This chapter describes the function and displays the syntax of IP commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Network Protocols Command Reference, Part 1.
To restrict incoming and outgoing connections between a particular virtual terminal line (into a Cisco device) and the addresses in an access list, use the access-class line configuration command. To remove access restrictions, use the no form of this command.
access-class access-list-number {in | out}
access-list-number | Number of an access list. This is a decimal number from 1 to 99. |
in | Restricts incoming connections between a particular Cisco device and the addresses in the access list. |
out | Restricts outgoing connections between a particular Cisco device and the addresses in the access list. |
To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access lists, use the no form of this command.
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
For ICMP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
For IGMP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
For TCP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
For UDP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
access-list-number | Number of an access list. This is a decimal number from 100 to 199. |
dynamic dynamic-name | (Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Managing the System" chapter in the Configuration Fundamentals Configuration Guide. |
timeout minutes | (Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Managing the System" chapter in the Configuration Fundamentals Configuration Guide. |
deny | Denies access if the conditions are matched. |
permit | Permits access if the conditions are matched. |
protocol | Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip. Some protocols allow further qualifiers described below. |
source | Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
|
source-wildcard | Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:
|
destination | Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
|
destination-wildcard | Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
|
precedence precedence | (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name. |
tos tos | (Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines." |
icmp-type | (Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255. |
icmp-code | (Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255. |
icmp-message | (Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. |
igmp-type | (Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. |
operator | (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number. |
port | (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP. |
established | (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection. |
log | (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. |
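How the source-wildcard, operator/port and established arguments above combine when one packet is tested against an extended list, as an added Python sketch that is not part of the Cisco reference and is not IOS code. The `Entry` and `Packet` classes, the function names and the 192.0.2.0/24 sample list are constructed for illustration; first-match ordering and the implicit final deny are IOS behaviour assumed here rather than stated on this page.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

TCP_SYN, TCP_RST, TCP_ACK = 0x02, 0x04, 0x10  # TCP header flag bits


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """A 1 bit in the wildcard means 'ignore this bit'; a 0 bit must match."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (int(ipaddress.IPv4Address(addr)) & care) == (
        int(ipaddress.IPv4Address(base)) & care)


def port_match(op: Optional[str], operands: Tuple[int, ...], port: int) -> bool:
    """Apply lt, gt, eq, neq or range; range takes two ports, the rest one."""
    if op is None:
        return True
    if op == "range":
        low, high = operands
        return low <= port <= high  # inclusive range
    (value,) = operands
    if op == "lt":
        return port < value
    if op == "gt":
        return port > value
    if op == "eq":
        return port == value
    if op == "neq":
        return port != value
    raise ValueError(f"unknown operator: {op}")


@dataclass
class Entry:                         # hypothetical model of one access-list line
    action: str                      # "permit" or "deny"
    protocol: str                    # "ip", "tcp" or "udp" in this sketch
    src: str
    src_wc: str
    dst: str
    dst_wc: str
    src_op: Optional[str] = None     # operator after source/source-wildcard
    src_ports: Tuple[int, ...] = ()
    dst_op: Optional[str] = None     # operator after destination/destination-wildcard
    dst_ports: Tuple[int, ...] = ()
    established: bool = False


@dataclass
class Packet:
    protocol: str
    src: str
    dst: str
    sport: int = 0
    dport: int = 0
    tcp_flags: int = 0


def entry_matches(e: Entry, p: Packet) -> bool:
    if e.protocol != "ip" and e.protocol != p.protocol:
        return False
    if not (wildcard_match(p.src, e.src, e.src_wc)
            and wildcard_match(p.dst, e.dst, e.dst_wc)):
        return False
    if e.protocol in ("tcp", "udp"):
        if not port_match(e.src_op, e.src_ports, p.sport):
            return False
        if not port_match(e.dst_op, e.dst_ports, p.dport):
            return False
    if e.established:
        # Per-packet flag test (ACK or RST set); no connection state is kept.
        return p.protocol == "tcp" and bool(p.tcp_flags & (TCP_ACK | TCP_RST))
    return True


def evaluate(acl: Sequence[Entry], p: Packet) -> str:
    """First matching entry decides; a list ends with an implicit deny
    (IOS behaviour assumed here, not stated in the reference text)."""
    for e in acl:
        if entry_matches(e, p):
            return e.action
    return "deny"


ANY = ("0.0.0.0", "255.255.255.255")  # wildcard of all ones ignores every bit
# Constructed sample list protecting the documentation network 192.0.2.0/24.
SAMPLE_ACL = [
    Entry("permit", "tcp", *ANY, "192.0.2.0", "0.0.0.255", established=True),
    Entry("permit", "tcp", *ANY, "192.0.2.25", "0.0.0.0",
          dst_op="eq", dst_ports=(25,)),
    Entry("deny", "udp", *ANY, "192.0.2.0", "0.0.0.255",
          dst_op="range", dst_ports=(137, 139)),
    Entry("permit", "udp", *ANY, "192.0.2.0", "0.0.0.255",
          dst_op="gt", dst_ports=(1023,)),
]
```

Because established is a flag test on each datagram, it separates connection-opening segments from the rest but does not verify that a connection exists; when reviewing a list, treat it as a coarse filter rather than as stateful inspection.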
To define a standard IP access list, use the standard version of the access-list global configuration command. To remove a standard access list, use the no form of this command.
access-list access-list-number {deny | permit} source [source-wildcard]
access-list-number | Number of an access list. This is a decimal number from 1 to 99. |
deny | Denies access if the conditions are matched. |
permit | Permits access if the conditions are matched. |
source | Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:
|
source-wildcard | (Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:
|
To add a permanent entry in the ARP cache, use the arp global configuration command. To remove an entry from the ARP cache, use the no form of this command.
arp ip-address hardware-address type [alias]
ip-address | IP address in four-part dotted-decimal format corresponding to the local data link address. |
hardware-address | Local data link address (a 48-bit address). |
type | Encapsulation description. For Ethernet interfaces, this is typically the arpa keyword. For FDDI and Token Ring interfaces, this is always snap. |
alias | (Optional) Indicates that the Cisco IOS software should respond to ARP requests as if it were the owner of the specified address. |
To control the interface-specific handling of IP address resolution into 48-bit Ethernet, FDDI, and Token Ring hardware addresses, use the arp interface configuration command. To disable an encapsulation type, use the no form of this command.
arp {arpa | probe | snap}
arpa | Standard Ethernet-style ARP (RFC 826). |
probe | HP Probe protocol for IEEE-802.3 networks. |
snap | ARP packets conforming to RFC 1042. |
To configure how long an entry remains in the ARP cache, use the arp timeout interface configuration command. To restore the default value, use the no form of this command.
arp timeout seconds
seconds | Time, in seconds, that an entry remains in the ARP cache. A value of zero means that entries are never cleared from the cache. |
To clear the counters of an access list, use the clear access-list counters EXEC command.
clear access-list counters {access-list-number | name}
access-list-number | Access list number from 0 to 1199 for which to clear the counters. |
name | Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists. |
To delete all dynamic entries from the ARP cache, to clear the fast-switching cache, and to clear the IP route cache, use the clear arp-cache EXEC command.
clear arp-cache
To delete entries from the host-name-and-address cache, use the clear host EXEC command.
clear host {name | *}
name | Particular host entry to remove. |
* | Removes all entries. |
To clear the active or checkpointed database when IP accounting is enabled, use the clear ip accounting EXEC command.
clear ip accounting [checkpoint]
checkpoint | (Optional) Clears the checkpointed database. |
To clear dynamic Network Address Translation (NAT) translations from the translation table, use the clear ip nat translation EXEC command.
clear ip nat translation {* | [inside global-ip local-ip][outside local-ip global-ip]}
* | Clears all dynamic translations. |
inside global-ip | When used without the arguments protocol, global-port, and local-port, clears a simple translation that also contains the specified local-ip address. When used with the arguments protocol, global-port, and local-port, clears an extended translation. |
local-ip | (Optional) Clears an entry that contains this local IP address and the specified global-ip address. |
protocol | (Optional) Clears an entry that contains this protocol and the specified global-ip address, local-ip address, global-port, and local-port. |
global-port | (Optional) Clears an entry that contains this global-port and the specified protocol, global-ip address, local-ip address, and local-port. |
local-port | (Optional) Clears an entry that contains this local-port and the specified protocol, global-ip address, local-ip address, and global-port. |
To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, use the clear ip nhrp EXEC command.
clear ip nhrp
To delete routes from the IP routing table, use the clear ip route EXEC command.
clear ip route {network [mask] | *}
network | Network or subnet address to remove. |
mask | (Optional) Subnet address to remove. |
* | Removes all routing table entries. |
To have the Route Processor recompute the SSE program for IP on the Cisco 7000 series, use the clear ip sse privileged EXEC command.
clear ip sse
To reinitialize the Route Processor on the Cisco 7000 series, use the clear sse EXEC command.
clear sse
To set conditions for a named IP access list, use the deny access-list configuration command. To remove a deny condition from an access list, use the no form of this command.
deny source [source-wildcard]
For ICMP, you can also use the following syntax:
deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] |
For IGMP, you can also use the following syntax:
deny igmp source source-wildcard destination destination-wildcard [igmp-type]
For TCP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit}
For UDP, you can also use the following syntax:
deny udp source source-wildcard [operator port [port]] destination destination-wildcard
source | Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:
|
source-wildcard | (Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:
|
protocol | Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip. Some protocols allow further qualifiers described below. |
source | Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
|
source-wildcard | Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:
|
destination | Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
|
destination-wildcard | Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
|
precedence precedence | (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name. |
tos tos | (Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name. |
icmp-type | (Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255. |
icmp-code | (Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255. |
icmp-message | (Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. |
igmp-type | (Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. |
operator | (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number. |
port | (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65,535. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP. |
established | (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection. |
log | (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. |
To set the retransmit count used by the DNSIX Message Delivery Protocol (DMDP), use the dnsix-dmdp retries global configuration command. To restore the default number of retries, use the no form of this command.
dnsix-dmdp retries count
count | Number of times DMDP will retransmit a message. It can be a decimal integer from 0 to 200. The default is 4 retries, or until acknowledged. |
To specify the address of a collection center that is authorized to change the primary and secondary addresses of the host to receive audit messages, use the dnsix-nat authorized-redirection global configuration command. To delete an address, use the no form of this command.
dnsix-nat authorized-redirection ip-address
ip-address | IP address of the host from which redirection requests are permitted. |
To specify the IP address of the host to which DNSIX audit messages are sent, use the dnsix-nat primary global configuration command. To delete an entry, use the no form of this command.
dnsix-nat primary ip-address
ip-address | IP address for the primary collection center. |
To specify an alternate IP address for the host to which DNSIX audit messages are sent, use the dnsix-nat secondary global configuration command. To delete an entry, use the no form of this command.
dnsix-nat secondary ip-address
ip-address | IP address for the secondary collection center. |
To start the audit-writing module and to define audit trail source address, use the dnsix-nat source global configuration command. To disable the DNSIX audit trail writing module, use the no form of this command.
dnsix-nat source ip-address
ip-address | Source IP address for DNSIX audit messages. |
To have the audit writing module collect multiple audit messages in the buffer before sending the messages to a collection center, use the dnsix-nat transmit-count global configuration command. To revert to the default audit message count, use the no form of this command.
dnsix-nat transmit-count count
count | Number of audit messages to buffer before transmitting to the server. Integer from 1 to 200. |
To define a named, dynamic, IP access list, use the dynamic access-list configuration command. To remove the access lists, use the no form of this command.
dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard
For ICMP, you can also use the following syntax:
dynamic dynamic-name [timeout minutes] {deny | permit} icmp source source-wildcard
For IGMP, you can also use the following syntax:
dynamic dynamic-name [timeout minutes] {deny | permit} igmp source source-wildcard
For TCP, you can also use the following syntax:
dynamic dynamic-name [timeout minutes] {deny | permit} tcp source source-wildcard
For UDP, you can also use the following syntax:
dynamic dynamic-name [timeout minutes] {deny | permit} udp source source-wildcard
dynamic-name | Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Traffic Filters" chapter in the Security Configuration Guide. |
timeout minutes | (Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Traffic Filters" chapter in the Security Configuration Guide. |
deny | Denies access if the conditions are matched. |
permit | Permits access if the conditions are matched. |
protocol | Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip. Some protocols allow further qualifiers described below. |
source | Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
|
source-wildcard | Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:
|
destination | Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
|
destination-wildcard | Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
|
precedence precedence | (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name. |
tos tos | (Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name. |
icmp-type | (Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255. |
icmp-code | (Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255. |
icmp-message | (Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. |
igmp-type | (Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. |
operator | (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number. |
port | (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP. |
established | (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection. |
log | (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. |
To control access to an interface, use the ip access-group interface configuration command. To remove the specified access group, use the no form of this command.
ip access-group {access-list-number | name} {in | out}
access-list-number | Number of an access list. This is a decimal number from 1 to 199. |
name | Name of an IP access list as specified by an ip access-list command. |
in | Filters on inbound packets. |
out | Filters on outbound packets. |
To define an IP access list by name, use the ip access-list global configuration command. To remove a named IP access list, use the no form of this command.
ip access-list {standard | extended} name
standard | Specifies a standard IP access list. |
extended | Specifies an extended IP access list. |
name | Name of the access list. Names cannot contain a space or quotation mark and must begin with an alphabetic character to prevent ambiguity with numbered access lists. |
To enable IP accounting on an interface, use the ip accounting interface configuration command. To disable IP accounting, use the no form of this command.
ip accounting [access-violations]
access-violations | (Optional) Enables IP accounting with the ability to identify IP traffic that fails IP access lists. |
To define filters to control the hosts for which IP accounting information is kept, use the ip accounting-list global configuration command. To remove a filter definition, use the no form of this command.
ip accounting-list ip-address wildcard
ip-address | IP address in dotted-decimal format. |
wildcard | Wildcard bits to be applied to ip-address. |
To set the maximum number of accounting entries to be created, use the ip accounting-threshold global configuration command. To restore the default number of entries, use the no form of this command.
ip accounting-threshold threshold
threshold | Maximum number of entries (source and destination address pairs) that the Cisco IOS software accumulates. |
To control the number of transit records that are stored in the IP accounting database, use the ip accounting-transits global configuration command. To return to the default number of records, use the no form of this command.
ip accounting-transits count
count | Number of transit records to store in the IP accounting database. |
To set a primary or secondary IP address for an interface, use the ip address interface configuration command. To remove an IP address or disable IP processing, use the no form of this command.
ip address ip-address mask [secondary]
ip-address | IP address. |
mask | Mask for the associated IP subnet. |
secondary | (Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address. |
To define a broadcast address for an interface, use the ip broadcast-address interface configuration command. To restore the default IP broadcast address, use the no form of this command.
ip broadcast-address [ip-address]
ip-address | (Optional) IP broadcast address for a network. |
To control the invalidation rate of the IP route cache, use the ip cache-invalidate-delay global configuration command. To allow the IP route cache to be immediately invalidated, use the no form of this command.
ip cache-invalidate-delay [minimum maximum quiet threshold]
minimum | (Optional) Minimum time, in seconds, between invalidation request and actual invalidation. The default is 2 seconds. |
maximum | (Optional) Maximum time, in seconds, between invalidation request and actual invalidation. The default is 5 seconds. |
quiet | (Optional) Length of quiet period, in seconds, before invalidation. |
threshold | (Optional) Maximum number of invalidation requests considered to be quiet. |
At times the router might receive packets destined for a subnet of a network that has no network default route. To have the Cisco IOS software forward such packets to the best supernet route possible, use the ip classless global configuration command. To disable this feature, use the no form of this command.
ip classless
To define a default gateway (router) when IP routing is disabled, use the ip default-gateway global configuration command. To disable this function, use the no form of this command.
ip default-gateway ip-address
ip-address | IP address of the router. |
To enable the translation of directed broadcast to physical broadcasts, use the ip directed-broadcast interface configuration command. To disable this function, use the no form of this command.
ip directed-broadcast [access-list-number]
access-list-number | (Optional) Number of the access list. If specified, a broadcast must pass the access list to be forwarded. If not specified, all broadcasts are forwarded. |
To define a list of default domain names to complete unqualified host names, use the ip domain-list global configuration command. To delete a name from a list, use the no form of this command.
ip domain-list name
name | Domain name. Do not include the initial period that separates an unqualified name from the domain name. |
To enable the IP Domain Name System-based host name-to-address translation, use the ip domain-lookup global configuration command. To disable the Domain Name System, use the no form of this command.
ip domain-lookup
To allow Domain Name System queries for CLNS addresses, use the ip domain-lookup nsap global configuration command. To disable this feature, use the no form of this command.
ip domain-lookup nsap
To define a default domain name that the Cisco IOS software uses to complete unqualified host names (names without a dotted-decimal domain name), use the ip domain-name global configuration command. To disable use of the Domain Name System, use the no form of this command.
ip domain-name name
name | Default domain name used to complete unqualified host names. Do not include the initial period that separates an unqualified name from the domain name. |
To allow the exporting of information in NetFlow cache entries, use the ip flow-export global configuration command. To disable the exporting of information, use the no form of this command.
ip flow-export ip-address udp-port
ip-address | IP address of the workstation to which you want to send the NetFlow information. |
udp-port | UDP protocol-specific port number. |
To specify which protocols and ports the router forwards when forwarding broadcast packets, use the ip forward-protocol global configuration command. To remove a protocol or port, use the no form of this command.
ip forward-protocol {udp [port] | nd | sdns}
udp | Forward User Datagram Protocol (UDP) datagrams. |
port | (Optional) Destination port that controls which UDP services are forwarded. |
nd | Forward Network Disk (ND) datagrams. This protocol is used by older diskless Sun workstations. |
sdns | Secure Data Network Service. |
To forward any broadcasts including local subnet broadcasts, use the ip forward-protocol any-local-broadcast global configuration command. To disable this type of forwarding, use the no form of this command.
ip forward-protocol any-local-broadcast
To permit IP broadcasts to be flooded throughout the internetwork in a controlled fashion, use the ip forward-protocol spanning-tree global configuration command. To disable the flooding of IP broadcasts, use the no form of this command.
ip forward-protocol spanning-tree
To speed up flooding of User Datagram Protocol (UDP) datagrams using the spanning-tree algorithm, use the ip forward-protocol turbo-flood global configuration command. To disable this feature, use the no form of this command.
ip forward-protocol turbo-flood
To configure the router discovery feature using the Cisco Gateway Discovery Protocol (GDP) routing protocol, use the ip gdp gdp interface configuration command. To disable this feature, use the no form of this command.
ip gdp gdp
To configure the router discovery feature using the Cisco Interior Gateway Routing Protocol (IGRP), use the ip gdp igrp interface configuration command. To disable this feature, use the no form of this command.
ip gdp igrp
To configure the router discovery feature using the ICMP Router Discovery Protocol (IRDP), use the ip gdp irdp interface configuration command. To disable this feature, use the no form of this command.
ip gdp irdp
To configure the router discovery feature using the Routing Information Protocol (RIP), use the ip gdp rip interface configuration command. To disable this feature, use the no form of this command.
ip gdp rip
To have the Cisco IOS software forward User Datagram Protocol (UDP) broadcasts, including BOOTP, received on an interface, use the ip helper-address interface configuration command. To disable the forwarding of broadcast packets to specific addresses, use the no form of this command.
ip helper-address address
address | Destination broadcast or host address to be used when forwarding UDP broadcasts. There can be more than one helper address per interface. |
To define a static host name-to-address mapping in the host cache, use the ip host global configuration command. To remove the name-to-address mapping, use the no form of this command.
ip host name [tcp-port-number] address1 [address2...address8]
name | Name of the host. The first character can be either a letter or a number, but if you use a number, the operations you can perform are limited. |
tcp-port-number | (Optional) TCP port number to connect to when using the defined host name in conjunction with an EXEC connect or telnet command. The default is Telnet (port 23). |
address1 | Associated IP address. |
address2...address8 | (Optional) Additional associated IP address. You can bind up to eight addresses to a host name. |
To enter into the host table the host name of an HP host to be used for HP Probe Proxy service, use the ip hp-host global configuration command. To remove a host name, use the no form of this command.
ip hp-host hostname ip-address
hostname | Name of the host. |
ip-address | IP address of the host. |
To have the Cisco IOS software respond to Internet Control Message Protocol (ICMP) mask requests by sending ICMP Mask Reply messages, use the ip mask-reply interface configuration command. To disable this function, use the no form of this command.
ip mask-reply
To enable local-area mobility, use the ip mobile arp interface configuration command. To disable local-area mobility, use the no form of this command.
ip mobile arp [timers keepalive hold-time] [access-group access-list-number | name]
timers | (Optional) Indicates that you are setting local-area mobility timers. |
keepalive | (Optional) Frequency, in seconds, at which the Cisco IOS software sends unicast ARP messages to a relocated host to verify that the host is present and has not moved. The default keepalive time is 300 seconds (5 minutes). |
hold-time | (Optional) Hold time, in seconds. This is the length of time the software considers that a relocated host is present without receiving some type of ARP broadcast or unicast from the host. Normally, the hold time should be at least three times greater than the keepalive time. The default hold time is 900 seconds (15 minutes). |
access-group | (Optional) Indicates that you are applying an access list. This access list applies only to local-area mobility. |
access-list-number | (Optional) Number of a standard IP access list. It is a decimal number from 1 to 99. Only hosts with addresses permitted by this access list are accepted for local-area mobility. |
name | (Optional) Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists. |
To set the maximum transmission unit (MTU) size of IP packets sent on an interface, use the ip mtu interface configuration command. To restore the default MTU size, use the no form of this command.
ip mtu bytes
bytes | MTU in bytes. |
To specify the address of one or more name servers to use for name and address resolution, use the ip name-server global configuration command. To remove the addresses specified, use the no form of this command.
ip name-server server-address1 [[server-address2]...server-address6]
server-address1 | IP addresses of name server. |
server-address2...server-address6 | (Optional) IP addresses of additional name servers (a maximum of six name servers). |
To designate that traffic originating from or destined for the interface is subject to Network Address Translation (NAT), use the ip nat interface configuration command. To prevent the interface from being able to translate, use the no form of this command.
ip nat {inside | outside}
inside | Indicates the interface is connected to the inside network (the network subject to NAT translation). |
outside | Indicates the interface is connected to the outside network. |
To enable Network Address Translation (NAT) of the inside destination address, use the ip nat inside destination global configuration command. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.
ip nat inside destination {list {access-list-number | name} pool name | static global-ip local-ip}
list access-list-number | Standard IP access list number. Packets with destination addresses that pass the access list are translated using global addresses from the named pool. |
list name | Name of a standard IP access list. Packets with destination addresses that pass the access list are translated using global addresses from the named pool. |
pool name | Name of the pool from which global IP addresses are allocated during dynamic translation. |
static global-ip | Sets up a single static translation; this argument establishes the globally unique IP address. |
local-ip | Sets up a single static translation; this argument establishes the local IP address. |
To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source global configuration command. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.
ip nat inside source {list {access-list-number | name} pool name [overload] | static local-ip
list access-list-number | Standard IP access list number. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool. |
list name | Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool. |
pool name | Name of the pool from which global IP addresses are allocated dynamically. |
overload | (Optional) Enables the router to use one global address for many local addresses. When overloading is configured, each inside host's TCP or UDP port number distinguishes between the multiple conversations using the same local IP address. |
static local-ip | Sets up a single static translation; this argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete. |
global-ip | Sets up a single static translation; this argument establishes the globally unique IP address of an inside host as it appears to the outside world. |
To enable Network Address Translation (NAT) of the outside source address, use the ip nat outside source global configuration command. To remove the static entry or the dynamic association, use the no form of this command.
ip nat outside source {list {access-list-number | name} pool name | static global-ip local-ip}
list access-list-number | Standard IP access list number. Packets with source addresses that pass the access list are translated using global addresses from the named pool. |
list name | Name of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool. |
pool name | Name of the pool from which global IP addresses are allocated. |
static global-ip | Sets up a single static translation; this argument establishes the globally unique IP address assigned to a host on the outside network by its owner. It was allocated from globally routable network space. |
local-ip | Sets up a single static translation; this argument establishes the local IP address of an outside host as it appears to the inside world. The address was allocated from address space routable on the inside (RFC 1918, perhaps). |
To define a pool of IP addresses for Network Address Translation (NAT), use the ip nat pool global configuration command. To remove one or more addresses from the pool, use the no form of this command.
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length}
name | Name of the pool. |
start-ip | Starting IP address that defines the range of addresses in the address pool. |
end-ip | Ending IP address that defines the range of addresses in the address pool. |
netmask netmask | Network mask that indicates which address bits belong to the network and subnetwork fields and which bits belong to the host field. Specify the netmask of the network to which the pool addresses belong. |
prefix-length prefix-length | Number that indicates how many bits of the netmask are ones (how many bits of the address indicate network). Specify the netmask of the network to which the pool addresses belong. |
type rotary | (Optional) Indicates that the range of addresses in the address pool identifies real, inside hosts among which TCP load distribution will occur. |
To change the amount of time after which Network Address Translation (NAT) translations time out, use the ip nat translation global configuration command. To disable the timeout, use the no form of this command.
ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout} seconds
timeout | Specifies that the timeout value applies to dynamic translations except for overload translations. Default is 86,400 seconds (24 hours). |
udp-timeout | Specifies that the timeout value applies to the UDP port. Default is 300 seconds (5 minutes). |
dns-timeout | Specifies that the timeout value applies to connections to the Domain Naming System (DNS). Default is 60 seconds. |
tcp-timeout | Specifies that the timeout value applies to the TCP port. Default is 86,400 seconds (24 hours). |
finrst-timeout | Specifies that the timeout value applies to Finish and Reset TCP packets, which terminate a connection. Default is 60 seconds. |
seconds | Number of seconds after which the specified port translation times out. |
To specify the format in which netmasks are displayed in show command output, use the ip netmask-format line configuration command. To restore the default display format, use the no form of this command.
ip netmask-format {bitcount | decimal | hexadecimal}
bitcount | Addresses are followed by a slash and the total number of bits in the netmask. For example, 131.108.11.0/24 indicates that the netmask is 24 bits. |
decimal | Network masks are displayed in dotted decimal notation (for example, 255.255.255.0). |
hexadecimal | Network masks are displayed in hexadecimal format, as indicated by the leading 0X (for example, 0XFFFFFF00). |
To configure the authentication string for an interface using Next Hop Resolution Protocol (NHRP), use the ip nhrp authentication interface configuration command. To remove the authentication string, use the no form of this command.
ip nhrp authentication string
string | Authentication string configured for the source and destination stations that controls whether NHRP stations allow intercommunication. The string can be up to 8 characters long. |
To change the number of seconds that NHRP nonbroadcast, multiaccess (NBMA) addresses are advertised as valid in authoritative NHRP responses, use the ip nhrp holdtime interface configuration command. To restore the default value, use the no form of this command.
ip nhrp holdtime seconds-positive [seconds-negative]
seconds-positive | Time in seconds that NBMA addresses are advertised as valid in positive authoritative NHRP responses. The default is 7,200 seconds (2 hours). |
seconds-negative | (Optional) Time in seconds that NBMA addresses are advertised as valid in negative authoritative NHRP responses. The default is 7,200 seconds (2 hours). |
To control which IP packets can trigger sending a Next Hop Resolution Protocol (NHRP) Request, use the ip nhrp interest interface configuration command. To restore the default value, use the no form of this command.
ip nhrp interest access-list-number
access-list-number | Standard or extended IP access list number in the range 1 to 199. |
To statically configure the IP-to-NBMA address mapping of IP destinations connected to a nonbroadcast, multiaccess (NBMA) network, use the ip nhrp map interface configuration command. To remove the static entry from NHRP cache, use the no form of this command.
ip nhrp map ip-address nbma-address
ip-address | IP address of the destinations reachable through the NBMA network. This address is mapped to the NBMA address. |
nbma-address | Nonbroadcast, multiaccess (NBMA) address which is directly reachable through the NBMA network. The address format varies depending on the medium you are using. For example, ATM has an NSAP address, Ethernet has a MAC address, and SMDS has an E.164 address. This address is mapped to the IP address. |
To configure NBMA addresses used as destinations for broadcast or multicast packets to be sent over a tunnel network, use the ip nhrp map multicast interface configuration command. To remove the destinations, use the no form of this command.
ip nhrp map multicast nbma-address
nbma-address | Nonbroadcast, multiaccess (NBMA) address which is directly reachable through the NBMA network. The address format varies depending on the medium you are using. |
To change the maximum frequency at which NHRP packets can be sent, use the ip nhrp max-send interface configuration command. To restore this frequency to the default value, use the no form of this command.
ip nhrp max-send pkt-count every interval
pkt-count | Number of packets which can be transmitted in the range from 1 to 65535. Default is 5 packets. |
interval | Time (in seconds) in the range from 10 to 65535. Default is 10 seconds. |
To enable the Next Hop Resolution Protocol (NHRP) on an interface, use the ip nhrp network-id interface configuration command. To disable NHRP on the interface, use the no form of this command.
ip nhrp network-id number
number | Globally unique, 32-bit network identifier for a nonbroadcast, multiaccess (NBMA) network. The range is 1 to 4294967295. |
To specify the address of one or more NHRP Next Hop Servers, use the ip nhrp nhs interface configuration command. To remove the address, use the no form of this command.
ip nhrp nhs nhs-address [net-address [netmask]]
nhs-address | Address of the Next Hop Server being specified. |
net-address | (Optional) IP address of a network served by the Next Hop Server. |
netmask | (Optional) IP network mask to be associated with the net IP address. The net IP address is logically ANDed with the mask. |
To re-enable the use of forward record and reverse record options in NHRP Request and Reply packets, use the ip nhrp record interface configuration command. To suppress the use of such options, use the no form of this command.
ip nhrp record
To designate which interface's primary IP address the Next Hop Server will use in NHRP Reply packets when the NHRP requestor uses the Responder Address option, use the ip nhrp responder interface configuration command. To remove the designation, use the no form of this command.
ip nhrp responder type number
type | Interface type whose primary IP address is used when a Next Hop Server complies with a Responder Address option (for example, serial, tunnel). |
number | Interface number whose primary IP address is used when a Next Hop Server complies with a Responder Address option. |
To configure the software so that NHRP is deferred until the system has attempted to send data traffic to a particular destination multiple times, use the ip nhrp use interface configuration command. To restore the default value, use the no form of this command.
ip nhrp use usage-count
usage-count | Packet count in the range from 1 to 65535. Default is 1. |
To enable the HP Probe Proxy support, which allows the Cisco IOS software to respond to HP Probe Proxy Name requests, use the ip probe proxy interface configuration command. To disable HP Probe Proxy, use the no form of this command.
ip probe proxy
To enable proxy ARP on an interface, use the ip proxy-arp interface configuration command. To disable proxy ARP on the interface, use the no form of this command.
ip proxy-arp
To enable the sending of redirect messages if the Cisco IOS software is forced to resend a packet through the same interface on which it was received, use the ip redirects interface configuration command. To disable the sending of redirect messages, use the no form of this command.
ip redirects
To control the use of a high-speed switching cache for IP routing as well as the use of autonomous switching, use the ip route-cache interface configuration command. To disable any of these switching modes, use the no form of this command.
ip route-cache [cbus]
cbus | (Optional) Enables both autonomous switching and fast switching. |
same-interface | Enables fast switching packets back out the interface on which they arrived. |
sse | Enables SSE switching on the SSP board on the Cisco 7000 series routers. |
optimum | (Optional) Enables optimum fast switching on the Cisco 7500 series route switch processor (RSP). This feature is enabled by default for IP on all supported interfaces (Ethernet, FDDI, and serial). For serial interfaces, it is supported for HDLC encapsulation only. |
flow | (Optional) Enables the RSP to perform flow switching on the interface. |
distributed | Enables VIP distributed switching on the interface. This feature can be enabled on Cisco RSP7000 and Cisco 7500 series routers with an RSP and with Versatile Interface Processor (VIP) controllers. If both ip route-cache flow and ip route-cache distributed are configured, the VIP does distributed flow switching. If only ip route-cache distributed is configured, the VIP does distributed optimum switching. |
To enable IP routing, use the ip routing global configuration command. To disable IP routing, use the no form of this command.
ip routing
To add a basic security option to all outgoing packets, use the ip security add interface configuration command. To disable the adding of a basic security option to all outgoing packets, use the no form of this command.
ip security add
To attach Auxiliary Extended Security Options (AESOs) to an interface, use the ip security aeso interface configuration command. To disable AESO on an interface, use the no form of this command.
ip security aeso source compartment-bits
source | Extended Security Option (ESO) source. This value is an integer from 0 to 255. |
compartment-bits | Compartment bits in hexadecimal. |
To set the level of classification and authority on the interface, use the ip security dedicated interface configuration command. To reset the interface to the default classification and authorities, use the no form of this command.
ip security dedicated level authority [authority...]
level | Degree of sensitivity of information. |
authority | Organization that defines the set of security levels that will be used in a network. |
To configure system-wide defaults for extended IP Security Option (IPSO) information, use the ip security eso-info global configuration command. To return to the default settings, use the no form of this command.
ip security eso-info source compartment-size default-bit
source | Hexadecimal or decimal value representing the extended IPSO source. This value is an integer from 0 to 255. |
compartment-size | Maximum number of bytes of compartment information allowed for a particular extended IPSO source. This value is an integer from 1 to 16. |
default-bit | Default bit value for any unsent compartment bits. |
To specify the maximum sensitivity level for an interface, use the ip security eso-max interface configuration command. To return to the default, use the no form of this command.
ip security eso-max source compartment-bits
source | Extended Security Option (ESO) source. This value is an integer from 1 to 255. |
compartment-bits | Compartment bits in hexadecimal. |
To configure the minimum sensitivity for an interface, use the ip security eso-min interface configuration command. To return to the default, use the no form of this command.
ip security eso-min source compartment-bits
source | Extended Security Option (ESO) source. This value is an integer from 1 to 255. |
compartment-bits | Compartment bits in hexadecimal. |
To accept packets on an interface that has an extended security option present, use the ip security extended-allowed interface configuration command. To restore the default, use the no form of this command.
ip security extended-allowed
To prioritize the presence of security options on a packet, use the ip security first interface configuration command. To disable this function, use the no form of this command.
ip security first
To have the Cisco IOS software ignore the authorities field of all incoming packets, use the ip security ignore-authorities interface configuration command. To disable this function, use the no form of this command.
ip security ignore-authorities
To force the Cisco IOS software to accept packets on the interface, even if they do not include a security option, use the ip security implicit-labelling interface configuration command. To disable this function, use the no form of this command.
ip security implicit-labelling [level authority [authority...]]
level | (Optional) Degree of sensitivity of information. If your interface has multilevel security set, you must specify this argument. |
authority | (Optional) Organization that defines the set of security levels that will be used in a network. If your interface has multilevel security set, you must specify this argument. You can specify more than one. |
To set the range of classifications and authorities on an interface, use the ip security multilevel interface configuration command. To disable this function, use the no form of this command.
ip security multilevel level1 [authority1...] to level2 authority2 [authority2...]
level1 | Degree of sensitivity of information. The classification level of incoming packets must be equal to or greater than this value for processing to occur. |
authority1 | (Optional) Organization that defines the set of security levels that will be used in a network. The authority bits must be a superset of this value. |
to | Separates the range of classifications and authorities. |
level2 | Degree of sensitivity of information. The classification level of incoming packets must be equal to or less than this value for processing to occur. |
authority2 | Organization that defines the set of security levels that will be used in a network. The authority bits must be a proper subset of this value. |
To treat as valid any packets that have Reserved1 through Reserved4 security levels, use the ip security reserved-allowed interface configuration command. To disable this feature, use the no form of this command.
ip security reserved-allowed
To remove any basic security option on outgoing packets on an interface, use the ip security strip interface configuration command. To disable this function, use the no form of this command.
ip security strip
To allow the Cisco IOS software to handle IP datagrams with source routing header options, use the ip source-route global configuration command. To have the software discard any IP datagram containing a source-route option, use the no form of this command.
ip source-route
To enable the use of subnet zero for interface addresses and routing updates, use the ip subnet-zero global configuration command. To restore the default, use the no form of this command.
ip subnet-zero
To specify the total number of header compression connections that can exist on an interface, use the ip tcp compression-connections interface configuration command. To restore the default, use the no form of this command.
ip tcp compression-connections number
number | Number of connections the cache supports. This value is a number from 3 to 256. The default is 16. |
To enable TCP header compression, use the ip tcp header-compression interface configuration command. To disable compression, use the no form of this command.
ip tcp header-compression [passive]
passive | (Optional) Compresses outgoing TCP packets only if incoming TCP packets on the same interface are compressed. If you do not specify the passive keyword, the Cisco IOS software compresses all traffic. |
To enable Path MTU Discovery for all new TCP connections from the router, use the ip tcp path-mtu-discovery interface configuration command. To disable the feature, use the no form of this command.
ip tcp path-mtu-discovery [age-timer {minutes | infinite}]
age-timer | (Optional) Keyword that allows you to specify a time interval after which TCP re-estimates the Path MTU. |
minutes | (Optional) Time interval (in minutes) after which TCP re-estimates the Path MTU with a larger maximum segment size (MSS). The maximum is 30 minutes; the default is 10 minutes. |
infinite | (Optional) Turns off the age-timer. |
To set a period of time the Cisco IOS software waits while attempting to establish a TCP connection before it times out, use the ip tcp synwait-time global configuration command. To restore the default time, use the no form of this command.
ip tcp synwait-time seconds
seconds | Time in seconds the software waits while attempting to establish a TCP connection. This value is an integer from 5 to 300 seconds. The default is 30 seconds. |
To enable IP processing on a serial interface without assigning an explicit IP address to the interface, use the ip unnumbered interface configuration command. To disable the IP processing on the interface, use the no form of this command.
ip unnumbered type number
type number | Type and number of another interface on which the router has an assigned IP address. It cannot be another unnumbered interface. |
To enable the generation of ICMP Unreachable messages, use the ip unreachables interface configuration command. To disable this function, use the no form of this command.
ip unreachables
To set conditions for a named IP access list, use the permit access-list configuration command. To remove a condition from an access list, use the no form of this command.
permit source [source-wildcard]
For ICMP, you can also use the following syntax:
permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] |
For IGMP, you can also use the following syntax:
permit igmp source source-wildcard destination destination-wildcard [igmp-type]
For TCP, you can also use the following syntax:
permit tcp source source-wildcard [operator port [port]] destination destination-wildcard
For UDP, you can also use the following syntax:
permit udp source source-wildcard [operator port [port]] destination destination-wildcard
source | Number of the network or host from which the packet is being sent. There are two alternative ways to specify the source:
|
source-wildcard | (Optional) Wildcard bits to be applied to the source. There are two alternative ways to specify the source wildcard:
|
protocol | Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later. |
destination | Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
|
destination-wildcard | Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
|
precedence precedence | (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name. |
tos tos | (Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name. |
icmp-type | (Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255. |
icmp-code | (Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255. |
icmp-message | (Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. |
igmp-type | (Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. |
operator | (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard, it must match the source port. If the operator is positioned after the destination and destination-wildcard, it must match the destination port. The range operator requires two port numbers. All other operators require one port number. |
port | (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP. |
established | (Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection. |
log | (Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval. |
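The matching rules in the operator, port and established rows above, as an added Python example (not Cisco code and not part of the original reference): it parses a permit tcp or permit udp entry and tests constructed packets against it. It assumes numeric ports and explicit address/wildcard pairs, and applies the standard IOS wildcard convention that 1 bits are ignored; the Packet class, the function names and the sample addresses are hypothetical.

```python
import ipaddress
from dataclasses import dataclass

# Port comparison operators listed in the "operator" row. "range" is inclusive
# and takes two ports; every other operator takes one.
PORT_OPS = {
    "lt": lambda p, lo, hi: p < lo,
    "gt": lambda p, lo, hi: p > lo,
    "eq": lambda p, lo, hi: p == lo,
    "neq": lambda p, lo, hi: p != lo,
    "range": lambda p, lo, hi: lo <= p <= hi,
}


@dataclass(frozen=True)
class Packet:
    """Constructed test datagram (not captured traffic)."""
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()


def _ip(text):
    return int(ipaddress.IPv4Address(text))  # raises ValueError on bad input


def addr_match(addr, base, wildcard):
    """IOS wildcard convention: 1 bits are ignored, 0 bits must be equal."""
    care = ~_ip(wildcard) & 0xFFFFFFFF
    return (_ip(addr) & care) == (_ip(base) & care)


def parse_entry(line):
    """Parse 'permit tcp|udp src wc [op port [port]] dst wc [op port [port]] [established]'."""
    t = line.split()
    if len(t) < 2 or t[0] != "permit" or t[1] not in ("tcp", "udp"):
        raise ValueError("only 'permit tcp' and 'permit udp' entries are handled")
    entry = {"proto": t[1], "established": False}
    i = 2
    for side in ("src", "dst"):
        if i + 1 >= len(t):
            raise ValueError(f"missing {side} address or wildcard")
        _ip(t[i])
        _ip(t[i + 1])
        entry[side] = (t[i], t[i + 1])
        entry[side + "_port"] = None
        i += 2
        if i < len(t) and t[i] in PORT_OPS:
            op = t[i]
            need = 2 if op == "range" else 1
            ports = [int(p) for p in t[i + 1:i + 1 + need]]
            if len(ports) != need or not all(0 <= p <= 65535 for p in ports):
                raise ValueError(f"'{op}' needs {need} port number(s) in 0-65535")
            entry[side + "_port"] = (op, ports[0], ports[-1])
            i += 1 + need
    rest = t[i:]
    if rest == ["established"] and entry["proto"] == "tcp":
        entry["established"] = True  # the keyword is for TCP only
    elif rest:
        raise ValueError(f"unsupported trailing keywords: {rest}")
    return entry


def matches(entry, pkt):
    if pkt.proto != entry["proto"]:
        return False
    for side, addr, port in (("src", pkt.src, pkt.sport), ("dst", pkt.dst, pkt.dport)):
        base, wildcard = entry[side]
        if not addr_match(addr, base, wildcard):
            return False
        spec = entry[side + "_port"]
        if spec and not PORT_OPS[spec[0]](port, spec[1], spec[2]):
            return False
    # "established": ACK or RST set. Only the flag bits of this datagram are
    # tested; the entry keeps no record of earlier datagrams.
    if entry["established"] and not (pkt.flags & {"ACK", "RST"}):
        return False
    return True


def evaluate(entry_text, packets):
    entry = parse_entry(entry_text)
    return [matches(entry, p) for p in packets]


# Constructed entry and packets, using documentation address ranges.
RETURN_WEB = "permit tcp 0.0.0.0 255.255.255.255 eq 80 192.0.2.0 0.0.0.255 gt 1023 established"
WEB_PACKETS = [
    Packet("tcp", "198.51.100.7", 80, "192.0.2.10", 40000, frozenset({"SYN", "ACK"})),
    Packet("tcp", "198.51.100.7", 80, "192.0.2.10", 40000, frozenset({"SYN"})),
    Packet("tcp", "198.51.100.7", 80, "192.0.2.10", 22, frozenset({"ACK"})),
    Packet("tcp", "198.51.100.7", 80, "192.0.2.10", 40000, frozenset({"RST"})),
    Packet("tcp", "198.51.100.7", 80, "203.0.113.9", 40000, frozenset({"ACK"})),
]

if __name__ == "__main__":
    for pkt, hit in zip(WEB_PACKETS, evaluate(RETURN_WEB, WEB_PACKETS)):
        print("permit" if hit else "no match", pkt)
```

A packet reported as "no match" is not necessarily dropped by this entry; it is simply not permitted by it and goes on to be compared with the remaining entries of the list.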
To check host reachability and network connectivity, use the ping (IP packet internet groper function) privileged EXEC command.
ping [protocol] {host | address}
protocol | (Optional) Protocol keyword. The default is IP. |
host | Host name of system to ping. |
address | IP address of system to ping. |
To check host reachability and network connectivity, use the ping (IP packet internet groper function) user EXEC command.
ping [protocol] {host | address}
protocol | (Optional) Protocol keyword. The default is IP. |
host | Host name of system to ping. |
address | IP address of system to ping. |
To display the contents of current access lists, use the show access-lists privileged EXEC command.
show access-lists [access-list-number | name]
access-list-number | (Optional) Access list number to display. The range is 0 to 1199. The system displays all access lists by default. |
name | (Optional) Name of the IP access list to display. |
To display the entries in the ARP table, use the show arp privileged EXEC command.
show arp
To display state information and the current configuration of the DNSIX audit writing module, use the show dnsix privileged EXEC command.
show dnsix
To display the default domain name, the style of name lookup service, a list of name server hosts, and the cached list of host names and addresses, use the show hosts EXEC command.
show hosts
To display the contents of all current IP access lists, use the show ip access-list EXEC command.
show ip access-list [access-list-number | name]
access-list-number | (Optional) Number of the IP access list to display. This value is a number from 1 to 199. |
name | (Optional) Name of the IP access list to display. |
To display the active accounting or checkpointed database or to display access list violations, use the show ip accounting EXEC command.
show ip accounting [checkpoint] [output-packets | access-violations]
checkpoint | (Optional) Indicates that the checkpointed database should be displayed. |
output-packets | (Optional) Indicates that information pertaining to packets that passed access control and were successfully routed should be displayed. If neither the output-packets nor access-violations keyword is specified, output-packets is the default. |
access-violations | (Optional) Indicates that information pertaining to packets that failed access lists and were not routed should be displayed. If neither the output-packets nor access-violations keyword is specified, output-packets is the default. |
To display the IP addresses mapped to TCP ports (aliases) and SLIP addresses, which are treated similarly to aliases, use the show ip aliases EXEC command.
show ip aliases
To display the Address Resolution Protocol (ARP) cache, where SLIP addresses appear as permanent ARP table entries, use the show ip arp EXEC command.
show ip arp
To display the routing table cache used to fast switch IP traffic, use the show ip cache EXEC command.
show ip cache [prefix mask] [type number]
prefix | (Optional) Display only the entries in the cache that match the prefix and mask combination. |
mask | (Optional) Display only the entries in the cache that match the prefix and mask combination. |
type | (Optional) Display only the entries in the cache that match the interface type and number combination. |
number | (Optional) Display only the entries in the cache that match the interface type and number combination. |
To display summary NetFlow switching statistics, use the show ip cache flow EXEC command.
show ip cache flow
To display the usability status of interfaces configured for IP, use the show ip interface EXEC command.
show ip interface [type number]
type | (Optional) Interface type. |
number | (Optional) Interface number. |
To display the masks used for network addresses and the number of subnets using each mask, use the show ip masks EXEC command.
show ip masks address
address | Network address for which a mask is required. |
To display Network Address Translation (NAT) statistics, use the show ip nat statistics EXEC command.
show ip nat statistics
To display active Network Address Translation (NAT) translations, use the show ip nat translations EXEC command.
show ip nat translations [verbose]
verbose | (Optional) Displays additional information for each translation table entry, including how long ago the entry was created and used. |
To display the Next Hop Resolution Protocol (NHRP) cache, use the show ip nhrp EXEC command.
show ip nhrp [dynamic | static] [type number]
dynamic | (Optional) Displays only the dynamic (learned) IP-to-NBMA address cache entries. |
static | (Optional) Displays only the static IP-to-NBMA address entries in the cache (configured through the ip nhrp map command). |
type | (Optional) Interface type about which to display the NHRP cache (for example, atm, tunnel). |
number | (Optional) Interface number about which to display the NHRP cache. |
To display Next Hop Resolution Protocol (NHRP) traffic statistics, use the show ip nhrp traffic EXEC command.
show ip nhrp traffic
To display the address of a default gateway (router) and the address of hosts for which a redirect has been received, use the show ip redirects EXEC command.
show ip redirects
To display the entries in the routing table, use the show ip route EXEC command.
show ip route [address [mask]] | [protocol]
address | (Optional) Address about which routing information should be displayed. |
mask | (Optional) Argument for a subnet mask. |
protocol | (Optional) Argument for a particular routing protocol, or static or connected. |
To display summary information about entries in the routing table, use the show ip route summary EXEC command.
show ip route summary
To display statistics about TCP header compression, use the show ip tcp header-compression EXEC command.
show ip tcp header-compression
To display statistics about IP traffic, use the show ip traffic EXEC command.
show ip traffic
To display a summary of Silicon Switch Processor (SSP) statistics, use the show sse summary EXEC command.
show sse summary
To display Hot Standby Router Protocol information, use the show standby EXEC command.
show standby
To configure an authentication string for the Hot Standby Router Protocol, use the standby authentication interface configuration command. To delete an authentication string, use the no form of this command.
standby [group-number] authentication string
group-number | (Optional) Group number on the interface to which this authentication string applies. |
string | Authentication string. It can be up to eight characters in length. The default string is cisco. |
To activate the Hot Standby Router Protocol, use the standby ip interface configuration command. To disable the Hot Standby Router Protocol, use the no form of this command.
standby [group-number] ip [ip-address [secondary]]
group-number | (Optional) Group number on the interface for which the Hot Standby Router Protocol is being activated. The default is 0. |
ip-address | (Optional) IP address of the Hot Standby Router interface. |
secondary | (Optional) Indicates the IP address is a secondary Hot Standby Router interface. Useful on interfaces with primary and secondary addresses; you can configure primary and secondary Hot Standby Router Protocol addresses. |
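A configuration check for the default authentication string noted above, as an added example that is not part of the original reference. The function name and the sample configuration are constructed for illustration, and the check assumes that an omitted group number on standby authentication means group 0, as it does for standby ip.

```python
import re

DEFAULT_AUTH = "cisco"  # default string, per the standby authentication entry
DEFAULT_GROUP = 0       # default group number, per the standby ip entry (assumed for authentication too)

# Constructed sample configuration, not taken from a real device.
SAMPLE_CONFIG = """\
interface Ethernet0
 ip address 10.0.0.2 255.255.255.0
 standby ip 10.0.0.1
 standby priority 110
!
interface Ethernet1
 standby 1 ip 10.0.1.1
 standby 1 authentication s3cr3tX
 standby 2 ip 10.0.1.254
 standby 2 authentication cisco
"""

STANDBY = re.compile(r"^\s+standby\s+(?:(\d+)\s+)?(ip|authentication)\b\s*(\S*)")

def audit_hsrp_auth(config):
    """Return (interface, group, reason) for each group left on the default string."""
    groups = {}  # (interface, group) -> configured string, None if never set
    iface = None
    for line in config.splitlines():
        if not line.startswith(" "):  # top-level line: enter or leave a stanza
            iface = line[10:].strip() if line.startswith("interface ") else None
            continue
        m = STANDBY.match(line)
        if iface is None or not m:
            continue
        key = (iface, int(m.group(1)) if m.group(1) else DEFAULT_GROUP)
        groups.setdefault(key, None)
        if m.group(2) == "authentication" and m.group(3):
            groups[key] = m.group(3)
    findings = []
    for (ifc, grp), auth in sorted(groups.items()):
        if auth is None:
            findings.append((ifc, grp, "no string set, default in effect"))
        elif auth == DEFAULT_AUTH:
            findings.append((ifc, grp, "default string set explicitly"))
    return findings

if __name__ == "__main__":
    for finding in audit_hsrp_auth(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved copy of the running configuration; every finding is a group that any device on the segment can join using the documented default string.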
To indicate that, when the local router has a Hot Standby priority higher than the current active router, the local router should attempt to assume control as the active router, use the standby preempt interface configuration command. To have the local router assume control as the active router only if it receives information indicating that there is no router currently in the active state (acting as the designated router), use the no form of this command.
standby [group-number] preempt
group-number | (Optional) Group number on the interface for which the Hot Standby preemptive feature is being activated. The default is 0. |
To prioritize a potential Hot Standby router, use the standby priority interface configuration command. To restore the priority to the default, use the no form of this command.
standby [group-number] priority priority-number
group-number | (Optional) Group number on the interface to which the priority number applies. The default is 0. |
priority-number | Priority value. This value is an integer from 0 to 255. The default is 100. |
To configure the time between hellos and the time before other routers declare the active Hot Standby or standby router to be down, use the standby timers interface configuration command. To restore the timers to their default values, use the no form of this command.
standby [group-number] timers hellotime holdtime
group-number | (Optional) Group number on the interface to which the timers apply. The default is 0. |
hellotime | Hello interval in seconds. This is an integer from 1 to 255. The default is 1 second. |
holdtime | Time in seconds before the active or standby router is declared to be down. This is an integer from 1 to 255. The default is 3 seconds. |
To configure an interface so that the Hot Standby priority changes based on the availability of other interfaces, use the standby track interface configuration command. To remove the tracking, use the no form of this command.
standby [group-number] track type number [interface-priority]
group-number | (Optional) Group number on the interface to which the tracking applies. The default is 0. |
type | Interface type (combined with interface number) that will be tracked. |
number | Interface number (combined with interface type) that will be tracked. |
interface-priority | (Optional) Amount by which the Hot Standby priority for the router is decremented (or incremented) when the interface goes down (or comes back up). The default value is 10. |
To specify the format in which netmasks are displayed in show command output, use the term ip netmask-format EXEC command. To restore the default display format, use the no form of this command.
term ip netmask-format {bitcount | decimal | hexadecimal}
bitcount | Addresses are followed by a slash and the total number of bits in the netmask. For example, 131.108.11.55/24 indicates that the netmask is 24 bits. |
decimal | Netmasks are displayed in dotted decimal notation (for example, 255.255.255.0). |
hexadecimal | Netmasks are displayed in hexadecimal format, as indicated by the leading 0X (for example, 0XFFFFFF00). |
To discover the routes the packets follow when traveling to their destination from the router, use the trace privileged EXEC command.
trace [destination]
destination | (Optional) Destination address or host name on the command line. The default parameters for the appropriate protocol are assumed and the tracing action begins. |
To discover the routes the router packets follow when traveling to their destination, use the trace user EXEC command.
trace ip destination
destination | Destination address or host name on the command line. The default parameters for the appropriate protocol are assumed and the tracing action begins. |
To assign a transmit interface to a receive-only interface, use the transmit-interface interface configuration command. To return to normal duplex Ethernet interfaces, use the no form of this command.
transmit-interface type number
type | Transmit interface type to be linked with the (current) receive-only interface. |
number | Transmit interface number to be linked with the (current) receive-only interface. |
To set the encapsulation mode for the tunnel interface, use the tunnel mode interface configuration command. To set to the default, use the no form of this command.
tunnel mode {aurp | cayman | dvmrp | eon | gre ip [multipoint] | nos}
aurp | AppleTalk Update Routing Protocol (AURP). |
cayman | Cayman TunnelTalk AppleTalk encapsulation. |
dvmrp | Distance Vector Multicast Routing Protocol. |
eon | EON compatible CLNS tunnel. |
gre ip | Generic route encapsulation (GRE) protocol over IP. |
multipoint | (Optional) Enables a GRE tunnel to be used in a multipoint fashion. Can be used with the gre ip keyword only, and requires the use of the tunnel key command. |
nos | KA9Q/NOS compatible IP over IP. |