Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
IP Services Commands: ip mtu Through transit-interface

Table Of Contents

ip mtu

ip redirects

ip source-route

ip tcp chunk-size

ip tcp compression-connections

ip tcp header-compression

ip tcp mss

ip tcp path-mtu-discovery

ip tcp queuemax

ip tcp selective-ack

ip tcp synwait-time

ip tcp timestamp

ip tcp window-size

ip unreachables

permit (IP)

remark

show access-lists

show access-list compiled

show interface mac

show interface precedence

show ip access-list

show ip accounting

show ip casa affinities

show ip casa oper

show ip casa stats

show ip casa wildcard

show ip drp

show ip redirects

show ip sockets

show ip tcp header-compression

show ip traffic

show standby

show standby capability

show standby delay

show standby internal

show standby redirect

show tcp statistics

standby authentication

standby delay minimum reload

standby ip

standby mac-address

standby mac-refresh

standby name

standby preempt

standby priority

standby redirect

standby timers

standby track

standby use-bia

start-forwarding-agent

transmit-interface


ip mtu

To set the maximum transmission unit (MTU) size of IP packets sent on an interface, use the ip mtu interface configuration command. To restore the default MTU size, use the no form of this command.

ip mtu bytes

no ip mtu

Syntax Description

bytes

MTU in bytes.


Defaults

Minimum is 128 bytes; maximum depends on the interface medium.

Command Modes

Interface configuration

Command History

Release      Modification
10.0         This command was introduced.


Usage Guidelines

If an IP packet exceeds the MTU set for the interface, the Cisco IOS software will fragment it.

All devices on a physical medium must have the same protocol MTU in order to operate.


Note Changing the MTU value (with the mtu interface configuration command) can affect the IP MTU value. If the current IP MTU value is the same as the MTU value, and you change the MTU value, the IP MTU value will be modified automatically to match the new MTU. However, the reverse is not true; changing the IP MTU value has no effect on the value for the mtu command.
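What the fragmentation described above looks like in practice, as an added Python model (not Cisco IOS code): it splits a datagram payload into fragments that fit the interface MTU, keeping every non-final fragment a multiple of 8 bytes because the fragment offset field counts 8-byte units. The 20-byte header length and the l4_header_len parameter are assumptions of the model; the DF branch shows the case where the router cannot fragment and instead answers with an ICMP "fragmentation needed" message, which is what Path MTU Discovery (RFC 1191, see ip tcp path-mtu-discovery below) depends on.

```python
"""Fragment an IP datagram to fit an interface MTU (added illustration, not Cisco code)."""
from dataclasses import dataclass
from typing import List

IP_HEADER_LEN = 20  # assumption: IP header without options


@dataclass
class Fragment:
    offset_units: int       # fragment offset field, in 8-byte units
    payload_len: int        # bytes of the original payload carried
    more_fragments: bool    # MF flag
    carries_l4_header: bool # only the initial fragment carries the TCP/UDP header


def fragment(total_payload_len: int, mtu: int, l4_header_len: int = 20,
             dont_fragment: bool = False) -> List[Fragment]:
    """Split a payload of total_payload_len bytes into fragments no larger than mtu."""
    if mtu < IP_HEADER_LEN + 8:
        raise ValueError("MTU too small to carry an IP header plus one 8-byte block")
    max_payload = mtu - IP_HEADER_LEN
    if total_payload_len <= max_payload:
        # Fits in one datagram: nothing to do, the whole packet is a nonfragment.
        return [Fragment(0, total_payload_len, False, True)]
    if dont_fragment:
        # DF set: the router drops the packet and sends ICMP type 3 code 4
        # ("fragmentation needed and DF set"), the signal Path MTU Discovery uses.
        raise ValueError("DF set: packet dropped, ICMP fragmentation-needed sent")
    # Every fragment except the last must carry a multiple of 8 payload bytes.
    chunk = max_payload - (max_payload % 8)
    frags: List[Fragment] = []
    offset = 0
    while offset < total_payload_len:
        n = min(chunk, total_payload_len - offset)
        last = offset + n >= total_payload_len
        frags.append(Fragment(offset // 8, n, not last,
                              offset == 0 and n >= l4_header_len))
        offset += n
    return frags


if __name__ == "__main__":
    # Constructed input: a 1400-byte payload leaving an interface with ip mtu 576.
    for f in fragment(1400, 576):
        print(f)
```

Note that only the first fragment carries the Layer 4 header; the others are the "noninitial fragments" that the permit (IP) entry later on this page treats specially.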


Examples

The following example sets the maximum IP packet size for the first serial interface to 300 bytes:

interface serial 0
 ip mtu 300

Related Commands

Command      Description
mtu          Adjusts the maximum packet size or MTU size.


ip redirects

To enable the sending of Internet Control Message Protocol (ICMP) redirect messages if the Cisco IOS software is forced to resend a packet through the same interface on which it was received, use the ip redirects interface configuration command. To disable the sending of redirect messages, use the no form of this command.

ip redirects

no ip redirects

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled

Command Modes

Interface configuration

Command History

Release      Modification
10.0         This command was introduced.


Usage Guidelines

Previously, if the Hot Standby Router Protocol (HSRP) was configured on an interface, ICMP redirect messages were disabled by default for the interface. With Cisco IOS Release 12.1(3)T, ICMP redirect messages are enabled by default if HSRP is configured.

Examples

The following example enables the sending of ICMP redirect messages on Ethernet interface 0:

interface ethernet 0
 ip redirects

Related Commands

Command              Description
ip default-gateway   Defines a default gateway (router) when IP routing is disabled.
show ip redirects    Displays the address of a default gateway (router) and the address of hosts for which an ICMP redirect message has been received.


ip source-route

To allow the Cisco IOS software to handle IP datagrams with source routing header options, use the ip source-route global configuration command. To have the software discard any IP datagram containing a source-route option, use the no form of this command.

ip source-route

no ip source-route

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled

Command Modes

Global configuration

Command History

Release      Modification
10.0         This command was introduced.


Examples

The following example enables the handling of IP datagrams with source routing header options:

ip source-route

Related Commands

Command            Description
ping (privileged)  Diagnoses basic network connectivity (in privileged EXEC mode) on Apollo, AppleTalk, CLNS, DECnet, IP, Novell IPX, VINES, or XNS networks.
ping (user)        Diagnoses basic network connectivity (in user EXEC mode) on Apollo, AppleTalk, CLNS, DECnet, IP, Novell IPX, VINES, or XNS networks.


ip tcp chunk-size

To alter the TCP maximum read size for Telnet or rlogin, use the ip tcp chunk-size global configuration command. To restore the default value, use the no form of this command.

ip tcp chunk-size characters

no ip tcp chunk-size

Syntax Description

characters

Maximum number of characters that Telnet or rlogin can read in one read instruction. The default value is 0, which Telnet and rlogin interpret as the largest possible 32-bit positive number.


Defaults

0, which Telnet and rlogin interpret as the largest possible 32-bit positive number.

Command Modes

Global configuration

Command History

Release      Modification
9.1          This command was introduced.


Usage Guidelines

It is unlikely you will need to change the default value.

Examples

The following example sets the maximum TCP read size to 64,000 bytes:

ip tcp chunk-size 64000

ip tcp compression-connections

To specify the total number of TCP header compression connections that can exist on an interface, use the ip tcp compression-connections interface configuration command. To restore the default, use the no form of this command.

ip tcp compression-connections number

no ip tcp compression-connections number

Syntax Description

number

Number of TCP header compression connections the cache supports, in the range from 3 to 1000. The default is 32 connections (16 calls).


Defaults

The default number is 32 connections.

Command Modes

Interface configuration

Command History

Release      Modification
10.0         This command was introduced.
12.0(7)T     For Frame Relay, PPP, and High-Level Data Link Control (HDLC) encapsulation, the maximum number of compression connections increased to 256. For Frame Relay, the maximum value is fixed, not configurable.


Usage Guidelines

You should configure one connection for each TCP connection through the specified interface.

Each connection sets up a compression cache entry, so you are in effect specifying the maximum number of cache entries and the size of the cache. Too few cache entries for the specified interface can lead to degraded performance, and too many cache entries can lead to wasted memory.


Note Both ends of the serial connection must use the same number of cache entries.


Examples

The following example sets the first serial interface for header compression with a maximum of ten cache entries:

interface serial 0
 ip tcp header-compression
 ip tcp compression-connections 10

Related Commands

Command                         Description
ip rtp header-compression       Enables RTP header compression.
ip tcp header-compression       Enables TCP header compression.
show ip rtp header-compression  Displays RTP header compression statistics.


ip tcp header-compression

To enable TCP header compression, use the ip tcp header-compression interface configuration command. To disable compression, use the no form of this command.

ip tcp header-compression [passive]

no ip tcp header-compression [passive]

Syntax Description

passive

(Optional) Compresses outgoing TCP packets only if incoming TCP packets on the same interface are compressed. If you do not specify the passive keyword, the Cisco IOS software compresses all traffic.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release      Modification
10.0         This command was introduced.


Usage Guidelines

You can compress the headers of your TCP/IP packets in order to reduce the size of your packets. TCP header compression is supported on serial lines using Frame Relay, HDLC, or PPP encapsulation. You must enable compression on both ends of a serial connection. RFC 1144 specifies the compression process. Compressing the TCP header can speed up Telnet connections dramatically. In general, TCP header compression is advantageous when your traffic consists of many small packets, not for traffic that consists of large packets. Transaction processing (usually using terminals) tends to use small packets and file transfers use large packets. This feature only compresses the TCP header, so it has no effect on UDP packets or other protocol headers.

When compression is enabled, fast switching is disabled. This condition means that fast interfaces like T1 can overload the router. Consider the traffic characteristics of your network before using this command.

Examples

The following example sets the first serial interface for header compression with a maximum of ten cache entries:

interface serial 0
 ip tcp header-compression
 ip tcp compression-connections 10

Related Commands

Command                         Description
ip tcp compression-connections  Specifies the total number of header compression connections that can exist on an interface.


ip tcp mss

To enable a maximum segment size (MSS) for TCP connections originating or terminating on a router, use the ip tcp mss command in global configuration mode. To disable the configuration of the MSS, use the no form of this command.

ip tcp mss mss-value

no ip tcp mss mss-value

Syntax Description

mss-value

Maximum segment size for TCP connections in bytes. The range is from 68 to 10000.


Defaults

This command is disabled.

Command Modes

Global configuration

Command History

Release      Modification
12.0(05)S    This command was introduced.
12.1         This command was integrated into Cisco IOS Release 12.1.


Usage Guidelines

If this command is not enabled, an MSS value of 536 bytes is used when the destination is not on a LAN; for a local destination, the MSS value is 1460 bytes.

For connections originating from a router, the specified value is used directly as an MSS option in the synchronize (SYN) segment. For connections terminating on a router, the value is used only if the incoming SYN segment has an MSS option value higher than the configured value. Otherwise the incoming value is used as the MSS option in the SYN/acknowledge (ACK) segment.


Note The ip tcp mss command interacts with the ip tcp path-mtu-discovery command and not the ip tcp header-compression command. The ip tcp path-mtu-discovery command changes the default MSS to 1460 even for non-local nodes.


Examples

The following example sets the MSS value at 250:

ip tcp mss 250

Related Commands

Command                         Description
ip tcp compression-connections  Specifies the total number of header compression connections that can exist on an interface.


ip tcp path-mtu-discovery

To enable the Path MTU Discovery feature for all new TCP connections from the router, use the ip tcp path-mtu-discovery global configuration command. To disable the function, use the no form of this command.

ip tcp path-mtu-discovery [age-timer {minutes | infinite}]

no ip tcp path-mtu-discovery [age-timer {minutes | infinite}]

Syntax Description

age-timer minutes

(Optional) Time interval (in minutes) after which TCP re-estimates the path MTU with a larger maximum segment size (MSS). The maximum is 30 minutes; the default is 10 minutes.

age-timer infinite

(Optional) Turns off the age timer.


Defaults

Disabled. If enabled, the default minutes value is 10 minutes.

Command Modes

Global configuration

Command History

Release      Modification
10.3         This command was introduced.
11.2         The age-timer and infinite keywords were added.


Usage Guidelines

Path MTU Discovery is a method for maximizing the use of available bandwidth in the network between the endpoints of a TCP connection. It is described in RFC 1191. Existing connections are not affected when this feature is turned on or off.

Customers using TCP connections to move bulk data between systems on distinct subnets would benefit most by enabling this feature.

The age timer is a time interval for how often TCP re-estimates the path MTU with a larger MSS. When the age timer is used, TCP path MTU becomes a dynamic process. If the MSS used for the connection is smaller than what the peer connection can handle, a larger MSS is tried every time the age timer expires. The discovery process is stopped when either the send MSS is as large as the peer negotiated, or the user has disabled the timer on the router. You can turn off the age timer by setting it to infinite.

Examples

The following example enables Path MTU Discovery:

ip tcp path-mtu-discovery

ip tcp queuemax

To alter the maximum TCP outgoing queue per connection, use the ip tcp queuemax global configuration command. To restore the default value, use the no form of this command.

ip tcp queuemax packets

no ip tcp queuemax

Syntax Description

packets

Outgoing queue size of TCP packets. The default value is 5 segments if the connection has a TTY associated with it. If no TTY is associated with it, the default value is 20 segments.


Defaults

The default value is 5 segments if the connection has a TTY associated with it. If no TTY is associated with it, the default value is 20 segments.

Command Modes

Global configuration

Command History

Release      Modification
10.0         This command was introduced.


Usage Guidelines

Changing the default value changes only the 5-segment default for connections with a TTY, not the 20-segment default for connections without one.

Examples

The following example sets the maximum TCP outgoing queue to 10 packets:

ip tcp queuemax 10

ip tcp selective-ack

To enable TCP selective acknowledgment, use the ip tcp selective-ack global configuration command. To disable TCP selective acknowledgment, use the no form of this command.

ip tcp selective-ack

no ip tcp selective-ack

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release      Modification
11.2 F       This command was introduced.


Usage Guidelines

TCP might not experience optimal performance if multiple packets are lost from one window of data. With the limited information available from cumulative acknowledgments, a TCP sender can learn about only one lost packet per round-trip time. An aggressive sender could resend packets early, but such re-sent segments might have already been received.

The TCP selective acknowledgment mechanism helps overcome these limitations. The receiving TCP returns selective acknowledgment packets to the sender, informing the sender about data that has been received. The sender can then resend only the missing data segments.

TCP selective acknowledgment improves overall performance. The feature is used only when a multiple number of packets drop from a TCP window. There is no performance impact when the feature is enabled but not used.

This command becomes effective only on new TCP connections opened after the feature is enabled.

This feature must be disabled if you want TCP header compression. You might disable this feature if you have severe TCP problems.

Refer to RFC 2018 for more detailed information on TCP selective acknowledgment.

Examples

The following example enables the router to send and receive TCP selective acknowledgments:

ip tcp selective-ack

Related Commands

Command                    Description
ip tcp header-compression  Enables TCP header compression.


ip tcp synwait-time

To set a period of time the Cisco IOS software waits while attempting to establish a TCP connection before it times out, use the ip tcp synwait-time global configuration command. To restore the default time, use the no form of this command.

ip tcp synwait-time seconds

no ip tcp synwait-time seconds

Syntax Description

seconds

Time (in seconds) the software waits while attempting to establish a TCP connection. It can be an integer from 5 to 300 seconds. The default is 30 seconds.


Defaults

The default time is 30 seconds.

Command Modes

Global configuration

Command History

Release      Modification
10.0         This command was introduced.


Usage Guidelines

In versions previous to Cisco IOS software Release 10.0, the system would wait a fixed 30 seconds when attempting to establish a TCP connection. If your network contains Public Switched Telephone Network (PSTN) dial-on-demand routing (DDR), the call setup time may exceed 30 seconds. This amount of time is not sufficient in networks that have dialup asynchronous connections because it will affect your ability to Telnet over the link (from the router) if the link must be brought up. If you have this type of network, you might want to set this value to the UNIX value of 75.

Because this is a host parameter, it does not pertain to traffic going through the router, just for traffic originated at this device. Because UNIX has a fixed 75-second timeout, hosts are unlikely to experience this problem.

Examples

The following example configures the Cisco IOS software to continue attempting to establish a TCP connection for 180 seconds:

ip tcp synwait-time 180

ip tcp timestamp

To enable TCP time stamp, use the ip tcp timestamp global configuration command. To disable TCP time stamp, use the no form of this command.

ip tcp timestamp

no ip tcp timestamp

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release      Modification
11.2 F       This command was introduced.


Usage Guidelines

TCP time stamp improves round-trip time estimates. Refer to RFC 1323 for more detailed information on TCP time stamp.

This feature must be disabled if you want to use TCP header compression.

Examples

The following example enables the router to send TCP time stamps:

ip tcp timestamp

Related Commands

Command                    Description
ip tcp header-compression  Enables TCP header compression.


ip tcp window-size

To alter the TCP window size, use the ip tcp window-size global configuration command. To restore the default value, use the no form of this command.

ip tcp window-size bytes

no ip tcp window-size

Syntax Description

bytes

Window size (in bytes). The maximum is 65,535 bytes. The default value is 2144 bytes.


Defaults

The default size is 2144 bytes.

Command Modes

Global configuration

Command History

Release      Modification
9.1          This command was introduced.


Usage Guidelines

Do not use this command unless you clearly understand why you want to change the default value.

If your TCP window size is set to 1000 bytes, for example, you could have 1 packet of 1000 bytes or 2 packets of 500 bytes, and so on. However, there is also a limit on the number of packets allowed in the window. There can be a maximum of 5 packets if the connection has TTY; otherwise there can be 20 packets.

Examples

The following example sets the TCP window size to 1000 bytes:

ip tcp window-size 1000

ip unreachables

To enable the generation of Internet Control Message Protocol (ICMP) unreachable messages, use the ip unreachables interface configuration command. To disable this function, use the no form of this command.

ip unreachables

no ip unreachables

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled

Command Modes

Interface configuration

Command History

Release      Modification
10.0         This command was introduced.


Usage Guidelines

If the Cisco IOS software receives a nonbroadcast packet destined for itself that uses a protocol it does not recognize, it sends an ICMP unreachable message to the source.

If the software receives a datagram that it cannot deliver to its ultimate destination because it knows of no route to the destination address, it replies to the originator of that datagram with an ICMP host unreachable message.

This command affects all types of ICMP unreachable messages.

Examples

The following example enables the generation of ICMP unreachable messages, as appropriate, on an interface:

interface ethernet 0
 ip unreachables

permit (IP)

To set conditions for a named IP access list, use the permit access-list configuration command. To remove a condition from an access list, use the no form of this command.

permit source [source-wildcard]

no permit source [source-wildcard]

permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

no permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Internet Control Message Protocol (ICMP)

For ICMP, you can also use the following syntax:

permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Internet Group Management Protocol (IGMP)

For IGMP, you can also use the following syntax:

permit igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Transmission Control Protocol (TCP)

For TCP, you can also use the following syntax:

permit tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

User Datagram Protocol (UDP)

For UDP, you can also use the following syntax:

permit udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]

Syntax Description

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted decimal format.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

protocol

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword. Some protocols allow further qualifiers described later.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

Use a 32-bit quantity in four-part, dotted-decimal format.

Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the bit positions you want to ignore.

Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by name as listed in the section "Usage Guidelines" of the access-list (IP extended) command.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.

The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.

time-range time-range-name

(Optional) Name of the time range that applies to this permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines" of the access-list (IP extended) command.

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines" of the access-list (IP extended) command.

TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

fragments

(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.


Defaults

There are no specific conditions under which a packet passes the named access list.

Command Modes

Access-list configuration

Command History

Release                Modification
11.2                   This command was introduced.
12.0(1)T               The time-range time-range-name keyword and argument were added.
12.0(11) and 12.1(2)   The fragments keyword was added.


Usage Guidelines

Use this command following the ip access-list command to define the conditions under which a packet passes the access list.

The time-range option allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this permit statement is in effect.

Access List Processing of Fragments

The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:

If the access-list entry has no fragments keyword (the default behavior), and assuming all of the access-list entry information matches, then:

For an access-list entry containing only Layer 3 information:

The entry is applied to nonfragmented packets, initial fragments, and noninitial fragments.

For an access-list entry containing Layer 3 and Layer 4 information:

The entry is applied to nonfragmented packets and initial fragments.

If the entry is a permit statement, the packet or fragment is permitted.

If the entry is a deny statement, the packet or fragment is denied.

The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, then:

If the entry is a permit statement, the noninitial fragment is permitted.

If the entry is a deny statement, the next access-list entry is processed.


Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.


If the access-list entry has the fragments keyword, and assuming all of the access-list entry information matches, then:

The access-list entry is applied only to noninitial fragments.


Note The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.



Be aware that you should not simply add the fragments keyword to every access list entry, because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword; the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair does not include the fragments keyword and applies to the initial fragment. The second deny entry of the pair includes the fragments keyword and applies to the subsequent fragments. In cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.

Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.


Note The fragments keyword cannot solve all cases involving access lists and IP fragments.


Fragments and Policy Routing

Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.

By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
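The following is an added example, not part of the Cisco reference: a small Python model of the fragment handling described above, which shows why a deny entry that carries Layer 4 ports needs a companion entry with the fragments keyword, and how a noninitial fragment can otherwise pass an access list that blocked the initial fragment. The Entry and Packet classes, the host from the remark example, and the treatment of permit entries with Layer 4 information toward noninitial fragments are assumptions made for this model.

```python
# Added example (not from the Cisco reference): simplified model of how an IOS
# access list treats initial and noninitial fragments.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    src: str                    # source prefix, e.g. "171.69.2.88/32" or "0.0.0.0/0"
    dport: Optional[int] = None # Layer 4 port; None means no Layer 4 information
    fragments: bool = False     # entry carries the "fragments" keyword

@dataclass
class Packet:
    src: str
    dport: Optional[int]        # None for noninitial fragments (no Layer 4 header)
    frag_offset: int            # 0 for nonfragments and initial fragments

def entry_applies(e: Entry, p: Packet) -> bool:
    """Return True if this entry's action decides the packet."""
    if ip_address(p.src) not in ip_network(e.src):
        return False
    noninitial = p.frag_offset > 0
    if e.fragments:
        return noninitial        # "fragments" entries apply only to noninitial fragments
    if e.dport is None:
        return True              # Layer 3 only: applies to every packet and fragment
    if not noninitial:
        return p.dport == e.dport
    # Assumption for this model: a noninitial fragment carries no ports to compare,
    # so a permit with Layer 4 information is taken to match while a deny with
    # Layer 4 information is skipped and the next entry is examined.
    return e.action == "permit"

def evaluate(acl: List[Entry], p: Packet) -> str:
    for e in acl:
        if entry_applies(e, p):
            return e.action
    return "deny"                # implicit deny at the end of every access list

# Constructed sample: the Jones host from the remark example, with the usual closing permit.
JONES = "171.69.2.88/32"
without_frag_entry = [Entry("deny", JONES, dport=23), Entry("permit", "0.0.0.0/0")]
with_frag_entry = [Entry("deny", JONES, dport=23),
                   Entry("deny", JONES, fragments=True),
                   Entry("permit", "0.0.0.0/0")]
initial = Packet("171.69.2.88", dport=23, frag_offset=0)
noninitial = Packet("171.69.2.88", dport=None, frag_offset=185)
```

With only the port-based deny, evaluate() denies the initial fragment but permits the noninitial one; adding the deny entry with the fragments keyword makes both fragments deny.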

Examples

The following example sets conditions for a standard access list named Internetfilter:

ip access-list standard Internetfilter
 deny 192.5.34.0  0.0.0.255
 permit 128.88.0.0  0.0.255.255
 permit 36.0.0.0  0.255.255.255
! (Note: all other access implicitly denied)

The following example permits Telnet traffic on Mondays, Tuesdays, and Fridays from 9:00 a.m. to 5:00 p.m.:

time-range testing
 periodic Monday Tuesday Friday 9:00 to 17:00
!
ip access-list extended legal
 permit tcp any any eq telnet time-range testing
!
interface ethernet 0
 ip access-group legal in

Related Commands

Command
Description

deny (IP)

Sets conditions under which a packet does not pass a named IP access list.

ip access-group

Controls access to an interface.

ip access-list

Defines an IP access list by name.

ip access-list log-update

Sets the threshold number of packets that cause a logging message.

show ip access-list

Displays the contents of all current IP access lists.

time-range

Specifies when an access list or other feature is in effect.


remark

To write a helpful comment (remark) for an entry in a named IP access list, use the remark access-list configuration command. To remove the remark, use the no form of this command.

remark remark

no remark remark

Syntax Description

remark

Comment that describes the access list entry, up to 100 characters long.


Defaults

The access list entries have no remarks.

Command Modes

Standard named or extended named access-list configuration

Command History

Release
Modification

12.0(2)T

This command was introduced.


Usage Guidelines

The remark can be up to 100 characters long; anything longer is truncated.

If you want to write a comment about an entry in a numbered IP access list, use the access-list remark command.

Examples

In the following example, the Jones subnet is not allowed to use outbound Telnet:

ip access-list extended telnetting
 remark Do not allow Jones subnet to telnet out
 deny tcp host 171.69.2.88 any eq telnet

Related Commands

Command
Description

access-list remark

Specifies a helpful comment (remark) for an entry in a numbered IP access list.

deny (IP)

Sets conditions under which a packet does not pass a named IP access list.

ip access-list

Defines an IP access list by name.

permit (IP)

Sets conditions under which a packet passes a named IP access list.


show access-lists

To display the contents of current access lists, use the show access-lists privileged EXEC command.

show access-lists [access-list-number | access-list-name]

Syntax Description

access-list-number

(Optional) Number of the access list to display. The system displays all access lists by default.

access-list-name

(Optional) Name of the IP access list to display.


Defaults

The system displays all access lists.

Command Modes

Privileged EXEC

Command History

Release
Modification

10.0

This command was introduced.

12.1(5)T

The command output was modified to identify compiled access lists.


Examples

The following is sample output from the show access-lists command when access list 101 is specified:

Router# show access-lists 101

Extended IP access list 101
    permit tcp host 198.92.32.130 any established (4304 matches) check=5
    permit udp host 198.92.32.130 any eq domain (129 matches)
    permit icmp host 198.92.32.130 any
    permit tcp host 198.92.32.130 host 171.69.2.141 gt 1023
    permit tcp host 198.92.32.130 host 171.69.2.135 eq smtp (2 matches)
    permit tcp host 198.92.32.130 host 198.92.30.32 eq smtp
    permit tcp host 198.92.32.130 host 171.69.108.33 eq smtp
    permit udp host 198.92.32.130 host 171.68.225.190 eq syslog
    permit udp host 198.92.32.130 host 171.68.225.126 eq syslog
    deny   ip 150.136.0.0 0.0.255.255 224.0.0.0 15.255.255.255
    deny   ip 171.68.0.0 0.1.255.255 224.0.0.0 15.255.255.255 (2 matches) check=1
    deny   ip 172.24.24.0 0.0.1.255 224.0.0.0 15.255.255.255
    deny   ip 192.82.152.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny   ip 192.122.173.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny   ip 192.122.174.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny   ip 192.135.239.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny   ip 192.135.240.0 0.0.7.255 224.0.0.0 15.255.255.255
    deny   ip 192.135.248.0 0.0.3.255 224.0.0.0 15.255.255.255

An access list counter counts how many packets are allowed by each line of the access list. This number is displayed as the number of matches. Check denotes how many times a packet was compared to the access list but did not match.

The following is sample output from the show access-lists command when the Turbo Access Control List (ACL) feature is configured on all of the following access lists.


Note The permit and deny information displayed by the show access-lists command may not be in the same order as that entered using the access-list command.


Router# show access-lists
Standard IP access list 1 (Compiled)
    deny   any
Standard IP access list 2 (Compiled)
    deny   192.168.0.0, wildcard bits 0.0.0.255
    permit any
Standard IP access list 3 (Compiled)
    deny   0.0.0.0
    deny   192.168.0.1, wildcard bits 0.0.0.255
    permit any
Standard IP access list 4 (Compiled)
    permit 0.0.0.0
    permit 192.168.0.2, wildcard bits 0.0.0.255

For information on how to configure access lists, refer to the "Configuring IP Services" chapter of the Cisco IOS IP Configuration Guide.

For information on how to configure dynamic access lists, refer to the "Traffic Filtering and Firewalls" chapter of the Cisco IOS Security Configuration Guide.

Related Commands

Command
Description

access-list (IP extended)

Defines an extended IP access list.

access-list (IP standard)

Defines a standard IP access list.

clear access-list counters

Clears the counters of an access list.

clear access-template

Clears a temporary access list entry from a dynamic access list manually.

ip access-list

Defines an IP access list by name.

show access-lists

Displays the contents of all current IP access lists.


show access-list compiled

To display a table showing Turbo Access Control Lists (ACLs), use the show access-list compiled EXEC command.

show access-list compiled

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release
Modification

12.0(6)S

This command was introduced.

12.1(1)E

This command was introduced for Cisco 7200 series routers.

12.1(5)T

This command was integrated into Cisco IOS Release 12.1(5)T.


Usage Guidelines

This command is used to display the status and condition of the Turbo ACL tables associated with each access list. The memory usage is displayed for each table; large and complex access lists may require substantial amounts of memory. If the memory usage is greater than the memory available, you can disable the Turbo ACL feature so that memory exhaustion does not occur, but the access lists are then no longer accelerated.

Examples

The following is a partial sample output of the show access-list compiled command:

Router# show access-list compiled

Compiled ACL statistics:
12 ACLs loaded, 12 compiled tables
 ACL         State      Tables  Entries  Config  Fragment  Redundant  Memory
1           Operational    1        2        1         0          0      1Kb
2           Operational    1        3        2         0          0      1Kb
3           Operational    1        4        3         0          0      1Kb
4           Operational    1        3        2         0          0      1Kb
5           Operational    1        5        4         0          0      1Kb
9           Operational    1        3        2         0          0      1Kb
20          Operational    1        9        8         0          0      1Kb
21          Operational    1        5        4         0          0      1Kb
101         Operational    1       15        9         7          2      1Kb
102         Operational    1       13        6         6          0      1Kb
120         Operational    1        2        1         0          0      1Kb
199         Operational    1        4        3         0          0      1Kb
First level lookup tables:
Block      Use              Rows       Columns   Memory used
  0   TOS/Protocol            6/16     12/16      66048
  1   IP Source (MS)         10/16     12/16      66048
  2   IP Source (LS)         27/32     12/16      132096
  3   IP Dest (MS)            3/16     12/16      66048