-
Cisco IOS IPv6 Command Reference
-
Introduction
-
aaa accounting multicast default through clear ipv6 mobile home-agents
-
clear ipv6 mobile traffic through debug bgp vpnv6 unicast
-
debug crypto ipv6 ipsec through debug ipv6 pim
-
debug ipv6 pim df-election through ip http server
-
ip name-server through ipv6 general-prefix
-
ipv6 hello-interval eigrp through ipv6 mld static-group
-
ipv6 mobile home-agent (global configuration) through ipv6 ospf database-filter all out
-
ipv6 ospf dead-interval through ipv6 split-horizon eigrp
-
ipv6 summary-address eigrp through mpls ldp router-id
-
mpls traffic-eng auto-bw timers through route-map
-
router-id (IPv6) through show bgp ipv6 labels
-
show bgp ipv6 neighbors through show crypto isakmp peers
-
show crypto isakmp policy through show ipv6 eigrp neighbors
-
show ipv6 eigrp topology through show ipv6 nat statistics
-
show ipv6 nat translations through show ipv6 protocols
-
show ipv6 rip through snmp-server host
-
snmp-server user through vrf forwarding
-
Table Of Contents
ipv6 traffic interface-statistics
ipv6 verify unicast reverse-path
ipv6 verify unicast source reachable-via
ipv6 virtual-reassembly drop-fragments
log-neighbor-changes (IPv6 EIGRP)
maximum sessions (DSP farm profile)
mls ipv6 acl compress address unicast
monitor event-trace cef ipv6 (global)
ipv6 summary-address eigrp
To configure a summary aggregate address for a specified interface, use the ipv6 summary-address eigrp command in interface configuration mode. To disable a configuration, use the no form of this command.
ipv6 summary-address eigrp as-number ipv6-address [admin-distance]
no ipv6 summary-address eigrp as-number ipv6-address [admin-distance]
Syntax Description
as-number
Autonomous system number.
ipv6-address
Summary IPv6 address to apply to an interface.
admin-distance
(Optional) Administrative distance. A value from 0 through 255. The default value is 90.
Command Default
An administrative distance of 5 is applied to Enhanced Interior Gateway Routing Protocol (EIGRP) for IPv6 summary routes.
EIGRP for IPv6 automatically summarizes to the network level, even for a single host route.
No summary addresses are predefined.Command Modes
Interface configuration
Command History
Usage Guidelines
The ipv6 summary-address eigrp command is used to configure interface-level address summarization. EIGRP for IPv6 summary routes are given an administrative distance value of 5. The administrative distance metric is used to advertise a summary address without installing it in the routing table.
Examples
The following example provides a summary aggregate address for EIGRP for IPv6 for AS 1:
ipv6 summary-address eigrp 1 2001:0DB8:0:1::/64ipv6 traffic interface-statistics
To collect IPv6 forwarding statistics for all interfaces, use the ipv6 traffic interface-statistics command in global configuration mode. To ensure that IPv6 forwarding statistics are not collected for any interface, use the no form of this command.
ipv6 traffic interface-statistics [unclearable]
no ipv6 traffic interface-statistics [unclearable]
Syntax Description
unclearable
(Optional) IPv6 forwarding statistics are kept for all interfaces, but it is not possible to clear the statistics on any interface.
Command Default
IPv6 forwarding statistics are collected for all interfaces.
Command Modes
Global configuration
Command History
Usage Guidelines
Using the optional unclearable keyword halves the per-interface statistics storage requirements.
Examples
The following example does not allow statistics to be cleared on any interface:
ipv6 traffic interface-statistics unclearableipv6 traffic-filter
To filter incoming or outgoing IPv6 traffic on an interface, use the ipv6 traffic-filter command in interface configuration mode. To disable the filtering of IPv6 traffic on an interface, use the no form of this command.
ipv6 traffic-filter access-list-name {in | out}
no ipv6 traffic-filter access-list-name
Syntax Description
access-list-name
Specifies an IPv6 access name.
in
Specifies incoming IPv6 traffic.
out
Specifies outgoing IPv6 traffic.
Command Default
Filtering of IPv6 traffic on an interface is not configured.
Command Modes
Interface configuration
Command History
Examples
The following example filters inbound IPv6 traffic on Ethernet interface 0/0 as defined by the access list named cisco:
Router(config)# interface ethernet 0/0Router(config-if)# ipv6 traffic-filter cisco inRelated Commands
ipv6 unicast-routing
To enable the forwarding of IPv6 unicast datagrams, use the ipv6 unicast-routing command in global configuration mode. To disable the forwarding of IPv6 unicast datagrams, use the no form of this command.
ipv6 unicast-routing
no ipv6 unicast-routing
Syntax Description
This command has no arguments or keywords.
Command Default
IPv6 unicast routing is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Configuring the no ipv6 unicast-routing command removes all IPv6 routing protocol entries from the IPv6 routing table.
Examples
The following example enables the forwarding of IPv6 unicast datagrams:
Router(config)# ipv6 unicast-routingRelated Commands
ipv6 unnumbered
To enable IPv6 processing on an interface without assigning an explicit IPv6 address to the interface, use the ipv6 unnumbered command in interface configuration mode. To disable IPv6 on an unnumbered interface, use the no form of this command.
ipv6 unnumbered interface-type interface-number
no ipv6 unnumbered
Syntax Description
Command Default
This command is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
The ipv6 unnumbered command is similar to the ip unnumbered command, except that it is IPv6-specific.
IPv6 packets that are originated from an unnumbered interface use the global IPv6 address of the interface specified in the ipv6 unnumbered command as the source address for the packets.
Note
Serial interfaces using High-Level Data Link Control (HDLC), PPP, Link Access Procedure, Balanced (LAPB), Frame Relay encapsulations, and tunnel interfaces can be unnumbered. You cannot use this interface configuration command with X.25 or Switched Multimegabit Data Service (SMDS) interfaces.
The interface you specify with the interface-type and interface-number arguments must be enabled (listed as "up" in the show ipv6 interface command display).
Examples
The following example configures serial interface 0/1as unnumbered. IPv6 packets that are sent on serial interface 0/1 use the IPv6 address of Ethernet 0/0 as their source address:
Router(config)# interface ethernet 0/0Router(config-if)# ipv6 address 3FFE:C00:0:1:260:3EFF:FE11:6770Router(config)# interface serial 0/1Router(config-if)# ipv6 unnumbered ethernet 0/0Related Commands
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 unreachables
To enable the generation of Internet Control Message Protocol for IPv6 (ICMPv6) unreachable messages for any packets arriving on a specified interface, use the ipv6 unreachables command in interface configuration mode. To prevent the generation of unreachable messages, use the no form of this command.
ipv6 unreachables
no ipv6 unreachables
Syntax Description
This command has no arguments or keywords.
Command Default
ICMPv6 unreachable messages can be generated for any packets arriving on that interface.
Command Modes
Interface configuration
Command History
Usage Guidelines
If the Cisco IOS software receives a nonbroadcast packet destined for itself that uses a protocol it does not recognize, it sends an ICMPv6 unreachable message to the source.
If the software receives a datagram that it cannot deliver to its ultimate destination because it knows of no route to the destination address, it replies to the originator of that datagram with an ICMP host unreachable message.
Examples
The following example enables the generation of ICMPv6 unreachable messages, as appropriate, on an interface:
interface ethernet 0ipv6 unreachablesipv6 verify unicast reverse-path
To enable Unicast Reverse Path Forwarding (Unicast RPF) for IPv6, use the ipv6 verify unicast reverse-path command in interface configuration mode. To disable Unicast RPF, use the no form of this command.
ipv6 verify unicast reverse-path [access-list name]
no ipv6 verify unicast reverse-path [access-list name]
Syntax Description
access-list name
(Optional) Specifies the name of the access list.
Note
Command Default
Unicast RPF is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
The ipv6 verify unicast reverse-path command is used to enable Unicast RPF for IPv6 in strict checking mode. The Unicast RPF for IPv6 feature requires that Cisco Express Forwarding for IPv6 (CEFv6) is enabled on the router.
Note
Use the ipv6 verify unicast reverse-path command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate denial-of-service (DoS) attacks based on source IP address spoofing.
When Unicast RPF is enabled on an interface, the router examines all packets received on that interface. The router checks to make sure that the source IPv6 address appears in the routing table and that it is reachable by a path through the interface on which the packet was received. Unicast RPF is an input feature and is applied only on the input interface of a router at the upstream end of a connection.
The Unicast RPF feature performs a reverse lookup in the CEF table to check if any packet received at a router interface has arrived on a path identified as a best return path to the source of the packet. If a reverse path for the packet is not found, Unicast RPF can drop or forward the packet, depending on whether an ACL is specified in the Unicast RPF command. If an ACL is specified in the command, then when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.
If no ACL is specified in the Unicast RPF command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated.
Unicast RPF events can be logged by specifying the logging option for the ACL entries used by the Unicast RPF command. Log information can be used to gather information about the attack, such as source address, time, and so on.
Note
When you configure a SPA on the Cisco 12000 series Internet router, the interface address is in the format slot/subslot/port.
The optional access-list keyword for the ipv6 verify unicast reverse-path command is not supported on the Cisco 12000 series Internet router. For information about how Unicast RPF can be used with ACLs on other platforms to mitigate the transmission of invalid IPv4 addresses (perform egress filtering) and to prevent (deny) the reception of invalid IPv4 addresses (perform ingress filtering), refer to the "Configuring Unicast Reverse Path Forwarding" chapter in the "Other Security Features" section of the Cisco IOS Security Configuration Guide, Release 12.4.
Note
Do not use Unicast RPF on core-facing interfaces that are internal to the network. Internal interfaces are likely to have routing asymmetry, meaning that there are multiple routes to the source of a packet. Apply Unicast RPF only where there is natural or configured symmetry.
For example, routers at the edge of the network of an Internet service provider (ISP) are more likely to have symmetrical reverse paths than routers that are in the core of the ISP network. Routers that are in the core of the ISP network have no guarantee that the best forwarding path out of the router will be the path selected for packets returning to the router. Hence, it is not recommended that you apply Unicast RPF where there is a chance of asymmetric routing. It is simplest to place Unicast RPF only at the edge of a network or, for an ISP, at the customer edge of the network.
Examples
Unicast Reverse Path Forwarding on a Serial Interface
The following example shows how to enable the Unicast RPF feature on a serial interface:
interface serial 5/0/0ipv6 verify unicast reverse-pathUnicast Reverse Path Forwarding on a Cisco 12000 Series Internet Router
The following example shows how to enable Unicast RPF for IPv6 with strict checking on a 10G SIP Gigabit Ethernet interface 2/1/2:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# interface gigabitEthernet 2/1/2Router(config-if)# ipv6 verify unicast reverse-pathRouter(config-if)# exitUnicast Reverse Path Forwarding on a Single-Homed ISP
The following example uses a very simple single-homed ISP to demonstrate the concepts of ingress and egress filters used in conjunction with Unicast RPF. The example illustrates an ISP-allocated classless interdomain routing (CIDR) block 209.165.202.128/28 that has both inbound and outbound filters on the upstream interface. Be aware that ISPs are usually not single-homed. Hence, provisions for asymmetrical flows (when outbound traffic goes out one link and returns via a different link) need to be designed into the filters on the border routers of the ISP.
interface Serial 5/0/0description Connection to Upstream ISPipv6 address FE80::260:3EFF:FE11:6770/64no ipv6 redirectsipv6 verify unicast reverse-path abc!ipv6 access-list abcpermit ipv6 host 2::1 anydeny ipv6 FEC0::/10 anyipv6 access-group abc inipv6 access-group jkl out!access-list abc permit ip FE80::260:3EFF:FE11:6770/64 2001:0DB8:0000:0001::0001anyaccess-list abc deny ipv6 any any logaccess-list jkl deny ipv6 host 2001:0DB8:0000:0001::0001 any logaccess-list jkl deny ipv6 2001:0DB8:0000:0001:FFFF:1234::5.255.255.255 any logaccess-list jkl deny ipv6 2002:0EF8:002001:0DB8:0000:0001:FFFF:1234::5172.16.0.00.15.255.255 any logaccess-list jkl deny ipv6 2001:0CB8:0000:0001:FFFF:1234::5 0.0.255.255 any logaccess-list jkl deny ipv6 2003:0DB8:0000:0001:FFFF:1234::5 0.0.0.31 any logaccess-list jkl permit ipv6ACL Logging with Unicast RPF
The following example demonstrates the use of ACLs and logging with Unicast RPF. In this example, extended ACL abc provides entries that deny or permit network traffic for specific address ranges. Unicast RPF is configured on interface Ethernet 0/0 to check packets arriving at that interface.
For example, packets with a source address of 8765:4321::1 arriving at interface Ethernet 0 are dropped because of the deny statement in ACL "abc." In this case, the ACL information is logged (the logging option is turned on for the ACL entry) and dropped packets are counted per-interface and globally. Packets with a source address of 1234:5678::1 arriving at interface Ethernet 0/0 are forwarded because of the permit statement in ACL abc. ACL information about dropped or suppressed packets is logged (the logging option is turned on for the ACL entry) to the log server.
interface ethernet 0/0ipv6 address FE80::260:3EFF:FE11:6770/64 link-localipv6 verify unicast reverse-path abc!ipv6 access-list abcpermit ipv6 1234:5678::/64 any log-inputdeny ipv6 8765:4321::/64 any log-inputRelated Commands
ipv6 verify unicast source reachable-via
To verify that a source address exists in the FIB table and enable Unicast Reverse Path Forwarding (Unicast RPF), use the ipv6 verify unicast source reachable-via command in interface configuration mode. To disable URPF, use the no form of this command.
ipv6 verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-name]
no ipv6 verify unicast
Syntax Description
Command Default
Unicast RPF is disabled.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
The ipv6 verify unicast reverse-path command is used to enable Unicast RPF for IPv6 in loose checking mode.
Use the ipv6 verify unicast source reachable-via command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through an IPv6 router. Malformed or forged source addresses can indicate denial-of-service (DoS) attacks based on source IPv6 address spoofing.
The URPF feature checks to see if any packet received at a router interface arrives on one of the best return paths to the source of the packet. The feature does this by doing a reverse lookup in the CEF table. If URPF does not find a reverse path for the packet, U RPF can drop or forward the packet, depending on whether an access control list (ACL) is specified in the ipv6 verify unicast source reachable-via command. If an ACL is specified in the command, then when (and only when) a packet fails the URPF check, the ACL is checked to see if the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for U RPF drops and in the interface statistics for Unicast RPF.
If no ACL is specified in the ipv6 verify unicast source reachable-via command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated.
U RPF events can be logged by specifying the logging option for the ACL entries used by the ipv6 verify unicast source reachable-via command. Log information can be used to gather information about the attack, such as source address, time, and so on.
Examples
The following example enables Unicast RPF on any interface:
ipv6 verify unicast source reachable-via anyRelated Commands
ipv6 virtual-reassembly
To enable Virtual Fragment Reassembly (VFR) on an interface, use the ipv6 virtual-reassembly command in global configuration mode. To disable VFR, use the no form of this command.
ipv6 virtual-reassembly [max-reassemblies maxreassemblies] [max-fragments max-fragments] [timeout seconds]
noipv6 virtual-reassembly [max-reassemblies maxreassemblies] [max-fragments max-fragments] [timeout seconds]
Syntax Description
Command Default
Reassemblies = 256
Fragments = 8Command Modes
Global configuration
Command History
Usage Guidelines
Maximum Number of Reassemblies
Whenever the maximum number of 256 reassemblies (fragment sets) is crossed, all the fragments in the forthcoming fragment set will be dropped and an alert message VFR-4-FRAG_TABLE_OVERFLOW will be logged to the syslog server.
Maximum Number of Fragments per Fragment Set
If a datagram being reassembled receives more than eight fragments, tall fragments will be dropped and an alert message VFR-4-TOO_MANY_FRAGMENTS will be logged to the syslog server.
Examples
The following example sets the maximum number of reassemblies to 32, maximum fragments to 4, and the timeout to 7 seconds:
ip virtual-reassembly max-reassemblies 32 max-fragments 4 timeout 7ipv6 virtual-reassembly drop-fragments
To drop all fragments on an interface, use the ipv6 virtual-reassembly drop-fragments command in global configuration mode. Use the no form of this command to remove the packet-dropping behavior.
ipv6 virtual-reassembly drop-fragments
no ipv6 virtual-reassembly drop-fragments
Syntax Description
This command has no arguments or keywords.
Command Default
Fragments on an interface are not dropped.
Command Modes
Global configuration
Command History
Examples
The following example causes all fragments on an interface to be dropped:
ipv6 virtual-reassembly drop-fragmentsisis ipv6 metric
To configure the value of an Intermediate System-to-Intermediate System (IS-IS) IPv6 metric, use the isis ipv6 metric command in interface configuration mode. To return the metric to its default value, use the no form of this command.
isis ipv6 metric {metric-value | maximum} [level-1 | level-2]
no isis ipv6 metric {metric-value | maximum} [level-1 | level-2]
Syntax Description
Command Default
The default metric value is set to 10.
Command Modes
Interface configuration
Command History
Usage Guidelines
The isis ipv6 metric command is used only in multitopology IS-IS.
Changing the metric allows differentiation between IPv4 and IPv6 traffic, forcing traffic onto different interfaces. This function allows you to use the lower-cost rather than the high-cost interface.
For using extended metrics, such as with the IS-IS multitopology for IPv6 feature, Cisco IOS software provides support of a 24-bit metric field, the so-called "wide metric." Using the new metric style, link metrics now have a maximum value of 16777214 with a total path metric of 4261412864.
Cisco IOS Release 12.4(13) and 12.4(13)T
Entering the maximum keyword will exclude the link from the SPF calculation. If a link is advertised with the maximum link metric, the link will not be considered during the normal SPF computation. When the link excluded from the SPF, it will not be advertised for calculating the normal SPF. An example would be a link that is available for traffic engineering, but not for hop-by-hop routing. If a link, such as one that is used for traffic engineering, should not be included in the SPF calculation, enter the isis ipv6 metric command with the maximum keyword.
Note
Examples
The following example sets the value of an IS-IS IPv6 metric to 20:
Router(config)# interface Ethernet 0/0/1Router(config-if)# isis ipv6 metric 20The following example sets the IS-IS IPv6 metric for the link to maximum. SPF will ignore the link for both Level 1 and Level 2 routing because neither the level-1 keyword nor the level-2 keyword was entered.
Router(config)# interface fastethernet 0/0Router(config-if)# isis ipv6 metric maximumRelated Commands
metric-style wide
Configures a router running IS-IS so that it generates and accepts only new-style TLVs.
keepalive target
To identify Session Initiation Protocol (SIP) servers that will receive keepalive packets from the SIP gateway, use the keepalive target command in SIP user-agent configuration mode. To disable the keepalive target command behavior, use the no form of this command.
keepalive target {{ipv4:address | ipv6:address}[:port] | dns:hostname} | [tcp [tls]] | [udp] | [secondary]
no keepalive target [secondary]
Syntax Description
Command Default
No keepalives are sent by default from SIP gateway to SIP gateway. The SIP port number is 5060 by default.
Command Modes
SIP user-agent configuration (config-sip-ua)
Command History
Usage Guidelines
The primary or secondary SIP server addresses are in the following forms: dns:example.sip.com or ipv4:172.16.0.10.
Examples
The following example sets the primary SIP server address and defaults to the UDP transport:
sip-uakeepalive target ipv4:172.16.0.10The following example sets the primary SIP server address and the transport to UDP:
sip-uakeepalive target ipv4:172.16.0.10 udpThe following example sets both the primary and secondary SIP server address and the transport to UDP:
sip-uakeepalive target ipv4:172.16.0.10 udpkeepalive target ipv4:172.16.0.20 udp secondaryThe following example sets both the primary and secondary SIP server addresses and defaults to the UDP transport:
sip-uakeepalive target ipv4:172.16.0.10keepalive target ipv4:172.16.0.20 secondaryThe following example sets the primary SIP server address and the transport to TCP:
sip-uakeepalive target ipv4:172.16.0.10 tcpThe following example sets both the primary and secondary SIP server addresses and the transport to TCP:
sip-uakeepalive target ipv4:172.16.0.10 tcpkeepalive target ipv4:172.16.0.20 tcp secondaryThe following example sets the primary SIP server address and the transport to TCP and sets security to TLS mode:
sip-uakeepalive target ipv4:172.16.0.10 tcp tlsThe following example sets both the primary and secondary SIP server addresses and the transport to TCP and sets security to the TLS mode:
sip-uakeepalive target ipv4:172.16.0.10 tcp tlskeepalive target ipv4:172.16.0.20 tcp tls secondaryRelated Commands
key
To identify an authentication key on a key chain, use the key command in key-chain configuration mode. To remove the key from the key chain, use the no form of this command.
key key-id
no key key-id
Syntax Description
key-id
Identification number of an authentication key on a key chain. The range of keys is from 0 to 2147483647. The key identification numbers need not be consecutive.
Command Default
No key exists on the key chain.
Command Modes
Key-chain configuration (config-keychain)
Command History
Usage Guidelines
Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains.
It is useful to have multiple keys on a key chain so that the software can sequence through the keys as they become invalid after time, based on the accept-lifetime and send-lifetime key chain key command settings.
Each key has its own key identifier, which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and Message Digest 5 (MD5) authentication key in use. Only one authentication packet is sent, regardless of the number of valid keys. The software starts looking at the lowest key identifier number and uses the first valid key.
If the last key expires, authentication will continue and an error message will be generated. To disable authentication, you must manually delete the last valid key.
To remove all keys, remove the key chain by using the no key chain command.
Examples
The following example configures a key chain named chain1. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.
Router(config)# interface ethernet 0Router(config-if)# ip rip authentication key-chain chain1Router(config-if)# ip rip authentication mode md5!Router(config)# router ripRouter(config-router)# network 172.19.0.0Router(config-router)# version 2!Router(config)# key chain chain1Router(config-keychain)# key 1Router(config-keychain-key)# key-string key1Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600Router(config-keychain-key)# exitRouter(config-keychain)# key 2Router(config-keychain-key)# key-string key2Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600The following named configuration example configures a key chain named chain1 for EIGRP address-family. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.
Router(config)# router eigrp virtual-nameRouter(config-router)# address-family ipv4 autonomous-system 4453Router(config-router-af)# network 10.0.0.0Router(config-router-af)# af-interface ethernet0/0Router(config-router-af-interface)# authentication key-chain treesRouter(config-router-af-interface)# authentication mode md5Router(config-router-af-interface)# exitRouter(config-router-af)# exitRouter(config-router)# exitRouter(config)# key chain chain1Router(config-keychain)# key 1Router(config-keychain-key)# key-string key1Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600Router(config-keychain-key)# exitRouter(config-keychain)# key 2Router(config-keychain-key)# key-string key2Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600The following named configuration example configures a key chain named chain1 for EIGRP service-family. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.
Router(config)# eigrp virtual-nameRouter(config-router)# service-family ipv4 autonomous-system 4453Router(config-router-sf)# network 10.0.0.0Router(config-router-sf)# sf-interface ethernet0/0Router(config-router-sf-interface)# authentication key-chain treesRouter(config-router-sf-interface)# authentication mode md5Router(config-router-sf-interface)# exitRouter(config-router-sf)# exitRouter(config-router)# exitRouter(config)# key chain chain1Router(config-keychain)# key 1Router(config-keychain-key)# key-string key1Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600Router(config-keychain-key)# exitRouter(config-keychain)# key 2Router(config-keychain-key)# key-string key2Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600Related Commands
key chain
To define an authentication key chain needed to enable authentication for routing protocols and enter key-chain configuration mode, use the key chain command in global configuration mode. To remove the key chain, use the no form of this command.
key chain name-of-chain
no key chain name-of-chain
Syntax Description
name-of-chain
Name of a key chain. A key chain must have at least one key and can have up to 2147483647 keys.
Command Default
No key chain exists.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains.
You must configure a key chain with keys to enable authentication.
Although you can identify multiple key chains, we recommend using one key chain per interface per routing protocol. Upon specifying the key chain command, you enter key chain configuration mode.
Examples
The following example configures a key chain named chain1. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.
Router(config)# interface ethernet 0Router(config-if)# ip rip authentication key-chain chain1Router(config-if)# ip rip authentication mode md5!Router(config)# router ripRouter(config-router)# network 172.19.0.0Router(config-router)# version 2!Router(config)# key chain chain1Router(config-keychain)# key 1Router(config-keychain-key)# key-string key1Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600Router(config-keychain-key)# exitRouter(config-keychain)# key 2Router(config-keychain-key)# key-string key2Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600The following named configuration example configures a key chain named chain1 for EIGRP address-family. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.
Router(config)# router eigrp virtual-nameRouter(config-router)# address-family ipv4 autonomous-system 4453Router(config-router-af)# network 10.0.0.0Router(config-router-af)# af-interface ethernet0/0Router(config-router-af-interface)# authentication key-chain treesRouter(config-router-af-interface)# authentication mode md5Router(config-router-af-interface)# exitRouter(config-router-af)# exitRouter(config-router)# exitRouter(config)# key chain chain1Router(config-keychain)# key 1Router(config-keychain-key)# key-string key1Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600Router(config-keychain-key)# exitRouter(config-keychain)# key 2Router(config-keychain-key)# key-string key2Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600The following named configuration example configures a key chain named trees for service-family. The key named chestnut will be accepted from 1:30 pm to 3:30 pm and be sent from 2:00 pm to 3:00 pm. The key birch will be accepted from 2:30 pm to 4:30 pm and be sent from 3:00 pm to 4:00 pm. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.
Router(config)# router eigrp virtual-nameRouter(config-router)# service-family ipv4 autonomous-system 4453Router(config-router-sf)# sf-interface ethernetRouter(config-router-sf-interface)# authentication key chain treesRouter(config-router-sf-interface)# authentication mode md5Router(config-router-sf-interface)# exitRouter(config-router-sf)# exitRouter(config-router)# exitRouter(config)# key chain chain1Router(config-keychain)# key 1Router(config-keychain-key)# key-string chestnutRouter(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600Router(config-keychain-key)# exitRouter(config-keychain)# key 2Router(config-keychain-key)# key-string birchRouter(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600Related Commands
key-string (authentication)
To specify the authentication string for a key, use the key-string (authentication) command in key chain key configuration mode. To remove the authentication string, use the no form of this command.
key-string text
no key-string text
Syntax Description
Command Default
No authentication string for a key exists.
Command Modes
Key chain key configuration (config-keychain-key)
Command History
Usage Guidelines
Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains. Each key can have only one key string.
If password encryption is configured (with the service password-encryption command), the software saves the key string as encrypted text. When you write to the terminal with the more system:running-config command, the software displays key-string 7 encrypted text.
Examples
The following example configures a key chain named chain1. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.
Router(config)# interface ethernet 0Router(config-if)# ip rip authentication key-chain chain1Router(config-if)# ip rip authentication mode md5!Router(config)# router ripRouter(config-router)# network 172.19.0.0Router(config-router)# version 2!Router(config)# key chain chain1Router(config-keychain)# key 1Router(config-keychain-key)# key-string key1Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600Router(config-keychain-key)# exitRouter(config-keychain)# key 2Router(config-keychain-key)# key-string key2Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600The following example configures a key chain named chain1 for EIGRP address-family. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.
Router(config)# eigrp virtual-nameRouter(config-router)# address-family ipv4 autonomous-system 4453Router(config-router-af)# network 10.0.0.0Router(config-router-af)# af-interface ethernet0/0Router(config-router-af-interface)# authentication key-chain treesRouter(config-router-af-interface)# authentication mode md5Router(config-router-af-interface)# exitRouter(config-router-af)# exitRouter(config-router)# exitRouter(config)# key chain chain1Router(config-keychain)# key 1Router(config-keychain-key)# key-string key1Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600Router(config-keychain-key)# exitRouter(config-keychain)# key 2Router(config-keychain-key)# key-string key2Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600Related Commands
lifetime (IKE policy)
To specify the lifetime of an Internet Key Exchange (IKE) security association (SA), use the lifetime command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. To reset the SA lifetime to the default value, use the no form of this command.
lifetime seconds
no lifetime
Syntax Description
seconds
Number of many seconds for each each SA should exist before expiring. Use an integer from 60 to 86,400 seconds, which is the default value.
Command Default
The default is 86,400 seconds (one day).
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify how long an IKE SA exists before expiring.
When IKE begins negotiations, the first thing it does is agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the SA's lifetime expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. New IPSec SAs are negotiated before current IPSec SAs expire.
So, to save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.
Note that when your local peer initiates an IKE negotiation between itself and a remote peer, an IKE policy can be selected only if the lifetime of the remote peer's policy is shorter than or equal to the lifetime of the local peer's policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected. To restate this behavior: If the two peer's policies' lifetimes are not the same, the initiating peer's lifetime must be longer and the responding peer's lifetime must be shorter, and the shorter lifetime will be used.
Examples
The following example configures an IKE policy with a security association lifetime of 600 seconds (10 minutes), and all other parameters are set to the defaults:
crypto isakmp policy 15lifetime 600exitRelated Commands
log-adjacency-changes
To configure the router to send a syslog message when an Open Shortest Path First (OSPF) neighbor goes up or down, use the log-adjacency-changes command in router configuration mode. To turn off this function, use the no form of this command.
log-adjacency-changes [detail]
no log-adjacency-changes [detail]
Syntax Description
detail
(Optional) Sends a syslog message for each state change, not just when a neighbor goes up or down.
Command Default
Enabled
Command Modes
Router configuration
Command History
Usage Guidelines
This command allows you to know about OSPF neighbors going up or down without turning on the debug ip ospf packet command or the debug ipv6 ospf adjacency command. The log-adjacency-changes command provides a higher level view of those changes of the peer relationship with less output than the debug command provides. The log-adjacency-changes command is on by default but only up/down (full/down) events are reported, unless the detail keyword is also used.
Examples
The following example configures the router to send a syslog message when an OSPF neighbor state changes:
log-adjacency-changes detailRelated Commands
debug ip ospf packet
Displays information about each OSPF packet received for IPv4.
debug ipv6 ospf
Displays debugging information for OSPF for IPv6.
logging host
To log system messages and debug output to a remote host, use the logging host command in global configuration mode. To remove a specified logging host from the configuration, use the no form of this command.
logging host {{ip-address | hostname} [vrf vrf-name] | ipv6 {ipv6-address | hostname}} [discriminator discr-name | [[filtered [stream stream-id] | xml]] [transport {[beep [audit] [channel chnl-number] [sasl profile-name] [tls cipher [cipher-num] trustpoint trustpt-name]]] | tcp [audit] | udp} [port port-num]] [sequence-num-session] [session-id {hostname | ipv4 | ipv6 | string custom-string}]
no logging host {{ip-address | hostname} | ipv6 {ipv6-address | hostname}}
Syntax Description
Command Default
System logging messages are not sent to any remote host.
When this command is entered without the xml or filtered keyword, messages are sent in the standard format.Command Modes
Global configuration (config)
Command History
Usage Guidelines
Standard system logging is enabled by default. If logging is disabled on your system (using the no logging on command), you must enter the logging on command to reenable logging before you can use the logging host command.
The logging host command identifies a remote host (usually a device serving as a syslog server) to receive logging messages. By issuing this command more than once, you can build a list of hosts that receive logging messages.
To specify the severity level for logging to all hosts, use the logging trap command.
Use the vrf vrf-name keyword and argument to enable a syslog client (a provider edge [PE] router) to send syslog messages to a syslog server host connected through a VRF interface. To delete the configuration of the syslog server host from the VRF, use the no logging host command with the vrf vrf-name keyword and argument.
When XML-formatted syslog is enabled using the logging host command with the xml keyword, messages are sent to the specified host with the system-defined XML tags. These tags are predefined and cannot be configured by a user. XML formatting is not applied to debug output.
If you are using the ESM feature, you can enable ESM-filtered syslog messages to be sent to one or more hosts using the logging host filtered command. To use the ESM feature, you must first specify the syslog filter modules that should be applied to the messages using the logging filter command. See the description of the logging filter command for more information about the ESM feature.
Note
Using the BEEP transport protocol, you can have reliable and secure delivery for syslog messages and configure multiple sessions over eight BEEP channels. The sasl profile-name, tls cipher cipher-num, trustpoint trustpt-name keywords and arguments are available only in crypto images.
To configure standard logging to a specific host after configuring XML-formatted or ESM-filtered logging to that host, use the logging host command without the xml or filtered keyword. Issuing the standard logging host command replaces an XML- or ESM- filtered logging host command, and vice versa, if the same host is specified.
You can configure the system to send standard messages to one or more hosts, XML-formatted messages to one or more hosts, and ESM-filtered messages to one or more hosts by repeating this command as many times as desired with the appropriate syntax. (See the "Examples" section.)
When the no logging host command is issued with or without the optional keywords, all logging to the specified host is disabled.
Examples
In the following example, messages at severity levels 0 (emergencies) through 5 (notifications) (logging trap command severity levels) are logged to a host at 192.168.202.169:
Router(config)# logging host 192.168.202.169Router(config)# logging trap 5In the following example, standard system logging messages are sent to the host at 192.168.200.225, XML-formatted system logging messages are sent to the host at 192.168.200.226, ESM-filtered logging messages with the stream 10 value are sent to the host at 192.168.200.227, and ESM-filtered logging messages with the stream 20 value are sent to host at 192.168.202.129:
Router(config)# logging host 192.168.200.225Router(config)# logging host 192.168.200.226 xmlRouter(config)# logging host 192.168.200.227 filtered stream 10Router(config)# logging host 192.168.202.129 filtered stream 20In the following example, messages are logged to a host with an IP address of 172.16.150.63 connected through a VRF named vpn1:
Router(config)# logging host 172.16.150.63 vrf vpn1In the following example, the default UDP on an IPv6 server is set because no port number is specified. The default port number of 514 is used:
Router(config)# logging host ipv6 AAAA:BBBB:CCCC:DDDD::FFFFIn the following example, TCP port 1774 on an IPv6 server is set:
Router(config)# logging host ipv6 BBBB:CCCC:DDDD:FFFF::1234 transport tcp port 1774In the following example, the UDP port default is used on an IPv6 server with a hostname of v6-hostname:
Router(config)# logging host ipv6 v6-hostname transport udp port 514In the following example, a message discriminator named fltr1 is specified as well as the BEEP protocol for port 600 and channel 3.
Router(config)# logging host host2 dicriminator fltr1 transport beep channel 3 port 600Related Commands
logging origin-id
To add an origin identifier to system logging messages sent to remote hosts, use the logging origin-id command in global configuration mode. To disable the origin identifier, use the no form of this command.
logging origin-id {hostname | ip | ipv6 | string user-defined-id}
no logging origin-id
Syntax Description
Command Default
This command is disabled.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The origin identifier is added to the beginning of all system logging (syslog) messages sent to remote hosts. The identifier can be the hostname, the IP address, the IPv6 address, or any text that you specify. The origin identifier is not added to messages sent to local destinations (the console, monitor, or buffer).
The origin identifier is useful for identifying the source of system logging messages in cases where you send syslog output from multiple devices to a single syslog host.
When you specify your own identification string using the logging origin-id string user-defined-id command, the system expects a string without spaces. For example:
Router(config)# logging origin-id string Cisco_SystemsTo use spaces (multiple words) or additional syntax, enclose the string with quotation marks (" "). For example:
Router(config)# logging origin-id string "Cisco Systems, Inc."Examples
In the following example, the origin identifier "Domain 1, router B" will be added to the beginning of all system logging messages sent to remote hosts:
Router(config)# logging origin-id string Domain 1, router BIn the following example, all logging messages sent to remote hosts will have the IP address configured for serial interface 1 added to the beginning of the message:
Router(config)# logging host 209.165.200.225Router(config)# logging trap 5Router(config)# logging source-interface serial 1Router(config)# logging origin-id ipRelated Commands
logging source-interface
To specify the source IP or IPv6 address of system logging packets, use the logging source-interface command in global configuration mode. To remove the source designation, use the no form of this command.
logging source-interface type number
no logging source-interface
Syntax Description
Command Default
No interface is specified.
Command Modes
Global configuration
Command History
Usage Guidelines
Normally, a syslog message contains the IP or IPv6 address of the interface it uses to leave the router. The logging source-interface command specifies that syslog packets contain the IP or IPv6 address of a particular interface, regardless of which interface the packet uses to exit the router.
When no specific interface is configured, a wildcard interface address of 0.0.0.0 (for IPv4) or :: (for IPv6) is used, and the IP socket selects the best outbound interface.
Examples
In the following example, the user specifies that the IP address for Ethernet interface 0 is the source IP address for all syslog messages:
Router(config)# logging source-interface ethernet 0The following example specifies that the IP address for Ethernet interface 2/1 on a Cisco 7000 series router is the source IP address for all syslog messages:
Router(config)# logging source-interface ethernet 2/1Related Commands
log-neighbor-changes (IPv6 EIGRP)
To enable the logging of changes in Enhanced Interior Gateway Routing Protocol (EIGRP) IPv6 neighbor adjacencies, use the log-neighbor-changes command in router configuration mode. To disable the logging of changes in EIGRP IPv6 neighbor adjacencies, use the no form of this command.
log-neighbor-changes
no log-neighbor-changes
Syntax Description
This command has no arguments or keywords.
Command Default
Adjacency changes are logged.
Command Modes
Router configuration
Command History
Usage Guidelines
The log-neighbor-changes command enables the logging of neighbor adjacency changes to monitor the stability of the routing system and to help detect problems.
Logging is enabled by default. To disable the logging of neighbor adjacency changes, use the no form of this command.
Examples
The following example disables logging of neighbor changes for EIGRP process 1:
ipv6 router eigrp 1no log-neighbor-changesThe following configuration enables logging of neighbor changes for EIGRP process 1:
ipv6 router eigrp 1log-neighbor-changesRelated Commands
log-neighbor-warnings
Note
To enable the logging of Enhanced Interior Gateway Routing Protocol (EIGRP) neighbor warning messages, use the log-neighbor-warnings command in router configuration mode. To disable the logging of EIGRP neighbor warning messages, use the no form of this command.
log-neighbor-warnings [seconds]
no log-neighbor-warnings
Syntax Description
seconds
(Optional) The time interval (in seconds) between repeated neighbor warning messages. The range of seconds is from 1 through 65535.
Command Default
Neighbor warning messages are logged.
Command Modes
Router configuration (config-router)
Command History
Usage Guidelines
When neighbor warning messages occur, they are logged by default. With the log-neighbor-warnings command, you can disable and enable the logging of neighbor warning messages and configure the interval between repeated neighbor warning messages.
Examples
The following example shows that neighbor warning messages will be logged for EIGRP process 1 and warning messages will be repeated in 5-minute (300 seconds) intervals:
Router(config)# ipv6 router eigrp 1Router(config-router)# log-neighbor-warnings 300Related Commands
log-neighbor-changes
Enables the logging of changes in EIGRP neighbor adjacencies.
mask
To specify the destination or source mask, use the mask command in aggregation cache configuration mode. To disable the destination mask, use the no form of this command.
mask {destination | source} minimum value
no mask destination minimum value
Syntax Description
Command Default
The default value of the minimum mask is zero.
Command Modes
Aggregation cache configuration
Command History
Usage Guidelines
This command is only available with router-based aggregation. Minimum masking capability is not available if router-based aggregation is not enabled.
Examples
The following example shows how to configure the mask to use the destination-prefix as the aggregation cache scheme with a minimum mask value of 32:
Router(config)# ipv6 flow-aggregation cache destination-prefixRouter(config-flow-cache)# mask destination minimum 32Related Commands
match access-group name
To specify the name of an IPv6 access list against whose contents packets are checked to determine if they belong to the traffic class, use the match access-group name command in class-map configuration mode. To remove the name of the IPv6 access list, use the no form of this command.
match access-group name ipv6-access-group
no match access-group name ipv6-access-group
Syntax Description
ipv6-access-group
Name of the IPv6 access group. Names cannot contain a space or quotation mark, or begin with a numeric.
Command Default
No match criteria are configured.
Command Modes
Class-map configuration
Command History
12.0(28)S
This command was introduced.
Cisco IOS XE Release 2.1
This command was introduced on Cisco ASR 1000 Series Routers.
Usage Guidelines
For class-based weighted fair queueing (CBWFQ), you define traffic classes based on match criteria including access control lists (ACLs), protocols, input interfaces, QoS labels, and EXP field values. Packets satisfying the match criteria for a class constitute the traffic for that class.
The match access-group name command specifies an IPv6 named ACL only. The contents of the ACL are used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.
To use the match access-group name command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish. After you identify the class, you can use one of the following commands to configure its match criteria:
•
•
•
•
•
If you specify more than one command in a class map, only the last command entered applies. The last command overrides the previously entered commands.
Examples
The following example specifies an access list named ipv6acl against whose contents packets will be checked to determine if they belong to the traffic class:
class-map ipv6_acl_classmatch access-group name ipv6aclRelated Commands
match dscp
To identify one or more differentiated service code point (DSCP), Assured Forwarding (AF), and Certificate Server (CS) values as a match criterion, use the match dscp command in class-map configuration mode. To remove a specific DSCP value from a class map, use the no form of this command.
match [ip] dscp dscp-value [dscp-value dscp-value dscp-value dscp-value dscp-value dscp-value dscp-value]
no match [ip] dscp dscp-value
Syntax Description
Command Default
No match criteria are configured.
If you do not enter the ip keyword, matching occurs on both IPv4 and IPv6 packets.Command Modes
Class-map configuration
Command History
Usage Guidelines
DSCP Values
You must enter one or more differentiated service code point (DSCP) values. The command may include any combination of the following:
•
•
•
•
•
For example, if you wanted the DCSP values of 0, 1, 2, 3, 4, 5, 6, or 7 (note that only one of the IP DSCP values must be a successful match criterion, not all of the specified DSCP values), enter the match dscp 0 1 2 3 4 5 6 7 command.
This command is used by the class map to identify a specific DSCP value marking on a packet. In this context, dscp-value arguments are used as markings only and have no mathematical significance. For instance, the dscp-value of 2 is not greater than 1. The value simply indicates that a packet marked with the dscp-value of 2 is different than a packet marked with the dscp-value of 1. The treatment of these marked packets is defined by the user through the setting of Quality of Service (QoS) policies in policy-map class configuration mode.
Match Packets on DSCP Values
To match DSCP values for IPv6 packets only, the match protocol ipv6 command must also be used. Without that command, the DSCP match defaults to match both IPv4 and IPv6 packets.
To match DSCP values for IPv4 packets only, use the ip keyword. Without the ip keyword the match occurs on both IPv4 and IPv6 packets. Alternatively, the match protocol ip command may be used with match dscp to classify only IPv4 packets.
After the DSCP bit is set, other QoS features can then operate on the bit settings.
The network can give priority (or some type of expedited handling) to marked traffic. Typically, you set the precedence value at the edge of the network (or administrative domain); data is then queued according to the precedence. Weighted fair queueing (WFQ) can speed up handling for high-precedence traffic at congestion points. Weighted Random Early Detection (WRED) can ensure that high-precedence traffic has lower loss rates than other traffic during times of congestion.
Cisco 10000 Series Router
The Cisco 10000 series router supports DSCP matching of IPv4 packets only. You must include the ip keyword when specifying the DSCP values to use as match criterion.
You cannot use the set ip dscp command with the set ip precedence command to mark the same packet. DSCP and precedence values are mutually exclusive. A packet can have one value or the other, but not both.
Examples
The following example shows how to set multiple match criteria. In this case, two IP DSCP value and one AF value.
Router(config)# class-map map1Router(config-cmap)# match dscp 1 2 af11Related Commands
match identity
To match an identity from a peer in an Internet Security Association and Key Management Protocol (ISAKMP) profile, use the match identity command in ISAKMP profile configuration mode. To remove the identity, use the no form of this command.
match identity {group group-name | address {address [mask] [fvrf] | ipv6 ipv6-address} | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}
no match identity {group group-name | address {address [mask] [fvrf] | ipv6 ipv6-address} | host host-name | host domain domain-name | user user-fqdn | user domain domain-name}
Syntax Description
Command Default
No default behavior or values
Command Modes
ISAKMP profile configuration (conf-isa-prof)
Command History
Usage Guidelines
There must be at least one match identity command in an ISAKMP profile configuration. The peers are mapped to an ISAKMP profile when their identities are matched (as given in the ID payload of the Internet Key Exchange [IKE] exchange) against the identities that are defined in the ISAKMP profile. To uniquely map to an ISAKMP profile, no two ISAKMP profiles should match the same identity. If the peer identity is matched in two ISAKMP profiles, the configuration is invalid.
Examples
The following example shows that the match identity command is configured:
crypto isakmp profile vpnprofilematch identity group vpngroupmatch identity address 10.53.11.1match identity host domain example.commatch identity host server.example.comRelated Commands
match ipv6 address
To distribute IPv6 routes that have a prefix permitted by a prefix list or to specify an IPv6 access list to use to match packets for policy-based routing (PBR) for IPv6, use the match ipv6 address command in route-map configuration mode. To remove the match ipv6 address entry, use the no form of this command.
match ipv6 address {prefix-list prefix-list-name | access-list-name}
no match ipv6 address
Syntax Description
Command Default
No routes are distributed based on destination network number.
No routes are distributed based on an access list.Command Modes
Route-map configuration
Command History
Usage Guidelines
Use the route-map command, and the match and set commands, to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met.
The match ipv6 address command can be used to specify either an access list or a prefix list. When using PBR, you must use the access-list-name argument—the prefix-list keyword and prefix-list-name argument will not work.
Examples
In the following example, IPv6 routes that have addresses specified by the prefix list named marketing are matched:
Router(config)# route-map nameRouter(config-route-map)# match ipv6 address prefix-list marketingIn the following example, IPv6 routes that have addresses specified by an access list named marketing are matched:
Router(config-route-map)# match ipv6 address marketingRelated Commands
match ipv6 next-hop
To distribute IPv6 routes that have a next hop prefix permitted by a prefix list, use the match ipv6 next-hop command in route-map configuration mode. To remove the match ipv6 next-hop entry, use the no form of this command.
match ipv6 next-hop prefix-list prefix-list-name
no match ipv6 next-hop
Syntax Description
Command Default
Routes are distributed freely, without being required to match a next hop address.
Command Modes
Route-map configuration
Command History
Usage Guidelines
The match ipv6 next-hop command is similar to the match ip next-hop command, except that it is IPv6-specific.
Use the route-map command, and the match and set commands, to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.
The match command has multiple formats. The match commands can be given in any order, and all match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
When you are passing routes through a route map, a route map can have several parts. Any route that does not match at least one match command relating to a route-map command will be ignored; that is, the route will not be advertised for outbound route maps and will not be accepted for inbound route maps. If you want to modify only some data, you must configure a second route map section with an explicit match specified.
Note
Examples
The following example distributes routes that have a next hop IPv6 address passed by the prefix list named marketing:
Router(config)# route-map nameRouter(config-route-map)# match ipv6 next-hop prefix-list marketingRelated Commands
match ipv6 route-source
To distribute IPv6 routes that have been advertised by routers at an address specified by a prefix list, use the match ipv6 route-source command in route-map configuration mode. To remove the match ipv6 route-source entry, use the no form of this command.
match ipv6 route-source prefix-list prefix-list-name
no match ipv6 route-source
Syntax Description
Command Default
No filtering on route source.
Command Modes
Route-map configuration
Command History
Usage Guidelines
The match ipv6 route-source command is similar to the match ip route-source command, except that it is IPv6-specific.
Use the route-map command, and the match and set commands, to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.
The match command has multiple formats. The match commands can be given in any order, and all match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
When you are passing routes through a route map, a route map can have several parts. Any route that does not match at least one match command relating to a route-map command will be ignored; that is, the route will not be advertised for outbound route maps and will not be accepted for inbound route maps. If you want to modify only some data, you must configure a second route map section with an explicit match specified.
There are situations in which the next hop for a route and the source networking device address are not the same.
Note
Examples
The following example distributes routes that have been advertised by networking devices at the addresses specified by the prefix list named marketing:
Router(config)# route-map nameRouter(config-route-map)# match ipv6 route-source prefix-list marketingRelated Commands
match length
To base policy routing on the Level 3 length of a packet, use the match length command in route-map configuration mode. To remove the entry, use the no form of this command.
match length minimum-length maximum-length
no match length minimum-length maximum-length
Syntax Description
Command Default
No policy routing occurs on the length of a packet.
Command Modes
Route-map configuration
Command History
Usage Guidelines
In IPv4, use the ip policy route-map interface configuration command, the route-map global configuration command, and the match and set route-map configuration commands, to define the conditions for policy routing packets. The ip policy route-map command identifies a route map by name. Each route-map has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which policy routing occurs. The set commands specify the set actions—the particular routing actions to perform if the criteria enforced by the match commands are met.
In PBR for IPv6, use the ipv6 policy route-map or ipv6 local policy route-map command to define conditions for policy routing packets.
In IPv4, the match route-map configuration command has multiple formats. The match commands can be given in any order, and all match commands must "pass" to cause the packet to be routed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
In IPv4, you might want to base your policy routing on the length of packets so that your interactive traffic and bulk traffic are directed to different routers.
Examples
In the following example, packets 3 to 200 bytes long, inclusive, will be routed to FDDI interface 0:
interface serial 0ip policy route-map interactive!route-map interactivematch length 3 200set interface fddi 0In the following example for IPv6, packets 3 to 200 bytes long, inclusive, will be routed to FDDI interface 0:
interface Ethernet0/0ipv6 policy-route-map interactive!route-map interactivematch length 3 200set interface fddi 0Related Commands
match mpls-label
To redistribute routes that include Multiprotocol Label Switching (MPLS) labels if the routes meet the conditions specified in the route map, use the match mpls-label command in route-map configuration mode. To disable this function, use the no form of this command.
match mpls-label
no match mpls-label
Syntax Description
This command has no arguments or keywords.
Command Default
Routes with MPLS labels are not redistributed.
Command Modes
Route-map configuration
Command History
Usage Guidelines
A route map that includes this command can be used in the following instances:
•
•
Use the route-map global configuration command, and the match and set route map configuration commands, to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. The match commands can be given in any order, and all match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
When you are passing routes through a route map, a route map can have several parts. Any route that does not match at least one match clause relating to a route-map command will be ignored; that is, the route will not be advertised for outbound route maps and will not be accepted for inbound route maps. If you want to modify only some data, you must configure a second route map section with an explicit match specified.
Examples
The following example shows how to create a route map that redistributes routes if the following conditions are met:
•
•
Router(config-router)# route-map incoming permit 10Router(config-route-map)# match ip address 2Router(config-route-map)# match mpls-labelRelated Commands
match precedence
To identify IP precedence values to use as the match criterion, use the match precedence command in class-map configuration mode. To remove IP precedence values from a class map, use the no form of this command.
match [ip] precedence {precedence-criteria1 | precedence-criteria2 | precedence-criteria3 | precedence-criteria4}
no match [ip] precedence {precedence-criteria1 | precedence-criteria2 | precedence-criteria3 | precedence-criteria4}
Syntax Description
Command Default
No match criterion is configured.
If you do not enter the ip keyword, matching occurs on both IPv4 and IPv6 packets.
Command Modes
Class-map configuration mode (config-cmap)
Command History
Usage Guidelines
You can enter up to four matching criteria, as number abbreviation (0 to 7) or criteria names (critical, flash, and so on), in a single match statement. For example, if you wanted the precedence values of 0, 1, 2, or 3 (note that only one of the precedence values must be a successful match criterion, not all of the specified precedence values), enter the match ip precedence 0 1 2 3 command. The precedence-criteria numbers are not mathematically significant; that is, the precedence-criteria of 2 is not greater than 1. The way that these different packets are treated depends upon quality of service (QoS) policies, set in the policy-map configuration mode.
You can configure a QoS policy to include IP precedence marking for packets entering the network. Devices within your network can then use the newly marked IP precedence values to determine how to treat the packets. For example, class-based weighted random early detection (WRED) uses IP precedence values to determine the probability that a packet is dropped. You can also mark voice packets with a particular precedence. You can then configure low-latency queueing (LLQ) to place all packets of that precedence into the priority queue.
Matching Precedence for IPv6 and IPv4 Packets on the Cisco 10000 and 7600 Series Routers
On the Cisco 7600 Series and 10000 Series Routers, you set matching criteria based on precedence values for only IPv6 packets using the match protocol command with the ipv6 keyword. Without that keyword, the precedence match defaults to match both IPv4 and IPv6 packets. You set matching criteria based on precedence values for IPv4 packets only, use the ip keyword. Without the ip keyword the match occurs on both IPv4 and IPv6 packets.
Precedence Values and Names
The following table lists all criteria conditions by value, name, binary value, and recommended use. You may enter up to four criteria, each separated by a space. Only one of the precedence values must be a successful match criterion. Table 36 lists the IP precedence values.
Do not use IP precedence 6 or 7 to mark packets, unless you are marking control packets.
Examples
IPv4-Specific Traffic Match
The following example shows how to configure the service policy called "priority50" and attach service policy "priority50" to an interface, matching for IPv4 traffic only. In a network where both IPv4 and IPv6 are running, you might find it necessary to distinguish between the protocols for matching and traffic segregation. In this example, the class map called "ipprec5" will evaluate all IPv4 packets entering Fast Ethernet interface 1/0/0 for a precedence value of 5. If the incoming IPv4 packet has been marked with the precedence value of 5, the packet will be treated as priority traffic and will be allocated with bandwidth of 50 kbps.
Router(config)# class-map ipprec5Router(config-cmap)# match ip precedence 5Router(config)# exitRouter(config)# policy-map priority50Router(config-pmap)# class ipprec5Router(config-pmap-c)# priority 50Router(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface fa1/0/0Router(config-if)# service-policy input priority50IPv6-Specific Traffic Match
The following example shows the same service policy matching on precedence for IPv6 traffic only. Notice that the match protocol command with the ipv6 keyword precedes the match precedence command. The match protocol command is required to perform matches on IPv6 traffic alone.
Router(config)# class-map ipprec5Router(config-cmap)# match protocol ipv6Router(config-cmap)# match precedence 5Router(config)# exitRouter(config)# policy-map priority50Router(config-pmap)# class ipprec5Router(config-pmap-c)# priority 50Router(config-pmap-c)# exitRouter(config-pmap)# exitRouter(config)# interface fa1/0/0Router(config-if)# service-policy input priority50Related Commands
match protocol
To configure the match criterion for a class map on the basis of the specified protocol, use the match protocol command in class-map configuration mode. To remove protocol-based match criterion from a class map, use the no form of this command.
match protocol protocol-name
no match protocol protocol-name
Syntax Description
protocol-name
Name of the protocol (for example, bgp) used as a matching criterion. See the "Usage Guidelines" for a list of protocols supported by most routers.
Command Default
No match criterion is configured.
Command Modes
Class-map configuration (config-cmap)
Command History
Usage Guidelines
Supported Platforms Other Than Cisco 7600 Routers and Cisco 10000 Series Routers
For class-based weighted fair queueing (CBWFQ), you define traffic classes based on match criteria protocols, access control lists (ACLs), input interfaces, quality of service (QoS) labels, and Experimental (EXP) field values. Packets satisfying the match criteria for a class constitute the traffic for that class.
The match protocol command specifies the name of a protocol to be used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.
The match protocol ipx command matches packets in the output direction only.
To use the match protocol command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish. After you identify the class, you can use one of the following commands to configure its match criteria:
•
•
•
If you specify more than one command in a class map, only the last command entered applies. The last command overrides the previously entered commands.
To configure NBAR to match protocol types that are supported by NBAR traffic, use the match protocol (NBAR) command.
Cisco 7600 Routers
The match protocol command in QoS class-map configuration configures NBAR and sends all traffic on the port, both ingress and egress, to be processed in the software on the Multilayer Switch Feature Card 2 (MSFC2).
For CBWFQ, you define traffic classes based on match criteria like protocols, ACLs, input interfaces, QoS labels, and Multiprotocol Label Switching (MPLS) EXP field values. Packets satisfying the match criteria for a class constitute the traffic for that class.
The match protocol command specifies the name of a protocol to be used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.
If you want to use the match protocol command, you must first enter the class-map command to specify the name of the class to which you want to establish the match criteria.
If you specify more than one command in a class map, only the last command entered applies. The last command overrides the previously entered commands.
This command can be used to match protocols that are known to the NBAR feature. For a list of protocols supported by NBAR, see the "Classification" part of the Cisco IOS Quality of Service Solutions Configuration Guide.
Cisco 10000 Series Routers
For CBWFQ, you define traffic classes based on match criteria including protocols, ACLs, input interfaces, QoS labels, and EXP field values. Packets satisfying the match criteria for a class constitute the traffic for that class.
The match protocol command specifies the name of a protocol to be used as the match criteria against which packets are checked to determine if they belong to the class specified by the class map.
The match protocol ipx command matches packets in the output direction only.
To use the match protocol command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish.
If you are matching NBAR protocols, use the match protocol (NBAR) command.
Supported Protocols
Table 37 lists the protocols supported by most routers. Some routers support a few additional protocols. For example, the Cisco 7600 router supports the aarp and decnet protocols, while the Cisco 7200 router supports the directconnect and pppoe protocols. For a complete list of supported protocols, see the online help for the match protocol command on the router that you are using.
* This protocol is not supported on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine.Match Protocol Command Restrictions (Catalyst 6500 Series Switches Only)
Policy maps contain traffic classes. Traffic classes contain one or more match commands that can be used to match packets (and organize them into groups) on the basis of a protocol type or application. You can create as many traffic classes as needed.
Cisco IOS Release 12.2(18)ZY includes software intended for use on the Catalyst 6500 series switch that is equipped with a Supervisor 32/PISA engine. For this release and platform, note the following restrictions for using policy maps and match protocol commands:
•
•
Examples
The following example specifies a class map called ftp and configures the protocol as a match criterion:
Router(config)# class-map ftpRouter(config-cmap)# match protocol ftpRelated Commands
maximum routes
To limit the maximum number of routes in a Virtual Private Network (VPN) routing and forwarding (VRF) instance to prevent a provider edge (PE) router from importing too many routes, use the maximum routes command in VRF configuration mode or VRF address family configuration mode. To remove the limit on the maximum number of routes allowed, use the no form of this command.
maximum routes limit {warn-threshold | warning-only}
no maximum routes
Syntax Description
Command Default
No limit is set on the maximum number of routes allowed.
Command Modes
VRF address family configuration (config-vrf-af)
VRF configuration (config-vrf)Command History
Usage Guidelines
All values within the range for the limit argument can be configured for IPv4. For IPv6, however, only values greater than the current number of IPv6 routes present in the routing information base (RIB) for the specified VRF is allowed.
The maximum routes command can be configured in one of two ways:
•
•
To limit the number of routes allowed in the VRF, use the maximum routes limit command with the warn-threshold argument. The warn-threshold argument generates a warning and does not allow the addition of routes to the VRF when the maximum number set by the limit argument is reached. The software generates a warning message every time a route is added to a VRF when the VRF route count is above the warning threshold. The software also generates a route rejection notification when the maximum threshold is reached and every time a route is rejected after the limit is reached.
To set a number of routes at which you receive a notification, but which does not limit the number of routes that can be imported into the VRF, use the maximum routes limit command with the warn-only keyword.
To configure the router to generate SNMP notifications (traps or informs) for these values, use the snmp-server enable traps mpls vpn command in global configuration mode.
Examples
The following example shows how to set a limit threshold of VRF routes to 1000. When the number of routes for the VRF reaches 1000, the router issues a syslog error message, but continues to accept new VRF routes.
Router(config)# ip vrf vrf1Router(config-vrf)# rd 100:1Router(config-vrf)# route-target import 100:1Router(config-vrf)# maximum routes 1000 warning-onlyThe following example shows how to set the maximum number of VRF routes allowed to 1000 and set the warning threshold at 80 percent of the maximum. When the number of routes for the VRF reaches 800, the router issues a warning message. When the number of routes for the VRF reaches 1000, the router issues a syslog error message and rejects any new routes.
Router(config)# ip vrf vrf2Router(config-vrf)# rd 200:1Router(config-vrf)# route-target import 200:1Router(config-vrf)# maximum routes 1000 80The following example for an IPv6 address family defined under the vrf definition command shows how to set the maximum number of VRF routes allowed to 500 and set the warning threshold at 50 percent of the maximum. When the number of routes for the VRF reaches 250, the router issues a warning message. When the number of routes for the VRF reaches 500, the router issues a syslog error message and rejects any new routes.
Router(config)# vrf definitionRouter(config-vrf)# address-family ipv6Router(config-router-vrf)# maximum routes 500 50Related Commands
maximum-paths (IPv6)
To control the maximum number of equal-cost routes that a process for IPv6 Border Gateway Protocol (BGP), a process for IPv6 Intermediate System-to-Intermediate System (IS-IS), a process for IPv6 Routing Information Protocol (RIP), a process for Open Shortest Path First (OSPF) for IPv6, or a process for Enhanced Interior Gateway Routing Protocol (EIGRP) for IPv6 routing can support, use the maximum-paths command in address family configuration or router configuration mode. To restore the default value, use the no form of this command.
maximum-paths number-paths
no maximum-paths
Syntax Description
number-paths
Maximum number of equal-cost paths to a destination learned via IPv6 BGP, IS-IS, RIP, OSPF, or EIGRP installed in the IPv6 routing table, in the range from 1 to 64.
Command Default
The default for BGP is 1 path, the default for IS-IS and RIP is 4 paths, and the default for OSPF for IPv6 is 16 paths.
Command Modes
Address family configuration
Router configurationCommand History
Usage Guidelines
To configure the maximum-paths command for IPv6 BGP and IS-IS, enter address family configuration mode.
Examples
The following example shows a maximum of three paths to an external destination for the IPv6 BGP autonomous system 65000, and a maximum of two paths to an IPv6 internal BGP destination being configured:
Router(config)# router bgp 65000Router(config-router)# address-family ipv6Router(config-router-af)# maximum-paths 3Router(config-router-af)# maximum-paths ibgp 2The following example shows a maximum of two paths to a destination for the IPv6 IS-IS routing process named area01 being configured:
Router(config)# router isis area01Router(config-router)# address-family ipv6Router(config-router-af)# maximum-paths 2The following example shows a maximum of one path to a destination for the IPv6 RIP routing process named one being configured:
Router(config)# ipv6 router rip oneRouter(config-router-rip)# maximum-paths 1The following example shows a maximum of four paths to a destination for an IPv6 OSPF routing process:
Router(config) ipv6 router ospf 1Router(config-router)# maximum-paths 4The following example shows a maximum of two paths to a destination for an EIGRP for IPv6 routing process:
Router(config) ipv6 router eigrp 1Router(config-router)# maximum-paths 2Related Commands
maximum-paths ibgp
To control the maximum number of parallel internal Border Gateway Protocol (iBGP) routes that can be installed in a routing table, use the maximum-paths ibgp command in router configuration mode. To restore the default value, use the no form of this command.
Router Configuration Mode
maximum-paths ibgp number-of-paths
no maximum-paths ibgp number-of-paths
Under VRF in Address Family Configuration Mode
maximum-paths ibgp {number-of-paths [import number-of-import-paths] | unequal-cost number-of-import-paths}
no maximum-paths ibgp {number-of-paths [import number-of-import-paths] | unequal-cost number-of-import-paths}
Syntax Description
Command Default
BGP, by default, will install only one best path in the routing table.
Command Modes
Address-family configuration
Router configurationCommand History
Usage Guidelines
The maximum-paths ibgp command is used to configure equal-cost or unequal-cost multipath load sharing for iBGP peering sessions. In order for a route to be installed as a multipath in the BGP routing table, the route cannot have a next hop that is the same as another route that is already installed. The BGP routing process will still advertise a best path to iBGP peers when iBGP multipath load sharing is configured. For equal-cost routes, the path from the neighbor with the lowest router ID is advertised as the best path.
To configure equal-cost multipath load sharing, all path attributes must be the same. The path attributes include weight, local preference, autonomous system path (entire attribute and not just the length), origin code, Multi Exit Discriminator (MED), and Interior Gateway Protocol (IGP) distance.
The number of paths that can be configured is determined by the version of Cisco IOS software. The following list shows current limits:
•
•
•
Note
Configuring VRF Import Paths
A VRF will import only one path (the best path) per prefix from the source VRF table, unless the prefix is exported with a different route-target. If the best path goes down, the destination will not be reachable until the next import event occurs, and then a new best path will be imported into the VRF table. The import event runs every 15 seconds by default.
The import keyword allows the network operator to configure the VRF table to accept multiple redundant paths in addition to the best path. This feature should be used when there are multiple paths with identical next hops available to ensure optimal convergence times. A typical application of this configuration option is to configure redundant paths in a network that has multiple route reflectors for redundancy.
Note
Examples
The following example configuration installs 3 parallel iBGP paths in a non-Multiprotocol Label Switching (MPLS) topology:
Router(config)# router bgp 100Router(config-router)# maximum-paths ibgp 3The following example configuration installs 3 parallel iBGP paths in an MPLS Virtual Private Network (VPN) topology:
Router(config)# router bgp 100Router(config-router)# address-family ipv4 unicast vrf REDRouter(config-route-af)# maximum-paths ibgp 3The following example configuration installs 2 parallel routes in the VRF table:
Router(config)# router bgp 100Router(config-router)# address-family ipv4 vrf BLUERouter(config-router-af)# maximum-paths ibgp 2 import 2Router(config-router-af)# endThe following example configuration installs 2 parallel routes in the VRF table:
Router(config)# router bgp 100Router(config-router)# address-family ipv4 vrf GREENRouter(config-router-af)# maximum-paths ibgp import 2Router(config-router-af)# endRelated Commands
maximum-paths
Controls the maximum number of parallel routes an IP routing protocol can support.
maximum sessions (DSP farm profile)
To specify the maximum number of sessions that are supported by the profile, use the maximum sessions command in DSP farm profile configuration mode. To reset to the default, use the no form of this command.
Command Syntax When Conferencing or Transcoding Is Configured
maximum sessions number
no maximum sessions
Command Syntax When MTP Is Configured
maximum sessions {hardware | software} number
no maximum sessions
Syntax Description
Command Default
The maximum number of supported sessions is 0.
Command Modes
DSP farm profile configuration
Command History
Usage Guidelines
When using the MTP service type, you must specify the number of sessions separately for software MTP and hardware MTP. The hardware MTP needs digital signal processor (DSP) resources. Use hardware MTP when the codecs are the same and the packetization period is different.
Active profiles must be shut down before any parameters can be changed.
Note
Examples
The following example shows that four sessions are supported by the DSP farm profile:
Router(config-dspfarm-profile)# maximum sessionsRelated Commands
metric weights (EIGRP)
To tune Enhanced Interior Gateway Routing Protocol (EIGRP) metric calculations, use the metric weights command in router configuration mode or address family configuration mode. To reset the values to their defaults, use the no form of this command.
metric weights tos k1 k2 k3 k4 k5
no metric weights
Syntax Description
Command Default
EIGRP metric K values are set to their default values.
Command Modes
Router configuration (config-router)
Address family configuration (config-router-af)Command History
Usage Guidelines
Use this command to alter the default behavior of EIGRP routing and metric computation and allow the tuning of the EIGRP metric calculation for a particular type of service (ToS).
If k5 equals 0, the composite EIGRP metric is computed according to the following formula:
metric = [k1 * bandwidth + (k2 * bandwidth)/(256 - load) + k3 * delay]
If k5 does not equal zero, an additional operation is performed:
metric = metric * [k5/(reliability + k4)]
Bandwidth is inverse minimum bandwidth of the path in bps scaled by a factor of 2.56 * 1012. The range is from a 1200-bps line to 10 terabits per second.
Delay is in units of 10 microseconds. The range of delay is from 10 microseconds to 168 seconds. A delay of all ones indicates that the network is unreachable.
The delay parameter is stored in a 32-bit field, in increments of 39.1 nanoseconds. The range of delay is from 1 (39.1 nanoseconds) to hexadecimal FFFFFFFF (decimal 4,294,967,040 nanoseconds). A delay of all ones (that is, a delay of hexadecimal FFFFFFFF) indicates that the network is unreachable.
Table 38 lists the default values used for several common media.
Reliability is given as a fraction of 255. That is, 255 is 100 percent reliability or a perfectly stable link.
Load is given as a fraction of 255. A load of 255 indicates a completely saturated link.
Examples
The following example sets the metric weights to slightly different values than the defaults:
Router(config)# router eigrp 109Router(config-router)# network 192.168.0.0Router(config-router)# metric weights 0 2 0 2 0 0The following example configures an address-family metric weight to tos: 0; K1: 2; K2: 0; K3: 2; K4: 0; K5: 0.
Router(config)# router eigrp virtual-nameRouter(config-router)# address-family ipv4 autonomous-system 4533Router(config-router-af)# metric weights 0 2 0 2 0 0Related Commands
mls cef maximum-routes
To limit the maximum number of the routes that can be programmed in the hardware allowed per protocol, use the mls cef maximum-routes command in global configuration mode. To return to the default settings, use the no form of this command.
mls cef maximum-routes {ip | ip-multicast | ipv6 | mpls} maximum-routes
no mls cef maximum-routes {ip | ip-multicast | ipv6 | mpls}
Syntax Description
Command Default
The defaults are as follows:
•
–
–
•
–
–
Note
Command Modes
Global configuration
Command History
Usage Guidelines
Note
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
The mls cef maximum-routes command limits the maximum number of the routes that can be programmed in the hardware. If routes are detected that exceed the limit for that protocol, an exception condition is generated.
The determination of XL and non-XL mode is based on the type of Policy Feature Card (PFC) or Distributed Forwarding Card (DFC) modules that are installed in your system. For additional information on systems running Cisco IOS software release 12.2SXF and earlier releases see:
For additional information on systems running Cisco IOS software release 12.2SXH and later releases see:
http://www.cisco.com/en/US/docs/switches/lan/catalyst6500/ios/12.2SX/release/notes/ol_14271.html#Policy_Feature_Card_Guidelines_and_Restrictions
The valid values for the maximum-routes argument depend on the system mode—XL mode or non-XL mode. The valid values are as follows:
•
–
–
•
–
–
Note
An example of how to enter the maximum routes argument is as follows:
mls cef maximum-routes ip 4where 4 is 4096 IP routes (1024 x4 = 4096).
The new configurations are applied after a system reload only and do not take effect if a switchover occurs.
In RPR mode, if you change and save the maximum-routes configuration, the redundant supervisor engine reloads when it becomes active from either a switchover or a system reload. The reload occurs 5 minutes after the supervisor engine becomes active.
Use the show mls cef maximum-routes command to display the current maximum routes system configuration.
Examples
This example shows how to set the maximum number of routes that are allowed per protocol:
Router(config)# mls cef maximum-routes ip 100This example shows how to return to the default setting for a specific protocol:
Router(config)# no mls cef maximum-routes ipRelated Commands
show mls cef maximum-routes
Displays the current maximum-route system configuration.
mls erm priority
To assign the priorities to define an order in which protocols attempt to recover from the exception status, use the mls erm priority command in global configuration mode. To return to the default settings, use the no form of this command.
mls erm priority ipv4 value ipv6 value mpls value
no mls erm priority ipv4 value ipv6 value mpls value
Syntax Description
Command Default
The default priority settings are used.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
A lower value indicates a higher priority.
When a protocol sees a Forwarding Information Base (FIB) table exception, the protocol notifies the FIB Embedded Resource Manager (ERM). The FIB ERM periodically polls the FIB table exception status and decides which protocol gets priority over another protocol when multiple protocols are running under the exception. Only one protocol can attempt to recover from an exception at any time.
If there is sufficient FIB space, the protocol with the highest priority tries to recover first. Other protocols under the exception do not start to recover until the previous protocol completes the recovery process by reloading the appropriate FIB table.
Examples
This example shows how to set the ERM exception-recovery priority:
Router(config)# mls erm priority ipv4 2 ipv6 1 mpls 3This example shows how to return to the default setting:
Router(config)# no mls erm priority ipv4 2 ipv6 1 mpls 3Related Commands
show mls cef exception
Displays information about the Cisco Express Forwarding exception.
mls ipv6 acl compress address unicast
To enable the compression of compressible IPv6 addresses, use the mls ipv6 acl compress address unicast command in global configuration mode. To disable the compression of compressible IPv6 addresses, use the no form of this command.
mls ipv6 acl compress address unicast
no mls ipv6 acl compress address unicast
Syntax Description
This command has no arguments or keywords.
Command Default
This command is disabled.
Command Modes
Global configuration
Command History
12.2(17a)SX
This command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
Note
Examples
This example shows how to turn on the compression of compressible IPv6 addresses:
Router(config)# mls ipv6 acl compress address unicastThis example shows how to turn off the compression of compressible IPv6 addresses:
Router(config)# no mls ipv6 acl compress address unicastRelated Commands
show fm ipv6 traffic-filter
Displays the IPv6 information.
show mls netflow ipv6
Displays configuration information about the NetFlow hardware.
mls ipv6 acl source
To deny all IPv6 packets from a source-specific address, use the mls ipv6 acl source command in global configuration mode. To accept all IPv6 packets from a source-specific address, use the no form of this command.
mls ipv6 acl source {loopback | multicast}
no mls ipv6 acl source {loopback | multicast}
Syntax Description
loopback
Denies all IPv6 packets with a source loopback address.
multicast
Denies all IPv6 packets with a source multicast address.
Command Default
This command is disabled.
Command Modes
Global configuration
Command History
12.2(17b)SXA
This command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
Examples
This example shows how to deny all IPv6 packets with a source loopback address:
Router(config)# mls ipv6 acl source loopbackThis example shows how to deny all IPv6 packets with a source multicast address:
Router(config)# no mls ipv6 acl source multicastRelated Commands
show mls netflow ipv6
Displays configuration information about the NetFlow hardware.
mls ipv6 vrf
To enable IPv6 globally in a virtual routing and forwarding (VRF) instance, use the mls ipv6 vrf command in global configuration mode. To remove this functionality, use the no form of the command.
mls ipv6 vrf
no mls ipv6 vrf
Syntax Description
This command has no arguments or keywords.
Command Default
VRFs are supported only for IPv4 addresses.
Command Modes
Global configuration
Command History
Usage Guidelines
You must enable the mls ipv6 vrf command in global configuration mode in order to enable IPv6 in a VRF. If this command is not used, a VRF is supported only for the IPv4 address family.
Configuring the mls ipv6 vrf command makes the router reserve the lower 255 hardware IDs for IPv6 regardless of whether IPv6 is enabled. Other applications that make use of these hardware IDs then cannot use that space.
To remove the mls ipv6 vrf command from the running configuration, the user needs to remove all IPv6 VRFs from the router and reload the system.
Examples
The following example shows how to enable IPv6 in a VRF globally:
Router(config)# mls ipv6 vrf
Related Commands
mls rate-limit multicast ipv6
To configure the IPv6 multicast rate limiters, use the mls rate-limit multicast ipv6 command in global configuration mode. To disable the rate limiters, use the no form of this command.
mls rate-limit multicast ipv6 {connected pps [packets-in-burst] | rate-limiter-name {share {auto | target-rate-limiter}}
no mls rate-limit multicast ipv6 {connected | rate-limiter-name}
Syntax Description
Command Default
If the burst is not set, a default of 100 is programmed for multicast cases.
Command Modes
Global configuration
Command History
12.2(18)SXD
This command was introduced on the Supervisor Engine 720.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
This command is not supported on Cisco 7600 series routers that are configured with a Supervisor Engine 2.
The rate-limiter-name argument must be a rate limiter that is not currently programmed.
The target-rate-limiter argument must be a rate limiter that is programmed in the hardware and must be the first rate limiter programmed for its group.
Table 40 lists the IPv6 rate limiters and the class of traffic that each rate limiter serves.
You can configure rate limiters for IPv6 multicast traffic using one of the following methods:
•
Router(config)# mls rate-limit multicast ipv6 default-drop 1000 20•
Router(config)# mls rate-limit multicast ipv6 route-cntl share default-dropIf the target rate limiter is not configured, a message displays that the target rate limiter must be configured for it to be shared with other rate limiters.
•
Router(config)# mls rate-limit multicast ipv6 route-cntl share autoExamples
This example shows how to set the rate limiters for the IPv6 multicast packets from a directly connected source:
Router(config)# mls rate-limit multicast ipv6 connected 1500 20Router(config)#This example shows how to configure a direct association of the rate limiters for a traffic class:
Router(config)# mls rate-limit multicast ipv6 default-drop 1000 20Router(config)#This example shows how to configure the static sharing of a rate limiter with another preconfigured rate limiter:
Router(config)# mls rate-limit multicast ipv6 route-cntl share default-dropRouter(config)#This example shows how to enable dynamic sharing for the route-cntrl rate limiter:
Router(config)# mls rate-limit multicast ipv6 route-cntl share autoRouter(config)#Related Commands
monitor event ipv6 static
To monitor the operation of the IPv6 static and IPv6 static Bidirectional Forwarding Detection for IPv6 (BFDv6) neighbors using event trace, use the monitor event ipv6 static command in privileged EXEC mode. To disable monitoring, use the no form of the command.
monitor event ipv6 static
no monitor event ipv6 static
Syntax Description
This command has no arguments or keywords.
Command Default
IPv6 static and IPv6 static BFD neighbors are not monitored.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
Use the monitor event ipv6 static command to monitor the operation of IPv6 static and IPv6 static BFDv6 neighbors and collect data.
Examples
The following example enables event trace to monitor BFDv6 operation:
Router# monitor event ipv6 staticRelated Commands
debug ipv6 static
Enables BFDv6 debugging.
show ipv6 static
Displays the current contents of the IPv6 routing table.
monitor event-trace cef ipv6 (global)
To configure event tracing for Cisco Express Forwarding IPv6 events, use the monitor event-trace cef ipv6 command in global configuration mode. To disable event tracing for Cisco Express Forwarding, use the no form of this command.
monitor event-trace cef ipv6 {disable | distribution | dump-file dump-file-name | enable | match {global | ipv6-address/n} | size number | stacktrace [depth] | vrf vrf-name [distribution | match {global | ipv6-address/n}]}
no monitor event-trace cef ipv6 {disable | distribution | dump-file dump-file-name | enable | match | size | stacktrace [depth] | vrf}
Syntax Description
Command Default
Event tracing for Cisco Express Forwarding IPv6 events is enabled by default.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the monitor event-trace cef ipv6 command to enable or disable event tracing for Cisco Express Forwarding IPv6 events.
The Cisco IOS software allows Cisco Express Forwarding to define whether support for event tracing is enabled or disabled by default. The command interface for event tracing allows you to change the default value in one of two ways: using the monitor event-trace cef ipv6 command in privileged EXEC mode or using the monitor event-trace cef ipv6 command in global configuration mode.
Note
To determine whether event tracing is enabled by default for Cisco Express Forwarding IPv6 events, use the show monitor event-trace cef ipv6 command to display trace messages.
To specify the trace call stack at tracepoints, you must first clear the trace buffer.
Examples
The following example shows how to enable event tracing for Cisco Express Forwarding IPv6 events and configure the buffer size to 10000 messages.
Router(config)# monitor event-trace cef ipv6 enableRouter(config)# monitor event-trace cef ipv6 size 10000Related Commands
mpls ipv6 source-interface
Note
Effective with Cisco IOS Release 12.4(15)T, the mpls ipv6 source-interface command is not available in Cisco IOS 12.4T releases.To specify an IPv6 address of an interface to be used as the source address for locally generated IPv6 packets to be sent over a Multiprotocol Label Switching (MPLS) network, use the mpls ipv6 source-interface command in global configuration mode. To disable this feature, use the no form of this command.
mpls ipv6 source-interface
