Table Of Contents
ip drp authentication key-chain
ip icmp rate-limit unreachable
ip tcp compression-connections
show ip tcp header-compression
IP Services Commands
Use the commands in this chapter to configure various IP services. For configuration information and examples on IP services, refer to the "Configuring IP Services" chapter of the Cisco IOS IP and IP Routing Configuration Guide.
access-class
To restrict incoming and outgoing connections between a particular virtual terminal line (into a Cisco device) and the addresses in an access list, use the access-class line configuration command. To remove access restrictions, use the no form of this command.
access-class access-list-number {in | out}
no access-class access-list-number {in | out}
Syntax Description
Defaults
No access lists are defined.
Command Modes
Line configuration
Command History
Usage Guidelines
Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them.
To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.
Examples
The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:
access-list 12 permit 192.89.55.0 0.0.0.255line 1 5access-class 12 inThe following example defines an access list that denies connections to networks other than network 36.0.0.0 on terminal lines 1 through 5:
access-list 10 permit 36.0.0.0 0.255.255.255line 1 5access-class 10 outRelated Commands
access-list (IP extended)
To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access lists, use the no form of this command.
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
no access-list access-list-number
Internet Control Message Protocol (ICMP)
For ICMP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
Internet Group Management Protocol (IGMP)
For IGMP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
Transmission Control Protocol (TCP)
For TCP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
User Datagram Protocol (UDP)
For UDP, you can also use the following syntax:
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log | log-input] [time-range time-range-name] [fragments]
Syntax Description
access-list-number
Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.
dynamic dynamic-name
(Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.
timeout minutes
(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.
deny
Denies access if the conditions are matched.
permit
Permits access if the conditions are matched.
protocol
Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the keyword ip. Some protocols allow further qualifiers described below.
source
Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
•
Use a 32-bit quantity in four-part, dotted-decimal format.
•
•
source-wildcard
Wildcard bits to be applied to source. Each wildcard bit set to zero indicates that the corresponding bit position in the packet's ip address must exactly match the bit value in the corresponding bit position in the source. Each wildcard bit set to one indicates that both a zero bit and a one bit in the corresponding position of the packet's ip address will be considered a match to this access list entry.
There are three alternative ways to specify the source wildcard:
•
•
•
Wildcard bits set to one do not need to be contiguous in the source-wildcard. For example, a source-wildcard of 0.255.0.64 would be valid.
destination
Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
•
•
•
destination-wildcard
Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
•
•
•
precedence precedence
(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."
tos tos
(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."
icmp-type
(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
log
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.
log-input
(Optional) Includes the input interface and source MAC address or VC in the logging output.
time-range time-range-name
(Optional) Name of the time range that applies to this statement. The name of the time range and its restrictions are specified by the time-range command.
icmp-code
(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message
(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines."
igmp-type
(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."
operator
(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard, it must match the source port.
If the operator is positioned after the destination and destination-wildcard, it must match the destination port.
The range operator requires two port numbers. All other operators require one port number.
port
(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names are listed in the section "Usage Guidelines." TCP port names can only be used when filtering TCP. UDP port names are listed in the section "Usage Guidelines." UDP port names can only be used when filtering UDP.
TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.
established
(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK, FIN, PSH, RST, SYN, or URG control bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
fragments
(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.
Defaults
An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.
Command Modes
Global configuration
Command History
Usage Guidelines
You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Note
The following is a list of precedence names:
•
•
•
•
•
•
•
•
The following is a list of type of service (ToS) names:
•
•
•
•
•
The following is a list of ICMP message type names and ICMP message type and code names:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
The following is a list of IGMP message names:
•
•
•
•
•
The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Access List Processing of Fragments
The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:
Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
Examples
In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The established keyword is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 establishedaccess-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25interface serial 0ip access-group 102 inThe following example also permits Domain Naming System (DNS) packets and ICMP echo and echo reply packets:
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 establishedaccess-list 102 permit tcp any host 128.88.1.2 eq smtpaccess-list 102 permit tcp any any eq domainaccess-list 102 permit udp any any eq domainaccess-list 102 permit icmp any any echoaccess-list 102 permit icmp any any echo-replyThe following examples show how wildcard bits are used to indicate the bits of the prefix or mask that are relevant. They are similar to the bitmasks that are used with normal access lists. Prefix/mask bits corresponding to wildcard bits set to 1 are ignored during comparisons and prefix/mask bits corresponding to wildcard bits set to 0 are used in comparison.
The following example permits 192.108.0.0 255.255.0.0 but denies any more specific routes of 192.108.0.0 (including 192.108.0.0 255.255.255.0):
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0 access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255The following example permits 131.108.0/24 but denies 131.108/16 and all other subnets of 131.108.0.0:
access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0 access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255The following example uses a time-range to deny HTTP traffic on Monday through Friday between the hours of 8:00 a.m. and 6:00 p.m.:
time-range no-httpperiodic weekdays 8:00 to 18:00!access-list 101 deny tcp any any eq http time-range no-http!interface ethernet 0ip access-group 101 inRelated Commands
access-list (IP standard)
To define a standard IP access list, use the standard version of the access-list global configuration command. To remove a standard access lists, use the no form of this command.
access-list access-list-number {deny | permit} source [source-wildcard] [log]
no access-list access-list-number
Caution
Syntax Description
access-list-number
Number of an access list. This is a decimal number from 1 to 99 or from 1300 to 1999.
deny
Denies access if the conditions are matched.
permit
Permits access if the conditions are matched.
source
Number of the network or host from which the packet is being sent.
There are two alternative ways to specify the source:
•
•
source-wildcard
(Optional) Wildcard bits to be applied to source.Each wildcard bit set to zero indicates that the corresponding bit position in the packet's ip address must exactly match the bit value in the corresponding bit position in the source. Each wildcard bit set to one indicates that both a zero bit and a one bit in the corresponding position of the packet's ip address will be considered a match to this access list entry.
There are two alternative ways to specify the source wildcard:
Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
Wildcard bits set to one do not need to be contiguous in the source-wildcard. For example, a source-wildcard of 0.255.0.64 would be valid.
log
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied, the source address, and the number of packets. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.
Defaults
The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.
Command Modes
Global configuration
Command History
Usage Guidelines
Plan your access conditions carefully and be aware of the implicit deny statement at the end of the access list.
You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict the contents of routing updates.
Use the show access-lists EXEC command to display the contents of all access lists.
Use the show ip access-list EXEC command to display the contents of one access list.
Examples
The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.5.34.0 0.0.0.255access-list 1 permit 128.88.0.0 0.0.255.255access-list 1 permit 36.0.0.0 0.255.255.255! (Note: all other access implicitly denied)The following example of a standard access list allows access for devices with IP addresses in the range 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected.
access-list 1 permit 10.29.2.64 0.0.0.63! (Note: all other access implicitly denied)To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. Thus, the following two configuration commands are identical in effect:
access-list 2 permit 36.48.0.3access-list 2 permit 36.48.0.3 0.0.0.0Related Commands
access-list remark
To write a helpful comment (remark) for an entry in a numbered IP access list, use the access-list remark global configuration command. To remove the remark, use the no form of this command.
access-list access-list-number remark remark
no access-list access-list-number remark remark
Syntax Description
access-list-number
Number of an IP access list.
remark
Comment that describes the access list entry, up to 100 characters long.
Defaults
The access list entries have no remarks.
Command Modes
Global configuration
Command History
Usage Guidelines
The remark can be up to 100 characters; anything longer is truncated.
If you want to write a comment about an entry in a named access list, use the remark command.
Examples
In the following example, the workstation belonging to Jones is allowed access, and the workstation belonging to Smith is not allowed access:
access-list 1 remark Permit only Jones workstation throughaccess-list 1 permit 171.69.2.88access-list 1 remark Do not allow Smith workstation throughaccess-list 1 deny 171.69.3.13Related Commands
Defines an extended IP access list.
Establishes MAC address access lists.
Writes a helpful comment (remark) for an entry in a named IP access list.
clear access-list counters
To clear the counters of an access list, use the clear access-list counters EXEC command.
clear access-list counters {access-list-number | name}
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
Some access lists keep counters that count the number of packets that pass each line of an access list. The show access-lists command displays the counters as a number of matches. Use the clear access-list counters command to restart the counters for a particular access list to 0.
Examples
The following example clears the counters for access list 101:
clear access-list counters 101Related Commands
clear ip accounting
To clear the active or checkpointed database when IP accounting is enabled, use the clear ip accounting EXEC command.
clear ip accounting [checkpoint]
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
You can also clear the checkpointed database by issuing the clear ip accounting command twice in succession.
Examples
The following example clears the active database when IP accounting is enabled:
clear ip accountingRelated Commands
clear ip drp
To clear all statistics being collected on Director Response Protocol (DRP) requests and replies, use the clear ip drp EXEC command.
clear ip drp
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
The following example clears all DRP statistics:
clear ip drpRelated Commands
Controls the sources of DRP queries to the DRP Server Agent.
Configures authentication on the DRP Server Agent for DistributedDirector.
clear tcp statistics
To clear TCP statistics, use the clear tcp statistics privileged EXEC command.
clear tcp statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Examples
The following example clears all TCP statistics:
clear tcp statisticsRelated Commands
deny (IP)
To set conditions for a named IP access list, use the deny access-list configuration command. To remove a deny condition from an access list, use the no form of this command.
deny source [source-wildcard]
no deny source [source-wildcard]
deny protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
no deny protocol source source-wildcard destination destination-wildcard
Internet Control Message Protocol (ICMP)
For ICMP, you can also use the following syntax:
deny icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Internet Group Management Protocol (IGMP)
For IGMP, you can also use the following syntax:
deny igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Transmission Control Protocol (TCP)
For TCP, you can also use the following syntax:
deny tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
User Datagram Protocol (UDP)
For UDP, you can also use the following syntax:
deny udp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Syntax Description
source
Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
•
•
•
source-wildcard
Wildcard bits to be applied to the source. There are three alternative ways to specify the source wildcard:
•
•
•
protocol
Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.
destination
Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
•
•
•
destination-wildcard
Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
•
•
•
precedence precedence
(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the "Usage Guidelines" section.
tos tos
(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the "Usage Guidelines" section of the access-list (extended) command.
log
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.
time-range time-range-name
(Optional) Name of the time range that applies to this deny statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
icmp-type
(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code
(Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message
(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the "Usage Guidelines" section of the access-list (extended) command.
igmp-type
(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (extended) command.
operator
(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard, it must match the source port.
If the operator is positioned after the destination and destination-wildcard, it must match the destination port.
The range operator requires two port numbers. All other operators require one port number.
port
(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.
established
(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
fragments
(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.
Defaults
There is no specific condition under which a packet is denied passing the named access list.
Command Modes
Access-list configuration
Command History
11.2
This command was introduced.
12.0(1)T
The time-range time-range-name keyword and argument were added.
12.1(2)
The fragments keyword was added.
Usage Guidelines
Use this command following the ip access-list command to specify conditions under which a packet cannot pass the named access list.
The time-range option allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this deny statement is in effect.
A ccess List Processing of Fragments
The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:
Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
Examples
The following example sets a deny condition for a standard access list named Internetfilter:
ip access-list standard Internetfilterdeny 192.5.34.0 0.0.0.255permit 128.88.0.0 0.0.255.255permit 36.0.0.0 0.255.255.255! (Note: all other access implicitly denied)The following example denies HTTP traffic on Monday through Friday between the hours of 8:00 am and 6:00 p.m.:
time-range no-httpperiodic weekdays 8:00 to 18:00!ip access-list extended strictdeny tcp any any eq http time-range no-http!interface ethernet 0ip access-group strict inRelated Commands
dynamic
To define a named, dynamic, IP access list, use the dynamic access-list configuration command. To remove the access lists, use the no form of this command.
dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [fragments]
no dynamic dynamic-name
Internet Control Message Protocol (ICMP)
For ICMP, you can also use the following syntax:
dynamic dynamic-name [timeout minutes] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [fragments]
Internet Group Management Protocol (IGMP)
For IGMP, you can also use the following syntax:
dynamic dynamic-name [timeout minutes] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [fragments]
Transmission Control Protocol (TCP)
For TCP, you can also use the following syntax:
dynamic dynamic-name [timeout minutes] {deny | permit} tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [fragments]
User Datagram Protocol (UDP)
For UDP, you can also use the following syntax:
dynamic dynamic-name [timeout minutes] {deny | permit} udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [fragments]
Caution
Syntax Description
dynamic-name
Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.
timeout minutes
(Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Cisco IOS Security Configuration Guide.
deny
Denies access if the conditions are matched.
permit
Permits access if the conditions are matched.
protocol
Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.
source
Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
Use a 32-bit quantity in four-part, dotted-decimal format.
•
•
source-wildcard
Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:
•
•
•
destination
Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
•
•
•
destination-wildcard
Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
•
•
•
precedence precedence
(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."
tos tos
(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."
log
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
icmp-type
(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code
(Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message
(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines."
igmp-type
(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."
operator
(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard, it must match the source port.
If the operator is positioned after the destination and destination-wildcard, it must match the destination port.
The range operator requires two port numbers. All other operators require one port number.
port
(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.
established
(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
fragments
(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.
Defaults
An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.
Command Modes
Access-list configuration
Command History
Usage Guidelines
You can use named access lists to control the transmission of packets on an interface and restrict contents of routing updates. The Cisco IOS software stops checking the extended access list after a match occurs.
Note
The following is a list of precedence names:
•
•
•
•
•
•
•
•
The following is a list of type of service names:
•
•
•
•
•
The following is a list of ICMP message type names and ICMP message type and code names:
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
The following is a list of IGMP message names:
•
•
•
•
•
The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by typing a ? in the place of a port number.
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
•
Access List Processing of Fragments
The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:
Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
Examples
The following example defines a dynamic access list named washington:
ip access-group washington in!ip access-list extended washingtondynamic testlist timeout 5permit ip any anypermit tcp any host 185.302.21.2 eq 23Related Commands
forwarding-agent
To specify the port on which the forwarding agent will listen for wildcard and fixed affinities, use the forwarding-agent CASA-port configuration command. Use the no form of the command to disable listening on that port.
forwarding-agent number [password [timeout]]
no forwarding-agent
Syntax Description
Defaults
The default password timeout is 180 seconds.
The default port for the services manager is 1637.
Command Modes
CASA-port configuration
Command History
Examples
The following example specifies that the forwarding agent will listen for wildcard and fixed affinities on port 1637:
forwarding-agent 1637Related Commands
ip access-group
To control access to an interface, use the ip access-group interface configuration command. To remove the specified access group, use the no form of this command.
ip access-group {access-list-number | name}{in | out}
no ip access-group {access-list-number | name}{in | out}
Syntax Description
Defaults
No access list is applied to the interface.
Command Modes
Interface configuration
Command History
Usage Guidelines
Access lists are applied on either outbound or inbound interfaces. For standard inbound access lists, after receiving a packet, the Cisco IOS software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination access list. If the access list permits the address, the software continues to process the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.
For standard outbound access lists, after receiving and routing a packet to a controlled interface, the software checks the source address of the packet against the access list. For extended access lists, the router also checks the destination access list. If the access list permits the address, the software sends the packet. If the access list rejects the address, the software discards the packet and returns an ICMP Host Unreachable message.
If the specified access list does not exist, all packets are passed.
When you enable outbound access lists, you automatically disable autonomous switching for that interface.When you enable input access lists on any cBus or CxBus interface, you automatically disable autonomous switching for all interfaces (with one exception—an SSE configured with simple access lists can still switch packets, on output only).
Examples
The following example applies list 101 on packets outbound from Ethernet interface 0:
interface ethernet 0ip access-group 101 outRelated Commands
Defines an extended IP access list.
Defines a standard IP access list.
Defines an IP access list by name.
Displays the contents of current IP and rate-limit access lists.
ip access-list
To define an IP access list by name, use the ip access-list global configuration command. To remove a named IP access lists, use the no form of this command.
ip access-list {standard | extended} name
no ip access-list {standard | extended} name
Caution
Syntax Description
Defaults
No named IP access list is defined.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to configure a named IP access list as opposed to a numbered IP access list. This command will take you into access-list configuration mode, where you must define the denied or permitted access conditions with the deny and permit commands.
Specifying the standard or extended keyword with the ip access-list command determines the prompt you get when you enter access-list configuration mode.
Use the ip access-group command to apply the access-list to an interface.
Named access lists are not compatible with Cisco IOS releases prior to Release 11.2.
Examples
The following example defines a standard access list named Internetfilter:
ip access-list standard Internetfilterpermit 192.5.34.0 0.0.0.255permit 128.88.0.0 0.0.255.255permit 36.0.0.0 0.255.255.255! (Note: all other access implicitly denied)Related Commands
Sets conditions for a named IP access list.
Controls access to an interface.
Sets conditions for a named IP access list.
Displays the contents of all current IP access lists.
ip access-list log-update
To set the threshold number of packets that generate a log message if they match an access list, use the ip access-list log-update command in global configuration mode. To remove the threshold, use the no form of this command.
ip access-list log-update threshold number-of-matches
no ip access-list log-update
Syntax Description
number-of-matches
Threshold number of packets necessary to match an access list before a log message is generated. The range is 0 to 2147483647. There is no default number of matches.
Defaults
Log messages are sent at the first matching packet and at 5-minute intervals after that.
Command Modes
Global configuration
Command History
Usage Guidelines
Log messages are generated if you have specified the log keyword in the access-list (IP standard), access-list (IP extended), deny (IP), dynamic, or permit command.
Log messages provide information about the packets that are permitted or denied by an access list. By default, log messages appear at the console. (The level of messages logged to the console is controlled by the logging console command.) The log message includes the access list number, whether the packet was permitted or denied, and other information.
By default, the log messages are sent at the first matching packet and after that, identical messages are accumulated for 5-minute intervals, with a single message being sent with the number of packets permitted and denied during that interval. However, you can use the ip access-list log-update command to set the number of packets that, when match an access list (and are permitted or denied), cause the system to generate a log message. You might want to do this to receive log messages more frequently than at 5-minute intervals.
Caution
Even if you use the ip access-list log-update command, the 5-minute timer remains in effect, so the cache is emptied at the end of 5 minutes, regardless of the count of messages in the cache. Regardless of when the log message is sent, the cache is flushed and the count reset to 0 for that message the same way it is when a threshold is not specified.
If the syslog server is not directly connected to a LAN that the router shares, any intermediate router might drop the log messages because they are UDP (unreliable) messages.
Examples
The following example enables logging whenever the 1000th packet matches an access list entry:
ip access-list log-update threshold 1000Related Commands
ip accounting
To enable IP accounting on an interface, use the ip accounting interface configuration command. To disable IP accounting, use the no form of this command.
ip accounting [access-violations] [output-packets]
no ip accounting [access-violations] [output-packets]
Syntax Description
Defaults
Disabled
Command Modes
Interface configuration
Command History
10.0
This command was introduced.
10.3
The access-violations keyword was added.
Usage Guidelines
The IP accounting command records the number of bytes (IP header and data) and packets switched through the system on a source and destination IP address basis. Only transit IP traffic is measured and only on an outbound basis; traffic generated by the router access server or terminating in this device is not included in the accounting statistics. Traffic coming from a remote site and transiting through a router is also recorded.
If you specify the access-violations keyword, the ip accounting command provides information identifying IP traffic that fails IP access lists. Identifying IP source addresses that violate IP access lists alerts you to possible attempts to breach security. The data might also indicate that you should verify IP access list configurations.
To receive a logging message on the console when an extended access list entry denies a packet access (to log violations), you must include the log keyword in the access-list (IP extended) or access-list (IP standard) command.
Statistics are accurate even if IP fast switching or IP access lists are being used on the interface.
IP accounting disables autonomous switching, SSE switching, and distributed switching (dCEF) on the interface. IP accounting will cause packets to be switched on the Route Switch Processor (RSP) instead of the Versatile Interface Processor (VIP), which can cause performance degradation.
Examples
The following example enables IP accounting on Ethernet interface 0:
interface ethernet 0ip accountingRelated Commands
ip accounting-list
To define filters to control the hosts for which IP accounting information is kept, use the ip accounting-list global configuration command. To remove a filter definition, use the no form of this command.
ip accounting-list ip-address wildcard
no ip accounting-list ip-address wildcard
Syntax Description
ip-address
IP address in dotted-decimal format.
wildcard
Wildcard bits to be applied to the ip-address argument.
Defaults
No filters are defined.
Command Modes
Global configuration
Command History
Usage Guidelines
The wildcard argument is a 32-bit quantity written in dotted-decimal format. Address bits corresponding to wildcard bits set to 1 are ignored in comparisons; address bits corresponding to wildcard bits set to zero are used in comparisons.
Examples
The following example adds all hosts with IP addresses beginning with 192.31 to the list of hosts for which accounting information will be kept:
ip accounting-list 192.31.0.0 0.0.255.255Related Commands
ip accounting-threshold
To set the maximum number of accounting entries to be created, use the ip accounting-threshold global configuration command. To restore the default number of entries, use the no form of this command.
ip accounting-threshold threshold
no ip accounting-threshold threshold
Syntax Description
threshold
Maximum number of entries (source and destination address pairs) that the Cisco IOS software accumulates.
Defaults
The default maximum number of accounting entries is 512 entries.
Command Modes
Global configuration
Command History
Usage Guidelines
The accounting threshold defines the maximum number of entries (source and destination address pairs) that the software accumulates, preventing IP accounting from possibly consuming all available free memory. This level of memory consumption could occur in a router that is switching traffic for many hosts. Overflows will be recorded; see the monitoring commands for display formats.
The default accounting threshold of 512 entries results in a maximum table size of 12,928 bytes. Active and checkpointed tables can reach this size independently.
Examples
The following example sets the IP accounting threshold to only 500 entries:
ip accounting-threshold 500Related Commands
ip accounting-transits
To control the number of transit records that are stored in the IP accounting database, use the ip accounting-transits global configuration command. To return to the default number of records, use the no form of this command.
ip accounting-transits count
no ip accounting-transits
Syntax Description
Defaults
The default number of transit records that are stored in the IP accounting database is 0.
Command Modes
Global configuration
Command History
Usage Guidelines
Transit entries are those that do not match any of the filters specified by ip accounting-list global configuration commands. If no filters are defined, no transit entries are possible.
To maintain accurate accounting totals, the Cisco IOS software maintains two accounting databases: an active and a checkpointed database.
Examples
The following example specifies that no more than 100 transit records are stored:
ip accounting-transits 100Related Commands
ip accounting mac-address
To enable IP accounting on a LAN interface based on the source and destination MAC address, use the ip accounting mac-address interface configuration command. To disable IP accounting based on the source and destination MAC address, use the no form of this command.
ip accounting mac-address {input | output]
no ip accounting mac-address {input | output]
Syntax Description
input
Performs accounting based on the source MAC address on received packets.
output
Performs accounting based on the destination MAC address on transmitted packets.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Usage Guidelines
This feature is supported on Ethernet, FastEthernet, and FDDI interfaces.
To display the MAC accounting information, use the show interface mac EXEC command.
MAC address accounting provides accounting information for IP traffic based on the source and destination MAC address on LAN interfaces. This calculates the total packet and byte counts for a LAN interface that receives or sends IP packets to or from a unique MAC address. It also records a timestamp for the last packet received or sent. With MAC address accounting, you can determine how much traffic is being sent to and/or received from various peers at NAPS/peering points.
Examples
The following example enables IP accounting based on the source and destination MAC address for received and transmitted packets:
interface ethernet 4/0/0ip accounting mac-address inputip accounting mac-address outputRelated Commands
Displays MAC accounting information for interfaces configured for MAC accounting.
ip accounting precedence
To enable IP accounting on any interface based on IP precedence, use the ip accounting precedence interface configuration command. To disable IP accounting based on IP precedence, use the no form of this command.
ip accounting precedence {input | output]
no ip accounting precedence {input | output]
Syntax Description
input
Performs accounting based on IP precedence on received packets.
output
Performs accounting based on IP precedence on transmitted packets.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Usage Guidelines
To display IP precedence accounting information, use the show interface precedence EXEC command.
The precedence accounting feature provides accounting information for IP traffic, summarized by IP precedence value(s). This feature calculates the total packet and byte counts for an interface that receives or sends IP packets and sorts the results based on IP precedence. This feature is supported on all interfaces and subinterfaces and supports CEF, dCEF, flow, and optimum switching.
Examples
The following example enables IP accounting based on IP precedence for received and transmitted packets:
interface ethernet 4/0/0ip accounting precedence inputip accounting precedence outputRelated Commands
Displays precedence accounting information for an interface configured for precedence accounting.
ip casa
To configure the router to function as a forwarding agent, use the ip casa global configuration command. Use the no form of the command to disable the forwarding agent.
ip casa control-address igmp-address
no ip casa
Syntax Description
Defaults
No default behavior or values.
Command Modes
Global configuration
Command History
Examples
The following example specifies the internet address (10.10.4.1) and IGMP address (224.0.1.2) for the forwarding agent:
ip-casa 10.10.4.1 224.0.1.2Related Commands
Specifies the port on which the forwarding agent will listen for wildcard and fixed affinities.
ip drp access-group
To control the sources of Director Response Protocol (DRP) queries to the DRP Server Agent, use the ip drp access-group global configuration command. To remove the access list, use the no form of this command.
ip drp access-group access-list-number
no ip drp access-group access-list-number
Syntax Description
Defaults
The DRP Server Agent will answer all queries.
Command Modes
Global configuration
Command History
Usage Guidelines
This command applies an access list to the interface, thereby controlling who can send queries to the DRP Server Agent.
If both an authentication key chain and an access group have been specified, both security measures must permit access before a request is processed.
Examples
The following example configures access list 1, which permits only queries from the host at 33.45.12.4:
access-list 1 permit 33.45.12.4ip drp access-group 1Related Commands
Configures authentication on the DRP Server Agent for DistributedDirector.
Displays information about the DRP Server Agent for DistributedDirector.
ip drp authentication key-chain
To configure authentication on the Director Response Protocol (DRP) Server Agent for Distributed Director, use the ip drp authentication key-chain global configuration command. To remove the key chain, use the no form of this command.
ip drp authentication key-chain name-of-chain
no ip drp authentication key-chain name-of-chain
Syntax Description
Defaults
No authentication is configured for the DRP Server Agent.
Command Modes
Global configuration
Command History
Usage Guidelines
When a key chain and key are configured, the key is used to authenticate all DRP requests and responses. The active key on the DRP Server Agent must match the active key on the primary agent. Use the key and key-string commands to configure the key.
Examples
The following example configures a key chain named ddchain:
ip drp authentication key-chain ddchainRelated Commands
ip drp server
To enable the Director Response Protocol (DRP) Server Agent that works with DistributedDirector, use the ip drp server global configuration command. To disable the DRP Server Agent, use the no form of this command.
ip drp server
no ip drp server
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Examples
The following example enables the DRP Server Agent:
ip drp serverRelated Commands
ip icmp rate-limit unreachable
To have the Cisco IOS software limit the rate that Internet Control Message Protocol (ICMP) destination unreachable messages are generated, use the ip icmp rate-limit unreachable global configuration command. To remove the rate limit, use the no form of this command.
ip icmp rate-limit unreachable [df] milliseconds
no ip icmp rate-limit unreachable [df]
Syntax Description
Defaults
The default value is one ICMP destination unreachable message per 500 milliseconds.
Command Modes
Global configuration
Command History
Usage Guidelines
The no ip icmp rate-limit unreachable command turns off the previously configured rate limit. To re-set the rate limit to its default value, use the default ip icmp rate-limit unreachable command.
The Cisco IOS software maintains two timers: one for general destination unreachable messages and one for DF destination unreachable messages. Both share the same time limits and defaults. If the df option is not configured, the ip icmp rate-limit unreachable command sets the time values for DF destination unreachable messages. If the df option is configured, its time values remain independent from those of general destination unreachable messages.
Examples
The following example sets the rate of the ICMP destination unreachable message to one message every 10 milliseconds:
ip icmp rate-limit unreachable 10The following example turns off the previously configured rate limit:
no ip icmp rate-limit unreachableThe following example sets the rate limit back to the default:
default ip icmp rate-limit unreachableip icmp redirect
To control the type of Internet Control Message Protocol (ICMP) redirect message that is sent by the Cisco IOS software, use the ip icmp redirect command in global configuration mode. To set the value back to the default, use the no form of this command.
ip icmp redirect [host | subnet]
no ip icmp redirect [host | subnet]
Syntax Description
Defaults
The router will send ICMP subnet redirect messages.
Because the ip icmp redirect subnet command is the default, the command will not be displayed in the configuration.
Command Modes
Global configuration
Command History
Usage Guidelines
An ICMP redirect message can be generated by a router when a packet is received and transmitted on the same interface. In this situation, the router will forward the original packet and send a ICMP redirect message back to the sender of the original packet. This behavior allows the sender to bypass the router and forward future packets directly to the destination (or a router closer to the destination).
There are two types of ICMP redirect messages: redirect for a host address or redirect for an entire subnet.
The ip icmp redirect command determines the type of ICMP redirects sent by the system and is configured on a per system basis. Some hosts do not understand ICMP subnet redirects and need the router to send out ICMP host redirects. Use the ip icmp redirect host command to have the router send out ICMP host redirects. Use the ip icmp redirect subnet command to set the value back to the default, which is to send subnet redirects.
To prevent the router from sending ICMP redirects, use the no ip redirects interface configuration command.
Examples
The following example enables the router to send out ICMP host redirects:
ip icmp redirect hostsThe following example sets the value back to the default, which is subnet redirects:
ip icmp redirect subnetRelated Commands
ip mask-reply
To have the Cisco IOS software respond to Internet Control Message Protocol (ICMP) mask requests by sending ICMP Mask Reply messages, use the ip mask-reply interface configuration command. To disable this function, use the no form of this command.
ip mask-reply
no ip mask-reply
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Examples
The following example enables the sending of ICMP Mask Reply messages on Ethernet interface 0:
interface ethernet 0ip address 131.108.1.0 255.255.255.0ip mask-replyip mtu
To set the maximum transmission unit (MTU) size of IP packets sent on an interface, use the ip mtu interface configuration command. To restore the default MTU size, use the no form of this command.
ip mtu bytes
no ip mtu
Syntax Description
Defaults
Minimum is 128 bytes; maximum depends on interface medium.
Command Modes
Interface configuration
Command History
Usage Guidelines
If an IP packet exceeds the MTU set for the interface, the Cisco IOS software will fragment it.
All devices on a physical medium must have the same protocol MTU in order to operate.
Note
Examples
The following example sets the maximum IP packet size for the first serial interface to 300 bytes:
interface serial 0ip mtu 300Related Commands
ip redirects
To enable the sending of Internet Control Message Protocol (ICMP) Redirect messages if the Cisco IOS software is forced to resend a packet through the same interface on which it was received, use the ip redirects interface configuration command. To disable the sending of redirect messages, use the no form of this command.
ip redirects
no ip redirects
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled, unless Hot Standby Router Protocol is configured
Command Modes
Interface configuration
Command History
Usage Guidelines
If the Hot Standby Router Protocol is configured on an interface, ICMP Redirect messages are disabled by default for the interface.
Examples
The following example enables the sending of ICMP Redirect messages on Ethernet interface 0:
interface ethernet 0ip redirectsRelated Commands
ip source-route
To allow the Cisco IOS software to handle IP datagrams with source routing header options, use the ip source-route global configuration command. To have the software discard any IP datagram containing a source-route option, use the no form of this command.
ip source-route
no ip source-route
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled
Command Modes
Global configuration
Command History
Examples
The following example enables the handling of IP datagrams with source routing header options:
ip source-routeRelated Commands
ip tcp chunk-size
To alter the TCP maximum read size for Telnet or rlogin, use the ip tcp chunk-size global configuration command. To restore the default value, use the no form of this command.
ip tcp chunk-size characters
no ip tcp chunk-size
Syntax Description
Defaults
0, which Telnet and rlogin interpret as the largest possible 32-bit positive number.
Command Modes
Global configuration
Command History
Usage Guidelines
It is unlikely you will need to change the default value.
Examples
The following example sets the maximum TCP read size to 64000 bytes:
ip tcp chunk-size 64000ip tcp compression-connections
To specify the total number of TCP header compression connections that can exist on an interface, use the ip tcp compression-connections interface configuration command. To restore the default, use the no form of this command.
ip tcp compression-connections number
no ip tcp compression-connections number
Syntax Description
number
Number of TCP header compression connections the cache supports, in the range from 3 to 1000. The default is 32 connections (16 calls).
Defaults
The default number 32 connections.
Command Modes
Interface configuration
Command History
Usage Guidelines
You should configure one connection for each TCP connection through the specified interface.
Each connection sets up a compression cache entry, so you are in effect specifying the maximum number of cache entries and the size of the cache. Too few cache entries for the specified interface can lead to degraded performance, while too many cache entries can lead to wasted memory.
Note
Examples
The following example sets the first serial interface for header compression with a maximum of ten cache entries:
interface serial 0ip tcp header-compressionip tcp compression-connections 10Related Commands
ip rtp header-compression
Enables RTP header compression.
Enables TCP header compression.
show ip rtp header-compression
Displays RTP header compression statistics.
ip tcp header-compression
To enable TCP header compression, use the ip tcp header-compression interface configuration command. To disable compression, use the no form of this command.
ip tcp header-compression [passive]
no ip tcp header-compression [passive]
Syntax Description
Defaults
Disabled
Command Modes
Interface configuration
Command History
Usage Guidelines
You can compress the headers of your TCP/IP packets in order to reduce the size of your packets. TCP header compression is supported on serial lines using Frame Relay, HDLC or Point-to-Point (PPP) encapsulation. You must enable compression on both ends of a serial connection. RFC 1144 specifies the compression process. Compressing the TCP header can speed up Telnet connections dramatically. In general, TCP header compression is advantageous when your traffic consists of many small packets, not for traffic that consists of large packets. Transaction processing (usually using terminals) tends to use small packets while file transfers use large packets. This feature only compresses the TCP header, so it has no effect on UDP packets or other protocol headers.
When compression is enabled, fast switching is disabled. This means that fast interfaces like T1 can overload the router. Consider your network's traffic characteristics before using this command.
Examples
The following example sets the first serial interface for header compression with a maximum of ten cache entries:
interface serial 0ip tcp header-compressionip tcp compression-connections 10Related Commands
Specifies the total number of header compression connections that can exist on an interface.
ip tcp mss
To enable a maximum segment size (MSS) for TCP connections originating or terminating on a router, use the ip tcp mss command in global configuration mode. To disable the configuration of the MSS, use the no form of this command.
ip tcp mss mss-value
no ip tcp mss mss-value
Syntax Description
Defaults
This command is disabled.
Command Modes
Global configuration
Command History
12.0(05)S
This command was introduced.
12.1
This command was integrated into Cisco IOS Release 12.1.
Usage Guidelines
If this command is not enabled, the MSS value of 536 bytes is used if the destination is not on a LAN, otherwise the MSS value is 1460 for a local destination.
For connections originating from a router, the specified value is used directly as an MSS option in the synchronize (SYN) segment. For connections terminating on a router, the value is used only if the incoming SYN segment has an MSS option value higher than the configured value. Otherwise the incoming value is used as the MSS option in the SYN/acknowledge (ACK) segment.
Note
Examples
The following example sets the MSS value at 250:
ip tcp mss 250Related Commands
ip tcp header-compression
Specifies the total number of header compression connections that can exist on an interface.
ip tcp path-mtu-discovery
To enable Path MTU Discovery for all new TCP connections from the router, use the ip tcp path-mtu-discovery global configuration command. To disable the function, use the no form of this command.
ip tcp path-mtu-discovery [age-timer {minutes | infinite}]
no ip tcp path-mtu-discovery [age-timer {minutes | infinite}]
Syntax Description
Defaults
Disabled. If enabled, default minutes is 10 minutes.
Command Modes
Global configuration
Command History
10.3
This command was introduced.
11.2
The following keywords were added:
•
•
Usage Guidelines
Path MTU Discovery is a method for maximizing the use of available bandwidth in the network between the end points of a TCP connection. It is described in RFC 1191. Existing connections are not affected when this feature is turned on or off.
Customers using TCP connections to move bulk data between systems on distinct subnets would benefit most by enabling this feature. This might include customers using RSRB with TCP encapsulation, STUN, X.25 Remote Switching (also known as XOT, or X.25 over TCP), and some protocol translation configurations.
The age timer is a time interval for how often TCP re-estimates the Path MTU with a larger MSS. By using the age timer, TCP Path MTU becomes a dynamic process. If MSS used for the connection is smaller than what the peer connection can handle, a larger MSS is tried every time the age timer expires. The discovery process is stopped when either the send MSS is as large as the peer negotiated, or the user has disabled the timer on the router. You can turn off the age-timer by setting it to infinite.
Examples
The following example enables Path MTU Discovery:
ip tcp path-mtu-discoveryip tcp queuemax
To alter the maximum TCP outgoing queue per connection, use the ip tcp queuemax global configuration command. To restore the default value, use the no form of this command.
ip tcp queuemax packets
no ip tcp queuemax
Syntax Description
packets
Outgoing queue size of TCP packets. The default value is 5 segments if the connection has a TTY associated with it. If there is no TTY associated with it, the default value is 20 segments.
Defaults
The default value is 5 segments if the connection has a TTY associated with it. If there is no TTY associated with it, the default value is 20 segments.
Command Modes
Global configuration
Command History
Usage Guidelines
Changing the default value changes the 5 segments, not the 20 segments.
Examples
The following example sets the maximum TCP outgoing queue to 10 packets:
ip tcp queuemax 10ip tcp selective-ack
To enable TCP selective acknowledgment, use the ip tcp selective-ack global configuration command. To disable TCP selective acknowledgment, use the no form of this command.
ip tcp selective-ack
no ip tcp selective-ack
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
TCP might not experience optimal performance if multiple packets are lost from one window of data. With the limited information available from cumulative acknowledgments, a TCP sender can learn about only one lost packet per round trip time. An aggressive sender could re-send packets early, but such re-sent segments might have already been successfully received.
The TCP selective acknowledgment mechanism helps overcome these limitations. The receiving TCP returns selective acknowledgment packets to the sender, informing the sender about data that has been received. The sender can then re-send only the missing data segments.
TCP selective acknowledgment improves overall performance. The feature is used only when multiple packets drop from a TCP window. There is no performance impact when the feature is enabled but not used.
This command becomes effective only on new TCP connections opened after the feature is enabled.
This feature must be disabled if you want TCP header compression. You might disable this feature if you have severe TCP problems.
Refer to RFC 2018 for more detailed information on TCP selective acknowledgment.
Examples
The following example enables the router to send and receive TCP selective acknowledgments:
ip tcp selective-ackRelated Commands
ip tcp synwait-time
To set a period of time the Cisco IOS software waits while attempting to establish a TCP connection before it times out, use the ip tcp synwait-time global configuration command. To restore the default time, use the no form of this command.
ip tcp synwait-time seconds
no ip tcp synwait-time seconds
Syntax Description
seconds
Time in seconds the software waits while attempting to establish a TCP connection. It can be an integer from 5 to 300 seconds. The default is 30 seconds.
Defaults
The default time is 30 seconds.
Command Modes
Global configuration
Command History
Usage Guidelines
In versions previous to Cisco IOS software 10.0, the system would wait a fixed 30 seconds when attempting to establish a TCP connection. If your network contains Public Switched Telephone Network (PSTN) dial-on-demand routing (DDR), the call setup time may exceed 30 seconds. This amount of time is not sufficient in networks that have dial-up asynchronous connections because it will affect your ability to Telnet over the link (from the router) if the link must be brought up. If you have this type of network, you might want to set this value to the UNIX value of 75.
Because this is a host parameter, it does not pertain to traffic going through the router, just for traffic originated at this device. Because UNIX has a fixed 75-second timeout, hosts are unlikely to see this problem.
Examples
The following example configures the Cisco IOS software to continue attempting to establish a TCP connection for 180 seconds:
ip tcp synwait-time 180ip tcp timestamp
To enable TCP time stamp, use the ip tcp timestamp global configuration command. To disable TCP timestamp, use the no form of this command.
ip tcp timestamp
no ip tcp timestamp
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Global configuration
Command History
Usage Guidelines
TCP time stamp improves round-trip time estimates. Refer to RFC 1323 for more detailed information on TCP timestamp.
This feature must be disabled if you want to use TCP header compression.
Examples
The following example enables the router to send TCP timestamps:
ip tcp timestampRelated Commands
ip tcp window-size
To alter the TCP window size, use the ip tcp window-size global configuration command. To restore the default value, use the no form of this command.
ip tcp window-size bytes
no ip tcp window-size
Syntax Description
Defaults
The default size is 2144 bytes.
Command Modes
Global configuration
Command History
Usage Guidelines
Do not use this command unless you clearly understand why you want to change the default value.
If your TCP window size is set to 1000 bytes, for example, you could have 1 packet of 1000 bytes or 2 packets of 500 bytes, and so on. However, there is also a limit on the number of packets allowed in the window. There can be a maximum of 5 packets if the connection has TTY; otherwise there can be 20 packets.
Examples
The following example sets the TCP window size to 1000 bytes:
ip tcp window-size 1000ip unreachables
To enable the generation of Internet Control Message Protocol (ICMP) Unreachable messages, use the ip unreachables interface configuration command. To disable this function, use the no form of this command.
ip unreachables
no ip unreachables
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled
Command Modes
Interface configuration
Command History
Usage Guidelines
If the Cisco IOS software receives a nonbroadcast packet destined for itself that uses a protocol it does not recognize, it sends an ICMP Protocol Unreachable message to the source.
If the software receives a datagram that it cannot deliver to its ultimate destination because it knows of no route to the destination address, it replies to the originator of that datagram with an ICMP Host Unreachable message.
This command affects all kinds of ICMP unreachable messages.
Examples
The following example enables the generation of ICMP Unreachable messages, as appropriate, on an interface:
interface ethernet 0ip unreachablespermit (IP)
To set conditions for a named IP access list, use the permit access-list configuration command. To remove a condition from an access list, use the no form of this command.
permit source [source-wildcard]
no permit source [source-wildcard]
permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
no permit protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log] [time-range time-range-name]
Internet Control Message Protocol (ICMP)
For ICMP, you can also use the following syntax:
permit icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Internet Group Management Protocol (IGMP)
For IGMP, you can also use the following syntax:
permit igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Transmission Control Protocol (TCP)
For TCP, you can also use the following syntax:
permit tcp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [established] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
User Datagram Protocol (UDP)
For UDP, you can also use the following syntax:
permit udp source source-wildcard [operator [port]] destination destination-wildcard [operator [port]] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Syntax Description
source
Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
•
•
•
source-wildcard
Wildcard bits to be applied to source. There are three alternative ways to specify the source wildcard:
•
•
•
protocol
Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP), use the keyword ip. Some protocols allow further qualifiers described later.
destination
Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
•
•
•
destination-wildcard
Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
•
•
•
precedence precedence
(Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."
tos tos
(Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the "Usage Guidelines" section of the access-list (IP extended) command.
log
(Optional) Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)
The message includes the access list number, whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches, and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.
Use the ip access-list log-update command to generate logging messages when the number of matches reaches a configurable threshold (rather than waiting for a 5-minute interval). See the ip access-list log-update command for more information.
The logging facility might drop some logging message packets if there are too many to be handled or if there is more than one logging message to be handled in 1 second. This behavior prevents the router from crashing due to too many logging packets. Therefore, the logging facility should not be used as a billing tool or an accurate source of the number of matches to an access list.
If you enable CEF and then create an access list that uses the log keyword, the packets that match the access list are not CEF switched. They are fast switched. Logging disables CEF.
time-range time-range-name
(Optional) Name of the time range that applies to this permit statement. The name of the time range and its restrictions are specified by the time-range and absolute or periodic commands, respectively.
icmp-type
(Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code
(Optional) ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message
(Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the "Usage Guidelines" section of the access-list (IP extended) command.
igmp-type
(Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the "Usage Guidelines" section of the access-list (IP extended) command.
operator
(Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard, it must match the source port.
If the operator is positioned after the destination and destination-wildcard, it must match the destination port.
The range operator requires two port numbers. All other operators require one port number.
port
(Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the "Usage Guidelines" section of the access-list (IP extended) command. TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.
established
(Optional) For the TCP protocol only: Indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.
fragments
(Optional) The access list entry applies to noninitial fragments of packets; the fragment is either permitted or denied accordingly. For more details about the fragments keyword, see the "Access List Processing of Fragments" and "Fragments and Policy Routing" sections in the "Usage Guidelines" section.
Defaults
There are no specific conditions under which a packet passes the named access list.
Command Modes
Access-list configuration
Command History
11.2
This command was introduced.
12.0(1)T
The time-range time-range-name keyword and argument were added.
12.1(2)
The fragments keyword was added.
Usage Guidelines
Use this command following the ip access-list command to define the conditions under which a packet passes the access list.
The time-range option allows you to identify a time range by name. The time-range, absolute, and periodic commands specify when this permit statement is in effect.
Access List Processing of Fragments
The behavior of access-list entries regarding the use or lack of the fragments keyword can be summarized as follows:
Be aware that you should not simply add the fragments keyword to every access list entry because the first fragment of the IP packet is considered a nonfragment and is treated independently of the subsequent fragments. An initial fragment will not match an access list permit or deny entry that contains the fragments keyword, the packet is compared to the next access list entry, and so on, until it is either permitted or denied by an access list entry that does not contain the fragments keyword. Therefore, you may need two access list entries for every deny entry. The first deny entry of the pair will not include the fragments keyword, and applies to the initial fragment. The second deny entry of the pair will include the fragments keyword and applies to the subsequent fragments. In the cases where there are multiple deny access list entries for the same host but with different Layer 4 ports, a single deny access-list entry with the fragments keyword for that host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by the access list.
Packet fragments of IP datagrams are considered individual packets and each counts individually as a packet in access list accounting and access list violation counts.
Note
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the match ip address command and the access list had entries that match on Layer 4 through 7 information. It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment was not policy routed or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match between the action taken for initial and noninitial fragments can be made and it is more likely policy routing will occur as intended.
Examples
The following example sets conditions for a standard access list named Internetfilter:
ip access-list standard Internetfilterdeny 192.5.34.0 0.0.0.255permit 128.88.0.0 0.0.255.255permit 36.0.0.0 0.255.255.255! (Note: all other access implicitly denied)The following example permits Telnet traffic on Mondays, Tuesdays, and Fridays between the hours of 9:00 am and 5:00 pm:
time-range testingperiodic Monday Tuesday Friday 9:00 to 17:00!ip access-list extended legalpermit tcp any any eq telnet time-range testing!interface ethernet 0ip access-group legal inRelated Commands
remark
To write a helpful comment (remark) for an entry in a named IP access list, use the remark access-list configuration command. To remove the remark, use the no form of this command.
remark remark
no remark remark
Syntax Description
Defaults
The access list entries have no remarks.
Command Modes
Standard named or extended named access-list configuration
Command History
Usage Guidelines
The remark can be up to 100 characters; anything longer is truncated.
If you want to write a comment about an entry in a numbered IP access list, use the access-list remark command.
Examples
In the following example, the Jones subnet is not allowed to use outbound Telnet:
ip access-list extended telnettingremark Do not allow Jones subnet to telnet outdeny tcp host 171.69.2.88 any eq telnetRelated Commands
show access-lists
To display the contents of current access lists, use the show access-lists privileged EXEC command.
show access-lists [access-list-number | name]
Syntax Description
access-list-number
(Optional) Number of the access list to display. The system displays all access lists by default.
name
(Optional) Name of the IP access list to display.
Defaults
The system displays all access lists.
Command Modes
Privileged EXEC
Command History
Examples
The following is sample output from the show access-lists command when access list 101 is specified:
Router# show access-lists 101Extended IP access list 101permit tcp host 198.92.32.130 any established (4304 matches) check=5permit udp host 198.92.32.130 any eq domain (129 matches)permit icmp host 198.92.32.130 anypermit tcp host 198.92.32.130 host 171.69.2.141 gt 1023permit tcp host 198.92.32.130 host 171.69.2.135 eq smtp (2 matches)permit tcp host 198.92.32.130 host 198.92.30.32 eq smtppermit tcp host 198.92.32.130 host 171.69.108.33 eq smtppermit udp host 198.92.32.130 host 171.68.225.190 eq syslogpermit udp host 198.92.32.130 host 171.68.225.126 eq syslogdeny ip 150.136.0.0 0.0.255.255 224.0.0.0 15.255.255.255deny ip 171.68.0.0 0.1.255.255 224.0.0.0 15.255.255.255 (2 matches) check=1deny ip 172.24.24.0 0.0.1.255 224.0.0.0 15.255.255.255deny ip 192.82.152.0 0.0.0.255 224.0.0.0 15.255.255.255deny ip 192.122.173.0 0.0.0.255 224.0.0.0 15.255.255.255deny ip 192.122.174.0 0.0.0.255 224.0.0.0 15.255.255.255deny ip 192.135.239.0 0.0.0.255 224.0.0.0 15.255.255.255deny ip 192.135.240.0 0.0.7.255 224.0.0.0 15.255.255.255deny ip 192.135.248.0 0.0.3.255 224.0.0.0 15.255.255.255An access list counter counts how many packets are allowed by each line of the access list. This number is displayed as the number of matches. Check denotes how many times a packet was compared to the access list but did not match.
For information on how to configure access lists, refer to the "Configuring IP Services" chapter of the Cisco IOS IP and IP Routing Configuration Guide.
For information on how to configure dynamic access lists, refer to the "Traffic Filtering and Firewalls" chapter of the Cisco IOS Security Configuration Guide.
Related Commands
show interface mac
To display MAC accounting information for interfaces configured for MAC accounting, use the show interface mac EXEC command.
show interface [type number] mac
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
The show interface mac command displays information for all interfaces configured for MAC accounting. To display information for a single interface, use the show interface type number mac command.
For incoming packets on the interface, the accounting statistics are gathered before the CAR/DCAR feature is performed on the packet. For outgoing packets on the interface, the accounting statistics are gathered after output CAR, before output DCAR or DWRED or DWFQ feature is performed on the packet. Therefore, if a you are using DCAR or DWRED on the interface and packets are dropped, the dropped packets are still counted in the show interface mac command because the calculations are done prior to the features.
The maximum number of MAC addresses that can be stored for the input address is 512 and the maximum number of MAC address that can be stored for the output address is 512. After the maximum is reached, subsequent MAC addresses are ignored.
To clear the accounting statistics, use the clear counter EXEC command.
To configure an interface for IP accounting based on the MAC address, use the ip accounting mac-address interface configuration command.
Examples
The following is sample output from the show interface mac command. This feature calculates the total packet and byte counts for the interface that receives (input) or sends (output) IP packets to or from a unique MAC address. It also records a timestamp for the last packet received or sent.
Router# show interface ethernet 0/1/1 macEthernet0/1/1Input (511 free)0007.f618.4449(228): 4 packets, 456 bytes, last: 2684ms agoTotal: 4 packets, 456 bytesOutput (511 free)0007.f618.4449(228): 4 packets, 456 bytes, last: 2692ms agoTotal: 4 packets, 456 bytesRelated Commands
Enables IP accounting on any interface based on the source and destination MAC address.
show interface precedence
To display precedence accounting information for interfaces configured for precedence accounting, use the show interface precedence EXEC command.
show interface [type number] precedence
Syntax Description
Command Modes
EXEC
Command History
Usage Guidelines
The show interface precedence command displays information for all interfaces configured for IP precedence accounting. To display information for a single interface, use the show interface type number precedence command.
For incoming packets on the interface, the accounting statistics are gathered before input CAR/DCAR is performed on the packet. Therefore, if CAR/DCAR changes the precedence on the packet, it is counted based on the old precedence setting with the show interface precedence command.
For outgoing packets on the interface, the accounting statistics are gathered after output DCAR or DWRED or DWFQ feature is performed on the packet.
To clear the accounting statistics, use the clear counter EXEC command.
To configure an interface for IP accounting based on IP precedence, use the ip accounting precedence interface configuration command.
Examples
The following is sample output from the show interface precedence command. This feature calculates the total packet and byte counts for the interface that receives (input) or sends (output) IP packets and sorts the results based on IP precedence.
Router# show interface ethernet 0/1/1 precedenceEthernet0/1/1InputPrecedence 0: 4 packets, 456 bytesOutputPrecedence 0: 4 packets, 456 bytesRelated Commands
show ip access-list
To display the contents of all current IP access lists, use the show ip access-list EXEC command.
show ip access-list [access-list-number | name]
Syntax Description
access-list-number
(Optional) Number of the IP access list to display.
name
(Optional) Name of the IP access list to display.
Defaults
Displays all standard and extended IP access lists.
Command Modes
EXEC
Command History
Usage Guidelines
The show ip access-list command provides output identical to the show access-lists command, except that it is IP-specific and allows you to specify a particular access list.
Examples
The following is sample output from the show ip access-list command when all are requested:
Router# show ip access-listExtended IP access list 101deny udp any any eq ntppermit tcp any anypermit udp any any eq tftppermit icmp any anypermit udp any any eq domainThe following is sample output from the show ip access-list command when the name of a specific access list is requested:
Router# show ip access-list InternetfilterExtended IP access list Internetfilterpermit tcp any 171.69.0.0 0.0.255.255 eq telnetdeny tcp any anydeny udp any 171.69.0.0 0.0.255.255 lt 1024deny ip any any logshow ip accounting
To display the active accounting or checkpointed database or to display access list violations, use the show ip accounting EXEC command.
show ip accounting [checkpoint] [output-packets | access-violations]
Syntax Description
Defaults
If neither the output-packets nor access-violations keyword is specified, show ip accounting displays information pertaining to packets that passed access control and were successfully routed.
Command Modes
EXEC
Command History
10.0
This command was introduced.
10.3
The following keywords were added:
•
•
Usage Guidelines
If you do not specify any keywords, the show ip accounting command displays information about the active accounting database.
To display IP access violations, you must give the access-violations keyword on the command. If you do not specify the keyword, the command defaults to displaying the number of packets that have passed access lists and were routed.
To use this command, you must first enable IP accounting on a per-interface basis.
Examples
The following is sample output from the show ip accounting command:
Router# show ip accountingSource Destination Packets Bytes131.108.19.40 192.67.67.20 7 306131.108.13.55 192.67.67.20 67 2749131.108.2.50 192.12.33.51 17 1111131.108.2.50 130.93.2.1 5 319131.108.2.50 130.93.1.2 463 30991131.108.19.40 130.93.2.1 4 262131.108.19.40 130.93.1.2 28 2552131.108.20.2 128.18.6.100 39 2184131.108.13.55 130.93.1.2 35 3020131.108.19.40 192.12.33.51 1986 95091131.108.2.50 192.67.67.20 233 14908131.108.13.28 192.67.67.53 390 24817131.108.13.55 192.12.33.51 214669 9806659131.108.13.111 128.18.6.23 27739 1126607131.108.13.44 192.12.33.51 35412 1523980192.31.7.21 130.93.1.2 11 824131.108.13.28 192.12.33.2 21 1762131.108.2.166 192.31.7.130 797 141054131.108.3.11 192.67.67.53 4 246192.31.7.21 192.12.33.51 15696 695635192.31.7.24 192.67.67.20 21 916131.108.13.111 128.18.10.1 16 1137accounting threshold exceeded for 7 packets and 433 bytesThe following is sample output from the show ip accounting access-violations command. The output pertains to packets that failed access lists and were not routed:
Router# show ip accounting access-violationsSource Destination Packets Bytes ACL131.108.19.40 192.67.67.20 7 306 77131.108.13.55 192.67.67.20 67 2749 185131.108.2.50 192.12.33.51 17 1111 140131.108.2.50 130.93.2.1 5 319 140131.108.19.40 130.93.2.1 4 262 77Accounting data age is 41The following is sample output from the show ip accounting command. The output shows the original source and destination addresses that are separated by three routers:
Router3# show ip accountingSource Destination Packets Bytes10.225.231.154 172.16.10.2 44 2816010.76.97.34 172.16.10.2 44 2816010.10.11.1 172.16.10.2 507 32448010.10.10.1 172.16.10.2 507 31839610.100.45.1 172.16.10.2 508 32512010.98.32.5 172.16.10.2 44 28160Accounting data age is 2Table 15 describes the fields shown in the displays.
Related Commands
show ip casa affinities
To display statistics about affinities, use the show ip casa affinities EXEC command.
show ip casa affinities [stats] | [saddr ipaddr [detail]] | [daddr ipaddr [detail]] | sport sport [detail]] | dport dport [detail]] | protocol protocol [detail]]
Syntax Description
Command Modes
EXEC
Command History
Examples
The following is sample output of the show ip casa affinities command:
Router# show ip casa affinitiesAffinity TableSource Address Port Dest Address Port Prot161.44.36.118 1118 172.26.56.13 19 TCP172.26.56.13 19 161.44.36.118 1118 TCPThe following is sample output of the show ip casa affinities detail command:
Router# show ip casa affinities detailAffinity TableSource Address Port Dest Address Port Prot161.44.36.118 1118 172.26.56.13 19 TCPAction Details:Interest Addr: 172.26.56.19 Interest Port: 1638Interest Packet: 0x0102 SYN FRAGInterest Tickle: 0x0005 FIN RSTDispatch (Layer 2): YES Dispatch Address: 172.26.56.33Source Address Port Dest Address Port Prot172.26.56.13 19 161.44.36.118 1118 TCPAction Details:Interest Addr: 172.26.56.19 Interest Port: 1638Interest Packet: 0x0104 RST FRAGInterest Tickle: 0x0003 FIN SYNDispatch (Layer 2): NO Dispatch Address: 0.0.0.0Table 16 describes significant fields shown in the display.
Related Commands
Specifies the port on which the forwarding agent will listen for wildcard and fixed affinities.
Displays operational information about the forwarding agent.
show ip casa oper
To display operational information about the forwarding agent, use the show ip casa oper EXEC command.
show ip casa oper
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
The following is sample output of the show ip casa oper command:
Router# show ip casa operCasa is ActiveCasa control address is 206.10.20.34/32Casa multicast address is 224.0.1.2Listening for wildcards on:Port:1637Current passwd:NONE Pending passwd:NONEPasswd timeout:180 sec (Default)Table 17 describes significant fields shown in the display.
Related Commands
show ip casa stats
To display statistical information about the forwarding agent, use the show ip casa stats EXEC command.
show ip casa stats
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
The following is sample output of the show ip casa stats command:
Router# show ip casa statsCasa is active:Wildcard Stats:Wildcards: 6 Max Wildcards: 6Wildcard Denies: 0 Wildcard Drops: 0Pkts Throughput: 441 Bytes Throughput: 39120Affinity Stats:Affinities: 2 Max Affinities: 2Cache Hits: 444 Cache Misses: 0Affinity Drops: 0Casa Stats:Int Packet: 4 Int Tickle: 0Casa Denies: 0 Drop Count: 0Table 18 describes significant fields shown in the display.
.
Related Commands
show ip casa wildcard
To display information about wildcard blocks, use the show ip casa wildcard EXEC command.
show ip casa wildcard [detail]
Syntax Description
Command Modes
EXEC
Command History
Examples
The following is sample output of the show ip casa wildcard command:
Router# show ip casa wildcardSource Address Source Mask Port Dest Address Dest Mask Port Prot0.0.0.0 0.0.0.0 0 172.26.56.2 255.255.255.255 0 ICMP0.0.0.0 0.0.0.0 0 172.26.56.2 255.255.255.255 0 TCP0.0.0.0 0.0.0.0 0 172.26.56.13 255.255.255.255 0 ICMP0.0.0.0 0.0.0.0 0 172.26.56.13 255.255.255.255 0 TCP172.26.56.2 255.255.255.255 0 0.0.0.0 0.0.0.0 0 TCP172.26.56.13 255.255.255.255 0 0.0.0.0 0.0.0.0 0 TCPThe following is sample output of the show ip casa wildcard detail command:
router# show ip casa wildcard detailSource Address Source Mask Port Dest Address Dest Mask Port Prot0.0.0.0 0.0.0.0 0 172.26.56.2 255.255.255.255 0 ICMPService Manager Details:Manager Addr: 172.26.56.19 Insert Time: 08:21:27 UTC 04/18/96Affinity Statistics:Affinity Count: 0 Interest Packet Timeouts: 0Packet Statistics:Packets: 0 Bytes: 0Action Details:Interest Addr: 172.26.56.19 Interest Port: 1638Interest Packet: 0x8000 ALLPKTSInterest Tickle: 0x0107 FIN SYN RST FRAGDispatch (Layer 2): NO Dispatch Address: 0.0.0.0Advertise Dest Address: YES Match Fragments: NOSource Address Source Mask Port Dest Address Dest Mask Port Prot0.0.0.0 0.0.0.0 0 172.26.56.2 255.255.255.255 0 TCPService Manager Details:Manager Addr: 172.26.56.19 Insert Time: 08:21:27 UTC 04/18/96Affinity Statistics:Affinity Count: 0 Interest Packet Timeouts: 0Packet Statistics:Packets: 0 Bytes: 0Action Details:Interest Addr: 172.26.56.19 Interest Port: 1638Interest Packet: 0x8102 SYN FRAG ALLPKTSInterest Tickle: 0x0005 FIN RSTDispatch (Layer 2): NO Dispatch Address: 0.0.0.0Advertise Dest Address: YES Match Fragments: NO
Note
Table 19 describes significant fields shown in the display.
Related Commands
show ip drp
To display information about the Director Response Protocol (DRP) Server Agent for DistributedDirector, use the show ip drp EXEC command.
show ip drp
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Examples
The following is sample output from the show ip drp command:
Router# show ip drpDirector Responder Protocol Agent is enabled717 director requests, 712 successful lookups, 5 failures, 0 no routeAuthentication is enabled, using "test" key-chainTable 20 describes the significant fields in the display.
Related Commands
Controls the sources of DRP queries to the DRP Server Agent.
Configures authentication on the DRP Server Agent for DistributedDirector.
show ip redirects
To display the address of a default gateway (router) and the address of hosts for which an Internet Control Message Protocol (ICMP) Redirect message has been received, use the show ip redirects EXEC command.
show ip redirects
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
