IP Addressing Services Commands

clear ip nhrp

To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, use the clear ip nhrp command in user EXEC or privileged EXEC mode.

clear ip nhrp [vrf {vrf-name | global}] [dest-ip-address [dest-mask] | tunnel number | counters [interface tunnel number] | stats [tunnel number [vrf {vrf-name | global}]]]

Syntax Description

vrf

(Optional) Deletes entries from the NHRP cache for the specified virtual routing and forwarding (VRF) instance.

vrf-name

(Optional) Name of the VRF address family to which the command is applied.

global

(Optional) Specifies the global VRF instance.

dest-ip-address

(Optional) Destination IP address. Specifying this argument clears NHRP mapping entries for the specified destination IP address.

dest-mask

(Optional) Destination network mask.

counters

(Optional) Clears the NHRP counters.

interface

(Optional) Clears the NHRP mapping entries for all interfaces.

tunnel number

(Optional) Removes the specified interface from the NHRP cache.

stats

(Optional) Clears all IPv4 statistic information for all interfaces.

Command Modes

User EXEC (>)

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The clear ip nhrp command does not clear any static (configured) IP-to-NBMA address mappings from the NHRP cache.

Examples

The following example shows how to clear all dynamic entries from the NHRP cache for an interface:


Switch# clear ip nhrp 

clear ipv6 access-list

To reset the IPv6 access list match counters, use the clear ipv6 access-list command in privileged EXEC mode.

clear ipv6 access-list [access-list-name]

Syntax Description

access-list-name

(Optional) Name of the IPv6 access list for which to clear the match counters. Names cannot contain a space or quotation mark, or begin with a numeric.

Command Default

No reset is initiated.

Command Modes

Privileged EXEC (#)  

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The clear ipv6 access-list command is similar to the clear ip access-list counters command, except that it is IPv6-specific.

The clear ipv6 access-list command used without the access-list-name argument resets the match counters for all IPv6 access lists configured on the router.

This command resets the IPv6 global ACL hardware counters.

Examples

The following example resets the match counters for the IPv6 access list named marketing:

Device# clear ipv6 access-list marketing 

clear ipv6 dhcp

To clear IPv6 Dynamic Host Configuration Protocol (DHCP) information, use the clear ipv6 dhcp command in privileged EXEC mode:

clear ipv6 dhcp

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The clear ipv6 dhcp command deletes DHCP for IPv6 information.

Examples

The following example :


Device# clear ipv6 dhcp

clear ipv6 dhcp binding

To delete automatic client bindings from the Dynamic Host Configuration Protocol (DHCP) for IPv6 server binding table, use the clear ipv6 dhcp binding command in privileged EXEC mode.

clear ipv6 dhcp binding [ipv6-address] [vrf vrf-name]

Syntax Description

ipv6-address

(Optional) The address of a DHCP for IPv6 client.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The clear ipv6 dhcp binding command is used as a server function.

A binding table entry on the DHCP for IPv6 server is automatically:

  • Created whenever a prefix is delegated to a client from the configuration pool.

  • Updated when the client renews, rebinds, or confirms the prefix delegation.

  • Deleted when the client releases all the prefixes in the binding voluntarily, all prefixes’ valid lifetimes have expired, or an administrator runs the clear ipv6 dhcp binding command.

If the clear ipv6 dhcp binding command is used with the optional ipv6-address argument specified, only the binding for the specified client is deleted. If the clear ipv6 dhcp binding command is used without the ipv6-address argument, then all automatic client bindings are deleted from the DHCP for IPv6 binding table. If the optional vrf vrf-name keyword and argument combination is used, only the bindings for the specified VRF are cleared.

Examples

The following example deletes all automatic client bindings from the DHCP for IPv6 server binding table:


Device# clear ipv6 dhcp binding

clear ipv6 dhcp client

To restart the Dynamic Host Configuration Protocol (DHCP) for IPv6 client on an interface, use the clear ipv6 dhcp client command in privileged EXEC mode.

clear ipv6 dhcp client interface-type interface-number

Syntax Description

interface-type interface-number

Interface type and number. For more information, use the question mark (?) online help function.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The clear ipv6 dhcp client command restarts the DHCP for IPv6 client on the specified interface after first releasing and unconfiguring previously acquired prefixes and other configuration options (for example, Domain Name System [DNS] servers).

Examples

The following example restarts the DHCP for IPv6 client for Ethernet interface 1/0:


Device# clear ipv6 dhcp client Ethernet 1/0

clear ipv6 dhcp conflict

To clear an address conflict from the Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server database, use the clear ipv6 dhcp conflict command in privileged EXEC mode.

clear ipv6 dhcp conflict {* | ipv6-address | vrf vrf-name}

Syntax Description

*

Clears all address conflicts.

ipv6-address

Clears the host IPv6 address that contains the conflicting address.

vrf vrf-name

Specifies a virtual routing and forwarding (VRF) name.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

When you configure the DHCPv6 server to detect conflicts, it uses ping. The client uses neighbor discovery to detect clients and reports to the server through a DECLINE message. If an address conflict is detected, the address is removed from the pool, and the address is not assigned until the administrator removes the address from the conflict list.

If you use the asterisk (*) character as the address parameter, DHCP clears all conflicts.

If the vrf vrf-name keyword and argument are specified, only the address conflicts that belong to the specified VRF will be cleared.

Examples

The following example shows how to clear all address conflicts from the DHCPv6 server database:


Device# clear ipv6 dhcp conflict *

clear ipv6 dhcp relay binding

To clear an IPv6 address or IPv6 prefix of a Dynamic Host Configuration Protocol (DHCP) for IPv6 relay binding, use the clear ipv6 dhcp relay binding command in privileged EXEC mode.

clear ipv6 dhcp relay binding {vrf vrf-name} {* | ipv6-address | ipv6-prefix}

clear ipv6 dhcp relay binding {vrf vrf-name} {* | ipv6-prefix}

Syntax Description

vrf vrf-name

Specifies a virtual routing and forwarding (VRF) configuration.

*

Clears all DHCPv6 relay bindings.

ipv6-address

DHCPv6 address.

ipv6-prefix

IPv6 prefix.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The clear ipv6 dhcp relay binding command deletes a specific IPv6 address or IPv6 prefix of a DHCP for IPv6 relay binding. If no relay client is specified, no binding is deleted.

Examples

The following example shows how to clear the binding for a client with a specified IPv6 address:


Device# clear ipv6 dhcp relay binding 2001:0DB8:3333:4::5

The following example shows how to clear the binding for a client with the VRF name vrf1 and a specified prefix on a Cisco uBR10012 universal broadband device:

Device# clear ipv6 dhcp relay binding vrf vrf1 2001:DB8:0:1::/64

clear ipv6 eigrp

To delete entries from Enhanced Interior Gateway Routing Protocol (EIGRP) for IPv6 routing tables, use the clear ipv6 eigrp command in privileged EXEC mode.

clear ipv6 eigrp [as-number] [neighbor [ipv6-address | interface-type interface-number]]

Syntax Description

as-number

(Optional) Autonomous system number.

neighbor

(Optional) Deletes neighbor router entries.

ipv6-address

(Optional) IPv6 address of a neighboring router.

interface-type

(Optional) The interface type of the neighbor router.

interface-number

(Optional) The interface number of the neighbor router.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use the clear ipv6 eigrp command without any arguments or keywords to clear all EIGRP for IPv6 routing table entries. Use the as-number argument to clear routing table entries on a specified process, and use the neighbor ipv6-address keyword and argument, or the interface-type interface-number argument, to remove a specific neighbor from the neighbor table.

Examples

The following example removes the neighbor whose IPv6 address is 3FEE:12E1:2AC1:EA32:


Device# clear ipv6 eigrp neighbor 3FEE:12E1:2AC1:EA32

clear ipv6 mfib counters

To reset all active Multicast Forwarding Information Base (MFIB) traffic counters, use the clear ipv6 mfib counters command in privileged EXEC mode.

clear ipv6 mfib [vrf vrf-name] counters [group-name | group-address [source-address | source-name]]

Syntax Description

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

group-name | group-address

(Optional) IPv6 address or name of the multicast group.

source-address | source-name

(Optional) IPv6 address or name of the source.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

After you enable the clear ipv6 mfib counters command, you can determine if additional traffic is forwarded by using one of the following show commands that display traffic counters:

  • show ipv6 mfib

  • show ipv6 mfib active

  • show ipv6 mfib count

  • show ipv6 mfib interface

  • show ipv6 mfib summary

Examples

The following example clears and resets all MFIB traffic counters:


Device# clear ipv6 mfib counters

clear ipv6 mld counters

To clear the Multicast Listener Discovery (MLD) interface counters, use the clear ipv6 mld counters command in privileged EXEC mode.

clear ipv6 mld [vrf vrf-name] counters [interface-type]

Syntax Description

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

interface-type

(Optional) Interface type. For more information, use the question mark (?) online help function.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use the clear ipv6 mld counters command to clear the MLD counters, which keep track of the number of joins and leaves received. If you omit the optional interface-type argument, the clear ipv6 mld counters command clears the counters on all interfaces.

Examples

The following example clears the counters for Ethernet interface 1/0:


Device# clear ipv6 mld counters Ethernet1/0

clear ipv6 mld traffic

To reset the Multicast Listener Discovery (MLD) traffic counters, use the clear ipv6 mld traffic command in privileged EXEC mode.

clear ipv6 mld [vrf vrf-name] traffic

Syntax Description

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Using the clear ipv6 mld traffic command will reset all MLD traffic counters.

Examples

The following example resets the MLD traffic counters:


Device# clear ipv6 mld traffic

Command

Description

show ipv6 mld traffic

Displays the MLD traffic counters.

clear ipv6 mtu

To clear the maximum transmission unit (MTU) cache of messages, use the clear ipv6 mtu command in privileged EXEC mode.

clear ipv6 mtu

Syntax Description

This command has no arguments or keywords.

Command Default

Messages are not cleared from the MTU cache.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

If a router is flooded with ICMPv6 toobig messages, the router is forced to create an unlimited number of entries in the MTU cache until all available memory is consumed. Use the clear ipv6 mtu command to clear messages from the MTU cache.

Examples

The following example clears the MTU cache of messages:


Device# clear ipv6 mtu

clear ipv6 multicast aaa authorization

To clear authorization parameters that restrict user access to an IPv6 multicast network, use the clear ipv6 multicast aaa authorization command in privileged EXEC mode.

clear ipv6 multicast aaa authorization [interface-type interface-number]

Syntax Description

interface-type interface-number

Interface type and number. For more information, use the question mark (?) online help function.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Using the clear ipv6 multicast aaa authorization command without the optional interface-type and interface-number arguments will clear all authorization parameters on a network.

Examples

The following example clears all configured authorization parameters on an IPv6 network:


Device# clear ipv6 multicast aaa authorization FastEthernet 1/0

clear ipv6 nd destination

To clear IPv6 host-mode destination cache entries, use the clear ipv6 nd destination command in privileged EXEC mode.

clear ipv6 nd destination [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The clear ipv6 nd destination command clears IPv6 host-mode destination cache entries. If the vrf vrf-name keyword and argument pair is used, then only information about the specified VRF is cleared.

Examples

The following example shows how to clear IPv6 host-mode destination cache entries:

Device# clear ipv6 nd destination
      

clear ipv6 nd on-link prefix

To clear on-link prefixes learned through router advertisements (RAs), use the clear ipv6 nd on-link prefix command in privileged EXEC mode.

clear ipv6 nd on-link prefix [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use the clear ipv6 nd on-link prefix command to clear locally reachable IPv6 addresses (e.g., on-link prefixes) learned through RAs. If the vrf vrf-name keyword and argument pair is used, then only information about the specified VRF is cleared.

Examples

The following example shows how to clear on-link prefixes learned through RAs:

Device# clear ipv6 nd on-link prefix
      

clear ipv6 nd router

To clear neighbor discovery (ND) device entries learned through router advertisements (RAs), use the clear ipv6 nd router command in privileged EXEC mode.

clear ipv6 nd router [vrf vrf-name]

Syntax Description

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use the clear ipv6 nd router command to clear ND device entries learned through RAs. If the vrf vrf-name keyword and argument pair is used, then only information about the specified VRF is cleared.

Examples

The following example shows how to clear neighbor discovery (ND) device entries learned through RAs:


Device# clear ipv6 nd router
      

clear ipv6 neighbors

To delete all entries in the IPv6 neighbor discovery cache, except static entries and ND cache entries on non-virtual routing and forwarding (VRF) interfaces, use the clear ipv6 neighbors command in privileged EXEC mode.

clear ipv6 neighbors [interface type number [ipv6 ipv6-address] | statistics | vrf table-name [ipv6-address | statistics]]

clear ipv6 neighbors

Syntax Description

interface type number

(Optional) Clears the IPv6 neighbor discovery cache in the specified interface.

ipv6 ipv6-address

(Optional) Clears the IPv6 neighbor discovery cache that matches the specified IPv6 address on the specified interface.

statistics

(Optional) Clears the IPv6 neighbor discovery entry cache.

vrf

(Optional) Clears entries for a virtual private network (VPN) routing or forwarding instance.

table-name

(Optional) Table name or identifier. The value range is from 0x0 to 0xFFFFFFFF (0 to 65535 in decimal).

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The clear ipv6 neighbors command clears ND cache entries. If the command is issued without the vrf keyword, then the command clears ND cache entries on interfaces associated with the default routing table (e.g., those interfaces that do not have a vrf forwarding statement). If the command is issued with the vrf keyword, then it clears ND cache entries on interfaces associated with the specified VRF.

Examples

The following example deletes all entries, except static entries and ND cache entries on non-VRF interfaces, in the neighbor discovery cache:


Device# clear ipv6 neighbors

The following example clears all IPv6 neighbor discovery cache entries, except static entries and ND cache entries on non-VRF interfaces, on Ethernet interface 0/0:


Device# clear ipv6 neighbors interface Ethernet 0/0 

The following example clears a neighbor discovery cache entry for 2001:0DB8:1::1 on Ethernet interface 0/0:


Device# clear ipv6 neighbors interface Ethernet0/0 ipv6 2001:0DB8:1::1

In the following example, interface Ethernet 0/0 is associated with the VRF named red. Interfaces Ethernet 1/0 and Ethernet 2/0 are associated with the default routing table (because they are not associated with a VRF). Therefore, the clear ipv6 neighbors command will clear ND cache entries on interfaces Ethernet 1/0 and Ethernet 2/0 only. In order to clear ND cache entries on interface Ethernet 0/0, the user must issue the clear ipv6 neighbors vrf red command.

interface ethernet0/0
  vrf forward red
  ipv6 address 2001:db8:1::1/64

interface ethernet1/0
   ipv6 address 2001:db8:2::1/64

interface ethernet2/0
   ipv6 address 2001:db8:3::1/64
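
The VRF scoping rule above matters when ND caches have to be flushed everywhere, because a bare clear ipv6 neighbors silently skips VRF interfaces. The following Python sketch is an added example, not part of the Cisco documentation: it reads the configuration shown above and works out which clear command covers which interface. The function names are hypothetical, and treating "vrf forward" as an abbreviation of "vrf forwarding" is an assumption.

```python
import re

# Interface configuration as shown in the example above.
CONFIG = """\
interface ethernet0/0
  vrf forward red
  ipv6 address 2001:db8:1::1/64

interface ethernet1/0
   ipv6 address 2001:db8:2::1/64

interface ethernet2/0
   ipv6 address 2001:db8:3::1/64
"""


def interface_vrfs(config):
    """Map each interface to its VRF name, or None for the default table."""
    vrfs, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            # A top-level line either opens an interface block or ends one.
            m = re.match(r"interface\s+(\S.*)$", line, re.IGNORECASE)
            current = m.group(1).replace(" ", "") if m else None
            if current:
                vrfs[current] = None
            continue
        words = line.split()
        # Assumption: any prefix of "forwarding" is accepted, as in "vrf forward red".
        if (current and len(words) == 3 and words[0].lower() == "vrf"
                and "forwarding".startswith(words[1].lower())):
            vrfs[current] = words[2]
    return vrfs


def clear_commands(config):
    """Group interfaces by the clear command that covers their ND cache."""
    plan = {}
    for ifname, vrf in interface_vrfs(config).items():
        if vrf is None:
            cmd = "clear ipv6 neighbors"
        else:
            cmd = f"clear ipv6 neighbors vrf {vrf}"
        plan.setdefault(cmd, []).append(ifname)
    return plan


def uncovered(config, issued):
    """Interfaces whose ND cache is untouched by the commands already issued."""
    done = {" ".join(cmd.split()) for cmd in issued}
    return sorted(
        ifname
        for cmd, ifnames in clear_commands(config).items()
        if cmd not in done
        for ifname in ifnames
    )


if __name__ == "__main__":
    for cmd, ifnames in clear_commands(CONFIG).items():
        print(f"{cmd:32} -> {', '.join(ifnames)}")
    print("missed by the bare command:", uncovered(CONFIG, ["clear ipv6 neighbors"]))
```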

clear ipv6 nhrp

To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, use the clear ipv6 nhrp command in privileged EXEC mode.

clear ipv6 nhrp [ipv6-address | counters]

Syntax Description

ipv6-address

(Optional) The IPv6 network to delete.

counters

(Optional) Specifies NHRP counters to delete.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

This command does not clear any static (configured) IPv6-to-nonbroadcast multiaccess (NBMA) address mappings from the NHRP cache.

Examples

The following example shows how to clear all dynamic entries from the NHRP cache for the interface:


Device# clear ipv6 nhrp 

clear ipv6 ospf

To clear the Open Shortest Path First (OSPF) state based on the OSPF routing process ID, use the clear ipv6 ospf command in privileged EXEC mode.

clear ipv6 ospf [process-id] {process | force-spf | redistribution}

Syntax Description

process-id

(Optional) Internal identification. It is locally assigned and can be any positive integer. The number used here is the number assigned administratively when enabling the OSPF routing process.

process

Restarts the OSPF process.

force-spf

Starts the shortest path first (SPF) algorithm without first clearing the OSPF database.

redistribution

Clears OSPF route redistribution.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

When the process keyword is used with the clear ipv6 ospf command, the OSPF database is cleared and repopulated, and then the shortest path first (SPF) algorithm is performed. When the force-spf keyword is used with the clear ipv6 ospf command, the OSPF database is not cleared before the SPF algorithm is performed.

Use the process-id option to clear only one OSPF process. If the process-id option is not specified, all OSPF processes are cleared.

Examples

The following example starts the SPF algorithm without clearing the OSPF database:


Device# clear ipv6 ospf force-spf

clear ipv6 ospf counters

To clear the Open Shortest Path First (OSPF) state based on the OSPF routing process ID, use the clear ipv6 ospf command in privileged EXEC mode.

clear ipv6 ospf [process-id] counters [neighbor [neighbor-interface | neighbor-id]]

Syntax Description

process-id

(Optional) Internal identification. It is locally assigned and can be any positive integer. The number used here is the number assigned administratively when enabling the OSPF routing process.

neighbor

(Optional) Neighbor statistics per interface or neighbor ID.

neighbor-interface

(Optional) Neighbor interface.

neighbor-id

(Optional) IPv6 or IP address of the neighbor.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use the neighbor neighbor-interface option to clear counters for all neighbors on a specified interface. If the neighbor neighbor-interface option is not used, all OSPF counters are cleared.

Use the neighbor neighbor-id option to clear counters at a specified neighbor. If the neighbor neighbor-id option is not used, all OSPF counters are cleared.

Examples

The following example provides detailed information on a neighbor router:


Device# show ipv6 ospf neighbor detail
 Neighbor 10.0.0.1
    In the area 1 via interface Serial19/0
    Neighbor:interface-id 21, link-local address FE80::A8BB:CCFF:FE00:6F00
    Neighbor priority is 1, State is FULL, 6 state changes
    Options is 0x194AE05
    Dead timer due in 00:00:37
    Neighbor is up for 00:00:15
    Index 1/1/1, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec

The following example clears all neighbors on the specified interface:


Device# clear ipv6 ospf counters neighbor s19/0

The following example now shows that there have been 0 state changes since the clear ipv6 ospf counters neighbor s19/0 command was used:


Device# show ipv6 ospf neighbor detail
 Neighbor 10.0.0.1
    In the area 1 via interface Serial19/0
    Neighbor:interface-id 21, link-local address FE80::A8BB:CCFF:FE00:6F00
    Neighbor priority is 1, State is FULL, 0 state changes
    Options is 0x194AE05
    Dead timer due in 00:00:39
    Neighbor is up for 00:00:43
    Index 1/1/1, retransmission queue length 0, number of retransmission 1
    First 0x0(0)/0x0(0)/0x0(0) Next 0x0(0)/0x0(0)/0x0(0)
    Last retransmission scan length is 1, maximum is 1
    Last retransmission scan time is 0 msec, maximum is 0 msec
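
Once the counters are cleared, the "state changes" value becomes a baseline: any non-zero value in a later sample means the adjacency has moved since the clear. The following Python sketch is an added example, not part of the Cisco documentation. It parses the two outputs shown above (trimmed to the lines it reads) plus one constructed later sample; the function names and the prefix matching of abbreviated interface names such as s19/0 are assumptions.

```python
import re

# Trimmed copies of the two "show ipv6 ospf neighbor detail" outputs above.
BEFORE_CLEAR = """\
Device# show ipv6 ospf neighbor detail
 Neighbor 10.0.0.1
    In the area 1 via interface Serial19/0
    Neighbor:interface-id 21, link-local address FE80::A8BB:CCFF:FE00:6F00
    Neighbor priority is 1, State is FULL, 6 state changes
    Neighbor is up for 00:00:15
"""
AFTER_CLEAR = """\
Device# show ipv6 ospf neighbor detail
 Neighbor 10.0.0.1
    In the area 1 via interface Serial19/0
    Neighbor:interface-id 21, link-local address FE80::A8BB:CCFF:FE00:6F00
    Neighbor priority is 1, State is FULL, 0 state changes
    Neighbor is up for 00:00:43
"""
# Constructed sample (not from the page): same neighbor some time after the clear.
LATER_SAMPLE = """\
 Neighbor 10.0.0.1
    In the area 1 via interface Serial19/0
    Neighbor priority is 1, State is EXSTART, 4 state changes
"""

NEIGHBOR_RE = re.compile(r"^\s*Neighbor (\S+)\s*$")
AREA_RE = re.compile(r"In the area (\S+) via interface (\S+)")
STATE_RE = re.compile(r"State is ([^,]+), (\d+) state changes?")
IFNAME_RE = re.compile(r"^([A-Za-z-]+)\s*([\d/.:]+)$")


def parse_neighbors(text):
    """Return {(neighbor_id, interface): record} for each neighbor block."""
    records, current = [], None
    for line in text.splitlines():
        m = NEIGHBOR_RE.match(line)
        if m:
            current = {"neighbor_id": m.group(1), "interface": None,
                       "area": None, "state": None, "state_changes": None}
            records.append(current)
            continue
        if current is None:
            continue  # prompt line or banner before the first neighbor
        m = AREA_RE.search(line)
        if m:
            current["area"], current["interface"] = m.groups()
        m = STATE_RE.search(line)
        if m:
            current["state"] = m.group(1).strip()
            current["state_changes"] = int(m.group(2))
    return {(r["neighbor_id"], r["interface"]): r for r in records}


def same_interface(cli_name, full_name):
    """True if an abbreviated CLI name (s19/0) refers to full_name (Serial19/0)."""
    a = IFNAME_RE.match(cli_name.strip())
    b = IFNAME_RE.match(full_name.strip())
    if not a or not b:
        return cli_name.strip().lower() == full_name.strip().lower()
    # Assumption: the type may be shortened to a prefix; the number must match.
    return (b.group(1).lower().startswith(a.group(1).lower())
            and a.group(2) == b.group(2))


def not_cleared(sample, interface):
    """Neighbors on `interface` whose counter is still non-zero after the clear."""
    return sorted(key for key, rec in parse_neighbors(sample).items()
                  if same_interface(interface, key[1]) and rec["state_changes"] != 0)


def changed_since_clear(sample):
    """(key, state, state_changes) for every neighbor that moved since the clear."""
    return sorted((key, rec["state"], rec["state_changes"])
                  for key, rec in parse_neighbors(sample).items()
                  if rec["state_changes"])


if __name__ == "__main__":
    print("not cleared on s19/0:", not_cleared(AFTER_CLEAR, "s19/0"))
    print("changed since clear:", changed_since_clear(LATER_SAMPLE))
```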

clear ipv6 ospf events

To clear the Open Shortest Path First (OSPF) for IPv6 event log content based on the OSPF routing process ID, use the clear ipv6 ospf events command in privileged EXEC mode.

clear ipv6 ospf [process-id] events

Syntax Description

process-id

(Optional) Internal identification. It is locally assigned and can be any positive integer. The number used here is the number assigned administratively when enabling the OSPF routing process.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use the optional process-id argument to clear the IPv6 event log content of a specified OSPF routing process. If the process-id argument is not used, all event log content is cleared.

Examples

The following example enables the clearing of OSPF for IPv6 event log content for routing process 1:


Device# clear ipv6 ospf 1 events

clear ipv6 pim reset

To delete all entries from the topology table and reset the Multicast Routing Information Base (MRIB) connection, use the clear ipv6 pim reset command in privileged EXEC mode.

clear ipv6 pim [vrf vrf-name] reset

Syntax Description

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Using the clear ipv6 pim reset command breaks the PIM-MRIB connection, clears the topology table, and then reestablishes the PIM-MRIB connection. This procedure forces MRIB resynchronization.


Caution


Use the clear ipv6 pim reset command with caution, as it clears all PIM protocol information from the PIM topology table. Use of the clear ipv6 pim reset command should be reserved for situations where PIM and MRIB communication are malfunctioning.


Examples

The following example deletes all entries from the topology table and resets the MRIB connection:


Device# clear ipv6 pim reset

clear ipv6 pim topology

To clear the Protocol Independent Multicast (PIM) topology table, use the clear ipv6 pim topology command in privileged EXEC mode.

clear ipv6 pim [vrf vrf-name] topology [group-name | group-address]

Syntax Description

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

group-name | group-address

(Optional) IPv6 address or name of the multicast group.

Command Default

When the command is used with no arguments, all group entries located in the PIM topology table are cleared of PIM protocol information.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

This command clears PIM protocol information from all group entries located in the PIM topology table. Information obtained from the MRIB table is retained. If a multicast group is specified, only those group entries are cleared.

Examples

The following example clears all group entries located in the PIM topology table:


Device# clear ipv6 pim topology

clear ipv6 pim traffic

To clear the Protocol Independent Multicast (PIM) traffic counters, use the clear ipv6 pim traffic command in privileged EXEC mode.

clear ipv6 pim [vrf vrf-name] traffic

Syntax Description

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding (VRF) configuration.

Command Default

When the command is used with no arguments, all traffic counters are cleared.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

This command clears PIM traffic counters. If the vrf vrf-name keyword and argument are used, only those counters are cleared.

Examples

The following example clears all PIM traffic counters:


Device# clear ipv6 pim traffic

clear ipv6 prefix-list

To reset the hit count of the IPv6 prefix list entries, use the clear ipv6 prefix-list command in privileged EXEC mode.

clear ipv6 prefix-list [prefix-list-name] [ipv6-prefix/prefix-length]

Syntax Description

prefix-list-name

(Optional) The name of the prefix list from which the hit count is to be cleared.

ipv6-prefix

(Optional) The IPv6 network from which the hit count is to be cleared.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

/prefix-length

(Optional) The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.

Command Default

The hit count is automatically cleared for all IPv6 prefix lists.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The clear ipv6 prefix-list command is similar to the clear ip prefix-list command, except that it is IPv6-specific.

The hit count is a value indicating the number of matches to a specific prefix list entry.

Examples

The following example clears the hit count from the prefix list entries for the prefix list named first_list that match the network mask 2001:0DB8::/35.


Device# clear ipv6 prefix-list first_list 2001:0DB8::/35

clear ipv6 rip

To delete routes from the IPv6 Routing Information Protocol (RIP) routing table, use the clear ipv6 rip command in privileged EXEC mode.

clear ipv6 rip [name] [vrf vrf-name]

clear ipv6 rip [name]

Syntax Description

name

(Optional) Name of an IPv6 RIP process.

vrf vrf-name

(Optional) Clears information about the specified Virtual Routing and Forwarding (VRF) instance.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

When the name argument is specified, only routes for the specified IPv6 RIP process are deleted from the IPv6 RIP routing table. If no name argument is specified, all IPv6 RIP routes are deleted.

Use the show ipv6 rip command to display IPv6 RIP routes.

Use the clear ipv6 rip name vrf vrf-name command to delete the specified VRF instances for the specified IPv6 RIP process.

Examples

The following example deletes all the IPv6 routes for the RIP process called one:


Device# clear ipv6 rip one

The following example deletes the IPv6 VRF instance called vrf1 for the RIP process called one:


Device# clear ipv6 rip one vrf vrf1

*Mar 15 12:36:17.022: RIPng: Deleting 2001:DB8::/32
*Mar 15 12:36:17.022: [Exec]IPv6RT[vrf1]: rip <name>, Delete all next-hops for 2001:DB8::1
*Mar 15 12:36:17.022: [Exec]IPv6RT[vrf1]: rip <name>, Delete 2001:DB8::1 from table
*Mar 15 12:36:17.022: [IPv6 RIB Event Handler]IPv6RT[<red>]: Event: 2001:DB8::1, Del, owner rip, previous None

clear ipv6 route

To delete routes from the IPv6 routing table, use the clear ipv6 route command in privileged EXEC mode.

clear ipv6 route {ipv6-address | ipv6-prefix/prefix-length | *}

Syntax Description

ipv6-address

The address of the IPv6 network to delete from the table.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

ipv6-prefix

The IPv6 network number to delete from the table.

This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.

/prefix-length

The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.

*

Clears all IPv6 routes.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The clear ipv6 route command is similar to the clear ip route command, except that it is IPv6-specific.

When the ipv6-address or ipv6-prefix/prefix-length argument is specified, only that route is deleted from the IPv6 routing table. When the * keyword is specified, all routes are deleted from the routing table (the per-destination maximum transmission unit [MTU] cache is also cleared).

Examples

The following example deletes the IPv6 network 2001:0DB8::/35:


Device# clear ipv6 route 2001:0DB8::/35

clear ipv6 spd

To clear the most recent Selective Packet Discard (SPD) state transition, use the clear ipv6 spd command in privileged EXEC mode.

clear ipv6 spd

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The clear ipv6 spd command removes the most recent SPD state transition and any trend historical data.

Examples

The following example shows how to clear the most recent SPD state transition:


Device# clear ipv6 spd

debug nhrp

To enable Next Hop Resolution Protocol (NHRP) debugging, use the debug nhrp command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug nhrp [attribute | cache | condition {interface tunnel number | peer {nbma {ipv4-nbma-address | nbma-name | ipv6-nbma-address}} | unmatched | vrf vrf-name} | detail | error | extension | group | packet | rate]

no debug nhrp [attribute | cache | condition {interface tunnel number | peer {nbma {ipv4-nbma-address | nbma-name | ipv6-nbma-address}} | unmatched | vrf vrf-name} | detail | error | extension | group | packet | rate]

Syntax Description

attribute

(Optional) Enables NHRP attribute debugging operations.

cache

(Optional) Enables NHRP cache debugging operations.

condition

(Optional) Enables NHRP conditional debugging operations.

interface tunnel number

(Optional) Enables debugging operations for the tunnel interface.

nbma

(Optional) Enables debugging operations for the non-broadcast multiple access (NBMA) network.

ipv4-nbma-address

(Optional) Enables debugging operations based on the IPv4 address of the NBMA network.

nbma-name

(Optional) NBMA network name.

ipv6-nbma-address

(Optional) Enables debugging operations based on the IPv6 address of the NBMA network.

vrf vrf-name

(Optional) Enables debugging operations for the virtual routing and forwarding instance.

detail

(Optional) Displays detailed logs of NHRP debugs.

error

(Optional) Enables NHRP error debugging operations.

extension

(Optional) Enables NHRP extension processing debugging operations.

group

(Optional) Enables NHRP group debugging operations.

packet

(Optional) Enables NHRP activity debugging.

rate

(Optional) Enables NHRP rate limiting.

routing

(Optional) Enables NHRP routing debugging operations.

Command Default

NHRP debugging is not enabled.

Command Modes

Privileged EXEC (#)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

Use the debug nhrp detail command to view the NHRP attribute logs.

The Virtual-Access number keyword-argument pair is visible only if the virtual access interface is available on the device.

Examples

The following sample output from the debug nhrp command displays NHRP debugging output for IPv4:


Switch# debug nhrp

Aug  9 13:13:41.486: NHRP: Attempting to send packet via DEST 10.1.1.99
Aug  9 13:13:41.486: NHRP: Encapsulation succeeded.  Tunnel IP addr 10.11.11.99
Aug  9 13:13:41.486: NHRP: Send Registration Request via Tunnel0 vrf 0, packet size: 105
Aug  9 13:13:41.486:       src: 10.1.1.11, dst: 10.1.1.99
Aug  9 13:13:41.486: NHRP: 105 bytes out Tunnel0
Aug  9 13:13:41.486: NHRP: Receive Registration Reply via Tunnel0 vrf 0, packet size: 125
Aug  9 13:13:41.486: NHRP: netid_in = 0, to_us = 1

fhrp delay

To specify the delay period for the initialization of First Hop Redundancy Protocol (FHRP) clients, use the fhrp delay command in interface configuration mode. To remove the delay period specified, use the no form of this command.

fhrp delay {[minimum] [reload] seconds}

no fhrp delay {[minimum] [reload] seconds}

Syntax Description

minimum

(Optional) Configures the delay period after an interface becomes available.

reload

(Optional) Configures the delay period after the device reloads.

seconds

Delay period in seconds. The range is from 0 to 3600.

Command Default

None

Command Modes

Interface configuration (config-if)

Examples

This example shows how to specify the delay period for the initialization of FHRP clients:


Device(config-if)# fhrp delay minimum 90

fhrp version vrrp v3

To enable Virtual Router Redundancy Protocol version 3 (VRRPv3) and Virtual Router Redundancy Service (VRRS) configuration on a device, use the fhrp version vrrp v3 command in global configuration mode. To disable the ability to configure VRRPv3 and VRRS on a device, use the no form of this command.

fhrp version vrrp v3

no fhrp version vrrp v3

Syntax Description

This command has no keywords or arguments.

Command Default

VRRPv3 and VRRS configuration on a device is not enabled.

Command Modes

Global configuration (config)

Usage Guidelines

When VRRPv3 is in use, VRRP version 2 (VRRPv2) is unavailable.

Examples

In the following example, a tracking process is configured to track the state of an IPv6 object using a VRRPv3 group. VRRP on GigabitEthernet interface 0/0/0 then registers with the tracking process to be informed of any changes to the IPv6 object on the VRRPv3 group. If the IPv6 object state on serial interface VRRPv3 goes down, then the priority of the VRRP group is reduced by 20:


Device(config)# fhrp version vrrp v3
Device(config)# interface GigabitEthernet 0/0/0
Device(config-if)# vrrp 1 address-family ipv6
Device(config-if-vrrp)# track 1 decrement 20

ip address dhcp

To acquire an IP address on an interface from the DHCP, use the ip address dhcp command in interface configuration mode. To remove any address that was acquired, use the no form of this command.

ip address dhcp [client-id interface-type number] [hostname hostname]

no ip address dhcp [client-id interface-type number] [hostname hostname]

Syntax Description

client-id

(Optional) Specifies the client identifier. By default, the client identifier is an ASCII value. The client-id interface-type number option sets the client identifier to the hexadecimal MAC address of the named interface.

interface-type

(Optional) Interface type. For more information, use the question mark (?) online help function.

number

(Optional) Interface or subinterface number. For more information about the numbering syntax for your networking device, use the question mark (?) online help function.

hostname

(Optional) Specifies the hostname.

hostname

(Optional) Name of the host to be placed in the DHCP option 12 field. This name need not be the same as the hostname entered in global configuration mode.

Command Default

The hostname is the globally configured hostname of the device. The client identifier is an ASCII value.

Command Modes

Interface configuration (config-if)

Usage Guidelines

The ip address dhcp command allows any interface to dynamically learn its IP address by using the DHCP protocol. It is especially useful on Ethernet interfaces that dynamically connect to an Internet service provider (ISP). Once assigned a dynamic address, the interface can be used with the Port Address Translation (PAT) of Cisco IOS Network Address Translation (NAT) to provide Internet access to a privately addressed network attached to the device.

The ip address dhcp command also works with ATM point-to-point interfaces and will accept any encapsulation type. However, for ATM multipoint interfaces you must specify Inverse ARP via the protocol ip inarp interface configuration command and use only the aal5snap encapsulation type.

Some ISPs require that the DHCPDISCOVER message have a specific hostname and client identifier that is the MAC address of the interface. The most typical usage of the ip address dhcp client-id interface-type number hostname hostname command is when interface-type is the Ethernet interface where the command is configured and interface-type number is the hostname provided by the ISP.

A client identifier (DHCP option 61) can be a hexadecimal or an ASCII value. By default, the client identifier is an ASCII value. The client-id interface-type number option overrides the default and forces the use of the hexadecimal MAC address of the named interface.

If a Cisco device is configured to obtain its IP address from a DHCP server, it sends a DHCPDISCOVER message to provide information about itself to the DHCP server on the network.

If you use the ip address dhcp command with or without any of the optional keywords, the DHCP option 12 field (hostname option) is included in the DISCOVER message. By default, the hostname specified in option 12 will be the globally configured hostname of the device. However, you can use the ip address dhcp hostname hostname command to place a different name in the DHCP option 12 field than the globally configured hostname of the device.

The no ip address dhcp command removes any IP address that was acquired, thus sending a DHCPRELEASE message.

You might need to experiment with different configurations to determine the one required by your DHCP server. The table below shows the possible configuration methods and the information placed in the DISCOVER message for each method.

Table 1. Configuration Method and Resulting Contents of the DISCOVER Message

Configuration Method

Contents of DISCOVER Messages

ip address dhcp

The DISCOVER message contains “cisco-mac-address-Eth1” in the client ID field, where mac-address is the MAC address of the Ethernet 1 interface, and contains the default hostname of the device in the option 12 field.

ip address dhcp hostname hostname

The DISCOVER message contains “cisco-mac-address-Eth1” in the client ID field, where mac-address is the MAC address of the Ethernet 1 interface, and contains hostname in the option 12 field.

ip address dhcp client-id ethernet 1

The DISCOVER message contains the MAC address of the Ethernet 1 interface in the client ID field and contains the default hostname of the device in the option 12 field.

ip address dhcp client-id ethernet 1 hostname hostname

The DISCOVER message contains the MAC address of the Ethernet 1 interface in the client ID field and contains hostname in the option 12 field.

Examples

In the examples that follow, the command ip address dhcp is entered for Ethernet interface 1. The DISCOVER message sent by a device configured as shown in the following example would contain “cisco-mac-address-Eth1” in the client-ID field, and the value abc in the option 12 field.


hostname abc
!
interface GigabitEthernet 1/0/1
 ip address dhcp

The DISCOVER message sent by a device configured as shown in the following example would contain “cisco-mac-address-Eth1” in the client-ID field, and the value def in the option 12 field.


hostname abc
!
interface GigabitEthernet 1/0/1
 ip address dhcp hostname def

The DISCOVER message sent by a device configured as shown in the following example would contain the MAC address of Ethernet interface 1 in the client-id field, and the value abc in the option 12 field.


hostname abc
!
interface Ethernet 1
 ip address dhcp client-id GigabitEthernet 1/0/1

The DISCOVER message sent by a device configured as shown in the following example would contain the MAC address of Ethernet interface 1 in the client-id field, and the value def in the option 12 field.


hostname abc
!
interface Ethernet 1
 ip address dhcp client-id GigabitEthernet 1/0/1 hostname def
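
The following added example (not part of the Cisco documentation) parses the option field of a DISCOVER message and reports what options 12 and 61 disclose, which is what Table 1 varies per configuration method. The byte strings and the dotted MAC rendering in the ASCII identifier are constructed, and the type byte 0 for the ASCII form is an assumption based on the RFC 2132 rule for identifiers that are not hardware addresses.

```python
PAD, HOSTNAME, MSG_TYPE, CLIENT_ID, END = 0, 12, 53, 61, 255


def option(code, value):
    """Encode one DHCP option as code, length, value."""
    return bytes([code, len(value)]) + value


# Constructed DISCOVER option fields (not captured traffic).
# Default form: ASCII client identifier, globally configured hostname "abc".
ASCII_FORM = (option(MSG_TYPE, b"\x01")
              + option(CLIENT_ID, b"\x00" + b"cisco-0011.2233.4455-Eth1")
              + option(HOSTNAME, b"abc") + bytes([END]))
# client-id form: hardware type 1 (Ethernet) + 6-byte MAC, hostname "def".
MAC_FORM = (option(MSG_TYPE, b"\x01")
            + option(CLIENT_ID, b"\x01" + bytes.fromhex("001122334455"))
            + option(HOSTNAME, b"def") + bytes([END]))


def parse_options(data):
    """Walk the option field and return {code: value}; reject truncation."""
    options, i = {}, 0
    while i < len(data):
        code = data[i]
        if code == END:
            break
        if code == PAD:          # pad is a single byte with no length
            i += 1
            continue
        if i + 1 >= len(data):
            raise ValueError(f"option {code}: missing length byte")
        length = data[i + 1]
        value = data[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError(f"option {code}: truncated value")
        options[code] = value
        i += 2 + length
    return options


def describe_identity(data):
    """Summarise the identity a DISCOVER carries in options 12 and 61."""
    opts = parse_options(data)
    result = {"hostname": None, "client_id_kind": None, "client_id": None}
    if HOSTNAME in opts:
        result["hostname"] = opts[HOSTNAME].decode("ascii", errors="replace")
    cid = opts.get(CLIENT_ID)
    if cid:
        id_type, ident = cid[0], cid[1:]
        if id_type == 1 and len(ident) == 6:
            result["client_id_kind"] = "mac"
            result["client_id"] = ":".join(f"{b:02x}" for b in ident)
        elif id_type == 0:
            result["client_id_kind"] = "ascii"
            result["client_id"] = ident.decode("ascii", errors="replace")
        else:
            result["client_id_kind"] = "other"
            result["client_id"] = cid.hex()
    return result


if __name__ == "__main__":
    for label, raw in (("default", ASCII_FORM), ("client-id", MAC_FORM)):
        print(label, describe_identity(raw))
```

Either form puts a hostname and an interface MAC address into a broadcast message, so the hostname keyword is the knob that controls which name leaves the device.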

ip address pool (DHCP)

To enable the IP address of an interface to be automatically configured when a Dynamic Host Configuration Protocol (DHCP) pool is populated with a subnet from IP Control Protocol (IPCP) negotiation, use the ip address pool command in interface configuration mode. To disable autoconfiguring of the IP address of the interface, use the no form of this command.

ip address pool name

no ip address pool

Syntax Description

name

Name of the DHCP pool. The IP address of the interface will be automatically configured from the DHCP pool specified in name.

Command Default

IP address pooling is disabled.

Command Modes

Interface configuration

Usage Guidelines

Use this command to automatically configure the IP address of a LAN interface when there are DHCP clients on the attached LAN that should be serviced by the DHCP pool on the device. The DHCP pool obtains its subnet dynamically through IPCP subnet negotiation.

Examples

The following example specifies that the IP address of GigabitEthernet interface 1/0/1 will be automatically configured from the address pool named abc:


ip dhcp pool abc
  import all
  origin ipcp
!
interface GigabitEthernet 1/0/1
  ip address pool abc

ip address

To set a primary or secondary IP address for an interface, use the ip address command in interface configuration mode. To remove an IP address or disable IP processing, use the no form of this command.

ip address ip-address mask [secondary [vrf vrf-name]]

no ip address ip-address mask [secondary [vrf vrf-name]]

Syntax Description

ip-address

IP address.

mask

Mask for the associated IP subnet.

secondary

(Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.

Note

If the secondary address is used for a VRF table configuration with the vrf keyword, the vrf keyword must be specified also.

vrf

(Optional) Name of the VRF table. The vrf-name argument specifies the VRF name of the ingress interface.

Command Default

No IP address is defined for the interface.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

An interface can have one primary IP address and multiple secondary IP addresses. Packets generated by the Cisco IOS software always use the primary IP address. Therefore, all devices and access servers on a segment should share the same primary network number.

Hosts can determine subnet masks using the Internet Control Message Protocol (ICMP) mask request message. Devices respond to this request with an ICMP mask reply message.

You can disable IP processing on a particular interface by removing its IP address with the no ip address command. If the software detects another host using one of its IP addresses, it will print an error message on the console.

The optional secondary keyword allows you to specify an unlimited number of secondary addresses. Secondary addresses are treated like primary addresses, except the system never generates datagrams other than routing updates with secondary source addresses. IP broadcasts and Address Resolution Protocol (ARP) requests are handled properly, as are interface routes in the IP routing table.

Secondary IP addresses can be used in a variety of situations. The following are the most common applications:

  • There may not be enough host addresses for a particular network segment. For example, your subnetting allows up to 254 hosts per logical subnet, but on one physical subnet you need 300 host addresses. Using secondary IP addresses on the devices or access servers allows you to have two logical subnets using one physical subnet.

  • Many older networks were built using Level 2 bridges. The judicious use of secondary addresses can aid in the transition to a subnetted, device-based network. Devices on an older, bridged segment can be easily made aware that many subnets are on that segment.

  • Two subnets of a single network might otherwise be separated by another network. This situation is not permitted when subnets are in use. In these instances, the first network is extended, or layered on top of the second network using secondary addresses.


Note


  • If any device on a network segment uses a secondary address, all other devices on that same segment must also use a secondary address from the same network or subnet. Inconsistent use of secondary addresses on a network segment can very quickly cause routing loops.

  • When you are routing using the Open Shortest Path First (OSPF) algorithm, ensure that all secondary addresses of an interface fall into the same OSPF area as the primary addresses.

  • If you configure a secondary IP address, you must disable sending ICMP redirect messages by entering the no ip redirects command, to avoid high CPU utilization.


To transparently bridge IP on an interface, you must perform the following two tasks:

  • Disable IP routing (specify the no ip routing command).

  • Add the interface to a bridge group, see the bridge-group command.

To concurrently route and transparently bridge IP on an interface, see the bridge crb command.

Examples

In the following example, 192.108.1.27 is the primary address and 192.31.7.17 is the secondary address for GigabitEthernet interface 1/0/1:

Device> enable
Device# configure terminal
Device(config)# interface GigabitEthernet 1/0/1
Device(config-if)# ip address 192.108.1.27 255.255.255.0
Device(config-if)# ip address 192.31.7.17 255.255.255.0 secondary

ip nat inside source

To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source command in global configuration mode. To remove the static translation, or the dynamic association to a pool, use the no form of this command.

Dynamic NAT

ip nat inside source { list { access-list-number | access-list-name } | route-map name } { interface type number | pool name } [no-payload] [overload] [c] [ vrf name ]

no ip nat inside source { list { access-list-number | access-list-name } | route-map name } { interface type number | pool name } [no-payload] [overload] [ vrf name ]

Static NAT

ip nat inside source static { interface type number | local-ip global-ip} [extendable] [no-alias] [no-payload] [ route-map name ] [reversible] [ vrf name [forced] ]

no ip nat inside source static { interface type number | local-ip global-ip} [extendable] [no-alias] [no-payload] [ route-map name ] [ vrf name [forced] ]

Port Static NAT

ip nat inside source static {tcp | udp} {local-ip local-port global-ip global-port [extendable] [forced] [no-alias] [no-payload] [ route-map name ] [ vrf name ] | interface global-port}

no ip nat inside source static {tcp | udp} {local-ip local-port global-ip global-port [extendable] [forced] [no-alias] [no-payload] [ route-map name ] [ vrf name ] | interface global-port}

Network Static NAT

ip nat inside source static network local-network global-network mask [extendable] [forced] [no-alias] [no-payload] [ vrf name ]

no ip nat inside source static network local-network global-network mask [extendable] [forced] [no-alias] [no-payload] [ vrf name ]

Syntax Description

list access-list-number

Specifies the number of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

list access-list-name

Specifies the name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.

route-map name

Specifies the named route map.

interface

Specifies an interface for the global address.

type

Interface type. For more information, use the question mark (?) online help function.

number

Interface or subinterface number. For more information about the numbering syntax for your networking device, use the question mark (?) online help function.

pool name

Specifies the name of the pool from which global IP addresses are allocated dynamically.

no-payload

(Optional) Prohibits the translation of an embedded address or port in the payload.

overload

(Optional) Enables the device to use one global address for many local addresses. When overloading is configured, the TCP or UDP port number of each inside host distinguishes between the multiple conversations using the same local IP address.

vrf name

(Optional) Associates the NAT translation rule with a particular VPN routing and forwarding (VRF) instance.

static

Sets up a single static translation.

local-ip

Local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete.

global-ip

Globally unique IP address of an inside host as it appears to the outside network.

extendable

(Optional) Extends the translation.

forced

(Optional) Forcefully deletes an entry and its children from the configuration.

no-alias

(Optional) Prohibits an alias from being created for the global address.

tcp

Establishes the TCP protocol.

udp

Establishes the UDP protocol.

local-port

Local TCP or UDP port. The range is from 1 to 65535.

global-port

Global TCP or UDP port. The range is from 1 to 65535.

network local-network

Specifies the local subnet translation.

global-network

Global subnet translation.

mask

IP network mask to be used with subnet translations.

Command Default

No NAT translation of inside source addresses occurs.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Amsterdam 17.1.1

This command was introduced.

Cisco IOS XE Dublin 17.10.1

The route-map keyword was introduced.

Usage Guidelines

The optional keywords of the ip nat inside source command can be entered in any order.

This command has two forms: the dynamic and the static address translation. The form with an access list establishes the dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool named with the ip nat pool command.

Packets that enter the device through the inside interface and packets sourced from the device are checked against the access list for possible NAT candidates. The access list is used to specify which traffic is to be translated.

Alternatively, the syntax form with the keyword static establishes a single static translation.


Note


When a session is initiated from outside with the source IP as the outside global address, the device is unable to determine the destination VRF of the packet.



Note


When you configure NAT with a VRF-enabled interface address that acts as the global address, you must configure the ip nat inside source static no-alias command. If the no-alias keyword is not configured, Telnet to the VRF-enabled interface address fails.


Examples

The following example shows how to translate between inside hosts addressed from either the 192.0.2.0 or the 198.51.100.0 network to the globally unique 203.0.113.209/28 network:


ip nat pool net-209 203.0.113.209 203.0.113.222 prefix-length 28
ip nat inside source list 1 pool net-209
!
interface ethernet 0
 ip address 203.0.113.113 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.0.2.1 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.0.2.0 0.0.0.255
access-list 1 permit 198.51.100.0 0.0.0.255

The following example shows how to translate the traffic that is local to the provider’s edge device running NAT (NAT-PE):


ip nat inside source list 1 interface ethernet 0 vrf vrf1 overload
ip nat inside source list 1 interface ethernet 0 vrf vrf2 overload
!
ip route vrf vrf1 10.0.0.1 10.0.0.1 192.0.2.1
ip route vrf vrf2 10.0.0.1 10.0.0.1 192.0.2.1
!
access-list 1 permit 10.1.1.1 0.0.0.255
!
ip nat inside source list 1 interface ethernet 1 vrf vrf1 overload
ip nat inside source list 1 interface ethernet 1 vrf vrf2 overload
!
ip route vrf vrf1 10.0.0.1 10.0.0.1 198.51.100.1 global
ip route vrf vrf2 10.0.0.1 10.0.0.1 198.51.100.1 global
access-list 1 permit 10.1.1.0 0.0.0.255

The following example shows how to translate sessions from outside to inside networks:


ip nat pool POOL-A 10.1.10.1 10.1.10.126 netmask 255.255.255.128
ip nat pool POOL-B 10.1.20.1 10.1.20.126 netmask 255.255.255.128
ip nat inside source route-map MAP-A pool POOL-A reversible
ip nat inside source route-map MAP-B pool POOL-B reversible
!
ip access-list extended ACL-A
 permit ip any 10.1.10.128 0.0.0.127
ip access-list extended ACL-B
 permit ip any 10.1.20.128 0.0.0.127
!
route-map MAP-A permit 10
 match ip address ACL-A
!
route-map MAP-B permit 10
 match ip address ACL-B
!

The following example shows how to configure the route map R1 to allow outside-to-inside translation for static NAT:


ip nat inside source static 10.1.1.1 10.2.2.2 route-map R1 reversible
!
ip access-list extended ACL-A
 permit ip any 10.1.10.128 0.0.0.127
route-map R1 permit 10
 match ip address ACL-A

The following example shows how to configure NAT inside and outside traffic in the same VRF:


interface Loopback1
 ip vrf forwarding forwarding1
 ip address 192.0.2.11 255.255.255.0
 ip nat inside
 ip virtual-reassembly
!
interface Ethernet0/0
 ip vrf forwarding forwarding2
 ip address 192.0.2.22 255.255.255.0
 ip nat outside
 ip virtual-reassembly
ip nat pool MYPOOL 192.0.2.5 192.0.2.5 prefix-length 24
ip nat inside source list acl-nat pool MYPOOL vrf vrf1 overload
!
!
ip access-list extended acl-nat
 permit ip 192.0.2.0 0.0.0.255 any

ip nat outside source

To enable Network Address Translation (NAT) of the outside source address, use the ip nat outside source command in global configuration mode. To remove the static entry or the dynamic association, use the no form of this command.

Dynamic NAT

ip nat outside source { list { access-list-number | access-list-name } } pool pool-name [ vrf name ] [add-route]

no ip nat outside source { list { access-list-number | access-list-name } } pool pool-name [ vrf name ] [add-route]

Static NAT

ip nat outside source static global-ip local-ip [ vrf name ] [add-route] [extendable] [no-alias]

no ip nat outside source static global-ip local-ip [ vrf name ] [add-route] [extendable] [no-alias]

Port Static NAT

ip nat outside source static { tcp | udp } global-ip global-port local-ip local-port [ vrf name ] [add-route] [extendable] [no-alias]

no ip nat outside source static { tcp | udp } global-ip global-port local-ip local-port [ vrf name ] [add-route] [extendable] [no-alias]

Network Static NAT

ip nat outside source static network global-network local-network mask [ vrf name ] [add-route] [extendable] [no-alias]

no ip nat outside source static network global-network local-network mask [ vrf name ] [add-route] [extendable] [no-alias]

Syntax Description

list access-list-number

Specifies the number of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool.

list access-list-name

Specifies the name of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool.

pool pool-name

Specifies the name of the pool from which global IP addresses are allocated.

add-route

(Optional) Adds a static route for the outside local address.

vrf name

(Optional) Associates the NAT rule with a particular VPN routing and forwarding (VRF) instance.

static

Sets up a single static translation.

global-ip

Globally unique IP address assigned to a host on the outside network by its owner. The address was allocated from the globally routable network space.

local-ip

Local IP address of an outside host as it appears to the inside network. The address was allocated from the address space routable on the inside (RFC 1918, Address Allocation for Private Internets).

extendable

(Optional) Extends the translation.

no-alias

(Optional) Prohibits an alias from being created for the local address.

tcp

Establishes the TCP protocol.

udp

Establishes the UDP protocol.

global-port

Port number assigned to a host on the outside network by its owner.

local-port

Port number of an outside host as it appears to the inside network.

static network

Sets up a single static network translation.

global-network

Globally unique network address assigned to a host on the outside network by its owner. The address is allocated from a globally routable network space.

local-network

Local network address of an outside host as it appears to the inside network. The address is allocated from an address space that is routable on the inside network.

mask

Subnet mask for the networks that are translated.

Command Default

No translation of source addresses coming from the outside to the inside network occurs.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Amsterdam 17.1.1

This command was introduced.

Usage Guidelines

The optional keywords of the ip nat outside source command except for the vrf name keyword can be entered in any order.

You can use NAT to translate inside addresses that overlap with outside addresses. Use this command if your IP addresses in the stub network happen to be legitimate IP addresses belonging to another network, and you need to communicate with those hosts or devices.

This command has two general forms: dynamic and static address translation. The form with an access list establishes dynamic translation. Packets from addresses that match the standard access list are translated using global addresses allocated from the pool that is named by using the ip nat pool command.

Alternatively, the syntax form with the static keyword establishes a single static translation.

When you configure the ip nat outside source static command to add static routes for static outside local addresses, there is a delay in the translation of packets and packets are dropped. To avoid dropped packets, configure either the ip nat outside source static add-route command or the ip route command.

Examples

The following example shows how to translate between inside hosts addressed from the 10.114.11.0 network to the globally unique 10.69.233.208/28 network. Further, packets from outside hosts addressed from the 10.114.11.0 network (the true 10.114.11.0 network) are translated to appear to be from the 10.0.1.0/24 network.


ip nat pool net-208 10.69.233.208 10.69.233.223 prefix-length 28
ip nat pool net-10 10.0.1.0 10.0.1.255 prefix-length 24
ip nat inside source list 1 pool net-208
ip nat outside source list 1 pool net-10
!
interface ethernet 0
 ip address 10.69.232.182 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 10.114.11.39 255.255.255.0
 ip nat inside
!
access-list 1 permit 10.114.11.0 0.0.0.255

ip nat pool

To define a pool of IP addresses for Network Address Translation (NAT) translations, use the ip nat pool command in global configuration mode. To remove one or more addresses from the pool, use the no form of this command.

ip nat pool name start-ip end-ip { netmask netmask | prefix-length prefix-length } [add-route] [ type ]

no ip nat pool name start-ip end-ip { netmask netmask | prefix-length prefix-length } [add-route] [ type ]

Syntax Description

name

Name of the pool.

start-ip

Starting IP address that defines the range of addresses in the address pool.

end-ip

Ending IP address that defines the range of addresses in the address pool.

netmask netmask

Specifies the network mask that indicates the address bits that belong to the network and subnetwork fields and the ones that belong to the host field.

  • Specify the network mask of the network to which the pool addresses belong.

prefix-length prefix-length

Specifies the number that indicates how many bits of the address are dedicated to the network.

add-route

(Optional) Specifies that a route is added to the NAT Virtual Interface (NVI) for the global address.

type

(Optional) Indicates the type of pool.

Command Default

No pool of addresses is defined.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Amsterdam 17.1.1

This command was introduced.

Usage Guidelines

This command defines a pool of addresses by specifying the start address, the end address, and either network mask or prefix length.

When you enable the no-alias keyword, IP aliases are not created for IP addresses mentioned in the NAT pool.

Using the nopreservation keyword with the prefix-length or the netmask keyword disables the default behavior, which is known as IP address reservation. The no form of the command with the nopreservation keyword enables the default behavior and reserves the first IP address in the NAT pool, making the IP address unavailable for dynamic translation.

Examples

The following example shows how to translate between inside hosts addressed from either the 192.0.2.1 or 192.0.2.2 network to the globally unique 10.69.233.208/28 network:


ip nat pool net-208 10.69.233.208 10.69.233.223 prefix-length 28
ip nat inside source list 1 pool net-208
!
interface ethernet 0
 ip address 10.0.0.1 255.255.255.240
 ip nat outside
!
interface ethernet 1
 ip address 192.0.2.4 255.255.255.0
 ip nat inside
!
access-list 1 permit 192.0.2.1 0.0.0.255
access-list 1 permit 192.0.2.2 0.0.0.255

The following example shows how to add a route to the NVI interface for the global address:


ip nat pool NAT 192.0.2.0 192.0.2.3 netmask 255.255.255.0 add-route
ip nat source list 1 pool NAT vrf group1 overload

ip nat translation (timeout)

To change the Network Address Translation (NAT) timeout, use the ip nat translation command in global configuration mode. To disable the timeout, use the no form of this command.

ip nat translation { finrst-timeout | icmp-timeout | port-timeout { tcp | udp } port-number | syn-timeout | tcp-timeout | timeout | udp-timeout } {seconds | never}

no ip nat translation { finrst-timeout | icmp-timeout | port-timeout { tcp | udp } port-number | syn-timeout | tcp-timeout | timeout | udp-timeout }

Syntax Description

finrst-timeout

Specifies that the timeout value applies to Finish and Reset TCP packets, which terminate a connection. The default is 60 seconds.

icmp-timeout

Specifies the timeout value for Internet Control Message Protocol (ICMP) flows. The default is 60 seconds.

port-timeout

Specifies that the timeout value applies to the TCP/UDP port.

tcp

Specifies TCP.

udp

Specifies UDP.

port-number

Port number for TCP or UDP. The range is from 1 to 65535.

syn-timeout

Specifies that the timeout value applies to TCP flows immediately after a synchronous transmission (SYN) message that consists of digital signals that are sent with precise clocking. The default is 60 seconds.

tcp-timeout

Specifies that the timeout value applies to the TCP port. Default is 86,400 seconds (24 hours).

timeout

Specifies that the timeout value applies to dynamic translations, except for overload translations. The default is 86,400 seconds (24 hours).

udp-timeout

Specifies that the timeout value applies to the UDP port. The default is 300 seconds (5 minutes).

seconds

Number of seconds after which the specified port translation times out.

never

Specifies that port translation will not time out.

Command Default

NAT translation timeouts are enabled by default.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Amsterdam 17.1.1

This command was introduced.

Usage Guidelines

When port translation is configured, each entry contains more information about the traffic that is using the translation, which gives you finer control over translation entry timeouts. Non-DNS UDP translations time out after 5 minutes, and DNS times out in 1 minute. TCP translations time out in 24 hours, unless a TCP Reset (RST) or a Finish (FIN) bit is seen on the stream, in which case they will time out in 1 minute.

Examples

The following example shows how to configure the router to cause UDP port translation entries to time out after 10 minutes (600 seconds):


Router# configure terminal
Router(config)# ip nat translation udp-timeout 600
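
The defaults and the never keyword described above can be checked mechanically. The following Python code is an added example, not part of the Cisco documentation: it parses ip nat translation lines from a configuration text, compares each value with the default listed in the syntax description, and flags never. The sample configuration is constructed, and comparing a port-timeout value with the protocol-wide default is an assumption of this example.

```python
import re

# Default timeouts in seconds, as listed in the syntax description above.
DEFAULTS = {
    "finrst-timeout": 60,
    "icmp-timeout": 60,
    "syn-timeout": 60,
    "tcp-timeout": 86400,
    "timeout": 86400,
    "udp-timeout": 300,
}

LINE_RE = re.compile(
    r"^ip nat translation\s+"
    r"(?:(?P<kw>finrst-timeout|icmp-timeout|syn-timeout|tcp-timeout|udp-timeout|timeout)"
    r"|port-timeout\s+(?P<proto>tcp|udp)\s+(?P<port>\d+))"
    r"\s+(?P<val>\d+|never)\s*$"
)

SEVERITY_ORDER = {"error": 0, "high": 1, "info": 2}

# Constructed sample input, not taken from a real device.
SAMPLE_CONFIG = """\
ip nat translation udp-timeout 600
ip nat translation tcp-timeout never
ip nat translation port-timeout tcp 8080 120
ip nat translation syn-timeout 60
"""


def parse_nat_timeouts(config_text):
    """Return {key: seconds or 'never'} for each 'ip nat translation' line.

    The key is the keyword ('udp-timeout') or 'port-timeout <proto> <port>'.
    """
    configured = {}
    for raw in config_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue
        key = m.group("kw") or "port-timeout {} {}".format(
            m.group("proto"), m.group("port"))
        val = m.group("val")
        configured[key] = val if val == "never" else int(val)
    return configured


def audit_nat_timeouts(config_text):
    """Return (severity, key, message) tuples, most severe first."""
    findings = []
    for key, val in parse_nat_timeouts(config_text).items():
        if key.startswith("port-timeout"):
            _, proto, port = key.split()
            if not 1 <= int(port) <= 65535:
                findings.append(("error", key, "port number outside 1-65535"))
                continue
            # Assumption of this example: compare with the protocol-wide default.
            baseline = DEFAULTS[proto + "-timeout"]
        else:
            baseline = DEFAULTS[key]
        if val == "never":
            findings.append(
                ("high", key, "entries of this class are never aged out"))
        elif val != baseline:
            direction = "longer" if val > baseline else "shorter"
            findings.append(("info", key, "{}s is {} than the default {}s".format(
                val, direction, baseline)))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f[0]], f[1]))


if __name__ == "__main__":
    for severity, key, message in audit_nat_timeouts(SAMPLE_CONFIG):
        print("{:5} {:28} {}".format(severity, key, message))
```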

ip nhrp map

To statically configure the IP-to-nonbroadcast multiaccess (NBMA) address mapping of IP destinations connected to an NBMA network, use the ip nhrp map interface configuration command. To remove the static entry from Next Hop Resolution Protocol (NHRP) cache, use the no form of this command.

ip nhrp map {ip-address [nbma-ip-address] [dest-mask] [nbma-ipv6-address] | multicast {nbma-ip-address | nbma-ipv6-address | dynamic}}

no ip nhrp map {ip-address [nbma-ip-address] [dest-mask] [nbma-ipv6-address] | multicast {nbma-ip-address | nbma-ipv6-address | dynamic}}

Syntax Description

ip-address

IP address of the destinations reachable through the nonbroadcast multiaccess (NBMA) network. This address is mapped to the NBMA address.

nbma-ip-address

NBMA IP address.

dest-mask

Destination network address for which a mask is required.

nbma-ipv6-address

NBMA IPv6 address.

dynamic

Dynamically learns destinations from client registrations on hub.

multicast

NBMA address that is directly reachable through the NBMA network. The address format varies depending on the medium you are using. For example, ATM has a Network Service Access Point (NSAP) address, Ethernet has a MAC address, and Switched Multimegabit Data Service (SMDS) has an E.164 address. This address is mapped to the IP address.

Command Default

No static IP-to-NBMA cache entries exist.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

This command was introduced.

Usage Guidelines

You will probably need to configure at least one static mapping in order to reach the next-hop server. Repeat this command to statically configure multiple IP-to-NBMA address mappings.

Examples

In the following example, this station in a multipoint tunnel network is statically configured to be served by two next-hop servers 10.0.0.1 and 10.0.1.3. The NBMA address for 10.0.0.1 is statically configured to be 192.0.0.1 and the NBMA address for 10.0.1.3 is 192.2.7.8.


Device(config)# interface tunnel 0
Device(config-if)# ip nhrp nhs 10.0.0.1
Device(config-if)# ip nhrp nhs 10.0.1.3
Device(config-if)# ip nhrp map 10.0.0.1 192.0.0.1
Device(config-if)# ip nhrp map 10.0.1.3 192.2.7.8

Examples

In the following example, if a packet is sent to 10.255.255.255, it is replicated to destinations 10.0.0.1 and 10.0.0.2. Addresses 10.0.0.1 and 10.0.0.2 are the IP addresses of two other routers that are part of the tunnel network, but those addresses are their addresses in the underlying network, not the tunnel network. They would have tunnel addresses that are in network 10.0.0.0.


Device(config)# interface tunnel 0
Device(config-if)# ip address 10.0.0.3 255.0.0.0
Device(config-if)# ip nhrp map multicast 10.0.0.1
Device(config-if)# ip nhrp map multicast 10.0.0.2

ip nhrp map multicast

To configure nonbroadcast multiaccess (NBMA) addresses used as destinations for broadcast or multicast packets to be sent over a tunnel network, use the ip nhrp map multicast command in interface configuration mode. To remove the destinations, use the no form of this command.

ip nhrp map multicast {ip-nbma-address | ipv6-nbma-address | dynamic}

no ip nhrp map multicast {ip-nbma-address | ipv6-nbma-address | dynamic}

Syntax Description

ip-nbma-address

NBMA address that is directly reachable through the NBMA network. The address format varies depending on the medium that you are using.

ipv6-nbma-address

IPv6 NBMA address.

dynamic

Dynamically learns destinations from client registrations on the hub.

Command Default

No NBMA addresses are configured as destinations for broadcast or multicast packets.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

This command applies only to tunnel interfaces. This command is useful for supporting broadcasts over a tunnel network when the underlying network does not support IP multicast. If the underlying network does support IP multicast, you should use the tunnel destination command to configure a multicast destination for transmission of tunnel broadcasts or multicasts.

When multiple NBMA addresses are configured, the system replicates the broadcast packet for each address.

Examples

In the following example, if a packet is sent to 10.255.255.255, it is replicated to destinations 10.0.0.1 and 10.0.0.2:


Switch(config)# interface tunnel 0
Switch(config-if)# ip address 10.0.0.3 255.0.0.0
Switch(config-if)# ip nhrp map multicast 10.0.0.1
Switch(config-if)# ip nhrp map multicast 10.0.0.2
 
		

ip nhrp network-id

To enable the Next Hop Resolution Protocol (NHRP) on an interface, use the ip nhrp network-id command in interface configuration mode. To disable NHRP on the interface, use the no form of this command.

ip nhrp network-id number

no ip nhrp network-id [number]

Syntax Description

number

Globally unique, 32-bit network identifier from a nonbroadcast multiaccess (NBMA) network. The range is from 1 to 4294967295.

Command Default

NHRP is disabled on the interface.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

This command was introduced.

Usage Guidelines

In general, all NHRP stations within one logical NBMA network must be configured with the same network identifier.

Examples

The following example enables NHRP on the interface:


Device(config-if)# ip nhrp network-id 1

ip nhrp nhs

To specify the address of one or more Next Hop Resolution Protocol (NHRP) servers, use the ip nhrp nhs command in interface configuration mode. To remove the address, use the no form of this command.

ip nhrp nhs {nhs-address [nbma {nbma-address | FQDN-string}] [multicast] [priority value] [cluster value] | cluster value max-connections value | dynamic nbma {nbma-address | FQDN-string} [multicast] [priority value] [cluster value]}

no ip nhrp nhs {nhs-address [nbma {nbma-address | FQDN-string}] [multicast] [priority value] [cluster value] | cluster value max-connections value | dynamic nbma {nbma-address | FQDN-string} [multicast] [priority value] [cluster value]}

Syntax Description

nhs-address

Address of the next-hop server being specified.

net-address

(Optional) IP address of a network served by the next-hop server.

netmask

(Optional) IP network mask to be associated with the IP address. The IP address is logically ANDed with the mask.

nbma

(Optional) Specifies the nonbroadcast multiple access (NBMA) address or FQDN.

nbma-address

NBMA address.

FQDN-string

Next hop server (NHS) fully qualified domain name (FQDN) string.

multicast

(Optional) Specifies to use NBMA mapping for broadcasts and multicasts.

priority value

(Optional) Assigns a priority to hubs to control the order in which spokes select hubs to establish tunnels. The range is from 0 to 255; 0 is the highest and 255 is the lowest priority.

cluster value

(Optional) Specifies NHS groups. The range is from 0 to 10; 0 is the highest and 10 is the lowest. The default value is 0.

max-connections value

Specifies the number of NHS elements from each NHS group that needs to be active. The range is from 0 to 255.

dynamic

Configures the spoke to learn the NHS protocol address dynamically.

Command Default

No next-hop servers are explicitly configured, so normal network layer routing decisions are used to forward NHRP traffic.

Command Modes

Interface configuration (config-if)

Command History

Release

Modification

This command was introduced.

Usage Guidelines

Use the ip nhrp nhs command to specify the address of a next hop server and the networks it serves. Normally, NHRP consults the network layer forwarding table to determine how to forward NHRP packets. When next hop servers are configured, these next hop addresses override the forwarding path that would otherwise be used for NHRP traffic.

When the ip nhrp nhs dynamic command is configured on a DMVPN tunnel and the shut command is issued to the tunnel interface, the crypto socket does not receive a shut message, thereby not bringing up a DMVPN session with the hub.

For any next hop server that is configured, you can specify multiple networks by repeating this command with the same nhs-address argument, but with different IP network addresses.

Examples

The following example shows how to register a hub to a spoke using NBMA and FQDN:


Device# configure terminal
Device(config)# interface tunnel 1
Device(config-if)# ip nhrp nhs 192.0.2.1 nbma examplehub.example1.com

The following example shows how to configure the desired max-connections value:


Device# configure terminal
Device(config)# interface tunnel 1
Device(config-if)# ip nhrp nhs cluster 5 max-connections 100

The following example shows how to configure NHS priority and group values:


Device# configure terminal
Device(config)# interface tunnel 1
Device(config-if)# ip nhrp nhs 192.0.2.1 priority 1 cluster 2

ip unnumbered

To enable IP processing on an interface without assigning an explicit IP address to the interface, use the ip unnumbered command in interface configuration mode or subinterface configuration mode. To disable the IP processing on the interface, use the no form of this command.

ip unnumbered type number [ poll ] [ point-to-point ]

no ip unnumbered [ type number ]

Syntax Description

type

Type of interface. For more information, use the question mark (?) online help function.

number

Interface or subinterface number. For more information about the numbering syntax for your networking device, use the question mark (?) online help function.

poll

(Optional) Enables IP connected host polling.

point-to-point

(Optional) Enables point-to-point connection.

Command Default

Unnumbered interfaces are not supported.

Command Modes

Interface configuration (config-if)

Subinterface configuration (config-subif)

Command History

Release

Modification

Cisco IOS XE Fuji 16.8.1a

This command was introduced.

Usage Guidelines

When an unnumbered interface generates a packet (for example, for a routing update), it uses the address of the specified interface as the source address of the IP packet. It also uses the address of the specified interface in determining which routing processes are sending updates over the unnumbered interface.

The following restrictions are applicable for this command:

  • Serial interfaces using High-Level Data Link Control (HDLC), PPP, Link Access Procedure Balanced (LAPB), Frame Relay encapsulations, and Serial Line Internet Protocol (SLIP), and tunnel interfaces can be unnumbered.

  • You cannot use the ping EXEC command to determine whether the interface is up because the interface has no address. Simple Network Management Protocol (SNMP) can be used to remotely monitor interface status.

  • It is not possible to netboot a Cisco IOS image over a serial interface that is assigned an IP address with the ip unnumbered command.

  • You cannot support IP security options on an unnumbered interface.

The interface that you specify using the type and number arguments must be enabled (listed as “up” in the show interfaces command display).

If you are configuring Intermediate System-to-Intermediate System (IS-IS) across a serial line, you must configure the serial interfaces as unnumbered. This configuration allows you to comply with RFC 1195, which states that IP addresses are not required on each interface.


Note


Using an unnumbered serial line between different major networks (or majornets) requires special care. If at each end of the link there are different majornets assigned to the interfaces that you specified as unnumbered, any routing protocol that is running across the serial line must not advertise subnet information.


Examples

The following example shows how to assign the address of Ethernet 0 to the first serial interface:

Device(config)# interface ethernet 0
Device(config-if)# ip address 10.108.6.6 255.255.255.0
!
Device(config-if)# interface serial 0
Device(config-if)# ip unnumbered ethernet 0

The following example shows how to configure Ethernet VLAN subinterface 3/0.2 as an IP unnumbered subinterface:

Device(config)# interface ethernet 3/0.2
Device(config-subif)# encapsulation dot1q 200
Device(config-subif)# ip unnumbered ethernet 3/1

The following example shows how to configure Fast Ethernet subinterfaces in the range from 5/1.1 to 5/1.4 as IP unnumbered subinterfaces:

Device(config)# interface range fastethernet5/1.1 - fastethernet5/1.4
Device(config-if-range)# ip unnumbered ethernet 3/1

The following example shows how to enable polling on a Gigabit Ethernet interface:

Device(config)# interface loopback0
Device(config-if)# ip address 10.108.6.6 255.255.255.0
!
Device(config-if)# interface gigabitethernet 3/1
Device(config-if)# ip unnumbered loopback0 poll

ip wccp

To enable support of the specified Web Cache Communication Protocol (WCCP) service for participation in a service group, use the ip wccp command in global configuration mode. To disable the service group, use the no form of this command.

ip wccp [ vrf vrf-name ] { web-cache | service-number } [ service-list service-access-list ] [ mode { open | closed } ] [ group-address multicast-address ] [ redirect-list access-list ] [ group-list access-list ] [ password [ 0 | 7 ] password ]

no ip wccp [ vrf vrf-name ] { web-cache | service-number } [ service-list service-access-list ] [ mode { open | closed } ] [ group-address multicast-address ] [ redirect-list access-list ] [ group-list access-list ] [ password [ 0 | 7 ] password ]

Syntax Description

vrf vrf-name

(Optional) Specifies a virtual routing and forwarding instance (VRF) to associate with a service group.

web-cache

Specifies the web-cache service (WCCP Version 1 and Version 2).

Note

 

Web-cache counts as one of the services. The maximum number of services, including those assigned with the service-number argument, is 256.

service-number

Dynamic service identifier, which means the service definition is dictated by the cache. The dynamic service number can be from 0 to 254. The maximum number of services is 256, which includes the web-cache service specified with the web-cache keyword.

Note

 

If Cisco cache engines are used in the cache cluster, the reverse proxy service is indicated by a value of 99.

service-list service-access-list

(Optional) Identifies a named extended IP access list that defines the packets that will match the service.

mode open

(Optional) Identifies the service as open. This is the default service mode.

mode closed

(Optional) Identifies the service as closed.

group-address multicast-address

(Optional) Specifies the multicast IP address that communicates with the WCCP service group. The multicast address is used by the device to determine which web cache should receive redirected messages.

redirect-list access-list

(Optional) Specifies the access list that controls traffic redirected to this service group. The access-list argument should consist of a string of no more than 64 characters (name or number) in length that specifies the access list.

group-list access-list

(Optional) Specifies the access list that determines which web caches are allowed to participate in the service group. The access-list argument specifies either the number or the name of a standard or extended access list.

password [0 | 7] password

(Optional) Specifies the message digest algorithm 5 (MD5) authentication for messages received from the service group. Messages that are not accepted by the authentication are discarded. The encryption type can be 0 or 7, with 0 specifying not yet encrypted and 7 for proprietary. The password argument can be up to eight characters in length.

Command Default

WCCP services are not enabled on the device.

Command Modes

Global configuration (config)

Command History

Release

Modification

This command was introduced.

Cisco IOS XE Bengaluru 17.6.1

The vrf keyword and vrf-name argument pair were added.

Usage Guidelines

WCCP transparent caching bypasses Network Address Translation (NAT) when Cisco Express Forwarding switching is enabled. To work around this situation, configure WCCP transparent caching in the outgoing direction, enable Cisco Express Forwarding switching on the content engine interface, and specify the ip wccp web-cache redirect out command. Configure WCCP in the incoming direction on the inside interface by specifying the ip wccp redirect exclude in command on the device interface facing the cache. This configuration prevents the redirection of any packets arriving on that interface.

You can also include a redirect list when configuring a service group. The specified redirect list will deny packets with a NAT (source) IP address and prevent redirection.

This command instructs a device to enable or disable support for the specified service number or the web-cache service name. A service number can be from 0 to 254. Once the service number or name is enabled, the device can participate in the establishment of a service group.


Note


All WCCP parameters must be included in a single IP WCCP command. For example: ip wccp 61 redirect-list 10 password password.


The vrf vrf-name keyword and argument pair is optional. It allows you to specify a VRF to associate with a service group. You can then specify a web-cache service name or service number.

The same service (web-cache or service number) can be configured in different VRF tables. Each service will operate independently.

When the no ip wccp command is entered, the device terminates participation in the service group, deallocates space if none of the interfaces still has the service configured, and terminates the WCCP task if no other services are configured.

The keywords following the web-cache keyword and the service-number argument are optional and may be specified in any order, but each may be specified only once. The following sections outline the specific usage of each of the optional forms of this command.

ip wccp [vrf vrf-name] {web-cache | service-number} group-address multicast-address

A WCCP group address can be configured to set up a multicast address that cooperating devices and web caches can use to exchange WCCP protocol messages. If such an address is used, IP multicast routing must be enabled so that the messages that use the configured group (multicast) addresses are received correctly.

This option instructs the device to use the specified multicast IP address to coalesce the "I See You" responses for the "Here I Am" messages that it has received on this group address. The response is also sent to the group address. The default is for no group address to be configured, in which case all "Here I Am" messages are responded to with a unicast reply.

ip wccp [vrf vrf-name] {web-cache | service-number} redirect-list access-list

This option instructs the device to use an access list to control the traffic that is redirected to the web caches of the service group specified by the service name given. The access-list argument specifies either the number or the name of a standard or extended access list. The access list itself specifies which traffic is permitted to be redirected. The default is for no redirect list to be configured (all traffic is redirected).

WCCP requires that the following protocol and ports not be filtered by any access lists:

  • UDP (protocol type 17) port 2048. This port is used for control signaling. Blocking this type of traffic prevents WCCP from establishing a connection between the device and web caches.

  • Generic routing encapsulation (GRE) (protocol type 47 encapsulated frames). Blocking this type of traffic prevents the web caches from ever seeing the packets that are intercepted.

ip wccp [vrf vrf-name] {web-cache | service-number} group-list access-list

This option instructs the device to use an access list to control the web caches that are allowed to participate in the specified service group. The access-list argument specifies either the number of a standard or extended access list or the name of any type of named access list. The access list itself specifies which web caches are permitted to participate in the service group. The default is for no group list to be configured, in which case all web caches may participate in the service group.


Note


The ip wccp {web-cache | service-number} group-list command syntax resembles the ip wccp {web-cache | service-number} group-listen command, but these are entirely different commands. The ip wccp group-listen command is an interface configuration command used to configure an interface to listen for multicast notifications from a cache cluster.


ip wccp [vrf vrf-name] {web-cache | service-number} password password

This option instructs the device to use MD5 authentication on the messages received from the service group specified by the service name given. Use this form of the command to set the password on the device. You must also configure the same password separately on each web cache. The password can be up to a maximum of eight characters in length. Messages that do not authenticate when authentication is enabled on the device are discarded. The default is for no authentication password to be configured and for authentication to be disabled.

ip wccp service-number service-list service-access-list mode closed

In applications where the interception and redirection of WCCP packets to external intermediate devices for the purpose of applying feature processing are not available within Cisco IOS software, packets for the application must be blocked when the intermediary device is not available. This blocking is called a closed service. By default, WCCP operates as an open service, wherein communication between clients and servers proceeds normally in the absence of an intermediary device. The service-list keyword can be used only for closed mode services. When a WCCP service is configured as closed, WCCP discards packets that do not have a client application registered to receive the traffic. Use the service-list keyword and service-access-list argument to register an application protocol type or port number.

When the definition of a service in a service list conflicts with the definition received via the WCCP protocol, a warning message similar to the following is displayed:


Sep 28 14:06:35.923: %WCCP-5-SERVICEMISMATCH: Service 90 mismatched on WCCP client 10.1.1.13

When service list definitions conflict, the configured definition takes precedence over the external definition received via WCCP protocol messages.

Examples

The following example shows how to configure a device to run WCCP reverse-proxy service, using the multicast address of 239.0.0.0:


Device> enable
Device# configure terminal
Device(config)# ip multicast-routing
Device(config)# ip wccp 99 group-address 239.0.0.0
Device(config)# interface ethernet 0
Device(config-if)# ip wccp 99 group-listen

The following example shows how to configure a device to redirect web-related packets without a destination of 10.168.196.51 to the web cache:


Device> enable
Device# configure terminal
Device(config)# access-list 100 deny ip any host 10.168.196.51
Device(config)# access-list 100 permit ip any any
Device(config)# ip wccp web-cache redirect-list 100
Device(config)# interface ethernet 0
Device(config-if)# ip wccp web-cache redirect out

The following example shows how to configure an access list to prevent traffic from network 10.0.0.0 leaving Fast Ethernet interface 0/0. Because the outbound access control list (ACL) check is enabled, WCCP does not redirect that traffic. WCCP checks packets against the ACL before they are redirected.


Device> enable
Device# configure terminal
Device(config)# ip wccp web-cache
Device(config)# ip wccp check acl outbound
Device(config)# interface fastethernet0/0
Device(config-if)# ip access-group 10 out
Device(config-if)# ip wccp web-cache redirect out
Device(config-if)# access-list 10 deny 10.0.0.0 0.255.255.255
Device(config-if)# access-list 10 permit any

If the outbound ACL check is disabled, HTTP packets from network 10.0.0.0 would be redirected to a cache, and users with that network address could retrieve web pages when the network administrator wanted to prevent this from happening.

The following example shows how to configure a closed WCCP service:


Device> enable
Device# configure terminal
Device(config)# ip wccp 99 service-list access1 mode closed

Note


  • If multiple parameters are required, all parameters under ip wccp [vrf vrf-name] {web-cache | service-number} must be configured as a single command.

  • If the command is reissued with different parameters, the existing parameter will be removed and the new parameter will be configured.


The following example shows how to configure multiple parameters as a single command:


Device> enable
Device# configure terminal
Device(config)# ip wccp 61 group-address 10.0.0.1 password 0 password mode closed redirect-list 121
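
The defaults described above (no authentication, no group list, open mode) and the single-command rule are worth checking before a change is pushed. The following Python code is an added example, not part of the Cisco documentation: it parses global ip wccp service lines from a configuration script and reports the gaps this section names. The sample script is constructed; treating a password with no type digit as type 0, and treating a reissued command as replacing the whole parameter set, are assumptions of this example.

```python
KEYWORDS = {"service-list", "mode", "group-address", "redirect-list",
            "group-list", "password"}

# Constructed sample change script, not taken from a real device.
SAMPLE_CONFIG = """\
ip multicast-routing
ip wccp web-cache password 7 PLACEHOLDER7
ip wccp web-cache redirect-list 100
ip wccp 61 group-address 239.0.0.0 password 0 s3cret group-list 20 redirect-list 121
ip wccp vrf blue 99 service-list access1
interface ethernet 0
 ip wccp web-cache redirect out
 ip wccp 99 group-listen
"""


def parse_wccp_line(line):
    """Parse one global 'ip wccp' service line into a dict, else return None."""
    tok = line.split()
    if tok[:2] != ["ip", "wccp"]:
        return None
    i, vrf = 2, None
    if tok[i:i + 1] == ["vrf"] and len(tok) > i + 1:
        vrf, i = tok[i + 1], i + 2
    if i >= len(tok) or not (tok[i] == "web-cache" or tok[i].isdigit()):
        return None  # for example 'ip wccp check acl outbound'
    svc = {"vrf": vrf, "service": tok[i], "opts": {}}
    i += 1
    while i < len(tok):
        kw = tok[i]
        if kw not in KEYWORDS or i + 1 >= len(tok):
            return None  # interface forms: 'redirect out', 'group-listen'
        if kw == "password" and tok[i + 1] in ("0", "7") and i + 2 < len(tok):
            svc["opts"]["password"] = (tok[i + 1], tok[i + 2])
            i += 3
        elif kw == "password":
            svc["opts"]["password"] = (None, tok[i + 1])  # no type digit given
            i += 2
        else:
            svc["opts"][kw] = tok[i + 1]
            i += 2
    return svc


def audit_wccp(config_text):
    """Return a list of (service-id, finding) for a config script."""
    lines = [line.strip() for line in config_text.splitlines()]
    multicast_routing = "ip multicast-routing" in lines
    effective, findings = {}, []
    for line in lines:
        svc = parse_wccp_line(line)
        if svc is None:
            continue
        sid = "{}/{}".format(svc["vrf"] or "global", svc["service"])
        if sid in effective:
            # Reissuing the command replaces the earlier parameters.
            lost = sorted(set(effective[sid]["opts"]) - set(svc["opts"]))
            if lost:
                findings.append((sid, "reissued command drops: " + ", ".join(lost)))
        effective[sid] = svc
    for sid, svc in effective.items():
        opts, number = svc["opts"], svc["service"]
        if number.isdigit() and not 0 <= int(number) <= 254:
            findings.append((sid, "service number outside 0-254"))
        if "password" not in opts:
            findings.append((sid, "no password: MD5 authentication disabled"))
        else:
            ptype, pw = opts["password"]
            if ptype != "7":
                findings.append((sid, "password is type 0 (not yet encrypted)"))
                if len(pw) > 8:
                    findings.append((sid, "password longer than eight characters"))
        if "group-list" not in opts:
            findings.append((sid, "no group-list: any web cache may participate"))
        if "redirect-list" not in opts:
            findings.append((sid, "no redirect-list: all traffic is redirected"))
        if "service-list" in opts and opts.get("mode") != "closed":
            findings.append((sid, "service-list requires mode closed"))
        if "group-address" in opts and not multicast_routing:
            findings.append((sid, "group-address set without ip multicast-routing"))
    return findings


if __name__ == "__main__":
    for sid, finding in audit_wccp(SAMPLE_CONFIG):
        print("{:18} {}".format(sid, finding))
```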

ipv6 access-list

To define an IPv6 access list and to place the device in IPv6 access list configuration mode, use the ipv6 access-list command in global configuration mode. To remove the access list, use the no form of this command.

ipv6 access-list access-list-name

no ipv6 access-list access-list-name

Syntax Description

access-list-name

Name of the IPv6 access list. Names cannot contain a space or quotation mark, or begin with a numeric.

Command Default

No IPv6 access list is defined.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The ipv6 access-list command is similar to the ip access-list command, except that it is IPv6-specific.

The standard IPv6 ACL functionality supports, in addition to traffic filtering based on source and destination addresses, filtering of traffic based on IPv6 option headers and optional, upper-layer protocol type information for finer granularity of control (functionality similar to extended ACLs in IPv4). IPv6 ACLs are defined by using the ipv6 access-list command in global configuration mode and their permit and deny conditions are set by using the deny and permit commands in IPv6 access list configuration mode. Configuring the ipv6 access-list command places the device in IPv6 access list configuration mode, and the device prompt changes to Device(config-ipv6-acl)#. From IPv6 access list configuration mode, permit and deny conditions can be set for the defined IPv6 ACL.


Note


IPv6 ACLs are defined by a unique name (IPv6 does not support numbered ACLs). An IPv4 ACL and an IPv6 ACL cannot share the same name.


For backward compatibility, the ipv6 access-list command with the deny and permit keywords in global configuration mode is still supported; however, an IPv6 ACL defined with deny and permit conditions in global configuration mode is translated to IPv6 access list configuration mode.

Refer to the deny (IPv6) and permit (IPv6) commands for more information on filtering IPv6 traffic based on IPv6 option headers and optional, upper-layer protocol type information. See the "Examples" section for an example of a translated IPv6 ACL configuration.


Note


Every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take effect. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.



Note


IPv6 prefix lists, not access lists, should be used for filtering routing protocol prefixes.


Use the ipv6 traffic-filter interface configuration command with the access-list-name argument to apply an IPv6 ACL to an IPv6 interface. Use the ipv6 access-class line configuration command with the access-list-name argument to apply an IPv6 ACL to incoming and outgoing IPv6 virtual terminal connections to and from the device.


Note


An IPv6 ACL applied to an interface with the ipv6 traffic-filter command filters traffic that is forwarded, not originated, by the device.



Note


When using this command to modify an ACL that is already associated with a bootstrap router (BSR) candidate rendezvous point (RP) (see the ipv6 pim bsr candidate rp command) or a static RP (see the ipv6 pim rp-address command), any added address ranges that overlap the PIM SSM group address range (FF3x::/96) are ignored. A warning message is generated and the overlapping address ranges are added to the ACL, but they have no effect on the operation of the configured BSR candidate RP or static RP commands.


Duplicate remark statements can no longer be configured from the IPv6 access control list. Because each remark statement is a separate entity, each one is required to be unique.

Examples

The following example is from a device running Cisco IOS Release 12.0(23)S or later releases. The example configures the IPv6 ACL named list1 and places the device in IPv6 access list configuration mode.


Device(config)# ipv6 access-list list1
Device(config-ipv6-acl)#

The following example is from a device running Cisco IOS Release 12.2(2)T or later releases, 12.0(21)ST, or 12.0(22)S. The example configures the IPv6 ACL named list2 and applies the ACL to outbound traffic on Ethernet interface 0. Specifically, the first ACL entry keeps all packets from the network FEC0:0:0:2::/64 (packets that have the site-local prefix FEC0:0:0:2 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0. The second entry in the ACL permits all other traffic to exit out of Ethernet interface 0. The second entry is necessary because an implicit deny all condition is at the end of each IPv6 ACL.


Device(config)# ipv6 access-list list2 deny FEC0:0:0:2::/64 any
Device(config)# ipv6 access-list list2 permit any any
Device(config)# interface ethernet 0
Device(config-if)# ipv6 traffic-filter list2 out

If the same configuration was entered on a device running Cisco IOS Release 12.0(23)S or later releases, the configuration would be translated into IPv6 access list configuration mode as follows:


ipv6 access-list list2 
  deny FEC0:0:0:2::/64 any
  permit ipv6 any any
interface ethernet 0
 ipv6 traffic-filter list2 out

Note


IPv6 is automatically configured as the protocol type in permit any any and deny any any statements that are translated from global configuration mode to IPv6 access list configuration mode.



Note


IPv6 ACLs defined on a device running Cisco IOS Release 12.2(2)T or later releases, 12.0(21)ST, or 12.0(22)S that rely on the implicit deny condition or specify a deny any any statement to filter traffic should contain permit statements for link-local and multicast addresses to avoid the filtering of protocol packets (for example, packets associated with the neighbor discovery protocol). Additionally, IPv6 ACLs that use deny statements to filter traffic should use a permit any any statement as the last statement in the list.
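The first-match behaviour described in this section, including the implicit trailing statements from the note in the usage guidelines, can be modelled in a few lines. The following Python sketch is an added example, not Cisco code: it evaluates constructed packets against list2 from the example above and against three constructed ACLs. It assumes a simplified entry grammar (action, optional ipv6 or icmp protocol, source, destination, optional nd-na or nd-ns) and treats an ACL with no entries as permitting everything.

```python
import ipaddress

ND_TYPES = {"nd-ns": 135, "nd-na": 136}          # ICMPv6 message types
IMPLICIT_TAIL = ["permit icmp any any nd-na",    # implicit last statements
                 "permit icmp any any nd-ns",
                 "deny ipv6 any any"]

def parse_entry(line):
    """Parse 'action [ipv6|icmp] src dst [nd-na|nd-ns]' (simplified grammar)."""
    action, *rest = line.split()
    # Entries translated from global configuration mode get protocol ipv6.
    proto = rest.pop(0) if rest[0] in ("ipv6", "icmp") else "ipv6"
    icmp_type = next((ND_TYPES[t] for t in rest[2:] if t in ND_TYPES), None)
    return {"action": action, "proto": proto, "src": rest[0],
            "dst": rest[1], "icmp_type": icmp_type}

def addr_matches(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)

def entry_matches(entry, pkt):
    if entry["proto"] == "icmp" and pkt["proto"] != "icmp":
        return False
    if entry["icmp_type"] is not None and pkt.get("icmp_type") != entry["icmp_type"]:
        return False
    return addr_matches(entry["src"], pkt["src"]) and addr_matches(entry["dst"], pkt["dst"])

def evaluate(acl_lines, pkt):
    """Return (action, matching statement) under first-match semantics."""
    if not acl_lines:  # assumption: with no entries the implicit deny is not in effect
        return "permit", "(no entries)"
    for line in list(acl_lines) + IMPLICIT_TAIL:
        entry = parse_entry(line)
        if entry_matches(entry, pkt):
            return entry["action"], line
    raise RuntimeError("unreachable: the implicit deny matches every packet")

# Constructed sample packets and ACLs (LIST2 is the ACL from the example above).
NS = {"proto": "icmp", "icmp_type": 135, "src": "fe80::1", "dst": "ff02::1:ff00:2"}
SITE_LOCAL = {"proto": "tcp", "src": "fec0:0:0:2::10", "dst": "2001:db8::1"}
LIST2 = ["deny FEC0:0:0:2::/64 any", "permit any any"]
RELIES_ON_IMPLICIT = ["permit ipv6 2001:db8:1::/64 any"]
EXPLICIT_DENY = RELIES_ON_IMPLICIT + ["deny ipv6 any any"]
ND_PERMITTED = RELIES_ON_IMPLICIT + ["permit icmp any any nd-na",
                                     "permit icmp any any nd-ns",
                                     "deny ipv6 any any"]

if __name__ == "__main__":
    for name in ("LIST2", "RELIES_ON_IMPLICIT", "EXPLICIT_DENY", "ND_PERMITTED"):
        print(name, "NS ->", evaluate(globals()[name], NS))
    print("LIST2 site-local ->", evaluate(LIST2, SITE_LOCAL))
```

In this model, the configured deny ipv6 any any in EXPLICIT_DENY matches the neighbor solicitation before the implicit nd-ns permit is reached, which is why ND_PERMITTED places the neighbor discovery permits ahead of it.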



Note


An IPv6 device will not forward to another network an IPv6 packet that has a link-local address as either its source or destination address (and the source interface for the packet is different from the destination interface for the packet).


ipv6 address-validate

To enable IPv6 address validation, use the ipv6 address-validate command in global configuration mode. To disable IPv6 address validation, use the no form of this command.

ipv6 address-validate

no ipv6 address-validate

Command Default

This command is enabled by default.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Gibraltar 16.11.1

This command was introduced.

Usage Guidelines

The ipv6 address-validate command is used to validate whether the interface identifiers in an assigned IPv6 address are a part of the reserved IPv6 interface identifiers range, as specified in RFC 5453. If the interface identifiers of the assigned IPv6 address are a part of the reserved range, a new IPv6 address is assigned.

Only auto-configured addresses or addresses configured by DHCPv6 are validated.
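The reserved-range test can be reproduced offline to audit an address inventory. The following Python sketch is an added example, not the device's implementation: it checks the low 64 bits of each address against the two ranges that RFC 5453 itself lists, assumes /64 prefixes, and uses a constructed inventory with hypothetical origin labels (slaac, dhcpv6, static). It also reports whether the device-side check would cover the address, since only auto-configured and DHCPv6 addresses are validated.

```python
import ipaddress

# The two reserved interface identifier (IID) ranges listed in RFC 5453.
RESERVED_IID_RANGES = [
    (0x0000000000000000, 0x0000000000000000, "Subnet-Router anycast (RFC 4291)"),
    (0xFDFFFFFFFFFFFF80, 0xFDFFFFFFFFFFFFFF, "Reserved subnet anycast (RFC 2526)"),
]
# Per the usage guidelines, the device validates only these address origins.
DEVICE_VALIDATED_ORIGINS = {"slaac", "dhcpv6"}

def interface_identifier(addr):
    """Return the low 64 bits of an IPv6 address as an integer (assumes a /64)."""
    return int(ipaddress.IPv6Address(addr)) & 0xFFFFFFFFFFFFFFFF

def reserved_iid(addr):
    """Return the name of the reserved range the IID falls in, or None."""
    iid = interface_identifier(addr)
    for low, high, name in RESERVED_IID_RANGES:
        if low <= iid <= high:
            return name
    return None

def audit(assignments):
    """List addresses with a reserved IID and whether the device check covers them."""
    findings = []
    for interface, addr, origin in assignments:
        reason = reserved_iid(addr)
        if reason:
            findings.append({"interface": interface, "address": addr, "reason": reason,
                             "covered_by_device_check": origin in DEVICE_VALIDATED_ORIGINS})
    return findings

# Constructed inventory: (interface, address, how the address was assigned).
SAMPLE = [
    ("Vlan10", "2001:db8:10:0:fdff:ffff:ffff:ff90", "dhcpv6"),
    ("Vlan10", "2001:db8:10::", "slaac"),
    ("Vlan20", "2001:db8:20::1", "slaac"),
    ("Vlan30", "2001:db8:30:0:fdff:ffff:ffff:fffe", "static"),
    ("Vlan30", "2001:db8:30:0:fdff:ffff:ffff:ff7f", "dhcpv6"),
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```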


Note


The no ipv6 address-validate command disables IPv6 address validation and allows the assignment of IPv6 addresses with interface identifiers that are a part of the reserved IPv6 interface identifiers range. We do not recommend the use of this command.

You must enter a minimum of eight characters of the ipv6 address-validate command if you're using CLI help (?) to complete the syntax of this command. If you enter fewer than eight characters, the command will conflict with the no ipv6 address command in interface configuration mode.


Examples

The following example shows how to re-enable IPv6 address validation if it is disabled using the no ipv6 address-validate command:

Device> enable
Device# configure terminal
Device(config)# ipv6 address-validate

ipv6 cef

To enable Cisco Express Forwarding for IPv6, use the ipv6 cef command in global configuration mode. To disable Cisco Express Forwarding for IPv6, use the no form of this command.

ipv6 cef

no ipv6 cef

Syntax Description

This command has no arguments or keywords.

Command Default

Cisco Express Forwarding for IPv6 is disabled by default.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The ipv6 cef command is similar to the ip cef command, except that it is IPv6-specific.

The ipv6 cef command is not available on the Cisco 12000 series Internet routers because this distributed platform operates only in distributed Cisco Express Forwarding for IPv6 mode.


Note


The ipv6 cef command is not supported in interface configuration mode.



Note


Some distributed architecture platforms support both Cisco Express Forwarding for IPv6 and distributed Cisco Express Forwarding for IPv6. When Cisco Express Forwarding for IPv6 is configured on distributed platforms, Cisco Express Forwarding switching is performed by the Route Processor (RP).



Note


You must enable Cisco Express Forwarding for IPv4 by using the ip cef global configuration command before enabling Cisco Express Forwarding for IPv6 by using the ipv6 cef global configuration command.


Cisco Express Forwarding for IPv6 is an advanced Layer 3 IP switching technology that functions the same as, and offers the same benefits as, Cisco Express Forwarding for IPv4. Cisco Express Forwarding for IPv6 optimizes network performance and scalability for networks with dynamic, topologically dispersed traffic patterns, such as those associated with web-based applications and interactive sessions.

Examples

The following example enables standard Cisco Express Forwarding for IPv4 operation and then standard Cisco Express Forwarding for IPv6 operation globally on the Device.


Device(config)# ip cef
Device(config)# ipv6 cef

ipv6 cef accounting

To enable Cisco Express Forwarding for IPv6 and distributed Cisco Express Forwarding for IPv6 network accounting, use the ipv6 cef accounting command in global configuration mode or interface configuration mode. To disable Cisco Express Forwarding for IPv6 network accounting, use the no form of this command.

ipv6 cef accounting accounting-types

no ipv6 cef accounting accounting-types

Specific Cisco Express Forwarding Accounting Information Through Interface Configuration Mode

ipv6 cef accounting non-recursive {external | internal}

no ipv6 cef accounting non-recursive {external | internal}

Syntax Description

accounting-types

The accounting-types argument must be replaced with at least one of the following keywords. Optionally, you can follow this keyword by any or all of the other keywords, but you can use each keyword only once.

  • load-balance-hash: Enables load balancing hash bucket counters.

  • non-recursive: Enables accounting through nonrecursive prefixes.

  • per-prefix: Enables the collection of the number of packets and bytes express forwarded to a destination (or prefix).

  • prefix-length: Enables accounting through prefix length.

non-recursive

Enables accounting through nonrecursive prefixes.

This keyword is optional when used in global configuration mode after another keyword is entered. See the accounting-types argument.

external

Counts input traffic in the nonrecursive external bin.

internal

Counts input traffic in the nonrecursive internal bin.

Command Default

Cisco Express Forwarding for IPv6 network accounting is disabled by default.

Command Modes

Global configuration (config)

Interface configuration (config-if)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The ipv6 cef accounting command is similar to the ip cef accounting command, except that it is IPv6-specific.

Configuring Cisco Express Forwarding for IPv6 network accounting enables you to collect statistics on Cisco Express Forwarding for IPv6 traffic patterns in your network.

When you enable network accounting for Cisco Express Forwarding for IPv6 by using the ipv6 cef accounting command in global configuration mode, accounting information is collected at the Route Processor (RP) when Cisco Express Forwarding for IPv6 mode is enabled and at the line cards when distributed Cisco Express Forwarding for IPv6 mode is enabled. You can then display the collected accounting information using the show ipv6 cef EXEC command.

For prefixes with directly connected next hops, the non-recursive keyword enables the collection of the number of packets and bytes express forwarded through a prefix. This keyword is optional when this command is used in global configuration mode after you enter another keyword on the ipv6 cef accounting command.

This command in interface configuration mode must be used in conjunction with the global configuration command. The interface configuration command allows a user to specify two different bins (internal or external) for the accumulation of statistics. The internal bin is used by default. The statistics are displayed through the show ipv6 cef detail command.

Per-destination load balancing uses a series of 16 hash buckets into which the set of available paths are distributed. A hash function operating on certain properties of the packet is applied to select a bucket that contains a path to use. The source and destination IP addresses are the properties used to select the bucket for per-destination load balancing. Use the load-balance-hash keyword with the ipv6 cef accounting command to enable per-hash-bucket counters. Enter the show ipv6 cef prefix internal command to display the per-hash-bucket counters.

Examples

The following example enables the collection of Cisco Express Forwarding for IPv6 accounting information for prefixes with directly connected next hops:

Device(config)# ipv6 cef accounting non-recursive

ipv6 cef distributed

To enable distributed Cisco Express Forwarding for IPv6, use the ipv6 cef distributed command in global configuration mode. To disable Cisco Express Forwarding for IPv6, use the no form of this command.

ipv6 cef distributed

no ipv6 cef distributed

Syntax Description

This command has no arguments or keywords.

Command Default

Distributed Cisco Express Forwarding for IPv6 is disabled by default.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The ipv6 cef distributed command is similar to the ip cef distributed command, except that it is IPv6-specific.

Enabling distributed Cisco Express Forwarding for IPv6 globally on the router by using the ipv6 cef distributed command in global configuration mode distributes the Cisco Express Forwarding processing of IPv6 packets from the Route Processor (RP) to the line cards of distributed architecture platforms.


Note


To forward distributed Cisco Express Forwarding for IPv6 traffic on the router, configure the forwarding of IPv6 unicast datagrams globally on your router by using the ipv6 unicast-routing global configuration command, and configure an IPv6 address and IPv6 processing on an interface by using the ipv6 address interface configuration command.



Note


You must enable distributed Cisco Express Forwarding for IPv4 by using the ip cef distributed global configuration command before enabling distributed Cisco Express Forwarding for IPv6 by using the ipv6 cef distributed global configuration command.


Cisco Express Forwarding is an advanced Layer 3 IP switching technology. Cisco Express Forwarding optimizes network performance and scalability for networks with dynamic, topologically dispersed traffic patterns, such as those associated with web-based applications and interactive sessions.

Examples

The following example enables distributed Cisco Express Forwarding for IPv6 operation:


Device(config)# ipv6 cef distributed

ipv6 cef load-sharing algorithm

To select a Cisco Express Forwarding load-balancing algorithm for IPv6, use the ipv6 cef load-sharing algorithm command in global configuration mode. To return to the default universal load-balancing algorithm, use the no form of this command.

ipv6 cef load-sharing algorithm {original | universal [id] }

no ipv6 cef load-sharing algorithm

Syntax Description

original

Sets the load-balancing algorithm to the original algorithm based on a source and destination hash.

universal

Sets the load-balancing algorithm to the universal algorithm that uses a source and destination and an ID hash.

id

(Optional) Fixed identifier in hexadecimal format.

Command Default

The universal load-balancing algorithm is selected by default. If you do not configure the fixed identifier for a load-balancing algorithm, the device automatically generates a unique ID.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The ipv6 cef load-sharing algorithm command is similar to the ip cef load-sharing algorithm command, except that it is IPv6-specific.

When the Cisco Express Forwarding for IPv6 load-balancing algorithm is set to universal mode, each device on the network can make a different load-sharing decision for each source-destination address pair.
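Per-destination hashing into 16 buckets, and the effect of the universal algorithm's ID, can be illustrated with a small model. This Python sketch is an added example and not Cisco's algorithm: SHA-256 stands in for the device's hash, the round-robin bucket-to-path layout and the two device IDs are assumptions, and the flows are constructed. It goes beyond the text by chaining two devices to show why a per-device ID matters.

```python
import hashlib
import ipaddress

BUCKETS = 16  # per-destination load balancing uses 16 hash buckets

def bucket(src, dst, device_id=None):
    """Select a bucket from source and destination; mix in the ID when given.

    SHA-256 is a stand-in here, not the hash the device uses.
    """
    data = ipaddress.IPv6Address(src).packed + ipaddress.IPv6Address(dst).packed
    if device_id is not None:              # universal algorithm: per-device ID
        data += device_id.to_bytes(4, "big")
    return hashlib.sha256(data).digest()[0] % BUCKETS

def pick_path(src, dst, n_paths, device_id=None):
    """Assumed layout: the available paths are spread round-robin over the buckets."""
    return bucket(src, dst, device_id) % n_paths

def bucket_counters(flows, device_id=None):
    """Per-hash-bucket flow counts, analogous to the load-balance-hash counters."""
    counts = [0] * BUCKETS
    for src, dst in flows:
        counts[bucket(src, dst, device_id)] += 1
    return counts

def downstream_paths_used(flows, id_a=None, id_b=None):
    """Device A sends the flows it hashes to path 0 on to device B.

    Returns the set of B's two paths that those flows end up using.
    """
    to_b = [f for f in flows if pick_path(*f, 2, id_a) == 0]
    return {pick_path(*f, 2, id_b) for f in to_b}

# Constructed flows: 200 sources talking to one destination.
FLOWS = [(f"2001:db8:1::{i:x}", "2001:db8:ffff::80") for i in range(1, 201)]

if __name__ == "__main__":
    print("bucket counters:", bucket_counters(FLOWS))
    print("original, B uses paths:", downstream_paths_used(FLOWS))
    print("universal, B uses paths:",
          downstream_paths_used(FLOWS, 0x1A2B3C4D, 0x5E6F7081))
```

With the same source and destination hash on both devices, every flow that reaches the second device lands on the same one of its two paths; with distinct IDs the second device spreads those flows over both.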

Examples

The following example shows how to enable the Cisco Express Forwarding original load-balancing algorithm for IPv6:

Device> enable
Device# configure terminal
Device(config)# ipv6 cef load-sharing algorithm original

ipv6 cef optimize neighbor resolution

To configure address resolution optimization from Cisco Express Forwarding for IPv6 for directly connected neighbors, use the ipv6 cef optimize neighbor resolution command in global configuration mode. To disable address resolution optimization from Cisco Express Forwarding for IPv6 for directly connected neighbors, use the no form of this command.

ipv6 cef optimize neighbor resolution

no ipv6 cef optimize neighbor resolution

Syntax Description

This command has no arguments or keywords.

Command Default

If this command is not configured, Cisco Express Forwarding for IPv6 does not optimize the address resolution of directly connected neighbors.

Command Modes

Global configuration (config)

Command History

Release

Modification

Cisco IOS XE Everest 16.6.1

This command was introduced.

Usage Guidelines

The ipv6 cef optimize neighbor resolution command is very similar to the ip cef optimize neighbor resolution command, except that it is IPv6-specific.

Use this command to trigger Layer 2 address resolution of neighbors directly from Cisco Express Forwarding for IPv6.

Examples

The following example shows how to optimize address resolution from Cisco Express Forwarding for IPv6 for directly connected neighbors:


Device(config)# ipv6 cef optimize neighbor resolution
 

ipv6 destination-guard policy

To define a destination guard policy, use the ipv6 destination-guard policy command in global configuration mode. To remove the destination guard policy, use the no form of this command.

ipv6 destination-guard policy [policy-name]

no ipv6 destination-guard policy [policy-name]

Syntax Description

policy-name

(Optional) Name of the destination guard policy.

Command Default

No destination guard policy is defined.

Command Modes

Global configuration (config)

Command History