Table Of Contents
IP Services Commands
access-class
access-list (IP extended)
access-list (IP standard)
access-list remark
clear access-list counters
clear ip accounting
clear ip drp
clear tcp statistics
deny (IP)
dynamic
forwarding-agent
ip access-group
ip access-list
ip access-list log-update
ip accounting
ip accounting-list
ip accounting-threshold
ip accounting-transits
ip accounting mac-address
ip accounting precedence
ip casa
ip drp access-group
ip drp authentication key-chain
ip drp server
ip icmp rate-limit unreachable
ip icmp redirect
ip mask-reply
ip mtu
ip redirects
ip source-route
ip tcp chunk-size
ip tcp compression-connections
ip tcp header-compression
ip tcp mss
ip tcp path-mtu-discovery
ip tcp queuemax
ip tcp selective-ack
ip tcp synwait-time
ip tcp timestamp
ip tcp window-size
ip unreachables
permit (IP)
remark
show access-lists
show interface mac
show interface precedence
show ip access-list
show ip accounting
show ip casa affinities
show ip casa oper
show ip casa stats
show ip casa wildcard
show ip drp
show ip redirects
show ip sockets
show ip tcp header-compression
show ip traffic
show standby
show tcp statistics
standby authentication
standby ip
standby mac-address
standby mac-refresh
standby preempt
standby priority
standby timers
standby track
standby use-bia
start-forwarding-agent
transmit-interface
IP Services Commands
Use the commands in this chapter to configure various IP services. For configuration information and examples on IP services, refer to the "Configuring IP Services" chapter of the Cisco IOS IP and IP Routing Configuration Guide.
access-class
To restrict incoming and outgoing connections between a particular virtual terminal line (into a Cisco device) and the addresses in an access list, use the access-class line configuration command. To remove access restrictions, use the no form of this command.
access-class access-list-number {in | out}
no access-class access-list-number {in | out}
Syntax Description
access-list-number
|
Number of an IP access list. This is a decimal number from 1 to 199 or from 1300 to 2699.
|
in
|
Restricts incoming connections between a particular Cisco device and the addresses in the access list.
|
out
|
Restricts outgoing connections between a particular Cisco device and the addresses in the access list.
|
Defaults
No access lists are defined.
Command Modes
Line configuration
Command History
Release
|
Modification
|
10.0
|
This command was introduced.
|
Usage Guidelines
Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them. A vty line with no access-class applied accepts connections from any source, so a single unrestricted line undoes the restriction on the others.
To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.
Examples
The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router, and applies it to incoming connections on terminal lines 1 through 5:
access-list 12 permit 192.89.55.0 0.0.0.255
line 1 5
access-class 12 in
The following example defines an access list that denies outgoing connections to networks other than network 36.0.0.0 from terminal lines 1 through 5:
access-list 10 permit 36.0.0.0 0.255.255.255
line 1 5
access-class 10 out
Related Commands
Command
|
Description
|
show line
|
Displays the parameters of a terminal line.
|
access-list (IP extended)
To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access lists, use the no form of this command.
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
protocol source source-wildcard destination destination-wildcard [precedence precedence]
[tos tos] [log | log-input] [time-range time-range-name] [fragments]
no access-list access-list-number
Internet Control Message Protocol (ICMP)
For ICMP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
Internet Group Management Protocol (IGMP)
For IGMP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
Transmission Control Protocol (TCP)
For TCP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
User Datagram Protocol (UDP)
For UDP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
Syntax Description
access-list-number
|
Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.
|
dynamic dynamic-name
|
(Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.
|
timeout minutes
|
(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.
|
deny
|
Denies access if the conditions are matched.
|
permit
|
Permits access if the conditions are matched.
|
protocol
|
Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the keyword ip. Some protocols allow further qualifiers described below.
|
source
|
Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
• Use a 32-bit quantity in four-part, dotted-decimal format.
• Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
|
source-wildcard
|
Wildcard bits to be applied to source. Each wildcard bit set to zero indicates that the corresponding bit position in the packet's IP address must exactly match the bit value in the corresponding bit position in the source. Each wildcard bit set to one indicates that both a zero bit and a one bit in the corresponding position of the packet's IP address will be considered a match to this access list entry.
There are three alternative ways to specify the source wildcard:
• Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. For example, 0.0.255.255 to require an exact match of only the first 16 bits of the source.
• Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
Wildcard bits set to one do not need to be contiguous in the source-wildcard. For example, a source-wildcard of 0.255.0.64 would be valid.
|
destination
|
Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
• Use a 32-bit quantity in four-part, dotted-decimal format.
• Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
|
destination-wildcard
|
Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
• Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
• Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
|
precedence precedence
|
(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."
|
tos tos
|
(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."
|
icmp-type
|
(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
|
log
|
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.
|
log-input
|
(Optional) Includes the input interface and source MAC address or VC in the logging output.
|
time-range time-range-name
|
(Optional) Name of the time range that applies to this statement. The name of the time range and its restrictions are specified by the time-range command.
|
icmp-code
|
(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
|
icmp-message
|
(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines."
|
igmp-type
|
(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."
|
operator
|
(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard, it must match the source port.
If the operator is positioned after the destination and destination-wildcard, it must match the destination port.
The range operator requires two port numbers. All other operators require one port number.
|
port
|
(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines." TCP port names can only be used when filtering TCP, and UDP port names can only be used when filtering UDP.
|
established
|
(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST control bits set. The nonmatching case is that of the initial TCP datagram (SYN only) sent to form a connection. The check is stateless: the router keeps no connection table, so any segment carrying ACK or RST matches, including segments from a sender that never completed a handshake (for example, an ACK scan).
|
fragments
|
(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.
|
Defaults
An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.
Command Modes
Global configuration
Command History
Release
|
Modification
|
10.0
|
This command was introduced.
|
10.3
|
The following keywords and arguments were added:
• source
• source-wildcard
• destination
• destination-wildcard
• precedence precedence
• icmp-type
• icmp-code
• icmp-message
• igmp-type
• operator
• port
• established
|
11.1
|
The dynamic dynamic-name keyword and argument were added.
|
11.1
|
The timeout minutes keyword and argument were added.
|
11.2
|
The log-input keyword was added.
|
12.0(1)T
|
The time-range time-range-name keyword and argument were added.
|
12.1(2)
|
The fragments keyword was added.
|
Usage Guidelines
You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Note
After a numbered access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific numbered access list.
The following is a list of precedence names:
• critical
• flash
• flash-override
• immediate
• internet
• network
• priority
• routine
The following is a list of type of service (ToS) names:
• max-reliability
• max-throughput
• min-delay
• min-monetary-cost
• normal
The following is a list of ICMP message type names and ICMP message type and code names:
• administratively-prohibited
• alternate-address
• conversion-error
• dod-host-prohibited
• dod-net-prohibited
• echo
• echo-reply
• general-parameter-problem
• host-isolated
• host-precedence-unreachable
• host-redirect
• host-tos-redirect
• host-tos-unreachable
• host-unknown
• host-unreachable
• information-reply
• information-request
• mask-reply
• mask-request
• mobile-redirect
• net-redirect
• net-tos-redirect
• net-tos-unreachable
• net-unreachable
• network-unknown
• no-room-for-option
• option-missing
• packet-too-big
• parameter-problem
• port-unreachable
• precedence-unreachable
• protocol-unreachable
• reassembly-timeout
• redirect
• router-advertisement
• router-solicitation
• source-quench
• source-route-failed
• time-exceeded
• timestamp-reply
• timestamp-request
• traceroute
• ttl-exceeded
• unreachable
The following is a list of IGMP message names:
• dvmrp
• host-query
• host-report
• pim
• trace
The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.
• bgp
• chargen
• daytime
• discard
• domain
• echo
• finger
• ftp
• ftp-data
• gopher
• hostname
• irc
• klogin
• kshell
• lpd
• nntp
• pop2
• pop3
• smtp
• sunrpc
• syslog
• tacacs-ds
• talk
• telnet
• time
• uucp
• whois
• www
The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.
• biff
• bootpc
• bootps
• discard
• dns
• dnsix
• echo
• mobile-ip
• nameserver
• netbios-dgm
• netbios-ns
• ntp
• rip
• snmp
• snmptrap
• sunrpc
• syslog
• tacacs-ds
• talk
• tftp
• time
• who
• xdmcp
Access List Processing of Fragments
The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:
If the access-list entry has no fragments keyword (the default behavior), and assuming all of the access-list entry information matches:
For an access-list entry containing only Layer 3 information:
• The entry is applied to nonfragmented packets, initial fragments, and noninitial fragments.
For an access-list entry containing Layer 3 and Layer 4 information:
• The entry is applied to nonfragmented packets and initial fragments.
– If the entry is a permit statement, the packet or fragment is permitted.
– If the entry is a deny statement, the packet or fragment is denied.
• The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and
– If the entry is a permit statement, the noninitial fragment is permitted.
– If the entry is a deny statement, the next access-list entry is processed.
Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.
If the access-list entry has the fragments keyword, and assuming all of the access-list entry information matches:
The access-list entry is applied only to noninitial fragments.
Note The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.
Do not simply add the fragments keyword to every access list entry. The first fragment of an IP packet is treated as a nonfragment and is evaluated independently of the subsequent fragments: an initial fragment never matches a permit or deny entry that contains the fragments keyword, so it is compared to the next access list entry, and so on, until an entry without the fragments keyword permits or denies it. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair omits the fragments keyword and applies to the initial fragment; the second includes the fragments keyword and applies to the subsequent fragments. Where there are multiple deny entries for the same host with different Layer 4 ports, a single deny entry with the fragments keyword for that host is all that needs to be added. All the fragments of a packet are then handled in the same manner by the access list. Without such an entry, a noninitial fragment that a Layer 4 deny entry would have blocked is passed on to the following entries and is permitted by any later entry whose Layer 3 portion matches it.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note
The fragments keyword cannot solve all cases involving access lists and IP fragments.
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
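The matching rules described above (wildcard masks from the Syntax Description, first match wins with an implicit deny, the established keyword, and the fragment processing table) as an added example in Python. This is not Cisco code and not an IOS implementation; the Entry and Packet classes, the access lists and the packets used with them are constructed for illustration. The same wildcard_match function also covers the standard access-list examples later in this chapter (for example, 10.29.2.64 0.0.0.63).

```python
"""Model of Cisco IOS extended IP access-list evaluation.

Added example, not Cisco code. It models the rules the command reference
describes: wildcard masks (bit 0 = must match, bit 1 = ignored), first match
wins with an implicit deny, the stateless `established` check (ACK or RST),
and the handling of initial versus noninitial fragments with and without
the `fragments` keyword.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

ACK, RST = 0x10, 0x04            # TCP control bits tested by `established`
ANY = ("0.0.0.0", "255.255.255.255")   # `any` == 0.0.0.0 255.255.255.255


def host(ip: str) -> Tuple[str, str]:
    """`host a.b.c.d` is shorthand for `a.b.c.d 0.0.0.0`."""
    return (ip, "0.0.0.0")


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard-mask comparison; one-bits need not be contiguous."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


@dataclass
class Entry:
    action: str                    # "permit" or "deny"
    proto: str                     # "ip", "tcp", "udp", "icmp"
    src: Tuple[str, str]           # (address, wildcard)
    dst: Tuple[str, str]
    dport: Optional[int] = None    # Layer 4 qualifier: `eq <port>`
    established: bool = False      # Layer 4 qualifier (TCP only)
    fragments: bool = False        # applies only to noninitial fragments

    def has_l4(self) -> bool:
        return self.dport is not None or self.established


@dataclass
class Packet:
    src: str
    dst: str
    proto: str
    dport: Optional[int] = None    # absent in noninitial fragments
    flags: int = 0                 # TCP control bits
    frag_offset: int = 0           # > 0 means noninitial fragment

    @property
    def noninitial(self) -> bool:
        return self.frag_offset > 0


def l3_matches(e: Entry, p: Packet) -> bool:
    return (e.proto in ("ip", p.proto)
            and wildcard_match(p.src, *e.src)
            and wildcard_match(p.dst, *e.dst))


def l4_matches(e: Entry, p: Packet) -> bool:
    if e.dport is not None and p.dport != e.dport:
        return False
    # `established` is stateless: any segment carrying ACK or RST matches,
    # whether or not a handshake ever took place.
    if e.established and not (p.flags & (ACK | RST)):
        return False
    return True


def evaluate(acl: List[Entry], p: Packet) -> str:
    """Return "permit" or "deny" for p under acl (first match wins)."""
    for e in acl:
        if e.fragments and e.has_l4():
            raise ValueError("fragments keyword cannot carry Layer 4 information")
        if not l3_matches(e, p):
            continue
        if e.fragments:
            if p.noninitial:
                return e.action
            continue                       # initial fragments skip this entry
        if p.noninitial:
            # Only Layer 3 is available: a permit applies; a deny that carries
            # Layer 4 qualifiers is skipped and the next entry is processed.
            if not e.has_l4() or e.action == "permit":
                return e.action
            continue
        if l4_matches(e, p):
            return e.action
    return "deny"                          # implicit deny at end of list
```

Running the model against a list that denies telnet to a mail host and then permits SMTP to it shows the gap the fragments keyword exists to close: the initial fragment of a telnet segment is denied, but its noninitial fragments skip the Layer 4 deny and are permitted by the SMTP entry on Layer 3 alone. Prepending a deny ip any host ... fragments entry stops them. The established check likewise passes any segment with ACK set, handshake or not.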
Examples
In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The established keyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
The following example also permits Domain Name System (DNS) packets and ICMP echo and echo reply packets:
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp any host 128.88.1.2 eq smtp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
The following examples show how wildcard bits are used to indicate the bits of the prefix or mask that are relevant. They are similar to the bitmasks that are used with normal access lists. Prefix/mask bits corresponding to wildcard bits set to 1 are ignored during comparisons and prefix/mask bits corresponding to wildcard bits set to 0 are used in comparison.
The following example permits 192.108.0.0 255.255.0.0 but denies any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0):
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
The following example permits 131.108.0.0/24 but denies 131.108.0.0/16 and all other subnets of 131.108.0.0:
access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
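The two route-filter examples above, worked through in Python as an added example (not Cisco code): when an extended access list is used this way, the route's prefix is compared against the entry's source and source-wildcard and the route's mask against the destination and destination-wildcard. The RouteEntry tuples and the routes tested against them are constructed for this illustration.

```python
"""Extended access list used as a route filter (added example, not Cisco code).

Models the prefix/mask comparison shown in the two examples above: the
entry's source field matches the route prefix, the destination field matches
the route mask, and wildcard one-bits mark the bits that are ignored.
"""
import ipaddress
from typing import List, Tuple

# (action, prefix, prefix-wildcard, mask, mask-wildcard)
RouteEntry = Tuple[str, str, str, str, str]


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bit 0 = must match exactly, bit 1 = ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return a & care == b & care


def route_action(acl: List[RouteEntry], prefix: str, mask: str) -> str:
    """First matching entry wins; an unmatched route hits the implicit deny."""
    for action, p, p_wc, m, m_wc in acl:
        if wildcard_match(prefix, p, p_wc) and wildcard_match(mask, m, m_wc):
            return action
    return "deny"


# access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
# access-list 101 deny   ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
ACL_AGGREGATE_ONLY: List[RouteEntry] = [
    ("permit", "192.108.0.0", "0.0.0.0", "255.255.0.0", "0.0.0.0"),
    ("deny", "192.108.0.0", "0.0.255.255", "255.255.0.0", "0.0.255.255"),
]

# access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
# access-list 101 deny   ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
ACL_ONE_SUBNET: List[RouteEntry] = [
    ("permit", "131.108.0.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"),
    ("deny", "131.108.0.0", "0.0.255.255", "255.255.0.0", "0.0.255.255"),
]
```

The deny entries use a destination wildcard of 0.0.255.255 so that any mask from /16 through /32 matches them; the explicit deny is only documentation, since a route that matches no entry is dropped by the implicit deny anyway.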
The following example uses a time-range to deny HTTP traffic on Monday through Friday between the hours of 8:00 a.m. and 6:00 p.m.:
time-range no-http
periodic weekdays 8:00 to 18:00
access-list 101 deny tcp any any eq http time-range no-http
Related Commands
Command
|
Description
|
access-class
|
Restricts incoming and outgoing connections between a particular virtual terminal line (into a Cisco device) and the addresses in an access list.
|
access-list (IP standard)
|
Defines a standard IP access list.
|
clear access-template
|
Clears a temporary access list entry from a dynamic access list.
|
distribute-list in
|
Filters networks received in updates.
|
distribute-list out
|
Suppresses networks from being advertised in updates.
|
ip access-group
|
Controls access to an interface.
|
ip access-list
|
Defines an IP access list by name.
|
ip access-list log-update
|
Sets the threshold number of packets that cause a logging message.
|
ip accounting
|
Enables IP accounting on an interface.
|
logging console
|
Controls which messages are logged to the console, based on severity.
|
show access-lists
|
Displays the contents of current IP and rate-limit access lists.
|
show ip access-list
|
Displays the contents of all current IP access lists.
|
time-range
|
Specifies when an access list or other feature is in effect.
|
access-list (IP standard)
To define a standard IP access list, use the standard version of the access-list global configuration command. To remove a standard access list, use the no form of this command.
access-list access-list-number {deny | permit} source [source-wildcard] [log]
no access-list access-list-number
Caution 
Enhancements to this command are backward compatible; migrating from releases prior to Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly.
This could cause you severe security problems. Save your old configuration file before booting these images.
Syntax Description
access-list-number
|
Number of an access list. This is a decimal number from 1 to 99 or from 1300 to 1999.
|
deny
|
Denies access if the conditions are matched.
|
permit
|
Permits access if the conditions are matched.
|
source
|
Number of the network or host from which the packet is being sent.
There are two alternative ways to specify the source:
• Use a 32-bit quantity in four-part, dotted-decimal format.
• Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
|
source-wildcard
|
(Optional) Wildcard bits to be applied to source. Each wildcard bit set to zero indicates that the corresponding bit position in the packet's IP address must exactly match the bit value in the corresponding bit position in the source. Each wildcard bit set to one indicates that both a zero bit and a one bit in the corresponding position of the packet's IP address will be considered a match to this access list entry.
There are two alternative ways to specify the source wildcard:
• Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
• Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
Wildcard bits set to one do not need to be contiguous in the source-wildcard. For example, a source-wildcard of 0.255.0.64 would be valid.
|
log
|
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.
|
Defaults
The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.
Command Modes
Global configuration
Command History
Release
|
Modification
|
10.3
|
This command was introduced.
|
11.3(3)T
|
The log keyword was added.
|
Usage Guidelines
Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.
You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict the contents of routing updates.
Use the show access-lists EXEC command to display the contents of all access lists.
Use the show ip access-list EXEC command to display the contents of one access list.
Examples
The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.5.34.0 0.0.0.255
access-list 1 permit 128.88.0.0 0.0.255.255
access-list 1 permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)
The following example of a standard access list allows access for devices with IP addresses in the range 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected.
access-list 1 permit 10.29.2.64 0.0.0.63
! (Note: all other access implicitly denied)
To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:
access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3 0.0.0.0
Related Commands
Command
|
Description
|
access-class
|
Restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list.
|
access-list (IP extended)
|
Defines an extended IP access list.
|
distribute-list in (IP)
|
Filters networks received in updates.
|
distribute-list out (IP)
|
Suppresses networks from being advertised in updates.
|
ip access-group
|
Controls access to an interface.
|
ip access-list log-update
|
Sets the threshold number of packets that cause a logging message.
|
show access-lists
|
Displays the contents of current IP and rate-limit access lists.
|
show ip access-list
|
Displays the contents of all current IP access lists.
|
access-list remark
To write a helpful comment (remark) for an entry in a numbered IP access list, use the access-list remark global configuration command. To remove the remark, use the no form of this command.
access-list access-list-number remark remark
no access-list access-list-number remark remark
Syntax Description
access-list-number
|
Number of an IP access list.
|
remark
|
Comment that describes the access list entry, up to 100 characters long.
|
Defaults
The access list entries have no remarks.
Command Modes
Global configuration
Command History
Release
|
Modification
|
12.0(2)T
|
This command was introduced.
|
Usage Guidelines
The remark can be up to 100 characters; anything longer is truncated.
If you want to write a comment about an entry in a named access list, use the remark command.
Examples
In the following example, the workstation belonging to Jones is allowed access, and the workstation belonging to Smith is not allowed access:
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 1 remark Do not allow Smith workstation through
access-list 1 deny 171.69.3.13
Related Commands
clear access-list counters
To clear the counters of an access list, use the clear access-list counters EXEC command.
clear access-list counters {access-list-number | name}
Syntax Description
access-list-number
|
Access list number of the access list for which to clear the counters.
|
name
|
Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.
|
Command Modes
EXEC
Command History
Release
|
Modification
|
11.0
|
This command was introduced.
|
Usage Guidelines
Some access lists keep counters that count the number of packets that pass each line of an access list. The show access-lists command displays the counters as a number of matches. Use the clear access-list counters command to restart the counters for a particular access list to 0.
Examples
The following example clears the counters for access list 101:
clear access-list counters 101
Related Commands
Command
|
Description
|
show access-lists
|
Displays the contents of current IP and rate-limit access lists.
|
clear ip accounting
To clear the active or checkpointed database when IP accounting is enabled, use the clear ip accounting EXEC command.
clear ip accounting [checkpoint]
Syntax Description
checkpoint
|
(Optional) Clears the checkpointed database.
|
Command Modes
EXEC
Command History
Release
|
Modification
|
10.0
|
This command was introduced.
|
Usage Guidelines
You can also clear the checkpointed database by issuing the clear ip accounting command twice in succession.
Examples
The following example clears the active database when IP accounting is enabled:
clear ip accounting
Related Commands
Command
|
Description
|
ip accounting
|
Enables IP accounting on an interface.
|
ip accounting-list
|
Defines filters to control the hosts for which IP accounting information is kept.
|
ip accounting-threshold
|
Sets the maximum number of accounting entries to be created.
|
ip accounting-transits
|
Controls the number of transit records that are stored in the IP accounting database.
|
show ip accounting
|
Displays the active accounting or checkpointed database or displays access list violations.
|
clear ip drp
To clear all statistics being collected on Director Response Protocol (DRP) requests and replies, use the clear ip drp EXEC command.
clear ip drp
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Release
|
Modification
|
11.2F
|
This command was introduced.
|
Examples
The following example clears all DRP statistics:
clear ip drp
Related Commands
clear tcp statistics
To clear TCP statistics, use the clear tcp statistics privileged EXEC command.
clear tcp statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release
|
Modification
|
11.3
|
This command was introduced.
|
Examples
The following example clears all TCP statistics:
clear tcp statistics
Related Commands
deny (IP)
To set conditions for a named IP access list, use the deny access-list configuration command. To remove a deny condition from an access list, use the no form of this command.
deny source [source-wildcard