Quick Reference

aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name no aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} [vrf vrf-name] {start-stop | stop-only | none} [broadcast] group group-name  

Configures

AAA Accounting

Default

Disabled

Description

This command enables accounting, which can be used for billing and security purposes.

auth-proxy

Provides information about all authenticated proxy user events.

system

Enables accounting for all system events that are not associated with a user (such as a reload).

exec

Enables accounting for EXEC-level commands.

connection

Provides information about all outbound connections, such as telnet, LAT, rlogin and SSH.

commands level

Enables accounting for the specified privilege level (0 to 15).

default

Uses the listed accounting methods that follow this argument as the default list for accounting services

list-name

Specifies the AAA accounting protocol to use (radius or tacacs+).

vrf vrf-name

Optional. Specifies a virtual route forwarding (VRF) configuration.

start-stop

Creates an accounting entry at the start and end of the command.

stop-only

Sends an accounting entry only when the command has completed execution.

none

Disables accounting services on this line or interface.

broadcast

Optional. Enables the sending accounting records to multiple AAA servers.

group group-name

Specifies the AAA accounting protocol to use for the specified server group (group radius and group tacacs+).

Example

The following configuration statements enable AAA accounting for commands at level 5. An accounting entry is generated when the command is initiated and when it is terminated; the command doesn't execute until the server has received the message and the TACACS+ protocol is used to send the entries to the accounting server.

aaa new-model aaa accounting command 5 default group tacacs+

aaa accounting delay-start no accounting delay-start  

Configures

Delays accounting start records until the user's IP address is established

Default

Disabled (no delay)

Description

The default behavior is to start accounting as soon as the user connects, even before her IP address has been established. The command delays the accounting until the IP address has been established.

aaa accounting gigawords no aaa accounting gigawords  

Configures

Enables 64-bit counters within AAA

Default

Enabled

Description

The command is enabled by default and only shows up in the configuration if the no version is used. The high-capacity counters provide greater counter capacity but use 8 percent of CPU memory for 24,000 sessions running under the ready state. If you do disable this with the no form of the command, you must reload the router to have it take effect.

aaa accounting nested no aaa accounting nested  

Configures

Nesting network records within EXEC start and stop records

Default

Disabled

Description

This commands keeps EXEC start and stop records togetheror nestedfor PPP users who start EXEC terminal sessions. Such nesting can be helpful for certain billing practices.

aaa accounting resource method-list start-stop [broadcast] group group-name no accounting resource method-list start-stop [broadcast] group group-name aaa accounting resource method-list stop-failure [broadcast] group group-name no accounting resource method-list stop-failure [broadcast] group group-name  

Configures

Accounting for the starting or stopping of a connection

Default

N/A

Description

The start-stop version of this command enables the accounting of a user's connection at the start of the call and at the end. The stop-failure command enables the generation of a stop record if the user's call is terminated.

method-list

Method used for accounting services. You can set this to default or provide a list of accounting methods.

broadcast

Optional. Enables the sending of accounting records to multiple AAA servers.

group group-name

Specifies the AAA accounting protocol to use (group radius or group tacacs+).

Example

aaa accounting resource default start-stop group radius aaa accounting resource default stop-failure group radius

aaa accounting send stop-record authentication failure no aaa accounting send stop-record authentication failure  

Configures

Stop records for users who fail to authenticate

Default

Disabled

Description

If the user fails a login or session negotiation, this command causes a stop record to be generated for this connection attempt.

aaa accounting session-duration ntp-adjusted no accounting session-duration ntp-adjusted  

Configures

Use of NTP clock to calculate Radius session time

Default

Disabled

Description

By default, the Radius attribute acct-sess-time is calculated on a 64-bit monotonically increasing counter, which is not Network Time Protocol-adjusted. This command causes the attribute to be calculated based on the NTP clock.

aaa accounting suppress null-username no aaa accounting suppress null-username  

Configures

Stopping the sending of accounting messages when the username is NULL

Default

Disabled

Description

This command prevents the creation of accounting records with usernames of NULL.

aaa accounting update [newinfo] [periodic minutes [jitter {maximum max-value}]] no accounting update  

Configures

Periodic interim accounting records

Default

Disabled

Description

Enables periodic interim accounting records to be sent to the accounting server. If the newinfo option is used, periodic reports are sent only when there is new information to report.

newinfo

Optional. Causes periodic information to be sent whenever there is new information about the user.

periodic

Optional. Specifies the number of minutes between periodic updates.

jitter

Optional. Allows the setting of the maximum jitter value.

maximum

Required for the jitter command. Sets the number of seconds for the maximum jitter in a periodic update. A value of 0 disables jitter. The default is 300 seconds.

aaa authentication attempts login number no aaa authentication attempts login  

Configures

The maximum number of login failures

Default

Three attempts

Description

This command sets the number of login attempts that will be permitted before the connection is dropped. number is the maximum value, which can be 1 to 25.

aaa authentication banner delimiter no aaa authentication banner  

Configures

A banner to be displayed at user login

Default

None

Description

Like all banner commands, this one takes a delimiter, which marks the end of the following banner string. This banner is displayed to the user at login.

Example

aaa new-model aaa authentication banner * Welcome to our system. Unauthorized access is prohibited * aaa authentication login default group radius

aaa authentication enable default method ... method no aaa authentication enable default method ... method  

Configures

Authentication for privileged command level

Default

None

Description

This command configures the router to use AAA to determine whether a user can access the privileged command set. The method parameter can be any of the following: enable, line, none, group tacacs+, or group radius. Each method describes where to get the password for authentication. If more than one method is listed, the methods are tried in order until one succeeds or all fail. This command does not work with TACACS or Extended TACACS (XTACACS).

aaa authentication fail-message delimiter no aaa authentication fail-message  

Configures

A failed login attempt banner message

Default

Disabled

Description

Like all banner commands, this one takes a delimiter, which marks the end of the following banner string. This banner is displayed to the user at a failed login attempt.

aaa authentication local-override no aaa authentication local-override  

Configures

The use of local usernames and passwords

Default

Disabled

Description

This command tells the router to check its own username and password database for a match before using any other authentication methods. It is useful if you have a small set of administrators who need access to the router even when the AAA server is down.

aaa authentication login {default | listname} method ... method no aaa authentication login  

Configures

AAA authentication method for login

Default

local

Description

This command defines a named list of authentication methods that can be used when a user logs into the device. The listname parameter specifies the name of the list; the login authentication command is used to apply a list. default is a special list name; the default list specifies the authentication methods to be used by default (i.e., in the absence of explicit login authentication commands). method describes where to get the password for authentication. If more than one method is listed, the methods are tried in order until one succeeds or all have failed. The valid methods are: enable, krb5, line, local, local-case, none, group radius, group tacacs+, and krb5-telnet. The local-case option uses case-sensitive local usernames.

Example

The following command defines the default list of login authentication methods. Because this is the default list, it applies to all users, even if there is no login authentication command. The router first attempts to use the tacacs+ method for authentication, then the enable method. Therefore, the enable password is used to authenticate users if the device cannot contact the TACACS+ server.

! Set authentication for login aaa authentication login default group tacacs+ enable none

aaa authentication password-prompt string no aaa authentication password-prompt  

Configures

Password prompt for logins

Default

Password:

Description

This command sets the text displayed for a user's password prompt to string.

Example

aaa authentication password-prompt "What is your password?"

aaa authentication ppp {default | listname} method ... method no aaa authentication ppp  

Configures

AAA authentication method for PPP

Default

local

Description

This command defines a named list of authentication methods that can be used when a user starts a PPP session. The listname parameter specifies the name of the list; the login authentication command is used to apply a list. default is a special list name; the default list specifies the authentication methods to be used by default (i.e., in the absence of explicit login authentication commands). method describes where to get the password for authentication. If more than one method is listed, they are tried in order until one succeeds or all fail. The valid methods are enable, krb5, line, local, local-case, none, group radius, group tacacs+, and krb5-telnet.

Example

The following command defines the default list of authentication methods for PPP users. Because this is the default list, it applies to all PPP users, even if there is no login authentication command. The router attempts to use the tacacs+ method for authentication; if the device cannot contact the TACACS+ server, no other authentication is attempted, and the connection is rejected.

! Set authentication for ppp aaa authentication ppp default tacacs+ none

aaa authentication username-prompt string no aaa authentication username-prompt string  

Configures

Username prompt for AAA authentication

Default

Username:

Description

Like the password-prompt command, this command sets the text used to prompt for a username when using AAA authentication. The prompt is set to string.

aaa authorization {network | exec | command level} method ... method no aaa authorization {network | exec | command level}  

Configures

Authorization for actions

Default

Disabled

Description

This command sets the authorization method for different command sets.

network

Sets the authorization method used for network commands.

exec

Sets the authorization method for any EXEC-level command.

command level

Sets the authorization method for commands at the given privilege level. Privilege levels range from 0 to 15, inclusive.

method ... method

Specifies where the device looks up the authorization information for a user. method describes where to get the password for authentication. If more than one method is listed, the methods are tried in order until one succeeds or all have failed. The valid method types are group tacacs+, if-authenticated, none, local, group radius, and krb5-instance.

Example

The following commands require TACACS+ authentication for users giving commands at level 8.

aaa new-model aaa authorization command 8 group tacacs+ none

aaa authorization config-commands no aaa authorization config-commands  

Configures

Authorization for config level access

Default

Disabled, unless the aaa authorization command has been given, in which case all config-commands require authorization

Description

This command enables authorization of config-commands (i.e., any command that requires you to give the conf terminal command to enter configuration mode). Here's a scenario in which you might use it: if you give the aaa authorization command, AAA authorization will be required for all commands. To disable authorization of config-commands, you can give the command no aaa authorization config-commands.

Example

aaa new-model aaa authorization command 8 tacacs+ none no aaa authorization config-commands

aaa authorization reverse-access {group tacacs+ | group radius} no aaa authorization reverse-access  

Configures

Authorization for reverse telnet access

Default

Disabled (no authorization for reverse telnet)

Description

This command enables authorization for a user who is requesting reverse telnet access. If specified, group tacacs+ or group radius is used for authentication.

aaa authorization template no aaa authorization template  

Configures

Local or remote customer templates

Default

Disabled

Description

This command enables the use of customer templates for VPN or VPN Routing and Forwarding (VRF).

aaa configuration route username string [password string] no aaa configuration route username string [password string]  

Configures

Username and password for downloading static routes from Radius server

Default

Username is hostname and password is cisco

Description

This command allows for the definition of a username and password other than the defaults for downloading static route information from a Radius server.

aaa group server radius group-name no aaa group server radius group-name  

Configures

A group of Radius servers

Default

None

Description

This command defines a group of Radius servers. To add a Radius server to the group, use the server command, followed by the IP address of the server. If the auth-port and acct-port are not defined, the default ports of 1645 and 1646 are used.

Example

aaa group server radius myradiusgroup server 10.1.1.1 server 10.1.2.1 auth-port 1700 acct-port 1701

aaa group server tacacs+ group-name no aaa group server tacacs+ group-name  

Configures

A group of TACACS+ servers

Default

None

Description

This command defines a group of TACACS+ servers. To add a TACACS+ server to the group, use the server command, followed by the IP address of the server.

Example

aaa group server tacacs+ mytacacsplusgroup server 10.1.1.1 server 10.1.2.1

aaa new-model no aaa new-model  

Configures

Enables AAA access control

Default

Disabled

Description

By default, the AAA model is not enabled, and you cannot use the AAA configuration commands. This command enables AAA and allows you to configure it.

absolute-timeout number-of-minutes no absolute-timeout  

Configures

Amount of time a connection can be open

Default

None

Description

This command sets the interval before closing a connection to number-of-minutes. Unlike the other timeouts, this command sets a hard limit for the connection time; it is not an idle timeout. The connection will be closed at this time even if the connection is not idle. Use the no form of the command to disable the timeout.

access-class access-list [in | out] no access-class access-list  

Configures

Applies an access list to a line

Default

None

Description

This command specifies which access list to apply to this line (access-list), and in what direction the list should be applied (in or out). For more information on creating access lists, see Chapter 7.

Example

The following commands apply access list 10 to outgoing traffic on virtual terminals 0-4.

access-list 10 permit host 10.10.1.2 ! Apply the access-list to the virtual lines 0-4 line vty 0 4 access-class 10 out

access-enable [host] [timeout minutes]  

Configures

Creates an entry in a dynamic access list

Default

None

Description

This command enables the Lock and Key feature . It allows an entry to be made in a dynamic access list for the current session. The host keyword is optional; it tells the access list to allow access only from the host that initiated the session. The timeout option specifies the time in minutes, after which the access list entry is deleted if no traffic matching the entry is seen. In other words, if the connection is idle for the given time, the entry in the access list is deleted and the user must re-authenticate.

access-enable is often used with autocommand to create a dynamic access list for an incoming telnet session.

Example

This example creates a dynamic access list for the host that made the connection. The access list times out after five minutes.

autocommand access-enable host timeout 5  

To make use of this entry, there must be an extended access list like the following:

access-list 110 dynamic incoming-user timeout 5 permit ip any any  

This list must be applied to any interfaces that support dial-in users. The permit part of the statement controls the incoming user's access to network resources. The timeout in the access-list command is absolute; the temporary entry exists only for the given number of minutes. It overrides the timeout in the access-enable command.

Standard:

access-list number {permit | deny} src-address-spec  

Extended:

access-list number {permit | deny} protocol src-address-spec [operator port] dest-address-spec [operator port] [established] [precedence value] [tos value] [log]  

Named:

ip access-list {standard | extended} name  

All access list types:

no access-list number  

Configures

An access list

Default

None

Description

Access lists are an extremely general method for controlling access to the router, the traffic flowing in and out of the router, and even the routes accepted by the router. This command defines an entry in an access list.

number

A number that identifies the list and list type. Table 17-1 shows the ranges assigned to each list type. This book covers only standard and extended IP access lists, plus named and reflexive access lists.

permit|deny

Specifies if the line is to permit or deny matched traffic.

protocol

Specifies the protocol to which the access list entry applies. For IP access lists, this option can be ip, tcp, udp, igmp, or icmp.

src-address-spec dest-address-spec

The source and destination addresses or networks can be expressed in a number of ways: any, a single host address, or an entire network address, as follows:

any

Matches any address. This command is shorthand for the IP address and wildcard mask of 0.0.0.0 255.255.255.255. (See Chapter 7 for more information.)

host ip-address

Matches a single host, identified by its IP address.

ip-address wildcard-mask

Matches any address in the set specified by the IP address and the wildcard mask. For example, 10.10.1.0 0.0.0.255 matches the address range 10.10.1.0 through 10.10.1.255. Wildcards are covered in Chapter 7.

operator port

These options, operator and port, allow you to specify services or groups of services. The operator must be one of the following:

lt

Less than

gt

Greater than

eq

Equal

neq

Not equal

range

The range between two port numbers

Ports can be specified either by number or by the name of a service (smtp, telnet, www, ftp, etc.).

If a port expression follows the source address in an access list, packets must have a source port that matches the expression in order to pass the access list. Likewise, if a port expression follows the destination address, packets must have a destination port that matches the expression to pass the access list.

precedence value

Optional. This command allows packets to be filtered on IP precedence level. The value can be 0 to 7.

tos value

Optional. TOS stands for Type of Service. Packets can be filtered by the IP Type of Service, with a value of 0 to 15.

log

This keyword causes the router to write a log message to the console for packets that match this line. It logs the first packet that matches the line and then repeats only every few minutes, which prevents a flood of log messages. Console logging must be enabled before messages appear.

established

This keyword matches TCP packets that have ACK or RST bits set, i.e., packets that belonged to an established connection. It is used to prevent hosts from outside the local network from starting connections to hosts within the network, while allowing packets from an established connection back into the network.

icmp-type value

ICMP packets can be filtered based on their type, which is a value from 0 to 255.

igmp-type value

IGMP packets can be filtered based on their type, which is a value from 0 to 15.

Many different kinds of statements are used to apply an access list. The most common are ip access-group, which applies an access list to incoming or outgoing traffic on an interface, and access-class, which applies an access list to incoming or outgoing traffic on a line.

Note that the no form of this command deletes the entire access list, not just a single entry.

Named Access Lists (IOS 11.0 and greater)

IOS 11.0 introduced a new method of creating and editing IP access lists, called named access lists. As the name implies, named access lists are assigned a string-based name, rather than a number. Otherwise, they are essentially identical to standard and extended IP access lists but with the added ability to do some basic editing.

To create a named access list, start with the ip access list command:

ip access-list {standard | extended} name  

The keyword standard indicates that this is a standard IP access list; extended indicates that this is an extended IP access list. name is the name of the list; it must be a unique alphanumeric string. You may then enter a series of permit and deny commands. For standard access lists, these commands have the following syntax:

{permit | deny} src-address-spec  

For an extended list, the syntax is:

{permit | deny} protocol src-address-spec [operator port] dest-address-spec [operator port] [established] [precedence value] [tos value] [log]  

The parameters for the permit and deny commands in named access lists are the same as for extended access lists.

Named access lists cannot always be used in the same places that numbered access lists can, though this is slowly being corrected as IOS evolves.

As of IOS 12.4, you can enter noncontiguous ports on a single line within a named access list. Before, you would write such an access list like this:

ip access-list extended acllist1 permit tcp any host 192.168.1.1 eq telnet permit tcp any host 192.168.1.1 eq www permit tcp any host 192.168.1.1 eq smtp permit tcp any host 192.168.1.1 eq pop3  

With noncontiguous port support, you can write it more tersely:

ip access-list extended acllist1 permit tcp any host 192.168.1.1 eq telnet www smtp pop3  

Example

Here are examples of several types of access list elements. We assume that these access lists are used to restrict incoming traffic on an interface. First, a standard IP access list that permits traffic from the network 10.0.1.0:

access-list 5 permit 10.0.1.0 0.0.0.255  

This access list element permits HTTP traffic from any source to reach the server at 10.1.2.3:

access-list 105 permit tcp any host 10.1.2.3 eq http  

And this element permits TCP traffic to enter the router from any destination, provided that the session was initiated by a host "behind" the router:

access-list 105 permit tcp any any established  

Remember that all access lists end with an "implicit deny," which rejects all traffic not permitted by a statement in the access list.

access-list rate-limit access-list {precedence | exp | mac-address | mask precedence-mask} no access-list rate-limit access-list  

Configures

An access list for Committed Access Rate (CAR)

Default

None

Description

This command selects packets for CAR policies based on IP precedence or MAC addresses. There can only be one command per access list. If you need to assign more than one precedence level to a single access list, use the mask keyword. The access list is used to classify packets. For IP, use any number from 1 to 99; for MAC, use any number from 100 to 199; and for the MPLS experimental field, use any number from 200 to 299.

precedence

The IP precedence level to apply to the access list.

exp

MPLS experimental field. Valid values are number from 0 to 7.

mac-address

The MAC address to apply to the access list.

mask precedence-mask

The precedence mask to apply to the access list. To calculate the mask, convert the precedence value to an eight-bit mask. A precedence of 0 is encoded as 000000001; a precedence of 1 is 00000010. Then AND all the bit values together to get a single mask. For example, the mask that covers a precedence of 1 through 3 would be 00001110. When you have the binary mask, convert it to a two-digit hexadecimal number; for this example, the mask would be 0E.

Example

! This command assigns a CAR access-list of 10 to packets with an IP ! precedence of 1 through 3. access-list rate-limit 10 mask 0E

access-template [access-list] [temp-list] [source] [destination] [timeout minutes]  

Configures

An entry in a temporary access list

Default

None

Description

This command creates an entry in a temporary access list on the router to which you are connected.

access-list

The name or number of the dynamic access list.

temp-list

The name of the temporary list within the access list.

source

The usual source address specification (the host and any keywords are allowed).

destination

The usual destination address specification (the host and any keywords are allowed).

timeout minutes

The maximum time, in minutes, that the entry will remain in the list.

For more information about how source and destination addresses are specified, see the description of the access-list command and Chapter 7.

activation-character ascii-number no activation-character  

Configures

The activation character for an idle terminal session

Default

Return character (13)

Description

This command specifies which key initiates a session at an idle terminal. ascii-number is the decimal value of the activation character you wish to set. To disable this command and return to the default, use the no form.

Example

These commands set the activation character for a terminal connected to line 2 to ASCII character 13 (Return or Enter):

Router(config)# line 2 Router(config-line)# activation-character 13

aggregate-address address mask [as-set] [summary-only] [suppress-map map] [advertise-map map] [attribute-map map] no aggregate-address address mask [as-set] [summary-only] [suppress-map map] [advertise-map map] [attribute-map map]  

Configures

BGP route aggregation

Default

Disabled

Description

This command configures route aggregation when using BGP. An aggregate route is generated by combining several different routes. The new route covers all the smaller routes with a single route, making the routing table smaller and easier to manage.

address

The IP address of the destination network for the aggregate route.

mask

The network mask for the aggregate route.

as-set

Optional. Generates AS-SET path information.

summary-only

Optional. This keyword causes routes that are more specific than the aggregate address to be suppressed.

suppress-map map

Optional. The map to use to select routes to be suppressed.

advertise-map map

Optional. The map to use to select routes to create AS-SET origin communities.

attribute-map map

Optional. The map to use to set the attributes of the aggregate route.

Example

Say that we're configuring a router for the network 10.10.0.0. Instead of advertising all the routes within this network that we know about (10.10.1.0, 10.10.2.0, etc.), we want to advertise an aggregate address for the whole 10.10.0.0 network:

! BGP configuration router bgp 100 neighbor 10.1.1.1 remote-as 100 neighbor 10.2.2.2 remote-as 200 network 10.10.0.0 ! Without the summary-only keyword, the router would continue to advertise ! the component networks of this summary route. aggregrate-address 10.10.0.0 255.255.0.0 summary-only

alias mode alias-name command  

Configures

Command aliases

Default

None

Description

This command allows you to configure an alias, or abbreviation, for any IOS command.

mode

The mode to which the alias and the command that you are aliasing belong. It can be any of the configuration modes: configuration (for global commands), user, exec, hub, interface, line, map-class, map-list, route-map, router, etc.

alias-name

The name to be assigned to the alias.

command

The IOS command represented by the alias.

Example

To assign the shorthand t1 to the command telnet 10.1.1.1 2001, use the following command:

alias exec t1 telnet 10.1.1.1 2001

area area-id authentication [message-digest] no area area-id authentication  

Configures

OSPF authentication

Default

No authentication

Description

This command enables simple password authentication for an OSPF network. All routers within the OSPF area must be configured to use the same password. The authentication password is set by the ip ospf authentication-key command.

area-id

The area to which this command applies.

message-digest

Enables MD5 authentication for the area.

Example

The following configuration starts an OSPF process using authentication for area 0. The authentication key is letmein.

! Set the OSPF key on interface serial 0 to letmein interface serial 0 ip address 10.100.1.1 255.255.2255.0 ip ospf authentication-key letmein ! router ospf 99 network 10.0.0.0 0.255.255.255 area 0 area 0 authentication

area area-id default-cost cost no area area-id default-cost  

Configures

The OSPF cost for a default summary route

Default

1

Description

This command is used only for an Area Border Router (ABR) to a stub area.

area-id

The area to which the default-cost applies.

cost

The value of the cost. Any 24-bit number can be used.

area area-id nssa [no-redistribution] [default-information-originate] no area area-id nssa  

Configures

An OSPF NSSA

Default

None

Description

A not-so-stubby area (NSSA) is just like a stub area, but shares routing information with an external network that is using a different routing protocol. In other words, it is a stub area with an ASBR router. The remote network becomes an area to your OSPF network, eliminating the need to implement the different routing protocol within the OSPF network. See the OSPF section in Chapter 9 for more information.

area-id

The area to which this command applies.

no-redistribution

Optional. Disables redistribution of normal area routes into the NSSA.

default-information-originate

Optional. Generates type-7 default routes into the NSSA.

area-password password no area-password  

Configures

IS-IS area authentication password

Default

No password authentication

Description

This command enables password authentication for an IS-IS area. The password is transmitted in clear text; it thus provides very little security but may help prevent misconfiguration.

area area-id range address mask no area area-id range address mask  

Configures

OSPF route summarization

Default

None

Description

This command tells the OSPF routing process to summarize selected routes for an area. A single route to the given address is generated, instead of separate routes for the individual networks.

area-id

The area to be summarized.

address

The IP address of the network to summarize.

mask

The mask for the IP address, showing which routes to include in the summary.

Example

The following OSPF configuration summarizes all routes for area 2 into a single route for network 10.0.0.0/8:

router ospf 99 network 10.0.0.0 0.255.255.255 area 2 area 2 range 10.0.0.0 255.0.0.0

area area-id stub [no-summary] no area area-id stub  

Configures

An OSPF stub area

Default

None

Description

This command defines an area to be a stub area. A stub area receives a default summary route from the ABR for destinations outside the autonomous system. The no-summary option makes the area a Totally Stubby network, which restricts LSA Type-3 packets (intra-area summaries) from entering the stubby area.

area-id

The area to define as a stub.

no-summary

Prevents summary link advertisements from entering the stub area.

area area-id virtual-link router-id [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] [authentication-key key] [message-digest-key keyid md5 key] no area area-id virtual-link router-id  

Configures

An OSPF virtual link

Default

None

Description

This command establishes a virtual link that connects a broken OSPF backbone; in OSPF, the backbone must be contiguous. It is useful when a contiguous backbone is not possible. Virtual links can also be used to create an area that does not have a direct link to the backbone (area 0).

area-id

The ID of the area being crossed by the virtual link.

router-id

The ID of the router at the other end of the virtual link.

hello-interval seconds

Optional. The time in seconds between transmission of hello messages by the router over the virtual link. The default is 10 seconds. All routers participating in the same area must have the same hello interval.

retransmit-interval seconds

Optional. The time in seconds that a router waits before retransmitting a link-state announcement (LSA). The default is five seconds. When setting this value, you need to ensure that the time includes the entire round trip of the packet.

transmit-delay seconds

Optional. This is the estimated time, in seconds, that the interface will take to transmit the packet. An LSA's age is decremented by this value before transmission. The default is one second.

dead-interval seconds

Optional. A router is considered down if a hello packet isn't received from it within this interval. All routers participating in the area must have the same dead-interval. The default is 40 seconds.

authentication-key key

Optional. This is the authentication password used for OSPF routing if authentication is enabled. The key can be up to eight bytes long. If you want to use authentication, all routers in the OSPF network must have authentication enabled, and all neighbor routers must use the same key.

message-digest-key keyid md5 key

Optional. This is the authentication key and password to be used by neighboring OSPF routers. The keyid is a number between 1 and 255, and is used to identify this key in subsequent commands. The key is essentially a password; it is a string up to 16 characters long. All neighbor routers must use the same keyid and key.

arp ip-address mac-address type [alias] no arp ip-address mac-address type [alias]  

Configures

Adds a static entry to the ARP table

Default

No static ARP entries are made

Description

This command allows you to place a static entry in the ARP table, which is a dynamic table that maps IP addresses to the corresponding MAC (hardware) addresses. The ip-address and mac-address are simply the IP address and the hardware address for the entry you wish to create. The type argument is the encapsulation type (arpa for Ethernet, smds for SMDS, snap for FDDI and token ring, etc.). The optional alias keyword tells the router to respond to ARP requests as if it were the requested device itself; i.e., the router responds to an ARP request for an aliased device with its own IP address.

arp {arpa | frame-relay | probe | snap} no arp {arpa | frame-relay | probe | snap}  

Configures

Interface-specific handling of ARP requests

Default

ARPA (Ethernet)

Description

This command allows you to specify the type of encapsulation to use for ARP packets on this interface. The types are arpa (Ethernet, the default), frame-relay (ARP over Frame Relay encapsulation), probe (HP Probe protocol), and snap (RFC 1042).

arp timeout seconds no arp timeout seconds  

Configures

The lifetime of an ARP entry in the ARP table

Default

14400 seconds

Description

This command allows you to set the time that an entry will remain in the ARP table. The default is 4 hours.

async-bootp keyword [:hostname] value no async-bootp keyword [:hostname] value  

Configures

BOOTP parameters for async dial-up lines

Default

Disabled

Description

This command assigns a value to a given BOOTP keyword. Table 17-2 shows the BOOTP parameters and their values. Normally, all BOOTP parameters are sent to dial-up hosts requesting BOOTP information. Adding :hostname to a keyword applies the BOOTP variable to a specific requesting host. Other hosts that request BOOTP parameters will not be sent this keyword.

Example

The following commands define the DNS server, subnet mask, and NBNS server to be sent to hosts requesting BOOTP information:

! Configure our bootp items async-bootp subnet-mask 255.255.255.0 async-bootp dns-server 10.1.1.1 async-bootp nbns-server 10.1.1.2

async default ip address address no async default ip address address  

Configures

The IP address used by the connecting (remote) system

Default

None

Description

This command is defunct. Use peer default ip address instead.

async default routing no async default routing  

Configures

Routing on async interfaces

Default

Disabled

Description

By default, routing protocols like RIP, IGRP, EIGRP, and OSPF are not enabled on asynchronous interfaces. This command allows all the routing protocols to be enabled on these interfaces. It can be used to route between offices that are linked by traditional analog modems. Use the no form to disable routing on this interface.

Example

The following commands set up default routing for a dedicated async line:

interface async 2 encapsulation ppp async mode dedicated async default routing

async dynamic address no async dynamic address  

Configures

Dynamic IP addresses on async interfaces

Default

Disabled

Description

Dynamic addressing means that a user connecting to the router for a PPP or SLIP session is allowed to select the interface's IP address using the EXEC mode commands. This feature can be used only when the async mode is interactive.

async dynamic routing no async dynamic routing  

Configures

Dynamic routing on an async interface

Default

Disabled

Description

Dynamic routing means that remote users who connect to this asynchronous interface can enable routing over their PPP or SLIP connections. By default, no dynamic routing is done on an asynchronous interface.

Example

interface async 5 ip tcp header-compression passive async dynamic routing async dynamic address

async mode {dedicated | interactive} no async mode {dedicated | interactive}  

Configures

The mode the user receives when connecting to an async interface

Default

Disabled

Description

The mode can be either dedicated or interactive.

dedicated

The interface is reserved for PPP and SLIP connections. No user prompt ever appears on a dedicated line when a user connects. Instead, the connection parameters are negotiated automatically.

interactive

Users are given a prompt when they connect to this interface. It is up to the user to start PPP or SLIP, or to interact directly with the router from the command prompt. The autoselect command can be used to detect PPP packets on an interactive async line and start PPP automatically. autoselect is not needed on dedicated mode async lines.

Example

On the first interface (async1), we set up a dedicated interface, which means that an IOS prompt doesn't appear when a user connects to the router through this interface. We make the second interface interactive, allowing the user to enter IOS commands and requiring her to start PPP or SLIP manually.

interface async1 peer default ip address 10.10.1.1 async mode dedicated encapsulation ppp ! interface async2 peer default ip address 10.10.1.2 async mode interactive

atm address address no atm address  

Configures

An ATM address

Default

An automatically generated ATM address is assigned

Description

This command assigns a full (20-byte) ATM address or a partial (13-byte) address. Multiple ATM addresses are allowed. The first address in the list is the active address.

atm arp-server {self [timeout minutes] |nsap nsap-address} no atm arp-server {self [timeout minutes] | nsap nsap-address}  

Configures

An ARP server for the network

Default

No ATM ARP server

Description

This command assigns an ARP server for the ATM network. The self keyword identifies the current device as the ARP server. The timeout minutes option specifies the amount of time that an ARP entry is listed before the server tries to verify the entry; the default timeout value is 20 minutes. The nsap nsap-address parameter specifies the NSAP address of the ATM ARP server if the current device isn't acting as the server.

atm esi-address esi.selector no atm esi-address  

Configures

End station ID and selector fields of the ATM NSAP address

Default

None

Description

This command specifies the end station ID (ESI) and the selector byte fields of an ATM address. The ESI is 12 hexadecimal characters; the selector byte field is 2 hexadecimal characters.

atm lecs-address lecs-address[sequence-number] no atm lecs-address  

Configures

The LECS address to be advertised

Default

None

Description

This command configures the address of the LAN Emulation Configuration Server (LECS) for the current interface. If this command isn't in the interface's configuration, the LECS defaults to the server given by atm lecs-address-default. The lecs-address is the NSAP address of the server. The sequence-number provides the position in the address in the LECS table.

atm lecs-address-default lecs-address[sequence-number] no atm lecs-address-default lecs-address  

Configures

The LECS address to be advertised

Default

None

Description

This command configures the address of the LECS. It is a global command; the server specified here is overridden by the interface-specific atm lecs-address command. The lecs-address is the NSAP address of the server. The sequence-number provides the position in the address in the LECS table.

atm nsap-address address no atm nsap-address  

Configures

The NSAP ATM end-system address of the interface

Default

None

Description

This command sets the NSAP address of the interface, which consists of 40 hexadecimal characters.

atm pvc vcd vpi vci encap [peak avg [burst]] [inarp [minutes]] [oam [seconds]] [compress] no atm pvc vcd vpi vci encap [peak avg [burst]] [inarp [minutes]] [oam [seconds]] [compress]  

Configures

Creates an ATM PVC

Default

None

Description

This command creates an ATM Permanent Virtual Circuit (PVC). On recent versions of IOS, it's preferable to use the pvc command, if available. ATM commands are highly hardware-dependent, so the commands available on any particular router vary. For more information on creating PVCs, consult Chapter 6.

vcd

A Virtual Circuit Descriptor, which is a unique number used to identify this particular VPI/VCI pair on the router.

vpi

The Virtual Path Identifier of the PVC. This identifier is unique only to the interface. The value can be from 0 to 255.

vci

The Virtual Channel Identifier of the PVC, which is a value from 0 to 1023. 0 to 31 are typically reserved for specific kinds of management traffic. vpi and vci may not both be 0.

encap

The type of encapsulation used on the line. The encapsulation may be aal5mux (a MUX-type virtual connection), aal5snap (the only encapsulation supported for Inverse ARP), aal1 (used for streaming video), aal5voice (used for voice traffic), ilmi, and qsaal.

peak

Optional, but required for voice circuits. The maximum capacity of the virtual circuit in Kbps. peak ranges from 56 to 10,000. The default is the link's maximum capacity.

avg

Optional, but required for voice circuits. The average rate at which data is sent over the virtual circuit. Legal values are hardware-dependent. The default is the link's maximum capacity.

burst

Optional, but required for voice circuits. The maximum number of ATM cells that the circuit can transmit at its peak rate.

inarp minutes

Optional. This option generates inverse ARP packets on this virtual circuit. minutes specifies the interval between inverse ARP packets, and ranges from 1 to 60; if omitted, minutes defaults to 15.

oam seconds

Optional. This option generates OAM cells on this virtual circuit. seconds specifies the interval at which OAM cells are generated, and ranges from 1 to 600; if omitted, seconds defaults to 10.

compress

Optional. This option compresses traffic over the circuit; hardware compression is used if it's available.

Example

The following commands set up a permanent virtual circuit on an ATM interface.

interface atm0.1 ! assign our interface's IP address ip address 10.10.1.1 255.255.255.0 ! Create pvc 20 with a VPI of 0 and a VCI of 60 atm pvc 20 0 60 aal5snap

ip address atm-vc vci [class class-name] [broadcast] [aal5mux] no ip address atm-vc vci [class class-name] [broadcast] [aal5mux]  

Configures

An ATM PVC

Default

None

Description

This command creates an ATM PVC. The map-list command places you in the map list configuration mode; you must be in this mode to use the atm-vc command.

Note that it is rather bizarre to call this command atm-vc; by normal notions of command naming, it should be called ip. We're following Cisco's usage; in its defense, there are many commands whose names start with ip and have nothing to do with ATM configuration.

address

The destination IP address being mapped to this PVC.

vci

The Virtual Channel Identifier (VCI).

class class-name

Optional. class-name is the name of a table that contains encapsulation-specific parameters.

broadcast

Optional. This specifies that this entry should be used when broadcast packets need to be sent.

aal5mux

Optional. This specifies AAL5 multiplexing encapsulation. The default is snap encapsulation.

Example

The following commands create an ATM map named atm-map1. It establishes a virtual channel with a VCI of 20, which is mapped to the IP address 10.10.2.1; this virtual channel can be used for broadcast.

map-list atm-map1 ip 10.10.2.1 atm-vc 20 broadcast

autobaud [fast] no autobaud  

Configures

Automatic baud rate detection

Default

Disabled

Description

The autobaud command configures a line to select the incoming baud rate automatically. The baud rate must be between 300 and 115,200. There are two limitations to this command:

• Autobaud cannot be used on a connection at rates higher than 19,200 baud when the parity bit is set.
• This command cannot be used on outgoing connections.

The optional fast keyword detects the baud rate with exactly three carriage returns.

Many routers do not support the higher baud rates.

Example

The following commands enable automatic baud rate detection on line 3:

Router(config)#line 3 Router(config-line)#autobaud  

To disable autobaud and to return to the default, use the no form of this command:

Router(config)#line 3 Router(config-line)#no autobaud

autocommand command-string no autocommand  

Configures

Automatic execution of a command upon connection

Default

Disabled

Description

This command forces a specified line command, given by command-string, to be executed automatically when a login session is started. The command string can be any valid command. Use the no form to delete the selected autocommand.

Example

The following code starts PPP automatically after a successful login on line 5:

Router(config)#line tty 5 Router(config-line)#autocommand ppp

autodetect encapsulation {lapb-ta | ppp | v120} no autodetect encapsulation  

Configures

Automatic detection of encapsulation types

Default

No autodetect

Description

This command enables automatic detection of the encapsulation type for ISDN or point-to-point serial links. The interface changes its encapsulation type if it detects that the remote system is using a different configuration. The valid types are lapb-ta (Link Access Procedure Balanced for ISDN), ppp, and v120 (for V.120 on ISDN B channels).

autohangup no autohangup  

Configures

Automatic line disconnect

Default

Disabled

Description

This command tells the router to hang up the line automatically after the session is closed.

auto discovery qos [trust] no auto discovery qos  

Configures

Auto QoS Autodiscovery

Default

Disabled

Description

This command enables the disovery and collecting of data for the configuration of AutoQoS. Using NBAR, this command can analyze the traffic on the network in order to produce a more relevant QoS configuration. You should let this command run a few days in order for the data collection to work. Once the system has collected enough data, disable this command with the no auto disovery qos command and then enable AutoQoS with the auto qos command. To view the QoS policy generated by this command, use the show auto qos command. This command was introduced in IOS 12.3(7)T.

trust

Optional. When used, this keyword tells AutoQoS that the DSCP (Differentiated Service Code Point) values of a packet can be trusted for packet classification. If the trust keyword is not used, AutoQoS relies solely on NBAR for DSCP values.

auto qos [voip] [trust] [fr-atm] no auto qos [voip] [trust] [fr-atm]  

Configures

The AutoQos VoIP feature on an interface

Default

Disabled

Description

This command enables the AutoQoS VoIP feature on an interface.

trust

Optional. Indicates that the DSCP markings are to be trusted for classification of voice traffic.

fr-atm

Optional. Enables this feature for Frame Relay-to-ATM links.

Example

interface serial3/1.102 point-to-point bandwidth 100 ip address 192.168.1.2 255.255.255.0 frame-relay interface-dlci 102 auto qos voip trust fr-dlci

auto secure [management | forwarding] [no-interact]  

Configures

The router for security automatically

Default

Disabled

Description

By using this command, you are telling the router to try to automatically secure as many IP services as it can in order to configure the router as much as possible. This command reduces the complexity of securely configuring your router. For more information on this command, see Chapter 15.

management

Optional. Configure only the management level of the router.

forwarding

Optional. Configure only the packet forwarding part of the router.

no-interact

Optional. No user prompts on any configuration items.

autoselect {arap | ppp | slip| during-login} no autoselect  

Configures

Automatic selection of session type

Default

ARAP sessions

Description

This command configures a line to start the selected session type automatically. The sessions allowed are arap (AppleTalk remote access), ppp, and slip. during-login means that the username and password prompt are presented without a carriage return, and the user must log in normally before autoselection takes place.

Example

The following commands configure the router to start a PPP session automatically on line 10, but only after the user has successfully logged in:

line 10 autoselect ppp autoselect during-login

auto-summary no auto-summary  

Configures

RIP (Version 2), EIGRP, BGP route summarization

Default

Enabled

Description

By default, subnet routes are summarized to "classful" network routes. If you need to advertise subnets across networks, auto-summary must be disabled. To disable auto-summary, use the no form of this command. For more information, consult Chapter 8.

Example

The following configuration disables auto-summary for an EIGRP routing process:

router eigrp 110 network 10.0.0.0 no auto-summary

backup interface interface no backup interface interface backup delay {enable-time | never} {disable-time | never} no backup delay {enable-time | never} {disable-time | never} backup load {enable-load | never} {disable-load | never} no backup load {enable-load | never} {disable-load | never}  

Configures

A backup interface

Default

None

Description

This family of commands configures a backup interface for the current interface. The first command, backup interface, specifies the interface to be used as the backup. The backup interface is activated when the primary interface goes down or reaches the load specified by the backup load command.

The backup delay command specifies how long the router should wait before activating (enable-time) or deactivating (disable-time) the backup interface. Both enable-time and disable-time are in seconds. Use of the backup delay command allows you to prevent routing instability if you have an intermittent interface. The keyword never, when used for the enable-time parameter, prevents the backup interface from being activated; when used for the disable-time parameter, it prevents the backup interface from being deactivated once it has been activated.

The backup load command specifies the load on the primary interface at which the backup interface should be activated (enable-load) or deactivated (disable-load). The load is expressed as a percentage of the primary interface's maximum capacity. The keyword never, when used for the enable-load parameter, prevents the backup interface from being activated; when used for the disable-load parameter, it prevents the backup interface from being deactivated once it has been activated.

Example

This example configures serial1 as a backup interface for serial0. If serial0 goes down for more than five seconds, or if the load on serial0 reaches 70%, the backup interface is activated.

interface serial0 backup interface serial 1 backup delay 5 20 backup load 70 20

bandwidth rate no bandwidth rate  

Configures

The bandwidth value to be used in computing routing metrics

Default

Depends on the interface

Description

This command describes the bandwidth value to the routing protocols that use the bandwidth in computing routing metrics. It does not actually set the bit-rate on the interface itself. It does not affect the speed at which data is transmitted over the link, but does affect how the router selects routes and, therefore, how the link is used.

Example

A T1 connection would be:

bandwidth 1536  

A 56K connection would be:

bandwidth 56

bandwidth {rate | remaining percent value | percent value } no bandwidth {rate | remaining percent value | percent value }  

Configures

Specifies or modifies the bandwidth allocated for a policy map

Default

None

Description

This command specifies the bandwidth in Kbps to be assigned to the class in a policy map. Alternatively, a percentage of the available bandwidth can be specified. The amount configured should be large enough to accommodate the Layer-2 overhead.

rate

The amount of bandwidth in Kbps.

remaining percent

Amount of guaranteed bandwidth, based on a relative percentage of remaining bandwidth. Value can be from 1 to 100.

percent

This is the percentage of available bandwidth to be set aside for this class. Value can be from 1 to 100.

Example

policy-map policy1 class class1 bandwidth percent 80

banner exec delimiter message delimiter no banner exec  

Configures

The banner that is displayed to the user upon successful login

Default

None

Description

This command specifies the message that is displayed after the user has logged in to the router. It is not displayed for reverse-telnet connections. This command defines only the banner message; use the exec-banner command to enable or disable the message. The delimiter marks the beginning and the end of the message; it may be any character that isn't used in the message.

Example

Here's an example of a banner:

Router(config)# banner exec # Welcome to Pyramid #  

You can also do multiple lines:

Router(config)# banner exec # Enter TEXT message. End with the character '#'. Welcome to Pyramid Enjoy your stay #  

To delete the banner:

Router(config)#no banner exec  

By default, this banner is automatically active; disabling the banner requires the use of no exec-banner:

Router(config)#no exec-banner  

Note that disabling the exec-banner also disables the motd-banner.

banner incoming delimiter message delimiter no banner incoming  

Configures

The banner message for all incoming reverse telnet connections

Default

None

Description

This command specifies the message that is displayed to all incoming reverse telnet connections (instead of the exec banner). If you want to disable the message, delete the banner with the no form of this command. The delimiter marks the beginning and the end of the message; it may be any character that isn't used in the message.

Example

Here's how to set a banner:

Router(config)#banner incoming # Welcome to Pyramid #  

You can also do multiple lines:

Router(config)#banner incoming # Enter TEXT message. End with the character '#'. Welcome to Pyramid Enjoy your stay #  

To disable the message, delete it with the following command:

Router(config)#no banner incoming

banner login delimiter message delimiter no banner login  

Configures

The login banner message

Default

None

Description

This command specifies the message that is displayed prior to the login prompt for all connections. This message cannot be disabled. If you do not want it displayed, delete it with the no form of this command. The delimiter marks the beginning and the end of the message; it may be any character that isn't used in the message.

Example

Here's an example of a login banner:

Router(config)#banner login # Restricted Access #  

To disable this message, delete it with the following command:

Router(config)#no banner login

banner motd delimiter message delimiter no banner motd  

Configures

The banner that is displayed before the login prompt

Default

None

Description

This command specifies the message that is displayed as the message of the day, the very first message displayed to an incoming connection. This command defines only the message; the motd-banner command enables or disables the display. The delimiter marks the beginning and the end of the message; it may be any character that isn't used in the message.

Example

The following commands create a message-of-the-day banner and enable its display:

Router(config)# banner motd # All routers will be rebooted at Sunday 10AM # Router(config)# motd-banner  

The motd-banner command isn't strictly necessary, since the display is enabled by default. To disable the display, use the no motd-banner command:

Router(config)#no banner motd

bgp always-compare-med no bgp always-compare-med  

Configures

BGP route selection

Default

Disabled

Description

This command allows the comparison of the multi-exit discriminator (MED) for paths, regardless of which autonomous system the path comes from.

bgp bestpath as-path ignore no bgp bestpath as-path ignore  

Configures

BGP route selection

Default

Disabled

Description

This command prevents the router from considering the autonomous system path (as-path) when selecting routes.

bgp bestpath med-confed no bgp bestpath med-confed  

Configures

BGP route selection

Default

Disabled

Description

This command enables MED comparison among paths from confederation peers.

bgp bestpath missing-as-worst no bgp bestpath missing-as-worst  

Configures

BGP route selection

Default

Disabled

Description

By default, routers give a route with a missing MED a value of 1, which causes that route to be considered the best path. This command causes the router to assign a value of infinity to the missing MED, which makes the route the least desirable of all the routes. For more information on MED values, consult Chapter 10.

bgp client-to-client reflection no bgp client-to-client reflection  

Configures

Route reflection

Default

Enabled

Description

A route reflector automatically reflects routes from one BGP client to another. The no form of this command disables route reflection. Route reflection isn't needed if the clients already have fully meshed IBGP connections, because the clients will learn their routes directly from each other.

bgp cluster-id id no bgp cluster-id id  

Configures

Cluster ID of a route reflector

Default

Router ID

Description

This command specifies the cluster ID (id) for a BGP router. When you have one route reflector, its cluster ID is normally its router ID. If there is more than one route reflector in a cluster, they must all have the same cluster ID. In this case, you would use the bgp cluster-id command to specify the ID explicitly. A cluster ID is four bytes long.

Example

The following BGP configuration creates a BGP process for autonomous system 10. This router is designated as a route reflector. We set its cluster ID explicitly, because there is presumably more than one route reflector in the cluster.

router bgp 10 network 10.200.200.1 route-reflector bgp cluster-id 10000

bgp confederation identifier as no bgp confederation identifier as  

Configures

AS number of the confederation

Default

None

Description

This command specifies the autonomous system (AS) number for a confederation. A confederation is a group of small autonomous systems that appear to the world as a single large autonomous system. The autonomous system number for the confederation is set to as.

bgp confederation peers as [as] no bgp confederation peers as [as]  

Configures

A BGP confederation

Default

None

Description

This command lets you list the AS numbers that belong to the confederation.

Example

router bgp 1000 bgp conferation peers 1001 1002 1003 1004

bgp dampening [half-life reuse suppress max-suppress-time] [route-map map] no bgp dampening [half-life reuse suppress max-suppress-time] [route-map map]  

Configures

BGP dampening settings

Defaults

half-life, 15 min; reuse, 750; suppress, 2000; max-suppress-time, 60 min

Description

This command allows you to specify the route dampening values for BGP. Dampening allows you to control "route flap," which is routing instability that results from a route making repeated transitions.

half-life

The time in minutes after which a penalty is decreased by half.

reuse

If the penalty for a flapping route increases to this value, the route can be reused.

suppress

When the penalty exceeds this limit, the route is suppressed.

max-suppress-time

The maximum amount of time a route can be suppressed; this should be about four times the half-life.

route-map map

A route map that controls which routes are selected for route dampening.

bgp default local-preference value no bgp default local-preference value  

Configures

BGP local preference

Default

100

Description

This command allows you to set the local preference to value. The higher the preference, the better the path. Acceptable values range from 0 to 4,294,967,295.

bgp default route-target filter no bgp default route-target filter  

Configures

BGP route-target community filtering

Default

Enabled

Description

When the no form of this command is used, all received VPN IPv4 routes are accepted. If the router is an autonomous system border or customer edge router, this is the desired behavior.

bgp deterministic med no bgp deterministic med  

Configures

BGP route selection

Default

Disabled

Description

By default, the router does not compare the MED values for paths learned from different autonomous systems within the same confederation. This command allows you to enable MED comparison for routes learned from different autonomous systems within the same confederation.

bgp fast-external-fallover no bgp fast-external-fallover  

Configures

BGP fast failover

Default

Enabled

Description

This command enables the router to reset the BGP sessions of any direct peers immediately if the link that connects the router to the peer goes down.

bgp log-neighbor-changes no bgp log-neighbor-changes  

Configures

BGP logging

Default

Disabled prior to IOS 12.1

Description

This command allows you to log changes in the status of BGP neighbors.

bgp-policy {source | destination} {ip-prec-map | ip-qos-map} no bgp-policy {source | destination} {ip-prec-map | ip-qos-map}  

Configures

Propagation of policy information via BGP

Default

Disabled

Description

This command allows the propagation of policy information that is based on the IP precedence setting via BGP. To enable this properly, you must also configure a route map to set the IP precedence or QoS (quality of service) group ID by using the set ip precedence or set ip qos-group commands.

source

Use the precedence or QoS bit from the source address.

destination

Use the precedence or QoS bit from the destination address.

ip-prec-map

Use IP precedence as the QoS policy.

ip-qos-map

Use the QoS group ID as the QoS policy.

bridge bridge-group acquire no bridge bridge-group acquire  

Configures

Bridge forwarding

Default

Enabled

Description

By default, the router forwards frames from dynamically learned hosts. The no form of this command allows you to change this behavior so that the router only forwards frames from statically configured stations. To create static bridge hosts, use the bridge address command.

bridge bridge-group address mac {forward | discard} [interface] no bridge bridge-group address mac  

Configures

Static bridge hosts

Default

None

Description

This command allows a bridge group to filter packets based on the MAC address.

bridge-group

The bridge group to which this command applies. A bridge group can have a value of 1 to 63. On larger routers, the value can be from 1 to 255.

mac

The MAC address to be filtered.

forward

This keyword tells the router to forward frames from the given MAC address to other interfaces in the bridge group.

discard

This keyword tells the router to discard frames from the given MAC address.

interface

Optional. The interface on which the MAC address can be found.

bridge cmf no bridge cmf  

Configures

Constrained Multicast Flooding (CMF)

Default

Disabled

Description

This command enables CMF for all configured bridge groups.

bridge crb no bridge crb  

Configures

Concurrent Routing and Bridging (CRB)

Default

Disabled

Description

This command allows the router to route and bridge a protocol at the same time but on different interfaces. Unlike Integrated Routing and Bridging (IRB), the routed and bridged interfaces cannot communicate with each other.

bridge bridge-group forward-time seconds no bridge bridge-group forward-time seconds  

Configures

The forward delay interval

Default

30 seconds

Description

This command sets the bridge forwarding delay interval for the interface to seconds. The value of seconds can be from 10 to 200. (Note: Catalysts use 6-40 seconds.)

bridge-group bridge-group no bridge-group bridge-group  

Configures

Makes an interface part of a bridge group

Default

None

Description

This command makes the interface a member of the given bridge group. Use the no form of this command to remove the bridge group from the interface.

bridge-group bridge-group aging-time seconds no bridge-group bridge-group aging-time  

Configures

The time that a dynamic entry remains in the bridge table

Default

300 seconds

Description

This command sets the amount of time in seconds that a dynamic entry can remain in the bridge table. If the entry is updated, the counter starts over. The value can range from 0 to 1,000,000 seconds.

bridge-group bridge-group circuit-group circuit-group no bridge-group bridge-group circuit-group circuit-group  

Configures

Assigns a circuit group to a bridge group for the interface

Default

None

Description

This command assigns a circuit group for a bridge group. It is used only for HDLC encapsulated interfaces.

bridge-group bridge-group input-address-list access-list no bridge-group bridge-group input-address-list access-list  

Configures

Allows an interface to filter based on an access list

Default

None

Description

This command applies an access list to an interface for a bridge group . This access list must filter based on MAC addresses, which means that the access list must be an Ethernet access list with a number between 700 and 799. By applying an access list, you can permit or deny bridging to hosts based on the MAC addresses.

bridge-group bridge-group input-lsap-list access-list no bridge-group bridge-group input-lsap-list access-list  

Configures

An access list for filtering IEEE 802.2 packets

Default

Disabled

Description

This command applies an access list to all IEEE 802.2 packets received on the interface.

bridge-group bridge-group input-pattern access-list no bridge-group bridge-group input-pattern access-list  

Configures

An access list for a bridge group

Default

None

Description

This command applies an access list to incoming packets on an interface for a specific bridge group.

bridge-group bridge-group input-type-list access-list no bridge-group bridge-group input-type-list access-list  

Configures

An access list for a bridge group

Default

None

Description

This command applies an access list to all incoming Ethernet and SNAP frames on an interface for a specific bridge group.

bridge-group bridge-group output-address-list access-list no bridge-group bridge-group output-address-list access-list  

Configures

Filtering based on an access list

Default

None

Description

This command allows you to apply an access list to an interface for a bridge group. This access list can filter based on MAC addresses, which means the access list must be an Ethernet access list numbered 700 through 799. With this command, you can permit or deny bridging to hosts based on the MAC addresses.

bridge-group bridge-group output-lsap-listaccess-list no bridge-group bridge-group output-lsap-list access-list  

Configures

An access list for outgoing IEEE 802.2

Default

Disabled

Description

This command applies an access list to all IEEE 802.2 packets leaving the interface.

bridge-group bridge-group output-pattern access-list no bridge-group bridge-group output-pattern access-list  

Configures

An access list for a bridge group

Default

None

Description

This command applies an access list to outgoing packets on an interface for a specific bridge group.

bridge-group bridge-group output-type-list access-list no bridge-group bridge-group output-type-list access-list  

Configures

An access list for a bridge group

Default

None

Description

This command applies an access list to all outgoing Ethernet and SNAP frames on an interface for a specific bridge group.

bridge-group bridge-group path-cost value no bridge-group bridge-group path-cost value  

Configures

Changes a bridge group's path cost for an interface

Default

Based on the interface's bandwidth setting

Description

This command changes the path cost for an interface, which is usually calculated as 10,000 ÷ bandwidth, where the bandwidth is the value set by the bandwidth command or the default bandwidth for the interface. The value can be from 1 to 65,535. The higher the value, the higher the cost.

bridge-group bridge-group priority value no bridge-group bridge-group priority value  

Configures

Assigns a priority to a bridge group

Default

32,768 for bridges using the IEEE protocol; 128 for bridges using the Digital spanning-tree protocol

Description

This command assigns a priority to an interface within the given bridge-group. value specifies the interface's priority; this must be between 0 and 65,535. A higher priority increases the chance that the interface will be selected as the root bridge.

bridge-group bridge-group spanning-disabled no bridge-group bridge-group spanning-disabled  

Configures

Use of the spanning-tree algorithm

Default

Enabled

Description

This command disables the spanning-tree algorithm for the given bridge-group. The spanning algorithm can be disabled safely for bridge groups that have no possible loop paths at layer 2.

Example

interface ethernet 1 bridge-group 1 bridge-group 1 spanning-disabled

bridge bridge-group hello-time seconds no bridge bridge-group hello-time seconds  

Configures

The interval between hello packets

Default

2 seconds

Description

This command sets the hello interval for the given bridge-group to seconds. The value of seconds can be from 1 to 10.

bridge irb no bridge irb  

Configures

Integrated Routing and Bridging (IRB)

Default

Disabled

Description

Like CRB, IRB allows a router to both route and bridge a single protocol. However, unlike CRB, IRB allows the routed and bridged interfaces to communicate with each other. See also interface bvi.

bridgebridge-group max-age seconds no bridge bridge-group max-age seconds  

Configures

The time to save Bridge Protocol Data Units (BPDUs)

Default

15 seconds

Description

This command sets the maximum time that the router will wait to hear from the root bridge for the given bridge-group. If the router does not hear from the root bridge within this interval, the spanning tree is recomputed. The value of seconds can be from 6 to 200. (Note: Catalysts use 6-40 seconds.)

bridge bridge-group multicast-source no bridge bridge-group multicast-source  

Configures

Bridging to support the forwarding of multicast packets

Default

Disabled

Description

This command permits the given bridge-group to forward multicast packets.

bridge bridge-group priority value no bridge bridge-group priority value  

Configures

The priority of an individual bridge

Default

32768 for bridges using the IEEE protocol; 128 for bridges using the Digital spanning-tree protocol

Description

This command assigns a priority to an individual bridge within the given bridge-group. value specifies the interface's priority; value must be between 0 and 65535. A higher priority increases the chance that an interface will be selected as the root bridge. To set an interface to a specific priority, use the bridge-group priority command.

bridge bridge-group protocol {ieee | dec} no bridge bridge-group protocol {ieee | dec}  

Configures

The spanning-tree protocol

Default

None

Description

This command selects the spanning-tree protocol to use for the bridge-group. Possible values are dec, for the Digital spanning-tree protocol, and ieee, for the IEEE spanning-tree protocol. IEEE is the recommend protocol.

bridge bridge-group route protocol {apollo | appletalk | clns | decnet | ip | ipx | vines | xns} no bridge bridge-group route protocol {apollo | appletalk | clns | decnet | ip | ipx | vines | xns}  

Configures

Routing of a protocol in a bridge group

Default

None

Description

This command enables routing of the given protocol on a specific bridge group. The protocol parameter may be apollo, appletalk, clns, decnet, ip, ipx, vines, or xns.

Example

This example enables routing of both IP and IPX in a CRB environment:

bridge crb bridge 5 protocol ieee bridge 5 route ip bridge 5 ipx

busy-message hostname delimiter message delimiter no busy-message  

Configures

The message displayed when a connection fails

Default

None

Description

This command sets the message that is displayed when a telnet connection to a specific host (given by the hostname parameter) fails. The new message replaces the generic "host failed" message. To disable this message, delete it with the no form of this command. This banner is useful when you want to give the user information about the connection failure. The delimiter marks the beginning and end of the message; it may be any character that is not used in the message.

Example

Router(config)#busy-message sunserver2 # server2 is down, please contact sysadmin at 555-1234 #

cable helper-address ip-address [cable-modem | host ] no cable helper-address ip-address [cable-modem | host ]  

Configures

DHCP destination address

Default

Disabled

Description

This command specifies an IP address of a DHCP server to use for UDP broadcasts from cable modems or other hosts. The cable-modem option specifies that only cable modem UDP broadcasts are forwarded while the host option specifies that only host UDP broadcasts are forwarded.

calendar set hh:mm:ss day month year  

Configures

The system calendar

Description

The calendar is available only on high-end routers. It is an internal clock that continues to run even when the router is powered off. This command allows you to set the calendar to a new time. The month must be a name, for example, june. The year must be a complete four-digit value, for example, 2000.

callback forced-wait seconds no callback forced-wait seconds  

Configures

The time the router waits before a callback

Default

None

Description

This command specifies the amount of time in seconds that the router waits before initiating a callback to a remote modem.

cd [URL]  

Description

This command changes the current working directory within the router's filesystem. The URL is optional; if not provided, the system defaults to the flash: directory. See the copy command for other valid filesystem URLs.

cdp advertise-v2 no cdp advertise-v2  

Configures

Cisco Discovery Protocol (CDP )

Default

Enabled

Description

This command enables Version 2 of CDP, which provides added information. CDP is available only on Cisco routers.

cdp enable no cdp enable  

Configures

Cisco Discovery Protocol (CDP)

Default

Enabled

Description

This command enables CDP on a specific interface. CDP provides information about neighboring Cisco routers. It is a proprietary protocol, and therefore isn't implemented by other router vendors. Use show cdp neighbors to see the output.

Example

interface ethernet0 cdp enable

cdp holdtime seconds no cdp holdtime seconds  

Configures

CDP holdtime

Default

180 seconds

Description

This command sets the amount of time, in seconds, that the router holds CDP packets before discarding them.

cdp run no cdp run  

Configures

Globally enables/disables CDP

Default

Enabled

Description

This command enables CDP on all interfaces.

Example

Router(config)#cdp run

cdp timer seconds no cdp timer seconds  

Configures

CDP update broadcast interval

Default

60 seconds

Description

This command sets the interval, in seconds, at which the router transmits CDP updates to its neighbors.

channel-group channel-number timeslots range [speed kbps] no channel-group channel-number timeslots range [speed kbps]  

Configures

T1 or E1 timeslots

Default

None

Description

This command defines the channel timeslots for a fractional T1 or E1 line. Your service provider determines the timeslots for your lines.

channel-number

A number identifying the communication channel you are defining. For T1 lines, the channel number can be from 0 to 23; for E1 lines, 0 to 30.

timeslots range

A list of timeslots that make up this communication channel. The list can be a series of comma-separated timeslot numbers, or a pair of timeslots separated by a dash to indicate a range. Timeslot numbers range from 1 to 24 on a T1 line; 1 to 31 for E1. A timeslot cannot belong to more than one channel group.

speed kbps

The speed of a single timeslot in Kbps. Allowable values are 48, 56, and 64. 56 is the default for T1; 64 is the default for E1.

Example

When defining the timeslots range, the value can be a single number or a group of ranges separated by commas and hyphens. For example, the following ranges are all valid:

channel-group 3 timeslots 4 channel-group 5 timeslots 4,6-15,24 channel-group 8 timeslots 4-10

channel-group channel-number no channel-group channel-number  

Configures

A Fast EtherChannel group

Default

None

Description

This command allows a Fast Ethernet interface to be part of a Fast EtherChannel group. A Fast EtherChannel group allows multiple point-to-point Fast Ethernet interfaces to act as one logical interface. At most, four Fast Ethernet interfaces can belong to a channel group.

chat-script name script-string no chat-script name script-string  

Configures

A chat script for placing a call over a modem

Default

None

Description

The chat-script command defines the script to use for modem communication when dialing to a remote device. name identifies the chat script for use in other commands; script-string specifies the script itself. The script-string contains a series of expect/send characters that communicate with the modem. Table 17-3 shows special characters and escape codes that can be used in chat scripts . Chat scripts are allowed only on asynchronous interfaces like ASYNC and BRI.

class name no class name  

Configures

Association of a map class with a DLCI

Default

None

Description

This command associates the map class given by name with a Data Link Connection Identifier (DLCI).

class class [available | standard | premium | control] no class class  

Configures

MPLS

Default

Disabled

Description

This command specifies a class that shows how classes map to Label Switched Controlled Virtual Circuits (LVCs ) .

class

The precedence of identified traffic to classify (from 0 to 7).

available

Optional. Means low precedence.

standard

Optional. Means next precedence.

premium

Optional. Means high precedence.

control

Optional. Means highest precedence.

Example

mpls cos-map 50 Class 1 premium

class name no class name  

Configures

The name of a class within a policy

Default

None

Description

This command identifies the name of the class to change or modify within a policy. The policy-map command must be used to enter the policy map configuration mode before entering this command. The maximum number of classes that can be configured for a router is 64.

Example

policy-map policy1 class class1 bandwidth 1000 queue-limit 50 class class2 bandwidth 2000 random-detect

class-map name [ match-all | match-any] no class-map name [ match-all | match-any]  

Configures

A class map to be used for matching packets to a specified class

Default

None

Description

This command creates a class map, which is used for matching packets with a defined class. The name is the class's name as defined in the policy-map. match-all means that all of the following criteria must be met before a packet is marked for the class. match-any means that if any of the following criteria matches, the packet is marked for the class.

The class map consists of a set of criteria defined by the match command.

Example

class-map class1 match-all match input-interface ethernet0 match access-group 100

clear command  

Description

A clear command erases counters for various statistics or performs a reset action. For example, clear line clears an asynchronous line and drops the connection, while clear cdp counters resets the Cisco Discovery Protocol statistics. Table 17-4 summarizes the many clear commands.

client-atm-address atm-address name elan-name no client-atm-address atm-address  

Configures

Adds a LANE client address to the database

Default

None

Description

This command adds a LANE client address to the LAN emulation configuration server's database.

atm-address

Either a complete ATM address or a template that specifies matching ATM addresses. You can create a template by using wildcard characters: an asterisk (*) to match a single character, or an ellipsis (... ) to match any number of leading, middle, or trailing characters. A full address is 20 bytes (40 hex characters) long, and is similar to (though not the same as) an NSAP address.

name elan-name

The name of the emulated LAN. The maximum length of a name is 32 characters.

If you use a template, any name that matches the template is associated with the ELAN. If the given address or template matches addresses that are already in the database, the command has no effect; the database is not changed.

clock calendar-valid no clock calendar-valid  

Configures

Network Time Protocol (NTP)

Default

Disabled

Description

This command tells the router to consider the RTC calendar in hardware to be a valid source of time. This command is valid only on high-end routers (5000, 6000, 7500, 8500, etc.).

clock rate bps no clock rate  

Configures

Clock rate for serial devices

Default

None

Description

By default, no clock rate is configured for any serial devices. This command specifies the bit rate for DCE serial devices in bps. Possible values for bps are 1200, 2400, 4800, 9600, 19200, 38400, 56000, 64000, 72000, 125000, 148000, 500000, 800000, 1000000, 1300000, 2000000, and 4000000.

This command is most useful for connecting routers back-to-back in a lab setting. In this case, the command is required only on the DCE end of the link. You usually don't need this command when connecting to a WAN service because the network provider provides the clockings.

clock read-calendar  

Configures

Calendar time

Description

This command manually updates the calendar time into the router's system clock. It is not a configuration command and is not stored in the router's configuration. Normally, the system clock is updated from the calendar during system boot-up. This command is available only on high-end routers (5000, 6000, 7500, 8500, etc.).

clock set hh:mm:ss day month year  

Description

This command manually sets the router's internal clock. It is not stored in the router's configuration. The time is specified in terms of a 24-hour clock; the year must be a full four digits (for example, 2001).

clock summer-time zone recurring [sweek sday smonth shh:mm eweek eday emonth ehh:mm][offset] clock summer-time zone date sday smonth syear shh:mm eday emonth eyear ehh:mm [offset] no clock summer-time  

Configures

daylight savings time behavior

Default

No daylight savings time

Description

This command tells the router to update for daylight savings time. The recurring form of the command specifies that daylight savings time should be observed at the given time every year. The date form of the command specifies a specific start date and end date for daylight savings time. Use the no form of the command to return to the default, in which daylight savings time is not observed.

zone

The time zone (EDT, CDT, etc.).

sweek, eweek

The week of the month (1, 2, 3, 4, 5, last) on which daylight savings time begins (sweek) or ends (eweek). (This is only used in the recurring form of the command.)

sday, eday

The day on which daylight savings time starts (sday) or ends (eday). For the recurring form of the command, use the actual name of the day (Monday, Tuesday, etc.) For the date form of the command, use a numeric date (1-31).

smonth, emonth

The month in which daylight savings time starts (smonth) or ends (emonth). Use the actual name of the month (September, October, etc.).

syear, eyear

All four digits of the year. syear is the year in which daylight savings time starts; eyear is the year in which it ends (used only in the date form of the command).

shh:mm, ehh:mm

The time in hours and minutes at which daylight savings time starts or ends.

offset

The number of minutes to add for daylight savings time (optional; the default is 60).

Example

The following command sets the time zone to use U.S. rules in the Eastern time zone:

clock summer-time EDT recurring

clock timezone zone hours[minutes] no clock timezone  

Configures

The router's time zone

Default

Coordinated Universal Time (UTC)

Description

This command sets the router's time zone and the number of hours from the UTC. minutes is optional and is also an offset from the UTC.

zone

The time zone (PST, EST, etc.).

hours

The offset from the UTC (a positive or negative integer).

minutes

Optional. The offset from the UTC in minutes (a positive or negative integer).

clock update-calendar  

Configures

Updates the calendar

Description

This command manually updates the calendar from the router's system clock. The calendar is a separate internal clock that continuously runs even if the router is powered off. This command is available only on high-end routers (5000, 6000, 7500, 8500, etc.).

compress {predictor | stac} no compress {predictor | stac}  

Configures

Type of compression used across an interface

Default

None

Description

This command enables compression for the selected interface. Compression can be enabled only for PPP or HDLC encapsulation. Two types of compression are supported:

predictor

Can be used on PPP connections; consumes more of the router's CPU and memory, but less bandwidth.

stac

Can be used on HDLC or PPP connections; consumes more bandwidth, but requires less CPU power.

Compression should not be activated on lines where link speeds are very high or most of the data is already compressed. If the data is already compressed, the router spends valuable CPU cycles for no reason.

When using compression, monitor the router's CPU usage. If the CPU usage is consistently high (65%), compression might be hindering the router.

The same type of compression must be enabled on both ends of the link.

Example

The following commands enable stac compression for the serial1 interface, which uses HDLC encapsulation.

interface serial1 encapsulation hdlc compress stac

config-register value  

Configures

Sets the configuration register

Default

Depends on the product

Description

This command allows the user to change the configuration register. Setting the configuration register is useful for recovering lost passwords and remedying other situations.

value

The value to set in the configuration register. The register is 16 bits wide, so legal values range from 0x0 to 0xFFFF in hexadecimal (0 to 65,535 decimal). Table 17-5 shows the significance of the bits in the configuration register. (There are some differences in bit assignments on different products; check your documentation.)

Since the baud settings are now spread over three different bits (5, 11, and 12), Table 17-6 shows the baud settings for the bits:

configure {terminal | memory | network | overwrite-network}  

Configures

Enters global configuration mode

Description

The conf terminal command places you in configuration mode. conf memory executes the commands stored in memory (essentially a reload of the startup config). Note that the commands conf network and conf overwrite-network have been deprecated; it is now preferable to use copy tftp running-config.

Example

The following command places you in configuration mode; from there, you can enter global configuration commands.

Router#configure terminal Router(config)# ! I can now enter configuration commands!

controller {t1 | e1} slot/port controller {t1 | e1} number  

Configures

T1 or E1 controllers

Default

None

Description

This command places you in the controller mode, allowing you to configure a controller for a T1 or E1 line. slot/port and number identify the controller that you are configuring.

copy source [destination]  

Description

This command allows you to copy system images and configuration files. You can copy files within the router's memory (for example, copy running-config startup-config), or you can copy files to or from a TFTP server or an RCP server. Table 17-7 shows possible values for the source and destination parameters. If you omit the destination, the router will prompt you for it.

Newer versions of IOS also permit the use of URLs. The syntax of a URL can look like this:

tftp:[[//hostname]/path]/filename ftp:[[//[username[:password]@]hostname]/path]/filename rcp:[[//[username@]hostname]/path]/filename scp:[[//[username@hostname]/path/filename  

In each of these URLs, the hostname is simply the hostname or IP address of the end device. TFTP doesn't require a username or password. FTP and RCP can have an optional username and password, which depends on the server configuration.

To use the URL, simply provide the correct hostname and path in the source or destination.

Example

Here are some accepted uses of the copy command:

copy running-config startup-config copy startup-config tftp copy running-config tftp copy flash tftp copy startup-config rcp copy running-config rcp copy flash rcp copy tftp running-config copy tftp://ourserver/newconfig running-config copy ftp://bob:letmein@oursever/newconfig running-config

crc length no crc  

Configures

The length of the CRC checksum

Default

16 bits

Description

This command sets the length (in bits) of the CRC (Cyclic Redundancy Check) on FSIP (Fast Serial Interface Processor) and HIP (HSSI Interface Processor) interfaces. These interfaces are found only on the 7500 series routers. The length must be 16 or 32 bits.

custom-queue-list list-number no custom-queue-list list-number  

Configures

Applies a custom queue list to an interface

Default

None

Description

This command applies a custom queue to the current interface. The list-number must be between 1 and 16. Custom queue lists are used to implement priority-based queuing; they allow you to configure the bandwidth used by a particular type of traffic. To create a queue list, use the queue-list command. If you're configuring a Frame Relay interface, see the frame-relay custom-queue-list command. Queue lists are discussed in Chapter 11.

databits {5 | 6 | 7 | 8}  

Configures

Databits per character

Default

8

Description

This command defines the number of databits per character that are interpreted and generated by the hardware. Possible values are 5, 6, 7, and 8.

Example

The following commands configure TTY 3 for seven databits per character:

Router(config)#line tty3 Router(config-line)#databits 7

data-character-bits {7 | 8}  

Configures

Software databits per character

Default

8

Description

This command defines the number of databits per character that are interpreted and generated by the software. Possible values are 7 and 8.

dce-terminal-timing enable no dce-terminal-timing enable  

Configures

Interface timing

Default

Off (the DCE provides its own clock)

Description

This command prevents phase-shifting of data on high-speed data lines that span long distances. Phase-shifting is prevented by taking the clock from the DTE to provide timing for the DCE. (The DTE's timing is called SCTE.)

debug level undebug level undebug all  

Configures

System debugging

Default

Disabled

Description

This command enables debugging at the specified level. Just about every configuration item within the IOS has a debug level associated with it. The debug ? command gives you an extensive list that allows you to find the debug level that meets your needs.

Be careful in selecting your debug level; you can easily crash a busy router with the incorrect selection. For example, debug ip packet might render a busy router useless until debugging is disabled. See Chapter 16 for more information on using debug correctly. If you get in trouble, issue the command undebug all, which disables all debug output.

Example

Here is the output from debug ip ?:

Router#debug ip ? bgp BGP information cache IP cache operations cgmp CGMP protocol activity dvmrp DVMRP protocol activity egp EGP information eigrp IP-EIGRP information error IP error debugging ftp FTP dialogue http HTTP connections icmp ICMP transactions igmp IGMP protocol activity igrp IGRP information mcache IP multicast cache operations mobile Mobility protocols mpacket IP multicast packet debugging mrouting IP multicast routing table activity ospf OSPF information packet General IP debugging and IPSO security transactions peer IP peer address activity pim PIM protocol activity policy Policy routing rip RIP protocol transactions routing Routing table events rsvp RSVP protocol activity sd Session Directory (SD) security IP security options tcp TCP information udp UDP based transactions  

Though there is a debug all command, using it is not recommended. It produces so much output that it will overwhelm you and the router. Use it only as a last resort.

The undebug all command disables all debugging that is currently enabled.

default-information {in | out} access-list no default-information {in | out}  

Configures

Default routing information

Default

EIGRP announces the default route in both incoming and outgoing updates

Description

When redistributing EIGRP into IGRP, you can use this command to allow (or suppress, using the no form of the command) the redistribution of the default routes or exterior routes from EIGRP. By default, all exterior routes (including default routes) are passed between IGRP and EIGRP.

in

Allows the protocol to receive the default route via redistribution.

out

Allows the protocol to propagate the default route via redistribution.

access-list

The number or name of a simple access list that permits or denies the default routes you want to propagate.

Example

The following commands prevent IGRP from receiving exterior or default routes via redistribution from EIGRP.

router igrp 109 network 10.0.0.0 redistribute eigrp 100 no default-information in  

To disable the default routes in outgoing updates, use the no form of the command.

router eigrp 100 network 10.0.0.0 no default-information out

default-information originate [route-map map] no default information originate  

BGP:

default-information originate no default-information originate  

OSPF:

default-information originate [always] [metric metric-value] [metric-type type] [route-map map] no default-information originate [always] [metric metric-value] [metric-type type] [route-map map]  

Configures

Redistribution of the default route

Default

Disabled

Description

This command allows the protocol to propagate the default route (0.0.0.0). The use of a route map, map, tells the router to inject the default route if the route map's conditions are met.

For OSPF, this command tells an Autonomous System Border Router (ASBR) to inject a default route into the OSPF domain. When used with OSPF, this command has the following additional parameters.

always

Optional. Specifies to advertise the route even if the software does not have a default route.

metric metric-value

Optional. The metric value of the default route. The default metric is 10.

metric-type metric-type

Optional. Defines the link type associated with the default route. Possible values are 1 (Type-1 external route) and 2 (Type-2 external route; the default).

route-map map

Optional. Defines the route map to use for the default route. The route is advertised only if the route map is successful. This option can be used to set a different default metric depending on the host to which the route is sent.

Example

! BGP router bgp 150 default-information orginate ! ! Ospf router ospf 110 default-information originate metric 100 metric-type 1

BGP:

default-metric number no default-metric number  

RIP:

default-metric number no default-metric  

IGRP/EIGRP:

default-metric bandwidth delay reliability loading mtu no default metric bandwidth delay reliability loading mtu  

OSPF:

default-metric number no default-metric number  

Configures

Default metric for routes learned from a different routing protocol

Default

Depends on the protocol

Description

When redistributing routes from one routing protocol to another, the metrics used by the different protocols are not compatible. This command allows you to set the metric values for routes learned from other protocols.

For RIP and OSPF, this command simply sets the metric value to number.

For BGP, this command sets the value for the multi-exit discriminator (MED) metric to number.

For IGRP and EIGRP, this command sets the default metric for redistributing other protocols into EIGRP. (Note that IGRP and EIGRP have compatible metrics, so the default metric set by this command is not required when distributing routes between these two protocols.) The default metric is computed using the following parameters:

bandwidth

The route bandwidth measured in kilobits per second.

delay

The route delay in microseconds.

reliability

An estimate of the reliability of packet transmission on this link. It must be a value between 0 and 255; 255 indicates 100% reliability and 0 indicates that the link is completely unreliable (no packets are transferred correctly).

loading

The effective bandwidth of a route as a fraction of the bandwidth's capacity. This value must be between 0 and 255; 255 indicates 100% loading.

mtu

The maximum transmission unit for this route in octets.

Example

The following commands assign metric 10 to all routes redistributed from OSPF into RIP:

router rip network 192.168.1.0 default-metric 10 redistribute ospf 110  

The following commands provide various parameters for computing an EIGRP metric to be used when redistributing routes from RIP into EIGRP:

router eigrp 101 network 10.0.0.0 redistribute rip default-metric 1000 100 250 100 1500

default-name elan-name no default-name  

Configures

A default ELAN for clients

Default

None

Description

This command sets the default name for the ELAN (Emulated LAN) in the configuration server's database. This name is used for clients who do not have an explicit name set. The name can be up to 32 characters in length and must already be in the configuration server's database. To put a name in the LANE emulation server database, use the commands lane database and name server-atm-address.

delay tens-of-milliseconds no delay  

Configures

Link delay

Default

Depends on the interface type

Description

This command is used to specify the latency of an interface in tens-of-milliseconds. The value is used as input to route metric calculations; it does not set anything on the interface itself.

delete URL  

Description

This command marks a file as deleted in the flash filesystem. The actual behavior of this command depends on the type of filesystem implemented for your router. In a Class-A filesystem, deleted files are only marked for deletion, and can be recovered with the undelete command; the squeeze command permanently deletes the marked files. In a Class-B filesystem, files are deleted immediately, but the space they occupied can't be recovered without erasing the entire filesystem. In a Class-C filesystem, files are deleted immediately, and their space is recovered immediately. Filesystems are described in more detail in Chapter 2.

description text no description  

Configures

A description for the interface

Default

None

Description

This command provides a description for the interface, letting you build some documentation into your IOS configuration. The description is for informational purposes and does not affect the interface's behavior. The description you give appears in the output of some show commands.

Example

interface serial0 description T1 Connection to Baltimore

dialer aaa no dialer aaa  

Configures

AAA for dial-on-demand routing (DDR)

Default

Disabled

Description

This command enables AAA for a dialer interface.

dialer callback-secure no dialer callback-secure  

Configures

Callback security

Default

Disabled

Description

This command enables secure callback dialing on the interface.

dialer callback-server [username] [dialstring] no dialer callback-server  

Configures

An interface to return calls

Default

Disabled

Description

This command enables an interface to return calls. The username keyword tells the router to identify the caller by looking up the authenticated hostname in the dialer map command; this is the default behavior for this command. The dialstring keyword tells the router to identify the caller during callback negotiation.

dialer caller number [callback] no dialer caller number [callback]  

Configures

Caller ID screening

Default

Disabled

Description

This command configures a dialer interface to reject calls that do not match the given number. The number can be any phone number; the character x can be used as a wildcard. The callback keyword enables Caller ID callback; in this case, the incoming call is refused, and the router initiates a call to the Caller ID number. This may help you to manage your telephone charges. This feature is available only on certain routers with special dialer interfaces. A switch that supports Caller ID is also required for this operation. If you enable this feature and do not have the required hardware for Caller ID, all calls are denied.

Example

The following command allows any number from 4,105,554,290 through 4,105,554,299:

dialer caller 410555429x

dialer dtr no dialer dtr  

Configures

Enables DDR and specifies that the modem handles only DTR signaling

Default

None

Description

Configures interfaces that are connected to modems that require DTR (Data Terminal Ready) , and enables DDR. Interfaces configured with this command cannot receive calls; they can only make them.

dialer enable-timeout seconds no dialer enable-timeout  

Configures

The amount of time the interface remains down

Default

15 seconds

Description

Sets the time in seconds that an interface remains down between calls or failed connections.

dialer fast-idle seconds no dialer fast-idle  

Configures

The amount of idle time when there is contention for the line

Default

20 seconds

Description

This command can apply to interfaces or map-class configurations. When used on an interface or a map class, it defines the number of seconds that must pass before a line is disconnected when there is contention for the interface, i.e., when there is traffic waiting for a different destination other than the current connection.

When used for a map class, this command defines the number of seconds to wait before placing another call, and defaults to the fast-idle setting for the interface.

For regular idle-timeouts for a DDR interface, see the dialer idle-timeout command.

Example

Interface configuration:

interface async 5 dialer fast-idle 55  

Map-class configuration:

map-class dialer office dialer fast-idle 55

dialer-group number no dialer-group number  

Configures

Associates an interface with a dialer group

Default

None

Description

This command adds the interface to the dialer group specified by number. An interface can have only one dialer group associated with it. Each dialer group has an associated access list that defines "interesting" traffic for this interface. If the traffic is permitted by the access list, a call is initiated for the interface if the interface is not already connected.

Example

The following commands add the async1 interface to dialer-group 1. access-list 110 specifies the traffic that causes this interface to initiate a call; in this case, ICMP traffic doesn't bring up the connection, but any other IP traffic does. Note that this access list does not block ICMP traffic once the link is up; it just prevents ICMP traffic from bringing it up in the first place.

! Set the interface as part of the dialer group interface async 1 dialer-group 1 ! ! Set the dialer group to use access-list 110 dialer-list 1 list 110 ! ! Configure the access-list for the dialer group access-list 110 deny icmp any any access-list 110 permit ip any any

dialer hold-queue packets timeout seconds no dialer hold-queue packets timeout seconds  

Configures

A queue that holds packets until a dial-up connection is established

Default

Disabled

Description

Instructs the interface to queue traffic until the dial-up connection is completed. By default, queuing is not enabled and packets are dropped until the connection is established.

packets

The number of packets to hold in the queue, waiting for the connection. The value can be set from 0 to 100.

timeout seconds

The period of time after which the connection attempt is determined to have failed, and the waiting packets are discarded.

dialer idle-timeout seconds no dialer idle-timeout seconds  

Configures

The amount of idle time before a connection is disconnected

Default

120 seconds

Description

This command can apply to interfaces or map-class configurations. When used on an interface or a map class, it defines the number of seconds an interface must be idle (no traffic) before the connection is closed. When there is contention for a dialer (i.e., traffic for a destination different from the one to which the interface is currently connected), then the fast idle timeout is used. (See dialer fast-idle.)

Example

Interface configuration:

interface async 4 dialer idle-timeout 300  

Map-class configuration:

map-class dialer office dialer idle-timeout 300

dialer in-band [no-parity | odd-parity] no dialer in-band  

Configures

Dial-on-demand routing (DDR)

Default

Disabled; no-parity is the default when the command is issued with no options

Description

This command configures an interface to support DDR.

no-parity

Optional. Chat scripts to the modem have no parity.

odd-parity

Optional. Chat scripts to the modem have odd parity.

This is not required on BRI interfaces.

dialer isdn [speed value] [spc] no dialer isdn [speed value] [spc]  

Configures

Bit rate used on the B channel

Default

64

Description

This command is for map-class configurations only. It defines the bit rate for the B channel of an ISDN connection and sets up semipermanent connections for the map class.

speed value

Optional. Defines the bit rate in Kbps for the B channel; either 56 or 64. Default is 64.

spc

Optional. Requires the use of ISDN semipermanent connections for this map class (Germany only).

Example

map-class dialer office dialer isdn speed 64

dialer-list grouplist access-list dialer-list group protocol protocol {permit | deny | list} access-list no dialer-list group  

Configures

Assigns an access list to a dialer group

Default

None

Description

The first version of this command specifies a group number and applies the given access list to that group. The access list defines "interesting" traffic for the dialer group. If traffic matches the access list, it is deemed interesting, and the DDR interface establishes a connection (if one hasn't been already established).

group

The dialer group number.

list access-list

The access list that defines interesting traffic for this group.

The second version of this command allows you to specify the traffic that brings up the connection without using an external access list. Its parameters are:

group

The dialer group number.

protocol protocol

The protocol to allow (or reject): ip, ipx, etc.

permit

Permits traffic using this protocol.

deny

Denies the entire protocol.

list access-list

Applies an access list to the protocol. Used to single out ports within the protocol.

Examples

The following commands define a dialer group, assign an interface to that dialer group, and specify that the interface should be brought up if traffic matching access list 110 appears on the interface.

interface async 5 dialer-group 10 ! ! Define the access-list for group 10 dialer-list 10 list 110 ! ! Define the list ( all IP traffic to 10.10.1.0 network) access-list 110 permit ip any 10.10.1.0 0.0.0.255  

The following commands define a dialer group, assign an interface to that dialer group, and specify that the interface should be brought up for any IP traffic. No access list is used.

interface async 5 dialer-group 10 ! ! Define all ip traffic as interesting dialer-list 10 protocol ip permit

dialer load-threshold load [{outbound | inbound | either}] no dialer load-threshold  

Configures

The threshold for opening an additional connection

Default

None

Description

This command defines the threshold at which the router opens an additional connection to obtain more bandwidth. Another connection can be made only if this interface is part of a rotary group. This command can be used only if the interface belongs to a rotary group.

load

The utilization at which another connection to the destination is established. The number can be from 1 to 255 (255 = 100% utilization).

outbound

Optional. Load is considered only for outbound traffic.

inbound

Optional. Load is considered only for inbound traffic.

either

Optional. Default. A new connection is established if the utilization exceeds the given load in either the outbound or inbound direction.

dialer map protocol destination [name hostname] [class name] [broadcast] [spc] [speed {56|64}] [modem-script script-name] [system-script script-name] [dial-string] no dialer map protocol destination [name hostname] [class name] [broadcast] [spc] [speed {56|64}] [modem-script script-name] [system-script script-name] [dial-string]  

Configures

Any non-DTR dialer interface for PPP callback

Default

None

Description

The dialer map command allows an interface to call one or more different sites by mapping a destination address to connection-specific dial strings and connection scripts.

protocol

Names the protocol to use for the connection. Valid values are ip, appletalk, bridge, decnet, ipx, novell, snapshot, vines, and xns.

destination

The destination address to use for this map. The next-hop address of a packet is the destination address in map configurations.

name hostname

Optional. The name of the remote system for the DDR connection.

class name

Optional. Names a map class to use for this mapping. A map class is defined with the map-class command.

broadcast

Optional. Allows broadcast packets to be forwarded over this connection.

spc

Optional. ISDN only; Germany only. Configures a semipermanent connection between the ISDN device and the exchange.

speed speed

Optional. ISDN only. Defines the speed of an ISDN B channel in Kbps. Valid values are 56 and 64. The default value is 64.

modem-script script-name

Optional. Names the modem script to use for dialing the connection. Required only if no dialer string is defined for the interface used.

system-script script-name

Optional. Names the system script to use for logging into the remote system.

dial-string

Optional. This option must be the last entry on the command line. It defines the telephone number to be sent to the dialing device. For multipoint ISDN connections, append the subaddress to the dial string (separated by a colon).

dialer map snapshot seq-number dial-string no dialer map snapshot [seq-number]  

Configures

Snapshot routing

Default

None

Description

This command configures client snapshot routing on a DDR interface.

seq-number

Identifies the dialer map. This number can range from 1 to 254.

dial-string

The telephone number to dial for this snapshot connection.

dialer max-link number no dialer max-link  

Configures

The maximum number of open links that a dialer profile can have to a destination

Default

255

Description

This command sets the maximum number of links that a dialer profile can have open to a single destination at any time. This command can be used only on dialer interfaces. number can be from 1 to 255.

dialer pool pool-number no dialer pool pool-number  

Configures

The dialing pool to use to connect to a specific network

Default

None

Description

Specifies the dialer pool to which a dialer interface belongs. Pool numbers range from 1 to 255. For more information on dialer pools, consult Chapter 12.

Example

The following code configures a dialer interface with an IP address and PPP encapsulation, and assigns the interface to dialer pool 5.

interface dialer1 ip address 10.10.1.0 255.255.255.0 encapsulation ppp dialer pool 5

dialer pool-member pool-number [priority value] [min-link value] [max-link value] no dialer pool-member pool-number  

Configures

Assigns a physical interface to a dialer pool

Default

Disabled

Description

Any interface can belong to a dialer pool. Dialer pools are configured using the dialer interface. This command assigns an interface to a pool.

pool-number

The pool to which the interface is assigned.

priority value

Optional. This value is the interface's priority within the pool. The interface with the highest priority is selected first for dialing out. This value can be from 0 to 255; the default is 0.

min-link value

Optional. This is for ISDN lines; it specifies the minimum number of B channels that are reserved on this interface. The value can be from to 255; the default is 0.

max-link value

Optional. This is for ISDN lines; it specifies the maximum number of B channels that are reserved on this interface. The value can be from to 255; the default is 0.

Example

The following commands assign the ISDN interface BRI1 to dialer pool 1:

interface BRI1 encapsulation ppp dialer pool-member 1 priority 50

dialer priority value no dialer priority value  

Configures

The priority of an interface in a rotary group

Default

0

Description

This command sets the priority of the interface within a rotary group. value can be from 0 to 255. The highest-priority interface is selected first for dialing.

dialer remote-name username no dialer remote-name username  

Configures

The authentication name for the remote router

Default

None

Description

This command sets the username to use when connecting to a remote system with CHAP or PAP authentication.

dialer rotary-group group-number no dialer rotary-group group-number  

Configures

Includes the interface as part of a dialer rotary group

Default

None

Description

This command sets the rotary group for an interface to group-number. The number of the rotary group must match the number of the dialer interface for which the rotary group is defined. The group number can range from 0 to 255.

dialer rotor {priority | best} no dialer rotor {priority | best}  

Configures

The method for selecting the next interface to use to dial out

Default

Disabled

Description

For rotary groups, this command tells the router whether to select the interface with the highest priority (priority) or the interface with the most recent connection success (best).

dialer string string [class dialer-map-name] no dialer string  

Configures

Legacy DDR phone numbers

Default

None

Description

Specifies the dial string for the interface's modem. Table 17-8 shows the codes that can be used in the dialer string. This command is used only for legacy DDR; on modern routers, it's more flexible to use dialer pools or dialer map statements, which allow more than one destination to be called. The class option names the dialer map associated with this dialer string.

dialer wait-for-carrier-time seconds no dialer wait-for-carrier-time  

Configures

The amount of time the interface waits for a carrier

Default

30 seconds

Description

This command sets the maximum amount of time in seconds that the router waits for a carrier when bringing up a dialer interface. It can be used on an interface or map-class configuration.

dialer watch-disable seconds no dialer watch-disable  

Configures

Delay time for the backup interface

Default

Disabled

Description

This command configures the time in seconds to keep the backup link up after the primary link recovers, if the backup link has been brought up by a dialer watch group.

dialer watch-group group-number no dialer watch-group group-number  

Configures

Enables backup DDR for an interface

Default

Disabled

Description

This command is used to configure an interface as a backup DDR link using a watch list. The group-number identifies the watch list that triggers calls on this interface; the interface is brought up if the router doesn't have any routes to the networks listed in the watch list. A watch list is created by the dialer watch-list command; the interface must have a dialer map that corresponds exactly to the networks listed in that command.

dialer watch-list group-number ip address mask no dialer watch-list group-number ip address mask  

Configures

A watch group number assigned to an IP address range

Default

None

Description

This command allows you to define a group of routes based on IP address and mask, and assign that group to a group-number. If no routes to these networks are in the routing table, the router dials a backup connection. Note that this connection is dialed regardless of whether there is any traffic for these destinations; dialing depends only on the existence of a route. This command is used in conjunction with dialer watch-group, dialer watch-disable, and dialer map. Valid group numbers are from 1 to 255.

dir [/all] [filesystem:]  

Description

This command displays the files in the router's filesystem. If you supply a directory as an argument, the command lists the files in that directory; otherwise, it lists the current working directory. Use the /all keyword to list all files, including those marked for deletion.

disable [level]  

Description

This command exits privileged mode and returns the user to user mode. The optional level parameter value ranges from 0 through 15. 0 is the normal user mode; 15 is the privileged user mode. If no level is specified, the user is returned to level 0 (user mode). See the privilege command for more information on setting the level values.

Example

Router# disable Router

disconnect  

Description

This command terminates a background telnet session.

disconnect-character ascii-number no disconnect-character