Commands - General

8/3/2019 Commands - General

There are three modes of operation within the Cisco IOS:

1. Disabled mode (user EXEC; the prompt ends in ">")

2. Enabled mode (privileged EXEC; the prompt ends in "#")

3. Configuration mode (the prompt ends in "(config)#")

In the Disabled mode you can use a limited number of commands. This is used primarily to monitor the router.

The Enabled mode is used to show configuration information, enter the configuration mode, and make changes to the configuration. Entering it with 'enable' requires the enable password or enable secret, so that credential is what separates read-only monitoring from full control of the router.

The Configuration mode is used to enter and update the running configuration.

To get a list of the commands available in the current mode, type '?' at the prompt. To get further information about any command, type the command followed by a '?'.

    clear Reset functions

    clock Manage the system clock

    configure Enter configuration mode

    debug Debugging functions (see also 'undebug')

    disable Turn off privileged commands

    enable Turn on privileged commands

    erase Erase flash or configuration memory

    exit Exit from the EXEC

    help Description of the interactive help system

    login Log in as a particular user

    logout Exit from the EXEC

    no Disable debugging functions

    ping Send echo messages

    reload Halt and perform a cold restart

    setup Run the SETUP command facility

    show Show running system information

    telnet Open a telnet connection

    terminal Set terminal line parameters

    test Test subsystems, memory, and interfaces

    traceroute Trace route to destination

    tunnel Open a tunnel connection

undebug Disable debugging functions (see also 'debug')

verify Verify checksum of a Flash file

    write Write running configuration to memory, network, or terminal

    show

    access-lists List access lists

    arp ARP table

    buffers Buffer pool statistics

    configuration Contents of Non-Volatile memory


    controllers Interface controller status

    debugging State of each debugging option

    dialer Dialer parameters and statistics

    extended Extended Interface Information

    flash System Flash information

    flh-log Flash Load Helper log buffer

    history Display the session command history

    hosts IP domain-name, lookup style, name servers, and host table

    interfaces Interface status and configuration

    ip IP information

    isdn ISDN information

    line TTY line information

    logging Show the contents of logging buffers

    memory Memory statistics

    privilege Show current privilege level

    processes Active process statistics

    protocols Active network routing protocols

queue Show queue contents

queueing Show queueing configuration

    reload Scheduled reload information

    route-map route-map information

    running-config Current operating configuration

    sessions Information about Telnet connections

    smf Software MAC filter

    stacks Process stack utilization

    startup-config Contents of startup configuration

    subsys Show subsystem information

    tcp Status of TCP connections

terminal Display terminal configuration parameters

users Display information about terminal lines

    version System hardware and software status

    Other Useful Commands

View the Software Version

View the Ethernet IP

View the Serial IP

View the Default Route

View the Filters

View the Bandwidth

Add a Static Route

Change the Dial Number

Turn Filters On and Off

Ping from the Router

Traceroute from the Router

    IP Addressing Commands

Source for the topics above: http://tomax7.com/mcse/cisco_commands.htm

This chapter describes the function and displays the syntax for IP addressing commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Network Protocols Command Reference, Part 1.

    arp (global)

To add a permanent entry in the Address Resolution Protocol (ARP) cache, use the arp global configuration command. To remove an entry from the ARP cache, use the no form of this command. A static entry is not replaced by ARP replies received on the wire, which is why operators pin critical neighbours (for example the next-hop gateway) this way against ARP spoofing on a shared segment.

arp ip-address hardware-address type [alias]
no arp ip-address hardware-address type [alias]

ip-address IP address in four-part dotted-decimal format corresponding to the local data link address.

    hardware-address

    Local data link address (a 48-bit address).

type Encapsulation description. For Ethernet interfaces, this is typically the arpa keyword. For Fiber Distributed Data Interface (FDDI) and Token Ring interfaces, this is always snap.

alias (Optional) Indicates that the Cisco IOS software should respond to ARP requests as if it were the owner of the specified address.

    arp (interface)

To control the interface-specific handling of IP address resolution into 48-bit Ethernet, FDDI, and Token Ring hardware addresses, use the arp interface configuration command. To disable an encapsulation type, use the no form of this command.

arp {arpa | probe | snap}
no arp {arpa | probe | snap}

    arpa Standard Ethernet-style ARP (RFC 826).

    probe HP Probe protocol for IEEE-802.3 networks.

    snap ARP packets conforming to RFC 1042.

    arp timeout

To configure how long an entry remains in the ARP cache, use the arp timeout interface configuration command. To restore the default value, use the no form of this command.

arp timeout seconds
no arp timeout seconds

seconds Time (in seconds) that an entry remains in the ARP cache. The default is 14400 seconds (4 hours). A value of zero means that entries are never cleared from the cache.

    clear arp-cache

To delete all dynamic entries from the ARP cache, to clear the fast-switching cache, and to clear the IP route cache, use the clear arp-cache EXEC command.


    clear arp-cache

    clear host

    To delete entries from the host-name-and-address cache, use the clear host EXEC command.

    clear host {name |*}

    name Particular host entry to remove.

    * Removes all entries.

    clear ip nat translation

To clear dynamic Network Address Translation (NAT) translations from the translation table, use the clear ip nat translation EXEC command. Static translations are not affected.

clear ip nat translation {* | [inside global-ip local-ip] [outside local-ip global-ip]}

clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip global-ip]

* Clears all dynamic translations.

inside Clears the inside translations containing the specified global-ip and local-ip addresses.

global-ip When used without the arguments protocol, global-port, and local-port, clears a simple translation that also contains the specified local-ip address. When used with the arguments protocol, global-port, and local-port, clears an extended translation.

local-ip (Optional) Clears an entry that contains this local IP address and the specified global-ip address.

outside Clears the outside translations containing the specified global-ip and local-ip addresses.

protocol (Optional) Clears an entry that contains this protocol and the specified global-ip address, local-ip address, global-port, and local-port.

global-port (Optional) Clears an entry that contains this global-port and the specified protocol, global-ip address, local-ip address, and local-port.

local-port (Optional) Clears an entry that contains this local-port and the specified protocol, global-ip address, local-ip address, and global-port.

    clear ip nhrp

To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, use the clear ip nhrp EXEC command.

    clear ip nhrp

    clear ip route

    To delete routes from the IP routing table, use the clear ip route EXEC command.

clear ip route {network [mask] | *}

network Network or subnet address to remove.

mask (Optional) Subnet mask of the network to remove.


    * Removes all routing table entries.

    ip address

To set a primary or secondary IP address for an interface, use the ip address interface configuration command. To remove an IP address or disable IP processing, use the no form of this command.

ip address ip-address mask [secondary]
no ip address ip-address mask [secondary]

    ip-address IP address.

    mask Mask for the associated IP subnet.

secondary (Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.

    ip broadcast-address

To define a broadcast address for an interface, use the ip broadcast-address interface configuration command. To restore the default IP broadcast address, use the no form of this command.

ip broadcast-address [ip-address]
no ip broadcast-address [ip-address]

    ip-address (Optional) IP broadcast address for a network.

    ip classless

At times the router might receive packets destined for a subnet of a network that has no network default route. To have the Cisco IOS software forward such packets to the best supernet route possible, use the ip classless global configuration command. To disable this feature, use the no form of this command.

ip classless
no ip classless

    ip default-gateway

To define a default gateway (router) when IP routing is disabled, use the ip default-gateway global configuration command. To disable this function, use the no form of this command.

    ip default-gateway ip-address

    no ip default-gateway ip-address

    ip-address IP address of the router.

    ip directed-broadcast

To enable the translation of directed broadcasts to physical broadcasts, use the ip directed-broadcast interface configuration command. To disable this function, use the no form of this command.


ip directed-broadcast [access-list-number]
no ip directed-broadcast [access-list-number]

access-list-number (Optional) Number of the access list. If specified, a broadcast must pass the access list to be forwarded. If not specified, all broadcasts are forwarded.

Forwarding directed broadcasts lets an outside host make every station on the subnet answer a single spoofed packet (the Smurf amplification attack). Leave it disabled with no ip directed-broadcast on every interface; since Cisco IOS Release 12.0 that is the default, while earlier releases forward directed broadcasts unless the no form is configured.

    ip domain-list

To define a list of default domain names to complete unqualified host names, use the ip domain-list global configuration command. To delete a name from the list, use the no form of this command.

ip domain-list name
no ip domain-list name

name Domain name. Do not include the initial period that separates an unqualified name from the domain name.

    ip domain-lookup

To enable the IP Domain Name System (DNS)-based host name-to-address translation, use the ip domain-lookup global configuration command. To disable DNS lookups, use the no form of this command. With lookups enabled (the default), a mistyped word at the EXEC prompt is treated as a host name and the router tries to resolve it and open a Telnet session to it, which is why no ip domain-lookup is common on lab and hardened routers.

ip domain-lookup
no ip domain-lookup

    ip domain-lookup nsap

To allow DNS queries for Connectionless Network Service (CLNS) addresses, use the ip domain-lookup nsap global configuration command. To disable this feature, use the no form of this command.

ip domain-lookup nsap
no ip domain-lookup nsap

    ip domain-name

To define a default domain name that the Cisco IOS software uses to complete unqualified host names (names without a dotted-decimal domain name), use the ip domain-name global configuration command. To disable use of the DNS, use the no form of this command.

ip domain-name name
no ip domain-name

    name Default domain name used to complete unqualified host names. Do not include the initialperiod that separates an unqualified name from the domain name.

    ip forward-protocol

To specify which protocols and ports the router forwards when forwarding broadcast packets, use the ip forward-protocol global configuration command. To remove a protocol or port, use the no form of this command.


ip forward-protocol {udp [port] | nd | sdns}
no ip forward-protocol {udp [port] | nd | sdns}

udp Forward User Datagram Protocol (UDP) datagrams. If no port is given, the default port set is forwarded: Time (37), TACACS (49), DNS (53), BOOTP/DHCP server and client (67 and 68), TFTP (69), and NetBIOS name and datagram services (137 and 138).

port (Optional) Destination port that controls which UDP services are forwarded.

nd Forward Network Disk (ND) datagrams. This protocol is used by older diskless Sun workstations.

sdns Secure Data Network Service.

    sdns Secure Data Network Service.

    ip forward-protocol any-local-broadcast

To forward any broadcasts including local subnet broadcasts, use the ip forward-protocol any-local-broadcast global configuration command. To disable this type of forwarding, use the no form of this command.

ip forward-protocol any-local-broadcast
no ip forward-protocol any-local-broadcast

    ip forward-protocol spanning-tree

To permit IP broadcasts to be flooded throughout the internetwork in a controlled fashion, use the ip forward-protocol spanning-tree global configuration command. To disable the flooding of IP broadcasts, use the no form of this command.

ip forward-protocol spanning-tree
no ip forward-protocol spanning-tree

    ip forward-protocol turbo-flood

To speed up flooding of User Datagram Protocol (UDP) datagrams using the spanning-tree algorithm, use the ip forward-protocol turbo-flood global configuration command. To disable this feature, use the no form of this command.

ip forward-protocol turbo-flood
no ip forward-protocol turbo-flood

    ip helper-address

To have the Cisco IOS software forward User Datagram Protocol (UDP) broadcasts, including BOOTP, received on an interface, use the ip helper-address interface configuration command. To disable the forwarding of broadcast packets to specific addresses, use the no form of this command. Which UDP ports are relayed is governed by the global ip forward-protocol udp setting.

ip helper-address address
no ip helper-address address

address Destination broadcast or host address to be used when forwarding UDP broadcasts. There can be more than one helper address per interface.

    ip host


To define a static host name-to-address mapping in the host cache, use the ip host global configuration command. To remove the name-to-address mapping, use the no form of this command.

ip host name [tcp-port-number] address1 [address2...address8]
no ip host name address1

name Name of the host. The first character can be either a letter or a number. If you use a number, the operations you can perform are limited.

tcp-port-number (Optional) TCP port number to connect to when using the defined host name in conjunction with an EXEC connect or Telnet command. The default is Telnet (port 23).

address1 Associated IP address.

address2...address8 (Optional) Additional associated IP addresses. You can bind up to eight addresses to a host name.

    ip hp-host

To enter into the host table the host name of an HP host to be used for HP Probe Proxy service, use the ip hp-host global configuration command. To remove a host name, use the no form of this command.

ip hp-host hostname ip-address
no ip hp-host hostname ip-address

    hostname Name of the host.

    ip-address IP address of the host.

    ip irdp

To enable ICMP Router Discovery Protocol (IRDP) processing on an interface, use the ip irdp interface configuration command. To disable IRDP routing, use the no form of this command. IRDP advertisements carry no authentication, so on a shared segment any station can advertise itself with a higher preference and become the default gateway of hosts that honour IRDP; enable it only on segments where that is acceptable.

ip irdp [multicast | holdtime seconds | maxadvertinterval seconds | minadvertinterval seconds | preference number | address address [number]]
no ip irdp

multicast (Optional) Use the multicast address (224.0.0.1) instead of IP broadcasts.

holdtime seconds (Optional) Length of time in seconds advertisements are held valid. Default is three times the maxadvertinterval value. Must be greater than maxadvertinterval and cannot be greater than 9000 seconds.

maxadvertinterval seconds (Optional) Maximum interval in seconds between advertisements. The default is 600 seconds.

minadvertinterval seconds (Optional) Minimum interval in seconds between advertisements. The default is 0.75 times the maxadvertinterval. If you change the maxadvertinterval value, this value defaults to three-quarters of the new value.

preference number (Optional) Preference value. The allowed range is -2^31 to 2^31. The default is 0. A higher value increases the router's preference level. You can modify a particular router so that it will be the preferred router to which others home.


address address [number] (Optional) IP address (address) to proxy-advertise, and optionally, its preference value (number).

    ip mobile arp

To enable local-area mobility, use the ip mobile arp interface configuration command. To disable local-area mobility, use the no form of this command.

ip mobile arp [timers keepalive hold-time] [access-group access-list-number | name]
no ip mobile arp [timers keepalive hold-time] [access-group access-list-number | name]

timers (Optional) Indicates that you are setting local-area mobility timers.

keepalive (Optional) Frequency, in seconds, at which the Cisco IOS software sends unicast ARP messages to a relocated host to verify that the host is present and has not moved. The default keepalive time is 300 seconds (5 minutes).

hold-time (Optional) Hold time, in seconds. This is the length of time the software considers that a relocated host is present without receiving some type of ARP broadcast or unicast from the host. Normally, the hold time should be at least three times greater than the keepalive time. The default hold time is 900 seconds (15 minutes).

access-group (Optional) Indicates that you are applying an access list. This access list applies only to local-area mobility.

access-list-number (Optional) Number of a standard IP access list. It is a decimal number from 1 to 99. Only hosts with addresses permitted by this access list are accepted for local-area mobility.

name (Optional) Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.

    ip name-server

To specify the address of one or more name servers to use for name and address resolution, use the ip name-server global configuration command. To remove the addresses specified, use the no form of this command.

ip name-server server-address1 [[server-address2]...server-address6]
no ip name-server server-address1 [[server-address2]...server-address6]

server-address1 IP address of a name server.

server-address2...server-address6 (Optional) IP addresses of additional name servers (a maximum of six name servers).

    ip nat

To designate that traffic originating from or destined for the interface is subject to Network Address Translation (NAT), use the ip nat interface configuration command. To prevent the interface from being able to translate, use the no form of this command.

ip nat {inside | outside}
no ip nat {inside | outside}

inside Indicates the interface is connected to the inside network (the network subject to NAT translation).


    outside Indicates the interface is connected to the outside network.

    ip nat inside destination

To enable Network Address Translation (NAT) of the inside destination address, use the ip nat inside destination global configuration command. To remove the dynamic association to a pool, use the no form of this command.

ip nat inside destination list {access-list-number | name} pool name
no ip nat inside destination list {access-list-number | name}

list access-list-number Standard IP access list number. Packets with destination addresses that pass the access list are translated using global addresses from the named pool.

list name Name of a standard IP access list. Packets with destination addresses that pass the access list are translated using global addresses from the named pool.

pool name Name of the pool from which global IP addresses are allocated during dynamic translation.

    ip nat inside source

To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source global configuration command. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.

ip nat inside source {list {access-list-number | name} pool name [overload] | static local-ip global-ip}
no ip nat inside source {list {access-list-number | name} pool name [overload] | static local-ip global-ip}

list access-list-number Standard IP access list number. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

list name Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

pool name Name of the pool from which global IP addresses are allocated dynamically.

overload (Optional) Enables the router to use one global address for many local addresses. When overloading is configured, each inside host's TCP or UDP port number distinguishes between the multiple conversations using the same local IP address.

static local-ip Sets up a single static translation; this argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918 space, or obsolete. Unlike dynamic entries, a static translation is permanent and accepts unsolicited inbound connections to the inside host, so pair it with an access list on the outside interface.

global-ip Sets up a single static translation; this argument establishes the globally unique IP address of an inside host as it appears to the outside world.

    ip nat outside source

To enable Network Address Translation (NAT) of the outside source address, use the ip nat outside source global configuration command. To remove the static entry or the dynamic association, use the no form of this command.


ip nat outside source {list {access-list-number | name} pool name | static global-ip local-ip}
no ip nat outside source {list {access-list-number | name} pool name | static global-ip local-ip}

list access-list-number Standard IP access list number. Packets with source addresses that pass the access list are translated using global addresses from the named pool.

list name Name of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool.

pool name Name of the pool from which global IP addresses are allocated.

static global-ip Sets up a single static translation. This argument establishes the globally unique IP address assigned to a host on the outside network by its owner. It was allocated from globally routable network space.

local-ip Sets up a single static translation. This argument establishes the local IP address of an outside host as it appears to the inside world. The address was allocated from address space routable on the inside (RFC 1918, perhaps).

    ip nat pool

To define a pool of IP addresses for Network Address Translation (NAT), use the ip nat pool global configuration command. To remove one or more addresses from the pool, use the no form of this command.

ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]
no ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]

name Name of the pool.

start-ip Starting IP address that defines the range of addresses in the address pool.

end-ip Ending IP address that defines the range of addresses in the address pool.

netmask netmask Network mask that indicates which address bits belong to the network and subnetwork fields and which bits belong to the host field. Specify the netmask of the network to which the pool addresses belong.

prefix-length prefix-length Number that indicates how many bits of the netmask are ones (how many bits of the address indicate network). Specify the netmask of the network to which the pool addresses belong.

type rotary (Optional) Indicates that the range of addresses in the address pool identify real, inside hosts among which TCP load distribution will occur.

    ip nat translation

To change the amount of time after which Network Address Translation (NAT) translations time out, use the ip nat translation global configuration command. To disable the timeout, use the no form of this command.

ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout} seconds
no ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout}

timeout Specifies that the timeout value applies to dynamic translations except for overload translations. Default is 86400 seconds (24 hours).

udp-timeout Specifies that the timeout value applies to the UDP port. Default is 300 seconds (5 minutes).

dns-timeout Specifies that the timeout value applies to connections to the Domain Name System (DNS). Default is 60 seconds.

tcp-timeout Specifies that the timeout value applies to the TCP port. Default is 86400 seconds (24 hours).

finrst-timeout Specifies that the timeout value applies to Finish and Reset TCP packets, which terminate a connection. Default is 60 seconds.

seconds Number of seconds after which the specified port translation times out. Default values are listed above with each keyword.
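Added example, not Cisco code: a Python model of the inside-source translation table that follows the behaviour documented above for ip nat inside source ... overload (one global address, with each flow's ports telling conversations apart), ip nat inside source static, the simple and extended forms of clear ip nat translation (see that command earlier in this chapter), and the ip nat translation idle timeouts with their default values. The addresses, ports, port allocator and timer values used here are constructed for the example; a real router also records the outside address of each flow, which this model reduces to the destination port.

```python
from dataclasses import dataclass
from typing import List, Optional

# Default idle timeouts in seconds, as listed under "ip nat translation".
DEFAULT_TIMEOUTS = {
    "timeout": 86400, "udp-timeout": 300, "tcp-timeout": 86400,
    "dns-timeout": 60, "finrst-timeout": 60,
}


@dataclass
class Translation:
    inside_local: str
    inside_global: str
    protocol: Optional[str] = None   # None: simple (address-only) translation
    local_port: Optional[int] = None
    global_port: Optional[int] = None
    dst_port: Optional[int] = None   # outside port; only used to recognise DNS (53)
    static: bool = False
    closing: bool = False            # TCP FIN/RST seen: finrst-timeout applies
    last_used: float = 0.0


class NatTable:
    """Inside-source NAT: dynamic pool, optional overload (PAT), static entries."""

    def __init__(self, pool: List[str], overload: bool = False, timeouts=None):
        self.pool = list(pool)              # ip nat pool NAME start-ip end-ip
        self.overload = overload            # ip nat inside source list ... pool NAME overload
        self.timeouts = {**DEFAULT_TIMEOUTS, **(timeouts or {})}
        self.entries: List[Translation] = []
        self._next_port = 1024              # constructed port allocator for overload

    def add_static(self, local_ip: str, global_ip: str) -> Translation:
        """ip nat inside source static local-ip global-ip"""
        e = Translation(local_ip, global_ip, static=True)
        self.entries.append(e)
        return e

    def translate(self, inside_local: str, now: float, protocol: Optional[str] = None,
                  local_port: Optional[int] = None, dst_port: Optional[int] = None) -> Translation:
        """Outbound packet: return the matching entry, creating one if needed."""
        self.expire(now)
        # Overload keys on (protocol, port); plain dynamic and static NAT key on the address.
        key = (protocol, local_port) if self.overload else (None, None)
        for e in self.entries:
            if e.inside_local == inside_local and (e.static or (e.protocol, e.local_port) == key):
                e.last_used = now
                return e
        if self.overload:
            if protocol is None or local_port is None:
                raise ValueError("overload needs a transport protocol and source port")
            e = Translation(inside_local, self.pool[0], protocol, local_port,
                            self._next_port, dst_port, last_used=now)
            self._next_port += 1
        else:
            in_use = {e.inside_global for e in self.entries}
            free = [ip for ip in self.pool if ip not in in_use]
            if not free:
                raise RuntimeError("NAT pool exhausted")
            e = Translation(inside_local, free[0], last_used=now)
        self.entries.append(e)
        return e

    def _idle_limit(self, e: Translation) -> int:
        if e.closing:
            return self.timeouts["finrst-timeout"]
        if e.protocol == "tcp":
            return self.timeouts["tcp-timeout"]
        if e.protocol == "udp":
            return self.timeouts["dns-timeout"] if e.dst_port == 53 else self.timeouts["udp-timeout"]
        return self.timeouts["timeout"]     # simple translations

    def expire(self, now: float) -> None:
        """Drop dynamic entries idle longer than their timeout; static ones never age out."""
        self.entries = [e for e in self.entries
                        if e.static or now - e.last_used <= self._idle_limit(e)]

    def mark_fin_rst(self, e: Translation) -> None:
        """A FIN or RST on the flow switches the entry to finrst-timeout."""
        e.closing = True

    def clear_all(self) -> int:
        """clear ip nat translation *  (dynamic entries only)"""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.static]
        return before - len(self.entries)

    def clear_inside(self, global_ip: str, local_ip: str) -> int:
        """clear ip nat translation inside global-ip local-ip: simple translations only."""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.static or e.protocol is not None
                        or (e.inside_global, e.inside_local) != (global_ip, local_ip)]
        return before - len(self.entries)

    def clear_inside_extended(self, protocol, global_ip, global_port, local_ip, local_port) -> int:
        """clear ip nat translation protocol inside global-ip global-port local-ip local-port"""
        before = len(self.entries)
        self.entries = [e for e in self.entries if e.static or
                        (e.protocol, e.inside_global, e.global_port, e.inside_local, e.local_port)
                        != (protocol, global_ip, global_port, local_ip, local_port)]
        return before - len(self.entries)
```

The model makes the operational point explicit: with overload every flow is an extended entry, so the address-only form of clear ip nat translation removes nothing and the protocol and ports must be given; static entries survive both clear * and the idle timers, which is why a forgotten static mapping stays reachable from outside until it is removed with the no form of the command.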

    ip netmask-format

To specify the format in which netmasks are displayed in show command output, use the ip netmask-format line configuration command. To restore the default display format, use the no form of this command.

ip netmask-format {bitcount | decimal | hexadecimal}
no ip netmask-format [bitcount | decimal | hexadecimal]

bitcount Addresses are followed by a slash and the total number of bits in the netmask. For example, 131.108.11.0/24 indicates that the netmask is 24 bits.

decimal Network masks are displayed in dotted decimal notation (for example, 255.255.255.0).

hexadecimal Network masks are displayed in hexadecimal format, as indicated by the leading 0X (for example, 0XFFFFFF00).

    ip nhrp authentication

To configure the authentication string for an interface using Next Hop Resolution Protocol (NHRP), use the ip nhrp authentication interface configuration command. To remove the authentication string, use the no form of this command.

ip nhrp authentication string
no ip nhrp authentication [string]

string Authentication string configured for the source and destination stations that controls whether NHRP stations allow intercommunication. The string can be up to 8 characters long. It is a shared plaintext tag that keeps NHRP domains apart, not cryptographic authentication of the peer; deployments that need peer authentication rely on IPsec for it.

    ip nhrp holdtime

To change the number of seconds that NHRP nonbroadcast, multiaccess (NBMA) addresses are advertised as valid in authoritative NHRP responses, use the ip nhrp holdtime interface configuration command. To restore the default value, use the no form of this command.

ip nhrp holdtime seconds-positive [seconds-negative]
no ip nhrp holdtime [seconds-positive [seconds-negative]]

seconds-positive Time in seconds that NBMA addresses are advertised as valid in positive authoritative NHRP responses.

seconds-negative (Optional) Time in seconds that NBMA addresses are advertised as valid in negative authoritative NHRP responses.


    ip nhrp interest

To control which IP packets can trigger sending a Next Hop Resolution Protocol (NHRP) Request, use the ip nhrp interest interface configuration command. To restore the default value, use the no form of this command.

ip nhrp interest access-list-number
no ip nhrp interest [access-list-number]

access-list-number Standard or extended IP access list number in the range 1 to 199.

    ip nhrp map

To statically configure the IP-to-NBMA address mapping of IP destinations connected to a nonbroadcast, multiaccess (NBMA) network, use the ip nhrp map interface configuration command. To remove the static entry from the NHRP cache, use the no form of this command.

ip nhrp map ip-address nbma-address

no ip nhrp map ip-address nbma-address

ip-address IP address of the destinations reachable through the NBMA network. This address is mapped to the NBMA address.

nbma-address NBMA address that is directly reachable through the NBMA network. The address format varies depending on the medium you are using. For example, ATM has an NSAP address, Ethernet has a MAC address, and SMDS has an E.164 address. This address is mapped to the IP address.

    ip nhrp map multicast

To configure NBMA addresses used as destinations for broadcast or multicast packets to be sent over a tunnel network, use the ip nhrp map multicast interface configuration command. To remove the destinations, use the no form of this command.

ip nhrp map multicast nbma-address
no ip nhrp map multicast nbma-address

nbma-address Nonbroadcast, multiaccess (NBMA) address which is directly reachable through the NBMA network. The address format varies depending on the medium you are using.

    ip nhrp max-send

To change the maximum frequency at which NHRP packets can be sent, use the ip nhrp max-send interface configuration command. To restore this frequency to the default value, use the no form of this command.

ip nhrp max-send pkt-count every interval
no ip nhrp max-send

pkt-count Number of packets which can be transmitted in the range from 1 to 65535. Default is 5 packets.

every interval Time (in seconds) in the range from 10 to 65535. Default is 10 seconds.


    ip nhrp network-id

To enable the Next Hop Resolution Protocol (NHRP) on an interface, use the ip nhrp network-id interface configuration command. To disable NHRP on the interface, use the no form of this command.

ip nhrp network-id number
no ip nhrp network-id [number]

number Globally unique, 32-bit network identifier for a nonbroadcast, multiaccess (NBMA) network. The range is 1 to 4294967295.

    ip nhrp nhs

To specify the address of one or more NHRP Next Hop Servers, use the ip nhrp nhs interface configuration command. To remove the address, use the no form of this command.

    ip nhrp nhs nhs-address [net-address [netmask]]

    no ip nhrp nhs nhs-address [net-address [netmask]]

nhs-address Address of the Next Hop Server being specified.

net-address (Optional) IP address of a network served by the Next Hop Server.

netmask (Optional) IP network mask to be associated with the net-address. The net-address is logically ANDed with the mask.

    ip nhrp record

To re-enable the use of forward record and reverse record options in NHRP Request and Reply packets, use the ip nhrp record interface configuration command. To suppress the use of such options, use the no form of this command.

ip nhrp record
no ip nhrp record

    ip nhrp responder

    To designate which interface's primary IP address the Next Hop Server will use in NHRP Reply packets when the NHRP requestor uses the Responder Address option, use the ip nhrp responder interface configuration command. To remove the designation, use the no form of this command.

    ip nhrp responder type number
    no ip nhrp responder [type] [number]

    type   Interface type whose primary IP address is used when a Next Hop Server complies with a Responder Address option (for example, serial, tunnel).

    number   Interface number whose primary IP address is used when a Next Hop Server complies with a Responder Address option.

    ip nhrp use


    To configure the software so that NHRP is deferred until the system has attempted to send data traffic to a particular destination multiple times, use the ip nhrp use interface configuration command. To restore the default value, use the no form of this command.

    ip nhrp use usage-count
    no ip nhrp use usage-count

    usage-count   Packet count in the range from 1 to 65535. Default is 1.

    ip probe proxy

    To enable the HP Probe Proxy support, which allows the Cisco IOS software to respond to HP Probe Proxy Name requests, use the ip probe proxy interface configuration command. To disable HP Probe Proxy, use the no form of this command.

    ip probe proxy
    no ip probe proxy

    ip proxy-arp

    To enable proxy ARP on an interface, use the ip proxy-arp interface configuration command. To disable proxy ARP on the interface, use the no form of this command.

    ip proxy-arp
    no ip proxy-arp

    ip redirects

    To enable the sending of redirect messages if the Cisco IOS software is forced to resend a packet through the same interface on which it was received, use the ip redirects interface configuration command. To disable the sending of redirect messages, use the no form of this command.

    ip redirects
    no ip redirects

    ip routing

    To enable IP routing, use the ip routing global configuration command. To disable IP routing, use the no form of this command.

    ip routing
    no ip routing

    ip subnet-zero

    To enable the use of subnet zero for interface addresses and routing updates, use the ip subnet-zero global configuration command. To restore the default, use the no form of this command.

    ip subnet-zero
    no ip subnet-zero

    ip unnumbered


    To enable IP processing on a serial interface without assigning an explicit IP address to the interface, use the ip unnumbered interface configuration command. To disable the IP processing on the interface, use the no form of this command.

    ip unnumbered type number
    no ip unnumbered type number

    type number   Type and number of another interface on which the router has an assigned IP address. It cannot be another unnumbered interface.

    ping (privileged)

    To check host reachability and network connectivity, use the ping (IP packet internet groper function) privileged EXEC command.

    ping [protocol] {host | address}

    protocol   (Optional) Protocol keyword. The default is IP.

    host   Host name of system to ping.

    address   IP address of system to ping.

    ping (user)

    To check host reachability and network connectivity, use the ping (IP packet internet groper function) user EXEC command.

    ping [protocol] {host | address}

    protocol(Optional) Protocol keyword. The default is IP.

    host Host name of system to ping.

    address IP address of system to ping.

    show arp

    To display the entries in the ARP table, use the show arp privileged EXEC command.

    show arp

    show hosts

    To display the default domain name, the style of name lookup service, a list of name server hosts, and the cached list of host names and addresses, use the show hosts EXEC command.

    show hosts

    show ip aliases

    To display the IP addresses mapped to TCP ports (aliases) and SLIP addresses, which are treated similarly to aliases, use the show ip aliases EXEC command.

    show ip aliases


    show ip arp

    To display the Address Resolution Protocol (ARP) cache, where SLIP addresses appear as permanent ARP table entries, use the show ip arp EXEC command.

    show ip arp [ip-address] [hostname] [mac-address] [type number]

    ip-address (Optional) ARP entries matching this IP address are displayed.

    hostname (Optional) Host name.

    mac-address (Optional) 48-bit MAC address.

    type number (Optional) ARP entries learned via this interface type and number are displayed.

    show ip interface

    To display the usability status of interfaces configured for IP, use the show ip interface EXEC command.

    show ip interface [type number]

    type   (Optional) Interface type.

    number   (Optional) Interface number.

    show ip irdp

    To display IRDP values, use the show ip irdp EXEC command.

    show ip irdp

    show ip masks

    To display the masks used for network addresses and the number of subnets using each mask, use the show ip masks EXEC command.

    show ip masks address

    address Network address for which a mask is required.

    show ip nat statistics

    To display Network Address Translation (NAT) statistics, use the show ip nat statistics EXEC command.

    show ip nat statistics

    show ip nat translations

    To display active Network Address Translation (NAT) translations, use the show ip nat translations EXEC command.

    show ip nat translations [verbose]


    verbose   (Optional) Displays additional information for each translation table entry, including how long ago the entry was created and used.

    show ip nhrp

    To display the Next Hop Resolution Protocol (NHRP) cache, use the show ip nhrp EXEC command.

    show ip nhrp [dynamic | static] [type number]

    dynamic (Optional) Displays only the dynamic (learned) IP-to-NBMA address cache entries.

    static   (Optional) Displays only the static IP-to-NBMA address entries in the cache (configured through the ip nhrp map command).

    type   (Optional) Interface type about which to display the NHRP cache (for example, atm, tunnel).

    number (Optional) Interface number about which to display the NHRP cache.

    show ip nhrp traffic

    To display Next Hop Resolution Protocol (NHRP) traffic statistics, use the show ip nhrp traffic EXEC command.

    show ip nhrp traffic

    show ip redirects

    To display the address of a default gateway (router) and the address of hosts for which a redirect has been received, use the show ip redirects EXEC command.

    show ip redirects

    term ip netmask-format

    To specify the format in which netmasks are displayed in show command output, use the term ip netmask-format EXEC command. To restore the default display format, use the no form of this command.

    term ip netmask-format {bitcount | decimal | hexadecimal}
    term no ip netmask-format [bitcount | decimal | hexadecimal]

    bitcount   Addresses are followed by a slash and the total number of bits in the netmask. For example, 131.108.11.55/24 indicates that the netmask is 24 bits.

    decimal   Netmasks are displayed in dotted decimal notation (for example, 255.255.255.0).

    hexadecimal   Netmasks are displayed in hexadecimal format, as indicated by the leading 0X (for example, 0XFFFFFF00).

    trace (privileged)

    To discover the routes the packets follow when traveling to their destination from the router, use the trace privileged EXEC command.


    trace [destination]

    destination   (Optional) Destination address or host name on the command line. The default parameters for the appropriate protocol are assumed and the tracing action begins.

    trace (user)

    To discover the routes the router packets follow when traveling to their destination, use the trace user EXEC command.

    trace ip destination

    destination   Destination address or host name on the command line. The default parameters for the appropriate protocol are assumed and the tracing action begins.

    tunnel mode

    To set the encapsulation mode for the tunnel interface, use the tunnel mode interface configuration command. To set to the default, use the no form of this command.

    tunnel mode {aurp | cayman | dvmrp | eon | gre ip [multipoint] | nos}
    no tunnel mode

    aurp AppleTalk Update-Based Routing Protocol (AURP).

    cayman Cayman TunnelTalk AppleTalk encapsulation.

    dvmrp Distance Vector Multicast Routing Protocol.

    eon EON compatible CLNS tunnel.

    gre ip Generic routing encapsulation (GRE) protocol over IP.

    multipoint   (Optional) Enables a GRE tunnel to be used in a multipoint fashion. Can be used with the gre ip keyword only, and requires the use of the tunnel key command.

    nos KA9Q/NOS compatible IP over IP.

    IP Services Commands

    Use the commands in this chapter to configure various IP services. For configuration information and examples on IP services, refer to the "Configuring IP Services" chapter of the Network Protocols Configuration Guide, Part 1.

    access-class

    To restrict incoming and outgoing connections between a particular virtual terminal line (into a Cisco device) and the addresses in an access list, use the access-class line configuration command. To remove access restrictions, use the no form of this command.

    access-class access-list-number {in | out}

    no access-class access-list-number {in | out}


    Syntax Description

    access-list-number

    Number of an IP access list. This is a decimal number from 1 to 199 or from 1300 to 2699.

    in   Restricts incoming connections between a particular Cisco device and the addresses in the access list.

    out   Restricts outgoing connections between a particular Cisco device and the addresses in the access list.

    Defaults

    No access lists are defined.

    Command Modes

    Line configuration

    Command History

    Release Modification

    10.0 This command was introduced.

    Usage Guidelines

    Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them.

    To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.

    Examples

    The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:

    access-list 12 permit 192.89.55.0 0.0.0.255
    line 1 5
    access-class 12 in

    The following example defines an access list that denies connections to networks other than network 36.0.0.0 on terminal lines 1 through 5:

    access-list 10 permit 36.0.0.0 0.255.255.255
    line 1 5
    access-class 10 out
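    The following Python is an added example, not part of the original reference and not Cisco code. It parses the two standard access lists above, plus one constructed list (number 13) that uses a noncontiguous wildcard, and evaluates candidate source addresses the way a standard numbered list does: IOS wildcard-mask semantics (a 0 bit in the wildcard must match, a 1 bit is ignored), first match wins, and an empty or exhausted list is an implicit deny. The function names, the sample addresses and list 13 are the example's own.

```python
import ipaddress

def wildcard_match(address, base, wildcard):
    """IOS wildcard-mask test: a 0 bit in the wildcard means the packet bit must
    equal the base bit; a 1 bit is ignored. Ones need not be contiguous."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    return (a & ~w) == (b & ~w)

def parse_standard_acl(config):
    """Parse `access-list N {permit|deny} source [wildcard]` lines into
    {N: [(action, base, wildcard), ...]}, preserving entry order."""
    acls = {}
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 4 or t[0] != "access-list":
            continue  # blank lines, comments, other commands
        number, action, src = int(t[1]), t[2], t[3]
        if src == "any":
            base, wild = "0.0.0.0", "255.255.255.255"
        elif src == "host":
            base, wild = t[4], "0.0.0.0"
        else:
            base = src
            wild = t[4] if len(t) > 4 else "0.0.0.0"  # omitted wildcard = exact host
        acls.setdefault(number, []).append((action, base, wild))
    return acls

def evaluate(entries, address):
    """First matching entry wins; falling off the end is the implicit deny."""
    for action, base, wild in entries:
        if wildcard_match(address, base, wild):
            return action
    return "deny"

# Constructed configuration: the page's two lists plus list 13, which uses the
# noncontiguous wildcard 0.255.0.64 (fourth octet must be 0 or 64).
SAMPLE_CONFIG = """
access-list 12 permit 192.89.55.0 0.0.0.255
access-list 10 permit 36.0.0.0 0.255.255.255
access-list 13 permit 10.0.0.0 0.255.0.64
"""

def vty_decisions(config, number, addresses):
    """Decision `access-class <number> in` would make for each candidate source;
    an undefined list number behaves as an empty list, i.e. deny."""
    entries = parse_standard_acl(config).get(number, [])
    return {addr: evaluate(entries, addr) for addr in addresses}

if __name__ == "__main__":
    candidates = ["192.89.55.77", "192.89.56.1", "36.1.2.3", "10.200.0.64", "10.200.0.65"]
    for number in (12, 10, 13):
        print(number, vty_decisions(SAMPLE_CONFIG, number, candidates))
```

    The last case is the one to keep in mind when reading a list: a wildcard such as 0.255.0.64 is legal and matches 10.x.0.0 and 10.x.0.64 only, which is easy to misread as "a /16".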

    Related Commands

    Command Description


    show line Displays the parameters of a terminal line.

    access-list (IP extended)

    To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access lists, use the no form of this command.

    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [fragments]

    no access-list access-list-number

    Internet Control Message Protocol (ICMP)

    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log | log-input] [fragments]

    Internet Group Management Protocol (IGMP)

    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log | log-input] [fragments]

    TCP

    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log | log-input] [fragments]

    User Datagram Protocol (UDP)

    access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log | log-input] [fragments]

    Caution Enhancements to this command are backward compatible; migrating from releases prior to Release 11.1 will convert your access lists automatically. However, releases prior to Release 11.1 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 11.1, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images.


    Syntax Description

    access-list-number   Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.

    dynamic dynamic-name   (Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide.

    timeout minutes   (Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide.

    deny Denies access if the conditions are matched.

    permit Permits access if the conditions are matched.

    protocol   Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the keyword ip. Some protocols allow further qualifiers described below.

    source   Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:

    Use a 32-bit quantity in four-part, dotted-decimal format.

    Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

    Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

    source-wildcard   Wildcard bits to be applied to source. Each wildcard bit set to zero indicates that the corresponding bit position in the packet's IP address must exactly match the bit value in the corresponding bit position in the source. Each wildcard bit set to one indicates that both a zero bit and a one bit in the corresponding position of the packet's IP address will be considered a match to this access list entry.

    There are three alternative ways to specify the source wildcard:

    Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. For example, 0.0.255.255 to require an exact match of only the first 16 bits of the source.

    Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

    Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

    Wildcard bits set to one do not need to be contiguous in the source-wildcard. For example, a source-wildcard of 0.255.0.64 would be valid.

    destination   Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:

    Use a 32-bit quantity in four-part, dotted-decimal format.

    Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

    Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

    destination-wildcard   Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:

    Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.

    Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

    Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

    precedence precedence   (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."


    tos tos   (Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."

    icmp-type   (Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

    icmp-code   (Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

    icmp-message   (Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines."

    igmp-type   (Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

    operator   (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range). If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number.

    port   (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names are listed in the section "Usage Guidelines" and can only be used when filtering TCP. UDP port names are listed in the section "Usage Guidelines" and can only be used when filtering UDP.

    established   (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST control bit set. The nonmatching case is the initial TCP datagram (SYN only) sent to form a connection, so the keyword admits return traffic without admitting new inbound connection attempts. It inspects only the flag bits, not connection state, so any packet with ACK set matches whether or not a connection exists.

    log   (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

    The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

    The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

    log-input   (Optional) Includes the input interface and source MAC address or VC in the logging output.

    fragments   (Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.

    Defaults

    An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.

    Command Modes

    Global configuration

    Command History

    Release Modification

    10.0 This command and the UDP form of this command were introduced.

    10.3 The ICMP, IGMP, and TCP forms of this command were introduced.

    The following keywords and arguments were added: source, source-wildcard, destination, destination-wildcard, precedence precedence, icmp-type, icmp-code, icmp-message, igmp-type, operator, port, established.

    11.1 The following keywords and arguments were added: dynamic dynamic-name, timeout minutes.

    11.2 The following keyword was added: log-input.

    12.0(11) The fragments keyword was added.

    Usage Guidelines

    You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.


    Note After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.

    The following is a list of precedence names:

    critical

    flash

    flash-override

    immediate

    internet

    network

    priority

    routine

    The following is a list of type of service (TOS) names:

    max-reliability

    max-throughput

    min-delay

    min-monetary-cost

    normal

    The following is a list of ICMP message type names and ICMP message type and code names:

    administratively-prohibited

    alternate-address

    conversion-error

    dod-host-prohibited

    dod-net-prohibited

    echo

    mask-reply

    mask-request

    mobile-redirect

    net-redirect

    net-tos-redirect

    net-tos-unreachable

    net-unreachable

    network-unknown

    no-room-for-option

    option-missing

    packet-too-big

    parameter-problem

    port-unreachable

    precedence-unreachable

    protocol-unreachable

    reassembly-timeout

    redirect

    router-advertisement

    router-solicitation

    source-quench

    source-route-failed


    echo-reply

    general-parameter-problem

    host-isolated

    host-precedence-unreachable

    host-redirect

    host-tos-redirect

    host-tos-unreachable

    host-unknown

    host-unreachable

    information-reply

    information-request

    time-exceeded

    timestamp-reply

    timestamp-request

    traceroute

    ttl-exceeded

    unreachable

    The following is a list of IGMP message names:

    dvmrp

    host-query

    host-report

    pim

    trace

    The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

    bgp

    chargen

    daytime

    discard

    domain

    echo

    nntp

    pop2

    pop3

    smtp

    sunrpc

    syslog


    finger

    ftp

    ftp-data

    gopher

    hostname

    irc

    klogin

    kshell

    lpd

    tacacs-ds

    talk

    telnet

    time

    uucp

    whois

    www

    The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.

    biff

    bootpc

    bootps

    discard

    dns

    dnsix

    echo

    mobile-ip

    nameserver

    netbios-dgm

    netbios-ns

    ntp

    rip

    snmp

    snmptrap

    sunrpc

    syslog

    tacacs-ds

    talk

    tftp

    time

    who

    xdmcp

    Access List Processing of Fragments


    The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:

    If the access-list entry has no fragments keyword (the default behavior), and assuming all of the access-list entry information matches:

    For an access-list entry containing only Layer 3 information, the entry is applied to nonfragmented packets, initial fragments and noninitial fragments.

    For an access-list entry containing Layer 3 and Layer 4 information, the entry is applied to nonfragmented packets and initial fragments: if the entry is a permit statement, the packet or fragment is permitted; if the entry is a deny statement, the packet or fragment is denied. The entry is also applied to noninitial fragments in the following manner. Because noninitial fragments contain only Layer 3 information, only the Layer 3 portion of an access-list entry can be applied. If the Layer 3 portion of the access-list entry matches, and the entry is a permit statement, the noninitial fragment is permitted; if the entry is a deny statement, the next access-list entry is processed.

    Note The deny statements are handled differently for noninitial fragments versus nonfragmented or initial fragments.

    If the access-list entry has the fragments keyword, and assuming all of the access-list entry information matches, the access-list entry is applied only to noninitial fragments.

    Note The fragments keyword cannot be configured for an access-list entry that contains any Layer 4 information.

    Be aware that you should not simply add the fragments keyword to every access list entry, because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword; the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.

    Packet fragments of IP datagrams are considered individual packets and each counts individuallyas a packet in access list accounting and access list violation counts.

    Note The fragments keyword cannot solve all cases involving access lists and IP fragments.

    Fragments and Policy Routing

    Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed, or the reverse.

    By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.

    Examples

    In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The keyword established is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.

    access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
    access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25


    interface serial 0
    ip access-group 102 in

    The following example also permits Domain Name System (DNS) packets and ICMP echo and echo reply packets:

    access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
    access-list 102 permit tcp any host 128.88.1.2 eq smtp
    access-list 102 permit tcp any any eq domain
    access-list 102 permit udp any any eq domain
    access-list 102 permit icmp any any echo
    access-list 102 permit icmp any any echo-reply

    The following examples show how wildcard bits are used to indicate the bits of the prefix or mask that are relevant. They are similar to the bitmasks that are used with normal access lists. Prefix/mask bits corresponding to wildcard bits set to 1 are ignored during comparisons and prefix/mask bits corresponding to wildcard bits set to 0 are used in comparison.

    In the following example, permit 192.108.0.0 255.255.0.0 but deny any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0).

    access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
    access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255

    In the following example, permit 131.108.0/24 but deny 131.108/16 and all other subnets of 131.108.0.0.

    access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
    access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
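    The following Python is an added example, not part of the original reference and not Cisco code. It parses the mail-host access list 102 shown in the examples above, plus a constructed variant that prepends the deny pair the fragments guidance describes (one deny carrying Layer 4 information for the initial fragment, one with the fragments keyword for the rest), and evaluates constructed sample packets under the rules given in the usage guidelines: first match wins, implicit deny at the end, established matching only when ACK or RST is set, and the fragments table for noninitial fragments. The parser, the port and ICMP name tables, the packet layout, the sample packets and the function names are all the example's own; it understands only the keyword subset used here (ip, tcp, udp, icmp; any, host and wildcard pairs; eq; established; fragments).

```python
import ipaddress

PORT_NAMES, ICMP_NAMES = {"smtp": 25, "domain": 53, "telnet": 23}, {"echo": 8, "echo-reply": 0}
PROTO_NUMBERS = {"tcp": 6, "udp": 17, "icmp": 1}   # the keyword ip matches any protocol

def wildcard_match(address, base, wildcard):
    """IOS wildcard-mask test: wildcard bit 0 = must match, bit 1 = ignored."""
    a, b, w = (int(ipaddress.IPv4Address(x)) for x in (address, base, wildcard))
    return (a & ~w) == (b & ~w)

def _addr_spec(tokens):   # consume `any` | `host A` | `A W`; return (base, wildcard, rest)
    if tokens[0] == "any":
        return "0.0.0.0", "255.255.255.255", tokens[1:]
    if tokens[0] == "host":
        return tokens[1], "0.0.0.0", tokens[2:]
    return tokens[0], tokens[1], tokens[2:]

def _port_spec(tokens):   # consume an optional `eq port` (lt/gt/neq/range omitted); return (port, rest)
    if tokens and tokens[0] == "eq":
        return (PORT_NAMES[tokens[1]] if tokens[1] in PORT_NAMES else int(tokens[1])), tokens[2:]
    return None, tokens

def parse_extended_acl(config):
    """Parse numbered extended access-list lines into an ordered list of entry dicts."""
    entries = []
    for raw in config.splitlines():
        t = raw.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        e, rest, l4 = {"action": t[2], "proto": t[3], "icmp": None}, t[4:], t[3] in ("tcp", "udp")
        e["src"], e["swild"], rest = _addr_spec(rest)
        e["sport"], rest = _port_spec(rest) if l4 else (None, rest)
        e["dst"], e["dwild"], rest = _addr_spec(rest)
        e["dport"], rest = _port_spec(rest) if l4 else (None, rest)
        if e["proto"] == "icmp" and rest and rest[0] in ICMP_NAMES:
            e["icmp"] = ICMP_NAMES[rest.pop(0)]
        e["established"], e["fragments"] = "established" in rest, "fragments" in rest
        e["layer4"] = e["established"] or any(e[k] is not None for k in ("sport", "dport", "icmp"))
        if e["fragments"] and e["layer4"]:   # IOS rejects this combination
            raise ValueError("fragments keyword cannot carry Layer 4 information: " + raw)
        entries.append(e)
    return entries

def _layer3_match(e, pkt):
    return ((e["proto"] == "ip" or PROTO_NUMBERS[e["proto"]] == pkt["proto"])
            and wildcard_match(pkt["src"], e["src"], e["swild"])
            and wildcard_match(pkt["dst"], e["dst"], e["dwild"]))

def _layer4_match(e, pkt):
    for key in ("sport", "dport"):
        if e[key] is not None and pkt[key] != e[key]:
            return False
    if e["icmp"] is not None and pkt["icmp_type"] != e["icmp"]:
        return False
    # established matches only when ACK or RST is set; a bare SYN (a new connection) does not
    return not e["established"] or bool(pkt["flags"] & {"ACK", "RST"})

def evaluate(entries, pkt):
    """(action, index) of the deciding entry; ("deny", None) is the implicit deny."""
    noninitial = pkt["frag"] == "noninitial"
    for i, e in enumerate(entries):
        if not _layer3_match(e, pkt):
            continue
        if e["fragments"]:                       # applies only to noninitial fragments
            if noninitial:
                return e["action"], i
            continue
        if not noninitial:                       # whole packet or initial fragment
            if _layer4_match(e, pkt):
                return e["action"], i
            continue
        # noninitial fragment: only Layer 3 applies; a permit or a Layer-3-only deny
        # decides, while a deny carrying Layer 4 information falls through to the next entry
        if e["action"] == "permit" or not e["layer4"]:
            return e["action"], i
    return "deny", None

def packet(src, dst, proto, sport=None, dport=None, flags=(), frag="none", icmp_type=None):
    return {"src": src, "dst": dst, "proto": proto, "sport": sport, "dport": dport,
            "flags": set(flags), "frag": frag, "icmp_type": icmp_type}

PAGE_ACL = """
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp any host 128.88.1.2 eq smtp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
"""
PAIRED_ACL = """
access-list 102 deny tcp any host 128.88.1.2 eq telnet
access-list 102 deny ip any host 128.88.1.2 fragments
""" + PAGE_ACL   # constructed: the deny pair from the usage guidelines ahead of the page's entries
SAMPLES = {   # constructed sample packets; the tail fragment carries no TCP header at all
    "smtp syn": packet("10.1.1.1", "128.88.1.2", 6, 40000, 25, flags=("SYN",)),
    "telnet syn": packet("10.1.1.1", "128.88.1.2", 6, 40001, 23, flags=("SYN",)),
    "reply ack": packet("10.1.1.1", "128.88.7.7", 6, 40002, 51000, flags=("ACK",)),
    "telnet tail": packet("10.1.1.1", "128.88.1.2", 6, frag="noninitial"),
    "ping": packet("10.1.1.1", "128.88.1.2", 1, icmp_type=8),
}

if __name__ == "__main__":
    for name, acl in (("page", PAGE_ACL), ("paired", PAIRED_ACL)):
        print(name, {k: evaluate(parse_extended_acl(acl), p) for k, p in SAMPLES.items()})
```

    The case worth studying is "telnet tail", a noninitial fragment addressed to the mail host. Against the page's list it is permitted by the established entry on Layer 3 alone, because a noninitial fragment carries no TCP header for the Layer 4 check to consult. The paired deny closes that path, at the cost the page describes: a noninitial fragment of a legitimate SMTP stream is indistinguishable from "telnet tail" and is denied the same way, so the pair belongs only in front of hosts where that trade-off is acceptable.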

    Related Commands

    Command Description

    access-class   Restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list.

    access-list (IP standard)   Defines a standard IP access list.

    clear access-template   Clears a temporary access list entry from a dynamic access list manually.

    distribute-list in (IP)   Filters networks received in updates.

    distribute-list out (IP)   Suppresses networks from being advertised in updates.

    ip access-group Controls access to an interface.

    ip access-list Defines an IP access list by name.


    ip accounting Enables IP accounting on an interface.

    logging console Limits messages logged to the console based on severity.

    show access-lists

    Displays the contents of current IP and rate-limit accesslists.

    show ip access-list

    Displays the contents of all current IP access lists.

    access-list (IP standard)

    To define a standard IP access list, use the standard version of the access-list global configuration command. To remove a standard access list, use the no form of this command.

    access-list access-list-number {deny | permit} source [source-wildcard] [log]

    no access-list access-list-number

    Caution: Enhancements to this command are backward compatible; migrating from releases prior to Release 10.3 will convert your access lists automatically. However, releases prior to Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 10.3, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images.

    Syntax Description

    access-list-number
        Number of an access list. This is a decimal number from 1 to 99 or from 1300 to 1999.

    deny
        Denies access if the conditions are matched.

    permit
        Permits access if the conditions are matched.

    source
        Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:
        - Use a 32-bit quantity in four-part, dotted-decimal format.
        - Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

    source-wildcard
        (Optional) Wildcard bits to be applied to source. Each wildcard bit set to zero indicates that the corresponding bit position in the packet's IP address must exactly match the bit value in the corresponding bit position in the source. Each wildcard bit set to one indicates that both a zero bit and a one bit in the corresponding position of the packet's IP address will be considered a match to this access list entry.
        There are two alternative ways to specify the source wildcard:
        - Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. For example, 0.0.255.255 to require an exact match of only the first 16 bits of the source.
        - Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
        Wildcard bits set to one do not need to be contiguous in the source-wildcard. For example, a source-wildcard of 0.255.0.64 would be valid.

    log
        (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
        The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
        The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

    Defaults

    The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.

    Command Modes

    Global configuration

    Command History

    Release Modification

    10.3 This command was introduced.

    11.3(3)T The log keyword was added.


    Usage Guidelines

    Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.

    You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict the contents of routing updates.

    Use the show access-lists EXEC command to display the contents of all access lists.

    Use the show ip access-list EXEC command to display the contents of one access list.

    Examples

    The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.

    access-list 1 permit 192.5.34.0 0.0.0.255
    access-list 1 permit 128.88.0.0 0.0.255.255
    access-list 1 permit 36.0.0.0 0.255.255.255
    ! (Note: all other access implicitly denied)

    The following example of a standard access list allows access for devices with IP addresses in the range 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected.

    access-list 1 permit 10.29.2.64 0.0.0.63
    ! (Note: all other access implicitly denied)

    To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:

    access-list 2 permit 36.48.0.3
    access-list 2 permit 36.48.0.3 0.0.0.0
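    The matching rules this entry describes (wildcard bits that need not be contiguous, an omitted wildcard meaning 0.0.0.0, first-match ordering, the implicit deny at the end of every list, and the per-line match counters that show access-lists reports and clear access-list counters resets) can be checked against a small model. The following Python is an added example written for this page, not Cisco code; the configuration text and the source addresses it evaluates are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass, field


def to_int(dotted: str) -> int:
    """Dotted-decimal IPv4 text to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """Wildcard bits set to one are ignored; every other bit must match exactly.
    The ones need not be contiguous (0.255.0.64 is a valid wildcard)."""
    care = ~to_int(wildcard) & 0xFFFFFFFF
    return (to_int(addr) & care) == (to_int(base) & care)


@dataclass
class Entry:
    action: str                 # "permit" or "deny"
    source: str
    wildcard: str = "0.0.0.0"   # omitted wildcard means an exact host match
    matches: int = 0            # per-line counter, as shown by "show access-lists"


@dataclass
class StandardAcl:
    number: int
    entries: list = field(default_factory=list)

    @classmethod
    def parse(cls, config: str) -> "StandardAcl":
        """Parse 'access-list N {permit|deny} source [wildcard]' lines.
        Text after '!' is a comment, as in the page's own examples."""
        acl = None
        for raw in config.splitlines():
            line = raw.split("!")[0].strip()
            if not line:
                continue
            parts = line.split()
            if parts[0] != "access-list" or len(parts) < 4 or parts[2] not in ("permit", "deny"):
                raise ValueError(f"not a standard access-list line: {raw!r}")
            number, action, source = int(parts[1]), parts[2], parts[3]
            if not 1 <= number <= 99 and not 1300 <= number <= 1999:
                raise ValueError(f"{number} is not a standard access-list number")
            if source == "any":
                source, wildcard = "0.0.0.0", "255.255.255.255"
            else:
                wildcard = parts[4] if len(parts) > 4 else "0.0.0.0"
            if acl is None:
                acl = cls(number)
            elif acl.number != number:
                raise ValueError("configuration mixes access-list numbers")
            acl.entries.append(Entry(action, source, wildcard))
        if acl is None:
            raise ValueError("no access-list lines found")
        return acl

    def evaluate(self, src_addr: str) -> str:
        """Entries are tested in order and the first match decides; a packet that
        matches nothing hits the implicit deny that terminates every list."""
        for e in self.entries:
            if wildcard_match(src_addr, e.source, e.wildcard):
                e.matches += 1
                return e.action
        return "deny"

    def counters(self) -> list:
        return [e.matches for e in self.entries]

    def clear_counters(self) -> None:
        """What 'clear access-list counters <number>' does on the router."""
        for e in self.entries:
            e.matches = 0


# Constructed sample configuration (not from a real device): the page's
# 10.29.2.64 0.0.0.63 range, a host entry without a wildcard, and an entry
# with a non-contiguous wildcard.
SAMPLE_CONFIG = """
access-list 1 permit 10.29.2.64 0.0.0.63
access-list 1 permit 36.48.0.3            ! same as 36.48.0.3 0.0.0.0
access-list 1 deny   10.0.0.0 0.255.0.64  ! octet 2 and bit 0x40 of octet 4 ignored
! (Note: all other access implicitly denied)
"""


def demo() -> dict:
    """Evaluate a handful of constructed source addresses and report the counters."""
    acl = StandardAcl.parse(SAMPLE_CONFIG)
    sources = ["10.29.2.64", "10.29.2.127", "10.29.2.128",
               "36.48.0.3", "36.48.0.4", "10.99.0.64", "10.99.0.1"]
    results = {s: acl.evaluate(s) for s in sources}
    results["counters"] = acl.counters()      # [2, 1, 1]
    acl.clear_counters()
    results["after_clear"] = acl.counters()   # [0, 0, 0]
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>12}: {value}")
```

    Note that 10.99.0.64 and 10.99.0.1 are both rejected, but for different reasons: the first hits the explicit deny line (and increments its counter), the second falls through to the implicit deny, which has no counter at all. That is why the counters in show access-lists never account for traffic dropped by the implicit deny.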

    Related Commands

    Command                     Description
    access-class                Restricts incoming and outgoing connections between a particular vty (into a Cisco device) and the addresses in an access list.
    access-list (IP extended)   Defines an extended IP access list.
    distribute-list in (IP)     Filters networks received in updates.
    distribute-list out (IP)    Suppresses networks from being advertised in updates.
    ip access-group             Controls access to an interface.
    show access-lists           Displays the contents of current IP and rate-limit access lists.
    show ip access-list         Displays the contents of all current IP access lists.

    clear access-list counters

    To clear the counters of an access list, use the clear access-list counters EXEC command.

    clear access-list counters {access-list-number | name}

    Syntax Description

    access-list-number
        Access list number of the access list for which to clear the counters.

    name
        Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.

    Command Modes

    EXEC

    Command History

    Release Modification

    11.0 This command was introduced.

    Usage Guidelines

    Some access lists keep counters that count the number of packets that pass each line of an access list. The show access-lists command displays the counters as a number of matches. Use the clear access-list counters command to restart the counters for a particular access list to 0.

    Examples

    The following example clears the counters for access list 101:

    clear access-list counters 101

    Related Commands

    Command              Description
    show access-lists    Displays the contents of current IP and rate-limit access lists.

    clear ip accounting

    To clear the active or checkpointed database when IP accounting is enabled, use the clear ip accounting EXEC command.

    clear ip accounting [checkpoint]

    Syntax Description

    checkpoint (Optional) Clears the checkpointed database.

    Command Modes

    EXEC

    Command History

    Release Modification

    10.0 This command was introduced.

    Usage Guidelines

    You can also clear the checkpointed database by issuing the clear ip accounting command twice in succession.

    Examples

    The following example clears the active database when IP accounting is enabled:

    clear ip accounting

    Related Commands

    Command                    Description
    ip accounting              Enables IP accounting on an interface.
    ip accounting-list         Defines filters to control the hosts for which IP accounting information is kept.
    ip accounting-threshold    Sets the maximum number of accounting entries to be created.
    ip accounting-transits     Controls the number of transit records that are stored in the IP accounting database.
    show ip accounting         Displays the active accounting or checkpointed database or displays access list violations.

    clear ip drp

    To clear all statistics being collected on Director Response Protocol (DRP) requests and replies, use the clear ip drp EXEC command.

    clear ip drp

    Syntax Description

    This command has no arguments or keywords.

    Command Modes

    EXEC

    Command History

    Release Modification

    11.2F This command was introduced.

    Examples

    The following example clears all DRP statistics:

    clear ip drp

    Related Commands

    Command                           Description
    ip drp access-group               Controls the sources of DRP queries to the DRP Server Agent.
    ip drp authentication key-chain   Configures authentication on the DRP Server Agent for DistributedDirector.

    clear tcp statistics

    To clear TCP statistics, use the clear tcp statistics EXEC command.

    clear tcp statistics

    Syntax Description

    This command has no arguments or keywords.

    Command Modes

    Privileged EXEC

    Command History

    Release Modification

    11.3 This command was introduced.

    Examples

    The following example clears all TCP statistics:

    clear tcp statistics

    Related Commands

    Command Description

    show tcp statistics Displays TCP statistics.

    deny (IP)

    To set conditions for a named IP access list, use the deny access-list configuration command. To remove a deny condition from an access list, use the no form of this command.

    deny {source [source-wildcard] | any} [log]

    no deny {source [source-wildcard] | any}

    deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [fragments]

    no deny protocol source source-wildcard destination destination-wildcard

    ICMP

    deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [fragments]

    IGMP

    deny igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [fragments]

    TCP

    deny tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log] [fragments]

    UDP

    deny udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log] [fragments]

    Syntax Description

    source
        Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:
        - Use a 32-bit quantity in four-part, dotted-decimal format.
        - Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

    source-wildcard
        (Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:
        - Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
        - Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

    protocol
        Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.

    source
        Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
        - Use a 32-bit quantity in four-part, dotted-decimal format.
        - Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
        - Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

    source-wildcard
        Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:
        - Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
        - Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
        - Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

    destination
        Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
        - Use a 32-bit quantity in four-part, dotted-decimal format.
        - Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
        - Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

    destination-wildcard
        Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
        - Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
        - Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
        - Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

    precedence precedence
        (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."

    tos tos
        (Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the "Usage Guidelines" section of the access-list (IP extended) command.

    icmp-type
        (Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

    icmp-code
        (Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

    icmp-message
        (Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the "Usage Guidelines" section of the access-list (IP extended) command.

    igmp-type
        (Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (IP extended) command.

    operator
        (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
        If the operator is positioned after the source and source-wildcard, it must match the source port.
        If the operator is positioned after the destination and destination-wildcard, it must match the destination port.
        The range operator requires two port numbers. All other operators require one port number.

    port
        (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

    established
        (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

    log
        (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
        The message for a standard list includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets.
        The message for an extended list includes the access list number; whether the packet was permitted or denied; the protocol; whether it was TCP, UDP, ICMP, or a number; and, if appropriate, the source and destination addresses and source and destination port numbers.
        For both standard and extended lists, the message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
        The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.

    fragments
        (Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly.
        For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.

    Defaults

    There is no specific condition under which a packet is denied passing the named access list.

    Command Modes

    Access-list configuration

    Command History

    Release Modification

    11.2 This command was introduced.

    11.3(3)T The log keyword for a standard access was added.

    12.0(11) The fragments keyword was added.

    Usage Guidelines

    Use this command following the ip access-list command to specify conditions under which a packet cannot pass the named access list.
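    The extended syntax described above (a protocol keyword, the any and host abbreviations, port operators placed after the source or after the destination, and the TCP-only established keyword that matches on ACK or RST) is modelled in the following Python. It is an added example for this page, not Cisco code: the protocol-number table covers only a subset of the keywords the page lists, precedence, tos, log and fragments are not modelled, and the named-list entries and packets are constructed for the example.

```python
import ipaddress
from dataclasses import dataclass

PROTO_NUMBERS = {"icmp": 1, "igmp": 2, "tcp": 6, "udp": 17, "gre": 47}  # subset of the page's keywords
OPERATORS = {"lt", "gt", "eq", "neq", "range"}

def wildcard_match(addr, base, wildcard):
    # Wildcard bits set to one are ignored; every other bit must match exactly.
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (int(ipaddress.IPv4Address(base)) & care)

def port_match(port, cond):
    # cond is None (no operator: any port) or (operator, port1, port2); range is inclusive.
    if cond is None:
        return True
    op, p1, p2 = cond
    return {"lt": port < p1, "gt": port > p1, "eq": port == p1, "neq": port != p1, "range": p1 <= port <= p2}[op]

@dataclass
class Packet:
    proto: int
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    ack: bool = False  # TCP flags, meaningful only when proto == 6
    rst: bool = False

@dataclass
class Entry:
    action: str
    proto: str  # a PROTO_NUMBERS keyword, or "ip" for any protocol
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    sport: tuple = None
    dport: tuple = None
    established: bool = False

    def matches(self, pkt):
        if self.proto != "ip" and PROTO_NUMBERS[self.proto] != pkt.proto:
            return False
        if not (wildcard_match(pkt.src, self.src, self.src_wc) and wildcard_match(pkt.dst, self.dst, self.dst_wc)):
            return False
        if not (port_match(pkt.sport, self.sport) and port_match(pkt.dport, self.dport)):
            return False
        # established: ACK or RST must be set, so the initial SYN of a new connection never matches
        return not self.established or pkt.ack or pkt.rst

def _address(t, i):
    # Consume 'any', 'host A' or 'A WILDCARD' at t[i]; return (addr, wildcard, next index).
    if t[i] == "any":
        return "0.0.0.0", "255.255.255.255", i + 1
    if t[i] == "host":
        return t[i + 1], "0.0.0.0", i + 2
    return t[i], t[i + 1], i + 2

def _ports(t, i):
    # Consume an optional 'operator port [port]' at t[i]; range takes two ports, the rest one.
    if i >= len(t) or t[i] not in OPERATORS:
        return None, i
    op, p1 = t[i], int(t[i + 1])
    return ((op, p1, int(t[i + 2])), i + 3) if op == "range" else ((op, p1, p1), i + 2)

def parse_entry(line):
    """Parse '{permit|deny} proto src [op port [port]] dst [op port [port]] [established]'."""
    t = line.split()
    src, src_wc, i = _address(t, 2)
    sport, i = _ports(t, i)
    dst, dst_wc, i = _address(t, i)
    dport, i = _ports(t, i)
    established = "established" in t[i:]
    if established and t[1] != "tcp":
        raise ValueError("established is valid for the TCP protocol only")
    return Entry(t[0], t[1], src, src_wc, dst, dst_wc, sport, dport, established)

def evaluate(entries, pkt):
    # Entries are tested in order; the first match decides; no match is the implicit deny.
    for e in entries:
        if e.matches(pkt):
            return e.action
    return "deny"

# Constructed entries for a named list applied inbound on an Internet-facing interface.
SAMPLE_ENTRIES = [parse_entry(s) for s in (
    "permit tcp any 10.1.1.0 0.0.0.255 established",    # replies to sessions opened from inside
    "permit tcp any host 10.1.1.25 eq 25",              # new connections only to the mail host
    "deny udp any any range 135 139",                   # NetBIOS ports
    "permit udp any eq 53 10.1.1.0 0.0.0.255 gt 1023",  # DNS answers to inside resolvers
)]

def demo():
    """Constructed packets, keyed by what they represent; returns the decision for each."""
    pkts = {
        "syn_to_web":   Packet(6, "192.0.2.9", "10.1.1.7", 40000, 80),
        "ack_reply":    Packet(6, "192.0.2.9", "10.1.1.7", 80, 40000, ack=True),
        "rst_reply":    Packet(6, "192.0.2.9", "10.1.1.7", 80, 40000, rst=True),
        "syn_to_mail":  Packet(6, "198.51.100.4", "10.1.1.25", 5555, 25),
        "netbios":      Packet(17, "198.51.100.4", "10.1.1.7", 1024, 137),
        "dns_answer":   Packet(17, "203.0.113.53", "10.1.1.7", 53, 50000),
        "dns_low_port": Packet(17, "203.0.113.53", "10.1.1.7", 53, 53),
    }
    return {name: evaluate(SAMPLE_ENTRIES, p) for name, p in pkts.items()}
```

    The established check is worth reading twice: it inspects flag bits only, so any segment carrying ACK or RST matches the first line regardless of whether a session actually exists. That is exactly the limitation the page's description implies ("a match occurs if the TCP datagram has the ACK or RST bits set"), and it is why established is a coarse filter rather than stateful inspection.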

    Access List Processing of Fragments

    The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows: