ip access-group access-list [in | out]
no ip access-group access-list [in | out]
Configures
Assigns an access list to an interface
Default
No access lists defined
Description
This command applies the given access list to the interface in the direction specified (in or out). Access-list commands are discussed in Chapter 7. Each interface can support only one access list in either direction.
Example
The following commands apply access list 110 to filter incoming packets on the serial1 interface, and access list 111 to filter outgoing packets:
interface serial1
ip access-group 110 in
ip access-group 111 out
To remove an access list from an interface, use the no form of this command:
interface serial1
no ip access-group 111 out
If you use the no access-list command instead of no ip access-group, your access list will be deleted. Be sure to use no ip access-group when removing lists from interfaces.
ip access-list
global
ip access-list {standard | extended} name
Configures
Named access lists
Default
None
Description
This command allows you to create a named access list. A named access list is really no different from a numbered access list as defined by the access-list command, except that it is identified by a logical name. A named access list may be either standard or extended. This command is followed by permit and deny commands that specify the access-list rules. For more about access lists, see Chapter 7 and the discussion of the access-list command.
Example
The following commands defines a named access list that allows HTTP traffic from any host to the server at 10.1.2.3 and permits all other TCP traffic that has the SYN flag set:
ip access-list extended bogus-firewall
permit tcp any host 10.1.2.3 eq http
permit tcp any any established
Remember that all access lists end with an implicit deny, which rejects all traffic not permitted by a statement in the access list.
ip accounting
interface
ip accounting [access-violations]
no ip accounting [access-violations]
Configures
IP accounting for an interface
Default
Disabled
Description
This command enables IP accounting based on the source and destination IP addresses that are passing through this router. Traffic that terminates at the router is not logged. The access-violations option enables logging based on access lists. For an access list to log information, the log keyword must be specified at the end of the access-list command.
Example
The following interface has IP accounting enabled and logs access-list violations:
interface serial 1
ip address 10.10.2.3 255.255.255.0
ip access-group 110 in
ip accounting access-violations
! Deny telnet to the outside and log it when someone tries
access-list 110 deny tcp 10.10.2.0 0.0.0.255 any eq 23 log
access-list 110 permit ip any any
ip accounting-list
global
ip accounting-list address mask
no ip accounting-list address mask
Configures
An accounting filter
Default
None
Description
This command defines an IP address and wildcard mask for use as an accounting filter. Once a filter has been created, traffic is logged only if it matches the filter. If an IP address fails to match this filter, it is considered a transit IP packet and is logged to a separate table. See ip accounting-transits.
Example
The following command logs traffic to and from the 10.10.0.0 network:
ip accounting-list 10.10.0.0 0.0.255.255
ip accounting-threshold
global
ip accounting-threshold log-size
no ip accounting-threshold log-size
Configures
The IP accounting log table
Default
512 entries
Description
This command sets the size of the IP accounting table to log-size bytes. Each entry takes up to 26 bytes. Therefore, an accounting table defined at 100 entries could consume up to 2600 bytes of memory. This calculation should be kept in mind when defining new thresholds, as memory usage has adverse affects on the router.
Example
To double the accounting buffer:
ip accounting-threshold 1024
ip accounting-transits
global
ip accounting-transits number
no ip accounting-transits
Configures
The table used for logging transit IP addresses
Default
None
Description
This command sets the size of the table for transit IP accounting to number entries. A transit IP packet is any packet with a source or destination that does not match the filter defined in the ip accounting-list command. If no accounting filters are defined, there are no transit IP packets.
Example
To set the transit table to 200 entries:
ip accounting-transits 200
ip address
interface
ip address address subnet-mask [secondary]
no ip address address subnet-mask [secondary]
Configures
The IP address for an interface
Default
No IP address
Description
This command sets the IP address for the interface to address; the network mask used on the network is subnet-mask. The secondary keyword is used to apply a second (or third, or fourth...) address to an interface. It is allowed only if the interface allows multiple IP addresses.
Example
This command sets the IP address of the ethernet 0 interface to 10.10.1.1 and the subnet mask to 255.255.255.0:
interface ethernet 0
ip address 10.10.1.1 255.255.255.0
The following commands use the secondary keyword to add a second IP address to the ethernet 0 interface:
interface ethernet 0
ip address 10.10.1.1 255.255.255.0
ip address 10.10.2.1 255.255.255.0 secondary
This interface will now answer and provide routing for both the 10.10.1.0/24 and 10.10.2.0/24 subnets.
ip address negotiated
interface
ip address negotiated
no ip address negotiated
Configures
PPP/IPCP address negotiation
Default
Disabled
Description
This command configures an interface to obtain its IP address via PPP.
ip address-pool
global
ip address-pool [dhcp-proxy-client | local]
no ip address-pool
Configures
Default address pooling
Default
Disabled
Description
This command provides an IP address pool to be used on dial-in or ISDN interfaces.
- dhcp-proxy-client
- Optional. The router works as a proxy between the dial-in peers and the DHCP server to provide the address pool.
- local
- Optional. Tells the router to use the local address pool.
ip alias
global
ip alias ip-address port
no ip alias ip-address
Configures
IP address mapping for reverse telnet
Default
None
Description
This command allows you to provide aliases in the form of IP addresses for various ports on the router. This feature is helpful if you are configuring a communication server with reverse telnet.
- ip-address
- The IP address of the port for which you want to establish an alias.
- port
- The port that you want to use as an alias for the IP address.
Example
Say we have a communication server (router) with three ports to which we allow reverse telnet access: 2001, 2002, and 2003. Instead of requiring users to type the router's IP address and the port every time, we assign (alias) an available IP address to each of our ports. The following commands create three IP address aliases (172.30.1.1, 172.30.1.2, and 172.30.1.3):
ip alias 172.30.1.1 2001
ip alias 172.30.1.2 2002
ip alias 172.30.1.3 2003
ip as-path access-list
global
ip as-path access-list access-list {permit|deny} as-regex
no ip as-path access-list access-list {permit|deny} as-regex
Configures
A BGP access list
Default
None
Description
This command allows you to build an access list for BGP autonomous system (AS) paths. These lists can be applied to a neighbor with the filter-list option to the neighbor command. access-list is a number that identifies the list; as-regex is a regular expression that matches AS paths. For more information on valid regular expressions for BGP, see Chapter 10.
Example
The following commands create an AS-path access list that denies (blocks) routes that include AS 111. This access list is then applied to routes that are sent to the BGP neighbor 11.1.1.1.
ip as-path access-list 1 deny _111_
router bgp 120
network 10.1.0.0
neighbor 11.1.1.1 remote-as 200
neighbor 11.1.1.1 filter-list 1 out
ip authentication
interface
ip authentication key-chain eigrp as-number key-chain
no ip authentication key-chain eigrp as-number key-chain
ip authentication mode eigrp as-number md5
no ip authentication mode eigrp as-number md5
Configures
Authentication of EIGRP packets
Default
None
Description
The ip authentication key-chain command defines the key chain to be used for authenticating EIGRP packets. It is used with the ip authentication mode eigrp command, which applies the key chain to the correct EIGRP process. Key chains are defined with the global key chain command.
- as-number
- The EIGRP process to which this key applies.
- key-chain
- The name of an EIGRP key chain.
Example
interface ethernet 0
ip authentication key-chain eigrp 100 key1
ip authentication mode eigrp 100 md5
ip bandwidth-percent eigrp
interface, EIGRP
ip bandwidth-percent eigrp as-number percent-value
Configures
The bandwidth that EIGRP is allowed to use
Default
50 percent
Description
This command sets the bandwidth percentage that EIGRP is allowed to consume on a link. It is particularly useful if the link's bandwidth has been set to a fake value for some reason (such as metrics).
- as-number
- The EIGRP process whose bandwidth is being limited.
- percent-value
- The percentage of the interface's total bandwidth that can be used by EIGRP. The interface's bandwidth is defined by the bandwidth command and may not be the same as the actual bandwidth available on the link. Note that percent-value may be greater than 100; this is useful if the bandwidth has been set to an artificially low value and doesn't reflect the actual capacity of the link.
ip bgp-community new-format
global
ip bgp-community new-format
no ip bgp-community new-format
Configures
Display of the BGP communities
Default
Disabled
Description
This command changes the display of BGP communities from NN:AA to AA:NN.
ip bootp server
global
ip bootp server
no ip bootp server
Configures
Use of a BOOTP server from the network
Default
Enabled
Description
This command enables or disables the router's BOOTP server. Disabling this feature prevents hosts from accessing the BOOTP service on the router; that is, the router won't act as a BOOTP server.
ip broadcast-address
interface
ip broadcast-address address
no ip broadcast-address address
Configures
A broadcast address for an interface
Default
Depends on the settings in the config-register
Description
This command specifies the interface's broadcast address. All hosts on the network to which the interface is connected must use the same broadcast address. Broadcast addresses are usually formed by setting the "host address" portion of the IP address to 1, which is the default for the router and virtually all modern computer systems. Some very old systems may form the broadcast address by setting the host portion to 0, and may be incapable of using the "1" form. In this case, you must explicitly set the broadcast address of the router interface (and all other hosts on the network) to use the older form.
Example
The following code changes the broadcast IP address for serial 0 to 10.10.10.255:
interface serial 0
ip broadcast-address 10.10.10.255
ip cef
global
ip cef [distributed]
no ip cef
Configures
Cisco Express Forwarding (CEF)
Default
Depends on the hardware: disabled on the 7000 and 7200; enabled on the 7500 and 12000
Description
This command enables CEF on the router. CEF is a Layer 3 switching technology that increases network performance for certain types of network traffic. The optional distributed keyword enables distributed CEF (dCEF), which distributes CEF information to line cards on the router.
ip cef traffic-statistics
global
ip cef traffic-statistics [load-interval seconds] [update-rate seconds]
no ip cef traffic-statistics
Configures
Time intervals that control when NHRP creates or destroys an SVC
Default
load-interval is 30 seconds; update-rate is 10 seconds
Description
This command sets the intervals that NHRP uses when building or tearing down an SVC. The load-interval is used in conjunction with the ip nhrp trigger-svc command; its value can range from 30 to 300 seconds. The update-rate is the frequency, in seconds, at which the port adapter sends statistics to the route processor (RP). When using NHRP in distributed CEF switching mode, the update rate must be set to 5 seconds.
ip classless
global
ip classless
no ip classless
Configures
IP classless routing for the router
Default
Depends on the IOS version
Description
This command enables routing based on "classless" addresses. With classless routing, packets can be routed if the router knows a route for a supernet of the addressee. Without classless addressing, the packet is discarded if it arrives at the router and there is no network route for its destination. Assume that a packet arrives with the destination of 10.10.1.5, but we have routes only for 10.10.2.0/24, 10.10.3.0/24, and 10.10.0.0/16. With IP classless routing enabled, the router forwards the packet to the 10.10.0.0/16 network because 10.10.0.0/16 is the best matching supernet of 10.10.1.5.
ip community-list
global
ip community-list number {permit | deny} community
no ip community-list number
Configures
A community list for BGP
Default
None
Description
This command defines a community list, which is basically an access list for a BGP community. A community list can be used with the match community command in a route-map configuration.
- number
- A value identifying the community list that this command belongs to. Values can be 1 to 99.
- permit | deny
- Permits or denies the given community.
- community
- The community to permit or deny. This parameter may be a community number between 1 and 99, or one of the default community names (internet, no-export, no-advertise).
Example
ip community-list 1 permit internet
ip default-gateway
global
ip default-gateway address
no default-gateway address
Configures
The default gateway for the router
Default
None
Description
This command establishes address as the router's default gateway, which is the gateway to which nonlocal packets are forwarded in the absence of a better route. It is useful if the no ip routing command has been issued or if you are running from boot mode, in which IP routing is disabled. This command allows you to forward traffic to the default gateway when routing is disabled. Use the no form of this command to remove the entry from the router's configuration.
ip default-network
global
ip default-network network
no ip default-network network
Configures
Gateway of last resort
Default
None
Description
This command defines a gateway of last resort. The network argument is a network address; any route to the network becomes the default route. For RIP, this is the 0.0.0.0 route; for OSPF, it is an external route.
ip dhcp-server
global
ip dhcp-server address
no ip dhcp-server address
Configures
The DHCP server for the router to use
Default
None
Description
Specifies the address of the DHCP server for this router. You can provide the hostname of the DHCP server instead of its IP address. This DHCP server is then used for creating address pools with the ip address-pool command.
ip directed-broadcast
interface
ip directed-broadcast [access-list]
no ip directed-broadcast
Configures
Broadcast forwarding
Default
Enabled (disabled for IOS 12.0 and later)
Description
By default, the router automatically translates directed broadcasts to physical broadcasts within your network. In other words, Layer 3 broadcasts to the IP broadcast address (10.10.1.255 for the subnet 10.10.1.0/24) are translated into Layer 2 broadcasts with an address appropriate for the interface (e.g., ff:ff:ff:ff:ff:ff for an Ethernet interface).
While this can be useful, an interface that is configured to the outside world could allow a potential hacker to flood your network by pinging the broadcast address on your interface. It is recommended that directed-broadcast is disabled on your external interfaces to prevent this attack from occurring. Directed broadcast is also the primary mechanism used for the "smurf" attack. It is recommended that you disable directed broadcast on all your interfaces unless you have a very good reason to use it.
Example
To disable directed broadcasts:
interface serial 0
no ip directed-broadcast
ip domain-list
global
ip domain-list domain
no ip domain-list domain
Configures
The domain names for the router
Default
None
Description
This command allows you to define a series of domain names to be used (in turn) to complete an unqualified domain name. It behaves just like the domain-name command except that it allows you to list a series of domains.
Example
These commands set the domain list to mydomain.com, com.com, and mycom.com:
ip domain-list mydomain.com
ip domain-list com.com
ip domain list mycom.com
Use the no form of the command to delete an entry:
no ip domain-list com.com
ip domain-lookup
global
ip domain-lookup
no ip domain-lookup
Configures
DNS lookups for hostnames
Default
Enabled
Description
This command enables the DNS lookup feature. To disable DNS, use the no form of this command. Disabling this feature is useful because you don't usually want the router trying to perform a DNS lookup on every word that you type at the command prompt. (You can accomplish the same thing by enabling transport preferred none on all lines.) Furthermore, if you are having network problems, you may not be able to reach any DNS servers to perform lookups.
Example
To disable DNS lookups:
no ip domain-lookup
ip domain-name
global
ip domain-name domain
no ip domain-name domain
Configures
The domain name for the router
Default
None
Description
This command sets the domain name that the router will use to complete any unqualified domain names.
Example
Here, all unqualified hostnames are taken to be in the mydomain.com domain:
ip domain-name mydomain.com
ip dvmrp accept-filter
interface
ip dvmrp accept-filter access-list [distance] [neighbor-list access-list]
no dvmrp accept-filter access-list
Configures
Incoming filter for DVMRP reports
Default
All reports are accepted with a distance of 0
Description
This command applies an access list to incoming DVMRP reports. The lower the distance, the higher the precedence of the route when computing the Reverse Path Forwarding value.
- access-list
- The number of a standard IP access list (0-99). Routes matching the access list are assigned the given administrative distance. If the access list number is 0 (which is not a legal access list number), all reports are accepted with the given administrative distance.
- distance
- Optional. The administrative distance to be assigned to routes matching the filter. Default is 0.
- neighbor-list list
- Optional. The number of a standard IP access list (1-99). DVMRP reports are accepted only from neighbors who match this access list.
ip dvmrp auto-summary
interface
ip dvmrp auto-summary
no ip dvmrp auto-summary
Configures
DVMRP auto summarization
Default
Enabled
Description
Auto summarization occurs when a route is summarized into a classful network route. Use the no form of this command to disable it, which you will want to do if you are using the ip dvmrp summary-address command.
ip dvmrp default-information
interface
ip dvmrp default-information {originate | only}
no dvmrp default-information
Configures
Advertises a default route to DVMRP neighbors
Default
Disabled
Description
This command causes the default route (0.0.0.0) to be advertised to DVMRP neighbors.
- originate
- Routes more specific than 0.0.0.0 can be advertised.
- only
- Only the default route is advertised.
ip dvmrp metric
interface
ip dvmrp metric metric [list access-list] [[protocol process-id] | [dvmrp]
no ip dvmrp metric
Configures
Metrics for DVMRP
Default
1
Description
This command lets you specify a metric to be used with the DVMRP routing protocol. The specified metric is assigned to multicast destinations that match the access list.
- metric
- The metric associated with DVMRP reports; it can range from 0 to 32. 0 means the route is not advertised; 32 means that the route's destination is unreachable.
- list access-list
- Optional. If used, this metric is assigned only to multicast destinations that match the access list.
- protocol
- Optional. bgp, eigrp, igrp, isis, ospf, rip, static, or dvmrp.
- process-id
- Optional. The process ID of the routing protocol, if required.
- dvmrp
- Optional. Allows routes from the DVMRP routing table to be advertised with the configured metric route map.
ip dvmrp metric-offset
interface
ip dvmrp metric-offset [in | out] value
no ip dvmrp metric-offset
Configures
Metrics of advertised DVMRP routes
Default
in; the default value for in is 1; for out is 0
Description
This command allows you to increment the metric for DVMRP routes. The given value is added to either metrics received (in) or metrics sent (out) by the router.
ip dvmrp output-report-delay
interface
ip dvmrp output-report-delay milliseconds [burst-packets]
no ip dvmrp output-report-delay
Configures
Interpacket delay of a DVMRP report
Default
100 milliseconds; 2 burst packets
Description
This command sets the number of milliseconds that elapse between packets of a DVMRP report.
- milliseconds
- Number of milliseconds between transmission of packets.
- burst-packets
- Optional. The number of packets in the set being transmitted.
ip dvmrp reject-non-pruners
interface
ip dvmrp reject-non-pruners
no ip dvmrp reject-non-pruners
Configures
Peering with DVMRP non-pruners
Default
Disabled
Description
When enabled, this feature tells the interface not to peer with DVMRP hosts that do not support pruning. By default, the router will peer with all DVMRP neighbors.
ip dvmrp routehog-notification
global
ip dvmrp routehog-notification route-count
no ip dvmrp routehog-notification
Configures
Number of routes accepted before a syslog message is generated
Default
10,000
Description
This command sets the number of DVMRP routes that can be accepted within one minute to route-count. If more than this number of routes is accepted within a minute, the router generates a syslog message. This usually helps capture any router that is misconfigured and injecting too many routes.
ip dvmrp route-limit
global
ip dvmrp route-limit count
no ip dvmrp route-limit count
Configures
Number of advertised DVMRP routes
Default
7000
Description
This command sets the limit on the number of DVMRP routes that can be advertised over an interface to count.
ip dvmrp summary-address
interface
ip dvmrp summary-address address mask [metric value]
no ip dvmrp summary-address address mask
Configures
A summary DVMRP route
Default
None
Description
This command configures a summary DVMRP route to be advertised over an interface.
- address
- The IP address of the summary route.
- mask
- The network mask of the summary route.
- metric value
- Optional. The metric to be assigned to the summary address. Default is 1.
ip dvmrp unicast-routing
interface
ip dvmrp unicast-routing
no dvmrp unicast-routing
Configures
DVMRP unicast routing
Default
Disabled
Description
This command enables DVMRP unicast routing on the interface.
ip forward-protocol
global
ip forward-protocol {udp [port] | any-local-broadcast | spanning-tree | turbo-flood}
no ip forward-protocol
Configures
Forwarding of broadcast packets for certain services
Default
Enabled with the ip helper-address command
Description
When the ip helper-address command is configured for an interface, the router "helps" hosts find certain UDP services by forwarding the packets. These services are BOOTP (DHCP), DNS, TFTP, TACACS, TIME, and NetBIOS name and datagram servers. This command allows you to define additional UDP ports that you want forwarded automatically to the helper IP address.
- port
- Optional. Without this parameter, all the default UDP ports listed here are forwarded. This keyword allows you to forward a specific port. You can disable a default port with the no version of this command.
- any-local-broadcast
- Forwards any broadcasts including local subnet broadcasts.
- spanning-tree
- Forwards IP broadcasts that meet the following criteria: First, it must be a MAC level broadcast; second, it must be an IP level broadcast; and third, it must be TFTP, DNS, NetBIOS, ND, TIME, BOOTP, or any other UDP packet specified by an ip forward-protocol udp command.
- turbo-flood
- Speeds up the flooding of UDP datagrams when using the spanning-tree algorithm. This command should be used in conjunction with the ip forward-protocol spanning-tree command.
Example
To forward port 21000 for a specific application:
ip forward-protocol udp 21000
ip ftp passive
global
ip ftp passive
no ip ftp passive
Configures
Passive FTP mode
Default
Disabled (normal FTP)
Description
This command configures the router to use passive FTP. Passive FTP is often used when connecting through firewalls or access lists that block normal FTP connections. With passive FTP, the file transfer occurs on the same port as the initial connection. You may need to use passive FTP when copying a file or image to an FTP server.
ip ftp password
global
ip ftp password [encryption-level] password
no ftp password
Configures
The FTP password
Default
username@routername.domain
Description
This command sets the password to be used for FTP connections. The default password is appropriate for anonymous FTP connections. If you do not use anonymous FTP, you must use this command to provide an appropriate secret password. The encryption-level allows you to encrypt the password within the router's configuration, so people who have access to the configuration file won't learn it. The encryption-level may be 0 or 7; 0 does not encrypt the password, while 7 uses a proprietary (but not particularly strong) encryption scheme.
ip ftp source-interface
global
ip ftp source-interface interface
no ip ftp source-interface
Configures
The FTP source address
Default
The IP address of the interface closest to the destination
Description
This command sets the source address for FTP connections to the IP address of the given interface.
ip ftp username
global
ip ftp username username
no ip ftp username
Configures
The FTP username
Default
anonymous
Description
This command sets the username for FTP connections. If no username is supplied, the router attempts an anonymous FTP file transfer.
Example
The following commands configure the router to use passive FTP with the username saul and the password pleaseletmein.
ip ftp passive
ip ftp username saul
ip ftp password pleaseletmein
ip hello-interval eigrp
interface
ip hello-interval eigrp as-number seconds
no ip hello-interval eigrp as-number seconds
Configures
Hello interval for EIGRP
Default
5 seconds
Description
This command sets the interval at which EIGRP hello discovery packets are sent out on a link. The default value for the hello interval is 5 seconds. On links where latency is high, changing this value to a higher number can be advantageous.
- as-number
- The EIGRP process number (frequently called an AS number).
- seconds
- The interval between hello discovery packets.
ip helper-address
interface
ip helper-address address
no ip helper-address address
Configures
IP address to which certain broadcast UDP packets are forwarded
Default
Disabled
Description
This command sets the helper address to address. The helper address should be the address of a host that can answer UDP requests from other hosts. The router sees these requests broadcasted on a LAN interface and forwards them to the helper address (generally a unicast address) if one is defined. A helper is particularly useful for DHCP requests; without some kind of forwarding, DHCP requires you to have a separate server on every subnet. By itself, this command forwards packets for the BOOTP (DHCP), DNS, TFTP, TACACS, TIME, and NetBIOS name and datagram services. The ip forward-protocol command can be used to forward additional UDP services.
Example
To configure interface ethernet 0 to have a helper address:
interface ethernet 0
ip address 10.10.1.2 255.255.255.0
ip helper address 10.10.2.5
ip hold-time eigrp
interface
ip hold-time eigrp as-number seconds
no ip hold-time eigrp as-number seconds
Configures
Hold time for EIGRP networks
Default
15 seconds
Description
This command defines the number of seconds that a route is held before hearing from a neighbor router. If the router doesn't hear from a neighbor within this time, the routes from that neighbor are considered invalid. The default holdtime is three times the hello interval, which is 15 seconds on most links. Slower links might have a holdtime of 180 seconds and a hello interval of 60 seconds.
- as-number
- The EIGRP process number (frequently called an AS number)
- seconds
- The holdtime for this EIGRP process.
ip host
global
ip host name [tcp-port] address [address]
no ip host name address
Configures
A static hostname that maps to one or more IP addresses
Default
None
Description
This command allows you to define an IP address for a hostname. Each hostname can have up to eight IP addresses associated with it. This is similar to a host file on a workstation (for example, the /etc/hosts file on Unix).
- name
- The name of a host.
- tcp-port
- Optional. The port to connect to on the host when using the telnet command.
- address
- The address assigned to the host.
Example
The following commands define two IP hosts; the second one has two IP addresses:
ip host gateway1 10.10.1.1
ip host gateway2 10.10.1.2 10.10.1.3
ip http
global
ip http server
no ip http server
ip http access-class access-list
no ip http access-class access-list
ip http authentication method
no ip http authentication method
ip http port port
no ip http port port
Configures
Web IOS interface
Default
Disabled; when enabled, listens on port 80
Description
This command configures support for the Web IOS interface software. This feature enables an HTTP server on the router and allows you to configure the router by pointing any web browser at this server. The access-class option lets you specify an access list that limits access to the HTTP server. The port option lets you specify the port on which the server listens.
The acceptable authentication methods are enable, local, tacacs, and aaa.
Example
The following commands enable the web browser interface and specify a non-default port:
ip http server
ip http port 8008
ip identd
global
ip identd
no ip identd
Configures
Identification support
Default
Disabled
Description
This command enables the IDENTD identification protocol. To disable IDENTD, use the no form of the command.
ip igmp access-group
interface
ip igmp access-group access-list version
no ip igmp access-group access-list version
Configures
Controls multicast groups
Default
All groups are enabled; version 2
Description
This command allows you to set an access-list that controls which groups are available on the interface for hosts to join. If a host is in the access list, it will be allowed to join multicast groups. The version parameter changes the IGMP version.
ip igmp helper-address
interface
ip igmp helper-address ip-address
no ip igmp helper-address ip-address
Configures
Forwards IGMP messages to another IP address
Default
Disabled
Description
This command causes all IGMP Host Reports and Leave messages to be sent to the host specified by the ip-address parameter.
ip igmp join-group
interface
ip igmp join-group group-address
no ip igmp join-group group-address
Configures
Has the router join a multicast group
Default
None
Description
This command causes the router to join the multicast group specified by the IP group address on the interface.
ip igmp query-interval
interface
ip igmp query-interval seconds
no ip igmp query-interval seconds
Configures
Query message interval
Default
60 seconds
Description
This command configures the router to send IGMP host-query messages at the specified interval. Changing this value may affect multicast forwarding.
ip igmp query-max-response-time
interface
ip igmp query-max-response-time seconds
no ip igmp query-max-response-time seconds
Configures
Response time advertised in IGMP query packets
Default
10 seconds
Description
This command sets the time in seconds that the responder has to respond to a query before the router deletes the group. This command works only with IGMP Version 2.
ip igmp query-timeout
interface
ip igmp query-timeout seconds
no ip igmp query-timeout seconds
Configures
Query timeout
Default
2 times the query interval
Description
This commmand sets the query timeout period in seconds. This is the time that the router waits after the last querier stops querying, and takes over as the querier.
ip igmp static-group
interface
ip igmp static-group group-address
no ip igmp static-group group-address
Configures
A static igmp group for the router
Default
Disabled
Description
This command enrolls the router in the multicast group specified by the group-address. Unlike the ip igmp join-group command, this command allows packets to the group to be fast-switched out the interface.
ip igmp version
interface
ip igmp version { 1 | 2 }
no ip igmp version
Configures
The IGMP version type
Default
2
Description
This command sets the version number of IGMP supported by the router (1 or 2). Make sure that your hosts support the same version. Version 3 is planned for later releases of the IOS.
ip irdp
interface
ip irdp [multicast | holdtime seconds | maxadvertinterval seconds | minadvertinterval seconds | preference value | address ip-address [preference]]
no ip irdp
Configures
IRDP
Default
Disabled
Description
This command enables ICMP Router Discovery Protocol (IRDP) on an interface. Other hosts on the network can use this protocol to negotiate a default router based on the preference parameter.
This command has many options. Instead of writing a single long command, it's often more convenient to issue a number of shorter commands, each setting one option.
- multicast
- Optional. Tells the router to use the multicast address instead of the broadcast address for IRDP.
- holdtime seconds
- Optional. The time in seconds that advertisements are held. By default, this value is three times the maxadvertinterval.
- maxadvertinterval seconds
- Optional. Sets the maximum interval in seconds between advertisements. The default is 600 seconds.
- minadvertinterval seconds
- Optional. Sets the minimum interval in seconds between advertisements. The default is the maximum interval.
- preference value
- Optional. Sets the preference value for this router, which is used by the routers running IRDP to select the default gateway. The default preference is 0. The higher the preference, the more preferred this router is to hosts.
- address ip-address [preference]
- Optional. Tells the router to generate proxy advertisements for the given ip-address. If you specify a preference, it is associated with the given ip-address. This allows routers that do not run IRDP to participate in router discovery.
Example
interface ethernet0
! Enable IRDP on this interface
ip irdp
! make this router preferred
ip irdp preference 10
ip load-sharing
interface
ip load-sharing [per-packet] [per-destination]
no ip load-sharing [per-packet] [per-destination]
Configures
CEF
Default
per-destination
Description
This command enables load sharing for Cisco Express Forwarding (CEF). By default, CEF uses per-destination load sharing, in which all traffic for a given destination is sent through the same interface. The per-packet keyword changes the behavior of CEF so that packets for the same destination may be sent through different interfaces. This approach makes load sharing more effective because it increases the effective bandwidth between the router and the destination. However, packets might arrive at the destination out of order, requiring the destination host to reassemble them.
ip local policy route-map
global
ip local policy route-map map
no ip local policy route-map map
Configures
Policy routing
Default
None
Description
This command enables local policy routing. In brief, policy routing means using criteria other than the shortest path to the destination (as computed by a routing protocol) for route selection. The map parameter is the name of a route map that specifies the routing policy. Unlike the ip policy command, which applies a routing policy to a single interface, this command applies the policy to traffic originating on the router.
Example
In this example, a route map named map1 states that any traffic that matching access list 101 will be routed to the 10.1.1.1 router. Access list 101 matches all IP traffic destined for network 10.1.5.0/24. The ip local policy command is used to apply this route map, effectively routing all traffic for 10.1.5.0 through 10.1.1.1 regardless of what the routing protocols might tell the router to do. There are many possible reasons for this policy--for example, the traffic for 10.1.5.0 might be highly confidential, and we want to make sure that it passes only through trusted routers.
access-list 101 permit ip 10.1.5.0 0.0.0.255 any
!
ip local policy route-map map1
!
route-map map1
match ip address 101
set ip next-hop 10.1.1.1
ip local pool
global
ip local pool {default | poolname} low-ip-address [high-ip-address]
no ip local pool {default | poolname}
Configures
A pool of IP addresses
Default
None
Description
This command allows you to create a pool of IP addresses that are used when a remote system connects to one of your interfaces. The default pool is the one used if no name is given on the interface.
- default
- Default pool configuration.
- poolname
- The name of the pool you are configuring.
- low-ip-address
- The starting (lowest) IP address in the address pool.
- high-ip-address
- The ending (highest) IP address in the pool. This is optional. If omitted, the only IP address in the pool is the low-ip-address.
Example
! Assign a pool called dialins1 that goes from 172.30.25.10 to 172.30.25.100
ip local pool dialins1 172.30.25.10 172.30.25.100
ip mask-reply
interface
ip mask-reply
no mask-reply
Configures
Responses to ICMP mask request messages
Default
Disabled
Description
By default, the router does not respond to ICMP mask requests. This command enables responses through the interface.
Example
interface ethernet 1
ip mask-reply
ip mroute
global
ip mroute source mask [protocol as-number] {rpf-address | interface} [distance]
no ip mroute source mask [protocol as-number] {rpf-address | interface} [distance]
Configures
A multicast static route
Default
None
Description
This command adds a static multicast route.
- source
- The source IP address.
- mask
- Network mask for the source address.
- protocol as-number
- Optional. The unicast routing protocol you are using, followed by the protocol's process number or autonomous system number, if applicable.
- rpf-address
- The address of the incoming interface for the multicast route. This address can be a host address or a network address.
- interface
- The incoming interface for the route (e.g., serial 0).
- distance
- Optional. This value is used to decide if a unicast, DVMRP, or static route should be used for RPF lookup.
ip mroute-cache
interface
ip mroute-cache
no ip mroute-cache
Configures
IP multicast fast switching
Default
Enabled
Description
This command enables fast switching for multicast routing, which is analogous to the route cache for unicast routing. If disabled with the no form of the command, every packet is switched at the process level.
ip mtu
interface
ip mtu bytes
no ip mtu bytes
Configures
Maximum Transmission Unit (MTU) for the interface
Default
Depends on the interface's media type
Description
This command sets the MTU for the interface to bytes. The MTU is the largest packet size that can be sent over the interface. The default MTU depends on the media type; Table I-2 shows default MTU values for some common media. This command allows you to modify the MTU for any interface. Larger MTU values are more efficient with highly reliable networks; lower MTU values can help if an interface is unreliable, or in situations where protocols do not support fragmentation.
Table I-2:
Default MTU values
|
Interface type
|
Default MTU
|
|
Ethernet/Serial
|
1500
|
|
HSSI/ATM/FDDI
|
4470
|
Example
interface ethernet 0
ip mtu 1250
ip multicast boundary
interface
ip multicast boundary access-list
no ip multicast boundary
Configures
A multicast boundary
Default
None
Description
The access-list defines the multicast boundary, which is used to keep multicast packets from being forwarded out the interface.
ip multicast cache-headers
global
ip multicast cache-headers
no ip multicast cache-headers
Configures
Buffers multicast packet headers
Default
Disabled
Description
This command enables the router to cache IP multicast packet headers. These headers can be viewed with the show ip mpacket command.
ip multicast helper-map
interface
ip multicast helper-map group-address broadcast-address access-list
ip multicast helper-map broadcast multicast-address access-list
no ip multicast helper-map group-address broadcast-address access-list
no ip multicast helper-map broadcast multicast-address access-list
Configures
Multicast tunnelling
Default
None
Description
Use this command to send broadcast packets through a multicast network that connects two or more broadcast-capable networks. At one multicast network, you convert the multicast packets to broadcast packets and send them through the broadcast network, which converts them back to multicast packets at the other end.
- group-address
- Multicast group whose traffic is to be converted to broadcast traffic.
- broadcast
- Specifies that the traffic is going to be converted from broadcast to multicast.
- broadcast-address
- When using the group-address parameter, this parameter specifies the IP address to which to send the broadcast traffic.
- multicast-address
- When using the broadcast option, this variable specifies the multicast address to which converted traffic is sent.
- access-list
- An extended access list that uses the UDP port number to control which broadcast packets will be converted.
Example
The following configuration converts multicast traffic for the multicast group 224.1.1.2 to broadcast traffic using the broadcast address 10.1.1.255 and UDP port 5000:
interface ethernet 0
ip multicast helper-map 224.1.1.2 10.1.1.255 101
ip pim dense-mode
!
! Convert to UDP port 5000
access-list 101 permit any any udp 5000
access-list 101 deny any any udp
!
! Forward UDP port 5000
ip forward-protocol udp 5000
The next configuration is the other end of the tunnel. It converts broadcast traffic on UDP port 5000 to multicast traffic:
interface ethernet 0
ip multicast helper-map broadcast 224.1.1.2 101
ip pim dense-mode
!
! Use access list to convert traffic to UDP
! port 5000
access-list 101 permit any any udp 5000
access-list 101 deny any any udp
!
! Forward udp port 5000
ip forward-protocol udp 5000
ip multicast rate-limit
interface
ip multicast rate-limit {in | out} [video | whiteboard]
[group-list access-list] [source-list access-list] kbps
no ip multicast rate-limit {in | out} [video | whiteboard]
[group-list access-list] [source-list access-list] kbps
Configures
The rate at which a sender can send to a multicast group
Default
No rate limit
Description
This command controls the rate at which hosts matching a source list can send multicast packets to a multicast group.
- in
- The limit applies only to incoming packets.
- out
- The limit applies only to outgoing packets.
- video
- Optional. Rate limit applies only to video traffic.
- whiteboard
- Optional. Rate limit applies only to whiteboard traffic.
- group-list access-list
- Optional. The rate limit applies only to multicast groups that match the access list.
- source-list access-list
- Optional. The rate limit applies only to hosts sending multicast traffic that match the access list.
- kbps
- The total bandwidth, in kbps, that is used for multicast traffic that matches the preceding parameters. Traffic in excess of this rate is discarded. If the rate is set to 0, no traffic is permitted.
ip multicast-routing
global
ip multicast-routing
no ip multicast-routing
Configures
IP multicast routing
Default
Disabled
Description
By default, the router does not forward multicast packets. This command enables multicast routing.
ip multicast ttl-threshold
interface
ip multicast ttl-threshold ttl
no ip multicast ttl-threshold
Configures
TTL threshold of forwarded packets
Default
0
Description
This command configures the TTL threshold for packets that are being forwarded out the interface. Only packets with TTL values greater than the threshold are forwarded. The default value is 0, which means all packets are forwarded. The value of ttl can be from 0 to 255.
ip name-server
global
ip name-server address [address]
no ip name-server address
Configures
DNS server name
Default
None
Description
This command sets the name servers that the router uses for DNS queries. You can specify the addresses of up to 6 different DNS servers on one command line. Because you are configuring domain name service, be sure to use an IP address and not a hostname for the server!
Example
The first line configures one name server; the second line configures six name servers:
ip name-server 10.10.2.5
ip name-server 10.10.1.5 10.10.2.5 10.10.3.5 10.10.4.5 10.10.5.5 10.10.6.5
ip nat
interface
ip nat {inside | outside}
no ip nat {inside | outside}
Configures
IP network address translation (NAT)
Default
Disabled
Description
This command configures an interface for NAT. The translation can occur for inside or outside addresses.
Example
In the following configuration, ethernet0 is our internal network with the internal IP address; serial0 is our external interface to the Internet. The NAT translation should be inside on ethernet0 and outside on serial0.
interface ethernet0
ip address 10.10.1.1 255.255.255.0
