Table Of Contents
lease
local-ip (IPC transport-SCTP local)
local-port
logging server-arp
manager (DFP agent)
maxconns (server farm)
nat
netbios-name-server
netbios-node-type
network (DHCP)
next-server
no ip gratuitous-arps
object (tracking)
option
origin
password (DFP agent)
permit (IP)
interface ethernet 0
port (DFP agent)
predictor
real
reassign
relay agent information
relay destination
relay source
relay target
relay-information hex
release dhcp
remark
remote-ip (IPC transport-SCTP remote)
remote-port
renew dhcp
retry (real server)
lease
To configure the duration of the lease for an IP address that is assigned from a Cisco IOS Dynamic Host Configuration Protocol (DHCP) server to a DHCP client, use the lease command in DHCP pool configuration mode. To restore the default value, use the no form of this command.
lease {days [hours [minutes]] | infinite}
no lease
Syntax Description
days
|
Specifies the duration of the lease in numbers of days.
|
hours
|
(Optional) Specifies the number of hours in the lease. A days value must be supplied before you can configure an hours value.
|
minutes
|
(Optional) Specifies the number of minutes in the lease. A days value and an hours value must be supplied before you can configure a minutes value.
|
infinite
|
Specifies that the duration of the lease is unlimited.
|
Defaults
1 day
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.0(1)T
|
This command was introduced.
|
Examples
The following example shows a 1-day lease:
The following example shows a 1-hour lease:
The following example shows a 1-minute lease:
The following example shows an infinite (unlimited) lease:
Related Commands
Command
|
Description
|
ip dhcp pool
|
Configures a DHCP address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode.
|
local-ip (IPC transport-SCTP local)
To define at least one local IP address that is used to communicate with the local peer, use the local-ip command in IPC transport-SCTP local configuration mode. To remove one or all IP addresses from your configuration, use the no form of this command.
local-ip device-real-ip-address [device-real-ip-address2]
no local-ip device-real-ip-address [device-real-ip-address2]
Syntax Description
device-real-ip-address
|
IP address of the local device.
The local IP addresses must match the remote IP addresses on the peer router. There can be either one or two IP addresses, which must be in global Virtual Routing and Forwarding (VRF). A virtual IP (VIP) address cannot be used.
|
device-real-ip-address2
|
(Optional) IP address of the local device.
|
Defaults
No IP addresses are defined; thus, peers cannot communicate with the local peer.
Command Modes
IPC transport-SCTP local configuration
Command History
Release
|
Modification
|
12.3(8)T
|
This command was introduced.
|
Usage Guidelines
Use the local-ip command to help associate Stream Control Transmission Protocol (SCTP) as the transport protocol between the local and remote peer.
This command is part of a suite of commands used to configure the Stateful Switchover (SSO) protocol. SSO is necessary for IP Security (IPSec) and Internet Key Exchange (IKE) to learn about the redundancy state of the network and to synchronize their internal application state with their redundant peers.
Examples
The following example shows how to enable SSO:
Related Commands
Command
|
Description
|
local-port
|
Defines the local SCTP port number that is used to communicate with the redundant peer.
|
remote-ip
|
Defines at least one remote IP address that is used to communicate with the redundant peer.
|
local-port
To define the local Stream Control Transmission Protocol (SCTP) port that is used to communicate with the redundant peer, use the local-port command in SCTP protocol configuration mode. .
local-port local-port-number
Syntax Description
local-port-number
|
Local port number, which should be the same as the remote port number on the peer router (which is specified via the remote-port command).
|
Defaults
A local SCTP port is not defined.
Command Modes
SCTP protocol configuration
Command History
Release
|
Modification
|
12.3(8)T
|
This command was introduced.
|
Usage Guidelines
The local-port command enters IPC transport-SCTP local configuration mode, which allows you to specify at least one local IP address (via the local-ip command) that is used to communicate with the redundant peer.
Examples
The following example shows how to enable Stateful Switchover (SSO):
Related Commands
Command
|
Description
|
local-ip
|
Defines at least one local IP address that is used to communicate with the local peer.
|
remote-port
|
Defines the remote SCTP that is used to communicate with the redundant peer.
|
logging server-arp
To enable the sending of Address Resolution Protocol (ARP) requests for syslog server address during system initialization bootup, use the logging server-arp command in global configuration mode. To disable the sending of ARP requests for syslog server addresses, use the no form of this command.
logging server-arp
no logging server-arp
Syntax Description
This command has no arguments or keywords.
Command Default
This command is disabled by default.
Command Modes
Global configuration.
Command History
Release
|
Modification
|
12.3
|
This command was introduced.
|
12.3(4)T
|
This command was integrated into Cisco IOS Release 12.3(4)T.
|
12.3(5)B
|
This command was integrated into Cisco IOS Release 12.3(5)B.
|
Usage Guidelines
The logging server-arp global configuration command allows the sending of ARP requests for syslog server address during system initialization bootup.
When this CLI command is configured and saved to the startup configuration file, the system will send an ARP request for remote syslog server address before sending out the first syslog message.
The command should only be used when the remote syslog server is in the same subnet as the system router sending the ARP request.
Note
Use this command even if a static ARP has been configured with the syslog server address.
Examples
The following example shows how to enable an ARP request for syslog server addresses:
Router# configure terminal
Router(config)# logging server-arp
The following example shows how to disable an ARP request for syslog server addresses:
Router# configure terminal
Router(config)# no logging server-arp
Related Commands
Command
|
Description
|
arp (global)
|
Adds a permanent entry in the Address Resolution Protocol (ARP) cache, use the arp command in global configuration mode.
|
manager (DFP agent)
This command has been replaced by the following commands:
•
inservice (DFP agent)
•
interval (DFP agent)
•
ip dfp agent
•
password (DFP agent)
•
port (DFP agent)
maxconns (server farm)
To limit the number of active connections to the real server, use the maxconns command in SLB server farm configuration mode. To restore the default of 4294967295, use the no form of this command.
maxconns maximum-number [sticky-override]
no maxconns
Syntax Description
maximum-number
|
Maximum number of simultaneous active connections on the real server. Valid values range from 1 to 4294967295. The default is 4294967295.
|
sticky-override
|
(Optional) Allow sticky load balancing to exceed maximum-number for this real server.
|
Defaults
The default maximum number of simultaneous active connections on the real server is 4294967295.
Command Modes
SLB server farm configuration
Command History
Release
|
Modification
|
12.0(7)XE
|
This command was introduced.
|
12.1(5)T
|
This command was integrated into Cisco IOS Release 12.1(5)T.
|
12.2
|
This command was integrated into Cisco IOS Release 12.2.
|
12.2(14)S
|
This command was integrated into Cisco IOS Release 12.2(14)S.
|
12.1(18)E
|
The sticky-override keyword was added.
|
12.2(18)SXE
|
This command was integrated into Cisco IOS Release 12.2(18)SXE.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
Examples
The following example limits the real server to a maximum of 1000 simultaneous active connections:
Router(config)# ip slb serverfarm PUBLIC
Router(config-slb-sfarm)# real 10.10.1.1
Router(config-slb-real)# maxconns 1000
Related Commands
Command
|
Description
|
real (server farm)
|
Identifies a real server by IP address and optional port number as a member of a server farm and enters real server configuration mode.
|
show ip slb reals
|
Displays information about the real servers.
|
show ip slb severfarms
|
Displays information about the server farm configuration.
|
nat
To configure IOS SLB Network Address Translation (NAT) and specify a NAT mode, use the nat SLB server farm configuration command. To remove a NAT configuration, use the no form of this command.
nat server
no nat server
Syntax Description
server
|
Specifies that the destination address in load-balanced packets sent to the real server is the address of the real server chosen by the server farm load-balancing algorithm.
|
Defaults
No default behavior or values.
Command Modes
SLB server farm configuration
Command History
Release
|
Modification
|
12.1(1)E
|
This command was introduced.
|
12.1(5)T
|
This command was integrated into Cisco IOS Release 12.1(5)T.
|
Usage Guidelines
The no nat command is allowed only if the virtual server was removed from service with the no inservice command.
Examples
The following example changes to IOS SLB server farm configuration mode and configures NAT mode as server address translation on the server farm named FARM2:
Related Commands
Command
|
Description
|
ip slb serverfarm
|
Associates a real server farm with a virtual server.
|
real
|
Identifies a real server as a member of a server farm.
|
show ip slb serverfarms
|
Displays information about the server farm configuration.
|
netbios-name-server
To configure NetBIOS Windows Internet Naming Service (WINS) name servers that are available to Microsoft Dynamic Host Configuration Protocol (DHCP) clients, use the netbios-name-server command in DHCP pool configuration. To remove the NetBIOS name server list, use the no form of this command.
netbios-name-server address [address2...address8]
no netbios-name-server
Syntax Description
address
|
Specifies the IP address of the NetBIOS WINS name server. One IP address is required, although you can specify up to eight addresses in one command line.
|
address2...address8
|
(Optional) Specifies up to eight addresses in the command line.
|
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.0(1)T
|
This command was introduced.
|
Usage Guidelines
One IP address is required, although you can specify up to eight addresses in one command line. Servers are listed in order of preference (address1 is the most preferred server, address2 is the next most preferred server, and so on).
Examples
The following example specifies the IP address of a NetBIOS name server available to the client:
netbios-name-server 10.12.1.90
Related Commands
Command
|
Description
|
dns-server
|
Specifies the DNS IP servers available to a DHCP client.
|
domain-name (DHCP)
|
Specifies the domain name for a DHCP client.
|
ip dhcp pool
|
Configures a DHCP address pool on a Cisco IOS DHCP Server and enters DHCP pool configuration mode.
|
netbios-node-type
|
Configures the NetBIOS node type for Microsoft DHCP clients.
|
netbios-node-type
To configure the NetBIOS node type for Microsoft Dynamic Host Configuration Protocol (DHCP) clients, use the netbios-node-type command in DHCP pool configuration mode. To remove the NetBIOS node type, use the no form of this command.
netbios-node-type type
no netbios-node-type
Syntax Description
type
|
Specifies the NetBIOS node type. Valid types are:
• b-node—Broadcast
• p-node—Peer-to-peer
• m-node—Mixed
• h-node—Hybrid (recommended)
|
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.0(1)T
|
This command was introduced.
|
Usage Guidelines
The recommended type is h-node (hybrid).
Examples
The following example specifies the client's NetBIOS type as hybrid:
Related Commands
Command
|
Description
|
ip dhcp pool
|
Configures a DHCP address pool on a Cisco IOS DHCP Server and enters DHCP pool configuration mode.
|
netbios name-server
|
Configures NetBIOS WINS name servers that are available to Microsoft DHCP clients.
|
network (DHCP)
To configure the subnet number and mask for a Dynamic Host Configuration Protocol (DHCP) address pool on a Cisco IOS DHCP server, use the network command in DHCP pool configuration mode. To remove the subnet number and mask, use the no form of this command.
network network-number [mask | prefix-length]
no network
Syntax Description
network-number
|
The IP address of the DHCP address pool.
|
mask
|
(Optional) The bit combination that renders which portion of the address of the DHCP address pool refers to the network or subnet and which part refers to the host.
|
prefix-length
|
(Optional) The number of bits that comprise the address prefix. The prefix is an alternative way of specifying the network mask of the client. The prefix length must be preceded by a forward slash (/).
|
Defaults
No default behavior or values.
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.0(1)T
|
This command was introduced.
|
Usage Guidelines
This command is valid for DHCP subnetwork address pools only. If the mask or prefix length is not specified, the class A, B, or C natural mask is used. The DHCP Server assumes that all host addresses are available. The system administrator can exclude subsets of the address space by using the ip dhcp excluded-address command.
You cannot configure manual bindings within the same pool that is configured with the network command.
Examples
The following example configures 172.16.0.0/16 as the subnetwork number and mask of the DHCP pool:
Related Commands
Command
|
Description
|
host
|
Specifies the IP address and network mask for a manual binding to a DHCP client.
|
ip dhcp excluded-address
|
Specifies IP addresses that a Cisco IOS DHCP server should not assign to DHCP clients.
|
ip dhcp pool
|
Configures a DHCP address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode.
|
next-server
To configure the next server in the boot process of a Dynamic Host Configuration Protocol (DHCP) client, use the next-server command in DHCP pool configuration. To remove the boot server list, use the no form of this command.
next-server address [address2...address8]
no next-server address
Syntax Description
address
|
Specifies the IP address of the next server in the boot process, which is typically a Trivial File Transfer Protocol (TFTP) server. One IP address is required, although you can specify up to eight addresses in one command line.
|
address2...address8
|
(Optional) Specifies up to eight addresses in the command line.
|
Defaults
If the next-server command is not used to configure a boot server list, the DHCP Server uses inbound interface helper addresses as boot servers.
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.0(1)T
|
This command was introduced.
|
Usage Guidelines
You can specify up to eight servers in the list. Servers are listed in order of preference (address1 is the most preferred server, address2 is the next most preferred server, and so on).
Examples
The following example specifies 10.12.1.99 as the IP address of the next server in the boot process:
Related Commands
Command
|
Description
|
accounting (DHCP)
|
Specifies the name of the default boot image for a DHCP client.
|
ip dhcp pool
|
Configures a DHCP address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode.
|
ip helper-address
|
Forwards UDP broadcasts, including BOOTP, received on an interface.
|
option
|
Configures Cisco IOS DHCP server options.
|
no ip gratuitous-arps
To disable the transmission of gratuitous Address Resolution Protocol (ARP) messages for an address in a local pool, use the no ip gratuitous-arps command in global configuration mode.
no ip gratuitous-arps
Syntax Description
This command has no keywords or arguments.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.3
|
This command was introduced.
|
Usage Guidelines
A Cisco router will send out a gratuitous ARP message when a client connects and negotiates an address over a PPP connection. This transmission occurs even when the client receives the address from a local address pool.
Examples
The following example disables gratuitous arp messages from being sent:
object (tracking)
To specify an object for a tracked list, use the object command in tracking configuration mode. To remove the object from the tracked list, use the no form of this command.
object object-number [not] [weight weight-number]
no object object-number [not] [weight weight-number]
Syntax Description
object-number
|
Object in a tracked list of objects. Range is from 1 to 500.
|
not
|
(Optional) Negates the state of an object.
Note The not keyword cannot be used in a weight or percentage threshold list only the Boolean list.
|
weight weight-number
|
The optional weight keyword specifies a threshold weight for each object.
|
Defaults
The object is removed from the tracked list.
Command Modes
Tracking configuration
Command History
Release
|
Modification
|
12.3(8)T
|
This command was introduced.
|
Examples
The following example shows two serial interfaces (objects) that are in tracked list 100. The Boolean "not" negates state of object 2 , which means when object 2 is up, the tracked list regards the object as down.
track 1 interface serial2/0 line-protocol
track 2 interface serial2/1 line-protocol
track 100 list boolean and
Related Commands
Command
|
Description
|
show track
|
Displays tracking information.
|
track list threshold percentage
|
Tracks a list of objects as to the up and down object states using a threshold percentage.
|
track list threshold weight
|
Tracks a list of objects as to the up and down object states using a threshold weight.
|
threshold weight
|
Specifies a threshold weight for a tracked list.
|
option
To configure Cisco IOS Dynamic Host Configuration Protocol (DHCP) server options, use the option command in DHCP pool configuration mode. To remove the options, use the no form of this command.
option code [instance number] {ascii string | hex string | ip address}
no option code [instance number]
Syntax Description
code
|
Specifies the DHCP option code.
|
instance number
|
(Optional) Specifies a number from 0 to 255.
|
ascii string
|
Specifies an NVT ASCII character string. ASCII character strings that contain white space must be delimited by quotation marks.
|
hex string
|
Specifies dotted hexadecimal data. Each byte in hexadecimal character strings is two hexadecimal digits—each byte can be separated by a period, colon, or white space.
|
ip address
|
Specifies an IP address.
|
Defaults
The default instance number is 0.
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.0(1)T
|
This command was introduced.
|
Usage Guidelines
DHCP provides a framework for passing configuration information to hosts on a TCP/IP network. Configuration parameters and other control information are carried in tagged data items that are stored in the options field of the DHCP message. The data items themselves are also called options. The current set of DHCP options are documented in RFC 2131, Dynamic Host Configuration Protocol.
Examples
The following example configures DHCP option 19, which specifies whether the client should configure its IP layer for packet forwarding. A value of 0 means disable IP forwarding; a value of 1 means enable IP forwarding. IP forwarding is enabled in the following example:
The following example configures DHCP option 72, which specifies the World Wide Web servers for DHCP clients. World Wide Web servers 172.16.3.252 and 172.16.3.253 are configured in the following example:
option 72 ip 172.16.3.252 172.16.3.253
Related Commands
Command
|
Description
|
ip dhcp pool
|
Configures a DHCP address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode.
|
origin
To configure an address pool as an on-demand address pool (ODAP) or static mapping pool, use the origin command in DHCP pool configuration mode. To disable the ODAP, use the no form of this command.
origin {dhcp | aaa | ipcp | file url} [subnet size initial size [autogrow size]]
no origin {dhcp | aaa | ipcp | file url} [subnet size initial size [autogrow size]]
Syntax Description
dhcp
|
Specifies the Dynamic Host Configuration Protocol (DHCP) as the subnet allocation protocol.
|
aaa
|
Specifies authentication, authorization, and accounting (AAA) as the subnet allocation protocol.
|
ipcp
|
Specifies the IP Control Protocol (IPCP) as the subnet allocation protocol.
|
file url
|
Specifies the external database file that contains the static bindings assigned by the DHCP server. The url argument specifies the location of the external database file.
|
subnet size initial size
|
(Optional) Specifies the initial size of the first requested subnet. You can enter size as either the subnet mask (nnnn.nnnn.nnnn.nnnn) or prefix size (/nn). The valid values are /0 and /4 to /30.
|
autogrow size
|
(Optional) Specifies that the pool can grow incrementally. The size argument is the size of the requested subnets when the pool requests additional subnets (upon detection of high utilization). You can enter size as either the subnet mask (nnnn.nnnn.nnnn.nnnn) or prefix size (/nn). The valid values are /0 and /4 to /30.
|
Defaults
The default size value is /0.
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.2(8)T
|
This command was introduced.
|
12.3(11)T
|
The file keyword was added.
|
Usage Guidelines
If you do not configure the pool as an autogrow pool, the pool will not request additional subnets if one subnet is already in the pool.
Use the dhcp keyword to obtain subnets from DHCP, the aaa keyword to obtain subnets from the AAA server, and the ipcp keyword to obtain subnets from IPCP negotiation. If you expect that the utilization of the pool may grow over time, use the autogrow size option.
If a pool has been configured with the autogrow size option, ensure that the source server is capable of providing more than one subnet to the same pool. Even though the Cisco IOS software specifies the requested subnet size, it can accept any offered subnet size from the source server.
Examples
The following example shows how to configure an address pool named green to use DHCP as the subnet allocation protocol with an initial subnet size of 24 and an autogrow subnet size of 24:
origin dhcp subnet size initial /24 autogrow /24
The following example shows how to configure the location of the external text file:
origin file tftp://10.1.0.1/staticbindingfile
Related Commands
Command
|
Description
|
show ip dhcp pool
|
Displays information about the DHCP address pools.
|
password (DFP agent)
To configure a DFP agent password for MD5 authentication, use the password command in DFP agent configuration mode. To remove the DFP agent password, use the no form of this command.
password [0 | 7] password [timeout]
no password
Syntax Description
0
|
(Optional) Unencrypted password. This is the default setting.
|
7
|
(Optional) Encrypted password.
|
password
|
(Optional) Password value for MD5 authentication.
Note This password must match the password configured on the host agent.
|
timeout
|
(Optional) Delay period, in seconds, during which both the old password and the new password are accepted. The valid range is from 0 to 65535. The default is 180.
|
Defaults
No password is enabled.
Command Modes
DFP agent configuration
Command History
Release
|
Modification
|
12.1(8a)E
|
This command was introduced.
|
12.2(14)S
|
This command was integrated into Cisco IOS Release 12.2(14)S.
|
12.3(4)T
|
This command was integrated into Cisco IOS Release 12.3(4)T.
|
Usage Guidelines
The timeout option allows you to change the password without stopping messages between the DFP agent and its manager. The default value is 180 seconds.
During the timeout, the agent sends packets with the old password (or null, if there is no old password), and receives packets with either the old or new password. After the timeout expires, the agent sends and receives packets only with the new password; received packets that use the old password are discarded.
If you are changing the password for an entire load-balanced environment, set a longer timeout. This allows enough time for you to update the password on all agents and servers before the timeout expires. It also prevents mismatches between agents and servers that have begun running the new password and agents, and servers on which you have not yet changed the old password.
Examples
The following example shows how to set the DFP agent password (unencrypted by default) to Cookies and the timeout to 360 seconds:
Router(config)# ip dfp agent slb
Router(config-dfp)# password Cookies 360
Related Commands
Command
|
Description
|
agent
|
Identifies a DFP agent to which IOS SLB can connect.
|
ip dfp agent
|
Identifies a DFP agent subsystem and initiates DFP agent configuration mode.
|
ip slb dfp
|
Configures DFP, supplies an optional password, and initiates DFP configuration mode.
|
replicate casa (firewall farm)
|
Configures a stateful backup of IOS SLB decision tables to a backup switch.
|
replicate casa (virtual server)
|
Configures a stateful backup of IOS SLB decision tables to a backup switch.
|
permit (IP)
To set conditions to allow a packet to pass a named IP access list, use the permit command in access list configuration mode. To remove a permit condition from an access list, use the no form of this command.
[sequence-number] permit source [source-wildcard]
[sequence-number] permit protocol source source-wildcard destination destination-wildcard
[option option-name] [precedence precedence] [tos tos] [log] [time-range time-range-name]
[fragments]
no sequence-number
no permit source [source-wildcard]
no permit protocol source source-wildcard destination destination-wildcard [option option-name]
[precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Internet Control Message Protocol (ICMP)
[sequence-number] permit icmp source source-wildcard destination destination-wildcard
[icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range
time-range-name] [fragments]
Internet Group Management Protocol (IGMP)
[sequence-number] permit igmp source source-wildcard destination destination-wildcard
[igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name]
[fragments]
Transmission Control Protocol (TCP)
[sequence-number] permit tcp source source-wildcard [operator [port]] destination
destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -}
flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name]
[fragments]
User Datagram Protocol (UDP)
[sequence-number] permit udp source source-wildcard [operator [port]] destination
destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range
time-range-name] [fragments]
Syntax Description
sequence-number
|
(Optional) Sequence number assigned to the permit statement. The sequence number causes the system to insert the statement in that numbered position in the access list.
|
source
|
Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
|
source-wildcard
|
Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:
• Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions that you want to ignore.
• Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
|
protocol
|
Name or number of an Internet protocol. The protocol argument can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword.
Note When the icmp, igmp, tcp, and udp keywords are entered, they must be followed with the specific command syntax that is shown for the ICMP, IGMP, TCP, and UDP forms of the permit command.
|
icmp
|
Permits only ICMP packets. When you enter the icmp keyword, you must use the specific command syntax shown for the ICMP form of the permit command.
|
igmp
|
Permits only IGMP packets. When you enter the igmp keyword, you must use the specific command syntax shown for the IGMP form of the permit command.
|
tcp
|
Permits only TCP packets. When you enter the tcp keyword, you must use the specific command syntax shown for the TCP form of the permit command.
|
udp
|
Permits only UDP packets. When you enter the udp keyword, you must use the specific command syntax shown for the UDP form of the permit command.
|
destination
|
Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
|
destination-wildcard
|
Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
• Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions that you want to ignore.
• Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
|
option option-name
|
(Optional) Packets can be filtered by IP Options, as specified by a number from 0 to 255, or by the corresponding IP Option name, as listed in Table 3 in the "Usage Guidelines" section.
|
precedence precedence
|
(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by a name.
|
tos tos
|
(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by a name as listed in the "Usage Guidelines" section of the access-list (IP extended) command.
|
log
|
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
|
time-range time-range-name
|
(Optional) Name of the time range that applies to this permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
|
fragments
|
(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.
|
icmp-type
|
(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
|
icmp-code
|
(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
|
icmp-message
|
(Optional) ICMP packets can be filtered by an ICMP message type name or an ICMP message type and code name. The possible names are listed in the "Usage Guidelines" section of the access-list (IP extended) command.
|
igmp-type
|
(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (IP extended) command.
|
operator
|
(Optional) Compares source or destination ports. Operators include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard arguments, it must match the source port. If the operator is positioned after the destination and destination-wildcard arguments, it must match the destination port.
The range operator requires two port numbers. Up to ten port numbers can be entered for the eq (equal) and neq (not equal) operators. All other operators require one port number.
|
port
|
(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (IP extended) command.
TCP port names can be used only when filtering TCP. UDP port names can be used only when filtering UDP.
|
established
|
(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bit set. The nonmatching case is that of the initial TCP datagram to form a connection.
Note The established keyword can be used only with the old command-line interface (CLI) format. To use the new CLI format, you must use the match-any or match-all keywords followed by the + or - keywords and flag-name argument.
|
{match-any | match-all}
|
(Optional) For the TCP protocol only: A match occurs if the TCP datagram has certain TCP flags set or not set. You use the match-any keyword to allow a match to occur if any of the specified TCP flags are present, or you can use the match-all keyword to allow a match to occur only if all of the specified TCP flags are present. You must follow the match-any and match-all keywords with the + or - keyword and the flag-name argument to match on one or more TCP flags.
|
{+ | -} flag-name
|
(Optional) For the TCP protocol only: The + keyword matches IP packets if their TCP headers contain the TCP flags that are specified by the flag-name argument. The - keyword matches IP packets that do not contain the TCP flags specified by the flag-name argument. You must follow the + and - keywords with the flag-name argument. TCP flag names can be used only when filtering TCP. Flag names for the TCP flags are as follows: urg, ack, psh, rst, syn, and fin.
|
Syntax Description
There are no specific conditions under which a packet passes the named access list.
Command Modes
Access list configuration
Command History
Release
|
Modification
|
11.2
|
This command was introduced.
|
12.0(1)T
|
The time-range time-range-name keyword and argument were added.
|
12.0(11)
|
The fragments keyword was added.
|
12.2(13)T
|
The igrp keyword was removed because the IGRP protocol is no longer available in Cisco IOS software.
|
12.2(14)S
|
The sequence-number argument was added.
|
12.2(15)T
|
The sequence-number argument was integrated into Cisco IOS Release 12.2(15)T.
|
12.3(4)T
|
The option option-name keyword and argument were added. The match-any, match-all, + and - keywords and the flag-name argument were added.
|
12.3(7)T
|
Command functionality was modified to allow up to ten port numbers to be added after the eq and neq operators so that an access list entry can be created with noncontiguous ports.
|
12.2(25)S
|
This command was integrated into Cisco IOS Release 12.2(25)S.
|
Usage Guidelines
Use this command following the ip access-list command to define the conditions under which a packet passes the named access list.
The time-range keyword allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this permit statement is in effect.
log Keyword
A log message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute-interval). See the ip access-list log-update command for more information.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing because of too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
If you enable Cisco Express Forwarding (CEF) and then create an access list that uses the log keyword, the packets that match the access list are not CEF-switched. They are fast-switched. Logging disables CEF.
Access List Filtering of IP Options
Access control lists can be used to filter packets with IP Options to prevent routers from being saturated with spurious packets containing IP Options. To see a complete table of all IP Options, including ones currently not in use, refer to the latest Internet Assigned Numbers Authority (IANA) information that is available from their URL: www.iana.org.
Cisco IOS software allows you to filter packets according to whether they contain one or more of the legitimate IP Options by entering either the IP Option value or the corresponding name for the option-name argument as shown in Table 3.
Table 3 IP Option Values and Names
IP Option Value or Name
|
Description
|
0 to 255
|
IP Options values.
|
add-ext
|
Match packets with Address Extension Option (147).
|
any-options
|
Match packets with any IP Option.
|
com-security
|
Match packets with Commercial Security Option (134).
|
dps
|
Match packets with Dynamic Packet State Option (151).
|
encode
|
Match packets with Encode Option (15).
|
eool
|
Match packets with End of Options (0).
|
ext-ip
|
Match packets with Extended IP Options (145).
|
ext-security
|
Match packets with Extended Security Option (133).
|
finn
|
Match packets with Experimental Flow Control Option (205).
|
imitd
|
Match packets with IMI Traffic Descriptor Option (144).
|
lsr
|
Match packets with Loose Source Route Option (131).
|
mtup
|
Match packets with MTU Probe Option (11).
|
mtur
|
Match packets with MTU Reply Option (12).
|
no-op
|
Match packets with the No Operation Option (1).
|
nsapa
|
Match packets with the NSAP Addresses Option (150).
|
record-route
|
Match packets with Router Record Route Option (7).
|
router-alert
|
Match packets with Router Alert Option (148).
|
sdb
|
Match packets with Selective Directed Broadcast Option (149).
|
security
|
Match packets with Base Security Option (130).
|
ssr
|
Match packets with Strict Source Routing Option (137).
|
stream-id
|
Match packets with Stream ID Option (136).
|
timestamp
|
Match packets with Time Stamp Option (68).
|
traceroute
|
Match packets with Trace Route Option (82).
|
ump
|
Match packets with Upstream Multicast Packet Option (152).
|
visa
|
Match packets with Experimental Access Control Option (142).
|
zsu
|
Match packets with Experimental Measurement Option (10).
|
Filtering IP Packets Based on TCP Flags
The access list entries that make up an access list can be configured to detect and drop unauthorized TCP packets by allowing only the packets that have very specific groups of TCP flags set or not set. Users can select any desired combination of TCP flags with which to filter TCP packets. Users can configure access list entries in order to allow matching on a flag that is set and on a flag that is not set. Use the + and - keywords with a flag name to specify that a match is made based on whether a TCP header flag has been set. Use the match-any and match-all keywords to allow the packet if any or all, respectively, of the flags specified by the + or - keyword and flag-name argument have been set or not set.
Access List Processing of Fragments
The behavior of access list entries regarding the use or lack of use of the fragments keyword can be summarized as follows:
If the Access-List Entry Has...
|
Then...
|
...no fragments keyword (the default behavior), and assuming all of the access-list entry information matches,
|
For an access list entry that contains only Layer 3 information:
• The entry is applied to nonfragmented packets, initial fragments, and noninitial fragments.
For an access list entry that contains Layer 3 and Layer 4 information:
• The entry is applied to nonfragmented packets and initial fragments.
– If the entry is a permit statement, then the packet or fragment is permitted.
– If the entry is a deny statement, then the packet or fragment is denied.
• The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access list entry can be applied. If the Layer 3 portion of the access list entry matches, and
– If the entry is a permit statement, then the noninitial fragment is permitted.
– If the entry is a deny statement, then the next access list entry is processed.
Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.
|
...the fragments keyword, and assuming all of the access list entry information matches,
|
The access list entry is applied only to noninitial fragments. The fragments keyword cannot be configured for an access list entry that contains any Layer 4 information.
|
Be aware that you should not add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword. The packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases in which there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets, and each counts individually as a packet in access list accounting and access list violation counts.
Note
The fragments keyword cannot solve all cases that involve access lists and IP fragments.
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list has entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy-routed, even if the first fragment is not policy-routed.
By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made, and it is more likely that policy routing will occur as intended.
Creating an Access List Entry with Noncontiguous Ports
For Cisco IOS Release 12.3(7)T and later releases, you can specify noncontiguous ports on the same access control entry, which greatly reduces the number of access list entries required for the same source address, destination address, and protocol. If you maintain large numbers of access list entries, we recommend that you consolidate them when possible by using noncontiguous ports. You can specify up to ten port numbers following the eq and neq operators.
Examples
The following example sets conditions for a standard access list named Internetfilter:
ip access-list standard Internetfilter
deny 192.168.34.0 0.0.0.255
permit 172.16.0.0 0.0.255.255
permit 10.0.0.0 0.255.255.255
! (Note: all other access implicitly denied).
The following example permits Telnet traffic on Mondays, Tuesdays, and Fridays from 9:00 a.m. to 5:00 p.m.:
periodic Monday Tuesday Friday 9:00 to 17:00
ip access-list extended legal
permit tcp any any eq telnet time-range testing
interface ethernet 0
The following example sets a permit condition for an extended access list named filter2. The access list entry specifies that a packet may pass the named access list only if it contains the NSAP Addresses IP Option, which is represented by the IP Option value nsapa.
Router(config)# ip access-list extended filter2
Router(config-ext-nacl)# permit ip any any option nsapa
The following example sets a permit condition for an extended access list named kmdfilter1. The access list entry specifies that a packet can pass the named access list only if the RST IP flag has been set for that packet:
Router(config)# ip access-list extended kmdfilter1
Router(config-std-nacl)# permit tcp any any match-any +rst
The following example sets a permit condition for an extended access list named kmdfilter1. The access list entry specifies that a packet can pass the named access list only if the RST and FIN TCP flags have been set for that packet:
Router(config)# ip access-list extended kmdfilter1
Router(config-std-nacl)# permit tcp any any match-any +rst +fin
The following example shows how to add an entry to an existing access list:
Router# show access-lists
Standard IP access list 1
2 permit 10.0.0.0, wildcard bits 0.0.255.255
5 permit 10.0.0.0, wildcard bits 0.0.255.255
10 permit 10.0.0.0, wildcard bits 0.0.255.255
20 permit 10.0.0.0, wildcard bits 0.0.255.255
Router(config)# ip access-list standard 1
Router(config-std-nacl)# 15 permit 10.0.0.0 0.0.255.255
The following examples shows how the entry with the sequence number of 20 is removed from the access list:
Router(config)# ip access-list standard 1
Router(config-std-nacl)# no 20
Router# show access-lists
Standard IP access list 1
10 permit 0.0.0.0, wildcard bits 0.0.0.255
30 permit 0.0.0.0, wildcard bits 0.0.0.255
40 permit 0.4.0.0, wildcard bits 0.0.0.255
The following examples shows how, if a user tries to enter an entry that is a duplicate of an entry already on the list, no changes occur. The entry that the user is trying to add is a duplicate of the entry already in the access list with a sequence number of 20.
Router# show access-lists 101
Extended IP access list 101
10 permit ip host 10.0.0.0 host 10.5.5.34
30 permit ip host 10.0.0.0 host 10.2.54.2
40 permit ip host 10.0.0.0 host 10.3.32.3 log
Router(config)# ip access-list extended 101
Router(config-ext-nacl)# 100 permit icmp any any
Router(config-ext-nacl)# end
Router# show access-lists 101
Extended IP access list 101
10 permit ip host 10.3.3.3 host 10.5.5.34
30 permit ip host 10.34.2.2 host 10.2.54.2
40 permit ip host 10.3.4.31 host 10.3.32.3 log
The following example shows what occurs if a user tries to enter a new entry with a sequence number of 20 when an entry with a sequence number of 20 is already in the list. An error message appears, and no change is made to the access list.
Router# show access-lists 101
Extended IP access lists 101
10 permit ip host 10.3.3.3 host 10.5.5.34
30 permit ip host 10.34.2.2 host 10.2.54.2
40 permit ip host 10.3.4.31 host 10.3.32.3 log
Router(config)# ip access-lists extended 101
Router(config-ext-nacl)# 20 permit udp host 10.1.1.1 host 10.2.2.2
Duplicate sequence number.
Router(config-ext-nacl)# end
Router# show access-lists 101
Extended IP access lists 101
10 permit ip host 10.3.3.3 host 10.5.5.34
30 permit ip host 10.34.2.2 host 10.2.54.2
40 permit ip host 10.3.4.31 host 10.3.32.3 log
The following example shows several permit statements that can be consolidated into one access list entry with noncontiguous ports. The show access-lists command is entered to display a group of access list entries for the access list named aaa.
Router# show access-lists aaa
Extended IP access lists aaa
10 permit tcp any eq telnet any eq 450
20 permit tcp any eq telnet any eq 679
30 permit tcp any eq ftp any eq 450
40 permit tcp any eq ftp any eq 679
Because the entries are all for the same permit statement and simply show different ports, they can be consolidated into one new access list entry. The following example shows the removal of the redundant access list entries and the creation of a new access list entry that consolidates the previously displayed group of access list entries:
Router# configure terminal
Router(config)# ip access-list extended aaa
Router(config-ext-nacl)# no 10
Router(config-ext-nacl)# no 20
Router(config-ext-nacl)# no 30
Router(config-ext-nacl)# no 40
Router(config-ext-nacl)# permit tcp any eq telnet ftp any eq 450 679
Router(config-ext-nacl)# end
The following example shows the creation of the consolidated access list entry:
Router# show access-lists aaa
Extended IP access list aaa
10 permit tcp any eq telnet ftp any eq 450 679
Related Commands
Command
|
Description
|
absolute
|
Specifies an absolute time when a time range is in effect.
|
access-list (IP extended)
|
Defines an extended IP access list.
|
access-list (IP standard)
|
Defines a standard IP access list.
|
deny (IP)
|
Sets conditions under which a packet does not pass a named IP access list.
|
ip access-group
|
Controls access to an interface.
|
ip access-list log-update
|
Sets the threshold number of packets that cause a logging message.
|
ip access-list resequence
|
Applies sequence numbers to the access list entries in an access list.
|
ip options
|
Drops or ignores IP Options packets that are sent to the router.
|
logging console
|
Sends system logging (syslog) messages to all available TTY lines and limits messages based on severity.
|
match ip address
|
Distributes any routes that have a destination network number address that is permitted by a standard or extended access list, or performs policy routing on packets.
|
periodic
|
Specifies a recurring (weekly) time range for functions that support the time-range feature.
|
show access-lists
|
Displays a group of access-list entries.
|
show ip access-list
|
Displays the contents of all current IP access lists.
|
time-range
|
Specifies when an access list or other feature is in effect.
|
port (DFP agent)
To define the port number to be used by the DFP manager to connect to the DFP agent, use the port command in DFP agent configuration mode. To disable the port number definition and remove existing connections, use the no form of this command.
port port-number
no port port-number
Syntax Description
port-number
|
Port number used by a DFP manager to connect to a DFP agent. The valid range is from 1 to 65535.
|
Defaults
No port number is defined.
Command Modes
DFP agent configuration
Command History
Release
|
Modification
|
12.1(8a)E
|
This command was introduced.
|
12.2(14)S
|
This command was integrated into Cisco IOS Release 12.2(14)S.
|
12.3(4)T
|
This command was integrated into Cisco IOS Release 12.3(4)T.
|
Examples
In the following example, the DFP manager is enabled and will connect to the DFP agent using port number 2221:
Router(config)# ip dfp agent slb
Router(config-dfp)# port 2221
Related Commands
Command
|
Description
|
agent
|
Identifies a DFP agent to which IOS SLB can connect.
|
ip dfp agent
|
Identifies a DFP agent subsystem and initiates DFP agent configuration mode.
|
ip slb dfp
|
Configures DFP, supplies an optional password, and initiates DFP configuration mode.
|
predictor
To specify the load-balancing algorithm for selecting a real server in the server farm, use the predictor command in SLB server farm configuration mode. To restore the default load-balancing algorithm of weighted round robin, use the no form of this command.
predictor [roundrobin | leastconns]
no predictor
Syntax Description
roundrobin
|
(Optional) Use the weighted round robin algorithm for selecting the real server to handle the next new connection for the server farm.
|
leastconns
|
(Optional) Use the weighted least connections algorithm for selecting the real server to handle the next new connection for this server farm.
|
Defaults
The default predictor is weighted round robin.
Command Modes
SLB server farm configuration
Command History
Release
|
Modification
|
12.0(7)XE
|
This command was introduced.
|
12.1(5)T
|
This command was integrated into Cisco IOS Release 12.1(5)T.
|
Examples
The following example specifies the weighted least connections algorithm:
Related Commands
Command
|
Description
|
show ip slb serverfarms
|
Displays information about the server farm configuration.
|
weight
|
Specifies the capacity of the real server, relative to other real servers in the server farm.
|
real
To identify a real server as a member of a server farm, use the real command in SLB server farm configuration mode. To remove the real server from the IOS SLB configuration, use the no form of this command.
real ip-address
no real ip-address
Syntax Description
ip-address
|
Real server IP address.
|
Defaults
No default behavior or values.
Command Modes
SLB server farm configuration
Command History
Release
|
Modification
|
12.0(7)XE
|
This command was introduced.
|
12.1(5)T
|
This command was integrated into Cisco IOS Release 12.1(5)T.
|
Examples
The following example identifies a real server as a member of the server farm:
Related Commands
Command
|
Description
|
inservice (real server)
|
Enables the real server for use by IOS SLB.
|
show ip slb serverfarms
|
Displays information about the server farm configuration.
|
show ip slb reals
|
Displays information about the real servers.
|
reassign
To specify the threshold of consecutive unanswered synchronizations that, if exceeded, results in an attempted connection to a different real server, use the reassign command in SLB real server configuration mode. To restore the default reassignment threshold, use the no form of this command.
reassign threshold
no reassign
Syntax Description
threshold
|
Number of unanswered TCP SYNs that are directed to a real server before the connection is reassigned to a different real server. An unanswered SYN is one for which no SYN or ACK is detected before the next SYN arrives from the client. IOS SLB allows 30 seconds for the connection to be established or for a new SYN to be received. If neither of these events occurs within that time, the connection is removed from the IOS SLB database.
The 30-second timer is restarted for each SYN as long as the number of connection reassignments specified on the faildetect command's numconns keyword is not exceeded. See the faildetect command for more information.
Valid threshold values range from 1 to 4 SYNs. The default value is 3.
|
Defaults
The default threshold is three SYNs.
Command Modes
SLB real server configuration
Command History
Release
|
Modification
|
12.0(7)XE
|
This command was introduced.
|
12.1(5)T
|
This command was integrated into Cisco IOS Release 12.1(5)T.
|
Examples
The following example sets the threshold of unanswered SYNs to 2:
Related Commands
Command
|
Description
|
real
|
Identifies a real server.
|
show ip slb reals
|
Displays information about the real servers.
|
show ip slb serverfarms
|
Displays information about the server farm configuration.
|
relay agent information
To enter relay agent information option configuration mode, use the relay agent information command in DHCP class configuration mode. To disable this functionality, use the no form of this command.
relay agent information
no relay agent information
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
DHCP class configuration
Command History
Release
|
Modification
|
12.2(13)ZH
|
This command was introduced.
|
12.3(4)T
|
This command was integrated into Cisco IOS Release 12.3(4)T.
|
Usage Guidelines
If this command is omitted for DHCP class-based address allocation, then the DHCP class matches to any relay agent information option, whether it is present or not.
Using the no relay agent information command removes all patterns in the DHCP class configured by the relay-information hex command.
Examples
The following example shows the relay information patterns configured for DHCP class 1.
relay-information hex 01030a0b0c02050000000123
relay-information hex 01030a0b0c02*
relay-information hex 01030a0b0c02050000000000 bitmask 0000000000000000000000FF
Related Commands
Command
|
Description
|
relay-information hex
|
Specifies a hexadecimal string for the full relay agent information option.
|
relay destination
To configure an IP address for a relay destination to which packets are forwarded by a DHCP relay agent functioning as a DHCP server, use the relay destination command in DHCP-pool configuration mode. To disable the IP address, use the no form of this command.
relay destination [vrf vrf-name | global] ip-address
no relay destination [vrf vrf-name | global] ip-address
Syntax Description
vrf
|
(Optional) Configured virtual routing and forwarding (VRF) that is associated with the relay destination address. The vrf-name argument specifies the name of the VRF table.
Note If the vrf keyword is not specified, the destination address is assumed to be in the same address space as the DHCP pool. If the vrf keyword is specified, the same VRF is assumed to apply here. However, if the destination IP address is actually in the global address space, the global keyword should be specified.
|
global
|
(Optional) IP address selected from the global address space. If the pool does not have any VRF configuration, then the relay destination address defaults to the global address space.
|
ip-address
|
IPv4 address of the remote DHCP server to which the DHCP client packets are relayed.
|
Defaults
No destination IP address to which packets are forwarded is configured.
Command Modes
DHCP-pool configuration
Command History
Release
|
Modification
|
12.3(14)T
|
This command was introduced.
|
Usage Guidelines
The relay destination command serves the same function as the relay target command, except that the relay target command specifies the DHCP server to which packets should be forwarded only for the class under which it is configured, and the relay destination command specifies the DHCP server to which packets should be forwarded for the pool itself. The relay target command overrides the relay destination command in cases in which the configured class name has been specified by the SG.
Examples
In the following example, multiple relay sources and destinations may be configured for a relay pool. This is similar the ip helper-address configuration on multiple interfaces. Pools are matched to the (possibly multiple) IP addresses on an incoming interface in the order in which they appear when using the show running-config command to display information about that interface. Once either a relay is found or an address allocation is found, the search stops. For example, given the following configuration:
ip address 21.0.0.1 255.0.0.0
ip address 22.0.0.5 255.0.0.0 secondary
relay source 21.0.0.0 255.0.0.0
relay destination 10.0.0.1
relay source 22.0.0.0 255.0.0.0
relay destination 20.0.0.1
In the following example, the DHCP client packet would be relayed to 10.0.0.1, if the SG specified ISP1 as the class name, and would be relayed to 20.0.0.1, if the SG specified ISP2 as the class name.
ip address 21.0.0.1 255.0.0.0
ip address 22.0.0.5 255.0.0.0 secondary
relay source 21.0.0.0 255.0.0.0
relay source 22.0.0.0 255.0.0.0
Related Commands
Command
|
Description
|
relay source
|
Configures an IP address for a relay source from which packets are forwarded by a DHCP server.
|
relay target
|
Configures an IP address for a relay target to which packets are forward by a DHCP server.
|
relay source
To configure an IP address for a relay source from which packets are forwarded by a DHCP server, use the relay source command in DHCP-pool configuration mode. To disable the IP address, use the no form of this command.
relay source ip-address subnet-mask
no relay source ip-address subnet-mask
Syntax Description
ip-address
|
IPv4 address of DHCP server from which the DHCP client packets are relayed.
|
subnet-mask
|
Subnet mask that matches the subnet of the incoming interface of the DHCP client packet.
|
Defaults
No IP address from which IP packets are forwarded is configured.
Command Modes
DHCP-pool configuration
Command History
Release
|
Modification
|
12.3(14)T
|
This command was introduced.
|
Examples
The following example shows how to configure a source IP address from which DHCP client packets are relayed:
relay source 10.0.0.0 255.255.0.0
relay destination 10.5.1.1
Related Commands
Command
|
Description
|
relay destination
|
Configures an IP address for a relay destination to which packets are forwarded by a DHCP server.
|
relay target
|
Configures an IP address for a relay target to which packets are forward by a DHCP server.
|
relay target
To configure an IP address for a relay target to which packets are forwarded by a DHCP server, use the relay target command in DHCP pool-class configuration mode. To disable the IP address, use the no form of this command.
relay target [vrf vrf-name | global] ip-address
no relay target [vrf vrf-name | global] ip-address
Syntax Description
vrf
|
(Optional) Configured virtual routing and forwarding (VRF) that is associated with the relay destination address. The vrf-name argument specifies the name of the VRF table.
Note If the vrf keyword is not specified, the target address is assumed to be in the same address space as the DHCP pool. If the vrf keyword is specified, the same VRF is assumed to apply here. However, if the target IP address is actually in the global address space, the global keyword should be specified.
|
global
|
(Optional) IP address selected from the global address space. If the pool does not have any VRF configuration, then the relay destination address defaults to the global address space.
|
ip-address
|
IPv4 address of the remote DHCP server to which the DHCP client packets are relayed.
|
Defaults
No target IP address is configured.
Command Modes
DHCP pool-class configuration
Command History
Release
|
Modification
|
12.3(14)T
|
This command was introduced.
|
Usage Guidelines
The relay target command serves the same function as the relay destination command, except that the relay target command specifies the DHCP server to which packets should be forwarded only for the class under which it is configured, and the relay destination command specifies the DHCP server to which packets should be forwarded for the pool itself. The relay target command overrides the relay destination command in cases in which the configured class name has been specified by the SG.
Examples
The following example shows how to configure a relay target if a service gateway (SG)-supplied class name is used to select a DHCP server to which packets are relayed:
relay source 10.0.0. 255.255.0.0.
relay destination 10.5.1.1
In the above example, classname1 relays the DHCP DISCOVER packet to the server at 10.1.1.1, while classname2 relays the DHCP DISCOVER packet to the server at 10.2.2.2.
If the SG returned classname3, then the default pool at 10.5.1.1 is used. If the SG returns any other class name other than classname1, classname2, or classname3, then no relay action is taken.
The relay target configuration with respect to any configured DHCP pool works in the exact same way as a relay destination configuration works.
Related Commands
Command
|
Description
|
relay destination
|
Configures an IP address for a relay destination to which packets are forwarded by a DHCP server.
|
relay source
|
Configures an IP address for a relay source from which packets are forward by a DHCP server.
|
relay-information hex
To specify a hexadecimal string for the full relay agent information option, use the relay-information hex command in relay agent information option configuration mode. To remove the configuration, use the no form of this command.
relay-information hex pattern [*] [bitmask mask]
no relay-information hex pattern [*] [bitmask mask]
Syntax Description
pattern
|
String of hexadecimal values. This string creates a pattern that is matched against the named DHCP class.
|
*
|
(Optional) Wildcard character.
|
bitmask mask
|
(Optional) Hexadecimal bitmask.
|
Defaults
No default behavior or values
Command Modes
Relay agent information option configuration mode.
Command History
Release
|
Modification
|
12.2(13)ZH
|
This command was introduced.
|
12.3(4)T
|
This command was integrated into Cisco IOS Release 12.3(4)T.
|
Usage Guidelines
The relay-information hex command sets a pattern that is used to match against defined DHCP classes. You can configure multiple relay-information hex commands for a DHCP class. This is useful to specify a set of relay information options that can not be summarized with a wildcard or a bitmask.
The pattern itself, excluding the wildcard, must contain a whole number of bytes (a byte is two hexadecimal numbers). For example, 010203 is 3 bytes (accepted) and 01020 is 2.5 bytes (not accepted).
If you omit this command, no pattern is configured and it is considered a match to any relay agent information value, but the relay information option must be present in the DHCP packet.
You must know the hexadecimal value of each byte location in option 82 to be able to configure the relay- information hex command. The option 82 format may vary from product to product. Contact the relay agent vendor for this information.
Examples
The following example shows the configured relay agent information patterns. Note that CLASS 2 has no pattern configured and will "match to any" class.
relay-information hex 01030a0b0c02050000000123
relay-information hex 01030a0b0c02*
relay-information hex 01030a0b0c02050000000000 bitmask 0000000000000000000000FF
release dhcp
To perform an immediate release of a Dynamic Host Configuration Protocol (DHCP) lease for an interface, use the release dhcp command in user EXEC or privileged EXEC mode.
release dhcp type number
Syntax Description
type
|
Interface type. For more information, use the question mark (?) online help function.
|
number
|
Interface or subinterface number. For more information about the numbering syntax for your networking device, use the question mark (?) online help function.
|
Command Modes
User EXEC
Privileged EXEC
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
The release dhcp command immediately releases the DHCP lease on the interface specified by the type and number arguments. If the router interface was not assigned a DHCP IP address by the DHCP server, the release dhcp command fails and displays the following error message:
Interface does not have a DHCP originated address
This command does not have a no form.
Examples
The following example shows how to release a DHCP lease for an interface.
Router# release dhcp ethernet 3/1
Related Commands
Command
|
Description
|
ip address dhcp
|
Specifies that the Ethernet interface acquires an IP address through DHCP.
|
lease
|
Configures the duration of the lease for an IP address that is assigned from a Cisco IOS DHCP server to a DHCP client.
|
renew dhcp
|
Forces the renewal of the DHCP lease for the specified interface.
|
show dhcp lease
|
Displays the DHCP addresses leased from a server.
|
show interface
|
Displays statistics for all interfaces configured on the router or access server.
|
show ip dhcp binding
|
Displays address bindings on the Cisco IOS DHCP server.
|
show ip interface
|
Displays a summary of an interface's IP information and status.
|
show running-config
|
Displays the contents of the currently running configuration file or the configuration for a specific interface.
|
show startup-config
|
Displays the contents of the configuration file that will be used at the next system startup.
|
remark
To write a helpful comment (remark) for an entry in a named IP access list, use the remark command in access list configuration command. To remove the remark, use the no form of this command.
remark remark
no remark remark
Syntax Description
remark
|
Comment that describes the access-list entry, up to 100 characters long.
|
Defaults
The access-list entries have no remarks.
Command Modes
Standard named or extended named access list configuration
Command History
Release
|
Modification
|
12.0(2)T
|
This command was introduced.
|
Usage Guidelines
The remark can be up to 100 characters long; anything longer is truncated.
If you want to write a comment about an entry in a numbered IP access list, use the access-list remark command.
Examples
In the following example, the Jones subnet is not allowed to use outbound Telnet:
ip access-list extended telnetting
remark Do not allow Jones subnet to telnet out
deny tcp host 171.69.2.88 any eq telnet
Related Commands
Command
|
Description
|
access-list remark
|
Specifies a helpful comment (remark) for an entry in a numbered IP access list.
|
deny (IP)
|
Sets conditions under which a packet does not pass a named IP access list.
|
ip access-list
|
Defines an IP access list by name.
|
permit (IP)
|
Sets conditions under which a packet passes a named IP access list.
|
remote-ip (IPC transport-SCTP remote)
To define at least one IP address of the redundant peer that is used to communicate with the local device, use the remote-ip command in IPC transport-SCTP remote configuration mode. To remove one or all IP addresses from your configuration, use the no form of this command.
remote-ip peer-real-ip-address [peer-real-ip-address2]
no remote-ip peer-real-ip-address [peer-real-ip-address2]
Syntax Description
peer-real-ip-address
|
IP address of the remote peer.
The remote IP addresses must match the local IP addresses on the peer router. There can be either one or two IP addresses, which must be in the global Virtual Routing and Forwarding (VRF). A virtual IP (VIP) address cannot be used.
|
peer-real-ip-address2
|
(Optional) IP address of the remote peer.
|
Defaults
No IP addresses are defined.
Command Modes
IPC transport-SCTP remote configuration
Command History
Release
|
Modification
|
12.3(8)T
|
This command was introduced.
|
Usage Guidelines
Use the remote-ip command to help associate Stream Control Transmission Protocol (SCTP) as the transport protocol between the local and remote peer.
This command is part of a suite of commands used to configure the Stateful Switch Over (SSO) protocol. SSO is necessary for IP Security (IPSec) and Internet Key Exchange (IKE) to learn about the redundancy state of the network and to synchronize their internal application state with their redundant peers.
Examples
The following example shows how to enable SSO:
Related Commands
Command
|
Description
|
local-ip
|
Defines at least one local IP address that is used to communicate with the local peer.
|
remote-port
|
Defines the remote SCTP that is used to communicate with the redundant peer.
|
remote-port
To define the remote Stream Control Transmission Protocol (SCTP) port that is used to communicate with the redundant peer, use the remote-port command in SCTP protocol configuration mode.
remote-port remote-port-number
Syntax Description
remote-port-number
|
Remote port number, which should be the same as the local port number on the peer router (which is specified via the local-port command).
|
Defaults
A remote SCTP port is not defined.
Command Modes
SCTP protocol configuration
Command History
Release
|
Modification
|
12.3(8)T
|
This command was introduced.
|
Usage Guidelines
The remote-port command enters IPC transport-SCTP remote configuration mode, which allows you to specify at least one remote IP address (via the remote-ip command) that is used to communicate with the redundant peer.
Examples
The following example shows how to enable Stateful Switchover (SSO):
Related Commands
Command
|
Description
|
local-port
|
Defines the local SCTP port that is used to communicate with the redundant peer.
|
remote-ip
|
Defines at least one IP address of the redundant peer that is used to communicate with the local device.
|
renew dhcp
To perform an immediate renewal of a Dynamic Host Configuration Protocol (DHCP) lease for an interface, use the renew dhcp command in user EXEC or privileged EXEC mode.
renew dhcp type number
Syntax Description
type
|
Interface type. For more information, use the question mark (?) online help function.
|
number
|
Interface or subinterface number. For more information about the numbering syntax for your networking device, use the question mark (?) online help function.
|
Command Modes
User EXEC
Privileged EXEC
Command History
Release
|
Modification
|
12.3(4)T
|
This command was introduced.
|
Usage Guidelines
The renew dhcp command immediately renews the DHCP lease for the interface specified by the type and number arguments. If the router interface was not assigned an IP address by the DHCP server, the renew dhcp command fails and displays the following error message:
Interface does not have a DHCP originated address
This command does not have a no form.
Examples
The following example shows how to renew a DHCP lease for an interface.
Router# renew dhcp Ethernet 3/1
Related Commands
Command
|
Description
|
ip address dhcp
|
Specifies that the Ethernet interface acquires an IP address through DHCP.
|
lease
|
Configures the duration of the lease for an IP address that is assigned from a Cisco IOS DHCP server to a DHCP client.
|
release dhcp
|
Releases the DHCP lease on the specified interface.
|
show dhcp lease
|
Displays the DHCP addresses leased from a server.
|
show interface
|
Displays statistics for all interfaces configured on the router or access server.
|
show ip dhcp binding
|
Displays address bindings on the Cisco IOS DHCP server.
|
show ip interface
|
Displays a summary of an interface's IP information and status.
|
show running-config
|
Displays the contents of the currently running configuration file or the configuration for a specific interface.
|
show startup-config
|
Displays the contents of the configuration file that will be used at the next system startup.
|
retry (real server)
To specify how long to wait before a new connection is attempted to a failed server, use the retry command in SLB real server configuration mode. To restore the default retry value, use the no form of this command.
retry retry-value
no retry
Syntax Description
retry-value
|
Time, in seconds, to wait after the detection of a server failure before a new connection to the server is attempted.
If the new connection attempt succeeds, the real server is placed in OPERATIONAL state. If the connection attempt fails, the timer is reset, the connection is reassigned, and the process repeats until it is successful or until the server is placed OUTOFSERVICE by the network administrator.
Valid values range from 1 to 3600. The default value is 60 seconds.
A value of 0 means do not attempt a new connection to the server when it fails.
|
Defaults
The retry-value default is 60 seconds.
Command Modes
SLB real server configuration
Command History
Release
|
Modification
|
12.0(7)XE
|
This command was introduced.
|
12.1(5)T
|
This command was integrated into Cisco IOS Release 12.1(5)T.
|
Examples
The following example specifies that 120 seconds must elapse after the detection of a server failure before a new connection is attempted:
Related Commands
Command
|
Description
|
real
|
Identifies a real server.
|
show ip slb reals
|
Displays information about the real servers.
|
show ip slb serverfarms
|
Displays information about the server farm configuration.
|