-
Cisco IOS IPv6 Command Reference
-
Introduction
-
aaa accounting multicast default through clear ipv6 mobile home-agents
-
clear ipv6 mobile traffic through debug bgp vpnv6 unicast
-
debug crypto ipv6 ipsec through debug ipv6 pim
-
debug ipv6 pim df-election through ip http server
-
ip name-server through ipv6 general-prefix
-
ipv6 hello-interval eigrp through ipv6 mld static-group
-
ipv6 mobile home-agent (global configuration) through ipv6 ospf database-filter all out
-
ipv6 ospf dead-interval through ipv6 split-horizon eigrp
-
ipv6 summary-address eigrp through mpls ldp router-id
-
mpls traffic-eng auto-bw timers through route-map
-
router-id (IPv6) through show bgp ipv6 labels
-
show bgp ipv6 neighbors through show crypto isakmp peers
-
show crypto isakmp policy through show ipv6 eigrp neighbors
-
show ipv6 eigrp topology through show ipv6 nat statistics
-
show ipv6 nat translations through show ipv6 protocols
-
show ipv6 rip through snmp-server host
-
snmp-server user through vrf forwarding
-
Table Of Contents
aaa accounting multicast default
aaa authorization multicast default
area virtual-link authentication
clear bgp ipv6 flap-statistics
Cisco IOS IPv6 Commands
aaa accounting multicast default
To enable authentication, authorization, and accounting (AAA) accounting of IPv6 multicast services for billing or security purposes when you use RADIUS, use the aaa accounting multicast default command in global configuration mode. To disable AAA accounting for IPv6 multicast services, use the no form of this command.
aaa accounting multicast default [start-stop | stop-only] [broadcast] [method1] [method2] [method3] [method4]
no aaa accounting multicast default [start-stop | stop-only] [broadcast] [method1] [method2] [method3] [method4]
Syntax Description
Command Default
AAA accounting for multicast is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Note
Including information about IPv6 addresses in accounting and authorization records transmitted between the router and the RADIUS or TACACS+ server is supported. However, there is no support for using IPv6 to communicate with that server. The server must have an IPv4 address.
Use the aaa accounting multicast default command to enable AAA accounting for multicast. The network access server reports user activity to the RADIUS security server in the form of accounting records. Each accounting record contains accounting attribute-value (AV) pairs and is stored on the security server.
Method lists for accounting define the way accounting will be performed. Named accounting method lists enable you to designate a particular security protocol to be used on specific lines or interfaces for particular types of accounting services. When using the aaa accounting multicast default command, you have the option of choosing one or all four existing named access lists, each of which specifies a RADIUS host or server group.
If the aaa accounting multicast default command for a particular accounting type is issued without a named method list specified, the default method list is automatically applied to all interfaces or lines (where this accounting type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no accounting takes place.
For minimal accounting, include the stop-only keyword to send a "stop" record accounting notice at the end of the requested user process. For more accounting, you can include the start-stop keyword, so that RADIUS sends a "start" accounting notice at the beginning of the requested process and a "stop" accounting notice at the end of the process. Accounting is stored only on the RADIUS.
When AAA accounting is activated, the network access server monitors RADIUS accounting attributes pertinent to the connection. The network access server reports these attributes as accounting records, which are then stored in an accounting log on the security server. For a list of supported RADIUS accounting attributes, refer to the appendix "RADIUS Attributes" in the Cisco IOS Security Configuration Guide.
Examples
The following example enables AAA accounting of IPv6 multicast services for billing or security purposes when RADIUS is used:
Router(config)# aaa accounting multicast defaultRelated Commands
aaa authorization multicast default
Sets parameters that restrict user access to an IPv6 network.
aaa authorization multicast default
To enable authentication, authorization, and accounting (AAA) authorization and set parameters that restrict user access to an IPv6 multicast network, use the aaa authorization multicast default command in global configuration mode. To disable authorization for a function, use the no form of this command.
aaa authorization multicast default [method]
no aaa authorization multicast default [method]
Syntax Description
method3, method4
(Optional) Specifies one or two authorization methods that can be used for authorization. A method may be any one of the keywords listed in Table 8.
Command Default
Authorization is disabled for all actions.
Command Modes
Global configuration
Command History
Usage Guidelines
Note
Use the aaa authorization multicast default command to enable authorization. Method lists for authorization define the ways authorization will be performed and the sequence in which these methods will be performed. A method list is a named list describing the authorization methods to be used, in sequence. Method lists enable you to designate one or more security protocols to be used for authorization, thus ensuring a backup system in case the initial method fails. Cisco IOS IPv6 software uses the first method listed to authorize users for specific network services; if that method fails to respond, the Cisco IOS IPv6 software selects the next method listed in the method list. This process continues until there is successful communication with a listed authorization method, or all methods defined are exhausted.
Note
If the aaa authorization multicast default command for a particular authorization type is issued without a named method list specified, the default method list is automatically applied to all lines or interfaces (where this authorization type applies) except those that have a named method list explicitly defined. (A defined method list overrides the default method list.) If no default method list is defined, then no authorization takes place.
Note
Method keywords are described in Table 8.
Cisco IOS IPv6 software supports the following methods for authorization:
•
•
•
•
Method lists are specific to the type of authorization being requested. AAA supports the following different types of authorization:
•
•
•
•
•
The authorization command causes a request packet containing a series of AV pairs to be sent to the RADIUS daemon as part of the authorization process. The daemon can do one of the following:
•
•
•
For a list of supported RADIUS attributes, refer to the appendix "RADIUS Attributes" in the Cisco IOS Security Configuration Guide.
Examples
The following example enables AAA authorization and sets default parameters that restrict user access to an IPv6 multicast network:
Router(config)# aaa authorization multicast defaultRelated Commands
aaa new-model
To enable the authentication, authorization, and accounting (AAA) access control model, issue the aaa new-model command in global configuration mode. To disable the AAA access control model, use the no form of this command.
aaa new-model
no aaa new-model
Syntax Description
This command has no arguments or keywords.
Command Default
AAA is not enabled.
Command Modes
Global configuration
Command History
Usage Guidelines
This command enables the AAA access control system.
Examples
The following example initializes AAA:
aaa new-modelRelated Commands
accept-lifetime
To set the time period during which the authentication key on a key chain is received as valid, use the accept-lifetime command in key chain key configuration mode. To revert to the default value, use the no form of this command.
accept-lifetime start-time {infinite | end-time | duration seconds}
no accept-lifetime [start-time {infinite | end-time | duration seconds}]
Syntax Description
Command Default
Forever (the starting time is January 1, 1993, and the ending time is infinite)
Command Modes
Key chain key configuration
Command History
Usage Guidelines
Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains.
Specify a start-time value and one of the following values: infinite, end-time, or duration seconds.
We recommend running Network Time Protocol (NTP) or some other time synchronization method if you assign a lifetime to a key.
If the last key expires, authentication will continue and an error message will be generated. To disable authentication, you must manually delete the last valid key.
Examples
The following example configures a key chain called keychain1. The key named string1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named string2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or discrepancies in the set time of the router. There is a 30-minute leeway on each side to handle time differences.
interface ethernet 0ip rip authentication key-chain keychain1ip rip authentication mode md5!router ripnetwork 172.19.0.0version 2!key chain keychain1key 1key-string string1accept-lifetime 13:30:00 Jan 25 1996 duration 7200send-lifetime 14:00:00 Jan 25 1996 duration 3600key 2key-string string2accept-lifetime 14:30:00 Jan 25 1996 duration 7200send-lifetime 15:00:00 Jan 25 1996 duration 3600Related Commands
address (Mobile IPv6)
To specify the home address of the IPv6 mobile node, use the address command in home-agent configuration mode or IPv6 mobile router host configuration mode. To remove a host configuration, use the no form of this command.
address {ipv6-address | autoconfig}
no address
Syntax Description
Command Default
No home address is specified for the mobile router.
Command Modes
Home-agent configuration (config-ha)
IPv6 mobile router host configurationCommand History
12.4(11)T
This command was introduced.
12.4(20)T
IPv6 network mobility (NEMO) functionality was added.
Usage Guidelines
The address command in IPv6 home-agent configuration mode specifies the home address of the mobile node. The ipv6-address argument can be used to configure a specific IPv6 address, or the autoconfig keyword can be used to allow any IPv6 address as the home address of the IPv6 mobile node.
Do not configure two separate groups with the same IPv6 address. For example, host group group1 and host group group2 cannot both have the same home address of baba::1.
When the address command is configured with a specific IPv6 address, the nai command, which configures the network address identifier (NAI), cannot be configured using the @realm argument. For example, the following nai command configuration would not be valid because the address command is configured with the specific address baba::1:
host group engineeringnai @cisco.comaddress baba::1Examples
In the following example, the user enters home agent configuration mode, creates a host group named group1, and configures any IPv6 address to be used for the mobile node:
Router(config)# ipv6 mobile home-agentRouter(config-ha)# host group group1Router(config-ha)# address autoconfigRelated Commands
address-family ipv4 (BGP)
To enter address family or router scope address family configuration mode to configure a routing session using standard IP Version 4 address prefixes, use the address-family ipv4 command in router configuration or router scope configuration mode. To exit address family configuration mode and remove the IPv4 address family configuration from the running configuration, use the no form of this command.
Syntax Available Under Router Configuration Mode
address-family ipv4 [mdt | multicast | tunnel | unicast [vrf vrf-name] | vrf vrf-name]
no address-family ipv4 [mdt | multicast | tunnel | unicast [vrf vrf-name] | vrf vrf-name]
Syntax Available Under Router Scope Configuration Mode
address-family ipv4 [mdt | multicast | unicast]
no address-family ipv4 [mdt | multicast | unicast]
Syntax Description
Command Default
IP Version 4 address prefixes are not enabled.
Command Modes
Router configuration (config-router)
Router scope configuration (config-router-scope)Command History
Usage Guidelines
The address-family ipv4 command replaces the match nlri and set nlri commands. The address-family ipv4 command places the router in address family configuration mode (prompt: config-router-af), from which you can configure routing sessions that use standard IP Version 4 address prefixes. To leave address family configuration mode and return to router configuration mode, type exit.
Note
The tunnel keyword is used to enable the tunnel subaddress family identifier (SAFI) under the IPv4 address family identifier. This SAFI is used to advertise the tunnel endpoints and the SAFI-specific attributes (which contain the tunnel type and tunnel capabilities). Redistribution of tunnel endpoints into the BGP IPv4 tunnel SAFI table occurs automatically when the tunnel address family is configured. However, peers need to be activated under the tunnel address family before the sessions can exchange tunnel information.
The mdt keyword is used to enable the MDT SAFI under the IPv4 address family identifier. This SAFI is used to advertise tunnel endpoints for inter-AS multicast VPN peering sessions.
In Cisco IOS Release 12.2(33)SRB and later releases, the ability to use address family configuration under the router scope configuration mode was introduced. The scope hierarchy can be defined for BGP routing sessions and is required to support Multi-Topology Routing (MTR). To enter the router scope configuration mode, use the scope command, which can apply globally or for a specific VRF. When using the scope for a specific VRF, only the unicast keyword is available.
Examples
The following example places the router in address family configuration mode for the IP Version 4 address family:
Router(config)# router bgp 50000Router(config-router)# address-family ipv4Router(config-router-af)#Multicast Example
The following example places the router in address family configuration mode and specifies only multicast address prefixes for the IP Version 4 address family:
Router(config)# router bgp 50000Router(config-router)# address-family ipv4 multicastRouter(config-router-af)#Unicast Example
The following example places the router in address family configuration mode and specifies unicast address prefixes for the IP Version 4 address family:
Router(config)# router bgp 50000Router(config-router)# address-family ipv4 unicastRouter(config-router-af)#VRF Example
The following example places the router in address family configuration mode and specifies cisco as the name of the VRF instance to associate with subsequent IP Version 4 address family configuration mode commands:
Router(config)# router bgp 50000Router(config-router)# address-family ipv4 vrf ciscoRouter(config-router-af)#
Note
Tunnel Example
The following example places the router in tunnel address family configuration mode:
Router(config)# router bgp 100Router(config-router)# address-family ipv4 tunnelRouter(config-router-af)#MDT Example
The following example shows how to configure a router to support an IPv4 MDT address-family session:
Router(config)# router bgp 45000Router(config-router)# address-family ipv4 mdtRouter(config-router-af)#Router Scope Configuration Mode Example
The following example shows how to configure the IPv4 address family under router scope configuration mode. In this example, the scope hierarchy is enabled globally. The router enters router scope address family configuration mode, and only multicast address prefixes for the IP Version 4 address family are specified:
Router(config)# router bgp 50000Router(config-router)# scope globalRouter(config-router-scope)# address-family ipv4 multicastRouter(config-router-scope-af)#Related Commands
address-family ipv6
To enter address family configuration mode for configuring routing sessions such as Border Gateway Protocol (BGP) that use standard IPv6 address prefixes, use the address-family ipv6 command in router configuration mode. To disable address family configuration mode, use the no form of this command.
address-family ipv6 [vrf vrf-name] [unicast | multicast | vpnv6]
no address-family ipv6 [vrf vrf-name] [unicast | multicast | vpnv6]
Syntax Description
Command Default
IPv6 address prefixes are not enabled. Unicast address prefixes are the default when IPv6 address prefixes are configured.
Note
Command Modes
Router configuration
Command History
Usage Guidelines
The address-family ipv6 command places the router in address family configuration mode (prompt: config-router-af), from which you can configure routing sessions that use standard IPv6 address prefixes.
Within address family configuration mode, use the question mark (?) online help function to display supported commands. The BGP commands supported in address family configuration mode configure the same functionality as the BGP commands supported in router configuration mode; however, the BGP commands in router configuration mode configure functionality only for the IPv4 unicast address prefix. To configure BGP commands and functionality for other address family prefixes (for example, the IPv4 multicast or IPv6 unicast address prefixes), you must enter address family configuration mode for those address prefixes using the address-family ipv4 command or the address-family ipv6 command.
Use the multicast keyword to specify an administrative distance for multicast BGP routes to be used in reverse path forwarding (RPF) lookups.
Examples
The following example places the router in address family configuration mode and specifies unicast address prefixes for the IPv6 address family:
Router(config)# router bgp 100Router(config-router)# address-family ipv6 unicastThe following example places the router in address family configuration mode and specifies multicast address prefixes for the IPv6 address family:
Router(config)# router bgp 100Router(config-router)# address-family ipv6 multicastRelated Commands
address-family ipv6 (IS-IS)
To enter address family configuration mode for configuring Intermediate System-to-Intermediate System (IS-IS) routing sessions that use standard IPv6 address prefixes, use the address-family ipv6 command in router configuration mode. To reset all IPv6-specific global configuration values to their default values, use the no form of this command.
address-family ipv6 [unicast]
no address-family ipv6 [unicast]
Syntax Description
Command Default
IPv6 address prefixes are not enabled. Unicast address prefixes are the default when IPv6 address prefixes are configured.
Command Modes
Router configuration
Command History
Usage Guidelines
The address-family ipv6 command places the router in address family configuration mode (prompt: config-router-af), from which you can configure IPv6-specific settings. To leave address family configuration mode and return to router configuration mode, enter the exit-address-family command.
Within address family configuration mode, use the question mark (?) online help function to display supported commands. Many of the IS-IS commands supported in address family configuration mode are identical in syntax to IS-IS commands supported in router configuration mode. Note that commands issued in address family configuration mode apply to IPv6 only, while the matching commands in router configuration mode are IPv4-specific.
Examples
The following example places the router in address family configuration mode for IS-IS and specifies unicast address prefixes for the IPv6 address family:
Router(config)# router isis area01Router(config-router)# address-family ipv6 unicastaddress-family vpnv6
To place the router in address family configuration mode for configuring routing sessions, such as Border Gateway Protocol (BGP), that use standard VPNv6 address prefixes, use the address-family vpnv6 command in router BGP configuration mode. To disable address family configuration mode, use the no form of this command.
address-family vpnv6 [unicast]
no address-family vpnv6 [unicast]
Syntax Description
Command Default
VPN Version 6 address prefixes are not enabled. Unicast address prefixes are the default when VPN Version 6 address prefixes are configured.
Command Modes
Router BGP configuration
Command History
Usage Guidelines
The address-family vpnv6 command places the router in address family configuration mode, from which you can configure routing sessions that use VPN Version 6 address prefixes. An address family must be configured for each VPN routing/forwarding (VRF) on a provider edge (PE) router. Furthermore, a separate address family must be configured for carrying VPN-IPv6 routes between PE routers.
Examples
The following example places the router in address family configuration mode for the VPN Version 6 address family:
Router(config)# router bgp 100Router(config-router)# address-family vpnv6Related Commands
adjacency-check
To allow Intermediate System-to-Intermediate System (IS-IS) IPv6 or IPv4 protocol-support consistency checks performed on hello packets, use the adjacency-check command in address family configuration or router configuration mode. To disable consistency checks on hello packets, use the no form of this command.
adjacency-check
no adjacency-check
Syntax Description
This command has no arguments or keywords.
Command Default
The feature is enabled.
Command Modes
Address family configuration
Router configurationCommand History
Usage Guidelines
IS-IS performs consistency checks on hello packets and will form an adjacency only with a neighboring router that supports the same set of protocols. A router running IS-IS for both IPv4 and IPv6 will not form an adjacency with a router running IS-IS for IPv4 only.
Use the no adjacency-check command in address-family configuration mode to suppress the consistency checks for IPv6 IS-IS and allow an IPv4 IS-IS router to form an adjacency with a router running IPv4 IS-IS and IPv6. IS-IS will never form an adjacency between a router running IPv4 IS-IS only and a router running IPv6 only.
Use the no adjacency-check command in router configuration mode to suppress the IPv4 subnet consistency check and allow IS-IS to form an adjacency with other routers regardless of whether or not they have an IPv4 subnet in common. By default, IS-IS makes checks in hello packets for IPv4 address subnet matching with a neighbor. In multitopology mode, the IPv4 subnet consistency check is automatically suppressed.
Tip
Examples
In the following example, the network administrator wants to introduce IPv6 into an existing IPv4 IS-IS network. To ensure that the checking of hello packet checks from adjacent neighbors is disabled until all the neighbor routers are configured to use IPv6, the network administrator enters the no adjacency-check command.
Router(config)# router isisRouter(config-router)# address-family ipv6Router(config-router-af)# no adjacency-checkIn IPv4, the following example shows that the network administrator wants to introduce IPv6 into an existing IPv4 IS-IS network. To ensure that the checking of hello packet checks from adjacent neighbors is disabled until all the neighbor routers are configured to use IPv6, the network administrator enters the no adjacency-check command.
Router(config)# router isisRouter(config-router-af)# no adjacency-checkaggregate-address
To create an aggregate entry in a Border Gateway Protocol (BGP) database, use the aggregate-address command in address family or router configuration mode. To disable this function, use the no form of this command.
aggregate-address address mask [as-set] [summary-only] [suppress-map map-name] [advertise-map map-name] [attribute-map map-name]
no aggregate-address address mask [as-set] [summary-only] [suppress-map map-name] [advertise-map map-name] [attribute-map map-name]
Syntax Description
Command Default
The atomic aggregate attribute is set automatically when an aggregate route is created with this command unless the as-set keyword is specified.
Command Modes
Address family configuration
Router configurationCommand History
Usage Guidelines
You can implement aggregate routing in BGP and mBGP either by redistributing an aggregate route into BGP or mBGP, or by using the conditional aggregate routing feature.
Using the aggregate-address command with no keywords will create an aggregate entry in the BGP or mBGP routing table if any more-specific BGP or mBGP routes are available that fall within the specified range. (A longer prefix which matches the aggregate must exist in the RIB.) The aggregate route will be advertised as coming from your autonomous system and will have the atomic aggregate attribute set to show that information might be missing. (By default, the atomic aggregate attribute is set unless you specify the as-set keyword.)
Using the as-set keyword creates an aggregate entry using the same rules that the command follows without this keyword, but the path advertised for this route will be an AS_SET consisting of all elements contained in all paths that are being summarized. Do not use this form of the aggregate-address command when aggregating many paths, because this route must be continually withdrawn and updated as autonomous system path reachability information for the summarized routes changes.
Using the summary-only keyword not only creates the aggregate route (for example, 192.*.*.*) but also suppresses advertisements of more-specific routes to all neighbors. If you want to suppress only advertisements to certain neighbors, you may use the neighbor distribute-list command, with caution. If a more-specific route leaks out, all BGP or mBGP routers will prefer that route over the less-specific aggregate you are generating (using longest-match routing).
Using the suppress-map keyword creates the aggregate route but suppresses advertisement of specified routes. You can use the match clauses of route maps to selectively suppress some more-specific routes of the aggregate and leave others unsuppressed. IP access lists and autonomous system path access lists match clauses are supported.
Using the advertise-map keyword selects specific routes that will be used to build different components of the aggregate route, such as AS_SET or community. This form of the aggregate-address command is useful when the components of an aggregate are in separate autonomous systems and you want to create an aggregate with AS_SET, and advertise it back to some of the same autonomous systems. You must remember to omit the specific autonomous system numbers from the AS_SET to prevent the aggregate from being dropped by the BGP loop detection mechanism at the receiving router. IP access lists and autonomous system path access lists match clauses are supported.
Using the attribute-map keyword allows attributes of the aggregate route to be changed. This form of the aggregate-address command is useful when one of the routes forming the AS_SET is configured with an attribute such as the community no-export attribute, which would prevent the aggregate route from being exported. An attribute map route map can be created to change the aggregate attributes.
Examples
AS-Set Example
In the following example, an aggregate BGP address is created in router configuration mode. The path advertised for this route will be an AS_SET consisting of all elements contained in all paths that are being summarized.
Router(config)# router bgp 50000Router(config-router)# aggregate-address 10.0.0.0 255.0.0.0 as-setSummary-Only Example
In the following example, an aggregate BGP address is created in address family configuration mode and applied to the multicast database (SAFI) under the IP Version 4 address family. Because the summary-only keyword is configured, more-specific routes are filtered from updates.
Router(config)# router bgp 50000Router(config-router)# address-family ipv4 multicastRouter(config-router-af)# aggregate-address 10.0.0.0 255.0.0.0 summary-onlyConditional Aggregation Example
In the following example, a route map called MAP-ONE is created to match on an as-path access list. The path advertised for this route will be an AS_SET consisting of elements contained in paths that are matched in the route map.
Router(config)# ip as-path access-list 1 deny ^1234_Router(config)# ip as-path access-list 1 permit .*Router(config)# !Router(config)# route-map MAP-ONERouter(config-route-map)# match ip as-path 1Router(config-route-map)# exitRouter(config)# router bgp 50000Router(config-router)# address-family ipv4Router(config-router-af)# aggregate-address 10.0.0.0 255.0.0.0 as-set advertise-map MAP-ONERouter(config-router-af)# endRelated Commands
allow-connections
To allow connections between specific types of endpoints in a VoIP network, use the allow-connections command in voice service configuration mode. To refuse specific types of connections, use the no form of this command.
allow-connections from-type to to-type
no allow-connections from-type to to-type
Syntax Description
Command Default
Cisco IOS Release 12.3(4)T, Cisco IOS Release 12.3, and Earlier Releases
H.323-to-H.323 connections are enabled by default and cannot be changed, and POTS-to-any and any-to-POTS connections are disabled.
Cisco IOS Release 12.3(7)T and Later Releases
H.323-to-H.323 connections are disabled by default and can be changed, and POTS-to-any and any-to-POTS connections are enabled.
H.323-to-SIP Connections
H.323-to-SIP and SIP-to-H.323 connections are disabled by default, and POTS-to-any and any-to-POTS connections are enabled.
SIP-to-SIP Connections
SIP-to-SIP connections are disabled by default, and POTS-to-any and any-to-POTS connections are enabled.
Command Modes
Voice service configuration
Command History
Usage Guidelines
Cisco IOS Release 12.3(4)T, Cisco IOS Release 12.3, and Earlier Releases
This command is used to allow connections between specific types of endpoints in a Cisco multiservice IP-to-IP gateway. The command is enabled by default and cannot be changed. Connections to or from POTS endpoints are not allowed. Only H.323-to-H.323 connections are allowed.
Cisco IOS Release 12.3(7)T and Later Releases
This command is used with Cisco Unified Communications Manager Express 3.1 or later systems and with the Cisco Multiservice IP-to-IP Gateway feature. In Cisco Unified Communications Manager Express, the allow-connections command enables the VoIP-to-VoIP connections used for hairpin call routing or routing to an H.450 tandem gateway.
Examples
The following example specifies that connections between H.323 and SIP endpoints are allowed:
Router(config-voi-serv)# allow-connections h323 to sipThe following example specifies that connections between H.323 endpoints are allowed:
Router(config-voi-serv)# allow-connections h323 to h323
The following example specifies that connections between SIP endpoints are allowed:
Router(config-voi-serv)# allow-connections sip to sip
Related Commands
anat
To enable Alternative Network Address Types (ANAT) on a Session Initiation Protocol (SIP) trunk, use the anat command in voice service SIP configuration mode or dial peer configuration mode. To disable ANAT on SIP trunks, use the no form of this command.
anat
no anat
Syntax Description
This command has no arguments or keywords.
Command Default
ANAT is enabled on SIP trunks.
Command Modes
Voice service voip-sip configuration (conf-serv-sip)
Dial peer configurationCommand History
Usage Guidelines
Both the Cisco IOS SIP gateway and the Cisco Unified Border Element are required to support Session Description Protocol (SDP) ANAT semantics for SIP IPv6 sessions. SDP ANAT semantics are intended to address scenarios that involve different network address families (for example, different IP versions). Media lines grouped using ANAT semantics provide alternative network addresses of different families for a single logical media stream. The entity creating a session description with an ANAT group must be ready to receive or send media over any of the grouped "m" lines.
By default, ANAT is enabled on SIP trunks. However, if the SIP gateway is configured in IPv4-only or IPv6-only mode, the gateway will not use ANAT semantics in its SDP offer.
Examples
The following example enables ANAT on a SIP trunk:
Router(conf-serv-sip)# anatarea authentication (IPv6)
To enable authentication for an Open Shortest Path First (OSPF) area, use the area authentication command in router configuration mode. To remove an authentication specification of an area or a specified area from the configuration, use the no form of this command.
area area-id authentication ipsec spi spi {md5 | sha1} [key-encryption-type] key
no area area-id authentication ipsec spi spi
Syntax Description
Command Default
Key encryption type 0: key is not encrypted.
Command Modes
Router configuration
Command History
Usage Guidelines
Ensure that the same policy (the SPI and the key) is configured on all of the interfaces on the link. SPI values may be automatically used by other client applications, such as tunnels.
The policy database is common to all client applications on a box. This means that two IPSec clients, such as OSPF and a tunnel, cannot use the same SPI. Additionally, an SPI can only be used in one policy.
Beginning with Cisco IOS Release 12.4(4)T, the sha-1 keyword can be used to choose SHA-1 authentication instead of entering the md5 keyword to use MD5 authentication. The SHA-1 algorithm is considered to be somewhat more secure than the MD5 algorithm, and requires a 40 hex digit (20-byte) key rather than the 32 hex digit (16-byte) key that is required for MD5 authentication.
Examples
The following example enables authentication for the OSPF area 1:
area 1 authentication ipsec spi 678 md5 1234567890ABCDEF1234567890ABCDEFThe following example enables SHA-1 authentication for the OSPF area 0:
area 0 authentication ipsec spi 1000 sha1 1234567890123456789012345678901234567890area encryption
To enable encryption for an Open Shortest Path First (OSPF) area, use the area encryption command in router configuration mode. To remove an encryption specification of an area or a specified area from the configuration, use the no form of this command.
area area-id encryption ipsec spi spi esp encryption-algorithm [[key-encryption-type] key] authentication-algorithm [key-encryption-type] key
no area area-id encryption ipsec spi spi
Syntax Description
Command Default
Authentication and encryption are not enabled.
Command Modes
Router configuration
Command History
Usage Guidelines
When the area encryption command is enabled, both authentication and encryption are enabled. However, when you use an encryption command such as area encryption, you may not also use an authentication command (such as area authentication or area virtual-link authentication) at the same time.
In IPv6, security is implemented using two IPv6 extension headers—the authentication header (AH) and ESP header. AH is used to provide connectionless integrity and data origin authentication for IPv6 datagrams, whereas ESP is used to provide confidentiality, connectionless integrity, data origin authentication, an antireplay service, and limited traffic flow confidentiality.
In OSPF for IPv6, authentication fields have been removed from OSPF packet headers. OSPF for IPv6 relies on the IPv6 extension headers, AH and ESP, to ensure integrity, authentication, and confidentiality of routing exchanges.
Examples
The following example provides ESP with no encryption and enables MD5 authentication on OSPF area 1:
Router(config-rtr)# area 1 encryption ipsec spi 500 esp null md5 1aaa2bbb3ccc4ddd5eee6fff7aaa8bbbRelated Commands
area range
To consolidate and summarize routes at an area boundary, use the area range command in router configuration mode. To disable this function, use the no form of this command.
area area-id range ipv6-prefix /prefix-length [advertise | not-advertise] [cost cost]
no area area-id range ipv6-prefix /prefix-length [advertise | not-advertise] [cost cost]
Syntax Description
Command Default
This command is disabled by default.
Command Modes
Router configuration
Command History
Usage Guidelines
The area range command is used only with Area Border Routers (ABRs). It is used to consolidate or summarize routes for an area. The result is that a single summary route is advertised to other areas by the ABR. Routing information is condensed at area boundaries. External to the area, a single route is advertised for each address range. This behavior is called route summarization.
Multiple area router configuration commands specifying the range option can be configured. Thus, OSPF can summarize addresses for many different sets of address ranges.
This command has been modified for Open Shortest Path First (OSPF) for IPv6. Users can now enter the IPv6 address syntax.
Note
Examples
The following example specifies one summary route to be advertised by the ABR to other areas for all subnets on network 10.0.0.0 and for all hosts on network 192.168.110.0:
interface Ethernet0/0no ip addressipv6 enableipv6 ospf 1 area 1!ipv6 router ospf 1router-id 192.168.255.5log-adjacency-changesarea 1 range 2001:0DB8:0:1::/64The following example shows the IPv6 address syntax:
Router(config-rtr)# area 1 range ?X:X:X:X::X/<0-128> IPv6 prefix x:x::y/zarea virtual-link
To define an Open Shortest Path First (OSPF) virtual link, use the area virtual-link command in router address family topology or router configuration mode. To remove a virtual link, use the no form of this command.
area area-id virtual-link router-id [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] [ttl-security hops hop-count]
no area area-id virtual-link router-id
Syntax Description
Command Default
No OSPF virtual link is defined.
Command Modes
Router address family topology configuration (config-router-af-topology)
Router configuration (config-router)Command History
Usage Guidelines
In OSPF, all areas must be connected to a backbone area. If the connection to the backbone is lost, it can be repaired by establishing a virtual link.
The smaller the hello interval, the faster topological changes will be detected, but more routing traffic will ensue. The setting of the retransmit interval should be conservative, or needless retransmissions will result. The value should be larger for serial lines and virtual links.
The transmit delay value should take into account the transmission and propagation delays for the interface.
To configure a virtual link in OSPF for IPv6, you must use a router ID instead of an address. In OSPF for IPv6, the virtual link takes the router ID rather than the IPv6 prefix of the remote router.
Use the ttl-security hops hop-count keywords and argument to enable checking of TTL values on OSPF packets from neighbors or to set TTL values sent to neighbors. This feature adds an extra layer of protection to OSPF.
Note
Note
Release 12.2(33)SRB
If you plan to configure the Multi-Topology Routing (MTR) feature, you need to enter the area virtual-link command in router address family topology configuration mode in order for this OSPF router configuration command to become topology-aware.
Examples
The following example establishes a virtual link with default values for all optional parameters:
ipv6 router ospf 1log-adjacency-changesarea 1 virtual-link 192.168.255.1The following example establishes a virtual link in OSPF for IPv6:
ipv6 router ospf 1log-adjacency-changesarea 1 virtual-link 192.168.255.1 hello-interval 5area virtual-link authentication
To enable authentication for virtual links in an Open Shortest Path First (OSPF) area, use the area virtual-link authentication command in router configuration mode. To remove authentication from an area, use the no form of this command.
area area-id virtual-link router-id [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] authentication ipsec spi spi authentication-algorithm [key-encryption-type] key
no area area-id virtual-link router-id authentication ipsec spi spi
Syntax Description
Command Default
Authentication is not enabled on an area.
area-id: No area ID is predefined.
router-id: No router ID is predefined.
hello-interval seconds: 10 seconds
retransmit-interval seconds: 5 seconds
transmit-delay seconds: 1 second
dead-interval seconds: 40 secondsCommand Modes
Router configuration
Command History
Usage Guidelines
When you use an encryption command such as area encryption, you may not also use an authentication command (such as area authentication or area virtual-link authentication) at the same time.
In OSPF, all areas must be connected to a backbone area. If the connection to the backbone is lost, it can be repaired by establishing a virtual link.
To configure a virtual link in OSPF for IPv6, you must use a router ID instead of an address. In OSPF for IPv6, the virtual link takes the router ID rather than the IPv6 prefix of the remote router.
Examples
The following example enables authentication for virtual links in OSPF area 1. The router ID associated with the virtual link neighbor is 10.0.0.1, the IPSec SPI value is 940, and the authentication algorithm used is MD5:
Router(config)# ipv6 router ospf 1Router(config-rtr)# area 1 virtual-link 10.0.0.1 authentication ipsec spi 940 md5 1234567890ABCDEF1234567890ABCDEFRelated Commands
area authentication
Enables authentication for an OSPF area.
area encryption
Enables encryption for an OSPF area.
area virtual-link encryption
To enable encryption for virtual links in an Open Shortest Path First (OSPF) area, use the area virtual-link encryption command in router configuration mode. To remove encryption from an area, use the no form of this command.
area area-id virtual-link router-id [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] encryption ipsec spi spi esp encryption-algorithm [[key-encryption-type] key] authentication-algorithm [key-encryption-type] key
no area area-id virtual-link router-id encryption ipsec spi spi
Syntax Description
Command Default
Authentication and encryption are not enabled.
area-id: No area ID is predefined.
router-id: No router ID is predefined.
hello-interval seconds: 10 seconds
retransmit-interval seconds: 5 seconds
transmit-delay seconds: 1 second
dead-interval seconds: 40 secondsCommand Modes
Router configuration
Command History
Usage Guidelines
When the area virtual-link encryption command is enabled, both authentication and encryption are enabled. However, when you use an encryption command such as area encryption, you may not also use an authentication command (such as area authentication or area virtual-link authentication) at the same time.
Interface-level configuration takes precedence over an area configuration. If the interface configuration is removed, then an area configuration is applied to the interface. Authentication and encryption may be configured at the same time.
Examples
The following example enables encryption for virtual links in OSPF area 1. The router ID associated with the virtual link neighbor is 10.1.0.1, the IPSec SPI value is 3944, and the encryption algorithm used is SHA-1:
Router(config)# ipv6 router ospf 1Router(config-rtr)# area 1 virtual-link 10.1.0.1 hello-interval 2 dead-interval 10 encryption ipsec spi 3944 esp null sha1 123456789A123456789B123456789C123456789DRelated Commands
arp (interface)
To support a type of encapsulation for a specific network, such as Ethernet, Fiber Distributed Data Interface (FDDI), Frame Relay, and Token Ring, so that the 48-bit Media Access Control (MAC) address can be matched to a corresponding 32-bit IP address for address resolution, use the arp command in interface configuration mode. To disable an encapsulation type, use the no form of this command.
arp {arpa | frame-relay | snap}
no arp {arpa | frame-relay | snap}
Syntax Description
arpa
Standard Ethernet-style Address Resolution Protocol (ARP) (RFC 826).
frame-relay
Enables ARP over a Frame Relay encapsulated interface.
snap
ARP packets conforming to RFC 1042.
Defaults
Standard Ethernet-style ARP
Command Modes
Interface configuration
Command History
Usage Guidelines
Unlike most commands that have multiple arguments, the arp command has arguments that are not mutually exclusive. Each command enables or disables a specific type of encapsulation.
Given a network protocol address (IP address), the arp frame-relay command determines the corresponding hardware address, which would be a data-link connection identifier (DLCI) for Frame Relay.
The show interfaces command displays the type of encapsulation being used on a particular interface. To remove all nonstatic entries from the ARP cache, use the clear arp-cache command.
Examples
The following example enables Frame Relay services:
interface ethernet 0arp frame-relayRelated Commands
clear arp-cache
Deletes all dynamic entries from the ARP cache.
show interfaces
Displays statistics for all interfaces configured on the router or access server.
associate application sccp
To associate Skinny Client Control Protocol (SCCP) to the digital signal processor (DSP) farm profile, use the associate application sccp command in DSP farm profile configuration mode. To remove the protocol, use the no form of this command.
associate application sccp
no associate application sccp
Syntax Description
This command has no arguments or keywords.
Command Default
No SCCP is associated with the DSP farm profile.
Command Modes
DSP farm profile configuration
Command History
12.3(8)T
This command was introduced.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
12.4(22)T
Support for IPv6 was added.
Usage Guidelines
This command enables SCCP as the application control protocol used to interface with Cisco Unified CallManager.
Examples
The following example associates SCCP to the DSP farm profile:
Router(config-dspfarm-profile)# associate application sccpRelated Commands
associate profile
To associate a digital signal processor (DSP) farm profile with a Cisco CallManager group, use the associate profile command in SCCP Cisco CallManager configuration mode. To disassociate a DSP farm profile from a Cisco Unified CallManager, use the no form of this command.
associate profile profile-identifier register device-name
no associate profile profile-identifier register device-name
Syntax Description
Command Default
This command is not enabled.
Command Modes
SCCP Cisco CallManager configuration
Command History
Usage Guidelines
The device name must match the name configured in Cisco UnifiedCallManager; otherwise the profile is not registered to Cisco Unified CallManager.
Note
Examples
The following example associates DSP farm profile abgz12345 to Cisco CallManager group 999:
Router(config)# sccp ccm group 999Router(conif-sccp-ccm)# associate profile 1 register abgz12345Related Commands
atm route-bridged
To configure an interface to use the ATM routed bridge encapsulation (RBE), use the atm route-bridged command in interface configuration mode.
atm route-bridged protocol
Syntax Description
protocol
Protocol to be route-bridged. IP and IPv6 are the only protocols that can be route-bridged using ATM RBE.
Command Default
ATM routed bridge encapsulation is not configured.
Command Modes
ATM subinterface configuration
Command History
Usage Guidelines
Use this command to configure RBE on an ATM interface. The atm route-bridged command can also be used to integrate RBE with quality of service (QoS) features on the Cisco 800 and 1700 series routers.
Routing of IPv6 and IP Packets
IP and IPv6 packets can be routed using RBE only over ATM point-to-point subinterfaces.
Routing of IP packets and IPv6 half-bridging, bridging, PPP over Ethernet (PPPoE), or other Ethernet 802.3-encapsulated protocols can be configured on the same subinterface.
Router Advertisements with IPv6
Router advertisements are suppressed by default. For stateless autoconfiguration, router advertisements must be allowed with the no ipv6 nd suppress-ra command. For static configuration, router advertisement is not required; however, the aggregator should either have the RBE interface on the same subnet as the client or have a static IPv6 route to that subnet through the RBE interface.
Examples
IP Encapsulation Example
The following example configures ATM routed bridge encapsulation on an interface:
interface atm 4/0.100 point-to-pointip address 172.16.5.9 255.255.255.0atm route-bridged ippvc 0/32IPv6 Encapsulation Example
The following example shows a typical configuration on an RBE interface to allow routing of IPv6 encapsulated Ethernet packets. IPv6 packets sent out of the subinterface are encapsulated over Ethernet over the RBE interface.
interface ATM1/0.1 point-to-pointipv6 enableipv6 address 3FEE:12E1:2AC1:EA32::/64no ipv6 nd suppress-raatm route-bridged ipv6pvc 1/101In this example, the ipv6 enable command allows the routing of IPv6 packets. The ipv6 address command specifies an IPv6 address for the interface and an IPv6 prefix to be advertised to a peer. The no ipv6 nd ra suppress command enables router advertisements on the interface.
IPv6 Routing and Bridging of Other Traffic Example
The following example shows a configuration in which IPv6 packets are routed and all other packets are bridged.
interface ATM1/0.1 point-to-pointipv6 enableipv6 address 3FEE:12E1:2AC1:EA32::/64atm route-bridged ipv6bridge-group 1pvc 1/101IP and IPv6 Routing with Bridging of Other Protocols Example
IP and IPv6 routing can be configured on the same interface as shown in this example. All other packets are bridged. PPPoE could also be configured on this same interface.
interface ATM1/0.1 point-to-pointipv6 enableipv6 address 3FEE:12E1:2AC1:EA32::/64ip address 10.0.0.1 255.255.255.0atm route-bridged ipv6atm route-bridged ipbridge-group 1pvc 1/101Static Configuration Example
The following example shows the IPv6 static route configured. Unlike IP, the IPv6 interface on an aggregator is always numbered and, minimally, has a link local IPv6 address.
Router# configure terminalRouter(config)# ipv6 route 3FEE:12E1:2AC1:EA32::/64 atm1/0.3Router(config)# endshow ipv6 interface Example
Notice in this show ipv6 interface output display that each RBE link has its own subnet prefix. Unlike proxy ARP in IPv4 RBE configurations, the aggregator does not require proxy ND in IPv6 RBE deployments.
Router# show ipv6 interface atm1/0.1ATM1/0.1 is up, line protocol is upIPv6 is enabled, link-local address is FE80::203:FDFF:FE3B:B400Global unicast address(es):3FEE:12E1:2AC1:EA32::, subnet is 3FEE:12E1:2AC1:EA32::/64Joined group address(es):FF02::1FF02::2FF02::1:FF00:0FF02::1:FF3B:B400MTU is 4470 bytesICMP error messages limited to one every 100 millisecondsICMP redirects are enabledND DAD is enabled, number of DAD attempts: 1ND reachable time is 30000 millisecondsND advertised reachable time is 0 millisecondsND advertised retransmit interval is 0 millisecondsND router advertisements are sent every 200 secondsND router advertisements live for 1800 secondsHosts use stateless autoconfig for addressesIntegrated Class-Based Weighted Fair Queueing and RBE on ATM Example
The following partial example configures a single PVC using AAL5SNAP encapsulation and class-based routing for traffic shaping on the interface where RBE is enabled. The following CBWFQ parameters are configured: access-list with different IP precedence, class map, policy map, and service policy. Different bandwidth classes are configured in the same policy.
RBE base configuration:
interface FastEthernet0ip address 172.22.1.1 255.255.0.0!interface ATM0.1 point-to-pointip address 10.1.1.5 255.255.255.252atm route-bridged ippvc 88/800encapsulation aal5snap!interface ATM0.1 point-to-pointip address 10.1.1.1 255.255.255.252atm route-bridged ippvc 99/900encapsulation aal5snap!interface ATM0.1 point-to-pointip address 172.18.0.1 255.0.0.0pvc 100/1000!router eigrp 100network 10.1.0.0network 172.18.0.0network 172.22.0.0...CBWFQ configuration:
class-map match-all voicematch access-group 105!policy-map voicedatapolicyclass voicebandwidth 200class class-defaultfair-queuerandom-detect!interface Ethernet0ip address 172.25.1.1 255.0.0.0hold-queue 600 inhold-queue 100 out!interface ATM0no ip addressno atm ilmi-keepalivedsl operating-mode auto!interface ATM0.1 point-to-pointip address 10.2.3.4 255.255.255.0atm route-bridged ippvc 1/42protocol ip 10.2.3.5 broadcastvbr-nrt 300 300encapsulation aal5snapservice-policy output voicedatapolicy...Related Commands
no ipv6 nd ra suppress
Suppresses IPv6 router advertisement transmissions on a LAN interface.
authentication (IKE policy)
To specify the authentication method within an Internet Key Exchange (IKE) policy, use the authentication command in ISAKMP policy configuration mode. IKE policies define a set of parameters to be used during IKE negotiation. To reset the authentication method to the default value, use the no form of this command.
authentication {rsa-sig | rsa-encr | pre-share}
no authentication
Syntax Description
Command Default
The RSA signatures authentication method is used.
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify the authentication method to be used in an IKE policy.
If you specify RSA signatures, you must configure your peer routers to obtain certificates from a certification authority (CA).
If you specify RSA encrypted nonces, you must ensure that each peer has the other peer's RSA public keys. (See the crypto key pubkey-chain rsa, addressed-key, named-key, address, and commands.)
If you specify preshared keys, you must also separately configure these preshared keys. (See the crypto isakmp identity and crypto isakmp key commands.)
Examples
The following example configures an IKE policy with preshared keys as the authentication method (all other parameters are set to the defaults):
crypto isakmp policy 15authentication pre-shareexitRelated Commands
authentication (Mobile IPv6)
To specify the authentication properties for the IPv6 mobile node by creating either a unidirectional or bidirectional security parameter index (SPI), use the authentication command in home agent configuration mode or IPv6 mobile router host configuration mode. To remove these authentication properties, use the no form of this command.
authentication {inbound-spi {hex-in | decimal decimal-in} outbound-spi {hex-out | decimal decimal-out} | spi {hex-value | decimal decimal-value}} key {ascii string | hex string}[algorithm algorithm-type] [replay within seconds]
no authentication
Syntax Description
Command Default
No SPI is configured.
Command Modes
Home agent configuration
Command History
12.4(11)T
This command was introduced.
12.4(20)T
IPv6 network mobility (NEMO) functionality was added.
Usage Guidelines
The authentication command provides mobility message authentication by creating a mobility SPI, a key, an authentication algorithm, and a replay protection mechanism. Mobility message authentication option is used to authenticate binding update (BU) and binding acknowledgment (BA) messages based on the shared-key-based security association between the mobile node and the home agent.
The mobile node or home agent receiving this BU must verify the authentication data in the option. If authentication fails, the home agent must send a FAIL message. If the home agent does not have shared-key-based mobility SA, the home agent MUST discard the BU.
The mobility message replay protection option may be used in BU or BA messages when authenticated using the mobility message authentication option. The mobility message replay protection option, configured using the replay within keywords, is used to let the home agent verify that a BU has been freshly generated by the mobile node and not replayed by an attacker from some previous BU. This function is especially useful for cases in which the home agent does not maintain stateful information about the mobile node after the binding entry has been removed. The home agent performs the replay protection check after the BU has been authenticated. The mobility message replay protection option, when included, is used by the mobile node for matching the BA with the BU.
Examples
The following example shows a unidirectional SPI and a key:
authentication spi 500 key ascii ciscoRelated Commands
auto-cost (IPv6)
To control the reference value Open Shortest Path First (OSPF) for IPv6 uses when calculating metrics for interfaces, use the auto-cost command in router configuration mode. To return the reference value to its default, use the no form of this command.
auto-cost reference-bandwidth Mbps
no auto-cost reference-bandwidth
Syntax Description
reference-bandwidth Mbps
Rate in Mbps (bandwidth). The range is from 1 to 4294967; the default is 100.
Command Default
The reference value is 100 Mbps.
Command Modes
Router configuration
Command History
12.2(15)T
This command was introduced.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
The OSPF for IPv6 metric is calculated as the Mbps value divided by the bandwidth, with Mbps equal to 108 by default, and bandwidth determined by the bandwidth (interface) command. The calculation gives Fast Ethernet a metric of 1.
If you have multiple links with high bandwidth (such as Fast Ethernet or ATM), you might want to use a larger number to differentiate the cost on those links.
Using this formula, the default path costs were calculated as noted in the following bulleted list. If these values do not suit your network, you can use your own method of calculating path costs.
•
•
•
•
•
•
•
•
•
•
•
The value set by the ipv6 ospf cost command overrides the cost resulting from the auto-cost command.
Examples
The following example sets the auto-cost reference bandwidth to 1000 Mbps:
ipv6 router ospf 1auto-cost reference-bandwidth 1000Related Commands
ipv6 ospf cost
Explicitly specifies the cost of sending an IPv6 packet on an interface.
auto-enroll
To enable certificate autoenrollment, use the auto-enroll command in ca-trustpoint configuration mode. To disable certificate autoenrollment, use the no form of this command.
auto-enroll [percent] [regenerate]
no auto-enroll [percent] [regenerate]
Syntax Description
Command Default
Certificate autoenrollment is not enabled.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Use the auto-enroll command to automatically request a router certificate from the CA that is using the parameters in the configuration. This command will generate a new Rivest, Shamir, and Adelman (RSA) key only if a new key does not exist with the requested label.
A trustpoint that is configured for certificate autoenrollment will attempt to reenroll when the router certificate expires.
Use the regenerate keyword to provide seamless key rollover for manual certificate enrollment. A new key pair is created with a temporary name, and the old certificate and key pair are retained until a new certificate is received from the CA. When the new certificate is received, the old certificate and key pair are discarded and the new key pair is renamed with the name of the original key pair. Some CAs require a new key for reenrollment to work.
If the key pair being rolled over is exportable, the new key pair will also be exportable. The following comment will appear in the trustpoint configuration to indicate whether the key pair is exportable:
! RSA keypair associated with trustpoint is exportable
Note
Examples
The following example shows how to configure the router to autoenroll with the CA named "trustme1" on startup. In this example, the regenerate keyword is issued, so a new key will be generated for the certificate. The renewal percentage is configured as 90; so if the certificate has a lifetime of one year, a new certificate is requested 36.5 days before the old certificate expires.
crypto ca trustpoint trustme1enrollment url http://trustme1.example.com/subject-name OU=Spiral Dept., O=example1.comip-address ethernet0serial-number noneauto-enroll 90 regeneratepassword revokemersakeypair trustme1 2048exitcrypto ca authenticate trustme1Related Commands
crypto ca authenticate
Retrieves the CA certificate and authenticates it.
crypto ca trustpoint
Declares the CA that your router should use.
bandwidth (interface)
To set the inherited and received bandwidth values for an interface, use the bandwidth command in interface configuration mode. To restore the default values, use the no form of this command.
bandwidth {kbps | inherit [kbps] | receive [kbps]}
no bandwidth {kbps | inherit [kbps] | receive [kbps]}
Syntax Description
Command Default
Default bandwidth values are set during startup. The bandwidth values can be displayed using the show interfaces or show ipv6 interface command. If the receive keyword is not used, by default, the transmit and receive bandwidths are the same.
Command Modes
Interface configuration
Command History
Usage Guidelines
Bandwidth Information
The bandwidth command sets an informational parameter to communicate only the current bandwidth to the higher-level protocols; you cannot adjust the actual bandwidth of an interface using this command.
Note
Changing Bandwidth
For some media, such as Ethernet, the bandwidth is fixed; for other media, such as serial lines, you can change the actual bandwidth by adjusting hardware. For both classes of media, you can use the bandwidth command to communicate the current bandwidth to the higher-level protocols.
Bandwidth Inheritance
Before the introduction of the bandwidth inherit command option, when the bandwidth value was changed on the main interface, existing subinterfaces did not inherit the bandwidth value from the main interface. If the subinterface was created before the bandwidth was changed on the main interface, then the subinterface would receive the default bandwidth of the main interface, not the configured bandwidth. Additionally, if the router was subsequently reloaded, the bandwidth of the subinterface would then change to the bandwidth configured on the main interface.
The bandwidth inherit command controls how a subinterface inherits the bandwidth of its main interface. This functionality eliminates the inconsistencies related to whether the router has been reloaded and what the order was in entering the commands.
The no bandwidth inherit command enables all subinterfaces to inherit the default bandwidth of the main interface, regardless of the configured bandwidth. If a bandwidth is not configured on a subinterface, and you use the bandwidth inherit command, all subinterfaces will inherit the current bandwidth of the main interface. If you configure a new bandwidth on the main interface, all subinterfaces will use this new value.
If you do not configure a bandwidth on the subinterface and you configure the bandwidth inherit kbps command on the main interface, the subinterfaces will inherit the specified bandwidth.
In all cases, if an interface has an explicit bandwidth setting configured, then that interface will use that setting, regardless of whether the bandwidth inheritance setting is in effect.
Bandwidth Receipt
Some interfaces (such as ADSL, V.35, RS-449, and HSSI serial interfaces) can operate with different transmit and receive bandwidths. The bandwidth receive command permits this type of asymmetric operation. For example, for ADSL, the lower layer detects the two bandwidth values and configures the IDB accordingly. Other interface drivers, particularly serial interface cards on low- and midrange-platforms) can operate in this asymmetric bandwidth mode but cannot measure their clock rates. In these cases, administrative configuration is necessary for asymmetric operations.
Examples
The following example shows how to set the full bandwidth for DS3 transmissions:
Router(config)# interface serial 0Router(config-if)# bandwidth 44736The following example shows how to set the receive bandwidth:
Router(config)# interface serial 0Router(config-if)# bandwidth receive 1000Related Commands
show interfaces
Displays statistics for all interfaces configured on the router.
show ipv6 interface
Displays statistics for all interfaces configured on the IPv6 router.
bfd all-interfaces
To enable Bidirectional Forwarding Detection (BFD) for all interfaces participating in the routing process, use the bfd all-interfaces command in router configuration mode. To disable BFD for all interfaces, use the no form of this command.
bfd all-interfaces
no bfd all-interfaces
Syntax Description
This command has no arguments or keywords.
Command Default
BFD is not enabled on the interfaces participating in the routing process.
Command Modes
Router configuration
Command History
Usage Guidelines
There are two methods to configure routing protocols to use BFD for failure detection. To enable BFD for all neighbors of a routing protocol, enter the bfd all-interfaces command in router configuration mode. If you do not want to enable BFD on all interfaces, enter the bfd interface command in router configuration mode.
Examples
The following example shows BFD enabled for all Enhanced Interior Gateway Routing Protocol (EIGRP) neighbors:
Router> enableRouter# configure terminalRouter(config)# router eigrp 123Router(config-router)# bfd all-interfacesRouter(config-router)# endThe following example shows BFD enabled for all Intermediate System-to-Intermediate System (IS-IS) neighbors:
Router> enableRouter# configure terminalRouter(config)# router isis tag1Router(config-router)# bfd all-interfacesRouter(config-router)# endThe following example shows BFD enabled for all Open Shortest Path First (OSPF) neighbors:
Router> enableRouter# configure terminalRouter(config)# router ospf 123Router(config-router)# bfd all-interfacesRouter(config-router)# endRelated Commands
bfd
Sets the baseline BFD session parameters on an interface.
bfd interface
Enables BFD on a per-interface basis for a BFD peer.
bgp default ipv6-nexthop
To set the IPv6 unicast nex-thop format as the default for Border Gateway Protocol (BGP) IPv6 updates, use the bgp default ipv6-nexthop command in router configuration mode. To disable the default IPv6 unicast next-hop format as the default, use the no form of this command.
bgp default ipv6-nexthop
no bgp default ipv6-nexthop
Syntax Description
This command has no arguments or keywords.
Command Default
This command is enabled by default and is not shown in the running configuration.
Command Modes
Router configuration
Command History
Usage Guidelines
The bgp default ipv6-nexthop command enables BGP to choose the IPv6 next hop automatically for IPv6 address family prefixes.
Use the no bgp default ipv6-nexthop command to disable automatic next-hop selection in the following situations when IPv6 next-hop selection is configured to propogate over IPv4 sessions:
•
•
–
–
–
Examples
The following example disables the unicast next-hop format for router process 50000:
Router(config)# router bgp 50000Router(config-router)# no bgp default ipv6-nexthopbgp graceful-restart
To enable the Border Gateway Protocol (BGP) graceful restart capability globally for all BGP neighbors, use the bgp graceful-restart command in router configuration mode. To disable the BGP graceful restart capability globally for all BGP neighbors, use the no form of this command.
bgp graceful-restart [restart-time seconds | stalepath-time seconds] [all]
no bgp graceful-restart
Syntax Description
Command Default
The following default values are used when this command is entered without any keywords or arguments:
restart-time: 120 seconds
stalepath-time: 360 seconds
Note
Command Modes
Address-family configuration
Router configuration (router-config)Command History
Usage Guidelines
The bgp graceful-restart command is used to enable or disable the graceful restart capability globally for all BGP neighbors in a BGP network. The graceful restart capability is negotiated between nonstop forwarding (NSF)-capable and NSF-aware peers in OPEN messages during session establishment. If the graceful restart capability is enabled after a BGP session has been established, the session will need to be restarted with a soft or hard reset.
The graceful restart capability is supported by NSF-capable and NSF-aware routers. A router that is NSF-capable can perform a stateful switchover (SSO) operation (graceful restart) and can assist restarting peers by holding routing table information during the SSO operation. A router that is NSF-aware functions like a router that is NSF-capable but cannot perform an SSO operation.
The BGP graceful restart capability is enabled by default when a supporting version of Cisco IOS software is installed. The default timer values for this feature are optimal for most network deployments. We recommend that they are adjusted only by experienced network operators. When adjusting the timer values, the restart timer should not be set to a value greater than the hold time that is carried in the OPEN message. If consecutive restart operations occur, routes (from a restarting router) that were previously marked as stale will be deleted.
Note
Examples
In the following example, the BGP graceful restart capability is enabled:
Router# configure terminalRouter(config)# router bgp 65000Router(config-router)# bgp graceful-restartIn the following example, the restart timer is set to 130 seconds:
Router# configure terminalRouter(config)# router bgp 65000Router(config-router)# bgp graceful-restart restart-time 130In the following example, the stalepath timer is set to 350 seconds:
Router# configure terminalRouter(config)# router bgp 65000Router(config-router)# bgp graceful-restart stalepath-time 350Related Commands
show ip bgp
Displays entries in the BGP routing table.
show ip bgp neighbors
Displays information about the TCP and BGP connections to neighbors.
bgp log-neighbor-changes
To enable logging of BGP neighbor resets, use the bgp log-neighbor-changes command in router configuration mode. To disable the logging of changes in BGP neighbor adjacencies, use the no form of this command.
bgp log-neighbor-changes
no bgp log-neighbor-changes
Syntax Description
This command has no arguments or keywords.
Command Default
Logging of BGP neighbor resets is not enabled.
Command Modes
Router configuration
Command History
Usage Guidelines
The bgp log-neighbor-changes command enables logging of BGP neighbor status changes (up or down) and resets for troubleshooting network connectivity problems and measuring network stability. Unexpected neighbor resets might indicate high error rates or high packet loss in the network and should be investigated.
Using the bgp log-neighbor-changes command to enable status change message logging does not cause a substantial performance impact, unlike, for example, enabling per BGP update debugging. If the UNIX syslog facility is enabled, messages are sent to the UNIX host running the syslog daemon so that the messages can be stored and archived. If the UNIX syslog facility is not enabled, the status change messages are retained in the internal buffer of the router, and are not stored to disk. You can set the size of this buffer, which is dependent upon the available RAM, using the logging buffered command.
The neighbor status change messages are not tracked if the bgp log-neighbor-changes command is not enabled, except for the reset reason, which is always available as output of the show ip bgp neighbors and show bgp ipv6 neighbors commands.
The eigrp log-neighbor-changes command enables logging of Enhanced Interior Gateway Routing Protocol (EIGRP) neighbor adjacencies, but messages for BGP neighbors are logged only if they are specifically enabled with the bgp log-neighbor-changes command.
Use the show logging command to display the log for the BGP neighbor changes.
Examples
The following example logs neighbor changes for BGP in router configuration mode:
Router(config)# bgp router 40000Router(config-router)# bgp log-neighbor-changesRelated Commands
bind
To bind the source address for signaling and media packets to the IPv4 or IPv6 address of a specific interface, use the bind command in SIP configuration mode. To disable binding, use the no form of this command.
bind {control | media | all} source-interface interface-id [ipv4-address ipv4-address | ipv6-address ipv6-address]
no bind
Syntax Description
Command Default
Binding is disabled.
Command Modes
SIP configuration (conf-serv-sip)
Command History
Usage Guidelines
Async, Ethernet, FastEthernet, Loopback, and Serial (including Frame Relay) are interfaces within the SIP application.
If the bind command is not enabled, the IPv4 layer still provides the best local address.
Examples
The following example sets up binding on a SIP network:
Router(config)# voice serv voipRouter(config-voi-serv)# sipRouter(config-serv-sip)# bind control source-interface FastEthernet 0Related Commands
binding
To configure binding options for the Mobile IPv6 home agent feature, use the binding command in home agent configuration mode. To restore parameters to default values, use the no form of this command.
binding [access access-list-name | auth-option | seconds | maximum | refresh]
no binding [access access-list-name | auth-option | seconds | maximum | refresh]
Syntax Description
Command Default
No access list is used to configure a binding update filter.
The default value for the seconds argument is 262140, which is the maximum permissible binding time.
The default value for the maximum argument is a number of entries limited by memory available on the router.
The default value of the refresh argument is 300 sec.Command Modes
Home agent configuration
Command History
Usage Guidelines
Before you enable the ipv6 mobile home-agent command on an interface, you should configure common parameters on the router using the binding command. This command does not enable home agent service on the interfaces.
If the configured number of home agent registrations is reached or exceeded, subsequent registrations will be refused with the error "Insufficient resources." No existing bindings will discarded until their lifetime has expired, even if the maximum argument is set to a value lower than the current number of such bindings.
The appropriate value for the refresh argument will depend on whether the router is operating any high-availability features. If it is not, and a failure would cause the bindings cache to be lost, set the refresh argument to a low value.
Examples
In the following example, the maximum number of binding cache entries is set to 15:
binding 15
Related Commands
cache
To configure operational parameters for NetFlow accounting aggregation caches, use the cache command in NetFlow aggregation cache configuration mode. To disable the NetFlow aggregation cache operational parameters for NetFlow accounting, use the no form of this command.
cache {entries number | timeout {active minutes | inactive seconds}}
no cache {entries | timeout {active | inactive}}
Syntax Description
Command Default
The default for cache entries is 4096.
The default for active cache entries is 30 minutes.
The default for inactive cache entries is 15 seconds.Command Modes
NetFlow aggregation cache configuration
Command History
Usage Guidelines
You must have NetFlow accounting configured on your router before you can use this command.
Examples
The following example shows how to set the NetFlow aggregation cache entry limits and timeout values for the NetFlow protocol-port aggregation cache:
Router(config)# ip flow-aggregation cache protocol-portRouter(config-flow-cache)# cache entries 2046Router(config-flow-cache)# cache timeout inactive 199Router(config-flow-cache)# cache timeout active 45Router(config-flow-cache)# enabledRelated Commands
call service stop
To shut down VoIP call service on a gateway, use the call service stop command in voice service SIP or voice service H.323 configuration mode. To enable VoIP call service, use the no form of this command. To set the command to its defaults, use the default call service stop command
call service stop [forced] [maintain-registration]
no call service stop
default call service stop
Syntax Description
forced
(Optional) Forces the gateway to immediately terminate all in-progress calls.
maintain-registration
(Optional) Forces the gateway to remain registered with the gatekeeper.
Command Default
VoIP call service is enabled.
Command Modes
Voice service SIP configuration (conf-serv-sip)
Voice service H.323 configuration (conf-serv-h323)Command History
12.3(1)
This command was introduced.
12.4(22)T
Support for IPv6 was added.
12.4(23.08)T01
The default behavior was clarified for SIP and H.323 protocols.
Usage Guidelines
Use the call service stop command to shut down the SIP or H.323 services regardless of whether the shutdown or no shutdown command was configured in voice service configuration mode.
Use the no call service stop command to enable SIP or H.323 services regardless of whether the shutdown or no shutdown command was configured in voice service configuration mode.
Use the default call service stop command to set the command to its defaults. The defaults are as follows:
•
•
Examples
The following example shows SIP call service being shut down on a Cisco gateway:
Router> enableRouter# configure terminalRouter(config)# voice service voipRouter(conf-voi-serv)# sipRouter(conf-serv-sip)# call service stopThe following example shows H.323 call service being enabled on a Cisco gateway:
Router> enableRouter# configure terminalRouter(config)# voice service voipRouter(conf-voi-serv)# h323Router(conf-serv-h323)# no call service stopThe following example shows SIP call service being enabled on a Cisco gateway because the no shutdown command was configured in voice service configuration mode:
Router> enableRouter# configure terminalRouter(config)#voice service voipRouter(conf-voi-serv)# no shutdownRouter(conf-voi-serv)# sipRouter(conf-serv-sip)# default call service stopThe following example shows H.323 call service being shut down on a Cisco gateway because the shutdown command was configured in voice configuration mode:
Router> enableRouter# configure terminalRouter(config)# voice service voipRouter(conf-voi-serv)# shutdownRouter(conf-voi-serv)# h323Router(conf-serv-h323)# default call service stopRelated Commands
cdma pdsn ipv6
To enable the packet data serving node (PDSN) IPv6 functionality, use the cdma pdsn ipv6 command in global configuration mode. To disable this function, use the no form of the command.
cdma pdsn ipv6 ra-count ra-value [ra-interval seconds]
no cdma pdsn ipv6 ra-count ra-value [ra-interval seconds]
Syntax Description
Command Default
Number of IPv6 RAs to be sent is 1.
The interval between IPv6 RAs sent is 5 seconds.Command Modes
Global configuration
Command History
12.3(14)XY
This command was introduced.
12.4(11)T
This command was integrated into Cisco IOS Release 12.4(11)T.
Usage Guidelines
If the cdma pdsn ipv6 command is not entered and a PDSN session is brought up with IPv6, the session will be terminated and the following message displayed:
%CDMA_PDSN-3-PDSNIPV6NOTENABLED: PDSN IPv6 feature has not been enabled.
Examples
The following example illustrates how to control the number and interval of routing advertisements sent to the MN when an IPv6 session comes up:
router(config)# cdma pdsn ipv6 ra-count 2 ra-interval 3cef table consistency-check
To enable Cisco Express Forwarding table consistency checker types and parameters, use the cef table consistency-check command in global configuration mode. To disable consistency checkers, use the no form of this command.
cef table consistency-check {ipv4 | ipv6} [type {lc-detect | scan-lc-rp | scan-rp-lc | scan-rib-ios | scan-ios-rib}] [count count-number] [period seconds] [error-message] [auto-repair delay seconds holddown seconds] [data-checking]
no cef table consistency-check {ipv4 | ipv6} [type {lc-detect | scan-lc-rp | scan-rp-lc | scan-rib-ios | scan-ios-rib}] [count count-number] [period seconds] [error-message] [auto-repair delay seconds holddown seconds] [data-checking]
Syntax Description
Command Default
All consistency checkers are disabled.
Command Modes
Global configuration (config)
Command History
Examples
The following example enables the Cisco Express Forwarding consistency checker to check IPv4 addresses:
Router(config)# cef table consistency-check ipv4The following example enables the Cisco Express Forwarding consistency checker to check IPv4 addresses and specifies the scan-rp-lc checker to run every 60 seconds for 5000 prefixes:
Router(config)# cef table consistency-check ipv4 type scan-rp-lc count 5000 period 60The following example enables the Cisco Express Forwarding consistency checker to check IPv4 addresses and display an error message when it finds an inconsistency:
Router(config)# cef table consistency-check ipv4 error-messageRelated Commands
clear bgp ipv6
To reset IPv6 Border Gateway Protocol (BGP) sessions, use the clear bgp ipv6 command in privileged EXEC mode.
clear bgp ipv6 {unicast | multicast} {* | autonomous-system-number | ip-address | ipv6-address | peer-group-name} [soft] [in | out]
Syntax Description
Command Default
No reset is initiated.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The clear bgp ipv6 command is similar to the clear ip bgp command, except that it is IPv6-specific.
Use of the clear bgp ipv6 command allows a reset of the neighbor sessions with varying degrees of severity depending on the specified keywords and arguments.
Use the clear bgp ipv6 unicast command to drop neighbor sessions with IPv6 unicast address prefixes.
The unicast keyword is available in Cisco IOS Release 12.3(2)T and later releases. It is not available in releases prior to 12.3(2)T. Use of the unicast keyword is mandatory starting with Cisco IOS Release 12.3(2)T.
The multicast keyword is available in Cisco IOS Release 12.0(26)S and later releases. It is not available in releases prior to 12.0(26)S. Use of either the unicast or multicast keyword is mandatory starting with Cisco IOS Release 12.0(26)S.
Use the clear bgp ipv6 * command to drop all neighbor sessions. The Cisco IOS software will then reset the neighbor connections. Use this form of the command in the following situations:
•
•
Use the clear bgp ipv6 soft out or the clear bgp ipv6 unicast soft out command to drop only the outbound neighbor connections. Inbound neighbor sessions will not be reset. Use this form of the command in the following situations:
•
•
•
•
Use the clear bgp ipv6 soft in or the clear bgp ipv6 unicast soft in command to drop only the inbound neighbor connections. Outbound neighbor sessions will not be reset. To reset inbound routing table updates dynamically for a neighbor, you must configure the neighbor to support the router refresh capability. To determine whether a BGP neighbor supports this capability, use the show bgp ipv6 neighbors or the show bgp ipv6 unicast neighbors command. If a neighbor supports the route refresh capability, the following message is displayed:
Received route refresh capability from peer.If all BGP networking devices support the route refresh capability, use the clear bgp ipv6 {* | ip-address | ipv6-address | peer-group-name} in or the clear bgp ipv6 unicast {* | ip-address | ipv6-address | peer-group-name} in command. Use of the soft keyword is not required when the route refresh capability is supported by all BGP networking devices, because the software automatically performs a soft reset.
Use this form of the command in the following situations:
•
•
•
•
Examples
The following example clears the inbound session with the neighbor 7000::2 without the outbound session being reset:
Router# clear bgp ipv6 unicast 7000::2 soft inThe following example uses the unicast keyword and clears the inbound session with the neighbor 7000::2 without the outbound session being reset:
Router# clear bgp ipv6 unicast 7000::2 soft inThe following example clears the outbound session with the peer group named marketing without the inbound session being reset:
Router# clear bgp ipv6 unicast marketing soft outThe following example uses the unicast keyword and clears the outbound session with the peer group named peer-group marketing without the inbound session being reset:
Router# clear bgp ipv6 unicast peer-group marketing soft outRelated Commands
clear bgp ipv6 dampening
To clear IPv6 Border Gateway Protocol (BGP) route dampening information and unsuppress the suppressed routes, use the clear bgp ipv6 dampening command in privileged EXEC mode.
clear bgp ipv6 {unicast | multicast} dampening [ipv6-prefix /prefix-length]
Syntax Description
Command Default
When the ipv6-prefix/prefix-length argument is not specified, the clear bgp ipv6 dampening command clears route dampening information for the entire IPv6 BGP routing table.
As of Cisco IOS Release 12.3(2)T, when the ipv6-prefix/prefix-length argument is not specified, the clear bgp ipv6 unicast dampening command clears route dampening information for the entire IPv6 BGP routing table.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The clear bgp ipv6 dampening and the clear bgp ipv6 unicast dampening commands are similar to the clear ip bgp dampening command, except they are IPv6-specific.
The unicast keyword is available in Cisco IOS Release 12.3(2)T and later releases. It is not available in releases prior to 12.3(2)T. Use of the unicast keyword is mandatory starting with Cisco IOS Release 12.3(2)T.
The multicast keyword is available in Cisco IOS Release 12.0(26)S and later releases. It is not available in releases prior to 12.0(26)S. Use of either the unicast or multicast keyword is mandatory starting with Cisco IOS Release 12.0(26)S.
Examples
The following example clears route dampening information about the route to network 7000::0 and unsuppresses its suppressed routes:
Router# clear bgp ipv6 unicast dampening 7000::/64The following example uses the unicast keyword and clears route dampening information about the route to network 7000::0 and unsuppresses its suppressed routes:
Router# clear bgp ipv6 unicast dampening 7000::/64Related Commands
bgp dampening
Enables BGP route dampening or changes various BGP route dampening factors.
show bgp ipv6 dampened-paths
Displays IPv6 BGP dampened routes.
clear bgp ipv6 external
To clear external IPv6 Border Gateway Protocol (BGP) peers, use the clear bgp ipv6 external command in privileged EXEC mode.
clear bgp ipv6 {unicast | multicast} external [soft] [in | out]
Syntax Description
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The clear bgp ipv6 external command is similar to the clear ip bgp external command, except that it is IPv6-specific.
The unicast keyword is available in Cisco IOS Release 12.3(2)T and later releases. It is not available in releases prior to 12.3(2)T. Use of the unicast keyword is mandatory starting with Cisco IOS Release 12.3(2)T.
The multicast keyword is available in Cisco IOS Release 12.0(26)S and later releases. It is not available in releases prior to 12.0(26)S. Use of either the unicast or multicast keyword is mandatory starting with Cisco IOS Release 12.0(26)S.
Examples
The following example clears the inbound session with external IPv6 BGP peers without the outbound session being reset:
Router# clear bgp ipv6 unicast external soft inThe following example uses the unicast keyword and clears the inbound session with external IPv6 BGP peers without the outbound session being reset:
Router# clear bgp ipv6 unicast external soft inRelated Commands
clear bgp ipv6 flap-statistics
To clear IPv6 Border Gateway Protocol (BGP) flap statistics, use the clear bgp ipv6 flap-statistics command in privileged EXEC mode.
clear bgp ipv6 {unicast | multicast} flap-statistics [ipv6-prefix/prefix-length | regexp regexp | filter-list list]
Syntax Description
Command Default
No statistics are cleared.
If no arguments or keywords are specified, the software clears flap statistics for all routes.Command Modes
Privileged EXEC
Command History
Usage Guidelines
The clear bgp ipv6 flap-statistics command is similar to the clear ip bgp flap-statistics command, except that it is IPv6-specific.
The flap statistics for a route are also cleared when an IPv6 BGP peer is reset. Although the reset withdraws the route, no penalty is applied in this instance even though route flap dampening is enabled.
The unicast keyword is available in Cisco IOS Release 12.3(2)T and later releases. It is not available in releases prior to 12.3(2)T. Use of the unicast keyword is mandatory starting with Cisco IOS Release 12.3(2)T.
The multicast keyword is available in Cisco IOS Release 12.0(26)S and later releases. It is not available in releases prior to 12.0(26)S. Use of either the unicast or multicast keyword is mandatory starting with Cisco IOS Release 12.0(26)S.
Examples
The following example clears all of the flap statistics for paths that pass access list 3:
Router# clear bgp ipv6 unicast flap-statistics filter-list 3Related Commands
bgp dampening
Enables BGP route dampening or changes various BGP route dampening factors.
show bgp ipv6 flap-statistics
Displays IPv6 BGP flap statistics.
clear bgp ipv6 peer-group
To clear all members of an IPv6 Border Gateway Protocol (BGP) peer group, use the clear bgp ipv6 peer-group command in privileged EXEC mode.
clear bgp ipv6 {unicast | multicast} peer-group [name]
Syntax Description
unicast
Specifies IPv6 unicast address prefixes.
multicast
Specifies IPv6 multicast address prefixes.
name
BGP peer group name.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
Using the clear bgp ipv6 peer-group command without the optional name argument will clear all BGP peer groups.
The multicast keyword is available in Cisco IOS Release 12.0(26)S and later releases. It is not available in releases prior to 12.0(26)S. Use of either the unicast or multicast keyword is mandatory starting with Cisco IOS Release 12.0(26)S.
Examples
The following example clears all IPv6 BGP peer groups:
Router# clear bgp ipv6 unicast peer-groupclear cef table
To clear the Cisco Express Forwarding tables, use the clear cef table command in privileged EXEC mode.
clear cef table {ipv4 | ipv6} [vrf {vrf-name | * }]
Syntax Description
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
The clear cef table command clears the selected table or address family of tables (for IPv4 or IPv6) and updates (refreshes) them throughout the router (including the Route Processor and line cards). The command increments the table epoch, updates the tables, distributes the updated information to the line cards, and performs a distributed purge of any stale entries in the tables based on the noncurrent epoch number. This ensures that any inconsistencies that occurred over time are removed.
Because this command might require significant processing resources and can cause dropped traffic or system error messages about excessive CPU use, it's use is recommended only as a last resort for debugging or mitigating serious problems.
Cisco Express Forwarding tables are also cleared automatically during bootup or online insertion and removal (OIR) of line cards.
Note
Examples
The following example clears the Cisco Express Forwarding tables for the IPv6 address family:
Router# clear cef table ipv6 vrf *The following example clears the Cisco Express Forwarding tables for a VRF table named blue in the IPv4 address family:
Router# clear cef table ipv4 vrf blueThe following example clears the Cisco Express Forwarding tables for all VRF tables in the IPv4 address family. This example shows output with Cisco Express Forwarding table debugging enabled:
Router# clear cef table ipv4 vrf *06:56:01: FIBtable: Refreshing table IPv4:Default06:56:01: FIBtable: Invalidated 224.0.0.0/4 in IPv4:Default06:56:01: FIBtable: Deleted 224.0.0.0/4 from IPv4:Default06:56:01: FIBtable: Validated 224.0.0.0/4 in IPv4:Default06:56:01: FIBtable: IPv4: Event up, 10.1.41.0/24, vrf Default, 1 path, flags 0100022006:56:01: FIBtable: IPv4: Adding route for 10.1.41.0/24 but route already exists.Trying modify.06:56:01: FIBtable: IPv4: Event up, 10.0.0.11/32, vrf Default, 1 path, flags 0100000006:56:01: FIBtable: IPv4: Adding route for 10.0.0.11/32 but route already exists. Trying modify.06:56:01: FIBtable: IPv4: Event up, 10.0.0.15/32, vrf Default, 1 path, flags 0100000006:56:01: FIBtable: IPv4: Adding route for 10.0.0.15/32 but route already exists. Trying modify.06:56:01: FIBtable: IPv4: Event up, 10.0.0.7/32, vrf Default, 1 path, flags 0100022006:56:01: FIBtable: IPv4: Adding route for 10.0.0.7/32 but route already exists.Trying modify.06:56:01: FIBtable: IPv4: Event up, 10.0.0.0/8, vrf Default, 1 path, flags 0000022006:56:01: FIBtable: IPv4: Adding route for 10.0.0.0/8 but route already exists.Trying modify.06:56:01: FIBtable: IPv4: Event up, 0.0.0.0/0, vrf Default, 1 path, flags 0042000506:56:01: FIBtable: IPv4: Adding route for 0.0.0.0/0 but route already exists. Trying modify.06:56:01: FIBtable: Starting purge of table IPv4:Default to epoch 1306:56:01: FIBtable: Invalidated 10.1.41.1/32 in IPv4:Default06:56:01: FIBtable: Deleted 10.1.41.1/32 from IPv4:Default06:56:01: FIBtable: Purged 1 prefix from table IPv4:Default06:56:01: FIBtable: Validated 10.1.41.1/32 in IPv4:Default06:56:06: FIBtable: IPv4: Event modified, 0.0.0.0/0, vrf Default, 1 path, flags0042000506:56:06: FIBtable: IPv4: Event up, default, 0.0.0.0/0, vrf Default, 1 path, flags 0042000506:56:06: FIBtable: IPv4: Adding route for 0.0.0.0/0 but route already exists. Trying modify.Related Commands
clear dmvpn session
To clear Dynamic Multipoint VPN (DMVPN) sessions, use the clear dmvpn session command in privileged EXEC mode.
clear dmvpn session [peer {nbma | tunnel ipv4-address | ipv6-address}] [interface tunnel number] [vrf vrf-name] [static]
Syntax Description
Command Default
The DMVPN sessions will not be cleared.
Command Modes
Privileged EXEC
Command History
12.4(9)T
This command was introduced.
12.4(20)T
The ipv6-address argument was added.
Usage Guidelines
This command clears existing DMVPN sessions based on input parameters.
Examples
The following example clears all DMVPN sessions, both static and dynamic, for the specified peer NBMA address:
Router# clear dmvpn session peer nbma staticRelated Commands
clear ip nhrp
Clears all dynamic entries from the IPv4 NHRP cache.
clear ipv6 nhrp
Clears all dynamic entries from the IPv6 NHRP cache.
clear frame-relay-inarp
To clear dynamically created Frame Relay maps, which are created by the use of Inverse Address Resolution Protocol (ARP), use the clear frame-relay-inarp command in privileged EXEC mode.
clear frame-relay-inarp
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following example clears dynamically created Frame Relay maps:
clear frame-relay-inarpRelated Commands
clear ipv6 access-list
To reset the IPv6 access list match counters, use the clear ipv6 access-list command in privileged EXEC mode.
clear ipv6 access-list [access-list-name]
Syntax Description
access-list-name
(Optional) Name of the IPv6 access list for which to clear the match counters. Names cannot contain a space or quotation mark, or begin with a numeric.
Command Default
No reset is initiated.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The clear ipv6 access-list command is similar to the clear ip access-list counters command, except that it is IPv6-specific.
The clear ipv6 access-list command used without the access-list-name argument resets the match counters for all IPv6 access lists configured on the router.
Examples
The following example resets the match counters for the IPv6 access list named marketing:
Router# clear ipv6 access-list marketingRelated Commands
ipv6 access-list
Defines an IPv6 access list and enters IPv6 access list configuration mode.
show ipv6 access-list
Displays the contents of all current IPv6 access lists.
clear ipv6 dhcp binding
To delete automatic client bindings from the Dynamic Host Configuration Protocol (DHCP) for IPv6 server binding table, use the clear ipv6 dhcp binding command in privileged EXEC mode.
clear ipv6 dhcp binding [ipv6-address]
Syntax Description
Command Modes
Privileged EXEC
Command History
12.3(4)T
This command was introduced.
12.4(24)T
The command was updated to allow for clearing all address bindings associated with a client.
Usage Guidelines
The clear ipv6 dhcp binding command is used as a server function.
A binding table entry on the DHCP for IPv6 server is automatically:
•
•
•
If the clear ipv6 dhcp binding command is used with the optional ipv6-address argument specified, only the binding for the specified client is deleted. If the clear ipv6 dhcp binding command is used without the ipv6-address argument, then all automatic client bindings are deleted from the DHCP for IPv6 binding table.
Examples
The following example deletes all automatic client bindings from the DHCP for IPv6 server binding table:
Router# clear ipv6 dhcp bindingRelated Commands
show ipv6 dhcp binding
Displays automatic client bindings from the DHCP for IPv6 server binding table.
clear ipv6 dhcp client
To restart the Dynamic Host Configuration Protocol (DHCP) for IPv6 client on an interface, use the clear ipv6 dhcp client command in privileged EXEC mode.
clear ipv6 dhcp client interface-type interface-number
Syntax Description
interface-type interface-number
Interface type and number. For more information, use the question mark (?) online help function.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The clear ipv6 dhcp client command restarts the DHCP for IPv6 client on specified interface after first releasing and unconfiguring previously acquired prefixes and other configuration options (for example, Domain Name System [DNS] servers).
Examples
The following example restarts the DHCP for IPv6 client for Ethernet interface 1/0:
Router# clear ipv6 dhcp client Ethernet 1/0Related Commands
clear ipv6 dhcp conflict
To clear an address conflict from the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server database, use the clear ipv6 dhcp conflict command in privileged EXEC mode.
clear ipv6 dhcp conflict {* | IPv6-address}
Syntax Description
*
Clears all address conflicts.
IPv6-address
Clears the host IPv6 address that contains the conflicting address.
Command Default
The address conflicts are not cleared.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
When you configure the DHCPv6 server to detect conflicts, it uses ping. The client uses neighbor discovery to detect clients and reports to the server through a DECLINE message. If an address conflict is detected, the address is removed from the pool, and the address is not assigned until the administrator removes the address from the conflict list.
If you use the asterisk (*) character as the address parameter, DHCP clears all conflicts.
Examples
The following example shows how to clear all address conflicts from the DHCPv6 server database:
Router# clear ipv6 dhcp conflict *Related Commands
show ipv6 dhcp conflict
Displays address conflicts found by a DHCPv6 server when addresses are offered to the client.
clear ipv6 eigrp
To delete entries from Enhanced Interior Gateway Routing Protocol (EIGRP) for IPv6 routing tables, use the clear ipv6 eigrp command in privileged EXEC mode.
clear ipv6 eigrp [as-number] [neighbor [ipv6-address | interface-type interface-number]]
Syntax Description
Command Modes
Privileged EXEC
Command History
12.4(6)T
This command was introduced.
12.2(33)SRB
This command was integrated into Cisco IOS Release 12.2(33)SRB.
Usage Guidelines
Use the clear ipv6 eigrp command without any arguments or keywords to clear all EIGRP for IPv6 routing table entries. Use the as-number argument to clear routing table entries on a specified process, and use the neighbor ipv6-address keyword and argument, or the interface-type interface-number argument, to remove a specific neighbor from the neighbor table.
Examples
The following example removes the neighbor whose IPv6 address is 3FEE:12E1:2AC1:EA32:
Router# clear ipv6 eigrp neighbor 3FEE:12E1:2AC1:EA32clear ipv6 flow stats
To clear the NetFlow switching statistics, use the clear ipv6 flow stats command in privileged EXEC mode.
clear ipv6 flow stats
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The show iv6 cache flow command displays the NetFlow switching statistics. Use the clear ipv6 flow stats command to clear the NetFlow switching statistics.
Examples
The following example clears the NetFlow switching statistics on the router:
Router# clear ipv6 flow statsRelated Commands
show ipv6 flow cache
Displays the routing table cache used to fast switch IPv6 traffic.
clear ipv6 inspect
To remove a specific IPv6 session or all IPv6 inspection sessions, use the clear ipv6 inspect command in privileged EXEC mode.
clear ipv6 inspect {session session-number | all}
Syntax Description
session session-number
Indicates the number of the session to clear.
all
Clears all inspection sessions.
Command Default
Inspection sessions previously configured are unaffected.
Command Modes
Privileged EXEC
Command History
Examples
The following example clears all inspection sessions:
Router# clear ipv6 inspect allRelated Commands
clear ipv6 mfib counters
To reset all active Multicast Forwarding Information Base (MFIB) traffic counters, use the clear ipv6 mfib counters command in privileged EXEC mode.
clear ipv6 mfib counters [group-name | group-address [source-address | source-name]]
Syntax Description
group-name | group-address
(Optional) IPv6 address or name of the multicast group.
source-address | source-name
(Optional) IPv6 address or name of the source.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
After you enable the clear ipv6 mfib counters command, you can determine if additional traffic is forwarded by using one of the following show commands that display traffic counters:
•
•
•
•
