Table Of Contents
lease
local-ip (IPC transport-SCTP local)
local-port
logging server-arp
manager (DFP agent)
maxconns (server farm)
nat
netbios-name-server
netbios-node-type
network (DHCP)
next-server
no ip gratuitous-arps
object (tracking)
option
origin
password (DFP agent)
permit (IP)
interface ethernet 0
port (DFP agent)
predictor
real
reassign
relay agent information
relay destination
relay source
relay target
relay-information hex
release dhcp
remark
remote-ip (IPC transport-SCTP remote)
remote-port
renew dhcp
retry (real server)
lease
To configure the duration of the lease for an IP address that is assigned from a Cisco IOS Dynamic Host Configuration Protocol (DHCP) server to a DHCP client, use the lease command in DHCP pool configuration mode. To restore the default value, use the no form of this command.
lease {days [hours [minutes]] | infinite}
no lease
Syntax Description
days
|
Specifies the duration of the lease in numbers of days.
|
hours
|
(Optional) Specifies the number of hours in the lease. A days value must be supplied before you can configure an hours value.
|
minutes
|
(Optional) Specifies the number of minutes in the lease. A days value and an hours value must be supplied before you can configure a minutes value.
|
infinite
|
Specifies that the duration of the lease is unlimited.
|
Defaults
1 day
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.0(1)T
|
This command was introduced.
|
Examples
The following example shows a 1-day lease:
The following example shows a 1-hour lease:
The following example shows a 1-minute lease:
The following example shows an infinite (unlimited) lease:
Related Commands
Command
|
Description
|
ip dhcp pool
|
Configures a DHCP address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode.
|
local-ip (IPC transport-SCTP local)
To define at least one local IP address that is used to communicate with the local peer, use the local-ip command in IPC transport-SCTP local configuration mode. To remove one or all IP addresses from your configuration, use the no form of this command.
local-ip device-real-ip-address [device-real-ip-address2]
no local-ip device-real-ip-address [device-real-ip-address2]
Syntax Description
device-real-ip-address
|
IP address of the local device.
The local IP addresses must match the remote IP addresses on the peer router. There can be either one or two IP addresses, which must be in global Virtual Routing and Forwarding (VRF). A virtual IP (VIP) address cannot be used.
|
device-real-ip-address2
|
(Optional) IP address of the local device.
|
Defaults
No IP addresses are defined; thus, peers cannot communicate with the local peer.
Command Modes
IPC transport-SCTP local configuration
Command History
Release
|
Modification
|
12.3(8)T
|
This command was introduced.
|
Usage Guidelines
Use the local-ip command to help associate Stream Control Transmission Protocol (SCTP) as the transport protocol between the local and remote peer.
This command is part of a suite of commands used to configure the Stateful Switchover (SSO) protocol. SSO is necessary for IP Security (IPSec) and Internet Key Exchange (IKE) to learn about the redundancy state of the network and to synchronize their internal application state with their redundant peers.
Examples
The following example shows how to enable SSO:
Related Commands
Command
|
Description
|
local-port
|
Defines the local SCTP port number that is used to communicate with the redundant peer.
|
remote-ip
|
Defines at least one remote IP address that is used to communicate with the redundant peer.
|
local-port
To define the local Stream Control Transmission Protocol (SCTP) port that is used to communicate with the redundant peer, use the local-port command in SCTP protocol configuration mode. .
local-port local-port-number
Syntax Description
local-port-number
|
Local port number, which should be the same as the remote port number on the peer router (which is specified via the remote-port command).
|
Defaults
A local SCTP port is not defined.
Command Modes
SCTP protocol configuration
Command History
Release
|
Modification
|
12.3(8)T
|
This command was introduced.
|
Usage Guidelines
The local-port command enters IPC transport-SCTP local configuration mode, which allows you to specify at least one local IP address (via the local-ip command) that is used to communicate with the redundant peer.
Examples
The following example shows how to enable Stateful Switchover (SSO):
Related Commands
Command
|
Description
|
local-ip
|
Defines at least one local IP address that is used to communicate with the local peer.
|
remote-port
|
Defines the remote SCTP that is used to communicate with the redundant peer.
|
logging server-arp
To enable the sending of Address Resolution Protocol (ARP) requests for syslog server address during system initialization bootup, use the logging server-arp command in global configuration mode. To disable the sending of ARP requests for syslog server addresses, use the no form of this command.
logging server-arp
no logging server-arp
Syntax Description
This command has no arguments or keywords.
Command Default
This command is disabled by default.
Command Modes
Global configuration.
Command History
Release
|
Modification
|
12.3
|
This command was introduced.
|
12.3(4)T
|
This command was integrated into Cisco IOS Release 12.3(4)T.
|
12.3(5)B
|
This command was integrated into Cisco IOS Release 12.3(5)B.
|
Usage Guidelines
The logging server-arp global configuration command allows the sending of ARP requests for syslog server address during system initialization bootup.
When this CLI command is configured and saved to the startup configuration file, the system will send an ARP request for remote syslog server address before sending out the first syslog message.
The command should only be used when the remote syslog server is in the same subnet as the system router sending the ARP request.
Note
Use this command even if a static ARP has been configured with the syslog server address.
Examples
The following example shows how to enable an ARP request for syslog server addresses:
Router# configure terminal
Router(config)# logging server-arp
The following example shows how to disable an ARP request for syslog server addresses:
Router# configure terminal
Router(config)# no logging server-arp
Related Commands
Command
|
Description
|
arp (global)
|
Adds a permanent entry in the Address Resolution Protocol (ARP) cache, use the arp command in global configuration mode.
|
manager (DFP agent)
This command has been replaced by the following commands:
•
inservice (DFP agent)
•
interval (DFP agent)
•
ip dfp agent
•
password (DFP agent)
•
port (DFP agent)
maxconns (server farm)
To limit the number of active connections to the real server, use the maxconns command in SLB server farm configuration mode. To restore the default of 4294967295, use the no form of this command.
maxconns maximum-number [sticky-override]
no maxconns
Syntax Description
maximum-number
|
Maximum number of simultaneous active connections on the real server. Valid values range from 1 to 4294967295. The default is 4294967295.
|
sticky-override
|
(Optional) Allow sticky load balancing to exceed maximum-number for this real server.
|
Defaults
The default maximum number of simultaneous active connections on the real server is 4294967295.
Command Modes
SLB server farm configuration
Command History
Release
|
Modification
|
12.0(7)XE
|
This command was introduced.
|
12.1(5)T
|
This command was integrated into Cisco IOS Release 12.1(5)T.
|
12.2
|
This command was integrated into Cisco IOS Release 12.2.
|
12.2(14)S
|
This command was integrated into Cisco IOS Release 12.2(14)S.
|
12.1(18)E
|
The sticky-override keyword was added.
|
12.2(18)SXE
|
This command was integrated into Cisco IOS Release 12.2(18)SXE.
|
12.2(33)SRA
|
This command was integrated into Cisco IOS Release 12.2(33)SRA.
|
Examples
The following example limits the real server to a maximum of 1000 simultaneous active connections:
Router(config)# ip slb serverfarm PUBLIC
Router(config-slb-sfarm)# real 10.10.1.1
Router(config-slb-real)# maxconns 1000
Related Commands
Command
|
Description
|
real (server farm)
|
Identifies a real server by IP address and optional port number as a member of a server farm and enters real server configuration mode.
|
show ip slb reals
|
Displays information about the real servers.
|
show ip slb severfarms
|
Displays information about the server farm configuration.
|
nat
To configure IOS SLB Network Address Translation (NAT) and specify a NAT mode, use the nat SLB server farm configuration command. To remove a NAT configuration, use the no form of this command.
nat server
no nat server
Syntax Description
server
|
Specifies that the destination address in load-balanced packets sent to the real server is the address of the real server chosen by the server farm load-balancing algorithm.
|
Defaults
No default behavior or values.
Command Modes
SLB server farm configuration
Command History
Release
|
Modification
|
12.1(1)E
|
This command was introduced.
|
12.1(5)T
|
This command was integrated into Cisco IOS Release 12.1(5)T.
|
Usage Guidelines
The no nat command is allowed only if the virtual server was removed from service with the no inservice command.
Examples
The following example changes to IOS SLB server farm configuration mode and configures NAT mode as server address translation on the server farm named FARM2:
Related Commands
Command
|
Description
|
ip slb serverfarm
|
Associates a real server farm with a virtual server.
|
real
|
Identifies a real server as a member of a server farm.
|
show ip slb serverfarms
|
Displays information about the server farm configuration.
|
netbios-name-server
To configure NetBIOS Windows Internet Naming Service (WINS) name servers that are available to Microsoft Dynamic Host Configuration Protocol (DHCP) clients, use the netbios-name-server command in DHCP pool configuration. To remove the NetBIOS name server list, use the no form of this command.
netbios-name-server address [address2...address8]
no netbios-name-server
Syntax Description
address
|
Specifies the IP address of the NetBIOS WINS name server. One IP address is required, although you can specify up to eight addresses in one command line.
|
address2...address8
|
(Optional) Specifies up to eight addresses in the command line.
|
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.0(1)T
|
This command was introduced.
|
Usage Guidelines
One IP address is required, although you can specify up to eight addresses in one command line. Servers are listed in order of preference (address1 is the most preferred server, address2 is the next most preferred server, and so on).
Examples
The following example specifies the IP address of a NetBIOS name server available to the client:
netbios-name-server 10.12.1.90
Related Commands
Command
|
Description
|
dns-server
|
Specifies the DNS IP servers available to a DHCP client.
|
domain-name (DHCP)
|
Specifies the domain name for a DHCP client.
|
ip dhcp pool
|
Configures a DHCP address pool on a Cisco IOS DHCP Server and enters DHCP pool configuration mode.
|
netbios-node-type
|
Configures the NetBIOS node type for Microsoft DHCP clients.
|
netbios-node-type
To configure the NetBIOS node type for Microsoft Dynamic Host Configuration Protocol (DHCP) clients, use the netbios-node-type command in DHCP pool configuration mode. To remove the NetBIOS node type, use the no form of this command.
netbios-node-type type
no netbios-node-type
Syntax Description
type
|
Specifies the NetBIOS node type. Valid types are:
• b-node—Broadcast
• p-node—Peer-to-peer
• m-node—Mixed
• h-node—Hybrid (recommended)
|
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.0(1)T
|
This command was introduced.
|
Usage Guidelines
The recommended type is h-node (hybrid).
Examples
The following example specifies the client's NetBIOS type as hybrid:
Related Commands
Command
|
Description
|
ip dhcp pool
|
Configures a DHCP address pool on a Cisco IOS DHCP Server and enters DHCP pool configuration mode.
|
netbios name-server
|
Configures NetBIOS WINS name servers that are available to Microsoft DHCP clients.
|
network (DHCP)
To configure the subnet number and mask for a Dynamic Host Configuration Protocol (DHCP) address pool on a Cisco IOS DHCP server, use the network command in DHCP pool configuration mode. To remove the subnet number and mask, use the no form of this command.
network network-number [mask | prefix-length]
no network
Syntax Description
network-number
|
The IP address of the DHCP address pool.
|
mask
|
(Optional) The bit combination that renders which portion of the address of the DHCP address pool refers to the network or subnet and which part refers to the host.
|
prefix-length
|
(Optional) The number of bits that comprise the address prefix. The prefix is an alternative way of specifying the network mask of the client. The prefix length must be preceded by a forward slash (/).
|
Defaults
No default behavior or values.
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.0(1)T
|
This command was introduced.
|
Usage Guidelines
This command is valid for DHCP subnetwork address pools only. If the mask or prefix length is not specified, the class A, B, or C natural mask is used. The DHCP Server assumes that all host addresses are available. The system administrator can exclude subsets of the address space by using the ip dhcp excluded-address command.
You cannot configure manual bindings within the same pool that is configured with the network command.
Examples
The following example configures 172.16.0.0/16 as the subnetwork number and mask of the DHCP pool:
Related Commands
Command
|
Description
|
host
|
Specifies the IP address and network mask for a manual binding to a DHCP client.
|
ip dhcp excluded-address
|
Specifies IP addresses that a Cisco IOS DHCP server should not assign to DHCP clients.
|
ip dhcp pool
|
Configures a DHCP address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode.
|
next-server
To configure the next server in the boot process of a Dynamic Host Configuration Protocol (DHCP) client, use the next-server command in DHCP pool configuration. To remove the boot server list, use the no form of this command.
next-server address [address2...address8]
no next-server address
Syntax Description
address
|
Specifies the IP address of the next server in the boot process, which is typically a Trivial File Transfer Protocol (TFTP) server. One IP address is required, although you can specify up to eight addresses in one command line.
|
address2...address8
|
(Optional) Specifies up to eight addresses in the command line.
|
Defaults
If the next-server command is not used to configure a boot server list, the DHCP Server uses inbound interface helper addresses as boot servers.
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.0(1)T
|
This command was introduced.
|
Usage Guidelines
You can specify up to eight servers in the list. Servers are listed in order of preference (address1 is the most preferred server, address2 is the next most preferred server, and so on).
Examples
The following example specifies 10.12.1.99 as the IP address of the next server in the boot process:
Related Commands
Command
|
Description
|
accounting (DHCP)
|
Specifies the name of the default boot image for a DHCP client.
|
ip dhcp pool
|
Configures a DHCP address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode.
|
ip helper-address
|
Forwards UDP broadcasts, including BOOTP, received on an interface.
|
option
|
Configures Cisco IOS DHCP server options.
|
no ip gratuitous-arps
To disable the transmission of gratuitous Address Resolution Protocol (ARP) messages for an address in a local pool, use the no ip gratuitous-arps command in global configuration mode.
no ip gratuitous-arps
Syntax Description
This command has no keywords or arguments.
Defaults
Disabled
Command Modes
Global configuration
Command History
Release
|
Modification
|
11.3
|
This command was introduced.
|
Usage Guidelines
A Cisco router will send out a gratuitous ARP message when a client connects and negotiates an address over a PPP connection. This transmission occurs even when the client receives the address from a local address pool.
Examples
The following example disables gratuitous arp messages from being sent:
object (tracking)
To specify an object for a tracked list, use the object command in tracking configuration mode. To remove the object from the tracked list, use the no form of this command.
object object-number [not] [weight weight-number]
no object object-number [not] [weight weight-number]
Syntax Description
object-number
|
Object in a tracked list of objects. Range is from 1 to 500.
|
not
|
(Optional) Negates the state of an object.
Note The not keyword cannot be used in a weight or percentage threshold list only the Boolean list.
|
weight weight-number
|
The optional weight keyword specifies a threshold weight for each object.
|
Defaults
The object is removed from the tracked list.
Command Modes
Tracking configuration
Command History
Release
|
Modification
|
12.3(8)T
|
This command was introduced.
|
Examples
The following example shows two serial interfaces (objects) that are in tracked list 100. The Boolean "not" negates state of object 2 , which means when object 2 is up, the tracked list regards the object as down.
track 1 interface serial2/0 line-protocol
track 2 interface serial2/1 line-protocol
track 100 list boolean and
Related Commands
Command
|
Description
|
show track
|
Displays tracking information.
|
track list threshold percentage
|
Tracks a list of objects as to the up and down object states using a threshold percentage.
|
track list threshold weight
|
Tracks a list of objects as to the up and down object states using a threshold weight.
|
threshold weight
|
Specifies a threshold weight for a tracked list.
|
option
To configure Cisco IOS Dynamic Host Configuration Protocol (DHCP) server options, use the option command in DHCP pool configuration mode. To remove the options, use the no form of this command.
option code [instance number] {ascii string | hex string | ip address}
no option code [instance number]
Syntax Description
code
|
Specifies the DHCP option code.
|
instance number
|
(Optional) Specifies a number from 0 to 255.
|
ascii string
|
Specifies an NVT ASCII character string. ASCII character strings that contain white space must be delimited by quotation marks.
|
hex string
|
Specifies dotted hexadecimal data. Each byte in hexadecimal character strings is two hexadecimal digits—each byte can be separated by a period, colon, or white space.
|
ip address
|
Specifies an IP address.
|
Defaults
The default instance number is 0.
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.0(1)T
|
This command was introduced.
|
Usage Guidelines
DHCP provides a framework for passing configuration information to hosts on a TCP/IP network. Configuration parameters and other control information are carried in tagged data items that are stored in the options field of the DHCP message. The data items themselves are also called options. The current set of DHCP options are documented in RFC 2131, Dynamic Host Configuration Protocol.
Examples
The following example configures DHCP option 19, which specifies whether the client should configure its IP layer for packet forwarding. A value of 0 means disable IP forwarding; a value of 1 means enable IP forwarding. IP forwarding is enabled in the following example:
The following example configures DHCP option 72, which specifies the World Wide Web servers for DHCP clients. World Wide Web servers 172.16.3.252 and 172.16.3.253 are configured in the following example:
option 72 ip 172.16.3.252 172.16.3.253
Related Commands
Command
|
Description
|
ip dhcp pool
|
Configures a DHCP address pool on a Cisco IOS DHCP server and enters DHCP pool configuration mode.
|
origin
To configure an address pool as an on-demand address pool (ODAP) or static mapping pool, use the origin command in DHCP pool configuration mode. To disable the ODAP, use the no form of this command.
origin {dhcp | aaa | ipcp | file url} [subnet size initial size [autogrow size]]
no origin {dhcp | aaa | ipcp | file url} [subnet size initial size [autogrow size]]
Syntax Description
dhcp
|
Specifies the Dynamic Host Configuration Protocol (DHCP) as the subnet allocation protocol.
|
aaa
|
Specifies authentication, authorization, and accounting (AAA) as the subnet allocation protocol.
|
ipcp
|
Specifies the IP Control Protocol (IPCP) as the subnet allocation protocol.
|
file url
|
Specifies the external database file that contains the static bindings assigned by the DHCP server. The url argument specifies the location of the external database file.
|
subnet size initial size
|
(Optional) Specifies the initial size of the first requested subnet. You can enter size as either the subnet mask (nnnn.nnnn.nnnn.nnnn) or prefix size (/nn). The valid values are /0 and /4 to /30.
|
autogrow size
|
(Optional) Specifies that the pool can grow incrementally. The size argument is the size of the requested subnets when the pool requests additional subnets (upon detection of high utilization). You can enter size as either the subnet mask (nnnn.nnnn.nnnn.nnnn) or prefix size (/nn). The valid values are /0 and /4 to /30.
|
Defaults
The default size value is /0.
Command Modes
DHCP pool configuration
Command History
Release
|
Modification
|
12.2(8)T
|
This command was introduced.
|
12.3(11)T
|
The file keyword was added.
|
Usage Guidelines
If you do not configure the pool as an autogrow pool, the pool will not request additional subnets if one subnet is already in the pool.
Use the dhcp keyword to obtain subnets from DHCP, the aaa keyword to obtain subnets from the AAA server, and the ipcp keyword to obtain subnets from IPCP negotiation. If you expect that the utilization of the pool may grow over time, use the autogrow size option.
If a pool has been configured with the autogrow size option, ensure that the source server is capable of providing more than one subnet to the same pool. Even though the Cisco IOS software specifies the requested subnet size, it can accept any offered subnet size from the source server.
Examples
The following example shows how to configure an address pool named green to use DHCP as the subnet allocation protocol with an initial subnet size of 24 and an autogrow subnet size of 24:
origin dhcp subnet size initial /24 autogrow /24
The following example shows how to configure the location of the external text file:
origin file tftp://10.1.0.1/staticbindingfile
Related Commands
Command
|
Description
|
show ip dhcp pool
|
Displays information about the DHCP address pools.
|
password (DFP agent)
To configure a DFP agent password for MD5 authentication, use the password command in DFP agent configuration mode. To remove the DFP agent password, use the no form of this command.
password [0 | 7] password [timeout]
no password
Syntax Description
0
|
(Optional) Unencrypted password. This is the default setting.
|
7
|
(Optional) Encrypted password.
|
password
|
(Optional) Password value for MD5 authentication.
Note This password must match the password configured on the host agent.
|
timeout
|
(Optional) Delay period, in seconds, during which both the old password and the new password are accepted. The valid range is from 0 to 65535. The default is 180.
|
Defaults
No password is enabled.
Command Modes
DFP agent configuration
Command History
Release
|
Modification
|
12.1(8a)E
|
This command was introduced.
|
12.2(14)S
|
This command was integrated into Cisco IOS Release 12.2(14)S.
|
12.3(4)T
|
This command was integrated into Cisco IOS Release 12.3(4)T.
|
Usage Guidelines
The timeout option allows you to change the password without stopping messages between the DFP agent and its manager. The default value is 180 seconds.
During the timeout, the agent sends packets with the old password (or null, if there is no old password), and receives packets with either the old or new password. After the timeout expires, the agent sends and receives packets only with the new password; received packets that use the old password are discarded.
If you are changing the password for an entire load-balanced environment, set a longer timeout. This allows enough time for you to update the password on all agents and servers before the timeout expires. It also prevents mismatches between agents and servers that have begun running the new password and agents, and servers on which you have not yet changed the old password.
Examples
The following example shows how to set the DFP agent password (unencrypted by default) to Cookies and the timeout to 360 seconds:
Router(config)# ip dfp agent slb
Router(config-dfp)# password Cookies 360
Related Commands
Command
|
Description
|
agent
|
Identifies a DFP agent to which IOS SLB can connect.
|
ip dfp agent
|
Identifies a DFP agent subsystem and initiates DFP agent configuration mode.
|
ip slb dfp
|
Configures DFP, supplies an optional password, and initiates DFP configuration mode.
|
replicate casa (firewall farm)
|
Configures a stateful backup of IOS SLB decision tables to a backup switch.
|
replicate casa (virtual server)
|
Configures a stateful backup of IOS SLB decision tables to a backup switch.
|
permit (IP)
To set conditions to allow a packet to pass a named IP access list, use the permit command in access list configuration mode. To remove a permit condition from an access list, use the no form of this command.
[sequence-number] permit source [source-wildcard]
[sequence-number] permit protocol source source-wildcard destination destination-wildcard
[option option-name] [precedence precedence] [tos tos] [log] [time-range time-range-name]
[fragments]
no sequence-number
no permit source [source-wildcard]
no permit protocol source source-wildcard destination destination-wildcard [option option-name]
[precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Internet Control Message Protocol (ICMP)
[sequence-number] permit icmp source source-wildcard destination destination-wildcard
[icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range
time-range-name] [fragments]
Internet Group Management Protocol (IGMP)
[sequence-number] permit igmp source source-wildcard destination destination-wildcard
[igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name]
[fragments]
Transmission Control Protocol (TCP)
[sequence-number] permit tcp source source-wildcard [operator [port]] destination
destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -}
flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name]
[fragments]
User Datagram Protocol (UDP)
[sequence-number] permit udp source source-wildcard [operator [port]] destination
destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range
time-range-name] [fragments]
Syntax Description
sequence-number
|
(Optional) Sequence number assigned to the permit statement. The sequence number causes the system to insert the statement in that numbered position in the access list.
|
source
|
Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
|
source-wildcard
|
Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:
• Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions that you want to ignore.
• Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
|
protocol
|
Name or number of an Internet protocol. The protocol argument can be one of the keywords eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range from 0 to 255 representing an Internet protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the ip keyword.
Note When the icmp, igmp, tcp, and udp keywords are entered, they must be followed with the specific command syntax that is shown for the ICMP, IGMP, TCP, and UDP forms of the permit command.
|
icmp
|
Permits only ICMP packets. When you enter the icmp keyword, you must use the specific command syntax shown for the ICMP form of the permit command.
|
igmp
|
Permits only IGMP packets. When you enter the igmp keyword, you must use the specific command syntax shown for the IGMP form of the permit command.
|
tcp
|
Permits only TCP packets. When you enter the tcp keyword, you must use the specific command syntax shown for the TCP form of the permit command.
|
udp
|
Permits only UDP packets. When you enter the udp keyword, you must use the specific command syntax shown for the UDP form of the permit command.
|
destination
|
Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the any keyword as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
|
destination-wildcard
|
Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
• Use a 32-bit quantity in four-part dotted-decimal format. Place 1s in the bit positions that you want to ignore.
• Use the any keyword as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
|
option option-name
|
(Optional) Packets can be filtered by IP Options, as specified by a number from 0 to 255, or by the corresponding IP Option name, as listed in Table 3 in the "Usage Guidelines" section.
|
precedence precedence
|
(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by a name.
|
tos tos
|
(Optional) Packets can be filtered by type of service (ToS) level, as specified by a number from 0 to 15, or by a name as listed in the "Usage Guidelines" section of the access-list (IP extended) command.
|
log
|
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
|
time-range time-range-name
|
(Optional) Name of the time range that applies to this permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
|
fragments
|
(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.
|
icmp-type
|
(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
|
icmp-code
|
(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
|
icmp-message
|
(Optional) ICMP packets can be filtered by an ICMP message type name or an ICMP message type and code name. The possible names are listed in the "Usage Guidelines" section of the access-list (IP extended) command.
|
igmp-type
|
(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (IP extended) command.
|
operator
|
(Optional) Compares source or destination ports. Operators include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard arguments, it must match the source port. If the operator is positioned after the destination and destination-wildcard arguments, it must match the destination port.
The range operator requires two port numbers. Up to ten port numbers can be enter |