cc/td/doc/product/software/ios121/121sup/121csum1
hometocprevnextglossaryfeedbacksearchhelp
PDF

Table of Contents

IP Services Commands

IP Services Commands

This chapter explains the function and syntax of the IP services commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Cisco IOS IP and IP Routing Command Reference, Release 12.1.

access-class

To restrict incoming and outgoing connections between a particular virtual terminal line (into a Cisco device) and the addresses in an access list, use the access-class line configuration command. To remove access restrictions, use the no form of this command.

access-class access-list-number {in | out}

no access-class access-list-number {in | out}

Syntax Description

access-list-number

Number of an IP access list. This is a decimal number from 1 to 199 or from 1300 to 2699.

in

Restricts incoming connections between a particular Cisco device and the addresses in the access list.

out

Restricts outgoing connections between a particular Cisco device and the addresses in the access list.

access-list (IP extended)

To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access lists, use the no form of this command.

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name]

no access-list access-list-number

Internet Control Message Protocol (ICMP)

For ICMP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name]

Internet Group Management Protocol (IGMP)

For IGMP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name]

Transmission Control Protocol (TCP)

For TCP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [time-range time-range-name]

User Datagram Protocol (UDP)

For UDP, you can also use the following syntax:

access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range time-range-name]

Syntax Description

access-list-number

Number of an access list. This is a decimal number from 100 to 199.

dynamic dynamic-name

(Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the chapter "Configuring Lock-and-Key Security (Dynamic Access Lists)" in the Cisco IOS Security Configuration Guide.

timeout minutes

(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the chapter "Configuring Lock-and-Key Security (Dynamic Access Lists)" in the Cisco IOS Security Configuration Guide.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the keyword ip. Some protocols allow further qualifiers described below.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

time-range time-range-name

(Optional) Name of the time range that applies to this statement. The name of the time range and its restrictions are specified by the time-range command.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines."

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names are listed in the section "Usage Guidelines." TCP port names can only be used when filtering TCP. UDP port names are listed in the section "Usage Guidelines." UDP port names can only be used when filtering UDP.

TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

access-list (IP standard)

To define a standard IP access list, use the standard version of the access-list global configuration command. To remove a standard access lists, use the no form of this command.

access-list access-list-number {deny | permit} source [source-wildcard] [log]

no access-list access-list-number

Caution Enhancements to this command are backward compatible; migrating from releases prior to Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images.

Syntax Description

access-list-number

Number of an access list. This is a decimal number from 1 to 99 or from 1300 to 1999.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

source

Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

source-wildcard

(Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

access-list remark

To write a helpful comment (remark) for an entry in a numbered IP access list, use the access-list remark global configuration command. To remove the remark, use the no form of this command.

access-list access-list-number remark remark

no access-list access-list-number remark remark

Syntax Description

access-list-number

Number of an IP access list.

remark

Comment that describes the access list entry, up to 100 characters long.

clear access-list counters

To clear the counters of an access list, use the clear access-list counters EXEC command.

clear access-list counters {access-list-number | name}

Syntax Description

access-list-number

Access list number of the access list for which to clear the counters.

name

Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.

clear ip accounting

To clear the active or checkpointed database when IP accounting is enabled, use the clear ip accounting EXEC command.

clear ip accounting [checkpoint]

Syntax Description

checkpoint

(Optional) Clears the checkpointed database.

clear ip drp

To clear all statistics being collected on Director Response Protocol (DRP) requests and replies, use the clear ip drp EXEC command.

clear ip drp

Syntax Description

This command has no arguments or keywords.

clear tcp statistics

To clear TCP statistics, use the clear tcp statistics priveleged EXEC command.

clear tcp statistics

Syntax Description

This command has no arguments or keywords.

deny (IP)

To set conditions for a named IP access list, use the deny access-list configuration command. To remove a deny condition from an access list, use the no form of this command.

deny source [source-wildcard]

no deny source [source-wildcard]

deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name]

no deny protocol source source-wildcard destination destination-wildcard

Internet Control Message Protocol (ICMP)

For ICMP, you can also use the following syntax:

deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name]

Internet Group Management Protocol (IGMP)

For IGMP, you can also use the following syntax:

deny igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name]

Transmission Control Protocol (TCP)

For TCP, you can also use the following syntax:

deny tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [time-range time-range-name]

User Datagram Protocol (UDP)

For UDP, you can also use the following syntax:

deny udp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range time-range-name]

Syntax Description

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the "Usage Guidelines" section.

tos tos

(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the "Usage Guidelines" section of the access-list (extended) command.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

time-range time-range-name

(Optional) Name of the time range that applies to this deny statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the "Usage Guidelines" section of the access-list (extended) command.

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (extended) command.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

dynamic

To define a named dynamic IP access list, use the dynamic access-list configuration command. To remove the access lists, use the no form of this command.

dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]

no dynamic dynamic-name

Internet Control Message Protocol (ICMP)

For ICMP, you can also use the following syntax:

dynamic dynamic-name [timeout minutes] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

Internet Group Management Protocol (IGMP)

For IGMP, you can also use the following syntax:

dynamic dynamic-name [timeout minutes] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log]

Transmission Control Protocol (TCP)

For TCP, you can also use the following syntax:

dynamic dynamic-name [timeout minutes] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log]

User Datagram Protocol (UDP)

For UDP, you can also use the following syntax:

dynamic dynamic-name [timeout minutes] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log]

Caution Named IP access lists will not be recognized by any software release prior to Cisco IOS Release 11.2.

Syntax Description

dynamic-name

Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the chapter "Configuring Lock-and-Key Security (Dynamic Access Lists)" in the Cisco IOS Security Configuration Guide.

timeout minutes

(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the chapter "Configuring Lock-and-Key Security (Dynamic Access Lists)" in the Cisco IOS Security Configuration Guide.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines."

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

forwarding-agent

To specify the port on which the forwarding agent will listen for wildcard and fixed affinities, use the forwarding-agent CASA-port configuration command. Use the no form of the command to disable listening on that port.

forwarding-agent number [password [timeout]]

no forwarding-agent

Syntax Description

number

Port numbers on which the forwarding agent will listen for wildcards broadcast from the services manager. This must match the port number defined on the services manager.

password

(Optional) Text password used for generating the MD5 digest.

timeout

(Optional) Duration in seconds during which the forwarding agent will accept the new and old password. Valid range is between 0 and 3600 seconds. The default is 180 seconds.

ip access-group

To control access to an interface, use the ip access-group interface configuration command. To remove the specified access group, use the no form of this command.

ip access-group {access-list-number | name}{in | out}

no ip access-group {access-list-number | name}{in | out}

Syntax Description

access-list-number

Number of an access list. This is a decimal number from 1 to 199 or from 1300 to 2699.

name

Name of an IP access list as specified by an ip access-list command.

in

Filters on inbound packets.

out

Filters on outbound packets.

ip access-list

To define an IP access list by name, use the ip access-list global configuration command. To remove a named IP access lists, use the no form of this command.

ip access-list {standard | extended} name

no ip access-list {standard | extended} name

Caution Named access lists will not be recognized by any software release prior to Cisco IOS Release 11.2.

Syntax Description

standard

Specifies a standard IP access list.

extended

Specifies an extended IP access list.

name

Name of the access list. Names cannot contain a space or quotation mark, and must begin with an alphabetic character to prevent ambiguity with numbered access lists.

ip accounting

To enable IP accounting on an interface, use the ip accounting interface configuration command. To disable IP accounting, use the no form of this command.

ip accounting [access-violations]

no ip accounting [access-violations]

Syntax Description

access-violations

(Optional) Enables IP accounting with the ability to identify IP traffic that fails IP access lists.

ip accounting-list

To define filters to control the hosts for which IP accounting information is kept, use the ip accounting-list global configuration command. To remove a filter definition, use the no form of this command.

ip accounting-list ip-address wildcard

no ip accounting-list ip-address wildcard

Syntax Description

ip-address

IP address in dotted-decimal format.

wildcard

Wildcard bits to be applied to the ip-address argument.

ip accounting-threshold

To set the maximum number of accounting entries to be created, use the ip accounting-threshold global configuration command. To restore the default number of entries, use the no form of this command.

ip accounting-threshold threshold

no ip accounting-threshold threshold

Syntax Description

threshold

Maximum number of entries (source and destination address pairs) that the Cisco IOS software accumulates.

ip accounting-transits

To control the number of transit records that are stored in the IP accounting database, use the ip accounting-transits global configuration command. To return to the default number of records, use the no form of this command.

ip accounting-transits count

no ip accounting-transits

Syntax Description

count

Number of transit records to store in the IP accounting database.

ip casa

To configure the router to function as a forwarding agent, use the ip casa global configuration command. Use the no form of the command to disable the forwarding agent.

ip casa control-address igmp-address

no ip casa

Syntax Description

control-address

IP address of the forwarding agent side of the services manager/forwarding agent tunnel used for sending signals. This address is unique for each forwarding agent.

igmp-address

IGMP address on which the forwarding agent will listen for wildcard and fixed affinities.

ip drp access-group

To control the sources of Director Response Protocol (DRP) queries to the DRP Server Agent, use the ip drp access-group global configuration command. To remove the access list, use the no form of this command.

ip drp access-group access-list-number

no ip drp access-group access-list-number

Syntax Description

access-list-number

Number of a standard IP access list in the range from 1 to 99 or from 1300 to 1999.

ip drp authentication key-chain

To configure authentication on the Director Response Protocol (DRP) Server Agent for Distributed Director, use the ip drp authentication key-chain global configuration command. To remove the key chain, use the no form of this command.

ip drp authentication key-chain name-of-chain

no ip drp authentication key-chain name-of-chain

Syntax Description

name-of-chain

Name of the key chain containing one or more authentication keys.

ip drp server

To enable the Director Response Protocol (DRP) Server Agent that works with DistributedDirector, use the ip drp server global configuration command. To disable the DRP Server Agent, use the no form of this command.

ip drp server

no ip drp server

Syntax Description

This command has no arguments or keywords.

ip mask-reply

To have the Cisco IOS software respond to Internet Control Message Protocol (ICMP) mask requests by sending ICMP Mask Reply messages, use the ip mask-reply interface configuration command. To disable this function, use the no form of this command.

ip mask-reply

no ip mask-reply

Syntax Description

This command has no arguments or keywords.

ip mtu

To set the maximum transmission unit (MTU) size of IP packets sent on an interface, use the ip mtu interface configuration command. To restore the default MTU size, use the no form of this command.

ip mtu bytes

no ip mtu

Syntax Description

bytes

MTU in bytes.

ip redirects

To enable the sending of Internet Control Message Protocol (ICMP) Redirect messages if the Cisco IOS software is forced to resend a packet through the same interface on which it was received, use the ip redirects interface configuration command. To disable the sending of redirect messages, use the no form of this command.

ip redirects

no ip redirects

Syntax Description

This command has no arguments or keywords.

ip source-route

To allow the Cisco IOS software to handle IP datagrams with source routing header options, use the ip source-route global configuration command. To have the software discard any IP datagram containing a source-route option, use the no form of this command.

ip source-route

no ip source-route

Syntax Description

This command has no arguments or keywords.

ip tcp chunk-size

To alter the TCP maximum read size for Telnet or rlogin, use the ip tcp chunk-size global configuration command. To restore the default value, use the no form of this command.

ip tcp chunk-size characters

no ip tcp chunk-size

Syntax Description

characters

Maximum number of characters that Telnet or rlogin can read in one read instruction. The default value is 0, which Telnet and rlogin interpret as the largest possible 32-bit positive number.

ip tcp compression-connections

To specify the total number of TCP header compression connections that can exist on an interface, use the ip tcp compression-connections interface configuration command. To restore the default, use the no form of this command.

ip tcp compression-connections number

no ip tcp compression-connections number

Syntax Description

number

Number of TCP header compression connections the cache supports, in the range from 3 to 1000. The default is 32 connections (16 calls).

ip tcp header-compression

To enable TCP header compression, use the ip tcp header-compression interface configuration command. To disable compression, use the no form of this command.

ip tcp header-compression [passive]

no ip tcp header-compression [passive]

Syntax Description

passive

(Optional) Compresses outgoing TCP packets only if incoming TCP packets on the same interface are compressed. If you do not specify the passive keyword, the Cisco IOS software compresses all traffic.

ip tcp path-mtu-discovery

To enable Path MTU Discovery for all new TCP connections from the router, use the ip tcp path-mtu-discovery interface configuration command. To disable the function, use the no form of this command.

ip tcp path-mtu-discovery [age-timer {minutes | infinite}]

no ip tcp path-mtu-discovery [age-timer {minutes | infinite}]

Syntax Description

age-timer minutes

(Optional) Time interval (in minutes) after which TCP re-estimates the Path MTU with a larger maximum segment size (MSS). The maximum is 30 minutes; the default is 10 minutes.

age-timer infinite

(Optional) Turns off the age-timer.

ip tcp queuemax

To alter the maximum TCP outgoing queue per connection, use the ip tcp queuemax global configuration command. To restore the default value, use the no form of this command.

ip tcp queuemax packets

no ip tcp queuemax

Syntax Description

packets

Outgoing queue size of TCP packets. The default value is 5 segments if the connection has a TTY associated with it. If there is no TTY associated with it, the default value is 20 segments.

ip tcp selective-ack

To enable TCP selective acknowledgment, use the ip tcp selective-ack global configuration command. To disable TCP selective acknowledgment, use the no form of this command.

ip tcp selective-ack

no ip tcp selective-ack

Syntax Description

This command has no arguments or keywords.

ip tcp synwait-time

To set a period of time the Cisco IOS software waits while attempting to establish a TCP connection before it times out, use the ip tcp synwait-time global configuration command. To restore the default time, use the no form of this command.

ip tcp synwait-time seconds

no ip tcp synwait-time seconds

Syntax Description

seconds

Time in seconds the software waits while attempting to establish a TCP connection. It can be an integer from 5 to 300 seconds. The default is 30 seconds.

ip tcp timestamp

To enable TCP time stamp, use the ip tcp timestamp global configuration command. To disable TCP timestamp, use the no form of this command.

ip tcp timestamp

no ip tcp timestamp

Syntax Description

This command has no arguments or keywords.

ip tcp window-size

To alter the TCP window size, use the ip tcp window-size global configuration command. To restore the default value, use the no form of this command.

ip tcp window-size bytes

no ip tcp window-size

Syntax Description

bytes

Window size in bytes. The maximum is 65535 bytes. The default value is 2144 bytes.

ip unreachables

To enable the generation of Internet Control Message Protocol (ICMP) Unreachable messages, use the ip unreachables interface configuration command. To disable this function, use the no form of this command.

ip unreachables

no ip unreachables

Syntax Description

This command has no arguments or keywords.

permit (IP)

To set conditions for a named IP access list, use the permit access-list configuration command. To remove a condition from an access list, use the no form of this command.

permit source [source-wildcard]

no permit source [source-wildcard]

permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name]

no permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name]

Internet Control Message Protocol (ICMP)

For ICMP, you can also use the following syntax:

permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name]

Internet Group Management Protocol (IGMP)

For IGMP, you can also use the following syntax:

permit igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name]

Transmission Control Protocol (TCP)

For TCP, you can also use the following syntax:

permit tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [time-range time-range-name]

User Datagram Protocol (UDP)

For UDP, you can also use the following syntax:

permit udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range time-range-name]

Syntax Description

source

Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

protocol

Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.

destination

Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

  • Use a 32-bit quantity in four-part, dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

tos tos

(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the "Usage Guidelines" section of the access-list (IP extended) command.

log

(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

time-range time-range-name

(Optional) Name of the time range that applies to this permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.

icmp-type

(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

(Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the "Usage Guidelines" section of the access-list (IP extended) command.

igmp-type

(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (IP extended) command.

operator

(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

remark

To write a helpful comment (remark) for an entry in a named IP access list, use the remark access-list configuration command. To remove the remark, use the no form of this command.

remark remark

no remark remark

Syntax Description

remark

Comment that describes the access-list entry, up to 100 characters long.

show access-lists

To display the contents of current access lists, use the show access-lists privileged EXEC command.

show access-lists [access-list-number | name]

Syntax Description

access-list-number

(Optional) Number of the access list to display. The system displays all access lists by default.

name

(Optional) Name of the IP access list to display.

show ip access-list

To display the contents of all current IP access lists, use the show ip access-list EXEC command.

show ip access-list [access-list-number | name]

Syntax Description

access-list-number

(Optional) Number of the IP access list to display.

name

(Optional) Name of the IP access list to display.

show ip accounting

To display the active accounting or checkpointed database or to display access list violations, use the show ip accounting EXEC command.

show ip accounting [checkpoint] [output-packets | access-violations]

Syntax Description

checkpoint

(Optional) Indicates that the checkpointed database should be displayed.

output-packets

(Optional) Indicates that information pertaining to packets that passed access control and were successfully routed should be displayed. If neither the output-packets nor access-violations keyword is specified, output-packets is the default.

access-violations

(Optional) Indicates that information pertaining to packets that failed access lists and were not routed should be displayed. If neither the output-packets nor access-violations keyword is specified, output-packets is the default.

show ip casa affinities

To display statistics about affinities, use the show ip casa affinities EXEC command.

show ip casa affinities [stats] | [saddr ipaddr [detail]] | [daddr ipaddr [detail]] | sport sport [detail]] | dport dport [detail]] | protocol protocol [detail]]

Syntax Description

stats

(Optional) Displays limited statistics.

saddr ipaddr

(Optional) Displays source address of a given TCP connection.

detail

(Optional) Displays detailed statistics.

daddr ipaddr

(Optional) Displays destination address of a given TCP connection.

sport sport

(Optional) Displays source port of a given TCP connection.

dport dport

(Optional) Displays destination port of a given TCP connection.

protocol protocol

(Optional) Displays protocol of a given TCP connection.

show ip casa oper

To display operational information about the forwarding agent, use the show ip casa oper EXEC command.

show ip casa oper

Syntax Description

This command has no arguments or keywords.

show ip casa stats

To display statistical information about the forwarding agent, use the show ip casa stats EXEC command.

show ip casa stats

Syntax Description

This command has no arguments or keywords.

show ip casa wildcard

To display information about wildcard blocks, use the show ip casa wildcard EXEC command.

show ip casa wildcard [detail]

Syntax Description

detail

(Optional) Displays detailed statistics.

show ip drp

To display information about the Director Response Protocol (DRP) Server Agent for DistributedDirector, use the show ip drp EXEC command.

show ip drp

Syntax Description

This command has no arguments or keywords.

show ip redirects

To display the address of a default gateway (router) and the address of hosts for which an Internet Control Message Protocol (ICMP) Redirect message has been received, use the show ip redirects EXEC command.

show ip redirects

Syntax Description

This command has no arguments or keywords.

show ip tcp header-compression

To display statistics about TCP header compression, use the show ip tcp header-compression EXEC command.

show ip tcp header-compression

Syntax Description

This command has no arguments or keywords.

show ip traffic

To display statistics about IP traffic, use the show ip traffic EXEC command.

show ip traffic

Syntax Description

This command has no arguments or keywords.

show standby

To display Hot Standby Router Protocol (HSRP) information, use the show standby EXEC command.

show standby [type number [group]] [brief]

Syntax Description

type number

(Optional) Interface type and number for which output is displayed.

group

(Optional) Group number on the interface for which output is displayed.

brief

(Optional) A single line of output summarizes each standby group.

show tcp statistics

To display TCP statistics, use the show tcp statistics EXEC command.

show tcp statistics

Syntax Description

This command has no arguments or keywords.

standby authentication

To configure an authentication string for the Hot Standby Router Protocol (HSRP), use the standby authentication interface configuration command. To delete an authentication string, use the no form of this command.

standby [group-number] authentication string

no standby [group-number] authentication string

Syntax Description

group-number

(Optional) Group number on the interface to which this authentication string applies.

string

Authentication string. It can be up to eight characters in length. The default string is cisco.

standby ip

To activate the Hot Standby Router Protocol (HSRP), use the standby ip interface configuration command. To disable HSRP, use the no form of this command.

standby [group-number] ip [ip-address [secondary]]

no standby [group-number] ip [ip-address]

Syntax Description

group-number

(Optional) Group number on the interface for which HSRP is being activated. Default is 0.

ip-address

(Optional) IP address of the Hot Standby Router interface.

secondary

(Optional) Indicates the IP address is a secondary Hot Standby Router interface. Useful on interfaces with primary and secondary addresses; you can configure primary and secondary HSRP addresses.

standby mac-refresh

To change the interval at which packets are sent to refresh the MAC cache when Hot Standby Router Protocol (HSRP) is running over Fiber Distributed Data Interface (FDDI), use the standby mac-refresh interface configuration command. To restore the default value, use the no form of this command.

standby mac-refresh seconds

no standby mac-refresh

Syntax Description

seconds

Number of seconds in the interval at which a packet is sent to refresh the MAC cache. The maximum value is 255 seconds. The default is 10 seconds.

standby preempt

To configure Hot Standby Router Protocol (HSRP) priority, preemption, and preemption delay, use the standby preempt or standby priority interface configuration commands. To restore the default values, use the no form of this command.

standby [group-number] priority priority [preempt [delay delay]]

standby [group-number] [priority priority] preempt [delay delay]



no standby [group-number] priority priority [preempt [delay delay]]

no standby [group-number] [priority priority] preempt [delay delay]

Syntax Description

group-number

(Optional) Group number on the interface to which the other arguments in this command apply.

priority priority

(Optional) Priority value that prioritizes a potential Hot Standby router. The range is 1 to 255; the default is 100.

preempt

(Optional) The router is configured to preempt, which means that when the local router has a Hot Standby priority higher than the current active router, the local router should attempt to assume control as the active router. If preempt is not configured, the local router assumes control as the active router only if it receives information indicating that there is no router currently in the active state (acting as the designated router).

delay delay

(Optional) Time in seconds. The delay argument causes the local router to postpone taking over the active role for delay seconds since that router was last restarted. The range is 0 to 3600 seconds (1 hour). The default is 0 seconds (no delay).

standby priority

To configure Hot Standby Router Protocol (HSRP) priority, preemption, and preemption delay, use the standby priority or standby preempt interface configuration commands. To restore the default values, use the no form of this command.

standby [group-number] priority priority [preempt [delay delay]]

standby [group-number] [priority priority] preempt [delay delay]



no standby [group-number] priority priority [preempt [delay delay]]

no standby [group-number] [priority priority] preempt [delay delay]

Syntax Description

group-number

(Optional) Group number on the interface to which the other arguments in this command apply.

priority priority

(Optional) Priority value that prioritizes a potential Hot Standby router. The range is 1 to 255; the default is 100.

preempt

(Optional) The router is configured to preempt, which means that when the local router has a Hot Standby priority higher than the current active router, the local router should attempt to assume control as the active router. If preempt is not configured, the local router assumes control as the active router only if it receives information indicating that there is no router currently in the active state (acting as the designated router).

delay delay

(Optional) Time in seconds. The delay argument causes the local router to postpone taking over the active role for delay seconds since that router was last restarted. The range is 0 to 3600 seconds (1 hour). The default is 0 seconds (no delay).

standby timers

To configure the time between hellos and the time before other routers declare the active Hot Standby or standby router to be down, use the standby timers interface configuration command. To restore the timers to their default values, use the no form of this command.

standby [group-number] timers hellotime holdtime

no standby [group-number] timers hellotime holdtime

Syntax Description

group-number

(Optional) Group number on the interface to which the timers apply. The default is 0.

hellotime

Hello interval in seconds. This is an integer from 1 to 255. The default is 3 seconds.

holdtime

Time in seconds before the active or standby router is declared to be down. This is an integer from 1 to 255. The default is 10 seconds.

standby track

To configure an interface so that the Hot Standby priority changes based on the availability of other interfaces, use the standby track interface configuration command. To remove the tracking, use the no form of this command.

standby [group-number] track type number [interface-priority]

no standby [group-number] track type number [interface-priority]

Syntax Description

group-number

(Optional) Group number on the interface to which the tracking applies.

type

Interface type (combined with interface number) that will be tracked.

number

Interface number (combined with interface type) that will be tracked.

interface-priority

(Optional) Amount by which the Hot Standby priority for the router is decremented (or incremented) when the interface goes down (or comes back up). The default value is 10.

standby use-bia

To configure Hot Standby Router Protocol (HSRP) to use the burned-in address of the interface as its virtual MAC address instead of the preassigned MAC address (on Ethernet and Fiber Distributed Data Interface (FDDI)) or the functional address (on Token Ring), use the standby use-bia interface configuration command. To restore the default virtual MAC address, use the no form of this command.

standby use-bia [scope interface]

no standby use-bia

Syntax Description

scope interface

(Optional) Specifies that this command is configured just for the subinterface on which it was entered, instead of the major interface.

start-forwarding-agent

To start the forwarding agent, use the start-forwarding-agent CASA-port configuration command.

start-forwarding-agent number [password [timeout]]

Syntax Description

number

Port numbers on which the forwarding agent will listen for wildcards broadcast from the services manager. This must match the port number defined on the services manager.

password

(Optional) Text password used for generating the MD5 digest.

timeout

(Optional) Duration in seconds during which the forwarding agent will accept the new and old password. Valid range is between 0 and 3600 seconds. The default is 180 seconds.

transmit-interface

To assign a transmit interface to a receive-only interface, use the transmit-interface interface configuration command. To return to normal duplex Ethernet interfaces, use the no form of this command.

transmit-interface type number

no transmit-interface

Syntax Description

type

Transmit interface type to be linked with the (current) receive-only interface.

number

Transmit interface number to be linked with the (current) receive-only interface.


hometocprevnextglossaryfeedbacksearchhelp
Posted: Wed Jul 26 14:02:41 PDT 2000
Copyright 1989-2000©Cisco Systems Inc.