IP Routing Protocol-Independent Commands: A through R

accept-ao-mismatch

Accepts segments even if there is a TCP-AO mismatch. For example, a connection is still established in the following scenarios:

  • The key-string or cryptographic algorithm do not match.

  • The client is using a TCP-AO key, but the server is not using a TCP-AO key.

accept-ao-mismatch

Command Default

By default this option is disabled.

Command Modes

Key chain key configuration (config-keychain-key)

Command History

Release    Modification
16.12.1    This command was introduced.

Usage Guidelines

You must configure a key chain with keys to enable authentication.

Although you can identify multiple key chains, we recommend using one key chain per interface per routing protocol. Upon specifying the key chain command, you enter key chain configuration mode.

Examples

The following example configures a simple key chain for a TCP-AO enabled connection.

Router(config)# key chain kc1 tcp
Router(config-keychain)# key 7890
Router(config-keychain-key)# send-id 215
Router(config-keychain-key)# recv-id 215
Router(config-keychain-key)# key-string klomn
Router(config-keychain-key)# accept-ao-mismatch

accept-lifetime

To set the time period during which the authentication key on a key chain is received as valid, use the accept-lifetime command in key chain key configuration mode. To revert to the default value, use the no form of this command.

accept-lifetime start-time {infinite | end-time | duration seconds}

no accept-lifetime [start-time {infinite | end-time | duration seconds}]

Syntax Description

start-time

Beginning time that the key specified by the key command is valid to be received. The syntax can be either of the following:

hh:mm:ss Month date year

hh:mm:ss date Month year

  • hh -- hours

  • mm -- minutes

  • ss -- seconds

  • Month -- first three letters of the month

  • date -- date (1-31)

  • year -- year (four digits)

The default start time and the earliest acceptable date is January 1, 1993.

infinite

Key is valid to be received from the start-time value on.

end-time

Key is valid to be received from the start-time value until the end-time value. The syntax is the same as that for the start-time value. The end-time value must be after the start-time value. The default end time is an infinite time period.

duration seconds

Length of time (in seconds) that the key is valid to be received. The range is from 1 to 2147483646.

Command Default

The authentication key on a key chain is received as valid forever (the starting time is January 1, 1993, and the ending time is infinite).

Command Modes

Key chain key configuration (config-keychain-key)

Command History

Release        Modification
11.1           This command was introduced.
12.4(6)T       Support for IPv6 was added.
12.2(33)SRA    This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2SX         This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains.

Specify a start-time value and one of the following values: infinite, end-time, or duration seconds.

We recommend running Network Time Protocol (NTP) or some other time synchronization method if you assign a lifetime to a key.

If the last key expires, authentication will continue and an error message will be generated. To disable authentication, you must manually delete the last valid key.

Examples

The following example configures a key chain named chain1. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and will be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and will be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# interface ethernet 0
Router(config-if)# ip rip authentication key-chain chain1
Router(config-if)# ip rip authentication mode md5
!
Router(config)# router rip
Router(config-router)# network 172.19.0.0
Router(config-router)# version 2
!
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600

The following example configures a key chain named chain1 for EIGRP address-family. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# router eigrp virtual-name
Router(config-router)# address-family ipv4 autonomous-system 4453
Router(config-router-af)# network 10.0.0.0
Router(config-router-af)# af-interface ethernet0/0
Router(config-router-af-interface)# authentication key-chain chain1
Router(config-router-af-interface)# authentication mode md5
Router(config-router-af-interface)# exit
Router(config-router-af)# exit
Router(config-router)# exit
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600
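
The overlap and leeway reasoning in the two examples above can be checked mechanically. The following Python sketch is an added example, not Cisco code: it parses accept-lifetime and send-lifetime lines from a key chain written as indented configuration text (a constructed copy of the chain1 configuration), then reports any period in which no key is sent and any key whose accept window gives less than 30 minutes of leeway around its send window. The function names, the indented layout, and the treatment of an unset send-lifetime as valid forever are assumptions of this example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the chain1 key chain from the example above, laid out
# as indented configuration text (the layout is an assumption of this example).
SAMPLE = """\
key chain chain1
 key 1
  key-string key1
  accept-lifetime 13:30:00 Jan 25 1996 duration 7200
  send-lifetime 14:00:00 Jan 25 1996 duration 3600
 key 2
  key-string key2
  accept-lifetime 14:30:00 Jan 25 1996 duration 7200
  send-lifetime 15:00:00 Jan 25 1996 duration 3600
"""

TS = re.compile(r"(\d{1,2}:\d{2}:\d{2}) (\w+) (\w+) (\d{4})")
DEFAULT_START = datetime(1993, 1, 1)  # default and earliest start time
FOREVER = datetime.max                # stands in for "infinite"


def parse_ts(clock, a, b, year):
    """Handle both 'Month date year' and 'date Month year' orderings."""
    month, day = (a, b) if a.isalpha() else (b, a)
    return datetime.strptime(f"{clock} {month[:3]} {day} {year}",
                             "%H:%M:%S %b %d %Y")


def parse_lifetime(args):
    """Return (start, end) for 'start-time {infinite|end-time|duration s}'."""
    m = TS.match(args)
    if not m:
        raise ValueError(f"bad start-time: {args!r}")
    start, rest = parse_ts(*m.groups()), args[m.end():].strip()
    if rest == "infinite":
        return start, FOREVER
    if rest.startswith("duration "):
        seconds = int(rest.split()[1])
        if not 1 <= seconds <= 2147483646:
            raise ValueError("duration out of range")
        return start, start + timedelta(seconds=seconds)
    m = TS.fullmatch(rest)
    if not m:
        raise ValueError(f"bad end of lifetime: {rest!r}")
    end = parse_ts(*m.groups())
    if end <= start:
        raise ValueError("end-time must be after start-time")
    return start, end


def parse_chain(text):
    """Map key id -> {'accept': (start, end), 'send': (start, end)}."""
    keys, cur = {}, None
    for line in text.splitlines():
        words = line.split()
        if len(words) == 2 and words[0] == "key" and words[1].isdigit():
            # Unset lifetimes mean "valid forever" (assumed for send as well).
            cur = keys.setdefault(int(words[1]), {
                "accept": (DEFAULT_START, FOREVER),
                "send": (DEFAULT_START, FOREVER)})
        elif cur is not None and words and words[0] in ("accept-lifetime",
                                                        "send-lifetime"):
            cur[words[0].split("-")[0]] = parse_lifetime(" ".join(words[1:]))
    return keys


def audit(keys, leeway=timedelta(minutes=30)):
    """Report send gaps and accept windows too tight for clock skew."""
    findings, covered_until = [], None
    for kid, k in sorted(keys.items()):
        (a0, a1), (s0, s1) = k["accept"], k["send"]
        early_ok = a0 == DEFAULT_START or s0 - a0 >= leeway
        late_ok = a1 == FOREVER or a1 - s1 >= leeway
        if not (early_ok and late_ok):
            findings.append(f"key {kid}: accept window has under {leeway} "
                            "of leeway around the send window")
    for (start, end), kid in sorted((k["send"], kid) for kid, k in keys.items()):
        if covered_until is not None and start > covered_until:
            findings.append(f"no key is sent from {covered_until} to {start}")
        covered_until = end if covered_until is None else max(covered_until, end)
    return findings


if __name__ == "__main__":
    for finding in audit(parse_chain(SAMPLE)) or ["no gaps; leeway is sufficient"]:
        print(finding)
```

Run against the sample, the check reports nothing; moving the key 2 send-lifetime start to 15:10:00 produces both a send gap and a leeway finding.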

authentication (BFD)

To configure authentication in a Bidirectional Forwarding Detection (BFD) template for single hop and multihop sessions, use the authentication command in BFD configuration mode. To disable authentication in BFD template for single-hop and multihop sessions, use the no form of this command.

authentication authentication-type keychain keychain-name

no authentication authentication-type keychain keychain-name

Syntax Description

authentication-type

Authentication type. Valid values are md5, meticulous-md5, meticulous-sha-1, and sha-1.

keychain keychain-name

Configures an authentication key chain with the specified name. The maximum number of characters allowed in the name is 32.

Command Default

Authentication in BFD template for single hop and multihop sessions is not enabled.

Command Modes

BFD configuration (config-bfd)

Command History

Release                      Modification
15.1(3)S                     This command was introduced.
15.2(4)S                     This command was modified. This command can be configured in both single hop and multihop templates.
Cisco IOS XE Release 3.7S    This command was integrated into Cisco IOS XE Release 3.7S.

Usage Guidelines

You can configure authentication in single hop and multihop templates. We recommend that you configure authentication to enhance security. Authentication must be configured on each BFD source-destination pair, and authentication parameters must match on both devices.

Examples

The following example shows how to configure authentication for the template1 BFD single-hop template:


Device> enable
Device# configure terminal
Device(config)# bfd-template single-hop template1
Device(config-bfd)# authentication sha-1 keychain bfd-singlehop

The following example shows how to configure authentication for template1 BFD multihop template:


Device> enable
Device# configure terminal
Device(config)# bfd-template multi-hop template1
Device(config-bfd)# authentication sha-1 keychain bfd-multihop

bfd

To set the baseline Bidirectional Forwarding Detection (BFD) session parameters on an interface, use the bfd command in interface configuration mode. To remove the baseline BFD session parameters, use the no form of this command.

bfd interval milliseconds min_rx milliseconds multiplier multiplier-value

no bfd interval milliseconds min_rx milliseconds multiplier multiplier-value

Syntax Description

interval milliseconds

Specifies the rate, in milliseconds, at which BFD control packets will be sent to BFD peers. The valid range for the milliseconds argument is from 50 to 999.

min_rx milliseconds

Specifies the rate, in milliseconds, at which BFD control packets will be expected to be received from BFD peers. The valid range for the milliseconds argument is from 50 to 999.

multiplier multiplier-value

Specifies the number of consecutive BFD control packets that must be missed from a BFD peer before BFD declares that the peer is unavailable and the Layer 3 BFD peer is informed of the failure. The valid range for the multiplier-value argument is from 3 to 50.

Command Default

No baseline BFD session parameters are set.

Command Modes

Interface configuration (config-if)

Command History

Release                     Modification
12.2(18)SXE                 This command was introduced.
12.0(31)S                   This command was integrated into Cisco IOS Release 12.0(31)S.
12.2S                       This command was modified. Support for IPv6 was added.
12.4(4)T                    This command was integrated into Cisco IOS Release 12.4(4)T.
12.2(33)SRA                 This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SB                  This command was integrated into Cisco IOS Release 12.2(33)SB.
Cisco IOS XE Release 2.1    This command was implemented on Cisco ASR 1000 Series Aggregation Services Routers.
12.2(33)SRE                 This command was modified. Support for IPv6 was added.
15.0(1)M                    This command was modified. Support was removed from ATM and inverse multiplexing over ATM (IMA) interfaces.
15.1(2)T                    This command was modified. Support for IPv6 was added.
Cisco IOS XE Release 3.4    This command was modified. Support for point-to-point IPv4, IPv6, and generic routing encapsulation (GRE) tunnels was added.
15.1(1)SG                   This command was integrated into Cisco IOS Release 15.1(1)SG.
15.1(1)SY                   This command was integrated into Cisco IOS Release 15.1(1)SY.
15.3(1)S                    This command was modified. Support for multilink interface was added.
15.2(1)E                    This command was integrated into Cisco IOS Release 15.2(1)E.

Usage Guidelines

The bfd command can be configured on the following interfaces:

  • ATM

  • Dot1Q VLAN subinterfaces (with an IP address on the Dot1Q subinterface)

  • Ethernet

  • Frame Relay

  • Inverse Multiplexing over ATM (IMA)

  • IP tunnel

  • Port channel

  • PoS

  • Multilink

  • Serial

  • Tunnel (The tunnel type must be point-to-point, not Multiprotocol Label Switching (MPLS).)

If BFD runs on a port channel interface, BFD has a timer value restriction of 750 * 3 milliseconds. Other interface types are not supported by BFD.


Note

The interval command is not supported on ATM and IMA interfaces in Cisco IOS Release 15.0(1)M and later releases.


The bfd interval configuration is not removed when:
  • an IPv4 address is removed from an interface

  • an IPv6 address is removed from an interface

  • IPv6 is disabled from an interface

  • an interface is shut down

  • IPv4 CEF is disabled globally or locally on an interface

  • IPv6 CEF is disabled globally or locally on an interface

The bfd interval configuration is removed when:
  • the subinterface on which it is configured is removed

Examples

The following example shows the BFD session parameters set for Fast Ethernet interface 3/0:


Router> enable
Router# configure terminal
Router(config)# interface fastethernet 3/0
Router(config-if)# bfd interval 50 min_rx 50 multiplier 3
Router(config-if)# end

bfd all-interfaces

To enable Bidirectional Forwarding Detection (BFD) for all interfaces participating in the routing process, use the bfd all-interfaces command in router configuration or address family interface configuration mode. To disable BFD for all neighbors on a single interface, use the no form of this command.

bfd all-interfaces

no bfd all-interfaces

Syntax Description

This command has no arguments or keywords.

Command Default

BFD is disabled on the interfaces participating in the routing process.

Command Modes

Router configuration (config-router)

Address family interface configuration (config-router-af)

Command History

Release                      Modification
12.2(18)SXE                  This command was introduced.
12.0(31)S                    This command was integrated into Cisco IOS Release 12.0(31)S.
12.4(4)T                     This command was integrated into Cisco IOS Release 12.4(4)T.
12.2(33)SRA                  This command was integrated into Cisco IOS Release 12.2(33)SRA.
Cisco IOS XE Release 2.1     This command was integrated into Cisco IOS Release XE 2.1 and implemented on the Cisco ASR 1000 Series Aggregation Services Routers.
12.2(33)SRE                  This command was modified. Support for IPv6 was added.
15.0(1)M                     This command was modified. The bfd all-interfaces command in named router configuration mode was replaced by the bfd command in address family interface mode.
15.1(2)T                     This command was modified. Support for IPv6 was added.
Cisco IOS XE Release 3.3     This command was modified. Support for the Routing Information Protocol (RIP) was added.
15.2(4)S                     This command was modified. Support for IPv6 was added.
Cisco IOS XE Release 3.7S    This command was modified. Support for IPv6 was added.

Usage Guidelines

There are two methods to configure routing protocols to use BFD for failure detection. To enable BFD for all interfaces, enter the bfd all-interfaces command in router configuration mode. In Cisco IOS Release 12.4(24)T, Cisco IOS 12.2(33)SRA, and earlier releases, the bfd all-interfaces command works in router configuration mode and address family interface mode.

In Cisco IOS Release 15.0(1)M and later releases, the bfd all-interfaces command in named router configuration mode is replaced by the bfd command in address family interface configuration mode. Use the bfd command in address family interface configuration mode to achieve the same functionality as that of the bfd all-interfaces command in router configuration mode.

Examples

The following example shows how to enable BFD for all Enhanced Interior Gateway Routing Protocol (EIGRP) neighbors:


Router> enable
Router# configure terminal
Router(config)# router eigrp 123
Router(config-router)# bfd all-interfaces
Router(config-router)# end

The following example shows how to enable BFD for all Intermediate System-to-Intermediate System (IS-IS) neighbors:


Router> enable
Router# configure terminal
Router(config)# router isis tag1
Router(config-router)# bfd all-interfaces
Router(config-router)# end

The following example shows how to enable BFD for all Open Shortest Path First (OSPF) neighbors:


Router> enable
Router# configure terminal
Router(config)# router ospf 123
Router(config-router)# bfd all-interfaces
Router(config-router)# end

The following example shows how to enable BFD for all EIGRP neighbors, using the bfd command in address family interface configuration mode:


Router> enable
Router# configure terminal
Router(config)# router eigrp my_eigrp
Router(config-router)# address-family ipv4 autonomous-system 100
Router(config-router-af)# af-interface FastEthernet 0/0
Router(config-router-af-interface)# bfd

The following example shows how to enable BFD for all Routing Information Protocol (RIP) neighbors:


Router> enable
Router# configure terminal
Router(config)# router rip
Router(config-router)# bfd all-interfaces
Router(config-router)# end

The following example shows how to enable IPv6 BFD for all IS-IS neighbors, in address family interface configuration mode:


Router> enable
Router# configure terminal
Router(config)# router isis
Router(config-router)# address-family ipv6
Router(config-router-af)# bfd all-interfaces
Router(config-router-af)# end

bfd check-ctrl-plane-failure

To enable Bidirectional Forwarding Detection (BFD) control plane failure checking for the Intermediate System-to-Intermediate System (IS-IS) routing protocol, use the bfd check-ctrl-plane-failure command in router configuration mode. To disable control plane failure detection, use the no form of this command.

bfd check-ctrl-plane-failure

no bfd check-ctrl-plane-failure

Syntax Description

This command has no arguments or keywords.

Command Default

BFD control plane failure checking is disabled.

Command Modes

Router configuration (config-router)

Command History

Release                      Modification
Cisco IOS XE Release 3.7S    This command was introduced.

Usage Guidelines

The bfd check-ctrl-plane-failure command can be configured for an IS-IS routing process only. The command is not supported on other protocols.

When a router restarts, a false BFD session failure can occur, where neighboring routers behave as if a true forwarding failure has occurred. However, if the bfd check-ctrl-plane-failure command is enabled on a router, the router can ignore control plane related BFD session failures. We recommend that you add this command to the configuration of all neighboring routers just prior to a planned router restart, and that you remove the command from all neighboring routers when the restart is complete.

Examples

The following example enables BFD control plane failure checking for the IS-IS routing protocol:

Router(config)# router isis
Router(config-router)# bfd check-ctrl-plane-failure

bfd echo

To enable Bidirectional Forwarding Detection (BFD) echo mode, use the bfd echo command in interface configuration mode. To disable BFD echo mode, use the no form of this command.

bfd echo

no bfd echo

Syntax Description

This command has no arguments or keywords.

Command Default

BFD echo mode is enabled by default.

Command Modes

Interface configuration (config-if)

Command History

Release        Modification
12.4(9)T       This command was introduced.
12.2(33)SRB    This command was integrated into Cisco IOS Release 12.2(33)SRB.
12.2SX         This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
15.0(1)M       This command was modified. Support was removed from ATM and inverse multiplexing over ATM (IMA) interfaces.

Usage Guidelines

Echo mode is enabled by default. Entering the no bfd echo command without any keywords turns off the sending of echo packets and signifies that the router is unwilling to forward echo packets received from BFD neighbor routers.

When echo mode is enabled, the desired minimum echo transmit interval and required minimum transmit interval values are taken from the bfd interval milliseconds min_rx milliseconds parameters, respectively.


Note

If the no ip route-cache same-interface command is configured, the bfd echo accept command will not be accepted.



Note

Before using BFD echo mode, you must disable the sending of Internet Control Message Protocol (ICMP) redirect messages by entering the no ip redirects command, in order to avoid high CPU utilization.


The bfd echo command is not supported on ATM and IMA interfaces in Cisco IOS Release 15.0(1)M and later releases.

Echo Mode Without Asymmetry

Echo mode is described as without asymmetry when it is running on both sides (both BFD neighbors are running echo mode).

Examples

The following example configures echo mode between BFD neighbors:


Router> enable
Router# configure terminal
Router(config)# interface Ethernet 0/1
Router(config-if)# bfd echo

The following output from the show bfd neighbors details command shows that the BFD session neighbor is up and using BFD echo mode. The relevant command output is shown in bold in the output.


Router# show bfd neighbors details
OurAddr       NeighAddr      LD/RD  RH/RS    Holdown(mult)State    Int
172.16.1.2    172.16.1.1     1/6    Up       0    (3 )    Up       Fa0/1       
Session state is UP and using echo function with 50 ms interval.
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 1000000, MinRxInt: 1000000, Multiplier: 3
Received MinRxInt: 1000000, Received Multiplier: 3
Holdown (hits): 3000(0), Hello (hits): 1000(337)
Rx Count: 341, Rx Interval (ms) min/max/avg: 1/1008/882 last: 364 ms ago
Tx Count: 339, Tx Interval (ms) min/max/avg: 1/1016/886 last: 632 ms ago
Registered protocols: EIGRP
Uptime: 00:05:00
Last packet: Version: 1            - Diagnostic: 0
             State bit: Up         - Demand bit: 0
             Poll bit: 0           - Final bit: 0
             Multiplier: 3         - Length: 24
             My Discr.: 6          - Your Discr.: 1
             Min tx interval: 1000000    - Min rx interval: 1000000
             Min Echo interval: 50000

bfd interface

To enable Bidirectional Forwarding Detection (BFD) on a per-interface basis, use the bfd interface command in router configuration mode. To disable BFD for all neighbors on a single interface, use the no form of this command.

bfd interface type number

no bfd interface type number

Syntax Description

type

Interface type for the interface to be enabled for BFD.

number

Interface number for the interface to be enabled for BFD.

Command Default

BFD is not enabled for the interface.

Command Modes

Router configuration (config-router)

Command History

Release        Modification
12.2(18)SXE    This command was introduced.
12.0(31)S      This command was integrated into Cisco IOS Release 12.0(31)S.
12.4(4)T       This command was integrated into Cisco IOS Release 12.4(4)T.
12.2(33)SRA    This command was integrated into Cisco IOS Release 12.2(33)SRA.
15.0(1)M       This command was modified. The bfd interface command in named router configuration mode was replaced by the bfd command in address family interface mode.

Usage Guidelines

In Cisco IOS Release 12.4(24)T and 12.2(33)SRA and earlier releases, the bfd interface command works in router configuration mode and address-family interface mode (af-interface mode).

In Cisco IOS Release 15.0(1)M and later releases, the bfd interface command in named router configuration mode is replaced by the bfd command in address-family interface mode. Use the bfd command in af-interface mode to achieve the same functionality as that of the bfd interface command in router configuration mode.

Examples

The following example shows how to enable BFD for the Enhanced Interior Gateway Routing Protocol (EIGRP) neighbors on Fast Ethernet interface 3/0:


Router> enable
Router# configure terminal
Router(config)# router eigrp 123
Router(config-router)# bfd interface fastethernet 3/0
Router(config-router)# end

The following example shows how to enable the bfd command in address-family interface mode:


Router> enable
Router# configure terminal
Router(config)# router eigrp my_eigrp
Router(config-router)# address-family ipv4 autonomous-system 100
Router(config-router-af)# af-interface FastEthernet 0/0
Router(config-router-af-interface)# bfd

bfd map

To configure a Bidirectional Forwarding Detection (BFD) map that associates timers and authentication with multihop templates, use the bfd map command in global configuration mode. To delete a BFD map, use the no form of this command.

bfd map {ipv4 | ipv6} destination [vrf vrf-name] [source] template-name

no bfd map

Syntax Description

ipv4

Configures an IPv4 address.

ipv6

Configures an IPv6 address.

destination

The destination address.

vrf vrf-name

(Optional) Configures a VPN routing and forwarding instance (VRF).

source

(Optional) The source address.

template-name

The name of the template associated with the BFD map.

Command Default

If this command is not configured, a BFD map does not exist.

Command Modes

Global configuration (config)

Command History

Release       Modification
15.1(3)S      This command was introduced.
15.2(2)SNG    This command was implemented on Cisco ASR 901 Series Aggregation Services Routers.

Usage Guidelines

The show bfd neighbors command can be used to help troubleshoot the BFD feature.

The full output for the show bfd neighbors details command is not supported on the Route Processor (RP) for the Cisco 12000 series Internet router. If you want to enter the show bfd neighbors command with the details keyword on the Cisco 12000 series Internet router, you must enter the command on the line card. Use the attach slot command to establish a CLI session with a line card.

In Cisco IOS Release 15.1(2)S and later releases that support BFD hardware offload, the Tx and Rx intervals on both BFD peers must be configured in multiples of 50 milliseconds. If they are not, output from the show bfd neighbors details command will show the configured intervals, not the changed ones.

For more information about prerequisites and restrictions for hardware offload, see the “Configuring Synchronous Ethernet on the Cisco 7600 Router with ES+ Line Card” section of the Cisco 7600 Series Ethernet Services Plus (ES+) and Ethernet Services Plus T (ES+T) Line Card Configuration Guide.

Cisco IOS Release 15.1(3)S and later releases support BFD on multiple network hops. The bfd-template command configures timers and authentication for a template. The bfd map command associates those timers and authentication with unique source/destination address pairs in multihop BFD sessions. Use the bfd-template command to configure a multihop template and the bfd map command to associate it with a map of destinations and associated BFD timers.

For IPv6 addresses, use X:X:X:X::X format; for IPv4 addresses, use the A.B.C.D. classless interdomain routing (CIDR) notation to represent the mask for both source and destination addresses.

Examples

The following example shows how to create a BFD multihop template, create a BFD map with IPv4 addresses, and associate the map with the template:


Router(config)# bfd-template multi-hop mh-template1
Router(bfd-config)# interval min-tx 200 min-rx 200 multiplier 3
Router(bfd-config)# authentication sha-1 keychain bfd_multihop
Router(bfd-config)# exit
Router(config)# bfd map ipv4 10.11.11.0/24 vrf vpn1 10.36.42.5/32 mh-template1

The following example shows how to create a BFD map with IPv6 addresses and associate it with a BFD multihop template:


Router(config)# bfd map ipv6 2001:DB8:0:1::/64 vrf v6_1 2001:DB8:0:2::/64 mh-template1

bfd slow-timers

To configure the Bidirectional Forwarding Detection (BFD) slow timers value, use the bfd slow-timers command in global configuration mode. This command does not have a no form.

bfd slow-timers [milliseconds]

Syntax Description

milliseconds

(Optional) BFD slow timers value, in milliseconds. The range is from 1000 to 30000. The default is 1000.

Command Default

The BFD slow timer value is 1000 milliseconds.

Command Modes

Global configuration (config)

Command History

Release        Modification
12.4(9)T       This command was introduced.
12.2(33)SRB    This command was integrated into Cisco IOS Release 12.2(33)SRB.
12.2SX         This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Examples

The following example shows how to configure the BFD slow timers value to 14,000 milliseconds:


Router(config)# bfd slow-timers 14000

The following output from the show bfd neighbors details command shows that the BFD slow timers value of 14,000 milliseconds has been implemented. The values for the MinTxInt and MinRxInt will correspond to the configured value for the BFD slow timers. The relevant command output is shown in bold.


Router# show bfd neighbors details
OurAddr       NeighAddr     LD/RD  RH/RS   Holdown(mult)  State     Int
172.16.10.1   172.16.10.2   1/1    Up      0    (3 )      Up        Et2/0
Session state is UP and using echo function with 50 ms interval.
Local Diag: 0, Demand mode: 0, Poll bit: 0
MinTxInt: 14000, MinRxInt: 14000, Multiplier: 3
Received MinRxInt: 10000, Received Multiplier: 3
Holdown (hits): 3600(0), Hello (hits): 1200(418)
Rx Count: 422, Rx Interval (ms) min/max/avg: 1/1480/1087 last: 112 ms ago
Tx Count: 420, Tx Interval (ms) min/max/avg: 1/2088/1090 last: 872 ms ago
Registered protocols: OSPF
Uptime: 00:07:37
Last packet: Version: 1            - Diagnostic: 0
             State bit: Up         - Demand bit: 0
             Poll bit: 0           - Final bit: 0
             Multiplier: 3         - Length: 24
             My Discr.: 1          - Your Discr.: 1
             Min tx interval: 14000 - Min rx interval: 14000
             Min Echo interval: 4000

bfd template

To bind a single-hop Bidirectional Forwarding Detection (BFD) template to an interface, use the bfd template command in interface configuration mode. To unbind a single-hop BFD template from an interface, use the no form of this command.

bfd template template-name

no bfd template template-name

Syntax Description

template-name

Name of the BFD template.

Command Default

A BFD template is not bound to an interface.

Command Modes

Interface configuration (config-if)

Command History

Release                      Modification
15.2(4)S                     This command was introduced.
Cisco IOS XE Release 3.7S    This command was integrated into Cisco IOS XE Release 3.7S.

Usage Guidelines

Even if you have not created the template by using the bfd-template command, you can configure the name of the template under an interface, but the template is considered invalid until you define the template. You do not have to reconfigure the template name again. It becomes valid automatically.

Examples

Device> enable
Device# configure terminal
Device(config)# interface Ethernet 0/1
Device(config-if)# bfd template template1

bfd-template

To create a Bidirectional Forwarding Detection (BFD) template and to enter BFD configuration mode, use the bfd-template command in global configuration mode. To remove a BFD template, use the no form of this command.

bfd-template {single-hop | multi-hop} template-name

no bfd-template {single-hop | multi-hop} template-name

Syntax Description

single-hop

Creates the single-hop BFD template.

multi-hop

Creates the multihop BFD template.

template-name

Template name.

Command Default

A BFD template does not exist.

Command Modes

Global configuration (config)

Command History

Release                      Modification
15.0(1)S                     This command was introduced.
15.1(3)S                     This command was modified. The multi-hop keyword was added.
Cisco IOS XE Release 3.7S    This command was integrated into Cisco IOS XE Release 3.7S.

Usage Guidelines

The bfd-template command allows you to create a BFD template and places the device in BFD configuration mode. The template can be used to specify a set of BFD interval values. BFD interval values specified as part of the BFD template are not specific to a single interface.

The bfd map command associates timers and authentication in multihop templates with unique source/destination address pairs in multihop BFD sessions.

You can configure authentication in single-hop and multihop templates. Although it is not required, authentication is recommended to enhance security.

Examples

The following example shows how to create a BFD template and specify BFD interval values:

Device> enable 
Device# configure terminal  
Device(config)# bfd-template single-hop node1
Device(bfd-config)# interval min-tx 100 min-rx 100 multiplier 3
Device(bfd-config)# echo

The following example shows how to create a BFD single-hop template and configure BFD interval values and an authentication key chain:

Device> enable 
Device# configure terminal 
Device(config)# bfd-template single-hop template1
Device(bfd-config)# interval min-tx 200 min-rx 200 multiplier 3
Device(bfd-config)# authentication sha-1 keychain bfd_singlehop

The following example shows how to create a BFD multihop template and configure BFD interval values and an authentication key chain:

Device> enable 
Device# configure terminal 
Device(config)# bfd-template multi-hop template1
Device(bfd-config)# interval min-tx 200 min-rx 200 multiplier 3
Device(bfd-config)# authentication sha-1 keychain bfd-multihop

The following example shows how to change the type of an existing BFD template from single hop to multihop and vice versa:

Device> enable 
Device# configure terminal 
Device(config)# no bfd-template single-hop template1 
Device(config)# bfd-template multi-hop template1
Device(bfd-config)# exit
Device(config)# no bfd-template multi-hop template1 
Device(config)# bfd-template single-hop template1

cryptographic-algorithm

To specify the TCP cryptographic algorithm for a TCP-AO key, use the cryptographic-algorithm command in key chain key configuration mode.

cryptographic-algorithm algorithm

Syntax Description

algorithm

Specify one of the following authentication algorithms:

  • aes-128-cmac: AES-128-CMAC algorithm

  • hmac-sha-1: HMAC-SHA-1 algorithm

  • hmac-sha-256: HMAC-SHA-256 algorithm

Command Default

No algorithm is specified.

Command Modes

Key chain key configuration (config-keychain-key)

Command History

Release

Modification

16.12.1

This command was introduced.

Usage Guidelines

You must configure a key chain with keys to enable authentication.

Although you can identify multiple key chains, we recommend using one key chain per interface per routing protocol. Upon specifying the key chain command, you enter key chain configuration mode.

Examples

The following example configures a simple key chain for a TCP-AO enabled connection.

Router(config)# key chain kc1 tcp
Router(config-keychain)# key 7890
Router(config-keychain-key)# send-id 215
Router(config-keychain-key)# recv-id 215
Router(config-keychain-key)# key-string klomn
Router(config-keychain-key)# cryptographic-algorithm hmac-sha-1

dampening

To configure a device to automatically dampen a flapping session, use the dampening command in interface configuration mode. To disable automatic dampening, use the no form of this command.

dampening [half-life-period reuse-threshold suppress-threshold max-suppress-time] [restart-penalty]

no dampening

Syntax Description

half-life-period

(optional) Time (in seconds) after which a penalty is decreased. Once the route has been assigned a penalty, the penalty is decreased by half after the half-life period expires. The range of the half-life period is from 1 to 30 seconds. The default time is 5 seconds.

reuse-threshold

(optional) Reuse value based on the number of penalties. When the accumulated penalty decreases enough to fall below this value, the route is unsuppressed. The range of the reuse value is from 1 to 20000; the default is 1000.

suppress-threshold

(optional) Value of the accumulated penalty that triggers the router to dampen a flapping interface. A route is suppressed when its penalty exceeds this limit. The range is from 1 to 20000; the default is 2000.

max-suppress-time

(optional) Maximum time (in seconds) a route can be suppressed. The range is from 1 to 20000; the default is four times the half-life-period value. If the half-life-period value is allowed to default, the maximum suppress time defaults to 20 seconds.

restart-penalty

(optional) Penalty to be applied to the interface when it comes up for the first time after the router reloads. The configurable range is from 1 to 18000 penalties. The default is 2000 penalties. This argument is not required for any other configurations.

Command Default

This command is disabled by default. To manually configure the timer for the restart-penalty argument, the value for all arguments must be manually entered.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

12.0(22)S

This command was introduced.

12.2(14)S

This command was integrated into Cisco IOS Release 12.2(14)S.

12.2(13)T

This command was integrated into Cisco IOS Release 12.2(13)T.

12.2(18)SXD

This command was integrated into Cisco IOS Release 12.2(18)SXD.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(31)SB2

This command was integrated into Cisco IOS Release 12.2(31)SB2.

Usage Guidelines

The IP Event Dampening feature will function on a subinterface but cannot be configured on only the subinterface. Only the primary interface can be configured with this feature. Primary interface configuration is applied to all subinterfaces by default.

When an interface is dampened, the interface is dampened to both IP and Connectionless Network Services (CLNS) routing equally. The interface is dampened to both IP and CLNS because integrated routing protocols such as Intermediate System-to-Intermediate System (IS-IS), IP, and CLNS routing protocols are closely interconnected, so it is impossible to apply dampening separately.

Copying a dampening configuration from virtual templates to virtual access interfaces is not supported because dampening has limited usefulness to existing applications using virtual templates. Virtual access interfaces are released when an interface flaps, and new connections and virtual access interfaces are acquired when the interface comes up and is made available to the network. Because dampening states are attached to the interface, the dampening states would not survive an interface flap.

If the dampening command is applied to an interface that already has dampening configured, all dampening states are reset and the accumulated penalty will be set to 0. If the interface has been dampened, the accumulated penalty will fall into the reuse threshold range, and the dampened interface will be made available to the network. The flap counts, however, are retained.

Examples

The following example sets the half life to 30 seconds, the reuse threshold to 1500, the suppress threshold to 10000, and the maximum suppress time to 120 seconds:


interface Ethernet 0/0
 dampening 30 1500 10000 120

The following example configures the router to apply a penalty of 500 on Ethernet interface 0/0 when the interface comes up for the first time after the router is reloaded:


interface Ethernet 0/0
 dampening 5 500 1000 20 500 
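
How the four dampening arguments interact over a burst of flaps, as an added Python model that is not part of the Cisco reference. It assumes a penalty of 1000 per flap, continuous exponential decay, and a penalty ceiling of reuse-threshold x 2^(max-suppress-time / half-life-period); none of these three details is stated on this page.

```python
import math
from dataclasses import dataclass

# Assumption: penalty added per flap. The page does not state this value.
FLAP_PENALTY = 1000


@dataclass
class InterfaceDampening:
    """Penalty model for `dampening half-life reuse suppress max-suppress`."""
    half_life: float = 5        # seconds (page default)
    reuse: float = 1000         # page default
    suppress: float = 2000      # page default
    max_suppress: float = 20    # seconds (four times the default half-life)
    penalty: float = 0.0
    suppressed: bool = False
    clock: float = 0.0

    def ceiling(self) -> float:
        """Largest penalty that still decays to `reuse` within max_suppress.

        Assumption: this cap is how the maximum suppress time is enforced.
        """
        return self.reuse * 2 ** (self.max_suppress / self.half_life)

    def advance(self, now: float) -> None:
        """Decay the penalty (halved per half-life) and re-check the reuse threshold."""
        self.penalty *= 2 ** (-(now - self.clock) / self.half_life)
        self.clock = now
        if self.suppressed and self.penalty < self.reuse:
            self.suppressed = False

    def flap(self, now: float) -> float:
        """Record one flap at time `now` and return the accumulated penalty."""
        self.advance(now)
        self.penalty = min(self.penalty + FLAP_PENALTY, self.ceiling())
        if self.penalty > self.suppress:
            self.suppressed = True
        return self.penalty

    def seconds_until_reuse(self) -> float:
        """Time for the current penalty to decay to the reuse threshold."""
        if not self.suppressed:
            return 0.0
        return self.half_life * math.log2(self.penalty / self.reuse)


def replay(flap_times, **params):
    """Replay a constructed list of flap timestamps (seconds).

    Returns ([(time, penalty, suppressed), ...], final model state).
    """
    model = InterfaceDampening(**params)
    trace = [(t, round(model.flap(t), 1), model.suppressed) for t in flap_times]
    return trace, model


if __name__ == "__main__":
    # Constructed trace: three flaps one second apart, default timers.
    trace, model = replay([0, 1, 2])
    for row in trace:
        print(row)
    print("reuse in %.1f s" % model.seconds_until_reuse())
```

With the values from the first example above (30, 1500, 10000, 120) the ceiling works out to 24000, which takes exactly 120 seconds to decay back to the reuse threshold of 1500.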

distance (IP)

To define an administrative distance for routes that are inserted into the routing table, use the distance command in router configuration mode. To return the administrative distance to its default distance definition, use the no form of this command.

distance distance ip-address wildcard-mask [ip-standard-acl | access-list-name]

no distance distance ip-address wildcard-mask [ip-standard-acl | access-list-name]

Syntax Description

distance

Administrative distance. An integer from 10 to 255. (The values 0 to 9 are reserved for internal use. Routes with a distance value of 255 are not installed in the routing table.)

ip-address

IP address in four-part, dotted decimal notation. The IP address or the network address from where routes are learned.

wildcard-mask

Wildcard mask in four-part, dotted decimal notation. A bit set to 1 in the wildcard-mask argument instructs the software to ignore the corresponding bit in the address value.

ip-standard-acl

(Optional) Standard IP access list (ACL) number to be applied to incoming routing updates.

access-list-name

(Optional) Named access list to be applied to incoming routing updates.

Command Default

For information on default administrative distances, see the “Usage Guidelines” section.

Command Modes

Router configuration (config-router)

Command History

Release

Modification

10.0

This command was introduced.

11.2

This command was modified. The access-list-name argument was added.

11.3

This command was modified. The ip keyword was removed.

12.0

This command was modified. The ip-standard-acl and ip-extended-acl arguments were added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Cisco IOS XE Release 2.1

This command was integrated into Cisco IOS XE Release 2.1.

15.0(1)M

This command was integrated into a release earlier than Cisco IOS Release 15.0(1)M.

15.2(4)S

This command was modified. The ip-extended-acl argument was removed.

Usage Guidelines

The table below lists default administrative distances.

Table 1. Default Administrative Distances

Route Source                                                       Default Distance
Connected interface                                                0
Static route                                                       1
Enhanced Interior Gateway Routing Protocol (EIGRP) summary route   5
External Border Gateway Protocol (eBGP)                            20
Internal EIGRP                                                     90
Open Shortest Path First (OSPF)                                    110
Intermediate System-to-Intermediate System (IS-IS)                 115
Routing Information Protocol (RIP)                                 120
EIGRP external route                                               170
Internal BGP                                                       200
Unknown                                                            255

An administrative distance is a rating of the trustworthiness of a routing information source, such as an individual router or a group of routers. Numerically, an administrative distance is an integer from 0 to 255. In general, the higher the value, the lower the trust rating. An administrative distance of 255 means the routing information source cannot be trusted at all and should be ignored.

When the optional access list name is used with this command, it is applied when a network is being inserted into the routing table. This behavior allows filtering of networks according to the IP address of the router that supplies the routing information. This option could be used, for example, to filter possibly incorrect routing information from routers that are not under your administrative control.


Note

Extended ACL is not supported for defining the administrative distance for a particular route which is inserted into the routing table. Use the standard IP access list to define the administrative distance.


The order in which you enter distance commands can affect the assigned administrative distances in unexpected ways. See the “Examples” section for further clarification.

For BGP, the distance command sets the administrative distance of the External BGP (eBGP) route.

For EIGRP, the distance command sets the administrative distance of only the internal routes of EIGRP neighbors. To set the administrative distance of external routes of EIGRP neighbors, use the distance eigrp command.

The show ip protocols privileged EXEC command displays the default administrative distance for the active routing processes.

Always set the administrative distance from the least to the most specific network.


Note

The weight of a route can no longer be set with the distance command. To set the weight for a route, use a route map.


Examples

In the following example, the router eigrp global configuration command sets up EIGRP routing in autonomous system number 109. The network router configuration commands specify EIGRP routing on networks 192.168.7.0 and 172.16.0.0. The first distance command sets the administrative distance to 90 for all routers on the Class C network 192.168.7.0. The second distance command sets the administrative distance to 120 for the router with the address 172.16.1.3.


Device> enable
Device# configure terminal
Device(config)# router eigrp 109
Device(config-router)# network 192.168.7.0
Device(config-router)# network 172.16.0.0
Device(config-router)# distance 90 192.168.7.0 0.0.0.255
Device(config-router)# distance 120 172.16.1.3 0.0.0.255
Device(config-router)# end

In the following example, the distances are set from the least to the most specific network:


Device> enable
Device# configure terminal
Device(config)# router eigrp 109
Device(config-router)# distance 22 10.0.0.0 0.0.0.255
Device(config-router)# distance 33 10.11.0.0 0.0.0.255
Device(config-router)# distance 44 10.11.12.0 0.0.0.255
Device(config-router)# end

Note

In this example, adding distance 255 to the end of the list would override the distance values for all networks within the range specified in the example. The result would be that the distance values are set to 255.


Entering the show ip protocols command displays the default administrative distance for the active routing processes, as well as the user-configured administrative distances:


Device# show ip protocols
.
.
.
Routing Protocol is "isis tag1"
  Invalid after 0 seconds, hold down 0, flushed after 0
  Outgoing update filter list for all interfaces is not set
  Incoming update filter list for all interfaces is not set
  Redistributing: isis
  Address Summarization:
    None
  Maximum path: 4
  Routing for Networks:
  Routing Information Sources:
    Gateway         Distance      Last Update
  Distance: (default is 115)
    Address         Wild mask       Distance  List
    10.11.0.0             0.0.0.255       45
    10.0.0.0              0.0.0.255       22
    Address         Wild mask       Distance  List
    10.11.0.0             0.0.0.255       33
    10.11.12.0            0.0.0.255       44
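
The wildcard-mask rule and the limits on distance values described in this section, as an added Python check that is not part of the Cisco reference. The last two sample lines and the finding names are constructed, and the extended ACL number ranges (100 to 199 and 2000 to 2699) are standard IOS numbering rather than something stated on this page.

```python
import ipaddress
import re

# Constructed input: the two distance lines from the page's first example,
# followed by two constructed lines that trip the other checks.
SAMPLE_CONFIG = """\
router eigrp 109
 network 192.168.7.0
 network 172.16.0.0
 distance 90 192.168.7.0 0.0.0.255
 distance 120 172.16.1.3 0.0.0.255
 distance 255 10.9.0.0 0.0.255.255 101
 distance 5 10.1.1.1 0.0.0.0
"""

DISTANCE_LINE = re.compile(
    r"^\s*distance\s+(\d+)\s+(\d+\.\d+\.\d+\.\d+)\s+(\d+\.\d+\.\d+\.\d+)"
    r"(?:\s+(\S+))?\s*$"
)
# Numbered extended IP ACL ranges in Cisco IOS (not taken from this page).
EXTENDED_ACL_RANGES = (range(100, 200), range(2000, 2700))


def to_bits(dotted: str) -> int:
    return int(ipaddress.IPv4Address(dotted))


def parse_distance(config: str) -> list:
    """Extract `distance <n> <address> <wildcard> [acl]` statements in order."""
    statements = []
    for line in config.splitlines():
        m = DISTANCE_LINE.match(line)
        if m:
            statements.append({"distance": int(m.group(1)), "address": m.group(2),
                               "wildcard": m.group(3), "acl": m.group(4)})
    return statements


def wildcard_match(source: str, address: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means the corresponding address bit is ignored."""
    care = ~to_bits(wildcard) & 0xFFFFFFFF
    return (to_bits(source) & care) == (to_bits(address) & care)


def sources_covered(wildcard: str) -> int:
    """Number of source addresses a statement with this wildcard can match."""
    return 2 ** bin(to_bits(wildcard)).count("1")


def matching_statements(source: str, statements: list) -> list:
    """All statements whose address/wildcard pair covers this route source,
    in configured order. Which one the router applies is not modelled here."""
    return [s for s in statements
            if wildcard_match(source, s["address"], s["wildcard"])]


def audit(statements: list) -> list:
    """Return (finding, statement) pairs for settings this section warns about."""
    findings = []
    for s in statements:
        text = f"distance {s['distance']} {s['address']} {s['wildcard']}"
        if s["distance"] < 10:                 # 0 to 9 are reserved
            findings.append(("reserved-distance", text))
        if s["distance"] == 255:               # such routes are not installed
            findings.append(("not-installed", text))
        acl = s["acl"]
        if acl and acl.isdigit() and any(int(acl) in r for r in EXTENDED_ACL_RANGES):
            findings.append(("extended-acl", text))   # extended ACL not supported
        if to_bits(s["address"]) & to_bits(s["wildcard"]):
            # Address bits under the wildcard are ignored, so the statement
            # covers sources_covered(wildcard) addresses, not the one written.
            findings.append(("ignored-address-bits", text))
    return findings


if __name__ == "__main__":
    stmts = parse_distance(SAMPLE_CONFIG)
    for finding, text in audit(stmts):
        print(f"{finding:22} {text}")
    print(sources_covered("0.0.0.255"), "sources covered by wildcard 0.0.0.255")
```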

distribute-list in (IP)

To filter networks received in updates, use the distribute-list in command in router configuration mode, address family configuration mode or address family topology configuration mode. To delete the distribution list and remove it from the running configuration file, use the no form of this command.

distribute-list {{access-list-name | access-list-number | gateway prefix-list-name | prefix prefix-list-name [gateway prefix-list-name]} in [interface-type interface-number] | route-map route-map-name in}

no distribute-list {{access-list-name | access-list-number | gateway prefix-list-name | prefix prefix-list-name [gateway prefix-list-name]} in [interface-type interface-number] | route-map route-map-name in}

Syntax Description

access-list-name

IP access-list name. The access-list-name argument defines which networks are to be received and which are to be suppressed in routing updates.

  • The range is from 1 to 199.

access-list-number

IP access-list number. The access-list-number argument defines which networks are to be received and which are to be suppressed in routing updates.

gateway

Filters incoming address updates based on a gateway.

prefix-list-name

IP prefix-list name. The prefix-list-name argument defines which routes from specified IP prefixes in the routing table are to be received and which are to be suppressed in routing updates.

prefix

Filters prefixes in address updates.

interface-type

(Optional) Type of interface. The interface-type argument defines the type of interface from which routing updates are to be received or suppressed.

The interface-type argument cannot be used in address family configuration mode.

interface-number

(Optional) Interface number on which the access list should be applied to incoming updates. If no interface is specified, the access list will be applied to all incoming updates.

The interface-type and interface-number arguments are applied if you specify an access list, not a route map. The interface-number argument cannot be used in address family configuration mode.

route-map

Specifies the route map that defines which networks are to be installed in the routing table and which are to be filtered from the routing table.

route-map-name

Name of route-map. The route-map-name argument defines the networks from which routing updates are to be received or suppressed. This argument is supported by OSPF, EIGRP and IS-IS.

Command Default

Networks received in updates are not filtered.

Command Modes

Router configuration (config-router)

Address family configuration (config-router-af)

Router address family topology configuration (config-router-af-topology)

Command History

Release

Modification

10.0

This command was introduced.

11.2

This command was modified. The access-list-name, type, and number arguments were added.

12.0(7)T

This command was modified. Address family configuration mode was added.

12.0(24)S

This command was modified. The route-map route-map-name keyword-argument pair was added.

12.2(27)SBC

This command was integrated into Cisco IOS Release 12.2(27)SBC.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SRB

This command was modified. Router address family topology configuration mode was added.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

15.3(3)M

This command was modified. The IS-IS protocol is now supported.

Usage Guidelines

The distribute-list in command is used to filter incoming updates. An access list, gateway, route map, or prefix list must be defined prior to configuration of this command. Standard and expanded access lists are supported. IP prefix lists are used to filter based on the bit length of the prefix. An entire network, subnet, supernet, or single host route can be specified. Prefix list and access list configuration is mutually exclusive when configuring a distribution list.

This command must specify either an access list or a map-tag name of a route map. The route map is supported for Open Shortest Path First (OSPF) and Enhanced Interior Gateway Routing Protocol (EIGRP) filtering.

The interface-type and interface-number arguments cannot be used in address family configuration mode.

OSPF routes cannot be filtered from entering the OSPF database. If you use this command for OSPF, it only filters routes from the routing table; it does not prevent link-state packets from being propagated.

If a route map is specified, the route map can be based on the following match options:

  • match interface

  • match ip address

  • match ip next-hop

  • match ip route-source

  • match metric

  • match route-type

  • match tag

Configure the route map before specifying it in the distribute-list in command.

Release 12.2(33)SRB

If you plan to configure the Multi-Topology Routing (MTR) feature, you must enter the distribute-list in command in address family topology configuration mode in order for this OSPF router configuration command to become topology-aware.

Examples

In the following example, EIGRP process 1 is configured to accept two networks, network 0.0.0.0 and network 10.108.0.0:


Device(config)# access-list 1 permit 0.0.0.0
Device(config)# access-list 1 permit 10.108.0.0
Device(config)# access-list 1 deny 0.0.0.0 255.255.255.255
Device(config)# router eigrp 1
!
Device(config-router)# network 10.108.0.0
Device(config-router)# distribute-list 1 in

In the following EIGRP named configuration example, EIGRP is configured to accept two networks, network 0.0.0.0 and network 10.108.0.0:


Device(config)# access-list 1 permit 0.0.0.0
Device(config)# access-list 1 permit 10.108.0.0
Device(config)# access-list 1 deny 0.0.0.0 255.255.255.255
Device(config)# router eigrp virtual-name
!
Device(config-router)# address-family ipv4 autonomous-system 4453
Device(config-router-af)# network 10.108.0.0
Device(config-router-af)# network 10.0.0.0
Device(config-router-af)# topology base
Device(config-router-af-topology)# distribute-list 1 in

In the following EIGRP named configuration example, the address-family external route has a tag. The value of the tag is examined before the prefix is installed in the routing table. All address-family external addresses that have the tag value of 777 are filtered (prevented from being installed in the routing table). The permit statement with sequence number 20 has no match conditions, and there are no other route-map statements after sequence number 20, so all other conditions are permitted.


Device(config)# route-map tag-filter deny 10 
Device(config-route-map)# match tag 777
Device(config-route-map)# route-map tag-filter permit 20
Device(config-route-map)# exit
Device(config)# router eigrp virtual-name
!
Device(config-router)# address-family ipv4 autonomous-system 4453
Device(config-router-af)# network 10.108.0.0
Device(config-router-af)# network 10.0.0.0
Device(config-router-af)# topology base
Device(config-router-af-topology)# distribute-list route-map tag-filter in

In the following example, OSPF external LSAs have a tag. The value of the tag is examined before the prefix is installed in the routing table. All OSPF external prefixes that have the tag value of 777 are filtered (prevented from being installed in the routing table). The permit statement with sequence number 20 has no match conditions, and there are no other route-map statements after sequence number 20, so all other conditions are permitted.


Device(config)# route-map tag-filter deny 10
Device(config-route-map)# match tag 777
Device(config-route-map)# route-map tag-filter permit 20
!
Device(config)# router ospf 1
Device(config-router)# router-id 10.0.0.2
Device(config-router)# log-adjacency-changes
Device(config-router)# network 172.16.2.1 0.0.0.255 area 0
Device(config-router)# distribute-list route-map tag-filter in

The following example shows how to filter three IS-IS routes from the routing table using a specified access list:

Device(config)# access-list 101 deny ip any 192.168.4.0 0.0.0.127
Device(config)# access-list 101 deny ip any 192.168.4.128 0.0.0.63
Device(config)# access-list 101 deny ip any 192.168.4.192 0.0.0.63
! 
Device(config)# interface fastethernet 0/0
Device(config-if)# ip router isis 121
Device(config-if)# router isis 121
Device(config-router)# distribute-list 101 in

The following example shows how to filter three IS-IS routes from the routing table using a specified prefix list. Only a single command is required.

Device(config)# ip prefix-list List1 seq 3 deny 192.0.2.1/24
Device(config)# ip prefix-list List1 seq 5 deny 192.168.4.0/24 ge 25 le 26
Device(config)# ip prefix-list List1 seq 10 permit 0.0.0.0/0 le 32
!
Device(config)# interface fastethernet 0/0
Device(config-if)# ip router isis 122
Device(config-if)# router isis 122
Device(config-router)# distribute-list prefix List1 in
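
How a prefix list with ge and le decides which received routes are installed, as an added Python evaluator that is not part of the Cisco reference. The sample is modelled on List1 above with the permit-all entry written as 0.0.0.0/0 le 32; the route names in the test data are constructed, and the matching rules (first match by sequence number, exact length when neither ge nor le is given, implicit deny at the end) are standard prefix-list behaviour rather than something stated on this page.

```python
import ipaddress
import re

# Constructed input modelled on the page's List1.
SAMPLE = """\
ip prefix-list List1 seq 3 deny 192.0.2.1/24
ip prefix-list List1 seq 5 deny 192.168.4.0/24 ge 25 le 26
ip prefix-list List1 seq 10 permit 0.0.0.0/0 le 32
"""

ENTRY = re.compile(
    r"^\s*ip\s+prefix-list\s+(\S+)\s+seq\s+(\d+)\s+(permit|deny)\s+(\S+)"
    r"(?:\s+ge\s+(\d+))?(?:\s+le\s+(\d+))?\s*$"
)


def parse_prefix_list(config: str, name: str) -> list:
    """Return [(seq, action, network, min_len, max_len)] sorted by seq."""
    entries = []
    for line in config.splitlines():
        m = ENTRY.match(line)
        if not m or m.group(1) != name:
            continue
        # strict=False masks host bits, so 192.0.2.1/24 is read as 192.0.2.0/24.
        net = ipaddress.ip_network(m.group(4), strict=False)
        ge = int(m.group(5)) if m.group(5) else None
        le = int(m.group(6)) if m.group(6) else None
        if ge is None and le is None:
            lo = hi = net.prefixlen                 # exact-length match only
        else:
            lo = ge if ge is not None else net.prefixlen
            hi = le if le is not None else net.max_prefixlen
        entries.append((int(m.group(2)), m.group(3), net, lo, hi))
    return sorted(entries, key=lambda e: e[0])


def evaluate(entries: list, route: str) -> tuple:
    """Return (action, seq) of the first matching entry, or ('deny', None)."""
    r = ipaddress.ip_network(route)
    for seq, action, net, lo, hi in entries:
        if (r.version == net.version
                and lo <= r.prefixlen <= hi
                and r.subnet_of(net)):
            return action, seq
    return "deny", None                             # implicit deny


def filter_update(entries: list, routes: list) -> list:
    """Routes from an incoming update that the distribute list lets through."""
    return [r for r in routes if evaluate(entries, r)[0] == "permit"]


if __name__ == "__main__":
    entries = parse_prefix_list(SAMPLE, "List1")
    # Constructed update: the three filtered routes plus neighbours of them.
    update = ["192.168.4.0/25", "192.168.4.128/26", "192.168.4.192/26",
              "192.168.4.0/24", "192.168.4.64/27", "192.0.2.0/24", "10.0.0.0/8"]
    for route in update:
        print(f"{route:20} {evaluate(entries, route)}")
```

The length window matters when reviewing such a filter: 192.168.4.0/24 itself and anything longer than /26 inside it fall through to the permit entry at sequence 10.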

The following example shows how to filter IS-IS routes from the routing table using next hop:

Device(config)# ip prefix-list List2 seq 5 deny 198.51.100.31/24
!
Device(config)# interface fastethernet 0/0
Device(config-if)# ip router isis 125
Device(config-if)# router isis 125
Device(config-router)# distribute-list gateway List2 in

The following example shows how to filter IS-IS routes from the routing table using a specified route map:

Device(config)# route-map Map1 deny 10
Device(config-route-map)# match tag 200
Device(config-route-map)# exit
!
Device(config)# interface fastethernet 0/0
Device(config-if)# ip router isis 150
Device(config-if)# router isis 150
Device(config-router)# distribute-list route-map Map1 in

The following example shows how to enable IS-IS inbound filtering for routes that use standard IPv6 address prefixes:

Device(config)# ipv6 prefix-list 101 seq 5 deny 2001:DB8::/32
Device(config)# ipv6 prefix-list 102 seq 4 permit 2001:DB8::1/48 le 56
!
Device(config)# router isis
Device(config-router)# address-family ipv6
Device(config-router-af)# distribute-list prefix-list 101 in
Device(config-router-af)# distribute-list prefix-list 102 in ethernet 0/0

distribute-list out (IP)

To suppress networks from being advertised in updates, use the distribute-list out command in the appropriate configuration mode. To cancel this function, use the no form of this command.

distribute-list {access-list-number | access-list-name} out [interface-name | routing-process | as-number]

no distribute-list {access-list-number | access-list-name} out [interface-name | routing-process | as-number]

Syntax Description

access-list-number | access-list-name

Standard IP access list number or name. The list defines which networks are to be sent and which are to be suppressed in routing updates.

interface-name

(Optional) Name of a particular interface. The interface-name argument cannot be used in address-family configuration mode.

routing-process

(Optional) Name of a particular routing process, or the static or connected keyword.

as-number

(Optional) Autonomous system number.

Command Default

This command is disabled by default. Networks are advertised in updates.

Command Modes

Router configuration (config-router)

Address-family configuration (config-router-af)

Address-family topology configuration (config-router-af-topology)

Command History

Release

Modification

10.0

This command was introduced.

11.2

The access-list-name argument was added.

12.0(7)T

Address family configuration mode was added.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SRB

Address-family topology configuration mode was added.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

When networks are redistributed, a routing process name can be specified as an optional trailing argument to the distribute-list command. Specifying this option causes the access list to be applied to only those routes derived from the specified routing process. After the process-specific access list is applied, any access list specified by a distribute-list command without a process name argument will be applied. Addresses not specified in the distribute-list command will not be advertised in outgoing routing updates.

The interface-name argument cannot be used in address-family configuration mode.


Note

To filter networks that are received in updates, use the distribute-list in command.


Release 12.2(33)SRB

If you plan to configure the Multi-Topology Routing (MTR) feature, you must enter the distribute-list out command in address-family topology configuration mode in order for this OSPF router configuration command to become topology-aware.

Examples

The following example would cause only one network to be advertised by a RIP routing process, network 10.108.0.0:


Router(config)# access-list 1 permit 10.108.0.0
Router(config)# access-list 1 deny 0.0.0.0 255.255.255.255
Router(config)# router rip
Router(config-router)# network 10.108.0.0
Router(config-router)# distribute-list 1 out

The following example applies access list 1 to outgoing routing updates. Only network 10.10.101.0 will be advertised in outgoing EIGRP routing updates.


Router(config)# router eigrp 100
Router(config-router)# distribute-list 1 out
Router(config-router)# exit
Router(config)# access-list 1 permit 10.10.101.0 0.0.0.255

The following EIGRP named configuration example applies access list 1 to outgoing routing updates and enables EIGRP address-family on Ethernet interface 0/0. Only network 10.0.0.0 will be advertised in outgoing EIGRP routing updates:


Router(config)# router eigrp virtual-name
 
Router(config-router)# address-family ipv4 autonomous-system 4453
Router(config-router-af)# network 10.10.0.0
Router(config-router-af)# topology base
Router(config-router-af-topology)# distribute-list 1 out
Router(config-router-af-topology)# exit-af-topology
Router(config-router-af)# exit-address-family
Router(config-router)# exit
Router(config)# interface ethernet0/0
Router(config-if)# ip eigrp access-list 1 permit 10.10.101.0 0.0.0.255

fast-reroute load-sharing disable

To disable Fast Reroute (FRR) load sharing of prefixes, use the fast-reroute load-sharing disable command in router configuration mode. To restore the default setting, use the no form of this command.

fast-reroute load-sharing {level-1 | level-2} disable

no fast-reroute load-sharing {level-1 | level-2} disable

Syntax Description

level-1

Specifies Level 1 packets.

level-2

Specifies Level 2 packets.

Command Default

Load sharing of prefixes is enabled by default.

Command Modes


Router configuration (config-router)

Command History

Release

Modification

15.1(2)S

This command was introduced.

Cisco IOS XE Release 3.4S

This command was integrated into Cisco IOS XE Release 3.4S.

Usage Guidelines

You must configure the router isis command before you can configure the fast-reroute load-sharing disable command.

Load sharing equally distributes the prefixes that use the same protected primary path over the available loop-free alternates (LFAs). An LFA is a next hop that helps a packet reach its destination without looping back.

Examples

The following example shows how to disable load sharing of Level 2 prefixes:


Router(config)# router isis
Router(router-config)# fast-reroute load-sharing level-2 disable
Router(router-config)# end

fast-reroute per-prefix

To enable Fast Reroute (FRR) per prefix, use the fast-reroute per-prefix command in router configuration mode. To disable the configuration, use the no form of this command.

fast-reroute per-prefix {level-1 | level-2} {all | route-map route-map-name}

no fast-reroute per-prefix {level-1 | level-2} {all | route-map route-map-name}

Syntax Description

level-1

Enables per-prefix FRR of Level 1 packets.

level-2

Enables per-prefix FRR of Level 2 packets.

all

Enables FRR of all primary paths.

route-map

Specifies the route map for selecting primary paths for protection.

route-map-name

Route map name.

Command Default

Fast Reroute per prefix is disabled.

Command Modes


Router configuration (config-router)

Command History

Release

Modification

15.1(2)S

This command was introduced.

Cisco IOS XE Release 3.4S

This command was integrated into Cisco IOS XE Release 3.4S.

15.2(2)SNI

This command was implemented on the Cisco ASR 901 Series Aggregation Services Routers.

Usage Guidelines

You must configure the router isis command before you can configure the fast-reroute per-prefix command.

You must configure the all keyword to protect all prefixes or configure the route-map route-map-name keyword and argument pair to protect a selected set of prefixes. When you specify the all keyword, all paths are protected, except paths that use interfaces that are not supported or interfaces that are not enabled for protection. Using the route-map route-map-name keyword and argument pair to specify protected routes gives you the flexibility to select protected routes, including by using administrative tags.

Repair paths forward traffic during a routing transition. Repair paths are precomputed in anticipation of failures so that they can be activated when a failure is detected.

Examples

The following example shows how to enable FRR for all Level 2 prefixes:


Router(config)# router isis
Router(router-config)# fast-reroute per-prefix level-2 all
Router(router-config)# end

fast-reroute tie-break

To configure the Fast Reroute (FRR) tiebreaking priority, use the fast-reroute tie-break command in router configuration mode. To disable the configuration, use the no form of this command.

fast-reroute tie-break {level-1 | level-2} {downstream | linecard-disjoint | lowest-backup-path-metric | node-protecting | primary-path | secondary-path | srlg-disjoint} priority-number

no fast-reroute tie-break {level-1 | level-2} {downstream | linecard-disjoint | lowest-backup-path-metric | node-protecting | primary-path | secondary-path | srlg-disjoint}

Syntax Description

level-1

Configures tiebreaking for Level 1 packets.

level-2

Configures tiebreaking for Level 2 packets.

downstream

Configures loop-free alternates (LFAs) whose metric to the protected destination is lower than the metric of the protecting node to the destination.

linecard-disjoint

Configures LFAs that use interfaces that do not exist on the line card of the interface used by the primary path. The default is 40.

lowest-backup-path-metric

Configures LFAs with the lowest metric to the protected destination. The default is 30.

node-protecting

Configures LFAs that protect the primary next hop. The default is 50.

primary-path

Configures the repair path from the Equal Cost Multipath (ECMP) set. The default is 20.

secondary-path

Configures the non-ECMP repair path.

srlg-disjoint

Configures LFAs that do not share the same Shared Risk Link Group (SRLG) ID as the primary path. The default is 10.

priority-number

Priority number. Valid values are from 1 to 255.

Command Default

Tiebreaking is enabled by default.

Command Modes


Router configuration (config-router)

Command History

Release

Modification

15.1(2)S

This command was introduced.

Cisco IOS XE Release 3.4S

This command was integrated into Cisco IOS XE Release 3.4S.

Usage Guidelines

You must configure the router isis command before you can configure the fast-reroute tie-break command.

Tiebreaking configurations are applied per IS-IS instance per address family. The lower the configured priority value, the higher the priority of the rule. The same attribute cannot be configured more than once in the same address family.

The default tiebreaking rules have a priority value of 256. Hence, the tiebreaking rules that you configure will always have a higher priority than the default rule.

Load sharing equally distributes the prefixes that use the same protected primary path over the available LFAs. An LFA is a next hop that helps a packet reach its destination without looping back.

Examples

The following example shows how to set a tiebreaking priority of 5 for Level 2 packets:


Router(config)# router isis
Router(router-config)# fast-reroute tie-break level-1 downstream 150
Router(router-config)# end

echo

To enable Bidirectional Forwarding Detection (BFD) echo mode under a BFD template, use the echo command in BFD configuration mode. To disable BFD echo mode, use the no form of this command.

echo

no echo

Syntax Description

This command has no arguments or keywords.

Command Default

BFD echo mode is disabled.

Command Modes

BFD configuration (config-bfd)

Command History

Release

Modification

15.2(4)S

This command was introduced.

Cisco IOS XE Release 3.7S

This command was integrated into Cisco IOS XE Release 3.7S.

Usage Guidelines

Echo mode is disabled by default. Entering the echo command enables the sending of echo packets and signifies that the device can forward echo packets received from BFD neighbor devices.

When echo mode is enabled, the desired minimum echo transmit interval and required minimum transmit interval values are derived from the values configured through the interval milliseconds min-rx milliseconds command.


Note

If you configure the no ip route-cache same-interface command, the echo command is rejected.



Note

Before using echo mode, you must disable the sending of Internet Control Message Protocol (ICMP) redirect messages by entering the no ip redirects command, in order to avoid high CPU utilization.


When echo mode is enabled on both BFD neighbors, the echo mode is described as without asymmetry.

Examples

The following example shows how to enable a BFD echo mode under a BFD template:


Device> enable
Device# configure terminal
Device(config)# bfd-template single-hop template1
Device(config-bfd)# echo

include-tcp-options

Indicates whether TCP options other than TCP-AO must be used to calculate MACs. With the flag enabled, the content of all options, in the order present, is included in the MAC and TCP-AO’s MAC field is filled with zeroes. When the flag is disabled, all options other than TCP-AO are excluded from MAC calculations.

include-tcp-options

Command Default

This option is disabled.

Command Modes

Key chain key configuration (config-keychain-key)

Command History

Release

Modification

16.12.1

This command was introduced.

Usage Guidelines

This option must be configured on both devices.

You must configure a key chain with keys to enable authentication.

Although you can identify multiple key chains, we recommend using one key chain per interface per routing protocol. Upon specifying the key chain command, you enter key chain configuration mode.

Examples

The following example configures a simple key chain for a TCP-AO enabled connection:

Router(config)# key chain kc1 tcp
Router(config-keychain)# key 7890
Router(config-keychain-key)# send-id 215
Router(config-keychain-key)# recv-id 215
Router(config-keychain-key)# key-string klomn
Router(config-keychain-key)# cryptographic-algorithm hmac-sha-1
Router(config-keychain-key)# include-tcp-options
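The effect of this flag on the MAC input, following the layout in RFC 5925 section 5.1, is shown in the added Python example below; it is not Cisco code. The function names, addresses and the traffic key are constructed for illustration, and the key is used directly instead of being derived from the key-string with the RFC 5926 KDF.

```python
import hashlib
import hmac
import socket
import struct

TCP_AO_KIND = 29  # TCP-AO option kind assigned by RFC 5925


def split_options(raw):
    """Yield each TCP option as raw bytes, in the order present."""
    i = 0
    while i < len(raw):
        if raw[i] in (0, 1):  # End-of-List and NOP are single-byte options
            yield raw[i:i + 1]
            i += 1
            continue
        if i + 1 >= len(raw) or raw[i + 1] < 2 or i + raw[i + 1] > len(raw):
            raise ValueError("malformed TCP option")
        yield raw[i:i + raw[i + 1]]
        i += raw[i + 1]


def header_for_mac(segment, include_tcp_options):
    """Return the TCP header bytes that are fed into the MAC."""
    hdr_len = (segment[12] >> 4) * 4
    if hdr_len < 20 or hdr_len > len(segment):
        raise ValueError("bad TCP data offset")
    fixed = bytearray(segment[:20])
    fixed[16:18] = b"\x00\x00"  # the TCP checksum is always zeroed
    out, seen_ao = bytes(fixed), False
    for opt in split_options(segment[20:hdr_len]):
        if opt[0] == TCP_AO_KIND:
            if len(opt) < 4:
                raise ValueError("TCP-AO option too short")
            # Keep Kind, Length, KeyID, RNextKeyID; fill the MAC field with zeroes.
            out += opt[:4] + bytes(len(opt) - 4)
            seen_ao = True
        elif include_tcp_options:
            out += opt  # flag enabled: other options are covered as sent
        # flag disabled: other options are skipped over, not zeroed
    if not seen_ao:
        raise ValueError("segment carries no TCP-AO option")
    return out


def tcp_ao_mac(traffic_key, sne, src, dst, segment, include_tcp_options):
    """HMAC-SHA-1-96 over SNE, IPv4 pseudo-header, TCP header and data."""
    header = header_for_mac(segment, include_tcp_options)
    hdr_len = (segment[12] >> 4) * 4
    pseudo = (socket.inet_aton(src) + socket.inet_aton(dst)
              + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment)))
    msg = struct.pack("!I", sne) + pseudo + header + segment[hdr_len:]
    return hmac.new(traffic_key, msg, hashlib.sha1).digest()[:12]


def build_segment(mss, payload=b""):
    """Constructed SYN carrying an MSS option and a TCP-AO option (KeyID 215)."""
    options = (struct.pack("!BBH", 2, 4, mss)
               + bytes([TCP_AO_KIND, 16, 215, 215]) + b"\xaa" * 12)
    offset_flags = (((20 + len(options)) // 4) << 12) | 0x002
    fixed = struct.pack("!HHIIHHHH", 49152, 179, 1000, 0,
                        offset_flags, 65535, 0xBEEF, 0)
    return fixed + options + payload


KEY = b"constructed-traffic-key"  # assumption: stands in for the derived key
SRC, DST = "192.0.2.1", "192.0.2.2"  # documentation addresses


def mss_change_detected(include_tcp_options):
    """True if rewriting the MSS option in flight changes the MAC."""
    original = tcp_ao_mac(KEY, 0, SRC, DST, build_segment(1460), include_tcp_options)
    rewritten = tcp_ao_mac(KEY, 0, SRC, DST, build_segment(536), include_tcp_options)
    return original != rewritten


if __name__ == "__main__":
    for flag in (False, True):
        print("include-tcp-options", flag, "-> MSS rewrite detected:",
              mss_change_detected(flag))
```

With the flag disabled, a rewritten MSS option leaves the MAC unchanged, so only the enabled setting extends integrity protection to the other options. The two settings also produce different MACs for the same segment, which is why the option has to match on both devices.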

interval (BFD)

To configure the transmit and receive intervals between Bidirectional Forwarding Detection (BFD) packets, and to specify the number of consecutive BFD control packets that must be missed before BFD declares that a peer is unavailable, use the interval command in BFD configuration mode. To disable interval values, use the no form of this command.

interval [microseconds] {both milliseconds | min-tx milliseconds min-rx milliseconds} [multiplier multiplier-value]

no interval

Syntax Description

microseconds

(Optional) Specifies the min-tx and min-rx timers in microseconds.

both milliseconds

Specifies the rate, in milliseconds, at which BFD control packets are sent to BFD peers and the rate at which BFD control packets are received from BFD peers. The valid range for the milliseconds argument is from 50 to 999.

min-tx milliseconds

Specifies the rate, in milliseconds, at which BFD control packets are sent to BFD peers. The valid range for the milliseconds argument is from 50 to 999.

min-rx milliseconds

Specifies the rate, in milliseconds, at which BFD control packets are received from BFD peers. The valid range for the milliseconds argument is from 50 to 999.

multiplier multiplier-value

(Optional) Specifies the number of consecutive BFD control packets that must be missed from a BFD peer before BFD declares that the peer is unavailable and the Layer 3 BFD peer is informed of the failure. The valid range is from 3 to 50. Default is 3.

Command Default

No session parameters are set.

Command Modes

BFD configuration (config-bfd)

Command History

Release

Modification

15.0(1)S

This command was introduced.

15.1(3)S

This command was modified. The microseconds keyword was added.

Cisco IOS XE 3.5S

This command was modified. Support for BDI interfaces was added.

Usage Guidelines

The interval command allows you to configure the session parameters for a BFD template.

Examples

The following example shows how to configure interval settings for the node1 BFD template:


Router(config)# bfd-template single-hop node1
Router(bfd-config)# interval min-tx 120 min-rx 100 multiplier 3

The following example shows how to configure interval settings for the template1 multihop BFD template:


Router(config)# bfd-template multi-hop template1
Router(bfd-config)# interval min-tx 200 min-rx 200 multiplier 3

ip default-network

To select a network as a candidate route for computing the gateway of last resort, use the ip default-network command in global configuration mode. To remove a route, use the no form of this command.

ip default-network network-number

no ip default-network network-number

Syntax Description

network-number

Number of the network.

Command Default

If the router has a directly connected interface to the specified network, the dynamic routing protocols running on that router will generate (or source) a default route. For the Routing Information Protocol (RIP), this route is flagged as the pseudo network 0.0.0.0.

Command Modes

Global configuration (config#)

Command History

Release

Modification

10.0

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command was integrated into Cisco IOS Release 12.2SX. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

15.1(3)T

This command was integrated into Cisco IOS Release 15.1(3)T.

Usage Guidelines

The Cisco IOS software uses both administrative distance and metric information to determine the default route. Multiple ip default-network commands can be used. All candidate default routes, both static (that is, flagged by the ip default-network command) and dynamic, appear in the routing table preceded by an asterisk.

If the IP routing table indicates that the specified network number is subnetted with a nonzero subnet number, the system will automatically configure a static summary route instead of a default route. The static summary route uses the specified subnet to route traffic destined for subnets that are not explicitly listed in the IP routing table.

The ip default-network command is a classful command. It is effective only if the network mask of the network that you wish to configure as a candidate route for computing the gateway of last resort matches the network mask in the Routing Information Base (RIB).

For example, if you configure ip default-network 10.0.0.0, then the mask considered by the routing protocol is 10.0.0.0/8, as it is a Class A network. The gateway of last resort is set only if the RIB contains a 10.0.0.0/8 route.

If you need to use the ip default-network command, ensure that the RIB contains a network route that matches the major mask of the network class.

Examples

The following example defines a static route to network 10.0.0.0 as the static default route:


ip route 10.0.0.0 255.0.0.0 10.108.3.4
ip default-network 10.0.0.0

If the following command is issued on a router that is not connected to network 10.140.0.0, the software might choose the path to that network as the default route when the network appears in the routing table:


ip default-network 10.140.0.0

ip gdp

To configure the router discovery mechanism, use the ip gdp command in global configuration mode. To disable the configuration, use the no form of this command.

ip gdp {eigrp | irdp [multicast] | rip}

no ip gdp {eigrp | irdp [multicast] | rip}

Syntax Description

eigrp

Configures a gateway to discover routers transmitting Enhanced Interior Gateway Routing Protocol (EIGRP) router updates.

irdp

Configures a gateway to discover routers transmitting ICMP Router Discovery Protocol (IRDP) router updates.

multicast

(Optional) Specifies the router to multicast IRDP solicitations.

rip

Configures a gateway to discover routers transmitting Routing Information Protocol (RIP) router updates.

Command Default

The router discovery mechanism is not configured.

Command Modes

Global configuration (config)

Command History

Release

Modification

15.0(1)M

This command was introduced in a release earlier than Cisco IOS Release 15.0(1)M.

Usage Guidelines

You must disable IP routing to configure the ip gdp command.

Examples

The following example shows how to configure the RIP router discovery mechanism:


Router# configure terminal
Router(config)# ip gdp rip

ip local policy route-map

To identify a route map to use for local policy routing, use the ip local policy route-map command in global configuration mode. To disable local policy routing, use the no form of this command.

ip local policy route-map map-tag

no ip local policy route-map map-tag

Syntax Description

map-tag

Name of the route map to use for local policy routing. The name must match a map-tag value specified by a route-map command.

Command Default

Packets that are generated by the router are not policy routed.

Command Modes

Global configuration

Command History

Release

Modification

11.1

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Packets that are generated by the router are not normally policy routed. However, you can use this command to policy route such packets. You might enable local policy routing if you want packets originated at the router to take a route other than the obvious shortest path.

The ip local policy route-map command identifies a route map to use for local policy routing. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria, which are the conditions under which packets should be policy routed. The set commands specify the set actions, which are the particular policy routing actions to perform if the criteria enforced by the match commands are met. The no ip local policy route-map command deletes the reference to the route map and disables local policy routing.

Examples

The following example sends packets with a destination IP address matching that allowed by extended access list 131 to the router at IP address 172.30.3.20:


ip local policy route-map xyz
!
route-map xyz
 match ip address 131
 set ip next-hop 172.30.3.20

ip policy route-map

To identify a route map to use for policy routing on an interface, use the ip policy route-map command in interface configuration mode. To disable policy routing on the interface, use the no form of this command.

ip policy route-map map-tag

no ip policy route-map

Syntax Description

map-tag

Name of the route map to use for policy routing. The name must match a map-tag value specified by a route-map command.

Command Default

No policy routing occurs on the interface.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

11.0

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Cisco IOS XE Release 2.2

This command was integrated into Cisco IOS Release 12.2(33)SRA.

Usage Guidelines

You might enable policy routing if you want your packets to take a route other than the obvious shortest path.

The ip policy route-map command identifies a route map to use for policy routing. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria, which are the conditions under which policy routing is allowed for the interface, based on the destination IP address of the packet. The set commands specify the set actions, which are the particular policy routing actions to perform if the criteria enforced by the match commands are met. The no ip policy route-map command deletes the pointer to the route map.

Policy routing can be performed on any match criteria that can be defined in an extended IP access list when using the match ip address command and referencing an extended IP access list.

The policy route map needs to be reconfigured on an interface in the following scenarios:

  • When a policy route map is applied to an interface with VRF configuration, the route map is removed and this information is sent to the CEF.
  • When an interface is configured with a policy route map and VRF, the route map is removed whenever the VRF value changes.

Examples

The following example sends packets with the destination IP address of 172.21.16.18 to a router at IP address 172.30.3.20:


interface serial 0
 ip policy route-map wethersfield
!
route-map wethersfield
 match ip address 172.21.16.18
 set ip next-hop 172.30.3.20

ip route

To establish static routes, use the ip route command in global configuration mode. To remove static routes, use the no form of this command.

ip route [ vrf vrf-name ] prefix mask { ip-address | interface-type interface-number [ip-address] } [dhcp] [global] [distance] [multicast] [ name next-hop-name ] [ permanent | track number ] [ tag tag ]

no ip route [ vrf vrf-name ] prefix mask { ip-address | interface-type interface-number [ip-address] } [dhcp] [global] [distance] [multicast] [ name next-hop-name ] [ permanent | track number ] [ tag tag ]

ip route prefix mask segment-routing policy [policy name]

no ip route

Syntax Description

vrf vrf-name

(Optional) Specifies name of the VRF for which static routes are configured.

prefix

IP route prefix for the destination.

mask

Prefix mask for the destination.

ip-address

IP address of the next hop that can be used to reach that network.

interface-type interface-number

Network interface type and interface number.

dhcp

(Optional) Enables a Dynamic Host Configuration Protocol (DHCP) server to assign a static route to a default gateway (option 3).

Note 

Specify the dhcp keyword for each routing protocol.

global

(Optional) Specifies that the next hop address is global.

Note 

This keyword is valid with the vrf vrf-name keyword and argument combination only and must be configured before any other keyword.

multicast

(Optional) Specifies that the static route being configured is a multicast route.

distance

(Optional) Administrative distance. The range is 1 to 255. The default administrative distance for a static route is 1.

name next-hop-name

(Optional) Applies a name to the next hop route.

permanent

(Optional) Specifies that the route will not be removed, even if the interface shuts down.

track number

(Optional) Associates a track object with this route. Valid values for the number argument range from 1 to 500.

tag tag

(Optional) Tag value that can be used as a “match” value for controlling redistribution via route maps.

Syntax Description

prefix

IP route prefix for the destination.

mask

Prefix mask for the destination.

segment-routing policy

Configures the segment routing policy.

policy name

Name of the segment routing policy.

Command Default

No static routes are established.

Command Modes

Global configuration (config)

Command History

Release

Modification

10.0

This command was introduced.

12.3(2)XE

The track keyword and number argument were added.

12.3(8)T

The track keyword and number argument were integrated into Cisco IOS Release 12.3(8)T. The dhcp keyword was added.

12.3(9)

The changes made in Cisco IOS Release 12.3(8)T were added to Cisco IOS Release 12.3(9).

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2(33)SXH

This command was integrated into Cisco IOS Release 12.2(33)SXH.

12.4(1)T

This command was modified. The dhcp keyword was removed and the global keyword was added.

15.0(1)M

This command was modified. The multicast keyword was added.

Cisco IOS XE 17.3.1

Support for the keyword segment-routing policy [policy name] is introduced.

Usage Guidelines

The establishment of a static route is appropriate when the Cisco IOS software cannot dynamically build a route to the destination.

When you specify a DHCP server to assign a static route, the interface type and number and administrative distance may be configured also. In Cisco IOS Release 12.4(1)T and later releases, this keyword is removed.

For Cisco IOS Release 12.4(1)T and later releases, use the global keyword with the vrf vrf-name keyword and argument combination to specify that the next hop address is global.

If you specify an administrative distance, you are flagging a static route that can be overridden by dynamic information. For example, routes derived with Enhanced Interior Gateway Routing Protocol (EIGRP) have a default administrative distance of 100. To have a static route that would be overridden by an EIGRP dynamic route, specify an administrative distance greater than 100. Static routes have a default administrative distance of 1.

Static routes that point to an interface on a connected router will be advertised by way of Routing Information Protocol (RIP) and EIGRP regardless of whether redistribute static commands are specified for those routing protocols. This situation occurs because static routes that point to an interface are considered in the routing table to be connected and hence lose their static nature. Also, the target of the static route should be included in the network (DHCP) command. If this condition is not met, no dynamic routing protocol will advertise the route unless a redistribute static command is specified for these protocols. With the following configuration:


rtr1 (serial 172.16.188.1/30)--------------> rtr2(Fast Ethernet 172.31.1.1/30) ------>
router [rip | eigrp]
 network 172.16.188.0
 network 172.31.0.0

  • RIP and EIGRP redistribute the route if the route is pointing to the Fast Ethernet interface:


ip route 172.16.188.252 255.255.255.252 FastEthernet 0/0

  • RIP and EIGRP do not redistribute the route with the following ip route command because of the split horizon algorithm:


ip route 172.16.188.252 255.255.255.252 serial 2/1

  • EIGRP redistributes the route with both of the following commands:


ip route 172.16.188.252 255.255.255.252 FastEthernet 0/0
ip route 172.16.188.252 255.255.255.252 serial 2/1 

With the Open Shortest Path First (OSPF) protocol, static routes that point to an interface are not advertised unless a redistribute static command is specified.

Adding a static route to an Ethernet or other broadcast interface (for example, ip route 0.0.0.0 0.0.0.0 Ethernet 1/2) will cause the route to be inserted into the routing table only when the interface is up. This configuration is not generally recommended. When the next hop of a static route points to an interface, the router considers each of the hosts within the range of the route to be directly connected through that interface, and therefore it will send Address Resolution Protocol (ARP) requests to any destination addresses that route through the static route.

A logical outgoing interface, for example, a tunnel, needs to be configured for a static route. If this outgoing interface is deleted from the configuration, the static route is removed from the configuration and hence does not show up in the routing table. To have the static route inserted into the routing table again, configure the outgoing interface once again and add the static route to this interface.

The practical implication of configuring the ip route 0.0.0.0 0.0.0.0 ethernet 1/2 command is that the router will consider all of the destinations that the router does not know how to reach through some other route as directly connected to Ethernet interface 1/2. So the router will send an ARP request for each host for which it receives packets on this network segment. This configuration can cause high processor utilization and a large ARP cache (along with memory allocation failures). Configuring a default route or other static route that directs the router to forward packets for a large range of destinations to a connected broadcast network segment can cause your router to reload.

Specifying a numerical next hop that is on a directly connected interface will prevent the router from using proxy ARP. However, if the interface with the next hop goes down and the numerical next hop can be reached through a recursive route, you may specify both the next hop and interface (for example, ip route 0.0.0.0 0.0.0.0 ethernet 1/2 10.1.2.3) with a static route to prevent routes from passing through an unintended interface.


Note

Configuring a default route that points to an interface, such as ip route 0.0.0.0 0.0.0.0 ethernet 1/2, displays the warning message: %Default routes, must specify a next hop IP address if not a point-to-point interface Router. This command causes the router to consider all the destinations that the router cannot reach through an alternate route, as directly connected to Ethernet interface 1/2. Hence, the router sends an ARP request for each host for which it receives packets on this network segment. This configuration can cause high processor utilization and a large ARP cache (along with memory allocation failures). Configuring a default route or other static route that directs the router to forward packets for a large range of destinations to a connected broadcast network segment can cause the router to reload.
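The following added Python example (not part of the Cisco documentation) audits a configuration for the static-route forms discussed above: routes that name only a broadcast interface, and routes that name only a next hop. The function names, the rule that any interface name containing "ethernet" is a broadcast segment, the /16 threshold for a "large range" and the sample configuration are assumptions made for illustration.

```python
import ipaddress
import re

# Assumption: interface names containing "ethernet" are broadcast segments.
BROADCAST_IFACE = re.compile(r"^[a-z]*ethernet", re.IGNORECASE)


def is_ipv4(token):
    try:
        ipaddress.IPv4Address(token)
        return True
    except ValueError:
        return False


def parse_ip_route(line):
    """Parse one 'ip route' line; return None for any other command."""
    tok = line.split()
    if tok[:2] != ["ip", "route"]:
        return None
    i, vrf = 2, None
    if len(tok) > i + 1 and tok[i] == "vrf":
        vrf, i = tok[i + 1], i + 2
    if len(tok) < i + 3:
        raise ValueError("incomplete ip route command: " + line)
    network = ipaddress.IPv4Network(tok[i] + "/" + tok[i + 1], strict=False)
    i += 2
    interface = next_hop = None
    if is_ipv4(tok[i]):
        next_hop, i = tok[i], i + 1
    elif tok[i] != "segment-routing":
        interface, i = tok[i], i + 1
        # "Ethernet 1/2" is two tokens, "ethernet1" is one.
        if not re.search(r"\d", interface) and i < len(tok):
            interface, i = interface + tok[i], i + 1
        if i < len(tok) and is_ipv4(tok[i]):
            next_hop, i = tok[i], i + 1
    return {"vrf": vrf, "network": network, "interface": interface,
            "next_hop": next_hop, "rest": tok[i:]}


def audit(config, wide_prefixlen=16):
    """Return (severity, rule, line) tuples for risky static routes."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        route = parse_ip_route(line)
        if route is None:
            continue
        rest = route["rest"]
        if "dhcp" in rest or rest[:1] == ["segment-routing"]:
            continue  # next hop comes from DHCP or an SR policy
        if route["interface"] and not route["next_hop"]:
            if BROADCAST_IFACE.match(route["interface"]):
                # Every destination in the prefix is treated as directly
                # connected, so the router sends an ARP request per host.
                wide = route["network"].prefixlen <= wide_prefixlen
                findings.append(("high" if wide else "medium",
                                 "broadcast-interface-only", line))
        elif route["next_hop"] and not route["interface"]:
            # The next hop may resolve recursively through another interface.
            findings.append(("info", "next-hop-only", line))
    return findings


# Constructed sample, built from command forms used on this page.
SAMPLE_CONFIG = """
ip route 0.0.0.0 0.0.0.0 Ethernet 1/2
ip route 0.0.0.0 0.0.0.0 Ethernet 1/2 10.1.2.3
ip route 172.16.188.252 255.255.255.252 FastEthernet 0/0
ip route 172.16.188.252 255.255.255.252 serial 2/1
ip route 10.0.0.0 255.0.0.0 172.31.3.4 110
ip route 10.165.200.225 255.255.255.255 ethernet1 dhcp
ip route 0.0.0.0 0.0.0.0 Ethernet 0/1 10.1.1.242 track 123
ip route 21.21.21.21 255.255.255.255 segment-routing policy POLICY1
"""

if __name__ == "__main__":
    for severity, rule, line in audit(SAMPLE_CONFIG):
        print(severity.ljust(6), rule.ljust(26), line)
```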


The name next-hop-name keyword and argument combination allows you to associate static routes with names in your running configuration. If you have several static routes, you can specify names that describe the purpose of each static route in order to more easily identify each one.

The track number keyword and argument combination specifies that the static route will be installed only if the state of the configured track object is up.

Recursive Static Routing

In a recursive static route, only the next hop is specified. The output interface is derived from the next hop.

For the following recursive static route example, all destinations with the IP address prefix 192.168.1.1/32 are reachable via the host with address 10.0.0.2:


ip route 192.168.1.1 255.255.255.255 10.0.0.2

A recursive static route is valid (that is, it is a candidate for insertion in the IPv4 routing table) only when the specified next hop resolves, either directly or indirectly, to a valid IPv4 output interface, provided the route does not self-recurse, and the recursion depth does not exceed the maximum IPv4 forwarding recursion depth.

The following example defines a valid recursive IPv4 static route:


interface serial 2/0
 ip address 10.0.0.1 255.255.255.252
 exit
ip route 192.168.1.1 255.255.255.255 10.0.0.2

The following example defines an invalid recursive IPv4 static route. This static route will not be inserted into the IPv4 routing table because it is self-recursive. The next hop of the static route, 192.168.1.0/30, resolves via the first static route 192.168.1.0/24, which is itself a recursive route (that is, it only specifies a next hop). The next hop of the first route, 192.168.1.0/24, resolves via the directly connected route via the serial interface 2/0. Therefore, the first static route would be used to resolve its own next hop.


interface serial 2/0
 ip address 10.0.0.1 255.255.255.252
 exit
ip route 192.168.1.0 255.255.255.0 10.0.0.2
ip route 192.168.1.0 255.255.255.252 192.168.1.100

It is not normally useful to manually configure a self-recursive static route, although it is not prohibited. However, a recursive static route that has been inserted in the IPv4 routing table may become self-recursive as a result of some transient change in the network learned through a dynamic routing protocol. If this situation occurs, the fact that the static route has become self-recursive will be detected and the static route will be removed from the IPv4 routing table, although not from the configuration. A subsequent network change may cause the static route to no longer be self-recursive, in which case it will be re-inserted in the IPv4 routing table.


Note

IPv4 recursive static routes are checked at one-minute intervals. Therefore, a recursive static route may take up to a minute to be inserted into the routing table once its next hop becomes valid. Likewise, it may take a minute or so for the route to disappear from the table if its next hop becomes invalid.


Examples

The following example shows how to choose an administrative distance of 110. In this case, packets for network 10.0.0.0 will be routed to a router at 172.31.3.4 if dynamic information with an administrative distance less than 110 is not available.


ip route 10.0.0.0 255.0.0.0 172.31.3.4 110

Note

Specifying the next hop without specifying an interface when configuring a static route can cause traffic to pass through an unintended interface if the default interface goes down.


The following example shows how to route packets for network 172.31.0.0 to a router at 172.31.6.6:


ip route 172.31.0.0 255.255.0.0 172.31.6.6 

The following example shows how to route packets for network 192.168.1.0 directly to the next hop at 10.1.2.3. If the interface goes down, this route is removed from the routing table and will not be restored unless the interface comes back up.


ip route 192.168.1.0 255.255.255.0 Ethernet 0 10.1.2.3 

The following example shows how to install the static route only if the state of track object 123 is up:


ip route 0.0.0.0 0.0.0.0 Ethernet 0/1 10.1.1.242 track 123

The following example shows that using the dhcp keyword in a configuration of Ethernet interfaces 1 and 2 enables the interfaces to obtain the next-hop router IP addresses dynamically from a DHCP server:


ip route 10.165.200.225 255.255.255.255 ethernet1 dhcp
ip route 10.165.200.226 255.255.255.255 ethernet2 dhcp 20

The following example shows that using the name next-hop-name keyword and argument combination for each static route in the configuration helps you remember the purpose for each static route.


ip route 172.0.0.0 255.0.0.0 10.0.0.1 name Seattle2Detroit

The name for the static route will be displayed when the show running-config command is entered:


Router# show running-config | include ip route
ip route 172.0.0.0 255.0.0.0 10.0.0.1 name Seattle2Detroit

Examples

The following example shows how to configure static route traffic steering using SR-TE policy:

enable
configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#segment-routing mpls
Router(config-srmpls)# set-attributes
Router(config-srmpls-attr)# address-family ipv4
Router(config-srmpls-attr-af)# sr-label-preferred
Router(config-srmpls-attr-af)# explicit-null
Router(config-srmpls-attr-af)# exit-address-family
Router(config-srmpls-attr)# connected-prefix-sid-map
Router(config-srmpls-conn)# address-family ipv4
Router(config-srmpls-conn-af)# 1.1.1.1/32 index 1 range 1
Router(config-srmpls-conn-af)# exit-address-family
Router(config-srmpls-conn)#segment-routing traffic-eng
Router(config-srte)# segment-list name <segment-list name>
Router(config-srte-ep)# segment-list name <segment-list name>
Router(config-srte-ep)# index 1 mpls label 16005
Router(config-srte-ep)# index 2 mpls label 16010
Router(config-srte-ep)# index 3 mpls label 16009
Router(config-srte-ep)# policy <policy name>
Router(config-srte-policy)# color 50 end-point 21.21.21.21
Router(config-srte-policy)# candidate-paths
Router(config-srte-policy-path)# preference 100
Router(config-srte-policy-path-pref)# explicit segment-list <segment-list name>
Router(config-srte-policy-path-pref)# constraints
Router(config-srte-policy-path-pref-constr)# segments
Router(config-srte-policy-path-pref-constr-seg)# dataplane mpls
Router(config-srte-policy-path-pref-constr-seg)#end

Router#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#ip route 21.21.21.21 255.255.255.255 segment-routing policy <policy name>

ip route profile

To enable IP routing table statistics collection, use the ip route profile command in global configuration mode. To disable collection of routing table statistics, use the no form of the command.

ip route profile

no ip route profile

Syntax Description

This command has no arguments or keywords.

Command Default

The time interval for each sample, or sampling interval, is a fixed value and is set at 5 seconds.

Command Modes

Global configuration

Command History

Release

Modification

12.0

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

The ip route profile command helps you to monitor routing table fluctuations that can occur as the result of route flapping, network failure, or network restoration.

This command identifies route flapping over brief time intervals. The time interval for each sample, or sampling interval, is a fixed value and is set at 5 seconds.

Two sets of statistics are collected. The per-interval statistics are collected over a sampling interval, while the routing table change statistics are the result of aggregating the per-interval statistics. The per-interval statistics are collected as a single set of counters, with one counter tracking one event. All counters are initialized at the beginning of each sampling interval; counters are incremented as corresponding events occur anywhere in the routing table.

At the end of a sampling interval, the per-interval statistics for that sampling interval are integrated with the routing table change statistics collected from the previous sampling intervals. The counters holding the per-interval statistics are reset and the process is repeated.

Routing table statistics are collected for the following events:

  • Forward-Path Change. This statistic is the number of changes in the forwarding path, which is the accumulation of prefix-add, next-hop change, and pathcount change statistics.

  • Prefix-Add. A new prefix was added to the routing table.

  • Next-Hop Change. A prefix is not added or removed, but the next hop changes. This statistic is only seen with recursive routes that are installed in the routing table.

  • Pathcount Change. The number of paths in the routing table has changed. This statistic is the result of an increase in the number of paths for an Interior Gateway Protocol (IGP) prefix in the routing table.

  • Prefix Refresh. Standard routing table maintenance; the forwarding behavior is not changed.

Use the show ip route profile command to display the routing table change statistics.

Examples

The following example enables the collection of routing table statistics:


ip route profile

ip route static adjust-time

To change the time interval for IP static route adjustments during convergence, use the ip route static adjust-time command in global configuration mode. To reinstate the default adjustment time of 60 seconds, use the no form of this command.

ip route static adjust-time seconds

no ip route static adjust-time seconds

Syntax Description

seconds

Time of delay, in seconds, for convergence time during which the background process that monitors next-hop reachability is performed. The delay in convergence occurs when the route that covers the next hop is removed. The range is from 1 to 60. The default is 60.

Command Default

seconds : 60

Command Modes

Global configuration

Command History

Release

Modification

12.0(29)S

This command was introduced.

12.3(10)

This command was integrated into Cisco IOS Release 12.3(10).

12.3(11)T

This command was integrated into Cisco IOS Release 12.3(11)T.

Usage Guidelines

By default, static route adjustments are made every 60 seconds. To adjust the timer to any interval from 1 to 60 seconds, enter the ip route static adjust-time command.

The benefit of reducing the timer from the 60-second default value is faster convergence when static routes are used. However, reducing the interval can be CPU intensive if the value is set very low and a large number of static routes are configured.

Examples

In the following example, the adjustment time for static routes has been changed from the default 60 seconds to 30 seconds:


Router(config)# ip route static adjust-time 30

To remove the 30-second adjusted time interval and reinstate the default 60-second value, enter the no ip route static adjust-time command:


Router(config)# no ip route static adjust-time 30

ip route static bfd

To specify static route bidirectional forwarding detection (BFD) neighbors, use the ip route static bfd command in global configuration mode. To remove a static route BFD neighbor, use the no form of this command.

ip route static bfd {interface-type interface-number ip-address | vrf vrf-name} [multihop-destination-address multihop-source-address] [group group-name] [passive] [unassociate]

no ip route static bfd {interface-type interface-number ip-address | vrf vrf-name} [multihop-destination-address multihop-source-address] [group group-name] [passive] [unassociate]

Syntax Description

interface-type interface-number

Interface type and number.

ip-address

IP address of the gateway, in A.B.C.D format.

vrf vrf-name

Specifies the Virtual Routing and Forwarding (VRF) instance and the destination VRF name.

multihop-destination-address multihop-source-address

Multihop destination and source address.

group group-name

(Optional) Assigns a BFD group. The group-name is a character string of up to 32 characters specifying the BFD group name.

unassociate

(Optional) Unassociates the static route configured for a BFD.

Command Default

No static route BFD neighbors are specified.

Command Modes

Global configuration (config)

Command History

Release

Modification

12.2(33)SRC

This command was introduced.

15.1(2)S

This command was integrated into Cisco IOS Release 15.1(2)S.

This command was modified. The group group-name keyword and argument pair and the passive keyword were added.

15.1(1)SG

This command was integrated into Cisco IOS Release 15.1(1)SG.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

15.1(2)SNG

This command was implemented on the Cisco ASR 901 Series.

Cisco IOS XE Release 3.8S

This command was integrated into a release prior to Cisco IOS XE Release 3.8S.

15.3(2)S

This command was modified. The unassociate keyword was added.

Usage Guidelines

Use the ip route static bfd command to specify static route BFD neighbors. All static routes that have the same interface and gateway specified in the configuration share the same BFD session for reachability notification.

All static routes that specify the same values for the interface-type, interface-number, and ip-address arguments will automatically use BFD to determine gateway reachability and take advantage of fast failure detection.

The interface-type, interface-number, and ip-address arguments are required because BFD supports only directly connected neighbors for the Cisco IOS 12.2(33)SRC, 15.1(2)S and 15.1(2)SNG releases.

If the interface-type, interface-number, and ip-address arguments are used to configure a BFD session, it is a single hop BFD configuration. If vrf, multihop-destination-address or multihop-source-address arguments are used to configure a BFD session, it is a multihop BFD configuration.

The group keyword assigns a BFD group. The static BFD configuration is added to the VPN routing and forwarding (VRF) instance with which the interface is associated. The passive keyword specifies the passive member of the group. Adding static BFD in a group without the passive keyword makes the BFD an active member of the group. A static route should be tracked by the active BFD configuration in order to trigger a BFD session for the group. To remove all the static BFD configurations (active and passive) of a specific group, use the no ip route static bfd command and specify the BFD group name.

The unassociate keyword specifies that a BFD neighbor is not associated with a static route, and the BFD sessions are requested if an interface has been configured with BFD. This is useful in bringing up a BFDv4 session in the absence of an IPv4 static route. If the unassociate keyword is not provided, then the IPv4 static routes are associated with BFD sessions.

BFD requires that BFD sessions are initiated on both endpoint devices. Therefore, this command must be configured on each endpoint device.

The BFD static session on a switch virtual interface (SVI) is established only after the bfd interval milliseconds min_rx milliseconds multiplier multiplier-value command is disabled and enabled on that SVI.

To enable the static BFD sessions, perform the following steps:
  1. Enable BFD timers on the SVI.

    bfd interval milliseconds min_rx milliseconds multiplier multiplier-value

  2. Enable BFD for the static IP route.

    ip route static bfd interface-type interface-number ip-address

  3. Disable and enable the BFD timers on the SVI again.

    no bfd interval milliseconds min_rx milliseconds multiplier multiplier-value

    bfd interval milliseconds min_rx milliseconds multiplier multiplier-value

Examples

The following example shows how to configure BFD for all static routes through a specified neighbor, group, and active member of the group:


Device# configure terminal
Device(config)# ip route static bfd GigabitEthernet 1/1 10.1.1.1 group group1

The following example shows how to configure BFD for all static routes through a specified neighbor, group, and passive member of the group:


Device# configure terminal
Device(config)# ip route static bfd GigabitEthernet 1/2 10.2.2.2 group group1 passive

The following example shows how to configure BFD for all static routes in an unassociated mode without the group and passive keywords:


Device# configure terminal
Device(config)# ip route static bfd GigabitEthernet 1/2 10.2.2.2 unassociate

ip route static install-routes-recurse-via-nexthop

To enable the installation of recursive static routes into the Routing Information Base (RIB), use the ip route static install-routes-recurse-via-nexthop command in global configuration mode. To remove this configuration, use the no form of this command.

ip route static install-routes-recurse-via-nexthop [all | [multicast] [route-map map-name] [topology topology-name] [vrf vrf-name]]

no ip route static install-routes-recurse-via-nexthop [all | [multicast] [route-map map-name] [topology topology-name] [vrf vrf-name]]

Syntax Description

all

(Optional) Installs all recursive static routes into the RIB.

multicast

(Optional) Installs recursive static routes into multicast topologies.

route-map map-name

(Optional) Installs recursive static routes defined by the specified route map into the RIB.

topology topology-name

(Optional) Installs recursive static routes into the specified topology.

vrf vrf-name

(Optional) Installs recursive static routes into the specified virtual routing and forwarding (VRF) instance.

Command Default

No recursive static routes are installed in the RIB.

Command Modes

Global configuration (config)

Command History

Release Modification

15.3(2)S

This command was introduced.

Cisco IOS XE Release 3.9S

This command was integrated into Cisco IOS XE Release 3.9S.

15.3(3)M

This command was integrated into Cisco IOS Release 15.3(3)M.

Usage Guidelines

Use the ip route static install-routes-recurse-via-nexthop command to install recursive static routes into the RIB. You can install recursive static routes in selected VRFs or topologies. You can use the route-map keyword to specify a route map for a specific VRF. The multicast keyword enables you to install recursive static routes in multicast topologies. If this command is used without any of the optional keywords, recursive static routes will be enabled only for the global VRF or topology. The ip route static install-routes-recurse-via-nexthop command is disabled by default.

Examples

The following example shows how to install recursive static routes into the RIB of a specific virtual routing and forwarding instance. This example is based on the assumption that a 10.0.0.0/8 route is already installed statically or dynamically in the RIB of vrf1.

Device> enable
Device# configure terminal
Device(config)# vrf definition vrf1
Device(config-vrf)# rd 1:100
Device(config-vrf)# address-family ipv4
Device(config-vrf-af)# exit
Device(config-vrf)# exit
Device(config)# ip route vrf vrf1 10.2.0.0 255.255.255.0 10.0.0.2
Device(config)# ip route static install-routes-recurse-via-nexthop vrf vrf1
Device(config)# end 

ip routing

To enable IP routing, use the ip routing command in global configuration mode. To disable IP routing, use the no form of this command.

ip routing

no ip routing

Syntax Description

This command has no arguments or keywords.

Command Default

IP routing is enabled.

Command Modes

Global configuration (config)

Command History

Release

Modification

10.0

This command was introduced.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

To bridge IP, the no ip routing command must be configured to disable IP routing. However, you need not specify no ip routing in conjunction with concurrent routing and bridging to bridge IP.

The ip routing command is disabled on the Cisco VG200 voice over IP gateway.

Disabling IP routing is not allowed if you are running Cisco IOS Release 12.2SX on a Catalyst 6000 platform. The workaround is to not assign an IP address to the SVI.

Examples

The following example enables IP routing:


Router# configure terminal
Router(config)# ip routing

ip routing protocol purge interface

To purge the routes of the routing protocols when an interface goes down, use the ip routing protocol purge interface command in global configuration mode. To disable the purging of the routes, use the no form of this command.

ip routing protocol purge interface

no ip routing protocol purge interface

Syntax Description

This command has no arguments or keywords.

Command Default

Routing protocols purge the routes by default when an interface goes down.

Command Modes

Global configuration (config)

Command History

Release

Modification

12.0(26)S

This command was introduced.

12.0(27)SV

This command was integrated into Cisco IOS Release 12.0(27)SV.

12.2(18)SXE

This command was integrated into Cisco IOS Release 12.2(18)SXE.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.

12.2(28)SB

This command was integrated into Cisco IOS Release 12.2(28)SB.

12.2(33)SRA

This command was integrated into Cisco IOS Release 12.2(33)SRA.

15.1(2)S

This command was modified. The command behavior was enabled by default.

Usage Guidelines

The ip routing protocol purge interface command allows the Routing Information Base (RIB) to ignore interface events for protocols that can respond to interface failures, thus eliminating any unnecessary deletion by the RIB. This in turn results in a single modify event to the Cisco Express Forwarding plane.

If the no ip routing protocol purge interface command is executed and a link goes down, the RIB process is automatically triggered to delete all prefixes that have the next hop on this interface from the RIB. The protocols on all the routers are notified, and if there is a secondary path, the protocols will update the RIB with the new path. When the process works through a large routing table, the process can consume many CPU cycles and increase the convergence time.

Examples

The following example shows how to disable the purge interface function for a routing protocol:


Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# no ip routing protocol purge interface
Router(config)# end

ipv6 local policy route-map

To enable local policy-based routing (PBR) for IPv6 packets, use the ipv6 local policy route-map command in global configuration mode. To disable local policy-based routing for IPv6 packets, use the no form of this command.

ipv6 local policy route-map route-map-name

no ipv6 local policy route-map route-map-name

Syntax Description

route-map-name

Name of the route map to be used for local IPv6 PBR. The name must match a route-map-name value specified by the route-map command.

Command Default

IPv6 packets are not policy routed.

Command Modes


Global configuration (config#)

Command History

Release

Modification

12.3(7)T

This command was introduced.

12.2(30)S

This command was integrated into Cisco IOS Release 12.2(30)S.

12.2(33)SXI4

This command was integrated into Cisco IOS Release 12.2(33)SXI4.

Cisco IOS XE Release 3.2S

This command was integrated into Cisco IOS XE Release 3.2S.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

Usage Guidelines

Packets originating from a router are not normally policy routed. However, you can use the ipv6 local policy route-map command to policy route such packets. You might enable local PBR if you want packets originated at the router to take a route other than the obvious shortest path.

The ipv6 local policy route-map command identifies a route map to be used for local PBR. The route-map commands each have a list of match and set commands associated with them. The match commands specify the match criteria, which are the conditions under which packets should be policy routed. The set commands specify set actions, which are particular policy routing actions to be performed if the criteria enforced by the match commands are met. The no ipv6 local policy route-map command deletes the reference to the route map and disables local policy routing.

Examples

In the following example, packets with a destination IPv6 address matching that allowed by access list pbr-src-90 are sent to the router at IPv6 address 2001:DB8::1:


ipv6 access-list src-90
 permit ipv6 host 2001::90 2001:1000::/64
route-map pbr-src-90 permit 10
 match ipv6 address src-90
 set ipv6 next-hop 2001:DB8::1
ipv6 local policy route-map pbr-src-90

ipv6 policy route-map

To configure IPv6 policy-based routing (PBR) on an interface, use the ipv6 policy route-map command in interface configuration mode. To disable IPv6 PBR on an interface, use the no form of this command.

ipv6 policy route-map route-map-name

no ipv6 policy route-map route-map-name

Syntax Description

route-map-name

Name of the route map to be used for PBR. The name must match the map-tag value specified by a route-map command.

Command Default

Policy-based routing does not occur on the interface.

Command Modes


Interface configuration (config-if)

Command History

Release

Modification

12.3(7)T

This command was introduced.

12.2(30)S

This command was integrated into Cisco IOS Release 12.2(30)S.

12.2(33)SXI4

This command was integrated into Cisco IOS Release 12.2(33)SXI4.

Cisco IOS XE Release 3.2S

This command was integrated into Cisco IOS XE Release 3.2S.

15.1(1)SY

This command was integrated into Cisco IOS Release 15.1(1)SY.

Usage Guidelines

You can enable PBR if you want your packets to take a route other than the obvious shortest path.

The ipv6 policy route-map command identifies a route map to be used for policy-based routing. The route-map commands each have a list of match and set commands associated with them. The match commands specify the match criteria, which are the conditions under which PBR is allowed for the interface. The set commands specify set actions, which are the PBR actions to be performed if the criteria enforced by the match commands are met. The no ipv6 policy route-map command deletes the pointer to the route map.

Policy-based routing can be performed on any match criteria that can be defined in an IPv6 access list.

Examples

In the following example, a route map named pbr-dest-1 is created and configured, specifying the packet match criteria and the desired policy-route action. Then, PBR is enabled on the interface Ethernet0/0.


ipv6 access-list match-dest-1
  permit ipv6 any 2001:DB8::1
route-map pbr-dest-1 permit 10
  match ipv6 address match-dest-1
  set interface Ethernet0/0
interface Ethernet0/0
  ipv6 policy route-map pbr-dest-1
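
Because a PBR route map overrides the routing table, it is worth checking that every ipv6 policy route-map and ipv6 local policy route-map statement points at a route map and access list that actually exist. The following Python check is an added example, not Cisco code; the sample configuration is constructed from the two PBR examples on this page plus one deliberately dangling reference (pbr-missing on Ethernet0/1), and the function names and the reliance on running-config style indentation are assumptions.

```python
# Constructed sample: the page's two PBR examples plus one dangling reference.
SAMPLE = """\
ipv6 access-list src-90
 permit ipv6 host 2001::90 2001:1000::/64
ipv6 access-list match-dest-1
 permit ipv6 any 2001:DB8::1
route-map pbr-src-90 permit 10
 match ipv6 address src-90
 set ipv6 next-hop 2001:DB8::1
route-map pbr-dest-1 permit 10
 match ipv6 address match-dest-1
 set interface Ethernet0/0
ipv6 local policy route-map pbr-src-90
interface Ethernet0/0
 ipv6 policy route-map pbr-dest-1
interface Ethernet0/1
 ipv6 policy route-map pbr-missing
"""


def parse(text):
    """Collect IPv6 ACL names, route-map clauses and PBR attachment points."""
    acls, maps, attachments = set(), {}, []
    ctx = None  # ("map", name) or ("if", name) while inside a sub-mode
    for line in text.splitlines():
        w = line.split()
        if not w or w[0] == "!":
            continue
        top = not line[0].isspace()  # assumption: sub-mode lines are indented
        if top:
            ctx = None
        if w[:2] == ["ipv6", "access-list"] and len(w) > 2:
            acls.add(w[2])
        elif top and w[0] == "route-map" and len(w) > 1:
            ctx = ("map", w[1])
            maps.setdefault(w[1], {"acls": [], "set": []})
        elif top and w[0] == "interface" and len(w) > 1:
            ctx = ("if", "".join(w[1:]))
        elif w[:4] == ["ipv6", "local", "policy", "route-map"] and len(w) > 4:
            attachments.append(("local", w[4]))  # router-originated packets
        elif (w[:3] == ["ipv6", "policy", "route-map"] and len(w) > 3
              and ctx and ctx[0] == "if"):
            attachments.append((ctx[1], w[3]))   # packets arriving on the interface
        elif ctx and ctx[0] == "map" and w[:3] == ["match", "ipv6", "address"]:
            maps[ctx[1]]["acls"] += w[3:]
        elif ctx and ctx[0] == "map" and w[0] == "set":
            maps[ctx[1]]["set"].append(" ".join(w[1:]))
    return acls, maps, attachments


def review(text):
    """Return one (where, route_map, set_actions, problems) tuple per attachment."""
    acls, maps, attachments = parse(text)
    report = []
    for where, name in attachments:
        clause = maps.get(name)
        if clause is None:
            report.append((where, name, [], [f"route-map {name} is not defined"]))
            continue
        problems = [f"access list {a} is not defined"
                    for a in clause["acls"] if a not in acls]
        report.append((where, name, clause["set"], problems))
    return report


if __name__ == "__main__":
    for where, name, actions, problems in review(SAMPLE):
        print(f"{where:12} {name:12} set={actions} problems={problems}")
```
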

ipv6 route static bfd

To specify static route Bidirectional Forwarding Detection for IPv6 (BFDv6) neighbors, use the ipv6 route static bfd command in global configuration mode. To remove a static route BFDv6 neighbor, use the no form of this command.

ipv6 route static bfd [vrf vrf-name] interface-type interface-number ipv6-address [unassociated]

no ipv6 route static bfd

Syntax Description

vrf vrf-name

(Optional) Name of the virtual routing and forwarding (VRF) instance by which static routes should be specified.

interface-type interface-number

Interface type and number.

ipv6-address

IPv6 address of the neighbor.

unassociated

(Optional) Moves a static BFD neighbor from associated mode to unassociated mode.

Command Default

No static route BFDv6 neighbors are specified.

Command Modes


Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Release 2.1

This command was introduced.

15.1(2)T

This command was integrated into Cisco IOS Release 15.1(2)T.

15.1(1)SG

This command was integrated into Cisco IOS Release 15.1(1)SG.

15.1(1)SY

This command was modified. Support for IPv6 was added to Cisco IOS Release 15.1(1)SY.

15.2(2)SNG

This command was implemented on the Cisco ASR 901 Series Aggregation Services Routers.

Usage Guidelines

Use the ipv6 route static bfd command to specify static route neighbors. All of the static routes that have the same interface and gateway specified in the configuration share the same BFDv6 session for reachability notification. BFDv6 requires that BFDv6 sessions are initiated on both endpoint routers. Therefore, this command must be configured on each endpoint router. An IPv6 static BFDv6 neighbor must be fully specified (with the interface and the neighbor address) and must be directly attached.

All static routes that specify the same values for vrf vrf-name, interface-type interface-number, and ipv6-address will automatically use BFDv6 to determine gateway reachability and take advantage of fast failure detection.

Examples

The following example creates a neighbor on Ethernet interface 0/0 with an address of 2001::1:

Router(global config)# ipv6 route static bfd ethernet 0/0 2001::1
 

The following example converts the neighbor to unassociated mode:

Router(global config)# ipv6 route static bfd ethernet 0/0 2001::1 unassociated
 

isdn supp-service callRerouteing

To enable ISDN partial rerouting on the BRI interface of Cisco 4000 Series Integrated Services Routers, use the isdn supp-service callRerouteing command in interface configuration mode. To disable ISDN partial rerouting, use the no form of the command.

isdn supp-service callRerouteing

Syntax Description

This command has no arguments or keywords.

Command Default

ISDN partial rerouting is not enabled.

Command Modes

Interface configuration (config-if)

Command History

Release Modification
16.5.1

This command was introduced.

Usage Guidelines

This command is used when an ISDN destination phone has call diversion configured. This command enables the gateway to convert ISDN call reroute information (in ISDN facility messages based on ETS 300 207-1) from the destination into a SIP 302 message. As a result, the connection to the old destination is released and a new connection is established with the new destination. This feature is limited to the described call flow and is tested and supported with facility messages arriving from a particular Mitel PBX (IntelliGate 300) only.

ISDN partial rerouting can only be enabled on the bri-net3 switch type.

This feature is only supported if ISDN is used at the network side.

Examples

The following example enables ISDN partial rerouting on interface bri1:


ISR4321-VoiceGW-LAB(config-if)#
ISR4321-VoiceGW-LAB(config-if)#int BRI0/1/0:0
ISR4321-VoiceGW-LAB(config-if)#isdn switch-type basic-net3
ISR4321-VoiceGW-LAB(config-if)#isdn protocol-emulate network
ISR4321-VoiceGW-LAB(config-if)#isdn supp-service callRerouteing
ISR4321-VoiceGW-LAB(config-if)#end
ISR4321-VoiceGW-LAB#

ipv6 route static resolve default

To allow a recursive IPv6 static route to resolve using the default IPv6 static route, use the ipv6 route static resolve default command in global configuration mode. To remove this function, use the no form of this command.

ipv6 route static resolve default

no ipv6 route static resolve default

Syntax Description

This command has no arguments or keywords.

Command Default

Recursive IPv6 static routes do not resolve via the default route.

Command Modes


Global configuration (config)

Command History

Release

Modification

12.2(33)XNE

This command was introduced.

Usage Guidelines

By default, a recursive IPv6 static route will not resolve using the default route (::/0). The ipv6 route static resolve default command restores legacy behavior and allows resolution using the default route.

Examples

The following example enables an IPv6 recursive static route to be resolved using an IPv6 static default route:


Router(config)# ipv6 route static resolve default

key

To identify an authentication key on a key chain, use the key command in key-chain configuration mode. To remove the key from the key chain, use the no form of this command.

key key-id

no key key-id

Syntax Description

key-id

Identification number of an authentication key on a key chain. The range of keys is from 0 to 2147483647. The key identification numbers need not be consecutive.

Command Default

No key exists on the key chain.

Command Modes

Key-chain configuration (config-keychain)

Command History

Release

Modification

11.1

This command was introduced.

12.4(6)T

Support for IPv6 was added.

12.2(33)SRB

This command was integrated into Cisco IOS Release 12.2(33)SRB.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains.

It is useful to have multiple keys on a key chain so that the software can sequence through the keys as they become invalid after time, based on the accept-lifetime and send-lifetime key chain key command settings.

Each key has its own key identifier, which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and Message Digest 5 (MD5) authentication key in use. Only one authentication packet is sent, regardless of the number of valid keys. The software starts looking at the lowest key identifier number and uses the first valid key.

If the last key expires, authentication will continue and an error message will be generated. To disable authentication, you must manually delete the last valid key.

To remove all keys, remove the key chain by using the no key chain command.

Examples

The following example configures a key chain named chain1. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# interface ethernet 0
Router(config-if)# ip rip authentication key-chain chain1
Router(config-if)# ip rip authentication mode md5
!
Router(config)# router rip
Router(config-router)# network 172.19.0.0
Router(config-router)# version 2
!
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600

The following named configuration example configures a key chain named chain1 for EIGRP address-family. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# router eigrp virtual-name
Router(config-router)# address-family ipv4 autonomous-system 4453
Router(config-router-af)# network 10.0.0.0
Router(config-router-af)# af-interface ethernet0/0
Router(config-router-af-interface)# authentication key-chain chain1
Router(config-router-af-interface)# authentication mode md5
Router(config-router-af-interface)# exit
Router(config-router-af)# exit
Router(config-router)# exit
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600

The following named configuration example configures a key chain named chain1 for EIGRP service-family. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# router eigrp virtual-name
Router(config-router)# service-family ipv4 autonomous-system 4453
Router(config-router-sf)# network 10.0.0.0
Router(config-router-sf)# sf-interface ethernet0/0
Router(config-router-sf-interface)# authentication key-chain chain1
Router(config-router-sf-interface)# authentication mode md5
Router(config-router-sf-interface)# exit
Router(config-router-sf)# exit
Router(config-router)# exit
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600
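
The rollover rules in this section (a key is sent only inside its send-lifetime, accepted only inside its accept-lifetime, and the lowest-numbered valid key is used) can be checked offline before a change window. The following Python sketch is an added example, not Cisco code: it parses the chain1 key chain from the examples above and reports the clock-skew margin of each key and any period in which no key would be sent. The function names, the half-open treatment of lifetime intervals, and treating a key without a lifetime statement as always valid are assumptions.

```python
import re
from datetime import datetime, timedelta

# Key chain lines copied from the page's example (prompts kept as printed).
PAGE_CONFIG = """\
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600
"""
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()
# Assumption: a key with no lifetime statement is treated as always valid.
ALWAYS = (datetime.min, datetime.max)

def parse_time(tok):
    """Parse 'hh:mm:ss Month date year' or 'hh:mm:ss date Month year'."""
    clock, a, b, year = tok[:4]
    month, day = (a, b) if a[:3].title() in MONTHS else (b, a)
    h, m, s = map(int, clock.split(":"))
    return datetime(int(year), MONTHS.index(month[:3].title()) + 1, int(day), h, m, s)

def parse_lifetime(tok):
    """Return (start, end) for: start-time {infinite | end-time | duration seconds}."""
    start, rest = parse_time(tok), tok[4:]
    if rest[0] == "infinite":
        return start, datetime.max
    if rest[0] == "duration":
        return start, start + timedelta(seconds=int(rest[1]))
    return start, parse_time(rest)

def parse_key_chains(text):
    """Return {chain: {key_id: {'accept-lifetime': (s, e), 'send-lifetime': (s, e)}}}."""
    chains, chain, key = {}, None, None
    for raw in text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if words[:2] == ["key", "chain"] and len(words) >= 3:
            chain, key = chains.setdefault(words[2], {}), None
        elif chain is not None and len(words) == 2 and words[0] == "key" and words[1].isdigit():
            key = chain.setdefault(int(words[1]), {})
        elif key is not None and words and words[0] in ("accept-lifetime", "send-lifetime"):
            key[words[0]] = parse_lifetime(words[1:])
    return chains

def covers(window, when):
    return window[0] <= when < window[1]

def send_key(chain, when):
    """Lowest key id whose send-lifetime covers `when`; None if every one has lapsed."""
    return next((k for k in sorted(chain)
                 if covers(chain[k].get("send-lifetime", ALWAYS), when)), None)

def accepted_keys(chain, when):
    return [k for k in sorted(chain)
            if covers(chain[k].get("accept-lifetime", ALWAYS), when)]

def skew_tolerance(key):
    """Clock offset a peer can have before it rejects this key while it is being sent."""
    (s0, s1), (a0, a1) = key.get("send-lifetime", ALWAYS), key.get("accept-lifetime", ALWAYS)
    head = timedelta.max if a0 == datetime.min else s0 - a0
    tail = timedelta.max if a1 == datetime.max else a1 - s1
    return min(head, tail)

def audit(chain):
    """Return findings; an empty list means the rollover has no send gap."""
    findings = []
    send = lambda k: chain[k].get("send-lifetime", ALWAYS)
    order = sorted(chain, key=lambda k: send(k)[0])
    for k in order:
        if skew_tolerance(chain[k]) < timedelta(0):
            findings.append(f"key {k} is sent outside its accept-lifetime")
    covered_until = send(order[0])[1] if order else None
    for k in order[1:]:
        start, end = send(k)
        if start > covered_until:
            findings.append(
                f"no key is sent for {start - covered_until} before key {k} becomes active")
        covered_until = max(covered_until, end)
    return findings

if __name__ == "__main__":
    chain1 = parse_key_chains(PAGE_CONFIG)["chain1"]
    print({k: str(skew_tolerance(v)) for k, v in chain1.items()}, audit(chain1))
```
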

key chain

To define an authentication key chain needed to enable authentication for routing protocols and enter key-chain configuration mode, use the key chain command in global configuration mode. To remove the key chain, use the no form of this command.

key chain name-of-chain [tcp]

no key chain name-of-chain

Syntax Description

name-of-chain

Name of a key chain. A key chain must have at least one key and can have up to 2147483647 keys.

tcp

(Optional) Sets the key chain to use the TCP Authentication Option (TCP-AO).

Command Default

No key chain exists.

Command Modes

Global configuration (config)

Command History

Release

Modification

11.1

This command was introduced.

12.4(6)T

Support for IPv6 was added.

12.2(33)SRB

This command was integrated into Cisco IOS Release 12.2(33)SRB.

12.2SX

This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

16.12.1

Support for TCP-AO using the tcp option was added.

Usage Guidelines

Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains.

You must configure a key chain with keys to enable authentication.

Although you can identify multiple key chains, we recommend using one key chain per interface per routing protocol. Upon specifying the key chain command, you enter key chain configuration mode.

Examples

The following example configures a key chain named chain1. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# interface ethernet 0
Router(config-if)# ip rip authentication key-chain chain1
Router(config-if)# ip rip authentication mode md5
!
Router(config)# router rip
Router(config-router)# network 172.19.0.0
Router(config-router)# version 2
!
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600

The following named configuration example configures a key chain named chain1 for EIGRP address-family. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# router eigrp virtual-name
Router(config-router)# address-family ipv4 autonomous-system 4453
Router(config-router-af)# network 10.0.0.0
Router(config-router-af)# af-interface ethernet0/0
Router(config-router-af-interface)# authentication key-chain chain1
Router(config-router-af-interface)# authentication mode md5
Router(config-router-af-interface)# exit
Router(config-router-af)# exit
Router(config-router)# exit
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600

The following named configuration example configures a key chain named trees for service-family. The key named chestnut will be accepted from 1:30 pm to 3:30 pm and be sent from 2:00 pm to 3:00 pm. The key birch will be accepted from 2:30 pm to 4:30 pm and be sent from 3:00 pm to 4:00 pm. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# router eigrp virtual-name
Router(config-router)# service-family ipv4 autonomous-system 4453
Router(config-router-sf)# sf-interface ethernet
Router(config-router-sf-interface)# authentication key-chain trees
Router(config-router-sf-interface)# authentication mode md5
Router(config-router-sf-interface)# exit
Router(config-router-sf)# exit
Router(config-router)# exit
Router(config)# key chain trees
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string chestnut
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string birch
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600

Examples

The following example configures a simple key chain for a TCP-AO enabled connection. The key named tcpao1 will be accepted from 1:30 pm to 3:30 pm and be sent from 2:00 pm to 3:00 pm. The key tcpao2 will be accepted from 2:30 pm to 4:30 pm and be sent from 3:00 pm to 4:00 pm. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.

Router(config)# key chain kc1 tcp
Router(config-keychain)# key 1
Router(config-keychain-key)# send-id 215
Router(config-keychain-key)# recv-id 215
Router(config-keychain-key)# key-string tcpao1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# cryptographic-algorithm hmac-sha-1
Router(config-keychain-key)# include-tcp-options
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# send-id 215
Router(config-keychain-key)# recv-id 215
Router(config-keychain-key)# key-string tcpao2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# cryptographic-algorithm hmac-sha-1
Router(config-keychain-key)#
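The lifetime overlap described in the examples above can be checked mechanically before a rollover is deployed. The following Python sketch is an added example, not part of the Cisco documentation: it parses the accept-lifetime and send-lifetime lines of a key chain, confirms each key is accepted for at least 30 minutes before and after it is sent, and confirms there is no period in which no key is sent. The function names, the min_leeway parameter and the sample text are assumptions made for this illustration, and only the duration form of the lifetime commands is handled.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the chain1 keys from the examples above, prompts stripped.
SAMPLE = """\
key chain chain1
 key 1
  key-string key1
  accept-lifetime 13:30:00 Jan 25 1996 duration 7200
  send-lifetime 14:00:00 Jan 25 1996 duration 3600
 key 2
  key-string key2
  accept-lifetime 14:30:00 Jan 25 1996 duration 7200
  send-lifetime 15:00:00 Jan 25 1996 duration 3600
"""
# Only the "hh:mm:ss Month date year duration seconds" form is handled.
LIFETIME = re.compile(
    r"^\s*(accept|send)-lifetime (\d\d:\d\d:\d\d \w{3} \d{1,2} \d{4}) duration (\d+)\s*$")
KEY = re.compile(r"^\s*key (\d+)\s*$")

def parse_keys(text):
    """Return {key_id: {"accept": (start, end), "send": (start, end)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        if m := KEY.match(line):
            current = keys.setdefault(int(m.group(1)), {})
        elif (m := LIFETIME.match(line)) and current is not None:
            start = datetime.strptime(m.group(2), "%H:%M:%S %b %d %Y")
            current[m.group(1)] = (start, start + timedelta(seconds=int(m.group(3))))
    return keys

def audit(keys, min_leeway=1800):
    """Return findings; an empty list means the rollover schedule is sound."""
    timed = {k: w for k, w in keys.items() if {"accept", "send"} <= w.keys()}
    findings = [f"key {k}: lifetimes not in duration form, not audited" for k in sorted(keys.keys() - timed.keys())]
    ordered = sorted(timed.items(), key=lambda kv: kv[1]["send"][0])
    for kid, w in ordered:  # accept window must bracket the send window
        before = (w["send"][0] - w["accept"][0]).total_seconds()
        after = (w["accept"][1] - w["send"][1]).total_seconds()
        if min(before, after) < min_leeway:
            findings.append(f"key {kid}: leeway {int(min(before, after))}s is under {min_leeway}s")
    for (a, wa), (b, wb) in zip(ordered, ordered[1:]):  # send windows must not leave a gap
        gap = (wb["send"][0] - wa["send"][1]).total_seconds()
        if gap > 0:
            findings.append(f"keys {a}->{b}: nothing is sent for {int(gap)}s")
    return findings

if __name__ == "__main__":
    print(audit(parse_keys(SAMPLE)) or "rollover schedule is sound")
```

A gap between send windows means updates leave the router with no valid key for that period, and a leeway smaller than the expected clock skew means a neighbor can start sending a key before this router accepts it.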