Catalyst 6000 Family IOS Commands

This chapter contains an alphabetical listing of Catalyst 6000 family IOS commands. For information about Cisco IOS commands not contained in this publication, please see the current Cisco IOS documentation including:

access-enable

Use the access-enable command to create a temporary access list entry.

access-enable [host] [timeout minutes]

Syntax Description

host

(Optional) Keyword to enable access only for the host from which the Telnet session originated.

timeout minutes

(Optional) Keyword and variable to specify an idle timeout for the temporary access list entry.

Defaults

The default is for the entries to remain permanently.

Command Modes

EXEC mode.

Usage Guidelines

If you do not enter the host keyword, the software allows all hosts on the defined network to gain access to your network.

You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the temporary access list entry will remain, even after the user terminates the session.

If the access list entry is not accessed within this period, it is automatically deleted and requires you to authenticate again. We recommend that this value equal the idle timeout set for the WAN connection.

Examples

This example shows how to create a temporary access list entry and enable access only for the host from which the session originated:

Router# access-enable host timeout 2
Router# 

Related Commands

access-list

access-list

Use the access-list command to add an access list entry. Use the no form of this command to remove the access list from the configuration.

access-list access-list-number {deny | permit | remark} source-network[.source-node
[source-node-mask]] [destination-network[.destination-node[destination-node-mask]]]

no access-list {access-list-number} {deny | permit | remark} source-network[.source-node
[source-node-mask]] [destination-network[.destination-node[destination-node-mask]]]

Use the extended version of the access-list command to create extended access lists. Use the no form of this command to remove an extended access list from the configuration.

access-list access-list-number {deny | dynamic | permit | remark} protocol
[source-network][[[.source-node] source-node-mask] | [.source-node
source-network-mask.source-node-mask
]] [source-socket]
[destination-network][[[.destination-node] destination-node-mask] |
[.destination-node destination-network-mask.destination-nodemask]] [destination-socket]
[log]

no access-list access-list-number {deny | dynamic | permit | remark} protocol
[source-network][[[.source-node] source-node-mask] | [.source-node
source-network-mask.source-node-mask
]] [source-socket]
[destination-network][[[.destination-node] destination-node-mask] |
[.destination-node destination-network-mask.destination-nodemask]] [destination-socket]
[log]

Syntax Description

access-list-number

Number of the access list. See Table 2-1 for a list of valid values.

deny

Keyword to deny access if the conditions are matched. See Table 2-2 for a list of valid values.

dynamic

Keyword to specify a DYNAMIC list of PERMITs or DENYs. See Table 2-2 for format information.

permit

Keyword to permit access if the conditions are matched. See Table 2-2 for format information.

remark

Keyword to create an access list entry comment. See Table 2-2 for format information.

protocol

Number or name of protocol type; valid numbers are from 0 to 255. See Table 2-3 for a list of valid names (keywords).

source-network

(Optional) Number of the network from which the packet is being sent. See the "Usage Guidelines" section for format guidelines.

.source-node

(Optional) Number of the node on source-network from which the packet is being sent. See the "Usage Guidelines" section for format guidelines.

source-node-mask

(Optional) Mask to be applied to source-node. See the "Usage Guidelines" section for format guidelines.

source-network-mask

(Optional) Mask to be applied to source-network. See the "Usage Guidelines" section for format guidelines.

source-socket

(Optional) Socket name or number (hexadecimal) from which the packet is being sent. See Table 2-4 in the "Usage Guidelines" section for a list of IPX socket names and numbers.

destination-network

(Optional) Number of the network to which the packet is being sent. See the "Usage Guidelines" section for format guidelines.

.destination-node

(Optional) Node on destination-network to which the packet is being sent. See the "Usage Guidelines" section for format guidelines.

destination-node-mask

(Optional) Mask to be applied to destination-node. See the "Usage Guidelines" section for format guidelines.

destination-network-mask

(Optional) Mask to be applied to destination-network. See the "Usage Guidelines" section for format guidelines.

destination-socket

(Optional) Socket name or number (hexadecimal) to which the packet is being sent. See Table 2-4 in the "Usage Guidelines" section for a list of IPX socket names and numbers.

log

(Optional) Keyword to log access control list violations whenever a packet matches a particular access list entry.

Defaults

There are no default ACLs and no default ACL-VLAN mappings.

Command Modes

Global configuration mode.

Usage Guidelines

Table 2-1 contains a list of valid values for the access-list-number argument.


Note Although all the values are listed, only the following values are supported: 1 to 99---standard IP ACLs, 100 to 199---extended IP ACLs, 800 to 899---standard IPX ACLs, and 900 to 999---extended IPX ACLs.


Table 2-1: Valid ACL-Number Values

Value                          Definition
1 to 99                        IP standard access list
100 to 199                     IP extended access list
200 to 299                     Protocol type-code access list
300 to 399                     DECnet access list
400 to 499                     XNS standard access list
500 to 599                     XNS extended access list
600 to 699                     AppleTalk access list
700 to 799                     48-bit MAC address access list
800 to 899                     IPX standard access list
900 to 999                     IPX extended access list
1000 to 1099                   IPX SAP access list
1100 to 1199                   Extended 48-bit MAC address access list
1200 to 1299                   IPX summary address access list
1300 to 1999                   IP standard access list (expanded range)
2000 to 2699                   IP extended access list (expanded range)
compiled access-list-number    Keyword and variable to enable IP access-list compilation
rate-limit access-list-number  Keyword and variable to specify a simple rate-limit specific access list; valid values are from 1 to 99 for the Precedence ACL index and from 100 to 199 for the MAC address ACL index

Table 2-2 lists the different arguments and formats for each access list type. See the "Getting Help" section for information on how to use the Help feature to obtain a syntax description.


Table 2-2: Possible Command Formats

Access List Type / Syntax

IP standard access list (1 to 99)

deny | permit {hostname | address [log]} | {any [log]} | {host {host-name | host-address [log]}}

remark [comment]

IP extended access list (100 to 199)

deny | permit {{protocol-number | protocol-name} {source-address source-wildcard-bits {destination-address destination-wildcard-bits [message-type]}}} | {any | host} {destination-address destination-wildcard-bits | any | host} [log [precedence precedence [tos tos] | {tos tos [precedence precedence]]} | {log-input [precedence precedence [tos tos] | {tos tos [precedence precedence]}} | {precedence precedence [log | log-input tos tos] | {time-range name} | tos tos}]]

dynamic dynamic-list-name {deny | permit} {protocol-number | protocol-name} | {timeout time} {source-address source-wildcard-bits {destination-address destination-wildcard-bits [message-type]}} | {any | host} {destination-address destination-wildcard-bits | any | host} [log [precedence precedence [tos tos] | {tos tos [precedence precedence]]} | {log-input [precedence precedence [tos tos] | {tos tos [precedence precedence]} | {precedence precedence [log | log-input tos tos] | {time-range name} | tos tos}]] remark [comment]

Protocol type-code access list (200 to 299)

deny | permit protocol-type-code [protocol-type-code-mask]

DECnet access list (300 to 399)

deny | permit source-address source-mask [{destination-address destination-mask} | {eq {account expression} | any [account expression | any | dst | id | password | src]} | {dst [any | dst {eq object-number | exp expression | gt object-number | id expression | lt object-number | neq object-number | password expression} | src {eq object-number | exp expression | gt object-number | id expression | lt object-number | neq object-number | password expression} | uic [grp,usr]}

XNS standard access list (400 to 499)

deny | permit {-1 | xns-net | source-net | source-net.host address} [{service-type-code [sap-server-name]} | source-net.host-mask [service-type-code]]

XNS extended access list (500 to 599)

deny | permit protocol-type-code {xns-net | source-net | source-net.host address} | source-net.host-mask

AppleTalk access list (600 to 699)

deny | permit {network-number broadcast-deny | broadcast-permit} | additional-zones | cable-range start-end | includes start-end | {nbp sequence-number} | BrRq | FwdRq | LkReply | Lookup | object object-filter | type type-filter | zone zone-filter}} | {network network-number broadcast-deny | broadcast-permit} | other-access [broadcast-deny | broadcast-permit]} | other-nbps | within start-end | zones zone-name

48-bit MAC address access list (700 to 799)

deny | permit hardware-source-address hardware-source-address-mask

IPX standard access list (800 to 899)

deny | permit {-1 | source-net | source-net.host address}

IPX extended access list (900 to 999)

deny | permit protocol-type [protocol-type-code-mask]{-1 | {source-net source-socket} | all | cping | diagnostic | eigrp | log | ncp | netbios | nlsp | rip | sap | time-range name | trace} {{destination-net.host-address | any | log | time-range name} | source-net.host address {source-socket | source-host-mask | source-net.host-mask | all | cping | diagnostic | eigrp | log | ncp | netbios | nlsp | rip | sap | time-range name | trace} {destination-net.host-address | any | log | time-range name} | any | host | time-range name}}

IPX SAP access list (1000 to 1099)

deny | permit {-1 | source-net | source-net.host address} [{service-type-code [sap-server-name]} | source-net.host-mask [service-type-code]]

Extended 48-bit MAC address access list (1100 to 1199)

deny | permit hardware-source-address hardware-source-address-mask hardware-dest-address hardware-dest-address-mask [offset]

IPX summary address access list (1200 to 1299)

deny | permit {-1 {[area-count area-count | ticks tick-count]} | {ipx-net-address ipx-net-mask} | gigabitethernet interface-number | null number [area-count area-count | ticks tick-count] | vlan number [area-count area-count | ticks tick-count] | area-count area-count | ticks tick-count}

IP standard access list (expanded range) (1300 to 1999)

deny | permit {hostname | address [wildcard-bits | log]} | {any [log]} | {host {host-name | host-address [log]}}

remark [comment]

IP extended access list (expanded range) (2000 to 2699)

deny | permit {hostname | address [wildcard-bits | log]} | {any [log]} | {host {host-name | host-address [log]}}

dynamic dynamic-list-name {deny | permit} {protocol-number | protocol-name} | {timeout time} {deny | permit {protocol-number | protocol-name}} {source-address source-wildcard-bits {destination-address destination-wildcard-bits [message-type]}} | {any | host} {destination-address destination-wildcard-bits | any | host} [log [precedence precedence [tos tos] | {tos tos [precedence precedence]]} | {log-input [precedence precedence [tos tos] | {tos tos [precedence precedence]} | {precedence precedence [log | log-input tos tos] | {time-range name} | tos tos}]] remark [comment]

remark [comment]

The source-network is entered as an eight-digit hexadecimal number that uniquely identifies a network cable segment. It can be a number in the range 1 to FFFFFFFE. A network number of 0 matches the local network. A network number of -1 matches all networks. You do not need to specify leading zeros in the network number; for example, for the network number 000000AA, you can enter AA.

The source-node is entered as a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx).

The source-node-mask is entered as a 48-bit value represented as a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask.

The source-network-mask is entered as an eight-digit hexadecimal mask. Place ones in the bit positions you want to mask. The mask must immediately be followed by a period, which must in turn immediately be followed by source-node-mask. When you specify the source-network-mask, use the following guidelines:

The destination-network is entered as an eight-digit hexadecimal number that uniquely identifies a network cable segment. It can be a number in the range 1 to FFFFFFFE. A network number of 0 matches the local network. A network number of -1 matches all networks. You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA.

The destination-node is entered as a 48-bit value represented by a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx).

The destination-node-mask is entered as a 48-bit value represented as a dotted triplet of four-digit hexadecimal numbers (xxxx.xxxx.xxxx). Place ones in the bit positions you want to mask. You can enter this value only when destination-node is specified.

The destination-network-mask is an eight-digit hexadecimal number that uniquely identifies a network cable segment. It can be a number in the range 0 to FFFFFFFF and must be immediately followed by a period, which must in turn be immediately followed by destination-node-mask. A network mask of -1 or any matches all networks. You do not need to specify leading zeros in the network number. For example, for the network number 000000AA, you can enter AA. destination-network-mask examples are as follows:

When you enter the log keyword, the information logged includes the source address, destination address, source socket, destination socket, protocol type, and action taken (permit or deny).
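The following Python example is added here and is not part of the Cisco documentation. It implements the IPX address and mask formats described in the guidelines above (eight-hex-digit network with optional leading zeros, -1 wildcard, xxxx.xxxx.xxxx node, "ones in the bit positions you want to mask", and the rule that a network mask must be immediately followed by a period and a node mask) and uses them to decide whether a packet address falls inside an access list entry. The function and class names (parse_spec, IpxMatch) are this example's own, not IOS names.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Documented shapes: network = up to eight hex digits (leading zeros optional,
# -1 = all networks, 0 = local network); node and node mask = xxxx.xxxx.xxxx;
# network mask = eight hex digits, 0..FFFFFFFF.  A 1 bit in a mask means
# "ignore this bit" (the guideline's "place ones in the bit positions you want to mask").
_NET_RE = re.compile(r"^[0-9A-Fa-f]{1,8}$")
_NODE_RE = re.compile(r"^[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}\.[0-9A-Fa-f]{4}$")
NET_BITS = 0xFFFFFFFF
NODE_BITS = 0xFFFFFFFFFFFF


def parse_network(text: str, is_mask: bool = False) -> Optional[int]:
    """Parse an IPX network number or network mask; None means the -1 wildcard."""
    if text == "-1" or (is_mask and text == "any"):
        return NET_BITS if is_mask else None      # a wildcard mask ignores every bit
    if not _NET_RE.match(text):
        raise ValueError(f"bad IPX network value {text!r}")
    value = int(text, 16)
    if not is_mask and value == NET_BITS:
        raise ValueError("network numbers run from 1 to FFFFFFFE (0 = local network)")
    return value


def parse_node(text: str) -> int:
    """Parse a 48-bit node address or node mask written as xxxx.xxxx.xxxx."""
    if not _NODE_RE.match(text):
        raise ValueError(f"bad IPX node value {text!r}")
    return int(text.replace(".", ""), 16)


@dataclass
class IpxMatch:
    network: Optional[int]          # None = -1 wildcard (any network)
    node: Optional[int]             # None = any node on the network
    network_mask: int = 0
    node_mask: int = 0

    def matches(self, network: str, node: str) -> bool:
        """True if the packet address (network, node) is covered by this entry."""
        net = parse_network(network)
        nd = parse_node(node)
        if net is None:
            raise ValueError("a packet address cannot be the -1 wildcard")
        if self.network is not None:
            keep = NET_BITS & ~self.network_mask          # bits that must agree
            if (net & keep) != (self.network & keep):
                return False
        if self.node is not None:
            keep = NODE_BITS & ~self.node_mask
            if (nd & keep) != (self.node & keep):
                return False
        return True


def parse_spec(spec: str) -> IpxMatch:
    """Parse 'network[.node [node-mask | network-mask.node-mask]]' as the guidelines describe."""
    parts = spec.split()
    if not 1 <= len(parts) <= 2:
        raise ValueError(f"expected 'address [mask]', got {spec!r}")
    net_text, _, node_text = parts[0].partition(".")
    network = parse_network(net_text)
    node = parse_node(node_text) if node_text else None
    network_mask = node_mask = 0
    if len(parts) == 2:
        if node is None:      # a node mask is only allowed when a node is specified
            raise ValueError("a mask may only be given when a node is specified")
        groups = parts[1].split(".")
        if len(groups) == 3:                      # node mask alone
            node_mask = parse_node(parts[1])
        elif len(groups) == 4:                    # network-mask.node-mask, no space between
            network_mask = parse_network(groups[0], is_mask=True)
            node_mask = parse_node(".".join(groups[1:]))
        else:
            raise ValueError(f"bad mask {parts[1]!r}")
    return IpxMatch(network, node, network_mask, node_mask)


def is_valid_spec(spec: str) -> bool:
    """Syntax check only; True if parse_spec accepts the text."""
    try:
        parse_spec(spec)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: network AA, node 0000.0c00.23fe, low 16 node bits ignored.
    entry = parse_spec("AA.0000.0c00.23fe 0000.0000.ffff")
    print(entry.matches("000000AA", "0000.0c00.0001"))   # True, masked node bits differ only
    print(entry.matches("AB", "0000.0c00.23fe"))         # False, different network
```

Because masks ignore bits rather than select them, a mask of ffff.ffff.ffff on the node (or -1 on the network) turns the entry into a wildcard; that is worth checking when reviewing a configuration that was meant to permit a single host.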

Table 2-3 contains a list of valid IPX numbers and names for the protocol argument.


Table 2-3: IPX Protocol Names and Numbers

Number (Decimal)   Name      Protocol
-1                 any       Wildcard; matches any packet type in 900 lists
0                  -         Undefined; refer to the socket number to determine the packet type
1                  rip       Routing Information Protocol
4                  sap       Service Advertising Protocol
5                  spx       Sequenced Packet Exchange
17                 ncp       NetWare Core Protocol
20                 netbios   NetBIOS

Table 2-4 contains a list of valid numbers and names for the source-socket and destination-socket arguments.


Table 2-4: IPX Socket Names and Numbers

Number (Hexadecimal)   Name         Socket
0                      all          All sockets; wildcard used to match all sockets
2                      cping        Cisco IPX ping packet
451                    ncp          NetWare Core Protocol process
452                    sap          Service Advertising Protocol process
453                    rip          Routing Information Protocol process
455                    netbios      Novell NetBIOS process
456                    diagnostic   Novell diagnostic packet
457                    -            Novell serialization socket
4000 to 7FFF           -            Dynamic sockets; used by workstations for interaction with file servers and other network servers
8000 to FFFF           -            Sockets as assigned by Novell, Inc.
85BE                   eigrp        IPX Enhanced Interior Gateway Routing Protocol (Enhanced IGRP)
9001                   nlsp         NetWare Link Services Protocol
9086                   nping        Novell standard ping packet

access-list rate-limit

Use the access-list rate-limit command to configure an access list for use. Use the no form of this command to remove the access list from the configuration.

access-list rate-limit acl-index {precedence | mask prec-mask} | mac-address

no access-list rate-limit acl-index {precedence | mask prec-mask} | mac-address

Syntax Description

acl-index

Access list number; valid values are from 1 to 99 to classify packets by precedence or precedence mask, and from 100 to 199 to classify by MAC address.

precedence

IP precedence; valid values are from 0 to 7.

mask prec-mask

Keyword and variable to specify the IP precedence mask; a two-digit hexadecimal number; valid values are from 0 to FF.

mac-address

MAC address.

Defaults

The default is no access lists are configured.

Command Modes

Global configuration mode.

Usage Guidelines

You can use this command to classify packets by the specified IP precedence or MAC address for a particular access list. You can then apply the policies to individual rate-limit access lists. Thus, packets with different IP precedences or MAC addresses are treated differently.

You can specify only one command for each rate-limit access list. If you enter this command multiple times with the same access list number, the new command will overwrite the previous command. Use the mask keyword to assign multiple IP precedences to the same rate-limit list.
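The following Python example is added here and is not Cisco code. It models the two rules in this section: a rate-limit list classifies by one IP precedence, one precedence mask, or one MAC address (index 1 to 99 for precedence, 100 to 199 for MAC), and a second command for the same index overwrites the first. It assumes, which this page does not state, that bit n of prec-mask selects IP precedence n, so the page's example mask 42 (hex) covers precedences 1 and 6; the class and function names are this example's own.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Union

PRECEDENCE_ACL_RANGE = range(1, 100)    # classify by precedence or precedence mask
MAC_ACL_RANGE = range(100, 200)         # classify by MAC address


def precedences_for_mask(prec_mask_hex: str) -> List[int]:
    """Assumed semantics: bit n of the two-digit hex mask selects precedence n."""
    value = int(prec_mask_hex, 16)
    if not 0 <= value <= 0xFF:
        raise ValueError("prec-mask is a two-digit hexadecimal number, 0 to FF")
    return [p for p in range(8) if (value >> p) & 1]


def mask_for_precedences(precedences) -> str:
    """Inverse of precedences_for_mask: build the hex mask covering the given precedences."""
    value = 0
    for p in precedences:
        if not 0 <= p <= 7:
            raise ValueError("IP precedence values run from 0 to 7")
        value |= 1 << p
    return f"{value:02X}"


def precedence_of_tos(tos_byte: int) -> int:
    """IP precedence is the top three bits of the IPv4 ToS byte."""
    return (tos_byte >> 5) & 0x7


def normalize_mac(mac: str) -> str:
    """Accept 00e0.34b0.7777 or 00:e0:34:b0:77:77 and return 12 lowercase hex digits."""
    digits = mac.replace(".", "").replace(":", "").replace("-", "").lower()
    if len(digits) != 12 or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"bad MAC address {mac!r}")
    return digits


@dataclass
class RateLimitEntry:
    kind: str                          # "precedence", "mask" or "mac"
    value: Union[int, List[int], str]  # precedence, list of precedences, or MAC digits


class RateLimitAcls:
    """One classifier per acl-index; configuring the same index again overwrites it."""

    def __init__(self) -> None:
        self.entries: Dict[int, RateLimitEntry] = {}

    def configure(self, acl_index: int, *, precedence: Optional[int] = None,
                  mask: Optional[str] = None, mac: Optional[str] = None) -> RateLimitEntry:
        given = [v for v in (precedence, mask, mac) if v is not None]
        if len(given) != 1:
            raise ValueError("give exactly one of precedence, mask or mac")
        if precedence is not None:
            if acl_index not in PRECEDENCE_ACL_RANGE or not 0 <= precedence <= 7:
                raise ValueError("precedence lists use index 1-99 and precedence 0-7")
            entry = RateLimitEntry("precedence", precedence)
        elif mask is not None:
            if acl_index not in PRECEDENCE_ACL_RANGE:
                raise ValueError("precedence-mask lists use index 1-99")
            entry = RateLimitEntry("mask", precedences_for_mask(mask))
        else:
            if acl_index not in MAC_ACL_RANGE:
                raise ValueError("MAC address lists use index 100-199")
            entry = RateLimitEntry("mac", normalize_mac(mac))
        self.entries[acl_index] = entry        # a repeated command replaces the earlier one
        return entry

    def matches(self, acl_index: int, *, tos: Optional[int] = None,
                src_mac: Optional[str] = None) -> bool:
        """Does a packet with this ToS byte / source MAC fall into the given rate-limit list?"""
        entry = self.entries.get(acl_index)
        if entry is None:
            return False
        if entry.kind == "precedence":
            return tos is not None and precedence_of_tos(tos) == entry.value
        if entry.kind == "mask":
            return tos is not None and precedence_of_tos(tos) in entry.value
        return src_mac is not None and normalize_mac(src_mac) == entry.value


if __name__ == "__main__":
    acls = RateLimitAcls()
    acls.configure(25, mask="42")                  # the page's example: precedences 1 and 6
    acls.configure(100, mac="00e0.34b0.7777")
    print(precedences_for_mask("42"))              # [1, 6]
    print(acls.matches(25, tos=0x20))              # True (precedence 1)
```

Because a later command silently replaces the earlier one, a configuration audit should diff the running configuration against intent rather than assume every access-list rate-limit line that was ever entered is still in force.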

Examples

This example shows how to assign any packets with a specific MAC address to a specific rate-limit access list:

Router(config)# access-list rate-limit 100 00e0.34b0.7777
Router(config)#
 

This example shows how to assign packets with a specific IP precedence to a specific rate-limit access list:

Router(config)# access-list rate-limit 25 mask 42
Router(config)#

Related Commands

show access-lists (refer to Cisco IOS documentation)

access-profile

Use the access-profile command to apply authorization attributes to an interface. Use the default form of the command (no keywords) to cause existing ACLs to be removed, and ACLs defined in your per-user configuration to be installed.

access-profile [merge | replace | ignore-sanity-checks]

Syntax Description

merge

(Optional) Keyword to remove old access-lists (per-user and per-interface) from the interface and install a new configuration.

replace

(Optional) Keyword to unconfigure all per-user configurations for this interface and replace with a new configuration.

ignore-sanity-checks

(Optional) Keyword to ignore all sanity check errors and allow you to use any AV pair, whether or not it is valid.

Defaults

The default is to remove existing ACLs while retaining other existing authorization attributes for the interface.

Command Modes

EXEC mode.

Usage Guidelines

If you do not enter any keywords, existing ACLs are removed, and new ACLs are installed. The new ACLs come from your per-user configuration on an AAA server (such as a TACACS+ server). The ACL replacement constitutes a reauthorization of your network privileges.

Any changes to the interface caused by this command stay in effect as long as the interface stays up. These changes will be removed when the interface goes down. This command does not affect the normal operation of the interface.

If you do not enter any keywords, the command can fail if your configuration contains statements other than ACL AV pairs. Any protocols with non-ACL statements will be deconfigured, and no traffic for that protocol can pass over the PPP link.

The access-profile merge command causes existing ACLs to be unconfigured (removed) and new authorization information (including new ACLs) to be added to the interface. This new authorization information consists of your complete per-user configuration on an AAA server. If any new authorization statements conflict with existing statements, the new statements could override the old statements or be ignored, depending on the statement and applicable parser rules. The resulting interface configuration is a combination of the original configuration and the newly installed per-user configuration.


Caution If the new authorization profile contains any invalid mandatory AV pairs, the command fails and the PPP protocol (containing the invalid pair) is dropped. If invalid AV pairs are included as optional in the profile, the command succeeds, but the invalid AV pair is ignored. Invalid AV pair types are addr, addr-pool, zonelist, tunnel-id, ip-addresses, x25-addresses, frame-relay, and source-ip.

These AV pair types are invalid only when used with double authentication in the user-specific authorization profile---they cause the access-profile command to fail. However, these AV pair types can be appropriate when used in other contexts.

The access-profile replace command causes the entire existing authorization configuration to be removed from the interface, and the complete per-user authorization configuration to be added. This per-user authorization consists of your complete per-user configuration on an AAA server.


Caution Use extreme caution when using the access-profile replace form of the command, because this option deletes all authorization configuration information (including static routes) before reinstalling the new authorization configuration.

Examples

This example shows how to apply authorization attributes to an interface:

Router# access-profile
Router# 

Related Commands

connect (refer to Cisco IOS documentation)
telnet (refer to Cisco IOS documentation)

access-template

Use the access-template command to place a temporary access list entry manually.

access-template {access-list-number | name} {temporary-list-name} {source-address | any [log] | host} {source-wildcard-bits} {destination-address | any [log] | host} {destination-wildcard-bits} [timeout minutes]

Syntax Description

access-list-number

Number of the dynamic access list.

name

Name of an access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.

temporary-list-name

Name of the temporary access list.

source-address

Number of the network or host from which the packet is being sent; valid format is a 32-bit quantity in four-part dotted-decimal format.

any

Keyword to match to any source host.

log

(Optional) Keyword to cause an informational logging message about the packet that matches the entry to be sent to the console.

host

Keyword to specify a single host name or address.

source-wildcard-bits

Wildcard bits (mask) to be applied to source; valid format is a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.

destination-address

Number of the network or host to which the packet is being sent; valid format is a 32-bit quantity in four-part dotted-decimal format.

destination-wildcard-bits

Wildcard bits (mask) to be applied to the destination; valid format is a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.

timeout minutes

(Optional) Keyword and variable to specify an idle timeout for the temporary access list entry.

Command Modes

EXEC mode.

Usage Guidelines

You should always define either an idle timeout (with the timeout keyword) or an absolute timeout (with the timeout keyword in the access-list command). Otherwise, the dynamic access list will remain, even after you have terminated the session.
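The following Python example is added here and is not Cisco code. It models the timer behaviour that this section and the access-enable usage guidelines describe: an idle timeout (timeout minutes on access-enable or access-template) resets whenever traffic matches the entry, an absolute timeout (timeout on the dynamic access-list statement) does not, and an entry with neither timer stays until it is removed by hand. The class names and the audit helper entries_without_timers are this example's own.

```python
from dataclasses import dataclass
from typing import List, Optional

MINUTE = 60.0   # timeouts on the command line are given in minutes


@dataclass
class TemporaryEntry:
    """One dynamic (temporary) access list entry with the two documented timers."""
    name: str
    created_at: float                              # seconds on a monotonic clock
    last_hit: float
    idle_timeout_min: Optional[float] = None       # access-enable / access-template timeout
    absolute_timeout_min: Optional[float] = None   # timeout on the dynamic access-list line

    def touch(self, now: float) -> None:
        """Record traffic matching the entry; only the idle timer is reset."""
        self.last_hit = now

    def is_expired(self, now: float) -> bool:
        if (self.absolute_timeout_min is not None
                and now - self.created_at >= self.absolute_timeout_min * MINUTE):
            return True
        if (self.idle_timeout_min is not None
                and now - self.last_hit >= self.idle_timeout_min * MINUTE):
            return True
        return False        # no timer at all: the entry lives until someone removes it


class TemporaryAcl:
    """The set of temporary entries a router would hold for a dynamic access list."""

    def __init__(self) -> None:
        self.entries: List[TemporaryEntry] = []

    def add(self, name: str, now: float, idle_timeout_min: Optional[float] = None,
            absolute_timeout_min: Optional[float] = None) -> TemporaryEntry:
        entry = TemporaryEntry(name, now, now, idle_timeout_min, absolute_timeout_min)
        self.entries.append(entry)
        return entry

    def purge(self, now: float) -> List[str]:
        """Drop expired entries; return their names (what an audit log should record)."""
        expired = [e for e in self.entries if e.is_expired(now)]
        self.entries = [e for e in self.entries if e not in expired]
        return [e.name for e in expired]

    def active(self, now: float) -> List[str]:
        self.purge(now)
        return [e.name for e in self.entries]

    def entries_without_timers(self) -> List[str]:
        """Audit check: entries that can never expire on their own."""
        return [e.name for e in self.entries
                if e.idle_timeout_min is None and e.absolute_timeout_min is None]


if __name__ == "__main__":
    # Constructed timeline: three entries created at t=0 seconds.
    acl = TemporaryAcl()
    acl.add("payroll-host", now=0, idle_timeout_min=2)     # as in 'timeout 2' above
    acl.add("no-timeout", now=0)                            # the case the guideline warns about
    acl.add("abs-5", now=0, absolute_timeout_min=5)
    print(acl.entries_without_timers())                     # ['no-timeout']
    print(acl.active(now=10 * 365 * 24 * 3600))             # ['no-timeout'] survives indefinitely
```

Running entries_without_timers against a model of the configured dynamic lists is a cheap way to catch the permanent-entry case before it reaches production.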

Examples

This example shows how to enable IP access on incoming packets from a specified source address and destination address. All other source and destination pairs are discarded:

Router# access-template 101 payroll host 172.29.1.129 host 192.168.52.12 timeout 2

Related Commands

access-list

aclmerge

Use the aclmerge command to merge ACLs before sending them to the TCAM manager. Use the no form of this command to turn off ACL merge.

aclmerge memory-usage max value

no aclmerge memory-usage max value

Syntax Description

memory-usage

Keyword to specify memory usage.

max value

(Optional) Keyword and variable to specify the ACL merge value; valid values are from 3 to 16.

Defaults

This command has no default setting.

Command Modes

Global configuration mode.

Examples

This example shows how to merge ACLs before sending them to the TCAM manager:

Router(config)# aclmerge memory-usage max 16
Router(config)#  

apply

Use the apply command to implement the proposed new VLAN database, bump the database configuration number, save it in NVRAM, and propagate it throughout the administrative domain.

apply

Syntax Description

This command has no arguments or keywords.

Defaults

This command has no default setting.

Command Modes

VLAN configuration mode.

Usage Guidelines

The apply command implements the configuration changes you made after you entered VLAN database mode and uses them for the running configuration. This command keeps you in VLAN database mode.

You cannot use this command when the switch is in the VTP client mode.

You can verify that VLAN database changes occurred by entering the show vlan command in privileged EXEC mode.

Examples

This example shows how to implement the proposed new VLAN database and recognize it as the current database:

Router(config-if-vlan)# apply
Router(config-if-vlan)#

Related Commands

abort (refer to Cisco IOS documentation)
exit (refer to Cisco IOS documentation)
reset
show vlan
shutdown vlan (refer to Cisco IOS documentation)
vtp (global configuration mode)

auto-sync

Use the auto-sync command to specify automatic synchronization of the configuration between the primary and secondary route processors based on the primary configuration. Use the no form of this command to disable automatic synchronization.

auto-sync {startup-config | config-register | bootvar | standard}
no auto-sync {startup-config | config-register | bootvar | standard}

Syntax Description

startup-config

Keyword to specify automatic synchronization of the startup configuration.

config-register

Keyword to specify automatic synchronization of the configuration register configuration.

bootvar

Keyword to specify automatic synchronization of the BOOTVAR configuration.

standard

Keyword to specify automatic synchronization of the startup-config, BOOTVAR, and config-register.

Defaults

The default is standard.

Command Modes

Main-cpu redundancy mode.

Usage Guidelines

If you enter the no auto-sync standard command, no automatic synchronizations occur. If you want to enable any of the options, you have to enter the appropriate command for each option.

Examples

This example shows how (from the default configuration) to enable automatic synchronization of the configuration register only of the primary and secondary route processors:

Router# configure terminal
Router(config)# redundancy
Router(config-r)# main-cpu
Router(config-r-mc)# no auto-sync standard
Router(config-r-mc)# auto-sync config-register
Router(config-r-mc)#


Posted: Thu Jul 20 15:01:32 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.