-
Cisco IOS IPv6 Command Reference
-
Introduction
-
aaa accounting multicast default through clear ipv6 mobile home-agents
-
clear ipv6 mobile traffic through debug bgp vpnv6 unicast
-
debug crypto ipv6 ipsec through debug ipv6 pim
-
debug ipv6 pim df-election through ip http server
-
ip name-server through ipv6 general-prefix
-
ipv6 hello-interval eigrp through ipv6 mld static-group
-
ipv6 mobile home-agent (global configuration) through ipv6 ospf database-filter all out
-
ipv6 ospf dead-interval through ipv6 split-horizon eigrp
-
ipv6 summary-address eigrp through mpls ldp router-id
-
mpls traffic-eng auto-bw timers through route-map
-
router-id (IPv6) through show bgp ipv6 labels
-
show bgp ipv6 neighbors through show crypto isakmp peers
-
show crypto isakmp policy through show ipv6 eigrp neighbors
-
show ipv6 eigrp topology through show ipv6 nat statistics
-
show ipv6 nat translations through show ipv6 protocols
-
show ipv6 rip through snmp-server host
-
snmp-server user through vrf forwarding
-
Table Of Contents
ipv6 traffic interface-statistics
ipv6 verify unicast reverse-path
ipv6 verify unicast source reachable-via
ipv6 virtual-reassembly drop-fragments
log-neighbor-changes (IPv6 EIGRP)
mls ipv6 acl compress address unicast
ipv6 summary-address eigrp
To configure a summary aggregate address for a specified interface, use the ipv6 summary-address eigrp command in interface configuration mode. To disable a configuration, use the no form of this command.
ipv6 summary-address eigrp as-number ipv6-address [admin-distance]
no ipv6 summary-address eigrp as-number ipv6-address [admin-distance]
Syntax Description
as-number
Autonomous system number.
ipv6-address
Summary IPv6 address to apply to an interface.
admin-distance
(Optional) Administrative distance. A value from 0 through 255. The default value is 90.
Command Default
An administrative distance of 5 is applied to Enhanced Interior Gateway Routing Protocol (EIGRP) for IPv6 summary routes.
EIGRP for IPv6 automatically summarizes to the network level, even for a single host route.
No summary addresses are predefined.Command Modes
Interface configuration
Command History
12.4(6)T
This command was introduced.
12.2(33)SRB
This command was integrated into Cisco IOS Release 12.2(33)SRB.
Usage Guidelines
The ipv6 summary-address eigrp command is used to configure interface-level address summarization. EIGRP for IPv6 summary routes are given an administrative distance value of 5. The administrative distance metric is used to advertise a summary address without installing it in the routing table.
Examples
The following example provides a summary aggregate address for EIGRP for IPv6 for AS 1:
ipv6 summary-address eigrp 1 2001:0DB8:0:1::/64ipv6 traffic-filter
To filter incoming or outgoing IPv6 traffic on an interface, use the ipv6 traffic-filter command in interface configuration mode. To disable the filtering of IPv6 traffic on an interface, use the no form of this command.
ipv6 traffic-filter access-list-name {in | out}
no ipv6 traffic-filter access-list-name
Syntax Description
access-list-name
Specifies an IPv6 access name.
in
Specifies incoming IPv6 traffic.
out
Specifies outgoing IPv6 traffic.
Command Default
Filtering of IPv6 traffic on an interface is not configured.
Command Modes
Interface configuration
Command History
Examples
The following example filters inbound IPv6 traffic on Ethernet interface 0/0 as defined by the access list named cisco:
Router(config)# interface ethernet 0/0Router(config-if)# ipv6 traffic-filter cisco inRelated Commands
ipv6 traffic interface-statistics
To collect IPv6 forwarding statistics for all interfaces, use the ipv6 traffic interface-statistics command in global configuration mode. To ensure that IPv6 forwarding statistics are not collected for any interface, use the no form of this command.
ipv6 traffic interface-statistics [unclearable]
no ipv6 traffic interface-statistics [unclearable]
Syntax Description
unclearable
(Optional) IPv6 forwarding statistics are kept for all interfaces, but it is not possible to clear the statistics on any interface.
Command Default
IPv6 forwarding statistics are collected for all interfaces.
Command Modes
Global configuration
Command History
Usage Guidelines
Using the optional unclearable keyword halves the per-interface statistics storage requirements.
Examples
The following example does not allow statistics to be cleared on any interface:
ipv6 traffic interface-statistics unclearableipv6 unicast-routing
To enable the forwarding of IPv6 unicast datagrams, use the ipv6 unicast-routing command in global configuration mode. To disable the forwarding of IPv6 unicast datagrams, use the no form of this command.
ipv6 unicast-routing
no ipv6 unicast-routing
Syntax Description
This command has no arguments or keywords.
Command Default
IPv6 unicast routing is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Configuring the no ipv6 unicast-routing command removes all IPv6 routing protocol entries from the IPv6 routing table.
Examples
The following example enables the forwarding of IPv6 unicast datagrams:
Router(config)# ipv6 unicast-routingRelated Commands
ipv6 unnumbered
To enable IPv6 processing on an interface without assigning an explicit IPv6 address to the interface, use the ipv6 unnumbered command in interface configuration mode. To disable IPv6 on an unnumbered interface, use the no form of this command.
ipv6 unnumbered interface-type interface-number
no ipv6 unnumbered
Syntax Description
Command Default
This command is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
The ipv6 unnumbered command is similar to the ip unnumbered command, except that it is IPv6-specific.
IPv6 packets that are originated from an unnumbered interface use the global IPv6 address of the interface specified in the ipv6 unnumbered command as the source address for the packets.
Note
Serial interfaces using High-Level Data Link Control (HDLC), PPP, Link Access Procedure, Balanced (LAPB), Frame Relay encapsulations, and tunnel interfaces can be unnumbered. You cannot use this interface configuration command with X.25 or Switched Multimegabit Data Service (SMDS) interfaces.
The interface you specify with the interface-type and interface-number arguments must be enabled (listed as "up" in the show ipv6 interface command display).
Examples
The following example configures serial interface 0/1as unnumbered. IPv6 packets that are sent on serial interface 0/1 use the IPv6 address of Ethernet 0/0 as their source address:
Router(config)# interface ethernet 0/0Router(config-if)# ipv6 address 3FFE:C00:0:1:260:3EFF:FE11:6770Router(config)# interface serial 0/1Router(config-if)# ipv6 unnumbered ethernet 0/0Related Commands
show ipv6 interface
Displays the usability status of interfaces configured for IPv6.
ipv6 unreachables
To enable the generation of Internet Control Message Protocol for IPv6 (ICMPv6) unreachable messages for any packets arriving on a specified interface, use the ipv6 unreachables command in interface configuration mode. To prevent the generation of unreachable messages, use the no form of this command.
ipv6 unreachables
no ipv6 unreachables
Syntax Description
This command has no arguments or keywords.
Command Default
ICMPv6 unreachable messages can be generated for any packets arriving on that interface.
Command Modes
Interface configuration
Command History
Usage Guidelines
If the Cisco IOS software receives a nonbroadcast packet destined for itself that uses a protocol it does not recognize, it sends an ICMPv6 unreachable message to the source.
If the software receives a datagram that it cannot deliver to its ultimate destination because it knows of no route to the destination address, it replies to the originator of that datagram with an ICMP host unreachable message.
Examples
The following example enables the generation of ICMPv6 unreachable messages, as appropriate, on an interface:
interface ethernet 0ipv6 unreachablesipv6 verify unicast reverse-path
To enable Unicast Reverse Path Forwarding (Unicast RPF) for IPv6, use the ipv6 verify unicast reverse-path command in interface configuration mode. To disable Unicast RPF, use the no form of this command.
ipv6 verify unicast reverse-path [access-list name]
no ipv6 verify unicast reverse-path [access-list name]
Syntax Description
access-list name
(Optional) Specifies the name of the access list.
Note
Command Default
Unicast RPF is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
The ipv6 verify unicast reverse-path command is used to enable Unicast RPF for IPv6 in strict checking mode. The Unicast RPF for IPv6 feature requires that Cisco Express Forwarding for IPv6 (CEFv6) is enabled on the router.
Note
Use the ipv6 verify unicast reverse-path command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through a router. Malformed or forged source addresses can indicate denial-of-service (DoS) attacks based on source IP address spoofing.
When Unicast RPF is enabled on an interface, the router examines all packets received on that interface. The router checks to make sure that the source IPv6 address appears in the routing table and that it is reachable by a path through the interface on which the packet was received. Unicast RPF is an input feature and is applied only on the input interface of a router at the upstream end of a connection.
The Unicast RPF feature performs a reverse lookup in the CEF table to check if any packet received at a router interface has arrived on a path identified as a best return path to the source of the packet. If a reverse path for the packet is not found, Unicast RPF can drop or forward the packet, depending on whether an ACL is specified in the Unicast RPF command. If an ACL is specified in the command, then when (and only when) a packet fails the Unicast RPF check, the ACL is checked to determine whether the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for Unicast RPF drops and in the interface statistics for Unicast RPF.
If no ACL is specified in the Unicast RPF command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated.
Unicast RPF events can be logged by specifying the logging option for the ACL entries used by the Unicast RPF command. Log information can be used to gather information about the attack, such as source address, time, and so on.
Note
When you configure a SPA on the Cisco 12000 series Internet router, the interface address is in the format slot/subslot/port.
The optional access-list keyword for the ipv6 verify unicast reverse-path command is not supported on the Cisco 12000 series Internet router. For information about how Unicast RPF can be used with ACLs on other platforms to mitigate the transmission of invalid IPv4 addresses (perform egress filtering) and to prevent (deny) the reception of invalid IPv4 addresses (perform ingress filtering), refer to the "Configuring Unicast Reverse Path Forwarding" chapter in the "Other Security Features" section of the Cisco IOS Security Configuration Guide, Release 12.4.
Note
Do not use Unicast RPF on core-facing interfaces that are internal to the network. Internal interfaces are likely to have routing asymmetry, meaning that there are multiple routes to the source of a packet. Apply Unicast RPF only where there is natural or configured symmetry.
For example, routers at the edge of the network of an Internet service provider (ISP) are more likely to have symmetrical reverse paths than routers that are in the core of the ISP network. Routers that are in the core of the ISP network have no guarantee that the best forwarding path out of the router will be the path selected for packets returning to the router. Hence, it is not recommended that you apply Unicast RPF where there is a chance of asymmetric routing. It is simplest to place Unicast RPF only at the edge of a network or, for an ISP, at the customer edge of the network.
Examples
Unicast Reverse Path Forwarding on a Serial Interface
The following example shows how to enable the Unicast RPF feature on a serial interface:
interface serial 5/0/0ipv6 verify unicast reverse-pathUnicast Reverse Path Forwarding on a Cisco 12000 Series Internet Router
The following example shows how to enable Unicast RPF for IPv6 with strict checking on a 10G SIP Gigabit Ethernet interface 2/1/2:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# interface gigabitEthernet 2/1/2Router(config-if)# ipv6 verify unicast reverse-pathRouter(config-if)# exitUnicast Reverse Path Forwarding on a Single-Homed ISP
The following example uses a very simple single-homed ISP to demonstrate the concepts of ingress and egress filters used in conjunction with Unicast RPF. The example illustrates an ISP-allocated classless interdomain routing (CIDR) block 209.165.202.128/28 that has both inbound and outbound filters on the upstream interface. Be aware that ISPs are usually not single-homed. Hence, provisions for asymmetrical flows (when outbound traffic goes out one link and returns via a different link) need to be designed into the filters on the border routers of the ISP.
interface Serial 5/0/0description Connection to Upstream ISPipv6 address FE80::260:3EFF:FE11:6770/64no ipv6 redirectsipv6 verify unicast reverse-path abc!ipv6 access-list abcpermit ipv6 host 2::1 anydeny ipv6 FEC0::/10 anyipv6 access-group abc inipv6 access-group jkl out!access-list abc permit ip FE80::260:3EFF:FE11:6770/64 2001:0DB8:0000:0001::0001anyaccess-list abc deny ipv6 any any logaccess-list jkl deny ipv6 host 2001:0DB8:0000:0001::0001 any logaccess-list jkl deny ipv6 2001:0DB8:0000:0001:FFFF:1234::5.255.255.255 any logaccess-list jkl deny ipv6 2002:0EF8:002001:0DB8:0000:0001:FFFF:1234::5172.16.0.00.15.255.255 any logaccess-list jkl deny ipv6 2001:0CB8:0000:0001:FFFF:1234::5 0.0.255.255 any logaccess-list jkl deny ipv6 2003:0DB8:0000:0001:FFFF:1234::5 0.0.0.31 any logaccess-list jkl permit ipv6ACL Logging with Unicast RPF
The following example demonstrates the use of ACLs and logging with Unicast RPF. In this example, extended ACL abc provides entries that deny or permit network traffic for specific address ranges. Unicast RPF is configured on interface Ethernet 0/0 to check packets arriving at that interface.
For example, packets with a source address of 8765:4321::1 arriving at interface Ethernet 0 are dropped because of the deny statement in ACL "abc." In this case, the ACL information is logged (the logging option is turned on for the ACL entry) and dropped packets are counted per-interface and globally. Packets with a source address of 1234:5678::1 arriving at interface Ethernet 0/0 are forwarded because of the permit statement in ACL abc. ACL information about dropped or suppressed packets is logged (the logging option is turned on for the ACL entry) to the log server.
interface ethernet 0/0ipv6 address FE80::260:3EFF:FE11:6770/64 link-localipv6 verify unicast reverse-path abc!ipv6 access-list abcpermit ipv6 1234:5678::/64 any log-inputdeny ipv6 8765:4321::/64 any log-inputRelated Commands
ipv6 verify unicast source reachable-via
To verify that a source address exists in the FIB table and enable Unicast Reverse Path Forwarding (Unicast RPF), use the ipv6 verify unicast source reachable-via command in interface configuration mode. To disable URPF, use the no form of this command.
ipv6 verify unicast source reachable-via {rx | any} [allow-default] [allow-self-ping] [access-list-name]
no ipv6 verify unicast
Syntax Description
Command Default
Unicast RPF is disabled.
Command Modes
Interface configuration
Command History
12.2(25)S
This command was introduced.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
Usage Guidelines
The ipv6 verify unicast reverse-path command is used to enable Unicast RPF for IPv6 in loose checking mode.
Use the ipv6 verify unicast source reachable-via command to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through an IPv6 router. Malformed or forged source addresses can indicate denial-of-service (DoS) attacks based on source IPv6 address spoofing.
The URPF feature checks to see if any packet received at a router interface arrives on one of the best return paths to the source of the packet. The feature does this by doing a reverse lookup in the CEF table. If URPF does not find a reverse path for the packet, U RPF can drop or forward the packet, depending on whether an access control list (ACL) is specified in the ipv6 verify unicast source reachable-via command. If an ACL is specified in the command, then when (and only when) a packet fails the URPF check, the ACL is checked to see if the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for U RPF drops and in the interface statistics for Unicast RPF.
If no ACL is specified in the ipv6 verify unicast source reachable-via command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated.
U RPF events can be logged by specifying the logging option for the ACL entries used by the ipv6 verify unicast source reachable-via command. Log information can be used to gather information about the attack, such as source address, time, and so on.
Examples
The following example enables Unicast RPF on any interface:
ipv6 verify unicast source reachable-via anyRelated Commands
ipv6 virtual-reassembly
To enable Virtual Fragment Reassembly (VFR) on an interface, use the ipv6 virtual-reassembly command in global configuration mode. To disable VFR, use the no form of this command.
ipv6 virtual-reassembly [max-reassemblies maxreassemblies] [max-fragments max-fragments] [timeout seconds]
noipv6 virtual-reassembly [max-reassemblies maxreassemblies] [max-fragments max-fragments] [timeout seconds]
Syntax Description
Command Default
Reassemblies = 256
Fragments = 8Command Modes
Global configuration
Command History
Usage Guidelines
Maximum Number of Reassemblies
Whenever the maximum number of 256 reassemblies (fragment sets) is crossed, all the fragments in the forthcoming fragment set will be dropped and an alert message VFR-4-FRAG_TABLE_OVERFLOW will be logged to the syslog server.
Maximum Number of Fragments per Fragment Set
If a datagram being reassembled receives more than eight fragments, tall fragments will be dropped and an alert message VFR-4-TOO_MANY_FRAGMENTS will be logged to the syslog server.
Examples
The following example sets the maximum number of reassemblies to 32, maximum fragments to 4, and the timeout to 7 seconds:
ip virtual-reassembly max-reassemblies 32 max-fragments 4 timeout 7ipv6 virtual-reassembly drop-fragments
To drop all fragments on an interface, use the ipv6 virtual-reassembly drop-fragments command in global configuration mode. Use the no form of this command to remove the packet-dropping behavior.
ipv6 virtual-reassembly drop-fragments
no ipv6 virtual-reassembly drop-fragments
Syntax Description
This command has no arguments or keywords.
Command Default
Fragments on an interface are not dropped.
Command Modes
Global configuration
Command History
Examples
The following example causes all fragments on an interface to be dropped:
ipv6 virtual-reassembly drop-fragmentsisis ipv6 metric
To configure the value of an Intermediate System-to-Intermediate System (IS-IS) IPv6 metric, use the isis ipv6 metric command in interface configuration mode. To return the metric to its default value, use the no form of this command.
isis ipv6 metric {metric-value | maximum} [level-1 | level-2]
no isis ipv6 metric {metric-value | maximum} [level-1 | level-2]
Syntax Description
Command Default
The default metric value is set to 10.
Command Modes
Interface configuration
Command History
Usage Guidelines
The isis ipv6 metric command is used only in multitopology IS-IS.
Changing the metric allows differentiation between IPv4 and IPv6 traffic, forcing traffic onto different interfaces. This function allows you to use the lower-cost rather than the high-cost interface.
For using extended metrics, such as with the IS-IS multitopology for IPv6 feature, Cisco IOS software provides support of a 24-bit metric field, the so-called "wide metric." Using the new metric style, link metrics now have a maximum value of 16777214 with a total path metric of 4261412864.
Cisco IOS Release 12.4(13) and 12.4(13)T
Entering the maximum keyword will exclude the link from the SPF calculation. If a link is advertised with the maximum link metric, the link will not be considered during the normal SPF computation. When the link excluded from the SPF, it will not be advertised for calculating the normal SPF. An example would be a link that is available for traffic engineering, but not for hop-by-hop routing. If a link, such as one that is used for traffic engineering, should not be included in the SPF calculation, enter the isis ipv6 metric command with the maximum keyword.
Note
Examples
The following example sets the value of an IS-IS IPv6 metric to 20:
Router(config)# interface Ethernet 0/0/1Router(config-if)# isis ipv6 metric 20The following example sets the IS-IS IPv6 metric for the link to maximum. SPF will ignore the link for both Level 1 and Level 2 routing because neither the level-1 keyword nor the level-2 keyword was entered.
Router(config)# interface fastethernet 0/0Router(config-if)# isis ipv6 metric maximumRelated Commands
metric-style wide
Configures a router running IS-IS so that it generates and accepts only new-style TLVs.
key
To identify an authentication key on a key chain, use the key command in key-chain configuration mode. To remove the key from the key chain, use the no form of this command.
key key-id
no key key-id
Syntax Description
key-id
Identification number of an authentication key on a key chain. The range of keys is from 0 to 2147483647. The key identification numbers need not be consecutive.
Command Default
No key exists on the key chain.
Command Modes
Key-chain configuration
Command History
Usage Guidelines
Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains.
It is useful to have multiple keys on a key chain so that the software can sequence through the keys as they become invalid after time, based on the accept-lifetime and send-lifetime key chain key command settings.
Each key has its own key identifier, which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and Message Digest 5 (MD5) authentication key in use. Only one authentication packet is sent, regardless of the number of valid keys. The software starts looking at the lowest key identifier number and uses the first valid key.
If the last key expires, authentication will continue and an error message will be generated. To disable authentication, you must manually delete the last valid key.
To remove all keys, remove the key chain by using the no key chain command.
Examples
The following example configures a key chain named chain1. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.
interface ethernet 0ip rip authentication key-chain chain1ip rip authentication mode md5!router ripnetwork 172.19.0.0version 2!key chain chain1key 1key-string key1accept-lifetime 13:30:00 Jan 25 1996 duration 7200send-lifetime 14:00:00 Jan 25 1996 duration 3600key 2key-string key2accept-lifetime 14:30:00 Jan 25 1996 duration 7200send-lifetime 15:00:00 Jan 25 1996 duration 3600Related Commands
key chain
To enable authentication for routing protocols, identify a group of authentication keys by using the key chain command in global configuration mode. To remove the key chain, use the no form of this command.
key chain name-of-chain
no key chain name-of-chain
Syntax Description
name-of-chain
Name of a key chain. A key chain must have at least one key and can have up to 2147483647 keys.
Command Default
No key chain exists.
Command Modes
Global configuration
Command History
Usage Guidelines
Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains.
You must configure a key chain with keys to enable authentication.
Although you can identify multiple key chains, we recommend using one key chain per interface per routing protocol. Upon specifying the key chain command, you enter key-chain configuration mode.
Examples
The following example configures a key chain named chain1. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.
interface ethernet 0ip rip authentication key-chain chain1ip rip authentication mode md5!router ripnetwork 172.19.0.0version 2!key chain chain1key 1key-string key1accept-lifetime 13:30:00 Jan 25 1996 duration 7200send-lifetime 14:00:00 Jan 25 1996 duration 3600key 2key-string key2accept-lifetime 14:30:00 Jan 25 1996 duration 7200send-lifetime 15:00:00 Jan 25 1996 duration 3600Related Commands
key-string (authentication)
To specify the authentication string for a key, use the key-string command in key chain key configuration mode. To remove the authentication string, use the no form of this command.
key-string text
no key-string text
Syntax Description
Command Default
No key exists.
Command Modes
Key chain key configuration
Command History
Usage Guidelines
Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains. Each key can have only one key string.
If password encryption is configured (with the service password-encryption command), the software saves the key string as encrypted text. When you write to the terminal with the more system:running-config command, the software displays key-string 7 encrypted text.
Examples
The following example configures a key chain named chain1. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.
interface ethernet 0ip rip authentication key-chain chain1ip rip authentication mode md5!router ripnetwork 172.19.0.0version 2!key chain chain1key 1key-string key1accept-lifetime 13:30:00 Jan 25 1996 duration 7200send-lifetime 14:00:00 Jan 25 1996 duration 3600key 2key-string key2accept-lifetime 14:30:00 Jan 25 1996 duration 7200send-lifetime 15:00:00 Jan 25 1996 duration 3600Related Commands
lifetime (IKE policy)
To specify the lifetime of an Internet Key Exchange (IKE) security association (SA), use the lifetime command in Internet Security Association Key Management Protocol (ISAKMP) policy configuration mode. To reset the SA lifetime to the default value, use the no form of this command.
lifetime seconds
no lifetime
Syntax Description
seconds
Number of many seconds for each SA should exist before expiring. Use an integer from 60 to 86,400 seconds, which is the default value.
Command Default
The default is 86,400 seconds (one day).
Command Modes
ISAKMP policy configuration
Command History
Usage Guidelines
Use this command to specify how long an IKE SA exists before expiring.
When IKE begins negotiations, the first thing it does is agree upon the security parameters for its own session. The agreed-upon parameters are then referenced by an SA at each peer. The SA is retained by each peer until the SA's lifetime expires. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. Before an SA expires, it can be reused by subsequent IKE negotiations, which can save time when setting up new IPSec SAs. New IPSec SAs are negotiated before current IPSec SAs expire.
So, to save setup time for IPSec, configure a longer IKE SA lifetime. However, shorter lifetimes limit the exposure to attackers of this SA. The longer an SA is used, the more encrypted traffic can be gathered by an attacker and possibly used in an attack.
Note that when your local peer initiates an IKE negotiation between itself and a remote peer, an IKE policy can be selected only if the lifetime of the remote peer's policy is shorter than or equal to the lifetime of the local peer's policy. Then, if the lifetimes are not equal, the shorter lifetime will be selected. To restate this behavior: If the two peer's policies' lifetimes are not the same, the initiating peer's lifetime must be longer and the responding peer's lifetime must be shorter, and the shorter lifetime will be used.
Examples
The following example configures an IKE policy with a security association lifetime of 600 seconds (10 minutes), and all other parameters are set to the defaults:
crypto isakmp policy 15lifetime 600exitRelated Commands
log-adjacency-changes
To configure the router to send a syslog message when an Open Shortest Path First (OSPF) neighbor goes up or down, use the log-adjacency-changes command in router configuration mode. To turn off this function, use the no form of this command.
log-adjacency-changes [detail]
no log-adjacency-changes [detail]
Syntax Description
detail
(Optional) Sends a syslog message for each state change, not just when a neighbor goes up or down.
Command Default
Enabled
Command Modes
Router configuration
Command History
