mpls traffic-eng auto-bw timers
To enable automatic bandwidth adjustment for a platform and to start output rate sampling for tunnels configured for automatic bandwidth adjustment, use the mpls traffic-eng auto-bw timers command in global configuration mode. To disable automatic bandwidth adjustment for the platform, use the no form of this command.
mpls traffic-eng auto-bw timers [frequency seconds]
no mpls traffic-eng auto-bw timers
Syntax Description
Command Default
When the optional frequency keyword is not specified, the sampling interval is 300 seconds (5 minutes).
Command Modes
Global configuration
Command History
Usage Guidelines
The mpls traffic-eng auto-bw timers command enables automatic bandwidth adjustment on a platform by causing traffic engineering to periodically sample the output rate for each tunnel configured for bandwidth adjustment.
The no mpls traffic-eng auto-bw timers command disables automatic bandwidth adjustment for a platform by terminating the output rate sampling and bandwidth adjustment for tunnels configured for adjustment. In addition, the no form of the command restores the configured bandwidth for each tunnel where "configured bandwidth" is determined as follows:
• If the tunnel bandwidth was explicitly configured via the tunnel mpls traffic-eng bandwidth command after the running configuration was written (if at all) to the startup configuration, the "configured bandwidth" is the bandwidth specified by that command.
• Otherwise, the "configured bandwidth" is the bandwidth specified for the tunnel in the startup configuration.
Examples
The following example shows how to designate that for each Multiprotocol Label Switching (MPLS) traffic engineering tunnel, the output rate is sampled once every 10 minutes (every 600 seconds):
Router(config)# mpls traffic-eng auto-bw timers frequency 600
Related Commands
multi-topology
To enable multitopology Intermediate System-to-Intermediate System (IS-IS) for IPv6, use the multi-topology command in address family configuration mode. To disable multitopology IS-IS for IPv6, use the no form of this command.
multi-topology [transition]
no multi-topology
Syntax Description
| | |
|---|---|
| transition | (Optional) Allows an IS-IS IPv6 user to continue to use single shortest path first (SPF) mode while upgrading to multitopology IS-IS for IPv6. |
Command Default
Multitopology IS-IS is disabled by default.
Command Modes
Address family configuration
Command History
Usage Guidelines
By default, the router runs IS-IS IPv6 in single SPF mode. The multi-topology command enables multitopology IS-IS for IPv6.
The optional transition keyword can be used to migrate from IS-IS IPv6 single SPF mode to multitopology IS-IS IPv6. When transition mode is enabled, the router advertises both multitopology type, length, and value (TLV) objects and single-SPF-mode IS-IS IPv6 TLVs, but the SPF is computed using the single-SPF-mode IS-IS IPv6 TLV. This action has the side effect of increasing the link-state packet (LSP) size.
Examples
The following example enables multitopology IS-IS for IPv6:
Router(config)# router isis
Router(config-router)# address-family ipv6
Router(config-router-af)# multi-topology
nai
To specify the network address identifier (NAI) for the IPv6 mobile node, use the nai command in home agent configuration mode or IPv6 mobile router host configuration mode. To remove a host configuration, use the no form of this command.
nai [realm | user | macaddress] {user@realm | @realm}
no nai
Syntax Description
Command Default
No NAI is specified.
Command Modes
Home agent configuration (config-ha)
IPv6 mobile router host configuration (IPv6-mobile-router-host-config)
Command History
| Release | Modification |
|---|---|
| 12.4(11)T | This command was introduced. |
| 12.2(33)SRB | Support for IPv6 was added. |
| 12.4(20)T | IPv6 network mobility (NEMO) functionality was added. |
Usage Guidelines
The nai command can be used to configure a specific user NAI or a generic realm for defining a group.
When the address command is configured with a specific IPv6 address, the nai command cannot be configured using the @realm argument. For example, the following nai command configuration would not be valid because the address command is configured with the specific address baba::1:
host group group1
nai @cisco.com
address baba::1
Two different profiles cannot be configured with the nai command configured with the same @realm value. For example, the following two profiles are configured with the same NAI realm of @cisco.com, which is not valid:
host group group1
nai @cisco.com
host group group2
nai @cisco.com
However, if one of the profiles uses a fully qualified NAI, which is configured using the nai command with the user@realm argument, its properties take precedence over the group profile for that user, and the second group's configuration using the nai command with the @realm argument is valid.
host group group1
nai example@cisco.com
host group group2
nai @cisco.com
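The three rules above can be checked mechanically before a configuration is pushed. The following Python sketch is an added example, not Cisco code: the function names are hypothetical, the sample inputs are the three snippets from the text, and comparing realms case-insensitively is an assumption.

```python
import ipaddress

# Sample inputs: the three host-group snippets shown in the text above.
REALM_WITH_ADDRESS = """\
host group group1
 nai @cisco.com
 address baba::1
"""
DUPLICATE_REALM = """\
host group group1
 nai @cisco.com
host group group2
 nai @cisco.com
"""
USER_AND_REALM = """\
host group group1
 nai example@cisco.com
host group group2
 nai @cisco.com
"""


def parse_host_groups(config_text):
    """Return {group name: {"nai": value or None, "address": value or None}}."""
    groups, current = {}, None
    for raw in config_text.splitlines():
        tokens = raw.split()
        if not tokens or tokens[0].startswith("!"):
            continue
        if tokens[:2] == ["host", "group"] and len(tokens) == 3:
            current = groups.setdefault(tokens[2], {"nai": None, "address": None})
        elif current is not None and tokens[0] == "nai" and len(tokens) > 1:
            # An optional realm/user/macaddress keyword may precede the value.
            current["nai"] = tokens[-1]
        elif current is not None and tokens[0] == "address" and len(tokens) > 1:
            current["address"] = tokens[1]
    return groups


def is_specific_ipv6(value):
    """True when the address argument is a literal IPv6 address."""
    try:
        ipaddress.IPv6Address(value)
        return True
    except ValueError:
        return False


def check_nai_rules(config_text):
    """Return (rule, group) findings for the two invalid combinations."""
    findings, realm_owner = [], {}
    for name, profile in parse_host_groups(config_text).items():
        nai = profile["nai"]
        if not nai or not nai.startswith("@"):
            continue  # a fully qualified user@realm NAI never conflicts
        realm = nai.lower()  # assumption: realms compare case-insensitively
        if profile["address"] and is_specific_ipv6(profile["address"]):
            findings.append(("realm-with-specific-address", name))
        if realm in realm_owner:
            findings.append(("duplicate-realm", name))
        else:
            realm_owner[realm] = name
    return findings


def profile_for(config_text, user_nai):
    """Pick the profile for user@realm: the exact NAI wins over the realm."""
    groups = parse_host_groups(config_text)
    user_nai = user_nai.lower()
    realm = "@" + user_nai.partition("@")[2]
    for wanted in (user_nai, realm):
        for name, profile in groups.items():
            if profile["nai"] and profile["nai"].lower() == wanted:
                return name
    return None
```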
Examples
In the following example, the host group named group1 is configured using the NAI fully qualified realm of example@cisco.com:
host group group1
nai example@cisco.com
Related Commands
| Command | Description |
|---|---|
| host group | Creates a host configuration in IPv6 Mobile. |
| ipv6 mobile home-agent (global configuration) | Enters home agent configuration mode. |
neighbor (EIGRP)
To define a neighboring router with which to exchange routing information on a router that is running Enhanced Interior Gateway Routing Protocol (EIGRP), use the neighbor command in router configuration mode or address-family configuration mode. To remove an entry, use the no form of this command.
neighbor {ip-address | ipv6-address} interface-type interface-number [remote maximum-hops]
no neighbor {ip-address | ipv6-address} interface-type interface-number
Syntax Description
Command Default
No neighboring routers are defined.
Command Modes
Router configuration (config-router)
Address-family configuration (config-router-af)
Command History
Usage Guidelines
Multiple neighbor statements can be used to establish peering sessions with specific EIGRP neighbors. The interface through which EIGRP will exchange routing updates must be specified in the neighbor statement. The interfaces through which two EIGRP neighbors exchange routing updates must be configured with IP addresses from the same network.
Note: Configuring the passive-interface command suppresses all incoming and outgoing routing updates and hello messages. EIGRP neighbor adjacencies cannot be established or maintained over an interface that is configured as passive.
Examples
The following example configures EIGRP peering sessions with the 192.168.1.1 and 192.168.2.2 neighbors:
Router(config)# router eigrp 1
Router(config-router)# network 192.168.0.0
Router(config-router)# neighbor 192.168.1.1 Ethernet 0/0
Router(config-router)# neighbor 192.168.2.2 Ethernet 1/1
The following named configuration example configures EIGRP to send address-family updates to specific neighbors:
Router(config)# router eigrp virtual-name
Router(config-router)# address-family ipv4 autonomous-system 4453
Router(config-router-af)# neighbor 192.168.1.1 ethernet0/0
Router(config-router-af)# neighbor 10.1.1.2 loopback0 remote 10
Related Commands
neighbor activate
To enable the exchange of information with a Border Gateway Protocol (BGP) neighbor, use the neighbor activate command in address family configuration mode or router configuration mode. To disable the exchange of an address with a BGP neighbor, use the no form of this command.
neighbor {ip-address | peer-group-name | ipv6-address%} activate
no neighbor {ip-address | peer-group-name | ipv6-address%} activate
Syntax Description
Command Default
The exchange of addresses with BGP neighbors is enabled for the IPv4 address family. Address exchange for all other address families is disabled.
Note: Address exchange for address family IPv4 is enabled by default for each BGP routing session configured with the neighbor remote-as command unless you configure the no bgp default ipv4-activate command before configuring the neighbor remote-as command, or you disable address exchange for address family IPv4 with a specific neighbor by using the no form of the neighbor activate command.
Command Modes
Address family configuration (config-router-af)
Router configuration (config-router)
Command History
Usage Guidelines
Use this command to advertise address information in the form of an IP or IPv6 prefix. The address prefix information is known as Network Layer Reachability Information (NLRI) in BGP.
The % keyword is used whenever link-local IPv6 addresses are used outside the context of their interfaces. This keyword does not need to be used for non-link-local IPv6 addresses.
Examples
Address Exchange Example for Address Family vpnv4
The following example shows how to enable address exchange for address family vpnv4 for all neighbors in the BGP peer group named PEPEER and for the neighbor 10.0.0.44:
Router(config)# address-family vpnv4
Router(config-router-af)# neighbor PEPEER activate
Router(config-router-af)# neighbor 10.0.0.44 activate
Router(config-router-af)# exit-address-family
Address Exchange Example for Address Family IPv4 Unicast
The following example shows how to enable address exchange for address family IPv4 unicast for all neighbors in the BGP peer group named group1 and for the BGP neighbor 172.16.1.1:
Router(config)# address-family ipv4 unicast
Router(config-router-af)# neighbor group1 activate
Router(config-router-af)# neighbor 172.16.1.1 activate
Address Exchange Example for Address Family IPv6
The following example shows how to enable address exchange for address family IPv6 for all neighbors in the BGP peer group named group2 and for the BGP neighbor 7000::2:
Router(config)# address-family ipv6
Router(config-router-af)# neighbor group2 activate
Router(config-router-af)# neighbor 7000::2 activate
Related Commands
neighbor ebgp-multihop
To accept and attempt BGP connections to external peers residing on networks that are not directly connected, use the neighbor ebgp-multihop command in router configuration mode. To return to the default, use the no form of this command.
neighbor {ip-address | ipv6-address | peer-group-name} ebgp-multihop [ttl]
no neighbor {ip-address | ipv6-address | peer-group-name} ebgp-multihop
Syntax Description
Command Default
Only directly connected neighbors are allowed.
Command Modes
Router configuration (config-router)
Command History
Usage Guidelines
This feature should be used only under the guidance of Cisco technical support staff.
If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group will inherit the characteristic configured with this command.
To prevent the creation of loops through oscillating routes, the multihop will not be established if the only route to the multihop peer is the default route (0.0.0.0).
Examples
The following example allows connections to or from neighbor 10.108.1.1, which resides on a network that is not directly connected:
router bgp 109
neighbor 10.108.1.1 ebgp-multihop
Related Commands
neighbor next-hop-unchanged
To enable an external BGP (eBGP) peer that is configured as multihop to propagate the next hop unchanged, use the neighbor next-hop-unchanged command in address family or router configuration mode. To disable propagation of the unchanged next hop, use the no form of this command.
neighbor {ip-address | ipv6-address | peer-group-name} next-hop-unchanged [allpaths]
no neighbor {ip-address | ipv6-address | peer-group-name} next-hop-unchanged [allpaths]
Syntax Description
Command Default
This command is disabled by default.
Command Modes
Address family configuration (config-router-af)
Router configuration (config-router)
Command History
Usage Guidelines
By default, for eBGP, the next hop to reach a connected network is the IP address of the neighbor that sent the update. Therefore, as an update goes from router to router, the next hop typically changes to be the address of the neighbor that sent the update (the router's own address).
However, there might be a scenario where you want the next hop to remain unchanged. The neighbor next-hop-unchanged command is used to propagate the next hop unchanged for multihop eBGP peering sessions. This command is configured on an eBGP neighbor, but the neighbor propagates routes learned from iBGP; that is, the neighbor propagates the next hop of iBGP routes toward eBGP.
This command can be used to configure MPLS VPNs between service providers by not modifying the next hop attribute when advertising routes to an eBGP peer.
Examples
The following example configures a multihop eBGP peer at 10.0.0.100 in a remote autonomous system (AS). When the local router sends updates to that peer, it will send them without modifying the next hop attribute.
router bgp 65535
address-family ipv4
neighbor 10.0.0.100 remote-as 65600
neighbor 10.0.0.100 activate
neighbor 10.0.0.100 ebgp-multihop 255
neighbor 10.0.0.100 next-hop-unchanged
end
Related Commands
neighbor override-capability-neg
To enable the IPv6 address family for a Border Gateway Protocol (BGP) neighbor that does not support capability negotiation, use the neighbor override-capability-neg command in address family configuration mode. To disable the IPv6 address family for a BGP neighbor that does not support capability negotiation, use the no form of this command.
neighbor {peer-group-name | ipv6-address} override-capability-neg
no neighbor {peer-group-name | ipv6-address} override-capability-neg
Syntax Description
Command Default
Capability negotiation is enabled.
Command Modes
Address family configuration
Command History
Usage Guidelines
Capability negotiation is used to establish a connection between BGP-speaking peers. If one of the BGP peers does not support capability negotiation, the connection is automatically terminated. The neighbor override-capability-neg command overrides the capability negotiation process and enables BGP-speaking peers to establish a connection.
The neighbor override-capability-neg command is supported only in address family configuration mode for the IPv6 address family.
Examples
The following example enables the IPv6 address family for BGP neighbor 7000::2:
Router(config)# address-family ipv6
Router(config-router-af)# neighbor 7000::2 override-capability-neg
The following example enables the IPv6 address family for all neighbors in the BGP peer group named group1:
Router(config)# address-family ipv6
Router(config-router-af)# neighbor group1 override-capability-neg
Related Commands
| Command | Description |
|---|---|
| address-family ipv6 | Places the router in address family configuration mode for configuring routing sessions, such as BGP, that use standard IPv6 address prefixes. |
neighbor peer-group (assigning members)
To configure a BGP neighbor to be a member of a peer group, use the neighbor peer-group command in address family or router configuration mode. To remove the neighbor from the peer group, use the no form of this command.
neighbor {ip-address | ipv6-address} peer-group peer-group-name
no neighbor {ip-address | ipv6-address} peer-group peer-group-name
Syntax Description
Defaults
There are no BGP neighbors in a peer group.
Command Modes
Address family configuration (config-router-af)
Router configuration (config-router)
Command History
Usage Guidelines
The neighbor at the IP address indicated inherits all the configured options of the peer group.
Note: Using the no form of the neighbor peer-group command removes all of the BGP configuration for that neighbor, not just the peer group association.
Examples
The following router configuration mode example assigns three neighbors to the peer group named internal:
router bgp 100
neighbor internal peer-group
neighbor internal remote-as 100
neighbor internal update-source loopback 0
neighbor internal route-map set-med out
neighbor internal filter-list 1 out
neighbor internal filter-list 2 in
neighbor 172.16.232.53 peer-group internal
neighbor 172.16.232.54 peer-group internal
neighbor 172.16.232.55 peer-group internal
neighbor 172.16.232.55 filter-list 3 in
The following address family configuration mode example assigns three neighbors to the peer group named internal:
router bgp 100
address-family ipv4 unicast
neighbor internal peer-group
neighbor internal remote-as 100
neighbor internal update-source loopback 0
neighbor internal route-map set-med out
neighbor internal filter-list 1 out
neighbor internal filter-list 2 in
neighbor 172.16.232.53 peer-group internal
neighbor 172.16.232.54 peer-group internal
neighbor 172.16.232.55 peer-group internal
neighbor 172.16.232.55 filter-list 3 in
Related Commands
neighbor peer-group (creating)
To create a BGP or multiprotocol BGP peer group, use the neighbor peer-group command in address family or router configuration mode. To remove the peer group and all of its members, use the no form of this command.
neighbor peer-group-name peer-group
no neighbor peer-group-name peer-group
Syntax Description
| | |
|---|---|
| peer-group-name | Name of the BGP peer group. |
Defaults
There is no BGP peer group.
Command Modes
Address family configuration (config-router-af)
Router configuration (config-router)
Command History
Usage Guidelines
Often in a BGP or multiprotocol BGP speaker, many neighbors are configured with the same update policies (that is, same outbound route maps, distribute lists, filter lists, update source, and so on). Neighbors with the same update policies can be grouped into peer groups to simplify configuration and make update calculation more efficient.
Note: Peer group members can span multiple logical IP subnets, and can transmit, or pass along, routes from one peer group member to another.
Once a peer group is created with the neighbor peer-group command, it can be configured with the neighbor commands. By default, members of the peer group inherit all the configuration options of the peer group. Members also can be configured to override the options that do not affect outbound updates.
All the peer group members will inherit the current configuration as well as changes made to the peer group. Peer group members will always inherit the following configuration options by default:
• remote-as (if configured)
• version
• update-source
• outbound route-maps
• outbound filter-lists
• outbound distribute-lists
• minimum-advertisement-interval
• next-hop-self
If a peer group is not configured with a remote-as option, the members can be configured with the neighbor {ip-address | peer-group-name} remote-as command. This command allows you to create peer groups containing external BGP (eBGP) neighbors.
Examples
The following example configurations show how to create these types of neighbor peer group:
• internal Border Gateway Protocol (iBGP) peer group
• eBGP peer group
• Multiprotocol BGP peer group
iBGP Peer Group
In the following example, the peer group named internal configures the members of the peer group to be iBGP neighbors. By definition, this is an iBGP peer group because the router bgp command and the neighbor remote-as command indicate the same autonomous system (in this case, autonomous system 100). All the peer group members use loopback 0 as the update source and use set-med as the outbound route map. The neighbor internal filter-list 2 in command shows that, except for 172.16.232.55, all the neighbors have filter list 2 as the inbound filter list.
router bgp 100
neighbor internal peer-group
neighbor internal remote-as 100
neighbor internal update-source loopback 0
neighbor internal route-map set-med out
neighbor internal filter-list 1 out
neighbor internal filter-list 2 in
neighbor 172.16.232.53 peer-group internal
neighbor 172.16.232.54 peer-group internal
neighbor 172.16.232.55 peer-group internal
neighbor 172.16.232.55 filter-list 3 in
eBGP Peer Group
The following example defines the peer group named external-peers without the neighbor remote-as command. By definition, this is an eBGP peer group because each individual member of the peer group is configured with its respective autonomous system number separately. Thus the peer group consists of members from autonomous systems 200, 300, and 400. All the peer group members have the set-metric route map as an outbound route map and filter list 99 as an outbound filter list. Except for neighbor 172.16.232.110, all of them have 101 as the inbound filter list.
router bgp 100
neighbor external-peers peer-group
neighbor external-peers route-map set-metric out
neighbor external-peers filter-list 99 out
neighbor external-peers filter-list 101 in
neighbor 172.16.232.90 remote-as 200
neighbor 172.16.232.90 peer-group external-peers
neighbor 172.16.232.100 remote-as 300
neighbor 172.16.232.100 peer-group external-peers
neighbor 172.16.232.110 remote-as 400
neighbor 172.16.232.110 peer-group external-peers
neighbor 172.16.232.110 filter-list 400 in
Multiprotocol BGP Peer Group
In the following example, all members of the peer group are multicast-capable:
router bgp 100
neighbor 10.1.1.1 remote-as 1
neighbor 172.16.2.2 remote-as 2
address-family ipv4 multicast
neighbor mygroup peer-group
neighbor 10.1.1.1 peer-group mygroup
neighbor 172.16.2.2 peer-group mygroup
neighbor 10.1.1.1 activate
neighbor 172.16.2.2 activate
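When reviewing a configuration, the policy that actually applies to a neighbor is the peer group's settings combined with the neighbor's own overrides. The following Python sketch is an added example, not Cisco code: it resolves the effective settings for the iBGP and eBGP peer group examples above and lists neighbors that end up with no inbound filter. The function names are hypothetical, and treating a member-level setting as ignored when it collides with an always-inherited option is a modelling assumption.

```python
# Options the text lists as always inherited from the peer group.
ALWAYS_INHERITED = {
    "remote-as", "version", "update-source", "next-hop-self",
    "advertisement-interval", "route-map out", "filter-list out",
    "distribute-list out",
}
DIRECTIONAL = {"route-map", "filter-list", "distribute-list", "prefix-list"}
INBOUND_KEYS = {name + " in" for name in DIRECTIONAL}

# The iBGP and eBGP peer group examples from the text, embedded as sample input.
IBGP_EXAMPLE = """\
router bgp 100
 neighbor internal peer-group
 neighbor internal remote-as 100
 neighbor internal update-source loopback 0
 neighbor internal route-map set-med out
 neighbor internal filter-list 1 out
 neighbor internal filter-list 2 in
 neighbor 172.16.232.53 peer-group internal
 neighbor 172.16.232.54 peer-group internal
 neighbor 172.16.232.55 peer-group internal
 neighbor 172.16.232.55 filter-list 3 in
"""
EBGP_EXAMPLE = """\
router bgp 100
 neighbor external-peers peer-group
 neighbor external-peers route-map set-metric out
 neighbor external-peers filter-list 99 out
 neighbor external-peers filter-list 101 in
 neighbor 172.16.232.90 remote-as 200
 neighbor 172.16.232.90 peer-group external-peers
 neighbor 172.16.232.100 remote-as 300
 neighbor 172.16.232.100 peer-group external-peers
 neighbor 172.16.232.110 remote-as 400
 neighbor 172.16.232.110 peer-group external-peers
 neighbor 172.16.232.110 filter-list 400 in
"""


def _setting(words):
    """Map the words after 'neighbor <target>' to a (key, value) pair."""
    command, args = words[0], words[1:]
    if command in DIRECTIONAL and args and args[-1] in ("in", "out"):
        return f"{command} {args[-1]}", " ".join(args[:-1])
    return command, " ".join(args) or True


def parse_neighbors(config_text):
    """Return (peer group names, {member: group}, {target: {key: value}})."""
    groups, members, settings = set(), {}, {}
    for raw in config_text.splitlines():
        words = raw.split()
        if len(words) < 3 or words[0] != "neighbor":
            continue  # "no" forms and address-family scoping are not modelled
        target, rest = words[1], words[2:]
        if rest == ["peer-group"]:
            groups.add(target)             # neighbor NAME peer-group
        elif rest[0] == "peer-group":
            members[target] = rest[1]      # neighbor ADDR peer-group NAME
        else:
            key, value = _setting(rest)
            settings.setdefault(target, {})[key] = value
    return groups, members, settings


def effective_policy(config_text):
    """Resolve each neighbor's settings after peer group inheritance."""
    groups, members, settings = parse_neighbors(config_text)
    policy = {}
    for neighbor in dict.fromkeys(list(members) + list(settings)):
        if neighbor in groups:
            continue
        inherited = settings.get(members.get(neighbor), {})
        merged, ignored = dict(inherited), {}
        for key, value in settings.get(neighbor, {}).items():
            if key in ALWAYS_INHERITED and key in inherited:
                ignored[key] = value       # the peer group's value is kept
            else:
                merged[key] = value        # member override, e.g. inbound filter
        policy[neighbor] = {"peer-group": members.get(neighbor),
                            "settings": merged, "ignored": ignored}
    return policy


def without_inbound_filter(policy):
    """Neighbors whose effective settings contain no inbound filter at all."""
    return [n for n, entry in policy.items()
            if not INBOUND_KEYS & set(entry["settings"])]
```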
Related Commands
neighbor remote-as
To add an entry to the BGP or multiprotocol BGP neighbor table, use the neighbor remote-as command in router configuration mode. To remove an entry from the table, use the no form of this command.
neighbor {ip-address | ipv6-address[%] | peer-group-name} remote-as autonomous-system-number [alternate-as autonomous-system-number ...]
no neighbor {ip-address | ipv6-address[%] | peer-group-name} remote-as autonomous-system-number [alternate-as autonomous-system-number ...]
Syntax Description
Command Default
There are no BGP or multiprotocol BGP neighbor peers.
Command Modes
Router configuration (config-router)
Command History
Usage Guidelines
Specifying a neighbor with an autonomous system number that matches the autonomous system number specified in the router bgp global configuration command identifies the neighbor as internal to the local autonomous system. Otherwise, the neighbor is considered external.
If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group will inherit the characteristic configured with this command.
By default, neighbors that are defined using the neighbor remote-as command in router configuration mode exchange only unicast address prefixes. To exchange other address prefix types, such as multicast and Virtual Private Network (VPN) Version 4, neighbors must also be activated in the appropriate address family configuration mode.
Use the alternate-as keyword introduced in Cisco IOS Release 12.2(33)SXH to specify up to five alternate autonomous systems in which a dynamic BGP neighbor may be identified. BGP dynamic neighbor support allows BGP peering to a group of remote neighbors that are defined by a range of IP addresses. BGP dynamic neighbors are configured using a range of IP addresses and BGP peer groups. After a subnet range is configured and associated with a BGP peer group using the bgp listen command and a TCP session is initiated for an IP address in the subnet range, a new BGP neighbor is dynamically created as a member of that group. The new BGP neighbor will inherit any configuration or templates for the group.
The % keyword is used whenever link-local IPv6 addresses are used outside the context of their interfaces. This keyword does not need to be used for non-link-local IPv6 addresses.
In Cisco IOS Release 12.0(32)SY8, 12.0(33)S3, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI1, Cisco IOS XE Release 2.4, and later releases, the Cisco implementation of 4-byte autonomous system numbers uses asplain—65538 for example—as the default regular expression match and output display format for autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the asplain format and the asdot format as described in RFC 5396. To change the default regular expression match and output display of 4-byte autonomous system numbers to asdot format, use the bgp asnotation dot command followed by the clear ip bgp * command to perform a hard reset of all current BGP sessions.
In Cisco IOS Release 12.0(32)S12, 12.4(24)T, and Cisco IOS XE Release 2.3, the Cisco implementation of 4-byte autonomous system numbers uses asdot—1.2 for example—as the only configuration format, regular expression match, and output display, with no asplain support.
Note: In Cisco IOS releases that include 4-byte ASN support, command accounting and command authorization that include a 4-byte ASN number are sent in the asplain notation irrespective of the format that is used on the command-line interface.
To ensure a smooth transition, we recommend that all BGP speakers within an autonomous system that is identified using a 4-byte autonomous system number be upgraded to support 4-byte autonomous system numbers.
Examples
The following example specifies that a router at the address 10.108.1.2 is an internal BGP (iBGP) neighbor in autonomous system number 65200:
router bgp 65200
network 10.108.0.0
neighbor 10.108.1.2 remote-as 65200
The following example specifies that a router at the IPv6 address 2001:0DB8:1:1000::72a is an external BGP (eBGP) neighbor in autonomous system number 65001:
router bgp 65300
address-family ipv6 vrf site1
neighbor 2001:0DB8:1:1000::72a remote-as 65001
The following example assigns a BGP router to autonomous system 65400, and two networks are listed as originating in the autonomous system. Then the addresses of three remote routers (and their autonomous systems) are listed. The router being configured will share information about networks 10.108.0.0 and 192.168.7.0 with the neighbor routers. The first router is a remote router in a different autonomous system from the router on which this configuration is entered (an eBGP neighbor); the second neighbor remote-as command shows an internal BGP neighbor (with the same autonomous system number) at address 10.108.234.2; and the last neighbor remote-as command specifies a neighbor on a different network from the router on which this configuration is entered (also an eBGP neighbor).
router bgp 65400
network 10.108.0.0
network 192.168.7.0
neighbor 10.108.200.1 remote-as 65200
neighbor 10.108.234.2 remote-as 65400
neighbor 172.29.64.19 remote-as 65300
The following example configures neighbor 10.108.1.1 in autonomous system 65001 to exchange only multicast routes:
router bgp 65001
neighbor 10.108.1.1 remote-as 65001
neighbor 172.31.1.2 remote-as 65001
neighbor 172.16.2.2 remote-as 65002
address-family ipv4 multicast
neighbor 10.108.1.1 activate
neighbor 172.31.1.2 activate
neighbor 172.16.2.2 activate
exit-address-family
The following example configures neighbor 10.108.1.1 in autonomous system 65001 to exchange only unicast routes:
router bgp 65001
neighbor 10.108.1.1 remote-as 65001
neighbor 172.31.1.2 remote-as 65001
neighbor 172.16.2.2 remote-as 65002
The following example, configurable only in Cisco IOS Release 12.2(33)SXH and later releases, configures a subnet range of 192.168.0.0/16 and associates this listen range with a BGP peer group. Note that the listen range peer group that is configured for the BGP dynamic neighbor feature can be activated in the IPv4 address family using the neighbor activate command. After the initial configuration on Router 1, when Router 2 starts a BGP router session and adds Router 1 to its BGP neighbor table, a TCP session is initiated, and Router 1 creates a new BGP neighbor dynamically because the IP address of the new neighbor is within the listen range subnet.
Router 1
enable
configure terminal
router bgp 45000
bgp log-neighbor-changes
neighbor group192 peer-group
bgp listen range 192.168.0.0/16 peer-group group192
neighbor group192 remote-as 40000 alternate-as 50000
address-family ipv4 unicast
neighbor group192 activate
end
Router 2
enable
configure terminal
router bgp 50000
neighbor 192.168.3.1 remote-as 45000
exit
If the show ip bgp summary command is now entered on Router 1, the output shows the dynamically created BGP neighbor, 192.168.3.2.
Router1# show ip bgp summary
BGP router identifier 192.168.3.1, local AS number 45000
BGP table version is 1, main routing table version 1
Neighbor V AS MsgRcvd MsgSent TblVer InQ OutQ Up/Down State/PfxRcd
*192.168.3.2 4 50000 2 2 0 0 0 00:00:37 0
* Dynamically created based on a listen range command
Dynamically created neighbors: 1/(200 max), Subnet ranges: 1
BGP peergroup group192 listen range group members:
192.168.0.0/16
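A listen range decides which source addresses and autonomous systems can create a BGP neighbor on the router without a per-neighbor statement, so it is worth reviewing as an access decision. The following Python sketch is an added example, not Cisco code: it models the acceptance rule described above against the Router 1 configuration. The function names are hypothetical, and only asplain AS numbers are handled.

```python
import ipaddress

# Router 1 configuration from the example above, embedded as sample input.
ROUTER1_CONFIG = """\
router bgp 45000
 bgp log-neighbor-changes
 neighbor group192 peer-group
 bgp listen range 192.168.0.0/16 peer-group group192
 neighbor group192 remote-as 40000 alternate-as 50000
 address-family ipv4 unicast
 neighbor group192 activate
"""


def parse_listen_config(config_text):
    """Return ([(network, peer group)], {peer group: set of accepted AS numbers})."""
    ranges, allowed_as = [], {}
    for raw in config_text.splitlines():
        words = raw.split()
        if (words[:3] == ["bgp", "listen", "range"] and len(words) == 6
                and words[4] == "peer-group"):
            ranges.append((ipaddress.ip_network(words[3]), words[5]))
        elif len(words) >= 4 and words[0] == "neighbor" and words[2] == "remote-as":
            numbers = {int(words[3])}
            if "alternate-as" in words:
                # Every number after alternate-as is an additional accepted AS.
                start = words.index("alternate-as") + 1
                numbers.update(int(word) for word in words[start:])
            allowed_as[words[1]] = numbers
    return ranges, allowed_as


def dynamic_peer_groups(config_text, source_ip, peer_as):
    """Peer groups in which a session from source_ip/peer_as creates a neighbor."""
    ranges, allowed_as = parse_listen_config(config_text)
    address = ipaddress.ip_address(source_ip)
    return [group for network, group in ranges
            if address.version == network.version
            and address in network
            and peer_as in allowed_as.get(group, set())]


def listen_exposure(config_text):
    """Summarise each listen range: prefix, group, address count, accepted AS list."""
    ranges, allowed_as = parse_listen_config(config_text)
    return [(str(network), group, network.num_addresses,
             sorted(allowed_as.get(group, set())))
            for network, group in ranges]
```

For the Router 1 configuration, a session from 192.168.3.2 in autonomous system 50000 matches group192 through the alternate-as value, which corresponds to the dynamically created neighbor in the show ip bgp summary output.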
The following example configures a BGP process for autonomous system 65538 and configures two external BGP neighbors in different autonomous systems using 4-byte autonomous system numbers in asplain format. This example is supported only on Cisco IOS Release 12.0(32)SY8, 12.0(33)S3, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI1, Cisco IOS XE Release 2.4, or later releases.
router bgp 65538
neighbor 192.168.1.2 remote-as 65536
neighbor 192.168.3.2 remote-as 65550
neighbor 192.168.3.2 description finance
!
address-family ipv4
neighbor 192.168.1.2 activate
neighbor 192.168.3.2 activate
no auto-summary
no synchronization
network 172.17.1.0 mask 255.255.255.0
exit-address-family
The following example configures a BGP process for autonomous system 1.2 and configures two external BGP neighbors in different autonomous systems using 4-byte autonomous system numbers in asdot format. This example requires Cisco IOS Release 12.0(32)SY8, 12.0(32)S12, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI1, 12.4(24)T, Cisco IOS XE Release 2.3, or a later release.
router bgp 1.2
neighbor 192.168.1.2 remote-as 1.0
neighbor 192.168.3.2 remote-as 1.14
neighbor 192.168.3.2 description finance
!
address-family ipv4
neighbor 192.168.1.2 activate
neighbor 192.168.3.2 activate
no auto-summary
no synchronization
network 172.17.1.0 mask 255.255.255.0
exit-address-family
Related Commands
neighbor route-map
To apply a route map to incoming or outgoing routes, use the neighbor route-map command in address family or router configuration mode. To remove a route map, use the no form of this command.
neighbor {ip-address | peer-group-name | ipv6-address [%]} route-map map-name {in | out}
no neighbor {ip-address | peer-group-name | ipv6-address [%]} route-map map-name {in | out}
Syntax Description
Command Default
No route maps are applied to a peer.
Command Modes
Router configuration (config-router)
Command History
Usage Guidelines
When specified in address family configuration mode, this command applies a route map to that particular address family only. When specified in router configuration mode, this command applies a route map to IPv4 or IPv6 unicast routes only.
If an outbound route map is specified, it is proper behavior to only advertise routes that match at least one section of the route map.
If you specify a BGP or multiprotocol BGP peer group by using the peer-group-name argument, all the members of the peer group will inherit the characteristic configured with this command. Specifying the command for a neighbor overrides the inbound policy that is inherited from the peer group.
The % keyword is used whenever link-local IPv6 addresses are used outside the context of their interfaces. This keyword does not need to be used for non-link-local IPv6 addresses.
Examples
The following router configuration mode example applies a route map named internal-map to a BGP incoming route from 172.16.70.24:
router bgp 5
neighbor 172.16.70.24 route-map internal-map in
route-map internal-map
match as-path 1
set local-preference 100
The following address family configuration mode example applies a route map named internal-map to a multiprotocol BGP incoming route from 172.16.70.24:
router bgp 5
address-family ipv4 multicast
neighbor 172.16.70.24 route-map internal-map in
route-map internal-map
match as-path 1
set local-preference 100
Related Commands
neighbor route-reflector-client
To configure the router as a BGP route reflector and configure the specified neighbor as its client, use the neighbor route-reflector-client command in address family or router configuration mode. To indicate that the neighbor is not a client, use the no form of this command.
neighbor {ip-address | ipv6-address | peer-group-name} route-reflector-client
no neighbor {ip-address | ipv6-address | peer-group-name} route-reflector-client
Syntax Description
| | |
|---|---|
| ip-address | IP address of the BGP neighbor being identified as a client. |
| ipv6-address | IPv6 address of the BGP neighbor being identified as a client. |
| peer-group-name | Name of a BGP peer group. |
Command Default
There is no route reflector in the autonomous system.
Command Modes
Address family configuration (config-router-af)
Router configuration (config-router)
Command History
Usage Guidelines
By default, all internal BGP (iBGP) speakers in an autonomous system must be fully meshed, and neighbors do not readvertise iBGP learned routes to neighbors, thus preventing a routing information loop. When all the clients are disabled, the local router is no longer a route reflector.
If you use route reflectors, all iBGP speakers need not be fully meshed. In the route reflector model, an Interior BGP peer is configured to be a route reflector responsible for passing iBGP learned routes to iBGP neighbors. This scheme eliminates the need for each router to talk to every other router.
Use the neighbor route-reflector-client command to configure the local router as the route reflector and the specified neighbor as one of its clients. All the neighbors configured with this command will be members of the client group and the remaining iBGP peers will be members of the nonclient group for the local route reflector.
The bgp client-to-client reflection command controls client-to-client reflection.
Examples
In the following router configuration mode example, the local router is a route reflector. It passes learned iBGP routes to the neighbor at 172.16.70.24.
router bgp 5
neighbor 172.16.70.24 route-reflector-client
In the following address family configuration mode example, the local router is a route reflector. It passes learned iBGP routes to the neighbor at 172.16.70.24.
router bgp 5
address-family ipv4 unicast
neighbor 172.16.70.24 route-reflector-client
Related Commands
neighbor send-community
To specify that a communities attribute should be sent to a BGP neighbor, use the neighbor send-community command in address family or router configuration mode. To remove the entry, use the no form of this command.
neighbor {ip-address | ipv6-address | peer-group-name} send-community [both | standard | extended]
no neighbor {ip-address | ipv6-address | peer-group-name} send-community
Syntax Description
Command Default
No communities attribute is sent to any neighbor.
Command Modes
Address family configuration (config-router-af)
Router configuration (config-router)
Command History
Usage Guidelines
If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group will inherit the characteristic configured with this command.
Examples
In the following router configuration mode example, the router belongs to autonomous system 109 and is configured to send the communities attribute to its neighbor at IP address 172.16.70.23:
router bgp 109
neighbor 172.16.70.23 send-community
In the following address family configuration mode example, the router belongs to autonomous system 109 and is configured to send the communities attribute to its neighbor at IP address 172.16.70.23:
router bgp 109
address-family ipv4 multicast
neighbor 172.16.70.23 send-community
Related Commands
neighbor send-label
To enable a Border Gateway Protocol (BGP) router to send Multiprotocol Label Switching (MPLS) labels with BGP routes to a neighboring BGP router, use the neighbor send-label command in address family configuration mode or router configuration mode. To disable this feature, use the no form of this command.
neighbor {ip-address | ipv6-address | peer-group-name} send-label [explicit-null]
no neighbor {ip-address | ipv6-address | peer-group-name} send-label [explicit-null]
Syntax Description
Command Default
BGP routers distribute only BGP routes.
Command Modes
Address family configuration (config-router-af)
Router configuration (config-router)
Command History
Usage Guidelines
The neighbor send-label command enables a router to use BGP to distribute MPLS labels along with IPv4 routes to a peer router. You must issue this command on both the local and the neighboring router.
This command has the following restrictions:
• If a BGP session is running when you issue the neighbor send-label command, the BGP session flaps immediately after the command is issued.
• In router configuration mode, only IPv4 addresses are distributed.
Use the neighbor send-label command in address family configuration mode to bind and advertise IPv6 prefix MPLS labels. Using this command in conjunction with the mpls ipv6 source-interface global configuration command allows IPv6 traffic to run over an IPv4 MPLS network without any software or hardware configuration changes in the backbone. Edge routers configured to run both IPv4 and IPv6 traffic forward IPv6 traffic using MPLS and multiprotocol internal BGP (MP-iBGP).
Cisco IOS software installs /32 routes for directly connected external BGP (eBGP) peers when the BGP session for such a peer comes up. The /32 routes are installed only when MPLS labels are exchanged between such peers. Directly connected eBGP peers exchange MPLS labels for:
• IP address families (IPv4 and IPv6) with the neighbor send-label command enabled for the peers
• VPN address families (VPNv4 and VPNv6)
A single BGP session can include multiple address families. If one of the families exchanges MPLS labels, the /32 neighbor route is installed for the connected peer.
Examples
The following example shows how to enable a router in autonomous system 65000 to send MPLS labels with BGP routes to the neighboring BGP router at 192.168.0.1:
Router(config)# router bgp 65000
Router(config-router)# neighbor 192.168.0.1 remote-as 65001
Router(config-router)# neighbor 192.168.0.1 send-label
The following example shows how to enable a router in the autonomous system 65000 to bind and advertise IPv6 prefix MPLS labels and send the labels with BGP routes to the neighboring BGP router at 192.168.99.70:
Router(config)# router bgp 65000
Router(config-router)# neighbor 192.168.99.70 remote-as 65000
Router(config-router)# address-family ipv6
Router(config-router-af)# neighbor 192.168.99.70 activate
Router(config-router-af)# neighbor 192.168.99.70 send-label
Related Commands
neighbor translate-update
To generate multiprotocol IPv6 Border Gateway Protocol (BGP) updates that correspond to unicast IPv6 updates received from a peer, use the neighbor translate-update command in address family or router configuration mode. To return to default values, use the no form of the command.
neighbor ipv6-address translate-update ipv6 multicast [unicast]
no neighbor ipv6-address translate-update ipv6 multicast [unicast]
Syntax Description
Command Default
No BGP updates for unicast IPv6 are updated.
Command Modes
Address family configuration
Router configuration
Command History
Usage Guidelines
The multicast BGP (MBGP) translate-update feature generally is used in an MBGP-capable router that peers with a customer site that has a router that is only BGP capable; the customer site has not or cannot upgrade the router to an MBGP-capable image. Because the customer site cannot originate MBGP advertisements, the router with which it peers will translate the BGP prefixes into MBGP prefixes, which are used for multicast-source Reverse Path Forwarding (RPF) lookup.
Examples
The following example generates multiprotocol IPv6 BGP updates that correspond to unicast IPv6 updates received from the peer at address 7000::2:
neighbor 7000::2 translate-update ipv6 multicast
neighbor update-source
To have the Cisco IOS software allow Border Gateway Protocol (BGP) sessions to use any operational interface for TCP connections, use the neighbor update-source command in router configuration mode. To restore the interface assignment to the closest interface, which is called the best local address, use the no form of this command.
neighbor {ip-address | ipv6-address[%] | peer-group-name} update-source interface-type interface-number
no neighbor {ip-address | ipv6-address[%] | peer-group-name} update-source interface-type interface-number
Syntax Description
Command Default
Best local address
Command Modes
Router configuration (config-router)
Command History
Usage Guidelines
This command can work in conjunction with the loopback interface feature described in the "Interface Configuration Overview" chapter of the Cisco IOS Interface and Hardware Component Configuration Guide.
If you specify a BGP peer group by using the peer-group-name argument, all the members of the peer group will inherit the characteristic configured with this command.
The neighbor update-source command must be used to enable IPv6 link-local peering for internal or external BGP sessions.
The % keyword is used whenever link-local IPv6 addresses are used outside the context of their interfaces; for these link-local IPv6 addresses you must specify the interface they are on. The syntax becomes <IPv6 local-link address>%<interface name>, for example, FE80::1%Ethernet1/0. Note that the interface type and number must not contain any spaces and must be given in full-length form, because name shortening is not supported in this situation. The % keyword and subsequent interface syntax are not used for non-link-local IPv6 addresses.
Examples
The following example sources BGP TCP connections for the specified neighbor with the IP address of the loopback interface rather than the best local address:
router bgp 65000
network 172.16.0.0
neighbor 172.16.2.3 remote-as 110
neighbor 172.16.2.3 update-source Loopback0
The following example sources IPv6 BGP TCP connections for the specified neighbor in autonomous system 65000 with the global IPv6 address of loopback interface 0 and the specified neighbor in autonomous system 65400 with the link-local IPv6 address of Fast Ethernet interface 0/0. Note that the link-local IPv6 address of FE80::2 is on Ethernet interface 1/0.
router bgp 65000
neighbor 3ffe::3 remote-as 65000
neighbor 3ffe::3 update-source Loopback0
neighbor fe80::2%Ethernet1/0 remote-as 65400
neighbor fe80::2%Ethernet1/0 update-source FastEthernet 0/0
address-family ipv6
neighbor 3ffe::3 activate
neighbor fe80::2%Ethernet1/0 activate
exit-address-family
Related Commands
| Command | Description |
|---|---|
| neighbor activate | Enables the exchange of information with a BGP neighboring router. |
| neighbor remote-as | Adds an entry to the BGP or multiprotocol BGP neighbor table. |
network (BGP and multiprotocol BGP)
To specify the networks to be advertised by the Border Gateway Protocol (BGP) and multiprotocol BGP routing processes, use the network command in address family or router configuration mode. To remove an entry from the routing table, use the no form of this command.
network {network-number [mask network-mask] | nsap-prefix} [route-map map-tag]
no network {network-number [mask network-mask] | nsap-prefix} [route-map map-tag]
Syntax Description
Command Default
No networks are specified.
Command Modes
Address family configuration (config-router-af)
Router configuration (config-router)
Command History
Usage Guidelines
BGP and multiprotocol BGP networks can be learned from connected routes, from dynamic routing, and from static route sources.
The maximum number of network commands you can use is determined by the resources of the router, such as the configured NVRAM or RAM.
Examples
The following example sets up network 10.108.0.0 to be included in the BGP updates:
router bgp 65100
network 10.108.0.0
The following example sets up network 10.108.0.0 to be included in the multiprotocol BGP updates:
router bgp 64800
address-family ipv4 multicast
network 10.108.0.0
The following example advertises NSAP prefix 49.6001 in the multiprotocol BGP updates:
router bgp 64500
address-family nsap
network 49.6001
Related Commands
network (IPv6)
To configure the network source of the next hop to be used by the PE VPN, use the network command in router configuration mode. To disable the source, use the no form of this command.
network ipv6-address/prefix-length
no network ipv6-address/prefix-length
Syntax Description
Command Default
Next-hop network sources are not configured.
Command Modes
Address family configuration
Router configuration
Command History
Usage Guidelines
The ipv6-address argument in this command configures the IPv6 network number.
Examples
The following example places the router in address family configuration mode and configures the network source to be used as the next hop:
Router(config)# router bgp 100
Router(config-router)# network 2001:DB8:100::1/128
Related Commands
nis address
To specify the network information service (NIS) address of an IPv6 server to be sent to the client, use the nis address command in DHCP for IPv6 pool configuration mode. To remove the NIS address, use the no form of this command.
nis address ipv6-address
no nis address ipv6-address
Syntax Description
| | |
|---|---|
| ipv6-address | The NIS address of an IPv6 server to be sent to the client. |
Command Default
No NIS address is specified.
Command Modes
IPv6 DHCP pool configuration
Command History
Usage Guidelines
The Dynamic Host Configuration Protocol (DHCP) for IPv6 for stateless configuration allows a DHCP for IPv6 client to export configuration parameters (that is, DHCP for IPv6 options) to a local DHCP for IPv6 server pool. The local DHCP for IPv6 server can then provide the imported configuration parameters to other DHCP for IPv6 clients.
The NIS server option provides a list of one or more IPv6 addresses of NIS servers available to send to the client. The client must view the list of NIS servers as an ordered list, and the server may list the NIS servers in the order of the server's preference.
The NIS server option code is 27. For more information on DHCP options and suboptions, see the "DHCPv6 Options" appendix in the Network Registrar User's Guide, Release 6.2.
Examples
The following example shows how to specify the NIS address of an IPv6 server:
nis address 23::1
Related Commands
| Command | Description |
|---|---|
| import nis address | Imports the NIS server option to a DHCP for IPv6 client. |
| nis domain-name | Enables a server to convey a client's NIS domain name information to the client. |
nis domain-name
To enable a server to convey a client's network information service (NIS) domain name information to the client, use the nis domain-name command in DHCP for IPv6 pool configuration mode. To remove the domain name, use the no form of this command.
nis domain-name domain-name
no nis domain-name domain-name
Syntax Description
| | |
|---|---|
| domain-name | The domain name of an IPv6 server to be sent to the client. |
Command Default
No NIS domain name is specified.
Command Modes
IPv6 DHCP pool configuration
Command History
Usage Guidelines
The Dynamic Host Configuration Protocol (DHCP) for IPv6 for stateless configuration allows a DHCP for IPv6 client to export configuration parameters (that is, DHCP for IPv6 options) to a local DHCP for IPv6 server pool. The local DHCP for IPv6 server can then provide the imported configuration parameters to other DHCP for IPv6 clients.
The NIS domain name option provides a NIS domain name for the client. Use the nis domain-name command to specify the client's NIS domain name that the server sends to the client.
The NIS domain name option code is 29. For more information on DHCP options and suboptions, see the "DHCPv6 Options" appendix in the Network Registrar User's Guide, Release 6.2.
Examples
The following example shows how to enable the IPv6 server to specify the NIS domain name of a client:
nis domain-name cisco1.com
Related Commands
| Command | Description |
|---|---|
| import nis domain | Imports the NIS domain name option to a DHCP for IPv6 client. |
| nis address | Specifies the NIS address of an IPv6 server to be sent to the client. |
nisp address
To specify the network information service plus (NIS+) address of an IPv6 server to be sent to the client, use the nisp address command in DHCP for IPv6 pool configuration mode. To remove the NIS+ address, use the no form of the command.
nisp address ipv6-address
no nisp address ipv6-address
Syntax Description
| | |
|---|---|
| ipv6-address | The NIS+ address of an IPv6 server to be sent to the client. |
Command Default
No NIS+ address is specified.
Command Modes
IPv6 DHCP pool configuration
Command History
Usage Guidelines
The Dynamic Host Configuration Protocol (DHCP) for IPv6 for stateless configuration allows a DHCP for IPv6 client to export configuration parameters (that is, DHCP for IPv6 options) to a local DHCP for IPv6 server pool. The local DHCP for IPv6 server can then provide the imported configuration parameters to other DHCP for IPv6 clients.
The NIS+ servers option provides a list of one or more IPv6 addresses of NIS+ servers available to send to the client. The client must view the list of NIS+ servers as an ordered list, and the server may list the NIS+ servers in the order of the server's preference.
The NIS+ servers option code is 28. For more information on DHCP options and suboptions, see the "DHCPv6 Options" appendix in the Network Registrar User's Guide, Release 6.2.
Examples
The following example shows how to specify the NIS+ address of an IPv6 server:
nisp address 33::1
Related Commands
| Command | Description |
|---|---|
| import nisp address | Imports the NIS+ servers option to a DHCP for IPv6 client. |
| nisp domain-name | Enables a server to convey a client's NIS+ domain name information to the client. |
nisp domain-name
To enable an IPv6 server to convey a client's network information service plus (NIS+) domain name information to the client, use the nisp domain-name command in DHCP for IPv6 pool configuration mode. To remove the domain name, use the no form of this command.
nisp domain-name domain-name
no nisp domain-name domain-name
Syntax Description
| | |
|---|---|
| domain-name | The NIS+ domain name of an IPv6 server to be sent to the client. |
Command Default
No NIS+ domain name is specified.
Command Modes
IPv6 DHCP pool configuration
Command History
Usage Guidelines
The Dynamic Host Configuration Protocol (DHCP) for IPv6 for stateless configuration allows a DHCP for IPv6 client to export configuration parameters (that is, DHCP for IPv6 options) to a local DHCP for IPv6 server pool. The local DHCP for IPv6 server can then provide the imported configuration parameters to other DHCP for IPv6 clients.
The NIS+ domain name option provides a NIS+ domain name for the client. Use the nisp domain-name command to enable a server to send the client its NIS+ domain name information.
The NIS+ domain name option code is 30. For more information on DHCP options and suboptions, see the "DHCPv6 Options" appendix in the Network Registrar User's Guide, Release 6.2.
Examples
The following example shows how to enable the IPv6 server to specify the NIS+ domain name of a client:
nisp domain-name cisco1.com
Related Commands
| Command | Description |
|---|---|
| import nisp domain | Imports the NIS+ domain name option to a DHCP for IPv6 client. |
| nisp address | Specifies the NIS+ address of an IPv6 server to be sent to the client. |
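The nis and nisp commands above populate DHCPv6 options 27 to 30. The parser below is an added example, not Cisco code, for checking those options in a captured payload. It assumes the RFC 3898 layout (2-byte code, 2-byte length, then 16-byte IPv6 addresses or a DNS-encoded name without compression); the sample buffer is constructed from this page's example values.

```python
import ipaddress
import struct

# Option codes as stated on this page, mapped to the command that sets them.
SERVER_OPTIONS = {27: "nis address", 28: "nisp address"}
DOMAIN_OPTIONS = {29: "nis domain-name", 30: "nisp domain-name"}


def decode_domain(data):
    """Decode one DNS-encoded name (length-prefixed labels, zero terminator)."""
    labels = []
    i = 0
    while True:
        if i >= len(data):
            raise ValueError("domain name is not terminated")
        length = data[i]
        i += 1
        if length == 0:
            break
        if length > 63:
            # Values above 63 would be compression pointers, which are not allowed here.
            raise ValueError("invalid label length %d" % length)
        if i + length > len(data):
            raise ValueError("label overruns the option")
        labels.append(data[i:i + length].decode("ascii"))
        i += length
    if i != len(data):
        raise ValueError("trailing bytes after domain name")
    return ".".join(labels)


def decode_servers(data):
    """Decode an ordered list of 16-byte IPv6 addresses."""
    if not data or len(data) % 16:
        raise ValueError("server list must be a non-empty multiple of 16 bytes")
    return [str(ipaddress.IPv6Address(data[i:i + 16]))
            for i in range(0, len(data), 16)]


def parse_nis_options(buf):
    """Walk a DHCPv6 options area and return the NIS/NIS+ options found."""
    found = {}
    offset = 0
    while offset < len(buf):
        if len(buf) - offset < 4:
            raise ValueError("truncated option header")
        code, length = struct.unpack_from("!HH", buf, offset)
        offset += 4
        if length > len(buf) - offset:
            raise ValueError("option %d overruns the buffer" % code)
        payload = buf[offset:offset + length]
        offset += length
        if code in SERVER_OPTIONS:
            found[SERVER_OPTIONS[code]] = decode_servers(payload)
        elif code in DOMAIN_OPTIONS:
            found[DOMAIN_OPTIONS[code]] = decode_domain(payload)
        # Any other option is skipped using its declared length.
    return found


def build_option(code, payload):
    """Helper used only to construct the sample buffer."""
    return struct.pack("!HH", code, len(payload)) + payload


# Constructed sample: the values come from the examples on this page.
SAMPLE = (
    build_option(27, ipaddress.IPv6Address("23::1").packed)
    + build_option(29, b"\x06cisco1\x03com\x00")
    + build_option(28, ipaddress.IPv6Address("33::1").packed)
    + build_option(30, b"\x06cisco1\x03com\x00")
    + build_option(23, ipaddress.IPv6Address("2001:db8::53").packed)  # unrelated option
)

if __name__ == "__main__":
    for command, value in parse_nis_options(SAMPLE).items():
        print(command, value)
```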
ntp access-group
To control access to the Network Time Protocol (NTP) services on the system, use the ntp access-group command in global configuration mode. To remove access control to the NTP services, use the no form of this command.
ntp access-group {peer | query-only | serve | serve-only} {access-list-number | access-list-number-expanded | access-list-name} [kod]
no ntp [access-group {peer | query-only | serve | serve-only} {access-list-number | access-list-number-expanded | access-list-name}]
Syntax Description
Command Default
By default, there is no access control. Full access is granted to all systems.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The access group options are scanned in the following order, from the least restrictive to the most restrictive:
1. peer
2. query-only
3. serve
4. serve-only
Access is granted for the first match that is found. If no access groups are specified, all access is granted to all sources. If you specify any access groups, only the specified access is granted. This facility provides minimal security for the time services of the system. However, it can be circumvented by a determined programmer. If tighter security is desired, use the NTP authentication facility.
The NTP service can be activated by entering any ntp command. When you use the ntp access-group command, the NTP service is activated (if it has not already been activated) and access control to NTP services is configured simultaneously.
When you enter the no ntp access-group command, only access control to NTP services is removed. The NTP service itself remains active, along with any other previously configured NTP functions.
To disable the NTP service on a device, use the no ntp command without any keywords in global configuration mode. For example, if you want to remove not only the access control to NTP services, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
Examples
The following example shows how to configure a system to allow itself to be synchronized by a peer from access list 99. However, the system restricts access to allow only time requests from access list 42.
Router(config)# ntp access-group peer 99
Router(config)# ntp access-group serve-only 42
In the following IPv6 example, a KOD packet is sent to any host that tries to send a packet that is not compliant with the access-group policy:
Router(config)# ntp access-group serve acl1 kod
The following example shows how to remove all the configured NTP options and disable the NTP server:
Router(config)# no ntp
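The scan order from the usage guidelines can be modelled offline to see which access a given source address ends up with. This is an added example, not Cisco code: the access-list contents are constructed, a "match" is assumed to mean that the referenced standard ACL permits the source, and only IPv4 standard ACL lines are handled.

```python
import ipaddress

# Order in which the page says the access groups are scanned.
SCAN_ORDER = ("peer", "query-only", "serve", "serve-only")

# The two ntp access-group lines are the page's example; the access-list
# entries are constructed for illustration.
SAMPLE_CONFIG = """\
access-list 99 permit host 10.1.1.1
access-list 99 permit 10.1.2.0 0.0.0.255
access-list 42 deny host 192.168.5.66
access-list 42 permit 192.168.0.0 0.0.255.255
access-list 42 permit host 10.1.1.1
ntp access-group peer 99
ntp access-group serve-only 42
"""


def ip_to_int(text):
    return int(ipaddress.IPv4Address(text))


def parse(config):
    """Return (acls, groups) from standard ACL and ntp access-group lines."""
    acls, groups = {}, {}
    for line in config.splitlines():
        words = line.split()
        if words[:1] == ["access-list"] and len(words) >= 4:
            name, action, spec = words[1], words[2], words[3:]
            if spec[0] == "any":
                base, wild = 0, 0xFFFFFFFF
            elif spec[0] == "host":
                base, wild = ip_to_int(spec[1]), 0
            else:
                base = ip_to_int(spec[0])
                wild = ip_to_int(spec[1]) if len(spec) > 1 else 0
            acls.setdefault(name, []).append((action, base, wild))
        elif words[:2] == ["ntp", "access-group"] and len(words) >= 4:
            groups[words[2]] = words[3]
    return acls, groups


def acl_permits(entries, source):
    """First matching entry decides; no match is an implicit deny."""
    src = ip_to_int(source)
    for action, base, wild in entries:
        # Wildcard bits set to 1 are "don't care" bits.
        if ((src ^ base) & ~wild & 0xFFFFFFFF) == 0:
            return action == "permit"
    return False


def ntp_access(config, source):
    """Return the access keyword granted to source, 'full', or 'none'."""
    acls, groups = parse(config)
    if not groups:
        return "full"      # no access groups configured: all access is granted
    for keyword in SCAN_ORDER:
        name = groups.get(keyword)
        # Assumption: an access group naming an undefined ACL never matches.
        if name is not None and acl_permits(acls.get(name, []), source):
            return keyword  # access is granted for the first match
    return "none"


if __name__ == "__main__":
    for src in ("10.1.1.1", "192.168.7.9", "192.168.5.66", "203.0.113.5"):
        print(src, ntp_access(SAMPLE_CONFIG, src))
```

A source that is permitted by both access lists, such as 10.1.1.1 here, receives peer access because peer is scanned first.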
Related Commands
| Command | Description |
|---|---|
| access-list | Configures the access list mechanism for filtering frames by protocol type or vendor code. |
| ntp server | Allows the software clock to be synchronized by a time server. |
ntp authenticate
To enable Network Time Protocol (NTP) authentication, use the ntp authenticate command in global configuration mode. To disable the function, use the no form of this command.
ntp authenticate
no ntp [authenticate]
Syntax Description
This command has no arguments or keywords.
Command Default
By default, NTP authentication is not enabled.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use this command if you want to authenticate NTP. If this command is specified, the system will not synchronize to another system unless it carries one of the authentication keys specified in the ntp trusted-key global configuration command.
The NTP service can be activated by entering any ntp command. When you use the ntp authenticate command, the NTP service is activated (if it has not already been activated) and NTP authentication is enabled simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp authenticate command, only the NTP authentication is removed from the NTP service. The NTP service itself remains active, along with any other functions that you previously configured.
To disable the NTP service on a device, you must enter the no ntp command without any keywords in global configuration mode. For example, if you previously issued the ntp authenticate command and you now want to disable not only the authentication, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
Examples
The following example shows how to configure the system to synchronize only to systems that provide the authentication key 42 in their NTP packets:
Router(config)# ntp authenticate
Router(config)# ntp authentication-key 42 md5 aNiceKey
Router(config)# ntp trusted-key 42
The following example shows how to remove all the configured NTP options and disable the NTP server:
Router(config)# no ntp
Related Commands
| Command | Description |
|---|---|
| ntp authentication-key | Defines an authentication key for NTP. |
| ntp trusted-key | Authenticates the identity of a system to which NTP will synchronize. |
ntp authentication-key
To define an authentication key for Network Time Protocol (NTP), use the ntp authentication-key command in global configuration mode. To remove the authentication key for NTP, use the no form of this command.
ntp authentication-key number md5 key [encryption-type]
no ntp [authentication-key number]
Syntax Description
Command Default
No authentication key is defined for NTP.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use this command to define authentication keys for use with other NTP commands in order to provide a higher degree of security.
Note: When this command is written to NVRAM, the key is encrypted so that it is not displayed in the configuration.
When you configure the authentication key using the ntp authentication-key command or using the auto secure ntp command, if the length of the MD5 key exceeds 32 characters, an error message is displayed.
The NTP service can be activated by entering any ntp command. When you use the ntp authentication-key command, the NTP service is activated (if it has not already been activated) and the NTP authentication key is defined simultaneously.
When you enter the no ntp authentication-key command, only the NTP authentication key is removed from the NTP service. The NTP service itself remains active, along with any other previously configured NTP functions.
Note: If a specific authentication key configuration is removed, the NTP process is not stopped until all the authentication key configurations are removed.
To disable the NTP service on a device, use the no ntp command without any keywords in global configuration mode. For example, if you want to remove not only the access control to NTP services, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
Examples
The following example shows how to configure the system to synchronize only to systems providing the authentication key 42 in their NTP packets:
Router(config)# ntp authenticate
Router(config)# ntp authentication-key 42 md5 aNiceKey
Router(config)# ntp trusted-key 42
The following example shows how to remove all the configured NTP options and disable the NTP server:
Router(config)# no ntp
The following example shows the error message displayed when the authentication key character string length exceeds 32:
Router(config)# ntp authentication-key 23 md5 11111111111111111111111111111111111
%NTP: Key too long
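What "providing the authentication key 42 in their NTP packets" means on the wire, as an added example rather than Cisco code: with MD5 symmetric keys, NTP appends a 32-bit key ID and MD5(key || header) to the 48-byte header, and the receiver recomputes the digest with its own copy of the key. The sample header, key 7 and the order of the checks are constructed assumptions, and extension fields are not handled.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48       # fixed NTP header
MAC_LEN = 4 + 16      # 32-bit key ID + 128-bit MD5 digest
MAX_KEY_CHARS = 32    # limit stated on this page

# Constructed server-mode header: LI=0, VN=4, mode=4, stratum 2, poll 6,
# precision -20, remaining fields zeroed.
SAMPLE_HEADER = bytes([0x24, 2, 6, 0xEC]) + bytes(44)


class KeyStore:
    """Models the state built by ntp authentication-key and ntp trusted-key."""

    def __init__(self):
        self.keys = {}
        self.trusted = set()

    def authentication_key(self, number, key):
        if len(key) > MAX_KEY_CHARS:
            raise ValueError("%NTP: Key too long")
        self.keys[number] = key.encode("ascii")

    def trusted_key(self, number):
        self.trusted.add(number)


def md5_digest(key, header):
    return hashlib.md5(key + header).digest()


def sign(header, key_id, key):
    """Sender side: append key ID and digest to the header."""
    if len(header) != HEADER_LEN:
        raise ValueError("expected a 48-byte NTP header")
    return header + struct.pack("!I", key_id) + md5_digest(key, header)


def verify(packet, store):
    """Receiver side with ntp authenticate enabled: 'ok' or a rejection reason."""
    if len(packet) == HEADER_LEN:
        return "unauthenticated"
    if len(packet) != HEADER_LEN + MAC_LEN:
        return "malformed"
    header = packet[:HEADER_LEN]
    (key_id,) = struct.unpack("!I", packet[HEADER_LEN:HEADER_LEN + 4])
    received = packet[HEADER_LEN + 4:]
    if key_id not in store.keys:
        return "unknown-key"
    if key_id not in store.trusted:
        return "untrusted-key"
    expected = md5_digest(store.keys[key_id], header)
    # Constant-time comparison avoids leaking how many digest bytes matched.
    if not hmac.compare_digest(expected, received):
        return "bad-mac"
    return "ok"


def sample_store():
    """Key 42 is the page's example; key 7 is constructed and left untrusted."""
    store = KeyStore()
    store.authentication_key(42, "aNiceKey")
    store.authentication_key(7, "constructedKey")
    store.trusted_key(42)
    return store


if __name__ == "__main__":
    store = sample_store()
    print(verify(sign(SAMPLE_HEADER, 42, b"aNiceKey"), store))
    print(verify(sign(SAMPLE_HEADER, 7, b"constructedKey"), store))
    print(verify(SAMPLE_HEADER, store))
```

The digest covers only the key and the packet, so anyone holding the shared key can produce valid packets; the key ID selects which key to use and is not itself a secret.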
Related Commands
ntp broadcast client
To configure a device to receive Network Time Protocol (NTP) broadcast messages on a specified interface, use the ntp broadcast client command in interface configuration mode. To disable this capability, use the no form of this command.
ntp broadcast client [novolley]
no ntp [broadcast [client]]
Syntax Description
Command Default
By default, an interface is not configured to receive NTP broadcast messages.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use this command to allow the system to listen to broadcast packets on an interface-by-interface basis.
The NTP service can be activated by entering any ntp command. When you use the ntp broadcast client command, the NTP service is activated (if it has not already been activated) and the device is configured to receive NTP broadcast packets on a specified interface simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp broadcast client command, only the broadcast client configuration is removed from the NTP service. The NTP service itself remains active, along with any other functions that you previously configured.
To disable the NTP service on a device, you must enter the no ntp command without any keywords. For example, if you previously issued the ntp broadcast client command and you now want to remove not only the broadcast client capability, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
In IPv6 configuration, the ntp broadcastdelay command is used when the ntp broadcast client or ntp multicast client command is configured with the novolley keyword.
Examples
In the following example, the system is configured to receive (listen to) NTP broadcasts on Ethernet interface 1:
Router(config)# interface ethernet 1
Router(config-if)# ntp broadcast client
The following example shows how to remove all the configured NTP options and disable the NTP server:
Router(config)# no ntp
Related Commands
ntp broadcastdelay
To set the estimated round-trip delay between the Cisco IOS software and a Network Time Protocol (NTP) broadcast server, use the ntp broadcastdelay command in global configuration mode. To revert to the default value, use the no form of this command.
ntp broadcastdelay microseconds
no ntp [broadcastdelay]
Syntax Description
microseconds | Estimated round-trip time (in microseconds) for NTP broadcasts. The range is from 1 to 999999.
Command Default
By default, the round-trip delay between the Cisco IOS software and an NTP broadcast server is 3000 microseconds.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the ntp broadcastdelay command when the router is configured as a broadcast client and the round-trip delay on the network is other than 3000 microseconds. In IPv6, the value set by this command should be used only when the ntp broadcast client and ntp multicast client commands have the novolley keyword enabled.
The NTP service can be activated by entering any ntp command. When you use the ntp broadcastdelay command, the NTP service is activated (if it has not already been activated) and the estimated round-trip delay between the Cisco IOS software and an NTP broadcast server is set simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp broadcastdelay command, only the estimated round-trip delay between the Cisco IOS software and an NTP broadcast server is removed from the NTP service. The NTP service itself remains active, along with any other functions you previously configured.
To disable the NTP service on a device, you must enter the no ntp command without any keywords in global configuration mode. For example, if you previously issued the ntp broadcastdelay command and you now want to remove not only the delay setting, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
Examples
The following example shows how to set the estimated round-trip delay between a router and the broadcast server to 5000 microseconds:
Router(config)# ntp broadcastdelay 5000
The following example shows how to remove all the configured NTP options and disable the NTP server:
Router(config)# no ntp
Related Commands
ntp disable
To prevent an interface from receiving Network Time Protocol (NTP) packets, use the ntp disable command in interface configuration mode. To enable the receipt of NTP packets on an interface, use the no form of this command.
ntp disable [ip | ipv6]
no ntp disable [ip | ipv6]
Syntax Description
ip | (Optional) Disables IP-based NTP traffic.
ipv6 | (Optional) Disables IPv6-based NTP traffic.
Command Default
By default, interfaces receive NTP packets.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
This command provides a simple method of access control.
Use the ntp disable command in interface configuration mode to configure an interface to reject NTP packets. If the ntp disable command is configured on an interface that does not have any NTP service running, the interface remains disabled even after the NTP service is started by another NTP configuration. When you use the ntp disable command without the ip or ipv6 keyword, NTP is disabled on the interface for all the address families.
When you enter the no ntp disable command in interface configuration mode, the interface that was configured to reject NTP packets is enabled to receive NTP packets.
Note: Remove all NTP commands from an interface before entering the ntp disable command on that interface.
Configuring the ntp disable command on an interface does not stop the NTP service. To disable the NTP service on a device, use the no ntp command without keywords in global configuration mode. For example, if you had previously issued the ntp disable command and you now want to remove not only this restriction, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
Examples
The following example shows how to prevent Ethernet interface 0 from receiving NTP packets:
Router(config)# interface ethernet 0
Router(config-if)# ntp disable
The following example shows the message displayed when you try to execute the ntp disable command on an interface that has other NTP commands configured on it:
Router(config-if)# ntp disable
%NTP: Unconfigure other NTP commands on this interface before executing 'ntp disable'
If you had previously issued the ntp disable command and you now want to remove not only this restriction, but also all NTP functions from the device, use the no ntp command without keywords in global configuration mode. The following example shows how to disable the NTP service on a device:
Router(config)# no ntp
Related Commands
Command | Description
---|---
ntp | Activates the NTP service.
ntp clear drift
To reset the drift value stored in the persistent data file, use the ntp clear drift command in privileged EXEC mode.
ntp clear drift
Syntax Description
This command has no arguments or keywords.
Command Default
The drift value stored in the persistent data file is not reset.
Command Modes
Privileged EXEC (#)
Command History
Usage Guidelines
The ntp clear drift command is used to reset the local clock drift value in the persistent data file. The drift is the frequency offset between the local clock hardware and the authoritative time from the Network Time Protocol version 4 (NTPv4) servers. NTPv4 automatically computes this drift and uses it to compensate permanently for local clock imperfections.
This command is available only when the NTP service is activated using any ntp command in global configuration mode.
Examples
The following example shows how to reset the drift value in the persistent data file:
Router# ntp clear drift
Related Commands
Command | Description
---|---
ntp | Activates the NTP service.
ntp logging
To enable Network Time Protocol (NTP) message logging, use the ntp logging command in global configuration mode. To disable NTP logging, use the no form of this command.
ntp logging
no ntp [logging]
Syntax Description
This command has no arguments or keywords.
Command Default
NTP message logging is disabled.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the ntp logging command to control the display of NTP logging messages.
The NTP service can be activated by entering any ntp command. When you use the ntp logging command, the NTP service is activated (if it has not already been activated) and message logging is enabled simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp logging command, only message logging is disabled in the NTP service. The NTP service itself remains active, along with any other functions that you previously configured.
To disable the NTP service on a device, you must enter the no ntp command without keywords. For example, if you previously issued the ntp logging command and you now want to disable not only the message logging, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
Examples
The following example shows how to enable NTP message logging and verify that it is enabled:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ntp logging
Router(config)# end
Router# show running-config | include ntp
ntp logging
ntp clock-period 17180152
ntp peer 10.0.0.1
ntp server 192.168.166.3
The following example shows how to disable NTP message logging and verify that it is disabled:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# no ntp logging
Router(config)# end
Router# show running-config | include ntp
ntp clock-period 17180152
ntp peer 10.0.0.1
ntp server 192.168.166.3
The following example shows how to remove all the configured NTP options and disable the NTP server:
Router(config)# no ntp
Related Commands
Command | Description
---|---
ntp peer | Configures the software clock to synchronize a peer or to be synchronized by a peer.
ntp server | Allows the software clock to be synchronized by an NTP time server.
ntp master
To configure the Cisco IOS software as a Network Time Protocol (NTP) master clock to which peers synchronize themselves when an external NTP source is not available, use the ntp master command in global configuration mode. To disable the master clock function, use the no form of this command.
ntp master [stratum]
no ntp [master]
Syntax Description
stratum | (Optional) Number from 1 to 15. Indicates the NTP stratum number that the system will claim.
Command Default
By default, the master clock function is disabled. When enabled, the default stratum is 8.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Because the Cisco implementation of NTP does not support directly attached radio or atomic clocks, the router is normally synchronized, directly or indirectly, to an external system that has such a clock. In a network without Internet connectivity, such a time source may not be available. The ntp master command is used in such cases.
A system with the ntp master command configured that cannot reach any clock with a lower stratum number will claim to be synchronized at the configured stratum number, and other systems will be willing to synchronize to it via NTP.
Note: The software clock must have been set from some source, including manual setting, before the ntp master command will have any effect. This protects against distributing erroneous time after the system is restarted.
The NTP service can be activated by entering any ntp command. When you use the ntp master command, the NTP service is activated (if it has not already been activated) and the Cisco IOS software is configured as an NTP master clock simultaneously. When you enter the no ntp master command, only the NTP master clock configuration is removed from the NTP service. The NTP service itself remains active, along with any other functions that you previously configured.
To disable the NTP service on a device, you must enter the no ntp command without any keywords in global configuration mode. For example, if you had previously issued the ntp master command and you now want to remove not only the master clock function, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
Examples
The following example shows how to configure a router as an NTP master clock to which peers may synchronize:
Router(config)# ntp master 10
The following example shows how to remove all the configured NTP options and disable the NTP server:
Router(config)# no ntp
Related Commands
Command | Description
---|---
clock calendar-valid | Configures the system hardware clock that is an authoritative time source for the network.
ntp max-associations
To configure the maximum number of Network Time Protocol (NTP) peers and clients for a routing device, use the ntp max-associations command in global configuration mode. To return the maximum associations value to the default, use the no form of this command.
ntp max-associations number
no ntp [max-associations]
Syntax Description
number | Number of NTP associations. The range is from 1 to 4294967295. The default is 100. In the Cisco IOS Release 12.2SX train, the range is from 0 to 4294967295.
Command Default
The maximum association value of NTP peers and clients is 100.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the ntp max-associations command to set the maximum number of NTP peer and client associations that the router will serve.
The ntp max-associations command is useful for ensuring that the router is not overwhelmed by NTP synchronization requests. For an NTP master server, this command is useful for allowing numerous devices to synchronize to a router.
The NTP service can be activated by entering any ntp command. When you use the ntp max-associations command, the NTP service is activated (if it has not already been activated) and the maximum number of NTP peers and clients is configured simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp max-associations command, only the maximum number value is removed from the NTP service. The NTP service itself remains active, along with any other functions that you previously configured.
To disable the NTP service on a device, you must enter the no ntp command without any keywords in global configuration mode. For example, if you previously issued the ntp max-associations command and you now want to remove not only that maximum value, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
Note: By default, the previous configuration values are retained when the last valid configuration (configuration for which the NTP service needs to run) is removed. Only the configuration values related to the maximum number of NTP peer and client associations are reset to the default value when the NTP process is disabled.
Examples
In the following example, the router is configured to act as an NTP server to 200 clients:
Router(config)# ntp max-associations 200
The following example shows how to remove all the configured NTP options and disable the NTP server:
Router(config)# no ntp
Related Commands
Command | Description
---|---
show ntp associations | Displays all current NTP associations for the device.
ntp multicast
To configure a system to send Network Time Protocol (NTP) multicast packets on a specified interface, use the ntp multicast command in interface configuration mode. To disable this capability, use the no form of this command.
ntp multicast [ip-address | ipv6-address] [key key-id] [ttl value] [version number]
no ntp [multicast [ip-address | ipv6-address] [key key-id] [ttl value] [version number]]
Syntax Description
Command Default
NTP multicast capability is disabled.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
The TTL value is used to limit the scope of an audience for multicast routing.
The NTP service can be activated by entering any ntp command. When you use the ntp multicast command, the NTP service is activated (if it has not already been activated) and the interface on which to send multicast packets is configured simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp multicast command, only the multicast capability is removed from the NTP service. The NTP service itself remains active, along with any other functions that you previously configured.
To disable the NTP service on a device, you must enter the no ntp command in global configuration mode without keywords. For example, if you had previously issued the ntp multicast command and you now want to remove not only the multicast capability, but also all NTP functions from the device, use the no ntp command in global configuration mode without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
Examples
The following example shows how to configure Ethernet interface 0 to send NTP version 2 broadcasts:
Router(config)# interface ethernet 0
Router(config-if)# ntp multicast version 2
If you had previously issued the ntp multicast command and you now want to remove not only the multicast capability, but also all NTP functions from the device, use the no ntp command in global configuration mode without any keywords. The following example shows how to remove the ntp multicast command along with all the other configured NTP options and to disable the NTP server:
Router(config)# no ntp
Related Commands
Command | Description
---|---
ntp authentication-key | Defines an authentication key for NTP.
ntp multicast client | Allows the system to receive NTP multicast packets on an interface.
ntp multicast client
To configure the system to receive Network Time Protocol (NTP) multicast packets on a specified interface, use the ntp multicast client command in interface configuration mode. To disable this capability, use the no form of this command.
ntp multicast client [ip-address | ipv6-address] [novolley]
no ntp [multicast client [ip-address | ipv6-address]]
Syntax Description
Command Default
NTP multicast client capability is disabled.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ntp multicast client command to allow the system to listen to multicast packets on an interface-by-interface basis.
This command enables the multicast client mode on the local NTP host. In this mode, the host is ready to receive mode 5 (broadcast) NTP messages sent to the specified multicast address. After receiving the first packet, the client measures the nominal propagation delay using a brief client/server association with the server. After this initial phase, the client enters the broadcast client mode, in which it synchronizes its clock to the received multicast messages.
The NTP service can be activated by entering any ntp command. When you use the ntp multicast client command, the NTP service is activated (if it has not already been activated) and the interface on which to receive multicast packets is configured simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp multicast client command, only the multicast client capability is removed from the NTP service. The NTP service itself remains active, along with any other functions that you previously configured.
To disable the NTP service on a device, you must enter the no ntp command without any keywords in global configuration mode. For example, if you had previously issued the ntp multicast client command and you now want to remove not only the multicast client capability, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
In IPv6 configuration, the ntp broadcastdelay command is used when the ntp broadcast client or ntp multicast client command is configured with the novolley keyword.
Examples
In the following example, the system is configured to receive (listen to) NTP multicast packets on Ethernet interface 1:
Router(config)# interface ethernet 1
Router(config-if)# ntp multicast client
If you had previously issued the ntp multicast client command and you now want to remove not only the multicast client capability, but also all NTP functions from the device, use the no ntp command without any keywords. The following example shows how to remove the ntp multicast client command along with all the other configured NTP options and to disable the NTP server:
Router(config)# no ntp
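The mode 5 messages that a broadcast or multicast client listens for can be triaged before they are trusted. The following is an added example, not Cisco code: it decodes the standard NTP header (RFC 5905 layout) and checks the symmetric-key MD5 MAC that the key key-id option attaches to outgoing packets. Key ID 23, the key string and the packets are constructed samples, and NTPv4 extension fields are assumed to be absent.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 48      # fixed NTP header length (RFC 5905)
MODE_BROADCAST = 5   # the "mode 5 (broadcast)" messages a multicast client listens for


def parse_ntp(payload):
    """Decode the fields needed for triage; assumes no NTPv4 extension fields."""
    if len(payload) < HEADER_LEN:
        raise ValueError("shorter than the 48-byte NTP header")
    trailer = payload[HEADER_LEN:]
    key_id = digest = None
    if len(trailer) in (20, 24):   # 4-byte key ID + MD5 (16) or SHA-1 (20) digest
        key_id = struct.unpack("!I", trailer[:4])[0]
        digest = trailer[4:]
    elif trailer:
        raise ValueError("unrecognised trailer length %d" % len(trailer))
    return {
        "version": (payload[0] >> 3) & 0x7,   # bits 3-5 of the first octet
        "mode": payload[0] & 0x7,             # low three bits of the first octet
        "stratum": payload[1],
        "key_id": key_id,
        "digest": digest,
    }


def mac_is_valid(payload, key):
    """Symmetric-key MD5 MAC check: digest == MD5(key || 48-byte header)."""
    expected = hashlib.md5(key + payload[:HEADER_LEN]).digest()
    return hmac.compare_digest(expected, payload[HEADER_LEN + 4:])


def triage_broadcast(payload, trusted_keys):
    """Return the reasons a listener should distrust this packet (empty list = accept).

    trusted_keys maps key ID -> key bytes, mirroring ntp authentication-key
    entries that are also listed with ntp trusted-key.
    """
    pkt = parse_ntp(payload)
    if pkt["mode"] != MODE_BROADCAST:
        return ["not-mode-5"]
    reasons = []
    if pkt["version"] not in (2, 3, 4):
        reasons.append("unsupported-version")
    if not 1 <= pkt["stratum"] <= 15:
        reasons.append("invalid-stratum")
    if pkt["key_id"] is None:
        reasons.append("no-mac")
    elif pkt["key_id"] not in trusted_keys:
        reasons.append("untrusted-key-id")
    elif not mac_is_valid(payload, trusted_keys[pkt["key_id"]]):
        reasons.append("bad-mac")
    return reasons


def sample_packet(version=4, mode=5, stratum=8, key_id=None, key=b""):
    """Constructed sample (not a capture): zeroed timestamps, optional MD5 MAC."""
    header = bytes([(version << 3) | mode, stratum]) + bytes(HEADER_LEN - 2)
    if key_id is None:
        return header
    return header + struct.pack("!I", key_id) + hashlib.md5(key + header).digest()


if __name__ == "__main__":
    trusted = {23: b"ExampleKey"}   # constructed key, not from any device
    for label, pkt in [
        ("unauthenticated", sample_packet()),
        ("key 23, correct key", sample_packet(key_id=23, key=b"ExampleKey")),
        ("key 23, wrong key", sample_packet(key_id=23, key=b"WrongKey")),
        ("unknown key 7", sample_packet(key_id=7, key=b"x")),
    ]:
        print(label, "->", triage_broadcast(pkt, trusted) or "accept")
```
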
Related Commands
ntp peer
To configure the software clock to synchronize an NTP peer or to be synchronized by an NTP peer, use the ntp peer command in global configuration mode. To disable this capability, use the no form of this command.
ntp peer [vrf vrf-name] {ip-address | ipv6-address | [ip | ipv6] hostname} [normal-sync] [version number] [key key-id] [source interface-type interface-number] [prefer] [maxpoll number] [minpoll number] [burst] [iburst]
no ntp [vrf vrf-name] {ip-address | ipv6-address | [ip | ipv6] hostname}
Syntax Description
Command Default
No peers are configured.
The default maxpoll number is 10 seconds.
The default minpoll number is 6 seconds.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
When a peer is configured, the default NTP version number is 3, no authentication key is used, and the source address is taken from the outgoing interface.
Use this command to allow a device to synchronize with a peer, or vice versa. Use the prefer keyword to reduce switching between peers.
If you are using the default version of 3 and NTP synchronization does not occur, try using NTP version 2 (NTPv2). For IPv6, use NTP version 4.
If you select an NTP version that is not supported, a message is displayed.
If you are using NTPv4, the NTP synchronization takes more time to complete (unlike NTPv3, which synchronizes in seconds or a maximum of 1 to 2 minutes). The acceptable time for synchronization in NTPv4 is 15 to 20 minutes. To achieve faster NTP synchronization, enable the burst or iburst mode by using the burst or iburst keyword. With the burst or iburst mode configured, NTP synchronization takes about 1 to 2 minutes.
The exact time span required for the NTP synchronization while using NTPv4 cannot be derived accurately. It depends on the network topology and complexity.
Multiple configurations are not allowed for the same peer or server. If a configuration exists for a peer and you use the ntp peer command to configure the same peer, the new configuration will replace the old one.
The NTP service can be activated by entering any ntp command. When you use the ntp peer command, the NTP service is activated (if it has not already been activated) and the peer is configured simultaneously.
When you enter the no ntp peer command, only the NTP peer configuration is removed from the NTP service. The NTP service itself remains active, along with any other previously configured NTP functions.
To disable the NTP service on a device, use the no ntp command without keywords in global configuration mode. For example, if you had previously issued the ntp peer command and you now want to remove not only this restriction, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
Examples
The following example shows how to configure a router to allow its software clock to be synchronized with the clock of the peer (or vice versa) at the IPv4 address 192.168.22.33 using NTPv2. The source IPv4 address is the address of Ethernet 0:
Router(config)# ntp peer 192.168.22.33 version 2 source ethernet 0
The following example shows how to configure a router to allow its software clock to be synchronized with the clock of the peer (or vice versa) at IPv6 address 2001:0DB8:0:0:8:800:200C:417A using NTPv4:
Router(config)# ntp peer 2001:0DB8:0:0:8:800:200C:417A version 4
The following example shows how to disable rapid synchronization at startup:
Router(config)# ntp peer 192.168.22.33 normal-sync
The following example shows the message displayed when you try to configure an unsupported NTP version:
Router(config)# ntp peer 192.168.22.33 version 1
NTP version 4 supports backward compatibility to only version 2 and 3
Please re-enter version[2-4]
Setting NTP version 4 as default
The following example shows how to remove all the configured NTP options and disable the NTP server:
Router(config)# no ntp
Related Commands
ntp refclock
To configure an external clock source for use with Network Time Protocol (NTP) services, use the ntp refclock command in line configuration mode. To disable support of the external time source, use the no form of this command.
ntp refclock {trimble | telecom-solutions} pps {cts | ri | none} [inverted] [pps-offset milliseconds] [stratum number] [timestamp-offset number]
no ntp [refclock]
Syntax Description
Command Default
By default, an external clock source for use with NTP services is not configured.
Command Modes
Line configuration (config-line)
Command History
Usage Guidelines
To configure a PPS signal as the source for NTP synchronization, use the following form of the ntp refclock command:
ntp refclock trimble pps {cts | ri} [inverted] [pps-offset milliseconds] [stratum number] [timestamp-offset number]
To configure a Trimble Palisade NTP Synchronization Kit as the GPS clock source connected to the auxiliary port of a Cisco 7200 router, use the following form of the ntp refclock command:
ntp refclock trimble pps none [stratum number]
To configure a Telecom Solutions product as the GPS clock source, use the ntp refclock telecom-solutions form of the command:
ntp refclock telecom-solutions pps cts [stratum number]
When two or more servers are configured with the same stratum number, the client will never synchronize with any of the servers. This is because the client is not able to identify the device with which to synchronize. When two or more servers are configured with the same stratum number, and if the client was in synchronization with one of the servers, the synchronization is lost if the settings on one server are changed.
The NTP service can be activated by entering any ntp command. When you use the ntp refclock command, the NTP service is activated (if it has not already been activated) and the external clock source is configured simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp refclock command, only the external clock source is removed from the NTP service. The NTP service itself remains active, along with any other functions that you previously configured.
To terminate the NTP service on a device, you must enter the no ntp command without keywords in global configuration mode. For example, if you had previously issued the ntp refclock command and you now want to remove not only the external clock source, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also terminated.
Examples
The following example shows the configuration of a Trimble Palisade GPS time source on a Cisco 7200 router:
Router(config)# ntp master
Router(config)# ntp update-calendar
Router(config)# line aux 0
Router(config-line)# ntp refclock trimble pps none
The following example shows the configuration of a Telecom Solutions GPS time source on a Catalyst switch platform:
Router(config)# ntp master
Router(config)# ntp update-calendar
Router(config)# line aux 0
Router(config-line)# ntp refclock telecom-solutions pps cts stratum 1
If you had previously issued the ntp refclock command and you now want to remove not only the external clock source, but also all NTP functions from the device, use the no ntp command without any keywords in global configuration mode. The following example shows how to remove the ntp refclock command along with all the configured NTP options and how to disable the NTP server:
Router(config)# no ntp
Related Commands
Command | Description
---|---
show ntp associations | Displays the status of NTP associations configured for your system.
ntp server
To allow the software clock to be synchronized by a Network Time Protocol (NTP) time server, use the ntp server command in global configuration mode. To disable this capability, use the no form of this command.
ntp server [vrf vrf-name] {ip-address | ipv6-address | [ip | ipv6] hostname} [normal-sync] [version number] [key key-id] [source interface-type interface-number] [prefer] [maxpoll number] [minpoll number] [burst] [iburst]
no ntp server [vrf vrf-name] {ip-address | ipv6-address | [ip | ipv6] hostname}
Syntax Description
Command Default
No servers are configured by default. If a server is configured, the default NTP version number is 3, an authentication key is not used, and the source IPv4 or IPv6 address is taken from the outgoing interface.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use this command if you want to allow the system to synchronize with the specified server.
When you use the hostname option, the router does a DNS lookup on that name, and stores the IPv4 or IPv6 address in the configuration. For example, if you enter the ntp server hostname command and then check the running configuration, the output shows "ntp server a.b.c.d," where a.b.c.d is the IP address of the host, assuming that the router is correctly configured as a DNS client.
Use the prefer keyword if you need to use this command multiple times, and you want to set a preferred server. Using the prefer keyword reduces switching between servers.
If you are using the default NTP version 3 and NTP synchronization does not occur, try NTPv2. Some NTP servers on the Internet run version 2. For IPv6, use NTP version 4.
If you are using NTPv4, the NTP synchronization takes more time to complete (unlike NTPv3, which synchronizes in seconds or a maximum of 1 to 2 minutes). The acceptable time for synchronization in NTPv4 is 15 to 20 minutes. To achieve faster NTP synchronization, enable the burst or iburst mode by using the burst or iburst keyword. With the burst or iburst mode configured, NTP synchronization takes about 1 to 2 minutes.
The exact time span required for the NTP synchronization while using NTPv4 cannot be derived accurately. It depends on the network topology and complexity.
The NTP service can be activated by entering any ntp command. When you use the ntp server command, the NTP service is activated (if it has not already been activated) and software clock synchronization is configured simultaneously.
When you enter the no ntp server command, only the server synchronization capability is removed from the NTP service. The NTP service itself remains active, along with any other previously configured NTP functions.
To disable the NTP service on a device, enter the no ntp command without keywords. For example, if you had previously issued the ntp server command and you now want to remove not only the server synchronization capability, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
If you want to unconfigure an NTP server or a peer configured with a particular source interface, you must specify the interface type and number in the no form of the command.
Examples
The following example shows how to configure a router to allow its software clock to be synchronized with the clock of the device at the IPv4 address 172.16.22.44 using NTPv2:
Router(config)# ntp server 172.16.22.44 version 2
The following example shows how to configure a router to allow its software clock to be synchronized with the clock of the device at the IPv6 address 2001:0DB8:0:0:8:800:200C:417A using NTPv4:
Router(config)# ntp server 2001:0DB8:0:0:8:800:200C:417A version 4
The following example shows how to configure an NTP peer with a particular source interface:
Router(config)# ntp server 209.165.200.231 source ethernet 0/1
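The defaults described for ntp server, ntp peer, ntp disable and ntp logging (no authentication key unless key key-id is given, interfaces receive NTP packets unless ntp disable is set, logging off) can be checked mechanically. The following is an added example, not part of the Cisco documentation: a small audit of a saved running configuration. The sample configuration, the key string and the finding names are constructed, and single-number ntp trusted-key lines are assumed.

```python
import re

# Constructed sample running-config; addresses are the documentation examples used on this page.
SAMPLE_CONFIG = """\
ntp authentication-key 23 md5 ExampleKey
ntp authenticate
ntp trusted-key 23
ntp source Loopback0
ntp max-associations 200
ntp server 172.16.22.44 version 2
ntp server 2001:0DB8:0:0:8:800:200C:417A version 4 key 23
ntp peer 192.168.22.33 version 2 source ethernet 0
ntp peer 10.0.0.1 key 7
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
 ntp disable
!
interface Ethernet1
 ntp broadcast client
!
interface Ethernet2
 ntp multicast client novolley
!
interface Ethernet3
 ip address 198.51.100.1 255.255.255.0
!
interface Ethernet4
 ntp disable ip
"""

ASSOC_RE = re.compile(r"^ntp (server|peer) (?:vrf \S+ )?(?:(?:ip|ipv6) )?(\S+)(.*)$")
KEY_RE = re.compile(r"\bkey (\d+)\b")
LISTENERS = ("ntp broadcast client", "ntp multicast client")


def parse_ntp_config(text):
    """Return (global ntp commands, {interface name: [ntp sub-commands]})."""
    global_cmds, interfaces, current = [], {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line.startswith(" ") and current is not None:
            if line.strip().startswith("ntp "):
                interfaces[current].append(line.strip())
        else:                       # "!" or any unindented line closes the block
            current = None
            if line.startswith("ntp "):
                global_cmds.append(line)
    return global_cmds, interfaces


def _ids(cmds, pattern):
    """Collect the key numbers captured by pattern across the given commands."""
    return {m.group(1) for m in (re.match(pattern, c) for c in cmds) if m}


def audit_ntp(text):
    """Return a sorted list of (scope, finding) tuples for a reviewer."""
    global_cmds, interfaces = parse_ntp_config(text)
    # Any ntp command activates the service; ntp disable alone is treated as not doing so.
    active = bool(global_cmds) or any(
        not c.startswith("ntp disable") for cmds in interfaces.values() for c in cmds)
    if not active:
        return []
    findings = []
    defined = _ids(global_cmds, r"ntp authentication-key (\d+) ")
    trusted = _ids(global_cmds, r"ntp trusted-key (\d+)$")
    keys_used = False
    for cmd in global_cmds:
        m = ASSOC_RE.match(cmd)
        if not m:
            continue
        kind, addr, opts = m.groups()
        key = KEY_RE.search(opts)
        if key is None:
            findings.append((f"{kind} {addr}", "no-key"))
            continue
        keys_used = True
        if key.group(1) not in defined:
            findings.append((f"{kind} {addr}", "key-undefined"))
        elif key.group(1) not in trusted:
            findings.append((f"{kind} {addr}", "key-not-trusted"))
    if keys_used and "ntp authenticate" not in global_cmds:
        findings.append(("global", "authenticate-missing"))
    if "ntp logging" not in global_cmds:
        findings.append(("global", "logging-disabled"))
    for name, cmds in interfaces.items():
        if any(c.startswith(LISTENERS) for c in cmds):
            findings.append((name, "accepts-unsolicited-time"))
            continue
        disabled = set()
        for c in cmds:
            if c == "ntp disable":              # no keyword: all address families
                disabled = {"ip", "ipv6"}
            elif c.startswith("ntp disable "):  # ntp disable ip | ipv6
                disabled.add(c.split()[2])
        for family in sorted({"ip", "ipv6"} - disabled):
            findings.append((name, f"ntp-open-{family}"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit_ntp(SAMPLE_CONFIG):
        print(f"{scope:32} {finding}")
```

An ntp-open finding is a review item rather than a defect in itself: the interface that faces the time source has to stay open, while the others are candidates for ntp disable.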
Related Commands
ntp source
To use a particular source address in Network Time Protocol (NTP) packets, use the ntp source command in global configuration mode. To remove the specified source address, use the no form of this command.
ntp source interface-type interface-number
no ntp [source]
Syntax Description
interface-type | Type of interface.
interface-number | Number of the interface.
Command Default
Source address is determined by the outgoing interface.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use this command when you want to use a particular source IPv4 or IPv6 address for all NTP packets. The address is taken from the named interface. This command is useful if the address on an interface cannot be used as the destination for reply packets. If the source keyword is present on an ntp server or ntp peer global configuration command, that value overrides the global value set by this command.
The NTP service can be activated by entering any ntp command. When you use the ntp source command, the NTP service is activated (if it has not already been activated) and the source address is configured simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp source command, only the source address is removed from the NTP service. The NTP service itself remains active, along with any other functions that you previously configured.
To disable the NTP service on a device, you must enter the no ntp command without any keywords in global configuration mode. For example, if you had previously issued the ntp source command and you now want to remove not only the configured source address, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
If the NTP source is not set explicitly, and a link fails or an interface state changes, the NTP packets are sourced from the next best interface and the momentarily lost synchronization is regained.
Examples
The following example shows how to configure a router to use the IPv4 or IPv6 address of Ethernet interface 0 as the source address of all outgoing NTP packets:
Router(config)# ntp source ethernet 0
The following example shows how to remove all the configured NTP options and disable the NTP server:
Router(config)# no ntp
Related Commands
Command | Description |
---|---|
ntp peer | Configures the software clock to synchronize a peer or to be synchronized by a peer. |
ntp server | Allows the software clock to be synchronized by a time server. |
ntp trusted-key
To authenticate the identity of a system to which Network Time Protocol (NTP) will synchronize, use the ntp trusted-key command in global configuration mode. To disable the authentication of the identity of the system, use the no form of this command.
ntp trusted-key key-number
no ntp [trusted-key key-number]
Syntax Description
key-number | Key number of the authentication key to be trusted. |
Command Default
Authentication of the identity of the system is disabled.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
If authentication is enabled, use this command to define one or more key numbers (corresponding to the keys defined with the ntp authentication-key command) that a peer NTP system must provide in its NTP packets for synchronization. This function provides protection against accidentally synchronizing the system to a system that is not trusted, because the other system must know the correct authentication key.
The NTP service can be activated by entering any ntp command. When you use the ntp trusted-key command, the NTP service is activated (if it has not already been activated) and the system to which NTP will synchronize is authenticated simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp trusted-key command, only the authentication is disabled in the NTP service. The NTP service itself remains active, along with any other functions that you previously configured.
To disable the NTP service on a device, you must enter the no ntp command without any keywords in global configuration mode. For example, if you had previously issued the ntp trusted-key command and you now want to remove not only the authentication, but also all NTP functions from the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
Examples
The following example shows how to configure the system to synchronize only to systems that provide authentication key 42 in their NTP packets:
Router(config)# ntp authenticate
Router(config)# ntp authentication-key 42 md5 aNiceKey
Router(config)# ntp trusted-key 42
The following example shows how to remove all the configured NTP options and disable the NTP server:
Router(config)# no ntp
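The three commands in the first example above only work as a set, so a configuration review should check them together. The following audit sketch is an added example, not part of the Cisco documentation: the function name and sample configurations are constructed, it assumes the plain `ntp server address` form, and the `key` keyword it looks for belongs to the ntp server and ntp peer commands rather than to anything shown in this section.

```python
import re

# Constructed sample configurations (not taken from a real device).
COMPLETE = """\
ntp authenticate
ntp authentication-key 42 md5 aNiceKey
ntp trusted-key 42
ntp server 172.16.22.44 key 42
"""

BROKEN = """\
ntp authentication-key 42 md5 aNiceKey
ntp trusted-key 43
ntp server 172.16.22.44 version 2
"""


def audit_ntp_auth(config_text):
    """Return a list of findings about the NTP authentication chain."""
    authenticate = False
    defined, trusted = set(), set()
    associations = []  # (address, key number or None)

    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "ntp authenticate":
            authenticate = True
        elif m := re.match(r"ntp authentication-key (\d+) md5 \S+", line):
            defined.add(int(m.group(1)))
        elif m := re.match(r"ntp trusted-key (\d+)$", line):
            trusted.add(int(m.group(1)))
        elif m := re.match(r"ntp (?:server|peer) (\S+)(.*)$", line):
            key = re.search(r"\bkey (\d+)\b", m.group(2))
            associations.append((m.group(1), int(key.group(1)) if key else None))

    findings = []
    # Keys and trusted-key entries have no effect until authentication is on.
    if (defined or trusted or associations) and not authenticate:
        findings.append("'ntp authenticate' is missing, so keys are not enforced")
    # A trusted key number must correspond to a defined authentication key.
    for k in sorted(trusted - defined):
        findings.append(f"trusted-key {k} has no matching 'ntp authentication-key {k}'")
    for k in sorted(defined - trusted):
        findings.append(f"authentication-key {k} is defined but not trusted")
    # Each association should name a key that is also trusted.
    for addr, k in associations:
        if k is None:
            findings.append(f"association {addr} does not reference a key")
        elif k not in trusted:
            findings.append(f"association {addr} uses key {k}, which is not trusted")
    return findings


if __name__ == "__main__":
    for name, cfg in (("COMPLETE", COMPLETE), ("BROKEN", BROKEN)):
        print(name, audit_ntp_auth(cfg) or "no findings")
```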
Related Commands
Command | Description |
---|---|
ntp authenticate | Enables NTP authentication. |
ntp authentication-key | Defines an authentication key for NTP. |
ntp update-calendar
To periodically update the hardware clock (calendar) from a Network Time Protocol (NTP) time source, use the ntp update-calendar command in global configuration mode. To disable the periodic updates, use the no form of this command.
ntp update-calendar
no ntp [update-calendar]
Syntax Description
This command has no arguments or keywords.
Command Default
The hardware clock (calendar) is not updated.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Some platforms have a battery-powered hardware clock, referred to in the CLI as the calendar, in addition to the software-based system clock. The hardware clock runs continuously, even if the router is powered off or rebooted.
If the software clock is synchronized to an outside time source via NTP, it is a good practice to periodically update the hardware clock with the time learned from NTP. Otherwise, the hardware clock will tend to gradually lose or gain time (drift), and the software clock and hardware clock may lose synchronization with each other. The ntp update-calendar command will enable the hardware clock to be periodically updated with the time specified by the NTP source. The hardware clock will be updated only if NTP has synchronized to an authoritative time server.
Many lower-end routers (for example, the Cisco 2500 series or the Cisco 2600 series) do not have hardware clocks, so this command is not available on those platforms.
To force a single update of the hardware clock from the software clock, use the clock update-calendar command in user EXEC mode.
The NTP service can be activated by entering any ntp command. When you use the ntp update-calendar command, the NTP service is activated (if it has not already been activated) and the hardware clock is updated simultaneously.
In the no form of any ntp command, all the keywords are optional. When you enter the no ntp update-calendar command, only the clock updates are stopped in the NTP service. The NTP service itself remains active, along with any other functions that you previously configured.
To disable the NTP service on a device, you must enter the no ntp command without any keywords in global configuration mode. For example, if you had previously issued the ntp update-calendar command and you now want to disable not only the periodic updates, but also all NTP functions running on the device, use the no ntp command without any keywords. This ensures that all NTP functions are removed and that the NTP service is also disabled.
Examples
The following example shows how to configure the system to periodically update the hardware clock from the NTP time source:
Router(config)# ntp update-calendar
The following example shows how to remove all the configured NTP options and disable the NTP server:
Router(config)# no ntp
Related Commands
ospfv3 area
To enable Open Shortest Path First version 3 (OSPFv3) on an interface with the IPv4 or IPv6 address family (AF), use the ospfv3 area command in interface configuration mode. To disable OSPFv3 routing for interfaces defined, use the no form of this command.
ospfv3 process-id area area-ID {ipv4 | ipv6} [instance instance-id]
no ospfv3 process-id area area-ID {ipv4 | ipv6}
Syntax Description
Command Default
OSPFv3 is not enabled on the interface.
The default instance ID for IPv4 is 64.
The default instance ID for IPv6 is 0.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ospfv3 area command to enable OSPFv3 on an interface. This command enables you to configure two OSPFv3 instances on an interface: one IPv6 AF instance and one IPv4 AF instance. You can configure only one process for each AF per interface.
Before you enable OSPFv3 on an interface using the ospfv3 area command, you must enable IPv6 on the interface, and you must enable IPv6 routing.
When the ospfv3 area command is configured for the IPv6 AF, it overwrites the ipv6 ospf area configuration if OSPFv3 was attached to the interface using the ipv6 ospf area command.
Examples
The following example enables OSPFv3 for the IPv4 AF on an interface:
Router(config)# interface ethernet0/0
Router(config-if)# ospfv3 1 area 1 ipv4
ospfv3 authentication
To specify the authentication type for an Open Shortest Path First version 3 (OSPFv3) instance, use the ospfv3 authentication command in interface configuration mode. To remove this instance, use the no form of this command.
ospfv3 authentication {ipsec spi} {md5 | sha1} {key-encryption-type key} | null
no ospfv3 authentication {ipsec spi} {md5 | sha1} {key-encryption-type key} | null
Syntax Description
Command Default
No authentication is specified.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ospfv3 authentication command to specify the OSPFv3 authentication type on an interface. The ospfv3 authentication command cannot be configured per process. If the ospfv3 authentication command is used, it affects all OSPFv3 instances.
The user needs to ensure that the same policy (the SPI and the key) is configured on all of the interfaces on the link. SPI values may automatically be used by other client applications, such as tunnels.
The policy database is common to all client applications on a box. This means that two IPsec clients, such as OSPFv3 and a tunnel, cannot use the same SPI. Additionally, an SPI can be used only in one policy.
The null keyword is used to override existing area authentication. If area authentication is not configured, then it is not necessary to configure the interface with the authentication null command.
Examples
The following example specifies the authentication type for an OSPFv3 instance:
Router(config)# interface ethernet0/0
Router(config-if)# ospfv3 authentication md5 0 27576134094768132473302031209727
Related Commands
Command | Description |
---|---|
ospfv3 area | Enables OSPFv3 on an interface with the IPv4 or IPv6 AF. |
ospfv3 cost
To explicitly specify the cost of sending a packet on an Open Shortest Path First version 3 (OSPFv3) interface, use the ospfv3 cost command in interface configuration mode. To reset the interface cost to the default value, use the no form of this command.
ospfv3 [process-id] cost {interface-cost | dynamic [default default-link-metric | hysteresis [percent | threshold threshold-value] | weight {L2-factor percent | latency percent | resources percent | throughput percent}
no ospfv3 [process-id] cost
Syntax Description
Command Default
Default cost is based on the bandwidth. Mobile Ad Hoc Network (MANET) interfaces are set to use dynamic costs. Non-MANET networks are set to use static costs.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ospfv3 cost command to specify the cost of sending a packet on an interface. When the ospfv3 cost command is configured with the process-id argument, it overwrites the ipv6 ospf cost configuration if OSPFv3 was attached to the interface using the ipv6 ospf area command. When the ospfv3 cost command is configured without the process-id argument, it is inherited on all instances running on the interface.
You can set the metric manually using the ospfv3 cost command, if you need to change the default. Using the bandwidth command changes the link cost as long as the ospfv3 cost command is not used. The link-state metric is advertised as the link cost in the router link advertisement.
The dynamic cost metric used for interfaces is computed based on the Layer 2 (L2) feedback to Layer 3 (L3). For a dynamic cost to have the same cost as a default cost, all parameters must equal zero.
Each Layer 2 feedback can contribute a cost in the range of 0 to 65535. To tune down this cost range, use the optional weight keyword in conjunction with the throughput, resources, latency, or L2-factor keyword. Each of these weights has a default value of 100% and can be configured in the range from 0 to 100. When 0 is configured for a specific weight, that weight does not contribute to the OSPFv3 cost.
Because cost components can change rapidly, you may need to dampen the amount of changes in order to reduce network-wide churn. Use the optional hysteresis keyword with the threshold threshold-value keyword and argument to set a cost change threshold. Any cost change below this threshold is ignored.
If you enable hysteresis without specifying the mode (percent or threshold), the default mode is threshold and the default threshold value is 10k.
The higher the threshold or the percent value is set, the larger the change in link quality required to change the OSPFv3 route costs.
Mobile Ad Hoc Networks (MANET)
When the network type is set to MANET, the OSPF cost associated with an interface is automatically set to dynamic. All other network types keep the interface cost, and you must enter the ospfv3 cost dynamic command to change the cost to dynamic.
If you do not specify a default dynamic cost with the ospfv3 cost dynamic default command, OSPF uses the interface cost until it receives link metric data.
Examples
The following example sets the interface cost value to 65:
Router(config)# interface ethernet0/0
Router(config-if)# ospfv3 101 cost 65
The following example shows how to configure OSPFv3 instance 4 to use 30 as the default cost until link metric data arrives from dynamic costing:
Router(config)# interface ethernet 0/0
Router(config-if)# ospfv3 4 cost dynamic default 30
Router(config-if)# exit
Related Commands
Command | Description |
---|---|
ospfv3 area | Enables OSPFv3 on an interface with the IPv4 or IPv6 AF. |
ospfv3 database-filter
To filter outgoing link-state advertisements (LSAs) to an Open Shortest Path First version 3 (OSPFv3) interface, use the ospfv3 database-filter command in interface configuration mode. To restore the forwarding of LSAs to the interface, use the no form of this command.
ospfv3 [process-id] database-filter [all | disable]
no ospfv3 database-filter
Syntax Description
Command Default
All outgoing LSAs are flooded to the interface.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ospfv3 database-filter command to filter outgoing LSAs to an OSPFv3 interface. When the ospfv3 database-filter command is configured with the process-id argument, it overwrites the ipv6 ospf database-filter configuration if OSPFv3 was attached to the interface using the ipv6 ospf area command. When the ospfv3 database-filter command is configured without the process-id argument, it is inherited on all instances running on the interface.
Examples
The following example prevents flooding of OSPFv3 LSAs to networks reachable through Ethernet interface 0/0:
Router(config)# interface ethernet0/0
Router(config-if)# ospfv3 101 database-filter
Related Commands
Command | Description |
---|---|
ospfv3 area | Enables OSPFv3 on an interface with the IPv4 or IPv6 AF. |
ospfv3 dead-interval
To set the time period for which hello packets must not be seen before neighbors declare the router down, use the ospfv3 dead-interval command in interface configuration mode. To return to the default time, use the no form of this command.
ospfv3 [process-id] dead-interval seconds
no ospfv3 [process-id] dead-interval seconds
Syntax Description
Command Default
Four times the interval set by the ospfv3 hello-interval command.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ospfv3 dead-interval command to set the time period for which hello packets must not be seen before neighbors declare the router down. When the ospfv3 dead-interval command is configured with the process-id argument, it overwrites the ipv6 ospf dead-interval configuration if OSPFv3 was attached to the interface using the ipv6 ospf area command. When the ospfv3 dead-interval command is configured without the process-id argument, it is inherited on all instances running on the interface.
The interval is advertised in router hello packets. This value must be the same for all routers and access servers on a specific network.
If no hello-interval is specified, the default dead-interval is 120 seconds for Mobile Ad Hoc Networks (MANETs) and 40 seconds for all other network types.
Examples
The following example sets the OSPFv3 dead interval to 60 seconds:
Router(config)# interface ethernet0/0
Router(config-if)# ospfv3 101 dead-interval 60
Related Commands
Command | Description |
---|---|
ospfv3 area | Enables OSPFv3 on an interface with the IPv4 or IPv6 AF. |
ospfv3 demand-circuit
To configure Open Shortest Path First version 3 (OSPFv3) to treat the interface as an OSPFv3 demand circuit, use the ospfv3 demand-circuit command in interface configuration mode. To remove the demand circuit designation from the interface, use the no form of this command.
ospfv3 [process-id] demand-circuit [disable]
no ospfv3 demand-circuit
Syntax Description
Command Default
The circuit is not a demand circuit.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ospfv3 demand-circuit command to configure OSPFv3 to treat the interface as an OSPFv3 demand circuit. When the ospfv3 demand-circuit command is configured with the process-id argument, it overwrites the ipv6 ospf demand-circuit configuration if OSPFv3 was attached to the interface using the ipv6 ospf area command. When the ospfv3 demand-circuit command is configured without the process-id argument, it is inherited on all instances running on the interface.
On point-to-point interfaces, only one end of the demand circuit must be configured with the demand-circuit command. Periodic hello messages are suppressed and periodic refreshes of link-state advertisements (LSAs) do not flood the demand circuit. This command allows the underlying data link layer to be closed when the topology is stable. In point-to-multipoint topology, only the multipoint end must be configured with this command.
Examples
The following example configures an on-demand circuit on Ethernet interface 0/0:
Router(config)# interface ethernet0/0
Router(config-if)# ospfv3 101 demand-circuit
Related Commands
Command | Description |
---|---|
ospfv3 area | Enables OSPFv3 on an interface with the IPv4 or IPv6 AF. |
ospfv3 encryption
To specify the encryption type for an Open Shortest Path First version 3 (OSPFv3) interface, use the ospfv3 encryption command in interface configuration mode. To remove the encryption type from an interface, use the no form of this command.
ospfv3 encryption {ipsec spi spi esp encryption-algorithm {key-encryption-type key} authentication-algorithm {key-encryption-type key} | null}
no ospfv3 encryption ipsec spi spi
Syntax Description
Command Default
Authentication and encryption are not configured on an interface.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ospfv3 encryption command to specify the encryption type for an interface. The ospfv3 encryption command cannot be configured per process. If the ospfv3 encryption command is used, it affects all OSPFv3 instances.
The user needs to ensure that the same policy (the SPI and the key) is configured on all of the interfaces on the link. SPI values may automatically be used by other client applications, such as tunnels.
The policy database is common to all client applications on a box. This means that two IPSec clients, such as OSPFv3 and a tunnel, cannot use the same SPI. Additionally, an SPI can be used only in one policy.
The null keyword is used to override existing area encryption. If area encryption is not configured, then it is not necessary to configure the interface with the encryption null command.
Examples
The following example specifies the encryption type for Ethernet interface 0/0. The IPSec SPI value is 1001, ESP is used with no encryption, and the authentication algorithm is MD5.
Router(config)# interface ethernet 0/0
Router(config-if)# ospfv3 encryption ipsec spi 1001 esp null md5 0 27576134094768132473302031209727
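The usage guidelines for ospfv3 authentication and ospfv3 encryption both state that an SPI can be used in only one policy and that every interface on a link must carry the same SPI and key. The following audit sketch is an added example, not part of the Cisco documentation: the function names, the second router, and the SHA-1 key are constructed, and it assumes policies are written with the `ipsec spi` keywords shown in the syntax lines.

```python
import re
from collections import defaultdict

# Constructed sample configurations. The MD5 key is the one from the page's
# example; the SHA-1 key and the router R2 are made up for illustration.
R1 = """\
interface ethernet0/0
 ospfv3 encryption ipsec spi 1001 esp null md5 0 27576134094768132473302031209727
interface ethernet0/1
 ospfv3 authentication ipsec spi 1001 sha1 0 1234567890123456789012345678901234567890
"""
R2 = """\
interface ethernet 0/0
 ospfv3 encryption ipsec spi 1002 esp null md5 0 27576134094768132473302031209727
"""

# Everything after the SPI (algorithms, key type, key) is kept as one string,
# so the audit does not need to know each algorithm's argument layout.
POLICY_RE = re.compile(r"ospfv3 (authentication|encryption) ipsec spi (\d+) (.+)$")


def norm_ifname(name):
    """Treat 'Ethernet 0/0' and 'ethernet0/0' as the same interface."""
    return name.replace(" ", "").lower()


def parse_policies(config_text):
    """Map interface name -> set of (kind, spi, parameters) policies."""
    policies = defaultdict(set)
    current = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = norm_ifname(line[len("interface "):])
        elif current and (m := POLICY_RE.match(line)):
            params = " ".join(m.group(3).split())
            policies[current].add((m.group(1), int(m.group(2)), params))
    return dict(policies)


def spi_conflicts(config_text):
    """Return SPIs that appear in more than one distinct policy on a device."""
    by_spi = defaultdict(set)
    for pols in parse_policies(config_text).values():
        for kind, spi, params in pols:
            by_spi[spi].add((kind, params))
    return {spi: sorted(defs) for spi, defs in by_spi.items() if len(defs) > 1}


def link_policy_matches(cfg_a, if_a, cfg_b, if_b):
    """True when both ends of a link carry identical SPI, algorithms and keys.

    Two ends with no policy at all also compare equal; whether an unprotected
    link is acceptable is a separate question from consistency.
    """
    a = parse_policies(cfg_a).get(norm_ifname(if_a), set())
    b = parse_policies(cfg_b).get(norm_ifname(if_b), set())
    return a == b


if __name__ == "__main__":
    print("R1 SPI conflicts:", spi_conflicts(R1))
    print("R1 e0/0 <-> R2 e0/0 consistent:",
          link_policy_matches(R1, "ethernet0/0", R2, "Ethernet 0/0"))
```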
Related Commands
Command | Description |
---|---|
ospfv3 area | Enables OSPFv3 on an interface with the IPv4 or IPv6 AF. |
ospfv3 flood-reduction
To suppress the unnecessary flooding of link-state advertisements (LSAs) in stable topologies, use the ospfv3 flood-reduction command in interface configuration mode. To disable this feature, use the no form of this command.
ospfv3 [process-id] flood-reduction [disable]
no ospfv3 [process-id] flood-reduction
Syntax Description
Command Default
This command is disabled.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ospfv3 flood-reduction command to suppress unnecessary LSA flooding in stable topologies. When the ospfv3 flood-reduction command is configured with the process-id argument, it overwrites the ipv6 ospf flood-reduction configuration if OSPFv3 was attached to the interface using the ipv6 ospf flood-reduction command. When the ospfv3 flood-reduction command is configured without the process-id argument, it is inherited on all instances running on the interface.
All routers supporting the OSPFv3 demand circuit are compatible and can interact with routers supporting flooding reduction.
Examples
The following example suppresses the flooding of unnecessary LSAs on Ethernet interface 0/0:
Router(config)# interface ethernet0/0
Router(config-if)# ospfv3 101 flood-reduction
Related Commands
Command | Description |
---|---|
ospfv3 area | Enables OSPFv3 on an interface with the IPv4 or IPv6 AF. |
ospfv3 hello-interval
To specify the interval between hello packets that the Cisco IOS software sends on the Open Shortest Path First version 3 (OSPFv3) interface, use the ospfv3 hello-interval command in interface configuration mode. To return to the default time, use the no form of this command.
ospfv3 [process-id] hello-interval seconds
no ospfv3 [process-id] hello-interval seconds
Syntax Description
Command Default
The default interval is 10 seconds when using Ethernet and 30 seconds when using nonbroadcast, such as Mobile Ad Hoc Networks (MANETs).
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ospfv3 hello-interval command to specify the interval between hello packets sent on the interface. When the ospfv3 hello-interval command is configured with the process-id argument, it overwrites the ipv6 ospf hello-interval configuration if OSPFv3 was attached to the interface using the ipv6 ospf area command. When the ospfv3 hello-interval command is configured without the process-id argument, it is inherited on all instances running on the interface.
The hello-interval value is advertised in the hello packets. The shorter the hello interval, the earlier topological changes will be detected, but more routing traffic will ensue. This value must be the same for all routers and access servers on a specific network.
Examples
The following example sets the interval between hello packets to 15 seconds:
Router(config)# interface ethernet0/0
Router(config-if)# ospfv3 101 hello-interval 15
Related Commands
Command | Description |
---|---|
ospfv3 area | Enables OSPFv3 on an interface with the IPv4 or IPv6 AF. |
ospfv3 mtu-ignore
To disable Open Shortest Path First version 3 (OSPFv3) maximum transmission unit (MTU) mismatch detection on receiving database descriptor (DBD) packets, use the ospfv3 mtu-ignore command in interface configuration mode. To reset to default, use the no form of this command.
ospfv3 [process-id] mtu-ignore [disable]
no ospfv3 [process-id] mtu-ignore
Syntax Description
Command Default
OSPFv3 MTU mismatch detection is enabled.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ospfv3 mtu-ignore command to disable OSPFv3 MTU mismatch detection on receiving DBD packets. When the ospfv3 mtu-ignore command is configured with the process-id argument, it overwrites the ipv6 ospf mtu-ignore configuration if OSPFv3 was attached to the interface using the ipv6 ospf area command. When the ospfv3 mtu-ignore command is configured without the process-id argument, it is inherited on all instances running on the interface.
OSPFv3 checks whether neighbors are using the same MTU on a common interface. This check is performed when neighbors exchange DBD packets. If the receiving MTU in the DBD packet is higher than the IP MTU configured on the incoming interface, OSPFv3 adjacency will not be established.
Examples
The following example disables MTU mismatch detection on receiving DBD packets:
Router(config)# interface ethernet0/0
Router(config-if)# ospfv3 101 mtu-ignore
Related Commands
Command | Description |
---|---|
ospfv3 area | Enables OSPFv3 on an interface with the IPv4 or IPv6 AF. |
ospfv3 network
To configure an Open Shortest Path First version 3 (OSPFv3) network type to a type other than the default for a given medium, use the ospfv3 network command in interface configuration mode. To return to the default type, use the no form of this command.
ospfv3 [process-id] network {broadcast | manet | non-broadcast | {point-to-multipoint [non-broadcast] | point-to-point}}
no ospfv3 [process-id] network {broadcast | manet | non-broadcast | {point-to-multipoint [non-broadcast] | point-to-point}}
Syntax Description
Command Default
Default depends on the network type.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ospfv3 network command to configure an OSPFv3 network type to a type other than the default for a given medium. When the ospfv3 network command is configured with the process-id argument, it overwrites the ipv6 ospf network configuration if OSPFv3 was attached to the interface using the ipv6 ospf area command. When the ospfv3 network command is configured without the process-id argument, it is inherited on all instances running on the interface.
MANET Networks
Use the ospfv3 network manet command to enable relaying and caching of LSA updates and LSA ACKs on the MANET interface. This results in a reduction of OSPF traffic and saves radio bandwidth.
By default, selective peering is disabled on MANET interfaces.
By default, the OSPFv3 dynamic cost timer is enabled for the MANET network type, as well as caching of LSAs and LSA ACKs received on the MANET interface. The following default values are applied for cache and timers:
LSA cache | Default = 1000 messages |
LSA timer | Default = 10 minutes |
LSA ACK cache | Default = 1000 messages |
LSA ACK timer | Default = 5 minutes |
Examples
The following example sets your OSPFv3 network as a broadcast network:
Router(config)# interface ethernet0/0
Router(config-if)# ospfv3 101 network broadcast
Related Commands
Command | Description |
---|---|
ospfv3 area | Enables OSPFv3 on an interface with the IPv4 or IPv6 AF. |
ospfv3 priority
To set the router priority, which helps determine the designated router for this network, use the ospfv3 priority command in interface configuration mode. To return to the default value, use the no form of this command.
ospfv3 [process-id] priority number-value
no ospfv3 [process-id] priority number-value
Syntax Description
Command Default
The router priority is 1.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ospfv3 priority command to set the router priority, which helps determine the designated router for this network. When the ospfv3 priority command is configured with the process-id argument, it overwrites the ipv6 ospf priority configuration if OSPFv3 was attached to the interface using the ipv6 ospf area command. When the ospfv3 priority command is configured without the process-id argument, it is inherited on all instances running on the interface.
When two routers attached to a network both attempt to become the designated router, the one with the higher router priority takes precedence. If there is a tie, the router with the higher router ID takes precedence. A router with a router priority set to zero is ineligible to become the designated router or backup designated router. Router priority is configured only for interfaces to multiaccess networks (in other words, not to point-to-point networks).
Examples
The following example sets the router priority value to 4:
Router(config)# interface ethernet0/0
Router(config-if)# ospfv3 101 priority 4
Related Commands
Command | Description |
---|---|
ospfv3 area | Enables OSPFv3 on an interface with the IPv4 or IPv6 AF. |
ospfv3 retransmit-interval
To specify the time between link-state advertisement (LSA) retransmissions for adjacencies belonging to the Open Shortest Path First version 3 (OSPFv3) interface, use the ospfv3 retransmit-interval command in interface configuration mode. To return to the default value, use the no form of this command.
ospfv3 [process-id] retransmit-interval seconds
no ospfv3 [process-id] retransmit-interval seconds
Syntax Description
Command Default
The default is 5 seconds.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ospfv3 retransmit-interval command to specify the time between LSA retransmissions for adjacencies belonging to the interface. When the ospfv3 retransmit-interval command is configured with the process-id argument, it overwrites the ipv6 ospf retransmit-interval configuration if OSPFv3 was attached to the interface using the ipv6 ospf area command. When the ospfv3 retransmit-interval command is configured without the process-id argument, it is inherited on all instances running on the interface.
When a router sends an LSA to its neighbor, it keeps the LSA until it receives back the acknowledgment message. If the router receives no acknowledgment, it will resend the LSA.
The setting of the retransmit-interval parameter should be conservative, or needless retransmission will result. The value should be larger for serial lines and virtual links.
Examples
The following example sets the retransmit interval value to 8 seconds:
Router(config)# interface ethernet0/0
Router(config-if)# ospfv3 101 retransmit-interval 8
Related Commands
Command | Description |
---|---|
ospfv3 area | Enables OSPFv3 on an interface with the IPv4 or IPv6 AF. |
ospfv3 transmit-delay
To set the estimated time required to send a link-state update packet on the Open Shortest Path First version 3 (OSPFv3) interface, use the ospfv3 transmit-delay command in interface configuration mode. To return to the default value, use the no form of this command.
ospfv3 [process-id] transmit-delay seconds
no ospfv3 [process-id] transmit-delay seconds
Syntax Description
Command Default
The default is 1 second.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
Use the ospfv3 transmit-delay command to set the estimated time required to send a link-state update packet on the interface. When the ospfv3 transmit-delay command is configured with the process-id argument, it overwrites the ipv6 ospf transmit-delay configuration if OSPFv3 was attached to the interface using the ipv6 ospf area command. When the ospfv3 transmit-delay command is configured without the process-id argument, it is inherited on all instances running on the interface.
Link-state advertisements (LSAs) in the update packet must have their ages incremented by the amount specified in the seconds argument before transmission. The value assigned should take into account the transmission and propagation delays for the interface.
If the delay is not added before transmission over a link, the time in which the LSA propagates over the link is not considered. This setting has more significance on very low-speed links.
Examples
The following example sets the transmit delay value to 3 seconds:
Router(config)# interface ethernet0/0
Router(config-if)# ospfv3 101 transmit-delay 3
Related Commands
Command | Description |
---|---|
ospfv3 area | Enables OSPFv3 on an interface with the IPv4 or IPv6 AF. |
other-config-flag
To verify the advertised other configuration parameter, use the other-config-flag command in router advertisement (RA) guard policy configuration mode.
other-config-flag {on | off}
Syntax Description
on | Verification is enabled. |
off | Verification is disabled. |
Command Default
Verification is not enabled.
Command Modes
RA guard policy configuration (config-ra-guard)
Command History
| Release | Modification |
|---|---|
| 12.2(50)SY | This command was introduced. |
Usage Guidelines
The other-config-flag command enables verification of the advertised "other" configuration parameter (or "O" flag). This flag could be set by an attacker to force hosts to retrieve other configuration information through a potentially untrusted DHCPv6 server.
Examples
The following example defines an RA guard policy name as raguard1, places the router in RA guard policy configuration mode, and enables O flag verification:
Router(config)# ipv6 nd raguard policy raguard1
Router(config-ra-guard)# other-config-flag on
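The O flag that this policy verifies is a single bit in the fixed part of the ICMPv6 Router Advertisement. The following added example (not part of the original command reference) parses that header and reports whether the advertised O flag differs from what the operator expects on a segment. The function names and the sample messages built by `build_ra` are constructed for illustration, and the checksum is left at zero and not validated.

```python
import struct

RA_TYPE = 134   # ICMPv6 Router Advertisement (RFC 4861)
M_FLAG = 0x80   # "managed address configuration" bit
O_FLAG = 0x40   # "other configuration" bit, the one other-config-flag verifies

# Fixed 16-byte part of the RA: type, code, checksum, cur hop limit,
# flags, router lifetime, reachable time, retrans timer.
_RA_FIXED = struct.Struct("!BBHBBHII")


def parse_ra(icmpv6: bytes) -> dict:
    """Decode the fixed part of a Router Advertisement (ICMPv6 payload only)."""
    if len(icmpv6) < _RA_FIXED.size:
        raise ValueError("truncated Router Advertisement")
    (msg_type, code, _checksum, hop_limit, flags,
     lifetime, _reachable, _retrans) = _RA_FIXED.unpack_from(icmpv6)
    if msg_type != RA_TYPE or code != 0:
        raise ValueError("not a Router Advertisement")
    return {
        "managed": bool(flags & M_FLAG),
        "other": bool(flags & O_FLAG),
        "hop_limit": hop_limit,
        "router_lifetime": lifetime,
    }


def other_flag_mismatch(icmpv6: bytes, expected_other: bool) -> bool:
    """True when the advertised O flag differs from the value the operator
    expects on this segment (hypothetical monitoring check)."""
    return parse_ra(icmpv6)["other"] != expected_other


def build_ra(flags: int, lifetime: int = 1800) -> bytes:
    """Build a constructed sample RA header for the demonstration below."""
    return _RA_FIXED.pack(RA_TYPE, 0, 0, 64, flags, lifetime, 0, 0)


if __name__ == "__main__":
    # Constructed samples: a segment whose legitimate router never sets O.
    for label, sample in (("O clear", build_ra(0x00)), ("O set", build_ra(O_FLAG))):
        print(label, parse_ra(sample), "mismatch:", other_flag_mismatch(sample, False))
```
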
Related Commands
| Command | Description |
|---|---|
| ipv6 nd raguard policy | Defines the RA guard policy name and enters RA guard policy configuration mode. |
outbound-proxy
To configure a Session Initiation Protocol (SIP) outbound proxy for outgoing SIP messages globally on a Cisco IOS voice gateway, use the outbound-proxy command in voice service SIP configuration mode. To globally disable forwarding of SIP messages to a SIP outbound proxy, use the no form of this command.
outbound-proxy {dhcp | ipv4:ip-address[:port-number] | dns:host:domain [reuse]}
no outbound-proxy
Syntax Description
Command Default
The Cisco IOS voice gateway does not forward outbound SIP messages to a proxy.
Command Modes
Voice service VoIP SIP configuration (conf-serv-sip)
Command History
Usage Guidelines
You can use the outbound-proxy command in voice service SIP configuration mode to specify outbound proxy settings globally for a Cisco IOS voice gateway. You can also use the voice-class sip outbound-proxy command in dial peer voice configuration mode to configure settings for an individual dial peer that override or defer to the global settings for the gateway. However, if both a Cisco Unified Communications Manager Express (CME) and a SIP gateway are configured on the same router, then there is a scenario that can cause incoming SIP messages from line-side phones to be confused with SIP messages coming from the network side. To avoid failed calls caused by this scenario, disable the SIP outbound proxy setting for all line-side phones on a dial peer using the outbound-proxy system command in voice register global configuration mode.
Examples
The following example shows how to specify the SIP outbound proxy globally for a Cisco IOS voice gateway using an IP address:
Router> enable
Router# configure terminal
Router(config)# voice service voip
Router(conf-voi-serv)# sip
Router(conf-serv-sip)# outbound-proxy ipv4:10.1.1.1
The following example shows how to specify the SIP outbound proxy globally for a Cisco IOS voice gateway using a destination hostname and domain:
Router> enable
Router# configure terminal
Router(config)# voice service voip
Router(conf-voi-serv)# sip
Router(conf-serv-sip)# outbound-proxy dns:sipproxy:example.com
The following example shows how to specify the SIP outbound proxy globally for a Cisco IOS voice gateway using the DHCP protocol:
Router> enable
Router# configure terminal
Router(config)# voice service voip
Router(conf-voi-serv)# sip
Router(conf-serv-sip)# outbound-proxy dhcp
Related Commands
parameter-map type inspect
To configure an inspect type parameter map for connecting thresholds, timeouts, and other parameters pertaining to the inspect action, use the parameter-map type inspect command in global configuration mode. To delete an inspect type parameter map, use the no form of this command.
parameter-map type inspect {parameter-map-name | global | default}
no parameter-map type inspect {parameter-map-name | global | default}
Syntax Description
| parameter-map-name | Name of the inspect parameter map. |
| global | Defines a global inspect parameter map. |
| default | Defines a default inspect parameter map. |
Command Default
No inspect type parameter maps are set.
Command Modes
Global configuration (config)
Command History
| Release | Modification |
|---|---|
| 12.4(6)T | This command was introduced. |
| 15.1(1)T | The keywords global and default were added. |
| 15.1(2)T | Support for IPv6 was added. |
Usage Guidelines
After you enter the parameter-map type inspect command, you can enter the following commands in parameter-map type inspect configuration mode:
• alert {on | off}
  Turns on Cisco IOS stateful packet inspection alert messages.
• audit-trail {on | off}
  Turns audit trail messages on or off.
• dns-timeout seconds
  Specifies the Domain Name System (DNS) idle timeout.
• icmp idle-timeout seconds
  Configures the timeout for Internet Control Message Protocol (ICMP) sessions.
• max-incomplete {low | high} number-of-connections
  Defines the number of existing half-open sessions that will cause the software to start and stop deleting half-open sessions.
• one-minute {low | high} number-of-connections
  Defines the rate of new half-open session initiation in one minute that will cause the system to start and stop deleting half-open sessions.
• tcp finwait-time seconds
  Specifies how long a TCP session will be managed after the Cisco IOS firewall detects a FIN-exchange.
• tcp idle-time seconds
  Configures the timeout for TCP sessions.
• tcp max-incomplete host threshold [block-time minutes]
  Specifies threshold and blocking time values for TCP host-specific denial-of-service (DoS) detection and prevention.
• tcp synwait-time seconds
  Specifies how long the software will wait for a TCP session to reach the established state before dropping the session.
• udp idle-time seconds
  Configures the timeout of User Datagram Protocol (UDP) sessions going through the firewall.
For more detailed information about these commands, see their individual command descriptions.
Examples
The following example shows a sample inspect parameter map with the Cisco IOS stateful packet inspection alert messages enabled:
parameter-map type inspect eng-network-profile
alert on
The following example shows a sample inspect type parameter map configuration:
parameter-map type inspect eng_network_profile
audit-trail on
alert on
max-incomplete low unlimited
max-incomplete high unlimited
one-minute low unlimited
one-minute high unlimited
udp idle-time 30
icmp idle-time 10
dns-timeout 5
tcp idle-time 3600
tcp finwait-time 5
tcp synwait-time 30
tcp block-non-session
tcp max-incomplete host 1-2147483647 block-time unlimited
sessions maximum:2147483647
Related Commands
passive-interface (IPv6)
To disable sending routing updates on an interface, use the passive-interface command in router configuration mode. To reenable the sending of routing updates, use the no form of this command.
passive-interface [default | interface-type interface-number]
no passive-interface [default | interface-type interface-number]
Syntax Description
| default | (Optional) All interfaces become passive. |
| interface-type interface-number | (Optional) Interface type and number. For more information, use the question mark (?) online help function. |
Command Default
No interfaces are passive. Routing updates are sent to all interfaces on which the routing protocol is enabled.
Command Modes
Router configuration
Command History
Usage Guidelines
If you disable the sending of routing updates on an interface, the particular address prefix will continue to be advertised to other interfaces, and updates from other routers on that interface continue to be received and processed.
The default keyword sets all interfaces as passive by default. You can then configure individual interfaces where adjacencies are desired using the no passive-interface command. The default keyword is useful in Internet service provider (ISP) and large enterprise networks where many of the distribution routers have more than 200 interfaces.
OSPF for IPv6 routing information is neither sent nor received through the specified router interface. The specified interface address appears as a stub network in the OSPF for IPv6 domain.
For the Intermediate System-to-Intermediate System (IS-IS) protocol, this command instructs IS-IS to advertise the IP addresses for the specified interface without actually running IS-IS on that interface. The no form of this command for IS-IS disables advertising IP addresses for the specified address.
Examples
The following example sets all interfaces as passive, then activates Ethernet interface 0:
Router(config-router)# passive-interface default
Router(config-router)# no passive-interface ethernet0/0
passive-interface (OSPFv3)
To suppress sending routing updates on an interface when using an IPv4 Open Shortest Path First version 3 (OSPFv3) process, use the passive-interface command in router configuration mode. To reenable the sending of routing updates, use the no form of this command.
passive-interface [default | interface-type interface-number]
no passive-interface [default | interface-type interface-number]
Syntax Description
| default | (Optional) All interfaces become passive. |
| interface-type interface-number | (Optional) Interface type and number. For more information, use the question mark (?) online help function. |
Command Default
No interfaces are passive. Routing updates are sent to all interfaces on which the routing protocol is enabled.
Command Modes
OSPFv3 router configuration mode (config-router)
Command History
Usage Guidelines
If you suppress the sending of routing updates on an interface, the particular address prefix will continue to be advertised to other interfaces, and updates from other routers on that interface continue to be received and processed.
The default keyword sets all interfaces as passive by default. You can then configure individual interfaces where adjacencies are desired using the no passive-interface command. The default keyword is useful in Internet service provider (ISP) and large enterprise networks where many of the distribution routers have more than 200 interfaces.
Examples
The following example sets all interfaces as passive, then activates Ethernet interface 0/0:
Router(config-router)# passive-interface default
Router(config-router)# no passive-interface ethernet0/0
Related Commands
| Command | Description |
|---|---|
| default (OSPFv3) | Returns an OSPFv3 parameter to its default value. |
| router ospfv3 | Enables OSPFv3 router configuration mode for the IPv4 or IPv6 address family. |
password (ca-trustpoint)
To specify the revocation password for the certificate, use the password command in ca-trustpoint configuration mode. To erase any stored passwords, use the no form of this command.
password string
no password
Syntax Description
| string | Name of the password. |
Defaults
You are prompted for the password during certificate enrollment.
Command Modes
Ca-trustpoint configuration
Command History
| Release | Modification |
|---|---|
| 12.2(8)T | This command was introduced. |
| 12.4(24)T | Support for IPv6 Secure Neighbor Discovery (SeND) was added. |
Usage Guidelines
Before you can issue the password command, you must enable the crypto ca trustpoint command, which declares the certification authority (CA) that your router should use and enters ca-trustpoint configuration mode.
This command allows you to specify the revocation password for the certificate before actual certificate enrollment begins. The specified password is encrypted when the updated configuration is written to NVRAM by the router.
If this command is enabled, you will not be prompted for a password during certificate enrollment.
Examples
The following example shows how to specify the password "revokeme" for the certificate request:
crypto ca trustpoint trustpoint1
enrollment url http://trustpoint1.example.com/
subject-name OU=Spiral Dept., O=example1.com
ip-address ethernet-0
auto-enroll regenerate
password revokeme
Related Commands
| Command | Description |
|---|---|
| crypto ca trustpoint | Declares the CA that your router should use. |
peer default ipv6 address pool
To specify the pool from which client prefixes are assigned, use the peer default ipv6 address pool command in interface configuration mode. To disable a prior peer IPv6 address pooling configuration on an interface, or to remove the default address from your configuration, use the no form of this command.
peer default ipv6 address pool pool-name
no peer default ipv6 address pool
Syntax Description
| pool-name | Name of a local address pool created using the ipv6 local pool command. |
Command Default
The default pool name is pool.
Command Modes
Interface configuration
Command History
| Release | Modification |
|---|---|
| 12.2(13)T | This command was introduced. |
Usage Guidelines
This command applies to point-to-point interfaces that support PPP encapsulation. This command sets the address used on the remote (PC) side.
This command allows an administrator to configure all possible address pooling mechanisms on an interface-by-interface basis.
Examples
The following command specifies that this interface will use a local IPv6 address pool named pool3:
peer default ipv6 address pool pool3
In the following example, the pool1 pool is assigned to virtual template 1:
interface Virtual-Template1
ipv6 enable
no ipv6 nd suppress-ra
peer default ipv6 address pool pool1
ppp authentication chap
Related Commands
permit (IPv6)
To set permit conditions for an IPv6 access list, use the permit command in IPv6 access list configuration mode. To remove the permit conditions, use the no form of this command.
permit protocol {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
no permit {protocol} {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
Internet Control Message Protocol
permit icmp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [icmp-type [icmp-code] | icmp-message] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [routing] [routing-type routing-number] [sequence value] [time-range name]
Transmission Control Protocol
permit tcp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [ack] [dest-option-type [doh-number | doh-type]] [dscp value] [established] [fin] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [neq {port | protocol}] [psh] [range {port | protocol}] [reflect name [timeout value]] [routing] [routing-type routing-number] [rst] [sequence value] [syn] [time-range name] [urg]
User Datagram Protocol
permit udp {source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth} [operator [port-number]] {destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth} [operator [port-number]] [dest-option-type [doh-number | doh-type]] [dscp value] [flow-label value] [fragments] [log] [log-input] [mobility] [mobility-type [mh-number | mh-type]] [neq {port | protocol}] [range {port | protocol}] [reflect name [timeout value]] [routing] [routing-type routing-number] [sequence value] [time-range name]
Syntax Description
Command Default
No IPv6 access list is defined.
Command Modes
IPv6 access list configuration
Command History
Usage Guidelines
The permit (IPv6) command is similar to the permit (IP) command, except that it is IPv6-specific.
Use the permit (IPv6) command following the ipv6 access-list command to define the conditions under which a packet passes the access list or to define the access list as a reflexive access list.
Specifying IPv6 for the protocol argument matches against the IPv6 header of the packet.
By default, the first statement in an access list is number 10, and the subsequent statements are incremented by 10.
You can add permit, deny, remark, or evaluate statements to an existing access list without retyping the entire list. To add a new statement anywhere other than at the end of the list, create a new statement with an appropriate entry number that falls between two existing entry numbers to indicate where it belongs.
In Cisco IOS Release 12.2(2)T or later releases, 12.0(21)ST, and 12.0(22)S, IPv6 access control lists (ACLs) are defined and their deny and permit conditions are set by using the ipv6 access-list command with the deny and permit keywords in global configuration mode. In Cisco IOS Release 12.0(23)S or later releases, IPv6 ACLs are defined by using the ipv6 access-list command in global configuration mode and their permit and deny conditions are set by using the deny and permit commands in IPv6 access list configuration mode. Refer to the ipv6 access-list command for more information on defining IPv6 ACLs.
Note: In Cisco IOS Release 12.0(23)S or later releases, every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take effect.
The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Both the source-ipv6-prefix/prefix-length and destination-ipv6-prefix/prefix-length arguments are used for traffic filtering (the source prefix filters traffic based upon the traffic source; the destination prefix filters traffic based upon the traffic destination).
Note: IPv6 prefix lists, not access lists, should be used for filtering routing protocol prefixes.
The fragments keyword is an option only if the operator [port-number] arguments are not specified.
The following is a list of ICMP message names:
• beyond-scope
• destination-unreachable
• echo-reply
• echo-request
• header
• hop-limit
• mld-query
• mld-reduction
• mld-report
• nd-na
• nd-ns
• next-header
• no-admin
• no-route
• packet-too-big
• parameter-option
• parameter-problem
• port-unreachable
• reassembly-timeout
• renum-command
• renum-result
• renum-seq-number
• router-advertisement
• router-renumbering
• router-solicitation
• time-exceeded
• unreachable
Defining Reflexive Access Lists
To define an IPv6 reflexive list, a form of session filtering, use the reflect keyword in the permit (IPv6) command. The reflect keyword creates an IPv6 reflexive access list and triggers the creation of entries in the reflexive access list. The reflect keyword must be an entry (condition statement) in an IPv6 access list.
Note: For IPv6 reflexive access lists to work, you must nest the reflexive access list using the evaluate command.
If you are configuring IPv6 reflexive access lists for an external interface, the IPv6 access list should be one that is applied to outbound traffic.
If you are configuring an IPv6 reflexive access list for an internal interface, the IPv6 access list should be one that is applied to inbound traffic.
IPv6 sessions that originate from within your network are initiated with a packet exiting your network. When such a packet is evaluated against the statements in the IPv6 access list, the packet is also evaluated against the IPv6 reflexive permit entry.
As with all IPv6 access list entries, the order of entries is important, because they are evaluated in sequential order. When an IPv6 packet reaches the interface, it will be evaluated sequentially by each entry in the access list until a match occurs.
If the packet matches an entry prior to the reflexive permit entry, the packet will not be evaluated by the reflexive permit entry, and no temporary entry will be created for the reflexive access list (session filtering will not be triggered).
The packet will be evaluated by the reflexive permit entry if no other match occurs first. Then, if the packet matches the protocol specified in the reflexive permit entry, the packet is forwarded and a corresponding temporary entry is created in the reflexive access list (unless the corresponding entry already exists, indicating that the packet belongs to a session in progress). The temporary entry specifies criteria that permit traffic into your network only for the same session.
Characteristics of Reflexive Access List Entries
The permit (IPv6) command with the reflect keyword enables the creation of temporary entries in the same IPv6 reflexive access list that was defined by the permit (IPv6) command. The temporary entries are created when an IPv6 packet exiting your network matches the protocol specified in the permit (IPv6) command. (The packet "triggers" the creation of a temporary entry.) These entries have the following characteristics:
• The entry is a permit entry.
• The entry specifies the same IP upper-layer protocol as the original triggering packet.
• The entry specifies the same source and destination addresses as the original triggering packet, except that the addresses are swapped.
• If the original triggering packet is TCP or UDP, the entry specifies the same source and destination port numbers as the original packet, except that the port numbers are swapped.
• If the original triggering packet is a protocol other than TCP or UDP, port numbers do not apply, and other criteria are specified. For example, for ICMP, type numbers are used: The temporary entry specifies the same type number as the original packet (with only one exception: if the original ICMP packet is type 8, the returning ICMP packet must be type 0 to be matched).
• The entry inherits all the values of the original triggering packet, with exceptions only as noted in the previous four bullets.
• IPv6 traffic entering your internal network will be evaluated against the entry, until the entry expires. If an IPv6 packet matches the entry, the packet will be forwarded into your network.
• The entry will expire (be removed) after the last packet of the session is matched.
• If no packets belonging to the session are detected for a configured length of time (the timeout period), the entry will expire.
Examples
The following example configures two IPv6 access lists named OUTBOUND and INBOUND and applies both access lists to outbound and inbound traffic on Ethernet interface 0. The first and second permit entries in the OUTBOUND list permit all TCP and UDP packets from network 2001:0DB8:0300:0201::/64 to exit out of Ethernet interface 0. The entries also configure the temporary IPv6 reflexive access list named REFLECTOUT to filter returning (incoming) TCP and UDP packets on Ethernet interface 0. The first deny entry in the OUTBOUND list keeps all packets from the network FEC0:0:0:0201::/64 (packets that have the site-local prefix FEC0:0:0:0201 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0. The third permit entry in the OUTBOUND list permits all ICMP packets to exit out of Ethernet interface 0.
The permit entry in the INBOUND list permits all ICMP packets to enter Ethernet interface 0. The evaluate command in the list applies the temporary IPv6 reflexive access list named REFLECTOUT to inbound TCP and UDP packets on Ethernet interface 0. When outgoing TCP or UDP packets are permitted on Ethernet interface 0 by the OUTBOUND list, the INBOUND list uses the REFLECTOUT list to match (evaluate) the returning (incoming) TCP and UDP packets. Refer to the evaluate command for more information on nesting IPv6 reflexive access lists within IPv6 ACLs.
ipv6 access-list OUTBOUND
permit tcp 2001:0DB8:0300:0201::/64 any reflect REFLECTOUT
permit udp 2001:0DB8:0300:0201::/64 any reflect REFLECTOUT
deny ipv6 FEC0:0:0:0201::/64 any
permit icmp any any
ipv6 access-list INBOUND
permit icmp any any
evaluate REFLECTOUT
interface ethernet 0
ipv6 traffic-filter OUTBOUND out
ipv6 traffic-filter INBOUND in
Note: Given that a permit any any statement is not included as the last entry in the OUTBOUND or INBOUND access list, only TCP, UDP, and ICMP packets will be permitted out of and in to Ethernet interface 0 (the implicit deny all condition at the end of the access list denies all other packet types on the interface).
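The following added example (a simplified Python model, not Cisco code and not part of the original reference) walks packets through the OUTBOUND, INBOUND and REFLECTOUT lists above to show how a temporary entry is created with swapped addresses and ports, how it expires after the idle timeout, and why an earlier matching entry prevents session filtering. The host and server addresses and the 180-second timeout are constructed values; the deny entry is modelled as matching all IPv6 traffic, as the text describes, and expiry on the last packet of a session is not modelled.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0
    dport: int = 0


# (action, protocol, source prefix, reflexive list name); destination is "any".
OUTBOUND = [
    ("permit", "tcp", "2001:0DB8:0300:0201::/64", "REFLECTOUT"),
    ("permit", "udp", "2001:0DB8:0300:0201::/64", "REFLECTOUT"),
    ("deny", "ipv6", "FEC0:0:0:0201::/64", None),
    ("permit", "icmp", "::/0", None),
]
INBOUND = [
    ("permit", "icmp", "::/0", None),
    ("evaluate", None, None, "REFLECTOUT"),
]


def _key(proto, src, dst, sport, dport):
    # Normalise address text so differently written forms compare equal.
    return (proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), sport, dport)


def _matches(proto, prefix, pkt):
    if proto not in ("ipv6", pkt.proto):
        return False
    return ipaddress.ip_address(pkt.src) in ipaddress.ip_network(prefix)


class ReflexiveFilter:
    def __init__(self, outbound, inbound, timeout=180):  # timeout: constructed value
        self.outbound_acl, self.inbound_acl, self.timeout = outbound, inbound, timeout
        self.reflexive = {}  # list name -> {session key: expiry time}

    def outbound(self, pkt, now):
        for action, proto, prefix, reflect in self.outbound_acl:
            if not _matches(proto, prefix, pkt):
                continue
            if action == "permit" and reflect:
                # Temporary entry: same protocol, addresses and ports swapped.
                key = _key(pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
                self.reflexive.setdefault(reflect, {})[key] = now + self.timeout
            return action  # first match wins; later entries are never consulted
        return "deny"      # implicit deny at the end of the list

    def inbound(self, pkt, now):
        for action, proto, prefix, name in self.inbound_acl:
            if action == "evaluate":
                table = self.reflexive.get(name, {})
                key = _key(pkt.proto, pkt.src, pkt.dst, pkt.sport, pkt.dport)
                expiry = table.get(key)
                if expiry is None:
                    continue
                if now > expiry:          # idle timeout passed: entry is removed
                    del table[key]
                    continue
                table[key] = now + self.timeout
                return "permit"
            if _matches(proto, prefix, pkt):
                return action
        return "deny"


def demo():
    host, server = "2001:db8:300:201::10", "2001:db8:ffff::1"  # constructed addresses
    fw, r = ReflexiveFilter(OUTBOUND, INBOUND), {}
    r["out_tcp"] = fw.outbound(Packet("tcp", host, server, 49152, 443), now=0)
    r["reply"] = fw.inbound(Packet("tcp", server, host, 443, 49152), now=10)
    r["unsolicited"] = fw.inbound(Packet("tcp", server, host, 443, 50000), now=11)
    r["after_idle"] = fw.inbound(Packet("tcp", server, host, 443, 49152),
                                 now=10 + fw.timeout + 1)
    r["site_local"] = fw.outbound(Packet("udp", "fec0:0:0:201::5", server, 5000, 53), now=0)
    # An entry placed before the reflect entry matches first, so no temporary
    # entry is created and the returning traffic is dropped.
    fw2 = ReflexiveFilter([("permit", "tcp", "::/0", None)] + OUTBOUND, INBOUND)
    r["misordered_out"] = fw2.outbound(Packet("tcp", host, server, 49152, 443), now=0)
    r["misordered_reply"] = fw2.inbound(Packet("tcp", server, host, 443, 49152), now=1)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:18} {verdict}")
```
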
The following example shows how to allow the matching of any UDP traffic. The authentication header may be present.
permit udp any any sequence 10
The following example shows how to allow the matching of only TCP traffic if the authentication header is also present.
permit tcp any any auth sequence 20
The following example shows how to allow the matching of any IPv6 traffic where the authentication header is present.
permit ahp any any sequence 30
Related Commands
ping
To diagnose basic network connectivity on AppleTalk, ATM, Connectionless Network Service (CLNS), DECnet, IP, Novell IPX, or source-route bridging (SRB) networks, use the ping command in user EXEC or privileged EXEC mode.
ping [[protocol [tag]] {host-name | system-address}]
Syntax Description
Command Default
This command has no default values.
Command Modes
User EXEC (>)
Privileged EXEC (#)
Command History
Usage Guidelines
The ping command sends an echo request packet to an address then waits for a reply. Ping output can help you evaluate path-to-host reliability, delays over the path, and whether the host can be reached or is functioning. For example, the ping clns command sends International Organization for Standardization (ISO) CLNS echo packets to test the reachability of a remote router over a connectionless Open System Interconnection (OSI) network.
If you enter the ping command without any keywords or argument values, an interactive system dialog prompts you for the additional syntax appropriate to the protocol you specify. (See the "Examples" section.)
To exit the interactive ping dialog before responding to all the prompts, type the escape sequence. The default escape sequence is Ctrl-^, X (simultaneously press and release the Ctrl, Shift, and 6 keys, and then press the X key). The escape sequence will vary depending on your line configuration. For example, another commonly used escape sequence is Ctrl-c.
Table 39 describes the test characters sent by the ping facility.
Note: Not all protocols require hosts to support pings. For some protocols, the pings are Cisco defined and can be answered only by another Cisco router.
The availability of protocol keywords depends on what protocols are enabled on your system.
Issuing the ping command in user EXEC mode will generally offer fewer syntax options than issuing the ping command in privileged EXEC mode.
Examples
After you enter the ping command in privileged EXEC mode, the system prompts you for a protocol keyword. The default protocol is IP.
If you enter a hostname or address on the same line as the ping command, the default action is taken as appropriate for the protocol type of that name or address.
The following example is sample dialog from the ping command using default values. The specific dialog varies somewhat from protocol to protocol.
Router# ping
Protocol [ip]:
Target IP address: 192.168.7.27
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.7.27, timeout is 2 seconds:
!!!!!
Success rate is 100 percent, round-trip min/avg/max = 1/2/4 ms
Table 40 describes the significant fields shown in the display.
The following example verifies connectivity to the neighboring ATM device for the ATM permanent virtual circuit (PVC) with the virtual path identifier (VPI)/virtual channel identifier (VCI) value 0/16:
Router# ping
Protocol [ip]:atm
ATM Interface:atm1/0
VPI value [0]:
VCI value [1]:16
Loopback - End(0), Segment(1) [0]:1
Repeat Count [5]:
Timeout [2]:
Type escape sequence to abort.
Sending 5, 53-byte segment OAM echoes, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Table 41 describes the default ping fields shown in the display.
Related Commands
ping ipv6
To diagnose basic network connectivity when using IPv6, use the ping ipv6 command in user EXEC or privileged EXEC mode.
ping ipv6 ipv6-address [data hex-data-pattern | repeat repeat-count | size datagram-size | source [async | bvi | ctunnel | dialer | ethernet | fastEthernet | gigabitEthernet | loopback | mfr | multilink | null | port-channel | tunnel | virtual-template | source-address | xtagatm] | timeout seconds | verbose]
Syntax Description
Command Modes
User EXEC
Privileged EXEC
Command History
Usage Guidelines
The user-level ping feature provides a basic ping facility for users that do not have system privileges. This feature allows the Cisco IOS software to perform the simple default ping functionality for a number of protocols.
The ping program sends an echo request packet to an address, then awaits a reply. Ping output can help you evaluate path-to-host reliability, delays over the path, and whether the host can be reached or is functioning.
If the system cannot map an address for a hostname, it returns an "%Unrecognized host or address, or protocol not running" message.
To abnormally terminate a ping session, type the escape sequence—by default, Ctrl-^ X. You type the default by simultaneously pressing and releasing the Ctrl, Shift, and 6 keys, and then pressing the X key.
Table 42 describes the characters displayed by the ping facility in IPv6.
Note: Not all protocols require hosts to support pings. For some protocols, the pings are Cisco-defined and are answered only by another Cisco router.
When the ping ipv6 command is enabled, the router attempts to resolve hostnames into IPv6 addresses before trying to resolve them into IPv4 addresses, so if a hostname resolves to both an IPv6 and an IPv4 address and you specifically want to use the IPv4 address, use the ping (IPv4) command.
Examples
The following user EXEC example shows sample output for the ping ipv6 command:
Router# ping ipv6 2001:0DB8::3/64
Target IPv6 address: 2001:0DB8::3/64
Repeat count [5]:
Datagram size [100]:48
Timeout in seconds [2]:
Extended commands? [no]: yes
UDP protocol? [no]:
Verbose? [no]:
Precedence [0]:
DSCP [0]:
Include hop by hop option? [no]:yes
Include destination option? [no]:y
% Using size of 64 to accommodate extension headers
Sweep range of sizes? [no]:y
Sweep min size [100]: 100
Sweep max size [18024]: 150
Sweep interval [1]: 5
Sending 55, [100..150]-byte ICMP Echos to 2001:0DB8::3/64, timeout is 2 seconds:
Success rate is 100 percent
round-trip min/avg/max = 2/5/10 ms
Table 43 describes the default ping ipv6 fields shown in the display.
ping vrf
To test a connection in the context of a specific VPN connection, use the ping vrf command in user EXEC or privileged EXEC mode.
ping vrf vrf-name [tag] [connection] target-address [connection-options]
Syntax Description
Command Default
The default connection type for ping is IPv4.
Command Modes
User EXEC
Privileged EXEC
Command History
Usage Guidelines
A VPN routing and forwarding (VRF) instance is used to identify a VPN. To check if a configured VRF is working, you can use the ping vrf command.
When attempting to ping from a provider edge (PE) router to a customer edge (CE) router, or from a PE router to PE router, the standard ping command will not usually work. The ping vrf command allows you to ping the IP addresses of LAN interfaces on CE routers.
If you are on a PE router, be sure to indicate the specific VRF (VPN) name, as shown in the "Examples" section.
If all required information is not provided at the command line, the system will enter the interactive dialog (extended mode) for ping.
Examples
In the following example, the target host in the domain 209.165.201.1 is pinged (using IP/ICMP) in the context of the "CustomerA" VPN connection.
Router# ping vrf CustomerA 209.165.201.1
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.201.1, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 176/264/576 ms
Pressing the Enter key before providing all of the required options will begin the interactive dialog for ping. In the following example, the interactive dialog is started after the "ip" protocol is specified, but no address is given:
Router# ping vrf CustomerB ip
Target IP address: 209.165.200.225
Repeat count [5]:
Datagram size [100]:
Timeout in seconds [2]:
Extended commands [n]: y
Source address or interface:
Type of service [0]:
Set DF bit in IP header? [no]:
Validate reply data? [no]:
Data pattern [0xABCD]:
Loose, Strict, Record, Timestamp, Verbose[none]: Record
Number of hops [ 9 ]:
Loose, Strict, Record, Timestamp, Verbose[RV]:
Sweep range of sizes [n]:
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 209.165.200.225, timeout is 2 seconds:
Packet has IP options: Total option bytes= 39, padded length=40
Record route: <*>
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
(0.0.0.0)
.
.
.
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/4/4 ms
The following example shows the various options for IP in the ping vrf command:
Router# show parser dump exec | include ping vrf
1 ping vrf <string>
1 ping vrf <string> ip <string>
1 ping vrf <string> ip (interactive)
1 ping vrf <string> ip <string>
1 ping vrf <string> ip <string> source <address>
1 ping vrf <string> ip <string> source <interface>
1 ping vrf <string> ip <string> repeat <1-2147483647>
1 ping vrf <string> ip <string> size Number
1 ping vrf <string> ip <string> df-bit
1 ping vrf <string> ip <string> validate
1 ping vrf <string> ip <string> data <0-65535>
1 ping vrf <string> ip <string> timeout <0-3600>
1 ping vrf <string> ip <string> verbose
1 ping vrf <string> ip <string> data <0-65535>
1 ping vrf <string> ip <string> timeout <0-3600>
1 ping vrf <string> tag
1 ping vrf <string> atm
1 ping vrf <string> ipv6
1 ping vrf <string> appletalk
1 ping vrf <string> decnet
1 ping vrf <string> clns
1 ping vrf <string> ipx
1 ping vrf <string> sna
1 ping vrf <string> srb
Related Commands
platform ipv6 acl fragment hardware
To permit or deny fragments at hardware, use the platform ipv6 acl fragment hardware command in global configuration mode. To reset the IPv6 fragment handling to bridged mode, use the no form of this command.
platform ipv6 acl fragment hardware {forward | drop}
no platform ipv6 acl fragment hardware {forward | drop}
Syntax Description
| forward | Forwards the IPv6 fragments in the hardware. |
| drop | Drops the IPv6 fragments in the hardware. |
Command Default
The no form of this command is the default behavior.
Command Modes
Global configuration (config)
Command History
| Release | Modification |
|---|---|
| 12.2(33)SXH | This command was introduced. |
Usage Guidelines
The PFC3A, PFC3B, and PFC3BXL are unable to handle IPv6 fragments in hardware, and all IPv6 fragments are handled in software. This could result in high CPU utilization if your traffic includes a large number of IPv6 fragments. This limitation is handled in the PFC3C hardware. The platform ipv6 acl fragment hardware command provides a software workaround for the PFC3A, PFC3B, and PFC3BXL by specifying either to permit or drop all IPv6 fragments in hardware.
Note: When you enter the drop keyword, a small portion of the packets is leaked to the software (for ICMP message generation) and forwarded in software.
The platform ipv6 acl fragment hardware command overrides the following actions:
• Any ACE in the IPv6 filter (ACL) that contains the fragment keyword. If the ACE in the ACL contains the fragment keyword, the associated action (permit | deny | log) is not taken, and the action (permit | drop) specified by the platform ipv6 acl fragment hardware command is taken.
• Any IPv6 ACL that contains ACEs that implicitly permit IPv6 fragments; for example, permit ACEs that contain Layer 4 ports to implicitly permit fragments only.
• If the IPv6 fragment hits the implicit deny any any ACE added at the end of the ACL, the IPv6 fragment will not get hit.
Examples
This example shows how to forward the IPv6 fragments at hardware:
Router(config)# platform ipv6 acl fragment hardware forward
This example shows how to drop the IPv6 fragments at hardware:
Router(config)# platform ipv6 acl fragment hardware drop
platform ipv6 acl icmp optimize neighbor-discovery
To optimize ternary content addressable memory (TCAM) support for IPv6 access lists (ACLs), use the platform ipv6 acl icmp optimize neighbor-discovery command in global configuration mode. To disable optimization of TCAM support for IPv6 ACLs, use the no form of this command.
platform ipv6 acl icmp optimize neighbor-discovery
no platform ipv6 acl icmp optimize neighbor-discovery
Syntax Description
This command has no arguments or keywords.
Command Default
This command is disabled.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| 12.2(18)SXE | This command was introduced on the Supervisor Engine 720. |
| 12.2(33)SRA | This command was integrated into Cisco IOS Release 12.2(33)SRA. |
Usage Guidelines
Note: Use this command under the direction of the Cisco Technical Assistance Center only.
When you enable optimization of the TCAM support for IPv6 ACLs, the global Internet Control Message Protocol version 6 (ICMPv6) neighbor-discovery ACL at the top of the TCAM is programmed to permit all ICMPv6 neighbor-discovery packets. Enabling optimization prevents the addition of ICMPv6 access control entries (ACEs) at the end of every IPv6 security ACL, reducing the number of TCAM resources being used. Enabling this command reprograms IPv6 ACLs on all interfaces.
Note: The ICMPv6 neighbor-discovery ACL at the top of the TCAM takes precedence over security ACLs for ICMP neighbor-discovery packets that you have configured, but has no effect if you have a bridge/deny that overlaps with the global ICMP ACL.
Examples
This example shows how to optimize TCAM support for IPv6 ACLs:
Router(config)# platform ipv6 acl icmp optimize neighbor-discovery
This example shows how to disable optimization of TCAM support for IPv6 ACLs:
Router(config)# no platform ipv6 acl icmp optimize neighbor-discovery
platform ipv6 acl punt extension-header
To enable processing of IPv6 packets with extension headers in software on the RP, use the platform ipv6 acl punt extension-header command in global configuration mode. To disable processing of IPv6 packets with extension headers in software on the RP, use the no form of this command.
platform ipv6 acl punt extension-header
no platform ipv6 acl punt extension-header
Syntax Description
This command has no arguments or keywords.
Command Default
IPv6 packets with extension headers are processed in software.
Command Modes
Global configuration mode
Command History
| Release | Modification |
|---|---|
| 12.2(33)SXH7 | This command was introduced on the Supervisor Engine 720. |
Usage Guidelines
If your IPv6 traffic does not specify a Layer 4 protocol, software processing of IPv6 packets with extension headers is unnecessary. If your IPv6 traffic specifies a Layer 4 protocol, you can enter the platform ipv6 acl punt extension-header global configuration command to enable software processing of IPv6 packets with extension headers.
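Why a Layer 4 match forces extension-header processing, shown as an added example (not Cisco code and not a model of the Supervisor Engine hardware): the function walks the RFC 8200 header chain to find the upper-layer protocol and ports. The packets, addresses and port numbers are constructed for illustration, and all function names are hypothetical.

```python
import struct

HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS = 0, 43, 44, 51, 60
EXTENSION_HEADERS = {HOP_BY_HOP, ROUTING, FRAGMENT, AUTH, DEST_OPTS}
TCP, UDP = 6, 17


def needs_chain_walk(packet):
    """True when the L4 header is not directly behind the fixed IPv6 header."""
    return packet[6] in EXTENSION_HEADERS


def classify(packet):
    """Walk the extension-header chain and report what an L4-aware filter can see."""
    if len(packet) < 40 or packet[0] >> 4 != 6:
        raise ValueError("not an IPv6 packet")
    next_header, offset = packet[6], 40
    chain, fragment = [], None
    while next_header in EXTENSION_HEADERS:
        if offset + 8 > len(packet):
            raise ValueError("truncated extension header")
        if next_header == FRAGMENT:
            length = 8  # the fragment header has a fixed size
            field = struct.unpack_from("!H", packet, offset + 2)[0]
            fragment = {"offset": field >> 3, "more": bool(field & 1)}
        elif next_header == AUTH:
            length = (packet[offset + 1] + 2) * 4  # AH length counts 32-bit words
        else:
            length = (packet[offset + 1] + 1) * 8  # others count 8-octet units
        chain.append(next_header)
        next_header = packet[offset]
        offset += length
        if fragment is not None and fragment["offset"] != 0:
            break  # non-first fragment: what follows is mid-payload data
    first_or_whole = fragment is None or fragment["offset"] == 0
    ports = None
    if first_or_whole and next_header in (TCP, UDP) and offset + 4 <= len(packet):
        ports = struct.unpack_from("!HH", packet, offset)
    return {"chain": chain, "protocol": next_header,
            "fragment": fragment, "ports": ports}


# --- Constructed sample packets (documentation prefix, made-up ports) ---
SRC = bytes.fromhex("20010db8" + "00" * 11 + "01")
DST = bytes.fromhex("20010db8" + "00" * 11 + "03")


def ipv6(next_header, payload):
    fixed = struct.pack("!IHBB", 6 << 28, len(payload), next_header, 64)
    return fixed + SRC + DST + payload


def options(next_header):
    # Hop-by-hop or destination options header carrying one 6-octet PadN option
    return bytes([next_header, 0, 1, 4, 0, 0, 0, 0])


def frag(next_header, offset, more):
    return struct.pack("!BBHI", next_header, 0, (offset << 3) | int(more), 0x1234)


TCP_STUB = struct.pack("!HH", 49152, 179) + bytes(16)

PLAIN = ipv6(TCP, TCP_STUB)
FIRST_FRAGMENT = ipv6(HOP_BY_HOP, options(DEST_OPTS) + options(FRAGMENT)
                      + frag(TCP, 0, True) + TCP_STUB)
LATER_FRAGMENT = ipv6(FRAGMENT, frag(TCP, 185, False) + bytes(32))

if __name__ == "__main__":
    for name, pkt in (("plain", PLAIN), ("first fragment", FIRST_FRAGMENT),
                      ("later fragment", LATER_FRAGMENT)):
        print(name, needs_chain_walk(pkt), classify(pkt))
```

The later fragment carries no Layer 4 header at all, so a port-based ACE has nothing to compare against for that packet.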
Examples
This example shows how to enable processing of IPv6 packets with extension headers in software on the RP:
Router(config)# platform ipv6 acl punt extension-header
Router(config)#
This example shows how to disable processing of IPv6 packets with extension headers in software on the RP:
Router(config)# no platform ipv6 acl punt extension-header
Router(config)#
poison-reverse (IPv6 RIP)
To configure the poison reverse processing of IPv6 Routing Information Protocol (RIP) router updates, use the poison-reverse command in router configuration mode. To disable the poison reverse processing of IPv6 RIP updates, use the no form of this command.
poison-reverse
no poison-reverse
Syntax Description
This command has no keywords or arguments.
Command Default
Poison reverse is not configured.
Command Modes
Router configuration
Command History
Usage Guidelines
This command configures poison reverse processing of IPv6 RIP router updates. When poison reverse is configured, routes learned via RIP are advertised out the interface over which they were learned, but with an unreachable metric.
If both poison reverse and split horizon are configured, then simple split horizon behavior (suppression of routes out of the interface over which they were learned) is replaced by poison reverse behavior.
Examples
The following example configures poison reverse processing for the IPv6 RIP routing process named cisco:
Router(config)# ipv6 router rip cisco
Router(config-rtr)# poison-reverse
Related Commands
| Command | Description |
|---|---|
| split-horizon (IPv6 RIP) | Configures split horizon processing of IPv6 RIP router updates. |
policy-map type inspect
To create a Layer 3 and Layer 4 or a Layer 7 (protocol-specific) inspect type policy map, use the policy-map type inspect command in global configuration mode. To delete an inspect type policy map, use the no form of this command.
Layer 3 and Layer 4 (Top Level) Policy Map Syntax
policy-map type inspect policy-map-name
no policy-map type inspect policy-map-name
Layer 7 (Application-Specific) Policy Map Syntax
policy-map type inspect protocol-name policy-map-name
no policy-map type inspect protocol-name policy-map-name
Syntax Description
Command Default
No policy-map is configured.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the policy-map type inspect command to create a Layer 3, Layer 4 inspect type policy map or a Layer 7 application-specific inspect type policy map. After you create a policy map, you should enter the class type inspect command (as appropriate for your configuration) to specify the traffic (class) on which an action is to be performed. The class was previously defined in a class map. Thereafter, you should enter the inspect command to enable Cisco IOS stateful packet inspection and to specify inspect-specific parameters in a parameter map.
Layer 3, Layer 4 (Top Level) Policy Maps
Top-level policy maps allow you to define high-level actions such as inspect, drop, pass, and urlfilter. You can attach the maps to a target (zone pair). The maps can contain "child" policies that are also known as application-specific Layer 7 policies.
Layer 7 (Application-Specific) Policy Maps
Application-specific policy maps are used to specify a policy for an application protocol. For example, if you want to drop HTTP traffic with Uniform Resource Identifier (URI) lengths exceeding 256 bytes, you must configure an HTTP policy map to do that. Application-specific policy maps cannot be attached directly to a target (zone pair). They must be configured as "child" policies in a top-level Layer 3 or Layer 4 policy map.
Examples
The following example specifies the traffic class (host) on which the drop action is to be performed:
policy-map type inspect mypolicy
class type inspect host
drop
The following example shows how to configure the policy map "my-im-pmap" with two IM classes—AOL and Yahoo Messenger—and allow only text-chat messages to pass through. When any packet with a service other than "text-chat" is seen, the connection will be reset.
class-map type inspect aol match-any my-aol-cmap
match service text-chat
!
class-map type inspect ymsgr match-any my-ysmgr-cmap
match service any
!
policy-map type inspect im my-im-pmap
class type inspect aol my-aol-cmap
allow
log
!
class type inspect ymsgr my-ysmgr-cmap
reset
log
Related Commands
| Command | Description |
|---|---|
| class type inspect | Specifies the traffic (class) on which an action is to be performed. |
port (dial peer)
To associate a dial peer with a specific voice port, use the port command in dial peer configuration mode. To cancel this association, use the no form of this command.
Cisco 1750 and Cisco 3700 Series
port slot-number/port
no port slot-number/port
Cisco 2600 Series, Cisco 3600 Series, and Cisco 7200 Series
port {slot-number/subunit-number/port | slot/port:ds0-group-number}
no port {slot-number/subunit-number/port | slot/port:ds0-group-number}
Cisco AS5300 and Cisco AS5800
port controller-number:D
no port controller-number:D
Cisco uBR92x Series
port slot/subunit/port
no port slot/subunit/port
Syntax Description
Cisco 1750 and Cisco 3700 Series
Cisco 2600 Series, Cisco 3600 Series, and Cisco 7200 Series
Cisco AS5300
| controller-number | The T1 or E1 controller. |
| :D | Indicates the D channel associated with the ISDN PRI. |
Cisco uBR92x series
Command Default
No port is configured.
Command Modes
Dial peer configuration
Command History
Usage Guidelines
This command enables calls that come from a telephony interface to select an incoming dial peer, and enables calls that come from the VoIP network to match a port with the selected outgoing dial peer.
This command applies only to POTS peers.
Note: This command does not support the extended EC feature on the Cisco AS5300.
Examples
The following example associates POTS dial peer 10 with voice port 1, which is located on subunit 0 and accessed through port 0:
dial-peer voice 10 pots
port 1/0/0
The following example associates POTS dial peer 10 with voice port 0:D:
dial-peer voice 10 pots
port 0:D
The following example associates POTS dial peer 10 with voice port 1/0/0:D (T1 card):
dial-peer voice 10 pots
port 1/0/0:D
Related Commands
| Command | Description |
|---|---|
| prefix | Specifies the prefix of the dialed digits for a dial peer. |
port (IPv6 RIP)
To configure a specified User Datagram Protocol (UDP) port and multicast address for an IPv6 Routing Information Protocol (RIP) routing process, use the port command in router configuration mode. To return the port number and multicast address to their default values, use the no form of this command.
port port-number multicast-group multicast-address
no port port-number multicast-group multicast-address
Syntax Description
| port-number | The UDP port number. Can be a number from 1 to 65535. Table 44 in the "Usage Guidelines" section lists common UDP services and their port numbers. |
| multicast-group | Specifies a multicast group. |
| multicast-address | The address or host name of the multicast group. |
Command Default
UDP port 521; multicast address FF02::9
Command Modes
Router configuration
Command History
Usage Guidelines
Two IPv6 RIP routing processes cannot use the same UDP port. If two IPv6 RIP routing processes are configured on the same UDP port, the second process will not start up until the configuration conflict is resolved. Two IPv6 RIP routing processes can use the same multicast address. UDP sources and port numbers are shown in Table 44.
Examples
The following example configures UDP 200 and multicast address FF02::9 for the IPv6 RIP routing process named cisco:
Router(config)# ipv6 router rip cisco
Router(config-rtr-rip)# port 200 multicast-group FF02::9
port (TACACS+)
To specify the TCP port to be used for TACACS+ connections, use the port command in TACACS+ server configuration mode. To remove the TCP port, use the no form of this command.
port [number]
no port [number]
Syntax Description
| number | (Optional) Specifies the port where the TACACS+ server receives access-request packets. The range is from 1 to 65535. |
Command Default
If no port is configured, port 49 is used.
Command Modes
TACACS+ server configuration (config-server-tacacs)
Command History
| Release | Modification |
|---|---|
| Cisco IOS XE Release 3.2S | This command was introduced. |
Usage Guidelines
If the number argument is omitted from the port command, TCP port 49 is used.
Examples
The following example shows how to specify TCP port 12:
Router(config)# tacacs server server1
Router(config-server-tacacs)# port 12
Related Commands
| Command | Description |
|---|---|
| tacacs server | Configures the TACACS+ server for IPv6 or IPv4 and enters TACACS+ server configuration mode. |
ppp accounting
To enable authentication, authorization, and accounting (AAA) accounting services on the selected interface, use the ppp accounting command in interface configuration mode. To disable AAA accounting services, use the no form of this command.
ppp accounting {default | listname}
no ppp accounting
Syntax Description
| default | The name of the method list created with the aaa accounting command. |
| listname | A specified method list. |
Command Default
Accounting is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
After you enable the aaa accounting command and define a named accounting method list (or use the default method list), you must apply the defined lists to the appropriate interfaces for accounting services to take place. Use the ppp accounting command to apply the specified method lists (or if none is specified, the default method list) to the selected interface.
Examples
The following example enables accounting on asynchronous interface 4 and uses the accounting method list named charlie:
interface async 4
encapsulation ppp
ppp accounting list1
Related Commands
| Command | Description |
|---|---|
| aaa accounting | Enables AAA accounting of requested services for billing or security purposes. |
ppp authentication
To enable at least one PPP authentication protocol and to specify the order in which the protocols are selected on the interface, use the ppp authentication command in interface configuration mode. To disable this authentication, use the no form of this command.
ppp authentication {protocol1 [protocol2...]} [if-needed] [list-name | default] [callin] [one-time] [optional]
no ppp authentication
Syntax Description
| protocol1 [protocol2...] | At least one of the keywords described in Table 45. |
| if-needed | (Optional) Used with TACACS and extended TACACS. Does not perform Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) authentication if authentication has already been provided. This option is available only on asynchronous interfaces. |
| list-name | (Optional) Used with authentication, authorization, and accounting (AAA). Specifies the name of a list of methods of authentication to use. If no list name is specified, the system uses the default. The list is created with the aaa authentication ppp command. |
| default | (Optional) Name of the method list created with the aaa authentication ppp command. |
| callin | (Optional) Authentication on incoming (received) calls only. |
| one-time | (Optional) The username and password are accepted in the username field. |
| optional | (Optional) Accepts the connection even if the peer refuses to accept the authentication methods that the router has requested. |
Defaults
PPP authentication is not enabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
When you enable Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), or Extensible Authentication Protocol (EAP) authentication (or all three methods), the local router requires the remote device to prove its identity before allowing data traffic to flow. PAP authentication requires the remote device to send a name and a password, which is checked against a matching entry in the local username database or in the remote security server database. CHAP authentication sends a challenge message to the remote device. The remote device encrypts the challenge value with a shared secret and returns the encrypted value and its name to the local router in a Response message. The local router attempts to match the name of the remote device with an associated secret stored in the local username or remote security server database; it uses the stored secret to encrypt the original challenge and verify that the encrypted values match. EAP works much as CHAP does, except that identity request and response packets are exchanged when EAP starts.
You can enable CHAP, Microsoft CHAP (MS-CHAP), PAP, or EAP in any order. If you enable all four methods, the first method specified is requested during link negotiation. If the peer suggests using the second method, or refuses the first method, the second method is tried. Some remote devices support only one method. Base the order in which you specify methods on the ability of the remote device to correctly negotiate the appropriate method and on the level of data-line security you require. PAP usernames and passwords are sent as clear text strings, which can be intercepted and reused.
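The CHAP exchange described above, next to a PAP request, as an added example that is not Cisco code: RFC 1994 defines the CHAP response as a one-way MD5 hash over the identifier, the shared secret and the challenge, which is why a captured response fails against a fresh challenge while a PAP request carries the same cleartext bytes every time. The peer name, the secret and the class and function names are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample data: the peer name and secret are illustrative only.
SECRETS = {"branch-rtr": b"constructed-shared-secret"}


def chap_response(identifier, secret, challenge):
    """RFC 1994 Response Value: MD5(Identifier || secret || Challenge Value)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Local router: issues challenges and checks the peer's response."""

    def __init__(self, secrets):
        self.secrets = secrets
        self.next_id = 0
        self.pending = {}  # identifier -> challenge still awaiting a response

    def challenge(self):
        ident = self.next_id
        self.next_id = (self.next_id + 1) % 256
        self.pending[ident] = os.urandom(16)  # fresh, unpredictable value
        return ident, self.pending[ident]

    def verify(self, ident, name, response):
        value = self.pending.pop(ident, None)  # each challenge is single use
        secret = self.secrets.get(name)
        if value is None or secret is None:
            return False
        expected = chap_response(ident, secret, value)
        return hmac.compare_digest(expected, response)


def pap_request(name, password):
    """PAP Authenticate-Request data: length-prefixed name and cleartext password."""
    peer = name.encode()
    return bytes([len(peer)]) + peer + bytes([len(password)]) + password


def run_exchange():
    """Return (legitimate login, replay on a new challenge, reuse of a spent challenge)."""
    router = Authenticator(SECRETS)
    ident, value = router.challenge()
    response = chap_response(ident, SECRETS["branch-rtr"], value)
    legitimate = router.verify(ident, "branch-rtr", response)
    # The same response offered again: the challenge it answered is already spent.
    spent = router.verify(ident, "branch-rtr", response)
    # The same response offered against a fresh challenge does not match either.
    ident2, _ = router.challenge()
    replayed = router.verify(ident2, "branch-rtr", response)
    return legitimate, replayed, spent


if __name__ == "__main__":
    print("CHAP legitimate/replayed/spent:", run_exchange())
    # PAP sends identical cleartext bytes on every attempt.
    print("PAP request:", pap_request("branch-rtr", SECRETS["branch-rtr"]))
```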
Table 45 lists the protocols used to negotiate PPP authentication.
Enabling or disabling PPP authentication does not affect the ability of the local router to authenticate itself to the remote device.
If you are using autoselect on a tty line, you can use the ppp authentication command to turn on PPP authentication for the corresponding interface.
MS-CHAP is the Microsoft version of CHAP. Like the standard version of CHAP, MS-CHAP is used for PPP authentication; authentication occurs between a personal computer using Microsoft Windows NT or Microsoft Windows 95 and a Cisco router or access server acting as a network access server.
To configure Cisco PDSN in compliance with the TIA/EIA/IS-835-B standard, you must configure the PDSN virtual template as follows:
ppp authentication chap pap optional
Examples
The following example configures virtual-template interface 4:
interface virtual-template 4
ip unnumbered loopback0
ppp authentication chap pap optional
The following example enables CHAP on asynchronous interface 4 and uses the authentication list MIS-access:
interface async 4
encapsulation ppp
ppp authentication chap MIS-access
The following example enables EAP on dialer interface 1:
interface dialer 1
encapsulation ppp
ppp authentication eap
Related Commands
ppp ipcp
To configure PPP IP Control Protocol (IPCP) features such as the ability to provide primary and secondary Domain Name Server (DNS) and Windows Internet Naming Service (WINS) server addresses, and the ability to accept any address requested by a peer, use the ppp ipcp command in template or interface configuration mode. To disable a PPP IPCP feature, use the no form of this command.
ppp ipcp {accept-address | address {accept | required | unique} | dns {primary-ip-address [secondary-ip-address] [aaa] [accept] | accept | reject | request [accept]} | header-compression ack | ignore-map | mask {subnet-mask | reject | request} | username unique | wins {primary-ip-address [secondary-ip-address] [aaa] [accept] | accept | reject | request [accept]}}
no ppp ipcp {accept-address | address {accept | required | unique} | dns | header-compression ack | ignore-map | mask | predictive | username unique | wins}
Syntax Description
Defaults
No servers are configured, and no address request is made.
Command Modes
Template configuration
Interface configuration (config-if)
Command History
Examples
The following examples show use of the ppp ipcp command:
ppp ipcp accept-address
ppp ipcp dns 10.1.1.3
ppp ipcp dns 10.1.1.3 10.1.1.4
ppp ipcp dns 10.1.1.1 10.1.1.2 accept
ppp ipcp dns accept
ppp ipcp dns reject
ppp ipcp ignore-map
ppp ipcp username unique
ppp ipcp wins 10.1.1.1 10.1.1.2
ppp ipcp wins accept
The following examples show how to use the no form of the ppp ipcp command:
no ppp ipcp wins
no ppp ipcp ignore-map
Related Commands
ppp multilink
To enable Multilink PPP (MLP) on an interface and, optionally, to enable Bandwidth Allocation Control Protocol (BACP) and its Bandwidth Allocation Protocol (BAP) subset for dynamic bandwidth allocation, use the ppp multilink command in interface configuration mode. To disable Multilink PPP or, optionally, to disable only dynamic bandwidth allocation, use the no form of this command.
ppp multilink [bap]
no ppp multilink [bap [required]]
Cisco 10000 Series Router
ppp multilink
no ppp multilink
Syntax Description
Defaults
This command is disabled. When BACP is enabled, the defaults are to accept calls and to set the timeout pending at 30 seconds.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
This command applies only to interfaces that use PPP encapsulation.
MLP and PPP reliable links do not work together.
When the ppp multilink command is used, the first channel will negotiate the appropriate Network Control Protocol (NCP) layers (such as the IP Control Protocol and IPX Control Protocol), but subsequent links will negotiate only the link control protocol and MLP. NCP layers do not get negotiated on these links, and it is normal to see these layers in a closed state.
This command with the bap keyword must be used before configuring any ppp bap commands and options. If the bap required option is configured and a reject of the options is received, the multilink bundle is torn down.
The no form of this command without the bap keyword disables both MLP and BACP on the interface.
The dialer load-threshold command enables a rotary group to bring up additional links and to add them to a multilink bundle.
Before Cisco IOS Release 11.1, the dialer-load threshold 1 command kept a multilink bundle of any number of links connected indefinitely, and the dialer-load threshold 2 command kept a multilink bundle of two links connected indefinitely. If you want a multilink bundle to be connected indefinitely, you must set a very high idle timer.
Note: By default, after changing hostnames, an MLP member link does not undergo failure recovery automatically. You must use the ppp chap hostname command to define the MLP bundle name on an endpoint. If this command is not configured and the hostname is changed, then a link flap will not return the link back to the bundle.
Cisco 10000 Series Router
The ppp multilink command has no arguments or keywords.
Examples
The following partial example shows how to configure a dialer for MLP:
interface Dialer0
ip address 10.0.0.2 255.0.0.0
encapsulation ppp
dialer in-band
dialer idle-timeout 500
dialer map ip 10.0.0.1 name atlanta broadcast 81012345678901
dialer load-threshold 30 either
dialer-group 1
ppp authentication chap
ppp multilink
Related Commands
ppp ncp override local
To track attributes received in authorization from RADIUS, verify the permitted Network Control Program (NCP), reject the current NCP negotiation, and override the local dual-stack configuration, use the ppp ncp override local command in global configuration mode. To disable the configuration, use the no form of this command.
ppp ncp override local
no ppp ncp override local
Syntax Description
This command has no arguments or keywords.
Command Default
The tracking of attributes from RADIUS and the local configuration override are not enabled. The local configuration is used.
Command Modes
Global configuration (config)
Command History
| Release | Modification |
|---|---|
| Cisco IOS XE | This command was introduced. |
Usage Guidelines
Framed attributes are primarily used for address allocation. The RADIUS server maintains a pool of both IPv4 addresses and IPv6 prefixes. If IPv4 address or IPv6 prefix attributes are absent in the access-accept response from RADIUS, the ppp ncp override local command can be used to override local configuration.
Examples
The following example shows how to override the local IPv6 or IPv4 dual-stack configuration:
Router> enable
Router# configure terminal
Router(config)# ppp ncp override local
ppp timeout ncp
To set a time limit for the successful negotiation of at least one network layer protocol after a PPP connection is established, use the ppp timeout ncp command in interface configuration mode. To remove the time limit, use the no form of this command.
ppp timeout ncp seconds
no ppp timeout ncp
Syntax Description
| seconds | Maximum time, in seconds, PPP should wait for negotiation of a network layer protocol. If no network protocol is negotiated in the given time, the connection is disconnected. |
Defaults
No time limit is imposed.
Command Modes
Interface configuration (config-if)
Command History
Usage Guidelines
The ppp timeout ncp command protects against the establishment of links that are physically up and carrying traffic at the link level, but are unusable for carrying data traffic due to failure to negotiate the capability to transport any network level data. This command is particularly useful for dialed connections, where it is usually undesirable to leave a telephone circuit active when it cannot carry network traffic.
Examples
The following example sets the Network Control Protocol (NCP) timer to 8 seconds:
ppp timeout ncp 8
Related Commands
ppp unique address accept-access
To track duplicate addresses received from RADIUS and create a standalone database, use the ppp unique address accept-access command in global configuration mode. To disable this feature and remove the database, use the no form of this command.
ppp unique address accept-access
no ppp unique address accept-access
Syntax Description
This command has no arguments or keywords.
Command Default
This feature is not enabled.
Command Modes
Global configuration
Command History
| Release | Modification |
|---|---|
| Cisco IOS XE Release 3.2S | This command was introduced. |
Usage Guidelines
The ppp unique address accept-access command enables the IPv6 router to track and check duplicate attributes received in an Access-Accept response from RADIUS, and triggers creation of a new, standalone database that contains the Access-Accept responses received since the feature was enabled.
The following RADIUS attributes are tracked in this database and checked when an Access-Accept response is received:
• Framed-IP-Address
• Framed-IPv6-Prefix
• Delegated-IPv6-Prefix
All RADIUS attributes in this list are checked against the database for duplicates and, if none are found, are added to the database exactly as presented in the RADIUS attribute.
Examples
The following example enables this feature:
Router(config)# ppp unique address accept-access
prc-interval (IPv6)
To configure the hold-down period between partial route calculations (PRCs), use the prc-interval command in address family configuration mode. To restore the default interval, use the no form of this command.
prc-interval seconds [initial-wait] [secondary-wait]
no prc-interval seconds
Syntax Description
Command Default
The default is 5 seconds.
Command Modes
Address family configuration
Command History
Usage Guidelines
The prc-interval command is used only in multitopology Intermediate System-to-Intermediate System (IS-IS).
The prc-interval command controls how often Cisco IOS software can perform a PRC. Increasing the PRC interval reduces the processor load of the router, but it could slow the convergence.
This command is analogous to the spf-interval command, which controls the hold-down period between shortest path first (SPF) calculations.
You can use the prc-interval (IPv6) command only when using the IS-IS multitopology for IPv6 feature.
Examples
The following example sets the PRC calculation interval to 20 seconds:
Router(config)# router isis
Router(config-router)# address-family ipv6
Router(config-router-af)# prc-interval 20
Related Commands
| Command | Description |
|---|---|
| spf-interval (IPv6) | Controls how often Cisco IOS software performs the SPF calculation. |
pre-shared-key
To define a preshared key to be used for Internet Key Exchange (IKE) authentication, use the pre-shared-key command in keyring configuration mode. To disable the preshared key, use the no form of this command.
pre-shared-key {address address [mask] | hostname hostname | ipv6 {ipv6-address | ipv6-prefix}} key key
no pre-shared-key {address address [mask] | hostname hostname | ipv6 {ipv6-address | ipv6-prefix}} key key
Syntax Description
Command Default
None
Command Modes
Keyring configuration (config-keyring)
Command History
Usage Guidelines
Before configuring preshared keys, you must configure an Internet Security Association and Key Management Protocol (ISAKMP) profile.
Output for the pre-shared-key command will show that the preshared key is either unencrypted or encrypted. An output example for an unencrypted preshared key would be as follows:
pre-shared-key address 10.1.0.1 key test123
An output example for a type 6 encrypted preshared key would be as follows:
pre-shared-key address 10.1.0.1 key 6 RHZE[JACMUI\bcbTdELISAAB
Examples
The following example shows how to configure a preshared key using an IP address and hostname:
Router(config)# crypto keyring vpnkeyring
Router(config-keyring)# pre-shared-key address 10.72.23.11 key vpnkey
Router(config-keyring)# pre-shared-key hostname www.vpn.com key vpnkey
Related Commands
| Command | Description |
|---|---|
| crypto keyring | Defines a crypto keyring to be used during IKE authentication. |
prefix-delegation
To specify a manually configured numeric prefix to be delegated to a specified client (and optionally a specified identity association for prefix delegation [IAPD] for that client), use the prefix-delegation command in DHCP for IPv6 pool configuration mode. To remove the prefix, use the no form of this command.
prefix-delegation ipv6-prefix/prefix-length client-DUID [iaid iaid] [lifetime]
no prefix-delegation ipv6-prefix/prefix-length client-DUID [iaid iaid]
Syntax Description
Command Default
No manually configured prefix delegations exist.
Command Modes
DHCP for IPv6 pool configuration
Command History
| Release | Modification |
|---|---|
| 12.3(4)T | This command was introduced. |
Usage Guidelines
Administrators can manually configure a list of prefixes and associated preferred and valid lifetimes for an IAPD of a specific client that is identified by its DUID. This static binding of client and prefixes can be specified based on users' subscription to an ISP using the prefix-delegation prefix-length command.
The client-DUID argument identifies the client to which the prefix is delegated. All the configured prefixes will be assigned to the specified IAPD of the client. The IAPD to which the prefix is assigned is identified by the iaid argument if the iaid keyword is configured. If the iaid keyword is not configured, the prefix will be assigned to the first IAPD from the client that does not have a static binding. This function is intended to make it convenient for administrators to manually configure prefixes for a client that only sends one IAPD in case it is not easy to know the iaid in advance.
When the delegating router receives a request from a client, it checks whether there is a static binding configured for the IAPD in the client's message. If one is present, the prefixes in the binding are returned to the client. If no such binding is found, the server attempts to assign prefixes for the client from other sources.
Optionally, valid and preferred lifetimes can be specified for the prefixes assigned from this pool. Users should coordinate the specified lifetimes with the lifetimes on prefixes from the upstream delegating router if the prefixes were acquired from that router.
The lifetime keyword can be specified in one of two ways:
•A fixed duration that stays the same in consecutive advertisements.
•Absolute expiration time in the future so that advertised lifetime decrements in real time, which will result in a lifetime of 0 at the specified time in the future.
The specified length of time is between 60 and 4294967295 seconds or infinity if the infinite keyword is specified.
Examples
The following example configures an IAPD for a specified client:
prefix-delegation 2001:0DB8::/64 00030001000BBFAA2408
Related Commands
prefix-delegation aaa
To specify that prefixes are to be acquired from authentication, authorization, and accounting (AAA) servers, use the prefix-delegation aaa command in DHCP for IPv6 pool configuration mode. To disable this feature, use the no form of this command.
Cisco IOS Release 12.4(22)T and Earlier Releases and Cisco IOS Release 12.2(18)SXE, Cisco IOS XE Release 2.1, and Later Releases
prefix-delegation aaa [method-list method-list [lifetime] {{valid-lifetime | infinite} {valid-lifetime | infinite} | at {date month year time | month date year time} {date month year time | month date year time}}]
no prefix-delegation aaa method-list method-list
Cisco IOS Release 15.0(1)M and Later Releases
prefix-delegation aaa method-list {method-list | default} [lifetime {valid-lifetime | infinite} {preferred-lifetime | infinite} | at {date month year time | month date year time} {date month year time | month date year time}]
no prefix-delegation aaa method-list method-list
Syntax Description
Command Default
The default time that the prefix remains valid is 2592000 seconds, and the default time that the prefix remains preferred for the requesting router to use is 604800 seconds.
Command Modes
DHCP for IPv6 pool configuration (config-dhcpv6)
Command History
Usage Guidelines
In order for the Dynamic Host Configuration Protocol (DHCP) for IPv6 server to obtain prefixes from RADIUS servers, you must also configure the AAA client and Point-to-Point Protocol (PPP) on the router. For information on how to configure the AAA client and PPP, see the "Implementing ADSL and Deploying Dial Access for IPv6" module.
Use the aaa authorization configuration default, aaa group server radius, and radius-server host commands to specify a named list of authorization methods and the RADIUS servers to contact to acquire prefixes, and then apply that named list to the prefix-delegation aaa command.
Valid and preferred lifetimes can be specified for the prefixes assigned from AAA servers.
The prefix-delegation aaa and prefix-delegation pool commands are mutually exclusive in a pool.
Examples
The following example shows how to specify the use of a method list named list1:
Router> enable
Router# configure terminal
Router(config)# ipv6 dhcp pool name
Router(config-dhcpv6)# prefix-delegation aaa method-list list1
Related Commands
prefix-delegation pool
To specify a named IPv6 local prefix pool from which prefixes are delegated to Dynamic Host Configuration Protocol (DHCP) for IPv6 clients, use the prefix-delegation pool command in DHCP for IPv6 pool configuration mode. To remove a named IPv6 local prefix pool, use the no form of this command.
prefix-delegation pool poolname [lifetime {valid-lifetime preferred-lifetime}]
no prefix-delegation pool poolname
Syntax Description
Command Default
No IPv6 local prefix pool is specified.
Valid lifetime is 2592000 seconds (30 days).
Preferred lifetime is 604800 seconds (7 days).
Command Modes
DHCP for IPv6 pool configuration
Command History
| Release | Modification |
|---|---|
| 12.3(4)T | This command was introduced. |
Usage Guidelines
The prefix-delegation pool command specifies a named IPv6 local prefix pool from which prefixes are delegated to clients. Use the ipv6 local pool command to configure the named IPv6 prefix pool.
Optionally, valid and preferred lifetimes can be specified for the prefixes assigned from this pool. Users should coordinate the specified lifetimes with the lifetimes on prefixes from the upstream delegating router if the prefixes were acquired from that router.
The lifetime keyword can be specified in one of two ways:
•A fixed duration that stays the same in consecutive advertisements.
•Absolute expiration time in the future so that advertised lifetime decrements in real time, which will result in a lifetime of 0 at the specified time in the future.
The specified length of time is from 60 to 4,294,967,295 seconds or infinity if the infinite keyword is specified.
The Cisco IOS DHCP for IPv6 server can assign prefixes dynamically from an IPv6 local prefix pool, which is configured using the ipv6 local pool command and associated with a DHCP for IPv6 configuration pool using the prefix-delegation pool command. When the server receives a prefix request from a client, it attempts to obtain unassigned prefixes, if any, from the pool.
After the client releases the previously assigned prefixes, the server will return the prefixes to the pool for reassignment to other clients.
Examples
The following example specifies that prefix requests should be satisfied from the pool called client-prefix-pool. The prefixes should be delegated with the valid lifetime set to 1800 seconds, and the preferred lifetime is set to 600 seconds:
prefix-delegation pool client-prefix-pool lifetime 1800 600
Related Commands
process-min-time percent
Note Effective with Cisco IOS 15.1(1)T release, the process-min-time percent command is not available in Cisco IOS 15.1(1)T and later releases. Improvements in Cisco IOS scheduler have made this command unnecessary.
To specify the minimum percentage of CPU process time OSPF takes before the CPU should yield to a process with a higher priority, use the process-min-time percent command in router configuration mode. To disable this function, use the no form of this command.
process-min-time percent percentage
no process-min-time percent
Syntax Description
| percentage | Percentage of CPU process time to be used before trying to release the CPU for other processes. The valid value range is from 1 to 100. The default is 25. |
Command Default
The default is 25 percent.
Command Modes
Router configuration (config-router)
Command History
Usage Guidelines
Note Use this command under the direction of Cisco TAC only.
This command is supported by OSPFv2 and OSPFv3.
Use the process-min-time percent command to configure the minimum percentage of the process maximum time. Lowering the minimum percentage of CPU usage that a process can utilize is useful in some circumstances to ensure equitable division of CPU resources among different tasks. Once the percentage has been exceeded, CPU control may be given to a higher priority process.
The process maximum time is set using the process-max-time command. Use the process-min-time percent command in conjunction with the process-max-time command.
Examples
The following example shows how to set the percentage of CPU process time to be used before releasing the CPU:
Router# configure terminal
Router(config)# router ospf
Router(config-router)# process-min-time percent 35
The following example shows how to return to the default setting in IPv4:
Router# configure terminal
Router(config)# router ospf
Router(config-router)# no process-min-time percent
Related Commands
| Command | Description |
|---|---|
| process-max-time | Configures the amount of time after which a process should voluntarily yield to another process. |
protocol ipv6 (ATM)
To map the IPv6 address of a remote node to the ATM permanent virtual circuit (PVC) used to reach the address, use the protocol ipv6 command in ATM VC configuration mode. To remove the static map, use the no form of this command.
protocol ipv6 ipv6-address [[no] broadcast]
no protocol ipv6 ipv6-address [[no] broadcast]
Syntax Description
Command Default
No mapping is defined.
Command Modes
ATM VC configuration (for an ATM PVC)
Command History
Examples
In the following example, two nodes named Cisco 1 and Cisco 2 are connected by a single PVC. The point-to-point subinterface ATM0.132 is used on both nodes to terminate the PVC; therefore, the mapping between the IPv6 addresses of both nodes and the PVC is implicit (no additional mappings are required).
Cisco 1 Configuration
interface ATM0
 no ip address
!
interface ATM0.132 point-to-point
 pvc 1/32
  encapsulation aal5snap
 !
 ipv6 address 2001:0DB8:2222::72/32
Cisco 2 Configuration
interface ATM0
 no ip address
!
interface ATM0.132 point-to-point
 pvc 1/32
  encapsulation aal5snap
 !
 ipv6 address 2001:0DB8:2222::45/32
In the following example, the same two nodes (Cisco 1 and Cisco 2) from the previous example are connected by the same PVC. In this example, however, the point-to-multipoint interface ATM0 is used on both nodes to terminate the PVC; therefore, explicit mappings are required between the link-local and global IPv6 addresses of interface ATM0 on both nodes and the PVC. Additionally, ATM pseudobroadcasts are enabled on the link-local address of interface ATM0 on both nodes.
Cisco 1 Configuration
interface ATM0
 no ip address
 pvc 1/32
  protocol ipv6 2001:0DB8:2222::45
  protocol ipv6 FE80::60:2FA4:8291:2 broadcast
  encapsulation aal5snap
 !
 ipv6 address 2001:0DB8:2222::72/32
Cisco 2 Configuration
interface ATM0
 no ip address
 pvc 1/32
  protocol ipv6 FE80::60:3E47:AC8:C broadcast
  protocol ipv6 2001:0DB8:2222::72
  encapsulation aal5snap
 !
 ipv6 address 2001:0DB8:2222::45/32
Related Commands
| Command | Description |
|---|---|
| show atm map | Displays the list of all configured ATM static maps to remote hosts on an ATM network and on ATM bundle maps. |
protocol mode
To configure the Cisco IOS Session Initiation Protocol (SIP) stack, use the protocol mode command in SIP user-agent configuration mode. To disable the configuration, use the no form of this command.
protocol mode {ipv4 | ipv6 | dual-stack [preference {ipv4 | ipv6}]}
no protocol mode
Syntax Description
Command Default
No protocol mode is configured.
The Cisco IOS SIP stack operates in IPv4 mode when the no protocol mode or protocol mode ipv4 command is configured.
Command Modes
SIP user-agent configuration (config-sip-ua)
Command History
| Release | Modification |
|---|---|
| 12.4(22)T | This command was introduced. |
| 15.1(1)T | This command was integrated into Cisco IOS Release 15.1(1)T. |
Usage Guidelines
The protocol mode command is used to configure the Cisco IOS SIP stack in IPv4-only, IPv6-only, or dual-stack mode. For dual-stack mode, the user can (optionally) configure the preferred family, IPv4 or IPv6.
For a particular mode (for example, IPv6-only), the user can configure any address (for example, both IPv4 and IPv6 addresses) and the system will not hide or restrict any commands on the router. SIP chooses the right address for communication based on the configured mode on a per-call basis.
For example, if the domain name system (DNS) reply has both IPv4 and IPv6 addresses and the configured mode is IPv6-only (or IPv4-only), the system discards all IPv4 (or IPv6) addresses and tries the IPv6 (or IPv4) addresses in the order they were received in the DNS reply. If the configured mode is dual-stack, the system first tries the addresses of the preferred family in the order they were received in the DNS reply. If all of the addresses fail, the system tries addresses of the other family.
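The address selection described above can be modeled as follows. This is an added example, not Cisco code: the function names and the DNS reply are constructed, and the preferred family must be passed explicitly for dual-stack because the page does not state a default preference.

```python
import ipaddress

# Constructed DNS reply, in the order the records were received.
DNS_REPLY = ["2001:db8::1", "192.0.2.10", "2001:db8::2", "198.51.100.7"]


def order_sip_targets(dns_addresses, mode=None, preference=None):
    """Return the addresses to try for one call, in order.

    mode is "ipv4", "ipv6", "dual-stack" or None. None models "no protocol
    mode", which the page says operates as IPv4. The order within a family is
    always the order of the DNS reply.
    """
    v4 = [a for a in dns_addresses if ipaddress.ip_address(a).version == 4]
    v6 = [a for a in dns_addresses if ipaddress.ip_address(a).version == 6]
    if mode in (None, "ipv4"):
        return v4  # IPv6 answers are discarded
    if mode == "ipv6":
        return v6  # IPv4 answers are discarded
    if mode == "dual-stack":
        if preference == "ipv4":
            return v4 + v6
        if preference == "ipv6":
            return v6 + v4
        raise ValueError("dual-stack needs preference 'ipv4' or 'ipv6' in this model")
    raise ValueError("unknown protocol mode: %r" % (mode,))


def first_reachable(dns_addresses, reachable, mode=None, preference=None):
    """Try each candidate in order; return (chosen address or None, attempts made).

    reachable is the set of addresses that answer, standing in for real
    connection attempts.
    """
    attempts = []
    for address in order_sip_targets(dns_addresses, mode, preference):
        attempts.append(address)
        if address in reachable:
            return address, attempts
    return None, attempts


if __name__ == "__main__":
    # Dual-stack falls back to the other family after the preferred one fails.
    print(first_reachable(DNS_REPLY, {"2001:db8::2"}, "dual-stack", "ipv4"))
    # A single-family mode never falls back, even if the other family answers.
    print(first_reachable(DNS_REPLY, {"192.0.2.10"}, "ipv6"))
```

The second call shows the operational consequence of a single-family mode: the call fails although a usable address of the other family was in the DNS reply.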
Examples
The following example configures dual-stack as the protocol mode:
Router(config-sip-ua)# protocol mode dual-stack
The following example configures IPv6 only as the protocol mode:
Router(config-sip-ua)# protocol mode ipv6
The following example configures IPv4 only as the protocol mode:
Router(config-sip-ua)# protocol mode ipv4
The following example configures no protocol mode:
Router(config-sip-ua)# no protocol mode
Related Commands
| Command | Description |
|---|---|
| sip ua | Enters SIP user-agent configuration mode. |
queue-depth (OSPFv3)
To configure the number of incoming packets that the IPv4 Open Shortest Path First version 3 (OSPFv3) process can keep in its queue, use the queue-depth command in OSPFv3 router configuration mode. To set the queue depth to its default value, use the no form of the command.
queue-depth {hello | update} {queue-size | unlimited}
no queue-depth {hello | update}
Syntax Description
Command Default
If you do not set a queue size, the OSPFv3 hello process queue depth is unlimited and the OSPFv3 router process (update) queue depth is 200 packets.
Command Modes
OSPFv3 router configuration mode (config-router)
Command History
Usage Guidelines
All incoming OSPFv3 packets are initially enqueued in the hello queue. OSPFv3 hello packets are processed directly from this queue, while all other OSPFv3 packet types are subsequently enqueued in the update queue.
If you configure a router with many neighbors and a large database, use the queue-depth command to adjust the size of the hello and router queues. Otherwise, packets might be dropped because of queue limits, and OSPFv3 adjacencies may be lost.
Examples
The following example shows how to configure the OSPFv3 update queue to 1500 packets:
Router(config)# router ospfv3 1
Router(config-router)# queue-depth update 1500
Related Commands
| Command | Description |
|---|---|
| router ospfv3 | Enables OSPFv3 router configuration mode for the IPv4 or IPv6 address family. |
radius-server attribute list
To define an accept or reject list name, use the radius-server attribute list command in global configuration mode. To remove an accept or reject list name from your configuration, use the no form of this command.
radius-server attribute list list-name
no radius-server attribute list list-name
Syntax Description
| list-name | Name for an accept or reject list. |
Command Default
List names are not defined.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
A user may configure an accept or reject list with a selection of attributes on the network access server (NAS) for authorization or accounting so unwanted attributes are not accepted and processed. The radius-server attribute list command allows users to specify a name for an accept or reject list. This command is used in conjunction with the attribute (server-group configuration) command, which adds attributes to an accept or reject list.
Note The list name must be the same as the list name defined in the accounting or authorization configuration command.
Examples
The following example shows how to configure the reject list "bad-list" for RADIUS authorization and accept list "usage-only" for RADIUS accounting:
Router(config)# aaa new-model
Router(config)# aaa authentication ppp default group radius-sg
Router(config)# aaa authorization network default group radius-sg
Router(config)# aaa group server radius radius-sg
Router(config-sg-radius)# server 10.1.1.1
Router(config-sg-radius)# authorization reject bad-list
Router(config-sg-radius)# accounting accept usage-only
Router(config-sg-radius)# exit
Router(config)# radius-server host 10.1.1.1 key mykey1
Router(config)# radius-server attribute list usage-only
Router(config-radius-attrl)# attribute 1,40,42-43,46
Router(config-radius-attrl)# exit
Router(config)# radius-server attribute list bad-list
Router(config-radius-attrl)# attribute 22,27-28,56-59
Note Although you cannot configure more than one accept or reject list per server group for authorization or accounting, you can configure one list for authorization and one list for accounting per server group.
Related Commands
radius-server host
To specify a RADIUS server host, use the radius-server host command in global configuration mode. To delete the specified RADIUS host, use the no form of this command.
Cisco IOS Releases 12.2SB and 12.2SR
radius-server host {hostname | ip-address} [test username user-name] [auth-port port-number] [ignore-auth-port] [acct-port port-number] [ignore-acct-port] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] [idle-time minutes] [backoff exponential {backoff-retry number-of-retransmits | max-delay minutes}] [key encryption-key]
no radius-server host {hostname | ip-address}
All Other Releases
radius-server host {hostname | ip-address} [auth-port port-number] [acct-port port-number] [timeout seconds] [retransmit retries] [key string] [alias {hostname | ip-address}] [backoff exponential {backoff-retry number-of-retransmits | max-delay minutes}] [pac [key encryption-key] | key encryption-key]
no radius-server host {hostname | ip-address}
Syntax Description
Defaults
No RADIUS host is specified; use global radius-server command values.
RADIUS server load balancing automated testing is disabled by default.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
You can use multiple radius-server host commands to specify multiple hosts. The software searches for hosts in the order in which you specify them.
You can specify the keywords of the radius-server host command in any order. However, the pac keyword always precedes the key encryption-key keyword.
If you do not specify the port number for authentication requests for both the acct-port and the auth-port keywords, the port number defaults to 1645.
If no host-specific timeout, retransmit, or key values are specified, the global values apply to each host.
We recommend the use of a test user who is not defined on the RADIUS server for the automated testing of the RADIUS server. This is to protect against security issues that can arise if the test user is not configured correctly.
If you configure one RADIUS server with the nonstandard option and another RADIUS server without the nonstandard option, the RADIUS-server host with the nonstandard option does not accept a predefined host. If you configure the same RADIUS server host IP address for a different UDP destination port for accounting requests using the acct-port keyword and a UDP destination port for authentication requests using the auth-port keyword with and without the nonstandard option, the RADIUS server does not accept the nonstandard option.
Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.
To use separate servers for accounting and authentication, use the zero port value as appropriate.
RADIUS Server Automated Testing (for Cisco IOS Release 12.2(28)SB)
When you use the radius-server host command to enable automated testing for RADIUS server load balancing:
•The authentication port is enabled by default. If the port number is not specified, the default port of 1645 is used. To disable the authentication port, specify the ignore-auth-port keyword.
•The accounting port is enabled by default. If the port number is not specified, the default port of 1645 is used. To disable the accounting port, specify the ignore-acct-port keyword.
Examples
Releases Other than Cisco IOS Release 12.2(28)SB
The following example specifies host1 as the RADIUS server and uses default ports for both accounting and authentication:
radius-server host host1
The following example specifies port 1612 as the destination port for authentication requests and port 1616 as the destination port for accounting requests on the RADIUS host named host1:
radius-server host host1 auth-port 1612 acct-port 1616
Because entering a line resets all the port numbers, you must specify a host and configure accounting and authentication ports on a single line.
The following example specifies the host with IP address 192.0.2.46 as the RADIUS server, uses ports 1612 and 1616 as the authorization and accounting ports, sets the timeout value to 6, sets the retransmit value to 5, and sets "rad123" as the encryption key, matching the key on the RADIUS server:
radius-server host 192.0.2.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123
To use separate servers for accounting and authentication, use the zero port value as appropriate.
The following example specifies that RADIUS server host1 be used for accounting but not for authentication, and that RADIUS server host2 be used for authentication but not for accounting:
radius-server host host1.example.com auth-port 0
radius-server host host2.example.com acct-port 0
The following example specifies four aliases on the RADIUS server with IP address 192.0.2.1:
radius-server host 192.0.2.1 auth-port 1646 acct-port 1645
radius-server host 192.0.2.1 alias 192.0.2.2 192.0.2.3 192.0.2.4
The following example shows how to enable exponential backoff retransmits on a per-server basis. In this example, assume that the retransmit is configured for three retries and the timeout is configured for 5 seconds; that is, the RADIUS request will be transmitted three times with a delay of 5 seconds. Thereafter, the router will continue to retransmit RADIUS requests with a delayed interval that doubles each time until 32 retries have been achieved. The router will stop doubling the retransmit intervals after the interval surpasses the configured 60 minutes; it will transmit every 60 minutes.
The pac keyword allows the PAC-Opaque, which is a variable length field, to be sent to the server during the Transport Layer Security (TLS) tunnel establishment phase. The PAC-Opaque can be interpreted only by the server to recover the required information for the server to validate the peer's identity and authentication. For example, the PAC-Opaque may include the PAC-Key and the PAC's peer identity. The PAC-Opaque format and contents are specific to the issuing PAC server.
The following example configures automatic PAC provisioning on a router. In seed devices, also known as core switches, the PAC-Opaque has to be provisioned so that all RADIUS exchanges can use this PAC-Opaque to enable automatic PAC provisioning for the server being used. All nonseed devices obtain the PAC-Opaque during the authentication phase of a link initialization.
enable
configure terminal
radius-server host 10.0.0.1 auth-port 1812 acct-port 1813 pac
Cisco IOS Release 12.2(28)SB
The following example shows how to enable RADIUS server automated testing for load balancing with the authorization and accounting ports specified:
radius-server host 192.0.2.176 test username test1 auth-port 1645 acct-port 1646
Related Commands
radius-server key
To set the authentication and encryption key for all RADIUS communications between the router and the RADIUS daemon, use the radius-server key command in global configuration mode. To disable the key, use the no form of this command.
radius-server key {0 string | 7 string} string
no radius-server key
Syntax Description
Command Default
The authentication and encryption key is disabled.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
After enabling authentication, authorization, and accounting (AAA) authentication with the aaa new-model command, you must set the authentication and encryption key using the radius-server key command.
Note Specify a RADIUS key after you issue the aaa new-model command.
The key entered must match the key used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.
Examples
The following example sets the authentication and encryption key to "key1":
Router(config)# radius-server key key1
The following example sets the authentication and encryption key to "anykey." The 7 specifies that a hidden key will follow.
service password-encryption
radius-server key 7 anykey
After you save your configuration and use the show running-config command, an encrypted key will be displayed as follows:
Router# show running-config
!
!
radius-server key 7 19283103834782sda
! The leading 7 indicates that the following text is encrypted.
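The stored key forms shown for pre-shared-key and radius-server key (no type, type 6, type 7) can be checked across a saved configuration. The audit below is an added example, not Cisco code: the sample configuration is constructed from lines on this page, and rating type 7 as weaker than type 6 is the example's own assumption.

```python
import re

# Constructed sample running-config; each line reuses a form shown on this page.
SAMPLE_CONFIG = """\
crypto keyring vpnkeyring
 pre-shared-key address 10.72.23.11 key vpnkey
 pre-shared-key address 10.1.0.1 key 6 RHZE[JACMUI\\bcbTdELISAAB
radius-server host 192.0.2.46 auth-port 1612 acct-port 1616 timeout 6 retransmit 5 key rad123
radius-server host host1 auth-port 1612 acct-port 1616
radius-server key 7 19283103834782sda
"""

# Commands from this page whose "key" keyword is followed by a shared secret.
PER_PEER = re.compile(r"^\s*(?P<cmd>pre-shared-key|radius-server host)\s.*?\skey (?P<rest>.+)$")
GLOBAL = re.compile(r"^\s*(?P<cmd>radius-server key) (?P<rest>.+)$")
# A leading 0, 6 or 7 followed by more text is an encoding type, not the key.
TYPED = re.compile(r"^(?P<type>[067]) (?P<secret>\S.*)$")

# Review verdict per stored form. Treating type 7 as weak is this example's
# assumption (it is a reversible obfuscation); the page only calls it encrypted.
VERDICTS = {
    None: ("plaintext", "fail"),
    "0": ("plaintext", "fail"),
    "7": ("type 7", "warn"),
    "6": ("type 6", "ok"),
}


def audit_key_storage(config_text):
    """Return (line_no, command, storage, verdict) for every key-bearing line.

    The secret itself is never returned, so findings can be logged or ticketed.
    """
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        match = PER_PEER.match(line) or GLOBAL.match(line)
        if not match:
            continue  # no secret here (for example, a host that uses the global key)
        typed = TYPED.match(match.group("rest"))
        key_type = typed.group("type") if typed else None
        storage, verdict = VERDICTS[key_type]
        findings.append((line_no, match.group("cmd"), storage, verdict))
    return findings


def needs_attention(config_text):
    """Line numbers whose secret is stored in a form that should be changed."""
    return [n for n, _, _, verdict in audit_key_storage(config_text) if verdict != "ok"]


if __name__ == "__main__":
    for finding in audit_key_storage(SAMPLE_CONFIG):
        print("line %d: %-18s %-9s %s" % finding)
```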
Related Commands
radius-server retransmit
To specify the number of times the Cisco IOS software searches the list of RADIUS server hosts before giving up, use the radius-server retransmit command in global configuration mode. To disable retransmission, use the no form of this command.
radius-server retransmit retries
no radius-server retransmit
Syntax Description
| retries | Maximum number of retransmission attempts. The range is 0 to 100. |
Command Default
The default number of retransmission attempts is 3.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The Cisco IOS software tries all servers, allowing each one to time out before increasing the retransmit count.
If the RADIUS server is only a few hops from the router, we recommend that you configure the RADIUS server retransmit rate to 5.
Examples
The following example shows how to specify a retransmit counter value of five times:
Router(config)# radius-server retransmit 5
Related Commands
radius-server vsa send
To configure the network access server (NAS) to recognize and use vendor-specific attributes (VSAs), use the radius-server vsa send command in global configuration mode. To restore the default, use the no form of this command.
radius-server vsa send [accounting | authentication | cisco-nas-port] [3gpp2]
no radius-server vsa send [accounting | authentication | cisco-nas-port] [3gpp2]
Syntax Description
Command Default
NAS is not configured to recognize and use VSAs.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
The IETF draft standard specifies a method for communicating vendor-specific information between the NAS and the RADIUS server by using the VSA (attribute 26). VSAs allow vendors to support their own extended attributes not suitable for general use. The radius-server vsa send command enables the NAS to recognize and use both accounting and authentication VSAs. Use the accounting keyword with the radius-server vsa send command to limit the set of recognized VSAs to accounting attributes only. Use the authentication keyword with the radius-server vsa send command to limit the set of recognized VSAs to authentication attributes only.
The Cisco RADIUS implementation supports one vendor-specific option using the format recommended in the specification. The Cisco vendor ID is 9, and the supported option has vendor-type 1, which is named "cisco-avpair." The value is a string with the following format:
protocol : attribute sep value *
In the preceding example, "protocol" is a value of the Cisco "protocol" attribute for a particular type of authorization; "attribute" and "value" are an appropriate attribute-value (AV) pair defined in the Cisco TACACS+ specification; and "sep" is "=" for mandatory attributes and "*" for optional attributes. This solution allows the full set of features available for TACACS+ authorization to also be used for RADIUS.
For example, the following AV pair causes the Cisco "multiple named ip address pools" feature to be activated during IP authorization (during the PPP Internet Protocol Control Protocol (IPCP) address assignment):
cisco-avpair= "ip:addr-pool=first"
The following example causes a "NAS Prompt" user to have immediate access to EXEC commands.
cisco-avpair= "shell:priv-lvl=15"
Other vendors have their own unique vendor IDs, options, and associated VSAs. For more information about vendor IDs and VSAs, see RFC 2138, Remote Authentication Dial-In User Service (RADIUS).
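The cisco-avpair string format described above can be parsed and reviewed as shown here. This is an added example, not Cisco code: the profile lines are constructed in the form shown on this page, and flagging shell:priv-lvl values at or above 15 is an assumed review threshold.

```python
import re
from dataclasses import dataclass

# Constructed RADIUS user-profile lines in the form shown on this page.
SAMPLE_PROFILE = [
    'cisco-avpair= "ip:addr-pool=first"',
    'cisco-avpair= "shell:priv-lvl=15"',
    'cisco-avpair= "shell:priv-lvl*1"',
    'cisco-avpair= "priv-lvl 15"',
]

# Optional wrapper as written in a users file: cisco-avpair= "..."
WRAPPER = re.compile(r'^\s*cisco-avpair\s*=\s*"(?P<body>.*)"\s*,?\s*$', re.IGNORECASE)
# protocol : attribute sep value, where sep is "=" (mandatory) or "*" (optional).
BODY = re.compile(
    r"^(?P<protocol>[^:=*\s]+):(?P<attribute>[^:=*\s]+)(?P<sep>[=*])(?P<value>.*)$"
)


@dataclass(frozen=True)
class AvPair:
    protocol: str
    attribute: str
    mandatory: bool  # True for "=", False for "*"
    value: str


def parse_avpair(text):
    """Parse one AV pair, with or without the cisco-avpair= "..." wrapper."""
    wrapped = WRAPPER.match(text)
    body = wrapped.group("body") if wrapped else text.strip()
    match = BODY.match(body)
    if match is None:
        raise ValueError("not in protocol:attribute<sep>value form: %r" % body)
    return AvPair(
        match.group("protocol"),
        match.group("attribute"),
        match.group("sep") == "=",
        match.group("value"),  # may itself contain "=", "*" or ":"
    )


def review_profile(lines, exec_level=15):
    """Return (line_no, finding) for pairs a reviewer should look at.

    "privileged-exec": shell:priv-lvl at or above exec_level (assumed threshold).
    "malformed": the line does not parse, so its effect on the NAS is unclear.
    """
    findings = []
    for line_no, line in enumerate(lines, start=1):
        try:
            pair = parse_avpair(line)
        except ValueError:
            findings.append((line_no, "malformed"))
            continue
        if (pair.protocol, pair.attribute) == ("shell", "priv-lvl"):
            if not pair.value.isdecimal():
                findings.append((line_no, "malformed"))
            elif int(pair.value) >= exec_level:
                findings.append((line_no, "privileged-exec"))
    return findings


if __name__ == "__main__":
    for line_no, finding in review_profile(SAMPLE_PROFILE):
        print("line %d: %s" % (line_no, finding))
```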
Examples
The following example shows how to configure the NAS to recognize and use vendor-specific accounting attributes:
Router(config)# radius-server vsa send accounting
Related Commands
| Command | Description |
|---|---|
| aaa nas port extended | Replaces the NAS-Port attribute with RADIUS IETF attribute 26 and displays extended field information. |
rd
To specify a route distinguisher (RD) for a VPN routing and forwarding (VRF) instance, use the rd command in VRF configuration mode. To remove a route distinguisher, use the no form of this command.
rd route-distinguisher
no rd route-distinguisher
Syntax Description
| route-distinguisher | An 8-byte value to be added to an IPv4 prefix to create a VPN IPv4 prefix. |
Command Default
No RD is specified.
Command Modes
VRF configuration (config-vrf)
Command History
Usage Guidelines
An RD creates routing and forwarding tables and specifies the default route distinguisher for a VPN. The RD is added to the beginning of the customer's IPv4 prefixes to change them into globally unique VPN-IPv4 prefixes.
An RD is either:
•ASN-related—Composed of an autonomous system number and an arbitrary number.
•IP-address-related—Composed of an IP address and an arbitrary number.
You can enter an RD in either of these formats:
16-bit autonomous-system-number:your 32-bit number
For example, 101:3.
32-bit IP address:your 16-bit number
For example, 192.168.122.15:1.
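The two RD formats above map onto the 8-byte value as shown in this added example, which is not Cisco code. The byte layout (a 2-byte type field followed by the two parts) is taken from RFC 4364, which this page does not cite, and the function names and VRF table are constructed.

```python
import ipaddress
import struct


def encode_rd(text):
    """Encode an RD written in either format on this page into 8 bytes.

    Type 0: 16-bit autonomous system number, then a 32-bit number.
    Type 1: 32-bit IPv4 address, then a 16-bit number.
    """
    admin, sep, assigned = text.strip().rpartition(":")
    if not sep or not assigned.isdecimal():
        raise ValueError("expected <asn>:<number> or <ip-address>:<number>: %r" % text)
    number = int(assigned)
    if "." in admin:
        address = ipaddress.IPv4Address(admin)  # raises ValueError if not a valid address
        if number > 0xFFFF:
            raise ValueError("number after an IP address must fit in 16 bits")
        return struct.pack("!H4sH", 1, address.packed, number)
    if not admin.isdecimal():
        raise ValueError("autonomous system number must be numeric: %r" % admin)
    asn = int(admin)
    if asn > 0xFFFF:
        raise ValueError("autonomous system number must fit in 16 bits in this format")
    if number > 0xFFFFFFFF:
        raise ValueError("number after an ASN must fit in 32 bits")
    return struct.pack("!HHI", 0, asn, number)


def vpn_ipv4_prefix(rd_text, prefix):
    """Prepend the RD to a customer IPv4 prefix: (12-byte address, prefix length)."""
    network = ipaddress.IPv4Network(prefix)
    return encode_rd(rd_text) + network.network_address.packed, network.prefixlen


def find_rd_collisions(vrf_rds):
    """Map each encoded RD used by more than one VRF to the VRFs that share it.

    Comparison is on the encoded bytes, so different spellings of the same RD
    (for example 100:3 and 0100:3) are caught.
    """
    by_rd = {}
    for vrf_name, rd_text in vrf_rds.items():
        by_rd.setdefault(encode_rd(rd_text).hex(), []).append(vrf_name)
    return {rd: names for rd, names in by_rd.items() if len(names) > 1}


if __name__ == "__main__":
    for rd in ("101:3", "192.168.122.15:1"):
        print(rd, "->", encode_rd(rd).hex())
    # The same customer prefix stays distinct under two different RDs.
    print(vpn_ipv4_prefix("100:3", "10.0.0.0/8")[0].hex())
    print(vpn_ipv4_prefix("10.13.0.12:200", "10.0.0.0/8")[0].hex())
    # Constructed VRF table; vrf3 reuses the RD of vrf1 under another spelling.
    print(find_rd_collisions({"vrf1": "100:3", "vrf2": "10.13.0.12:200", "vrf3": "0100:3"}))
```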
Examples
The following example shows how to configure a default RD for two VRFs. It illustrates the use of both autonomous-system-number-relative and IP-address-relative RDs:
Router(config)# ip vrf vrf1
Router(config-vrf)# rd 100:3
Router(config-vrf)# exit
Router(config)# ip vrf vrf2
Router(config-vrf)# rd 10.13.0.12:200
The following is an example of a VRF for IPv4 and IPv6 that has common policies defined in the global part of the VRF configuration:
vrf definition vrf2
rd 200:1
route-target both 200:2
!
address-family ipv4
exit-address-family
!
address-family ipv6
exit-address-family
end
Related Commands
redistribute (IPv6)
To redistribute IPv6 routes from one routing domain into another routing domain, use the redistribute command in address family configuration or router configuration mode. To disable redistribution, use the no form of this command.
redistribute source-protocol [process-id] [include-connected {level-1 | level-1-2 | level-2}] [as-number] [metric {metric-value | transparent}] [metric-type type-value] [match {external [1 | 2] | internal | nssa-external [1 | 2]}] [tag tag-value] [route-map map-tag]
no redistribute source-protocol [process-id] [include-connected] {level-1 | level-1-2 | level-2} [as-number] [metric {metric-value | transparent}] [metric-type type-value] [match {external [1 | 2] | internal | nssa-external [1 | 2]}] [tag tag-value] [route-map map-tag]
Syntax Description
Command Default
Route redistribution is disabled.
Command Modes
Address family configuration
Router configuration
Command History
Usage Guidelines
Changing or disabling any keyword will not affect the state of other keywords.
A router receiving an IPv6 IS-IS route with an internal metric will consider the cost of the route from itself to the redistributing router plus the advertised cost to reach the destination. An external metric considers only the advertised metric to reach the destination.
IS-IS will ignore any configured redistribution of routes configured with the include-connected keyword. IS-IS will advertise a prefix on an interface if either IS-IS is running over the interface or the interface is configured as passive.
Routes learned from IPv6 routing protocols can be redistributed into IPv6 IS-IS at Level 1 into an attached area or at Level 2. The level-1-2 keyword allows both Level 1 and Level 2 routes in a single command.
For IPv6 RIP, use the redistribute command to advertise static routes as if they were directly connected routes.
Redistributed IPv6 RIP routing information should always be filtered by the distribute-list prefix-list router configuration command. Use of the distribute-list prefix-list command ensures that only those routes intended by the administrator are passed along to the receiving routing protocol.
Note The metric value specified in the redistribute command for IPv6 RIP supersedes the metric value specified using the default-metric command.
Note In IPv4, if you redistribute a protocol, by default you also redistribute the subnet on the interfaces over which the protocol is running. In IPv6 this is not the default behavior. To redistribute the subnet on the interfaces over which the protocol is running in IPv6, use the include-connected keyword. In IPv6 this functionality is not supported when the source protocol is BGP.
When the no redistribute command is configured, the parameter settings are ignored when the client protocol is IS-IS or EIGRP.
IS-IS redistribution will be removed completely when IS-IS level 1 and level 2 are removed by the user. IS-IS level settings can be configured using the redistribute command only.
The default redistribute type will be restored to OSPF when all route type values are removed by the user.
Examples
The following example configures IPv6 IS-IS to redistribute IPv6 BGP routes. The metric is specified as 5, and the metric type will be set to external, indicating that it has lower priority than internal metrics.
Router(config)# router isis
Router(config-router)# address-family ipv6
Router(config-router-af)# redistribute bgp 64500 metric 5 metric-type external
The following example redistributes IPv6 BGP routes into the IPv6 RIP routing process named cisco:
Router(config)# ipv6 router rip cisco
Router(config-router)# redistribute bgp 42
The following example redistributes IS-IS for IPv6 routes into the OSPF for IPv6 routing process 1:
Router(config)# ipv6 router ospf 1
Router(config-router)# redistribute isis 1 metric 32 metric-type 1 tag 85
In the following example, ospf 1 redistributes the prefixes 2001:1:1::/64 and 2001:99:1::/64 and any prefixes learned through rip 1:
interface ethernet0/0
ipv6 address 2001:1:1::90/64
ipv6 rip 1 enable
interface ethernet1/1
ipv6 address 2001:99:1::90/64
ipv6 rip 1 enable
interface ethernet2/0
ipv6 address 2001:1:2::90/64
ipv6 ospf 1 area 1
ipv6 router ospf 1
redistribute rip 1 include-connected
The following configuration example and output show the no redistribute command parameters when the last route type value is removed:
Router(config-router)# redistribute rip process1 metric 7
Router(config-router)# do show run | include redistribute
redistribute rip process1 metric 7
Router(config-router)# no redistribute rip process1 metric 7
Router(config-router)# do show run | include redistribute
redistribute rip process1
Router(config-router)#
Related Commands
redistribute (OSPFv3)
To redistribute IPv6 and IPv4 routes from one routing domain into another routing domain, use the redistribute command in IPv6 or IPv4 address family configuration mode. To disable redistribution, use the no form of this command.
redistribute source-protocol [process-id] [options]
no redistribute source-protocol [process-id] [options]
Syntax Description
Command Default
Default redistribute type is OSPFv3.
Command Modes
IPv6 address family configuration (config-router-af)
IPv4 address family configuration (config-router-af)
Command History
Usage Guidelines
Changing or disabling any keyword will not affect the state of other keywords.
For the IPv6 address family (AF), the ospf option refers to an OSPFv3 process. For the IPv4 address family, the ospfv3 option specifies an OSPFv3 process, and the ospf option refers to an OSPFv2 process.
A router receiving an IPv6 IS-IS route with an internal metric will consider the cost of the route from itself to the redistributing router plus the advertised cost to reach the destination. An external metric considers only the advertised metric to reach the destination.
IS-IS will ignore any configured redistribution of routes configured with the include-connected keyword. IS-IS will advertise a prefix on an interface if either IS-IS is running over the interface or the interface is configured as passive.
Routes learned from IPv6 routing protocols can be redistributed into IPv6 IS-IS at Level 1 into an attached area or at Level 2. The level-1-2 keyword allows both Level 1 and Level 2 routes in a single command.
For IPv6 RIP, use the redistribute command to advertise static routes as if they were directly connected routes.
Redistributed IPv6 RIP routing information should always be filtered by the distribute-list prefix-list router configuration command. Use of the distribute-list prefix-list command ensures that only those routes intended by the administrator are passed along to the receiving routing protocol.
Note The metric value specified in the redistribute command for IPv6 RIP supersedes the metric value specified using the default-metric command.
Note In IPv4, if you redistribute a protocol, by default you also redistribute the subnet on the interfaces over which the protocol is running. In IPv6, this is not the default behavior. To redistribute the subnet on the interfaces over which the protocol is running in IPv6, use the include-connected keyword. In IPv6, this functionality is not supported when the source protocol is BGP.
When the no redistribute command is configured, the parameter settings are ignored when the client protocol is IS-IS or EIGRP.
IS-IS redistribution will be removed completely when IS-IS level 1 and level 2 are removed by the user. IS-IS level settings can be configured using the redistribute command only.
The default redistribute type will be restored to OSPFv3 when all route type values are removed by the user.
Examples
The following example :
Related Commands
| Command | Description |
|---|---|
| router ospfv3 | Enables OSPFv3 router configuration mode for the IPv4 or IPv6 address family. |
redistribute isis (IPv6)
To redistribute IPv6 routes from one routing domain into another routing domain using Intermediate System-to-Intermediate System (IS-IS) as both the target and source protocol, use the redistribute isis command in address family configuration. To disable redistribution, use the no form of this command.
redistribute isis [process-id] {level-1 | level-2} into {level-1 | level-2} distribute-list list-name
no redistribute isis [process-id] {level-1 | level-2} into {level-1 | level-2} distribute-list list-name
Syntax Description
Command Default
Route redistribution is disabled.
process-id: No process ID is defined.
Command Modes
Address family configuration
Command History
Usage Guidelines
Changing or disabling any keyword will not affect the state of other keywords.
A router receiving an IPv6 IS-IS route with an internal metric will consider the cost of the route from itself to the redistributing router plus the advertised cost to reach the destination. An external metric only considers the advertised metric to reach the destination.
IS-IS will ignore any configured redistribution of routes configured with the connected keyword. IS-IS will advertise a prefix on an interface if either IS-IS is running over the interface or the interface is configured as passive.
Routes learned from IPv6 routing protocols can be redistributed into IPv6 IS-IS at Level 1 into an attached area or at Level 2. The level-1-2 keyword allows both Level 1 and Level 2 routes in a single command.
Examples
The following example shows how to redistribute IPv6 routes from level 1 to level 2:
redistribute isis level-1 into level-2
Related Commands
| Command | Description |
|---|---|
| default-metric | Specifies a default metric for redistributed routes. |
| redistribute (IPv6) | Redistributes IPv6 routes from one routing domain into another routing domain. |
register (mobile router)
To control the registration parameters of the IPv6 mobile router, use the register command in mobile router configuration mode or IPv6 mobile router configuration mode. To return the registration parameters to their default settings, use the no form of this command.
register {extend expire seconds retry number interval seconds | lifetime seconds | retransmit initial milliseconds maximum milliseconds retry number}
no register {extend expire seconds retry number interval seconds | lifetime seconds | retransmit initial milliseconds maximum milliseconds retry number}
Syntax Description
Command Default
The registration parameters of the IPv6 mobile router are used.
Command Modes
Mobile router configuration
IPv6 mobile router configuration (IPv6-mobile-router)
Command History
| Release | Modification |
|---|---|
| 12.2(4)T | This command was introduced. |
| 12.4(20)T | Support for IPv6 was added. |
Usage Guidelines
The register lifetime seconds command configures the lifetime that the mobile router requests in a registration request. The home agent also has lifetimes that are set. If the registration request from a mobile router has a greater lifetime than the registration reply from the home agent, the lifetime set on the home agent will be used for the registration. If the registration request lifetime from the mobile router is less than the registration reply from the home agent, the lifetime set on the mobile router will be used. Thus, the smaller lifetime between the home agent and mobile router is used for registration.
Examples
The following example specifies a registration lifetime of 600 seconds:
ip mobile router
address 10.1.1.10 255.255.255.0
home-agent 10.1.1.20
register lifetime 600
Related Commands
registrar
To enable Session Initiation Protocol (SIP) gateways to register E.164 numbers on behalf of analog telephone voice ports (FXS), IP phone virtual voice ports (EFXS), and Skinny Client Control Protocol (SCCP) phones with an external SIP proxy or SIP registrar, use the registrar command in SIP UA configuration mode. To disable registration of E.164 numbers, use the no form of this command.
registrar {dhcp | [registrar-index] registrar-server-address [:port]} [auth-realm realm] [expires seconds] [random-contact] [refresh-ratio ratio-percentage] [scheme {sip | sips}] [tcp] [type] [secondary]
no registrar [registrar-index | secondary]
Syntax Description
Command Default
Registration is disabled.
Command Modes
SIP UA configuration (config-sip-ua)
Command History
Usage Guidelines
Use the registrar dhcp or registrar registrar-server-address command to enable the gateway to register E.164 telephone numbers with primary and secondary external SIP registrars. In Cisco IOS Release 15.0(1)XA and later releases, endpoints on Cisco IOS SIP time-division multiplexing (TDM) gateways, Cisco Unified Border Elements (Cisco UBEs), and Cisco Unified Communications Manager Express (Cisco Unified CME) can be registered to multiple registrars using the registrar registrar-index command.
By default, Cisco IOS SIP gateways do not generate SIP register messages.
Note When entering an IPv6 address, you must include square brackets around the address value.
Examples
The following example shows how to configure registration with a primary and secondary registrar:
Router> enable
Router# configure terminal
Router(config)# sip-ua
Router(config-sip-ua)# retry invite 3
Router(config-sip-ua)# retry register 3
Router(config-sip-ua)# timers register 150
Router(config-sip-ua)# registrar ipv4:209.165.201.1 expires 14400 secondary
The following example shows how to configure a device to register with the SIP server address received from the DHCP server. The dhcp keyword is available only for configuration by the primary registrar and cannot be used if configuring multiple registrars.
Router> enable
Router# configure terminal
Router(config)# sip-ua
Router(config-sip-ua)# registrar dhcp expires 14400
The following example shows how to configure a primary registrar using an IP address with TCP:
Router> enable
Router# configure terminal
Router(config)# sip-ua
Router(config-sip-ua)# retry invite 3
Router(config-sip-ua)# retry register 3
Router(config-sip-ua)# timers register 150
Router(config-sip-ua)# registrar ipv4:209.165.201.3 tcp
The following example shows how to configure a URL scheme with SIP security:
Router> enable
Router# configure terminal
Router(config)# sip-ua
Router(config-sip-ua)# retry invite 3
Router(config-sip-ua)# retry register 3
Router(config-sip-ua)# timers register 150
Router(config-sip-ua)# registrar ipv4:209.165.201.7 scheme sips
The following example shows how to configure a secondary registrar using an IPv6 address:
Router> enable
Router# configure terminal
Router(config)# sip-ua
Router(config-sip-ua)# registrar ipv6:[3FFE:501:FFFF:5:20F:F7FF:FE0B:2972] expires 14400 secondary
The following example shows how to configure all POTS endpoints to two registrars using DNS addresses:
Router> enable
Router# configure terminal
Router(config)# sip-ua
Router(config-sip-ua)# registrar 1 dns:example1.com expires 180
Router(config-sip-ua)# registrar 2 dns:example2.com expires 360
The following example shows how to configure the realm for preloaded authorization using the registrar server address:
Router> enable
Router# configure terminal
Router(config)# sip-ua
Router(config-sip-ua)# registrar 2 192.168.140.3:8080 auth-realm example.com expires 180
Related Commands
remark (IPv6)
To write a helpful comment (remark) for an entry in an IPv6 access list, use the remark command in IPv6 access list configuration mode. To remove the remark, use the no form of this command.
remark text-string
no remark text-string
Syntax Description
text-string |
Comment that describes the access list entry, up to 100 characters long. |
Command Default
IPv6 access list entries have no remarks.
Command Modes
IPv6 access list configuration
Command History
Usage Guidelines
The remark (IPv6) command is similar to the remark (IP) command, except that it is IPv6-specific.
The remark can be up to 100 characters long; anything longer is truncated.
Examples
The following example configures a remark for the IPv6 access list named TELNETTING. The remark is specific to not letting the Marketing subnet use outbound Telnet.
ipv6 access-list TELNETTING
remark Do not allow Marketing subnet to telnet out
deny tcp 2001:0DB8:0300:0201::/64 any eq telnet
Related Commands
| Command | Description |
|---|---|
| ipv6 access-list | Defines an IPv6 access list and enters IPv6 access list configuration mode. |
| show ipv6 access-list | Displays the contents of all current IPv6 access lists. |
retry register
To set the total number of Session Initiation Protocol (SIP) register messages that the gateway should send, use the retry register command in SIP user-agent configuration mode. To reset this number to the default, use the no form of this command.
retry register retries [exhausted-random-interval minimum minutes maximum minutes]
no retry register
Syntax Description
Command Default
The gateway sends ten retries.
Command Modes
SIP UA configuration
Command History
Usage Guidelines
Use the default number of 10 when possible. Lower values such as 1 can lead to an increased chance of the message not being received by the other user agent.
Examples
The following example specifies that the gateway sends nine register messages:
sip-ua
retry register 9
The following example specifies that the gateway sends six register messages and that a random interval between 2 and 5 minutes is used before the next registration is sent:
sip-ua
retry register 6 exhausted-random-interval minimum 2 maximum 5
Related Commands
revocation-check
To check the revocation status of a certificate, use the revocation-check command in ca-trustpoint configuration mode. To disable this functionality, use the no form of this command.
revocation-check method1 [method2[method3]]
no revocation-check method1 [method2[method3]]
Syntax Description
Defaults
After a trustpoint is enabled, the default is set to revocation-check crl, which means that CRL checking is mandatory.
Command Modes
Ca-trustpoint configuration
Command History
Usage Guidelines
Use the revocation-check command to specify at least one method that is to be used to ensure that the certificate of a peer has not been revoked.
If your router does not have the applicable CRL and is unable to obtain one or if the OCSP server returns an error, your router will reject the peer's certificate—unless you include the none keyword in your configuration. If the none keyword is configured, a revocation check will not be performed and the certificate will always be accepted. If the revocation-check none command is configured, you cannot manually download the CRL via the crypto pki crl request command because the manually downloaded CRL may not be deleted after it expires. The expired CRL can cause all certificate verifications to be denied.
Note The none keyword replaces the optional keyword that is available from the crl command. If you enter the crl optional command, it will be written back as the revocation-check none command. However, there is a difference between the crl optional command and the revocation-check none command. The crl optional command will perform revocation checks against any applicable in-memory CRL. If a CRL is not available, a CRL will not be downloaded and the certificate is treated as valid; the revocation-check none command ignores the revocation check completely and always treats the certificate as valid.
Also, the crl and none keywords issued together replace the best-effort keyword that is available from the crl command. If you enter the crl best-effort command, it will be written back as the revocation-check crl none command.
Examples
The following example shows how to configure the router to use the OCSP server that is specified in the AIA extension of the certificate:
Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# revocation-check ocsp
The following example shows how to configure the router to download the CRL from the CDP; if the CRL is unavailable, the OCSP server that is specified in the Authority Info Access (AIA) extension of the certificate will be used. If both options fail, certificate verification will also fail.
Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# revocation-check crl ocsp
The following example shows how to configure your router to use the OCSP server at the HTTP URL "http://myocspserver:81". If the server is down, the revocation check will be ignored.
Router(config)# crypto pki trustpoint mytp
Router(ca-trustpoint)# ocsp url http://myocspserver:81
Router(ca-trustpoint)# revocation-check ocsp none
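The following added example (not part of the Cisco documentation) audits a configuration for trustpoints whose revocation policy fails open, and models the method fallback described above: methods are tried in order, an unavailable method falls through to the next, and only the none keyword turns a complete failure into acceptance. The sample configuration, trustpoint names other than mytp, and all function names are constructed for illustration.

```python
import re
from typing import Dict, List

# Per this page, an enabled trustpoint defaults to "revocation-check crl".
DEFAULT_METHODS = ["crl"]
# Legacy crl subcommands and the form the page says they are written back as.
LEGACY = {"optional": ["none"], "best-effort": ["crl", "none"]}


def parse_trustpoints(config: str) -> Dict[str, List[str]]:
    """Map each trustpoint name to its ordered list of revocation methods."""
    trustpoints: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        header = re.match(r"crypto pki trustpoint (\S+)\s*$", raw)
        if header:
            current = header.group(1)
            trustpoints[current] = list(DEFAULT_METHODS)
            continue
        if not raw.startswith(" "):  # "!" or a new top-level command ends the block
            current = None
            continue
        words = raw.split()
        if current is None or not words:
            continue
        if words[0] == "revocation-check" and len(words) > 1:
            trustpoints[current] = words[1:]
        elif words[0] == "crl" and len(words) > 1 and words[1] in LEGACY:
            trustpoints[current] = list(LEGACY[words[1]])
    return trustpoints


def classify(methods: List[str]) -> str:
    """Describe what happens when no revocation information can be obtained."""
    if methods and methods[0] == "none":
        return "disabled"      # no check at all, certificate always accepted
    if "none" in methods:
        return "fail-open"     # accepted when every earlier method is unavailable
    return "fail-closed"       # rejected when every method is unavailable


def verdict(methods: List[str], outcomes: Dict[str, str]) -> str:
    """Model the fallback. outcomes maps a method to good, revoked or unavailable."""
    for method in methods:
        if method == "none":
            return "accept"
        result = outcomes.get(method, "unavailable")
        if result == "good":
            return "accept"
        if result == "revoked":
            return "reject"
        # unavailable: fall through to the next configured method
    return "reject"


# Constructed sample configuration.
SAMPLE_CONFIG = """\
crypto pki trustpoint mytp
 revocation-check crl ocsp
!
crypto pki trustpoint branch-tp
 ocsp url http://myocspserver:81
 revocation-check ocsp none
!
crypto pki trustpoint lab-tp
 revocation-check none
!
crypto pki trustpoint legacy-tp
 crl best-effort
!
crypto pki trustpoint default-tp
 enrollment url http://ca.example.com
"""


def audit(config: str) -> Dict[str, str]:
    """Return {trustpoint: policy class} for every trustpoint in the config."""
    return {name: classify(m) for name, m in parse_trustpoints(config).items()}


if __name__ == "__main__":
    for name, policy in audit(SAMPLE_CONFIG).items():
        print(f"{name:12} {policy}")
```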
Related Commands
router bgp
To configure the Border Gateway Protocol (BGP) routing process, use the router bgp command in global configuration mode. To remove a BGP routing process, use the no form of this command.
router bgp autonomous-system-number
no router bgp autonomous-system-number
Syntax Description
Command Default
No BGP routing process is enabled by default.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
This command allows you to set up a distributed routing core that automatically guarantees the loop-free exchange of routing information between autonomous systems.
Prior to January 2009, BGP autonomous system numbers that were allocated to companies were 2-octet numbers in the range from 1 to 65535 as described in RFC 4271, A Border Gateway Protocol 4 (BGP-4). Due to increased demand for autonomous system numbers, the Internet Assigned Numbers Authority (IANA) will start in January 2009 to allocate four-octet autonomous system numbers in the range from 65536 to 4294967295. RFC 5396, Textual Representation of Autonomous System (AS) Numbers, documents three methods of representing autonomous system numbers. Cisco has implemented the following two methods:
•Asplain—Decimal value notation where both 2-byte and 4-byte autonomous system numbers are represented by their decimal value. For example, 65526 is a 2-byte autonomous system number and 234567 is a 4-byte autonomous system number.
•Asdot—Autonomous system dot notation where 2-byte autonomous system numbers are represented by their decimal value and 4-byte autonomous system numbers are represented by a dot notation. For example, 65526 is a 2-byte autonomous system number and 1.169031 is a 4-byte autonomous system number (this is dot notation for the 234567 decimal number).
For details about the third method of representing autonomous system numbers, see RFC 5396.
Note In Cisco IOS releases that include 4-byte ASN support, command accounting and command authorization that include a 4-byte ASN number are sent in the asplain notation irrespective of the format that is used on the command-line interface.
Asdot Only Autonomous System Number Formatting
In Cisco IOS Release 12.0(32)S12, 12.4(24)T, Cisco IOS XE Release 2.3, and later releases, the 4-octet (4-byte) autonomous system numbers are entered and displayed only in asdot notation, for example, 1.10 or 45000.64000. When using regular expressions to match 4-byte autonomous system numbers, the asdot format includes a period, which is a special character in regular expressions. A backslash must be entered before the period (for example, 1\.14) to ensure that the regular expression match does not fail. Table 46 shows the format in which 2-byte and 4-byte autonomous system numbers are configured, matched in regular expressions, and displayed in show command output in Cisco IOS images where only asdot formatting is available.
Asplain as Default Autonomous System Number Formatting
In Cisco IOS Release 12.0(32)SY8, 12.0(33)S3, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI1, Cisco IOS XE Release 2.4, and later releases, the Cisco implementation of 4-byte autonomous system numbers uses asplain as the default display format for autonomous system numbers, but you can configure 4-byte autonomous system numbers in both the asplain and asdot format. In addition, the default format for matching 4-byte autonomous system numbers in regular expressions is asplain, so you must ensure that any regular expressions to match 4-byte autonomous system numbers are written in the asplain format. If you want to change the default show command output to display 4-byte autonomous system numbers in the asdot format, use the bgp asnotation dot command under router configuration mode. When the asdot format is enabled as the default, any regular expressions to match 4-byte autonomous system numbers must be written using the asdot format, or the regular expression match will fail. Table 47 and Table 48 show that although you can configure 4-byte autonomous system numbers in either asplain or asdot format, only one format is used to display show command output and control 4-byte autonomous system number matching for regular expressions, and the default is asplain format. To display 4-byte autonomous system numbers in show command output and to control matching for regular expressions in the asdot format, you must configure the bgp asnotation dot command. After enabling the bgp asnotation dot command, a hard reset must be initiated for all BGP sessions by entering the clear ip bgp * command.
Note If you are upgrading to an image that supports 4-byte autonomous system numbers, you can still use 2-byte autonomous system numbers. The show command output and regular expression match are not changed and remain in asplain (decimal value) format for 2-byte autonomous system numbers regardless of the format configured for 4-byte autonomous system numbers.
Reserved and Private Autonomous System Numbers
In Cisco IOS Release 12.0(32)S12, 12.0(32)SY8, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI1, 12.4(24)T, Cisco IOS XE Release 2.3 and later releases, the Cisco implementation of BGP supports RFC 4893. RFC 4893 was developed to allow BGP to support a gradual transition from 2-byte autonomous system numbers to 4-byte autonomous system numbers. A new reserved (private) autonomous system number, 23456, was created by RFC 4893 and this number cannot be configured as an autonomous system number in the Cisco IOS CLI.
RFC 5398, Autonomous System (AS) Number Reservation for Documentation Use, describes new reserved autonomous system numbers for documentation purposes. Use of the reserved numbers allows configuration examples to be accurately documented and avoids conflict with production networks if these configurations are literally copied. The reserved numbers are documented in the IANA autonomous system number registry. Reserved 2-byte autonomous system numbers are in the contiguous block 64496 to 64511, and reserved 4-byte autonomous system numbers are from 65536 to 65551 inclusive.
Private 2-byte autonomous system numbers are still valid in the range from 64512 to 65534 with 65535 being reserved for special use. Private autonomous system numbers can be used for internal routing domains but must be translated for traffic that is routed out to the Internet. BGP should not be configured to advertise private autonomous system numbers to external networks. Cisco IOS software does not remove private autonomous system numbers from routing updates by default. We recommend that ISPs filter private autonomous system numbers.
Note Autonomous system number assignment for public and private networks is governed by the IANA. For information about autonomous-system numbers, including reserved number assignment, or to apply to register an autonomous system number, see the following URL: http://www.iana.org/.
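The following added example (not part of the Cisco documentation) converts between the asplain and asdot notations, classifies an autonomous system number using only the reserved, documentation and private ranges listed above, reports private numbers found in an AS path, and shows why the period in an asdot number must be escaped in a regular expression. Function names and sample paths are constructed for illustration; Python's re module stands in for the router's regular expression engine.

```python
import re
from typing import List

MAX_ASN = 4294967295


def asdot_to_asplain(text: str) -> int:
    """Accept asplain ("65550") or asdot ("1.14") and return the decimal value."""
    if "." in text:
        high_text, low_text = text.split(".")
        high, low = int(high_text), int(low_text)
        if not (0 <= high <= 65535 and 0 <= low <= 65535):
            raise ValueError(f"each asdot half must fit in 16 bits: {text!r}")
        value = high * 65536 + low
    else:
        value = int(text)
    if not 1 <= value <= MAX_ASN:
        raise ValueError(f"autonomous system number out of range: {text!r}")
    return value


def asplain_to_asdot(asn: int) -> str:
    """2-byte numbers stay decimal; 4-byte numbers become high.low."""
    if asn < 65536:
        return str(asn)
    return f"{asn >> 16}.{asn & 0xFFFF}"


def classify(asn: int) -> str:
    """Classify with the ranges given on this page only."""
    if asn == 23456:
        return "reserved"        # created by RFC 4893, cannot be configured
    if 64496 <= asn <= 64511 or 65536 <= asn <= 65551:
        return "documentation"   # RFC 5398
    if 64512 <= asn <= 65534:
        return "private"
    if asn == 65535:
        return "reserved"        # reserved for special use
    return "other"


def private_asns_in_path(as_path: str) -> List[int]:
    """Return the private ASNs in a space-separated AS path (either notation)."""
    values = [asdot_to_asplain(token) for token in as_path.split()]
    return [v for v in values if classify(v) == "private"]


def asdot_pattern(asdot: str) -> str:
    """Escape the period so that it matches literally, for example 1\\.14."""
    return asdot.replace(".", r"\.")


def tokens_matching(pattern: str, as_path: str) -> List[str]:
    """Return the path tokens that the pattern matches in full."""
    return [t for t in as_path.split() if re.fullmatch(pattern, t)]


if __name__ == "__main__":
    print(asdot_to_asplain("1.2"), asplain_to_asdot(65550))
    # Constructed AS path containing two private ASNs.
    print(private_asns_in_path("45000 64512 1.14 65534"))
    # Unescaped, the period also matches the 2-byte numbers 1014 and 1314.
    print(tokens_matching("1.14", "1014 1.14 1314"))
    print(tokens_matching(asdot_pattern("1.14"), "1014 1.14 1314"))
```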
Examples
The following example configures a BGP process for autonomous system 45000 and configures two external BGP neighbors in different autonomous systems using 2-byte autonomous system numbers:
router bgp 45000
neighbor 192.168.1.2 remote-as 40000
neighbor 192.168.3.2 remote-as 50000
neighbor 192.168.3.2 description finance
!
address-family ipv4
neighbor 192.168.1.2 activate
neighbor 192.168.3.2 activate
no auto-summary
no synchronization
network 172.17.1.0 mask 255.255.255.0
exit-address-family
The following example configures a BGP process for autonomous system 65538 and configures two external BGP neighbors in different autonomous systems using 4-byte autonomous system numbers in asplain notation. This example is supported in Cisco IOS Release 12.0(32)SY8, 12.0(33)S3, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI1, Cisco IOS XE Release 2.4, and later releases.
router bgp 65538
neighbor 192.168.1.2 remote-as 65536
neighbor 192.168.3.2 remote-as 65550
neighbor 192.168.3.2 description finance
!
address-family ipv4
neighbor 192.168.1.2 activate
neighbor 192.168.3.2 activate
no auto-summary
no synchronization
network 172.17.1.0 mask 255.255.255.0
exit-address-family
The following example configures a BGP process for autonomous system 1.2 and configures two external BGP neighbors in different autonomous systems using 4-byte autonomous system numbers in asdot notation. This example is supported in Cisco IOS Release 12.0(32)SY8, 12.0(32)S12, 12.2(33)SRE, 12.2(33)XNE, 12.2(33)SXI1, 12.4(24)T, and Cisco IOS XE Release 2.3, and later releases.
router bgp 1.2
neighbor 192.168.1.2 remote-as 1.0
neighbor 192.168.3.2 remote-as 1.14
neighbor 192.168.3.2 description finance
!
address-family ipv4
neighbor 192.168.1.2 activate
neighbor 192.168.3.2 activate
no auto-summary
no synchronization
network 172.17.1.0 mask 255.255.255.0
exit-address-family
Related Commands
router ospfv3
To enter Open Shortest Path First version 3 (OSPFv3) router configuration mode, use the router ospfv3 command in interface configuration mode.
router ospfv3 [process-id]
Syntax Description
process-id |
(Optional) Internal identification. The number used here is the number assigned administratively when enabling the OSPFv3 routing process and can be a value from 1 through 65535. |
Command Default
No OSPFv3 routing process is defined.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the router ospfv3 command to enter the OSPFv3 router configuration mode. From this mode, you can enter address-family configuration mode for IPv6 or IPv4 and then configure the IPv6 or IPv4 AF.
Examples
The following example enters OSPFv3 router configuration mode:
Router(config)# router ospfv3 1
Router(config-router)#
Related Commands
| Command | Description |
|---|---|
| ipv6 ospf area | Enables OSPFv3 on an interface. |
| ospfv3 area | Enables OSPFv3 on an interface with the IPv4 or IPv6 AF. |
route-map
To define the conditions for redistributing routes from one routing protocol into another routing protocol, or to enable policy routing, use the route-map command in global configuration mode and the match and set commands in route-map configuration modes. To delete an entry, use the no form of this command.
route-map map-tag [permit | deny] [sequence-number]
no route-map map-tag [permit | deny] [sequence-number]
Syntax Description
Command Default
Policy routing is not enabled and conditions for redistributing routes from one routing protocol into another routing protocol are not configured.
Command Modes
Global configuration (config)
Command History
Usage Guidelines
Use the route-map command to enter route-map configuration mode.
Use route maps to redistribute routes or to subject packets to policy routing. Both purposes are described in this section.
Redistribution
Use the route-map global configuration command, and the match and set route-map configuration commands, to define the conditions for redistributing routes from one routing protocol into another. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria—the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions—the particular redistribution actions to perform if the criteria enforced by the match commands are met. The no route-map command deletes the route map.
The match route-map configuration command has multiple formats. The match commands can be given in any order, and all match commands must "pass" to cause the route to be redistributed according to the set actions given with the set commands. The no forms of the match commands remove the specified match criteria.
Use route maps when you want detailed control over how routes are redistributed between routing processes. The destination routing protocol is the one you specify with the router global configuration command. The source routing protocol is the one you specify with the redistribute router configuration command. See the "Examples" section for an illustration of how route maps are configured.
A route map through which routes are passed can have several parts. Any route that does not match at least one match clause relating to a route-map command is ignored; that is, the route is not advertised for outbound route maps and is not accepted for inbound route maps. If you want to modify only some data, you must configure a second route map section with an explicit match specified.
Policy Routing
Another purpose of route maps is to enable policy routing. Use the ip policy route-map or ipv6 policy route-map command, in addition to the route-map command, and the match and set commands to define the conditions for policy routing packets. The match commands specify the conditions under which policy routing occurs. The set commands specify the routing actions to perform if the criteria enforced by the match commands are met. You might want to policy-route packets along a path other than the obvious shortest path.
The sequence-number argument works as follows:
1. If no entry is defined with the supplied tag, an entry is created with the sequence-number argument set to 10.
2. If only one entry is defined with the supplied tag, that entry becomes the default entry for the following route-map command. The sequence-number argument of this entry is unchanged.
3. If more than one entry is defined with the supplied tag, an error message is printed to indicate that the sequence-number argument is required.
If the no route-map map-tag command is specified (with no sequence-number argument), the whole route map is deleted.
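The redistribution behavior described above (entries tried in sequence-number order, every match clause of an entry required to pass, unmatched routes ignored) can be modeled offline to check what a route map will let through before it is applied. The following Python sketch is an added example, not Cisco code: entry 10 is this page's rip-to-ospf example, entries 5 and 20 and the sample routes are constructed, each match clause is assumed to carry a single value, and an omitted sequence number is handled only for the first entry of a map (rule 1 above).

```python
import re

# Constructed config: the first entry is the page's rip-to-ospf example
# (sequence number omitted, so it is created as 10); 5 and 20 are hypothetical.
CONFIG = """\
route-map rip-to-ospf permit
 match metric 1
 set metric 5
 set metric-type type1
 set tag 1
route-map rip-to-ospf deny 5
 match tag 99
route-map rip-to-ospf permit 20
 match metric 2
 match tag 42
 set metric-type type1
"""

HEADER = re.compile(r"route-map (\S+) (permit|deny)(?: (\d+))?$")

def parse(config):
    """Return {map-tag: [entry, ...]} with entries sorted by sequence number."""
    maps, entry = {}, None
    for line in config.splitlines():
        m = HEADER.match(line)
        if m:
            tag, action, seq = m.groups()
            # Rule 1: a first entry entered without a sequence number gets 10.
            entry = {"seq": int(seq) if seq else 10, "action": action,
                     "match": {}, "set": {}}
            maps.setdefault(tag, []).append(entry)
        elif line.strip() and entry is not None:
            kind, field, value = line.split()  # e.g. "match", "metric", "1"
            entry[kind][field] = int(value) if value.isdigit() else value
    for entries in maps.values():
        entries.sort(key=lambda e: e["seq"])
    return maps

def redistribute(entries, route):
    """Return the route as it would be redistributed, or None if it is dropped."""
    for e in entries:
        # Every match clause of the entry must pass for the entry to apply.
        if all(route.get(f) == v for f, v in e["match"].items()):
            return {**route, **e["set"]} if e["action"] == "permit" else None
    return None  # matched no entry: the route is ignored
```

Running each candidate route through `redistribute(parse(CONFIG)["rip-to-ospf"], route)` shows which prefixes would leak into the destination protocol and with which attributes; a `None` result means the route is filtered.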
Examples
The following example redistributes Routing Information Protocol (RIP) routes with a hop count equal to 1 into Open Shortest Path First (OSPF). These routes will be redistributed into OSPF as external link-state advertisements (LSAs) with a metric of 5, metric type of Type 1, and a tag equal to 1.
Router(config)# router ospf 109
Router(config-router)# redistribute rip route-map rip-to-ospf
Router(config-router)# exit
Router(config)# route-map rip-to-ospf permit
Router(config-route-map)# match metric 1
Router(config-route-map)# set metric 5
Router(config-route-map)# set metric-type type1
Router(config-route-map)# set tag 1
The following example for IPv6 redistributes RIP routes with a hop count equal to 1 into OSPF. These routes will be redistributed into OSPF as external LSAs with a tag equal to 42 and a metric type equal to type1.
Router(config)# ipv6 router ospf 1
Router(config-router)# redistribute rip one route-map rip-to-ospfv3
Router(config-router)# exit
Router(config)# route-map rip-to-ospfv3
Router(config-route-map)# match tag 42
Router(config-route-map)# set metric-type type1
The following named configuration example redistributes Enhanced Interior Gateway Routing Protocol (EIGRP) addresses with a hop count equal to 1. These addresses are redistributed into EIGRP as external with a metric of 5 and a tag equal to 1:
Router(config)# router eigrp virtual-name1
Router(config-router)# address-family ipv4 autonomous-system 4453
Router(config-router-af)# topology base
Router(config-router-af-topology)# redistribute eigrp 6473 route-map virtual-name1-to-virtual-name2
Router(config-router-af-topology)# exit-af-topology
Router(config-router-af)# exit-address-family
Router(config-router)# router eigrp virtual-name2
Router(config-router)# address-family ipv4 autonomous-system 6473
Router(config-router-af)# topology base
Router(config-router-af-topology)# exit-af-topology
Router(config-router-af)# exit-address-family
Router(config)# route-map virtual-name1-to-virtual-name2
Router(config-route-map)# match tag 42
Router(config-route-map)# set metric 5
Router(config-route-map)# set tag 1