Network Protocols Command Reference, Part 1
IP Commands

Table Of Contents

IP Commands

access-class

access-list (extended)

access-list (standard)

arp (global)

arp (interface)

arp timeout

clear access-list counters

clear arp-cache

clear host

clear ip accounting

clear ip nat translation

clear ip nhrp

clear ip route

clear ip sse

clear sse

deny

dnsix-dmdp retries

dnsix-nat authorized-redirection

dnsix-nat primary

dnsix-nat secondary

dnsix-nat source

dnsix-nat transmit-count

dynamic

ip access-group

ip access-list

ip accounting

ip accounting-list

ip accounting-threshold

ip accounting-transits

ip address

ip broadcast-address

ip cache-invalidate-delay

ip classless

ip default-gateway

ip directed-broadcast

ip domain-list

ip domain-lookup

ip domain-lookup nsap

ip domain-name

ip flow-export

ip forward-protocol

ip forward-protocol any-local-broadcast

ip forward-protocol spanning-tree

ip forward-protocol turbo-flood

ip gdp gdp

ip gdp igrp

ip gdp irdp

ip gdp rip

ip helper-address

ip host

ip hp-host

ip mask-reply

ip mobile arp

ip mtu

ip name-server

ip nat

ip nat inside destination

ip nat inside source

ip nat outside source

ip nat pool

ip nat translation

ip netmask-format

ip nhrp authentication

ip nhrp holdtime

ip nhrp interest

ip nhrp map

ip nhrp map multicast

ip nhrp max-send

ip nhrp network-id

ip nhrp nhs

ip nhrp record

ip nhrp responder

ip nhrp use

ip probe proxy

ip proxy-arp

ip redirects

ip route-cache

ip routing

ip security add

ip security aeso

ip security dedicated

ip security eso-info

ip security eso-max

ip security eso-min

ip security extended-allowed

ip security first

ip security ignore-authorities

ip security implicit-labelling

ip security multilevel

ip security reserved-allowed

ip security strip

ip source-route

ip subnet-zero

ip tcp chunk-size

ip tcp compression-connections

ip tcp header-compression

ip tcp path-mtu-discovery

ip tcp queuemax

ip tcp synwait-time

ip tcp window-size

ip unnumbered

ip unreachables

permit

ping (privileged)

ping (user)

show access-lists

show arp

show dnsix

show hosts

show ip access-list

show ip accounting

show ip aliases

show ip arp

show ip cache

show ip cache flow

show ip interface

show ip masks

show ip nat statistics

show ip nat translations

show ip nhrp

show ip nhrp traffic

show ip redirects

show ip route

show ip route summary

show ip tcp header-compression

show ip traffic

show sse summary

show standby

standby authentication

standby ip

standby preempt

standby priority

standby timers

standby track

standby use-bia

term ip netmask-format

trace (privileged)

trace (user)

transmit-interface

tunnel mode


IP Commands


The Internet Protocol (IP) is a packet-based protocol used to exchange data over computer networks. IP handles addressing, fragmentation, reassembly, and protocol demultiplexing. It is the foundation on which all other Internet protocols, collectively referred to as the Internet Protocol suite, are built. IP is a network-layer protocol that contains addressing information and some control information that allows data packets to be routed.

The Transmission Control Protocol (TCP) is built upon the IP layer. TCP is a connection-oriented protocol that specifies the format of data and acknowledgments used in the transfer of data. TCP also specifies the procedures that the computers use to ensure that the data arrives correctly. TCP allows multiple applications on a system to communicate concurrently because it handles all demultiplexing of the incoming traffic among the application programs.

Use the commands in this chapter to configure and monitor IP networks. For IP protocol configuration information and examples, refer to the "Configuring IP" chapter of the Network Protocols Configuration Guide, Part 1.

access-class

To restrict incoming and outgoing connections between a particular virtual terminal line (into a Cisco device) and the addresses in an access list, use the access-class line configuration command. To remove access restrictions, use the no form of this command.

access-class access-list-number {in | out}
no access-class access-list-number {in | out}

Syntax Description

access-list-number

Number of an access list. This is a decimal number from 1 to 199.

in

Restricts incoming connections between a particular Cisco device and the addresses in the access list.

out

Restricts outgoing connections between a particular Cisco device and the addresses in the access list.


Default

No access lists are defined.

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them.

To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.

Examples

The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:

access-list 12 permit 192.89.55.0  0.0.0.255
line 1 5
access-class 12 in 

The following example defines an access list that denies connections to networks other than network 36.0.0.0 on terminal lines 1 through 5:

access-list 10 permit 36.0.0.0 0.255.255.255
line 1 5
access-class 10 out

Related Command

A dagger (†) indicates that the command is documented outside this chapter.

show line

access-list (extended)

To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access lists, use the no form of this command.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
protocol source source-wildcard destination destination-wildcard [precedence precedence]
[tos tos] [log]
no access-list access-list-number

For Internet Control Message Protocol (ICMP), you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] |
icmp-message] [precedence precedence] [tos tos] [log]

For Internet Group Management Protocol (IGMP), you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
igmp source source-wildcard destination destination-wildcard [igmp-type]
[precedence precedence] [tos tos] [log]

For TCP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
tcp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [established] [precedence precedence] [tos tos] [log]

For User Datagram Protocol (UDP), you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
udp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [precedence precedence] [tos tos] [log]


Caution   
Enhancements to this command are backward compatible; migrating from releases prior to Release 11.1 will convert your access lists automatically. However, releases prior to Release 11.1 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 11.1, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images.

Syntax Description

access-list-number

Number of an access list. This is a decimal number from 100 to 199.

dynamic dynamic-name

(Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Managing the System" chapter in the Configuration Fundamentals Configuration Guide.

timeout minutes

(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Managing the System" chapter in the Configuration Fundamentals Configuration Guide.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the keyword ip. Some protocols allow further qualifiers described below.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines."

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines"; TCP port names can only be used when filtering TCP, and UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bit set. The nonmatching case is that of the initial TCP datagram (SYN only) sent to open a connection. This is a check on header flags, not on connection state: any packet with ACK set matches, whether or not it belongs to a real connection, so established controls which side can open a connection but does not block crafted ACK packets such as those used in an ACK scan.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.


Default

An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.

Command Mode

Global configuration

Usage Guidelines

The UDP form of this command first appeared in Cisco IOS Release 10.0. All other forms of the command, as well as the following arguments and keywords, first appeared in Cisco IOS Release 10.3:

source
source-wildcard
destination
destination-wildcard
precedence precedence
icmp-type
icmp-code
icmp-message
igmp-type
operator
port
established

The following keywords and arguments first appeared in Cisco IOS Release 11.1:

dynamic dynamic-name
timeout minutes

You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list: only the initial fragment carries the TCP, UDP, or ICMP header that the list matches on, so port-based filtering does not apply to noninitial fragments. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match against the TCP source port, the type of service value, or the packet's precedence.


Note   After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list; the no access-list access-list-number form removes the entire list. Because the list is checked in order and checking stops at the first match, an entry appended after a broader entry that already matches the same packets never takes effect.


The following is a list of precedence names:

critical

flash

flash-override

immediate

internet

network

priority

routine

The following is a list of type of service (TOS) names:

max-reliability

max-throughput

min-delay

min-monetary-cost

normal

The following is a list of ICMP message type names and ICMP message type and code names:

administratively-prohibited

alternate-address

conversion-error

dod-host-prohibited

dod-net-prohibited

echo

echo-reply

general-parameter-problem

host-isolated

host-precedence-unreachable

host-redirect

host-tos-redirect

host-tos-unreachable

host-unknown

host-unreachable

information-reply

information-request

mask-reply

mask-request

mobile-redirect

net-redirect

net-tos-redirect

net-tos-unreachable

net-unreachable

network-unknown

no-room-for-option

option-missing

packet-too-big

parameter-problem

port-unreachable

precedence-unreachable

protocol-unreachable

reassembly-timeout

redirect

router-advertisement

router-solicitation

source-quench

source-route-failed

time-exceeded

timestamp-reply

timestamp-request

traceroute

ttl-exceeded

unreachable

The following is a list of IGMP message names:

dvmrp

host-query

host-report

pim

trace

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

bgp

chargen

daytime

discard

domain

echo

finger

ftp

ftp-data

gopher

hostname

irc

klogin

kshell

lpd

nntp

pop2

pop3

smtp

sunrpc

syslog

tacacs-ds

talk

telnet

time

uucp

whois

www

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

biff

bootpc

bootps

discard

dns

dnsix

echo

mobile-ip

nameserver

netbios-dgm

netbios-ns

ntp

rip

snmp

snmptrap

sunrpc

syslog

tacacs-ds

talk

tftp

time

who

xdmcp

Examples

In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The keyword established is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.

access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
interface serial 0
ip access-group 102 in

The following example also permits Domain Name System (DNS) packets and ICMP echo and echo reply packets:

access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp any host 128.88.1.2 eq smtp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply

The following examples show how wildcard bits are used to indicate which bits of the prefix or mask are relevant when an extended access list is used to filter routes (for example, with distribute-list): the source and source-wildcard fields are compared against the route's prefix, and the destination and destination-wildcard fields against its mask. They are similar to the bitmasks used with normal access lists. Prefix/mask bits corresponding to wildcard bits set to 1 are ignored during comparisons; prefix/mask bits corresponding to wildcard bits set to 0 are used in the comparison.

The following example permits the route 192.108.0.0 255.255.0.0 but denies any more specific route within 192.108.0.0 (including 192.108.0.0 255.255.255.0):

access-list 101 permit ip 192.108.0.0 0.0.0.0   255.255.0.0 0.0.0.0 
access-list 101 deny    ip 192.108.0.0 0.0.255.255  255.255.0.0 0.0.255.255

The following example permits 131.108.0.0 255.255.255.0 but denies 131.108.0.0 255.255.0.0 and all other subnets of 131.108.0.0:

access-list 101 permit ip 131.108.0.0 0.0.0.0     255.255.255.0 0.0.0.0 
access-list 101 deny   ip 131.108.0.0 0.0.255.255 255.255.0.0   0.0.255.255

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

access-class
access-list (standard)
clear access-temp

distribute-list in †
distribute-list out †
ip access-group
ip access-list
logging console †
priority-list †
queue-list †
show access-lists
show ip access-list

access-list (standard)

To define a standard IP access list, use the standard version of the access-list global configuration command. To remove a standard access list, use the no form of this command.

access-list access-list-number {deny | permit} source [source-wildcard]
no access-list access-list-number


Caution   
Enhancements to this command are backward compatible; migrating from releases prior to Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images.

Syntax Description

access-list-number

Number of an access list. This is a decimal number from 1 to 99.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

source

Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

source-wildcard

(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.


Default

The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.

You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict the contents of routing updates.

Use the show access-lists EXEC command to display the contents of all access lists.

Use the show ip access-list EXEC command to display the contents of one access list.

Examples

The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.

access-list 1 permit 192.5.34.0  0.0.0.255
access-list 1 permit 128.88.0.0  0.0.255.255
access-list 1 permit 36.0.0.0  0.255.255.255
! (Note: all other access implicitly denied) 

To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:

access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3  0.0.0.0
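The following Python model is an added example, not code from the Cisco reference. It evaluates numbered lists the way the access-list (extended) and access-list (standard) sections above describe: wildcard bits (1 means ignore), first match wins, the implicit deny at the end, the port operators, the established flag check, and the prefix/mask comparison used when an extended list filters routes. The entries are access-list 1, 101 and 102 from the examples above; the packets and routes it is run against are constructed for illustration.

```python
# Added example, not part of the Cisco reference: a small model of how
# numbered IP access lists are evaluated. Packets and routes are constructed.

def addr_to_int(dotted):
    """Convert a dotted-decimal address or wildcard to a 32-bit integer."""
    parts = [int(p) for p in dotted.split(".")]
    if len(parts) != 4 or any(not 0 <= p <= 255 for p in parts):
        raise ValueError("bad address: %s" % dotted)
    return (parts[0] << 24) | (parts[1] << 16) | (parts[2] << 8) | parts[3]


def wildcard_match(value, address, wildcard):
    """IOS wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    care = ~addr_to_int(wildcard) & 0xFFFFFFFF
    return (addr_to_int(value) ^ addr_to_int(address)) & care == 0


def port_match(operator, ports, actual):
    """Port operators of the extended syntax; no operator means any port."""
    if operator is None:
        return True
    if operator == "eq":
        return actual == ports[0]
    if operator == "neq":
        return actual != ports[0]
    if operator == "lt":
        return actual < ports[0]
    if operator == "gt":
        return actual > ports[0]
    if operator == "range":
        return ports[0] <= actual <= ports[1]
    raise ValueError("unknown operator: %s" % operator)


class Entry:
    """One access-list line. A standard entry uses only action, src and src_wc;
    the extended fields default to 'ip ... any'."""

    def __init__(self, action, src, src_wc="0.0.0.0", proto="ip",
                 dst="0.0.0.0", dst_wc="255.255.255.255",
                 dport=(None, ()), established=False):
        self.action, self.proto, self.established = action, proto, established
        self.src, self.src_wc, self.dst, self.dst_wc = src, src_wc, dst, dst_wc
        self.dport = dport

    def matches(self, pkt):
        if self.proto != "ip" and pkt.get("proto") != self.proto:
            return False
        if not wildcard_match(pkt["src"], self.src, self.src_wc):
            return False
        if not wildcard_match(pkt.get("dst", "0.0.0.0"), self.dst, self.dst_wc):
            return False
        if self.proto in ("tcp", "udp") and not port_match(
                self.dport[0], self.dport[1], pkt.get("dport")):
            return False
        # 'established' only looks at flags (ACK or RST set); it keeps no
        # connection state, so a crafted bare-ACK packet matches as well.
        if self.established and not (pkt.get("ack") or pkt.get("rst")):
            return False
        return True


def evaluate(acl, pkt):
    """First match wins; running off the end of the list is the implicit deny."""
    for entry in acl:
        if entry.matches(pkt):
            return entry.action
    return "deny"


def evaluate_route(acl, prefix, mask):
    """Route filtering with an extended list: the source fields are compared
    against the prefix and the destination fields against the mask."""
    return evaluate(acl, {"proto": "ip", "src": prefix, "dst": mask})


ANY = ("0.0.0.0", "255.255.255.255")

# access-list 102 from the extended examples (applied inbound on serial 0)
ACL_102 = [
    Entry("permit", *ANY, proto="tcp", dst="128.88.0.0", dst_wc="0.0.255.255",
          established=True),
    Entry("permit", *ANY, proto="tcp", dst="128.88.1.2", dst_wc="0.0.0.0",
          dport=("eq", (25,))),
]

# access-list 1 from the standard examples
ACL_1 = [
    Entry("permit", "192.5.34.0", "0.0.0.255"),
    Entry("permit", "128.88.0.0", "0.0.255.255"),
    Entry("permit", "36.0.0.0", "0.255.255.255"),
]

# access-list 101 from the route-filtering example (prefix in src, mask in dst)
ACL_101 = [
    Entry("permit", "192.108.0.0", "0.0.0.0", dst="255.255.0.0", dst_wc="0.0.0.0"),
    Entry("deny", "192.108.0.0", "0.0.255.255", dst="255.255.0.0", dst_wc="0.0.255.255"),
]

if __name__ == "__main__":
    syn_to_telnet = {"proto": "tcp", "src": "10.1.1.1", "dst": "128.88.1.5", "dport": 23}
    ack_scan = dict(syn_to_telnet, ack=True)  # same target, ACK flag set, no connection
    print("SYN to telnet:", evaluate(ACL_102, syn_to_telnet))
    print("bare ACK to telnet:", evaluate(ACL_102, ack_scan))
```

Run as a script, the model reports the SYN to port 23 as denied and the bare ACK to the same host and port as permitted: the established entry admits it because only the flags are examined. That is the caveat to keep in mind when established is the only thing standing between an outside network and inside hosts.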

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

access-class
access-list (extended)
distribute-list in †

distribute-list out †
ip access-group
priority-list †
queue-list †
show access-lists
show ip access-list

arp (global)

To add a permanent entry in the Address Resolution Protocol (ARP) cache, use the arp global configuration command. To remove an entry from the ARP cache, use the no form of this command.

arp ip-address hardware-address type [alias]
no arp ip-address hardware-address type [alias]

Syntax Description

ip-address

IP address in four-part dotted-decimal format corresponding to the local data link address.

hardware-address

Local data link address (a 48-bit address).

type

Encapsulation description. For Ethernet interfaces, this is typically the arpa keyword. For Fiber Distributed Data Interface (FDDI) and Token Ring interfaces, this is always snap.

alias

(Optional) Indicates that the Cisco IOS software should respond to ARP requests as if it were the owner of the specified address.


Default

No entries are permanently installed in the ARP cache.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The Cisco IOS software uses ARP cache entries to translate 32-bit IP addresses into 48-bit hardware addresses.

Because most hosts support dynamic resolution, you generally do not need to specify static ARP cache entries.

To remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.

Example

The following is an example of a static ARP entry for a typical Ethernet host:

arp 192.31.7.19 0800.0900.1834 arpa

Related Command

clear arp-cache

arp (interface)

To control the interface-specific handling of IP address resolution into 48-bit Ethernet, FDDI, and Token Ring hardware addresses, use the arp interface configuration command. To disable an encapsulation type, use the no form of this command.

arp {arpa | probe | snap}
no arp {arpa | probe | snap}

Syntax Description

arpa

Standard Ethernet-style ARP (RFC 826).

probe

HP Probe protocol for IEEE-802.3 networks.

snap

ARP packets conforming to RFC 1042.


Default

Standard Ethernet-style ARP

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Unlike most commands that take multiple arguments, arguments to the arp command are not mutually exclusive. Each command enables or disables a specific type of ARP. For example, if you enter the arp arpa command followed by the arp probe command, the Cisco IOS software would send three (two for probe and one for arpa) packets each time it needed to discover a Media Access Control (MAC) address.

The arp probe command allows the software to use the Probe protocol (in addition to ARP) whenever it attempts to resolve an IEEE-802.3 or Ethernet local data link address. The subset of Probe that performs address resolution is called Virtual Address Request and Reply. Using Probe, the software can communicate transparently with Hewlett-Packard IEEE-802.3 hosts that use this type of data encapsulation.


Note   Cisco's support for HP Probe proxy support changed as of Software Release 8.3(2) and subsequent software releases. The no arp probe command is now the default. All interfaces that will use Probe must now be explicitly configured for arp probe.


The show interfaces EXEC command displays the type of ARP being used on a particular interface. To remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.

Example

The following example enables probe services:

interface ethernet 0
arp probe

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

clear arp-cache
show interfaces

arp timeout

To configure how long an entry remains in the ARP cache, use the arp timeout interface configuration command. To restore the default value, use the no form of this command.

arp timeout seconds
no arp timeout seconds

Syntax Description

seconds

Time (in seconds) that an entry remains in the ARP cache. A value of zero means that entries are never cleared from the cache.


Default

14400 seconds (4 hours)

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

This command is ignored when issued on interfaces that do not use ARP. The show interfaces EXEC command displays the ARP timeout value. The value follows the "Entry Timeout:" heading, as seen in this sample show interfaces display:

ARP type: ARPA, PROBE, Entry Timeout: 14400 sec

Example

The following example sets the ARP timeout to 12000 seconds to allow entries to time out more quickly than the default:

interface ethernet 0
arp timeout 12000

Related Command

A dagger (†) indicates that the command is documented outside this chapter.

show interfaces

clear access-list counters

To clear the counters of an access list, use the clear access-list counters EXEC command.

clear access-list counters {access-list-number | name}

Syntax Description

access-list-number

Access list number from 0 to 1199 for which to clear the counters.

name

Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.


Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.0.

Some access lists keep counters that count the number of packets that pass each line of an access list. The show access-lists command displays the counters as a number of matches. Use the clear access-list counters command to restart the counters for a particular access list to 0.

Example

The following example clears the counters for access list 101:

clear access-list counters 101

Related Command

show access-lists

clear arp-cache

To delete all dynamic entries from the ARP cache, to clear the fast-switching cache, and to clear the IP route cache, use the clear arp-cache EXEC command.

clear arp-cache

Syntax Description

This command has no arguments or keywords.

Command Mode

EXEC

Usage Guidelines

This command first appeared in IOS Release 10.0.

Example

The following example removes all dynamic entries from the ARP cache and clears the fast-switching cache:

clear arp-cache

Related Commands

arp (global)
arp (interface)

clear host

To delete entries from the host-name-and-address cache, use the clear host EXEC command.

clear host {name | *}

Syntax Description

name

Particular host entry to remove.

*

Removes all entries.


Command Mode

EXEC

Usage Guidelines

This command first appeared in IOS Release 10.0.

The host name entries will not be removed from nonvolatile random-access memory (NVRAM), but will be cleared in running memory.

Example

The following example clears all entries from the host name-and-address cache:

clear host *

Related Commands

ip host
show hosts

clear ip accounting

To clear the active or checkpointed database when IP accounting is enabled, use the clear ip accounting EXEC command.

clear ip accounting [checkpoint]

Syntax Description

checkpoint

(Optional) Clears the checkpointed database.


Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

You can also clear the checkpointed database by issuing the clear ip accounting command twice in succession.

Example

The following example clears the active database when IP accounting is enabled:

clear ip accounting

Related Commands

ip accounting
ip accounting-list
ip accounting-threshold
ip accounting-transits
show ip accounting

clear ip nat translation

To clear dynamic Network Address Translation (NAT) translations from the translation table, use the clear ip nat translation EXEC command.

clear ip nat translation {* | [inside global-ip local-ip][outside local-ip global-ip]}
clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip global-ip]

Syntax Description

*

Clears all dynamic translations.

inside global-ip

When used without the arguments protocol, global-port, and local-port, clears a simple translation that also contains the specified local-ip address. When used with the arguments protocol, global-port, and local-port, clears an extended translation.

local-ip

(Optional) Clears an entry that contains this local IP address and the specified global-ip address.

protocol

(Optional) Clears an entry that contains this protocol and the specified global-ip address, local-ip address, global-port, and local-port.

global-port

(Optional) Clears an entry that contains this global-port and the specified protocol, global-ip address, local-ip address, and local-port.

local-port

(Optional) Clears an entry that contains this local-port and the specified protocol, global-ip address, local-ip address, and global-port.


Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to clear entries from the translation table before they time out.

Example

The following example shows the NAT entries before and after the UDP entry is cleared:

Router# show ip nat translation
Pro Inside global      Inside local       Outside local      Outside global
udp 171.69.233.209:1220 192.168.1.95:1220 171.69.2.132:53    171.69.2.132:53
tcp 171.69.233.209:11012 192.168.1.89:11012 171.69.1.220:23  171.69.1.220:23
tcp 171.69.233.209:1067 192.168.1.95:1067 171.69.1.161:23    171.69.1.161:23

Router# clear ip nat trans udp inside 171.69.233.209 1220 192.168.1.95 1220 171.69.2.132 53 171.69.2.132 53

Router# show ip nat translation 
Pro Inside global      Inside local       Outside local      Outside global
tcp 171.69.233.209:11012 192.168.1.89:11012 171.69.1.220:23  171.69.1.220:23
tcp 171.69.233.209:1067 192.168.1.95:1067 171.69.1.161:23    171.69.1.161:23
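The following is an added example, not part of this reference and not Cisco code. It parses the show ip nat translation table shown above and builds the exact clear ip nat translation command for every entry that belongs to one inside host, which is what you need when you want to drop a compromised host's translations instead of waiting for them to time out. The three port-level entries are the ones shown above; the address-only entry on the last sample line, the function names and the choice of host 192.168.1.95 are constructed for the example, and the argument order of the generated command mirrors the worked example above.

```python
"""Parse `show ip nat translation` output and build the exact
`clear ip nat translation` command for selected entries.

Added example, not Cisco code. Use case: removing every translation that
belongs to a single inside host (for instance one being contained during an
incident) without waiting for the entries to time out.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# The three port entries are the table shown on this page; the last line is a
# constructed simple (address-only) translation in the form IOS prints them
# (assumed here, not taken from the page).
SAMPLE = """\
Pro Inside global      Inside local       Outside local      Outside global
udp 171.69.233.209:1220 192.168.1.95:1220 171.69.2.132:53    171.69.2.132:53
tcp 171.69.233.209:11012 192.168.1.89:11012 171.69.1.220:23  171.69.1.220:23
tcp 171.69.233.209:1067 192.168.1.95:1067 171.69.1.161:23    171.69.1.161:23
--- 171.69.233.210     192.168.1.89       ---                ---
"""


@dataclass(frozen=True)
class Translation:
    proto: Optional[str]          # None for a simple (address-only) entry
    inside_global: str
    inside_global_port: Optional[int]
    inside_local: str
    inside_local_port: Optional[int]
    outside_local: Optional[str]
    outside_local_port: Optional[int]
    outside_global: Optional[str]
    outside_global_port: Optional[int]


def _endpoint(tok: str) -> Tuple[Optional[str], Optional[int]]:
    """'ip:port' -> (ip, port); 'ip' -> (ip, None); '---' -> (None, None)."""
    if tok == "---":
        return None, None
    ip, sep, port = tok.rpartition(":")
    return (ip, int(port)) if sep else (tok, None)


def parse_translations(text: str) -> List[Translation]:
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] == "Pro":
            continue                      # header, blank or unrecognised line
        proto = None if fields[0] == "---" else fields[0]
        ig, igp = _endpoint(fields[1])
        il, ilp = _endpoint(fields[2])
        ol, olp = _endpoint(fields[3])
        og, ogp = _endpoint(fields[4])
        entries.append(Translation(proto, ig, igp, il, ilp, ol, olp, og, ogp))
    return entries


def clear_command(t: Translation) -> str:
    """Build the clear command; the argument order follows the worked example
    on this page (protocol, inside global/local with ports, then outside)."""
    if t.proto is None:
        cmd = f"clear ip nat translation inside {t.inside_global} {t.inside_local}"
        if t.outside_local is not None:
            cmd += f" outside {t.outside_local} {t.outside_global}"
        return cmd
    return (f"clear ip nat translation {t.proto} inside "
            f"{t.inside_global} {t.inside_global_port} "
            f"{t.inside_local} {t.inside_local_port} "
            f"{t.outside_local} {t.outside_local_port} "
            f"{t.outside_global} {t.outside_global_port}")


def commands_for_inside_host(text: str, inside_local: str) -> List[str]:
    """All clear commands needed to drop one inside host's translations."""
    return [clear_command(t) for t in parse_translations(text)
            if t.inside_local == inside_local]


if __name__ == "__main__":
    for cmd in commands_for_inside_host(SAMPLE, "192.168.1.95"):
        print(cmd)
```

Run against a saved copy of the show output; each printed line is pasted back into the router as-is. Re-run show ip nat translation afterwards, since a host that is still talking will populate new dynamic entries immediately.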

Related Commands

ip nat
ip nat inside destination
ip nat inside source
ip nat outside source
ip nat pool
ip nat translation
show ip nat statistics
show ip nat translations

clear ip nhrp

To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, use the clear ip nhrp EXEC command.

clear ip nhrp

Syntax Description

This command has no arguments or keywords.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 11.0.

This command does not clear any static (configured) IP-to-nonbroadcast multiaccess (NBMA) address mappings from the NHRP cache.

Example

The following example clears all dynamic entries from the NHRP cache:

clear ip nhrp 

Related Command

show ip nhrp

clear ip route

To delete routes from the IP routing table, use the clear ip route EXEC command.

clear ip route {network [mask] | *}

Syntax Description

network

Network or subnet address to remove.

mask

(Optional) Subnet mask of the network or subnet address to remove.

*

Removes all routing table entries.


Default

All entries are removed.

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Example

The following example removes a route to network 132.5.0.0 from the IP routing table:

clear ip route 132.5.0.0

clear ip sse

To have the Route Processor recompute the silicon switching engine (SSE) program for IP on the Cisco 7000 series, use the clear ip sse privileged EXEC command.

clear ip sse

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Privileged EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The SSE is on the Silicon Switch Processor (SSP) board in the Cisco 7000.

This command also updates the SSE cache for IP.

Example

In the following example, the Route Processor recomputes the program for IP:

clear ip sse

clear sse

To reinitialize the Route Processor on the Cisco 7000 series, use the clear sse EXEC command.

clear sse

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

EXEC

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

The silicon switching engine (SSE) is on the Silicon Switch Processor (SSP) board in the Cisco 7000.

Example

The following example reinitializes the Route Processor:

clear sse

deny

To set conditions for a named IP access list, use the deny access-list configuration command. To remove a deny condition from an access list, use the no form of this command.

deny source [source-wildcard]
no deny source [source-wildcard]

deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
no deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

For ICMP, you can also use the following syntax:

deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] |
icmp-message] [precedence precedence] [tos tos] [log]

For IGMP, you can also use the following syntax:

deny igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]

For TCP, you can also use the following syntax:

deny tcp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [established] [precedence precedence] [tos tos] [log]

For UDP, you can also use the following syntax:

deny udp source source-wildcard [operator port [port]] destination destination-wildcard
[operator port [port]] [precedence precedence] [tos tos] [log]

Syntax Description

source

Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

source-wildcard

(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the "Usage Guidelines" section of the access-list (extended) command.

tos tos

(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the "Usage Guidelines" section of the access-list (extended) command.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the "Usage Guidelines" section of the access-list (extended) command.

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (extended) command.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.


Default

There is no specific condition under which a packet is denied passing the named access list.

Command Mode

Access-list configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command following the ip access-list command to specify conditions under which a packet cannot pass the named access list.

Example

The following example defines a standard access list named Internetfilter that denies one network and permits two others:

ip access-list standard Internetfilter
 deny 192.5.34.0  0.0.0.255
 permit 128.88.0.0  0.0.255.255
 permit 36.0.0.0  0.255.255.255
! (Note: all other access implicitly denied)

Related Commands

ip access-group
ip access-list
permit
show ip access-list

dnsix-dmdp retries

To set the retransmit count used by the Department of Defense Intelligence Information System Network Security for Information Exchange (DNSIX) Message Delivery Protocol (DMDP), use the dnsix-dmdp retries global configuration command. To restore the default number of retries, use the no form of this command.

dnsix-dmdp retries count
no dnsix-dmdp retries count

Syntax Description

count

Number of times DMDP will retransmit a message. It can be a decimal integer from 0 to 200. The default is 4 retries, or until acknowledged.


Default

Retransmits messages up to 4 times, or until acknowledged

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Example

The following example sets the number of times DMDP will attempt to retransmit a message to 150:

dnsix-dmdp retries 150

Related Commands

dnsix-nat authorized-redirection
dnsix-nat primary
dnsix-nat secondary
dnsix-nat source
dnsix-nat transmit-count

dnsix-nat authorized-redirection

To specify the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages, use the dnsix-nat authorized-redirection global configuration command. To delete an address, use the no form of this command.

dnsix-nat authorized-redirection ip-address
no dnsix-nat authorized-redirection ip-address

Syntax Description

ip-address

IP address of the host from which redirection requests are permitted.


Default

An empty list of addresses

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Use multiple dnsix-nat authorized-redirection commands to specify a set of hosts that are authorized to change the destination for audit messages. Redirection requests are checked against the configured list, and if the address is not authorized the request is rejected and an audit message is generated. If no address is specified, no redirection messages are accepted.

Example

The following example specifies that the address of the collection center that is authorized to change the primary and secondary addresses is 193.1.1.1.

dnsix-nat authorized-redirection 193.1.1.1

dnsix-nat primary

To specify the IP address of the host to which DNSIX audit messages are sent, use the dnsix-nat primary global configuration command. To delete an entry, use the no form of this command.

dnsix-nat primary ip-address
no dnsix-nat primary ip-address

Syntax Description

ip-address

IP address for the primary collection center.


Default

Messages are not sent.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

An IP address must be configured before audit messages can be sent.

Example

The following example configures an IP address as the address of the host to which DNSIX audit messages are sent:

dnsix-nat primary 194.1.1.1

dnsix-nat secondary

To specify an alternate IP address for the host to which DNSIX audit messages are sent, use the dnsix-nat secondary global configuration command. To delete an entry, use the no form of this command.

dnsix-nat secondary ip-address
no dnsix-nat secondary ip-address

Syntax Description

ip-address

IP address for the secondary collection center.


Default

No alternate IP address is known.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

When the primary collection center is unreachable, audit messages are sent to the secondary collection center instead.

Example

The following example configures an IP address as the address of an alternate host to which DNSIX audit messages are sent:

dnsix-nat secondary 193.1.1.1

dnsix-nat source

To start the audit-writing module and to define audit trail source address, use the dnsix-nat source global configuration command. To disable the DNSIX audit trail writing module, use the no form of this command.

dnsix-nat source ip-address
no dnsix-nat source ip-address

Syntax Description

ip-address

Source IP address for DNSIX audit messages.


Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

You must issue the dnsix-nat source command before any of the other dnsix-nat commands. The configured IP address is used as the source IP address for DMDP protocol packets sent to any of the collection centers.

Example

The following example enables the audit trail writing module, and specifies that the source IP address for any generated audit messages should be the same as the primary IP address of Ethernet interface 0.

dnsix-nat source 128.105.2.5 
interface ethernet 0 
ip address 128.105.2.5 255.255.255.0

dnsix-nat transmit-count

To have the audit writing module collect multiple audit messages in the buffer before sending the messages to a collection center, use the dnsix-nat transmit-count global configuration command. To revert to the default audit message count, use the no form of this command.

dnsix-nat transmit-count count
no dnsix-nat transmit-count count

Syntax Description

count

Number of audit messages to buffer before transmitting to the server. Integer from 1 to 200.


Default

One message is sent at a time.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

An audit message is sent as soon as the message is generated by the IP packet-processing code. The audit writing module can, instead, buffer up to several audit messages before transmitting to a collection center.

Example

The following example configures the system to buffer five audit messages before transmitting them to a collection center:

dnsix-nat transmit-count 5

dynamic

To define a named, dynamic, IP access list, use the dynamic access-list configuration command. To remove the access lists, use the no form of this command.

dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
no dynamic dynamic-name

For ICMP, you can also use the following syntax:

dynamic dynamic-name [timeout minutes] {deny | permit} icmp source source-wildcard
destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence
precedence] [tos tos] [log]

For IGMP, you can also use the following syntax:

dynamic dynamic-name [timeout minutes] {deny | permit} igmp source source-wildcard
destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]

For TCP, you can also use the following syntax:

dynamic dynamic-name [timeout minutes] {deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

For UDP, you can also use the following syntax:

dynamic dynamic-name [timeout minutes] {deny | permit} udp source source-wildcard
[operator port [port]] destination destination-wildcard [operator port [port]] [precedence
precedence] [tos tos] [log]


Caution   
Named IP access lists will not be recognized by any software release prior to Cisco IOS Release 11.2.

Syntax Description

dynamic-name

Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Traffic Filters" chapter in the Security Configuration Guide.

timeout minutes

(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Traffic Filters" chapter in the Security Configuration Guide.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines."

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.


Default

An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.

Command Mode

Access-list configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

You can use named access lists to control the transmission of packets on an interface and restrict contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match against the TCP source port, the type of service value, or the packet's precedence.


Note   After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.


The following is a list of precedence names:

critical

flash

flash-override

immediate

internet

network

priority

routine

The following is a list of type of service (TOS) names:

max-reliability

max-throughput

min-delay

min-monetary-cost

normal

The following is a list of ICMP message type names and ICMP message type and code names:

administratively-prohibited

alternate-address

conversion-error

dod-host-prohibited

dod-net-prohibited

echo

echo-reply

general-parameter-problem

host-isolated

host-precedence-unreachable

host-redirect

host-tos-redirect

host-tos-unreachable

host-unknown

host-unreachable

information-reply

information-request

mask-reply

mask-request

mobile-redirect

net-redirect

net-tos-redirect

net-tos-unreachable

net-unreachable

network-unknown

no-room-for-option

option-missing

packet-too-big

parameter-problem

port-unreachable

precedence-unreachable

protocol-unreachable

reassembly-timeout

redirect

router-advertisement

router-solicitation

source-quench

source-route-failed

time-exceeded

timestamp-reply

timestamp-request

traceroute

ttl-exceeded

unreachable

The following is a list of IGMP message names:

dvmrp

host-query

host-report

pim

trace

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

bgp

chargen

daytime

discard

domain

echo

finger

ftp

ftp-data

gopher

hostname

irc

klogin

kshell

lpd

nntp

pop2

pop3

smtp

sunrpc

syslog

tacacs-ds

talk

telnet

time

uucp

whois

www

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

biff

bootpc

bootps

discard

dns

dnsix

echo

mobile-ip

nameserver

netbios-dgm

netbios-ns

ntp

rip

snmp

snmptrap

sunrpc

syslog

tacacs-ds

talk

tftp

time

who

xdmcp

Example

In the following example, the access list named washington is a dynamic access list.

ip access-group washington in
!
ip access-list extended washington
dynamic testlist timeout 5 permit ip any any
permit tcp any host 185.302.21.2 eq 23
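The deny command and the dynamic command above share the same matching fields, and the reference describes their semantics only in prose. The following is an added example, not Cisco code and not part of this reference: a small Python model of how one entry is matched against a packet and how a list is evaluated. It implements exactly the rules stated on this page: wildcard masks where a 1 bit means "ignore this bit", the any and host abbreviations, the lt/gt/eq/neq/range port operators, the TCP established keyword (ACK or RST set), first-match evaluation, the implicit deny at the end of every list, and the acceptance of non-initial fragments by extended lists. The Internetfilter list is the one from the deny example; the EDGE_IN list, its 10.1.1.x addresses and all function and class names are constructed for the example.

```python
"""Reference model of how a named IP access list entry (deny/permit, and the
same fields inside a dynamic entry) matches a packet.

Added example, not Cisco code. It implements the rules stated on this page:
wildcard masks (a 1 bit means "ignore this bit"), the any/host abbreviations,
the port operators lt/gt/eq/neq/range, the TCP 'established' keyword (ACK or
RST set), first-match evaluation, the implicit deny at the end of every list
and the acceptance of non-initial fragments by extended lists.
"""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, Optional, Tuple

Address = Tuple[str, str]                       # (address, wildcard)
ANY: Address = ("0.0.0.0", "255.255.255.255")   # keyword 'any'


def host(addr: str) -> Address:
    """Keyword 'host': the address with wildcard 0.0.0.0 (exact match)."""
    return (addr, "0.0.0.0")


def wildcard_match(packet_addr: str, base: str, wildcard: str) -> bool:
    """True when packet_addr equals base on every bit that is 0 in wildcard."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(packet_addr)) & care) == \
           (int(ipaddress.IPv4Address(base)) & care)


def port_match(op: Optional[str], ports: Tuple[int, ...], port: int) -> bool:
    if op is None:
        return True                         # no operator: any port
    if op == "range":
        return ports[0] <= port <= ports[1]
    return {"eq": port == ports[0], "neq": port != ports[0],
            "lt": port < ports[0], "gt": port > ports[0]}[op]


@dataclass(frozen=True)
class Entry:
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip" matches every protocol
    src: Address
    dst: Address = ANY               # standard entries carry no destination
    src_op: Optional[str] = None
    src_ports: Tuple[int, ...] = ()
    dst_op: Optional[str] = None
    dst_ports: Tuple[int, ...] = ()
    established: bool = False        # TCP only


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    protocol: str = "ip"
    sport: int = 0
    dport: int = 0
    tcp_flags: FrozenSet[str] = frozenset()
    non_initial_fragment: bool = False


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    if e.protocol in ("tcp", "udp"):
        if not port_match(e.src_op, e.src_ports, p.sport):
            return False
        if not port_match(e.dst_op, e.dst_ports, p.dport):
            return False
    if e.established and not (p.tcp_flags & {"ACK", "RST"}):
        return False                 # the initial SYN of a new connection
    return True


def evaluate(acl, p: Packet, extended: bool = True):
    """Return (action, index of matching entry). First match wins; a packet
    that matches nothing hits the implicit deny (index None)."""
    if extended and p.non_initial_fragment:
        return "permit", None        # non-initial fragments bypass extended lists
    for i, e in enumerate(acl):
        if entry_matches(e, p):
            return e.action, i
    return "deny", None


# The standard list Internetfilter from this page.
INTERNETFILTER = [
    Entry("deny", "ip", ("192.5.34.0", "0.0.0.255")),
    Entry("permit", "ip", ("128.88.0.0", "0.0.255.255")),
    Entry("permit", "ip", ("36.0.0.0", "0.255.255.255")),
]

# A constructed extended inbound list (hypothetical addresses): replies to
# connections opened from inside, telnet to one host, DNS to one host.
EDGE_IN = [
    Entry("permit", "tcp", ANY, ANY, established=True),
    Entry("permit", "tcp", ANY, host("10.1.1.2"), dst_op="eq", dst_ports=(23,)),
    Entry("permit", "udp", ANY, host("10.1.1.3"), dst_op="eq", dst_ports=(53,)),
]
```

Two things the model makes visible that the prose only states: established matches any segment with ACK or RST set, so a crafted ACK with no prior SYN passes the first EDGE_IN entry (the keyword is a flag check, not connection tracking), and a non-initial fragment is permitted by an extended list regardless of its entries, which is why a filter that must hold for fragmented traffic needs a fragment-aware mechanism this page does not cover.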

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

clear access-temp
distribute-list in †
distribute-list out †
ip access-group
ip access-list
logging console †
priority-list †
queue-list †
show access-lists
show ip access-list

ip access-group

To control access to an interface, use the ip access-group interface configuration command. To remove the specified access group, use the no form of this command.

ip access-group {access-list-number | name}{in | out}
no ip access-group {access-list-number | name}{in | out}

Syntax Description

access-list-number

Number of an access list. This is a decimal number from 1 to 199.

name

Name of an IP access list as specified by an ip access-list command.

in

Filters on inbound packets.

out

Filters on outbound packets.


Default

Entering a keyword is strongly recommended, but if a keyword is not specified, out is the default.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0. The name argument first appeared in Cisco IOS Release 11.2.

Access lists are applied on either outbound or inbound interfaces. For standard inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination address and, where the entry specifies them, the protocol and ports. If the access list permits the packet, the software continues to process it. If the access list rejects the packet, the software discards it and returns an ICMP Host Unreachable message.

For standard outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination address and, where the entry specifies them, the protocol and ports. If the access list permits the packet, the software transmits it. If the access list rejects the packet, the software discards it and returns an ICMP Host Unreachable message.

If the specified access list does not exist, all packets are passed.

When you enable outbound access lists, you automatically disable autonomous switching for that interface. When you enable input access lists on any cBus or CxBus interface, you automatically disable autonomous switching for all interfaces (with one exception: an SSE configured with simple access lists can still switch packets, on output only).

Example

The following example applies list 101 on packets outbound from Ethernet interface 0:

interface ethernet 0
ip access-group 101 out

Related Commands

access-list (extended)
access-list (standard)
ip access-list
show access-lists

ip access-list

To define an IP access list by name, use the ip access-list global configuration command. To remove a named IP access list, use the no form of this command.

ip access-list {standard | extended} name
no ip access-list {standard | extended} name


Caution   
Named access lists will not be recognized by any software release prior to Cisco IOS Release 11.2.

Syntax Description

standard

Specifies a standard IP access list.

extended

Specifies an extended IP access list.

name

Name of the access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists.


Default

There is no named IP access list.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Use this command to configure a named IP access list as opposed to a numbered IP access list. This command will take you into access-list configuration mode, where you must define the denied or permitted access conditions with the deny and permit commands.

Specifying standard or extended with the ip access-list command determines the prompt you get when you enter access-list configuration mode.

Use the ip access-group command to apply the access-list to an interface.

Named access lists are not compatible with Cisco IOS releases prior to Release 11.2.

Example

The following example defines a standard access list named Internetfilter:

ip access-list standard Internetfilter
 permit 192.5.34.0  0.0.0.255
 permit 128.88.0.0  0.0.255.255
 permit 36.0.0.0  0.255.255.255
! (Note: all other access implicitly denied)

Related Commands

deny
ip access-group
permit
show ip access-list

ip accounting

To enable IP accounting on an interface, use the ip accounting interface configuration command. To disable IP accounting, use the no form of this command.

ip accounting [access-violations]
no ip accounting [access-violations]

Syntax Description

access-violations

(Optional) Enables IP accounting with the ability to identify IP traffic that fails IP access lists.


Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

IP accounting records the number of bytes (IP header and data) and packets switched through the system on a source and destination IP address basis. Only transit IP traffic is measured, and only on an outbound basis; traffic generated by the router or access server, or terminating in this device, is not included in the accounting statistics.

The access-violations option first appeared in IOS Release 10.3. If you specify the access-violations keyword, ip accounting provides information identifying IP traffic that fails IP access lists. Identifying IP source addresses that violate IP access lists alerts you to possible attempts to breach security. The data might also indicate that you should verify IP access list configurations. To receive a logging message on the console when an extended access list entry denies a packet access (to log violations), include the log keyword in the access-list (extended) command.

Statistics are accurate even if IP fast switching or IP access lists are being used on the interface.

IP accounting disables autonomous switching and SSE switching on the interface.

Example

The following example enables IP accounting on Ethernet interface 0:

interface ethernet 0
ip accounting

Related Commands

access-list (extended)
clear ip accounting
ip accounting-list
ip accounting-threshold
ip accounting-transits
show ip accounting

ip accounting-list

To define filters to control the hosts for which IP accounting information is kept, use the ip accounting-list global configuration command. To remove a filter definition, use the no form of this command.

ip accounting-list ip-address wildcard
no ip accounting-list ip-address wildcard

Syntax Description

ip-address

IP address in dotted-decimal format.

wildcard

Wildcard bits to be applied to ip-address.


Default

No filters are defined.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The source and destination address of each IP datagram is logically ANDed with the wildcard bits and compared with the ip-address. If there is a match, the information about the IP datagram will be entered into the accounting database. If there is no match, the IP datagram is considered a transit datagram and will be counted according to the setting of the ip accounting-transits global configuration command.

Example

The following example adds all hosts with IP addresses beginning with 192.31 to the list of hosts for which accounting information will be kept:

ip accounting-list 192.31.0.0 0.0.255.255

Related Commands

clear ip accounting
ip accounting
ip accounting-threshold
ip accounting-transits
show ip accounting

ip accounting-threshold

To set the maximum number of accounting entries to be created, use the ip accounting-threshold global configuration command. To restore the default number of entries, use the no form of this command.

ip accounting-threshold threshold
no ip accounting-threshold threshold

Syntax Description

threshold

Maximum number of entries (source and destination address pairs) that the Cisco IOS software accumulates.


Default

512 entries

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The accounting threshold defines the maximum number of entries (source and destination address pairs) that the software accumulates, preventing IP accounting from possibly consuming all available free memory. This level of memory consumption could occur in a router that is switching traffic for many hosts. Overflows will be recorded; see the monitoring commands for display formats.

The default accounting threshold of 512 entries results in a maximum table size of 12,928 bytes. Active and checkpointed tables can reach this size independently.

Example

The following example sets the IP accounting threshold to only 500 entries:

ip accounting-threshold 500

Related Commands

clear ip accounting
ip accounting
ip accounting-list
ip accounting-transits
show ip accounting

ip accounting-transits

To control the number of transit records that are stored in the IP accounting database, use the ip accounting-transits global configuration command. To return to the default number of records, use the no form of this command.

ip accounting-transits count
no ip accounting-transits

Syntax Description

count

Number of transit records to store in the IP accounting database.


Default

0

Command Mode

Global configuration

Usage Guidelines

This command first appeared in IOS Release 10.0.

Transit entries are those that do not match any of the filters specified by ip accounting-list global configuration commands. If no filters are defined, no transit entries are possible.

To maintain accurate accounting totals, the Cisco IOS software maintains two accounting databases: an active and a checkpointed database.

Example

The following example specifies that no more than 100 transit records are stored:

ip accounting-transits 100
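The following Python model ties together the behaviour described in this entry and the three preceding ones (ip accounting-list filters, the ip accounting-threshold entry cap, ip accounting-transits) with the wildcard match used by the standard access list shown under ip access-list. It is an added example, not Cisco code; the class and function names are hypothetical, and the exact way IOS caps its tables (here: the threshold bounds all address pairs, the transit count additionally bounds transit records, anything beyond that is tallied as overflow) is an assumption.

```python
"""Added model of IOS IP accounting and wildcard matching (not Cisco code)."""
from dataclasses import dataclass, field
from ipaddress import IPv4Address


def wildcard_match(addr: str, ip_address: str, wildcard: str) -> bool:
    """IOS wildcard semantics: a 1 bit in the wildcard is a 'do not care' bit.
    'permit 192.5.34.0 0.0.0.255' therefore matches any 192.5.34.x address."""
    a, base, w = (int(IPv4Address(x)) for x in (addr, ip_address, wildcard))
    care = ~w & 0xFFFFFFFF
    return (a & care) == (base & care)


def standard_acl_permits(addr: str, entries) -> bool:
    """Evaluate a standard access list top to bottom.
    entries are (action, ip-address, wildcard) tuples; anything that matches
    no entry is implicitly denied, as the Internetfilter example notes."""
    for action, ip_address, wildcard in entries:
        if wildcard_match(addr, ip_address, wildcard):
            return action == "permit"
    return False


@dataclass
class AccountingDb:
    """One accounting database (IOS keeps an active and a checkpointed one)."""
    filters: list = field(default_factory=list)   # ip accounting-list pairs
    threshold: int = 512                           # ip accounting-threshold
    transits: int = 0                              # ip accounting-transits
    entries: dict = field(default_factory=dict)    # (src, dst) -> [pkts, bytes]
    transit_entries: dict = field(default_factory=dict)
    overflow: list = field(default_factory=lambda: [0, 0])  # [pkts, bytes]

    def _is_accounted(self, src: str, dst: str) -> bool:
        # With no filters every datagram is tabulated directly and no transit
        # records are possible; otherwise src or dst must match some filter.
        if not self.filters:
            return True
        return any(wildcard_match(src, ip, w) or wildcard_match(dst, ip, w)
                   for ip, w in self.filters)

    def record(self, src: str, dst: str, nbytes: int) -> str:
        """Account one outbound transit datagram; return where it was counted
        ('entry', 'transit' or 'overflow')."""
        key = (src, dst)
        if self._is_accounted(src, dst):
            table, kind = self.entries, "entry"
        else:
            table, kind = self.transit_entries, "transit"
        if key not in table:
            # Assumed cap model: the threshold bounds all pairs, and the
            # transit count further bounds transit records. A full table is
            # recorded as overflow instead of growing until memory runs out.
            full = len(self.entries) + len(self.transit_entries) >= self.threshold
            if kind == "transit":
                full = full or len(self.transit_entries) >= self.transits
            if full:
                self.overflow[0] += 1
                self.overflow[1] += nbytes
                return "overflow"
        counters = table.setdefault(key, [0, 0])
        counters[0] += 1
        counters[1] += nbytes
        return kind


if __name__ == "__main__":
    # Constructed traffic: 'ip accounting-list 192.31.0.0 0.0.255.255',
    # a small threshold and one transit record, to show each outcome.
    db = AccountingDb(filters=[("192.31.0.0", "0.0.255.255")], threshold=3, transits=1)
    for src, dst, size in [("192.31.1.5", "10.0.0.1", 100), ("10.0.0.1", "192.31.1.5", 200),
                           ("10.1.1.1", "10.2.2.2", 300), ("10.3.3.3", "10.4.4.4", 10),
                           ("192.31.2.2", "10.0.0.9", 50), ("192.31.1.5", "10.0.0.1", 100)]:
        print(src, "->", dst, db.record(src, dst, size))
    print("entries:", db.entries, "transit:", db.transit_entries, "overflow:", db.overflow)
```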

Related Commands

clear ip accounting
ip accounting
ip accounting-list
ip accounting-threshold
show ip accounting

ip address

To set a primary or secondary IP address for an interface, use the ip address interface configuration command. To remove an IP address or disable IP processing, use the no form of this command.

ip address ip-address mask [secondary]
no ip address ip-address mask [secondary]

Syntax Description

ip-address

IP address.

mask

Mask for the associated IP subnet.

secondary

(Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.


Default

No IP address is defined for the interface.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

An interface can have one primary IP address and multiple secondary IP addresses. Packets generated by the Cisco IOS software always use the primary IP address. Therefore, all routers and access servers on a segment should share the same primary network number.

Hosts can determine subnet masks using the Internet Control Message Protocol (ICMP) Mask Request message. Routers respond to this request with an ICMP Mask Reply message.

You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the software detects another host using one of its IP addresses, it will print an error message on the console.

The optional keyword secondary allows you to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and ARP requests are handled properly, as are interface routes in the IP routing table.

Secondary IP addresses can be used in a variety of situations. The following are the most common applications:

There may not be enough host addresses for a particular network segment. For example, your subnetting allows up to 254 hosts per logical subnet, but on one physical subnet you need to have 300 host addresses. Using secondary IP addresses on the routers or access servers allows you to have two logical subnets using one physical subnet.

Many older networks were built using Level 2 bridges. The judicious use of secondary addresses can aid in the transition to a subnetted, router-based network. Routers on an older, bridged segment can be easily made aware that there are many subnets on that segment.

Two subnets of a single network might otherwise be separated by another network. This situation is not permitted when subnets are in use. In these instances, the first network is extended, or layered on top of the second network using secondary addresses.


Note   If any router on a network segment uses a secondary address, all other devices on that same segment must also use a secondary address from the same network or subnet. Inconsistent use of secondary addresses on a network segment can very quickly cause routing loops.



Note   When you are routing Open Shortest Path First (OSPF), ensure that all secondary addresses of an interface fall into the same OSPF area as the primary addresses.


To transparently bridge IP on an interface, you must do two things:

Disable IP routing (specify no ip routing).

Add the interface to a bridge group. (See the bridge-group command.)

To concurrently route and transparently bridge IP on an interface, see the bridge crb command.

Example

In the following example, 131.108.1.27 is the primary address and 192.31.7.17 and 192.31.8.17 are secondary addresses for Ethernet interface 0:

interface ethernet 0
ip address 131.108.1.27 255.255.255.0
ip address 192.31.7.17 255.255.255.0 secondary
ip address 192.31.8.17 255.255.255.0 secondary

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

bridge crb
bridge-group †

ip broadcast-address

To define a broadcast address for an interface, use the ip broadcast-address interface configuration command. To restore the default IP broadcast address, use the no form of this command.

ip broadcast-address [ip-address]
no ip broadcast-address [ip-address]

Syntax Description

ip-address

(Optional) IP broadcast address for a network.


Default

Default address: 255.255.255.255 (all ones)

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Example

The following example specifies an IP broadcast address of 0.0.0.0:

ip broadcast-address 0.0.0.0

ip cache-invalidate-delay

To control the invalidation rate of the IP route cache, use the ip cache-invalidate-delay global configuration command. To allow the IP route cache to be immediately invalidated, use the no form of this command.

ip cache-invalidate-delay [minimum maximum quiet threshold]
no ip cache-invalidate-delay

Syntax Description

minimum

(Optional) Minimum time (in seconds) between invalidation request and actual invalidation. The default is 2 seconds.

maximum

(Optional) Maximum time (in seconds) between invalidation request and actual invalidation. The default is 5 seconds.

quiet

(Optional) Length of quiet period (in seconds) before invalidation.

threshold

(Optional) Maximum number of invalidation requests considered to be quiet.


Defaults

minimum = 2 seconds
maximum = 5 seconds
quiet = 3 seconds
threshold = 0 (the cache counts as quiet only when no invalidation requests arrive during the quiet period)

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

When this command is not configured (that is, under the no form), all cache invalidation requests are honored immediately.

This command should typically not be used except under the guidance of technical support personnel. Incorrect settings can seriously degrade network performance.

The IP fast-switching and autonomous-switching features maintain a cache of IP routes for rapid access. When a packet is to be forwarded and the corresponding route is not present in the cache, the packet is process-switched and a new cache entry is built. However, when routing table changes occur (such as when a link or an interface goes down), the route cache must be flushed so that it can be rebuilt with up-to-date routing information.

This command controls how the route cache is flushed. The intent is to delay invalidation of the cache until after routing has settled down, since there tend to be many route table changes clustered in a short period of time, and the cache may be flushed repeatedly, which may put a high CPU load on the router.

When this feature is enabled, and the system requests that the route cache be flushed, the request is held for at least minimum seconds. Then the system determines whether the cache has been "quiet" (that is, less than threshold invalidation requests in the last quiet seconds). If the cache has been quiet, the cache is then flushed. If the cache does not become quiet within maximum seconds after the first request, it is flushed unconditionally.

Manipulation of these parameters trades off CPU utilization versus route convergence time. Note that this does not affect the timing of the routing protocols, but only of the removal of stale cache entries.

Example

The following example sets a minimum delay of 5 seconds, a maximum delay of 30 seconds, and a quiet threshold of no more than 5 invalidation requests in the previous 10 seconds:

ip cache-invalidate-delay 5 30 10 5
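The hold-down described in the Usage Guidelines, as an added Python model (not Cisco code): a request is held at least minimum seconds, the cache is flushed as soon as it has been quiet, and a flush is forced once maximum seconds have passed. The function names are hypothetical, and "quiet" is taken to mean no more than threshold requests in the last quiet seconds, which is the reading consistent with the default threshold of 0.

```python
"""Added model of the ip cache-invalidate-delay hold-down (not Cisco code)."""
from bisect import bisect_right


def requests_in_window(requests, t, quiet):
    """Number of invalidation requests in the window (t - quiet, t].
    `requests` must be sorted."""
    return bisect_right(requests, t) - bisect_right(requests, t - quiet)


def schedule_flushes(requests, minimum=2, maximum=5, quiet=3, threshold=0):
    """Return the times at which the route cache is actually flushed.

    requests: timestamps (seconds) of routing-table changes that asked for
    a cache invalidation. Defaults are the command's own (2, 5, 3, 0)."""
    reqs = sorted(requests)
    flushes = []
    i = 0
    while i < len(reqs):
        first = reqs[i]                          # first request of this batch
        earliest = first + minimum               # hold at least this long
        deadline = first + max(maximum, minimum) # flush unconditionally by here
        # The window count only drops when a request ages out at r + quiet,
        # so those instants (plus `earliest`) are the only times quiet can begin.
        candidates = sorted({earliest} | {r + quiet for r in reqs
                                          if earliest <= r + quiet < deadline})
        flush_at = deadline
        for t in candidates:
            if requests_in_window(reqs, t, quiet) <= threshold:
                flush_at = t
                break
        flushes.append(flush_at)
        # Every request up to the flush is satisfied by it; later ones start
        # a new batch.
        i = bisect_right(reqs, flush_at)
    return flushes


def immediate_flushes(requests):
    """Behaviour of 'no ip cache-invalidate-delay': each request flushes at once."""
    return sorted(requests)


if __name__ == "__main__":
    # Constructed scenario: a link flaps and produces one routing change per
    # second for 40 seconds, with the parameters from the example above.
    churn = list(range(41))
    print("immediate:", len(immediate_flushes(churn)), "flushes")
    print("5 30 10 5:", schedule_flushes(churn, 5, 30, 10, 5))  # forced at 30, quiet at 45
    print("defaults, lone request:", schedule_flushes([0]))
```

With the page's parameters the 41 requests collapse into two flushes: one forced at the 30-second maximum and one at 45 seconds, when at most 5 requests fall in the preceding 10 seconds.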

Related Commands

ip route-cache
show ip cache

ip classless

At times the router might receive packets destined for a subnet of a network that has no network default route. To have the Cisco IOS software forward such packets to the best supernet route possible, use the ip classless global configuration command. To disable this feature, use the no form of this command.

ip classless
no ip classless

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

This command allows the software to forward packets that are destined for unrecognized subnets of directly connected networks. By default, the software discards the packets when a router receives packets for a subnet that numerically falls within its subnetwork addressing scheme, if there is no such subnet number in the routing table and there is no network default route. However, when the ip classless command is enabled, the software instead forwards those packets to the best supernet route.

Example

The following example configures the software to forward packets destined for an unrecognized subnet to the best supernet possible:

ip classless

ip default-gateway

To define a default gateway (router) when IP routing is disabled, use the ip default-gateway global configuration command. To disable this function, use the no form of this command.

ip default-gateway ip-address
no ip default-gateway ip-address

Syntax Description

ip-address

IP address of the router.


Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The Cisco IOS software sends any packets that need the assistance of a gateway to the address you specify. If another gateway has a better route to the requested host, the default gateway sends an ICMP redirect message back. The ICMP redirect message indicates which local router the Cisco IOS software should use.

Example

The following example defines the router on IP address 192.31.7.18 as the default router:

ip default-gateway 192.31.7.18

Related Command

show ip redirects

ip directed-broadcast

To enable the translation of directed broadcast to physical broadcasts, use the ip directed-broadcast interface configuration command. To disable this function, use the no form of this command.

ip directed-broadcast [access-list-number]
no ip directed-broadcast [access-list-number]

Syntax Description

access-list-number

(Optional) Number of the access list. If specified, a broadcast must pass the access list to be forwarded. If not specified, all broadcasts are forwarded.


Default

Enabled, with no list specified

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

This feature is enabled only for those protocols configured using the ip forward-protocol global configuration command. An access list may be specified to control which broadcasts are forwarded. When an access list is specified, only those IP packets permitted by the access list are eligible to be translated from directed broadcasts to physical broadcasts.

Example

The following example enables forwarding of IP directed broadcasts on Ethernet interface 0:

interface ethernet 0
ip directed-broadcast

Related Command

ip forward-protocol

ip domain-list

To define a list of default domain names to complete unqualified host names, use the ip domain-list global configuration command. To delete a name from a list, use the no form of this command.

ip domain-list name
no ip domain-list name

Syntax Description

name

Domain name. Do not include the initial period that separates an unqualified name from the domain name.


Default

No domain names are defined.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

If there is no domain list, the domain name that you specified with the ip domain-name global configuration command is used. If there is a domain list, the default domain name is not used. The ip domain-list command is similar to the ip domain-name command, except that with ip domain-list you can define a list of domains, each to be tried in turn.

Examples

The following example adds several domain names to a list:

ip domain-list martinez.com
ip domain-list stanford.edu 

The following example adds a name to and then deletes a name from the list:

ip domain-list sunya.edu
no ip domain-list stanford.edu

Related Command

ip domain-name

ip domain-lookup

To enable the IP Domain Naming System (DNS)-based host name-to-address translation, use the ip domain-lookup global configuration command. To disable the DNS, use the no form of this command.

ip domain-lookup
no ip domain-lookup

Syntax Description

This command has no arguments or keywords.

Default

Enabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Example

The following example enables the IP Domain Naming System-based host name-to-address translation:

ip domain-lookup

Related Commands

ip domain-lookup nsap
ip domain-name
ip name-server

ip domain-lookup nsap

To allow DNS queries for Connectionless Network System (CLNS) addresses, use the ip domain-lookup nsap global configuration command. To disable this feature, use the no form of this command.

ip domain-lookup nsap
no ip domain-lookup nsap

Syntax Description

This command has no arguments or keywords.

Default

Enabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

With both IP and International Organization for Standardization (ISO) CLNS enabled, this feature allows the Cisco IOS software to dynamically determine a CLNS address given a host name. This feature is useful for the ISO CLNS ping EXEC command and when making CLNS Telnet connections.

Example

The following example disables DNS queries of CLNS addresses:

no ip domain-lookup nsap

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

ip domain-lookup
ping (for ISO CLNS)

ip domain-name

To define a default domain name that the Cisco IOS software uses to complete unqualified host names (names without a dotted-decimal domain name), use the ip domain-name global configuration command. To disable use of the DNS, use the no form of this command.

ip domain-name name
no ip domain-name

Syntax Description

name

Default domain name used to complete unqualified host names. Do not include the initial period that separates an unqualified name from the domain name.


Default

Enabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Any IP host name that does not contain a domain name (that is, any name without a dot) will have a dot and the configured default domain name (cisco.com in the example below) appended to it before being added to the host table.

Example

The following example defines cisco.com as the default domain name:

ip domain-name cisco.com

Related Commands

ip domain-list
ip domain-lookup
ip name-server

ip flow-export

To allow the exporting of information in NetFlow cache entries, use the ip flow-export global configuration command. To disable the exporting of information, use the no form of this command.

ip flow-export ip-address udp-port
no ip flow-export ip-address udp-port

Syntax Description

ip-address

IP address of the workstation to which you want to send the NetFlow information.

udp-port

UDP protocol-specific port number.


Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

A NetFlow cache entry contains a large amount of information. When flow switching is enabled with the ip route-cache flow command, you can use the ip flow-export command to configure the router to export the flow cache entry to a workstation when a flow expires. This feature can be useful for statistics, billing, and security, for example.

Example

The following example configures the router to export the NetFlow cache entry to the workstation at 134.22.23.7 when the flow expires:

ip flow-export 134.22.23.7 125

Related Command

ip route-cache flow

ip forward-protocol

To specify which protocols and ports the router forwards when forwarding broadcast packets, use the ip forward-protocol global configuration command. To remove a protocol or port, use the no form of this command.

ip forward-protocol {udp [port] | nd | sdns}
no ip forward-protocol {udp [port] | nd | sdns}

Syntax Description

udp

Forward User Datagram Protocol (UDP) datagrams. See the "Default" section below for a list of port numbers forwarded by default.

port

(Optional) Destination port that controls which UDP services are forwarded.

nd

Forward Network Disk (ND) datagrams. This protocol is used by older diskless Sun workstations.

sdns

Secure Data Network Service.


Default

If an IP helper address is defined, UDP forwarding is enabled on default ports. If UDP flooding is configured, UDP flooding is enabled on the default ports.

If a helper address is specified and UDP forwarding is enabled, broadcast packets destined to the following port numbers are forwarded by default:

Trivial File Transfer Protocol (TFTP) (port 69)

Domain Naming System (port 53)

Time service (port 37)

NetBIOS Name Server (port 137)

NetBIOS Datagram Server (port 138)

Boot Protocol (BOOTP) client and server datagrams (ports 67 and 68)

TACACS service (port 49)


Note   Using the ip directed-broadcast interface configuration command with the optional access-list-number argument overrides the behavior of the ip forward-protocol command.


Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Enabling a helper address or UDP flooding on an interface causes the Cisco IOS software to forward particular broadcast packets. You can use the ip forward-protocol command to specify exactly which types of broadcast packets you would like to have forwarded. A number of commonly forwarded applications are enabled by default. Enabling forwarding for some ports (for example, RIP) may be hazardous to your network.

If you use the ip forward-protocol command, specifying just UDP, without the port, enables forwarding and flooding on the default ports.

One common application that requires helper addresses is Dynamic Host Configuration Protocol (DHCP). DHCP is defined in RFC 1531. DHCP protocol information is carried inside of BOOTP packets. To enable BOOTP broadcast forwarding for a set of clients, configure a helper address on the router interface closest to the client. The helper address should specify the address of the DHCP server. If you have multiple servers, you can configure one helper address for each server. Since BOOTP packets are forwarded by default, DHCP information can now be forwarded by the software. The DHCP server now receives broadcasts from the DHCP clients.

Example

The following example uses the ip forward-protocol command to specify forwarding of UDP port 3001 in addition to the default ports, and then defines a helper address:

ip forward-protocol udp 3001
!
interface ethernet 1
ip helper-address 131.120.1.0

Related Commands

ip directed-broadcast
ip forward-protocol spanning-tree
ip forward-protocol turbo-flood
ip helper-address

ip forward-protocol any-local-broadcast

To forward any broadcasts including local subnet broadcasts, use the ip forward-protocol any-local-broadcast global configuration command. To disable this type of forwarding, use the no form of this command.

ip forward-protocol any-local-broadcast
no ip forward-protocol any-local-broadcast

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

The ip forward-protocol any-local-broadcast command forwards packets similarly to how the ip forward-protocol spanning-tree command does. That is, it forwards packets whose contents are all ones (255.255.255.255), all zeros (0.0.0.0), and, if subnetting is enabled, all networks (131.108.255.255 as an example in the network number 131.108.0.0). This mechanism also forwards packets whose contents are the zeros version of the all-networks broadcast when subnetting is enabled (for example, 131.108.0.0). In addition, it forwards any local subnet broadcast packets.

Use the ip forward-protocol any-local-broadcast command in conjunction with the ip forward-protocol spanning-tree command, not as a replacement for it.

Example

Assume a router is directly connected to subnet 1 of network 131.108.0.0 and that the netmask is 255.255.255.0. The following command enables the forwarding of IP broadcasts destined to 131.108.1.255 and 131.108.1.0 in addition to the broadcast addresses mentioned in the "Usage Guidelines" section:

ip forward-protocol any-local-broadcast

Related Command

ip forward-protocol spanning-tree

ip forward-protocol spanning-tree

To permit IP broadcasts to be flooded throughout the internetwork in a controlled fashion, use the ip forward-protocol spanning-tree global configuration command. To disable the flooding of IP broadcasts, use the no form of this command.

ip forward-protocol spanning-tree
no ip forward-protocol spanning-tree

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Packets must meet the following criteria to be considered for flooding:

The packet must be a MAC-level broadcast.

The packet must be an IP-level broadcast; that is, an all-network broadcast (255.255.255.255) or major network broadcast (131.108.255.255, for example).

The packet must be a TFTP, DNS, Time, NetBIOS, ND, or BOOTP packet, or a UDP protocol specified by the ip forward-protocol udp global configuration command.

The packet's time-to-live (TTL) value must be at least 2.

A flooded UDP datagram is given the destination address specified by the ip broadcast-address interface configuration command on the output interface. The destination address can be set to any desired address. Thus, the destination address may change as the datagram propagates through the network. The source address is never changed. The TTL value is decremented.

After a decision has been made to send the datagram out on an interface (and the destination address possibly changed), the datagram is handed to the normal IP output routines and is therefore subject to access lists, if they are present on the output interface.

The ip forward-protocol spanning-tree command uses the database created by the bridging spanning-tree protocol. Therefore, the transparent bridging option must be in the routing software, and bridging must be configured on each interface that is to participate in the flooding in order to support this capability.

If an interface does not have bridging configured, it still will be able to receive broadcasts, but it will never forward broadcasts received on that interface. Also, it will never use that interface to send broadcasts received on a different interface.

If no actual bridging is desired, you can configure a type-code bridging filter that will deny all packet types from being bridged. Refer to the "Transparent Bridging" chapter in the Bridging and IBM Networking Configuration Guide for more information about using access lists to filter bridged traffic. The spanning-tree database is still available to the IP forwarding code to use for the flooding.

The spanning-tree-based flooding mechanism forwards packets whose contents are all ones (255.255.255.255), all zeros (0.0.0.0), and, if subnetting is enabled, all networks (131.108.255.255 as an example in the network number 131.108.0.0). This mechanism also forwards packets whose contents are the zeros version of the all-networks broadcast when subnetting is enabled (for example, 131.108.0.0).

This command is an extension of the ip helper-address interface configuration command, in that the same packets that may be subject to the helper address and forwarded to a single network can now be flooded. Only one copy of the packet will be put on each network segment.

Example

The following example permits IP broadcasts to be flooded through the internetwork in a controlled fashion:

ip forward-protocol spanning-tree
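The forwarding decision described under ip forward-protocol (the default UDP port list and per-port additions and removals), ip forward-protocol any-local-broadcast, and the flooding criteria in this entry, as an added Python model for one inbound interface. It is not Cisco code; the class and method names are hypothetical, the classful major-network rule (A /8, B /16, C /24) is assumed, and helper forwarding is modelled for the all-ones and local subnet broadcast only.

```python
"""Added model of the helper-address / spanning-tree flooding decision (not Cisco code)."""
from ipaddress import IPv4Network

# UDP destination ports forwarded by default once a helper address exists
# (TFTP, DNS, Time, NetBIOS name and datagram, BOOTP client/server, TACACS).
DEFAULT_UDP_PORTS = frozenset({69, 53, 37, 137, 138, 67, 68, 49})


def major_network(addr: str) -> IPv4Network:
    """Classful (major) network of an address; assumed rule A=/8, B=/16, C=/24."""
    first = int(addr.split(".")[0])
    prefix = 8 if first < 128 else 16 if first < 192 else 24
    return IPv4Network((addr, prefix), strict=False)


class BroadcastForwarder:
    """Configuration of one interface and its global forward-protocol settings:
    helper addresses, 'ip forward-protocol udp <port>' additions,
    'no ip forward-protocol udp <port>' removals, spanning-tree flooding and
    any-local-broadcast."""

    def __init__(self, iface_address, iface_mask, helpers=(), add_ports=(),
                 remove_ports=(), spanning_tree=False, any_local_broadcast=False):
        self.subnet = IPv4Network((iface_address, iface_mask), strict=False)
        self.major = major_network(iface_address)
        self.helpers = tuple(helpers)
        self.udp_ports = (set(DEFAULT_UDP_PORTS) | set(add_ports)) - set(remove_ports)
        self.spanning_tree = spanning_tree
        self.any_local_broadcast = any_local_broadcast

    def floodable_destinations(self):
        """IP-level broadcast destinations eligible for spanning-tree flooding:
        all ones, all zeros, and the ones/zeros forms of the major-network
        broadcast; any-local-broadcast adds the local subnet's two forms."""
        dests = {"255.255.255.255", "0.0.0.0",
                 str(self.major.broadcast_address), str(self.major.network_address)}
        if self.any_local_broadcast:
            dests |= {str(self.subnet.broadcast_address), str(self.subnet.network_address)}
        return dests

    def decide(self, dst, dst_port, ttl, mac_broadcast=True):
        """Return 'flood', 'helper' or 'drop: <reason>' for a received UDP broadcast."""
        if dst_port not in self.udp_ports:
            return f"drop: UDP port {dst_port} not in forwarded set"
        # Flooding criteria from this entry: MAC broadcast, IP-level broadcast,
        # eligible protocol, TTL of at least 2.
        if (self.spanning_tree and mac_broadcast and ttl >= 2
                and dst in self.floodable_destinations()):
            return "flood"
        if self.helpers and dst in {"255.255.255.255", str(self.subnet.broadcast_address)}:
            return "helper"
        return "drop: not an eligible broadcast for helper forwarding or flooding"


if __name__ == "__main__":
    # Constructed setup: router on subnet 1 of 131.108.0.0/16 with mask
    # 255.255.255.0, a DHCP-style helper, UDP 3001 added, flooding enabled.
    fw = BroadcastForwarder("131.108.1.1", "255.255.255.0", helpers=["131.108.2.10"],
                            add_ports=[3001], spanning_tree=True)
    for dst, port, ttl in [("255.255.255.255", 67, 64), ("131.108.255.255", 69, 1),
                           ("131.108.1.255", 53, 64), ("255.255.255.255", 520, 64)]:
        print(dst, port, ttl, "->", fw.decide(dst, port, ttl))
```

The last constructed packet is RIP (UDP 520), which the page warns is hazardous to forward: it is dropped unless explicitly added with ip forward-protocol udp 520.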

Related Commands

ip broadcast-address
ip forward-protocol
ip forward-protocol turbo-flood
ip helper-address

ip forward-protocol turbo-flood

To speed up flooding of User Datagram Protocol (UDP) datagrams using the spanning-tree algorithm, use the ip forward-protocol turbo-flood global configuration command. To disable this feature, use the no form of this command.

ip forward-protocol turbo-flood
no ip forward-protocol turbo-flood

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Used in conjunction with the ip forward-protocol spanning-tree global configuration command, this feature is supported over Advanced Research Projects Agency (ARPA)-encapsulated Ethernets, FDDI, and HDLC-encapsulated serials, but is not supported on Token Rings. As long as the Token Rings and the non-HDLC serials are not part of the bridge group being used for UDP flooding, turbo flooding will behave normally.

Example

The following is an example of a two-port router (2E) using this feature:

ip forward-protocol turbo-flood
ip forward-protocol spanning-tree
!
interface ethernet 0
ip address 128.9.1.1
bridge-group 1
!
interface ethernet 1
ip address 128.9.1.2
bridge-group 1
!
!
bridge 1 protocol dec

Related Commands

ip forward-protocol
ip forward-protocol spanning-tree

ip gdp gdp

To configure the router discovery feature using the Cisco Gateway Discovery Protocol (GDP) routing protocol, use the ip gdp gdp interface configuration command. To disable this feature, use the no form of this command.

ip gdp gdp
no ip gdp gdp

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

In future Cisco IOS software releases, GDP will not be supported.

IP routing must be disabled before you can configure this feature.

Example

The following example configures router discovery using GDP on Ethernet interface 0:

interface ethernet 0
ip gdp gdp

ip gdp igrp

To configure the router discovery feature using the Cisco Interior Gateway Routing Protocol (IGRP), use the ip gdp igrp interface configuration command. To disable this feature, use the no form of this command.

ip gdp igrp
no ip gdp igrp

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

In future Cisco IOS software releases, the Gateway Discovery Protocol (GDP) will not be supported.

IP routing must be disabled before you can configure this feature.

Example

The following example configures router discovery using IGRP on Ethernet interface 1:

interface ethernet 1
ip gdp igrp

ip gdp irdp

To configure the router discovery feature using the ICMP Router Discovery Protocol (IRDP), use the ip gdp irdp interface configuration command. To disable this feature, use the no form of this command.

ip gdp irdp
no ip gdp irdp

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

In future Cisco IOS software releases, the Gateway Discovery Protocol (GDP) will not be supported.

IP routing must be disabled before you can configure this feature.

Example

The following example configures router discovery using IRDP on Ethernet interface 0:

interface ethernet 0
ip gdp irdp

ip gdp rip

To configure the router discovery feature using the Routing Information Protocol (RIP), use the ip gdp rip interface configuration command. To disable this feature, use the no form of this command.

ip gdp rip
no ip gdp rip

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

In future Cisco IOS software releases, the Gateway Discovery Protocol (GDP) will not be supported.

IP routing must be disabled before you can configure this feature.

Example

The following example configures router discovery using RIP on Ethernet interface 1:

interface ethernet 1
ip gdp rip

ip helper-address

To have the Cisco IOS software forward User Datagram Protocol (UDP) broadcasts, including BOOTP, received on an interface, use the ip helper-address interface configuration command. To disable the forwarding of broadcast packets to specific addresses, use the no form of this command.

ip helper-address address
no ip helper-address address

Syntax Description

address

Destination broadcast or host address to be used when forwarding UDP broadcasts. There can be more than one helper address per interface.


Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Combined with the ip forward-protocol global configuration command, the ip helper-address command allows you to control which broadcast packets and which protocols are forwarded.

One common application that requires helper addresses is the Dynamic Host Configuration Protocol (DHCP), defined in RFC 1531 (since superseded by RFC 2131). DHCP messages are carried inside BOOTP packets. To enable BOOTP broadcast forwarding for a set of clients, configure a helper address on the router interface closest to the clients; the helper address is the address of the DHCP server. If you have multiple servers, configure one helper address for each server. Because BOOTP is among the UDP services forwarded by default, the router then forwards the clients' DHCP broadcasts to the server, and the server receives requests from clients that are not on its own segment. A helper address also forwards the other UDP services that the ip forward-protocol command enables by default; if the clients need only DHCP, use the no ip forward-protocol udp form to stop the router from relaying the services you do not want.


Note   The ip helper-address command does not work on an X.25 interface on a destination router because the router cannot tell if the packet was intended as a physical broadcast.


Example

The following example defines an address that acts as a helper address:

interface ethernet 1
ip helper-address 121.24.43.2
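A fuller DHCP relay configuration, added here as an example (it is not from the original page). It reuses the server address 121.24.43.2 from the example above; the second server 121.24.43.3, the interface address and the choice of services to stop forwarding are assumptions. The no ip forward-protocol udp lines turn off relaying of several UDP services that IOS otherwise forwards by default whenever a helper address is set, so the DHCP server host is not sent every TFTP, DNS, NetBIOS and TACACS broadcast the client segment generates; check the ip forward-protocol entry for the complete default list:

```cisco
! Added example; not from the original page.
! BOOTP/DHCP (UDP 67) is relayed by default; it is stated here explicitly.
ip forward-protocol udp bootps
! Stop relaying the other UDP services that are forwarded by default once a
! helper address exists. Verify the default list under ip forward-protocol.
no ip forward-protocol udp tftp
no ip forward-protocol udp domain
no ip forward-protocol udp time
no ip forward-protocol udp netbios-ns
no ip forward-protocol udp netbios-dgm
no ip forward-protocol udp tacacs
!
interface ethernet 1
ip address 192.168.1.94 255.255.255.0
ip helper-address 121.24.43.2
ip helper-address 121.24.43.3
```

The interface address is the one used by the NAT examples later in this chapter and is assumed here; the second helper address is a hypothetical secondary DHCP server. With two helper addresses every client broadcast is forwarded to both servers.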

Related Command

ip forward-protocol

ip host

To define a static host name-to-address mapping in the host cache, use the ip host global configuration command. To remove the name-to-address mapping, use the no form of this command.

ip host name [tcp-port-number] address1 [address2...address8]
no ip host name address

Syntax Description

name

Name of the host. The first character can be either a letter or a number. If you use a number, the operations you can perform are limited.

tcp-port-number

(Optional) TCP port number to connect to when using the defined host name in conjunction with an EXEC connect or Telnet command. The default is Telnet (port 23).

address1

Associated IP address.

address2...address8

(Optional) Additional associated IP address. You can bind up to eight addresses to a host name.


Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The first character can be either a letter or a number. If you use a number, the operations you can perform (such as ping) are limited.

Example

The following example defines two static mappings:

ip host croff 192.31.7.18
ip host bisso-gw 10.2.0.2 192.31.7.33

ip hp-host

To enter into the host table the host name of an HP host to be used for HP Probe Proxy service, use the ip hp-host global configuration command. To remove a host name, use the no form of this command.

ip hp-host hostname ip-address
no ip hp-host hostname ip-address

Syntax Description

hostname

Name of the host.

ip-address

IP address of the host.


Default

No host names are defined.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

To use the HP Proxy service, you must first enter the host name of the HP host into the host table using this command.

Example

The following example specifies an HP host's name and address, and then enables Probe Proxy:

ip hp-host BCWjo 131.108.1.27 
interface ethernet 0
ip probe proxy

Related Command

ip probe proxy

ip mask-reply

To have the Cisco IOS software respond to Internet Control Message Protocol (ICMP) Address Mask Request messages by sending ICMP Address Mask Reply messages, use the ip mask-reply interface configuration command. To disable this function, use the no form of this command.

ip mask-reply
no ip mask-reply

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

An ICMP Mask Reply discloses the subnet mask of the interface to whoever sent the request. Leave the feature disabled (the default) unless hosts on the segment actually rely on ICMP Address Mask Request (RFC 950) to learn their mask.

Example

The following example enables the sending of ICMP Mask Reply messages on Ethernet interface 0:

interface ethernet 0
ip address 131.108.1.1 255.255.255.0
ip mask-reply

ip mobile arp

To enable local-area mobility, use the ip mobile arp interface configuration command. To disable local-area mobility, use the no form of this command.

ip mobile arp [timers keepalive hold-time] [access-group access-list-number | name]
no ip mobile arp [timers keepalive hold-time] [access-group access-list-number | name]

Syntax Description

timers

(Optional) Indicates that you are setting local-area mobility timers.

keepalive

(Optional) Interval, in seconds, at which the Cisco IOS software sends a unicast ARP message to a relocated host to verify that the host is still present and has not moved. The default keepalive time is 300 seconds (5 minutes).

hold-time

(Optional) Hold time, in seconds. This is the length of time the software considers that a relocated host is present without receiving some type of ARP broadcast or unicast from the host. Normally, the hold time should be at least three times greater than the keepalive time. The default hold time is 900 seconds (15 minutes).

access-group

(Optional) Indicates that you are applying an access list. This access list applies only to local-area mobility.

access-list-number

(Optional) Number of a standard IP access list. It is a decimal number from 1 to 99. Only hosts with addresses permitted by this access list are accepted for local-area mobility.

name

(Optional) Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.


Defaults

Local-area mobility is disabled.

If you enable local-area mobility:
keepalive: 300 seconds (5 minutes)
hold-time: 900 seconds (15 minutes)

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.0.

Local-area mobility is supported on Ethernet, Token Ring, and FDDI interfaces only.

To create larger mobility areas, you must first redistribute the mobile routes into your Interior Gateway Protocol (IGP). The IGP must support host routes. You can use Enhanced IGRP, OSPF, or Intermediate System-to-Intermediate System (IS-IS); you can also use RIP, but this is not recommended. The mobile area must consist of a contiguous set of subnets.

Using an access list to restrict which hosts may become mobile nodes is strongly encouraged. Without one, any host that sends ARP with an address outside the interface's own subnet is accepted as a mobile node and a host route is installed for that address, so a misconfigured (or malicious) host can attract traffic for an address it does not own and disrupt normal operation. Permit only the addresses of the hosts that are expected to roam.

Example

The following example configures local-area mobility on Ethernet interface 0:

bridge 1 protocol ieee
access-list 10 permit 198.92.37.114
interface ethernet 0
ip mobile arp access-group 10
bridge-group 1

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

access-list (standard)
bridge-group

bridge protocol †
default-metric (BGP, EGP, OSPF, and RIP) †
network (BGP)†
network (EGP) †
network (IGRP) †
network (RIP) †
redistribute †
router eigrp †
router isis †
router ospf †

ip mtu

To set the maximum transmission unit (MTU) size of IP packets sent on an interface, use the ip mtu interface configuration command. To restore the default MTU size, use the no form of this command.

ip mtu bytes
no ip mtu

Syntax Description

bytes

MTU in bytes.


Default

The IP MTU defaults to the MTU of the interface (set with the mtu command). The minimum configurable value is 128 bytes; the maximum depends on the interface medium.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

If an IP packet exceeds the IP MTU set for the interface, the Cisco IOS software fragments it, unless the packet has the Don't Fragment bit set, in which case the packet is dropped and an ICMP error is returned to the sender.

All devices on a physical medium must use the same protocol MTU in order to interoperate.


Note   Changing the MTU value (with the mtu interface configuration command) can affect the IP MTU value. If the current IP MTU value is the same as the MTU value, and you change the MTU value, the IP MTU value will be modified automatically to match the new MTU. However, the reverse is not true; changing the IP MTU value has no effect on the value for the mtu command.


Example

The following example sets the maximum IP packet size for the first serial interface to 300 bytes:

interface serial 0
ip mtu 300

Related Command

A dagger (†) indicates that the command is documented outside this chapter.

mtu

ip name-server

To specify the address of one or more name servers to use for name and address resolution, use the ip name-server global configuration command. To remove the addresses specified, use the no form of this command.

ip name-server server-address1 [[server-address2]...server-address6]
no ip name-server server-address1 [[server-address2]...server-address6]

Syntax Description

server-address1

IP address of the name server.

server-address2...server-address6

(Optional) IP addresses of additional name servers (a maximum of six name servers).


Default

No name server addresses are specified.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Example

The following example specifies host 131.108.1.111 as the primary name server and host 131.108.1.2 as the secondary server:

ip name-server 131.108.1.111 131.108.1.2

This command will be reflected in the configuration file as follows:

ip name-server 131.108.1.111
ip name-server 131.108.1.2

Related Commands

ip domain-lookup
ip domain-name

ip nat

To designate that traffic originating from or destined for the interface is subject to Network Address Translation (NAT), use the ip nat interface configuration command. To prevent the interface from being able to translate, use the no form of this command.

ip nat {inside | outside}
no ip nat {inside | outside}

Syntax Description

inside

Indicates that the interface is connected to the inside network (the network whose addresses are subject to translation).

outside

Indicates the interface is connected to the outside network.


Default

Traffic leaving or arriving at this interface is not subject to network address translation.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Only packets moving between an "inside" and an "outside" interface are translated. You must specify at least one inside interface and one outside interface on each border router where you intend to use NAT.

Example

The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 networks to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

Related Commands

clear ip nat translation
ip nat inside destination
ip nat inside source
ip nat outside source
ip nat pool
ip nat translation
show ip nat statistics
show ip nat translations

ip nat inside destination

To enable Network Address Translation (NAT) of the inside destination address, use the ip nat inside destination global configuration command. To remove the dynamic association to a pool, use the no form of this command.

ip nat inside destination list {access-list-number | name} pool name
no ip nat inside destination list {access-list-number | name}

Syntax Description

list access-list-number

Standard IP access list number. Packets whose destination address passes the access list have that destination replaced by an address allocated from the named pool.

list name

Name of a standard IP access list. Packets whose destination address passes the access list have that destination replaced by an address allocated from the named pool.

pool name

Name of the pool from which addresses are allocated during dynamic translation; for TCP load distribution this is a pool of real inside host addresses defined with type rotary.


Default

No inside destination addresses are translated.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command establishes dynamic translation of the destination address of packets arriving from the outside: when the destination matches the standard access list, it is replaced by an address allocated from the pool named with the ip nat pool command. Its usual application is TCP load distribution with a pool defined with type rotary. The access list matches a single virtual address, and successive TCP connections to that address are handed in turn to the real inside hosts listed in the rotary pool.

There is no static form of this command; a fixed mapping for a single inside host is configured with ip nat inside source static.

Examples

The following example distributes TCP connections addressed to the virtual global address 171.69.233.209 across the real inside hosts 192.168.1.2 through 192.168.1.15. The rotary pool names the real hosts, and access list 1 matches the virtual destination address:

ip nat pool real-hosts 192.168.1.2 192.168.1.15 prefix-length 24 type rotary
ip nat inside destination list 1 pool real-hosts
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 171.69.233.209

Related Commands

clear ip nat translation
ip nat
ip nat inside source
ip nat outside source
ip nat pool
ip nat translation
show ip nat statistics
show ip nat translations

ip nat inside source

To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source global configuration command. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.

ip nat inside source {list {access-list-number | name} pool name [overload] | static local-ip global-ip}
no ip nat inside source {list {access-list-number | name} pool name [overload] | static local-ip global-ip}

Syntax Description

list access-list-number

Standard IP access list number. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

list name

Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

pool name

Name of the pool from which global IP addresses are allocated dynamically.

overload

(Optional) Enables the router to use one global address for many local addresses. When overloading is configured, each inside host's TCP or UDP port number distinguishes between the multiple conversations using the same local IP address.

static local-ip

Sets up a single static translation; this argument establishes the local IP address assigned to a host on the inside network. The address may have been chosen arbitrarily, allocated from RFC 1918 private space, or be an address that is no longer valid on the Internet.

global-ip

Sets up a single static translation; this argument establishes the globally unique IP address of an inside host as it appears to the outside world.


Default

No NAT translation of inside source addresses occurs.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Alternatively, the syntax form with the keyword static establishes a single static translation.

Example

The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 networks to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
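The example above hands each active inside host its own address from a 16-address pool, so the seventeenth concurrently active host gets no translation (its packets are dropped) until an existing entry ages out, which with the default timeout takes 24 hours. The configuration below, added here as an example rather than taken from the original page, uses the overload keyword so that every inside host shares one global address, distinguished by TCP or UDP port, and adds a static translation for a server that must be reachable from outside at a fixed address. It reuses the interface addresses and inside networks of the examples above; the pool name, the server's inside address 192.168.1.10 and the global addresses 171.69.233.209 and 171.69.233.210 are assumptions:

```cisco
! Added example; not from the original page. Pool name, server address
! 192.168.1.10 and the two global addresses are assumptions.
!
! One global address shared by all inside hosts through port translation.
ip nat pool net-pat 171.69.233.209 171.69.233.209 prefix-length 28
ip nat inside source list 1 pool net-pat overload
!
! A server that must be reachable from outside at a fixed global address.
ip nat inside source static 192.168.1.10 171.69.233.210
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
! Keep the dynamic rule from ever covering the statically mapped server,
! then permit the inside networks that may share the overloaded address.
access-list 1 deny 192.168.1.10 0.0.0.0
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
```

Verify with show ip nat translations, where overloaded entries list the protocol and port of each conversation, and with show ip nat statistics, whose per-pool misses counter records allocations that failed because the pool was exhausted. The static entry makes 192.168.1.10 reachable from any outside host on every port; it does not filter traffic, so pair it with an access list on the outside interface that permits only the services the server is meant to expose at 171.69.233.210.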

Related Commands

clear ip nat translation
ip nat
ip nat inside destination
ip nat outside source
ip nat pool
ip nat translation
show ip nat statistics
show ip nat translations

ip nat outside source

To enable Network Address Translation (NAT) of the outside source address, use the ip nat outside source global configuration command. To remove the static entry or the dynamic association, use the no form of this command.

ip nat outside source {list {access-list-number | name} pool name | static global-ip local-ip}
no ip nat outside source {list {access-list-number | name} pool name | static global-ip local-ip}

Syntax Description

list access-list-number

Standard IP access list number. Packets with source addresses that pass the access list are translated using global addresses from the named pool.

list name

Name of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool.

pool name

Name of the pool from which global IP addresses are allocated.

static global-ip

Sets up a single static translation. This argument establishes the globally unique IP address assigned to a host on the outside network by its owner. It was allocated from globally routable network space.

local-ip

Sets up a single static translation. This argument establishes the local IP address of an outside host as it appears to the inside world. The address was allocated from address space routable on the inside (RFC 1918, perhaps).


Default

No translation of source addresses coming from the outside to the inside network occurs.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

Your inside network may use addresses that were not officially assigned to you, for example addresses that legitimately belong to another organization. When the same address is in legitimate use outside and in unofficial use inside, the addresses are said to overlap. NAT can translate such overlapping addresses in both directions. Use this feature when addresses in your stub network happen to be legitimate addresses belonging to another network and you need to communicate with the real hosts or routers of that network.

This command has two forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Alternatively, the syntax form with the keyword static establishes a single static translation.

Example

The following example translates inside hosts addressed from the 9.114.11.0 network to the globally unique 171.69.233.208/28 network. Further, packets from outside hosts that really are on the 9.114.11.0 network are translated so that, to inside hosts, they appear to come from the network 10.0.1.0/24. For this to work, traffic from the inside for 10.0.1.0/24 must be routed to the NAT router's outside interface, where the router translates the destination back to the real outside address.

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28 
ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
ip nat inside source list 1 pool net-208
ip nat outside source list 1 pool net-10
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 9.114.11.39 255.255.255.0
ip nat inside
!
access-list 1 permit 9.114.11.0 0.0.0.255

Related Commands

clear ip nat translation
ip nat
ip nat inside destination
ip nat inside source
ip nat pool
ip nat translation
show ip nat statistics
show ip nat translations

ip nat pool

To define a pool of IP addresses for Network Address Translation (NAT), use the ip nat pool global configuration command. To remove one or more addresses from the pool, use the no form of this command.

ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]
no ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]

Syntax Description

name

Name of the pool.

start-ip

Starting IP address that defines the range of addresses in the address pool.

end-ip

Ending IP address that defines the range of addresses in the address pool.

netmask netmask

Network mask that indicates which address bits belong to the network and subnetwork fields and which bits belong to the host field. Specify the netmask of the network to which the pool addresses belong.

prefix-length prefix-length

Number that indicates how many bits of the netmask are ones (how many bits of the address indicate network). Specify the netmask of the network to which the pool addresses belong.

type rotary

(Optional) Indicates that the range of addresses in the pool identifies real inside hosts among which TCP connections will be distributed (TCP load distribution, used with the ip nat inside destination command).


Default

No pool of addresses is defined.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

This command defines a pool of addresses using start address, end address, and either netmask or prefix length. The pool could define either an inside global pool, an outside local pool, or a rotary pool.

Example

The following example translates between inside hosts addressed from either the 192.168.1.0 or 192.168.2.0 networks to the globally unique 171.69.233.208/28 network:

ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255

Related Commands

clear ip nat translation
ip nat
ip nat inside destination
ip nat inside source
ip nat outside source
ip nat translation
show ip nat statistics
show ip nat translations

ip nat translation

To change the amount of time after which Network Address Translation (NAT) translations time out, use the ip nat translation global configuration command. To disable the timeout, use the no form of this command.

ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout} seconds
no ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout}

Syntax Description

timeout

Specifies that the timeout value applies to dynamic translations except for overload translations. Default is 86400 seconds (24 hours).

udp-timeout

Specifies that the timeout value applies to the UDP port. Default is 300 seconds (5 minutes).

dns-timeout

Specifies that the timeout value applies to connections to the Domain Name System (DNS). Default is 60 seconds.

tcp-timeout

Specifies that the timeout value applies to the TCP port. Default is 86400 seconds (24 hours).

finrst-timeout

Specifies that the timeout value applies to Finish and Reset TCP packets, which terminate a connection. Default is 60 seconds.

seconds

Number of seconds after which the specified port translation times out. Default values are listed in the Default section.


Defaults

timeout is 86400 seconds (24 hours)
udp-timeout is 300 seconds (5 minutes)
dns-timeout is 60 seconds (1 minute)
tcp-timeout is 86400 seconds (24 hours)
finrst-timeout is 60 seconds (1 minute)

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.2.

When port translation (overload) is configured, translation entries can be timed out more precisely because each entry records the transport protocol and ports of the traffic using it. UDP translations other than DNS time out after 5 minutes, and DNS translations after 1 minute. TCP translations time out after 24 hours unless a RST or FIN is seen on the stream, in which case they time out after 1 minute. Lowering these values frees global addresses and ports sooner when the pool is small; raising them keeps long-lived idle sessions from losing their mapping. Entries can also be removed immediately with the clear ip nat translation command.

Example

The following example causes UDP port translation entries to timeout after 10 minutes:

ip nat translation udp-timeout 600

Related Commands

clear ip nat translation
ip nat
ip nat inside destination
ip nat inside source
ip nat outside source
ip nat pool
show ip nat statistics
show ip nat translations

ip netmask-format

To specify the format in which netmasks are displayed in show command output, use the ip netmask-format line configuration command. To restore the default display format, use the no form of this command.

ip netmask-format {bitcount | decimal | hexadecimal}
no ip netmask-format [bitcount | decimal | hexadecimal]

Syntax Description

bitcount

Addresses are followed by a slash and the total number of bits in the netmask. For example, 131.108.11.0/24 indicates that the netmask is 24 bits.

decimal

Network masks are displayed in dotted decimal notation (for example, 255.255.255.0).

hexadecimal

Network masks are displayed in hexadecimal format, as indicated by the leading 0X (for example, 0XFFFFFF00).


Default

Netmasks are displayed in dotted decimal format.

Command Mode

Line configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

IP uses a 32-bit mask that indicates which address bits belong to the network and subnetwork fields, and which bits belong to the host field. This is called a netmask. By default, show commands display an IP address and then its netmask in dotted decimal notation. For example, a subnet would be displayed as 131.108.11.0 255.255.255.0.

However, you can specify that the display of the network mask appear in hexadecimal format or bit count format instead. The hexadecimal format is commonly used on UNIX systems. The previous example would be displayed as 131.108.11.0 0XFFFFFF00.

The bitcount format for displaying network masks is to append a slash (/) and the total number of bits in the netmask to the address itself. The previous example would be displayed as 131.108.11.0/24.

Example

The following example configures network masks for the specified line to be displayed in bitcount notation in the output of show commands:

line vty 0 4
ip netmask-format bitcount

ip nhrp authentication

To configure the authentication string for an interface using Next Hop Resolution Protocol (NHRP), use the ip nhrp authentication interface configuration command. To remove the authentication string, use the no form of this command.

ip nhrp authentication string
no ip nhrp authentication [string]

Syntax Description

string

Authentication string configured for the source and destination stations that controls whether NHRP stations allow intercommunication. The string can be up to 8 characters long.


Default

No authentication string is configured; the Cisco IOS software adds no authentication option to NHRP packets it generates.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

All routers configured with NHRP within one logical NBMA network must share the same authentication string. The string is carried in the clear in the NHRP authentication extension, so it protects only against accidental cross-talk between NBMA networks that share a medium, not against an attacker who can observe or inject NHRP packets. Do not reuse a password or other secret as the string.

Example

In the following example, the authentication string specialxx must be configured on every device using NHRP on the tunnel 0 interface before NHRP communication occurs:

interface tunnel 0
ip nhrp authentication specialxx

ip nhrp holdtime

To change the number of seconds that NHRP nonbroadcast, multiaccess (NBMA) addresses are advertised as valid in authoritative NHRP responses, use the ip nhrp holdtime interface configuration command. To restore the default value, use the no form of this command.

ip nhrp holdtime seconds-positive [seconds-negative]
no ip nhrp holdtime [seconds-positive [seconds-negative]]

Syntax Description

seconds-positive

Time in seconds that NBMA addresses are advertised as valid in positive authoritative NHRP responses.

seconds-negative

(Optional) Time in seconds that NBMA addresses are advertised as valid in negative authoritative NHRP responses.


Default

7200 seconds (2 hours) for both arguments

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

The ip nhrp holdtime command affects authoritative responses only. The advertised holding time is the length of time the Cisco IOS software tells other routers to keep information that it is providing in authoritative NHRP responses. The cached IP-to-NBMA address mapping entries are discarded after the holding time expires.

The NHRP cache can contain static and dynamic entries. The static entries never expire. Dynamic entries expire regardless of whether they are authoritative or nonauthoritative.

If you want to change the valid time period for negative NHRP responses, you must also include a value for positive NHRP responses, as the arguments are position-dependent.

Examples

In the following example, NHRP NBMA addresses are advertised as valid in positive authoritative NHRP responses for one hour:

ip nhrp holdtime 3600

In the following example, NHRP NBMA addresses are advertised as valid in negative authoritative NHRP responses for one hour and in positive authoritative NHRP responses for two hours:

ip nhrp holdtime 7200 3600

ip nhrp interest

To control which IP packets can trigger sending a Next Hop Resolution Protocol (NHRP) Request, use the ip nhrp interest interface configuration command. To restore the default value, use the no form of this command.

ip nhrp interest access-list-number
no ip nhrp interest [access-list-number]

Syntax Description

access-list-number

Standard or extended IP access list number in the range 1 to 199.


Default

All non-NHRP packets can trigger NHRP requests.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

Use this command with the access-list command to control which IP packets trigger NHRP Requests.

The ip nhrp interest command controls which packets cause NHRP address resolution to take place; the ip nhrp use command controls how readily the system attempts such address resolution.

Example

In the following example, any TCP traffic can cause NHRP Requests to be sent, but no other IP packets will cause NHRP Requests:

ip nhrp interest 101
access-list 101 permit tcp any any

Related Commands

access-list (extended)
access-list (standard)
ip nhrp use

ip nhrp map

To statically configure the IP-to-NBMA address mapping of IP destinations connected to a nonbroadcast, multiaccess (NBMA) network, use the ip nhrp map interface configuration command. To remove the static entry from NHRP cache, use the no form of this command.

ip nhrp map ip-address nbma-address
no ip nhrp map ip-address nbma-address

Syntax Description

ip-address

IP address of the destinations reachable through the NBMA network. This address is mapped to the NBMA address.

nbma-address

NBMA address that is directly reachable through the NBMA network. The address format varies depending on the medium you are using. For example, ATM has an NSAP address, Ethernet has a MAC address, and SMDS has an E.164 address. This address is mapped to the IP address.


Default

No static IP-to-NBMA cache entries exist.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

You will probably have to configure at least one static mapping in order to reach the Next Hop Server. Repeat this command to statically configure multiple IP-to-NBMA address mappings.

Example

In the following example, this station in a multipoint tunnel network is statically configured to be served by two Next Hop Servers 100.0.0.1 and 100.0.1.3. The NBMA address for 100.0.0.1 is statically configured to be 11.0.0.1 and the NBMA address for 100.0.1.3 is 12.2.7.8.

interface tunnel 0
ip nhrp nhs 100.0.0.1
ip nhrp nhs 100.0.1.3
ip nhrp map 100.0.0.1 11.0.0.1
ip nhrp map 100.0.1.3 12.2.7.8

Related Command

clear ip nhrp

ip nhrp map multicast

To configure NBMA addresses used as destinations for broadcast or multicast packets to be sent over a tunnel network, use the ip nhrp map multicast interface configuration command. To remove the destinations, use the no form of this command.

ip nhrp map multicast nbma-address
no ip nhrp map multicast nbma-address

Syntax Description

nbma-address

Nonbroadcast, multiaccess (NBMA) address which is directly reachable through the NBMA network. The address format varies depending on the medium you are using.


Default

No NBMA addresses are configured as destinations for broadcast or multicast packets.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3, and applies only to tunnel interfaces.

The command is useful for supporting broadcasts over a tunnel network when the underlying network does not support IP multicast. If the underlying network does support IP multicast, you should use the tunnel destination command to configure a multicast destination for transmission of tunnel broadcasts or multicasts.

When multiple NBMA addresses are configured, the system replicates the broadcast packet for each address.

Example

In the following example, if a packet is sent to 10.255.255.255, it is replicated to destinations 11.0.0.1 and 11.0.0.2. Addresses 11.0.0.1 and 11.0.0.2 are the IP addresses of two other routers that are part of the tunnel network, but those addresses are their addresses in the underlying network, not the tunnel network. They would have tunnel addresses that are in network 10.0.0.0.

interface tunnel 0
ip address 10.0.0.3 255.0.0.0
ip nhrp map multicast 11.0.0.1
ip nhrp map multicast 11.0.0.2

ip nhrp max-send

To change the maximum frequency at which NHRP packets can be sent, use the ip nhrp max-send interface configuration command. To restore this frequency to the default value, use the no form of this command.

ip nhrp max-send pkt-count every interval
no ip nhrp max-send

Syntax Description

pkt-count

Number of packets which can be transmitted in the range from 1 to 65535. Default is 5 packets.

interval

Time (in seconds) in the range from 10 to 65535. Default is 10 seconds.


Defaults

pkt-count = 5 packets
interval = 10 seconds

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

The software maintains a per-interface quota of NHRP packets that can be transmitted. NHRP traffic, whether locally generated or forwarded, cannot be sent at a rate that exceeds this quota. The quota is replenished at the rate specified by interval.

Example

In the following example, only 1 NHRP packet can be sent from serial interface 0 each minute:

interface serial 0 
ip nhrp max-send 1 every 60

Related Commands

ip nhrp interest
ip nhrp use

ip nhrp network-id

To enable the Next Hop Resolution Protocol (NHRP) on an interface, use the ip nhrp network-id interface configuration command. To disable NHRP on the interface, use the no form of this command.

ip nhrp network-id number
no ip nhrp network-id [number]

Syntax Description

number

Globally unique, 32-bit network identifier for a nonbroadcast, multiaccess (NBMA) network. The range is 1 to 4294967295.


Default

NHRP is disabled on the interface.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

In general, all NHRP stations within one logical NBMA network must be configured with the same network identifier.

Example

The following example enables NHRP on the interface:

ip nhrp network-id 1

ip nhrp nhs

To specify the address of one or more NHRP Next Hop Servers, use the ip nhrp nhs interface configuration command. To remove the address, use the no form of this command.

ip nhrp nhs nhs-address [net-address [netmask]]
no ip nhrp nhs nhs-address [net-address [netmask]]

Syntax Description

nhs-address

Address of the Next Hop Server being specified.

net-address

(Optional) IP address of a network served by the Next Hop Server.

netmask

(Optional) IP network mask to be associated with the net IP address. The net IP address is logically ANDed with the mask.


Default

No Next Hop Servers are explicitly configured, so normal network layer routing decisions are used to forward NHRP traffic.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

Use this command to specify the address of a Next Hop Server and the networks it serves. Normally, NHRP consults the network layer forwarding table to determine how to forward NHRP packets. When Next Hop Servers are configured, these next hop addresses override the forwarding path that would otherwise be used for NHRP traffic.

For any Next Hop Server that is configured, you can specify multiple networks that it serves by repeating this command with the same nhs-address, but with different net-address IP network addresses.

Example

In the following example, the Next Hop Server with address 131.108.10.11 serves IP network 10.0.0.0. The mask is 255.0.0.0.

ip nhrp nhs 131.108.10.11 10.0.0.0 255.0.0.0

ip nhrp record

To re-enable the use of forward record and reverse record options in NHRP Request and Reply packets, use the ip nhrp record interface configuration command. To suppress the use of such options, use the no form of this command.

ip nhrp record
no ip nhrp record

Syntax Description

This command has no arguments or keywords.

Default

Forward record and reverse record options are used in NHRP Request and Reply packets.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

Forward record and reverse record options provide loop detection and are enabled by default. Using the no form of this command disables this method of loop detection. For another method of loop detection, see the ip nhrp responder command.

Example

The following example suppresses forward record and reverse record options:

no ip nhrp record

Related Command

ip nhrp responder

ip nhrp responder

To designate which interface's primary IP address the Next Hop Server will use in NHRP Reply packets when the NHRP requestor uses the Responder Address option, use the ip nhrp responder interface configuration command. To remove the designation, use the no form of this command.

ip nhrp responder type number
no ip nhrp responder [type] [number]

Syntax Description

type

Interface type whose primary IP address is used when a Next Hop Server complies with a Responder Address option (for example, serial, tunnel).

number

Interface number whose primary IP address is used when a Next Hop Server complies with a Responder Address option.


Default

The Next Hop Server uses the IP address of the interface where the NHRP Request was received.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

If an NHRP requestor wants to know which Next Hop Server generates an NHRP Reply packet, it can request that information through the Responder Address option. The Next Hop Server that generates the NHRP Reply packet then complies by inserting its own IP address in the Responder Address option of the NHRP Reply. The Next Hop Server uses the primary IP address of the specified interface.

If an NHRP Reply packet being forwarded by a Next Hop Server contains that Next Hop Server's own IP address, the Next Hop Server generates an Error Indication of type "NHRP Loop Detected" and discards the Reply.

Example

In the following example, any NHRP requests for the Responder Address will cause this router acting as a Next Hop Server to supply the primary IP address of serial interface 0 in the NHRP Reply packet:

ip nhrp responder serial 0

ip nhrp use

To configure the software so that NHRP is deferred until the system has attempted to send data traffic to a particular destination multiple times, use the ip nhrp use interface configuration command. To restore the default value, use the no form of this command.

ip nhrp use usage-count
no ip nhrp use usage-count

Syntax Description

usage-count

Packet count in the range from 1 to 65535. Default is 1.


Default

usage-count = 1. The first time a data packet is sent to a destination for which the system determines NHRP can be used, an NHRP request is sent.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.1.

When the software attempts to transmit a data packet to a destination for which it has determined that NHRP address resolution can be used, an NHRP request for that destination is normally transmitted right away. Configuring the usage-count causes the system to wait until that many data packets have been sent to a particular destination before it attempts NHRP. The usage-count for a particular destination is measured over 1-minute intervals (the NHRP cache expiration interval).

The usage-count applies per destination. So if usage-count is configured to be 3, and 4 data packets are sent toward 10.0.0.1 and 1 packet toward 10.0.0.2, then an NHRP request is generated for 10.0.0.1 only.

If the system continues to need to forward data packets to a particular destination but no NHRP response has been received, NHRP requests are retransmitted. This retransmission occurs only if data traffic continues to be sent to that destination.

The ip nhrp interest command controls which packets cause NHRP address resolution to take place; the ip nhrp use command controls how readily the system attempts such address resolution.

Example

In the following example, if in the first minute 4 packets are sent to one destination and 5 packets are sent to a second destination, then a single NHRP request is generated for the second destination.

If in the second minute the same traffic is generated and no NHRP responses have been received, then the system retransmits its request for the second destination.

ip nhrp use 5

Related Commands

ip nhrp interest
ip nhrp max-send
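
The following Python model, added here and not part of the Cisco IOS documentation or software, shows how the three knobs described above decide whether a data packet triggers an NHRP request: the interest list (modelled as a predicate standing in for the access list), the per-destination usage-count measured over 1-minute intervals, and the per-interface max-send quota. It is a simplification in one respect, noted in the code: the quota is refilled in full at each interval boundary. The scenario functions reproduce the cases given in the ip nhrp use guidelines and example; packet addresses and protocol numbers are constructed.

```python
"""How a data packet does or does not trigger an NHRP Resolution Request,
modelled on three interface commands: 'ip nhrp interest' (which packets
count), 'ip nhrp use' (packets per destination per 1-minute interval before
resolving) and 'ip nhrp max-send' (per-interface quota of NHRP packets per
interval). Added example; not Cisco IOS code, and a simplification: the
quota is refilled in full at each interval boundary."""

from collections import namedtuple

Packet = namedtuple("Packet", "dst proto")   # constructed data packet
TCP, UDP = 6, 17                             # IP protocol numbers


class NhrpInterface:
    def __init__(self, interest=None, usage_count=1, max_send=5, every=10):
        # ip nhrp interest: predicate standing in for the access list;
        # with no interest list configured every IP packet qualifies.
        self.interest = interest or (lambda pkt: True)
        self.usage_count = usage_count      # ip nhrp use usage-count
        self.max_send = max_send            # ip nhrp max-send pkt-count ...
        self.every = every                  # ... every interval (seconds)
        self.per_dst = {}                   # data packets per destination this minute
        self.resolved = set()               # destinations already in the NHRP cache
        self.minute = 0
        self.window = 0
        self.quota = max_send
        self.requests = []                  # (time, dst) of requests actually sent
        self.suppressed = []                # (time, dst) held back by the quota

    def _advance(self, now):
        """Roll the clock: usage counts restart every minute (the cache
        expiration interval); the send quota is refilled every interval."""
        if now // 60 != self.minute:
            self.minute = now // 60
            self.per_dst.clear()
        if now // self.every != self.window:
            self.window = now // self.every
            self.quota = self.max_send

    def send_data(self, pkt, now):
        """Forward a data packet at time 'now' (seconds); return True if it
        caused an NHRP request to be sent."""
        self._advance(now)
        if pkt.dst in self.resolved or not self.interest(pkt):
            return False
        count = self.per_dst.get(pkt.dst, 0) + 1
        self.per_dst[pkt.dst] = count
        # Exactly the usage-count-th packet of the minute triggers a request.
        # While the destination stays unresolved, next minute's traffic
        # triggers again: the retransmission the guidelines describe.
        if count != self.usage_count:
            return False
        if self.quota == 0:
            self.suppressed.append((now, pkt.dst))
            return False
        self.quota -= 1
        self.requests.append((now, pkt.dst))
        return True

    def receive_reply(self, dst):
        """An NHRP Reply populates the cache; no further requests for dst."""
        self.resolved.add(dst)


def scenario_usage_count():
    """Guidelines case: usage-count 3, 4 packets to .1 and 1 packet to .2."""
    nhrp = NhrpInterface(usage_count=3)
    for _ in range(4):
        nhrp.send_data(Packet("10.0.0.1", TCP), now=5)
    nhrp.send_data(Packet("10.0.0.2", TCP), now=6)
    return [dst for _, dst in nhrp.requests]


def scenario_retransmit():
    """Example case: use 5, 4 packets to one destination and 5 to a second,
    the same traffic again in the second minute, no reply received."""
    nhrp = NhrpInterface(usage_count=5)
    for minute in (0, 1):
        base = minute * 60
        for i in range(4):
            nhrp.send_data(Packet("10.0.0.1", TCP), base + i)
        for i in range(5):
            nhrp.send_data(Packet("10.0.0.2", TCP), base + 10 + i)
    return nhrp.requests


def scenario_interest_and_max_send():
    """Interest list permitting TCP only, max-send 1 every 60."""
    nhrp = NhrpInterface(interest=lambda p: p.proto == TCP, max_send=1, every=60)
    nhrp.send_data(Packet("10.0.0.5", UDP), 0)    # not of interest: no request
    nhrp.send_data(Packet("10.0.0.6", TCP), 1)    # sent; quota now exhausted
    nhrp.send_data(Packet("10.0.0.7", TCP), 2)    # suppressed by the quota
    nhrp.send_data(Packet("10.0.0.7", TCP), 61)   # new minute and interval: sent
    nhrp.receive_reply("10.0.0.7")
    again = nhrp.send_data(Packet("10.0.0.7", TCP), 130)   # resolved: no request
    return ([d for _, d in nhrp.requests], [d for _, d in nhrp.suppressed], again)
```

The max-send quota is the part worth watching operationally: a burst of data to many unresolved destinations on a tightly limited interface is silently held back, so a low pkt-count combined with a large interval can look like NHRP resolution failing when it is only being rate limited.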

ip probe proxy

To enable the HP Probe Proxy support, which allows the Cisco IOS software to respond to HP Probe Proxy Name requests, use the ip probe proxy interface configuration command. To disable HP Probe Proxy, use the no form of this command.

ip probe proxy
no ip probe proxy

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

HP Probe Proxy Name requests are typically used at sites that have HP equipment and are already using HP Probe.

To use the HP Proxy service, you must first enter the host name of the HP host into the host table using the ip hp-host global configuration command.

Example

The following example specifies an HP host's name and address, and then enables Probe Proxy:

ip hp-host BCWjo 131.108.1.27 
interface ethernet 0
ip probe proxy

Related Command

ip hp-host

ip proxy-arp

To enable proxy ARP on an interface, use the ip proxy-arp interface configuration command. To disable proxy ARP on the interface, use the no form of this command.

ip proxy-arp
no ip proxy-arp

Syntax Description

This command has no arguments or keywords.

Default

Enabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Example

The following example enables proxy ARP on Ethernet interface 0:

interface ethernet 0
ip proxy-arp

ip redirects

To enable the sending of redirect messages if the Cisco IOS software is forced to resend a packet through the same interface on which it was received, use the ip redirects interface configuration command. To disable the sending of redirect messages, use the no form of this command.

ip redirects
no ip redirects

Syntax Description

This command has no arguments or keywords.

Default

Enabled, unless Hot Standby Router Protocol is configured

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

If the Hot Standby Router Protocol is configured on an interface, ICMP Redirect messages are disabled by default for the interface.

Example

The following example enables the sending of IP redirects on Ethernet interface 0:

interface ethernet 0
ip redirects

Related Command

show ip redirects

ip route-cache

To control the use of high-speed switching caches for IP routing, as well as the use of autonomous switching, use the ip route-cache interface configuration command. To disable any of these switching modes, use the no form of this command.

ip route-cache [cbus]
no ip route-cache [cbus]

ip route-cache same-interface
no ip route-cache same-interface

ip route-cache sse
no ip route-cache sse

ip route-cache [optimum | flow]
no ip route-cache [optimum | flow]

ip route-cache distributed
no ip route-cache distributed

Syntax Description

cbus

(Optional) Enables both autonomous switching and fast switching.

same-interface

Enables fast-switching packets back out the interface on which they arrived.

sse

Enables SSE switching on the SSP board on the Cisco 7000 series routers.

optimum

(Optional) Enables optimum fast switching on the Cisco 7500 series route switch processor (RSP). This feature is enabled by default for IP on all supported interfaces (Ethernet, FDDI, and serial). For serial interfaces, it is supported for HDLC encapsulation only.

flow

(Optional) Enables the RSP to perform flow switching on the interface.

distributed

Enables VIP distributed switching on the interface. This feature can be enabled on Cisco RSP7000 and Cisco 7500 series routers with an RSP and with Versatile Interface Processor (VIP) controllers. If both ip route-cache flow and ip route-cache distributed are configured, the VIP does distributed flow switching. If only ip route-cache distributed is configured, the VIP does distributed optimum switching.


Defaults

IP autonomous switching is disabled.
Fast switching varies by interface and media.
SSE switching of IP is disabled.
Optimum switching is enabled on supported interfaces.
Distributed switching is disabled.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0. The optimum keyword first appeared in Cisco IOS Release 11.1. The distributed keyword first appeared in Cisco IOS Release 11.2.

Using the route cache is often called fast switching. The route cache allows outgoing packets to be load-balanced on a per-destination basis.

The ip route-cache command with no additional keywords enables fast switching and disables autonomous switching.

Our routers generally offer better packet transfer performance when fast switching is enabled, with one exception. On networks using slow serial links (64 K and below), disabling fast switching to enable the per-packet load sharing is usually the best choice.

Autonomous switching gives a router faster packet processing by allowing the ciscoBus to switch packets independently without interrupting the system processor. It works only in Cisco 7000 series systems with a switch processor controller card running microcode Version 1.4 or later.

You can enable IP fast switching when the input and output interfaces are the same interface, using the ip route-cache same-interface command. This normally is not recommended, though it is useful when you have partially meshed media, such as Frame Relay. You could use this feature on other interfaces, although it is not recommended because it would interfere with redirection.

SSE switching gives a router even faster packet processing than is provided by the other ip route-cache commands by allowing the SSE to switch packets without interrupting the system processor. SSE switching is supported only in Cisco 7000 systems with an SSP board. Fast switching must be enabled before SSE switching can be enabled.

Flow switching is faster than the default optimum fast-switching on Cisco 7507 and 7513 platforms when IP accounting or extended access lists are used. When the RSP is flow switching, it uses a flow cache instead of a destination network cache to switch IP packets. The flow cache uses source and destination network address, protocol, and source and destination port numbers to distinguish entries.

The flow caching option can also be used to allow statistics to be gathered with a finer granularity. The statistics include IP subprotocols, well-known ports, total flows, average number of packets per flow, and average flow lifetime.

On Cisco RSP7000 and Cisco 7500 series routers with a route switch processor (RSP) and with Versatile Interface Processor (VIP) controllers, the VIP hardware can be configured to switch packets received by the VIP with no per-packet intervention on the part of the RSP. When VIP distributed switching is enabled, the input VIP interface tries to switch IP packets instead of forwarding them to the RSP for switching. Distributed switching helps decrease the demand on the RSP.

Not all switching methods are available on all platforms.

Examples

The following example enables both fast switching and autonomous switching:

ip route-cache cbus 

The following example disables both fast switching and autonomous switching:

no ip route-cache 

The following example turns off autonomous switching only:

no ip route-cache cbus 

The following example enables VIP distributed flow switching on the interface:

interface ethernet 0/5/0
 ip address 17.252.245.2 255.255.255.0
 ip route-cache distributed
 ip route-cache flow

The following example returns the system to its defaults (fast switching enabled; autonomous switching disabled):

ip route-cache

Related Commands

ip cache-invalidate-delay
show ip cache

ip routing

To enable IP routing, use the ip routing global configuration command. To disable IP routing, use the no form of this command.

ip routing
no ip routing

Syntax Description

This command has no arguments or keywords.

Default

Enabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

To bridge IP, the no ip routing command must be configured to disable IP routing. However, you need not specify no ip routing in conjunction with concurrent routing and bridging to bridge IP.

Example

The following example enables IP routing:

ip routing

ip security add

To add a basic security option to all outgoing packets, use the ip security add interface configuration command. To disable the adding of a basic security option to all outgoing packets, use the no form of this command.

ip security add
no ip security add

Syntax Description

This command has no arguments or keywords.

Default

Disabled, when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is enabled.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

If an outgoing packet does not have a security option present, this interface configuration command will add one as the first IP option. The security label added to the option field is the label that was computed for this packet when it first entered the router. Because this action is performed after all the security tests have been passed, this label will either be the same as or will fall within the range of the interface.

Example

The following example adds a basic security option to each packet leaving Ethernet interface 0:

interface ethernet 0
ip security add

Related Commands

ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip

ip security aeso

To attach Auxiliary Extended Security Options (AESOs) to an interface, use the ip security aeso interface configuration command. To disable AESO on an interface, use the no form of this command.

ip security aeso source compartment-bits
no ip security aeso source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This can be an integer from 0 to 255.

compartment-bits

Compartment bits in hexadecimal.


Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Compartment bits are specified only if this AESO is to be inserted in a packet. On every incoming packet at this level on this interface, these AESOs should be present.

Beyond being recognized, no further processing of AESO information is performed. AESO contents are not checked and are assumed to be valid if the source is listed in the configurable AESO table.

Configuring any per-interface extended IP security option (IPSO) information automatically enables ip security extended-allowed (disabled by default).

Example

In the following example, the extended security option source is defined as 5 and the compartment bits are set to 5:

interface ethernet 0
ip security aeso 5 5 

Related Commands

ip security eso-info
ip security eso-max
ip security eso-min
ip security extended-allowed

ip security dedicated

To set the level of classification and authority on the interface, use the ip security dedicated interface configuration command. To reset the interface to the default classification and authorities, use the no form of this command.

ip security dedicated level authority [authority...]
no ip security dedicated level authority [authority...]

Syntax Description

level

Degree of sensitivity of information. The level keywords are listed in Table 1.

authority

Organization that defines the set of security levels that will be used in a network. The authority keywords are listed in Table 2.


Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

All traffic entering the system on this interface must have a security option that exactly matches this label. Any traffic leaving via this interface will have this label attached to it.

The following definitions apply to the descriptions of the IP security options (IPSO) in this section:

level—The degree of sensitivity of information. For example, data marked TOPSECRET is more sensitive than data marked SECRET. The level keywords and their corresponding bit patterns are shown in Table 1.

Table 1 IPSO Level Keywords and Bit Patterns

Level Keyword     Bit Pattern
Reserved4         0000 0001
TopSecret         0011 1101
Secret            0101 1010
Confidential      1001 0110
Reserved3         0110 0110
Reserved2         1100 1100
Unclassified      1010 1011
Reserved1         1111 0001


authority—An organization that defines the set of security levels that will be used in a network. For example, the Genser authority consists of level names defined by the U.S. Defense Communications Agency (DCA). The authority keywords and their corresponding bit patterns are shown in Table 2.

Table 2 IPSO Authority Keywords and Bit Patterns

Authority Keyword     Bit Pattern
Genser                1000 0000
Siop-Esi              0100 0000
DIA                   0010 0000
NSA                   0001 0000
DOE                   0000 1000


label—A combination of a security level and an authority or authorities.

Example

The following example sets a confidential level with Genser authority:

ip security dedicated confidential Genser
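
The following Python example is added here and is not Cisco IOS code. It builds and parses the basic security option from the level and authority bit patterns in Tables 1 and 2, then applies the rule stated in the guidelines above: on a dedicated interface an incoming packet's label must exactly match the interface label or the packet is rejected. The byte layout is assumed to be that of RFC 1108 (option type 130, length, one classification octet, one protection-authority octet whose low-order bit signals a further octet); the option byte strings in the usage below are constructed.

```python
"""Encoder and parser for the IP basic security option, built from the
level and authority bit patterns in Tables 1 and 2, plus the exact-match
check that 'ip security dedicated' applies to incoming traffic.
Added example, not Cisco IOS code. Assumed byte layout (RFC 1108):
type 130, length, classification octet, protection-authority octet."""

IPSO_TYPE = 130

LEVELS = {                        # Table 1
    "reserved4": 0b00000001, "topsecret": 0b00111101,
    "secret": 0b01011010, "confidential": 0b10010110,
    "reserved3": 0b01100110, "reserved2": 0b11001100,
    "unclassified": 0b10101011, "reserved1": 0b11110001,
}
LEVEL_NAMES = {bits: name for name, bits in LEVELS.items()}

AUTHORITIES = {                   # Table 2
    "genser": 0b10000000, "siop-esi": 0b01000000, "dia": 0b00100000,
    "nsa": 0b00010000, "doe": 0b00001000,
}
CONTINUE = 0b00000001             # low-order bit: another authority octet follows


def encode_label(level, authorities):
    """Build the option bytes for a label, e.g. ('confidential', ['genser'])."""
    flags = 0
    for name in authorities:
        flags |= AUTHORITIES[name.lower()]
    body = bytes([LEVELS[level.lower()], flags])   # single authority octet
    return bytes([IPSO_TYPE, 2 + len(body)]) + body


def decode_label(option):
    """Parse option bytes into (level, frozenset of authorities). Malformed
    or unknown input raises ValueError: a receiver rejects, it never guesses."""
    if len(option) < 3 or option[0] != IPSO_TYPE or option[1] != len(option):
        raise ValueError("not a well-formed basic security option")
    if option[2] not in LEVEL_NAMES:
        raise ValueError("unknown classification level 0x%02x" % option[2])
    octet = option[3] if len(option) > 3 else 0
    if octet & CONTINUE or len(option) > 4:
        raise ValueError("only a single authority octet is handled here")
    found = frozenset(name for name, bit in AUTHORITIES.items() if octet & bit)
    return LEVEL_NAMES[option[2]], found


def dedicated_accepts(option, level, authorities):
    """'ip security dedicated level authority': incoming traffic must carry
    a label that exactly matches the interface label; otherwise reject."""
    wanted = (level.lower(), frozenset(a.lower() for a in authorities))
    try:
        return decode_label(option) == wanted
    except ValueError:
        return False


# Usage with constructed option bytes: an interface configured as
# 'ip security dedicated confidential Genser' accepts only that label.
CONF_GENSER = encode_label("confidential", ["genser"])      # b'\x82\x04\x96\x80'
accepted = dedicated_accepts(CONF_GENSER, "Confidential", ["Genser"])
rejected = dedicated_accepts(encode_label("secret", ["genser"]),
                             "Confidential", ["Genser"])
```

Note that a label with an extra authority (Genser plus NSA, flags 1001 0000) is also rejected on a dedicated interface, because the match is exact rather than a subset check; a range of acceptable labels is what ip security multilevel is for.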

Related Commands

ip security add
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip

ip security eso-info

To configure system-wide defaults for extended IP Security Option (IPSO) information, use the ip security eso-info global configuration command. To return to the default settings, use the no form of this command.

ip security eso-info source compartment-size default-bit
no ip security eso-info source compartment-size default-bit

Syntax Description

source

Hexadecimal or decimal value representing the extended IPSO source. This is an integer from 0 to 255.

compartment-size

Maximum number of bytes of compartment information allowed for a particular extended IPSO source. This is an integer from 1 to 16.

default-bit

Default bit value for any unsent compartment bits.


Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

This command configures Extended Security Option (ESO) information, including Auxiliary Extended Security Option (AESO). Transmitted compartment info is padded to the size specified by the compartment-size argument.

Example

In the following example, system-wide defaults for source, compartment size, and the default bit value are set:

ip security eso-info 100 5 1 

Related Commands

ip security eso-max
ip security eso-min

ip security eso-max

To specify the maximum sensitivity level for an interface, use the ip security eso-max interface configuration command. To return to the default, use the no form of this command.

ip security eso-max source compartment-bits
no ip security eso-max source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This is an integer from 1 to 255.

compartment-bits

Compartment bits in hexadecimal.


Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The command is used to specify the maximum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.

On every incoming packet on the interface, these extended security options should be present at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.

On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.

When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.

A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.

Example

In the following example, the specified ESO source is 240 and the compartment bits are specified as 500:

interface ethernet 0
ip security eso-max 240 500

Related Commands

ip security eso-info
ip security eso-min

ip security eso-min

To configure the minimum sensitivity for an interface, use the ip security eso-min interface configuration command. To return to the default, use the no form of this command.

ip security eso-min source compartment-bits
no ip security eso-min source compartment-bits

Syntax Description

source

Extended Security Option (ESO) source. This is an integer from 1 to 255.

compartment-bits

Compartment bits in hexadecimal.


Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The command is used to specify the minimum sensitivity level for a particular interface. Before the per-interface compartment information for a particular Network Level Extended Security Option (NLESO) source can be configured, the ip security eso-info global configuration command must be used to specify the default information.

On every incoming packet on this interface, these extended security options should be present at the minimum level and should match the configured compartment bits. Every outgoing packet must have these ESOs.

On every packet transmitted or received on this interface, any NLESO sources present in the IP header should be bounded by the minimum sensitivity level and bounded by the maximum sensitivity level configured for the interface.

When transmitting locally generated traffic out this interface, or adding security information (with the ip security add command), the maximum compartment bit information can be used to construct the NLESO sources placed in the IP header.

A maximum of 16 NLESO sources can be configured per interface. Due to IP header length restrictions, a maximum of 9 of these NLESO sources appear in the IP header of a packet.

Example

In the following example, the specified ESO source is 5 and the compartment bits are specified as 5:

interface ethernet 0
ip security eso-min 5 5

Related Commands

ip security eso-info
ip security eso-max

ip security extended-allowed

To accept packets on an interface that has an extended security option present, use the ip security extended-allowed interface configuration command. To restore the default, use the no form of this command.

ip security extended-allowed
no ip security extended-allowed

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

By default, packets containing extended security options are rejected; this command makes the interface accept them.

Example

The following example allows interface Ethernet 0 to accept packets that have an extended security option present:

interface ethernet 0
ip security extended-allowed

Related Commands

ip security add
ip security dedicated
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip

ip security first

To prioritize the presence of security options on a packet, use the ip security first interface configuration command. To disable this function, use the no form of this command.

ip security first
no ip security first

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

If a basic security option is present on an outgoing packet but it is not the first IP option, this interface configuration command moves the option to the front of the options field.

Example

The following example ensures that, if a basic security option is present in the options field of a packet exiting interface Ethernet 0, the option is moved to the front of the options field:

interface ethernet 0
ip security first
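
The following Python example is added here and is not Cisco IOS code. It models the two outgoing-packet actions described for ip security add (insert the label computed on ingress as the first IP option when no basic security option is present) and ip security first (move an existing basic security option to the front of the options field), working on the raw IP options field. The option byte strings are constructed samples: a record-route option and a basic security option carrying the Confidential level with Genser authority; the single-byte EOL and NOP option codes and the 32-bit padding rule are RFC 791's.

```python
"""Options-field handling modelled on 'ip security add' (insert the label
computed on ingress as the first IP option when none is present) and
'ip security first' (move an existing basic security option to the front).
Added example, not Cisco IOS code; the option bytes below are constructed."""

IPSO_TYPE = 130          # basic security option (RFC 1108)
EOL, NOP = 0, 1          # single-byte options (RFC 791)

# Constructed samples: a record-route option (type 7, length 7, pointer 4,
# one empty slot) and a basic security option: Confidential, Genser.
RECORD_ROUTE = bytes([7, 7, 4]) + bytes(4)
SEC_OPTION = bytes([IPSO_TYPE, 4, 0b10010110, 0b10000000])


def split_options(options):
    """Split an IP options field into individual options. EOL ends the
    field, NOPs are dropped, and a bad length raises ValueError so the
    caller discards the packet instead of guessing where the next option
    starts (the classic options-parsing failure mode)."""
    out, i = [], 0
    while i < len(options):
        kind = options[i]
        if kind == EOL:
            break
        if kind == NOP:
            i += 1
            continue
        if i + 1 >= len(options):
            raise ValueError("truncated option header")
        length = options[i + 1]
        if length < 2 or i + length > len(options):
            raise ValueError("bad option length %d" % length)
        out.append(options[i:i + length])
        i += length
    return out


def join_options(opts):
    """Reassemble the options and pad with EOL to a 32-bit boundary."""
    raw = b"".join(opts)
    return raw + bytes((-len(raw)) % 4)


def is_well_formed(options):
    """True if the options field parses; False if it would be discarded."""
    try:
        split_options(options)
        return True
    except ValueError:
        return False


def security_first(options):
    """ip security first: a basic security option that is present but not
    first is moved to the front; anything else is left untouched."""
    opts = split_options(options)
    for k, opt in enumerate(opts):
        if opt[0] == IPSO_TYPE:
            if k:
                opts.insert(0, opts.pop(k))
            break
    return join_options(opts)


def security_add(options, label_option):
    """ip security add: when no basic security option is present, the
    label computed on ingress is inserted as the first IP option."""
    opts = split_options(options)
    if not any(opt[0] == IPSO_TYPE for opt in opts):
        opts.insert(0, label_option)
    return join_options(opts)


# Usage: a packet carrying only a record-route option leaves with the
# security label in front; one that already carries the label is unchanged.
added = security_add(RECORD_ROUTE, SEC_OPTION)
reordered = security_first(RECORD_ROUTE + SEC_OPTION)
```

Both functions produce the same field for these inputs (security option, record-route option, one EOL pad byte), which is the point of the two commands: receivers that check only the first option see the label either way.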

Related Commands

ip security add
ip security dedicated
ip security extended-allowed
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip

ip security ignore-authorities

To have the Cisco IOS software ignore the authorities field of all incoming packets, use the ip security ignore-authorities interface configuration command. To disable this function, use the no form of this command.

ip security ignore-authorities
no ip security ignore-authorities

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

When the packet's authority field is ignored, the value used in place of this field is the authority value declared for the specified interface. The ip security ignore-authorities command can only be configured on interfaces with dedicated security levels.

Example

The following example causes interface Ethernet 0 to ignore the authorities field on all incoming packets:

interface ethernet 0
ip security ignore-authorities

Related Commands

ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed
ip security strip

ip security implicit-labelling

To force the Cisco IOS software to accept packets on the interface, even if they do not include a security option, use the ip security implicit-labelling interface configuration command. To disable this function, use the no form of this command.

ip security implicit-labelling [level authority [authority...]]
no ip security implicit-labelling [level authority [authority...]]

Syntax Description

level

(Optional) Degree of sensitivity of information. If your interface has multilevel security set, you must specify this argument. (See the level keywords listed in the ip security dedicated command section.)

authority

(Optional) Organization that defines the set of security levels that will be used in a network. If your interface has multilevel security set, you must specify this argument. You can specify more than one. (See the authority keywords listed in the ip security dedicated command section.)


Default

Enabled, when the security level of the interface is "Unclassified Genser" (or unconfigured). Otherwise, the default is disabled.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

If your interface has multilevel security set, you must use the expanded form of the command (with the optional arguments as noted in brackets) because the arguments are used to specify the precise level and authority to use when labeling the packet. If your interface has dedicated security set, the additional arguments are ignored.

Example

In the following example, an interface is set for security and will accept unlabeled packets:

ip security dedicated confidential genser
ip security implicit-labelling

Related Commands

ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security multilevel
ip security reserved-allowed
ip security strip

ip security multilevel

To set the range of classifications and authorities on an interface, use the ip security multilevel interface configuration command. To disable this function, use the no form of this command.

ip security multilevel level1 [authority1...] to level2 authority2 [authority2...]
no ip security multilevel

Syntax Description

level1

Degree of sensitivity of information. The classification level of incoming packets must be equal to or greater than this value for processing to occur. (See the level keywords found in the ip security dedicated command section.)

authority1

(Optional) Organization that defines the set of security levels that will be used in a network. The authority bits must be a superset of this value. (See the authority keywords listed in the ip security dedicated command section.)

to

Separates the range of classifications and authorities.

level2

Degree of sensitivity of information. The classification level of incoming packets must be equal to or less than this value for processing to occur. (See the level keywords found in the ip security dedicated command section.)

authority2

Organization that defines the set of security levels that will be used in a network. The authority bits must be a proper subset of this value. (See the authority keywords listed in the ip security dedicated command section.)


Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

All traffic entering or leaving the system must have a security option that falls within this range. Being within range requires that the following two conditions be met:

The classification level must be greater than or equal to level1 and less than or equal to level2.

The authority bits must be a superset of authority1 and a proper subset of authority2. That is, authority1 specifies those authority bits that are required on a packet, while authority2 specifies the required bits plus any optional authorities that also can be included. If the authority1 field is the empty set, then a packet is required to specify any one or more of the authority bits in authority2.

Example

The following example specifies levels Unclassified to Secret and NSA authority:

ip security multilevel unclassified to secret nsa

Related Commands

ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security reserved-allowed
ip security strip

ip security reserved-allowed

To treat as valid any packets that have Reserved1 through Reserved4 security levels, use the ip security reserved-allowed interface configuration command. To disable this feature, use the no form of this command.

ip security reserved-allowed
no ip security reserved-allowed

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3.

When you set multilevel security on an interface, and indicate, for example, that the highest range allowed is Confidential, and the lowest is Unclassified, the Cisco IOS software neither allows nor operates on packets that have security levels of Reserved3 and Reserved2 because they are undefined.

If you use the IP Security Option (IPSO) to block transmission out of unclassified interfaces, and you use one of the Reserved security levels, you must enable this feature to preserve network security.

Example

The following example allows a security level of Reserved through Ethernet interface 0:

interface ethernet 0
ip security reserved-allowed
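The "within range" test described in the ip security multilevel usage guidelines, together with the effect of ip security reserved-allowed on the undefined Reserved levels, as an added example; this is illustrative code, not Cisco IOS code. Assumptions: the classification ordering follows RFC 1108 as the reserved-allowed guidelines describe it (Reserved3 and Reserved2 sit between Unclassified and Confidential), the authority keywords are those of ip security dedicated, and "proper subset of authority2" is read as "no authority bit outside authority2".

```python
"""Added example, not Cisco IOS code: models the ip security multilevel range
check and the ip security reserved-allowed behaviour described on this page."""
from dataclasses import dataclass

# Lowest to highest classification (assumed RFC 1108 ordering). Reserved levels
# are undefined unless the interface has ip security reserved-allowed set.
LEVEL_ORDER = ["reserved1", "unclassified", "reserved2", "reserved3",
               "confidential", "secret", "topsecret", "reserved4"]
RESERVED_LEVELS = {lvl for lvl in LEVEL_ORDER if lvl.startswith("reserved")}
AUTHORITIES = {"genser", "siop-esi", "sci", "nsa", "doe"}  # assumed keyword set


@dataclass(frozen=True)
class MultilevelRange:
    level1: str            # lowest classification accepted
    authority1: frozenset  # authority bits every packet must carry
    level2: str            # highest classification accepted
    authority2: frozenset  # required bits plus the optional ones allowed
    reserved_allowed: bool = False


def parse_multilevel(command, reserved_allowed=False):
    """Parse 'ip security multilevel level1 [authority1...] to level2 authority2 [authority2...]'."""
    t = command.split()
    if t[:3] != ["ip", "security", "multilevel"] or "to" not in t:
        raise ValueError("not an ip security multilevel command")
    sep = t.index("to")
    low, high = t[3:sep], t[sep + 1:]
    if not low or len(high) < 2:
        raise ValueError("level1, level2 and at least one authority2 are required")
    for name in low[1:] + high[1:]:
        if name not in AUTHORITIES:
            raise ValueError(f"unknown authority {name}")
    return MultilevelRange(low[0], frozenset(low[1:]), high[0],
                           frozenset(high[1:]), reserved_allowed)


def in_range(rng, level, authorities):
    """Return (accepted, reason) for a packet label under the configured range."""
    level = level.lower()
    auth = frozenset(a.lower() for a in authorities)
    if level not in LEVEL_ORDER:
        return False, f"unknown level {level}"
    if level in RESERVED_LEVELS and not rng.reserved_allowed:
        return False, f"{level} is undefined unless ip security reserved-allowed is set"
    lo, hi = LEVEL_ORDER.index(rng.level1), LEVEL_ORDER.index(rng.level2)
    if not lo <= LEVEL_ORDER.index(level) <= hi:
        return False, f"classification {level} outside {rng.level1}..{rng.level2}"
    # authority bits must be a superset of authority1 ...
    if not rng.authority1 <= auth:
        return False, f"missing required authorities {sorted(rng.authority1 - auth)}"
    # ... and must not include anything outside authority2
    if not auth <= rng.authority2:
        return False, f"authorities not permitted {sorted(auth - rng.authority2)}"
    # empty authority1: the packet must still carry at least one bit from authority2
    if not rng.authority1 and not auth:
        return False, "packet must specify at least one authority from authority2"
    return True, "within range"


if __name__ == "__main__":
    cfg = parse_multilevel("ip security multilevel unclassified to secret nsa")
    for lvl, bits in [("confidential", {"nsa"}), ("confidential", set()),
                      ("topsecret", {"nsa"}), ("reserved3", {"nsa"})]:
        print(lvl, sorted(bits), in_range(cfg, lvl, bits))
```

The page's own example, ip security multilevel unclassified to secret nsa, has an empty authority1, so a Confidential packet with no authority bits is rejected even though it satisfies the subset test; a packet at Reserved3 is rejected by the same configuration until the interface also has ip security reserved-allowed.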

Related Commands

ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security strip

ip security strip

To remove any basic security option on outgoing packets on an interface, use the ip security strip interface configuration command. To disable this function, use the no form of this command.

ip security strip
no ip security strip

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The removal procedure is performed after all security tests in the router have been passed. This command is not allowed for multilevel interfaces.

Example

The following example removes any basic security options on outgoing packets on Ethernet interface 0:

interface ethernet 0
ip security strip

Related Commands

ip security add
ip security dedicated
ip security extended-allowed
ip security first
ip security ignore-authorities
ip security implicit-labelling
ip security multilevel
ip security reserved-allowed

ip source-route

To allow the Cisco IOS software to handle IP datagrams with source routing header options, use the ip source-route global configuration command. To have the software discard any IP datagram containing a source-route option, use the no form of this command.

ip source-route
no ip source-route

Syntax Description

This command has no arguments or keywords.

Default

Enabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Example

The following example enables the handling of IP datagrams with source routing header options:

ip source-route

Related Commands

ping (privileged)
ping (user)

ip subnet-zero

To enable the use of subnet zero for interface addresses and routing updates, use the ip subnet-zero global configuration command. To restore the default, use the no form of this command.

ip subnet-zero
no ip subnet-zero

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

The ip subnet-zero command provides the ability to configure and route to subnet-zero subnets.

Subnetting with a subnet address of zero is discouraged because of the confusion inherent in having a network and a subnet with indistinguishable addresses.

Example

In the following example, subnet-zero is enabled:

ip subnet-zero

ip tcp chunk-size

To alter the TCP maximum read size for Telnet or rlogin, use the ip tcp chunk-size global configuration command. To restore the default value, use the no form of this command.

ip tcp chunk-size characters
no ip tcp chunk-size

Syntax Description

characters

Maximum number of characters that Telnet or rlogin can read in one read instruction. The default value is 0, which Telnet and rlogin interpret as the largest possible 32-bit positive number.


Default

0, which Telnet and rlogin interpret as the largest possible 32-bit positive number.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 9.1.

It is unlikely you will need to change the default value.

Example

The following example sets the maximum TCP read size to 64000 bytes:

ip tcp chunk-size 64000

ip tcp compression-connections

To specify the total number of header compression connections that can exist on an interface, use the ip tcp compression-connections interface configuration command. To restore the default, use the no form of this command.

ip tcp compression-connections number
no ip tcp compression-connections number

Syntax Description

number

Number of connections the cache supports. It can be a number from 3 to 256.


Default

16 connections

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

You should configure one connection for each TCP connection through the specified interface.

Each connection sets up a compression cache entry, so you are in effect specifying the maximum number of cache entries and the size of the cache. Too few cache entries for the specified interface can lead to degraded performance, while too many cache entries can lead to wasted memory.


Note   Both ends of the serial connection must use the same number of cache entries.


Example

In the following example, the first serial interface is set for header compression with a maximum of ten cache entries:

interface serial 0
ip tcp header-compression
ip tcp compression-connections 10

Related Commands

ip tcp header-compression
show ip tcp header-compression

ip tcp header-compression

To enable TCP header compression, use the ip tcp header-compression interface configuration command. To disable compression, use the no form of this command.

ip tcp header-compression [passive]
no ip tcp header-compression [passive]

Syntax Description

passive

(Optional) Compresses outgoing TCP packets only if incoming TCP packets on the same interface are compressed. If you do not specify the passive keyword, the Cisco IOS software compresses all traffic.


Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

You can compress the headers of your TCP/IP packets in order to reduce the size of your packets. TCP header compression is supported on serial lines using Frame Relay, HDLC or Point-to-Point (PPP) encapsulation. You must enable compression on both ends of a serial connection. RFC 1144 specifies the compression process. Compressing the TCP header can speed up Telnet connections dramatically. In general, TCP header compression is advantageous when your traffic consists of many small packets, not for traffic that consists of large packets. Transaction processing (usually using terminals) tends to use small packets while file transfers use large packets. This feature only compresses the TCP header, so it has no effect on UDP packets or other protocol headers.

When compression is enabled, fast switching is disabled. This means that fast interfaces like T1 can overload the router. Consider your network's traffic characteristics before using this command.

Example

In the following example, the first serial interface is set for header compression with a maximum of ten cache entries:

interface serial 0
ip tcp header-compression
ip tcp compression-connections 10

Related Command

ip tcp compression-connections

ip tcp path-mtu-discovery

To enable Path MTU Discovery for all new TCP connections from the router, use the ip tcp path-mtu-discovery interface configuration command. To disable the feature, use the no form of this command.

ip tcp path-mtu-discovery [age-timer {minutes | infinite}]
no ip tcp path-mtu-discovery [age-timer {minutes | infinite}]

Syntax Description

age-timer minutes

(Optional) Time interval (in minutes) after which TCP re-estimates the Path MTU with a larger maximum segment size (MSS). The maximum is 30 minutes; the default is 10 minutes.

infinite

(Optional) Turns off the age-timer.


Default

Disabled. If enabled, default minutes is 10 minutes.

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.3. The age-timer and infinite keywords first appeared in Cisco IOS Release 11.2.

Path MTU Discovery is a method for maximizing the use of available bandwidth in the network between the end points of a TCP connection. It is described in RFC 1191. Existing connections are not affected when this feature is turned on or off.

Customers using TCP connections to move bulk data between systems on distinct subnets would benefit most by enabling this feature. This might include customers using RSRB with TCP encapsulation, STUN, X.25 Remote Switching (also known as XOT, or X.25 over TCP), and some protocol translation configurations.

The age timer is a time interval for how often TCP re-estimates the Path MTU with a larger MSS. By using the age timer, TCP Path MTU Discovery becomes a dynamic process. If the MSS used for the connection is smaller than what the peer connection can handle, a larger MSS is tried every time the age timer expires. The discovery process is stopped when either the send MSS is as large as the peer negotiated, or the user has disabled the timer on the router. You can turn off the age timer by setting it to infinite.

Example

The following example enables Path MTU Discovery:

ip tcp path-mtu-discovery

ip tcp queuemax

To alter the maximum TCP outgoing queue per connection, use the ip tcp queuemax global configuration command. To restore the default value, use the no form of this command.

ip tcp queuemax packets
no ip tcp queuemax

Syntax Description

packets

Outgoing queue size of TCP packets. The default value is 5 segments if the connection has a TTY associated with it. If there is no TTY associated with it, the default value is 20 segments.


Default

The default value is 5 segments if the connection has a TTY associated with it. If there is no TTY associated with it, the default value is 20 segments.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Changing the default value changes the 5, not the 20.

Example

The following example sets the maximum TCP outgoing queue to 10 packets:

ip tcp queuemax 10

ip tcp synwait-time

To set a period of time the Cisco IOS software waits while attempting to establish a TCP connection before it times out, use the ip tcp synwait-time global configuration command. To restore the default time, use the no form of this command.

ip tcp synwait-time seconds
no ip tcp synwait-time seconds

Syntax Description

seconds

Time in seconds the software waits while attempting to establish a TCP connection. It can be an integer from 5 to 300 seconds. The default is 30 seconds.


Default

30 seconds

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

In previous versions of Cisco IOS software, the system would wait a fixed 30 seconds when attempting to establish a TCP connection. If your network contains Public Switched Telephone Network (PSTN) dial-on-demand routing (DDR), the call setup time may exceed 30 seconds. This amount of time is not sufficient in networks that have dial-up asynchronous connections because it will affect your ability to Telnet over the link (from the router) if the link must be brought up. If you have this type of network, you might want to set this value to the UNIX value of 75.

Because this is a host parameter, it does not pertain to traffic going through the router, only to traffic originated at this device. Because UNIX has a fixed 75-second timeout, hosts are unlikely to see this problem.

Example

The following example configures the Cisco IOS software to continue attempting to establish a TCP connection for 180 seconds:

ip tcp synwait-time 180

ip tcp window-size

To alter the TCP window size, use the ip tcp window-size global configuration command. To restore the default value, use the no form of this command.

ip tcp window-size bytes
no ip tcp window-size

Syntax Description

bytes

Window size in bytes. The maximum is 65535 bytes. The default value is 2144 bytes.


Default

2144 bytes

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 9.1.

Do not use this command unless you clearly understand why you want to change the default value.

If your TCP window size is set to 1000 bytes, for example, you could have 1 packet of 1000 bytes or 2 packets of 500 bytes, etc. However, there is also a limit on the number of packets allowed in the window. There can be a maximum of 5 packets if the connection has TTY; otherwise there can be 20 packets.

Example

The following example sets the TCP window size to 1000 bytes:

ip tcp window-size 1000

ip unnumbered

To enable IP processing on a serial interface without assigning an explicit IP address to the interface, use the ip unnumbered interface configuration command. To disable the IP processing on the interface, use the no form of this command.

ip unnumbered type number
no ip unnumbered type number

Syntax Description

type number

Type and number of another interface on which the router has an assigned IP address. It cannot be another unnumbered interface.


Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

Whenever the unnumbered interface generates a packet (for example, for a routing update), it uses the address of the specified interface as the source address of the IP packet. It also uses the address of the specified interface in determining which routing processes are sending updates over the unnumbered interface. Restrictions include the following:

Serial interfaces using HDLC, PPP, Link Access Procedure, Balanced (LAPB), and Frame Relay encapsulations, as well as Serial Line Internet Protocol (SLIP) and tunnel interfaces can be unnumbered. It is not possible to use this interface configuration command with X.25 or Switched Multimegabit Data Service (SMDS) interfaces.

You cannot use the ping EXEC command to determine whether the interface is up, because the interface has no address. Simple Network Management Protocol (SNMP) can be used to remotely monitor interface status.

You cannot netboot a runnable image over an unnumbered serial interface.

You cannot support IP security options on an unnumbered interface.

The interface you specify by the type and number arguments must be enabled (listed as "up" in the show interfaces command display).

If you are configuring IS-IS across a serial line, you should configure the serial interfaces as unnumbered. This allows you to conform with RFC 1195, which states that IP addresses are not required on each interface.


Note   Using an unnumbered serial line between different major networks (or majornets) requires special care. If at each end of the link there are different majornets assigned to the interfaces you specified as unnumbered, then any routing protocol running across the serial line must not advertise subnet information.


Example

In the following example, the first serial interface is given Ethernet 0's address:

interface ethernet 0
ip address 131.108.6.6 255.255.255.0
!
interface serial 0
ip unnumbered ethernet 0

ip unreachables

To enable the generation of ICMP Unreachable messages, use the ip unreachables interface configuration command. To disable this function, use the no form of this command.

ip unreachables
no ip unreachables

Syntax Description

This command has no arguments or keywords.

Default

Enabled

Command Mode

Interface configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 10.0.

If the Cisco IOS software receives a nonbroadcast packet destined for itself that uses a protocol it does not recognize, it sends an ICMP Protocol Unreachable message to the source.

If the software receives a datagram that it cannot deliver to its ultimate destination because it knows of no route to the destination address, it replies to the originator of that datagram with an ICMP Host Unreachable message.

This command affects all kinds of ICMP unreachable messages.

Example

The following example enables the generation of ICMP Unreachable messages, as appropriate, on an interface:

interface ethernet 0
ip unreachables

permit

To set conditions for a named IP access list, use the permit access-list configuration command. To remove a condition from an access list, use the no form of this command.

permit source [source-wildcard]
no permit source [source-wildcard]

permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
no permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

For ICMP, you can also use the following syntax:

permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

For IGMP, you can also use the following syntax:

permit igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]

For TCP, you can also use the following syntax:

permit tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

For UDP, you can also use the following syntax:

permit udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log]

Syntax Description

source

Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

source-wildcard

(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the "Usage Guidelines" section of the access-list (extended) command.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the "Usage Guidelines" section of the access-list (extended) command.

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (extended) command.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.


Default

There are no specific conditions under which a packet passes the n