-
Cisco IOS IPv6 Command Reference
-
Introduction
-
aaa accounting multicast default through clear ipv6 mobile home-agents
-
clear ipv6 mobile traffic through debug bgp vpnv6 unicast
-
debug crypto ipv6 ipsec through debug ipv6 pim
-
debug ipv6 pim df-election through ip http server
-
ip name-server through ipv6 general-prefix
-
ipv6 hello-interval eigrp through ipv6 mld static-group
-
ipv6 mobile home-agent (global configuration) through ipv6 ospf database-filter all out
-
ipv6 ospf dead-interval through ipv6 split-horizon eigrp
-
ipv6 summary-address eigrp through mpls ldp router-id
-
mpls traffic-eng auto-bw timers through route-map
-
router-id (IPv6) through show bgp ipv6 labels
-
show bgp ipv6 neighbors through show crypto isakmp peers
-
show crypto isakmp policy through show ipv6 eigrp neighbors
-
show ipv6 eigrp topology through show ipv6 nat statistics
-
show ipv6 nat translations through show ipv6 protocols
-
show ipv6 rip through snmp-server host
-
snmp-server user through vrf forwarding
-
Table Of Contents
mpls traffic-eng auto-bw timers
neighbor override-capability-neg
neighbor peer-group (assigning members)
neighbor peer-group (creating)
neighbor route-reflector-client
network (BGP and multiprotocol BGP)
peer default ipv6 address pool
platform ipv6 acl fragment hardware
platform ipv6 acl icmp optimize neighbor-discovery
mpls traffic-eng auto-bw timers
To enable automatic bandwidth adjustment for a platform and to start output rate sampling for tunnels configured for automatic bandwidth adjustment, use the mpls traffic-eng auto-bw timers command in global configuration mode. To disable automatic bandwidth adjustment for the platform, use the no form of this command.
mpls traffic-eng auto-bw timers [frequency seconds]
no mpls traffic-eng auto-bw timers
Syntax Description
Command Default
When the optional frequency keyword is not specified, the sampling interval is 300 seconds (5 minutes).
Command Modes
Global configuration
Command History
Usage Guidelines
The mpls traffic-eng auto-bw timers command enables automatic bandwidth adjustment on a platform by causing traffic engineering to periodically sample the output rate for each tunnel configured for bandwidth adjustment.
The no mpls traffic-eng auto-bw timers command disables automatic bandwidth adjustment for a platform by terminating the output rate sampling and bandwidth adjustment for tunnels configured for adjustment. In addition, the no form of the command restores the configured bandwidth for each tunnel where "configured bandwidth" is determined as follows:
•
If the tunnel bandwidth was explicitly configured via the tunnel mpls traffic-eng bandwidth command after the running configuration was written (if at all) to the startup configuration, the "configured bandwidth" is the bandwidth specified by that command.
•
Examples
The following example shows how to designate that for each Multiprotocol Label Switching (MPLS) traffic engineering tunnel, the output rate is sampled once every 10 minutes (every 600 seconds):
Router(config)# mpls traffic-eng auto-bw timers frequency 600Related Commands
multi-topology
To enable multitopology Intermediate System-to-Intermediate System (IS-IS) for IPv6, use the multi-topology command in address family configuration mode. To disable multitopology IS-IS for IPv6, use the no form of this command.
multi-topology [transition]
no multi-topology
Syntax Description
transition
(Optional) Allows an IS-IS IPv6 user to continue to use single shortest path first (SPF) mode while upgrading to multitopology IS-IS for IPv6.
Command Default
Multitopology IS-IS is disabled by default.
Command Modes
Address family configuration
Command History
Usage Guidelines
By default, the router runs IS-IS IPv6 in single SPF mode. The multi-topology command enables multitopology IS-IS for IPv6.
The optional transition keyword can be used to migrate from IS-IS IPv6 single SPF mode to multitopology IS-IS IPv6. When transition mode is enabled, the router advertises both multitopology type, length, and value (TLV) objects and single-SPF-mode IS-IS IPv6 TLVs, but the SPF is computed using the single-SPF-mode IS-IS IPv6 TLV. This action has the side effect of increasing the link-state packet (LSP) size.
Examples
The following example enables multitopology IS-IS for IPv6:
Router(config)# router isisRouter(config-router)# address-family ipv6Router(config-router-af)# multi-topologynai
To specify the network address identifier (NAI) for the IPv6 mobile node, use the nai command in home agent configuration mode or IPv6 mobile router host configuration mode. To remove a host configuration, use the no form of this command.
nai [realm | user | macaddress] {user@realm | @realm}
no nai
Syntax Description
Command Default
No NAI is specified.
Command Modes
Home agent configuration (config-ha)
IPv6 mobile router host configuration (IPv6-mobile-router-host-config)Command History
12.4(11)T
This command was introduced.
12.2(33)SRB
Support for IPv6 was added.
12.4(20)T
IPv6 network mobility (NEMO) functionality was added.
Usage Guidelines
The nai command can be used to configure a specific user NAI or a generic realm for defining a group.
When the address command is configured with a specific IPv6 address, the nai command cannot be configured using the @realm argument. For example, the following nai command configuration would not be valid because the address command is configured with the specific address baba::1:
host group group1nai @cisco.comaddress baba::1Two different profiles cannot be configured with the nai command configured with the same @realm value. For example, the following two profiles are configured with the same NAI realm of @cisco.com, which is not valid:
host group group1nai @cisco.comhost group group2nai @cisco.comHowever, if the one of the profiles uses a fully qualified NAI, which is configured using the nai command with the user@realm argument, its properties take precedence over the group profile for that user, and the second group's configuration using the nai command with the @realm argument is valid.
host group group1nai example@cisco.comhost group group2nai @cisco.comExamples
In the following example, the host group named group1 is configured using the NAI fully qualified realm of example@cisco.com:
host group group1nai example@cisco.comRelated Commands
host group
Creates a host configuration in IPv6 Mobile.
ipv6 mobile home-agent (global configuration)
Enters home agent configuration mode.
neighbor (EIGRP)
To define a neighboring router with which to exchange routing information on a router that is running Enhanced Interior Gateway Routing Protocol (EIGRP), use the neighbor command in router configuration mode or address-family configuration mode. To remove an entry, use the no form of this command.
neighbor {ip-address | ipv6-address} interface-type interface-number [remote maximum-hops]
no neighbor {ip-address | ipv6-address} interface-type interface-number
Syntax Description
Command Default
No neighboring routers are defined.
Command Modes
Router configuration (config-router)
Address-family configuration (config-router-af)Command History
Usage Guidelines
Multiple neighbor statements can be used to establish peering sessions with specific EIGRP neighbors. The interface through which EIGRP will exchange routing updates must be specified in the neighbor statement. The interfaces through which two EIGRP neighbors exchange routing updates must be configured with IP addresses from the same network.
Note
Examples
The following example configures EIGRP peering sessions with the 192.168.1.1 and 192.168.2.2 neighbors:
Router(config)# router eigrp 1Router(config-router)# network 192.168.0.0Router(config-router)# neighbor 192.168.1.1 Ethernet 0/0Router(config-router)# neighbor 192.168.2.2 Ethernet 1/1The following named configuration example configures EIGRP to send address-family updates to specific neighbors:
Router(config)# router eigrp virtual-nameRouter(config-router)# address-family ipv4 autonomous-system 4453Router(config-router-af)# neighbor 192.168.1.1 ethernet0/0Router(config-router-af)# neighbor 10.1.1.2 loopback0 remote 10Related Commands
neighbor activate
To enable the exchange of information with a Border Gateway Protocol (BGP) neighbor, use the neighbor activate command in address family configuration mode or router configuration mode. To disable the exchange of an address with a BGP neighbor, use the no form of this command.
neighbor {ip-address | peer-group-name | ipv6-address%} activate
no neighbor {ip-address | peer-group-name | ipv6-address%} activate
Syntax Description
Command Default
The exchange of addresses with BGP neighbors is enabled for the IPv4 address family. Enabling address exchange for all other address families is disabled.
Note
Command Modes
Address family configuration
Router configurationCommand History
Usage Guidelines
Use this command to advertise address information in the form of an IP or IPv6 prefix. The address prefix information is known as Network Layer Reachability Information (NLRI) in BGP.
The % keyword is used whenever link-local IPv6 addresses are used outside the context of their interfaces. This keyword does not need to be used for non-link-local IPv6 addresses.
Examples
Address Exchange Example for Address Family vpn4
The following example shows how to enable address exchange for address family vpnv4 for all neighbors in the BGP peer group named PEPEER and for the neighbor 10.0.0.44:
Router(config)# address-family vpnv4Router(config-router-af)# neighbor PEPEER activateRouter(config-router-af)# neighbor 10.0.0.44 activateRouter(config-router-af)# exit-address-familyAddress Exchange Example for Address Family IPv4 Unicast
The following example shows how to enable address exchange for address family IPv4 unicast for all neighbors in the BGP peer group named group1 and for the BGP neighbor 172.16.1.1:
Router(config)# address-family ipv4 unicastRouter(config-router-af)# neighbor group1 activateRouter(config-router-af)# neighbor 172.16.1.1 activateAddress Exchange Example for Address Family IPv6
The following example shows how to enable address exchange for address family IPv6 for all neighbors in the BGP peer group named group2 and for the BGP neighbor 7000::2:
Router(config)# address-family ipv6Router(config-router-af)# neighbor group2 activateRouter(config-router-af)# neighbor 7000::2 activateRelated Commands
neighbor ebgp-multihop
To accept and attempt BGP connections to external peers residing on networks that are not directly connected, use the neighbor ebgp-multihop command in router configuration mode. To return to the default, use the no form of this command.
neighbor {ip-address | ipv6-address | peer-group-name} ebgp-multihop [ttl]
no neighbor {ip-address | ipv6-address | peer-group-name} ebgp-multihop
Syntax Description
Command Default
Only directly connected neighbors are allowed.
Command Modes
Router configuration
Command History
Usage Guidelines
This feature should be used only under the guidance of Cisco technical support staff.
If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group will inherit the characteristic configured with this command.
To prevent the creation of loops through oscillating routes, the multihop will not be established if the only route to the multihop peer is the default route (0.0.0.0).
Examples
The following example allows connections to or from neighbor 10.108.1.1, which resides on a network that is not directly connected:
router bgp 109neighbor 10.108.1.1 ebgp-multihopRelated Commands
neighbor next-hop-unchanged
To enable an external BGP (eBGP) multihop peer to propagate the next hop unchanged, use the neighbor next-hop-unchanged command in address family or router configuration mode. To disable next hop propagation capabilities, use the no form of this command.
neighbor {ip-address | ipv6-address | peer-group-name} next-hop-unchanged [allpaths]
no neighbor {ip-address | ipv6-address | peer-group-name} next-hop-unchanged [allpaths]
Syntax Description
Command Default
Next hop propagation capabilities are not enabled.
Command Modes
Address family configuration (config-router-af)
Router configuration (config-router)Command History
Usage Guidelines
The neighbor next-hop-unchanged command is used to configured the propagate the next hop unchanged for multihop eBGP peering sessions. This command should not be configured on a route reflector, and the neighbor next-hop-self command should not be used to modify the next hop attribute for a route reflector when this feature is enabled for a route reflector client.
This command can be used to perform the following tasks:
•
•
•
Caution
Examples
Route Reflector Configuration
In the following example, the local router is configured as a route reflector and configures the 10.0.0.100 multihop peer as a route reflector client. A route map is created to set the advertised next hop to 172.16.0.1.
Router(config)# route-map NEXTHOPRouter(config-route-map)# set ip next-hop 172.16.0.1Router(config-route-map)# exitRouter(config)# router bgp 65534Router(config-router)# neighbor 10.0.0.100 remote-as 65412Router(config-router)# address-family ipv4Router(config-router-af)# neighbor 10.0.0.100 activateRouter(config-router-af)# neighbor 10.0.0.100 ebgp-multihop 255Router(config-router-af)# neighbor 10.0.0.100 route-reflector-clientRouter(config-router-af)# neighbor 10.0.0.100 route-map NEXTHOP outRouter(config-router-af)# endRoute Reflector Client Configuration
In the following example, the local router (route-reflector client) is configured to establish peering with the route reflector and to propagate the next hop unchanged:
Router(config)# router bgp 65412Router(config-router)# neighbor 192.168.0.1 remote-as 65412Router(config-router)# address-family ipv4Router(config-router-af)# neighbor 192.168.0.1 activateRouter(config-router-af)# neighbor 192.168.0.1 ebgp-multihop 255Router(config-router-af)# neighbor 192.168.0.1 next-hop-unchangedRouter(config-router-af)# endRelated Commands
neighbor override-capability-neg
To enable the IPv6 address family for a Border Gateway Protocol (BGP) neighbor that does not support capability negotiation, use the neighbor override-capability-neg command in address family configuration mode. To disable the IPv6 address family for a BGP neighbor that does not support capability negotiation, use the no form of this command.
neighbor {peer-group-name | ipv6-address} override-capability-neg
no neighbor {peer-group-name | ipv6-address} override-capability-neg
Syntax Description
Command Default
Capability negotiation is enabled.
Command Modes
Address family configuration
Command History
Usage Guidelines
Capability negotiation is used to establish a connection between BGP-speaking peers. If one of the BGP peers does not support capability negotiation, the connection is automatically terminated. The neighbor override-capability-neg command overrides the capability negotiation process and enables BGP-speaking peers to establish a connection.
The neighbor override-capability-neg command is supported only in address family configuration mode for the IPv6 address family.
Examples
The following example enables the IPv6 address family for BGP neighbor 7000::2:
Router(config)# address-family ipv6Router(config-router-af)# neighbor 7000::2 override-capability-negThe following example enables the IPv6 address family for all neighbors in the BGP peer group named group1:
Router(config)# address-family ipv6Router(config-router-af)# neighbor group1 override-capability-negRelated Commands
address-family ipv6
Places the router in address family configuration mode for configuring routing sessions, such as BGP, that use standard IPv6 address prefixes.
neighbor peer-group (assigning members)
To configure a BGP neighbor to be a member of a peer group, use the neighbor peer-group command in address family or router configuration mode. To remove the neighbor from the peer group, use the no form of this command.
neighbor {ip-address | ipv6-address} peer-group peer-group-name
no neighbor {ip-address | ipv6-address} peer-group peer-group-name
Syntax Description
Command Default
There are no BGP neighbors in a peer group.
Command Modes
Address family
Router configurationCommand History
Usage Guidelines
The neighbor at the IP address indicated inherits all the configured options of the peer group.
Note
Examples
The following router configuration mode example assigns three neighbors to the peer group named internal:
router bgp 100neighbor internal peer-groupneighbor internal remote-as 100neighbor internal update-source loopback 0neighbor internal route-map set-med outneighbor internal filter-list 1 outneighbor internal filter-list 2 inneighbor 172.16.232.53 peer-group internalneighbor 172.16.232.54 peer-group internalneighbor 172.16.232.55 peer-group internalneighbor 172.16.232.55 filter-list 3 inThe following address family configuration mode example assigns three neighbors to the peer group named internal:
router bgp 100address-family ipv4 unicastneighbor internal peer-groupneighbor internal remote-as 100neighbor internal update-source loopback 0neighbor internal route-map set-med outneighbor internal filter-list 1 outneighbor internal filter-list 2 inneighbor 172.16.232.53 peer-group internalneighbor 172.16.232.54 peer-group internalneighbor 172.16.232.55 peer-group internalneighbor 172.16.232.55 filter-list 3 inRelated Commands
neighbor peer-group (creating)
To create a BGP or multiprotocol BGP peer group, use the neighbor peer-group command in address family or router configuration mode. To remove the peer group and all of its members, use the no form of this command.
neighbor peer-group-name peer-group
no neighbor peer-group-name peer-group
Syntax Description
Command Default
There is no BGP peer group.
Command Modes
Router configuration
Command History
Usage Guidelines
Often in a BGP or multiprotocol BGP speaker, many neighbors are configured with the same update policies (that is, same outbound route maps, distribute lists, filter lists, update source, and so on). Neighbors with the same update policies can be grouped into peer groups to simplify configuration and make update calculation more efficient.
Note
Once a peer group is created with the neighbor peer-group command, it can be configured with the neighbor commands. By default, members of the peer group inherit all the configuration options of the peer group. Members also can be configured to override the options that do not affect outbound updates.
All the peer group members will inherit the current configuration as well as changes made to the peer group. Peer group members will always inherit the following configuration options by default:
•
•
•
•
•
•
•
•
If a peer group is not configured with a remote-as option, the members can be configured with the neighbor {ip-address | peer-group-name} remote-as command. This command allows you to create peer groups containing external BGP (eBGP) neighbors.
Examples
The following example configurations show how to create these types of neighbor peer group:
•
•
•
iBGP Peer Group
In the following example, the peer group named internal configures the members of the peer group to be iBGP neighbors. By definition, this is an iBGP peer group because the router bgp command and the neighbor remote-as command indicate the same autonomous system (in this case, autonomous system 100). All the peer group members use loopback 0 as the update source and use set-med as the outbound route map. The neighbor internal filter-list 2 in command shows that, except for 172.16.232.55, all the neighbors have filter list 2 as the inbound filter list.
router bgp 100neighbor internal peer-groupneighbor internal remote-as 100neighbor internal update-source loopback 0neighbor internal route-map set-med outneighbor internal filter-list 1 outneighbor internal filter-list 2 inneighbor 172.16.232.53 peer-group internalneighbor 172.16.232.54 peer-group internalneighbor 172.16.232.55 peer-group internalneighbor 172.16.232.55 filter-list 3 ineBGP Peer Group
The following example defines the peer group named external-peers without the neighbor remote-as command. By definition, this is an eBGP peer group because each individual member of the peer group is configured with its respective autonomous system number separately. Thus the peer group consists of members from autonomous systems 200, 300, and 400. All the peer group members have the set-metric route map as an outbound route map and filter list 99 as an outbound filter list. Except for neighbor 172.16.232.110, all of them have 101 as the inbound filter list.
router bgp 100neighbor external-peers peer-groupneighbor external-peers route-map set-metric outneighbor external-peers filter-list 99 outneighbor external-peers filter-list 101 inneighbor 172.16.232.90 remote-as 200neighbor 172.16.232.90 peer-group external-peersneighbor 172.16.232.100 remote-as 300neighbor 172.16.232.100 peer-group external-peersneighbor 172.16.232.110 remote-as 400neighbor 172.16.232.110 peer-group external-peersneighbor 172.16.232.110 filter-list 400 inMultiprotocol BGP Peer Group
In the following example, all members of the peer group are multicast-capable:
router bgp 100neighbor 10.1.1.1 remote-as 1neighbor 172.16.2.2 remote-as 2address-family ipv4 multicastneighbor mygroup peer-groupneighbor 10.1.1.1 peer-group mygroupneighbor 172.16.2.2 peer-group mygroupneighbor 10.1.1.1 activateneighbor 172.16.2.2 activateRelated Commands
neighbor remote-as
To add an entry to the BGP or multiprotocol BGP neighbor table, use the neighbor remote-as command in router configuration mode. To remove an entry from the table, use the no form of this command.
neighbor {ip-address | ipv6-address[%] | peer-group-name} remote-as autonomous-system-number [alternate-as autonomous-system-number ...]
no neighbor {ip-address | ipv6-address[%] | peer-group-name} remote-as autonomous-system-number [alternate-as autonomous-system-number ...]
Syntax Description
Command Default
There are no BGP or multiprotocol BGP neighbor peers.
Command Modes
Router configuration (config-router)
Command History
Usage Guidelines
Specifying a neighbor with an autonomous system number that matches the autonomous system number specified in the router bgp global configuration command identifies the neighbor as internal to the local autonomous system. Otherwise, the neighbor is considered external.
If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group will inherit the characteristic configured with this command.
By default, neighbors that are defined using the neighbor remote-as command in router configuration mode exchange only unicast address prefixes. To exchange other address prefix types, such as multicast and Virtual Private Network (VPN) Version 4, neighbors must also be activated in the appropriate address family configuration mode.
Use the alternate-as keyword introduced in Cisco IOS Release 12.2(33)SXH to specify up to five alternate autonomous systems in which a dynamic BGP neighbor may be identified. BGP dynamic neighbor support allows BGP peering to a group of remote neighbors that are defined by a range of IP addresses. BGP dynamic neighbors are configured using a range of IP addresses and BGP peer groups. After a subnet range is configured and associated with a BGP peer group using the bgp listen command and a TCP session is initiated for an IP address in the subnet range, a new BGP neighbor is dynamically created as a member of that group. The new BGP neighbor will inherit any configuration or templates for the group.
The % keyword is used whenever link-local IPv6 addresses are used outside the context of their interfaces. This keyword does not need to be used for non-link-local IPv6 addresses.
In Cisco IOS Release 12.0(32)SY8, 12.0(33)S3, 12.2(33)SXI1, Cisco IOS XE Release 2.4, and later releases, the Cisco implementation of 4-byte autonomous system numbers uses asplain—65538 for example—as the default regular expression match and output display format for autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the asplain format and the asdot format as described in RFC 5396. To change the default regular expression match and output display of 4-byte autonomous system numbers to asdot format, use the bgp asnotation dot command followed by the clear ip bgp * command to perform a hard reset of all current BGP sessions.
In Cisco IOS Release 12.0(32)S12, 12.4(24)T, and Cisco IOS XE Release 2.3, the Cisco implementation of 4-byte autonomous system numbers uses asdot—1.2 for example—as the only configuration format, regular expression match, and output display, with no asplain support.
To ensure a smooth transition, we recommend that all BGP speakers within an autonomous system that is identified using a 4-byte autonomous system number, be upgraded to support 4-byte autonomous system numbers.
Examples
The following example specifies that a router at the address 10.108.1.2 is an internal BGP (iBGP) neighbor in autonomous system number 65200:
router bgp 65200network 10.108.0.0neighbor 10.108.1.2 remote-as 65200The following example specifies that a router at the IPv6 address 2001:0DB8:1:1000::72a is an external BGP (eBGP) neighbor in autonomous system number 65001:
router bgp 65300address-family ipv6 vrf site1neighbor 2001:0DB8:1:1000::72a remote-as 65001The following example assigns a BGP router to autonomous system 65400, and two networks are listed as originating in the autonomous system. Then the addresses of three remote routers (and their autonomous systems) are listed. The router being configured will share information about networks 10.108.0.0 and 192.168.7.0 with the neighbor routers. The first router is a remote router in a different autonomous system from the router on which this configuration is entered (an eBGP neighbor); the second neighbor remote-as command shows an internal BGP neighbor (with the same autonomous system number) at address 10.108.234.2; and the last neighbor remote-as command specifies a neighbor on a different network from the router on which this configuration is entered (also an eBGP neighbor).
router bgp 65400network 10.108.0.0network 192.168.7.0neighbor 10.108.200.1 remote-as 65200neighbor 10.108.234.2 remote-as 65400neighbor 172.29.64.19 remote-as 65300The following example configures neighbor 10.108.1.1 in autonomous system 65001 to exchange only multicast routes:
router bgp 65001neighbor 10.108.1.1 remote-as 65001neighbor 172.31 1.2 remote-as 65001neighbor 172.16.2.2 remote-as 65002address-family ipv4 multicastneighbor 10.108.1.1 activateneighbor 172.31 1.2 activateneighbor 172.16.2.2 activateexit-address-familyThe following example configures neighbor 10.108.1.1 in autonomous system 65001 to exchange only unicast routes:
router bgp 65001neighbor 10.108.1.1 remote-as 65001neighbor 172.31 1.2 remote-as 65001neighbor 172.16.2.2 remote-as 65002The following example, configurable only in Cisco IOS Release 12.2(33)SXH and later releases, configures a subnet range of 192.168.0.0/16 and associates this listen range with a BGP peer group. Note that the listen range peer group that is configured for the BGP dynamic neighbor feature can be activated in the IPv4 address family using the neighbor activate command. After the initial configuration on Router 1, when Router 2 starts a BGP router session and adds Router 1 to its BGP neighbor table, a TCP session is initiated, and Router 1 creates a new BGP neighbor dynamically because the IP address of the new neighbor is within the listen range subnet.
Router 1
enableconfigure terminalrouter bgp 45000bgp log-neighbor-changesneighbor group192 peer-groupbgp listen range 192.168.0.0/16 peer-group group192neighbor group192 remote-as 40000 alternate-as 50000address-family ipv4 unicastneighbor group192 activateendRouter 2
enableconfigure terminalrouter bgp 50000neighbor 192.168.3.1 remote-as 45000exitIf the show ip bgp summary command is now entered on Router 1, the output shows the dynamically created BGP neighbor, 192.168.3.2.Router1# show ip bgp summaryBGP router identifier 192.168.3.1, local AS number 45000BGP table version is 1, main routing table version 1Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd*192.168.3.2 4 50000 2 2 0 0 0 00:00:37 0* Dynamically created based on a listen range commandDynamically created neighbors: 1/(200 max), Subnet ranges: 1BGP peergroup group192 listen range group members:192.168.0.0/16The following example configures a BGP process for autonomous system 65538 and configures two external BGP neighbors in different autonomous systems using 4-byte autonomous system numbers in asplain format. This example is supported only on Cisco IOS Release 12.0(32)SY8, 12.0(33)S3, 12.2(33)SXI1, Cisco IOS XE Release 2.4, or later releases.
router bgp 65538neighbor 192.168.1.2 remote-as 65536neighbor 192.168.3.2 remote-as 65550neighbor 192.168.3.2 description finance!address-family ipv4neighbor 192.168.1.2 activateneighbor 192.168.3.2 activateno auto-summaryno synchronizationnetwork 172.17.1.0 mask 255.255.255.0exit-address-familyThe following example configures a BGP process for autonomous system 1.2 and configures two external BGP neighbors in different autonomous systems using 4-byte autonomous system numbers in asdot format. This example requires Cisco IOS Release 12.0(32)SY8, 12.0(32)S12, 12.2(33)SXI1, 12.4(24)T, Cisco IOS XE Release 2.3, or a later release.
router bgp 1.2neighbor 192.168.1.2 remote-as 1.0neighbor 192.168.3.2 remote-as 1.14neighbor 192.168.3.2 description finance!address-family ipv4neighbor 192.168.1.2 activateneighbor 192.168.3.2 activateno auto-summaryno synchronizationnetwork 172.17.1.0 mask 255.255.255.0exit-address-familyRelated Commands
neighbor route-map
To apply a route map to incoming or outgoing routes, use the neighbor route-map command in address family or router configuration mode. To remove a route map, use the no form of this command.
neighbor {ip-address | peer-group-name | ipv6-address [%]} route-map map-name {in | out}
no neighbor {ip-address | peer-group-name | ipv6-address [%]} route-map map-name {in | out}
Syntax Description
Command Default
No route maps are applied to a peer.
Command Modes
Router configuration (config-router)
Command History
Usage Guidelines
When specified in address family configuration mode, this command applies a route map to that particular address family only. When specified in router configuration mode, this command applies a route map to IPv4 or IPv6 unicast routes only.
If an outbound route map is specified, it is proper behavior to only advertise routes that match at least one section of the route map.
If you specify a BGP or multiprotocol BGP peer group by using the peer-group-name argument, all the members of the peer group will inherit the characteristic configured with this command. Specifying the command for a neighbor overrides the inbound policy that is inherited from the peer group.
The % keyword is used whenever link-local IPv6 addresses are used outside the context of their interfaces. This keyword does not need to be used for non-link-local IPv6 addresses.
Examples
The following router configuration mode example applies a route map named internal-map to a BGP incoming route from 172.16.70.24:
router bgp 5neighbor 172.16.70.24 route-map internal-map inroute-map internal-mapmatch as-path 1set local-preference 100The following address family configuration mode example applies a route map named internal-map to a multiprotocol BGP incoming route from 172.16.70.24:
router bgp 5address-family ipv4 multicastneighbor 172.16.70.24 route-map internal-map inroute-map internal-mapmatch as-path 1set local-preference 100Related Commands
neighbor route-reflector-client
To configure the router as a BGP route reflector and configure the specified neighbor as its client, use the neighbor route-reflector-client command in address family or router configuration mode. To indicate that the neighbor is not a client, use the no form of this command.
neighbor {ip-address | ipv6-address | peer-group-name} route-reflector-client
no neighbor {ip-address | ipv6-address | peer-group-name} route-reflector-client
Syntax Description
ip-address
IP address of the BGP neighbor being identified as a client.
ipv6-address
IPv6 address of the BGP neighbor being identified as a client.
peer-group-name
Name of a BGP peer group.
Command Default
There is no route reflector in the autonomous system.
Command Modes
Address family configuration (config-router-af)
Router configuration (config-router)Command History
Usage Guidelines
By default, all internal BGP (iBGP) speakers in an autonomous system must be fully meshed, and neighbors do not readvertise iBGP learned routes to neighbors, thus preventing a routing information loop. When all the clients are disabled, the local router is no longer a route reflector.
If you use route reflectors, all iBGP speakers need not be fully meshed. In the route reflector model, an Interior BGP peer is configured to be a route reflector responsible for passing iBGP learned routes to iBGP neighbors. This scheme eliminates the need for each router to talk to every other router.
Use the neighbor route-reflector-client command to configure the local router as the route reflector and the specified neighbor as one of its clients. All the neighbors configured with this command will be members of the client group and the remaining iBGP peers will be members of the nonclient group for the local route reflector.
The bgp client-to-client reflection command controls client-to-client reflection.
Examples
In the following router configuration mode example, the local router is a route reflector. It passes learned iBGP routes to the neighbor at 172.16.70.24.
router bgp 5neighbor 172.16.70.24 route-reflector-clientIn the following address family configuration mode example, the local router is a route reflector. It passes learned iBGP routes to the neighbor at 172.16.70.24.
router bgp 5address-family ipv4 unicastneighbor 172.16.70.24 route-reflector-clientRelated Commands
neighbor send-community
To specify that a communities attribute should be sent to a BGP neighbor, use the neighbor send-community command in address family or router configuration mode. To remove the entry, use the no form of this command.
neighbor {ip-address | ipv6-address | peer-group-name} send-community [both | standard | extended]
no neighbor {ip-address | ipv6-address | peer-group-name} send-community
Syntax Description
Command Default
No communities attribute is sent to any neighbor.
Command Modes
Address family configuration
Router configurationCommand History
Usage Guidelines
If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group will inherit the characteristic configured with this command.
Examples
In the following router configuration mode example, the router belongs to autonomous system 109 and is configured to send the communities attribute to its neighbor at IP address 172.16.70.23:
router bgp 109neighbor 172.16.70.23 send-communityIn the following address family configuration mode example, the router belongs to autonomous system 109 and is configured to send the communities attribute to its neighbor at IP address 172.16.70.23:
router bgp 109address-family ipv4 multicastneighbor 172.16.70.23 send-communityRelated Commands
neighbor send-label
To enable a Border Gateway Protocol (BGP) router to send Multiprotocol Label Switching (MPLS) labels with BGP routes to a neighboring BGP router, use the neighbor send-label command in address family configuration mode or router configuration mode. To disable this feature, use the no form of this command.
neighbor {ip-address | ipv6-address | peer-group-name} send-label
no neighbor {ip-address | ipv6-address | peer-group-name} send-label
Syntax Description
ip-address
IP address of the neighboring router.
ipv6-address
IPv6 address of the neighboring router.
peer-group-name
Name of a BGP peer group.
Command Default
BGP routers distribute only BGP routes.
Command Modes
Address family configuration
Router configurationCommand History
Usage Guidelines
This command enables a router to use BGP to distribute MPLS labels along with the IPv4 routes to a peer router. You must issue this command on both the local router and the neighboring router.
This command has the following restrictions:
•
•
Use this command in IPv6 address family configuration mode to bind and advertise IPv6 prefix MPLS labels. Using this command in conjunction with the mpls ipv6 source-interface global configuration command allows IPv6 traffic to run over an IPv4 MPLS network without any software or hardware configuration changes in the backbone. Edge routers configured to run both IPv4 and IPv6 forward IPv6 traffic using MPLS and multiprotocol internal BGP (MP-iBGP).
Cisco IOS installs /32 routes for directly connected external BGP (eBGP) peers when the BGP session for such a peer comes up. The /32 routes are installed only when MPLS labels are exchanged between such peers. Directly connected eBGP peers exchange MPLS labels for:
•
•
A single BGP session can include multiple address families. If one of the families exchanges MPLS labels, the /32 neighbor route is installed for the connected peer.
Examples
The following example shows how to enable a router in the autonomous system 65000 to send MPLS labels with BGP routes to the neighbor BGP router at 192.168.0.1:
Router(config)# router bgp 65000Router(config-router)# neighbor 192.168.0.1 remote-as 65001Router(config-router)# neighbor 192.168.0.1 send-labelThe following example shows how to enable a router in the autonomous system 65000 to bind and advertise IPv6 prefix MPLS labels and send the labels with BGP routes to the neighbor BGP router at 192.168.99.70:
Router(config)# router bgp 65000Router(config-router)# neighbor 192.168.99.70 remote-as 65000Router(config-router)# address-family ipv6Router(config-router-af)# neighbor 192.168.99.70 activateRouter(config-router-af)# neighbor 192.168.99.70 send-labelRelated Commands
neighbor activate
Enables the exchange of information with a neighboring router.
neighbor translate-update
To generate multiprotocol IPv6 Border Gateway Protocol (BGP) updates that correspond to unicast IPv6 updates received from a peer, use the neighbor translate-update command in address family or router configuration mode. To return to default values, use the no form of the command.
neighbor ipv6-address translate-update ipv6 multicast [unicast]
no neighbor ipv6-address translate-update ipv6 multicast [unicast]
Syntax Description
Command Default
No BGP updates for unicast IPv6 are updated
Command Modes
Address family configuration
Router configurationCommand History
Usage Guidelines
The multicast BGP (MBGP) translate-update feature generally is used in an MBGP-capable router that peers with a customer site that has a router that is only BGP capable; the customer site has not or cannot upgrade the router to an MBGP-capable image. Because the customer site cannot originate MBGP advertisements, the router with which it peers will translate the BGP prefixes into MBGP prefixes, which are used for multicast-source Reverse Path Forwarding (RPF) lookup.
Examples
The following example generates multiprotocol IPv6 BGP updates that correspond to unicast IPv6 updates received from peer at address 7000::2:
neighbor 7000::2 translate-update ipv6 multicastneighbor update-source
To have the Cisco IOS software allow Border Gateway Protocol (BGP) sessions to use any operational interface for TCP connections, use the neighbor update-source command in router configuration mode. To restore the interface assignment to the closest interface, which is called the best local address, use the no form of this command.
neighbor {ip-address | ipv6-address[%] | peer-group-name} update-source interface-type interface-number
no neighbor {ip-address | ipv6-address[%] | peer-group-name} update-source interface-type interface-number
Syntax Description
Command Default
Best local address
Command Modes
Router configuration (config-router)
Command History
Usage Guidelines
This command can work in conjunction with the loopback interface feature described in the "Interface Configuration Overview" chapter of the Cisco IOS Interface and Hardware Component Configuration Guide.
If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group will inherit the characteristic configured with this command.
The neighbor update-source command must be used to enable IPv6 link-local peering for internal or external BGP sessions.
The % keyword is used whenever link-local IPv6 addresses are used outside the context of their interfaces and for these link-local IPv6 addresses you must specify the interface they are on. The syntax becomes <IPv6 local-link address>%<interface name>, for example, FE80::1%Ethernet1/0. Note that the interface type and number must not contain any spaces, and be used in full-length form because name shortening is not supported in this situation. The % keyword and subsequent interface syntax is not used for non-link-local IPv6 addresses.
Examples
The following example sources BGP TCP connections for the specified neighbor with the IP address of the loopback interface rather than the best local address:
router bgp 65000network 172.16.0.0neighbor 172.16.2.3 remote-as 110neighbor 172.16.2.3 update-source Loopback0The following example sources IPv6 BGP TCP connections for the specified neighbor in autonomous system 65000 with the global IPv6 address of loopback interface 0 and the specified neighbor in autonomous system 65400 with the link-local IPv6 address of Fast Ethernet interface 0/0. Note that the link-local IPv6 address of FE80::2 is on Ethernet interface 1/0.
router bgp 65000neighbor 3ffe::3 remote-as 65000neighbor 3ffe::3 update-source Loopback0neighbor fe80::2%Ethernet1/0 remote-as 65400neighbor fe80::2%Ethernet1/0 update-source FastEthernet 0/0address-family ipv6neighbor 3ffe::3 activateneighbor fe80::2%Ethernet1/0 activateexit-address-familyRelated Commands
neighbor activate
Enables the exchange of information with a BGP neighboring router.
neighbor remote-as
Adds an entry to the BGP or multiprotocol BGP neighbor table.
network (BGP and multiprotocol BGP)
To specify the networks to be advertised by the Border Gateway Protocol (BGP) and multiprotocol BGP routing processes, use the network command in address family or router configuration mode. To remove an entry from the routing table, use the no form of this command.
network {network-number [mask network-mask] | nsap-prefix} [route-map map-tag]
no network {network-number [mask network-mask] | nsap-prefix} [route-map map-tag]
Syntax Description
Command Default
No networks are specified.
Command Modes
Address family configuration
Router configurationCommand History
Usage Guidelines
BGP and multiprotocol BGP networks can be learned from connected routes, from dynamic routing, and from static route sources.
The maximum number of network commands you can use is determined by the resources of the router, such as the configured NVRAM or RAM.
Examples
The following example sets up network 10.108.0.0 to be included in the BGP updates:
router bgp 65100network 10.108.0.0The following example sets up network 10.108.0.0 to be included in the multiprotocol BGP updates:
router bgp 64800address family ipv4 multicastnetwork 10.108.0.0The following example advertises NSAP prefix 49.6001 in the multiprotocol BGP updates:
router bgp 64500address-family nsapnetwork 49.6001Related Commands
network (IPv6)
To configure the network source of the next hop to be used by the PE VPN, use the network command in router configuration mode. To disable the source, use the no form of this command.
network ipv6-address/prefix-length
no network ipv6-address/prefix-length
Syntax Description
Command Default
Next-hop network sources are not configured.
Command Modes
Address family configuration
Router configurationCommand History
Usage Guidelines
The ipv6-address argument in this command configures the IPv6 network number.
Examples
The following example places the router in address family configuration mode and configures the network source to be used as the next hop:
Router(config)# router bgp 100Router(config-router)# network 2001:DB8:100::1/128Related Commands
nis address
To specify the network information service (NIS) address of an IPv6 server to be sent to the client, use the nis address command in DHCP for IPv6 pool configuration mode. To remove the NIS address, use the no form of this command.
nis address ipv6-address
no nis address ipv6-address
Syntax Description
Command Default
No NIS address is specified.
Command Modes
IPv6 DHCP pool configuration
Command History
Usage Guidelines
The Dynamic Host Configuration Protocol (DHCP) for IPv6 for stateless configuration allows a DHCP for IPv6 client to export configuration parameters (that is, DHCP for IPv6 options) to a local DHCP for IPv6 server pool. The local DHCP for IPv6 server can then provide the imported configuration parameters to other DHCP for IPv6 clients.
The NIS server option provides a list of one or more IPv6 addresses of NIS servers available to send to the client. The client must view the list of NIS servers as an ordered list, and the server may list the NIS servers in the order of the server's preference.
The NIS server option code is 27. For more information on DHCP options and suboptions, see the "DHCPv6 Options" appendix in the Network Registrar User's Guide, Release 6.2.
Examples
The following example shows how to specify the NIS address of an IPv6 server:
nis address 23::1Related Commands
import nis address
Imports the NIS server option to a DHCP for IPv6 client.
nis domain-name
Enables a server to convey a client's NIS domain name information to the client.
nis domain-name
To enable a server to convey a client's network information service (NIS) domain name information to the client, use the nis domain-name command in DHCP for IPv6 pool configuration mode. To remove the domain name, use the no form of this command.
nis domain-name domain-name
no nis domain-name domain-name
Syntax Description
Command Default
No NIS domain name is specified.
Command Modes
IPv6 DHCP pool configuration
Command History
Usage Guidelines
The Dynamic Host Configuration Protocol (DHCP) for IPv6 for stateless configuration allows a DHCP for IPv6 client to export configuration parameters (that is, DHCP for IPv6 options) to a local DHCP for IPv6 server pool. The local DHCP for IPv6 server can then provide the imported configuration parameters to other DHCP for IPv6 clients.
The NIS domain name option provides a NIS domain name for the client. Use the nis domain-name command to specify the client's NIS domain name that the server sends to the client.
The NIS domain name option code is 29. For more information on DHCP options and suboptions, see the "DHCPv6 Options" appendix in the Network Registrar User's Guide, Release 6.2.
Examples
The following example shows how to enable the IPv6 server to specify the NIS domain name of a client:
nis domain-name cisco1.comRelated Commands
import nis domain
Imports the NIS domain name option to a DHCP for IPv6 client.
nis address
Specifies the NIS address of an IPv6 server to be sent to the client.
nisp address
To specify the network information service plus (NIS+) address of an IPv6 server to be sent to the client, use the nisp address command in DHCP for IPv6 pool configuration mode. To remove the NIS+ address, use the no form of the command.
nisp address ipv6-address
no nisp address ipv6-address
Syntax Description
Command Default
No NIS+ address is specified.
Command Modes
IPv6 DHCP pool configuration
Command History
Usage Guidelines
The Dynamic Host Configuration Protocol (DHCP) for IPv6 for stateless configuration allows a DHCP for IPv6 client to export configuration parameters (that is, DHCP for IPv6 options) to a local DHCP for IPv6 server pool. The local DHCP for IPv6 server can then provide the imported configuration parameters to other DHCP for IPv6 clients.
The NIS+ servers option provides a list of one or more IPv6 addresses of NIS+ servers available to send to the client. The client must view the list of NIS+ servers as an ordered list, and the server may list the NIS+ servers in the order of the server's preference.
The NIS+ servers option code is 28. For more information on DHCP options and suboptions, see the "DHCPv6 Options" appendix in the Network Registrar User's Guide, Release 6.2.
Examples
The following example shows how to specify the NIS+ address of an IPv6 server:
nisp address 33::1Related Commands
import nisp address
Imports the NIS+ servers option to a DHCP for IPv6 client.
nisp domain-name
Enables a server to convey a client's NIS+ domain name information to the client.
nisp domain-name
To enable an IPv6 server to convey a client's network information service plus (NIS+) domain name information to the client, use the nisp domain-name command in DHCP for IPv6 pool configuration mode. To remove the domain name, use the no form of this command.
nisp domain-name domain-name
no nisp domain-name domain-name
Syntax Description
Command Default
No NIS+ domain name is specified.
Command Modes
IPv6 DHCP pool configuration
Command History
Usage Guidelines
The Dynamic Host Configuration Protocol (DHCP) for IPv6 for stateless configuration allows a DHCP for IPv6 client to export configuration parameters (that is, DHCP for IPv6 options) to a local DHCP for IPv6 server pool. The local DHCP for IPv6 server can then provide the imported configuration parameters to other DHCP for IPv6 clients.
The NIS+ domain name option provides a NIS+ domain name for the client. Use the nisp domain-name command to enable a server to send the client its NIS+ domain name information.
The NIS+ domain name option code is 30. For more information on DHCP options and suboptions, see the "DHCPv6 Options" appendix in the Network Registrar User's Guide, Release 6.2.
Examples
The following example shows how to enable the IPv6 server to specify the NIS+ domain name of a client:
nisp domain-name cisco1.comRelated Commands
import nisp domain
Imports the NIS+ domain name option to a DHCP for IPv6 client.
nisp address
Specifies the NIS+ address of an IPv6 server to be sent to the client.
ntp access-group
To control access to the Network Time Protocol (NTP) services on the system, use the ntp access-group command in global configuration mode. To remove access control to the NTP services, use the no form of this command.
ntp access-group {query-only | serve-only | serve | peer} {access-list-number | access-list-name} [kod]
no ntp [access-group {query-only | serve-only | serve | peer} {access-list-number | access-list-name} [kod]
Syntax Description
Command Default
No access control (full access granted to all systems)
Command Modes
Global configuration
Command History
Usage Guidelines
The access group options are scanned in the following order from least restrictive to most restrictive:
1.
2.
3.
4.
Access is granted for the first match that is found. If no access groups are specified, all access is granted to all sources. If any access groups are specified, only the specified access is granted. This facility provides minimal security for the time services of the system. However, it can be circumvented by a determined programmer. If tighter security is desired, use the NTP authentication facility.
The NTP service can be activated by entering any ntp command. When you use the ntp access-group command, the NTP service is activated (if it has not already been activated) and access control to NTP services is configured simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp access-control command, only access control to NTP services is removed. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp access-group command and you now want to remove not only the access group, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
The following example shows how to configure a system to allow itself to be synchronized by a peer from access list 99. However, the system restricts access to allow only time requests from access list 42.
Router(config)# ntp access-group peer 99Router(config)# ntp access-group serve-only 42In the following IPv6 example, a KOD packet is sent to any host that tries to send a packet that is not compliant with the access-group policy:
Router(config)# ntp access-group serve acl1 kodThe following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntpRelated Commands
access-list
Configures the access list mechanism for filtering frames by protocol type or vendor code.
ntp authenticate
To enable Network Time Protocol (NTP) authentication, use the ntp authenticate command in global configuration mode. To disable the function, use the no form of this command.
ntp authenticate
no ntp [authenticate]
Syntax Description
This command has no arguments or keywords.
Command Default
No authentication
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command if you want authentication. If this command is specified, the system will not synchronize to a system unless it carries one of the authentication keys specified in the ntp trusted-key global configuration command.
The NTP service can be activated by entering any ntp command. When you use the ntp authenticate command, the NTP service is activated (if it has not already been activated) and NTP authentication is enabled simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp authenticate command, only the NTP authentication is removed from the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp authenticate command and you now want to disable not only the authentication, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
The following example shows how to configure the system to synchronize only to systems that provide authentication key 42 in their NTP packets:
Router(config)# ntp authenticateRouter(config)# ntp authentication-key 42 md5 aNiceKeyRouter(config)# ntp trusted-key 42The following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntpRelated Commands
ntp authentication-key
Defines an authentication key for NTP.
ntp trusted-key
Authenticates the identity of a system to which NTP will synchronize.
ntp authentication-key
To define an authentication key for Network Time Protocol (NTP), use the ntp authentication-key command in global configuration mode. To remove the authentication key for NTP, use the no form of this command.
ntp authentication-key number md5 value
no ntp [authentication-key]
Syntax Description
Command Default
No authentication key is defined for NTP.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to define authentication keys for use with other NTP commands in order to provide a higher degree of security.
Note
The NTP service can be activated by entering any ntp command. When you use the ntp authentication-key command, the NTP service is activated (if it has not already been activated) and the NTP authentication key is defined simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp authentication-key command, only the NTP authentication key is removed from the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp authentication-key command and you now want to remove not only the authentication key, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
The following example shows how to configure the system to synchronize only to systems providing authentication key 42 in their NTP packets:
Router(config)# ntp authenticateRouter(config)# ntp authentication-key 42 md5 aNiceKeyRouter(config)# ntp trusted-key 42The following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntpRelated Commands
ntp broadcast client
To configure a device to receive Network Time Protocol (NTP) broadcast messages on a specified interface, use the ntp broadcast client command in interface configuration mode. To disable this capability, use the no form of this command.
ntp broadcast client [novolley]
no ntp broadcast [client]
Syntax Description
Command Default
Disabled
Command Modes
Interface configuration
Command History
Usage Guidelines
Use this command to allow the system to listen to broadcast packets on an interface-by-interface basis.
The NTP service can be activated by entering any ntp command. When you use the ntp broadcast client command, the NTP service is activated (if it has not already been activated) and the device is configured to receive NTP broadcast packets on a specified interface simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp broadcast client command, only the broadcast client configuration is removed from the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp broadcast client command and you now want to remove not only the broadcast client capability, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
In IPv6 configuration, the ntp broadcastdelay command is used when the ntp broadcast client or ntp multicast client command is configured with the novolley keyword.
Examples
In the following example, the system is configured to receive (listen to) NTP broadcasts on Ethernet interface 1:
Router(config)# interface ethernet 1Router(config-if)# ntp broadcast clientThe following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntpRelated Commands
ntp broadcastdelay
To set the estimated round-trip delay between the Cisco IOS software and a Network Time Protocol (NTP) broadcast server, use the ntp broadcastdelay command in global configuration mode. To revert to the default value, use the no form of this command.
ntp broadcastdelay microseconds
no ntp [broadcastdelay]
Syntax Description
microseconds
Estimated round-trip time (in microseconds) for NTP broadcasts. The range is from 1 to 999999.
Command Default
3000 microseconds
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ntp broadcastdelay command when the router is configured as a broadcast client and the round-trip delay on the network is other than 3000 microseconds. In IPv6, the value set by this command should only be used when the ntp broadcast client and ntp multicast client commands have the novolley keyword enabled.
The NTP service can be activated by entering any ntp command. When you use the ntp broadcastdelay command, the NTP service is activated (if it has not already been activated) and the estimated round-trip delay between the Cisco IOS software and an NTP broadcast server is set simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp broadcastdelay command, only the estimated round-trip delay between the Cisco IOS software and an NTP broadcast server is removed from the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp broadcastdelay command and you now want to remove not only the delay setting, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
In IPv6 configuration, the ntp broadcast delay command is used when the ntp broadcast client or ntp multicast client command is configured with the novolley keyword.
Examples
The following example shows how to set the estimated round-trip delay between a router and the broadcast client to 5000 microseconds:
Router(config)# ntp broadcastdelay 5000The following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntpRelated Commands
ntp disable
To prevent an interface from receiving Network Time Protocol (NTP) packets, use the ntp disable command in interface configuration mode. To enable receipt of NTP packets on an interface, use the no form of this command.
ntp disable [ipv4 | ipv6]
no ntp [disable]
Syntax Description
ipv4
(Optional) Allows you to disable NTP for the IPv4 address family.
ipv6
(Optional) Allows you to disable NTP for the IPv6 address family.
Command Default
Enabled
Command Modes
Interface configuration
Command History
Usage Guidelines
This command provides a simple method of access control.
The NTP service can be activated by entering any ntp command. When you use the ntp disable command, the NTP service is activated (if it has not already been activated) and the interface is configured to reject NTP packets simultaneously.
In the no form of any ntp command, all the keywords are optional. However, you must remove all NTP commands from the interface before you can enter the ntp disable command on that interface.
When you enter the no ntp disable command, the interface that was configured to reject NTP packets is enabled to receive NTP packets. The NTP service itself remains active, along with any other functions you previously configured.
When you use the ntp disable command without either ipv4 or ipv6 keyword, NTP is disabled on the interface for both address families.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp disable command and you now want to remove not only this restriction, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
The following example shows how to prevent Ethernet interface 0 from receiving NTP packets:
Router(config)# interface ethernet 0Router(config-if)# ntp disableThe following example shows the display after trying to execute ntp disable on an interface with other NTP commands configured on it:
Router(config-if)# ntp disable%NTP: Unconfigure other NTP commands on this interface before executing `ntp disable'Router(config-if)#The following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntpntp drift clear
To reset the drift value stored in the persistent data file, use the ntp drift clear command in privileged EXEC mode. To disable the function, use the no form of this command.
ntp drift clear
no ntp drift clear
Syntax Description
This command has no arguments or keywords.
Command Default
This command is not enabled.
Command Modes
Privileged EXEC
Command History
Usage Guidelines
The ntp drift clear command is used to reset the local clock drift value in the persistent data file. The drift is the frequency offset between the local clock hardware and the authoritative time from the Network Time Protocol version 4 (NTPv4) servers. NTPv4 automatically computes this drift and uses it to compensate permanently for local clock imperfections.
Examples
The following example shows how to reset the drift value in the persistent data file:
Router# ntp drift clearntp logging
To enable Network Time Protocol (NTP) message logging, use the ntp logging command in global configuration mode. To disable NTP logging, use the no form of this command.
ntp logging
no ntp [logging]
Syntax Description
This command has no arguments or keywords.
Command Default
NTP message logging is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the ntp logging command to control the display of NTP logging messages.
The NTP service can be activated by entering any ntp command. When you use the ntp logging command, the NTP service is activated (if it has not already been activated) and message logging is enabled simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp logging command, only the message logging is disabled in the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp logging command and you now want to disable not only the message logging, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
The following example shows how to enable NTP message logging and verify that it is enabled:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# ntp loggingRouter(config)# endRouter# show running-config | include ntpntp loggingntp clock-period 17180152ntp peer 10.0.0.1ntp server 192.168.166.3In the preceding example, the "ntp logging" entry in the configuration file verifies that NTP message logging is enabled.
The following example shows how to disable NTP message logging and verify that it is disabled:
Router# configure terminalEnter configuration commands, one per line. End with CNTL/Z.Router(config)# no ntp loggingRouter# endRouter(config)# show running-config | include ntpntp clock-period 17180152ntp peer 18.0.0.1ntp server 128.107.166.3The "ntp logging" entry no longer appears in the configuration file, which verifies that NTP message logging is disabled.
The following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntp
Related Commands
ntp peer
Configures the software clock to synchronize a peer or to be synchronized by a peer.
ntp server
Allows the software clock to be synchronized by an NTP time server.
ntp master
To configure the Cisco IOS software as a Network Time Protocol (NTP) master clock to which peers synchronize themselves when an external NTP source is not available, use the ntp master command in global configuration mode. To disable the master clock function, use the no form of this command.
ntp master [stratum]
no ntp [master]
Caution
Syntax Description
stratum
(Optional) Number from 1 to 15. Indicates the NTP stratum number that the system will claim.
Command Default
By default, the master clock function is disabled. When enabled, the default stratum is 8.
Command Modes
Global configuration
Command History
Usage Guidelines
Because the Cisco implementation of NTP does not support directly attached radio or atomic clocks, the router is normally synchronized, directly or indirectly, to an external system that has such a clock. In a network without Internet connectivity, such a time source may not be available. The ntp master command is used in such cases.
If the system has ntp master configured, and it cannot reach any clock with a lower stratum number, the system will claim to be synchronized at the configured stratum number, and other systems will be willing to synchronize to it via NTP.
Note
The NTP service can be activated by entering any ntp command. When you use the ntp master command, the NTP service is activated (if it has not already been activated) and the Cisco IOS software is configured as an NTP master clock simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp master command, only the NTP master clock configuration is removed from the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp master command and you now want to remove not only the master clock function, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
The following example shows how to configure a router as an NTP master clock to which peers may synchronize:
Router(config)# ntp master 10The following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntpRelated Commands
clock calendar-valid
Configures the system hardware clock an authoritative time source for the network.
ntp max-associations
To configure the maximum number of Network Time Protocol (NTP) peers and clients for a routing device, use the ntp max-associations command in global configuration mode. To return the maximum associations value to the default, use the no form of this command.
ntp max-associations number
no ntp [max-associations]
Syntax Description
Command Default
100 maximum associations.
Command Modes
Global configuration
Command History
Usage Guidelines
The router can be configured to define the maximum number of NTP peer and client associations that the router will serve. The ntp max-associations command is used to set this limit.
For a router, this command is useful for ensuring that the router is not overwhelmed by NTP synchronization requests. For an NTP master server, this command is useful for allowing numerous devices to synchronize to a router.
The NTP service can be activated by entering any ntp command. When you use the ntp max-associations command, the NTP service is activated (if it has not already been activated) and the maximum number of NTP peers and clients is configured simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp max-associations command, only the maximum number value is removed from the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp max-associations command and you now want to remove not only that maximum value, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
In the following example, the router is configured to act as an NTP server to 200 clients:
Router(config)# ntp max-associations 200The following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntpRelated Commands
ntp multicast
To configure a system to send Network Time Protocol (NTP) multicast packets on a specified interface, use the ntp multicast interface configuration command. To disable this capability, use the no form of this command.
ntp multicast {ip-address | ipv6-address} [key key-id] [ttl value] [version number]
no ntp [multicast]
Syntax Description
Command Default
Disabled
Command Modes
Interface configuration
Command History
Usage Guidelines
The TTL value is used to limit the scope of an audience for multicast routing.
The NTP service can be activated by entering any ntp command. When you use the ntp multicast command, the NTP service is activated (if it has not already been activated) and the interface on which to send multicast packets is configured simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp multicast command, only the multicast capability is removed from the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp multicast command and you now want to remove not only the multicast capability, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
The following example shows how to configure Ethernet interface 0 to send NTP version 2 broadcasts:
Router(config)# interface ethernet 0Router(config-if)# ntp multicast version 2The following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntpRelated Commands
ntp authentication-key
Defines an authentication key for NTP.
ntp multicast client
Allows the system to receive NTP multicast packets on an interface.
ntp multicast client
To configure the system to receive Network Time Protocol (NTP) multicast packets on a specified interface, use the ntp multicast client interface configuration command. To disable this capability, use the no form of this command.
ntp multicast client {ip-address | ipv6-address} [novolley]
no ntp [multicast client [ip-address | ipv6-address]]
Syntax Description
Command Default
Disabled
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the ntp multicast client command to allow the system to listen to multicast packets on an interface-by-interface basis.
This command enables the multicast client mode on the local NTP host. In this mode, the host is ready to receive mode 5 (broadcast) NTP messages sent to the specified multicast address. After receiving the first packet, the client measures the nominal propagation delay using a brief client/server association with the server. After this initial phase, the client enters the broadcast client mode, in which it synchronizes its clock to received multicast messages.
The NTP service can be activated by entering any ntp command. When you use the ntp multicast client command, the NTP service is activated (if it has not already been activated) and the interface on which to receive multicast packets is configured simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp multicast client command, only the multicast client capability is removed from the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp multicast client command and you now want to remove not only the multicast client capability, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
In IPv6 configuration, the ntp broadcast delay command is used when the ntp broadcast client or ntp multicast client command is configured with the novolley keyword.
Examples
In the following example, the system is configured to receive (listen to) NTP multicast packets on Ethernet interface 1:
Router(config)# interface ethernet 1Router(config-if)# ntp multicast clientThe following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntpRelated Commands
ntp peer
To configure the software clock to synchronize a peer or to be synchronized by a peer, use the ntp peer command in global configuration mode. To disable this capability, use the no form of this command.
ntp peer {vrf vrf-name | ip-address | ipv6-address | ipv4 | ipv6 | hostname} [normal-sync] [version number] [key key-id] [source interface] [prefer] [maxpoll number] [minpoll number] [burst] [iburst]
no ntp {vrf vrf-name | ipv4-address | ipv6-address | ipv4 | ipv6 | hostname}
Syntax Description
Command Default
No peers are configured.
The default maxpoll number is 10 seconds.
The default minpoll number is 6 seconds.Command Modes
Global configuration (config)
Command History
Usage Guidelines
When a peer is configured, the default NTP version number is 3, no authentication key is used, and the source IPv4 or IPv6 address is taken from the outgoing interface.
Use this command to allow a device to synchronize with a peer, or vice versa. Use the prefer keyword to reduce switching between peers.
If you are using the default version of 3 and NTP synchronization does not occur, try using NTP version 2 (NTPv2). For IPv6, use NTP version 4.
If you are using NTPv4, the NTP synchronization takes more time to complete unlike NTPv3, which syncs in seconds or a maximum of 1 to 2 minutes. The acceptable time for sync in case of NTPv4 is 15 to 20 minutes. To achieve faster NTP synchronization, enable the burst or iburst modes by using the burst or iburst keywords. With the burst or iburst mode configured, NTP synchronization takes about 1 to 2 minutes to sync.
The time span required for the NTP synchronization while using NTPv4 cannot be deduced accurately. It depends on the network topology and complexity.
The NTP service can be activated by entering any ntp command. When you use the ntp peer command, the NTP service is activated (if it has not already been activated) and the peer is configured simultaneously.
When you enter the no ntp peer command, only the NTP peer configuration is removed from NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp peer command and you now want to remove not only the peer, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
The following example shows how to configure a router to allow its software clock to be synchronized with the clock of the peer (or vice versa) at IPv4 address 192.168.22.33 using NTPv2. The source IPv4 address is the address of Ethernet 0:
Router(config)# ntp peer 192.168.22.33 version 2 source ethernet 0The following example shows how to configure a router to allow its software clock to be synchronized with the clock of the peer (or vice versa) at IPv6 address 2001:0DB8:0:0:8:800:200C:417A using NTPv4:
Router(config)# ntp peer 2001:0DB8:0:0:8:800:200C:417A version 4The following example shows how to disable rapid synchronization at startup:
Router(config)# ntp peer 192.168.22.33 normal-syncThe following example shows how to keep a peer configured but reenable rapid synchronization at startup after previously disabling it:
Router(config)# ntp peer 192.168.22.33The following example shows how to remove all the configured NTP options and disable the NTP server:
Router(config)# no ntpRelated Commands
ntp refclock
To configure an external clock source for use with Network Time Protocol (NTP) services, use the ntp refclock command in line configuration mode. To disable support of the external time source, use the no form of this command.
ntp refclock {trimble | telecom-solutions} pps {cts | ri | none} [inverted] [pps-offset number] [stratum number] [timestamp-offset number]
no ntp [refclock]
Syntax Description
Command Default
This command is disabled by default.
Command Modes
Line configuration (for auxilary 0 only)
Command History
Usage Guidelines
To configure a PPS signal as the source for NTP synchronization, use the following form of the ntp refclock command:
ntp refclock pps {cts | ri} [inverted] [pps-offset number] [stratum number] [timestamp-offset number]
To configure a Trimble Palisade NTP Synchronization Kit as the GPS clock source connected to the auxiliary port of a Cisco 7200 router, use the following form of the ntp refclock command:
ntp refclock trimble pps none [stratum number]
To configure a Telecom Solutions product as the GPS clock source, use the ntp refclock telecom-solutions form of the command:
ntp refclock telecom-solutions pps cts [stratum number]
The NTP service can be activated by entering any ntp command. When you use the ntp refclock command, the NTP service is activated (if it has not already been activated) and the external clock source is configured simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp refclock command, only the external clock source is removed from the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp refclock command and you now want to remove not only the external clock source, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
The following example shows configuration of a Trimble Palisade GPS time source on a Cisco 7200 router:
Router(config)# ntp masterRouter(config)# ntp update-calendarRouter(config)# line aux 0Router(config-line)# ntp refclock trimble pps noneThe following example shows configuration of a Telecom Solutions GPS time source on a Catalyst switch platform:
Router(config)# ntp masterRouter(config)# ntp update-calendarRouter(config)# line aux 0Router(config-line)# ntp refclock telecom-solutions pps cts stratum 1The following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntpRelated Commands
show ntp associations
Displays the status of NTP associations configured for your system.
ntp server
To allow the software clock to be synchronized by a Network Time Protocol (NTP) time server, use the ntp server command in global configuration mode. To disable this capability, use the no form of this command.
ntp server {vrf vrf-name | ip-address | ipv6-address | ipv4 | ipv6 | hostname} [normal-sync] [version number] [key key-id] [source interface] [prefer] [maxpoll number] [minpoll number] [burst] [iburst]
no ntp server {vrf vrf-name | ipv4-address | ipv6 address | ipv4 | ipv6 | hostname}
Syntax Description
Command Default
No servers are configured by default. If a server is configured, the default NTP version number is 3, no authentication key is used, and the source IPv4 or IPv6 address is taken from the outgoing interface.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use this command if you want to allow the system to synchronize with the specified server. The server will not synchronize to this machine.
When you use the hostname option, the router does a domain name server (DNS) lookup on that name, and stores the IPv4 or IPv6 address in the configuration. For example, if you enter the command ntp server host1 and then check the running configuration, the output shows "ntp server 172.16.0.4," assuming that the router is correctly configured as a DNS client.
Use the prefer keyword if you use this command multiple times, and you want to set a preferred server. Using the prefer keyword reduces switching between servers.
If you are using the default version of 3 and NTP synchronization does not occur, try NTPv2. Some NTP servers on the Internet run version 2. For IPv6, use NTP version 4.
If you are using NTPv4, the NTP synchronization takes more time to complete unlike NTPv3, which syncs in seconds or a maximum of 1 to 2 minutes. The acceptable time for sync in case of NTPv4 is 15 to 20 minutes. To achieve faster NTP synchronization, enable the burst or iburst modes by using the burst or iburst keywords. With the burst or iburst mode configured, NTP synchronization takes about 1 to 2 minutes to sync.
The exact time span required for the NTP synchronization while using NTPv4 cannot be deduced accurately. It depends on the network topology and complexity.
The NTP service can be activated by entering any ntp command. When you use the ntp server command, the NTP service is activated (if it has not already been activated) and software clock synchronization is configured simultaneously.
When you enter the no ntp server command, only the server synchronization capability is removed from the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp server command and you now want to remove not only the server synchronization capability, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
The following example shows how to configure a router to allow its software clock to be synchronized with the clock by the device at IPv4 address 172.16.22.44 using NTPv2:
Router(config)# ntp server 172.16.22.44 version 2The following example shows how to configure a router to allow its software clock to be synchronized with the clock by the device at IPv6 address 2001:0DB8:0:0:8:800:200C:417A using NTPv4:
Router(config)# ntp server 2001:0DB8:0:0:8:800:200C:417A version 4The following example shows how to remove all the configured NTP options and disable the NTP server:
Router(config)# no ntpRelated Commands
ntp source
To use a particular source address in Network Time Protocol (NTP) packets, use the ntp source command in global configuration mode. To remove the specified source address, use the no form of this command.
ntp source type number
no ntp [source]
Syntax Description
Command Default
Source address is determined by the outgoing interface.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command when you want to use a particular source IPv4 or IPv6 address for all NTP packets. The address is taken from the named interface. This command is useful if the address on an interface cannot be used as the destination for reply packets. If the source keyword is present on an ntp server or ntp peer global configuration command, that value overrides the global value set by this command.
The NTP service can be activated by entering any ntp command. When you use the ntp source command, the NTP service is activated (if it has not already been activated) and the source address is configured simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp source command, only the source address is removed from the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp source command and you now want to remove not only the configured source address, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
The following example shows how to configure a router to use the IPv4 or IPv6 address of Ethernet 0 as the source address of all outgoing NTP packets:
Router(config)# ntp source ethernet 0The following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntpRelated Commands
ntp peer
Configures the software clock to synchronize a peer or to be synchronized by a peer.
ntp server
Allows the software clock to be synchronized by a time server.
ntp trusted-key
To authenticate the identity of a system to which Network Time Protocol (NTP) will synchronize, use the ntp trusted-key command in global configuration mode. To disable authentication of the identity of the system, use the no form of this command.
ntp trusted-key key-number
no ntp [trusted-key key-number]
Syntax Description
Command Default
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
If authentication is enabled, use this command to define one or more key numbers (corresponding to the keys defined with the ntp authentication-key command) that a peer NTP system must provide in its NTP packets, in order for this system to synchronize to it. This function provides protection against accidentally synchronizing the system to a system that is not trusted, because the other system must know the correct authentication key.
The NTP service can be activated by entering any ntp command. When you use the ntp trusted-key command, the NTP service is activated (if it has not already been activated) and the system to which NTP will synchronize is authenticated simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp trusted-key command, only the authentication is disabled in the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp trusted-key command and you now want to remove not only the authentication, but all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
The following example shows how to configure the system to synchronize only to systems providing authentication key 42 in its NTP packets:
Router(config)# ntp authenticateRouter(config)# ntp authentication-key 42 md5 aNiceKeyRouter(config)# ntp trusted-key 42The following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntpRelated Commands
ntp authenticate
Enables NTP authentication.
ntp authentication-key
Defines an authentication key for NTP.
ntp update-calendar
To periodically update the hardware clock (calendar) from a Network Time Protocol (NTP) time source, use the ntp update-calendar command in global configuration mode. To disable the periodic updates, use the no form of this command.
ntp update-calendar
no ntp [update-calendar]
Syntax Description
This command has no arguments or keywords.
Command Default
The hardware clock (calendar) is not updated.
Command Modes
Global configuration
Command History
Usage Guidelines
Some platforms have a battery-powered hardware clock, referred to in the command-line interface (CLI) as the "calendar," in addition to the software based system clock. The hardware clock runs continuously, even if the router is powered off or rebooted.
If the software clock is synchronized to an outside time source via NTP, it is a good practice to periodically update the hardware clock with the time learned from NTP. Otherwise, the hardware clock will tend to gradually lose or gain time (drift), and the software clock and hardware clock may become out of synchronization with each other. The ntp update-calendar command will enable the hardware clock to be periodically updated with the time specified by the NTP source. The hardware clock will be updated only if NTP has synchronized to an authoritative time server.
Many lower-end routers (for example, the Cisco 2500 series or the Cisco 2600 series) do not have hardware clocks, so this command is not available on those platforms.
To force a single update of the hardware clock from the software clock, use the clock update-calendar command in user EXEC mode.
The NTP service can be activated by entering any ntp command. When you use the ntp update-calendar command, the NTP service is activated (if it has not already been activated) and the hardware clock is updated simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp update-calendar command, only the clock updates are stopped in the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To terminate NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp update-calendar command and you now want to disable not only the periodic updates, but all NTP functions running on the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
The following example shows how to configure the system to periodically update the hardware clock from the NTP time source:
Router(config)# ntp update-calendarThe following example shows how to remove all the configured NTP options and disable the ntp server:
Router(config)# no ntpRelated Commands
outbound-proxy
To configure a Session Initiation Protocol (SIP) outbound proxy for outgoing SIP messages globally on a Cisco IOS voice gateway, use the outbound-proxy command in voice service SIP configuration mode. To disable forwarding of SIP messages to a SIP outbound proxy globally, use the no form of this command.
outbound-proxy {dhcp | ipv4:ip-address[:port-number] | dns:host:domain}
no outbound-proxy
Syntax Description
Command Default
The Cisco IOS voice gateway does not forward outbound SIP messages to a proxy.
Command Modes
Voice service SIP configuration (conf-serv-sip)
Command History
Usage Guidelines
You can use the outbound-proxy command in voice service SIP configuration mode to specify outbound proxy settings globally for a Cisco IOS voice gateway. You can also use the voice-class sip outbound-proxy command in dial peer voice configuration mode to configure settings for an individual dial peer that override or defer to the global settings for the gateway. However, if both a Cisco Unified Communications Manager Express (CME) and a SIP gateway are configured on the same router, then there is a scenario that can cause incoming SIP messages from line-side phones to be confused with SIP messages coming from the network side. To avoid failed calls caused by this scenario, disable the SIP outbound proxy setting for all line-side phones on a dial peer using the outbound-proxy system command in voice register global configuration mode.
Examples
The following example shows how to specify the SIP outbound proxy globally for a Cisco IOS voice gateway using an IP address:
Router> enableRouter# configure terminalRouter(config)# voice service voipRouter(conf-voi-serv)# sipRouter(conf-serv-sip)# outbound-proxy ipv4:10.1.1.1The following example shows how to specify the SIP outbound proxy globally for a Cisco IOS voice gateway using a destination hostname and domain:
Router> enableRouter# configure terminalRouter(config)# voice service voipRouter(conf-voi-serv)# sipRouter(conf-serv-sip)# outbound-proxy dns:sipproxy:example.comThe following example shows how to specify the SIP outbound proxy globally for a Cisco IOS voice gateway using the DHCP protocol:
Router> enableRouter# configure terminalRouter(config)# voice service voipRouter(conf-voi-serv)# sipRouter(conf-serv-sip)# outbound-proxy dhcpRelated Commands
passive-interface (IPv6)
To disable sending routing updates on an interface, use the passive-interface command in router configuration mode. To reenable the sending of routing updates, use the no form of this command.
passive-interface [default | interface-type interface-number]
no passive-interface [default | interface-type interface-number]
Syntax Description
default
(Optional) All interfaces become passive.
interface-type interface-number
(Optional) Interface type and number. For more information, use the question mark (?) online help function.
Command Default
No interfaces are passive. Routing updates are sent to all interfaces on which the routing protocol is enabled.
Command Modes
Router configuration
Command History
Usage Guidelines
If you disable the sending of routing updates on an interface, the particular address prefix will continue to be advertised to other interfaces, and updates from other routers on that interface continue to be received and processed.
The default keyword sets all interfaces as passive by default. You can then configure individual interfaces where adjacencies are desired using the no passive-interface command. The default keyword is useful in Internet service provider (ISP) and large enterprise networks where many of the distribution routers have more than 200 interfaces.
OSPF for IPv6 routing information is neither sent nor received through the specified router interface. The specified interface address appears as a stub network in the OSPF for IPv6 domain.
For the Intermediate System-to-Intermediate System (IS-IS) protocol, this command instructs IS-IS to advertise the IP addresses for the specified interface without actually running IS-IS on that interface. The no form of this command for IS-IS disables advertising IP addresses for the specified address.
Examples
The following example sets all interfaces as passive, then activates Ethernet interface 0:
Router(config-router)# passive-interface defaultRouter(config-router)# no passive-interface ethernet0/0password (ca-trustpoint)
To specify the revocation password for the certificate, use the password command in ca-trustpoint configuration mode. To erase any stored passwords, use the no form of this command.
password string
no password
Syntax Description
Defaults
You are prompted for the password during certificate enrollment.
Command Modes
Ca-trustpoint configuration
Command History
12.2(8)T
This command was introduced.
12.4(24)T
Support for IPv6 Secure Neighbor Discovery (SeND) was added.
Usage Guidelines
Before you can issue the password command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.
This command allows you to specify the revocation password for the certificate before actual certificate enrollment begins. The specified password is encrypted when the updated configuration is written to NVRAM by the router.
If this command is enabled, you will not be prompted for a password during certificate enrollment.
Examples
The following example shows how to specify the password "revokeme" for the certificate request:
crypto ca trustpoint trustpoint1enrollment url http://trustpoint1.example.com/subject-name OU=Spiral Dept., O=example1.comip-address ethernet-0auto-enroll regeneratepassword revokemeRelated Commands
peer default ipv6 address pool
To specify the pool from which client prefixes are assigned, use the peer default ipv6 address pool command in interface configuration mode. To disable a prior peer IPv6 address pooling configuration on an interface, or to remove the default address from your configuration, use the no form of this command.
peer default ipv6 address pool pool-name
no peer default ipv6 address pool
Syntax Description
Command Default
The default pool name is pool.
Command Modes
Interface configuration
Command History
Usage Guidelines
This command applies to point-to-point interfaces that support PPP encapsulation. This command sets the address used on the remote (PC) side.
This command allows an administrator to configure all possible address pooling mechanisms on an interface-by-interface basis.
Examples
The following command specifies that this interface will use a local IPv6 address pool named pool3:
peer default ipv6 address pool pool3In the following example, the pool1 pool is assigned to virtual template 1:
interface Virtual-Template1ipv6 enableno ipv6 nd suppress-rapeer default ipv6 address pool pool1ppp authentication chapRelated Commands
permit (IPv6)
To set permit conditions for an IPv6 access list, use the permit command in IPv6 access list configuration mode. To remove the permit conditions, use the no form of this command.
permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
no permit {protocol} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
Internet Control Message Protocol
permit icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name]
Transmission Control Protocol
permit tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [ack] [dest-option-type [doh-number | doh-type]] [dscp value] [established] [fin] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [neq {port | protocol}] [psh] [range {port | protocol}] [reflect name [timeout value]] [routing] [routing-type routing-number] [rst] [sequence value] [syn] [time-range name] [urg]
User Datagram Protocol
permit udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [neq {port | protocol}] [range {port | protocol}] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
Syntax Description
Command Default
No IPv6 access list is defined.
Command Modes
IPv6 access list configuration
Command History
Usage Guidelines
The permit (IPv6) command is similar to the permit (IP) command, except that it is IPv6-specific.
Use the permit (IPv6) command following the ipv6 access-list command to define the conditions under which a packet passes the access list or to define the access list as a reflexive access list.
Specifying IPv6 for the protocol argument matches against the IPv6 header of the packet.
By default, the first statement in an access list is number 10, and the subsequent statements are incremented by 10.
You can add permit, deny, remark, or evaluate statements to an existing access list without retyping the entire list. To add a new statement anywhere other than at the end of the list, create a new statement with an appropriate entry number that falls between two existing entry numbers to indicate where it belongs.
In Cisco IOS Release 12.2(2)T or later releases, 12.0(21)ST, and 12.0(22)S, IPv6 access control lists (ACLs) are defined and their deny and permit conditions are set by using the ipv6 access-list command with the deny and permit keywords in global configuration mode. In Cisco IOS Release 12.0(23)S or later releases, IPv6 ACLs are defined by using the ipv6 access-list command in global configuration mode and their permit and deny conditions are set by using the deny and permit commands in IPv6 access list configuration mode. Refer to the ipv6 access-list command for more information on defining IPv6 ACLs.
Note
The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.Both the source-ipv6-prefix/prefix-length and destination-ipv6-prefix/prefix-length arguments are used for traffic filtering (the source prefix filters traffic based upon the traffic source; the destination prefix filters traffic based upon the traffic destination).
Note
The fragments keyword is an option only if the operator [port-number] arguments are not specified.
The following is a list of ICMP message names:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Defining Reflexive Access Lists
To define an IPv6 reflexive list, a form of session filtering, use the reflect keyword in the permit (IPv6) command. The reflect keyword creates an IPv6 reflexive access list and triggers the creation of entries in the reflexive access list. The reflect keyword must be an entry (condition statement) in an IPv6 access list.
Note
If you are configuring IPv6 reflexive access lists for an external interface, the IPv6 access list should be one that is applied to outbound traffic.
If you are configuring an IPv6 reflexive access list for an internal interface, the IPv6 access list should be one that is applied to inbound traffic.
IPv6 sessions that originate from within your network are initiated with a packet exiting your network. When such a packet is evaluated against the statements in the IPv6 access list, the packet is also evaluated against the IPv6 reflexive permit entry.
As with all IPv6 access list entries, the order of entries is important, because they are evaluated in sequential order. When an IPv6 packet reaches the interface, it will be evaluated sequentially by each entry in the access list until a match occurs.
If the packet matches an entry prior to the reflexive permit entry, the packet will not be evaluated by the reflexive permit entry, and no temporary entry will be created for the reflexive access list (session filtering will not be triggered).
The packet will be evaluated by the reflexive permit entry if no other match occurs first. Then, if the packet matches the protocol specified in the reflexive permit entry, the packet is forwarded and a corresponding temporary entry is created in the reflexive access list (unless the corresponding entry already exists, indicating that the packet belongs to a session in progress). The temporary entry specifies criteria that permit traffic into your network only for the same session.
Characteristics of Reflexive Access List Entries
The permit (IPv6) command with the reflect keyword enables the creation of temporary entries in the same IPv6 reflexive access list that was defined by the permit (IPv6) command. The temporary entries are created when an IPv6 packet exiting your network matches the protocol specified in the permit (IPv6) command. (The packet "triggers" the creation of a temporary entry.) These entries have the following characteristics:
•
•
•
•
•
•
•
•
•
Examples
The following example configures two IPv6 access lists named OUTBOUND and INBOUND and applies both access lists to outbound and inbound traffic on Ethernet interface 0. The first and second permit entries in the OUTBOUND list permit all TCP and UDP packets from network 2001:ODB8:0300:0201::/64 to exit out of Ethernet interface 0. The entries also configure the temporary IPv6 reflexive access list named REFLECTOUT to filter returning (incoming) TCP and UDP packets on Ethernet interface 0. The first deny entry in the OUTBOUND list keeps all packets from the network FEC0:0:0:0201::/64 (packets that have the site-local prefix FEC0:0:0:0201 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0. The third permit entry in the OUTBOUND list permits all ICMP packets to exit out of Ethernet interface 0.
The permit entry in the INBOUND list permits all ICMP packets to enter Ethernet interface 0. The evaluate command in the list applies the temporary IPv6 reflexive access list named REFLECTOUT to inbound TCP and UDP packets on Ethernet interface 0. When outgoing TCP or UDP packets are permitted on Ethernet interface 0 by the OUTBOUND list, the INBOUND list uses the REFLECTOUT list to match (evaluate) the returning (incoming) TCP and UDP packets. Refer to the evaluate command for more information on nesting IPv6 reflexive access lists within IPv6 ACLs.
ipv6 access-list OUTBOUNDpermit tcp 2001:0DB8:0300:0201::/64 any reflect REFLECTOUTpermit udp 2001:0DB8:0300:0201::/64 any reflect REFLECTOUTdeny FEC0:0:0:0201::/64 anypermit icmp any anyipv6 access-list INBOUNDpermit icmp any anyevaluate REFLECTOUTinterface ethernet 0ipv6 traffic-filter OUTBOUND outipv6 traffic-filter INBOUND in
Note
The following example shows how to allow the matching of any UDP traffic. The authentication header may be present.
permit udp any any sequence 10The following example shows how to allow the matching of only TCP traffic if the authentication header is also present.
permit tcp any any auth sequence 20The following example shows how to allow the matching of any IPv6 traffic where the authentication header is present.
permit ahp any any sequence 30Related Commands
ping
To diagnose basic network connectivity on AppleTalk, ATM, Connectionless Network Service (CLNS), DECnet, IP, Novell IPX, or source-route bridging (SRB) networks, use the ping command in user EXEC or privileged EXEC mode.
ping [[protocol [tag] {host-name | system-address}]
Syntax Description
Command Default
This command has no default values.
Command Modes
User EXEC (>)
Privileged EXEC (#)Command History
Usage Guidelines
The ping command sends an echo request packet to an address then waits for a reply. Ping output can help you evaluate path-to-host reliability, delays over the path, and whether the host can be reached or is functioning. For example, the ping clns command sends International Organization for Standardization (ISO) CLNS echo packets to test the reachability of a remote router over a connectionless Open System Interconnection (OSI) network.
If you enter the ping command without any keywords or argument values, an interactive system dialog prompts you for the additional syntax appropriate to the protocol you specify. (See the "Examples" section.)
To exit the interactive ping dialog before responding to all the prompts, type the escape sequence. The default escape sequence is Ctrl-^, X (Simultaneously press and release the Ctrl, Shift, and 6 keys and then press the X key). The escape sequence will vary depending on your line configuration. For example, another commonly used escape sequence is Ctrl-c.
Table 41 describes the test characters sent by the ping facility.
Note
The availability of protocol keywords depends on what protocols are enabled on your system.
Issuing the ping command in user EXEC mode will generally offer fewer syntax options than issuing the ping command in privileged EXEC mode.
Examples
After you enter the ping command in privileged EXEC mode, the system prompts you for a protocol keyword. The default protocol is IP.
If you enter a hostname or address on the same line as the ping command, the default action is taken as appropriate for the protocol type of that name or address.
The following example is sample dialog from the ping command using default values. The specific dialog varies somewhat from protocol to protocol.
Router# ping
