Post on 06-Apr-2018
8/3/2019 Commands - General
1/147
Commands - General
There are 3 different modes of operation within the Cisco IOS.
1. Disabled mode
2. Enabled mode3. Configuration mode
In the Disabled mode you can use a limited number of commands. This is used primarily to monitorthe router.
The Enabled mode is used to show configuration information, enter the configuration mode, andmake changes to the configuration.
The Configuration mode is used to enter and update the runtime configuration.
To get a list of the commands for the cisco type '?' at the prompt. To get further information aboutany command, type the command followed by a '?'.
clear Reset functions
clock Manage the system clock
configure Enter configuration mode
debug Debugging functions (see also 'undebug')
disable Turn off privileged commands
enable Turn on privileged commands
erase Erase flash or configuration memory
exit Exit from the EXEC
help Description of the interactive help system
login Log in as a particular user
logout Exit from the EXEC
no Disable debugging functions
ping Send echo messages
reload Halt and perform a cold restart
setup Run the SETUP command facility
show Show running system information
telnet Open a telnet connection
terminal Set terminal line parameters
test Test subsystems, memory, and interfaces
traceroute Trace route to destination
tunnel Open a tunnel connection
undebug Disable debugging functions (see also 'debug')verify Verify checksum of a Flash file
write Write running configuration to memory, network, or terminal
show
access-lists List access lists
arp ARP table
buffers Buffer pool statistics
configuration Contents of Non-Volatile memory
8/3/2019 Commands - General
2/147
controllers Interface controller status
debugging State of each debugging option
dialer Dialer parameters and statistics
extended Extended Interface Information
flash System Flash information
flh-log Flash Load Helper log buffer
history Display the session command history
hosts IP domain-name, lookup style, name servers, and host table
interfaces Interface status and configuration
ip IP information
isdn ISDN information
line TTY line information
logging Show the contents of logging buffers
memory Memory statistics
privilege Show current privilege level
processes Active process statistics
protocols Active network routing protocols
queue Show queue contentsqueueing Show queueing configuration
reload Scheduled reload information
route-map route-map information
running-config Current operating configuration
sessions Information about Telnet connections
smf Software MAC filter
stacks Process stack utilization
startup-config Contents of startup configuration
subsys Show subsystem information
tcp Status of TCP connections
terminal Display terminal configuration parametersusers Display information about terminal lines
version System hardware and software status
Other Useful Commands
View the Software VersionView the Ethernet IPView the Serial IPView the Default RouteView the FiltersView the BandwidthAdd a Static RouteChange the Dial NumberTurn Filters On and OffPing from the RouterTraceroute from the Router
IP Addressing Commands
http://tomax7.com/mcse/cisco_commands.htm#softwarehttp://tomax7.com/mcse/cisco_commands.htm#ethernet%20IPhttp://tomax7.com/mcse/cisco_commands.htm#serial%20IPhttp://tomax7.com/mcse/cisco_commands.htm#default%20routehttp://tomax7.com/mcse/cisco_commands.htm#filtershttp://tomax7.com/mcse/cisco_commands.htm#bandwidthhttp://tomax7.com/mcse/cisco_commands.htm#static%20routehttp://tomax7.com/mcse/cisco_commands.htm#change%20numberhttp://tomax7.com/mcse/cisco_commands.htm#turn%20filtershttp://tomax7.com/mcse/cisco_commands.htm#pinghttp://tomax7.com/mcse/cisco_commands.htm#traceroutehttp://tomax7.com/mcse/cisco_commands.htm#ethernet%20IPhttp://tomax7.com/mcse/cisco_commands.htm#serial%20IPhttp://tomax7.com/mcse/cisco_commands.htm#default%20routehttp://tomax7.com/mcse/cisco_commands.htm#filtershttp://tomax7.com/mcse/cisco_commands.htm#bandwidthhttp://tomax7.com/mcse/cisco_commands.htm#static%20routehttp://tomax7.com/mcse/cisco_commands.htm#change%20numberhttp://tomax7.com/mcse/cisco_commands.htm#turn%20filtershttp://tomax7.com/mcse/cisco_commands.htm#pinghttp://tomax7.com/mcse/cisco_commands.htm#traceroutehttp://tomax7.com/mcse/cisco_commands.htm#software8/3/2019 Commands - General
3/147
This chapter describes the function and displays the syntax for IP addressing commands. For moreinformation about defaults and usage guidelines, see the corresponding chapter of the NetworkProtocols Command Reference, Part 1.
arp (global)
To add a permanent entry in the Address Resolution Protocol (ARP) cache, use the arp globalconfiguration command. To remove an entry from the ARP cache, use the no form of thiscommand.
arp ip-address hardware-address type [alias]no arp ip-address hardware-address type [alias]
ip-address IP address in four-part dotted-decimal format corresponding to the local data linkaddress.
hardware-address
Local data link address (a 48-bit address).
type Encapsulation description. For Ethernet interfaces, this is typically the arpa keyword.For Fiber Distributed Data Interface (FDDI) and Token Ring interfaces, this is
always snap.
alias (Optional) Indicates that the Cisco IOS software should respond to ARP requests as ifit were the owner of the specified address.
arp (interface)
To control the interface-specific handling of IP address resolution into 48-bit Ethernet, FDDI, andToken Ring hardware addresses, use the arp interface configuration command. To disable anencapsulation type, use the no form of thiscommand.
arp {arpa | probe | snap}no arp {arpa | probe | snap}
arpa Standard Ethernet-style ARP (RFC 826).
probe HP Probe protocol for IEEE-802.3 networks.
snap ARP packets conforming to RFC 1042.
arp timeout
To configure how long an entry remains in the ARP cache, use the arptimeout interfaceconfiguration command. To restore the default value, use the no form of this command.
arp timeout secondsno arp timeout seconds
seconds Time (in seconds) that an entry remains in the ARP cache. A value of zero means thatentries are never cleared from the cache.
clear arp-cache
To delete all dynamic entries from the ARP cache, to clear the fast-switching cache, and to clear theIP route cache, use the clear arp-cache EXEC command.
8/3/2019 Commands - General
4/147
clear arp-cache
clear host
To delete entries from the host-name-and-address cache, use the clear host EXEC command.
clear host {name |*}
name Particular host entry to remove.
* Removes all entries.
clear ip nat translation
To clear dynamic Network Address Translation (NAT) translations from the translation table, usethe clear ip nat translation EXEC command.
clear ip nat translation {* | [inside global-ip local-ip] [outside local-ipglobal-ip]}
clear ip nat translationprotocolinside global-ip global-port local-ip local-port[outsidelocal-ipglobal-ip]
* Clears all dynamic translations.
inside Clears the inside translations containing the specified global-ip and local-ip addresses.
global-ip When used without the argumentsprotocol, global-port, and local-port, clears a simpletranslation that also contains the specified local-ip address. When used with theargumentsprotocol, global-port, and local-port, clears an extended translation.
local-ip (Optional) Clears an entry that contains this local IP address and the specified global-ip address.
outside Clears the outside translations containing the specified global-ip and local-ip addresses.
protocol (Optional) Clears an entry that contains this protocol and the specified global-
ip address, local-ip address, global-port, andlocal-port.global-
port(Optional) Clears an entry that contains this global-portand the specifiedprotocol, global-ip address, local-ip address, andlocal-port.
local-port
(Optional) Clears an entry that contains this local-portand the specifiedprotocol, global-ip address, local-ip address, andglobal-port.
clear ip nhrp
To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, usethe clear ip nhrp EXEC command.
clear ip nhrp
clear ip route
To delete routes from the IP routing table, use the clear ip route EXEC command.
clear ip route {network[mask]| *}
networkNetwork or subnet address to remove.
mask (Optional) Subnet address to remove.
8/3/2019 Commands - General
5/147
* Removes all routing table entries.
ip address
To set a primary or secondary IP address for an interface, use the ip address interfaceconfiguration command. To remove an IP address or disable IP processing, use the no form of this
command.
ip address ip-address mask[secondary]no ip address ip-address mask[secondary]
ip-address IP address.
mask Mask for the associated IP subnet.
secondary (Optional) Specifies that the configured address is a secondary IP address. If thiskeyword is omitted, the configured address is the primary IP address.
ip broadcast-address
To define a broadcast address for an interface, use the ip broadcast-address interfaceconfiguration command. To restore the default IP broadcast address, use the no form of thiscommand.
ip broadcast-address [ip-address]no ip broadcast-address [ip-address]
ip-address (Optional) IP broadcast address for a network.
ip classless
At times the router might receive packets destined for a subnet of a network that has no network
default route. To have the Cisco IOS software forward such packets to the best supernet routepossible, use the ip classless global configuration command. To disable this feature, usethe no form of this command.
ip classlessno ip classless
ip default-gateway
To define a default gateway (router) when IP routing is disabled, use the ip default-gateway globalconfiguration command. To disable this function, use the no form of this command.
ip default-gateway ip-address
no ip default-gateway ip-address
ip-address IP address of the router.
ip directed-broadcast
To enable the translation of directed broadcast to physical broadcasts, use the ip directed-broadcast interface configuration command. To disable this function, use the no form of thiscommand.
8/3/2019 Commands - General
6/147
ip directed-broadcast [access-list-number]no ip directed-broadcast [access-list-number]
access-list-number
(Optional) Number of the access list. If specified, a broadcast must pass the accesslist to be forwarded. If not specified, all broadcasts are forwarded.
ip domain-list
To define a list of default domain names to complete unqualified host names, use the ip domain-list global configuration command. To delete a name from a list, use the no form of this command.
ip domain-list nameno ip domain-list name
name Domain name. Do not include the initial period that separates an unqualified name from thedomain name.
ip domain-lookup
To enable the IP Domain Naming System (DNS)-based host name-to-address translation, usethe ip domain-lookup global configuration command. To disable the DNS, use the no form of thiscommand.
ip domain-lookupno ip domain-lookup
ip domain-lookup nsap
To allow DNS queries for Connectionless Network System (CLNS) addresses, use the ip domain-lookup nsap global configuration command. To disable this feature, use the no form of thiscommand.
ip domain-lookup nsapno ip domain-lookup nsap
ip domain-name
To define a default domain name that the Cisco IOS software uses to complete unqualified hostnames (names without a dotted-decimal domain name), use the ip domain-name globalconfiguration command. To disable use of the DNS, use the no form of this command.
ip domain-name nameno ip domain-name
name Default domain name used to complete unqualified host names. Do not include the initialperiod that separates an unqualified name from the domain name.
ip forward-protocol
To specify which protocols and ports the router forwards when forwarding broadcast packets, usethe ip forward-protocol global configuration command. To remove a protocol or port, usethe no form of this command.
8/3/2019 Commands - General
7/147
ip forward-protocol {udp [port] | nd | sdns}no ip forward-protocol {udp [port] | nd | sdns}
udp Forward User Datagram Protocol (UDP) datagrams. See the "Default" section below for a listof port numbers forwarded by default.
port (Optional) Destination port that controls which UDP services are forwarded.
nd Forward Network Disk (ND) datagrams. This protocol is used by older diskless Sunworkstations.
sdns Secure Data Network Service.
ip forward-protocol any-local-broadcast
To forward any broadcasts including local subnet broadcasts, use the ip forward-protocol any-local-broadcast global configuration command. To disable this type of forwarding, use the no formof this command.
ip forward-protocol any-local-broadcastno ip forward-protocol any-local-broadcast
ip forward-protocol spanning-tree
To permit IP broadcasts to be flooded throughout the internetwork in a controlled fashion, usethe ip forward-protocol spanning-tree global configuration command. To disable the flooding ofIP broadcasts, use the no form of this command.
ip forward-protocol spanning-treeno ip forward-protocol spanning-tree
ip forward-protocol turbo-flood
To speed up flooding of User Datagram Protocol (UDP) datagrams using the spanning-tree
algorithm, use the ip forward-protocol turbo-flood global configuration command. To disable thisfeature, use the no form of this command.
ip forward-protocol turbo-floodno ip forward-protocol turbo-flood
ip helper-address
To have the Cisco IOS software forward User Datagram Protocol (UDP) broadcasts, includingBOOTP, received on an interface, use the ip helper-address interface configuration command. Todisable the forwarding of broadcast packets to specific addresses, use the no form of thiscommand.
ip helper-address addressno ip helper-address address
address Destination broadcast or host address to be used when forwarding UDP broadcasts. Therecan be more than one helper address per interface.
ip host
8/3/2019 Commands - General
8/147
To define a static host name-to-address mapping in the host cache, use the ip host globalconfiguration command. Toremove the name-to-address mapping, use the no form of thiscommand.
ip host name [tcp-port-number] address1 [address2...address8]no ip host name address1
name Name of the host. The first character can be either a letter or a number. If youuse a number, the operations you can perform are limited.
tcp-port-number (Optional) TCP port number to connect to when using the defined host name inconjunction with an EXEC connect or Telnet command. The default is Telnet(port 23).
address1 Associated IP address.
address2...address8(Optional) Additional associated IP address. You can bind up to eightaddresses to a host name.
ip hp-host
To enter into the host table the host name of an HP host to be used for HP Probe Proxy service,use the ip hp-host global configuration command. To remove a host name, use the no form of thiscommand.
ip hp-host hostname ip-addressno ip hp-host hostname ip-address
hostname Name of the host.
ip-address IP address of the host.
ip irdp
To enable ICMP Router Discovery Protocol (IRDP) processing on an interface, use the ipirdpinterface configuration command. To disable IRDP routing, use the no form of this command.
ip irdp [multicast | holdtime seconds | maxadvertinterval seconds | minadvertinterval
seconds | preference number| address address [number]]no ip irdp
multicast (Optional) Use the multicast address (224.0.0.1) instead of IPbroadcasts.
holdtime seconds (Optional) Length of time in seconds advertisements are held valid.Default is three times themaxadvertinterval value. Must be greaterthan maxadvertinterval and cannot be greater than 9000 seconds.
maxadvertintervalseconds (Optional) Maximum interval in seconds between advertisements. The
default is 600 seconds.minadvertintervalseconds (Optional) Minimum interval in seconds between advertisements. The
default is 0.75 times themaxadvertinterval. If you changethe maxadvertinterval value, this value defaults to three-quarters ofthe new value.
preferencenumber (Optional) Preference value. The allowed range is -231 to 231. Thedefault is 0. A higher value increases the router's preference level. Youcan modify a particular router so that it will be the preferred router towhich others home.
8/3/2019 Commands - General
9/147
address address[number] (Optional) IP address (address) to proxy-advertise, and optionally, itspreference value (number).
ip mobile arp
To enable local-area mobility, use the ip mobile arp interface configuration command. To disable
local-area mobility, use the noform of this command.
ip mobile arp [timers keepalive hold-time] [access-group access-list-number| name]no ip mobile arp [timers keepalive hold-time] [access-group access-list-number| name]
timers (Optional) Indicates that you are setting local-area mobility timers.
keepalive (Optional) Frequency, in seconds, at which the Cisco IOS software sends unicast ARPmessages to a relocated host to verify that the host is present and has not moved. Thedefault keepalive time is 300 seconds (5 minutes).
hold-time (Optional) Hold time, in seconds. This is the length of time the software considers that arelocated host is present without receiving some type of ARP broadcast or unicast fromthe host. Normally, the hold time should be at least three times greater than the
keepalive time. The default hold time is 900 seconds (15 minutes).access-group
(Optional) Indicates that you are applying an access list. This access list applies only tolocal-area mobility.
access-list-number
(Optional) Number of a standard IP access list. It is a decimal number from 1 to 99.Only hosts with addresses permitted by this access list are accepted for local-areamobility.
name (Optional) Name of an IP access list. The name cannot contain a space or quotationmark, and must begin with an alphabetic character to avoid ambiguity with numberedaccess lists.
ip name-server
To specify the address of one or more name servers to use for name and address resolution, use
the ip name-serverglobal configuration command. To remove the addresses specified, usethe no form of this command.
ip name-serverserver-address1[[server-address2]...server-address6]no ip name-serverserver-address1[[server-address2]...server-address6]
server-address1 IP addresses of name server.
server-address2...server-address6
(Optional) IP addresses of additional name servers (a maximum ofsix name servers).
ip nat
To designate that traffic originating from or destined for the interface is subject to Network AddressTranslation (NAT), use the ip natinterface configuration command. To prevent the interface frombeing able to translate, use the no form of this command.
ip nat {inside | outside}no ip nat {inside | outside}
inside Indicates the interface is connected to the inside network (the network subject to NATtranslation).
8/3/2019 Commands - General
10/147
outside Indicates the interface is connected to the outside network.
ip nat inside destination
To enable Network Address Translation (NAT) of the inside destination address, use the ip natinside destination global configuration command. To remove the dynamic association to a pool,
use the no form of this command.
ip nat inside destination list {access-list-number| name}pool nameno ip nat inside destination list {access-list-number| name}
list access-list-number
Standard IP access list number. Packets with destination addresses that pass theaccess list are translated using global addresses from the named pool.
list name Name of a standard IP access list. Packets with destination addresses that passthe access list are translated using global addresses from the named pool.
pool name Name of the pool from which global IP addresses are allocated during dynamictranslation.
ip nat inside source
To enable Network Address Translation (NAT) of the inside source address, use the ip nat insidesource global configuration command. To remove the static translation or remove the dynamicassociation to a pool, use the no form of this command.
ip nat inside source {list {access-list-number| name}pool name [overload] | static local-ip
global-ip}no ip nat inside source {list {access-list-number| name}pool name [overload] | static local-ipglobal-ip}
listaccess-list-number
Standard IP access list number. Packets with source addresses that pass the accesslist are dynamically translated using global addresses from the named pool.
list name Name of a standard IP access list. Packets with source addresses that pass theaccess list are dynamically translated using global addresses from the named pool.
pool name Name of the pool from which global IP addresses are allocated dynamically.
overload (Optional) Enables the router to use one global address for many local addresses.When overloading is configured, each inside host's TCP or UDP port numberdistinguishes between the multiple conversations using the same local IP address.
staticlocal-ip Sets up a single static translation; this argument establishes the local IP addressassigned to a host on the inside network. The address could be randomly chosen,allocated from RFC 1918, or obsolete.
global-ip Sets up a single static translation; this argument establishes the globally unique IPaddress of an inside host as it appears to the outside world.
ip nat outside source
To enable Network Address Translation (NAT) of the outside source address, use the ip natoutside source global configuration command. To remove the static entry or the dynamicassociation, use the no form of this command.
8/3/2019 Commands - General
11/147
ip nat outside source {list {access-list-number| name}pool name | static global-ip local-ip}no ip nat outside source {list {access-list-number| name}pool name | static global-ip local-ip}
list access-list-number
Standard IP access list number. Packets with source addresses that pass theaccess list are translated using global addresses from the named pool.
list name Name of a standard IP access list. Packets with source addresses that pass theaccess list are translated using global addresses from the named pool.
pool name Name of the pool from which global IP addresses are allocated.
staticglobal-ip Sets up a single static translation. This argument establishes the globally unique IPaddress assigned to a host on the outside network by its owner. It was allocatedfrom globally routable network space.
local-ip Sets up a single static translation. This argument establishes the local IP addressof an outside host as it appears to the inside world. The address was allocated fromaddress space routable on the inside (RFC 1918, perhaps).
ip nat pool
To define a pool of IP addresses for Network Address Translation (NAT), use the ip nat pool globalconfiguration command. To remove one or more addresses from the pool, use the no form of thiscommand.
ip nat pool namestart-ip end-ip {netmask netmask| prefix-lengthprefix-length}
[type rotary]no ip nat pool namestart-ip end-ip {netmask netmask| prefix-lengthprefix-length}
[type rotary]
name Name of the pool.
start-ip Starting IP address that defines the range of addresses in the address pool.
end-ip Ending IP address that defines the range of addresses in the address pool.
netmasknetmask Network mask that indicates which address bits belong to the network andsubnetwork fields and which bits belong to the host field. Specify the netmaskof the network to which the pool addresses belong.
prefix-lengthprefix-length
Number that indicates how many bits of the netmask are ones (how many bitsof the address indicate network). Specify the netmask of the network to whichthe pool addresses belong.
typerotary (Optional) Indicates that the range of address in the address pool identify real,inside hosts among which TCP load distribution will occur.
ip nat translation
To change the amount of time after which Network Address Translation (NAT) translations time out,use the ip nat translationglobal configuration command. To disable the timeout, use the no form of
this command.
ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout}secondsno ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout}
timeout Specifies that the timeout value applies to dynamic translations except for overloadtranslations. Default is 86400 seconds (24 hours).
udp- Specifies that the timeout value applies to the UDP port. Default is 300 seconds (5
8/3/2019 Commands - General
12/147
timeout minutes).
dns-timeout
Specifies that the timeout value applies to connections to the Domain Naming System(DNS). Default is 60 seconds.
tcp-timeout Specifies that the timeout value applies to the TCP port. Default is 86400 seconds (24hours).
finrst-
timeout
Specifies that the timeout value applies to Finish and Reset TCP packets, which
terminate a connection. Default is 60 seconds.seconds Number of seconds after which the specified port translation times out. Default values
are listed in the Default section.
ip netmask-format
To specify the format in which netmasks are displayed in show command output, usethe ip netmask-format line configuration command. To restore the default display format, usethe no form of this command.
ip netmask-format {bitcount | decimal | hexadecimal}no ip netmask-format [bitcount | decimal | hexadecimal]
bitcount Addresses are followed by a slash and the total number of bits in the netmask. Forexample, 131.108.11.0/24 indicates that the netmask is 24 bits.
decimal Network masks are displayed in dotted decimal notation (for example,255.255.255.0).
hexadecimal Network masks are displayed in hexadecimal format, as indicated by the leading 0X(for example, 0XFFFFFF00).
ip nhrp authentication
To configure the authentication string for an interface using Next Hop Resolution Protocol (NHRP),use the ip nhrp authenticationinterface configuration command. To remove the authenticationstring, use the no form of this command.
ip nhrp authentication stringno ip nhrp authentication [string]
stringAuthentication string configured for the source and destination stations that controls whetherNHRP stations allow intercommunication. The string can be up to 8 characters long.
ip nhrp holdtime
To change the number of seconds that NHRP nonbroadcast, multiaccess (NBMA) addresses areadvertised as valid in authoritative NHRP responses, use the ip nhrp holdtime interfaceconfiguration command. To restore the default value, use the no form of this command.
ip nhrp holdtime seconds-positive [seconds-negative]no ip nhrp holdtime [seconds-positive [seconds-negative]]
seconds-positive
Time in seconds that NBMA addresses are advertised as valid in positiveauthoritative NHRP responses.
seconds-negative
(Optional) Time in seconds that NBMA addresses are advertised as valid in negativeauthoritative NHRP responses.
8/3/2019 Commands - General
13/147
ip nhrp interest
To control which IP packets can trigger sending a Next Hop Resolution Protocol (NHRP) Request,use the ip nhrp interest interface configuration command. To restore the default value, usethe no form of this command.
ip nhrp interest access-list-numberno ip nhrp interest [access-list-number]
access-list-numberStandard or extended IP access list number in the range 1 to 199.
ip nhrp map
To statically configure the IP-to-NBMA address mapping of IP destinations connected to anonbroadcast, multiaccess (NBMA) network, use the ip nhrp map interface configurationcommand. To remove the static entry from NHRP cache, use the no form of this command.
ip nhrp map ip-address nbma-address
no ip nhrp map ip-address nbma-address
ip-address
IP address of the destinations reachable through the NBMA network. This address ismapped to the NBMA address.
nbma-address
NBMA address that is directly reachable through the NBMA network. The address formatvaries depending on the medium you are using. For example, ATM has an NSAPaddress, Ethernet has a MAC address, and SMDS has an E.164 address. This address ismapped to the IP address.
ip nhrp map multicast
To configure NBMA addresses used as destinations for broadcast or multicast packets to be sentover a tunnel network, use the ip nhrp map multicast interface configuration command. To remove
the destinations, use the no form of this command.
ip nhrp map multicast nbma-addressno ip nhrp map multicast nbma-address
nbma-address
Nonbroadcast, multiaccess (NBMA) address which is directly reachable through theNBMA network. The address format varies depending on the medium you are using.
ip nhrp max-send
To change the maximum frequency at which NHRP packets can be sent, use the ip nhrp max-send interface configuration command. To restore this frequency to the default value, use
the no form of this command.
ip nhrp max-sendpkt-countevery intervalno ip nhrp max-send
pkt-count Number of packets which can be transmitted in the range from 1 to 65535. Default is5 packets.
every intervalTime (in seconds) in the range from 10 to 65535. Default is 10 seconds.
8/3/2019 Commands - General
14/147
ip nhrp network-id
To enable the Next Hop Resolution Protocol (NHRP) on an interface, use the ip nhrp network-id interface configuration command. To disable NHRP on the interface, use the no form of thiscommand.
ip nhrp network-id numberno ip nhrp network-id [number]
numberGlobally unique, 32-bit network identifier for a nonbroadcast, multiaccess (NBMA) network.The range is 1 to 4294967295.
ip nhrp nhs
To specify the address of one or more NHRP Next Hop Servers, use the ip nhrp nhs interfaceconfiguration command. To remove the address, use the no form of this command.
ip nhrp nhs nhs-address [net-address [netmask]]
no ip nhrp nhs nhs-address [net-address [netmask]]
nhs-address
Address of the Next Hop Server being specified.
net-address
(Optional) IP address of a network served by the Next Hop Server.
netmask (Optional) IP network mask to be associated with the netIP address. The netIP addressis logically ANDed with the mask.
ip nhrp record
To re-enable the use of forward record and reverse record options in NHRP Request and Replypackets, use the ip nhrp recordinterface configuration command. To suppress the use of suchoptions, use the no form of this command.
ip nhrp recordno ip nhrp record
ip nhrp responder
To designate which interface's primary IP address the Next Hop Server will use in NHRP Replypackets when the NHRP requestor uses the Responder Address option, use the ip nhrpresponderinterface configuration command. To remove the designation, use the no form of thiscommand.
ip nhrp respondertype numberno ip nhrp responder [type] [number]
type Interface type whose primary IP address is used when a Next Hop Server complies with aResponder Address option (for example, serial, tunnel).
number Interface number whose primary IP address is used when a Next Hop Server complies witha Responder Address option.
ip nhrp use
8/3/2019 Commands - General
15/147
To configure the software so that NHRP is deferred until the system has attempted to send datatraffic to a particular destination multiple times, use the ip nhrp use interface configurationcommand. To restore the default value, use the no form of this command.
ip nhrp use usage-countno ip nhrp use usage-count
usage-countPacket count in the range from 1 to 65535. Default is 1.
ip probe proxy
To enable the HP Probe Proxy support, which allows the Cisco IOS software to respond to HPProbe Proxy Name requests, use theip probe proxy interface configuration command. To disableHP Probe Proxy, use the no form of this command.
ip probe proxyno ip probe proxy
ip proxy-arp
To enable proxy ARP on an interface, use the ip proxy-arp interface configuration command. Todisable proxy ARP on the interface, use the no form of this command.
ip proxy-arpno ip proxy-arp
ip redirects
To enable the sending of redirect messages if the Cisco IOS software is forced to resend a packetthrough the same interface on which it was received, use the ip redirects interface configurationcommand. To disable the sending of redirect messages, use theno form of this command.
ip redirectsno ip redirects
ip routing
To enable IP routing, use the ip routing global configuration command. To disable IP routing, usethe no form of this command.
ip routingno ip routing
ip subnet-zero
To enable the use of subnet zero for interface addresses and routing updates, use the ip subnet-zero global configuration command. To restore the default, use the no form of this command.
ip subnet-zerono ip subnet-zero
ip unnumbered
8/3/2019 Commands - General
16/147
To enable IP processing on a serial interface without assigning an explicit IP address to theinterface, use the ip unnumberedinterface configuration command.To disable the IP processingon the interface, use the no form of this command.
ip unnumbered type numberno ip unnumbered type number
typenumber
Type and number of another interface on which the router has an assigned IP address. Itcannot be another unnumbered interface.
ping (privileged)
To check host reachability and network connectivity, use the ping (IP packet internet groperfunction) privileged EXEC command.
ping [protocol] {host| address}
protocol(Optional) Protocol keyword. The default is IP.
host Host name of system to ping.address IP address of system to ping.
ping (user)
To check host reachability and network connectivity, use the ping (IP packet internet groperfunction) user EXEC command.
ping [protocol] {host| address}
protocol(Optional) Protocol keyword. The default is IP.
host Host name of system to ping.
address IP address of system to ping.
show arp
To display the entries in the ARP table, use the show arp privileged EXEC command.
show arp
show hosts
To display the default domain name, the style of name lookup service, a list of name server hosts,and the cached list of host names and addresses, use the show hosts EXEC command.
show hosts
show ip aliases
To display the IP addresses mapped to TCP ports (aliases) and SLIP addresses, which are treatedsimilarly to aliases, use theshow ip aliases EXEC command.
show ip aliases
8/3/2019 Commands - General
17/147
show ip arp
To display the Address Resolution Protocol (ARP) cache, where SLIP addresses appear aspermanent ARP table entries, use theshow ip arp EXEC command.
show ip arp [ip-address] [hostname] [mac-address] [type number]
ip-address (Optional) ARP entries matching this IP address are displayed.
hostname (Optional) Host name.
mac-address (Optional) 48-bit MAC address.
type number (Optional) ARP entries learned via this interface type and number are displayed.
show ip interface
To display the usability status of interfaces configured for IP, use the show ip interface EXECcommand.
show ip interface [type number]
type (Optional) Interface type.
number(Optional) Interface number.
show ip irdp
To display IRDP values, use the show ip irdp EXEC command.
show ip irdp
show ip masks
To display the masks used for network addresses and the number of subnets using each mask, usethe show ip masks EXEC command.
show ip masks address
address Network address for which a mask is required.
show ip nat statistics
To display Network Address Translation (NAT) statistics, use the show ip nat statistics EXECcommand.
show ip nat statistics
show ip nat translations
To display active Network Address Translation (NAT) translations, use the show ip nattranslations EXEC command.
show ip nat translations [verbose]
8/3/2019 Commands - General
18/147
verbose (Optional) Displays additional information for each translation table entry, including howlong ago the entry was created and used.
show ip nhrp
To display the Next Hop Resolution Protocol (NHRP) cache, use the show ip nhrp EXEC
command.
show ip nhrp [dynamic | static] [type number]
dynamic (Optional) Displays only the dynamic (learned) IP-to-NBMA address cache entries.
static (Optional) Displays only the static IP-to-NBMA address entries in the cache (configuredthrough the ip nhrp mapcommand).
type (Optional) Interface type about which to display the NHRP cache (forexample, atm, tunnel).
number (Optional) Interface number about which to display the NHRP cache.
show ip nhrp traffic
To display Next Hop Resolution Protocol (NHRP) traffic statistics, use the show ip nhrptraffic EXEC command.
show ip nhrp traffic
show ip redirects
To display the address of a default gateway (router) and the address of hosts for which a redirecthas been received, use the show ip redirects EXEC command.
show ip redirects
term ip netmask-format
To specify the format in which netmasks are displayed in show command output, usethe term ip netmask-format EXEC command. To restore the default display format, usethe no form of this command.
term ip netmask-format {bitcount | decimal | hexadecimal}term no ip netmask-format [bitcount | decimal | hexadecimal]
bitcount Addresses are followed by a slash and the total number of bits in the netmask. Forexample, 131.108.11.55/24 indicates that the netmask is 24 bits.
decimal Netmasks are displayed in dotted decimal notation (for example, 255.255.255.0).hexadecimal Netmasks are displayed in hexadecimal format, as indicated by the leading 0X (for
example, 0XFFFFFF00).
trace (privileged)
To discover the routes the packets follow when traveling to their destination from the router, usethe trace privileged EXEC command.
8/3/2019 Commands - General
19/147
trace[destination]
destination (Optional) Destination address or host name on the command line. The defaultparameters for the appropriate protocol are assumed and the tracing action begins.
trace (user)
To discover the routes the router packets follow when traveling to their destination, usethe trace user EXEC command.
trace ip destination
destination Destination address or host name on the command line. The default parameters for theappropriate protocol are assumed and the tracing action begins.
tunnel mode
To set the encapsulation mode for the tunnel interface, use the tunnel mode interface configuration
command. To set to the default, use the no form of this command.
tunnel mode {aurp | cayman | dvmrp | eon | gre ip [multipoint] | nos}no tunnel mode
aurp AppleTalk Update-Based Routing Protocol (AURP).
cayman Cayman TunnelTalk AppleTalk encapsulation.
dvmrp Distance Vector Multicast Routing Protocol.
eon EON compatible CLNS tunnel.
gre ip Generic routing encapsulation (GRE) protocol over IP.
multipoint (Optional) Enables a GRE tunnel to be used in a multipoint fashion. Can be used withthe gre ip keyword only, and requires the use of the tunnel key command.
nos KA9Q/NOS compatible IP over IP.
IP Services Commands
Use the commands in this chapter to configure various IP services. For configuration informationand examples on IP services, refer to the "Configuring IP Services" chapter of the NetworkProtocols Configuration Guide, Part 1.
access-class
To restrict incoming and outgoing connections between a particular virtual terminal line (into a Ciscodevice) and the addresses in an access list, use the access-class line configuration command. Toremove access restrictions, use the no form of this command.
access-classaccess-list-number{in | out}
no access-classaccess-list-number{in | out}
8/3/2019 Commands - General
20/147
Syntax Description
access-list-number
Number of an IP access list. This is a decimal number from 1to 199 or from 1300 to 2699.
in Restricts incoming connections between a particular Ciscodevice and the addresses in the access list.
out Restricts outgoing connections between a particular Ciscodevice and the addresses in the access list.
Defaults
No access lists are defined.
Command Modes
Line configuration
Command History
Release Modification
10.0 This command was introduced.
Usage Guidelines
Remember to set identical restrictions on all the virtual terminal lines because a user can connect toany of them.
To display the access lists for a particular terminal line, use the show line EXEC command andspecify the line number.
Examples
The following example defines an access list that permits only hosts on network 192.89.55.0 toconnect to the virtual terminal ports on the router:
access-list 12 permit 192.89.55.0 0.0.0.255line 1 5access-class 12 in
The following example defines an access list that denies connections to networks other than
network 36.0.0.0 on terminal lines 1 through 5:
access-list 10 permit 36.0.0.0 0.255.255.255line 1 5access-class 10 out
Related Commands
Command Description
8/3/2019 Commands - General
21/147
show line Displays the parameters of a terminal line.
access-list (IP extended)
To define an extended IP access list, use the extended version of the access-list globalconfiguration command. To remove the access lists, use the no form of this command.
access-listaccess-list-number[dynamicdynamic-name [timeoutminutes]] {deny | permit} protocolsourcesource-wildcarddestinationdestination-wildcard[precedenceprecedence] [tostos][log | log-input] [fragments]
noaccess-listaccess-list-number
Internet Control Message Protocol (ICMP)
access-listaccess-list-number[dynamicdynamic-name [timeoutminutes]] {deny | permit} icmpsourcesource-wildcarddestinationdestination-wildcard[icmp-type | [[icmp-type icmp-code] | [icmp-message]] [precedenceprecedence] [tostos] [log |log-input] [fragments]
Internet Group Management Protocol (IGMP)
access-listaccess-list-number[dynamicdynamic-name [timeoutminutes]] {deny | permit} igmpsource source-wildcard destination destination-wildcard[igmp-type] [precedenceprecedence][tos tos] [log | log-input] [fragments]
TCP
access-listaccess-list-number[dynamicdynamic-name [timeoutminutes]] {deny | permit} tcpsource source-wildcard[operator port[port]] destination destination-wildcard[operator
port[port]] [established] [precedenceprecedence] [tos tos] [log | log-input] [fragments]
User Datagram Protocol (UDP)
access-listaccess-list-number[dynamicdynamic-name [timeoutminutes]] {deny | permit}udpsource source-wildcard[operator port[port]] destinationdestination-wildcard[operator
port[port]] [precedenceprecedence] [tos tos] [log | log-input] [fragments]
Caution Enhancements to this command are backward compatible; migrating from releases prior
to Release 11.1 will convert your access lists automatically. However, releases prior to
Release 11.1 are not upwardly compatible with these enhancements. Therefore, if you save an
access list with these images and then use software prior to Release 11.1, the resulting access list
will not be interpreted correctly. This could cause you severe security problems. Save your old
configuration file before booting these images.
8/3/2019 Commands - General
22/147
Syntax Description
access-list-number Number of an access list. This is a decimal numberfrom 100 to 199 or from 2000 to 2699.
dynamicdynamic-name (Optional) Identifies this access list as a dynamicaccess list. Refer to lock-and-key access documented
in the "Configuring Lock-and-Key Security (DynamicAccess Lists)" chapter in the Security ConfigurationGuide.
timeoutminutes (Optional) Specifies the absolute length of time (inminutes) that a temporary access list entry can remainin a dynamic access list. The default is an infinitelength of time and allows an entry to remainpermanently. Refer to lock-and-key accessdocumented in the "Configuring Lock-and-KeySecurity (Dynamic Access Lists)" chapter inthe Security Configuration Guide.
deny Denies access if the conditions are matched.
permit Permits access if the conditions are matched.
protocol Name or number of an IP protocol. It can be one of thekeywords eigrp, gre,icmp,igmp, igrp, ip, ipinip, nos, ospf, pim, tcp,orudp, or an integer in the range 0 to 255representing an IP protocol number. To match anyInternet protocol (including ICMP, TCP, and UDP) usethe keyword ip. Some protocols allow further qualifiersdescribed below.
source Number of the network or host from which the packetis being sent. There are three alternative ways tospecify the source:
Use a 32-bit quantity in four-part, dotted-decimalformat.
Use the keyword any as an abbreviation fora source and source-wildcardof 0.0.0.0255.255.255.255.
Use hostsource as an abbreviation fora source and source-wildcardofsource0.0.0.0.
source-wildcard Wildcard bits to be applied to source. Each wildcard bitset to zero indicates that the corresponding bit position
in the packet's ip address must exactly match the bitvalue in the corresponding bit position in the source.Each wildcard bit set to one indicates that both a zerobit and a one bit in the corresponding position of thepacket's ip address will be considered a match to thisaccess list entry.
There are three alternative ways to specify the source
8/3/2019 Commands - General
23/147
wildcard:
Use a 32-bit quantity in four-part, dotted-decimalformat. Place ones in the bit positions you want toignore. For example, 0.0.255.255 to require an exact
match of only the first 16 bits of the source.
Use the keyword any as an abbreviation fora source and source-wildcardof 0.0.0.0255.255.255.255.
Use hostsource as an abbreviation fora source and source-wildcardofsource0.0.0.0.
Wildcard bits set to one do not need to be contiguousin the source-wildcard. For example, a source-wildcardof 0.255.0.64 would be valid.
destination Number of the network or host to which the packet isbeing sent. There are three alternative ways to specifythe destination:
Use a 32-bit quantity in four-part, dotted-decimalformat.
Use the keyword any as an abbreviation forthe destination and destination-wildcardof 0.0.0.0255.255.255.255.
Use hostdestination as an abbreviation for
a destination and destination-wildcardofdestination 0.0.0.0.
destination-wildcard Wildcard bits to be applied to the destination. Thereare three alternative ways to specify the destinationwildcard:
Use a 32-bit quantity in four-part, dotted-decimalformat. Place ones in the bit positions you want toignore.
Use the keyword any as an abbreviation fora destination and destination-wildcardof 0.0.0.0255.255.255.255.
Use hostdestination as an abbreviation fora destination and destination-wildcardofdestination 0.0.0.0.
precedenceprecedence (Optional) Packets can be filtered by precedence level,as specified by a number from 0 to 7 or by name aslisted in the section "Usage Guidelines."
8/3/2019 Commands - General
24/147
tos tos (Optional) Packets can be filtered by type of servicelevel, as specified by a number from 0 to 15 or byname as listed in the section "Usage Guidelines."
icmp-type (Optional) ICMP packets can be filtered by ICMPmessage type. The type is a number from 0 to 255.
icmp-code (Optional) ICMP packets that are filtered by ICMPmessage type can also be filtered by the ICMPmessage code. The code is a number from 0 to 255.
icmp-message (Optional) ICMP packets can be filtered by an ICMPmessage type name or ICMP message type and codename. The possible names are found in the section"Usage Guidelines."
igmp-type (Optional) IGMP packets can be filtered by IGMPmessage type or message name. A message type is anumber from 0 to 15. IGMP message names are listedin the section "Usage Guidelines."
operator (Optional) Compares source or destination ports.Possible operands include lt (less than),gt (greaterthan), eq (equal), neq (not equal),and range (inclusive range).
If the operator is positioned afterthe source and source-wildcard, it must match thesource port.
If the operator is positioned afterthe destination and destination-wildcard, it must matchthe destination port.
The range operator requires two port numbers. Allother operators require one port number.
port (Optional) The decimal number or name of a TCP orUDP port. A port number is a number from 0 to 65535.TCP port names are listed in the section "UsageGuidelines." TCP port names can only be used whenfiltering TCP. UDP port names are listed in the section"Usage Guidelines." UDP port names can only beused when filtering UDP.
TCP port names can only be used when filtering TCP.UDP port names can only be used when filtering UDP.
established (Optional) For the TCP protocol only: Indicates anestablished connection. A match occurs if the TCPdatagram has the ACK, FIN, PSH, RST, SYN or URGcontrol bits set. The nonmatching case is that of theinitial TCP datagram to form a connection.
log (Optional) Causes an informational logging messageabout the packet that matches the entry to be sent tothe console. (The level of messages logged to the
8/3/2019 Commands - General
25/147
console is controlled by the loggingconsole command.)
The message includes the access list number,whether the packet was permitted or denied; theprotocol, whether it was TCP, UDP, ICMP or a
number; and, if appropriate, the source and destinationaddresses and source and destination port numbers.The message is generated for the first packet thatmatches, and then at 5-minute intervals, including thenumber of packets permitted or denied in the prior 5-minute interval.
The logging facility might drop some logging messagepackets if there are too many to be handled or if thereis more than one logging message to be handled in 1second. This behavior prevents the router fromcrashing due to too many logging packets. Therefore,the logging facility should not be used as a billing tool
or an accurate source of the number of matches to anaccess list.
log-input (Optional) Includes the input interface and sourceMAC address or VC in the logging output.
fragments (Optional) The access list entry applies to noninitialfragments of packets; the fragment is either permittedor denied accordingly. For more details about
the fragments keyword, see the "Access ListProcessing of Fragments" and "Fragmentsand Policy Routing" sections in the "UsageGuidelines" section.
Defaults
An extended access list defaults to a list that denies everything. An extended access list isterminated by an implicit deny statement.
Command Modes
Global configuration
Command History
Release Modification
10.0 This command and the UDP form of this command were introduced.
10.3 The ICMP, IGMP, and TCP forms of this command were introduced.
http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1040933http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1040933http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1040963http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1040963http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1040933http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1040933http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1040963http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp10409638/3/2019 Commands - General
26/147
The following keywords and arguments were added:
source
source-wildcard
destination
destination-wildcard
precedenceprecedence
icmp-type
icm-code
icmp-message
igmp-type
operator
port
established
11.1 The following keywords and arguments were added:
dynamicdynamic-name
timeoutminutes
11.2 The following keyword was added:
log-input
12.0(11) The fragments keyword was added.
Usage Guidelines
You can use access lists to control the transmission of packets on an interface, control virtualterminal line access, and restrict contents of routing updates. The Cisco IOS software stopschecking the extended access list after a match occurs.
8/3/2019 Commands - General
27/147
Note After an access list is created initially, any subsequent additions (possibly entered from theterminal) are placed at the end of the list. In other words, you cannot selectively add or removeaccess list command lines from a specific access list.
The following is a list of precedence names:
critical
flash
flash-override
immediate
internet
network
priority
routine
The following is a list of type of service (TOS) names:
max-reliability
max-throughput
min-delay
min-monetary-cost
normal
The following is a list of ICMP message type names and ICMPmessage type and code names:
administratively-prohibited
alternate-address
conversion-error
dod-host-prohibited
dod-net-prohibited
echo
mask-reply
mask-request
mobile-redirect
net-redirect
net-tos-redirect
net-tos-unreachable
net-unreachable
network-unknown
no-room-for-option
option-missing
packet-too-big
parameter-problem
port-unreachable
precedence-unreachable
protocol-unreachable
reassembly-timeout
redirect
router-advertisement
router-solicitation
source-quench
source-route-failed
8/3/2019 Commands - General
28/147
echo-reply
general-parameter-problem
host-isolated
host-precedence-unreachable
host-redirect
host-tos-redirect
host-tos-unreachable
host-unknown
host-unreachable
information-reply
information-request
time-exceeded
timestamp-reply
timestamp-request
traceroute
ttl-exceeded
unreachable
The following is a list of IGMP message names:
dvmrp
host-query
host-report
pim
trace
The following is a list of TCP port names that can be used instead of port numbers. Refer to the
current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding
to these protocols can also be found by typing a ? in the place of a port number.
bgp
chargen
daytime
discard
domain
echo
nntp
pop2
pop3
smtp
sunrpc
syslog
8/3/2019 Commands - General
29/147
finger
ftp
ftp-data
gopher
hostname
irc
klogin
kshell
lpd
tacacs-ds
talk
telnet
time
uucp
whois
www
The following is a list of UDP port names that can be used instead of port numbers. Refer to the
current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding
to these protocols can also be found by typing a ? in the place of a port number.
biff
bootpc
bootps
discard
dns
dnsix
echo
mobile-ip
nameserver
netbios-dgm
netbios-ns
ntp
rip
snmp
snmptrap
sunrpc
syslog
tacacs-ds
talk
tftp
time
who
xdmcp
Access List Processing of Fragments
8/3/2019 Commands - General
30/147
The behavior of access-list entries regarding the use or lack of the fragments keyword can besummarized as follows:
If the Access-List Entry has... Then..
...no fragments keyword (thedefault behavior), and assumingall of the access-list entryinformation matches,
For an access-list entry containing only Layer 3information:
The entry is applied to nonfragmentedpackets, initial fragments and noninitialfragments.
For an access list entry containing Layer 3 andLayer 4 information:
The entry is applied to nonfragmentedpackets and initial fragments.
If the entry is a permit statement, thepacket or fragment is permitted.
If the entry is a deny statement, the packetor fragment is denied.
The entry is also applied to noninitialfragments in the following manner. Becausenoninitial fragments contain only Layer 3information, only the Layer 3 portion of anaccess-list entry can be applied. If the Layer 3portion of the access-list entry matches, and
If the entry is a permit statement, thenoninitial fragment is permitted.
If the entry is a deny statement, the nextaccess-list entry is processed.
Note The deny statements are handleddifferently for noninitial fragments versus
nonfragmented or initial fragments.
...the fragments keyword, andassuming all of the access-listentry information matches,
The access-list entry is applied only tononinitial fragments.
8/3/2019 Commands - General
31/147
Note The fragments keyword cannot beconfigured for an access-list entry that containsany Layer 4 information.
Be aware that you should not simply add the fragments keyword to every access list entry becausethe first fragment of the IP packet is considered a nonfragment and is treated independently of thesubsequent fragments. An initial fragment will not match an access list permit ordeny entry thatcontains the fragments keyword, the packet is compared to the next access list entry, and so on,until it is either permitted or denied by an access list entry that does not containthe fragments keyword. Therefore, you may need two access list entries for every deny entry. Thefirst deny entry of the pair will not include the fragments keyword, and applies to the initialfragment. The second deny entry of the pair will include the fragments keyword and applies to thesubsequent fragments. In the cases where there are multiple deny access list entries for the samehost but with different Layer 4 ports, a singledeny access-list entry with the fragments keyword forthat host is all that needs to be added. Thus all the fragments of a packet are handled in the samemanner by the access list.
Packet fragments of IP datagrams are considered individual packets and each counts individuallyas a packet in access list accounting and access list violation counts.
Note The fragments keyword cannot solve all cases involving access lists and IP fragments.
Fragments and Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based onthe match ip address command and the access list had entries that match on Layer 4 through 7information. It is possible that noninitial fragments pass the access list and are policy routed, even ifthe first fragment was not policy routed or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match betweenthe action taken for initial and noninitial fragments can be made and it is more likely policy routingwill occur as intended.
Examples
In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0,and the mail host's address is 128.88.1.2. The keyword established is used only for the TCPprotocol to indicate an established connection. A match occurs if the TCP datagram has the ACK orRST bits set, which indicate that the packet belongs to an existing connection.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 establishedaccess-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
8/3/2019 Commands - General
32/147
interface serial 0ip access-group 102 in
The following example also permit Domain Naming System (DNS) packets and ICMP echo andecho reply packets:
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 establishedaccess-list 102 permit tcp any host 128.88.1.2 eq smtpaccess-list 102 permit tcp any any eq domainaccess-list 102 permit udp any any eq domainaccess-list 102 permit icmp any any echoaccess-list 102 permit icmp any any echo-reply
The following examples show how wildcard bits are used to indicate the bits of the prefix or maskthat are relevant. They are similar to the bitmasks that are used with normal access lists.Prefix/mask bits corresponding to wildcard bits set to 1 are ignored during comparisons andprefix/mask bits corresponding to wildcard bits set to 0 are used in comparison.
In the following example, permit 192.108.0.0 255.255.0.0 but deny any more specific routes of
192.108.0.0 (including 192.108.0.0 255.255.255.0).
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
In the following example, permit 131.108.0/24 but deny 131.108/16 and all other subnets of131.108.0.0.
access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
Related Commands
Command Description
access-class Restricts incoming and outgoing connections between aparticular vty (into a Cisco device) and the addresses inan access list.
access-list (IPstandard)
Defines a standard IP access list.
clear access-template
Clears a temporary access list entry from a dynamicaccess list manually.
distribute-list in (IP) Filters networks received in updates.
distribute-list out(IP)
Suppresses networks from being advertised in updates.
ip access-group Controls access to an interface.
ip access-list Defines an IP access list by name.
http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1017389http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1017823http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1017823http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018640http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018728http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1017389http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1017823http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1017823http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018640http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp10187288/3/2019 Commands - General
33/147
ip accounting Enables IP accounting on an interface.
logging console Limits messages logged to the console based on severity.
show access-lists
Displays the contents of current IP and rate-limit accesslists.
show ip access-list
Displays the contents of all current IP access lists.
access-list (IP standard)
To define a standard IP access list, use the standard version of the access-list global configurationcommand. To remove a standard access lists, use the no form of this command.
access-listaccess-list-number{deny | permit} source [source-wildcard] [log]
no access-listaccess-list-number
Caution Enhancements to this command are backward compatible; migrating from releases prior
to Release 10.3 will convert your access lists automatically. However, releases prior to
Release 10.3 are not upwardly compatible with these enhancements. Therefore, if you save an
access list with these images and then use software prior to Release 10.3, the resulting access list
will not be interpreted correctly. This could cause you severe security problems. Save your old
configuration file before booting these images.
Syntax Description
access-list-number
Number of an access list. This is a decimal number from1 to 99 orfrom 1300 to 1999.
deny Denies access if the conditions are matched.
permit Permits access if the conditions are matched.
source Number of the network or host from which the packet is being sent.There are two alternative ways to specify the source:
Use a 32-bit quantity in four-part, dotted-decimal format.
Use the keyword any as an abbreviation for a source and source-wildcardof 0.0.0.0 255.255.255.255.
source-wildcard
(Optional) Wildcard bits to be applied to source. Each wildcard bit setto zero indicates that the corresponding bit position in the packet's ipaddress must exactly match the bit value in the corresponding bit
http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018815http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1036555http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1036555http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1039621http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1039621http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018815http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1036555http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1036555http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1039621http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp10396218/3/2019 Commands - General
34/147
position in the source. Each wildcard bit set to one indicates that botha zero bit and a one bit in the corresponding position of the packet'sip address will be considered a match to this access list entry.
There are two alternative ways to specify the source wildcard:
Use a 32-bit quantity in four-part, dotted-decimal format. Place onesin the bit positions you want to ignore. For example, 0.0.255.255 torequire an exact match of only the first 16 bits of the source.
Use the keyword any as an abbreviation for a source and source-wildcardof 0.0.0.0 255.255.255.255.
Wildcard bits set to one do not need to be contiguous in the source-wildcard. For example, asource-wildcardof 0.255.0.64 would bevalid.
log (Optional) Causes an informational logging message about thepacket that matches the entry to be sent to the console. (The level of
messages logged to the console is controlled by theloggingconsole command.)
The message includes the access list number, whether the packetwas permitted or denied, the source address, and the number ofpackets. The message is generated for the first packet that matches,and then at 5-minute intervals, including the number of packetspermitted or denied in the prior 5-minute interval.
The logging facility might drop some logging message packets ifthere are too many to be handled or if there is more than one loggingmessage to be handled in 1 second. This behavior prevents therouter from crashing due to too many logging packets. Therefore, the
logging facility should not be used as a billing tool or an accuratesource of the number of matches to an access list.
Defaults
The access list defaults to an implicit deny statement for everything. The access list is alwaysterminated by an implicit deny statement for everything.
Command Modes
Global configuration
Command History
Release Modification
10.3 This command was introduced.
11.3(3)T The log keyword was added.
8/3/2019 Commands - General
35/147
Usage Guidelines
Plan your access conditions carefully and be aware of the implicit deny statement at the end of theaccess list.
You can use access lists to control the transmission of packets on an interface, control virtual
terminal line access, and restrict the contents of routing updates.
Use theshow access-listsEXEC command to display the contents of all access lists.
Use theshow ip access-list EXEC command to display the contents of one access list.
Examples
The following example of a standard access list allows access for only those hosts on the threespecified networks. The wildcard bits apply to the host portions of the network addresses. Any hostwith a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.5.34.0 0.0.0.255access-list 1 permit 128.88.0.0 0.0.255.255access-list 1 permit 36.0.0.0 0.255.255.255! (Note: all other access implicitly denied)
The following example of a standard access list allows access for devices with IP addresses in therange 10.29.2.64 to 10.29.2.127. All packets with a source address not in this range will be rejected.
access-list 1 permit 10.29.2.64 0.0.0.63! (Note: all other access implicitly denied)
To specify a large number of individual addresses more easily, you can omit the wildcard if it is allzeros. Thus, the following two configuration commands are identical in effect:
access-list 2 permit 36.48.0.3access-list 2 permit 36.48.0.3 0.0.0.0
Related Commands
Command Description
access-class Restricts incoming and outgoing connections between a
particular vty (into a Cisco device) and the addresses in anaccess list.
access-list (IPextended)
Defines an extended IP access list.
distribute-list in(IP)
Filters networks received in updates.
distribute-list out Suppresses networks from being advertised in updates.
http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1036555http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1036555http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1039621http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1017389http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1017448http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1017448http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1036555http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1039621http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1017389http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1017448http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp10174488/3/2019 Commands - General
36/147
(IP)
ip access-group
Controls access to an interface.
show access-
lists
Displays the contents of current IP and rate-limit accesslists.
show ipaccess-list
Displays the contents of all current IP access lists.
clear access-list counters
To clear the counters of an access list, use the clear access-list counters EXEC command.
clear access-list counters {access-list-number| name}
Syntax Description
access-list-number
Access list number of the access list for which to clear thecounters.
name Name of an IP access list. The name cannot contain a space orquotation mark, and must begin with an alphabetic character toavoid ambiguity with numbered access lists.
Command Modes
EXEC
Command History
Release Modification
11.0 This command was introduced.
Usage Guidelines
Some access lists keep counters that count the number of packets that pass each line of an access
list. The show access-listscommand displays the counters as a number of matches. Usethe clear access-list counters command to restart the counters for a particular access list to 0.
Examples
The following example clears the counters for access list 101:
clear access-list counters 101
http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018640http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018640http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1036555http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1036555http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1039621http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1039621http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018640http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018640http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1036555http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1036555http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1039621http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp10396218/3/2019 Commands - General
37/147
Related Commands
Command Description
show access-lists
Displays the contents of current IP and rate-limit accesslists.
clear ip accounting
To clear the active or checkpointed database when IP accounting is enabled, use the clear ipaccounting EXEC command.
clear ip accounting [checkpoint]
Syntax Description
checkpoint (Optional) Clears the checkpointed database.
Command Modes
EXEC
Command History
Release Modification
10.0 This command was introduced.
Usage Guidelines
You can also clear the checkpointed database by issuing the clear ip accounting command twicein succession.
Examples
The following example clears the active database when IP accounting is enabled:
clear ip accounting
Related Commands
Command Description
http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1036555http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1036555http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1036555http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp10365558/3/2019 Commands - General
38/147
ip accounting Enables IP accounting on an interface.
ip accounting-list Defines filters to control the hosts for which IPaccounting information is kept.
ip accounting-threshold
Sets the maximum number of accounting entries to becreated.
ip accounting-transits
Controls the number of transit records that are stored inthe IP accounting database.
show ipaccounting
Displays the active accounting or checkpointeddatabase or displays access list violations.
clear ip drp
To clear all statistics being collected on Director Response Protocol (DRP) requests and replies,use the clear ip drp EXEC command.
clear ip drp
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
Release Modification
11.2 F This command was introduced.
Examples
The following example clears all DRP statistics:
clear ip drp
Related Commands
Command Description
ip drp access-group Controls the sources of DRP queries to the DRP
http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018815http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018915http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018991http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018991http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1019064http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1019064http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1020197http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1020197http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1033095http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018815http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018915http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018991http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1018991http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1019064http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1019064http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1020197http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1020197http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp10330958/3/2019 Commands - General
39/147
Server Agent.
ip drp authenticationkey-chain
Configures authentication on the DRP ServerAgent for DistributedDirector.
clear tcp statistics
To clear TCP statistics, use the clear tcp statistics EXEC command.
clear tcp statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
Release Modification
11.3 This command was introduced.
Examples
The following example clears all TCP statistics:
clear tcp statistics
Related Commands
Command Description
show tcp statistics Displays TCP statistics.
deny (IP)
To set conditions for a named IP access list, use the deny access-list configuration command. Toremove a deny condition from an access list, use the no form of this command.
deny {source [source-wildcard] | any} [log]
no deny {source [source-wildcard] | any}
http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1019190http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1019190http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1020914http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1019190http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1019190http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp10209148/3/2019 Commands - General
40/147
denyprotocolsourcesource-wildcarddestinationdestination-wildcard[precedenceprecedence][tostos] [log] [fragments]
no denyprotocolsource source-wildcarddestinationdestination-wildcard
ICMP
denyicmp sourcesource-wildcarddestinationdestination-wildcard[icmp-type [icmp-code] | icmp-message] [precedenceprecedence] [tostos] [log] [fragments]
IGMP
denyigmpsourcesource-wildcarddestinationdestination-wildcard[igmp-type][precedenceprecedence] [tostos] [log] [fragments]
TCP
denytcp source source-wildcard[operator port[port]] destination destination-wildcard[operator
port[port]] [established] [precedenceprecedence] [tostos] [log] [fragments]
UDP
denyudp source source-wildcard[operator port[port]] destinationdestination-wildcard[operatorport[port]] [precedenceprecedence] [tostos] [log] [fragments]
Syntax Description
source Number of the network or host from which the packet is beingsent. There are two alternative ways to specify the source:
Use a 32-bit quantity in four-part, dotted-decimal format.
Use the keyword any as an abbreviation for a source and source-wildcardof 0.0.0.0 255.255.255.255.
source-wildcard (Optional) Wildcard bits to be applied to the source. There are twoalternative ways to specify the source wildcard:
Use a 32-bit quantity in four-part, dotted-decimal format. Placeones in the bit positions you want to ignore.
Use the keyword any as an abbreviation for a source and source-wildcardof 0.0.0.0 255.255.255.255.
protocol Name or number of an IP protocol. It can be one of thekeywords eigrp, gre, icmp,igmp, igrp, ip, ipinip, nos, ospf, tcp,orudp, or an integer in the range 0 to 255 representing an IPprotocol number. To match any Internet protocol (including ICMP,TCP, and UDP), use the keyword ip. Some protocols allow furtherqualifiers described later.
source Number of the network or host from which the packet is beingsent. There are three alternative ways to specify the source:
8/3/2019 Commands - General
41/147
Use a 32-bit quantity in four-part, dotted-decimal format.
Use the keyword any as an abbreviation fora source and source-wildcardof 0.0.0.0 255.255.255.255.
Use hostsource as an abbreviation for a source and source-wildcardofsource0.0.0.0.
source-wildcard Wildcard bits to be applied to source. There are three alternativeways to specify the source wildcard:
Use a 32-bit quantity in four-part, dotted-decimal format. Placeones in the bit positions you want to ignore.
Use the keyword any as an abbreviation fora source and source-wildcardof 0.0.0.0 255.255.255.255.
Use hostsource as an abbreviation for a source and source-wildcardofsource0.0.0.0.
destination Number of the network or host to which the packet is being sent.There are three alternative ways to specify the destination:
Use a 32-bit quantity in four-part, dotted-decimal format.
Use the keyword any as an abbreviation forthe destination and destination-wildcardof 0.0.0.0255.255.255.255.
Use hostdestination as an abbreviation fora destination and destination-wildcardofdestination 0.0.0.0.
destination-wildcard Wildcard bits to be applied to the destination. There are threealternative ways to specify the destination wildcard:
Use a 32-bit quantity in four-part, dotted-decimal format. Placeones in the bit positions you want to ignore.
Use the keyword any as an abbreviation fora destination and destination-wildcardof0.0.0.0 255.255.255.255.
Use hostdestination as an abbreviation fora destination and destination-wildcardofdestination 0.0.0.0.
precedenceprecedence (Optional) Packets can be filtered by precedence level, asspecified by a number from 0 to 7 or by name as listed in thesection "Usage Guidelines."
tos tos (Optional) Packets can be filtered by type of service level, asspecified by a number from 0 to 15 or by name as listed in the"Usage Guidelines" section of the access-list (IP extended)command.
icmp-type (Optional) ICMP packets can be filtered by ICMP message type.
8/3/2019 Commands - General
42/147
The type is a number from 0 to 255.
icmp-code (Optional) ICMP packets which are filtered by ICMP message typecan also be filtered by the ICMP message code. The code is anumber from 0 to 255.
icmp-message (Optional) ICMP packets can be filtered by an ICMP message type
name or ICMP message type and code name. The possiblenames are found in the "Usage Guidelines" section of the access-list (IP extended) command.
igmp-type (Optional) IGMP packets can be filtered by IGMP message type ormessage name. A message type is a number from 0 to 15. IGMPmessage names are listed in the "Usage Guidelines" section ofthe access-list (IP extended) command.
operator (Optional) Compares source or destination ports. Possibleoperands include lt (less than),gt (greaterthan), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard,
it must match the source port.
If the operator is positioned after the destination and destination-wildcard, it must match the destination port.
The range operator requires two port numbers. All other operatorsrequire one port number.
port (Optional) The decimal number or name of a TCP or UDP port. Aport number is a number from 0 to 65535. TCP and UDP portnames are listed in the "Usage Guidelines" section of the access-list (IP extended) command. TCP port names can only be usedwhen filtering TCP. UDP port names can only be used when
filtering UDP.
established (Optional) For the TCP protocol only: Indicates an establishedconnection. A match occurs if the TCP datagram has the ACK orRST bits set. The nonmatching case is that of the initial TCPdatagram to form a connection.
log (Optional) Causes an informational logging message about thepacket that matches the entry to be sent to the console. (The levelof messages logged to the console is controlled by the loggingconsole command.)
The message for a standard list includes the access list number,whether the packet was permitted or denied, the source address,
and the number of packets.
The message for an extended list includes the access list number;whether the packet was permitted or denied; the protocol; whetherit was TCP, UDP, ICMP, or a number; and, if appropriate, thesource and destination addresses and source and destination portnumbers.
For both standard and extended lists, the message is generated
8/3/2019 Commands - General
43/147
for the first packet that matches, and then at 5-minute intervals,including the number of packets permitted or denied in the prior 5-minute interval.
The logging facility might drop some logging message packets if
there are too many to be handled or if there is more than onelogging message to be handled in 1 second. This behaviorprevents the router from crashing due to too many loggingpackets. Therefore, the logging facility should not be used as abilling tool or an accurate source of the number of matches to anaccess list.
fragments (Optional) The access list entry applies to noninitial fragments ofpackets; the fragment is either permitted or denied accordingly.
For more details about the fragments keyword, see the "AccessList Processing of Fragments" and "Fragments andPolicy Routing" sections in the "Usage Guidelines" section.
Defaults
There is no specific condition under which a packet is denied passing the named access list.
Command Modes
Access-list configuration
Command History
Release Modification
11.2 This command was introduced.
11.3(3)T The log keyword for a standard access was added.
12.0(11) The fragments keyword was added.
Usage Guidelines
Use this command following the ip access-list command to specify conditions under which apacket cannot pass the named access list.
Access List Processing of Fragments
The behavior of access-list entries regarding the use or lack of the fragments keyword can besummarized as follows:
http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip.html#wp1040933http://www.cisco.com/en/US/docs/ios/12_0/np1/command/reference/1rip