Table Of Contents
dnsix-nat authorized-redirection
ip forward-protocol any-local-broadcast
ip forward-protocol spanning-tree
ip forward-protocol turbo-flood
ip security ignore-authorities
ip security implicit-labelling
ip tcp compression-connections
show ip tcp header-compression
IP Commands
The Internet Protocol (IP) is a packet-based protocol used to exchange data over computer networks. IP handles addressing, fragmentation, reassembly, and protocol demultiplexing. It is the foundation on which all other Internet protocols, collectively referred to as the Internet Protocol suite, are built. IP is a network-layer protocol that contains addressing information and some control information that allows data packets to be routed.
The Transmission Control Protocol (TCP) is built upon the IP layer. TCP is a connection-oriented protocol that specifies the format of data and acknowledgments used in the transfer of data. TCP also specifies the procedures that the computers use to ensure that the data arrives correctly. TCP allows multiple applications on a system to communicate concurrently because it handles all demultiplexing of the incoming traffic among the application programs.
Use the commands in this chapter to configure and monitor IP networks. For IP protocol configuration information and examples, refer to the "Configuring IP" chapter of the Configuration Fundamentals Configuration Guide.
access-class
To restrict incoming and outgoing connections between a particular virtual terminal line (into a Cisco device) and the addresses in an access list, use the access-class line configuration command. To remove access restrictions, use the no form of this command.
access-class access-list-number {in | out}
no access-class access-list-number {in | out}Syntax Description
Default
No access lists are defined.
Command Mode
Line configuration
Usage Guidelines
Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them.
To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.
Examples
The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:
access-list 12 permit 192.89.55.0 0.0.0.255line 1 5access-class 12 inThe following example defines an access list that denies connections to networks other than network 36.0.0.0 on terminal lines 1 through 5:
access-list 10 permit 36.0.0.0 0.255.255.255line 1 5access-class 10 outRelated Command
A dagger (†) indicates that the command is documented outside this chapter.
show line †
access-list (extended)
To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access lists, use the no form of this command.
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
protocol source source-wildcard destination destination-wildcard [precedence precedence]
[tos tos] [log]
no access-list access-list-numberFor ICMP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] |
icmp-message] [precedence precedence] [tos tos] [log]For IGMP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
igmp source source-wildcard destination destination-wildcard [igmp-type]
[precedence precedence] [tos tos] [log]For TCP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
tcp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [established] [precedence precedence] [tos tos] [log]For UDP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
udp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [precedence precedence] [tos tos] [log]
CautionEnhancements to this command are backward compatible; migrating from releases prior to Release 11.1 will convert your access lists automatically. However, releases prior to Release 11.1 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 11.1, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images.
Syntax Description
Default
An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.
Command Mode
Global configuration
Usage Guidelines
You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match against the TCP source port, the type of service value, or the packet's precedence.
Note
After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.
The following is a list of precedence names:
•
•
•
•
•
•
•
•
The following is a list of type of service (TOS) names:
•
•
•
•
•
The following is a list of ICMP message type names and ICMP message type and code names:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
The following is a list of IGMP message names:
•
•
•
•
•
The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Examples
In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The keyword established is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 establishedaccess-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25interface serial 0ip access-group 102 inThe following example also permit DNS packets and ICMP echo and echo reply packets:
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 establishedaccess-list 102 permit tcp any host 128.88.1.2 eq smtpaccess-list 102 permit tcp any any eq domainaccess-list 102 permit udp any any eq domainaccess-list 102 permit icmp any any echoaccess-list 102 permit icmp any any echo-replyThe following examples show how wildcardbits are used to indicate the bits of the prefix or mask that are relevant. They are similar to the bitmasks that are used with normal access-lists. Prefix/mask bits corresponding to wildcard bits set to 1 are ignored during comparisons and prefix/mask bits corresponding to wildcard bits set to 0 are used in comparison.
In the following example, permit 192.108.0.0 255.255.0.0 but deny any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0).
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0 access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255In the following example, permit 131.108.0/24 but deny 131.108/16 and all other subnets of 131.108.0.0.
access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0 accces-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255Related Commands
A dagger (†) indicates that the command is documented outside this chapter.
access-class
access-list (standard)
clear access-temp †
distribute-list in †
distribute-list out †
ip access-group
logging console †
priority-list †
queue-list †
show access-lists
show ip access-listaccess-list (standard)
To define a standard IP access list, use the standard version of the access-list global configuration command. To remove a standard access lists, use the no form of this command.
access-list access-list-number {deny | permit} source [source-wildcard]
no access-list access-list-number
CautionEnhancements to this command are backward compatible; migrating from releases prior to Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images.
Syntax Description
Default
The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.
Command Mode
Global configuration
Usage Guidelines
Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.
You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict the contents of routing updates.
Use the show access-lists EXEC command to display the contents of all access lists.
Use the show ip access-list EXEC command to display the contents of one access list.
Examples
The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.5.34.0 0.0.0.255access-list 1 permit 128.88.0.0 0.0.255.255access-list 1 permit 36.0.0.0 0.255.255.255! (Note: all other access implicitly denied)To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:
access-list 2 permit 36.48.0.3access-list 2 permit 36.48.0.3 0.0.0.0Related Commands
A dagger (†) indicates that the command is documented outside this chapter.
access-class
access-list (extended)
distribute-list in †
distribute-list out †
ip access-group
priority-list †
queue-list †
show access-lists
show ip access-listarp (global)
To add a permanent entry in the ARP cache, use the arp global configuration command. To remove an entry from the ARP cache, use the no form of this command.
arp ip-address hardware-address type [alias]
no arp ip-address hardware-address type [alias]Syntax Description
Default
No entries are permanently installed in the ARP cache.
Command Mode
Global configuration
Usage Guidelines
The Cisco IOS software uses ARP cache entries to translate 32-bit Internet Protocol (IP) addresses into 48-bit hardware addresses.
Because most hosts support dynamic resolution, you generally do not need to specify static ARP cache entries.
To remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.
Example
The following is an example of a static ARP entry for a typical Ethernet host:
arp 192.31.7.19 0800.0900.1834 arpaRelated Command
arp (interface)
To control the interface-specific handling of IP address resolution into 48-bit Ethernet, FDDI, and Token Ring hardware addresses, use the arp interface configuration command. To disable an encapsulation type, use the no form of this command.
arp {arpa | probe | snap}
no arp {arpa | probe | snap}Syntax Description
arpa
Standard Ethernet-style ARP (RFC 826).
probe
HP Probe protocol for IEEE-802.3 networks.
snap
ARP packets conforming to RFC 1042.
Default
Standard Ethernet-style ARP
Command Mode
Interface configuration
Usage Guidelines
Unlike most commands that take multiple arguments, arguments to the arp command are not mutually exclusive. Each command enables or disables a specific type of ARP. For example, if you enter the arp arpa command followed by the arp probe command, the Cisco IOS software would send three (two for probe and one for arpa) packets each time it needed to discover a MAC address.
The arp probe command allows the software to use the Probe protocol (in addition to ARP) whenever it attempts to resolve an IEEE-802.3 or Ethernet local data link address. The subset of Probe that performs address resolution is called Virtual Address Request and Reply. Using Probe, the software can communicate transparently with Hewlett-Packard IEEE-802.3 hosts that use this type of data encapsulation.
Note
The show interfaces EXEC command displays the type of ARP being used on a particular interface. To remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.
Example
The following example enables probe services:
interface ethernet 0arp probeRelated Commands
A dagger (†) indicates that the command is documented outside this chapter.
clear arp-cache
show interfaces †arp timeout
To configure how long an entry remains in the ARP cache, use the arp timeout interface configuration command. To restore the default value, use the no form of this command.
arp timeout seconds
no arp timeout secondsSyntax Description
seconds
Time, in seconds, that an entry remains in the ARP cache. A value of zero means that entries are never cleared from the cache.
Default
14400 seconds (4 hours)
Command Mode
Interface configuration
Usage Guidelines
This command is ignored when issued on interfaces that do not use ARP. The show interfaces EXEC command displays the ARP timeout value. The value follows the "Entry Timeout:" heading, as seen in this sample show interfaces display:
ARP type: ARPA, PROBE, Entry Timeout: 14400 secExample
The following example sets the ARP timeout to 12000 seconds to allow entries to time out more quickly than the default:
interface ethernet 0arp timeout 12000Related Command
A dagger (†) indicates that the command is documented outside this chapter.
show interfaces †
clear access-list counters
To clear the counters of an access list, use the clear access-list counters EXEC command.
clear access-list counters access-list-number
Syntax Description
Command Mode
EXEC
Usage Guidelines
Some access lists keep counters that count the number of packets that pass each line of an access list. The show access-lists command displays the counters as a number of matches. Use the clear access-list counters command to restart the counters for a particular access list to 0.
Example
The following example clears the counters for access list 101:
clear access-list counters 101Related Command
clear arp-cache
To delete all dynamic entries from the ARP cache, to clear the fast-switching cache, and to clear the IP route cache, use the clear arp-cache EXEC command.
clear arp-cache
Syntax Description
This command has no arguments or keywords.
Command Mode
EXEC
Example
The following example removes all dynamic entries from the ARP cache and clears the fast-switching cache:
clear arp-cacheRelated Commands
clear host
To delete entries from the host-name-and-address cache, use the clear host EXEC command.
clear host {name | *}
Syntax Description
Command Mode
EXEC
Usage Guidelines
The host name entries will not be removed from NVRAM, but will be cleared in running memory.
Example
The following example clears all entries from the host name-and-address cache:
clear host *Related Commands
clear ip accounting
To clear the active or checkpointed database when IP accounting is enabled, use the clear ip accounting EXEC command.
clear ip accounting [checkpoint]
Syntax Description
Command Mode
EXEC
Usage Guidelines
You can also clear the checkpointed database by issuing the clear ip accounting command twice in succession.
Example
The following example clears the active database when IP accounting is enabled:
clear ip accountingRelated Commands
ip accounting
ip accounting-list
ip accounting-threshold
ip accounting-transits
show ip accountingclear ip nhrp
To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, use the clear ip nhrp EXEC command.
clear ip nhrp
Syntax Description
This command has no arguments or keywords.
Command Mode
EXEC
Usage Guidelines
This command does not clear any static (configured) IP-to-NBMA address mappings from the NHRP cache.
Example
The following example clears all dynamic entries from the NHRP cache for the interface:
clear ip nhrpRelated Command
show ip nhrp
clear ip route
To delete routes from the IP routing table, use the clear ip route EXEC command.
clear ip route {network [mask] | *}
Syntax Description
network
Network or subnet address to remove.
mask
(Optional) Subnet address to remove.
*
Removes all routing table entries.
Default
All entries are removed.
Command Mode
EXEC
Example
The following example removes a route to network 132.5.0.0 from the IP routing table:
clear ip route 132.5.0.0clear ip sse
To have the route processor recompute the SSE program for IP on the Cisco 7000 series, use the clear ip sse privileged EXEC command.
clear ip sse
Syntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Privileged EXEC
Usage Guidelines
The silicon switching engine (SSE) is on the Silicon Switch Processor (SSP) board in the Cisco 7000.
This command also updates the SSE cache for IP.
Example
In the following example, the route processor recomputes the program for IP:
clear ip sseclear sse
To reinitialize the route processor on the Cisco 7000 series, use the clear sse EXEC command.
clear sse
Syntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
EXEC
Usage Guidelines
The silicon switching engine (SSE) is on the Silicon Switch Processor (SSP) board in the
Cisco 7000.Example
The following example reinitializes the route processor:
clear ssednsix-dmdp retries
To set the retransmit count used by the DNSIX Message Delivery Protocol (DMDP), use the dnsix-dmdp retries global configuration command. To restore the default number of retries, use the no form of this command.
dnsix-dmdp retries count
no dnsix-dmdp retries countSyntax Description
count
Number of times DMDP will retransmit a message. It can be a decimal integer from 0 through 200. The default is 4 retries, or until acknowledged.
Default
Retransmits messages up to 4 times, or until acknowledged
Command Mode
Global configuration
Example
The following example sets the number of times DMDP will attempt to retransmit a message to 150:
dnsix-dmdp retries 150Related Commands
dnsix-nat authorized-redirection
dnsix-nat primary
dnsix-nat secondary
dnsix-nat source
dnsix-nat transmit-countdnsix-nat authorized-redirection
To specify the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages, use the dnsix-nat authorized-redirection global configuration command. To delete an address, use the no form of this command.
dnsix-nat authorized-redirection ip-address
no dnsix-nat authorized-redirection ip-addressSyntax Description
Default
An empty list of addresses
Command Mode
Global configuration
Usage Guidelines
Use multiple dnsix-nat authorized-redirection commands to specify a set of hosts that are authorized to change the destination for audit messages. Redirection requests are checked against the configured list, and if the address is not authorized the request is rejected and an audit message is generated. If no address is specified, no redirection messages are accepted.
Example
The following example specifies that the address of the collection center that is authorized to change the primary and secondary addresses is 193.1.1.1.
dnsix-nat authorization-redirection 193.1.1.1.dnsix-nat primary
To specify the IP address of the host to which DNSIX audit messages are sent, use the dnsix-nat primary global configuration command. To delete an entry, use the no form of this command.
dnsix-nat primary ip-address
no dnsix-nat primary ip-addressSyntax Description
Default
Messages are not sent.
Command Mode
Global configuration
Usage Guidelines
An IP address must be configured before audit messages can be sent.
Example
The following example configures an IP address as the address of the host to which DNSIX audit messages are sent:
dnsix-nat primary 194.1.1.1dnsix-nat secondary
To specify an alternate IP address for the host to which DNSIX audit messages are sent, use the dnsix-nat secondary global configuration command. To delete an entry, use the no form of this command.
dnsix-nat secondary ip-address
no dnsix-nat secondary ip-addressSyntax Description
Default
No alternate IP address is known.
Command Mode
Global configuration
Usage Guidelines
When the primary collection center is unreachable, audit messages are sent to the secondary collection center instead.
Example
The following example configures an IP address as the address of an alternate host to which DNSIX audit messages are sent:
dnsix-nat secondary 193.1.1.1dnsix-nat source
To start the audit-writing module and to define audit trail source address, use the dnsix-nat source global configuration command. To disable the DNSIX audit trail writing module, use the no form of this command.
dnsix-nat source ip-address
no dnsix-nat source ip-addressSyntax Description
Default
Disabled
Command Mode
Global configuration
Usage Guidelines
You must issue the dnsix-nat source command before any of the other dnsix-nat commands. The configured IP address is used as the source IP address for DMDP protocol packets sent to any of the collection centers.
Example
The following example enables the audit trail writing module, and specifies that the source IP address for any generated audit messages should be the same as the primary IP address of Ethernet interface 0.
dnsix-nat source 128.105.2.5 interface ethernet 0 ip address 128.105.2.5 255.255.255.0dnsix-nat transmit-count
To have the audit writing module collect multiple audit messages in the buffer before sending the messages to a collection center, use the dnsix-nat transmit-count global configuration command. To revert to the default audit message count, use the no form of this command.
dnsix-nat transmit-count count
no dnsix-nat transmit-count countSyntax Description
count
Number of audit messages to buffer before transmitting to the server. Integer from 1 through 200.
Default
One message is sent at a time.
Command Mode
Global configuration
Usage Guidelines
An audit message is sent as soon as the message is generated by the IP packet-processing code. The audit writing module can, instead, buffer up to several audit messages before transmitting to a collection center.
Example
The following example configures the system to buffer five audit messages before transmitting them to a collection center:
dnsix-nat transmit-count 5ip access-group
To control access to an interface, use the ip access-group interface configuration command. To remove the specified access group, use the no form of this command.
ip access-group access-list-number {in | out}
no ip access-group access-list-number {in | out}Syntax Description
access-list-number
Number of an access list. This is a decimal number from 1 through 199.
in
Filters on inbound packets.
out
Filters on outbound packets.
Default
Entering a keyword is strongly recommended, but if a keyword is not specified, out is the default.
Command Mode
Interface configuration
Usage Guidelines
Access lists are applied on either outbound or inbound interfaces. For standard inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. If the access list permits the address, the software continues to process the packet. For extended access lists, the router also checks the destination address against the access list. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.
For standard outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination address against the access list. If the access list permits the address, the software transmits the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.
If the specified access list does not exist, all packets are passed.
When you enable outbound access lists, you automatically disable autonomous switching for that interface.When you enable input access lists on any cBus or CxBus interface, you automatically disable autonomous switching for all interfaces (with one exception; an SSE configured with simple access lists can still switch packets, on output only).
Example
The following example applies list 101 on packets outbound from Ethernet interface 0:
interface ethernet 0ip access-group 101 outRelated Commands
access-list (extended)
show access-listsip accounting
To enable IP accounting on an interface, use the ip accounting interface configuration command. To disable IP accounting, use the no form of this command.
ip accounting [access-violations]
no ip accounting [access-violations]Syntax Description
access-violations
(Optional) Enables IP accounting with the ability to identify IP traffic that fails IP access lists.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
IP accounting records the number of bytes (IP header and data) and packets switched through the system on a source and destination IP address basis. Only transit IP traffic is measured and only on an outbound basis; traffic generated by the router access server or terminating in this device is not included in the accounting statistics.
If you specify the access-violations keyword, this command provides information identifying IP traffic that fails IP access lists. Identifying IP source addresses that violate IP access lists alerts you to possible attempts to breach security. The data might also indicate that you should verify IP access list configurations. To receive a logging message on the console when an extended access list entry denies a packet access (to log violations), include the log keyword in the access-list (extended) command.
Statistics are accurate even if IP fast switching or IP access lists are being used on the interface.
IP accounting disables autonomous switching on the interface.
Example
The following example enables IP accounting on Ethernet interface 0:
interface ethernet 0ip accountingRelated Commands
access-list (extended)
clear ip accounting
ip accounting-list
ip accounting-threshold
ip accounting-transits
show ip accountingip accounting-list
To define filters to control the hosts for which IP accounting information is kept, use the ip accounting-list global configuration command. To remove a filter definition, use the no form of this command.
ip accounting-list ip-address wildcard
no ip accounting-list ip-address wildcardSyntax Description
Default
No filters are defined.
Command Mode
Global configuration
Usage Guidelines
The source and destination address of each IP datagram is logically ANDed with ones-complement of the wildcard and compared with the ip-address. If there is a match, the information about the IP datagram will be entered into the accounting database. If there is no match, the IP datagram is considered a transit datagram and will be counted according to the setting of the ip accounting-transits global configuration command.
Example
The following example adds all hosts with IP addresses beginning with 192.31 to the list of hosts for which accounting information will be kept:
ip accounting-list 192.31.0.0 0.0.255.255Related Commands
clear ip accounting
ip accounting
ip accounting-threshold
ip accounting-transits
show ip accountingip accounting-threshold
To set the maximum number of accounting entries to be created, use the ip accounting-threshold global configuration command. To restore the default number of entries, use the no form of this command.
ip accounting-threshold threshold
no ip accounting-threshold thresholdSyntax Description
threshold
Maximum number of entries (source and destination address pairs) that the Cisco IOS software accumulates.
Default
512 entries
Command Mode
Global configuration
Usage Guidelines
The accounting threshold defines the maximum number of entries (source and destination address pairs) that the software accumulates, preventing IP accounting from possibly consuming all available free memory. This level of memory consumption could occur in a router that is switching traffic for many hosts. Overflows will be recorded; see the monitoring commands for display formats.
The default accounting threshold of 512 entries results in a maximumn table size of 12928 bytes. Active and checkpointed tables can reach this size independently.
Example
The following example sets the IP accounting threshold to only 500 entries:
ip accounting-threshold 500Related Commands
clear ip accounting
ip accounting
ip accounting-list
ip accounting-transits
show ip accountingip accounting-transits
To control the number of transit records that are stored in the IP accounting database, use the ip accounting-transits global configuration command. To return to the default number of records, use the no form of this command.
ip accounting-transits count
no ip accounting-transitsSyntax Description
Default
0
Command Mode
Global configuration
Usage Guidelines
Transit entries are those that do not match any of the filters specified by ip accounting-list global configuration commands. If no filters are defined, no transit entries are possible.
To maintain accurate accounting totals, the Cisco IOS software maintains two accounting databases: an active and a checkpointed database.
Example
The following example specifies that no more than 100 transit records are stored:
ip accounting-transits 100Related Commands
clear ip accounting
ip accounting
ip accounting-list
ip accounting-threshold
show ip accountingip address
To set a primary or secondary IP address for an interface, use the ip address interface configuration command. To remove an IP address or disable IP processing, use the no form of this command.
ip address ip-address mask [secondary]
no ip address ip-address mask [secondary]Syntax Description
Default
No IP address is defined for the interface.
Command Mode
Interface configuration
Usage Guidelines
An interface can have one primary IP address and multiple secondary IP addresses. Packets generated by the Cisco IOS software always use the primary IP address. Therefore, all routers and access servers on a segment should share the same primary network number.
Hosts can determine subnet masks using the Internet Control Message Protocol (ICMP) Mask Request message. Routers respond to this request with an ICMP Mask Reply message.
You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the software detects another host using one of its IP addresses, it will print an error message on the console.
The optional keyword secondary allows you to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and ARP requests are handled properly, as are interface routes in the IP routing table.
Secondary IP addresses can be used in a variety of situations. The following are the most common applications:
•
•
•
Note
Note
To transparently bridge IP on an interface, you must do two things:
•
•
To concurrently route and transparently bridge IP on an interface, see the bridge crb command.
Example
In the following example, 131.108.1.27 is the primary address and 192.31.7.17 and 192.31.8.17 are secondary addresses for Ethernet interface 0:
interface ethernet 0ip address 131.108.1.27 255.255.255.0ip address 192.31.7.17 255.255.255.0 secondaryip address 192.31.8.17 255.255.255.0 secondaryRelated Command
A dagger (†) indicates that the command is documented outside this chapter.
bridge crb †
bridge-group †ip broadcast-address
To define a broadcast address for an interface, use the ip broadcast-address interface configuration command. To restore the default IP broadcast address, use the no form of this command.
ip broadcast-address [ip-address]
no ip broadcast-address [ip-address]Syntax Description
Default
Default address: 255.255.255.255 (all ones)
Command Mode
Interface configuration
Example
The following example specifies an IP broadcast address of 0.0.0.0:
ip broadcast-address 0.0.0.0ip cache-invalidate-delay
To control the invalidation rate of the IP route cache, use the ip cache-invalidate-delay global configuration command. To allow the IP route cache to be immediately invalidated, use the no form of this command.
ip cache-invalidate-delay [minimum maximum quiet threshold]
no ip cache-invalidate-delaySyntax Description
Default
minimum = 2 seconds
maximum = 5 seconds, and 3 seconds with no more than zero invalidation requestsCommand Mode
Global configuration
Usage Guidelines
All cache invalidation requests are honored immediately.
This command should typically not be used except under the guidance of technical support personnel. Incorrect settings can seriously degrade network performance.
The IP fast switching and autonomous switching features maintain a cache of IP routes for rapid access. When a packet is to be forwarded and the corresponding route is not present in the cache, the packet is process-switched and a new cache entry is built. However, when routing table changes occur (such as when a link or an interface goes down), the route cache must be flushed so that it can be rebuilt with up-to-date routing information.
This command controls how the route cache is flushed. The intent is to delay invalidation of the cache until after routing has settled down, since there tend to be many route table changes clustered in a short period of time, and the cache may be flushed repeatedly, which may put a high CPU load on the router.
When this feature is enabled, and the system requests that the route cache be flushed, the request is held for at least minimum seconds. Then the system determines whether the cache has been "quiet," that is, less than threshold invalidation requests in the last quiet seconds. If the cache has been quiet, the cache is then flushed. If the cache does not become quiet within maximum seconds after the first request, it is flushed unconditionally.
Manipulation of these parameters trades off CPU utilization versus route convergence time. Note that this does not affect the timing of the routing protocols, but only of the removal of stale cache entries.
Example
The following example sets a minimum delay of 5 seconds, a maximum delay of 30 seconds, and a quiet threshold of no more than 5 invalidation requests in the previous 10 seconds:
ip cache-invalidate-delay 5 30 10 5Related Commands
ip classless
At times the router might receive packets destined for a subnet of a network that has no network default route. To have the Cisco IOS software forward such packets to the best supernet route possible, use the ip classless global configuration command. To disable this feature, use the no form of this command.
ip classless
no ip classlessSyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Global configuration
Usage Guidelines
This command allows the software to forward packets that are destined for unrecognized subnets of directly connected networks. By default, when a router receives packets for a subnet that numerically falls within its subnetwork addressing scheme, if there is no such subnet number in the routing table and there is no network default route, the software discards the packets. However, when the ip classless command is enabled, the software instead forwards those packets to the best supernet route.
Example
The following example configures the software to forward packets destined for an unrecognized subnet to the best supernet possible:
ip classlessip default-gateway
To define a default gateway (router) when IP routing is disabled, use the ip default-gateway global configuration command. To disable this function, use the no form of this command.
ip default-gateway ip-address
no ip default-gateway ip-addressSyntax Description
Default
Disabled
Command Mode
Global configuration
Usage Guidelines
The Cisco IOS software sends any packets that need the assistance of a gateway to the address you specify. If another gateway has a better route to the requested host, the default gateway sends an ICMP redirect message back. The ICMP redirect message indicates which local router the Cisco IOS software should use.
Example
The following example defines the router on IP address 192.31.7.18 as the default router:
ip default-gateway 192.31.7.18Related Command
ip directed-broadcast
To enable the translation of directed broadcast to physical broadcasts, use the ip directed-broadcast interface configuration command. To disable this function, use the no form of this command.
ip directed-broadcast [access-list-number]
no ip directed-broadcast [access-list-number]Syntax Description
access-list-number
(Optional) Number of the access list. If specified, a broadcast must pass the access list to be forwarded. If not specified, all broadcasts are forwarded.
Default
Enabled, with no list specified
Command Mode
Interface configuration
Usage Guidelines
This feature is enabled only for those protocols configured using the ip forward-protocol global configuration command. An access list may be specified to control which broadcasts are forwarded. When an access list is specified, only those IP packets permitted by the access list are eligible to be translated from directed broadcasts to physical broadcasts.
Example
The following example enables forwarding of IP directed broadcasts on Ethernet interface 0:
interface ethernet 0ip directed-broadcastRelated Command
ip domain-list
To define a list of default domain names to complete unqualified host names whose names do not end with a dot, use the ip domain-list global configuration command. To delete a name from a list, use the no form of this command.
ip domain-list name
no ip domain-list nameSyntax Description
name
Domain name. Do not include the initial period that separates an unqualified name from the domain name.
Default
No domain names are defined.
Command Mode
Global configuration
Usage Guidelines
If there is no domain list, the domain name that you specified with the ip domain-name global configuration command is used. If there is a domain list, the default domain name is not used. The ip domain-list command is similar to the ip domain-name command, except that with ip domain-list you can define a list of domains, each to be tried in turn.
The ip domain name command considers a name to be fully-qualified if it contains a dot anywhere in the name. Significantly, the ip domain-list command considers a name to be fully-qualified only if that name ends in a dot.
Examples
The following example adds several domain names to a list:
ip domain-list martinez.comip domain-list stanford.eduThe following example adds a name to and then deletes a name from the list:
ip domain-list sunya.eduno ip domain-list stanford.eduRelated Command
ip domain-lookup
To enable the IP Domain Name System-based host name-to-address translation, use the ip domain-lookup global configuration command. To disable the Domain Name System, use the no form of this command.
ip domain-lookup
no ip domain-lookupSyntax Description
This command has no arguments or keywords.
Default
Enabled
Command Mode
Global configuration
Example
The following example enables the IP Domain Name System-based host name-to-address translation:
ip domain-lookupRelated Commands
ip domain-lookup nsap
ip domain-name
ip name-serverip domain-lookup nsap
To allow Domain Name System (DNS) queries for CLNS addresses, use the ip domain-lookup nsap global configuration command. To disable this feature, use the no form of this command.
ip domain-lookup nsap
no ip domain-lookup nsapSyntax Description
This command has no arguments or keywords.
Default
Enabled
Command Mode
Global configuration
Usage Guidelines
With both IP and ISO CLNS enabled, this feature allows the Cisco IOS software to dynamically determine a CLNS address given a host name. This feature is useful for the ISO CLNS ping EXEC command and when making CLNS Telnet connections.
Example
The following example disables DNS queries of CLNS addresses:
no ip domain-lookup nsapRelated Commands
A dagger (†) indicates that the command is documented outside this chapter.
ip domain-lookup
ping (for ISO CLNS) †ip domain-name
To define a default domain name that the Cisco IOS software uses to complete unqualified host names (names that do not have dots in the name), use the ip domain-name global configuration command. To disable, use the no form of this command.
ip domain-name name
no ip domain-nameSyntax Description
name
Default domain name used to complete unqualified host names. Do not include the initial period that separates an unqualified name from the domain name.
Default
No domain name is defined
Command Mode
Global configuration
Usage Guidelines
Any IP host name that does not contain a domain name (that is, any name without a dot), will have the dot and cisco.com appended to it before being added to the host table.
The ip domain name command considers a name to be fully-qualified if it contains a dot anywhere in the name. Significantly, the ip domain-list command considers a name to be fully-qualified only if that name ends in a dot.
Example
The following example defines cisco.com as the default domain name:
ip domain-name cisco.comThe following example would not append the default domain name to the entered name before querying the DNS server because the name appears to be a fully-qualified domain name.
router>ping sales.marketingRelated Commands
ip domain-list
ip domain-lookup
ip name-serverip forward-protocol
To specify which protocols and ports the router forwards when forwarding broadcast packets, use the ip forward-protocol global configuration command. To remove a protocol or port, use the no form of this command.
ip forward-protocol {udp [port] | nd | sdns}
no ip forward-protocol {udp [port] | nd | sdns}Syntax Description
Default
If an IP helper address is defined, UDP forwarding is enabled on default ports. If UDP flooding is configured, UDP flooding is enabled on the default ports.
If a helper address is specified and UDP forwarding is enabled, broadcast packets destined to the following port numbers are forwarded by default:
•
•
•
•
•
•
•
Note
Command Mode
Global configuration
Usage Guidelines
Enabling a helper address or UDP flooding on an interface causes the Cisco IOS software to forward particular broadcast packets. You can use the ip forward-protocol command to specify exactly which types of broadcast packets you would like to have forwarded. A number of commonly forwarded applications are enabled by default. Enabling forwarding for some ports (for example, RIP) may be hazardous to your network.
If you use the ip forward-protocol command, specifying just UDP, without the port, enables forwarding and flooding on the default ports.
One common application that requires helper addresses is Dynamic Host Configuration Protocol (DHCP). DHCP is defined in RFC 1531. DHCP protocol information is carried inside of BOOTP packets. To enable BOOTP broadcast forwarding for a set of clients, configure a helper address on the router interface closest to the client. The helper address should specify the address of the DHCP server. If you have multiple servers, you can configure one helper address for each server. Since BOOTP packets are forwarded by default, DHCP information can now be forwarded by the software. The DHCP server now receives broadcasts from the DHCP clients.
Example
The following example uses the ip forward-protocol command to specify forwarding of UDP port 3001 in addition to the default ports, and then defines a helper address:
ip forward-protocol udp 3001!interface ethernet 1ip helper-address 131.120.1.0Related Commands
ip directed-broadcast
ip forward-protocol spanning-tree
ip forward-protocol turbo-flood
ip helper-addressip forward-protocol any-local-broadcast
To forward any broadcasts including local subnet broadcasts, use the ip forward-protocol any-local-broadcast global configuration command. To disable this type of forwarding, use the no form of this command.
ip forward-protocol any-local-broadcast
no ip forward-protocol any-local-broadcastSyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Global configuration
Usage Guidelines
The ip forward-protocol any-local-broadcast command forwards packets similarly to how the ip forward-protocol spanning-tree command does. That is, it forwards packets whose contents are all ones (255.255.255.255), all zeros (0.0.0.0), and, if subnetting is enabled, all networks (131.108.255.255 as an example in the network number 131.108.0.0). This mechanism also forwards packets whose contents are the zeros version of the all-networks broadcast when subnetting is enabled (for example, 131.108.0.0). In addition, it forwards any local subnet broadcast packets.
Use the ip forward-protocol any-local-broadcast command in conjuction with the ip forward-protocol spanning-tree command, not as a replacement for it.
Example
Assume a router is directly connected to subnet 1 of network 131.108.0.0 and that the netmask is 255.255.255.0. The following command enables the forwarding of IP broadcasts destined to 131.108.1.255 and 131.108.1.0 in addition to the broadcast addresses mentioned in the "Usage Guidelines" section:
ip forward-protocol any-local-broadcastRelated Command
ip forward-protocol spanning-tree
ip forward-protocol spanning-tree
To permit IP broadcasts to be flooded throughout the internetwork in a controlled fashion, use the ip forward-protocol spanning-tree global configuration command. To disable the flooding of IP broadcasts, use the no form of this command.
ip forward-protocol spanning-tree
no ip forward-protocol spanning-treeSyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Global configuration
Usage Guidelines
Packets must meet the following criteria to be considered for flooding:
•
•
•
•
A flooded UDP datagram is given the destination address specified by the ip broadcast-address interface configuration command on the output interface. The destination address can be set to any desired address. Thus, the destination address may change as the datagram propagates through the network. The source address is never changed. The TTL value is decremented.
After a decision has been made to send the datagram out on an interface (and the destination address possibly changed), the datagram is handed to the normal IP output routines and is therefore subject to access lists, if they are present on the output interface.
The ip forward-protocol spanning-tree command uses the database created by the bridging spanning-tree protocol. Therefore, the transparent bridging option must be in the routing software, and bridging must be configured on each interface that is to participate in the flooding in order to support this capability.
If an interface does not have bridging configured, it still will be able to receive broadcasts, but it will never forward broadcasts received on that interface, and it will never use that interface to send broadcasts received on a different interface.
If no actual bridging is desired, you can configure a type-code bridging filter that will deny all packet types from being bridged. Refer to the "Transparent Bridging" chapter in the Bridging and IBM Networking Configuration Guide for more information about using access lists to filter bridged traffic. The spanning-tree database is still available to the IP forwarding code to use for the flooding.
The spanning-tree-based flooding mechanism fowards packets whose contents are all ones (255.255.255.255), all zeros (0.0.0.0), and, if subnetting is enabled, all networks (131.108.255.255 as an example in the network number 131.108.0.0. This mechanism also forward packets whose contents are the zeros version of the all-networks braodcast when subnetting is enabled (for example, 131.108.0.0).
This command is an extension of the ip helper-address interface configuration command, in that the same packets that may be subject to the helper address and forwarded to a single network can now be flooded. Only one copy of the packet will be put on each network segment.
Example
The following example permits IP broadcasts to be flooded through the internetwork in a controlled fashion:
ip forward-protocol spanning-treeRelated Commands
ip broadcast-address
ip forward-protocol
ip forward-protocol turbo-flood
ip helper-addressip forward-protocol turbo-flood
To speed up flooding of User Datagram Protocol (UDP) datagrams using the spanning-tree algorithm, use the ip forward-protocol turbo-flood global configuration command. To disable this feature, use the no form of this command.
ip forward-protocol turbo-flood
no ip forward-protocol turbo-floodSyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Global configuration
Usage Guidelines
Used in conjunction with the ip forward-protocol spanning-tree global configuration command, this feature is supported over ARPA-encapsulated Ethernets, FDDI, and HDLC-encapsulated serials, but is not supported on Token Rings. As long as the Token Rings and the non-HDLC serials are not part of the bridge group being used for UDP flooding, turbo flooding will behave normally.
Example
The following is an example of a two-port router (2E) using this feature:
ip forward-protocol turbo-floodip forward-protocol spanning-tree!interface ethernet 0ip address 128.9.1.1bridge-group 1!interface ethernet 1ip address 128.9.1.2bridge-group 1!!bridge 1 protocol decRelated Commands
ip forward-protocol
ip forward-protocol spanning-treeip gdp gdp
To configure the router discovery feature using the Cisco Gateway Discovery Protocol (GDP) routing protocol, use the ip gdp gdp interface configuration command. To disable this feature, use the no form of this command.
ip gdp gdp
no ip gdp gdpSyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
In future Cisco IOS software releases, the Gateway Discovery Protocol will not be supported.
IP routing must be disabled before you can configure this feature.
Example
The following example configures router discovery using GDP on Ethernet interface 0:
interface ethernet 0ip gdp gdpip gdp igrp
To configure the router discovery feature using the Cisco Interior Gateway Routing Protocol (IGRP), use the ip gdp igrp interface configuration command. To disable this feature, use the no form of this command.
ip gdp igrp
no ip gdp igrpSyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
In future Cisco IOS software releases, the Gateway Discovery Protocol will not be supported.
IP routing must be disabled before you can configure this feature.
Example
The following example configures router discovery using IGRP on Ethernet interface 1:
interface ethernet 1ip gdp igrpip gdp irdp
To configure the router discovery feature using the ICMP Router Discovery Protocol (IRDP), use the ip gdp irdp interface configuration command. To disable this feature, use the no form of this command.
ip gdp irdp
no ip gdp irdpSyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
In future Cisco IOS software releases, the Gateway Discovery Protocol will not be supported.
IP routing must be disabled before you can configure this feature.
Example
The following example configures router discovery using IRDP on Ethernet interface 0:
interface ethernet 0ip gdp irdpip gdp rip
To configure the router discovery feature using the Routing Information Protocol (RIP), use the ip gdp rip interface configuration command. To disable this feature, use the no form of this command.
ip gdp rip
no ip gdp ripSyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
In future Cisco IOS software releases, the Gateway Discovery Protocol will not be supported.
IP routing must be disabled before you can configure this feature.
Example
The following example configures router discovery using RIP on Ethernet interface 1:
interface ethernet 1ip gdp ripip helper-address
To have the Cisco IOS software forward User Datagram Protocol (UDP) broadcasts, including BOOTP, received on an interface, use the ip helper-address interface configuration command. To disable the forwarding of broadcast packets to specific addresses, use the no form of this command.
ip helper-address address
no ip helper-address addressSyntax Description
address
Destination broadcast or host address to be used when forwarding UDP broadcasts. There can be more than one helper address per interface.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
Combined with the ip forward-protocol global configuration command, the ip helper-address command allows you to control which broadcast packets and which protocols are forwarded.
One common application that requires helper addresses is Dynamic Host Configuration Protocol (DHCP). DHCP is defined in RFC 1531. DHCP protocol information is carried inside of BOOTP packets. To enable BOOTP broadcast forwarding for a set of clients, configure a helper address on the router interface closest to the client. The helper address should specify the address of the DHCP server. If you have multiple servers, you can configure one helper address for each server. Since BOOTP packets are forwarded by default, DHCP information can now be forwarded by the router. The DHCP server now receives broadcasts from the DHCP clients.
Note
Example
The following example defines an address that acts as a helper address:
interface ethernet 1ip helper-address 121.24.43.2Related Command
ip host
To define a static host name-to-address mapping in the host cache, use the ip host global configuration command. To remove the name-to-address mapping, use the no form of this command.
ip host name [tcp-port-number] address1 [address2...address8]
no ip host name addressSyntax Description
Default
Disabled
Command Mode
Global configuration
Usage Guidelines
The first character can be either a letter or a number, but if you use a number, the operations you can perform (such as ping) are limited.
Example
The following example defines two static mappings:
ip host croff 192.31.7.18ip host bisso-gw 10.2.0.2 192.31.7.33ip hp-host
To enter into the host table the host name of an HP host to be used for HP Probe Proxy service, use the ip hp-host global configuration command. To remove a host name, use the no form of this command.
ip hp-host hostname ip-address
no ip hp-host hostname ip-addressSyntax Description
Default
No host names are defined.
Command Mode
Global configuration
Usage Guidelines
To use the HP Proxy service, you must first enter the host name of the HP host into the host table using this command.
Example
The following example specifies an HP host's name and address, and then enables Probe Proxy:
ip hp-host BCWjo 131.108.1.27interface ethernet 0ip probe proxyRelated Command
ip http port
To specify the port to be used by the Cisco IOS ClickStart software, use the ip http port global configuration command. To use the default port, use the no form of this command.
ip http port number
no ip http portSyntax Description
Default
80
Command Mode
Global
Example
The following command configures the router so that you can use ClickStart via port 60:
ip http serverip http port 60Related Command
ip http server
To enable a Cisco 1003 or Cisco 1004 ISDN router to be configured from a browser using the Cisco IOS ClickStart software, and to enable any router to be monitored or have its configuration modified from a browser using ClickStart, use the ip http server global configuration command. To disable this feature, use the no form of this command.
ip http server
no ip http serverSyntax Description
This command has no arguments or keywords.
Default
This feature is enabled on Cisco 1003 and Cisco 1004 routers that have not yet been configured. For Cisco 1003 and Cisco 1004 routers that have already been configured, and for all other routers, this feature is disabled.
Command Mode
Global
Example
The following command configures the router so that you can use ClickStart to monitor it:
ip http serverRelated Command
ip mask-reply
To have the Cisco IOS software to respond to Internet Control Message Protocol (ICMP) mask requests by sending ICMP Mask Reply messages, use the ip mask-reply interface configuration command. To disable this function, use the no form of this command.
ip mask-reply
no ip mask-replySyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Interface configuration
Example
The following example enables the sending of ICMP Mask Reply messages on Ethernet interface 0:
interface ethernet 0ip address 131.108.1.0 255.255.255.0ip mask-replyip mobile arp
To enable local-area mobility, use the ip mobile arp interface configuration command. To disable local-area mobility, use the no form of this command.
ip mobile arp [timers keepalive hold-time] [access-group access-list-number]
no ip mobile arp [timers keepalive hold-time] [access-group access-list-number]Syntax Description
Default
Local-area mobility is disabled.
If you enable local-area mobility:
keepalive: 300 seconds (5 minutes)
hold-time: 900 seconds (15 minutes)Command Mode
Interface configuration
Usage Guidelines
Local-area mobility is supported on Ethernet, Token Ring, and FDDI interfaces only.
To create larger mobility areas, you must first redistribute the mobile routes into your IGP. The IGP must support host routes. You can use Enhanced IGRP, OSPF, or ISIS; you can also use RIP, but this is not recommended. The mobile area must consist of a contiguous set of subnets.
Using an access list to control the list of possible mobile nodes is strongly encouraged. Without an access list, misconfigured hosts can be taken for mobile nodes and disrupt normal operations.
Example
The following example configures local-area mobility on Ethernet interface 0:
bridge 1 protocol ieeeaccess-list 10 permit 198.92.37.114interface ethernet 0ip mobile arp access-group 10bridge-group 1Related Commands
A dagger (†) indicates that the command is documented outside this chapter.
access-list (standard)
bridge-group †
bridge protocol †
default-metric (BGP, EGP, OSPF, and RIP) †
network †
redistribute †
router eigrp †
router isis †
router ospf †ip mtu
To set the maximum transmission unit (MTU) size of IP packets sent on an interface, use the ip mtu interface configuration command. To restore the default MTU size, use the no form of this command.
ip mtu bytes
no ip mtuSyntax Description
Default
Minimum is 128 bytes; maximum depends on interface medium.
Command Mode
Interface configuration
Usage Guidelines
If an IP packet exceeds the MTU set for the interface, the Cisco IOS software will fragment it.
All devices on a physical medium must have the same protocol MTU in order to operate.
Note
Example
The following example sets the maximum IP packet size for the first serial interface to 300 bytes:
interface serial 0ip mtu 300Related Command
A dagger (†) indicates that the command is documented outside this chapter.
mtu †
ip name-server
To specify the address of one or more name servers to use for name and address resolution, use the ip name-server global configuration command. To remove the addresses specified, use the no form of this command.
ip name-server server-address1 [[server-address2]... server-address6]
no ip name-server server-address1 [[server-address2]... server-address6]Syntax Description
server-address1
IP addresses of name server.
server-address2...server-address6
(Optional) IP addresses of additional name servers (a maximum of six name servers).
Default
No name server addresses are specified.
Command Mode
Global configuration
Example
The following example specifies host 131.108.1.111 as the primary name server and host 131.108.1.2 as the secondary server:
ip name-server 131.108.1.111 131.108.1.2This command will be reflected in the configuration file as follows:
ip name-server 131.108.1.111ip name-server 131.108.1.2Related Commands
ip domain-lookup
ip domain-nameip netmask-format
To specify the format in which netmasks are displayed in show command output, use the ip netmask-format line configuration command. To restore the default display format, use the no form of this command.
ip netmask-format {bitcount | decimal | hexadecimal}
no ip netmask-format [bitcount | decimal | hexadecimal]Syntax Description
Default
Netmasks are displayed in dotted decimal format.
Command Mode
Line configuration
Usage Guidelines
IP uses a 32-bit mask that indicates which address bits belong to the network and subnetwork fields and which bits belong to the host field. This is called a netmask. By default, show commands display an IP address and then its netmask in dotted decimal notation. For example, a subnet would be displayed as 131.108.11.0 255.255.255.0.
However, you can specify that the display of the network mask appear in hexadecimal format or bit count format instead. The hexadecimal format is commonly used on UNIX systems. The above example would be displayed as 131.108.11.0 0XFFFFFF00.
The bitcount format for displaying network masks is to append a slash (/) and the total number of bits in the netmask to the address itself. The above example would be displayed as 131.108.11.0/24.
Example
The following example configures network masks for the specified line to be displayed in bitcount notation in the output of show commands:
line vty 0 4ip netmask-format bitcountip nhrp authentication
To configure the authentication string for an interface using Next Hop Resolution Protocol (NHRP), use the ip nhrp authentication interface configuration command. To remove the authentication string, use the no form of this command.
ip nhrp authentication string
no ip nhrp authentication [string]Syntax Description
string
Authentication string configured for the source and destination stations that controls whether NHRP stations allow intercommunication. The string can be up to 8 characters long.
Default
No authentication string is configured; the Cisco IOS software adds no authentication option to NHRP packets it generates.
Command Mode
Interface configuration
Usage Guidelines
All routers configured with NHRP within one logical NBMA network must share the same authentication string.
Example
In the following example, the authentication string specialxx must be configured in all devices using NHRP on the interface before NHRP communication occurs:
ip nhrp authentication specialxxip nhrp holdtime
To change the number of seconds that NHRP nonbroadcast, multiaccess (NBMA) addresses are advertised as valid in authoritative NHRP responses, use the ip nhrp holdtime interface configuration command. To restore the default value, use the no form of this command.
ip nhrp holdtime seconds-positive [seconds-negative]
no ip nhrp holdtime [seconds-positive [seconds-negative]]Syntax Description
Default
7200 seconds (2 hours) for both arguments
Command Mode
Interface configuration
Usage Guidelines
The ip nhrp holdtime command affects authoritative responses only. The advertised holding time is the length of time the Cisco IOS software tells other routers to keep information that it is providing in authoritative NHRP responses. The cached IP-to-NBMA address mapping entries are discarded after the holding time expires.
The NHRP cache can contain static and dynamic entries. The static entries never expire. Dynamic entries expire regardless of whether they are authoritative or nonauthoritative.
If you want to change the valid time period for negative NHRP responses, you must also include a value for positive NHRP responses, as the arguments are position dependent.
Examples
In the following example, NHRP NBMA addresses are advertised as valid in positive authoritative NHRP responses for one hour:
ip nhrp holdtime 3600In the following example, NHRP NBMA addresses are advertised as valid in negative authoritative NHRP responses for one hour and in positive authoritative NHRP responses for two hours:
ip nhrp holdtime 7200 3600ip nhrp interest
To control which IP packets can trigger sending a Next Hop Resolution Protocol (NHRP) Request, use the ip nhrp interest interface configuration command. To restore the default value, use the no form of this command.
ip nhrp interest access-list-number
no ip nhrp interest [access-list-number]Syntax Description
Default
All non-NHRP packets can trigger NHRP requests.
Command Mode
Interface configuration
Usage Guidelines
Use this command with the access-list command to control which IP packets trigger NHRP Requests.
The ip nhrp interest command controls which packets cause NHRP address resolution to take place; the ip nhrp use command controls how readily the system attempts such address resolution.
Example
In the following example, any TCP traffic can cause NHRP Requests to be sent, but no other IP packets will cause NHRP Requests:
ip nhrp interest 101access-list 101 permit tcp any anyRelated Commands
access-list (extended)
access-list (standard)
ip nhrp useip nhrp map
To statically configure the IP-to-NBMA address mapping of IP destinations connected to a nonbroadcast, multiaccess (NBMA) network, use the ip nhrp map interface configuration command. To remove the static entry from NHRP cache, use the no form of this command.
ip nhrp map ip-address nbma-address
no ip nhrp map ip-address nbma-addressSyntax Description
Default
No static IP-to-NBMA cache entries exist.
Command Mode
Interface configuration
Usage Guidelines
You will probably have to configure at least one static mapping in order to reach the Next Hop Server. Repeat this command to statically configure multiple IP-to-NBMA address mappings.
Example
In the following example, this station in a multipoint tunnel network is statically configured to be served by two Next Hop Servers 100.0.0.1 and 100.0.1.3. The NBMA address for 100.0.0.1 is statically configured to be 11.0.0.1 and the NBMA address for 100.0.1.3 is 12.2.7.8.
interface tunnel 0ip nhrp nhs 100.0.0.1ip nhrp nhs 100.0.1.3ip nhrp map 100.0.0.1 11.0.0.1ip nhrp map 100.0.1.3 12.2.7.8Related Command
ip nhrp map multicast
To configure NBMA addresses used as destinations for broadcast or multicast packets to be sent over a tunnel network, use the ip nhrp map multicast interface configuration command. To remove the destinations, use the no form of this command.
ip nhrp map multicast nbma-address
no ip nhrp map multicast nbma-addressSyntax Description
nbma-address
Nonbroadcast, multiaccess (NBMA) address which is directly reachable through the NBMA network. The address format varies depending on the medium you are using.
Default
No NBMA addresses are configured as destinations for broadcast or multicast packets.
Command Mode
Interface configuration
Usage Guidelines
This command applies to tunnel interfaces only.
This command is useful for supporting broadcasts over a tunnel network when the underlying network does not support IP multicast. If the underlying network does support IP multicast, you should use the tunnel destination command to configure a multicast destination for transmission of tunnel broadcasts or multicasts.
When multiple NBMA addresses are configured, the system replicates the broadcast packet for each address.
Example
In the following example, if a packet is sent to 10.255.255.255, it is replicated to destinations 11.0.0.1 and 11.0.0.2. Addresses 11.0.0.1 and 11.0.0.2 are the IP addresses of two other routers that are part of the tunnel network, but those addresses are their addresses in the underlying network, not the tunnel network. They would have tunnel addresses that are in network 10.0.0.0.
interface tunnel 0ip address 10.0.0.3 255.0.0.0ip nhrp map multicast 11.0.0.1ip nhrp map multicast 11.0.0.2ip nhrp max-send
To change the maximum frequency at which NHRP packets can be sent, use the ip nhrp max-send interface configuration command. To restore this frequency to the default value, use the no form of this command.
ip nhrp max-send pkt-count every interval
no ip nhrp max-sendSyntax Description
pkt-count
Number of packets which can be transmitted in the range from 1 to 65535. Default is 5 packets.
interval
Time (in seconds) in the range from 10 to 65535. Default is 10 seconds.
Default
pkt-count = 5 packets
interval = 10 secondsCommand Mode
Interface configuration
Usage Guidelines
The software maintains a per-interface quota of NHRP packets that can be transmitted. NHRP traffic, whether locally generated or forwarded, cannot be sent at a rate that exceeds this quota. The quota is replenished at the rate specified by interval.
Example
In the following example, only 1 NHRP packet can be sent from serial interface 0 each minute:
interface serial 0 ip nhrp max-send 1 every 60Related Commands
ip nhrp network-id
To enable the Next Hop Resolution Protocol (NHRP) on an interface, use the ip nhrp network-id interface configuration command. To disable NHRP on the interface, use the no form of this command.
ip nhrp network-id number
no ip nhrp network-id [number]Syntax Description
number
Globally unique, 32-bit network identifier for a nonbroadcast, multiaccess (NBMA) network. The range is 1 to 4294967295.
Default
NHRP is disabled on the interface.
Command Mode
Interface configuration
Usage Guidelines
In general, all NHRP stations within one logical NBMA network must be configured with the same network identifier.
Example
The following example enables NHRP on the interface:
ip nhrp network-id 1ip nhrp nhs
To specify the address of one or more NHRP Next Hop Servers, use the ip nhrp nhs interface configuration command. To remove the address, use the no form of this command.
ip nhrp nhs nhs-address [net-address [netmask]]
no ip nhrp nhs nhs-address [net-address [netmask]]Syntax Description
Default
No Next Hop Servers are explicitly configured, so normal network layer routing decisions are used to forward NHRP traffic.
Command Mode
Interface configuration
Usage Guidelines
Use this command to specify the address of a Next Hop Server and the networks it serves. Normally, NHRP consults the network layer forwarding table to determine how to forward NHRP packets. When Next Hop Servers are configured, these next hop addresses override the forwarding path that would otherwise be used for NHRP traffic.
For any Next Hop Server that is configured, you can specify multiple networks that it serves by repeating this command with the same nhs-address, but with different net-address IP network addresses.
Example
In the following example, the Next Hop Server with address 131.108.10.11 serves IP network 10.0.0.0. The mask is 255.0.0.0.
ip nhrp nhs 131.108.10.11 10.0.0.0 255.0.0.0ip nhrp record
To re-enable the use of forward record and reverse record options in NHRP Request and Reply packets, use the ip nhrp record interface configuration command. To suppress the use of such options, use the no form of this command.
ip nhrp record
no ip nhrp recordSyntax Description
This command has no arguments or keywords.
Default
Forward record and reverse record options are used in NHRP Request and Reply packets.
Command Mode
Interface configuration
Usage Guidelines
Forward record and reverse record options provide loop detection and are enabled by default. Using the no form of this command disables this method of loop detection. For another method of loop detection, see the ip nhrp responder command.
Example
The following example suppresses forward record and reverse record options:
no ip nhrp recordRelated Command
ip nhrp responder
To designate which interface's primary IP address the Next Hop Server will use in NHRP Reply packets when the NHRP requestor uses the Responder Address option, use the ip nhrp responder interface configuration command. To remove the designation, use the no form of this command.
ip nhrp responder type number
no ip nhrp responder [type] [number]Syntax Description
Default
The Next Hop Server uses the IP address of the interface where the NHRP Request was received.
Command Mode
Interface configuration
Usage Guidelines
If an NHRP requestor wants to know which Next Hop Server generates an NHRP Reply packet, it can request that information through the Responder Address option. The Next Hop Server that generates the NHRP Reply packet then complies by inserting its own IP address in the Responder Address option of the NHRP Reply. The Next Hop Server uses the primary IP address of the specified interface.
If an NHRP Reply packet being forwarded by a Next Hop Server contains that Next Hop Server's own IP address, the Next Hop Server generates an Error Indication of type "NHRP Loop Detected" and discards the Reply.
Example
In the following example, any NHRP requests for the Responder Address will cause this router acting as a Next Hop Server to supply the primary IP address of serial interface 0 in the NHRP Reply packet:
ip nhrp responder serial 0ip nhrp use
To configure the software so that NHRP is deferred until the system has attempted to send data traffic to a particular destination multiple times, use the ip nhrp use interface configuration command. To restore the default value, use the no form of this command.
ip nhrp use usage-count
no ip nhrp use usage-countSyntax Description
Default
usage-count = 1. The first time a data packet is sent to a destination for which the system determines NHRP can be used, an NHRP request is sent.
Command Mode
Interface configuration
Usage Guidelines
When the software attempts to transmit a data packet to a destination for which it has determined that NHRP address resolution can be used, an NHRP request for that destination is normally transmitted right away. Configuring the usage-count causes the system to wait until that many data packets have been sent to a particular destination before it attempts NHRP. The usage-count for a particular destination is measured over 1-minute intervals (the NHRP cache expiration interval).
The usage-count applies per destination. So if usage-count is configured to be 3, and 4 data packets are sent toward 10.0.0.1 and 1 packet toward 10.0.0.2, then an NHRP request is generated for 10.0.0.1 only.
If the system continues to need to forward data packets to a particular destination, but no NHRP response has been received, retransmission of NHRP requests are performed. This retransmission occurs only if data traffic continues to be sent to a destination.
The ip nhrp interest command controls which packets cause NHRP address resolution to take place; the ip nhrp use command controls how readily the system attempts such address resolution.
Example
In the following example, if in the first minute 4 packets are sent to one destination and 5 packets are sent to a second destination, then a single NHRP request is generated for the second destination.
If in the second minute the same traffic is generated and no NHRP responses have been received, then the system retransmits its request for the second destination.
ip nhrp use 5Related Commands
ip nhrp interest
ip nhrp max-sendip probe proxy
To enable the HP Probe Proxy support, which allows the Cisco IOS software to respond to HP Probe Proxy Name requests, use the ip probe proxy interface configuration command. To disable HP Probe Proxy, use the no form of this command.
ip probe proxy
no ip probe proxySyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
HP Probe Proxy Name requests are typically used at sites that have HP equipment and are already using HP Probe.
To use the HP Proxy service, you must first enter the host name of the HP host into the host table using the ip hp-host global configuration command.
Example
The following example specifies an HP host's name and address, and then enables Probe Proxy:
ip hp-host BCWjo 131.108.1.27interface ethernet 0ip probe proxyRelated Command
ip proxy-arp
To enable proxy ARP on an interface, use the ip proxy-arp interface configuration command. To disable proxy ARP on the interface, use the no form of this command.
ip proxy-arp
no ip proxy-arpSyntax Description
This command has no arguments or keywords.
Default
Enabled
Command Mode
Interface configuration
Example
The following example enables proxy ARP on Ethernet interface 0:
interface ethernet 0ip proxy-arpip redirects
To enable the sending of redirect messages if the Cisco IOS software is forced to resend a packet through the same interface on which it was received, use the ip redirects interface configuration command. To disable the sending of redirect messages, use the no form of this command.
ip redirects
no ip redirectsSyntax Description
This command has no arguments or keywords.
Default
Enabled, unless Hot Standby Router Protocol is configured
Command Mode
Interface configuration
Usage Guidelines
If the Hot Standby Router Protocol is configured on an interface, ICMP Redirect messages are disabled by default for the interface.
Example
The following example enables the sending of IP redirects on Ethernet interface 0:
interface ethernet 0ip redirectsRelated Command
ip route-cache
To control the use of a high-speed switching cache for IP routing as well as the use of autonomous switching, use the ip route-cache interface configuration command. To disable fast switching and autonomous switching, use the no form of this command.
ip route-cache [cbus]
no ip route-cache [cbus]ip route-cache same-interface
no ip route-cache same-interfaceip route-cache sse
no ip route-cache sseip route-cache [optimum | flow]
no ip route-cache [optimum | flow]ip route-cache distributed
no ip route-cache distributedSyntax Description
Default
IP autonomous switching is disabled.
Fast switching varies by interface and media.
SSE switching of IP is disabled.
Optimum switching is enabled on supported interfaces.
Distributed switching is disabled.Command Mode
Interface configuration
Usage Guidelines
Using the route cache is often called fast switching. The route cache allows outgoing packets to be load-balanced on a per-destination basis.
The ip route-cache command with no additional keywords enables fast switching and disables.
Our routers generally offer better packet transfer performance when fast switching is enabled, with one exception. On networks using slow serial links (64 K and below), disabling fast switching to enable the per-packet load sharing is usually the best choice.
Autonomous switching gives a router faster packet processing by allowing the ciscoBus to switch packets independently without interrupting the system processor. It works only in Cisco 7000 series systems with a switch processor controller card running microcode Version 1.4 or later.
You can enable IP fast switching when the input and output interfaces are the same interface, using the ip route-cache same-interface command. This normally is not recommended, though it is useful when you have partially meshed media, such as Frame Relay. You could use this feature on other interfaces, although it is not recommended because it would interfere with redirection.
SSE switching gives a router even faster packet processing than is provided by the other ip route-cache commands by allowing the SSE to switch packets without interrupting the system processor. SSE switching is supported only in Cisco 7000 systems with an SSP board. Fast switching must be active to enable SSE switching. SSE switching requires that fast switching be enabled.
Flow switching is faster than the default optimum fast-switching on Cisco 7507 and 7513 platforms when extended access lists are used. When the RSP is flow switching, it uses a flow cache instead of a destination network cache to switch IP packets. The flow cache uses source and destination network address, protocol, and source and destination port numbers to distinguish entries.
The flow caching option can also be used to allow statistics to be gathered with a finer granularity. The statistics include IP subprotocols, well-known ports, total flows, average number of packets per flow, and average flow lifetime.
On Cisco RSP7000 and Cisco 7500 series routers with an RSP and with VIP controllers, the VIP hardware can be configured to switch packets received by the VIP with no per-packet intervention on the part of the RSP. When VIP distributed switching is enabled, the input VIP interface tries to switch IP packets instead of forwarding them to the RSP for switching.
Not all switching methods are available on all platforms.
Examples
The following example enables both fast switching and autonomous switching:
ip route-cache cbusThe following example disables both fast switching and autonomous switching:
no ip route-cacheThe following example turns off autonomous switching only:
no ip route-cache cbusThe following example enables flow switching and VIP distributed switching on the interface.
interface ethernet 0/5/0ip address 17.252.245.2 255.255.255.0ip route-cache distributedip route-cache flowThe following example returns the system to its defaults (fast switching enabled; autonomous switching disabled):
ip route-cacheRelated Commands
ip cache-invalidate-delay
show ip cache
show ip cache flowip routing
To enable IP routing , use the ip routing global configuration command. To disable IP routing, use the no form of this command.
ip routing
no ip routingSyntax Description
This command has no arguments or keywords.
Default
Enabled
Command Mode
Global configuration
Usage Guidelines
To bridge IP, the no ip routing command must be configured to disable IP routing. However, you need not specify no ip routing in conjunction with concurrent routing and bridging to bridge IP.
Example
The following example enables IP routing:
ip routingip security add
To add a basic security option to all outgoing packets, use the ip security add interface configuration command. To disable the adding of a basic security option to all outgoing packets, use the no form of this command.
ip security add
no ip security addSyntax Description
This command has no arguments or keywords.
Default
Disabled, when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is enabled.
Command Mode
Interface configuration
Usage Guidelines
If an outgoing packet does not have a security option present, this interface configuration command will add one as the first IP option. The security label added to the option field is the label that was computed for this packet when it first entered the router. Because this action is performed after all the security tests have been passed, this label will either be the same as or will fall within the range of the interface.
Example
The following example adds a basic security option to each packet leaving Ethernet interface 0:
interface ethernet 0ip security addRelated Commands
ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security stripip security aeso
To attach Auxiliary Extended Security Options (AESOs) to an interface, use the ip security aeso interface configuration command. To disable AESO on an interface, use the no form of this command.
ip security aeso source compartment-bits
no ip security aeso source compartment-bitsSyntax Description
source
Extended Security Option (ESO) source. This can be an integer from 0 through 255.
compartment-bits
Compartment bits in hexadecimal.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
Compartment bits are specified only if this AESO is to be inserted in a packet. On every incoming packet at this level on this interface, these AESOs should be present.
Beyond being recognized, no further processing of AESO information is performed. AESO contents are not checked and are assumed to be valid if the source is listed in the configurable AESO table.
Configuring any per-interface extended IP security option (IPSO) information automatically enables ip security extended-allowed (disabled by default).
Example
In the following example, the extended security option source is defined as 5 and the compartments bits are set to 5:
interface ethernet 0ip security aeso 5 5Related Commands
ip security eso-info
ip security eso-max
ip security eso-min
ip security extended-allowedip security dedicated
To set the level of classification and authority on the interface, use the ip security dedicated interface configuration command. To reset the interface to the default classification and authorities, use the no form of this command.
ip security dedicated level authority [authority...]
no ip security dedicated level authority [authority...]Syntax Description
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
All traffic entering the system on this interface must have a security option that exactly matches this label. Any traffic leaving via this interface will have this label attached to it.
The following definitions apply to the descriptions of the IP security options (IPSO) in this section:
•
Table 45 IPSO Level Keywords and Bit Patterns
Reserved4
0000 0001
TopSecret
0011 1101
Secret
0101 1010
Confidential
1001 0110
Reserved3
0110 0110
Reserved2
1100 1100
Unclassified
1010 1011
Reserved1
1111 0001
•
Table 46 IPSO Authority Keywords and Bit Patterns
Genser
1000 0000
Siop-Esi
0100 0000
DIA
0010 0000
NSA
0001 0000
DOE
0000 1000
•
Example
The following example sets a confidential level with Genser authority:
ip security dedicated confidential GenserRelated Commands
ip security add
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security stripip security eso-info
To configure system-wide defaults for extended IP Security Option (IPSO) information, use the ip security eso-info global configuration command. To return to the default settings, use the no form of this command.
ip security eso-info source compartment-size default-bit
no ip security eso-info source compartment-size default-bitSyntax Description
Default
Disabled
Command mode
Global configuration
Usage Guidelines
This command configures Extended Security Option (ESO) information, including Auxiliary Extended Security Option (AESO). Transmitted compartment info is padded to the size specified by the compartment-size argument.
Example
In the following example, system-wide defaults for source, compartment size, and the default bit value are set:
ip security eso-info 100 5 1Related Commands
ip security eso-max
ip security eso-minip security eso-max
To specify the maximum sensitivity level for an interface, use the ip security eso-max interface configuration command. To return to the default, use the no form of this command.
ip security eso-max source compartment-bits
no ip security eso-max source compartment-bitsSyntax Description
source
Extended Security Option (ESO) source. This is an integer from 1 through 255.
compartment-bits
Compartment bits in hexadecimal.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
This command is used to specify the minimum sensitivity level for a particular interface. Before the per interface compartment information for a particular Network Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.
On every incoming packet on the interface, these extended security options should be resent at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.
On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.
When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.
A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.
Example
In the following example, the specified ESO source is 240 and the compartment bits are specified as 500:
interface ethernet 0ip security eso-max 240 500Related Commands
ip security eso-info
ip security eso-minip security eso-min
To configure the minimum sensitivity for an interface, use the ip security eso-min interface configuration command. To return to the default, use the no form of this command.
ip security eso-min source compartment-bits
no ip security eso-min source compartment-bitsSyntax Description
source
Extended Security Option (ESO) source. This is an integer from 1 through 255.
compartment-bits
Compartment bits in hexadecimal.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
This command is used to specify the minimum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.
On every incoming packet on this interface, these extended security options should be resent at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.
On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.
When transmitting locally generated traffic out this interface, or adding security information (with the iip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.
A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.
Example
In the following example, the specified ESO source is 5 and the compartment bits are specified as 5:
interface ethernet 0ip security eso-min 5 5Related Commands
ip security eso-info
ip security eso-maxip security extended-allowed
To accept packets on an interface that has an extended security option present, use the ip security extended-allowed interface configuration command. To restore the default, use the no form of this command.
ip security extended-allowed
no ip security extended-allowedSyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
Packets containing extended security options are rejected.
Example
The following example allows interface Ethernet 0 to accept packets that have an extended security option present:
interface ethernet 0ip security extended-allowedRelated Commands
ip security add
ip security dedicated
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security stripip security first
To prioritize the presence of security options on a packet, use the ip security first interface configuration command. To disable this function, use the no form of this command.
ip security first
no ip security firstSyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
If a basic security option is present on an outgoing packet, but it is not the first IP option, then the packet is moved to the front of the options field when this interface configuration command is used.
Example
The following example ensures that, if a basic security option is present in the options field of a packet exiting interface Ethernet 0, the packet is moved to the front of the options field:
interface ethernet 0ip security firstRelated Commands
ip security add
ip security dedicated
ip security extended-allowed
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security stripip security ignore-authorities
To have the Cisco IOS software ignore the authorities field of all incoming packets, use the ip security ignore-authorities interface configuration command. To disable this function, use the no form of this command.
ip security ignore-authorities
no ip security ignore-authoritiesSyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
When the packet's authority field is ignored, the value used in place of this field is the authority value declared for the specified interface. IP security ignore-authorities can only be configured on interfaces with dedicated security levels.
Example
The following example causes interface Ethernet 0 to ignore the authorities field on all incoming packets:
interface ethernet 0ip security ignore-authoritiesRelated Commands
ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security stripip security implicit-labelling
To force the Cisco IOS software to accept packets on the interface, even if they do not include a security option, use the ip security implicit-labelling interface configuration command. To disable this function, use the no form of this command.
ip security implicit-labelling [level authority [authority...]]
no ip security implicit-labelling [level authority [authority...]]Syntax Description
Default
Enabled, when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is disabled.
Command Mode
Interface configuration
Usage Guidelines
If your interface has multilevel security set, you must use the expanded form of the command (with the optional arguments as noted in brackets) because the arguments are used to specify the precise level and authority to use when labeling the packet. If your interface has dedicated security set, the additional arguments are ignored.
Example
In the following example, an interface is set for security and will accept unlabeled packets:
ip security dedicated confidential genserip security implicit-labellingRelated Commands
ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security multilevel
ip security reserved-allowed
ip security stripip security multilevel
To set the range of classifications and authorities on an interface, use the ip security multilevel interface configuration command. To disable this function, use the no form of this command.
ip security multilevel level1 [authority1...] to level2 authority2 [authority2...]
no ip security multilevelSyntax Description
level1
Degree of sensitivity of information. The classification level of incoming packets must be equal to or greater than this value for processing to occur. The level keywords are found in (see the ip security dedicated command).
authority1
(Optional) Organization that defines the set of security levels that will be used in a network. The authority bits must be a superset of this value. The authority keywords are listed in (see the ip security dedicated command).
to
Separates the range of classifications and authorities.
level2
Degree of sensitivity of information. The classification level of incoming packets must be equal to or less than this value for processing to occur. The level keywords are found in (see the ip security dedicated command).
authority2
Organization that defines the set of security levels that will be used in a network. The authority bits must be a proper subset of this value. The authority keywords are listed in (see the ip security dedicated command).
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
All traffic entering or leaving the system must have a security option that falls within this range. Being within range requires that the following two conditions be met:
•
•
Example
The following example specifies levels Unclassified to Secret and NSA authority:
ip security multilevel unclassified to secret nsaRelated Commands
ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security reserved-allowed
ip security stripip security reserved-allowed
To treat as valid any packets that have Reserved1 through Reserved4 security levels, use the ip security reserved-allowed interface configuration command. To disable this feature, use the no form of this command.
ip security reserved-allowed
no ip security reserved-allowedSyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
When you set multilevel security on an interface, and indicate, for example, that the highest range allowed is Confidential, and the lowest is Unclassified, the Cisco IOS software neither allows nor operates on packets that have security levels of Reserved3 and Reserved2 because they are undefined.
If you use the IP Security Option (IPSO) to block transmission out of unclassified interfaces, and you use one of the Reserved security levels, you must enable this feature to preserve network security.
Example
The following example allows a security level of Reserved through Ethernet interface 0:
interface ethernet 0ip security reserved-allowedRelated Commands
ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security stripip security strip
To remove any basic security option on outgoing packets on an interface, use the ip security strip interface configuration command. To disable this function, use the no form of this command.
ip security strip
no ip security stripSyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
This procedure is performed after all security tests in the router have been passed. This command is not allowed for multilevel interfaces.
Example
The following example removes any basic security options on outgoing packets on Ethernet interface 0:
interface ethernet 0ip security stripRelated Commands
ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowedip source-route
To allow the Cisco IOS software to handle IP datagrams with source routing header options, use the ip source-route global configuration command. To have the software discard any IP datagram containing a source-route option, use the no form of this command.
ip source-route
no ip source-routeSyntax Description
This command has no arguments or keywords.
Default
Enabled
Command Mode
Global configuration
Example
The following example enables the handling of IP datagrams with source routing header options:
ip source-routeRelated Commands
ip subnet-zero
To enable the use of subnet zero for interface addresses and routing updates, use the ip subnet-zero global configuration command. To restore the default, use the no form of this command.
ip subnet-zero
no ip subnet-zeroSyntax Description
This command has no arguments or keywords.
Default
Disabled
Command Mode
Global configuration
Usage Guidelines
The ip subnet-zero command provides the ability to configure and route to subnet-zero subnets.
Subnetting with a subnet address of zero is discouraged because of the confusion inherent in having a network and a subnet with indistinguishable addresses.
Example
In the following example, subnet-zero is enabled:
ip subnet-zeroip tcp chunk-size
To alter the TCP maximum read size, use the ip tcp chunk-size global configuration command. To restore the default value, use the no form of this command.
ip tcp chunk-size bytes
no ip tcp chunk-sizeSyntax Description
bytes
Maximum TCP read size. The default value is a very large number (the largest possible 32-bit positive number).
Default
The largest possible 32-bit positive number.
Command Mode
Global configuration
Usage Guidelines
Do not use this command unless you really have a good reason.
Example
The following example sets the maximum TCP read size to 64000 bytes:
ip tcp chunk-size 64000ip tcp compression-connections
To specify the total number of header compression connections that can exist on an interface, use the ip tcp compression-connections interface configuration command. To restore the default, use the no form of this command.
ip tcp compression-connections number
no ip tcp compression-connections numberSyntax Description
Default
16 connections
Command Mode
Interface configuration
Usage Guidelines
You should configure one connection for each TCP connection through the specified interface.
Each connection sets up a compression cache entry, so you are in effect specifying the maximum number of cache entries and the size of the cache. Too few cache entries for the specified interface can lead to degraded performance, while too many cache entries can lead to wasted memory.
Note
Example
In the following example, the first serial interface is set for header compression with a maximum of ten cache entries:
interface serial 0ip tcp header-compressionip tcp compression-connections 10Related Commands
ip tcp header-compression
show ip tcp header-compressionip tcp header-compression
To enable TCP header compression, use the ip tcp header-compression interface configuration command. To disable compression, use the no form of this command.
ip tcp header-compression [passive]
no ip tcp header-compression [passive]Syntax Description
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
You can compress the headers of your TCP/IP packets in order to reduce the size of your packets. TCP header compression is supported on serial lines using HDLC or PPP encapsulation. You must enable compression on both ends of a serial connection. RFC 1144 specifies the compression process. Compressing the TCP header can speed up Telnet connections dramatically. In general, TCP header compression is advantageous when your traffic consists of many small packets, not for traffic that consists of large packets. Transaction processing (usually using terminals) tends to use small packets while file transfers use large packets. This feature only compresses the TCP header, so it has no effect on UDP packets or other protocol headers.
When compression is enabled, fast switching is disabled. This means that fast interfaces like T1 can overload the router. Consider your network's traffic characteristics before using this command.
Example
In the following example, the first serial interface is set for header compression with a maximum of ten cache entries:
interface serial 0ip tcp header-compressionip tcp compression-connections 10Related Command
ip tcp compression-connections
ip tcp path-mtu-discovery
To enable Path MTU Discovery for all new TCP connections from the router, use the ip tcp path-mtu-discovery interface configuration command. To disable the feature, use the no form of this command.
ip tcp path-mtu-discovery [age-timer {minutes | infinite}]
no ip tcp path-mtu-discovery [age-timer {minutes | infinite}]Syntax Description
Default
Disabled. If enabled, default minutes is 10 minutes.
Command Mode
Interface configuration
Usage Guidelines
Path MTU Discovery is a method for maximizing the use of available bandwidth in the network between the end points of a TCP connection. It is described in RFC 1191. Existing connections are not affected when this feature is turned on or off.
Customers using TCP connections to move bulk data between systems on distinct subnets would benefit most by enabling this feature. This might include customers using RSRB with TCP encapsulation, STUN, X.25 Remote Switching (also known as XOT or X.25 over TCP), and some protocol translation configurations.
The age timer is a time interval for how often TCP re-estimates the Path MTU with a larger MSS. By using the age timer, TCP Path MTU becomes a dynamic process. If MSS used for the connection is smaller than what the peer connection can handle, a larger MSS is tried every time the age timer expires. The discovery process is stopped when either the send MSS is as large as the peer negotiated, or the user has disabled the timer on the router. You can turn off the age-timer by setting it to infinite.
Example
The following example enables Path MTU Discovery:
ip tcp path-mtu-discoveryip tcp queuemax
To alter the maximum TCP outgoing queue per connection, use the ip tcp queuemax global configuration command. To restore the default value, use the no form of this command.
ip tcp queuemax packets
no ip tcp queuemaxSyntax Description
packets
Outgoing queue size of TCP packets. The default value is 5 segments if the connection has a TTY associated with it. If there is no TTY associated with it, the default value is 20 segments.
Default
The default value is 5 segments if the connection has a TTY associated with it. If there is no TTY associated with it, the default value is 20 segments.
Command Mode
Global configuration
Usage Guidelines
Changing the default value changes the 5, not the 20.
Example
The following example sets the maximum TCP outgoing queue to 10 packets:
ip tcp queuemax 10ip tcp synwait-time
To set a period of time the Cisco IOS software waits while attempting to establish a TCP connection before it times out, use the ip tcp synwait-time global configuration command. To restore the default time, use the no form of this command.
ip tcp synwait-time seconds
no ip tcp synwait-time secondsSyntax Description
seconds
Time in seconds the software waits while attempting to establish a TCP connection. It can be an integer from 5 to 300 seconds. The default is 30 seconds.
Default
30 seconds
Command Mode
Global configuration
Usage Guidelines
In previous versions of Cisco IOS software, the system would wait a fixed 30 seconds when attempting to establish a TCP connection. If your network contains Public Switched Telephone Network dial-on-demand routing (PSTN DDR), the call setup time may exceed 30 seconds. This amount of time is not sufficient in networks that have dial-up asynchronous connections because it will affect your ability to Telnet over the link (from the router) if the link must be brought up. If you have this type of network, you might want to set this value to the UNIX value of 75.
Because this is a host parameter, it does not pertain to traffic going through the router, just for traffic originated at this device. Because UNIX has a fixed 75-second timeout, hosts are unlikely to see this problem.
Example
The following example configures the Cisco IOS software to continue attempting to establish a TCP connection for 180 seconds:
ip tcp synwait-time 180ip tcp window-size
To alter the TCP window size, use the ip tcp window-size global configuration command. To restore the default value, use the no form of this command.
ip tcp window-size bytes
no ip tcp window-sizeSyntax Description
Default
2144 bytes
Command Mode
Global configuration
Usage Guidelines
Do not use this command unless you clearly understand why you want to change the default value.
If your TCP window size is set to 1000 bytes, for example, you could have 1 packet of 1000 bytes or 2 packets of 500 bytes, etc. However, there is also a limit on the number of packets allowed in the window. There can be a maximum of 5 packets if the connection has TTY; otherwise there can be 20 packets.
Example
The following example sets the TCP window size to 1000 bytes:
ip tcp window-size 1000ip unnumbered
To enable IP processing on a serial interface without assigning an explicit IP address to the interface, use the ip unnumbered interface configuration command. To disable the IP processing on the interface, use the no form of this command.
ip unnumbered type number
no ip unnumbered type numberSyntax Description
type number
Type and number of another interface on which the router has an assigned IP address. It cannot be another unnumbered interface.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
Whenever the unnumbered interface generates a packet (for example, for a routing update), it uses the address of the specified interface as the source address of the IP packet. It also uses the address of the specified interface in determining which routing processes are sending updates over the unnumbered interface. Restrictions include the following:
•
•
•
•
The interface you specify by the type and number arguments must be enabled (listed as "up" in the show interfaces command display).
If you are configuring IS-IS across a serial line, you should configure the serial interfaces as unnumbered. This allows you to conform with RFC 1195, which states that IP addresses are not required on each interface.
Note
Example
In the following example, the first serial interface is given Ethernet 0's address:
interface ethernet 0ip address 131.108.6.6 255.255.255.0!interface serial 0ip unnumbered ethernet 0ip unreachables
To enable the generation of ICMP Unreachable messages, use the ip unreachables interface configuration command. To disable this function, use the no form of this command.
ip unreachables
no ip unreachablesSyntax Description
This command has no arguments or keywords.
Default
Enabled
Command Mode
Interface configuration
Usage Guidelines
If the Cisco IOS software receives a nonbroadcast packet destined for itself that uses a protocol it does not recognize, it sends an ICMP Protocol Unreachable message to the source.
If the software receives a datagram that it cannot deliver to its ultimate destination because it knows of no route to the destination address, it replies to the originator of that datagram with an ICMP Host Unreachable message.
This command affects all kinds of ICMP unreachable messages.
Example
The following example enables the generation of ICMP Unreachable messages, as appropriate, on an interface:
interface ethernet 0ip unreachablesping (privileged)
To check host reachability and network connectivity, use the ping (IP packet internet groper function) user EXEC command.
ping [protocol] {host | address}
Syntax Description
protocol
(Optional) Protocol keyword. The default is IP.
host
Host name of system to ping.
address
IP address of system to ping.
Command Mode
Privileged EXEC
Usage Guidelines
The ping command sends ICMP Echo messages. If the Cisco IOS software receives an ICMP Echo message, it sends an ICMP Echo Reply message to the source of the ICMP Echo message.
You can use the IP ping command to diagnose serial line problems. By placing the local or remote CSU/DSU into loopback mode and pinging your own interface, you can isolate the problem to the router, or to a leased line.
Multicast and broadcast pings are fully supported. When you ping the broadcast address of 255.255.255.255, the system will send out pings and print a list of all stations responding. You can also ping a local network to get a list of all systems that respond, as in the following example, where 128.111.3 is a local network:
ping 128.111.3.255As a side-effect, you also can get a list of all multicast-capable hosts that are connected directly to the router from which you are pinging, as in the following example:
ping 224.0.0.1To abort a ping session, type the escape sequence (by default, Ctrl-^ X, which is done by simultaneously pressing the Ctrl, Shift, and 6 keys, letting go, then pressing the X key).
describes the test characters that the ping facility sends.
Table 47 Ping Test Characters
You can use the extended command mode of the ping command to specify the supported Internet header options, as shown in the following sample display.
Sample Display Showing Extended Command Sequence
To enter ping extended command mode, enter yes at the extended commands prompt of the ping command. The following display shows a sample ping extended command sequence.
Router# pingProtocol [ip]:Target IP address: 192.31.7.27Repeat count [5]:Datagram size [100]:Timeout in seconds [2]:Extended commands [n]: ySource address: 131.108.1.1Type of service [0]:Set DF bit in IP header? [no]:Data pattern [0xABCD]:Loose, Strict, Record, Timestamp, Verbose[none]:Sweep range of sizes [n]:Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 192.31.7.27, timeout is 2 seconds:!!!!!Success rate is 100 percent, round-trip min/avg/max = 1/3/4 msdescribes significant fields shown in the display.
Table 48 IP Ping Internet Header Options Field Descriptions
Use the Record Route Option
Using the Record Route option to trace a path to a particular destination address. Be aware, however, that the trace EXEC command performs a similar function, but the latter does not have the nine-hop limitation.
Sample Display Showing the Record Route Option
The following display shows sample extended ping output when this option is specified:
Router# pingProtocol [ip]:Target IP address: fredRepeat count [5]:Datagram size [100]:Timeout in seconds [2]:Extended commands [n]: ySource address:Type of service [0]:Set DF bit in IP header? [no]:Data pattern [0xABCD]:Loose, Strict, Record, Timestamp, Verbose[none]: rNumber of hops [ 9 ]:Loose, Strict, Record, Timestamp, Verbose[RV]:Sweep range of sizes [n]:Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 131.108.1.115, timeout is 2 seconds:Packet has IP options: Total option bytes= 39, padded length=40Record route: <*> 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.00.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0The following display is a detail of the Echo packet section:
0 in 4 ms. Received packet has optionsTotal option bytes= 40, padded length=40Record route: 160.89.80.31 131.108.6.10 131.108.1.7 131.108.1.115131.108.1.115 131.108.6.7 160.89.80.240 160.89.80.31 <*> 0.0.0.0End of list1 in 8 ms. Received packet has optionsTotal option bytes= 40, padded length=40Record route: 160.89.80.31 131.108.6.10 131.108.1.6 131.108.1.115131.108.1.115 131.108.6.7 160.89.80.240 160.89.80.31 <*> 0.0.0.0End of list2 in 4 ms. Received packet has optionsTotal option bytes= 40, padded length=40Record route: 160.89.80.31 131.108.6.10 131.108.1.7 131.108.1.115131.108.1.115 131.108.6.7 160.89.80.240 160.89.80.31 <*> 0.0.0.0End of list3 in 8 ms. Received packet has optionsTotal option bytes= 40, padded length=40Record route: 160.89.80.31 131.108.6.10 131.108.1.6 131.108.1.115131.108.1.115 131.108.6.7 160.89.80.240 160.89.80.31 <*> 0.0.0.0End of list4 in 4 ms. Received packet has optionsTotal option bytes= 40, padded length=40Record route: 160.89.80.31 131.108.6.10 131.108.1.7 131.108.1.115131.108.1.115 131.108.6.7 160.89.80.240 160.89.80.31 <*> 0.0.0.0End of listSuccess rate is 100 percent, round-trip min/avg/max = 4/5/8 msRouter#In this display, five ping echo packets are sent to the destination address 131.108.1.115. The echo packet detail section includes specific information about each of these echo packets.
The lines of ping output that are unique when the Record Route option is specified are described as follows.
The following line of output allows you to specify the number of hops that will be recorded in the route. Range: 1 through 9. Default: 9.
Number of hops [ 9 ]:The following line of output indicates that IP header options have been enabled on the outgoing echo packets and shows the number of option bytes and padded bytes in the headers of these packets.
Packet has IP options: Total option bytes= 39, padded length=40The following lines of output indicate that the fields that will contain the IP addresses of the nodes in the routes have been zeroed out in the outgoing packets.
Record route: <*> 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.00.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0The following lines of output display statistics for the first of the five echo packets sent. 0 is the number assigned to this packet to indicate that it is the first in the series. 4 ms indicates the round trip travel time for the packet.
0 in 4 ms. Received packet has optionsTotal option bytes= 40, padded length=40Record route: 160.89.80.31 131.108.6.10 131.108.1.7 131.108.1.115131.108.1.115 131.108.6.7 160.89.80.240 160.89.80.31 <*> 0.0.0.0The following line of output indicates that four nodes were included in the packet's route, including the router at source address 160.89.80.31, two intermediate nodes at addresses 131.108.6.10 and 131.108.1.7, and the destination node at address 131.108.1.115. The underlined address shows where the original route differs from the return route in the line that follows this line.
Record route: 160.89.80.31 131.108.6.10 131.108.1.7 131.108.1.115The following line of output includes the addresses of the four nodes in the return path of the echo packet. The underlined address shows where the return route differs from the original route shown in the previous line of output.
131.108.1.115 131.108.6.7 160.89.80.240 160.89.80.31 <*> 0.0.0.0Related Command
ping (user)
To check host reachability and network connectivity, use the ping (IP packet internet groper function) user EXEC command.
ping [protocol] {host | address}
Syntax Description
protocol
(Optional) Protocol keyword. The default is IP.
host
Host name of system to ping.
address
IP address of system to ping.
Command Mode
EXEC
Usage Guidelines
The ping command sends ICMP Echo messages. If the Cisco IOS software receives an ICMP Echo message, it sends an ICMP Echo Reply message to the source of the ICMP Echo message.
The user ping feature provides a basic ping facility for IP users who do not have system privileges. This feature allows the software to perform the simple default ping functionality for the IP protocol. Only the nonverbose form of the ping command is supported for user pings.
If the system cannot map an address for a host name, it will return an "%Unrecognized host or address" error message.
To abort a ping session, type the escape sequence (by default, Ctrl-^ X, which is done by simultaneously pressing the Ctrl, Shift, and 6 keys, letting go, then pressing the X key).
In the ping (privileged) section, describes the test characters that the ping facility sends.
Sample Display Using an IP Host Name
The following display shows sample ping output when you ping a host named fred:
Router> ping fredType escape sequence to abort.Sending 5, 100-byte ICMP Echos to 192.31.7.27, timeout is 2 seconds:!!!!!Success rate is 100 percent, round-trip min/avg/max = 1/3/4 msSample Display Using the Broadcast Address
The following display shows sample ping output when you ping the broadcast address of 255.255.255.255:
Router> ping 255.255.255.255Type escape sequence to abort.Sending 5, 100-byte ICMP Echos to 255.255.255.255, timeout is 2 seconds:Reply to request 0 from 160.89.48.15 (4 ms)Reply to request 0 from 160.89.48.10 (4 ms)Reply to request 0 from 160.89.48.19 (4 ms)Reply to request 0 from 160.89.49.15 (4 ms)Reply to request 1 from 160.89.48.15 (4 ms)Reply to request 1 from 160.89.48.10 (4 ms)Reply to request 1 from 160.89.48.19 (4 ms)Reply to request 1 from 160.89.49.15 (4 ms)Reply to request 2 from 160.89.48.15 (4 ms)Reply to request 2 from 160.89.48.10 (4 ms)Reply to request 2 from 160.89.48.19 (4 ms)Reply to request 2 from 160.89.49.15 (4 ms)Reply to request 3 from 160.89.48.15 (4 ms)Reply to request 3 from 160.89.48.10 (4 ms)Reply to request 3 from 160.89.48.19 (4 ms)Reply to request 3 from 160.89.49.15 (4 ms)Reply to request 4 from 160.89.48.15 (4 ms)Reply to request 4 from 160.89.48.10 (4 ms)Reply to request 4 from 160.89.48.19 (4 ms)Reply to request 4 from 160.89.49.15 (4 ms)Related Command
show access-lists
To display the contents of current access lists, use the show access-lists privileged EXEC command.
show access-lists [access-list-number]
Syntax Description
access-list-number
(Optional) Access list number to display. The range is 0 to 1199. The system displays all access lists by default.
Default
The system displays all access lists.
Command Mode
Privileged EXEC
Sample Display
The following is sample output from the show access-lists command when access list 101 is specified:
Router# show access-lists 101Extended IP access list 101permit tcp host 198.92.32.130 any established (4304 matches)permit udp host 198.92.32.130 any eq domain (129 matches)permit icmp host 198.92.32.130 anypermit tcp host 198.92.32.130 host 171.69.2.141 gt 1023permit tcp host 198.92.32.130 host 171.69.2.135 eq smtp (2 matches)permit tcp host 198.92.32.130 host 198.92.30.32 eq smtppermit tcp host 198.92.32.130 host 171.69.108.33 eq smtppermit udp host 198.92.32.130 host 171.68.225.190 eq syslogpermit udp host 198.92.32.130 host 171.68.225.126 eq syslogdeny ip 150.136.0.0 0.0.255.255 224.0.0.0 15.255.255.255deny ip 171.68.0.0 0.1.255.255 224.0.0.0 15.255.255.255 (2 matches)deny ip 172.24.24.0 0.0.1.255 224.0.0.0 15.255.255.255deny ip 192.82.152.0 0.0.0.255 224.0.0.0 15.255.255.255deny ip 192.122.173.0 0.0.0.255 224.0.0.0 15.255.255.255deny ip 192.122.174.0 0.0.0.255 224.0.0.0 15.255.255.255deny ip 192.135.239.0 0.0.0.255 224.0.0.0 15.255.255.255deny ip 192.135.240.0 0.0.7.255 224.0.0.0 15.255.255.255deny ip 192.135.248.0 0.0.3.255 224.0.0.0 15.255.255.255deny ip 192.150.42.0 0.0.0.255 224.0.0.0 15.255.255.255An access list counter counts how many packets are allowed by each line of the access list. This number is displayed as the number of matches.
For information on how to configure access lists, refer to the "Configuring IP" chapter of the Network Protocols Configuration Guide, Part 1.
For information on how to configure dynamic access lists, refer to the "Managing the System" chapter of the Configuration Fundamentals Configuration Guide.
Related Commands
A dagger (†) indicates that the command is documented outside this chapter.
access-list (extended)
access-list (standard)
clear access-list counters
clear access-temp †show arp
To display the entries in the ARP table, use the show arp privileged EXEC command.
show arp
Syntax Description
This command has no arguments or keywords.
Command Mode
Privileged EXEC
Sample Display
The following is sample output from the show arp command:
Router# show arpProtocol Address Age (min) Hardware Addr Type InterfaceInternet 131.108.42.112 120 0000.a710.4baf ARPA Ethernet3AppleTalk 4028.5 29 0000.0c01.0e56 SNAP Ethernet2Internet 131.108.42.114 105 0000.a710.859b ARPA Ethernet3AppleTalk 4028.9 - 0000.0c02.a03c SNAP Ethernet2Internet 131.108.42.121 42 0000.a710.68cd ARPA Ethernet3Internet 131.108.36.9 - 0000.3080.6fd4 SNAP TokenRing0AppleTalk 4036.9 - 0000.3080.6fd4 SNAP TokenRing0Internet 131.108.33.9 - 0000.0c01.7bbd SNAP Fddi0describes significant fields shown in the first line of output in the display.
Table 49 Show ARP Field Descriptions
show dnsix
To display state information and the current configuration of the DNSIX audit writing module, use the show dnsix privileged EXEC command.
show dnsix
Syntax Description
This command has no arguments or keywords.
Command Mode
Privileged EXEC
Sample Display
The following is sample output from the show dnsix command:
Router# show dnsixAudit Trail Enabled with Source 128.105.2.5State: PRIMARYConnected to 128.105.2.4Primary 128.105.2.4Transmit Count 1DMDP retries 4Authorization Redirection List:128.105.2.4Record count: 0Packet Count: 0Redirect Rcv: 0show hosts
To display the default domain name, the style of name lookup service, a list of name server hosts, and the cached list of host names and addresses, use the show hosts EXEC command.
show hosts
Syntax Description
This command has no arguments or keywords.
Command Mode
EXEC
Sample Display
The following is sample output from the show hosts command:
Router# show hostsDefault domain is CISCO.COMHame/address lookup uses domain serviceHame servers are 255.255.255.255Host Flag Age Type Address(es)SLAG.CISCO.COM (temp, OK) 1 IP 131.108.4.10CHAR.CISCO.COM (temp, OK) 8 IP 192.31.7.50CHAOS.CISCO.COM (temp, OK) 8 IP 131.108.1.115DIRT.CISCO.COM (temp, EX) 8 IP 131.108.1.111DUSTBIN.CISCO.COM (temp, EX) 0 IP 131.108.1.27DREGS.CISCO.COM (temp, EX) 24 IP 131.108.1.30describes significant fields shown in the display.
Table 50 Show Hosts Field Descriptions
Related Command
show ip access-list
To display the contents of all current IP access lists, use the show ip access-list EXEC command.
show ip access-list [access-list-number]
Syntax Description
access-list-number
(Optional) Number of the IP access list to display. This is a decimal number from 1 to 199.
Defaults
Displays all standard and extended IP access lists.
Command Mode
EXEC
Usage Guidelines
The show ip access-list command provides output identical to the show access-lists command, except that it is IP-specific and allows you to specify a particular access list.
Sample Display
The following is sample output from the show ip access-list command:
Router# show ip access-listExtended IP access list 101deny udp any any eq ntppermit tcp any anypermit udp any any eq tftppermit icmp any anypermit udp any any eq domainshow ip accounting
To display the active accounting or checkpointed database or to display access-list violations, use the show ip accounting EXEC command.
show ip accounting [checkpoint] [output-packets | access-violations]
Syntax Description
Defaults
If neither the output-packets nor access-violations keyword is specified, show ip accounting displays information pertaining to packets that passed access control and were successfully routed.
Command Mode
EXEC
Usage Guidelines
If you do not specify any keywords, the show ip accounting command displays information about the active accounting database.
To display IP access violations, you must give the access-violations keyword on the command. If you do not specify the keyword, the command defaults to displaying the number of packets that have passed access lists and were routed.
To use this command, you must first enable IP accounting on a per-interface basis.
Sample Display
Following is sample output from the show ip accounting command:
Router# show ip accountingSource Destination Packets Bytes131.108.19.40 192.67.67.20 7 306131.108.13.55 192.67.67.20 67 2749131.108.2.50 192.12.33.51 17 1111131.108.2.50 130.93.2.1 5 319131.108.2.50 130.93.1.2 463 30991131.108.19.40 130.93.2.1 4 262131.108.19.40 130.93.1.2 28 2552131.108.20.2 128.18.6.100 39 2184131.108.13.55 130.93.1.2 35 3020131.108.19.40 192.12.33.51 1986 95091131.108.2.50 192.67.67.20 233 14908131.108.13.28 192.67.67.53 390 24817131.108.13.55 192.12.33.51 214669 9806659131.108.13.111 128.18.6.23 27739 1126607131.108.13.44 192.12.33.51 35412 1523980192.31.7.21 130.93.1.2 11 824131.108.13.28 192.12.33.2 21 1762131.108.2.166 192.31.7.130 797 141054131.108.3.11 192.67.67.53 4 246192.31.7.21 192.12.33.51 15696 695635192.31.7.24 192.67.67.20 21 916131.108.13.111 128.18.10.1 16 1137The following is sample output from the show ip accounting access-violations command. The output pertains to packets that failed access lists and were not routed:
Router# show ip accounting access-violationsSource Destination Packets Bytes ACL131.108.19.40 192.67.67.20 7 306 77131.108.13.55 192.67.67.20 67 2749 185131.108.2.50 192.12.33.51 17 1111 140 131.108.2.50 130.93.2.1 5 319 140 131.108.19.40 130.93.2.1 4 262 77Accounting data age is 41describes the fields shown in the displays.
Table 51 Show IP Accounting (and Access-Violation) Field Descriptions
Related Commands
clear ip accounting
ip accounting
ip accounting-list
ip accounting-threshold
ip accounting-transitsshow ip aliases
To display the IP addresses mapped to TCP ports (aliases) and SLIP addresses, which are treated similarly to aliases, use the show ip aliases EXEC command.
show ip aliases
Syntax Description
This command has no arguments or keywords.
Command Mode
EXEC
Usage Guidelines
To distinguish a SLIP address from a normal alias address, the command output uses the form SLIP TTY1 for the "port" number, where 1 is the auxiliary port.
Sample Display
The following is sample output from the show ip aliases command:
Router# show ip aliasesIP Address Port131.108.29.245 SLIP TTY1The display lists the IP address and corresponding port number.
Related Command
A dagger (†) indicates that the command is documented outside this chapter.
show line †
show ip arp
To display the Address Resolution Protocol (ARP) cache, where SLIP addresses appear as permanent ARP table entries, use the show ip arp EXEC command.
show ip arp [<ip-address>] [<hostname>] [<mac-address>] [<interface>]
Syntax Description
Command Mode
EXEC
Usage Guidelines
ARP establishes correspondences between network addresses (an IP address, for example) and LAN hardware addresses (Ethernet addresses). A record of each correspondence is kept in a cache for a predetermined amount of time and then discarded.
With ip-address/hostname/mac-address option, arp entries matching the ip address are displayed. With the interface option, all the arp entries learned via a given interface are displayed.
Sample Display
The following is sample output from the show ip arp command:
Router# show ip arpProtocol Address Age(min) Hardware Addr Type InterfaceInternet 171.69.233.22 9 0000.0c59.f892 ARPA Ethernet0/0Internet 171.69.233.21 8 0000.0c07.ac00 ARPA Ethernet0/0Internet 171.69.233.19 - 0000.0c63.1300 ARPA Ethernet0/0Internet 171.69.233.30 9 0000.0c36.6965 ARPA Ethernet0/0Internet 172.19.168.11 - 0000.0c63.1300 ARPA Ethernet0/0Internet 172.19.168.254 9 0000.0c36.6965 ARPA Ethernet0/0describes significant fields shown in the display.
Table 52 Show IP ARP Field Displays
show ip cache
To display the routing table cache used to fast switch IP traffic, use the show ip cache EXEC command.
show ip cache [prefix mask] [type number]
Syntax Description
Command Mode
EXEC
Usage Guidelines
The show ip cache display shows MAC headers up to 92 bytes.
Sample Displays
The following is sample output from the show ip cache command:
Router# show ip cacheIP routing cache version 4490, 141 entries, 20772 bytes, 0 hash overflowsMinimum invalidation interval 2 seconds, maximum interval 5 seconds,quiet interval 3 seconds, threshold 0 requestsInvalidation rate 0 in last second, 0 in last 3 secondsLast full cache invalidation occurred 0:06:31 agoPrefix/Length Age Interface MAC Header131.108.1.1/32 0:01:09 Ethernet0/0 AA000400013400000C0357430800131.108.1.7/32 0:04:32 Ethernet0/0 00000C01281200000C0357430800131.108.1.12/32 0:02:53 Ethernet0/0 00000C029FD000000C0357430800131.108.2.13/32 0:06:22 Fddi2/0 00000C05A3E000000C035753AAAA030000000800131.108.2.160/32 0:06:12 Fddi2/0 00000C05A3E000000C035753AAAA030000000800131.108.3.0/24 0:00:21 Ethernet1/2 00000C026BC600000C03574D0800131.108.4.0/24 0:02:00 Ethernet1/2 00000C026BC600000C03574D0800131.108.5.0/24 0:00:00 Ethernet1/2 00000C04520800000C03574D0800131.108.10.15/32 0:05:17 Ethernet0/2 00000C025FF500000C0357450800131.108.11.7/32 0:04:08 Ethernet1/2 00000C010E3A00000C03574D0800131.108.11.12/32 0:05:10 Ethernet0/0 00000C01281200000C0357430800131.108.11.57/32 0:06:29 Ethernet0/0 00000C01281200000C0357430800describes significant fields shown in the display.
Table 53 Show IP Cache Field Descriptions
The following is sample output from the show ip cache command with a prefix and mask specified:
Router# show ip cache 131.108.5.0 255.255.255.0IP routing cache version 4490, 119 entries, 17464 bytes, 0 hash overflowsMinimum invalidation interval 2 seconds, maximum interval 5 seconds,quiet interval 3 seconds, threshold 0 requestsInvalidation rate 0 in last second, 0 in last 3 secondsLast full cache invalidation occurred 0:11:56 agoPrefix/Length Age Interface MAC Header131.108.5.0/24 0:00:34 Ethernet1/2 00000C04520800000C03574D0800The following is sample output from the show ip cache command with an interface specified:
Router# show ip cache e0/2IP routing cache version 4490, 141 entries, 20772 bytes, 0 hash overflowsMinimum invalidation interval 2 seconds, maximum interval 5 seconds,quiet interval 3 seconds, threshold 0 requestsInvalidation rate 0 in last second, 0 in last 3 secondsLast full cache invalidation occurred 0:06:31 agoPrefix/Length Age Interface MAC Header131.108.10.15/32 0:05:17 Ethernet0/2 00000C025FF500000C0357450800show ip cache flow
To display summary NetFlow switching statistics, use the show ip cache flow EXEC command.
show ip cache flow
Syntax Description
This command has no keywords and arguments.
Command Mode
EXEC
Sample Display
The following is a sample output from the show ip cache flow command.
Router# show ip cache flowIP packet size distribution (308093708 total packets):1-32 64 96 128 160 192 224 256 288 320 352 384 416 448 480.001 .656 .058 .027 .185 .006 .007 .003 .007 .001 .002 .001 .001 .000 .000512 544 576 1024 1536 2048 2560 3072 3584 4096 4608.001 .006 .004 .000 .002 .022 .000 .000 .000 .000 .000IP Flow Switching Cache, 421 active, 32347 inactive, 1201604 added50450 tcp fin, 3209 tcp rst, 1097730 timeout20815 dns, 28979 counter wrap1201183 flows exported, 0 not exported, 284078 export msgs sentflow alloc failures: 0 pkts, 0 bytes4 cur max hash, 29 worst max hash, 421 valid buckets0 tcp reordered flows, 0 reordered pkts, 0 syn retries0 tcp backed-off flows, 0 backoff pkts, 0 backoff secsstatistics cleared 401489 seconds agoProtocol Total Flows Packets Bytes Packets Active(Sec) Idle(Sec)-------- Flows /Sec /Flow /Pkt /Sec /Flow /FlowTCP-Telnet 14847 0.0 265 70 9.8 64.7 16.7TCP-FTP 262 0.0 12 57 0.0 24.0 20.5TCP-FTPD 340 0.0 311 535 0.2 6.3 7.7TCP-WWW 2416 0.0 9 159 0.0 2.9 7.8TCP-SMTP 993 0.0 25 308 0.0 3.1 11.7TCP-X 608957 1.5 175 126 265.5 39.2 33.0TCP-other 202627 0.5 891 66 450.0 96.7 29.5UDP-DNS 20823 0.0 2 247 0.1 0.0 6.9UDP-NTP 80122 0.1 2 76 0.4 1.2 33.9UDP-TFTP 6649 0.0 95 131 1.5 5.9 34.0UDP-Frag 3041 0.0 60 1336 0.4 30.9 33.8UDP-other 239260 0.5 67 457 39.9 152.1 31.7ICMP 15239 0.0 32 65 1.2 50.3 33.4IGMP 6066 0.0 3 51 0.0 6.9 33.9Total: 1201642 2.9 257 108 769.6 68.1 31.5SrcIf SrcIPaddress DstIf DstIPaddress Pr DstP SrcP Pkts B/Pk ActiveFd1/0/0 80.0.0.3 Se1/1/0 200.1.9.1 01 0000 0000 467 46 33.6Fd1/0/0 80.0.0.3 Se1/1/0 200.1.8.1 01 0000 0000 1053 46 68.9Fd1/0/0 80.0.0.3 Se1/1/0 200.1.10.1 01 0000 0000 50 46 2.4Fd1/0/0 80.0.0.3 Se1/1/0 200.1.1.1 01 0000 0000 17 46 1.4Fd1/0/0 80.0.0.3 Se1/1/0 200.1.3.1 01 0000 0000 16 46 1.4Fd1/0/0 80.0.0.3 Se1/1/0 200.1.2.1 01 0000 0000 25 46 1.9Fd1/0/0 80.0.0.3 Se1/1/0 200.1.5.1 01 0000 0000 22 46 2.0Fd1/0/0 80.0.0.3 Se1/1/0 200.1.4.1 01 0000 0000 33 46 2.0Fd1/0/0 80.0.0.3 Se1/1/0 200.1.7.1 01 0000 0000 27 46 2.0Fd1/0/0 80.0.0.3 Se1/1/0 200.1.6.1 01 0000 0000 31 46 2.0describes the fields in the packet size distribution lines of the output.
Table 54 Show IP Cache Flow Field Descriptions—Part 1, Packet Size Distribution
describes the fields in the flow switching cache lines of the output.
Table 55 Show IP Cache Flow Field Descriptions—Part 2, Flow Switching Cache
describes the fields in the activity-by-protocol lines of the output.
Table 56 Show IP Cache Flow Field Descriptions—Part 3, NetFlow Activity by Protocol
describes the fields in the current flow lines of the output.
Table 57 Show IP Cache Flow Field Descriptions—Part 4, Current Flow
Related Command
show ip interface
To display the usability status of interfaces configured for IP, use the show ip interface EXEC command.
show ip interface [type number]
Syntax Description
Command Mode
EXEC
Usage Guidelines
The Cisco IOS software automatically enters a directly connected route in the routing table if the interface is usable. A usable interface is one through which the software can send and receive packets. If the software determines that an interface is not usable, it removes the directly connected routing entry from the routing table. Removing the entry allows the software to use dynamic routing protocols to determine backup routes to the network (if any).
If the interface can provide two-way communication, the line protocol is marked "up." If the interface hardware is usable, the interface is marked "up."
If you specify an optional interface type, you will see only information on that specific interface.
If you specify no optional arguments, you will see information on all the interfaces.
When an asynchronous interface is encapsulated with PPP or SLIP, IP fast switching is enabled. A show ip interface command on an asynchronous interface encapsulated with PPP or SLIP displays a message indicating that IP fast switching is enabled.
Sample Display
The following is sample output from the show ip interface command:
Router# show ip interfaceEthernet0 is up, line protocol is upInternet address is 192.195.78.24, subnet mask is 255.255.255.240Broadcast address is 255.255.255.255Address determined by non-volatile memoryMTU is 1500 bytesHelper address is not setSecondary address 131.192.115.2, subnet mask 255.255.255.0Directed broadcast forwarding is enabledMulticast groups joined: 224.0.0.1 224.0.0.2Outgoing access list is not setInbound access list is not setProxy ARP is enabledSecurity level is defaultSplit horizon is enabledICMP redirects are always sentICMP unreachables are always sentICMP mask replies are never sentIP fast switching is enabledIP fast switching on the same interface is disabledIP SSE switching is disabledRouter Discovery is disabledIP output packet accounting is disabledIP access violation accounting is disabledTCP/IP header compression is disabledProbe proxy name replies are disableddescribes the fields shown in the display.
Table 58 Show IP Interface Field Descriptions
show ip masks
To display the masks used for network addresses and the number of subnets using each mask, use the show ip masks EXEC command.
show ip masks address
Syntax Description
Command Mode
EXEC
Usage Guidelines
The show ip masks command is useful for debugging when variable-length subnet masks (VLSM) are used. It shows the number of masks associated with the network and the number of routes for each mask.
Sample Display
The following is sample output from the show ip masks command:
Router# show ip masks 131.108.0.0Mask Reference count255.255.255.255 2255.255.255.0 3255.255.0.0 1show ip nhrp
To display the Next Hop Resolution Protocol (NHRP) cache, use the show ip nhrp EXEC command.
show ip nhrp [dynamic | static] [type number]
Syntax Description
Command Mode
EXEC
Sample Display
The following is sample output from the show ip nhrp command:
Router# show ip nhrp10.0.0.2 255.255.255.255, ATM0/0 created 0:00:43 expire 1:59:16Type: dynamic Flags: authoritativeNBMA address: 11.1111.1111.1111.1111.1111.1111.1111.1111.1111.1110.0.0.1 255.255.255.255, Tunnel0 created 0:10:03 expire 1:49:56Type: static Flags: authoritativeNBMA address: 11.1.1.2Router#describes the fields in the display.
Table 59 Show IP NHRP Field Descriptions
100.0.0.2 255.255.255.255
IP address and its network mask in the IP-to-NBMA address cache. The mask is currently always 255.255.255.255 because we do not support aggregation of NBMA information through NHRP.
ATM0/0 created 0:00:43
Interface type and number (in this case, ATM slot and port numbers) and how long ago it was created (hours:minutes:seconds).
expire 1:59:16
Time in which the positive and negative authoritative NBMA address will expire (hours:minutes:seconds). This value is based on the
ip nhrp holdtime command.Type
Value can be one of the following:
•
•
Flags
Value can be one of the following:
•
•
•
NBMA address
Nonbroadcast, multiaccess address. The address format is appropriate for the type of network being used (for example, ATM, Ethernet, SMDS, multipoint tunnel).
Related Command
show ip nhrp traffic
To display Next Hop Resolution Protocol (NHRP) traffic statistics, use the show ip nhrp traffic EXEC command.
show ip nhrp traffic
Syntax Description
This command has no arguments or keywords.
Command Mode
EXEC
Sample Display
The following is sample output from the show ip nhrp traffic command:
Router# show ip nhrp trafficTunnel0request packets sent: 2request packets received: 4reply packets sent: 4reply packets received: 2register packets sent: 0register packets received: 0error packets sent: 0error packets received: 0Router#describes the fields in the display.
Table 60 Show IP NHRP Traffic Field Descriptions
show ip redirects
To display the address of a default gateway (router) and the address of hosts for which a redirect has been received, use the show ip redirects EXEC command.
show ip redirects
Syntax Description
This command has no arguments or keywords.
Command Mode
EXEC
Sample Display
The following is sample output from the show ip redirects command:
Router# show ip redirectsDefault gateway is 160.89.80.29Host Gateway Last Use Total Uses Interface131.108.1.111 160.89.80.240 0:00 9 Ethernet0128.95.1.4 160.89.80.240 0:00 4 Ethernet0Router#Related Command
show ip route
To display the entries in the routing table, use the show ip route EXEC command.
show ip route [address [mask]] | [protocol]
Syntax Description
Command Mode
EXEC
Sample Displays
The following is sample output from the show ip route command when entered when you do not specify an address:
Router# show ip routeCodes: I - IGRP derived, R - RIP derived, O - OSPF derivedC - connected, S - static, E - EGP derived, B - BGP derived* - candidate default route, IA - OSPF inter area routeE1 - OSPF external type 1 route, E2 - OSPF external type 2 routeGateway of last resort is 131.119.254.240 to network 129.140.0.0O E2 150.150.0.0 [160/5] via 131.119.254.6, 0:01:00, Ethernet2E 192.67.131.0 [200/128] via 131.119.254.244, 0:02:22, Ethernet2O E2 192.68.132.0 [160/5] via 131.119.254.6, 0:00:59, Ethernet2O E2 130.130.0.0 [160/5] via 131.119.254.6, 0:00:59, Ethernet2E 128.128.0.0 [200/128] via 131.119.254.244, 0:02:22, Ethernet2E 129.129.0.0 [200/129] via 131.119.254.240, 0:02:22, Ethernet2E 192.65.129.0 [200/128] via 131.119.254.244, 0:02:22, Ethernet2E 131.131.0.0 [200/128] via 131.119.254.244, 0:02:22, Ethernet2E 192.75.139.0 [200/129] via 131.119.254.240, 0:02:23, Ethernet2E 192.16.208.0 [200/128] via 131.119.254.244, 0:02:22, Ethernet2E 192.84.148.0 [200/129] via 131.119.254.240, 0:02:23, Ethernet2E 192.31.223.0 [200/128] via 131.119.254.244, 0:02:22, Ethernet2E 192.44.236.0 [200/129] via 131.119.254.240, 0:02:23, Ethernet2E 140.141.0.0 [200/129] via 131.119.254.240, 0:02:22, Ethernet2E 141.140.0.0 [200/129] via 131.119.254.240, 0:02:23, Ethernet2The following is sample output that includes some IS-IS Level 2 routes learned:
Router# show ip routeCodes: I - IGRP derived, R - RIP derived, O - OSPF derivedC - connected, S - static, E - EGP derived, B - BGP derivedi - IS-IS derived* - candidate default route, IA - OSPF inter area routeE1 - OSPF external type 1 route, E2 - OSPF external type 2 routeL1 - IS-IS level-1 route, L2 - IS-IS level-2 routeGateway of last resort is not set160.89.0.0 is subnetted (mask is 255.255.255.0), 3 subnetsC 160.89.64.0 255.255.255.0 is possibly down,routing via 0.0.0.0, Ethernet0i L2 160.89.67.0 [115/20] via 160.89.64.240, 0:00:12, Ethernet0i L2 160.89.66.0 [115/20] via 160.89.64.240, 0:00:12, Ethernet0describes the fields shown in the displays.
Table 61 Show IP Route Field Descriptions
The following is sample output from the show ip route command for a specific address:
Router# show ip route 160.89.6.0Routing entry for 160.89.6.0 (mask 255.255.255.0)Known via "connected", distance 0, metric 0 (connected)Tag 0Routing Descriptor Blocks:* directly connected, via Ethernet1Route metric is 0, traffic share count is 1describes the significant fields shown in the display.
Table 62 Show IP Route Field Descriptions for a Specific Address
show ip route summary
To display summary information about entries in the routing table, use the show ip route summary EXEC command.
show ip route summary
Syntax Description
This command has no arguments or keywords.
Command Mode
EXEC
Sample Display
The following is sample output from the show ip route summary command:
Router# show ip route summaryRoute Source Networks Subnets Overhead Memory (bytes)connected 0 3 126 360static 1 2 126 360igrp 109 747 12 31878 91080internal 3 360Total 751 17 32130 92160Router#describes the fields shown in the display:
Table 63 Show IP Route Summary Field Descriptions
Related Command
show ip tcp header-compression
To display statistics about TCP header compression, use the show ip tcp header-compression EXEC command.
show ip tcp header-compression
Syntax Description
This command has no arguments or keywords.
Command Mode
EXEC
Sample Display
The following is sample output from the show ip tcp header-compression command:
Router# show ip tcp header-compressionTCP/IP header compression statistics:Interface Serial1: (passive, compressing)Rcvd: 4060 total, 2891 compressed, 0 errors0 dropped, 1 buffer copies, 0 buffer failuresSent: 4284 total, 3224 compressed,105295 bytes saved, 661973 bytes sent1.15 efficiency improvement factorConnect: 16 slots, 1543 long searches, 2 misses, 99% hit ratioFive minute miss rate 0 misses/sec, 0 max misses/secdescribes significant fields shown in the display.
Table 64 Show IP TCP Header-Compression
Field Descriptions
Related Command
show ip traffic
To display statistics about IP traffic, use the show ip traffic EXEC command.
show ip traffic
Syntax Description
This command has no arguments or keywords.
Command Mode
EXEC
Sample Display
The following is sample output from the show ip traffic command:
Router# show ip trafficIP statistics:Rcvd: 98 total, 98 local destination0 format errors, 0 checksum errors, 0 bad hop count0 unknown protocol, 0 not a gateway0 security failures, 0 bad optionsFrags: 0 reassembled, 0 timeouts, 0 too big0 fragmented, 0 couldn't fragmentBcast: 38 received, 52 sentSent: 44 generated, 0 forwarded0 encapsulation failed, 0 no routeICMP statistics:Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 0 unreachable0 echo, 0 echo reply, 0 mask requests, 0 mask replies, 0 quench0 parameter, 0 timestamp, 0 info request, 0 otherSent: 0 redirects, 3 unreachable, 0 echo, 0 echo reply0 mask requests, 0 mask replies, 0 quench, 0 timestamp0 info reply, 0 time exceeded, 0 parameter problemUDP statistics:Rcvd: 56 total, 0 checksum errors, 55 no portSent: 18 total, 0 forwarded broadcastsTCP statistics:Rcvd: 0 total, 0 checksum errors, 0 no portSent: 0 totalEGP statistics:Rcvd: 0 total, 0 format errors, 0 checksum errors, 0 no listenerSent: 0 totalIGRP statistics:Rcvd: 73 total, 0 checksum errorsSent: 26 totalHELLO statistics:Rcvd: 0 total, 0 checksum errorsSent: 0 totalARP statistics:Rcvd: 20 requests, 17 replies, 0 reverse, 0 otherSent: 0 requests, 9 replies (0 proxy), 0 reverseProbe statistics:Rcvd: 6 address requests, 0 address replies0 proxy name requests, 0 otherSent: 0 address requests, 4 address replies (0 proxy)0 proxy name repliesdescribes significant fields shown in the display.
Table 65 Show IP Traffic Field Descriptions
show sse summary
To display a summary of Silicon Switch Processor (SSP) statistics, use the show sse summary EXEC command.
show sse summary
Syntax Description
This command has no arguments or keywords.
Command Mode
EXEC
Sample Display
The following is sample output from the show sse summary command:
Router# show sse summarySSE utilization statisticsProgram words Rewrite bytes Internal nodes DepthOverhead 499 1 8IP 0 0 0 0IPX 0 0 0 0SRB 0 0 0 0CLNP 0 0 0 0IP access lists 0 0 0Total used 499 1 8Total free 65037 262143Total available 65536 262144Free program memory[499..65535]Free rewrite memory[1..262143]Internals75032 internal nodes allocated, 75024 freedSSE manager process enabled, microcode enabled, 0 hangsLongest cache computation 4ms, longest quantum 160ms at 0x53AC8show standby
To display Hot Standby Router Protocol information, use the show standby EXEC command.
show standby
Syntax Description
This command has no arguments or keywords.
Command Mode
EXEC
Sample Display
The following is sample output from the show standby command:
Router# show standbyEthernet0 - Group 0Local state is Active, priority 100, may preemptHellotime 3 holdtime 10Next hello sent in 0:00:00Hot standby IP address is 198.92.72.29 configuredActive router is localStandby router is 198.92.72.21 expires in 0:00:07Tracking interface states for 2 interfaces, 2 up:Up Ethernet0Up Serial0describes the fields in the display.
Table 66 Show Standby Field Descriptions
Ethernet0 - Group 0
Interface type and number and Hot Standby group number for the interface.
Local state is ...
State of local router; can be one of the following:
•
•
priority
Priority value of the router based on the standby priority command.
may preempt
Indicates that the router will attempt to assume control as the active router if its priority is greater than the current active router.
Hellotime
Time between hello packets in seconds, based on the standby timers command.
holdtime
Time (in seconds) before other routers declare the active or standby router to be down, based on the standby timers command.
Next hello sent in ...
Time in which the Cisco IOS software will send the next hello packet (in hours:minutes:seconds).
Hot Standby IP address is ... configured
IP address of the current Hot Standby router. The word "configured" indicates that this address is known through the standby ip command. Otherwise, the address was learned dynamically through HSRP hello packets from other routers that do have the HSRP IP address configured.
Active router is ...
Value can be "local" or an IP address. Address of the current active Hot Standby router.
Standby router is ...
Value can be "local" or an IP address. Address of the "standby" router (the router that is next in line to be the Hot Standby router).
expires in
Time (in hours:minutes:seconds) in which the standby router will no longer be the standby router if the local router receives no hello packets from it.
Tracking interface states for ...
List of interfaces that are being tracked and their corresponding states. Based on the standby track command.
standby authentication
To configure an authentication string for the Hot Standby Router Protocol, use the standby authentication interface configuration command. To delete an authentication string, use the no form of this command.
standby [group-number] authentication string
no standby [group-number] authentication stringSyntax Description
Defaults
group-number: 0
string: ciscoCommand Mode
Interface configuration
Usage Guidelines
The authentication string is transmitted unencrypted in all Hot Standby Router Protocol messages. The same authentication string must be configured on all routers and access servers on a cable to ensure interoperation. Authentication mismatch prevents a device from learning the designated Hot Standby IP address and the Hot Standby timer values from other routers configured with the Hot Standby Router Protocol. Authentication mismatch does not prevent protocol events such as one router taking over as the designated router.
When group number 0 is used, no group number is written to NVRAM, providing backward compatibility.
Example
In the following example, "word" is configured as the authentication string required to allow Hot Standby routers in group 1 to interoperate:
interface ethernet 0standby 1 authentication wordstandby ip
To activate the Hot Standby Router Protocol, use the standby ip interface configuration command. To disable the Hot Standby Router Protocol, use the no form of this command.
standby [group-number] ip [ip-address [secondary]]
no standby [group-number] ip [ip-address]Syntax Description
Defaults
group-number: 0
Hot Standby Router Protocol is disabled.Command Mode
Interface configuration
Usage Guidelines
The standby ip command activates the Hot Standby Router Protocol on the configured interface. If an IP address is specified, that address is used as the designated address for the Hot Standby group. If no IP address is specified, the designated address is learned through the standby function. For the Hot Standby Router Protocol to elect a designated router, at least one router on the cable must have been configured with, or learned, the designated address. Configuring the designated address on the active router always overrides a designated address that is currently in use.
When the standby ip command is enabled on an interface, the handling of proxy ARP requests is changed (unless proxy ARP was disabled). If the interface's Hot Standby state is active, proxy ARP requests are answered using the Hot Standby group's MAC address. If the interface is in a different state, proxy ARP responses are suppressed.
When group number 0 is used, no group number is written to NVRAM, providing backward compatibility.
Examples
In the following example, the Hot Standby protocol is enabled for group 1 on Ethernet interface 0. The IP address used by the Hot Standby group will be learned using the Hot Standby Router Protocol.
interface ethernet 0standby 1 ipIn the following example, all three virtual IP addresses appear in the ARP table using the same (single) virtual MAC address. All three virtual IP addresses are using the same HSRP group (group 0).
ip address 1.1.1.1. 255.255.255.0ip address 1.2.2.2. 255.255.255.0 secondaryip address 1.3.3.3. 255.255.255.0 secondaryip address 1.4.4.4. 255.255.255.0 secondarystandby ip 1.1.1.254standby ip 1.2.2.254 secondarystandby ip 1.3.3.254 secondoarystandby preempt
To indicate that, when the local router has a Hot Standby priority higher than the current active router, the local router should attempt to assume control as the active router, use the standby preempt interface configuration command. To have the local router assume control as the active router only if it receives information indicating that there is no router currently in the active state (acting as the designated router), use the no form of this command.
standby [group-number] preempt
no standby [group-number] preemptSyntax Description
group-number
(Optional) Group number on the interface for which the Hot Standby preemptive feature is being activated.
Defaults
group-number: 0
The local router assumes control as the active router only if it receives information indicating that there is no router currently in the active state.Command Mode
Interface configuration
Usage Guidelines
When group number 0 is used, no group number is written to NVRAM, providing backward compatibility.
Example
In the following example, group 1 on Ethernet interface 0 is configured to preempt the current leader if the interface has a higher priority:
interface ethernet 0standby 1 preemptRelated Commands
standby priority
To prioritize a potential Hot Standby router, use the standby priority interface configuration command. To restore the priority to the default, use the no form of this command.
standby [group-number] priority priority-number
no standby [group-number] priority priority-numberSyntax Description
group-number
(Optional) Group number on the interface to which the priority number applies.
priority-number
Priority value. It is an integer from 0 through 255. The default is 100.
Defaults
group-number: 0
priority-number: 100Command Mode
Interface configuration
Usage Guidelines
The assigned priority is used to help select the active and standby routers. Assuming preemption is enabled, the router with the highest priority becomes the designated active router. In case of ties, the primary IP addresses are compared, and the higher IP address has priority.
Note that the device's priority can change dynamically if an interface is configured with the standby track command and another interface on the router goes down.
When group number 0 is used, no group number is written to NVRAM, providing backward compatibility.
Example
In the following example, group number 1 on Ethernet interface 0 is assigned with priority 150:
interface ethernet 0standby 1 priority 150Related Commands
standby timers
To configure the time between hellos and the time before other routers declare the active Hot Standby or standby router to be down, use the standby timers interface configuration command. To restore the timers to their default values, use the no form of this command.
standby [group-number] timers hellotime holdtime
no standby [group-number] timers hellotime holdtimeSyntax Description
Defaults
group-number: 0
hellotime: 3 second
holdtime: 10 secondsCommand Mode
Interface configuration
Usage Guidelines
The standby timers command configures the time between standby hellos and the time before other routers declare the active or standby router to be down. Routers or access servers on which timer values are not configured can learn timer values from the active or standby router. The timers configured on the active router always override any other timer settings. All routers in a Hot Standby group should use the same timer values. Normally, holdtime is greater than or equal to 3 times hellotime (holdtime > 3 * hellotime).
When group number 0 is used, no group number is written to NVRAM, providing backward compatibility.
Example
In the following example, for group number 1 on Ethernet interface 0, the time between hello packets is set to 5 seconds, and the time after which a router is considered to be down is set to 15 seconds:
interface ethernet 0standby 1 ipstandby 1 timers 5 15standby track
To configure an interface so that the Hot Standby priority changes based on the availability of other interfaces, use the standby track interface configuration command. To remove the tracking, use the no form of this command.
standby [group-number] track type number [interface-priority]
no standby [group-number] track type number [interface-priority]Syntax Description
Defaults
group-number: 0
interface-priority: 10Command Mode
Interface configuration
Usage Guidelines
This command ties the router's Hot Standby priority to the availability of its interfaces. It is useful for tracking interfaces that are not configured for the Hot Standby Router Protocol.
When a tracked interface goes down, the Hot Standby priority decreases by 10. If an interface is not tracked, its state changes do not affect the Hot Standby priority. For each interface configured for Hot Standby, you can configure a separate list of interfaces to be tracked.
The optional argument interface-priority specifies how much to decrement the Hot Standby priority by when a tracked interface goes down. When the tracked interface comes back up, the priority is incremented by the same amount.
When multiple tracked interfaces are down and interface-priority values have been configured, these configured priority decrements are cumulative. If tracked interfaces are down, but none of them were configured with priority decrements, the default decrement is 10 and it is noncumulative.
When group number 0 is used, no group number is written to NVRAM, providing backward compatibility.
Example
In the following example, Ethernet interface 1 tracks Ethernet interface 0 and serial interface 0. If one or both of these two interfaces go down, the Hot Standby priority of the router decreases by 10. Because the default Hot Standby priority is 100, the priority becomes 90 when one or both of the tracked interfaces go down.
interface ethernet 1ip address 198.92.72.37 255.255.255.240no ip redirectsstandby track ethernet 0standby track serial 0standby preemptstandby ip 198.92.72.46Related Commands
standby preempt
standby priorityterm ip netmask-format
To specify the format in which netmasks are displayed in show command output, use the term ip netmask-format EXEC command. To restore the default display format, use the no form of this command.
term ip netmask-format {bitcount | decimal | hexadecimal}
term no ip netmask-format [bitcount | decimal | hexadecimal]Syntax Description
Default
Netmasks are displayed in dotted decimal format.
Command Mode
EXEC
Usage Guidelines
IP uses a 32-bit mask that indicates which address bits belong to the network and subnetwork fields and which bits belong to the host field. This is called a netmask. By default, show commands display an IP address and then its netmask in dotted decimal notation. For example, a subnet would be displayed as 131.108.11.55 255.255.255.0.
However, you can specify that the display of the network mask appear in hexadecimal format or bit count format instead. The hexadecimal format is commonly used on UNIX systems. The above example would be displayed as 131.108.11.55 0XFFFFFF00.
The bitcount format for displaying network masks is to append a slash (/) and the total number of bits in the netmask to the address itself. The above example would be displayed as 131.108.11.55/24.
Example
The following example specifies that network masks for the session be displayed in bitcount notation in the output of show commands:
term ip netmask-format bitcounttrace (privileged)
To discover the routes the packets follow when traveling to their destination from the router, use the trace privileged EXEC command.
trace [destination]
Syntax Description
destination
(Optional) Destination address or host name on the command line. The default parameters for the appropriate protocol are assumed and the tracing action begins.
Command Mode
Privileged EXEC
Usage Guidelines
The trace command works by taking advantage of the error messages generated by the Cisco IOS software when a datagram exceeds its time-to-live (TTL) value.
The trace command starts by sending probe datagrams with a TTL value of one. This causes the first router to discard the probe datagram and send back an error message. The trace command sends several probes at each TTL level and displays the round-trip time for each.
The trace command sends out one probe at a time. Each outgoing packet may result in one or two error messages. A time exceeded error message indicates that an intermediate router has seen and discarded the probe. A destination unreachable error message indicates that the destination node has received the probe and discarded it because it could not deliver the packet. If the timer goes off before a response comes in, trace prints an asterisk (*).
The trace command terminates when the destination responds, when the maximum TTL is exceeded, or when the user interrupts the trace with the escape sequence. By default, to invoke the escape sequence, press Ctrl-^ X, which is done by simultaneously pressing the Ctrl, Shift, and 6 keys, letting go, then pressing the X key.
To use nondefault parameters and invoke an extended trace test, enter the command without a destination argument. You will be stepped through a dialog to select the desired parameters.
Common Trace Problems
Due to bugs in the IP implementation of various hosts and routers, the IP trace command may behave in odd ways.
Not all destinations will respond correctly to a probe message by sending back an ICMP port unreachable message. A long sequence of TTL levels with only asterisks, terminating only when the maximum TTL has been reached, may indicate this problem.
There is a known problem with the way some hosts handle an ICMP TTL exceeded message. Some hosts generate an ICMP message but they reuse the TTL of the incoming packet. Since this is zero, the ICMP packets do not make it back. When you trace the path to such a host, you may see a set of TTL values with asterisks (*). Eventually the TTL gets high enough that the ICMP message can get back. For example, if the host is six hops away, trace will time out on responses 6 through 11.
Sample Display Showing Trace IP Routes
The following display shows sample IP trace output when a destination host name has been specified:
Router# trace ABA.NYC.milType escape sequence to abort.Tracing the route to ABA.NYC.mil (26.0.0.73)1 DEBRIS.CISCO.COM (131.108.1.6) 1000 msec 8 msec 4 msec2 BARRNET-GW.CISCO.COM (131.108.16.2) 8 msec 8 msec 8 msec3 EXTERNAL-A-GATEWAY.STANFORD.EDU (192.42.110.225) 8 msec 4 msec 4 msec4 BB2.SU.BARRNET.NET (131.119.254.6) 8 msec 8 msec 8 msec5 SU.ARC.BARRNET.NET (131.119.3.8) 12 msec 12 msec 8 msec6 MOFFETT-FLD-MB.in.MIL (192.52.195.1) 216 msec 120 msec 132 msec7 ABA.NYC.mil (26.0.0.73) 412 msec 628 msec 664 msecdescribes the fields shown in the display.
Table 67 Trace Field Descriptions for IP Routes
Sample Display Showing Extended IP Trace Dialog
The following display shows a sample trace session involving the extended dialog of the trace command:
Router# traceProtocol [ip]:Target IP address: mit.eduSource address:Numeric display [n]:Timeout in seconds [3]:Probe count [3]:Minimum Time to Live [1]:Maximum Time to Live [30]:Port Number [33434]:Loose, Strict, Record, Timestamp, Verbose[none]:Type escape sequence to abort.Tracing the route to MIT.EDU (18.72.2.1)1 ICM-DC-2-V1.ICP.NET (192.108.209.17) 72 msec 72 msec 88 msec2 ICM-FIX-E-H0-T3.ICP.NET (192.157.65.122) 80 msec 128 msec 80 msec3 192.203.229.246 540 msec 88 msec 84 msec4 T3-2.WASHINGTON-DC-CNSS58.T3.ANS.NET (140.222.58.3) 84 msec 116 msec 88 msec5 T3-3.WASHINGTON-DC-CNSS56.T3.ANS.NET (140.222.56.4) 80 msec 132 msec 88 msec6 T3-0.NEW-YORK-CNSS32.T3.ANS.NET (140.222.32.1) 92 msec 132 msec 88 msec7 T3-0.HARTFORD-CNSS48.T3.ANS.NET (140.222.48.1) 88 msec 88 msec 88 msec8 T3-0.HARTFORD-CNSS49.T3.ANS.NET (140.222.49.1) 96 msec 104 msec 96 msec9 T3-0.ENSS134.T3.ANS.NET (140.222.134.1) 92 msec 128 msec 92 msec10 W91-CISCO-EXTERNAL-FDDI.MIT.EDU (192.233.33.1) 92 msec 92 msec 112 msec11 E40-RTR-FDDI.MIT.EDU (18.168.0.2) 92 msec 120 msec 96 msec12 MIT.EDU (18.72.2.1) 96 msec 92 msec 96 msecdescribes the fields that are unique to the extended trace sequence, as shown in the display.
Table 68 Trace Field Descriptions
describes the characters that can appear in trace output.
Table 69 IP Trace Text Characters
Related Command
trace (user)
To discover the routes the router packets follow when traveling to their destination, use the trace user EXEC command.
trace ip destination
Syntax Description
destination
Destination address or host name on the command line. The default parameters for the appropriate protocol are assumed and the tracing action begins.
Command Mode
EXEC
Usage Guidelines
The trace command works by taking advantage of the error messages generated by the Cisco IOS software when a datagram exceeds its time-to-live (TTL) value.
The trace command starts by sending probe datagrams with a TTL value of one. This causes the first router to discard the probe datagram and send back an error message. The trace command sends several probes at each TTL level and displays the round-trip time for each.
The trace command sends out one probe at a time. Each outgoing packet may result in one or two error messages. A time exceeded error message indicates that an intermediate router has seen and discarded the probe. A destination unreachable error message indicates that the destination node has received the probe and discarded it because it could not deliver the packet. If the timer goes off before a response comes in, trace prints an asterisk (*).
The trace command terminates when the destination responds, when the maximum TTL is exceeded, or when the user interrupts the trace with the escape sequence. By default, to invoke the escape sequence, press Ctrl-^ X, which is done by simultaneously pressing the Ctrl, Shift, and 6 keys, letting go, then pressing the X key.
Common Trace Problems
Due to bugs in the IP implementation of various hosts and routers, the IP trace command may behave in odd ways.
Not all destinations will respond correctly to a probe message by sending back an ICMP port unreachable message. A long sequence of TTL levels with only asterisks, terminating only when the maximum TTL has been reached, may indicate this problem.
There is a known problem with the way some hosts handle an ICMP TTL exceeded message. Some hosts generate an ICMP message but they reuse the TTL of the incoming packet. Since this is zero, the ICMP packets do not make it back. When you trace the path to such a host, you may see a set of TTL values with asterisks (*). Eventually the TTL gets high enough that the ICMP message can get back. For example, if the host is six hops away, trace will time out on responses 6 through 11.
Sample Display Showing Trace IP Routes
The following display shows sample IP trace output when a destination host name has been specified:
Router# trace ip ABA.NYC.milType escape sequence to abort.Tracing the route to ABA.NYC.mil (26.0.0.73)1 DEBRIS.CISCO.COM (131.108.1.6) 1000 msec 8 msec 4 msec2 BARRNET-GW.CISCO.COM (131.108.16.2) 8 msec 8 msec 8 msec3 EXTERNAL-A-GATEWAY.STANFORD.EDU (192.42.110.225) 8 msec 4 msec 4 msec4 BB2.SU.BARRNET.NET (131.119.254.6) 8 msec 8 msec 8 msec5 SU.ARC.BARRNET.NET (131.119.3.8) 12 msec 12 msec 8 msec6 MOFFETT-FLD-MB.in.MIL (192.52.195.1) 216 msec 120 msec 132 msec7 ABA.NYC.mil (26.0.0.73) 412 msec 628 msec 664 msecIn the trace (privileged) command section, describes the fields shown in the display. describes the characters that can appear in trace output.
Related Command
transmit-interface
To assign a transmit interface to a receive-only interface, use the transmit-interface interface configuration command. To return to normal duplex Ethernet interfaces, use the no form of this command.
transmit-interface type number
no transmit-interfaceSyntax Description
type
Transmit interface type to be linked with the (current) receive-only interface.
number
Transmit interface number to be linked with the (current) receive-only interface.
Default
Disabled
Command Mode
Interface configuration
Usage Guidelines
Receive-only interfaces are used commonly with microwave Ethernet links.
Example
The following example specifies Ethernet interface 0 as a simplex Ethernet interface:
interface ethernet 1ip address 128.9.1.2transmit-interface ethernet 0tunnel mode
To set the encapsulation mode for the tunnel interface, use the tunnel mode interface configuration command. To set to the default, use the no form of this command.
tunnel mode {aurp | cayman | dvmrp | eon | gre ip [multipoint] | nos}
no tunnel modeSyntax Description
Default
GRE tunneling
Command Mode
Interface configuration
Usage Guidelines
You cannot have two tunnels using the same encapsulation mode with exactly the same source and destination address. The workaround is to create a loopback interface and source packets off of the loopback interface.
Cayman tunneling implements tunneling as designed by Cayman Systems. This enables our routers and access servers to interoperate with Cayman GatorBoxes. With Cayman tunneling, you can establish tunnels between two routers or between our device and a GatorBox. When using Cayman tunneling, you must not configure the tunnel with an AppleTalk network address. This means that there is no way to ping the other end of the tunnel.
Use DVMRP when a router connects to a mrouted router to run DVMRP over a tunnel. It is required to configure Protocol-Independent Multicast (PIM) and an IP address on a DVMRP tunnel.
Generic route encapsulation (GRE) tunneling can be done between our routers and access servers only. When using GRE tunneling for AppleTalk, you configure the tunnel with an AppleTalk network address. This means that you can ping the other end of the tunnel.
For multipoint GRE tunnels, a tunnel key must be configured. Unlike other tunnels, the tunnel destination is optional. However, if the tunnel destination is supplied, it must map to an IP multicast address.
Examples
The following example enables Cayman tunneling:
interface tunnel 0tunnel source ethernet 0tunnel destination 131.108.164.19tunnel mode caymanThe following example enables GRE tunneling:
interface tunnel 0appletalk cable-range 4160-4160 4160.19appletalk zone Engineeringtunnel source ethernet0tunnel destination 131.108.164.19tunnel mode gre ipRelated Commands
A dagger (†) indicates that the command is documented outside this chapter.
appletalk cable-range †
appletalk zone †
tunnel destination †
tunnel source †
