Table Of Contents
IP Commands
access-class
access-list (standard)
access-list (extended)
arp (global)
arp (interface)
arp timeout
clear access-list counters
clear arp-cache
clear host
clear ip accounting
clear ip nhrp
clear ip route
dnsix-dmdp retries
dnsix-nat authorized-redirection
dnsix-nat primary
dnsix-nat secondary
dnsix-nat source
dnsix-nat transmit-count
ip access-group
ip accounting
ip accounting-list
ip accounting-threshold
ip accounting-transits
ip address
ip broadcast-address
ip cache-invalidate-delay
ip classless
ip default-gateway
ip directed-broadcast
ip domain-list
ip domain-lookup
ip domain-name
ip forward-protocol
ip forward-protocol any-local-broadcast
ip gdp gdp
ip gdp igrp
ip gdp irdp
ip gdp rip
ip helper-address
ip host
ip hp-host
ip mask-reply
ip mtu
ip name-server
ip netmask-format
ip nhrp authentication
ip nhrp holdtime
ip nhrp interest
ip nhrp map
ip nhrp map multicast
ip nhrp network-id
ip nhrp nhs
ip nhrp record
ip nhrp responder
ip probe proxy
ip proxy-arp
ip redirects
ip route-cache
ip routing
ip security add
ip security aeso
ip security dedicated
ip security eso-info
ip security eso-max
ip security eso-min
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip
ip source-route
ip subnet-zero
ip tcp compression-connections
ip tcp header-compression
ip tcp synwait-time
ip unnumbered
ip unreachables
ping (privileged)
ping (user)
show access-lists
show arp
show dnsix
show hosts
show ip access-list
show ip accounting
show ip aliases
show ip arp
show ip cache
show ip interface
show ip masks
show ip nhrp
show ip nhrp traffic
show ip redirects
show ip route
show ip route summary
show ip tcp header-compression
show ip traffic
show standby
standby authentication
standby ip
standby preempt
standby priority
standby timers
standby track
term ip netmask-format
trace (user)
trace (privileged)
IP Commands
The Internet Protocol (IP) is a packet-based protocol used to exchange data over computer networks. IP handles addressing, fragmentation, reassembly, and protocol demultiplexing. It is the foundation on which all other Internet protocols, collectively referred to as the Internet Protocol suite, are built. IP is a network-layer protocol that contains addressing information and some control information that allows data packets to be routed.
The Transmission Control Protocol (TCP) is built upon the IP layer. TCP is a connection-oriented protocol that specifies the format of data and acknowledgments used in the transfer of data. TCP also specifies the procedures that the computers use to ensure that the data arrives correctly. TCP allows multiple applications on a system to communicate concurrently because it handles all demultiplexing of the incoming traffic among the application programs.
Use the commands in this chapter to configure and monitor IP networks. For IP protocol configuration information and examples, refer to the chapter "Configuring IP" in the Access and Communication Servers Configuration Guide.
access-class
To restrict incoming and outgoing connections between a particular virtual terminal line (into a Cisco device) and the addresses in an access list, use the access-class line configuration command. To remove access restrictions, use the no form of this command.
access-class access-list-number {in | out}
no access-class access-list-number {in | out}
Syntax Description
access-list-number
    Number of an access list. This is a decimal number from 1 through 99.
in
    Restricts incoming connections between a particular Cisco device and the addresses in the access list.
out
    Restricts outgoing connections between a particular Cisco device and the addresses in the access list.
Default
No access lists are defined.
Command Mode
Line configuration
Usage Guidelines
Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them.
To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.
Examples
The following example defines an access list that permits only hosts on network 192.168.55.0 to connect to the virtual terminal ports on the access server:
access-list 12 permit 192.168.55.0 0.0.0.255
The following example defines an access list that denies connections to networks other than network 10.36.0.0 on terminal lines 1 through 5:
access-list 10 permit 10.36.0.0 0.255.255.255
Related Command
A dagger (†) indicates that the command is documented in another chapter.
show line †
access-list (standard)
To define a standard IP access list, use the standard version of the access-list global configuration command. To remove a standard access list, use the no form of this command.
access-list access-list-number {deny | permit} source [source-wildcard]
no access-list access-list-number
Caution
Enhancements to this command are backward compatible; migrating from existing releases to Cisco IOS Release 10.3 will convert your access lists automatically. However, releases prior to Cisco IOS Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Cisco IOS Release 10.3, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images.
Syntax Description
access-list-number
    Number of an access list. This is a decimal number from 1 through 99.
deny
    Denies access if the conditions are matched.
permit
    Permits access if the conditions are matched.
source
    Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:
    • Use a 32-bit quantity in four-part dotted-decimal format.
    • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
source-wildcard
    (Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:
    • Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.
    • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
Default
The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.
Command Mode
Global configuration
Usage Guidelines
Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.
You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict the contents of routing updates.
Use the show access-lists EXEC command to display the contents of all access lists.
Use the show ip access-list EXEC command to display the contents of one access list.
Examples
The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.5.34.0 0.0.0.255
access-list 1 permit 172.28.0.0 0.0.255.255
access-list 1 permit 10.36.0.0 0.255.255.255
! (Note: all other access implicitly denied)
To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeroes. Thus, the following two configuration commands are identical in effect:
access-list 2 permit 10.48.0.3
access-list 2 permit 10.48.0.3 0.0.0.0
Related Commands
A dagger (†) indicates that the command is documented in another chapter.
access-class
access-list (extended)
distribute-list †
ip access-group
priority-list †
queue-list †
show access-lists
show ip access-list
access-list (extended)
To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access lists, use the no form of this command.
access-list access-list-number {deny | permit} protocol source source-wildcard destination
destination-wildcard [precedence precedence] [tos tos]
no access-list access-list-number
For ICMP, you can also use the following syntax:
access-list access-list-number {deny | permit} icmp source source-wildcard destination
destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence]
[tos tos]
For IGMP, you can also use the following syntax:
access-list access-list-number {deny | permit} igmp source source-wildcard destination
destination-wildcard [igmp-type] [precedence precedence] [tos tos]
For TCP, you can also use the following syntax:
access-list access-list-number {deny | permit} tcp source source-wildcard
[operator port [port]] destination destination-wildcard
[operator port [port]] [established] [precedence precedence] [tos tos]
For UDP, you can also use the following syntax:
access-list access-list-number {deny | permit} udp source source-wildcard
[operator port [port]] destination destination-wildcard
[operator port [port]] [precedence precedence] [tos tos] [log]
Caution
Enhancements to this command are backward compatible; migrating from existing releases to Cisco IOS Release 10.3 will convert your access lists automatically. However, releases prior to Cisco IOS Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Cisco IOS Release 10.3, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images.
Syntax Description
access-list-number
    Number of an access list. This is a decimal number from 100 through 199.
deny
    Denies access if the conditions are matched.
permit
    Permits access if the conditions are matched.
protocol
    Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip. Some protocols allow further qualifiers described below.
source
    Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
    • Use a 32-bit quantity in four-part dotted-decimal format.
    • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
    • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
source-wildcard
    Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:
    • Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.
    • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
    • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
destination
    Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
    • Use a 32-bit quantity in four-part dotted-decimal format.
    • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
    • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
destination-wildcard
    Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
    • Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.
    • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
    • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
precedence precedence
    (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in Table 17-1 in the Usage Guidelines section for this command.
tos tos
    (Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in Table 17-1 in the Usage Guidelines section for this command.
icmp-type
    (Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code
    (Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message
    (Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the Usage Guidelines section for this command.
igmp-type
    (Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the Usage Guidelines section for this command.
operator
    (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
    If the operator is positioned after the source and source-wildcard, it must match the source port.
    If the operator is positioned after the destination and destination-wildcard, it must match the destination port.
    The range operator requires two port numbers. All other operators require one port number.
port
    (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names are listed in the section "Usage Guidelines." TCP port names can only be used when filtering TCP. UDP port names are listed in the section "Usage Guidelines." UDP port names can only be used when filtering UDP.
established
    (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case enables the initial TCP datagram to form a connection.
log
    (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
    The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Default
An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.
Command Mode
Global configuration
Usage Guidelines
You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict contents of routing updates. The access server stops checking the extended access list after a match occurs.
Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match against the TCP source port, the type of service value, or the packet's precedence.
Note
After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.
The following is a list of precedence names.
• critical
• flash
• flash-override
• immediate
• internet
• network
• priority
• routine
The following is a list of type of service (tos) names.
• max-reliability
• max-throughput
• min-delay
• min-monetary-cost
• normal
The following is a list of ICMP message type names and ICMP message type and code names.
• administratively-prohibited
• alternate-address
• conversion-error
• dod-host-prohibited
• dod-net-prohibited
• echo
• echo-reply
• general-parameter-problem
• host-isolated
• host-precedence-unreachable
• host-redirect
• host-tos-redirect
• host-tos-unreachable
• host-unknown
• host-unreachable
• information-reply
• information-request
• mask-reply
• mask-request
• mobile-redirect
• net-redirect
• net-tos-redirect
• net-tos-unreachable
• net-unreachable
• network-unknown
• no-room-for-option
• option-missing
• packet-too-big
• parameter-problem
• port-unreachable
• precedence-unreachable
• protocol-unreachable
• reassembly-timeout
• redirect
• router-advertisement
• router-solicitation
• source-quench
• source-route-failed
• time-exceeded
• timestamp-reply
• timestamp-request
• traceroute
• ttl-exceeded
• unreachable
The following is a list of IGMP message names.
• dvmrp
• host-query
• host-report
• pim
• trace
The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.
• bgp
• chargen
• daytime
• discard
• domain
• echo
• finger
• ftp
• ftp-data
• gopher
• hostname
• irc
• klogin
• kshell
• lpd
• nntp
• pop2
• pop3
• smtp
• sunrpc
• syslog
• tacacs-ds
• talk
• telnet
• time
• uucp
• whois
• www
The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers that correspond to these protocols can also be found by typing a ? in the place of a port number.
• biff
• bootpc
• bootps
• discard
• dns
• dnsix
• echo
• mobile-ip
• nameserver
• netbios-dgm
• netbios-ns
• ntp
• rip
• snmp
• snmptrap
• sunrpc
• syslog
• tacacs-ds
• talk
• tftp
• time
• who
• xdmcp
Examples
In the following example, serial interface 0 is part of a Class B network with the address 172.28.0.0, and the mail host's address is 172.28.1.2. The keyword established is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 172.28.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 172.28.1.2 0.0.0.0 eq 25
The following example also permits DNS packets and ICMP echo and echo-reply packets:
access-list 102 permit tcp any 172.28.0.0 0.0.255.255 established
access-list 102 permit tcp any host 172.28.1.2 eq smtp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
The following examples show how wildcard bits are used to indicate the bits of the prefix or mask that are relevant. They are similar to the bitmasks that are used with normal access lists. Prefix/mask bits corresponding to wildcard bits set to 1 are ignored during comparisons, and prefix/mask bits corresponding to wildcard bits set to 0 are used in the comparison.
In the following example, permit 192.108.0.0 255.255.0.0 but deny any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0).
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
In the following example, permit 131.108.0/24 but deny 131.108/16 and all other subnets of 131.108.0.0.
access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
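As an added example (not part of the Cisco documentation), the following Python models the matching rules described above for the standard list 1, the extended list 102 and the route-filtering list 101: wildcard masks where a 1 bit means "ignore", first match wins, the implicit deny at the end, and the established keyword. The port-name and ICMP-name tables are an assumed subset of the names listed above, and the configuration string and packets are constructed from the page's examples.

```python
"""Cisco-style IP access-list matcher (added example, not Cisco IOS code).
Models the page's rules: wildcard bit 1 = ignore that bit, first match wins,
implicit deny at the end. CONFIG below is built from the page's own examples."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")
PORT_NAMES = {"smtp": 25, "domain": 53, "telnet": 23, "www": 80}  # assumed subset
ICMP_TYPES = {"echo": 8, "echo-reply": 0}                          # RFC 792 types

def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True when addr equals base in every bit whose wildcard bit is 0."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    return (a | w) == (b | w)

@dataclass
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str = "ip"             # "ip" matches every IP protocol
    src: Tuple[str, str] = ANY       # (address, wildcard)
    dst: Tuple[str, str] = ANY       # standard lists leave this as ANY
    dport: Optional[int] = None      # eq <port> after the destination
    established: bool = False        # TCP only: ACK or RST must be set
    icmp_type: Optional[int] = None

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    dport: int = 0
    ack_or_rst: bool = False
    icmp_type: int = -1

def _parse_addr(t, i):
    """Read an address spec (any | host A | A W | A) starting at t[i]."""
    if t[i] == "any":
        return ANY, i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    if i + 1 < len(t) and t[i + 1].replace(".", "").isdigit():  # dotted quad
        return (t[i], t[i + 1]), i + 2
    return (t[i], "0.0.0.0"), i + 1  # omitted wildcard means "this host only"

def parse_entry(line: str):
    """Parse one access-list statement into (list number, Entry)."""
    t = line.split()
    if len(t) < 4 or t[0] != "access-list" or t[2] not in ("permit", "deny"):
        raise ValueError(f"not an access-list statement: {line!r}")
    number, e = int(t[1]), Entry(action=t[2])
    if number < 100:                 # standard list: source address only
        e.src, _ = _parse_addr(t, 3)
        return number, e
    e.protocol = t[3]                # extended list: protocol keyword first
    e.src, i = _parse_addr(t, 4)
    e.dst, i = _parse_addr(t, i)
    while i < len(t):                # optional qualifiers
        if t[i] == "eq":
            e.dport, i = PORT_NAMES.get(t[i + 1]) or int(t[i + 1]), i + 2
        elif t[i] == "established":
            e.established, i = True, i + 1
        elif e.protocol == "icmp" and t[i] in ICMP_TYPES:
            e.icmp_type, i = ICMP_TYPES[t[i]], i + 1
        else:
            raise ValueError(f"unsupported qualifier {t[i]!r} in {line!r}")
    return number, e

def load(config: str) -> dict:
    """Group statements by list number; new lines append to the end, as on IOS."""
    lists = {}
    for line in filter(None, map(str.strip, config.splitlines())):
        number, entry = parse_entry(line)
        lists.setdefault(number, []).append(entry)
    return lists

def entry_matches(e: Entry, p: Packet) -> bool:
    return (e.protocol in ("ip", p.protocol)
            and wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)
            and (e.dport is None or p.dport == e.dport)
            and (not e.established or p.ack_or_rst)
            and (e.icmp_type is None or p.icmp_type == e.icmp_type))

def evaluate(acl, p: Packet) -> str:
    """First matching entry decides; with no match the implicit deny applies."""
    return next((e.action for e in acl if entry_matches(e, p)), "deny")

CONFIG = """
access-list 1 permit 192.5.34.0 0.0.0.255
access-list 1 permit 172.28.0.0 0.0.255.255
access-list 1 permit 10.36.0.0 0.255.255.255
access-list 102 permit tcp any 172.28.0.0 0.0.255.255 established
access-list 102 permit tcp any host 172.28.1.2 eq smtp
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
"""
```

For the route-filter list 101, the route prefix is passed as the packet source and its mask as the destination, which is how the distribute-list usage above reads the two address pairs.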
Related Commands
A dagger (†) indicates that the command is documented in another chapter.
access-class
access-list (standard)
distribute-list †
ip access-group
priority-list †
queue-list †
show access-lists
show ip access-list
arp (global)
To add a permanent entry in the ARP cache, use the arp global configuration command. To remove an entry from the ARP cache, use the no form of this command.
arp ip-address hardware-address type [alias]
no arp ip-address hardware-address type [alias]
Syntax Description
ip-address
    IP address in four-part dotted-decimal format corresponding to the local data link address.
hardware-address
    Local data link address (a 48-bit address).
type
    Encapsulation description. For Ethernet interfaces, this is typically the arpa keyword. For Token Ring interfaces, this is always snap.
alias
    (Optional) Indicates that the access server should respond to ARP requests as if it were the owner of the specified address.
Default
No entries are permanently installed in the ARP cache.
Command Mode
Global configuration
Usage Guidelines
The access server uses ARP cache entries to translate 32-bit Internet Protocol addresses into 48-bit hardware addresses.
Because most hosts support dynamic resolution, you generally do not need to specify static ARP cache entries.
To remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.
Example
The following is an example of a static ARP entry for a typical Ethernet host:
arp 192.168.7.19 0800.0900.1834 arpa
Related Command
clear arp-cache
arp (interface)
To control the interface-specific handling of IP address resolution into 48-bit Ethernet, FDDI, and Token Ring hardware addresses, use the arp interface configuration command. To disable an encapsulation type, use the no form of this command.
arp {arpa | probe | snap}
no arp {arpa | probe | snap}
Syntax Description
arpa
    Standard Ethernet-style ARP (RFC 826)
probe
    HP Probe protocol for IEEE-802.3 networks
snap
    ARP packets conforming to RFC 1042
Default
Standard Ethernet-style ARP
Command Mode
Interface configuration
Usage Guidelines
Unlike most commands that take multiple arguments, arguments to the arp command are not mutually exclusive. Each command enables or disables a specific type of ARP. For example, if you enter the arp arpa command followed by the arp probe command, the access server would send three (two for probe and one for arpa) packets each time it needed to discover a MAC address.
The arp probe command allows the access server to use the Probe protocol (in addition to ARP) whenever it attempts to resolve an IEEE-802.3 or Ethernet local data link address. The subset of Probe that performs address resolution is called Virtual Address Request and Reply. Using Probe, the access server can communicate transparently with Hewlett-Packard IEEE-802.3 hosts that use this type of data encapsulation.
Note
Cisco's HP Probe proxy support changed as of Software Release 8.3(2) and subsequent software releases. The no arp probe command is now the default. All interfaces that will use Probe must now be explicitly configured for arp probe.
The show interfaces EXEC command displays the type of ARP being used on a particular interface. To remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.
Example
The following example enables probe services:
Related Commands
A dagger (†) indicates that the command is documented in another chapter.
clear arp-cache
show interfaces †
arp timeout
To configure how long an entry remains in the ARP cache, use the arp timeout interface configuration command. To restore the default value, use the no form of this command.
arp timeout seconds
no arp timeout seconds
Syntax Description
seconds
    Time, in seconds, that an entry remains in the ARP cache. A value of zero means that entries are never cleared from the cache.
Default
14400 seconds (4 hours)
Command Mode
Interface configuration
Usage Guidelines
This command is ignored when issued on interfaces that do not use ARP. The show interfaces EXEC command displays the ARP timeout value. The value follows the "Entry Timeout:" heading, as seen in this sample show interfaces display:
ARP type: ARPA, PROBE, Entry Timeout: 14400 sec
Example
The following example illustrates how to set the ARP timeout to 12000 seconds to allow entries to time out more quickly than the default:
Related Command
A dagger (†) indicates that the command is documented in another chapter.
show interfaces †
clear access-list counters
To clear the counters of an access list, use the clear access-list counters EXEC command.
clear access-list counters access-list-number
Syntax Description
access-list-number
    Access list number from 0 to 1199 for which to clear the counters.
Command Mode
EXEC
Usage Guidelines
Some access lists keep counters that count the number of packets that pass each line of an access list. The show access-lists command displays the counters as a number of matches. Use the clear access-list counters command to restart the counters for a particular access list to 0.
Example
The following example clears the counters for access list 101:
clear access-list counters 101
Related Command
show access-lists
clear arp-cache
To delete all dynamic entries from the ARP cache, to clear the fast-switching cache, and to clear the IP route cache, use the clear arp-cache EXEC command.
clear arp-cache
Syntax Description
This command has no arguments or keywords.
Command Mode
EXEC
Example
The following example removes all dynamic entries from the ARP cache and clears the fast-switching cache:
Related Commands
arp (global)
arp (interface)
clear host
To delete entries from the host-name-and-address cache, use the clear host EXEC command.
clear host {name | *}
Syntax Description
name
    Particular host entry to remove.
*
    Removes all entries.
Command Mode
EXEC
Usage Guidelines
The host name entries will not be removed from NVRAM, but will be cleared in running memory.
Example
The following example clears all entries from the host name-and-address cache:
Related Commands
ip host
show hosts
clear ip accounting
To clear the active or checkpointed database when IP accounting is enabled, use the clear ip accounting EXEC command.
clear ip accounting [checkpoint]
Syntax Description
checkpoint
    (Optional) Clears the checkpointed database.
Command Mode
EXEC
Usage Guidelines
You can also clear the checkpointed database by issuing the clear ip accounting command twice in succession.
Example
The following example clears the active database when IP accounting is enabled:
Related Commands
ip accounting
ip accounting-list
ip accounting-threshold
ip accounting-transits
show ip accounting
clear ip nhrp
To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, use the clear ip nhrp EXEC command.
clear ip nhrp
Syntax Description
This command has no arguments or keywords.
Command Mode
EXEC
Usage Guidelines
This command does not clear any static (configured) IP-to-NBMA address mappings from the NHRP cache.
Example
In the following example, all dynamic entries are cleared from the NHRP cache for the interface:
Related Command
show ip nhrp
clear ip route
To delete routes from the IP routing table, use the clear ip route EXEC command.
clear ip route {network [mask] | *}
Syntax Description
network
    Network or subnet address to remove.
mask
    (Optional) Subnet address to remove.
*
    Removes all routing table entries.
Default
All entries are removed.
Command Mode
EXEC
Example
The following example removes a route to network 172.25.0.0 from the IP routing table:
clear ip route 172.25.0.0
dnsix-dmdp retries
To set the retransmit count used by the DNSIX Message Delivery Protocol (DMDP), use the dnsix-dmdp retries global configuration command. To restore the default number of retries, use the no form of this command.
dnsix-dmdp retries count
no dnsix-dmdp retries count
Syntax Description
count
    Number of times DMDP will retransmit a message. It can be a decimal integer from 0 through 200. The default is 4 retries, or until acknowledged.
Default
Retransmits messages up to 4 times, or until acknowledged.
Command Mode
Global configuration
Example
The following example sets the number of times DMDP will attempt to retransmit a message to 150:
Related Commands
dnsix-nat authorized-redirection
dnsix-nat primary
dnsix-nat secondary
dnsix-nat source
dnsix-nat transmit-count
dnsix-nat authorized-redirection
To specify the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages, use the dnsix-nat authorized-redirection global configuration command. To delete an address, use the no form of this command.
dnsix-nat authorized-redirection ip-address
no dnsix-nat authorized-redirection ip-address
Syntax Description
ip-address
    IP address of the host from which redirection requests are permitted.
Default
An empty list of addresses.
Command Mode
Global configuration
Usage Guidelines
Use multiple dnsix-nat authorized-redirection commands to specify a set of hosts that are authorized to change the destination for audit messages. Redirection requests are checked against the configured list, and if the address is not authorized the request is rejected and an audit message is generated. If no address is specified, no redirection messages are accepted.
Example
The following example specifies that the address of the collection center that is authorized to change the primary and secondary addresses is 192.168.1.1:
dnsix-nat authorized-redirection 192.168.1.1
dnsix-nat primary
To specify the IP address of the host to which DNSIX audit messages are sent, use the dnsix-nat primary global configuration command. To delete an entry, use the no form of this command.
dnsix-nat primary ip-address
no dnsix-nat primary ip-address
Syntax Description
ip-address
    IP address for the primary collection center.
Default
Messages are not sent.
Command Mode
Global configuration
Usage Guidelines
An IP address must be configured before audit messages can be sent.
Example
The following example configures an IP address as the address of the host to which DNSIX audit messages are sent:
dnsix-nat primary 192.168.1.1
dnsix-nat secondary
To specify an alternate IP address for the host to which DNSIX audit messages are sent, use the dnsix-nat secondary global configuration command. To delete an entry, use the no form of this command.
dnsix-nat secondary ip-address
no dnsix-nat secondary ip-address
Syntax Description
ip-address
    IP address for the secondary collection center.
Default
No alternate IP address is known.
Command Mode
Global configuration
Usage Guidelines
When the primary collection center is unreachable, audit messages are sent to the secondary collection center instead.
Example
The following example configures an IP address as the address of an alternate host to which DNSIX audit messages are sent:
dnsix-nat secondary 192.168.1.1
dnsix-nat source
To start the audit-writing module and to define the audit trail source address, use the dnsix-nat source global configuration command. To disable the DNSIX audit trail writing module, use the no form of this command.
dnsix-nat source ip-address
no dnsix-nat source ip-address
Syntax Description
ip-address
    Source IP address for DNSIX audit messages.
Default
Disabled
Command Mode
Global configuration
Usage Guidelines
You must issue the dnsix-nat source command before any of the other dnsix-nat commands. The configured IP address is used as the source IP address for DMDP protocol packets sent to any of the collection centers.
Example
The following example enables the audit trail writing module and specifies that the source IP address for any generated audit messages should be the same as the primary IP address of Ethernet interface 0:
dnsix-nat source 172.28.2.5
interface ethernet 0
ip address 172.28.2.5 255.255.255.0
dnsix-nat transmit-count
To have the audit writing module collect multiple audit messages in the buffer before sending the messages to a collection center, use the dnsix-nat transmit-count global configuration command. To revert to the default audit message count, use the no form of this command.
dnsix-nat transmit-count count
no dnsix-nat transmit-count count
Syntax Description
count
    Number of audit messages to buffer before transmitting to the server. Integer from 1 through 200.
Default
One message is sent at a time.
Command Mode
Global configuration
Usage Guidelines
An audit message is sent as soon as the message is generated by the IP packet-processing code. The audit writing module can, instead, buffer up to several audit messages before transmitting to a collection center.
Example
The following example configures the system to buffer five audit messages before transmitting them to a collection center:
dnsix-nat transmit-count 5
ip access-group
To control access to an interface, use the ip access-group interface configuration command. To remove the specified access group, use the no form of this command.
ip access-group access-list-number {in | out}
no ip access-group access-list-number {in | out}
Syntax Description
access-list-number
    Number of an access list. This is a decimal number from 1 through 199.
in
    Filters on inbound packets.
out
    Filters on outbound packets.
Default
Entering a keyword is strongly recommended, but if a keyword is not specified, out is the default.
Command Mode
Interface configuration
Usage Guidelines
Access lists are applied on either outbound or inbound interfaces. For standard inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. For extended access lists, the router also checks the destination address against the access list. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.
For standard outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination address against the access list. If the access list permits the address, the software transmits the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.
If the specified access list does not exist, all packets are passed.
Example
The following example applies list 101 on packets outbound from Ethernet interface 0:
Related Commands
access-list (extended)
show access-lists
ip accounting
To enable IP accounting on an interface, use the ip accounting interface configuration command. To disable IP accounting, use the no form of this command.
ip accounting [access-violations]
no ip accounting [access-violations]
Syntax Description
access-violations
    (Optional) Enables IP accounting with the ability to identify IP traffic that fails IP access lists.
Default