Cisco IOS IP Command Reference, Volume 1 of 4
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCIP, CCSP, the Cisco Arrow logo, the Cisco Powered Network mark, Cisco Unity, Follow Me Browsing, FormShare, and StackWise are trademarks of Cisco Systems, Inc.;
Changing the Way We Work, Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Aironet, ASIST, BPX, Catalyst, CCDA, CCDP, CCIE,
CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, the Cisco IOS logo, Cisco Press, Cisco Systems, Cisco Systems Capital, the Cisco Systems
logo, Empowering the Internet Generation, Enterprise/Solver, EtherChannel, EtherSwitch, Fast Step, GigaStack, Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ
Net Readiness Scorecard, LightStream, MGX, MICA, the Networkers logo, Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, RateMUX,
Registrar, ScriptShare, SlideCast, SMARTnet, StrataView Plus, Stratm, SwitchProbe, TeleRouter, The Fastest Way to Increase Your Internet Quotient, TransPath, and VCO
are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and certain other countries.
All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship
between Cisco and any other company. (0304R)
Introduction
This book describes the commands used to configure and monitor the following IP addressing and
services capabilities and features:
• IP Addressing
• Dynamic Host Configuration Protocol (DHCP)
• IP Services
• IP Access Lists
• Server Load Balancing
• Web Cache Communications Protocol (WCCP)
For IP addressing and services tasks and examples, refer to the “IP Addressing and Services” part in the
Cisco IOS IP Configuration Guide, Release 12.3.
IP Addressing
Use the following commands to configure and monitor IP addressing:
• arp (global)
• arp (interface)
• arp timeout
• clear arp-cache
• clear arp interface
• clear host
• clear ip nat translation
• clear ip nhrp
• clear ip route
• clear ip snat sessions
• clear ip snat translation distributed
• clear ip snat translation peer
• crypto ipsec
• ip address
• ip broadcast-address
• ip cef traffic-statistics
• ip classless
• ip default-gateway
• ip directed-broadcast
• ip domain-list
• ip domain-lookup
• ip domain-name
• ip forward-protocol
• ip forward-protocol spanning-tree
• ip forward-protocol turbo-flood
• ip helper-address
• ip host
• ip irdp
• ip mobile arp
• ip name-server
• ip nat
• ip nat inside destination
• ip nat inside source
• ip nat outside source
• ip nat pool
• ip nat service
• ip nat stateful id
• ip nat translation
• ip netmask-format
• ip nhrp authentication
• ip nhrp holdtime
• ip nhrp interest
• ip nhrp map
• ip nhrp map multicast
• ip nhrp map multicast dynamic
• ip nhrp max-send
• ip nhrp network-id
• ip nhrp nhs
• ip nhrp record
• ip nhrp responder
• ip nhrp server-only
• ip nhrp trigger-svc
• ip nhrp use
• ip proxy-arp
• ip routing
• ip subnet zero
• ip unnumbered
• no ip gratuitous-arps
• show arp
• show hosts
• show ip aliases
• show ip arp
• show ip interface
• show ip irdp
• show ip masks
• show ip nat statistics
• show ip nat translations
• show ip nhrp
• show ip nhrp traffic
• show ip snat
• term ip netmask-format
DHCP
Use the following commands to configure and monitor DHCP:
• accounting (DHCP)
• bootfile
• clear ip dhcp binding
• clear ip dhcp server statistics
• clear ip dhcp subnet
• clear ip route dhcp
• client-identifier
• client-name
• default-router
• dns-server
• domain-name (DHCP)
• hardware-address
• host
• import all
• ip address dhcp
• ip address pool (DHCP)
• ip dhcp aaa default username
• ip dhcp bootp ignore
• ip dhcp conflict logging
• ip dhcp database
• ip dhcp excluded-address
• ip dhcp ping packets
• ip dhcp ping timeout
• ip dhcp pool
• ip dhcp relay information check
• ip dhcp relay information option
• ip dhcp relay information policy
• ip dhcp smart-relay
• lease
• netbios-name-server
• netbios-node-type
• network (DHCP)
• next-server
• option
• origin
• service dhcp
• show ip dhcp binding
• show ip dhcp conflict
• show ip dhcp database
• show ip dhcp import
• show ip dhcp pool
• show ip dhcp server statistics
• show ip route dhcp
• subnet prefix-length
• update arp
• utilization mark high
• utilization mark low
• vrf
IP Access Lists
Use the following commands to configure and monitor access lists:
• access-class
• access-list (IP extended)
• access-list (IP standard)
• access-list compiled
• access-list remark
• deny (IP)
• dynamic
• ip access-group
• ip access-list resequence
• ip access-list
• permit
• remark
• show access-lists
• show access-list compiled
• show ip access-list
IP Services
Use the following commands to configure and monitor IP services:
• access-class
• access-list (IP extended)
• access-list (IP standard)
• access-list compiled
• access-list remark
• clear access-list counters
• clear ip accounting
• clear ip drp
• clear tcp statistics
• clear time-range ipc
• delay (tracking)
• deny (IP)
• dynamic
• forwarding-agent
• glbp authentication
• glbp forwarder preempt
• glbp ip
• glbp load-balancing
• glbp preempt
• glbp priority
• glbp timers
• glbp timers redirect
• glbp weighting track
• ip access-group
• ip access-list
• ip access-list resequence
• ip accounting
• ip accounting-list
• ip accounting-threshold
• ip accounting-transits
• ip accounting mac-address
• ip accounting precedence
• ip casa
• ip drp access-group
• ip drp authentication key-chain
• ip drp server
• ip icmp rate-limit unreachable
• ip information-reply
• ip mask-reply
• ip vrf (tracking)
• ip mtu
• ip redirects
• ip source-route
• ip tcp chunk-size
• ip tcp compression-connections
• ip tcp header-compression
• ip tcp path-mtu-discovery
• ip tcp queuemax
• ip tcp selective-ack
• ip tcp synwait-time
• ip tcp timestamp
• ip tcp window-size
• ip unreachables
• permit (IP)
• remark
• show access-lists
• show access-list compiled
• show glbp
• show interface mac
• show interface precedence
• show ip access-list
• show ip accounting
• show ip casa affinities
• show ip casa oper
• show ip casa stats
• show ip casa wildcard
• show ip drp
• show ip redirects
• show ip sockets
• show ip tcp header-compression
• show ip traffic
• show standby
• show standby delay
• show tcp statistics
• show time-range ipc
• show track
• show vrrp
• show vrrp interface
• standby authentication
• standby delay minimum reload
• standby ip
• standby mac-address
• standby mac-refresh
• standby name
• standby preempt
• standby priority
• standby redirects
• standby timers
• standby track
• standby use-bia
• start-forwarding-agent
• threshold metric
• track interface
• track ip route
• track timer
• transmit-interface
• vrrp authentication
• vrrp description
• vrrp ip
• vrrp preempt
• vrrp priority
• vrrp timers advertise
• vrrp timers learn
WCCP
Use the following commands to configure and monitor WCCP:
• clear ip wccp
• ip wccp
• ip wccp enable
• ip wccp group-listen
• ip wccp redirect exclude in
• ip wccp redirect-list
• ip wccp redirect
• ip wccp version
• ip web-cache redirect
• show ip wccp
• show ip wccp web-caches
access-class
To restrict incoming and outgoing connections between a particular vty (into a Cisco device) and the
addresses in an access list, use the access-class command in line configuration mode. To remove access
restrictions, use the no form of this command.
Syntax Description
access-list-number    Number of an IP access list. This is a decimal number from 1 to 199 or from 1300 to 2699.
in    Restricts incoming connections between a particular Cisco device and the addresses in the access list.
out    Restricts outgoing connections between a particular Cisco device and the addresses in the access list.
Usage Guidelines
Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them.
To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.
Examples
The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:
access-list 12 permit 192.89.55.0 0.0.0.255
line 1 5
access-class 12 in
The following example defines an access list that denies connections to networks other than network
36.0.0.0 on terminal lines 1 through 5:
access-list 10 permit 36.0.0.0 0.255.255.255
line 1 5
access-class 10 out
access-list (IP extended)
no access-list access-list-number
Syntax Description
access-list-number    Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.
dynamic dynamic-name    (Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the “Configuring Lock-and-Key Security (Dynamic Access Lists)” chapter in the Cisco IOS Security Configuration Guide.
timeout minutes    (Optional) Specifies the absolute length of time, in minutes, that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the “Configuring Lock-and-Key Security (Dynamic Access Lists)” chapter in the Cisco IOS Security Configuration Guide.
port    (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section “Usage Guidelines.” TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.
established    (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK, FIN, PSH, RST, SYN, or URG control bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
fragments    (Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the “Access List Processing of Fragments” and “Fragments and Policy Routing” sections in the “Usage Guidelines” section.
Defaults
An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.
Command History
Release    Modification
12.0(1)T    The time-range time-range-name keyword and argument were added.
12.0(11)    The fragments keyword was added.
12.2(13)T    The non500-isakmp keyword was added to the list of UDP port names. The igrp keyword was removed because the IGRP protocol is no longer available in Cisco IOS software.
Usage Guidelines
You can use access lists to control the transmission of packets on an interface, control vty access, and restrict the contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control vty access or restrict the contents of routing updates must not match against the TCP source port, the type of service (ToS) value, or the precedence of the packet.
Note
After a numbered access list is created, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific numbered access list.
The following is a list of ICMP message names:
• echo
• echo-reply
• general-parameter-problem
• host-isolated
• host-precedence-unreachable
• host-redirect
• host-tos-redirect
• host-tos-unreachable
• host-unknown
• host-unreachable
• information-reply
• information-request
• mask-reply
• mask-request
• mobile-redirect
• net-redirect
• net-tos-redirect
• net-tos-unreachable
• net-unreachable
• network-unknown
• no-room-for-option
• option-missing
• packet-too-big
• parameter-problem
• port-unreachable
• precedence-unreachable
• protocol-unreachable
• reassembly-timeout
• redirect
• router-advertisement
• router-solicitation
• source-quench
• source-route-failed
• time-exceeded
• timestamp-reply
• timestamp-request
• traceroute
• ttl-exceeded
• unreachable
The following is a list of IGMP message names:
• dvmrp
• host-query
• host-report
• pim
• trace
The following is a list of TCP port names that can be used instead of port numbers. Refer to the current
assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these
protocols can also be found if you type a ? in the place of a port number.
• bgp
• chargen
• daytime
• discard
• domain
• echo
• finger
• ftp
• ftp-data
• gopher
• hostname
• irc
• klogin
• kshell
• lpd
• nntp
• pop2
• pop3
• smtp
• sunrpc
• syslog
• tacacs-ds
• talk
• telnet
• time
• uucp
• whois
• www
The following is a list of UDP port names that can be used instead of port numbers. Refer to the current
assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these
protocols can also be found if you type a ? in the place of a port number.
• biff
• bootpc
• bootps
• discard
• dnsix
• domain
• echo
• mobile-ip
• nameserver
• netbios-dgm
• netbios-ns
• non500-isakmp
• ntp
• rip
• snmp
• snmptrap
• sunrpc
• syslog
• tacacs-ds
• talk
• tftp
• time
• who
• xdmcp
...the fragments keyword, and assuming all of the access-list entry information matches, the access-list entry is applied only to noninitial fragments.
Note
The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.
Be aware that you should not simply add the fragments keyword to every access list entry, because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword; the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair does not include the fragments keyword and applies to the initial fragment. The second deny entry of the pair includes the fragments keyword and applies to the subsequent fragments. In cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets, and each counts individually as a packet in access list accounting and access list violation counts.
Note
The fragments keyword cannot solve all cases involving access lists and IP fragments.
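To make the matching rules above concrete, here is an added Python model (not Cisco code and not part of this reference) of first-match extended-ACL evaluation with wildcard masks, the implicit deny, the established keyword (treated as ACK or RST set, as in the Examples that follow) and the fragments keyword. It assumes, for entries without the fragments keyword, the IOS rule that a permit entry with Layer 4 information still permits a noninitial fragment while a deny entry with Layer 4 information is skipped for it; the host 10.1.1.5 is a constructed placeholder.

```python
"""Model of the extended-ACL rules described above: wildcard masks,
first-match evaluation with an implicit deny, the established keyword
and the fragments keyword.  Constructed illustration, not Cisco code."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import FrozenSet, List, Optional


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard is ignored,
    a 0 bit must be equal in addr and network."""
    a, n, w = (int(IPv4Address(x)) for x in (addr, network, wildcard))
    return ((a ^ n) & ~w & 0xFFFFFFFF) == 0


@dataclass
class Entry:
    """One line of a numbered extended IP access list."""
    action: str                      # "permit" or "deny"
    proto: str                       # "ip", "tcp", "udp" or "icmp"
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    dst_port: Optional[int] = None   # "eq <port>" on the destination
    established: bool = False        # TCP only
    fragments: bool = False

    def has_layer4(self) -> bool:
        return self.dst_port is not None or self.established


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None   # None: no Layer 4 header (noninitial fragment)
    tcp_flags: FrozenSet[str] = frozenset()
    frag_offset: int = 0             # > 0 marks a noninitial fragment


def evaluate(acl: List[Entry], pkt: Packet) -> str:
    """Return "permit" or "deny"; checking stops at the first matching entry."""
    noninitial = pkt.frag_offset > 0
    for e in acl:
        if e.fragments and e.has_layer4():
            raise ValueError("fragments cannot be combined with Layer 4 information")
        if e.proto != "ip" and e.proto != pkt.proto:
            continue
        if not (wildcard_match(pkt.src, e.src, e.src_wc)
                and wildcard_match(pkt.dst, e.dst, e.dst_wc)):
            continue
        if e.fragments:
            # Applies only to noninitial fragments; anything else falls through.
            if noninitial:
                return e.action
            continue
        if not e.has_layer4():
            return e.action          # Layer 3 only: applies to every fragment
        if noninitial:
            # Assumed IOS rule: with no Layer 4 header to compare, a permit
            # entry permits the fragment and a deny entry is skipped.
            if e.action == "permit":
                return "permit"
            continue
        if e.dst_port is not None and pkt.dst_port != e.dst_port:
            continue
        # established: ACK or RST set, i.e. not the initial SYN of a connection
        if e.established and not (pkt.tcp_flags & {"ACK", "RST"}):
            continue
        return e.action
    return "deny"                    # implicit deny terminates every list


ANY = ("0.0.0.0", "255.255.255.255")

# access-list 102 from the Examples: replies into 128.88.0.0/16 plus
# new SMTP connections to the mail host 128.88.1.2.
ACL_102 = [
    Entry("permit", "tcp", *ANY, "128.88.0.0", "0.0.255.255", established=True),
    Entry("permit", "tcp", *ANY, "128.88.1.2", "0.0.0.0", dst_port=25),
]


def blocking_acl(with_fragments_entry: bool) -> List[Entry]:
    """Constructed list: deny web and mail to the placeholder host 10.1.1.5,
    then permit everything.  Without a fragments entry, noninitial fragments
    for that host slip past the two Layer 4 deny lines."""
    acl = [
        Entry("deny", "tcp", *ANY, "10.1.1.5", "0.0.0.0", dst_port=80),
        Entry("deny", "tcp", *ANY, "10.1.1.5", "0.0.0.0", dst_port=25),
    ]
    if with_fragments_entry:
        # One Layer 3 deny with fragments covers both ports, as recommended above.
        acl.append(Entry("deny", "ip", *ANY, "10.1.1.5", "0.0.0.0", fragments=True))
    acl.append(Entry("permit", "ip", *ANY, *ANY))
    return acl
```

Running evaluate(blocking_acl(False), fragment) against a noninitial fragment for 10.1.1.5 returns "permit", and the same fragment returns "deny" once the fragments entry is present.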
Examples
In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the address of the mail host is 128.88.1.2. The established keyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicates that the packet belongs to an existing connection.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
interface serial 0
ip access-group 102 in
The following example permits Domain Naming System (DNS) packets and ICMP echo and echo reply
packets:
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp any host 128.88.1.2 eq smtp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
The following examples show how wildcard bits are used to indicate the bits of the prefix or mask that
are relevant. Wildcard bits are similar to the bitmasks that are used with normal access lists. Prefix or
mask bits corresponding to wildcard bits set to 1 are ignored during comparisons and prefix or mask bits
corresponding to wildcard bits set to 0 are used in comparison.
The following example permits 192.108.0.0 255.255.0.0 but denies any more specific routes of
192.108.0.0 (including 192.108.0.0 255.255.255.0):
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
The following example permits 131.108.0/24 but denies 131.108/16 and all other subnets of 131.108.0.0:
access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
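The two prefix/mask examples above, worked through in an added Python model (not Cisco code): when an extended list filters routing updates, its source address and wildcard are matched against the route prefix and its destination address and wildcard against the route mask, which is how the lists distinguish 192.108.0.0/16 from its more specific routes.

```python
"""Added model (not Cisco code) of the prefix/mask wildcard examples above.
For route filtering, the source address/wildcard of an extended entry is
compared with the route prefix and the destination address/wildcard with
the route mask; the first matching entry wins and unmatched routes are denied."""
from ipaddress import IPv4Address
from typing import Dict, List, Tuple

# (action, prefix, prefix-wildcard, mask, mask-wildcard)
RouteEntry = Tuple[str, str, str, str, str]


def wildcard_match(value: str, pattern: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard is ignored; a 0 bit must be equal."""
    v, p, w = (int(IPv4Address(x)) for x in (value, pattern, wildcard))
    return ((v ^ p) & ~w & 0xFFFFFFFF) == 0


def route_action(acl: List[RouteEntry], prefix: str, mask: str) -> str:
    for action, p, p_wc, m, m_wc in acl:
        if wildcard_match(prefix, p, p_wc) and wildcard_match(mask, m, m_wc):
            return action
    return "deny"                    # implicit deny


# access-list 101 of the first example: exactly 192.108.0.0 255.255.0.0 is
# permitted; routes inside 192.108.0.0/16 with a longer mask are denied.
ACL_192 = [
    ("permit", "192.108.0.0", "0.0.0.0", "255.255.0.0", "0.0.0.0"),
    ("deny", "192.108.0.0", "0.0.255.255", "255.255.0.0", "0.0.255.255"),
]

# access-list 101 of the second example: only 131.108.0.0/24 is permitted;
# 131.108.0.0/16 and every other subnet of 131.108.0.0 is denied.
ACL_131 = [
    ("permit", "131.108.0.0", "0.0.0.0", "255.255.255.0", "0.0.0.0"),
    ("deny", "131.108.0.0", "0.0.255.255", "255.255.0.0", "0.0.255.255"),
]


def classify(acl: List[RouteEntry], routes: List[Tuple[str, str]]) -> Dict[str, str]:
    """Map 'prefix mask' to the action the list takes on that route."""
    return {f"{p} {m}": route_action(acl, p, m) for p, m in routes}


if __name__ == "__main__":
    sample = [("192.108.0.0", "255.255.0.0"), ("192.108.0.0", "255.255.255.0"),
              ("192.108.7.0", "255.255.255.0"), ("10.0.0.0", "255.0.0.0")]
    for route, action in classify(ACL_192, sample).items():
        print(f"{action:6} {route}")
```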
The following example uses a time range to deny HTTP traffic on Monday through Friday from
8:00 a.m. to 6:00 p.m.:
time-range no-http
periodic weekdays 8:00 to 18:00
!
access-list 101 deny tcp any any eq http time-range no-http
!
interface ethernet 0
ip access-group 101 in
access-list (IP standard)
no access-list access-list-number
Syntax Description
access-list-number    Number of an access list. This is a decimal number from 1 to 99 or from 1300 to 1999.
deny    Denies access if the conditions are matched.
permit    Permits access if the conditions are matched.
source    Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:
• Use a 32-bit quantity in four-part, dotted-decimal format.
• Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
source-wildcard    (Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:
• Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the bit positions you want to ignore.
• Use the any keyword as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
log    (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
Defaults
The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.
Usage Guidelines
Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.
You can use access lists to control the transmission of packets on an interface, control vty access, and restrict the contents of routing updates.
Use the show access-lists EXEC command to display the contents of all access lists.
Use the show ip access-list EXEC command to display the contents of one access list.
Caution
Enhancements to this command are backward compatible; migrating from releases prior to Cisco IOS Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly. This condition could cause you severe security problems. Save your old configuration file before booting these images.
Examples
The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.5.34.0 0.0.0.255
access-list 1 permit 128.88.0.0 0.0.255.255
access-list 1 permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)
The following example of a standard access list allows access for devices with IP addresses in the range
from 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected.
access-list 1 permit 10.29.2.64 0.0.0.63
! (Note: all other access implicitly denied)
To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros.
Thus, the following two configuration commands are identical in effect:
access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3 0.0.0.0
Related Commands
Command    Description
distribute-list out (IP)    Suppresses networks from being advertised in updates.
ip access-group    Controls access to an interface.
permit (IP)    Sets conditions under which a packet passes a named access list.
remark (IP)    Writes a helpful comment (remark) for an entry in a named IP access list.
show access-lists    Displays the contents of current IP and rate-limit access lists.
show ip access-list    Displays the contents of all current IP access lists.
access-list compiled
To enable the Turbo Access Control Lists (Turbo ACL) feature, use the access-list compiled command
in global configuration mode. To disable the Turbo ACL feature, use the no form of this command.
access-list compiled
no access-list compiled
Defaults
Disabled
Usage Guidelines
By default, the Turbo ACL feature is disabled. When Turbo ACL is disabled, normal ACL processing is enabled, and no ACL acceleration occurs.
When the Turbo ACL feature is enabled using the access-list compiled command, the ACLs in the
configuration are scanned and, if suitable, compiled for Turbo ACL acceleration. This scanning and
compilation may take a few seconds when the system is processing large and complex ACLs, or when
the system is processing a configuration that contains a large number of ACLs.
Any configuration change to an ACL that is being accelerated, such as the addition of new ACL entries
or the deletion of the ACL, triggers a recompilation of that ACL.
When Turbo ACL tables are being built (or rebuilt) for a particular ACL, the normal sequential ACL
search is used until the new tables are ready for installation.
access-list remark
To write a helpful comment (remark) for an entry in a numbered IP access list, use the access-list
remark command in global configuration mode. To remove the remark, use the no form of this
command.
Usage Guidelines
The remark can be up to 100 characters long; anything longer is truncated.
If you want to write a comment about an entry in a named access list, use the remark command.
Examples
In the following example, the workstation belonging to Jones is allowed access, and the workstation belonging to Smith is not allowed access:
access-list 1 remark Permit only Jones workstation through
access-list 1 permit 171.69.2.88
access-list 1 remark Do not allow Smith workstation through
access-list 1 deny 171.69.3.13
accounting (DHCP)
To enable DHCP accounting, use the accounting command in DHCP pool configuration mode. To
disable DHCP accounting for the specified server group, use the no form of this command.
accounting server-group-name
no accounting server-group-name
Syntax Description
server-group-name    Name of a server group to apply DHCP accounting. The server group can have one or more members. The server group is defined in the configuration of the aaa group server and aaa accounting commands.
Usage Guidelines
The accounting DHCP pool configuration command is used to enable the DHCP accounting feature by sending secure DHCP START accounting messages when IP addresses are assigned to DHCP clients, and secure DHCP STOP accounting messages when DHCP leases are terminated. A DHCP lease is terminated when the client explicitly releases the lease, when the session times out, and when the DHCP bindings are cleared from the DHCP database. DHCP accounting is configured on a per-client or per-lease basis. Separate DHCP accounting processes can be configured on a per-pool basis.
The accounting command can be used only with network pools in which bindings are created automatically and destroyed upon lease termination (or when the client sends a DHCP RELEASE message). DHCP bindings are also destroyed when the clear ip dhcp binding or no service dhcp command is issued. These commands should be used with caution if an address pool is configured with DHCP accounting.
AAA and RADIUS must be configured before this command can be used to enable DHCP accounting. A server group must be defined with the aaa group server command. START and STOP message generation is configured with the aaa accounting command. The aaa accounting command can be configured to enable DHCP accounting to send both START and STOP messages or STOP messages only.
Examples
The following example configures DHCP accounting START and STOP messages to be sent if RADIUS-GROUP1 is configured as a start-stop group. STOP messages will only be sent if RADIUS-GROUP1 is configured as a stop-only group.
Router(config)# ip dhcp pool WIRELESS-POOL
Router(dhcp-config)# accounting RADIUS-GROUP1
Router(dhcp-config)# exit
advertise
To control the installation of a static route to the Null0 interface for a virtual server address, use the
advertise SLB virtual server configuration command. To prevent the installation of a static route for the
virtual server IP address, use the no form of this command.
advertise
no advertise
Defaults
The SLB virtual server IP address is added to the routing table.
Usage Guidelines
By default, virtual server addresses are advertised. That is, static routes to the Null0 interface are installed for the virtual server addresses.
Advertisement of this static route using the routing protocol requires that you configure redistribution
of static routes for the routing protocol.
Examples
The following example prevents advertisement of the IP address of the virtual server in routing protocol updates:
ip slb vserver PUBLIC_HTTP
no advertise
agent
To configure a Dynamic Feedback Protocol (DFP) agent, use the agent SLB command in DFP
configuration mode. To remove an agent definition from the DFP configuration, use the no form of this
command.
Examples
The following example configures a DFP agent on the DFP manager, sets the DFP password to Cookies and the timeout to 360 seconds, changes the configuration mode to DFP configuration mode, sets the IP address of the DFP agent to 10.1.1.1, and sets the port number of the DFP agent to 2221 (FTP):
ip slb dfp password Cookies 360
agent 10.1.1.1 2221
arp (global)
To add a permanent entry in the Address Resolution Protocol (ARP) cache, use the arp command in
global configuration mode. To remove an entry from the ARP cache, use the no form of this command.
Syntax Description
ip-address    IP address in four-part dotted decimal format corresponding to the local data-link address.
hardware-address    Local data-link address (a 48-bit address).
type    Encapsulation description. For Ethernet interfaces, this is typically the arpa keyword. For FDDI and Token Ring interfaces, this is always the snap keyword.
alias    (Optional) Indicates that the Cisco IOS software should respond to ARP requests as if it were the owner of the specified address.
Usage Guidelines
The Cisco IOS software uses ARP cache entries to translate 32-bit IP addresses into 48-bit hardware addresses.
Because most hosts support dynamic resolution, you generally need not specify static ARP cache entries.
To remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.
Examples
The following is an example of a static ARP entry for a typical Ethernet host:
arp 192.31.7.19 0800.0900.1834 arpa
arp (interface)
To control the interface-specific handling of IP address resolution into 48-bit Ethernet, FDDI, Frame
Relay, and Token Ring hardware addresses, use the arp command in interface configuration mode. To
disable an encapsulation type, use the no form of this command.
Usage Guidelines
Unlike most commands that have multiple arguments, the arp command has arguments that are not mutually exclusive. Each command enables or disables a specific type of ARP.
Given a network protocol address (IP address), the arp frame-relay command determines the
corresponding hardware address, which would be a data-link connection identifier (DLCI) for Frame
Relay.
The show interfaces EXEC command displays the type of ARP being used on a particular interface. To
remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.
arp timeout
To configure how long an entry remains in the Address Resolution Protocol (ARP) cache, use the arp
timeout command in interface configuration mode. To restore the default value, use the no form of this
command.
Syntax Description
seconds    Time (in seconds) that an entry remains in the ARP cache. A value of zero means that entries are never cleared from the cache.
Usage Guidelines
This command is ignored when issued on interfaces that do not use ARP. The show interfaces EXEC command displays the ARP timeout value. The value follows the “Entry Timeout:” heading, as seen in the following example from the show interfaces command:
ARP type: ARPA, PROBE, Entry Timeout: 14400 sec
Examples
The following example sets the ARP timeout to 12000 seconds to allow entries to time out more quickly than the default:
interface ethernet 0
arp timeout 12000
bindid
To configure a bind ID, use the bindid command in SLB server farm configuration mode. To remove a
bind ID from the server farm configuration, use the no form of this command.
bindid [bind-id]
no bindid [bind-id]
Usage Guidelines
You can configure one bind ID on each bindid command.
The bind ID allows a single physical server to be bound to multiple virtual servers and report a different
weight for each one. Thus, the single real server is represented as multiple instances of itself, each having
a different bind ID. DFP uses the bind ID to identify for which instance of the real server a given weight
is specified.
bootfile
To specify the name of the default boot image for a Dynamic Host Configuration Protocol (DHCP)
client, use the bootfile command in DHCP pool configuration mode. To delete the boot image name, use
the no form of this command.
bootfile filename
no bootfile
Syntax Description filename Specifies the name of the file that is used as a boot image.
Examples The following example specifies xllboot as the name of the boot file:
bootfile xllboot
Syntax Description access-list-number Access list number of the access list for which to clear the counters.
access-list-name Name of an IP access list. The name cannot contain a space or quotation
mark, and must begin with an alphabetic character to avoid ambiguity with
numbered access lists.
Usage Guidelines Some access lists keep counters that count the number of packets that pass each line of an access list.
The show access-lists command displays the counters as a number of matches. Use the clear access-list
counters command to restart the counters for a particular access list to 0.
Examples The following example clears the counters for access list 101:
Router# clear access-list counters 101
Usage Guidelines Use the clear arp interface command to clean up ARP entries associated with an interface.
Examples The following example clears the ARP cache from Ethernet interface 0:
clear arp-cache
To delete all dynamic entries from the Address Resolution Protocol (ARP) cache, to clear the
fast-switching cache, and to clear the IP route cache, use the clear arp-cache command in EXEC mode.
clear arp-cache
Examples The following example removes all dynamic entries from the ARP cache and clears the fast-switching
cache:
clear arp-cache
clear host
To delete entries from the host name-to-address cache, use the clear host EXEC command.
Usage Guidelines The host name entries will not be removed from NVRAM, but will be cleared in running memory.
Examples The following example clears all entries from the host name-to-address cache:
clear host *
clear ip accounting
To clear the active or checkpointed database when IP accounting is enabled, use the clear ip accounting
command in privileged EXEC mode.
Usage Guidelines You can also clear the checkpointed database by issuing the clear ip accounting command twice in
succession.
Examples The following example clears the active database when IP accounting is enabled:
Router# clear ip accounting
Usage Guidelines Typically, the address denotes the IP address of the client. If the asterisk (*) character is used as the
address parameter, DHCP clears all automatic bindings.
Use the no ip dhcp pool global configuration command to delete a manual binding.
Note the following behavior for the clear ip dhcp binding command:
• If you do not specify the pool name option and an IP address is specified, it is assumed that the IP
address is an address in the global address space and will look among all the non-VRF DHCP pools
for the specified binding.
• If you do not specify the pool name option and the * option is specified, it is assumed that all
automatic or on-demand bindings in all VRF and non-VRF pools are to be deleted.
• If you specify both the pool name option and the * option, all automatic or on-demand bindings in
the specified pool only will be cleared.
• If you specify the pool name option and an IP address, the specified binding will be deleted from
the specified pool.
Examples The following example deletes the address binding 10.12.1.99 from a DHCP server database:
Router# clear ip dhcp binding 10.12.1.99
The following example deletes all bindings from the address pool named pool1:
Router# clear ip dhcp pool pool1 binding *
The following example deletes address binding 10.13.2.99 from the address pool named pool2:
Usage Guidelines The server detects conflicts using a ping session. The client detects conflicts using gratuitous Address
Resolution Protocol (ARP). If the asterisk (*) character is used as the address parameter, DHCP clears
all conflicts.
Note the following behavior for the clear ip dhcp conflict command:
• If you do not specify the pool name option and an IP address is specified, it is assumed that the IP
address is an address in the global address space and will look among all the non-VRF DHCP pools
for the specified conflict.
• If you do not specify the pool name option and the * option is specified, it is assumed that all
automatic or on-demand conflicts in all VRF and non-VRF pools are to be deleted.
• If you specify both the pool name option and the * option, all automatic or on-demand conflicts in
the specified pool only will be cleared.
• If you specify the pool name option and an IP address, the specified conflict will be deleted from
the specified pool.
Examples The following example shows an address conflict of 10.12.1.99 being deleted from the DHCP server
database:
Router# clear ip dhcp conflict 10.12.1.99
The following example deletes all address conflicts from all pools:
Router# clear ip dhcp conflict *
The following example deletes all address conflicts from the address pool named pool1:
Router# clear ip dhcp pool pool1 conflict *
The following example deletes address conflict 10.13.2.99 from the address pool named pool2:
Router# clear ip dhcp pool pool2 conflict 10.13.2.99
Usage Guidelines The show ip dhcp server statistics command displays DHCP counters. All counters are cumulative. The
counters will be initialized, or set to zero, with the clear ip dhcp server statistics command.
Usage Guidelines A PPP session that is allocated an IP address from the released subnet will be reset.
Note the following behavior for the clear ip dhcp subnet command:
• If you do not specify the pool name option and an IP address is specified, it is assumed that the IP
address is an address in the global address space and will look among all the non-VRF DHCP pools
for the specified subnet.
• If you do not specify the pool name option and the * option is specified, it is assumed that all
automatic or on-demand subnets in all VRF and non-VRF pools are to be deleted.
• If you specify both the pool name option and the * option, all automatic or on-demand subnets in
the specified pool only will be cleared.
• If you specify the pool name option and an IP address, the subnet containing the specified IP address
will be deleted from the specified pool.
Caution Use this command with caution to prevent undesired termination of active PPP sessions.
Examples The following example releases the subnet containing 10.0.0.2 from any non-VRF on-demand address
pools:
Router# clear ip dhcp subnet 10.0.0.2
The following example clears all leased subnets from all pools:
Router# clear ip dhcp subnet *
The following example clears all leased subnets from the address pool named pool3:
Router# clear ip dhcp pool pool3 subnet *
The following example clears the address 10.0.0.2 from the address pool named pool2:
Router# clear ip dhcp pool pool2 subnet 10.0.0.2
clear ip drp
To clear all statistics being collected on Director Response Protocol (DRP) requests and replies, use the
clear ip drp command in privileged EXEC mode.
clear ip drp
clear ip nat translation {* | [inside global-ip global-port local-ip local-port] | [outside local-ip
global-ip]}
clear ip nat translation [esp | tcp | udp] [inside global-ip global-port local-ip local-port] |
[outside local-ip global-ip]
Usage Guidelines Use this command to clear entries from the translation table before they time out.
Examples The following example shows the NAT entries before and after the User Datagram Protocol (UDP) entry
is cleared:
Router> show ip nat translations
Router# clear ip nat translation udp inside 171.69.233.209 1220 192.168.1.95 1220 171.69.2.132 53 171.69.2.132 53
clear ip nhrp
To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, use the
clear ip nhrp EXEC command.
clear ip nhrp
Usage Guidelines This command does not clear any static (configured) IP-to-nonbroadcast multiaccess (NBMA) address
mappings from the NHRP cache.
Examples The following example clears all dynamic entries from the NHRP cache:
clear ip nhrp
Syntax Description vrf (Optional) VPN routing and forwarding instance (VRF).
vrf-name (Optional) Name of the VRF.
ip-address (Optional) Address about which routing information should be removed.
Usage Guidelines To remove information about global routes in the routing table, use the clear ip route dhcp command.
To remove routes in the VRF routing table, use the clear ip route vrf vrf-name dhcp command.
Examples The following example removes a route to network 55.5.5.217 from the routing table:
Router# clear ip route dhcp 55.5.5.217
clear ip route
To delete routes from the IP routing table, use the clear ip route EXEC command.
Examples The following example removes a route to network 132.5.0.0 from the IP routing table:
clear ip route 132.5.0.0
clear ip slb
To clear IP IOS SLB connections or counters, use the clear ip slb privileged EXEC command.
Examples The following example clears the connection database of the server farm named FARM1:
Router# clear ip slb connections serverfarm FARM1
The following example clears the connection database of the virtual server named VSERVER1:
Router# clear ip slb connections vserver VSERVER1
Usage Guidelines Use this command to clear entries from the translation table before they time out.
Examples The following example shows the SNAT entries before and after using the clear ip snat sessions
command:
Router# show ip snat distributed
SNAT:Mode PRIMARY
:State READY
:Local Address 192.168.123.2
:Local NAT id 100
:Peer Address 192.168.123.3
:Peer NAT id 200
:Mapping List 10
Usage Guidelines Use this command to clear entries from the translation table before they time out.
Examples The following example clears all dynamic SNAT translations from the translation table:
Router# clear ip snat translations distributed *
Usage Guidelines Use this command to clear peer entries from the translation table before they time out.
Examples The following example shows the SNAT entries before and after the peer entry is cleared:
Router# show ip snat peer
clear ip wccp
To remove Web Cache Communication Protocol (WCCP) statistics (counts) maintained on the router for
a particular service, use the clear ip wccp command in EXEC mode.
Syntax Description web-cache Directs the router to remove statistics for the web cache service.
service-number Directs the router to remove statistics for a specified cache service.
The number can be from 0 to 99.
Usage Guidelines Use the show ip wccp and show ip wccp detail commands to display WCCP statistics. If Cisco
Cache Engines are used in your service group, the reverse proxy service is indicated by a value of 99.
Examples In the following example, all statistics associated with the web cache service are removed:
Router# clear ip wccp web-cache
Examples The following example clears the time-range IPC statistics and counters:
Router# clear time-range ipc
client
To define which clients are allowed to use the virtual server, use the client SLB virtual server
configuration command. You can use more than one client command to define more than one client. To
remove a client definition from the IOS SLB configuration, use the no form of this command.
Syntax Description ip-address Client IP address. The default is 0.0.0.0 (all clients).
network-mask Client IP network mask. The default is 0.0.0.0 (all subnetworks).
Usage Guidelines The network-mask value is applied to the source IP address of incoming connections. The result must
match the ip-address value for the client to be allowed to use the virtual server.
Examples The following example allows only clients from 10.4.4.x access to the virtual server:
ip slb vserver PUBLIC_HTTP
client 10.4.4.0 255.255.255.0
client-identifier
To specify the unique identifier (in dotted hexadecimal notation) for a Microsoft Dynamic Host
Configuration Protocol (DHCP) client, use the client-identifier command in DHCP pool configuration
mode. To delete the client identifier, use the no form of this command.
client-identifier unique-identifier
no client-identifier
Syntax Description unique-identifier The distinct identification of the client in dotted-hexadecimal notation, for
example, 01b7.0813.8811.66.
Usage Guidelines This command is valid for manual bindings only. Microsoft DHCP clients require client identifiers
instead of hardware addresses. The client identifier is formed by concatenating the media type and the
MAC address. For example, the Microsoft client identifier for Ethernet address b708.1388.f166 is
01b7.0813.88f1.66, where 01 represents the Ethernet media type. For a list of media type codes, refer to
the “Address Resolution Protocol Parameters” section of RFC 1700, Assigned Numbers.
Examples The following example specifies the client identifier 01b7.0813.8811.66 in dotted hexadecimal
notation; it is the Ethernet media type 01 followed by the MAC address b708.1388.1166:
client-identifier 01b7.0813.8811.66
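The identifier construction described above, as an added example that is not part of the Cisco reference or of Cisco IOS: a small Python helper that builds the dotted-hexadecimal client identifier from a MAC address (media type byte, 01 for Ethernet per RFC 1700, concatenated with the six MAC bytes and regrouped as IOS prints it) and the inverse that validates an identifier and recovers the media type and MAC. The MAC input forms accepted and the colon-separated output form are choices made here, not something the page specifies.

```python
"""Added example (not from the Cisco reference): build and check the
dotted-hex client identifier used by the client-identifier command for
Microsoft DHCP clients: media type code + MAC address, 7 bytes in total."""
import re
from typing import Tuple

ETHERNET = 0x01  # RFC 1700 ARP hardware type code for Ethernet


def mac_to_client_identifier(mac: str, media_type: int = ETHERNET) -> str:
    """Accept a MAC in any common form (b7:08:13:88:f1:66, b7-08-13-88-f1-66,
    b708.1388.f166) and return the identifier grouped as IOS shows it:
    four hex digits per group, so the last group carries the odd 7th byte."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"MAC address must be 6 bytes, got {mac!r}")
    if not 0 <= media_type <= 0xFF:
        raise ValueError("media type code is a single byte")
    raw = f"{media_type:02x}{digits}"  # 14 hex digits = 7 bytes
    return ".".join(raw[i:i + 4] for i in range(0, len(raw), 4))


def client_identifier_to_mac(client_id: str) -> Tuple[int, str]:
    """Inverse: validate a dotted-hex client identifier (xxxx.xxxx.xxxx.xx) and
    split it into the media type byte and a colon-separated MAC address."""
    pattern = r"[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{4}\.[0-9a-fA-F]{2}"
    if not re.fullmatch(pattern, client_id):
        raise ValueError(f"not a 7-byte dotted-hex client identifier: {client_id!r}")
    raw = client_id.replace(".", "").lower()
    media_type = int(raw[:2], 16)
    mac = ":".join(raw[i:i + 2] for i in range(2, 14, 2))
    return media_type, mac


if __name__ == "__main__":
    # The page's own worked value: MAC b708.1388.f166 -> 01b7.0813.88f1.66
    cid = mac_to_client_identifier("b708.1388.f166")
    print(cid, client_identifier_to_mac(cid))
```

Because the media type byte shifts every MAC nibble by two positions, reading a client identifier as if it were a MAC address gives the wrong host; the inverse function above is the check to run before copying an identifier from a DHCP packet capture into a manual binding.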
client-name
To specify the name of a DHCP client, use the client-name command in DHCP pool configuration mode.
To remove the client name, use the no form of this command.
client-name name
no client-name
Syntax Description name Specifies the name of the client, using any standard ASCII character. The
client name should not include the domain name. For example, the name mars
should not be specified as mars.cisco.com.
Usage Guidelines The client name should not include the domain name.
Examples The following example specifies a string client1 that will be the name of the client:
client-name client1
crypto ipsec
To enable security parameter index (SPI) matching between two Virtual Private Network (VPN) devices,
use the crypto ipsec command on both devices in global configuration mode. To disable SPI matching,
use the no form of this command.
Usage Guidelines With SPI matching enabled, both peers generate SPIs that are predictable and symmetric. Use SPI
matching together with Network Address Translation (NAT) devices when multiple ESP connections
across a NAT device are desired.
Examples The following example enables SPI matching on the endpoint routers:
crypto ipsec spi-matching
default-router
To specify the default router list for a Dynamic Host Configuration Protocol (DHCP) client, use the
default-router command in DHCP pool configuration mode. To remove the default router list, use the
no form of this command.
no default-router
Syntax Description address Specifies the IP address of a router. One IP address is required, although you
can specify up to eight addresses in one command line.
address2...address8 (Optional) Specifies up to eight addresses in the command line.
Usage Guidelines The IP address of the router should be on the same subnet as the client subnet. You can specify up to
eight routers in the list. Routers are listed in order of preference (address1 is the most preferred router,
address2 is the next most preferred router, and so on).
Examples The following example specifies 10.12.1.99 as the IP address of the default router:
default-router 10.12.1.99
delay (tracking)
To specify a period of time to delay communicating state changes of a tracked object, use the delay
command in tracking configuration mode. To disable the delay period, use the no form of this command.
Examples In the following example, the tracking process is tracking the IP route metric threshold. The delay period
to communicate the changes of the tracked object to the client process is set to 30 seconds.
track 1 ip route 10.22.0.0/16 metric threshold
threshold metric up 16 down 20
delay down 30
delay duration
no delay
Syntax Description duration Delay timer duration in seconds. The valid range is from 1 to 600
seconds. The default value is 10 seconds.
Usage Guidelines The delay timer allows out-of-sequence packets and final acknowledgments (ACKs) to be delivered after
a TCP connection ends.
Do not set this value to zero (0).
If you are configuring a delay timer for HTTP flows, choose a low number such as 5 seconds as a starting
point.
Examples The following example specifies that the IOS SLB feature maintains TCP connection context for 30
seconds after a connection has terminated:
ip slb vserver PUBLIC_HTTP
delay 30
deny (IP)
To set conditions in a named IP access list that will deny packets, use the deny command in access list
configuration mode. To remove a deny condition from an access list, use the no form of this command.
no sequence-number
Syntax Description sequence-number (Optional) Sequence number assigned to the deny statement, causing the
system to insert the statement in that numbered position in the access list.
source Number of the network or host from which the packet is being sent. There
are three alternative ways to specify the source:
• Use a 32-bit quantity in four-part, dotted-decimal format.
• Use the any keyword as an abbreviation for a source and
source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard
of source 0.0.0.0.
source-wildcard Wildcard bits to be applied to the source. There are three alternative ways
to specify the source wildcard:
• Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in
the bit positions you want to ignore.
• Use the any keyword as an abbreviation for a source and
source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard
of source 0.0.0.0.
protocol Name or number of an Internet protocol. It can be one of the keywords
eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer
in the range from 0 to 255 representing an Internet protocol number. To
match any Internet protocol (including ICMP, TCP, and UDP), use the ip
keyword. Some protocols allow further qualifiers described later.
destination Number of the network or host to which the packet is being sent. There
are three alternative ways to specify the destination:
• Use a 32-bit quantity in four-part, dotted-decimal format.
• Use the any keyword as an abbreviation for the destination and
destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and
destination-wildcard of destination 0.0.0.0.
destination-wildcard Wildcard bits to be applied to the destination. There are three alternative
ways to specify the destination wildcard:
• Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in
the bit positions you want to ignore.
• Use the any keyword as an abbreviation for a destination and
destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and
destination-wildcard of destination 0.0.0.0.
precedence precedence (Optional) Packets can be filtered by precedence level, as specified by a
number from 0 to 7 or by name as listed in the section “Usage
Guidelines.”
tos tos (Optional) Packets can be filtered by type of service (ToS) level, as
specified by a number from 0 to 15, or by name as listed in the section
“Usage Guidelines” of the access-list (IP extended) command.
log (Optional) Causes an informational logging message about the packet that
matches the entry to be sent to the console. (The level of messages logged
to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was
permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a
number; and, if appropriate, the source and destination addresses and
source and destination port numbers. The message is generated for the
first packet that matches, and then at 5-minute intervals, including the
number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages
when the number of matches reaches a configurable threshold (rather than
waiting for a 5-minute interval). See the ip access-list log-update
command for more information.
The logging facility might drop some logging message packets if there are
too many to be handled or if there is more than one logging message to be
handled in 1 second. This behavior prevents the router from crashing due
to too many logging packets. Therefore, the logging facility should not be
used as a billing tool or an accurate source of the number of matches to
an access list.
If you enable CEF and then create an access list that uses the log keyword,
the packets that match the access list are not CEF switched. They are fast
switched. Logging disables CEF.
time-range (Optional) Name of the time range that applies to this deny statement.
time-range-name The name of the time range and its restrictions are specified by the
time-range and absolute or periodic commands, respectively.
fragments (Optional) The access list entry applies to noninitial fragments of packets;
the fragment is either permitted or denied accordingly. For more details
about the fragments keyword, see the “Access List Processing of
Fragments” and “Fragments and Policy Routing” sections in the “Usage
Guidelines” section.
icmp-type (Optional) ICMP packets can be filtered by ICMP message type. The type
is a number from 0 to 255.
icmp-code (Optional) ICMP packets that are filtered by ICMP message type can also
be filtered by the ICMP message code. The code is a number from 0 to
255.
icmp-message (Optional) ICMP packets can be filtered by an ICMP message type name
or ICMP message type and code name. The possible names are listed in
the section “Usage Guidelines” of the access-list (IP extended)
command.
igmp-type (Optional) IGMP packets can be filtered by IGMP message type or
message name. A message type is a number from 0 to 15. IGMP message
names are listed in the section “Usage Guidelines” of the access-list (IP
extended) command.
Defaults There is no specific condition under which a packet is denied passing the named access list.
Usage Guidelines Use this command following the ip access-list command to specify conditions under which a packet
cannot pass the named access list.
The time-range option allows you to identify a time range by name. The time-range, absolute, and
periodic commands specify when this deny statement is in effect.
Be aware that you should not simply add the fragments keyword to every access list entry because the
first fragment of the IP packet is considered a nonfragment and is treated independently of the
subsequent fragments. An initial fragment will not match an access list permit or deny entry that
contains the fragments keyword; the packet is compared to the next access list entry, and so on, until it
is either permitted or denied by an access list entry that does not contain the fragments keyword.
Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair
will not include the fragments keyword, and applies to the initial fragment. The second deny entry of
the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where
there are multiple deny access list entries for the same host but with different Layer 4 ports, a single
deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all
the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a
packet in access list accounting and access list violation counts.
Note The fragments keyword cannot solve all cases involving access lists and IP fragments.
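The two-entry pattern described above, as an added example that is not part of the Cisco reference or of Cisco IOS: a small Python model of first-match evaluation of a named extended access list, with IOS wildcard masks (a 1 bit means ignore), the implicit deny at the end, per-entry match counters, and the fragments keyword. How an entry without the fragments keyword treats a noninitial fragment (a Layer 3-only entry matches it; an entry with a port has no Layer 4 header to inspect, so a permit is taken as matching and a deny is skipped) follows the IOS behaviour documented under "Access List Processing of Fragments", which this page only references; those rules, and all addresses, entries and packets, are constructed here and labelled as assumptions in the code.

```python
"""Added example (not from the Cisco reference): model of named extended IP
access list evaluation, built to show why a deny for host:port needs a second
deny entry carrying the `fragments` keyword.

Assumptions (the page references but does not reproduce these IOS rules):
  * an entry with `fragments` matches only noninitial fragments (offset > 0);
  * an entry without `fragments` and without a port matches every packet
    whose Layer 3 fields match, initial and noninitial fragments included;
  * an entry without `fragments` but with a port cannot be checked against a
    noninitial fragment: a permit entry is taken as matching, a deny is skipped.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional, Tuple

Match = Tuple[IPv4Address, int]  # (address, wildcard)
ANY: Match = (IPv4Address("0.0.0.0"), 0xFFFFFFFF)  # any == 0.0.0.0 255.255.255.255


def host(addr: str) -> Match:
    """host <addr> is shorthand for <addr> 0.0.0.0 (no ignored bits)."""
    return (IPv4Address(addr), 0)


def wildcard_match(addr: IPv4Address, base: IPv4Address, wildcard: int) -> bool:
    """IOS wildcard semantics: a 1 bit means 'ignore this bit', the inverse of
    a subnet mask (0.0.0.255 covers a /24)."""
    care = ~wildcard & 0xFFFFFFFF
    return (int(addr) & care) == (int(base) & care)


@dataclass
class Entry:
    action: str                     # "permit" or "deny"
    protocol: str                   # "ip" matches any protocol
    src: Match
    dst: Match
    dst_port: Optional[int] = None  # eq <port>; None = no Layer 4 qualifier
    fragments: bool = False
    matches: int = 0                # counter as shown by show access-lists


@dataclass
class Packet:
    protocol: str
    src: IPv4Address
    dst: IPv4Address
    frag_offset: int = 0            # > 0 means noninitial fragment
    dst_port: Optional[int] = None  # present only when a Layer 4 header is

    @property
    def noninitial(self) -> bool:
        return self.frag_offset > 0


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not (wildcard_match(p.src, *e.src) and wildcard_match(p.dst, *e.dst)):
        return False
    if e.fragments:
        return p.noninitial            # never matches an initial fragment
    if e.dst_port is None:
        return True                    # Layer 3 only: all fragments match
    if p.noninitial:
        return e.action == "permit"    # assumption: no L4 header to compare
    return p.dst_port == e.dst_port


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First match wins and bumps that entry's counter; every fragment is its
    own packet for counting. (deny, None) is the implicit deny at the end."""
    for i, e in enumerate(acl):
        if entry_matches(e, p):
            e.matches += 1
            return e.action, i
    return "deny", None


# Constructed sample: block HTTP from one host to one server, allow the rest.
A, B = IPv4Address("10.1.1.5"), IPv4Address("192.0.2.10")
leaky = [Entry("deny", "tcp", host("10.1.1.5"), host("192.0.2.10"), dst_port=80),
         Entry("permit", "ip", ANY, ANY)]
fixed = [Entry("deny", "tcp", host("10.1.1.5"), host("192.0.2.10"), dst_port=80),
         Entry("deny", "ip", host("10.1.1.5"), host("192.0.2.10"), fragments=True),
         Entry("permit", "ip", ANY, ANY)]

first = Packet("tcp", A, B, frag_offset=0, dst_port=80)   # initial fragment
rest = Packet("tcp", A, B, frag_offset=185)               # noninitial fragment

if __name__ == "__main__":
    for name, acl in (("leaky", leaky), ("fixed", fixed)):
        print(name, "initial:", evaluate(acl, first), "noninitial:", evaluate(acl, rest))
```

Run stand-alone, the block shows the leaky list denying the initial fragment at entry 0 but permitting the rest of the same datagram at the permit ip any any entry, while the fixed list denies both; the initial fragment never touches the fragments entry, which is why the first deny still has to exist.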
Examples The following example sets a deny condition for a standard access list named Internetfilter:
ip access-list standard Internetfilter
deny 192.5.34.0 0.0.0.255
permit 128.88.0.0 0.0.255.255
permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)
The following example denies HTTP traffic on Monday through Friday from 8:00 a.m. to 6:00 p.m.:
time-range no-http
periodic weekdays 8:00 to 18:00
!
ip access-list extended strict
deny tcp any any eq http time-range no-http
!
interface ethernet 0
ip access-group strict in
The following example adds an entry with the sequence number 25 to extended IP access list 150:
Router(config)# ip access-list extended 150
Router(config-ext-nacl)# 25 deny ip host 3.3.3.3 host 45.5.5.34
The following example removes the entry with the sequence number 25 from the extended access list
shown above:
Router(config-ext-nacl)# no 25
Command Description
show ip access-list Displays the contents of all current IP access lists.
time-range Specifies when an access list or other feature is in effect.
dns-server
To specify the Domain Name System (DNS) IP servers available to a Dynamic Host Configuration
Protocol (DHCP) client, use the dns-server command in DHCP pool configuration mode. To remove the
DNS server list, use the no form of this command.
no dns-server
Syntax Description address The IP address of a DNS server. One IP address is required, although you can
specify up to eight addresses in one command line.
address2...address8 (Optional) Specifies up to eight addresses in the command line.
Defaults If DNS IP servers are not configured for a DHCP client, the client cannot correlate host names to
IP addresses.
Usage Guidelines Servers are listed in order of preference (address1 is the most preferred server, address2 is the next most
preferred server, and so on).
Examples The following example specifies 10.12.1.99 as the IP address of the domain name server of the client:
dns-server 10.12.1.99
domain-name (DHCP)
To specify the domain name for a Dynamic Host Configuration Protocol (DHCP) client, use the
domain-name command in DHCP pool configuration mode. To remove the domain name, use the no
form of this command.
domain-name domain
no domain-name
Syntax Description domain Specifies the domain name string of the client.
Examples The following example specifies cisco.com as the domain name of the client:
domain-name cisco.com
dynamic
To define a named dynamic IP access list, use the dynamic command in access-list configuration mode.
To remove the access list, use the no form of this command.
no dynamic dynamic-name
Syntax Description dynamic-name Identifies this access list as a dynamic access list. Refer to lock-and-key
access documented in the “Configuring Lock-and-Key Security (Dynamic
Access Lists)” chapter in the Cisco IOS Security Configuration Guide.
timeout minutes (Optional) Specifies the absolute length of time (in minutes) that a temporary
access list entry can remain in a dynamic access list. The default is an infinite
length of time and allows an entry to remain permanently. Refer to
lock-and-key access documented in the “Configuring Lock-and-Key Security
(Dynamic Access Lists)” chapter in the Cisco IOS Security Configuration
Guide.
deny Denies access if the conditions are matched.
permit Permits access if the conditions are matched.
protocol Name or number of an Internet protocol. It can be one of the keywords eigrp,
gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range
from 0 to 255 representing an Internet protocol number. To match any Internet
protocol (including ICMP, TCP, and UDP), use the ip keyword. Some
protocols allow further qualifiers described later.
source Number of the network or host from which the packet is being sent. There are
three alternative ways to specify the source:
• Use a 32-bit quantity in four-part, dotted decimal format.
• Use the any keyword as an abbreviation for a source and source-wildcard
of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of
source 0.0.0.0.
source-wildcard Wildcard bits to be applied to source. There are three alternative ways to
specify the source wildcard:
• Use a 32-bit quantity in four-part, dotted decimal format. Place 1s in the
bit positions you want to ignore.
• Use the any keyword as an abbreviation for a source and source-wildcard
of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of
source 0.0.0.0.
destination Number of the network or host to which the packet is being sent. There are
three alternative ways to specify the destination:
• Use a 32-bit quantity in four-part, dotted decimal format.
• Use the any keyword as an abbreviation for the destination and
destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and
destination-wildcard of destination 0.0.0.0.
destination-wildcard Wildcard bits to be applied to the destination. There are three alternative ways
to specify the destination wildcard:
• Use a 32-bit quantity in four-part, dotted-decimal format. Place 1s in the
bit positions you want to ignore.
• Use the any keyword as an abbreviation for a destination and
destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and
destination-wildcard of destination 0.0.0.0.
precedence precedence (Optional) Packets can be filtered by precedence level, as specified by a
number from 0 to 7, or by name as listed in the section “Usage Guidelines.”
tos tos (Optional) Packets can be filtered by type of service (ToS) level, as specified
by a number from 0 to 15, or by name as listed in the section “Usage
Guidelines.”
log (Optional) Causes an informational logging message about the packet that
matches the entry to be sent to the console. (The level of messages logged to
the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was
permitted or denied; the protocol, whether it was TCP, UDP, ICMP, or a
number; and, if appropriate, the source and destination addresses and source
and destination port numbers. The message is generated for the first packet
that matches, and then at 5-minute intervals, including the number of packets
permitted or denied in the prior 5-minute interval.
The logging facility might drop some logging message packets if there are too
many to be handled or if there is more than one logging message to be handled
in 1 second. This behavior prevents the router from crashing due to too many
logging packets. Therefore, the logging facility should not be used as a billing
tool or an accurate source of the number of matches to an access list.
fragments (Optional) The access list entry applies to noninitial fragments of packets; the
fragment is either permitted or denied accordingly. For more details about the
fragments keyword, see the “Access List Processing of Fragments” and
“Fragments and Policy Routing” sections in the “Usage Guidelines” section.
icmp-type (Optional) ICMP packets can be filtered by ICMP message type. The type is
a number from 0 to 255.
icmp-code (Optional) ICMP packets that are filtered by ICMP message type can also be
filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message (Optional) ICMP packets can be filtered by an ICMP message type name or
ICMP message type and code name. The possible names are found in the
section “Usage Guidelines.”
igmp-type (Optional) IGMP packets can be filtered by IGMP message type or message
name. A message type is a number from 0 to 15. IGMP message names are
listed in the section “Usage Guidelines.”
operator (Optional) Compares source or destination ports. Possible operands include lt
(less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive
range).
If the operator is positioned after the source and source-wildcard, it must
match the source port.
If the operator is positioned after the destination and destination-wildcard, it
must match the destination port.
The range operator requires two port numbers. All other operators require one
port number.
port (Optional) The decimal number or name of a TCP or UDP port. A port number
is a number from 0 to 65535. TCP and UDP port names are listed in the
section “Usage Guidelines” of the access-list (IP extended) command. TCP
port names can only be used when filtering TCP. UDP port names can only be
used when filtering UDP.
established (Optional) For the TCP protocol only: Indicates an established connection. A
match occurs if the TCP datagram has the ACK or RST bit set. The
nonmatching case is that of the initial TCP datagram (the SYN) sent to form a
connection. This is a stateless flag check, not connection tracking: any
segment with ACK or RST set matches whether or not a connection exists, so
the keyword does not block crafted ACK packets sent from outside.
Defaults An extended access list defaults to a list that denies everything. An extended access list is terminated by
an implicit deny statement.
Usage Guidelines You can use named access lists to control the transmission of packets on an interface and restrict contents
of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Fragmented IP packets, other than the initial fragment, are accepted by any extended IP access list
unless an entry carrying the fragments keyword denies them; see the discussion of the fragments
keyword later in these guidelines. Extended access lists used to control vty access or restrict the
contents of routing updates must not match against the TCP source port, the ToS value, or the
precedence of the packet.
Caution Named IP access lists will not be recognized by any software release prior to Cisco IOS Release 11.2.
Note After an access list is created, any subsequent additions (possibly entered from the terminal) are
placed at the end of the list. In other words, you cannot selectively add or remove access list
command lines from a specific access list.
The following is a list of ICMP message type names and ICMP message type and code names:
• administratively-prohibited
• alternate-address
• conversion-error
• dod-host-prohibited
• dod-net-prohibited
• echo
• echo-reply
• general-parameter-problem
• host-isolated
• host-precedence-unreachable
• host-redirect
• host-tos-redirect
• host-tos-unreachable
• host-unknown
• host-unreachable
• information-reply
• information-request
• mask-reply
• mask-request
• mobile-redirect
• net-redirect
• net-tos-redirect
• net-tos-unreachable
• net-unreachable
• network-unknown
• no-room-for-option
• option-missing
• packet-too-big
• parameter-problem
• port-unreachable
• precedence-unreachable
• protocol-unreachable
• reassembly-timeout
• redirect
• router-advertisement
• router-solicitation
• source-quench
• source-route-failed
• time-exceeded
• timestamp-reply
• timestamp-request
• traceroute
• ttl-exceeded
• unreachable
The following is a list of IGMP message names:
• dvmrp
• host-query
• host-report
• pim
• trace
The following is a list of TCP port names that can be used instead of port numbers. Refer to the current
assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these
protocols can also be found if you type a ? in the place of a port number.
• bgp
• chargen
• daytime
• discard
• domain
• echo
• finger
• ftp
• ftp-data
• gopher
• hostname
• irc
• klogin
• kshell
• lpd
• nntp
• pop2
• pop3
• smtp
• sunrpc
• syslog
• tacacs-ds
• talk
• telnet
• time
• uucp
• whois
• www
The following is a list of UDP port names that can be used instead of port numbers. Refer to the current
assigned numbers RFC to find a reference to these protocols. Port numbers corresponding to these
protocols can also be found if you type a ? in the place of a port number.
• biff
• bootpc
• bootps
• discard
• dns
• dnsix
• echo
• mobile-ip
• nameserver
• netbios-dgm
• netbios-ns
• ntp
• rip
• snmp
• snmptrap
• sunrpc
• syslog
• tacacs-ds
• talk
• tftp
• time
• who
• xdmcp
Be aware that you should not simply add the fragments keyword to every access list entry because the
first fragment of the IP packet is considered a nonfragment and is treated independently of the
subsequent fragments. An initial fragment will not match an access list permit or deny entry that
contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it
is either permitted or denied by an access list entry that does not contain the fragments keyword.
Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair
will not include the fragments keyword, and applies to the initial fragment. The second deny entry of
the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where
there are multiple deny access list entries for the same host but with different Layer 4 ports, a single
deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all
the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a
packet in access list accounting and access list violation counts.
Note The fragments keyword cannot solve all cases involving access lists and IP fragments.
Examples The following example defines a dynamic access list named washington. The dynamic entry carries its
permit condition on the same line:
ip access-group washington in
!
ip access-list extended washington
 dynamic testlist timeout 5 permit ip any any
 ! 192.0.2.2 is a placeholder address for the Telnet server being protected
 permit tcp any host 192.0.2.2 eq 23
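The matching rules described in this entry (first match wins with an implicit deny at the end, established as a bare ACK/RST flag check, and the fragments keyword applying only to noninitial fragments), as an added Python model that is not part of this reference or of Cisco IOS. The addresses, packets and access lists are constructed; the rule that a noninitial fragment is permitted but never denied by an entry carrying Layer 4 conditions follows Cisco's fragment-processing guidance that this page refers to but does not reproduce.

```python
"""Model of the extended-ACL matching rules this reference describes:
first match wins with an implicit deny at the end, `established` is a
flag check (ACK or RST), and `fragments` entries apply only to noninitial
fragments, which carry no Layer 4 header.  Added illustration, not Cisco
IOS code.  The packets and ACLs below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network


def from_wildcard(addr: str, wildcard: str) -> IPv4Network:
    """Turn an IOS `address wildcard` pair into a network (contiguous wildcards only)."""
    w = int(IPv4Address(wildcard))
    if w & (w + 1):
        raise ValueError("non-contiguous wildcard masks are not modeled")
    return IPv4Network((addr, 32 - w.bit_length()), strict=False)


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip", "tcp", "udp" or "icmp"
    src: IPv4Network
    dst: IPv4Network
    dport: int | None = None    # `eq <port>` on the destination, None = any
    fragments: bool = False
    established: bool = False   # TCP only


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: int = 0
    frag_offset: int = 0        # > 0 marks a noninitial fragment
    ack: bool = False
    rst: bool = False


def matches(e: Entry, p: Packet) -> bool:
    if e.proto != "ip" and e.proto != p.proto:
        return False
    if IPv4Address(p.src) not in e.src or IPv4Address(p.dst) not in e.dst:
        return False
    has_l4 = e.dport is not None or e.established
    if p.frag_offset > 0:
        # Noninitial fragment: no Layer 4 header to compare.  A `fragments`
        # entry or a Layer 3-only entry applies normally; an entry with
        # Layer 4 conditions permits it but cannot deny it, which is why the
        # guidance above pairs each deny with a second deny ... fragments.
        if e.fragments or not has_l4:
            return True
        return e.action == "permit"
    if e.fragments:
        return False            # initial fragments skip `fragments` entries
    if e.dport is not None and p.dport != e.dport:
        return False
    if e.established and not (p.ack or p.rst):
        return False            # stateless: any ACK/RST segment matches
    return True


def evaluate(acl: list[Entry], p: Packet) -> tuple[str, int | None]:
    """Return (action, index of the matching entry); None means implicit deny."""
    for i, e in enumerate(acl):
        if matches(e, p):
            return e.action, i
    return "deny", None


ANY = from_wildcard("0.0.0.0", "255.255.255.255")
HOST = from_wildcard("192.0.2.10", "0.0.0.0")          # constructed target host

# deny telnet to HOST, permit the rest: the single deny misses noninitial fragments
ACL_WEAK = [Entry("deny", "tcp", ANY, HOST, dport=23),
            Entry("permit", "ip", ANY, ANY)]
# the deny pair from the fragments guidance: one entry for the initial fragment,
# one with `fragments` that covers every noninitial fragment to that host
ACL_FIXED = [Entry("deny", "tcp", ANY, HOST, dport=23),
             Entry("deny", "ip", ANY, HOST, fragments=True),
             Entry("permit", "ip", ANY, ANY)]
# `established`: only segments with ACK or RST set, so a bare SYN is denied
ACL_ESTABLISHED = [Entry("permit", "tcp", ANY, HOST, established=True)]

if __name__ == "__main__":
    syn = Packet("tcp", "198.51.100.5", "192.0.2.10", dport=23)
    frag = Packet("tcp", "198.51.100.5", "192.0.2.10", frag_offset=185)
    print(evaluate(ACL_WEAK, syn), evaluate(ACL_WEAK, frag))   # ('deny', 0) ('permit', 1)
    print(evaluate(ACL_FIXED, frag))                            # ('deny', 1)
    print(evaluate(ACL_ESTABLISHED, syn))                       # ('deny', None)
```

The weak list shows the gap the guidance warns about: a noninitial fragment addressed to the protected host slides past the Layer 4 deny and is permitted by the catch-all, while the fixed list stops it at the fragments entry.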
faildetect
To specify the conditions that indicate a server failure, use the faildetect SLB real server configuration
command. To restore the default values that indicate a server failure, use the no form of this command.
no faildetect
Defaults If you do not specify the faildetect command, the default value of the connection reassignment threshold
is 8.
If you do not specify the numclients keyword, the default value of the unique client failure threshold
is 2.
Examples In the following example the connection reassignment threshold is set to 16 and, because the numclients
keyword is not configured, the threshold for unique client connection failure is set to the default value
2. The real server is considered to have failed when 2 unique clients have had connection failures and
there have been 16 connection reassignments.
ip slb serverfarm PUBLIC
real 10.10.1.1
faildetect numconns 16
forwarding-agent
To specify the port on which the forwarding agent will listen for wildcard and fixed affinities, use the
forwarding-agent CASA-port configuration command. To disable listening on that port, use the no
form of the command.
no forwarding-agent
Syntax Description port-number Port number on which the forwarding agent listens for wildcard and fixed
affinities broadcast from the services manager. This must match the port
number defined on the services manager.
password (Optional) Text password used for generating the MD5 digest.
timeout (Optional) Duration (in seconds) during which the Forwarding Agent
will accept the new and old password. Valid range is from 0 to
3600 seconds. The default is 180 seconds.
Examples The following example specifies that the forwarding agent will listen for wildcard and fixed affinities on
port 1637:
forwarding-agent 1637
glbp authentication
To configure an authentication string for the Gateway Load Balancing Protocol (GLBP), use the glbp
authentication command in interface configuration mode. To delete an authentication string, use the no
form of this command.
Syntax Description group GLBP group number in the range from 0 to 1023.
text string Specifies an authentication string. The number of characters in the command
plus the text string must not exceed 255 characters.
Usage Guidelines The authentication string is sent in plain text in all GLBP messages, so it guards only against
accidental mixing of groups: anyone who can capture hello packets on the segment can read the string
and send messages that carry it. The same authentication string must be configured on all the routers
that are configured to be members of the same GLBP group, to ensure interoperation. A router will
ignore all GLBP messages that contain the wrong authentication string.
Examples The following example configures stringxyz as the authentication string required to allow GLBP routers
in group 10 to interoperate:
interface fastethernet 0/0
glbp 10 authentication text stringxyz
glbp forwarder preempt
To configure a router to take over as active virtual forwarder (AVF) for a Gateway Load Balancing
Protocol (GLBP) group if it has higher priority than the current AVF, use the glbp forwarder preempt
command in interface configuration mode. To disable this feature, use the no form of this command.
Syntax Description group GLBP group number in the range from 0 to 1023.
delay minimum (Optional) Specifies a minimum number of seconds that the router will
seconds delay before taking over the role of AVF. The range is from 0 to 3600
seconds with a default delay of 30 seconds.
Examples The following example shows a router being configured to preempt the current AVF when its priority is
higher than that of the current AVF. If the router preempts the current AVF, it waits 60 seconds before
taking over the role of the AVF.
glbp 10 forwarder preempt delay minimum 60
glbp ip
To activate the Gateway Load Balancing Protocol (GLBP), use the glbp ip command in interface
configuration mode. To disable GLBP, use the no form of this command.
Syntax Description group GLBP group number in the range from 0 to 1023.
ip-address (Optional) Virtual IP address for the GLBP group. The IP address must be in the
same subnet as the interface IP address.
secondary (Optional) Indicates that the IP address is a secondary GLBP virtual address.
Usage Guidelines The glbp ip command activates GLBP on the configured interface. If an IP address is specified, that
address is used as the designated virtual IP address for the GLBP group. If no IP address is specified,
the designated address is learned from another router configured to be in the same GLBP group. For
GLBP to elect an active virtual gateway (AVG), at least one router on the cable must have been
configured with the designated address. A router must be configured with, or have learned, the virtual
IP address of the GLBP group before assuming the role of a GLBP gateway or forwarder. Configuring
the designated address on the AVG always overrides a designated address that is in use.
When the glbp ip command is enabled on an interface, the handling of proxy Address Resolution
Protocol (ARP) requests is changed (unless proxy ARP was disabled). ARP requests are sent by hosts to
map an IP address to a MAC address. The GLBP gateway intercepts the ARP requests and replies to the
ARP on behalf of the connected nodes. If a forwarder in the GLBP group is active, proxy ARP requests
are answered using the MAC address of the first active forwarder in the group. If no forwarder is active,
proxy ARP responses are suppressed.
Examples The following example activates GLBP for group 10 on Fast Ethernet interface 0/0. The virtual IP
address to be used by the GLBP group is set to 10.21.8.10.
interface fastethernet 0/0
ip address 10.21.8.32 255.255.255.0
glbp 10 ip 10.21.8.10
The following example activates GLBP for group 10 on Fast Ethernet interface 0/0. The virtual IP
address used by the GLBP group will be learned from another router configured to be in the same GLBP
group.
interface fastethernet 0/0
glbp 10 ip
glbp load-balancing
To specify the load-balancing method used by the active virtual gateway (AVG) of the Gateway Load
Balancing Protocol (GLBP), use the glbp load-balancing command in interface configuration mode. To
disable load balancing, use the no form of this command.
Syntax Description group GLBP group number in the range from 0 to 1023.
host-dependent (Optional) Specifies a load balancing method based on the MAC address of
a host where the same forwarder is always used for a particular host while
the number of GLBP group members remains unchanged.
round-robin (Optional) Specifies a load balancing method where each virtual forwarder
in turn is included in address resolution replies for the virtual IP address.
This method is the default.
weighted (Optional) Specifies a load balancing method that is dependent on the
weighting value advertised by the gateway.
Usage Guidelines Use the host-dependent method of GLBP load balancing when you need each host to always use the same
router. Use the weighted method of GLBP load balancing when you need unequal load balancing
because routers in the GLBP group have different forwarding capacities.
Examples The following example shows the host-dependent load-balancing method being configured for the AVG
of the GLBP group 10:
interface fastethernet 0/0
glbp 10 ip 10.21.8.10
glbp 10 load-balancing host-dependent
glbp preempt
To configure the gateway to take over as active virtual gateway (AVG) for a Gateway Load Balancing
Protocol (GLBP) group if it has higher priority than the current AVG, use the glbp preempt command
in interface configuration mode. To disable this feature, use the no form of this command.
Syntax Description group GLBP group number in the range from 0 to 1023.
delay minimum (Optional) Specifies a minimum number of seconds that the router will
seconds delay before taking over the role of AVG. The range is from 0 to 3600
seconds with a default delay of 30 seconds.
Defaults Preemption is disabled: a GLBP router with a higher priority than the current AVG does not take over
the AVG role unless this command is configured.
The default delay value is 30 seconds.
Examples The following example shows a router being configured to preempt the current AVG when its priority of
254 is higher than that of the current AVG. If the router preempts the current AVG, it waits 60 seconds
before assuming the role of AVG.
glbp 10 preempt delay minimum 60
glbp 10 priority 254
glbp priority
To set the priority level of the gateway within a Gateway Load Balancing Protocol (GLBP) group, use
the glbp priority command in interface configuration mode. To remove the priority level of the gateway,
use the no form of this command.
Syntax Description group GLBP group number in the range from 0 to 1023.
level Priority of the gateway within the GLBP group. The range is from 1 to 255.
The default is 100.
Usage Guidelines Use this command to control which virtual gateway becomes the active virtual gateway (AVG). After the
priorities of several different virtual gateways are compared, the gateway with the numerically higher
priority is elected as the AVG. If two virtual gateways have equal priority, the gateway with the higher
IP address is selected.
Examples The following example shows a virtual gateway being configured with a priority of 254:
glbp 10 priority 254
glbp timers redirect
To configure the redirect timer and the timeout interval that the active virtual gateway (AVG) applies to
virtual forwarders in a Gateway Load Balancing Protocol (GLBP) group, use the glbp timers redirect
command in interface configuration mode.
Syntax Description group GLBP group number in the range from 0 to 1023.
redirect Redirect timer interval (in seconds). The default is 300 seconds (5 minutes).
timeout Time (in seconds) before the secondary virtual forwarder becomes
unavailable. The default is 14,400 seconds (4 hours).
Usage Guidelines A virtual forwarder that is assigned a virtual MAC address by the AVG is known as a primary virtual
forwarder. If the virtual forwarder has learned the virtual MAC address from hello messages, it is
referred to as a secondary virtual forwarder.
The redirect timer sets the time delay between a forwarder failing on the network and the AVG assuming
that the forwarder will not return. The virtual MAC address to which the forwarder was responsible for
replying to is still given out in Address Resolution Protocol (ARP) replies, but the forwarding task is
handled by another router in the GLBP group.
The timeout interval is the time delay between a forwarder failing on the network and the MAC address
for which the forwarder was responsible becoming inactive on all of the routers in the GLBP group. After
the timeout interval, packets sent to this virtual MAC address will be lost. The timeout interval must be
long enough to allow all hosts to refresh their ARP cache entry that contained the virtual MAC address.
Examples The following example shows GLBP group 10, on Fast Ethernet interface 0/0, being configured with a
redirect timer of 600 seconds (10 minutes), and a timeout interval of 7200 seconds (2 hours):
interface fastethernet 0/0
glbp 10 ip
glbp 10 timers redirect 600 7200
glbp timers
To configure the time between hello packets sent by the Gateway Load Balancing Protocol (GLBP)
gateway and the time that the virtual gateway and virtual forwarder information is considered valid, use
the glbp timers command in interface configuration mode. To restore the timers to their default values,
use the no form of this command.
Syntax Description group GLBP group number in the range from 0 to 1023.
msec (Optional) Specifies that the following (hellotime or holdtime) argument value
will be expressed in milliseconds.
hellotime Hello interval. The default is 3 seconds (3000 milliseconds).
holdtime Time before the virtual gateway and virtual forwarder information contained
in the hello packet is considered invalid. The default is 10 seconds
(10,000 milliseconds).
Usage Guidelines Routers on which timer values are not configured can learn timer values from the active virtual gateway
(AVG). The timers configured on the AVG always override any other timer settings. All routers in a
GLBP group should use the same timer values. If a GLBP gateway sends a hello message, the
information should be considered valid for one holdtime. Normally, holdtime is greater than three times
the hello time (holdtime > 3 * hellotime). The permitted range of holdtime values forces the holdtime
to be greater than the hello time.
Examples The following example shows the GLBP group 10 on Fast Ethernet interface 0/0 timers being configured
for an interval of 5 seconds between hello packets, and the time after which virtual gateway and virtual
forwarder information is considered to be invalid to 18 seconds:
interface fastethernet 0/0
glbp 10 ip
glbp 10 timers 5 18
glbp weighting track
To specify a tracked object that adjusts the weighting of a Gateway Load Balancing Protocol (GLBP)
gateway, use the glbp weighting track command in interface configuration mode.
Syntax Description group GLBP group number in the range from 0 to 1023.
object-number Object number representing an item to be tracked. Use the track command
to configure the tracked object.
decrement value (Optional) Specifies an amount by which the GLBP weighting for the router
is decremented (or incremented) when the interface goes down (or comes
back up). The value range is from 1 to 254, with a default value of 10.
Usage Guidelines This command ties the weighting of the GLBP gateway to the availability of its interfaces. It is useful
for tracking interfaces that are not configured for GLBP.
When a tracked interface goes down, the GLBP gateway weighting decreases by the configured decrement
value (10 by default). If an interface is not tracked, its state changes do not affect the GLBP gateway
weighting. For each GLBP group, you can configure a separate list of interfaces to be tracked.
The optional value argument specifies by how much to decrement the GLBP gateway weighting when a
tracked interface goes down. When the tracked interface comes back up, the weighting is incremented
by the same amount.
When multiple tracked interfaces are down, the configured weighting decrements are cumulative.
Use the track command to configure each interface to be tracked.
Examples In the following example, GLBP group 10 on Fast Ethernet interface 0/0 tracks two objects, numbered
1 and 2. If object 1 goes down, the GLBP gateway weighting decreases by the default value of 10. If
object 2 goes down, the GLBP gateway weighting decreases by 5.
interface fastethernet 0/0
 glbp 10 weighting track 1
 glbp 10 weighting track 2 decrement 5
glbp weighting
To specify the initial weighting value of the Gateway Load Balancing Protocol (GLBP) gateway, use the
glbp weighting command in interface configuration mode. To restore the default values, use the no form
of this command.
Syntax Description group GLBP group number in the range from 0 to 1023.
maximum Maximum weighting value in the range from 1 to 254. Default value is 100.
lower lower (Optional) Specifies a lower weighting value in the range from 1 to the
specified maximum weighting value. Default value is 1.
upper upper (Optional) Specifies an upper weighting value in the range from the lower
weighting to the maximum weighting value. The default value is the specified
maximum weighting value.
Defaults The default gateway weighting value is 100 and the default lower weighting value is 1.
Usage Guidelines The weighting value of a virtual gateway is a measure of the forwarding capacity of the gateway. If a
tracked interface on the router fails, the weighting value of the router may fall from the maximum value
to below the lower threshold, causing the router to give up its role as a virtual forwarder. When the
weighting value of the router rises above the upper threshold, the router can resume its active virtual
forwarder role.
Use the glbp weighting track and track commands to configure parameters for an interface to be
tracked. If an interface on a router goes down, the weighting for the router can be reduced by a specified
value.
Examples The following example shows the weighting of the gateway for GLBP group 10 being set to a maximum
of 110 with a lower weighting limit of 95 and an upper weighting limit of 105:
interface fastethernet 0/0
ip address 10.21.8.32 255.255.255.0
glbp 10 weighting 110 lower 95 upper 105
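The threshold behaviour described for glbp weighting and glbp weighting track (cumulative decrements for down objects, giving up the AVF role below the lower threshold, resuming it only above the upper threshold), as an added Python model that is not part of this reference or of Cisco IOS. The tracked object numbers and the decrement values in the walkthrough are constructed; the weighting 110, lower 95, upper 105 values are the ones from the example above.

```python
"""Model of GLBP weighting with tracked objects, following the glbp weighting
and glbp weighting track descriptions: decrements for down objects are
cumulative, a weight below the lower threshold makes the gateway give up the
active virtual forwarder (AVF) role, and only a weight above the upper
threshold lets it resume.  Added illustration, not Cisco IOS code; the object
numbers and decrement values are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field


@dataclass
class GlbpWeighting:
    maximum: int = 100                    # glbp <group> weighting <maximum>
    lower: int = 1                        # lower <lower>
    upper: int | None = None              # upper <upper>, defaults to maximum
    decrements: dict[int, int] = field(default_factory=dict)  # object -> decrement
    down: set[int] = field(default_factory=set)               # tracked objects that are down
    forwarder: bool = True                # currently acting as an AVF

    def __post_init__(self) -> None:
        if self.upper is None:
            self.upper = self.maximum
        if not (1 <= self.lower <= self.upper <= self.maximum <= 254):
            raise ValueError("need 1 <= lower <= upper <= maximum <= 254")

    def track(self, obj: int, decrement: int = 10) -> None:
        """glbp <group> weighting track <obj> [decrement <value>]"""
        if not 1 <= decrement <= 254:
            raise ValueError("decrement must be 1..254")
        self.decrements[obj] = decrement

    @property
    def weight(self) -> int:
        """Current weighting: maximum minus every down object's decrement."""
        return max(0, self.maximum - sum(self.decrements[o] for o in self.down))

    def object_state(self, obj: int, up: bool) -> bool:
        """Apply a tracked object's state change; returns whether the AVF role is held."""
        if obj not in self.decrements:
            return self.forwarder            # untracked objects never affect the weighting
        if up:
            self.down.discard(obj)
        else:
            self.down.add(obj)
        if self.forwarder and self.weight < self.lower:
            self.forwarder = False           # gives up the AVF role
        elif not self.forwarder and self.weight > self.upper:
            self.forwarder = True            # may resume the AVF role
        return self.forwarder


def walkthrough() -> list[tuple[int, bool]]:
    """Two tracked objects, decrement 10 each, against weighting 110 lower 95 upper 105."""
    g = GlbpWeighting(maximum=110, lower=95, upper=105)
    g.track(1)                 # default decrement 10
    g.track(2, decrement=10)   # constructed value
    trace = []
    for obj, up in [(1, False), (2, False), (1, True), (2, True)]:
        g.object_state(obj, up)
        trace.append((g.weight, g.forwarder))
    return trace


if __name__ == "__main__":
    print(walkthrough())   # [(100, True), (90, False), (100, False), (110, True)]
```

The third step is the point of having separate lower and upper thresholds: after one object recovers the weight is back at 100, above lower but not above upper, so the router stays out of the forwarder role until the second object also recovers, which prevents flapping.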
hardware-address
To specify the hardware address of a Dynamic Host Configuration Protocol (DHCP) client, use the
hardware-address DHCP pool configuration command. It is valid for manual bindings only. To remove
the hardware address, use the no form of this command.
no hardware-address
Syntax Description hardware-address Specifies the MAC address of the hardware platform of the client.
type Indicates the protocol of the hardware platform. Strings and values are
acceptable. The string options are:
• ethernet
• ieee802
The value options are:
• 1 10Mb Ethernet
• 6 IEEE 802
If no type is specified, the default protocol is Ethernet.
Examples The following example specifies b708.1388.f166 as the MAC address of the client:
hardware-address b708.1388.f166 ieee802
host
To specify the IP address and network mask for a manual binding to a Dynamic Host Configuration
Protocol (DHCP) client, use the host command in DHCP pool configuration mode. To remove the IP
address of the client, use the no form of this command.
no host
Usage Guidelines If the mask and prefix length are unspecified, DHCP examines its address pools. If no mask is found in
the pool database, the Class A, B, or C natural mask is used. This command is valid for manual bindings
only.
There is no limit on the number of manual bindings but you can configure only one manual binding per
host pool.
Examples The following example specifies 10.12.1.99 as the IP address of the client and 255.255.248.0 as the
subnet mask:
host 10.12.1.99 255.255.248.0
idle
To specify the minimum amount of time for which IOS SLB maintains connection information in the
absence of packet activity, use the idle command in virtual server configuration mode. To restore the
default idle duration value, use the no form of this command.
idle duration
no idle
Syntax Description duration Idle connection timer duration (in seconds). Valid values range from
10 to 65535. The default is 3600 seconds (1 hour).
Usage Guidelines TCP connections that do not send flows or keepalives before the idle timer expires are assumed to be
inactive and are reset (RST).
If you are configuring an idle timer for HTTP flows, choose a low number such as 120 seconds as a
starting point. A low number ensures that the IOS SLB connection database maintains a manageable size
if problems at the server, client, or network result in a large number of connections. However, do not
choose a value under 60 seconds; such a low value can reduce the efficiency of the IOS SLB feature.
Examples The following example instructs the IOS SLB feature to maintain connection information for an idle
connection for 120 seconds:
ip slb vserver PUBLIC_HTTP
idle 120
import all
To import Dynamic Host Configuration Protocol (DHCP) option parameters into the DHCP Server
database, use the import all command in DHCP pool configuration mode. To disable this feature, use
the no form of this command.
import all
no import all
Defaults Disabled
Usage Guidelines When the no import all command is used, the Cisco IOS DHCP Server deletes all “imported” option
parameters that were added to the specified pool in the server database. Manually configured DHCP
option parameters override imported DHCP option parameters.
Imported option parameters are not part of the router configuration and are not saved in NVRAM.
Examples The following example allows the importing of all DHCP options for a pool named pool1:
ip dhcp pool pool1
network 172.16.0.0 /16
import all
inservice
no inservice
Defaults If you do not specify the inservice command, the real server is defined to IOS SLB but is not used.
Examples The following example enables the real server for use by the IOS SLB feature:
ip slb serverfarm PUBLIC
real 10.10.1.1
inservice
Syntax Description standby (Optional) Configures the Hot Standby Router Protocol (HSRP)
standby virtual server.
group-name (Optional) Specifies the HSRP group name with which the IOS SLB
virtual server is associated.
Defaults If you do not specify the inservice command, the virtual server is defined to IOS SLB but is not used.
Examples The following example enables the virtual server for use by the IOS SLB feature:
ip slb vserver PUBLIC_HTTP
inservice
ip access-group
To control access to an interface, use the ip access-group command in interface configuration mode. To
remove the specified access group, use the no form of this command.
Syntax Description access-list-number Number of an access list. This is a decimal number from 1 to 199 or from
1300 to 2699.
access-list-name Name of an IP access list as specified by an ip access-list command.
in Filters on inbound packets.
out Filters on outbound packets.
Usage Guidelines Access lists are applied on either outbound or inbound interfaces. For standard inbound access lists, after
receiving a packet, the Cisco IOS software checks the source address of the packet against the access
list. For extended access lists, the router also checks the destination address and any protocol and port
conditions. If the access list permits the packet, the software continues to process it. If the access list
rejects the packet, the software discards it and returns an ICMP host unreachable message.
For standard outbound access lists, after receiving and routing a packet to a controlled interface, the
software checks the source address of the packet against the access list. For extended access lists, the
router also checks the destination address and any protocol and port conditions. If the access list permits
the packet, the software sends it. If the access list rejects the packet, the software discards it and returns
an ICMP host unreachable message. These unreachable replies tell a sender which packets were filtered;
they can be suppressed on the interface with the no ip unreachables command.
If the specified access list does not exist, all packets are passed. A mistyped or not-yet-defined access
list name therefore fails open: compare the lists applied to interfaces (show ip interface) with the lists
actually defined (show ip access-lists) before relying on a filter.
When you enable outbound access lists, you automatically disable autonomous switching for that
interface. When you enable input access lists on any CBus or CxBus interface, you automatically disable
autonomous switching for all interfaces (with one exception—an SSE configured with simple access
lists can still switch packets, on output only).
Examples The following example applies list 101 on packets outbound from Ethernet interface 0:
interface ethernet 0
ip access-group 101 out
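A check for the fail-open case just described, as an added Python example that is not part of this reference or of Cisco IOS: it reads a running-config excerpt, collects every access list that is actually defined, and reports each ip access-group that names a list which does not exist. The configuration excerpt, interface names and access lists are constructed for the example.

```python
"""Audit check for the fail-open behaviour of ip access-group: an access
group that names an access list which does not exist passes all packets.
Added illustration, not Cisco IOS code, run over a constructed running-config
excerpt; the interfaces and access lists are invented."""
import re

SAMPLE_CONFIG = """\
ip access-list extended EDGE-IN
 deny ip 10.0.0.0 0.255.255.255 any
 permit tcp any host 192.0.2.10 eq 80
!
access-list 101 permit tcp any any established
access-list 101 deny ip any any log
!
interface Ethernet0
 ip access-group 101 out
!
interface FastEthernet0/0
 ip access-group EDGE-IN in
!
interface FastEthernet0/1
 ip access-group EDGE_IN in
!
interface FastEthernet0/2
 ip access-group 2500 in
"""


def defined_acls(config: str) -> set[str]:
    """Names and numbers of every access list the config actually defines."""
    named = re.findall(r"^ip access-list (?:standard|extended) (\S+)", config, re.M)
    numbered = re.findall(r"^access-list (\d+) ", config, re.M)
    return set(named) | set(numbered)


def access_group_refs(config: str) -> list[tuple[str, str, str]]:
    """(interface, access list, direction) for every ip access-group line."""
    refs, iface = [], None
    for line in config.splitlines():
        if m := re.match(r"^interface (\S+)", line):
            iface = m.group(1)
        elif iface and (m := re.match(r"^\s+ip access-group (\S+) (in|out)\s*$", line)):
            refs.append((iface, m.group(1), m.group(2)))
    return refs


def unbound_access_groups(config: str) -> list[tuple[str, str, str]]:
    """Interfaces whose access group names an undefined list: these filter nothing."""
    defined = defined_acls(config)
    return [r for r in access_group_refs(config) if r[1] not in defined]


if __name__ == "__main__":
    for iface, acl, direction in unbound_access_groups(SAMPLE_CONFIG):
        print(f"{iface}: ip access-group {acl} {direction} refers to an undefined list (fails open)")
```

In the sample, FastEthernet0/1 references EDGE_IN (underscore) while the defined list is EDGE-IN (hyphen), and FastEthernet0/2 references numbered list 2500, which is never defined; both interfaces pass everything.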
ip access-list resequence
To apply sequence numbers to the access list entries in an access list, use the ip access-list resequence
command in global configuration mode.This command does not have a no version.
Syntax Description access-list-name Name of the access list. Names cannot contain a space or quotation
mark.
starting-sequence-number Access list entries will be resequenced using this initial value. The
default value is 10. The range of possible sequence numbers is 1 through
2147483647.
increment The number by which the sequence numbers change. The default value
is 10. For example, if the increment value is 5 and the beginning
sequence number is 20, the subsequent sequence numbers are 25, 30, 35,
40, and so on.
Defaults Disabled
Usage Guidelines This command allows the permit and deny entries of a specified access list to be resequenced with an
initial sequence number value determined by the starting-sequence-number argument, and continuing in
increments determined by the increment argument. If the highest sequence number exceeds the
maximum possible sequence number, then no sequencing occurs.
For backward compatibility with previous releases, if entries with no sequence numbers are applied, the
first entry is assigned a sequence number of 10, and successive entries are incremented by 10. The
maximum sequence number is 2147483647. If the generated sequence number exceeds this maximum
number, the following message is displayed:
Exceeded maximum sequence number.
If the user enters an entry without a sequence number, it is assigned a sequence number that is 10 greater
than the last sequence number in that access list and is placed at the end of the list.
If the user enters an entry that matches an already existing entry (except for the sequence number), then
no changes are made.
If the user enters a sequence number that is already present, the following error message is generated:
Duplicate sequence number.
If a new access list is entered from global configuration mode, then sequence numbers for that access
list are generated automatically.
Distributed support is provided so that the sequence numbers of entries in the Route Processor (RP) and
line card (LC) are in synchronization at all times.
Sequence numbers are not nvgened. That is, the sequence numbers themselves are not saved. In the event
that the system is reloaded, the configured sequence numbers revert to the default sequence starting
number and increment.
This command works with named standard and extended IP access lists. Because the name of an access
list can be designated as a number, numbers are acceptable as names as long as they are entered in named
access list configuration mode.
Examples The following example resequences an access list named kmd1. The starting sequence number is 100,
and the increment value is 5:
Router(config)# ip access-list resequence kmd1 100 5
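The sequence-number rules stated above (an entry without a number lands 10 past the last one, a numbered entry is inserted in sequence order, a duplicate entry is ignored, a duplicate number is rejected, and resequencing is refused when the highest number would exceed 2147483647), as an added Python model that is not part of this reference or of Cisco IOS. The list name and entries are constructed; the model keeps entries in memory only and does not reproduce the reload behaviour.

```python
"""Model of named-ACL sequence numbers as described for ip access-list
resequence.  Added illustration, not Cisco IOS code; the entries are
constructed.  Sequence order is match order, which is what lets an
administrator insert a deny ahead of an existing permit instead of
appending it to the end of the list."""
from __future__ import annotations

MAX_SEQ = 2147483647   # maximum sequence number stated for the command


class NamedAcl:
    def __init__(self, name: str) -> None:
        self.name = name
        self.entries: dict[int, str] = {}    # sequence number -> entry text, kept sorted

    def add(self, text: str, seq: int | None = None) -> int | None:
        """Add an entry; returns its sequence number, or None if it already existed."""
        if text in self.entries.values():
            return None                       # same entry (ignoring sequence): no change
        if seq is None:
            seq = max(self.entries, default=0) + 10   # 10 past the last entry, at the end
        elif seq in self.entries:
            raise ValueError("Duplicate sequence number.")
        if not 1 <= seq <= MAX_SEQ:
            raise ValueError("Exceeded maximum sequence number.")
        self.entries[seq] = text
        self.entries = dict(sorted(self.entries.items()))
        return seq

    def resequence(self, start: int = 10, increment: int = 10) -> bool:
        """ip access-list resequence <name> <start> <increment>; False if refused."""
        if not 1 <= start <= MAX_SEQ or increment < 1:
            raise ValueError("invalid starting sequence number or increment")
        if self.entries and start + increment * (len(self.entries) - 1) > MAX_SEQ:
            return False                      # highest number would overflow: no sequencing
        self.entries = {start + increment * i: t
                        for i, t in enumerate(self.entries.values())}
        return True

    def lines(self) -> list[str]:
        """Entries as they would be listed, sequence number first."""
        return [f"{s} {t}" for s, t in self.entries.items()]


if __name__ == "__main__":
    acl = NamedAcl("kmd1")
    acl.add("deny tcp any host 192.0.2.10 eq 23")
    acl.add("permit ip any any")
    acl.add("deny ip 198.51.100.0 0.0.0.255 any", seq=15)   # lands between 10 and 20
    acl.resequence(100, 5)
    print("\n".join(acl.lines()))
```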
ip access-list
To define an IP access list by name, use the ip access-list global configuration command. To remove a
named IP access list, use the no form of this command.
Usage Guidelines Use this command to configure a named IP access list as opposed to a numbered IP access list. This
command will place the router in access-list configuration mode, where you must define the denied or
permitted access conditions with the deny and permit commands.
Specifying the standard or extended keyword with the ip access-list command determines the prompt
you get when you enter access-list configuration mode.
Use the ip access-group command to apply the access list to an interface.
Named access lists are not compatible with Cisco IOS releases prior to Release 11.2.
Examples The following example defines a standard access list named Internetfilter:
ip access-list standard Internetfilter
permit 192.5.34.0 0.0.0.255
permit 128.88.0.0 0.0.255.255
permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)
ip accounting mac-address
To enable IP accounting on a LAN interface based on the source and destination MAC address, use the
ip accounting mac-address command in interface configuration mode. To disable IP accounting based
on the source and destination MAC address, use the no form of this command.
Syntax Description input Performs accounting based on the source MAC address on
received packets.
output Performs accounting based on the destination MAC address
on transmitted packets.
Defaults Disabled
Usage Guidelines This feature is supported on Ethernet, Fast Ethernet, and FDDI interfaces.
To display the MAC accounting information, use the show interface mac EXEC command.
MAC address accounting provides accounting information for IP traffic based on the source and
destination MAC address on LAN interfaces. This calculates the total packet and byte counts for a LAN
interface that receives or sends IP packets to or from a unique MAC address. It also records a timestamp
for the last packet received or sent. With MAC address accounting, you can determine how much traffic
is being sent to or received from various peers at network access points (NAPs) and peering points.
Examples The following example enables IP accounting based on the source and destination MAC address for
received and transmitted packets:
interface ethernet 4/0/0
ip accounting mac-address input
ip accounting mac-address output
ip accounting precedence
To enable IP accounting on any interface based on IP precedence, use the ip accounting precedence
command in interface configuration mode. To disable IP accounting based on IP precedence, use the no
form of this command.
Defaults Disabled
Usage Guidelines To display IP precedence accounting information, use the show interface precedence EXEC command.
The precedence accounting feature provides accounting information for IP traffic, summarized by IP
precedence values. This feature calculates the total packet and byte counts for an interface that receives
or sends IP packets and sorts the results based on IP precedence. This feature is supported on all
interfaces and subinterfaces and supports CEF, dCEF, flow, and optimum switching.
Examples The following example enables IP accounting based on IP precedence for received and transmitted
packets:
interface ethernet 4/0/0
ip accounting precedence input
ip accounting precedence output
ip accounting
To enable IP accounting on an interface, use the ip accounting command in interface configuration
mode. To disable IP accounting, use the no form of this command.
ip accounting [access-violations]
no ip accounting [access-violations]
Syntax Description access-violations (Optional) Enables IP accounting with the ability to identify IP traffic
that fails IP access lists.
Defaults Disabled
Usage Guidelines The ip accounting command records the number of bytes (IP header and data) and packets switched
through the system on a source and destination IP address basis. Only transit IP traffic is measured, and
only on an outbound basis; traffic generated by the router or access server, or terminating in this device,
is not included in the accounting statistics.
If you specify the access-violations keyword, the ip accounting command provides information
identifying IP traffic that fails IP access lists. Identifying IP source addresses that violate IP access lists
alerts you to possible attempts to breach security. The data might also indicate that you should verify IP
access list configurations.
To receive a logging message on the console when an extended access list entry denies a packet access
(to log violations), you must include the log keyword in the access-list (IP extended) or access-list (IP
standard) command.
Statistics are accurate even if IP fast switching or IP access lists are being used on the interface.
IP accounting disables autonomous switching and SSE switching on the interface.
ip accounting-list
To define filters to control the hosts for which IP accounting information is kept, use the ip
accounting-list command in global configuration mode. To remove a filter definition, use the no form
of this command.
Usage Guidelines The wildcard argument is a 32-bit quantity written in dotted-decimal format. Address bits corresponding
to wildcard bits set to 1 are ignored in comparisons; address bits corresponding to wildcard bits set to
zero are used in comparisons.
Examples The following example adds all hosts with IP addresses beginning with 192.31 to the list of hosts for
which accounting information will be kept:
ip accounting-list 192.31.0.0 0.0.255.255
ip accounting-threshold
To set the maximum number of accounting entries to be created, use the ip accounting-threshold
command in global configuration mode. To restore the default number of entries, use the no form of this
command.
ip accounting-threshold threshold
no ip accounting-threshold threshold
Syntax Description threshold Maximum number of entries (source and destination address pairs) that the
Cisco IOS software accumulates.
Usage Guidelines The accounting threshold defines the maximum number of entries (source and destination address pairs)
that the software accumulates, preventing IP accounting from possibly consuming all available free
memory. This level of memory consumption could occur in a router that is switching traffic for many
hosts. Overflows will be recorded; see the monitoring commands for display formats.
The default accounting threshold of 512 entries results in a maximum table size of 12,928 bytes. Active
and checkpointed tables can reach this size independently.
Examples The following example sets the IP accounting threshold to 500 entries:
ip accounting-threshold 500
ip accounting-transits
To control the number of transit records that are stored in the IP accounting database, use the ip
accounting-transits command in global configuration mode. To return to the default number of records,
use the no form of this command.
ip accounting-transits count
no ip accounting-transits
Syntax Description count Number of transit records to store in the IP accounting database.
Defaults The default number of transit records that are stored in the IP accounting database is 0.
Usage Guidelines Transit entries are those that do not match any of the filters specified by ip accounting-list global
configuration commands. If no filters are defined, no transit entries are possible.
To maintain accurate accounting totals, the Cisco IOS software maintains two accounting databases: an
active and a checkpointed database.
Examples The following example specifies that no more than 100 transit records are stored:
ip accounting-transits 100
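The wildcard comparison described under ip accounting-list, and the split between filtered and transit entries capped by ip accounting-threshold and ip accounting-transits, as an added Python model (not Cisco IOS code). It assumes a pair is filtered when either its source or its destination matches a filter; the traffic sample is constructed.

```python
import ipaddress
from typing import Dict, List, Tuple


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Cisco wildcard comparison as described for ip accounting-list:
    address bits under a wildcard bit of 1 are ignored, bits under a
    wildcard bit of 0 must equal the corresponding base-address bit."""
    a = int(ipaddress.IPv4Address(addr))
    b = int(ipaddress.IPv4Address(base))
    w = int(ipaddress.IPv4Address(wildcard))
    care = ~w & 0xFFFFFFFF          # bits that take part in the comparison
    return (a & care) == (b & care)


class AccountingDatabase:
    """Constructed model of the active IP accounting database (not the IOS
    implementation): filtered entries are capped by ip accounting-threshold,
    transit entries by ip accounting-transits, and overflow is counted."""

    def __init__(self, filters: List[Tuple[str, str]],
                 threshold: int = 512, transits: int = 0) -> None:
        self.filters = filters            # (address, wildcard) from ip accounting-list
        self.threshold = threshold        # ip accounting-threshold (default 512)
        self.transits = transits          # ip accounting-transits (default 0)
        self.entries: Dict[Tuple[str, str], List[int]] = {}          # filtered pairs
        self.transit_entries: Dict[Tuple[str, str], List[int]] = {}  # unfiltered pairs
        self.overflow = [0, 0]            # [packets, bytes] that found no free entry

    def _filtered(self, addr: str) -> bool:
        return any(wildcard_match(addr, base, wc) for base, wc in self.filters)

    def record(self, src: str, dst: str, nbytes: int) -> str:
        """Account one outbound transit packet; returns where it was counted."""
        key = (src, dst)
        # Assumption: a source/destination pair is "filtered" when either end
        # matches an accounting-list filter. With no filters configured every
        # pair is kept and, as the page says, no transit entries are possible.
        if not self.filters or self._filtered(src) or self._filtered(dst):
            table, cap, kind = self.entries, self.threshold, "entry"
        else:
            table, cap, kind = self.transit_entries, self.transits, "transit"
        if key in table:
            table[key][0] += 1
            table[key][1] += nbytes
        elif len(table) < cap:
            table[key] = [1, nbytes]
        else:                              # table full: record the overflow only
            self.overflow[0] += 1
            self.overflow[1] += nbytes
            return "overflow"
        return kind


if __name__ == "__main__":
    # Constructed traffic sample: hosts in 192.31.0.0/16 plus unfiltered hosts.
    db = AccountingDatabase([("192.31.0.0", "0.0.255.255")], threshold=2, transits=1)
    for src, dst, size in [("192.31.1.1", "10.0.0.1", 100), ("192.31.2.2", "10.0.0.2", 10),
                           ("192.31.3.3", "10.0.0.3", 10), ("10.1.1.1", "10.2.2.2", 7)]:
        print(src, dst, db.record(src, dst, size))
    print("overflow packets/bytes:", db.overflow)
```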
ip address dhcp
To acquire an IP address on an Ethernet interface from the Dynamic Host Configuration Protocol
(DHCP), use the ip address dhcp command in interface configuration mode. To unconfigure any address
that was acquired, use the no form of this command.
Syntax Description client-id (Optional) Specifies the client identifier. By default, the client identifier is an
ASCII value. The client-id interface-name option sets the client identifier to the
hexadecimal MAC address of the named interface.
interface-name (Optional) The interface name from which the MAC address is taken.
hostname (Optional) Specifies the host name.
host-name (Optional) Name of the host to be placed in the DHCP option 12 field. This name
need not be the same as the host name entered in global configuration mode.
Defaults The host name is the globally configured host name of the router.
The client identifier is an ASCII value.
Usage Guidelines The ip address dhcp command allows any interface to dynamically learn its IP address by using the
DHCP protocol. It is especially useful on Ethernet interfaces that dynamically connect to an internet
service provider (ISP). Once assigned a dynamic address, the interface can be used with the Port Address
Translation (PAT) of Cisco IOS Network Address Translation (NAT) to provide Internet access to a
privately addressed network attached to the router.
The ip address dhcp command also works with ATM point-to-point interfaces and will accept any
encapsulation type. However, for ATM multipoint interfaces you must specify Inverse ARP via the
protocol ip inarp interface configuration command and use only the aal5snap encapsulation type.
Some ISPs require that the DHCPDISCOVER message have a specific host name and client identifier
that is the MAC address of the interface. The most typical usage of the ip address dhcp client-id
interface-name hostname host-name command is when interface-name is the Ethernet interface where
the command is configured and host-name is the host name provided by the ISP.
A client identifier (DHCP option 61) can be a hexadecimal or an ASCII value. By default, the client
identifier is an ASCII value. The client-id interface option overrides the default and forces the use of
the hexadecimal MAC address of the named interface.
Note Between Cisco IOS Releases 12.1(3)T and 12.2(3), the client-id optional keyword allowed
the change of the fixed ASCII value for the client identifier. After Release 12.2(3), the
optional client-id keyword forced the use of the hexadecimal MAC address of the named
interface as the client identifier.
If a Cisco router is configured to obtain its IP address from a DHCP server, it sends a DHCPDISCOVER
message to provide information about itself to the DHCP server on the network.
If you use the ip address dhcp command with or without any of the optional keywords, the DHCP option
12 field (host name option) is included in the DISCOVER message. By default, the host name specified
in option 12 will be the globally configured host name of the router. However, you can use the ip address
dhcp hostname host-name command to place a different name in the DHCP option 12 field than the
globally configured host name of the router.
The no ip address dhcp command unconfigures any IP address that was acquired, thus sending a
DHCPRELEASE message.
You might need to experiment with different configurations to determine the one required by your DHCP
server. Table 1 shows the possible configuration methods and the information placed in the DISCOVER
message for each method.
Examples In the examples that follow, the command ip address dhcp is entered for the Ethernet interface 1. The
DISCOVER message sent by a router configured as shown in the following example would contain
“cisco-mac-address-Eth1” (where mac-address is the MAC address of the interface) in the client-ID field,
and the value fresno in the option 12 field.
hostname fresno
!
interface Ethernet 1
ip address dhcp
The DISCOVER message sent by a router configured as shown in the following example would contain
“cisco-mac-address-Eth1” (where mac-address is the MAC address of the interface) in the client-ID field,
and the value sanfran in the option 12 field.
hostname fresno
!
interface Ethernet 1
ip address dhcp hostname sanfran
The DISCOVER message sent by a router configured as shown in the following example would contain
the MAC address of the Ethernet 1 interface in the client-id field, and the value fresno in the option 12
field.
hostname fresno
!
interface Ethernet 1
ip address dhcp client-id Ethernet 1
The DISCOVER message sent by a router configured as shown in the following example would
contain the MAC address of the Ethernet 1 interface in the client-id field, and the value sanfran in the
option 12 field.
hostname fresno
!
interface Ethernet 1
ip address dhcp client-id Ethernet 1 hostname sanfran
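The four configurations above, as an added Python example (not Cisco code) that builds the DHCP option 12 and option 61 fields a router would place in its DISCOVER and then parses them back as a DHCP server or a capture tool would see them. The hardware-type byte convention for option 61 follows RFC 2132; the exact spelling of the ASCII client ID, the MAC address and the encoder/parser are assumptions for illustration.

```python
from typing import Dict, Optional

OPT_HOST_NAME = 12      # DHCP option 12, host name
OPT_CLIENT_ID = 61      # DHCP option 61, client identifier
HTYPE_ETHERNET = 1      # RFC 2132: option 61 begins with a hardware-type byte
HTYPE_NONE = 0          # 0 marks a non-hardware (here: ASCII) identifier


def mac_to_bytes(mac: str) -> bytes:
    """Accepts 0001.4200.0a1b, 00:01:42:00:0a:1b or 00-01-42-00-0a-1b."""
    return bytes.fromhex(mac.replace(".", "").replace(":", "").replace("-", ""))


def tlv(code: int, value: bytes) -> bytes:
    if len(value) > 255:
        raise ValueError("DHCP option value longer than 255 bytes")
    return bytes([code, len(value)]) + value


def discover_options(global_hostname: str, iface_label: str, iface_mac: str,
                     client_id_iface: bool = False,
                     hostname: Optional[str] = None) -> bytes:
    """Options an interface configured with 'ip address dhcp' sends in DISCOVER.
    client_id_iface models the 'client-id <interface>' keyword, hostname models
    'hostname <host-name>'; otherwise the page's defaults apply."""
    if client_id_iface:
        cid = bytes([HTYPE_ETHERNET]) + mac_to_bytes(iface_mac)   # hexadecimal MAC
    else:
        # Assumed ASCII form; the page writes it as "cisco-<mac-address>-Eth1".
        cid = bytes([HTYPE_NONE]) + f"cisco-{iface_mac}-{iface_label}".encode("ascii")
    name = hostname if hostname is not None else global_hostname
    return tlv(OPT_CLIENT_ID, cid) + tlv(OPT_HOST_NAME, name.encode("ascii")) + b"\xff"


def parse_options(blob: bytes) -> Dict[int, bytes]:
    """Option code -> raw value, honouring pad (0) and end (255) per RFC 2132
    and rejecting truncated options rather than reading past the buffer."""
    out: Dict[int, bytes] = {}
    i = 0
    while i < len(blob):
        code = blob[i]
        if code == 0:
            i += 1
            continue
        if code == 255:
            break
        if i + 1 >= len(blob) or i + 2 + blob[i + 1] > len(blob):
            raise ValueError("truncated DHCP option")
        ln = blob[i + 1]
        out[code] = blob[i + 2:i + 2 + ln]
        i += 2 + ln
    return out


def describe_client_id(cid: bytes) -> str:
    """Human-readable view of option 61 as a server log might show it."""
    if len(cid) == 7 and cid[0] == HTYPE_ETHERNET:
        return "mac:" + cid[1:].hex()
    return "ascii:" + cid[1:].decode("ascii", "replace")


if __name__ == "__main__":
    MAC = "0001.4200.0a1b"      # constructed MAC address for Ethernet 1
    for cfg in [dict(), dict(hostname="sanfran"), dict(client_id_iface=True),
                dict(client_id_iface=True, hostname="sanfran")]:
        opts = parse_options(discover_options("fresno", "Eth1", MAC, **cfg))
        print(cfg, "->", describe_client_id(opts[OPT_CLIENT_ID]), opts[OPT_HOST_NAME])
```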
no ip address pool
Syntax Description name Name of the DHCP pool. The IP address of the interface will be
automatically configured from the DHCP pool specified in name.
Usage Guidelines Use this command to automatically configure the IP address of a LAN interface when there are DHCP
clients on the attached LAN that should be serviced by the DHCP pool on the router. The DHCP pool
obtains its subnet dynamically through IPCP subnet negotiation.
Examples The following example specifies that the IP address of Ethernet interface 2 will be automatically
configured from the address pool named abc:
ip dhcp pool abc
import all
origin ipcp
!
interface Ethernet 2
ip address pool abc
ip address
To set a primary or secondary IP address for an interface, use the ip address interface configuration
command. To remove an IP address or disable IP processing, use the no form of this command.
Usage Guidelines An interface can have one primary IP address and multiple secondary IP addresses. Packets generated
by the Cisco IOS software always use the primary IP address. Therefore, all routers and access servers
on a segment should share the same primary network number.
Hosts can determine subnet masks using the Internet Control Message Protocol (ICMP) mask request
message. Routers respond to this request with an ICMP mask reply message.
You can disable IP processing on a particular interface by removing its IP address with the no ip address
command. If the software detects another host using one of its IP addresses, it will print an error message
on the console.
The optional secondary keyword allows you to specify an unlimited number of secondary addresses.
Secondary addresses are treated like primary addresses, except the system never generates datagrams
other than routing updates with secondary source addresses. IP broadcasts and Address Resolution
Protocol (ARP) requests are handled properly, as are interface routes in the IP routing table.
Secondary IP addresses can be used in a variety of situations. The following are the most common
applications:
• There may not be enough host addresses for a particular network segment. For example, your
subnetting allows up to 254 hosts per logical subnet, but on one physical subnet you need 300 host
addresses. Using secondary IP addresses on the routers or access servers allows you to have two
logical subnets using one physical subnet.
• Many older networks were built using Level 2 bridges. The judicious use of secondary addresses can
aid in the transition to a subnetted, router-based network. Routers on an older, bridged segment can
be easily made aware that many subnets are on that segment.
• Two subnets of a single network might otherwise be separated by another network. This situation is
not permitted when subnets are in use. In these instances, the first network is extended, or layered
on top of the second network using secondary addresses.
Note If any router on a network segment uses a secondary address, all other devices on that same segment
must also use a secondary address from the same network or subnet. Inconsistent use of secondary
addresses on a network segment can very quickly cause routing loops.
Note When you are routing using the Open Shortest Path First (OSPF) algorithm, ensure that all secondary
addresses of an interface fall into the same OSPF area as the primary addresses.
To transparently bridge IP on an interface, you must perform the following two tasks:
• Disable IP routing (specify the no ip routing command).
• Add the interface to a bridge group, see the bridge-group command.
To concurrently route and transparently bridge IP on an interface, see the bridge crb command.
Examples In the following example, 131.108.1.27 is the primary address and 192.31.7.17 and 192.31.8.17 are
secondary addresses for Ethernet interface 0:
interface ethernet 0
ip address 131.108.1.27 255.255.255.0
ip address 192.31.7.17 255.255.255.0 secondary
ip address 192.31.8.17 255.255.255.0 secondary
ip broadcast-address
To define a broadcast address for an interface, use the ip broadcast-address interface configuration
command. To restore the default IP broadcast address, use the no form of this command.
ip broadcast-address [ip-address]
no ip broadcast-address [ip-address]
ip casa
To configure the router to function as a forwarding agent, use the ip casa global configuration command.
To disable the forwarding agent, use the no form of this command.
no ip casa
Syntax Description control-address IP address of the forwarding agent side of the services
manager/forwarding agent tunnel used for sending signals. This
address is unique for each forwarding agent.
igmp-address IGMP address on which the forwarding agent will listen for wildcard
and fixed affinities.
Examples The following example specifies the Internet address (10.10.4.1) and IGMP address (224.0.1.2) for the
forwarding agent:
ip casa 10.10.4.1 224.0.1.2
ip cef traffic-statistics
To change the time interval that controls when Next Hop Resolution Protocol (NHRP) will set up or tear
down a switched virtual circuit (SVC), use the ip cef traffic-statistics global configuration command.
To restore the default values, use the no form of this command.
no ip cef traffic-statistics
Syntax Description load-interval seconds (Optional) Length of time (in 30-second increments) during which the
average trigger-threshold and teardown-threshold intervals are calculated
before an SVC setup or teardown action is taken. (These thresholds are
configured in the ip nhrp trigger-svc command.) The load-interval
range is from 30 seconds to 300 seconds, in 30-second increments. The
default value is 30 seconds.
update-rate seconds (Optional) Frequency that the port adapter sends the accounting statistics
to the Route Processor (RP). When using NHRP in distributed CEF
switching mode, this value must be set to 5 seconds. The default value is
10 seconds.
Usage Guidelines The ip nhrp trigger-svc command sets the threshold by which NHRP sets up and tears down a
connection. The threshold is the CEF traffic load statistics. The thresholds in the ip nhrp trigger-svc
command are measured during a sampling interval of 30 seconds, by default. To change that interval over
which that threshold is determined, use the load-interval seconds option of the ip cef traffic-statistics
command.
When NHRP is configured on a CEF switching node with a Versatile Interface Processor (VIP2) adapter,
you must make sure the update-rate keyword is set to 5 seconds.
Other Cisco IOS features could also use the ip cef traffic-statistics command; this NHRP feature relies
on it.
Examples In the following example, the triggering and teardown thresholds are calculated based on an average over
120 seconds:
ip cef traffic-statistics load-interval 120
ip classless
At times the router might receive packets destined for a subnet of a network that has no network default
route. To have the Cisco IOS software forward such packets to the best supernet route possible, use the
ip classless global configuration command. To disable this feature, use the no form of this command.
ip classless
no ip classless
Defaults Enabled
Usage Guidelines This command allows the software to forward packets that are destined for unrecognized subnets of
directly connected networks. The packets are forwarded to the best supernet route.
When this feature is disabled, the Cisco IOS software discards the packets when a router receives packets
for a subnet that numerically falls within its subnetwork addressing scheme, no such subnet number is
in the routing table, and there is no network default route.
Note If the supernet, or default route, is learned via IS-IS or OSPF, the no ip classless configuration
command is ignored.
Examples The following example prevents the software from forwarding packets destined for an unrecognized
subnet to the best supernet possible:
no ip classless
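The forwarding decision described above, with and without ip classless, as an added Python model (not Cisco IOS code). It assumes a route's "source" label to apply the note about supernet or default routes learned via IS-IS or OSPF; the routing table is constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    source: str = "static"      # "connected", "static", "ospf", "isis", ...


def major_network(addr: ipaddress.IPv4Address) -> Optional[ipaddress.IPv4Network]:
    """Classful (A/B/C) major network containing addr; None for class D/E."""
    first = int(addr) >> 24
    if first < 128:
        plen = 8
    elif first < 192:
        plen = 16
    elif first < 224:
        plen = 24
    else:
        return None
    return ipaddress.IPv4Network((int(addr), plen), strict=False)


def longest_match(dst: ipaddress.IPv4Address, routes: List[Route]) -> Optional[Route]:
    best = None
    for r in routes:
        if dst in r.prefix and (best is None or r.prefix.prefixlen > best.prefix.prefixlen):
            best = r
    return best


def lookup(dst: str, routes: List[Route], ip_classless: bool = True) -> Optional[Route]:
    """Route chosen for dst, or None when the packet is discarded."""
    d = ipaddress.IPv4Address(dst)
    best = longest_match(d, routes)
    if best is None or ip_classless:
        return best                       # classless: the best supernet/default route is used
    major = major_network(d)
    if major is None:
        return best
    # no ip classless: the router holds subnets of dst's major network, but no
    # subnet route and no route to the major network itself covers dst, so the
    # packet is discarded instead of following a supernet or default route.
    knows_subnets = any(r.prefix.prefixlen > major.prefixlen and r.prefix.subnet_of(major)
                        for r in routes)
    if knows_subnets and not best.prefix.subnet_of(major):
        # Page note: a supernet/default route learned via IS-IS or OSPF is still used.
        return best if best.source in ("ospf", "isis") else None
    return best


if __name__ == "__main__":
    # Constructed table: one connected subnet of 131.108.0.0/16 and a static default.
    table = [Route(ipaddress.IPv4Network("131.108.1.0/24"), "connected", "connected"),
             Route(ipaddress.IPv4Network("0.0.0.0/0"), "192.31.7.18", "static")]
    for dst in ("131.108.1.5", "131.108.5.1", "10.1.1.1"):
        for classless in (True, False):
            r = lookup(dst, table, classless)
            print(dst, "ip classless" if classless else "no ip classless",
                  "->", r.next_hop if r else "discarded")
```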
ip default-gateway
To define a default gateway (router) when IP routing is disabled, use the ip default-gateway global
configuration command. To disable this function, use the no form of this command.
ip default-gateway ip-address
no ip default-gateway ip-address
Defaults Disabled
Usage Guidelines The Cisco IOS software sends any packets that need the assistance of a gateway to the address you
specify. If another gateway has a better route to the requested host, the default gateway sends an Internet
Control Message Protocol (ICMP) redirect message back. The ICMP redirect message indicates which
local router the Cisco IOS software should use.
Examples The following example defines the router on IP address 192.31.7.18 as the default router:
ip default-gateway 192.31.7.18
Usage Guidelines Address pools that are configured with the vrf and origin aaa DHCP pool configuration commands will
set the USERNAME attribute in the AAA request to the specified VRF name. If the VPN ID as specified
in RFC 2685 is configured for the VRF, the VPN ID will be sent instead.
Address pools that are not configured with the vrf command but are configured with the origin aaa
command, will set the USERNAME attribute in the AAA request to the specified name in the ip dhcp
aaa default username command.
Use the debug aaa attribute command to verify the value of the USERNAME attribute in the subnet
request to the AAA server.
In Cisco IOS Release 12.2(8)T, if this command is not configured, no AAA subnet request from
non-VRF ODAPs will be sent.
In Cisco IOS Release 12.2(15)T, if the DHCP pool is not configured with VRF and the ip dhcp aaa
default username command is not configured, the AAA request will still be sent with the USERNAME
attribute set to the DHCP pool name.
This command is not needed if all ODAPs on the VHG/PE are VRF-associated.
Examples The following example sets the USERNAME attribute in the AAA request to green:
ip dhcp aaa default username green
Usage Guidelines The Cisco IOS software can forward these ignored BOOTP request packets to another DHCP server if
the ip helper-address interface configuration command is configured on the incoming interface. If the
ip helper-address command is not configured, the router will drop the received BOOTP request.
Examples The following example shows that the router will ignore received BOOTP requests:
hostname Router
!
ip subnet-zero
!
ip dhcp bootp ignore
Usage Guidelines We recommend using a DHCP server database agent to store automatic bindings. If you decide not to
use a DHCP Server database agent to store automatic bindings, use the no ip dhcp conflict logging
command to disable the recording of address conflicts. By default, the Cisco IOS DHCP server records
DHCP address conflicts in a log file.
Examples The following example disables the recording of DHCP address conflicts:
no ip dhcp conflict logging
ip dhcp database
To configure a Cisco IOS Dynamic Host Configuration Protocol (DHCP) server and relay agent to save
automatic bindings on a remote host called a database agent, use the ip dhcp database command in
global configuration mode. To remove the database agent, use the no form of this command.
Syntax Description url Specifies the remote file used to store the automatic bindings. Following are the
acceptable URL file formats:
• tftp://host/filename
• ftp://user:password@host/filename
• rcp://user@host/filename
timeout seconds (Optional) Specifies how long (in seconds) the DHCP Server should wait before
aborting a database transfer. Transfers that exceed the timeout period are
aborted. By default, DHCP waits 300 seconds (5 minutes) before aborting a
database transfer. Infinity is defined as 0 seconds.
write-delay seconds (Optional) Specifies how soon the DHCP server should send database updates.
By default, DHCP waits 300 seconds (5 minutes) before sending database
changes. The minimum delay is 60 seconds.
Defaults DHCP waits 300 seconds for both a write delay and a timeout.
Usage Guidelines The administrator may configure multiple database agents. Bindings are transferred by using FTP,
Trivial File Transport Protocol (TFTP), or remote copy protocol (rcp).
The DHCP relay agent can save route information to the same database agents to ensure recovery after
reloads.
Examples The following example specifies the DHCP database transfer timeout value as 80 seconds:
ip dhcp database ftp://user:password@172.16.1.1/router-dhcp timeout 80
The following example specifies the DHCP database update delay value as 100 seconds:
ip dhcp database tftp://172.16.1.1/router-dhcp write-delay 100
ip dhcp excluded-address
To specify IP addresses that a Cisco IOS Dynamic Host Configuration Protocol (DHCP) Server should
not assign to DHCP clients, use the ip dhcp excluded-address command in global configuration mode.
To remove the excluded IP addresses, use the no form of this command.
Syntax Description low-address The excluded IP address, or first IP address in an excluded address range.
high-address (Optional) The last IP address in the excluded address range.
Usage Guidelines The DHCP Server assumes that all pool addresses may be assigned to clients. Use this command to
exclude a single IP address or a range of IP addresses.
Examples The following example configures an excluded IP address range from 172.16.1.100 through
172.16.1.199:
ip dhcp excluded-address 172.16.1.100 172.16.1.199
Syntax Description number The number of ping packets that are sent before the address is assigned to a
requesting client. The default value is two packets.
Usage Guidelines The DHCP server pings a pool address before assigning the address to a requesting client. If the ping is
unanswered, the DHCP server assumes (with a high probability) that the address is not in use and assigns
the address to the requesting client.
Setting the number argument to a value of 0 completely turns off DHCP server ping operation.
Examples The following example specifies five ping attempts by the DHCP server before ceasing any further ping
attempts:
ip dhcp ping packets 5
Syntax Description milliseconds The amount of time (in milliseconds) that the DHCP server waits for a ping
reply before it stops attempting to reach a pool address for client assignment.
The maximum timeout is 10000 milliseconds (10 seconds). The default
timeout is 500 milliseconds.
Usage Guidelines This command specifies how long to wait for a ping reply (in milliseconds).
Examples The following example specifies that the DHCP Server will wait 800 milliseconds for a ping reply before
considering the ping a failure:
ip dhcp ping timeout 800
ip dhcp pool
To configure a Dynamic Host Configuration Protocol (DHCP) address pool on a Cisco IOS DHCP server
and enter DHCP pool configuration mode, use the ip dhcp pool command in global configuration mode.
To remove the address pool, use the no form of this command.
Syntax Description name Name of the pool. Can either be a symbolic string (such as engineering) or an
integer (such as 0).
Usage Guidelines During execution of this command, the configuration mode changes to DHCP pool configuration mode,
which is identified by the (config-dhcp)# prompt. In this mode, the administrator can configure pool
parameters, like the IP subnet number and default router list.
Examples The following example configures pool1 as the DHCP address pool:
ip dhcp pool pool1
Defaults The DHCP server checks relay information. Invalid messages are dropped.
Usage Guidelines This command is used by cable access router termination systems. By default, DHCP checks relay
information. Invalid messages are dropped.
Examples The following example configures the DHCP Server to check that the relay agent information option in
forwarded BOOTREPLY messages is valid:
ip dhcp relay information check
Usage Guidelines This command is used by cable access router termination systems. This functionality enables a DHCP
server to identify the user (cable access router) sending the request and initiate appropriate action based
on this information. By default, DHCP does not insert relay information.
The ip dhcp relay information option command automatically adds the circuit identifier suboption and
the remote ID suboption to the DHCP relay agent information option (also called option 82).
The vpn optional keyword should be used only when the DHCP server allocates addresses based on VPN
identification suboptions.
The ip dhcp relay information option vpn command adds the following VPN-related suboptions into
the relay agent information option when DHCP broadcasts are forwarded by the relay agent from clients
to a DHCP server:
• VPN identifier—Contains the VPN ID if configured or the VRF name if configured on the interface
(VPN ID takes precedence over VRF name).
• Subnet selection—Contains the incoming interface subnet address.
• Server identifier override—Contains the incoming interface IP address.
After these suboptions are successfully added, the gateway address is set to the outgoing interface of the
router toward the DHCP server IP address configured using the ip helper-address interface
configuration command.
If only the ip dhcp relay information option vpn command is configured, the VPN identifier, subnet
selection, and server identifier override suboptions are added to the relay information option. Note that
the circuit identifier suboption and the remote ID suboption are not added to the relay information
option. However, if both the ip dhcp relay information option command and the ip dhcp relay
information option vpn command are configured, all five suboptions are added to the relay agent
information option.
When the packets are returned from the DHCP server, option 82 is removed before the reply is forwarded
to the client.
Even if the vpn option is specified, the VPN suboptions are added only to those DHCP or BOOTP
broadcasts picked up by the interface configured with a VRF name or VPN ID.
For clients from unnumbered ATM or serial interfaces, when this command is enabled, the VPN
identifier suboption will contain the VRF name of the unnumbered interface.
Subnet selection and server identifier override suboptions are added from the IP address of the interface
that the unnumbered interface is configured to borrow its IP address from. The client host route will be
added on the respective VRF routing tables.
If the ip dhcp smart-relay global configuration command is enabled, then the server identifier override
and subnet selection suboptions will use the secondary IP address of the incoming interface when the
same client retransmits more than three DHCP DISCOVER packets (for both numbered and unnumbered
interfaces).
Examples The following example configures a DHCP server to insert the DHCP relay agent information option,
including VPN suboptions, in forwarded BOOTREQUEST messages. In this example, the circuit
identifier suboption and the remote ID suboption are not included in the relay information option:
ip dhcp relay information option vpn
The following example configures a DHCP server to insert the DHCP relay agent information option,
including VPN suboptions, the circuit identifier suboption, and the remote ID suboption, in forwarded
BOOTREQUEST messages:
ip dhcp relay information option vpn
ip dhcp relay information option
Syntax Description drop Directs the DHCP relay agent to discard messages with existing relay
information if the relay information option is already present.
keep Indicates that existing information is left unchanged on the DHCP relay agent.
replace Indicates that existing information is overwritten on the DHCP relay agent.
Usage Guidelines This command is used by cable access router termination systems. A DHCP relay agent may receive a
message from another DHCP relay agent that already contains relay information. By default, the relay
information from the previous relay agent is replaced.
Examples The following examples configure a DHCP relay agent to drop messages with existing relay information,
keep existing information, and replace existing information:
ip dhcp relay information policy drop
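The suboption rules for ip dhcp relay information option and its vpn form, together with the drop/keep/replace relay policy, as an added Python example (not Cisco IOS code). Suboption codes are the RFC-assigned ones (RFC 3046, 3527, 5107, 6607); it is an assumption that the IOS release on the page encodes them identically, and the VPN identifier encoding and all sample values are constructed.

```python
import ipaddress
from typing import Dict, Optional

OPT_RELAY_AGENT_INFO = 82
# Suboption codes as assigned in the RFCs; assumed to match the device.
SUB_CIRCUIT_ID = 1            # RFC 3046
SUB_REMOTE_ID = 2             # RFC 3046
SUB_SUBNET_SELECTION = 5      # RFC 3527 (link selection)
SUB_SERVER_ID_OVERRIDE = 11   # RFC 5107
SUB_VPN_ID = 151              # RFC 6607 (virtual subnet selection)


def tlv(code: int, value: bytes) -> bytes:
    if not 0 < len(value) < 256:
        raise ValueError("suboption length must be 1..255")
    return bytes([code, len(value)]) + value


def build_relay_info(circuit_id: bytes, remote_id: bytes, incoming_ip: str, incoming_mask: str,
                     vrf_name: Optional[str] = None, vpn_id: Optional[bytes] = None,
                     option: bool = False, option_vpn: bool = False) -> Optional[bytes]:
    """Option 82 value a relay inserts into a forwarded BOOTREQUEST. option models
    'ip dhcp relay information option', option_vpn its 'vpn' form. Returns None
    when no option is to be inserted."""
    out = b""
    if option:                                  # circuit-ID and remote-ID suboptions
        out += tlv(SUB_CIRCUIT_ID, circuit_id) + tlv(SUB_REMOTE_ID, remote_id)
    # VPN suboptions only for broadcasts picked up on an interface with a VRF/VPN ID.
    if option_vpn and (vpn_id or vrf_name):
        iface = ipaddress.IPv4Interface(f"{incoming_ip}/{incoming_mask}")
        # Assumption: raw RFC 2685 VPN ID bytes, else the VRF name in ASCII
        # (the page: VPN ID takes precedence over VRF name).
        out += tlv(SUB_VPN_ID, vpn_id if vpn_id else vrf_name.encode("ascii"))
        out += tlv(SUB_SUBNET_SELECTION, iface.network.network_address.packed)
        out += tlv(SUB_SERVER_ID_OVERRIDE, iface.ip.packed)
    return out or None


def parse_suboptions(value: bytes) -> Dict[int, bytes]:
    """Suboption code -> value; refuses a truncated option 82 value."""
    subs: Dict[int, bytes] = {}
    i = 0
    while i < len(value):
        if i + 2 > len(value) or i + 2 + value[i + 1] > len(value):
            raise ValueError("truncated relay agent information option")
        ln = value[i + 1]
        subs[value[i]] = value[i + 2:i + 2 + ln]
        i += 2 + ln
    return subs


def relay_policy(existing: Optional[bytes], new: bytes, policy: str = "replace") -> Optional[bytes]:
    """Option 82 to forward when a message arrives already carrying one from an
    upstream relay (ip dhcp relay information policy). None means the message
    is discarded; the page's default is replace."""
    if existing is None:
        return new
    if policy == "drop":
        return None
    if policy == "keep":
        return existing
    if policy == "replace":
        return new
    raise ValueError(f"unknown policy {policy!r}")


if __name__ == "__main__":
    # Constructed relay: client broadcast arrived on a VRF RED interface 10.1.1.1/24.
    both = build_relay_info(b"Eth0/1", b"relay-1", "10.1.1.1", "255.255.255.0",
                            vrf_name="RED", option=True, option_vpn=True)
    print("option + option vpn:", sorted(parse_suboptions(both)))
    vpn_only = build_relay_info(b"Eth0/1", b"relay-1", "10.1.1.1", "255.255.255.0",
                                vrf_name="RED", option_vpn=True)
    print("option vpn only:", sorted(parse_suboptions(vpn_only)))
    print("policy drop ->", relay_policy(b"upstream", both, "drop"))
```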
ip dhcp smart-relay
To allow the Cisco IOS Dynamic Host Configuration Protocol (DHCP) relay agent to switch the gateway
address (giaddr field of a DHCP packet) to secondary addresses when there is no DHCPOFFER message
from a DHCP server, use the ip dhcp smart-relay global configuration command. To disable this
smart-relay functionality and restore the default behavior, use the no form of this command.
ip dhcp smart-relay
no ip dhcp smart-relay
Defaults Disabled
Usage Guidelines The DHCP relay agent attempts to forward the primary address as the gateway address three times. After
three attempts and no response, the relay agent automatically switches to secondary addresses.
Examples The following example enables the DHCP relay agent to automatically switch to secondary address
pools:
ip dhcp smart-relay
ip directed-broadcast
To enable the translation of a directed broadcast to physical broadcasts, use the ip directed-broadcast
interface configuration command. To disable this function, use the no form of this command.
Syntax Description access-list-number (Optional) Standard access list number in the range from 1 to 199. If
specified, a broadcast must pass the access list to be forwarded.
extended access-list-number (Optional) Extended access list number in the range from 1300 to
2699.
Usage Guidelines An IP directed broadcast is an IP packet whose destination address is a valid broadcast address for some
IP subnet, but which originates from a node that is not itself part of that destination subnet.
A router that is not directly connected to its destination subnet forwards an IP directed broadcast in the
same way it would forward unicast IP packets destined to a host on that subnet. When a directed
broadcast packet reaches a router that is directly connected to its destination subnet, that packet is
“exploded” as a broadcast on the destination subnet. The destination address in the IP header of the
packet is rewritten to the configured IP broadcast address for the subnet, and the packet is sent as a
link-layer broadcast.
The ip directed-broadcast interface command controls the explosion of directed broadcasts when they
reach their target subnets. The command affects only the final transmission of the directed broadcast on
its ultimate destination subnet. It does not affect the transit unicast routing of IP directed broadcasts.
If directed broadcast is enabled for an interface, incoming IP packets whose addresses identify them as
directed broadcasts intended for the subnet to which that interface is attached will be exploded as
broadcasts on that subnet. If an access list has been configured with the ip directed-broadcast
command, only directed broadcasts that are permitted by the access list in question will be forwarded;
all other directed broadcasts destined for the interface subnet will be dropped.
If the no ip directed-broadcast command has been configured for an interface, directed broadcasts
destined for the subnet to which that interface is attached will be dropped, rather than being broadcast.
Note Because directed broadcasts, and particularly Internet Control Message Protocol (ICMP) directed
broadcasts, have been abused by malicious persons, we recommend that security-conscious users
disable the ip directed-broadcast command on any interface where directed broadcasts are not
needed and that they use access lists to limit the number of exploded packets.
Examples The following example enables forwarding of IP directed broadcasts on Ethernet interface 0:
interface ethernet 0
ip directed-broadcast
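The following added example, which is not part of this reference, audits a running-config fragment for the interface-level directed-broadcast state described above and applies the recommendation in the Note: flag interfaces where directed broadcasts are exploded without an access list, and report interfaces where neither form of the command appears so the platform default can be checked. The configuration text is constructed for the example.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample running-config fragment (not taken from the reference).
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 171.69.232.182 255.255.255.240
 ip directed-broadcast
!
interface Ethernet1
 ip address 192.168.1.94 255.255.255.0
 ip directed-broadcast 10
!
interface Ethernet2
 ip address 192.168.2.1 255.255.255.0
 no ip directed-broadcast
!
interface Serial0
 ip address 10.1.1.1 255.255.255.252
!
"""


def parse_interfaces(config: str) -> Dict[str, List[str]]:
    """Group the indented interface-mode lines of an IOS config under their interface."""
    interfaces: Dict[str, List[str]] = {}
    current: Optional[str] = None
    for raw in config.splitlines():
        if raw.startswith("interface "):
            current = raw.split(None, 1)[1].strip()
            interfaces[current] = []
        elif raw.startswith("!") or not raw.startswith(" "):
            current = None  # left interface configuration mode
        elif current is not None:
            interfaces[current].append(raw.strip())
    return interfaces


def directed_broadcast_state(lines: List[str]) -> Tuple[str, Optional[str]]:
    """Classify an interface as 'disabled', 'enabled', 'enabled-acl' (with the access
    list number) or 'not-set' when neither form of the command appears. The last
    occurrence wins, as it would when the lines are replayed into the configuration."""
    state: Tuple[str, Optional[str]] = ("not-set", None)
    for line in lines:
        if line == "no ip directed-broadcast":
            state = ("disabled", None)
        else:
            m = re.fullmatch(r"ip directed-broadcast(?:\s+(\d+))?", line)
            if m:
                state = ("enabled-acl", m.group(1)) if m.group(1) else ("enabled", None)
    return state


def audit_directed_broadcast(config: str) -> List[Tuple[str, str, str]]:
    """Return (interface, severity, message) findings: exploding directed broadcasts
    without an access list is the case the reference's Note warns about."""
    findings: List[Tuple[str, str, str]] = []
    for name, lines in parse_interfaces(config).items():
        state, acl = directed_broadcast_state(lines)
        if state == "enabled":
            findings.append((name, "high", "directed broadcasts exploded without an access list"))
        elif state == "enabled-acl":
            findings.append((name, "medium", f"directed broadcasts exploded, limited by access list {acl}"))
        elif state == "not-set":
            findings.append((name, "info", "ip directed-broadcast not set; behaviour follows the platform default"))
    return findings


if __name__ == "__main__":
    for iface, severity, message in audit_directed_broadcast(SAMPLE_CONFIG):
        print(f"{severity:6} {iface:10} {message}")
```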
ip domain-list
To define a list of default domain names to complete unqualified host names, use the ip domain-list
command in global configuration mode. To delete a name from a list, use the no form of this command.
ip domain-list name
no ip domain-list name
Syntax Description name Domain name. Do not include the initial period that separates an
unqualified name from the domain name.
Usage Guidelines If there is no domain list, the domain name that you specified with the ip domain-name global
configuration command is used. If there is a domain list, the default domain name is not used. The ip
domain-list command is similar to the ip domain-name command, except that with the ip domain-list
command you can define a list of domains, each to be tried in turn.
The following example adds a name to and then deletes a name from the list:
ip domain-list school.edu
no ip domain-list school.edu
ip domain-lookup
To enable the IP Domain Naming System (DNS)-based host name-to-address translation, use the
ip domain-lookup command in global configuration mode. To disable the DNS, use the no form of this
command.
ip domain-lookup
no ip domain-lookup
Defaults Enabled
Examples The following example enables the IP DNS-based host name-to-address translation:
ip domain-lookup
ip domain-name
To define a default domain name that the Cisco IOS software uses to complete unqualified host names
(names without a dotted-decimal domain name), use the ip domain-name command in global
configuration mode. To disable use of the Domain Name System (DNS), use the no form of this
command.
ip domain-name name
no ip domain-name name
Syntax Description name Default domain name used to complete unqualified host names. Do
not include the initial period that separates an unqualified name from
the domain name.
Defaults Enabled
Usage Guidelines Any IP host name that does not contain a domain name (that is, any name without a dot) will have the
dot and cisco.com appended to it before being added to the host table.
Examples The following example defines cisco.com as the default domain name:
ip domain-name cisco.com
ip drp access-group
To control the sources of Director Response Protocol (DRP) queries to the DRP Server Agent, use the
ip drp access-group command in global configuration mode. To remove the access list, use the no form
of this command.
Syntax Description access-list-number Number of a standard IP access list in the range from 1 to 99 or from 1300
to 1999.
Usage Guidelines This command applies an access list to the interface, thereby controlling which devices can send queries
to the DRP Server Agent.
If both an authentication key chain and an access group have been specified, both security measures must
permit access before a request is processed.
Examples The following example configures access list 1, which permits only queries from the host at 33.45.12.4:
access-list 1 permit 33.45.12.4
ip drp access-group 1
Syntax Description name-of-chain Name of the key chain containing one or more authentication keys.
Usage Guidelines When a key chain and key are configured, the key is used to authenticate all DRP requests and responses.
The active key on the DRP Server Agent must match the active key on the primary agent. Use the key
and key-string commands to configure the key.
ip drp server
To enable the Director Response Protocol (DRP) Server Agent that works with DistributedDirector, use
the ip drp server command in global configuration mode. To disable the DRP Server Agent, use the no
form of this command.
ip drp server
no ip drp server
Defaults Disabled
ip forward-protocol
To specify which protocols and ports the router forwards when forwarding broadcast packets, use the ip
forward-protocol command in global configuration mode. To remove a protocol or port, use the no form
of this command.
Syntax Description udp Forwards User Datagram Protocol (UDP) datagrams. See the “Defaults” section
for a list of port numbers forwarded by default.
port (Optional) Destination port that controls which UDP services are forwarded.
nd Forwards Network Disk (ND) datagrams. This protocol is used by older diskless
Sun workstations.
sdns Secure Data Network Service.
Defaults Enabled
Usage Guidelines Enabling a helper address or UDP flooding on an interface causes the Cisco IOS software to forward
particular broadcast packets. You can use the ip forward-protocol command to specify exactly which
types of broadcast packets you would like to have forwarded. A number of commonly forwarded
applications are enabled by default. Enabling forwarding for some ports (for example, Routing
Information Protocol (RIP)) may be hazardous to your network.
If you use the ip forward-protocol command, specifying only UDP without the port enables forwarding
and flooding on the default ports.
One common application that requires helper addresses is Dynamic Host Configuration Protocol
(DHCP). DHCP is defined in RFC 1531. DHCP protocol information is carried inside of BOOTP
packets. To enable BOOTP broadcast forwarding for a set of clients, configure a helper address on the
router interface closest to the client. The helper address should specify the address of the DHCP server.
If you have multiple servers, you can configure one helper address for each server. Because BOOTP
packets are forwarded by default, DHCP information can now be forwarded by the software. The DHCP
server now receives broadcasts from the DHCP clients.
If an IP helper address is defined, UDP forwarding is enabled on default ports. If UDP flooding is
configured, UDP flooding is enabled on the default ports.
If a helper address is specified and UDP forwarding is enabled, broadcast packets destined to the
following port numbers are forwarded by default:
ip forward-protocol spanning-tree
To permit IP broadcasts to be flooded throughout the internetwork in a controlled fashion, use the
ip forward-protocol spanning-tree command in global configuration mode. To disable the flooding of
IP broadcasts, use the no form of this command.
Syntax Description any-local-broadcast (Optional) Accept any local broadcast when flooding.
Defaults Disabled
Usage Guidelines A packet must meet the following criteria to be considered for flooding:
• The MAC address of the received frame must be all-ones broadcast address (ffff.ffff.ffff).
• The IP destination address must be one of the following: all-ones broadcast (255.255.255.255),
subnet broadcast for the receiving interface; major-net broadcast for the receiving interface if the no
ip classless command is also configured; or any local IP broadcast address if the ip
forward-protocol spanning-tree any-local-broadcast command is configured.
• The IP time-to-live (TTL) value must be at least 2.
• The IP protocol must be UDP (17).
• The UDP destination port must be for TFTP, Domain Name System (DNS), Time, NetBIOS, ND, or
BOOTP packet, or a UDP port specified by the ip forward-protocol udp global configuration
command.
A flooded UDP datagram is given the destination address specified by the ip broadcast-address
interface configuration command on the output interface. The destination address can be set to any
desired address. Thus, the destination address may change as the datagram propagates through the
network. The source address is never changed. The TTL value is decremented.
After a decision has been made to send the datagram out on an interface (and the destination address
possibly changed), the datagram is handed to the normal IP output routines and is therefore subject to
access lists, if they are present on the output interface.
The ip forward-protocol spanning-tree command uses the database created by the bridging
Spanning-Tree Protocol. Therefore, the transparent bridging option must be in the routing software, and
bridging must be configured on each interface that is to participate in the flooding in order to support
this capability.
If an interface does not have bridging configured, it still will be able to receive broadcasts, but it will
never forward broadcasts received on that interface. Also, it will never use that interface to send
broadcasts received on a different interface.
If no actual bridging is desired, you can configure a type-code bridging filter that will deny all packet
types from being bridged. Refer to the “Configuring Transparent Bridging” chapter in the Cisco IOS
Bridging and IBM Networking Configuration Guide for more information about using access lists to
filter bridged traffic. The spanning-tree database is still available to the IP forwarding code to use for the
flooding.
The spanning-tree-based flooding mechanism forwards packets whose contents are all ones
(255.255.255.255), all zeros (0.0.0.0), and, if subnetting is enabled, all networks (131.108.255.255 as an
example in the network number 131.108.0.0). This mechanism also forwards packets whose contents are
the zeros version of the all-networks broadcast when subnetting is enabled (for example, 131.108.0.0).
This command is an extension of the ip helper-address interface configuration command, in that the
same packets that may be subject to the helper address and forwarded to a single network can now be
flooded. Only one copy of the packet will be put on each network segment.
Examples The following example permits IP broadcasts to be flooded through the internetwork in a controlled
fashion:
ip forward-protocol spanning-tree
ip forward-protocol turbo-flood
To speed up flooding of User Datagram Protocol (UDP) datagrams using the spanning-tree algorithm,
use the ip forward-protocol turbo-flood command in global configuration mode. To disable this
feature, use the no form of this command.
ip forward-protocol turbo-flood
no ip forward-protocol turbo-flood
Defaults Disabled
Usage Guidelines Used in conjunction with the ip forward-protocol spanning-tree global configuration command, this
feature is supported over Advanced Research Projects Agency (ARPA)-encapsulated Ethernets, FDDI,
and High-Level Data Link Control (HDLC) encapsulated serials, but is not supported on Token Rings.
As long as the Token Rings and the non-HDLC serials are not part of the bridge group being used for
UDP flooding, turbo flooding will behave normally.
ip helper-address
To enable the forwarding of User Datagram Protocol (UDP) broadcasts, including BOOTP, received on
an interface, use the ip helper-address command in interface configuration mode. To disable the
forwarding of broadcast packets to specific addresses, use the no form of this command.
Syntax Description vrf name (Optional) Enables VPN routing and forwarding (VRF) instance and
VRF name.
global (Optional) Configures a global routing table.
address Destination broadcast or host address to be used when forwarding
UDP broadcasts. There can be more than one helper address per
interface.
redundancy vrg-name (Optional) Defines the VRG group name.
Defaults Disabled
Usage Guidelines Combined with the ip forward-protocol global configuration command, the ip helper-address
command allows you to control which broadcast packets and which protocols are forwarded.
One common application that requires helper addresses is Dynamic Host Configuration Protocol
(DHCP), which is defined in RFC 1531. To enable BOOTP or DHCP broadcast forwarding for a set of
clients, configure a helper address on the router interface connected to the client. The helper address
should specify the address of the BOOTP or DHCP server. If you have multiple servers, you can
configure one helper address for each server.
All of the following conditions must be met in order for a UDP or IP packet to be helpered by the ip
helper-address command:
• The MAC address of the received frame must be all-ones broadcast address (ffff.ffff.ffff).
• The IP destination address must be one of the following: all-ones broadcast (255.255.255.255),
subnet broadcast for the receiving interface, or major-net broadcast for the receiving interface if the
no ip classless command is also configured.
• The IP time-to-live (TTL) value must be at least 2.
• The IP protocol must be UDP (17).
• The UDP destination port must be for TFTP, Domain Name System (DNS), Time, NetBIOS, ND,
BOOTP or DHCP packet, or a UDP port specified by the ip forward-protocol udp global
configuration command.
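The following added example, which is not part of this reference, applies the two criteria lists above (the flooding list under ip forward-protocol spanning-tree and the helpering list under ip helper-address) to a constructed packet, one condition at a time, and reports the first condition that fails. The UDP port numbers are an assumption from the IANA well-known assignments for the services the lists name (ND is omitted because its port number is not given on this page), and the any-local-broadcast option is read here as "the broadcast address of any configured local subnet".

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface, IPv4Network
from typing import Iterable, Optional, Set, Tuple

# Assumed well-known ports: TFTP, DNS, Time, NetBIOS name/datagram, BOOTP server/client.
DEFAULT_HELPER_PORTS: Set[int] = {69, 53, 37, 137, 138, 67, 68}
BROADCAST_MAC = "ff:ff:ff:ff:ff:ff"


@dataclass(frozen=True)
class Packet:
    """Constructed minimal view of a received frame and its IP/UDP headers."""
    dst_mac: str
    dst_ip: str
    ttl: int
    ip_proto: int
    udp_dport: Optional[int] = None


def classful_broadcast(addr: IPv4Address) -> IPv4Address:
    """Major-net (classful) broadcast for the class A/B/C network containing addr."""
    first_octet = int(addr) >> 24
    prefix = 8 if first_octet < 128 else 16 if first_octet < 192 else 24
    return IPv4Network((int(addr), prefix), strict=False).broadcast_address


def helper_eligible(pkt: Packet, iface: str, *, ip_classless: bool = True,
                    extra_ports: Iterable[int] = (), flood: bool = False,
                    any_local_broadcast: bool = False,
                    local_subnets: Iterable[str] = ()) -> Tuple[bool, str]:
    """Check the reference's conditions in order and return (eligible, reason).
    iface is the receiving interface address as 'a.b.c.d/len'. flood=True applies
    the spanning-tree flooding list, whose extra any-local-broadcast case accepts the
    broadcast address of any subnet in local_subnets (interpretation, see lead-in)."""
    if pkt.dst_mac.lower() != BROADCAST_MAC:
        return False, "link-layer destination is not the all-ones broadcast"
    intf = IPv4Interface(iface)
    dst = IPv4Address(pkt.dst_ip)
    accepted = {IPv4Address("255.255.255.255"), intf.network.broadcast_address}
    if not ip_classless:  # major-net broadcast only counts under no ip classless
        accepted.add(classful_broadcast(intf.ip))
    if flood and any_local_broadcast:
        accepted.update(IPv4Network(n).broadcast_address for n in local_subnets)
    if dst not in accepted:
        return False, f"{dst} is not a broadcast address this interface accepts"
    if pkt.ttl < 2:
        return False, "TTL below 2"
    if pkt.ip_proto != 17:
        return False, "not UDP"
    if pkt.udp_dport not in DEFAULT_HELPER_PORTS | set(extra_ports):
        return False, f"UDP port {pkt.udp_dport} is not a forwarded port"
    return True, "flooded" if flood else "forwarded to helper address"
```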
If the DHCP server resides in a Virtual Private Network (VPN) or global space that is different from the
interface VPN, then the vrf name or global option allows you to specify the name of the VRF or global
space in which the DHCP server resides.
The ip helper-address vrf name address option uses the address associated with the VRF name
regardless of the VRF of the incoming interface. If the ip helper-address vrf name address command
is configured and later the vrf is deleted from the configuration, then all IP helper addresses associated
with that VRF name will be removed from the interface configuration.
If the ip helper-address address command is already configured on an interface with no VRF name
configured, and later the interface is configured with the ip helper-address vrf name address command,
then the previously configured ip helper-address address is considered to be global.
Note The ip helper-address command does not work on an X.25 interface on a destination router because
the router cannot determine if the packet was intended as a physical broadcast.
Examples The following example defines an address that acts as a helper address:
interface ethernet 1
ip helper-address 121.24.43.2
The following example defines an address that acts as a helper address and is associated with the VRF
named red:
interface ethernet 1/0
ip helper-address vrf red 121.25.44.2
The following example defines an address that acts as a helper address and is associated with the VRG
named shop:
interface ethernet 1/0
ip helper-address 121.25.45.2 redundancy shop
ip host
To define a static host name-to-address mapping in the host cache, use the ip host command in global
configuration mode. To remove the host name-to-address mapping, use the no form of this command.
Syntax Description name Name of the host. The first character can be either a letter or a number. If
you use a number, the types of operations you can perform are limited.
tmodem-telephone-number Modem telephone number that is mapped to the IP host address for use
in Cisco modem user interface mode (you must enter the letter “t” before
the telephone number).
tcp-port-number (Optional) TCP port number to connect to when using the defined host
name in conjunction with an EXEC connect or Telnet command. The
default is Telnet (port 23).
address1 Associated IP host address.
address2...address8 (Optional) Additional associated IP addresses. You can bind up to eight
addresses to a host name.
Defaults Disabled
Usage Guidelines The first character can be either a letter or a number. If you use a number, the types of operations you
can perform (such as ping) are limited.
The following example shows how to map modem telephone number (415) 555-1234 to IP host address
10.1.5.5 for the Cisco modem user interface mode:
ip host t4155551234 10.1.5.5
Syntax Description df (Optional) Limits the rate ICMP destination unreachable messages are sent
when code 4, fragmentation is needed and DF set, is specified in the IP header
of the ICMP destination unreachable message.
milliseconds Time limit (in milliseconds) in which one ICMP destination unreachable
message is sent. The range is 1 millisecond to 4294967295 milliseconds.
Defaults The default value is one ICMP destination unreachable message per 500 milliseconds.
Usage Guidelines The no ip icmp rate-limit unreachable command turns off the previously configured rate limit. To
re-set the rate limit to its default value, use the default ip icmp rate-limit unreachable command.
The Cisco IOS software maintains two timers: one for general destination unreachable messages and one
for DF destination unreachable messages. Both share the same time limits and defaults. If the df option
is not configured, the ip icmp rate-limit unreachable command sets the time values for DF destination
unreachable messages. If the df option is configured, its time values remain independent from those of
general destination unreachable messages.
Examples The following example sets the rate of the ICMP destination unreachable message to one message every
10 milliseconds:
ip icmp rate-limit unreachable 10
The following example turns off the previously configured rate limit:
no ip icmp rate-limit unreachable
The following example sets the rate limit back to the default:
default ip icmp rate-limit unreachable
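The following added example, which is not part of this reference, models the two destination unreachable timers described in the Usage Guidelines: a general timer and a DF timer that share the 500 millisecond default, where a limit set without df applies to both until a df limit is configured, after which the DF timer is independent. The mapping of the no and default forms onto methods, and reading the no form as "no rate limiting", are assumptions of the example.

```python
class UnreachableRateLimiter:
    """One ICMP destination unreachable per interval, tracked separately for
    general messages and for DF (code 4, fragmentation needed) messages."""
    DEFAULT_MS = 500
    MAX_MS = 4294967295  # upper end of the milliseconds range on this page

    def __init__(self) -> None:
        self.restore_default()

    def restore_default(self) -> None:
        """default ip icmp rate-limit unreachable"""
        self.interval = {"general": self.DEFAULT_MS, "df": self.DEFAULT_MS}
        self.df_independent = False
        self.last_sent = {"general": None, "df": None}
        self.suppressed = {"general": 0, "df": 0}

    def set_limit(self, milliseconds: int, df: bool = False) -> None:
        """ip icmp rate-limit unreachable [df] milliseconds"""
        if not 1 <= milliseconds <= self.MAX_MS:
            raise ValueError("range is 1 to 4294967295 milliseconds")
        if df:
            self.interval["df"] = milliseconds
            self.df_independent = True
        else:
            self.interval["general"] = milliseconds
            if not self.df_independent:  # DF timer follows until set on its own
                self.interval["df"] = milliseconds

    def disable(self) -> None:
        """no ip icmp rate-limit unreachable (assumed: no limiting on either timer)"""
        self.interval = {"general": 0, "df": 0}

    def allow(self, now_ms: int, df: bool = False) -> bool:
        """True if an unreachable may be sent at now_ms; otherwise count it as suppressed."""
        timer = "df" if df else "general"
        interval, last = self.interval[timer], self.last_sent[timer]
        if interval == 0 or last is None or now_ms - last >= interval:
            self.last_sent[timer] = now_ms
            return True
        self.suppressed[timer] += 1
        return False
```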
ip information-reply
To have the Cisco IOS software send Internet Control Message Protocol (ICMP) information replies, use
the ip information-reply command in interface configuration mode. To disable this function, use the no
form of this command.
ip information-reply
no ip information-reply
Defaults Disabled
Usage Guidelines The ability for the Cisco IOS software to respond to ICMP information request messages with an ICMP
information reply message is disabled by default. Use this command to allow the software to send ICMP
information reply messages.
Examples The following example enables the sending of ICMP information reply messages on Ethernet interface 0:
interface ethernet 0
ip address 131.108.1.0 255.255.255.0
ip information-reply
ip irdp
To enable ICMP Router Discovery Protocol (IRDP) processing on an interface, use the ip irdp interface
configuration command. To disable IRDP routing, use the no form of this command.
no ip irdp
Syntax Description multicast (Optional) Use the multicast address (224.0.0.1) instead of IP
broadcasts.
holdtime seconds (Optional) Length of time in seconds that advertisements are held
valid. Default is three times the maxadvertinterval value. Must be
greater than maxadvertinterval and cannot be greater than 9000
seconds.
maxadvertinterval seconds (Optional) Maximum interval in seconds between advertisements.
The range is from 1 to 1800. A value of 0 means only advertise when
solicited. The default is 600 seconds.
minadvertinterval seconds (Optional) Minimum interval in seconds between advertisements.
The range is from 1 to 1800. The default is 450 seconds.
preference number (Optional) Preference value. The allowed range is –2^31 to 2^31. The
default is 0. A higher value increases the preference level of the
router. You can modify a particular router so that it will be the
preferred router to which other routers will home.
address address [number] (Optional) IP address (address) to proxy advertise, and optionally, its
preference value (number).
Defaults Disabled
When enabled, IRDP uses these defaults:
• Broadcast IRDP advertisements
• Maximum interval between advertisements: 600 seconds
• Minimum interval between advertisements: 450 seconds
• Preference: 0
Usage Guidelines If you change the maxadvertinterval value, the other two values also change, so it is important to
change the maxadvertinterval value before changing either the holdtime or minadvertinterval values.
The ip irdp multicast command allows for compatibility with Sun Microsystems Solaris, which requires
IRDP packets to be sent out as multicasts. Many implementations cannot receive these multicasts; ensure
end-host ability before using this command.
ip mask-reply
To have the Cisco IOS software respond to Internet Control Message Protocol (ICMP) mask requests by
sending ICMP mask reply messages, use the ip mask-reply command in interface configuration mode.
To disable this function, use the no form of this command.
ip mask-reply
no ip mask-reply
Defaults Disabled
Examples The following example enables the sending of ICMP mask reply messages on Ethernet interface 0:
interface ethernet 0
ip address 131.108.1.0 255.255.255.0
ip mask-reply
ip mobile arp
To enable local-area mobility, use the ip mobile arp command in interface configuration mode. To
disable local-area mobility, use the no form of this command.
Syntax Description timers (Optional) Indicates that you are setting local-area mobility timers.
keepalive (Optional) Frequency, in minutes, at which the Cisco IOS software sends
unicast Address Resolution Protocol (ARP) messages to a relocated host to
verify that the host is present and has not moved. The default keepalive time
is 5 minutes (300 seconds).
hold-time (Optional) Hold time, in minutes. This is the length of time the software
considers that a relocated host is present without receiving some type of
ARP broadcast or unicast from the host. Normally, the hold time should be
at least three times greater than the keepalive time. The default hold time is
15 minutes (900 seconds).
access-group (Optional) Indicates that you are applying an access list. This access list
applies only to local-area mobility.
access-list-number (Optional) Number of a standard IP access list. It is a decimal number from
1 to 99. Only hosts with addresses permitted by this access list are accepted
for local-area mobility.
name (Optional) Name of an IP access list. The name cannot contain a space or
quotation mark, and must begin with an alphabetic character to avoid
ambiguity with numbered access lists.
Usage Guidelines Local-area mobility is supported on Ethernet, Token Ring, and FDDI interfaces only.
To create larger mobility areas, you must first redistribute the mobile routes into your Interior Gateway
Protocol (IGP). The IGP must support host routes. You can use Enhanced IGRP, Open Shortest Path First
(OSPF), or Intermediate System-to-Intermediate System (IS-IS); you can also use Routing Information
Protocol (RIP), but RIP is not recommended. The mobile area must consist of a contiguous set of
subnets.
Using an access list to control the list of possible mobile nodes is strongly encouraged. Without an access
list, misconfigured hosts can be taken for mobile nodes and disrupt normal operations.
ip mtu
To set the maximum transmission unit (MTU) size of IP packets sent on an interface, use the ip mtu
command in interface configuration mode. To restore the default MTU size, use the no form of this
command.
ip mtu bytes
no ip mtu
Usage Guidelines If an IP packet exceeds the MTU set for the interface, the Cisco IOS software will fragment it.
All devices on a physical medium must have the same protocol MTU in order to operate.
Note Changing the MTU value (with the mtu interface configuration command) can affect the IP MTU
value. If the current IP MTU value is the same as the MTU value, and you change the MTU value,
the IP MTU value will be modified automatically to match the new MTU. However, the reverse is not
true; changing the IP MTU value has no effect on the value for the mtu command.
Examples The following example sets the maximum IP packet size for the first serial interface to 300 bytes:
interface serial 0
ip mtu 300
ip name-server
To specify the address of one or more name servers to use for name and address resolution, use the ip
name-server command in global configuration mode. To remove the addresses specified, use the no
form of this command.
Examples The following example specifies host 131.108.1.111 as the primary name server and host 131.108.1.2 as
the secondary server:
ip name-server 131.108.1.111 131.108.1.2
ip nat
To designate that traffic originating from or destined for the interface is subject to Network Address
Translation (NAT), use the ip nat interface configuration command. To prevent the interface from being
able to translate, use the no form of this command.
Syntax Description inside Indicates that the interface is connected to the inside network (the network
subject to NAT translation).
outside Indicates that the interface is connected to the outside network.
log Enables NAT logging.
translations Enables NAT logging translations.
syslog Enables syslog for NAT logging translations.
Usage Guidelines Only packets moving between inside and outside interfaces can be translated. You must specify at least
one inside interface and outside interface for each border router where you intend to use NAT.
NAT translations logging can be enabled or disabled with the ip nat log translations syslog command.
Examples The following example translates between inside hosts addressed from either the 192.168.1.0 or
192.168.2.0 network to the globally unique 171.69.233.208/28 network:
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
Syntax Description list access-list-number Standard IP access list number. Packets with destination addresses that
pass the access list are translated using global addresses from the named
pool.
list name Name of a standard IP access list. Packets with destination addresses that
pass the access list are translated using global addresses from the named
pool.
pool name Name of the pool from which global IP addresses are allocated during
dynamic translation.
Usage Guidelines This command has two forms: dynamic and static address translation. The form with an access list
establishes dynamic translation. Packets from addresses that match the standard access list are translated
using global addresses allocated from the pool named with the ip nat pool command.
Examples The following example translates between inside hosts addressed to either the 192.168.1.0 or
192.168.2.0 network to the globally unique 171.69.233.208/28 network:
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside destination list 1 pool net-208
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
Static NAT
ip nat inside source {static {local-ip global-ip} [vrf name] [extendable] [no-alias] [no-payload]
[route-map] [redundancy group-name] | {esp local-ip interface type number}}
no ip nat inside source {static {local-ip global-ip} [vrf name] [extendable] [no-alias]
[no-payload] [route-map] [redundancy group-name] | {esp local-ip interface type number}}
ip nat inside source {static {tcp | udp local-ip local-port global-ip global-port} [extendable]
[no-alias] [no-payload]
no ip nat inside source {static {tcp | udp local-ip local-port global-ip global-port} [extendable]
[no-alias] [no-payload]
ip nat inside source {static {network local-network global-network mask} [extendable] [no-alias]
[no-payload]
Syntax Description list access-list-number Number of a standard IP access list. Packets with source addresses that
pass the access list are dynamically translated using global addresses
from the named pool.
list access-list-name Name of a standard IP access list. Packets with source addresses that pass
the access list are dynamically translated using global addresses from the
named pool.
route-map name Specifies the named route map.
interface type Specifies the interface type for the global address.
interface number Specifies the interface number for the global address.
pool name Name of the pool from which global IP addresses are allocated
dynamically.
mapping-id map-name (Optional) Specifies whether the local Stateful NAT Translation (SNAT)
router will distribute a particular set of locally created entries to a peer
SNAT router.
vrf name (Optional) Associates the NAT translation rule with a particular VPN
routing and forwarding (VRF) instance.
overload (Optional) Enables the router to use one global address for many local
addresses. When overloading is configured, the TCP or User Datagram
Protocol (UDP) port number of each inside host distinguishes between
the multiple conversations using the same local IP address.
static local-ip Sets up a single static translation. The local-ip argument establishes the
local IP address assigned to a host on the inside network. The address
could be randomly chosen, allocated from RFC 1918, or obsolete.
local-port Sets the local TCP/UDP port in a range from 1-65535.
static global-ip Sets up a single static translation. The global-ip argument establishes the
globally unique IP address of an inside host as it appears to the outside
world.
global-port Sets the global TCP/UDP port in a range from 1-65535.
extendable (Optional) Extends the translation.
no-alias (Optional) Prohibits an alias from being created for the global address.
no-payload (Optional) Prohibits the translation of an embedded address or port in the
payload.
redundancy group-name (Optional) Establishes NAT redundancy.
esp local-ip Establishes IPSec-ESP (tunnel mode) support.
tcp Establishes the Transmission Control Protocol.
udp Establishes the User Datagram Protocol.
network local-network Specifies the local subnet translation.
global-network Specifies the global subnet translation.
mask Establishes the IP network mask to be used with subnet translations.
Usage Guidelines This command has two forms: dynamic and static address translation. The form with an access list
establishes dynamic translation. Packets from addresses that match the standard access list are translated
using global addresses allocated from the pool named with the ip nat pool command.
Packets that enter the router through the inside interface and packets sourced from the router are checked
against the access list for possible NAT candidates. The access list is used to specify which traffic is to
be translated.
Alternatively, the syntax form with the keyword static establishes a single static translation.
Examples The following example translates between inside hosts addressed from either the 192.168.1.0 or
192.168.2.0 network to the globally unique 171.69.233.208/28 network:
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
The following example translates only traffic local to the provider edge device running NAT (NAT-PE):
ip nat inside source list 1 interface e 0 vrf shop overload
ip nat inside source list 1 interface e 0 vrf bank overload
!
ip route vrf shop 0.0.0.0 0.0.0.0 192.1.1.1
ip route vrf bank 0.0.0.0 0.0.0.0 192.1.1.1
!
access-list 1 permit 10.1.1.0 0.0.0.255
!
ip nat inside source list 1 interface e 1 vrf shop overload
ip nat inside source list 1 interface e 1 vrf bank overload
!
ip route vrf shop 0.0.0.0 0.0.0.0 172.1.1.1 global
ip route vrf bank 0.0.0.0 0.0.0.0 172.1.1.1 global
access-list 1 permit 10.1.1.0 0.0.0.255
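The following added example, which is not part of this reference, simulates the inside-source behaviour the Usage Guidelines describe: packets from the inside interface are checked against a standard access list, matching sources receive a global address from the pool (one per host, dropped when the pool is exhausted, or one shared address distinguished by port when overload is configured), and a static entry takes precedence. The pool and access list values are those of the net-208 example above; the class, its method names and the global port numbering are the example's own.

```python
from ipaddress import IPv4Address
from typing import Dict, List, Optional, Tuple

Acl = List[Tuple[str, str, str]]  # (action, network, wildcard); first match wins


def standard_acl_permits(acl: Acl, addr: str) -> bool:
    """Standard IP access list with IOS wildcard masks (1 bits are 'don't care')
    and the implicit deny at the end."""
    a = int(IPv4Address(addr))
    for action, network, wildcard in acl:
        care = ~int(IPv4Address(wildcard)) & 0xFFFFFFFF
        if a & care == int(IPv4Address(network)) & care:
            return action == "permit"
    return False


class InsideSourceNat:
    """ip nat inside source: static entries first, then access-list-gated dynamic
    allocation from the pool; with overload, one global address shared by port."""

    def __init__(self, pool_start: str, pool_end: str, acl: Acl, overload: bool = False):
        lo, hi = int(IPv4Address(pool_start)), int(IPv4Address(pool_end))
        self.pool = [str(IPv4Address(i)) for i in range(lo, hi + 1)]
        self.acl, self.overload = acl, overload
        self.static: Dict[str, str] = {}     # local-ip -> global-ip
        self.dynamic: Dict[str, str] = {}    # local-ip -> global-ip
        self.port_map: Dict[Tuple[str, int], Tuple[str, int]] = {}
        self.next_global_port = 1024         # example's own numbering

    def add_static(self, local_ip: str, global_ip: str) -> None:
        """ip nat inside source static local-ip global-ip"""
        self.static[local_ip] = global_ip

    def translate(self, src_ip: str, src_port: int) -> Optional[Tuple[str, int]]:
        """Translate the source of a packet leaving through the outside interface.
        Returns the (possibly unchanged) source, or None when the packet is dropped
        because the pool is exhausted."""
        if src_ip in self.static:
            return self.static[src_ip], src_port
        if not standard_acl_permits(self.acl, src_ip):
            return src_ip, src_port  # not a NAT candidate: forwarded untranslated
        if self.overload:
            key = (src_ip, src_port)
            if key not in self.port_map:
                self.port_map[key] = (self.pool[0], self.next_global_port)
                self.next_global_port += 1
            return self.port_map[key]
        if src_ip not in self.dynamic:
            used = set(self.dynamic.values()) | set(self.static.values())
            free = [g for g in self.pool if g not in used]
            if not free:
                return None
            self.dynamic[src_ip] = free[0]
        return self.dynamic[src_ip], src_port
```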
Static NAT
ip nat outside source {static tcp | udp global-ip global-port local-ip local-port} [add-route]
[extendable] [no-alias] [no-payload]
no ip nat outside source {static tcp | udp global-ip global-port local-ip local-port} [add-route]
[extendable] [no-alias] [no-payload]
Syntax Description list access-list-number Number of a standard IP access list. Packets with source addresses that
pass the access list are translated using global addresses from the named
pool.
list access-list-name Name of a standard IP access list. Packets with source addresses that pass
the access list are translated using global addresses from the named pool.
route-map name Specifies a named route map.
pool pool-name Name of the pool from which global IP addresses are allocated.
mapping-id map-name (Optional) Specifies whether the local Stateful NAT Translation (SNAT)
router will distribute a particular set of locally created entries to a peer
SNAT router.
vrf name (Optional) Associates the NAT translation rule with a particular VPN.
add-route (Optional) Adds a static route for the outside local address.
static global-ip Sets up a single static translation. This argument establishes the globally
unique IP address assigned to a host on the outside network by its owner.
It was allocated from globally routable network space.
local-ip Local IP address of an outside host as it appears to the inside world. The
address was allocated from address space routable on the inside (RFC
1918, Address Allocation for Private Internets).
extendable (Optional) Extends the transmission.
no-alias (Optional) Prohibits an alias from being created for the local address.
no-payload (Optional) Prohibits the translation of embedded address or port in the
payload.
redundancy group-name (Optional) Enables the NAT redundancy operation.
tcp Establishes the Transmission Control Protocol.
udp Establishes the User Datagram Protocol.
Defaults No translation of source addresses coming from the outside to the inside network occurs.
Usage Guidelines You might have IP addresses that are not legal, officially assigned IP addresses. Perhaps you chose IP
addresses that officially belong to another network. When the same address is used both by its legitimate
owner and inside your network, the addresses are said to overlap. You can use NAT to translate inside
addresses that overlap with outside addresses.
Use this feature if your IP addresses in the stub network happen to be legitimate IP addresses belonging
to another network, and you need to communicate with those hosts or routers.
This command has two forms: dynamic and static address translation. The form with an access list
establishes dynamic translation. Packets from addresses that match the standard access list are translated
using global addresses allocated from the pool named with the ip nat pool command.
Alternatively, the syntax form with the static keyword establishes a single static translation.
Examples The following example translates between inside hosts addressed from the 9.114.11.0 network to the
globally unique 171.69.233.208/28 network. Further, packets from outside hosts addressed from the
9.114.11.0 network (the true 9.114.11.0 network) are translated to appear to be from the 10.0.1.0/24
network.
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
ip nat inside source list 1 pool net-208
ip nat outside source list 1 pool net-10
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 9.114.11.39 255.255.255.0
ip nat inside
!
access-list 1 permit 9.114.11.0 0.0.0.255
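The dynamic inside-source configuration under ip nat inside source and the overlapping-network configuration just above can be traced with this added Python model; it is an illustration written for this page, not Cisco code, and the class names, the documentation-range destination addresses (198.51.100.x) and the packet sequence are constructed. It applies the standard access list with Cisco wildcard semantics, allocates inside global and outside local addresses from the named pools, and shows what happens when the /28 pool is exhausted.

```python
"""Added model of Cisco dynamic NAT: standard-ACL wildcard matching and pool allocation."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


def _u32(addr: str) -> int:
    return int(ipaddress.IPv4Address(addr))


def wildcard_match(addr: str, network: str, wildcard: str) -> bool:
    """Cisco access-list semantics: a 1 bit in the wildcard means 'do not care'."""
    care = ~_u32(wildcard) & 0xFFFFFFFF
    return (_u32(addr) & care) == (_u32(network) & care)


@dataclass
class StandardAcl:
    """Numbered standard IP access list; first matching entry wins, implicit deny at the end."""
    entries: List[Tuple[bool, str, str]] = field(default_factory=list)

    def permit(self, network: str, wildcard: str = "0.0.0.0") -> None:
        self.entries.append((True, network, wildcard))

    def deny(self, network: str, wildcard: str = "0.0.0.0") -> None:
        self.entries.append((False, network, wildcard))

    def permits(self, addr: str) -> bool:
        for allow, net, wc in self.entries:
            if wildcard_match(addr, net, wc):
                return allow
        return False


@dataclass
class NatPool:
    """Equivalent of 'ip nat pool name start-ip end-ip prefix-length n' (constructed model)."""
    name: str
    start: str
    end: str
    prefix_length: int
    in_use: Set[str] = field(default_factory=set)

    def allocate(self) -> Optional[str]:
        for n in range(_u32(self.start), _u32(self.end) + 1):
            candidate = str(ipaddress.IPv4Address(n))
            if candidate not in self.in_use:
                self.in_use.add(candidate)
                return candidate
        return None  # pool exhausted: no new translation can be created


class Nat:
    def __init__(self) -> None:
        self.inside_rules: List[Tuple[StandardAcl, NatPool]] = []   # ip nat inside source list ...
        self.outside_rules: List[Tuple[StandardAcl, NatPool]] = []  # ip nat outside source list ...
        self.inside_map: Dict[str, str] = {}   # inside local   -> inside global
        self.outside_map: Dict[str, str] = {}  # outside global -> outside local

    def _source(self, table: Dict[str, str], rules, addr: str) -> Optional[str]:
        if addr in table:
            return table[addr]
        for acl, pool in rules:
            if acl.permits(addr):       # the packet is a NAT candidate
                alloc = pool.allocate()
                if alloc is not None:
                    table[addr] = alloc
                return alloc            # None means the pool ran out
        return addr                     # not a candidate: forwarded untranslated

    def inside_to_outside(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Packet from the 'ip nat inside' interface heading out: (src, dst) after NAT, or None if dropped."""
        new_src = self._source(self.inside_map, self.inside_rules, src)
        if new_src is None:
            return None
        outside_global = {v: k for k, v in self.outside_map.items()}
        return new_src, outside_global.get(dst, dst)

    def outside_to_inside(self, src: str, dst: str) -> Optional[Tuple[str, str]]:
        """Packet from the 'ip nat outside' interface heading in: (src, dst) after NAT, or None if dropped."""
        new_src = self._source(self.outside_map, self.outside_rules, src)
        if new_src is None:
            return None
        inside_local = {v: k for k, v in self.inside_map.items()}
        return new_src, inside_local.get(dst, dst)


def build_overlapping_example() -> Nat:
    """The ip nat outside source example from the reference: 9.114.11.0/24 on both sides."""
    acl1 = StandardAcl()
    acl1.permit("9.114.11.0", "0.0.0.255")        # access-list 1 permit 9.114.11.0 0.0.0.255
    net_208 = NatPool("net-208", "171.69.233.208", "171.69.233.223", 28)
    net_10 = NatPool("net-10", "10.0.1.0", "10.0.1.255", 24)
    nat = Nat()
    nat.inside_rules.append((acl1, net_208))      # ip nat inside source list 1 pool net-208
    nat.outside_rules.append((acl1, net_10))      # ip nat outside source list 1 pool net-10
    return nat
```

A reply from the true 9.114.11.39 on the outside arrives inside with source 10.0.1.0, so inside hosts never see the overlapping address; once the 16 addresses of net-208 are taken, further inside hosts get no translation at all, which is why the pool size must cover the expected host count.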
The following example shows NAT configured on the Provider Edge (PE) router with a static
route to the shared service for the gold and silver Virtual Private Networks (VPNs). NAT
is configured as inside source static 1-to-1 translations.
ip nat pool
To define a pool of IP addresses for Network Address Translation (NAT), use the ip nat pool command
in global configuration mode. To remove one or more addresses from the pool, use the no form of this
command.
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]
no ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]
Usage Guidelines This command defines a pool of addresses using start address, end address, and either netmask or prefix
length. The pool could define either an inside global pool, an outside local pool, or a rotary pool.
Examples The following example translates between inside hosts addressed from either the 192.168.1.0 or
192.168.2.0 network to the globally unique 171.69.233.208/28 network:
ip nat pool net-208 171.69.233.208 171.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
ip address 171.69.232.182 255.255.255.240
ip nat outside
!
interface ethernet 1
ip address 192.168.1.94 255.255.255.0
ip nat inside
!
access-list 1 permit 192.168.1.0 0.0.0.255
access-list 1 permit 192.168.2.0 0.0.0.255
ip nat service
To specify a port other than the default port, use the ip nat service command in global configuration
mode. To disable the port, use the no form of this command.
Defaults Disabled
Usage Guidelines A host with an FTP server using a port other than the default port can have an FTP client using the default
FTP control port. When a port other than the default port is configured for an FTP server, Network
Address Translation (NAT) prevents FTP control sessions that are using port 21 for that particular server.
If an FTP server uses the default port and a port other than the default port, both ports need to be
configured using the ip nat service command.
NAT listens on the default port of the Cisco CallManager to translate the skinny messages. If the
CallManager uses a port other than the default port, that port needs to be configured using the ip nat
service command.
The following example configures the standard FTP port 21 and the nonstandard port 2021:
ip nat service list 10 ftp tcp port 21
ip nat service list 10 ftp tcp port 2021
access-list 10 permit 10.1.1.1
The following example configures TCP port 500 of the third-party concentrator:
ip nat service list 10 IKE preserve-port
ip nat stateful id
To designate the members of a translation group, use the ip nat stateful id command in global
configuration mode.
Syntax Description id-number Unique number given to each router in the stateful translation
group.
redundancy name Establishes Hot Standby Routing Protocol (HSRP) as the method
of redundancy.
primary ip-address-primary Manually establishes redundancy for the primary router.
backup ip-address-backup Manually establishes redundancy for the backup router.
peer ip-address-peer Specifies the IP address of the peer router in the translation group.
mapping-id map-number Specifies whether the local Stateful NAT Translation (SNAT)
router will distribute a particular set of locally created entries to
a peer SNAT router.
Usage Guidelines This command has two forms: HSRP stateful NAT translation and manual stateful NAT translation. The
form that uses the keyword redundancy establishes the HSRP redundancy method. When HSRP mode
is set, the primary and backup NAT routers are elected according to the HSRP standby state. To enable
stateful NAT manually, configure the primary router and backup router.
Examples The following example defines a mapping list that specifies which entries will be forwarded to peers in
the group:
Router# ip nat stateful id 1
redundancy SNATHSRP
mapping-id 10
mapping-id 11
ip nat translation
To change the amount of time after which Network Address Translation (NAT) translations time out, use
the ip nat translation command in global configuration mode. To disable the timeout, use the no form
of this command.
Syntax Description max-entries number (Optional) Specifies the maximum number (1-2147483647) of NAT
entries. Default is unlimited.
timeout Specifies that the timeout value applies to dynamic translations except for
overload translations. Default is 86400 seconds (24 hours).
udp-timeout Specifies that the timeout value applies to the User Datagram Protocol
(UDP) port. Default is 300 seconds (5 minutes).
dns-timeout Specifies that the timeout value applies to connections to the Domain
Naming System (DNS). Default is 60 seconds.
tcp-timeout Specifies that the timeout value applies to the TCP port. Default is
86400 seconds (24 hours).
finrst-timeout Specifies that the timeout value applies to Finish and Reset TCP packets,
which terminate a connection. Default is 60 seconds.
icmp-timeout Specifies the timeout value for Internet Control Message Protocol (ICMP)
flows. Default is 60 seconds.
pptp-timeout Specifies the timeout value for NAT Point-to-Point Tunneling Protocol
(PPTP) flows. Default is 86400 seconds (24 hours).
syn-timeout Specifies the timeout value for TCP flows immediately after a
synchronize (SYN) message, before the connection is established. The
default is 60 seconds.
port-timeout Specifies that the timeout value applies to the TCP/UDP port.
seconds Number of seconds after which the specified port translation times out.
The default is 0.
never Specifies that the port translation never times out.
Usage Guidelines When port translation is configured, there is finer control over translation entry timeouts because each
entry contains more context about the traffic that is using it. Non-DNS UDP translations time out after
5 minutes, while DNS times out in 1 minute. TCP translations time out in 24 hours, unless an RST or FIN
is seen on the stream, in which case they will time out in 1 minute.
Examples The following example causes UDP port translation entries to time out after 10 minutes:
ip nat translation udp-timeout 600
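To see how the timers in the table above interact for a single flow, this added Python model ages translation entries with the listed defaults and honours max-entries; it is an illustration written for this page, not Cisco code, and the flow keys, state names and port numbers are constructed.

```python
"""Added model of NAT translation-entry aging with the ip nat translation defaults."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional, Tuple

# Default timeouts (seconds) from the ip nat translation syntax description.
DEFAULT_TIMEOUTS = {
    "udp-timeout": 300, "dns-timeout": 60, "tcp-timeout": 86400,
    "finrst-timeout": 60, "icmp-timeout": 60, "syn-timeout": 60,
    "pptp-timeout": 86400,
}

FlowKey = Tuple[str, int, str, int]   # inside local IP, port, outside IP, port (constructed)


@dataclass
class Translation:
    proto: str          # "tcp", "udp" or "icmp"
    dst_port: int
    state: str          # tcp: "syn" -> "established" -> "closing"; others: "open"
    last_seen: float


class TranslationTable:
    def __init__(self, max_entries: Optional[int] = None,
                 overrides: Optional[Dict[str, int]] = None) -> None:
        self.timeouts = {**DEFAULT_TIMEOUTS, **(overrides or {})}
        self.max_entries = max_entries      # ip nat translation max-entries
        self.entries: Dict[FlowKey, Translation] = {}

    def timeout_for(self, t: Translation) -> int:
        """Pick the timer that applies to the entry in its current state."""
        if t.proto == "tcp":
            if t.state == "syn":
                return self.timeouts["syn-timeout"]
            if t.state == "closing":
                return self.timeouts["finrst-timeout"]
            if t.dst_port == 1723:           # PPTP control connection
                return self.timeouts["pptp-timeout"]
            return self.timeouts["tcp-timeout"]
        if t.proto == "udp":
            return self.timeouts["dns-timeout" if t.dst_port == 53 else "udp-timeout"]
        return self.timeouts["icmp-timeout"]

    def expire(self, now: float) -> int:
        """Remove entries idle for at least their timeout; returns how many were aged out."""
        dead = [k for k, t in self.entries.items() if now - t.last_seen >= self.timeout_for(t)]
        for k in dead:
            del self.entries[k]
        return len(dead)

    def packet(self, now: float, key: FlowKey, proto: str,
               flags: FrozenSet[str] = frozenset()) -> bool:
        """Account a packet to its translation; False if a new entry is refused by max-entries."""
        self.expire(now)
        t = self.entries.get(key)
        if t is None:
            if self.max_entries is not None and len(self.entries) >= self.max_entries:
                return False
            t = Translation(proto, key[3], "syn" if proto == "tcp" else "open", now)
            self.entries[key] = t
        t.last_seen = now
        if proto == "tcp":
            if flags & {"FIN", "RST"}:
                t.state = "closing"                 # finrst-timeout now applies
            elif "ACK" in flags and t.state == "syn":
                t.state = "established"             # handshake done: tcp-timeout applies
        return True
```

A half-open TCP entry is dropped after 60 seconds while an established one is kept for a day, so a burst of unanswered SYNs consumes table space only briefly, whereas established sessions count against max-entries until they close or idle out.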
ip netmask-format
To specify the format in which netmasks are displayed in show command output, use the
ip netmask-format command in line configuration mode. To restore the default display format, use the
no form of this command.
Syntax Description bitcount Addresses are followed by a slash and the total number of bits in the netmask.
For example, 131.108.11.0/24 indicates that the netmask is 24 bits.
decimal Network masks are displayed in dotted-decimal notation (for example,
255.255.255.0).
hexadecimal Network masks are displayed in hexadecimal format, as indicated by the
leading 0X (for example, 0XFFFFFF00).
Usage Guidelines IP uses a 32-bit mask that indicates which address bits belong to the network and subnetwork fields, and
which bits belong to the host field. This is called a netmask. By default, show commands display an IP
address and then its netmask in dotted decimal notation. For example, a subnet would be displayed as
131.108.11.0 255.255.255.0.
However, you can specify that the display of the network mask appear in hexadecimal format or bit count
format instead. The hexadecimal format is commonly used on UNIX systems. The previous example
would be displayed as 131.108.11.0 0XFFFFFF00.
The bitcount format for displaying network masks is to append a slash (/) and the total number of bits in
the netmask to the address itself. The previous example would be displayed as 131.108.11.0/24.
Examples The following example configures network masks for the specified line to be displayed in bitcount
notation in the output of show commands:
line vty 0 4
ip netmask-format bitcount
ip nhrp authentication
To configure the authentication string for an interface using the Next Hop Resolution Protocol (NHRP),
use the ip nhrp authentication command in interface configuration mode. To remove the authentication
string, use the no form of this command.
Syntax Description string Authentication string configured for the source and destination
stations that controls whether NHRP stations allow
intercommunication. The string can be up to eight characters long.
Defaults No authentication string is configured; the Cisco IOS software adds no authentication option to NHRP
packets it generates.
Usage Guidelines All routers configured with NHRP within one logical NBMA network must share the same
authentication string.
Examples In the following example, the authentication string named specialxx must be configured in all devices
using NHRP on the interface before NHRP communication occurs:
ip nhrp authentication specialxx
ip nhrp holdtime
To change the number of seconds that Next Hop Resolution Protocol (NHRP) nonbroadcast multiaccess
(NBMA) addresses are advertised as valid in authoritative NHRP responses, use the ip nhrp holdtime
command in interface configuration mode. To restore the default value, use the no form of this command.
Syntax Description seconds Time in seconds that NBMA addresses are advertised as valid in
positive authoritative NHRP responses.
Usage Guidelines The ip nhrp holdtime command affects authoritative responses only. The advertised holding time is the
length of time the Cisco IOS software tells other routers to keep information that it is providing in
authoritative NHRP responses. The cached IP-to-NBMA address mapping entries are discarded after the
holding time expires.
The NHRP cache can contain static and dynamic entries. The static entries never expire. Dynamic entries
expire regardless of whether they are authoritative or nonauthoritative.
Examples In the following example, NHRP NBMA addresses are advertised as valid in positive authoritative
NHRP responses for 1 hour:
ip nhrp holdtime 3600
ip nhrp interest
To control which IP packets can trigger sending a Next Hop Resolution Protocol (NHRP) request packet,
use the ip nhrp interest command in interface configuration mode. To restore the default value, use the
no form of this command.
Syntax Description access-list-number Standard or extended IP access list number in the range from
1 to 199.
Usage Guidelines Use this command with the access-list command to control which IP packets trigger NHRP requests.
The ip nhrp interest command controls which packets cause NHRP address resolution to take place; the
ip nhrp use command controls how readily the system attempts such address resolution.
Examples In the following example, any TCP traffic can cause NHRP requests to be sent, but no other IP packets
will cause NHRP requests:
ip nhrp interest 101
access-list 101 permit tcp any any
Syntax Description nbma-address NBMA address that is directly reachable through the NBMA
network. The address format varies depending on the medium you are
using.
Defaults No NBMA addresses are configured as destinations for broadcast or multicast packets.
Examples In the following example, if a packet is sent to 10.255.255.255, it is replicated to destinations 11.0.0.1
and 11.0.0.2. Addresses 11.0.0.1 and 11.0.0.2 are the IP addresses of two other routers that are part of
the tunnel network, but those addresses are their addresses in the underlying network, not the tunnel
network. They would have tunnel addresses that are in network 10.0.0.0.
interface tunnel 0
ip address 10.0.0.3 255.0.0.0
ip nhrp map multicast 11.0.0.1
ip nhrp map multicast 11.0.0.2
Usage Guidelines Use this command when spoke routers need to initiate multipoint generic routing encapsulation (GRE)
and IP Security (IPSec) tunnels and register their unicast NHRP mappings. This command is needed to
enable dynamic routing protocols to work over the multipoint GRE and IPSec tunnels because IGP
routing protocols use multicast packets. This command prevents the hub router from needing a separate
configuration line for a multicast mapping for each spoke router.
Examples The following example shows how to enable the ip nhrp map multicast dynamic command on the hub
router:
crypto ipsec profile vpnprof
set transform-set trans2
!
interface Tunnel0
bandwidth 1000
ip address 10.0.0.1 255.255.255.0
ip mtu 1436
ip nhrp authentication test
ip nhrp map multicast dynamic
ip nhrp network-id 100000
ip nhrp holdtime 600
no ip split-horizon eigrp 1
delay 1000
tunnel source Ethernet0
tunnel mode gre multipoint
tunnel key 100000
tunnel protection ipsec profile vpnprof
!
interface Ethernet0
ip address 172.17.0.1 255.255.255.0
ip nhrp map
To statically configure the IP-to-nonbroadcast multiaccess (NBMA) address mapping of IP destinations
connected to an NBMA network, use the ip nhrp map interface configuration command. To remove the
static entry from the Next Hop Resolution Protocol (NHRP) cache, use the no form of this command.
Syntax Description ip-address IP address of the destinations reachable through the NBMA network.
This address is mapped to the NBMA address.
nbma-address NBMA address that is directly reachable through the NBMA
network. The address format varies depending on the medium you are
using. For example, ATM has a Network Service Access Point
(NSAP) address, Ethernet has a MAC address, and Switched
Multimegabit Data Service (SMDS) has an E.164 address. This
address is mapped to the IP address.
Usage Guidelines You will probably need to configure at least one static mapping in order to reach the Next Hop Server.
Repeat this command to statically configure multiple IP-to-NBMA address mappings.
Examples In the following example, this station in a multipoint tunnel network is statically configured to be served
by two Next Hop Servers 100.0.0.1 and 100.0.1.3. The NBMA address for 100.0.0.1 is statically
configured to be 11.0.0.1 and the NBMA address for 100.0.1.3 is 12.2.7.8.
interface tunnel 0
ip nhrp nhs 100.0.0.1
ip nhrp nhs 100.0.1.3
ip nhrp map 100.0.0.1 11.0.0.1
ip nhrp map 100.0.1.3 12.2.7.8
ip nhrp max-send
To change the maximum frequency at which Next Hop Resolution Protocol (NHRP) packets can be sent,
use the ip nhrp max-send interface configuration command. To restore this frequency to the default
value, use the no form of this command.
no ip nhrp max-send
Syntax Description pkt-count Number of packets that can be sent in the range from 1 to 65535. Default is
5 packets.
every interval Time (in seconds) in the range from 10 to 65535. Default is 10 seconds.
Usage Guidelines The software maintains a per-interface quota of NHRP packets that can be sent. NHRP traffic, whether
locally generated or forwarded, cannot be sent at a rate that exceeds this quota. The quota is replenished
at the rate specified by the interval value.
Examples In the following example, only one NHRP packet can be sent from serial interface 0 each minute:
interface serial 0
ip nhrp max-send 1 every 60
ip nhrp network-id
To enable the Next Hop Resolution Protocol (NHRP) on an interface, use the ip nhrp network-id
command in interface configuration mode. To disable NHRP on the interface, use the no form of this
command.
Syntax Description number Globally unique, 32-bit network identifier from a nonbroadcast
multiaccess (NBMA) network. The range is from 1 to 4294967295.
Usage Guidelines In general, all NHRP stations within one logical NBMA network must be configured with the same
network identifier.
ip nhrp nhs
To specify the address of one or more Next Hop Resolution Protocol (NHRP) servers, use the
ip nhrp nhs command in interface configuration mode. To remove the address, use the no form of this
command.
Syntax Description nhs-address Address of the Next Hop Server being specified.
net-address (Optional) IP address of a network served by the Next Hop Server.
netmask (Optional) IP network mask to be associated with the net IP address. The
net IP address is logically ANDed with the mask.
Defaults No Next Hop Servers are explicitly configured, so normal network layer routing decisions are used to
forward NHRP traffic.
Usage Guidelines Use this command to specify the address of a Next Hop Server and the networks it serves. Normally,
NHRP consults the network layer forwarding table to determine how to forward NHRP packets. When
Next Hop Servers are configured, these next hop addresses override the forwarding path that would
otherwise be used for NHRP traffic.
For any Next Hop Server that is configured, you can specify multiple networks that it serves by repeating
this command with the same nhs-address argument, but with different net-address IP network addresses.
Examples In the following example, the Next Hop Server with address 131.108.10.11 serves IP network 10.0.0.0.
The mask is 255.0.0.0.
ip nhrp nhs 131.108.10.11 10.0.0.0 255.0.0.0
ip nhrp record
To reenable the use of forward record and reverse record options in Next Hop Resolution Protocol
(NHRP) request and reply packets, use the ip nhrp record interface configuration command. To
suppress the use of such options, use the no form of this command.
ip nhrp record
no ip nhrp record
Defaults Forward record and reverse record options are used in NHRP request and reply packets.
Usage Guidelines Forward record and reverse record options provide loop detection and are enabled by default. Using the
no form of this command disables this method of loop detection. For another method of loop detection,
see the ip nhrp responder command.
Examples The following example suppresses forward record and reverse record options:
no ip nhrp record
ip nhrp responder
To designate the interface whose primary IP address the Next Hop Server will use in Next Hop
Resolution Protocol (NHRP) reply packets when the NHRP requestor uses the Responder Address
option, use the ip nhrp responder command in interface configuration mode. To remove the
designation, use the no form of this command.
Syntax Description type Interface type whose primary IP address is used when a Next Hop Server
complies with a Responder Address option (for example, serial or tunnel).
number Interface number whose primary IP address is used when a Next Hop Server
complies with a Responder Address option.
Defaults The Next Hop Server uses the IP address of the interface where the NHRP request was received.
Usage Guidelines If an NHRP requestor wants to know which Next Hop Server generates an NHRP reply packet, it can
request that information through the Responder Address option. The Next Hop Server that generates the
NHRP reply packet then complies by inserting its own IP address in the Responder Address option of
the NHRP reply. The Next Hop Server uses the primary IP address of the specified interface.
If an NHRP reply packet being forwarded by a Next Hop Server contains the IP address of that Next Hop
Server, the Next Hop Server generates an Error Indication of type “NHRP Loop Detected” and discards
the reply packet.
Examples In the following example, any NHRP requests for the Responder Address will cause this router acting as
a Next Hop Server to supply the primary IP address of serial interface 0 in the NHRP reply packet:
ip nhrp responder serial 0
ip nhrp server-only
To configure the interface to operate in Next Hop Resolution Protocol (NHRP) server-only mode, use
the ip nhrp server-only command in interface configuration mode. To disable this feature, use the no
form of this command.
no ip nhrp server-only
Syntax Description non-caching (Optional) The router will not cache NHRP information received on this
interface.
Defaults Disabled
Usage Guidelines When the interface is operating in NHRP server-only mode, the interface does not originate NHRP
requests or set up an NHRP shortcut Switched Virtual Circuit (SVC).
Examples The following example configures the interface to operate in server-only mode:
ip nhrp server-only
ip nhrp trigger-svc
To configure when the Next Hop Resolution Protocol (NHRP) will set up and tear down a switched
virtual circuit (SVC) based on aggregate traffic rates, use the ip nhrp trigger-svc command in interface
configuration mode. To restore the default thresholds, use the no form of this command.
no ip nhrp trigger-svc
Syntax Description trigger-threshold Average traffic rate calculated during the load interval, at or above which
NHRP will set up an SVC for a destination. The default value is 1 kbps.
teardown-threshold Average traffic rate calculated during the load interval, at or below which NHRP
will tear down the SVC to the destination. The default value is 0 kbps.
Usage Guidelines The two thresholds are measured during a sampling interval of 30 seconds, by default. To change that
interval, use the load-interval seconds argument of the ip cef traffic-statistics command.
Examples In the following example, the triggering and teardown thresholds are set to 100 kbps and 5 kbps,
respectively:
ip nhrp trigger-svc 100 5
ip nhrp use
To configure the software so that Next Hop Resolution Protocol (NHRP) is deferred until the system has
attempted to send data traffic to a particular destination multiple times, use the ip nhrp use command
in interface configuration mode. To restore the default value, use the no form of this command.
Syntax Description usage-count Packet count in the range from 1 to 65535. Default is 1.
Defaults usage-count: 1. The first time a data packet is sent to a destination for which the system determines
NHRP can be used, an NHRP request is sent.
Usage Guidelines When the software attempts to send a data packet to a destination for which it has determined that NHRP
address resolution can be used, an NHRP request for that destination is normally sent immediately.
Configuring the usage-count argument causes the system to wait until that many data packets have been
sent to a particular destination before it attempts NHRP. The usage-count argument for a particular
destination is measured over 1-minute intervals (the NHRP cache expiration interval).
The usage count applies per destination. So if the usage-count argument is configured to be 3, and four
data packets are sent toward 10.0.0.1 and one packet toward 10.0.0.2, then an NHRP request is generated
for 10.0.0.1 only.
If the system continues to need to forward data packets to a particular destination, but no NHRP response
has been received, retransmission of NHRP requests is performed. This retransmission occurs only if
data traffic continues to be sent to a destination.
The ip nhrp interest command controls which packets cause NHRP address resolution to take place; the
ip nhrp use command controls how readily the system attempts such address resolution.
Examples In the following example, if in the first minute five packets are sent to the first destination and five
packets are sent to a second destination, then a single NHRP request is generated for the second
destination.
If in the second minute the same traffic is generated and no NHRP responses have been received, then
the system resends its request for the second destination.
ip nhrp use 5
ip proxy-arp
To enable proxy Address Resolution Protocol (ARP) on an interface, use the ip proxy-arp command in
interface configuration mode. To disable proxy ARP on the interface, use the no form of this command.
ip proxy-arp
no ip proxy-arp
Defaults Enabled
ip redirects
To enable the sending of Internet Control Message Protocol (ICMP) redirect messages if the Cisco IOS
software is forced to resend a packet through the same interface on which it was received, use the ip
redirects command in interface configuration mode. To disable the sending of redirect messages, use
the no form of this command.
ip redirects
no ip redirects
Defaults Enabled
Usage Guidelines Previously, if the Hot Standby Router Protocol (HSRP) was configured on an interface, ICMP redirect
messages were disabled by default for the interface. With Cisco IOS Release 12.1(3)T, ICMP redirect
messages are enabled by default if HSRP is configured.
Examples The following example enables the sending of ICMP redirect messages on Ethernet interface 0:
interface ethernet 0
ip redirects
ip routing
To enable IP routing, use the ip routing command in global configuration mode. To disable IP routing,
use the no form of this command.
ip routing
no ip routing
Defaults Enabled
Usage Guidelines To bridge IP, the no ip routing command must be configured to disable IP routing. However, you need
not specify no ip routing in conjunction with concurrent routing and bridging to bridge IP.
The ip routing command is disabled on the Cisco VG200 voice over IP gateway.
ip slb dfp
To configure the Dynamic Feedback Protocol (DFP) and supply an optional password, use the ip slb dfp
command in global configuration mode. To remove the DFP configuration, use the no form of this
command.
no ip slb dfp
Usage Guidelines The optional password, if configured, must match the password configured on the host agent.
The timeout option allows you to change the password without stopping messages between the DFP
agent and its manager. The default value is 180 seconds.
During the timeout, the agent sends packets with the old password (or null, if there is no old password),
and receives packets with either the old or new password. After the timeout expires, the agent sends and
receives packets only with the new password; received packets that use the old password are discarded.
If you are changing the password for an entire load-balanced environment, set a longer timeout. This
setting allows enough time for you to update the password on all agents and servers before the timeout
expires. It also prevents mismatches between the agents and servers that have already started using the
new password and those on which you have not yet changed the old password.
Examples The following example configures DFP, sets the password to flounder, configures a timeout period of 60
seconds, and changes to DFP configuration mode:
ip slb dfp flounder 60
ip slb serverfarm
To identify a server farm and enter SLB server farm configuration mode, use the ip slb serverfarm
command in global configuration mode. To remove the server farm from the IOS SLB configuration, use
the no form of this command.
Syntax Description serverfarm-name Character string used to identify the server farm. The character string
is limited to 15 characters.
ip slb vserver
To identify a virtual server and enter SLB virtual server configuration mode, use the ip slb vserver
command in global configuration mode. To remove a virtual server from the IOS SLB configuration, use
the no form of this command.
Syntax Description virtserver-name Character string used to identify the virtual server. The character
string is limited to 15 characters.
ip source-route
To allow the Cisco IOS software to handle IP datagrams with source routing header options, use the ip
source-route command in global configuration mode. To have the software discard any IP datagram
containing a source-route option, use the no form of this command.
ip source-route
no ip source-route
Defaults Enabled
Examples The following example enables the handling of IP datagrams with source routing header options:
ip source-route
ip subnet-zero
To enable the use of subnet 0 for interface addresses and routing updates, use the ip subnet-zero
command in global configuration mode. To restore the default, use the no form of this command.
ip subnet-zero
no ip subnet-zero
Defaults Enabled
Usage Guidelines The ip subnet-zero command provides the ability to configure and route to subnet 0 subnets.
Subnetting with a subnet address of 0 is discouraged because of the confusion inherent in having a
network and a subnet with indistinguishable addresses.
ip tcp chunk-size
To alter the TCP maximum read size for Telnet or rlogin, use the ip tcp chunk-size command in global
configuration mode. To restore the default value, use the no form of this command.
no ip tcp chunk-size
Syntax Description characters Maximum number of characters that Telnet or rlogin can read in one read
instruction. The default value is 0, which Telnet and rlogin interpret as the
largest possible 32-bit positive number.
Defaults 0, which Telnet and rlogin interpret as the largest possible 32-bit positive number.
Usage Guidelines It is unlikely you will need to change the default value.
Examples The following example sets the maximum TCP read size to 64,000 bytes:
ip tcp chunk-size 64000
ip tcp compression-connections
To specify the total number of TCP header compression connections that can exist on an interface, use
the ip tcp compression-connections command in interface configuration mode. To restore the default,
use the no form of this command.
Syntax Description number Number of TCP header compression connections the cache supports, in the
range from 3 to 1000. The default is 32 connections (16 calls).
Usage Guidelines You should configure one connection for each TCP connection through the specified interface.
Each connection sets up a compression cache entry, so you are in effect specifying the maximum number
of cache entries and the size of the cache. Too few cache entries for the specified interface can lead to
degraded performance, and too many cache entries can lead to wasted memory.
Note Both ends of the serial connection must use the same number of cache entries.
Examples The following example sets the first serial interface for header compression with a maximum of ten
cache entries:
interface serial 0
ip tcp header-compression
ip tcp compression-connections 10
Command Description
ip tcp header-compression Enables TCP header compression.
show ip rtp header-compression Displays RTP header compression statistics.
ip tcp header-compression
To enable TCP header compression, use the ip tcp header-compression command in interface
configuration mode. To disable compression, use the no form of this command.
Syntax Description passive (Optional) Compresses outgoing TCP packets only if incoming TCP packets
on the same interface are compressed. If you do not specify the passive
keyword, the Cisco IOS software compresses all traffic.
Defaults Disabled
Usage Guidelines You can compress the headers of your TCP/IP packets in order to reduce the size of your packets. TCP
header compression is supported on serial lines using Frame Relay, HDLC, or PPP encapsulation. You
must enable compression on both ends of a serial connection. RFC 1144 specifies the compression
process. Compressing the TCP header can speed up Telnet connections dramatically. In general, TCP
header compression is advantageous when your traffic consists of many small packets, not for traffic that
consists of large packets. Transaction processing (usually using terminals) tends to use small packets and
file transfers use large packets. This feature only compresses the TCP header, so it has no effect on UDP
packets or other protocol headers.
When compression is enabled, fast switching is disabled. This condition means that fast interfaces like
T1 can overload the router. Consider the traffic characteristics of your network before using this
command.
Examples The following example sets the first serial interface for header compression with a maximum of ten
cache entries:
interface serial 0
ip tcp header-compression
ip tcp compression-connections 10
ip tcp path-mtu-discovery
To enable the Path MTU Discovery feature for all new TCP connections from the router, use the ip tcp
path-mtu-discovery command in global configuration mode. To disable the function, use the no form
of this command.
Syntax Description age-timer minutes (Optional) Time interval (in minutes) after which TCP re-estimates the path
MTU with a larger maximum segment size (MSS). The maximum is
30 minutes; the default is 10 minutes.
age-timer infinite (Optional) Turns off the age timer.
Usage Guidelines Path MTU Discovery is a method for maximizing the use of available bandwidth in the network between
the endpoints of a TCP connection. It is described in RFC 1191. Existing connections are not affected
when this feature is turned on or off.
Customers using TCP connections to move bulk data between systems on distinct subnets would benefit
most by enabling this feature.
The age timer is a time interval for how often TCP re-estimates the path MTU with a larger MSS. When
the age timer is used, TCP path MTU becomes a dynamic process. If the MSS used for the connection
is smaller than what the peer connection can handle, a larger MSS is tried every time the age timer
expires. The discovery process is stopped when either the send MSS is as large as the peer negotiated,
or the user has disabled the timer on the router. You can turn off the age timer by setting it to infinite.
ip tcp queuemax
To alter the maximum TCP outgoing queue per connection, use the ip tcp queuemax command in global
configuration mode. To restore the default value, use the no form of this command.
ip tcp queuemax packets
no ip tcp queuemax
Syntax Description packets Outgoing queue size of TCP packets. The default value is 5 segments if the
connection has a TTY associated with it. If no TTY is associated with it, the
default value is 20 segments.
Defaults The default value is 5 segments if the connection has a TTY associated with it. If no TTY is associated
with it, the default value is 20 segments.
Usage Guidelines Changing the default value changes the 5 segments, not the 20 segments.
Examples The following example sets the maximum TCP outgoing queue to 10 packets:
ip tcp queuemax 10
ip tcp selective-ack
To enable TCP selective acknowledgment, use the ip tcp selective-ack command in global configuration
mode. To disable TCP selective acknowledgment, use the no form of this command.
ip tcp selective-ack
no ip tcp selective-ack
Defaults Disabled
Usage Guidelines TCP might not experience optimal performance if multiple packets are lost from one window of data.
With the limited information available from cumulative acknowledgments, a TCP sender can learn about
only one lost packet per round-trip time. An aggressive sender could resend packets early, but such
re-sent segments might have already been received.
The TCP selective acknowledgment mechanism helps overcome these limitations. The receiving TCP
returns selective acknowledgment packets to the sender, informing the sender about data that has been
received. The sender can then resend only the missing data segments.
TCP selective acknowledgment improves overall performance. The feature is used only when multiple
packets drop from a single TCP window. There is no performance impact when the feature is enabled
but not used.
This command becomes effective only on new TCP connections opened after the feature is enabled.
This feature must be disabled if you want TCP header compression. You might disable this feature if you
have severe TCP problems.
Refer to RFC 2018 for more detailed information on TCP selective acknowledgment.
Examples The following example enables the router to send and receive TCP selective acknowledgments:
ip tcp selective-ack
ip tcp synwait-time
To set a period of time the Cisco IOS software waits while attempting to establish a TCP connection
before it times out, use the ip tcp synwait-time command in global configuration mode. To restore the
default time, use the no form of this command.
Syntax Description seconds Time (in seconds) the software waits while attempting to establish a TCP
connection. It can be an integer from 5 to 300 seconds. The default is
30 seconds.
Usage Guidelines In versions previous to Cisco IOS software Release 10.0, the system would wait a fixed 30 seconds when
attempting to establish a TCP connection. If your network contains public switched telephone network
(PSTN) dial-on-demand routing (DDR), the call setup time may exceed 30 seconds. This amount of time
is not sufficient in networks that have dialup asynchronous connections because it will affect your ability
to Telnet over the link (from the router) if the link must be brought up. If you have this type of network,
you may want to set this value to the UNIX value of 75.
Because this is a host parameter, it does not pertain to traffic going through the router, just for traffic
originated at this device. Because UNIX has a fixed 75-second timeout, hosts are unlikely to experience
this problem.
Examples The following example configures the Cisco IOS software to continue attempting to establish a TCP
connection for 180 seconds:
ip tcp synwait-time 180
ip tcp timestamp
To enable TCP time stamp, use the ip tcp timestamp command in global configuration mode. To disable
TCP time stamp, use the no form of this command.
ip tcp timestamp
no ip tcp timestamp
Defaults Disabled
Usage Guidelines TCP time stamp improves round-trip time estimates. Refer to RFC 1323 for more detailed information
on TCP time stamp.
The TCP time stamp must be disabled if you want to use TCP header compression.
Examples The following example enables the router to send TCP time stamps:
ip tcp timestamp
ip tcp window-size
To alter the TCP window size, use the ip tcp window-size command in global configuration mode. To
restore the default value, use the no form of this command.
ip tcp window-size bytes
no ip tcp window-size
Syntax Description bytes Window size (in bytes). An integer from 0 to 1,073,741,823. The default value
is 4128 bytes. Window scaling is enabled when the window size is greater than
65,535 bytes.
Defaults The default window size is 4128 bytes when window scaling is not enabled. If only one neighbor is
configured for the window scaling extension, the default window size is 65,535 bytes.
Usage Guidelines Do not use this command unless you clearly understand why you want to change the default value.
To enable window scaling to support Long Fat Networks (LFNs), the TCP window size must be more
than 65,535 bytes. The remote side of the link also needs to be configured to support window scaling. If
both sides are not configured with window scaling, the default maximum value of 65,535 bytes is
applied.
The scale factor is automatically calculated based on the window-size you configure. You cannot directly
configure the scale factor.
Examples The following example sets the TCP window size to 1000 bytes:
ip tcp window-size 1000
ip unnumbered
To enable IP processing on a serial interface without assigning an explicit IP address to the interface, use
the ip unnumbered command in interface configuration mode. To disable the IP processing on the
interface, use the no form of this command.
Syntax Description type number Type and number of another interface on which the router has an
assigned IP address. It cannot be another unnumbered interface.
Defaults Disabled
Usage Guidelines Whenever the unnumbered interface generates a packet (for example, for a routing update), it uses the
address of the specified interface as the source address of the IP packet. It also uses the address of the
specified interface in determining which routing processes are sending updates over the unnumbered
interface. Restrictions include the following:
• Serial interfaces using High Level Data Link Control (HDLC), PPP, Link Access Procedure,
Balanced (LAPB), Frame Relay encapsulations, and Serial Line Internet Protocol (SLIP) and tunnel
interfaces can be unnumbered. It is not possible to use this interface configuration command with
X.25 or Switched Multimegabit Data Service (SMDS) interfaces.
• You cannot use the ping EXEC command to determine whether the interface is up, because the
interface has no address. Simple Network Management Protocol (SNMP) can be used to remotely
monitor interface status.
• You cannot netboot a runnable image over an unnumbered serial interface.
• You cannot support IP security options on an unnumbered interface.
The interface you specify by the type and number arguments must be enabled (listed as “up” in the show
interfaces command display).
If you are configuring Intermediate System-to-Intermediate System (IS-IS) across a serial line, you
should configure the serial interfaces as unnumbered, which allows you to conform with RFC 1195,
which states that IP addresses are not required on each interface.
Note Using an unnumbered serial line between different major networks (or majornets) requires special
care. If at each end of the link there are different majornets assigned to the interfaces you specified
as unnumbered, then any routing protocol running across the serial line must not advertise subnet
information.
Examples In the following example, the first serial interface is given the address of Ethernet 0:
interface ethernet 0
ip address 131.108.6.6 255.255.255.0
!
interface serial 0
ip unnumbered ethernet 0
ip unreachables
To enable the generation of Internet Control Message Protocol (ICMP) unreachable messages, use the
ip unreachables command in interface configuration mode. To disable this function, use the no form of
this command.
ip unreachables
no ip unreachables
Defaults Enabled
Usage Guidelines If the Cisco IOS software receives a nonbroadcast packet destined for itself that uses a protocol it does
not recognize, it sends an ICMP unreachable message to the source.
If the software receives a datagram that it cannot deliver to its ultimate destination because it knows of
no route to the destination address, it replies to the originator of that datagram with an ICMP host
unreachable message.
This command affects all types of ICMP unreachable messages.
Examples The following example enables the generation of ICMP unreachable messages, as appropriate, on an
interface:
interface ethernet 0
ip unreachables
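As an added defender's check tied to the defaults and restrictions stated for ip source-route, ip unnumbered, ip unreachables, and the TCP header-compression conflicts with ip tcp selective-ack and ip tcp timestamp, the following Python script (an added example, not Cisco code) audits a running-config; the sample configuration, interface names and severity labels are constructed, and the script assumes the usual show running-config layout of global commands at column 0 and interface sub-commands indented one space.

```python
"""Audit a Cisco IOS running-config against the defaults and restrictions
documented for ip source-route, ip unreachables, ip unnumbered and the
TCP header-compression conflicts.

Added example, not Cisco code. It assumes the usual show running-config
layout: global commands at column 0, interface sub-commands indented one
space, and '!' lines separating blocks.
"""
import re

# Constructed sample configuration (not captured from a real device).
SAMPLE_CONFIG = """\
!
ip subnet-zero
ip tcp selective-ack
ip tcp synwait-time 180
!
interface Ethernet0
 ip address 131.108.6.6 255.255.255.0
 no ip unreachables
!
interface Serial0
 ip unnumbered Ethernet0
 ip tcp header-compression
 ip tcp compression-connections 10
!
interface Serial1
 ip unnumbered Serial0
!
"""


def _norm(name):
    """'ethernet 0', 'Ethernet0' and 'Ethernet 0' all name the same interface."""
    return name.replace(" ", "").lower()


def parse_config(text):
    """Split a config into (global_lines, {interface: [sub-commands]})."""
    global_lines, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None          # '!' separators close an interface block
            continue
        if line.startswith("interface "):
            current = _norm(line.split(None, 1)[1])
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            interfaces[current].append(line.strip())
        else:
            current = None
            global_lines.append(line)
    return global_lines, interfaces


def audit(text):
    """Return a list of (severity, message) findings."""
    global_lines, interfaces = parse_config(text)
    gset = set(global_lines)
    findings = []

    # ip source-route defaults to enabled: unless the config carries the
    # 'no' form, datagrams with source-route options are processed.
    if "no ip source-route" not in gset:
        findings.append(("warn", "ip source-route enabled (default): "
                                 "source-routed datagrams are handled"))

    # ip tcp selective-ack and ip tcp timestamp must be disabled when
    # TCP header compression is enabled on any interface.
    compressing = sorted(n for n, cmds in interfaces.items()
                         if any(c.startswith("ip tcp header-compression") for c in cmds))
    for feature in ("ip tcp selective-ack", "ip tcp timestamp"):
        if feature in gset and compressing:
            findings.append(("error", f"{feature} conflicts with ip tcp "
                                      f"header-compression on {', '.join(compressing)}"))

    for name, cmds in interfaces.items():
        # ip unreachables defaults to enabled per interface.
        state = "disabled" if "no ip unreachables" in cmds else "enabled (default)"
        findings.append(("info", f"{name}: ICMP unreachables {state}"))

        # ip unnumbered must point at an interface that has an assigned
        # address and that is not itself unnumbered.
        for cmd in cmds:
            m = re.match(r"ip unnumbered (.+)$", cmd)
            if not m:
                continue
            target_name = _norm(m.group(1))
            target = interfaces.get(target_name)
            if target is None:
                findings.append(("error", f"{name}: ip unnumbered points at unknown "
                                          f"interface {target_name}"))
            elif not any(c.startswith("ip address ") for c in target):
                findings.append(("error", f"{name}: ip unnumbered target {target_name} "
                                          f"has no ip address"))

    # ip tcp synwait-time accepts 5 to 300 seconds.
    for line in global_lines:
        m = re.match(r"ip tcp synwait-time (\d+)$", line)
        if m and not 5 <= int(m.group(1)) <= 300:
            findings.append(("error", f"ip tcp synwait-time {m.group(1)} is outside 5-300"))
    return findings


if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```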
ip vrf (tracking)
To configure a VPN routing and forwarding (VRF) table, use the ip vrf command in tracking
configuration mode. To remove a VRF routing table, use the no form of this command.
ip vrf vrf-name
no ip vrf vrf-name
Usage Guidelines This command is available for all IP route tracked objects that are tracked by the track ip route global
configuration command. Use this command to track a route belonging to a specific VPN.
Examples In the following example, the route associated with a VRF named VRF1 will be tracked:
track 1 ip route 10.16.0.0/16 reachability
delay down 30
ip vrf VRF1
ip wccp
To direct a router to enable or disable the support for a cache engine service group, use the ip wccp
command in global configuration mode. To remove the ability of a router to control support for a service
group, use the no form of this command.
Usage Guidelines This configuration command instructs a router to enable or disable the support for the Service Group
specified by the service name given. A service name may be either one of the provided standard keyword
definitions or a number representing a cache engine dynamically defined definition. Once the service is
enabled, the router can participate in the establishment of a Service Group.
Currently the only provided keyword definition to be used as a service name is web-cache. This keyword
is used to describe the existing WCCP version 1 functionality.
When the ip wccp global configuration command is issued, it instructs the router to allocate space and
enable support of the specified WCCP service for participation in a Service Group.
When the no ip wccp global configuration command is issued, it instructs the router to terminate
participation in the Service Group, deallocate space if none of the interfaces still have the service
configured, and terminate the WCCP task if no other services are configured.
Note The ip wccp command has replaced the ip wccp enable, ip wccp redirect-list, and ip wccp
group-list commands from the version 1 implementation of WCCP.
The keywords following the service name are optional and may be specified in any order, but each may
be specified only once. The following sections outline the specific usage of each of the optional forms
of this command.
Note The ip wccp {web-cache | service-number} group-list command syntax resembles the ip wccp
{web-cache | service-number} group-listen command, but these are entirely different commands.
Note that the ip wccp group-listen command is an interface configuration command, used to
configure an interface to listen for multicast notifications from a cache cluster. See the description of
the ip wccp group-listen command in this chapter for more information.
Examples In the following example, a user configures a router to run WCCP reverse proxy service, using the
multicast address of 224.1.1.1:
Router# configure terminal
Router(config)# ip wccp 99 group-address 224.1.1.1
Router(config)# interface ethernet 0
Router(config-if)# ip wccp web-cache group-listen
In the following example, a user configures a router to redirect web-related packets without a destination
of 192.168.196.51 to the cache engine:
Router# configure terminal
Router(config)# access-list 100 deny ip any host 192.168.196.51
Router(config)# access-list 100 permit ip any any
Router(config)# ip wccp redirect-list 100
Router(config)# interface Ethernet 0
Router(config-if)# ip web-cache redirect-list
Router(config-if)# end
Router#
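To show how a redirect list such as access-list 100 above decides which packets are checked, here is an added Python evaluator (not Cisco code) implementing the three source and destination forms that the permit (IP) entry later in this chapter describes: a dotted address with its wildcard (1 bits are ignored), any, and host. The access-list entries and packets below are constructed; the evaluator assumes the dotted form is always followed by its wildcard and that a packet matching no entry is dropped by the implicit deny.

```python
"""Evaluate packets against IOS-style extended access-list entries.

Added example, not Cisco code. Supports the three address forms the
command reference lists: 'A.B.C.D wildcard' (1 bits in the wildcard are
ignored), 'any' (0.0.0.0 255.255.255.255) and 'host A.B.C.D' (A.B.C.D
0.0.0.0). Assumes the dotted form is always written with its wildcard.
"""
import ipaddress

MASK32 = 0xFFFFFFFF


def _addr(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_address_spec(tokens):
    """Consume one address spec; return ((address, wildcard), remaining tokens)."""
    head = tokens[0]
    if head == "any":
        return (0, MASK32), tokens[1:]
    if head == "host":
        return (_addr(tokens[1]), 0), tokens[2:]
    return (_addr(head), _addr(tokens[1])), tokens[2:]


def parse_entry(line):
    """Parse 'permit|deny protocol source wildcard destination wildcard'."""
    tokens = line.split()
    action, protocol = tokens[0], tokens[1]
    if action not in ("permit", "deny"):
        raise ValueError(f"unknown action {action!r}")
    source, rest = parse_address_spec(tokens[2:])
    destination, rest = parse_address_spec(rest)
    return {"action": action, "protocol": protocol,
            "src": source, "dst": destination}


def _wildcard_match(address, wildcard, packet_address):
    # Only the bit positions where the wildcard has 0s are compared.
    return ((address ^ packet_address) & ~wildcard & MASK32) == 0


def matches(entry, packet):
    """True when the entry's protocol, source and destination all match."""
    # The ip keyword matches any Internet protocol, including ICMP, TCP and UDP.
    if entry["protocol"] != "ip" and entry["protocol"] != packet["protocol"]:
        return False
    return (_wildcard_match(*entry["src"], _addr(packet["src"]))
            and _wildcard_match(*entry["dst"], _addr(packet["dst"])))


def evaluate(acl, packet):
    """Return the action of the first matching entry, or 'deny' (implicit deny)."""
    for line in acl:
        entry = parse_entry(line)
        if matches(entry, packet):
            return entry["action"]
    return "deny"


# Constructed lists: the redirect list from the example above, plus one
# wildcard entry covering the 10.10.1.0/24 subnet.
REDIRECT_LIST = [
    "deny ip any host 192.168.196.51",
    "permit ip any any",
]
SUBNET_ACL = [
    "permit tcp 10.10.1.0 0.0.0.255 any",
]


if __name__ == "__main__":
    pkt = {"protocol": "tcp", "src": "10.1.1.1", "dst": "192.168.196.51"}
    print(evaluate(REDIRECT_LIST, pkt))   # deny: excluded from redirection
```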
ip wccp enable
The ip wccp enable command has been replaced by the ip wccp command. See the description of the
ip wccp command in this chapter for more information.
ip wccp redirect exclude in
Usage Guidelines This configuration command instructs the interface to exclude inbound packets from any redirection
check that may occur at the outbound interface. Note that the command is global to all the services and
should be applied to any inbound interface that you wish to exclude from redirection.
This command is intended to be used to accelerate the flow of packets from a cache engine to the internet
as well as allow for the use of the WCCPv2 Packet Return feature.
Examples In the following example, packets arriving on Ethernet interface 0 are excluded from all WCCP
redirection checks:
Router(config)# interface ethernet 0
Router(config-if)# ip wccp redirect exclude in
ip wccp redirect-list
This command is now documented as part of the ip wccp {web-cache | service-number} command. See
the description of the ip wccp command in this book for more information.
ip wccp group-listen
To configure an interface on a router to enable or disable the reception of IP multicast packets for the
Web Cache Communication Protocol (WCCP) feature, use the ip wccp group-listen command in
interface configuration mode. To remove control of the reception of IP multicast packets for the WCCP
feature, use the no form of this command.
Syntax Description web-cache Directs the router to send packets to the web cache service.
service-number The identification number of the cache engine service group being
controlled by a router. The number can be from 0 to 99.
Usage Guidelines On routers that are to be members of a Service Group when IP multicast is used, the following
configuration is required:
• The IP multicast address for use by the WCCP Service Group must be configured.
• The interfaces on which the router is to receive the IP multicast address must be configured with
the ip wccp {web-cache | service-number} group-listen interface configuration command.
Examples In the following example, a user enables the multicast packets for a web cache with a multicast address
of 224.1.1.100:
router# configure terminal
router(config)# ip wccp web-cache group-address 224.1.1.100
router(config)# interface ethernet 0
router(config-if)# ip wccp web-cache group-listen
ip wccp redirect
To enable packet redirection on an outbound or inbound interface using Web Cache Communication
Protocol (WCCP), use the ip wccp service redirect command in interface configuration mode. To
disable WCCP redirection, use the no form of this command.
Syntax Description service Specifies the service group. You can specify the web-cache keyword, or
you can specify the identification number (from 0 to 99) of the service.
redirect Enables packet redirection checking on an outbound or inbound interface.
out Specifies packet redirection on an outbound interface.
in Specifies packet redirection on an inbound interface.
Usage Guidelines The ip wccp service redirect in command allows you to configure WCCP redirection on an interface
receiving inbound network traffic. When the command is applied to an interface, all packets arriving at
that interface will be compared against the criteria defined by the specified WCCP service. If the packets
match the criteria, they will be redirected.
Likewise, the ip wccp service redirect out command allows you to configure the WCCP redirection
check at an outbound interface.
Tips Be careful not to confuse the ip wccp service redirect {out | in} interface configuration command
with the ip wccp redirect exclude in interface configuration command.
Note This command has the potential to affect the ip wccp redirect exclude in command. (These
commands have opposite functions.) If you have ip wccp redirect exclude in set on an interface and
you subsequently configure the ip wccp service redirect in command, the “exclude in” command
will be overridden. The opposite is also true: configuring the “exclude in” command will override the
“redirect in” command.
Examples In the following example, the user configures a session in which reverse proxy packets on Ethernet
interface 0 are being checked for redirection and redirected to a Cisco Cache Engine:
Router# configure terminal
Router(config)# ip wccp 99
Router(config)# interface ethernet 0
Router(config-if)# ip wccp 99 redirect ?
in Redirect to a Cache Engine appropriate inbound packets
out Redirect to a Cache Engine appropriate outbound packets
Router(config-if)# ip wccp 99 redirect out
In the following example, the user configures a session in which HTTP traffic arriving on Ethernet
interface 0/1 will be redirected to a Cisco Cache Engine:
Router# configure terminal
Router(config)# ip wccp web-cache
Router(config)# interface ethernet 0/1
Router(config-if)# ip wccp web-cache redirect in
ip wccp version
To specify which version of Web Cache Communication Protocol (WCCP) you wish to configure on
your router, use the ip wccp version command in global configuration mode.
ip wccp version {1 | 2}
Defaults WCCPv2
Examples In the following example, the user changes the WCCP version from the default of WCCPv2 to WCCPv1,
starting in privileged EXEC mode:
router# show ip wccp
% WCCP version 2 is not enabled
router# configure terminal
router(config)# ip wccp version 1
router(config)# end
router# show ip wccp
% WCCP version 1 is not enabled
ip web-cache redirect
The ip web-cache redirect interface configuration command has been replaced by the ip wccp redirect
interface configuration command. The ip web-cache redirect command is no longer supported. See the
description of the ip wccp redirect command in this book for more information.
lease
To configure the duration of the lease for an IP address that is assigned from a Cisco IOS Dynamic Host
Configuration Protocol (DHCP) server to a DHCP client, use the lease command in DHCP pool
configuration mode. To restore the default value, use the no form of this command.
lease {days [hours] [minutes] | infinite}
no lease
Syntax Description days Specifies the duration of the lease in numbers of days.
hours (Optional) Specifies the number of hours in the lease. A days value must be
supplied before you can configure an hours value.
minutes (Optional) Specifies the number of minutes in the lease. A days value and an
hours value must be supplied before you can configure a minutes value.
infinite Specifies that the duration of the lease is unlimited.
Defaults 1 day
maxconns
To limit the number of active connections to the real server, use the maxconns command in SLB real
server configuration mode. To restore the default of no limit, use the no form of this command.
maxconns maximum-number
no maxconns
Syntax Description maximum-number Maximum number of simultaneous active connections on the real
server. Valid values range from 1 to 4294967295. The default is
4294967295.
Examples The following example limits the real server to a maximum of 1000 simultaneous active connections:
ip slb serverfarm PUBLIC
real 10.10.1.1
maxconns 1000
nat
To configure IOS SLB Network Address Translation (NAT) and specify a NAT mode, use the nat
SLB server farm configuration command. To remove a NAT configuration, use the no form of this
command.
nat server
no nat server
Syntax Description server Specifies that the destination address in load-balanced packets sent to
the real server is the address of the real server chosen by the server farm
load-balancing algorithm.
Usage Guidelines The no nat command is allowed only if the virtual server was removed from service with the
no inservice command.
Examples The following example changes to IOS SLB server farm configuration mode and configures NAT mode
as server address translation on the server farm named FARM2:
ip slb serverfarm FARM2
nat server
netbios-name-server
To configure NetBIOS Windows Internet Naming Service (WINS) name servers that are available to
Microsoft Dynamic Host Configuration Protocol (DHCP) clients, use the netbios-name-server
command in DHCP pool configuration mode. To remove the NetBIOS name server list, use the no form of
this command.
netbios-name-server address [address2...address8]
no netbios-name-server
Syntax Description address Specifies the IP address of the NetBIOS WINS name server. One IP address
is required, although you can specify up to eight addresses in one command
line.
address2...address8 (Optional) Specifies up to eight addresses in the command line.
Usage Guidelines One IP address is required, although you can specify up to eight addresses in one command line. Servers
are listed in order of preference (address1 is the most preferred server, address2 is the next most
preferred server, and so on).
Examples The following example specifies the IP address of a NetBIOS name server available to the client:
netbios-name-server 10.12.1.90
netbios-node-type
To configure the NetBIOS node type for Microsoft Dynamic Host Configuration Protocol (DHCP)
clients, use the netbios-node-type command in DHCP pool configuration mode. To remove the
NetBIOS node type, use the no form of this command.
netbios-node-type type
no netbios-node-type
Syntax Description type Specifies the NetBIOS node type. Valid types are:
• b-node—Broadcast
• p-node—Peer-to-peer
• m-node—Mixed
• h-node—Hybrid (recommended)
Examples The following example specifies the client’s NetBIOS type as hybrid:
netbios-node-type h-node
network (DHCP)
To configure the subnet number and mask for a Dynamic Host Configuration Protocol (DHCP) address
pool on a Cisco IOS DHCP server, use the network command in DHCP pool configuration mode. To
remove the subnet number and mask, use the no form of this command.
no network
Usage Guidelines This command is valid for DHCP subnetwork address pools only. If the mask or prefix length is not
specified, the class A, B, or C natural mask is used. The DHCP Server assumes that all host addresses
are available. The system administrator can exclude subsets of the address space by using the ip dhcp
excluded-address command.
You cannot configure manual bindings within the same pool that is configured with the network
command.
Examples The following example configures 172.16.0.0/16 as the subnetwork number and mask of the DHCP pool:
network 172.16.0.0/16
Command Description
ip dhcp excluded-address Specifies IP addresses that a Cisco IOS DHCP server should not assign to
DHCP clients.
ip dhcp pool Configures a DHCP address pool on a Cisco IOS DHCP server and enters
DHCP pool configuration mode.
next-server
To configure the next server in the boot process of a Dynamic Host Configuration Protocol (DHCP)
client, use the next-server command in DHCP pool configuration mode. To remove the boot server list,
use the no form of this command.
next-server address [address2...address8]
no next-server address
Syntax Description address Specifies the IP address of the next server in the boot process, which is
typically a Trivial File Transfer Protocol (TFTP) server. One IP address is
required, although you can specify up to eight addresses in one command line.
address2...address8 (Optional) Specifies up to eight addresses in the command line.
Defaults If the next-server command is not used to configure a boot server list, the DHCP Server uses inbound
interface helper addresses as boot servers.
Usage Guidelines You can specify up to eight servers in the list. Servers are listed in order of preference (address1 is the
most preferred server, address2 is the next most preferred server, and so on).
Examples The following example specifies 10.12.1.99 as the IP address of the next server in the boot process:
next-server 10.12.1.99
no ip gratuitous-arps
To disable the transmission of gratuitous Address Resolution Protocol (ARP) messages for an address
in a local pool, use the no ip gratuitous-arps command in global configuration mode.
no ip gratuitous-arps
Defaults Disabled
Usage Guidelines A Cisco router will send out a gratuitous ARP message when a client connects and negotiates an address
over a PPP connection. This transmission occurs even when the client receives the address from a local
address pool.
Examples The following example disables gratuitous ARP messages from being sent:
no ip gratuitous-arps
option
To configure Cisco IOS Dynamic Host Configuration Protocol (DHCP) server options, use the option
command in DHCP pool configuration mode. To remove the options, use the no form of this command.
Usage Guidelines DHCP provides a framework for passing configuration information to hosts on a TCP/IP network.
Configuration parameters and other control information are carried in tagged data items that are stored
in the options field of the DHCP message. The data items themselves are also called options. The current
set of DHCP options are documented in RFC 2131, Dynamic Host Configuration Protocol.
Examples The following example configures DHCP option 19, which specifies whether the client should configure
its IP layer for packet forwarding. A value of 0 means disable IP forwarding; a value of 1 means enable
IP forwarding. IP forwarding is enabled in the following example:
option 19 hex 01
The following example configures DHCP option 72, which specifies the World Wide Web servers for
DHCP clients. World Wide Web servers 172.16.3.252 and 172.16.3.253 are configured in the following
example:
option 72 ip 172.16.3.252 172.16.3.253
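To make the two option lines above concrete on the wire, here is an added Python encoder and decoder (not Cisco code) for DHCP options in the RFC 2131/2132 tag, length, value format: the hex form carries raw bytes and the ip form one or more 4-byte addresses. The pool contents are constructed from the examples above, and accepting dotted hex groups such as 0102.0304 in the hex form is an assumption of this example.

```python
"""Encode and decode DHCP options of the kinds the option command accepts.

Added example, not Cisco code. Uses the RFC 2131/2132 wire format: one
tag byte, one length byte, then the value. 'ip' values are one or more
4-byte addresses; 'hex' values are raw bytes, written either as a plain
hex string (01) or dotted groups (0102.0304), which is an assumption here.
"""
import ipaddress

PAD, END = 0, 255


def encode_option(code, kind, values):
    """Build the TLV for 'option <code> ip <addr>...' or 'option <code> hex <hex>'."""
    if kind == "ip":
        payload = b"".join(ipaddress.IPv4Address(v).packed for v in values)
    elif kind == "hex":
        payload = bytes.fromhex("".join(values).replace(".", ""))
    else:
        raise ValueError(f"unsupported value kind {kind!r}")
    if not 1 <= code <= 254:
        raise ValueError("option code must be 1-254 (0 is PAD, 255 is END)")
    if not 1 <= len(payload) <= 255:
        raise ValueError("option value must be 1-255 bytes")
    return bytes([code, len(payload)]) + payload


def decode_options(blob):
    """Parse a TLV sequence into {code: value}.

    Skips PAD, stops at END, and rejects truncated headers or values
    instead of reading past the end of the buffer.
    """
    options, i = {}, 0
    while i < len(blob):
        tag = blob[i]
        if tag == END:
            break
        if tag == PAD:
            i += 1
            continue
        if i + 1 >= len(blob):
            raise ValueError(f"option {tag}: missing length byte")
        length = blob[i + 1]
        value = blob[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {tag}: declared {length} bytes, "
                             f"only {len(value)} present")
        options[tag] = value
        i += 2 + length
    return options


def is_well_formed(blob):
    """True when decode_options accepts the sequence without error."""
    try:
        decode_options(blob)
        return True
    except ValueError:
        return False


def addresses(value):
    """Split an ip-typed option value into dotted addresses."""
    if len(value) % 4:
        raise ValueError("ip option value is not a multiple of 4 bytes")
    return [str(ipaddress.IPv4Address(value[k:k + 4]))
            for k in range(0, len(value), 4)]


# Constructed pool: the two option lines from the examples above.
POOL_OPTIONS = [
    (19, "hex", ["01"]),                            # IP forwarding enabled
    (72, "ip", ["172.16.3.252", "172.16.3.253"]),   # World Wide Web servers
]


def encode_pool(options=POOL_OPTIONS):
    """Concatenate the pool's options and terminate them with END."""
    return b"".join(encode_option(*o) for o in options) + bytes([END])


if __name__ == "__main__":
    blob = encode_pool()
    print(blob.hex())
    for code, value in decode_options(blob).items():
        print(code, value.hex())
```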
origin
To configure an address pool as an on-demand address pool (ODAP), use the origin command in DHCP
pool configuration mode. To disable the ODAP, use the no form of this command.
origin {dhcp | aaa | ipcp} [subnet size initial size [autogrow size]]
no origin {dhcp | aaa | ipcp} [subnet size initial size [autogrow size]]
Syntax Description dhcp Specifies the Dynamic Host Configuration Protocol (DHCP) as the subnet
allocation protocol.
aaa Specifies authentication, authorization, and accounting (AAA) as the
subnet allocation protocol.
ipcp Specifies the IP Control Protocol (IPCP) as the subnet allocation protocol.
subnet size initial size (Optional) Specifies the initial size of the first requested subnet. You can
enter size as either the subnet mask (nnnn.nnnn.nnnn.nnnn) or prefix size
(/nn).
autogrow size (Optional) Specifies that the pool can grow incrementally. The size
argument is the size of the requested subnets when the pool requests
additional subnets (upon detection of high utilization). You can enter size as
either the subnet mask (nnnn.nnnn.nnnn.nnnn) or prefix size (/nn).
Usage Guidelines If you do not configure the pool as an autogrow pool, the pool will not request additional subnets if one
subnet is already in the pool.
Use the dhcp keyword to obtain subnets from DHCP, the aaa keyword to obtain subnets from the AAA
server, and the ipcp keyword to obtain subnets from IPCP negotiation. If you expect that the utilization
of the pool may grow over time, use the autogrow size option. If a pool has been configured with the
autogrow size option, ensure that the source server is capable of providing more than one subnet to the
same pool. Even though the Cisco IOS software specifies the requested subnet size, it can accept any
offered subnet size from the source server.
In the Cisco IOS 12.2(8)T release, the origin command supports only VRF-associated pools. Work is in
progress to support both VRF and non-VRF pools.
Examples The following example configures an address pool named green to use DHCP as the subnet allocation
protocol with an initial subnet size of 24 and an autogrow subnet size of 24:
ip dhcp pool green
vrf green
origin dhcp subnet size initial /24 autogrow /24
utilization mark high 80
utilization mark low 20
permit (IP)
To set conditions to allow a packet to pass a named IP access list, use the permit command in access list
configuration mode. To remove a permit condition from an access list, use the no form of this command.
no sequence-number
Syntax Description sequence-number (Optional) Sequence number assigned to the permit statement, causing
the system to insert the statement in that numbered position in the access
list.
source Number of the network or host from which the packet is being sent. There
are three alternative ways to specify the source:
• Use a 32-bit quantity in four-part dotted decimal format.
• Use the any keyword as an abbreviation for a source and
source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard
of source 0.0.0.0.
source-wildcard (Optional) Wildcard bits to be applied to source. There are three
alternative ways to specify the source wildcard:
• Use a 32-bit quantity in four-part dotted decimal format. Place 1s in
the bit positions you want to ignore.
• Use the any keyword as an abbreviation for a source and
source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard
of source 0.0.0.0.
protocol Name or number of an Internet protocol. It can be one of the keywords
eigrp, gre, icmp, igmp, ip, ipinip, nos, ospf, tcp, or udp, or an integer
in the range from 0 to 255 representing an Internet protocol number. To
match any Internet protocol (including ICMP, TCP, and UDP), use the ip
keyword. Some protocols allow further qualifiers described later.
destination Number of the network or host to which the packet is being sent. There
are three alternative ways to specify the destination:
• Use a 32-bit quantity in four-part dotted-decimal format.
• Use the any keyword as an abbreviation for the destination and
destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and
destination-wildcard of destination 0.0.0.0.
destination-wildcard Wildcard bits to be applied to the destination. There are three alternative
ways to specify the destination wildcard:
• Use a 32-bit quantity in four-part dotted decimal format. Place 1s in
the bit positions you want to ignore.
• Use the any keyword as an abbreviation for a destination and
destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and
destination-wildcard of destination 0.0.0.0.
precedence precedence (Optional) Packets can be filtered by precedence level, as specified by a
number from 0 to 7 or by name as listed in the section “Usage
Guidelines.”
tos tos (Optional) Packets can be filtered by type of service (ToS) level, as
specified by a number from 0 to 15, or by name as listed in the section
“Usage Guidelines” of the access-list (IP extended) command.
log (Optional) Causes an informational logging message about the packet that
matches the entry to be sent to the console. (The level of messages logged
to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was
permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a
number; and, if appropriate, the source and destination addresses and
source and destination port numbers. The message is generated for the
first packet that matches, and then at 5-minute intervals, including the
number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages
when the number of matches reaches a configurable threshold (rather than
waiting for a 5-minute interval). See the ip access-list log-update
command for more information.
The logging facility may drop some logging message packets if there are
too many to be handled or if there is more than one logging message to be
handled in 1 second. This behavior prevents the router from crashing due
to too many logging packets. Therefore, the logging facility should not be
used as a billing tool or an accurate source of the number of matches to
an access list.
If CEF is enabled and an access list entry uses the log keyword, the packets that
match that entry are not CEF switched; they are fast switched. Logging therefore
disables CEF switching for the packets that match the logged entry.
time-range time-range-name (Optional) Name of the time range that applies to this permit statement.
The name of the time range and its restrictions are specified by the
time-range and absolute or periodic commands, respectively.
fragments (Optional) The access list entry applies to noninitial fragments of packets;
the fragment is either permitted or denied accordingly. For more details
about the fragments keyword, see the “Access List Processing of
Fragments” and “Fragments and Policy Routing” sections in the “Usage
Guidelines” section.
icmp-type (Optional) ICMP packets can be filtered by ICMP message type. The type
is a number from 0 to 255.
icmp-code (Optional) ICMP packets that are filtered by ICMP message type can also
be filtered by the ICMP message code. The code is a number from 0 to
255.
icmp-message (Optional) ICMP packets can be filtered by an ICMP message type name
or ICMP message type and code name. The possible names are found in
the section “Usage Guidelines” of the access-list (IP extended)
command.
igmp-type (Optional) IGMP packets can be filtered by IGMP message type or
message name. A message type is a number from 0 to 15. IGMP message
names are listed in the section “Usage Guidelines” of the access-list (IP
extended) command.
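The log keyword described above produces syslog messages that report the first matching packet and then a count per 5-minute interval, and the router drops messages under load. The following Python is an added example, not code from the command reference: it parses the %SEC-6-IPACCESSLOGP message form that IOS emits for TCP and UDP matches and sums the reported denied packets per source. The sample log lines are constructed, and the totals are a lower bound on traffic rather than an accurate count, which is the reason the text warns against using the log output as a billing tool.

```python
# Parser for the syslog messages the log keyword produces, aggregated per source.
# Added example, not from the command reference. The line format is the
# %SEC-6-IPACCESSLOGP message IOS emits for TCP/UDP matches; the sample lines
# below are constructed. The router reports the first matching packet and then
# one count per 5-minute interval, and drops messages under load, so the totals
# are a lower bound on what was actually matched.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

LOG_RE = re.compile(
    r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) (?P<action>permitted|denied) "
    r"(?P<proto>\w+) (?P<src>[\d.]+)\((?P<sport>\d+)\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packets?"
)

# Constructed sample: two 5-minute reports for one source, one permitted flow,
# an unrelated syslog line the parser must skip, and a third report for the
# same source against a different destination.
SAMPLE_LOG = """\
*Mar  1 00:12:31.123: %SEC-6-IPACCESSLOGP: list telnetting denied tcp 171.69.2.88(40112) -> 10.0.0.5(23), 1 packet
*Mar  1 00:17:31.456: %SEC-6-IPACCESSLOGP: list telnetting denied tcp 171.69.2.88(40113) -> 10.0.0.5(23), 48 packets
*Mar  1 00:17:40.001: %SEC-6-IPACCESSLOGP: list legal permitted tcp 192.0.2.7(51000) -> 10.0.0.5(23), 1 packet
*Mar  1 00:18:02.009: %SYS-5-CONFIG_I: Configured from console by console
*Mar  1 00:22:31.777: %SEC-6-IPACCESSLOGP: list telnetting denied tcp 171.69.2.88(40114) -> 10.0.0.9(23), 1 packet
"""


def parse(lines: Iterable[str]) -> List[dict]:
    """Return one dict per ACL log line; unrelated syslog lines are skipped."""
    out = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        rec = m.groupdict()
        for k in ("sport", "dport", "count"):
            rec[k] = int(rec[k])
        out.append(rec)
    return out


def denied_by_source(text: str) -> Dict[Tuple[str, str], int]:
    """Sum the reported denied packets per (acl, source) across all intervals."""
    totals: Dict[Tuple[str, str], int] = defaultdict(int)
    for rec in parse(text.splitlines()):
        if rec["action"] == "denied":
            totals[(rec["acl"], rec["src"])] += rec["count"]
    return dict(totals)


def noisy_sources(text: str, threshold: int) -> List[str]:
    """Sources whose summed denied count meets the threshold, busiest first."""
    totals = denied_by_source(text)
    ranked = sorted(totals.items(), key=lambda kv: kv[1], reverse=True)
    return [src for (_acl, src), n in ranked if n >= threshold]


if __name__ == "__main__":
    print(denied_by_source(SAMPLE_LOG))
    print(noisy_sources(SAMPLE_LOG, threshold=10))
```

Feed the output of the router's syslog collector to denied_by_source rather than the console: the console rate limit described above loses messages before a collector ever sees them, and the ip access-list log-update threshold only changes how often a count is reported, not whether dropped messages are recovered.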
Defaults There are no specific conditions under which a packet passes the named access list.
Usage Guidelines Use this command following the ip access-list command to define the conditions under which a packet
passes the access list.
The time-range option allows you to identify a time range by name. The time-range, absolute, and
periodic commands specify when this permit statement is in effect.
If the access-list entry has the fragments keyword, and assuming all of the access-list entry
information matches, then the access-list entry is applied only to noninitial fragments.
Note The fragments keyword cannot be configured for an access-list entry that contains any
Layer 4 information.
Be aware that you should not simply add the fragments keyword to every access list entry, because the
first fragment of the IP packet is considered a nonfragment and is treated independently of the
subsequent fragments. An initial fragment will not match an access list permit or deny entry that
contains the fragments keyword; instead, the packet is compared to the next access list entry, and so
on, until it is either permitted or denied by an access list entry that does not contain the fragments
keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of
the pair does not include the fragments keyword and applies to the initial fragment. The second deny
entry of the pair includes the fragments keyword and applies to the subsequent fragments. Where there
are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny
access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the
fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a
packet in access list accounting and access list violation counts.
Note The fragments keyword cannot solve all cases involving access lists and IP fragments.
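The Usage Guidelines above describe two rules that are easy to get wrong in practice: the wildcard forms a source or destination can take, and the way an entry with and without the fragments keyword treats initial and noninitial fragments. The following Python model is an added example and is not code from the command reference; it implements those rules (and, for noninitial fragments checked against an entry that carries Layer 4 information, Cisco's documented behaviour that a permit entry matches them while a deny entry is skipped) and runs the page's "deny host Telnet" pattern with and without the extra fragments deny entry. The ACLs and packets are constructed for the demonstration.

```python
# Model of how a Cisco IOS extended ACL evaluates packets and IP fragments.
# Added example (not code from the command reference). It implements the
# source/destination wildcard rules (any, host, address + wildcard) and the
# fragment rules from the Usage Guidelines: an entry with the fragments keyword
# matches only noninitial fragments; an entry without it matches nonfragmented
# packets and initial fragments. Noninitial fragments carry no Layer 4 header,
# so against a Layer 4 entry (port qualifier) they are permitted by a permit and
# skipped by a deny, which is Cisco's documented behaviour and the reason the
# text asks for a second deny entry with the fragments keyword.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Entry:
    action: str                  # "permit" or "deny"
    proto: str                   # "ip" matches any protocol; else "tcp", "udp", ...
    src: str                     # "any", "host A.B.C.D", or "A.B.C.D W.W.W.W"
    dst: str
    dport: Optional[int] = None  # Layer 4 qualifier (eq port); None = Layer 3 only
    fragments: bool = False      # the fragments keyword


@dataclass
class Packet:
    proto: str
    src: str
    dst: str
    dport: Optional[int]         # None when the packet carries no Layer 4 header
    frag_offset: int = 0         # > 0 marks a noninitial fragment


def wildcard_match(spec: str, addr: str) -> bool:
    """Cisco wildcard semantics: a 1 bit in the wildcard means 'ignore this bit'."""
    parts = spec.split()
    if parts == ["any"]:
        return True                              # any == 0.0.0.0 255.255.255.255
    if parts[0] == "host":
        net, wild = parts[1], "0.0.0.0"          # host X == X 0.0.0.0
    else:
        net, wild = parts
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(net))
    w = int(ipaddress.IPv4Address(wild))
    return (a & ~w) == (n & ~w)


def entry_applies(e: Entry, p: Packet) -> Optional[str]:
    """Return the entry's action if it decides the packet, or None to fall through."""
    if e.proto != "ip" and e.proto != p.proto:
        return None
    if not (wildcard_match(e.src, p.src) and wildcard_match(e.dst, p.dst)):
        return None
    noninitial = p.frag_offset > 0
    if e.fragments:
        # Applies only to noninitial fragments; an initial fragment falls through.
        return e.action if noninitial else None
    if e.dport is None:
        return e.action                          # Layer 3 only: matches all fragments
    if noninitial:
        # No port to compare: permit matches, deny is skipped (next entry is tried).
        return e.action if e.action == "permit" else None
    return e.action if p.dport == e.dport else None


def evaluate(acl: List[Entry], p: Packet) -> str:
    for e in acl:
        verdict = entry_applies(e, p)
        if verdict is not None:
            return verdict
    return "deny"                                # implicit deny at the end of every ACL


# Constructed ACLs: the page's "deny host X telnet" pattern, then the same list
# with the extra fragments deny entry the Usage Guidelines recommend.
LEAKY = [
    Entry("deny", "tcp", "host 171.69.2.88", "any", dport=23),
    Entry("permit", "ip", "any", "any"),
]
HARDENED = [
    Entry("deny", "tcp", "host 171.69.2.88", "any", dport=23),
    Entry("deny", "ip", "host 171.69.2.88", "any", fragments=True),
    Entry("permit", "ip", "any", "any"),
]

INITIAL = Packet("tcp", "171.69.2.88", "10.0.0.5", dport=23)
NONINITIAL = Packet("tcp", "171.69.2.88", "10.0.0.5", dport=None, frag_offset=185)

if __name__ == "__main__":
    for name, acl in (("leaky", LEAKY), ("hardened", HARDENED)):
        print(name, "initial:", evaluate(acl, INITIAL),
              "noninitial:", evaluate(acl, NONINITIAL))
```

Running the model shows the gap the text warns about: with LEAKY, the initial fragment of the Telnet connection is denied but every noninitial fragment falls through the port-qualified deny and is permitted by the trailing permit ip any any; HARDENED closes that with one Layer 3 deny carrying the fragments keyword, while an initial fragment to another port (say 80) still passes because the fragments entry does not apply to it.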
Examples The following example sets conditions for a standard access list named Internetfilter:
ip access-list standard Internetfilter
deny 192.5.34.0 0.0.0.255
permit 128.88.0.0 0.0.255.255
permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)
The following example permits Telnet traffic on Mondays, Tuesdays, and Fridays from 9:00 a.m. to
5:00 p.m.:
time-range testing
periodic Monday Tuesday Friday 9:00 to 17:00
!
ip access-list extended legal
permit tcp any any eq telnet time-range testing
!
interface ethernet 0
ip access-group legal in
The following example shows how to add an entry to an existing access list:
Router# show access-list
The following example shows how the entry with the sequence number of 20 is removed from the access
list:
Router(config)# ip access-list standard 1
Router(config-std-nacl)# no 20
The following example shows how, if a user tries to enter an entry that is a duplicate of an entry already
on the list, no changes occur. The entry that the user is trying to add is a duplicate of the entry already
in the access list with a sequence number of 20.
Router# show access-list 101
The following example shows what occurs if a user tries to enter a new entry with a sequence number of
20 when an entry with a sequence number of 20 is already in the list. An error message appears, and no
change is made to the access list.
Router# show access-list 101
Router(config-ext-nacl)# end
Command Description
ip access-list resequence Applies sequence numbers to the access list entries in an access list.
match ip-address Distributes any routes that have a destination network number address that
is permitted by a standard or extended access list.
show ip access-list Displays the contents of all current IP access lists.
time-range Specifies when an access list or other feature is in effect.
predictor
To specify the load-balancing algorithm for selecting a real server in the server farm, use the predictor
command in SLB server farm configuration mode. To restore the default load-balancing algorithm of
weighted round robin, use the no form of this command.
no predictor
Syntax Description roundrobin (Optional) Use the weighted round robin algorithm for selecting the
real server to handle the next new connection for the server farm.
leastconns (Optional) Use the weighted least connections algorithm for
selecting the real server to handle the next new connection for this
server farm.
Examples The following example specifies the weighted least connections algorithm:
ip slb serverfarm PUBLIC
predictor leastconns
real
To identify a real server as a member of a server farm, use the real command in SLB server farm
configuration mode. To remove the real server from the IOS SLB configuration, use the no form of this
command.
real ip-address
no real ip-address
Examples The following example identifies a real server as a member of the server farm:
ip slb serverfarm PUBLIC
real 10.1.1.1
reassign
To specify the threshold of consecutive unanswered synchronizations that, if exceeded, results in an
attempted connection to a different real server, use the reassign command in SLB real server
configuration mode. To restore the default reassignment threshold, use the no form of this command.
reassign threshold
no reassign
Syntax Description threshold Number of unanswered TCP SYNs that are directed to a real server before the
connection is reassigned to a different real server. An unanswered SYN is one for
which no SYN or ACK is detected before the next SYN arrives from the client.
IOS SLB allows 30 seconds for the connection to be established or for a new SYN to
be received. If neither of these events occurs within that time, the connection is
removed from the IOS SLB database.
The 30-second timer is restarted for each SYN as long as the number of connection
reassignments specified on the faildetect command’s numconns keyword is not
exceeded. See the faildetect command for more information.
Valid threshold values range from 1 to 4 SYNs. The default value is 3.
remark
To write a helpful comment (remark) for an entry in a named IP access list, use the remark command
in access list configuration mode. To remove the remark, use the no form of this command.
remark remark
no remark remark
Syntax Description remark Comment that describes the access list entry, up to 100 characters long.
Usage Guidelines The remark can be up to 100 characters long; anything longer is truncated.
If you want to write a comment about an entry in a numbered IP access list, use the access-list remark
command.
Examples In the following example, the Jones subnet is not allowed to use outbound Telnet:
ip access-list extended telnetting
remark Do not allow Jones subnet to telnet out
deny tcp host 171.69.2.88 any eq telnet
retry retry-value
no retry
Syntax Description retry-value Time, in seconds, to wait after the detection of a server failure before a new
connection to the server is attempted.
If the new connection attempt succeeds, the real server is placed in
OPERATIONAL state. If the connection attempt fails, the timer is reset, the
connection is reassigned, and the process repeats until it is successful or until the
server is placed OUTOFSERVICE by the network administrator.
Valid values range from 1 to 3600. The default value is 60 seconds.
A value of 0 means do not attempt a new connection to the server when it fails.
Examples The following example specifies that 120 seconds must elapse after the detection of a server failure
before a new connection is attempted:
ip slb serverfarm PUBLIC
real 10.10.1.1
retry 120
serverfarm
To associate a real server farm with a virtual server, use the serverfarm command in SLB virtual server
configuration mode. To remove the server farm association from the virtual server configuration, use the
no form of this command.
serverfarm serverfarm-name
no serverfarm
Syntax Description serverfarm-name Name of a server farm that has already been defined using the ip slb
serverfarm command.
Examples The following example shows how the ip slb vserver, virtual, and serverfarm commands are used to
associate the real server farm named PUBLIC with the virtual server named PUBLIC_HTTP:
ip slb vserver PUBLIC_HTTP
virtual 10.0.0.1 tcp www
serverfarm PUBLIC
service dhcp
To enable the Cisco IOS Dynamic Host Configuration Protocol (DHCP) server and relay agent features
on your router, use the service dhcp command in global configuration mode. To disable the Cisco IOS
DHCP server and relay agent features, use the no form of this command.
service dhcp
no service dhcp
Defaults Enabled
Examples The following example enables DHCP services on the DHCP server:
service dhcp
show access-lists
To display the contents of current access lists, use the show access-lists command in privileged EXEC
mode.
Syntax Description access-list-number (Optional) Number of the access list to display. The system displays
all access lists by default.
access-list-name (Optional) Name of the IP access list to display.
Examples The following is sample output from the show access-lists command when access list 101 is specified:
Router# show access-lists 101
An access list counter counts how many packets are allowed by each line of the access list. This number
is displayed as the number of matches. Check denotes how many times a packet was compared to the
access list but did not match.
The following is sample output from the show access-lists command when the Turbo Access Control
List (ACL) feature is configured on all of the following access lists.
Note The permit and deny information displayed by the show access-lists command may not be in the
same order as that entered using the access-list command.
For information on how to configure access lists, refer to the “Configuring IP Services” chapter of the
Cisco IOS IP Configuration Guide.
For information on how to configure dynamic access lists, refer to the “Traffic Filtering and Firewalls”
part of the Cisco IOS Security Configuration Guide.
Usage Guidelines This command is used to display the status and condition of the Turbo ACL tables associated with each
access list. The memory usage is displayed for each table; large and complex access lists may require
substantial amounts of memory. If the memory usage is greater than the memory available, you can
disable the Turbo ACL feature so that memory exhaustion does not occur, but the acceleration of the
access lists is not then enabled.
Examples The following is partial sample output from the show access-list compiled command:
Router# show access-list compiled
show arp
To display the entries in the Address Resolution Protocol (ARP) table, use the show arp privileged
EXEC command.
show arp
Examples The following is sample output from the show arp command:
Router# show arp
Field Description
Protocol Protocol for network address in the Address field.
Address The network address that corresponds to the Hardware Address.
Age (min) Age in minutes of the cache entry. A hyphen (-) means the address is local.
Hardware Addr LAN hardware address of a MAC address that corresponds to the network
address.
Type Indicates the encapsulation type the Cisco IOS software is using for the network
address in this entry. Possible values include:
• ARPA
• SNAP
• ETLK (EtherTalk)
• SMDS
Interface Indicates the interface associated with this network address.
show glbp
To display Gateway Load Balancing Protocol (GLBP) information, use the show glbp command in
privileged EXEC mode.
Syntax Description interface-type interface-number (Optional) Interface type and number for which output is displayed.
group (Optional) GLBP group number in the range from 0 to 1023.
state (Optional) State of the GLBP router, one of the following: active, disabled, init,
listen, speak, or standby.
brief (Optional) Summarizes each virtual gateway or virtual forwarder with a single
line of output.
Usage Guidelines Use the show glbp command to display information about GLBP groups on a router. The brief keyword
displays a single line of information about each virtual gateway or virtual forwarder.
Examples The following is sample output from the show glbp command:
Router# show glbp
FastEthernet0/0 - Group 10
State is Active
2 state changes, last state change 23:50:33
Virtual IP address is 10.21.8.10
Hello time 5 sec, hold time 18 sec
Next hello sent in 4.300 secs
Redirect time 600 sec, forwarder time-out 7200 sec
Authentication text "stringabc"
Preemption enabled, min delay 60 sec
Active is local
Standby is unknown
Priority 254 (configured)
Weighting 105 (configured 110), thresholds: lower 95, upper 105
Track object 2 state Down decrement 5
Load balancing: host-dependent
There is 1 forwarder (1 active)
Forwarder 1
State is Active
1 state change, last state change 23:50:15
MAC address is 0007.b400.0101 (default)
Owner ID is 0005.0050.6c08
Redirection enabled
Preemption enabled, min delay 60 sec
Active is local, weighting 105
The following is sample output from the show glbp command with the brief keyword specified:
Router# show glbp brief
Interface Grp Fwd Pri State Address Active router Standby router
Fa0/0 10 - 254 Active 10.21.8.10 local unknown
Fa0/0 10 1 7 Active 0007.b400.0101 local -
Field Description
FastEthernet0/0 - Group Interface type and number and GLBP group number for the interface.
State is State descriptions for virtual gateways or virtual forwarders are similar but
differ in some details. For a virtual gateway the state can be one of the
following:
• Disabled—Indicates that the virtual IP address has not been configured or
learned yet, but other GLBP configuration exists.
• Initial—The virtual IP address has been configured or learned but virtual
gateway configuration is not complete. An interface must be up and
configured to route IP, and an interface IP address must be configured.
• Listen—Virtual gateway is receiving hello packets and is ready to change
to the “speak” state if the active or standby virtual gateway becomes
unavailable.
• Speak—Virtual gateway is attempting to become the active or standby
virtual gateway.
• Standby—Indicates that the gateway is next in line to be the active virtual
gateway (AVG).
• Active—Indicates that this gateway is the AVG, and that it is responsible
for responding to Address Resolution Protocol (ARP) requests for the
virtual IP address.
For a virtual forwarder the state can be one of the following:
• Disabled—Indicates that the virtual MAC address has not been assigned or
learned. This is a transitory state because a virtual forwarder changing to a
disabled state is deleted.
• Initial—The virtual MAC address is known but virtual forwarder
configuration is not complete. An interface must be up and configured to
route IP, an interface IP address must be configured, and the virtual IP
address must be known.
• Listen—Virtual forwarder is receiving hello packets and is ready to change
to the “active” state if the active virtual forwarder (AVF) becomes
unavailable.
• Active—Indicates that this gateway is the AVF, and that it is responsible for
forwarding packets sent to the virtual forwarder MAC address.
Virtual IP address is The virtual IP address of the GLBP group. All secondary virtual IP addresses
are listed on separate lines. If one of the virtual IP addresses is a duplicate of an
address configured for another device, it will be marked as “duplicate.” A
duplicate address indicates that the router has failed to defend its ARP cache
entry.
Hello time, hold time The hello time is the time between hello packets (in seconds or milliseconds).
The holdtime is the time (in seconds) before other routers declare the active
router to be down. All routers in a GLBP group use the hello and holdtime
values of the current AVG. If the locally configured values are different, the
configured values appear in parentheses after the hello time and holdtime
values.
Next hello sent in Time until GLBP will send the next hello packet (in seconds or milliseconds).
Preemption enabled Indicates whether GLBP gateway preemption is enabled. If enabled, the
minimum delay is the time (in seconds) a higher-priority nonactive router will
wait before preempting the lower-priority active router.
This field is also displayed under the forwarder section where it indicates GLBP
forwarder preemption.
Active is Value can be “local,” “unknown,” or an IP address. Address (and the expiration
date of the address) of the current AVG.
This field is also displayed under the forwarder section where it indicates the
address of the current AVF.
Standby is Value can be “local,” “unknown,” or an IP address. Address (and the expiration
date of the address) of the standby gateway (the gateway that is next in line to
be the AVG).
Weighting Initial weighting value with lower and upper threshold values.
Track object List of objects that are being tracked and their corresponding states.
show hosts
To display the default domain name, the style of name lookup service, a list of name server hosts, and
the cached list of host names and addresses, use the show hosts command in EXEC mode.
show hosts
Examples The following is sample output from the show hosts command:
Router# show hosts
Field Description
Flag A temporary entry is entered by a name server; the Cisco IOS software removes the
entry after 72 hours of inactivity.
A permanent entry is entered by a configuration command and is not timed out.
Entries marked OK are believed to be valid. Entries marked ?? are considered suspect
and subject to revalidation. Entries marked EX are expired.
Age Indicates the number of hours since the software last referred to the cache entry.
Type Identifies the type of address, for example, IP, Connectionless Network Service
(CLNS), or X.121. If you have used the ip hp-host global configuration command,
the show hosts command will display these host names as type HP-IP.
Address(es) Displays the address of the host. One host may have up to eight addresses.
The following is sample output from a router when a modem telephone number is mapped to an IP host
address for the Cisco modem user interface feature using the ip host global configuration command:
Router# show hosts
Under the Host field, a “p” preceding the number indicates a pulse-dialed modem telephone number, and
a “t” indicates a tone-dialed modem telephone number. The IP address mapped to the telephone number
appears under the Address(es) field. See Table 4 for descriptions of the other fields seen in this display.
Usage Guidelines The show interface mac command displays information for all interfaces configured for MAC
accounting. To display information for a single interface, use the show interface type number mac
command.
For incoming packets on the interface, the accounting statistics are gathered before the CAR/DCAR
feature is performed on the packet. For outgoing packets on the interface, the accounting statistics are
gathered after output CAR, before the output DCAR, DWRED, or DWFQ feature is performed on the
packet. Therefore, if you are using DCAR or DWRED on the interface and packets are dropped, the
dropped packets are still counted in the show interface mac output because the statistics are gathered
before those features run.
The maximum number of MAC addresses that can be stored for the input direction is 512, and the
maximum number of MAC addresses that can be stored for the output direction is 512. After the maximum
is reached, subsequent MAC addresses are ignored, so on a segment that sees more than 512 distinct
addresses the accounting does not record every address.
To clear the accounting statistics, use the clear counter EXEC command. To configure an interface for
IP accounting based on the MAC address, use the ip accounting mac-address interface configuration
command.
Examples The following is sample output from the show interface mac command. This feature calculates the total
packet and byte counts for the interface that receives (input) or sends (output) IP packets to or from a
unique MAC address. It also records a time stamp for the last packet received or sent.
Router# show interface ethernet 0/1/1 mac
Ethernet0/1/1
Input (511 free)
Usage Guidelines The show interface precedence command displays information for all interfaces configured for IP
precedence accounting. To display information for a single interface, use the show interface type
number precedence command.
For incoming packets on the interface, the accounting statistics are gathered before input CAR/DCAR
is performed on the packet. Therefore, if CAR/DCAR changes the precedence on the packet, it is counted
based on the old precedence setting with the show interface precedence command.
For outgoing packets on the interface, the accounting statistics are gathered after output DCAR or
DWRED or DWFQ feature is performed on the packet.
To clear the accounting statistics, use the clear counter EXEC command.
To configure an interface for IP accounting based on IP precedence, use the ip accounting precedence
interface configuration command.
Examples The following is sample output from the show interface precedence command. This feature calculates
the total packet and byte counts for the interface that receives (input) or sends (output) IP packets and
sorts the results based on IP precedence.
Router# show interface ethernet 0/1/1 precedence
Ethernet0/1/1
Input
Precedence 0: 4 packets, 456 bytes
Output
Precedence 0: 4 packets, 456 bytes
show ip access-list
To display the contents of all current IP access lists, use the show ip access-list command in user EXEC
or privileged EXEC mode.
Usage Guidelines The show ip access-list command provides output identical to the show access-lists command, except
that it is IP-specific and allows you to specify a particular access list.
Examples The following is sample output from the show ip access-list command when all access lists are
requested:
Router# show ip access-list
The following is sample output from the show ip access-list command when the name of a specific
access list is requested:
Router# show ip access-list Internetfilter
show ip accounting
To display the active accounting or checkpointed database or to display access list violations, use the
show ip accounting command in user EXEC or privileged EXEC mode.
Syntax Description checkpoint (Optional) Indicates that the checkpointed database should be displayed.
output-packets (Optional) Indicates that information pertaining to packets that passed
access control and were routed should be displayed. If neither the
output-packets nor access-violations keyword is specified,
output-packets is the default.
access-violations (Optional) Indicates that information pertaining to packets that failed access
lists and were not routed should be displayed. If neither the output-packets
nor access-violations keyword is specified, output-packets is the default.
Defaults If neither the output-packets nor access-violations keyword is specified, the show ip accounting
command displays information pertaining to packets that passed access control and were routed.
Usage Guidelines If you do not specify any keywords, the show ip accounting command displays information about the
active accounting database.
To display IP access violations, you must use the access-violations keyword. If you do not specify the
keyword, the command defaults to displaying the number of packets that have passed access lists and
were routed.
To use this command, you must first enable IP accounting on a per-interface basis.
Examples The following is sample output from the show ip accounting command:
Router# show ip accounting
The following is sample output from the show ip accounting access-violations command. The output
pertains to packets that failed access lists and were not routed:
Router# show ip accounting access-violations
Field Description
Source Source address of the packet.
Destination Destination address of the packet.
Packets Number of packets sent from the source address to the destination address.
With the access-violations keyword, the number of packets sent from the source
address to the destination address that violated an access control list (ACL).
Bytes Sum of the total number of bytes (IP header and data) of all IP packets sent from
the source address to the destination address.
With the access-violations keyword, the total number of bytes sent from the
source address to the destination address that violated an ACL.
ACL Number of the access list of the last packet sent from the source to the destination
that failed an access list filter.
accounting threshold exceeded... Data for all packets that could not be entered into the accounting table when the
accounting table is full. This data is combined into a single entry.
show ip aliases
To display the IP addresses mapped to TCP ports (aliases) and Serial Line Internet Protocol (SLIP)
addresses, which are treated similarly to aliases, use the show ip aliases EXEC command.
show ip aliases
Usage Guidelines To distinguish a SLIP address from a normal alias address, the command output uses the form SLIP
TTY1 for the “port” number, where 1 is the auxiliary port.
Examples The following is sample output from the show ip aliases command:
Router# show ip aliases
IP Address Port
131.108.29.245 SLIP TTY1
show ip arp
To display the Address Resolution Protocol (ARP) cache, where Serial Line Internet Protocol (SLIP)
addresses appear as permanent ARP table entries, use the show ip arp EXEC command.
Syntax Description ip-address (Optional) ARP entries matching this IP address are displayed.
host-name (Optional) Host name.
mac-address (Optional) 48-bit MAC address.
interface type number (Optional) ARP entries learned via this interface type and number are
displayed.
Usage Guidelines ARP establishes correspondences between network addresses (an IP address, for example) and LAN
hardware addresses (Ethernet addresses). A record of each correspondence is kept in a cache for a
predetermined amount of time and then discarded.
Examples The following is sample output from the show ip arp command:
Router# show ip arp
Field Description
Protocol Protocol for network address in the Address field.
Address The network address that corresponds to the Hardware Address.
Age (min) Age in minutes of the cache entry. A hyphen (-) means the address is local.
Hardware Addr LAN hardware address of a MAC address that corresponds to the network address.
Type Indicates the encapsulation type the Cisco IOS software is using for the network address in
this entry. Possible values include:
• ARPA
• SNAP
• SAP
Interface Indicates the interface associated with this network address.
show ip casa affinities [stats] | [saddr ip-address [detail]] | [daddr ip-address [detail]] | [sport
source-port [detail]] | [dport destination-port [detail]] | [protocol protocol [detail]]
Examples The following is sample output of the show ip casa affinities command:
Router# show ip casa affinities
Affinity Table
Source Address Port Dest Address Port Prot
161.44.36.118 1118 172.26.56.13 19 TCP
172.26.56.13 19 161.44.36.118 1118 TCP
The following is sample output of the show ip casa affinities detail command:
Router# show ip casa affinities detail
Affinity Table
Source Address Port Dest Address Port Prot
161.44.36.118 1118 172.26.56.13 19 TCP
Action Details:
Interest Addr: 172.26.56.19 Interest Port: 1638
Interest Packet: 0x0102 SYN FRAG
Interest Tickle: 0x0005 FIN RST
Dispatch (Layer 2): YES Dispatch Address: 172.26.56.33
Field Description
Source Address Source address of a given TCP connection.
Port Source port of a given TCP connection.
Dest Address Destination address of a given TCP connection.
Port Destination port of a given TCP connection.
Prot Protocol of a given TCP connection.
Action Details Actions to be taken on a match.
Interest Addr Services manager address that is to receive interest packets for this
affinity.
Interest Port Services manager port to which interest packets are sent.
Interest Packet List of TCP packet types that the services manager is interested in.
Interest Tickle List of TCP packet types for which the services manager wants the entire
packet.
Dispatch (Layer 2) Layer 2 destination information will be modified.
Dispatch Address Address of the real server.
Examples The following is sample output from the show ip casa oper command:
Router# show ip casa oper
Casa is Active
Casa control address is 206.10.20.34/32
Casa multicast address is 224.0.1.2
Listening for wildcards on:
Port:1637
Current passwd:NONE Pending passwd:NONE
Passwd timeout:180 sec (Default)
Field Description
Casa is Active The forwarding agent is active.
Casa control address Unique address for this forwarding agent.
Casa multicast address Services manager broadcast address.
Listening for wildcards on Port on which the forwarding agent will listen.
Port Services manager broadcast port.
Current passwd Current password.
Pending passwd Password that will override the current password.
Passwd timeout Interval after which the pending password becomes the current
password.
Examples The following is sample output of the show ip casa stats command:
Router# show ip casa stats
Casa is active:
Wildcard Stats:
Wildcards: 6 Max Wildcards: 6
Wildcard Denies: 0 Wildcard Drops: 0
Pkts Throughput: 441 Bytes Throughput: 39120
Affinity Stats:
Affinities: 2 Max Affinities: 2
Cache Hits: 444 Cache Misses: 0
Affinity Drops: 0
Casa Stats:
Int Packet: 4 Int Tickle: 0
Casa Denies: 0 Drop Count: 0
Field Description
Casa is Active The Forwarding Agent is active.
Wildcard Stats Wildcard statistics.
Wildcards Number of current wildcards.
Max Wildcards Maximum number of wildcards since the Forwarding Agent
became active.
Wildcard Denies Protocol violations.
Wildcard Drops Not enough memory to install wildcard.
Pkts Throughput Number of packets passed through all wildcards.
Bytes Throughput Number of bytes passed through all wildcards.
Affinity Stats Affinity statistics.
Affinities Current number of affinities.
Max Affinities Maximum number of affinities since the forwarding agent became
active.
Cache Hits Number of packets that match wildcards and fixed affinities.
Cache Misses Number of packets that matched a wildcard but not a fixed affinity.
Affinity Drops Number of times an affinity could not be created.
Casa Stats Forwarding agent statistics.
Int Packet Interest packets.
Int Tickle Interest tickles.
Casa Denies Protocol violation.
Security Drops Packets dropped due to password or authentication mismatch.
Drop Count Number of messages dropped.
Examples The following is sample output from the show ip casa wildcard command:
Router# show ip casa wildcard
Source Address Source Mask Port Dest Address Dest Mask Port Prot
0.0.0.0 0.0.0.0 0 172.26.56.2 255.255.255.255 0 ICMP
0.0.0.0 0.0.0.0 0 172.26.56.2 255.255.255.255 0 TCP
0.0.0.0 0.0.0.0 0 172.26.56.13 255.255.255.255 0 ICMP
0.0.0.0 0.0.0.0 0 172.26.56.13 255.255.255.255 0 TCP
172.26.56.2 255.255.255.255 0 0.0.0.0 0.0.0.0 0 TCP
172.26.56.13 255.255.255.255 0 0.0.0.0 0.0.0.0 0 TCP
The following is sample output from the show ip casa wildcard detail command:
router# show ip casa wildcard detail
Source Address Source Mask Port Dest Address Dest Mask Port Prot
0.0.0.0 0.0.0.0 0 172.26.56.2 255.255.255.255 0 ICMP
Service Manager Details:
Manager Addr: 172.26.56.19 Insert Time: 08:21:27 UTC 04/18/96
Affinity Statistics:
Affinity Count: 0 Interest Packet Timeouts: 0
Packet Statistics:
Packets: 0 Bytes: 0
Action Details:
Interest Addr: 172.26.56.19 Interest Port: 1638
Interest Packet: 0x8000 ALLPKTS
Interest Tickle: 0x0107 FIN SYN RST FRAG
Dispatch (Layer 2): NO Dispatch Address: 0.0.0.0
Advertise Dest Address: YES Match Fragments: NO
Source Address Source Mask Port Dest Address Dest Mask Port Prot
0.0.0.0 0.0.0.0 0 172.26.56.2 255.255.255.255 0 TCP
Service Manager Details:
Manager Addr: 172.26.56.19 Insert Time: 08:21:27 UTC 04/18/96
Affinity Statistics:
Affinity Count: 0 Interest Packet Timeouts: 0
Packet Statistics:
Packets: 0 Bytes: 0
Action Details:
Interest Addr: 172.26.56.19 Interest Port: 1638
Interest Packet: 0x8102 SYN FRAG ALLPKTS
Interest Tickle: 0x0005 FIN RST
Dispatch (Layer 2): NO Dispatch Address: 0.0.0.0
Advertise Dest Address: YES Match Fragments: NO
Field Description
Source Address Source address of a given TCP connection.
Source Mask Mask to apply to source address before matching.
Port Source port of a given TCP connection.
Dest Address Destination address of a given TCP connection.
Dest Mask Mask to apply to destination address before matching.
Port Destination port of a given TCP connection.
Prot Protocol of a given TCP connection.
Service Manager Details Services manager details.
Manager Addr Source address of this wildcard.
Insert Time System time at which this wildcard was inserted.
Affinity Statistics Affinity statistics.
Affinity Count Number of affinities created on behalf of this wildcard.
Interest Packet Timeouts Number of unanswered interest packets.
Packet Statistics Packet statistics.
Packets Number of packets that match this wildcard.
Bytes Number of bytes that match this wildcard.
Action Details Actions to be taken on a match.
Interest Addr Services manager that is to receive interest packets for this wildcard.
Interest Port Services manager port to which interest packets are sent.
Interest Packet List of packet types that the services manager is interested in.
Interest Tickle List of packet types for which the services manager wants the entire
packet.
Dispatch (Layer 2) Layer 2 destination information will be modified.
Dispatch Address Address of the real server.
Advertise Dest Address Destination address.
Match Fragments Does wildcard also match fragments? (boolean)
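The Interest Packet and Interest Tickle values above are printed as a hexadecimal mask followed by the flag names it encodes. The following is an added example, not Cisco code and not part of this reference: it parses show ip casa wildcard detail output, decodes the masks, and reports wildcards that were installed by a services manager outside an expected set, that request full copies of every matching packet, or that rewrite the Layer 2 destination. The bit values in INTEREST_BITS are an assumption reconstructed from the sample output on this page (0x0102 = SYN FRAG, 0x0005 = FIN RST, 0x8000 = ALLPKTS); the third wildcard in the sample (manager 172.26.56.77) is constructed for the example.

```python
import re

# Bit values behind the Interest Packet / Interest Tickle masks. These are an
# ASSUMPTION reconstructed from the sample output above (0x0102 = SYN FRAG,
# 0x0005 = FIN RST, 0x0107 = FIN SYN RST FRAG, 0x8000 = ALLPKTS,
# 0x8102 = SYN FRAG ALLPKTS); they are not taken from a Cisco specification.
INTEREST_BITS = {
    0x0001: "FIN",
    0x0002: "SYN",
    0x0004: "RST",
    0x0100: "FRAG",
    0x8000: "ALLPKTS",
}

# A wildcard row: src, src mask, port, dst, dst mask, port, protocol.
ROW_RE = re.compile(
    r"^(?P<src>[\d.]+)\s+(?P<src_mask>[\d.]+)\s+(?P<sport>\d+)\s+"
    r"(?P<dst>[\d.]+)\s+(?P<dst_mask>[\d.]+)\s+(?P<dport>\d+)\s+(?P<prot>\w+)\s*$"
)
# "Key: value" pairs; a detail line may carry two of them.
KV_RE = re.compile(r"([A-Za-z][A-Za-z0-9 ()]*?):\s+(\S+)")

# Constructed sample: the first two wildcards are the ones shown above; the
# third (manager 172.26.56.77, dispatch to 172.26.56.33) is made up.
SAMPLE_WILDCARD_DETAIL = """\
Source Address Source Mask     Port Dest Address Dest Mask       Port Prot
0.0.0.0        0.0.0.0         0    172.26.56.2  255.255.255.255 0    ICMP
  Service Manager Details:
    Manager Addr: 172.26.56.19         Insert Time: 08:21:27 UTC 04/18/96
  Action Details:
    Interest Addr: 172.26.56.19        Interest Port: 1638
    Interest Packet: 0x8000 ALLPKTS
    Interest Tickle: 0x0107 FIN SYN RST FRAG
    Dispatch (Layer 2): NO             Dispatch Address: 0.0.0.0
Source Address Source Mask     Port Dest Address Dest Mask       Port Prot
0.0.0.0        0.0.0.0         0    172.26.56.2  255.255.255.255 0    TCP
  Service Manager Details:
    Manager Addr: 172.26.56.19         Insert Time: 08:21:27 UTC 04/18/96
  Action Details:
    Interest Addr: 172.26.56.19        Interest Port: 1638
    Interest Packet: 0x8102 SYN FRAG ALLPKTS
    Interest Tickle: 0x0005 FIN RST
    Dispatch (Layer 2): NO             Dispatch Address: 0.0.0.0
Source Address Source Mask     Port Dest Address Dest Mask       Port Prot
0.0.0.0        0.0.0.0         0    172.26.56.13 255.255.255.255 80   TCP
  Service Manager Details:
    Manager Addr: 172.26.56.77         Insert Time: 09:02:11 UTC 04/18/96
  Action Details:
    Interest Addr: 172.26.56.77        Interest Port: 1638
    Interest Packet: 0x8000 ALLPKTS
    Interest Tickle: 0x8000 ALLPKTS
    Dispatch (Layer 2): YES            Dispatch Address: 172.26.56.33
"""


def decode_interest(mask):
    """Expand a mask such as 0x0107 into the flag names IOS prints after it."""
    names = [name for bit, name in sorted(INTEREST_BITS.items()) if mask & bit]
    unknown = mask & ~sum(INTEREST_BITS)
    if unknown:
        names.append("UNKNOWN(0x%04x)" % unknown)
    return names


def parse_wildcard_detail(text):
    """Parse 'show ip casa wildcard detail' output into one dict per wildcard."""
    entries, current = [], None
    for line in text.splitlines():
        stripped = line.strip()
        row = ROW_RE.match(stripped)
        if row:
            current = row.groupdict()
            current["fields"] = {}
            entries.append(current)
        elif current is not None:
            for key, value in KV_RE.findall(stripped):
                current["fields"][key] = value
    for e in entries:
        f = e["fields"]
        e["manager"] = f.get("Manager Addr")
        e["packet_mask"] = int(f.get("Interest Packet", "0"), 16)
        e["tickle_mask"] = int(f.get("Interest Tickle", "0"), 16)
        e["dispatch"] = f.get("Dispatch (Layer 2)")
        e["dispatch_addr"] = f.get("Dispatch Address")
    return entries


def review_wildcards(entries, trusted_managers):
    """Flag unexpected managers, full-packet copies of all traffic, and L2 rewrites."""
    findings = []
    for e in entries:
        label = "%s/%s -> %s/%s %s" % (e["src"], e["src_mask"], e["dst"], e["dst_mask"], e["prot"])
        if e["manager"] not in trusted_managers:
            findings.append("%s: installed by unexpected services manager %s" % (label, e["manager"]))
        if "ALLPKTS" in decode_interest(e["tickle_mask"]):
            findings.append("%s: full copy of every matching packet goes to %s" % (label, e["fields"].get("Interest Addr")))
        if e["dispatch"] == "YES":
            findings.append("%s: Layer 2 dispatch rewrites the destination to %s" % (label, e["dispatch_addr"]))
    return findings
```

Run review_wildcards against the set of services managers you expect on the segment; the first two wildcards produce no findings, the constructed third one produces three.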
Syntax Description ip-address (Optional) Specifies the IP address of the DHCP client for which bindings
will be displayed.
Usage Guidelines This command is used to display DHCP binding information for IP address assignment and subnet
allocation. If the address is not specified, all address bindings are shown. Otherwise, only the binding
for the specified client is displayed. The output from this command displays binding information for
individual IP address assignment and allocated subnets. The output that is generated for DHCP IP
address assignment and subnet allocation is almost identical, except that subnet leases display an IP
address followed by the subnet mask (which shows the size of the allocated subnet). Bindings for
individual IP address only display an IP address and are not followed by a subnet mask.
Field Description
IP address The IP address of the host as recorded on the DHCP server.
Hardware address The MAC address or client identifier of the host as recorded on
the DHCP server.
Lease expiration The lease expiration date and time of the IP address of the host.
Type The manner in which the IP address was assigned to the host.
Field Description
IP address The IP address of the host as recorded on the DHCP server. The
subnet that follows the IP address (/26) in the example defines
this binding as a subnet allocation binding.
Hardware address The MAC address or client identifier of the host as recorded on
the DHCP server.
Lease expiration The lease expiration date and time of the IP address of the host.
Type The manner in which the IP address was assigned to the host.
Syntax Description ip-address (Optional) Specifies the IP address of the conflict found.
Usage Guidelines The server uses ping to detect conflicts. The client uses gratuitous Address Resolution Protocol (ARP)
to detect clients. If an address conflict is detected, the address is removed from the pool and the address
is not assigned until an administrator resolves the conflict.
Examples The following example displays the detection method and detection time for all IP addresses the DHCP
server has offered that have conflicts with other devices. Table 13 lists descriptions of the fields in the
example.
Router# show ip dhcp conflict
Field Description
IP address The IP address of the host as recorded on the DHCP server.
Detection Method The manner in which the IP address of the host was found on the DHCP
server. Can be a ping or a gratuitous ARP.
Detection time The date and time when the conflict was found.
Command Description
ip dhcp ping packets Specifies the number of packets a Cisco IOS DHCP server sends to a pool
address as part of a ping operation.
ip dhcp ping timeout Specifies how long a Cisco IOS DHCP server waits for a ping reply from an
address pool.
Syntax Description url (Optional) Specifies the remote file used to store automatic DHCP bindings.
Following are the acceptable URL file formats:
• tftp://host/filename
• ftp://user:password@host/filename
• rcp://user@host/filename
Defaults If a URL is not specified, all database agent records are shown. Otherwise, only information about the
specified agent is displayed.
Examples The following example shows all DHCP server database agent information. Table 14 lists descriptions
for each field in the example.
Router# show ip dhcp database
URL : ftp://user:password@172.16.4.253/router-dhcp
Read : Dec 01 1997 12:01 AM
Written : Never
Status : Last read succeeded. Bindings have been loaded in RAM.
Delay : 300 seconds
Timeout : 300 seconds
Failures : 0
Successes : 1
Field Description
URL Specifies the remote file used to store automatic DHCP bindings. Following
are the acceptable URL file formats:
• tftp://host/filename
• ftp://user:password@host/filename
• rcp://user@host/filename
Read The last date and time bindings were read from the file server.
Written The last date and time bindings were written to the file server.
Status Indication of whether the last read or write of host bindings was successful.
Delay The amount of time (in seconds) to wait before updating the database.
Timeout The amount of time (in seconds) before the file transfer is aborted.
Failures The number of failed file transfers.
Successes The number of successful file transfers.
Usage Guidelines Imported option parameters are not part of the router configuration and are not saved in NVRAM. Thus,
the show ip dhcp import command is necessary to display the imported option parameters.
Examples The following is sample output from the show ip dhcp import command:
Router# show ip dhcp import
The following example indicates the imported values, which are domain name and NetBIOS name
information:
Domain Name Server(s): 1.1.1.1
NetBIOS Name Server(s): 3.3.3.3
Syntax Description name (Optional) Displays information about a specific address pool. If not
specified, displays information about all address pools.
Usage Guidelines Use this command to determine the subnets allocated and to examine the current utilization level for the
pool or all the pools if the name argument is not used.
Examples The following example shows DHCP address pool information for pool 1. Table 15 lists descriptions for
each field in the example.
Router# show ip dhcp pool 1
Pool 1:
Utilization mark (high/low) : 85 / 15
Subnet size (first/next) : 24 / 24 (autogrow)
VRF name : RED
Total addresses : 28
Leased addresses : 11
Pending event : none
2 subnets are currently in the pool :
Current index IP address range Leased addresses
10.1.1.12 10.1.1.1 - 10.1.1.14 11
10.1.1.17 10.1.1.17 - 10.1.1.30 0
Field Description
Pool 1 The name of the pool.
Utilization mark The configured high and low utilization level for the pool.
(high/low)
Subnet size (first/next) The size of the requested subnets.
VRF name The VRF name to which the pool is associated.
Total addresses The total number of addresses in the pool.
Leased addresses The number of leased addresses in the pool.
Pending event Displays any pending events.
2 subnets are currently The number of subnets allocated to the address pool.
in the pool
Current index Displays the current index.
IP address range The IP address range of the subnets.
Leased addresses The number of leased addresses from each subnet.
Examples The following example displays DHCP server statistics. Table 16 lists descriptions for each field in the
example.
Router> show ip dhcp server statistics
Message Received
BOOTREQUEST 12
DHCPDISCOVER 200
DHCPREQUEST 178
DHCPDECLINE 0
DHCPRELEASE 0
DHCPINFORM 0
Message Sent
BOOTREPLY 12
DHCPOFFER 190
DHCPACK 172
DHCPNAK 6
Field Description
Memory usage The number of bytes of RAM allocated by the DHCP server.
Address pools The number of configured address pools in the DHCP database.
Database agents The number of database agents configured in the DHCP database.
Automatic bindings The number of IP addresses that have been automatically mapped to the
MAC addresses of hosts that are found in the DHCP database.
Manual bindings The number of IP addresses that have been manually mapped to the MAC
addresses of hosts that are found in the DHCP database.
Expired bindings The number of expired leases.
Malformed messages The number of truncated or corrupted messages that were received by the
DHCP server.
Secure arp entries The number of ARP entries that have been secured to the MAC address of
the client interface.
Message The DHCP message type that was received by the DHCP server.
Received The number of DHCP messages that were received by the DHCP server.
Sent The number of DHCP messages that were sent by the DHCP server.
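The counters shown by show ip dhcp server statistics are cumulative since the server started, so they are most useful when two snapshots are compared. The following is an added example (not Cisco code, not part of this reference) that parses the output into its three blocks, computes the per-counter increase between two snapshots, and reports conditions an operator would want to know about: a burst of DHCPDISCOVER messages with few DHCPREQUEST messages following them, malformed messages, a high NAK rate, or DHCPDECLINE messages (which the client sends after its gratuitous ARP detects a conflict). The message counts in the first snapshot are the ones shown above; the memory and binding counters, the second snapshot, and the thresholds are constructed for the example.

```python
import re

# Constructed 'show ip dhcp server statistics' output. The message counts are
# those in the sample above; the first block of counters is made up.
SNAPSHOT_T0 = """\
Memory usage         40392
Address pools        3
Database agents      1
Automatic bindings   190
Manual bindings      1
Expired bindings     3
Malformed messages   0
Secure arp entries   0

Message              Received
BOOTREQUEST          12
DHCPDISCOVER         200
DHCPREQUEST          178
DHCPDECLINE          0
DHCPRELEASE          0
DHCPINFORM           0

Message              Sent
BOOTREPLY            12
DHCPOFFER            190
DHCPACK              172
DHCPNAK              6
"""

# Constructed later snapshot: 700 more DISCOVERs but only 12 more REQUESTs,
# plus four malformed messages.
SNAPSHOT_T1 = """\
Memory usage         41200
Address pools        3
Database agents      1
Automatic bindings   190
Manual bindings      1
Expired bindings     5
Malformed messages   4
Secure arp entries   0

Message              Received
BOOTREQUEST          12
DHCPDISCOVER         900
DHCPREQUEST          190
DHCPDECLINE          0
DHCPRELEASE          2
DHCPINFORM           0

Message              Sent
BOOTREPLY            12
DHCPOFFER            890
DHCPACK              184
DHCPNAK              6
"""

COUNTER_RE = re.compile(r"^([A-Za-z][A-Za-z ]*?)\s+(\d+)\s*$")


def parse_dhcp_stats(text):
    """Return {'general': {...}, 'received': {...}, 'sent': {...}} of counters."""
    stats = {"general": {}, "received": {}, "sent": {}}
    section = "general"
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("Message"):
            section = line.split()[-1].lower()  # 'received' or 'sent'
            continue
        m = COUNTER_RE.match(line)
        if m:
            stats[section][m.group(1)] = int(m.group(2))
    return stats


def delta(newer, older):
    """Per-counter increase between two snapshots (the counters are cumulative)."""
    return {section: {k: v - older[section].get(k, 0) for k, v in newer[section].items()}
            for section in newer}


def assess(stats, discover_burst=100, min_request_ratio=0.5, max_nak_ratio=0.1):
    """Findings over a snapshot or a delta. Thresholds are assumptions for this example."""
    findings = []
    rx, tx, gen = stats["received"], stats["sent"], stats["general"]
    discovers, requests = rx.get("DHCPDISCOVER", 0), rx.get("DHCPREQUEST", 0)
    if discovers >= discover_burst and requests < discovers * min_request_ratio:
        findings.append("%d DISCOVERs but only %d REQUESTs: clients are soliciting offers "
                        "without completing leases" % (discovers, requests))
    if gen.get("Malformed messages", 0) > 0:
        findings.append("%d malformed DHCP messages received" % gen["Malformed messages"])
    naks = tx.get("DHCPNAK", 0)
    if requests and naks > requests * max_nak_ratio:
        findings.append("%d of %d REQUESTs answered with NAK" % (naks, requests))
    if rx.get("DHCPDECLINE", 0) > 0:
        findings.append("%d DECLINEs: clients detected address conflicts" % rx["DHCPDECLINE"])
    return findings
```

Polling the command on a schedule and feeding consecutive snapshots to delta() turns these counters into rates; assess() over the first snapshot alone reports nothing, while the delta between the two constructed snapshots reports the DISCOVER burst and the malformed messages.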
show ip drp
To display information about the Director Response Protocol (DRP) Server Agent for
DistributedDirector, use the show ip drp command in user EXEC or privileged EXEC mode.
show ip drp
Examples The following is sample output from the show ip drp command:
Router# show ip drp
Field Description
director requests Number of DRP requests that have been received (including
any using authentication key-chain encryption that failed).
successful lookups Number of successful DRP lookups that produced responses.
failures Number of DRP failures (for various reasons including
authentication key-chain encryption failures).
show ip interface
To display the usability status of interfaces configured for IP, use the show ip interface EXEC command.
Usage Guidelines The Cisco IOS software automatically enters a directly connected route in the routing table if the
interface is usable. A usable interface is one through which the software can send and receive packets.
If the software determines that an interface is not usable, it removes the directly connected routing entry
from the routing table. Removing the entry allows the software to use dynamic routing protocols to
determine backup routes to the network, if any.
If the interface can provide two-way communication, the line protocol is marked “up.” If the interface
hardware is usable, the interface is marked “up.”
If you specify an optional interface type, you will see only information on that specific interface.
If you specify no optional arguments, you will see information on all the interfaces.
When an asynchronous interface is encapsulated with PPP or Serial Line Internet Protocol (SLIP), IP
fast switching is enabled. A show ip interface command on an asynchronous interface encapsulated
with PPP or SLIP displays a message indicating that IP fast switching is enabled.
Examples The following is sample output from the show ip interface command:
Router# show ip interface
Field Description
Ethernet0 is up If the interface hardware is usable, the interface is marked “up.”
For an interface to be usable, both the interface hardware and line
protocol must be up.
line protocol is up If the interface can provide two-way communication, the line
protocol is marked “up.” For an interface to be usable, both the
interface hardware and line protocol must be up.
Internet address and subnet mask IP Internet address and subnet mask of the interface.
Broadcast address Displays the broadcast address.
Address determined by... Indicates how the IP address of the interface was determined.
MTU Displays the MTU value set on the interface.
Helper address Displays a helper address, if one has been set.
Secondary address Displays a secondary address, if one has been set.
Directed broadcast forwarding Indicates whether directed broadcast forwarding is enabled.
Multicast groups joined Indicates the multicast groups this interface is a member of.
Outgoing access list Indicates whether the interface has an outgoing access list set.
Inbound access list Indicates whether the interface has an incoming access list set.
Proxy ARP Indicates whether Proxy Address Resolution Protocol (ARP) is
enabled for the interface.
Security level Specifies the IP Security Option (IPSO) security level set for this
interface.
Split horizon Indicates that split horizon is enabled.
ICMP redirects Specifies whether redirect messages will be sent on this interface.
ICMP unreachables Specifies whether unreachable messages will be sent on this
interface.
ICMP mask replies Specifies whether mask replies will be sent on this interface.
IP fast switching Specifies whether fast switching has been enabled for this
interface. It is generally enabled on serial interfaces, such as this
one.
IP Flow switching Specifies whether Flow switching is enabled for this interface.
IP CEF switching Specifies whether Cisco Express Forwarding (CEF) is enabled for
the interface.
IP multicast fast switching Specifies whether multicast fast switching is enabled for the
interface.
IP route-cache flags Fast, Flow Specifies whether NetFlow has been enabled on an interface.
init, CEF, Ingress Flow Displays “Flow init” to specify that NetFlow is enabled on the
interface. Displays “Ingress Flow” to specify that NetFlow is
enabled on a subinterface using the ip flow ingress command.
Specifies “Flow” to specify that NetFlow is enabled on a main
interface using the ip route-cache flow command.
IP SSE switching Specifies whether IP silicon switching engine (SSE) is enabled.
Router Discovery Specifies whether the discovery process has been enabled for this
interface. It is generally disabled on serial interfaces.
IP output packet accounting Specifies whether IP accounting is enabled for this interface and
what the threshold (maximum number of entries) is.
TCP/IP header compression Indicates whether compression is enabled or disabled.
Probe proxy name Indicates whether HP Probe proxy name replies are generated.
WCCP Redirect outbound is Indicates the status of whether packets received on an interface are
enabled redirected to a cache engine. Displays “enabled” or “disabled.”
WCCP Redirect exclude is Indicates the status of whether packets targeted for an interface
disabled will be excluded from being redirected to a cache engine. Displays
“enabled” or “disabled.”
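Several of the fields above (directed broadcast forwarding, proxy ARP, ICMP redirects and unreachables, inbound access list) are exactly the per-interface settings reviewed in a hardening audit, and the usability rule stated in the Usage Guidelines (both hardware and line protocol must be up) decides which interfaces matter. The following is an added example, not Cisco code and not part of this reference: it parses show ip interface output into one record per interface and reports the settings that are enabled on usable interfaces, requiring an inbound access list only on interfaces the caller marks as untrusted. The sample output is constructed (addresses 192.168.10.1 and 203.0.113.2), and the set of checks is an assumption for this example.

```python
import re

# Constructed 'show ip interface' output for three interfaces.
SAMPLE_SHOW_IP_INTERFACE = """\
Ethernet0 is up, line protocol is up
  Internet address is 192.168.10.1/24
  Address determined by non-volatile memory
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound  access list is 101
  Proxy ARP is disabled
  ICMP redirects are never sent
  ICMP unreachables are never sent
Serial0 is up, line protocol is up
  Internet address is 203.0.113.2/30
  Address determined by setup command
  Directed broadcast forwarding is enabled
  Outgoing access list is not set
  Inbound  access list is not set
  Proxy ARP is enabled
  ICMP redirects are always sent
  ICMP unreachables are always sent
Ethernet1 is administratively down, line protocol is down
  Internet protocol processing disabled
"""

HEADER_RE = re.compile(r"^(\S+) is (.+?), line protocol is (\S+)$")

# (line prefix as printed by IOS, finding text). Assumed check list for this example.
CHECKS = [
    ("Directed broadcast forwarding is enabled", "directed broadcast forwarding enabled"),
    ("Proxy ARP is enabled", "proxy ARP enabled"),
    ("ICMP redirects are always sent", "ICMP redirects sent"),
    ("ICMP unreachables are always sent", "ICMP unreachables sent"),
    ("Inbound access list is not set", "no inbound access list"),
]


def parse_ip_interface(text):
    """Return {name: {'hw_state', 'line_protocol', 'props': [normalized lines]}}."""
    interfaces, current = {}, None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            current = {"hw_state": m.group(2), "line_protocol": m.group(3), "props": []}
            interfaces[m.group(1)] = current
        elif current is not None and line.startswith("  "):
            # Collapse runs of spaces ("Inbound  access list") so prefixes compare cleanly.
            current["props"].append(" ".join(line.split()))
    return interfaces


def prop(iface, prefix):
    """Return the property line beginning with prefix, or None."""
    return next((p for p in iface["props"] if p.startswith(prefix)), None)


def is_usable(iface):
    """Usability rule from the command description: hardware and line protocol both up."""
    return iface["hw_state"] == "up" and iface["line_protocol"] == "up"


def ip_address(iface):
    p = prop(iface, "Internet address is ")
    return p[len("Internet address is "):] if p else None


def audit(interfaces, untrusted):
    """Map interface name -> list of findings, for usable interfaces only."""
    findings = {}
    for name, iface in interfaces.items():
        if not is_usable(iface):
            continue
        hits = [msg for prefix, msg in CHECKS if prop(iface, prefix) is not None]
        if name not in untrusted:
            hits = [h for h in hits if h != "no inbound access list"]
        if hits:
            findings[name] = hits
    return findings
```

Interfaces that are down are skipped because, as the Usage Guidelines note, no traffic is forwarded through them; re-run the audit after an interface comes up.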
show ip irdp
To display ICMP Router Discovery Protocol (IRDP) values, use the show ip irdp EXEC command.
show ip irdp
Examples The following is sample output from the show ip irdp command:
Router# show ip irdp
As the display shows, show ip irdp output indicates whether router discovery has been configured for
each router interface, and it lists the values of router discovery configurables for those interfaces on
which router discovery has been enabled. Explanations for the less obvious lines of output in the display
are as follows:
Advertisements will occur between every 450 and 600 seconds.
This indicates the configured minimum and maximum advertising interval for the interface.
Advertisements are valid for 1800 seconds.
This indicates the configured (or in this case default) preference value for the interface.
show ip masks
To display the masks used for network addresses and the number of subnets using each mask, use the
show ip masks EXEC command.
Usage Guidelines The show ip masks command is useful for debugging when a variable-length subnet mask (VLSM) is
used. It shows the number of masks associated with the network and the number of routes for each mask.
Examples The following is sample output from the show ip masks command:
Router# show ip masks 131.108.0.0
Examples The following is sample output from the show ip nat statistics command:
Router# show ip nat statistics
Field Description
Total translations Number of translations active in the system. This number is
incremented each time a translation is created and is decremented
each time a translation is cleared or times out.
Outside interfaces List of interfaces marked as outside with the ip nat outside
command.
Inside interfaces List of interfaces marked as inside with the ip nat inside command.
Hits Number of times the software does a translations table lookup and
finds an entry.
Misses Number of times the software does a translations table lookup, fails
to find an entry, and must try to create one.
Expired translations Cumulative count of translations that have expired since the router
was booted.
Dynamic mappings Indicates that the information that follows is about dynamic
mappings.
Inside Source The information that follows is about an inside source translation.
access-list Access list number being used for the translation.
pool Name of the pool (in this case, net-208).
refcount Number of translations using this pool.
netmask IP network mask being used in the pool.
start Starting IP address in the pool range.
end Ending IP address in the pool range.
type Type of pool. Possible types are generic or rotary.
total addresses Number of addresses in the pool available for translation.
allocated Number of addresses being used.
misses Number of failed allocations from the pool.
show ip nat translations [esp] [icmp] [pptp] [tcp] [udp] [verbose] [vrf vrf-name]
Syntax Description esp (Optional) Displays Encapsulating Security Payload (ESP) entries.
icmp (Optional) Displays Internet Control Message Protocol (ICMP) entries.
pptp (Optional) Displays Point-to-Point Tunneling Protocol (PPTP) entries.
tcp (Optional) Displays TCP protocol entries.
udp (Optional) Displays User Datagram Protocol (UDP) entries.
verbose (Optional) Displays additional information for each translation table entry,
including how long ago the entry was created and used.
vrf vrf-name (Optional) Displays VPN routing and forwarding (VRF) traffic-related
information.
Examples The following is sample output from the show ip nat translations command. Without overloading, two
inside hosts are exchanging packets with some number of outside hosts.
Router# show ip nat translations
With overloading, a translation for a Domain Name Server (DNS) transaction is still active, and
translations for two Telnet sessions (from two different hosts) are also active. Note that two different
inside hosts appear on the outside with a single IP address.
Router# show ip nat translations
The following is sample output that includes the esp and verbose keywords:
Field Description
Pro Protocol of the port identifying the address.
Inside global The legitimate IP address that represents one or more inside local IP
addresses to the outside world.
Inside local The IP address assigned to a host on the inside network; probably not
a legitimate address assigned by the Network Interface Card (NIC) or
service provider.
Outside local IP address of an outside host as it appears to the inside network;
probably not a legitimate address assigned by the NIC or service
provider.
Outside global The IP address assigned to a host on the outside network by its owner.
create How long ago the entry was created (in hours:minutes:seconds).
use How long ago the entry was last used (in hours:minutes:seconds).
flags Indication of the type of translation. Possible flags are:
• extended—Extended translation
• static—Static translation
• destination—Rotary translation
• outside—Outside translation
• timing out—Translation will no longer be used, due to a TCP
finish (FIN) or reset (RST) flag.
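The field table above describes the translation table without showing the rows themselves. The following is an added example (not Cisco code, not part of this reference) that parses show ip nat translations verbose output into the four address pairs plus the create, use and flags values, then answers the questions an operator usually has: which inside global addresses are shared by more than one inside host (the overloading case described above), how many active translations each inside host holds, and which entries are static. The sample rows are constructed (203.0.113.x outside, 192.168.1.x inside, 198.51.100.x remote); the column layout follows the field names in the table.

```python
import re
from collections import defaultdict

# Constructed 'show ip nat translations verbose' output. Two inside hosts
# (192.168.1.95 and 192.168.1.89) share the inside global 203.0.113.9.
SAMPLE_NAT_TRANSLATIONS = """\
Pro Inside global      Inside local       Outside local      Outside global
--- 203.0.113.9        192.168.1.95       ---                ---
tcp 203.0.113.9:1024   192.168.1.95:1024  198.51.100.7:23    198.51.100.7:23
    create 00:01:13, use 00:00:50, flags: extended
tcp 203.0.113.9:1025   192.168.1.89:1024  198.51.100.7:23    198.51.100.7:23
    create 00:00:41, use 00:00:03, flags: extended
udp 203.0.113.9:1220   192.168.1.95:1220  198.51.100.53:53   198.51.100.53:53
    create 00:00:02, use 00:00:00, flags: extended, timing out
--- 203.0.113.10       192.168.1.10       ---                ---
    create 48:00:00, use 00:00:00, flags: static
"""

ROW_RE = re.compile(r"^(?P<pro>\S+)\s+(?P<ig>\S+)\s+(?P<il>\S+)\s+(?P<ol>\S+)\s+(?P<og>\S+)\s*$")
VERBOSE_RE = re.compile(r"create (\S+), use (\S+), flags: (.*)$")


def split_endpoint(token):
    """'10.0.0.1:1024' -> ('10.0.0.1', 1024); '10.0.0.1' -> ('10.0.0.1', None); '---' -> (None, None)."""
    if token == "---":
        return None, None
    if ":" in token:
        addr, port = token.rsplit(":", 1)
        return addr, int(port)
    return token, None


def parse_nat_translations(text):
    """One dict per translation: pro, ig/il/ol/og (+ _port), create, use, flags."""
    entries = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Pro "):
            continue
        vm = VERBOSE_RE.search(stripped)
        if vm and entries:  # verbose line belongs to the preceding row
            entries[-1]["create"], entries[-1]["use"] = vm.group(1), vm.group(2)
            entries[-1]["flags"] = [f.strip() for f in vm.group(3).split(",")]
            continue
        rm = ROW_RE.match(stripped)
        if not rm:
            continue
        e = {"pro": rm.group("pro").lower(), "create": None, "use": None, "flags": []}
        for key in ("ig", "il", "ol", "og"):
            e[key], e[key + "_port"] = split_endpoint(rm.group(key))
        entries.append(e)
    return entries


def overloaded_globals(entries):
    """Inside global addresses that front more than one inside local host."""
    locals_by_global = defaultdict(set)
    for e in entries:
        if e["ig"] and e["il"]:
            locals_by_global[e["ig"]].add(e["il"])
    return {g: sorted(hosts) for g, hosts in locals_by_global.items() if len(hosts) > 1}


def sessions_by_inside_host(entries):
    """Count of extended (per-connection) translations per inside local host."""
    counts = defaultdict(int)
    for e in entries:
        if e["il"] and e["og"]:  # address-only rows have no outside global
            counts[e["il"]] += 1
    return dict(counts)


def static_entries(entries):
    """Translations configured statically, i.e. inside hosts permanently reachable from outside."""
    return [e for e in entries if "static" in e["flags"]]
```

A single inside host holding far more translations than its peers, or a static entry nobody remembers configuring, are the two results worth alerting on when this runs on a schedule.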
show ip nhrp
To display the Next Hop Resolution Protocol (NHRP) cache, use the show ip nhrp EXEC command.
Syntax Description dynamic (Optional) Displays only the dynamic (learned) IP-to-nonbroadcast multiaccess
(NBMA) address cache entries.
static (Optional) Displays only the static IP-to-NBMA address entries in the cache
(configured through the ip nhrp map command).
type (Optional) Interface type about which to display the NHRP cache (for example,
atm or tunnel).
number (Optional) Interface number about which to display the NHRP cache.
Examples The following is sample output from the show ip nhrp command:
Router# show ip nhrp
Field Description
10.0.0.2 255.255.255.255 IP address and its network mask in the IP-to-NBMA address
cache. The mask is currently always 255.255.255.255 because
we do not support aggregation of NBMA information through
NHRP.
ATM0/0 created 0:00:43 Interface type and number (in this case, ATM slot and port
numbers) and how long ago it was created
(hours:minutes:seconds).
expire 1:59:16 Time in which the positive and negative authoritative NBMA
address will expire (hours:minutes:seconds). This value is
based on the ip nhrp holdtime command.
Type • dynamic—NBMA address was obtained from NHRP
Request packet.
• static—NBMA address was statically configured.
Flags • authoritative—Indicates that the NHRP information was
obtained from the Next Hop Server or router that maintains
the NBMA-to-IP address mapping for a particular
destination.
• implicit—Indicates that the information was learned not
from an NHRP request generated from the local router, but
from an NHRP packet being forwarded or from an NHRP
request being received by the local router.
• negative—For negative caching; indicates that the
requested NBMA mapping could not be obtained.
NBMA address Nonbroadcast multiaccess address. The address format is
appropriate for the type of network being used (for example,
ATM, Ethernet, Switched Multimegabit Data Service (SMDS),
or multipoint tunnel).
Examples The following is sample output from the show ip nhrp traffic command:
Router# show ip nhrp traffic
Tunnel0
request packets sent: 2
request packets received: 4
reply packets sent: 4
reply packets received: 2
register packets sent: 0
register packets received: 0
error packets sent: 0
error packets received: 0
Field Description
Tunnel 0 Interface type and number.
request packets sent Number of NHRP request packets originated from this
station.
request packets received Number of NHRP request packets received by this station.
reply packets sent Number of NHRP reply packets originated from this station.
reply packets received Number of NHRP reply packets received by this station.
register packets sent Number of NHRP register packets originated from this
station. Currently, our routers and access servers do not send
register packets, so this value is 0.
register packets received Number of NHRP register packets received by this station.
Currently, our routers or access servers do not send register
packets, so this value is 0.
error packets sent Number of NHRP error packets originated by this station.
error packets received Number of NHRP error packets received by this station.
show ip redirects
To display the address of a default gateway (router) and the address of hosts for which an Internet
Control Message Protocol (ICMP) redirect message has been received, use the show ip redirects
command in user EXEC or privileged EXEC mode.
show ip redirects
Usage Guidelines This command displays the default router (gateway) as configured by the ip default-gateway command.
The ip mtu command enables the router to send ICMP redirect messages.
Examples The following is sample output from the show ip redirects command:
Router# show ip redirects
Syntax Description vrf (Optional) Specifies VPN routing and forwarding instance.
vrf-name (Optional) Name of the VRF.
ip-address (Optional) Address about which routing information should be displayed.
Usage Guidelines To display information about global routes, use the show ip route dhcp command. To display routes in
the VRF routing table, use the show ip route vrf vrf-name dhcp command.
Examples The following is sample output from the show ip route dhcp command when entered without an address.
This command lists all routes added by the Cisco IOS DHCP server and relay agent.
Router# show ip route dhcp
55.5.5.56/32 is directly connected, ATM0.2
55.5.5.217/32 is directly connected, ATM0.2
The following is sample output from the show ip route dhcp command when an address is specified.
The output shows the details of the address with the server address (who assigned it) and the lease
expiration time.
Router# show ip route dhcp 55.5.5.217
55.5.5.217 is directly connected, ATM0.2
DHCP Server: 49.9.9.10 Lease expires at Nov 08 2001 01:19 PM
The following is sample output from the show ip route vrf vrf-name dhcp command when entered
without an address:
Router# show ip route vrf red dhcp
55.5.5.218/32 is directly connected, ATM0.2
The following is sample output from the show ip route vrf vrf-name dhcp command when an address
is specified. The output shows the details of the address with the server address (who assigned it) and
the lease expiration time.
Router# show ip route vrf red dhcp 55.5.5.218
55.5.5.218/32 is directly connected, ATM0.2
DHCP Server: 49.9.9.10 Lease expires at Nov 08 2001 03:15PM
Syntax Description vserver (Optional) Displays only those connections associated with a
particular virtual server.
virtserver-name (Optional) Name of the virtual server to be monitored.
client (Optional) Displays only those connections associated with a
particular client IP address.
ip-address (Optional) IP address of the client to be monitored.
detail (Optional) Displays detailed connection information.
Defaults If no options are specified, the command displays output for all active IOS SLB connections.
Examples The following example shows IOS SLB active connection data:
router# show ip slb conns
Field Description
vserver Name of the virtual server whose connections are being monitored and
displayed. Information about each connection is displayed on a
separate line.
prot Protocol being used by the connection.
client Client IP address being used by the connection.
real Real IP address of the connection.
state Current state of the connection:
• CLOSING—IOS SLB TCP connection deactivated (awaiting a
delay timeout before cleaning up the connection).
• ESTAB—IOS SLB TCP connection processed a SYN-SYN/ACK
exchange between the client and server.
• FINCLIENT—IOS SLB TCP connection processed a FIN from the
client.
• FINSERVER—IOS SLB TCP connection processed a FIN from the
server.
• INIT—Initial state of the IOS SLB TCP connection.
• SYNBOTH—IOS SLB TCP connection processed one or more TCP
SYNs from both the client and the server.
• SYNCLIENT—IOS SLB TCP connection processed one or more
client TCP SYNs.
• SYNSERVER—IOS SLB TCP connection processed one or more
server TCP SYNs.
• ZOMBIE—Destruction of the IOS SLB TCP connection failed,
possibly because of bound flows. Destruction will proceed when the
flows are unbound.
DFP Manager:
Current passwd:NONE Pending passwd:NONE
Passwd timeout:0 sec
Uned errors:0
DFP Agent 161.44.2.34:61936 Connection state:Connected
Timeout = 0 Retry Count = 0 Interval = 180 (Default)
Security errors = 0
Last message received:10:20:26 UTC 11/02/99
Last reported Real weights for Protocol TCP, Port www
Host 17.17.17.17 1 Weight 1
Host 68.68.68.68 Bind ID 4 Weight 4
Host 85.85.85.85 Bind ID 5 Weight 5
Last reported Real weights for Protocol TCP, Port 22
Host 17.17.17.17 Bind ID 111 Weight 111
Real IP Address 17.17.17.17 Protocol TCP Port 22 Bind_ID 111 Weight 111
Set by Agent 161.44.2.3458490 at 132241 UTC 12/03/99
Real IP Address 17.17.17.17 Protocol TCP Port www Bind_ID 1 Weight 1
Set by Agent 161.44.2.3458490 at 132241 UTC 12/03/99
Field Description
Agent IP IP address of the agent about which information is being displayed.
Port Port number of the agent.
Timeout Time period (in seconds) during which the DFP manager must receive an update from the DFP agent. A value of 0 means there is no timeout.
Retry Count Number of times the DFP manager attempts to establish the TCP connection to the DFP agent. A value of 0 means there are infinite retries.
Interval Interval (in seconds) between retries.
show ip slb reals
Syntax Description
vserver (Optional) Displays information about only those real servers associated with a particular virtual server.
virtserver-name (Optional) Name of the virtual server.
detail (Optional) Displays detailed information.
Defaults If no options are specified, the command displays information about all real servers.
Examples The following example shows IOS SLB real server data:
router# show ip slb reals
Field Description
real IP address of the real server about which information is being displayed. Used to identify each real server. Information about each real server is displayed on a separate line.
server farm Name of the server farm to which the real server is associated.
weight Weight assigned to the real server. The weight identifies the capacity of the real server, relative to other real servers in the server farm.
state Current state of the real server:
• DFP_THROTTLED—DFP agent sent a weight of 0 for this real server (send no further connections to this real server).
• FAILED—Removed from use by the predictor algorithms; retry timer started.
• MAXCONNS—Maximum number of simultaneous active connections reached.
• OPERATIONAL—Functioning properly.
• OUTOFSERVICE—Removed from the load-balancing predictor lists.
• READY_TO_TEST—Queued for testing.
• TESTING—Queued for assignment.
Syntax Description
name (Optional) Displays information about only a particular server farm.
serverfarm-name (Optional) Name of the server farm.
detail (Optional) Displays detailed server farm information.
Examples The following example shows IOS SLB server farm data:
Field Description
server farm Name of the server farm about which information is being displayed. Information about each server farm is displayed on a separate line.
predictor Type of load-balancing algorithm (ROUNDROBIN or LEASTCONNS) used by the server farm.
reals Number of real servers configured in the server farm.
bind id Bind ID configured on the server farm.
Field Description
Pkts via normal switching Number of packets handled by the IOS SLB feature via normal switching since the last time counters were cleared.
Pkts via special switching Number of packets handled by the IOS SLB feature via special switching since the last time counters were cleared.
Connections Created Number of connections created since the last time counters were cleared.
Connections Established Number of connections created that have become established since the last time counters were cleared.
Connections Destroyed Number of connections destroyed since the last time counters were cleared.
Connections Reassigned Number of connections reassigned to a different real server since the last time counters were cleared.
Zombie Count Number of connections currently pending destruction, awaiting a timeout or some other condition to be met.
show ip slb sticky
Syntax Description
client (Optional) Displays only those sticky database entries associated with a particular client IP address.
ip-address (Optional) IP address of the client.
Defaults If no options are specified, the command displays information about all virtual servers.
Examples The following example shows the entries in the IOS SLB sticky database:
router# show ip slb sticky
Field Description
client Client IP address that is bound to this sticky assignment.
group Group ID for this sticky assignment.
real Real server used by all clients connecting with the client IP address detailed on this line.
conns Number of connections currently sharing this sticky assignment.
ftp-cntrl Number of FTP control connections currently using this sticky assignment.
Syntax Description
name (Optional) Displays information about only this virtual server.
virtserver-name (Optional) Name of the virtual server.
detail (Optional) Displays detailed virtual server information.
Defaults If no options are specified, the command displays information about all virtual servers.
Field Description
slb vserver Name of the virtual server about which information is being displayed. Information about each virtual server is displayed on a separate line.
prot Protocol being used by the virtual server detailed on a given line.
virtual Virtual IP address of the virtual server detailed on a given line.
state Current state of the virtual server detailed on a given line.
conns Number of connections associated with the virtual server detailed on a given line.
show ip snat
To display active Stateful Network Address Translation (SNAT) translations, use the show ip snat
command in EXEC mode.
Syntax Description
distributed (Optional) Displays information about the distributed NAT, including its peers and status.
verbose (Optional) Displays additional information for each translation table entry, including how long ago the entry was created and used.
peer ip-address (Optional) Displays TCP connection information between peer routers.
Examples The following is sample output from the show ip snat distributed command for stateful NAT connected peers:
Router# show ip snat distributed
The following is sample output from the show ip snat distributed verbose command for
stateful NAT connected peers:
:State READY
:Local Address 192.168.123.2
:Local NAT id 100
:Peer Address 192.168.123.3
:Peer NAT id 200
:Mapping List 10
:InMsgs 7, OutMsgs 7, tcb 0x63EBA408, listener 0x0
show ip sockets
To display IP socket information, use the show ip sockets command in user EXEC or privileged EXEC
mode.
show ip sockets
Usage Guidelines Use this command to verify that the socket being used is opening correctly. If there is a local and remote
endpoint, a connection is established with the ports indicated.
Examples The following is sample output from the show ip sockets command:
Router# show ip sockets
Field Description
Proto Protocol type, for example, User Datagram Protocol (UDP) or TCP.
Remote Remote address connected to this networking device. If the remote address is considered illegal, “--listen--” is displayed.
Port Remote port. If the remote address is considered illegal, “--listen--” is displayed.
Local Local address. If the local address is considered illegal or is the address 0.0.0.0, “--any--” displays.
Port Local port.
In Input queue size.
Out Output queue size.
Stat Various statistics for a socket.
TTY The tty number for the creator of this socket.
OutputIF Output IF string, if one exists.
show ip tcp header-compression
Examples The following is sample output from the show ip tcp header-compression command:
Router# show ip tcp header-compression
Field Description
Rcvd:
total Total number of TCP packets received.
compressed Total number of TCP packets compressed.
errors Unknown packets.
dropped Number of packets dropped due to invalid compression.
buffer copies Number of packets that needed to be copied into bigger buffers for decompression.
buffer failures Number of packets dropped due to a lack of buffers.
Sent:
total Total number of TCP packets sent.
compressed Total number of TCP packets compressed.
bytes saved Number of bytes reduced.
bytes sent Number of bytes sent.
efficiency improvement factor Improvement in line efficiency because of TCP header compression.
Connect:
slots Size of the cache.
long searches Indicates the number of times the software needed to look to find a match.
misses Indicates the number of times a match could not be made. If your output shows a large miss rate, then the number of allowable simultaneous compression connections may be too low.
hit ratio Percentage of times the software found a match and was able to compress the header.
Five minute miss rate Calculates the miss rate over the previous 5 minutes for a longer-term (and more accurate) look at miss rate trends.
max misses/sec Maximum value of the previous field.
show ip traffic
To display statistics about IP traffic, use the show ip traffic command in user EXEC or privileged EXEC
mode.
show ip traffic
Examples The following is sample output from the show ip traffic command:
Router# show ip traffic
IP statistics:
Rcvd: 98 total, 98 local destination
0 format errors, 0 checksum errors, 0 bad hop count
0 unknown protocol, 0 not a gateway
0 security failures, 0 bad options
Frags:0 reassembled, 0 timeouts, 0 too big
0 fragmented, 0 couldn't fragment
Bcast:38 received, 52 sent
Sent: 44 generated, 0 forwarded
0 encapsulation failed, 0 no route
ICMP statistics:
Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 0 unreachable
0 echo, 0 echo reply, 0 mask requests, 0 mask replies, 0 quench
0 parameter, 0 timestamp, 0 info request, 0 other
Sent: 0 redirects, 3 unreachable, 0 echo, 0 echo reply
0 mask requests, 0 mask replies, 0 quench, 0 timestamp
0 info reply, 0 time exceeded, 0 parameter problem
UDP statistics:
Rcvd: 56 total, 0 checksum errors, 55 no port
Sent: 18 total, 0 forwarded broadcasts
TCP statistics:
Rcvd: 0 total, 0 checksum errors, 0 no port
Sent: 0 total
EGP statistics:
Rcvd: 0 total, 0 format errors, 0 checksum errors, 0 no listener
Sent: 0 total
IGRP statistics:
Rcvd: 73 total, 0 checksum errors
Sent: 26 total
HELLO statistics:
Rcvd: 0 total, 0 checksum errors
Sent: 0 total
ARP statistics:
Rcvd: 20 requests, 17 replies, 0 reverse, 0 other
Field Description
format errors Indicates a gross error in the packet format, such as an impossible Internet header length.
bad hop count Occurs when a packet is discarded because its time-to-live (TTL) field was decremented to zero.
encapsulation failed Usually indicates that the router had no ARP request entry and therefore did not send a datagram.
no route Counted when the Cisco IOS software discards a datagram it did not know how to route.
proxy name replies Counted when the Cisco IOS software sends an ARP request or Probe Reply on behalf of another host. The display shows the number of probe proxy requests that have been received and the number of responses that have been sent.
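The counters above are cumulative, so what matters operationally is how they move between two polls. The following added example (not part of the Cisco reference) parses the show ip traffic output into nested dictionaries, computes per-counter deltas between two snapshots, and reports the error counters from the field descriptions that grew; both snapshots are constructed from the page's sample, with the second one altered to show a rise in security failures and received ICMP redirects.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample: the page's show ip traffic output (EGP/IGRP/HELLO sections omitted).
SAMPLE_T0 = """\
Router# show ip traffic
IP statistics:
  Rcvd: 98 total, 98 local destination
        0 format errors, 0 checksum errors, 0 bad hop count
        0 unknown protocol, 0 not a gateway
        0 security failures, 0 bad options
  Frags:0 reassembled, 0 timeouts, 0 too big
        0 fragmented, 0 couldn't fragment
  Bcast:38 received, 52 sent
  Sent: 44 generated, 0 forwarded
        0 encapsulation failed, 0 no route
ICMP statistics:
  Rcvd: 0 format errors, 0 checksum errors, 0 redirects, 0 unreachable
        0 echo, 0 echo reply, 0 mask requests, 0 mask replies, 0 quench
        0 parameter, 0 timestamp, 0 info request, 0 other
  Sent: 0 redirects, 3 unreachable, 0 echo, 0 echo reply
        0 mask requests, 0 mask replies, 0 quench, 0 timestamp
        0 info reply, 0 time exceeded, 0 parameter problem
UDP statistics:
  Rcvd: 56 total, 0 checksum errors, 55 no port
  Sent: 18 total, 0 forwarded broadcasts
TCP statistics:
  Rcvd: 0 total, 0 checksum errors, 0 no port
  Sent: 0 total
ARP statistics:
  Rcvd: 20 requests, 17 replies, 0 reverse, 0 other
"""

# Constructed second poll: the same router a few minutes later, with three counters moved.
SAMPLE_T1 = (
    SAMPLE_T0
    .replace("Rcvd: 98 total, 98 local destination", "Rcvd: 140 total, 140 local destination")
    .replace("0 security failures, 0 bad options", "2 security failures, 0 bad options")
    .replace("0 checksum errors, 0 redirects, 0 unreachable",
             "0 checksum errors, 5 redirects, 0 unreachable")
)

Stats = Dict[str, Dict[str, Dict[str, int]]]   # protocol -> direction -> counter -> value
Key = Tuple[str, str, str]

_SECTION = re.compile(r"^(\S+) statistics:$")          # "IP statistics:"
_DIRECTION = re.compile(r"^([A-Za-z]+):\s*(.*)$")       # "Rcvd: ...", "Frags:0 ..."
_COUNTER = re.compile(r"^(\d+)\s+(.+)$")                # "55 no port"


def parse_ip_traffic(text: str) -> Stats:
    """Turn show ip traffic output into nested dicts, e.g. stats["UDP"]["Rcvd"]["no port"]."""
    stats: Stats = {}
    section = direction = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = _SECTION.match(line)
        if m:
            section, direction = m.group(1), None
            stats[section] = {}
            continue
        m = _DIRECTION.match(line)
        if m and section is not None:
            direction = m.group(1)
            stats[section].setdefault(direction, {})
            line = m.group(2)
        if section is None or direction is None:
            continue  # prompt line or text outside any statistics block
        for item in line.split(","):
            c = _COUNTER.match(item.strip())
            if c:
                stats[section][direction][c.group(2)] = int(c.group(1))
    return stats


def counter_deltas(before: Stats, after: Stats) -> Dict[Key, int]:
    """Growth of every counter present in both polls; a counter that went down (clear) is skipped."""
    deltas: Dict[Key, int] = {}
    for section, directions in after.items():
        for direction, counters in directions.items():
            for name, value in counters.items():
                old = before.get(section, {}).get(direction, {}).get(name)
                if old is not None and value >= old:
                    deltas[(section, direction, name)] = value - old
    return deltas


# Error counters from the page's field descriptions that a healthy router keeps flat;
# growth between polls is worth a closer look (malformed traffic, unexpected redirects).
WATCHED: Tuple[Key, ...] = (
    ("IP", "Rcvd", "format errors"), ("IP", "Rcvd", "checksum errors"),
    ("IP", "Rcvd", "bad hop count"), ("IP", "Rcvd", "security failures"),
    ("IP", "Rcvd", "bad options"), ("ICMP", "Rcvd", "redirects"),
    ("TCP", "Rcvd", "checksum errors"), ("UDP", "Rcvd", "checksum errors"),
)


def rising_watched_counters(before: Stats, after: Stats) -> List[Key]:
    """Watched counters that grew between the two polls, in sorted order."""
    deltas = counter_deltas(before, after)
    return sorted(k for k in WATCHED if deltas.get(k, 0) > 0)


if __name__ == "__main__":
    t0, t1 = parse_ip_traffic(SAMPLE_T0), parse_ip_traffic(SAMPLE_T1)
    for key in rising_watched_counters(t0, t1):
        print("%s %s '%s' grew by %d" % (key + (counter_deltas(t0, t1)[key],)))
```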
show ip wccp
To display global statistics related to the Web Cache Communication Protocol (WCCP) feature, use the
show ip wccp command in EXEC mode.
Syntax Description
web-cache Directs the router to display statistics for the web cache service.
service-number The identification number of the cache engine service group being controlled by a router. The number can be from 0 to 99. For cache engine clusters using Cisco Cache Engines, the reverse proxy service is indicated by a value of 99.
view (Optional) Displays which other members of a particular service group have or have not been detected.
detail (Optional) Displays information for the router and all cache engines in the currently configured cluster.
Usage Guidelines Use the clear ip wccp command to reset the counter for the “Packets Redirected” information.
Examples This section contains examples and field descriptions for the three forms of this command:
• show ip wccp
• show ip wccp view
• show ip wccp detail
show ip wccp
The following example is sample output from the show ip wccp command:
Router# show ip wccp
Number of Routers:1
Total Packets Redirected:213
Redirect access-list:no_linux
Total Packets Denied Redirect:88
Total Packets Unassigned:-none-
Group access-list:0
Total Messages Denied to Group:0
Total Authentication failures:0
Service Name: 1
Number of Cache Engines:1
Number of Routers:2
Total Packets Redirected:198
Redirect access-list:-none-
Total Packets Denied Redirect:0
Total Packets Unassigned:0
Group access-list:11
Total Messages Denied to Group:0
Total Authentication failures:0
Field Description
Service Name Indicates which service is detailed.
Number of Cache Engines Number of Cisco cache engines using the router as their home router.
Number of Routers The number of routers in the service group.
Total Packets Redirected Total number of packets redirected by the router.
Redirect access-list The name or number of the access list that determines which packets will be redirected.
Total Packets Denied Redirect Total number of packets that were not redirected because they did not match the access list.
Total Packets Unassigned Number of packets that were not redirected because they were not assigned to any cache engine. Packets may not be assigned during initial discovery of cache engines or when a cache is dropped from a cluster.
Group access-list Indicates which cache engine is allowed to connect to the router.
Total Messages Denied to Group Indicates the number of messages disallowed by the router because they did not meet all the requirements of the service group.
Total Authentication failures The number of instances where a password did not match.
If any cache engine is displayed under the WCCP Cache Engines Not Visible field, the router needs to
be reconfigured to map the cache engine that is not visible to it.
Table 34 describes the significant fields shown in the display.
Field Description
WCCP Router Informed of A list of routers detected by the current router.
WCCP Cache Engines Visible A list of cache engines that are visible to the router and other cache engines in the service group.
WCCP Cache Engines Not Visible A list of cache engines in the service group that are not visible to the router and other cache engines in the service group.
Field Description
WCCP Router information The header for the area that contains fields for the IP address and version of WCCP associated with the router connected to the cache engine in the service group.
IP Address The IP address of the router connected to the cache engine in the service group.
Protocol Version The version of WCCP being used by the router in the service group.
WCCP Cache Engine Information Contains fields for information on cache engines.
IP Address The IP address of the cache engine in the service group.
Protocol Version The version of WCCP being used by the cache engine in the service group.
State Indicates whether the cache engine is operating properly and can be contacted by a router and other cache engines in the service group.
Initial Hash Info The initial state of the hash bucket assignment.
Assigned Hash Info The current state of the hash bucket assignment.
Hash Allotment The percent of buckets assigned to the current cache engine. Both a value and a percent figure are displayed.
Packets Redirected The number of packets that have been redirected to the cache engine.
Connect Time The amount of time it took for the cache engine to connect to the router.
show standby
To display Hot Standby Router Protocol (HSRP) information, use the show standby command in user
EXEC or privileged EXEC mode.
show standby [type number [group]] [active | init | listen | standby] [brief]
Syntax Description
type number (Optional) Interface type and number for which output is displayed.
group (Optional) Group number on the interface for which output is displayed.
active (Optional) Displays HSRP groups in the active state.
init (Optional) Displays HSRP groups in the initial state.
listen (Optional) Displays HSRP groups in the listen or learn state.
standby (Optional) Displays HSRP groups in the standby or speak state.
brief (Optional) A single line of output summarizes each standby group.
Usage Guidelines To specify a group, you must specify an interface type and number.
Examples The following is sample output from the show standby command:
Ethernet0/1 - Group 1
State is Active
2 state changes, last state change 00:30:59
Virtual IP address is 10.1.0.20
Secondary virtual IP address 10.1.0.21
Active virtual MAC address is 0004.4d82.7981
Local virtual MAC address is 0004.4d82.7981 (bia)
Hello time 4 sec, hold time 12 sec
Next hello sent in 1.412 secs
The following is sample output from the show standby command with an interface and the brief and
init keywords specified:
Router# show standby ethernet0/1 1 init brief
Interface Grp Prio P State Active addr Standby addr Group addr
Et0 0 120 Init 10.0.0.1 unknown 10.0.0.12
Field Description
Ethernet - Group Interface type and number and Hot Standby group number for the interface.
State is State of local router; can be one of the following:
• Active—Indicates the current Hot Standby router.
• Standby—Indicates the router next in line to be the Hot Standby router.
• Speak—Router is sending packets to claim the active or standby role.
• Listen—Router is neither in the active nor standby state, but if no messages are received from the active or standby router, it will start to speak.
• Learn—Router is neither in the active nor standby state, nor does it have enough information to attempt to claim the active or standby roles.
• Init or Disabled—Router is not yet ready or able to participate in HSRP, possibly because the associated interface is not up. HSRP groups configured on other routers on the network that are learned via snooping are displayed as being in the Init state. Locally configured groups with an interface that is down or groups without a specified interface IP address appear in the Init state. For these cases, the Active addr and Standby addr fields will show “unknown.” The state is listed as disabled in the fields when the standby ip command has not been specified.
Virtual IP address is, secondary virtual IP addresses All secondary virtual IP addresses are listed on separate lines. If one of the virtual IP addresses is a duplicate of an address configured for another device, it will be marked as “duplicate.” A duplicate address indicates that the router has failed to defend its ARP (Address Resolution Protocol) cache entry.
Active virtual MAC address Virtual MAC address being used by the current active router.
Local virtual MAC address Virtual MAC address that would be used if this router became the active router. The origin of this address (displayed in parentheses) can be “default,” “bia” (burned-in address) or “confgd” (configured).
Hello time, hold time The hello time is the time between hello packets (in seconds) based on the command. The holdtime is the time (in seconds) before other routers declare the active or standby router to be down, based on the standby timers command. All routers in an HSRP group use the hello and hold-time values of the current active router. If the locally configured values are different, the variance appears in parentheses after the hello time and hold-time values.
Next hello sent in ... Time in which the Cisco IOS software will send the next hello packet (in hours:minutes:seconds).
Preemption enabled, sync delay Indicates whether preemption is enabled. If enabled, the minimum delay is the time a higher-priority nonactive router will wait before preempting the lower-priority active router. The sync delay is the maximum time a group will wait to synchronize with the IP redundancy clients.
Active router is Value can be “local,” “unknown,” or an IP address. Address (and the expiration date of the address) of the current active Hot Standby router.
Standby router is Value can be “local,” “unknown,” or an IP address. Address (and the expiration date of the address) of the “standby” router (the router that is next in line to be the Hot Standby router).
expires in Time (in hours:minutes:seconds) in which the standby router will no longer be the standby router if the local router receives no hello packets from it.
Tracking List of interfaces that are being tracked and their corresponding states. Based on the standby track command.
show standby delay
Syntax Description
type number (Optional) Interface type and number for which output is displayed.
Examples The following is sample output from the show standby delay command:
Router# show standby delay
show tcp statistics
Examples The following is sample output from the show tcp statistics command:
Router# show tcp statistics
Field Description
Rcvd: Statistics in this section refer to packets received by the router.
Total Total number of TCP packets received.
no port Number of packets received with no port.
checksum error Number of packets received with checksum error.
bad offset Number of packets received with bad offset to data.
too short Number of packets received that were too short.
packets in sequence Number of data packets received in sequence.
dup packets Number of duplicate packets received.
partially dup packets Number of packets received with partially duplicated data.
out-of-order packets Number of packets received out of order.
packets with data after window Number of packets received with data that exceeded the window size of the receiver.
packets after close Number of packets received after the connection was closed.
window probe packets Number of window probe packets received.
window update packets Number of window update packets received.
dup ack packets Number of duplicate acknowledgment packets received.
ack packets with unsend data Number of acknowledgment packets received with unsent data.
ack packets Number of acknowledgment packets received.
Sent: Statistics in this section refer to packets sent by the router.
Total Total number of TCP packets sent.
urgent packets Number of urgent packets sent.
control packets Number of control packets (SYN, FIN, or RST) sent.
data packets Number of data packets sent.
data packets retransmitted Number of data packets re-sent.
ack only packets Number of packets sent that are acknowledgments only.
window probe packets Number of window probe packets sent.
window update packets Number of window update packets sent.
Connections initiated Number of connections initiated.
connections accepted Number of connections accepted.
connections established Number of connections established.
Connections closed Number of connections closed.
Total rxmt timeout Number of times the router tried to resend, but timed out.
connections dropped in rxmit timeout Number of connections dropped in the resend timeout.
Keepalive timeout Number of keepalive packets in the timeout.
keepalive probe Number of keepalive probes.
Connections dropped in keepalive Number of connections dropped in the keepalive.
show time-range ipc
Usage Guidelines The debug time-range ipc EXEC command must be enabled for the show time-range ipc command to display the time-range IPC message statistics.
Examples The following is sample output from the show time-range ipc command:
Router# show time-range ipc
The display lists the number of time-range updates and time-range deletes sent by the Route Processor.
show track
To display tracking information, use the show track command in user EXEC or privileged EXEC mode.
Syntax Description
object-number (Optional) Object number in the range from 1 to 500 representing the object to be tracked.
brief (Optional) Displays a single line of brief output.
interface (Optional) Displays tracked interface objects.
ip (Optional) Displays tracked IP route objects.
resolution (Optional) Displays resolution of tracked parameters.
timers (Optional) Displays polling interval timers.
Usage Guidelines Use this command to display information about objects that are tracked by the tracking process.
Examples The following example shows information about the state of IP routing on the interface being tracked:
Router# show track 1
Track 1
Interface Ethernet0/2 ip routing
IP routing is Down (no IP addr)
1 change, last change 00:01:08
Tracked by:
HSRP Ethernet0/3 1
The following example shows information about the line-protocol state on the interface being tracked:
Router# show track 1
Track 1
Interface Ethernet0/1 line-protocol
Line protocol is Up
1 change, last change 00:00:05
Tracked by:
HSRP Ethernet0/3 1
The following example shows information about the reachability of a route being tracked:
Router# show track 1
Track 1
IP route 10.16.0.0 255.255.0.0 reachablity
Reachability is Up (RIP)
1 change, last change 00:02:04
First-hop interface is Ethernet0/1
Tracked by:
HSRP Ethernet0/3 1
The following example shows information about the metric threshold of a route being tracked:
Router# show track 1
Track 1
IP route 10.16.0.0 255.255.0.0 metric threshold
Metric threshold is Up (RIP/6/102)
1 change, last change 00:00:08
Metric threshold down 255 up 254
First-hop interface is Ethernet0/1
Tracked by:
HSRP Ethernet0/3 1
The following example shows the object type, the interval in which it is polled, and the time until the
next poll:
Router# show track timers
Field Description
Track 1 Object number that is tracked.
Interface Ethernet0/2 ip routing Interface type, number, and object that is tracked.
IP routing is Down State value of the object, displayed as Up or Down. If the object is down, the reason is displayed.
1 change, last change Number of times the state of a tracked object has changed and the time (in hh:mm:ss) since the last change.
Tracked by Client process that is tracking the object.
First-hop interface Displays the first hop interface.
Object type Object type that is being tracked.
Poll interval Interval (in seconds) in which the tracking process polls the object.
Time to next poll Period of time until the next polling of the object.
Command Description
track ip route Tracks the state of an IP route and enters tracking configuration mode.
track timer Specifies the interval in which the tracking process polls the tracked object.
show vrrp
To display a brief or detailed status of one or all configured Virtual Router Redundancy Protocol (VRRP)
groups on the router, use the show vrrp command in user EXEC or privileged EXEC mode.
Syntax Description
brief (Optional) Provides a summary view of the group information.
group (Optional) Virtual router group number of the group for which information is to be displayed. The group number is configured with the vrrp ip command.
Examples The following is sample output from the show vrrp command:
Router# show vrrp
Ethernet1/0 - Group 1
State is Master
Virtual IP address is 10.2.0.10
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 3.000 sec
Preemption is enabled
min delay is 0.000 sec
Priority 100
Master Router is 10.2.0.1 (local), priority is 100
Master Advertisement interval is 3.000 sec
Master Down interval is 9.609 sec
Ethernet1/0 - Group 2
State is Master
Virtual IP address is 10.0.0.20
Virtual MAC address is 0000.5e00.0102
Advertisement interval is 1.000 sec
Preemption is enabled
min delay is 0.000 sec
Priority 95
Master Router is 10.0.0.1 (local), priority is 95
Master Advertisement interval is 1.000 sec
Field Description
Ethernet1/0 - Group Interface type and number, and VRRP group number.
State is Role this interface plays within VRRP (master or backup).
Virtual IP address is Virtual IP address for this interface.
Virtual MAC address is Virtual MAC address for this interface.
Advertisement interval is Interval (in seconds) at which the router will send VRRP advertisements when it is the master virtual router. This value is configured with the vrrp timers advertise command.
Preemption is Indication of whether preemption is enabled or disabled.
Priority Priority of the interface.
Master Router is IP address of the current master virtual router.
priority is Priority of the current master virtual router.
Master Advertisement interval is Advertisement interval (in seconds) of the master virtual router.
Master Down interval is Calculated time (in seconds) that the master virtual router can be down before the backup virtual router takes over.
The following is sample output from the show vrrp command with the brief keyword:
Router# show vrrp brief
Interface Grp Prio Time Own Pre State Master addr Group addr
Ethernet1/0 1 100 3609 P Master 1.0.0.4 1.0.0.10
Ethernet1/0 2 105 3589 P Master 1.0.0.4 1.0.0.20
Field Description
Interface Interface type and number.
Grp VRRP group to which this interface belongs.
Prio VRRP priority number for this interface.
Time Calculated time that the master virtual router can be down before the backup virtual router takes over.
Own IP address owner.
Pre Preemption. P indicates that preemption is enabled. If this field is empty, preemption is disabled.
State Role this interface plays within VRRP (master or backup).
Master addr IP address of the master virtual router.
Group addr IP address of the virtual router.
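The field table calls the Master Down interval a calculated value without giving the calculation. The following added example (not part of the Cisco reference) parses the show vrrp output reproduced above and checks each group against the RFC 3768 formula, Master_Down_Interval = 3 * Master_Adver_Interval + (256 - Priority) / 256, and against the RFC 3768 rule that the virtual MAC ends in the group number (0000.5e00.01xx); both rules come from the RFC, not from this page. It also shows that the displayed 9.609 and 3.628 seconds are the computed values truncated to milliseconds.

```python
import re
from typing import Dict, List

# Constructed sample: the page's show vrrp output for the two groups on Ethernet1/0.
SAMPLE = """\
Router# show vrrp
Ethernet1/0 - Group 1
State is Master
Virtual IP address is 10.2.0.10
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 3.000 sec
Preemption is enabled
min delay is 0.000 sec
Priority 100
Master Router is 10.2.0.1 (local), priority is 100
Master Advertisement interval is 3.000 sec
Master Down interval is 9.609 sec
Ethernet1/0 - Group 2
State is Master
Virtual IP address is 10.0.0.20
Virtual MAC address is 0000.5e00.0102
Advertisement interval is 1.000 sec
Preemption is enabled
min delay is 0.000 sec
Priority 95
Master Router is 10.0.0.1 (local), priority is 95
Master Advertisement interval is 1.000 sec
Master Down interval is 3.628 sec
"""

_GROUP = re.compile(r"^(\S+) - Group (\d+)$")
_FIELDS = {
    "state": re.compile(r"^State is (\w+)$"),
    "vip": re.compile(r"^Virtual IP address is (\S+)$"),
    "vmac": re.compile(r"^Virtual MAC address is (\S+)$"),
    "preempt": re.compile(r"^Preemption is (\w+)$"),
    "priority": re.compile(r"^Priority (\d+)$"),
    "master_adv": re.compile(r"^Master Advertisement interval is ([\d.]+) sec$"),
    "master_down": re.compile(r"^Master Down interval is ([\d.]+) sec$"),
}


def parse_show_vrrp(text: str) -> List[Dict]:
    """One dict per 'interface - Group n' block, with numeric fields converted."""
    groups: List[Dict] = []
    cur = None
    for raw in text.splitlines():
        line = raw.strip()
        m = _GROUP.match(line)
        if m:
            cur = {"interface": m.group(1), "group": int(m.group(2))}
            groups.append(cur)
            continue
        if cur is None:
            continue  # prompt line or anything before the first group block
        for key, rx in _FIELDS.items():
            m = rx.match(line)
            if m:
                cur[key] = m.group(1)
    for g in groups:
        g["priority"] = int(g["priority"])
        g["master_adv"] = float(g["master_adv"])
        g["master_down"] = float(g["master_down"])
    return groups


def master_down_interval(master_adv_sec: float, priority: int) -> float:
    """RFC 3768: Master_Down_Interval = 3 * Master_Adver_Interval + Skew_Time,
    where Skew_Time = (256 - Priority) / 256 (formula from the RFC, not from the page)."""
    return 3.0 * master_adv_sec + (256 - priority) / 256.0


def audit_vrrp(groups: List[Dict]) -> List[str]:
    """Consistency findings: displayed Master Down interval vs. the RFC 3768 value, and the
    virtual MAC's last octet vs. the group number (RFC 3768 fixes the MAC at 0000.5e00.01xx)."""
    findings: List[str] = []
    for g in groups:
        where = "%s group %d" % (g["interface"], g["group"])
        expected = master_down_interval(g["master_adv"], g["priority"])
        # IOS prints the interval truncated to milliseconds, so compare at that resolution.
        if int(expected * 1000) != round(g["master_down"] * 1000):
            findings.append("%s: Master Down interval %.3f s, expected %.3f s"
                            % (where, g["master_down"], expected))
        vrid = int(g["vmac"].replace(".", "")[-2:], 16)
        if vrid != g["group"]:
            findings.append("%s: virtual MAC %s does not encode the group number"
                            % (where, g["vmac"]))
    return findings


if __name__ == "__main__":
    groups = parse_show_vrrp(SAMPLE)
    for g in groups:
        print("%s group %d: computed master down %.6f s, displayed %.3f s"
              % (g["interface"], g["group"],
                 master_down_interval(g["master_adv"], g["priority"]), g["master_down"]))
    print(audit_vrrp(groups) or "no findings")
```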
show vrrp interface
Examples The following is sample output from the show vrrp interface command:
Router# show vrrp interface ethernet 1/0
Ethernet1/0 - Group 1
State is Master
Virtual IP address is 10.2.0.10
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 3.000 sec
Preemption is enabled
min delay is 0.000 sec
Priority 100
Master Router is 10.2.0.1 (local), priority is 100
Master Advertisement interval is 3.000 sec
Master Down interval is 9.609 sec
Ethernet1/0 - Group 2
State is Master
Virtual IP address is 10.0.0.20
Virtual MAC address is 0000.5e00.0102
Advertisement interval is 1.000 sec
Preemption is enabled
min delay is 0.000 sec
Priority 95
Master Router is 10.0.0.1 (local), priority is 95
Master Advertisement interval is 1.000 sec
Master Down interval is 3.628 sec
standby authentication
To configure an authentication string for the Hot Standby Router Protocol (HSRP), use the standby
authentication command in interface configuration mode. To delete an authentication string, use the no
form of this command.
Syntax Description
group-number (Optional) Group number on the interface to which this authentication string applies.
text string Authentication string. It can be up to eight characters long. The default string is cisco.
Examples The following example configures “word” as the authentication string required to allow Hot Standby
routers in group 1 to interoperate:
interface ethernet 0
standby 1 authentication text word
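Because the default string is the well-known value cisco and applies to every group that sets none, a configuration audit should flag both cases. The following added example (not from the Cisco reference) parses interface blocks of a constructed running-config excerpt, maps each HSRP group to its authentication string, and reports groups left at the default; it assumes the standby ip group number defaults to 0 when omitted (as the standby ip section states) and accepts the authentication line with or without the text keyword.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed running-config excerpt (not from the page): three interfaces with HSRP.
SAMPLE_CONFIG = """\
interface ethernet 0
 ip address 10.20.0.7 255.255.0.0
 standby 1 ip 10.20.0.1
 standby 1 authentication text word
!
interface ethernet 1
 ip address 10.21.0.7 255.255.0.0
 standby ip 10.21.0.1
!
interface ethernet 2
 ip address 10.22.0.7 255.255.0.0
 standby 2 ip 10.22.0.1
 standby 2 authentication cisco
!
"""

DEFAULT_STRING = "cisco"   # page: the default HSRP authentication string
DEFAULT_GROUP = 0          # page (standby ip): group number defaults to 0

GroupKey = Tuple[str, int]  # (interface name, HSRP group number)

_IFACE = re.compile(r"^interface\s+(.+)$")
_STANDBY_IP = re.compile(r"^standby(?:\s+(\d+))?\s+ip\b")
# 'text' is optional so both "authentication text word" and "authentication word" parse.
_STANDBY_AUTH = re.compile(r"^standby(?:\s+(\d+))?\s+authentication(?:\s+text)?\s+(\S+)$")


def parse_hsrp_groups(config: str) -> Dict[GroupKey, Optional[str]]:
    """Map each HSRP group to its configured authentication string (None when not set)."""
    groups: Dict[GroupKey, Optional[str]] = {}
    iface = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):           # top-level line: interface header or '!'
            m = _IFACE.match(line)
            iface = m.group(1) if m else None
            continue
        if iface is None:
            continue
        line = line.strip()
        m = _STANDBY_IP.match(line)
        if m:
            groups.setdefault((iface, int(m.group(1) or DEFAULT_GROUP)), None)
            continue
        m = _STANDBY_AUTH.match(line)
        if m:
            groups[(iface, int(m.group(1) or DEFAULT_GROUP))] = m.group(2)
    return groups


def audit_hsrp_auth(config: str) -> List[Tuple[str, int, str]]:
    """Groups whose authentication string is absent (default applies) or explicitly the default."""
    findings: List[Tuple[str, int, str]] = []
    for (iface, group), auth in sorted(parse_hsrp_groups(config).items()):
        if auth is None:
            findings.append((iface, group,
                             "no authentication string; default '%s' applies" % DEFAULT_STRING))
        elif auth == DEFAULT_STRING:
            findings.append((iface, group,
                             "authentication string is the default '%s'" % DEFAULT_STRING))
    return findings


if __name__ == "__main__":
    for iface, group, reason in audit_hsrp_auth(SAMPLE_CONFIG):
        print("interface %s, standby group %d: %s" % (iface, group, reason))
```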
Syntax Description
min-delay (Optional) Minimum time (in seconds) to delay HSRP group initialization after an interface comes up. This minimum delay period applies to all subsequent interface events.
reload-delay (Optional) Time (in seconds) to delay after the router has reloaded. This delay period applies only to the first interface-up event after the router has reloaded.
Usage Guidelines If the active router fails or is removed from the network, then the standby router will automatically
become the new active router. If the former active router comes back online, you can control whether it
takes over as the active router by using the standby preempt command.
However, in some cases, even if the standby preempt command is not configured, the former active
router will resume the active role after it reloads and comes back online. Use the standby delay
minimum reload command to set a delay period for HSRP group initialization. This command allows
time for the packets to get through before the router resumes the active role.
We recommend that you use the standby delay minimum reload command if the standby timers
command is configured in milliseconds or if HSRP is configured on a VLAN interface of a switch.
In most configurations, the default values provide sufficient time for the packets to get through and
configuring longer delay values is not necessary.
The delay will be cancelled if an HSRP packet is received on an interface.
Examples The following example sets the minimum delay period to 30 seconds and the delay period after the first
reload to 120 seconds:
interface ethernet 0
ip address 10.20.0.7 255.255.0.0
standby delay minimum 30 reload 120
standby ip
To activate the Hot Standby Router Protocol (HSRP), use the standby ip command in interface
configuration mode. To disable HSRP, use the no form of this command.
Syntax Description group-number (Optional) Group number on the interface for which HSRP is being activated.
The default is 0.
ip-address (Optional) IP address of the Hot Standby router interface.
secondary (Optional) Indicates the IP address is a secondary Hot Standby router interface.
Useful on interfaces with primary and secondary addresses; you can configure
primary and secondary HSRP addresses.
Usage Guidelines The standby ip command activates HSRP on the configured interface. If an IP address is specified, that
address is used as the designated address for the Hot Standby group. If no IP address is specified, the
designated address is learned through the standby function. For HSRP to elect a designated router, at
least one router on the cable must have been configured with, or have learned, the designated address.
Configuring the designated address on the active router always overrides a designated address that is
currently in use.
When the standby ip command is enabled on an interface, the handling of proxy ARP requests is
changed (unless proxy ARP was disabled). If the Hot Standby state of the interface is active, proxy ARP
requests are answered using the MAC address of the Hot Standby group. If the interface is in a different
state, proxy ARP responses are suppressed.
When group number 0 is used, no group number is written to NVRAM, providing backward
compatibility.
Examples The following example activates HSRP for group 1 on Ethernet interface 0. The IP address used by the
Hot Standby group will be learned using HSRP.
interface ethernet 0
standby 1 ip
In the following example, all three virtual IP addresses appear in the ARP table using the same (single)
virtual MAC address. All three virtual IP addresses are using the same HSRP group (group 0).
ip address 1.1.1.1 255.255.255.0
ip address 1.2.2.2 255.255.255.0 secondary
ip address 1.3.3.3 255.255.255.0 secondary
ip address 1.4.4.4 255.255.255.0 secondary
standby ip 1.1.1.254
standby ip 1.2.2.254 secondary
standby ip 1.3.3.254 secondary
standby mac-address
To specify a virtual MAC address for the Hot Standby Router Protocol (HSRP), use the standby
mac-address command in interface configuration mode. To revert to the standard virtual MAC address
(0000.0C07.ACxy), use the no form of this command.
Syntax Description group-number (Optional) Group number on the interface for which HSRP is being activated.
The default is 0.
mac-address MAC address.
Defaults If this command is not configured, and the standby use-bia command is not configured, the standard
virtual MAC address is used: 0000.0C07.ACxy, where xy is the group number in hexadecimal. This
address is specified in RFC 2281, Cisco Hot Standby Router Protocol (HSRP).
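The virtual MAC derivation above is simple enough to check by hand, but operators often need to do it the other way round: decide whether a MAC address seen in an ARP table or a packet capture is an HSRP virtual address, and for which group. The following Python is an added example written for this page, not Cisco code; it builds the 0000.0C07.ACxy address for a group number and recognizes that pattern in a few constructed ARP lines (the sample addresses and the assumption that group numbers stay in the 0 to 255 range covered by the xy byte are the author's own):

```python
# Added example (not from the Cisco reference): derive the standard HSRP
# virtual MAC address 0000.0C07.ACxy for a group number, and recognize such
# addresses in ARP-table text so virtual gateways can be told apart from the
# physical routers that serve them.


def hsrp_virtual_mac(group: int) -> str:
    """Return the default HSRP virtual MAC for a group, in Cisco dotted form.

    The reference defines the address as 0000.0C07.ACxy with xy the group
    number in hexadecimal; that one-byte field covers groups 0-255 (assumption:
    callers stay inside that range).
    """
    if not 0 <= group <= 255:
        raise ValueError("group number must be 0-255 for the 0000.0C07.ACxy form")
    return f"0000.0c07.ac{group:02x}"


def hsrp_group_from_mac(mac: str):
    """Return the HSRP group number if `mac` is a standard HSRP virtual MAC,
    otherwise None. Dotted (0000.0c07.ac01), colon and dash forms are accepted."""
    digits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC address: {mac!r}")
    if digits.startswith("00000c07ac"):
        return int(digits[10:], 16)
    return None


# Constructed sample in the style of `show ip arp` output (addresses invented
# for this example): one virtual gateway plus the two physical routers.
SAMPLE_ARP = """\
Internet  10.1.0.1    0   0000.0c07.ac01  ARPA   Ethernet0/0
Internet  10.1.0.21   5   0005.5e4a.1c01  ARPA   Ethernet0/0
Internet  10.1.0.22   7   0005.5e4a.1c02  ARPA   Ethernet0/0
"""


def virtual_gateways(arp_text: str) -> dict:
    """Map each IP whose MAC is an HSRP virtual MAC to its HSRP group number."""
    found = {}
    for line in arp_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        group = hsrp_group_from_mac(fields[3])
        if group is not None:
            found[fields[1]] = group
    return found


if __name__ == "__main__":
    print(hsrp_virtual_mac(1))           # 0000.0c07.ac01
    print(virtual_gateways(SAMPLE_ARP))  # {'10.1.0.1': 1}
```

An address that matches the pattern but is answered by an unexpected physical port, or a virtual MAC that appears for a group no router is configured with, is the kind of discrepancy this check is meant to surface; when `standby mac-address` or `standby use-bia` is in use the default pattern no longer applies and the configured value has to be compared instead.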
APPN term        IP equivalent
End node         Host
Network node     Router or gateway
In an APPN network, an end node is typically configured with the MAC address of the adjacent network
node. Use the standby mac-address command in the routers to set the virtual MAC address to the value
used in the end nodes.
Examples If the end nodes are configured to use 4000.1000.1060 as the MAC address of the network node, the
following example shows the command used to configure HSRP group 1 with the virtual MAC address:
standby 1 mac-address 4000.1000.1060
standby mac-refresh
To change the interval at which packets are sent to refresh the MAC cache when the Hot Standby Router
Protocol (HSRP) is running over FDDI, use the standby mac-refresh command in interface
configuration mode. To restore the default value, use the no form of this command.
no standby mac-refresh
Syntax Description seconds Number of seconds in the interval at which a packet is sent to refresh the MAC
cache. The maximum value is 255 seconds. The default is 10 seconds.
Usage Guidelines This command applies to HSRP running over FDDI only. Packets are sent every 10 seconds to refresh
the MAC cache on learning bridges or switches. By default, the MAC cache entries age out in
300 seconds (5 minutes).
All other routers participating in HSRP on the FDDI ring receive the refresh packets, although the
packets are intended only for the learning bridge or switch. Use this command to change the interval.
Set the interval to 0 if you want to prevent refresh packets (if you have FDDI but do not have a learning
bridge or switch).
Examples The following example changes the MAC refresh interval to 100 seconds. Therefore, a learning bridge
would need to miss three packets before the entry ages out.
standby mac-refresh 100
standby name
To configure the name of the standby group, use the standby name command in interface configuration
mode. To disable the name, use the no form of this command.
standby preempt
To configure Hot Standby Router Protocol (HSRP) preemption and preemption delay, use the standby
preempt command in interface configuration mode. To restore the default values, use the no form of this
command.
Syntax Description group-number (Optional) Group number on the interface to which the other arguments in
this command apply.
delay (Optional) Required if either the minimum, reload, or sync keywords are
specified.
minimum delay (Optional) Specifies the minimum delay period in delay seconds. The delay
argument causes the local router to postpone taking over the active role for
delay (minimum) seconds since that router was last restarted. The range is
from 0 to 3600 seconds (1 hour). The default is 0 seconds (no delay).
reload delay (Optional) Specifies the preemption delay after a reload only.
sync delay (Optional) Specifies the maximum synchronization period in delay seconds.
Usage Guidelines When this command is configured, the router is configured to preempt, which means that when the local
router has a Hot Standby priority higher than the current active router, the local router should attempt to
assume control as the active router. If preemption is not configured, the local router assumes control as
the active router only if it receives information indicating no router is in the active state (acting as the
designated router).
When a router first comes up, it does not have a complete routing table. If it is configured to preempt, it
will become the active router, yet it is unable to provide adequate routing services. Solve this problem
by configuring a delay before the preempting router actually preempts the currently active router.
When group number 0 is used, no group number is written to NVRAM, providing backward
compatibility.
IP redundancy clients can prevent preemption from taking place. The standby preempt delay sync
delay command specifies a maximum number of seconds to allow IP redundancy clients to prevent
preemption. When this expires, then preemption takes place regardless of the state of the IP redundancy
clients.
The standby preempt delay reload delay command allows preemption to occur only after a router
reloads. This provides stabilization of the router at startup. After this initial delay at startup, the operation
returns to the default behavior.
The no standby preempt delay command will disable the preemption delay but preemption will remain
enabled. The no standby preempt delay minimum delay command will disable the minimum delay but
leave any synchronization delay if it was configured.
Examples In the following example, the router will wait for 300 seconds (5 minutes) before attempting to become
the active router:
interface ethernet 0
standby ip 172.19.108.254
standby preempt delay minimum 300
standby priority
To configure Hot Standby Router Protocol (HSRP) priority, use the standby priority command in
interface configuration mode. To restore the default values, use the no form of this command.
Syntax Description group-number (Optional) Group number on the interface to which the other arguments in
this command apply. The default group number is 0.
priority Priority value that prioritizes a potential Hot Standby router. The range is
from 1 to 255, where 1 denotes the lowest priority and 255 denotes the
highest priority. The default priority value is 100. The router in the HSRP
group with the highest priority value becomes the active router.
Usage Guidelines When group number 0 is used, no group number is written to NVRAM, providing backward
compatibility.
The assigned priority is used to help select the active and standby routers. Assuming that preemption is
enabled, the router with the highest priority becomes the designated active router. In case of ties, the
primary IP addresses are compared, and the higher IP address has priority.
The assigned priority takes precedence over the authentication string specified in the standby
authentication command: a router with a higher HSRP priority will ignore the authentication string.
Note that the priority of the device can change dynamically if an interface is configured with the standby
track command and another interface on the router goes down.
Examples In the following example, the router has a priority of 120 (higher than the default value):
interface ethernet 0
standby ip 172.19.108.254
standby priority 120
standby preempt delay 300
standby redirects
To enable Internet Control Message Protocol (ICMP) redirect messages to be sent when the Hot Standby
Router Protocol (HSRP) is configured on an interface, use the standby redirects command in interface
configuration mode. To disable the HSRP ICMP redirection filter, use the no form of this command.
no standby redirects
Syntax Description enable (Optional) Allows the filtering of ICMP redirect messages on interfaces
configured with HSRP, where the next hop IP address may be changed to an
HSRP virtual IP address.
disable (Optional) Disables the filtering of ICMP redirect messages on interfaces
configured with HSRP.
Usage Guidelines The standby redirects command can be configured globally or on a per-interface basis. When HSRP is
first configured on an interface, the setting for that interface will inherit the global value. If ICMP
redirects have been explicitly disabled on an interface, then the global command cannot reenable the
functionality.
The no standby redirects command is the same as the standby redirects disable command. However,
it is not desirable to save the no form of this command to NVRAM. Because the command is enabled by
default, it is preferable to use the standby redirects disable command to disable the functionality.
Examples The following example allows HSRP to filter ICMP redirect messages on interface Ethernet 0:
interface ethernet 0
ip address 20.0.0.1 255.0.0.0
standby redirects
standby 1 ip 20.0.0.11
standby timers
To configure the time between hello packets and the time before other routers declare the active Hot
Standby or standby router to be down, use the standby timers command in interface configuration mode.
To restore the timers to their default values, use the no form of this command.
Syntax Description group-number (Optional) Group number on the interface to which the timers apply. The
default is 0.
msec (Optional) Interval in milliseconds. Millisecond timers allow for faster
failover.
hellotime Hello interval (in seconds). This is an integer from 1 to 254. The default is
3 seconds. If the msec option is specified, hello interval is in milliseconds.
This is an integer from 15 to 999.
holdtime Time (in seconds) before the active or standby router is declared to be down.
This is an integer from x to 255. The default is 10 seconds. If the msec option
is specified, holdtime is in milliseconds. This is an integer from y to 3000.
Where:
• x is the hellotime + 50 milliseconds, then rounded up to the nearest
1 second
• y is greater than or equal to 3 times the hellotime and is not less than
50 milliseconds.
Usage Guidelines The standby timers command configures the time between standby hello packets and the time before
other routers declare the active or standby router to be down. Routers or access servers on which timer
values are not configured can learn timer values from the active or standby router. The timers configured
on the active router always override any other timer settings. All routers in a Hot Standby group should
use the same timer values. Normally, holdtime is greater than or equal to 3 times the value of hellotime.
The range of values for holdtime forces the holdtime to be greater than the hellotime. If the timer values
are specified in milliseconds, the holdtime is required to be at least three times the hellotime value and
not less than 50 milliseconds.
Some HSRP state flapping can occasionally occur if the holdtime is set to less than 250 milliseconds,
and the processor is busy. It is recommended that holdtime values less than 250 milliseconds be used on
Cisco 7200 platforms or better, and on Fast-Ethernet or FDDI interfaces or better. Setting the
process-max-time command to a suitable value may also help with flapping.
The value of the standby timer will not be learned through HSRP hellos if it is less than 1 second.
When group number 0 is used, no group number is written to NVRAM, providing backward
compatibility.
Examples The following example sets, for group number 1 on Ethernet interface 0, the time between hello packets
to 5 seconds, and the time after which a router is considered to be down to 15 seconds:
interface ethernet 0
standby 1 ip
standby 1 timers 5 15
The following example sets, for the Hot Router interface located at 172.19.10.1 on Ethernet interface 0,
the time between hello packets to 300 milliseconds, and the time after which a router is considered to be
down to 900 milliseconds:
interface ethernet 0
standby ip 172.19.10.1
standby timers msec 300 msec 900
The following example sets, for the Hot Router interface located at 172.18.10.1 on Ethernet interface 0,
the time between hello packets to 15 milliseconds, and the time after which a router is considered to be
down to 50 milliseconds. Note that the holdtime is larger than three times the hellotime because the
minimum holdtime value in milliseconds is 50.
interface ethernet 0
standby ip 172.18.10.1
standby timers msec 15 msec 50
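The ranges and the x/y rules above are easy to get wrong when timers are planned on paper, and a holdtime that is too short for the hellotime is exactly what produces the state flapping the guidelines warn about. The following checker is an added example for this page (not the IOS parser and not Cisco code); it applies the ranges and the hold/hello relationship exactly as the text states them, including the rounding of x to the next whole second, and reports the usual 3 x hellotime guideline separately from a hard range violation:

```python
# Added example (not from the Cisco reference): an offline validator for
# `standby timers` values that follows the ranges stated on this page.
import math


def check_hsrp_timers(hellotime: int, holdtime: int, msec: bool = False):
    """Return (accepted, reason) for a hello/hold pair.

    Values are seconds, or milliseconds when `msec` is True, mirroring the
    `standby timers [msec] hellotime [msec] holdtime` form used in the examples.
    """
    if msec:
        if not 15 <= hellotime <= 999:
            return False, "msec hellotime must be 15-999"
        # y: at least 3 x hellotime, and never below 50 ms
        minimum_hold = max(3 * hellotime, 50)
        if not minimum_hold <= holdtime <= 3000:
            return False, f"msec holdtime must be {minimum_hold}-3000"
        return True, "ok"

    if not 1 <= hellotime <= 254:
        return False, "hellotime must be 1-254 seconds"
    # x: hellotime + 50 ms, rounded up to the nearest whole second
    minimum_hold = math.ceil(hellotime + 0.05)
    if not minimum_hold <= holdtime <= 255:
        return False, f"holdtime must be {minimum_hold}-255 seconds"
    if holdtime < 3 * hellotime:
        return True, "accepted, but holdtime is below the usual 3 x hellotime"
    return True, "ok"


def check_group_timers(settings):
    """Check several (hellotime, holdtime, msec) tuples, e.g. all the timer
    lines collected from the routers of one Hot Standby group, and return the
    ones that are rejected. All members of a group should use the same values."""
    rejected = []
    for hello, hold, msec in settings:
        accepted, reason = check_hsrp_timers(hello, hold, msec)
        if not accepted:
            rejected.append(((hello, hold, msec), reason))
    return rejected


if __name__ == "__main__":
    # the three examples from the text, then one holdtime that is too short
    for h, hold, ms in [(5, 15, False), (300, 900, True), (15, 50, True), (100, 250, True)]:
        print((h, hold, ms), check_hsrp_timers(h, hold, ms))
```

The fourth sample above (100 ms hello, 250 ms hold) is rejected because 3 x 100 = 300 ms is the minimum holdtime; the page's own 15/50 example passes only because the 50 ms floor is larger than 3 x 15.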
standby track
To configure the Hot Standby Router Protocol (HSRP) to track an object and change the Hot Standby
priority based on the state of the object, use the standby track command in interface configuration
mode. To remove the tracking, use the no form of this command.
Syntax Description group-number (Optional) Group number to which the tracking applies.
object-number Object number in the range from 1 to 500 representing the object to be
tracked.
decrement priority (Optional) Amount by which the Hot Standby priority for the router is
decremented (or incremented) when the tracked object goes down (or comes
back up). The default value is 10.
group-number (Optional) Group number on the interface to which the tracking applies.
interface-type Interface type (combined with interface number) that will be tracked.
interface-number Interface number (combined with interface type) that will be tracked.
interface-priority (Optional) Amount by which the Hot Standby priority for the router is
decremented (or incremented) when the interface goes down (or comes back
up). The default value is 10.
Defaults group-number: 0
priority: 10
interface-priority: 10
Usage Guidelines This command ties the Hot Standby priority of the router to the availability of its tracked objects. Use
the track interface or track ip route global configuration command to track an interface object or an
IP route object. The HSRP client can register its interest in the tracking process by using the standby
track command, and take action when the object changes.
When a tracked object goes down, the Hot Standby priority decreases by 10. If an object is not tracked,
its state changes do not affect the Hot Standby priority. For each object configured for Hot Standby, you
can configure a separate list of objects to be tracked.
The optional priority argument specifies how much to decrement the Hot Standby priority when a
tracked object goes down. When the tracked object comes back up, the priority is incremented by the
same amount.
When multiple tracked objects are down, the decrements are cumulative, whether configured with
priority values or not.
Use the no standby group-number track command to delete all tracking configuration for a group.
When group number 0 is used, no group number is written to NVRAM, providing backward
compatibility.
The standby track command syntax prior to Release 12.2(15)T is still supported. Using the older form
will cause a tracked object to be created in the new tracking process. This tracking information can be
displayed using the show track command.
Examples In the following example, the tracking process is configured to track the IP routing capability of serial
interface 1/0. HSRP on Ethernet interface 0/0 then registers with the tracking process to be informed of
any changes to the IP routing state of serial interface 1/0. If the IP state on Serial interface 1/0 goes down,
then the priority of the HSRP group is reduced by 10.
If both serial interfaces are operational, then Router A will be the HSRP active router because it has the
higher priority.
However, if IP routing on serial interface 1/0 in Router A fails, then the HSRP group priority will be
reduced and Router B will take over as the active router, thus maintaining a default virtual gateway
service to hosts on the 10.1.0.0 subnet.
Router A Configuration
!
track 100 interface serial1/0 ip routing
!
interface Ethernet0/0
ip address 10.1.0.21 255.255.0.0
standby 1 ip 10.1.0.1
standby 1 priority 105
standby 1 track 100 decrement 10
Router B Configuration
!
track 100 interface serial1/0 ip routing
!
interface Ethernet0/0
ip address 10.1.0.22 255.255.0.0
standby 1 ip 10.1.0.1
standby 1 priority 100
standby 1 track 100 decrement 10
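The Router A / Router B configuration above combines three rules stated in the standby priority, standby preempt and standby track sections: the highest priority wins, ties are broken by the higher primary IP address, and a down tracked object lowers the priority by its decrement (cumulatively when several objects are down). The simulation below is an added example for this page, not Cisco code. It reproduces the walk-through in the text and additionally models the preemption rule, so it assumes `standby 1 preempt` on both routers (the text's statement that Router B takes over relies on that, since the standby priority guidelines say the highest-priority router becomes active only when preemption is enabled); router names and object numbers are taken from the example.

```python
# Added example (not from the Cisco reference): HSRP active-router election
# with tracking decrements and preemption, following the rules on this page.
from dataclasses import dataclass, field
from ipaddress import IPv4Address


@dataclass
class HsrpRouter:
    name: str
    primary_ip: str
    priority: int = 100             # standby priority default
    preempt: bool = False           # standby preempt (assumed on in demo())
    # object-number -> decrement, as in `standby 1 track 100 decrement 10`
    tracked: dict = field(default_factory=dict)
    down_objects: set = field(default_factory=set)

    def effective_priority(self) -> int:
        """Configured priority minus the cumulative decrement of down objects."""
        loss = sum(dec for obj, dec in self.tracked.items() if obj in self.down_objects)
        return max(1, self.priority - loss)   # priority range is 1-255

    def sort_key(self):
        # higher priority wins; ties go to the higher primary IP address
        return (self.effective_priority(), int(IPv4Address(self.primary_ip)))


def elect_active(routers, current_active=None):
    """Return the router holding the active role after one election round.

    With no active router the best candidate wins. Otherwise a better candidate
    displaces the current active router only if it is configured to preempt.
    """
    best = max(routers, key=HsrpRouter.sort_key)
    if current_active is None or current_active not in routers:
        return best
    if best is current_active:
        return current_active
    if best.preempt and best.sort_key() > current_active.sort_key():
        return best
    return current_active


def demo():
    """Walk through the Router A / Router B example from the text."""
    a = HsrpRouter("A", "10.1.0.21", priority=105, preempt=True, tracked={100: 10})
    b = HsrpRouter("B", "10.1.0.22", priority=100, preempt=True, tracked={100: 10})
    history = []
    active = elect_active([a, b])
    history.append(active.name)            # A: 105 beats 100
    a.down_objects.add(100)                # IP routing on A's serial1/0 fails
    active = elect_active([a, b], active)
    history.append(active.name)            # B: 100 beats A's reduced 95
    a.down_objects.discard(100)            # serial1/0 recovers on A
    active = elect_active([a, b], active)
    history.append(active.name)            # A: back to 105, preempts B
    return history


if __name__ == "__main__":
    print(demo())   # ['A', 'B', 'A']
```

Running the same scenario with `preempt=False` on Router B leaves Router A active at priority 95, which is the failure mode the standby preempt section describes: without preemption a router only takes over when it learns that no router is active at all.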
standby use-bia
To configure the Hot Standby Router Protocol (HSRP) to use the burned-in address of the interface as
its virtual MAC address, instead of the preassigned MAC address (on Ethernet and FDDI) or the
functional address (on Token Ring), use the standby use-bia command in interface configuration mode.
To restore the default virtual MAC address, use the no form of this command.
no standby use-bia
Syntax Description scope interface (Optional) Specifies that this command is configured just for the subinterface on
which it was entered, instead of the major interface.
Defaults HSRP uses the preassigned MAC address on Ethernet and FDDI, or the functional address on Token
Ring.
Usage Guidelines For an interface with this command configured, multiple standby groups can be configured. Hosts on the
interface must have a default gateway configured. We recommend that you set the no ip proxy-arp
command on the interface. It is desirable to configure the standby use-bia command on a Token Ring
interface if there are devices that reject ARP replies with source hardware addresses set to a functional
address.
When HSRP runs in a multiple-ring, source-routed bridging environment and the HSRP routers reside
on different rings, configuring the standby use-bia command can prevent confusion about the routing
information field (RIF).
Without the scope interface keywords, the standby use-bia command applies to all subinterfaces on the
major interface. The standby use-bia command may not be configured both with and without the scope
interface keywords at the same time.
Examples In the following example, the burned-in address of Token Ring interface 4/0 will be the virtual MAC
address mapped to the virtual IP address:
interface token4/0
standby use-bia
start-forwarding-agent
To start the forwarding agent, use the start-forwarding-agent command in CASA-port configuration
mode.
Syntax Description port-number Port numbers on which the Forwarding Agent will listen for wildcards
broadcast from the services manager. This must match the port number
defined on the services manager.
password (Optional) Text password used for generating the MD5 digest.
timeout (Optional) Duration (in seconds) during which the Forwarding Agent
will accept the new and old password. Valid range is from 0 to
3600 seconds. The default is 180 seconds.
Usage Guidelines The forwarding agent must be started before you can configure any port information for the forwarding
agent.
Examples The following example specifies that the forwarding agent will listen for wildcard and fixed affinities on
port 1637:
start-forwarding-agent 1637
sticky
To assign all connections from a client to the same real server, use the sticky command in virtual server
configuration mode. To remove the client/server coupling, use the no form of this command.
no sticky
Syntax Description duration Sticky timer duration (in seconds). Valid values range from 0 to
65535.
group (Optional) Places the virtual server in a sticky group, for coupling of
services.
group-id (Optional) Number identifying the sticky group to which the virtual
server belongs. Valid values range from 0 to 255.
Usage Guidelines The last real server that was used for a connection from a client is stored for the set duration seconds. If
a new connection from the client to the virtual server is initiated during that time, the same real server
that was used for the previous connection is chosen for the new connection. If two virtual servers are
placed in the same group, coincident connection requests for those services from the same IP address are
handled by the same real server.
Examples The following example specifies that if a subsequent request from a client for a virtual server is made
within 60 seconds of the previous request, then the same real server is used for the connection. This
example also places the virtual server in group 10.
ip slb vserver VS1
sticky 60 group 10
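The sticky table described above is a small data structure: a per-client memory of the last real server, refreshed on every connection and expiring after the configured duration, with virtual servers in the same sticky group sharing one memory. The following Python is an added example for this page, not the IOS SLB implementation; the virtual server names, the round-robin fallback chooser and the treatment of a duration of 0 as "do not remember" are the author's assumptions.

```python
# Added example (not from the Cisco reference): a sticky-connection table that
# follows the behaviour described for the `sticky` command.
import itertools


class StickyTable:
    def __init__(self):
        # (scope, client_ip) -> (real server, expiry time). The scope is the
        # sticky group id when the virtual server is in a group, so that all
        # virtual servers of the group share entries; otherwise it is the
        # virtual server name.
        self._entries = {}

    def choose(self, now: float, client_ip: str, vserver: str, duration: int,
               group_id=None, pick_new=None) -> str:
        """Return the real server for this client, reusing a live entry.

        `pick_new` is the load balancer's normal selection, called only when
        no unexpired sticky entry exists for the client.
        """
        scope = ("group", group_id) if group_id is not None else ("vserver", vserver)
        key = (scope, client_ip)
        entry = self._entries.get(key)
        if entry is not None and entry[1] > now:
            real = entry[0]
        else:
            real = pick_new()
        if duration > 0:                       # assumption: 0 disables stickiness
            self._entries[key] = (real, now + duration)   # restart the timer
        return real

    def purge(self, now: float) -> int:
        """Drop expired entries; returns how many were removed."""
        expired = [k for k, (_, exp) in self._entries.items() if exp <= now]
        for k in expired:
            del self._entries[k]
        return len(expired)


def demo():
    """VS1 and VS2 share sticky group 10 (`sticky 60 group 10`); VS3 has no group."""
    servers = itertools.cycle(["rs1", "rs2"])
    pick = lambda: next(servers)
    table = StickyTable()
    client = "192.0.2.10"                      # constructed client address
    out = [
        table.choose(0, client, "VS1", 60, 10, pick),      # rs1: first contact
        table.choose(10, client, "VS2", 60, 10, pick),     # rs1: same group, reused
        table.choose(10, client, "VS3", 60, None, pick),   # rs2: other scope, new pick
        table.choose(100, client, "VS1", 60, 10, pick),    # rs1: group entry expired at 70
    ]
    return out


if __name__ == "__main__":
    print(demo())   # ['rs1', 'rs1', 'rs2', 'rs1']
```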
subnet prefix-length
To configure a subnet allocation pool and determine the size subnets that are allocated from the pool,
use the subnet prefix-length command in DHCP pool configuration mode. To unconfigure subnet pool
allocation, use the no form of this command.
Syntax Description prefix-length Configures the IP subnet prefix length in classless interdomain routing
(CIDR) bit count notation. The range is from 1 to 31.
Usage Guidelines This command is used to configure a Cisco IOS router as a subnet allocation server for a centralized or
remote VPN on-demand address pool (ODAP) manager. This command is configured under a DHCP
pool. The prefix-length argument is used to determine the size of the subnets that are allocated from the
subnet allocation pool. The values that can be configured for the prefix-length argument follow CIDR
bit count notation format.
Configuring VPN Subnet Pools for VPN clients with VPN IDs
A subnet allocation server can also be configured to assign subnets from VPN subnet allocation pools
based on the VPN ID of a client. The VPN ID (or Organizational Unique Identifier [OUI]) is a unique
identifier assigned by the IEEE. VPN routes between the ODAP manager and the subnet allocation
server are enabled by configuring the DHCP pool with a VPN ID that matches the VPN ID that is
configured for the VPN client.
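A subnet allocation server of the kind configured with subnet prefix-length carves fixed-size subnets out of a pool and, when VPN subnet pools are used, selects the pool by the client's VPN ID. The following Python is an added example for this page, not Cisco's ODAP implementation; the pool ranges, the client and VPN identifiers and the decision to refuse a request whose VPN ID matches no pool (rather than fall back to the global pool) are the author's assumptions.

```python
# Added example (not from the Cisco reference): subnet allocation from a pool
# of a fixed prefix length, plus pool selection by VPN ID.
import ipaddress


class SubnetPool:
    def __init__(self, network: str, prefix_length: int):
        self.network = ipaddress.ip_network(network)
        if not 1 <= prefix_length <= 31:
            raise ValueError("prefix length must be 1-31")   # range on this page
        if prefix_length < self.network.prefixlen:
            raise ValueError("requested subnets are larger than the pool")
        self.prefix_length = prefix_length
        self._free = list(self.network.subnets(new_prefix=prefix_length))
        self._leased = {}   # client id -> allocated subnet

    def allocate(self, client: str):
        """Hand out the next free subnet; a client keeps its existing one."""
        if client in self._leased:
            return self._leased[client]
        if not self._free:
            return None                      # pool exhausted
        subnet = self._free.pop(0)
        self._leased[client] = subnet
        return subnet

    def release(self, client: str):
        subnet = self._leased.pop(client, None)
        if subnet is not None:
            self._free.append(subnet)
        return subnet

    def available(self) -> int:
        return len(self._free)


class VpnSubnetServer:
    """Pick a pool by VPN ID; clients without a VPN ID use the global pool."""

    def __init__(self, global_pool: SubnetPool, vpn_pools: dict):
        self.global_pool = global_pool
        self.vpn_pools = dict(vpn_pools)     # vpn id -> SubnetPool

    def allocate(self, client: str, vpn_id=None):
        pool = self.global_pool if vpn_id is None else self.vpn_pools.get(vpn_id)
        if pool is None:
            return None   # assumption: an unknown VPN ID is refused, not served globally
        return pool.allocate(client)


if __name__ == "__main__":
    server = VpnSubnetServer(
        SubnetPool("10.0.0.0/24", 28),                      # constructed ranges
        {"vpn-id-A": SubnetPool("172.16.0.0/22", 26)},      # placeholder VPN ID
    )
    print(server.allocate("client-1"))              # 10.0.0.0/28
    print(server.allocate("client-2", "vpn-id-A"))  # 172.16.0.0/26
    print(server.allocate("client-3", "vpn-id-Z"))  # None
```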
synguard
To limit the rate of TCP SYNs handled by a virtual server to prevent a SYN flood denial-of-service
attack, use the synguard command in virtual server configuration mode. To remove the threshold, use
the no form of this command.
no synguard
Syntax Description syn-count Number of unanswered SYNs that are allowed to be outstanding to a
virtual server. Valid values range from 0 (off) to 4294967295. The
default is 0.
interval (Optional) Interval (in milliseconds) for SYN threshold monitoring.
Valid values range from 50 to 5000. The default is 100 ms.
Examples The following example sets the threshold of unanswered SYNs to 50:
ip slb vserver PUBLIC_HTTP
synguard 50
term ip netmask-format
To specify the format in which netmasks are displayed in show command output, use the
term ip netmask-format command in EXEC configuration mode. To restore the default display format,
use the no form of this command.
Usage Guidelines IP uses a 32-bit mask that indicates which address bits belong to the network and subnetwork fields, and
which bits belong to the host field. This mask is called a netmask. By default, show
commands display an IP address and then its netmask in dotted decimal notation. For example, a subnet
would be displayed as 131.108.11.55 255.255.255.0.
However, you can specify that the display of the network mask appear in hexadecimal format or bit count
format instead. The hexadecimal format is commonly used on UNIX systems. The previous example
would be displayed as 131.108.11.55 0XFFFFFF00.
The bitcount format for displaying network masks is to append a slash (/) and the total number of bits in
the netmask to the address itself. The previous example would be displayed as 131.108.11.55/24.
Examples The following example specifies that network masks for the session be displayed in bitcount notation in
the output of show commands:
term ip netmask-format bitcount
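Tools that parse show output have to cope with whichever of the three formats the session was set to, and a mask that is not a contiguous run of ones (which none of the formats can round-trip safely) should be rejected rather than silently converted. The following Python is an added example for this page, not Cisco code; it converts the page's own sample address between the dotted decimal, hexadecimal and bitcount forms and parses any of them back:

```python
# Added example (not from the Cisco reference): conversion between the three
# netmask display formats described for `term ip netmask-format`.
import ipaddress


def mask_int_to_prefix(mask_int: int) -> int:
    """Prefix length of a 32-bit mask; raises if the mask is not contiguous."""
    if not 0 <= mask_int <= 0xFFFFFFFF:
        raise ValueError("mask is not a 32-bit value")
    # A contiguous mask inverts to a run of low ones, so inverted+1 is a power of two.
    inverted = (~mask_int) & 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"non-contiguous netmask 0x{mask_int:08X}")
    return bin(mask_int).count("1")


def parse_netmask_display(text: str):
    """Parse 'A.B.C.D M.M.M.M', 'A.B.C.D 0XFFFFFF00' or 'A.B.C.D/24'
    and return (address, prefix_length)."""
    text = text.strip()
    if "/" in text:                                  # bitcount format
        addr, bits = text.split("/", 1)
        prefix = int(bits)
        if not 0 <= prefix <= 32:
            raise ValueError("prefix length must be 0-32")
        return str(ipaddress.IPv4Address(addr)), prefix
    addr, mask = text.split()
    if mask.upper().startswith("0X"):                # hexadecimal format
        mask_int = int(mask, 16)
    else:                                            # dotted decimal format
        mask_int = int(ipaddress.IPv4Address(mask))
    return str(ipaddress.IPv4Address(addr)), mask_int_to_prefix(mask_int)


def netmask_formats(address: str, prefix: int) -> dict:
    """Render an address with its mask in all three display formats."""
    if not 0 <= prefix <= 32:
        raise ValueError("prefix length must be 0-32")
    mask_int = (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF
    return {
        "decimal": f"{address} {ipaddress.IPv4Address(mask_int)}",
        "hexadecimal": f"{address} 0X{mask_int:08X}",
        "bitcount": f"{address}/{prefix}",
    }


if __name__ == "__main__":
    for form in ("131.108.11.55 255.255.255.0", "131.108.11.55 0XFFFFFF00", "131.108.11.55/24"):
        print(form, "->", parse_netmask_display(form))
    print(netmask_formats("131.108.11.55", 24))
```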
threshold metric
To set a metric threshold other than the default value, use the threshold metric command in tracking
configuration mode. To disable the metric threshold, use the no form of this command.
Syntax Description up Specifies the up threshold. The state is up if the scaled metric for that route
is less than or equal to the up threshold. The default up threshold is 254.
number Threshold value from 0 to 255.
down Specifies the down threshold. The state is down if the scaled metric for that
route is greater than or equal to the down threshold. The default down
threshold is 255.
Usage Guidelines This command is available only to IP route metric threshold objects tracked by the track ip route metric
threshold global configuration command.
The default up and down threshold values are 254 and 255, respectively. With these values, IP route
threshold tracking gives the same result as IP route reachability tracking.
Examples In the following example, the tracking process is tracking the IP route metric threshold. The metric
default value is changed to 16 for the up threshold and to 20 for the down threshold.
track 1 ip route 10.22.0.0/16 metric threshold
threshold metric up 16 down 20
delay down 20
track interface
To configure an interface to be tracked and to enter tracking configuration mode, use the track interface
command in global configuration mode. To remove the tracking, use the no form of this command.
Syntax Description object-number Object number in the range from 1 to 500 representing the interface to be
tracked.
type number Interface type and number to be tracked. No space is required between the
values.
line-protocol Tracks the state of the interface line protocol.
ip routing Tracks whether IP routing is enabled, an IP address is configured on the
interface, and the interface state is up, before reporting to the tracking client
that the interface is up.
Usage Guidelines This command reports a state value to clients. A tracked IP routing object is considered up when the
platform is routing IP, the interface line protocol is up, and IP routing is enabled and active on the
interface.
Tracking the IP routing state of an interface (using the track interface ip routing command) can be
more useful in some situations than just tracking the line-protocol state (using the track interface
line-protocol command), especially on interfaces where IP addresses are negotiated. For example, on a
serial interface that uses PPP, the line protocol could be up (LCP negotiated successfully), but IP could
be down (IPCP negotiation failed).
For GLBP, use the track interface command in conjunction with the glbp weighting and glbp
weighting track commands to configure parameters for an interface to be tracked. If a tracked interface
on a GLBP router goes down, the weighting for that router is reduced. If the weighting falls below a
specified minimum, the router will lose its ability to act as an active GLBP virtual forwarder.
Examples In the following example, the tracking process is configured to track the IP routing capability of serial
interface 1/0:
In the following example, Fast Ethernet interface 0/0 tracks whether serial interfaces 2/0 and 3/0 are up.
If either serial interface goes down, the GLBP weighting is reduced by the default value of 10. If both
serial interfaces go down, the GLBP weighting will fall below the lower threshold and the router will no
longer be an active forwarder. To resume its role as an active forwarder, the router must have both tracked
interfaces back up, and the weighting must rise above the upper threshold.
track 1 interface serial 2/0 line-protocol
track 2 interface serial 3/0 line-protocol
interface fastethernet 0/0
ip address 10.21.8.32 255.255.255.0
glbp 10 weighting 110 lower 95 upper 105
glbp 10 weighting track 1
glbp 10 weighting track 2
In the following example, Fast Ethernet interface 0/0 tracks whether serial interface 2/0 is enabled for
IP routing, whether it is configured with an IP address, and whether the state of the interface is up. If
serial interface 2/0 goes down, the GLBP weighting is reduced by a value of 20.
track 2 interface serial 2/0 ip routing
interface fastethernet 0/0
ip address 10.21.8.32 255.255.255.0
glbp 10 weighting 110 lower 95 upper 105
glbp 10 weighting track 2 decrement 20
track ip route
To track the state of an IP route and to enter tracking configuration mode, use the track ip route
command in global configuration mode. To remove the tracking, use the no form of this command.
Syntax Description object-number Object number in the range from 1 to 500 representing the object to be
tracked.
ip-address IP address.
/prefix-length The number of bits that comprise the address prefix. A slash must precede
the value.
reachability Tracks whether the route is reachable.
metric threshold Tracks the metric threshold. The default up threshold is 254 and the default
down threshold is 255.
Usage Guidelines A tracked IP route object is considered up and reachable when a routing table entry exists for the route
and the route is not inaccessible.
To provide a common interface to tracking clients, route metric values have been normalized to the range
of 0 to 255, where 0 is connected and 255 is inaccessible. The resulting value is compared against
threshold values to determine the tracking state as follows:
• State is up if the scaled metric for that route is less than or equal to the up threshold.
• State is down if the scaled metric for that route is greater than or equal to the down threshold.
The tracking process uses a per-protocol configurable resolution value to convert the real metric to the
scaled metric. The metric value communicated to clients is always such that a lower metric value is better
than a higher value.
Use the threshold metric tracking configuration command to specify a metric threshold other than the
default metric threshold.
Examples In the following example, the tracking process is configured to track the reachability of 10.22.0.0/16:
In the following example, the tracking process is configured to track the metric threshold using the
default metric threshold values:
track 1 ip route 10.22.0.0/16 metric threshold
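Both the metric threshold object (threshold metric, track ip route above) and the GLBP weighting used with track interface are threshold comparisons with a dead band: a value between the two thresholds leaves the current state unchanged, which is what prevents flapping when a metric or weight hovers near one threshold. The following Python is an added example for this page, not Cisco code; it models both objects with the threshold semantics stated in the text (up if the scaled metric is at most the up threshold, down if at least the down threshold; a forwarder is lost when the weight falls below the lower threshold and regained only when it rises above the upper one). The scaled metric is taken as input, since the page does not give the per-protocol resolution values; the requirement that the up threshold not exceed the down threshold is an assumption.

```python
# Added example (not from the Cisco reference): state of a route metric
# threshold object and of GLBP weighting with tracked decrements.


class MetricThresholdTracker:
    """A `track ip route ... metric threshold` object with `threshold metric`.

    Defaults of up=254 and down=255 make it equivalent to reachability
    tracking, since a scaled metric of 255 means inaccessible.
    """

    def __init__(self, up: int = 254, down: int = 255):
        if not (0 <= up <= 255 and 0 <= down <= 255) or up > down:
            raise ValueError("thresholds must be 0-255 with up <= down")  # assumption
        self.up, self.down = up, down
        self.state = "down"     # nothing known until the first sample

    def update(self, scaled_metric: int) -> str:
        """Apply one scaled metric sample (0 = connected ... 255 = inaccessible)."""
        if not 0 <= scaled_metric <= 255:
            raise ValueError("scaled metric must be 0-255")
        if scaled_metric <= self.up:
            self.state = "up"
        elif scaled_metric >= self.down:
            self.state = "down"
        # strictly between the thresholds: state is unchanged
        return self.state


class GlbpWeighting:
    """`glbp N weighting <max> lower <l> upper <u>` with `weighting track` objects."""

    def __init__(self, maximum: int, lower: int, upper: int, tracks: dict):
        self.maximum, self.lower, self.upper = maximum, lower, upper
        self.tracks = dict(tracks)   # object number -> decrement (default 10)
        self.down = set()
        self.forwarder = True        # may act as an active virtual forwarder

    def weight(self) -> int:
        return self.maximum - sum(d for o, d in self.tracks.items() if o in self.down)

    def set_object(self, obj: int, is_up: bool) -> bool:
        """Record a tracked object's state and return whether the router
        may still act as an active virtual forwarder."""
        (self.down.discard if is_up else self.down.add)(obj)
        w = self.weight()
        if w < self.lower:
            self.forwarder = False
        elif w > self.upper:
            self.forwarder = True
        return self.forwarder


def demo():
    """The two-serial-interface GLBP example from the track interface section."""
    g = GlbpWeighting(110, lower=95, upper=105, tracks={1: 10, 2: 10})
    steps = [
        g.set_object(1, False),   # 100: still a forwarder
        g.set_object(2, False),   # 90: below lower, forwarder role lost
        g.set_object(1, True),    # 100: not above upper, still lost
        g.set_object(2, True),    # 110: above upper, role regained
    ]
    return steps


if __name__ == "__main__":
    print(demo())   # [True, False, False, True]
    t = MetricThresholdTracker(up=16, down=20)
    print([t.update(m) for m in (10, 18, 20, 18, 16)])   # up, up, down, down, up
```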
track timer
To specify the interval in which the tracking process polls the tracked object, use the track timer
command in tracking configuration mode. To disable this functionality, use the no form of this
command.
Usage Guidelines If you do not use the track timer command to specify a polling interval, a tracked object will be tracked
at the default polling interval.
Examples In the following example, the tracking process is configured to poll the tracked interface every 3 seconds:
track timer interface 3
transmit-interface
To assign a transmit interface to a receive-only interface, use the transmit-interface command in
interface configuration mode. To return to normal duplex Ethernet interfaces, use the no form of this
command.
no transmit-interface
Syntax Description type Transmit interface type to be linked with the (current) receive-only
interface.
number Transmit interface number to be linked with the (current) receive-only
interface.
Defaults Disabled
Usage Guidelines Receive-only interfaces are used commonly with microwave Ethernet links.
Examples The following example makes Ethernet interface 1 a receive-only (simplex) interface and assigns Ethernet interface 0 as its transmit interface:
interface ethernet 1
ip address 128.9.1.2
transmit-interface ethernet 0
update arp
To secure dynamic Address Resolution Protocol (ARP) entries in the ARP table to their corresponding
DHCP bindings, use the update arp command in DHCP pool configuration mode. To disable this
command and change secure ARP entries to dynamic ARP entries, use the no form of this command.
update arp
no update arp
Usage Guidelines The update arp DHCP pool configuration command is used to secure ARP table entries and their
corresponding DHCP leases. However, existing active leases are not secured. These leases will remain
insecure until they are renewed. When the lease is renewed, it is treated as a new lease and will be secured
automatically. If this feature is disabled on the DHCP server, all existing secured ARP table entries will
automatically change to dynamic ARP entries.
This command can be configured only under the following conditions:
• DHCP network pools in which bindings are created automatically and destroyed upon lease
termination or when the client sends a DHCPRELEASE message.
• Directly connected clients on LAN interfaces and wireless LAN interfaces.
The configuration of this command is not visible to the client. When this command is configured,
secured ARP table entries that are created by a DHCP server cannot be removed from the ARP table by
the clear arp-cache command. This is designed behavior. If a secure ARP entry created by the DHCP
server must be removed, the clear ip dhcp binding command can be used. This command will clear the
DHCP binding and secured ARP table entry.
Note This command does not secure ARP table entries for BOOTP clients.
Examples The following example configures the Cisco IOS DHCP server to secure ARP table entries to their
corresponding DHCP leases within the DHCP pool named WIRELESS-POOL:
Router(config)# ip dhcp pool WIRELESS-POOL
Router(dhcp-config)# update arp
Router(dhcp-config)# exit
utilization mark high
Defaults The default high utilization mark is 100 percent of the current pool size.
Usage Guidelines The current pool size is the sum of all addresses in all the subnets in the pool. If the utilization level
exceeds the configured high utilization mark, the pool will schedule a subnet request.
This command cannot be used unless the autogrow size option of the origin command is configured.
Examples The following example sets the high utilization mark to 80 percent of the current pool size:
utilization mark high 80
utilization mark low
Defaults The default low utilization mark is 0 percent of the current pool size.
Usage Guidelines The current pool size is the sum of all addresses in all the subnets in the pool. If the utilization level
drops below the configured low utilization mark, a subnet release is scheduled from the address pool.
This command cannot be used unless the autogrow size option of the origin command is configured.
Examples The following example sets the low utilization mark to 20 percent of the current pool size:
utilization mark low 20
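The following Python model is an added example, not Cisco code: it shows how the high and low utilization marks drive subnet requests and releases for an on-demand pool, and why utilization is measured against the current pool size, which changes as the pool grows. Subnet sizes are modeled as address counts (a /24 contributes 256), a request takes effect immediately rather than asynchronously, and a subnet is released only when it holds no active lease and is not the last one in the pool; all three are simplifications assumed here.

```python
"""Added example (not Cisco code): an on-demand address pool that grows and
shrinks by whole subnets according to the high and low utilization marks."""


class OnDemandPool:
    def __init__(self, initial_prefix=24, autogrow_prefix=24, high=100, low=0):
        # The marks are meaningless without 'origin ... autogrow', as the page notes.
        if autogrow_prefix is None and (high != 100 or low != 0):
            raise ValueError("utilization marks require the autogrow size option")
        if not 0 <= low <= high <= 100:
            raise ValueError("need 0 <= low <= high <= 100")
        self.high, self.low = high, low
        self.grow_size = 2 ** (32 - autogrow_prefix) if autogrow_prefix else 0
        self.subnets = [{"size": 2 ** (32 - initial_prefix), "leases": 0}]
        self.pending = []   # scheduled "request" / "release" actions, in order

    @property
    def size(self):
        """Current pool size: the sum of all addresses in all subnets."""
        return sum(s["size"] for s in self.subnets)

    @property
    def utilization(self):
        return 100.0 * sum(s["leases"] for s in self.subnets) / self.size

    def _check_marks(self):
        if self.utilization > self.high and self.grow_size:
            self.pending.append("request")            # schedule a subnet request
            self.subnets.append({"size": self.grow_size, "leases": 0})
        elif self.utilization < self.low:
            # Assumption: only an empty subnet can be handed back, never the last one.
            empty = [s for s in self.subnets if s["leases"] == 0]
            if empty and len(self.subnets) > 1:
                self.pending.append("release")        # schedule a subnet release
                self.subnets.remove(empty[0])

    def lease(self, count=1):
        """Hand out addresses from the first subnet with room, then re-check the marks."""
        for _ in range(count):
            target = next((s for s in self.subnets if s["leases"] < s["size"]), None)
            if target is None:
                raise RuntimeError("pool exhausted")
            target["leases"] += 1
        self._check_marks()

    def release(self, count=1):
        """Return addresses (newest subnet first), then re-check the marks."""
        for _ in range(count):
            target = next((s for s in reversed(self.subnets) if s["leases"] > 0), None)
            if target is None:
                break
            target["leases"] -= 1
        self._check_marks()
```

With marks of 80 and 20 on a single /24, the 205th lease pushes utilization just past 80 percent and triggers a request; the moment the second /24 arrives the same 205 leases represent only 40 percent of the pool, so the high mark is not re-triggered until roughly 410 leases are outstanding.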
virtual
To configure virtual server attributes, use the virtual virtual server configuration command. To remove
the attributes, use the no form of this command.
no virtual
Syntax Description ip-address IP address for this virtual server instance, used by clients to connect
to the server farm.
tcp Performs load balancing for only TCP connections.
udp Performs load balancing for only UDP connections.
port-number (Optional) IOS SLB virtual port (the TCP or UDP port number or
port name). If specified, only the connections for the specified port
on the server are load balanced. The ports and the valid name or
number for the port-number argument are as follows:
• Domain Name System: dns 53
• File Transfer Protocol: ftp 21
• HTTP over Secure Socket Layer: https 443
• Mapping of Airline Traffic over IP, Type A: matip-a 350
• Network News Transfer Protocol: nntp 119
• Post Office Protocol v2: pop2 109
• Post Office Protocol v3: pop3 110
• Simple Mail Transfer Protocol: smtp 25
• Telnet: telnet 23
• World Wide Web (HTTP): www 80
Specify a port number of 0 to configure an all-port virtual server (that
is, a virtual server that accepts flows destined for all ports).
service (Optional) Couple connections associated with a given service, such
as HTTP or Telnet, so all related connections from the same client use
the same real server.
service-name (Optional) Type of connection coupling. Currently, the only choice is
ftp. Couple FTP data connections with the control session that
created them.
Usage Guidelines The no virtual command is allowed only if the virtual server was removed from service by the
no inservice command.
For some applications, it is not feasible to configure all the virtual server TCP or UDP port numbers for
the IOS SLB feature. To support such applications, you can configure IOS SLB virtual servers to accept
flows destined for all ports. To configure an all-port virtual server, specify a port number of 0.
Note In general, you should use port-bound virtual servers instead of all-port virtual servers. When you
use all-port virtual servers, flows can be passed to servers for which no application port exists. When
servers reject these flows, IOS SLB might fail the server and remove it from load balancing.
Examples The following example specifies that the virtual server with the IP address 10.0.0.1 performs load
balancing for TCP connections for the port named www. The virtual server processes HTTP requests.
ip slb vserver PUBLIC_HTTP
virtual 10.0.0.1 tcp www
vrf
To associate the on-demand address pool with a VPN routing and forwarding instance (VRF) name, use
the vrf command in DHCP pool configuration mode. To remove the VRF name, use the no form of this
command.
vrf name
no vrf name
Syntax Description name Name of the VRF to which the address pool is associated.
Usage Guidelines Associating a pool with a VRF allows overlapping addresses with other pools that are not on the same
VRF. Only one pool can be associated with each VRF. If the pool is configured with the origin dhcp
command or origin aaa command, the VRF information is sent in the subnet request. If the VRF is
configured with an RFC 2685 VPN ID, the VPN ID will be sent instead of the VRF name.
Examples The following example associates the on-demand address pool with a VRF named red:
ip dhcp pool red_pool
origin dhcp subnet size initial 24 autogrow 24
utilization mark high 85
utilization mark low 15
vrf red
vrrp authentication
To authenticate Virtual Router Redundancy Protocol (VRRP) packets received from other routers in the
group, use the vrrp authentication command in interface configuration mode. To disable VRRP
authentication, use the no form of this command.
Syntax Description group Virtual router group number for which authentication is being configured.
The group number is configured with the vrrp ip command.
string Authentication string (up to eight alphanumeric characters) used to validate
incoming VRRP packets.
Usage Guidelines When a VRRP packet arrives from another router in the VRRP group, its authentication string is
compared to the string configured on the local system. If the strings match, the message is accepted. If
they do not match, the packet is discarded.
All routers within the group must be configured with the same authentication string.
Note that plain text authentication is not meant to be used for security. The string is carried unencrypted in every VRRP advertisement, so anyone able to capture traffic on the segment can read it and reuse it in an advertisement of their own. It simply provides a way to prevent a misconfigured router from participating in VRRP; it does not protect the group against a deliberately forged advertisement.
vrrp description
To assign a description to the Virtual Router Redundancy Protocol (VRRP) group, use the vrrp
description command in interface configuration mode. To remove the description, use the no form of
this command.
Examples The following example enables VRRP on Ethernet interface 0. VRRP group 1 is described as Building A
— Marketing and Administration.
interface ethernet 0
ip address 10.0.1.1 255.255.255.0
!
vrrp 1 ip 10.0.1.20
vrrp 1 description Building A - Marketing and Administration
vrrp ip
To enable the Virtual Router Redundancy Protocol (VRRP) on an interface and identify the IP address
of the virtual router, use the vrrp ip command in interface configuration mode. To disable VRRP on the
interface and remove the IP address of the virtual router, use the no form of this command.
Usage Guidelines Configure this command once without the secondary keyword to indicate the virtual router IP address.
If you want to indicate additional IP addresses supported by this group, then do so and include the
secondary keyword.
Note that removing the VRRP configuration from the IP address owner and leaving the IP address of the
interface active is considered a misconfiguration because duplicate IP addresses on the LAN will result.
Examples The following example enables VRRP on Ethernet interface 0. The VRRP group is 1. IP address
10.0.1.20 is the address of the virtual router.
interface ethernet 0
ip address 10.0.1.1 255.255.255.0
ip address 10.0.2.1 255.255.255.0 secondary
!
vrrp 1 ip 10.0.1.20
vrrp 1 ip 10.0.2.20 secondary
vrrp preempt
To configure the router to take over as master virtual router for a Virtual Router Redundancy Protocol
(VRRP) group if it has higher priority than the current master virtual router, use the vrrp preempt
command in interface configuration mode. To disable this feature, use the no form of this command.
Syntax Description group Virtual router group number of the group for which preemption is being
configured. The group number is configured with the vrrp ip command.
delay seconds (Optional) Number of seconds that the router will delay before issuing an
advertisement claiming master ownership. The default delay is 0 seconds.
Defaults Enabled
Usage Guidelines By default, the router being configured with this command will take over as master virtual router for the
group if it has a higher priority than the current master virtual router. You can configure a delay, which
will cause the VRRP router to wait the specified number of seconds before issuing an advertisement
claiming master ownership.
Note that the router that is the IP address owner will preempt, regardless of the setting of this command.
Examples The following example configures the router to preempt the current master virtual router when its
priority of 200 is higher than that of the current master virtual router. If the router preempts the current
master virtual router, it waits 15 seconds before issuing an advertisement claiming it is the master virtual
router.
vrrp 1 preempt delay 15
vrrp 1 priority 200
vrrp priority
To set the priority level of the router within a Virtual Router Redundancy Protocol (VRRP) group, use
the vrrp priority command in interface configuration mode. To remove the priority level of the router,
use the no form of this command.
Usage Guidelines Use this command to control which router becomes the master virtual router.
Examples The following example configures the router with a priority of 254:
vrrp 1 priority 254
vrrp timers advertise
Usage Guidelines The advertisements being sent by the master virtual router communicate the state and priority of the
current master virtual router.
Examples The following example configures the master virtual router to send advertisements every 4 seconds:
vrrp 1 timers advertise 4
vrrp timers learn
Syntax Description group Virtual router group number to which the command applies.
Defaults Disabled; the local router calculates the downtime of the master virtual router based on the advertisement
interval of the local router as configured by the vrrp timers advertise command.
Usage Guidelines If this command is configured, when the local router is acting as a backup virtual router for the group,
it will learn the advertisement interval of the current master virtual router from its master advertisements.
The local router will use that value to calculate how long it should wait before deciding that the master
virtual router has gone down. This command synchronizes timers with the current master virtual router.
Examples The following example configures the router, when it is acting as backup virtual router, to learn the
advertisement interval from the advertisements of the current master virtual router:
vrrp 1 timers learn
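The following Python code is an added example, not Cisco code. It serves two passages: the vrrp authentication note above, by showing what a VRRPv2 advertisement with the simple text authentication string looks like on the wire and applying the match-then-accept rule from those Usage Guidelines; and vrrp timers learn, by deriving a backup's master-down timer from the advertisement interval carried in the packet. The field layout follows RFC 2338 (simple text authentication was later removed from the protocol in RFC 3768). The group number, priorities, intervals and the string "s3cret" are constructed sample values.

```python
"""Added example (not Cisco code): VRRPv2 advertisement encoding/decoding with
simple text authentication, the accept/discard rule, and master-down timing."""
import ipaddress
import struct
from collections import namedtuple

VRRP_V2_ADVERTISEMENT = 0x21   # version 2 in the high nibble, type 1 in the low
AUTH_SIMPLE_TEXT = 1           # authentication type 1: cleartext password
AUTH_LEN = 8                   # the password field is exactly 8 bytes

Advertisement = namedtuple(
    "Advertisement", "vrid priority auth_type adver_int addresses auth_string")


def inet_checksum(data: bytes) -> int:
    """Standard one's-complement Internet checksum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(int.from_bytes(data[i:i + 2], "big") for i in range(0, len(data), 2))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_advertisement(vrid, priority, addresses, auth_string, adver_int=1):
    """Encode an advertisement. The password travels as-is, zero padded to 8 bytes."""
    if len(auth_string) > AUTH_LEN:
        raise ValueError("VRRP simple text authentication string is at most 8 characters")
    header = struct.pack("!BBBBBBH", VRRP_V2_ADVERTISEMENT, vrid, priority,
                         len(addresses), AUTH_SIMPLE_TEXT, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    auth = auth_string.encode("ascii").ljust(AUTH_LEN, b"\x00")
    packet = header + body + auth
    checksum = struct.pack("!H", inet_checksum(packet))
    return packet[:6] + checksum + packet[8:]


def parse_advertisement(packet: bytes) -> Advertisement:
    """Decode and checksum-verify an advertisement; ValueError if malformed."""
    ver_type, vrid, priority, count, auth_type, adver_int, _ = struct.unpack(
        "!BBBBBBH", packet[:8])
    if ver_type != VRRP_V2_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(packet) != 8 + 4 * count + AUTH_LEN:
        raise ValueError("length does not match the address count")
    if inet_checksum(packet) != 0:   # a packet with a valid checksum sums to zero
        raise ValueError("bad checksum")
    addresses = [str(ipaddress.IPv4Address(packet[8 + 4 * i:12 + 4 * i]))
                 for i in range(count)]
    auth_string = packet[8 + 4 * count:].rstrip(b"\x00").decode("ascii")
    return Advertisement(vrid, priority, auth_type, adver_int, addresses, auth_string)


def is_well_formed(packet: bytes) -> bool:
    try:
        parse_advertisement(packet)
        return True
    except ValueError:
        return False


def accept_advertisement(packet: bytes, local_auth_string: str) -> bool:
    """The rule from the Usage Guidelines: matching string -> accept, else discard."""
    adv = parse_advertisement(packet)
    return adv.auth_type == AUTH_SIMPLE_TEXT and adv.auth_string == local_auth_string


def master_down_interval(adver_int: float, local_priority: int) -> float:
    """RFC 2338: 3 * advertisement interval + skew time, skew = (256 - priority) / 256."""
    return 3 * adver_int + (256 - local_priority) / 256


def backup_times_out(local_adver_int, master_adver_int, local_priority, learn):
    """True if the backup would declare the master down between two genuine
    advertisements. Without 'vrrp timers learn' the backup sizes its timer from
    its own configured interval rather than the one the master actually uses."""
    interval = master_adver_int if learn else local_adver_int
    return master_down_interval(interval, local_priority) < master_adver_int
```

The test below makes the security point concrete: the configured string is a visible substring of the packet, and a forged advertisement built with the same string but priority 254 passes the receiver's check exactly as the genuine one does. It also shows the timer mismatch: a backup configured for 1-second advertisements that does not learn the master's 4-second interval computes a master-down interval of about 3.6 seconds and times out before the next genuine advertisement arrives.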
weight
To specify the capacity of a real server relative to other real servers in the server farm, use the weight
real server configuration command. To restore the default weight value, use the no form of this
command.
weight weighting-value
no weight
Syntax Description weighting-value Weighting value to use for real server predictor algorithm. Valid
values range from 1 to 155. The default weighting value is 8.
Examples The following example specifies the relative weighting values of three real servers as 16, 8 (by default),
and 24, respectively:
ip slb serverfarm PUBLIC
! First real server
real 10.10.1.1
weight 16
inservice
exit
! Second real server; default weight of 8
real 10.10.1.2
inservice
exit
! Third real server
real 10.10.1.3
weight 24
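The following Python code is an added example, not Cisco code: a weighted round-robin predictor that spreads new connections across the three real servers from the example above (weights 16, 8 by default, and 24) in proportion to their weights, and that skips servers not in service. The smooth-interleaving arithmetic used here is an assumption; the page does not specify IOS SLB's predictor internals, only that the weight expresses relative capacity and is valid from 1 to 155.

```python
"""Added example (not Cisco code): weighted round-robin selection of real
servers in proportion to their configured weights."""

DEFAULT_WEIGHT = 8
MIN_WEIGHT, MAX_WEIGHT = 1, 155   # range stated in the Syntax Description


class RealServer:
    def __init__(self, address, weight=DEFAULT_WEIGHT, inservice=False):
        if not MIN_WEIGHT <= weight <= MAX_WEIGHT:
            raise ValueError(f"weight must be in {MIN_WEIGHT}..{MAX_WEIGHT}")
        self.address, self.weight, self.inservice = address, weight, inservice
        self.current = 0   # running credit used by the predictor


class WeightedRoundRobin:
    """Smooth weighted round robin: every server gains its weight in credit per
    selection round, the richest server is picked and pays back the total."""

    def __init__(self, servers):
        self.servers = list(servers)

    def select(self):
        candidates = [s for s in self.servers if s.inservice]
        if not candidates:
            return None
        total = sum(s.weight for s in candidates)
        for s in candidates:
            s.current += s.weight
        chosen = max(candidates, key=lambda s: s.current)
        chosen.current -= total
        return chosen


def distribute(predictor, connections):
    """Count how many of the next N connections each real server receives."""
    counts = {}
    for _ in range(connections):
        server = predictor.select()
        if server is None:
            break
        counts[server.address] = counts.get(server.address, 0) + 1
    return counts


def build_public_farm():
    """The serverfarm PUBLIC from the example above, all three reals in service."""
    return WeightedRoundRobin([
        RealServer("10.10.1.1", 16, inservice=True),
        RealServer("10.10.1.2", inservice=True),       # default weight 8
        RealServer("10.10.1.3", 24, inservice=True),
    ])
```

Over any 48 consecutive connections (the sum of the weights) the servers receive exactly 16, 8 and 24 of them, with the heaviest server taking the first one; removing a server from service simply drops it from the candidate list, and the remaining servers keep their 16:8 ratio.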