dh – dm

dhcp-client broadcast-flag

To allow the ASA to set the broadcast flag in the DHCP client packet, use the dhcp-client broadcast-flag command in global configuration mode. To disallow the broadcast flag, use the no form of this command.

dhcp-client broadcast-flag

no dhcp-client broadcast-flag

Syntax Description

This command has no arguments or keywords.

Command Default

By default, the broadcast flag is disabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

Usage Guidelines

If you enable the DHCP client for an interface using the ip address dhcp command, then you can use this command to set the broadcast flag to 1 in the DHCP packet header when the DHCP client sends a discover requesting an IP address. The DHCP server listens to this broadcast flag and broadcasts the reply packet if the flag is set to 1.

If you enter the no dhcp-client broadcast-flag command, the broadcast flag is set to 0, and the DHCP server unicasts the reply packets to the client with the offered IP address.

The DHCP client can receive both broadcast and unicast offers from the DHCP server.

Examples

The following example enables the broadcast flag:


ciscoasa(config)# dhcp-client broadcast-flag

dhcp-client client-id

To force a MAC address to be stored inside a DHCP request packet for option 61 instead of the default internally generated string, use the dhcp-client client-id command in global configuration mode. To disallow the MAC address, use the no form of this command.

dhcp-client client-id interface interface_name

no dhcp-client client-id interface interface_name

Syntax Description

interface interface_name

Specifies the interface on which you want to enable the MAC address for option 61.

Command Default

By default, an internally-generated ASCII string is used for option 61.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

Usage Guidelines

If you enable the DHCP client for an interface using the ip address dhcp command, some ISPs expect option 61 to be the interface MAC address. If the MAC address is not included in the DHCP request packet, then an IP address will not be assigned. Use the dhcp-client client-id command to include the interface MAC address for option 61.

Examples

The following example enables the MAC address for option 61 for the outside interface:


ciscoasa(config)# dhcp-client client-id interface outside

dhcp client route distance

To configure an administrative distance for routes learned through DHCP, use the dhcp client route distance command in interface configuration mode. To restore the default setting, use the no form of this command.

dhcp client route distance distance

no dhcp client route distance distance

Syntax Description

distance

The administrative distance to apply to routes learned through DHCP. Valid values are from 1 to 255.

Command Default

Routes learned through DHCP are given an administrative distance of 1 by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Interface configuration

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

Usage Guidelines

The dhcp client route distance command is checked only when a route is learned from DHCP. If the dhcp client route distance command is entered after a route is learned from DHCP, the administrative distance specified does not affect the existing learned route. Only routes learned after the command was entered have the specified administrative distance.

You must specify the setroute option in the ip address dhcp command to obtain routes through DHCP.

If DHCP is configured on multiple interfaces, you must use the dhcp client route distance command on each of the interfaces to indicate the priority of the installed routes.

Examples

The following example obtains the default route through DHCP on GigabitEhternet0/2. The route is tracked by tracking entry object 1. The SLA operation monitors the availability of the 10.1.1.1 gateway off of the outside interface. If the SLA operation fails, then the backup route obtained through DHCP on GigabitEthernet0/3 is used. The backup route is assigned an administrative distance of 254.


ciscoasa(config)# sla monitor 123
ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
 
ciscoasa(config-sla-monitor-echo)# timeout 1000
ciscoasa(config-sla-monitor-echo)# frequency 3
ciscoasa(config)# sla monitor schedule 123 life forever start-time now
ciscoasa(config)# track 1 rtr 123 reachability
ciscoasa(config)# interface GigabitEthernet0/2
ciscoasa(config-if)# dhcp client route track 1
ciscoasa(config-if)# ip address dhcp setroute
ciscoasa(config)# interface GigabitEthernet0/3
ciscoasa(config-if)# dhcp client route track 1
ciscoasa(config-if)# dhcp client route distance 254
ciscoasa(config-if)# ip address dhcp setroute

dhcp client route track

To configure the DHCP client to associate added routes with a specified tracked object number, use the dhcp client route track command in interface configuration mode. To disable DHCP client route tracking, use the no form of this command.

dhcp client route track number

no dhcp client route track

Syntax Description

number

The tracking entry object ID. Valid values are from 1 to 500.

Command Default

No default behaviors or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Interface configuration

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

Usage Guidelines

The dhcp client route track command is checked only when a route is learned from DHCP. If the dhcp client route track command is entered after a route is learned from DHCP, the existing learned routes are not associated with a tracking object. You must put the following two commands in the correct order. Make sure that you always enter the dhcp client route track command first, followed by the ip address dhcp setroute command, If you have already entered the ip address dhcp setroute command, then remove it and reenter it in the order previously described. Only routes learned after the command was entered are associated with the specified tracking object.

You must specify the setroute option in the ip address dhcp command to obtain routes through DHCP.

If DHCP is configured on multiple interfaces, you must use the dhcp client route distance command on each of the interfaces to indicate the priority of the installed routes.

Examples

The following example obtains the default route through DHCP on GigabitEhternet0/2. The route is tracked by tracking entry object 1. The SLA operation monitors the availability of the 10.1.1.1 gateway off of the outside interface. If the SLA operation fails, then the backup route obtained through DHCP on GigabitEthernet0/3 is used. The backup route is assigned an administrative distance of 254.


ciscoasa(config)# sla monitor 123
ciscoasa(config-sla-monitor)# type echo protocol ipIcmpEcho 10.1.1.1 interface outside
 
ciscoasa(config-sla-monitor-echo)# timeout 1000
ciscoasa(config-sla-monitor-echo)# frequency 3
ciscoasa(config)# sla monitor schedule 123 life forever start-time now
ciscoasa(config)# track 1 rtr 123 reachability
ciscoasa(config)# interface GigabitEthernet0/2
ciscoasa(config-if)# dhcp client route track 1
ciscoasa(config-if)# ip address dhcp setroute
ciscoasa(config)# interface GigabitEthernet0/3
ciscoasa(config-if)# dhcp client route distance 254
ciscoasa(config-if)# ip address dhcp setroute

dhcp-client update dns

To configure the update parameters that the DHCP client passes to the DHCP server, use the dhcp-client update dns command in global configuration mode. To remove the parameters that the DHCP client passes to the DHCP server, use the no form of this command.

dhcp-client update dns [ server { both | none } ]

no dhcp-client update dns [ server { both | none } ]

Syntax Description

both

The client requests that the DHCP server update both the DNS A and PTR resource records.

none

The client requests that the DHCP server perform no DDNS updates.

server

Specifies the DHCP server to receive the client requests.

Command Default

By default, the ASA requests that the DHCP server perform PTR RR updates only. The client does not send the FQDN option to the server.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

Usage Guidelines

This command can also be entered in interface configuration mode, but it is not hyphenated. See the dhcp client update dns command. When entered in interface mode, the dhcp client update dns command overrides settings configured by this command in global configuration mode.

Examples

The following example configures the client to request that the DHCP server update neither the A and the PTR RRs:


ciscoasa(config)# dhcp-client update dns server none

The following example configures the client to request that the server update both the A and PTR RRs:

ciscoasa(config)# dhcp-client update dns server both

dhcp-network-scope

To specify the range of IP addresses the DHCP server should use to assign addresses to users of this group policy, use the dhcp-network-scope command in group-policy configuration mode. To remove the attribute from the running configuration, use the no form of this command.

dhcp-network-scope { ip_address | none }

no dhcp-network-scope

Syntax Description

ip_address

Specifies a routeable address on the same subnet as the desired pool, but not within the pool. The DHCP server determines which subnet this IP address belongs to and assigns an IP address from that pool.

none

Sets the DHCP scope to a null value, thereby allowing no IP addresses. Prevents inheriting a value from a default or specified group policy.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Group-policy

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

If you configure DHCP servers for the address pool in the connection profile, the DHCP scope identifies the subnets to use for the pool for this group. The DHCP server must also have addresses in the same subnet identified by the scope. The scope allows you to select a subset of the address pools defined in the DHCP server to use for this specific group.

If you do not define a network scope, the DHCP server assigns IP addresses in the order of the address pools configured. It goes through the pools until it identifies an unassigned address.

To specify a scope, enter a routeable address on the same subnet as the desired pool, but not within the pool. The DHCP server determines which subnet this IP address belongs to and assigns an IP address from that pool.

We recommend using the IP address of an interface whenever possible for routing purposes. For example, if the pool is 10.100.10.2-10.100.10.254, and the interface address is 10.100.10.1/24, use 10.100.10.1 as the DHCP scope. Do not use the network number. You can use DHCP for IPv4 addressing only. If the address you choose is not an interface address, you might need to create a static route for the scope address.

This command allows inheritance of a value from another group policy. To prevent inheriting a value, use the dhcp-network-scope none command.

Examples

The following example shows how to set an IP subnetwork of 10.10.85.1 for the group policy named First Group:


ciscoasa(config)# group-policy FirstGroup attributes
ciscoasa(config-group-policy)# dhcp-network-scope 10.10.85.1

dhcp-server

To configure support for DHCP servers that assign IP addresses to clients as a VPN tunnel is established, use the dhcp-server command in tunnel-group general-attributes configuration mode. To return this command to the default, use the no form of this command.

dhcp-server [ link-selection | subnet-selection ] ip1 [ ip2-ip10 ]

[ no ] dhcp-server [ link-selection | subnet-selection ] ip1 [ ip2-ip10 ]

Syntax Description

ip1

Address of a DHCP server

ip2-ip10

(Optional) Addresses of additional DHCP servers. Up to ten may be specified in the same command or spread over multiple commands.

link-selection

(Optional) Specifies that the ASA should send DHCP suboption 5, the Link Selection Suboption for the Relay Information Option 82, defined by RFC 3527. This should only be used with servers that support this RFC.

subnet-selection

(Optional) Specifies that the ASA should send DHCP Option 118, the IPv4 Subnet Selection Option, defined by RFC 3011. This should only be used with servers that support this RFC.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Tunnel-group general attributes configuration

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

8.0(5)

The link-selection and subnet-selection keywords were added.

Usage Guidelines

You can apply this attribute to remote access tunnel group types only.

Examples

The following command, entered in config-general configuration mode, adds three DHCP servers (dhcp1, dhcp2, and dhcp3) to the IPsec remote access tunnel group “remotegrp”:


ciscoasa(config)# tunnel-group remotegrp type remote-access
ciscoasa(config)# tunnel-group remotegrp general
ciscoasa(config-tunnel-general)# default-group-policy remotegrp
ciscoasa(config-tunnel-general)# dhcp-server dhcp1 dhcp2 dhcp3
ciscoasa(config-tunnel-general)

dhcpd address

To define the IP address pool used by the DHCP server, use the dhcpd address command in global configuration mode. To remove an existing DHCP address pool, use the no form of this command.

dhcpd address ip_address 1 [ - ip_address 2 ] interface_name

no dhcpd address interface_name

Syntax Description

interface_name

Interface to which the address pool is assigned. In transparent mode, specify a bridge group member interface. In routed mode, specify a routed interface or a BVI; do not specify the bridge group member interface.

ip_address1

Start address of the DHCP address pool.

ip_address2

End address of the DHCP address pool.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

9.7(1)

You can now configure this command on a BVI in routed mode when using Integrated Routing and Bridging.

Usage Guidelines

The address pool of an ASA DHCP server must be within the same subnet of the ASA interface on which it is enabled, and you must specify the associated ASA interface using interface_name .

The size of the address pool is limited to 256 addresses per pool on the ASA. If the address pool range is larger than 253 addresses, the netmask of the ASA interface cannot be a Class C address (for example, 255.255.255.0) and needs to be something larger, for example, 255.255.254.0.

DHCP clients must be physically connected to the subnet of the ASA DCHP server interface.

The dhcpd address command cannot use interface names with a “-” (dash) character because this character is interpreted as a range specifier instead of as part of the object name.

The no dhcpd address interface_name command removes the DHCP server address pool that you configured for the specified interface.

See the CLI configuration guide for information about how to implement the DHCP server feature in the ASA.

Examples

The following example shows how to configure an address pool and DNS server for the DHCP clients on the DMZ interface of the ASA:


ciscoasa(config)# dhcpd address 10.0.1.100-10.0.1.108 dmz
ciscoasa(config)# dhcpd dns 209.165.200.226
ciscoasa(config)# dhcpd enable dmz

The following example shows how to configure a DHCP server on the inside interface. The dhcpd address command assigns a pool of 10 IP addresses to the DHCP server on that interface.


ciscoasa(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
ciscoasa(config)# dhcpd dns 198.162.1.2 198.162.1.3
ciscoasa(config)# dhcpd wins 198.162.1.4
ciscoasa(config)# dhcpd lease 3000
ciscoasa(config)# dhcpd ping_timeout 1000
ciscoasa(config)# dhcpd domain example.com
ciscoasa(config)# dhcpd enable inside

dhcpd auto_config

To enable the ASA to automatically configure DNS, WINS and domain name values for the DHCP server based on the values obtained from an interface running a DHCP or PPPoE client, or from a VPN server, use the dhcpd auto_config command in global configuration mode. To discontinue the automatic configuration of DHCP parameters, use the no form of this command.

dhcpd auto_config client_if_name [ [ vpnclient-wins-override ] interface if_name ]

no dhcpd auto_config client_if_name [ [ vpnclient-wins-override ] interface if_name ]

Syntax Description

client_if_name

Specifies the interface running the DHCP client that supplies the DNS, WINS, and domain name parameters.

interface if_name

Specifies the interface to which the action will apply.

vpnclient-wins-override

Overrides the interface DHCP or PPPoE client WINS parameter with the vpnclient parameter.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

If you specify DNS, WINS, or domain name parameters using the CLI commands, then the CLI-configured parameters overwrite the parameters obtained by automatic configuration.

Examples

The following example shows how to configure DHCP on the inside interface. The dhcpd auto_config command is used to pass DNS, WINS, and domain information obtained from the DHCP client on the outside interface to the DHCP clients on the inside interface.


ciscoasa(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
ciscoasa(config)# dhcpd auto_config outside
ciscoasa(config)# dhcpd enable inside

dhcpd dns

To define the DNS servers for DHCP clients, use the dhcpd dns command in global configuration mode. To clear defined servers, use the no form of this command.

dhcpd dns dnsip1 [ dnsip2 ] [ interface if_name ]

no dhcpd dns dnsip1 [ dnsip2 ] [ interface if_name ]

Syntax Description

dnsip1

Specifies the IP address of the primary DNS server for the DHCP client.

dnsip2

(Optional) Specifies the IP address of the alternate DNS server for the DHCP client.

interface if_name

Specifies the interface to which values entered to the server apply. If no interface is specified, values are applied to all servers.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The dhcpd dns command lets you specify the IP address or addresses of the DNS server(s) for the DHCP client. You can specify two DNS servers. The no dhcpd dns command lets you remove the DNS IP address(es) from the configuration.

Examples

The following example shows how to configure an address pool and DNS server for the DHCP clients on the DMZ interface of the ASA.


ciscoasa(config)# dhcpd address 10.0.1.100-10.0.1.108 dmz
ciscoasa(config)# dhcpd dns 192.168.1.2
ciscoasa(config)# dhcpd enable dmz

dhcpd domain

To define the DNS domain name for DHCP clients, use the dhcpd domain command in global configuration mode. To clear the DNS domain name, use the no form of this command.

dhcpd domain domain_name [ interface if_name ]

no dhcpd domain [ domain_name ] [ interface if_name ]

Syntax Description

domain_name

Specifies the DNS domain name (example.com).

interface if_name

Specifies the interface to which values entered to the server apply. If no interface is specified, values are applied to all servers.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The dhcpd domain command lets you specify the DNS domain name for the DHCP client. The no dhcpd domain command lets you remove the DNS domain server from the configuration.

Examples

The following example shows how to configure the domain name supplied to DHCP clients by the DHCP server on the ASA:


ciscoasa(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
ciscoasa(config)# dhcpd dns 198.162.1.2 198.162.1.3
ciscoasa(config)# dhcpd wins 198.162.1.4
ciscoasa(config)# dhcpd lease 3000
ciscoasa(config)# dhcpd ping_timeout 1000
ciscoasa(config)# dhcpd domain example.com
ciscoasa(config)# dhcpd enable inside

dhcpd enable

To enable the DHCP server, use the dhcpd enable command in global configuration mode. To disable the DHCP server, use the no form of this command.

dhcpd enable interface

no dhcpd enable interface

Syntax Description

interface

Specifies the interface on which to enable the DHCP server.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The DHCP server provides network configuration parameters to DHCP clients. Support for the DHCP server within the ASA means that the ASA can use DHCP to configure connected clients. The dhcpd enable interface command lets you enable the DHCP daemon to listen for the DHCP client requests on the DHCP-enabled interface. The no dhcpd enable command disables the DHCP server feature on the specified interface.


Note


For multiple context mode, you cannot enable the DHCP server on an interface that is used by more than one context (a shared VLAN).

When the ASA responds to a DHCP client request, it uses the IP address and subnet mask of the interface at which the request was received as the IP address and subnet mask of the default gateway in the response.


Note


The ASA DHCP server daemon does not support clients that are not directly connected to an ASA interface.

See the CLI configuration guide for information about how to implement the DHCP server feature in the ASA.

Examples

The following example shows how to enable the DHCP server on the inside interface:


ciscoasa(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
ciscoasa(config)# dhcpd dns 198.162.1.2 198.162.1.3
ciscoasa(config)# dhcpd wins 198.162.1.4
ciscoasa(config)# dhcpd lease 3000
ciscoasa(config)# dhcpd ping_timeout 1000
ciscoasa(config)# dhcpd domain example.com
ciscoasa(config)# dhcpd enable inside

dhcpd lease

To specify the DHCP lease length, use the dhcpd lease command in global configuration mode. To restore the default value for the lease, use the no form of this command.

dhcpd lease lease_length [ interface if_name ]

no dhcpd lease [ lease_length ] [ interface if_name ]

Syntax Description

interface if_name

Specifies the interface to which values entered to the server apply. If no interface is specified, values are applied to all servers.

lease_length

Specifies the length of the IP address lease, in seconds, granted to the DHCP client from the DHCP server. Valid values are from 300 to 1048575 seconds.

Command Default

The default lease_length is 3600 seconds.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The dhcpd lease command lets you specify the length of the lease, in seconds, that is granted to the DHCP client. This lease indicates how long the DHCP client can use the assigned IP address that the DHCP server granted.

The no dhcpd lease command lets you remove the lease length that you specified from the configuration and replaces this value with the default value of 3600 seconds.

Examples

The following example shows how to specify the length of the lease of DHCP information for DHCP clients:


ciscoasa(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
ciscoasa(config)# dhcpd dns 198.162.1.2 198.162.1.3
ciscoasa(config)# dhcpd wins 198.162.1.4
ciscoasa(config)# dhcpd lease 3000
ciscoasa(config)# dhcpd ping_timeout 1000
ciscoasa(config)# dhcpd domain example.com
ciscoasa(config)# dhcpd enable inside

dhcpd option

To configure DHCP options, use the dhcpd option command in global configuration mode. To clear the option, use the no form of this command.

dhcpd option code { ascii string } | { ip IP_address [ IP_address ] } | { hex hex_string } [ interface if_name ]

no dhcpd option code [ interface if_name ]

Syntax Description

ascii string

Specifies that the option parameter is an ASCII character string without spaces.

code

Specifies a number representing the DHCP option being set. Valid values are 0 to 255 with several exceptions. See the Usage Guidelines section for the list of DHCP option codes that are not supported.

hex hex_string

Specifies that the option parameter is a hexadecimal string with an even number of digits and no spaces. You do not need to use a 0x prefix.

interface if_name

Specifies the interface to which values entered to the server apply. If no interface is specified, values are applied to all servers.

ip

Specifies that the option parameter is an IP address. You can specify a maximum of two IP addresses with the ip keyword.

IP_address

Specifies a dotted-decimal IP address.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

You can use the dhcpd option command to provide TFTP server information to Cisco IP Phones and routers.

When a DHCP option request arrives at the ASA DHCP server, the ASA places the value or values that are specified by the dhcpd option command in the response to the client.

The dhcpd option 66 and dhcpd option 150 commands specify TFTP servers that Cisco IP Phones and routers can use to download configuration files. Use these commands as follows:

  • dhcpd option 66 ascii string , where string is either the IP address or hostname of the TFTP server. Only one TFTP server can be specified for option 66.

  • dhcpd option 150 ip IP_address [IP_address ], where IP_address is the IP address of the TFTP server. You can specify a maximum of two IP addresses for option 150.


Note


The dhcpd option 66 command only takes an ascii parameter, and the dhcpd option 150 only takes an ip parameter.

Use the following guidelines when specifying an IP address for the dhcpd option 66 | 150 commands:

  • If the TFTP server is located on the DHCP server interface, use the local IP address of the TFTP server.

  • If the TFTP server is located on a less secure interface than the DHCP server interface, then general outbound rules apply. Create a group of NAT, global, and access list entries for the DHCP clients, and use the actual IP address of the TFTP server.

  • If the TFTP server is located on a more secure interface, then general inbound rules apply. Create a group of static and access list statements for the TFTP server and use the global IP address of the TFTP server.

For information about other DHCP options, see RFC 2132.


Note


The ASA does not verify that the option type and value that you provide match the expected type and value for the option code as defined in RFC 2132. For example, you can enter the dhcpd option 46 ascii hello command, and the ASA accepts the configuration although option 46 is defined in RFC 2132 as a single-digit, hexadecimal value.

You cannot configure the following DHCP options with the dhcpd option command:

Option Code

Description

0

DHCPOPT_PAD

1

HCPOPT_SUBNET_MASK

12

DHCPOPT_HOST_NAME

50

DHCPOPT_REQUESTED_ADDRESS

51

DHCPOPT_LEASE_TIME

52

DHCPOPT_OPTION_OVERLOAD

53

DHCPOPT_MESSAGE_TYPE

54

DHCPOPT_SERVER_IDENTIFIER

58

DHCPOPT_RENEWAL_TIME

59

DHCPOPT_REBINDING_TIME

61

DHCPOPT_CLIENT_IDENTIFIER

67

DHCPOPT_BOOT_FILE_NAME

82

DHCPOPT_RELAY_INFORMATION

255

DHCPOPT_END

Examples

The following example shows how to specify a TFTP server for DHCP option 66:


ciscoasa(config)# dhcpd option 66 ascii MyTftpServer

dhcpd ping_timeout

To change the default timeout for DHCP ping, use the dhcpd ping_timeout command in global configuration mode. To return to the default value, use the no form of this command.

dhcpd ping_timeout number [ interface if_name ]

no dhcpd ping_timeout [ interface if_name ]

Syntax Description

interface if_name

Specifies the interface to which values entered to the server apply. If no interface is specified, values are applied to all servers.

number

The timeout value of the ping, in milliseconds. The minimum value is 10, the maximum is 10000. The default is 50.

Command Default

The default number of milliseconds for number is 50.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

To avoid address conflicts, the DHCP server sends two ICMP ping packets to an address before assigning that address to a DHCP client. The ASA waits for both ICMP ping packets to time out before assigning an IP address to a DHCP client. For example, if the default value is used, the ASA waits for 1500 milliseconds (750 milliseconds for each ICMP ping packet) before assigning an IP address.

A long ping timeout value can adversely affect the performance of the DHCP server.

Examples

The following example shows how to use the dhcpd ping_timeout command to change the ping timeout value for the DHCP server:


ciscoasa(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
ciscoasa(config)# dhcpd dns 198.162.1.2 198.162.1.3
ciscoasa(config)# dhcpd wins 198.162.1.4
ciscoasa(config)# dhcpd lease 3000
ciscoasa(config)# dhcpd ping_timeout 1000
ciscoasa(config)# dhcpd domain example.com
ciscoasa(config)# dhcpd enable inside

dhcpd reserve-address

To reserve a DHCP address for an interface, use the dhcpd reserve-address command in global configuration mode. To remove an existing DHCP address reservation, use the no form of this command.

dhcpd reserve-address ip_address mac_address if_name

no dhcpd reserve_address ip_address mac_address if_name

Syntax Description

ip_address

The IP address from the address pool assigned to the DHCP client, based on the client’s MAC address.

mac_address

The client MAC address.

if_name

The interface on which you want to reserve an IP address.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.13(1)

This command was added.

Usage Guidelines

The reserved address must come from the configured address pool, and the address pool must be on the same subnet as the ASA interface. In transparent mode, specify a bridge group member interface. In routed mode, specify a routed interface or a BVI; do not specify the bridge group member interface.

Examples

The following example shows how to use the dhcpd reserve-address command to assign a specific address from the address pool to client based on the client's MAC address:


ciscoasa(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
ciscoasa(config)# dhcpd enable inside
ciscoasa(config)# dhcpd reserve-address 10.0.1.109 030c.f142.4cde inside

dhcpd update dns

To enable a DHCP server to perform DDNS updates, use the dhcpd update dns command in global configuration mode. To disable DDNS by a DHCP server, use the no form of this command.

dhcpd update dns [ both ] [ override ] [ interface srv_ifc_name ]

no dhcpd update dns [ both ] [ override ] [ interface srv_ifc_name ]

Syntax Description

both

Specifies that the DHCP server updates both A and PTR DNS RRs.

interface

Specifies the ASA interface to which the DDNS updates apply.

override

Specifies that the DHCP server overrides DHCP client requests.

srv_ifc_name

Specifies an interface to apply this option to.

Command Default

By default, the DHCP server performs PTR RR updates only.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

Usage Guidelines

DDNS updates the name-to-address and address-to-name mapping maintained by DNS. Updates are performed in conjunction with a DHCP server. The dhcpd update dns command enables updates by the server.

Name and address mapping is contained in two types of RRs:

  • The A resource record contains domain name-to IP-address mapping.

  • The PTR resource record contains IP address- to-domain name mapping.

DDNS updates can be used to maintain consistent information between the A and PTR RR types.

Using the dhcpd update dns command, the DHCP server can be configured to perform both A and PRT RR updates or PTR RR updates only. It can also be configured to override update requests from the DHCP client.

Examples

The following example configures the DDNS server to perform both A and PTR updates and override requests from the DHCP client:


ciscoasa(config)# dhcpd update dns both override

dhcpd wins

To define the WINS server IP addresses for DHCP clients, use the dhcpd wins command in global configuration mode. To remove the WINS server IP addresses from the configuration, use the no form of this command.

dhcpd wins server1 [ server2 ] [ interface if_name ]

no dhcpd wins [ server1 [ server2 ] ] [ interface if_name ]

Syntax Description

interface if_name

Specifies the interface to which values entered to the server apply. If no interface is specified, values are applied to all servers.

server1

Specifies the IP address of the primary Microsoft NetBIOS name server (WINS server).

server2

(Optional) Specifies the IP address of the alternate Microsoft NetBIOS name server (WINS server).

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The dhcpd wins command lets you specify the addresses of the WINS servers for the DHCP client. The no dhcpd wins command removes the WINS server IP addresses from the configuration.

Examples

The following example shows how to specify WINS server information that is sent to DHCP clients:


ciscoasa(config)# dhcpd address 10.0.1.101-10.0.1.110 inside
ciscoasa(config)# dhcpd dns 198.162.1.2 198.162.1.3
ciscoasa(config)# dhcpd wins 198.162.1.4
ciscoasa(config)# dhcpd lease 3000
ciscoasa(config)# dhcpd ping_timeout 1000
ciscoasa(config)# dhcpd domain example.com
ciscoasa(config)# dhcpd enable inside

dhcprelay enable

To enable the DHCP relay agent, use the dhcprelay enable command in global configuration mode. To disable the DHCP relay agent, use the no form of this command.

dhcprelay enable interface_name

no dhcprelay enable interface_name

Syntax Description

interface_name

Name of the interface on which the DHCP relay agent accepts client requests.

Command Default

The DHCP relay agent is disabled.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The DHCP relay agent allows DHCP requests to be forwarded from a specified ASA interface to a specified DHCP server.

For the ASA to start the DHCP relay agent with the dhcprelay enable interface_name command, you must have a dhcprelay server command already in the configuration. Otherwise, the ASA displays an error message similar to the following:


DHCPRA: Warning - There are no DHCP servers configured!
No relaying can be done without a server!
Use the 'dhcprelay server <server_ip> <server_interface>' command

You cannot enable DHCP relay under the following conditions:

  • You cannot enable DHCP relay and the DHCP relay server on the same interface.

  • You cannot enable DCHP relay and a DHCP server (dhcpd enable ) on the same interface.

  • The DHCP relay agent cannot be enabled if the DHCP server is also enabled.

  • For multiple context mode, you cannot enable DHCP relay on an interface that is used by more than one context (a shared VLAN).

The no dhcprelay enable interface_name command removes the DHCP relay agent configuration for the interface that is specified by the interface_name argument only.

Examples

The following example shows how to configure the DHCP relay agent for a DHCP server with an IP address of 10.1.1.1 on the outside interface of the ASA, client requests on the inside interface of the ASA, and a timeout value up to 90 seconds:


ciscoasa(config)# dhcprelay server 10.1.1.1 outside
ciscoasa(config)# dhcprelay timeout 90
ciscoasa(config)# dhcprelay enable inside
ciscoasa(config)# show running-config dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay enable inside
dhcprelay timeout 90

The following example shows how to disable the DHCP relay agent:


ciscoasa(config)# no dhcprelay enable inside
ciscoasa(config)# show running-config dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay timeout 90

dhcprelay information trust-all

To configure a specified interface as trusted, use the dhcprelay information trust-all command in global configuration mode.

dhcprelay information trust-all

Syntax Description

This command has no arguments or keywords.

Command Default

No default behaviors or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.1(2)

This command was added.

Usage Guidelines

This command configures a given interface as trusted. To view the interface-specific trusted configuration, use the show running-config dhcprelay interface command in interface configuration mode. To configure a given interface as trusted in interface configuration mode, use the dhcprelay information trusted command. To view a given interface as trusted in global configuration mode, use the show running-config dhcprelay command.

Examples

The following example shows how to configure a specified interface as trusted in global configuration mode:


ciscoasa(config-if)# interface vlan501
ciscoasa(config-if)# nameif inside
ciscoasa(config)# dhcprelay information trust-all
ciscoasa(config)# show running-config dhcprelay
dhcprelay information trust-all

dhcprelay information trusted

To configure a specified interface as trusted, use the dhcprelay information trusted command in interface configuration mode.

dhcprelay information trusted

Syntax Description

This command has no arguments or keywords.

Command Default

No default behaviors or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Interface configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.1(2)

This command was added.

Usage Guidelines

This command configures a given interface as trusted. To view the interface-specific trusted configuration, use the show running-config dhcprelay interface command in interface configuration mode. To configure a given interface as trusted in global configuration mode, use the dhcprelay information trust-all command. To view a given interface as trusted in global configuration mode, use the show running-config dhcprelay command.

Examples

The following example shows how to configure a specified interface as trusted:


ciscoasa(config-if)# interface gigabitEthernet 0/0
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# dhcprelay information trusted
ciscoasa(config)# show running-config dhcprelay
interface gigabitEthernet 0/0
nameif inside
dhcprelay information trusted

dhcprelay server (global)

To specify the DHCP server to which DHCP requests are forwarded, use the dhcpreplay server command in global configuration mode. To remove the DHCP server from the DHCP relay configuration, use the no form of this command.

dhcprelay server [ interface_name ]

no dhcprelay server [ interface_name ]

Syntax Description

interface_name

Specifies the name of the ASA interface on which the DHCP server resides.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The DHCP relay agent allows DHCP requests to be forwarded from a specified ASA interface to a specified DHCP server. You can add up to ten DHCP relay servers per interface. You must add at least one dhcprelay server command to the ASA configuration before you can enter the dhcprelay enable command. You cannot configure a DHCP client on an interface that has a DHCP relay server configured.

The dhcprelay server command opens UDP port 67 on the specified interface and starts the DHCP relay task as soon as the dhcprelay enable command is added to the configuration.

Examples

The following example shows how to configure the DHCP relay agent for a DHCP server with an IP address of 10.1.1.1 on the outside interface of the ASA, client requests on the inside interface of the ASA, and a timeout value of up to 90 seconds:


ciscoasa(config)# dhcprelay server 10.1.1.1 outside
ciscoasa(config)# dhcprelay timeout 90
ciscoasa(config)# dhcprelay enable inside
ciscoasa(config)# show running-config dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay enable inside
dhcprelay timeout 90

dhcprelay server (interface)

To specify the DHCP relay interface server to which DHCP requests are forwarded, use the dhcpreplay server command in interface configuration mode. To remove the DHCP relay interface server from the DHCP relay configuration, use the no form of this command.

dhcprelay server ip_address

no dhcprelay server ip_address

Syntax Description

ip_address

Specifies the IP address of the DHCP relay interface server to which the DHCP relay agent forwards client DHCP requests.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Interface Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.1(2)

This command was added.

Usage Guidelines

The DHCP relay agent allows DHCP requests to be forwarded from a specified ASA interface to a specified DHCP server. You can add up to four DHCP relay servers per interface. You must add at least one dhcprelay server command to the ASA configuration before you can enter the dhcprelay enable command. You cannot configure a DHCP client on an interface that has a DHCP relay server configured.

The dhcprelay server command opens UDP port 67 on the specified interface and starts the DHCP relay task as soon as the dhcprelay enable command is added to the configuration.

In the interface configuration mode, you can use the dhcprelay server ip_address command to configure a DHCP relay server (called a helper) address on a per-interface basis. This means that when a DHCP request is received on an interface and it has helper addresses configured, then the request is forwarded to only those servers.

When you use the no dhcprelay server ip_address command, the interface stops forwarding DHCP packets to that server and removes the DHCP relay agent configuration for the DHCP server that is specified by the ip_address argument only.

This command takes precedence over a DHCP relay server that has been configured in global configuration mode. This means that the DHCP relay agent forwards the client discovery message first to the DHCP relay interface server, then to the DHCP global relay server.

Examples

The following example shows how to configure the DHCP relay agent for a DHCP relay interface server with an IP address of 10.1.1.1 on the outside interface of the ASA, client requests on the inside interface of the ASA, and a timeout value of up to 90 seconds:


ciscoasa(config)# interface vlan 10
ciscoasa(config-if)# nameif inside
ciscoasa(config-if)# dhcprelay server 10.1.1.1
ciscoasa(config-if)# exit
ciscoasa(config)# dhcprelay timeout 90
ciscoasa(config)# dhcprelay enable inside
ciscoasa(config)# show running-config dhcprelay
dhcprelay enable inside
dhcprelay timeout 90
interface vlan 10
nameif inside
dhcprelay server 10.1.1.1

dhcprelay server (vti tunnel)

To reach a dhcp relay server through a VTI tunnel interface, use the dhcpreplay server command in global configuration mode.

dhcprelay server ip_address vti-ifc-name

Syntax Description

ip_address

Specifies the IP address of the DHCP relay server that forwards client DHCP requests.

vti-ifc-name

Specify the name of the VTI interface that you want the DHCP relay agent forward the DHCP packets to the DHCP server.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.14(1)

This command was added.

Usage Guidelines

The DHCP relay agent allows DHCP requests to be forwarded from a specified ASA interface to a specified DHCP server. However, the relay agent could be configured only on physical interfaces. As VTI interface was a logical interface, the DHCP relay requests could not be forwarded through it.

From ASA 9.14(1), using this command, the DHCP relay server can forward the packets through a VTI tunnel interface.

Examples

The following example shows how to configure the DHCP relay agent on a VTI tunnel. First, create a VTI tunnel:


ciscoasa(config)# interface Tunnel100
ciscoasa(config-if)# nameif vti
ciscoasa(config-if)# ip address 10.1.1.10 255.255.255.0
ciscoasa(config-if)# tunnel source interface outside
ciscoasa(config-if)# tunnel destination 192.168.2.111
ciscoasa(config-if)# tunnel mode ipsec ipv4
ciscoasa(config-if)# tunnel protection ipsec profile PROFILE1

Now, configure the DHCP relay server with the tunnel name:


ciscoasa(config)# dhcprelay server 192.168.3.112 vti

dhcprelay setroute

To set the default gateway address in the DHCP reply, use the dhcprelay setroute command in global configuration mode. To remove the default router, use the no form of this command.

dhcprelay setroute interface

no dhcprelay setroute interface

Syntax Description

interface

Configures the DHCP relay agent to change the first default IP address (in the packet sent from the DHCP server) to the address of interface .

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

This command causes the default IP address of the DHCP reply to be substituted with the address of the specified ASA interface. The dhcprelay setroute interface command lets you enable the DHCP relay agent to change the first default router address (in the packet sent from the DHCP server) to the address of interface .

If there is no default router option in the packet, the ASA adds one containing the address of interface . This action allows the client to set its default route to point to the ASA.

When you do not configure the dhcprelay setroute interface command (and there is a default router option in the packet), it passes through the ASA with the router address unaltered.

Examples

The following example shows how to set the default gateway in the DHCP reply from the external DHCP server to the inside interface of the ASA:


ciscoasa(config)# dhcprelay server 10.1.1.1 outside
ciscoasa(config)# dhcprelay timeout 90
ciscoasa(config)# dhcprelay setroute inside
ciscoasa(config)# dhcprelay enable inside

dhcprelay timeout

To set the DHCP relay agent timeout value, use the dhcprelay timeout command in global configuration mode. To restore the timeout value to its default value, use the no form of this command.

dhcprelay timeout seconds

no dhcprelay timeout

Syntax Description

seconds

Specifies the number of seconds that are allowed for DHCP relay address negotiation.

Command Default

The default value for the DHCP relay timeout is 60 seconds.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The dhcprelay timeout command lets you set the amount of time, in seconds, allowed for responses from the DHCP server to pass to the DHCP client through the relay binding structure.

Examples

The following example shows how to configure the DHCP relay agent for a DHCP server with an IP address of 10.1.1.1 on the outside interface of the ASA, client requests on the inside interface of the ASA, and a timeout value up to 90 seconds:


ciscoasa(config)# dhcprelay server 10.1.1.1 outside
ciscoasa(config)# dhcprelay timeout 90
ciscoasa(config)# dhcprelay enable inside
ciscoasa(config)# show running-config dhcprelay
dhcprelay server 10.1.1.1 outside
dhcprelay enable inside
dhcprelay timeout 90

dialog

To customize dialog box messages displayed to WebVPN users, use the dialog command in webvpn customization configuration mode. To remove the command from the configuration and cause the value to be inherited, use the no form of this command.

dialog { title | message | border } style value

no dialog { title | message | border } style value

Syntax Description

border

Specifies a change to the border.

message

Specifies a change to the message.

style

Specifies a change to the style.

title

Specifies a change to the title.

value

The actual text or or CSS parameters to display (the maximum is 256 characters).

Command Default

The default title style is background-color:#669999;color:white.

The default message style is background-color:#99CCCC;color:black.

The default border style is border:1px solid black;border-collapse:collapse.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Webvpn customization configuration

  • Yes

  • Yes

Command History

Release

Modification

7.1(1)

This command was added.

Usage Guidelines

The style option is expressed as any valid CSS parameters. Describing these parameters is beyond the scope of this document. For more information about CSS parameters, consult CSS specifications at the World Wide Web Consortium website at www.w3.org. Appendix F of the CSS 2.1 Specification contains a convenient list of CSS parameters, and is available at www.w3.org/TR/CSS21/propidx.html.

Here are some tips for making the most common changes to the WebVPN pages—the page colors:

  • You can use a comma-separated RGB value, an HTML color value, or the name of the color if recognized in HTML.

  • The RGB format is 0,0,0, a range of decimal numbers from 0 to 255 for each color (red, green, blue); the comma-separated entry indicates the level of intensity of each color to combine with the others.

  • The HTML format is #000000, six digits in hexadecimal format; the first and second represent red, the third and fourth green, and the fifth and sixth represent blue.


Note


To easily customize the WebVPN pages, we recommend that you use ASDM, which has convenient features for configuring style elements, including color swatches and preview capabilities.

Examples

The following example customizes the dialog box message, changing the foreground color to blue:


ciscoasa(config)# webvpn
ciscoasa(config-webvpn)# customization cisco
ciscoasa(config-webvpn-custom)# dialog message style color:blue

diameter

To create a custom Diameter attribute-value pair (AVP) for use in a Diameter inspection class or policy map, use the diameter command in global configuration mode. To remove an existing custom AVP, use the no form of this command.

diameter avp name code value data-type type [ vendor-id id_number ] [ description text ]

no diameter avp name code value data-type type [ vendor-id id_number ] [ description text ]

Syntax Description

name

The name of the custom AVP you are creating, up to 32 characters. You would refer to this name on the match avp command in a Diameter inspection policy map or class map.

code value

The custom AVP code value, from 256-4294967295. You cannot enter a code and vendor-id combination that is already defined in the system.

data-type type

The data type of the AVP. You can define AVP of the following types. If the new AVP is of a different type, you cannot create a custom AVP for it.

  • address —For IP addresses.

  • diameter-identity —Diameter identity data.

  • diameter-uri —Diameter uniform resource identifier (URI).

  • float32 —32-bit floating point number.

  • float64 —64-bit floating point number.

  • int32 —32-bit integer.

  • int64 —64-bit integer.

  • octetstring —Octet string.

  • time —Time value.

  • uint32 —32-bit unsigned integer.

  • uint64 —64-bit unsigned integer.

vendor-id id_number

(Optional.) The ID number of the vendor who defined the AVP, from 0-4294967295. For example, the 3GPP vendor ID is 10415, the IETF is 0.

description text

(Optional.) A description of the AVP, up to 80 characters. Enclose the description in quotation marks if you include spaces.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Global Configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.5(2)

This command was added.

Usage Guidelines

As new attribute-value pairs (AVP) are defined and registered, you can create custom Diameter AVP to define them and use them in your Diameter inspection policy map. You would get the information you need to create the AVP from the RFC or other source that defines the AVP.

Create custom AVP only if you want to use them in a Diameter inspection policy map or class map for AVP matching.

Examples

The following example shows how to create a custom AVP and then use it in a Diameter inspection policy map.


ciscoasa(config)# diameter avp eg_custom_avp code 9999 data-type int32
 
ciscoasa(config)# policy-map type inspect diameter avp-filter-pmap
 
asa3(config-pmap)# match avp eg_custom_avp

dir

To display the directory contents, use the dir command in privileged EXEC mode.

dir [ /all ] [ all-filesystems ] [ /recursive ] [ disk0: | flash: | system: ] [ path ]

Syntax Description

/all

(Optional) Displays all files.

/recursive

(Optional) Displays the directory contents recursively.

all-filesystems

(Optional) Displays the files of all filesystems.

disk0:

(Optional) Specifies the internal Flash memory, followed by a colon.

disk1:

(Optional) Specifies the external Flash memory card, followed by a colon.

flash:

(Optional) Displays the directory contents of the default flash partition.

path

(Optional) Specifies a specific path.

system:

(Optional) Displays the directory contents of the file system.

Command Default

If you do not specify a directory, the directory is the current working directory by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

The dir command without keywords or arguments displays the directory contents of the current directory.

Examples

The following example shows how to display the directory contents:


ciscoasa# dir
Directory of disk0:/
1      -rw-  1519        10:03:50 Jul 14 2003    my_context.cfg
2      -rw-  1516        10:04:02 Jul 14 2003    my_context.cfg
3      -rw-  1516        10:01:34 Jul 14 2003    admin.cfg
60985344 bytes total (60973056 bytes free)

The following example shows how to display recursively the contents of the entire file system:


ciscoasa# dir /recursive disk0:
Directory of disk0:/*
1      -rw-  1519        10:03:50 Jul 14 2003    my_context.cfg
2      -rw-  1516        10:04:02 Jul 14 2003    my_context.cfg
3      -rw-  1516        10:01:34 Jul 14 2003    admin.cfg
60985344 bytes total (60973056 bytes free)

The following example shows how to display the contents of the flash partition:


ciscoasa# dir flash:
Directory of disk0:/*
1      -rw-  1519        10:03:50 Jul 14 2003    my_context.cfg
2      -rw-  1516        10:04:02 Jul 14 2003    my_context.cfg
3      -rw-  1516        10:01:34 Jul 14 2003    admin.cfg
60985344 bytes total (60973056 bytes free)

director-localization

To enable director localization to improve performance and reduce round-trip time latency for inter-site clustering for data centers, use the director-localization command in cluster group configuration mode. To disable director localization, use the no form of this command.

director-localization

no director-localization

Syntax Description

This command has no arguments or keywords.

Command Default

This command is disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Cluster group configuration

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.7(1)

We introduced this command.

Usage Guidelines

New connections are typically load-balanced and owned by cluster members within a given site. However, the ASA assigns the director role to a member at any site. Director localization enables additional director roles: a local director at the same site as the owner, and a global director that can be at any site. Keeping the owner and director at the same site improves performance. Also, if the original owner fails, the local director chooses a new connection owner at the same site. The global director is used if a cluster member receives packets for a connection that is owned on a different site.

Set the site ID for the cluster member in the bootstrap configuration.

The following traffic types do not support localization: NAT or PAT traffic; SCTP-inspected traffic; Fragmentation owner query.

Examples

The following example enables director localization for cluster1:


ciscoasa(config)# cluster group cluster1
ciscoasa(cfg-cluster)# local-unit unit1
ciscoasa(cfg-cluster)# site-id 1
ciscoasa(cfg-cluster)# cluster-interface port-channel1 ip 192.168.1.1 255.255.255.0
ciscoasa(cfg-cluster)# priority 1
ciscoasa(cfg-cluster)# key chuntheunavoidable
ciscoasa(cfg-cluster)# director-localization
ciscoasa(cfg-cluster)# enable noconfirm

disable (cache)

To disable caching for WebVPN, use the disable command in cache configuration mode. To reenable caching, use the no version of this command.

disable

no disable

Command Default

Caching is enabled with default settings for each cache attribute.

Command Modes


The following table shows the modes in which you enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Cache Configuration

  • Yes

  • Yes

Command History

Release

Modification

7.1(1)

This command was added.

Usage Guidelines

Caching stores frequently reused objects in the system cache, which reduces the need to perform repeated rewriting and compressing of content. It reduces traffic between WebVPN and both the remote servers and end-user browsers, with the result that many applications run much more efficiently.

Examples

The following example shows how to disable caching, and then how to reenable it.


ciscoasa
(config)#
 webvpn
ciscoasa
(config-webvpn)#
 cache
ciscoasa(config-webvpn-cache)# disable
ciscoasa(config-webvpn-cache)# no disable
ciscoasa(config-webvpn-cache)#

disable (privileged EXEC)

To exit privileged EXEC mode and return to unprivileged EXEC mode, use the disable command in privileged EXEC mode.

disable

Syntax Description

This command has no arguments or keywords.

Command Default

No default behaviors or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Privileged EXEC

  • Yes

  • Yes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

Use the enable command to enter privileged mode. The disable command allows you to exit privileged mode and returns you to an unprivileged mode.


Note


If you are logged into the ASA with a username, then entering disable will change your user identity to the default enable_1 username.

Examples

The following example shows how to enter privileged mode:


ciscoasa
> 
enable
ciscoasa#

The following example shows how to exit privileged mode:


ciscoasa#
 
disable
ciscoasa
>

disable service-settings (Deprecated)

To disable the service settings on IP phones when using the Phone Proxy feature, use the disable service-settings command in phone-proxy configuration mode. To preserve the settings on the IP phones, use the no form of this command.

disable service-settings

no disable service-settings

Syntax Description

There are no arguments or keywords for this command.

Command Default

The service settings are disabled by default.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Phone-proxy configuration

  • Yes

  • Yes

Command History

Release

Modification

8.0(4)

This command was added.

9.4(1)

This command was deprecated along with all phone-proxy mode commands.

Usage Guidelines

By default, the following settings are disabled on the IP phones:

  • PC Port

  • Gratuitous ARP

  • Voice VLAN access

  • Web Access

  • Span to PC Port

To preserve the settings configured on the CUCM for each IP phone configured, configure the no disable service-settings command.

Examples

The following example shows how to preserve the settings of the IP phones that use the Phone Proxy feature on the ASA:


ciscoasa
(config-phone-proxy)# no disable service-settings

display

To display attribute value pairs that the ASA writes to the DAP attribute database, enter the display command in dap test attributes mode.

display

Command Default

No default value or behaviors.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Dap test attributes

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

Usage Guidelines

Normally the ASA retrieves user authorization attributes from the AAA server and retrieves endpoint attributes from Cisco Secure Desktop, Host Scan, CNA or NAC. For the test command, you specify the user authorization and endpoint attributes in this attributes mode. The ASA writes them to an attribute database that the DAP subsystem references when evaluating the AAA selection attributes and endpoint select attributes for a DAP record. The display command lets you display these attributes to the console.

distance

To define the administrative distance assigned to routes discovered by the IS-IS protocol, use the distance command in router isis configuration mode. To remove the distance command from the configuration file and restore the system to its default condition in which the software removes a distance definition, use the no form of this command.

distanceweightip

no distance weight ip

Syntax Description

weight

The administrative distance to be assigned to IS-IS routes. The range is 1 to 255.

ip

The distance applied for IP-derived routes.

Command Default

The default is 115.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Router Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.6(1)

This command was added.

Usage Guidelines

An administrative distance is a number from 1 to 255. In general, the higher the value, the lower the trust rating. An administrative distance of 255 means that the routing information source cannot be trusted at all and should be ignored. Weight values are subjective; no quantitative method exists for choosing weight values.

Use the distance command to configure the administrative distances applied to IS-IS routes when they are inserted into the Routing Information Base (RIB), and influence the likelihood of these routes being preferred over routes to the same destination addresses discovered by other protocols.

Examples

In the following example, a distance of 20 is assigned to all ISIS routes:


ciscoasa(config)# 
router isis 
ciscoasa(config-router)#
distance 20 ip

distance bgp

To configure the administrative distance for BGP routes, use the distance bgp command in address family configuration mode. To return the administrative distance to the default value, use the no form of this command.

distancebgpexternal-distanceinternal-distancelocal-distance

no distance bgp

Syntax Description

external-distance

Administrative distance for external BGP routes. Routes are external when learned from an external autonomous system. The range of values for this argument are from 1 to 255.

internal-distance

Administrative distance for internal BGP routes. Routes are internal when learned from peer in the local autonomous system. The range of values for this argument are from 1 to 255.

local-distance

Administrative distance for local BGP routes. Local routes are those networks listed with a network router configuration command, often as back doors, for the router or for the networks that is being redistributed from another process. The range of values for this argument are from 1 to 255.

Command Default

The following values are used if this command is not configured or if the no form is entered:

external-distance: 20 internal-distance: 200 local-distance: 200


Note


Routes with a distance of 255 are not installed in the routing table.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Address-family configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.2(1)

This command was added.

Usage Guidelines

The distance bgp command is used to configure a rating of the trustworthiness of a routing information source, such as an individual router or a group of routers. Numerically, an administrative distance is a positive integer from 1 to 255.

In general, the higher the value, the lower the trust rating. An administrative distance of 255 means the routing information source cannot be trusted at all and should be ignored. Use this command if another protocol is known to be able to provide a better route to a node than was actually learned via external BGP (eBGP), or if some internal routes should be preferred by BGP.


Caution


Changing the administrative distance of internal BGP routes is considered dangerous and is not recommended. Improper configuration can introduce routing table inconsistencies and break routing.


The distance bgp command replaces the distance mbgp command.

Examples

In the following example, the external distance is set to 10, the internal distance is set to 50, and the local distance is set to 100:


ciscoasa(config)# router bgp 50000 
ciscoasa(config-router)# address family ipv4 
ciscoasa(config-router-af)# network 10.108.0.0 
ciscoasa(config-router-af)# neighbor 192.168.6.6 remote-as 123 
ciscoasa(config-router-af)# neighbor 172.16.1.1 remote-as 47 
ciscoasa(config-router-af)# distance bgp 10 50 100 
ciscoasa(config-router-af)# end 

distance eigrp

To configure the administrative distances of internal and external EIGRP routes, use the distance eigrp command in router configuration mode. To restore the default values, use the no form of this command.

distanceeigrpinternal-distanceexternal-distance

no distance eigrp

Syntax Description

external-distance

Administrative distance for EIGRP external routes. External routes are those for which the best path is learned from a neighbor external to the autonomous system. Valid values are from 1 to 255.

internal-distance

Administrative distance for EIGRP internal routes. Internal routes are those that are learned from another entity within the same autonomous system. Valid values are from 1 to 255.

Command Default

The default values are as follows:

  • external-distance is 170

  • internal-distance is 90

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Router Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

8.0(2)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

Because every routing protocol has metrics based on algorithms that are different from the other routing protocols, it is not always possible to determine the “best path” for two routes to the same destination that were generated by different routing protocols. Administrative distance is a route parameter that the ASA uses to select the best path when there are two or more different routes to the same destination from two different routing protocols.

If you have more than one routing protocol running on the ASA, you can use the distance eigrp command to adjust the default administrative distances of routes discovered by the EIGRP routing protocol in relation to the other routing protocols. <xref> lists the default administrative distances for the routing protocols supported by the ASA.

Table 1. Default Administrative Distances

Route Source

Default Administrative Distance

Connected interface

0

Static route

1

EIGRP summary route

5

Internal EIGRP

90

OSPF

110

RIP

120

EIGRP external route

170

Unknown

255

The no form of the command does not take any keywords or arguments. Using the no form of the command restores the default administrative distance for both internal and external EIGRP routes.

Examples

The following example uses the distance eigrp command to set the administrative distance of all EIGRP internal routes to 80 and all EIGRP external routes to 115. Setting the EIGRP external route administrative distance to 115 would give routes discovered by EIGRP to a specific destination preference over the same routes discovered by RIP but not by OSPF.


ciscoasa(config)# router eigrp 100 
ciscoasa(config-router)# network 192.168.7.0
ciscoasa(config-router)# network 172.16.0.0
 
ciscoasa(config-router)# distance eigrp 90 115

distance ospf (ipv6 router ospf)

To define OSPFv3 route administrative distances based on route type, use the distance command in ipv6 router ospf configuration mode. To restore the default values, use the no form of this command.

distance [ ospf { external | intra-area / inter-area } ] distance

no distance [ ospf { external | intra-area / inter-area } ] distance

Syntax Description

distance

Specifies the administrative distance. Valid values range from 10 to 254.

external

(Optional) Specifies external type 5 and type 7 routes for OSPFv3 routes.

inter-area

(Optional) Specifies the inter-area routes for OSPFv3 routes.

intra-area

(Optional) Specifies the intra-area routes for OSPFv3 routes.

ospf

(Optional) Specifies the administrative distance for OSPFv3 routes.

Command Default

No default behavior or values.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Ipv6 router ospf configuration

  • Yes

  • Yes

Command History

Release

Modification

9.0(1)

This command was added.

Usage Guidelines

Use this command to set the administrative distance for OSPFv3 routes.

Examples

The following example sets the administrative distance for external type 5 and type 7 routes for OSPFv3 to 200:


ciscoasa(config-if)# ipv6 router ospf 1
ciscoasa(config-router)# distance ospf external 200

distance ospf (router ospf)

To define OSPFv2 route administrative distances based on route type, use the distance ospf command in router ospf configuration mode. To restore the default values, use the no form of this command.

distance ospf [ intra-area d1 ] [ inter-area d2 ] [ external d3 ]

no distance ospf

Syntax Description

d1 , d2 , and d3

Specifies the distance for each route type. Valid values range from 1 to 255.

external

(Optional) Sets the distance for routes from other routing domains that are learned by redistribution.

inter-area

(Optional) Sets the distance for all routes from one area to another area.

intra-area

(Optional) Sets the distance for all routes within an area.

Command Default

The default values for d1 , d2 , and d3 are 110.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Router ospf configuratio

  • Yes

  • Yes

Command History

Release

Modification

7.0(1)

This command was added.

Usage Guidelines

You must specify at least one keyword and argument. You can enter the commands for each type of administrative distance separately, however they appear as a single command in the configuration. If you reenter an administrative distance, the administrative distance for only that route type changes; the administrative distances for any other route types remain unaffected.

The no form of the command does not take any keywords or arguments. Using the no form of the command restores the default administrative distance for all of the route types. If you want to restore the default administrative distance for a single route type when you have multiple route types configured, you can do one of the following:

  • Manually set that route type to the default value.

  • Use the no form of the command to remove the entire configuration and then reenter the configurations for the route types that you want to keep.

Examples

The following example sets the administrative distance of external routes to 150:


ciscoasa(config-router)# distance ospf external 105 
ciscoasa(config-router)#

The following example shows how entering separate commands for each route type appears as a single command in the router configuration:


ciscoasa(config-rtr)# distance ospf intra-area 105 inter-area 105
ciscoasa(config-rtr)# distance ospf intra-area 105
ciscoasa(config-rtr)# distance ospf external 105
ciscoasa(config-rtr)# exit
ciscoasa(config)# show running-config router ospf 1
!
router ospf 1
 distance ospf intra-area 105 inter-area 105 external 105
!
ciscoasa(config)#

The following example shows how to set each administrative distance to 105, and then change only the external administrative distance to 150. The show running-config router ospf command shows how only the external route type value changed, while the other route types retained the value previously set.


ciscoasa(config-rtr)# distance ospf external 105 intra-area 105 inter-area 105
ciscoasa(config-rtr)# distance ospf external 150
ciscoasa(config-rtr)# exit
ciscoasa(config)# show running-config router ospf 1
!
router ospf 1
 distance ospf intra-area 105 inter-area 105 external 150
!
ciscoasa(config)#

distribute-list

To filter networks received or transmitted in Open Shortest Path First (OSPF) updates, use the distribute-list command in the router ospf configuration mode. To change or cancel the filter, use the no form of this command.

distribute-list access-list name [ in | out ] [ interface if_name ]

no distribute-list access-list name [ in | out ]

Syntax Description

access-list name

Standard IP access list name. The list defines which networks are to be received and which are to be suppressed in routing updates.

in

Applies the access list or route-policy to incoming routing updates.

out

Applies the access list or route-policy to outgoing routing updates.The out keyword is available only in router configuration mode.

interface if_name

(Optional) The interface on which to apply the routing updates. Specifying an interface causes the access list to be applied only to routing updates received on that interface.

Command Default

Networks are not filtered.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Router ospf Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.2(1)

This command was added.

Usage Guidelines

If no interface is specified, the access list will be applied to all incoming updates.

Examples

The following example filters OSPF routing updates received on the outside interface. It accepts routes in the 10.0.0.0 network and discards all others.


ciscoasa(config)# access-list ospf_filter permit 10.0.0.0 255.0.0.0
ciscoasa(config)# access-list ospf_filter deny any
ciscoasa(config)# router ospf 1
ciscoasa(config-router)# network 10.0.0.0
ciscoasa(config-router)# distribute-list ospf_filter in interface outside

distribute-list in (address-family)

To filter routes or networks received in incoming Border Gateway Protocol (BGP) updates; use the distribute-list in command in address-family configuration mode. You can access the address-family configuration mode by first entering the router bgp command. To delete the distribute list and remove it from the running configuration file, use the no form of this command.

distribute-list { acl-name | prefix list-name } in

no distribute-list { acl-name | prefix list-name } in

Syntax Description

acl-name

Standard IP access list name. The access list defines which networks are to be received and which are to be suppressed in routing updates.

prefix list-name

Name of a prefix list. The prefix list defines which networks are to be received and which are to be suppressed in routing updates, based upon matching prefixes.

Command Default

If this command is configured without a predefined access list or prefix list, the distribute list will default to permitting all traffic.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Address-family configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.2(1)

This command was added.

Usage Guidelines

The distribute-list in command is used to filter incoming BGP updates. An access list or prefix list must be defined prior to configuration of this command. Standard and expanded access lists are supported. IP prefix lists are used to filter based on the bit length of the prefix. An entire network, subnet, supernet, or single host route can be specified. Prefix list and access list configuration is mutually exclusive when configuring a distribute list. The session must be reset with the clear bgp command before the distribute list will take effect.

Examples

In the following example, a prefix list and distribute list are defined to configure the BGP routing process to accept traffic from only network 10.1.1.0/24, network 192.168.1.0, and network 10.108.0.0. An inbound route refresh is initiated to activate the distribute-list.


ciscoasa(config)# ip prefix-list RED permit 10.1.1.0/24
ciscoasa(config)# ip prefix-1ist RED permit 10.108.0.0/16 
ciscoasa(config)# ip prefix-list RED permit 192.168.1.0/24 
ciscoasa(config)# router bgp 50000 
ciscoasa(config-router)# address-family ipv4 
ciscoasa(config-router-af)# network 10.108.0.0
ciscoasa(config-router-af)# distribute-list prefix RED in 
ciscoasa(config-router-af)# exit 
ciscoasa(config-router)# exit
ciscoasa# clear bgp in 

In the following example, an access list and distribute list are defined to configure the BGP routing process to accept traffic from only network 192.168.1.0 and network 10.108.0.0. An inbound route refresh is initiated to activate the distribute-list.


ciscoasa(config)# access-list distribute-list-acl permit 192.168.1.0 255.255.255.0
 
ciscoasa(config)# access-list distribute-list-acl permit 10.108.0.0 255.255.0.0
 
ciscoasa(config)# router bgp 50000 
ciscoasa(config-router)# address-family ipv4 
ciscoasa(config-router-af)# network 10.108.0.0
ciscoasa(config-router-af)# distribute-list distribute-list-acl in 
ciscoasa(config-router-af)# exit 
ciscoasa(config-router)# exit
ciscoasa# clear bgp in 

distribute-list in (router)

To filter incoming routing updates, use the distribute-list in command in router configuration mode. To remove the filtering, use the no form of this command.

distribute-list acl in [ interface if_name ]

no distribute-list acl in [ interface if_name ]

Syntax Description

acl

Name of a standard access list.

interface if_name

(Optional) The interface on which to apply the incoming routing updates. Specifying an interface causes the access list to be applied only to routing updates received on that interface.

Command Default

Networks are not filtered in incoming updates.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Router configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

9.0(1)

Support for multiple context mode was added.

Usage Guidelines

If no interface is specified, the access list will be applied to all incoming updates.

Examples

The following example filters RIP routing updates received on the outside interface. It accepts routes in the 10.0.0.0 network and discards all others.


ciscoasa(config)# access-list ripfilter permit 10.0.0.0 255.0.0.0 
ciscoasa(config)# access-list ripfilter deny any
ciscoasa(config)# router rip
ciscoasa(config-router)# network 10.0.0.0
ciscoasa(config-router)# distribute-list ripfilter in interface outside

The following example filters EIGRP routing updates received on the outside interface. It accepts routes in the 10.0.0.0 network and discards all others.


ciscoasa(config)# access-list eigrp_filter permit 10.0.0.0 255.0.0.0 
ciscoasa(config)# access-list eigrp_filter deny any
ciscoasa(config)# router eigrp 100
ciscoasa(config-router)# network 10.0.0.0
ciscoasa(config-router)# distribute-list eigrp_filter in interface outside

distribute-list out (address-family)

To suppress networks from being advertised in outbound Border Gateway Protocol (BGP) updates, use the distribute-list out command in address-family configuration mode. You can access the address-family configuration mode by first entering the router bgp command. To delete the distribute list and remove it from the running configuration file, use the no form of this command.

distribute-list { acl-name | prefix list-name } out [ protocol process-number | connected | static ]

no distribute-list { acl-name | prefix list-name } out [ protocol process-number | connected | static ]

Syntax Description

acl-name

Standard IP access list name. The access list defines which networks are to be received and which are to be suppressed in routing updates.

prefix list-name

Name of a prefix list. The prefix list defines which networks are to be received and which are to be suppressed in routing updates, based upon matching prefixes.

protocol process-number

Specifies the routing protocol to apply the distribution list. BGP, EIGRP, OSPF, and RIP are supported. The process number is entered for all routing protocols, except RIP. The process number is a value from 1 to 65.

connected

Specifies peers and networks learned through connected routes.

static

Specifies peers and networks learned through static routes.

Command Default

If this command is configured without a predefined access list or prefix list, the distribute list will default to permitting all traffic.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Address-family Configuration

  • Yes

  • Yes

  • Yes

Command History

Release

Modification

9.2(1)

This command was added.

Usage Guidelines

The distribute-list out command is used to filter outbound BGP updates. An access list or prefix list must be defined prior to configuration of this command. Only standard access lists are supported.

IP prefix lists are used to filter based on the bit length of the prefix. An entire network, subnet, supernet, or single host route can be specified. Prefix list and access list configuration is mutually exclusive when configuring a distribute list. The session must be reset with the clear bgp command before the distribute list will take effect.

Entering a protocol and/or process-number arguments causes the distribute list to be applied to only routes derived from the specified routing process. Addresses not specified in the distribute-list command will not be advertised in outgoing routing updates after a distribute list is configured.

To suppress networks or routes from being received in inbound updates, use the distribute-list in command.

Examples

In the following example, a prefix list and distribute list are defined to configure the BGP routing process to advertise only network 192.168.0.0. An outbound route refresh is initiated to activate the distribute-list.


ciscoasa(config)# ip prefix-list BLUE permit 192.168.0.0/16 
ciscoasa(config)# router bgp 50000 
ciscoasa(config-router)# address-family ipv4 
ciscoasa(config-router-af)# distribute-list prefix BLUE out 
ciscoasa(config-router-af)# exit
ciscoasa(config-router)# exit 
ciscoasa# clear bgp out 

In the following example, an access list and a distribute list are defined to configure the BGP routing process to advertise only network 192.168.0.0. An outbound route refresh is initiated to activate the distribute-list.


ciscoasa(config)# access-list distribute-list-acl permit 192.168.0.0 255.255.0.0 
ciscoasa(config)# access-list distribute-list-acl deny 0.0.0.0 0.0.0.0 
ciscoasa(config)# router bgp 50000 
ciscoasa(config-router)# address-family ipv4 
ciscoasa(config-router-af)# distribute-list distribute-list-acl out 
ciscoasa(config-router-af)# exit
ciscoasa(config-router)# exit 
ciscoasa# clear bgp out 

distribute-list out (router)

To filter outgoing routing updates, use the distribute-list out command in router configuration mode. To remove the filtering, use the no form of this command.

distribute-list acl out [ interface if_name ] [ eigrp as_number | rip | ospf pid | static | connected ]

no distribute-list acl out [ interface if_name ] [ eigrp as_number | rip | ospf pid | static | connected ]

Syntax Description

acl

Name of a standard access list.

connected

(Optional) Filters only connected routes.

eigrp as_number

(Optional) Filters only EIGRP routes from the specified autonomous system number. The as_number argument is the autonomous system number of the EIGRP routing process on the ASA.

interface if_name

(Optional) The interface on which to apply the outgoing routing updates. Specifying an interface causes the access list to be applied only to routing updates received on that interface.

ospf pid

(Optional) Filters only OSPF routes discovered by the specified OSPF process.

rip

(Optional) Filters only RIP routes.

static

(Optional) Filters only static routes.

Command Default

Networks are not filtered in sent updates.

Command Modes


The following table shows the modes in which you can enter the command:

Command Mode

Firewall Mode

Security Context

Routed

Transparent

Single

Multiple

Context

System

Router Configuration

  • Yes

  • Yes

Command History

Release

Modification

7.2(1)

This command was added.

8.0(2)

The eigrp keyword was added.

Usage Guidelines

If no interface is specified, the access list will be applied to all outgoing updates.

Examples

The following example prevents the 10.0.0.0 network from being advertised in RIP updates sent out of any interface:


ciscoasa(config)# access-list ripfilter deny 10.0.0.0 255.0.0.0 
ciscoasa(config)# access-list ripfilter permit any
ciscoasa(config)# router rip
ciscoasa(config-router)# network 10.0.0.0
ciscoasa(config-router)# distribute-list ripfilter out

The following example prevents the EIGRP routing process from advertising the 10.0.0.0 network on the outside interface:


ciscoasa(config)# access-list eigrp_filter deny 10.0.0.0 255.0.0.0 
ciscoasa(config)# access-list eigrp_filter permit any
ciscoasa(config)# router eigrp 100
ciscoasa(config-router)# network 10.0.0.0
ciscoasa(config-router)# distribute-list eigrp_filter out interface outside