IP Routing Protocol-Independent Commands

This chapter contains the following sections:

cryptographic-algorithm

To set a cryptographic algorithm to apply when using the key string configured for the key ID, use the cryptographic-algorithm command in Key Chain Key Configuration mode. To disable the cryptographic algorithm for the key ID, use the no form of this command.

Syntax

cryptographic-algorithm {md5 | hmac-sha-1 | hmac-sha-256 | hmac-sha-384 | hmac-sha-512}

no cryptographic-algorithm

Parameters

  • md5— Use MD5 as the cryptographic algorithm.

  • hmac-sha-1— Use HMAC-SHA-1 as the cryptographic algorithm.

  • hmac-sha-256— Use HMAC-SHA-256 as the cryptographic algorithm.

  • hmac-sha-384— Use HMAC-SHA-384 as the cryptographic algorithm.

  • hmac-sha-512— Use HMAC-SHA-512 as the cryptographic algorithm.

Default Configuration

The cryptographic algorithm is not set by default.

Command Mode

Key Chain Key Configuration mode

User Guidelines

Configuring the cryptographic-algorithm command defines the algorithm to use for each key in the key-chain. The same algorithm must be configured for the same key ID on the link partner interface.

Configuring a cryptographic algorithm for a key is mandatory for OSPF key-chain based authentication (command ip ospf authentication with key-chain option). If a key-chain used for OSPF authentication includes a key-id not configured with a cryptographic algorithm, then:

  • If this is the only key in the key-chain, then OSPF packets are not sent on the IP interface and OSPF packets received on the IP interface are dropped.

  • If the key-chain includes additional keys then only the keys configured with a cryptographic algorithm will be used. If a certain time-range (commands accept-lifetime or send-lifetime) is covered only by the key without a cryptographic algorithm, then during this time-range OSPF packets are not sent on the IP interface and OSPF packets received on the IP interface are dropped.

RIP key-chain based authentication (command ip rip authentication key-chain) supports only MD5 authentication. Therefore:

  • If a "cryptographic-algorithm" was not configured for a key, then RIP authentication will use the specified key using the MD5 algorithm.

  • If a "cryptographic-algorithm" was used to configure MD5 algorithm for a key, then RIP authentication will use the specified key using the MD5 algorithm.

  • If a "cryptographic-algorithm" was used to configure any other (non MD5) algorithm for a key, then the key will not be used for RIP authentication.

Example

The following example configures a key chain called keychain1, with a key named string1.

The cryptographic algorithm is set to hmac-sha-256:

switchxxxxxx(config)# key chain keychain1
switchxxxxxx(config-keychain)# key 1
switchxxxxxx(config-keychain-key)# key-string string1
switchxxxxxx(config-keychain-key)# cryptographic-algorithm hmac-sha-256
switchxxxxxx(config-keychain-key)# exit

directed-broadcast

Use the directed-broadcast IP Interface Configuration mode command to enable the translation of a directed broadcast to physical broadcasts. Use the no form of this command to disable this function.

Syntax

directed-broadcast

no directed-broadcast

Default Configuration

Translation of a directed broadcast to physical broadcasts is disabled. All IP directed broadcasts are dropped.

Command Mode

IP Configuration mode

Example

The following example enables the translation of a directed broadcast to physical broadcasts.

switchxxxxxx(config)# interface ip 192.168.1.1
switchxxxxxx(config-ip)# directed-broadcast

distance (IP)

To define an administrative distance for routes that are inserted into the routing table, use the distance command in global configuration mode. To return the administrative distance to its default distance definition, use the no form of this command.

Syntax

distance {static | rip} distance

no distance {static | rip}

distance ospf {inter-as | intra-as} distance

no distance ospf {inter-as | intra-as}

Parameters

  • static—Administrative distance for static routes

  • rip—Administrative distance for RIP routes

  • ospf—Administrative distance for OSPF for IPv6 routes.

  • ospf inter-as—Administrative distance for OSPF routes from one Autonomous System to another Autonomous System (LSAs type 5 and type 7 routes, external 2 metric).

  • ospf intra-as—Administrative distance for OSPF routes within an Autonomous System (Internal and External 1 metric.

  • distance—Administrative distance. An integer from 1 to 255. A value of 0 is reserved for connected routes that cannot be changed.

Default Configuration

static—1

rip—120

ospf intra-as—30

ospf inter-as—110

Command Mode

Interface Configuration mode

User Guidelines

Use the ip policy route-map command to enable policy routing on an interface. The actual policy routing will take a place if an IP address is defined on the interface.

The IP packets matched to the route-map conditions specified by the route map with the map-tag name will take a route depended on the action of the matched ACL:

  • permit—The route specified by the set command Policy routing.

  • deny—The route specified by the IP Forwarding table (regular routing).

  • Name of the route map to use for policy routing. The name must match a map-tag value specified by a route-map (Policy Routing) command.

The not matched IP packets will be forwarded using the obvious shortest path.

IP policy routing on a Layer 2 interface is performed only when IP interface is defined, its status is UP, and the next hop is reachable. If the IP policy routing is not applied then the matched IP packets will be forwarded using the obvious shortest path.

Note. Of course, like in the case of regular IP Routing Policy Based IP Router routes only MAC "tome" IP frames.

IP policy routing cannot be configured on an interface together with the following features:

  • VLAN ACL

Example

The following example shows how to configure policy routing:

switchxxxxxx(config)# ip access-list extended pr-acl1
switchxxxxxx(config-ip-al)# permit tcp any any 156.12.5.0 0.0.0.255 any
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# ip access-list extended pr-acl2
switchxxxxxx(config-ip-al)# permit tcp any any 156.122.5.0 0.0.0.255 any
switchxxxxxx(config-ip-al)# exit
switchxxxxxx(config)# route-map pbr 10
switchxxxxxx(config-route-map)# match ip address access-list pr-acl1
switchxxxxxx(config-route-map)# set ip next-hop 56.1.1.1
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config)# route-map pbr 20
switchxxxxxx(config-route-map)# match ip address access-list pr-acl2
switchxxxxxx(config-route-map)# set ip next-hop 50.1.1.1
switchxxxxxx(config-route-map)# exit
switchxxxxxx(config)# interface vlan 1
switchxxxxxx(config-if)# ip policy route-map pbr 
switchxxxxxx(config-if)# exit

ip route

To establish static routes, use the ip route command in global configuration mode. To remove static routes, use the no form of this command.

Syntax

ip route prefix {mask | /prefix-length} {{ip-address [metric value]} | reject-route}

no ip route prefix {mask | /prefix-length} [ip-address]

Parameters

  • prefix—IP route prefix for the destination.

  • mask—Prefix mask for the destination.

  • / prefix-length—Prefix mask for the destination.Specifies the number of bits that comprise the IP address prefix. The prefix length must be preceded by a forward slash (/). (Range: 0–32)

  • ip-address—IP address of the next hop that can be used to reach that network.

  • metric value—Metric of the route. The default metric is 4 for the Next Hop on an In-Band interface . Range: 1–255.

  • reject-route—Stopping routing to the destination network.

Default Configuration

No static routes are established.

Command Mode

Global Configuration mode

User Guidelines

Use the no ip route command without the ip-address parameter to remove all static routes to the given subnet.

Use the no ip route command with the ip-address parameter to remove only one static route to the given subnet via the given next hop.

Examples

Example 1—The following example shows how to route packets for network 172.31.0.0 to a router at 172.31.6.6 using mask: 

switchxxxxxx(config)# ip route 172.31.0.0 255.255.0.0 172.31.6.6 metric 2

Example 2—The following example shows how to route packets for network 172.31.0.0 to a router at 172.31.6.6 using prefix length : 

switchxxxxxx(config)# ip route 172.31.0.0 /16 172.31.6.6 metric 2

Example 3—The following example shows how to reject packets for network 194.1.1.0: 

switchxxxxxx(config)# ip route 194.1.1.0 255.255.255.0 reject-route

Example 4—The following example shows how to remove all static routes to network 194.1.1.0/24: 

switchxxxxxx(config)# no ip route 194.1.1.0 /24

Example 5—The following example shows how to remove one static route to network 194.1.1.0/24 via 1.1.1.1: 

switchxxxxxx(config)# no ip route 194.1.1.0 /24 1.1.1.1

ip routing

To enable IP routing, use the ip routing command in global configuration mode. To disable IP routing, use the no form of this command.

Syntax

ip routing

no ip routing

Parameters

This command has no arguments or keywords.

Default Configuration

IP routing is enabled.

Command Mode

Global Configuration mode

User Guidelines

Use the command to enable IP Routing.

Example The following example enables IP routing

switchxxxxxx(config)# ip routing

key (key chain)

To identify an authentication key on a key chain, use the key command in key-chain configuration mode. To remove the key from the key chain, use the no form of this command.

Syntax

key key-id

no key key-id

Parameters

  • key-id—Identification number of an authentication key on a key chain. The range of keys is from 1 to 255. The key identification numbers need not be consecutive. The scope of a key identification number is the key chain where the key is defined.

Default Configuration

No key exists on the key chain.

Command Mode

Key-Chain Configuration mode

User Guidelines

It is useful to have multiple keys on a key chain so that the software can sequence through the keys as they become invalid after time, based on the accept-lifetime and send-lifetime key chain key command settings.

Each key has its own key identifier, which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and authentication key in use. Only one authentication packet is sent, regardless of the number of valid keys. The software starts looking at the lowest key identifier number and uses the first valid key.

If the last key expires, authentication will be finished with error.

To remove all keys, remove the key chain by using the no key chain command.

Example

The following example configures a key chain named chain1. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences: 


switchxxxxxx(config)# key 1
switchxxxxxx(config)# key chain chain1
switchxxxxxx(config-keychain)# key 1
switchxxxxxx(config-keychain-key)# key-string key1
switchxxxxxx(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 2011 duration 7200
switchxxxxxx(config-keychain-key)# send-lifetime 14:00:00 Jan 25 2011 duration 3600
switchxxxxxx(config-keychain-key)# exit
switchxxxxxx(config-keychain)# key 2
switchxxxxxx(config-keychain-key)# key-string key2
switchxxxxxx(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 2011 duration 7200
switchxxxxxx(config-keychain-key)# send-lifetime 15:00:00 Jan 25 2011 duration 3600
switchxxxxxx(config-keychain-key)# exit
switchxxxxxx(config-keychain)# exit
switchxxxxxx(config)# router rip
switchxxxxxx(config-rip)# network 172.19.1.1
exit
switchxxxxxx(config)# interface ip 172.19.1.1
switchxxxxxx(config-ip)# ip rip authentication mode md5
switchxxxxxx(config-ip)# ip rip authentication key-chain chain1
switchxxxxxx(config-ip)# exit

show distance

To display the distance of the IP routing protocols, use the show distance command in user EXEC or privileged EXEC mode.

Syntax

show distance

Parameters

This command has no arguments or keywords.

Command Mode

User EXEC mode

Privileged EXEC mode

User Guidelines

Use the command to display the distance of the IP routing protocols.

Example

The following is sample output from the show distance command:

switchxxxxxx# show distance
Protocol Distance
------- --------
connected 0
static 1
rip 120
ospf intra-as 30
ospf inter-as 110

show ip route

To display the current state of the routing table, use the show ip route command in user EXEC or privileged EXEC mode.

Syntax

show ip route [address ip-address {mask [longer-prefixes]} [protocol | static | rejected | icmp | connected]

Parameters

  • address ip-address—IP address about which routing information should be displayed.

  • mask—The value of the subnet mask.

  • longer-prefixes—Specifies that only routes matching the IP address and mask pair should be displayed.

  • protocol—The name of the origin of the protocol to be displayed. Use one of the following arguments:

  • connected—Displays connected routes.

  • icmp—Displays routes added by ICMP Direct.

  • rejected—Displays rejected routes.

  • static—Displays static routes.

Command Mode

User EXEC mode

Privileged EXEC mode

User Guidelines

Use this command without parameters to display the whole IPv4 Routing table.

Use this command with parameters to specify required routes.

Examples

Example 1. The following is sample output from the show ip route command when IP Routing is not enabled: 

switchxxxxxx# show ip route
Maximum Parallel Paths: 1 (1 after reset)IP Forwarding: disabled
Codes: > - best, C - connected, S - static, I - ICMP
IP Routing Table - 5 entries
Code IP Route Distance/ Next Hop Last Time Outgoing
 Metric IP Address Updated Interface
------ ------------------- ----------- --------------- ------------- ------------
S 10.10.0.0/16 1/2 10.119.254.244 00:02:22 vlan2
S> 10.10.0.0/16 1/1 10.120.254.244 00:02:22 vlan3
S> 10.16.2.0/24 1/1 10.119.254.244 00:02:22 vlan2
C> 10.119.0.0/16 0/1 0.0.0.0 vlan2
C> 10.120.0.0/16 0/1 0.0.0.0 vlan3

show ip route summary

Use the show ip route summary command in User EXEC or Privileged EXEC mode to display the current contents of the IP routing table in summary format.

Syntax

show ip route summary

Command Mode

User EXEC mode

Privileged EXEC mode

User Guidelines

Example

The following is sample output from the show ip route summary command: 

switchxxxxxx# show ip route summary
IP Routing Table Summary - 90 entries
35 connected, 25 static, 12 RIP
Number of prefixes:
/16: 16, /18: 10, /22: 15, /24: 15, /28: 2, /30: 12