Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference, 4.1
name -- ospf transmit-delay
Downloads: This chapterpdf (PDF - 729.0KB) The complete bookPDF (PDF - 15.43MB) | Feedback

name through ospf transmit-delay Commands

Table Of Contents

name through ospf transmit-delay Commands

name

nameif

names

nat

nat-control

neighbor

neighbor (EIGRP)

neighbor password

neighbor remote-as

nem

network

network (EIGRP)

network area

network-object

nt-auth-domain-controller

object-group

ospf authentication

ospf authentication-key

ospf cost

ospf database-filter all out

ospf dead-interval

ospf hello-interval

ospf message-digest-key

ospf mtu-ignore

ospf network point-to-point non-broadcast

ospf priority

ospf retransmit-interval

ospf transmit-delay


name through ospf transmit-delay Commands


name

To associate a name with an IP address, use the name command in global configuration mode. To disable the use of the text names but not remove them from the configuration, use the no form of this command.

name ip_address name

no name ip_address [name]

Syntax Description

ip_address

Specifies an IP address of the host that is named.

name

Specifies the name assigned to the IP address. Use characters a to z, A to Z, 0 to 9, a dash, and an underscore. The name must be 63 characters or less. Also, the name cannot start with a number.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

To enable the association of a name with an IP address, use the names command. You can associate only one name with an IP address.

You must first use the names command before you use the name command. Use the name command immediately after you use the names command and before you use the write memory command.

The name command lets you identify a host by a text name and map text strings to IP addresses. The no name command allows you to disable the use of the text names but does not remove them from the configuration. Use the clear configure name command to clear the list of names from the configuration.

To disable displaying name values, use the no names command.

Both the name and names commands are saved in the configuration.

The name command does not support assigning a name to a network mask. For example, this command would be rejected:

hostname(config)# name 255.255.255.0 class-C-mask

Note None of the commands in which a mask is required can process a name as an accepted network mask.


Examples

This example shows that the names command allows you to enable use of the name command. The name command substitutes sa_inside for references to 192.168.42.3 and sa_outside for 209.165.201.3. You can use these names with the ip address commands when assigning IP addresses to the network interfaces. The no names command disables the name command values from displaying. Subsequent use of the names command again restores the name command value display.

hostname(config)# names
hostname(config)# name 192.168.42.3 sa_inside
hostname(config)# name 209.165.201.3 sa_outside

hostname(config-if)# ip address inside sa_inside 255.255.255.0
hostname(config-if)# ip address outside sa_outside 255.255.255.224

hostname(config)# show ip address
System IP Addresses:
inside ip address sa_inside mask 255.255.255.0
outside ip address sa_outside mask 255.255.255.224

hostname(config)# no names
hostname(config)# show ip address
System IP Addresses:
inside ip address 192.168.42.3 mask 255.255.255.0
outside ip address 209.165.201.3 mask 255.255.255.224

hostname(config)# names
hostname(config)# show ip address
System IP Addresses:
inside ip address sa_inside mask 255.255.255.0
outside ip address sa_outside mask 255.255.255.224

Related Commands

Command
Description

clear configure name

Clears the list of names from the configuration.

names

Enables the association of a name with an IP address.

show running-config name

Displays the names associated with an IP address.


nameif

To provide a name for an interface, use the nameif command in interface configuration mode. To remove the name, use the no form of this command.

nameif name

no nameif

Syntax Description

name

Sets a name up to 48 characters in length. The name is not case-sensitive.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

1.1(1)

This command was introduced.

3.1(1)

This command was changed from a global configuration command to an interface configuration mode command.


Usage Guidelines

The interface name is used in all configuration commands on the FWSM instead of the interface type and ID (such as gigabitethernet1), and is therefore required before traffic can pass through the interface.

You can change the name by reentering this command with a new value. Do not enter the no form, because that command causes all commands that refer to that name to be deleted.

Examples

The following example configures the names for two interfaces to be "inside" and "outside:"

hostname(config)# interface gigabitethernet1
hostname(config-if)# nameif inside
hostname(config-if)# security-level 100
hostname(config-if)# ip address 10.1.1.1 255.255.255.0
hostname(config-if)# no shutdown
hostname(config-if)# interface gigabitethernet0
hostname(config-if)# nameif outside
hostname(config-if)# security-level 0
hostname(config-if)# ip address 10.1.2.1 255.255.255.0
hostname(config-if)# no shutdown

Related Commands

Command
Description

clear xlate

Resets all translations for existing connections, causing the connections to be reset.

interface

Configures an interface and enters interface configuration mode.

security-level

Sets the security level for the interface.


names

To enable IP address to the name conversions that you can configured with the name command, use the names command in global configuration mode. To disable address to name conversion, use the no form of this command.

names

no names

Syntax Description

This command has no arguments or keywords.

Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The names command is used to enable the association of a name with an IP address that you configured with the name command. The order in which you enter the name or names commands is irrelevant.

Examples

The following example shows how to enable the association of a name with an IP address:

hostname(config)# names

Related Commands

Command
Description

clear configure name

Clears the list of names from the configuration.

name

Associates a name with an IP address.

show running-config name

Displays a list of names associated with IP addresses.

show running-config names

Displays the IP address-to-name conversions.


nat

To identify addresses on one interface that are translated to mapped addresses on another interface, use the nat command in global configuration mode. This command configures dynamic NAT or PAT, where an address is translated to one of a pool of mapped addresses. To remove the nat command, use the no form of this command.

For regular dynamic NAT:

nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]

no nat (real_ifc) nat_id real_ip [mask [dns] [outside] [[tcp] tcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]]

For policy dynamic NAT and NAT exemption:

nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcptcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]

no nat (real_ifc) nat_id access-list access_list_name [dns] [outside] [[tcptcp_max_conns [emb_limit]] [udp udp_max_conns] [norandomseq]

Syntax Description

access-list access_list_name

Identifies the real addresses and destination addresses using an extended access list, also known as policy NAT. Create the access list using the access-list command. This access list should include only permit ACEs. You can optionally specify the local and destination ports in the access list using the eq operator. If the NAT ID is 0, then the access list specifies addresses that are exempt from NAT. NAT exemption is not the same as policy NAT; you cannot specify the port addresses, for example.

dns

(Optional) Rewrites the A record, or address record, in DNS replies that match this command. For DNS replies traversing from a mapped interface to a real interface, the A record is rewritten from the mapped value to the real value. Inversely, for DNS replies traversing from a real interface to a mapped interface, the A record is rewritten from the real value to the mapped value.

If your NAT statement includes the address of a host that has an entry in a DNS server, and the DNS server is on a different interface from a client, then the client and the DNS server need different addresses for the host; one needs the global address and one needs the local address.The translated host needs to be on the same interface as either the client or the DNS server. Typically, hosts that need to allow access from other interfaces use a static translation, so this option is more likely to be used with the static command.

emb_limit

(Optional) Specifies the maximum number of embryonic connections per host. The default is 0, which means unlimited embryonic connections.

Limiting the number of embryonic connections protects you from a DoS attack. The FWSM uses the embryonic limit to trigger TCP Intercept, which protects inside systems from a DoS attack perpetrated by flooding an interface with TCP SYN packets. An embryonic connection is a connection request that has not finished the necessary handshake between source and destination.

mask

(Optional) Specifies the subnet mask for the real addresses. If you do not enter a mask, then the default mask for the IP address class is used.

nat_id

Specifies an integer for the NAT ID. This ID is referenced by the global command to associate a global pool with the real_ip.

For regular NAT, this integer is between 1 and 2147483647. For policy NAT (nat id access-list), this integer is between 1 and 65535.

Identity NAT (nat 0) and NAT exemption (nat 0 access-list) use the NAT ID of 0.

norandomseq

(Optional) Disables TCP ISN randomization protection. TCP initial sequence number randomization can be disabled if another in-line firewall is also randomizing the initial sequence numbers, because there is no need for both firewalls to be performing this action. However, leaving ISN randomization enabled on both firewalls does not affect the traffic.

Each TCP connection has two ISNs: one generated by the client and one generated by the server. The security appliance randomizes the ISN of the TCP SYN passing in the outbound direction. If the connection is between two interfaces with the same security level, then the ISN will be randomized in the SYN in both directions.

Randomizing the ISN of the protected host prevents an attacker from predecting the next ISN for a new connection and potentially hijacking the new session.

The norandomseq keyword does not apply to outside NAT. The firewall randomizes only the ISN that is generated by the host/server on the higher security interface. If you set norandomseq for outside NAT, the norandomseq keyword is ignored.

outside

(Optional) If this interface is on a lower security level than the interface you identify by the matching global statement, then you must enter outside. This feature is called outside NAT or bidirectional NAT.

real_ifc

Specifies the name of the interface connected to the real IP address network.

real_ip

Specifies the real address that you want to translate. You can use 0.0.0.0 (or the abbreviation 0) to specify all addresses.

tcp tcp_max_conns

(Optional) Specifies the maximum number of simultaneous TCP connections allowed to the local host. (See the local-host command for more information.) The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)

The recommended method for setting a connection limit is to use the modular policy framework by setting a connection limit on a class within a policy map.

udp udp_max_conns

(Optional) Specifies the maximum number of simultaneous TCP connections allowed to the local host. (See the local-host command for more information.) The default is 0, which means unlimited connections. (Idle connections are closed after the idle timeout specified by the timeout conn command.)

The recommended method for setting a connection limit is to use the modular policy framework by setting a connection limit on a class within a policy map.


Defaults

The default value for tcp_max_conns, emb_limit, and udp_max_conns is 0 (unlimited), which is the maximum available.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.

2.2(1)

This command was modified to support UDP maximum connections for local hosts.

2.3(1)

This command was modified to allow connection settings for outside NAT.

3.2.(1)

NAT is now supported in transparent firewall mode.


Usage Guidelines

For dynamic NAT and PAT, you first configure a nat command identifying the real addresses on a given interface that you want to translate. Then you configure a separate global command to specify the mapped addresses when exiting another interface (in the case of PAT, this is one address). Each nat command matches a global command by comparing the NAT ID, a number that you assign to each command.

The FWSM translates an address when a NAT rule matches the traffic. If no NAT rule matches, processing for the packet continues. The exception is when you enable NAT control using the nat-control command. NAT control requires that packets traversing from a higher security interface (inside) to a lower security interface (outside) match a NAT rule, or else processing for the packet stops. NAT is not required between same security level interfaces even if you enable NAT control. You can optionally configure NAT if desired.

Dynamic NAT translates a group of real addresses to a pool of mapped addresses that are routable on the destination network. The mapped pool can include fewer addresses than the real group. When a host you want to translate accesses the destination network, the FWSM assigns it an IP address from the mapped pool. The translation is added only when the real host initiates the connection. The translation is in place only for the duration of the connection, and a given user does not keep the same IP address after the translation times out (see the timeout xlate command). Users on the destination network, therefore, cannot reliably initiate a connection to a host that uses dynamic NAT (or PAT, even if the connection is allowed by an access list), and the FWSM rejects any attempt to connect to a real host address directly. See the static command for reliable access to hosts.

Dynamic NAT has these disadvantages:

If the mapped pool has fewer addresses than the real group, you could run out of addresses if the amount of traffic is more than expected.

Use PAT if this event occurs often, because PAT provides over 64,000 translations using ports of a single address.

You have to use a large number of routable addresses in the mapped pool; if the destination network requires registered addresses, such as the Internet, you might encounter a shortage of usable addresses.

The advantage of dynamic NAT is that some protocols cannot use PAT. For example, PAT does not work with IP protocols that do not have a port to overload, such as GRE version 0. PAT also does not work with some applications that have a data stream on one port and the control path on another and are not open standard, such as some multimedia applications.

PAT translates multiple real addresses to a single mapped IP address. Specifically, the FWSM translates the real address and source port (real socket) to the mapped address and a unique port above 1024 (mapped socket). Each connection requires a separate translation, because the source port differs for each connection. For example, 10.1.1.1:1025 requires a separate translation from 10.1.1.1:1026.

After the connection expires, the port translation also expires after 30 seconds of inactivity. The timeout is not configurable.

PAT lets you use a single mapped address, thus conserving routable addresses. You can even use the FWSM interface IP address as the PAT address. PAT does not work with some multimedia applications that have a data stream that is different from the control path.


Note For the duration of the translation, a remote host can initiate a connection to the translated host if an access list allows it. Because the address (both real and mapped) is unpredictable, a connection to the host is unlikely. However in this case, you can rely on the security of the access list.


If you enable NAT control, then inside hosts must match a NAT rule when accessing outside hosts. If you do not want to perform NAT for some hosts, then you can bypass NAT for those hosts (alternatively, you can disable NAT control). You might want to bypass NAT, for example, if you are using an application that does not support NAT. You can use the static command to bypass NAT, or one of the following options:

Identity NAT (nat 0 command)—When you configure identity NAT (which is similar to dynamic NAT), you do not limit translation for a host on specific interfaces; you must use identity NAT for connections through all interfaces. Therefore, you cannot choose to perform normal translation on real addresses when you access interface A, but use identity NAT when accessing interface B. Regular dynamic NAT, on the other hand, lets you specify a particular interface on which to translate the addresses. Make sure that the real addresses for which you use identity NAT are routable on all networks that are available according to your access lists.

For identity NAT, even though the mapped address is the same as the real address, you cannot initiate a connection from the outside to the inside (even if the interface access list allows it). Use static identity NAT or NAT exemption for this functionality.

NAT exemption (nat 0 access-list command)—NAT exemption allows both translated and remote hosts to initiate connections. Like identity NAT, you do not limit translation for a host on specific interfaces; you must use NAT exemption for connections through all interfaces. However, NAT exemption does let you specify the real and destination addresses when determining the real addresses to translate (similar to policy NAT), so you have greater control using NAT exemption. However unlike policy NAT, NAT exemption does not consider the ports in the access list.

Policy NAT lets you identify real addresses for address translation by specifying the source and destination addresses in an extended access list. You can also optionally specify the source and destination ports. Regular NAT can only consider the real addresses. For example, you can translate the real address to mapped address A when it accesses server A, but translate the real address to mapped address B when it accesses server B.

When you specify the ports in policy NAT for applications that require application inspection for secondary channels (FTP, VoIP, and so on.), the FWSM automatically translates the secondary ports.


Note All types of NAT support policy NAT except for NAT exemption. NAT exemption uses an access list to identify the real addresses, but differs from policy NAT in that the ports are not considered. You can accomplish the same result as NAT exemption using static identity NAT, which does support policy NAT.


You can alternatively set connection limits (but not embryonic connection limits) using the Modular Policy Framework. See the set connection commands for more information. You can only set embryonic connection limits using NAT. If you configure these settings for the same traffic using both methods, then the FWSM uses the lower limit. For TCP sequence randomization, if it is disabled using either method, then the FWSM disables TCP sequence randomization.

If you change the NAT configuration, and you do not want to wait for existing translations to time out before the new NAT information is used, you can clear the translation table using clear xlate command. However, clearing the translation table disconnects all of the current connections.

Examples

The following example shows how to translate the 10.1.1.0/24 network on the inside interface, enter the following command:

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.1-209.165.201.30

The following example shows how to identify a pool of addresses for dynamic NAT as well as a PAT address for when the NAT pool is exhausted, enter the following commands:

hostname(config)# nat (inside) 1 10.1.1.0 255.255.255.0
hostname(config)# global (outside) 1 209.165.201.5
hostname(config)# global (outside) 1 209.165.201.10-209.165.201.20

The following example shows how to translate the lower security DMZ network addresses so they appear to be on the same network as the inside network (10.1.1.0), for example, to simplify routing, enter the following commands:

hostname(config)# nat (dmz) 1 10.1.2.0 255.255.255.0 outside dns
hostname(config)# global (inside) 1 10.1.1.45

The following example shows how to identify a single real address with two different destination addresses using policy NAT, enter the following commands:

hostname(config)# access-list NET1 permit ip 10.1.2.0 255.255.255.0 209.165.201.0 
255.255.255.224
hostname(config)# access-list NET2 permit ip 10.1.2.0 255.255.255.0 209.165.200.224 
255.255.255.224
hostname(config)# nat (inside) 1 access-list NET1 tcp 0 2000 udp 10000
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list NET2 tcp 1000 500 udp 2000
hostname(config)# global (outside) 2 209.165.202.130

The following example shows how to identify a single real address/destination address pair that use different ports using policy NAT, enter the following commands:

hostname(config)# access-list WEB permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 
255.255.255.255 eq 80
hostname(config)# access-list TELNET permit tcp 10.1.2.0 255.255.255.0 209.165.201.11 
255.255.255.255 eq 23
hostname(config)# nat (inside) 1 access-list WEB
hostname(config)# global (outside) 1 209.165.202.129
hostname(config)# nat (inside) 2 access-list TELNET
hostname(config)# global (outside) 2 209.165.202.130

Related Commands

Command
Description

access-list deny-flow-max

Specifies the maximum number of concurrent deny flows that can be created.

clear configure nat

Removes the NAT configuration.

global

Creates entries from a pool of global addresses.

interface

Creates and configures an interface.

show running-config nat

Displays a pool of global IP addresses that are associated with the network.


nat-control

To enforce NAT control use the nat-control command in global configuration mode. NAT control requires NAT for inside hosts when they access the outside. To disable NAT control, use the no form of this command.

nat-control

no nat-control

Syntax Description

This command has no arguments or keywords.

Defaults

NAT control is disabled by default (no nat-control command). If you upgraded from an earlier version of software, however, NAT control might be enabled on your system because it was the default in some earlier versions.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

3.1(1)

This command was introduced.

3.2.(1)

NAT is now supported in transparent firewall mode.


Usage Guidelines

NAT control requires that packets traversing from an inside interface to an outside interface match a NAT rule; for any host on the inside network to access a host on the outside network, you must configure NAT to translate the inside host address.

Interfaces at the same security level are not required to use NAT to communicate.

By default, NAT control is disabled, so you do not need to perform NAT on any networks unless you choose to perform NAT.

If you want the added security of NAT control but do not want to translate inside addresses in some cases, you can apply a NAT exemption (nat 0 access-list) or identity NAT (nat 0 or static) rule on those addresses.


Note In multiple context mode, the packet classifier relies on the NAT configuration in some cases to assign packets to contexts. If you do not perform NAT because NAT control is disabled, then the classifier might require changes in your network configuration.


Examples

The following example enables NAT control:

hostname(config)# nat-control

Related Commands

Command
Description

nat

Defines an address on one interface that is translated to a mapped address on another interface.

show running-config nat-control

Shows the NAT configuration requirement.

static

Translates a real address to a mapped address.


neighbor

To define a static neighbor on a point-to-point, non-broadcast network, use the neighbor command in router configuration mode. To remove the statically defined neighbor from the configuration, use the no form of this command. The neighbor command is used to advertise OSPF routes over VPN tunnels.

neighbor ip_address [interface name]

no neighbor ip_address [interface name]

Syntax Description

interface name

(Optional) The interface name, as specified by the nameif command, through which the neighbor can be reached.

ip_address

IP address of the neighbor router.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

One neighbor entry must be included for each known non-broadcast network neighbor. The neighbor address must be on the primary address of the interface.

The interface option needs to be specified when the neighbor is not on the same network as any of the directly connected interfaces of the system. Additionally, a static route must be created to reach the neighbor.

Examples

The following example defines a neighbor router with an address of 192.168.1.1:

hostname(config-router)# neighbor 192.168.1.1

Related Commands

Command
Description

router ospf

Enters router configuration mode.

show running-config router

Displays the commands in the global router configuration.


neighbor (EIGRP)

To define an EIGRP neighbor router with which to exchange routing information, use the neighbor command in router configuration mode. To remove a neighbor entry, use the no form of this command.

neighbor ip_address interface name

no neighbor ip_address interface name

Syntax Description

interface name

The interface name, as specified by the nameif command, through which the neighbor can be reached.

ip_address

IP address of the neighbor router.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

You can use multiple neighbor statements to establish peering sessions with specific EIGRP neighbors. The interface through which EIGRP exchanges routing updates must be specified in the neighbor statement. The interfaces through which two EIGRP neighbors exchange routing updates must be configured with IP addresses from the same network.


Note Configuring the passive-interface command for an interface suppresses all incoming and outgoing routing updates and hello messages on that interface. EIGRP neighbor adjacencies cannot be established or maintained over an interface that is configured as passive.


EIGRP hello messages are sent as unicast messages to neighbors defined using the neighbor command.

Examples

The following example configures EIGRP peering sessions with the 192.168.1.1 and 192.168.2.2 neighbors:

hostname(config)# router eigrp 100
hostname(config-router)# network 192.168.0.0
hostname(config-router)# neighbor 192.168.1.1 interface outside
hostname(config-router)# neighbor 192.168.2.2 interface branch_office

Related Commands

Command
Description

debug eigrp neighbors

Displays debug information for EIGRP neighbor messages.

show eigrp neighbors

Displays the EIGRP neighbor table.


neighbor password

To specify MD5 authentication for the specified BGP neighbor, use the neighbor password command in router configuration mode. To remove the password, use the no form of this command.

neighbor ip-addr password [mode] password

no neighbor ip-addr password [mode] string

Syntax Description

ip-addr

The IP address of the BGP neighbor.

mode

A number from 0 to 7. DO NOT USE THIS OPTIONAL ARGUMENT. No one knows what it does and it could break the authentication.

password

A case-sensitive password of up to 25 characters. The password can contain alphanumeric characters and the following symbols:

` ~ ! @ # $ % ^ & * ( ) - _ = + | \ } ] { [ " ` : ; / > < . , ?

The password cannot contain spaces.


Defaults

There are no BGP neighbors defined.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context 1
System

Router configuration

1 This command is only available in the admin context.


Command History

Release
Modification

3.2(1)

This command was introduced.


Usage Guidelines

You can configure MD5 authentication between two BGP peers. Each segment sent on the TCP connection between the peers is verified. MD5 authentication must be configured with the same password on both BGP peers; otherwise, the connection between them will not be made.

In multiple context mode, this command is only available in the admin context. The admin context must be in routed mode. The BGP stub routing configuration entered in the admin context applies to all contexts configured on the device; you cannot configure BGP stub routing on a per-context basis.

Examples

The following example enables the authentication of BGP messages exchanged with the BGP neighbor. The neighbor device must be configured with the same password.

hostname(config)# router bgp 800
hostname(config-router)# bgp router-id 192.168.1.1
hostname(config-router)# neighbor 10.1.1.1 remote-as 800
hostname(config-router)# neighbor 10.1.1.1 password bQ2$f78t
hostname(config-router)# network 192.168.1.0 mask 255.255.255.0
hostname(config-router)# network 10.1.1.0 mask 255.255.255.0

Related Commands

Command
Description

neighbor remote-as

Defines a BGP neighbor.

router bgp

Creates a BGP routing process and enters router configuration mode for that process.

show running-config router

Displays the router commands in the running configuration.


neighbor remote-as

To specify the BGP neighbor, use the neighbor remote-as command in router configuration mode. To remove the neighbor, use the no form of this command.

neighbor ip-addr remote-as as-number

no neighbor ip-addr remote-as as-number

Syntax Description

as-number

Autonomous system to which the neighbor belongs.

ip-addr

The IP address of BGP neighbor.


Defaults

There are no BGP neighbors defined.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context 1
System

Router configuration

1 This command is only available in the admin context.


Command History

Release
Modification

3.2(1)

This command was introduced.


Usage Guidelines

The FWSM must be in the same AS as the defined neighbor.

In multiple context mode, this command is only available in the admin context. The admin context must be in routed mode. The BGP stub routing configuration entered in the admin context applies to all contexts configured on the device; you cannot configure BGP stub routing on a per-context basis.

Examples

The following example assigns the FWSM an AS number of 800. The BGP neighbor at 10.1.1.1 is also part of AS 800.

hostname(config)# router bgp 800
hostname(config-router)# bgp router-id 192.168.1.1
hostname(config-router)# neighbor 10.1.1.1 remote-as 800
hostname(config-router)# neighbor 10.1.1.1 password bQ2$f78t
hostname(config-router)# network 192.168.1.0 mask 255.255.255.0
hostname(config-router)# network 10.1.1.0 mask 255.255.255.0

Related Commands

Command
Description

neighbor password

Defines the password used for MD5 authentication of BGP messages exchanged with the BGP neighbor.

router bgp

Creates a BGP routing process and enters router configuration mode for that process.

show running-config router

Displays the router commands in the running configuration.


nem

To enable network extension mode for hardware clients, use the nem enable command in group-policy configuration mode. To disable NEM, use the nem disable command. To remove the NEM attribute from the running configuration, use the no form of this command. This option allows inheritance of a value from another group policy.

nem {enable | disable}

no nem

Syntax Description

disable

Disables Network Extension Mode.

enable

Enables Network Extension Mode.


Defaults

Network extension mode is disabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Group-policy configuration


Usage Guidelines

Network Extension mode lets hardware clients present a single, routable network to the remote private network over the VPN tunnel. IPSec encapsulates all traffic from the private network behind the hardware client to networks behind the FWSM. PAT does not apply. Therefore, devices behind the FWSM have direct access to devices on the private network behind the hardware client over the tunnel, and only over the tunnel, and vice versa. The hardware client must initiate the tunnel, but after the tunnel is up, either side can initiate data exchange.

Command History

Release
Modification

3.1(1)

This command was introduced.


Examples

The following example shows how to set NEM for the group policy named FirstGroup:

hostname(config)# group-policy FirstGroup attributes
hostname(config-group-policy)# nem enable

network

To specify the networks that are advertised by the BGP routing process, use the network command in router configuration mode. To remove the password, use the no form of this command.

network ip-addr mask mask

no network ip-addr mask mask

Syntax Description

ip-addr

The IP address of the network to advertise.

mask mask

The network mask applied to the ip-addr argument.


Defaults

There are no networks advertised.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context 1
System

Router configuration

1 This command is only available in the admin context.


Command History

Release
Modification

3.2(1)

This command was introduced.


Usage Guidelines

The network command determine which static or directly connected networks are advertised to the defined BGP neighbor. You can have a maximum of 200 network commands configured on the FWSM.

In multiple context mode, this command is only available in the admin context. The admin context must be in routed mode. The BGP stub routing configuration entered in the admin context applies to all contexts configured on the device; you cannot configure BGP stub routing on a per-context basis.

Examples

The following example causes the 192.168.1.0 and 10.1.1.0 networks to be included in BGP updates sent by the FWSM to the BGP neighbor:

hostname(config)# router bgp 800
hostname(config-router)# bgp router-id 192.168.1.1
hostname(config-router)# neighbor 10.1.1.1 remote-as 800
hostname(config-router)# neighbor 10.1.1.1 password bQ2$f78t
hostname(config-router)# network 192.168.1.0 mask 255.255.255.0
hostname(config-router)# network 10.1.1.0 mask 255.255.255.0

Related Commands

Command
Description

neighbor

Specifies the BGP neighbor.

router bgp

Creates a BGP routing process and enters router configuration mode for that process.

show running-config router

Displays the router commands in the running configuration.


network (EIGRP)

To specify a list of networks for the EIGRP routing process, use the network command in router configuration mode. To remove a network definition, use the no form of this command.

network ip_addr [mask]

no network ip_addr [mask]

Syntax Description

ip_addr

The IP address of a directly connected network. The interface connected to the specified network will participate in the EIGRP routing process.

mask

(Optional) The network mask for the IP address.


Defaults

No networks are specified.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

4.0(1)

This command was introduced.


Usage Guidelines

The network command starts EIGRP on all interfaces with at least one IP address in the specified network. It inserts the connected subnet from the specified network in the EIGRP topology table.

The FWSM then establishes neighbors through the matched interfaces. There is no limit to the number of network commands that can be configured on the FWSM.

Examples

The following example defines EIGRP as the routing protocol to be used on all interfaces connected to networks 10.0.0.0 and 192.168.7.0:

hostname(config)# router eigrp 100
hostname(config-router)# network 10.0.0.0 255.0.0.0
hostname(config-router)# network 192.168.7.0 255.255.255.0

Related Commands

Command
Description

show eigrp interfaces

Displays information about interfaces configured for EIGRP.

show eigrp topology

Displays the EIGRP topology table.


network area

To define the interfaces on which OSPF runs and to define the area ID for those interfaces, use the network area command in router configuration mode. To disable OSPF routing for interfaces defined with the address/netmask pair, use the no form of this command.

network addr mask area area_id

no network addr mask area area_id

Syntax Description

addr

IP address.

area area_id

Specifies the area that is to be associated with the OSPF address range. The area_id can be specified in either IP address format or in decimal format. When specified in decimal format, valid values range from 0 to 4294967295.

mask

The network mask.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Router configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

For OSPF to operate on the interface, the address of the interface must be covered by the network area command. If the network area command does not cover the IP address of the interface, it will not enable OSPF over that interface.

There is no limit to the number of network area commands you can use on the FWSM.

Examples

The following example enables OSPF on the 192.168.1.1 interface and assigns it to area 2:

hostname(config-router)# network 192.168.1.1 255.255.255.0 area 2

Related Commands

Command
Description

router ospf

Enters router configuration mode.

show running-config router

Displays the commands in the global router configuration.


network-object

To add a network object to a network object group, use the network-object command in network configuration mode. To remove network objects, use the no form of this command.

network-object host host_addr | host_name

no network-object host host_addr | host_name

network-object net_addr netmask

no network-object net_addr netmask

Syntax Description

host_addr

Host IP address (if the hostname is not already defined using the name command).

host_name

Hostname (if the hostname is defined using the name command.

net_addr

Network address; used with netmask to define a subnet object.

netmask

Netmask; used with net_addr to define a subnet object.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Network configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

The network-object command is used with the object-group command to define a host or a subnet object in network configuration mode.

Examples

The following example shows how to use the network-object command in network configuration mode to create a new network object group:

hostname(config)# object-group network sjj_eng_ftp_servers
hostname(config-network)# network-object host sjj.eng.ftp
hostname(config-network)# network-object host 172.16.56.195 
hostname(config-network)# network-object 192.168.1.0 255.255.255.224 
hostname(config-network)# group-object sjc_eng_ftp_servers
hostname(config-network)# quit
hostname(config)#

Related Commands

Command
Description

clear configure object-group

Removes all the object-group commands from the configuration.

group-object

Adds network object groups.

object-group

Defines object groups to optimize your configuration.

port-object

Adds a port object to a service object group.

show running-config object-group

Displays the current object groups.


nt-auth-domain-controller

To specify the name of the NT Primary Domain Controller for this server, use the nt-auth-domain-controller command in aaa-server host mode. To remove this specification, use the no form of this command.

nt-auth-domain-controller hostname

no nt-auth-domain-controller

Syntax Description

hostname

Specify the name, up to 16 characters long, of the Primary Domain Controller for this server.


Defaults

No default behaviors or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Aaa-server host configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

This command is valid only for NT authentication servers. You must have first used the aaa-server host command to enter host configuration mode. The name in the string variable must match the NT entry on the server itself.

Examples

The following example configures the name of the NT Primary Domain Controller for this server as "primary1".

hostname(config)# aaa-server svrgrp1 protocol nt
hostname(configaaa-server-group)# aaa-server svrgrp1 host 209.165.200.225
hostname(config-aaa-server-host)# nt-auth-domain-controller primary1

Related Commands

Command
Description

aaa-server

Enters aaa server host configuration mode so that you can configure AAA server parameters that are host-specific.

clear configure aaa-server

Remove all AAA command statements from the configuration.

show running-config aaa-server

Displays AAA server statistics for all AAA servers, for a particular server group, for a particular server within a particular group, or for a particular protocol.


object-group

To define object groups that you can use to optimize your configuration, use the object-group command in global configuration mode.To remove object groups from the configuration, use the no form of this comman. This command supports IPv4 and IPv6 addresses.

object-group {protocol | network | icmp-type} obj_grp_id

no object-group {protocol | network | icmp-type} obj_grp_id

object-group service obj_grp_id {tcp | udp | tcp-udp}

no object-group service obj_grp_id {tcp | udp | tcp-udp}

Syntax Description

icmp-type

Defines a group of ICMP types such as echo and echo-reply. After entering the main object-group icmp-type command, add ICMP objects to the ICMP type group with the icmp-object and the group-object commands.

network

Defines a group of hosts or subnet IP addresses. After entering the main object-group network command, add network objects to the network group with the network-object and the group-object commands.

obj_grp_id

Identifies the object group (one to 64 characters) and can be any combination of letters, digits, and the "_", "-", "." characters.

protocol

Defines a group of protocols such as TCP and UDP. After entering the main object-group protocol command, add protocol objects to the protocol group with the protocol-object and the group-object commands.

service

Defines a group of TCP/UDP port specifications such as "eq smtp" and "range 2000 2010." After entering the main object-group service command, add port objects to the service group with the port-object and the group-object commands.

tcp

Specifies that service group is used for TCP.

tcp-udp

Specifies that service group can be used for TCP and UDP.

udp

Specifies that service group is used for UDP.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Global configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

Objects such as hosts, protocols, or services can be grouped, and then you can issue a single command using the group name to apply to every item in the group.

When you define a group with the object-group command and then use any FWSM command, the command applies to every item in that group. This feature can significantly reduce your configuration size.

Once you define an object group, you must use the object-group keyword before the group name in all applicable FWSM commands as follows:

hostname# show running-config object-group group_name

where group_name is the name of the group.

This example shows the use of an object group once it is defined:

hostname(config)# access-list access_list_name permit tcp any object-group group_name

In addition, you can group access list command arguments:

Individual Arguments
Object Group Replacement

protocol

object-group protocol

host and subnet

object-group network

service

object-group service

icmp_type

object-group icmp_type


You can group commands hierarchically; an object group can be a member of another object group.

To use object groups, you must do the following:

Use the object-group keyword before the object group name in all commands as follows:

hostname(config)# access-list acl permit tcp object-group remotes object-group locals 
object-group eng_svc

where remotes and locals are sample object group names.

The object group must be nonempty.

You cannot remove or empty an object group if it is currently being used in a command.

After you enter a main object-group command, the command mode changes to its corresponding mode. The object group is defined in the new mode. The active mode is indicated in the command prompt format. For example, the prompt in the configuration terminal mode appears as follows:

hostname(config)#

where hostname is the name of the FWSM.

However, when you enter the object-group command, the prompt appears as follows:

hostname(config-type)#

where hostname is the name of the FWSM, and type is the object-group type.

Use the exit, quit, or any valid config-mode commands such as access-list to close an object-group mode and exit the object-group main command.

The show running-config object-group command displays all defined object groups by their grp_id when the show running-config object-group grp_id command is entered, and by their group type when you enter the show running-config object-group grp_type command. When you enter the show running-config object-group command without an argument, all defined object groups are shown.

Use the clear configure object-group command to remove a group of previously defined object-group commands. Without an argument, the clear configure object-group command lets you to remove all defined object groups that are not being used in a command. The grp_type argument removes all defined object groups that are not being used in a command for that group type only.

You can use all other FWSM commands in an object-group mode, including the show running-config and clear configure commands.

Commands within the object-group mode appear indented when displayed or saved by the show running-config object-group, write, or config commands.

Commands within the object-group mode have the same command privilege level as the main command.

When you use more than one object group in an access-list command, the elements of all object groups that are used in the command are linked together, starting with the elements of the first group with the elements of the second group, then the elements of the first and second groups together with the elements of the third group, and so on.

The starting position of the description text is the character right after the white space (a blank or a tab) following the description keyword.

Examples

The following example shows how to use the object-group icmp-type mode to create a new icmp-type object group:

hostname(config)# object-group icmp-type icmp-allowed
hostname(config-icmp-type)# icmp-object echo
hostname(config-icmp-type)# icmp-object time-exceeded
hostname(config-icmp-type)# exit

The following example shows how to use the object-group network command to create a new network object group:

hostname(config)# object-group network sjc_eng_ftp_servers
hostname(config-network)# network-object host sjc.eng.ftp.servcers 
hostname(config-network)# network-object host 172.23.56.194 
hostname(config-network)# network-object 192.1.1.0 255.255.255.224 
hostname(config-network)# exit

The following example shows how to use the object-group network command to create a new network object group and map it to an existing object-group:

hostname(config)# object-group network sjc_ftp_servers
hostname(config-network)# network-object host sjc.ftp.servers 
hostname(config-network)# network-object host 172.23.56.195 
hostname(config-network)# network-object 193.1.1.0 255.255.255.224 
hostname(config-network)# group-object sjc_eng_ftp_servers 
hostname(config-network)# exit

The following example shows how to use the object-group protocol mode to create a new protocol object group:

hostname(config)# object-group protocol proto_grp_1
hostname(config-protocol)# protocol-object udp
hostname(config-protocol)# protocol-object ipsec
hostname(config-protocol)# exit

hostname(config)# object-group protocol proto_grp_2
hostname(config-protocol)# protocol-object tcp
hostname(config-protocol)# group-object proto_grp_1
hostname(config-protocol)# exit

The following example shows how to use the object-group service mode to create a new port (service) object group:

hostname(config)# object-group service eng_service tcp
hostname(config-service)# group-object eng_www_service
hostname(config-service)# port-object eq ftp
hostname(config-service)# port-object range 2000 2005
hostname(config-service)# exit

The following example shows how to add and remove a text description to an object group:

hostname(config)# object-group protocol protos1
hostname(config-protocol)# description This group of protocols is for our internal network

hostname(config-protocol)# show running-config object-group id protos1
object-group protocol protos1
description: This group of protocols is for our internal network

hostname(config-protocol)# no description
hostname(config-protocol)# show running-config object-group id protos1
object-group protocol protos1

The following example shows how to use the group-object mode to create a new object group that consists of previously defined objects:

hostname(config)# object-group network host_grp_1
hostname(config-network)# network-object host 192.168.1.1
hostname(config-network)# network-object host 192.168.1.2
hostname(config-network)# exit

hostname(config)# object-group network host_grp_2
hostname(config-network)# network-object host 172.23.56.1
hostname(config-network)# network-object host 172.23.56.2
hostname(config-network)# exit

hostname(config)# object-group network all_hosts
hostname(config-network)# group-object host_grp_1
hostname(config-network)# group-object host_grp_2
hostname(config-network)# exit

hostname(config)# access-list grp_1 permit tcp object-group host_grp_1 any eq ftp
hostname(config)# access-list grp_2 permit tcp object-group host_grp_2 any eq smtp
hostname(config)# access-list all permit tcp object-group all_hosts any eq www

Without the group-object command, you need to define the all_hosts group to include all the IP addresses that have already been defined in host_grp_1 and host_grp_2. With the group-object command, the duplicated definitions of the hosts are eliminated.

The following examples show how to use object groups to simplify the access list configuration:

hostname(config)# object-group network remote
hostname(config-network)# network-object host kqk.suu.dri.ixx
hostname(config-network)# network-object host kqk.suu.pyl.gnl

hostname(config)# object-group network locals
hostname(config-network)# network-object host 172.23.56.10
hostname(config-network)# network-object host 172.23.56.20
hostname(config-network)# network-object host 172.23.56.194
hostname(config-network)# network-object host 172.23.56.195

hostname(config)# object-group service eng_svc ftp
hostname(config-service)# port-object eq www
hostname(config-service)# port-object eq smtp
hostname(config-service)# port-object range 25000 25100

This grouping enables the access list to be configured in 1 line instead of 24 lines, which would be needed if no grouping is used. Instead, with the grouping, the access list configuration is as follows:

hostname(config)# access-list acl permit tcp object-group remote object-group locals 
object-group eng_svc


Note The show running-config object-group and write commands allow you to display the access list as configured with the object group names. The show access-list command displays the access list entries that are expanded out into individual entries without their object groupings.


Related Commands

Command
Description

clear configure object-group

Removes all the object group commands from the configuration.

group-object

Adds network object groups.

network-object

Adds a network object to a network object group.

port-object

Adds a port object to a service object group.

show running-config object-group

Displays the current object groups.


ospf authentication

To enable the use of OSPF authentication, use the ospf authentication command in interface configuration mode. To restore the default authentication stance, use the no form of this command.

ospf authentication [message-digest | null]

no ospf authentication

Syntax Description

message-digest

(Optional) Specifies to use OSPF message digest authentication.

null

(Optional) Specifies to not use OSPF authentication.


Defaults

By default, OSPF authentication is not enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

Before using the ospf authentication command, configure a password for the interface using the ospf authentication-key command. If you use the message-digest keyword, configure the message-digest key for the interface with the ospf message-digest-key command.

For backward compatibility, authentication type for an area is still supported. If the authentication type is not specified for an interface, the authentication type for the area will be used (the area default is null authentication).

When this command is used without any options, simple password authentication is enabled.

Examples

The following example shows how to enable simple password authentication for OSPF on the selected interface:

hostname(config-if)# ospf authentication
hostname(config-if)# 

Related Commands

Command
Description

ospf authentication-key

Specifies the password used by neighboring routing devices.

ospf message-digest-key

Enables MD5 authentication and specifies the MD5 key.


ospf authentication-key

To specify the password used by neighboring routing devices, use the ospf authentication-key command in interface configuration mode. To remove the password, use the no form of this command.

ospf authentication-key password

no ospf authentication-key

Syntax Description<

password

Assigns an OSPF authentication password for use by neighboring routing devices. The password must be less than 9 characters. You can include blank space between two characters. Spaces at the beginning or end of the password are ignored.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The password created by this command is used as a key that is inserted directly into the OSPF header when routing protocol packets are originated. A separate password can be assigned to each network on a per-interface basis. All neighboring routers on the same network must have the same password to be able to exchange OSPF information.

ExamplesNote

The following example shows how to specify a password for OSPF authentication:

hostname(config-if)# ospf authentication-key ThisMyPW

Related Commands

Command
Description

area authentication

Enables OSPF authentication for the specified area.

ospf authentication

Enables the use of OSPF authentication.


ospf cost

To specify the cost of sending a packet through the interface, use the ospf cost command in interface configuration mode. To reset the interface cost to the default value, use the no form of this command.

ospf cost interface_cost

no ospf cost

Syntax Description

interface_cost

The cost (a link-state metric) of sending a packet through an interface. This is an unsigned integer value from 0 to 65535. 0 represents a network that is directly connected to the interface, and the higher the interface bandwidth, the lower the associated cost to send packets across that interface. In other words, a large cost value represents a low bandwidth interface and a small cost value represents a high bandwidth interface.

The OSPF interface default cost on the FWSM is 10. This default differs from Cisco IOS software, where the default cost is 1 for fast Ethernet and Gigabit Ethernet and 10 for 10BaseT. This is important to take into account if you are using ECMP in your network.


Defaults

The default interface_cost is 10.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The ospf cost command lets you explicitly specify the cost of sending a packet on an interface. The interface_cost parameter is an unsigned integer value from 0 to 65535.

The no ospf cost command lets you reset the path cost to the default value.

Examples

The following example show how to specify the cost of sending a packet on the selected interface:

hostname(config-if)# ospf cost 4

Related Commands

Command
Description

show running-config interface

Displays the configuration of the specified interface.


ospf database-filter all out

To filter out all outgoing LSAs to an OSPF interface during synchronization and flooding, use the ospf database-filter all out command in interface configuration mode. To restore the LSAs, use the no form of this command.

ospf database-filter all out

no ospf database-filter all out

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The ospf database-filter all out command filters outgoing LSAs to an OSPF interface. The no ospf database-filter all out command restores the forwarding of LSAs to the interface.

Examples

The following example shows how to use the ospf database-filter command to filter outgoing LSAs:

hostname(config-if)# ospf database-filter all out

Related Commands

Command
Description

show interface

Displays interface status information.


ospf dead-interval

To specify the interval before neighbors declare a router down, use the ospf dead-interval command in interface configuration mode. To restore the default value, use the no form of this command.

ospf dead-interval seconds

no ospf dead-interval

Syntax Description

seconds

The length of time during which no hello packets are seen. The default for seconds is four times the interval set by the ospf hello-interval command (which ranges from 1 to 65535).


Defaults

The default value for seconds is four times the interval set by the ospf hello-interval command.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The ospf dead-interval command lets you set the dead interval before neighbors declare the router down (the length of time during which no hello packets are seen). The seconds argument specifies the dead interval and must be the same for all nodes on the network. The default for seconds is four times the interval set by the ospf hello-interval command from 1 to 65535.

The no ospf dead-interval command restores the default interval value.

Examples

The following example sets the OSPF dead interval to 1 minute:

hostname(config-if)# ospf dead-interval 60

Related Commands

Command
Description

ospf hello-interval

Specifies the interval between hello packets sent on an interface.

show ospf interface

Displays OSPF-related interface information.


ospf hello-interval

To specify the interval between hello packets sent on an interface, use the ospf hello-interval command in interface configuration mode. To return the hello interval to the default value, use the no form of this command.

ospf hello-interval seconds

no ospf hello-interval

Syntax Description

seconds

Specifies the interval between hello packets that are sent on the interface; valid values are from 1 to 65535 seconds.


Defaults

The default value for hello-interval seconds is 10 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

This value is advertised in the hello packets. The smaller the hello interval, the faster topological changes will be detected, but more routing traffic will ensue. This value must be the same for all routers and access servers on a specific network.

Examples

The following example sets the OSPF hello interval to 5 seconds:

hostname(config-if)# ospf hello-interval 5

Related Commands

Command
Description

ospf dead-interval

Specifies the interval before neighbors declare a router down.

show ospf interface

Displays OSPF-related interface information.


ospf message-digest-key

To enable OSPF MD5 authentication, use the ospf message-digest-key command in interface configuration mode. To remove an MD5 key, use the no form of this command.

ospf message-digest-key key-id md5 key

no ospf message-digest-key

Syntax Description

key-id

Enables MD5 authentication and specifies the numerical authentication key ID number; valid values are from 1 to 255.

md5 key

Alphanumeric password of up to 16 bytes. You can include spaces between key characters. Spaces at the beginning or end of the key are ignored. MD5 authentication verifies the integrity of the communication, authenticates the origin, and checks for timeliness.


Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

The ospf message-digest-key command lets you enable MD5 authentication. The no form of the command removes an MD5 key. The key_id argument is a numerical identifier from 1 to 255 for the authentication key. The key argument is an alphanumeric password of up to 16 bytes. MD5 verifies the integrity of the communication, authenticates the origin, and checks for timeliness.

Examples

The following example shows how to specify an MD5 key for OSPF authentication:

hostname(config-if)# ospf message-digest-key 3 md5 ThisIsMyMd5Key

Related Commands

Command
Description

area authentication

Enables OSPF area authentication.

ospf authentication

Enables the use of OSPF authentication.


ospf mtu-ignore

To disable OSPF maximum transmission unit (MTU) mismatch detection on receiving database packets, use the ospf mtu-ignore command in interface configuration mode. To restore MTU mismatch detection, use the no form of this command.

ospf mtu-ignore

no ospf mtu-ignore

Syntax Description

This command has no arguments or keywords.

Defaults

By default, ospf mtu-ignore is enabled.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

OSPF checks whether neighbors are using the same MTU on a common interface. This check is performed when neighbors exchange Database Descriptor (DBD) packets. If the receiving MTU in the DBD packet is higher than the IP MTU configured on the incoming interface, OSPF adjacency will not be established.The ospf mtu-ignore command disables OSPF MTU mismatch detection on receiving DBD packets. It is enabled by default.

Examples

The following example shows how to disable the ospf mtu-ignore command:

hostname(config-if)# ospf mtu-ignore

Related Commands

Command
Description

show interface

Displays interface status information.


ospf network point-to-point non-broadcast

To configure the OSPF interface as a point-to-point, non-broadcast network, use the ospf network point-to-point non-broadcast command in interface configuration mode. To remove this command from the configuration, use the no form of this command. The ospf network point-to-point non-broadcast command lets you to transmit OSPF routes over VPN tunnels.

ospf network point-to-point non-broadcast

no ospf network point-to-point non-broadcast

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

3.1(1)

This command was introduced.


Usage Guidelines

When the interface is specified as point-to-point, the OSPF neighbors have to be manually configured; dynamic discovery is not possible. To manually configure OSPF neighbors, use the neighbor command in router configuration mode.

When an interface is configured as point-to-point, the following restrictions apply:

You can define only one neighbor for the interface.

You need to define a static route pointing to the crypto endpoint.

The interface cannot form adjacencies unless neighbors are configured explicitly.

If OSPF over the tunnel is running on the interface, regular OSPF with an upstream router cannot be run on the same interface.

You should bind the crypto-map to the interface before specifying the OSPF neighbor to ensure that the OSPF updates are passed through the VPN tunnel. If you bind the crypto-map to the interface after specifying the OSPF neighbor, use the clear local-host all command to clear OSPF connections so the OSPF adjacencies can be established over the VPN tunnel.

Examples

The following example shows how to configure the selected interface as a point-to-point, non-broadcast interface:

hostname(config-if)# ospf network point-to-point non-broadcast
hostname(config-if)#

Related Commands

Command
Description

neighbor

Specifies manually configured OSPF neighbors.

show interface

Displays interface status information.


ospf priority

To change the OSPF router priority, use the ospf priority command in interface configuration mode. To restore the default priority, use the no form of this command.

ospf priority number

no ospf priority [number]

Syntax Description

number

Specifies the priority of the router; valid values are from 0 to 255.


Defaults

The default value for number is 1.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

When two routers attached to a network both attempt to become the designated router, the one with the higher router priority takes precedence. If there is a tie, the router with the higher router ID takes precedence. A router with a router priority set to zero is ineligible to become the designated router or backup designated router. Router priority is configured only for interfaces to multiaccess networks (in other words, not to point-to-point networks).

Examples

The following example shows how to change the OSPF priority on the selected interface:

hostname(config-if)# ospf priority 4
hostname(config-if)# 

Related Commands

Command
Description

show ospf interface

Displays OSPF-related interface information.


ospf retransmit-interval

To specify the time between LSA retransmissions for adjacencies belonging to the interface, use the ospf retransmit-interval command in interface configuration mode. To restore the default value, use the no form of this command.

ospf retransmit-interval seconds

no ospf retransmit-interval [seconds]

Syntax Description

seconds

Specifies the time between LSA retransmissions for adjacent routers belonging to the interface; valid values are from 1 to 65535 seconds.


Defaults

The default value of retransmit-interval seconds is 5 seconds.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

When a router sends an LSA to its neighbor, it keeps the LSA until it receives the acknowledgment message. If the router receives no acknowledgment, it will resend the LSA.

The setting of this parameter should be conservative, or needless retransmission will result. The value should be larger for serial lines and virtual links.

Examples

The following example shows how to change the retransmit interval for LSAs:

hostname(config-if)# ospf retransmit-interval 15
hostname(config-if)# 

Related Commands

Command
Description

show ospf interface

Displays OSPF-related interface information.


ospf transmit-delay

To set the estimated time required to send a link-state update packet on the interface, use the ospf transmit-delay command in interface configuration mode. To restore the default value, use the no form of this command.

ospf transmit-delay seconds

no ospf transmit-delay [seconds]

Syntax Description

seconds

Sets the estimated time required to send a link-state update packet on the interface. The default value is 1 second with a range from 1 to 65535 seconds.


Defaults

The default value of seconds is 1 second.

Command Modes

The following table shows the modes in which you can enter the command:

Command Mode
Firewall Mode
Security Context
Routed
Transparent
Single
Multiple
Context
System

Interface configuration


Command History

Release
Modification

1.1(1)

This command was introduced.


Usage Guidelines

LSAs in the update packet must have their ages incremented by the amount specified in the seconds argument before transmission. The value assigned should take into account the transmission and propagation delays for the interface.

If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. This setting has more significance on very low-speed links.

Examples

The following example sets the transmit delay to 3 seconds for the selected interface:

hostname(config-if)# ospf restransmit-delay 3
hostname(config-if)#

Related Commands

Command
Description

show ospf interface

Displays OSPF-related interface information.