IP Services Commands

Syntax Description

access-list-number	Number of an IP access list. This is a decimal number from 1 to 199 or from 1300 to 2699.
in	Restricts incoming connections between a particular Cisco device and the addresses in the access list.
out	Restricts outgoing connections between a particular Cisco device and the addresses in the access list.

Defaults

No access lists are defined.

Command Modes

Line configuration

Command History

Release	Modification
10.0	This command was introduced.

Usage Guidelines

To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.

Examples

The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:

access-list 12 permit 192.89.55.0  0.0.0.255
 line 1 5
 access-class 12 in

The following example defines an access list that denies connections to networks other than network 36.0.0.0 on terminal lines 1 through 5:

access-list 10 permit 36.0.0.0 0.255.255.255
 line 1 5
 access-class 10 out

Related Commands

Command	Description
show line	Displays the parameters of a terminal line.

Internet Control Message Protocol (ICMP)

For ICMP, you can also use the following syntax:

Internet Group Management Protocol (IGMP)

For IGMP, you can also use the following syntax:

Syntax Description

access-list-number	Number of an access list. This is a decimal number from 100 to 199.
dynamic dynamic-name	(Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.
timeout minutes	(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.
deny	Denies access if the conditions are matched.
permit	Permits access if the conditions are matched.
protocol	Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the keyword ip. Some protocols allow further qualifiers described below.
source	Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source: Use a 32-bit quantity in four-part, dotted-decimal format. Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
source-wildcard	Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
destination	Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: Use a 32-bit quantity in four-part, dotted-decimal format. Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
destination-wildcard	Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
precedence precedence	(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."
tos tos	(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."
icmp-type	(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
log	(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
time-range time-range-name	(Optional) Name of the time range that applies to this statement. The name of the time range and its restrictions are specified by the time-range command.
icmp-code	(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message	(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines."
igmp-type	(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."
operator	(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.
port	(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names are listed in the section "Usage Guidelines." TCP port names can only be used when filtering TCP. UDP port names are listed in the section "Usage Guidelines." UDP port names can only be used when filtering UDP. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.
established	(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

Defaults

An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.

Command Modes

Global configuration

Command History

Release	Modification
10.0	This command was introduced.
10.3	The following keywords and arguments were added: source source-wildcard destination destination-wildcard precedence precedence icmp-type icm-code icmp-message igmp-type operator port established
11.1	The dynamic dynamic-name keyword and argument were added.
11.1	The timeout minutes keyword and argument were added.
12.0(1)T	The time-range time-range-name keyword and argument were added.

Usage Guidelines

You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match against the TCP source port, the type of service value, or the packet's precedence.

Note   After a numbered access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific numbered access list.

The following is a list of precedence names:

• critical

• flash

• flash-override

• immediate

• internet

• network

• priority

• routine

The following is a list of type of service (ToS) names:

• max-reliability

• max-throughput

• min-delay

• min-monetary-cost

• normal

The following is a list of ICMP message type names and ICMP message type and code names:

• administratively-prohibited

• alternate-address

• conversion-error

• dod-host-prohibited

• dod-net-prohibited

• echo

• echo-reply

• general-parameter-problem

• host-isolated

• host-precedence-unreachable

• host-redirect

• host-tos-redirect

• host-tos-unreachable

• host-unknown

• host-unreachable

• information-reply

• information-request

• mask-reply

• mask-request

• mobile-redirect

• net-redirect

• net-tos-redirect

• net-tos-unreachable

• net-unreachable

• network-unknown

• no-room-for-option

• option-missing

• packet-too-big

• parameter-problem

• port-unreachable

• precedence-unreachable

• protocol-unreachable

• reassembly-timeout

• redirect

• router-advertisement

• router-solicitation

• source-quench

• source-route-failed

• time-exceeded

• timestamp-reply

• timestamp-request

• traceroute

• ttl-exceeded

• unreachable

The following is a list of IGMP message names:

• dvmrp

• host-query

• host-report

• pim

• trace

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

• bgp

• chargen

• daytime

• discard

• domain

• echo

• finger

• ftp

• ftp-data

• gopher

• hostname

• irc

• klogin

• kshell

• lpd

• nntp

• pop2

• pop3

• smtp

• sunrpc

• syslog

• tacacs-ds

• talk

• telnet

• time

• uucp

• whois

• www

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

• biff

• bootpc

• bootps

• discard

• dns

• dnsix

• echo

• mobile-ip

• nameserver

• netbios-dgm

• netbios-ns

• ntp

• rip

• snmp

• snmptrap

• sunrpc

• syslog

• tacacs-ds

• talk

• tftp

• time

• who

• xdmcp

Examples

In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The established keyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.

access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
interface serial 0
 ip access-group 102 in
 

The following example also permits Domain Naming System (DNS) packets and ICMP echo and echo reply packets:

access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp any host 128.88.1.2 eq smtp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
 

The following examples show how wildcard bits are used to indicate the bits of the prefix or mask that are relevant. They are similar to the bitmasks that are used with normal access lists. Prefix/mask bits corresponding to wildcard bits set to 1 are ignored during comparisons and prefix/mask bits corresponding to wildcard bits set to 0 are used in comparison.

The following example permits 192.108.0.0 255.255.0.0 but denies any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0):

access-list 101 permit ip 192.108.0.0 0.0.0.0   255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255  255.255.0.0 0.0.255.255
 

The following example permits 131.108.0/24 but denies 131.108/16 and all other subnets of 131.108.0.0:

access-list 101 permit ip 131.108.0.0 0.0.0.0     255.255.255.0 0.0.0.0
access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0   0.0.255.255
 

The following example uses a time-range to deny HTTP traffic on Monday through Friday between the hours of 8:00 a.m. and 6:00 p.m.:

time-range no-http
 periodic weekdays 8:00 to 18:00
!
access-list 101 deny tcp any any eq http time-range no-http
!
interface ethernet 0
 ip access-group 101 in

Related Commands

Command	Description
access-class	Restricts incoming and outgoing connections between a particular virtual terminal line (into a Cisco device) and the addresses in an access list.
access-list (IP standard)	Establishes MAC address access lists.
clear access-template	Clears a temporary access list entry from a dynamic access list.
distribute-list in	Filters networks received in updates.
distribute-list out	Suppresses networks from being advertised in updates.
ip access-group	Controls access to an interface.
ip access-list	Defines an IP access list by name.
ip accounting	Enables IP accounting on an interface.
logging console	Controls which messages are logged to the console, based on severity.
show access-lists	Displays the contents of current IP and rate-limit access lists.
show ip access-list	Displays the contents of all current IP access lists.
time-range	Specifies when an access list or other feature is in effect.

Caution Enhancements to this command are backward compatible; migrating from releases prior to Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images.

Syntax Description

access-list-number	Number of an access list. This is a decimal number from 1 to 99 or from 1300 to 1999.
deny	Denies access if the conditions are matched.
permit	Permits access if the conditions are matched.
source	Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source: Use a 32-bit quantity in four-part, dotted-decimal format. Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
source-wildcard	(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
log	(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Defaults

The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.

Command Modes

Global configuration

Command History

Release	Modification
10.3	This command was introduced.
11.3(3)T	The log keyword was added.

Usage Guidelines

Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.

You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict the contents of routing updates.

Syntax Description

access-list-number	Number of an IP access list.
remark	Comment that describes the access list entry, up to 100 characters long.

Defaults

The access list entries have no remarks.

Command Modes

Global configuration

Command History

Release	Modification
12.0(2)T	This command was introduced.

Usage Guidelines

The remark can be up to 100 characters; anything longer is truncated.

Syntax Description

access-list-number	Access list number of the access list for which to clear the counters.
name	Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.

Command Modes

EXEC

Command History

Release	Modification
11.0	This command was introduced.

Usage Guidelines

Some access lists keep counters that count the number of packets that pass each line of an access list. The show access-lists command displays the counters as a number of matches. Use the clear access-list counters command to restart the counters for a particular access list to 0.

Examples

The following example clears the counters for access list 101:

clear access-list counters 101

Related Commands

Command	Description
show access-lists	Displays the contents of current IP and rate-limit access lists.

Syntax Description

checkpoint

(Optional) Clears the checkpointed database.

Command Modes

EXEC

Command History

Release	Modification
10.0	This command was introduced.

Usage Guidelines

You can also clear the checkpointed database by issuing the clear ip accounting command twice in succession.

Examples

The following example clears the active database when IP accounting is enabled:

clear ip accounting

Related Commands

Command	Description
ip accounting	Enables IP accounting on an interface.
ip accounting-list	Defines filters to control the hosts for which IP accounting information is kept.
ip accounting-threshold	Sets the maximum number of accounting entries to be created.
ip accounting-transits	Controls the number of transit records that are stored in the IP accounting database.
show ip accounting	Displays the active accounting or checkpointed database or displays access list violations.

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release	Modification
11.2 F	This command was introduced.

Examples

The following example clears all DRP statistics:

clear ip drp

Related Commands

Command	Description
ip drp access-group	Controls the sources of DRP queries to the DRP Server Agent.
ip drp authentication key-chain	Configures authentication on the DRP Server Agent for DistributedDirector.

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
11.3	This command was introduced.

Examples

The following example clears all TCP statistics:

clear tcp statistics

Related Commands

Command	Description
show tcp statistics	Displays TCP statistics.

Internet Control Message Protocol (ICMP)

For ICMP, you can also use the following syntax:

Internet Group Management Protocol (IGMP)

For IGMP, you can also use the following syntax:

Syntax Description

source	Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source: Use a 32-bit quantity in four-part, dotted-decimal format. Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
source-wildcard	Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
protocol	Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.
destination	Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: Use a 32-bit quantity in four-part, dotted-decimal format. Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
destination-wildcard	Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
precedence precedence	(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the "Usage Guidelines" section.
tos tos	(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the "Usage Guidelines" section of the access-list (extended) command.
log	(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
time-range time-range-name	(Optional) Name of the time range that applies to this deny statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
icmp-type	(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code	(Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message	(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the "Usage Guidelines" section of the access-list (extended) command.
igmp-type	(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (extended) command.
operator	(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.
port	(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.
established	(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

Defaults

There is no specific condition under which a packet is denied passing the named access list.

Command Modes

Access-list configuration

Command History

Release	Modification
11.2	This command was introduced.
12.0(1)T	The time-range time-range-name keyword and argument were added.

Usage Guidelines

Use this command following the ip access-list command to specify conditions under which a packet cannot pass the named access list.

The time-range option allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this deny statement is in effect.

Examples

The following example sets a deny condition for a standard access list named Internetfilter:

ip access-list standard Internetfilter
 deny 192.5.34.0  0.0.0.255
 permit 128.88.0.0  0.0.255.255
 permit 36.0.0.0  0.255.255.255
! (Note: all other access implicitly denied)
 

The following example denies HTTP traffic on Monday through Friday between the hours of 8:00 am and 6:00 p.m.:

time-range no-http
 periodic weekdays 8:00 to 18:00
!
ip access-list extended strict
 deny tcp any any eq http time-range no-http
!
interface ethernet 0
 ip access-group strict in

Related Commands

Command	Description
access-list (IP extended)	Defines an extended IP access list.
ip access-group	Controls access to an interface.
ip access-list	Defines an IP access list by name.
permit (IP)	Sets conditions under which a packet passes a named IP access list.
show ip access-list	Displays the contents of all current IP access lists.
time-range	Specifies when an access list or other feature is in effect.

Internet Control Message Protocol (ICMP)

For ICMP, you can also use the following syntax:

Internet Group Management Protocol (IGMP)

For IGMP, you can also use the following syntax:

Caution Named IP access lists will not be recognized by any software release prior to Cisco IOS Release 11.2.

Syntax Description

dynamic-name	Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.
timeout minutes	(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.
deny	Denies access if the conditions are matched.
permit	Permits access if the conditions are matched.
protocol	Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.
source	Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source: Use a 32-bit quantity in four-part, dotted-decimal format. Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
source-wildcard	Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
destination	Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: Use a 32-bit quantity in four-part, dotted-decimal format. Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
destination-wildcard	Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
precedence precedence	(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."
tos tos	(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."
log	(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
icmp-type	(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code	(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message	(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines."
igmp-type	(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."
operator	(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.
port	(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.
established	(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

Defaults

An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.

Command Modes

Access-list configuration

Command History

Release	Modification
11.2	This command was introduced.

Usage Guidelines

You can use named access lists to control the transmission of packets on an interface and restrict contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.

Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match against the TCP source port, the type of service value, or the packet's precedence.

Note   After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.

The following is a list of precedence names:

• critical

• flash

• flash-override

• immediate

• internet

• network

• priority

• routine

The following is a list of type of service names:

• max-reliability

• max-throughput

• min-delay

• min-monetary-cost

• normal

The following is a list of ICMP message type names and ICMP message type and code names:

• administratively-prohibited

• alternate-address

• conversion-error

• dod-host-prohibited

• dod-net-prohibited

• echo

• echo-reply

• general-parameter-problem

• host-isolated

• host-precedence-unreachable

• host-redirect

• host-tos-redirect

• host-tos-unreachable

• host-unknown

• host-unreachable

• information-reply

• information-request

• mask-reply

• mask-request

• mobile-redirect

• net-redirect

• net-tos-redirect

• net-tos-unreachable

• net-unreachable

• network-unknown

• no-room-for-option

• option-missing

• packet-too-big

• parameter-problem

• port-unreachable

• precedence-unreachable

• protocol-unreachable

• reassembly-timeout

• redirect

• router-advertisement

• router-solicitation

• source-quench

• source-route-failed

• time-exceeded

• timestamp-reply

• timestamp-request

• traceroute

• ttl-exceeded

• unreachable

The following is a list of IGMP message names:

• dvmrp

• host-query

• host-report

• pim

• trace

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

• bgp

• chargen

• daytime

• discard

• domain

• echo

• finger

• ftp

• ftp-data

• gopher

• hostname

• irc

• klogin

• kshell

• lpd

• nntp

• pop2

• pop3

• smtp

• sunrpc

• syslog

• tacacs-ds

• talk

• telnet

• time

• uucp

• whois

• www

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

• biff

• bootpc

• bootps

• discard

• dns

• dnsix

• echo

• mobile-ip

• nameserver

• netbios-dgm

• netbios-ns

• ntp

• rip

• snmp

• snmptrap

• sunrpc

• syslog

• tacacs-ds

• talk

• tftp

• time

• who

• xdmcp

Examples

The following example defines a dynamic access list named washington:

ip access-group washington in
!
ip access-list extended washington
 dynamic testlist timeout 5
 permit ip any any
 permit tcp any host 185.302.21.2 eq 23

Related Commands

Command	Description
clear access-template	Clears a temporary access list entry from a dynamic access list manually.
distribute-list in (IP)	Filters networks received in updates.
distribute-list out (IP)	Suppresses networks from being advertised in updates.
ip access-group	Controls access to an interface.
ip access-list	Defines an IP access list by name.
logging console	Limits messages logged to the console based on severity.
show access-lists	Displays the contents of current IP and rate-limit access lists.
show ip access-list	Displays the contents of all current IP access lists.

Syntax Description

number	Port numbers on which the forwarding agent will listen for wildcards broadcast from the services manager. This must match the port number defined on the services manager.
password	(Optional) Text password used for generating the MD5 digest.
timeout	(Optional) Duration in seconds during which the forwarding agent will accept the new and old password. Valid range is between 0 and 3600 seconds. The default is 180 seconds.

Defaults

The default password timeout is 180 seconds.

The default port for the services manager is 1637.

Command Modes

CASA-port configuration

Command History

Release	Modification
12.0(5)T	This command was introduced.

Examples

The following example specifies that the forwarding agent will listen for wildcard and fixed affinities on port 1637:

forwarding-agent 1637

Related Commands

Command	Description
show ip casa oper	Displays operational information about the forwarding agent.

Syntax Description

access-list-number	Number of an access list. This is a decimal number from 1 to 199 or from 1300 to 2699.
name	Name of an IP access list as specified by an ip access-list command.
in	Filters on inbound packets.
out	Filters on outbound packets.

Defaults

No access list is applied to the interface.

Command Modes

Interface configuration

Command History

Release	Modification
10.0	This command was introduced.
11.2	The name argument was added.

Usage Guidelines

For standard outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination access list. If the access list permits the address, the software sends the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.

If the specified access list does not exist, all packets are passed.

When you enable outbound access lists, you automatically disable autonomous switching for that interface.When you enable input access lists on any cBus or CxBus interface, you automatically disable autonomous switching for all interfaces (with one exception—an SSE configured with simple access lists can still switch packets, on output only).

Examples

The following example applies list 101 on packets outbound from Ethernet interface 0:

interface ethernet 0
 ip access-group 101 out

Related Commands

Command	Description
access-list (IP extended)	Defines an extended IP access list.
access-list (IP standard)	Defines a standard IP access list.
ip access-list	Defines an IP access list by name.
show access-lists	Displays the contents of current IP and rate-limit access lists.

Caution Named access lists will not be recognized by any software release prior to Cisco IOS Release 11.2.

Syntax Description

standard	Specifies a standard IP access list.
extended	Specifies an extended IP access list.
name	Name of the access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists.

Defaults

No named IP access list is defined.

Command Modes

Global configuration

Command History

Release	Modification
11.2	This command was introduced.

Usage Guidelines

Use this command to configure a named IP access list as opposed to a numbered IP access list. This command will take you into access-list configuration mode, where you must define the denied or permitted access conditions with the deny and permit commands.

Specifying the standard or extended keyword with the ip access-list command determines the prompt you get when you enter access-list configuration mode.

Use the ip access-group command to apply the access-list to an interface.

Named access lists are not compatible with Cisco IOS releases prior to Release 11.2.

Examples

The following example defines a standard access list named Internetfilter:

ip access-list standard Internetfilter
 permit 192.5.34.0  0.0.0.255
 permit 128.88.0.0  0.0.255.255
 permit 36.0.0.0  0.255.255.255
! (Note: all other access implicitly denied)

Related Commands

Command	Description
deny (IP)	Sets conditions for a named IP access list.
ip access-group	Controls access to an interface.
permit (IP)	Sets conditions for a named IP access list.
show ip access-list	Displays the contents of all current IP access lists.

Syntax Description

access-violations

(Optional) Enables IP accounting with the ability to identify IP traffic that fails IP access lists.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release	Modification
10.0	This command was introduced.
10.3	The access-violations keyword was added.

Usage Guidelines

The IP accounting command records the number of bytes (IP header and data) and packets switched through the system on a source and destination IP address basis. Only transit IP traffic is measured and only on an outbound basis; traffic generated by the router access server or terminating in this device is not included in the accounting statistics.

If you specify the access-violations keyword, the ip accounting command provides information identifying IP traffic that fails IP access lists. Identifying IP source addresses that violate IP access lists alerts you to possible attempts to breach security. The data might also indicate that you should verify IP access list configurations.

Statistics are accurate even if IP fast switching or IP access lists are being used on the interface.

IP accounting disables autonomous switching and SSE switching on the interface.

Examples

The following example enables IP accounting on Ethernet interface 0:

interface ethernet 0
 ip accounting
 

Related Commands

Command	Description
access-list (IP extended)	Defines an extended IP access list.
access-list (IP standard)	Defines a standard IP access list.
clear ip accounting	Clears the active or checkpointed database when IP accounting is enabled.
ip accounting-list	Defines filters to control the hosts for which IP accounting information is kept.
ip accounting-threshold	Sets the maximum number of accounting entries to be created.
ip accounting-transits	Controls the number of transit records that are stored in the IP accounting database.
show ip accounting	Displays the active accounting or checkpointed database or displays access list violations.

Syntax Description

ip-address	IP address in dotted-decimal format.
wildcard	Wildcard bits to be applied to the ip-address argument.

Defaults

No filters are defined.

Command Modes

Global configuration

Command History

Release	Modification
10.0	This command was introduced.

Usage Guidelines

The source and destination address of each IP datagram is logically ANDed with the wildcard bits and compared with the value of the ip-address argument. If there is a match, the information about the IP datagram will be entered into the accounting database. If there is no match, the IP datagram is considered a transit datagram and will be counted according to the setting of the ip accounting-transits global configuration command.

Examples

The following example adds all hosts with IP addresses beginning with 192.31 to the list of hosts for which accounting information will be kept:

ip accounting-list 192.31.0.0 0.0.255.255

Related Commands

Command	Description
clear ip accounting	Clears the active or checkpointed database when IP accounting is enabled.
ip accounting	Enables IP accounting on an interface.
ip accounting-threshold	Sets the maximum number of accounting entries to be created.
ip accounting-transits	Controls the number of transit records that are stored in the IP accounting database.
show ip accounting	Displays the active accounting or checkpointed database or displays access list violations.

Syntax Description

threshold

Maximum number of entries (source and destination address pairs) that the Cisco IOS software accumulates.

Defaults

The default maximum number of accounting entries is 512 entries.

Command Modes

Global configuration

Command History

Release	Modification
10.0	This command was introduced.

Usage Guidelines

The accounting threshold defines the maximum number of entries (source and destination address pairs) that the software accumulates, preventing IP accounting from possibly consuming all available free memory. This level of memory consumption could occur in a router that is switching traffic for many hosts. Overflows will be recorded; see the monitoring commands for display formats.

The default accounting threshold of 512 entries results in a maximum table size of 12,928 bytes. Active and checkpointed tables can reach this size independently.

Examples

The following example sets the IP accounting threshold to only 500 entries:

ip accounting-threshold 500

Related Commands

Command	Description
clear ip accounting	Clears the active or checkpointed database when IP accounting is enabled.
ip accounting	Enables IP accounting on an interface.
ip accounting-list	Defines filters to control the hosts for which IP accounting information is kept.
ip accounting-transits	Controls the number of transit records that are stored in the IP accounting database.
show ip accounting	Displays the active accounting or checkpointed database or displays access list violations.

Syntax Description

count

Number of transit records to store in the IP accounting database.

Defaults

The default number of transit records that are stored in the IP accounting database is 0.

Command Modes

Global configuration

Command History

Release	Modification
10.0	This command was introduced.

Usage Guidelines

Transit entries are those that do not match any of the filters specified by ip accounting-list global configuration commands. If no filters are defined, no transit entries are possible.

To maintain accurate accounting totals, the Cisco IOS software maintains two accounting databases: an active and a checkpointed database.

Examples

The following example specifies that no more than 100 transit records are stored:

ip accounting-transits 100

Related Commands

Command	Description
clear ip accounting	Clears the active or checkpointed database when IP accounting is enabled.
ip accounting	Enables IP accounting on an interface.
ip accounting-list	Defines filters to control the hosts for which IP accounting information is kept.
ip accounting-threshold	Sets the maximum number of accounting entries to be created.
show ip accounting	Displays the active accounting or checkpointed database or displays access list violations.

Syntax Description

control-address	IP address of the forwarding agent side of the services manager/forwarding agent tunnel used for sending signals. This address is unique for each forwarding agent.
igmp-address	IGMP address on which the forwarding agent will listen for wildcard and fixed affinities.

Defaults

No default behavior or values.

Command Modes

Global configuration

Command History

Release	Modification
12.0(5)T	This command was introduced.

Examples

The following example specifies the internet address (10.10.4.1) and IGMP address (224.0.1.2) for the forwarding agent:

ip-casa 10.10.4.1 224.0.1.2

Related Commands

Command	Description
forwarding-agent	Specifies the port on which the forwarding agent will listen for wildcard and fixed affinities.

Syntax Description

access-list-number

Number of a standard IP access list in the range 1 to 99 or from 1300 to 1999.

Defaults

The DRP Server Agent will answer all queries.

Command Modes

Global configuration

Command History

Release	Modification
11.2 F	This command was introduced.

Usage Guidelines

This command applies an access list to the interface, thereby controlling who can send queries to the DRP Server Agent.

If both an authentication key chain and an access group have been specified, both security measures must permit access before a request is processed.

Examples

The following example configures access list 1, which permits only queries from the host at 33.45.12.4:

access-list 1 permit 33.45.12.4
ip drp access-group 1

Related Commands

Command	Description
ip drp authentication key-chain	Configures authentication on the DRP Server Agent for DistributedDirector.
show ip drp	Displays information about the DRP Server Agent for DistributedDirector.

Syntax Description

name-of-chain

Name of the key chain containing one or more authentication keys.

Defaults

No authentication is configured for the DRP Server Agent.

Command Modes

Global configuration

Command History

Release	Modification
11.2 F	This command was introduced.

Usage Guidelines

When a key chain and key are configured, the key is used to authenticate all DRP requests and responses. The active key on the DRP Server Agent must match the active key on the primary agent. Use the key and key-string commands to configure the key.

Examples

The following example configures a key chain named ddchain:

ip drp authentication key-chain ddchain

Related Commands

Command	Description
accept-lifetime	Sets the time period during which the authentication key on a key chain is received as valid.
ip drp access-group	Controls the sources of DRP queries to the DRP Server Agent.
key	Identifies an authentication key on a key chain.
key chain	Enables authentication for routing protocols.
key-string (authentication)	Specifies the authentication string for a key.
send-lifetime	Sets the time period during which an authentication key on a key chain is valid to be sent.
show ip drp	Displays information about the DRP Server Agent for DistributedDirector.
show key chain	Displays authentication key information.

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release	Modification
11.2 F	This command was introduced.

Examples

The following example enables the DRP Server Agent:

ip drp server

Related Commands

Command	Description
ip drp access-group	Controls the sources of DRP queries to the DRP Server Agent.
ip drp authentication key-chain	Configures authentication on the DRP Server Agent for DistributedDirector.
show ip drp	Displays information about the DRP Server Agent for DistributedDirector.

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release	Modification
10.0	This command was introduced.

Examples

The following example enables the sending of ICMP Mask Reply messages on Ethernet interface 0:

interface ethernet 0
 ip address 131.108.1.0 255.255.255.0
 ip mask-reply

Syntax Description

bytes

MTU in bytes.

Defaults

Minimum is 128 bytes; maximum depends on interface medium.

Command Modes

Interface configuration

Command History

Release	Modification
10.0	This command was introduced.

Usage Guidelines

If an IP packet exceeds the MTU set for the interface, the Cisco IOS software will fragment it.

All devices on a physical medium must have the same protocol MTU in order to operate.

Note   Changing the MTU value (with the mtu interface configuration command) can affect the IP MTU value. If the current IP MTU value is the same as the MTU value, and you change the MTU value, the IP MTU value will be modified automatically to match the new MTU. However, the reverse is not true; changing the IP MTU value has no effect on the value for the mtu command.

Examples

The following example sets the maximum IP packet size for the first serial interface to 300 bytes:

interface serial 0
 ip mtu 300

Related Commands

Command	Description
mtu	Adjusts the maximum packet size or MTU size.

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled, unless Hot Standby Router Protocol is configured

Command Modes

Interface configuration

Command History

Release	Modification
10.0	This command was introduced.

Usage Guidelines

If the Hot Standby Router Protocol is configured on an interface, ICMP Redirect messages are disabled by default for the interface.

Examples

The following example enables the sending of ICMP Redirect messages on Ethernet interface 0:

interface ethernet 0
 ip redirects

Related Commands

Command	Description
ip default-gateway	Defines a default gateway (router) when IP routing is disabled.
show ip redirects	Displays the address of a default gateway (router) and the address of hosts for which an ICMP Redirect message has been received.

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled

Command Modes

Global configuration

Command History

Release	Modification
10.0	This command was introduced.

Examples

The following example enables the handling of IP datagrams with source routing header options:

ip source-route

Related Commands

Command	Description
ping (privileged)	Diagnoses basic network connectivity on Apollo, AppleTalk, Connectionless Network Service (CLNS), DECnet, IP, Novell IPX, VINES, or XNS networks.
ping (user)	Diagnoses basic network connectivity on AppleTalk, CLNS, IP, Novell, Apollo, VINES, DECnet, or XNS networks.

Syntax Description

characters

Maximum number of characters that Telnet or rlogin can read in one read instruction. The default value is 0, which Telnet and rlogin interpret as the largest possible 32-bit positive number.

Defaults

0, which Telnet and rlogin interpret as the largest possible 32-bit positive number.

Command Modes

Global configuration

Command History

Release	Modification
9.1	This command was introduced.

Usage Guidelines

It is unlikely you will need to change the default value.

Examples

The following example sets the maximum TCP read size to 64000 bytes:

ip tcp chunk-size 64000
 

Syntax Description

number

Number of TCP header compression connections the cache supports, in the range from 3 to 1000. The default is 32 connections (16 calls).

Defaults

The default number 32 connections.

Command Modes

Interface configuration

Command History

Release	Modification
10.0	This command was introduced.
12.0(7)T	For Frame Relay, PPP, and High-Level Data Link Control (HDLC) encapsulation, the maximum number of compression connections increased to 256. For Frame Relay, the maximum value is fixed, not configurable.

Usage Guidelines

You should configure one connection for each TCP connection through the specified interface.

Each connection sets up a compression cache entry, so you are in effect specifying the maximum number of cache entries and the size of the cache. Too few cache entries for the specified interface can lead to degraded performance, while too many cache entries can lead to wasted memory.

Note   Both ends of the serial connection must use the same number of cache entries.

Examples

The following example sets the first serial interface for header compression with a maximum of ten cache entries:

interface serial 0
 ip tcp header-compression
 ip tcp compression-connections 10

Related Commands

Command	Description
ip rtp header-compression	Enables RTP header compression.
ip tcp header-compression	Enables TCP header compression.
show ip rtp header-compression	Displays RTP header compression statistics.

Syntax Description

passive

(Optional) Compresses outgoing TCP packets only if incoming TCP packets on the same interface are compressed. If you do not specify the passive keyword, the Cisco IOS software compresses all traffic.

Defaults

Disabled

Command Modes

Interface configuration

Command History

Release	Modification
10.0	This command was introduced.

Usage Guidelines

When compression is enabled, fast switching is disabled. This means that fast interfaces like T1 can overload the router. Consider your network's traffic characteristics before using this command.

Examples

The following example sets the first serial interface for header compression with a maximum of ten cache entries:

interface serial 0
 ip tcp header-compression
 ip tcp compression-connections 10

Related Commands

Command	Description
ip tcp header-compression	Specifies the total number of header compression connections that can exist on an interface.

Syntax Description

age-timer minutes	(Optional) Time interval (in minutes) after which TCP re-estimates the Path MTU with a larger maximum segment size (MSS). The maximum is 30 minutes; the default is 10 minutes.
age-timer infinite	(Optional) Turns off the age-timer.

Defaults

Disabled. If enabled, default minutes is 10 minutes.

Command Modes

Interface configuration

Command History

Release	Modification
10.3	This command was introduced.
11.2	The following keywords were added: age-timer infinite

Usage Guidelines

Customers using TCP connections to move bulk data between systems on distinct subnets would benefit most by enabling this feature. This might include customers using RSRB with TCP encapsulation, STUN, X.25 Remote Switching (also known as XOT, or X.25 over TCP), and some protocol translation configurations.

The age timer is a time interval for how often TCP re-estimates the Path MTU with a larger MSS. By using the age timer, TCP Path MTU becomes a dynamic process. If MSS used for the connection is smaller than what the peer connection can handle, a larger MSS is tried every time the age timer expires. The discovery process is stopped when either the send MSS is as large as the peer negotiated, or the user has disabled the timer on the router. You can turn off the age-timer by setting it to infinite.

Examples

The following example enables Path MTU Discovery:

ip tcp path-mtu-discovery

Syntax Description

packets

Outgoing queue size of TCP packets. The default value is 5 segments if the connection has a TTY associated with it. If there is no TTY associated with it, the default value is 20 segments.

Defaults

The default value is 5 segments if the connection has a TTY associated with it. If there is no TTY associated with it, the default value is 20 segments.

Command Modes

Global configuration

Command History

Release	Modification
10.0	This command was introduced.

Usage Guidelines

Changing the default value changes the 5 segments, not the 20 segments.

Examples

The following example sets the maximum TCP outgoing queue to 10 packets:

ip tcp queuemax 10

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release	Modification
11.2 F	This command was introduced.

Usage Guidelines

TCP might not experience optimal performance if multiple packets are lost from one window of data. With the limited information available from cumulative acknowledgments, a TCP sender can learn about only one lost packet per round trip time. An aggressive sender could re-send packets early, but such re-sent segments might have already been successfully received.

TCP selective acknowledgment improves overall performance. The feature is used only when multiple packets drop from a TCP window. There is no performance impact when the feature is enabled but not used.

This command becomes effective only on new TCP connections opened after the feature is enabled.

Examples

The following example enables the router to send and receive TCP selective acknowledgments:

ip tcp selective-ack

Related Commands

Command	Description
ip tcp header-compression	Enables TCP header compression.

Syntax Description

seconds

Time in seconds the software waits while attempting to establish a TCP connection. It can be an integer from 5 to 300 seconds. The default is 30 seconds.

Defaults

The default time is 30 seconds.

Command Modes

Global configuration

Command History

Release	Modification
10.0	This command was introduced.

Usage Guidelines

In versions previous to Cisco IOS software 10.0, the system would wait a fixed 30 seconds when attempting to establish a TCP connection. If your network contains Public Switched Telephone Network (PSTN) dial-on-demand routing (DDR), the call setup time may exceed 30 seconds. This amount of time is not sufficient in networks that have dial-up asynchronous connections because it will affect your ability to Telnet over the link (from the router) if the link must be brought up. If you have this type of network, you might want to set this value to the UNIX value of 75.

Because this is a host parameter, it does not pertain to traffic going through the router, just for traffic originated at this device. Because UNIX has a fixed 75-second timeout, hosts are unlikely to see this problem.

Examples

The following example configures the Cisco IOS software to continue attempting to establish a TCP connection for 180 seconds:

ip tcp synwait-time 180

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled

Command Modes

Global configuration

Command History

Release	Modification
11.2 F	This command was introduced.

Usage Guidelines

Examples

The following example enables the router to send TCP timestamps:

ip tcp timestamp

Related Commands

Command	Description
ip tcp header-compression	Enables TCP header compression.

Syntax Description

bytes

Window size in bytes. The maximum is 65535 bytes. The default value is 2144 bytes.

Defaults

The default size is 2144 bytes.

Command Modes

Global configuration

Command History

Release	Modification
9.1	This command was introduced.

Usage Guidelines

Do not use this command unless you clearly understand why you want to change the default value.

If your TCP window size is set to 1000 bytes, for example, you could have 1 packet of 1000 bytes or 2 packets of 500 bytes, and so on. However, there is also a limit on the number of packets allowed in the window. There can be a maximum of 5 packets if the connection has TTY; otherwise there can be 20 packets.

Examples

The following example sets the TCP window size to 1000 bytes:

ip tcp window-size 1000

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled

Command Modes

Interface configuration

Command History

Release	Modification
10.0	This command was introduced.

Usage Guidelines

If the Cisco IOS software receives a nonbroadcast packet destined for itself that uses a protocol it does not recognize, it sends an ICMP Protocol Unreachable message to the source.

If the software receives a datagram that it cannot deliver to its ultimate destination because it knows of no route to the destination address, it replies to the originator of that datagram with an ICMP Host Unreachable message.

This command affects all kinds of ICMP unreachable messages.

Examples

The following example enables the generation of ICMP Unreachable messages, as appropriate, on an interface:

interface ethernet 0
 ip unreachables

Internet Control Message Protocol (ICMP)

For ICMP, you can also use the following syntax:

Internet Group Management Protocol (IGMP)

For IGMP, you can also use the following syntax:

Syntax Description

source	Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source: Use a 32-bit quantity in four-part, dotted-decimal format. Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
source-wildcard	Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255. Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
protocol	Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.
destination	Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination: Use a 32-bit quantity in four-part, dotted-decimal format. Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
destination-wildcard	Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard: Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255. Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
precedence precedence	(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."
tos tos	(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the "Usage Guidelines" section of the access-list (IP extended) command.
log	(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.) The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
time-range time-range-name	(Optional) Name of the time range that applies to this permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
icmp-type	(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code	(Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message	(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the "Usage Guidelines" section of the access-list (IP extended) command.
igmp-type	(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (IP extended) command.
operator	(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.
port	(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.
established	(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

Defaults

There are no specific conditions under which a packet passes the named access list.

Command Modes

Access-list configuration

Command History

Release	Modification
11.2	This command was introduced.
12.0(1)T	The time-range time-range-name keyword and argument were added.

Usage Guidelines

Use this command following the ip access-list command to define the conditions under which a packet passes the access list.

The time-range option allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this permit statement is in effect.

Examples

The following example sets conditions for a standard access list named Internetfilter:

ip access-list standard Internetfilter
 deny 192.5.34.0  0.0.0.255
 permit 128.88.0.0  0.0.255.255
 permit 36.0.0.0  0.255.255.255
! (Note: all other access implicitly denied)
 

The following example permits Telnet traffic on Mondays, Tuesdays, and Fridays between the hours of 9:00 am and 5:00 pm:

time-range testing
 periodic Monday Tuesday Friday 9:00 to 17:00
!
ip access-list extended legal
 permit tcp any any eq telnet time-range testing
!
interface ethernet 0
 ip access-group legal in

Related Commands

Command	Description
deny (IP)	Sets conditions under which a packet does not pass a named IP access list.
ip access-group	Controls access to an interface.
ip access-list	Defines an IP access list by name.
show ip access-list	Displays the contents of all current IP access lists.
time-range	Specifies when an access list or other feature is in effect.

Syntax Description

remark

Comment that describes the access-list entry, up to 100 characters long.

Defaults

The access list entries have no remarks.

Command Modes

Access-list configuration

Command History

Release	Modification
12.0(2)T	This command was introduced.

Usage Guidelines

The remark can be up to 100 characters; anything longer is truncated.

Syntax Description

access-list-number	(Optional) Number of the access list to display. The system displays all access lists by default.
name	(Optional) Name of the IP access list to display.

Defaults

The system displays all access lists.

Command Modes

Privileged EXEC

Command History

Release	Modification
10.0	This command was introduced.

Examples

The following is sample output from the show access-lists command when access list 101 is specified:

Router# show access-lists 101
Extended IP access list 101
    permit tcp host 198.92.32.130 any established (4304 matches)
    permit udp host 198.92.32.130 any eq domain (129 matches)
    permit icmp host 198.92.32.130 any
    permit tcp host 198.92.32.130 host 171.69.2.141 gt 1023
    permit tcp host 198.92.32.130 host 171.69.2.135 eq smtp (2 matches)
    permit tcp host 198.92.32.130 host 198.92.30.32 eq smtp
    permit tcp host 198.92.32.130 host 171.69.108.33 eq smtp
    permit udp host 198.92.32.130 host 171.68.225.190 eq syslog
    permit udp host 198.92.32.130 host 171.68.225.126 eq syslog
    deny   ip 150.136.0.0 0.0.255.255 224.0.0.0 15.255.255.255
    deny   ip 171.68.0.0 0.1.255.255 224.0.0.0 15.255.255.255 (2 matches)
    deny   ip 172.24.24.0 0.0.1.255 224.0.0.0 15.255.255.255
    deny   ip 192.82.152.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny   ip 192.122.173.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny   ip 192.122.174.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny   ip 192.135.239.0 0.0.0.255 224.0.0.0 15.255.255.255
    deny   ip 192.135.240.0 0.0.7.255 224.0.0.0 15.255.255.255
    deny   ip 192.135.248.0 0.0.3.255 224.0.0.0 15.255.255.255
    deny   ip 192.150.42.0 0.0.0.255 224.0.0.0 15.255.255.255
 

An access list counter counts how many packets are allowed by each line of the access list. This number is displayed as the number of matches.

For information on how to configure access lists, refer to the "Configuring IP Services" chapter of the Cisco IOS IP and IP Routing Configuration Guide.

For information on how to configure dynamic access lists, refer to the "Traffic Filtering and Firewalls" chapter of the Cisco IOS Security Configuration Guide.

Related Commands

Command	Description
access-list (IP extended)	Defines an extended IP access list.
access-list (IP standard)	Defines a standard IP access list.
clear access-list counters	Clears the counters of an access list.
clear access-template	Clears a temporary access list entry from a dynamic access list manually.
ip access-list	Defines an IP access list by name.
show ip access-list	Displays the contents of all current IP access lists.

Syntax Description

access-list-number	(Optional) Number of the IP access list to display.
name	(Optional) Name of the IP access list to display.

Defaults

Displays all standard and extended IP access lists.

Command Modes

EXEC

Command History

Release	Modification
10.3	This command was introduced.

Usage Guidelines

The show ip access-list command provides output identical to the show access-lists command, except that it is IP-specific and allows you to specify a particular access list.

Examples

The following is sample output from the show ip access-list command when all are requested:

Router# show ip access-list
 
Extended IP access list 101
					 	 	 deny udp any any eq ntp
					 	 	 permit tcp any any
					 	 	 permit udp any any eq tftp
					 	 	 permit icmp any any
					 	 	 permit udp any any eq domain
 

The following is sample output from the show ip access-list command when the name of a specific access list is requested:

Router# show ip access-list Internetfilter
Extended IP access list Internetfilter
    permit tcp any 171.69.0.0 0.0.255.255 eq telnet
    deny tcp any any
    deny udp any 171.69.0.0 0.0.255.255 lt 1024
    deny ip any any log

Syntax Description

checkpoint	(Optional) Indicates that the checkpointed database should be displayed.
output-packets	(Optional) Indicates that information pertaining to packets that passed access control and were successfully routed should be displayed. If neither the output-packets nor access-violations keyword is specified, output-packets is the default.
access-violations	(Optional) Indicates that information pertaining to packets that failed access lists and were not routed should be displayed. If neither the output-packets nor access-violations keyword is specified, output-packets is the default.

Defaults

If neither the output-packets nor access-violations keyword is specified, show ip accounting displays information pertaining to packets that passed access control and were successfully routed.

Command Modes

EXEC

Command History

Release	Modification
10.0	This command was introduced.
10.3	The following keywords were added: output-packets access-violations

Usage Guidelines

If you do not specify any keywords, the show ip accounting command displays information about the active accounting database.

To display IP access violations, you must give the access-violations keyword on the command. If you do not specify the keyword, the command defaults to displaying the number of packets that have passed access lists and were routed.

To use this command, you must first enable IP accounting on a per-interface basis.

Examples

The following is sample output from the show ip accounting command:

Router# show ip accounting
 
   Source           Destination              Packets               Bytes     
 131.108.19.40    192.67.67.20                     7                 306
 131.108.13.55    192.67.67.20                    67                2749
 131.108.2.50     192.12.33.51                    17                1111
 131.108.2.50     130.93.2.1                       5                 319
 131.108.2.50     130.93.1.2                     463               30991
 131.108.19.40    130.93.2.1                       4                 262
 131.108.19.40    130.93.1.2                      28                2552
 131.108.20.2     128.18.6.100                    39                2184
 131.108.13.55    130.93.1.2                      35                3020
 131.108.19.40    192.12.33.51                  1986               95091
 131.108.2.50     192.67.67.20                   233               14908
 131.108.13.28    192.67.67.53                   390               24817
 131.108.13.55    192.12.33.51                214669             9806659
 131.108.13.111   128.18.6.23                  27739             1126607
 131.108.13.44    192.12.33.51                 35412             1523980
 192.31.7.21      130.93.1.2                      11                 824
 131.108.13.28    192.12.33.2                     21                1762
 131.108.2.166    192.31.7.130                   797              141054
 131.108.3.11     192.67.67.53                     4                 246
 192.31.7.21      192.12.33.51                 15696              695635
 192.31.7.24      192.67.67.20                    21                 916
 131.108.13.111   128.18.10.1                     16                1137
 

Router# show ip accounting access-violations
 
   Source           Destination      Packets        Bytes        ACL
131.108.19.40    192.67.67.20              7          306         77
131.108.13.55    192.67.67.20             67         2749        185
131.108.2.50     192.12.33.51             17         1111        140
131.108.2.50     130.93.2.1                5          319        140
131.108.19.40    130.93.2.1                4          262         77
Accounting data age is 41
 

Related Commands

Command	Description
clear ip accounting	Clears the active or checkpointed database when IP accounting is enabled.
ip accounting	Enables IP accounting on an interface.
ip accounting-list	Defines filters to control the hosts for which IP accounting information is kept.
ip accounting-threshold	Sets the maximum number of accounting entries to be created.
ip accounting-transits	Controls the number of transit records that are stored in the IP accounting database.

Syntax Description

stats	(Optional) Displays limited statistics.
saddr ipaddr	(Optional) Displays source address of a given TCP connection.
detail	(Optional) Displays detailed statistics.
daddr ipaddr	(Optional) Displays destination address of a given TCP connection.
sport sport	(Optional) Displays source port of a given TCP connection.
dport dport	(Optional) Displays destination port of a given TCP connection.
protocol protocol	(Optional) Displays protocol of a given TCP connection.

Command Modes

EXEC

Command History

Release	Modification
12.0(5)T	This command was introduced.

Examples

The following is sample output of the show ip casa affinities command:

Router# show ip casa affinities
 
                        Affinity Table
Source Address  Port  Dest Address    Port  Prot
161.44.36.118   1118  172.26.56.13    19    TCP 
172.26.56.13    19    161.44.36.118   1118  TCP 
 

The following is sample output of the show ip casa affinities detail command:

Router# show ip casa affinities detail 
 
                        Affinity Table
Source Address  Port  Dest Address    Port  Prot
161.44.36.118   1118  172.26.56.13    19    TCP 
  Action Details:
    Interest Addr:          172.26.56.19      Interest Port: 1638
    Interest Packet: 0x0102 SYN FRAG 
    Interest Tickle: 0x0005 FIN RST 
    Dispatch (Layer 2):     YES               Dispatch Address: 172.26.56.33
 
Source Address  Port  Dest Address    Port  Prot
172.26.56.13    19    161.44.36.118   1118  TCP 
  Action Details:
    Interest Addr:          172.26.56.19      Interest Port: 1638
    Interest Packet: 0x0104 RST FRAG
    Interest Tickle: 0x0003 FIN SYN
    Dispatch (Layer 2):     NO                Dispatch Address: 0.0.0.0

Related Commands

Command	Description
forwarding-agent	Specifies the port on which the forwarding agent will listen for wildcard and fixed affinities.
show ip casa oper	Displays operational information about the forwarding agent.

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release	Modification
12.0(5)T	This command was introduced.

Examples

The following is sample output of the show ip casa oper command:

Router# show ip casa oper
 
Casa is Active
  Casa control address is 206.10.20.34/32
  Casa multicast address is 224.0.1.2
  Listening for wildcards on:
    Port:1637
      Current passwd:NONE Pending passwd:NONE
      Passwd timeout:180 sec (Default)

Related Commands

Command	Description
show ip casa oper	Displays operational information about the forwarding agent.

Syntax Description

This command has no arguments or keywords.

Command Modes

EXEC

Command History

Release	Modification
12.0(5)T	This command was introduced.

Examples

The following is sample output of the show ip casa stats command:

Router# show ip casa stats
 
Casa is active:
  Wildcard Stats:
    Wildcards:       6           Max Wildcards:    6          
    Wildcard Denies: 0           Wildcard Drops:   0          
    Pkts Throughput: 441         Bytes Throughput: 39120      
  Affinity Stats:
    Affinities:      2           Max Affinities:   2          
    Cache Hits:      444         Cache Misses:     0          
    Affinity Drops:  0          
  Casa Stats:
    Int Packet:      4           Int Tickle:       0          
    Casa Denies:     0           Drop Count:       0

Related Commands

Command	Description
show ip casa oper	Displays operational information about the forwarding agent.

Syntax Description

detail

(Optional) Displays detailed statistics.

Command Modes

EXEC

Command History

Release	Modification
12.0(5)T	This command was introduced.

Examples

The following is sample output of the show ip casa wildcard command:

Router# show ip casa wildcard
 
Source Address  Source Mask     Port  Dest Address    Dest Mask       Port  Prot
0.0.0.0         0.0.0.0         0     172.26.56.2     255.255.255.255 0     ICMP
0.0.0.0         0.0.0.0         0     172.26.56.2     255.255.255.255 0     TCP 
0.0.0.0         0.0.0.0         0     172.26.56.13    255.255.255.255 0     ICMP
0.0.0.0         0.0.0.0         0     172.26.56.13    255.255.255.255 0     TCP 
172.26.56.2     255.255.255.255 0     0.0.0.0         0.0.0.0         0     TCP 
172.26.56.13    255.255.255.255 0     0.0.0.0         0.0.0.0         0     TCP 

The following is sample output of the show ip casa wildcard detail command:

router# show ip casa wildcard detail
Source Address  Source Mask     Port  Dest Address    Dest Mask       Port  Prot
0.0.0.0         0.0.0.0         0     172.26.56.2     255.255.255.255 0     ICMP
  Service Manager Details:
    Manager Addr:           172.26.56.19      Insert Time: 08:21:27 UTC 04/18/96
  Affinity Statistics:
    Affinity Count:         0                 Interest Packet Timeouts: 0
  Packet Statistics:
    Packets:                0                 Bytes: 0              
  Action Details:
    Interest Addr:          172.26.56.19      Interest Port: 1638
    Interest Packet: 0x8000 ALLPKTS
    Interest Tickle: 0x0107 FIN SYN RST FRAG 
    Dispatch (Layer 2):     NO                Dispatch Address: 0.0.0.0        
    Advertise Dest Address: YES               Match Fragments:  NO 
 
Source Address  Source Mask     Port  Dest Address    Dest Mask       Port  Prot
0.0.0.0         0.0.0.0         0     172.26.56.2     255.255.255.255 0     TCP 
  Service Manager Details:
    Manager Addr:           172.26.56.19      Insert Time: 08:21:27 UTC 04/18/96
  Affinity Statistics:
    Affinity Count:         0                 Interest Packet Timeouts: 0
  Packet Statistics:
    Packets:                0                 Bytes: 0              
  Action Details:
    Interest Addr:          172.26.56.19      Interest Port: 1638
    Interest Packet: 0x8102 SYN FRAG ALLPKTS
    Interest Tickle: 0x0005 FIN RST 
    Dispatch (Layer 2):     NO                Dispatch Address: 0.0.0.0        
    Advertise Dest Address: YES               Match Fragments:  NO 

Note   If a filter is not set, the filter is not active.