To configure the capability of sending and receiving additional paths to and from the BGP peers, use the additional-paths command. To disable this feature, use the no form of this command.
additional-paths { receive | selection route-map map-name | send | install backup }
receive | Enables the receive capability of additional paths for all of the neighbors under this address family for which the capability has not been disabled. |
selection | Specifies the capability of selecting additional paths for a prefix. |
route-map | Specifies the route map for the additional paths selection. |
map-name | Route map name. The maximum size is 63 alphanumeric characters. |
send | Enables the send capability of additional paths for all of the neighbors under this address family for which the capability has not been disabled. |
install backup | Enables BGP to install the backup path to the routing table. |
None
address-family configuration mode
Release | Modification |
---|---|
6.2(8) | Added the install backup keywords. |
6.1(1) | This command was introduced. |
The additional-paths install backup command enables BGP to install the backup path to the routing table. This command is required to support the BGP PIC edge active-backup path scenario.
Note | The additional-paths install backup command is supported only with IPv4 unicast address-families. |
This command does not require a license.
This example shows how to enable the additional paths send and receive capability for all neighbors under the specified address family for which this capability has not been disabled:
switch# configure terminal
switch(config)# feature bgp
switch(config)# router bgp 64496
switch(config-router)# address-family ipv4 unicast
switch(config-router-af)# additional-paths send
switch(config-router-af)# additional-paths receive
switch(config-router-af)#
This example shows how to configure the additional paths selection under the specified address family:
switch# configure terminal
switch(config-router)# address-family ipv4 unicast
switch(config-router-af)# additional-paths selection route-map PATH_SELECTION_RMAP
switch(config-router-af)#
This example shows how to configure the backup path to the routing table:
switch# configure terminal
switch(config)# router bgp 100
switch(config-router)# address-family ipv4 unicast
switch(config-router-af)# additional-paths install backup
Command | Description |
---|---|
address family (BGP) | Enters the address family configuration mode for BGP. |
show vrrp | Displays VRRP configuration information. |
To add a single, primary IP address to a virtual router, use the address command. To remove an IP address from a virtual router, use the no form of this command.
address ip-address [secondary]
no address
ip-address | Virtual router address (IPv4). This address should be in the same subnet as the interface IP address. |
secondary | (Optional) Specifies a secondary virtual router address. |
None
VRRP configuration mode
Release | Modified |
---|---|
4.0(1) | This command was introduced. |
You can configure one virtual router IP address for a virtual router. If the configured IP address is the same as the interface IP address, this switch automatically owns the IP address. You can configure an IPv4 address only.
The master VRRP router drops the packets addressed to the virtual router's IP address because the virtual router is only intended as a next-hop router to forward packets. In NX-OS devices, some applications require that packets addressed to the virtual router's IP address be accepted and delivered. By using the secondary option to the virtual router IPv4 address, the VRRP router will accept these packets when it is the master.
This command does not require a license.
This example shows how to configure a virtual router IP address:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# vrrp 250
switch(config-if-vrrp)# address 10.0.0.10
This example shows how to remove all the IP addresses (primary and secondary) using a single command:
switch# configure terminal
switch(config-if-vrrp)# show run interface ethernet 9/10
version 4.0(1)
interface Ethernet9/10
  vrrp 1
    address 10.10.10.10
    address 10.10.10.11 secondary
  ip address 10.10.10.1/24
  no shutdown
switch(config-if-vrrp)# no address
switch(config-if-vrrp)# show run int e9/10
version 4.0(1)
interface Ethernet9/10
  vrrp 1
  ip address 10.10.10.1/24
  no shutdown
switch(config-if-vrrp)#
Command | Description |
---|---|
show vrrp | Displays VRRP configuration information. |
clear vrrp | Clears all the software counters for the specified virtual router. |
To enter the address family mode or a virtual routing and forwarding (VRF) address-family mode and configure submode commands for the Border Gateway Protocol (BGP), use the address-family command. To disable the address family submode for configuring routing protocols, use the no form of this command.
address-family { ipv4 | ipv6 } { multicast | unicast }
no address-family { ipv4 | ipv6 } { multicast | unicast }
ipv4 | Specifies the IPv4 address family. |
ipv6 | Specifies the IPv6 address family. |
multicast | Specifies multicast address support. |
unicast | Specifies unicast address support. |
This command has no default settings.
Router configuration
Neighbor configuration
VRF configuration
Release | Modification |
---|---|
6.2(8) | Added support for IPv6 sessions. |
4.0(1) | This command was introduced. |
Use the address-family command to enter various address family configuration modes while configuring BGP routing. When you enter the address-family command from router configuration mode, you enable the address family and enter global address family configuration mode. The prompt changes to switch(config-router-af)#.
You must configure the address families if you are using route redistribution, address aggregation, load balancing, and other advanced features. IPv4 neighbor sessions support IPv4 unicast and multicast address families. IPv6 neighbor sessions support IPv6 unicast and multicast address families.
Note | Beginning with Cisco NX-OS Release 6.2(8) you can configure the address-family ipv4 unicast command in an IPv6 session. |
From the address family configuration mode, the following parameters are available:
Note | This applies to IPv4 multicast or unicast and IPv6 multicast or unicast. |
Note | When enabled, the default-metric command applies a metric value of 0 to redistributed connected routes. The default-metric command does not override metric values that are applied with the redistribute command. |
Caution | Changing the administrative distance of internal BGP routes is considered dangerous and is not recommended. Improper configuration can introduce routing table inconsistencies and break routing. |
Use the neighbor command to enter neighbor address family configuration mode while configuring BGP routing. From the BGP neighbor configuration mode, you can perform the following actions:
This command requires the Enterprise Services license.
This example shows how to place the router in global address family configuration mode for the IPv4 unicast address family:
switch# configure terminal
switch(config)# feature bgp
switch(config)# router bgp 64496
switch(config-router)# address-family ipv4 unicast
switch(config-router-af)#
This example shows how to activate IPv4 multicast for neighbor 192.0.2.1 and place the device in neighbor address family configuration mode for the IPv4 multicast address family:
switch# configure terminal
switch(config)# feature bgp
switch(config)# router bgp 64496
switch(config-router)# address-family ipv4 multicast
switch(config-router-af)# exit
switch(config-router)# neighbor 192.0.2.1
switch(config-router-neighbor)# remote-as 64496
switch(config-router-neighbor)# address-family ipv4 multicast
switch(config-router-neighbor-af)#
Command | Description |
---|---|
aggregate-address | Configures BGP summary addresses. |
client-to-client | Configures route reflection. |
dampening | Configures route flap dampening. |
default-metric (BGP) | Configures the default metric for routes redistributed into BGP. |
distance (BGP) | Configures the administrative distance. |
feature bgp | Enables BGP configuration. |
maximum-paths (BGP) | Configures the maximum number of equal-cost paths. |
redistribute (BGP) | Configures route redistribution for BGP. |
timers (BGP) | Configures the BGP timers. |
To configure an address family for the Enhanced Interior Gateway Routing Protocol (EIGRP), use the address-family command in router configuration mode.
address-family { ipv4 | ipv6 } unicast
ipv4 | Specifies the IPv4 address family. |
ipv6 | Specifies the IPv6 address family. |
unicast | Specifies unicast address support. |
None
Router configuration
Address family configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
4.1(2) | The ipv6 keyword was added. |
This command requires the Enterprise license.
This example shows how to set the IPv4 unicast address family for an EIGRP instance:
switch# configure terminal
switch(config)# router eigrp 201
switch(config-router)# address-family ipv4 unicast
Command | Description |
---|---|
default-information | Controls the distribution of a default route. |
default-metric | Configures the default metric for routes redistributed into EIGRP. |
distance | Configures the administrative distance. |
maximum-paths | Configures the maximum number of equal-cost paths. |
redistribute | Configures route redistribution for EIGRP. |
router-id | Configures the router ID. |
timers | Configures the EIGRP timers. |
To enter the address family mode or a virtual routing and forwarding (VRF) address-family mode and configure submode commands for the Intermediate System-to-Intermediate System Intradomain Routing Protocol (IS-IS), use the address-family command. To disable the address family submode for configuring routing protocols, use the no form of this command.
address-family { ipv4 | ipv6 } unicast
no address-family { ipv4 | ipv6 } unicast
ipv4 | Specifies the IPv4 address family. |
ipv6 | Specifies the IPv6 address family. |
unicast | Specifies unicast address support. |
None
Router configuration
VRF configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
Use the address-family command to enter various address family configuration modes while configuring IS-IS routing. When you enter the address-family command from configuration mode, you enable the address family and enter global address family configuration mode. The prompt changes to switch(config-router-af)#.
You must configure the address families if you are using route redistribution, address aggregation, load balancing, and other advanced features. IPv4 neighbor sessions support IPv4 unicast address families.
IPv6 neighbor sessions support IPv6 unicast address families.
From the address family configuration mode, the following configuration modes are available:
Use the no adjacency-check command in address-family configuration mode to suppress the consistency checks for IPv6 IS-IS and allow an IPv4 IS-IS router to form an adjacency with a router running IPv4 IS-IS and IPv6. IS-IS will never form an adjacency between a router running IPv4 IS-IS only and a router running IPv6 only.
Use the no adjacency-check configuration mode command to suppress the IPv4 subnet consistency check and allow IS-IS to form an adjacency with other routers regardless of whether or not they have an IPv4 subnet in common. By default, IS-IS makes checks in hello packets for IPv4 address subnet matching with a neighbor.
Tip | Use the debug isis adjacency packets command in privileged EXEC mode to check for adjacency errors. Error messages in the output may indicate where routers are failing to establish adjacencies. |
This command requires the Enterprise Services license.
This example shows how to place the router in address family configuration mode and specify unicast address prefixes for the IPv4 address family:
switch# configure terminal
switch(config)# router isis 100
switch(config-router)# address-family ipv4 unicast
switch(config-router-af)#
This example shows how to redistribute directly connected routes into IS-IS. This example advertises only 10.1.0.0 into the IS-IS level-1 link-state PDU.
switch# configure terminal
switch(config)# router isis 100
switch(config-router)# address-family ipv4 unicast
switch(config-router-af)# redistribute direct route-map core1
switch(config-router-af)# summary-address 10.1.0.0 255.255.0.0
This example shows how to introduce IPv6 into an existing IPv4 IS-IS network. To ensure that the checking of hello packets from adjacent neighbors is disabled until all the neighbor routers are configured to use IPv6, enter the no adjacency-check command.
switch# configure terminal
switch(config)# router isis test2
switch(config-router)# address-family ipv6 unicast
switch(config-router-af)# no adjacency-check
Command | Description |
---|---|
feature isis | Enables IS-IS on the router. |
router isis | Enables IS-IS. |
To enter address family mode for the Open Shortest Path First version 3 (OSPFv3) protocol, use the address-family command.
address-family ipv6 unicast
ipv6 | Specifies the IPv6 address family. |
unicast | Specifies unicast address support. |
This command has no default settings.
Router configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
This command requires the Enterprise Services license.
This example shows how to enter the IPv6 unicast address family for an OSPFv3 instance:
switch# configure terminal
switch(config)# router ospfv3 Enterprise
switch(config-router)# address-family ipv6 unicast
switch(config-router-af)#
Command | Description |
---|---|
default-information (OSPFv3) | Controls the distribution of a default route. |
default-metric (OSPFv3) | Configures the default metric for routes redistributed into OSPFv3. |
distance (OSPFv3) | Configures the administrative distance. |
maximum-paths (OSPFv3) | Configures the maximum number of equal-cost paths. |
redistribute (OSPFv3) | Configures route redistribution for OSPFv3. |
timers (OSPFv3) | Configures the OSPFv3 timers. |
To configure an address family for the Routing Information Protocol (RIP), use the address-family command in router configuration mode.
address-family { ipv4 | ipv6 } unicast
ipv4 | Specifies the IPv4 address family. |
ipv6 | Specifies the IPv6 address family. |
unicast | Specifies unicast address support. |
This command has no default settings.
Router configuration
Release | Modification |
---|---|
6.1(1) | Added IPv6 keyword to the syntax description. |
4.0(1) | This command was introduced. |
This command does not require a license.
This example shows how to set the IPv4 unicast address family for a RIP instance:
switch# configure terminal
switch(config)# router rip Enterprise
switch(config-router)# address-family ipv4 unicast
This example shows how to set the IPv6 unicast address family for a RIP instance:
switch# configure terminal
switch(config)# router rip Enterprise
switch(config-router)# address-family ipv6 unicast
switch(config-router-af)#
Command | Description |
---|---|
default-information | Controls the distribution of a default route. |
default-metric | Configures the default metric for routes redistributed into RIP. |
distance | Configures the administrative distance. |
maximum-paths | Configures the maximum number of equal-cost paths. |
redistribute | Configures route redistribution for RIP. |
timers | Configures the RIP timers. |
To enter address family configuration mode for configuring Intermediate System-to-Intermediate System (IS-IS) routing sessions that use standard IPv6 address prefixes, use the address-family ipv6 command. To disable the address family submode for configuring routing protocols, use the no form of this command.
address-family ipv6 unicast
no address-family ipv6 unicast
unicast | Specifies IPv6 unicast address prefixes. |
None.
Router configuration
Release | Modification |
---|---|
6.2(2) | This command was introduced. |
Use the address-family ipv6 command to enter various address family configuration modes while configuring IS-IS routing. You must enter the address-family ipv6 command from router isis configuration mode. The prompt changes to switch(config-router-af)#:
switch# configure terminal
switch(config)# router isis 100
switch(config-router)# address-family ipv6
switch(config-router-af)#
You must configure the address families if you are using route redistribution, address aggregation, load balancing, and other advanced features.
From the address family configuration mode, the following configuration modes are available:
Use the no adjacency-check command in address-family configuration mode to suppress the consistency checks for IPv6 IS-IS and allow an IPv4 IS-IS router to form an adjacency with a router running IPv4 IS-IS and IPv6. IS-IS will never form an adjacency between a router running IPv4 IS-IS only and a router running IPv6 only.
Tip | Use the debug isis adjacency packets command in privileged EXEC mode to check for adjacency errors. Error messages in the output may indicate where routers are failing to establish adjacencies. |
This command requires the Enterprise Services license.
This example shows how to place the router in address family configuration mode and specify unicast address prefixes for the IPv6 address family:
switch# configure terminal
switch(config)# router isis 100
switch(config-router)# address-family ipv6 unicast
switch(config-router-af)#
This example shows how to ensure that the checking of hello packets from adjacent neighbors is disabled until all the neighbor routers are configured to use IPv6:
switch# configure terminal
switch(config)# router isis test2
switch(config-router)# address-family ipv6 unicast
switch(config-router-af)# no adjacency-check
Command | Description |
---|---|
address-family (IS-IS) | Enters the address family configuration mode for IS-IS. |
feature isis | Enables IS-IS on the router. |
router isis | Enables IS-IS. |
To enable strict adjacency mode for the IPv4 and IPv6 address, use the adjacency-check command. To disable this feature, use the no form of this command.
adjacency-check
no adjacency-check
This command has no arguments or keywords.
None.
address-family configuration mode
Release | Modification |
---|---|
6.1(1) | This command was introduced. |
This command does not require a license.
This example shows how to configure the adjacency's protocol support consistency check:
switch# configure terminal
switch(config)# router isis Enterprise
switch(config-router)# address-family ipv4 unicast
switch(config-router-af)# adjacency-check
Command | Description |
---|---|
feature isis | Enables IS-IS. |
To configure Border Gateway Protocol (BGP) conditional advertisement, use the advertise-map command. To remove BGP conditional advertisement, use the no form of this command.
advertise-map adv-map { exist-map exist-rmap | non-exist-map nonexist-rmap }
adv-map | Route map with match statements that the route must pass before BGP passes the route to the next route map. The adv-map is a case-sensitive, alphanumeric string up to 63 characters. |
exist-map exist-rmap | Specifies a route map with match statements for a prefix list. A prefix in the BGP table must match a prefix in the prefix list before BGP will advertise the route. The exist-rmap is a case-sensitive, alphanumeric string up to 63 characters. |
non-exist-map nonexist-rmap | Specifies a route map with match statements for a prefix list. A prefix in the BGP table must not match a prefix in the prefix list before BGP will advertise the route. The nonexist-rmap is a case-sensitive, alphanumeric string up to 63 characters. |
None
BGP neighbor address-family command mode
Release | Modification |
---|---|
4.2(1) | This command was introduced. |
Use the advertise-map command to conditionally advertise selected routes. The routes or prefixes that BGP conditionally advertises are defined in two route maps, the adv-map and an exist-map or nonexist-map. The exist-map or nonexist-map specifies the prefix that BGP tracks. The adv-map specifies the prefix that BGP advertises to the specified neighbor when the condition is met.
This command requires the Enterprise Services license.
This example shows how to configure BGP conditional advertisement:
switch# configure terminal
switch(config)# router bgp 65536
switch(config-router)# neighbor 192.0.2.2 remote-as 65537
switch(config-router-neighbor)# address-family ipv4 unicast
switch(config-router-neighbor-af)# advertise-map advertise exist-map exist
switch(config-router-neighbor-af)# exit
switch(config-router-neighbor)# exit
switch(config-router)# exit
switch(config)# route-map advertise
switch(config-route-map)# match as-path pathList
switch(config-route-map)# exit
switch(config)# route-map exist
switch(config-route-map)# match ip address prefix-list plist
switch(config-route-map)# exit
switch(config)# ip prefix-list plist permit 209.165.201.0/27
Command | Description |
---|---|
feature bgp | Enables BGP. |
To specify the time interval between the advertisement packets that are being sent to other Virtual Router Redundancy Protocol (VRRP) routers in the same group, use the advertisement-interval command. To return to the default interval value of 1 second, use the no form of this command.
advertisement-interval seconds
no advertisement-interval
seconds | Number of seconds between advertisement frames being sent. For IPv4, the range is from 1 to 255 seconds. |
1 second
VRRP configuration
Release | Modified |
---|---|
4.0(1) | This command was introduced. |
VRRP advertisements communicate the priority and state of the virtual router master. The advertisements are encapsulated in IP packets and are sent to the IPv4 multicast address that is assigned to the VRRP group.
VRRP uses a dedicated Internet Assigned Numbers Authority (IANA) standard multicast address (224.0.0.18) for VRRP advertisements. This addressing scheme minimizes the number of routers that must service the multicasts and allows test equipment to accurately identify VRRP packets on a segment. The IANA-assigned VRRP IP protocol number is 112.
This command does not require a license.
This example shows how to specify an advertisement interval of 200 seconds for VRRP group 250:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# vrrp 250
switch(config-if-vrrp)# advertisement-interval 200
Command | Description |
---|---|
show vrrp | Displays VRRP configuration information. |
clear vrrp | Clears all the software counters for the specified virtual router. |
To create a summary address in a Border Gateway Protocol (BGP) routing table, use the aggregate-address command. To remove the summary address, use the no form of this command.
aggregate-address address / length [ advertise-map map-name ] [as-set] [ attribute-map map-name ] [summary-only] [ suppress-map map-name ]
no aggregate-address address /mask-length [ advertise-map map-name ] [as-set] [ attribute-map map-name ] [summary-only] [ suppress-map map-name ]
address/length | Aggregate IP address and mask length. Valid values for length are as follows: |
advertise-map map-name | (Optional) Specifies the name of the route map used to select attribute information from specific routes. |
as-set | (Optional) Generates the autonomous system set path information and community information from the contributing paths. |
attribute-map map-name | (Optional) Specifies the name of the route map used to set the attribute information for specific routes. The map-name is an alphanumeric string up to 63 characters. |
summary-only | (Optional) Filters all more-specific routes from updates. |
suppress-map map-name | (Optional) Specifies the name of the route map used to conditionally filter more specific routes. The map-name is an alphanumeric string up to 63 characters. |
The atomic aggregate attribute is set automatically when an aggregate route is created with this command unless the as-set keyword is specified.
Address-family configuration
Neighbor address-family configuration
Router BGP configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
You can implement aggregate routing in BGP and mBGP either by redistributing an aggregate route into BGP or mBGP, or by using the conditional aggregate routing feature.
Using the aggregate-address command with no keywords will create an aggregate entry in the BGP or mBGP routing table if any more-specific BGP or mBGP routes are available that fall within the specified range. (A longer prefix which matches the aggregate must exist in the RIB.) The aggregate route will be advertised as coming from your autonomous system and will have the atomic aggregate attribute set to show that information might be missing. (By default, the atomic aggregate attribute is set unless you specify the as-set keyword.)
Using the as-set keyword creates an aggregate entry using the same rules that the command follows without this keyword, but the path advertised for this route will be an AS_SET consisting of all elements contained in all paths that are being summarized. Do not use this form of the aggregate-address command when aggregating many paths, because this route must be continually withdrawn and updated as autonomous system path reachability information for the summarized routes changes.
Using the summary-only keyword not only creates the aggregate route (for example, 192.*.*.*) but also suppresses advertisements of more-specific routes to all neighbors. If you want to suppress only advertisements to certain neighbors, you may use the neighbor distribute-list command, with caution. If a more-specific route leaks out, all BGP or mBGP routers will prefer that route over the less-specific aggregate you are generating (using longest-match routing).
Using the suppress-map keyword creates the aggregate route but suppresses advertisement of specified routes. You can use the match clauses of route maps to selectively suppress some more-specific routes of the aggregate and leave others unsuppressed. IP access lists and autonomous system path access lists match clauses are supported.
Using the advertise-map keyword selects specific routes that will be used to build different components of the aggregate route, such as AS_SET or community. This form of the aggregate-address command is useful when the components of an aggregate are in separate autonomous systems and you want to create an aggregate with AS_SET, and advertise it back to some of the same autonomous systems. You must remember to omit the specific autonomous system numbers from the AS_SET to prevent the aggregate from being dropped by the BGP loop detection mechanism at the receiving router. IP access lists and autonomous system path access lists match clauses are supported.
Using the attribute-map keyword allows attributes of the aggregate route to be changed. This form of the aggregate-address command is useful when one of the routes forming the AS_SET is configured with an attribute such as the community no-export attribute, which would prevent the aggregate route from being exported. An attribute map route map can be created to change the aggregate attributes.
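The advertisement rules described above for the no-keyword, summary-only and suppress-map forms, and the longest-match preference that makes a leaked more-specific route win over the aggregate, can be modelled in a few lines. This Python model is an added example, not Cisco code: the function names and sample prefixes are constructed, a Python predicate stands in for the suppress-map route map, and as-set, advertise-map and attribute-map are not modelled.

```python
import ipaddress


def advertised(aggregate, bgp_table, summary_only=False, suppress=None):
    """Model which prefixes one aggregate-address statement lets BGP send.

    aggregate    -- prefix in address/length form, e.g. "10.0.0.0/8"
    bgp_table    -- prefixes currently in the local BGP table
    summary_only -- True models the summary-only keyword
    suppress     -- predicate on a network; stands in for a suppress-map
    Returns a sorted list of prefix strings.
    """
    agg = ipaddress.ip_network(aggregate)
    table = {ipaddress.ip_network(p) for p in bgp_table}

    # More-specific routes that fall within the aggregate's range.
    contributors = {p for p in table if p != agg and p.subnet_of(agg)}
    if not contributors:
        # No more-specific route exists, so no aggregate entry is created.
        return [str(p) for p in sorted(table)]

    out = (table - contributors) | {agg}
    for prefix in contributors:
        if summary_only:
            continue                      # all more-specifics are filtered
        if suppress is not None and suppress(prefix):
            continue                      # selectively suppressed
        out.add(prefix)
    return [str(p) for p in sorted(out)]


def longest_match(routes, destination):
    """Pick the route a receiving router uses: the longest matching prefix."""
    addr = ipaddress.ip_address(destination)
    nets = [ipaddress.ip_network(r) for r in routes]
    matches = [n for n in nets if addr in n]
    if not matches:
        return None
    return str(max(matches, key=lambda n: n.prefixlen))


# Constructed sample BGP table.
TABLE = ["10.1.0.0/16", "10.2.0.0/16", "192.0.2.0/24"]

if __name__ == "__main__":
    print("no keyword   :", advertised("10.0.0.0/8", TABLE))
    print("summary-only :", advertised("10.0.0.0/8", TABLE, summary_only=True))
    only_10_2 = lambda n: n == ipaddress.ip_network("10.2.0.0/16")
    print("suppress-map :", advertised("10.0.0.0/8", TABLE, suppress=only_10_2))
    # A receiver that holds the aggregate plus a leaked 10.1.0.0/16 follows
    # the more-specific route for any destination inside it.
    received = ["10.0.0.0/8", "10.1.0.0/16"]
    print("10.1.5.5 ->", longest_match(received, "10.1.5.5"))
    print("10.9.9.9 ->", longest_match(received, "10.9.9.9"))
```

When auditing a summary-only deployment, comparing the prefixes a neighbor actually receives against the output of such a model shows quickly whether a more-specific route is escaping the filter.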
This command requires the Enterprise Services license.
In this example, an aggregate BGP address is created in router configuration mode. The path advertised for this route will be an AS_SET consisting of all elements contained in all paths that are being summarized.
switch# configure terminal
switch(config)# router bgp 64496
switch(config-router)# aggregate-address 10.0.0.0 255.0.0.0 as-set
In this example, an aggregate BGP address is created in address family configuration mode and applied to the multicast database (SAFI) under the IP Version 4 address family. Because the summary-only keyword is configured, more-specific routes are filtered from updates.
switch# configure terminal
switch(config)# router bgp 64496
switch(config-router)# address-family ipv4 multicast
switch(config-router-af)# aggregate-address 10.0.0.0 255.0.0.0 summary-only
In this example, a route map called MAP-ONE is created to match on an as-path access list. The path advertised for this route will be an AS_SET consisting of elements contained in paths that are matched in the route map.
switch# configure terminal
switch(config)# ip as-path access-list 1 deny ^1234_
switch(config)# ip as-path access-list 1 permit .*
switch(config)# !
switch(config)# route-map MAP-ONE
switch(config-route-map)# match ip as-path 1
switch(config-route-map)# exit
switch(config)# router bgp 64496
switch(config-router)# address-family ipv4
switch(config-router-af)# aggregate-address 10.0.0.0 255.0.0.0 as-set advertise-map MAP-ONE
switch(config-router-af)# end
Command | Description |
---|---|
route-map | Creates a route map. |
To enable authentication for an Open Shortest Path First (OSPF) area, use the area authentication command. To remove authentication for an area, use the no form of this command.
area area-id authentication [message-digest]
no area area-id authentication [message-digest]
area-id | Identifier for the OSPF area where you want to enable authentication. Specify as either a positive integer value or an IP address. |
message-digest | (Optional) Enables Message Digest 5 (MD5) authentication on the area specified by the area-id argument. |
No authentication
Router configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
Use the area authentication command to configure the authentication mode for the entire OSPF area.
The authentication type and authentication password must be the same for all OSPF devices in an area. Use the ip ospf authentication-key command in interface configuration mode to specify this password.
If you enable MD5 authentication with the message-digest keyword, you must configure a password with the ip ospf message-digest-key command in interface configuration mode.
This command requires the Enterprise Services license.
This example shows how to configure authentication for area 0 of OSPF routing process 201:
switch# configure terminal
switch(config)# router ospf 201
switch(config-router)# area 0 authentication message-digest
switch(config-router)# interface ethernet 1/1
switch(config-if)# ip ospf area 0
switch(config-if)# ip ospf message-digest-key 10 md5 0 adcdefgh
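The rule stated above, that an area set to message-digest needs an ip ospf message-digest-key on every interface in it, lends itself to an offline check of a saved configuration. The following Python audit is an added example, not part of the Cisco documentation. Assumptions: the sample configuration is constructed in the style of the example above, there is a single OSPF instance, interface-level authentication overrides are not considered, and key type 0 means an unencrypted key, as in the OSPFv3 key-type table on this page.

```python
import ipaddress
import re

# Constructed sample in the style of the page's example; not a real device config.
SAMPLE_CONFIG = """\
router ospf 201
  area 0 authentication message-digest
  area 192.0.2.0 stub
interface Ethernet1/1
  ip ospf area 0
  ip ospf message-digest-key 10 md5 0 adcdefgh
interface Ethernet1/2
  ip ospf area 0.0.0.0
interface Ethernet1/3
  ip ospf area 192.0.2.0
interface Ethernet1/4
  ip ospf area 0
  ip ospf message-digest-key 10 md5 3 a1b2c3d4e5f6
"""

AREA_AUTH = re.compile(r"area (\S+) authentication( message-digest)?$")
# Accepts the page's "ip ospf area N" and the "ip router ospf TAG area N" form.
IF_AREA = re.compile(r"ip (?:router )?ospf (?:\S+ )?area (\S+)$")
MD5_KEY = re.compile(r"ip ospf message-digest-key \d+ md5 (?:([037]) )?\S+$")


def norm_area(area_id):
    """An area-id is an integer or an IP address; normalise both to dotted quad."""
    if area_id.isdigit():
        return str(ipaddress.IPv4Address(int(area_id)))
    return str(ipaddress.IPv4Address(area_id))


def parse_blocks(text):
    """Group indented lines under the unindented line that opens the block."""
    blocks, current = [], None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if not raw[0].isspace():
            current = (raw.strip(), [])
            blocks.append(current)
        elif current is not None:
            current[1].append(raw.strip())
    return blocks


def audit(text):
    """Return (interface, finding) tuples for OSPF authentication gaps."""
    blocks = parse_blocks(text)

    # Pass 1: authentication mode configured per area under "router ospf".
    area_mode = {}
    for head, body in blocks:
        if head.startswith("router ospf "):
            for line in body:
                m = AREA_AUTH.match(line)
                if m:
                    mode = "message-digest" if m.group(2) else "simple"
                    area_mode[norm_area(m.group(1))] = mode

    # Pass 2: compare each OSPF interface with the mode of its area.
    findings = []
    for head, body in blocks:
        if not head.lower().startswith("interface "):
            continue
        name = head.split(None, 1)[1]
        area, key_types, has_simple_key = None, [], False
        for line in body:
            m = IF_AREA.match(line)
            if m:
                area = norm_area(m.group(1))
            m = MD5_KEY.match(line)
            if m:
                key_types.append(m.group(1))
            if line.startswith("ip ospf authentication-key "):
                has_simple_key = True
        if area is None:
            continue                      # interface does not run OSPF
        mode = area_mode.get(area)
        if mode is None:
            findings.append((name, "AREA_NO_AUTH"))
        elif mode == "message-digest" and not key_types:
            findings.append((name, "MISSING_MD5_KEY"))
        elif mode == "simple" and not has_simple_key:
            findings.append((name, "MISSING_SIMPLE_KEY"))
        if "0" in key_types:
            findings.append((name, "CLEARTEXT_KEY"))  # assumed: 0 = unencrypted
    return findings


if __name__ == "__main__":
    for interface, finding in audit(SAMPLE_CONFIG):
        print(f"{interface}: {finding}")
```

Ethernet1/2 is caught only because area 0 and area 0.0.0.0 are normalised to the same identifier; a plain string comparison would miss it.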
Command | Description |
---|---|
ip ospf authentication-key | Assigns a password for simple password authentication for OSPF. |
ip ospf message-digest-key | Assigns a password for OSPF MD5 authentication. |
To enable authentication of OSPFv3 packets on a per-interface basis at the Area level, use the area authentication ipsec command. To disable the authentication of OSPFv3 packets at the area level, use the no form of this command.
area area-num authentication ipsec spi spi auth [ 0 | 3 | 7 ] key
no authentication ipsec spi spi
area-num | Area of the interfaces that need authentication. |
spi | Specifies the Security Policy Index. |
spi | Value of spi. It ranges from 256 to 4294967295. |
auth | Authentication algorithm. Its value can be md5 / sha1 / null. |
key | Authentication password. |
0 | Specifies that the authentication password is unencrypted. |
3 | Specifies that the authentication password is 3DES encrypted. |
7 | Specifies that the authentication password is Cisco type 7 encrypted. |
The OSPFv3 packets are not authenticated by default.
Router configuration (config-router).
Release |
Modification |
---|---|
7.3(0)D1(1) |
This command was introduced. |
Before running this command, ensure that you have enabled the authentication package with the feature imp command.
The following example shows how to authenticate OSPFv3 packets for all interfaces under area 0:
switch# configure terminal
switch(config)# feature imp
switch(config)# router ospfv3 1
switch(config-router)# area 0 authentication ipsec spi 301 md5 1234
Command | Description |
---|---|
authentication ipsec | Enables authentication of the OSPFv3 packets for all interfaces under the router. |
ospfv3 authentication ipsec | Enables authentication of the OSPFv3 packets per interface. |
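Added example (not part of the Cisco command reference): a Python audit of a configuration against the rules stated for area authentication and area authentication ipsec. It checks that an interface key exists for every authenticated area, that the SPI is in range, and that keys are not stored as type 0. It assumes a single OSPF process and the ip ospf area interface form used in the example above; the sample configuration is constructed and the finding codes are hypothetical names.

```python
import ipaddress
import re

SPI_MIN, SPI_MAX = 256, 4294967295  # SPI range stated for "area authentication ipsec"

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
router ospf 201
  area 0 authentication message-digest
  area 0.0.0.5 authentication
router ospfv3 1
  area 0 authentication ipsec spi 301 md5 0 1234
  area 2 authentication ipsec spi 100 sha1 7 0822455d0a16
interface ethernet 1/1
  ip ospf area 0
  ip ospf message-digest-key 10 md5 0 adcdefgh
interface ethernet 1/2
  ip ospf area 0.0.0.0
interface ethernet 1/3
  ip ospf area 5
"""

AREA_AUTH = re.compile(r"area (\S+) authentication(?: (message-digest))?")
AREA_IPSEC = re.compile(
    r"area (\S+) authentication ipsec spi (\d+) (\S+)(?: ([037]))? (\S+)")
IF_AREA = re.compile(r"ip ospf area (\S+)")
IF_MD5 = re.compile(r"ip ospf message-digest-key \d+ md5(?: ([037]))? (\S+)")


def norm_area(area_id):
    """Area IDs may be an integer or an IP address; compare them as integers."""
    if "." in area_id:
        return int(ipaddress.IPv4Address(area_id))
    return int(area_id)


def audit_ospf_auth(config):
    """Return a list of (location, code) findings, in configuration order."""
    findings = []
    area_mode = {}  # normalized area id -> "message-digest" or "simple"
    ifaces = {}     # interface line -> areas joined and keys present
    ctx = None      # current unindented (top-level) line
    for raw in config.splitlines():
        line = raw.strip()
        if not line:
            continue
        if not raw[0].isspace():  # an unindented line opens a new mode
            ctx = line
            if ctx.startswith("interface "):
                ifaces[ctx] = {"areas": [], "md5": False, "simple": False}
            continue
        if ctx is None:
            continue
        if ctx.startswith("router ospfv3 "):
            m = AREA_IPSEC.fullmatch(line)
            if m:
                loc = f"{ctx} area {m.group(1)}"
                if not SPI_MIN <= int(m.group(2)) <= SPI_MAX:
                    findings.append((loc, "SPI_OUT_OF_RANGE"))
                if m.group(4) == "0":  # 0 = password is unencrypted
                    findings.append((loc, "IPSEC_KEY_TYPE0"))
        elif ctx.startswith("router ospf "):
            m = AREA_AUTH.fullmatch(line)
            if m:
                mode = "message-digest" if m.group(2) else "simple"
                area_mode[norm_area(m.group(1))] = mode
        elif ctx.startswith("interface "):
            info = ifaces[ctx]
            m = IF_AREA.fullmatch(line)
            if m:
                info["areas"].append(norm_area(m.group(1)))
            m = IF_MD5.fullmatch(line)
            if m:
                info["md5"] = True
                if m.group(1) == "0":
                    findings.append((ctx, "MD5_KEY_TYPE0"))
            if line.startswith("ip ospf authentication-key "):
                info["simple"] = True
    # Every interface in an authenticated area needs the matching key command.
    for name, info in ifaces.items():
        for area in info["areas"]:
            mode = area_mode.get(area)
            if mode == "message-digest" and not info["md5"]:
                findings.append((name, "MISSING_MD5_KEY"))
            if mode == "simple" and not info["simple"]:
                findings.append((name, "MISSING_AUTH_KEY"))
    return findings


if __name__ == "__main__":
    for location, code in audit_ospf_auth(SAMPLE_CONFIG):
        print(f"{code:18} {location}")
```

Area IDs are normalized before comparison, so area 0.0.0.0 on an interface is matched against area 0 under the routing process.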
To specify a cost for the default summary route sent into an Open Shortest Path First (OSPF) stub or not-so-stubby area (NSSA), use the area default-cost command. To remove the assigned default route cost, use the no form of this command.
area area-id default-cost cost
no area area-id default-cost cost
area-id | Identifier for the OSPF area where you want to configure the default cost. Specify as either a positive integer value or an IP address. |
cost | Cost for the default summary route used for a stub or NSSA. The range is from 0 to 16777215. |
The summary route cost is based on the area border router that generated the summary route.
Router configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
Use the area default-cost command on an Area Border Router (ABR) attached to a stub or NSSA to configure the metric for the summary default route generated by the ABR into the stub area.
This command requires the Enterprise Services license.
This example shows how to set a default cost of 20 to stub network 192.0.2.0:
switch# configure terminal
switch(config)# router ospf 201
switch(config-router)# area 192.0.2.0 stub
switch(config-router)# area 192.0.2.0 default-cost 20
Command | Description |
---|---|
area stub | Defines an area as a stub area. |
To specify a cost for the default summary route sent into an Open Shortest Path First version 3 (OSPFv3) stub or not-so-stubby area (NSSA), use the area default-cost command. To remove the assigned default route cost, use the no form of this command.
area area-id default-cost cost
no area area-id default-cost cost
area-id | Identifier for the OSPFv3 area where you want to configure the default cost. Specify as either an IP address or a number from 0 to 4294967295. |
cost | Cost for the default summary route used for a stub or NSSA. The range is from 0 to 16777215. |
The summary route cost is based on the area border router that generated the summary route.
Address-family configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
Use the area default-cost command on an Area Border Router (ABR) attached to a stub or NSSA to configure the metric for the summary default route generated by the ABR into the stub area.
This command requires the Enterprise Services license.
This example shows how to set a default cost of 20 to stub network 33:
switch# configure terminal
switch(config)# router ospfv3 201
switch(config-router)# area 33 stub
switch(config-router)# address-family ipv6 unicast
switch(config-router-af)# area 33 default-cost 20
Command | Description |
---|---|
area stub | Defines an area as a stub area. |
To filter prefixes advertised in type 3 link-state advertisements (LSAs) between Open Shortest Path First (OSPF) areas of an Area Border Router (ABR), use the area filter-list command. To change or cancel the filter, use the no form of this command.
area area-id filter-list route-map map-name { in | out }
no area area-id filter-list route-map map-name { in | out }
area-id | Identifier for the OSPF area where you want to configure filtering. Specify as either a positive integer value or an IP address. |
route-map map-name | Specifies the name of a route map used as the filter policy. The map-name argument can be any alphanumeric string of up to 63 characters. |
in | Filters networks sent to this area. |
out | Filters networks sent from this area. |
None
Router configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
Use the area filter-list command to filter Type 3 LSAs. If you apply the route map with the in keyword, the route map filters all Type 3 LSAs originated by the ABR to this area, including Type 3 LSAs that originated as a result of the area range command in another area.
If you apply the route map with the out keyword, the route map filters all Type 3 LSAs that are advertised by the ABR to all other areas including Type 3 LSAs that originate locally as a result of the area range command configured in this area.
Cisco NX-OS implicitly denies any prefix that does not match an entry in the route map.
This command requires the Enterprise Services license.
This example shows how to filter prefixes that are sent from all other areas to area 1:
switch# configure terminal
switch(config)# router ospf 202
switch(config-router)# area 1 filter-list route-map FilterExternal in
Command | Description |
---|---|
area range | Consolidates and summarizes routes at an area boundary. |
route-map | Defines the conditions for redistributing routes from one routing protocol into another or to enable policy routing. |
To filter prefixes advertised in type 3 link-state advertisements (LSAs) between Open Shortest Path First version 3 (OSPFv3) areas of an Area Border Router (ABR), use the area filter-list command. To change or cancel the filter, use the no form of this command.
area area-id filter-list route-map map-name { in | out }
no area area-id filter-list route-map map-name { in | out }
area-id | Identifier for the OSPFv3 area where you want to configure filtering. Specify as either an IP address or a number from 0 to 4294967295. |
route-map map-name | Specifies the name of a route map used as the filter policy. The map-name argument can be any alphanumeric string up to 63 characters. |
in | Filters networks sent to this area. |
out | Filters networks sent from this area. |
None
Address-family configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
Use the area filter-list command to filter Type 3 LSAs. If you apply the route map with the in keyword, the route map filters all Type 3 LSAs originated by the ABR to this area, including Type 3 LSAs that originated as a result of the area range command in another area.
If you apply the route map with the out keyword, the route map filters all Type 3 LSAs that are advertised by the ABR to all other areas including Type 3 LSAs that originate locally as a result of the area range command configured in this area.
Cisco NX-OS implicitly denies any prefix that does not match an entry in the route map.
This command requires the Enterprise Services license.
This example shows how to filter prefixes that are sent from all other areas to area 1:
switch# configure terminal
switch(config)# router ospfv3 201
switch(config-router)# address-family ipv6 unicast
switch(config-router-af)# area 1 filter-list route-map FilterExternal in
Command | Description |
---|---|
area range (OSPFv3) | Consolidates and summarizes routes at an area boundary. |
route-map | Defines the conditions for redistributing routes from one routing protocol into another or to enable policy routing. |
To configure an area as an Open Shortest Path First (OSPF) not-so-stubby area (NSSA), use the area nssa command. To remove the NSSA area, use the no form of this command.
area area-id nssa [ default-information-originate [ route-map map-name ] ] [no-redistribution] [no-summary] [ translate type7 [ always | never ] [suppress-fa] ]
no area area-id nssa [ default-information-originate [ route-map map-name ] ] [no-redistribution] [no-summary] [ translate type7 [ always | never ] [suppress-fa] ]
area-id | Identifier for the OSPF NSSA area. Specify as either a positive integer value or an IP address. |
default-information-originate | (Optional) Generates a Type 7 default into the NSSA area. This keyword takes effect only on NSSA ABR or NSSA ASBR. |
route-map map-name | (Optional) Filters the Type 7 default generation based on the route map. The map-name argument can be any alphanumeric string up to 63 characters. |
no-redistribution | (Optional) Blocks redistributed LSAs from entering this NSSA area. Use this keyword when the router is both an NSSA autonomous system border router (ASBR) and an NSSA area border router (ABR) and you want the redistribute command to import routes into the normal areas but not into the NSSA area. |
no-summary | (Optional) Allows an area to be an NSSA area but not have summary routes injected into it. |
translate type7 | (Optional) Translates Type 7 LSAs to type 5 LSAs. |
always | (Optional) Always translates LSAs. |
never | (Optional) Never translates LSAs. |
suppress-fa | (Optional) Suppresses the forwarding address in translated LSAs. The ABR uses 0.0.0.0 as the forwarding IPv4 address. |
None
Router configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
Use the area nssa command to create an NSSA area in an OSPF autonomous system. We recommend that you understand the network topology before configuring forwarding address suppression for translated LSAs. Suboptimal routing might result because there might be better paths to reach the destination’s forwarding address.
This command requires the Enterprise Services license.
This example shows how to configure area 1 as an NSSA area:
switch# configure terminal
switch(config)# router ospf 10
switch(config-router)# area 1 nssa
This example shows how to configure area 1 as an NSSA area and translate Type 7 LSAs from area 1 to Type 5 LSAs, but not place the Type 7 forwarding address into the Type 5 LSAs. (OSPF places 0.0.0.0 as the forwarding address in the Type 5 LSAs.)
switch# configure terminal
switch(config)# router ospf 2
switch(config-router)# area 1 nssa translate type7 suppress-fa
Command | Description |
---|---|
redistribute | Redistributes routes learned from one routing protocol to another routing protocol domain. |
To configure an area as an Open Shortest Path First version 3 (OSPFv3) not-so-stubby area (NSSA), use the area nssa command. To remove the NSSA area, use the no form of this command.
area area-id nssa [ default-information-originate [ route-map map-name ] ] [no-redistribution] [no-summary] [ translate type7 [ always | never ] [suppress-fa] ]
no area area-id nssa [ default-information-originate [ route-map map-name ] ] [no-redistribution] [no-summary] [ translate type7 [ always | never ] [suppress-fa] ]
area-id | Identifier for the OSPFv3 NSSA area. Specify as either an IP address or a number from 0 to 4294967295. |
default-information-originate | (Optional) Generates a Type 7 default into the NSSA area. This keyword takes effect only on NSSA ABR or NSSA ASBR. |
route-map map-name | (Optional) Filters the Type 7 default generation based on the route map. The map-name argument can be any alphanumeric string up to 63 characters. |
no-redistribution | (Optional) Blocks redistributed LSAs from entering this NSSA area. Use this keyword when the router is both an NSSA autonomous system border router (ASBR) and an NSSA area border router (ABR) and you want the redistribute command to import routes into the normal areas but not into the NSSA area. |
no-summary | (Optional) Allows an area to be an NSSA area but not have summary routes injected into it. |
translate type7 | (Optional) Translates Type 7 LSAs to type 5 LSAs. |
always | (Optional) Always translates LSAs. |
never | (Optional) Never translates LSAs. |
suppress-fa | (Optional) Suppresses the forwarding address in translated LSAs. The ABR uses 0.0.0.0 as the forwarding IPv4 address. |
None
Router configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
Use the area nssa command to create an NSSA area in an OSPFv3 autonomous system. We recommend that you understand the network topology before configuring forwarding address suppression for translated LSAs. Suboptimal routing might result because there might be better paths to reach the destination’s forwarding address.
This command requires the Enterprise Services license.
This example shows how to configure area 1 as an NSSA area:
switch# configure terminal
switch(config)# router ospfv3 10
switch(config-router)# area 1 nssa
This example shows how to configure area 1 as an NSSA area and translate Type 7 LSAs from area 1 to Type 5 LSAs, but not place the Type 7 forwarding address into the Type 5 LSAs. (OSPFv3 places 0.0.0.0 as the forwarding address in the Type 5 LSAs.)
switch# configure terminal
switch(config)# router ospfv3 2
switch(config-router)# area 1 nssa translate type7 suppress-fa
Command | Description |
---|---|
redistribute (OSPFv3) | Redistributes routes learned from one routing protocol to another routing protocol domain. |
To consolidate and summarize routes at an Open Shortest Path First (OSPF) area boundary, use the area range command. To disable this function, use the no form of this command.
area area-id range ip-prefix [not-advertise] [ cost cost-value ]
no area area-id range ip-prefix [not-advertise] [ cost cost-value ]
area-id | Identifier for the OSPF area where you want to summarize routes. Specify as either a positive integer value or an IP address. |
ip-prefix | IP prefix specified as IP address/subnet mask length (A.B.C.D/LEN). |
not-advertise | (Optional) Sets the address range status to DoNotAdvertise. The Type 3 summary LSA is suppressed, and the component networks remain hidden from other networks. |
cost | (Optional) Specifies the cost to use during shortest path first (SPF) calculation for the summarized route. |
cost-value | Cost value. The range is from 0 to 16777215. |
Disabled
Router configuration
Release | Modification |
---|---|
5.2(1) | Added the cost keyword. |
4.0(1) | This command was introduced. |
Use the area range command only with Area Border Routers (ABRs) to consolidate or summarize routes for an area. The ABR advertises a single summary route to other areas and condenses routing information at area boundaries.
You can configure OSPF to summarize addresses for many different sets of address ranges by configuring multiple area range commands.
This command requires the Enterprise Services license.
This example shows how to configure one summary route to be advertised by the ABR to other areas for all hosts on network 192.0.2.0:
switch# configure terminal
switch(config)# interface ethernet 1/2
switch(config-if)# ip address 192.0.2.201 255.255.255.0
switch(config-if)# ip ospf area 201
switch(config-router)# area 0 range 192.0.2.0 255.255.0.0
To consolidate and summarize routes at an Open Shortest Path First version 3 (OSPFv3) area boundary, use the area range command. To disable this function, use the no form of this command.
area area-id range ipv6-prefix/length [not-advertise] [ cost cost-value ]
no area area-id range ipv6-prefix [not-advertise] [ cost cost-value ]
area-id | Identifier for the OSPF area where you want to summarize routes. Specify as either an IP address or a number from 0 to 4294967295. |
ipv6-prefix/length | IP prefix specified as IPv6 address/length (A:B::C:D/LEN). The length argument can be from 1 to 127. |
not-advertise | (Optional) Sets the address range status to DoNotAdvertise. The Type 3 summary LSA is suppressed, and the component networks remain hidden from other networks. |
cost | (Optional) Specifies the cost to use during shortest path first (SPF) calculation for the summarized route. |
cost-value | Cost value. The range is from 0 to 16777215. |
Disabled
Router configuration
Release | Modification |
---|---|
5.2(1) | Added the cost keyword. |
4.0(1) | This command was introduced. |
Use the area range command only with Area Border Routers (ABRs) to consolidate or summarize routes for an area. The ABR advertises a single summary route to other areas and condenses routing information at area boundaries.
You can configure OSPFv3 to summarize addresses for many different sets of address ranges by configuring multiple area range commands.
This command requires the Enterprise Services license.
This example shows how to configure one summary route to be advertised by the ABR to other areas for all hosts on network 2001:0DB8::/32:
switch# configure terminal
switch(config)# router ospfv3 201
switch(config-router)# address-family ipv6 unicast
switch(config-router-af)# area 0 range 2001:0DB8::/32
To define an area as an Open Shortest Path First (OSPF) stub area, use the area stub command. To remove the area, use the no form of this command.
area area-id stub [no-summary]
no area area-id stub [no-summary]
area-id | Identifier for the OSPF stub area. Specify as either a positive integer value or an IP address. |
no-summary | (Optional) Prevents an Area Border Router (ABR) from sending summary link advertisements into the stub area. |
None
Router configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
Use the area stub command to configure all devices attached to the stub area. Use the area default-cost command on an area border router (ABR) attached to the stub area. The area default-cost command provides the metric for the summary default route generated by the ABR into the stub area.
To further reduce the number of link-state advertisements (LSAs) sent into a stub area, you can configure the no-summary keyword on the ABR to prevent it from sending Summary LSAs (Type 3 LSAs) into the stub area.
This command requires the Enterprise Services license.
This example shows how to create stub area 33 in OSPF 209:
switch# configure terminal
switch(config)# router ospf 201
switch(config-router)# area 33 stub
Command | Description |
---|---|
area default-cost | Specifies a cost for the default summary route sent into a stub area. |
To define an area as an Open Shortest Path First version 3 (OSPFv3) stub area, use the area stub command. To remove the area, use the no form of this command.
area area-id stub [no-summary]
no area area-id stub [no-summary]
area-id | Identifier for the OSPFv3 stub area. Specify as either an IP address or a number from 0 to 4294967295. |
no-summary | (Optional) Prevents an Area Border Router (ABR) from sending summary link advertisements into the stub area. |
None
Router configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
Use the area stub command to configure all devices attached to the stub area. Use the area default-cost command on an area border router (ABR) attached to the stub area. The area default-cost command provides the metric for the summary default route generated by the ABR into the stub area.
To further reduce the number of link-state advertisements (LSAs) sent into a stub area, you can configure the no-summary keyword on the ABR to prevent it from sending Summary LSAs (Type 3 LSAs) into the stub area.
This command requires the Enterprise Services license.
This example shows how to create stub area 33 in OSPFv3 209:
switch# configure terminal
switch(config)# router ospfv3 201
switch(config-router)# area 33 stub
Command | Description |
---|---|
area default-cost (OSPFv3) | Specifies a cost for the default summary route sent into a stub area. |
To define an Open Shortest Path First (OSPF) virtual link, use the area virtual-link command. To remove a virtual link, use the no form of this command.
area area-id virtual-link router-id
no area area-id virtual-link router-id
area-id | Identifier for the OSPF area assigned to the transit area for the virtual link. Specify as either a positive integer value or an IP address. |
router-id | Router ID associated with the virtual link neighbor. Specify as an IP address. The router ID appears in the show ip ospf neighbors display. |
None
Router configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
Use the area virtual-link command to establish a virtual link from a remote area to the backbone area. In OSPF, all areas must be connected to a backbone area. If the connection to the backbone is lost, it can be repaired by establishing a virtual link.
Use the area virtual-link command to enter the virtual link configuration mode where you can use the following commands:
See each command for syntax and usage details.
You must configure both sides of a virtual link with the same area ID and the corresponding virtual link neighbor router ID. To see the router ID, use the show ip ospf neighbors command in any mode.
This command requires the Enterprise Services license.
This example shows how to establish a virtual link between two devices, A and B, with default values for all optional parameters:
Device A:
switch# configure terminal
switch(config)# router ospf 1
switch(config-router)# router-id 192.0.2.2
switch(config-router)# area 1 virtual-link 192.0.2.1
Device B:
switch(config)# router ospf 209
switch(config-router)# router-id 192.0.2.1
switch(config-router)# area 1 virtual-link 192.0.2.2
Command | Description |
---|---|
authentication (OSPF virtual link) | Enables authentication for an OSPF virtual link. |
authentication-key (OSPF virtual link) | Assigns a password to be used by neighboring routers that are using the simple password authentication of OSPF. |
dead-interval (OSPF virtual link) | Configures the dead interval for an OSPF virtual link. |
hello-interval (OSPF virtual link) | Configures the hello interval for an OSPF virtual link. |
message-digest-key (virtual link) | Enables OSPF MD5 authentication in an OSPF virtual link. |
retransmit-interval (OSPF virtual link) | Configures the retransmit interval for an OSPF virtual link. |
transmit-delay (OSPF virtual link) | Configures the transmit delay for an OSPF virtual link. |
To define an Open Shortest Path First version 3 (OSPFv3) virtual link, use the area virtual-link command. To remove a virtual link, use the no form of this command.
area area-id virtual-link router-id
no area area-id virtual-link router-id
area-id | Identifier for the OSPFv3 area assigned to the transit area for the virtual link. Specify as either an IP address or a number from 0 to 4294967295. |
router-id | Router ID associated with the virtual link neighbor. Specify as an IP address. The router ID appears in the show ospfv3 neighbors display. |
None
Router configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
Use the area virtual-link command to establish a virtual link from a remote area to the backbone area. In OSPFv3, all areas must be connected to a backbone area. If the connection to the backbone is lost, it can be repaired by establishing a virtual link.
Use the area virtual-link command to enter the virtual link configuration mode where you can use the following commands:
See each command for syntax and usage details.
You must configure both sides of a virtual link with the same area ID and the corresponding virtual link neighbor router ID. To see the router ID, use the show ospfv3 neighbors command in any mode.
This command requires the Enterprise Services license.
This example shows how to establish a virtual link between two devices, A and B, with default values for all optional parameters:
Device A:
switch(config)# router ospfv3 1
switch(config-router)# router-id 192.0.2.2
switch(config-router)# area 1 virtual-link 192.0.2.1
Device B:
switch(config)# router ospfv3 209
switch(config-router)# router-id 192.0.2.1
switch(config-router)# area 1 virtual-link 192.0.2.2
Command | Description |
---|---|
dead-interval (OSPFv3 virtual link) | Configures the dead interval for an OSPFv3 virtual link. |
hello-interval (OSPFv3 virtual link) | Configures the hello interval for an OSPFv3 virtual link. |
retransmit-interval (OSPFv3 virtual link) | Configures the retransmit interval for an OSPFv3 virtual link. |
transmit-delay (OSPFv3 virtual link) | Configures the transmit delay for an OSPFv3 virtual link. |
To configure the autonomous system number (ASN) notation to asdot, use the as-format asdot command. To delete the ASN notation configuration, use the no form of this command.
as-format asdot
no as-format asdot
This command has no arguments or keywords.
asplain
Global configuration mode
Release | Modification |
---|---|
6.2(2) | This command was introduced. |
This command requires the Enterprise Services license.
This example shows how to configure the ASN notation to asdot:
switch# configure terminal
switch(config)# as-format asdot
switch(config)#
This example shows how to delete the ASN notation configuration:
switch# configure terminal
switch(config)# no as-format asdot
Command | Description |
---|---|
copy running-config startup-config | Saves the configuration change. |
To configure authentication for the Gateway Load Balancing Protocol (GLBP), use the authentication command. To disable authentication, use the no form of this command.
authentication { text string | md5 { key-string [encrypted] key | key-chain name-of-chain } }
no authentication { text string | md5 { key-string [ 0 | 7 ] key | key-chain name-of-chain } }
text string | Specifies an authentication string. The range is from 1 to 255 characters. |
md5 | Specifies the Message Digest 5 (MD5) authentication. |
key-string key | Specifies the secret key for MD5 authentication. The range is from 1 to 255 characters. We recommend that you use at least 16 characters. |
encrypted | (Optional) Specifies the encrypted key. |
key-chain name-of-chain | Identifies a group of authentication keys. |
No authentication of GLBP messages occurs.
GLBP configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
To ensure interoperation, you must configure the same authentication method on all the gateways that are members of the same GLBP group. A gateway ignores all GLBP messages that contain the wrong authentication information.
This command does not require a license.
This example shows how to configure stringxyz as the authentication string for GLBP group 10:
switch# configure terminal
switch(config)# interface ethernet 1/1
switch(config-if)# glbp 10
switch(config-glbp)# authentication text stringxyz
This example shows how to configure GLBP to use the key chain “AuthenticateGLBP” to obtain the current live key and key ID for MD5 authentication:
switch# configure terminal
switch(config)# interface ethernet1/1
switch(config-if)# glbp 2
switch(config-glbp)# authentication md5 key-chain AuthenticateGLBP
Command | Description |
---|---|
glbp | Creates a GLBP group and enters GLBP configuration mode. |
ip (GLBP) | Enables GLBP on an interface. |
key chain | Creates a key chain. |
To configure authentication for the Hot Standby Router Protocol (HSRP), use the authentication command. To disable authentication, use the no form of this command.
authentication { text string | md5 { key-chain key-chain | key-string { 0 | 7 } text [ timeout seconds ] } }
no authentication { text string | md5 { key-chain key-chain | key-string { 0 | 7 } text [ timeout seconds ] } }
text string | Specifies an authentication string. The range is from 1 to 255 characters. The default string is “cisco”. |
md5 | Specifies the Message Digest 5 (MD5) authentication. |
key-chain key-chain | Identifies a group of authentication keys. |
key-string | Specifies the secret key for MD5 authentication. |
0 | Specifies a clear text string. |
7 | Specifies an encrypted string. |
text | Secret key for MD5 authentication. The range is from 1 to 255 characters. We recommend that you use at least 16 characters. |
timeout seconds | (Optional) Specifies the authentication timeout value. The range is from 0 to 32767. |
Disabled
HSRP configuration or HSRP template mode
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
Use the authentication text command to prevent misconfigured routers from participating in HSRP groups that they are not intended to participate in. The authentication string is sent unencrypted in all HSRP messages. The same authentication string must be configured on all routers in the same group to ensure interoperation. HSRP protocol packets that do not authenticate are ignored.
Caution | If two routers are configured with identical HSRP IP addresses, but with different authentication strings, then neither router will be aware of the duplication. |
This command does not require a license.
This example shows how to configure an authentication string for HSRP group 2:
switch# configure terminal
switch(config)# interface ethernet 0/1
switch(config-if)# ip address 10.0.0.1 255.255.255.0
switch(config-if)# hsrp 2
switch(config-if-hsrp)# priority 110
switch(config-if-hsrp)# preempt
switch(config-if-hsrp)# authentication text sanjose
switch(config-if-hsrp)# ip 10.0.0.3
switch(config-if-hsrp)# end
Command | Description |
---|---|
feature hsrp | Enables HSRP and enters HSRP configuration mode. |
hsrp group | Creates an HSRP group. |
To specify the authentication type for an Open Shortest Path First (OSPF) virtual link, use the authentication command. To remove the authentication type for a virtual link, use the no form of this command.
authentication [ key-chain key-name | message-digest | null ]
no ip ospf authentication
key-chain key-name | (Optional) Specifies the key-chain to use. The key-name argument can be any alphanumeric string up to 63 characters. |
message-digest | (Optional) Specifies to use message-digest authentication. |
null | (Optional) Specifies no authentication is used. Disables authentication if configured for an area. |
Defaults to password authentication if you configure authentication with none of the optional keywords.
OSPF virtual link configuration
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
Use the authentication command in virtual link configuration mode to configure the authentication method used on the virtual link. Use the message-digest keyword to configure MD5 message digest authentication and use the message-digest-key command to complete this authentication configuration. Use the key-chain keyword to configure password authentication using key chains and use the key chain command to complete this authentication configuration. Use the authentication command with no keywords to configure a password for the virtual link, and use the authentication-key command to complete this authentication configuration.
This command requires the Enterprise Services license.
This example shows how to enable message-digest authentication:
switch# configure terminal
switch(config)# router ospf 22
switch(config-router)# area 99 virtual-link 192.0.2.12
switch(config-router-vlink)# authentication message-digest
switch(config-router-vlink)# message-digest-key 4 md5 0 abcd
Command | Description |
---|---|
area authentication | Enables authentication for an OSPF area. |
authentication-key (OSPF virtual link) | Assigns a password to be used by neighboring routers that are using the password authentication of OSPF. |
key chain | Creates a key chain for managing authentication keys. |
message-digest-key (OSPF virtual link) | Enables OSPF MD5 authentication. |
To configure authentication for the Virtual Router Redundancy Protocol (VRRP), use the authentication command. To disable authentication, use the no form of this command.
authentication text password
no authentication
text password | Specifies a simple text password of up to 8 alphanumeric characters. |
No authentication
VRRP configuration mode
Release | Modification |
---|---|
4.0(1) | This command was introduced. |
This command does not require a license.
This example shows how to configure simple text authentication for VRRP:
switch# configure terminal
switch(config)# interface ethernet 2/1
switch(config-if)# vrrp 250
switch(config-if-vrrp)# authentication text mypassword
Command | Description |
---|---|
show vrrp | Displays VRRP configuration information. |
clear vrrp | Clears all the software counters for the specified virtual router. |
To enable authentication for the Enhanced Interior Gateway Routing Protocol (EIGRP) packets and to specify the set of keys that can be used on an interface, use the authentication key-chain command. To prevent authentication, use the no form of this command.
authentication key-chain name-of-chain
no authentication key-chain name-of-chain
name-of-chain | Group of keys that are valid.
No authentication is provided for EIGRP packets.
Router configuration
Address family configuration
Router VRF configuration
Release | Modification
---|---
4.0(3) | This command was introduced.
Set the authentication mode using the authentication mode command in VRF configuration mode. You must separately configure a key chain using the key-chain command to complete the authentication configuration for an interface.
This command requires the Enterprise Services license.
This example shows how to configure the interface to accept and send any key that belongs to the key-chain trees:
switch# configure terminal
switch(config)# router eigrp 209
switch(config-router)# vrf red
switch(config-router-vrf)# authentication key-chain trees

Command | Description
---|---
authentication mode (EIGRP) | Sets the authentication mode for EIGRP in a VRF.
ip authentication key-chain eigrp | Enables authentication for EIGRP and specifies the set of keys that can be used on an interface.
key-chain | Creates a set of keys that can be used by an authentication method.
To enable authentication for Intermediate System-to-Intermediate System (IS-IS), use the authentication key-chain configuration mode command. To disable such authentication, use the no form of this command.
authentication key-chain auth-key { level-1 | level-2 }
no authentication key-chain auth-key { level-1 | level-2 }
auth-key | Authentication key chain.
level-1 | Specifies the authentication key for level-1 link state packets (LSP), complete sequence number packets (CSNP), and partial sequence number packets (PSNP) only.
level-2 | Specifies the authentication key for level-2 LSP, CSNP and PSNP packets only.
No key chain authentication is provided for IS-IS packets at the router level.
Router configuration
VRF configuration
Release | Modification
---|---
4.0(1) | This command was introduced.
If no key chain is configured with the authentication key-chain command, no key chain authentication is performed.
Key chain authentication could apply to clear text authentication or MD5 authentication. The mode is determined by the authentication mode command.
Only one authentication key chain is applied to IS-IS at one time. For example, if you configure a second authentication key-chain command, the first authentication key chain is overridden.
You can specify authentication for an individual IS-IS interface by using the isis authentication key-chain command.
This command requires the Enterprise Services license.
This example shows how to configure IS-IS to accept and send any key belonging to the key chain named site1:
switch# configure terminal
switch(config)# router isis real_secure_network
switch(config-router)# authentication key-chain site1 level-1

Command | Description
---|---
feature isis | Enables IS-IS on the router.
isis authentication key-chain | Enables authentication for an individual IS-IS interface.
router isis | Enables IS-IS.
To specify the type of authentication used in the Enhanced Interior Gateway Routing Protocol (EIGRP) packets, use the authentication mode command. To remove authentication, use the no form of this command.
authentication mode md5
no authentication mode md5
md5 | Specifies Message Digest 5 (MD5) authentication.
None
Router configuration
Address family configuration
VRF configuration
Release | Modification
---|---
4.0(1) | This command was introduced.
This command requires the Enterprise Services license.
This example shows how to configure the interface to use MD5 authentication:
switch# configure terminal
switch(config)# router eigrp 209
switch(config-router)# vrf red
switch(config-router-vrf)# authentication mode md5

Command | Description
---|---
authentication key-chain eigrp | Enables authentication for EIGRP and specifies the set of keys that can be used on an interface.
ip authentication mode eigrp | Configures the authentication mode for EIGRP on an interface.
key chain | Creates a set of keys that can be used by an authentication method.
To specify for the Intermediate System-to-Intermediate System (IS-IS) instance that authentication is performed only on IS-IS packets being sent (not received), use the authentication-check configuration mode command. To specify that authentication configured at the router level for the IS-IS instance is performed on packets being both sent and received, use the no form of this command.
authentication-check { level-1 | level-2 }
no authentication-check
level-1 | Specifies that authentication is performed only on level-1 packets that are being sent (not received).
level-2 | Specifies that authentication is performed only on level-2 packets that are being sent (not received).
If authentication is configured at the router level, it applies to IS-IS packets being sent and received.
Router configuration
VRF configuration
Enter the authentication-check command before configuring the authentication mode and authentication key chain. Entering the authentication-check command gives you more time to configure the keys on each router, because authentication is inserted only on the packets being sent and is not checked on packets being received. After you enter the authentication-check command on all communicating routers, enable the authentication mode and key chain on each router. Then enter the no authentication-check command to disable the command.
This command could apply to clear text authentication or Message Digest 5 (MD5) authentication. The mode is determined by the authentication mode command.
You can specify authentication for an individual IS-IS interface by using the isis authentication-check {level-1 | level-2} interface configuration mode command.
This command requires the Enterprise Services license.
This example shows how to configure IS-IS level-1 packets to use clear text authentication on packets being sent (not received):
switch# configure terminal
switch(config)# router isis test1
switch(config-router)# authentication-check level-1
switch(config-router)# authentication key-chain site1 level-1
switch(config-router)#

Command | Description
---|---
feature isis | Enables IS-IS on the router.
isis authentication-check | Enables authentication on IS-IS packets being sent (not received) from a specific interface.
router isis | Enables IS-IS.
To enable authentication of OSPFv3 packets on a per-interface basis at the Router level, use the authentication ipsec command. To disable the authentication of OSPFv3 packets, use the no form of this command.
authentication ipsec spi spi auth [ 0 | 3 | 7 ] key
no authentication ipsec spi spi
spi | Specifies the Security Policy Index.
spi | Value of spi. It ranges from 256 to 4294967295.
auth | Authentication algorithm. Its value can be md5, sha1, or null.
key | Authentication password.
0 | Specifies that the authentication password is unencrypted.
3 | Specifies that the authentication password is 3DES encrypted.
7 | Specifies that the authentication password is Cisco type 7 encrypted.
The OSPFv3 packets are not authenticated by default.
Router configuration (config-router).
Release | Modification
---|---
7.3(0)D1(1) | This command was introduced.
Before running this command, ensure that you have enabled the authentication package with the feature imp command.
The following example shows how to authenticate OSPFv3 packets using md5, at the Router level for default VRF:
switch# configure terminal
switch(config)# feature imp
switch(config)# router ospfv3 1
switch(config-router)# authentication ipsec spi 301 md5 1234

Command | Description
---|---
area authentication ipsec | Enables authentication of the OSPFv3 packets for all interfaces under the area.
ospfv3 authentication ipsec | Enables authentication of the OSPFv3 packets per interface.
To assign a password to be used by an Open Shortest Path First (OSPF) virtual link, use the authentication-key command. To remove a previously assigned OSPF password, use the no form of this command.
authentication-key [ 0 | 3 ] password
no authentication-key
0 | (Optional) Specifies an unencrypted authentication key.
3 | (Optional) Specifies a 3DES encrypted authentication key.
password | Any continuous string of characters that can be entered from the keyboard up to 8 bytes.
Unencrypted password
OSPF virtual link configuration
Release | Modification
---|---
4.0(1) | This command was introduced.
Use the authentication-key command to configure the password for password authentication on an OSPF virtual link. All devices on the same virtual link must have the same password to be able to exchange OSPF information.
This command requires the Enterprise Services license.
This example shows how to enable the authentication key with the string yourpass:
switch# configure terminal
switch(config)# router ospf 22
switch(config-router)# area 99 virtual-link 192.0.2.12
switch(config-router-vlink)# authentication
switch(config-router-vlink)# authentication-key yourpass

Command | Description
---|---
authentication (virtual link) | Enables authentication for an OSPF virtual link.
To specify the type of authentication used in Intermediate System-to-Intermediate System (IS-IS) packets for the IS-IS instance, use the authentication-type configuration mode command. To restore clear text authentication, use the no form of this command.
authentication-type { cleartext | md5 } [ level-1 | level-2 ]
no authentication-type
cleartext | Specifies clear text authentication.
md5 | Specifies Message Digest 5 (MD5) authentication.
level-1 | Enables the specified authentication for level-1 link state packet (LSP), complete sequence number packet (CSNP) and partial sequence number packet (PSNP) packets only.
level-2 | Enables the specified authentication for level-2 LSP, CSNP and PSNP packets only.
No authentication is provided for IS-IS packets at the router level by use of this command.
Router configuration
VRF configuration
Release | Modification
---|---
4.0(1) | This command was introduced.
If you do not enter the level-1 or level-2 keywords, the mode applies to both levels.
You can specify the type of authentication and the level to which it applies for a single IS-IS interface, rather than per IS-IS instance, by using the authentication-type command.
You can specify authentication type for an individual IS-IS interface by using the isis authentication-type {cleartext | md5} [level-1 | level-2] interface configuration mode command.
This example shows how to configure the IS-IS instance so that Message Digest 5 (MD5) authentication is performed on level-1 packets:
switch# configure terminal
switch(config)# router isis TEST1
switch(config-router)# authentication-type md5 level-1
switch(config-router)#

Command | Description
---|---
feature isis | Enables IS-IS on the router.
isis authentication-type | Specifies the authentication type for an individual IS-IS interface.
router isis | Enables IS-IS.
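The authentication commands above differ in how their secrets are sent or stored: VRRP uses a simple text password, IS-IS can use clear text, OSPFv3 IPsec accepts a null algorithm, and OSPF keys can be stored unencrypted (type 0). The following Python audit is an added example, not Cisco code, that flags those settings in a saved configuration. It assumes a configuration file in which sub-mode commands are indented under their parent; the sample configuration and the rule wording are constructed for illustration.

```python
import re

# One rule per command documented above: (pattern, reason to review).
# Key type 0 means "unencrypted", as stated in the syntax descriptions.
RULES = [(re.compile(p), why) for p, why in [
    (r"authentication text \S+$", "VRRP simple text password"),
    (r"authentication-type cleartext\b", "IS-IS clear text authentication"),
    (r"message-digest-key \d+ md5 0 \S+$", "OSPF MD5 key stored unencrypted"),
    (r"authentication-key (?:0 \S+|\S+)$", "OSPF password stored unencrypted"),
    (r"authentication ipsec spi \d+ null\b", "OSPFv3 IPsec with null algorithm"),
    (r"authentication ipsec spi \d+ \S+ 0 \S+$", "OSPFv3 key stored unencrypted"),
]]


def audit(config_text):
    """Return (context, command, reason) for each command matching a rule."""
    findings, stack = [], []  # stack: (indent, command) of enclosing modes
    for raw in config_text.splitlines():
        cmd = raw.strip()
        if not cmd or cmd.startswith("!"):
            continue
        indent = len(raw) - len(raw.lstrip())
        # Assumption: sub-mode commands are indented deeper than their parent.
        while stack and stack[-1][0] >= indent:
            stack.pop()
        context = " > ".join(c for _, c in stack) or "global"
        for pattern, why in RULES:
            if pattern.match(cmd):
                findings.append((context, cmd, why))
        stack.append((indent, cmd))
    return findings


# Constructed sample configuration, not taken from a real device.
SAMPLE = """\
interface Ethernet2/1
  vrrp 250
    authentication text mypassword
router ospf 22
  area 99 virtual-link 192.0.2.12
    authentication message-digest
    message-digest-key 4 md5 3 0a1b2c3d4e5f
    authentication-key yourpass
router isis TEST1
  authentication-type md5 level-1
  authentication key-chain site1 level-1
router ospfv3 1
  authentication ipsec spi 301 sha1 0 1234
"""

if __name__ == "__main__":
    for context, cmd, why in audit(SAMPLE):
        print(f"{context}: {cmd}  <- {why}")
```

Each finding carries the configuration mode it was found in, so a reviewer can go straight to the virtual link, VRRP group, or routing instance that needs a stronger setting.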
To control how Open Shortest Path First (OSPF) calculates default metrics for an interface, use the auto-cost command. To assign the default reference bandwidth of 40 Gb/s, use the no form of this command.
auto-cost reference-bandwidth bandwidth [ Gbps | Mbps ]
no auto-cost reference-bandwidth
reference-bandwidth bandwidth | Sets the reference bandwidth used to calculate the default metrics for an interface. The range depends on whether you use the Gbps or Mbps keywords.
Gbps | (Optional) Specifies the rate in Gbps (bandwidth). The range is from 1 to 4000; the default is 40.
Mbps | (Optional) Specifies the rate in Mbps (bandwidth). The range is from 1 to 4000000; the default is 40000.
40 Gb/s. The bandwidth defaults to Gb/s if you do not specify the Gbps or Mbps keyword.
Router configuration
Release | Modification
---|---
4.0(1) | This command was introduced.
Use the auto-cost command to set the reference bandwidth used by the OSPF cost-metric calculation.
The value set by the ip ospf cost command overrides the cost that results from the auto-cost command.
This command requires the Enterprise Services license.
This example shows how to set the reference bandwidth for all local interfaces in an OSPF instance:
switch# configure terminal
switch(config)# router ospf 201
switch(config-router)# auto-cost reference-bandwidth 10

Command | Description
---|---
ip ospf cost | Explicitly specifies the cost of sending a packet on an interface.
To control how Open Shortest Path First version 3 (OSPFv3) calculates default metrics for an interface, use the auto-cost command. To assign the default reference bandwidth of 40 Gb/s, use the no form of this command.
auto-cost reference-bandwidth bandwidth [ Gbps | Mbps ]
no auto-cost reference-bandwidth
reference-bandwidth bandwidth | Sets the reference bandwidth used to calculate the default metrics for an interface. The range depends on whether you use the Gbps or Mbps keywords.
Gbps | (Optional) Specifies the rate in Gbps (bandwidth). The range is from 1 to 4000; the default is 40.
Mbps | (Optional) Specifies the rate in Mbps (bandwidth). The range is from 1 to 4000000; the default is 40000.
40 Gb/s. The bandwidth defaults to Gb/s if you do not specify the Gbps or Mbps keyword.
Router configuration
Release | Modification
---|---
4.0(1) | This command was introduced.
Use the auto-cost command to set the reference bandwidth used by the OSPFv3 cost-metric calculation.
The value set by the ipv6 ospfv3 cost command overrides the cost that results from the auto-cost command.
This command requires the Enterprise Services license.
This example shows how to set the reference bandwidth for all local interfaces in an OSPFv3 instance:
switch# configure terminal
switch(config)# router ospfv3 201
switch(config-router)# auto-cost reference-bandwidth 10

Command | Description
---|---
ipv6 ospfv3 cost | Explicitly specifies the cost of sending a packet on an interface.
To configure the autonomous system number for an Enhanced Interior Gateway Routing Protocol (EIGRP) address family, use the autonomous-system command. To revert to default, use the no form of this command.
autonomous-system as-number
no autonomous-system as-number
as-number | Autonomous system number. The range is from 1 to 65535.
None
Address family configuration
Release | Modification
---|---
4.1(2) | This command was introduced.
Use the autonomous-system command to set a common AS number for all EIGRP instances in an address family.
This command requires the Enterprise Services license.
This example shows how to set an AS number for EIGRP for IPv6 unicast:
switch# configure terminal
switch(config)# router eigrp 201
switch(config-router)# address-family ipv6 unicast
switch(config-router-af)# autonomous-system 64496

Command | Description
---|---
address-family (EIGRP) | Enters the address family configuration mode for EIGRP.