|
|
The Internet Protocol (IP) is a packet-based protocol used to exchange data over computer networks. IP handles addressing, fragmentation, reassembly, and protocol demultiplexing. It is the foundation on which all other Internet protocols, collectively referred to as the Internet Protocol suite, are built. IP is a network-layer protocol that contains addressing information and some control information that allows data packets to be routed.
The Transmission Control Protocol (TCP) is built upon the IP layer. TCP is a connection-oriented protocol that specifies the format of data and acknowledgments used in the transfer of data. TCP also specifies the procedures that the computers use to ensure that the data arrives correctly. TCP allows multiple applications on a system to communicate concurrently because it handles all demultiplexing of the incoming traffic among the application programs.
Use the commands in this chapter to configure and monitor IP networks. For IP protocol configuration information and examples, refer to the "Configuring IP" chapter of the Router Products Configuration Guide.
To restrict incoming and outgoing connections between a particular virtual terminal line (into a Cisco device) and the addresses in an access list, use the access-class line configuration command. To remove access restrictions, use the no form of this command.
access-class access-list-number {in | out}
access-list-number | Number of an access list. This is a decimal number from 1 through 99. |
in | Restricts incoming connections between a particular Cisco device and the addresses in the access list. |
out | Restricts outgoing connections between a particular Cisco device and the addresses in the access list. |
No access lists are defined.
Line configuration
Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them.
To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.
The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:
access-list 12 permit 192.89.55.0 0.0.0.255 line 1 5 access-class 12 in
The following example defines an access list that denies connections to networks other than network 36.0.0.0 on terminal lines 1 through 5:
access-list 10 permit 36.0.0.0 0.255.255.255 line 1 5 access-class 10 out
A dagger (†) indicates that the command is documented in another chapter.
show line †
To define a standard IP access list, use the standard version of the access-list global configuration command. To remove a standard access lists, use the no form of this command.
access-list access-list-number {deny | permit} source [source-wildcard] | Caution Enhancements to this command are backward compatible; migrating from existing releases to Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images. |
access-list-number | Number of an access list. This is a decimal number from 1 through 99. |
deny | Denies access if the conditions are matched. |
permit | Permits access if the conditions are matched. |
source | Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:
|
source-wildcard | (Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:
|
The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.
Global configuration
Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.
You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict the contents of routing updates.
Use the show access-lists EXEC command to display the contents of all access lists.
Use the show ip access-list EXEC command to display the contents of one access list.
The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.5.34.0 0.0.0.255 access-list 1 permit 128.88.0.0 0.0.255.255 access-list 1 permit 36.0.0.0 0.255.255.255 ! (Note: all other access implicitly denied)
To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:
access-list 2 permit 36.48.0.3 access-list 2 permit 36.48.0.3 0.0.0.0
access-class
access-list (extended)
distribute-list in
distribute-list out
ip access-group
priority-list
queue-list
show access-lists
show ip access-list
To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access lists, use the no form of this command.
access-list access-list-number {deny | permit} protocol source source-wildcard destinationFor ICMP, you can also use the following syntax:
access-list access-list-number {deny | permit} icmp source source-wildcard destinationFor IGMP, you can also use the following syntax:
access-list access-list-number {deny | permit} igmp source source-wildcard destinationFor TCP, you can also use the following syntax:
access-list access-list-number {deny | permit} tcp source source-wildcardFor UDP, you can also use the following syntax:
access-list access-list-number {deny | permit} udp source source-wildcard | Caution Enhancements to this command are backward compatible; migrating from existing releases to Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images. |
access-list-number | Number of an access list. This is a decimal number from 100 through 199. |
deny | Denies access if the conditions are matched. |
permit | Permits access if the conditions are matched. |
protocol | Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip. Some protocols allow further qualifiers described below. |
source | Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
|
source-wildcard | Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:
|
destination | Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
|
destination-wildcard | Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
|
precedence precedence | (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines." |
tos tos | (Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines." |
icmp-type | (Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255. |
icmp-code | (Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255. |
icmp-message | (Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines." |
igmp-type | (Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines." |
operator | (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number. |
port | (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names are listed in the section "Usage Guidelines." TCP port names can only be used when filtering TCP. UDP port names are listed in the section "Usage Guidelines." UDP port names can only be used when filtering UDP. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP. |
established | (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection. |
An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.
Global configuration
You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict contents of routing updates. The router stops checking the extended access list after a match occurs.
Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match against the TCP source port, the type of service value, or the packet's precedence.
The following is a list of precedence names:
The following is a list of type of service (tos) names:
The following is a list of ICMP message type names and ICMP message type and code names:
The following is a list of IGMP message names:
The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.
The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.
In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The keyword established is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25 interface serial 0 ip access-group 102 in
The following example also permit DNS packets and ICMP echo and echo reply packets:
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established access-list 102 permit tcp any host 128.88.1.2 eq smtp access-list 102 permit tcp any any eq domain access-list 102 permit udp any any eq domain access-list 102 permit icmp any any echo access-list 102 permit icmp any any echo-reply
access-class
access-list (standard)
distribute-list in
distribute-list out
ip access-group
priority-list
queue-list
show access-lists
show ip access-list
To add a permanent entry in the ARP cache, use the arp global configuration command. To remove an entry from the ARP cache, use the no form of this command.
arp ip-address hardware-address type [alias]
ip-address | IP address in four-part dotted-decimal format corresponding to the local data link address. |
hardware-address | Local data link address (a 48-bit address). |
type | Encapsulation description. For Ethernet interfaces, this is typically the arpa keyword. For FDDI and Token Ring interfaces, this is always snap. |
alias | (Optional) Indicates that the router should respond to ARP requests as if it were the owner of the specified address. |
No entries are permanently installed in the ARP cache.
Global configuration
The router uses ARP cache entries to translate 32-bit Internet Protocol addresses into 48-bit hardware addresses.
Because most hosts support dynamic resolution, you generally do not need to specify static ARP cache entries.
To remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.
The following is an example of a static ARP entry for a typical Ethernet host:
arp 192.31.7.19 0800.0900.1834 arpa
To control the interface-specific handling of IP address resolution into 48-bit Ethernet, FDDI, and Token Ring hardware addresses, use the arp interface configuration command. To disable an encapsulation type, use the no form of this command.
arp {arpa | probe | snap}
arpa | Standard Ethernet-style ARP (RFC 826). |
probe | HP Probe protocol for IEEE-802.3 networks. |
snap | ARP packets conforming to RFC 1042. |
Standard Ethernet-style ARP
Interface configuration
Unlike most commands that take multiple arguments, arguments to the arp command are not mutually exclusive. Each command enables or disables a specific type of ARP. For example, if you enter the arp arpa command followed by the arp probe command, the router would send three (two for probe and one for arpa) packets each time it needed to discover a MAC address.
The arp probe command allows the router to use the Probe protocol (in addition to ARP) whenever it attempts to resolve an IEEE-802.3 or Ethernet local data link address. The subset of Probe that performs address resolution is called Virtual Address Request and Reply. Using Probe, the router can communicate transparently with Hewlett-Packard IEEE-802.3 hosts that use this type of data encapsulation.
The show interfaces EXEC command displays the type of ARP being used on a particular interface. To remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.
The following example enables probe services:
interface ethernet 0
arp probe
clear arp-cache
show interfaces
To configure how long an entry remains in the ARP cache, use the arp timeout interface configuration command. To restore the default value, use the no form of this command.
arp timeout seconds
seconds | Time, in seconds, that an entry remains in the ARP cache. A value of zero means that entries are never cleared from the cache. |
14400 seconds (4 hours)
Interface configuration
This command is ignored when issued on interfaces that do not use ARP. The show interfaces EXEC command displays the ARP timeout value. The value follows the "Entry Timeout:" heading, as seen in this sample show interfaces display:
ARP type: ARPA, PROBE, Entry Timeout: 14400 sec
The following example illustrates how to set the ARP timeout to 12000 seconds to allow entries to time out more quickly than the default:
interface ethernet 0 arp timeout 12000
To delete all dynamic entries from the ARP cache, to clear the fast-switching cache, and to clear the IP route cache, use the clear arp-cache EXEC command.
clear arp-cacheThis command has no arguments or keywords.
EXEC
The following example removes all dynamic entries from the ARP cache and clears the fast-switching cache:
clear arp-cache
To delete entries from the host-name-and-address cache, use the clear host EXEC command.
clear host {name | *}
name | Particular host entry to remove. |
* | Removes all entries. |
EXEC
The host name entries will not be removed from NVRAM, but will be cleared in running memory.
The following example clears all entries from the host name-and-address cache:
clear host *
To clear the active or checkpointed database when IP accounting is enabled, use the clear ip accounting EXEC command.
clear ip accounting [checkpoint]
checkpoint | (Optional) Clears the checkpointed database. |
EXEC
You can also clear the checkpointed database by issuing the clear ip accounting command twice in succession.
The following example clears the active database when IP accounting is enabled:
clear ip accounting
ip accounting
ip accounting-list
ip accounting-threshold
ip accounting-transits
show ip accounting
To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, use the clear ip nhrp EXEC command.
clear ip nhrpThis command has no arguments or keywords.
EXEC
This command does not clear any static (configured) IP-to-NBMA address mappings from the NHRP cache.
In the following example, all dynamic entries are cleared from the NHRP cache for the interface:
clear ip nhrp
show ip nhrp
To delete routes from the IP routing table, use the clear ip route EXEC command.
clear ip route {network [mask] | *}
network | Network or subnet address to remove. |
mask | (Optional) Subnet address to remove. |
* | Removes all routing table entries. |
All entries are removed.
EXEC
The following example removes a route to network 132.5.0.0 from the IP routing table:
clear ip route 132.5.0.0
To have the route processor recompute the SSE program for IP on the Cisco 7000 series, use the clear ip ssel EXEC command.
clear ip sseThis command has no arguments or keywords.
Disabled
Privileged EXEC
The silicon switching engine (SSE) is on the Silicon Switch Processor (SSP) board in the Cisco 7000.
This command also updates the SSE cache for IP.
The following example causes the route processor to recompute the program for IP:
clear ip sse
To reinitialize the route processor on the Cisco 7000 series, use the clear sse EXEC command.
clear sseThis command has no arguments or keywords.
Disabled
EXEC
The silicon switching engine (SSE) is on the Silicon Switch Processor (SSP) board in the
Cisco 7000.
The following example causes the route processor to be reinitialized:
clear sse
count | Number of times DMDP will retransmit a message. It can be a decimal integer from 0 through 200. The default is 4 retries, or until acknowledged. |
Retransmits messages up to 4 times, or until acknowledged
Global configuration
The following example sets the number of times DMDP will attempt to retransmit a message to 150:
dnsix-dmdp retries 150
dnsix-nat authorized-redirection
dnsix-nat primary
dnsix-nat secondary
dnsix-nat source
dnsix-nat transmit-count
ip-address | IP address of the host from which redirection requests are permitted. |
An empty list of addresses
Global configuration
Use multiple dnsix-nat authorized-redirection commands to specify a set of hosts that are authorized to change the destination for audit messages. Redirection requests are checked against the configured list, and if the address is not authorized the request is rejected and an audit message is generated. If no address is specified, no redirection messages are accepted.
The following example specifies that the address of the collection center that is authorized to change the primary and secondary addresses is 193.1.1.1.
dnsix-nat authorization-redirection 193.1.1.1.
ip-address | IP address for the primary collection center. |
Messages are not sent.
Global configuration
An IP address must be configured before audit messages can be sent.
The following example configures an IP address as the address of the host to which DNSIX audit messages are sent:
dnsix-nat primary 194.1.1.1
ip-address | IP address for the secondary collection center. |
No alternate IP address is known.
Global configuration
When the primary collection center is unreachable, audit messages are sent to the secondary collection center instead.
The following example configures an IP address as the address of an alternate host to which DNSIX audit messages are sent:
dnsix-nat secondary 193.1.1.1
ip-address | Source IP address for DNSIX audit messages. |
Disabled
Global configuration
You must issue the dnsix-nat source command before any of the other dnsix-nat commands. The configured IP address is used as the source IP address for DMDP protocol packets sent to any of the collection centers.
The following example enables the audit trail writing module, and specifies that the source IP address for any generated audit messages should be the same as the primary IP address of interface Ethernet 0.
dnsix-nat source 128.105.2.5
interface ethernet 0
ip address 128.105.2.5 255.255.255.0
count | Number of audit messages to buffer before transmitting to the server. Integer from 1 through 200. |
One message is sent at a time.
Global configuration
An audit message is sent as soon as the message is generated by the IP packet-processing code. The audit writing module can, instead, buffer up to several audit messages before transmitting to a collection center.
The following example configures the system to buffer five audit messages before transmitting them to a collection center:
dnsix-nat transmit-count 5
To control access to an interface, use the ip access-group interface configuration command. To remove the specified access group, use the no form of this command.
ip access-group access-list-number {in | out}
access-list-number | Number of an access lists. This is a decimal number from 1 through 199. |
in | Filters on inbound packets. |
out | Filters on outbound packets. |
Entering a keyword is strongly recommended, but if a keyword is not specified, out is the default.
Interface configuration
For inbound access lists, after receiving a packet, the router checks the source address of the packet against the access list. If the access list permits the address, the router continues to process the packet. If the access list rejects the address, the router discards the packet and returns an ICMP Host Unreachable message.
For outbound access lists, after receiving and routing a packet to a controlled interface, the router checks the source address of the packet against the access list. If the access list permits the address, the router transmits the packet. If the access list rejects the address, the router discards the packet and returns an ICMP Host Unreachable message.
Access lists are applied on either outbound or inbound interfaces.
If the specified access list does not exist, all packets are passed.
When you enable outbound access lists, you automatically disable autonomous switching for that interface.When you enable input access lists on any cBus or CxBus interface, you automatically disable autonomous switching for all interfaces (with one exception; an SSE configured with simple access lists can still switch packets, on output only).
The following example applies list 101 on packets outbound from Ethernet 0:
interface ethernet 0 ip access-group 101 out
access-list (extended)
show access-lists
To enable IP accounting on an interface, use the ip accounting interface configuration command. To disable IP accounting, use the no form of this command.
ip accounting [access-violations]
access-violations | (Optional) Enables IP accounting with the ability to identify IP traffic that fails IP access lists. |
Disabled
Interface configuration
IP accounting records the number of bytes (IP header and data) and packets switched through the system on a source and destination IP address basis. Only transit IP traffic is measured and only on an outbound basis; traffic generated by the router or terminating in the router is not included in the accounting statistics.
If you specify the access-violations keyword, this command provides information identifying IP traffic that fails IP access lists. Identifying IP source addresses that violate IP access lists alerts you to possible attempts to breach security. The data might also indicate that you should verify IP access list configurations.
Statistics are accurate even if IP fast switching or IP access lists are being used on the interface.
IP accounting disables autonomous switching and SSE switching on the interface.
The following example enables IP accounting on Ethernet interface 0:
interface ethernet 0 ip accounting
clear ip accounting
ip accounting-list
ip accounting-threshold
ip accounting-transits
show ip accounting
To define filters to control the hosts for which IP accounting information is kept, use the ip accounting-list global configuration command. To remove a filter definition, use the no form of this command.
ip accounting-list ip-address wildcard
ip-address | IP address in dotted-decimal format. |
wildcard | Wildcard bits to be applied to ip-address. |
No filters are defined.
Global configuration
The source and destination address of each IP datagram is logically ANDed with ones-complement of the wildcard and compared with the ip-address. If there is a match, the information about the IP datagram will be entered into the accounting database. If there is no match, the IP datagram is considered a transit datagram and will be counted according to the setting of the ip accounting-transits global configuration command.
The following example adds all hosts with IP addresses beginning with 192.31 to the list of hosts for which accounting information will be kept:
ip accounting-list 192.31.0.0 0.0.0.255
clear ip accounting
ip accounting
ip accounting-threshold
ip accounting-transits
show ip accounting
To set the maximum number of accounting entries to be created, use the ip accounting-threshold global configuration command. To restore the default number of entries, use the no form of this command.
ip accounting-threshold threshold
threshold | Maximum number of entries (source and destination address pairs) that the router accumulates. |
512 entries
Global configuration
The accounting threshold defines the maximum number of entries (source and destination address pairs) that the router accumulates, preventing IP accounting from possibly consuming all available free memory. This level of memory consumption could occur in a router that is switching traffic for many hosts. Overflows will be recorded; see the monitoring commands for display formats.
The default accounting threshold of 512 entries results in a maximumn table size of 12928 bytes. Active and checkpointed tables can reach this size independently.
The following example sets the IP accounting threshold to only 500 entries:
ip accounting-threshold 500
clear ip accounting
ip accounting
ip accounting-list
ip accounting-transits
show ip accounting
To control the number of transit records that are stored in the IP accounting database, use the ip accounting-transits global configuration command. To return to the default number of records, use the no form of this command.
ip accounting-transits count
count | Number of transit records to store in the IP accounting database. |
0
Global configuration
Transit entries are those that do not match any of the filters specified by ip accounting-list global configuration commands. If no filters are defined, no transit entries are possible.
To maintain accurate accounting totals, the router software maintains two accounting databases: an active and a checkpointed database.
The following example specifies that no more than 100 transit records are stored:
ip accounting-transit 100
clear ip accounting
ip accounting
ip accounting-list
ip accounting-threshold
show ip accounting
To set an IP address for an interface, use the ip address interface configuration command. To remove an IP address, use the no form of this command.
ip address ip-address mask
ip-address | IP address. |
mask | Mask for the associated IP subnet. |
No IP address is defined for an interface.
Interface configuration
Hosts can determine subnet masks using the Internet Control Message Protocol (ICMP) Mask Request message. Routers respond to this request with an ICMP Mask Reply message.
You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the router detects another host using one of its IP addresses, it will print an error message on the console.
In the following example, 131.108.1.27 is the primary address for Ethernet 0:
interface ethernet 0 ip address 131.108.1.27 255.255.255.0
To set multiple IP addresses for an interface, use the ip address secondary interface configuration command. To remove an address, use the no form of this command.
ip address ip-address mask secondary
ip-address | IP address. |
mask | Mask for the associated IP subnet. |
No secondary IP addresses are defined.
Interface configuration
Hosts can determine subnet masks using the Internet Control Message Protocol (ICMP) Mask Request message. Routers respond to this request with an ICMP Mask Reply message.
Packets generated by the router always use the primary interface IP address. Therefore, all routers on a segment should share the same primary network number.
In the following example, 131.108.1.27 is the primary address and 192.31.7.17 and 192.31.8.17 are secondary addresses for Ethernet 0:
interface ethernet 0 ip address 131.108.1.27 255.255.255.0 ip address 192.31.7.17 255.255.255.0 secondary ip address 192.31.8.17 255.255.255.0 secondary
To define a broadcast address for an interface, use the ip broadcast-address interface configuration command. To restored the default IP broadcast address, use the no form of this command.
ip broadcast-address [ip-address]
ip-address | (Optional) IP broadcast address for a network. |
Default address: 255.255.255.255 (all ones)
Interface configuration
The following example specifies an IP broadcast address of 0.0.0.0:
ip broadcast-address 0.0.0.0
To control the invalidation rate of the IP route cache, use the ip cache-invalidate-delay global configuration command. To allow the IP route cache to be immediately invalidated, use the no form of this command.
ip cache-invalidate-delay [minimum maximum quiet threshold]
minimum | (Optional) Minimum time, in seconds, between invalidation request and actual invalidation. The default is 2 seconds. |
maximum | (Optional) Maximum time, in seconds, between invalidation request and actual invalidation. The default is 5 seconds. |
quiet | (Optional) Length of quiet period, in seconds, before invalidation. |
threshold | (Optional) Maximum number of invalidation requests considered to be quiet. |
minimum = 2 seconds
maximum = 5 seconds, and 3 seconds with no more than zero invalidation requests
Global configuration
All cache invalidation requests are honored immediately.
This command should typically not be used except under the guidance of technical support personnel. Incorrect settings can seriously degrade network performance.
The IP fast switching and autonomous switching features maintain a cache of IP routes for rapid access. When a packet is to be forwarded and the corresponding route is not present in the cache, the packet is process-switched and a new cache entry is built. However, when routing table changes occur (such as when a link or an interface goes down), the route cache must be flushed so that it can be rebuilt with up-to-date routing information.
This command controls how the route cache is flushed. The intent is to delay invalidation of the cache until after routing has settled down, since there tend to be many route table changes clustered in a short period of time, and the cache may be flushed repeatedly, which may put a high CPU load on the router.
When this feature is enabled, and the system requests that the route cache be flushed, the request is held for at least minimum seconds. Then the system determines whether the cache has been "quiet," that is, less than threshold invalidation requests in the last quiet seconds. If the cache has been quiet, the cache is then flushed. If the cache does not become quiet within maximum seconds after the first request, it is flushed unconditionally.
Manipulation of these parameters trades off CPU utilization versus route convergence time. Note that this does not affect the timing of the routing protocols, but only of the removal of stale cache entries.
The following example sets a minimum delay of 5 seconds, a maximum delay of 30 seconds, and a quiet threshold of no more than 5 invalidation requests in the previous 10 seconds:
ip cache-invalidate-delay 5 30 10 5
At times the router might receive packets destined for a subnet of a network that has no network default route. To have the router forward such packets to the best supernet route possible, use the ip classless global configuration command. To disable this feature, use the no form of this command.
ip classlessThis command has no arguments or keywords.
Disabled
Global configuration
This command allows the router to forward packets that are destined for unrecognized subnets of directly connected networks. By default, when a router receives packets for a subnet that numerically falls within its subnetwork addressing scheme, if there is no such subnet number in the routing table and there is no network default route, the router discards the packets. However, when the ip classless command is enabled, the router instead forwards those packets to the best supernet route.
The following example configures the router to forward packets destined for an unrecognized subnet to the best supernet possible:
ip classless
To define a default gateway (router) when IP routing is disabled, use the ip default-gateway global configuration command. To disable this function, use the no form of this command.
ip default-gateway ip-address
ip-address | IP address of the router. |
Disabled
Global configuration
The router sends any packets that need the assistance of a gateway to the address you specify. If another gateway has a better route to the requested host, the default gateway sends an ICMP redirect message to the router. The ICMP redirect message indicates which local router the router should use.
The following example defines the router on IP address 192.31.7.18 as the default router:
ip default-gateway 192.31.7.18
To enable the translation of directed broadcast to physical broadcasts, use the ip directed-broadcast interface configuration command. To disable this function, use the no form of this command.
ip directed-broadcast [access-list-number]
access-list-number | (Optional) Number of the access list. If specified, a broadcast must pass the access list to be forwarded. If not specified, all broadcasts are forwarded. |
Enabled, with no list specified
Interface configuration
This feature is enabled only for those protocols configured using the ip forward-protocol global configuration command. An access list may be specified to control which broadcasts are forwarded. When an access list is specified, only those IP packets permitted by the access list are eligible to be translated from directed broadcasts to physical broadcasts.
The following example enables forwarding of IP directed broadcasts on interface Ethernet 0:
interface ethernet 0 ip directed-broadcast
To define a list of default domain names to complete unqualified host names (in this command, names that do not end with a dot), use the ip domain-list global configuration command. To delete a name from a list, use the no form of this command.
ip domain-list name
name | Domain name. Do not include the initial period that separates an unqualified name from the domain name. |
No domain names are defined.
Global configuration
If there is no domain list, the domain name that you specified with the ip domain-name global configuration command is used. If there is a domain list, the default domain name is not used. The ip domain-list command is similar to the ip domain-name command, except that with ip domain-list you can define a list of domains, each to be tried in turn.
The ip domain-list command considers a name to be fully qualified only if that name ends in a dot. Significantly, the ip domain name command considers a name to be fully qualified if it contains a dot anywhere in the name.
The following example adds several domain names to a list:
ip domain-list martinez.com ip domain-list stanford.edu
The following example adds a name to and then deletes a name from the list:
ip domain-list sunya.edu no ip domain-list stanford.edu
ip domain-name
No domain names are defined.
Global configuration
If there is no domain list, the domain name that you specified with the ip domain-name global configuration command is used. If there is a domain list, the default domain name is not used. The ip domain-list command is similar to the ip domain-name command, except that with ip domain-list you can define a list of domains, each to be tried in turn.
The ip domain-list command considers a name to be fully qualified only if that name ends in a dot. Significantly, the ip domain name command considers a name to be fully qualified if it contains a dot anywhere in the name.
The following example adds several domain names to a list:
ip domain-list martinez.com ip domain-list stanford.edu
The following example adds a name to and then deletes a name from the list:
ip domain-list sunya.edu no ip domain-list stanford.edu
ip domain-name
To enable the IP Domain Name System-based host name-to-address translation, use the ip domain-lookup global configuration command. To disable the Domain Name System, use the no form of this command.
ip domain-lookupThis command has no arguments or keywords.
Enabled
Global configuration
The following example enables the IP Domain Name System-based host name-to-address translation:
ip domain-lookup
ip domain-lookup nsap
ip domain-name
ip name-server
To allow Domain Name System (DNS) queries for CLNS addresses, use the ip domain-lookup nsap global configuration command. To disable this feature, use the no form of this command.
ip domain-lookup nsapThis command has no arguments or keywords.
Enabled
Global configuration
With both IP and ISO CLNS enabled on a router, this feature allows the router to dynamically determine a CLNS address given a host name. This feature is useful for the ISO CLNS ping EXEC command and when making CLNS Telnet connections.
The following example disables DNS queries of CLNS addresses:
no ip domain-lookup nsap
A dagger (†) indicates that the command is documented in another chapter.
ip domain-lookup
ping (for ISO CLNS) †
To define a default domain name that the Cisco IOS software uses to complete unqualified host names (in this command, names without dots in the name), use the ip domain-name global configuration command. To disable, use the no form of this command.
ip domain-name name
name | Default domain name used to complete unqualified host names. Do not include the initial period that separates an unqualified name from the domain name. |
No domain name is defined.
Global configuration
Any IP host name with an unqualified domain name (any name without a dot), will have the dot and the defined name appended to it before being added to the host table. Any IP host name that ends in a dot will not have the dot and the defined name appended to it, because the system considers any name containing a dot to be a fully-qualified domain name.
The ip domain name command considers a name to be fully-qualified if it contains a dot anywhere in the name. Significantly, the ip domain-list command considers a name to be fully qualified only if that name ends in a dot.
Examples
The following example defines cisco.com as the default domain name:
ip domain-name cisco.com
The following example would not append the default domain name to the entered name before querying the DNS server because the name appears to be a fully-qualified domain name.
router>ping sales.marketing
ip domain-list
ip domain-lookup
ip name-server
To specify which protocols and ports the router forwards when forwarding broadcast packets, use the ip forward-protocol global configuration command. To remove a protocol or port, use the no form of this command.
ip forward-protocol {udp [port] | nd | sdns}
udp | Forward User Datagram Protocol (UDP) datagrams. See the "Default" section below for a list of port numbers forwarded by default. |
port | (Optional) Destination port that controls which UDP services are forwarded. |
nd | Forward Network Disk (ND) datagrams. This protocol is used by older diskless SUN workstations. |
sdns | Secure Data Network Service. |
If an IP helper address is defined, UDP forwarding is enabled on default ports. If UDP flooding is configured, UDP flooding is enabled on the default ports.
If a helper address is specified and UDP forwarding is enabled, broadcast packets destined to the following port numbers are forwarded by default:
Global configuration
Enabling a helper address or UDP flooding on an interface causes the router to forward particular broadcast packets. You can use the ip forward-protocol command to specify exactly which types of broadcast packets you would like to have forwarded. A number of commonly forwarded applications are enabled by default. Enabling forwarding for some ports (for example, RIP) may be hazardous to your network.
If you use the ip forward-protocol command, specifying just UDP, without the port, enables forwarding and flooding on the default ports.
One common application that requires helper addresses is Dynamic Host Configuration Protocol (DHCP). DHCP is defined in RFC 1531. DHCP protocol information is carried inside of BOOTP packets. To enable BOOTP broadcast forwarding for a set of clients, configure a helper address on the router interface closest to the client. The helper address should specify the address of the DHCP server. If you have multiple servers, you can configure one helper address for each server. Since BOOTP packets are forwarded by default, DHCP information can now be forwarded by the router. The DHCP server now receives broadcasts from the DHCP clients.
The following example uses the ip forward-protocol command to specify forwarding of UDP port 3001 in addition to the default ports, and then defines a helper address:
ip forward-protocol udp 3001 ! interface ethernet 1 ip helper-address 131.120.1.0
ip directed-broadcast
ip forward-protocol spanning-tree
ip forward-protocol turbo-flood
ip helper-address
To forward any broadcasts including local subnet broadcasts, use the ip forward-protocol any-local-broadcast global configuration command. To disable this type of forwarding, use the no form of this command.
ip forward-protocol any-local-broadcastThis command has no arguments or keywords.
Disabled
Global configuration
The ip forward-protocol any-local-broadcast command forwards packets similarly to how theip forward-protocol spanning-tree command does. That is, it forwards packets whose contents are all ones (255.255.255.255), all zeros (0.0.0.0), and, if subnetting is enabled, all networks (131.108.255.255 as an example in the network number 131.108.0.0. This mechanism also forwards packets whose contents are the zeros version of the all-networks broadcast when subnetting is enabled (for example, 131.108.0.0). In addition, it forwards any local subnet broadcast packets.
Assume a router is directly connected to subnet 1 of network 131.108.0.0 and that the netmask is 255.255.255.0. The following command enables the forwarding of IP broadcasts destined to 131.108.1.255 and 131.108.1.0 in addition to the broadcast addresses mentioned in the "Usage Guidelines" section:
ip forward-protocol any-local-broadcast
ip forward-protocol spanning-tree
To permit IP broadcasts to be flooded throughout the internetwork in a controlled fashion, use the ip forward-protocol spanning-tree global configuration command. To disable the flooding of IP broadcasts, use the no form of this command.
ip forward-protocol spanning-treeThis command has no arguments or keywords.
Disabled
Global configuration
Packets must meet the following criteria to be considered for flooding:
A flooded UDP datagram is given the destination address specified by the ip broadcast-address interface configuration command on the output interface. The destination address can be set to any desired address. Thus, the destination address may change as the datagram propagates through the network. The source address is never changed. The TTL value is decremented.
After a decision has been made to send the datagram out on an interface (and the destination address possibly changed), the datagram is handed to the normal IP output routines and is therefore subject to access lists, if they are present on the output interface.
The ip forward-protocol spanning-tree command uses the database created by the bridging spanning-tree protocol. Therefore, the transparent bridging option must be in the routing software, and bridging must be configured on each interface that is to participate in the flooding in order to support this capability.
If an interface does not have bridging configured, it still will be able to receive broadcasts, but it will never forward broadcasts received on that interface, and it will never use that interface to send broadcasts received on a different interface.
If no actual bridging is desired, you can configure a type-code bridging filter that will deny all packet types from being bridged. Refer to the Transparent Bridging chapter in the Router Products Configuration Guide for more information about using access lists to filter bridged traffic. The spanning-tree database is still available to the IP forwarding code to use for the flooding.
The spanning-tree-based flooding mechanism fowards packets whose contents are all ones (255.255.255.255), all zeros (0.0.0.0), and, if subnetting is enabled, all networks (131.108.255.255 as an example in the network number 131.108.0.0. This mechanism also forward packets whose contents are the zeros version of the all-networks braodcast when subnetting is enabled (for example, 131.108.0.0).
This command is an extension of the ip helper-address interface configuration command, in that the same packets that may be subject to the helper address and forwarded to a single network can now be flooded. Only one copy of the packet will be put on each network segment.
The following example permits IP broadcasts to be flooded through the internetwork in a controlled fashion:
ip forward-protocol spanning-tree
ip broadcast-address
ip helper-address
ip forward-protocol
ip forward-protocol turbo-flood
To speed up flooding of User Datagram Protocol (UDP) datagrams using the spanning-tree algorithm, use the ip forward-protocol turbo-flood global configuration command. To disable this feature, use the no form of this command.
ip forward-protocol turbo-floodThis command has no arguments or keywords.
Disabled
Global configuration
Used in conjunction with the ip forward-protocol spanning-tree global configuration command, this feature is supported over ARPA-encapsulated Ethernets, FDDI, and HDLC-encapsulated serials, but is not supported on Token Rings. As long as the Token Rings and the non-HDLC serials are not part of the bridge group being used for UDP flooding, turbo flooding will behave normally.
The following is an example of a two-port router (2E) using this feature:
ip forward-protocol turbo-flood ip forward-protocol spanning-tree ! interface ethernet 0 ip address 128.9.1.1 bridge-group 1 ! interface ethernet 1 ip address 128.9.1.2 bridge-group 1 ! ! bridge 1 protocol dec
ip forward-protocol
ip forward-protocol spanning-tree
To configure the router discovery feature using the Cisco Gateway Discovery Protocol (GDP) routing protocol, use the ip gdp gdp interface configuration command. To disable this feature, use the no form of this command.
ip gdp gdpThis command has no arguments or keywords.
Disabled
Interface configuration
IP routing must be disabled before you can configure this feature.
The following example configures router discovery using GDP on Ethernet interface 0:
interface ethernet 0 ip gdp gdp
To configure the router discovery feature using the Cisco Interior Gateway Routing Protocol (IGRP), use the ip gdp igrp interface configuration command. To disable this feature, use the no form of this command.
ip gdp igrpThis command has no arguments or keywords.
Disabled
Interface configuration
IP routing must be disabled before you can configure this feature.
The following example configures router discovery using IGRP on Ethernet interface 1:
interface ethernet 1 ip gdp igrp
To configure the router discovery feature using the ICMP Router Discovery Protocol (IRDP), use the ip gdp irdp interface configuration command. To disable this feature, use the no form of this command.
ip gdp irdpThis command has no arguments or keywords.
Disabled
Interface configuration
IP routing must be disabled before you can configure this feature.
The following example configures router discovery using IRDP on Ethernet interface 0:
interface ethernet 0 ip gdp irdp
To configure the router discovery feature using the Routing Information Protocol (RIP), use the ip gdp rip interface configuration command. To disable this feature, use the no form of this command.
ip gdp ripThis command has no arguments or keywords.
Disabled
Interface configuration
IP routing must be disabled before you can configure this feature.
The following example configures router discovery using RIP on Ethernet interface 1:
interface ethernet 1 ip gdp rip
To have the router forward User Datagram Protocol (UDP) broadcasts, including BOOTP, received on an interface, use the ip helper-address interface configuration command. To disable the forwarding of broadcast packets to specific addresses, use the no form of this command.
ip helper-address address
address | Destination broadcast or host address to be used when forwarding UDP broadcasts. You can have more than one helper address per interface. |
Disabled
Interface configuration
Combined with the ip forward-protocol global configuration command, the ip helper-address command allows you to control which broadcast packets and which protocols are forwarded.
One common application that requires helper addresses is Dynamic Host Configuration Protocol (DHCP). DHCP is defined in RFC 1531. DHCP protocol information is carried inside of BOOTP packets. To enable BOOTP broadcast forwarding for a set of clients, configure a helper address on the router interface closest to the client. The helper address should specify the address of the DHCP server. If you have multiple servers, you can configure one helper address for each server. Since BOOTP packets are forwarded by default, DHCP information can now be forwarded by the router. The DHCP server now receives broadcasts from the DHCP clients.
The following example defines an address that acts as a helper address:
interface ethernet 1 ip helper-address 121.24.43.2
To define a static host name-to-address mapping in the host cache, use the ip host global configuration command. To remove the name-to-address mapping, use the no form of this command.
ip host name [tcp-port-number] address1 [address2...address8]
name | Name of the host. The first character can be either a letter or a number, but if you use a number, the operations you can perform are limited. |
tcp-port-number | (Optional) TCP port number to connect to when using the defined host name in conjunction with an EXEC connect or telnet command. The default is Telnet (port 23). |
address1 | Associated IP address. |
address2...address8 | (Optional) Additional associated IP address. You can bind up to eight addresses to a host name. |
Disabled
Global configuration
The first character can be either a letter or a number, but if you use a number, the operations you can perform (such as ping) are limited.
The following example uses the ip host command to define two static mappings:
ip host croff 192.31.7.18 ip host bisso-gw 10.2.0.2 192.31.7.33
To enter into the host table the host name of an HP host to be used for HP Probe Proxy service, use the ip hp-host global configuration command. To remove a host name, use the no form of this command.
ip hp-host hostname ip-address
hostname | Name of the host. |
ip-address | IP address of the host. |
No host names are defined.
Global configuration
To use the HP Proxy service, you must first enter the host name of the HP host into the host table using this command.
The following example specifies an HP host's name and address, and then enables Probe Proxy:
ip hp-host BCWjo 131.108.1.27 interface ethernet 0 ip probe proxy
To have the router to respond to Internet Control Message Protocol (ICMP) mask requests by sending ICMP Mask Reply messages, use the ip mask-reply interface configuration command. To disable this function, use the no form of this command.
ip mask-replyThis command has no arguments or keywords.
Disabled
Interface configuration
The following example enables the sending of ICMP Mask Reply messages on interface Ethernet 0:
interface ethernet 0 ip address 131.108.1.0 255.255.255.0 ip mask-reply
To enable local-area mobility, use the ip mobile arp interface configuration command. To disable local-area mobility, use the no form of this command.
ip mobile arp [timers keepalive hold-time] [access-group access-list-number]
timers | (Optional) Indicates that you are setting local-area mobility timers. |
keepalive | (Optional) Frequency, in seconds, at which the router sends unicast ARP messages to a relocated host to verify that the host is present and has not moved. The default keepalive time is 300 seconds (5 minutes). |
hold-time | (Optional) Hold time, in seconds. This is the length of time the router considers that a relocated host is present without receiving some type of ARP broadast or unicast from the host. Normally, the hold time should be at least three times greater than the keepalive time. The default hold time is 900 seconds (15 minutes). |
access-group | (Optional) Indicates that you are applying an access list. This access list applies only to local-area mobility. |
access-list-number | (Optional) Number of a standard IP access list. It is a decimal number from 1 to 99. Only hosts with addresses permitted by this access list are accepted for local-area mobility. |
Local-area mobility is disabled.
If you enable local-area mobility:
keepalive: 300 seconds (5 minutes)
hold-time: 900 seconds (15 minutes)
Interface configuration
Local-area mobility is supported on Ethernet, Token Ring, and FDDI interfaces only.
To create larger mobility areas, you must first redistribute the mobile routes into your IGP. The IGP must support host routes. You can use Enhanced IGRP, OSPF, or ISIS; you can also use RIP, but this is not recommended. The mobile area must consist of a contiguous set of subnets.
Using an access list to control the list of possible mobile nodes is strongly encouraged. Without an access list, misconfigured hosts can be taken for mobile nodes and disrupt normal operations.
The following example configures local-area mobility on Ethernet interface 0:
bridge 1 protocol ieee access-list 10 permit 198.92.37.114 interface ethernet 0 ip mobile arp access-group 10 bridge-group 1
A dagger (†) indicates that the command is documented in another chapter.
access-list (standard)
bridge-group †
bridge protocol †
default-metric (BGP, EGP, OSPF, and RIP) †
network †
redistribute †
router eigrp †
router isis †
router ospf †
To set the maximum transmission unit (MTU) size of IP packets sent on an interface, use the ip mtu interface configuration command. To restore the default MTU size, use the no form of this command.
ip mtu bytes
bytes | MTU in bytes. |
Minimum is 128 bytes; maximum depends on interface medium.
Interface configuration
If an IP packet exceeds the MTU set for the router's interface, the router will fragment it.
All devices on a physical medium must have the same protocol MTU in order to operate.
The following example sets the maximum IP packet size for the first serial interface to 300 bytes:
interface serial 0 ip mtu 300
A dagger (†) indicates that the command is documented in another chapter.
mtu †
To specify the address of one or more name servers to use for name and address resolution, use the ip name-server global configuration command. To remove the addresses specified, use the no form of this command.
ip name-server server-address1 [[server-address2]... server-address6]
server-address1 | IP addresses of name server. |
server-address2...server-address6 | (Optional) IP addresses of additional name servers (a maximum of six name servers). |
No name server addresses are specified.
Global configuration
The following example specifies host 131.108.1.111 as the primary name server and host 131.108.1.2 as the secondary server:
ip name-server 131.108.1.111 131.108.1.2
This command will be reflected in the configuration file as follows:
ip name-server 131.108.1.111 ip name-server 131.108.1.2
ip domain-lookup
ip domain-name
To specify the format in which netmasks are displayed in show command output, use the ip netmask-format line configuration command. To restore the default display format, use the no form of this command.
ip netmask-format {bitcount | decimal | hexadecimal}
bitcount | Addresses are followed by a slash and the total number of bits in the netmask. For example, 131.108.11.0/24 indicates that the netmask is 24 bits. |
decimal | Network masks are displayed in dotted decimal notation (for example, 255.255.255.0). |
hexadecimal | Network masks are displayed in hexadecimal format, as indicated by the leading 0X (for example, 0XFFFFFF00). |
Netmasks are displayed in dotted decimal format.
Line configuration
IP uses a 32-bit mask that indicates which address bits belong to the network and subnetwork fields and which bits belong to the host field. This is called a netmask. By default, show commands display an IP address and then its netmask in dotted decimal notation. For example, a subnet would be displayed as 131.108.11.0 255.255.255.0.
However, you can specify that the display of the network mask appear in hexadecimal format or bit count format instead. The hexadecimal format is commonly used on UNIX systems. The above example would be displayed as 131.108.11.0 0XFFFFFF00.
The bitcount format for displaying network masks is to append a slash (/) and the total number of bits in the netmask to the address itself. The above example would be displayed as 131.108.11.0/24.
The following example configures network masks for the specified line to be displayed in bitcount notation in the output of show commands:
line vty 0 4 ip netmask-format bitcount
To configure the authentication string for an interface using Next Hop Resolution Protocol (NHRP), use the ip nhrp authentication interface configuration command. To remove the authentication string, use the no form of this command.
ip nhrp authentication string
string | Authentication string configured for the source and destination stations that controls whether NHRP stations allow intercommunication. The string can be up to 8 characters long. |
No authentication string is configured; the router adds no authentication option to NHRP packets it generates.
Interface configuration
All routers configured with NHRP on a fabric (for an interface) must share the same authentication string.
In the following example, the authentication string specialxx must be configured in all routers using NHRP on the interface before NHRP communication occurs:
ip nhrp authentication specialxx
To change the number of seconds that NHRP nonbroadcast, multiaccess (NBMA) addresses are advertised as valid in authoritative NHRP responses, use the ip nhrp holdtime interface configuration command. To restore the default value, use the no form of this command.
ip nhrp holdtime seconds-positive [seconds-negative]
seconds-positive | Time in seconds that NBMA addresses are advertised as valid in positive authoritative NHRP responses. |
seconds-negative | (Optional) Time in seconds that NBMA addresses are advertised as valid in negative authoritative NHRP responses. |
7200 seconds (2 hours) for both arguments
Interface configuration
The ip nhrp holdtime command affects authoritative responses only. The advertised holding time is the length of time the router tells other routers to keep information that it is providing in authoritative NHRP responses. The cached IP-to-NBMA address mapping entries are discarded after the holding time expires.
The NHRP cache can contain static and dynamic entries. The static entries never expire. Dynamic entries expire regardless of whether they are authoritative or nonauthoritative.
If you want to change the valid time period for negative NHRP responses, you must also include a value for positive NHRP responses, as the arguments are position dependent.
In the following example, NHRP NBMA addresses are advertised as valid in positive authoritative NHRP responses for one hour:
ip nhrp holdtime 3600
In the following example, NHRP NBMA addresses are advertised as valid in negative authoritative NHRP responses for one hour and in positive authoritative NHRP responses for two hours:
ip nhrp holdtime 7200 3600
To control which IP packets can trigger sending a Next Hop Resolution Protocol (NHRP) Request, use the ip nhrp interest interface configuration command. To restore the default value, use the no form of this command.
ip nhrp interest access-list-number
access-list-number | Standard or extended IP access list number in the range 1 through 199. |
All non-NHRP packets can trigger NHRP requests.
Interface configuration
Use this command with the access-list command to control which IP packets trigger NHRP Requests.
In the following example, any TCP traffic can cause NHRP Requests to be sent, but no other IP packets will cause NHRP Requests:
ip nhrp interest 101 access-list 101 permit tcp any any
access-list (standard)
access-list (extended)
To statically configure the IP-to-NBMA address mapping of IP destinations connected to a nonbroadcast, multiaccess (NBMA) network, use the ip nhrp map interface configuration command. To remove the static entry from NHRP cache, use the no form of this command.
ip nhrp map ip-address nbma-address
ip-address | IP address of the destinations reachable through the NBMA network. This address is mapped to the NBMA address. |
nbma-address | Nonbroadcast, multiaccess (NBMA) address which is directly reachable through the NBMA network. The address format varies depending on the medium you are using. For example, ATM has an NSAP address, Ethernet has a MAC address, and SMDS has an E.164 address. This address is mapped to the IP address. |
No static IP-to-NBMA cache entries exist.
Interface configuration
You will probably have to configure at least one static mapping in order to reach the Next Hop Server. Repeat this command to statically configure multiple IP-to-NBMA address mappings.
In the following example, this station in a multipoint tunnel network is statically configured to be served by two Next Hop Servers 100.0.0.1 and 100.0.1.3. The NBMA address for 100.0.0.1 is statically configured to be 11.0.0.1 and the NBMA address for 100.0.1.3 is 12.2.7.8.
interface tunnel 0 ip nhrp nhs 100.0.0.1 ip nhrp nhs 100.0.1.3 ip nhrp map 100.0.0.1 11.0.0.1 ip nhrp map 100.0.1.3 12.2.7.8
To configure NBMA addresses used as destinations for broadcast or multicast packets to be sent over a tunnel network, use the ip nhrp map multicast interface configuration command. To remove the destinations, use the no form of this command.
ip nhrp map multicast nbma-address
nbma-address | Nonbroadcast, multiaccess (NBMA) address which is directly reachable through the NBMA network. The address format varies depending on the medium you are using. |
No NBMA addresses are configured as destinations for broadcast or multicast packets.
Interface configuration
This command applies to tunnel interfaces only.
This command is useful for supporting broadcasts over a tunnel network when the underlying network does not support IP multicast. If the underlying network does support IP multicast, you should use the tunnel destination command to configure a multicast destination for transmission of tunnel broadcasts or multicasts.
When multiple NBMA addresses are configured, the system replicates the broadcast packet for each address.
In the following example, if a packet is sent to 10.255.255.255, it is replicated to destinations 11.0.0.1 and 11.0.0.2. Addresses 11.0.0.1 and 11.0.0.2 are the IP addresses of two other routers that are part of the tunnel network, but those addresses are their addresses in the underlying network, not the tunnel network. They would have tunnel addresses that are in network 10.0.0.0.
interface tunnel 0 ip address 10.0.0.3 255.0.0.0 ip nhrp map multicast 11.0.0.1 ip nhrp map multicast 11.0.0.2
To enable the Next Hop Resolution Protocol (NHRP) on an interface, use the ip nhrp network-id interface configuration command. To disable NHRP on the interface, use the no form of this command.
ip nhrp network-id number
number | Globally-unique, 32-bit network identifier for a nonbroadcast, multiaccess (NBMA) network. The range is 1 to 4294967295. |