic-name

Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.

timeout minutes

(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers described later.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted decimal format.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

Use a 32-bit quantity in four-part, dotted decimal format.

Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7, or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines."

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines."

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines" of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

fragments

(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.


Defaults

An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.

Command Modes

Access-list configuration

Command History

Release
Modification

11.2

This command was introduced.

12.0(11) and 12.1(2)

The fragments keyword was added.


Usage Guidelines

You can use named access lists to control the transmission of packets on an interface and restrict contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control vty access or restrict the contents of routing updates must not match against the TCP source port, the ToS value, or the precedence of the packet.


Note After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.


The following is a list of precedence names:

critical

flash

flash-override

immediate

internet

network

priority

routine

The following is a list of ToS names:

max-reliability

max-throughput

min-delay

min-monetary-cost

normal

The following is a list of ICMP message type names and ICMP message type and code names:

administratively-prohibited

alternate-address

conversion-error

dod-host-prohibited

dod-net-prohibited

echo

echo-reply

general-parameter-problem

host-isolated

host-precedence-unreachable

host-redirect

host-tos-redirect

host-tos-unreachable

host-unknown

host-unreachable

information-reply

information-request

mask-reply

mask-request

mobile-redirect

net-redirect

net-tos-redirect

net-tos-unreachable

net-unreachable

network-unknown

no-room-for-option

option-missing

packet-too-big

parameter-problem

port-unreachable

precedence-unreachable

protocol-unreachable

reassembly-timeout

redirect

router-advertisement

router-solicitation

source-quench

source-route-failed

time-exceeded

timestamp-reply

timestamp-request

traceroute

ttl-exceeded

unreachable

The following is a list of IGMP message names:

dvmrp

host-query

host-report

pim

trace

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.

bgp

chargen

daytime

discard

domain

echo

finger

ftp

ftp-data

gopher

hostname

irc

klogin

kshell

lpd

nntp

pop2

pop3

smtp

sunrpc

syslog

tacacs-ds

talk

telnet

time

uucp

whois

www

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found if you type a ? in the place of a port number.

biff

bootpc

bootps

discard

dns

dnsix

echo

mobile-ip

nameserver

netbios-dgm

netbios-ns

ntp

rip

snmp

snmptrap

sunrpc

syslog

tacacs-ds

talk

tftp

time

who

xdmcp

Access List Processing of Fragments

The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:

If the Access-List Entry has...
Then..

...no fragments keyword (the default behavior), and assuming all of the access-list entry information matches,

For an access-list entry containing only Layer 3 information:

The entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

For an access list entry containing Layer 3 and Layer 4 information:

The entry is applied to nonfragmented packets and initial fragments.

If the entry is a permit statement, the packet or fragment is permitted.

If the entry is a deny statement, the packet or fragment is denied.

The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and

If the entry is a permit statement, the noninitial fragment is permitted.

If the entry is a deny statement, the next access-list entry is processed.


Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.


...the fragments keyword, and assuming all of the access-list entry information matches,


Note The access-list entry is applied only to noninitial fragments.The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.



Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.

Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.


Note The fragments keyword cannot solve all cases involving access lists and IP fragments.


Fragments and Policy Routing

Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.

By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.

Examples

The following example defines a dynamic access list named washington:

ip access-group washington in
!
ip access-list extended washington
 dynamic testlist timeout 5
 permit ip any any
 permit tcp any host 185.302.21.2 eq 23

Related Commands

Command
Description

clear access-template

Clears a temporary access list entry from a dynamic access list manually.

distribute-list in (IP)

Filters networks received in updates.

distribute-list out (IP)

Suppresses networks from being advertised in updates.

ip access-group

Controls access to an interface.

ip access-list

Defines an IP access list by name.

ip access-list log-update

Sets the threshold number of packets that cause a logging message.

logging console

Limits messages logged to the console based on severity.

show access-lists

Displays the contents of current IP and rate-limit access lists.

show ip access-list

Displays the contents of all current IP access lists.


forwarding-agent

To specify the port on which the Forwarding Agent will listen for wildcard and fixed affinities, use the forwarding-agent command in CASA-port configuration mode. To disable listening on that port, use the no form of the command.

forwarding-agent port-number [password [timeout]]

no forwarding-agent

Syntax Description

port-number

Port numbers on which the Forwarding Agent will listen for wildcards broadcast from the services manager. This must match the port number defined on the services manager.

password

(Optional) Text password used for generating the MD5 digest.

timeout

(Optional) Duration (in seconds) during which the Forwarding Agent will accept the new and old password. Valid range is from 0 to 3600 seconds. The default is 180 seconds.


Defaults

The default password timeout is 180 seconds.

The default port for the services manager is 1637.

Command Modes

CASA-port configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Examples

The following example specifies that the Forwarding Agent will listen for wildcard and fixed affinities on port 1637:

forwarding-agent 1637

Related Commands

Command
Description

show ip casa oper

Displays operational information about the Forwarding Agent.


ip access-group

To control access to an interface, use the ip access-group command in interface configuration mode. To remove the specified access group, use the no form of this command.

ip access-group {access-list-number | access-list-name}{in | out}

no ip access-group {access-list-number | access-list-name}{in | out}

Syntax Description

access-list-number

Number of an access list. This is a decimal number from 1 to 199 or from 1300 to 2699.

access-list-name

Name of an IP access list as specified by an ip access-list command.

in

Filters on inbound packets.

out

Filters on outbound packets.


Defaults

No access list is applied to the interface.

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.

11.2

The access-list-name argument was added.


Usage Guidelines

Access lists are applied on either outbound or inbound interfaces. For standard inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.

For standard outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination access list. If the access list permits the address, the software sends the packet. If the access list rejects the address, the software discards the packet and returns an ICMP host unreachable message.

If the specified access list does not exist, all packets are passed.

When you enable outbound access lists, you automatically disable autonomous switching for that interface. When you enable input access lists on any CBus or CxBus interface, you automatically disable autonomous switching for all interfaces (with one exception—an SSE configured with simple access lists can still switch packets, on output only).

Examples

The following example applies list 101 on packets outbound from Ethernet interface 0:

interface ethernet 0
 ip access-group 101 out

Related Commands

Command
Description

access-list (IP extended)

Defines an extended IP access list.

access-list (IP standard)

Defines a standard IP access list.

ip access-list

Defines an IP access list by name.

show access-lists

Displays the contents of current IP and rate-limit access lists.


ip access-list

To define an IP access list by name, use the ip access-list command in global configuration mode. To remove a named IP access list, use the no form of this command.

ip access-list {standard | extended} access-list-name

no ip access-list {standard | extended} access-list-name


Caution Named access lists will not be recognized by any software release prior to Cisco IOS Release 11.2.

Syntax Description

standard

Specifies a standard IP access list.

extended

Specifies an extended IP access list.

access-list-name

Name of the access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists.


Defaults

No named IP access list is defined.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

Use this command to configure a named IP access list as opposed to a numbered IP access list. This command will take you into access-list configuration mode, where you must define the denied or permitted access conditions with the deny and permit commands.

Specifying the standard or extended keyword with the ip access-list command determines the prompt you get when you enter access-list configuration mode.

Use the ip access-group command to apply the access list to an interface.

Named access lists are not compatible with Cisco IOS releases prior to Release 11.2.

Examples

The following example defines a standard access list named Internetfilter:

ip access-list standard Internetfilter
 permit 192.5.34.0  0.0.0.255
 permit 128.88.0.0  0.0.255.255
 permit 36.0.0.0  0.255.255.255
! (Note: all other access implicitly denied)

Related Commands

Command
Description

access list (IP extended)

Defines an extended IP access list.

access list (IP standard)

Defines a standard IP access list.

access-list remark

Writes a helpful comment (remark) for an entry in a numbered access list.

deny (IP)

Sets conditions for a named IP access list.

ip access-group

Controls access to an interface.

permit (IP)

Sets conditions for a named IP access list.

remark

Writes a helpful comment (remark) for an entry in a named IP access list.

show ip access-list

Displays the contents of all current IP access lists.


ip access-list log-update

To set the threshold number of packets that generate a log message if they match an access list, use the ip access-list log-update command in global configuration mode. To remove the threshold, use the no form of this command.

ip access-list log-update threshold number-of-matches

no ip access-list log-update

Syntax Description

number-of-matches

Threshold number of packets necessary to match an access list before a log message is generated. The range is 0 to 2147483647. There is no default number of matches.


Defaults

Log messages are sent at the first matching packet and at 5-minute intervals after that.

Command Modes

Global configuration

Command History

Release
Modification

12.0(2)T

This command was introduced.


Usage Guidelines

Log messages are generated if you have specified the log keyword in the access-list (IP standard), access-list (IP extended), deny (IP), dynamic, or permit command.

Log messages provide information about the packets that are permitted or denied by an access list. By default, log messages appear at the console. (The level of messages logged to the console is controlled by the logging console command.) The log message includes the access list number, whether the packet was permitted or denied, and other information.

By default, the log messages are sent at the first matching packet and after that, identical messages are accumulated for 5-minute intervals, with a single message being sent with the number of packets permitted and denied during that interval. However, you can use the ip access-list log-update command to set the number of packets that, when match an access list (and are permitted or denied), cause the system to generate a log message. You might want to do this to receive log messages more frequently than at 5-minute intervals.


Caution If you set the number-of-matches argument to 1, a log message is sent right away, rather than caching it; every packet that matches an access list causes a log message. A setting of 1 is not recommended because the volume of log messages could overwhelm the system.

Even if you use the ip access-list log-update command, the 5-minute timer remains in effect, so the cache is emptied at the end of 5 minutes, regardless of the count of messages in the cache. Regardless of when the log message is sent, the cache is flushed and the count reset to 0 for that message the same way it is when a threshold is not specified.

If the syslog server is not directly connected to a LAN that the router shares, any intermediate router might drop the log messages because they are UDP (unreliable) messages.

Examples

The following example enables logging whenever the 1000th packet matches an access list entry:

ip access-list log-update threshold 1000

Related Commands

Command
Description

access-list (IP extended)

Defines an extended IP access list.

access-list (IP standard)

Defines a standard IP access list.

deny (IP)

Sets conditions under which a packet is denied by a named IP access list.

dynamic

Defines a named dynamic IP access list.

logging console

Limits messages logged to the console, based on severity.

permit

Sets conditions under which a packet passes a named IP access list.


ip accounting

To enable IP accounting on an interface, use the ip accounting command in interface configuration mode. To disable IP accounting, use the no form of this command.

ip accounting [access-violations] [output-packets]

no ip accounting [access-violations] [output-packets]

Syntax Description

access-violations

(Optional) Enables IP accounting with the ability to identify IP traffic that fails IP access lists.

output-packets

(Optional) Enables IP accounting based on the IP packets output on the interface.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.

10.3

The access-violations keyword was added.


Usage Guidelines

The ip accounting command records the number of bytes (IP header and data) and packets switched through the system on a source and destination IP address basis. Only transit IP traffic is measured and only on an outbound basis; traffic generated by the router access server or terminating in this device is not included in the accounting statistics. Traffic coming from a remote site and transiting through a router is also recorded.

If you specify the access-violations keyword, the ip accounting command provides information identifying IP traffic that fails IP access lists. Identifying IP source addresses that violate IP access lists alerts you to possible attempts to breach security. The data might also indicate that you should verify IP access list configurations.

To receive a logging message on the console when an extended access list entry denies a packet access (to log violations), you must include the log keyword in the access-list (IP extended) or access-list (IP standard) command.

Statistics are accurate even if IP fast switching or IP access lists are being used on the interface.

IP accounting disables autonomous switching, SSE switching, and distributed switching (dCEF) on the interface. IP accounting will cause packets to be switched on the Route Switch Processor (RSP) instead of the Versatile Interface Processor (VIP), which can cause performance degradation.

Examples

The following example enables IP accounting on Ethernet interface 0:

interface ethernet 0
 ip accounting

Related Commands

Command
Description

access-list (IP extended)

Defines an extended IP access list.

access-list (IP standard)

Defines a standard IP access list.

clear ip accounting

Clears the active or checkpointed database when IP accounting is enabled.

ip accounting-list

Defines filters to control the hosts for which IP accounting information is kept.

ip accounting-threshold

Sets the maximum number of accounting entries to be created.

ip accounting-transits

Controls the number of transit records that are stored in the IP accounting database.

show ip accounting

Displays the active accounting or checkpointed database or displays access list violations.


ip accounting-list

To define filters to control the hosts for which IP accounting information is kept, use the ip accounting-list command in global configuration mode. To remove a filter definition, use the no form of this command.

ip accounting-list ip-address wildcard

no ip accounting-list ip-address wildcard

Syntax Description

ip-address

IP address in dotted decimal format.

wildcard

Wildcard bits to be applied to the ip-address argument.


Defaults

No filters are defined.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The wildcard argument is a 32-bit quantity written in dotted-decimal format. Address bits corresponding to wildcard bits set to 1 are ignored in comparisons; address bits corresponding to wildcard bits set to zero are used in comparisons.

Examples

The following example adds all hosts with IP addresses beginning with 192.31 to the list of hosts for which accounting information will be kept:

ip accounting-list 192.31.0.0 0.0.255.255

Related Commands

Command
Description

clear ip accounting

Clears the active or checkpointed database when IP accounting is enabled.

ip accounting

Enables IP accounting on an interface.

ip accounting-threshold

Sets the maximum number of accounting entries to be created.

ip accounting-transits

Controls the number of transit records that are stored in the IP accounting database.

show ip accounting

Displays the active accounting or checkpointed database or displays access list violations.


ip accounting-threshold

To set the maximum number of accounting entries to be created, use the ip accounting-threshold command in global configuration mode. To restore the default number of entries, use the no form of this command.

ip accounting-threshold threshold

no ip accounting-threshold threshold

Syntax Description

threshold

Maximum number of entries (source and destination address pairs) that the Cisco IOS software accumulates.


Defaults

The default maximum number of accounting entries is 512 entries.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The accounting threshold defines the maximum number of entries (source and destination address pairs) that the software accumulates, preventing IP accounting from possibly consuming all available free memory. This level of memory consumption could occur in a router that is switching traffic for many hosts. Overflows will be recorded; see the monitoring commands for display formats.

The default accounting threshold of 512 entries results in a maximum table size of 12,928 bytes. Active and checkpointed tables can reach this size independently.

Examples

The following example sets the IP accounting threshold to only 500 entries:

ip accounting-threshold 500

Related Commands

Command
Description

clear ip accounting

Clears the active or checkpointed database when IP accounting is enabled.

ip accounting

Enables IP accounting on an interface.

ip accounting-list

Defines filters to control the hosts for which IP accounting information is kept.

ip accounting-transits

Controls the number of transit records that are stored in the IP accounting database.

show ip accounting

Displays the active accounting or checkpointed database or displays access list violations.


ip accounting-transits

To control the number of transit records that are stored in the IP accounting database, use the ip accounting-transits command in global configuration mode. To return to the default number of records, use the no form of this command.

ip accounting-transits count

no ip accounting-transits

Syntax Description

count

Number of transit records to store in the IP accounting database.


Defaults

The default number of transit records that are stored in the IP accounting database is 0.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Transit entries are those that do not match any of the filters specified by ip accounting-list global configuration commands. If no filters are defined, no transit entries are possible.

To maintain accurate accounting totals, the Cisco IOS software maintains two accounting databases: an active and a checkpointed database.

Examples

The following example specifies that no more than 100 transit records are stored:

ip accounting-transits 100

Related Commands

Command
Description

clear ip accounting

Clears the active or checkpointed database when IP accounting is enabled.

ip accounting

Enables IP accounting on an interface.

ip accounting-list

Defines filters to control the hosts for which IP accounting information is kept.

ip accounting-threshold

Sets the maximum number of accounting entries to be created.

show ip accounting

Displays the active accounting or checkpointed database or displays access list violations.


ip accounting mac-address

To enable IP accounting on a LAN interface based on the source and destination MAC address, use the ip accounting mac-address command in interface configuration mode. To disable IP accounting based on the source and destination MAC address, use the no form of this command.

ip accounting mac-address {input | output]

no ip accounting mac-address {input | output]

Syntax Description

input

Performs accounting based on the source MAC address on received packets.

output

Performs accounting based on the destination MAC address on transmitted packets.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

11.1CC

This command was introduced.


Usage Guidelines

This feature is supported on Ethernet, FastEthernet, and FDDI interfaces.

To display the MAC accounting information, use the show interface mac EXEC command.

MAC address accounting provides accounting information for IP traffic based on the source and destination MAC address on LAN interfaces. This calculates the total packet and byte counts for a LAN interface that receives or sends IP packets to or from a unique MAC address. It also records a timestamp for the last packet received or sent. With MAC address accounting, you can determine how much traffic is being sent to and/or received from various peers at NAPS/peering points.

Examples

The following example enables IP accounting based on the source and destination MAC address for received and transmitted packets:

interface ethernet 4/0/0
  ip accounting mac-address input
  ip accounting mac-address output

Related Commands

Command
Description

show interface mac

Displays MAC accounting information for interfaces configured for MAC accounting.


ip accounting precedence

To enable IP accounting on any interface based on IP precedence, use the ip accounting precedence command in interface configuration mode. To disable IP accounting based on IP precedence, use the no form of this command.

ip accounting precedence {input | output]

no ip accounting precedence {input | output]

Syntax Description

input

Performs accounting based on IP precedence on received packets.

output

Performs accounting based on IP precedence on transmitted packets.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

11.1CC

This command was introduced.


Usage Guidelines

To display IP precedence accounting information, use the show interface precedence EXEC command.

The precedence accounting feature provides accounting information for IP traffic, summarized by IP precedence value(s). This feature calculates the total packet and byte counts for an interface that receives or sends IP packets and sorts the results based on IP precedence. This feature is supported on all interfaces and subinterfaces and supports CEF, dCEF, flow, and optimum switching.

Examples

The following example enables IP accounting based on IP precedence for received and transmitted packets:

interface ethernet 4/0/0
  ip accounting precedence input
  ip accounting precedence output

Related Commands

Command
Description

show interface precedence

Displays precedence accounting information for an interface configured for precedence accounting.


ip casa

To configure the router to function as a forwarding agent, use the ip casa command in global configuration mode. To disable the forwarding agent, use the no form of this command.

ip casa control-address igmp-address

no ip casa

Syntax Description

control-address

IP address of the Forwarding Agent side of the services manager/Forwarding Agent tunnel used for sending signals. This address is unique for each Forwarding Agent.

igmp-address

IGMP address on which the Forwarding Agent will listen for wildcard and fixed affinities.


Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release
Modification

12.0(5)T

This command was introduced.


Examples

The following example specifies the Internet address (10.10.4.1) and IGMP address (224.0.1.2) for the Forwarding Agent:

ip-casa 10.10.4.1 224.0.1.2

Related Commands

Command
Description

forwarding-agent

Specifies the port on which the Forwarding Agent will listen for wildcard and fixed affinities.


ip drp access-group

To control the sources of Director Response Protocol (DRP) queries to the DRP Server Agent, use the ip drp access-group command in global configuration mode. To remove the access list, use the no form of this command.

ip drp access-group access-list-number

no ip drp access-group access-list-number

Syntax Description

access-list-number

Number of a standard IP access list in the range from 1 to 99 or from 1300 to 1999.


Defaults

The DRP Server Agent will answer all queries.

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

This command applies an access list to the interface, thereby controlling which devices can send queries to the DRP Server Agent.

If both an authentication key chain and an access group have been specified, both security measures must permit access before a request is processed.

Examples

The following example configures access list 1, which permits only queries from the host at 33.45.12.4:

access-list 1 permit 33.45.12.4
ip drp access-group 1

Related Commands

Command
Description

ip drp authentication key-chain

Configures authentication on the DRP Server Agent for DistributedDirector.

show ip drp

Displays information about the DRP Server Agent for DistributedDirector.


ip drp authentication key-chain

To configure authentication on the Director Response Protocol (DRP) Server Agent for DistributedDirector, use the ip drp authentication key-chain command in global configuration mode. To remove the key chain, use the no form of this command.

ip drp authentication key-chain name-of-chain

no ip drp authentication key-chain name-of-chain

Syntax Description

name-of-chain

Name of the key chain containing one or more authentication keys.


Defaults

No authentication is configured for the DRP Server Agent.

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Usage Guidelines

When a key chain and key are configured, the key is used to authenticate all DRP requests and responses. The active key on the DRP Server Agent must match the active key on the primary agent. Use the key and key-string commands to configure the key.

Examples

The following example configures a key chain named ddchain:

ip drp authentication key-chain ddchain

Related Commands

Command
Description

accept-lifetime

Sets the time period during which the authentication key on a key chain is received as valid.

ip drp access-group

Controls the sources of DRP queries to the DRP Server Agent.

key

Identifies an authentication key on a key chain.

key chain

Enables authentication for routing protocols.

key-string (authentication)

Specifies the authentication string for a key.

send-lifetime

Sets the time period during which an authentication key on a key chain is valid to be sent.

show ip drp

Displays information about the DRP Server Agent for DistributedDirector.

show key chain

Displays authentication key information.


ip drp server

To enable the Director Response Protocol (DRP) Server Agent that works with DistributedDirector, use the ip drp server command in global configuration mode. To disable the DRP Server Agent, use the no form of this command.

ip drp server

no ip drp server

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.


Examples

The following example enables the DRP Server Agent:

ip drp server

Related Commands

Command
Description

ip drp access-group

Controls the sources of DRP queries to the DRP Server Agent.

ip drp authentication key-chain

Configures authentication on the DRP Server Agent for DistributedDirector.

show ip drp

Displays information about the DRP Server Agent for DistributedDirector.


ip icmp rate-limit unreachable

To have the Cisco IOS software limit the rate that Internet Control Message Protocol (ICMP) destination unreachable messages are generated, use the ip icmp rate-limit unreachable command in global configuration mode. To remove the rate limit, use the no form of this command.

ip icmp rate-limit unreachable [df] milliseconds

no ip icmp rate-limit unreachable [df]

Syntax Description

df

(Optional) Limits the rate ICMP destination unreachable messages are sent when code 4, fragmentation is needed and DF set, is specified in the IP header of the ICMP destination unreachable message.

milliseconds

Time limit (in milliseconds) in which one ICMP destination unreachable message is sent. The range is 1 millisecond to 4294967295 milliseconds.


Defaults

The default value is one ICMP destination unreachable message per 500 milliseconds.

Command Modes

Global configuration

Command History

Release
Modification

12.0

This command was introduced.


Usage Guidelines

The no ip icmp rate-limit unreachable command turns off the previously configured rate limit. To re-set the rate limit to its default value, use the default ip icmp rate-limit unreachable command.

The Cisco IOS software maintains two timers: one for general destination unreachable messages and one for DF destination unreachable messages. Both share the same time limits and defaults. If the df option is not configured, the ip icmp rate-limit unreachable command sets the time values for DF destination unreachable messages. If the df option is configured, its time values remain independent from those of general destination unreachable messages.

Examples

The following example sets the rate of the ICMP destination unreachable message to one message every 10 milliseconds:

ip icmp rate-limit unreachable 10

The following example turns off the previously configured rate limit:

no ip icmp rate-limit unreachable

The following example sets the rate limit back to the default:

default ip icmp rate-limit unreachable

ip icmp redirect

To control the type of Internet Control Message Protocol (ICMP) redirect message that is sent by the Cisco IOS software, use the ip icmp redirect command in global configuration mode. To set the value back to the default, use the no form of this command.

ip icmp redirect [host | subnet]

no ip icmp redirect [host | subnet]

Syntax Description

host

(Optional) Sends ICMP host redirects.

subnet

(Optional) Sends ICMP subnet redirects.


Defaults

The router will send ICMP subnet redirect messages.

Because the ip icmp redirect subnet command is the default, the command will not be displayed in the configuration.

Command Modes

Global configuration

Command History

Release
Modification

12.0

This command was introduced.


Usage Guidelines

An ICMP redirect message can be generated by a router when a packet is received and transmitted on the same interface. In this situation, the router will forward the original packet and send a ICMP redirect message back to the sender of the original packet. This behavior allows the sender to bypass the router and forward future packets directly to the destination (or a router closer to the destination).

There are two types of ICMP redirect messages: redirect for a host address or redirect for an entire subnet.

The ip icmp redirect command determines the type of ICMP redirects sent by the system and is configured on a per system basis. Some hosts do not understand ICMP subnet redirects and need the router to send out ICMP host redirects. Use the ip icmp redirect host command to have the router send out ICMP host redirects. Use the ip icmp redirect subnet command to set the value back to the default, which is to send subnet redirects.

To prevent the router from sending ICMP redirects, use the no ip redirects interface configuration command.

Examples

The following example enables the router to send out ICMP host redirects:

ip icmp redirect hosts

The following example sets the value back to the default, which is subnet redirects:

ip icmp redirect subnet

Related Commands

Command
Description

ip redirects

Enables the sending of ICMP redirect messages.


ip mask-reply

To have the Cisco IOS software respond to Internet Control Message Protocol (ICMP) mask requests by sending ICMP mask reply messages, use the ip mask-reply command in interface configuration mode. To disable this function, use the no form of this command.

ip mask-reply

no ip mask-reply

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Examples

The following example enables the sending of ICMP mask reply messages on Ethernet interface 0:

interface ethernet 0
 ip address 131.108.1.0 255.255.255.0
 ip mask-reply