
X-Pedition Security Router

XSR CLI Reference Guide


Version 7.6

P/N 9033842-07

Notice
Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its Web site without prior notice. The reader should in all cases consult Enterasys Networks to determine whether any such changes have been made. The hardware, firmware, or software described in this document is subject to change without notice.

IN NO EVENT SHALL ENTERASYS NETWORKS BE LIABLE FOR ANY INCIDENTAL, INDIRECT, SPECIAL, OR CONSEQUENTIAL DAMAGES WHATSOEVER (INCLUDING BUT NOT LIMITED TO LOST PROFITS) ARISING OUT OF OR RELATED TO THIS DOCUMENT, WEB SITE, OR THE INFORMATION CONTAINED IN THEM, EVEN IF ENTERASYS NETWORKS HAS BEEN ADVISED OF, KNEW OF, OR SHOULD HAVE KNOWN OF, THE POSSIBILITY OF SUCH DAMAGES.

Enterasys Networks, Inc.
50 Minuteman Road
Andover, MA 01810

© 2004 Enterasys Networks, Inc. All Rights Reserved

Part Number: 9033842-07 September 2005

ENTERASYS NETWORKS, ENTERASYS XSR and any logos associated therewith, are trademarks or registered trademarks of Enterasys Networks, Inc. in the United States and other countries. All other product names mentioned in this manual may be trademarks or registered trademarks of their respective owners.

Documentation URL: http://www.enterasys.com/support/manuals


Enterasys Networks, Inc. FIRMWARE LICENSE AGREEMENT


BEFORE OPENING OR UTILIZING THE ENCLOSED PRODUCT, CAREFULLY READ THIS LICENSE AGREEMENT.

This document is an agreement ("Agreement") between the end user ("You") and Enterasys Networks, Inc. on behalf of itself and its Affiliates (as hereinafter defined) ("Enterasys") that sets forth Your rights and obligations with respect to the Enterasys software program/firmware installed on the Enterasys product (including any accompanying documentation, hardware or media) ("Program") in the package and prevails over any additional, conflicting or inconsistent terms and conditions appearing on any purchase order or other document submitted by You. "Affiliate" means any person, partnership, corporation, limited liability company, or other form of enterprise that directly or indirectly through one or more intermediaries, controls, or is controlled by, or is under common control with the party specified. This Agreement constitutes the entire understanding between the parties, and supersedes all prior discussions, representations, understandings or agreements, whether oral or in writing, between the parties with respect to the subject matter of this Agreement. The Program may be contained in firmware, chips or other media.

BY INSTALLING OR OTHERWISE USING THE PROGRAM, YOU REPRESENT THAT YOU ARE AUTHORIZED TO ACCEPT THESE TERMS ON BEHALF OF THE END USER (IF THE END USER IS AN ENTITY ON WHOSE BEHALF YOU ARE AUTHORIZED TO ACT, "YOU" AND "YOUR" SHALL BE DEEMED TO REFER TO SUCH ENTITY) AND THAT YOU AGREE THAT YOU ARE BOUND BY THE TERMS OF THIS AGREEMENT, WHICH INCLUDES, AMONG OTHER PROVISIONS, THE LICENSE, THE DISCLAIMER OF WARRANTY AND THE LIMITATION OF LIABILITY. IF YOU DO NOT AGREE TO THE TERMS OF THIS AGREEMENT OR ARE NOT AUTHORIZED TO ENTER INTO THIS AGREEMENT, ENTERASYS IS UNWILLING TO LICENSE THE PROGRAM TO YOU AND YOU AGREE TO RETURN THE UNOPENED PRODUCT TO ENTERASYS OR YOUR DEALER, IF ANY, WITHIN TEN (10) DAYS FOLLOWING THE DATE OF RECEIPT FOR A FULL REFUND.

IF YOU HAVE ANY QUESTIONS ABOUT THIS AGREEMENT, CONTACT ENTERASYS NETWORKS, LEGAL DEPARTMENT AT (978) 684-1000.

You and Enterasys agree as follows:

1) LICENSE. You have the non-exclusive and non-transferable right to use only the one (1) copy of the Program provided in this package subject to the terms and conditions of this Agreement.

2) RESTRICTIONS. Except as otherwise authorized in writing by Enterasys, You may not, nor may You permit any third party to:
(i) Reverse engineer, decompile, disassemble or modify the Program, in whole or in part, including for reasons of error correction or interoperability, except to the extent expressly permitted by applicable law and to the extent the parties shall not be permitted by that applicable law, such rights are expressly excluded. Information necessary to achieve interoperability or correct errors is available from Enterasys upon request and upon payment of Enterasys' applicable fee.
(ii) Incorporate the Program, in whole or in part, in any other product or create derivative works based on the Program, in whole or in part.
(iii) Publish, disclose, copy, reproduce or transmit the Program, in whole or in part.
(iv) Assign, sell, license, sublicense, rent, lease, encumber by way of security interest, pledge or otherwise transfer the Program, in whole or in part.
(v) Remove any copyright, trademark, proprietary rights, disclaimer or warning notice included on or embedded in any part of the Program.

3) APPLICABLE LAW. This Agreement shall be interpreted and governed under the laws and in the state and federal courts of the Commonwealth of Massachusetts without regard to its conflicts of laws provisions. You accept the personal jurisdiction and venue of the Commonwealth of Massachusetts courts. None of the 1980 United Nations Convention on Contracts for the International Sale of Goods, the United Nations Convention on the Limitation Period in the International Sale of Goods, and the Uniform Computer Information Transactions Act shall apply to this Agreement.

4) EXPORT RESTRICTIONS. You understand that Enterasys and its Affiliates are subject to regulation by agencies of the U.S. Government, including the U.S. Department of Commerce, which prohibit export or diversion of certain technical products to certain countries, unless a license to export the Program is obtained from the U.S. Government or an exception from obtaining such license may be relied upon by the exporting party.

If the Program is exported from the United States pursuant to the License Exception CIV under the U.S. Export Administration Regulations, You agree that You are a civil end user of the Program and agree that You will use the Program for civil end uses only and not for military purposes.

If the Program is exported from the United States pursuant to the License Exception TSR under the U.S. Export Administration Regulations, in addition to the restriction on transfer set forth in Sections 1 or 2 of this Agreement, You agree not to (i) reexport or release the Program, the source code for the Program or technology to a national of a country in Country Groups D:1 or E:2 (Albania, Armenia, Azerbaijan, Belarus, Bulgaria, Cambodia, Cuba, Estonia, Georgia, Iraq, Kazakhstan, Kyrgyzstan, Laos, Latvia, Libya, Lithuania, Moldova, North Korea, the People's Republic of China, Romania, Russia, Rwanda, Tajikistan, Turkmenistan, Ukraine, Uzbekistan, Vietnam, or such other countries as may be designated by the United States Government), (ii) export to Country Groups D:1 or E:2 (as defined herein) the direct product of the Program or the technology, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List, or (iii) if the direct product of the technology is a complete plant or any major component of a plant, export to Country Groups D:1 or E:2 the direct product of the plant or a major component thereof, if such foreign produced direct product is subject to national security controls as identified on the U.S. Commerce Control List or is subject to State Department controls under the U.S. Munitions List.

5) UNITED STATES GOVERNMENT RESTRICTED RIGHTS. The enclosed Program (i) was developed solely at private expense; (ii) contains "restricted computer software" submitted with restricted rights in accordance with section 52.227-19 (a) through (d) of the Commercial Computer Software-Restricted Rights Clause and its successors, and (iii) in all respects is proprietary data belonging to Enterasys and/or its suppliers. For Department of Defense units, the Program is considered commercial computer software in accordance with DFARS section 227.7202-3 and its successors, and use, duplication, or disclosure by the Government is subject to restrictions set forth herein.

6) DISCLAIMER OF WARRANTY. EXCEPT FOR THOSE WARRANTIES EXPRESSLY PROVIDED TO YOU IN WRITING BY ENTERASYS, ENTERASYS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO IMPLIED WARRANTIES OF MERCHANTABILITY, SATISFACTORY QUALITY, FITNESS FOR A PARTICULAR PURPOSE, TITLE AND NON-INFRINGEMENT WITH RESPECT TO THE PROGRAM. IF IMPLIED WARRANTIES MAY NOT BE DISCLAIMED BY APPLICABLE LAW, THEN ANY IMPLIED WARRANTIES ARE LIMITED IN DURATION TO THIRTY (30) DAYS AFTER DELIVERY OF THE PROGRAM TO YOU.

7) LIMITATION OF LIABILITY. IN NO EVENT SHALL ENTERASYS OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER (INCLUDING, WITHOUT LIMITATION, DAMAGES FOR LOSS OF BUSINESS, PROFITS, BUSINESS INTERRUPTION, LOSS OF BUSINESS INFORMATION, SPECIAL, INCIDENTAL, CONSEQUENTIAL, OR RELIANCE DAMAGES, OR OTHER LOSS) ARISING OUT OF THE USE OR INABILITY TO USE THE PROGRAM, EVEN IF ENTERASYS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. THIS FOREGOING LIMITATION SHALL APPLY REGARDLESS OF THE CAUSE OF ACTION UNDER WHICH DAMAGES ARE SOUGHT.

THE CUMULATIVE LIABILITY OF ENTERASYS TO YOU FOR ALL CLAIMS RELATING TO THE PROGRAM, IN CONTRACT, TORT OR OTHERWISE, SHALL NOT EXCEED THE TOTAL AMOUNT OF FEES PAID TO ENTERASYS BY YOU FOR THE RIGHTS GRANTED HEREIN.

8) AUDIT RIGHTS. You hereby acknowledge that the intellectual property rights associated with the Program are of critical value to Enterasys and, accordingly, You hereby agree to maintain complete books, records and accounts showing (i) license fees due and paid, and (ii) the use, copying and deployment of the Program. You also grant to Enterasys and its authorized representatives, upon reasonable notice, the right to audit and examine during Your normal business hours, Your books, records, accounts and hardware devices upon which the Program may be deployed to verify compliance with this Agreement, including the verification of the license fees due and paid Enterasys and the use, copying and deployment of the Program. Enterasys' right of examination shall be exercised reasonably, in good faith and in a manner calculated to not unreasonably interfere with Your business. In the event such audit discovers non-compliance with this Agreement, including copies of the Program made, used or deployed in breach of this Agreement, You shall promptly pay to Enterasys the appropriate license fees. Enterasys reserves the right, to be exercised in its sole discretion and without prior notice, to terminate this license, effective immediately, for failure to comply with this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and all copies of the Program.

9) OWNERSHIP. This is a license agreement and not an agreement for sale. You acknowledge and agree that the Program constitutes trade secrets and/or copyrighted material of Enterasys and/or its suppliers. You agree to implement reasonable security measures to protect such trade secrets and copyrighted material. All right, title and interest in and to the Program shall remain with Enterasys and/or its suppliers. All rights not specifically granted to You shall be reserved to Enterasys.

10) ENFORCEMENT. You acknowledge and agree that any breach of Sections 2, 4, or 9 of this Agreement by You may cause Enterasys irreparable damage for which recovery of money damages would be inadequate, and that Enterasys may be entitled to seek timely injunctive relief to protect Enterasys' rights under this Agreement in addition to any and all remedies available at law.

11) ASSIGNMENT. You may not assign, transfer or sublicense this Agreement or any of Your rights or obligations under this Agreement, except that You may assign this Agreement to any person or entity which acquires substantially all of Your stock or assets. Enterasys may assign this Agreement in its sole discretion. This Agreement shall be binding upon and inure to the benefit of the parties, their legal representatives, permitted transferees, successors and assigns as permitted by this Agreement. Any attempted assignment, transfer or sublicense in violation of the terms of this Agreement shall be void and a breach of this Agreement.

12) WAIVER. A waiver by Enterasys of a breach of any of the terms and conditions of this Agreement must be in writing and will not be construed as a waiver of any subsequent breach of such term or condition. Enterasys' failure to enforce a term upon Your breach of such term shall not be construed as a waiver of Your breach or prevent enforcement on any other occasion.

13) SEVERABILITY. In the event any provision of this Agreement is found to be invalid, illegal or unenforceable, the validity, legality and enforceability of any of the remaining provisions shall not in any way be affected or impaired thereby, and that provision shall be reformed, construed and enforced to the maximum extent permissible. Any such invalidity, illegality or unenforceability in any jurisdiction shall not invalidate or render illegal or unenforceable such provision in any other jurisdiction.

14) TERMINATION. Enterasys may terminate this Agreement immediately upon Your breach of any of the terms and conditions of this Agreement. Upon any such termination, You shall immediately cease all use of the Program and shall return to Enterasys the Program and all copies of the Program.


Contents
Preface

Chapter 1: Network Management

Observing Syntax and Conventions
Network Management Commands
General Network Management Commands
General Show Commands
snmp-server Commands
SNMP Show Commands
SLA Agent Commands
RTR-mode Commands
RTR Show Commands

Chapter 2: Configuring T1/E1 and T3/E3 Subsystems


Observing Syntax and Conventions
T1/E1 & T3/E3 Commands
T1/E1 and T3/E3 Clear and Show Commands
Drop and Insert Commands

Chapter 3: Configuring the XSR Platform


Observing Syntax and Conventions
Platform Commands
Clock Commands
Crypto Key Commands
Other Platform Commands
SNTP Commands
Platform Clear and Show Commands
File System Commands
Bootrom Monitor Mode Commands

Chapter 4: Configuring Hardware Controllers


Observing Syntax and Conventions
Hardware Controller Commands
Hardware Controller Clear and Show Commands

Chapter 5: Configuring the Internet Protocol


Observing Syntax and Conventions
IP Commands
OSPF Commands
OSPF Debug and Show Commands
RIP Commands
RIP Show Commands
RTP Header Compression Commands
Triggered on Demand RIP Commands
Policy-Based Routing Commands
PBR Clear and Show Commands
ARP Commands
Other IP Commands
IP Clear and Show Commands
Network Address Translation Commands
Virtual Router Redundancy Protocol Commands
VRRP Clear and Show Commands

Chapter 6: Configuring the Border Gateway Protocol


Observing Syntax and Conventions
BGP Configuration Commands
Route Map Commands
BGP Set Commands
BGP Clear and Show Commands
BGP Debug Commands

Chapter 7: Configuring IP Multicast


Observing Syntax and Conventions
PIM Commands
IGMP Clear and Show Commands

Chapter 8: Configuring the Point-to-Point Protocol


Observing Syntax and Conventions
PPP Commands
PPP Debug, Clear and Show Commands
Multilink PPP Commands
Multilink Show Commands

Chapter 9: Configuring Frame Relay


Observing Syntax and Conventions
Frame Relay Commands
Frame Relay Map Class Commands
Frame Relay Clear and Show Commands

Chapter 10: Configuring the Dialer Interface


Observing Syntax and Conventions
Dialer Interface Commands
Dialer Interface Clear and Show Commands
Dial Backup Commands
DOD/BOD Commands
Dialer Watch Commands

Chapter 11: ISDN BRI and PRI Commands


Observing Syntax and Conventions
ISDN Commands
ISDN Debug and Show Commands

Chapter 12: Configuring Quality of Service


Observing Syntax and Conventions
QoS Commands
Policy-Map Commands
Class-map Commands
QoS Show Commands

Chapter 13: Configuring ADSL


Observing Syntax and Conventions
ADSL Configuration Commands
CMV Commands
Other ADSL Commands
PPP Configuration Commands
ATM Clear and Show Commands

Chapter 14: Configuring the VPN


Observing Syntax and Conventions
VPN Commands
PKI commands
CA Identity Mode Commands
Other Certificate Commands
IKE Security Protocol Commands
ISAKMP Protocol Policy Mode Commands
Remote Peer ISAKMP Protocol Policy Mode Commands
Remote Peer Show Commands
IPSec Commands
IPSec Clear and Show Commands
Crypto Map Mode Commands
Crypto Transform Mode Commands
Crypto Show Commands
Interface CLI Commands
Interface VPN Commands
Tunnel Commands
Tunnel Clear and Show Commands
Additional Tunnel Termination Commands
DF Bit Commands

Chapter 15: Configuring DHCP


Observing Syntax and Conventions
DHCP Commands
ip address dhcp
DHCP Clear and Show Commands

Chapter 16: Configuring Security


Observing Syntax and Conventions
General Security Commands
Security Clear and Show Commands
AAA Commands
AAA Usergroup Commands
AAA User Commands
AAA Method Commands
AAA Per-Interface Commands
AAA Debug and Show Commands
Firewall Feature Set Commands
Firewall Interface Commands
Firewall Show Commands


Preface
This guide describes the Command Line Interface (CLI) commands needed to mount, connect, power up, and maintain an XSR from Enterasys Networks.

This guide is written for administrators who want to configure the XSR or experienced users who are knowledgeable in basic networking principles.

Contents of the Guide


Information in this guide is arranged as follows:

Chapter 1, Network Management, describes fundamental network control commands.
Chapter 2, Configuring the T1/E1 & T3/E3 Subsystems, details commands for T1/E1 and T3/E3 NIM cards.
Chapter 3, Configuring the XSR Platform, describes platform subsystem commands.
Chapter 4, Configuring Hardware Controllers, describes commands to configure the hardware controllers over serial lines.
Chapter 5, Configuring the Internet Protocol, describes IP commands.
Chapter 6, Configuring the Border Gateway Protocol, details BGP commands.
Chapter 7, Configuring IP Multicast, defines XSR commands for Protocol Independent Multicast - Sparse Mode (PIM-SM) and the Internet Group Management Protocol (IGMP).
Chapter 8, Configuring the Point-to-Point Protocol, describes PPP setup.
Chapter 9, Configuring Frame Relay, details commands to configure Frame Relay.
Chapter 10, Configuring the Dialer Interface, describes commands to set up network connections over the Public Switch Telephone Network, provide a backup link over a dial line, and configure BoD/DoD.
Chapter 11, ISDN BRI and PRI Commands, details commands to set up ISDN.
Chapter 12, Configuring Quality of Service, outlines QoS setup commands.
Chapter 13, Configuring ADSL, describes configuration commands for ADSL including CMV, ATM and associated PPP commands.
Chapter 14, Configuring the VPN, details Virtual Private Network setup.
Chapter 15, Configuring DHCP, describes how to set up Dynamic Host Configuration Protocol.
Chapter 16, Configuring Security, describes configuring access lists, and other commands to protect against various network attacks.


Conventions Used in This Guide


The following conventions are used in this guide:

Caution: Contains information essential to avoid damage to the equipment.

Note: Calls the reader's attention to any item of information that may be of special importance.

Bold: Text in boldface indicates values you type using the keyboard or select using the mouse (for example, a:\setup). Default settings may also appear in bold.

Italics: Text in italics indicates a variable, important new term, or the title of a manual.

SMALL CAPS: Small caps specify the keys to press on the keyboard; a plus sign (+) between keys indicates that you must press the keys simultaneously (for example, CTRL+ALT+DEL).

Courier font: Text in this font denotes a file name or directory.

+: Points to text describing CLI command.

FastEthernet: FastEthernet and GigabitEthernet references are generally interchangeable throughout this guide.

Getting Help
For additional support related to the XSR, contact Enterasys Networks using one of the following methods:

World Wide Web                               http://www.enterasys.com
Phone                                        (603) 332-9400
                                             1-800-872-8440 (toll-free in U.S. and Canada)
                                             For the Enterasys Networks Support toll-free number in your country: http://www.enterasys.com/support/gtac-all.html
Internet mail                                support@enterasys.com
                                             To expedite your message, please type [xsr] in the subject line.
FTP                                          ftp://ftp.enterasys.com
Login                                        anonymous
Password                                     your Email address
Acquire the latest image and Release Notes   http://www.enterasys.com/download
Additional documentation                     http://www.enterasys.com/support/manuals
Forward comments or suggestions              techwriting@enterasys.com
                                             To expedite your message, type [techwriting] in the subject line, and include the document Part Number in the Email.

Before contacting Enterasys Networks for technical support, have the following information ready:
Your Enterasys Networks service contract number
A description of the failure
A description of any action(s) already taken to resolve the problem (e.g., rebooting the unit, reconfiguring modules, etc.)
The serial and revision numbers of any relevant Enterasys Networks products in the network
A description of your network environment (layout, cable type, etc.)
Network load and frame size at the time of the problem
The XSR's history (i.e., have you returned the device before, is this a recurring problem, etc.)
Any previous Return Material Authorization (RMA) numbers.

1 Network Management
Observing Syntax and Conventions
The CLI Syntax and conventions use the notation described in the following table.

Convention           Description
xyz                  Keyword or mandatory parameters (bold)
[x]                  [ ] Square brackets indicate an optional parameter (italic)
[x|y|z]              [ | ] Square brackets with vertical bar indicate a choice of values
{x|y|z}              { | } Braces with vertical bar indicate a choice of a required value
[x{y|z}]             [{ | }] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)      xx signifies interface type and number, e.g.: F1, S2/1.0, D1, M57, G3. F indicates a FastEthernet, and G a GigabitEthernet interface.
soho.enterasys.com   Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

Next Mode entries display the CLI prompt after a command is entered.
Sub-command headings are displayed in red text.

Network Management Commands


This chapter includes the following subsets of network management commands:
General Network Management Commands
General Show Commands
snmp-server Commands
SNMP Show Commands
SLA Agent Commands
RTR mode Commands
RTR Show Commands

General Network Management Commands

banner

This command creates a login banner at the XSR's CLI prompt. Text is entered one line at a time and should not exceed 80 characters per line. Each successive entry adds a line to the banner, as shown in the example.

Syntax
banner login bannerLine

bannerLine   Text to be displayed at login. A maximum of 50 lines can be written per banner. Text must be enclosed in quotes.

Syntax of the no Form

Use the no form of this command to remove all banners:
XSR(config)#no banner login

Mode
Global configuration: XSR(config)#

Example
The following example configures a login banner:
XSR(config)#banner login "Welcome Larry"
XSR(config)#banner login "You're in the office now"
XSR(config)#banner login "Start working!"

configure terminal
This command enters configuration mode from Privileged EXEC mode.

Syntax
configure terminal

Mode
Privileged EXEC: XSR#

Example
XSR#configure terminal

crypto key dsa


This command generates the Digital Signature Algorithm (DSA) type host key pair (private and public) as well as displays the public key. A unique set of host keys are created each time the XSR reboots but we recommend you generate a new pair of host keys when you believe security may be compromised.
The master encryption key is used to encrypt the keys before being saved in the hostkey.dat file in Flash. Access to this file is restricted and it cannot be read or copied. All SSH connection requests use the host keys stored in the hostkey.dat file unless none have been generated or the content of the file is corrupted. In those circumstances, default keys are used to secure the connection.
Additional host key behavior is described as follows:
If you have not generated a master encryption key before using SSH, the XSR will prompt you with the crypto key master generate command.
One to three minutes will elapse while host keys are generated by crypto key dsa, depending on the device load at the time.
SSH accepts no new connections during host key generation.
The command is ignored if stored in the startup-config file.
If the master key is changed, you are not required to generate a new DSA key pair.
If you remove the master key, the DSA key pair is removed as well (hostkey.dat is deleted).

Syntax
crypto key dsa {generate | remove | show}

generate   Produce new key pairs.
remove     Delete old key pair.
show       Display public portion of host key pairs.

Mode
Global configuration: XSR(config)#

Example
The following example generates a new pair of keys:
XSR(config)#crypto key dsa generate

disable
This command exits from Privileged EXEC to EXEC mode.

Syntax
disable

Mode
Privileged EXEC: XSR#

Example
XSR#disable

enable
This command jumps to Privileged EXEC mode.

Syntax
enable

Mode
EXEC: XSR>

Example
XSR>enable

end
This command terminates configuration mode.

Syntax
end

Mode
Any configuration

Example
XSR(config)#end

exit
This command quits the current mode to a higher level. If you are in EXEC mode, it terminates the Telnet, SSH, or Console session.

Syntax
exit

Mode
All

Example
XSR(config)#exit

help
This command retrieves help at any Mode.

Syntax
help

Mode
All

Example
XSR#help

ip http port
This command changes the HTTP (HyperText Transfer Protocol) port that incoming HTTP (Web) sessions connect to.

Syntax
ip http port {port_number | default}

port_number   Incoming HTTP server port number from 1024 to 65535.
default       Sets the HTTP port to default.

Note: If you try to set the port-number but it is already in use (Telnet, e.g.), it will be reset to the default value automatically.

Mode
Global configuration: XSR(config)#

Default
Port number: 80

Example
XSR(config)#ip http port 1234

ip http server
This command enables/disables HTTP (Web) service to the router. If the optional parameter is not supplied, the HTTP server will be enabled. Since the HTTP server is disabled at boot-up, you must either manually enable it using the CLI or enable it in the startup-config file.

Syntax
ip http server [enable | disable]

enable    Enables HTTP server.
disable   Disables HTTP server.

Syntax of the no Form

The no form of this command disables the HTTP server:
no ip http server

Mode
Global configuration: XSR(config)#

Default
Disable

Examples
XSR(config)#ip http server enable
XSR(config)#no ip http server

ip ssh server
This command enables/disables Secure Shell (SSH) service to the client. Because the SSH server is enabled at boot-up, you can either manually disable the SSH server using CLI, or disable the SSH server in the startup-config file. If the optional parameter is not supplied, the SSH server will be enabled.

Syntax
ip ssh server [enable | disable]

enable    Enables SSH server.
disable   Disables SSH server.

Syntax of the no Form

The no form of this command disables the SSH server:
no ip ssh server

Mode
Global configuration: XSR(config)#

Defaults
Enabled
Port number 22

Example
XSR(config)#ip ssh server enable

ip telnet port
This command changes the Telnet port that incoming Telnet sessions connect to.

Syntax
ip telnet port {port_number | default}

port_number   Incoming Telnet server port number from 1024 to 65535.
default       Sets the Telnet port to the default.

Note: If you try to set the port-number but it is already in use (the Web, e.g.), it will be reset to the default value automatically.

Mode
Global configuration: XSR(config)#

Default
Port number: 23

Examples
XSR(config)#ip telnet port 5678

ip telnet server
This command enables or disables Telnet service to the XSR. If the optional parameter is not supplied, the Telnet server is enabled.
Since the Telnet server is enabled at boot-up, you must either manually disable it using the CLI or disable it in startup-config.

Syntax
ip telnet server [enable | disable]

enable    Enables Telnet service.
disable   Disables Telnet service.

Syntax of the no Form

The no form of this command disables the Telnet server:
no ip telnet server

Mode
Global configuration: XSR(config)#

Default
Enabled

Examples
XSR(config)#ip telnet server enable
XSR(config)#no ip telnet server

ping
This network connectivity command, which applies to IP ping only, sends five echo requests with a configurable packet size and source IP address. Ping stops when responses are received or after five requests are sent.

Syntax
ping dest_addr [source_addr][size pkt_size]

dest_addr     Destination address to be pinged.
source_addr   Source address for the ping packet. If not configured, the Router ID is used.
pkt_size      Payload size, ranging from 1 to 65000.

Mode
Privileged EXEC: XSR#

Default
Packet size: 72 bytes

Sample Output
This example shows a timed-out ping with an unreachable destination:
XSR#ping 134.141.235.1
Type escape sequence to abort
Timeout
Timeout
Timeout
Timeout
Timeout
Packets: Sent = 5, Received = 0, Lost = 5

The following example shows a successful ping:
XSR#ping 134.141.235.165
Type escape sequence to abort
Reply from 192.168.27.165: 20ms
Reply from 192.168.27.165: 10ms
Reply from 192.168.27.165: 10ms
Reply from 192.168.27.165: 10ms
Reply from 192.168.27.165: 10ms
Packets: Sent = 5, Received = 5, Lost = 0

The following example shows the destination lost after three pings:
XSR>ping 134.141.235.165
Reply from 134.141.235.165: 20ms
Reply from 134.141.235.165: 10ms
Reply from 134.141.235.165: 10ms
Timeout
Timeout
Packets: Sent = 5, Received = 3, Lost = 2

privilege
This command modifies the username privilege level associated with a particular CLI configuration mode. You can also associate a privilege level with another command or group of commands. The modes which can be set include the following:
class-map
configure (global)
controller
exec
interface-dialer
interface-dlci
interface-fastEthernet
interface-loopback
interface-serial
map-class-dialer
map-class-frame-relay
policy-map
policy-map-class
router-ospf
router-rip
subinterface

This command is used in conjunction with the username command to set the privilege level for a user. The show running-config command displays user information.

Syntax
privilege operationMode {level value | reset} {command | commandgroup}

privilege       Associates privilege level with a command.
operationMode   Configuration mode associated with privilege level.
value           Privilege level associated with the mode of operation ranging from 0 to 15 (highest).
reset           Resets the privilege level to the default.
command         Command within that mode to set a privilege for.
commandgroup    Set of commands to associate with a privilege. For example, T1 Controller group commands.

Mode
Global configuration: XSR(config)#

Defaults
Privilege level 0: all statistics (show) commands with low level security such as show version, show clock, etc.
Privilege levels 1 through 9: the following EXEC Mode commands are available: disable, exit, help, isdn, ping, telnet, terminal, and traceroute. Unless explicitly defined, users having privilege levels 1-9 have no access to Privileged EXEC commands.
Privilege levels 10 through 14: the following Privileged EXEC mode commands are available: cd, clear, clock, dir, disable, enable, exit, help, isdn, no, ping, pwd, reload, telnet, terminal, traceroute, and verify. Unless explicitly defined, only level 15 users can access Global Mode commands.
Privilege level 10: all statistics (show) commands with higher level security such as show running-config, show interface, etc.
Privilege level 15: other configuration commands such as configure, copy, delete, rename, write. Only an admin can issue these commands.
Any user privilege level automatically inherits all privileges granted to lower privilege levels.
Admin privilege level (15) cannot be changed.
Privilege for special user admin: 15
Only administrators can add, delete, or change user rights.
Only administrators can change privilege levels for commands.
Users can change their own passwords but not their privilege levels.

Examples
This example sets the privilege level for the username command in Global mode to level 6:
XSR(config)#privilege configure level 6 username

This example resets the privilege level for the username command in Global mode to the default:
XSR(config)#privilege configure reset username

This example sets the privilege level for the neighbor command in Router RIP mode to level 13:
XSR(config)#privilege router-rip level 13 neighbor


session-timeout
This command sets the interval for closing a connection when there is no input. If the keyword console, ssh, or Telnet is used, the timeout becomes the default value for the next session of the specified type, otherwise, the timeout applies to the current session. When the console session times out, it will sit idle and prompt you for your user ID and password again.

Syntax
session-timeout {timeout | console timeout | ssh timeout | telnet timeout}

timeout   Timeout current session. Range: 15-35,000 seconds.
console   Timeout for console session. Range: 15-35,000 seconds.
ssh       Timeout for all SSH sessions. Range: 15-35,000 seconds.
telnet    Timeout for all Telnet sessions. Range: 15-35,000 seconds.

Mode
Global configuration: XSR(config)#

Defaults
Timeout: 1,800 seconds
If neither Console, SSH, nor Telnet is specified, the timeout value will be set for the current session.

Example
This example sets the current Console timeout session to 15 seconds:
XSR(config)#session-timeout console 15

terminal
This command changes the terminal screen width and length.

Syntax
terminal {width | length} size

width    Width of the terminal screen in lines.
length   Length of the terminal screen in lines.
size     Line range from 0 to 512.

Mode
Privileged EXEC: XSR#

Defaults
Length: 23 lines
Width: 132 characters
0 means no limit

Example
XSR#terminal width 40
XSR#terminal length 40

traceroute
This command gathers information regarding the route that IP datagrams follow to a specified destination. This implementation of the traceroute utility uses UDP as the transport layer. It transmits three probes for each hop between source and destination.

Syntax
traceroute dest-addr [source-addr]

dest-addr     Network address of the destination.
source-addr   Source address for the ping packet. If this is not set, the Router ID is used.

Mode
EXEC: XSR>

Defaults
Maximum interval to wait for a response: 3 seconds
Maximum interval to live: 30 seconds
Packet size: 40 bytes.

Sample Output
XSR>traceroute 140.252.13.65 172.15.57.99
traceroute to 140.252.13.65,30 hops max,40 bytes packets
1. 140.252.13.35 20 ms 10 ms 10 ms
2. 140.252.13.65 120ms 120ms 120ms

Parameters in the Response

A probe timeout is signaled by an asterisk *.

Abnormal Termination Signs

!P   Protocol Unreachable
!N   Network Unreachable
!H   Host Unreachable

username
This command adds a user, privilege level, password, and encryption type for those accessing the XSR. Assigning privilege levels lets you control which users can manage selective resources. The username command can also be used in conjunction with the privilege command to associate usernames with particular configuration modes. For example, if configuring T1/E1 requires that a user have a privilege level of 6 or higher, any user with a privilege of 5 or lower would be prohibited from configuring the T1/E1 controller.
Caution: We recommend that you add no more than 3000 users due to a size limit for the user.dat file. Also, we suggest keeping usernames and passwords as short as possible to avoid breaching the 200 Kbyte limit.

Admin/Administrative Users
There is a special level 15 user called admin for which you can set a password by specifying admin as the name of the user. The default password for admin is null (that is, the zero-length string).
Any user with a privilege of 15 is considered an administrator. An administrative user must be logged in to at least one of the five permitted Telnet/SSH sessions. If the first four sessions are in use by regular users, then the fifth session will only allow an administrator to log in, otherwise any user can log in to the fifth session. If one of the first four sessions has an administrator logged in already, then the fifth session can be any user. This rule is meant to ensure that the administrator can always log in.
The show running-config command displays user information. By contrast, consult the aaa client command, which configures a user with AAA security by the XSR authentication database.

Syntax
username name [privilege level] password {cleartext | secret type} password

name        User ID.
privilege   Associates a priority level with this user.
level       Priority associated with this user, ranging from 0 to 15 (highest). If the privilege is changed while the XSR is being set, the change occurs immediately.
password    Associates a password with this username.
cleartext   Password will not be encrypted.
secret      Password will be encrypted.
type        0 indicates the password is expected to be unencrypted, 5 indicates the input password is expected to be encrypted already, so it will not be encrypted again.
password    The password associated with the specified user ID. Users are stored in the startup-config file. If you choose a secret password with an optional parameter of 5, then you must provide the password in encrypted form.

Syntax of the no Form

The no form of this command deletes a user. If no user exists, the command will be ignored. Also, this command will remove the admin user provided it is issued by another administrator.
no username name

Note: No user can be deleted if you are presently logged in as that user, and admin or other level 15 users cannot be deleted unless at least one such administrator remains configured.

Mode
Global configuration: XSR(config)#

Defaults
Username: admin
Password: (null or zero-length string)
New user level: 0 unless explicitly set
Privilege for special user admin: 15
Users with a privilege level of 15 have the same rights as admin.
Only admins can add, delete, or change user rights.
Only admins can change privilege levels for commands.
Users can change their own passwords but not their privilege levels.

Examples
The following example sets 1stUser privilege to 6 and 2ndUser to 0:
XSR(config)#username 1stUser privilege 6 password cleartext Sox
XSR(config)#username 2ndUser password cleartext Celtic

The example below sets the privilege for larryc to 15, with an already coded password:
XSR(config)#username larryc privilege 15 password secret 5 J&*I8

The following example creates user larryc with a privilege of 15 and a password that will be encrypted by the XSR:
XSR(config)#username larryc privilege 15 password secret 0 nomar

General Show Commands

crypto key dsa show

This command displays the encrypted public key, one of the private/public keys generated by the crypto key dsa generate command. The private key is not displayed.

Syntax
crypto key dsa show

Mode
Global configuration: XSR(config)#

Sample Output
The following output displays public key:
XSR(config)#crypto key dsa show ---- BEGIN SSH2 PUBLIC KEY ---Subject: root Comment: "1024-bit dsa, administrator@Robo1, Mon Mar 03 2003 05:06:16" AAAAB3NzaC1kc3MAAACBAIgwEkVM26GpC9L+cu9HnXps8S6Qlrhp7mwGudUYDMETdWj53j u6umHQPwekw0AsTH256mbFedfilcr+W207db+YKunWh59nan/kHGg1iZpwfeaE2kNO4om2 PqXGqdJd7tEI6Ut0cCV7R9roVUDkhmkWWcxaLL5r+YkIV7II6b33AAAAFQCO4IaKlgIhPg W3oRkNWe3mq9iDrwAAAIBKHSIUIf/KkYd9r5bi7Ec8OHTbkCAcZqwH4gJIh8EryaMWAm7c zjWtSlLNYhz+q5J2uoPKjct4gqxRv4RLo5yKxsSIcgD6WauvANO7yzQ1CRFBAXL9iZZMEa AhJQbAE1WVXjD61kBmKvrcR2ZDEnpRaueAaojF4Rslo66Y6pn77gAAAIAKjfSPLGIXe0gF JqsEIPkrY+0sMwltOV+zd8NPp/NqkIOxg9kZVASQCn/huAv6Sc3WN/WSQU/BpYu2jI8C1S 1S9BEezin8bNE8YWVLwaG1Fx+GOTEugbgflhgMfNHtzaaHEMfmLq80EJ3jRv+zjwaWYPzT wuo+3CNydBZSwe7fmA== ---- END SSH2 PUBLIC KEY ----

show ip http
This command displays information about the HTTP (Web) session.

Syntax
show ip http

Mode
Privileged EXEC: XSR#

Sample Output
The following is output from the show ip http command:
XSR#show ip http
HTTP Information:
Home page: index.html
HTTP Server: Disabled
HTTP Port: 80

show ip telnet
This command displays information about the Telnet session.

Syntax
show ip telnet

Mode
Privileged EXEC: XSR#

Sample Output
The following is output from the show ip telnet command:
XSR#show ip telnet
TELNET Information:
Telnet Server: Enabled
Telnet Port: 23
Active Telnet Sessions: 1

snmp-server Commands
This command set configures the SNMP agent on the XSR. Currently, SNMP v1/v2 and v3 are supported. All commands are invoked in Global configuration mode. If the SNMP server is disabled, executing any SNMP configuration command except for snmp-server disable will automatically turn the SNMP server on after it successfully executes. By default, the SNMP server is disabled at boot-up.
All SNMP Global configuration level commands have a privilege level of 15 and all show commands have a level of 10.
The MIBs listed in Table 1-1 can be accessed on the XSR.

Table 1-1 Supported Proprietary and Standard MIB Objects

MIB                                       Description
ctron-chassis-mib                         XSR components and modules MIB.
Enterasys Download                        ctron-download-mib.txt (supported via online download only). This is the only MIB with v1/v2c write access.
PPP-LCP                                   RFC 1471. (pppLqrExtnsTable and pppTests not supported)
PPP-IP                                    RFC 1473.
OSPF                                      RFC 1850. The following traps are supported: ospfTrapIfStateChange, ospfTrapVirtIfStateChange, ospfTrapNbrStateChange, ospfTrapVirtNbrStateChange, ospfTrapIfConfigError, ospfTrapVirtIfConfigError
RIPv2                                     RFC 1724.
BGP                                       RFC 1657.
Frame Relay DTE                           RFC 2115.
ctron-timed-reset-mib                     This MIB provides a countdown timer and forces a reset after time expires. Using this MIB to reset the XSR performs correctly only if SNMP system shutdown is enabled with the snmp-server system-shutdown command (refer to page 26).
Enterasys Configuration Change            This MIB allows management entities to determine if and when configuration changes have occurred. The MIB reports the number of changes and the time and method of the last change in each of three categories: volatile and non-volatile changes, and firmware upgrades.
Enterasys Configuration Management        This MIB allows an SNMP management entity to upload and download executable images and configuration files to the XSR and identify the active executable image and configuration files. Using this MIB to reset the XSR will succeed only if SNMP system shutdown is enabled with the snmp-server system-shutdown command (see page 127).
Enterasys Syslog Client                   The XSR allows read-only access to the Syslog server configuration.
Enterasys SNMP Persistence                This MIB lets SNMP save configuration changes to the startup-config file. When reconfiguration occurs via SNMP or the CLI, changes remain volatile until running-config is saved to startup-config. By setting etsysSnmpPersistenceSave to save(2), running-config is saved to startup-config. The only etsysSnmpPersistenceMode supported is pushButtonSave(2).
Enterasys Firewall                        This MIB implements SNMP-based Firewall monitoring of the XSR.
Host Resource                             RFC 2790. This MIB provides monitoring of CPU load and memory.
Entity MIB V2                             RFC 2737. This MIB contains tables for physical and logical entities managed by the SNMP agent.
SNMPv3 MIBs                               The SNMPv3 MIBs implemented on the XSRs are: RFC 3411 Framework, RFC 3412 MPD, RFC 3414 USM, RFC 3415 VACM
MIB-II                                    RFC 1213. All objects except the EGP and AT groups. Address Translation (AT) data can be retrieved from ipNetToMediaTable.
Evolution of MIB-II Interfaces Group      RFC 1573. IfStackTable translated to SMIv1.
IP Tunnel MIB                             RFC 2667. tunnelIfTable is supported when VPN is enabled.
IP Forward                                RFC 2096. ipCidrRoute objects.
Enterasys Service Level Reporting         Response Time Reporter for network monitoring.
Notification & Target                     RFC 3413.

You can download Enterasys MIBs from the following Web site: http://www.enterasys.com/support/mibs/

snmp-server community
This command allows a community string to access MIBs in the XSR.

Syntax
snmp-server community community-string [view view-name][ro | rw] [access-list-num]

community-string   Community string with SNMP v1/v2c access.
view-name          Name of the view defining which MIBs are accessible.
ro                 Read-only permission.
rw                 Read-write permission.
access-list-num    Standard access list number ranging from 1 to 99.

Notes: You can configure up to 20 read-only and read-write community strings. Community-based write access is available for the ct-download MIB only. For write access to other MIBs, use SNMPv3.

Syntax of the no Form

The no form of this command removes a community string from both read-only and read-write community tables:
no snmp-server community community-string

Defaults
ro
v1default

Mode
Global configuration: XSR(config)#

Example
The following example creates MyCommunity for read-write access and applies ACL #57:
XSR(config)#snmp-server community MyCommunity rw 57
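
A configuration check built on the defaults and options documented in the General Network Management Commands section and under snmp-server community, as an added example that is not part of the Enterasys guide. It assumes the configuration is available as text in the CLI command form this chapter shows; the audit function, the finding codes and both sample configurations are constructed for illustration.

```python
import re

# Boot-time service state as documented in this chapter:
# Telnet and SSH are enabled at boot-up, HTTP is disabled.
BOOT_DEFAULTS = {"telnet": True, "ssh": True, "http": False}

SERVICE_RE = re.compile(r"^(no )?ip (telnet|ssh|http) server( enable| disable)?$")
USER_RE = re.compile(
    r"^username (\S+)(?: privilege (\d+))? password (cleartext|secret [05]) \S+")
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)(.*)$")


def audit(config_text):
    """Return a sorted list of (finding_code, detail) for one configuration."""
    services = dict(BOOT_DEFAULTS)
    admin_has_password = False
    findings = set()

    for raw in config_text.splitlines():
        line = " ".join(raw.split())              # normalise whitespace
        m = SERVICE_RE.match(line)
        if m:
            negated, service, arg = m.groups()
            # "no ..." and "... disable" switch the service off; the bare
            # command and "... enable" switch it on.
            services[service] = not negated and arg != " disable"
            continue
        m = USER_RE.match(line)
        if m:
            name, level, storage = m.groups()
            level = int(level) if level else 0    # new users default to level 0
            if name == "admin":
                admin_has_password = True
                level = 15                        # admin is always level 15
            if storage == "cleartext":            # "Password will not be encrypted"
                findings.add(("CLEARTEXT_PASSWORD", f"{name} (privilege {level})"))
            continue
        m = COMMUNITY_RE.match(line)
        if m:
            community, rest = m.groups()
            options = rest.split()
            if "view" in options:                 # drop "view <view-name>"
                i = options.index("view")
                del options[i:i + 2]
            writable = "rw" in options            # the default is ro
            has_acl = any(tok.isdigit() for tok in options)
            if writable and not has_acl:
                findings.add(("SNMP_RW_NO_ACL", community))

    if services["telnet"]:
        findings.add(("TELNET_ENABLED", "on at boot-up unless disabled"))
    if services["http"]:
        findings.add(("HTTP_ENABLED", "enabled by configuration"))
    if not admin_has_password:
        findings.add(("ADMIN_NULL_PASSWORD", "admin keeps the zero-length default"))
    return sorted(findings)


# Constructed sample: reuses command forms from this chapter's examples.
SAMPLE_CONFIG = """
username 1stUser privilege 6 password cleartext Sox
username larryc privilege 15 password secret 5 J&*I8
ip http server enable
ip telnet port 5678
snmp-server community MyCommunity rw
snmp-server community ReadOnly view v3view ro 57
"""

# Constructed sample with the same services locked down.
HARDENED_CONFIG = """
username admin password secret 0 constructed-example
username larryc privilege 15 password secret 0 nomar
no ip telnet server
ip ssh server enable
snmp-server community ReadOnly ro 57
"""

if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```

Moving the Telnet port with ip telnet port does not clear the TELNET_ENABLED finding; only no ip telnet server or ip telnet server disable does.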

snmp-server contact
This command specifies contact information regarding the SNMP server.

Syntax
snmp-server contact contact-name

contact-name   String of up to 255 characters. Values with spaces require quotations.

Syntax of the no Form

The no form of this command offers no contact information:
no snmp-server contact

Mode
Global configuration: XSR(config)#

Default
Null string

Example
XSR(config)#snmp-server contact LarryCurtis@enterasys.com
XSR(config)#snmp-server contact "Larry Curtis 508 767-2536"

snmp-server enable/disable
This command enables or disables the SNMP server. If the server is disabled, using any snmp CLI command will turn it back on.

Syntax
snmp-server {enable | disable}

enable    Enables the SNMP server.
disable   Disables the SNMP server.

Mode
Global configuration: XSR(config)#

Default
Disable

snmp-server enable traps


This command enables traps and informs to be sent. SNMP v1 traps and v3 informs are supported. They are sent to the hosts configured with the snmp-server host command.

Syntax
snmp-server enable traps [[snmp [authentication]] entity | frame-relay | bgp | ospf]

snmp             Enables all SNMP traps.
authentication   Enables authentication traps only.
entity           Enables all entity traps.
frame-relay      Enables all Frame Relay traps.
bgp              Enables all BGP traps.
ospf             Enables all OSPF traps.

Syntax of the no Form

The no form of this command disables the sending of specified traps:
no snmp-server enable traps [[snmp [authentication]] entity | frame-relay]

Mode
Global configuration: XSR(config)#

Default
Disabled

Examples
To enable all SNMP traps, enter the following command:
XSR(config)#snmp-server enable traps snmp

To enable authentication SNMP traps only, enter the following command:
XSR(config)#snmp-server enable traps snmp authentication

snmp-server engineID
This command specifies a value for the SNMP engine on the XSR. Within SNMPv3, users are localized to the device by this EngineID.
A textual convention for SnmpEngineID is specified by RFC 3411. Using this textual convention, the EngineID is created with the MAC address and enterprise number for Enterasys. In order to transmit v3 informs, the XSR requires the engineIDs of remote SNMP entities which this command allows you to configure. The command also lets you configure the XSR local engineID.
All engineID settings must be set before adding users to the User Security Model (USM) table since user keys are localized with the engineID.
Caution: If you want to change the engine ID, do so before adding SNMP v3 users because you cannot delete a user which is associated with a discarded Engine ID. But you can delete an SNMP user when the Engine ID it is associated with still exists.

Syntax
snmp-server engineID [local | remote ip-addr {udp-port port}] engineid-string

local             The engineID is for the local SNMP agent.
remote            The engineID is for the remote SNMP agent.
ip-addr           The IP address of the remote host.
port              The UDP port of the remote IP address.
engineid-string   A unique hexadecimal string used to set the local engineID according to the algorithm defined in RFC 3411. The string must be an even number of up to 54 hex characters.

Syntax of the no Form

Use the no form of this command to remove the engineID:
no snmp-server engineID [local | remote ip-addr {udp-port port}] engineid-string

Mode
Global configuration: XSR(config)#

Example
The following example specifies the EngineID:
XSR(config)#snmp-server engineID local 00020AF100

results in an engineID of 0x800015F80500020AF100
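
The layout of the engine ID in the example above, and the reason USM users are tied to it, worked through as an added example that is not part of the Enterasys guide. The function names are hypothetical; the enterprise number 5624 is read from the 0x15F8 in the page's result, and the key derivation follows RFC 3414 with SHA-1, which is an assumption because this page does not say which authentication protocol the XSR uses.

```python
import hashlib

# Meaning of the fifth octet (format) of an RFC 3411 SnmpEngineID.
FORMATS = {1: "IPv4 address", 2: "IPv6 address", 3: "MAC address",
           4: "text, administratively assigned",
           5: "octets, administratively assigned"}


def build_engine_id(enterprise, fmt, data_hex):
    """Assemble an engine ID: 4-byte enterprise number with the top bit set,
    one format octet, then the data given on the command line."""
    data = bytes.fromhex(data_hex)        # rejects an odd number of hex digits
    engine_id = (0x80000000 | enterprise).to_bytes(4, "big") + bytes([fmt]) + data
    # SnmpEngineID is at most 32 octets, which leaves 27 data octets:
    # the 54 hex characters this page allows for engineid-string.
    if not 6 <= len(engine_id) <= 32:
        raise ValueError("engine ID must carry 1 to 27 data octets")
    return engine_id


def parse_engine_id(engine_id):
    """Split an engine ID back into enterprise number, format and data."""
    head = int.from_bytes(engine_id[:4], "big")
    if len(engine_id) < 6 or not head & 0x80000000:
        raise ValueError("not an RFC 3411 variable-length engine ID")
    return {"enterprise": head & 0x7FFFFFFF,
            "format": FORMATS.get(engine_id[4], "reserved or enterprise-specific"),
            "data": engine_id[5:].hex().upper()}


def password_to_key(password, hash_name="sha1"):
    """RFC 3414 A.2: hash the password repeated out to 1,048,576 octets."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty password")
    stream = (pw * (1048576 // len(pw) + 1))[:1048576]
    return hashlib.new(hash_name, stream).digest()


def localized_key(password, engine_id, hash_name="sha1"):
    """Key actually stored for a USM user: H(Ku || engineID || Ku)."""
    ku = password_to_key(password, hash_name)
    return hashlib.new(hash_name, ku + engine_id + ku).digest()


if __name__ == "__main__":
    page_id = build_engine_id(5624, 5, "00020AF100")    # value from the page
    changed = build_engine_id(5624, 5, "00020AF101")    # constructed variant
    print(page_id.hex().upper(), parse_engine_id(page_id))
    # Same passphrase, different engine ID: the stored keys no longer match,
    # so users created under the old engine ID cannot authenticate.
    for eid in (page_id, changed):
        print(eid.hex().upper(), localized_key("constructed-passphrase", eid).hex())
```

The format octet 05 in the page's result is the RFC 3411 value for administratively assigned octets, which is why the configured string appears unchanged after it.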

snmp-server group
This command configures a new SNMP group to associate SNMP users with views.

Syntax
snmp-server group group-name {v1 | v2c | v3 {auth | noauth | priv}} [read readview] [write writeview][access access-list]

group         Defines a User Security Model (USM) group.
group-name    Name of the group.
v1            v1 security model (least secure) used.
v2c           v2 security model (next to least secure) used.
v3            v3 security model (most secure) used.
auth          authNoPriv security level used.
noauth        noAuthNoPriv security level used.
priv          authPriv security level used.
read          Specifies a read view for the group.
readview      The read view name.
write         Specifies a write view for the group.
writeview     The write view name.
access        Access list associated with this group.
access-list   Standard IP access list allowing access with this group.

Syntax of the no Form

Use the no form of this command to remove a specified SNMP group:
no snmp-server group group-name {v1 | v2c | v3}{auth | noauth | priv}}

Mode
Global configuration: XSR(config)#

Example
This example specifies the v3auth SNMP group with auth security, the v3view for read and write access, and is matched with an ACL written earlier:
XSR(config)#snmp-server group v3auth v3 auth read v3view write v3view access 88

snmp-server host
This command specifies host parameters of the SNMP server; it adds a new management station to send traps to. If the address already exists, the command will update the server's configuration which is stored in the snmpTargetMIB defined by RFC 2573.

Syntax
snmp-server host ip-addr {traps | informs version {2c | 3 [{auth | noauth | priv}]] community-stringOrUser [udp-port port][notification-type]

ip-addr                  IP address of the target recipient.
traps                    Sends SNMP traps to this host.
informs                  Sends Inform notifications.
version                  The security model used.
2c                       Version 2c security model used. This allows the transmission of informs and counter 64 values.
3                        Version 3 security model (USM) used.
auth                     Authentication without encryption.
noauth                   No authentication or encryption.
priv                     Authentication with encryption.
community-stringOrUser   Password-like community string to be used with versions 1 and 2c. Username when using version 3 security model.
udp-port                 Specifies the UDP port of the host to use.
port                     The UDP port number of the host.
notification-type        The type of trap to be sent including BGP, entity, frame-relay, ospf, and snmp traps.

Note: You can configure up to 20 hosts.

Syntax of the no Form

The no form removes the specified host from the list of hosts that the XSR sends traps to:
no snmp-server host host ip-addr

Mode
Global configuration: XSR(config)#

Defaults
Trap type: SNMP, entity, frame-relay
UDP port: 162

Example
The following examples illustrate an SNMP host with trap on and off:
XSR(config)#snmp-server host 192.168.1.10 traps trapsOn
XSR(config)#no snmp-server host 192.168.2.11

Sample Output
The following are three sample outputs from the command:
Notification host: 192.168.2.10 udp-port: 162 user: v3user security model: v3 priv Notification host: 192.168.10.2 udp-port: 162 user: public security model: v1 Notification host: 192.168.1.5 udp-port: 162 user: testuser security model: v3 noauth type: inform

type: trap

type: trap

snmp-server informs
This command specifies inform request options.

Syntax
snmp-server informs [retries retries] [timeout seconds] [pending pending]

retries   Maximum attempts to resend an inform request. Range: 0-10.
timeout   Interval to wait for an acknowledgement before resending. Range: 1-10 seconds.
pending   Peak number of informs waiting for acknowledgments at any one time, ranging from 1 to 100. When the peak is reached, older pending informs are discarded.

Syntax of the no Form

The no form of this command returns settings to their defaults:
no snmp-server informs [retries retries][timeout timeout] [pending pending]

Mode
Global configuration: XSR(config)#

Defaults
Retries: 3
Timeout: 15 seconds
Pending: 25 informs

Example
This example shows an inform with 1 retry, a 5-second timeout and a 10 pending value:
XSR(config)#snmp-server informs retries 1 timeout 5 pending 10

snmp-server location
This command specifies the location of the SNMP server.

Syntax
snmp-server location location-string

location-string   Site where the SNMP server is located.

Syntax of the no Form

The no form of this command deletes a location for the SNMP server:
no snmp-server location

Mode
Global configuration: XSR(config)#

Default
Null string

Example
The following example describes the SNMP server location. Note the quotation marks:
XSR(config)#snmp-server location "Beacon Street Branch"

snmp-server max-traps-per-window
This command specifies the number of traps allowed in the time window.

Syntax
snmp-server max-traps-per-window max-traps

max-traps   Sum of traps permitted, ranging from 0 to 999,999,999.

Syntax of the no Form

The no form of this command sets the minimum period between successive traps to the default:
no snmp-server max-traps-per-window

Mode
Global configuration: XSR(config)#

Default
0 traps (unlimited)

Example
The following example sets the traps permitted to 1000:
XSR(config)#snmp-server max-traps-per-window 1000

snmp-server min-trap-spacing
This command sets the interval between successive SNMP traps. Trap spacing is only guaranteed to occur at least every spacing; it might occur more often. The command implementation can exhibit a jitter of +0 to +200 milliseconds and is linked to the XSR's fast timer tick interval.

Syntax
snmp-server min-trap-spacing spacing

spacing    Minimum interval between successive traps, ranging from 0 to 3,600,000 milliseconds. Zero (0) indicates traps are sent successively, without delay.

Syntax of the no Form
The no form sets the minimum interval between successive traps to the default value:
no snmp-server min-trap-spacing

Mode
Global configuration: XSR(config)#

Default
200 milliseconds

Example
The following example limits the minimum trap interval to 1 minute:
XSR#snmp-server min-trap-spacing 60000

snmp-server packetsize
This command sets the maximum allowable incoming and outgoing packet size in bytes. Packets larger than this value are dropped.

Syntax
snmp-server packetsize size

size    Peak packet size allowed, ranging from 484 to 8,192 bytes.

Syntax of the no Form
The no form sets the maximum allowed incoming and outgoing packet size to the default:
no snmp-server packetsize

Mode
Global configuration: XSR(config)#

Default
1,500 bytes

Example
The following example specifies the peak packet size as 1000 bytes:
XSR#snmp-server packetsize 1000

snmp-server queue-length
This command sets the retransmission queue length. Traps which have no route to the host are put into the retransmission queue for resending later.

Syntax
snmp-server queue-length length

length    Trap queue length ranging from 1 to 1000.

Syntax of the no Form
The no command resets the retransmission queue length to the default:
no snmp-server queue-length

Mode
Global configuration: XSR(config)#

Default
10

Example
The following example sets the retransmission queue length to 50:
XSR#snmp-server queue-length 50

snmp-server set entityMIB
This command specifies physical alias and asset IDs for the entity MIB.

Syntax
snmp-server set entityMIB {entPhysicalAlias | entPhysicalAssetID} host <string>

entPhysicalAlias      An alias name for the physical entity.
entPhysicalAssetID    A user-assigned asset tracking identifier for the physical entity.
string                Text for the alias or ID not to exceed 32 characters.

Syntax of the no Form
The no command sets the PhysicalAlias or PhysicalAssetID in the Entity MIB as an empty string:
no snmp-server set entityMIB {entPhysicalAlias | entPhysicalAssetID} host

Mode
Global configuration: XSR(config)#

Example
The following example provides an alias for the host:
XSR(config)#snmp-server set entityMIB entPhysicalAlias host aliasSalesServer

snmp-server system-shutdown
This command allows the SNMP server to reboot the XSR (usually after a software download).

Syntax
snmp-server system-shutdown

Syntax of the no Form
The no command disallows the SNMP server from rebooting the XSR:
no snmp-server system-shutdown

Mode
Global configuration: XSR(config)#

Default
Enabled

Example
The following example permits the SNMP server to reboot the XSR:
XSR(config)#snmp-server system-shutdown


snmp-server tftp-server-list
This command specifies an Access Control List (ACL) to limit TFTP servers' access during SNMP downloads.

Syntax
snmp-server tftp-server-list access-list-num

access-list-num    Standard ACL ranging from 1 to 99.

Syntax of the no Form
The no form removes any ACL limiting other TFTP servers' access during SNMP downloads:
no snmp-server tftp-server-list

Mode
Global configuration: XSR(config)#

Example
The following example limits TFTP servers to ACL #57:
XSR#snmp-server tftp-server-list 57

snmp-server trap-source
This command sets the interface serving as the source for all traps and informs. Use the address of the interface from which the trap/inform goes out as the source address for the trap/inform.

Syntax
snmp-server trap-source {interface}

interface    A supported interface such as FastEthernet 1.

Note: If the interface does not have an IP address or if the interface is deleted afterwards, it will use the address of the interface from which the trap/inform goes out as the source address for the trap/inform.

Syntax of the no Form
The no form of this command removes the configured trap interface:
no snmp-server trap-source

Example
This example specifies GigabitEthernet interface 2 as the trap source:
XSR#snmp-server trap-source g2


snmp-server trap-timeout
This command specifies the interval at which traps in the retransmission queue are retried if no route exists to the host that SNMP traps will be sent to.

Syntax
snmp-server trap-timeout timeout

timeout    Retry interval ranging from 1 to 9,999 seconds.

Syntax of the no Form
The no form of this command sets the trap timeout to the default value:
no snmp-server trap-timeout

Mode
Global configuration: XSR(config)#

Default
30 seconds

snmp-server user
This command configures local or remote users in an SNMP group with security models, authentication, passwords, privacy settings, and ACLs, and adds users to the USM user table.
Note: Be aware that the engineID of the remote SNMP entity must be configured before you add a user since passwords are hashed with the engineID to create a localized key.

Syntax
snmp-server user username [groupname remote ip-address [udp-port port]{v1 | v2c | v3 [encrypted][auth {md5 | sha} auth-password [priv des56 priv-password]]}[access access-list]

username         Name of the user.
groupname        Name of the group to which the user belongs.
remote           A remote SNMP entity.
ip-address       IP address of the remote SNMP entity.
udp-port         UDP port of the remote SNMP entity.
port             UDP port number of the remote SNMP entity. Default: 162.
v1               v1 security model (least secure) used.
v2c              v2c security model (next to least secure) used.
v3               v3 security model (most secure) used.
encrypted        Specifies passwords as MD5 or SHA digests.
auth             Authentication parameters for the user.
md5              HMAC-MD5 algorithm used for authentication.
sha              HMAC-SHA algorithm used for authentication.
auth-password    The user's authentication password. At least 8 characters is required.
priv             Specifies the privacy setting.
des56            CBC-DES privacy encryption algorithm.
priv-password    Privacy password for the user. A minimum of 8 characters is required.
access           Specifies an access list associated to this user.
access-list      Standard IP access list allowing access to this user.

Syntax of the no Form
Use the no form of this command to remove a user:
no snmp-server user username groupname {v1 | v2c | v3}

Mode
Global configuration: XSR(config)#

Example
The example below configures ljc of the v3authgrp SNMP group with strong v3 level security, MD5 authentication, and the password acorntree:
XSR(config)#snmp-server user ljc v3 auth v3authgrp md5 acorntree
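The note above says passwords are hashed with the engineID to create a localized key. The following is an added example, not code from this guide or from Enterasys, showing the standard SNMPv3 USM derivation from RFC 3414; that the XSR follows RFC 3414 exactly is an assumption. The engine IDs are the ones printed in this guide's show snmp engineID sample output, and the function names are hypothetical.

```python
import hashlib

# RFC 3414 (USM) section A.2: the password is repeated until exactly
# 1,048,576 octets have been fed to the hash, giving the user key Ku.
EXPANDED_LEN = 1048576
HASHES = {"md5": hashlib.md5, "sha": hashlib.sha1}  # the CLI's {md5 | sha}


def password_to_key(password: str, algo: str) -> bytes:
    """Return Ku, the engine-independent key derived from the password."""
    pw = password.encode("ascii")
    if len(pw) < 8:
        # The parameter table above requires at least 8 characters.
        raise ValueError("password must be at least 8 characters")
    reps, rem = divmod(EXPANDED_LEN, len(pw))
    return HASHES[algo](pw * reps + pw[:rem]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """Return Kul = H(Ku || engineID || Ku), usable with one engine only."""
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("engineID must be 5 to 32 octets (RFC 3411)")
    return HASHES[algo](ku + engine_id + ku).digest()


def localized_key_hex(password: str, engine_id_hex: str, algo: str) -> str:
    """Convenience wrapper: password + hex engineID -> hex localized key."""
    engine_id = bytes.fromhex(engine_id_hex)
    return localize_key(password_to_key(password, algo), engine_id, algo).hex()


# Engine IDs as printed in this guide's "show snmp engineID" sample output.
LOCAL_ENGINE = "800015F8030001F423E691"
REMOTE_ENGINE = "800009041234"

if __name__ == "__main__":
    # Same user, same password, two engines: two unrelated keys. A user
    # entered before the remote engineID is known would be keyed to the
    # wrong engine, which is why the engineID has to be configured first.
    for label, eid in (("local", LOCAL_ENGINE), ("remote", REMOTE_ENGINE)):
        print(label, eid, localized_key_hex("acorntree", eid, "md5"))
```

Because the stored key is bound to one engineID, a key captured from one device's configuration does not authenticate the same user on another engine.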

snmp-server view
This command creates or updates a view entry. The XSR provides one default view which is used for all community commands which do not specify a view parameter. The v1default view includes the internet tree and excludes snmpUsmMIB and snmpVacmMIB. You can remove this view with the no snmp-server v1default command.

Syntax
snmp-server view view-name {oid-tree | treeEntryName} {included | excluded}

view-name        Label for the view record that you update/create.
oid-tree         Object identifier of the subtree to be included/excluded from the view. This parameter can be either a numeric OID or a well-known MIB name listed in Table 1-2 on page 1-31, or a MIB name followed by a numeric OID (i.e., system.6 for sysLocation). Names are case-sensitive.
treeEntryName    Name of the subtree equivalent to the object OID tree.
included         This view includes the specified OID tree.
excluded         This view excludes the specified OID tree.

Syntax of the no Form
Use the no form of this command to remove a view entry:
no snmp-server view view-name

Mode
Global configuration: XSR(config)#

Examples
The following example creates a view of all objects on the XSR:
XSR(config)#snmp-server view v3view internet included

The following example creates a view of all objects in the MIB-II subtree:
XSR(config)#snmp-server view mib2 mib-2 included

The following example creates a view for TCP:
XSR(config)#snmp-server view TCPview tcp included

The following example creates a view of all objects in the MIB-II subtree excluding 1.3.6.1:
XSR(config)#snmp-server view MIBIIview 1.3.6.1 excluded

The following example removes a view of MIB-II subtree 1.3.6.1:
XSR(config)#no snmp-server view 1.3.6.1

The following example creates a view of all objects in private Enterasys and Cabletron MIBs except for the etsysConfigurationChangeMIB:
XSR(config)#snmp-server view Enterasys private included
XSR(config)#snmp-server view Enterasys etsysConfigurationChangeMIB excluded

Sample Output
The following is sample output from the command:
XSR#show snmp view
viewname: Enterasys
included: private
excluded: etsysConfigurationChangeMIB

Table 1-2    MIB Names for SNMP View Commands

SNMP Term                        SNMP Numerical ID
org                              1.3
dod                              1.3.6
internet                         1.3.6.1
mgmt                             1.3.6.1.2
private                          1.3.6.1.4
snmpV2                           1.3.6.1.6
mib2                             1.3.6.1.2.1
system                           1.3.6.1.2.1.1
interfaces                       1.3.6.1.2.1.2
ifEntry                          1.3.6.1.2.1.2.2.1
at                               1.3.6.1.2.1.3
atEntry                          1.3.6.1.2.1.3.1.1
ip                               1.3.6.1.2.1.4
ipAddrEntry                      1.3.6.1.2.1.4.20.1
ipRouteEntry                     1.3.6.1.2.1.4.21.1
ipNetToMediaEntry                1.3.6.1.2.1.4.22.1
icmp                             1.3.6.1.2.1.5
tcp                              1.3.6.1.2.1.6
tcpConnEntry                     1.3.6.1.2.1.6.13.1
udp                              1.3.6.1.2.1.7
udpEntry                         1.3.6.1.2.1.7.5.1
egp                              1.3.6.1.2.1.8
transmission                     1.3.6.1.2.1.10
pppLcp                           1.3.6.1.2.1.10.23.1
pppIp                            1.3.6.1.2.1.10.23.3
frameRelayDTE                    1.3.6.1.2.1.10.33
tunnelMIB                        1.3.6.1.2.1.10.131
snmp                             1.3.6.1.2.1.11
ospf                             1.3.6.1.2.1.14
bgp                              1.3.6.1.2.1.15
rip2                             1.3.6.1.2.1.23
ifMIB                            1.3.6.1.2.1.31
entityMIB                        1.3.6.1.2.1.47
cabletron                        1.3.6.1.4.1.52
chassis                          1.3.6.1.4.1.52.4.1.1.2
ctTimedResetMIB                  1.3.6.1.4.1.52.4.1.1.5.2
ctDownload                       1.3.6.1.4.1.52.4.1.5.8
enterasys                        1.3.6.1.4.1.5624
etsysConfigurationChangeMIB      1.3.6.1.4.1.5624.1.2.12
etsysSyslogClientMIB             1.3.6.1.4.1.5624.1.2.14
etsysSnmpPersistenceMIB          1.3.6.1.4.1.5624.1.2.24
etsysFirewallMIB                 1.3.6.1.4.1.5624.1.2.37
etsysServiceLevelReportingMIB    1.3.6.1.4.1.5624.1.2.39
snmpFrameworkMIB                 1.3.6.1.6.3.10
snmpMPDMIB                       1.3.6.1.6.3.11
snmpUsmMIB                       1.3.6.1.6.3.15
snmpVacmMIB                      1.3.6.1.6.3.16
snmpEngine                       1.3.6.1.6.3.10.2.1
snmpMPDStats                     1.3.6.1.6.3.11.2.1
usmStats                         1.3.6.1.6.3.15.1.1
usmUser                          1.3.6.1.6.3.15.1.2
usmUserTable                     1.3.6.1.6.3.15.1.2.2
vacmContextTable                 1.3.6.1.6.3.16.1.1
vacmSecurityToGroupTable         1.3.6.1.6.3.16.1.2
vacmAccessTable                  1.3.6.1.6.3.16.1.4
vacmMIBViews                     1.3.6.1.6.3.16.1.5
vacmViewTreeFamilyTable          1.3.6.1.6.3.16.1.5.2
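The view commands and Table 1-2 above determine which objects a community or user can reach. The following is an added example, not code from this guide or from Enterasys, that parses snmp-server view lines and decides whether an object is visible, then lists views that expose the user and access tables the v1default view keeps out. It assumes the XSR resolves overlapping entries by the longest matching subtree, as RFC 3415 specifies for views without masks; the configuration text is constructed and the function names are hypothetical.

```python
# Names and numeric IDs copied from Table 1-2 of this guide (subset).
MIB_NAMES = {
    "internet": "1.3.6.1",
    "private": "1.3.6.1.4",
    "mib2": "1.3.6.1.2.1",
    "system": "1.3.6.1.2.1.1",
    "tcp": "1.3.6.1.2.1.6",
    "enterasys": "1.3.6.1.4.1.5624",
    "etsysConfigurationChangeMIB": "1.3.6.1.4.1.5624.1.2.12",
    "snmpUsmMIB": "1.3.6.1.6.3.15",
    "snmpVacmMIB": "1.3.6.1.6.3.16",
    "usmUserTable": "1.3.6.1.6.3.15.1.2.2",
    "vacmAccessTable": "1.3.6.1.6.3.16.1.4",
}

# Constructed configuration using the command syntax shown in this section.
# v1default is built in on the XSR; it is spelled out here as three lines
# only so that it can be evaluated like the other views.
SAMPLE_CONFIG = """\
snmp-server view v1default internet included
snmp-server view v1default snmpUsmMIB excluded
snmp-server view v1default snmpVacmMIB excluded
snmp-server view v3view internet included
snmp-server view Enterasys private included
snmp-server view Enterasys etsysConfigurationChangeMIB excluded
snmp-server view TCPview tcp included
"""


def resolve(tree):
    """Accept a numeric OID, a table name, or name.suffix (e.g. system.6)."""
    head, _, rest = tree.partition(".")
    if not head.isdigit():
        if head not in MIB_NAMES:  # names are case-sensitive
            raise KeyError("unknown MIB name: " + head)
        tree = MIB_NAMES[head] + ("." + rest if rest else "")
    return tuple(int(part) for part in tree.split("."))


def parse_views(config_text):
    """Collect {view-name: [(subtree, included?), ...]} from config lines."""
    views = {}
    for line in config_text.splitlines():
        words = line.split()
        if len(words) != 5 or words[:2] != ["snmp-server", "view"]:
            continue  # not a view command
        name, tree, mode = words[2:]
        if mode not in ("included", "excluded"):
            raise ValueError("bad view mode: " + mode)
        views.setdefault(name, []).append((resolve(tree), mode == "included"))
    return views


def in_view(oid, entries):
    """True if oid is visible: the longest matching subtree decides."""
    target = resolve(oid)
    best_len, visible = -1, False  # no matching subtree means not visible
    for subtree, included in entries:
        if target[:len(subtree)] == subtree and len(subtree) >= best_len:
            best_len, visible = len(subtree), included
    return visible


def exposed_sensitive(views, sensitive=("usmUserTable", "vacmAccessTable")):
    """List (view, object) pairs where a user/access table is reachable."""
    return [(name, obj) for name, entries in sorted(views.items())
            for obj in sensitive if in_view(obj, entries)]


if __name__ == "__main__":
    for view, obj in exposed_sensitive(parse_views(SAMPLE_CONFIG)):
        print("view %s exposes %s" % (view, obj))
```

A view built like v3view in the first example above (internet included, nothing excluded) is the one the check reports; adding the two exclusions that v1default carries removes it from the list.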

snmp-server window-time
This command specifies the length, in seconds, of the moving window used to count the number of traps sent.

Syntax
snmp-server window-time time

time    Time window interval, ranging from 1 to 3,600 seconds.

Syntax of the no Form
The no form of this command sets the length of the moving window used to count the number of traps sent recently to the default:
no snmp-server window-time

Mode
Global configuration: XSR(config)#

Default
10 seconds

Example
The following example sets the moving window interval to ten minutes:
XSR(config)#snmp-server window-time 600

SNMP Show Commands

show snmp
This command displays information about the SNMP server.

Syntax
show snmp [location]

location    The site of the SNMP server.

Mode
Privileged EXEC: XSR#

Sample Output
The following is sample output from the command:
XSRtop(config)#show snmp
Chassis serial#: 0000019876543210
In counters:
0 SNMP packets in
0 Bad SNMP version errors
0 Unknown community names
0 Illegal operations for name supplied
0 Encoding errors
0 Packets too big
0 No such names
0 Bad values
0 Read-onlys
0 General Errors
0 Requested variables
0 Altered variables
0 Get requests
0 Get-Next requests
0 Set requests
0 Get responses
0 Traps
Out counters:
0 SNMP packets out
0 Packets too big
0 No such names
0 Bad values
0 General errors
0 Get requests
0 Get-Next requests
0 Set requests
0 Get responses
0 Traps
0 Silent drops
0 Proxy drops

The example below shows output with the location option entered:
XSR#show snmp location
Haverhill Mass.

show snmp engineID
This command displays the identification of the local SNMP engine.

Syntax
show snmp engineID

Mode
Privileged EXEC: XSR#

Sample Output
The following is sample output from the command:
XSR#show snmp engineID
Local SNMP engineID: 800015F8030001F423E691
IP-addr       Port   Rewrite Engine ID
10.10.1.48    162    800009041234

show snmp group
This command displays the names of groups on the XSR with their security model and views.

Syntax
show snmp group

Mode
Privileged EXEC: XSR#

Sample Output
The following sample output displays one group, nm, which was configured with a few views attached to it:
XSR#show snmp group
grouname: nm                security model: v1
readview: tcpView           wirteview: tcpView
notifyview: <no notifyview specified>
grouname: nm                security model: v2c
readview: v1default         wirteview: <no writeview specified>
notifyview: <no notifyview specified>
grouname: nm                security model: v3 auth
readview: v1default         wirteview: nmMIBIIview
notifyview: nmMIBIIview

The following is sample output from the command:
XSR#show snmp group
groupname: v3RWGroup        security model: v3
readview: v3view            writeView: v3view
notifyview: <no notifyview specified>
groupname: v3ROGroup        security model: v3
readview: v3view            writeView: nmMIBIIview
notifyview: <no notifyview specified>

show snmp host
This command displays information from the SNMP Host table.

Syntax
show snmp host

Sample Output
The following is sample output from the command:
Notification host: 192.168.2.10 udp-port: 162
user: v3user security model: v3 priv
Notification host: 192.168.10.2 udp-port: 162
user: public security model: v1
Notification host: 192.168.1.5 udp-port: 162
user: testuser security model: v3 noauth type: inform

type: trap

type: trap

show snmp user
This command displays information on each SNMP username in the Username table.

Syntax
show snmp user

Mode
Privileged EXEC: XSR#

Sample Output
The following is sample output from the command:
XSR#show snmp user
User name: authprivUser
Engine ID: 800015f8030001f423e691
storage-type: nonvolatile
group: v3RWGroup active

Parameter Description
storage-type    Indicates whether the settings have been saved to persistent memory (nonvolatile) or will be lost if the device is reset (volatile).

show snmp view
This command displays information on each SNMP view in the group username table.

Syntax
show snmp view

Mode
Privileged EXEC: XSR#

Sample Output
The following is sample output from the command:
XSR#show snmp view
viewname: v3view
included: internet
excluded:
viewname: v1default
included: internet
excluded: snmpUsmMIB snmpVacmMIB
viewname: MIBIIview
included: 1.3.6.1
excluded:

SLA Agent Commands

aggregate-period
This command specifies the period between two aggregate measurement action intervals by the Response Time Reporter (RTR).

Syntax
aggregate-period period

period    Interval between aggregate measurement, ranging from 10 to 60800 seconds.

Syntax of the no Form
The no form of this command returns to the default value:
aggregate-period period

Mode
RTR Echo configuration: XSR(config-rtr-echo-xx)#

Default
600 seconds

Example
The following example sets a one minute aggregate period:
XSR(config-rtr-echo-1)#aggregate-period 60

buckets-of-history-kept
This command specifies how many history entries will be maintained by the Response Time Reporter (RTR).

Syntax
buckets-of-history-kept size

size    Number of history records retained. Range: 1 to 60.

Syntax of the no Form
The no form of this command returns to the default value:
no buckets-of-history-kept

Mode
RTR Echo configuration: XSR(config-rtr-echo-xx)#

Default
Size: 10 records
The result is wrapped when the history is full.

Example
This example sets the buckets of history value to 5 records:
XSR(config-rtr-echo-1)#buckets-of-history-kept 5

frequency
This command specifies how frequently to send a Response Time Reporter (RTR) probe. The value you configure for frequency must be larger than your configured timeout value so that a user cannot have a frequency of 1 second and a timeout of 1001 milliseconds.

Syntax
frequency {frequency-interval}

frequency-interval    How often to send a probe, ranging from 1 to 604,800 seconds.

Syntax of the no Form
The no form of this command returns to the default value:
no frequency

Mode
RTR Echo configuration: XSR(config-rtr-echo-xx)#

Default
Frequency: 60 seconds

Example
The following example sets the RTR frequency to 2 seconds:
XSR(config-rtr-echo-57)#frequency 2

map
This command associates a Response Time Reporter (RTR) with a map, an administratively assigned name.

Syntax
map {map-name}

map-name    Network management map to which the RTR belongs.

Syntax of the no Form
The no form of this command returns to the default value:
no map

Mode
RTR Echo configuration: XSR(config-rtr-echo-xx)#

Example
The following example creates an RTR map:
XSR(config-rtr-echo-57)#map "network in Peoria"

owner
This command binds a Response Time Reporter (RTR) owner (administrator) to a measurement entry.
Note: Because the Enterasys service level reporting MIB requires an owner to be created before an entry, an owner must be added first.

Syntax
owner {owner-name}

owner-name    Owner's name.

Syntax of the no Form
The no form of this command removes any configured owner:
no owner

Mode
RTR Echo configuration: XSR(config-rtr-echo-xx)#

Example
The following example specifies the RTR owner:
XSR(config-rtr-echo-57)#owner operator1

request-data-size
This command specifies the Response Time Reporter (RTR) payload size.

Syntax
request-data-size {payload-size}

payload-size    Requested payload size, ranging from 12 to 16384 bytes.

Syntax of the no Form
The no form of this command returns to the default value:
no request-data-size

Mode
RTR Echo configuration: XSR(config-rtr-echo-xx)#

Default
Payload size: 12 bytes

Example
The following example limits the RTR payload size to 32 bytes:
XSR(config-rtr-echo-57)#request-data-size 32

tag
This command specifies an identifier (name) for this Response Time Reporter (RTR) measurement.

Syntax
tag {name-tag}

name-tag    Name assigned to this measurement.

Syntax of the no Form
The no form of this command removes any configured tag:
no tag

Mode
RTR Echo configuration: XSR(config-rtr-echo-xx)#

Example
The following example specifies the RTR name:
XSR(config-rtr-echo-57)#tag "one-way packet loss"

timeout
This command specifies a timeout for the Response Time Reporter (RTR). Be aware that the timeout value must be smaller than the frequency value. So, a user cannot have a frequency of 1 second and a timeout of 1001 milliseconds.

Syntax
timeout {timeout-value}

timeout-value    Timeout, ranging from 1 to 604800000 milliseconds.

Syntax of the no Form
The no form of this command returns to the default value:
no timeout

Mode
RTR Echo configuration: XSR(config-rtr-echo-xx)#

Default
5000 milliseconds

Example
The following example resets the RTR timeout to 500 milliseconds:
XSR(config-rtr-echo-57)#timeout 500

type
This command specifies the type of Response Time Reporter (RTR) measurement to be performed, ICMP Echo, as well as the destination and source host IP addresses.

Syntax
type {echo} protocol {ipIcmpEcho} dst [source-ipaddr src]

dst    IP address of the destination host.
src    IP address used as the source.

Mode
RTR configuration: XSR(config-rtr-xx)

Next Mode
RTR Echo configuration: XSR(config-rtr-echo-xx)

Example
The following example sets the RTR type and acquires RTR Echo mode:
XSR(config-rtr-57)#type echo protocol ipIcmpEcho 192.168.57.3
XSR(config-rtr-echo-57)


RTR-mode Commands

rtr
This command creates a Response Time Reporter (RTR) entry. The following are subcommands:
rtr owner registers the RTR administrator. Go to page 1-43 for the command description.
rtr schedule configures when an RTR entry will be run. Go to page 1-44 for the command description.

Syntax
rtr operation-id

operation-id    Measurement ID number, ranging from 1 to 2,147,483,647.

Mode
Global configuration: XSR(config)#

Next Mode
RTR configuration: XSR(config-rtr-xx)#

Example
The following command configures RTR entry 1 and acquires RTR mode:
XSR(config)#rtr 1
XSR(config-rtr-1)#

rtr owner
This command registers the Response Time Reporter (RTR) administrator (owner).

Syntax
rtr owner {owner-name}[ipAddress][quota quota][email email][sms sms]

owner-name    Owner's name which is case-sensitive and must contain no spaces.
ipAddress     IP address of the management entity.
quota         Maximum number of records for this owner in the Enterasys service level reporting MIB history table, ranging from 1 to 10,500.
email         Owner's Email address.
sms           Owner's SMS phone number. It must not contain a space.

Mode
Global configuration: XSR(config)#

Default
Quota: 700

Example
The following example registers the RTR owner:
XSR(config)#rtr owner operator1 192.168.57.5 email larrycurtis@enterays.com quota 1000

rtr schedule
This command schedules a Response Time Reporter (RTR) entry.

Syntax
rtr schedule operation-id [[life {forever | lifetime}] start-time {hh:mm:[ss][month day | day month] | pending | now | after hh:mm:ss}]

operation-id    Measurement ID number, ranging from 1 to 2,147,483,647.
lifetime        Entry lifespan, ranging from 1 to 2,147,483,647 seconds.
hh:mm:ss        Time in hours, minutes and seconds.
day             Day of the month.
month           Month of the year.
pending         Operation will not begin. This state is meaningful when used by SNMP.

After an entry is scheduled, all supported metrics meaningful to the protocol type will be measured.

Mode
Global configuration: XSR(config)#

Default
pending

Example
The following example schedules the RTR measurement immediately:
XSR(config)#rtr schedule 1 now


RTR Show Commands

show rtr operation-state
This command displays the current operational state of the Response Time Reporter (RTR).

Syntax
show rtr operation-state [operation-id]

operation-id    Measurement ID, ranging from 1 to 2,147,483,647.

Mode
EXEC configuration: XSR>

Sample Output
The following is sample output from the command:
XSR>show rtr operation-state 57
RTR Entry Number: 1
Number of Operations Attempted: 84
Timeout Occurred: FALSE
Operational State of Entry: INACTIVE

show rtr configuration
This command displays your configuration of the Response Time Reporter (RTR).

Syntax
show rtr configuration [operation-id]

operation-id    Measurement ID number, ranging from 1 to 2,147,483,647.

Mode
EXEC configuration: XSR>

Sample Output
The following is sample output from the command:
XSR>show rtr configuration
RTR Entry Number: 1
Owner: monitor
Tag: all metrics
Map: network in Peoria
Type of Operation to Perform: echo
Operation Frequency (seconds): 60
Operation Timeout (milliseconds): 5000
Status of Entry (SNMP RowStatus): active
Protocol Type: ipIcmpEcho
Target Address: 192.168.57.3
Source Address: 192.168.57.43
Request Size (data portion): 12
Life (seconds): 5000
Next Scheduled Start Time: Start Time already passed
Number of History Buckets kept: 15

show rtr history
This command displays the measurement history of the Response Time Reporter (RTR).

Syntax
show rtr [operation-id]

operation-id    Measurement ID number, ranging from 1 to 2,147,483,647.

Mode
EXEC configuration: XSR>

Sample Output
The following is sample output from the command:
XSR>show rtr history 57
Owner: operator-toronto
Target Address: 1.1.1.1
NET HISTORY TABLE
Bucket   Sequence   TimeStamp         Delay (ms)   Packet Loss
Entry    Number
1        96         11:2:1 Sept 1     3            FALSE
2        97         11:2:1 Sept 2     3            FALSE
3        98         11:2:1 Sept 3     3            FALSE
4        99         11:2:1 Sept 4     3            FALSE
AGGR HISTORY TABLE
Bucket   Sequence   TimeStamp         Average Delay (ms)   Average Pkt Loss %   Jitter (ms)
Entry    Number
1        11         10:42:1 Sept 1    3                    0                    0
2        12         10:52:1 Sept 2    3                    0                    0
3        13         11:22:1 Sept 3    3                    0                    0


2
Configuring T1/E1 and T3/E3 Subsystems
Observing Syntax and Conventions
The CLI Syntax and conventions use the notation described in the following table.

Convention            Description
xyz                   Key word or mandatory parameters (bold)
[x]                   [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]           [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}           { | } Braces with vertical bar indicate a choice of a required value
[x {y | z} ]          [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)       xx signifies interface type and number, e.g.: F1, S2/1.0, D1, M57, G3. F indicates a FastEthernet, and G a GigabitEthernet interface
Next Mode             Next Mode entries display the CLI prompt after a command is entered
soho.enterasys.com    Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

T1/E1 & T3/E3 Commands

The following commands define T1/E1/T3/E3 subsystem functionality:
T1/E1 & T3/E3 Commands on page 2-55.
T1/E1 and T3/E3 Clear and Show Commands on page 2-74.
Drop and Insert Commands on page 2-80.
Note: The configuration commands for T1/E1 ports that occupy T3/E3 lines are the same commands that exist for T1/E1 NIM cards.


cablelength
For T3 controllers only
This command specifies the distance of cabling from the XSR to the network equipment for a T3 NIM card only.
Note: Although you can specify cable length from 0 to 450 feet, the XSR recognizes only two ranges: 0 to 224 and 225 to 450. For example, entering 35 feet selects the 0 to 224 range. If you later change the cable length to 40 feet, there is no change because 40 falls within the 0 to 224 range. But, if you change the cable length to 350, the 225 to 450 range is selected. The actual length you enter is stored in the configuration file.

Syntax
cablelength feet

feet    Distance to set the cable length, ranging from 0 to 450 feet.

Syntax of the no Form
The no form of this command sets the cable length to the default value:
no cablelength

Mode
Controller configuration: XSR(config-controller xx)#

Default
224 feet

Example
The following example configures the T3 controller in slot 1, card 2 with line source clocking, M13 framing, in channelized mode, and a cable length of 225 feet:
XSR(config)#controller t3 1/2/0
XSR(config-controller<T3-1/2/0>)#channelized
XSR(config-controller<T3-1/2/0>)#clock source line
XSR(config-controller<T3-1/2/0>)#framing m13
XSR(config-controller<T3-1/2/0>)#cablelength 225

cablelength long
For T1 controllers only
This command decreases the pulse from the transmitter for long haul applications on T1 controllers only. In long haul applications (length of the haul longer than 655 ft, CSU interface) the transmit pulse masks are optionally generated according to ANSI T1.403 to reduce crosstalk on the received signals. This feature is provided by placing a transmit attenuator in the data path. This attenuation is selectable from 0, 7.5, 15, or 22.5 dB.
Note: Long haul line build-out (LBO) compensates for the loss in decibels based on the distance from the device to the first repeater in the circuit. A longer distance from the device to the repeater requires that the signal strength on the circuit be boosted to compensate for loss over that distance. The ideal signal strength should be between -15 dB and -22 dB, which is calculated by adding the Telecom/PTT company loss + cable length loss + line build out. The lengthening or building out of a line is used to control far-end crosstalk. Line build-out attenuates the stronger signal from the customer installation transmitter so that the transmitting and receiving signals have similar amplitudes.

Syntax
cablelength long{0db | -7.5db | -15db | -22.5db}

0db        Number of decibels by which the transmit signal is lowered.
-7.5db     Number of decibels by which the transmit signal is lowered.
-15db      Number of decibels by which the transmit signal is lowered.
-22.5db    Number of decibels by which the transmit signal is lowered.

Syntax of the no Form
Use the no form of this command to return the LBO value to the default:
no cablelength long

Defaults
0 dB

Mode
Controller configuration: XSR(config-controller<xx>)#

Example
The following example sets the long haul LBO to 7.5 dB:
XSR(config)#controller t1 1/0
XSR(config-controller<T1-1/0>)#cablelength long 7.5db

cablelength short
For T1 controllers only
This command specifies the pulse shape of the transmit signals as defined in the ANSI T1.102 recommendation for short haul applications.
These applications apply to haul lengths shorter or equal to 655 (DSX-1 interface). This parameter is used to obtain an optimal pulse shape for external transformers. Five haul length ranges are defined, each with different pulse shaping settings: 0..133 ft (0..40 m), 133..266 ft (40..81 m), 266..399 ft (81..122 m), 399..533 ft (122..162 m), and 533..655 ft (162..200 m).

Syntax
cablelength short{133 | 266 | 399 | 533 | 655}

133    0 to 133 feet (cable length for short haul pulse shaping).
266    134 to 266 feet (cable length for short haul pulse shaping).
399    267 to 399 feet (cable length for short haul pulse shaping).
533    400 to 533 feet (cable length for short haul pulse shaping).
655    534 to 655 feet (cable length for short haul pulse shaping).

Syntax of the no Form
The no form of this command returns the value to the default setting:
no cablelength short

Defaults
133 feet

Mode
Controller configuration: XSR(config-controller<xx>)#

Example
The following example sets the short haul LBO to 266 feet:
XSR(config)#controller t1 1/0
XSR(config-controller<T1-1/0>)#cablelength short 266

channel-group
For T1/E1 controllers only
This command specifies timeslots that map to channel groups for T1/E1/ISDN-PRI data lines (for channelized/fractional T1/E1/ISDN-PRI services).
Timeslots and fractional/channelized T1/E1 groups allow multiple logical WAN interfaces to be created out of a single channelized T1 or E1 controller port. The logical interfaces created can have different encapsulation types: PPP, Frame Relay, etc. For each channel group (a fraction of a T1/E1/ISDN-PRI line), the following values must be set:
1. The channel group must be identified by a channel group number.
2. One or more timeslots of the T1/E1/ISDN-PRI line must be assigned to a particular channel group.
3. The base speed increment for the single channel can be specified in kilobits per second.

Syntax
channel-group number timeslots range [speed {56 | 64}]

number    Channel group number, ranging from 0 to 23 for T1 and 0 to 30 for E1 data lines.
range     Assigns one or more timeslots or a range of timeslots to a channel group, ranging from 1 to 24 for T1 and 1 to 31 for E1.
speed     Line speed of the T1/E1 link in kilobits per second.

Syntax of the no Form
Use the no form of the command to remove a channel group:
no channel-group number

Defaults
Speed: 64 kbps for both T1 and E1 controllers.

Mode
Controller configuration: XSR(config-controller<xx>)#

Example
The following example issues the channel-group command for T1 controller configuration. Two channels are created: the first creates group number 0 with timeslots 1 to 10; the second creates group number 1 with timeslots 11 to 20, both with default speeds of 64 kbps.
XSR(config)#controller t1 1/0
XSR(config-controller<T1-1/0>)#description T1 for Acme
XSR(config-controller<T1-1/0>)#framing esf
XSR(config-controller<T1-1/0>)#linecode b8zs
XSR(config-controller<T1-1/0>)#channel-group 0 timeslot 1-10
XSR(config-controller<T1-1/0>)#channel-group 1 timeslot 11-20

clock source
This command defines the clock source for a T1/E1 or T3/E3 line. It is needed because of synchronous transmission of data on digital interfaces as in the case of T1/E1 or T3/E3 lines. The clock source sets the required timing synchronization between the transmitter and receiver using line and internal settings.

Syntax
clock source {line | internal}

line        Clock derived from the T1/E1 or T3/E3 line provider.
internal    Clock from a chip on the T1/E1 or T3/E3 controller card.

Syntax of the no Form
The no form of this command returns the value to the default setting:
no clock source

Default
Line

Mode
Controller configuration: XSR(config-controller<xx>)#

Examples
The following example configures the T1 controller on NIM 1, port 0 (first port), with ESF framing, B8ZS line encoding and line source clocking:
XSR(config-controller<T1-1/0>)#framing esf
XSR(config-controller<T1-1/0>)#linecode b8zs
XSR(config-controller<T1-1/0>)#clock source line

This example sets the E3 controller with line source clocking and a national reserved bit of 0:
XSR(config-controller<E3-1/2/0>)#clock source line
XSR(config-controller<E3-1/2/0>)#national bit 0

controller
This command configures a T1/E1 or T3/E3 controller. You can invoke controller when a T1/E1 or T3/E3 NIM card is present on the XSR. This command automatically provides a full-rate channel group on port 0, by default, and acquires Controller mode in which additional commands defining clock source, framing, line encoding, and others must be executed to configure the controller. For T1/E1 controllers only, if you prefer to configure a channel other than 0, you can manually create a channel group using all timeslots and proceed with port configuration.
If no additional commands are specified in this mode, a default non-channelized port is created with default values.

Syntax
controller {t1 | e1 | t3 | e3}{slot/card/port}
controller {t1 | e1 | t3 | e3}{card/port}

t1     A T1 controller.
e1     An E1 controller.
t3     A T3 (44.736 Mbps) controller.
e3     An E3 (34.368 Mbps) controller.
slot   Sets the number of the slot in a system with multiple card slots. The motherboard is slot zero (0). Slot number 0 can be omitted.
card   Sets the NIM card number in the card slot (1 or 2).
port   Sets the number of the port on the slot or the port number on a NIM card, starting with zero. Valid choices are:
       - First port in first NIM card: 0/1/0 or simply 1/0.
       - Second port in second NIM card: 0/2/0 or simply 2/0.


Syntax of the no Form


The no form of this command deletes the defined controller:
no controller {t1 | e1 | t3 | e3}{slot/card/port}
no controller {t1 | e1 | t3 | e3}{card/port}

Mode
Global configuration: XSR(config)#

Next Mode
Controller configuration: XSR(config-controller<xx>)#

Default
Full rate

Examples
The following example sets the T1 NIM on board 1, port 0 (first port) and maps timeslots to the channel group. Also, it assigns an IP interface, sets PPP encoding and enables Serial port 1/0:
XSR(config-controller)#controller t1 1/0
XSR(config-controller<T1-1/0>)#clock source line
XSR(config-controller<T1-1/0>)#framing esf
XSR(config-controller<T1-1/0>)#channel-group 0 timeslots 1,3-5,8
XSR(config-controller<T1-1/0>)#no shutdown
XSR(config)#interface serial 1/0:0
XSR(config-if<S1/0:0>)#ip address 10.1.11.2 255.255.255.0
XSR(config-if<S1/0:0>)#encapsulation ppp
XSR(config-if<S1/0:0>)#no shutdown

This example sets the E1 NIM on board 1, port 0 (first port) to use all channels at full rate:
XSR(config-controller)#controller e1 1/0
XSR(config-controller<E1-1/0:0>)#no shutdown
XSR(config)#interface serial 1/0:0
XSR(config-if<S1/0:0>)#ip address 10.11.44.3 255.255.255.0
XSR(config-if<S1/0:0>)#encapsulation ppp
XSR(config-if<S1/0:0>)#no shutdown

The following example configures the T3 controller in slot 1, card 1:
XSR(config)#controller t3 1/1/0
XSR(config-controller<T3-1/1/0>)#clock source line

crc
For T1/E1 controllers only
This command sets the length of the Cyclic Redundancy Check (CRC) per channel group. CRC length can be set to 16 or 32 bits of the Frame Check Sequence (FCS). A 32-bit CRC provides more powerful error detection but adds overhead. Both receiver and sender must use the same setting.

Syntax
crc {16 | 32}

16 or 32   CRC size in bits per channel group or fractional link (port).

Syntax of the no Form
The no form of this command returns to the default setting:
no crc

Default
16

Mode
Interface configuration: XSR(config-if<xx>)#

Example
This example enables the 32-bit CRC on the T1 interface:
XSR(config)#interface serial 1/0:2
XSR(config-if<S1/0:2>)#crc 32

description
This command identifies the T1/E1 or T3/E3 controller. The description string provides a more descriptive name/comment for a particular T1/E1 or T3/E3 line. This parameter can be a string value of arbitrary length (max 80 characters). In all statistics reporting, this value identifies the T1/E1 or T3/E3 line in a more descriptive way. This command is functional for all serial interfaces.

Syntax
description string

string   Comment (up to 80 characters) describing the T1/E1 or T3/E3 controller. Quotations are mandatory.

Syntax of the no Form
The no form of the command deletes the description:
no description

Mode
Controller configuration: XSR(config-controller<xx>)#

Examples
The following example configures the T1 controller in board (NIM card) 1, port 0 (first port), with ESF framing, B8ZS line encoding and line source clocking with a description added:

XSR(config)#controller t1 1/0
XSR(config-controller<T1-1/0>)#framing esf
XSR(config-controller<T1-1/0>)#linecode b8zs
XSR(config-controller<T1-1/0>)#clock source line
XSR(config-controller<T1-1/0>)#description Acmes T1

The following example describes the T3 controller in slot 1, card 2:
XSR(config)#controller t3 1/2
XSR(config-controller<T3-1/2/0>)#description T3 Up at ACME

dsu mode
For T3/E3 un-channelized controllers only
This command configures an unchannelized sub-rate T3/E3 port to emulate a proprietary Data Service Unit (DSU) scheme. The XSR supports interoperability with a wide range of third-party DSU vendors.
Local DSU mode configuration must match the remote configuration, so you must know what type of DSU is connected to the remote port to determine if it interoperates with a T3 or E3 NIM. This command enables interoperability with providers using various T3 or E3 DSUs to provision the T3/E3 line.

Syntax
dsu mode {digitallink | kentrox | larscom | adtran | verilink}

digitallink   Digitallink mode connects the T3/E3 controller to a Digital Link, CISCO, or Quick Eagle DSU.
kentrox       Kentrox mode connects the T3/E3 controller to a Kentrox DSU.
larscom       Larscom mode links the T3 controller to a Larscom DSU.
adtran        Adtran mode connects the T3 controller to an Adtran T3SU 300.
verilink      Verilink mode connects the T3 controller to a Verilink HDM 2182.

Syntax of the no Form
The no form of this command sets the DSU mode to the default value:
no dsu mode

Mode
Controller configuration: XSR(config-controller xx)#

Example
The following example configures the T3 controller in slot 1, card 2 with line source clocking, M13 framing, in unchannelized mode, with a cable length of 250 feet, and DSU interoperability mode set to an Adtran DSU:
XSR(config)#controller t3 1/2/0
XSR(config-controller<T3-1/2/0>)#no channelized
XSR(config-controller<T3-1/2/0>)#clock source line

XSR(config-controller<T3-1/2/0>)#framing m13
XSR(config-controller<T3-1/2/0>)#cablelength 250
XSR(config-controller<T3-1/2/0>)#dsu mode adtran

dsu bandwidth
For T3 controllers only
This command specifies the peak allowable bandwidth used by the T3/E3 port. DSU bandwidth configuration must match the remote configuration and it is important that you know the bandwidth value set on the remote port. For example, if you reduce the bandwidth to 7,000 kbps on the local port, you must do the same on the remote port. This command reduces bandwidth by padding the T3/E3 frame.
For E3 ports in bypass framing mode, DSU bandwidth defaults to 34,368 kbps.
Even though the XSR lets you configure a continuous range of bandwidths in sub-rate modes, vendors support bandwidths only in certain values. So, the XSR sets the user-configured bandwidth to the closest vendor-supported bandwidth (refer to Table 2-1) and a message is displayed showing the new bandwidth. Use the show controller command to view the vendor-supported bandwidth the XSR sets.

Note: DSU bandwidth is configurable only for an unchannelized T3/E3 port.

Table 2-1   Vendor DSU Bandwidth

DSU                               DSU Mode     Bandwidth Range (kbps)                        Step Size (kbps)
Digital Link, Quick Eagle, Cisco  digitallink  300-44210 (T3), 358-34010 (E3)                300.746 (T3), 358 (E3)
Kentrox                           kentrox      1500-35000/44210 (T3), 1000-24500/34010 (E3)  500 (T3/E3)
Larscom                           larscom      3100-44210 (T3)                               3158 (T3)
Adtran                            adtran       75-44210 (T3)                                 75.186 (T3)
Verilink                          verilink     1500-44210 (T3)                               1579 (T3)
No DSU                            none         44210 (T3), 34099.5 (E3)                      Fixed full rate

Syntax
dsu bandwidth bandwidth

bandwidth   Peak bandwidth allowed for the selected DSU, ranging from 1 to 44,210 kbps (T3) and 1 to 34,100 kbps (E3).

Syntax of the no Form
The no form of this command sets the DSU bandwidth to the default:
no dsu bandwidth


Mode
Controller configuration: XSR(config-controller xx)#

Default
T3: 44,210 kbps (full rate)
E3: 34,099.5 kbps (full rate)

Example
The following example configures the T3 controller in slot 1, card 2 with line source clocking, M13 framing, in unchannelized mode, with a cable length of 250, DSU interoperability mode set to a Kentrox DSU, and a DSU bandwidth of 44,210 kbps:
XSR(config)#controller t3 1/2/0
XSR(config-controller<T3-1/2/0>)#no channelized
XSR(config-controller<T3-1/2/0>)#clock source line
XSR(config-controller<T3-1/2/0>)#framing m13
XSR(config-controller<T3-1/2/0>)#cablelength 250
XSR(config-controller<T3-1/2/0>)#dsu mode kentrox
XSR(config-controller<T3-1/2/0>)#dsu bandwidth 44210
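
The closest-rate behaviour described for dsu bandwidth, worked through in Python as an added example (not Enterasys code). The guide does not give the rounding rule, so the example assumes that supported rates are whole multiples of the Table 2-1 step size, capped at the range maximum, plus the value after the slash for Kentrox; all function and table names are hypothetical.

```python
"""Closest vendor-supported DSU bandwidth from Table 2-1 (added example, not XSR code)."""

# (dsu mode, line type) -> (min kbps, max stepped kbps, step kbps, extra full-rate kbps)
# Values are transcribed from Table 2-1; None means no separate full-rate entry.
TABLE_2_1 = {
    ("digitallink", "t3"): (300, 44210, 300.746, None),
    ("digitallink", "e3"): (358, 34010, 358, None),
    ("kentrox", "t3"): (1500, 35000, 500, 44210),
    ("kentrox", "e3"): (1000, 24500, 500, 34010),
    ("larscom", "t3"): (3100, 44210, 3158, None),
    ("adtran", "t3"): (75, 44210, 75.186, None),
    ("verilink", "t3"): (1500, 44210, 1579, None),
    ("none", "t3"): (44210, 44210, 44210, None),        # fixed full rate
    ("none", "e3"): (34099.5, 34099.5, 34099.5, None),  # fixed full rate
}


def supported_rates(mode, line):
    """List the rates assumed to be supported for one DSU mode and line type."""
    try:
        lo, hi, step, full = TABLE_2_1[(mode, line)]
    except KeyError:
        raise ValueError(f"Table 2-1 lists no {line.upper()} range for dsu mode {mode!r}")
    # Assumption: the grid is n * step; the table minimum is the first multiple, rounded.
    first = max(1, round(lo / step))
    last = max(first, round(hi / step))
    rates = [min(n * step, hi) for n in range(first, last + 1)]
    if full is not None:
        rates.append(full)
    return rates


def closest_supported(mode, line, requested_kbps):
    """Rate the router would settle on for a requested 'dsu bandwidth' value."""
    return min(supported_rates(mode, line), key=lambda r: abs(r - requested_kbps))


def remote_matches(mode, line, local_kbps, remote_kbps):
    """True when both ends land on the same supported rate, as the guide requires."""
    return closest_supported(mode, line, local_kbps) == closest_supported(mode, line, remote_kbps)


if __name__ == "__main__":
    # The guide's own example value: 7,000 kbps requested on the local port.
    for dsu in ("digitallink", "kentrox", "larscom", "adtran", "verilink"):
        print(f"dsu mode {dsu:<12} dsu bandwidth 7000 -> {closest_supported(dsu, 't3', 7000):.3f} kbps")
```

Comparing the rate reported by show controller on both ends, rather than the typed values, is what confirms the two ports agree.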

e-bit-reset
This command sets the E-bit in the E1 frame to zero while the port is in an asynchronous state.

Syntax
e-bit-reset

Syntax of the no Form
The no form of this command negates the E-bit reset:
no e-bit-reset

Mode
Controller configuration: XSR(config-controller)#

Example
The following example resets the E-bit on the E1 controller:
XSR(config-controller<E1-1/2/0>)#e-bit-reset


equipment
For T3/E3 controllers only
This command configures the T3/E3 controller as network or customer equipment and operates according to the T1.403 ANSI standard, allowing equipment configured as network equipment to disregard network loopback commands from the far-end device.
Note: Since remote loopback requests are available only when C-bit framing is invoked for a T3 port, the equipment command is useful only when framing is set to C-bit.

Syntax
equipment {customer | network} loopback

customer   Controller set as customer equipment. It allows a remotely activated (feac) payload loop from the T3 line.
network    Controller set as network equipment. It disallows remotely activated (feac) payload loop from the T3 line.

Syntax of the no Form
The no form of this command sets the equipment value to its default:
no equipment

Mode
Controller configuration: XSR(config-controller)#

Default
Customer equipment

Example
The following example sets the T3 controller in slot 1, card 2 as network equipment:
XSR(config-controller<T3-1/2/0>)#equipment network loopback

framing
This command sets the T1/E1 or T3/E3 framing type. Framing must match between the circuit provider and the T1/E1 or T3/E3 interface, with the circuit provider determining which framing type is required.
Framing type defines the type and format of the transmission frame for T1 or E1 lines. T1 lines have two frame formats: SF (Super Frame, D4, F12) and ESF (Extended SF). E1 lines have these frame formats: CRC4 (multiframe) and NO-CRC4 (double frame).
For unchannelized T3 ports, the C-bit framing format is available with M13 as an option. For both channelized and unchannelized E3 ports, the G751 frame format is available. Also, the bypass framing format specifies that the G.751 framing format will be bypassed.


Note: The C-bit T3 parity framing format is an enhancement of the original M13 format. The main difference is the C-bit framing format always stuffs the first bit of the 8th block in each sub-frame. So, in C-bit format, C-bits permit greater management and performance functions on the M frame.

Syntax
framing {sf | esf} (T1)
framing {crc4 | no-crc4} (E1)
framing {c-bit | m13} (T3)
framing {g751 | bypass} (E3)

sf        T1 frame type set to Super Frame (D4, F12).
esf       T1 frame type set to Extended Super Frame.
c-bit     T3 frame type set to C-bit.
m13       T3 unchannelized frame type set to M13.
crc4      E1 frame type set to CRC4 frame.
no-crc4   E1 frame type set to no-CRC4 frame.
g751      E3 frame type set to G.751.
bypass    E3 frame type set to be bypassed. Unchannelized implied.

Syntax of the no Form
Return to the default framing setting by using the no form:
no framing

Defaults
T1: ESF
E1: CRC4
T3: c-bit
E3: g751

Mode
Controller configuration: XSR(config-controller<xx>)#

Example
The following example configures the T1 controller on NIM card 0, port 0, with ESF framing:
XSR(config)#controller t1 1/0
XSR(config-controller<T1-1/0>)#framing esf

This example sets the T3 controller with line source clocking, M23 framing, and channelized mode:
XSR(config-controller<T3-1/2/0>)#channelized
XSR(config-controller<T3-1/2/0>)#clock source line
XSR(config-controller<T3-1/2/0>)#framing m13

interface serial
This command configures the Serial interface automatically created by the controller command in conjunction with T1/E1 and T3/E3 NIM operations. The T3 module offers channels to PPP and Frame Relay protocol stacks. T3/E3 Serial channels are configured and monitored similar to serial channels provisioned via T1/E1 and serial NIMs. For full- and sub-rate T3 or E3 mode, the port and channel setting is 0 only.

Syntax
interface serial {slot | card | port0 | channel0}

slot   Slot number of a system from 0 to 6 card slots. The motherboard is slot zero. If the slot number is 0, it can be omitted.
card   Defines NIM card number in the card slot: 1 or 2.
port   Defines the port number on the slot or the port number on a NIM card, from 0 to 3.

Mode
Interface configuration: XSR(config-if<Sxx>)#

Example
The following example configures Serial interface 2/0:
XSR(config)#interface serial 2/0
XSR(config-if<S2/0>)#

international bit
For E3 controllers only
This command sets bits 6 and 8, respectively, of set II in the E3 frame.

Syntax
international bit {0 | 1}{0 | 1}

0 | 1   Value of the first international bit in the G.751 frame.
0 | 1   Value of the second international bit in the G.751 frame.

Syntax of the no Form
The no form of this command sets the international bits to the default:
no international bit

Mode
Controller configuration: XSR(config-controller xx)#

Default
First international bit: 0
Second international bit: 0

Example
The following example configures the E3 controller in slot 1, card 2 with line source clocking and international bits of 0 and 0:
XSR(config)#controller e3 1/2/0
XSR(config-controller<E3-1/2/0>)#clock source line
XSR(config-controller<E3-1/2/0>)#international bit 0 0

invert data
For T1/E1 controllers only
This command inverts the data stream. Data inversion is a method of avoiding excessive zeroes that is superseded by the use of B8ZS line encoding. However, in cases where the network or remote node does not support this type of line coding, data belonging to an HDLC stream can be inverted to satisfy requirements of the line.

Syntax
invert data

Syntax of the no Form
Disable inverting the data stream by using the command's no form:
no invert data

Default
Data is not inverted.

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example enables data inversion on the full-rate T1 interface in NIM card 1, port 0:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#invert data

linecode
For T1/E1 controllers only
This command defines the encoding type for T1/E1/ISDN PRI lines. Configuration must match the required setting of the service provider. The service provider determines which line encoding type is required. The following three encoding types can be configured:
- AMI (Alternate Mark Inversion)
- B8ZS (Bipolar 8 Zero Substitution, T1 only)
- HDB3 (High-density Bipolar 3, E1 only)

Syntax
linecode {ami | b8zs | hdb3}

ami    Alternate Mark Inversion (AMI) line encoding.
b8zs   Bipolar 8 Zero Substitution (B8ZS) line encoding. Used for T1 controllers only.
hdb3   High Density Bipolar 3 (HDB3) line encoding. Used for E1 controllers only.

Syntax of the no Form
Return to the default linecode setting by using the no form:
no linecode

Defaults
T1 line: B8ZS
E1 line: HDB3

Mode
Controller configuration: XSR(config-controller<xx>)#

Example
This example sets the T1 controller with ESF framing, and B8ZS line encoding:
XSR(config)#controller t1 1/0
XSR(config-controller<T1-1/0>)#framing esf
XSR(config-controller<T1-1/0>)#linecode b8zs

loopback
For T1/E1 controllers only
This command implements loopback tests on a T1/E1/ISDN PRI subsystem. Typically, it is used for diagnostic purposes although you can configure an IP address as a loopback interface as shown in the example. If you configure a loopback address for the XSR, it will be used as the Router ID. If there is no loopback address defined, the Router ID is the highest non-zero IP address of existing configured and active interfaces.
When a T1/E1/ISDN PRI line malfunctions, one troubleshooting option is to perform various loopback tests, for instance, isolating pieces of the link to test separately. Loopback testing should begin on the local router and proceed to testing the service/network provider. Be aware that all loopback testing is intrusive, and while loopback tests run, data transfers over the link are barred.

Syntax
loopback {diagnostic | local {line | payload}}

diagnostic      Loops the outgoing transmit signal back to the receive signal. Use the show t1/e1 controller command to check if loopback is set. Use show interface serial to verify that the channel groups are looped back.
local line      Local loopback mode loops the entire bandwidth of the T1/E1/ISDN PRI line toward the network. Use external equipment to verify that the T1/E1/ISDN PRI port is connected to the line.
local payload   Same as Local line, it merely loops back the T1 payload, that is, the XSR generates framing at 1.536 MBytes/sec.

Syntax of the no Form
no loopback

Default
Disabled

Mode
Controller configuration: XSR(config-controller<xx>)#

Examples
The following example initiates a local loopback test:
XSR(config)#controller t1 1/0
XSR(config-controller<T1-1/0>)#framing esf
XSR(config-controller<T1-1/0>)#linecode b8zs
XSR(config-controller<T1-1/0>)#channel-group 0 timeslot 1-24 speed 64
XSR(config-controller<T1-1/0>)#loopback local

The following example configures an IP address as a loopback interface:
XSR(config)#interface loopback 0
XSR(config-if<L0>)#ip address 193.23.24.1 255.255.255.255
XSR(config-if<L0>)#no shutdown

national bit
For E3 controllers only
This command sets the national bit in the E3 frame, bit 12.

Syntax
national bit {0 | 1}

0   Sets the national reserved bit to 0.
1   Sets the national reserved bit to 1.

Syntax of the no Form
The no form of this command sets the national bit to the default value:
no national bit


Mode
Controller configuration: XSR(config-controller xx)#

Default
1

Example
The following example configures the E3 controller in slot 1, card 2 with line source clocking and a national reserved bit of 0:
XSR(config)#controller e3 1/2/0
XSR(config-controller<E3-1/2/0>)#clock source line
XSR(config-controller<E3-1/2/0>)#national bit 0

scramble
For T3/E3 controllers only
This command assists clock recovery on the receiving end of a T3/E3 port by randomizing the pattern of 1s and 0s carried in the physical layer frame. Randomizing the bits can prevent continuous, non-variable bit patterns, in other words, long strings of all 1s or 0s.
Several physical layer protocols rely on transitions between 1s and 0s to maintain clocking. Scrambling can prevent some bit patterns from being mistakenly interpreted as alarms. The following conditions must be met:
- Scrambling is used only for full-rate/sub-rate T3/E3 ports and they must be configured as unchannelized for scrambling to take effect.
- Remote and local T3/E3 scrambling configuration must match.
- For T3 controllers, all DSU modes support scrambling except Clear mode.
- For E3 controllers, only Kentrox mode supports scrambling.
- This value is configurable only on an unchannelized T3/E3 port.

Syntax
scramble

Syntax of the no Form
The no form of this command disables scrambling:
no scramble

Mode
Controller configuration: XSR(config-controller xx)#

Default
Disabled

Example
The following example configures the T3 controller in slot 1, card 2 with line source clocking, M13 framing, in unchannelized mode, cable length of 250, DSU interoperability mode set to a Kentrox DSU, DSU bandwidth of 44210, and scrambling enabled:
XSR(config)#controller t3 1/2/0
XSR(config-controller<T3-1/2/0>)#no channelized
XSR(config-controller<T3-1/2/0>)#clock source line
XSR(config-controller<T3-1/2/0>)#framing m13
XSR(config-controller<T3-1/2/0>)#cablelength 250
XSR(config-controller<T3-1/2/0>)#dsu mode kentrox
XSR(config-controller<T3-1/2/0>)#dsu bandwidth 44210
XSR(config-controller<T3-1/2/0>)#scramble
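
The crc, dsu mode, dsu bandwidth, framing, linecode and scramble sections each say the setting must agree with the far end, and the scramble section adds its own preconditions. The following Python sketch, an added example that is not part of the guide or of Enterasys software, reads two controller transcripts written in the guide's prompt style and reports every disagreement; the remote and E3 transcripts are constructed samples and all function names are hypothetical.

```python
"""Compare two XSR controller transcripts for settings that must agree (added example)."""
import re

PROMPT = re.compile(r"^XSR\([^#]*\)#\s*")  # prompt style used in the guide's examples

# Defaults as listed in the guide's Default(s) sections.
TYPE_DEFAULTS = {
    "t1": {"framing": "esf", "linecode": "b8zs", "crc": "16"},
    "e1": {"framing": "crc4", "linecode": "hdb3", "crc": "16"},
    "t3": {"framing": "c-bit", "dsu bandwidth": "44210"},
    "e3": {"framing": "g751", "dsu bandwidth": "34099.5"},
}
COMMON_DEFAULTS = {"scramble": "off", "dsu mode": "none"}
VALUE_CMDS = ("dsu mode", "dsu bandwidth", "framing", "linecode", "crc")
MUST_MATCH = VALUE_CMDS + ("scramble",)


def parse(transcript):
    """Reduce a CLI transcript to the settings relevant to link agreement."""
    cfg = {"type": None, "unchannelized": False}
    for raw in transcript.strip().splitlines():
        cmd = PROMPT.sub("", raw.strip()).lower()
        ctl = re.match(r"controller (t1|e1|t3|e3)\b", cmd)
        if ctl:
            cfg["type"] = ctl.group(1)
        elif cmd in ("channelized", "no channelized"):
            cfg["unchannelized"] = cmd.startswith("no ")
        elif cmd in ("scramble", "no scramble"):
            cfg["scramble"] = "off" if cmd.startswith("no ") else "on"
        else:
            for key in VALUE_CMDS:
                if cmd.startswith(key + " "):
                    cfg[key] = cmd[len(key):].strip()
                elif cmd == "no " + key:
                    cfg.pop(key, None)  # the no form returns to the default
    for key, value in {**COMMON_DEFAULTS, **TYPE_DEFAULTS.get(cfg["type"], {})}.items():
        cfg.setdefault(key, value)
    return cfg


def check(local, remote):
    """Return one finding per setting that breaks a rule stated in the guide."""
    findings = []
    if local["type"] != remote["type"]:
        findings.append(f"controller type: local={local['type']} remote={remote['type']}")
    for key in MUST_MATCH:
        if local.get(key) != remote.get(key):
            findings.append(f"{key}: local={local.get(key)} remote={remote.get(key)}")
    for side, cfg in (("local", local), ("remote", remote)):
        if cfg["scramble"] != "on":
            continue
        if cfg["type"] not in ("t3", "e3"):
            findings.append(f"{side}: scramble applies to T3/E3 controllers only")
        if not cfg["unchannelized"]:
            findings.append(f"{side}: scramble set without 'no channelized'")
        if cfg["type"] == "e3" and cfg["dsu mode"] != "kentrox":
            findings.append(f"{side}: E3 scrambling needs dsu mode kentrox")
    return findings


# Local side: the guide's scramble example. Remote side: constructed for illustration.
LOCAL = """
XSR(config)#controller t3 1/2/0
XSR(config-controller<T3-1/2/0>)#no channelized
XSR(config-controller<T3-1/2/0>)#clock source line
XSR(config-controller<T3-1/2/0>)#framing m13
XSR(config-controller<T3-1/2/0>)#cablelength 250
XSR(config-controller<T3-1/2/0>)#dsu mode kentrox
XSR(config-controller<T3-1/2/0>)#dsu bandwidth 44210
XSR(config-controller<T3-1/2/0>)#scramble
"""
REMOTE = """
XSR(config)#controller t3 1/1/0
XSR(config-controller<T3-1/1/0>)#no channelized
XSR(config-controller<T3-1/1/0>)#clock source line
XSR(config-controller<T3-1/1/0>)#framing m13
XSR(config-controller<T3-1/1/0>)#dsu mode adtran
XSR(config-controller<T3-1/1/0>)#dsu bandwidth 7000
"""
# Constructed E3 sample that violates two of the scramble conditions.
E3_SAMPLE = """
XSR(config)#controller e3 1/2/0
XSR(config-controller<E3-1/2/0>)#dsu mode digitallink
XSR(config-controller<E3-1/2/0>)#scramble
"""

if __name__ == "__main__":
    for finding in check(parse(LOCAL), parse(REMOTE)):
        print(finding)
```

Clock source is deliberately left out of the comparison, because the guide does not require it to be identical on both ends.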

shutdown
This command disables a T1/E1/ISDN PRI controller or the T3/E3 controller and all interfaces related to it. The command does not require any specific booting procedure and can be performed dynamically during system runtime. When the interface is created, it is disabled by default.
Disabling a T3/E3 controller causes a T3 port to transmit:
- An Alarm Indication Signal (AIS) for M13 framing.
- An idle signal (for C-bit framing).

Ten seconds must elapse for alarms to clear after enabling a T3 port. Shutting down a controller causes an E3 port to transmit AIS.
Note: The AIS, also known as a blue alarm, is transmitted to notify the downstream device that an upstream line failure has occurred.

There is a short delay for alarms to clear after enabling an E3 port. It takes 10 seconds for alarms to clear after enabling a T3 port.

Syntax
shutdown

Syntax of the no Form
The no form of this command restores the previously configured T1/E1 controller and interface. Also, it re-enables a T1/E1/ISDN PRI channel and associated serial interface:
no shutdown

Mode
Controller configuration: XSR(config-controller xx)#

Default
Disabled

Examples
The following example disables a T1 controller:
XSR(config)#controller t1 1/0
XSR(config-controller<T1-1/0>)#shutdown

The following example re-enables a T3 controller:
XSR(config)#controller t3 1/2/0
XSR(config-controller<T3-1/2/0>)#no shutdown

T1/E1 and T3/E3 Clear and Show Commands

clear controller
This command clears controller counters for individual T1/E1 or T3/E3 controllers. It clears only counters shown with show commands; all SNMP-related counters are not cleared. It does not reset or bring down the controller.

Syntax
clear controller {t1 | e1 | t3 | e3}{slot/card/port}
clear controller {t1 | e1 | t3 | e3}{card/port}

t1     T1 type controller.
e1     E1 type controller.
t3     T3 type controller.
e3     E3 type controller.
slot   Slot number of a system, ranging from 0 to 6. The motherboard is slot zero. If the slot number is 0, it can be omitted.
card   NIM card number in the card slot, ranging from 1 to 2.
port   Port number on a NIM card, ranging from 0 to 3.

Mode
Privileged EXEC: XSR#

Examples
The following example clears the T1 controller counters for board (NIM card) 1, port 0 (first port):
XSR#clear controller t1 1/0
Clear counters on controller 1/0 [confirm]

The following example clears the T3 controller in slot 1 and card 1:
XSR#clear controller t3 1/1/0
Clear counters on controller 1/1 [confirm]


show controllers
This command displays the status and statistics for any controller. The T1/E1, T3/E3, and ATM subsystems track various status and statistical parameters, including the current controller configuration. The command also displays Maintenance Data Link (MDL) information (received strings) if MDL is configured and framing is set to C-bit on T3 NIMs.
Notes: The network can remotely test the XSR's T1 ports by placing them in loopback. If this occurs, the controller will change state to DOWN for the duration of the test even if it remains synchronized.
Statistics displayed with the show controllers command are reset every 24 hours. That is, once the port or line is created with the controller command, the 24-hour timer starts.

Syntax
show controllers {interface-type} slot | card | port
show controllers {interface-type} slot | port

interface-type   XSR interface type: ATM, BRI, ISDN, T1, E1, T3, E3, Fast/GigabitEthernet, or Serial.
slot             Slot number of a system from 0 to 6 card slots. The motherboard is slot zero. If the slot number is 0, it can be omitted.
card             NIM card number in the card slot: 1 or 2.
port             Port number on the slot or the port number on a NIM card, from 0 to 3.

Mode
Privileged EXEC: XSR#

Default
T3/E3: Short display

Sample Output
This command displays T1 controller statistics with two channel groups:
T1 0/2/1 is Admin Up and Oper Up.
T1 with CSU Interface.
Applique type is Channelized T1.
Central Office (Network) loopback is set as line.
No alarms detected.
Loopback is set as none.
Cablelength long is 0db and Cablelength short is 133ft.
Framing is esf, Line Encoding is b8zs, Clock Source is line.
Description: None
Alarms Detected: None
Rx signal level -0.0DB (Accuracy:+/-3DB) [NULL string]
Bypass time slots table ( * data time slots on s/c/0 and s/c/1):
                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2
        1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
Rx ABCD * * * * * * F F 0 * F F F F F F F F F F F F F F
Channel 1: Timeslots 1,2,3,4,5,6,7,8,9,10 64kbps Base rate
Channel 2: Timeslots 12,13 56kbps Base rate
Data in current interval (502 seconds elapsed):
0 Line Code Violations
0 Path Code Violations
0 Slip Seconds
0 Frame Loss Seconds
0 Line Error Seconds [string]
0 Degraded Minutes
0 Errored Seconds
0 Bursty Error Seconds
0 Severely Error Seconds
0 Unavailable Seconds
Total Data (last 24 hours):
0 Line Code Violations
0 Path Code Violations
0 Slip Seconds
0 Frame Loss Seconds
0 Line Error Seconds
0 Degraded Minutes
0 Errored Seconds
0 Bursty Error Seconds
0 Severely Error Seconds
0 Unavailable Seconds

The following line is added to the output if loopback is set as line:
Central Office (Network) loopback is set as line.

The following is a partial example of the output from a T3 NIM:
XSR#show controllers t3 0/1/0
T3 0/1/0 is Admin Down and Oper Down.
Applique type is Un channelized T3.
Loopback is set as none.
Equipment is set as customer.
MDL transmission is disabled.
Cablelength range is 0-224 feet.
Framing is C-BIT, Clock Source is Line.
Scramble is disabled.
DSU is set to None with bandwidth 44210 kbps.
Description: None
FEAC codes Received:
Latest     II         III        IV
No Code    No Code    No Code    No Code
Alarms Detected:
LOS  LOF  TxAIS  RxAIS  TxRAI  RxRAI  LOOP  PayLd
X    X    X
24 Hour Statistics cleared: MAY 04 22:33:47
Current time: MAY 04 22:34:13
Interval        LVC   PCV  CCV  PES  PSES  SEFS  UAS  LES  CES  CSES
Total           4352  0    0    2    2     2     2    2    2    2
Current ( 28s)  4352  0    0    2    2     2     2    2    2    2

Note: The 24 hour statistics is applied differently based on the selected framing type. The following table marks the valid fields by a *.

            LCV  PCV  CCV  PES  PSES  SEFS  UAS  LES  CES  CSES
T3 C_bit    *    *    *    *    *     *     *    *    *    *
T3 M13      *    *         *    *     *     *    *
E3 G751     *                   SES   *     *    *
E3 Bypass   *                                    *         -

Parameter Descriptions
Rx signal level -0.0DB (Accuracy:+/-3DB) [string]
    String values can be:
    - NULL string: port locked on the signal; range 0 to 43.4
    - not valid: port could not lock on the signal 0 to 43.4
    - high noise floor: port locked on the signal, but signal is noisy 0 to 43.4.
    This line determines if the port is connected to a valid T1/E1 signal. The port will not function if the signal is not valid and will act unpredictably if it is high noise floor. The line displays only if the Drop & Insert NIM is configured for data and voice mode. If it is used in data mode, it will not display.

1 1 1 1 1 1 1 1 1 1 2 2 2 2 2
    Timeslot number TENs.

1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
    Timeslot number units.

Rx ABCD * * * * * * F F 0 * F F F F F F F F F F F F F F
    Timeslots that bypass between port 0 and 1 carry Channel Associated Signaling (CAS). CAS signaling comprises four bits: Bit A, B, C and D. This line shows CAS signaling for each voice channel by which you can determine channel status based on the current CAS value. It is a debug aid. Channels marked with an asterisk (*) are read as follows:
    1 - On the displayed port, timeslot 10 is used for data and is marked with an asterisk (*).
    2 - On the complementary port (the other port of the card), timeslots 1 through 6 are used for data.
    3 - All timeslots not used for data on either port are bypassed between the two ports and their CAS displayed.

T3 0/1/0 is up
    T3 controller in slot 0 is operating. The controller's state can be up, down, or administratively down. Loopback conditions are shown as (Locally looped) or (Remotely Looped).

Applique type
    Channelized or Non-Channelized.

Alarms detected
    Any alarms detected by the controller are displayed here. Any active alarm will bring the controller to Oper Down state. The YELLOW LED beside the port connector is ON for all physical alarms, but stays OFF for loopback modes. The following alarms are listed:
    - Transmitter is sending remote alarm (TxRAI).
    - Transmitter is sending TxAIS.
    - Receiver has loss of signal (LOS).
    - Receiver is getting RxAIS.
    - Receiver has loss of frame (LOF).
    - Receiver has remote alarm (RxRAI).
    - Receiver has no alarms (NONE).
    - Controller is set into a Payload Loopback (PayLd) from the network.
    - Controller is set locally or from the network into any type of Loopback (LOOP) from the network.

Network Line Loopback
    - None: normal operation
    - DS3 Line Loopback (applicable for C-bit parity only)

MDL transmission is disabled
    Status of the maintenance data link (either enabled or disabled).

FEAC code received
    Displays the last 4 FEAC codes or commands that were received. Applicable for C-bit parity framing only, per ANSI T1.105-1995. This field is intended for T3 line debugging by carrier personnel.
    Values (only the last four codes are displayed; subsequent codes will overwrite current ones) listed are as follows:
    - DS3 Eqpt. Failure (SA)
    - DS3 LOS
    - DS3 Out-of-Frame
    - DS3 AIS Received
    - DS3 IDLE Received
    - DS3 Eqpt. Failure (NSA)
    - Common Eqpt. Failure (NSA)
    - Multiple DS1 LOS
    - DS1 Eqpt. Failure (SA)
    - Single DS1 LOS
    - DS1 Eqpt. Failure (NSA)
    - No code is being received
    Command values are as follows:
    - Loopback Activate
    - Loopback Deactivate
    - DS3 Line
    - DS1 Line 1 to 28 (displayed but not acted upon)
    - DS1 Line All (displayed but not acted upon)

Framing is
    Framing type on the controller:
    - C-BIT Parity
    - M13
    - G.751
    - Bypass

Line Code is
    Line coding format on the controller: B3ZS

Clock Source is
    Clock source on the controller: Internal or Line.

Line Code Violations (Valid for C-bit, M13, g751 & bypass)
    A count of both Bipolar Violations (BPVs) and Excessive Zeros (EXZs) occurring over the accumulation period. An EXZ increments the LCV by one regardless of the zero string's length.

P-bit Coding Violation (Valid for C-bit & M13)
    For all DS3 applications, a PCV error event is a P-bit parity error event. A P-bit parity error event is the occurrence of a received P-bit code on the DS3 M-frame that is not identical to the corresponding locally calculated code.

C-bit Coding Violation (Valid for C-bit)
    For C-bit parity applications, the CCV is the sum of coding violations reported via the C-bits. For C-bit parity, it is the sum of CP-bit parity errors occurring during the accumulation interval.

P-bit Err Secs (Valid for C-bit & M13)
    PES is a second with one or more PCVs, one or more Out-of-Frame defects, or a detected incoming AIS. This gauge is not incremented when unavailable seconds are counted.

P-bit Severely Err Secs (Valid for C-bit & M13)
    PSES is a second with 44 or more PCVs, one or more Out-of-Frame defects, or a detected incoming AIS. This gauge is not incremented when unavailable seconds are counted.

Severely Err Secs (Valid for g751)
    SES is a second in which more than 43 LCV were counted or one or more Out-of-Frame defects, or a detected incoming AIS. This gauge is not incremented when unavailable seconds are counted.

Severely Err Framing Secs (Valid for C-bit, M13 & g751)
    SEFS is a second with one or more Out-of-Frame defects or a detected incoming AIS.

Unavailable Secs (Valid for C-bit, M13 & g751)
    UAS are calculated by counting the period the interface is unavailable.

Line Err Secs
    LES is a second with one or more code violations or one or more LOS defects.

C-bit Errored Secs (Valid for C-bit)
    CES is a second with one or more C-bit code violations (CCV), one or more Out-of-Frame defects, or a detected incoming AIS. This gauge is not incremented when UASs are counted.

C-bit Severely Errored Secs (Valid for C-bit)
    CSES is a second with 44 or more CCVs, one or more Out-of-Frame defects, or a detected incoming AIS. This gauge is not incremented when UASs are counted.

Drop and Insert Commands


These commands affect the operation of the T1/E1 Drop and Insert NIM.

drop-and-insert-group
This command, which takes no parameters, instructs the T1 controller to offer all its idle timeslots not configured as part of a channel group to the Drop and Insert (D&I) agent. The T1 controller thus operates in mixed Data/Voice mode.
For T1 lines, robbed-bit signaling is used for Channel Associated Signaling (CAS). Robbed Bit Signaling uses one bit of each timeslot for signaling every sixth frame. The XSR is configured in such a way that RBS is disabled for data timeslots (timeslots belonging to a channel group) and data can be passed at 64 or 56 Kbps.
When the command is issued for both T1 controllers on the NIM, timeslots which are idle on both ports will be connected.
It is mandatory that the T1 port connected to the Central Office derive its timing from the upstream line and the port connected to the PBX supply timing to the downstream line.

Syntax
drop-and-insert-group [cas | clear]

cas     For use if the device downstream is a PBX using robbed-bit signaling. Entering no parameter is equivalent to entering the no command.
clear   For use if the device downstream handles data such as a Voice over IP.

Syntax of the no Form
The no form of this command removes Drop and Insert functionality:
no drop-and-insert-group

Mode
Controller configuration: XSR(config-controller<xx>)#

Default
cas

Example
This configuration instructs the XSR to terminate timeslots 1, 2, 3, 4, 5, 6 and 7 of controller T1 0/1/0 into a PPP channel and bypass the rest of the timeslots from T1 controller 0/1/0 to controller T1 0/1/1. Controller port T 0/1/0 is connected to the Central Office and controller port T 0/1/1 is connected to the PBX downstream. Note that setting the clock source to internal is mandatory.
XSR(config)#controller T1 0/1/0
XSR(config-controller<T1-0/1/0>)#drop-and-insert-group
XSR(config-controller<T1-0/1/0>)#channel-group 0 timeslots 1,2,3-7 speed 56
XSR(config-controller<T1-0/1/0>)#clock source line
XSR(config-controller<T1-0/1/0>)#no shutdown
XSR(config-if<S0/1/0>)#interface serial 0/1/0
XSR(config-if<S0/1/0>)#encapsulation ppp
XSR(config-if<S0/1/0>)#no shutdown
XSR(config)#controller t1 0/1/1
XSR(config-controller<T1-0/1/1>)#drop-and-insert-group
XSR(config-controller<T1-0/1/1>)#no channel-group 0
XSR(config-controller<T1-0/1/1>)#clock source internal
XSR(config-controller<T1-0/1/1>)#no shutdown

show controller
For Drop & Insert NIM only
This command, useful for debugging, lists the bypassed timeslots between the two T1 controllers on the NIM and associated CAS ABCD signaling bits received. The Rx ABCD row displays the hex value of the CAS signaling bits received by the controller. Timeslots terminated in the XSR are marked with an asterisk (*). Those timeslots are used for data on ports 1 and/or 0. The bypass timeslot table will display only if the configuration is correct, that is, D&I is enabled on both ports and one of the ports employs internal clocking. This command may help debugging CAS voice calls.

Syntax
show controller t1 {slot | card | 0/1}

Example
This example shows port 0 using timeslot 10 for data and port 1 using timeslots 1-6 for data:
T1 0/1/0 is Admin Up and Oper Up.
T1 with CSU Interface.
Applique type is Fractional T1.
Loopback is set as none.
Cablelength long and short 0.
Framing is esf, Line Encoding is b8zs, Clock Source is line.
Description: None
Alarms Detected: None
Rx 0signal level -0.0DB (Accuracy:+/-3DB)
Bypass time slots table ( * data time slots on s/c/0 and s/c/1):
                          1 1 1 1 1 1 1 1 1 1 2 2 2 2 2
        1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4
Rx ABCD * * * * * * F F 0 * F F F F F F F F F F F F F F
Channel 0: Timeslots 10 64kbps Base rate
Data in current interval (300 seconds elapsed):
  0 Line Code Violations  0 Path Code Violations
  8 Slip Seconds  0 Frame Loss Seconds  0 Line Error Seconds
  0 Degraded Minutes  0 Errored Seconds  0 Bursty Error Seconds
  0 Severely Error Seconds  9 Unavailable Seconds
Total Data (Last 0 hours and 0 minutes):
  0 Line Code Violations  0 Path Code Violations
  0 Slip Seconds  0 Frame Loss Seconds  0 Line Error Seconds
  0 Degraded Minutes  0 Errored Seconds  0 Bursty Error Seconds
  0 Severely Error Seconds  0 Unavailable Seconds


3
Configuring the XSR Platform
Observing Syntax and Conventions
The CLI command syntax and conventions use the notation described in the following table.

Convention            Description
xyz                   Key word or mandatory parameters (bold)
[x]                   [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]           [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}           { | } Braces with vertical bar indicate a choice of a required value
[x {y | z} ]          [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)       xx signifies the interface, class map, policy map or other value you specify; e.g., F1, G3, S2/1.0, <Your Name>. F indicates a FastEthernet, and G a GigabitEthernet interface.
                      Next Mode entries display the CLI prompt after a command is entered.
                      Sub-commands are displayed in red text.
soho.enterasys.com    Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

Platform Commands
The following sets of commands define the platform subsystem software of the XSR:
- Clock Commands
- Crypto Key Commands
- Other Platform Commands
- Platform Clear and Show Commands
- File System Commands
- Bootrom Monitor Mode Commands

Clock Commands

clock set
This command sets the current time of the Real Time Clock chip (software module clock). After resetting the XSR, you must manually set the clock.

Syntax
clock set hh:mm:ss wday mday month year

hh:mm:ss    Current time.
wday        Day of the week, ranging from 1 to 7. Sunday is 1.
mday        Day of the month, ranging from 1 to 31.
month       Month of the year. January is 1.
year        Year, ranging from 2000 to 2100.

Mode
Privileged EXEC: XSR#

Example
Set the clock to 2:59:59 p.m., Friday, October 7, 2002. Type the following:
XSR#clock set 14:59:59 06 07 10 2002

clock timezone
This command sets the time zone to reflect the local time and can be offset by up to 12 hours behind or 13 hours ahead of the Universal Time Clock (UTC) time as set for Greenwich Mean Time (GMT).

Syntax
clock timezone hh mm

hh    Number of hours offset (-12 behind to +13 ahead of GMT).
mm    Number of minutes offset (0 to 59).

Mode
Privileged EXEC: XSR#

Example
This example sets the time zone 5 hours and 30 minutes behind UTC time (Eastern standard time):
XSR#clock timezone -5 30

Crypto Key Commands

crypto key master generate
This command generates a random master encryption key. When the command is entered, you are prompted to identify the previous master key. If you successfully identify it, the current secure data files are converted to use the new key. If not, you have the following options:
- Retry entering the previous key,
- Abort the key change,
- Remove the previous file set and enter a new key.
Note: This CLI command is not reflected in the running-config.

Syntax
crypto key master generate

Mode
Global configuration: XSR(config)#

Example
XSR(config)#crypto key master generate

crypto key master remove


This command removes the master encryption key. When entered, the command prompts you to identify the previous master key. If you successfully identify it, the current secure data files are removed. If not, you have the following options:
- Retry entering the previous old key,
- Abort the key removal process.

Syntax
crypto key master remove

Mode
Global configuration: XSR(config)#

Example
XSR(config)#crypto key master remove

crypto key master specify
This command allows you to specify a master encryption key. When entered, the command first prompts you to identify the previous master key. If you cannot identify it, you have the following options:
- Retry entering the previous key,
- Abort the key change,
- Remove the previous file set and enter a new key.

If you successfully identify a new key or proceed regardless of a correct response, you are prompted to specify a new key numbering 24 bytes. This new key will be rejected if it is identified as a weak, semi-weak, or possibly weak key. If you specify a valid new key, the current secure data files are converted to the new key.


Note: This CLI command is not reflected in the running-config.

Syntax
crypto key master specify

Mode
Global configuration: XSR(config)#

Example
XSR(config)#crypto key master specify
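
The weak-key rejection described for crypto key master specify can be pre-checked offline before a key is typed in. This is an added example, not Enterasys code: the page does not name the cipher, so the sketch assumes the 24-byte key is three 8-byte DES keys (Triple DES), and it covers the 4 weak and 12 semi-weak DES keys only; the larger "possibly weak" set is not tabulated here. Function and variable names are hypothetical.

```python
"""Pre-check a 24-byte master key for weak and semi-weak DES parts.

Assumption (not stated on the page): the key is K1 | K2 | K3, three DES keys.
"""

# The four degenerate half-key patterns, written with odd parity as
# (byte used in key bytes 0-3, byte used in key bytes 4-7).
_PATTERNS = [(0x01, 0x01), (0x1F, 0x0E), (0xE0, 0xF1), (0xFE, 0xFE)]


def _strip_parity(block):
    """DES ignores the low (parity) bit of each key byte, so compare without it."""
    return bytes(b & 0xFE for b in block)


def _build_tables():
    weak, semi = set(), set()
    for first_a, second_a in _PATTERNS:
        # Weak key: one pattern repeated across the whole 8-byte key.
        weak.add(_strip_parity(bytes([first_a] * 4 + [second_a] * 4)))
        for first_b, second_b in _PATTERNS:
            if (first_a, second_a) != (first_b, second_b):
                # Semi-weak key: two different patterns alternating byte by byte.
                semi.add(_strip_parity(
                    bytes([first_a, first_b] * 2 + [second_a, second_b] * 2)))
    return weak, semi


WEAK, SEMI_WEAK = _build_tables()


def check_master_key(key):
    """Return the reasons to reject the key; an empty list means it passed."""
    if len(key) != 24:
        return ["key must be 24 bytes, got %d" % len(key)]
    reasons = []
    for n, offset in enumerate((0, 8, 16), start=1):
        part = _strip_parity(key[offset:offset + 8])
        if part in WEAK:
            reasons.append("K%d is a weak DES key" % n)
        elif part in SEMI_WEAK:
            reasons.append("K%d is a semi-weak DES key" % n)
    return reasons


if __name__ == "__main__":
    # Constructed sample keys, for illustration only.
    samples = {
        "counting bytes": bytes(range(1, 25)),
        "weak K1": bytes.fromhex("0101010101010101") + bytes(range(1, 17)),
        "parity-flipped weak K2": bytes(range(1, 9)) + bytes(8) + bytes(range(9, 17)),
        "semi-weak K3": bytes(range(1, 17)) + bytes.fromhex("E01FE01FF10EF10E"),
    }
    for label, key in samples.items():
        print(label, "->", check_master_key(key) or "accepted")
```

Stripping the parity bit before the lookup matters: a key such as eight zero bytes is the weak key 0101010101010101 with its parity bits cleared, and a byte-for-byte comparison against the published table would miss it.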

Other Platform Commands

cpu-utilization
This command enables the XSR to calculate the interval it spends on particular tasks and provides the utilization percentage per that task. CPU statistics are displayed using the show cpu-utilization command.

Syntax
cpu-utilization

Syntax of the no Form


The no form of this command disables CPU utilization reporting:
no cpu-utilization

Mode
Global configuration: XSR(config)#

Example
XSR(config)#cpu-utilization

debug processor
This command defines a method to force forwarding engine jobs to a specific CPU or allows the jobs to float between available CPUs.

Syntax
debug processor {number | job type | interface | mobility}

number       CPU: 0 or 1.
job type     Input, Output, or Protocol.
interface    The specified interface.
mobility     Fixed (assign to a CPU and port) or floating (XSR assigns CPU and port).

Mode
Privileged EXEC: XSR#

Examples
The following example forces CPU 0 to accept forwarding jobs input to F1:
XSR#debug processor 0 Input FE1 FIXED
Input Job for Interface FastEthernet 1 is now fixed to Processor #0

This example forces CPU 1 to accept protocol forwarding jobs on interface F2:
XSR#debug processor 1 Protocol FE2 FIXED
Protocol Job for Interface FastEthernet 2 is now fixed to Processor #1

hostname
This command sets the system network name on the CLI prompt.

Syntax
hostname name

name    Name of the XSR that appears at the CLI prompt.

Syntax of the no Form
The no form of this command deletes the configured hostname:
no hostname

Mode
Privileged EXEC: XSR#

Default
The name that is stored in Bootrom.

Example
XSR#hostname XSR-1800
XSR-1800#

logging
This command enables/disables message logging at varying severity levels for specified destinations. Refer to Appendix A in the XSR User's Guide for a list of most router alarms and events. Normally, only HIGH severity alarms are logged to red-flag critical events and those requiring operator intervention. The DEBUG alarm level is meant for maintenance personnel only.

The XSR may discard LOW and DEBUG level alarms if the system is too occupied to deliver them. The number of discarded messages is displayed by the following line in show logging command output:
Discards: high=0 medium=0 low=4 debug=22

The XSR supports as many as three Syslog servers, with logging severity levels separately configurable for each server. You can disable logging to individual Syslogs with the no logging xxx.xxx.xxx.xxx command.

LogGen Functionality
The file option permits logging to a persistent alarm file on a CompactFlash card for HIGH or MEDIUM alarms only. If no CompactFlash card is installed, persistent logging is not performed. The router copies messages from the logging buffer in RAM to the cflash: file loggen once per second. If power to the XSR is lost, the alarm history is preserved in loggen. When the XSR comes up again it copies the history from loggen back into the RAM buffer. The entire logging history is available including alarms before and after power down.

The XSR's LogGen functionality declares a message flood if too many outstanding messages are reported by other software modules in the router. LogGen then temporarily quits reporting on the Console so users can keep access to the CLI. Messages are logged to the RAM buffer only, and are gradually reported to all other enabled destinations. The message flood ends when LogGen reduces the number of outstanding messages below the defined threshold.

Syntax
logging [console | buffered | monitor | snmp | A.B.C.D | A.B.C.D | A.B.C.D | file | timestamp][level | local | utc][high | medium | low | debug]

console      Displays system logs to the console terminal.
buffered     Saves system logs to the router's RAM.
monitor      Displays system logs to current CLI Telnet session.
snmp         Saves system logs to a remote SNMP trap.
A.B.C.D      Up to three Syslog server IP addresses: see table in User Guidelines.
level        Sets logging level to High, Medium, Low or Debug. Enter the level immediately after the logging keyword to set that level for all destinations. Enter the level after a destination to specify that level only.
file         Logs data to a file on a CompactFlash card.
high         Sets system log to High level.
medium       Sets system log to Medium level.
low          Sets system log to Low level.
debug        Sets system log to Debug level.
timestamp    Sets time and date.
local        Sets timestamp to local time.
utc          Sets timestamp to the Universal Time Clock.

Syntax of the no Form


Use the no form of this command to disable the earlier configured service:
no logging [console | buffered | monitor | snmp | A.B.C.D | file | timestamp]

Mode
Global Configuration: XSR(config)#

Defaults
File: off
A.B.C.D.: 0.0.0.0 (no messages sent until an IP address is set)
Logging level: High for all destinations

User Guidelines
The table below displays standard syslog error message types and definitions.

Message Type    Definition
0: Emergency    System is unusable
1: Alert        Action must be taken immediately
2: Critical     Critical conditions
3: Error        Error conditions
4: Warning      Warning conditions
5: Notice       Normal but significant condition
6: Info         Informational
7: Debug        Debug-level messages
8: Security     Security related messages

The XSR recognizes messages at four levels, described in the table below:

Priority Code = Facility Code * 8 + Severity

Severity                         User Level Message (Facility = 1)    Security/Auth Message (Facility = 10)
High, severity = 2 (Critical)    10                                   82
Med, severity = 3 (Error)        11                                   83
Low, severity = 4 (Warning)      12                                   84
Debug, severity = 7 (Debug)      15                                   87

Examples
This example sets logging at High for the console with a local timestamp:
XSR#logging console high timestamp local

The following example sets a Low logging level for all destinations with a UTC timestamp:
XSR#logging low timestamp utc

This example sets persistent logging of High severity messages to CFlash: with a local timestamp:
XSR#logging file high timestamp local

The following example sets the logging timestamp to local time. For information about a related command, refer to clock timezone:
XSR#logging timestamp local

The following example sets the logging timestamp to universal time:
XSR#logging timestamp utc

Sample Output
The following is a sample LogGen message:
<186>Jan 27 09:13:05 10.8.40.2 LOGGEN: Message Flood: Display disabled,messages logged to History Buffer.

The following is sample output for a message flood by the show log history command:
XSR#show log history
Log history buffer: logging severity=HIGH; messages logged= 2
<186>Jan 27 09:13:07 10.8.40.2 LOGGEN: Message Flood: Display disabled, messages logged to History Buffer.
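
On a Syslog collector, the number in angle brackets can be split back into facility and severity with the Priority Code formula from User Guidelines, and the LogGen flood marker can be flagged so that delayed delivery is expected. The following is an added example, not part of the XSR software: it parses sample lines copied from this guide plus two constructed lines, and the field names, the module name FW and the facility label local7 (the standard syslog name for facility 23) are assumptions.

```python
"""Decode XSR syslog lines: PRI -> facility/severity -> XSR alarm level."""
import re
from collections import Counter

# Severity numbers the XSR uses for its four alarm levels (User Guidelines table).
XSR_LEVEL = {2: "HIGH", 3: "MEDIUM", 4: "LOW", 7: "DEBUG"}
# Facilities 1 and 10 come from the guide's table; 23 is what <186> decodes to.
FACILITY = {1: "user", 10: "security/auth", 23: "local7"}

# <PRI>Mon D HH:MM:SS host [MODULE]: text   (the module is absent in some lines)
LINE_RE = re.compile(
    r"^<(\d{1,3})>(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (\S+) (\w+)?\s*: ?(.*)$")


def decode_pri(pri):
    """Invert Priority Code = Facility Code * 8 + Severity."""
    if not 0 <= pri <= 191:
        raise ValueError("PRI out of range: %d" % pri)
    return divmod(pri, 8)  # (facility, severity)


def encode_pri(facility, severity):
    return facility * 8 + severity


def parse_line(line):
    """Return a dict for a well-formed line, or None if it cannot be parsed."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    pri, stamp, host, module, text = m.groups()
    facility, severity = decode_pri(int(pri))
    return {
        "pri": int(pri),
        "facility": facility,
        "facility_name": FACILITY.get(facility, str(facility)),
        "severity": severity,
        "level": XSR_LEVEL.get(severity, "UNMAPPED"),
        "timestamp": stamp,
        "host": host,
        "module": module,
        "text": text,
        # During a flood LogGen logs to the RAM buffer first and forwards later.
        "flood": module == "LOGGEN" and text.startswith("Message Flood"),
    }


def summarize(lines):
    parsed = [(line, parse_line(line)) for line in lines]
    records = [rec for _, rec in parsed if rec is not None]
    return {
        "records": records,
        "by_level": Counter(rec["level"] for rec in records),
        "flood_hosts": sorted({rec["host"] for rec in records if rec["flood"]}),
        "unparsed": [line for line, rec in parsed if rec is None],
    }


SAMPLE = [
    # Lines copied from this guide's sample output.
    "<186>Jan 27 09:13:05 10.8.40.2 LOGGEN: Message Flood: Display disabled,messages logged to History Buffer.",
    "<186>Feb 4 09:12:28 192.168.27.38 CLI: User: admin logged in from console",
    "<186>Feb 4 09:10:53 192.168.27.38 PLATF: System warm boot from cli",
    "<11>May 29 22:20:59 TORONTO : System restarted",
    "<12>May 29 22:25:59 TORONTO : Serial 0 changed state from up to down",
    # Constructed lines: a security/auth LOW message (PRI 84) and a malformed one.
    "<84>Feb 4 09:13:00 192.168.27.38 FW: constructed security/auth sample",
    "Feb 4 09:13:01 192.168.27.38 CLI: constructed line without a PRI field",
]

if __name__ == "__main__":
    report = summarize(SAMPLE)
    for rec in report["records"]:
        print("%3d %-13s %-6s %-14s %s" % (rec["pri"], rec["facility_name"],
                                           rec["level"], rec["host"], rec["text"]))
    print("flood reported by:", report["flood_hosts"])
    print("unparsed:", report["unparsed"])
```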

netload
This command selects the Remote Auto Install (RAI) option upon reboot. When no startup-config file exists in the XSR, the system begins remote auto install processing by default.

Syntax
netload [persistent]

persistent    RAI does not cease looking for a config file over the network. Omitting this option permits RAI processing for 5 minutes, after which the XSR ceases RAI, exits and reads an existing startup-config.

Syntax of the no Form


The no form of this command disables netload:
no netload [persistent]

Mode
Global configuration: XSR(config)#

Examples
The following example selects a 5-minute autoinstall:
XSR(config)#netload

The following example selects a persistent autoinstall:
XSR(config)#netload persistent

SNTP Commands

sntp-client
This command enables the SNTP client and sets the Simple Network Time Protocol (SNTP) primary and alternate server IP addresses. Once the XSR is configured, it sends a time request to the SNTP server every poll interval to update local time.
Note: Setting the SNTP Server IP address to 0.0.0.0 disables the SNTP client.

Syntax
sntp-client server A.B.C.D [A.B.C.D]

A.B.C.D      IP address of the primary SNTP server.
[A.B.C.D]    IP of the alternate SNTP server. Set only if the primary SNTP server IP is set.

Syntax of the no Form


The no form of this command disables the SNTP client:
no sntp-client

Mode
Global configuration: XSR(config)#

Defaults
Primary and alternate server IP address: 0.0.0.0
SNTP client is disabled

Example
The following example sets the primary SNTP server IP address:
XSR(config)#sntp-client server 192.168.27.88

sntp-client poll-interval
This command configures the interval the SNTP client waits, when synchronized, before sending another time request to an SNTP server. The poll interval is applied continuously after the client is first synchronized. If both primary and alternate servers are configured, polls are sent only to the first server once it has been detected to be active; only if this server becomes inactive will the client start polling the alternate server. A client declares a server inactive if no response is received to ten consecutive requests.

When the time is not synchronized after bootup, a resynchronization interval is used to send time requests to the server at fixed intervals of 60 seconds. A maximum of 10 such requests are sent in case no answer was received before the SNTP client decides this server is down. If an alternate server address is configured, requests are sent out to it. The resync interval is used instead of the polling interval to ensure the time is learned fairly quickly if the poll interval was set to a higher value. After initial synchronization, client requests are sent using the configured poll interval.

Syntax
sntp-client poll-interval [value]

Parameters
value    Poll interval, ranging from 16 to 16284 seconds.

Mode
Global configuration: XSR(config)#

Default
512 seconds

sntp-server enable
This command enables the SNTP server.

Syntax
sntp-server enable

Mode
Global configuration: XSR(config)#

Default
Disabled

no sntp-server
This command disables the SNTP server.

Syntax
no sntp-server

Mode
Global configuration: XSR(config)#

show sntp
This command displays the current status of the SNTP server.

Syntax
show sntp

Output
XSR>show sntp
SNTP server    Stratum    #Polls    Last Receive
30.10.1.22     10         1         00:36:39 Active    Unicast
1.1.1.1        0          0         Never              Unicast

Client Status: Enabled
Server Status: Enabled
Poll Interval: 512
Server requests: 125
Current Time: 00:36:42-UTC-Tuesday, 30-MAR-2004

Parameter Descriptions
SNTP server 30.10.1.22    The IP address of the designated SNTP server.
Stratum                   Level of the network where the clock is located. The primary stratum is generally considered at stratum 1. The XSR default stratum is 10.
#Polls                    Sum of client requests to the SNTP server.
Last Receive              Hour, minute and second of the last client reply from the SNTP server.
Active                    Whether the SNTP is in active state.
Unicast                   SNTP server point to point mode.
Client Status             State of the SNTP client enabled or disabled.
Server Status             State of the SNTP server enabled or disabled.
Poll Interval             Interval in seconds between client requests to the SNTP server.
Server requests           Sum of client requests to the server.

Clock is synchronized, stratum 10, reference is <RTC or last synchronized reference>
Nominal freq is xxxxx Hz, actual freq is xxxx Hz, precision is 2**16
Reference time is 12345678.12345678 (01:01:01.123 EDT Mon Jan 1 2004)
Clock offset is 1.1234 msec, root delay is 123.12 msec
Root dispersion is 12.12 msec, peer dispersion is 1.12 msec

Platform Clear and Show Commands

clear counter processor
This command clears processor performance information. CPU utilization is averaged over an 8-second interval.

Syntax
clear counter processor

Mode
Privileged EXEC: XSR#

Example
XSR#clear counter processor

clear fault-report
This command deletes the fault report from RAM.

Syntax
clear fault-report

Mode
Privileged EXEC: XSR#

Example
XSR#clear fault-report

Sample Output
No fault report to clear.

or
Fault report cleared

clear logging
This command deletes all messages from the logging buffer in RAM.

Syntax
clear logging

Mode
Privileged EXEC: XSR#

Example
XSR#clear logging

show buffers
This command displays platform memory statistics and is helpful in discovering where memory leaks exist in various XSR modules. Memory is allocated in increments no smaller than 64 bytes.

Syntax
show buffers

Mode
Privileged EXEC configuration: XSR#

Sample Output
XSR#show buffers
Common Buffer Pool Usage:
Pre-Allocated: 1000 for FE
               1000 for FE Frag
               512 for Eth1
               512 for Eth2
               1536 for 4 port T1E1 card 2 in slot 0
Total: 4560 1696 byte buffers = 7733760 bytes
Used: Eth2:     128 of 512 in use.  0 allocations denied.
      T1E1-0/2: 512 of 1536 in use. 0 allocations denied.
      FE Frag:  0 of 877 in use.    0 allocations denied.
      Fwd Eng:  0 of 877 in use.    0 allocations denied.
      Eth1:     128 of 512 in use.  0 allocations denied.
Free: Buffers: 3792. Extra Mblks: 500. FrameElements: 5000
Jumbo buffers: 8192    16384    32768    65536
Available:     8/ 8    4/ 4     2/ 2     1/ 1

Memory Block Allocation: Memory Options enabled: None.
---------------------------------------------------------------------
Size     Number  Number  Avg.Size  Max.Size  Number of  Size
Carved   Carved  In Use  In Use    Request   Requests   Upgrade
---------------------------------------------------------------------
64       7012    6516    26        64        20254275   0
128      6673    6637    104       128       629751     0
288      2425    2389    249       288       20319      0
512      33      26      417       512       5866       0
1024     38      29      703       1024      15652      0
2080     43      41      1362      2056      148677     0
4096     29      17      2919      4096      597        0
9216     20      18      6950      9188      22         0
17408    13      12      14069     16856     15         0
40960    10      10      25767     38916     10         0
69632    5       5       62716     65604     5          0
135168   4       4       117320    131072    138        0
291104   1       1       270336    270336    1          0
480000   0       0       0         0         0          0
700000   1       1       628488    628488    1          0
1560000  0       0       0         0         0          0
----------------------------------------------------------------------
TotalBytes: 4965504 4817920 3831992 (64MB)
Overhead: 521824 Uncarved: 37914272 Max Heap: 1399088

Parameter Descriptions
Size Carved            Allocated pool sizes supported by the memory manager.
Number Carved          Sum of blocks carved in each pool shown in Column 1.
Number in Use          Sum of blocks currently in use in this pool. Every time you enter the show buffers command, this column's data will be marked with a plus (+) or negative sign (-). The + indicates the number in use has increased since you last entered the command. The - indicates the number in use has decreased since you last entered the command.
Average Size in Use    Average size of the actual requested allocation bytes.
Max Size Request       Largest allocation requested in this pool.
Number of Requests     Sum of times a memory was allocated within this block size.
Size Upgraded          Sum of instances a memory that could have fitted in this block size was actually allocated from a larger block size. This mechanism functions if the XSR is out of uncarved memory and block memory of this size. For example, you request 30 bytes of memory. The memory manager learns that there is no more uncarved memory, examines the 64-byte pool, and finds no more blocks in that pool either. Then the memory manager considers the 128-byte pool and may find some free blocks there. You will receive a pointer to one of blocks in the 128-byte pool.
Overhead               Sum of overhead bytes used for memory tracking, etc.
Uncarved               Sum of bytes available to be carved into desired blocks.
Max Heap               Sum of bytes that can be allocated from the heap.

show buffers i/o


This command displays summary I/O (data buffers, frame elements) memory usage statistics. Allocations are based on the hardware present in the XSR.

Syntax
show buffers i/o

Mode
Privileged EXEC configuration: XSR#

Sample Output
Common Buffer Pool Usage:
------------------------------------------------------------
Pre-Allocated: 2000 for FE
               1000 for FE Frag
               2048 for Eth1
               2048 for Eth2
               2048 for Eth3
               1536 for serial card
Total:10680*1696 byte buffers *1796 (including overhead) = 19181280 bytes
Used: FE Frag:  0 of 1500 in use.  0 allocations denied.
      Fwd Eng:  0 of 3200 in use.  0 allocations denied.
      Eth2:     128 of 512 in use. 0 allocations denied.
      T1E1-0/2: 256 of 768 in use. 0 allocations denied.
      FE Frag:  0 of 880 in use.   0 allocations denied.
      Fwd Eng:  0 of 440 in use.   0 allocations denied.
      Eth1:     128 of 512 in use. 0 allocations denied.
Free: Buffers: 10680. Extra Mblks: 500. FrameElements: 5000
Jumbo buffers: 8192    16384    32768    65536
Available:     8/ 8    4/ 4     2/ 2     1/ 1

Parameter Descriptions
Common Buffer Pool Usage
    One buffer pool exists for data buffers. These buffer blocks are pre-allocated as shown below:
    2000 for FE: 2000 x 1696-byte buffers were pre-allocated for use by the Forwarding Engine.
    1000 for FE Frag: 1000 x 1696-byte buffers were pre-allocated for use by FE Fragmentation.
    2048 for Eth1: 2048 x 1696-byte buffers were pre-allocated for use by the Ethernet Driver for Ethernet Port 1.
    2048 for Eth2: 2048 x 1696-byte buffers were pre-allocated for use by the Ethernet Driver for Ethernet Port 2.
    2048 for Eth3: 2048 x 1696-byte buffers were pre-allocated for use by the Ethernet Driver for Ethernet Port 3.
    1536 for serial card: 1536 x 1696-byte buffers were pre-allocated for use by the Serial NIM card.
    Total: 10680*1696 byte buffers: Total number of 1696-byte buffers that were pre-allocated. There are 100 bytes of overhead per buffer, so the actual amount of memory used is 10680 x 1796 bytes.
Used: FE Frag
    0 of 1500 in use. 0 of the 1500 peak allowed blocks are currently in use.
    0 allocations denied. 0 requests for allocation were denied.
Fwd Eng
    0 of 3200 in use. 0 of the 3200 peak allowed blocks are currently used.
    0 allocations denied. 0 requests for allocation were denied.
Free
    Buffers: 10680. Number of data buffers free now (all are free).
    Extra Mblks: 500. Number of MBLKs (used to link multiple buffers) now free.
    FrameElements: 5000: Number of Frame Elements (used to link multiple frames together) free now.
Jumbo buffers: 8192 16384 32768 65536:
    Size of each Jumbo buffer which is used for temporary storage of large packets before fragmentation.
Available: 8/8 4/4 2/2 1/1:
    (Available/Maximum) jumbo buffers. 8/8 indicates 8 available out of a maximum of 8 buffers. This example has every size with all buffers available.

show buffers malloc


This command displays summary Malloc (tables, configuration structure) area memory statistics.

Syntax
show buffers malloc

Mode
Privileged EXEC configuration: XSR#

Sample Output
Memory Block Allocation: Memory Options enabled: None.
------------------------------------------------------------------
Size     Number  Number  Avg.Size  Max.Size  Number of  Size
Carved   Carved  In Use  In Use    Request   Requests   Upgrade
------------------------------------------------------------------
64       8132    8081    22        64        5960439    0
128      10210   10209   98        128       18507      0
288      2273    2241    252       288       8152       0
512      19      15      441       512       302        0
1024     22      20      718       1024      142        0
2080     31      30      1391      2052      48         0
4096     17      9       3185      4096      357        0
9216     13      11      7673      9188      15         0
17408    11      10      13358     16984     11         0
40960    14      13      24725     40048     14         0
69632    7       7       60418     65604     7          0
135168   3       2       118344    131072    556        0
291104   3       3       220710    270336    3          0
480000   1       1       354400    354400    1          0
700000   1       1       628488    628488    1          0
1560000  1       1       1033920   1033920   1          0
------------------------------------------------------------------
TotalBytes: 8039296 7775776 5725016 (128MB)
Overhead: 664256 Uncarved: 82346656 Max Heap: 1312224

Parameter Descriptions
Refer to the show buffers command.

show clock
This command shows current Universal Time Clock (UTC) set by Greenwich Mean Time (GMT).

Syntax
show clock

Mode
Privileged EXEC: XSR#

Sample Output
XSR#show clock
10:41:20-UTC-Wednesday,20-AUG-2003

If the time zone is set up, show clock displays both UTC and local time:
XSR#show clock
15:22:52-UTC-Thursday,28-FEB-2002
10:22:52-LOCAL-Thursday,28-FEB-2002

show cpu-utilization
This command tracks current use of various CPU processes as a percentage of total CPU usage for the last five-second, one-minute, and five-minute intervals, and the number of times each process was called in total since the XSR was powered on. Also, CPU utilization is shown: the first percentage indicates total CPU usage, the second indicates the percentage of CPU time spent at the interrupt level, and remaining percentages are total CPU usage for 1 and 5 minute periods.

The command is a good diagnostic tool to measure which process is consuming the most CPU time and how strenuously the CPU is working as a whole. The XSR is operating normally if the CPU can satisfy advertised throughput levels at maximum capacity.

Be aware that this command draws on processor capacity at the expense of operational needs.

Syntax
show cpu-utilization

Mode
EXEC or Privileged EXEC: XSR> or XSR#

Default
CPU usage tracking is on by default.

Sample Output
XSR#show processes cpu
Process  Runtime(m)  5Sec    1Min    5Min    Invoked
PP       0.00        0.01%   0.00%   0.00%   16302
RIP      0.00        0.01%   0.01%   0.01%   334
OSPF     0.00        0.02%   0.01%   0.01%   465
Idle     5.40        99.17%  99.24%  99.26%  0
Other    0.04        0.80%   0.74%   0.72%   26700

CPU utilization for five seconds: 14.53%/0.80%; one minute: 9.88%; five minutes: 8.20%

Parameter Description
Process            XSR task measured including Packet Processor (XSR forwarding engine), RIP and OSPF Processors, Idle (calculated processor idle time), and Other (all other tasks).
Invoked            Number of times a process has been called since the XSR was active.
CPU utilization    Total percentage of CPU being used at each interval.
14.53%/0.80%; one minute: 9.88%; five minutes: 8.20%
                   The first percentage indicates the total and the second indicates the percentage of CPU time spent at the interrupt level, followed by one and five minute percentages.

show fault-report
This command displays the fault report captured when the XSR experiences a system problem. It contains information that pinpoints the cause of the software failure. This data is highly technical and is intended only for the use of service support engineers to diagnose the problem.

The fault report can be viewed in Bootrom monitor mode or on the CLI.

If the XSR experiences a processor exception, the software captures a fault report and restarts automatically. In case of multiple failures, only the first fault report is saved. It is kept in a special RAM area and is preserved if the XSR is rebooted but is lost if the XSR is powered down.
Note: The XSR can store one fault report only.

The fault report contains the following data relevant to the failure:
- Cause of processor exception
- Time stamp
- Contents of processor registers
- Operating system status
- Status of tasks, current task (e.g., crashed task)
- Contents of stacks (task stacks, interrupt stack)
- Status of one special task (packet processor by default)
- Code around the crash program counter
- Task message queues
- Memory management statistics
- Task stack traces for all tasks

Watchdog Fault Report
A fault report is also captured in case a catastrophic watchdog interrupt occurs. If the software does not refresh the watchdog for several seconds a watchdog fault report is captured and the XSR is warm-booted. You can then examine the fault report to analyze the problem.

Syntax
show fault-report [0 | 1]

0 | 1    CPU 0 or 1 on XSR-3000 Series only. If neither are specified, both fault reports display.

Mode
Privileged EXEC: XSR#

Example
XSR#show fault-report

Sample Output
The following is sample output from an XSR-3020 router:
Fault Report captured in node RouterName on Sept 22, 2001 at 3:30:59pm
Fault: Data TLB Miss
Processor up-time = 1234 hours 59 minutes 59 seconds
Processor = PowerPC 405 GP
Exception Vector Number = 0x1100
PC=00012345 SP(r1)=00044444 LR=12345678 CTR=12345678
r0 =12345678 r1 =00044444 r2 =12345678 r3 =12345678
r4 =12345678 r5 =00044444 r6 =12345678 r7 =12345678
r8 =12345678 r9 =00044444 r10=12345678 r11=12345678
r12=12345678 r13=00044444 r14=12345678 r15=12345678
r16=12345678 r17=00044444 r18=12345678 r19=12345678
r20=12345678 r21=00044444 r22=12345678 r23=12345678
r24=12345678 r25=00044444 r26=12345678 r27=12345678
r28=12345678 r29=00044444 r30=12345678 r31=12345678
sprg0=12345678 sprg1=12345678 sprg2=12345678 sprg3=12345678
sprg4=12345678 sprg5=12345678 sprg6=12345678 sprg7=12345678
xer=12345678 msr=12345678 dccr=12345678 dcwr=12345678
iccr=12345678 sgr=12345678 sler=12345678 suor=12345678
bear=12345678 besr=12345678 ccr0=12345678 evpr=12345678
esr=12345678 dear=12345678 srr0=12345678 srr1=12345678
srr2=12345678 srr3=12345678
Crashed Task TCB:
004b19170 12345678 12345678 12345678 12345678 12345678 12345678 12345678
004b19180 12345678 12345678 12345678 12345678 12345678 12345678 12345678
etc.
Crashed Task Stack:
004276ae 12345678 12345678 12345678 12345678 12345678 12345678 12345678
004276be 12345678 12345678 12345678 12345678 12345678 12345678 12345678
004276ce 12345678 12345678 12345678 12345678 12345678 12345678 12345678
004276de 12345678 12345678 12345678 12345678 12345678 12345678 12345678
VxWorks Tasks:
NAME      ENTRY     TID      PRI  STATUS  PC      SP       ERRNO  DELAY
tExcTask  _excTask  4b19170  0    PEND    4276be  4b1908c  d0003  0
tLogTask  _logTask  4b14758  0    PEND    4276be  4b14670  d0003  0
tWdbTask  0x417cc4  4b10c08  3    READY   4276be  4b10ae4  d0003  0
tExcTask Control Block
004b19170 12345678 12345678 12345678 12345678 12345678 12345678 12345678
004b19180 12345678 12345678 12345678 12345678 12345678 12345678 12345678
etc.
tExcTask stack:
004276ae 12345678 12345678 12345678 12345678 12345678 12345678 12345678
004276be 12345678 12345678 12345678 12345678 12345678 12345678 12345678
004276ce 12345678 12345678 12345678 12345678 12345678 12345678 12345678
004276de 12345678 12345678 12345678 12345678 12345678 12345678 12345678
etc. for all tasks
End of fault report.

When the XSR is automatically rebooted after a crash it performs a warm start. The following message is logged:
11 May 29 22:20:59 TORONTO: System warm boot from crash

show logging
This command displays the current message logging settings including all possible logging destinations and their enabled message levels.

Syntax
show logging

Mode
EXEC or Privileged EXEC: XSR> or XSR#

Example
XSR#show logging

Sample Output
The following example displays logging information on the XSR including three Syslog servers:
XSR#show logging
Destination            Logging Severity    Message Count
Syslog: 10.10.10.20    medium              43
Syslog: 10.10.10.30    low                 78
Syslog: 10.10.10.40    high                3
Console                high                1630
Monitor                high                1630
Buffered               high                1630
SNMP                   high                0
File                   disabled            0
Discards: high=0 medium=0 low=0 debug=0
timestamp UTC

show logging file


This command displays messages logged in the persistent logging file loggen on an optional CompactFlash card. This file stores data in the CFlash: directory if power to the XSR is lost. When the XSR comes up again it copies the history from loggen back into the RAM buffer. If no CompactFlash card is installed, persistent logging is not performed.

Syntax
show logging file

Mode
EXEC or Privileged EXEC: XSR> or XSR#

Example
XSR>show logging file

Sample Output
The following example displays the logging file information:
XSR#show logging file
History of logging to file cflash:loggen
File logging disabled
File cflash:loggen does not exist.

show logging history


This command displays the contents of the logging history buffer.

Mode
Privileged EXEC: XSR#

Example
XSR#show logging history

Sample Output
The following command displays logging history and severity levels:
Log history buffer: logging severity=MEDIUM+HIGH; messages logged= 8
<186>Feb 4 09:12:28 192.168.27.38 CLI: User: admin logged in from console
<186>Feb 4 09:10:56 192.168.27.38 CLI: CLI config mode released by startup-config
<186>Feb 4 09:10:56 192.168.27.38 ETH: Interface FastEthernet1, changed state to up
<186>Feb 4 09:10:56 192.168.27.38 CLI: CLI config mode locked by startup-config
<186>Feb 4 09:10:53 192.168.27.38 PLATF: System warm boot from cli
<11>May 29 22:20:59 TORONTO : System restarted
<12>May 29 22:25:59 TORONTO : Serial 0 changed state from up to down

show sntp
This command displays SNTP (Simple Network Time Protocol) setup and traffic statistics.

Syntax
show sntp

Mode
Privileged EXEC: XSR#

Sample Output
XSR#show sntp
Server IP:192.168.27.88
Poll Interval: 512
Sntp Requested: 1
Last Synced: 17:00:34-UTC-Sunday,26-JAN-2003
Current Time: 10:53:01-UTC-Monday,27-JAN-2003

show version
This command displays current XSR hardware and firmware data.

Syntax
show version

Mode
Privileged EXEC: XSR#

Sample Output
The following example is output from an XSR-1805:
XSR#show version
Enterasys Networks Operating Software
Copyright 2002 by Enterasys Networks Inc.
Hardware:
Motherboard Information: XSR-1800 ID: 9002854-02 REV0A
Serial Number: 0000019876543210
Processor: IBM PowerPC 405GP Rev. D at 200MHz
RAM installed: 32MB
Flash installed: 8MB on processor board, 16Mb compact flash
CompactFlash: SunDisk SDP 5/3 0.6 has 32047104 bytes
Real Time Clock
I/O on Motherboard: FastEthernet 1 FastEthernet 2 Rev 0 H/W Encryption Accelerator Rev 1 T1E1 has 4 channelized ports in NIM slot 1. Rev 0 ISDN BRI has 2 ST ports in NIM slot 2. Rev 1 Empty internal NIM slot 3
Bootrom: Version 2.03 Built Jul 28 2003, 11:35:07
Software: Version 5.5.1.3, Built May 16 2003, 14:31:56
CLI revision 1.5
Software file is xsr1800.fls with VPN; with Firewall
XSR-1800 uptime is 33 days, 10 hours, 44 minutes.

The following example displays output from an XSR-3150:
XSR#show version
Enterasys Networks Operating Software
Copyright 2003 by Enterasys Networks Inc.
Hardware:
Motherboard Information: XSR-3150 ID: 9002914-04 REV0A CPLD Rev 3
Serial Number: 3646031700233215
Processor: Broadcom BCM1250 Rev 2 at 600MHz
PowerSupply1, PowerSupply2
Fans 1 2 3 4 5 6 7 8
CPU Temperature Max: 80C Current: 38C
Router Temperature Max: 60C Current: 24C
RAM: 512MB without interleave
Memory Bus at 120MHz, CASL at 2.0
Bootrom Flash: 4MB
Filesystem Flash: 8MB
CompactFlash not present
Real Time Clock
I/O on Motherboard: GigabitEthernet 1 2 3
Encryption Hardware: not present
Slot 0 card 1: Empty
Slot 0 card 2: Empty
Bootrom: Version 1.5, Built Aug 26 2003, 13:23:16
Software: Version 6.0.0.0, Built Sep 7 2003, 16:06:27
CLI revision 1.5
Software file is xsr3000.fls with VPN; with Firewall.
XSR-3150 uptime is 0 years, 4 days, 2 hours, 4 minutes, 6 seconds.

show whoami
This command displays identification data for a current terminal session.

Syntax
show whoami

Mode
Privileged EXEC: XSR#


Example
XSR#show whoami

Sample Output
XSR#show whoami
Comm Server Enterasys, current line at 9600bps.

File System Commands


The XSR employs an MS-DOS compatible file system in Flash memory. The following commands are available.

boot system
This command creates a boot-config file to store the firmware file name of the active software image. This file name points to the firmware file loaded during system initialization in the following sequence:
1. The boot-config file is looked up in either flash: or cflash:. If boot-config is not found there, the router proceeds to Step 2. If the file named in boot-config is not found, the router goes to Step 3.
2. If the default file (xsr1800.fls or xsr3000.fls) is not found, the router goes to Step 3.
3. An FTP/TFTP server as defined in network parameters of Bootrom mode is queried. If the image is not found in this remote location, initialization is suspended in Bootrom mode.

The command initiates a script requiring confirmation of your intention.

Syntax
boot system <newName.FLS>

Mode
Global configuration: XSR(config)#

Default
XSR1800.FLS for Series 1800 routers
XSR3000.FLS for Series 3000 routers
Note: A new software image file name must use the .fls extension. Optionally, you can modify a file with the rename command.

Examples
The following XSR 1800 Series example creates a boot-config file pointing to the firmware file name VPN_XSR1800.fls:
XSR(config)#boot system VPN_XSR1900.fls

The following example renames the VPN_XSR1900.fls file to match the Bootrom default file name. After entering the command, you are prompted by the following script:
XSR(config)#rename VPN_XSR1800.fls xsr1800.fls
Rename flash:VPN_xsr1800.fls to flash:xsr1800.fls(y/n) ? y
renaming file flash:VPN_xsr1800.fls -> flash:xsr1800.fls
XSR#

The following example renames the firmware file as part of an FTP/TFTP transfer. After entering the command, you are prompted by this script:
XSR-1800#copy tftp://192.168.37.162/c:\firmware\VPN_xsr1800.fls flash:xsr1800.fls
Copy 'c:\firmware\VPN_xsr1800.fls' from server as 'xsr1800.fls' into Flash(y/n) ? y
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Download from server done
File size: 3242460 bytes
XSR-1800#

cd
This command changes the current directory to flash: or cflash: on the XSR file system.

Syntax
cd [flash: | cflash:]
flash:   Default directory in Flash memory.
cflash:  Default directory in CompactFlash memory.

Mode
Privileged EXEC: XSR#

Example
XSR#cd cflash:

copy <file>
This command copies a file to a new file which may reside in a local directory, flash: or cflash:, or on a remote TFTP server. You can omit the destination file name if new and source file names are identical. The local directories are in the XSR's MS-DOS compatible file system in On-Board Flash (flash:) or CompactFlash (cflash:) memory. Copy initiates a script prompting your confirmation.

Syntax
copy source destination

The possible options are:
XSR#copy {flash: | cflash:}[filename] {flash: | cflash:}[filename]
XSR#copy {flash: | cflash:}[filename] tftp:[[[//location]/directory]/filename]
XSR#copy tftp:[[[//location]/directory]/filename] {flash: | cflash:}[filename]
XSR#copy running-config startup-config

running-config   Keyword alias for current running configuration. This alias is only valid as follows:
                 copy running-config startup-config
                 This generates the current running configuration and saves it to flash:startup-config.
startup-config   Keyword alias for flash:startup-config.
flash:/cflash:   Alias for Flash or CompactFlash memory as a source or destination.
tftp:            Alias for a Trivial File Transfer Protocol (TFTP) network server which can be used as a source or destination. The syntax for this alias is tftp:[[//location]/directory/]filename. The location must be an IP address. Default: 0.0.0.0
Note: A TFTP file network transfer may be lengthy especially when loading a software image which may be 3 - 6 Mbytes. The CLI prints a character every few seconds to indicate a transfer in progress.

Mode
Privileged EXEC: XSR#

Examples
XSR#copy tftp://192.168.27.1/root/enterasys-sw flash:

Save Configuration to TFTP Server


Save the startup-config file on a TFTP server over the network. Enter:
XSR#copy startup-config tftp:[[[//location]/directory]/filename]

Software Image Loading from a TFTP Server


This XSR 1800 Series example loads the XSR software image into a file in Flash memory. If flash: is full, you must first delete the existing image file or rename the new image xsr1800.fls so as to copy over the old image. Be sure that your TFTP server is running and you know its IP address before you issue the command. Entering the ipconfig command at a DOS prompt will reveal the TFTP server IP address.
XSR#copy tftp://192.168.1.100/XSR1800.FLS flash:

Respond to the following script as prompted:
Destination file name [XSR1800.FLS]:
Copy XSR1800.FLS from server as XSR1800.FLS into Flash (y/n) ?y
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
Download from server done
File size: 1856714 bytes

The image is copied to flash: and its checksum verified. Should the transfer fail, then the router is temporarily without valid software in Flash and the XSR should not be reloaded or powered down. A new TFTP copy should be initiated. The CLI session which initiated the copy is blocked during TFTP loading.


Configuration Load
This example loads startup-config via the network from a TFTP server. The XSR does not load the configuration from the network automatically.
XSR#copy tftp:TFTP1/tftpfiles/tftpimage flash:startup-config

Save Running Configuration


To save configuration changes into non-volatile memory, the running configuration must be copied into startup configuration:
XSR#copy running-config startup-config

copy running-config startup-config


This command copies the running configuration to the startup configuration file which is stored in non-volatile memory. It initiates a script requiring confirmation of your intention.

Syntax
copy running-config startup-config

Mode
Privileged EXEC: XSR#

Example
XSR#copy running-config startup-config

Sample Output
XSR#copy running-config startup-config
Copy 'running-config' as 'startup-config' into flash: device (y/n) ? y
Running-config saved to startup-config.
<186>Sep 23 16:02:08 10.10.10.20 CLI: Running-config saved to startup-config by user admin

copy startup-config tftp


This command saves the startup configuration on a TFTP server via the network connection. It initiates a script requiring confirmation of your intention.

Syntax
copy startup-config tftp:[[[//location]/directory]/filename]
location   IP address of the TFTP server on the network.
directory  Name of the TFTP directory.
filename   Name of the TFTP file.


Mode
Privileged EXEC: XSR#

Example
XSR#copy startup-config tftp://192.168.1.100/cfg.txt

Sample Output
XSR#copy startup-config tftp://192.168.1.100/abc.cfg
Copy 'startup-config' from Flash to server as 'abc.cfg'(y/n) ? y
Upload to server done
File size: 2997 bytes

delete <file>
This command removes a file from the XSR file system. It initiates a script requiring confirmation of your intention.

Syntax
delete [flash: | cflash:] filename
flash:    Flash memory directory.
cflash:   CompactFlash memory directory.
filename  Name of the file to be deleted.

Mode
Privileged EXEC: XSR#

Sample Output
XSR#delete startup-config
Delete filename [startup-config] y
Delete flash:y? [confirm] n
Delete of flash aborted

dir
This command lists files in the Flash or CompactFlash directory.

Syntax
XSR#dir [flash: | cflash:]
flash:   Flash memory directory.
cflash:  CompactFlash memory directory.


Mode
Privileged EXEC: XSR#

Default
flash: unless you change the default using the cd command.

Example
XSR#dir flash:

Sample Output
The following is sample output from an XSR 1800 Series router:
XSR#dir flash:
Listing Directory flash:
size     date         time      name
817496   SEP-17-2002  15:21:32  bootrom1_18.fls
3220453  SEP-17-2002  15:24:08  xsr1800.fls
976      SEP-23-2002  16:02:08  startup-config
308      SEP-17-2002  15:26:14  user.dat
572      SEP-23-2002  14:50:32  cert.dat
0        SEP-23-2002  14:24:56  leases.cfg
64       SEP-23-2002  14:50:30  dhcpd.cfg
0        SEP-23-2002  14:24:56  leases.cfg.bak

2,328,576 bytes free
6,381,568 bytes total

more
This command shows a file's contents in ASCII format by default or hexadecimal (binary) format.

Syntax
XSR#more [/ascii | /binary | flash: | cflash:]filename
/ascii    File read in flat ASCII text.
/binary   File read in Hexadecimal format.
flash:    File residing in the On-Board Flash directory.
cflash:   File residing in the CompactFlash directory.
filename  Name of the file to be displayed.

Mode
Privileged EXEC: XSR#


Default
Format: ASCII
Directory: current directory

Examples
XSR#more /ascii flash:startup-config
XSR#more flash:startup-config

Sample Output
In ASCII format (/ascii):
Controller t1 1/0
Clock source line primary
Framing esf

In Binary format (/binary:):
00000000 12345678 12345678 12345678 12345678
00000010 12345678 12345678 12345678 12345678
00000020 12345678 12345678 12345678 12345678

pwd
This command displays the current directory.

Syntax
XSR#pwd

Mode
Privileged EXEC: XSR#

Example
XSR#pwd
XSR#flash:

reload
This command allows the XSR to be rebooted (warm) or restarted (cold) with the option of successfully uploading a new image (the primary Enterasys Operating System [EOS] file) or falling back to the secondary (existing) file stored in Flash: or Cflash: if an error is detected. EOS Fallback tests the primary EOS and if it is not found, or verification fails, or errors appear in the startup-config file, or if no message is received from the configured SNMP server, the secondary EOS file is retained. Also, you can reboot or restart the XSR immediately or on a delayed basis. The EOS test duration begins when the primary EOS starts booting up and is variable to account for your network conditions.

One requirement of EOS fallback is to name the primary file, described in the following Syntax table. Because the EOS test verifies this file to be a bootable image, it will reject the reload fallback command if verification fails. At this point the XSR will return to the secondary EOS file which is specified in the flash:boot-config file. Although you cannot configure the secondary EOS file, if you wish to rename it, use the boot system command. Be aware that if the boot-config file does not exist in the flash: directory, EOS fallback will search for the default xsr1200.fls, xsr1800.fls or xsr3000.fls file first in flash:, then in cflash:, finally over the network (as specified in the bootrom using the Bootrom monitor mode commands sn or np).

When you reboot the router using reload, the newly loaded startup-config file is converted to the running-config file. The command initiates a script requiring confirmation of your intention. Be aware that the reload command does not appear in startup-config.

For more information on how to use this command, refer to the Chapter 2: Managing the XSR in the XSR User's Guide.

Syntax
reload [in | at [mmm | hh:mm] | cancel | cold | warm | fallback] primary-file {cflash: | flash:} duration [config | snmp [ip-address]]
in               Reloads after a specified interval, expressed in minutes or hours:minutes.
at               Reloads at a particular time, expressed in hours and minutes.
cancel           Cancels a pending reload.
primary-file     The file name, including the device name (flash:xsr1800.fls, for example), and can include any other designation of up to 31 ASCII characters. For example: flash:my_new_xsr1800.fls or cflash:8_12_04_xsr1800.fls.
cflash: flash:   Reloads primary OS file from cflash: or flash: directory and tested for an interval you specify between 5 and 30 minutes.
duration         Primary OS test period after reload, ranging from 5 to 30 minutes.
config           Fallback to secondary OS file if any syntax error is found in startup-config.
snmp             Fallback to secondary OS file if no SNMP message was received during test.
ip-address       SNMP manager IP address to be monitored for received messages. If no SNMP IP address is specified, any received SNMP message indicates SNMP communications are successful.
cold             XSR hardware is reinitialized with the SDRAM cleared and software rebooted. The start is slower since hardware diagnostics are performed.
warm             XSR hardware is reinitialized and software rebooted. The start is faster since hardware diagnostics are not performed during the reboot.
none             Lack of argument performs a warm start.

Defaults
Warm start
Primary OS test: 10 minutes

Mode
Privileged EXEC: XSR#


Examples
The following example immediately cold restarts the XSR:
XSR#reload cold

The following example warm upgrades the new image from the primary OS file in the flash: directory and tests it for 15 minutes with the fallback option set to the secondary OS file if a syntax error is found in the startup-config file:


XSR#reload warm fallback flash:xsr1800.fls 15 config

The following example warm reboots the XSR in 240 hours and 12 minutes:
XSR#reload in 240:12 cold

The following command upgrades the new image via SNMP using the proprietary MIBs enterasys-image-validation-mib and enterasys-configuration-management-mib. For a description of the three-step procedure to configure the MIBs, refer to the XSR User Guide.


XSR#reload fallback cflash:xsr3004.fls 6 snmp 1.1.1.2

The following example upgrades the new image in 12 hours, 12 minutes with a fallback to the secondary OS if syntax errors are detected or if no SNMP messages are received from SNMP server at 192.168.57.4 during the test:


XSR#reload at 12:12 fallback config 10 config snmp 192.168.57.4

Sample Output
The following output is displayed, prompting you for a response, when you issue a cold reload:
XSR#reload cold
Proceed with reload (y/n)? y
X-Pedition Security Router Bootrom
Copyright 2004 Enterasys Networks Inc
....etc. proceeds with warm start

The following output is displayed when you cancel a reload:
XSR#reload cancel

No EOS Fallback is enabled
No reload is scheduled

rename
This command renames a file in the Flash: or CFlash: directory.

Syntax
rename {cflash: | flash:} source-filename destination-filename
cflash:           Renames a file within the CFlash: directory.
flash:            Renames a file within the Flash: directory.
source-name       Source file name.
destination-name  Destination file name.

Mode
Privileged EXEC: XSR#

Example
XSR#rename cflash:xsr3000.fls.5512 flash:xsr3000.fls

show hostname
This command displays the name you specified for the XSR.

Syntax
show hostname

Mode
EXEC: XSR>

Example
XSR#show hostname

Sample Output
XSR#show hostname
Local hostname is XSR

show reload
This command displays data about scheduled reloads of the Enterasys Operating System (EOS).

Syntax
show reload

Mode
Privileged EXEC: XSR#

Sample Output
The following is sample output from the command when a reload is scheduled:
XSR#show reload
Reload scheduled in 9:56 minutes
eos fallback running
eos fallback not polling
eos fallback crash monitoring enabled
eos fallback config disabled
eos fallback snmp monitoring enabled 192.168.72.72
eos fallback test duration 5 minutes
eos fallback primary file flash:vpn_xsr1800.fls
eos fallback is supported by installed bootrom 3.4 (need 3.4 or newer)

The following is sample output from the command when a reload is not scheduled:
XSR#show reload
No reload is scheduled
No EOS fallback

Parameter Description
running/not polling  Scheduled reload timer is running or the test period is in progress.
crash monitoring     A reload check for system failure.
fallback config      Fallback enabled or disabled.
snmp monitoring      A reload check for SNMP messages and SNMP server IP address.
test duration        The interval reload monitors for primary EOS crashes, a syntax error in startup-config, and SNMP messages for a configurable period between 5 and 30 minutes.
primary file         Directory and file name (including device name) of primary EOS file.

show running-config
This command displays the router's running configuration as a sequence of CLI commands segmented by module. The XSR gathers data from all system modules but collects and displays only those values different from default settings.

Syntax
show running-config

Mode
Privileged EXEC: XSR#

Example
XSR#show running-config

Sample Output
The XSR 1800 Series sample output below displays as a number of CLI commands under the appropriate modules:
XSRtop(config)#show running-config
!PLATFORM
! CLI version 1.5
! XSR-1800
! Software:
! Version 5.5.1.2, Built Jul 17 2003, 13:50:37
hostname XSRtop
!NETWORK MANAGEMENT
username admin privilege 15 "password is not displayed"
session-timeout console 35000
session-timeout telnet 35000
session-timeout ssh 35000
!T1E1
controller t1 0/2/0
clock source internal
no shutdown
!IKE
crypto isakmp proposal try1
authentication pre-share
encryption aes
hash md5
group 5
lifetime 40000
crypto isakmp peer 2.2.2.2 255.255.255.255
crypto isakmp peer 1.1.1.1 255.255.255.255
!IPSEC
crypto ipsec transform-set jj
no set security-association lifetime kilobytes
no set security-association lifetime seconds
!INTERFACE AND SUB-INTERFACE
interface FastEthernet 1
ip address 20.1.1.1 255.255.255.0
no shutdown
interface FastEthernet 2
ip address 1.1.1.16 255.255.255.0
interface Loopback5
int Dialer3
interface Serial 2/0:0
encapsulation ppp
ip address 30.1.1.1 255.255.255.0
no shutdown
interface Multilink 8
interface Vpn1 multi-point
interface Vpn4 point-to-point
!IP
ip local pool classA 10.10.0.0 255.255.0.0
ip route 1.1.1.0 255.255.255.0 2.2.2.2
ip route 7.0.0.0 255.0.0.0 Null0
!OSPF
router ospf 1
network 30.1.1.0 0.0.0.255 area 0.0.0.0
network 20.1.1.0 0.0.0.255 area 0.0.0.0
!RIP
router rip
!SNMP
snmp-server community public rw
snmp-server enable
!AAA
aaa group ii
dns server primary 0.0.0.0
dns server secondary 0.0.0.0
wins server primary 0.0.0.0
wins server secondary 0.0.0.0
pptp encrypt mppe 128
policy vpn
!
aaa method radius RADIUS
backup Radbackup
enable
group DEFAULT
address ip-address 0.0.0.0
hash enable
key 48aifij4
client firewall
auth-port 851
acct-port 850
attempts 5
retransmit 5
timeout 25
qtimeout 800
!FIREWALL
ip firewall network private 1.0.0.0 150.255.255.255 internal
ip firewall network any_ext 150.0.0.0 223.255.255.255 internal
ip firewall network allowRADIUS 10.10.10.1 mask 255.255.255.255 internal
ip firewall network allowRADIUS1 10.10.10.2 mask 255.255.255.255 internal
ip firewall network OSPFm 224.0.0.5 224.0.0.6 internal
ip firewall network Ten 10.1.0.0 mask 255.255.0.0 internal
!
ip firewall policy RADIUS allowRADIUS allowRADIUS1 Radius allow bidirectional
!
ip firewall filter OSPFm private Ten protocol-id 89
ip firewall filter OSPFm1 Ten private protocol-id 89 bidirectional
ip firewall load
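Because the output is segmented by "!MODULE" marker lines, a saved copy of it can be reviewed module by module. The following added example, which is not Enterasys code, splits such a listing into modules and applies two review rules scoped to the module they belong to, so that "hash enable" under AAA is not mistaken for the ISAKMP "hash md5" setting. The excerpt is taken from the sample output above; the rule set and all function names are assumptions chosen for illustration.

```python
import re
from typing import Dict, List, Tuple

# Excerpt of the "show running-config" sample output on this page.
SAMPLE_CONFIG = """\
!PLATFORM
! CLI version 1.5
! XSR-1800
hostname XSRtop
!NETWORK MANAGEMENT
username admin privilege 15 "password is not displayed"
session-timeout telnet 35000
!IKE
crypto isakmp proposal try1
authentication pre-share
encryption aes
hash md5
group 5
!SNMP
snmp-server community public rw
snmp-server enable
!AAA
aaa group ii
policy vpn
!
aaa method radius RADIUS
hash enable
"""

# A module marker is "!" followed directly by an upper-case name, for example
# "!NETWORK MANAGEMENT". "! CLI version 1.5" and a bare "!" are comments.
SECTION_RE = re.compile(r"^!([A-Z][A-Z0-9 /-]*)$")

# Review rules (an assumption, not a vendor checklist): module, pattern, note.
RULES = [
    ("SNMP", re.compile(r"^snmp-server community (\S+) rw$"),
     "SNMP community {0!r} is configured with read-write access"),
    ("IKE", re.compile(r"^hash md5$"),
     "ISAKMP proposal uses MD5 as its hash algorithm"),
]


def split_modules(text: str) -> Dict[str, List[str]]:
    """Group command lines under the module marker that precedes them."""
    modules: Dict[str, List[str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        marker = SECTION_RE.match(line)
        if marker:
            current = marker.group(1).strip()
            modules.setdefault(current, [])
        elif line.startswith("!"):
            continue  # comment or separator inside a module
        elif current is not None:
            modules[current].append(line)
    return modules


def audit(text: str) -> List[Tuple[str, str, str]]:
    """Return (module, command line, note) for every rule that matches."""
    findings = []
    for module, lines in split_modules(text).items():
        for line in lines:
            for rule_module, pattern, note in RULES:
                match = pattern.match(line)
                if rule_module == module and match:
                    findings.append((module, line, note.format(*match.groups())))
    return findings


if __name__ == "__main__":
    for module, line, note in audit(SAMPLE_CONFIG):
        print("[%s] %s  -> %s" % (module, line, note))
```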

verify
This command verifies a packed software image file. The file name must end in *.fls. If the directory name is not specified, the current directory is used.

Syntax
XSR#verify [flash: | cflash:]filename.fls
flash:        File located in the Flash directory.
cflash:       File located in the CompactFlash directory.
filename.fls  Name of a packed software image file.

Mode
Privileged EXEC: XSR#

Sample Output
The following sample XSR 1800 Series output displays a correct message:
XSR#verify xsr1800.fls
Verifying SW image file, j.fls
File chksum=0xeb14
SW Image size=070452 sum=0x6a9e compressed_size=1578677 entry=0x10000
Diagnostics size=815012 sum=0x2a32 compressed_size=266244 entry=0x10000
xsr1800.fls is a valid S/W image file

or an error message:
Invalid chksum(0xf2d9)!=Expected chksum0x4800

write
This command writes the running configuration to Flash memory, a network TFTP server, or a terminal. Only values different than default settings are collected and displayed.

Syntax
write erase
write terminal
write network flash: filename
write network tftp:[[/location]/directory/]filename

Sample Output
Controller t1 1/0
Clock source line primary
Framing esf
etc.


Bootrom Monitor Mode Commands


Bootrom monitor mode offers special user access for Flash:/CompactFlash: file operations and on occasions when the XSR lacks valid software or runs abnormally. Enter the mode by pressing the key combination (CTRL-C) during the first five seconds of initialization. After you access the mode, list command groups by typing h to show the text below:
b  Boot
f  Files
n  Network
s  Status
t  Time and Date
D  For Development Only

All subcommands in each group can be listed by entering the command group letter. The main menu provides the following functions:
Reboot warm or cold
Update Bootrom
File system related commands for the Flash ROM file system
Modify network parameters
Various status/show commands
  Version number
  Hardware information
  Display crash information
Display or change date and time on real-time clock
Commands for development use only

bc
This command initiates a cold reboot.

bw
This command initiates a warm reboot.

bp
This command changes the Bootrom password. The default password is blank. You are prompted to enter a password by the following script:
XSR-1800: bp
Enter current password:
Enter new password: ******
Re-enter new password: ******
Password has changed.


If the Bootrom password is lost on the XSR 1800 Series, you can restore it by pressing the Default button. Be aware that when pressed, the Default button erases all configuration files and the master encryption key.

bu
This command updates the Bootrom file from a local file. You are prompted to enter data by the following script. When the Proceed with erasing current Bootrom in flash... statement appears, enter y. Be sure not to interrupt the process or power down the XSR or it may be affected adversely. After you have updated this file, you can delete it from Flash to conserve space for other files. The following example displays output from an XSR 1800 Series router:
XSR-1800: bu cflash:bootrom1_20.fls
Checking cflash:bootrom1_18.fls...
Updating bootrom with file, cflash:bootrom1_18.fls.
Proceed with erasing current Bootrom in flash and replace with cflash:bootrom2_02.fls?y
*****************************************************
* Do not interrupt or power down until complete! *
*****************************************************
Erasing 8 sectors at address=0xfff00000
Programming 130816(0x1ff00) bytes at address 0xfff00100
Programming 131072(0x20000) bytes at address 0xfff20000
Programming 131072(0x20000) bytes at address 0xfff40000
Programming 131072(0x20000) bytes at address 0xfff60000
Programming 131072(0x20000) bytes at address 0xfff80000
Programming 131072(0x20000) bytes at address 0xfffa0000
Programming 31320(0x7a58) bytes at address 0xfffc0000
Programming high branch instruction at address 0xfffffffc
Verifying Bootrom flash sectors
Locking 8 Bootrom flash sectors
***** Bootrom update completed. *****

Using default Bootrom password. The system is not secure!!!
Use bp to change password

bU
This command updates the bootrom file through a network transfer to a local file. Be sure to enter an uppercase U. After you have updated this file, you can delete it from Flash to conserve space for other files.

cd
This command changes the current directory in the file system to flash: or cflash:.

copy
This command copies a file using the syntax copy <source name> <destination name>. You can copy from flash: to cflash: and vice versa.


da
This command displays system date and time with this sample output:
XSR-1800: da
Date: Thursday, 29-MAY-2003.
Time: 10:14:07

del
This command removes a file from flash: or cflash: memory.

df
This command displays free disk space with this sample output:
XSR-1800: df
Free space on flash: is 3383296 bytes (0x33a000).

dir
This command lists the contents of the current directory in long format. The XSR 1800 Series sample output is shown as follows:
XSR-1800: dir
size     date         time      name
-------  -----        -----     -------
1728458  MAY-08-2002  03:05:14  xsr1800.fls
1569     MAY-14-2002  02:25:00  startup-config
214      JAN-01-2000  22:05:22  user.dat
794828   JAN-01-2000  00:01:52  bootrom1_11.fls
0        DEC-27-2019  11:07:14  cert.dat
1352     JAN-18-2020  16:21:36  diagmsg.dat
808220   MAY-08-2002  03:03:22  bootrom1_15.fls

3383296(0x33a000) bytes free on flash:

The XSR 3000 Series sample output is shown as follows:
XSR-3250: dir
Listing Directory flash::
-rwxrwxrwx 1 0 0 4678118 May 5 23:06 xsr3000.fls
-rwxrwxrwx 1 0 0    2228 May 29 09:57 persistent-data
-rwxrwxrwx 1 0 0    1153 May 29 09:51 startup-config
-rwxrwxrwx 1 0 0       0 May 29 09:51 private-config

2895872(0x2c3000) bytes free on flash:

ds
This command sets the system date using the syntax yyyy mm dd w (1=Sunday). For example:
XSR-3020: ds 2003 6 1 3


dt
This command sets system time using the syntax hh mm ss. For example:
XSR:dt 11 59 59

ff
This command formats the Flash file system. We recommend you first save any .dat, .cert, .cfg, and your startup-config files to cflash: or a PC since any files in flash: will be deleted. You are prompted to enter data by the following script:
XSR-1800: ff
You will lose all files in the flash: file system.
Are you sure you want to format the flash: file system? (y/n) y
Unlocking flash file sectors
Initializing DOS file system.
Formatting flashrom file system
......................................................
Done.
Set working directory to flash:
Using default Bootrom password. The system is not secure!!!
Use bp to change password
XSR-1800:

ffc
This command formats the CompactFlash file system.

ng
This command retrieves a file over the network using a remote IP address and remote file path.

np
This command modifies network parameters. You are prompted to enter data by the following script. While most of the options are self-explanatory, three require further description.
When set to no, the Autoboot option places the prompt in Bootrom mode when you boot or power up the XSR.
When set to yes, the default Quick boot action of delaying five seconds at startup for you to optionally enter CTRL-C and acquire Bootrom mode is negated. You can still acquire Bootrom mode, but you must immediately press CTRL-C upon seeing the X-Pedition Security Router Bootrom header.
The default hostname (local target name), XSR-1800, cannot be changed. In the absence of a user-supplied hostname via the hostname CLI command, this name will be used as the CLI prompt and SNMP hostname in MIB-II.

XSR-1800: np
Enter . = clear a field; - = go to previous field; ^C = quit
Local IP address (192.168.1.1) :
Gateway IP address () :
Remote Host IP address (192.168.1.10) :
Remote file path (c:\) :
Use TFTP (no) :
Ftp userid (anonymous) :
Ftp password () :
Local target name (robo1) :
Autoboot (yes) :
Quick boot (no) :
Permanently save the network parameters? (y/n)

ns
This command saves a file over the network using a remote IP address/file path.

rename
This command renames a file using the syntax rename <source name> <destination name>

sb
This command displays boot parameters with this sample output:
XSR-1800: sb
Current boot file is xsr1800.fls
Boot selector default is flashrom, compactFlash, network
Available Network boot devices: Eth1

sf
This command displays a fault report with the following sample output for the XSR 1800 Series. On XSR 3000 Series routers, you can enter sf 0 or sf 1 to display output from either CPU.
XSR-1800: sf
No fault report at 0x1feef00

This command displays the following sample output on the XSR-3250:
XSR-3250: sf
Software Revision: 6.0.0.0 without VPN; without Firewall
Creation Date: Sep 7 2003, 16:07:42
Broadcom BCM1250 Rev 2
CPU0 up-time 0 hours 2 minutes 20 seconds
Crashed Task = PP, Task Status = 0, errno=0 initStage=0
Exception Vector Number=0x5, Address error exception, store
pc= 821014b0 sp= 85febb90 STATUS= 3400ff81
zero= 00000000 at= 08110000 v0= 11223344 v1= 00000000
a0= 3400ff81 a1= 00000000 a2= 3400ff81 a3= 85feb8f8
t0= 00000000 t1= 3400ff80 t2= 3400ff81 t3= 00000000
t4= 00000001 t5= 0000009b t6= 0a0122d4 t7= 00000004
s0= 85febbe0 s1= 8219d3dc s2= 00000000 s3= 00000000
s4= 00000000 s5= 00000000 s6= 00000000 s7= 00000000
t8= 00000000 t9= 00080000 k0= eeeeeeee k1= 00000000
gp= 8219b1e0 sp= 85febb90 s8= 00000000 ra= 820e9178
par1= ffffffff par2= 85febaf8 par3= ffffffff par4= 820e9b10
cause= 80000014 cntxt= ffffffff fpcsr= d3800000 badva= 08112233
divLo= 00000000 divHi= 00000000 causeR= ffffffff fpcsr= 820e9170
BadVAddr=08112233

PP - Crashed Task Stack (sp=85febb90):
0x85feb790 ffffffff 00000000 00000008 ffffffff
0x85feb7a0 00000000 00000001 00000000 00000001
0x85feb7b0 00000000 8214ab00 0000000a 82142ee0
0x85feb7c0 ffffffff 85feb7c0 ffffffff bf3285a4
0x85feb7d0 00000000 00000002 ffffffff 85feb7e0
0x85feb7e0 ffffffff 82154b50 00000000 00000017
......

si
This command displays XSR 1800 Series inventory with this sample output:
XSR-1800: si
IBM PowerPC 405GP Rev. D
Processor speed = 200 MHz
PLB speed = 100 MHz
OPB speed = 33 MHz
Ext Bus speed = 25 MHz
PCI Bus speed = 33 MHz (Sync)
Internal PCI arbiter enabled
RAM installed: 64MB
Flash installed: 8MB on processor board
CompactFlash: SunDisk SDP 5/3 0.6 has 32047104 bytes
Real Time Clock
FastEthernet 1 FastEthernet 2 Rev 0 H/W Encryption Accelerator Rev 1 T1E1 has 4 channelized ports on NIM slot 1. Rev 0 ISDN BRI has 2 ST ports in NIM slot 2. Rev 1 Empty internal NIM slot 3
System up for 1500 seconds.

This command displays XSR 3000 Series inventory with this sample output:
XSR-3150: si
Hardware:
Motherboard Information: XSR-3250 ID: 9002914-04 REV0A CPLD Rev 3
Serial Number: 2914024201123206
Processor: Broadcom BCM1250 Rev 2 at 600MHz
PowerSupply1, PowerSupply2
Fans 1 2 3 4 5 7 8 10
CPU Temperature Max: 80C Current: 35C
Router Temperature Max: 60C Current: 23C
RAM: 512MB without interleave
Memory Bus at 120MHz, CASL at 2.0
Bootrom Flash: 4MB
Filesystem Flash: 8MB
CompactFlash not present
Real Time Clock
I/O on Motherboard: GigabitEthernet 1 2 3
Encryption Hardware: not present
Slot 0 card 1: Empty
Slot 0 card 2: Empty
System up for 9 days, 3 hours, 4 minutes 10 seconds.

sn
This command displays sample XSR 1800 Series network values:
XSR-1800: sn
Local IP address    : 10.120.112.33
Gateway IP address  : 10.120.112.1
Remote IP address   : 10.120.112.88
Remote file path    : c:/tftpDir
Transfer Protocol   : TFTP
Local target name   : XSR1
Autoboot            : enabled
Quick boot          : no
IP address          : 192.168.1.1

Current FastEthernet 0 MAC address is: 00:01:f4:01:01:01
Current FastEthernet 1 MAC address is: 00:01:f4:01:01:02

sv
This command displays sample XSR 1800 Series bootrom version values:
XSR-1800: sv
X-Pedition Security Router Bootrom
Copyright 2003 Enterasys Networks Inc.
HW Version: 9002854-02 REV0A
Serial Number: 0001F4000102
CPU: IBM PowerPC 405GP Rev. D
VxWorks version: 5.4
Bootrom version: 1.18
Creation date: Apr 14 2003, 10:12:36


4
Configuring Hardware Controllers
Observing Syntax and Conventions
The CLI command syntax and conventions use the notation described in the following table.

Convention          Description
xyz                 Key word or mandatory parameters (bold)
[x]                 [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]         [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}         { | } Braces with vertical bar indicate a choice of a required value
[x {y | z} ]        [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)     xx signifies interface type and number, e.g.: F1, S2/1.0, D1, M57, G3. F indicates a FastEthernet, and G a GigabitEthernet interface.

Next Mode entries display the CLI prompt after a command is entered.
soho.enterasys.com  Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

Hardware Controller Commands


The following command sets allow you to define synchronization features for the XSR:
- Hardware Controller Commands
- Hardware Controller Clear and Show Commands

clock rate
This command configures the clock rate for the hardware connections on a serial interface. The command is valid and takes effect only when the interface is running in Asynchronous mode. For Synchronous mode, the clock rate is received externally.
Note: The clock rate cannot be changed in loopback mode.


Syntax
clock rate bps

bps    Configures the clock rate in bits per second (baud) on the line (async only). Valid rates are: 2400, 4800, 7200, 9600, 14400, 19200, 28800, 38400, 57600, and 115200.

Syntax of the no Form


no clock rate

Mode
Interface configuration: XSR(config-if<Sx>)#

Default
9600

Example
XSR(config-if<S1/0>)#clock rate 19200

databits
This command sets the number of data bits accepted on a serial port. The command is valid and takes effect only when the interface is running in Async mode. In Sync mode, the clock rate is received externally.

Syntax
databits bits

bits    Number of data bits per character on a serial port, ranging from 5 to 8.

Mode
Interface configuration: XSR(config-if<Sx>)#

Syntax of the no Form


no databits

Default
8

Example
XSR(config-if<S1/0>)#databits 7


description
This command sets the description text for an interface. The description will appear in the ifDescription (interface description) variable of the MIB.

Syntax
description <text>

text    Alphanumeric characters which describe the interface.

Mode
Interface configuration: XSR(config-if<xx>)#

Syntax of the no Form

The no form of this command clears the description:
XSR(config-if<S1/0>)#no description

Example
XSR(config-if<S1/0>)#description My FastEthernet Interface

duplex
This command, used in conjunction with the speed command, forces the FastEthernet/GigabitEthernet interface to operate at a specific duplex mode and speed. Setting the speed or duplex to autonegotiate implies that both the speed and the duplex mode will be negotiated. It is not possible to manually set one and autonegotiate the other. For example, you cannot set the speed to 10 Mb/s and set the duplex to autonegotiate.
When issuing this command, be aware of the following additional conditions:
- Duplex mode cannot be changed while in loopback.
- Changing the duplex mode preserves the speed.
- When the speed is changed from auto, duplex will be set to half.
- Setting speed or duplex to auto, no speed, or no duplex sets both duplex and speed to auto.
- When connecting an auto setting on an XSR to a forced setting on another router, the forced setting must be set to half-duplex regardless of the speed (10 or 100 Mbits).
- When the Gigabit Fiber port is used, both duplex and speed must be set to auto on both ends of the line to avoid an unpredictable link.

Syntax
duplex {full | half | auto}

full    Forces the interface to operate at full duplex.
half    Forces the interface to operate at half duplex.
auto    Allows the port to set the speed and duplex mode automatically.



Syntax of the no Form


no duplex

Default
auto

Mode
Interface configuration: XSR(config-if<Fx>)#

Example
XSR(config-if<F1/0>)#duplex full
XSR(config-if<F1/0>)#speed 100

loopback
This command forces the port into internal loopback mode. That is, the sender is internally connected to the receiver. This command is normally used for diagnostic purposes only.
Note: Issuing this command will isolate the port from any connected network.

Syntax
loopback

Syntax of the no Form


no loopback

Mode
Interface configuration: XSR(config-if<xx>)#

Default
Off

Example
The following example resets interface FastEthernet 1 to loopback:
XSR(config-if<F1>)#loopback


media-type
This command sets the media type appropriate to the cable type that the interface is connected to.

Syntax
media-type {RS232 | RS422 | RS449 | RS530A | V35 | X21}
Note: The XSR Serial NIM does not detect the media-type of an attached cable. You must configure the correct interface media-type matching the attached cable for the serial interface to function properly.

Mode
Interface configuration: XSR(config-if<xx>)#

Default
RS232

Example
XSR(config-if<S1/0>)#media-type V35

nrzi-encoding
This command sets the encoding type to NRZI. It is valid and takes effect only when the interface is running in Synchronous mode. Some computers require the encoding type to be set to NRZI.

Syntax
nrzi-encoding

Syntax of the no Form

The no form of this command disables NRZI encoding:
no nrzi-encoding

Mode
Interface configuration: XSR(config-if<Sx>)#

Default
Disabled

Example
XSR(config-if<S1/0>)#nrzi-encoding


parity
This command configures the parity on a serial interface. It is valid and takes effect only when the interface is in Asynchronous mode.

Syntax
parity {even | mark | none | odd | space}

even     Even parity.
mark     A constant 1 in the parity bit.
none     No parity.
odd      Odd parity.
space    A constant 0 in the parity bit.

Syntax of the no Form

The no form of this command invokes the none value:
no parity

Mode
Interface configuration: XSR(config-if<Sx>)#

Default
None

Example
XSR(config-if<S1/0>)#parity odd

physical-layer
This command specifies the mode of a serial interface as either synchronous or asynchronous. If set to synchronous, the port is configured as a DTE requiring an external transmit and receive clock to be supplied. If set to asynchronous, the interface will supply its own clock.
Note: A serial interface configured as a synchronous serial port must have an external transmit and receive clock.

Syntax
physical-layer {sync | async}

sync     Synchronous mode of XSR's serial interface.
async    Asynchronous mode of XSR's serial interface.


Mode
Interface configuration: XSR(config-if<Sx>)#

Default
Sync

Example
XSR(config-if<S1/0>)#physical-layer async

shutdown
This command disables an interface. When the interface is created, it is disabled by default.
Note: Issuing this command causes the interface to drop its link while disabled.

Syntax
shutdown

Syntax of the no Form


no shutdown

Mode
Interface configuration: XSR(config-if<xx>)#

Default
When the interface is created, it is disabled by default.

Example
XSR(config-if<S1/0>)#no shutdown

speed
This command, used in conjunction with the duplex command, forces the FastEthernet interface to operate at a specific speed and/or duplex mode. Setting the speed or duplex to autonegotiate implies that both the speed and the duplex mode will be negotiated. It is not possible to manually set one and autonegotiate the other. For example, you cannot set the speed to 10 Mb/s and set the duplex to autonegotiate.
For GigabitEthernet only, to set 1000 Mbits speed for copper or fiber, select auto which will autosense the correct line and duplex speeds.
Keep in mind the following caveats:
- Changing the speed preserves the current duplex mode.
- Speed cannot be changed in loopback mode.
- When connecting an auto setting on an XSR to a forced setting on another router, the forced setting must be set to half-duplex regardless of the speed (10 or 100 Mbits).
- For GigabitEthernet only, you must use a crossover cable when one or both ends of a line are forced. If both ends of the line are auto then you may use a crossover or straight-through cable.
- When the Gigabit Fiber port is in use, both duplex and speed must be set to auto on both ends of the line otherwise the connection is unpredictable.

Syntax
speed {10 | 100 | auto}

10      Forces the interface to operate at 10 Mbits per second.
100     Forces the interface to operate at 100 Mbits per second.
auto    Allows the port to set the speed and duplex mode automatically.

Syntax of the no Form


no speed

Mode
Interface configuration: XSR(config-if<Fx>)#

Default
Auto

Example
XSR(config-if<S1/0>)#speed auto
XSR(config-if<S1/0>)#duplex auto

stopbits
This command sets the number of stop bits on a serial port. It is valid and takes effect only when the interface is running in asynchronous mode.

Syntax
stopbits {1 | 2}

1    One stop bit.
2    Two stop bits.

Syntax of the no Form


no stopbits


Mode
Interface configuration: XSR(config-if<Sx>)#

Default
1

Example
The following example sets 2 stop bits on Serial port 1/0:
XSR(config-if<S1/0>)#stopbits 2

vlan
This command configures a Virtual LAN (VLAN) ID on a sub-interface.
Note: Similar to the PPPoE sub-interface, you must issue the no shutdown command to keep the interface up.

Syntax
vlan vlan-id

vlan-id    Identifier of the sub-interface, ranging from 0 to 4094.

Syntax of the no Form

The no form of this command removes the VLAN ID configuration:
no vlan

Mode
Sub-Interface configuration: XSR(config-if<xx>)#

Examples
The following example configures a FastEthernet sub-interface with VLAN ID 10:
XSR(config)#interface fastethernet 2.1
XSR(config-if<F2.1>)#vlan 10
XSR(config-if<F2.1>)#ip address 1.2.3.4 255.255.255.0
XSR(config-if<F2.1>)#no shutdown

The following example configures a VLAN configuration with PPPoE:
XSR(config)#interface fastethernet 2.4
XSR(config-if<F2.4>)#encapsulate ppp
XSR(config-if<F2.4>)#vlan 1400
XSR(config-if<F2.4>)#ip address negotiated
XSR(config-if<F2.4>)#ip mtu 1492
XSR(config-if<F2.4>)#no shutdown


Hardware Controller Clear and Show Commands

clear counters fastethernet


This command clears MIB-II counters for the FastEthernet interface. The counters cleared include:
- ifInOctets
- ifInUcastPkts
- ifInNUcastPkts
- ifInDiscards
- ifInErrors
- ifOutOctets
- ifOutUcastPkts
- ifOutNUcastPkts
- ifOutDiscards
- ifOutErrors
- ifInUnknownProtos

Syntax
clear counters fastethernet interface sub-interface

interface        FastEthernet interface number, ranging from 1 to 2.
sub-interface    FastEthernet sub-interface number, ranging from 1 to 64.

Mode
Privileged EXEC: XSR#

Example
The following example clears the MIB-II counters on FastEthernet port 1, sub-interface 20:
XSR#clear counters fastethernet 1.20

clear counters gigabitethernet


This command clears the same MIB-II counters for the interface as the clear counters fastethernet command.

Syntax
clear counters gigabitethernet interface sub-interface

interface        Interface number, ranging from 1 to 3.
sub-interface    Sub-interface number, ranging from 1 to 64.


Mode
Privileged EXEC: XSR#

Example
The following example clears the MIB-II counters on GigabitEthernet port 3, sub-interface 2:
XSR#clear counters gigabitethernet 3.2

clear interface fastethernet


This command resets the hardware logic on the FastEthernet interface. Using it preserves the current loopback mode, duplex mode and speed. This command is available on the XSR 1800 Series routers only.
Note: Issuing this command causes the interface to drop its link, any packets that it may have received, and any packets that may be in the process of being transmitted, while it resets. It preserves the current loopback mode, duplex mode and speed.

Syntax
clear interface fastethernet number

number    FastEthernet interface number ranging from 1 to 2.

Mode
Privileged EXEC: XSR#

Example
XSR#clear interface fastethernet 2

clear interface gigabitethernet


This command resets the hardware on the GigabitEthernet interface. This command is available on the XSR 3000 Series routers only.
Note: Issuing this command causes the interface to drop its link, any packets that it may have received, and any packets that may be in the process of being transmitted, while it resets. It preserves the current loopback mode, duplex mode and speed.

Syntax
clear interface gigabitethernet number

number    GigabitEthernet port, ranging from 1 to 3, and sub-interface, ranging from 1 to 64.

Mode
Privileged EXEC: XSR#


Example
The following example resets GigabitEthernet port 1, sub-interface 5:
XSR#clear interface gigabitethernet 1.5

clear counters serial


This command clears serial interface counters. The counters cleared are:
- ifInOctets
- ifInUcastPkts
- ifInNUcastPkts
- ifInDiscards
- ifInErrors
- ifOutOctets
- ifOutUcastPkts
- ifOutNUcastPkts
- ifOutDiscards
- ifOutErrors
- ifInUnknownProtos

Syntax
clear counters serial [card / port]

card    XSR card number.
port    XSR port number.

Mode
Privileged EXEC: XSR#

Example
XSR#clear counters serial 1/0

clear interface serial


This command resets the hardware logic on a serial interface.
Note: Issuing this command will cause the interface to drop its link, any packets that it may have received, and any packets that may be in the process of being transmitted, while it resets.


Syntax
clear interface serial [card/port]

card    XSR card number.
port    XSR port number.

Mode
Privileged EXEC: XSR#

Example
XSR#clear interface serial 1/0

show controllers fastethernet


This command displays detailed FastEthernet controller data for a port. This interface is available on the XSR 1800 Series routers only.

Syntax
show controllers fastethernet number

number    FastEthernet interface number, ranging from 1 to 2.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following example displays output from FastEthernet port 1:
XSR(config)#show controllers fastethernet 1
Packet Processor Tx Scheduler Stats:
157 Packet driver Tx OK
0 Packet driver not Tx: MUX END_ERR_BLOCK
0 Packet driver not Tx: MUX ERROR
0 Packet driver not Tx: Unknown Msg from MUX
The unit number is 1.
The interrupt number is 15.
Memory: base = 0xef600800
Vars: PollCount = 2806, g_eth1Interrupt = 0, bRxRunning = 0
Vars: bTxClean = 0, outQHung = 0
[...]
TX RING ENTRIES:
The ring starts at 0x01fcd000.
TxDRNum = 256, pTxMblkDR = 0x005f4824, TxDRIdx = 0
TxDRCleanIdx = 0
dataLen 0x00000000, status 0x00001300, buffer 0x00000000
dataLen 0x00000000, status 0x00001300, buffer 0x00000000
dataLen 0x00000000, status 0x00001300, buffer 0x00000000
dataLen 0x00000000, status 0x00001300, buffer 0x00000000
dataLen 0x00000000, status 0x00001300, buffer 0x00000000
[...]
RX RING ENTRIES:
The ring starts at 0x01fcc000.
RxDRNum = 128, pRxMblkDR = 0x01f33c88, RxDRIdx = 19
RxBuffSize = 1728, RxBuffOffset = 160
dataLen 0x00000000, status 0x00008000, buffer 0x01cc6c20
dataLen 0x00000000, status 0x00008000, buffer 0x01cc72e0
dataLen 0x00000000, status 0x00008000, buffer 0x01cc79a0
dataLen 0x00000000, status 0x00008000, buffer 0x01cc8060
dataLen 0x00000000, status 0x00008000, buffer 0x01cc8720
[...]

show controllers gigabitethernet


This command displays detailed FastEthernet controller data for an interface. This command is available on the XSR 3000 Series routers only.

Syntax
show controllers gigabitethernet [number]

number    GigabitEthernet interface, ranging from 1 to 3.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following example displays output from GigabitEthernet port 1:
XSR#show controllers gigabitethernet 1
Packet Processor Tx Scheduler Stats:
0 Packet driver Tx OK
0 Packet driver not Tx: MUX END_ERR_BLOCK
0 Packet driver not Tx: MUX ERROR
0 Packet driver not Tx: Unknown Msg from MUX
The unit number is 1.
The interrupt number is 63.
The source is 19.
The PHY is 1
Memory: base=0xb0064000
Vars: g_eth1Interrupt=0, mClBlkSize=0, bufsize=0
TX RING:
Ring starts at 0x815b1620.
TMaxDR=512, pTCurrDR=0x00000c30, TAddidx=0
TRemidx=0
datalen 0x00000000, status 0x00000000, buffer 0x80000000
datalen 0x00000000, status 0x00000000, buffer 0x80000000
datalen 0x00000000, status 0x00000000, buffer 0x80000000
datalen 0x00000000, status 0x00000000, buffer 0x80000000
datalen 0x00000000, status 0x00000000, buffer 0x80000000
[...]
RX RING:
Ring starts at 0x81568c60.
RMaxDR=512, pRCurrDR=0x00000830, RIdx=0
datalen 0x00000000, status 0x00000000, buffer 0x8ff5df60
datalen 0x00000000, status 0x00000000, buffer 0x8ff5e620
datalen 0x00000000, status 0x00000000, buffer 0x8fe86ce0
datalen 0x00000000, status 0x00000000, buffer 0x8fe873a0
datalen 0x00000000, status 0x00000000, buffer 0x8fe87a60
[...]
The secondary MAC addresses are (in hex):
[0] : < not used >
[1] : < not used >
[2] : < not used >
[3] : < not used >

show controllers serial


This command displays detailed serial controller data for an interface.

Syntax
show controller serial card/port

card    XSR card number of the serial controller.
port    XSR port number of the serial controller.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following example displays output from Serial port 1/0:
XSR#show controllers serial 1/0
Forward Engine Serial Layer Tx/Rx Stats:
RX FROM UPPER LAYER & TX TO DRIVER
Pcks Rx = 0 Pcks Tx = 0 Pcks Discarded = 0
RX FROM DRIVER & TX TO UPPER LAYER
Pcks Rx = 0 Pcks Tx = 0 Pcks Discarded = 0
Packet Processor Tx Scheduler Stats:
0 Packet driver Tx OK
0 Packet driver not Tx: MUX END_ERR_BLOCK
0 Packet driver not Tx: MUX ERROR
0 Packet driver not Tx: Unknown Msg from MUX
The unit number is 50331656.
The interrupt number is 26.
The DSR poll count is 800 ms.
The ACCM is at 0x01040acc.
Vars: CCR2=0x98ff0500, CCR1=0x98ff0500, CCR0=0x00000000, CD=0, g_Ser=0
Vars: bHandleRx=0, bTxClean=0
Vital Stats: TX Q Items = 0, TX Q Bytes = 0, TX CLK = 0
Memory: base = 0xa0020000
TX RING ENTRIES:
The interrupt ring starts at 0x018d6b60 (IDX = 0).
The data ring starts at 0x018f4d60.
TpTxMblkDR = 0x0104055c, TxDRIdx = 1, TxDRCleanIdx = 1
(-2) next 0xa04d8f21, flag1 0x00000000, flag2 0x00000000, buffer 0x00000000
(-1) next 0xc04d8f21, flag1 0x00000000, flag2 0x00000000, buffer 0x00000000
( 0) next 0xe04d8f21, flag1 0x00000000, flag2 0x00000000, buffer 0x00000000
( 1) next 0x004e8f21, flag1 0x00000000, flag2 0x00000000, buffer 0x00000000
( 2) next 0x204e8f21, flag1 0x00000000, flag2 0x00000000, buffer 0x00000000
[...]
RX RING ENTRIES:
The interrupt ring starts at 0x018d6ac0 (IDX = 0).
The data ring starts at 0x018f3540.
RxDRNum = 64, pRxMblkDR = 0x018f6b8c, RxDRIdx = 0
RxBuffSize = 1728, RxBuffOffset = 160
(-2) next 0x60358f21, flag1 0x0000fc05, flag2 0x00000000, buffer 0xe07d5021
(-1) next 0x80358f21, flag1 0x0000fc05, flag2 0x00000000, buffer 0xa0845021
( 0) next 0xa0358f21, flag1 0x0000fc05, flag2 0x00000000, buffer 0x608b5021
( 1) next 0xc0358f21, flag1 0x0000fc05, flag2 0x00000000, buffer 0x20925021
( 2) next 0xe0358f21, flag1 0x0000fc05, flag2 0x00000000, buffer 0xe0985021
[...]

show interface bri


This command displays ISDN Basic Rate Interface (BRI) information for an interface.

Syntax
show interface bri [card/port:channel.sub-interface]

card             ISDN BRI card number, either 1 or 2.
port             ISDN BRI port number, either 0 or 1.
channel          ISDN BRI D or B channel, either 0 for the D channel, and 1 or 2 for the B channels.
sub-interface    ISDN BRI sub-interface, ranging from 1 to 30.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following example displays output by the command:
XSR(config)#show interface bri 1/0
********** Serial Interface Stats **********
D-Serial 1/0:0 is Admin Up / Oper Down
********************** ISDN Stats ISDN-BRI 1/0 *********************
Layer 1: DOWN Layer 2: DOWN State: OFFLINE Admin Up Oper Down
Term. 1 Spid:2200555 State: OFFLINE Cause: 000
Term. 2 Spid:2201555 State: OFFLINE Cause: 000
Total Length = 257
The name of this device is bri0/1/0:0 .
The slot is 0.
The card is 1.
The port is 0.
The channel is 0.
The current MTU is 1500.
The device is in polling mode, and is active.
The channel is logically INACTIVE.
The operational state is OPER_DOWN.
The protocol used is LAPD.
The baud rate is 16000 bits/sec.
The device uses CRC-16 for Tx.
The device uses CRC-16 for Rx.
Other Interface Statistics:
ifindex              0
ifType               75
ifAdminStatus        1
ifOperStatus         2
ifLastChange         00:00:00
ifInOctets           0
ifInUcastPkts        0
ifInNUcastPkts       0
ifInDiscards         0
ifInErrors           0
ifInUnknownProtos    0
ifOutOctets          0
ifOutUcastPkts       0
ifOutNUcastPkts      0
ifOutDiscards        0
ifOutErrors          0
ifOutQLen            16

show interface dialer


This command displays information about the Dialer interface.

Syntax
show interface dialer [number]

number    Dialer interface number, ranging from 0 to 255.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following example displays information about Dialer interface 3:
XSR#show interface dialer 3
********** Dialer Interface Stats **********
Dialer3 is Admin Down
Internet address is not assigned
Dialer3 Dialer state is: DOWN
Wait for carrier default: 60, default retry: 3
Dial String Success Failures Map Class
Free pool ISDN channels: <0>
Free pool serial ports: <0>

show interface fastethernet


This command displays information about a FastEthernet interface. This interface is available on the XSR 1800 Series routers only.

Syntax
show interface fastethernet [number]

number    FastEthernet interface number of 1 or 2.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following is sample output from FastEthernet interface 1:
XSR#show interface FastEthernet 1
FastEthernet1 is Admin Up
Internet address is 51.51.51.1, subnet mask is 255.255.255.0
Internet address is 52.52.52.1, subnet mask is 255.255.255.0 Secondary
Internet address is 53.53.53.1, subnet mask is 255.255.255.0 Secondary
Internet address is 54.54.54.1, subnet mask is 255.255.255.0 Secondary
Internet address is 57.57.57.1, subnet mask is 255.255.255.0 Secondary
Internet address is 58.58.58.1, subnet mask is 255.255.255.0 Secondary
The name of this device is Eth1.
The physical link is currently up.
The device is in polling mode, and is active.
The last driver error is '(null)'.
The duplex mode is set to auto-negotiated.
The current operational duplex mode is negotiated to half.
The speed is set to auto-negotiated.
The current operational speed is negotiated to 100 Mb/s.
The MAC address is (in hex) 00:01:f4:0d:26:72.
The MTU is 1500.
The bandwidth is 100 Mb/s.
Other Interface Statistics:
ifindex              0
ifType               6
ifAdminStatus        1
ifOperStatus         1
ifLastChange         00:32:39
ifInOctets           529727
ifInUcastPkts        0
ifInNUcastPkts       7328
ifInDiscards         0
ifInErrors           0
ifInUnknownProtos    0
ifOutOctets          157800
ifOutUcastPkts       0
ifOutNUcastPkts      157
ifOutDiscards        0
ifOutErrors          0
ifOutQLen            256

The following is sample output from a VLAN interface on FastEthernet sub-interface 2.1:
XSR#show interface FastEthernet 2.1
FastEthernet2.1 is Admin Up
Internet address is 1.2.3.4, subnet mask is 255.255.255.0
Other Interface Statistics:
ifOperStatus 1
ifInOctets 956932
ifOutOctets 495034
Configured VLANs:
VLAN Id 1200

The following is sample output from a VLAN interface on FastEthernet sub-interface 2.4 configured with PPPoE:
XSR#show interface FastEthernet 2.4
FastEthernet2.4 is Admin Up
Internet address is 5.5.5.4, subnet mask is 255.255.255.0
LCP State: OPENED
IPCP State: OPENED
The logical link is currently Up
The Name of the Access Concentrator is c3600-1
The Session Id is 0x0005
The MAC Address of the Access Concentrator is 0x00:30:85:20:47:62
The MTU is 1492
Other Interface Statistics:
ifOperStatus 1
ifInOctets 119439
ifOutOctets 119256
Configured VLANs:
VLAN Id 1400 PPP Encapsulation

show interface gigabitethernet


This command displays information about a GigabitEthernet interface which is available on XSR 3000 Series routers only.

Syntax
show interface gigabitethernet [number]

number    The GigabitEthernet interface, ranging from 1 to 3, and sub-interface. Range: 1 to 64.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following example is sample output from GigabitEthernet interface 1:
XSR#show interface gigabitethernet 1
GigabitEthernet 1 is Admin Up
Internet address is 150.50.1.14, subnet mask is 255.255.255.0
The name of this device is Eth1.
The physical link is currently DOWN.
The active port is copper.
The device is in polling mode, and is active.
The last driver error is '(null)'.
The duplex mode is set to auto-negotiated.
The current operational duplex mode is not yet determined.
The speed is set to auto-negotiated.
The current operational speed is not yet determined.
The Primary MAC address is (in hex) 00:01:f4:2b:3e:1b.
The MTU is 1518.
The bandwidth is 10 Mb/s.
Other Interface Statistics:
ifindex              0
ifType               6
ifAdminStatus        1
ifOperStatus         2
ifLastChange         00:00:00
ifInOctets           0
ifInUcastPkts        0
ifInNUcastPkts       0
ifInDiscards         0
ifInErrors           0
ifInUnknownProtos    0
ifOutOctets          0
ifOutUcastPkts       0
ifOutNUcastPkts      0
ifOutDiscards        0
ifOutErrors          0
ifOutQLen            256

show interface loopback


This command displays information about the loopback interface.

Syntax
show interface loopback [number]

number    Loopback address number ranging from 0 to 15.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following is sample output from Loopback interface 5:
XSR#show interface loopback5
Loopback5 is Admin Up
Description: My loopback interface
Internet address is 57.57.57.57, subnet mask is 255.255.255.0

show interface multilink


This command displays information about the Multilink interface.

Syntax
show interface multilink [number]

number    Multilink address number, ranging from 1 to 32767.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following is sample output from Multilink interface 8:
XSR#show interface multilink 8
********** Multilink Interface Stats **********
Multilink 8 is Admin Down
Internet address is not assigned
LCP State: CLOSED
Multilink State: CLOSED
Max Fragment delay is 10 ms
MLPPP Bundle Info:
Control Object state is Admin Down / Oper Down
Multilink PPP has no memberlinks
Data Object state is Admin Down
The adjacent is DOWN and data passing is FALSE
Bundle size is 0
Max Load Threshold: 0
Total Load Bandwidth is 64000 bits/sec
Bundle Stats
Rx: Total 0,    TX: Total 0
    Data  0,        Data  0
    Ctrl  0,        Ctrl  0
    Null  0,        Null  0
    Drop  0,        Drop  0
Rx Load BW Avg 0, Max 0, Min 0
Tx Load BW Avg 0, Max 0, Min 0

show interface null


This command displays attributes of the null interface (Null0), an IP interface which uniquely does not require an IP address to appear. It is installed automatically by the XSR so that discard routes can be employed by OSPF. You cannot configure this interface; it is always administratively up and cannot be deleted.
The Null interface displays only when you enter show ip interface null 0 or show interface null 0. If it is not specified in the show interface or show ip interface commands, it will not display. Also, it does not display in the running-config file.

Syntax
show interface null 0

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following example is sample output from the show ip interface null 0 command:
XSR#show ip interface null 0
Null0 is Admin Up
Internet address is not assigned
Rcvd: 0 octets, 0 unicast packets,
      0 discards, 0 errors, 0 unknown protocol.
Sent: 0 octets, 0 unicast packets,
      0 discards, 0 errors.
MTU is 1500 bytes.
Proxy ARP is enabled.
Helper address is not set.
Directed broadcast is enabled.
Outgoing access list is not set.
Inbound access list is not set.
IP Policy Based Routing is not enabled.

The following example is sample output from the show interface null 0 command:

XSR#show interface null 0
Null0 is Admin Up
Internet address is not assigned

show interface serial


This command displays general information for a serial interface.

Syntax
show interface serial [card/port]

card    XSR card number of serial interface.
port    XSR port number of serial interface.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following example displays output from Serial interface 1/0:
XSR#show interface serial 1/0
********** Serial Interface Stats **********
Serial 1/0 is Admin Down / Oper Down
Internet address is 200.163.21.1
The name of this device is Ser1/0.
The card is 1.
The channel is 0.
The current MTU is 1500.
The device is in polling mode, and is ACTIVE.
The last driver error is (null).
The physical-layer is HDLC-SYNC.
The baud rate is estimated to be 1024000 bits/sec.
The device uses CRC-16 for Tx.
The device uses CRC-16 for Rx.
The type of encoding is NRZ.
The media-type is RS-232/V.28 (DTE).
The loopback mode is off.
Other Interface Statistics:
ifindex              0
ifType               22
ifAdminStatus        1
ifOperStatus         1
ifLastChange         00:00:25
ifInOctets           1500
ifInUcastPkts        100
ifInNUcastPkts       0
ifInDiscards         0
ifInErrors           0
ifInUnknownProtos    0
ifOutOctets          2134
ifOutUcastPkts       14
ifOutNUcastPkts      0
ifOutDiscards        0
ifOutErrors          0
ifOutQLen            280

show interface vpn


This command displays attributes of the configured VPN interface.

Syntax
show interface vpn [0-255]

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following is sample output displaying VPN interface 57 statistics:
XSRtop#show interface vpn 57
Vpn 57 is Admin Up
Internet address is 4.4.4.4, subnet mask is 255.255.255.0
Multicast redirect to 6.6.6.6 is enabled.
This interface includes the VPN tunnel 'Boston'.
The tunnel peer's Internet IP address is 0.0.0.0.
The tunnel encapsulation protocol is UNKNOWN.
The identity used to initiate the tunnel is ''
The tunnel's current state is Disabled.


5
Configuring the Internet Protocol
Observing Syntax and Conventions
The CLI Syntax and conventions use the notation described below.

Convention          Description
xyz                 Key word or mandatory parameters (bold)
[x]                 [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]         [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}         { | } Braces with vertical bar indicate a choice of a required value
[x {y | z} ]        [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)     xx signifies interface type and number, e.g.: F1, S2/1.0, D1, M57, G3. F indicates a FastEthernet, and G a GigabitEthernet interface.

Next Mode entries display the CLI prompt after a command is entered. Sub-command headings are displayed in red text.
soho.enterasys.com  Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

IP Commands
The following command sets define IP functionality on the XSR including:
- OSPF Commands
- OSPF Debug and Show Commands
- RIP Commands
- RIP Show Commands
- RTP Header Compression Commands
- Policy Based Routing Commands
- PBR Clear and Show Commands
- ARP Commands
- Other IP Commands
- IP Clear and Show Commands
- Network Address Translation Commands
- Virtual Router Redundancy Protocol Commands
- VRRP Clear and Show Commands

OSPF Commands

area authentication


This command enables/disables authentication for an OSPF area.

Syntax
area area-id authentication [message-digest]

area-id           OSPF area to be authenticated, expressed in decimals or IP addresses.
message-digest    Enables MD5 authentication on the OSPF area indicated by area-id keyword

Syntax of the no Form

The no form of this command removes authentication from the OSPF area specified by area-id:
no area area-id authentication

Mode
Router configuration: XSR(config-router)#

Default
The default value is Type 0 authentication; that is, no authentication.

Example
This example enables authentication on OSPF area 10.0.0.0. Interface Serial 1/1, whose address is 172.16.77.1, is part of area 10.0.0.0, so an authentication mechanism could be defined for it:
XSR(config)#interface serial 1/1 XSR(config-if<S1/1)#ip address 172.16.77.1 255.255.255.0 XSR(config-if<S1/1)#ip ospf message-digest-key 20 md5 pass1 XSR(config)#router ospf 1 XSR(config-router)#network 172.16.77.1 0.0.0.0 area 10.0.0.0 XSR(config-router)#area 10.0.0.0 authentication message-digest

area default-cost
This command sets the cost value for the default route that is sent into a stub area by an Area Border Router (ABR). This command is restricted to ABRs attached to stub areas.

Syntax
area area-id default-cost cost

area-id    The stub area expressed in decimals or IP addresses.
cost       Cost value for a summary route that is sent to a stub area by default. Valid values are 24-bit numbers, from 0 to 16,777,215.

Syntax of the no Form
The no form of this command removes the cost value from the summary route that is sent by default into the stub area identified by the area-id:
no area area-id default-cost

Mode
Router configuration: XSR(config-router)#

Default
1

Example
The following command sets the cost value for the stub area 10 as 99:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#ip address 172.16.101.5 255.255.255.252
XSR(config-if<S1/0>)#router ospf
XSR(config-router)#network 172.16.101.5 0.0.0.0 area 10
XSR(config-router)#area 10 stub no-summary
XSR(config-router)#area 10 default-cost 99

area nssa
This command configures an area as a Not-So-Stubby Area (NSSA) which allows some external routes represented by external Link State Advertisements (LSAs) to be imported into it. This is in contrast to a stub area that does not allow any external routes. External routes that are not imported into an NSSA can be represented by means of a default route. It is used when an OSPF internetwork is connected to multiple non-OSPF routing domains.

Syntax
area area-id nssa [default-information-originate]

area-id                          NSSA area expressed in decimals or IP addresses.
default-information-originate    Generates a default of Type 7 into the NSSA. It is used when the router is a NSSA ABR.

Syntax of the no Form
The no form of this command changes the NSSA back to a plain area:
no area area-id nssa [default-information-originate]

Mode
Router configuration: XSR(config-router)#

Default
No NSSA defined

Example
The following example configures area 10 as a NSSA area:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip address 172.16.10.5 255.255.255.252
XSR(config)#router ospf 1
XSR(config-router)#network 172.16.10.5 0.0.0.0 area 10
XSR(config-router)#area 10 nssa default-information-originate

area range
This command defines the range of addresses to be used by Area Boundary Routers (ABRs) when they communicate routes to other areas. ABRs summarize an area's intra-area routes into inter-area routes which are then injected into other areas. The metric used is the highest metric of the included intra-area routes. The forwarding address is 0.
Other actions implemented by this command include:
- A summary range becomes active if it includes at least one intra-area route being leaked into the area.
- A discard route is installed for an active summary range. Conversely, when it becomes inactive, the discard route is removed.
- The cost of the summary range is the highest cost among all leaked intra-area routes.
- SNMP supports area range via MIB object ospfAreaRangeTable as defined in RFC 1850.
Note: You should avoid needless re-origination of Type-3 Link-State Advertisements (LSAs). For example, leaking intra-area routes which do not change the cost of a summary will re-originate the summary LSA.

Syntax
area area-id range ip-address mask [advertise][not-advertise]

area-id          Area at the boundary of which routes will be summarized. Valid values are decimals or IP addresses.
ip-address       Common prefix of summarized networks.
mask             Length of the common prefix.
advertise        Broadcasts a single Type 3 LSA for all intra-area routes leaked into this area and included in the summary range.
not-advertise    Suppresses Type 3 LSA generation for all routes in the summary range.

Syntax of the no Form
The no form of this command bars routes from being summarized:
no area area-id range address mask

Mode
Router configuration: XSR(config-router)#

Examples
This example sets the address range used by this router for summarized routes learned at the boundary of area 0.0.0.0, as 172.16.0.0/16:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip address 172.16.16.1 255.255.240.0
XSR(config)#router ospf 1
XSR(config-router)#network 172.16.16.1 0.0.0.0 area 0.0.0.0
XSR(config-router)#area 0.0.0.0 range 172.16.0.0 255.255.0.0

The following example aggregates 64.64.64.0/24 in area 1 into summary route 64.0.0.0/8 and makes the summary available for creation of inter-area routes:
XSR(config)#router ospf 1
XSR(config-router)#area 1 range 64.0.0.0 255.0.0.0

area stub
This command defines an area as a stub area.

Syntax
area area-id stub [no-summary]

area-id       Stub area expressed in decimals or IP addresses.
no-summary    Bars an ABR from sending LSAs into the stub area. When used, this value means all destinations outside the stub area are represented via a default route.

Syntax of the no Form
The no form of this command changes the stub back to a plain area:
no area area-id stub [no-summary]

Mode
Router configuration: XSR(config-router)#

Defaults
Disabled

Example
The following example defines area 10 as a stub area:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip address 172.16.152.1 255.255.255.0
XSR(config-if<F1>)#exit
XSR(config)#router ospf
XSR(config-router)#network 172.16.152.0 0.0.0.0 area 10
XSR(config-router)#area 10 stub

area virtual-link
This command defines an OSPF virtual link, which represents a logical connection between the backbone and a non-backbone OSPF area. Backbones are areas including all ABRs, networks not wholly contained in any area, and their attached routers.

Syntax
area area-id virtual-link router-id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] [authentication-key key | message-digest-key keyid md5 key]

area-id                             Transit area for the virtual link expressed as decimal or IP addresses and through which a virtual link is established.
router-id                           The ABR's Router ID. A virtual link is built from the ABR, where virtual link configuration occurs. You can configure a loopback address for the XSR to be used as the Router ID with the interface loopback command. If no loopback address is defined, the Router ID is the highest non-zero IP address of existing configured and active interfaces.
authentication                      Authentication type.
message-digest                      MD5 authentication is used.
null                                No authentication is used.
hello-interval seconds              Interval between hello packets on a port. It must be the same for all nodes attached to a network. Range: 1 to 3600 seconds.
retransmit-interval seconds         Interval between successive retransmissions of the same LSAs. Valid values are greater than the expected period for the update packet to reach and return from the port, ranging from 1 to 3600 seconds.
transmit-delay seconds              Estimated interval for a link state update packet on the port to be transmitted, ranging from 1 to 3600 seconds.
dead-interval seconds               Interval that hello packets of a router are not communicated to neighbor routers before the neighbors learn that the router sending the hello packet is out of service. This value must be the same for all nodes attached to a certain subnet, and ranges from 1 to 3600 seconds.
authentication-key key              Password used by neighbor routers. Valid values are alphanumeric strings up to 8 bytes. Neighbor routers on a network must have the same password.
message-digest-key keyid md5 key    Specifies a keyid and a password (key) for MD5 authentication. Neighbor routers and this router use the keyid and key. Valid values for keyid are 1 to 255. Valid values for the key are alphanumeric strings of up to 16 characters. Neighbor routers on a network must have the same keyid and key.

Syntax of the no Form
The no form of this command removes the virtual link:
no area area-id virtual-link router-id [authentication [message-digest | null]] [hello-interval seconds] [retransmit-interval seconds] [transmit-delay seconds] [dead-interval seconds] [authentication-key key | message-digest-key keyid md5 key]

Mode
Router configuration: XSR(config-router)#

Defaults
hello-interval seconds: 10 seconds
retransmit-interval seconds: 5 seconds
transmit-delay seconds: 1 second
dead-interval seconds: 40 seconds
authentication-key key: No default
message-digest-key keyid md5 key: No default

Example
The following example, as illustrated in Figure 5-1, shows the virtual link configuration for two ABRs. ABR1 physically interfaces area 2 to the backbone (area 0.0.0.0). ABR2 physically interfaces area 3 to area 2. A virtual link is created between the two ABRs by means of area 2, which becomes the transit area. The Router ID for ABR1 is 192.168.33.1. The Router ID for ABR2 is 192.168.33.2.
On ABR1 enter the following commands:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip address 172.16.150.1 255.255.255.0
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#ip address 192.16.33.1 255.255.255.0
XSR(config)#router ospf 1
XSR(config-router)#network 172.16.150.0 0.0.0.255 area 0.0.0.0
XSR(config-router)#network 192.16.33.0 0.0.0.255 area 2
XSR(config-router)#area 2 virtual-link 192.16.33.2

On ABR2 enter the following commands:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip address 172.15.0.1 255.255.0.0
XSR(config)#interface serial 1/1
XSR(config-if<S1/1>)#ip address 192.16.33.2 255.255.255.0
XSR(config)#router ospf 1
XSR(config-router)#network 172.15.0.1 0.0.0.0 area 3
XSR(config-router)#network 192.16.33.0 0.0.0.255 area 2
XSR(config-router)#area 2 virtual-link 192.16.33.1

Figure 5-1 Area Virtual Link Example
[Figure: ABR1 (Eth 1 172.16.150.1 in Area 0.0.0.0, Serial 1/0 192.16.33.1) and ABR2 (Serial 1/1 192.16.33.2, Eth 1 172.15.0.1 in Area 3) joined by a virtual link across Area 2.]

auto-virtual-link
This command automatically creates virtual links. Refer to the area virtual-link command for more related information.

Syntax
auto-virtual-link

Syntax of the no Form
This command's no form negates the automatic creation of a virtual link:
no auto-virtual-link

Mode
OSPF Router configuration: XSR(config-router)#

Example
XSR(config-router)#auto-virtual-link

database-overflow
This command dynamically limits the size of OSPF Link State database overflow, a condition where the XSR is unable to maintain the database in its entirety. Typically, database overflow occurs when a router imports a large number of external, Type 5 LSA routes into OSPF. This command lets you control other LSA types as well: 1-4, 7, and 10.
Usually, this problem can be averted by proper configuration of OSPF routers into stub areas or NSSAs, since AS-external LSAs are omitted from this type of Link State databases. But, in the event of an unexpected database overflow, there is insufficient time to perform this type of isolation.

Syntax
database-overflow [LSA type][option]

LSA Type:
asbr-summary     AS Border Router Summary LSA (Type 4).
external         AS External Area LSA (Type 5).
network          Network LSA (Type 2).
nssa-external    NSSA External LSA (Type 7).
opaque-area      Opaque Area LSA (Type 10).
router           Router LSA (Type 1).
summary          Summary LSA (Type 3).

Option:
limit                     Peak number of LSAs accepted before overflow occurs, ranging from 1 to 2,147,483,647.
exit-overflow-interval    Interval before XSR tries to exit overflow. Range: 0 to 86,400 seconds.
warning-level             LSA threshold past which a warning of pending overflow is generated, ranging from 0 to 2,147,483,647.

Defaults
Limit: 1
Exit External Interval: 0
Warning Level: 0

Mode
OSPF Router configuration: XSR(config-router)#

Examples
The following example configures parameters for Type 5 external LSA database overflow:
XSR(config)#router ospf 1
XSR(config-router)#database-overflow external limit 1000
XSR(config-router)#database-overflow external exit-overflow-interval 3600
XSR(config-router)#database-overflow external warning-level 900

The following example configures parameters for Type 2 network LSA database overflow:
XSR(config)#router ospf 1
XSR(config-router)#database-overflow network limit 1000
XSR(config-router)#database-overflow external exit-overflow-interval 3600
XSR(config-router)#database-overflow external warning-level 900

distance (OSPF)
This command defines an administrative distance (route preference) for the OSPF domain. OSPF distances are ranked higher than connected or static networks but lower than RIP networks.
If several routes to the same destination are offered to the Routing Table Manager (RTM) by different protocols, installation is based on the distance of the protocol with the lowest value. You can set the same distance for different protocols (except for multiple static routes) with a tie-break based on default distances.
Refer to the distance command on page 176 and ip route command on page 209 for a comparison with OSPF and static routes.

Syntax
distance ospf {intra | inter | ext} weight

intra     OSPF intra-area routes.
inter     OSPF inter-area routes.
ext       OSPF external routes.
weight    Administrative distance used by the routing protocol. Range: 1 to 240.

Syntax of the no Form
The no command resets the administrative distance to the default value for the particular type of routes. If no type of routes is referenced, the distance for all three types of OSPF routes are reset to the default.
no distance OSPF {intra | inter | ext}

Mode
Router configuration: XSR(config-router)#

Default
- Distances between 241 and 255 are reserved for internal use.
- The condition of intra-area distance is less than inter-area distance is less than external distance is always preserved. If you attempt to configure otherwise, the configuration will fail and you will receive a warning message.
- Default distances must not be the same for any two routing protocols.
- For default distances, refer to Table 5-2 below.

Table 5-1 Default Administrative Distances

Route Source    Default Distance
Connected       0
Static          1
BGP external    20
OSPF intra      108
OSPF inter      110
OSPF ext        112
RIP             120
BGP internal    200
Reserved        241-255

Example
This example sets the administrative distance for OSPF external routes to 65. Note that you can do so only if both intra and inter OSPF distances are less than 65, otherwise you will not be permitted to change the value.
XSR(config)#router ospf 1
XSR(config-router)#distance ospf ext 65


ip ospf cost
This command sets the cost of sending a packet on an interface. Each router interface that participates in OSPF routing is assigned a default cost. This command overwrites the default.

Syntax
ip ospf cost cost

cost    Cost of sending a packet ranging from 1 to 65,535.

Syntax of the no Form
no ip ospf cost

Mode
Interface configuration: XSR(config-if<xx>)#

Default
10

Example
The following example sets cost 20 for interface FastEthernet 1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip ospf cost 20

ip ospf dead-interval
This command sets the interval a router must wait to receive a hello packet from its neighbor before determining that the neighbor is out of service.

Syntax
ip ospf dead-interval seconds

seconds    Interval that a router must wait to receive the hello packet. It must be the same on neighboring routers (on a specific subnet), but it can vary between subnets. This value is an unsigned integer ranging from 1 to 65,535 seconds.

Syntax of the no Form
The no form of this command sets the value to the default:
no ip ospf dead-interval

Mode
Interface configuration: XSR(config-if<xx>)#

Default
Four times the value of the seconds parameter defined in the ospf hello-interval command.

Example
The following example sets the dead interval to 20 for FastEthernet port 2:
XSR(config)#interface fastethernet 2
XSR(config-if<F2>)#ip address 172.16.16.1 255.255.255.0
XSR(config-if<F2>)#ip ospf dead-interval 20

ip ospf hello-interval
This command sets the number of seconds a router must wait before sending a hello packet to neighbor routers on the interface.

Syntax
ip ospf hello-interval seconds

seconds    The hello interval. It must be the same on neighboring routers (on a specific subnet), but it can vary between subnets, ranging from 1 to 65,535 seconds.

Syntax of the no Form
The no form of this command sets the value to the default:
no ip ospf hello-interval

Mode
Interface configuration: XSR(config-if<xx>)#

Default
10 seconds for broadcast and point-to-point networks.

Example
The following example sets the hello interval to 5 for interface FastEthernet 1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip address 172.16.16.1 255.255.255.0
XSR(config-if<F1>)#ip ospf hello-interval 5


ip ospf message-digest-key
This command enables/disables OSPF MD5 authentication on an interface to validate OSPF routing updates between neighboring routers.

Syntax
ip ospf message-digest-key keyid md5 key

keyid    Key identifier on the interface where MD5 authentication is enabled. Valid values are integers from 1 to 255.
key      Password for MD5 authentication to be used with the keyid. Valid values are alphanumeric strings of up to 16 characters.

Syntax of the no Form
The no form of this command removes the password from this router:
no ip ospf message-digest-key keyid

Mode
Interface configuration: XSR(config-if<xx>)#

Default
OSPF MD5 authentication disabled

Example
The following example enables OSPF MD5 authentication on interface Serial 1/0, and sets the key identifier at 20, and the password as pass1.
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#ip address 172.16.77.1 255.255.255.0
XSR(config-if<S1/0>)#ip ospf message-digest-key 20 md5 pass1
XSR(config)#router ospf 1
XSR(config-router)#network 172.16.77.1 0.0.0.0 area 10.0.0.0
XSR(config-router)#area 10.0.0.0 authentication message-digest

ip ospf passive
This command suppresses OSPF packets from being sent or received over a specified interface.

Syntax
ip ospf passive

Syntax of the no Form
This command's no form removes the passive action on the interface:
no ip ospf passive

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example imposes OSPF passive on FastEthernet interface 1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip ospf passive

ip ospf poll-interval
This command sets the OSPF polling interval on Multipoint and Point-to-Point interfaces. The default value allows the adjacency to be established per the default Hello interval.

Syntax
ip ospf poll-interval <interval>

interval    Poll period, ranging from 1 to 65,535.

Syntax of the no Form
The no form of this command removes the poll interval:
no ip ospf poll-interval

Mode
Interface configuration: XSR(config-if<xx>)#

Example
This example configures the poll interval to 12 times the default hello interval (10 seconds):
XSR(config-if<S1/0:0>)#ip ospf poll-interval 120

ip ospf priority
This command sets the OSPF priority value for router interfaces. The priority value is communicated between routers by means of hello messages and this value influences the election of a designated router.

Syntax
ip ospf priority number

number    Specifies the router priority, ranging from 0 to 255.

Syntax of the no Form
The no form of this command sets the value to the default:
no ip ospf priority

Mode
Interface configuration: XSR(config-if<xx>)#

Default
1

Example
The following example sets OSPF priority to 20 for FastEthernet port 1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip address 172.16.16.1 255.255.255.0
XSR(config-if<F1>)#ip ospf priority 20

ip ospf retransmit-interval
This command sets the interval between retransmissions of link state advertisements for adjacencies that belong to this interface.

Syntax
ip ospf retransmit-interval seconds

seconds    Sets the retransmit period, ranging from 1 to 3600 seconds.

Syntax of the no Form
The no form of this command sets the value to the default:
no ip ospf retransmit-interval

Mode
Interface configuration: XSR(config-if<xx>)#

Default
5 seconds

Example
The following example sets the retransmit interval for interface FastEthernet 1 to 20:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip address 172.16.16.1 255.255.255.0
XSR(config-if<F1>)#ip ospf retransmit-interval 20


ip ospf transmit-delay
This command sets the interval required to transmit a link state update packet on this interface.

Syntax
ip ospf transmit-delay seconds

seconds    Specifies the transmit delay, ranging from 1 to 3600 seconds.

Syntax of the no Form
The no form of this command sets the value to the default.
no ip ospf transmit-delay

Mode
Interface configuration: XSR(config-if<xx>)#

Default
1 second

Example
The following example sets the interval required to transmit a link state update packet on interface FastEthernet 1 at 20 seconds:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip address 172.16.16.1 255.255.255.0
XSR(config-if<F1>)#ip ospf transmit-delay 20

network
This command identifies and defines area IDs for interfaces OSPF runs on.

Syntax
network address wildcard-mask area area-id

address          IP address of a specific interface or a group of interfaces as a function of the wildcard mask.
wildcard-mask    Inverted mask that begins with 0s and ends with 1s. The most specific format is 0.0.0.0, which matches one address. The least specific is 255.255.255.255, matching any address.
area-id          Specifies the area-id that the OSPF address range is linked to. Valid values are decimal values or IP addresses.

Syntax of the no Form
The no form of this command removes OSPF routing for interfaces identified by the address and wildcard-mask parameters:
no network address wildcard-mask area area-id

Mode
Router configuration: XSR(config-router)#

Defaults
Disabled
Costs: LAN 10, Serial 64

Example
In this example, three routers are configured to run OSPF. Router R1 and R3 are internal routers. R1 is internal to area 1, and R3 internal to area 0. R2 is an Area Border Router (ABR). Enter the following commands on R1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip address 131.108.1.1 255.255.255.0
XSR(config)#router ospf 1
XSR(config-router)#network 131.108.1.0 0.0.255.255 area 1

On R2 (ABR), enter the following commands:
XSR(config)#interface fastethernet 2
XSR(config-if<F2>)#ip address 131.108.1.2 255.255.255.0
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#ip address 131.108.2.3 255.255.255.0
XSR(config)#router ospf 1
XSR(config-router)#network 131.108.1.0 0.0.0.255 area 1
XSR(config-router)#network 131.108.2.0 0.0.0.255 area 0

On R3, enter the following commands:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#ip address 131.108.2.4 255.255.255.0
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip address 110.0.0.4 255.0.0.0
XSR(config)#router ospf 1
XSR(config-router)#network 131.108.2.0 0.0.0.255 area 0
XSR(config-router)#network 110.0.0.0 0.255.255.255 area 0
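
The network, area authentication and ip ospf message-digest-key commands interact: the wildcard mask decides which interfaces join an area, and each of those interfaces needs a key once the area requires MD5. The following audit sketch is an added example, not part of the original guide or Enterasys code. It assumes a configuration listing with the prompts removed, assumes the first matching network statement decides the area, and all function names and the sample configuration are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample in the style of this guide's examples (prompts removed).
SAMPLE_CONFIG = """\
interface serial 1/0
ip address 172.16.77.1 255.255.255.0
ip ospf message-digest-key 20 md5 pass1
interface fastethernet 1
ip address 172.16.10.5 255.255.255.252
interface fastethernet 2
ip address 131.108.1.2 255.255.255.0
router ospf 1
network 172.16.77.1 0.0.0.0 area 10.0.0.0
network 172.16.10.0 0.0.0.255 area 10.0.0.0
network 131.108.0.0 0.0.255.255 area 1
area 10.0.0.0 authentication message-digest
"""


def area_key(area_id):
    """Normalize an area-id given as a decimal or as an IP address."""
    if "." in area_id:
        return int(ipaddress.IPv4Address(area_id))
    return int(area_id)


def wildcard_match(ip, address, wildcard):
    """True if ip equals address on every bit where the wildcard mask is 0."""
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    left = int(ipaddress.IPv4Address(ip)) & care
    right = int(ipaddress.IPv4Address(address)) & care
    return left == right


def parse(config):
    """Collect interfaces, network statements and per-area authentication."""
    interfaces, networks, area_auth = {}, [], {}
    current = None
    for raw in config.splitlines():
        line = raw.strip()
        m = re.match(r"interface (.+)$", line)
        if m:
            current = interfaces.setdefault(m.group(1), {"ip": None, "md5": False})
            continue
        if line.startswith("router ospf"):
            current = None
            continue
        m = re.match(r"ip address (\S+) (\S+)$", line)
        if m and current is not None:
            current["ip"] = m.group(1)
            continue
        if current is not None and re.match(r"ip ospf message-digest-key \d+ md5 \S+$", line):
            current["md5"] = True
            continue
        m = re.match(r"network (\S+) (\S+) area (\S+)$", line)
        if m:
            networks.append((m.group(1), m.group(2), area_key(m.group(3))))
            continue
        m = re.match(r"area (\S+) authentication( message-digest)?$", line)
        if m:
            area_auth[area_key(m.group(1))] = "md5" if m.group(2) else "non-md5"
    return interfaces, networks, area_auth


def audit(config):
    """Return (interface, area, finding) tuples for weak OSPF authentication."""
    interfaces, networks, area_auth = parse(config)
    findings = []
    for name, intf in interfaces.items():
        if intf["ip"] is None:
            continue
        # Assumption: the first matching network statement decides the area.
        area = next((a for addr, wc, a in networks
                     if wildcard_match(intf["ip"], addr, wc)), None)
        if area is None:
            continue  # no network statement covers this interface
        auth = area_auth.get(area, "none")
        if auth == "none":
            findings.append((name, area, "area has Type 0 (no) authentication"))
        elif auth == "non-md5":
            findings.append((name, area, "area uses authentication without message-digest"))
        elif not intf["md5"]:
            findings.append((name, area, "area requires MD5 but interface has no message-digest-key"))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print(finding)
```

Area IDs are compared numerically, so area 10 and area 0.0.0.10 are treated as the same area while area 10.0.0.0 is a different one.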

redistribute
This command redistributes static or RIP routes into OSPF.

Syntax
redistribute {rip | bgp | static | connected}[metric metric-value][metric-type 1 | 2][route-map-number][tag tag-value]

rip                 Imports RIP routes.
bgp                 Imports BGP routes.
static              Imports static routes.
connected           Imports connected routes.
metric-value        Cost of a route being redistributed into OSPF, ranging from 0 to 16,777,214.
metric-type         OSPF exterior metric type.
1/2                 OSPF external Type 1 or 2 metrics.
route-map-number    Number of the associated route map.

Syntax of the no Form
The no form of this command cancels the redistribution of routes:
no redistribute from_protocol [metric metricvalue]

Mode
Router configuration: XSR(config-router)#

Default
Disabled

Examples
This example redistributes static routes from 5 hops away into RIP:
XSR(config-router)#router rip
XSR(config-router)#redistribute static 5

The following example redistributes intra, inter and external OSPF routes into RIP:
XSR(config-router)#redistribute ospf match internal match external

The following example imports all OSPF routes into RIP with the default RIP metric of 1. It is equivalent to the command entered earlier.
XSR(config-router)#redistribute ospf

router ospf
This command enables the Open Shortest Path First (OSPF) protocol.

Syntax
router ospf process-id

process-id    Process ID number.

Syntax of the no Form
The no form of this command disables OSPF:
no router ospf process-id

Mode
Global configuration: XSR(config)#

Next Mode
Router configuration: XSR(config-router)#

Default
OSPF disabled

Example
The following example enables OSPF routing:
XSR(config)#router ospf 2
XSR(config-router)#

summary address
This command summarizes locally sourced (Type 5) routes on the XSR which are redistributed from other protocols into OSPF. Type 7 translations are not summarized. Other actions implemented include:
- A summary range becomes active if it includes at least one locally sourced route being redistributed into OSPF. If an active summary range is advertised, then a discard route will be installed for the summary range. Conversely, when it becomes inactive, the discard route is removed.
- Activated summary ranges to be advertised will result in a Type 5 Link State Announcement (LSA). If they include a NSSA area, then they will also produce a Type 7 LSA for each NSSA area.
- The type/cost of the summary range is the highest type/cost among all included locally sourced routes. The forwarding address is 0.
- Summary ranges may overlap. So, for a locally sourced route, the most specific range becomes active.
- Appendix E processing provides a unique link state ID for all Type 5 LSAs advertised, be they the result of Type 7 to Type 5 translations, summarization or locally sourced routes which are not summarized.
- A Type 5 LSA generated by translation may supplant a Type 5 LSA originating from a local source. This will not affect what is being generated into a NSSA because translations are not advertised into NSSA areas.
- If for a given prefix, both a summary and a locally sourced route exist, the summary will be considered superior even if the summary includes only this locally sourced route.
- Needless re-origination of Type 5 LSAs will be avoided. For example, importing locally sourced routes which do not change the type/cost of a summary will not result in re-origination of the summary LSA.
- Type 7 translations are not affected by this command. If an overflow condition occurs then both summary ranges and non-summarized routes will be flushed from the AS.

Syntax
summary-address <ip-address><ip-mask>[not-advertise][tag <tag>]

ip-address ip-mask    Subnet/mask used for the summary range.
not-advertise         Suppress routes in the summary range.
tag                   Value used in the generated Type 5 LSA.

Syntax of the no Form
The no form of this command removes summary addressing on the XSR:
no summary-address <ip-address><ip-mask>

Mode
Router configuration: XSR(config-router)#

Example
The following example produces a single Type 5 LSA for all routes redistributed into OSPF covered by the prefix 64.0.0.0/8:
XSR(config-router)#summary-address 64.0.0.0 255.0.0.0

timers spf
This command changes timer values to fine-tune the OSPF network.

Syntax
timers spf spf-delay spf-holdtime

spf-delay       Delay between the receipt of an update and the SPF execution, ranging from 0 to 4,294,967,295 seconds.
spf-holdtime    Minimum interval, in seconds, between two consecutive OSPF calculations. Range: 0 to 65,535. A value of 0 indicates that two consecutive OSPF calculations are performed immediately one after the other.

Syntax of the no Form
The no form of this command restores the default timer values:
no timers spf

Mode
Router configuration: XSR(config-router)#

Defaults
spf-delay: 5
spf-holdtime: 10

Example
XSR(config)#router ospf 1
XSR(config-router)#network 172.15.0.0 0.0.255.255 area 0.0.0.0
XSR(config-router)#timers spf 7 3

OSPF Debug and Show Commands

debug ip ospf dr


This command debugs OSPF designated router events. As with all XSR debug commands, it is set to privilege level 15 by default.
Note: This command does not display in running config because it is a debug function. It must be set manually every time the XSR is rebooted.

Syntax
debug ip ospf dr

Syntax of the no Form
The no form of this command returns the debug function to the default:
no debug ip ospf dr

Mode
EXEC configuration: XSR>

Example
The following example indicates the election of a designated router:
OSPF: Elect DR. dr:53.53.53.21 bdr:53.53.53.6 GigabitEthernet 2

Parameter Descriptions
Elect DR             OSPF DR Election.
dr:53.53.53.21       Designated router.
bdr:53.53.53.6       Backup Designated router.
GigabitEthernet 2    Interface on which the designated router resides.

debug ip ospf packet


This command debugs received and transmitted OSPF packets. As with all XSR debug commands, it is set to privilege level 15 by default.
Note: This command does not display in running config because it is a debug function. It must be set manually every time the XSR is rebooted.

Syntax
debug ip ospf packet

Syntax of the no Form
The no form of this command returns the debug function to the default:
no debug ip ospf packet

Mode
EXEC configuration: XSR>

Examples
The following example displays a transmitted Hello packet:
OSPF: Tx PKT. Hello v:2 t:1 l:44 rid:1.1.1.4 aid:0.0.0.5 chk:fa94 aut:0000 from GigabitEthernet 2 to 224.0.0.5

The following example displays a received Hello packet that failed verification because the area ID does not match:
OSPF: Rx PKT. Hello v:2 t:1 l:44 rid:10.0.0.1 aid:0.0.0.3 chk:e9a2 aut:0000 from GigabitEthernet 2 is NOk

The following example displays a received Hello packet that passed verification:
OSPF: Rx PKT. Hello v:2 t:1 l:48 rid:10.0.0.1 aid:0.0.0.5 chk:8846 aut:0000 from GigabitEthernet 2 is Ok

The following example displays a received database description packet:
OSPF: Tx PKT. Database v:2 t:2 l:172 rid:1.1.1.4 aid:0.0.0.5 chk:7204 aut:0000 from GigabitEthernet 2 to 53.53.53.21

The following example displays a transmitted link state request packet:
OSPF: Tx PKT. LS request v:2 t:3 l:228 rid:1.1.1.4 aid:0.0.0.5 chk:99d5 aut:0000 from GigabitEthernet 2 to 53.53.53.21

The following example displays a received link state update packet:
OSPF: Rx PKT. LS update v:2 t:4 l:96 rid:10.0.0.1 aid:0.0.0.4 chk:7214 aut:0000 from GigabitEthernet 2.2 is Ok

The following example displays a transmitted link state acknowledge packet:
OSPF: Tx PKT. LS Ack v:2 t:5 l:44 rid:1.1.1.4 aid:0.0.0.5 chk:b63d aut:0000 from GigabitEthernet 2 to 53.53.53.21

Parameter Descriptions
Tx PKT                    OSPF Packet transmitted.
Hello                     OSPF Hello Packet.
v:2                       OSPF Version.
t:1                       OSPF Packet Type.
l:44                      OSPF Packet length.
rid:1.1.1.4               OSPF Router ID.
aid:0.0.0.5               OSPF Area ID.
chk:fa94                  OSPF Packet Checksum.
aut:0000                  Authentication.
from GigabitEthernet 2    Outgoing interface.
to 224.0.0.5              Destination IP address.
Rx PKT                    OSPF Packet received.
is Ok                     OSPF received packet passed verification.
is NOk                    OSPF received packet failed verification (i.e., Area ID does not match).
Database                  OSPF Database Description Packet.
LS request                OSPF Link State Request Packet.
LS update                 OSPF Link State Update Packet.
LS Ack                    OSPF Link State Acknowledge Packet.
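
The debug ip ospf packet lines above have a fixed field layout, so they can be reviewed mechanically for neighbors whose packets fail verification, carry an unexpected area ID, or arrive unauthenticated. The following parser is an added example, not part of the original guide. It assumes the aut field is the OSPF header AuType (0 meaning null authentication per RFC 2328), and the interface-to-area map, the function names and the last sample line are constructed for illustration.

```python
import re
from collections import defaultdict

# First four lines are copied from the examples above. The last line is
# constructed; its syslog prefix follows the style of the guide's LSA example.
SAMPLE_LOG = """\
OSPF: Tx PKT. Hello v:2 t:1 l:44 rid:1.1.1.4 aid:0.0.0.5 chk:fa94 aut:0000 from GigabitEthernet 2 to 224.0.0.5
OSPF: Rx PKT. Hello v:2 t:1 l:44 rid:10.0.0.1 aid:0.0.0.3 chk:e9a2 aut:0000 from GigabitEthernet 2 is NOk
OSPF: Rx PKT. Hello v:2 t:1 l:48 rid:10.0.0.1 aid:0.0.0.5 chk:8846 aut:0000 from GigabitEthernet 2 is Ok
OSPF: Rx PKT. LS update v:2 t:4 l:96 rid:10.0.0.1 aid:0.0.0.4 chk:7214 aut:0000 from GigabitEthernet 2.2 is Ok
<191>May 21 07:52:40 1.1.1.4 OSPF: Rx PKT. Hello v:2 t:1 l:48 rid:10.0.0.9 aid:0.0.0.5 chk:1a2b aut:0002 from GigabitEthernet 2 is Ok
"""

PKT_RE = re.compile(
    r"OSPF: (?P<dir>Tx|Rx) PKT\. (?P<kind>.+?) v:(?P<v>\d+) t:(?P<t>\d+) l:(?P<l>\d+) "
    r"rid:(?P<rid>\S+) aid:(?P<aid>\S+) chk:(?P<chk>[0-9a-fA-F]{4}) "
    r"aut:(?P<aut>[0-9a-fA-F]{4}) "
    r"from (?P<intf>.+?)(?: to (?P<dst>\S+)| is (?P<verdict>Ok|NOk))$"
)


def parse_line(line):
    """Return the fields of one packet debug line, or None for other lines."""
    m = PKT_RE.search(line.strip())
    if m is None:
        return None
    pkt = m.groupdict()
    for field in ("v", "t", "l"):
        pkt[field] = int(pkt[field])
    pkt["aut"] = int(pkt["aut"], 16)  # assumed to be the header AuType
    return pkt


def review(log, interface_area):
    """Count, per sender router ID, received packets that deserve a look.

    interface_area maps an interface name to the area ID configured on it.
    """
    per_rid = defaultdict(
        lambda: {"rx": 0, "nok": 0, "area_mismatch": 0, "null_auth": 0}
    )
    for line in log.splitlines():
        pkt = parse_line(line)
        if pkt is None or pkt["dir"] != "Rx":
            continue
        stats = per_rid[pkt["rid"]]
        stats["rx"] += 1
        stats["nok"] += pkt["verdict"] == "NOk"
        expected = interface_area.get(pkt["intf"])
        stats["area_mismatch"] += expected is not None and pkt["aid"] != expected
        stats["null_auth"] += pkt["aut"] == 0
    return dict(per_rid)


def senders_to_review(stats):
    """Router IDs with at least one failed, mismatched or unauthenticated packet."""
    return sorted(
        rid for rid, s in stats.items()
        if s["nok"] or s["area_mismatch"] or s["null_auth"]
    )


if __name__ == "__main__":
    areas = {"GigabitEthernet 2": "0.0.0.5", "GigabitEthernet 2.2": "0.0.0.4"}
    result = review(SAMPLE_LOG, areas)
    for rid in senders_to_review(result):
        print(rid, result[rid])
```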

debug ip ospf lsas


This command debugs OSPF Link State Advertisements (LSAs). As with all XSR debug commands, it is set to privilege level 15 by default.
Note: This command does not display in running config because it is a debug function. It must be set manually every time the XSR is rebooted.

Syntax
debug ip ospf lsas

Syntax of the no Form
The no form of this command returns the debug function to the default:
no debug ip ospf lsas

Mode
EXEC configuration: XSR>

Examples
The following example displays an LSA added to the database:
OSPF: Add LSA. summary, aid:0.0.0.4 age:0000 opt:02 id:53.53.53.0 rid:1.1.1.4 seq:80000001 chk:4867 l:28

The following example displays a received Type 1 (router) LSA:
OSPF: Rx LSA. router, nbr:10.0.0.1 age:002f opt:22 id:10.0.0.1 rid:10.0.0.1 seq:800001aa chk:f671 l:36

The following example displays a queue delayed acknowledgement:
<191>May 21 07:52:39 1.1.1.4 OSPF: Queue Delayed Ack. router, nbr:10.0.0.1 age:002f opt:22 id:10.0.0.1 rid:10.0.0.1 seq:800001aa chk:f671 l:36

The following example displays an AS border router Type 4 summary LSA:
OSPF: Rx LSA. asbr-summary, nbr:10.0.0.1 age:03e6 opt:02 id:10.0.0.1 rid:1.1.1.4 seq:80000065 chk:3c9f l:28

The following example displays a transmitted external Type 5 LSA from outgoing interface GigabitEthernet 2:
OSPF: Tx LSA. external, age:017a opt:20 id:13.0.0.0 rid:10.0.0.1 seq:80000088 chk:807a l:36 from GigabitEthernet 2

The following example displays a received LSA acknowledgement:
OSPF: Rx Ack. external, nbr:10.0.0.1 age:017b opt:20 id:13.0.0.0 rid:10.0.0.1 seq:80000088 chk:807a l:36

The following example displays an LSA Updated/Modified in the database:
OSPF: Upd LSA. summary, aid:00000005 age:0000 opt:02 id:1.1.1.3 rid:1.1.1.4 seq:80000099 chk:4a2d l:28

The following example displays a retransmitted LSA:
OSPF: RTx LSA. summary, nbr:10.0.0.1 age:0000 opt:02 id:2.2.3.0 rid:1.1.1.4 seq:80000097 chk:1f8f l:28

Parameter Descriptions
Add LSA                   OSPF LSA Added to database
summary                   OSPF Summary LSA
aid:0.0.0.4               OSPF LSA Area id
age:0000                  OSPF LSA Age
opt:02                    OSPF LSA Options
id:53.53.53.0             OSPF LSA Identifier
rid:1.1.1.4               OSPF LSA Router Id
seq:80000001              OSPF LSA Sequence Number
chk:4867                  OSPF LSA Checksum
l:28                      OSPF LSA Length
Rx LSA                    OSPF LSA Received
router                    OSPF Router LSA
Queue Delayed Ack         OSPF Queued Delayed Acknowledgement
asbr-summary              OSPF AS Border Router Summary LSA
Tx LSA                    OSPF LSA Transmitted
Rtx LSA                   OSPF LSA retransmitted (from retransmission queue)
external                  OSPF External LSA
from GigabitEthernet 2    Outgoing interface
Rx Ack                    OSPF Received Link State Acknowledgement
Upd LSA                   OSPF LSA Updated/Modified in database

debug ip ospf nbr


This command debugs OSPF neighbor events. As with all XSR debug commands, it is set to privilege level 15 by default.
Note: This command does not display in running config because it is a debug function. It must be set manually every time the XSR is rebooted.

Syntax
debug ip ospf nbr

Syntax of the no Form
The no form of this command returns the debug function to the default:
no debug ip ospf nbr

Mode
EXEC configuration: XSR>

Examples
The following example displays a Transmit Database Description packet:
OSPF: Tx DDP. nbr:10.0.0.1 mtu:05dc opt:42 flg:00 seq:00002400 from GigabitEthernet 2.1

The following example displays a received database description packet from incoming interface GigabitEthernet 2.1:
OSPF: Rx DDP. nbr:10.0.0.1 mtu:05dc opt:42 flg:03 seq:00002401 from GigabitEthernet 2.1

The following example displays a Neighbor Changing state where the neighbor router ID is 10.0.0.1, the neighbor IP address is 2.2.3.21, and the previous state is EXCHANGE.
OSPF: NBR change state. nbr:10.0.0.1 ipa:1.2.3.21 state:EXCHANGE

The following example indicates the neighbor is a slave for the database exchange:
OSPF: NBR is slave. nbr:10.0.0.1 ipa:2.2.3.21 state:EX_START

Parameter Descriptions
Tx DDP                      OSPF Transmit Database Description packet
nbr:10.0.0.1                Neighbor IP address
mtu:05dc                    Interface MTU
opt:42                      Options
flg:00                      Flags
seq:00002400                Sequence number
from GigabitEthernet 2.1    Outgoing interface
Rx DDP                      OSPF Received Database Description packet
from GigabitEthernet 2.1    Incoming interface
NBR change state            Neighbor Changing state
nbr:10.0.0.1                Neighbor Router ID
ipa:2.2.3.21                Neighbor IP address
state:EXCHANGE              Previous State
NBR is slave                Neighbor is a slave for a database exchange.
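The debug lines from debug ip ospf lsa and debug ip ospf nbr share one key:value layout, so they can be parsed for monitoring. The following is an added example, not part of the Enterasys guide: the function names are its own, and it assumes that age, opt, seq, chk, mtu and flg are printed in hexadecimal, that l is decimal, that rid is the advertising router, and that 1.1.1.4 (the syslog source in the samples) is the local router ID.

```python
import re
from collections import Counter

# Lines copied from the sample debug output above.
LOCAL_RID = "1.1.1.4"  # assumption: the syslog source address is the local router ID
SAMPLE_LINES = [
    "OSPF: Rx LSA. router, nbr:10.0.0.1 age:002f opt:22 id:10.0.0.1 rid:10.0.0.1 seq:800001aa chk:f671 l:36",
    "<191>May 21 07:52:39 1.1.1.4 OSPF: Queue Delayed Ack. router, nbr:10.0.0.1 age:002f opt:22 id:10.0.0.1 rid:10.0.0.1 seq:800001aa chk:f671 l:36",
    "OSPF: Rx LSA. asbr-summary, nbr:10.0.0.1 age:03e6 opt:02 id:10.0.0.1 rid:1.1.1.4 seq:80000065 chk:3c9f l:28",
    "OSPF: Tx LSA. external, age:017a opt:20 id:13.0.0.0 rid:10.0.0.1 seq:80000088 chk:807a l:36 from GigabitEthernet 2",
    "OSPF: RTx LSA. summary, nbr:10.0.0.1 age:0000 opt:02 id:2.2.3.0 rid:1.1.1.4 seq:80000097 chk:1f8f l:28",
    "OSPF: Rx DDP. nbr:10.0.0.1 mtu:05dc opt:42 flg:03 seq:00002401 from GigabitEthernet 2.1",
    "OSPF: NBR change state. nbr:10.0.0.1 ipa:1.2.3.21 state:EXCHANGE",
]

MAX_AGE = 3600          # seconds; LSA MaxAge constant from RFC 2328
DO_NOT_AGE = 0x8000     # DoNotAge bit in the age field, masked before comparing
HEX_FIELDS = {"age", "opt", "seq", "chk", "mtu", "flg"}  # assumed hexadecimal

# "OSPF: <event>. [<lsa type>,] key:value ... [from <interface>]"
LINE_RE = re.compile(r"OSPF: (?P<event>[^.]+)\.\s*(?:(?P<lsa_type>[\w-]+),\s*)?(?P<rest>.*)$")
PAIR_RE = re.compile(r"(\w+):(\S+)")
IFACE_RE = re.compile(r"\bfrom (\S.*)$")


def parse_line(line):
    """Return a dict for one debug line, or None if it is not an OSPF debug line."""
    match = LINE_RE.search(line)
    if not match:
        return None
    rec = {"event": match.group("event").strip(), "lsa_type": match.group("lsa_type")}
    rest = match.group("rest")
    iface = IFACE_RE.search(rest)
    if iface:  # the interface name contains a space, so cut it off first
        rec["interface"] = iface.group(1).strip()
        rest = rest[:iface.start()]
    for key, value in PAIR_RE.findall(rest):
        try:
            if key in HEX_FIELDS:
                rec[key] = int(value, 16)
            elif key == "l":
                rec["length"] = int(value)
            else:
                rec[key] = value
        except ValueError:
            rec[key] = value  # keep the raw text of a malformed number
    return rec


def summarize(lines, local_rid=LOCAL_RID):
    """Collect the events an operator usually wants to look at first."""
    report = {"events": Counter(), "retransmits": Counter(), "self_originated_rx": [],
              "max_age": [], "state_changes": [], "unparsed": 0}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            report["unparsed"] += 1
            continue
        report["events"][rec["event"]] += 1
        if rec["event"] == "RTx LSA":
            # Repeated retransmissions to one neighbor point at lost acknowledgements.
            report["retransmits"][rec.get("nbr", "?")] += 1
        if rec["event"] == "Rx LSA" and rec.get("rid") == local_rid:
            # Receiving our own LSA is normal shortly after a restart
            # (RFC 2328, section 13.4); a steady stream deserves a closer look.
            report["self_originated_rx"].append(rec)
        age = rec.get("age")
        if isinstance(age, int) and (age & ~DO_NOT_AGE) >= MAX_AGE:
            report["max_age"].append(rec)
        if rec["event"] == "NBR change state":
            report["state_changes"].append((rec.get("nbr"), rec.get("state")))
    return report


if __name__ == "__main__":
    result = summarize(SAMPLE_LINES)
    print(dict(result["events"]))
    print("retransmits:", dict(result["retransmits"]))
    print("self-originated LSAs received:", [r["id"] for r in result["self_originated_rx"]])
```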


show ip ospf
This command, when any debugging type is enabled, displays output about the following types of OSPF information: designated router events, neighbor events, Link State Advertisements (LSAs), and packets.

Syntax
show ip ospf

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following is sample output when all debugging types are enabled:
XSR#show ip ospf
Routing Process "ospf 1 " with ID 1.1.1.4
Supports only single TOS(TOS0) route
It is an area border and autonomous system boundary router
Summary Link update interval is 0 seconds.
External Link update interval is 0 seconds.
Debugging enabled for: dr lsa nbr packet
Redistributing External Routes from: static
Number of areas in this router is 4
Area BACKBONE (0)
  Number of interfaces in this area is 1
  Area has no authentication
  SPF algorithm executed 2 times
  Area ranges are
Area 0.0.0.5
  Number of interfaces in this area is 2
  Area has no authentication
  SPF algorithm executed 2 times
  Area ranges are
  18.0.0.0 255.0.0.0

Parameter Descriptions
Routing Process                        OSPF process number and router ID.
Supports                               TOS support.
It is                                  OSPF router designation. Valid values: area border, autonomous system boundary, and internal.
Summary Link update interval           Update interval for summary LSAs generated by this router.
External Link update interval          Update interval for external LSAs generated by this router.
Redistributing External Routes from    Valid redistributed routes: static, RIP, OSPF.
Number of areas in this router         Sum of areas this router belongs to followed by types of areas.
Number of interfaces in this area      Sum of interfaces assigned to this area.
Area authentication                    Type of authentication used for this area.
SPF algorithm executed                 Number of times the SPF algorithm is run on this router for this area.
Area ranges                            Summarized area ranges.

show ip ospf border-routers


This command displays information about OSPF internal route table entries to ABRs and ASBRs.

Syntax
show ip ospf border-routers

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following is sample output:
XSR>show ip ospf border-routers
OSPF internal Routing Table
Codes: i - Intra-area route, I - Inter-area route
i 192.168.22.1 [64] via 192.168.11.1, Serial1, ABR, Area 0, SPF 10
i 192.168.22.1 [64] via 192.168.11.1, Serial1, ABR, Area 4, SPF 10
i 192.168.44.1 [64] via 192.168.33.1, Serial2, ABR, Area 0, SPF 10
i 192.168.44.1 [64] via 192.168.33.1, Serial2, ABR, Area 2, SPF 7
i 192.168.44.2 [64] via 192.168.33.1, Serial2, ABR, Area 0, SPF 10
i 192.168.44.2 [64] via 192.168.11.1, Serial1, ABR, Area 0, SPF 10

Parameter Descriptions
Router ID      OSPF router ID of the destination border router.
Cost           OSPF cost or metric of reaching a border router identified by the router ID.
Next hop       IP address of an interface on a neighboring router identified by the router ID that can be reached.
Router type    Type of destination border router: ABR or ASBR.
Area           ID of the area through which the route to the destination border router identified by the router ID has been learned.
SPF number     Internal number identifying the SPF calculation that resulted in this route's installation. This number usually corresponds to the number of SPF calculations on this router for an area through which the route was learned.

show ip ospf database


This command displays the link state (LS) database.

Syntax
show ip ospf database
show ip ospf database router [link-state-id]
show ip ospf database network [link-state-id]
show ip ospf database summary [link-state-id]
show ip ospf database asbr-summary [link-state-id]
show ip ospf database nssa-external [link-state-id]
show ip ospf database database-external [link-state-id]
show ip ospf database database-summary

link-state-id       LS identifier. Valid values are IP addresses.
asbr-summary        Selects asbr-summary (Type 4) link status records. Type 4 LS records are shown in their detail format. ASBR summary records are originated by ABRs.
external            Selects external (Type 5) LS records. Type 5 LS records are shown in detailed format. External records are originated by ASBRs.
network             Selects network (Type 2) LS records, to be shown in detailed format. Network records are originated by designated routers.
router              Selects router (Type 1) LS records to be shown in their detailed format. Router records are originated by all routers.
summary             Selects summary (Type 3) LS records to be shown in original format. Summary records are originated by ABRs.
database-summary    Selects a numerical summary of the contents of the LS database displayed.
nssa-external       Selects nssa-external (Type 7) LS records to be shown in detailed format. Type 7 records are originated by ASBRs.

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following are sample responses:

No Parameter
XSR>show ip ospf database OSPF Router with ID(10.1.2.1) Displaying ADV Router 10.0.0.1 0x0 Displaying LinkID 10.0.0.1 10.7.7.1 10.1.2.1 Net Link Age 0x1 0x80000001 Router Link States (Area 0.0.0.0) Seq# Checksum 0x80000001 0x61c610.5.6.1 0x927c States (Area 0.0.0.0) LinkCount 2

LinkID 10.1.1.1 10.1.2.1

ADV Router Age 10.0.0.1 0x5 10.7.7.1 0x1 10.1.2.1 0x0 Displaying ADV Router 10.1.2.1

Seq# Checksum 0x80000006 0xcb25 0x80000003 0x3689 2 0x80000009 0xcdaa 4

LinkID 10.5.5.1

Summary Net Link States (Area 0.0.0.0) Age Seq# Checksum 0x0 0x80000001 0x927c

Router Parameter
XSR>show ip ospf database router
OSPF Router with ID (192.168.44.1)
Router Link States (Area 0.0.0.0)
Routing Bit Set on the LSA
LS age:1292
Options: (No TOS-capability, No DC)
LS Type: Router Links
Link State ID: 192.168.22.1
LS Seq. Number: 80000007
Checksum: 0x185a
Length:72
Area Border Router
Number of Links: 4
Link connected to: a Stub Network
  (Link ID) Network/subnet number: 172.14.0.0.
  (Link Data) Network Mask: 255.255.0.0
  Number of TOS metrics: 0
  TOS 0 Metrics: 10
Link connected to: another router (point-to-point)
  (Link ID) Neighboring Router ID: 192.168.44.2
  (Link Data) Router Interface address: 192.168.22.1
  Number of TOS metrics: 0
  TOS 0 Metrics: 64
Link connected to: a Stub Network
  (Link ID) Network/subnet number: 192.168.22.0.
  (Link Data) Network Mask: 255.255.255.0
  Number of TOS metrics: 0
  TOS 0 Metrics: 64
Link connected to: a Virtual Link
  (Link ID) Neighboring Router ID: 192.168.33.2
  (Link Data) Router Interface address: 0.0.0.0
  Number of TOS metrics: 0
  TOS 0 Metrics: 64

Network Parameter
XSR>show ip ospf database network
OSPF Router with ID (192.168.44.2)
Net Link States (Area 0.0.0.0)
Routing Bit Set on this LSA
LS age: 332
Options: (No TOS-capability, DC)
LS Type: Network Links
Link State ID: 172.16.150.1 (address of Designated Router)
Advertising Router: 192.168.44.1
LS Seq. Number: 80000004
Checksum: 0xF627
Length: 32
Network mask: /24
Attached Router: 192.168.44.1
Attached Router: 192.168.44.2

Summary Parameter: Response


XSR>show ip ospf database summary
OSPF Router with ID (192.168.44.2)
Summary Net Link States (Area 0.0.0.0)
Routing Bit Set on this LSA
LS age: 412
Options: (No TOS-capability, DC)
LS Type: Summary Links (Network)
Link State ID: 172.15.0.0 (summary Network Number)
Advertising Router: 192.168.33.2
LS Seq. number: 80000006
Checksum: 0x6A7B
Length: 28
Network Mask: /16
TOS: 0 Metric: 10

ASBR-summary Parameter: Response


XSR>show ip ospf database asb-summary
OSPF Router with ID (192.168.44.2)
Summary ASB Link States (Area 1)
LS age: 513
Options: (No TOS-capability, No DC)
LS Type: Summary Links (AS Boundary Router address)
Link State ID: 172.15.0.0 (summary Network Number)
Advertising Router: 192.168.44.2
LS Seq. number: 80000006
Checksum: 0x5ACD
Length: 28
Network Mask: /0
TOS: 0 Metric: 16777215

External Parameter Response


XSR>show ip ospf database external
OSPF Router with ID (192.168.44.2)
Type-5 AS External Link States
Routing Bit Set on this LSA
LS age: 98
Options: (No TOS-capability, DC)
LS Type: AS External Link
Link State ID: 172.14.0.0 (External Network Number)
Advertising Router: 192.168.33.2
LS Seq. number: 80000003
Checksum: 0x76E0
Length: 36
Network Mask: /16
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 0.0.0.0
External Route Tag: 0

NSSA-External Parameter Response


XSR>show ip ospf database nssa-external
OSPF Router with ID (192.168.44.1)
Type-7 AS External Link States (Area 2)
Routing Bit Set on this LSA
LS age: 623
Options: (No TOS-capability, No Type 7/5 translation, DC)
LS Type: AS External Link
Link State ID: 172.14.0.0 (External Network Number)
Advertising Router: 192.168.33.2
LS Seq. number: 80000001
Checksum: 0x5971
Length: 36
Network Mask: /16
Metric Type: 2 (Larger than any link state path)
TOS: 0
Metric: 20
Forward Address: 192.168.33.2
External Route Tag: 0

Database-summary Parameter Response


XSR>show ip ospf data database-summary OSPF Router with ID (192.168.44.1) AreaID Router Network S-Net 0.0.0.0 2 0 2 2 2 0 3 AS External Total 4 0 5

S-ASBR 0 0 0

Type-7 Subtotal N/A 4 4 9 0 4 13

Delete 0 1 0

Manage 0 1 0

Parameter Descriptions For No Parameter


LinkID        This field varies as a function of LS record type as follows:
              Router link states - router ID of the router originating the record.
              Network links states - interface IP address of designated router to the broadcast network.
              Summary link states - summary network prefix.
              Asbr-summary link states - router ID of the ASBR.
              External link states - external network prefix.
ADV Router    Router ID of the router originating the LS record.
Age           Age of the LS record in seconds.
Seq#          Sequence number assigned by OSPF to each LS record at its time of origination.
Checksum      Field in a LS record used to verify the integrity of the contents upon the receipt by another router.
Link count    Applies only to router LS records. Count is equal to or greater than the sum of active OSPF interfaces on the originating router.

For Router Parameter


Routing bit              Set for LSAs originated by other routers.
LSA age                  Age of the LS record in seconds.
LS Type                  Meaning of Bit settings in the options field.
LS Type                  Router links for a router LS record.
Link State ID            Originating router ID for a router LSA.
Advertising Router       Originating router ID.
LS Seq Number            Sequence number assigned by OSPF to this LS record at the time of its origination.
Checksum                 Field in a LS record used to verify the integrity of its contents upon the receipt by another router.
Length                   Length of the LS record in bytes.
Type of router           Type of OSPF router: internal, ABR, and ASBR.
Number of links          Total individual links inside this LS record.
Link connected to        Assumes different values as a function of the connection offered by a router interface (link). These links can be: point-to-point, to a transit network, to a stub network, and to a virtual link with assigned values from 1 to 4, respectively. Different connection types are referred to as different link types.
(Link ID)                Value corresponds to the link type.
  Point-to-point         Router ID of the neighboring router.
  Transit network        IP address of designated router interface to the network.
  Stub network           IP address of network or subnet.
  Virtual link           Router ID of the virtual link neighbor.
(Link Data)              Value corresponds to the link type.
  Point-to-point link    Originating router interface address to the network.
  Transit network        Originating router interface address to the network.
  Stub network           Network mask.
  Virtual link           Originating router MIB-II ifIndex value for the unnumbered interface. Virtual links are treated as unnumbered point-to-point links.
Number of TOS metrics    Value is 0 due to lack of TOS support.
Metric                   Link (interface) cost.

For Network Parameter


Routing bit           Set for LSAs originated by other routers.
LSA age               Age of the LS record in seconds.
Options               Meaning of Bit settings in the options field.
LS Type               Network links for a network LS record.
Link State ID         IP address of designated router port to the network.
Advertising Router    Originating router ID.
LS Seq. Number        Sequence number assigned by OSPF to this LS record at the time of its origination.
Checksum              Field in a LS record used to verify the integrity of the contents upon the receipt by another router.
Length                Length of the LS record in bytes.
Network mask          Mask for network to which designated router is attached.
Attached router       Router ID for all routers attached to the network that are adjacent to the designated router.

For Summary Parameter Display


Routing bit           Set for LSAs originated by other routers.
LSA age               Age of the LS record in seconds.
Options               Meaning of Bit settings in the options field.
LS Type               Summary links (network) for summary LS record.
Link State ID         IP address of the summarized network.
Advertising Router    Originating router ID.
LS Seq. Number        Sequence number assigned by OSPF to this LS record at the time of its origination.
Checksum              Field in a LS record used to verify the integrity of the contents upon the receipt by another router.
Length                Length of the LS record in bytes.
Network mask          Summary mask for the summarized network.
TOS                   0 due to non-support of TOS.
Metric                Cost to reach summary network from advertising router (ABR).

For ASB-summary Parameter Display


LSA age               Age of the LS record in seconds.
Options               Meaning of Bit settings in the options field.
LS Type               Summary links (AS Boundary Router) for an asb-summary LS record.
Link State ID         Router ID of the ASBR.
Advertising Router    Originating router ID.
LS Seq. Number        Sequence number assigned by OSPF to this LS record at the time of its origination.
Checksum              Field in a LS record used to verify the integrity of the contents upon the receipt by another router.
Length                Length of the LS record in bytes.
Network mask          Router ID for all routers attached to the network that are adjacent with the designated router. Only for the network parameter.
Attached router       Router ID for all routers attached to the network that are adjacent with the designated router. Only for the network parameter.
TOS                   0 due to non-support of TOS.
Metric                Cost of reaching the ASBR as advertised by the ASBR.

For External Parameter


Routing bit           Set for LSAs originated by other routers.
LSA age               Age of the LS record in seconds.
Options               Meaning of Bit settings in the options field.
LS Type               AS external link for an external LS record.
Link State ID         IP address of the external network.
Advertising Router    Originating router ID (ASBR between the OSPF and non-OSPF domain).
LS Seq. Number        Sequence number assigned by OSPF to this LS record at the time of its origination.
Checksum              Field in a LS record used to verify the integrity of the contents upon receipt by another router.
Length                Length of the LS record in bytes.
Network mask          Mask of the network.
Metric type           OSPF type 1 or 2 metric.
TOS                   0 due to non-support of TOS.
Metric                Cost to reach external network from advertising router (ASBR).
Forward address       Address to which packets for the advertised external network must be sent. When it is set to 0.0.0.0, it indicates packets must be sent to the advertising router (ASBR).
External route tag    Tag that can be applied to a route by the protocol from which it originates. This tag can be used for route management, but is often left blank.

For NSSA-external Parameter


Routing bit           Set for LSAs originated by other routers.
LSA age               Age of the LS record in seconds.
Options               Meaning of Bit settings in the options field.
LS Type               AS external link for an nssa-external LS record.
Link State ID         IP address of the external network.
Advertising Router    Originating router ID (ASBR between the OSPF and non-OSPF domain).
LS Seq. Number        Sequence number assigned by OSPF to this LS record at the time of its origination.
Checksum              Field in a LS record used to verify the integrity of the contents upon the receipt by another router.
Length                Length of the LS record in bytes.
Network mask          Mask of the network.
Metric type           OSPF type 1 or 2 metric.
TOS                   0 due to non-support of TOS.
Metric                Cost to reach external network from advertising router (ASBR).
Forward address       Address to which packets for the advertised external network must be sent. When set to 0.0.0.0, it indicates that packets must be sent to the advertising router (ASBR).
External route tag    Tag that can be applied to a route by the originating protocol. It can be used for route management, but often left blank.

For Database-summary Parameter


AreaID         Area identification.
AreaID         Sum of router LS records in each area.
Network        Sum of network LS records in each area.
S-Net          Sum of summary LS records in each area.
S-ASBR         Sum of asb-summary LS records in each area.
Type-7         Sum of nssa-external LS records in each area.
AS external    Sum of external LS records.
Subtotal       Subtotal - Sum of LS records per area.
Delete         Sum of LS records waiting for deletion from LSDB.
Maxage         Sum of LS records that have reached maximum age.
Total          Sum of LS records in the LS database on XSR.

show ip ospf interface


This command displays interface OSPF-related information, including network type, priority, cost, hello, interval, dead interval.

Syntax
show ip ospf interface [type][number]

type      Interface type. Valid interface types are interfaces that exist on this router.
number    Interface number. Valid values correspond to the number of a particular interface type present on this router.

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following are sample responses:
XSR>show ip ospf interface
FastEthernet1 is UP
Internet Address 51.51.51.1 Mask 255.255.255.0
Internet Address 52.52.52.1 Mask 255.255.255.0 secondary
Internet Address 53.53.53.1 Mask 255.255.255.0 secondary
Area 0.0.0.2
Router ID 51.51.51.1,Network Type BROADCAST,Cost: 10
Transmit Delay is 1 sec,State DR,Priority 1
Designated Router id 51.51.51.1, Interface addr 51.51.51.1
No backup designated router on this network
Timer intervals configured, Hello 10,Dead 40,Wait 40,Retransmit 5
No Hellos (Passive Interface)
Neighbor Count is 0, Adjacent neighbor count is 0

Parameter Descriptions
Internet address                 IP address and mask assigned to this interface.
Area                             OSPF area to which this interface is assigned.
Router ID                        OSPF router ID. OSPF selects the Router ID from one of the IP addresses configured on this router.
No Hellos (Passive Interface)    OSPF Hellos are not sent or received on this interface.
Network type                     OSPF network type. Values can be broadcast, non-broadcast, point-to-point, and point-to-multipoint. Refer to the ip ospf network command for more information about network type.
Cost                             OSPF interface cost. This value is either the default or assigned by means of the ip ospf cost command.
Transmit delay                   Number in seconds added to the LSA age field at the time of LSA transmission.
State                            Interface state, not state between neighbors. Valid values: DR, BDR, Drother, point-to-point, point-to-multipoint, down, backup, loopback.
Priority                         Interface priority value. Refer to the ip ospf priority command for more information on priority.
Designated Router id             Router ID of the designated router on this subnet if a DR exists.
Interface addr                   Address of the designated router's interface to this subnet if a DR exists.
Timer intervals configured       Refers to the ip ospf hello-interval and ip ospf dead-interval commands for hello and dead interval values. The wait timer represents the period that a router waits before initiating a designated router/backup router election. The wait timer changes when the dead interval changes. Retransmit timer represents the period between successive transmissions of LSAs until acknowledgement is received.
Neighbor count                   Sum of neighbors over the interface.
secondary                        Specified secondary IP address.
Adjacent neighbor count          Sum of adjacent (FULL state) neighbors on this port.

show ip ospf neighbor


This command displays the state of communication between this router and its neighbor routers.

Syntax
show ip ospf neighbor [type number] [neighbor-id] [detail]

type           Interface type of the selected interface. Valid interface types are interfaces that exist on this router.
number         Interface number of the selected interface. Valid values correspond to the number of a particular interface type present on this router.
neighbor-id    Router ID of the neighbor router that the selected port is on.
detail         Displays more data about neighbors including the area in which they are neighbors, who the designated router/backup router is on the subnet if applicable, and the decimal equivalent of the E-bit value from the hello packet options field.

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following are sample responses:
XSR#show ip ospf neighbor
ID          Pri    State    Dead Intvl    Address     Address
10.7.7.1    1      FULL     40            10.5.6.1    FastEthernet6
10.0.0.1    1      FULL     40            10.1.1.1    FastEthernet3

XSR#show ip ospf neighbor detail
Neighbor 10.7.7.1 interface address 10.5.6.1
In the area 0.0.0.0 via FastEthernet6
Neighbor priority is 1, state is FULL.
Options 1
Dead interval is 40 sec(s)
Link state retransmission interval is 5 sec(s)
Neighbor 10.0.0.1, interface address 10.1.1.1
In the area 0.0.0.0 via FastEthernet3
Neighbor priority is 1, State is FULL
Options 1
Dead interval is 40 sec(s)
Link state retransmission interval is 5 sec(s)

Parameter Description
ID             Router ID of the neighbor.
Pri            Priority of the neighbor over this interface.
State          OSPF communication state with the neighbor, followed by the interface status of the neighbor.
Dead Intvl     Interval this router will wait without receiving a Hello packet from a neighbor before declaring a neighbor as being down.
Address        IP address of the neighbor over the interface (see next field).
Interface      Interface of this router over which it has neighbors identified by the neighbor ID.
In the area    Area over which this router is a neighbor.
Options        Decimal equivalent of the E-bit from the options field. 0 indicates the area is a stub area, 2 indicates the area is capable of accepting external LSAs (not a stub).

show ip ospf virtual-links


This command displays data about virtual links configured on a router.

Syntax
show ip ospf virtual-links

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following is sample output:
XSR>show ip ospf virtual-links
Virtual Link OSPF_VLI to router 192.168.22.1 is up
Run as demand circuit.
DoNotAge LSA not allowed (Number of Dcbitless LSA is 2).
Transit area 4, via interface Serial1, Cost of using 64
Transmit Delay is 1 sec, State POINT-TO-POINT,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5
Hello due in 00:00:08
Adjacency State FULL
Virtual Link OSPF_VLO to router 192.168.44.1 is down
Run as demand circuit
DoNotAge LSA not allowed (Number of Dcbitless LSA is 2).
Transit area 2, Cost of using 65535.
Transmit delay is 1 sec, State DOWN.,
Timer intervals configured, Hello 10, Dead 40, Wait 40, Retransmit 5

Parameter Descriptions
Virtual link                  Name assigned by OSPF, the ID of the virtual link neighbor and the virtual link status up or down.
Run as                        Type of circuit that OSPF considers the virtual link to be.
DoNotAge LSAs not allowed     LSAs with the DoNotAge bit set in the age field are not permitted in the link state database.
Number of Dcbitless LSA       Sum of LSAs without the Demand Circuit (DC) bit set in the options fields in the link state database of the backbone area.
Transit area                  ID of the transit area through which a virtual link is set.
Via interface                 Interface of this router to the transit area.
Cost of using                 Cost to OSPF of routing through the virtual link.
Transmit delay                Period (in seconds) added to the LSA age field when an LSA is sent from this router through the virtual link. The default (1) can be changed during virtual link configuration.
State                         One of the OSPF interface states. The interface state assigned to a virtual link is Point-to-Point. Refer to the description of the show ip interface command for more information.
Timer intervals configured    Timer intervals for a virtual link can be changed from their default values via optional parameters during virtual link configuration.
Hello due                     Interval the router expects to get a Hello packet from its virtual link neighbor. Hello messages may be suppressed along virtual links.
Adjacency                     State of adjacency between this router and its virtual link neighbor.

RIP Commands

distance (RIP)


This command defines administrative distances (route preference) in the RIP domain. The RIP default ranks higher than all other routed distances.
If several routes to the same destination are offered to the Routing Table Manager (RTM) by different protocols, installation is based on the distance of the protocol with the lowest value. You can set the same distance for different protocols (except for multiple static routes) with a tie-break based on default distances.
Refer to the distance ospf command on page 147 and ip route on page 209 for comparison with OSPF and static routes.

Syntax
distance weight

weight    The RIP administrative distance, ranging from 1 to 240.

Syntax of the no Form
The no command resets the administrative distance to the default value:
no distance weight

Defaults
Distances between 241 and 255 are reserved for internal use.
Default distances must not be the same for any two routing protocols.
Refer to Table 5-2 below for default distances.

Table 5-2 Default Administrative Distances
Route Source     Default Distance
Connected        0
Static           1
BGP external     20
OSPF intra       108
OSPF internal    110
OSPF external    112
RIP              120
BGP internal     200
Reserved         241-255

Mode
Router configuration: XSR(config-router)#

Example
The following example sets the RIP administrative distance to 85:
XSR(config)#router rip
XSR(config-router)#distance 85

distribute-list
This RIP command filters networks received in updates/suppresses networks from being advertised in updates.

Syntax
distribute-list access-list-number {in | out} [type number]

access-list-number    IP access list number, ranging from 1 to 199. The list defines which networks will be sent and suppressed in routing updates.
in                    Applies the access list to incoming routing updates.
out                   Applies the access list to outgoing routing updates.
type                  Interface type: ATM, BRI, Dialer, Fast/GigabitEthernet, Loopback, Multilink, Serial, or VPN.
number                Interface number on which the access list should be applied. If no interface is set, the ACL will be applied to all updates.

Syntax of the no Form
The no form of this command removes the filter:
no distribute-list access-list-number {in | out} [type number]

Mode
Router configuration: XSR(config-router)#

Default
No filter applied

Example
The following example suppresses network 192.5.34.0 from being advertised in updates on FastEthernet interface 1:
XSR(config)#access-list 1 deny 192.5.34.0 0.0.0.255
XSR(config)#router rip
XSR(config-router)#distribute-list 1 out fastethernet 1

Note: This type of filtering might prove problematic in situations where you want to filter an exact route (for RIP v2). For example, if you want to filter route 10.0.0.0/8, a filter set as access-list 1 deny 10.0.0.0 0.255.255.255 will not suffice, because subnets such as 10.0.0.0/9, 10.0.0.0/10 and so on will also be denied. So, to restrict the filter to 10.0.0.0/8 only, configure an extended access list with the following format: access-list 101 deny 10.0.0.0 0.0.0.255 255.0.0.0 0.0.0.0
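The difference between the two filters in the note can be checked with a small model. This is an added example, not XSR code: it assumes a standard list compares only the route's network address against the address/wildcard pair, and that an extended list used for route filtering compares the network address against the first pair and the route's mask against the second pair; the function names and the route list are constructed for the illustration.

```python
import ipaddress


def wild_match(value, base, wildcard):
    """True when value equals base on every bit where the wildcard bit is 0."""
    v, b, w = (int(ipaddress.IPv4Address(x)) for x in (value, base, wildcard))
    care = ~w & 0xFFFFFFFF
    return (v & care) == (b & care)


def standard_acl_denies(route, base, wildcard):
    """Model of 'access-list 1 deny <base> <wildcard>' applied to a route."""
    net = ipaddress.ip_network(route)
    return wild_match(str(net.network_address), base, wildcard)


def extended_acl_denies(route, base, wildcard, mask, mask_wildcard):
    """Model of 'access-list 101 deny <base> <wildcard> <mask> <mask_wildcard>'."""
    net = ipaddress.ip_network(route)
    return (wild_match(str(net.network_address), base, wildcard)
            and wild_match(str(net.netmask), mask, mask_wildcard))


# Constructed routing update: the /8 to be filtered, more specific routes
# inside it, and the unrelated network from the example above.
ROUTES = ["10.0.0.0/8", "10.0.0.0/9", "10.0.0.0/10", "10.128.0.0/9",
          "10.1.2.0/24", "192.5.34.0/24"]


def denied_by_standard(routes=ROUTES):
    # access-list 1 deny 10.0.0.0 0.255.255.255
    return [r for r in routes if standard_acl_denies(r, "10.0.0.0", "0.255.255.255")]


def denied_by_extended(routes=ROUTES):
    # access-list 101 deny 10.0.0.0 0.0.0.255 255.0.0.0 0.0.0.0
    return [r for r in routes
            if extended_acl_denies(r, "10.0.0.0", "0.0.0.255", "255.0.0.0", "0.0.0.0")]


if __name__ == "__main__":
    print("standard list denies:", denied_by_standard())
    print("extended list denies:", denied_by_extended())
```

When auditing a distribute-list, run the intended list against the full set of prefixes carried in the updates, not only the one prefix it was written for.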

ip rip authentication
This command sets or deletes the single authentication key used for RIP authentication on the interface. Authentication can be used only if a key exists. Deleting an existing key disables the use of authentication for RIP.

Syntax
ip rip authentication key text

text    Identifies the key. Valid values are strings of 16 characters or less. Spaces can be used if the complete key is bounded by quotations.

Syntax of the no Form
The no form of this command deletes the specified key and prevents RIP from using authentication:
no ip rip authentication key text

Mode
Interface configuration: XSR(config-if<xx>)#

Default
No authentication key

Example
The following example sets the authentication mode as text and the key text as phone on FastEthernet port 1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip rip authentication key phone
XSR(config-if<F1>)#ip rip authentication mode text
Note: The command refers to one key only, not a key chain.

RIP Example
The following example, as shown in Figure 5-2, enables RIP on both FastEthernet interfaces of Router 1, also enabling routing exchanges on the serial link Router 1-Router 2 (Serial port 2).
FastEthernet port 2 is instructed to be totally passive (no advertising on it, no sending of triggered updates, and no receiving of updates). Serial 1 is allowed to receive both version 1 and 2 RIP, and transmits version 2. The method used is split horizon with poison reverse. Authentication mode text is used on Serial port 1, and the text is Tex:

XSR(config)#router rip
XSR(config-router)#network 192.168.1.0
XSR(config-router)#network 192.169.1.0
XSR(config-router)#neighbor 192.5.10.1
XSR(config-router)#passive-interface fastethernet 2
XSR(config-router)#no receive-interface fastethernet 2
XSR(config)#interface fastethernet 2
XSR(config-if<F2>)#ip rip disable-triggered-updates
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#ip rip receive version 1 2
XSR(config-if<S1/0>)#ip rip send version 2
XSR(config-if<S1/0>)#ip split-horizon poison
XSR(config-if<S1/0>)#ip rip authentication key Tex
XSR(config-if<S1/0>)#ip rip authentication mode text

[Figure 5-2: RIP Example. Diagram of Router 1 (Eth 1, Eth 2, Serial 1/0) and Router 2 (Serial 1/1, 192.5.10.1) connected across the Internet. Eth 2 (192.169.1.0) is labelled no advertising, no triggered RIP updates, no receiving RIP updates; Serial 1/0 advertises 192.168.1.0 and 192.169.1.0.]

ip rip authentication mode


This command sets the authentication mode used when an authentication key is present.

Syntax
ip rip authentication mode {text}

text    Text-only authentication performed.

Syntax of the no Form
The no form of this command suppresses the use of authentication:
no ip rip authentication mode

Mode
Interface configuration: XSR(config-if<xx>)#

Default
No authentication mode specified.

Examples
This example sets text authentication mode and the key XenObhobe for use on FastEthernet 1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip rip authentication key XenObhobe
XSR(config-if<F1>)#ip rip authentication mode text

The following example enables RIP on both FastEthernet interfaces of router R1, also enabling routing exchanges on the serial link R1-R2 (Serial 2). FastEthernet 2 is instructed to be totally passive (no advertising on it, no sending of triggered updates, and no receiving of updates). Serial 1/0 is allowed to receive both version 1 and 2 RIP, and transmits version 2. The method used is split horizon with poison reverse. Authentication mode text is used, and the text is Tex:

XSR(config)#router rip
XSR(config-router)#network 192.168.1.0
XSR(config-router)#network 192.169.1.0
XSR(config-router)#neighbor 192.5.10.1
XSR(config-router)#passive-interface fastethernet 2
XSR(config-router)#no receive-interface fastethernet 2
XSR(config)#interface fastethernet 2
XSR(config-if<F2>)#ip rip disable-triggered-updates
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#ip rip receive version 1 2
XSR(config-if<S1/0>)#ip rip send version 2
XSR(config-if<S1/0>)#ip split-horizon poison
XSR(config-if<S1/0>)#ip rip authentication key Tex
XSR(config-if<S1/0>)#ip rip authentication mode text
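What ip rip authentication key and ip rip authentication mode text put on the wire can be seen by decoding an update. This is an added example, not part of the Enterasys guide: it assumes text mode is the RFC 2453 simple-password scheme (whose 16-byte field matches the 16-character key limit above), and the function names and the packet are constructed for the illustration. It lets an auditor confirm from a capture which interfaces send the key in clear text.

```python
import ipaddress
import struct

AUTH_AFI = 0xFFFF         # address family value that marks an authentication entry
AUTH_SIMPLE_PASSWORD = 2  # RFC 2453 simple (plain-text) password


def build_response(key, routes):
    """Build a RIPv2 response with a simple-password entry (for test input)."""
    raw = key.encode("ascii")
    if not 0 < len(raw) <= 16:
        raise ValueError("key must be 1 to 16 characters")
    pkt = struct.pack("!BBH", 2, 2, 0)  # command=response, version=2, zero
    pkt += struct.pack("!HH16s", AUTH_AFI, AUTH_SIMPLE_PASSWORD, raw)  # NUL padded
    for cidr, metric in routes:
        net = ipaddress.ip_network(cidr)
        pkt += struct.pack("!HH4s4s4sI", 2, 0, net.network_address.packed,
                           net.netmask.packed, bytes(4), metric)
    return pkt


def audit_update(data):
    """Decode one RIP message and report how (or whether) it is authenticated."""
    if len(data) < 4 or (len(data) - 4) % 20:
        raise ValueError("truncated or malformed RIP message")
    command, version, _zero = struct.unpack("!BBH", data[:4])
    report = {"command": command, "version": version, "auth": "none",
              "key_on_wire": None, "routes": []}
    for off in range(4, len(data), 20):
        afi, tag = struct.unpack("!HH", data[off:off + 4])
        body = data[off + 4:off + 20]
        if afi == AUTH_AFI:
            if off != 4:
                raise ValueError("authentication entry is not the first entry")
            if tag == AUTH_SIMPLE_PASSWORD:
                report["auth"] = "text"
                # The 16 bytes are the key itself, padded with NULs.
                report["key_on_wire"] = body.rstrip(b"\x00").decode("ascii", "replace")
            else:
                report["auth"] = "type %d" % tag
            continue
        addr, mask, _next_hop, metric = struct.unpack("!4s4s4sI", body)
        prefix = "%s/%s" % (ipaddress.ip_address(addr), ipaddress.ip_address(mask))
        report["routes"].append((str(ipaddress.ip_network(prefix, strict=False)), metric))
    return report


def findings(report):
    """Turn the decoded report into audit notes."""
    if report["auth"] == "none":
        return ["updates are unauthenticated"]
    if report["auth"] == "text":
        return ["text mode: the key is carried in clear text in every update"]
    return []


# Constructed packet: the key and networks are those of the RIP example above.
SAMPLE = build_response("Tex", [("192.168.1.0/24", 1), ("192.169.1.0/24", 1)])

if __name__ == "__main__":
    result = audit_update(SAMPLE)
    print(result)
    print(findings(result))
```

Because the key is readable by anything that can capture an update on the link, treat it as a guard against misconfiguration rather than a secret, and do not reuse it for any other credential.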

ip rip disable-triggered-updates
This command prevents RIP from sending triggered updates on the specified interface.

Syntax
ip rip disable-triggered-updates

Syntax of the no Form
no ip rip disable-triggered-updates

Mode
Interface configuration: XSR(config-if<xx>)#

Default
Allows RIP to respond to a triggered update.

Example
This example prevents RIP from responding to a request for triggered updates on F1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip rip disable-triggered-updates

ip rip offset
This command adds an offset onto incoming/outgoing metrics to routes learned via RIP.

Syntax
ip rip offset value

value    Positive offset to be applied to metrics for networks, ranging from 0 to 16. If the offset is 0, no action is taken.

Syntax of the no Form
The no form of this command removes an offset:
no ip rip offset

Mode
Interface configuration: XSR(config-if<xx>)#

Default
No offset applied

Example
The following example sets an offset of 1 for Serial port 1/0:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#ip rip offset 1

Adding an offset on an interface makes it a backup port. Suppose R1 is only 2 hops away from Rx through both interfaces. By adding 1 to 2 on Serial 1/0, the distance between R1 and Rx through Serial 1/0 becomes 3, making Serial 1/0 a backup.

Figure 5-3  Offset Example (diagram: Router 1 reaches Router x over two serial links, Serial 1/0 and Serial 1/1; one path is labelled "Distance Router 1 - Router x: 2 hops" and the backup path "Distance Router 1 - Router x: 2+1 hops")

ip rip receive version


This command sets RIP v1 or v2 for update packets received on the port.

Syntax
ip rip receive version [1] [2]

1    RIP version 1.
2    RIP version 2.

Syntax of the no Form
The no form of this command restores the default version of the RIP module update packets that are accepted on the interface:
no ip rip receive version

Mode
Interface configuration: XSR(config-if<xx>)#

Default
Accept both RIP version 1 and 2

Example
This example sets both RIP versions 1 and 2 for update packets received on FastEthernet port 1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip rip receive version 1 2


ip rip send version


This command sets RIP v1 or v2 for update packets sent on the interface.

Syntax
ip rip send version {1 | 2 | r1compatible}

1               RIP version 1.
2               RIP version 2.
r1compatible    Sends version 2 packets, but transmits these as broadcast packets rather than multicast packets, so that systems which only understand RIP version 1 can receive them.

Syntax of the no Form
The no form restores the version of update packets that was transmitted by the RIP module:
no ip rip send version

Mode
Interface configuration: XSR(config-if<xx>)#

Default
Version 1

Example
The following example sets RIP version 2 for packets sent on FastEthernet interface 1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip rip send version 2

ip split-horizon
This command sets split horizon mode for the packets to be sent by RIP.

Syntax
ip split-horizon

Syntax of the no Form
The no form of this command disables the split horizon mechanism entirely:
no ip split-horizon

Mode
Interface configuration: XSR(config-if<xx>)#

Default
IP split horizon

Example
The following command sets split horizon for packets to be transmitted by RIP on interface 1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip split-horizon

neighbor
This command directs the XSR to exchange point-to-point (non-broadcast) routing information with a neighbor. When used in combination with the passive-interface command, RIP updates can be exchanged between a subset of routers and access servers on a LAN. One routing update is generated per neighbor.
In the rare case where the XSR or hosts on the LAN segment cannot accept RIP broadcast packets, only configured neighbors will get RIP updates.
Multiple neighbor commands can be used to specify additional neighbors or peers.

Syntax
neighbor neighborAddress

neighborAddress    IP address of a peer router with which routing data will be exchanged.

Syntax of the no Form
The no form of this command disables RIP on the specified interface:
no neighbor neighborAddress

Mode
Router configuration: XSR(config-router)#

Example
This example instructs the XSR to send RIP updates to all ports on network 192.5.0.0 except interface F2. Also, the neighbor command allows sending RIP updates specifically to 192.5.10.1.
XSR(config)#router rip
XSR(config-router)#network 192.5.0.0
XSR(config-router)#passive-interface fastethernet 2
XSR(config-router)#neighbor 192.5.10.1


network
This command attaches a network of directly connected networks to a RIP routing process.

Syntax
network netAddress

netAddress    A directly connected network that RIP will advertise to its neighboring routers. This is an IP address format.

Syntax of the no Form
The no form of this command disables RIP on the specified interface:
no network netAddress

Mode
Router configuration: XSR(config-router)#

Example
This example attaches network 192.168.1.0 to the RIP routing process:
XSR(config)#router rip
XSR(config-router)#network 192.168.1.0

passive-interface
This command prevents RIP from transmitting update packets on an interface (although it can still monitor updates on the interface).

Syntax
passive-interface type num

type    Interface types include: ATM, BRI, Dialer, Fast/GigabitEthernet, Loopback, Multilink, Serial, and VPN.
num     Physical interface number.

Syntax of the no Form
The no form of this command removes the passive interface action:
no passive-interface type num

Mode
Router configuration: XSR(config-router)#

Default
No passive interface

Example
This example sets F2 as a passive interface. No RIP updates will be transmitted on F2:
XSR(config-router)#passive-interface fastethernet 2

receive-interface
This command allows RIP to receive update packets on an interface. This does not affect the transmission of RIP updates on the specified interface.

Syntax
receive-interface type num

type    Interface type.
num     Physical interface number.

Syntax of the no Form
no receive-interface type num

Mode
Router configuration: XSR(config-router)#

Default
Allows the reception of RIP updates on an interface.

Example
The following example denies the reception of RIP updates on F2:
XSR(config-router)#no receive-interface fastethernet 2

redistribute (OSPF/Static)
This command redistributes static or OSPF routes into RIP.

Syntax
redistribute {ospf | static}{match external [1 | 2]| internal} metric metricvalue

ospf                  Imports OSPF routes.
static                Imports static routes.
match                 Redistributes OSPF routes based on the OSPF type and route metric, ranging from 1 to 16 hops.
external              Redistributes external OSPF routes.
1/2                   Redistributes external Type 1 or 2 OSPF routes.
internal              Redistributes inter and intra area OSPF routes.
metric metricvalue    Cost of a route being redistributed, ranging from 1 to 16 hops.

Syntax of the no Form
The no form of this command cancels the redistribution of routes:
no redistribute from_protocol [metric metricvalue]

Mode
Router configuration: XSR(config-router)#

Default
Disabled

Examples
This example redistributes static routes from 5 hops away into RIP:
XSR(config-router)#router rip
XSR(config-router)#redistribute static 5

This example redistributes intra, inter and external OSPF routes into RIP:
XSR(config-router)#redistribute ospf match internal match external

The following example imports all OSPF routes into RIP with the default RIP metric of 1. It is equivalent to the command entered earlier.
XSR(config-router)#redistribute ospf

router rip
This command enables/disables the Routing Information Protocol (RIP).
Notes: The XSR supports a total of 750 RIP routing entries with 64 MBytes of memory installed. RIP commands configured under Interface mode are independent of enabling/disabling the RIP protocol.

Syntax
router rip

Syntax of the no Form


The no form of this command disables RIP on the XSR:
no router rip

Mode
Global configuration: XSR(config)#

Next Mode
Router configuration: XSR(config-router)#

Example
XSR(config)#router rip
XSR(config-router)#

timers
This command configures RIP timers.

Syntax
timers basic [update | invalid | flush]

update     Interval the RIP timer is revised, ranging from 1 to 2,147,483,647 seconds.
invalid    Interval the RIP timer is deemed invalid, ranging from 1 to 2,147,483,647 seconds. The invalid interval must be at least three times the update interval.
flush      Interval the RIP timer is flushed, ranging from 1 to 2,147,483,647 seconds. The flush interval must be larger than the invalid interval.

Syntax of the no Form
The no form of this command resets the timers to the default value:
no timers basic

Mode
Router configuration: XSR(config-router)#

Defaults
Update: 30 seconds
Invalid: 180 seconds
Flush: 300 seconds

Example
The following example sets values for the RIP timers:
XSR(config-router)#timers basic 10 30 60

RIP Show Commands

show ip rip
This command displays configuration data and statistics global to all ports.

Syntax
show ip rip [interface | database]

interface    The interface on which RIP is running.
database     The database on which RIP is set up.

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following is a sample response with no option chosen:
XSR#show ip rip
Global RIP Stats:
RIP is enabled
RIP timers (in seconds):
  Update interval: 30
  Invalid interval 180
  Flush interval: 300
Routing for Networks:
  172.16.101.1
  172.16.101.5
  172.16.150.0
Route Exchanging Neighbors:
  172.23.11.21
  172.23.11.25
Passive Interfaces:
  FastEthernet 1
Receive Interfaces:
  FastEthernet 1
Distribute List:
  Distribute-list 1 out FastEthernet 1

The following is sample output with the database option selected:
XSR#show ip rip database
T - triggered on demand
Directly Connected networks:
  192.168.27.0/24
  192.168.29.0/24
  201.1.1.0/24
  202.1.1.0/24
Routing Source Information:
  192.168.28.0/24  via: 192.168.29.22  cost:2  age:16  FastEthernet2
  1.1.1.1/32       via: 192.168.29.22  cost:2  age:16  FastEthernet2
  10.0.0.0/32      via: 201.1.1.0      cost:2  age: -  Serial2/0:1.1

The following is sample output with the interface option chosen:
XSR#show ip rip interface
FastEthernet1 is UP
  Internet Address 10.0.0.0, Mask 255.255.0.0
  Triggered updates are enabled
  Split horizon
  Send rip version is 1
  Receive rip version is 2
  Rip authentication mode is text, key is
  Rip offset metric is 1
Serial1/1 is UP
  Internet Address 11.0.0.0, Mask 255.255.0.0
  Triggered updates are enabled
  Split horizon with poison
  Triggered on demand is enabled
  TRIP number of retransmissions 50
  TRIP polling interval 120
  Send rip version is 1
  Receive rip version is 2
  Rip authentication mode is text, key is
  Rip offset metric is 1

Parameter Descriptions
Routing for networks          Networks assigned to routing using the network command in RIP.
Route Exchanging Neighbors    Neighbors configured to trade routing data used in Point-to-Point exchange of routing data.
Passive Interfaces            Ports RIP will not send update packets on.
Receive Interfaces            Ports RIP will not receive update packets on.
Distribute List               Access list for controlling receive/send updates.
Internet address              IP address and mask assigned to this interface.
Triggered updates             Respond to a request for a trigger update from another router.
Rip versions                  Send and receive RIP versions.
Split Horizon                 Split horizon mode.
Offset Metric                 A value that will be added to routes learned via RIP.
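
The check below is an added example, not part of the XSR guide or Enterasys code. It parses the show ip rip interface sample listing from this page (re-typed here with assumed line breaks) and flags two conditions that follow from RFC 2453: text mode carries the key unencrypted in every RIP-2 update, and RIP-1 updates have no authentication field at all. The function names and finding labels are hypothetical.

```python
import re

# Re-typed from this page's `show ip rip interface` sample; line breaks are assumed.
SAMPLE = """\
FastEthernet1 is UP
Internet Address 10.0.0.0, Mask 255.255.0.0
Triggered updates are enabled
Split horizon
Send rip version is 1
Receive rip version is 2
Rip authentication mode is text, key is
Rip offset metric is 1
Serial1/1 is UP
Internet Address 11.0.0.0, Mask 255.255.0.0
Triggered updates are enabled
Split horizon with poison
Triggered on demand is enabled
TRIP number of retransmissions 50
TRIP polling interval 120
Send rip version is 1
Receive rip version is 2
Rip authentication mode is text, key is
Rip offset metric is 1
"""

# An interface block starts with "<name> is <state>" (exactly three tokens).
HEADER = re.compile(r"^(\S+) is (\S+)$")
FIELDS = {
    "send": re.compile(r"^Send rip version is (.+)$"),
    "receive": re.compile(r"^Receive rip version is (.+)$"),
    "auth": re.compile(r"^Rip authentication mode is (\w+)"),
}

# Hypothetical finding labels with the reason behind each.
REASONS = {
    "text-auth": "key is carried unencrypted in each RIP-2 update",
    "auth-with-v1-send": "RIP-1 updates have no authentication field",
}


def parse_rip_interfaces(text):
    """Return {interface: {state, send, receive, auth}} from the listing."""
    interfaces, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        matched = False
        for name, rx in FIELDS.items():
            m = rx.match(line)
            if m and current is not None:
                current[name] = m.group(1).strip()
                matched = True
                break
        if matched:
            continue
        m = HEADER.match(line)
        if m:
            current = {"state": m.group(2)}
            interfaces[m.group(1)] = current
    return interfaces


def audit(interfaces):
    """Return a list of (interface, finding label) tuples."""
    findings = []
    for name, cfg in interfaces.items():
        auth = cfg.get("auth")
        send_versions = cfg.get("send", "").split()
        if auth == "text":
            findings.append((name, "text-auth"))
        if auth and "1" in send_versions:
            findings.append((name, "auth-with-v1-send"))
    return findings


if __name__ == "__main__":
    for iface, label in audit(parse_rip_interfaces(SAMPLE)):
        print(f"{iface}: {label} ({REASONS[label]})")
```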

RTP Header Compression Commands


The following commands configure Real Time Protocol (RTP) header compression on PPP serial interfaces.
The following criteria must be met in order to select packets for RTP compression:
Must be a UDP packet
UDP payload must be less than 500 bytes
Packet must not be fragmented
The destination port of the packet must be within the user-configured port range (there is no restriction on the source port)
Note: The XSR doesn't impose any restrictions on RTP decompression.
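
The selection criteria above, written out as an added example (not XSR code). It assumes IPv4, takes "UDP payload" to mean the bytes after the 8-byte UDP header, and runs on constructed packets; the function names are hypothetical.

```python
import struct

MAX_UDP_PAYLOAD = 500              # page: UDP payload must be less than 500 bytes
PORT_MIN, PORT_MAX = 1024, 65535   # page: bounds accepted by `ip rtp range`


def build_ipv4_udp(dst_port, payload_len, src_port=40000, proto=17,
                   more_fragments=False, frag_offset=0):
    """Build a constructed IPv4 packet (no options, zero checksums) for the demo."""
    udp_len = 8 + payload_len
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + udp_len, 1, flags_frag,
                     64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0)
    return ip + udp + bytes(payload_len)


def rtp_compression_candidate(packet, start_port, end_port):
    """Apply the four documented criteria; return (eligible, reason)."""
    if not PORT_MIN <= start_port <= end_port <= PORT_MAX:
        raise ValueError("ip rtp range needs 1024 <= start <= end <= 65535")
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return False, "not a complete IPv4 header"
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        return False, "not a complete IPv4 header"
    # Criterion 1: must be UDP (IP protocol 17).
    if packet[9] != 17:
        return False, "not UDP"
    # Criterion 3, checked before reading the UDP header because a later
    # fragment carries no UDP header: More Fragments set or offset non-zero.
    (flags_frag,) = struct.unpack_from("!H", packet, 6)
    if flags_frag & 0x3FFF:
        return False, "fragmented"
    if len(packet) < ihl + 8:
        return False, "truncated UDP header"
    _src, dst, udp_len, _csum = struct.unpack_from("!HHHH", packet, ihl)
    if udp_len < 8 or udp_len > len(packet) - ihl:
        return False, "bad UDP length"
    # Criterion 2: payload strictly under 500 bytes.
    if udp_len - 8 >= MAX_UDP_PAYLOAD:
        return False, "UDP payload not under 500 bytes"
    # Criterion 4: only the destination port is screened.
    if not start_port <= dst <= end_port:
        return False, "destination port outside range"
    return True, "candidate"


if __name__ == "__main__":
    # Range 1325 to 1400 is the one named in this page's ip rtp range example.
    for label, pkt in [
        ("160-byte payload to port 1350", build_ipv4_udp(1350, 160)),
        ("500-byte payload to port 1350", build_ipv4_udp(1350, 500)),
        ("source port in range, destination 5000", build_ipv4_udp(5000, 160, src_port=1350)),
        ("first fragment to port 1350", build_ipv4_udp(1350, 160, more_fragments=True)),
    ]:
        print(label, "->", rtp_compression_candidate(pkt, 1325, 1400))
```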

clear ip rtp header compression interface serial


This command clears the RTP header compression statistics for the specific PPP serial interface.

Syntax
clear ip rtp header-compression interface serial slot/port{.sub-interface}

slot/port{.sub-interface}    The slot, port and sub-interface this command is to be applied to.

Mode
Privileged EXEC: XSR#

Example
The following example clears the RTP statistics for serial interface 2/0:1
XSR#clear ip rtp header-compression interface serial 2/0:1

ip rtp compression connections


By default, the software supports a total of 16 RTP header compression connections on the PPP interface. This command lets the user change the total number of RTP header compression connections supported on an interface.
If the two ends of the PPP link have different max-num-connections values, the link negotiates to the lower value.

Syntax
ip rtp compression connections max-num-connections

max-num-connections    The maximum number of RTP connections to be supported on the PPP interface. Range: 3-1000

Syntax of the no Form
The no command resets the RTP header compression connections to the default value of 16:
no ip rtp compression connections

Default
16 RTP header compression connections on the PPP interface

Mode
Interface configuration: XSR(config-if<xx>)#
This command is applicable only on a serial interface with PPP encapsulation.
Note: The XSR currently does not block this command on interface dialer and on interface multilink, but the command has no effect on these interfaces.
This command requires a reboot of the interface to take effect.

Example
The following example sets the RTP header compression connections to 100 on PPP serial interface S1/0:
XSR(config-if<S1/0>)#ip rtp compression connections 100

ip rtp header-compression
This command enables or disables the RTP header compression feature on PPP serial interfaces.
The optional passive keyword tells the XSR to compress outgoing RTP packets only if incoming RTP packets on the same interface are compressed.
If you use the command without the passive keyword, the software compresses all RTP traffic.
Note: With this release, XSR now supports both the VJ Header Compression (for TCP and UDP header) and the new IP Header Compression (for TCP, UDP and RTP header compression). XSR cannot be configured to initiate VJ header compression, but it does respond to a VJ Header compression configuration option from the remote peer with a NAK or REJ.
In this release, the behavior is changed slightly. If RTP is not enabled, then upon receiving a VJ header compression negotiation option, the XSR sends back a NAK or REJ, same as in current release.

Syntax
ip rtp header-compression {passive}

Parameters
passive    The software compresses outgoing RTP packets only if incoming RTP packets on the same interface are compressed. If the command is used without the passive keyword, the software compresses all RTP traffic.

Syntax of the no Form
The no command disables the RTP header compression feature:
no ip rtp header-compression

Default
Disabled

Mode
Interface configuration: XSR(config-if<xx>)#
This command is applicable only on a serial interface with PPP encapsulation.
Note: The XSR currently does not block this command on interface dialer and on interface multilink, but the command has no effect on these interfaces.
This command requires a reboot of the interface to take effect.

Example
The following example enables RTP header compression on PPP serial interface S1/0:
XSR(config-if<S1/0>)#ip rtp header-compression

ip rtp range
This command specifies the destination port range of UDP packets used to screen for RTP compression.

Syntax
ip rtp range starting-port-Num end-Port-Num

starting-port-Num    Starting destination UDP port number. Range: 1024 to 65535
end-port-Num         Ending destination UDP port number. Range: 1024 to 65535
                     Note: The end port number must be larger than or equal to the starting port number.

Syntax of the no Form
The no command removes the RTP packet ranges:
no ip rtp range

Default
Disabled

Mode
Interface configuration: XSR(config-if<xx>)#
This command is applicable only on a serial interface with PPP encapsulation.
Note: The XSR currently does not block this command on interface dialer and on interface multilink, but the command has no effect on these interfaces.

Example
The following example sets the RTP header range from UDP port 1325 to UDP port 1400, for serial interface S1/0:
XSR(config-if<S1/0>)#ip rtp range 1325 1400

show ip rtp header compression interface serial


This command displays the RTP header compression statistics for the specific PPP serial interface.
Note: The existing command show ppp interface serial has been updated to add the following line in the PPP stats section: TX/RX IP Header Compression (IPHC is enabled if IP header compression has been negotiated with the remote peer). See page 8-102 for information on the command show ppp interface serial.

Syntax
show ip rtp header-compression interface serial slot/port{.sub-interface}

slot/port{.sub-interface}    The slot, port and sub-interface this command is to be applied to.

Mode
Privileged EXEC: XSR#

Example
The following example displays the RTP statistics for serial interface 2/0:1
Router#show ip rtp header-compression interface serial 2/0:1
RTP/UDP/IP Header compression statistics:
Interface Serial 2/0:1
Active/Negotiated connections: RX=0/0 TX=0/0
Rcvd: Compr. RTP=0 Compr. UDP=0 Full Header=0 Error=0 Bytes rcvd=0 Dropped=0 Bytes Saved=0 Total Pkts=0 Efficiency Improve=0.00
Send: Compr. RTP=0 Compr. UDP=0 Full Header=0 Rej. IP=0 Bytes sent=0 Rej. Non RTP=0 Total Pkts=0 Bytes Saved=0 Efficiency Improve=0.00
Misses=0 hitRatio=0%

Parameter Descriptions
Interface Serial                 Type and number of interface.
Active/Negotiated connections    Number of active and negotiated RTP connections.

Rcvd:
Compr. RTP            Number of compressed RTP packets.
Compr. UDP            Number of compressed UDP packets.
Full Header           Number of full header packets received.
Errors                Number of packets that cannot be uncompressed because they are out of sequence, indicating that one or more packets have been lost on the link.
Dropped               Packets whose IP, Port or SSRC does not match that in the received context. These packets are dropped.
Total Pkts            Total number of packets received for RTP decompression.
Bytes Rcvd            Total number of bytes received for RTP decompression.
Bytes Saved           Number of bytes saved due to RTP compression.
Efficiency Improve    Efficiency Improvement ratio. Equals (Bytes of actual packet + bytes received) / Bytes Received

Sent:
Compr. RTP            Number of compressed RTP packets.
Compr. UDP            Number of compressed UDP packets. Potential RTP packets with changing x, p and pt fields are sent compressed UDP.
Full Header           Number of full header packets sent.
Rejected IP           Total number of packets that cannot be compressed by RTP compression. These include fragmented packets and packets with IP option fields. These packets are sent uncompressed.
Rejected non RTP      Total number of non-RTP packets (RTP version not equal to 2, RTP header length exceeding payload length, SSRC does not match that stored in the TX context). These packets are sent uncompressed.
Total Pkts            Total number of packets sent.
Bytes Rcvd            Total number of bytes sent.
Bytes Saved           Number of bytes saved because of compression.
Efficiency Improve    Efficiency Improvement ratio. Equals (Bytes saved + bytes sent) / Bytes Sent.
Misses                Number of RTP packets that fail to compress because of no free compression context.
Hit ratio             Packets compressed successfully / total packets.

Triggered on Demand RIP Commands


The following commands are subsets of triggered RIP functionality:
ip rip max-retransmissions - Specifies the maximum number of retransmissions. Refer to page 190 for the command definition.
ip rip polling-interval - Specifies the polling interval for triggered RIP requests. Refer to page 191 for the command definition.
ip rip triggered-on-demand - Enables the functionality on the specified interface. Refer to page 192 for the command definition.

ip rip max-retransmissions
This command sets the maximum number of retransmissions to be sent.

Syntax
ip rip max-retransmissions number

number    Number of retransmissions, ranging from 2 to 120.

Syntax of the no Form
The no command resets the maximum retransmissions value to the default:
no ip rip max-retransmissions

Mode
Interface configuration: XSR(config-if<xx>)#

Default
36

Example
This example sets the number of retransmissions to 50:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#ip address 1.0.0.0 255.0.0.0
XSR(config-if<S1/0>)#no shutdown
XSR(config-if<S1/0>)#ip rip triggered-on-demand
XSR(config-if<S1/0>)#ip rip max-retransmissions 50
XSR(config)#router rip
XSR(config-router)#network 1.0.0.0

ip rip polling-interval
This command sets the polling interval for triggered RIP requests. If a request gets no response after retransmissions peak, requests will continually transmit at intervals set by this command.
Note: The polling interval should be less than the dialer spoofing timeout.

Syntax
ip rip polling-interval interval

interval    Polling period ranging from 10 to 600 seconds.

Syntax of the no Form
The no command resets maximum retransmissions to the default:
no ip rip polling-interval

Mode
Interface configuration: XSR(config-if<xx>)#

Default
30 seconds

Example
The following example sets the polling interval to 120 seconds:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#ip address 1.0.0.0 255.0.0.0
XSR(config-if<S1/0>)#no shutdown
XSR(config-if<S1/0>)#ip rip triggered-on-demand
XSR(config-if<S1/0>)#ip rip polling-interval 120
XSR(config)#router rip
XSR(config-router)#network 1.0.0.0

ip rip triggered-on-demand
This command enables triggered-on-demand RIP on the specified interface. It is available on a point-to-point Serial (WAN) interface only.
On-demand RIP permits the update of an XSR's RIP routing table only when the database changes or when a next hop's reachability is detected on the WAN side of the connection. This functionality reduces the on-demand WAN circuit's routing traffic and allows the link to be brought down when application traffic ceases. Regular RIP updates would prevent the connection from being torn down when application use ends.
On-demand RIP is available under conditions where the route is learned through a dialer or dialer backup connection and a dial-on-demand link.
The following conditions govern the command's use:
RIP must be enabled.
IP split horizon must be enabled (default). Whether poison is enabled or not, triggered-on-demand will still send its updates with poison.

Another command, ip rip disable-triggered-updates, with the default enforced (triggered updates enabled), invokes triggered updates in a timely fashion as described by RFCs 1058 and 2453 (RIP and RIPv2 protocol) and does not tear down the connection. The two features work independently of each other.

Syntax
ip rip triggered-on-demand

Syntax of the no Form
The no form of this command disables triggered RIP on the interface:
no ip rip triggered-on-demand

Mode
Interface configuration: XSR(config-if<xx>)#

Default
Disabled

Example
The following example configures triggered RIP on Serial port 1/0:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#ip address 1.0.0.0 255.0.0.0
XSR(config-if<S1/0>)#no shutdown
XSR(config-if<S1/0>)#ip rip triggered-on-demand
XSR(config)#router rip
XSR(config-router)#network 1.0.0.0

Policy-Based Routing Commands


Policy-Based Routing (PBR) on the XSR.

ip policy
This command applies PBR to XSR Fast/GigabitEthernet, Dialer, Loopback, Multilink, VPN and Serial interfaces.

Syntax
ip policy

Syntax of the no Form
The no command negates PBR on XSR interfaces:
no ip policy

Mode
Interface configuration: XSR(config-if<xx>)#

Default
Disabled

Examples
The following example enables PBR on interface FastEthernet 2:
XSR(config-if<F2>)#ip policy

The following example enables PBR on interface Dialer 57:
XSR(config-if<D57>)#ip policy

route-map pbr
This command adds or deletes PBR route map entries and acquires PBR Map configuration mode.
The following commands are subsets of Route Map PBR functionality:
match ip address - Adds/deletes PBR match clauses. See page 5-147 for command definition.
set ip next-hop - Adds or deletes PBR set clauses for the next hop router. See page 5-147 for command definition.
set interface - Adds or deletes PBR set clauses on an interface. See page 5-148 for command definition.

Syntax
route-map pbr sequence-number

sequence-number    Sequential number of the policy entry in the PBR route map table.

Syntax of the no Form
The no command deletes the specified policy entry or the whole policy table if no sequence number is specified:
no route-map pbr [sequence-number]

Mode
Global configuration: XSR(config)#

Next Mode
PBR Map configuration: XSR(config-pbr-map)#

Example
In the following example, policy entry number 10 is created:
XSR(config)#route-map pbr 10
XSR(config-pbr-map)#


match ip address
This command associates the PBR policy with a configured Access Control List (ACL).

Syntax
match ip address access-number

access-number    The ACL number used to match traffic.

Syntax of the no Form
The no command deletes the specified ACL match clause:
no match ip address access-number

Mode
PBR Map configuration: XSR(config-pbr-map)#

Example
In the following example, ACL 101 is used to match the traffic:
XSR(config-pbr-map)#match ip address 101

set ip next-hop
This command specifies a next hop IP address as the forwarding router for Policy-Based Routing.

Syntax
set ip next-hop ip-address

ip-address    IP address of the next hop.

Syntax of the no Form
The no command deletes the specified set clause:
no set ip next-hop ip-address

Mode
PBR Map configuration: XSR(config-pbr-map)#

Example
In the following example, 192.168.27.1 is set as the next hop router:
XSR(config-pbr-map)#set ip next-hop 192.168.27.1


set interface
This command specifies an XSR interface as the forwarding port for Policy-Based Routing.

Syntax
set interface interface-num

interface-num    Interface number.

Syntax of the no Form
The no command deletes the specified set clause:
no set interface interface-num

Mode
PBR Map configuration: XSR(config-pbr-map)#

Example
The following example sets F1 as the forwarding interface:
XSR(config-pbr-map)#set interface FastEthernet 1

PBR Clear and Show Commands

clear ip pbr-cache
This command deletes entries from the PBR cache table.

Syntax
clear ip pbr-cache

Mode
EXEC configuration: XSR>

show ip pbr-cache
This command displays the PBR cache that has been built up for fast traffic flow.

Syntax
show ip pbr-cache

Mode
EXEC configuration: XSR>

Sample Output
The following is sample output when the command is issued:
XSR>show ip pbr-cache
Source        Destination     Age(sec)  IP Prot  TCP/UDP Port  ICMP Code
192.168.1.1   192.168.27.1    109       1                      8
192.168.1.1   192.168.27.33   70        255
192.168.1.1   192.168.27.33   50        6        (23, 23)

Parameter Descriptions
Source          Source IP address of the packet.
Destination     Destination IP address of the packet.
Age             Seconds left for the lifetime of the cache.
IP Protocol     IP Protocol number.
TCP/UDP Port    TCP/UDP Port number.
ICMP Code       ICMP code number.

show route-map pbr


This command displays the Policy Map Table you have configured. This is the Global Route Map that is used for Policy-Based Routing.

Syntax
show route-map pbr

Mode
EXEC configuration: XSR>

Sample Output
The following is sample output when the command is issued:
XSR>show route-map pbr
route-map pbr, sequence 10
Match clauses:
  ip address 102
  ip address 101
Set clauses:
  next-hop 192.168.27.33
  interface FastEthernet1

ARP Commands

arp
This command adds permanent (static) entries to the ARP (Address Resolution Protocol) table. ARP converts an IP address into a physical address. The XSR permits adding/deleting one or all ARP entries.

Syntax
arp ip-address hardware-address

ip-address          IP address of a device on the network. Valid values are IP addresses in dotted decimal notation.
hardware-address    The 48-bit hardware address expressed in hexadecimal notation and corresponding to the IP address identified in the ip-address parameter.

Syntax of the no Form
The no form of this command deletes the specified permanent ARP entry:
no arp ip-address hardware-address

Mode
Global configuration: XSR(config)#

Default
No permanent ARP entries in the ARP table.

Example
The example below adds a permanent ARP entry for the IP address 130.2.3.1:
XSR(config)#arp 130.2.3.1 0003.4712.7a99

arp-timeout
This command sets the duration of a dynamic ARP entry in the ARP table before expiring.

Syntax
arp-timeout seconds

seconds    Interval that an entry stays in the ARP cache, ranging from 0 to 2,147,483. Zero indicates entries are never cleared from the cache.

Syntax of the no Form
The no form of this command restores the default value:
no arp-timeout

Mode
Global configuration: XSR(config)#

Default
14,400 seconds (4 hours)

Example
This example adds a permanent ARP entry for the IP address 130.2.3.1 and sets the timeout at 5 hours (18,000 seconds) as shown in Figure 5-4:
XSR(config)#arp 130.2.3.1 0003.4712.7a99
XSR(config)#arp-timeout 18000

Figure 5-4  ARP Timeout Example (diagram: Router 1, Host 1 and Host 2 on network 130.2.3.0/24, with addresses 130.2.3.1, 130.2.3.2 and 130.2.3.3)

Other IP Commands

ip address
This command sets a primary or secondary IP address on an interface. Secondary IP addresses are allowed on FastEthernet interfaces only. Setting the IP address enables and removing it disables the interface. Before a secondary IP address can be configured, the primary IP address should be configured, and before the primary IP address can be removed, the secondary IP addresses should be removed. This command supports Classless Inter-Domain Routing (CIDR).
Note: When you are routing using the Open Shortest Path First (OSPF) algorithm, be sure that all secondary addresses on an interface fall into the same OSPF area as the primary addresses.

Syntax
ip address {address mask | address&mask | negotiated}[secondary]

address         IP address of the interface.
net-mask        Network mask for the configured IP address.
address&mask    Address/mask in format A.B.C.D./m, where A.B.C.D. is the address, and m is the number of bits set to 1 in the mask.
negotiated      IP address negotiated over PPP. BRI, loopback, Fast/GigabitEthernet and secondary IP interfaces are not supported.
secondary       A secondary IP address. If keyword is omitted, the configured address is the primary IP address. Secondary is required to add or remove such an address.

Syntax of the no Form
The no form of this command removes specified IP addresses:
no ip address {address mask | address&mask | negotiated}[secondary]

Mode
Interface configuration: XSR(config-if<xx>)#

Examples
The following CIDR example sets IP address 192.168.1.1 with a mask of /24 on interface F1.
XSR(config)# interface FastEthernet 1
XSR(config-if)# ip address 192.168.1.1/24

The following example sets the IP address 192.168.1.1 on G2:
XSR(config)#interface gigabitethernet 2
XSR(config-if<F1>)#ip address 192.168.1.1 255.255.255.0

In the example below, 131.108.1.27 is the primary address and 192.31.7.17 and 192.31.8.17 are secondary addresses for F1:
XSR(config)#interface FastEthernet 1
XSR(config-if<F1>)#ip address 131.108.1.27 255.255.255.0
XSR(config-if<F1>)#ip add 192.31.7.17 255.255.255.0 secondary
XSR(config-if<F1>)#ip add 192.31.8.17 255.255.255.0 secondary

The following example configures 1.1.1.1 as the primary and other IP addresses as secondary addresses for F1, removes secondary IP 4.4.4.1 from the interface by entering no ip address 4.4.4.1 255.255.255.0 secondary, and updates the primary IP address to 9.9.9.1 by entering ip address 9.9.9.1 255.255.255.0.
XSR(config)#interface FastEthernet 1
XSR(config-if<F1>)#ip address 1.1.1.1 255.255.255.0
XSR(config-if<F1>)#ip address 2.2.2.1 255.255.255.0 secondary
XSR(config-if<F1>)#ip address 3.3.3.1 255.255.255.0 secondary
XSR(config-if<F1>)#ip address 4.4.4.1 255.255.255.0 secondary
XSR(config-if<F1>)#no shutdown

XSR(config)#interface FastEthernet 1
XSR(config-if<F1>)#no ip address 4.4.4.1 255.255.255.0 secondary
XSR(config)#interface FastEthernet 1
XSR(config-if<F1>)#ip address 9.9.9.1 255.255.255.0

ip default-network
This command specifies candidates for the default route and works in conjunction with the ip route command, which creates static routes to the default network. Default routes must be at least one hop away and have a natural mask attributed to them.

Syntax
ip default-network network-number

network-number    Number of the network.

Syntax of the no Form
The no form of this command removes the route:
no ip default-network network-number

Mode
Global configuration: XSR(config)#

Example
In the following example, as shown in Figure 5-5, Router 1 sets two candidates for the default route: network 199.15.2.0 and 198.15.2.0.
XSR(config)#ip default-network 199.15.2.0
XSR(config)#ip default-network 198.15.2.0

Both default routes appear in the routing table, as advertised by Router 2 and Router 3, which run RIP, so both are candidates for the default route. The route to 199.15.2.0 is three hops away, and the route to 198.15.2.0 is four hops away. So the route to 199.15.2.0 is selected as the default route, and Serial 1/0 is the gateway of last resort for Router 1. A default route 0/0 next hop Serial 1/0 is configured on Router 1.

Figure 5-5  IP Default Route Example (diagram: Router 1, with two serial links including Serial 1/1, connects to Router 2 and Router 3; networks shown are 199.15.1.0, 198.15.1.0, 199.15.2.0 and 198.15.2.0; route table on Router 1: metric 3 to 199.15.2.0, metric 4 to 198.15.2.0)

ip directed-broadcast
Thiscommandenables/disablesIPdirectedbroadcast.Optionally,youcanspecifyanaccesslistto controlwhichbroadcastsareforwarded.

Syntax
ip directed-broadcast [access-list-number]

Parameters
access-listnumber

ACLnumber.Ifthisisset,abroadcastmustpasstheACLtobeforwarded.If notset,allbroadcastsareforwarded.

Syntax of the no Form


Thenoformofthiscommanddisablesdirectedbroadcastglobally:
no ip directed-broadcast [access-list-number]

XSR CLI Reference Guide

5-153

Other IP Commands

Mode
Interfaceconfiguration: XSR(config-if<xx>)#

Default
Enabled

Example
The following example denies ICMP broadcasts on port FastEthernet 1:
XSR(config)#access-list 100 deny ICMP any any
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip directed-broadcast 100

The following example removes the previous restriction on interface FastEthernet 1 (broadcast will be performed for all protocols):
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#no ip directed-broadcast

ip dhcp relay-source gateway


This command allows users to select the source address to use when relaying packets to the DHCP servers. The DHCP servers are configured using the ip helper-address command.

Syntax
ip dhcp relay-source gateway

Syntax of the no Form


The no form negates the command so that the outgoing interface address will be used as the source address:
no ip dhcp relay-source gateway

Mode
Interface configuration: XSR(config-if<xx>)#

Default
The outgoing interface address will be used as the source address.

Example
In the following example, the source address is set for interface fastethernet 1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip dhcp relay-source gateway


ip domain
This command identifies the domain to which the XSR belongs. If the command is reissued, it is considered an update of the domain name and will overwrite the old value with a new value. The XSR uses the domain name to help create a certificate subject name, which is automatically formatted to: <hostname>.<domain-name>. You can configure the host name with the hostname command. If the host name is not set when you issue the ip domain command, the XSR will use the hard-coded Default Name.
Note: For Verisign CA interoperability, you must enter the domain name that you specified when registering with Verisign.

Syntax
ip domain name {domain-name}

domain-name    Name of the IP domain to which the XSR belongs. Up to 128 printable characters are permitted with no spaces.

Syntax of the no Form


The no form of this command resets the IP domain name to no value:
no ip domain name {domain-name}

Mode
Global configuration: XSR(config)#

Example
In the following example, the domain name enterasys.com is used:
XSR(config)#ip domain enterasys.com

ip equal-cost multi-path
This command enables equal-cost multi-path routing and sets the method for path selection.

Syntax
For enabling and setting the selection method:
ip equal-cost multi-path {round-robin | per-flow}


Parameters
round-robin    Round-robin method of selecting the routing path, if multiple paths are available.
per-flow       Per-flow method of selecting the routing path, if multiple paths are available.

Syntax of the no Form


The no form of the command disables equal-cost multi-path:
no ip equal-cost multi-path

Mode
Global configuration: XSR(config)#

Default
Disabled

Example
The following example enables equal-cost multi-path and sets the selection method as per-flow:
XSR(config)#ip equal-cost multi-path per-flow

ip forward-protocol
This command enables broadcast forwarding and specifies which protocols and ports will be forwarded. The IP forward protocol is one of two commands used for UDP broadcast forwarding. Also refer to the ip helper-address command, which specifies the new destination.
If a certain service exists inside the node, and there is no need to forward the request to remote networks, the no form of this command should be used to disable the forwarding for the specific port. Such requests will not be automatically blocked from being forwarded just because a service for them exists in the node.
Note: The XSR supports a maximum of 50 IP helper addresses per port and 50 IP forward ports with 64 MBytes of memory installed.

Syntax
ip forward-protocol {udp [port]}

udp     Forward UDP datagrams.
port    Destination port that controls which UDP services are forwarded. If not set, forwarding is done on the following default ports:
        Trivial File Transfer Protocol (TFTP) (port 69)
        Domain Naming System (port 53)
        Time service (port 37)
        NetBIOS Name Server (port 137)
        NetBIOS Datagram Server (port 138)
        Boot Protocol (BTP) client and server datagrams (ports 67, 68)
        TACACS service (port 49)
        IEN-116 Name Service (port 42)

Syntax of the no Form


The no form of this command removes a UDP port or UDP protocol. If the UDP protocol is removed, UDP forwarding is disabled.
no ip forward-protocol {udp [port]}

Mode
Global configuration: XSR(config)#

Defaults
Enabled, but no port specified. This acts as a BOOTP forwarding agent. The above list of ports is used by default for forwarding.

Examples
The following example, as shown in Figure 5-6, forwards UDP traffic to a router across the Internet:
XSR(config)#ip forward-protocol udp
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip helper-address 196.1.1.255

This example removes DNS from the list of ports for which UDP broadcast forwarding is done:
XSR(config)#no ip forward-protocol udp 53

Figure 5-6    IP Forward-Protocol Example
[Figure: Host 1 on network 195.1.1.0, Router 1 (eth 1), the Internet, and Router 2 on network 196.1.1.0. Labels: Destination: 195.1.1.255. Router 1 configuration shown: ip forward-protocol UDP (global); interface ethernet 1: ip helper-address 196.1.1.255.]


DHCP Relay Functionality


The DHCP Relay functionality is applied with the help of IP broadcast forwarding. A typical situation, as shown in Figure 5-7, occurs when a Host requests an IP address with no DHCP server located on that segment.

Router 1 can forward the DHCP request (1) to the server located on N2, if IP forward protocol is enabled for UDP, and the address of the DHCP server is configured as a helper address on the receiving interface of Router 1. The DHCP Relay function will detect the DHCP request and make the necessary changes to the header, replacing the destination address with the address of the server, and the source with its own address, and send it further (2) to the server. When the response (3) comes from the server, the DHCP Relay function sends it to the host (4).

Figure 5-7    DHCP Functionality Example
[Figure: Host on network N1, Router 1 (DHCP Relay function on eth 1), the Internet, Router 2, and the Server (addr1) on network N2. Labels: Destination 255.255.255.255, Source: 0.0.0.x. Router 1 configuration shown: ip forward-protocol UDP (global); interface ethernet 1: ip helper-address address1.]

ip helper-address
This command enables forwarding of local broadcasts, specifying the new destination address. It is one of two commands used for UDP broadcast forwarding. Also refer to the ip forward-protocol command, which defines the forward protocol and port number. You can add more than one helper address per interface. The command is also used to enable BOOTP Relay.

Syntax
ip helper-address address

address    Destination broadcast or host address used when forwarding.

Syntax of the no Form


The no form disables the forwarding of broadcast packets to the specified address:
no ip helper-address address

Mode
Interface configuration: XSR(config-if<xx>)#

Example
In this example, with one server on network 191.168.1.255 and the other on network 192.24.1.255, you permit UDP broadcasts from hosts on either network segment to reach both servers:
XSR(config)#ip forward-protocol udp
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip helper-address 192.168.1.255
XSR(config)#interface fastethernet 2
XSR(config-if<F2>)#ip helper-address 192.24.1.255

ip host
This command defines a static hostname-to-address mapping in the static host cache.

Syntax
ip host name [tcp-port-number] address

name       Case-sensitive name of the host.
address    Associated IP address.

Syntax of the no Form


Use the no form of this command to remove the name-to-address mapping:
no ip host name address

Mode
Global configuration: XSR(config)#

Default
Disabled

Example
The following example defines a static mapping for host ACME:
XSR(config)#ip host ACME 192.168.57.28

ip irdp
This command enables/disables the ICMP Router Discovery Protocol (IRDP), which dynamically discovers routes to other networks, as defined by RFC 1256. IRDP allows hosts to locate routers and can also infer router locations by checking RIP updates. When the XSR operates as a client, router discovery packets are generated.
When the device operates as a host, router discovery packets are received. The IRDP client/server implementation does not actually examine or store full routing tables sent by routing devices, it merely keeps track of which systems are sending such data.
Using IRDP, the XSR can specify both a priority and a period after which a device should be assumed down if no other packets are received.


Syntax
ip irdp [multicast | holdtime seconds | advertinterval seconds | preference number]

multicast                 Multicast address (224.0.0.1) instead of IP broadcasts.
holdtime seconds          The interval router advertisements are held valid, ranging from 1 to 9000 seconds. Value must exceed advertinterval but cannot exceed 9000 seconds.
advertinterval seconds    Peak interval between router advertisements, ranging from 3 to 1800 seconds.
preference number         Value from -2147483647 to 2147483647 that sets a router to be the preferred router to which others home. Higher values raise the XSR's preference level.

Syntax of the no Form


The no form of this command disables the IRDP command:
no ip irdp

Defaults
Multicast: broadcast address
Holdtime: 1800 seconds
Advertinterval: 600 seconds
Preference: 0

Mode
Interface configuration: XSR(config-if<xx>)#

Example
This example enables IRDP on F1 with the advertisements and holdtime intervals set to 10 seconds, the preference level set to 10, and advertisements sent with multicasts:
XSR(config-if<F1>)#ip irdp advertinterval 10
XSR(config-if<F1>)#ip irdp holdtime 10
XSR(config-if<F1>)#ip irdp preference 10
XSR(config-if<F1>)#ip irdp multicast

ip mtu
This command sets the Maximum Transmit Unit (MTU) size on a port.

Syntax
ip mtu size

size    The MTU size, ranging from 68 to 1500 bytes.

Syntax of the no Form


The no form of this command restores the default value:
no ip mtu

Mode
Interface configuration: XSR(config-if<xx>)#

Default
1500

Example
The following example sets the MTU size to 1200 for interface Serial 1/0:
XSR(config-if<S1/0>)#ip mtu 1200

ip proxy-arp
This command enables/disables Proxy ARP on a per-interface basis, allowing the XSR to answer ARP requests on one network for a host on another network. It is available for Fast/GigabitEthernet interfaces only.

Syntax
ip proxy-arp

Syntax of the no Form


The no form of this command disables Proxy ARP:
no ip proxy-arp

Mode
Interface configuration: XSR(config-if<xx>)#

Default
Enabled

Example
The following example disables proxy-arp on interface F1:
XSR(config)#interface fastethernet 1
XSR(config-if)#no ip proxy-arp

ip proxy-dns
This command enables Proxy DNS. The XSR's implementation of this feature supports the configuration of a forwarding proxy server which does not perform DNS resolution but passes on and caches DNS queries and replies to other proxy or DNS servers. Use the show running-config command to verify current proxy DNS settings on the XSR.


Syntax
ip proxy-dns enable

Syntax of the no Form


The no form of this command disables Proxy DNS:
no ip proxy-dns enable

Mode
Global configuration: XSR(config)#

Default
Disabled

ip proxy-dns name-server
This command specifies up to six name servers the proxy DNS server will use.

Syntax
ip proxy-dns name-server server-address1 [server-address2...server-address6]

server-address1                      IP address of the name server.
server-address2...server-address6    IP address of additional name servers.

Syntax of the no Form


The no form of this command removes the configured name server:
no ip proxy-dns name-server server-address1 [server-address2...server-address6]

Mode
Global configuration: XSR(config)#

Example
In the following example, 10.10.10.1 is configured as a name server:
XSR(config)#ip proxy-dns name-server 10.10.10.1

ip redirects
This command enables sending redirect messages if the software is forced to resend a packet through the same interface on which it was received.

Syntax
ip redirects

Syntax of the no Form


The no form of this command negates IP redirection:
no ip redirects

Default
Enabled

Mode
Global configuration: XSR(config)#

Example
In the following example, IP redirection is disabled:
XSR(config)#no ip redirects

ip route
This command configures a static IP route.
Note: The XSR supports a maximum of 50 static routes with 64 MBytes of memory installed.

Syntax
ip route {A.B.C.D. mask} | {address&mask}{address |interface-type #}}[distance]}

A.B.C.D.          The IP route prefix for the static route destination.
mask              The prefix mask for the static route destination.
address&mask      The forwarding router's IP address and mask, expressed as A.B.C.D./N where A.B.C.D. is the address and N is the number of set bits in the mask.
address           The forwarding router's IP address.
interface-type    The IP network interface: ATM, Dialer, Fast/GigabitEthernet, Loopback, Multilink, null, or VPN.
# number          Identifies the card and port number: <12>/<00>, or the card, port and sub-interface number: <12>/<00>.<164>
distance          Administrative metric (preference). Range: ATM (1 to 255), BRI (1 to 240), Dialer (0 to 253), Fast/GigabitEthernet (1 to 240), Loopback (1 to 240), Multilink (1240), and Serial (1 to 120). Only static routes identified by the pair {prefix, mask}, and matching this distance are deleted.

Syntax of the no Form


This command's no form removes a static route from the routing table:
no ip route {A.B.C.D. mask}|{address&mask}{address |interface-type #}}[distance]}

If neither next hop nor distance is cited, all static routes identified by the pair {prefix, mask} are deleted.

Mode
Global configuration: XSR(config)#

Examples
This example, shown in Figure 5-8, sets 2 static routes to networks 192.1.2.0 and 193.62.5.0 through gateway 192.31.7.65. Note that the distance is 1 (default), making these routes preferred in case a dynamic routing protocol is running on the same router with its own routes for these destinations.
XSR(config)#ip route 192.1.2.0 255.255.255.0 192.31.7.65
XSR(config)#ip route 193.62.5.0 255.255.255.0 192.31.7.65

Figure 5-8    Static Route Example
[Figure: Router 1, the Internet and Router 2. Labels: 192.31.7.65, 193.62.5.0 and 192.1.2.0.]

ip route maximum_multiple
This command specifies the maximum number of multiple static routes, which are static routes having the same destination but different next hops.

Syntax
ip route maximum_multiple value

value    Maximum number of multiple static routes allowed, ranging from 2 to 8.

Syntax of the no Form


The no form of this command resets the maximum number of multiple static routes to the default:
no ip route maximum_multiple

Mode
Global configuration: XSR(config)#

Default
4

Example
The following example sets the maximum value to 6:
XSR(config)#ip route maximum-multiple 6


ip tcp adjust-mss
This command sets the Maximum Segment Size (MSS) for TCP SYN (synchronize) packets. When the XSR terminates PPPoE traffic, a PC connected to the FastEthernet interface may have problems accessing Web sites if the PC's Maximum Transmission Unit (MTU) setting is too high. The MTU contains maximum segment size (MSS) values for TCP packets transmitted by the PC.
Some Web sites do not perform Path MTU discovery correctly. To address this issue, the XSR automatically sets the TCP MSS to 1452 when using PPPoE ports. This forces both TCP peers to send 1492-byte packets so Path MTU discovery never has to deal with PPPoE's 1492-byte MTU.
This is a sub-command of Interface mode and is configured with the following commands:
interface fast/gigaethernetx.x
ip address negotiated
encapsulation ppp/mux pppoe
ip mtu 1492
ip tcp adjust-mss 1400

Setting the MSS causes the MSS option in every TCP SYN packet to be modified if the option value exceeds the configured MSS.

Syntax
ip tcp adjust-mss mss

mss    Range of MSS: 512 to 1452.

Mode
PPPoE Interface configuration: XSR(config-if)#

Default
1452 bytes

Example
The following example configures a PPPoE client with an MSS of 1452 bytes on F1.1:
XSR(config-if<F1.1>)#ip address 192.168.100.1 255.255.255.0
XSR(config-if<F1.1>)#ip tcp adjust-mss 1452
XSR(config-if<F1.1>)#no ip address
XSR(config)#interface dialer 1
XSR(config-if<D1>)#ip address negotiated
XSR(config-if<D1>)#ip mtu 1492
XSR(config-if<D1>)#ip nat outside
XSR(config-if<D1>)#encapsulation ppp
XSR(config-if<D1>)#dialer pool 1
XSR(config-if<D1>)#dialer-group 1
XSR(config-if<D1>)#ppp authentication pap
XSR(config-if<D1>)#ppp pap sent-username frizz password 7 141B1309000528
XSR(config)#ip nat inside source list 101 dialer 1 overload
XSR(config)#ip route 0.0.0.0 0.0.0.0 Dialer1
XSR(config)#access-list 111 permit ip 192.168.100.0 0.0.0.255 any
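
What the MSS rewrite described in this section does to a SYN, as an added Python example (not XSR code or output): the MSS option is located by walking the TCP options, lowered only when it exceeds the configured value, and the TCP checksum is updated incrementally (RFC 1624). The addresses, ports and function names are constructed for illustration; 1452 is the documented default, which is the 1492-byte PPPoE MTU minus a 20-byte IPv4 header and a 20-byte TCP header.

```python
import struct


def ones_sum(data):
    """16-bit one's-complement sum, as used by the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src, dst, segment):
    """IPv4 pseudo-header: addresses, zero byte, protocol 6 (TCP), TCP length."""
    return src + dst + struct.pack("!BBH", 0, 6, len(segment))


def checksum_ok(src, dst, segment):
    """A valid segment sums to 0xFFFF together with its pseudo-header."""
    return ones_sum(pseudo_header(src, dst, segment) + segment) == 0xFFFF


def build_syn(src, dst, mss, leading_nop=False):
    """Constructed test SYN: 20-byte TCP header plus an MSS option."""
    opts = (b"\x01" if leading_nop else b"") + struct.pack("!BBH", 2, 4, mss)
    opts += b"\x01" * (-len(opts) % 4)            # NOP-pad to a 32-bit boundary
    off_flags = (((20 + len(opts)) // 4) << 12) | 0x002   # data offset + SYN
    hdr = struct.pack("!HHIIHHHH", 49152, 80, 1000, 0, off_flags, 65535, 0, 0) + opts
    csum = ~ones_sum(pseudo_header(src, dst, hdr) + hdr) & 0xFFFF
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def read_mss(segment):
    """Return (offset_of_value, mss) for the MSS option of a SYN, else None."""
    if len(segment) < 20 or not segment[13] & 0x02:
        return None                                # too short, or not a SYN
    end = (segment[12] >> 4) * 4                   # header length in bytes
    if end < 20 or end > len(segment):
        return None
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                              # End of Option List
            return None
        if kind == 1:                              # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end:
            return None
        length = segment[i + 1]
        if length < 2 or i + length > end:         # malformed option: stop
            return None
        if kind == 2 and length == 4:              # Maximum Segment Size
            return i + 2, struct.unpack_from("!H", segment, i + 2)[0]
        i += length
    return None


def clamp_mss(segment, max_mss):
    """Lower the MSS option of a SYN to max_mss and fix the TCP checksum."""
    found = read_mss(segment)
    if found is None or found[1] <= max_mss:
        return segment                             # nothing to rewrite
    off = found[0]
    out = bytearray(segment)
    struct.pack_into("!H", out, off, max_mss)
    csum = struct.unpack_from("!H", segment, 16)[0]
    # The value may straddle two aligned 16-bit words when a NOP precedes it.
    for w in range(off & ~1, off + 2, 2):
        old = struct.unpack_from("!H", segment, w)[0]
        new = struct.unpack_from("!H", out, w)[0]
        if old != new:                             # RFC 1624: HC' = ~(~HC + ~m + m')
            total = (~csum & 0xFFFF) + (~old & 0xFFFF) + new
            while total >> 16:
                total = (total & 0xFFFF) + (total >> 16)
            csum = ~total & 0xFFFF
    struct.pack_into("!H", out, 16, csum)
    return bytes(out)


if __name__ == "__main__":
    src, dst = bytes([192, 168, 100, 10]), bytes([203, 0, 113, 5])
    syn = clamp_mss(build_syn(src, dst, 1460), 1452)
    print(read_mss(syn), checksum_ok(src, dst, syn))
```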

ip telnet server
This command enables or disables Telnet service to the XSR. If the optional parameter is not supplied, the Telnet server is enabled. Since the Telnet server is enabled at boot-up, you must either manually disable it using the CLI or disable it in the startup-config file.

Syntax
ip telnet server [enable | disable]

enable     Enables Telnet service.
disable    Disables Telnet service.

Syntax of the no Form


The no form of this command disables the Telnet server:
no ip telnet server

Mode
Global configuration: XSR(config)#

Default
Enabled

Example
The following example disables the Telnet server:
XSR(config)#ip telnet server enable
XSR(config)#no ip telnet server
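
A configuration review has to account for the services this chapter documents with Default: Enabled, which are on unless the configuration turns them off: ip directed-broadcast and ip proxy-arp per interface, ip redirects and ip telnet server globally. The following Python check is an added example, not Enterasys code; it assumes a saved configuration lists each interface line followed by its subcommands (that layout and the sample text are constructed), and it can only report on interfaces that appear in the file.

```python
import re

# Constructed sample configuration (assumed layout, not captured from a device).
SAMPLE_CONFIG = """\
interface FastEthernet 1
ip address 192.168.57.1 255.255.255.0
no ip directed-broadcast
no ip proxy-arp
interface FastEthernet 2
ip address 192.168.58.1 255.255.255.0
ip directed-broadcast 100
interface Serial 1/0
ip unnumbered fastethernet 2
no ip directed-broadcast
ip telnet server enable
no ip redirects
"""

# Proxy ARP is documented as available on Fast/GigabitEthernet interfaces only.
ETHERNET = re.compile(r"(fast|gigabit)ethernet")


def audit(config_text):
    """Return (scope, finding) tuples for default-enabled services still on."""
    interfaces = {}                    # name -> state, seeded with documented defaults
    telnet = redirects = True          # both documented as Default: Enabled
    current = None
    for raw in config_text.splitlines():
        line = " ".join(raw.split()).lower()
        if not line or line.startswith("!"):
            continue
        negated = line.startswith("no ")
        cmd = line[3:] if negated else line
        if cmd.startswith("interface ") and not negated:
            current = cmd[len("interface "):]
            interfaces.setdefault(current, {"dbcast": "all", "proxy_arp": True})
        elif cmd.startswith("ip directed-broadcast") and current:
            # An ACL number after the command limits which broadcasts pass.
            acl = cmd[len("ip directed-broadcast"):].strip()
            interfaces[current]["dbcast"] = "off" if negated else (acl or "all")
        elif cmd == "ip proxy-arp" and current:
            interfaces[current]["proxy_arp"] = not negated
        elif cmd.startswith("ip telnet server"):
            # A bare "ip telnet server" enables the service, as does "enable".
            telnet = not negated and not cmd.endswith(" disable")
        elif cmd == "ip redirects":
            redirects = not negated

    findings = []
    for name, state in interfaces.items():
        if state["dbcast"] == "all":
            findings.append((name, "directed broadcast forwards all broadcasts"))
        elif state["dbcast"] != "off":
            findings.append((name, "directed broadcast filtered by ACL " + state["dbcast"]))
        if ETHERNET.match(name) and state["proxy_arp"]:
            findings.append((name, "proxy ARP enabled"))
    if telnet:
        findings.append(("global", "Telnet server enabled"))
    if redirects:
        findings.append(("global", "IP redirects enabled"))
    return findings


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print(f"{scope}: {finding}")
```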

ip unnumbered
This command enables IP processing on a serial interface without assigning an explicit IP address to the interface; it associates a numbered interface whose address will be used with packets originating on this interface. The following conventions are observed:
- If the numbered interface is deleted, the unnumbered association must be deleted as well.
- If the numbered interface changes or deletes its address, the unnumbered association is preserved.
- Routing protocols must be aware of possible changes of the address of the numbered interface they point to, as follows:
  - If the address of the numbered interface is deleted, packets sourced from the unnumbered interface that points to this numbered interface will not be transmitted.
  - If the address of the numbered interface is changed, routing protocols must re-evaluate their participation in routing with the unnumbered interfaces. A match between the new address and a configured network must be found for the unnumbered interface to participate in routing.


Syntax
ip unnumbered [type number]

type      Type of another interface on which the router has an assigned IP address. It cannot be another unnumbered interface.
number    Number of another interface on which the router has an assigned IP address. It cannot be another unnumbered interface.

Syntax of the no Form


The no form of this command disables the unnumbered interface:
no ip unnumbered

Mode
Interface configuration: XSR(config-if<xx>)#

Default
Disabled

Example
In this example, Serial 1 is given F2's address. The serial port is unnumbered:
XSR(config-if<F2>)#ip address 145.22.4.67 255.255.255.0
XSR(config)#interface serial 1
XSR(config-if<S1>)#ip unnumbered fastethernet 2

ip router-id
This command configures a router identifier, an IPv4 address specified in dotted decimal notation. It is used in routing protocols such as OSPF to uniquely identify a routing instance.

Syntax
ip router-id [ip-address]

ip-address    IP address of router.

Syntax of the no Form


The no form of this command removes a router identifier:
no ip router-id

Mode
Global configuration: XSR(config)#


Example
The following example configures a router identifier:
XSR(config)#ip router-id 1.2.3.4

IP Clear and Show Commands

clear arp-cache
This command deletes all non-static entries from the ARP cache.

Syntax
clear arp-cache

Mode
Privileged EXEC: XSR#

clear ip interface-counters
This command clears all IP interface counters. If you do not enter the optional type or number value, all interface counters will be erased.

Syntax
clear ip interface-counters [type][number]

type      Interface type.
number    Interface number.

Mode
Privileged EXEC: XSR#

clear ip proxy-dns cache


This command clears the proxy DNS cache.

Syntax
clear ip proxy-dns cache

Mode
EXEC: XSR>


clear ip traffic-counters
This command clears all IP-related counters (IP, ICMP, ARP, UDP, TCP, RIP, OSPF) displayed by the show ip traffic command.

Syntax
clear ip traffic-counters

Mode
Privileged EXEC: XSR#

clear tcp counters


This command clears all TCP counters.

Syntax
clear tcp counters

Mode
Privileged EXEC: XSR#

show ip arp
This command displays all entries in the ARP cache.

Syntax
show ip arp [ip-address] [H.H.H] [type number]

ip-address     ARP entries matching this IP address are displayed.
H.H.H          The 48-bit MAC address.
type number    ARP entries learned via this interface type (Fast/GigabitEthernet) and number are displayed.

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following are sample responses:
XSR>show ip arp
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  134.141.235.251  0          0003.4712.7a99  ARPA  FastEthernet1
Internet  134.141.235.165  -          0002.1664.a5b3  ARPA  FastEthernet1
Internet  134.141.235.167  4          00d0.cf00.4b74  ARPA  FastEthernet1
Internet  134.141.235.137  1          00b0.d07f.0cab  ARPA  FastEthernet1
Internet  134.141.235.150  0          00b0.d02c.06d2  ARPA  FastEthernet1
Internet  134.141.235.155  2          00b0.d02c.077e  ARPA  FastEthernet1
Internet  134.141.235.124  17         00b0.d06d.b6ca  ARPA  FastEthernet1
Internet  58.58.58.1       -          0001.f4cc.dd02  ARPA  FastEthernet2
Internet  57.57.57.1       -          0001.f4cc.dd02  ARPA  FastEthernet2
Internet  54.54.54.1       -          0001.f4cc.dd02  ARPA  FastEthernet2
Internet  53.53.53.1       -          0001.f4cc.dd02  ARPA  FastEthernet2
Internet  52.52.52.1       -          0001.f4cc.dd02  ARPA  FastEthernet2
Internet  51.51.51.1       -          0001.f4cc.dd02  ARPA  FastEthernet2

XSR>show ip arp 134.141.235.165
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  134.141.235.165  -          0002.1664.a5b3  ARPA  FastEthernet1

XSR>show ip arp FastEthernet1
Protocol  Address          Age (min)  Hardware Addr   Type  Interface
Internet  134.141.235.251  0          0003.4712.7a99  ARPA  FastEthernet1
Internet  134.141.235.165  -          0002.1664.a5b3  ARPA  FastEthernet1
Internet  134.141.235.150  2          00b0.d02c.06d2  ARPA  FastEthernet1
Internet  134.141.235.155  5          00b0.d02c.077e  ARPA  FastEthernet1
Internet  134.141.235.124  5          00b0.d06d.b6ca  ARPA  FastEthernet1

Parameter Description
Protocol         Type of network address this entry includes.
Address          Network address mapped to the MAC address in this entry.
Age (min)        Interval (in minutes) since this entry was entered in the table, rather than since the entry was last used. The timeout value is 4 hours.
Hardware Addr    MAC address mapped to network address in this entry.
Type             Encapsulation type used for the network address in this entry. Valid values are ARPA (Ethernet encapsulation), SNAP (IEEE 802.3).

show ip interface
Displays the usability status of interfaces configured for IP.

Syntax
show ip interface [type number]

type      Interface type: ATM, BRI, Dialer, Fast/GigabitEthernet, Loopback, Multilink, Serial, VPN, and Null. Not specifying a type will display all configured interfaces.
number    Interface number.

Mode
EXEC or Global configuration: XSR> or XSR(config)#


Sample Output
The following is sample output from the command:
XSR>show ip interface
Dialer 0 is Admin Up
  Internet address is 1.1.1.1/24
  Last change: 11:14 AM
  Rcvd: 10245 octets, 1231 unicast packets, 0 discards, 3 errors, 4 unknown protocol
  Sent: 11232 octets, 1132 unicast packets, 0 discards, 2 errors
  MTU is 1500 bytes
  Proxy ARP is enabled.
  Helper address is not set
  Directed broadcast forwarding is disabled
  Outgoing access list is not set
  Inbound access list is not set
  Router Discovery is disabled
FastEthernet 0 is Admin Up
  Internet address is 134.141.235.165/24
  Last change: 11:14 AM
  Rcvd: 1245 octets, 131 unicast packets, 0 discards, 0 errors, 0 unknown protocol
  Sent: 11232 octets, 1132 unicast packets, 0 discards, 2 errors
  MTU is 1500 bytes
  Proxy ARP is enabled.
  Helper address is not set
  Directed broadcast forwarding is enabled
  Outgoing access list is not set
  Inbound access list is not set
  Router Discovery is enabled
FastEthernet 1 is down
  Internet address is 134.141.234.2/24
  Last change: 11:13 AM
  MTU is 1500 bytes
  Proxy ARP is disabled.
  Helper address is not set
  Directed broadcast forwarding is enabled
  Outgoing access list is not set
  Inbound access list is not set
  Router Discovery is enabled

The following is sample output showing primary and secondary IP addresses:
XSR#show ip interface fastEthernet 2
FastEthernet2 is Admin Up
  Internet address is 51.51.51.1, subnet mask is 255.255.255.0
  Internet address is 52.52.52.1, subnet mask is 255.255.255.0 Secondary
  Internet address is 53.53.53.1, subnet mask is 255.255.255.0 Secondary
  Internet address is 54.54.54.1, subnet mask is 255.255.255.0 Secondary
  Internet address is 57.57.57.1, subnet mask is 255.255.255.0 Secondary
  Internet address is 58.58.58.1, subnet mask is 255.255.255.0 Secondary
  Rcvd: 515027 octets, 3306 unicast packets, 0 discards, 0 errors, 0 unknown protocol.
  Sent: 363256 octets, 2472 unicast packets, 0 discards, 0 errors.
  MTU is 1500 bytes.
  Helper address is not set.
  Directed broadcast is enabled.
  Outgoing access list is not set.
  Inbound access list is not set.
  Router discovery is disabled.

The following is sample output from a VLAN interface on FastEthernet sub-interface 2.1:
XSR#show ip interface FastEthernet 2.1
FastEthernet2.1 is Admin Up
  Internet address is 1.2.3.4, subnet mask is 255.255.255.0
  Rcvd: 956984 octets, 11 unicast packets, 0 discards, 0 errors, 0 unknown protocol.
  Sent: 494708 octets, 6789 unicast packets, 0 discards, 0 errors.
  MTU is 1500 bytes.
  Proxy ARP is enabled.
  Helper address is not set.
  Directed broadcast is enabled.
  Outgoing access list is not set.
  Inbound access list is not set.
  Router discovery is disabled.
  IP Policy Based Routing is not enabled.

Parameter Description
FastEthernet1 is Admin Up        This refers to Layer 3 state for this interface. Valid states are Up and Down.
Last change                      The value of system time when the interface entered the current operational state. If the current state was entered prior to the last re-initialization of the local network management subsystem, then this is 0.
Octets                           Sum of octets received/sent through the specified interface.
Unicast packets                  Sum of unicast packets received/sent through the port.
Discards                         Sum of packets discarded even if no error had been detected, but for internal reasons (for instance to free up some buffer space).
Errors                           Sum of packets discarded because of errors.
Unknown protocol                 Sum of packets discarded because of unknown or unsupported protocol.
MTU                              Shows the MTU value set on the interface.
Proxy ARP                        Shows whether proxy ARP is enabled or disabled.
Helper address                   Helper address if one has been set.
Directed broadcast forwarding    Indicates whether directed broadcast forwarding is enabled.
Outgoing access list             Indicates whether the interface has an outgoing access list set.
Inbound access list              Indicates whether the interface has an incoming access list set.

show ip irdp
This command displays ICMP router discovery settings.

Syntax
show ip irdp

Configuration Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following is sample output:
XSR>show ip irdp
FastEthernet1 has router server discovery enabled.
Broadcast address is used.
Advertisements will occur between every 450 and 600 seconds.
Advertisements are valid for 1800 seconds.
Preference will be 100.
Serial 1 has router server discovery disabled
FastEthernet2 has router server discovery disabled

Parameter Description
Broadcast address is used                                      Type of addressing used (broadcast or multicast).
Advertisements will occur between every 450 and 600 seconds    Specified minimum and maximum advertising interval for the port.
Advertisements are valid for 1800 seconds                      The configured holdtime values for the interface.
Preference is 100                                              The configured (or in this case default) preference value for the interface.

show ip proxy-dns cache


This command displays the proxy DNS cache.

Syntax
show ip proxy-dns cache

Mode
EXEC: XSR>


Sample Output
The following is sample output from the command:
XSR>show ip proxy-dns cache
Name                 Age(sec)
www.enterasys.com    100
www.test.com         10

Parameter Description
Name    Designation of the DNS query.
Age     Seconds remaining for the lifetime of the cache.

show ip route
This command displays information about the Routing Table including route types, IP addresses, and costs. Administrative distances are referenced in each Routing Table entry within the brackets as follows: [distance/metric]. The command also displays all alternative routes where more than one route exists to a destination.

Syntax
show ip route [connected | address [mask [longer-prefixes]] | bgp | ospf | rip | static]

connected          Shows only connected routes.
address            Address about which routing data will be shown.
mask               Argument for a subnet mask.
longer-prefixes    The address and mask pair becomes a prefix and any routes that match the prefix are displayed.
bgp                Shows BGP routes.
ospf               Shows OSPF routes.
rip                Shows RIP routes.
static             Shows static routes.

Note: Bracketed values indicate route distance and cost, where the first value is distance and the second is cost. For example, [120/0003] indicates a distance of 120 (the default distance for RIP) and a cost of 3.

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Defaults
LAN (FastEthernet 1, 2) interface cost: 10
Serial interface cost: 64


Sample Output
The following is sample output. Note the route costs as indicated within brackets.
XSR>show ip route
Codes: C-connected, S-static, R-RIP, O-OSPF, IA-OSPF interarea
       N1 - OSPF NSSA external type 1, N2 - OSPF NSSA external type 2
       E1 - OSPF external type 1, E2 - OSPF external type 2
       * - candidate default, D - default route originated from default net
O E2 222.51.51.0/24    [112/0020] via 192.168.1.6, Dialer1
O IA 192.169.1.0/24    [110/0074] via 192.168.2.9, FastEthernet1
O    192.168.25.0/24   [108/0084] via 192.168.3.9, FastEthernet1
C    192.168.5.0/24    [ 0/0001] directly connected, FastEthernet2
R    68.0.0.0/8        [120/0002] via 51.51.51.9, FastEthernet2
R    67.0.0.0/8        [120/0002] via 51.51.51.9, FastEthernet2
R    66.0.0.0/8        [120/0002] via 51.51.51.9, FastEthernet2
C    58.58.58.0/24     [ 0/0001] directly connected, FastEthernet2
C    57.57.57.0/24     [ 0/0001] directly connected, FastEthernet2
R    55.0.0.0/8        [120/0002] via 51.51.51.9, FastEthernet2
C    54.54.54.0/24     [ 0/0001] directly connected, FastEthernet2
C    53.53.53.0/24     [ 0/0001] directly connected, FastEthernet2
C    52.52.52.0/24     [ 0/0001] directly connected, FastEthernet2
C    51.51.51.0/24     [ 0/0001] directly connected, FastEthernet2
S    2.0.0.0/8         [ 65/0001] via 192.168.72.1, FastEthernet1
S    3.0.0.0/8         [ 0/0001] directly connected FastEthernet1

The following sample output is displayed when IP route 2.0.0.0 is specified:
XSR#show ip route 2.0.0.0
Routing entry for 2.0.0.0 (mask 255.0.0.0)
Known via "static", distance 65, metric 1
Redistributing via
Last update from 192.168.72.1 on FastEthernet1
Routing Descriptor Blocks:
*Next hop 192.168.72.1, via FastEthernet1
Route metric is 1
Total delay is 0 microseconds, minimum bandwidth is 0kbit
Reliability , minimum MTU 0 bytes
Loading , Hops 1

Parameter Description
C         Connected route
S         Static route
R         RIP route
O         OSPF route
IA        OSPF interarea route
N1        OSPF NSSA external type 1 route
N2        OSPF NSSA external type 2 route
E1        OSPF external type 1 route
E2        OSPF external type 2 route
*         Candidate default route
D         Default route originated from default network
U         User-configured static route
[x/y]     Distance/metric information
[0060]    Route cost

show ip static database


This command displays static route information including the destination IP address, gateway IP address, and administrative distance.

Syntax
show ip static database [A.B.C.D. A.B.C.D./mask | interface-type | distance]

distance           Distance, ranging from 1 to 120 hops.
A.B.C.D.           Next hop
A.B.C.D./<0-32>    IP address and mask
interface-type     XSR interface type: BRI, Dialer, Loopback, Multilink, Serial, VPN, or Fast/GigabitEthernet.

Mode
EXEC configuration: XSR>

Sample Output
The following is sample output:
XSR#show ip static database
Maximum number of multiple static routes: 4
Routing Information Sources:
Address       Gateway    Distance
7.0.0.0/8     Null0      1
1.1.1.0/24    2.2.2.2    1

Parameter Description
Maximum number of multiple static routes    The maximum number of routes with the same destination but different next hop.
Address                                     The route.
Gateway                                     The next hop to reach the address.
Distance                                    The value of the administrative distance, which is a measure of trustworthiness of the routing update. The lower the value, the more trustworthy the source of the update.


show ip traffic
This command displays general IP protocols statistics.

Syntax
show ip traffic

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following is sample output:
XSR>show ip traffic
IP statistics:
  Rcvd:  9040 total, 919 local destination, 7020 to be forwarded
         5 header errors, 45 IP destination not valid
         63 unknown protocol, 0 discards
  Frags: 30 fragments, 10 reassembled, 0 couldn't reassemble
         5 fragmented, 15 fragments, 0 couldn't fragment
  Bcast: 87 received, 97 sent
  Sent:  192 generated,0 drop no route, 0 discards
         0 drop no route, 0 discards
ICMP statistics:
  Rcvd:  44 total
         0 format errors, 0 checksum errors, 0 redirects, 0 unreachable
         2 echo, 2 echo reply, 0 mask requests, 0 mask replies, 0 quench
         0 parameter, 0 timestamp, 0 info replies, 0 time exceeded
  Sent:  23 total
         0 redirects, 23 unreachable, 0 echo, 0 echo reply
         0 mask requests, 0 mask replies, 0 quench, 0 timestamp
         0 info reply, 0 time exceeded, 0 parameter problem
UDP statistics:
  Rcvd:  82858 total, 0 checksum errors, 82852 no port
  Sent:  42 total, 0 forwarded broadcasts
TCP statistics:
  Rcvd:  9138 total, 0 checksum errors, 0 no port
  Sent:  12425 total
RIP statistics:
  Rcvd:  0 total, 0 checksum errors
         0 resp to a query, 0 regular updates, 0 resp triggered by a change
  Sent:  0 total
OSPF statistics:
  Rcvd:  0 total, 0 checksum errors
         0 hello, 0 database desc, 0 link state req
         0 link state updates, 0 link state acks
  Sent:  0 total
ARP statistics:
  Rcvd:  87441 requests, 5 replies
  Sent:  3 requests, 36 replies (0 proxy)

Parameter Description
Total                       Sum of datagrams received.
Local destination           Sum of local datagrams successfully delivered to upper layers.
To be forwarded             Sum of input datagrams, for which the XSR is not the destination.
Header errors               Sum of input datagrams discarded due to errors in the IP header, including bad checksum, version number mismatch, ttl exceeded, other format errors.
IP destination not valid    Sum of input datagrams discarded due to IP destination address not valid.
Unknown protocol            Sum of locally addressed datagrams discarded because of unknown or unsupported protocol.
Discards                    Sum of input/output datagrams with no problems, but discarded due to internal reasons (such as lack of buffers).
Generated                   Sum of packets internally generated.
Drop no route               Sum of packets to be transmitted and dropped because of non-existent route to destination.

show resources
This command displays the allowable number of resource entries created and memory utilized. Values displayed reflect the amount of memory installed in your XSR. Monitoring memory usage can help you avoid over-allocating memory to a particular resource and triggering a shortage.

Syntax
show resources

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following is sample output:
XSRtop#show resources
( 64MgB)
                           |Resources|Bytes Per|Total Bytes|Requests
                   Resource|InUse    |Resource |InUse      |Denied
                   ========|=========|=========|===========|========
     Number of Dynamic ARPs|        1|       96|         96|       0
      Number of Static ARPs|        0|      192|          0|       0
Max Unresolved ARP Requests|        0|      384|          0|       0
         Routing Table Size|        3|      352|       1056|       0
    Number of Static Routes|        2|       96|        192|       0
     Number of Secondary IP|        0|      576|          0|       0
       Number of Virtual IP|        0|     1344|          0|       0
        IP Helper Addresses|        0|       96|          0|       0
  UDP Broadcast Fwd Entries|        7|       96|        672|       0
            OSPF LSA type 1|        2|     9408|      18816|       0
            OSPF LSA type 2|        0|     9408|          0|       0
            OSPF LSA type 3|        0|      320|          0|       0
            OSPF LSA type 4|        0|      480|          0|       0
            OSPF LSA type 5|        0|      480|          0|       0
            OSPF LSA type 7|        0|      576|          0|       0
   Number of ACList Entries|        0|      192|          0|       0
            Number of Users|        1|     4000|       4000|       0
 SNMP Read-Only Communities|        0|    14624|          0|       0
SNMP Read-Write Communities|        1|    14816|      14816|       0
          SNMP Trap Servers|        0|      192|          0|       0
                 SNMP users|        0|     9952|          0|       0
                SNMP groups|        2|     4672|       9344|       0
                 SNMP views|        3|     3744|      11232|       0
    Number of IP Interfaces|       17|     7936|     134912|       0
          Number of RIP Net|        0|       96|          0|       0
               AAA Sessions|        0|      320|          0|       0
      Authenticated Tunnels|        0|      640|          0|       0
          IKE/IPsec Tunnels|        0|     1152|          0|       0
                ISAKMP SA's|        0|     1920|          0|       0
                 IPSEC SA's|        0|     4448|          0|       0
               L2TP Tunnels|        0|     5376|          0|       0
               PPTP Tunnels|        0|     6112|          0|       0
         Dialer Map Classes|        1|      544|        544|       0
           Dialer Pool size|        0|     1632|          0|       0
    Frame Relay Map Classes|        0|      256|          0|       0
    Number of ADSL channels|        0|     8096|          0|       0
           ISAKMP Proposals|        1|       96|         96|       0
          Firewall Networks|        6|      192|       1152|       0
          Firewall Services|        0|      192|          0|       0
    Firewall Network Groups|        0|       96|          0|       0
    Firewall Service Groups|        0|       96|          0|       0
          Firewall Policies|        1|      320|        320|       0
      Firewall Gating Rules|        2|       96|        192|       0
           Firewall Filters|        2|      192|        384|       0
          Firewall Sessions|        0|      256|          0|       0
         Firewall AuthEntry|        0|      256|          0|       0
                Crypto Maps|        0|      736|          0|       0
          PBR Cache Entries|        0|       96|          0|       0
          Route-map Entries|        0|       96|          0|       0
                     Total:|         |         |     197824


Parameter Description
64MgB                 Amount of memory installed in the XSR.
Resource              Table, table entry, user, or SNMP category.
Resources In Use      Sum of entries currently in use.
Bytes Per Resource    Sum (in bytes) of memory in use by each entry.
Total Bytes In Use    Sum (in bytes) of memory currently used by this resource.

show tcp
This command displays TCP statistics.

Syntax
show tcp {connections | general}
connections    A summary connections display.
general        A detailed general information display.

Configuration Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following are sample responses:

Connection Table
XSR>show tcp connections
-----------TCP Statistics----------
Current Connections
Local Address          Foreign Address          Connection State
134.141.235.165.23     134.141.235.124.1573     ESTAB
134.141.235.165.23     134.141.235.150.1588     ESTAB

General Information Display
XSR>show tcp general
-----------TCP Statistics----------
TCP General Infomation
Maximum number of TCP connections is dynamic
2 connections in state ESTABLISHED or CLOSE-WAIT
Retransmission timeouts: min 220ms; max 684 ms
Rcvd: 870 total
      0 errors
Sent: 701 total
      2 retransmitted
      1 containing the RST flag
0 transitions from CLOSED to SYN-SENT
4 transitions from LISTEN to SYN-RCVD
2 transitions from SYN-SENT or SYN-RCVD to CLOSED
2 transitions from ESTABLISHED or CLOSE-WAIT to CLOSE

Parameter Description
Connection state - Possible states for a TCP connection:
LISTEN        Waiting for a connection request.
SYN-SENT      Waiting for a matching connection request after having sent a connection request.
SYN-RCVD      Waiting for a confirming connection request ack after having both received and sent a connection request.
ESTAB         Indicates an open connection.
FIN-WAIT-1    Waiting for a connection termination request from the remote TCP host or an ack of the connection termination request previously sent.
FIN-WAIT-2    Waiting for a connection termination request from the remote TCP host.
CLOSE-WAIT    Waiting for a connection termination request from local user.
CLOSING       Waiting for a connection termination request ACK from the remote TCP host.
LAST-ACK      Waiting for an ack of the connection termination request previously sent to the remote TCP host.
TIME-WAIT     Waiting for enough time to pass to be sure the remote TCP host has received the ack of its connection termination request.
CLOSED        Indicates no connection state at all.
Local address             IP address and port of the network server.
Foreign address           IP address and port of the connected remote host.
Retransmission timeout    Retransmission interval of TCP packets that were not acknowledged and are waiting for retransmission.

telnet ip_address
This command supports Telnetting to another server.

Syntax
telnet ip_address [port value]
ip_address    IP address of the server you are Telnetting to.
value         Port number of the Telnet server. Range: from 0 to 65,535.

Mode
Privileged EXEC: XSR#


Default
Standard Telnet port 23. If the port is not provided, the client will try to connect to port 23 on the remote server.

Example
The following example connects you to the XSR at 192.57.189.4 via Telnet:
XSR#telnet 192.57.189.4 23

Network Address Translation Commands

The XSR commands below configure Network Address Translation (NAT).

clear ip nat translation

This command clears dynamic NAT translations from the table before they time out. Although the XSR times out NAT translations by default, it is useful to clear translations before the timeout.

Syntax
clear ip nat translation interface {[all | global-ip local-ip] | [protocol global-ip global-port local-ip local-port]}
interface      Port number: Dialer (0-255), FastEthernet (1-2), Loopback (0-65535), Serial (card/port/channel#), VPN (0-255).
all            Wildcard keyword to clear all dynamic translation entries on an interface.
global-ip      When used without arguments protocol, global-port, and local-port, it clears a simple translation that also contains the specified local-ip address. When used with those arguments it clears an extended translation.
local-ip       Clears an entry that contains this local IP address and the specified global-ip address.
protocol       Clears an entry containing this protocol and the specified global-ip address, local-ip address, global-port and local-port.
global-port    Clears an entry containing this global-port and the specified protocol, global-ip address, local-ip address, and local-port.
local-port     Clears an entry that contains this local-port and the specified protocol, global-ip address, local-ip address, and global-port.

Mode
Privileged EXEC: XSR#

Examples
The following example clears all NAT translations on GigabitEthernet interface 2:
XSR#clear ip nat translations g2 *
2 NAPT entries or NAT mapping removed


The following example clears a specific UDP entry from the NAPT table:
XSR#clear ip nat translation fastEthernet 1 17 200.2.233.1 1220 192.168.27.95 1220
1 NAPT entries or NAT mapping removed

The following example clears all NAPT translations for host 192.168.50.2 on the private network:
XSR#clear ip nat translation fastEthernet 1 192.168.50.2 0.0.0.0
4 NAPT entries or NAT mapping removed

The following example clears all NAPT translations for, to, and from the NATted address of 10.10.10.15:
XSR#clear ip nat translation fastEthernet 1 0.0.0.0 10.10.10.15
5 NAPT entries or NAT mapping removed

ip local pool
This command configures a local pool of IP addresses for distribution to remote peers seeking connection to an interface. The command acquires IP Local Pool mode and makes available this sub-command:
exclude - Bars a range of IP addresses from the local pool. Refer to page 5-184 for the sub-command definition.

Syntax
ip local pool pool-name IP-address subnet-mask
pool-name      Name of a particular local address pool.
IP-address     Base address of an IP subnet used to allocate IP addresses.
subnet-mask    Mask of that IP subnet. All subnet address bits matching zero bits in the mask must also be zero; that is, subnet and mask must be zero. May be expressed as A.B.C.D or /<0-32>.

Note: The pool size (mask) must be /16 or higher (Class B or C) thus limiting any one pool to 64,000 IP addresses.

Syntax of the no Form


Use the no form of this command to delete an IP address from the pool:
no ip local pool pool-name

Mode
Global configuration: XSR(config)#

Next Mode
IP Local Pool configuration: XSR(ip-local-pool)#

Example
The following example creates local IP address pool marketing, which contains all IP addresses in the range 203.57.99.0 to 203.57.99.255:
XSR(config)#ip local pool marketing 203.57.99.0 255.255.255.0

exclude
This sub-command bars the use of a range of IP addresses from an earlier created IP pool.

Syntax
exclude {ip address}{number}
ip address    Starting address to be excluded from pool.
number        Number of addresses to exclude, ranging from 1 to 65535.

Syntax of the no Form

The no form of this command removes the specified IP address from the exclude list:
no exclude {ip address}{number}

Mode
Local IP Pool configuration: XSR(ip-local-pool)#

Examples
The following example excludes the ten IP addresses between 192.168.57.100 and 192.168.57.110 from local pool HQ:
XSR(config)#ip local pool HQ 192.168.57.0 255.255.255.0
XSR(ip-local-pool)#exclude 192.168.57.100 10

The following example negates the exclusion of IP addresses 192.168.57.105 and 192.168.57.106 from the earlier excluded range of IP addresses in local pool HQ:
XSR(config)#ip local pool HQ
XSR(ip-local-pool)#no exclude 192.168.57.105 2

ip nat pool
This command defines a pool of IP addresses for Network Address Translation (NAT). NAT pools are configured using the ip local pool command and then registered as being used by NAT. A pool must be registered by the XSR or it will not be attached to an interface.


Syntax
ip nat pool name
name    Name of the IP local pool.

Syntax of the no Form

The no command removes one or more addresses from the NAT pool:
no ip nat pool name

Mode
Global configuration: XSR(config)#

Example
The following example configures the IP NAT pool NATpool:
XSR(config)#ip nat pool NATpool

ip nat service list

This command specifies a port other than the default port for the File Transfer Protocol (FTP). It is used when you want NAT to pass only FTP control sessions that are using that port. In this case, all client requests using the default port (21) will be dropped by NAT.

Syntax
ip nat service list access-list-number ftp tcp port port-number
list acl-number     Standard ACL number, ranging from 1 to 199.
ftp                 FTP protocol.
tcp                 TCP protocol.
port port-number    Port other than the default port. Range: 1 to 65533.

Syntax of the no Form

The no form of the command disables the port:
no ip nat service list access-list-number ftp tcp port port-number

Mode
Global configuration: XSR(config)#

Default
Disabled

Examples
The following example configures non-standard port 2021 for FTP:

XSR(config)#ip nat service list 1 ftp tcp port 2021
XSR(config)#access-list 1 permit 10.1.1.1

This example sets non-standard port 2021 and standard port 21 for FTP. Be aware that if the FTP server is using both the default and another port, both ports must be configured in NAT.
XSR(config)#ip nat service list 1 ftp tcp port 21
XSR(config)#ip nat service list 1 ftp tcp port 2021
XSR(config)#access-list 1 permit 10.1.1.1

ip nat source (interface mode - NAPT)

This command applies Pool Network Address Translation (NAT) and Network Address Port Translation (NAPT) rules to an XSR interface. Both standard and extended access lists are supported as well as Network Address Port Translation.

Syntax
ip nat source [list access-list-number]{assigned overload | address ip-address overload | pool pool_name overload}
list access-list-number    Standard IP ACL number. Packets with source addresses that pass the ACL (permitted by the list) are dynamically translated using the local global address. If the ACL is not specified, the wildcard is assumed.
assigned                   IP address of the port used as the source IP address for outgoing packets.
ip-address                 Specified arbitrary IP address used as the global NAT IP address.
pool pool_name             Group of addresses from which the global address will be chosen.
overload                   When overload is specified, the selected global address (either specified or from the pool) will be used to perform NAPT, which ranges from port 20000 to 40960.

Syntax of the no Form

The no command removes NAT rules from the interface:
no ip nat source [list access-list-number]{assigned overload | address ip-address overload | pool pool_name overload}

Mode
Interface configuration: XSR(config-if<xx>)#

Default:
No NAT (rule) specified for the interface.

Example
This example configures Serial interface 1/0 as the source IP address for outgoing packets:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#ip nat source assigned over


ip nat source intf-static (interface mode)


This command configures a single static translation entry in the Network Address Translation (NAT) table. Interface static NAT is similar to global NAT; it takes precedence over global static NAT with the implication that if an outgoing/incoming packet matches the interface static NAT no other form of NAT will be performed.

Syntax
ip nat source [list ACL_number] intf-static {local-ip global-ip |{tcp | udp} local-ip local-port global-ip global-port}
list ACL_number    Standard IP ACL number. Packets with source addresses that pass the ACL (permitted by the list) are dynamically translated using the local global address. If the ACL is not specified, the wildcard is assumed.
static             A global static NAT table entry is added.
local-ip           A local IP address assigned to a host on the inside network.
global-ip          Translated IP address.
tcp | udp          This value implies that this is a port-specific static NAT.
local-port         Source port of outgoing packets and destination port of incoming packets.
global-port        Destination port of outgoing packets and source port of incoming packets.

Syntax of the no Form

The no form of the command removes a single static translation entry:
no ip nat intf-source static local-ip global-ip

Mode
Interface configuration: XSR(config-if-<S1>)#

Example
The following example configures a static NAT system:
XSR(config-if<S1>)#ip nat source intf-static 192.178.15.97 10.10.10.5

ip nat source static (global mode)

This command configures a single static translation entry in the Network Address Translation (NAT) table. Interface static NAT is similar to global NAT; it takes precedence over global static NAT with the implication that if an outgoing/incoming packet matches the interface static NAT no other form of NAT will be performed.

Syntax
ip nat source static {local-ip global-ip |{tcp | udp} local-ip local-port global-ip global-port}
static         A global static NAT table entry is added.
local-ip       A local IP address assigned to a host on the inside network.
global-ip      Translated IP address.
tcp | udp      This value implies that this is a port-specific static NAT.
local-port     Source port of outgoing packets and destination port of incoming packets.
global-port    Destination port of outgoing packets and source port of incoming packets.

Syntax of the no Form


The no form of the command removes a single static translation entry:
no ip nat source static local-ip global-ip

Mode
Global configuration: XSR(config)#

Example
The following example configures a static NAT system:
XSR(config)#ip nat source static 192.178.15.97 10.10.10.5

ip nat translation
This command changes the interval after which translations time out.

Syntax
ip nat translation {timeout | udp-timeout | tcp-timeout | icmp-timeout}[seconds] | [never]
timeout         Dynamic NAT interval (not overload translations).
udp-timeout     UDP port interval.
tcp-timeout     TCP port interval.
icmp-timeout    ICMP traffic interval.
seconds         Period after which port translation expires.
never           No expiration.

Syntax of the no Form

The no command configures default timeout values:
no ip nat translation {timeout | udp-timeout | tcp-timeout | icmp-timeout} [seconds] | [never]

Mode
Global configuration: XSR(config)#


Defaults
Timeout: 180 seconds (3 minutes)
UDP timeout: 300 seconds (5 minutes)
TCP timeout: 86,400 seconds (24 hours)
ICMP timeout: 60 seconds

Example
The example below times out UDP port translation entries in 15 minutes:
XSR(config)#ip nat translation udp-timeout 900

show ip nat translations

This command displays active NAPT translations.

Syntax
show ip nat translations [interface]

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following example displays four static NAT entries. Note that external hosts are not tracked for static NAT nor are idle times.

XSR#show ip nat translations
Interface GigabitEthernet 2
=============================================================
Num Interface-Static NAT : 4
---------------------------------------
Pro  Private Host          NAT Addr             External Host  Idle
     (Local IP Addr)       (Global IP Addr)
ANY  146.115.206.31        10.120.112.2         Not Tracked    n/a
TCP  146.115.206.242:80    10.120.112.146:80    Not Tracked    n/a
TCP  146.115.206.242:80    10.120.112.156:80    Not Tracked    n/a
UDP  146.115.206.32:223    10.120.112.156:143   Not Tracked    n/a

The following example displays four dynamic NAT entries with assigned address overloading. Note that four different inside hosts appear on the outside with a single NAT IP address (10.10.10.2).

XSR#show ip nat translations
NAPT using address: 10.10.10.2
Num translations: 8
---------------------------------------
Pro  Private Host          NAT Addr             External Host       Idle
     (Local IP Addr)       (Global IP Addr)
UDP  192.168.50.90:1024    10.10.10.2:20002     10.10.10.15:3664    24
UDP  192.168.50.90:1024    10.10.10.2:20001     10.10.10.15:3663    24
UDP  192.168.50.91:1024    10.10.10.2:20004     10.10.10.16:3666    24
UDP  192.168.50.91:1024    10.10.10.2:20003     10.10.10.16:3665    24
TCP  192.168.50.70:1024    10.10.10.2:20006     10.10.15.75:36864   3
TCP  192.168.50.70:1024    10.10.10.2:20005     10.10.15.75:36863   3
TCP  192.168.50.71:1024    10.10.10.2:20008     10.10.15.76:36866   3
TCP  192.168.50.71:1024    10.10.10.2:20007     10.10.15.76:36865   3

The following example displays NAT pool entries with overload statistics. Note that a unique NAT IP address is assigned to each internal host and that if there are more internal hosts than the number of addresses in the pool, then multiple internal hosts will share a single NAT address.

XSR#show ip nat translations
Pool name: NATPool with overload
ACL Number: 100
---------------------------------------
NAPT using address: 10.10.10.131
Num translations: 2
---------------------------------------
Pro  Private Host          NAT Addr              External Host      Idle
     (Local IP Addr)       (Global IP Addr)
UDP  192.168.50.91:1024    10.10.10.131:20002    10.10.10.16:3666   4
UDP  192.168.50.91:1024    10.10.10.131:20001    10.10.10.16:3665   4

Parameter Description
Pro              Protocol of the port identifying the address.
Private Host     The IP address assigned to a host on the inside network.
NAT Addr         The legitimate IP address.
External Host    Remote host that the packets are destined to.
Idle             Period (seconds) of inactivity of a traffic flow.
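
When an outside log shows only the NAT address and port, the NAPT table is what ties the flow back to an inside host, and only until the entry times out. The following is an added example, not part of the guide or of Enterasys software: it parses NAPT rows in the layout of the sample output above (re-typed one entry per line as constructed input) and assumes an entry ages out once Idle reaches the default udp-timeout or tcp-timeout.

```python
import re
from typing import NamedTuple, Optional

# Constructed input: the NAPT rows of the guide's sample, one entry per line.
SAMPLE = """\
XSR#show ip nat translations
NAPT using address: 10.10.10.2
Num translations: 8
---------------------------------------
Pro  Private Host         NAT Addr            External Host       Idle
     (Local IP Addr)      (Global IP Addr)
UDP  192.168.50.90:1024   10.10.10.2:20002    10.10.10.15:3664    24
UDP  192.168.50.90:1024   10.10.10.2:20001    10.10.10.15:3663    24
UDP  192.168.50.91:1024   10.10.10.2:20004    10.10.10.16:3666    24
UDP  192.168.50.91:1024   10.10.10.2:20003    10.10.10.16:3665    24
TCP  192.168.50.70:1024   10.10.10.2:20006    10.10.15.75:36864   3
TCP  192.168.50.70:1024   10.10.10.2:20005    10.10.15.75:36863   3
TCP  192.168.50.71:1024   10.10.10.2:20008    10.10.15.76:36866   3
TCP  192.168.50.71:1024   10.10.10.2:20007    10.10.15.76:36865   3
"""

NAPT_PORTS = range(20000, 40961)               # overload port range given in the guide
DEFAULT_TIMEOUT = {"UDP": 300, "TCP": 86400}   # default udp-/tcp-timeout in seconds


class Translation(NamedTuple):
    proto: str
    private_ip: str
    private_port: int
    nat_ip: str
    nat_port: int
    ext_ip: str
    ext_port: int
    idle: int


ADDR = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
ROW = re.compile(rf"^(TCP|UDP)\s+{ADDR}\s+{ADDR}\s+{ADDR}\s+(\d+)$")


def parse_napt(text: str) -> list:
    """Return one Translation per TCP/UDP row; headers and rulers are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append(Translation(m[1], m[2], int(m[3]), m[4], int(m[5]),
                                    m[6], int(m[7]), int(m[8])))
    return rows


def attribute(rows, proto: str, nat_ip: str, nat_port: int) -> Optional[Translation]:
    """Find the inside host behind a NAT address:port seen in an external log."""
    for r in rows:
        if (r.proto, r.nat_ip, r.nat_port) == (proto.upper(), nat_ip, nat_port):
            return r
    return None


def hosts_behind(rows, nat_ip: str) -> list:
    """Inside hosts currently sharing one global address."""
    return sorted({r.private_ip for r in rows if r.nat_ip == nat_ip})


def seconds_left(r: Translation, timeouts=DEFAULT_TIMEOUT) -> int:
    """Time before the entry (and the attribution evidence) ages out."""
    return max(0, timeouts[r.proto] - r.idle)


def outside_napt_range(rows) -> list:
    """Entries whose global port is not in the documented overload range."""
    return [r for r in rows if r.nat_port not in NAPT_PORTS]


if __name__ == "__main__":
    table = parse_napt(SAMPLE)
    hit = attribute(table, "tcp", "10.10.10.2", 20006)
    print(hit, seconds_left(hit), hosts_behind(table, "10.10.10.2"))
```

If ip nat translation has been used to change the timeouts, pass the configured values as the timeouts argument instead of the defaults.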


Virtual Router Redundancy Protocol Commands

vrrp <group> adver-int

This command configures the interval between successive advertisements sent by the master VR in a virtual group. Advertisements sent by the master VR communicate the state and priority of the current master VR.
Note: All virtual routers in a virtual group must have the same advertisement interval.

Syntax
vrrp group adver-int [sec] interval
group       VR group number.
interval    Interval between successive advertisements by master VR. Range: 1-255 seconds.

Syntax of the no Form

Use the no form of this command to restore the default value:
no vrrp group adver-int

Defaults
Interval: 1 second
Group: 1, ranging from 1 to 255

Mode
Interface configuration: XSR(config-if<xx>)#

Examples
The following example sets advertising interval 2 for VR group 2 on FastEthernet interface 1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#vrrp 2 adver-int 2

The following example sets the default advertising interval for virtual router group 2 on F1:
XSR(config-if<F1>)#no vrrp 2 adver-int

vrrp <group> authentication


This command authenticates Virtual Router Redundancy Protocol (VRRP) packets received from other routers in the group. When a VRRP packet arrives from another router in the VRRP group, its authentication string inside the packet is compared to the string configured on the local system. If the strings match, the message is accepted and if not, it is discarded. All routers within the group must share the same authentication string.
Note: Plain text authentication is not meant to be used for security. It simply provides a way to prevent a misconfigured router from participating in the VRRP.

Syntax
vrrp group authentication string
group     Virtual router group number.
string    String (up to 8 alphanumeric characters) to validate incoming VRRP packets.

Syntax of the no Form

Disable VRRP authentication by using the no form of this command:
no vrrp group authentication

Defaults
No authentication of VRRP messages occurs.
Group: 1, ranging from 1 to 255

Mode
Interface configuration: XSR(config-if<xx>)#

Examples
The following example enables authentication for VR group 1 on F1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#vrrp 1 authentication mypass
or
vrrp authentication mypass

The following example disables authentication:
XSR(config-if<F1>)#no vrrp 1 authentication
or
no vrrp authentication

vrrp <group> ip
This command adds up to 11 virtual IP addresses per group and enables a corresponding Virtual Router (VR) on an interface. Be aware of these caveats:
- If the first virtual address for one VR is one of the real addresses in the XSR (it must be on the same port), the next one must also be one of the real addresses (it must be on the same port).
- If the first virtual address is not one of the real addresses on a certain port, the next one must not be one of the real addresses on that port.
- The set of virtual IP addresses configured on each VRRP router belonging to the same group must be the same.


Syntax
vrrp group ip ipaddress
group        VR group number. If you do not specify an input group number, the default group number will be used. Limit: 11 addresses per VR, 44 per router.
ipaddress    IP address of the VR.

Syntax of the no Form

The no form of this command removes the virtual IP address on a port:
no vrrp group ip ipaddress

Defaults
No VR configured
Group: 1

Mode
Interface configuration: XSR(config-if<xx>)#

Examples
The following example adds and enables virtual group 1 on F1. The VRRP group is 1 and IP address 10.0.1.20 is the address of the virtual router.
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#vrrp 1 ip 10.0.1.20
or
vrrp 1 ip 10.0.1.20

The following example removes virtual IP address 10.0.1.20 from virtual group 1 on F1. The VRRP group is 1 and IP address 10.0.1.20 is the address of the virtual router.
XSR(config-if<F1>)#no vrrp 1 ip 10.0.1.20
or
no vrrp ip 10.0.1.20

vrrp <group> master-respond-ping

This command allows the Virtual Router (VR) master to respond to an ICMP ping regardless of actual IP address ownership. RFC 2338 specifies that a VR master that is not the actual address owner should not respond to ICMP ping associated with the virtual IP address. This configuration should be consistent on all interfaces participating in a VR.

Syntax
vrrp <group> master-respond-ping
group    VR group number, ranging from 1 to 255.

Syntax of the no Form

The no form of this command disables the functionality:
no vrrp group master-respond-ping


Defaults
Disabled: the VR master will not respond to an ICMP echo request sent to the virtual IP address if it is not the physical owner.
If no group is provided, the default group is 1.

Mode
Interface configuration: XSR(config-if<xx>)#

Examples
The following example enables this feature for VR 2 on interface F1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#vrrp 2 master-respond-ping

The following example disables this feature for VR 2 on interface F1:
XSR(config-if<F1>)#no vrrp 2 master-respond-ping

vrrp <group> preempt

This command configures the router to take over as master Virtual Router (VR) for a virtual group if it has higher priority than the current master VR. This feature is enabled by default. You can also configure a delay, which will cause the virtual router to wait the specified interval before issuing an advertisement claiming master ownership.
Notes: The XSR established as the IP address owner will pre-empt another VR, regardless of the setting of this command. All VRs in a virtual group must share the same preempt attribute. That is, if one VR is set as no preempt, the others must be set likewise.

Syntax
vrrp group preempt [delay <seconds>]
group      VR group number.
seconds    Interval the router will delay before issuing an advertisement claiming master ownership.

Syntax of the no Form

Disable this feature with the no form of the command:
no vrrp group preempt

Defaults
Enabled
Group: 1, ranging from 1 to 255
Seconds: 0


Mode
Interface configuration: XSR(config-if<xx>)#

Examples
The following example enables preempt for virtual router group 1 with a 2-second delay set on F1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#vrrp 1 preempt delay 2
or
vrrp preempt delay 2

The following example disables the preempt for VR group 1 on F1:
XSR(config-if<F1>)#no vrrp 1 preempt
or
no vrrp preempt

vrrp <group> priority

This command sets the priority level of the router within a virtual group. Use it to control which router becomes the master VR.

Syntax
vrrp group priority level
group    VR group number.
level    Priority of the router within the VRRP group. Range: 1 to 254.

Syntax of the no Form

The no form of this command restores the default value:
no vrrp group priority

Defaults
Level: The priority of the IP address owner is 255, otherwise the default is 100.
Group: 1, ranging from 1 to 255

Mode
Interface configuration: XSR(config-if<xx>)#

Examples
This example sets priority 150 for VR group 1 on F1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#vrrp 1 priority 150
or
vrrp priority 150

The following example sets priority to default for VR group 1 on F1:
XSR(config-if<F1>)#no vrrp 1 priority
or
no vrrp priority


vrrp <group> track


This command allows a Virtual Router (VR) to track another interface (FastEthernet, Serial, Dialer or Multilink PPP) or one or more routes on the same router.
When interface A is configured to track interface B, interface A will monitor the status of interface B to decide if it wants to become the master of a VR. When interface B goes down, interface A will lower its priority to 0 (zero) and refrain from participating in the VR master selection, but will continue to monitor interface B. When interface B comes up, interface A will increase its VR priority back to the original value. If interface A is originally configured as a backup VR, no preemption will occur, but interface A will resume being the backup VR.
This command should be used on the interface that is most likely to be selected as master of the corresponding VR. If the interface is configured as a backup VR, the command has no effect.
When you configure watch list tracking, if all routes fail, the VR will lower its priority to 0 and when at least one of the routes comes up, the VR will return to its original priority. When specifying a watch group, be aware that you can use the associated dialer watch-list command.
Notes: This command should be used on the interface most likely to be chosen master of the corresponding VR. The command has no effect if the interface is configured as a backup VR. The XSR supports one track interface per VR only, so every time it is configured, the router will overwrite the previous one.
Caution: When you configure the track interface, the VR IP address you specify must be different than the physical IP address of the interface, otherwise client ARP tables will not be correctly updated.

Syntax

vrrp <group> track <interface-type> watch-group watch-list-number
group                VR group number, ranging from 1 to 255.
interface-type       Name and number of the interface to monitor.
watch-list-number    Number of the Dialer watch list to monitor, ranging from 1 to 255.

Syntax of the no Form

The no form of this command disables the functionality:
no vrrp group track

Defaults
No interface tracking.
If no group is provided, the default group is 1.

Mode
Interface configuration: XSR(config-if<xx>)#

Example
This example enables the tracking of interface Serial 1/0 by interface F1 on VR 2:

XSR(config)#interface fastethernet 1
XSR(config-if)#vrrp 2 track serial 1/0

This example disables the tracking of interface Serial 1/0 by interface F1 on VR 2:
XSR(config-if)#no vrrp 2 track

VRRP Clear and Show Commands

clear vrrp-counters

This command clears statistics for a specified VRRP group; it is governed by the following considerations:
- If you do not specify both group and interface, the statistics for all Virtual Routers (VR) in the VRRP group on this router will be cleared.
- If you specify only the group and not the interface, statistics for all the VRs in the VRRP group whose group ID matches the specified ID on this router will be cleared.
- If you do specify the interface only, statistics for all VRs in the VRRP group configured on this interface on this router will be cleared.
- If you specify both group and interface, only statistics for this specified VRRP group on this router will be cleared.

Syntax
clear vrrp-counters [group][interface]
group        Virtual router group number, ranging from 1 to 255.
interface    FastEthernet 1 or Fast/GigabitEthernet 2 only.

Mode
EXEC: XSR>clear vrrp-counters

Examples
To clear statistics for VR 2 on interface F1, enter:
XSR#clear vrrp-counters fastethernet 1 2

To clear statistics for all the VRs on this router, enter:
XSR#clear vrrp-counters

show vrrp
This command displays all virtual router information configured on this router.

Syntax
show vrrp


Mode
EXEC: XSR>

Sample Output
The following sample output displays configuration data for all virtual routers on this router:
XSR#show vrrp
Ethernet Interface:          1
Group ID:                    1
State:                       backup
Preempt:                     Preempt Enabled
Priority:                    100
Adver-int:                   1
Master Down Timer:           3
Authentication Code:         mypass
Virtual IP:                  3.3.3.3
Primary IP:                  1.1.1.1
Master Router IP:            3.3.3.3
Virtual MAC:                 0x00005e005101
BecomeMaster:                2
AdvertiseRcvd:               96
ChecksumErrors:              0
VersionErrrors:              0
PriorityZeroPktsRcvd:        0
PriorityZeroPktsSend:        0
InvalidTypePktsRcvd:         0
UnknownAuthType:             0
AuthTypeErrors:              0
AuthFailures:                0
-------------------------------
Ethernet Interface:          2
Group ID:                    2
State:                       master
Preempt:                     Preempt Enable
Priority:                    100
Adver-int:                   1
Advertise Interval Timer:    1
Authentication Code:         mypass
Virtual IP:                  3.3.3.3
Primary IP:                  2.2.2.2
Master Router IP:            2.2.2.2
Virtual MAC:                 0x00005e005101
BecomeMaster:                2
AdvertiseRcvd:               96
ChecksumErrors:              0
VersionErrrors:              0
PriorityZeroPktsRcvd:        0
PriorityZeroPktsSend:        0
InvalidTypePktsRcvd:         0
UnknownAuthType:             0
AuthTypeErrors:              10
AuthFailures:                0

show vrrp interface


Thiscommanddisplaysallthevirtualroutersandtheirstatusonaspecifiedinterface.

Syntax
show vrrp interface <interface> interface

Interfacename,eitherFastEthernet1or2only.

Mode
EXEC:XSR>

Sample Output
ThissampleoutputdisplaysconfigurationdataofavirtualrouteroninterfaceFastEthernet2:
XSR#show vrrp interface fastethernet 2 Eathernet Interface: Group ID: State: Preempt: Priority: Adver-int: Advertise Interval Timer: Authentication Code: Virtual IP: Primary IP: Master Router IP: Virtual MAC: BecomeMaster: AdvertiseRcvd: ChecksumErrors: VersionErrrors: PriorityZeroPktsRcvd: PriorityZeroPktsSend: InvalidTypePktsRcvd: UnknownAuthType: AuthTypeErrors: AuthFailures: 2 2 master Preempt Enable 15 1 1 mypass 3.3.3.3 2.2.2.2 2.2.2.2 0x00005e005101 2 96 0 0 0 0 0 0 10 0

Parameter Description
FastEthernet Interface      Interface type and number
Group ID                    VRRP group number
State                       Master or backup
Preempt                     Preempt enabled or not
Preempt Delay               Preempt delay seconds
Priority                    Priority of this group
Adver-int                   Advertisement interval
Master Down Timer/ Advertise Interval Timer/ Master Delay Timer
                            If in backup state, displays the seconds remaining to trigger Master Down Timer or Master Delay Timer; if in master state, displays the seconds remaining to trigger the next advertisement.
Authentication Code         Password
Virtual IP                  Virtual IP address
Primary IP                  Interface IP address
Master Router IP            Master router IP address
Master respond ping         Master respond ping enabled or not
Track Interface             Interface being monitored
Virtual MAC                 Virtual Mac address
BecomeMaster                BecomeMaster counter
AdvertiseRcvd               Advertisement received packets counter
ChecksumErrors              ChecksumErrors packets counter
VersionErrors               VersionErrrors packets counter
PriorityZeroPktsRcvd        PriorityZeroPktsRcvd counter
PriorityZeroPktsSend        PriorityZeroPktsSend counter
InvalidTypePktsRcvd         InvalidTypePktsRcvd counter
UnknownAuthType             UnknownAuthType packets counter
AuthTypeErrors              AuthTypeErrors packets counter
AuthFailures                AuthFailures packets counter
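The counters and the Authentication Code field described above can be checked mechanically. The following Python sketch is an added example, not part of this guide or of the XSR firmware: it parses captured show vrrp output, reports nonzero error and authentication counters, and redacts the cleartext password before the capture is stored. The sample text is constructed, and one "Field: value" pair per line is an assumption about the on-device layout; the function names are hypothetical.

```python
import re

# Constructed sample in the field layout of the show vrrp output above. One
# "Field: value" pair per line is an assumption about the on-device layout.
SAMPLE = """\
XSR#show vrrp
Ethernet Interface: 1
Group ID: 1
State: backup
Authentication Code: mypass
Virtual IP: 3.3.3.3
Virtual MAC: 0x00005e005101
ChecksumErrors: 0
UnknownAuthType: 0
AuthTypeErrors: 0
AuthFailures: 0
------------------------------
Ethernet Interface: 2
Group ID: 2
State: master
Authentication Code: mypass
Virtual IP: 3.3.3.3
Virtual MAC: 0x00005e005101
ChecksumErrors: 0
UnknownAuthType: 0
AuthTypeErrors: 10
AuthFailures: 0
"""

# Counters from the parameter table that should stay at zero when all routers
# in a group agree on version and authentication settings.
WATCHED = ("ChecksumErrors", "VersionErrrors", "InvalidTypePktsRcvd",
           "UnknownAuthType", "AuthTypeErrors", "AuthFailures")


def parse_show_vrrp(text):
    """Split the output into one dict per virtual router."""
    groups, current = [], {}
    for raw in text.splitlines():
        line = raw.strip()
        if re.fullmatch(r"-{5,}", line):      # separator between groups
            if current:
                groups.append(current)
            current = {}
            continue
        key, sep, value = line.partition(":")
        if sep and value.strip():
            current[key.strip()] = value.strip()
    if current:
        groups.append(current)
    return groups


def audit(groups):
    """Return (where, finding, value) tuples worth an operator's attention."""
    findings = []
    for g in groups:
        # The interface sample spells the label "Eathernet"; accept both.
        ifname = g.get("Ethernet Interface") or g.get("Eathernet Interface", "?")
        where = f"interface {ifname} group {g.get('Group ID', '?')}"
        for name in WATCHED:
            value = g.get(name, "0")
            if value.isdigit() and int(value) > 0:
                findings.append((where, name, int(value)))
        if "Authentication Code" in g:
            # The password is printed in cleartext, so it ends up in any
            # captured session log or support bundle.
            findings.append((where, "Authentication Code shown in cleartext", None))
    return findings


def redact(text):
    """Mask the password before the capture is stored or shared."""
    return re.sub(r"(Authentication Code:[ \t]*)\S+", r"\1<redacted>", text)


if __name__ == "__main__":
    for finding in audit(parse_show_vrrp(SAMPLE)):
        print(finding)
```
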

show vrrp summary


This command displays VRRP summary information on this router.

Syntax
show vrrp summary

Mode
EXEC: XSR>

Sample Output
The following sample output displays VRRP summary data on the XSR:
-------------------VRRP SUMMARY----------------------------
Maximum number of VRs per router: 4
Maximum number of virtual addresses per VR: 11
Number of virtual IP address in use:
Fast Ethernet 1 Fast Ethernet 2 Fast Ethernet 3 VR1 1 1 1 VR3 1 VR2 1
------------------------------------------------------------


6
Configuring the Border Gateway Protocol
Observing Syntax and Conventions
The CLI command syntax and conventions use the notation described below.

Convention         Description
xyz                Key word or mandatory parameters (bold)
[x]                [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]        [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}        { | } Braces with vertical bar indicate a choice of a required value
[x {y | z} ]       [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)    xx signifies the interface type and number; e.g., F1, G3, S2/1.0, M57. F indicates a FastEthernet, and G a GigabitEthernet interface.

Next Mode entries display the CLI prompt after a command is entered.
Sub-command headings are displayed in red, italicized text.
soho.enterasys.com    Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

BGP Configuration Commands


The following command subsets define BGP functionality on the XSR, including:
- BGP Configuration Commands
- Route Map Commands
- BGP Set Commands
- BGP Clear and Show Commands
- BGP Debug Commands

router bgp
This command activates a BGP routing process, after which you can configure these additional parameters:
- BGP neighbors
- Networks
- Neighbor parameters
- Routing policies

Syntax
router bgp autonomous-system

autonomous-system    The XSR's Autonomous System (AS) number, ranging from 1 to 65,535. The AS number is included in routing updates traded by BGP routers.

Syntax of the no Form
The no form of this command sets the default parameter disabled:
no router bgp autonomous-system

Mode
Global configuration: XSR(config)#

Examples
The following example activates the BGP routing process on a router belonging to AS 100. Note that the XSR acquires Router configuration mode after executing the command:
XSR(config)#router bgp 100
XSR(config-router)#

The following example displays an error message when you try to activate another BGP process when one is already running. In this example the BGP process was already activated with AS 100 when an attempt was made to activate it again with AS 11.
XSR(config)#router bgp 11
% BGP Already running in AS 100

aggregate-address
This command creates an aggregate entry in a BGP routing table which is useful for reducing the number of advertised routes between BGP routers. An aggregate entry in the table is a single summarized route that represents multiple, more specific routes. At least one of the more specific routes being aggregated must exist in the table for this command to take effect.

Syntax
aggregate-address address mask [as-set][summary-only] [advertise-map map-name][attribute-map map-name]

address                   The aggregate IP address.
mask                      The aggregate IP mask.
as-set                    Prevents data loss, including contents of BGP attributes, from more specific routes in the aggregate route. Note that when the contents of those attributes vary within more specific routes, reducing them to the same value within corresponding attributes of the aggregate route can cause routing problems such as loops.
summary-only              Prevents more specific routes that comprise the aggregate route from being advertised.
advertise-map map-name    The route map used to select the routes that comprise AS-SET origin communities, ranging from 1 to 199.
attribute-map map-name    The route map used to set the attribute of the aggregate route, ranging from 1 to 199.

Syntax of the no Form
The no form of this command removes the aggregate entry from the table:
no aggregate-address address mask

Mode
Router configuration: XSR(config-router)#

Default
Disabled

Example
The following example aggregates routes ranging from 192.168.0.0 to 192.168.255.0, each with a mask of 255.255.255.0, into a single aggregate route of 192.168.0.0 with a mask of 255.255.0.0. The optional summary-only keyword can be used to direct that only the aggregate route be advertised to this router's neighbors. Omitting the as-set option can indicate that all of the routes originate in the same AS and follow the same routing policy, thus resulting in no loss of any BGP attribute data within the aggregate.
XSR(config)#router bgp 100
XSR(config-router)#aggregate-address 192.168.0.0 255.255.0.0 summary-only

auto-summary
This command restores the default behavior of BGP by summarizing redistributed IGP subnets on classful network boundaries. Automatic summarization of IGP subnets reduces the number of routes in the BGP routing table, improving router performance and reducing the amount of bandwidth used by routing traffic between BGP peers.

Syntax
auto-summary

Syntax of the no Form
The no form of this command removes BGP summarization:
no auto-summary

Mode
Router configuration: XSR(config-router)#

Default
Enabled

Example
The following example configures summarization in BGP process 100:
XSR(config)#router bgp 100
XSR(config-router)#auto-summary

bgp always-compare-med
This command instructs the XSR to compare the Multi-Exit Discriminator (MED) value for paths from neighbors in different ASs. MED is one of the parameters considered by the XSR when selecting the best path. The path with the lowest MED value is chosen when all higher ranking BGP route selection criteria are the same for all competing paths to the same destination.

Syntax
bgp always-compare-med

Syntax of the no Form
The no form of this command removes the MED value:
no bgp always-compare-med

Mode
Router configuration: XSR(config-router)#

Default
The default value for this command is to only compare the MED values for paths from neighbors in the same AS.

Example
The following example sets MED within BGP process 100:
XSR(config)#router bgp 100
XSR(config-router)#bgp always-compare-med


bgp bestpath med missing-as-worst


This command specifies that a route with a MED is always considered better than a route without a MED by causing the missing MED attribute to have a value of infinity.

Syntax
bgp bestpath med missing-as-worst

Syntax of the no Form
The no form of this command restores the default state, where the missing MED attribute is considered to have a value of zero:
no bgp bestpath med missing-as-worst

Mode
Router configuration: XSR(config-router)#

Default
A missing MED attribute is considered to have a value of zero.

Example
This example configures the bgp bestpath med missing-as-worst value within BGP process 100:
XSR(config)#router bgp 100
XSR(config-router)#bgp bestpath med missing-as-worst
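How bgp always-compare-med and bgp bestpath med missing-as-worst interact is easiest to see side by side. The following Python model is an added example, not XSR code: it applies only the MED rules stated in these two command descriptions and assumes every higher-ranking selection criterion is already tied. The path dictionaries and function names are constructed for illustration.

```python
import math


def effective_med(med, missing_as_worst):
    """Value used for comparison; med is None when the attribute is absent."""
    if med is None:
        # Default: a missing MED counts as zero, the best possible value.
        return math.inf if missing_as_worst else 0
    return med


def prefer_by_med(a, b, always_compare_med=False, missing_as_worst=False):
    """Return the path MED prefers, or None when MED does not decide.

    Assumes all higher-ranking route selection criteria are tied.
    """
    if a["neighbor_as"] != b["neighbor_as"] and not always_compare_med:
        return None                       # default: compare only within one AS
    med_a = effective_med(a["med"], missing_as_worst)
    med_b = effective_med(b["med"], missing_as_worst)
    if med_a == med_b:
        return None
    return a if med_a < med_b else b      # lowest MED wins


def decision_table(a, b):
    """Winner's name (or None) for each combination of the two commands.

    Keys are (always_compare_med, missing_as_worst).
    """
    table = {}
    for compare in (False, True):
        for worst in (False, True):
            winner = prefer_by_med(a, b, compare, worst)
            table[(compare, worst)] = winner["name"] if winner else None
    return table


# Constructed paths to the same destination.
WITH_MED = {"name": "via-101", "neighbor_as": 101, "med": 50}
NO_MED_OTHER_AS = {"name": "via-102", "neighbor_as": 102, "med": None}
NO_MED_SAME_AS = {"name": "via-101-b", "neighbor_as": 101, "med": None}

if __name__ == "__main__":
    for other in (NO_MED_OTHER_AS, NO_MED_SAME_AS):
        print(other["name"], decision_table(WITH_MED, other))
```

With the defaults, a path that carries no MED beats one that carries MED 50 from the same AS; enabling missing-as-worst reverses that outcome.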

bgp client-to-client reflection


This command instructs the XSR to reflect routes from a BGP route reflector to clients. When a full IBGP mesh already exists, route reflection is redundant and can be disabled by using the no bgp client-to-client reflection command.

Syntax
bgp client-to-client reflection

Syntax of the no Form
The no form of this command disables the default reflection behavior:
no bgp client-to-client reflection

Mode
Router configuration: XSR(config-router)#

Default
Route reflection is enabled.

Example
This example first disables the default reflection setting on this router then restores the default:
XSR(config)#router bgp 100
XSR(config-router)#no bgp client-to-client reflection
XSR(config-router)#bgp client-to-client reflection

bgp cluster-id
This command sets the cluster identifier for a BGP cluster that contains more than one route reflector. A cluster is comprised of one or more route reflectors and clients of those reflectors. Clusters containing one route reflector are identified by the router identifier of the route reflector.

Syntax
bgp cluster-id cluster-id

cluster-id    The cluster of the XSR acting as a route reflector. Valid values are cluster identifiers of up to 4 bytes. Range: 1 to 4294967295 or A.B.C.D (IP address format).

Syntax of the no Form
The no form of this command resets the cluster identifier to the default:
no bgp cluster-id

Mode
Router configuration: XSR(config-router)#

Default
The default value is the router identifier of the route reflector in the cluster.

Example
The following example configures the bgp cluster-id value within the BGP process 600. The BGP process corresponds to the AS in which the router resides. The cluster ID is configured as 88. This example configures the cluster ID with two route reflector clients (192.168.1.1, 192.168.1.2).
XSR(config)#router bgp 600
XSR(config-router)#bgp cluster-id 88
XSR(config-router)#neighbor 192.168.1.1 remote-as 600
XSR(config-router)#neighbor 192.168.1.1 route-reflector-client
XSR(config-router)#neighbor 192.168.1.2 remote-as 600
XSR(config-router)#neighbor 192.168.1.2 route-reflector-client

bgp confederation identifier


This command sets a BGP confederation identifier for a confederation of ASs. A confederation identifier is a valid AS number that represents a confederation comprised of two or more ASs. A confederation appears as a single AS to ASs outside of the confederation.

Syntax
bgp confederation identifier autonomous-system

autonomous-system    AS number, ranging from 1 to 65535.

Syntax of the no Form
The no form of this command removes the confederation identifier:
no bgp confederation identifier

Mode
Router configuration: XSR(config-router)#

Example
The following example configures BGP confederation identifier 44 within BGP process 100:
XSR(config)#router bgp 100
XSR(config-router)#bgp confederation identifier 44

bgp confederation peers


This command defines ASs belonging to a confederation which is comprised of two or more ASs. A confederation appears as a single AS to ASs outside the confederation.

Syntax
bgp confederation peers autonomous-system [autonomous-system]

autonomous-system    AS number, ranging from 1 to 65535.

Syntax of the no Form
The no form of this command deletes the confederation ASs:
no bgp confederation peers autonomous-system [autonomous-system][autonomous-system]...]

Mode
Router configuration: XSR(config-router)#

Example
The following example configures the BGP confederation peers value within BGP process 100. The ASs assigned to the confederation using this command are 600, 700, and 800. Confederation 44 is configured using the bgp confederation identifier command. The AS 100 to which this router belongs is also a member of confederation 44.
XSR(config)#router bgp 100
XSR(config-router)#bgp confederation identifier 44
XSR(config-router)#bgp confederation peers 600 700 800

bgp dampening
This command enables BGP route dampening to minimize propagation of flapping routes (repeatedly available/unavailable) across the network. Each time a route flaps, a penalty value of 1024 is assigned to that route.

Syntax
bgp dampening [half-life | reuse | suppress | suppress-max][route-map route-map-number]

half-life           Interval after which the route's penalty becomes half its value, ranging from 1 to 45 minutes.
reuse               How low a route's penalty must become before the route becomes eligible for use again after being suppressed, ranging from 1 to 20000.
suppress            How high a route's penalty must become before the route is suppressed, ranging from 1 to 20000.
suppress-max        Peak interval a route can be suppressed regardless of how unstable it is. Range: 1 to 255 minutes.
route-map-number    Route map number applied to dampened routes, ranging from 1 to 199.

Syntax of the no Form
The no form of this command disables BGP dampening:
no bgp dampening

Mode
Router configuration: XSR(config-router)#

Defaults
Half-life: 15 minutes
Reuse: 750
Suppress: 2000
Suppress-max: 60 minutes
Disabled.

Example
The following example enables route flap dampening:
XSR(config)#router bgp 100
XSR(config-router)#bgp dampening
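The dampening arithmetic described above can be worked through numerically. The following Python model is an added example, not part of this guide or of the XSR firmware: it uses the documented penalty of 1024 per flap and the default half-life, reuse, suppress and suppress-max values to show when a flapping route is suppressed and how long it stays suppressed. Applying suppress-max as a penalty ceiling (the RFC 2439 model) is an assumption about the implementation, and the names Dampening and replay are hypothetical.

```python
import math
from dataclasses import dataclass

FLAP_PENALTY = 1024   # penalty per flap, from the command description


@dataclass(frozen=True)
class Dampening:
    half_life: float = 15.0      # minutes (default)
    reuse: float = 750.0         # default
    suppress: float = 2000.0     # default
    suppress_max: float = 60.0   # minutes (default)

    @property
    def ceiling(self):
        # Assumption (RFC 2439 model): capping the penalty at this value means
        # it always decays back to `reuse` within `suppress_max` minutes.
        return self.reuse * 2 ** (self.suppress_max / self.half_life)

    def decay(self, penalty, minutes):
        """Penalty halves every half_life minutes."""
        return penalty * 0.5 ** (minutes / self.half_life)

    def minutes_until_reuse(self, penalty):
        """Time for the penalty to decay to the reuse value with no new flaps."""
        if penalty <= self.reuse:
            return 0.0
        return self.half_life * math.log2(penalty / self.reuse)


def replay(flap_times, params=Dampening()):
    """Return [(minute, penalty_after_flap, suppressed)] for each flap."""
    history, penalty, suppressed, last = [], 0.0, False, None
    for t in sorted(flap_times):
        if last is not None:
            penalty = params.decay(penalty, t - last)
        if suppressed and penalty < params.reuse:
            suppressed = False            # decayed far enough to be reused
        penalty = min(penalty + FLAP_PENALTY, params.ceiling)
        if penalty > params.suppress:
            suppressed = True
        history.append((t, penalty, suppressed))
        last = t
    return history


if __name__ == "__main__":
    p = Dampening()
    # Constructed input: three flaps two minutes apart.
    for minute, penalty, suppressed in replay([0, 2, 4], p):
        print(f"t={minute:>3} min  penalty={penalty:8.1f}  suppressed={suppressed}")
    last_penalty = replay([0, 2, 4], p)[-1][1]
    print(f"reusable after {p.minutes_until_reuse(last_penalty):.1f} quiet minutes")
```

With the defaults, two flaps inside a few minutes stay below the suppress value of 2000 and a third crosses it; the penalty ceiling works out to 12000, which decays to the reuse value in exactly 60 minutes.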


bgp default local-preference


This command changes the default local preference value. The path with the highest local preference value is preferred over competing paths to the same destination provided that all higher ranking route selection criteria of those paths are the same. The local preference value for the path is sent to all routers and access servers in the local AS.

Syntax
bgp default local-preference value

value    Local preference value, ranging from 0 to 4294967295.

Syntax of the no Form
The no form of this command reverts to the local preference default:
no bgp default local-preference

Mode
Router configuration: XSR(config-router)#

Default
100

Example
This example configures the BGP default local preference of 300 for BGP process 100. This setting indicates that all routes this router advertises to its internal BGP neighbors will have a local preference of 300.
XSR(config)#router bgp 100
XSR(config-router)#bgp default local-preference 300

distance bgp
This command sets the BGP route preference (administrative distance) for its external and internal routes submitted to the routing table.

Syntax
distance bgp external internal

external    The administrative distance for external BGP routes (those learned from neighbors external to the AS), ranging from 1 to 240.
internal    The administrative distance for internal BGP routes (those learned from neighbors within the same AS), ranging from 1 to 240.

Syntax of the no Form
The no form of the command removes the configured value:
no distance bgp

Defaults
External: 20
Internal: 200

Mode
Router configuration: XSR(config-router)#

Example
This example sets BGP external and internal administrative distances to 50 and 150, respectively:
XSR#config terminal
XSR(config)#router bgp 100
XSR(config-router)#distance bgp 50 150

neighbor advertisement-interval
This command sets the minimum interval that a router waits between sending BGP routing updates to its neighbor. Before entering this command, a neighbor or peer group must be identified by means of the neighbor remote-as or neighbor peer-group command. Configuring a minimum interval of zero means that there is no delay in sending BGP routing updates to its neighbor.

Syntax
neighbor {ip-address | peer-group-name} advertisement-interval seconds

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.
seconds            Minimum interval, ranging from 0 to 600 seconds.

Syntax of the no Form
The no form returns to the advertisement interval default:
no neighbor {ip-address | peer-group-name} advertisement-interval seconds

Mode
Router configuration: XSR(config-router)#

Default
External peers: 30 seconds
Internal peers: 5 seconds

Example
The following example sets the neighbor advertisement interval value within BGP process 100. Note that the neighbor remote-as command must be executed before this command can be entered. In the example, the router on which the configuration occurs resides in AS 100. Neighbor 192.168.1.1 resides in AS 101. The default update interval between these peers has been changed from 30 to 90 seconds.
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 advertisement-interval 90

neighbor default-originate
This command sends the route 0.0.0.0 to the BGP neighbor of the router that this command is entered on so that it can be used as the default route. Before entering this command, a neighbor or peer group must be identified by means of the neighbor remote-as or neighbor peer-group commands.

Syntax
neighbor {ip-address | peer-group-name} default-originate

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.

Syntax of the no Form
The no form of this command returns to the default value:
no neighbor {ip-address | peer-group-name} default-originate

Mode
Router configuration: XSR(config-router)#

Default
Disabled

Example
This example sets the local router to unconditionally inject route 0.0.0.0 to neighbor 192.168.1.1:
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 default-originate


neighbor distribute-list
This command distributes the information specified in an access list to a BGP neighbor. Before entering this command, a neighbor or peer group must be identified by means of the neighbor remote-as or neighbor peer-group command. Also, the prefix-based ACL must be configured.
Note: Perform a clear ip bgp neighbor <IP address> whenever this command is changed.

Syntax
neighbor {ip-address | peer-group-name} distribute-list access-list {in | out}

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.
access-list        ACL, ranging from 1 to 199.
in                 ACL applied to inbound routes.
out                ACL applied to outbound routes.

Syntax of the no Form
The no form of this command removes the ACL-linked neighbor:
no neighbor {ip-address | peer-group-name} distribute-list access-list {in | out}

Mode
Router configuration: XSR(config-router)#

Default
No access list applied

Example
This example applies access list 1 to incoming advertisements from neighbor 192.168.1.1. Only routes which match 10.0.0.0/8, 11.0.0.0/8 or 12.0.0.0/8 prefixes will be accepted from the neighbor.
XSR(config)#access-list 1 permit 10.0.0.0 255.0.0.0
XSR(config)#access-list 1 permit 11.0.0.0 255.0.0.0
XSR(config)#access-list 1 permit 12.0.0.0 255.0.0.0
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 distribute-list 1 in


neighbor ebgp-multihop
This command connects the BGP neighbors on networks that are not directly connected to the network of the router that this command is entered on. Before entering this command, a neighbor or peer group must be identified by means of the neighbor remote-as or neighbor peer-group command.

Syntax
neighbor {ip-address | peer-group-name} ebgp-multihop

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.

Syntax of the no Form
The no form of this command removes the specified neighbor:
no neighbor {ip-address | peer-group-name} ebgp-multihop

Mode
Router configuration: XSR(config-router)#

Default
Not enabled

Example
The following example allows connections to or from neighbor 192.168.1.1, which resides on a network that is not directly connected:
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 ebgp-multihop

neighbor filter-list
This command sets up a BGP filter based on AS path. Before entering this command, a neighbor or peer group must be identified by means of the neighbor remote-as or neighbor peer-group command. Also, the AS path-based access list must be configured.
Note: Perform a clear ip bgp neighbor <IP address> whenever this command is changed.

Syntax
neighbor {ip-address | peer-group-name} filter-list filter-list {in | out | weight value}

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.
filter-list        Identifies the AS path access list. Range is 1-199.
in                 Filter list is applied to inbound routes.
out                Filter list is applied to outbound routes.
weight             Assigns a weight to all routes matching the filter list.
value              Weight range from 0 to 65535.

Syntax of the no Form
The no form of this command removes the specified neighbor:
no neighbor {ip-address | peer-group-name} filter-list filter-list

Mode
Router configuration: XSR(config-router)#

Example
This example applies filter list 1 to incoming advertisements from neighbor 192.168.1.1. Only routes which start with AS path 200 and end with AS path 500 will be accepted from the neighbor.
XSR(config)#ip as-path access-list 1 permit ^200 .* 500$
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 filter-list 1 in

neighbor maximum-prefix
This command controls the number of prefixes received from a particular neighbor. When the maximum number of prefixes is exceeded, a CEASE message is sent and the connection is cleared. To reactivate the session, enter clear ip bgp <IP address>. If the number of prefixes is set to zero, no prefixes will be accepted from the neighbor.

Syntax
neighbor {ip-address | peer-group-name} maximum-prefix value [threshold][warning-only]

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.
value              Maximum number of prefixes that can be received from a neighbor, ranging from 1 to 4,294,967,295.
threshold          The threshold value (percentage of maximum) at which a warning is generated, ranging from 1 to 100 prefixes.
warning-only       When the maximum number of prefixes is reached the XSR generates a warning message instead of terminating the peering session.

Syntax of the no Form
The no form of this command removes the specified neighbor:
no neighbor {ip-address | peer-group-name} maximum-prefix value [threshold] [warning-only]

Mode
Router configuration: XSR(config-router)#

Defaults
No restriction on the number of prefixes.
Threshold: 75 prefixes

Example
The following example sets the maximum number of prefixes allowed from the neighbor at 192.168.1.1 to 10000:
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 maximum-prefix 10000

neighbor next-hop-self
This command disables automatic next-hop selection. Updates meant for the specified system or peer group are forced to advertise this router as the next hop.

Syntax
neighbor {ip-address | peer-group-name} next-hop-self

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.

Syntax of the no Form
The no form of this command returns to the default value:
no neighbor {ip-address | peer-group-name} next-hop-self

Mode
Router configuration: XSR(config-router)#

Default
Next-hop selection is performed automatically by BGP.

Example
The following example sets the router at 192.168.1.1 as the next hop:
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 next-hop-self

neighbor password
This command sets a password for Message Digest 5 (MD5) authentication on the TCP connection between the XSR that this command is entered on and a BGP neighbor. The same password must be configured on both routers. When a password is configured for a neighbor, the existing session is replaced by a new session.

Syntax
neighbor {ip-address | peer-group-name} password password-value

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.
password-value     Alphanumeric password. Range is 1-30 characters.

Syntax of the no Form
This command's no form removes the password for the specified router:
no neighbor {ip-address | peer-group-name} password password-value

Mode
Router configuration: XSR(config-router)#

Default
No authentication

Example
The following example adds a password for the specified router:
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 password 123456


neighbor peer-group
This command creates a BGP peer group and assigns a BGP neighbor to a peer group.

Syntax
neighbor {ip-address | peer-group-name} peer-group [peer-group-name]

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.

Syntax of the no Form
The no form of this command removes the specified neighbor peer group:
no neighbor {ip-address | peer-group-name} peer-group [peer-group-name]

Mode
Router configuration: XSR(config-router)#

Example
The following example creates peer group ExternalGroup and assigns neighbor 192.168.1.1 to peer group ExternalGroup:
XSR(config)#router bgp 100
XSR(config-router)#neighbor ExternalGroup peer-group
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 peer-group ExternalGroup

neighbor remote-as
This command adds an entry to the BGP neighbor table. BGP requires manual neighbor configuration. The configuration of neighbors on both of the neighboring BGP routers allows a BGP session to be set up between the routers and allows the exchange of BGP update messages. For external BGP neighbors, the IP address specified is that of the neighbor interface to the shared subnet between routers (unless ebgp-multihop is enabled). For internal BGP neighbors, the neighbor IP address is any reachable IP address from the router.

Syntax
neighbor {ip-address | peer-group-name} remote-as autonomous-system

ip-address           Neighbor's IP address.
peer-group-name      BGP peer group by name. Range: 1 to 64 characters.
autonomous-system    AS by number, ranging from 1 to 65535.

Syntax of the no Form
The no form of this command removes the specified entry from the table:
no neighbor {ip-address | peer-group-name} remote-as autonomous-system

Mode
Router configuration: XSR(config-router)#

Example
The following example configures two neighbors. Neighbor 192.168.1.1 is an external neighbor since the AS number of 101 differs from the AS number for the router, 100. Neighbor 192.168.2.1 is an internal neighbor since it resides in the same AS 100.
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.2.1 remote-as 100

neighbor route-map
This command applies a route map to routes that enter from or exit out of a BGP neighbor or peer group. The route map must be configured first.
Note: Perform a clear ip bgp neighbor <IP address> whenever this command is changed.

Syntax
neighbor {ip-address | peer-group-name} route-map route-map# {in | out}

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.
route-map#         Identifies the route map number. Range: 1-199.
in                 Route map is applied to inbound routes.
out                Route map is applied to outbound routes.

Syntax of the no Form
The no form of this command deletes the specified neighbor's route map:
no neighbor {ip-address | peer-group-name} route-map route-map# {in | out}

Mode
Router configuration: XSR(config-router)#

Example
The following example adds a neighbor route map:
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 route-map 1 in


neighbor route-reflector-client
This command establishes the router that this command was entered on as a BGP route reflector. This command also identifies the specified neighbor router as the client of the BGP route reflector. Neighbors configured with this command are members of the client group and the remaining internal BGP peers are members of the non-client group for the route reflector.

Syntax
neighbor {ip-address | peer-group-name} route-reflector-client

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.

Syntax of the no Form
The no form of this command removes a neighbor's route reflector:
no neighbor {ip-address | peer-group-name} route-reflector-client

Mode
Router configuration: XSR(config-router)#

Example
The following example sets a neighbor's route reflector:
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 route-reflector-client

neighbor send-community
This command instructs the system to send a community attribute to a BGP neighbor.

Syntax
neighbor {ip-address | peer-group-name} send-community

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.

Syntax of the no Form
The no form of this command removes a neighbor's community:
no neighbor {ip-address | peer-group-name} send-community

Mode
Router configuration: XSR(config-router)#

Example
The following example sets a neighbor's community:
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 send-community

neighbor shutdown
This command disables a neighbor or peer group.

Syntax
neighbor {ip-address | peer-group-name} shutdown

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.

Syntax of the no Form
The no form of this command returns to the command default:
no neighbor {ip-address | peer-group-name} shutdown

Mode
Router configuration: XSR(config-router)#

Default
No change is made to status of BGP neighbor or peer group.

Example
This example disables any active session for neighbor 192.168.1.1:
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 shutdown

neighbor soft-reconfiguration inbound


This command instructs the system to store updates as they are received. Updates are required to be stored in order to perform inbound soft reconfiguration.

Syntax
neighbor {ip-address | peer-group-name} soft-reconfiguration inbound

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.

Syntax of the no Form
The no form of this command returns to the command default:
no neighbor {ip-address | peer-group-name} soft-reconfiguration inbound

Mode
Router configuration: XSR(config-router)#

Default
No soft reconfiguration is done.

Example
The following example configures soft reconfiguration on the router:
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 soft-reconfiguration inbound

neighbor timers
This command changes the values of BGP timers for a peer or peer group. When a session is started, BGP negotiates the hold time with the neighbor, selecting the smaller value. The keep-alive timer is then set based on the negotiated hold time and the configured keep-alive interval. By default, the keep-alive timer is set to 30 seconds and the hold-time timer set to 90 seconds. This 1 to 3 ratio is strictly maintained between the timers.
Note: Perform a clear ip bgp neighbor <IP address> whenever this command is changed. The timers configured for a specific neighbor or peer group override the timers configured for all BGP neighbors using the timers bgp command.

Syntax
neighbor {ip-address | peer-group-name} timers keep-alive

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group's name, ranging from 1 to 64 characters.
keep-alive         Keep-alive interval, ranging from 0 to 4,294,967,296 seconds. A keep-alive of zero indicates no keep-alives are sent between neighbors so the peer session will not time out.

Syntax of the no Form
The no form of this command returns to the command default:
no neighbor {ip-address | peer-group-name} timers keep-alive

Default
Keep-alive: 30 seconds

Mode
Router configuration: XSR(config-router)#

Example
This example sets the peer keep-alive to 10 seconds and, subsequently, the hold time to 30 seconds:
XSR(config)#router bgp 100
XSR(config-router)#neighbor 1.1.1.1 timers 10

neighbor update-source
This command specifies the source IP address used when communicating with a BGP neighbor. A loopback interface is typically used with this command.

Syntax
neighbor {ip-address | peer-group-name} update-source interface

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.
interface          Identifies the interface to be used as the source.

Syntax of the no Form
The no form of this command removes a neighbor's update source:
no neighbor {ip-address | peer-group-name} update-source interface

Mode
Router configuration: XSR(config-router)#

Default
Best outbound interface.

Example
The following example sources BGP TCP connections for the specified neighbor with the IP address of the loopback interface rather than the best local address:
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 update-source loopback 0

neighbor weight
This command specifies a weight value for a connection to a neighbor or a BGP peer group.
Note: Perform a clear ip bgp neighbor <IP address> whenever this command is changed.

Syntax
neighbor {ip-address | peer-group-name} weight value

ip-address         Neighbor's IP address.
peer-group-name    BGP peer group by name. Range: 1 to 64 characters.
value              Assigns a weight for all routes learned from this neighbor, ranging from 0 to 65535.

Syntax of the no Form
The no form of this command removes a neighbor's weight:
no neighbor {ip-address | peer-group-name} weight value

Mode
Router configuration: XSR(config-router)#

Example
The following example sets the specified neighbor's weight to 100:
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 weight 100

ip as-path access-list
This command creates an as-path filter list which can be applied to filter inbound and outbound BGP updates. The as-path variable in the BGP routing update message is examined against a required parameter of this command, which represents AS numbers identified by means of a regular expression. Multiple regular expressions can be configured under a particular as-path filter list.
Note: Perform a clear ip bgp whenever this command is changed.

Syntax
ip as-path access-list access-list-number {permit | deny} as-regular-expression

access-list-number       Identifies the access list by number. Range is 1 to 199.
permit                   Instructs XSR to permit access to paths matching specified conditions.
deny                     Instructs XSR to deny access to paths matching specified conditions.
as-regular-expression    Identifies an AS in the access list by means of the regular expression.

Syntax of the no Form
The no form of this command removes the configured filter list:
no ip as-path access-list access-list-number

Mode
Global configuration: XSR(config)#

Example
The following example configures the IP as-path access list value in the context of configuring a route map and performing a match using the match as-path command.
The as-path access list is 33, ends with a regular expression .* 640 .* and is referenced in the match as-path command, which in turn is configured inside of the route map 33. This means that a match occurs if the as-path variable in a BGP update message contains AS 640.
XSR(config)#ip as-path access-list 33 permit .* 640 .*
XSR(config)#route-map 33 permit 1
XSR(config-route-map)#match as-path 33
XSR(config-route-map)#set local-preference 300

ip community-list
This command defines a community list that filters on the BGP COMMUNITY attribute. The community list you define typically is referenced by the match community command, which includes a route map that implements routing policies based on community attributes. Multiple community attributes can be configured for a particular community list.
Note: Perform a clear ip bgp neighbor whenever this command is changed.

Syntax
ip community-list community-list-number {permit | deny} community-number

community-list-number    Community list number (standard), ranging from 1 to 199.
permit                   XSR permits access to community lists matching conditions you specify.
deny                     XSR denies access to community lists matching conditions you specify.
community-number         Community number as it was defined for this router via the set community command. Valid values are:
                         Range: 1 to 4,294,967,200.
                         aa:nn: AS number, Community number.
                         internet: the Internet community.
                         no-export: the community route will not be advertised to an EBGP peer.
                         no-advertise: the route will not be advertised to any peer.

Syntax of the no Form
The no form of this command removes the community list number:
no community-list community-list-number

Mode
Global configuration: XSR(config)#

Example
This example configures IP community list 88. The community numbers specified in the list are 2000, 3000, and 4000 in the first, second, and third instance of the command, respectively. This list can be referenced within the match community command that is part of a route map controlling BGP routing based on the community attribute. The match will seek updates that include community numbers 2000, 3000, or 4000.
XSR(config)#ip community-list 88 permit 2000
XSR(config)#ip community-list 88 permit 3000
XSR(config)#ip community-list 88 permit 4000

network
This command specifies the list of networks for the BGP routing process. Networks can be learned from connected routes or via dynamic routing. The BGP process must be notified about the networks it will route, which can occur via manual injection of routes into the BGP process with the network command. Routes originated by BGP via the network command have their origin code set to IGP.
Network numbers that are injected into BGP by means of the network command must already exist in the IP routing table on the router as static, directly connected, or dynamically derived routes. If network numbers do not already exist, they will not be placed into the BGP table, even though they will appear in the router's configuration.

Syntax
network network-number [mask network-mask]

network-number    Network that BGP advertises.
mask              Used when a network mask is explicitly specified for the network number. Without the network mask being specified, a default classful mask is assumed.
network-mask      The mask associated with the network number for which the BGP process routes. It is specified when the network number represents a subnet as opposed to a classful network.

Syntax of the no Form
The no form removes the network from the routing table:
no network network-number [mask network-mask]

Mode
Router configuration: XSR(config-router)#

Example
The following example configures a network with and without the optional mask keyword. In the optional mask statement, the network number represents a subnet of class B network 172.17.0.0. A default Class C network mask is assumed for the network 192.168.1.0 in the configuration statement without the optional parameters.
XSR(config)#router bgp 100
XSR(config-router)#network 172.17.151.0 mask 255.255.255.0
XSR(config-router)#network 192.168.1.0

redistribute
This command redistributes routes from a protocol into the BGP. Redistributed routes can be learned from dynamic routing (OSPF, RIP), static routes, and connected routes.
Redistributed routes can have their path attributes set in BGP by the route-map command. By default, redistributed static routes have their origin code set to incomplete unless otherwise configured by route-map.

Syntax
redistribute {ospf | rip | static | connected} [metric metric-value | route-map route-map-name]

ospf              OSPF routes.
rip               RIP routes.
static            Static routes.
connected         Connected routes.
metric-value      Metric for redistributed routes. Range: 0 to 4294967295.
route-map-name    Route map applied to redistributed routes, ranging from 1 to 199.

Syntax of the no Form
The no form of this command returns to the command default:
no redistribute {ospf | rip | static | connected}

Mode
Router configuration: XSR(config-router)#

Default
Redistribution is not enabled.

Example
The following example redistributes static routes into BGP:
XSR(config)#router bgp 100
XSR(config-router)#redistribute static

synchronization
This command synchronizes BGP with the IGP in the AS. You should synchronize BGP with IGP if there are routers in the AS that are not BGP routers.

Syntax
synchronization

Syntax of the no Form
The no form of this command disables synchronization:
no synchronization

Mode
Router configuration: XSR(config-router)#

Default
Enabled

Example
The following example disables synchronization:
XSR(config)#router bgp 100
XSR(config-router)#no synchronization

timers bgp
This command resets BGP timers. When a session is started on a router, BGP negotiates hold time with the neighbor and selects the smaller value. The keep-alive timer is then set based on the negotiated hold time and the configured keep-alive period. By default, the keep-alive timer is set at 60 seconds and the hold time timer is set at 180 seconds. It is recommended you maintain this 1 to 3 ratio between the timers.

Syntax
timers bgp keep-alive

keep-alive    Keep-alive interval. A keep-alive of zero indicates no keep-alives are sent between neighbors so the peer session will not time out. Range: 0 to 4294967296 seconds.

Syntax of the no Form
The no form of this command deletes the timers value:
no timers bgp

Mode
Router configuration: XSR(config-router)#

Defaults
Keep-alive timer: 30 seconds
Hold time timer: 90 seconds

Example
The following example sets the hold timer interval to 30 seconds:
XSR(config)#router bgp 100
XSR(config-router)#timers bgp 30

Route Map Commands


Route maps are comprised of sets of match and set commands. Match commands define the match criteria for route maps. Routes that match all defined match criteria are processed via set commands and those that do not match all of the defined match criteria in the route map are ignored.

match as-path
This command matches the values of the as_path variable in BGP routing update messages to the values of AS numbers identified through the AS path access list.
A route must match at least one match statement of a route-map command. If a route does not match any match statements, the route is not advertised on outbound route maps and is not accepted on inbound route maps.

Syntax
match as-path path-list-number

path-list-number    AS path access list to match, ranging from 1 to 199.

Syntax of the no Form
The no form of this command removes the path list number:
no match as-path path-list-number

Mode
Route map configuration: XSR(config-route-map)#

Example
This example sets the match as-path in the context of configuring a route map and as-path ACL 33.
XSR(config)#route-map 1 permit 1
XSR(config-route-map)#match as-path 33
XSR(config-route-map)#set local-preference 300
XSR(config-route-map)#exit
XSR(config)#ip as-path access-list 33 permit .* 550 .*

Route map 1 is configured with the optional permit keyword and sequence number 1. If these values are omitted, a route map will default to the permit keyword and sequence number 10.
After route map 1 is defined via the route-map command, you enter the match as-path command which references as-path access list 33, the last configuration statement in the example. AS path access list 33 ends with a regular expression .* 550 .*, indicating a match will occur if the as_path variable in a BGP update message contains AS number 550.
If a match occurs, then the set local-preference command sets the local preference attribute for the matching BGP updates to 300, overriding the default value of 100. A route flagged with a higher local preference value is more preferable to a route with a lower local preference. Consequently, the routes passing through AS 550 become more preferable to other routes for the same destinations.

match community-list
This command matches the community attribute in a BGP routing update message with the values of the community attribute identified through the community access list.
A route must match at least one match statement of a route-map command. If a route does not match any match statements, the route is not advertised on outbound route maps and is not accepted on inbound route maps.

Syntax
match community-list community-list-number

community-list-number    Community ACL to match by number, ranging from 1 to 199.

Syntax of the no Form
The no form of this command removes the community list number:
no match community-list community-list-number

Mode
Route map configuration: XSRA(config-route-map)#

Default
No match based on community list

Example
The following example configures the match community value in the context of configuring a route map named 1 and community list 77 on XSRA and XSRB:

Router A configuration:
XSRA(config)#route-map 1 permit 1
XSRA(config-route-map)#match community 77
XSRA(config-route-map)#set local-preference 500
XSRA(config-route-map)#exit
XSRA(config)#ip community-list 77 permit 300:22

Router B configuration:
XSRB(config)#route-map 1 permit 1
XSRB(config-route-map)#match community 77
XSRB(config-route-map)#set local-preference 200
XSRB(config-route-map)#exit
XSRB(config)#ip community-list 77 permit 300:22

XSRA and XSRB are border routers within the same AS. The community is identified by name 300:22. The numeric format aa:nn, where aa and nn represent two-byte numbers, is one of the allowable formats for community names. BGP updates matching community name 300:22 are assigned a higher local preference on XSRA (500) than on XSRB (200). This makes XSRA the preferable exit point from this AS for the networks that have been grouped under the community name 300:22. Use the set community command to assign community names.

match metric
This command matches the MED attribute in a BGP routing update message. A route must match at least one match statement of a route-map command. If a route does not match any match statements, the route is not advertised on outbound route maps and is not accepted on inbound route maps.

Syntax
match metric metric-value

metric-value    MED value to match, ranging from 0 to 2147483647.

Syntax of the no Form
The no form of this command removes the match metric value:
no match metric metric-value

Mode
Route map configuration: XSR(config-route-map)#

Example
The following example sets the match metric to 300:
XSR(config)#route-map 1 permit 1
XSR(config-route-map)#match metric 300

match ip address
This command matches IP addresses in a BGP routing update message. A route must match at least one match statement of a route-map command. If this is not done, the route is not advertised on outbound route maps and is not accepted on inbound route maps.

Syntax
match ip address access-list-number

access-list-number    The ACL to match, ranging from 1 to 199.

Syntax of the no Form
The no form of this command removes the match IP address value:
no match ip address access-list-number

Mode
Route map configuration: XSR(config-route-map)#

Default
No matching based on IP prefix.

Example
The following example sets the matching IP address to 10:
XSR(config)#access-list 10 permit 10.0.0.0 255.0.0.0
XSR(config)#route-map 1 permit 1
XSR(config-route-map)#match ip address 10

match ip next-hop
This command matches the value of the next hop attribute in a BGP routing update message against an ACL specified by the command. A route must match at least one match statement of a route-map command. If a route does not match any match statements, it is not advertised on outbound route maps and is not accepted on inbound route maps.

Syntax
match ip next-hop access-list-number

access-list-number    The ACL to match, ranging from 1 to 199.

Syntax of the no Form
The no form of this command removes the match next hop value:
no match ip next-hop access-list-number

Mode
Route map configuration: XSR(config-route-map)#

Default
No matching based on IP next hop.

Example
The following example sets the matching IP next hop to 10:
XSR(config)#access-list 10 permit 1.2.3.4
XSR(config)#route-map 1 permit 1
XSR(config-route-map)#match ip next-hop 10

BGP Set Commands


Route maps are comprised of sets of match and set commands. Match commands define the match criteria for route maps. Routes that match all defined match criteria are processed via set commands and those that do not match all of the defined match criteria in the route map are ignored.

set as-path
This command increases the length of the AS path attribute for the BGP routing update messages that meet the match conditions specified within a route map.
The length of the AS path attribute influences the BGP route selection process for destinations that can be reached by means of multiple paths. AS path length is the only global BGP metric that you can use to influence best path selection. A BGP speaker can influence the best path selection by a peer by varying the length of the AS path.
If you do not set local preference or weight, AS path length determines which of multiple routes are selected. Routes with longer autonomous system paths are preferred. To prefer a path, you can pad the autonomous system path by prepending extra autonomous system numbers.

Syntax
set as-path prepend as-path-string

prepend           Instructs the system to attach the as-path-string value to the AS path of the route that matches the route map.
as-path-string    The AS path list which will be prepended to the AS path attribute of the route that matches the route map. The as-path list represents one or more valid AS numbers that are specified as an integer between 1 and 65535.

Syntax of the no Form
The no form of this command removes the AS path value:
no set as-path

Mode
Route map configuration: XSR(config-route-map)#

Example
The following example configures the as-path value in the context of configuring a route map and the match command. The match as-path command references AS path access list 37 which identifies the BGP routing updates to which the set as-path command will apply.
In this case, match clause .* will match all routes. Relevant updates will have one instance of the AS number 100 prepended into their AS path variable. Assuming that all of the BGP route selection criteria remain the same, the routes with the fewest AS numbers in the AS path variable will be chosen as the best routes to the identified destinations. If more than one AS path is to be prepended, then the string should be surrounded by quotes.
XSR(config)#ip as-path access-list 37 permit ".*"
XSR(config)#route-map 1 permit 1
XSR(config-route-map)#match as-path 37
XSR(config-route-map)#set as-path prepend 100
XSR(config-route-map)#set as-path prepend "100 100"

set community
This command specifies the community attribute in a BGP routing update message. Be sure that a match clause has been specified.
A community is a group of destinations which share the community attribute. A BGP speaker can use the community attribute to control which routing data it accepts or distributes to neighbors. A BGP speaker can append the community attribute to routes it receives that do not already have the attribute.

Syntax
set community {community-number | aa:nn | additive | internet | local-AS | no-advertise | no-export | none}

community-number    The community number. Range: 1 to 4,294,967,295.
aa:nn               Community number in the format aa:nn where aa identifies the AS and nn the community within the AS. Range: 1 to 65,535.
additive            Adds the community to existing communities.
internet            Established Internet community.
local-AS            Established community which specifies that routes containing this value should not be advertised to external BGP peers.
no-advertise        Established community which specifies that routes containing this value should not be advertised to any other BGP peers (internal or external).
no-export           Established community which specifies that routes containing this value should not be advertised outside a BGP confederation boundary.
none                Removes any existing communities.

Syntax of the no Form
The no form of this command removes the set community value:
no set community

Mode
Route map configuration: XSR(config-route-map)#

Example
The following example configures the set community value in the context of configuring route map 1 and the neighbor send-community value:
XSR(config)#ip access-list 37 permit 10.0.0.0 255.0.0.0
XSR(config)#route-map 1 permit 1
XSR(config-route-map)#match ip address 37
XSR(config-route-map)#set community 500:10
XSR(config-route-map)#exit
XSR(config)#route-map 1 permit 2
XSR(config-route-map)#set community none
XSR(config-route-map)#exit
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 send-community
XSR(config-router)#neighbor 192.168.1.1 route-map 1 out

Route map 1 is applied to the outgoing BGP updates between this router and its peering neighbor identified by IP address 192.168.1.1 in AS 101. The first instance of route map 1 matches the destinations in the BGP updates against the criteria specified in ACL 37 (10.0.0.0/8). If there is not a match, the second instance of route map 1 is invoked, which matches on all remaining routes and removes any community attributes. This means that routes matching ACL 37 criteria will have a community attribute set to 500:10, but all of the other routes advertised to 192.168.1.1 will not.
The BGP peer 192.168.1.1 will then have the option to apply a desired routing policy to all routes arriving from this router with the community attribute set to 500:10.

set dampening
This command configures route flap dampening, a mechanism to combat network overhead which arises from the proliferation of uncontrolled disconnecting/reconnecting networks.
With route dampening, you can address these problem routes as follows:

- The XSR penalizes a route marked as unstable with a value of 1024 each time it fails. If penalties accrue beyond the suppress threshold you set, the route is no longer advertised.
- The XSR permits suppressed routes to rejoin the BGP routing table when their penalties drop below the threshold.
- After a route assumes a penalty, the XSR cuts the penalty in half each time a half-life interval you configure elapses.
- When penalties drop below the configurable reuse value, the XSR frees the route, reinserting it into the BGP routing table.
- The XSR does not suppress routes indefinitely. You can set the max-suppress value and fix the maximum period a route can be suppressed before it is advertised again.

Syntax
set dampening half-life | reuse | suppress | suppress-max

half-life       Interval after which the route's penalty becomes half its value, ranging from 1 to 45 minutes.
reuse           Specifies how low a route's penalty must become before the route becomes eligible for use again after being suppressed, ranging from 1 to 20,000 seconds.
suppress        Specifies how high a route's penalty must become before the route is suppressed, ranging from 1 to 20,000.
suppress-max    Specifies the maximum interval in minutes that a route can be suppressed regardless of how unstable it is, ranging from 1 to 20,000 minutes.

Syntax of the no Form
The no form of this command removes route dampening:
no set dampening

Mode
Route map configuration: XSR(config-route-map)#

Defaults
Half-life: 15 minutes
Reuse: 750 seconds
Suppress: 2000
Suppress-max: 60 minutes, four times the half-life value.

Example
This example displays the use of set dampening for IP prefix 10.0.0.0 for BGP process 100:
XSR(config)#ip access-list 10 permit 10.0.0.0 255.0.0.0
XSR(config)#route-map 1 permit 1
XSR(config-route-map)#match ip address 10
XSR(config-route-map)#set dampening 30 1500 10000 120
XSR(config)#router bgp 100
XSR(config-router)#bgp dampening route-map 1
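
The penalty arithmetic described for set dampening, worked through as an added Python example (not code from the XSR or from Enterasys). It assumes continuous exponential decay between flaps, treats the reuse value as a penalty threshold, and enforces suppress-max with a penalty ceiling; the function name and the flap schedules are constructed for illustration.

```python
import math

FLAP_PENALTY = 1024  # penalty added per failure, as stated on the page


def simulate(flaps, half_life=15.0, reuse=750.0, suppress=2000.0, max_suppress=60.0):
    """Return [(minute, event)] transitions for a route flapping at `flaps` (minutes).

    Defaults are the page's defaults. Assumptions: continuous exponential decay,
    and a penalty ceiling chosen so that decay from the ceiling down to `reuse`
    takes exactly `max_suppress` minutes.
    """
    if not 0 < reuse < suppress:
        raise ValueError("expected 0 < reuse < suppress")
    ceiling = reuse * 2 ** (max_suppress / half_life)
    penalty, last, suppressed, events = 0.0, 0.0, False, []

    def reuse_at():
        # Minute at which the decaying penalty reaches the reuse threshold.
        return last + half_life * math.log2(penalty / reuse)

    for t in sorted(flaps):
        # A suppressed route may have decayed back to reuse before this flap.
        if suppressed and reuse_at() <= t:
            events.append((round(reuse_at(), 2), "reuse"))
            suppressed = False
        decayed = penalty * 0.5 ** ((t - last) / half_life)
        penalty = min(decayed + FLAP_PENALTY, ceiling)
        last = t
        if not suppressed and penalty > suppress:
            events.append((t, "suppress"))
            suppressed = True
    if suppressed:
        # No more flaps: the route returns once the penalty decays to reuse.
        events.append((round(reuse_at(), 2), "reuse"))
    return events


if __name__ == "__main__":
    # Constructed flap schedules (minutes), not measurements from a router.
    print(simulate([0, 5, 10]))                         # page defaults
    print(simulate([0, 5, 10], 30, 1500, 10000, 120))   # values from the page's example
    print(simulate(range(30)))                          # one flap per minute
```

With the defaults, three flaps in ten minutes are enough to suppress the route; with the values from the page's example the same three flaps never reach the suppress threshold.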

set ip next-hop
This command specifies where to output packets that pass a match clause of a route map for policy routing. It modifies the value of the next hop attribute in a BGP routing update message.
The next hop attribute identifies the next hop to reach a route. Next hop for an EBGP session is the IP address of the BGP neighbor that announced the route. Next hop for IBGP sessions is either the BGP neighbor that announced the route (for routes that originate inside the AS) or the BGP neighbor from which the route was learned (for routes injected into the AS via EBGP).

Syntax
set ip next-hop value

value    The next hop IP address.

Syntax of the no Form
The no form of this command removes the next hop value:
no set ip next-hop value

Mode
Route map configuration: XSR(config-route-map)#

Example
The following example sets the IP next hop attribute in the BGP update which matches 10.0.0.0 255.0.0.0 to 1.2.3.4:
XSR(config)#access-list 10 permit 10.0.0.0 255.0.0.0
XSR(config)#route-map 1 permit 1
XSR(config-route-map)#match ip address 10
XSR(config-route-map)#set ip next-hop 1.2.3.4

set local-preference
This command modifies the value of the local preference attribute in a BGP routing update message. This parameter impacts the BGP route selection process for traffic leaving an AS. Be sure that a match clause has been specified.
Local preference indicates priority given to a particular route when more than one route exists to the same destination. A higher local preference indicates a more preferred route. Local preference is local to this autonomous system and is exchanged only with IBGP peers.

Syntax
set local-preference value

value    Preference value, ranging from 0 to 2147483647.

Syntax of the no Form
The no form of this command removes the local preference value:
no set local-preference value

Mode
Route map configuration: XSR(config-route-map)#

Default
Preference value: 100.

Example
The following example configures the set local-preference value in the context of configuring a route map and match:
XSR(config)#route-map 1 permit 1
XSR(config-route-map)#match as-path 37
XSR(config-route-map)#set local-preference 400

Route map 1 uses the match as-path command that is referencing an as-path access list 37. This list identifies the BGP routing updates to which the set local-preference command will apply. The relevant updates will have the value of their local preference set to 400, which is higher than the default of 100. Assuming that all of the BGP route selection criteria remain the same, the routes with the highest local preference will be chosen as the best routes to the identified destinations. This, however, applies only in multi-homed ASs as the local preference attribute impacts only which way the traffic leaves an AS if there are multiple exit points from it.

set metric
This command modifies the metric associated with routes that match a particular route map. This command can also be used to manipulate the value of the MED for matching BGP routes. Be sure that a match clause has been specified.
Metrics are values that the router uses to indicate preferred paths to networks. Updates with non-zero metrics are used for route selection inside the AS. BGP automatically compares metrics for routes to internal neighbors. You can use metric to select the best path when there are multiple alternatives. Routes with lower metric values are more preferred.

Syntax
set metric metric-value

metric-value    The value of the metric, ranging from 0 to 2,147,483,647.

Syntax of the no Form
The no form of this command removes the metric value:
no set metric metric-value

Mode
Route map configuration: XSR(config-route-map)#

Default
The dynamically learned metric value.

Example
The following example displays how the set metric command is used to update the value of the MED value for BGP routes that are advertised to an external neighbor:
XSR(config)#access-list 66 permit 10.0.0.0 255.0.0.0
XSR(config)#route-map 1 permit 1
XSR(config-route-map)#match ip address 66
XSR(config-route-map)#set metric 20
XSR(config-route-map)#exit
XSR(config)#route-map 1 permit 2
XSR(config-route-map)#set metric 30
XSR(config-route-map)#exit
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.1.1 route-map 1 out

The set metric command is used to change the value of the MED, which impacts the flow of inbound traffic into a multi-homed AS. All of the outbound updates leaving this router and matching ACL 66 will have MED value of 20 assigned to them. All of the remaining updates will have the MED value of 30. A lower value of MED is preferred in the BGP route selection process.

set origin
This command assigns a value to the origin attribute in the BGP routing update message which impacts BGP route selection. Ensure that a match clause has been specified.
This attribute indicates where a routing update is derived. BGP prefers routes with the lowest origin type: IGP is preferred over EGP and EGP is preferred over incomplete.

Syntax
set origin {igp | egp | incomplete}

igp           Sets BGP origin code to Interior Gateway Protocol (IGP).
egp           Sets BGP origin code to Exterior Gateway Protocol (EGP).
incomplete    Sets BGP origin code to unknown.

Syntax of the no Form
The no form of this command removes BGP origin coding:
no set origin {igp | egp | incomplete}

Mode
Route map configuration: Router(config-route-map)#

Default
The default value for this command is the default value for the origin code. The default value for the origin code is incomplete for routes that are advertised into BGP by means of the redistribute command.

Example
The following example configures the set origin value for redistributed static routes:
XSR(config)#route-map 1 permit 1
XSR(config-route-map)#set origin igp
XSR(config-route-map)#exit
XSR(config)#router bgp 100
XSR(config-router)#redistribute static route-map 1

set weight
This command specifies the weight value for matching BGP routing table entries. Be sure that a match clause has been specified.
Weight is used for best path selection and is assigned locally to the router. It is not propagated or carried through any route updates. Routes with a higher weight are preferred when multiple routes exist to the same destination.

Syntax
set weight weight

weight    Weight is local to the XSR on which it is configured, and it is not propagated in BGP routing update messages. But, it is the first value considered in the BGP route selection process. Routes with the higher weight are preferred over alternate routes to the same destinations but with a lower weight. Range: 0 to 65535.

Syntax of the no Form
The no form of this command removes the weight value:
no set weight weight

Mode
Route map configuration: Router(config-route-map)#

Defaults
Routes advertised into BGP via redistribution or the network command: 32768
Routes advertised by a BGP neighbor: 0

Example
The following example configures the weight parameter in the context of configuring route map 1 and applying it to updates arriving from two remote neighbors:
XSR(config)#ip as-path access-list 67 permit ^101 .*
XSR(config)#ip as-path access-list 57 permit ^102 .*
XSR(config)#route-map 1 permit 1
XSR(config-route-map)#match as-path 67
XSR(config-route-map)#set weight 6000
XSR(config-route-map)#exit
XSR(config)#route-map 1 permit 2
XSR(config-route-map)#match as-path 57
XSR(config-route-map)#set weight 5000
XSR(config-route-map)#exit
XSR(config)#router bgp 100
XSR(config-router)#neighbor 192.168.1.1 remote-as 101
XSR(config-router)#neighbor 192.168.2.1 remote-as 102
XSR(config-router)#
XSR(config-router)#neighbor 192.168.1.1 route-map 1 in
XSR(config-router)#neighbor 192.168.2.1 route-map 1 in

The two instances of route map 1 perform a match on IP as-path access lists 67 and 57, in that order with a weight of 6000 for updates matching ACL 67, and 5000 for updates matching ACL 57. If the same destinations are advertised by both remote neighbors, the outbound traffic from this router will be directed to the neighbor who had a match on ACL 67, as those routes will have the highest value of the weight parameter.
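
How the two route-map instances above sort inbound updates, as an added Python example rather than XSR code. It assumes the AS path is matched as a space-separated string with Python's re module and that an update matching no instance is not accepted; the function names and the sample updates are constructed.

```python
import re

# Transcribed from the set weight example above. Assumption: the AS path is
# matched as a space-separated string with Python's re module; the XSR's own
# regular-expression engine may differ in detail.
AS_PATH_ACLS = {
    67: [("permit", r"^101 .*")],
    57: [("permit", r"^102 .*")],
}
ROUTE_MAP_1 = [
    # (sequence, action, as-path ACL number, attributes to set)
    (1, "permit", 67, {"weight": 6000}),
    (2, "permit", 57, {"weight": 5000}),
]


def acl_permits(acl_number, as_path):
    """First matching entry decides; no matching entry means deny (assumption)."""
    for action, pattern in AS_PATH_ACLS.get(acl_number, []):
        if re.search(pattern, as_path):
            return action == "permit"
    return False


def apply_inbound(route_map, route):
    """Return the route with its set clauses applied, or None if not accepted."""
    for _seq, action, acl, sets in sorted(route_map, key=lambda e: e[0]):
        if acl_permits(acl, route["as_path"]):
            return {**route, **sets} if action == "permit" else None
    return None  # matched no match statement: not accepted inbound


def best_by_weight(routes):
    """Among accepted routes to one destination, the highest weight wins."""
    accepted = [r for r in (apply_inbound(ROUTE_MAP_1, x) for x in routes) if r]
    return max(accepted, key=lambda r: r["weight"], default=None)


# Constructed updates for one destination. Weight 0 is the page's default for
# routes advertised by a BGP neighbor.
UPDATES = [
    {"prefix": "55.5.5.0/24", "neighbor": "192.168.2.1", "as_path": "102 300", "weight": 0},
    {"prefix": "55.5.5.0/24", "neighbor": "192.168.1.1", "as_path": "101 300", "weight": 0},
]

# Hypothetical third peer whose AS path matches neither access list.
UNMATCHED = {"prefix": "55.5.5.0/24", "neighbor": "192.168.3.1", "as_path": "103 300", "weight": 0}

if __name__ == "__main__":
    print(best_by_weight(UPDATES))
    print(apply_inbound(ROUTE_MAP_1, UNMATCHED))
```

The second call returns None: applied inbound, a route map whose every instance carries a match clause works as an allowlist.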

BGP Clear and Show Commands

clear ip bgp


This command resets one or more BGP connections, by either a hard or soft reset. Soft resets are preferred because they are less disruptive overall to internetworking. BGP connections must be reset whenever the BGP routing policy is changed by means of one of the following:
- BGP-related access lists
- BGP-related weights
- BGP-related distribution lists
- Specification of the BGP timer
- BGP administrative distance
- BGP-related route maps
- BGP neighbor configuration

Two options for soft reset are:
- Route refresh is supported depending on whether the route refresh capability has been negotiated during the OPEN session
- Stored updates (explicit neighbor soft-reconfiguration)

Syntax
clear ip bgp {* | address | peer-group peer-group-name} [soft [in | out]]

*                  A wildcard which resets all current BGP sessions.
address            Resets the indicated BGP neighbor.
peer-group-name    Resets the indicated BGP peer group.
soft               Performs a soft reconfiguration.
in                 Triggers an inbound soft reconfiguration.
out                Triggers an outbound soft reconfiguration.

Mode
Privileged EXEC: XSR#

Examples
This example displays all BGP connections and neighbors cleared by means of a hard reset, the most drastic way of clearing BGP links.
XSR#clear ip bgp *

The following example displays a soft inbound reset with neighbor 192.168.11.1:
XSR#clear ip bgp 192.168.11.1 soft in

clear ip bgp dampening


This command resets BGP dampening parameters to the system default and unsuppresses suppressed routes.

Syntax
clear ip bgp {dampening [ip-address mask]}

ip-address    The network to clear damping information on.
mask          The network mask to clear damping information on.

Mode
Privileged EXEC: XSR#

Examples
The following example clears route dampening information about the route to all routers and unsuppresses suppressed routes:
XSR#clear ip bgp dampening

The following example clears route dampening information about the route to network 12.0.0.0 and unsuppresses its suppressed routes:
XSR#clear ip bgp dampening 12.0.0.0 255.0.0.0

show ip bgp
This command displays entries in the BGP routing table.

Syntax
show ip bgp [network][network-mask][longer-prefixes]

network            Number of a network in the BGP routing table.
network-mask       All BGP routes matching the address and mask pair.
longer-prefixes    Routes and specific routers are displayed.

Mode
EXEC configuration: XSR>

Examples
The following is sample output from the command:
XSR#show ip bgp
Local router ID is 1.1.1.4
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? = incomplete
   Network          Next Hop          Metric  LocPrf  Weight  Path
*> 192.4.4.0/24     192.168.72.100         0     300     100  300 ?
*> 192.1.1.0/24     192.168.72.100         0     300     100  300 ?
*  55.5.5.0/24      52.52.52.3                   200     100  200 ?
*> 55.5.5.0/24      192.168.72.100         0     300     100  300 ?
*> 6.6.6.2/32       192.168.72.100         0     300     100  300 ?

Local Router ID: IP Address of the router
Status codes:
s - the bgp table entry is suppressed
* - the bgp table entry is valid
> - the bgp table entry is the best entry for the network
i - the bgp table entry is learned via IBGP
Origin Codes:
i - Entry originated from an IGP
e - Entry originated from an EGP
? - Entry originated from an unknown source (i.e. redistribution)

Display Parameters
Network     IP address of destination network.
Next Hop    IP address of the next hop to the destination network.
Metric      Value of Multi-Exit Discriminator.
LocPrf      Value of Local Preference.
Weight      Weight of the route.
Path        AS path to the destination network.

The following is sample output from the command:
XSR#show ip bgp 55.5.5.0/24
BGP routing table entry for 55.5.5.0 255.255.255.0
Paths: (2 available, learned over EBGP)
AS Path 200, Aggregator 500 1.2.3.4
Next Hop 52.52.52.3 from 52.52.52.3 (52.52.52.3)
Origin ?, localpref 200, weight 100, atomic, valid
BGP routing table entry for 55.5.5.0 255.255.255.0
Paths: (2 available, best #1, learned over EBGP)
AS Path 300
Next Hop 192.168.72.100 from 192.168.72.100 (192.168.72.100)
Origin ?, localpref 300, med 0, weight 100, valid, best

show ip bgp community


This command displays routes associated with BGP communities.

Syntax
show ip bgp community community-number | internet | local-AS | no-export | no-advertise

community-number    Community number, ranging from 1 to 4,294,967,295.
internet            Well-known Internet community.
local-AS            Well-known community specifying that routes with this value should not be sent outside a local AS.
no-export           Well-known community specifying that routes with this value should not be advertised outside a BGP confederation boundary.
no-advertise        Well-known community specifying that routes with this value should not be advertised to any other.

Mode
EXEC configuration: XSR>

Example
The following is sample output from the command:
XSR#show ip bgp community 400
Local router ID is 1.1.1.4
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? = incomplete
   Network          Next Hop          Metric LocPrf Weight Path
*> 192.4.4.0/24     192.168.72.100         0    100    100 300 ?
*> 192.1.1.0/24     192.168.72.100         0    100    100 300 ?
*> 66.6.6.2/32      192.168.72.100         0    100    100 300 ?
*> 55.5.5.0/24      192.168.72.100         0    100    100 300 ?
*> 6.6.6.2/32       192.168.72.100         0    100    100 300 ?

show ip bgp community-list


This command displays routes that are permitted by the indicated BGP community list.

Syntax
show ip bgp community-list {community-list-number | [exact-match]}

community-list-number    Community list number. Range: 1 to 199.
exact-match              Routes displayed by exact match.

Mode
EXEC configuration: XSR>

Example
The following is sample output from the command:
XSR#show ip bgp community community-list 1
Local router ID is 1.1.1.4
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? = incomplete
   Network          Next Hop          Metric LocPrf Weight Path
*> 192.4.4.0/24     192.168.72.100         0    100    100 300 ?
*> 192.1.1.0/24     192.168.72.100         0    100    100 300 ?
*> 66.6.6.2/32      192.168.72.100         0    100    100 300 ?
*> 55.5.5.0/24      192.168.72.100         0    100    100 300 ?
*> 6.6.6.2/32       192.168.72.100         0    100    100 300 ?

show ip bgp dampened-paths


This command displays BGP routes suppressed due to dampening.

Syntax
show ip bgp dampened-paths

Mode
EXEC configuration: XSR>

Example
The following is sample output from the command:
XSR#show ip bgp dampened-paths
Local router ID is 1.1.1.4
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? = incomplete
*> 192.4.4.0/24     192.168.72.100         0    100    100 300 ?
*> 192.1.1.0/24     192.168.72.100         0    100    100 300 ?

show ip bgp filter-list


This command displays routes conforming to a specified filter list.

Syntax
show ip bgp filter-list access-list-number

access-list-number    Number of an AS path ACL. Range: 1 to 199.

Mode
EXEC configuration: XSR>

Example
The following example is sample output from the command:
XSR#show ip bgp filter-list 2
Local router ID is 1.1.1.4
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? = incomplete
   Network          Next Hop          Metric LocPrf Weight Path
*> 192.4.4.0/24     192.168.72.100         0    100    100 300 ?
*> 192.1.1.0/24     192.168.72.100         0    100    100 300 ?
*> 66.6.6.2/32      192.168.72.100         0    100    100 300 ?
*> 55.5.5.0/24      192.168.72.100         0    100    100 300 ?
*> 6.6.6.2/32       192.168.72.100         0    100    100 300 ?


show ip bgp inconsistent-as


This command displays routes that have incomplete originating ASs.

Syntax
show ip bgp inconsistent-as

Mode
EXEC configuration: XSR>

Example
The following is sample output from the command:
XSR#show ip bgp inconsistent-as
Local router ID is 1.1.1.4
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? = incomplete
   Network          Next Hop          Metric LocPrf Weight Path
*> 192.4.4.0/24     192.168.72.100         0    100    100 300 ?
*> 192.1.1.0/24     192.168.72.100         0    100    100 300 ?
*> 66.6.6.2/32      192.168.72.100         0    100    100 300 ?
*> 55.5.5.0/24      192.168.72.100         0    100    100 300 ?
*> 6.6.6.2/32       192.168.72.100         0    100    100 300 ?

show ip bgp neighbors


This command displays information about TCP and BGP connections to neighbors.

Syntax
show ip bgp neighbors [neighbor-address]

neighbor-address    The IP address of the neighbor whose routes the XSR has learned from. If omitted, all neighbors are displayed.

Mode
EXEC configuration: XSR>

Example
The following is sample output from the command. The output is filtered to show only the 192.168.72.100 neighbor, and it shows that the route refresh capability has been exchanged with this neighbor.
XSR#show ip bgp neighbors 192.168.72.100
BGP neighbor is 192.168.72.100 remote AS 300 external link
BGP version 4, remote router ID 192.168.72.100
BGP state = ESTABLISHED
Hold time is 90, keepalive interval is 30 seconds
Neighbor capabilities:
Route Refresh: advertised & received
Address family IPv4 Unicast: advertised & received
Received 11 messages, 1 notifications
Sent 10 messages, 1 notifications, 0 in queue
Route Refresh request: received 0 sent 0
Last reset: Peer connection reset
3 accepted prefixes
Outgoing update AS path filter list is 33
Route map for outgoing advertisements is 60

Display Parameters
BGP neighbor                   IP address of the BGP neighbor and its AS number. If the neighbor is in the same AS as the router, then the link between them is internal (IBGP), otherwise it is considered external (EBGP).
BGP neighbor                   AS of the neighbor.
external link                  This is an EBGP peer.
BGP version                    BGP version used to communicate with the peer.
remote router ID               IP address of the neighbor.
BGP state                      Internal state of the BGP connection.
Hold Time                      Maximum interval, in seconds, that can elapse between messages from the peer.
keepalive interval             Interval, in seconds, between sending keepalive packets.
Neighbor capabilities          BGP capabilities advertised and received from this neighbor.
Route Refresh                  Status of the route refresh capability.
Address family IPv4 Unicast    IP Version 4 unicast-specific properties.
Received                       Sum of BGP messages received from this peer, including keepalives.
notifications                  Sum of error messages received from the peer.
Sent                           Sum of BGP messages sent to this peer, including keepalives.
notifications                  Sum of error messages sent from this XSR to the peer.
Route refresh request          Sum of route refresh requests sent and received from this neighbor.
Last Reset                     Previous reset reason.
accepted prefixes              Number of prefixes accepted.


show ip bgp peer-group


This command displays information about the BGP peer group belonging to the router that this command is entered on.

Syntax
show ip bgp peer-group [peer-group-name][summary]

peer-group-name    Information about a specific peer group.
summary            Summary status of all peer group members.

Mode
EXEC configuration: XSR>

Example
The following is sample output from the command:
XSR#show ip bgp peer-group external
BGP peer group is external
BGP version 4
Minimum time between advertisement runs is 0 seconds
peer-group is external, members 18.1.1.3 192.168.72.19
XSR#show ip bgp peer-group external summary
Neighbor          V    AS   MsgRcvd MsgSent  InQ OutQ State
192.168.72.19     4    400      157     169    0    0 ESTAB
18.1.1.3          4    400      157     164    0    0 ESTAB

show ip bgp regexp


This command displays BGP AS paths that match the indicated regular expression.

Syntax
show ip bgp regexp regexp

regexp    The regular expression to match BGP AS paths.

Mode
EXEC configuration: XSR>

Example
The following is sample output from the command:
XSR#show ip bgp regexp 300$
Local router ID is 1.1.1.4
Status codes: s suppressed, * valid, > best, i - internal
Origin codes: i - IGP, e - EGP, ? = incomplete
   Network          Next Hop          Metric LocPrf Weight Path
*> 192.4.4.0/24     192.168.72.100         0    100    100 300 ?
*> 192.1.1.0/24     192.168.72.100         0    100    100 300 ?
*> 66.6.6.2/32      192.168.72.100         0    100    100 300 ?
*> 55.5.5.0/24      192.168.72.100         0    100    100 300 ?
*> 6.6.6.2/32       192.168.72.100         0    100    100 300 ?

show ip bgp summary


This command displays status for all BGP connections.

Syntax
show ip bgp summary

Mode
EXEC configuration: XSR>

Example
The following is sample output from the command:
XSR#show ip bgp summary
Neighbor          V    AS   MsgRcvd MsgSent  InQ OutQ State
192.168.72.19     4    400      177     189    0    0 ESTAB
18.1.1.3          4    400      177     184    0    0 ESTAB
52.52.52.3        4    200      186     188    0    0 ESTAB
192.168.72.100    4    300      177     186    0    0 ESTAB

Display Parameters
Neighbor    IP address of the neighbor.
V           BGP version spoken to the neighbor.
AS          AS number.
MsgRcvd     BGP messages received from a neighbor.
MsgSent     BGP messages sent to a neighbor.
InQ         Number of messages from a neighbor waiting to be processed.
OutQ        Number of messages waiting to be sent to a neighbor.
State       Current state of the BGP session.


show route-map
This command displays configured route maps and information about policy maps that are referenced.

Syntax
show route-map [map-number]

map-number    The number of a route map, ranging from 1 to 199.

Mode
EXEC configuration: XSR>

Example
The following is sample output from the command:
XSR#show route-map
route-map 1, permit, sequence 1
  Match clauses:
    community-list 1
  Set clauses:
    local-preference 300
route-map 1, permit, sequence 2
  Match clauses:
    community-list 2
  Set clauses:
    local-preference 200
route-map 2, permit
  Match clauses:
    ip address 1
  Set clauses:
    community 100:100

BGP Debug Commands

debug ip bgp
This command displays information related to processing of the BGP. Like all XSR debug commands, it is set to privilege level 15 by default.

Syntax
debug ip bgp [events | updates]

events     Displays BGP events.
updates    Displays BGP updates.

Syntax of the no Form
The no form of this command disables debugging output:
no debug ip bgp [events | updates]

Mode
EXEC configuration: XSR>

Default
BGP debugging is disabled.

Examples
The following is sample output with the events option chosen:
XSR#debug ip bgp events
BGP: Event:STOP, Nbr:192.168.2.1, AS:300, Skt:0, State:IDLE
BGP: Event:START, Nbr: 192.168.2.1, AS:300, Skt:0, State:PEND_START
BGP: Event:START, Nbr: 192.168.2.1, AS:300, Skt:2, State:CONNECT
BGP: Event:TCP_OPEN, Nbr: 192.168.2.1, AS:300, Skt:2, State:OPENSENT
BGP: Event:RX_OPEN, Nbr: 192.168.2.1, AS:300, Skt:2, State:OPENCONFIRM
BGP: Event:RX_KEEP, Nbr: 192.168.2.1, AS:300, Skt:2, State:ESTABLISHED
BGP: Event:RX_UPDATE, Nbr: 192.168.2.1, AS:300, Skt:2, State:ESTABLISHED
BGP: Event:KEEP_EXP, Nbr: 192.168.2.1, AS:300, Skt:2, State:ESTABLISHED

BGP:      Debug event generated from the BGP process
Event:    BGP event that has been processed
Nbr:      Neighbor IP address
AS:       AS number
Skt:      Socket identifier
State:    State of the BGP connection

The following is sample output with the updates option chosen:
XSR#debug ip bgp updates
BGP: Rx Update. Nbr: 192.168.2.1, w/ attr: Origin:? AS_SEQ Path:300 Next Hop:192.168.2.2 Med:0
BGP: Rx NLRI. Nbr: 192.168.2.1, Prefix:6.6.6.0, Len:24
BGP: Rx NLRI. Nbr: 192.168.2.1, Prefix:7.7.7.0, Len:24
BGP: Rx NLRI. Nbr: 192.168.2.1, Prefix:8.8.8.0, Len:24
BGP: Tx Update. Nbr: 192.168.2.1, w/ attr: Origin:? AS_SEQ Path:100 Next Hop:192.168.2.2
BGP: Tx NLRI. Nbr: 192.168.2.1, Prefix:5.0.0.0, Len:8
BGP: Tx NLRI. Nbr: 192.168.2.1, Prefix:10.0.0.0, Len:8
BGP: Tx NLRI. Nbr: 192.168.2.1, Prefix:2.0.0.0, Len:8

Display Parameters
BGP            Debug event generated by the BGP process.
Rx Update      Update message has been received.
Tx Update      Update message being transmitted.
Nbr            Neighbor IP address.
w/ attr        Path Attributes in the update message.
Origin         Origin of the path.
AS_SEQ Path    AS Sequence Path list.
Next Hop       Next Hop IP address.
Med            Multi-exit discriminator.
Rx NLRI        Received Network Layer reachability information.
Prefix         Network IP address.
Len            Length of prefix mask.
Tx NLRI        Transmitted Network Layer reachability information.
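The events output documented above can be reduced to a per-neighbor record of sessions leaving the ESTABLISHED state, which is the signal an operator watches for when a peering is unstable or being reset. The following is an added example, not code from the XSR or from Enterasys; the function names are hypothetical, the log lines are constructed in the page's line format, and neighbor 192.168.2.9 in AS 400 is invented for the sample.

```python
import re
from collections import Counter

# Field layout copied from the "debug ip bgp events" sample output.
# Some sample lines have a space after "Nbr:" and some do not, so allow both.
EVENT_RE = re.compile(
    r"^BGP: Event:(?P<event>\w+), Nbr:\s*(?P<nbr>\d+\.\d+\.\d+\.\d+), "
    r"AS:(?P<asn>\d+), Skt:(?P<skt>\d+), State:(?P<state>\w+)$"
)

# Constructed sample (not captured router output). One "updates" line is
# mixed in to show that non-event debug lines are skipped.
SAMPLE_LOG = """\
BGP: Event:START, Nbr: 192.168.2.1, AS:300, Skt:0, State:PEND_START
BGP: Event:START, Nbr: 192.168.2.1, AS:300, Skt:2, State:CONNECT
BGP: Event:TCP_OPEN, Nbr: 192.168.2.1, AS:300, Skt:2, State:OPENSENT
BGP: Event:RX_OPEN, Nbr: 192.168.2.1, AS:300, Skt:2, State:OPENCONFIRM
BGP: Event:RX_KEEP, Nbr: 192.168.2.1, AS:300, Skt:2, State:ESTABLISHED
BGP: Event:RX_KEEP, Nbr: 192.168.2.9, AS:400, Skt:3, State:ESTABLISHED
BGP: Rx NLRI. Nbr: 192.168.2.1, Prefix:6.6.6.0, Len:24
BGP: Event:STOP, Nbr:192.168.2.1, AS:300, Skt:0, State:IDLE
BGP: Event:START, Nbr: 192.168.2.1, AS:300, Skt:0, State:PEND_START
BGP: Event:RX_KEEP, Nbr: 192.168.2.1, AS:300, Skt:4, State:ESTABLISHED
BGP: Event:RX_UPDATE, Nbr: 192.168.2.9, AS:400, Skt:3, State:ESTABLISHED
BGP: Event:STOP, Nbr:192.168.2.1, AS:300, Skt:0, State:IDLE
"""


def parse_event(line):
    """Return the fields of one events line, or None for any other line."""
    m = EVENT_RE.match(line.strip())
    if m is None:
        return None
    rec = m.groupdict()
    rec["asn"] = int(rec["asn"])
    rec["skt"] = int(rec["skt"])
    return rec


def session_drops(lines):
    """Follow the State field per neighbor and record each transition out
    of ESTABLISHED as (neighbor, AS, event, new_state).

    Returns (drops, final_states)."""
    last_state = {}
    drops = []
    for line in lines:
        rec = parse_event(line)
        if rec is None:
            continue
        prev = last_state.get(rec["nbr"])
        if prev == "ESTABLISHED" and rec["state"] != "ESTABLISHED":
            drops.append((rec["nbr"], rec["asn"], rec["event"], rec["state"]))
        last_state[rec["nbr"]] = rec["state"]
    return drops, last_state


def flapping_neighbors(drops, threshold=2):
    """Neighbors whose session left ESTABLISHED at least `threshold` times."""
    counts = Counter(nbr for nbr, _asn, _event, _state in drops)
    return sorted(nbr for nbr, n in counts.items() if n >= threshold)


if __name__ == "__main__":
    drops, final = session_drops(SAMPLE_LOG.splitlines())
    for nbr, asn, event, state in drops:
        print(f"session to {nbr} (AS {asn}) left ESTABLISHED on {event} -> {state}")
    print("flapping:", flapping_neighbors(drops))
    print("final states:", final)
```
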

show ip traffic
This command displays BGP statistics among other IP data.

Syntax
show ip traffic

Mode
EXEC configuration: XSR>

Example
The following sample output displays only BGP-specific data:
XSR#show ip traffic
BGP Statistics:
Rcvd: 184 total
      3 opens, 0 notifications, 4 updates
      177 keepalives, 0 route-refresh
Sent: 186 total
      4 opens, 0 notifications, 6 updates
      176 keepalives, 0 route-refresh


7
Configuring IP Multicast
Observing Syntax and Conventions
The CLI command syntax and conventions use the notation described below.

Convention         Description
xyz                Key word or mandatory parameters (bold)
[x]                [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]        [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}        { | } Braces with vertical bar indicate a choice of a required value
[x {y | z} ]       [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)    xx signifies the interface, class map, policy map or other value you specify; e.g., F1, G3, S2/1.0, <Your Name>. F indicates a FastEthernet, and G a GigabitEthernet interface.

Next Mode entries display the CLI prompt after a command is entered.
Sub-commands are displayed in red text.
soho.enterasys.com    Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

IGMP and Generic Multicast Commands


The following command sets define IP Multicast functionality on the XSR, including PIM Commands and IGMP Clear and Show Commands.

ip multicast-routing
This command enables/disables multicast routing and multicast switching.

Syntax
ip multicast-routing

Syntax of the no Form
The no form of the command disables the multicast service:
no ip multicast-routing

Mode
Global configuration: XSR(config)#

Default
Disabled

Example
In the following example, multicast service is enabled on the XSR:
XSR(config)#ip multicast-routing

ip igmp version
This command manually sets the IGMP version on a local interface.

Syntax
ip igmp version version_number

version_number    IGMP version number, ranging from 1 to 3.

Syntax of the no Form
The no form of this command sets the default value.
no ip igmp version

Mode
Interface configuration: XSR(config-if<xx>)#

Default
IGMP Version 2

Example
The following example sets the IGMP version number to 3:
XSR(config)#interface FastEthernet 1
XSR(config-if<F1>)#ip igmp version 3


ip igmp join-group
This command manually joins a multicast group to a local interface.

Syntax
ip igmp join-group group-address

group-address    Address of the multicast group.

Syntax of the no Form
The no form of this command cancels membership in a group:
no ip igmp join-group group-address

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example joins the XSR to multicast group 225.2.2.1:
XSR(config-if<F1>)#ip igmp join-group 225.2.2.1

ip igmp last-member-query-count
This command configures the retransmit count at which the XSR sends IGMP group-specific host query messages.

Syntax
ip igmp last-member-query-count count

count    Retransmit count, ranging from 1 to 7.

Syntax of the no Form
The no form of this command sets this count to the default:
no ip igmp last-member-query-count

Mode
Interface configuration: XSR(config-if<xx>)#

Default
2

Example
The following example changes the IGMP group-specific host query retransmit count to 3:
XSR(config-if<F1>)#ip igmp last-member-query-count 3

ip igmp last-member-query-interval
This command sets the frequency at which IGMP group-specific host query messages are sent.

Syntax
ip igmp last-member-query-interval interval

interval    Frequency to send IGMP group-specific host query messages, ranging from 100 to 65535 milliseconds.

Syntax of the no Form
The no form of this command sets this frequency to the default:
no ip igmp last-member-query-interval

Mode
Interface configuration: XSR(config-if<xx>)#

Default
1000 milliseconds

Example
This example changes the IGMP group-specific host query message interval to 2 seconds:
XSR(config-if<F1>)#ip igmp last-member-query-interval 2000

ip igmp query-interval
This command configures the frequency at which the XSR sends IGMP host query messages.

Syntax
ip igmp query-interval seconds

seconds    Frequency to send IGMP host query messages, ranging from 1 to 32767 seconds.

Syntax of the no Form
The no form of this command sets this frequency to the default value:
no ip igmp query-interval

Mode
Interface configuration: XSR(config-if<xx>)#

Default
125 seconds

Example
This example changes the frequency at which IGMP host query messages are sent to 3 minutes:
XSR(config-if<F1>)#ip igmp query-interval 180

ip igmp query-max-response-time
This command configures the maximum response time advertised in IGMP queries.

Syntax
ip igmp query-max-response-time seconds

seconds    Maximum response time advertised in IGMP queries.

Syntax of the no Form
The no form of this command sets this response time to the default:
no ip igmp query-max-response-time

Mode
Interface configuration: XSR(config-if<xx>)#

Default
10 seconds

Example
The following example sets a maximum response time of 8 seconds:
XSR(config-if<F1>)#ip igmp query-max-response-time 8

ip igmp querier-timeout
This command sets the timeout period before the XSR takes over as the querier for the interface after the previous querier has stopped querying.

Syntax
ip igmp querier-timeout seconds

seconds    Interval the XSR waits after the previous querier has stopped querying and before it takes over as the querier, ranging from 2 to 65535 seconds.

Syntax of the no Form
The no form of this command sets this response time to the default value:
no ip igmp querier-timeout

Mode
Interface configuration: XSR(config-if<xx>)#

Default
Two times the query interval

Example
The following example sets the XSR to wait 30 seconds from the time it received the last query before it takes over as the querier for the interface:
XSR(config-if<F1>)#ip igmp querier-timeout 30

ip multicast ttl-threshold
This command sets the Time To Live (TTL) threshold of packets being forwarded out an interface.

Syntax
ip multicast ttl-threshold ttl-value

ttl-value    Time to live value, ranging from 0 to 255 hops.

Syntax of the no Form
The no form of this command sets this threshold to the default value:
no ip multicast ttl-threshold

Mode
Interface configuration: XSR(config-if<xx>)#

Default
Zero: all multicast packets are forwarded out the interface.

Example
The following example sets the TTL threshold on a border router to 20. Multicast packets must have a TTL greater than 20 in order to be forwarded out this interface:
XSR(config-if<F1>)#ip multicast ttl-threshold 20


PIM Commands

ip pim sparse-mode
This command enables Protocol Independent Multicast (PIM) Sparse Mode (SM) on a local interface.

Syntax
ip pim sparse-mode

Syntax of the no Form
The no form of this command disables PIM on an interface:
no ip pim sparse-mode

Mode
Interface configuration: XSR(config-if<xx>)#

Default
PIM-SM is disabled on an interface

Example
The following example enables PIM sparse mode on F1:
XSR(config-if<F1>)#ip pim sparse-mode

ip pim bsr-border
This command specifies an interface so BootStrap Router (BSR) messages are not sent or received through an interface.

Syntax
ip pim bsr-border

Syntax of the no Form
The no form of this command removes the BSR border setting:
no ip pim bsr-border

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example sets interface F1 as the PIM domain border:
XSR(config-if<F1>)#ip pim bsr-border

ip pim bsr-candidate
This command enables the XSR to announce its candidacy as a BootStrap Router (BSR).

Syntax
ip pim bsr-candidate type number [hash-mask-length [priority]]

type number         Interface from which the BSR address is derived, to make it a candidate. This interface must be enabled with PIM.
hash-mask-length    Length of a mask that is ANDed with the group address before the hash function is called. All groups with the same seed hash (correspond) to the same Rendezvous Point (RP). This option provides one RP for multiple groups.
priority            Preference value, ranging from 0 to 255. The BSR with the larger priority is preferred. If priority values are the same, the IP address breaks the tie. The BSR candidate with the higher IP address is preferred.

Syntax of the no Form
The no form of this command removes this XSR as a BSR candidate:
no ip pim bsr-candidate

Mode
Global configuration: XSR(config)#

Defaults
BSR candidate is not enabled with this router.
Priority: 0

Example
The following example configures the IP address of the router on F1 to be a candidate:
XSR(config)#ip pim bsr-candidate FastEthernet 1
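The effect of hash-mask-length on group-to-RP mapping can be seen by computing the hash function defined in the PIM-SM specification (RFC 2362, carried into RFC 4601 and RFC 7761). This is an added example, not code from the XSR; it assumes the XSR uses the RFC hash, compares only candidates of equal priority covering the same group range, and uses a constructed set of candidate RP addresses. The function names are hypothetical.

```python
import ipaddress

MULT = 1103515245   # constants from the PIM-SM RFC hash function
INCR = 12345


def rp_hash(group, mask_len, rp):
    """Value(G, M, C) = (MULT * ((MULT * (G & M) + INCR) XOR C) + INCR) mod 2^31.

    group and rp are dotted-quad strings; mask_len is the hash mask length
    distributed by the BSR (0 to 32 for IPv4).
    """
    if not 0 <= mask_len <= 32:
        raise ValueError("hash mask length must be 0..32 for IPv4")
    g_addr = ipaddress.IPv4Address(group)
    if not g_addr.is_multicast:
        raise ValueError(f"{group} is not a multicast group address")
    g = int(g_addr)
    c = int(ipaddress.IPv4Address(rp))
    mask = (0xFFFFFFFF << (32 - mask_len)) & 0xFFFFFFFF
    # Truncating to 32 bits here does not change the result mod 2^31.
    inner = (MULT * (g & mask) + INCR) & 0xFFFFFFFF
    return (MULT * (inner ^ c) + INCR) % (1 << 31)


def select_rp(group, mask_len, candidates):
    """Pick the RP for a group: highest hash value wins, and the highest
    RP address breaks a tie. Candidates are assumed to have equal priority
    and to advertise a range that covers the group."""
    return max(
        candidates,
        key=lambda rp: (rp_hash(group, mask_len, rp),
                        int(ipaddress.IPv4Address(rp))),
    )


def rp_assignment(groups, mask_len, candidates):
    """Map each candidate RP to the list of groups that hash to it."""
    result = {rp: [] for rp in candidates}
    for g in groups:
        result[select_rp(g, mask_len, candidates)].append(g)
    return result


# Constructed inputs for the demonstration.
CANDIDATE_RPS = ["192.168.2.5", "192.168.27.1", "50.0.0.30"]
GROUPS = [f"225.1.1.{i}" for i in range(8)]

if __name__ == "__main__":
    # Mask length 30: groups that share their top 30 bits (blocks of four
    # consecutive addresses) are always served by the same RP.
    # Mask length 32: every group address is hashed on its own.
    for mask_len in (30, 32):
        print(f"hash mask length {mask_len}")
        for rp, served in rp_assignment(GROUPS, mask_len, CANDIDATE_RPS).items():
            print(f"  {rp:<14} {served}")
```

A longer mask spreads related groups across the candidate RPs, while a shorter one keeps blocks of adjacent groups on a single RP, which matters when an application uses several neighboring group addresses.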


ip pim dr-priority
This command sets the priority for which a router is elected as the Designated Router (DR).

Syntax
ip pim dr-priority priority-value

priority-value    Preference value, ranging from 0 to 4294967294, to set the priority of the router for selection as the DR.

Syntax of the no Form
The no form of this command disables the DR functionality:
no ip pim dr-priority

Mode
Interface configuration: XSR(config-if<xx>)#

Defaults
DR functionality is disabled on the interface
DR priority: 1

Example
The following example sets the DR priority value of F1 to 20:
XSR(config-if<F1>)#ip pim dr-priority 20

ip pim message-interval
This command configures the frequency at which a Protocol Independent Multicast Sparse Mode (PIM-SM) router sends periodic join and prune messages.

Syntax
ip pim message-interval seconds

seconds    Interval to send periodic PIM-SM join and prune messages. Range: 1 to 65535.

Syntax of the no Form
The no form of this command sets the interval to the default value:
no ip pim message-interval

Mode
Interface configuration: XSR(config-if<xx>)#

Default
60 seconds

Example
The following example changes the PIM-SM message interval to 120 seconds:
XSR(config-if<F1>)#ip pim message-interval 120

ip pim query-interval
This command sets the frequency of Protocol Independent Multicast (PIM) router query messages.

Syntax
ip pim query-interval seconds

seconds    Interval to send periodic PIM router query messages. Range: 1 to 65535.

Syntax of the no Form
The no form of this command sets the interval to the default value:
no ip pim query-interval

Mode
Interface configuration: XSR(config-if<xx>)#

Default
30 seconds

Example
This example resets the PIM router query message interval to 60 seconds:
XSR(config-if<F1>)#ip pim query-interval 60

ip pim rp-address
This command sets the static Rendezvous Point (RP) for the specific multicast group. (Dynamically learned RP always has a higher priority than statically configured RP.)

Syntax
ip pim rp-address rp-address [access-list]

rp-address     IP address of a router to be a PIM RP. This is a unicast IP address in four-part, dotted notation.
access-list    ACL number defines for which multicast groups the RP should be used.

Syntax of the no Form
The no form of this command removes the static RP configuration:
no ip pim rp-address rp-address

Mode
Global configuration: XSR(config)#

Example
This example configures the RP used by the multicast groups within the range 225.1.1.0/24:
XSR(config)#access-list 2 permit 225.1.1.0 0.0.0.255
XSR(config)#ip pim rp-address 192.168.2.5 2

ip pim rp-candidate
This command sets the XSR to advertise itself as a PIM candidate Rendezvous Point (RP) to the BSR. Only one candidate RP can be configured per box.

Syntax
ip pim rp-candidate type number [group-list access-list][priority priority-value]

type number       Interface whose IP address is advertised as a candidate RP address.
access-list       Standard IP access list number that defines the group prefixes that are advertised in association with the RP address.
priority          The priority of this candidate RP.
priority-value    Priority value, ranging from 0 to 255.

Syntax of the no Form
The no form of this command removes this XSR as an RP candidate:
no ip pim rp-candidate

Mode
Global configuration: XSR(config)#

Defaults
The XSR is not configured as an RP candidate.
DR priority is 192 by default if it becomes one.

Example
This example sets the XSR to advertise itself as a candidate RP to the BSR in its PIM domain:
XSR(config)#interface FastEthernet 1
XSR(config)#ip pim rp-candidate FastEthernet 1

ip pim regcksum wholepacket


This command changes the register checksum calculation to the industry standard.

Syntax
ip pim RegCksum wholepacket

Syntax of the no Form
The no command removes the static RP configuration:
no ip pim RegCksum wholepacket

Mode
Global configuration: XSR(config)#

Default
Checksum based on header only.

Example
The following example changes the calculation of the register packet to the industry standard:
XSR(config)#ip pim RegCksum wholepacket

ip pim spt-threshold
This command configures the threshold over which a PIM leaf router should join the shortest path source tree for the specified group.

Syntax
ip pim spt-threshold {kbps|infinity} [group-list access-list]

kbps                      Traffic rate in kbps.
infinity                  Never join the shortest path tree.
group-list access-list    Groups the threshold applies to. The value 0 applies the threshold to all groups.

Syntax of the no Form
The no form of this command restores the threshold to the default:
no ip pim spt-threshold

Mode
Global configuration: XSR(config)#

Default
The threshold is 0

Example
The following example sets the source tree switching threshold to 4 kbps:
XSR(config)#ip pim spt-threshold 4

IGMP Clear and Show Commands

clear ip mroute
This command deletes entries from the multicast table.

Syntax
clear ip mroute [group-address][source-address]

group-address     IP address of the multicast group.
source-address    IP address of the multicast source.

Mode
EXEC configuration: XSR>

show ip igmp groups


This command displays the multicast groups with receivers that are directly connected to the XSR and were learned through the Internet Group Management Protocol (IGMP).

Syntax
show ip igmp groups [group-address | type number | summary]

group-address    Address of the multicast group.
type             Interface type.
number           Interface number.
summary          A one-line, abbreviated summary of each entry in the IGMP groups table.

Mode
EXEC configuration: XSR>

Example
The following example displays sample responses:
XSR>show ip igmp groups
Interface name:         FastEthernet1
State:                  Dynamic
Mode:                   Include
Current version:        V3
Group IP:               232.1.1.1
Reporter IP:            3.3.3.199
V1MEM exist timer:      0
V2MEM exist timer:      0
Member expire timer:    256
Source IP:              6.6.6.10 (Forward state: YES, Timer:260)

Parameters in the Response
Group IP               Multicast group address.
Interface name         The interface through which the group membership is learned.
State                  Dynamic learning or static configure.
Mode                   Exclude or Include.
Reporter IP            Last host to report being a member of the multicast group.
V1MEM exist timer      V1 member existing timer.
V2MEM exist timer      V2 member existing timer.
Member expire timer    Group member expire timer.
Source IP              Sender IP address.
Forward state          Forward state for this source IP.
Timer                  Source timer for this source IP.

show ip igmp interface


This command displays multicast-related information about an interface.

Syntax
show ip igmp interface [type number]

type      Interface type.
number    Interface number.

Mode
EXEC configuration: XSR>

Example
The following example displays sample responses:
XSR>show ip igmp interface
Interface name:             FastEthernet2
Interface state:            Up
IGMP version:               2
Protocol owner:             PIM-SM
IGMP state:                 Enabled
Multicast ttl threshold:    0
Current query Interval:     125
Last Member Interval:       1
Querier timeout:            255
Max Response Timeout:       10
Current robust value:       2
Querier IP:                 1.1.1.2 (Self)
Query sending timer:        124
Group configured:           None
--------------------------------------------------------
Interface name:             FastEthernet1
Interface state:            Up
IGMP version:               3
Protocol owner:             PIM-SM
IGMP state:                 Enabled
Multicast ttl threshold:    0
Current query Interval:     125
Last Member Interval:       1
Querier timeout:            255
Max Response Timeout:       10
Current robust value:       2
Querier IP:                 3.3.3.1 (Self)
Query sending timer:        124
Group configured:           225.1.1.1
---------------------------------------------------------

Parameters in the Response
Interface name               Interface type, number.
Interface state              Interface status.
IGMP version                 IGMP version on this interface.
Protocol owner               Multicast routing protocol configured on this interface.
IGMP state                   IGMP enable state.
Multicast ttl threshold      Multicast TTL threshold on this interface.
Configured query interval    Configured query interval on this interface.
Current query interval       Current query interval on this interface.
Last member interval         Last member interval on this interface.
Querier timeout              Querier timeout configured on this interface.
Max response timeout         Max response timeout configured on this interface.
Current robust value         Robust value on this interface.
Querier IP                   Querier IP address.
Query sending timer          Query sending timer on this interface.
Group configured             Static groups configured on this interface.


show ip mroute
This command displays entries in the IP multicast routing table.

Syntax
show ip mroute [group-address][source-address][summary]

group-address     IP address of the multicast group.
source-address    IP address of the multicast source.
summary           A one-line, abbreviated summary of each entry in the IP multicast routing table.

Mode
EXEC configuration: XSR>

Example
The following example displays sample responses:
XSR>show ip mroute
IP Multicast Routing Table
Flags: D - Dense, S - Sparse, C - Connected, P - Pruned
       F - Register flag, T - SPT-bit set
Timers: Uptime/Expires
Interface state: Interface, Next-Hop, State/Mode
(*, 224.0.255.3), 5:29:15/00:01:14, RP is 192.168.26.2, flags:
  Incoming interface: FastEthernet1, RPF neighbor 10.3.35.1
  Outgoing interface list:
    FastEthernet0, Forward/Sparse, 5:29:15/0:01:57
(192.168.27.0/24, 224.0.255.3), 6:29:15/00:02:47, flags: TS
  Incoming interface: FastEthernet1, RPF neighbor 10.3.35.1
  Outgoing interface list:
    FastEthernet0, Forward/Sparse, 8:29:15/0:02:47

Parameters in the Response
Flags    Provides information about following entries:
         D - Dense: Entry is operating in dense mode.
         S - Sparse: Entry is operating in sparse mode.
         C - Connected: A member of the multicast group is present on the directly connected interface.
         P - Pruned: Route has been pruned.
         F - Register flag: Indicates that the software is Registering for a multicast source.
         T - SPT-bit set: Indicates that packets have been received on the shortest path source tree.
(198.92.37.100/32, 224.0.255.1)    Entry in the IP multicast routing table. The entry consists of the IP address of the source router followed by the IP address of the multicast group. An asterisk (*) in place of the source router indicates all sources.
uptime    The interval in hours, minutes, and seconds the entry has been in the IP multicast routing table.
RP    Address of the rendezvous point (RP) router. For routers and access servers operating in sparse mode, this address is always 0.0.0.0.
flags    Information about the entry.
Incoming interface    Expected interface for a multicast packet from the source. If the packet is not received on this interface, it is discarded.
RPF neighbor    IP address of the upstream router to the source. Tunneling indicates that this router is sending data to the RP encapsulated in Register packets. The hexadecimal number in parentheses indicates to which RP it is registering. Each bit indicates a different RP if multiple RPs per group are used.
Outgoing interface list    Interfaces through which packets will be forwarded.
FastEthernet1    Name and number of the outgoing interface.
Forward/Sparse    Sparse mode interface is in forward mode.
time/time (uptime/expiration time)    Per interface, the interval in hours, minutes, and seconds the entry has been in the IP multicast routing table. Following the slash (/), the interval in hours, minutes, and seconds until the entry will be removed from the table.

show ip pim bsr


This command displays Bootstrap Router (BSR) version 2 information.

Syntax
show ip pim bsr

Mode
EXEC configuration: XSR>

Example
The following example displays sample responses:
XSR>#show ip pim bsr
PIMv2 Bootstrap information
This system is the Elected Bootstrap Router (BSR)
BSR address: 192.168.27.1
Uptime: 04:37:46, BSR Priority: 4, Hash mask length: 30
Next bootstrap message in 00:00:03 seconds
This system is the Candidate Bootstrap Router (CBSR)
Candidate BSR Address: 50.0.0.30
Priority: 0, Hash Mask Length: 30

Parameters in the Response
BSR address                  IP address of the bootstrap router.
Uptime                       Interval that this XSR has been up, in hours:minutes:seconds.
BSR Priority                 Priority as set by the ip pim bsr-candidate command.
Hash mask length             Length of a mask (32 bits maximum) that is to be ANDed with the group address before the hash function is called. This value is configured by the ip pim bsr-candidate command.
Next bootstrap message in    Period (in hours:minutes:seconds) in which the next bootstrap message is due from this BSR.

show ip pim interface


This command displays data about interfaces set for Protocol Independent Multicast (PIM).

Syntax
show ip pim interface [type number]
type      Interface type.
number    Interface number.

Mode
EXEC configuration: XSR>

Example
The following example displays sample responses:
XSR>show ip pim interface
PIM Interface Table
Address      Interface        Nbr Count    Hello Intvl    DR
30.0.0.20    FastEthernet1    0            30             30.0.0.20
40.0.0.20    FastEthernet2    2            30             40.0.0.40

Parameter Descriptions
Address        IP address of the next hop router.
Interface      Interface type and number that is configured to run PIM.
Nbr Count      Number of PIM neighbors discovered through this interface.
Hello Intvl    The interval between Hello messages. The default is 30 seconds.
DR             IP address of the designated router on the LAN.

show ip pim neighbor


This command displays discovered Protocol Independent Multicast (PIM) neighbors.

Syntax
show ip pim neighbor [type number]
type      Interface type.
number    Interface number.

Mode
EXEC configuration: XSR>

Example
The following example shows sample responses:
XSR>#show ip pim neighbor
PIM Neighbor Table
Neighbor Address    Interface    DR Priority    Uptime      Expires    Mode
192.168.26.2        Ethernet0                   15:38:16    0:01:25    Sparse
192.168.26.33       Ethernet0                   13:33:20    0:01:05    Sparse (DR)
192.168.27.1        Ethernet1                   15:33:20    0:01:08    Sparse (DR)
192.192.27.13       Ethernet1                   16:56:06    0:01:04    Sparse

Parameter Descriptions
Neighbor Address    IP address of the PIM neighbor.
Interface           Interface type and number on which the neighbor is reachable.
DR Priority         The DR priority of the neighbor.
Uptime              Interval in hours, minutes, and seconds the entry has been in the PIM neighbor table.
Expires             Interval in hours, minutes, and seconds until the entry will be removed from the IP multicast routing table.
Mode                Mode in which the interface is operating.
(DR)                Indicates that this neighbor is a designated router on the LAN.

show ip pim rp
This command displays the active rendezvous points (RPs) that are cached with associated multicast routing entries.

Syntax
show ip pim rp [group-address | mapping]
group-address    Address of the group about which to display RPs.
mapping          Displays all group-to-RP mappings of which the XSR is aware.

Mode
EXEC configuration: XSR>

Example
The following example displays sample responses:
XSR>show ip pim rp
Group: 224.2.240.20, RP: 192.168.10.13
Group: 224.1.127.155, RP: 192.168.10.13
Group: 224.2.127.154, RP: 192.168.10.13
Group: 224.2.128.153, RP: 192.168.10.13
XSR>show ip pim rp mapping
Group Address: 224.0.0.0 Mask: 240.0.0.0
RP Address: 30.0.0.20 Holdtime: 150 Priority: 192
RP Address: 50.0.0.40 Holdtime: 150 Priority: 192

Parameter Descriptions
Group       Address of the multicast group about which to display RP data.
RP          Address of the RP for that group.
Holdtime    The interval before the candidate RP expires.
Priority    The priority value for the candidate RP.

show ip pim rp-hash


This command displays the rendezvous point (RP) that is being selected for a specified group.

Syntax
show ip pim rp-hash {group-address}
group-address    Address of the group about which to display RPs.

Mode
EXEC configuration: XSR>

Example
The following example displays sample responses:
XSR>show ip pim rp-hash 239.1.1.1
RP 192.168.27.12

Parameter Descriptions
RP    Address of the RP for the group specified (239.1.1.1).

8
Configuring the Point-to-Point Protocol
Observing Syntax and Conventions
The CLI Syntax and conventions use the notation described in the following table.

Convention            Description
xyz                   Key word or mandatory parameters (bold)
[x]                   [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]           [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}           { | } Braces with vertical bar indicate a choice of a required value
[x {y | z} ]          [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)       xx signifies interface type and number, e.g.: F1, S2/1.0, D1, M57, G3. F indicates a FastEthernet, and G a GigabitEthernet interface.
Next Mode entries display the CLI prompt after a command is entered.
Sub-command headings are displayed in red text.
soho.enterasys.com    Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

PPP Commands
This chapter describes the commands that define Point-to-Point Protocol (PPP) service profiles, specify and monitor serial ports, and define Multilink PPP and Bandwidth Allocation Protocol (BAP) functionality, in the following command sets:
PPP Debug, Clear and Show Commands
Multilink PPP Commands
Multilink Show Commands

encapsulation ppp
This command sets the Point-to-Point Protocol (PPP) as the encapsulation method used by a serial port. To use PPP encapsulation, the XSR must be configured with an IP routing protocol.
Note: If encapsulation is changed from one type to another, all related values of the current encapsulation and any sub-interface settings are deleted. Also, once encapsulation is set on an interface, any sub-interface of that port created later is automatically encapsulated. Finally, you must first enter the no encapsulation command to change the encapsulation type.

Syntax
encapsulation ppp

Syntax of the no Form


no encapsulation ppp

Default
No encapsulation

Mode
Interface configuration: XSR(config-if<xx>)

Example
The following example enables PPP encapsulation on Serial interface 1/0:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation ppp

interface
This command selects a physical or virtual port for configuration as a router interface. The XSR supports ATM, BRI, Dialer, Fast/GigabitEthernet, Loopback, Multilink, Serial, or VPN interfaces. For configuration purposes, all serial ports and T1/E1/ISDN PRI channel groups are treated as a serial interface.
Optionally, you can set up the Console port on the XSR 1800 series as a WAN interface for dial backup purposes (refer to the Caution below). Do so by entering 0 only.
Caution: Be aware that when you enable the Console port as a WAN port, you can no longer directly connect to it because it is in data communication mode. Your only access to the CLI will be to Telnet to an IP address of a configured port. Also, if your startup-config file does not configure any ports properly and sets up the console port as a serial interface, you will no longer be able to log in and will have to press the Default button to erase your configuration. For details about configuring the Console with a modem, see Chapter 2: Managing the XSR in the XSR User's Guide.

Syntax
interface type slot_num card_num port_num sub-interface_num
type                 ATM, BRI, Dialer, Fast/GigabitEthernet, Loopback, Multilink, Serial or VPN port.
slot_num             The NIM number ranging from 0 to 6 depending on the XSR model.
card_num             The NIM card number ranging from 1 to 2 depending on the NIM installed in the slot.
port_num             The physical port number ranging from: 0 (ATM), 0 to 1 (BRI), 0 to 255 (Dialer & VPN), 0 to 15 (Loopback), 1 to 32767 (Multilink), 0 to 3 (Serial), 1 to 2 (FastEthernet), 1 to 3 (GigabitEthernet), and 0 (Console). If a Serial port resides on a T1/E1 port, then channel group data must be added at the end of the string to mark which channel group of the T1/E1 port will be set: card_num/NIM_num/port_within_NIM:[channelgroup_num]. For example, 0/2/1:15 sets channel group 15 of the T1 or E1 port 1 in NIM slot 2 on the motherboard.
sub-interface_num    Number ranging from 1 to 30 (ATM, BRI & Serial), and 1 to 64 (Fast/GigabitEthernet).

Slots, cards, ports, and sub-interfaces are expressed as follows on the CLI:
0                            The console port. (Only on the XSR 1800 series)
<0-0>/<1-2>/<0-3>            Slot, card, and port number.
<1-2>/<0-3>                  Card and port number.
<1-2>/<0-3>.<1-30>           Card, port and sub-interface number.
<1-2>/<0-3>:<0-31>           Card, port and channel number.
<1-2>/<0-3>:<0-31>.<1-30>    Card, port, channel and sub-interface number.

Note: Leading zeros defined in interface_num can be omitted. For example, 0/1/2 is equivalent to 1/2.

Syntax of the no Form


The no command deletes the interface:
no interface serial port_num interface_num
Note: You cannot directly delete a Serial interface assigned to a T1/E1 channel group. You must instead delete a channel group to delete the Serial port.

Mode
Global configuration: XSR(config)#

Examples
This example selects interface serial 1/0 and sets PPP encapsulation:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation ppp
XSR(config-if<S1/0>)#no shutdown

The following example selects channel group 12 of the T1/E1 port 1 on the second NIM card so that later configurations will apply to this serial port:
XSR(config)#interface serial 2/1:12
XSR(config-if<S2/1:12>)#encapsulation ppp
XSR(config-if<S2/1:12>)#no shutdown

ppp authentication
This command specifies the type and order in which CHAP, MS-CHAP or PAP protocols are requested on the interface. Once CHAP, PAP authentication or both have been enabled, the XSR requires the remote device to prove its identity before allowing data traffic to flow.
PAP authentication requires the remote device to send a name and password to be checked against a matching entry in the local username database.
CHAP authentication sends a challenge to the remote device. The remote device must encrypt the challenge value with a shared secret and return the encrypted value and its name to the XSR in a response message. The XSR uses the remote device's name to look up the appropriate secret in the local username database. It uses the looked-up secret to encrypt the original challenge and verify that encrypted values match.
MS-CHAP is closely derived from the PPP CHAP with the exception that it uses MD4 as the hashing algorithm.
You may enable PAP or CHAP, MS-CHAP or all of them, in either order. If both methods are enabled, then the first method specified will be requested during link negotiation. If the peer suggests using the second method or simply refuses the first, then the second method is tried. Some remote devices support CHAP only and some PAP only. The order in which you specify the methods will be based on your concerns about the remote device's ability to correctly negotiate the appropriate method as well as your concern about data line security. PAP usernames and passwords are sent as cleartext strings and can be intercepted and reused. CHAP has eliminated most of the known security holes.
Enabling or disabling PPP authentication does not affect the XSR's willingness to authenticate itself to the remote device.
Note: If you specify CHAP authentication on one side of a connection, you should set CHAP on the other side as well.

Syntax
ppp authentication {any mix of pap chap ms-chap}

Possible parameter combinations include:
chap                Enables CHAP on a serial interface.
pap                 Enables PAP on a serial interface.
ms-chap             Enables MS-CHAP on a serial interface.
chap pap            Preference of CHAP authentication before PAP.
pap chap            Preference of PAP authentication before CHAP.
ms-chap pap chap    Preference of MS-CHAP authentication, then PAP authentication, then CHAP.

Syntax of the no Form


The no form of this command disables PPP authentication:
no ppp authentication

Default
Not enabled

Mode
Interface configuration: XSR(config-if<xx>)#

Example 1
Figure 8-1 shows two routers, Site A and Site B, attempting to authenticate each other using CHAP. The configuration example follows.
Figure 8-1 Authentication Configured on Both Peers
[Figure: Site A (Serial Interface 1/0, ppp chap) sends Challenge - ID 4, Response - ID 8 and Success/Failure - ID 4; Site B (Serial Interface 1/1, ppp chap) sends Challenge - ID 8, Response - ID 4 and Success/Failure - ID 8.]

Figure 8-1 shows that both routers send challenges and responses and either a failure or success. The following sample configuration illustrates the preceding example. On Site A, enter the following commands:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation ppp
XSR(config-if<S1/0>)#no shutdown
XSR(config-if<S1/0>)#ppp authentication chap

On Site B, enter the following commands:
XSR(config)#interface serial 1/1
XSR(config-if<S1/1>)#encapsulation ppp
XSR(config-if<S1/1>)#no shutdown
XSR(config-if<S1/1>)#ppp authentication chap

Example 2
Figure 8-2 shows two routers, Site A and Site B, and only one peer configured to do authentication (using chap) with only Site B issuing the challenge. The configuration example follows.
Figure 8-2 Authentication Configured on One Peer
[Figure: Site A (Serial Interface 1/0, no ppp authentication) sends Response - ID 9; Site B (Serial Interface 1/1, ppp chap) sends Challenge - ID 9 and Success/Failure - ID 9.]

Refer to the following sample configuration for the preceding example. On Site A enter the following commands:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation ppp
XSR(config-if<S1/0>)#no ppp authentication

On Site B enter the following commands:
XSR(config)#interface serial 1/1
XSR(config-if<S1/1>)#encapsulation ppp
XSR(config-if<S1/1>)#ppp authentication chap
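
The CHAP and PAP checks described for ppp authentication, modeled as an added example (not Enterasys code). It assumes the RFC 1994 response computation, MD5 over identifier, secret and challenge, which this guide describes only as encrypting the challenge; USERNAME_DB, the class and function names, and the secrets are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the local username database (name -> shared secret).
USERNAME_DB = {"SiteA": b"constructed-secret-A", "SiteB": b"constructed-secret-B"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """RFC 1994 response value: MD5(identifier || secret || challenge)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Models the side configured with 'ppp authentication chap'."""

    def __init__(self, db):
        self.db = db
        self.pending = {}   # identifier -> outstanding challenge value
        self.next_id = 0

    def challenge(self):
        identifier = self.next_id
        self.next_id = (self.next_id + 1) % 256
        value = os.urandom(16)            # fresh and unpredictable per attempt
        self.pending[identifier] = value
        return identifier, value

    def verify(self, identifier, name, response):
        # A challenge is single-use: remove it so a repeated response fails.
        value = self.pending.pop(identifier, None)
        secret = self.db.get(name)        # secret is looked up by the peer's name
        if value is None or secret is None:
            return False
        expected = chap_response(identifier, secret, value)
        return hmac.compare_digest(expected, response)


def pap_verify(db, name, password):
    """PAP: the name and password themselves cross the link in cleartext."""
    secret = db.get(name)
    return secret is not None and hmac.compare_digest(secret, password)


def demo():
    site_b = Authenticator(USERNAME_DB)
    results = {}

    # Normal exchange: Site A answers Site B's challenge with the shared secret.
    ident, value = site_b.challenge()
    captured = (ident, "SiteA", chap_response(ident, USERNAME_DB["SiteA"], value))
    results["chap_ok"] = site_b.verify(*captured)

    # The same response sent again is rejected: the challenge was consumed.
    results["chap_replay_same_id"] = site_b.verify(*captured)

    # The old response does not fit a new challenge either.
    ident2, _ = site_b.challenge()
    results["chap_replay_new_challenge"] = site_b.verify(ident2, "SiteA", captured[2])

    # A peer that does not hold the secret cannot produce a valid response.
    ident3, value3 = site_b.challenge()
    wrong = chap_response(ident3, b"not-the-secret", value3)
    results["chap_wrong_secret"] = site_b.verify(ident3, "SiteA", wrong)

    # PAP has no per-attempt value, so an observed name/password pair stays valid.
    results["pap_replay"] = pap_verify(USERNAME_DB, "SiteA", USERNAME_DB["SiteA"])
    return results


if __name__ == "__main__":
    for check, outcome in demo().items():
        print(check, outcome)
```

The only result that differs between the two protocols is the replay case, which is the reason to list chap before pap when both must be enabled.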

ppp chap
This command specifies a unique hostname on an interface, refuses CHAP authentication requests from peers, or uses a default password during CHAP authentication when no other password is available. It can enable multiple routers to appear to have the same hostname when using CHAP authentication.
This command can be used to set a default password during authentication challenges when the challenger's username cannot be found in the username list. It is also required when the challenger does not specify its name in the challenge packet and a default password must be sent. Be aware that this password is only used in response to challenges and is not used to authenticate the peer.

Syntax
ppp chap {hostname hostname | refuse | password word}
hostname    Alternate name sent in the CHAP challenge.
refuse      Refuse to authenticate using CHAP.
word        Default password sent to CHAP challenges when no passwords are available.

Syntax of the no Form
The no form of this command disables either function:
no ppp chap {hostname | refuse | password}

Mode
Interface configuration: XSR(config-if<xx>)#

Examples
The following example creates the alternate CHAP hostname freud and the default chap password sigmund:
XSR(config)#interface dialer 1
XSR(config-if<D1>)#encapsulation ppp
XSR(config-if<D1>)#ppp chap hostname freud
XSR(config-if<D1>)#ppp chap password sigmund

The following example enables CHAP authentication refusal:
XSR(config)#interface dialer 1
XSR(config-if<D1>)#encapsulation ppp
XSR(config-if<D1>)#ppp chap refuse

ppp keepalive
This command sets the keepalive timer on a Point-to-Point port. PPP keepalives are sent out as echo requests over the PPP port at specified intervals. They apply to any serial port on which PPP encapsulation is enabled. If you do not specify the interval the default interval is used.
When Link Quality Management (LQM) is enabled on the interface along with ppp keepalive, echo requests are disabled. Upon disabling the LQM feature echo requests will start again if ppp keepalive is still configured.

Syntax
ppp keepalive [period]
period    Keepalive period in seconds.

Syntax of the no Form
Use the no form of the command to disable the keepalives:
no ppp keepalive

Default
Enabled at 30 seconds

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example sets Serial interface 1/0 to have keepalive configured at 8 second intervals:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation ppp
XSR(config-if<S1/0>)#no shutdown
XSR(config-if<S1/0>)#ppp keepalive 8

ppp lcp max-configure


This command configures the restart timer counter for the peak number of Configure-Requests sent out on a Point-to-Point interface. Using the Link Control Protocol (LCP), the command applies to any Serial, or Dialer port, or Fast/GigabitEthernet sub-interface on which PPP encapsulation is set. This counter totals the peak number of configure requests sent without receiving a Configure-Ack, Configure-Nak or Configure-Reject.

Syntax
ppp lcp max-configure number
number    Setting for the configure request counter, ranging from 1 to 255.

Syntax of the no Form
The no command resets the counter to the default value:
no ppp lcp max-configure

Default
10

Mode
Serial, Dialer or Fast/GigabitEthernet sub-interface configuration: XSR(config-if<xx>)#

Example
The following example sets the LCP max-configure value at 2 requests:
XSR(config)#interface dialer 2
XSR(config-if<D2>)#ppp lcp max-configure 2

ppp lcp max-failure


This command configures the counter for the maximum number of Configure-Nak packets sent out on a Point-to-Point interface. Using the Link Control Protocol (LCP), the command applies to any Serial or Dialer port, or Fast/GigabitEthernet sub-interface on which PPP encapsulation is set. This counter totals the peak number of Configure-Nak packets to send; subsequent Nak packets are converted to Configure-Reject packets.

Syntax
ppp lcp max-failure number
number    Setting for the max-failure counter. Range: 1 to 255.

Syntax of the no Form
The no command resets the counter to the default value:
no ppp lcp max-failure

Default
5

Mode
Serial, Dialer or Fast/GigabitEthernet Sub-interface configuration: XSR(config-if<xx>)#

Examples
The following example sets the lcp max-failure value at 100 packets on Serial interface 2/1:
XSR(config)#interface serial 2/1
XSR(config-if<S2/1>)#ppp lcp max-failure 100

The following example sets the lcp max-failure value at 200 packets on FastEthernet sub-interface 2/1.1:
XSR(config)#interface fastethernet 2.1
XSR(config-if<F2/1:1>)#ppp lcp max-failure 200

ppp lcp max-terminate


This command configures the restart timer counter for the number of Terminate-Requests sent out on a Point-to-Point interface. Using the Link Control Protocol (LCP), the command applies to any Serial or Dialer port, or Fast/GigabitEthernet sub-interface on which PPP encapsulation is set. This counter totals the peak number of terminate requests sent without receiving a Terminate-Ack before assuming that the peer cannot respond.

Syntax
ppp lcp max-terminate number
number    Setting for the terminate request counter. Range: 1 to 255.

Syntax of the no Form
The no command resets the counter to the default value:
no ppp lcp max-terminate

Default
2

Mode
Serial, Dialer and Fast/GigabitEthernet Sub-interface configuration: XSR(config-if<xx>)#

Example
The following example sets the terminate request counter at 10 requests on Dialer interface 57:
XSR(config)#interface dialer 57
XSR(config-if<D57>)#ppp lcp max-terminate 10

ppp max-bad-auth
This command permits multiple authentication failures. It configures a Point-to-Point interface not to reset itself immediately after an authentication failure but to allow a specified number of authentication retries. This command applies to any serial interface on which PPP encapsulation is enabled.

Syntax
ppp max-bad-auth number
number    Number of retries after which the interface resets itself.

Syntax of the no Form
Use the no form of this command to reset to the default (immediate reset):
no ppp max-bad-auth

Default
0

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example sets serial interface 1/0 to allow five additional retries after an initial authentication failure (for a total of six failed authentication attempts):
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation ppp
XSR(config-if<S1/0>)#no shutdown
XSR(config-if<S1/0>)#ppp authentication chap
XSR(config-if<S1/0>)#ppp max-bad-auth 6

ppp pap sent-username


This command configures a PAP username and cleartext password for the specified interface. The value is used in the PAP authentication request packet to the peer.

Syntax
ppp pap sent-username [username] password [password]
username    Username sent in the PAP authentication request packet.
password    The cleartext password sent in the PAP authentication request packet. Limit: up to 255 ASCII characters. Enclose password in double quotes if entering a string with spaces.

Syntax of the no Form
Use the no form of this command to delete the username and password:
no pap sent-username

Default
No username or password

Mode
Interface configuration: XSR(config-if<xx>)#

Example
This example configures a PAP authentication username of jim and a cleartext PAP password of evans on serial interface 2/1:
XSR(config)#interface serial 2/1
XSR(config-if<S2/1>)#encapsulation ppp
XSR(config-if<S2/1>)#no shutdown
XSR(config-if<S2/1>)#ppp pap sent-username jim pass evans

ppp peer default ip address


This command specifies the default IP address of a remote peer for use during PPP/IPCP negotiation if the peer requests it. The address is used when the remote peer sends a 0.0.0.0 IP address in the CONFIG-REQUEST and asks the local system to assign an IP address. The address will not be used if the peer already has been assigned an IP address with its own local configuration.
This command can be used for Interface Serial, T1/E1 channel groups, BRI leased line with PPP encapsulated; Ethernet sub-interface and ATM sub-interface with PPPoE or PPPoA encapsulated. When used at the dialer interface, it applies to the Point-to-Point (P2P) dialer interface only. For Dialer Multipoint-to-Point interfaces, the dialer map ip command supplies the remote address associated with particular dialing numbers.
Note: The peer default IP address takes effect only when the peer is configured as IP address negotiated.

Syntax
ppp peer default ip address {ip address}
ip address    IP address of the remote peer.

Syntax of the no Form
Use the no form of this command to remove the IP address:
no ppp peer default ip address

Mode
Interface configuration: XSR(config-if<xx>)#

Examples
This example sets the peer's IP address on Serial interface 1/0:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation ppp
XSR(config-if<S1/0>)#ppp peer default ip address 192.168.1.3

This example sets the peer's IP address on P2P Dialer interface 1:
XSR(config)#interface dialer 1
XSR(config-if<D1>)#encapsulation ppp
XSR(config-if<D1>)#ppp peer default ip address 10.10.10.1

This example sets the peer's IP address on M2P Dialer interface 2:
XSR(config)#interface dialer 2 multi-point
XSR(config-if<D2>)#encapsulation ppp
XSR(config-if<D2>)#dialer map ip 20.20.20.1 9051234567

ppp quality
This command sets the minimum Link Quality Monitoring (LQM) value on a serial interface before the link will go down.
Percentages are calculated for both incoming and outgoing directions. The outgoing quality is calculated by comparing the total number of packets and bytes sent to the total number of packets and bytes received by the destination node. The incoming quality is calculated by comparing the total number of packets and bytes received to the total number of packets and bytes sent by the destination node.
If the link quality percentage is not maintained, the link is considered of poor quality and taken down (by sending a DOWN event to all active NCPs). LQM forces a time lag so the link does not bounce up and down.

Syntax
ppp quality [percentage]
percentage    Sets the link quality threshold, ranging from 1 to 100.

Syntax of the no Form
Use the no form of this command to disable LQM:
no ppp quality

Default
Disabled

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example enables LQM on Serial interface 2/0:
XSR(config)#interface serial 2/0
XSR(config-if<S2/0>)#encapsulation ppp
XSR(config-if<S2/0>)#no shutdown
XSR(config-if<S2/0>)#ppp quality 75

ppp timeout retry


This command sets the restart timer for Configure-Requests and Terminate-Requests on a Point-to-Point interface. The timer is the peak interval to wait for a response during PPP negotiation. This command applies to any serial port on which PPP encapsulation is enabled.

Syntax
ppp timeout retry seconds
seconds    Restart timer interval, ranging from 1 to 255 seconds.

Syntax of the no Form
The no command resets the timer to the default value:
no ppp timeout retry

Default
3

Mode
Serial, Dialer, and Fast/GigabitEthernet Sub-interface configuration: XSR(config-if<xx>)#

Example
The following example resets the restart timer of Serial interface 1:
XSR(config)#interface serial 1/0
XSR(config-if<S1>)#encapsulation ppp
XSR(config-if<S1>)#ppp timeout retry 20

username
This command adds or modifies a user who can manage the XSR.
Note: Refer to Network Management for more details.

This command specifies the password to be used in the PPP Challenge Handshake Authentication Protocol (CHAP) caller identification and by the Password Authentication Protocol (PAP).
A username entry is required for each remote system that the XSR communicates with and from which it seeks authentication for protocols such as CHAP and PAP or MS-CHAP. When the XSR receives CHAP and MS-CHAP challenges, the received username is searched through the list of usernames to find a password so it can send a response.
When the XSR receives responses to its challenges, the response name is searched through the list of usernames and passwords and compared. When the XSR receives PAP responses it also searches through its list of usernames to match passwords.

Syntax
username name password {cleartext | secret type} password
name         User ID.
cleartext    The password will not be encrypted.
secret       The password will be encrypted.
type         0 or 5. 0 means the input password is expected to be unencrypted; 5 means the input password is already encrypted so it will not be encrypted again.
password     For CHAP authentication: specifies the secret password for the local router or the remote system. The secret is encrypted when stored on the local router. The password can be up to 255 ASCII characters. Enclose the password in double quotes if entering a string with spaces. There is no limit to the number of username-password combinations that can be specified, allowing any number of remote systems to be authenticated.

Syntax of the no Form
The no form of this command deletes the user:
no username name

Default
No password is predefined

Mode
Global configuration: XSR(config)#

Example
The following example enables CHAP on serial interface 1/0 and defines a password for local server Bob and remote server John:
XSR(config)#hostname Bob
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation ppp
XSR(config-if<S1/0>)#ppp authentication chap
XSR(config)#username John password remote_dev
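
A review script for the PPP authentication settings covered by the ppp authentication, ppp max-bad-auth, ppp pap sent-username and username commands, as an added example (not an Enterasys tool). The configuration text is constructed from the command forms in this chapter; the one-command-per-line layout, the finding names and the audit function are assumptions of the example.

```python
# Constructed configuration fragment built from command forms shown in this chapter.
SAMPLE_CONFIG = """\
username John password cleartext remote_dev
username Ann password secret 0 s3cret
interface serial 1/0
 encapsulation ppp
 ppp authentication pap chap
 ppp max-bad-auth 6
interface serial 2/1
 encapsulation ppp
 ppp pap sent-username jim password evans
interface dialer 1
 encapsulation ppp
 ppp authentication chap
"""


def audit(config_text):
    """Return a sorted list of (scope, finding) tuples.

    Findings (names are this example's own):
      USER-CLEARTEXT:<name>     username stored with the cleartext keyword
      NO-PEER-AUTH              PPP interface without ppp authentication
      PAP-REQUESTED-FIRST       pap is the first method requested
      PAP-FALLBACK              pap is listed after another method
      PAP-CREDENTIAL-IN-CONFIG  ppp pap sent-username holds a cleartext password
      AUTH-RETRIES:<n>          ppp max-bad-auth raised above the default of 0
    """
    findings = []
    interfaces = {}    # interface name -> list of tokenized commands
    current = None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("!"):
            continue
        if words[0] == "interface":
            current = " ".join(words[1:3])
            interfaces[current] = []
        elif words[0] == "username":
            # username name password {cleartext | secret type} password
            if len(words) >= 4 and words[2] == "password" and words[3] == "cleartext":
                findings.append(("global", "USER-CLEARTEXT:" + words[1]))
        elif current is not None:
            interfaces[current].append(words)

    for name, cmds in interfaces.items():
        if ["encapsulation", "ppp"] not in cmds:
            continue                       # only PPP interfaces are reviewed
        methods = None
        for w in cmds:
            if w[:2] == ["ppp", "authentication"]:
                methods = w[2:]
            elif w[:3] == ["ppp", "pap", "sent-username"]:
                findings.append((name, "PAP-CREDENTIAL-IN-CONFIG"))
            elif (w[:2] == ["ppp", "max-bad-auth"] and len(w) == 3
                  and w[2].isdigit() and int(w[2]) > 0):
                findings.append((name, "AUTH-RETRIES:" + w[2]))
        if not methods:
            # Default is "Not enabled": the peer is never asked to prove its identity.
            findings.append((name, "NO-PEER-AUTH"))
        elif "pap" in methods:
            first = methods[0] == "pap"
            findings.append((name, "PAP-REQUESTED-FIRST" if first else "PAP-FALLBACK"))
    return sorted(findings)


if __name__ == "__main__":
    for scope, finding in audit(SAMPLE_CONFIG):
        print("%-12s %s" % (scope, finding))
```

A username entered without the cleartext or secret keyword, as in the example above, is not classified by this script because the guide does not say how such an entry is stored.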

PPP Debug, Clear and Show Commands

debug ppp packet

This command enables PPP debugging for an interface from outside the actual interface. It performs the same PPP debugging as the ppp debug packet command but is issued from EXEC mode.
Note: All XSR debug commands are set to privilege level 15 by default.

Syntax
debug ppp packet [interface type/number] limit [x][type1][type2]
interface type    Dialer, ATM, Serial, BRI, Multilink, or Fast/GigabitEthernet interfaces.
number            Interface number.
x                 Total number of packets to debug, ranging from 1 to 1,000,000.
type1 type2       Packet types to debug including: PAP, CHAP, AUTH, BACP, BAP, BCP, CCP, ECP, IPCP, IPXCP, LCP and LQM.

Syntax of the no Form
The following no form of the command returns the default value:
no debug ppp packet [interface type/number]

Mode
EXEC configuration: XSR>
Note: This command does not display in the running config file since it is strictly a debug function. It must be set manually every time you reboot the XSR.

Example
The following example sets PPP debugging on Serial interface 2/0:0 with a limit of 10 packets for LCP, BACP and BAP protocols:
XSR#debug ppp packet serial 2/0:0 limit 10 lcp bacp bap

Sample Output
The following debugging output displays all PPP control packets:
May 21, 2003: 13:00:00 Rx 20 bytes LCP CONFIG_REQ: MRU: 1500 Magic Number: 12345678 (0xBC614E)
May 21, 2003: 13:00:00 Tx 12 bytes IPCP CONFIG_ACK: IP Address: 10.10.10.10
If the length field in the packet content does not match the total packet length, a warning is displayed:
May 21, 2003: 13:00:00 Rx 20 bytes LCP CONFIG_REQ: MRU: 1500 Magic Number: 12345678 (0xBC614E) (WARNING!!! NOT MATCHING PCK LENGTH 60bytes)

ppp debug packet


This command invokes debugging of Type 1 and 2 PPP control packets (transmit and receive) on Serial, Multilink, or Dialer interfaces. For Multilink, debugging is applied only to the bundle which handles IPCP and BAP/BACP negotiations. For Dialer interfaces, it is applied to the Serial interface that the dialer allocates to dial out. Within the control packet, the following fields are decoded and displayed: protocol (see list below), code (type of packet), packet identifier, packet length, and the type, length and content of the option.
You can select these packet types to be debugged: PAP, CHAP, MS-CHAP, AUTH, BACP, BAP, BCP, CCP, ECP, IPCP, IPXCP, LCP, MLPPP, and LQM. You can specify up to nine packet types to be debugged, and if you choose all packet types, entering ppp debug packet is sufficient. You can also choose to specify the same packet type repeatedly (that is, ppp debug packet auth auth auth auth), which will have the same effect as issuing the packet type once.
Notes:
You do not necessarily need to set a limit to be able to specify the types of packets. But, you cannot specify packet type first and then request a limit.
All XSR debug commands are set to privilege level 15 by default.
This command does not display in the running config file since it is strictly a debug function. It must be set manually every time you reboot the XSR.
You must issue this command after you enter encapsulation ppp.

Syntax
ppp debug packet limit [x][type1][type2]...
x              Total number of packets to debug, ranging from 1 to 1,000,000.
type1 type2    Packet types to debug including: PAP, CHAP, AUTH, BACP, BAP, BCP, CCP, ECP, IPCP, IPXCP, LCP and LQM.

Syntax of the no Form
The no form of this command removes PPP debugging on the interface:
no ppp debug packet

Default
Limit: 100 packets

Mode
Interface configuration: XSR(config-if<xx>)#

Example
This example sets PPP debugging of IPCP and LQM packets with a 50-packet limit on Serial 1/0:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation ppp
XSR(config-if<S1/0>)#ppp debug packet limit 50 ipcp lqm

Sample Output
The following debugging output is displayed on Multilink interface 57:
XSR#show interface multilink 57
********** Multilink Interface Stats **********
Multilink 57 is Admin Up
Internet address is 192.168.34.1, subnet mask is 255.255.255.0
LCP State: OPENED
IPCP State: OPENED
Multilink State: OPENED
Detailed Debug PPP Control Packet is ON for [type1] [type2] [type3], limit is [x], number decoded is [y]
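
The fields that debug ppp packet and ppp debug packet decode (code, identifier, length, and each option's type, length and content), together with the length-mismatch warning, as an added example (not XSR firmware code). It assumes the RFC 1661 LCP packet layout; the sample packets are constructed, and the code and option labels other than CONFIG_REQ and CONFIG_ACK are this example's own.

```python
import struct

LCP_CODES = {1: "CONFIG_REQ", 2: "CONFIG_ACK", 3: "CONFIG_NAK",
             4: "CONFIG_REJ", 5: "TERM_REQ", 6: "TERM_ACK"}
LCP_OPTIONS = {1: "MRU", 3: "Authentication Protocol",
               4: "Quality Protocol", 5: "Magic Number"}

# Constructed packets: Configure-Request, ID 1, MRU 1500, Magic Number 12345678.
GOOD = bytes.fromhex("0101000e" "010405dc" "050600bc614e")
# Same payload, but the header claims 60 bytes while only 14 were received.
BAD_LENGTH = bytes.fromhex("0101003c" "010405dc" "050600bc614e")
# Second option claims 6 bytes although only 2 remain in the packet.
TRUNCATED_OPTION = bytes.fromhex("0101000a" "010405dc" "0506")


def decode_lcp(packet: bytes) -> dict:
    """Decode an LCP control packet without trusting its length fields."""
    if len(packet) < 4:
        raise ValueError("truncated LCP header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    result = {"code": LCP_CODES.get(code, "code %d" % code),
              "id": identifier, "length": length,
              "options": [], "warnings": []}
    if length != len(packet):
        result["warnings"].append(
            "length field %d != received %d bytes" % (length, len(packet)))
    if code not in (1, 2, 3, 4):
        return result            # only Configure-* packets carry an option list

    # Never read past the bytes actually received, whatever the header claims.
    end = min(max(length, 4), len(packet))
    pos = 4
    while pos < end:
        if end - pos < 2:
            result["warnings"].append("dangling byte at offset %d" % pos)
            break
        opt_type, opt_len = packet[pos], packet[pos + 1]
        if opt_len < 2 or pos + opt_len > end:
            result["warnings"].append(
                "bad option length %d at offset %d" % (opt_len, pos))
            break
        data = packet[pos + 2:pos + opt_len]
        name = LCP_OPTIONS.get(opt_type, "option %d" % opt_type)
        if opt_type == 1 and len(data) == 2:
            value = struct.unpack("!H", data)[0]
        elif opt_type == 5 and len(data) == 4:
            value = struct.unpack("!I", data)[0]
        else:
            value = data.hex()
        result["options"].append((name, value))
        pos += opt_len
    return result


def render(packet: bytes) -> str:
    """One line per packet, loosely following the sample output above."""
    d = decode_lcp(packet)
    opts = " ".join("%s: %s" % pair for pair in d["options"])
    warn = "".join(" (WARNING: %s)" % w for w in d["warnings"])
    return "Rx %d bytes LCP %s: %s%s" % (len(packet), d["code"], opts, warn)


if __name__ == "__main__":
    for sample in (GOOD, BAD_LENGTH, TRUNCATED_OPTION):
        print(render(sample))
```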

clear ppp
This command clears PPP counters for interfaces running PPP.

Syntax
clear ppp

Mode
Privileged EXEC: XSR#

Sample Output
The following output displays when you enter the show ppp interface command after clearing the serial 1/0:0 port:
XSR#show ppp interface
********** PPP Stats **********
Serial 1/0:0: PPP is Admin Up / Oper Up / Link Speed: 64000
LCP Current State: OPENED
IPCP Current State: OPENED
Multilink Current State: OPENED
LCP STATS
Total Rcv Pck:                       0
Total Rcv Control Pck:               0
Total Rcv Data Pck:                  0
Total Rcv Pck Discarded:             0
Total Tx Pck:                        0
Total Tx Control Pck:                0
Total Tx Data Pck:                   0
Total Tx Pck Discarded:              0
Rx Control Pck Discarded:            0
Rx Control Pck Error:                0
Rx Control Pck Unknown protocol:     0
Rx Control Pck Too Long:             0
LocalToRemoteProtocolCompression:    Disabled
RemoteToLocalProtocolCompression:    Disabled
LocalMRU:                            1500
RemoteMRU:                           1500
ReceiveFcsSize:                      16
TransmitFcsSize:                     16
LQR STATS
No LQM Monitoring
LCP CONFIGURATION
InitialMRU:                          1500
MagicNumber:                         true
FcsSize:                             16
LQR CONFIGURATION
Period:                              10 sec
Status:                              Disabled

show ppp
This command displays all configured PPP ports and status including Link Control Protocol (LCP) and Link Quality Monitoring (LQM) states.

Syntax
show ppp

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following output is displayed for Serial and Multilink interfaces:
XSR#show ppp
Serial 1/0 PPP State: LCP State: OPENED IPCP State: OPENED Multilink State: OPENED
Multilink 8 MLPPP State: LCP State: OPENED IPCP State: OPENED Multilink State: OPENED

The following output is displayed for configured Dialer interfaces:
XSR#show ppp
Dialer0 LCP Current State: INITIAL IPCP Current State: INITIAL
Dialer1 MLPPP State: LCP State: opened Multilink State: opened
Dialer2 MLPPP State: LCP State: opened Multilink State: opened
Dialer3 MLPPP State: LCP State: opened Multilink State: opened
Dialer4 MLPPP State: LCP State: opened Multilink State: opened
Dialer5 MLPPP State: LCP State: opened Multilink State: opened
Dialer33 MLPPP State: LCP State: opened Multilink State: opened
Dialer44 MLPPP State: LCP State: opened Multilink State: opened
Dialer1 MLPPP State: LCP State: opened Multilink State: opened
Multilink 4 MLPPP State: LCP State: opened Multilink State: opened

show interface serial


ThiscommanddisplaysinterfacestatisticsandPPPstatusiftheinterfaceisencapsulatedwith PPP.

Syntax
show interface [card/port:channel number] [type | type number] card/port type number

ThePPPWANportforwhichtoviewlinkstatus,statsandconfigurationdata. SerialorDialerInterfacetypeswhichPPPcanrunon. Card/portforserialinterface. Card/port:channelnumberforserialchannelgroups. NumberforotherlogicalinterfacessuchasDialer.

XSR CLI Reference Guide

8-101

PPP Debug, Clear and Show Commands

Mode
EXECorGlobalconfiguration:XSR> or XSR(config)#

Sample Output
The following output is produced by this command:
Serial 1/0 is Admin Up / Oper Up
Internet address is 25.25.25.3, subnet mask is 255.255.255.0
LCP State: OPENED
IPCP State: OPENED
Multilink State: OPENED

show ppp interface


This command displays all configured PPP instances, the interface they belong to and their status. To issue this command correctly, follow the guidelines below:
- Issuing the show ppp interface command without any other parameter displays link status, statistics and configuration for all interfaces running PPP.
- The show ppp interface type command displays link status, statistics and settings for any interface type running PPP.
- The show ppp interface type number command displays link status, statistics and configuration for the interface type number.
- The show ppp interface dialer number [multi-class serial] command displays Dialer statistics with Serial and Multi-Class options.
- The show ppp interface multilink number [bap | memberlink | multi-class] command displays multilink statistics with various options.

Syntax
show ppp interface card/port [type number options]

card/port    The NIM number and PPP WAN port:channel number to view associated link status, statistics and settings.
type         The interface type PPP is running on including: Dialer (0 to 255), Multilink (1 to 32767), or Serial (see below).
number       Card/port numbers or Card/port:channel number.
option       memberlink, mlpppgroup (MLPPP only), multi-class, or bap (MLPPP only) statistics.

The Serial port card, port, sub-interface, and channel numbers are expressed as follows:
0                            Console port.
<1-2>/<0-3>                  Card and port number.
<1-2>/<0-3>.<1-30>           Card, port, sub-interface number.
<1-2>/<0-3>:<0-31>           Card, port and channel number.
<1-2>/<0-3>:<0-31>.<1-30>    Card, port, channel and sub-interface number.

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following output displays with a PPP connection established (PPP quality has not been enabled on the interface so the LINK QUALITY statistic is not monitoring):
XSR>show ppp interface serial 1/0
********** MLPPP Stats **********
Multilink 8: MLPPP is Admin Up / Oper Up
Group Num: 8
LCP State: OPENED
IPCP State: OPENED
Multilink State: OPENED
Bundle Size: 31
Max Load Threshold: 120
Bundle Tx Load Avg: 240
Bundle Rx Load Avg: 240
Last Tx Seq Num: 14787652
Last Fwd Seq Num: 12933548
Last Rcv M: 12933518
No Of Frag Rcvd: 12920875
No Of Frag Discard: 0
No Of Frag in Rcv List: 11
No Of Pck in Tx Buf Q: 0
Reassem Start Tick: 3882798
Last M Change Tick: 3882815
High Pri Member link is Serial 1/0:29

Multilink PPP includes following memberlink interface:
Serial 1/0:2
Serial 1/0:6
Serial 1/0:9
Serial 1/0:15
Serial 1/0:17
Serial 1/0:18
Serial 1/0:19
Serial 1/0:23
Serial 1/0:26
Serial 1/0:28
Serial 1/0:30
Serial 1/0:20
Serial 1/0:27
Serial 1/0:22
Serial 1/0:21
Serial 1/0:8
Serial 1/0:4
Serial 1/0:0
Serial 1/0:3
Serial 1/0:7
Serial 1/0:13
Serial 1/0:10
Serial 1/0:1
Serial 1/0:25
Serial 1/0:11
Serial 1/0:24
Serial 1/0:12
Serial 1/0:5
Serial 1/0:16
Serial 1/0:14
Serial 1/0:29

The following displays output with PPP quality enabled and a PPP connection:
XSR>show ppp serial 0/4/1
********** PPP Stats **********
Interface Serial 0/4/1
LCP Current State: OPENED
IPCP Current State: OPENED
Multilink Current State: OPENED
LCP STATS
Total Rcv Pck: 1618575
Total Rcv Control Pck: 420
Total Rcv Data Pck: 1618155
Total Rcv Pck Discarded: 1
Total Tx Pck: 1618653
Total Tx Control Pck: 420
Total Tx Data Pck: 1618233
Total Tx Pck Discarded: 2
Rx Control Pck Discarded: 0
Rx Control Pck Error: 0
Rx Control Pck Unknown protocol: 0
Rx Control Pck Too Long: 0
LocalToRemoteProtocolCompression: Disabled
RemoteToLocalProtocolCompression: Disabled
LocalMRU: 1500
RemoteMRU: 1500
ReceiveFcsSize: 16
TransmitFcsSize: 16
LQR STATS
Quality: good
InGoodOctets: 26600
LocalPeriod: 100000
RemotePeriod: 100000
OutLQRs: 1000
InLQRs: 1000
LCP Configuration:
LCP CONFIGURATION
InitialMRU: 1500
MagicNumber: true
FcsSize: 16
LQR CONFIGURATION
Period: 10 sec
Status: Disabled

Output Parameters Summary


For PPP link status and statistics, refer to the following section. For LQR status and statistics, go to page 106. For LQR parameters, go to page 107.

LCP Statistics
This section displays PPP link-specific management information.

Rx Control Pck Discarded
Range          32-bit counter
Description    Sum of received packets discarded because length is too short (less than 4).

Rx Control Pck Error
Range          32-bit counter
Description    Sum of received packets detected with an error in the control field.

Rx Control Pck Unknown protocol
Range          32-bit counter
Description    Sum of received packets detected with an unknown protocol field.

Rx Control Pck Too Long
Range          32-bit counter
Description    Sum of received packets discarded because their length exceeded the MRU. Packets that are longer than the MRU but which are successfully received and processed are NOT included in this count.

LocalToRemoteProtocolCompression
Range          INTEGER {enabled(1), disabled(2)}
Description    Indicates whether the local PPP entity will use Protocol Compression when sending packets to the remote PPP entity. The value is meaningful only when the link has reached the open state.

RemoteToLocalProtocolCompression
Range          INTEGER {enabled(1), disabled(2)}
Description    Indicates whether the remote PPP entity will use Protocol Compression when sending packets to the local PPP entity. The value is meaningful only when the link has reached the open state.

LocalMRU
Range          INTEGER (1...2147483648)
Description    Current value of the MRU for the local PPP Entity. This value is the MRU that the remote entity uses when sending packets to the local PPP entity. The value is meaningful only when the link has reached the open state.

RemoteMRU
Range          INTEGER (1...2147483648)
Description    Current value of the MRU for the remote PPP Entity. This value is the MRU that the local entity uses when sending packets to the remote PPP entity. The value is meaningful only when the link has reached the open state.

ReceiveFcsSize
Range          INTEGER (0...128)
Description    Size of the Frame Check Sequence (FCS) in bits that the remote node will generate when sending packets to the local node. The value is meaningful only when the link has reached the open state.

TransmitFcsSize
Range          INTEGER (0...128)
Description    Size of the Frame Check Sequence (FCS) in bits that the local node will generate when sending packets to the remote node. The value is meaningful only when the link has reached the open state.

LQR Status and Statistics
This section displays LQR parameters displayed for the local PPP entity. Values are displayed only if LQR Quality Monitoring has been successfully negotiated on the link.

Quality
Range          Integer Good, Bad, or Not determined
Description    Current quality of the link as declared by the local PPP entity's Link Quality Management modules. No effort is made to define good or bad, nor is the policy used to learn it. The "not determined" value indicates that the entity does not actually evaluate the link's quality. This value distinguishes the "determined to be good" case from the "no determination made and presumed to be good" case.

LocalPeriod
Range          Integer 1 to 2147483648
Description    The LQR reporting period, in hundredths of a second, that is in effect for the local PPP entity.

OutLQRs
Range          32-bit counter
Description    Value of the OutLQRs counter on the local node for the link. OutLQRs increases by one for each transmitted Link Quality Report packet.

LCP Configuration
This section describes LCP configuration data displayed for a PPP Link.

InitialMRU
Range          Integer 0 to 2147483647
Description    Initial Maximum Receive Unit (MRU) that the local PPP entity will advertise to the remote entity. If the value of this variable is 0 then the local PPP entity will not advertise any MRU to the remote entity and the default MRU will be assumed. Changing this object will take effect when the link is next restarted.
Default        1500

MagicNumber
Range          Integer False or True
Description    If true (2), the local node will try to perform Magic Number negotiation with the remote node. If false (1), negotiation is not tried. The local node will comply with any magic number negotiations tried by the remote node, per the PPP RFC. Changing this object will take effect when the link is next restarted.
Default        False

FcsSize
Range          Integer 0 to 128
Description    Size of the FCS, in bits, the local node will try to negotiate for use with the remote node. Regardless of the value of this object, the local node will comply with any FCS size negotiations started by the remote node, according to the PPP RFC. Changing this object will take effect when the link is next restarted.
Default        16

LQR Configuration
This section describes LQR configuration data displayed for a PPP link.

Period
Range          Integer 0 to 2147483647
Description    The LQR Reporting Period that the local PPP entity will attempt to negotiate with the remote entity, in hundredths of a second. Changing this object will take effect when the link is next restarted.
Default        0

Status
Range          Integer Disabled or Enabled
Description    If enabled (2), the local node will try to perform LQR negotiation with the remote node. If disabled (1), negotiation is not tried. The local node will comply with any magic number negotiations tried by the remote node, according to the PPP RFC. Changing this object takes effect when the link is next restarted.
Default        Enabled

Multilink PPP Commands

interface multilink

This command names the multilink group and creates a logical interface for this multilink group. Only the PPP multilink group is supported currently.

Syntax
interface multilink number [1-32767]

1-32767    Designation of the virtual multilink group.

Syntax of the no Form


The no form of this command deletes the multilink group:
no interface multilink number [1-32767]

Default
No multilink group

Mode
Global configuration: XSR(config)#

Next Mode
Multilink Interface configuration: XSR(config-if<Mxx>)#

Example
The following example enables multilink on group 2 with serial interface 1/1 configured as the physical interface:
XSR(config)#interface multilink 2
XSR(config-if<M2>)#ppp multilink endpoint ip 192.168.10.214
XSR(config-if<M2>)#ip address 192.168.10.213 255.255.255.252
XSR(config-if<M2>)#no shutdown
XSR(config)#interface serial 1/1
XSR(config-if<S1/1>)#media-type X21
XSR(config-if<S1/1>)#multilink-group 2
XSR(config-if<S1/1>)#encapsulation ppp
XSR(config-if<S1/1>)#ppp multilink
XSR(config-if<S1/1>)#no shutdown

multilink max-links
This command sets the maximum number of links allowed in this bundle. If multilink BAP is configured and the number of active links exceeds the maximum number of links, BAP will try to negotiate the links down.

Syntax
multilink max-links number (1-255)

1-255    Maximum number of links allowed in this bundle.

Default
16

Mode
Dialer Interface configuration: XSR(config-if<xx>)#

Example
This example sets the minimum multilink limit to 6 on Dialer port 4:
XSR(config)#interface dialer 4
XSR(config-if<D4>)#multilink min-links 6

multilink min-links
This command triggers the dialer to maintain the minimum number of links in a bundled multilink over a switched line and should be configured on the called side of a connection. It is the first means by which the XSR effects Bandwidth on Demand (BoD).

The multilink load-threshold command is the second means by which the XSR controls traffic via BoD. A third means to effect BoD is by use of the Bandwidth Allocation Protocol (BAP) which is activated by several ppp bap commands. BAP negotiates with the peer to add or drop a link, and can request a phone number from a central repository with the ppp bap number command. If multilink BAP is configured and the number of active links is less than the minimum number of links, BAP will try to negotiate the links up.

Syntax
multilink min-links number (1-255)

1-255    Minimum number of links allowed in this bundle.

Default
1

Mode
Dialer Interface configuration: XSR(config-if<xx>)#

Examples
The following example sets the minimum multilink limit to 6 on the terminating dialer interface:
XSR(config)#interface dialer 4
XSR(config-if<D4>)#multilink min-links 6

ppp bap call


This command sets Bandwidth Allocation Protocol (BAP) call values on a dialer interface to set up Bandwidth on Demand (BoD). It permits the port to accept links from and initiate links to a peer.

The multilink load-threshold command is a second means by which the XSR controls traffic via BoD. It is also provided by setting the multilink min-links command.
Note: The multilink load-threshold command must be set to operate BAP.

Syntax
ppp bap call {accept | request}

accept     Accepts links from a peer. This default lets peers add links to the ML bundle.
request    Lets the local side of the connection start links. Set up on the called side of a link only.

Syntax of the no Form


The no form of this command disables previously set BAP values:
no ppp bap call {accept | request}

Default
Accept

Mode
Dialer Interface configuration: XSR(config-if<Dx>)#

Example
The following example sets BAP call values on Dialer interface 57:
XSR(config)#interface dialer 57
XSR(config-if<D57>)#encapsulation ppp
XSR(config-if<D57>)#no shutdown
XSR(config-if<D57>)#ppp bap call accept

ppp bap callback


This command enables Bandwidth Allocation Protocol (BAP) callback parameters on a dialer interface to set up Bandwidth on Demand (BoD). It permits the port to initiate adding a link to or requesting a link from a peer. It applies to Dialer interfaces only.

The multilink load-threshold command is a second means by which the XSR controls traffic via BoD. It is also provided by setting the multilink min-links command.
Note: You must configure multilink load-threshold to run BAP.

Syntax
ppp bap callback {accept | request}

accept     Local router initiates a link addition upon peer notification.
request    Local router requests a peer to initiate a link.

Mode
Dialer Interface configuration: XSR(config-if<Dx>)#

Syntax of the no Form
The no form of this command removes callback configuration:
no ppp bap callback {accept | request}

Example
The following example configures BAP to accept and request callbacks:
XSR(config)#interface dialer 1
XSR(config-if<D1>)#encapsulation ppp
XSR(config-if<D1>)#no shutdown
XSR(config-if<D1>)#ppp bap callback accept
XSR(config-if<D1>)#ppp bap callback request

ppp bap number


This command specifies the Bandwidth Allocation Protocol (BAP) phone number which a peer can dial to connect and set up Bandwidth on Demand (BoD). It applies to dialer interfaces only.

The multilink load-threshold command is a second means by which the XSR controls traffic via BoD. It is also provided by setting the multilink min-links command.
Note: The multilink load-threshold command must be set to operate BAP.

Syntax
ppp bap number {default phone-number}

default phone-number    Primary number for incoming calls. Up to 5 numbers can be entered.

Syntax of the no Form


The no command removes a BAP phone number:
no ppp bap number {default phone-number}

Mode
Dialer Interface configuration: XSR(config-if<Dx>)#

Example
The following example specifies the BAP default phone number:
XSR(config)#interface dialer 1
XSR(config-if<D1>)#ppp bap number

ppp bap timeout


This command configures Bandwidth Allocation Protocol (BAP) action timeouts to set up Bandwidth on Demand (BoD).

The multilink load-threshold command is a second means by which the XSR controls traffic via BoD. It is also provided by setting the multilink min-links command.

Syntax
ppp bap timeout {pending seconds | response seconds}

pending seconds     Wait interval for pending actions. Range: 2 to 180 seconds.
response seconds    Wait interval for response packets. Range: 2 to 180 seconds.

Syntax of the no Form


The no command deletes BAP action timeouts:
no ppp bap timeout {pending | response}

Defaults
Pending seconds: 20
Response seconds: 20

Mode
Dialer Interface configuration: XSR(config-if<Dx>)#

Example
The following example resets the BAP pending timeout on Dialer port 1:
XSR(config)#interface dialer 1
XSR(config-if<D1>)#ppp bap timeout pending 60

ppp multilink
This command enables Multilink PPP on an XSR interface. Multilink PPP operates over single or multiple interfaces that are configured to support both Dial on Demand rotary groups and PPP encapsulation. It applies to asynchronous serial interfaces, and ISDN leased line Basic Rate Interfaces (BRIs), and ISDN Primary Rate Interfaces (PRIs).

This command is associated with the following multilink sub-commands:
- endpoint - sets the multilink group Endpoint Descriptor over the multilink bundle. Refer to page 8-114 for command details.
- fragment-delay - sets the maximum fragment delay interval. Refer to page 8-115 for command details.
- fragment disable - disables fragmentation over a multilink PPP connection. Refer to page 8-117 for command details.
- group - configures a PPP link and assigns it to a specified PPP multilink group. Refer to page 8-118 for command details.
- load-threshold - sets the value which triggers the dialer to add or delete a link from the multilink bundle. See page 8-119 for details.
- multi-class - sets the Multi-Class MLPPP option for the MLPPP header format. Refer to page 8-120 for command details.

Multilink PPP BAP is designed to manage bandwidth of a multilink bundle. BAP works in conjunction with the multilink load-threshold command to enable Bandwidth on Demand (BoD) when bandwidth must be added or removed on the XSR.

BAP negotiates with the peer to add or drop a link, and can request a phone number from a central site repository using the bap number default command.
Note: BAP is employed on Dialer and ISDN lines only.

Use the multilink load-threshold command to enable a dialer interface (dialer profile) to bring up additional links and add them to a multilink bundle. If you want a multilink bundle to be connected indefinitely, you must set a very high idle timer.

Syntax
ppp multilink {bap}

bap    Enables BAP/BACP to be negotiated over the multilink bundle.

Syntax of the no Form


The no form of this command not only removes multilink on the interface but also multilink BAP if it also was configured:
no ppp multilink {bap}

Default
Disabled

Mode
Dialer or Serial Interface configuration: XSR(config-if<D/Sxx>)#

Examples
The following example configures a dialer for Multilink PPP. It does not show the configuration of the physical interfaces.
XSR(config)#interface dialer 0
XSR(config-if<D0>)#ip address 101.0.0.2 255.0.0.0
XSR(config-if<D0>)#encapsulation ppp
XSR(config-if<D0>)#dialer idle-timeout 500
XSR(config-if<D0>)#dialer map ip 101.0.0.1 name ny broadcast 41612345678922
XSR(config-if<D0>)#dialer load-threshold 30 either
XSR(config-if<D0>)#ppp authentication chap
XSR(config-if<D0>)#ppp multilink

The following example configures Multilink PPP leased line service on BRI interface 2/1. Specifying the leased line speed of 56 kbps adds two B-channels to the BRI port, one of which is enabled for Frame Relay service.
XSR(config)#interface bri 2/1
XSR(config-if<BRI-2/1>)#leased-line 56
XSR(config)#interface bri 2/1:1
XSR(config-if<BRI-2/1:1>)#encapsulation ppp
XSR(config-if<BRI-2/1:1>)#ppp multilink
XSR(config-if<BRI-2/1:1>)#ppp multilink group 1
XSR(config)#interface bri 2/1:2
XSR(config-if<BRI-2/1:2>)#ip address 3.3.3.4 255.255.255.0
XSR(config-if<BRI-2/1:2>)#encapsulation frame-relay
XSR(config)#interface multilink 1
XSR(config-if<M1>)#ip address 3.3.3.3 255.255.255.0

ppp multilink endpoint


This command sets the multilink group Endpoint Descriptor (EPD) value (class) over the multilink bundle. It applies only to interfaces that can configure a bundle interface including Multilink, Dialer, and ISDN BRI or PRI interfaces.

Syntax
ppp multilink endpoint [null | hostname | ip_address | mac interface | fastethernet (1-2) string | phone]

null                          NULL class is specified with a value of 0.
hostname                      Local Assigned address class is set with a local host name entered using the hostname command.
ip_address                    IP address class is set with a specified IP address value.
mac interface fastethernet    IEEE 802.1 Global MAC address class is set with a MAC address of either Fastethernet 1 or 2.
string                        PPP Magic Number class is specified. Instead of using the negotiated PPP magic number, you can specify any string less than 20 characters.
phone                         PSTN Directory Number class set with a phone number of no more than 15 digits.

Mode
Dialer, Multilink, BRI Interface, and Controller configuration: XSR(config-if<xx>) and XSR(config-controller<T/Exx>)

Default
Hostname

Example
The following example sets the PPP multilink endpoint value over virtual multilink interface 57:
XSR(config)#interface multilink 57
XSR(config-if<M57>)#ppp multilink endpoint null
XSR(config-if<M57>)#ppp multilink endpoint hostname
XSR(config-if<M57>)#ppp multilink endpoint ip address 1.1.1.1
XSR(config-if<M57>)#ppp multilink endpoint string aaaaaaa
XSR(config-if<M57>)#ppp multilink endpoint phone 1234567890

ppp multilink fragment-delay


This command sets the maximum fragment delay interval in milliseconds. The value is used to compute the maximum fragment size that can be sent over each member link in the bundle. The maximum fragment size is calculated as:

Fragment size (in bytes) = fragment delay (ms) x link speed (kbps) / 8

Note: The maximum fragment size is limited to 1500 bytes.

Table 8-1 below shows the relationship between maximum fragment delay and maximum fragment size. Italicized figures indicate bytes.

Each MLPPP packet includes one fragment with an additional HDLC header (2 bytes), PID (2 bytes), MLPPP header (2/4 bytes for short/long sequence number format) and FCS (2 bytes).

The actual fragment size will be decided after the load balance over member link is taken into account and should not exceed the maximum fragment size allowed. When the command is entered, no maximum fragment size will be set and the fragment size will only be decided with the load balance.

Table 8-1  Maximum Fragment Size (bytes)/Fragment Delay (ms)

                            Fragment Delay (ms)
Link Speed    5 ms    10 ms    20 ms    50 ms    100 ms    500 ms    1000 ms
56 kbps         35       70      140      280       560      1120       1500
64 kbps         40       80      160      320       640      1280       1500
128 kbps        80      160      320      640      1280      1500       1500
256 kbps       160      320      640     1280      1500      1500       1500
512 kbps       320      640     1280     1500      1500      1500       1500
768 kbps       640     1280     1500     1500      1500      1500       1500
1536 kbps     1280     1500     1500     1500      1500      1500       1500
2024 kbps     1500     1500     1500     1500      1500      1500       1500

Syntax
ppp multilink fragment-delay value

value    Delay interval ranging from 10 to 1000 in milliseconds.

Syntax of the no Form


The no form of this command deletes the fragment delay setting:
no ppp multilink fragment-delay

Mode
Interface configuration: XSR(config-if<xx>)#

Default
10 milliseconds

Example
The following example sets the fragment delay to 30 milliseconds on the Dialer 2 interface:
XSR(config-if<D2>)#ppp multilink fragment-delay 30

ppp multilink fragment disable


This command disables fragmentation over a bundle PPP connection, supporting Multilink and Dialer interfaces.

Syntax
ppp multilink fragment disable

Syntax of the no Form


The no form of this command enables fragmentation (default mode):
no ppp multilink fragment disable

Mode
Interface configuration: XSR(config-if<xx>)#

Default
Enabled

Examples
The following example disables fragmentation over Multilink interface 1:
XSR(config-if<M1>)#ppp multilink fragment disable

Display Examples
The following examples display fragmentation settings by the show interface multilink command:
XSR#show interface multilink 1
********** Multilink Interface Stats **********
Multilink 1 is Admin Up
Internet address is 30.30.30.2, subnet mask is 255.255.255.0
LCP State: OPENED
IPCP State: OPENED
Multilink State: OPENED
Multi-Class State: OPENED
Multilink header format is LONG SEQ NUM
Class suspendable level is 5 tx classes and 5 rcv classes
Fragmentation is disabled

The following example displays fragmentation settings by the show ppp interface multilink command:
XSR#show ppp interface multilink 1
********** MLPPP Bundle Stats **********
Multilink 1: MLPPP is Admin Up / Oper Up
Group Num: 1
LCP State: OPENED
IPCP State: OPENED
Multilink State: OPENED
Multi-Class State: OPENED
Multilink header format is LONG SEQ NUM
Class suspendable level is 5 tx classes and 5 rcv classes
Fragmentation is disabled
Bundle Size: 2
Class Level Tx: 5 Rx: 5
Max Load Threshold: 0
Bundle Tx Load Avg: 0
Bundle Rx Load Avg: 0
No Of Pck in Rx Buf Q: 0
Lowest link Speed: 1536000
Max Fragment Size: Not Set
High Pri Member link is Serial 2/0:0

The following example displays fragmentation settings:
XSR# show ppp interface multilink 1 multiclass
********** MLPPP Bundle MultiClass Stats **********
Multilink 1: MLPPP is Admin Up / Oper Up
Group Num: 1
LCP State: OPENED
IPCP State: OPENED
Multilink State: OPENED
Multi-Class State: OPENED
Multilink header format is LONG SEQ NUM
Class suspendable level is 5 tx classes and 5 rcv classes
Fragmentation is disabled
Max Fragment Size is not set

ppp multilink group


This command configures a PPP link and assigns it to or removes it from a specified PPP Multilink bundle. It applies only to interfaces that can configure a bundle interface including multilink, dialer, and ISDN BRI or PRI interfaces.

Syntax
multilink group 1 - 32767

1 - 32767    Designation of the PPP multilink group.

Syntax of the no Form


The no form of this command removes the PPP multilink group:
no multilink-group

Default
Disabled with no specific multilink group assigned

Mode
Interface configuration: XSR(config-if<xx>)#

Examples
The following example assigns PPP link Serial interface 1/1 to the PPP multilink group 20:
XSR(config-if<S1/1>)#multilink group 20

The next example also assigns PPP link Serial interface 1/1 to the PPP multilink group 20:
XSR(config-if<S1/1>)#ppp multilink group 20

multilink load-threshold
This command sets the multilink load threshold which triggers the dialer to add or delete a link from the multilink bundle. It should be configured on the called side of a connection only. This command effects Bandwidth on Demand (BoD) on the XSR.

In determining whether to trigger the dialer, the XSR monitors only the bundle load. The load threshold provides the dialer with a trigger to add or delete the multilink member link from the member link bundle. The load is sampled every second and averaged over an 8 second period. Triggering is delayed for 10 seconds when the load surpasses or falls below the threshold.

Triggering is generated when:
- Either the inbound or outbound traffic surpasses the threshold; or
- Both inbound and outbound traffic fall below the threshold.

No triggering is generated when:
- The number of member links is already equal to the max-links value set on the bundle when the load surpasses the threshold; and
- The number of the links is already equal to the min-links value set on the bundle when the load falls below the threshold.

The multilink load-threshold command is the second means by which the XSR controls traffic via BoD. It is also provided by setting the multilink min-links command, which is the first means by which the XSR controls traffic. A third means used to effect BoD is by use of the Bandwidth Allocation Protocol (BAP) which is activated by several ppp bap commands. BAP negotiates with the peer to add or drop a link, and can request a phone number from a central repository with the ppp bap number command.
Note: To avoid unexpected behavior, configure this command on one peer only. If it is set on both peers, their threshold values should match.
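
The trigger rules above, replayed over a constructed traffic trace, as an added example that is not XSR code. It assumes the load is measured against the current bundle bandwidth and reads the 10 second delay as the condition having to hold for 10 consecutive one-second samples; to_load, simulate and SAMPLE are hypothetical names.

```python
from collections import deque

WINDOW_S = 8     # page: load is averaged over an 8 second period
HOLD_S = 10      # page: triggering is delayed for 10 seconds
FULL_LOAD = 255  # page: 255 indicates 100% of bandwidth


def to_load(bits_per_sec, bundle_bps):
    """Scale a traffic rate to the load unit (assumed relative to bundle bandwidth)."""
    return min(FULL_LOAD, round(FULL_LOAD * bits_per_sec / bundle_bps))


def simulate(traffic, link_bps, threshold, min_links=1, max_links=16):
    """Replay per-second (rx_bps, tx_bps) samples; return [(second, action, links)]."""
    links = min_links
    rx_win = deque(maxlen=WINDOW_S)
    tx_win = deque(maxlen=WINDOW_S)
    above_for = below_for = 0
    events = []
    for second, (rx_bps, tx_bps) in enumerate(traffic, start=1):
        # Sample once per second against the bandwidth of the links currently up.
        bundle_bps = links * link_bps
        rx_win.append(to_load(rx_bps, bundle_bps))
        tx_win.append(to_load(tx_bps, bundle_bps))
        rx_avg = sum(rx_win) / len(rx_win)
        tx_avg = sum(tx_win) / len(tx_win)

        # Add side: either direction above. Drop side: both directions below.
        above = rx_avg > threshold or tx_avg > threshold
        below = rx_avg < threshold and tx_avg < threshold
        above_for = above_for + 1 if above else 0
        below_for = below_for + 1 if below else 0

        if above_for >= HOLD_S:
            above_for = 0
            if links < max_links:      # no trigger once max-links is reached
                links += 1
                events.append((second, "add", links))
        elif below_for >= HOLD_S:
            below_for = 0
            if links > min_links:      # no trigger once min-links is reached
                links -= 1
                events.append((second, "drop", links))
    return events


# Constructed trace: 25 s of heavy outbound traffic, then 25 s of light traffic.
SAMPLE = [(8_000, 120_000)] * 25 + [(8_000, 8_000)] * 25

if __name__ == "__main__":
    for event in simulate(SAMPLE, link_bps=64_000, threshold=128, max_links=2):
        print(event)
```

With 64 kbps member links, a threshold of 128 and max-links 2, the trace adds a link at second 10 and drops it at second 38; the 8 second average keeps the bundle above the threshold for a few samples after the traffic falls.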

Syntax
multilink load-threshold number (1-255)

1-255    Load on the port: 255 indicates it has reached 100% of bandwidth.

Default
255

Mode
Dialer Interface configuration: XSR(config-if<xx>)#

Example
The following example sets the multilink PPP load threshold to 250 on the terminating Dialer interface:
XSR(config)#interface dialer 4
XSR(config-if<D4>)#multilink load-threshold 250

ppp multilink multi-class


This command enables Multi-Class MLPPP (Multilink PPP) for the Multilink PPP header format providing Quality of Service (QoS) for selected packets between peers. It supports five streams of sequence numbers, the long sequence format by default, and the short sequence number by negotiation. Any class lower than the default requested by the peer will be accepted, and higher than the default will eventually trigger a reject message if the value is accepted by the peer.

Syntax
ppp multilink multi-class

Syntax of the no Form


The no form of this command disables multi-class MLPPP:
no ppp multilink multi-class

Defaults
- Long sequence number
- Accept negotiation for short sequence number
- Accept any suspendable (class) level less than or equal to 5
- Disabled

Mode
Dialer or Multilink Interface configuration: XSR(config-if<xx>)#

Example
The following example enables the multi-class MLPPP option:
XSR(config-if<D57>)#ppp multilink multi-class

Multilink Show Commands

show interface multilink


This command displays multilink interface statistics including MLPPP status for both the bundle and the member link.

Syntax
show interface multilink [number]

card/port    The ML interface port for viewing link status, statistics and configuration data.
number       Logical interfaces.

Mode
EXEC: XSR>

Sample Output
The following is sample output for Multilink interface 8:
XSR>show interface multilink 8
********** Multilink Interface Stats **********
Multilink 8: MLPPP is Admin Up / Oper Up
Group Num: 8
LCP State: OPENED
IPCP State: OPENED
Multilink State: OPENED
Multi-Class State: OPENED
Multilink header format is LONG SEQ NUM
Class suspendable level is 5 tx classes and 5 rcv classes
Max Fragment delay is 10 ms
MLPPP Bundle Info:
Control Object state is Admin Down / Oper Down
Multilink PPP has no memberlinks
Data Object state is Admin Down
The adjacent is DOWN and data passing is FALSE
Bundle size is 0
Max Load Threshold: 0
Total Load Bandwidth is 64000 bits/sec
Bundle Stats
Rx: Total 0,    TX: Total 0
    Data 0,         Data 0
    Ctrl 0,         Ctrl 0
    Null 0,         Null 0
    Drop 0,         Drop 0
Rx Load BW Avg 0, Max 0, Min 0
Tx Load BW Avg 0, Max 0, Min 0

PPP Multilink Status


LCP State
Range          INITIAL/STARTING/CLOSED/STOPPED/CLOSING/STOPPING/REQSENT/ACKRCVD/ACKSENT/OPENED
Description    LCP state. Refer to RFC 1661 for details.

IPCP State
Range          INITIAL/STARTING/CLOSED/STOPPED/CLOSING/STOPPING/REQSENT/ACKRCVD/ACKSENT/OPENED
Description    IPCP state. Refer to RFC 1332 for details.

Multilink State
Range          OPENED/CLOSED
Description    MLPPP state, OPENED if negotiation with peer successful; CLOSED otherwise.

Multi-Class State
Range          OPENED/CLOSED
Description    Multi-Class state, OPENED if negotiation is successful with the peer; CLOSED otherwise.

Bundle Size
Range          1-256
Description    Number of member links under the bundle.

Class Level Tx/Rx
Range          1-5
Description    Multi-Class level after negotiation. 1 for multi-class disabled.

Max Load Threshold
Range          0-255
Description    Zero (0) indicates load threshold monitoring is disabled.

Bundle Tx/Rx Load Avg
Range          0-255
Description    Average loading of Tx/Rx loading. 255 = 100% loading against the bandwidth.

No Of Pck in Rx Buf Q
Range          Not defined.
Description    Number of packets in the rx forwarding buffer.

Lowest link Speed
Range          Not defined.
Description    Lowest speed link under the bundle for calculating the maximum fragment size.

Max Fragment Size
Range          Not defined.
Description    Maximum fragment size over the member links.

High Pri Member link is Serial 1/00
Range          Not defined.
Description    Highest speed link under the bundle. Used to transmit the control packet.

PPP Multilink Bundle Statistics


Rx Stats
Total                   Sum of packets received under the bundle including data, control, Null content packet and the discarded packet.
Data                    Sum of data packets received under the bundle.
Control                 Sum of control packets received under the bundle.
Null                    Sum of Null content packets received under the bundle, used for synchronizing tx/rx sequence number.
Discard Pck Too Long    Sum of packets discarded because size is too long, up to 1504 bytes.
Invalid Proto           Sum of packets discarded because protocol field is invalid for PPP.
Wrong Proto             Sum of packets discarded because protocol field is wrong for MLPPP.
Padding Error           Sum of packets discarded because padding size is wrong.
Invalid Cls#            Sum of packets discarded because class number greater than class level negotiated.
Error to CP             Sum of internal messages lost.
No Lower Lyr            Sum of packets discarded because lower layer is not ready.
No Upper Lyr            Sum of packets discarded because upper layer is not ready.
Others                  Sum of packets discarded due to errors recorded in classes or member links.

Tx Stats
Total                   Sum of packets transmitted under the bundle including data, control, Null content, and discarded packets.
Data                    Sum of data packets transmitted under the bundle.
Control                 Sum of control packets transmitted under the bundle.
Null                    Sum of Null content packets transmitted under the bundle. Used for synchronizing the tx/rx sequence number.
Discard Pck Too Long    Sum of packets discarded because the size is too long, up to 1504 bytes.
No Lower Lyr            Sum of packets discarded because the lower layer is not ready.
EnQueue Full            Sum of packets discarded because the transmission queue is full.
Others                  Sum of packets discarded due to error recorded in classes or member links.

show ppp interface multilink/dialer


This command displays PPP status, statistics and configuration data for interfaces running PPP.

Syntax
show ppp interface [interface type/number][option type]

interface type    Dialer or multilink interface upon which MLPPP can be configured.
number            Designation for multilink or dialer interface.
option type       Available options including the following:
  none            Display general MLPPP status and statistics.
  multi-class     Display Multi-Class related information.
  bap             Display BAP related information.
  memberlink      Display multilink member link related information.

Mode
EXEC: XSR>

Sample Output
The following example displays output without Multi-Class configured:
********** MLPPP Bundle Stats **********
Multilink 8: MLPPP is Admin Up / Oper Up
Group Num: 8
LCP State: OPENED
IPCP State: OPENED
Multilink State: OPENED
Multi-Class State: CLOSED
Bundle Size: 1
Class Level Tx: 1 Rx: 1
Max Load Threshold: 0
Bundle Tx Load Avg: 0
Bundle Rx Load Avg: 0
No Of Pck in Rx Buf Q: 0
Lowest link Speed: 1984000
Max Fragment Size: 256
High Pri Member link is Serial 1/0:0
Rx Stats
  Total:            0
  Data:             0
  Control:          0
  Null:             0
  Discard:
    Pck Too Long:   0
    Invalid Proto:  0
    Wrong Proto:    0
    Padding Error:  0
    Invalid Cls#:   0
    Error to CP:    0
    No Lower Lyr:   0
    No Upper Lyr:   0
    Others:         0
Tx Stats
  Total:            0
  Data:             0
  Control:          0
  Null:             0
  Discard:
    Pck Too Long:   0
    No Lower Lyr:   0
    EnQueue Full:   0
    Others:         0

The following is sample output with Multi-Class configured:
********** MLPPP Bundle Stats **********
Multilink 8: MLPPP is Admin Up / Oper Up
Group Num: 8
LCP State: OPENED
IPCP State: OPENED
Multilink State: OPENED
Multi-Class State: OPENED
Multilink header format is LONG SEQ NUM
Class suspendable level is 5 tx classes and 5 rcv classes
Max Fragment delay is 10 ms
Bundle Size: 1
Class Level Tx: 5 Rx: 5
Max Load Threshold: 0
Bundle Tx Load Avg: 0
Bundle Rx Load Avg: 0
No Of Pck in Rx Buf Q: 0
Lowest link Speed: 1984000
Max Fragment Size: 256
High Pri Member link is Serial 1/0:0
Rx Stats
  Total:            0
  Data:             0
  Control:          0
  Null:             0
  Discard:
    Pck Too Long:   0
    Invalid Proto:  0
    Wrong Proto:    0
    Padding Error:  0
    Invalid Cls#:   0
    Error to CP:    0
    No Lower Lyr:   0
    No Upper Lyr:   0
    Others:         0
Tx Stats
  Total:            0
  Data:             0
  Control:          0
  Null:             0
  Discard:
    Pck Too Long:   0
    No Lower Lyr:   0
    EnQueue Full:   0
    Others:         0

Refer to the show interface multilink command on page 122 for parameter descriptions.

show ppp interface multilink/dialer multi-class


This command displays Multi-Class MLPPP status and statistics.

Syntax
show ppp interface [type | type number] multi-class

type      Multilink or Dialer interfaces upon which PPP is running.
number    Designation for either Multilink or Dialer interfaces.

Mode
EXEC: XSR>

Sample Output
The following example displays output of this command:
********** MLPPP Bundle MultiClass Stats **********
Multilink 1: MLPPP is Admin Up / Oper Up
Group Num: 1
LCP State: OPENED
IPCP State: OPENED
Multilink State: OPENED
Multi-Class State: OPENED
Multilink header format is LONG SEQ NUM
Class suspendable level is 5 tx classes and 5 rcv classes
Max Fragment delay is 10 ms
Max Fragment Size is 256 bytes
Class              0     1     2     3     4
QoSCls#           -1     0     1     2     3
ExpctSeq#          1     1     1     1     1
LastFwdSeq#        0     0     0     0     0
LastM#             0     0     0     0     0
maxFListSize       0     0     0     0     0
FragListSize       0     0     0     0     0
TxSeq#             1     1     1     1     1
TxBufferSize       0     0     0     0     0
Rx Load
  Average          0     0     0     0     0
  Max              0     0     0     0     0
  Min              0     0     0     0     0
Tx Load
  Average          0     0     0     0     0
  Max              0     0     0     0     0
  Min              0     0     0     0     0
Rx Stats:
  Total            0     0     0     0     0
  Discard
    SeqError       0     0     0     0     0
    FListFull      0     0     0     0     0
    Seq<Exp        0     0     0     0     0
    NoBgnFlg       0     0     0     0     0
    AddFgFail      0     0     0     0     0
    CleanQ         0     0     0     0     0
Tx Stats:
  Total            0     0     0     0     0
  Discard
    CleanQ         0     0     0     0     0
    QFull          0     0     0     0     0

PPP Multilink Multi-Class Bundle Parameter Descriptions

Class
Range          0 to 4
Description    Suspendable class level. 0: default class, lowest level. 4: highest level.

QoSCls#
Range          -1 to 3
Description    Equivalent QoS class:
               -1: fair class.
               0: low priority class.
               1: normal priority class.
               2: medium priority class.
               3: high priority class.

ExpctSeq#
Range          1 to 16777215
Description    Next expected sequence number of receiving fragment for this class.

LastFwdSeq#
Range          1 to 16777215
Description    Last forwarded sequence number of the fragment of this class to the upper layer.

LastM#
Range          1 to 16777215
Description    Last M (the smallest received sequence number) of all the member links in this class to the upper layer.

MaxFListSize
Range          Not defined.
Description    Maximum receive fragment reassemble list size for this class. Reset when a show command is issued.

FragListSize
Range          Not defined.
Description    Current receive fragment reassemble list size for this class.

TxSeq#
Range          1 to 16777215
Description    Last sequence number transmitted in this class.

TxBufferSize
Range          0 to 1
Description    Current transmit buffer size for this class.

Tx/Rx Load Average/Max/Min
Range          0 to 255
Description    Transmit/receive load for this class against the total bandwidth, 255 = 100%

Rx Stats
Total                Sum of fragments received for this class.
Discard SeqError     Sum of received fragments discarded for this class because sequence number is out of order.
FlistFull            Sum of received fragments discarded for this class because fragment list is full.
Seq<Exp              Sum of received fragment discarded for this class because sequence number is less than expected.
NoBgnFlg             Sum of received fragments discarded for this class because no BEGIN flag detected.
AddFgFail            Sum of received fragments discarded for this class because fragment cannot be added into fragment list.
CleanQ               Sum of received fragments discarded for this class while cleaning the interface.

Tx Stats
Total                Sum of fragments transmitted for this class.
Discard CleanQ       Sum of transmission fragments discarded for this class while cleaning port.
Qfull                Sum of transmission fragments discarded for this class because transmission queue is full.

show ppp interface multilink/dialer memberlink


This command displays general member link statistics under MLPPP or specific member link statistics if specified.

Syntax
show ppp interface multilink <1-32767> memberlink [type number]
show ppp interface dialer <1-256> memberlink [type number]

Parameters
type      Interface type serial. If serial is specified, only this serial member link statistics display, otherwise all member link data display.
number    Card/port numbers for a serial interface. Card/port:channel numbers for serial channel groups.

Mode
EXEC: XSR>

Sample Output
The following example displays output of this command:
********** MLPPP Member Link Stats **********
Multilink 1: MLPPP is Admin Up / Oper Up
Group Num: 1
LCP State: OPENED
IPCP State: OPENED
Multilink State: OPENED
Multi-Class State: OPENED
Multilink header format is LONG SEQ NUM
Class suspendable level is 5 tx classes and 5 rcv classes
Serial 1/0:0
  Tx: Total   0   Discard   0(0/0)
  Rx: Total   0   Discard   0

PPP Multilink Member Link Parameter Descriptions

The detail of transmit/receive statistics for the member link:
Serial 1/0:0    Name of the member link.

Tx
Total      Sum of fragments transmitted over this member link.
Discard    Sum of transmitting fragments discarded over this member due to invalid length or no lower layer.

Rx
Total      Sum of fragments received over this member link.
Discard    Sum of received fragments discarded over this member link.

show ppp interface multilink/dialer memberlink multi-class


This command displays multi-class statistics on the member link under MLPPP.

Syntax
show ppp interface multilink <1-32767> memberlink multi-class <type number>
show ppp interface dialer <1-256> memberlink multi-class <type number>

Parameters
type      Interface type Serial. If serial is specified, only this serial member link statistics display, otherwise all member link data display.
number    Card/port numbers for a Serial port. Card/port:channel numbers for Serial channel groups.

Mode
EXEC: XSR>

Sample Output
The following example displays output of this command:
********** MLPPP Member Link MultiClassStats **********
Multilink 1: MLPPP is Admin Up / Oper Up
Group Num: 1
LCP State: OPENED
IPCP State: OPENED
Multilink State: OPENED
Multi-Class State: OPENED
Multilink header format is LONG SEQ NUM
Class suspendable level is 5 tx classes and 5 rcv classes
Class              0     1     2     3     4
Serial 1/0:0
LastRxSeq#         0     0     0     0     0
LastTxSeq#         0     0     0     0     0
Rx Stats:
  Total            0     0     0     0     0
  Discard
    FListFull      0     0     0     0     0
    Seq#Err        0     0     0     0     0
    Seq<Expt       0     0     0     0     0
    NoBegin        0     0     0     0     0
    AddFrgFail     0     0     0     0     0
    CleanQ         0     0     0     0     0
Tx Stats:
  Total            0     0     0     0     0
  Discard
    CleanQ         0     0     0     0     0
    QFull          0     0     0     0     0

PPP Multilink Member Link Multi-Class Parameter Descriptions

Class
Range          0 to 4
Description    Level of suspendable class. 0: default class, lowest suspendable level. 4: the highest suspendable level.

Serial 1/0:0
Description    Name of the member link.

LastTxSeq#
Range          1 to 16777215
Description    Last sequence number of fragment sent over the member link for this class.

LastRxSeq#
Range          1 to 16777215
Description    Last sequence number of fragment received over the member link for this class.

Rx Stats
Total                Sum of fragments received for this class.
Discard SeqError     Sum of received fragments discarded for this class because sequence number is out of order over this member link.
FlistFull            Sum of received fragments discarded for this class over this member link because fragment list is full.
Seq<Exp              Sum of received fragments discarded for this class over this member link because sequence number is less than expected.
NoBgnFlg             Sum of received fragments discarded for this class over this member link because no BEGIN flag is detected.
AddFgFail            Sum of received fragments discarded for this class over this member link because fragment cannot be added to the fragment list.
CleanQ               Sum of received fragments discarded for this class over this member link while cleaning the interface.

Tx Stats
Total                Sum of fragments transmitted for this class under this member link.
Discard CleanQ       Sum of transmission fragments discarded for this class under this member link during interface cleaning.
Qfull                Sum of transmission fragments discarded for this class under this member link because transmission queue is full.

show ppp interface dialer x mlpppgroup x bap


This command displays BAP multilink bundle statistics of a specific bundle under the dialer interface. You can view individual multilink bundles when more than one exists on the dialer interface.

Syntax
show ppp interface dialer <number> mlpppgroup <number> bap

number    Dialer interface number, ranging from 0 to 255.
number    Multilink bundle number, ranging from 0 to 255.

Mode
EXEC: XSR>

Sample Output
The following is sample output from the command:
********** MLPPP Bundle Stats **********
Dialer1: MLPPP is Admin Up / Oper Up
Group Num: 1
LCP State: OPENED
IPCP State: OPENED
BACP State: OPENED
Multilink State: OPENED
Multi-Class State: OPENED
Multilink header format is LONG SEQ NUM
Class suspendable level is 5 tx classes and 5
Max Fragment delay is 10 ms
Bundle Size: 20
Class Level Tx: 5 Rx: 5
Max Load Threshold: 100
Bundle Tx Load Avg: 0
Bundle Rx Load Avg: 0
No Of Pck in Rx Buf Q: 0
Lowest link Speed: 64000
Max Fragment Size: 64
High Pri Member link is Serial 3/2/0:10
Rx Stats
  Total:            20137
  Data:             19103
  Control:          2
  Null:             1032
  Discard:
    Pck Too Long:   0
    Invalid Proto:  0
    Wrong Proto:    0
    Padding Error:  0
    Invalid Cls#:   0
    Error to CP:    0
    No Lower Lyr:   0
    No Upper Lyr:   0
    Others:         18
Tx Stats
  Total:            10891
  Data:             9799
  Control:          42
  Null:             1050
  Discard:
    Pck Too Long:   0
    No Lower Lyr:   0
    EnQueue Full:   0
    Others:         0
BAP information:
Local has precedence
Rcv Call-Req:
Rcv Call-ReqAck:        19
Rcv CallBack-Req:       0
Rcv CallBack-ReqAck:    0
Rcv LinkDrop-Req:       0
Rcv LinkDrop-ReqAck:    0
Tx Call-Req:            20
Tx Call-ReqAck:         0
Tx CallBack-Req:        0
Tx CallBack-ReqAck:     0
Tx LinkDrop-Req:        0
Tx LinkDrop-ReqAck:     0
Discriminators      Local   Remote
Serial 3/2/0:26     0       1
Serial 3/2/0:30     1       3
Serial 3/2/0:29     2       5
Serial 3/2/0:28     3       7
Serial 3/2/0:27     4       9
Serial 3/2/0:25     5       11
Serial 3/2/0:24     6       13
Serial 3/2/0:23     7       15
Serial 3/2/0:22     8       17
Serial 3/2/0:21     9       19
Serial 3/2/0:20     10      21
Serial 3/2/0:14     11      23
Serial 3/2/0:19     12      25
Serial 3/2/0:18     13      27

9
Configuring Frame Relay
Observing Syntax and Conventions
CLI command syntax and conventions use the notation described below.

Convention           Description
xyz                  Key word or mandatory parameters (bold)
[x]                  [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]          [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}          { | } Braces with vertical bar indicate a choice of a required value
[x {y | z} ]         [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)      xx signifies the interface type, class map, policy map or other value you specify; e.g., F1, G3, M57, S2/1.0, Node Name, DLCI class name

Next Mode entries display the CLI prompt after a command is entered.
soho.enterasys.com   Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

Frame Relay Commands


This chapter describes the configurable features of the Frame Relay interface for the XSR in the following command subsets:
Frame Relay Map Class Commands on page 9-95
Frame Relay Clear and Show Commands on page 9-102

encapsulation frame-relay
This command enables Frame Relay encapsulation on an interface using IETF (RFC 2427) encapsulation format. When connecting to non-XSR servers, be sure the remote end is configured for IETF encapsulation unless the remote end can handle IETF formatted Frame Relay headers. Other routers may be configured using the following command:
encapsulation frame-relay IETF

Note: If encapsulation is changed from one type to another, all related values of the current encapsulation and any sub-interface settings are deleted. Also, once encapsulation is set on an interface, any sub-interface of that port created later is automatically encapsulated. Finally, you must first enter the no encapsulation command to change the encapsulation type.

Syntax
encapsulation frame-relay

Syntax of the no Form


Disable Frame Relay encapsulation on the interface with the no form:
no encapsulation frame-relay

Mode
Interface configuration: XSR(config-if<xx>)#

Example
This example sets Frame Relay encapsulation on interface serial 1/0:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation frame-relay
XSR(config-if<S1/0>)#no shutdown

frame-relay class
This command associates a map class to an interface or sub-interface. It can be applied to both Frame Relay interfaces and sub-interfaces.
Note: Frame Relay traffic shaping must be enabled on the interface for this command to be effective.

Each virtual circuit (DLCI) created on the interface or sub-interface inherits all relevant parameters defined in the named map class. For each virtual circuit, the precedence rules are as follows:

Use the map class associated with the virtual circuit if it is configured:
frame-relay interface-dlci dlci-num class map-class-name

If not, use the map class associated with the sub-interface if the map class exists:
interface serial 1/0.1 point
frame-relay class sub-interface-map-class-name

If not, use the map class associated with the interface if the map class exists:
interface serial 1/0
frame-relay class interface-map-class-name

If not, use the interface default parameters (CIR: 56 kbps, Bc and Be: 7000 bits, adaptive shaping: disabled and service policy: not set).

Syntax
frame-relay class name

name    Name of the map class.

Syntax of the no Form

The no form removes the association of the map class to the interface or sub-interface:
no frame-relay class name

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following commands set Frame Relay map classes fastlink and normlink with an outbound CIR value of 56 kbps and 25.6 kbps, respectively:
XSR(config)#map-class frame-relay fastlink
XSR(config-map-class<fastlink>)#frame-relay cir out 56000
XSR(config)#map-class frame-relay normlink
XSR(config-map-class<normlink>)#frame-relay cir out 25600

The following commands direct serial link 1/0 to use QoS values from the normlink map class unless explicitly overridden.
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation frame-relay
XSR(config-if<S1/0>)#frame-relay traffic-shaping
XSR(config-if<S1/0>)#no shutdown
XSR(config-if<S1/0>)#frame-relay class normlink

The following commands configure sub-interface serial 1/0.2 to use a different map class (fastlink) than that specified for serial 1/0.
XSR(config)#interface serial 1/0.2 point-to-point
XSR(config-subif<S1/0.2>)#no shutdown
XSR(config-subif<S1/0.2>)#frame-relay class fastlink

frame-relay interface-dlci
This command assigns a data link connection identifier (DLCI) to a specified Frame Relay sub-interface. It is used for sub-interfaces only. When you invoke this command, you enter Frame Relay DLCI Interface mode. This provides the following command options, which must be used with the relevant class names you previously assigned:
class name - assigns a map class to a DLCI.
no class name - cancels the relevant class.
exit - quits Frame Relay DLCI interface mode.

If you attempt to create a DLCI which has already been configured, the following sample warning will be issued:
DLCI 43 is already configured on sub-interface 3

Note: You must delete an existing DLCI before the same DLCI can be created on a different subinterface of the Frame Relay interface.

Once chosen as static, no inverse ARP will be sent out by default. A free inverse ARP request (similar to above) can be requested by this command.
Once chosen as static, this DLCI can be made to respond to a broadcast bootp message entering on this DLCI from the frame relay network. Non-broadcast bootp will still be sent to the local DHCP server or relayed to the IP helper address server.

Notes: The remote site must support sending inverse-arp responses or the interface will come down. An inverse arp is sent from the XSR at a rate of 1 every 4 seconds. It is not configurable.

Syntax
frame-relay interface-dlci nn [[keep-alive nn [gratuitous-inverse-arp]] | [gratuitous-inverse-arp [keep-alive nn]] | [ip A.B.C.D [[bootp [[gratuitous-inverse-arp [keep-alive nn]] | [keep-alive nn [gratuitous-inverse-arp]]]] | [gratuitous-inverse-arp [[bootp [keep-alive nn]] | [keep-alive nn [bootp]]]] | [keep-alive nn [[gratuitous-inverse-arp [bootp]] | [bootp [gratuitous-inverse-arp]]]]]]]

interface-dlci nn         DLCI number for the sub-interface, ranging from 16 to 1007. For the Point-to-Point (P2P) sub-interface type, only one DLCI is allowed. For Point-to-MultiPoint (P2MP) you can configure multiple DLCIs.
gratuitous-inverse-arp    Sends inverse ARP request and ignores a response. This parameter occurs for non-static IP mapping. P2P sub-interfaces will generate a free inverse arp to allow the remote side to learn the IP address of this sub-interface. This parameter is useful only for P2P sub-interfaces, since Point-to-MultiPoint interfaces with dynamic IP resolution will always inverse ARP to learn the remote node's IP address. Omitting this value in a P2P sub-interface prevents sending an inverse arp request. An inverse arp response is always sent when an inverse arp request is received. Broadcast bootp is not supported in dynamic mode. All bootp requests in this mode are forwarded.
ip                        Protocol type to set static IP address to DLCI mapping.
A.B.C.D                   Static IP address of peer node. No address checking done.
bootp                     Respond to a broadcast bootp request with static IP address (used for Remote Auto Install Central Site).
gratuitous-inverse-arp    Sends inverse ARP request. Response is ignored. Valid for both MP2P & P2P sub-interfaces.
keep-alive nn             nn refers to the duration that a DLCI under a P2P interface will wait with no traffic being received before sending an inverse arp packet to confirm that the remote side is still present. The nn range is 10 to 600 seconds.

Syntax of the no Form

Use the no command to delete the DLCI from the specified sub-interface:
no frame-relay interface-dlci dlci-num

Mode
Sub-interface configuration: XSR(config-subif<xx>)#

Next Mode
Frame Relay DLCI configuration: XSR(config-fr-dlci<xx>)#

Examples
The following example maps DLCIs 16 and 18 on serial sub-interface 1/0.1 to the specified IP addresses, supporting bootp and sending a free inverse ARP. Also, DLCI 17 is configured on sub-interface 1/0.2, a free inverse ARP is sent, and remote keepalive is supported in P2P mode.
XSR(config)#interface serial 1/0.1 multi-point
XSR(config-subif)#ip helper 10.10.1.2
XSR(config-subif)#ip address 133.133.1.1 255.255.255.0
XSR(config-subif)#frame-relay interface-dlci 16 ip 133.133.1.2 gratuitous-inverse-arp bootp
XSR(config-fr-dlci)#frame-relay interface-dlci 18 ip 133.133.1.3 bootp
XSR(config-fr-dlci)#no shutdown
XSR(config-fr-dlci)#interface serial 1/0.2 point-to-point
XSR(config-subif)#ip helper 10.10.1.2
XSR(config-subif)#ip address 133.134.1.1 255.255.255.0
XSR(config-subif)#frame-relay interface-dlci 17 gratuitous-inverse-arp keep-alive 30
XSR(config-fr-dlci)#no shutdown

frame-relay intf-type
This command defines the Frame Relay interface type for the interface. The XSR works as a UNI device only, with DTE or DCE as valid entries.

Syntax
frame-relay intf-type {dte | dce}

dte    Specifies the XSR to act as a Frame Relay DTE UNI device.
dce    Specifies the XSR to act as a Frame Relay DCE UNI device.

Syntax of the no Form

no frame-relay intf-type {dte | dce}

Mode
Interface configuration: XSR(config-if<xx>)#

Default
dte

Examples
The following example configures Serial interface 1/0 to act as a Frame Relay DTE, and to use the ANSI Annex D LMI:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#no shutdown
XSR(config-if<S1/0>)#encapsulation frame-relay
XSR(config-if<S1/0>)#frame-relay intf-type dte
XSR(config-if<S1/0>)#frame-relay lmi-type ansi

The following example configures Serial interface 1/0 to act as a Frame Relay DCE, and to use the ANSI Annex D LMI:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#no shutdown
XSR(config-if<S1/0>)#encapsulation frame-relay
XSR(config-if<S1/0>)#frame-relay intf-type dce
XSR(config-if<S1/0>)#frame-relay lmi-type ansi

frame-relay lmi-t391dte
This command sets the interval between LMI Link Integrity Verification (LIV) message transmissions on the Data Terminal Equipment (DTE) interface.
Note: On third-party devices, the LMI LIV period may be configured using the KeepAlive configuration on the interface.

Syntax
frame-relay lmi-t391dte period_in_sec

period_in_sec    Sets the interval between LMI LIV polls, ranging from 5 to 330 seconds.

Syntax of the no Form

Use the no command to restore the default interval value:
no frame-relay lmi-t391dte

Default
10

Mode
Interface configuration: XSR(config-if<xx>)#

Example
Refer to the example in the lmi-n391dte command on page 89.

frame-relay lmi-n391dte
This command sets the full status message polling interval on a Data Terminal Equipment (DTE) interface.

Syntax
frame-relay lmi-n391dte num_ka-exchanges

num_ka-exchanges    Number of keepalive exchanges to occur before requesting a full status message, ranging from 1 to 255.

Syntax of the no Form

The no form of this command restores the default interval value:
no frame-relay lmi-n391dte

Default
6

Mode
Interface configuration: XSR(config-if<xx>)#

Example
This example establishes that a status inquiry will be sent every five seconds and that one of every ten status inquiries generated will request a full status response from the Frame Relay switch. The other nine status inquiries will request keepalive exchanges only:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation frame-relay
XSR(config-if<S1/0>)#frame-relay intf-type dte
XSR(config-if<S1/0>)#frame-relay lmi-n391dte 10
XSR(config-if<S1/0>)#frame-relay lmi-t391dte 5
XSR(config-if<S1/0>)#no shutdown

frame-relay lmi-n392dce
This command sets the error threshold on a Data Communications Equipment (DCE) interface.

Syntax
frame-relay lmi-n392dce threshold

threshold    Error threshold, ranging from 1 to 10.

Syntax of the no Form

The no form of this command removes the current setting:
no frame-relay lmi-n392dce

Default
3

Mode
Interface configuration: XSR(config-if<xx>)#

Example
This example sets the LMI failure threshold to 5 for the DCE device:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation frame-relay
XSR(config-if<S1/0>)#frame-relay intf-type dce
XSR(config-if<S1/0>)#frame-relay lmi-n392dce 5

frame-relay lmi-n392dte
This command sets the error threshold on a Data Terminal Equipment (DTE) interface.

Syntax
frame-relay lmi-n392dte threshold

threshold    Error threshold, ranging from 1 to 10.

Syntax of the no Form

Use the no command to remove the current setting:
no frame-relay lmi-n392dte

Default
3

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example sets the LMI failure threshold to 5 for the DTE device:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation frame-relay
XSR(config-if<S1/0>)#frame-relay intf-type dte
XSR(config-if<S1/0>)#frame-relay lmi-n392dte 5

frame-relay lmi-t392dce
This command sets the polling verification timer on a Data Communications Equipment (DCE) interface. The timer marks the duration that the DCE expects to receive a Status Enquiry from a DTE device.

Syntax
frame-relay lmi-t392dce period_in_sec

period_in_sec    Interval to wait for a Status Enquiry, ranging from 5 to 30 seconds.

Syntax of the no Form

The no form of this command restores the default interval:
no frame-relay lmi-t392dce

Default
15 seconds

Example
The following example sets the DCE to wait 20 seconds for a status enquiry from the DTE before declaring an error event:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation frame-relay
XSR(config-if<S1/0>)#frame-relay intf-type dce
XSR(config-if<S1/0>)#frame-relay lmi-t392dce 20

frame-relay lmi-n393dce
This command sets the monitored event count on a Data Communications Equipment (DCE) interface.

Syntax
frame-relay lmi-n393dce events

events    Value of monitored events count ranging from 1 to 10.

Syntax of the no Form

The no form of this command removes the current setting:
no frame-relay lmi-n393dce

Default
4

Mode
Interface configuration: XSR(config-if<xx>)#

Example
This example sets the LMI monitored events count to 10 on serial port 1/0:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation frame-relay
XSR(config-if<S1/0>)#frame-relay lmi-n393dce 10
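
The T391/N391 polling values and the N392/N393/T392 error settings described above interact across the two ends of a link. The following Python model is an added example, not Enterasys code: it lists the enquiries a DTE would send, tracks link state over a run of poll results, and audits a set of values against the ranges and defaults given on this page. Function names are hypothetical; the "N392 errors within the last N393 events" window is the usual Q.933 Annex A / T1.617 Annex D reading of these counters, while the recovery rule and the timing of the first poll are assumptions the page does not state.

```python
from collections import deque

# Ranges and defaults as listed on this page for each lmi-* command.
RANGES = {
    "t391": (5, 330), "n391": (1, 255),
    "n392": (1, 10), "n393": (1, 10), "t392": (5, 30),
}
DEFAULTS = {"t391": 10, "n391": 6, "n392": 3, "n393": 4, "t392": 15}


def dte_poll_schedule(t391, n391, duration):
    """Status Enquiries a DTE sends within `duration` seconds, as (time_s, kind)."""
    polls = []
    count = 0
    t = t391  # assumption: the first enquiry goes out one T391 interval after start
    while t <= duration:
        count += 1
        # Every N391-th exchange requests a full status report; the others are
        # Link Integrity Verification (keepalive) exchanges only.
        kind = "FULL-STATUS" if count % n391 == 0 else "LIV"
        polls.append((t, kind))
        t += t391
    return polls


def link_states(events, n392=DEFAULTS["n392"], n393=DEFAULTS["n393"]):
    """Track link state over poll results (True = good exchange, False = error).

    Down: at least N392 errors among the last N393 events.
    Up again: N392 consecutive good events (assumed recovery rule).
    """
    window = deque(maxlen=n393)
    good_run = 0
    up = True
    states = []
    for ok in events:
        window.append(ok)
        good_run = good_run + 1 if ok else 0
        errors = sum(1 for e in window if not e)
        if up and errors >= n392:
            up = False
        elif not up and good_run >= n392:
            up = True
        states.append("up" if up else "down")
    return states


def validate_lmi(**overrides):
    """Audit LMI values for one link: t391/n391 on the DTE, t392 on the DCE."""
    cfg = {**DEFAULTS, **overrides}
    problems = []
    for key, (lo, hi) in RANGES.items():
        if not lo <= cfg[key] <= hi:
            problems.append(f"{key}={cfg[key]} outside {lo}..{hi}")
    if cfg["n392"] > cfg["n393"]:
        problems.append("N392 > N393: the error threshold can never be reached")
    if cfg["t392"] <= cfg["t391"]:
        problems.append("T392 <= T391: the DCE timer expires before the next DTE poll")
    return problems


if __name__ == "__main__":
    # Values from the lmi-n391dte example above: poll every 5 s, full status every 10th.
    for when, kind in dte_poll_schedule(t391=5, n391=10, duration=100):
        print(f"{when:4d}s  {kind}")
    # Constructed poll results: three errors inside a four-event window, then recovery.
    sample = [True, False, False, True, False, True, True, True]
    print(link_states(sample))
    print(validate_lmi(n392=5, n393=4))
```

With N392 raised to 5 and N393 left at its default of 4, as in the last call, the audit reports that the link can never be declared down, which is the combination to look for when a dead circuit stays "up".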


frame-relay lmi-type
This command configures the Local Management Interface (LMI) type on a per-interface basis.

Syntax
frame-relay lmi-type {ilmi | ansi | q933a | auto | none}

ilmi     Interim LMI (FRF 1.1).
ansi     Annex D defined by American National Standards Institute (ANSI) standard T1.617.
q933a    ITU-T Q.933 Annex A.
auto     The port will attempt to detect and match the LMI type used by the attached Frame Relay switch.
none     No LMI used. This is meant to test or connect XSRs directly.

Syntax of the no Form

Use the no command to return to the default LMI type:
no frame-relay lmi-type {ilmi | ansi | q933a | auto | none}

Default
auto

Mode
Interface configuration: XSR(config-if<xx>)#

Example
This example sets serial interface 1/0 to use the ANSI Annex D LMI:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation frame-relay
XSR(config-if<S1/0>)#frame-relay lmi-type ansi
XSR(config-if<S1/0>)#no shutdown

frame-relay traffic-shaping
This command enables map class parameters for all Permanent Virtual Circuits (PVCs) on a Frame Relay port. For virtual circuits which have no specific traffic shaping or queuing parameters specified, a set of default values is used.

Syntax
frame-relay traffic-shaping

Syntax of the no Form

The no command disables the use of map class parameters:
no frame-relay traffic-shaping

Default
Disable

Mode
Interface configuration: XSR(config-if<xx>)#

Example
This example enables both traffic shaping and per-virtual-circuit queuing:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation frame-relay
XSR(config-if<S1/0>)#frame-relay traffic-shaping
XSR(config-if<S1/0>)#no shutdown

interface
This command selects a physical port for configuration as a router interface. The XSR supports FastEthernet or GigabitEthernet, serial, and T1/E1/ISDN PRI physical ports. For configuration purposes, all serial ports and T1/E1/ISDN PRI channel groups are treated as a serial port. Optionally, you can set up the Console port as a WAN interface for dial backup purposes (refer to the Caution below).
Caution: Be aware that when you enable the Console port as a WAN port, you can no longer directly connect to it because it is in data communication mode. Your only access to the CLI will be to Telnet to an IP address of a configured port. Also, if your startup-config file does not configure any ports properly and sets up the console port as a serial interface, you will no longer be able to login and will have to press the Default button to erase your configuration.

Syntax
interface serial port_num interface_num

port_num interface_num    The physical port and interface number. An interface number for a serial interface can be comprised of: card_num/NIM_num/port_within_NIM. For example, 0/1/2 sets physical port 2 on the NIM card in slot 1 of the motherboard. Leading zeros in interface_num can be omitted. So 0/1/2 is the same as 1/2. If the serial port resides on a T1/E1 port, then channel group data must be added at the end of the string to mark which channel group of the T1/E1 port will be set: card_num/NIM_num/port_within_NIM:[channelgroup_num]. For example, 0/2/1:15 sets channel group 15 of the T1 or E1 port 1 in NIM slot 2 on the motherboard.

Note: Leading zeros defined in interface_num can be omitted. For example, 0/1/2 is equivalent to 1/2.

Syntax of the no Form

The no command deletes the interface:
no interface serial port_num interface_num
Note: You cannot directly delete a Serial interface assigned to a T1/E1 channel group. You must instead delete a channel group to erase the Serial port.

Mode
Global configuration: XSR(config)#

Examples
This example selects interface serial 1/0 and sets Frame Relay encapsulation:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation frame-relay
XSR(config-if<S1/0>)#no shutdown

The following example selects channel group 12 of the T1/E1 port 1 on the second NIM card so that later configurations will apply to this serial port:
XSR(config)#interface serial 2/1:12
XSR(config-if<S2/1:12>)#encapsulation frame-relay
XSR(config-if<S2/1:12>)#no shutdown

Frame Relay Map Class Commands

class

This command assigns a map class to a specific Data Link Connection Identifier (DLCI). This can be used to override the default values for the DLCIs or to override a class assigned to the interface or sub-interface that the DLCI belongs to.
The actual map class is defined using the map-class frame-relay command in Global configuration mode. This command only applies to assigning a map class to DLCIs.

Syntax
class name

name    Name of the map class to associate with this DLCI, up to 29 characters.

Syntax of the no Form

The no command removes the assigned map class from the DLCI.
no class name

Mode
Virtual Circuit configuration: XSR(config-fr-dlci)#

Example
The first three commands in the following example set up Serial sub-interface 1/0.1 with associated DLCI 16. The last two commands define map class Hello.
XSR(config)#interface serial 1/0.1 point-to-point
XSR(config-if<S1/0>)#interface serial 1/0.1 point-to-point
XSR(config-subif)#frame-relay interface-dlci 16
XSR(config-fr-dlci)#class Hello
XSR(config)#map-class frame-relay Hello
XSR(config-map-class<Hello>)#frame-relay cir out 128000

frame-relay adaptive-shaping
This command enables and selects the mechanism to trigger adaptive shaping, the dynamic imposition of traffic shaping parameters (CIR, Bc, Be) based on external feedback indicating upstream congestion conditions.
Frame Relay switches use BECN (Backward Explicit Congestion Notification) to indicate congestion and throttle the DTE traffic rate.

Syntax
frame-relay adaptive-shaping

Syntax of the no Form

The no command disables adaptive shaping:
no frame-relay adaptive-shaping

Mode
Map Class configuration: XSR(config-map-class)#

Default
Disabled

Example
This example sets Frame Relay map class normlink with traffic shaping:
XSR(config)#map-class frame-relay normlink
XSR(config-map-class)#frame-relay adaptive-shaping

frame-relay bc
This command specifies the outgoing Committed burst size (Bc) for a Frame Relay map class. Committed burst is specified in bits, but an implicit time factor is derived from the sampling interval (Tc) on the switch, which is defined as the burst size divided by the Committed Information Rate (CIR). This is expressed in the formula: Tc = Bc/CIR. For more information, refer to frame-relay cir on page 98.

Syntax
frame-relay bc out bits

out
    Sets the traffic direction: output rate limiting only.
bits
    Committed burst size, in bits.

Syntax of the no Form
The no command resets the committed burst size to its default value:
no frame-relay bc out

Mode
Map Class configuration: XSR(config-map-class)#

Default
7000 bits

Example
This example creates the map class slowlink with bc set to 6000 bits:
XSR(config)#map-class frame-relay slowlink
XSR(config-map-class<slowlink>)#frame-relay bc out 6000

frame-relay be
This command specifies the outgoing excess Burst size (Be) for a Frame Relay map class.

Syntax
frame-relay be out bits

out
    Sets the traffic direction: output rate limiting only.
bits
    Committed burst size in bits.

Syntax of the no Form
The no command resets the committed burst size to its default value:
no frame-relay be out

Mode
Map Class configuration: XSR(config-map-class)#

Default
7000 bits


Example
This example adds map class slowlink with Be of 10000 and Bc of 6000 bits:
XSR(config)#map-class frame-relay slowlink
XSR(config-map-class<slowlink>)#frame-relay be out 10000
XSR(config-map-class<slowlink>)#frame-relay bc out 6000

frame-relay cir
This command specifies the outgoing Committed Information Rate (CIR) for a Frame Relay map class. CIR, Bc and Be values specify how the XSR forwards packets under normal and congested conditions using the following equation:

Tc = Bc/CIR = 7,000 bits / 56,000 bps = 125 ms (Bc and CIR values are default)

Frame Relay networks are committed to deliver Bc bits of data every Tc, so maximum committed throughput equals 7,000 / 125 ms = 56 kbps = CIR. In this sense, Committed Burst (Bc) is not really a burst but a smoothing function for the number of bits that the XSR is allowed to transmit during the Tc period in order to achieve the specified CIR.

Since the maximum number of bits that can be sent during Tc is Bc plus Be bits, using the default values, maximum throughput equals (Bc + Be)/Tc = (7,000 + 7,000) / 125 ms = 112 kbps = 2 * 56 kbps = 2 * CIR.

Syntax
frame-relay cir out rate

out
    Sets the traffic direction: output rate limiting only.
rate
    CIR, ranging from 1000 to 1,000,000 bits per second.

Syntax of the no Form
The no command resets the CIR to its default value:
no frame-relay cir out

Mode
Map Class configuration: XSR(config-map-class)#

Defaults
CIR enforced for outgoing traffic only
CIR: 56000 bps
Be: 7000 bits
Bc: 7000 bits

Example
This example creates the map class slowlink with cir set at 9600 bps:
XSR(config)#map-class frame-relay slowlink
XSR(config-map-class<slowlink>)#frame-relay cir out 9600

frame-relay fragment
This command specifies the FRF.12 end-to-end fragment size for a Frame Relay map class. Fragment size is defined in bytes. It specifies the number of payload bytes from the original frame that will go into each fragment. The transmitted fragment will include eight additional bytes from headers (6) and CRC (2).
Note: For proper operation of fragmentation, QOS is required to classify a service-policy which will define a high priority queue. The queue must send frames no larger than the fragment size or fragmentation will also be applied to high priority queue data and latency will grow, defeating the primary purpose of FRF.12 fragmentation.

Syntax
frame-relay fragment bytes

bytes
    Size of frame to pass unfragmented.

Syntax of the no Form
The no command disables FRF.12 end-to-end fragmentation:
no frame-relay fragment

Mode
Map Class configuration: XSR(config-map-class)#

Default
Fragmentation is disabled

Example
The following example creates the map class slowlink with fragmentation set at 53 bytes:
XSR(config)#map-class frame-relay slowlink
XSR(config-map-class<slowlink>)#frame-relay fragment 53
XSR(config-map-class<slowlink>)#service-policy frf12

map-class frame-relay
The command selects a supported Frame Relay map class and gives it a mnemonic name that can be referenced in Frame Relay configuration.

Map-class frame-relay starts configuration of a map class profile with a user-specific name.

When a map class command is entered, the CLI enters Map Class configuration mode, changing the CLI prompt to config-map-class where you can enter map class-specific values.

Syntax
map-class [frame-relay | dialer] map-class-name

frame-relay
    Sets a Frame Relay map class.
dialer
    Sets a dialer map class. For more information, refer to Configuring the Dialer Interface on page 83.
map-class-name
    Name of the map class to associate with this DLCI, up to 29 characters.

Syntax of the no Form
no map-class [frame-relay | dialer] map-class-name

Mode
Global configuration: XSR(config)#

Next Mode
FR Map Class configuration: XSR(config-map-class)#

Example
This example defines frame relay map class normlink:
XSR(config)#map-class frame-relay normlink
XSR(config-map-class<normlink>)#frame-relay adaptive-shaping
XSR(config-map-class<normlink>)#frame-relay cir out 64000
XSR(config-map-class<normlink>)#frame-relay bc out 8000
XSR(config-map-class<normlink>)#frame-relay be out 8000
XSR(config-map-class<normlink>)#service-policy output HighPriority
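The shaping arithmetic given under frame-relay cir and the eight-byte overhead given under frame-relay fragment can be checked against a pasted map-class session before it is applied. The following Python is an added example, not part of the guide or of the XSR software; the function names, the fragments-per-Tc figure and the class named plain are assumptions made for illustration.

```python
import re

# Defaults, CIR range and fragment overhead are the values stated in this guide.
DEFAULTS = {"cir": 56000, "bc": 7000, "be": 7000, "fragment": None}
CIR_RANGE = (1000, 1_000_000)   # bits per second
FRAGMENT_OVERHEAD = 8           # bytes per fragment: headers (6) + CRC (2)

# Constructed sample: commands from the guide's examples pasted as one session,
# plus a hypothetical class "plain" that keeps every default.
SAMPLE = """\
XSR(config)#map-class frame-relay slowlink
XSR(config-map-class<slowlink>)#frame-relay cir out 9600
XSR(config-map-class<slowlink>)#frame-relay be out 10000
XSR(config-map-class<slowlink>)#frame-relay bc out 6000
XSR(config-map-class<slowlink>)#frame-relay fragment 53
XSR(config)#map-class frame-relay normlink
XSR(config-map-class<normlink>)#frame-relay adaptive-shaping
XSR(config-map-class<normlink>)#frame-relay cir out 64000
XSR(config-map-class<normlink>)#frame-relay bc out 8000
XSR(config-map-class<normlink>)#frame-relay be out 8000
XSR(config)#map-class frame-relay plain
"""

# Both patterns accept a line with or without the CLI prompt in front.
CLASS_RE = re.compile(r"(?:^|#)\s*map-class\s+frame-relay\s+(\S+)\s*$")
PARAM_RE = re.compile(
    r"(?:^|#)\s*(no\s+)?frame-relay\s+(cir|bc|be|fragment)"
    r"(?:\s+out)?(?:\s+(\d+))?\s*$"
)


def parse_map_classes(text):
    """Return {class name: parameters} for each map-class frame-relay block."""
    classes, current = {}, None
    for line in text.splitlines():
        match = CLASS_RE.search(line)
        if match:
            current = classes.setdefault(match.group(1), dict(DEFAULTS))
            continue
        match = PARAM_RE.search(line)
        if match and current is not None:
            negated, key, value = match.groups()
            if negated:                      # the no form restores the default
                current[key] = DEFAULTS[key]
            elif value is not None:
                current[key] = int(value)
    return classes


def shaping_report(params):
    """Apply Tc = Bc/CIR and peak = (Bc + Be)/Tc to one map class."""
    cir, bc, be = params["cir"], params["bc"], params["be"]
    if cir <= 0 or bc <= 0:
        raise ValueError("cir and bc must be positive")
    warnings = []
    if not CIR_RANGE[0] <= cir <= CIR_RANGE[1]:
        warnings.append(f"cir {cir} is outside {CIR_RANGE[0]}-{CIR_RANGE[1]} bps")
    report = {
        "tc_ms": bc * 1000 / cir,            # Tc = Bc/CIR, in milliseconds
        "peak_bps": (bc + be) * cir / bc,    # (Bc + Be)/Tc
        "warnings": warnings,
    }
    if params["fragment"] is not None:
        wire_bytes = params["fragment"] + FRAGMENT_OVERHEAD
        report["fragment_wire_bytes"] = wire_bytes
        # Whole fragments that fit in the committed burst of one interval.
        report["fragments_per_tc"] = bc // (wire_bytes * 8)
        if wire_bytes * 8 > bc:
            warnings.append("a single fragment is larger than Bc")
    return report


if __name__ == "__main__":
    for name, params in parse_map_classes(SAMPLE).items():
        print(name, shaping_report(params))
```
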

service-policy
This command sets the service policy profile for the class map. The service policy is a flexible method to configure QoS for an interface, sub-interface and DLCI. You can use it to create priority queues, custom queues, WFQ or FIFO queues. Refer to Configuring Quality of Service on page 83 for more details.

Syntax
service-policy {out} service-policy-name

out
    Service policy applies to outgoing traffic only.
service-policy-name
    Name of the separately configured service policy profile to apply for this map class.

Syntax of the no Form
The no form of this command disables a service policy:
no service-policy output service-policy-name

Mode
Map Class configuration: XSR(config-map-class)#

Example
The following example specifies HighPriority as the policy for the class map:
XSR(config-map-class)#service-policy out HighPriority

shutdown
This command disables an interface or sub-interface. A sub-interface is shut down (no longer passing data) when one of the following occurs:
- An explicit shutdown command is entered on the sub-interface.
- A shutdown command is issued on the parent Frame Relay interface of this sub-interface.
- A shutdown command is issued on a T1 controller.

Syntax
shutdown

Syntax of the no Form
Use the no command to enable the interface after it is shut down:
no shutdown

Mode
Interface configuration: XSR(config-if<xx>)#

sub-interface
This command starts configuration for a sub-interface on a serial interface. You can configure up to 50 sub-interfaces on the XSR.

Syntax
interface serial interface_id.sub-interface_num [multi-point | point-to-point]

interface_id.subinterface-num
    The sub-interface, comprised of interface_num and numerical values. The entities are separated by a period. The number range is 1 to 50.
multi-point
    The sub-interface acts as a multi-point connection, so that multiple DLCIs can be defined within this sub-interface to connect to multiple remote sites.
point-to-point
    The sub-interface acts as a point-to-point connection.

Mode
Global configuration: XSR(config)#

Next Mode
Sub-interface configuration: XSR(config-if<xx>)#

Examples
This example selects sub-interface Serial 1/0.5 on a serial interface:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#encapsulation frame-relay
XSR(config-if<S1/0>)#no shutdown
XSR(config-if<S1/0>)#interface serial 1/0.5 multi-point
XSR(config-subif<S1/0.5>)#no shutdown

This example selects a sub-interface on a T1/E1 card:
XSR(config)#interface serial 2/1
XSR(config-if<S2/1>)#encapsulation frame-relay
XSR(config-if<S2/1>)#no shutdown
XSR(config-if<S2/1>)#interface serial 2/1:12.1 multi-point
XSR(config-subif<S2/1:12.1>)#no shutdown

Frame Relay Clear and Show Commands

clear frame-relay counter
This command clears the statistics of a particular Frame Relay DLCI, or all DLCIs under a specified Frame Relay sub-interface, or a Frame Relay port, or all Frame Relay ports on the XSR.

Syntax
clear frame-relay counter [[interface] [interface-num] [dlci dlci-num]]

interface-num
    The interface or sub-interface number of the Frame Relay port or sub-interface affected by this command. If interface serial interface-num is not specified, then this command applies to all Frame Relay ports. If interface-num specifies a sub-interface, then only DLCIs in that particular sub-interface will be cleared. If interface-num calls for an interface, then all DLCIs on the Frame Relay interface will be cleared.
dlci-num
    The specific DLCI whose statistics will be cleared.

Mode
EXEC: XSR>

clear frame-relay inarp


This command clears the inverse ARP table of one or all Frame Relay ports, causing the Frame Relay multi-point sub-interfaces to issue Inverse ARP requests to rediscover next hop addresses.

Syntax
clear frame-relay inarp [interface][interface-num][dlci] [dlci-num]


interface-num
    If the interface-num or sub-interface number is set and the dlci-num is not, all learned inverse ARP entries for the interface and its logical sub-interfaces will be cleared.
dlci-num
    The DLCI of a particular virtual port whose inverse ARP entry is to be cleared.

Mode
EXEC: XSR>

Examples
The following example clears all Frame Relay Inverse ARP entries:
XSR(config)#clear frame-relay inarp

This example clears all Frame Relay Inverse ARP entries for Interface 1/0 and its sub-interfaces:
XSR(config)#clear frame-relay inarp interface 1/0

The following example clears the Inverse ARP entry for DLCI 16 on sub-interface 1/0.1:
XSR(config)#clear frame-relay inarp interface 1/0.1 dlci 16

show frame-relay fragment


This command displays information about Frame Relay fragmentation. When no parameters are specified, the output displays a summary of each data-link connection identifier (DLCI) configured for fragmentation including fragmentation type, configured fragment size, and number of fragments transmitted, received, and dropped. When a specific interface and DLCI are specified, additional details are displayed.

Syntax
show frame-relay fragment [interface interface [dlci]]

interface
    A specific interface for which Frame Relay fragmentation data will be shown.
interface
    Interface number containing the DLCI(s) for which to show fragmentation data.
dlci
    Specific DLCI for which to display fragmentation data.

Mode
Privileged EXEC: Router#

Sample Output
The following is sample output from the command:
XSR(config)#show frame-relay fragment
Frame Relay End-to-End Fragmentation Summary
interface        dlci   frag-size   in-frag   out-frag   dropped-frag
Serial 2/0.1     960    53          0         0          0
Serial 1/0:0.1   16     64          0         0          0

XSR(config)#show frame-relay fragment interface serial 2/0.1 960
Frame Relay End-to-End Fragmentation Detailed Statistics
Serial 2/0.1 DLCI = 960 Fragment Size = 53
Incoming Traffic                  Outgoing Traffic
Fragmented pkts        = 0        Fragmented pkts      = 0
Fragmented bytes       = 0        Fragmented bytes     = 0
Assembled pkts         = 0        Pre-fragmented pkts  = 0
Assembled bytes        = 0        Pre-fragmented bytes = 0
Non-fragmented pkts    = 0        Non-fragmented pkts  = 0
Non-fragmented bytes   = 0        Non-fragmented bytes = 0
Dropped Assembled pkts = 0        Interleaved pkts     = 0
Pkt Sequence # Errors  = 0
Unexpected Begin Frag  = 0

Parameter Descriptions
fragment size
    The configured fragment size in bytes.
In/out fragmented pkts
    Sum of frames received/sent by this DLCI that had a fragmentation header.
In/out fragmented bytes
    Sum of bytes, including those in the Frame Relay bytes headers, that have been received/sent by this DLCI.
In/out unfragmented pkts
    Sum of frames received/sent by this DLCI that do not require reassembly, and therefore do not contain the FRF.12 header. These counters can be incremented only when the end-to-end fragmentation type is set.
In/out unfragmented bytes
    Sum of bytes received/sent by this DLCI that do not require reassembly, and do not contain the FRF.12 header.
In assembled pkts
    Sum of fully reassembled frames received by this DLCI, including frames without a Frame Relay fragmentation header (in unfragmented packets). This counter corresponds to frames viewed by upper-layer protocols.
In assembled bytes
    Sum of bytes in the fully reassembled frames received by this DLCI, including frames without a Frame Relay fragmentation header (in unfragmented bytes). This counter corresponds to the sum of bytes viewed by upper-layer protocols.
In dropped reassembled pkts
    Sum of fragments received by this DLCI that are dropped for reasons such as running out of memory, receiving segments out of sequence, receiving an unexpected frame with a B bit set, or timing out on a reassembling frame.
Pkt Sequence # Error
    Sum of fragments received by this DLCI that have an unexpected sequence number.
Unexpected Begin Frag
    Sum of fragments received by this DLCI that have an unexpected B (Begin) bit set. When this occurs, all fragments being reassembled are dropped and a new frame is begun with this fragment.
out pre-fragmented pkts
    Sum of fully reassembled frames sent by this DLCI, including frames transmitted without a Frame Relay fragmentation header (out unfragmented pkts).
out dropped fragmenting pkts
    Sum of fragments dropped by this DLCI during transmission because of running out of memory.
in out-of-sequence fragments
    Sum of fragments received by this DLCI with an unexpected sequence number.
in fragments with unexpected B bit set
    Sum of fragments received by this DLCI that have an unexpected B (Begin) bit set. When this occurs, all fragments being reassembled are dropped and a new frame is begun with this fragment.
out interleaved packets
    Sum of packets leaving this DLCI that have been interleaved between segments.

show frame-relay lmi


This command displays Local Management Interface (LMI) statistics. Enter the command without arguments to obtain statistics about all Frame Relay interfaces.

Syntax
show frame-relay lmi [interface] [interface-num]

interface-num
    The interface or sub-interface number of the Frame Relay port or sub-interface affected by this command. If interface serial interface-num is not specified, then this command applies to all Frame Relay ports. If interface-num specifies a sub-interface, then only DLCIs in that particular sub-interface may be cleared. If interface-num calls for a port, then all DLCIs on the Frame Relay interface will be cleared.

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following example displays output on Serial interface 2/0 from an XSR with a Serial NIM installed:
XSR#show frame-relay lmi
LMI Statistics for Serial 2/0 (Frame Relay DTE)
LMI = AUTO (AUTO)
Interface = INACTIVE
Status Enq. Sent = 0
Status Msg. Rcvd = 0
Status Timeout = 0
Updated Status Rcvd = 0
# configured PVCs = 2
Invalid L2 LMI info = 0
local sequence number = 127
net sequence number = 127
# PVCs reported by LMI = 0
Invalid L3 LMI Info = 0
Down DLCIs: 16, 18

The following example displays output on Serial interface 2/0:1 from an XSR with a T1/E1 Serial controller NIM installed:
LMI Statistics for Serial 0/2/0:1 (Frame Relay DTE)
LMI = NONE
Interface = down
Status Enq. Sent = 0
Status Msg. Rcvd = 0
Status Timeout = 0
Updated Status Rcvd = 0
# configured PVCs = 1
Invalid L2 LMI info = 0
local sequence number = 127
net sequence number = 127
# PVCs reported by LMI = 0
Invalid L3 LMI Info = 0

Parameter Descriptions
LMI
    The configured or autodetected LMI type. If the port is set for AUTO LMI, then the XSR shows AUTO (nn), where nn is ILMI, ANSI, or ITU if the port has successfully negotiated/detected the LMI supported by the switch, otherwise it displays AUTO.
Status Enq. Sent
    Sum of LMI status enquiry messages sent.
Status Msgs Rcvd
    Sum of LMI status messages received.
Status Timeouts
    Sum of times the status message was not received within the keepalive time value.
Update Status Rcvd
    Sum of LMI asynchronous update status messages received.
Invalid L2 LMI info
    Sum of received LMI messages with invalid unnumbered information field.
Invalid L3 LMI fields
    Sum of LMI messages with invalid fields.
Unconfigured DLCIs
    List of unconfigured DLCIs that are reported to be in an Active state by the Frame Relay switch. This field is not displayed if the configured LMI type is None.
Down DLCIs
    List of configured DLCIs that are reported to be in a Down or Inactive state by the Frame Relay switch. This field is not displayed if the configured LMI type is None.
Interface
    Down marks the port as active but not communicating with the switch; Inactive marks the port as shut down; Up marks the port as operational.
Local/net sequence number
    Value of current or next to transmit/received LMI control packet.

show frame-relay map


This command displays data from current frame relay map entries.

Syntax
show frame-relay map

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following example displays a multi-point Frame Relay map:
XSR#show frame-relay map
Frame Relay Map Statistics (Serial 2/0)
Serial 2/0.1 dlci 973 (0x3CD, 0xF0D0) Remote Addr. 10.10.10.5, gratuitous-inverse-arp, bootp, static ip
Serial 2/0.1 dlci 972 (0x3CC, 0xF0C0) Remote Addr. 10.10.10.4, gratuitous-inverse-arp, static ip
Serial 2/0.1 dlci 971 (0x3CB, 0xF0B0) Remote Addr. 10.10.10.3, static ip
Serial 2/0.1 dlci 970 (0x3CA, 0xF0A0) Remote Addr. un-resolved, gratuitous-inverse-arp
Serial 2/0.1 dlci 960 (0x3C0, 0xF000) Remote Addr. un-resolved

The following example displays a point-to-point Frame Relay map:
XSR#show frame-relay map
Frame Relay Map Statistics (Serial 2/0)
Serial 2/0.3 dlci 981 (0x3D5, 0xF450) Remote Addr. P2P, gratuitous-inverse-arp, bootp, static ip 2.2.2.3

Parameter Descriptions
Serial 2/0
    Identifies a Frame Relay interface being displayed.
Serial 2/0.1
    Identifies the specific sub-interface that is associated with a DLCI.
dlci 981 (0x3D5, 0xF450)
    DLCI number displayed three ways: its decimal value, its hexadecimal value (0x3D5), and its value as it appears on the wire (0xF450).
Remote Addr. 10.10.10.5
    The remote peer IP address learned using Inverse ARP.
Remote Addr. un-resolved
    The node is waiting for Inverse ARP response to resolve the remote peer's IP address.
Remote Addr. P2P
    This DLCI does not require Inverse ARP to resolve the remote peer's IP address.
gratuitous-inverse-arp
    This DLCI will offer a free Inverse ARP to help the remote learn changes to the local interface. The response from the remote is not used for address resolution.
bootp
    This DLCI will respond to a broadcast bootp request originated from the adjacent peer. The bootp response includes the static IP address configured on this DLCI.
static ip 2.2.2.3
    This DLCI has been configured with a static IP address for the remote peer. Inverse ARP request will not be used to learn the remote's address.
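The three DLCI forms in this output can be cross-checked mechanically, which is useful when comparing a map listing with a packet capture. The following Python is an added example, not part of the guide or of the XSR software; it assumes the standard two-octet Q.922 address field layout, which the guide does not describe but which reproduces every value in the sample output above. The function names and the last sample line are constructed for illustration.

```python
import re

# Assumed layout of the two-octet address field, as a 16-bit word:
# DLCI high 6 bits | C/R | EA=0 || DLCI low 4 bits | FECN | BECN | DE | EA=1
CR = 0x0200
FECN, BECN, DE, EA_LAST = 0x0008, 0x0004, 0x0002, 0x0001

# Sample output from this guide, plus one constructed line (dlci 100) whose
# wire value is deliberately wrong so the check has something to catch.
SAMPLE_MAP = """\
Frame Relay Map Statistics (Serial 2/0)
Serial 2/0.1 dlci 973 (0x3CD, 0xF0D0) Remote Addr. 10.10.10.5, gratuitous-inverse-arp, bootp, static ip
Serial 2/0.1 dlci 972 (0x3CC, 0xF0C0) Remote Addr. 10.10.10.4, gratuitous-inverse-arp, static ip
Serial 2/0.1 dlci 971 (0x3CB, 0xF0B0) Remote Addr. 10.10.10.3, static ip
Serial 2/0.1 dlci 970 (0x3CA, 0xF0A0) Remote Addr. un-resolved, gratuitous-inverse-arp
Serial 2/0.1 dlci 960 (0x3C0, 0xF000) Remote Addr. un-resolved
Serial 2/0.3 dlci 981 (0x3D5, 0xF450) Remote Addr. P2P, gratuitous-inverse-arp, bootp, static ip 2.2.2.3
Serial 2/0.9 dlci 100 (0x64, 0x1850) Remote Addr. un-resolved
"""

MAP_RE = re.compile(
    r"^(Serial \S+) dlci (\d+) \(0x([0-9A-Fa-f]+), 0x([0-9A-Fa-f]+)\)"
)


def dlci_to_wire(dlci):
    """Place a 10-bit DLCI in its header positions, all other bits zero.

    This is the form shown as the third value in the map output.
    """
    if not 0 <= dlci <= 0x3FF:
        raise ValueError("a two-octet address field carries a 10-bit DLCI")
    return ((dlci >> 4) << 10) | ((dlci & 0xF) << 4)


def decode_address(word):
    """Split a captured 16-bit address field into DLCI and flag bits."""
    return {
        "dlci": (((word >> 10) & 0x3F) << 4) | ((word >> 4) & 0xF),
        "cr": bool(word & CR),
        "fecn": bool(word & FECN),
        "becn": bool(word & BECN),
        "de": bool(word & DE),
        "last_octet": bool(word & EA_LAST),
    }


def check_map_output(text):
    """Return (sub-interface, dlci, consistent) for every map entry."""
    results = []
    for line in text.splitlines():
        match = MAP_RE.match(line.strip())
        if not match:
            continue
        subif = match.group(1)
        dlci = int(match.group(2))
        shown_hex = int(match.group(3), 16)
        shown_wire = int(match.group(4), 16)
        consistent = shown_hex == dlci and shown_wire == dlci_to_wire(dlci)
        results.append((subif, dlci, consistent))
    return results


if __name__ == "__main__":
    for entry in check_map_output(SAMPLE_MAP):
        print(entry)
    # A captured header for DLCI 973 with BECN set (constructed value).
    print(decode_address(0xF0D5))
```
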

show frame-relay pvc


This command displays statistics about permanent virtual circuits (PVCs) on Frame Relay interfaces. Statistics can be retrieved on specific Frame Relay interfaces by specifying the interface or the DLCI. Statistics on all PVCs can be shown by omitting arguments in the command.

If the LMI status report shows a PVC is not active, it is marked inactive. A PVC is marked deleted if it is not listed in a periodic LMI status message.

Syntax
show frame-relay pvc [interface interface [dlci-num]]

interface
    Interface or sub-interface number containing the DLCI(s) for which you wish to display PVC information.
dlci
    DLCI number used on the interface. Statistics for the specified PVC are displayed when a DLCI is also set.

Mode
Privileged EXEC: XSR#

Sample Output
XSR#show frame-relay pvc serial 2/0:1.1
PVC Statistics for Serial 2/0:1.1 (Frame Relay DTE)    LMI = NONE
DLCI = 16 PVC Status = UP
INPUT:  Pkt/Sec = 0     Packets = 17941     Bytes = 20018904    Drop Pkts = 0
        BECN pkts = 0   FECN pkts = 0                           DE pkts = 0
OUTPUT: Pkt/Sec = 2     Packets = 17942     Bytes = 20018904    Drop Pkts = 0
        BECN pkts = 0   FECN pkts = 0                           DE pkts = 0
        bcast pkts = 0  bcast bytes = 0                         CIR assists = 0
PVC created: 12/01/2000 02:23:37
Last status change: 12/01/2000 02:23:47
FRF.12 = ENABLED Fragment size = 53
Adaptive Shape = DISABLED Shaping Drops = 0
minCIR=28000 BC=7000 BE=7000 limit=56 interval=125

Parameter Descriptions
DLCI
    One of the Data-link Connection Identifier numbers for the PVC.
PVC STATUS
    Status of the PVC:
    ACTIVE - DLCI is in data passing mode.
    INACTIVE - LMI message not received for longer than n392dte events and not in data passing mode.
    DELETED - LMI message declares DLCI is not activated.
Input: Pkt/Sec
    The incoming data rate for this PVC in packets per second (measured for 8 seconds)
Input: pkts
    Sum of packets received on this PVC.
Input: bytes
    The packet rate in pps on this PVC in the last sampling period (last 8 seconds).
Input: Drop pkts
    Sum of incoming packets on this PVC dropped.
In FECN pkts
    Sum of packets received with FECN bit set.
In BECN pkts
    Sum of packets received with BECN bit set.
In DE pkts
    Sum of DE packets received.
Output: Pkt/Sec
    Sum of packets sent on this PVC.
Output: pkts
    Sum of packets sent on this PVC.
Output: bytes
    Sum of bytes sent on this PVC.
Output: Drop pkts
    Sum of outgoing packets on this PVC dropped.
Out BECN pkts
    Sum of packets sent with BECN bit set. Value always 0.
Out FECN pkts
    Sum of packets sent with FECN bit set. Value always 0.
Out DE pkts
    Sum of DE packets sent. Value always 0.
Out bcast pkts
    Sum of output broadcast packets. Value always 0.
Out bcast bytes
    Sum of output broadcast bytes. Value always 0.
CIR assists
    Sum of times the DLCI needed help to achieve CIR.
Pvc create time
    Time the PVC was created.
Last status change
    Time the PVC changed status (active to inactive).
FRF.12
    FRF.12 has been disabled on this PVC. This line is not printed if disabled.
Fragment size
    Size of the payload for fragmented packets.
Adaptive Shape
    Status of Adaptive Shaping for this PVC.
Shaping Drops
    Sum of packets dropped due to traffic shaping.
minCIR
    The minimum Committed Information Rate, bits/sec.
BC
    Current Committed burst size, in bits.
BE
    Current Excess burst size, in bits.
Interval
    Bc/CIR in milliseconds.

show frame-relay traffic


This command displays global Frame Relay statistics since the last reload.

Syntax
show frame-relay traffic

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
XSR#show frame-relay traffic
Frame Relay statistics:
TX: ARP requests = 19 ARP replies = 2
RX: ARP requests = 2 ARP replies = 19

show frame-relay map-class


This command displays Frame Relay map class usage data. It provides a view of all configured Frame Relay map classes and whether they are being referenced by any Frame Relay interfaces.

Syntax
show frame-relay map-class

Mode
Privileged EXEC: XSR#

Example
XSR#show frame-relay map-class
Total 7 frame relay map-classes configured in the node
Central, Branch_1, three, Class_4, Class_5, Class_6, test,
Map-Class generic has 1 registered users
Serial 1/0, CIR= 64000, Bc=8000, BE= 9000, fragment=53
Adaptive Shaping: Disabled, Service Policy: Voice
# FR Ports = 1, # FR sub-Interfaces = 3, # DLCIs = 7

show interface serial


The following statistics are added to the command if the port is configured for Frame Relay.

Sample Output
The following example displays T1 statistics:
XSR#show interface serial 2/0:1
********** Serial Interface Stats **********
Serial 2/0:1 is Admin Up
Internet address is not assigned
Frame Relay Port Statistics:
Line Protocol = UP
Encapsulation FRAME-RELAY IETF, FRAME-RELAY DTE, LMI = NONE
Num PVCs = 1, Total LMI Tx = 0, LMI Rx = 0
TX: Packets = 18155, Bytes = 20214344 PPS = 0
RX: Packets = 18154, Bytes = 20214072 PPS = 0
Approximate Speed = 128 Kbps
Discarded Packets TX/RX = 0/0
Sub Interface 1 State = UP, Num Stations = 1
Configured DLCIs: 16, 18, 22

The following example displays Serial interface 2/0 statistics:
********** Serial Interface Stats **********
Serial 2/0 is Admin Up
Internet address is 10.10.11.30, subnet mask is 255.255.255.0
Frame Relay Port Statistics:
Line Protocol = UP
Encapsulation FRAME-RELAY IETF, FRAME-RELAY DTE, LMI = NONE
Num PVCs = 2, Total LMI Tx = 10, LMI Rx = 0
TX: Packets = 10, Bytes = 133 PPS = 0
RX: Packets = 0, Bytes = 0 PPS = 0
Approximate Speed = 65 Kbps
Discarded Packets TX/RX = 0/0
Sub Interface 1 State = UP, Num Stations = 1
Configured DLCIs: 16
Sub Interface 2 State = UP, Num Stations = 1
Configured DLCIs: 150
The name of this device is Ser2/0.
The card is 2.
The channel is 0.
The current MTU is 1506.
The device is in polling mode, and is active.
The last driver error is (null).
The physical-layer is HDLC-SYNC, the TX, RX clock source is external.
The device uses CRC-16 for Tx.
The device uses CRC-16 for Rx.
The type of encoding is NRZ.
The media-type is RS-232/V.28 (DTE).
The loopback mode is off.

Other Interface Statistics:
ifindex             0
ifType              23
ifAdminStatus       1
ifOperStatus        1
ifLastChange        00:00:24
ifInOctets          0
ifInUcastPkts       0
ifInNUcastPkts      0
ifInDiscards        0
ifInErrors          0
ifInUnknownProtos   0
ifOutOctets         173
ifOutUcastPkts      10
ifOutNUcastPkts     0
ifOutDiscards       0
ifOutErrors         0
ifOutQLen           352
RX overrun          0


10
Configuring the Dialer Interface
This chapter describes commands for the dialer, dialer backup, and Dial on Demand/Bandwidth on Demand services.

Observing Syntax and Conventions

The CLI command syntax and conventions use the notation described in the following table.

Convention           Description
xyz                  Key word or mandatory parameters (bold)
[x]                  [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]          [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}          { | } Braces with vertical bar indicate a choice of a required value
[x {y | z} ]         [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)      xx signifies interface type and number, e.g.: F1, S2/1.0, D1, M57, L1, ATM0/1/1
Next Mode            entries display the CLI prompt after a command is entered
soho.enterasys.com   Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

Dialer Interface Commands

The following set of commands defines dial services on the XSR:
- Dialer Interface Clear and Show commands on page 10-90.
- Dialer Backup commands on page 10-93.
- DOD/BOD commands on page 10-96.
- Dialer Watch commands on page 10-103.

dialer dtr
This command specifies that a non-V.25bis modem using Electronic Industries Association (EIA) signaling will be used on the serial line interface. This signal is known as the DTR signal. The dialer string command has no effect on DTR dialers. Be aware of the following mandatory conditions:
- The dialer string command must be set to the dialer interface that owns the dialer pool where the dialer DTR serial interface is added.
- The serial interface must be configured for synchronous data mode.
- The modem must be configured with DTR-controlled dialing interface, CTS follows DCD, DTR disconnects, sync data mode and a preset dialing-out telephone number.

Syntax
dialer dtr

Syntax of the no Form


no dialer dtr

Default
DTR dialing is disabled

Mode
Interface configuration: XSR(config-if<xx>)#

Example
XSR(config-if<S1/1>)#dialer dtr

dialer pool
This command specifies which dialer pool the dialer interface should use. The dialer interface will use one of the physical interfaces in the dialer pool to attach to the interface's configured destination.

Syntax
dialer pool number

number
    Dial pool number, ranging from 1 to 255.

Syntax of the no Form
no dialer pool

Default
Disabled - no pool is specified.

Mode
Interface configuration: XSR(config-if<xx>)#
Note: This command is intended for dialer interfaces only.

Example
The following example shows dialer interface 0 assigned to dialer pool 6.
XSR(config)#interface dialer 0
XSR(config-if<D1>)#dialer pool 6
XSR(config-if<D1>)#no shutdown

dialer pool-member
This command configures physical interfaces for dial devices only.

Syntax
dialer pool-member number [priority priority]

number
    Dial pool number ranging from 1 to 255.
priority
    Priority of the interface within the dialing pool - ranging from 0 (lowest) to 255 (highest). Ports with the highest priority are selected first for dialing out.

Syntax of the no Form
no dialer pool-member number

Defaults
Disabled. When enabled, no default dialing pool number is assigned
Priority: 0
Minimum: 0
Maximum: 255

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example shows a serial interface belonging to two dialer pools with priorities configured for each pool:
XSR(config-if)#interface serial 1/0
XSR(config-if<S1/0>)#dialer pool-member 1 priority 10
XSR(config-if<S1/0>)#dialer pool-member 2 priority 20
XSR(config-if<S1/0>)#no shutdown


dialer string
This command creates a string used to place a call to a destination or subnet. Typically, it is the telephone number needed for dialing.

Syntax
dialer string dial-string [class class-name]

dial-string
    Phone number to be sent to a dial device.
class-name
    Map class associated with this dialer string.

Syntax of the no Form
no dialer string dial-string

Mode
Interface configuration: XSR(config-if<xx>)#

Example
This example shows dialer interface 0 configured to use map class XXX when using dialer string 9055559988:
XSR(config-if)#interface dialer 0
XSR(config-if<D0>)#dialer string 9055559988 class XXX

dialer wait-for-carrier-time (interface configuration)


This command configures the time a dialer interface waits for a carrier signal. It is used when configuring a particular dialer interface.

Syntax
dialer wait-for-carrier-time seconds

seconds
    Interval the interface waits for a carrier signal when a call is placed via the dial device.

Syntax of the no Form
The no form of this command resets to default value:
no dialer wait-for-carrier-time

Default
60 seconds

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example specifies a wait time of 90 seconds for the carrier signal on serial port 1/0:
XSR(config-if<S1/0>)#dialer wait-for-carrier-time 90

dialer wait-for-carrier-time (map-class dialer configuration)


This command configures the time to wait for a carrier signal associated with a specific dialer map class. Dialer map classes are used to configure certain characteristics with dialer strings when configuring dialer ports.

Syntax
dialer wait-for-carrier-time seconds

seconds
    Interval the port waits for a carrier signal when a call is placed through the dial device.

Syntax of the no Form
The no form of this command resets to the default value:
no dialer wait-for-carrier-time

Default
60 seconds

Mode
Map class dialer configuration: XSR(config-map-class)#

Example
The example below specifies a 120-second wait time for the carrier signal of the dialer map class TEST on Dialer port 57:
XSR(config-if<D57>)#interface dialer 57
XSR(config-if<D57>)#ip address 196.16.25.1 255.255.255.0
XSR(config-if<D57>)#encapsulation ppp
XSR(config-if<D57>)#dialer remote-name SiteA
XSR(config-if<D57>)#dialer string 4165555584 class TEST
XSR(config-if<D57>)#dialer pool 1
XSR(config)#map-class dialer TEST
XSR(config-map-class)#dialer wait-for-carrier-time 120

interface dialer
This command adds a dialer interface to connect with one or more specified sub-networks. A dialer interface connects to a dial device via a pool of physical ports.

The dialer interface is created in two ways: point-to-point or point-to-multi-point by using the multi-point parameter. When configured, the dialer line is not physically connected but the entry is maintained in the routing table, thus preserving on-demand access when interesting packets are received and accepted by an Access Control List (ACL).

This mode of operation of the dialer interface is called spoofing and it is the default mode for this interface. Spoofing mode changes to non-spoofing mode when the following conditions are met:
- Another interface or sub-interface is set with the backup interface dialer command.
- The interface configured with the backup command (the primary interface) is up.

Dial-on-demand applications require that a dialer group, dialer list and ACL also be configured.

Syntax
interface dialer [number | multi-point][sub-interface]

number
    Non-spoofed mode for a backup line or spoofed mode for on-demand connectivity to a remote peer. Dialer interface number ranges from 0 to 255.
multi-point
    Spoofed, point-to-multi-point mode configuring on-demand connectivity to remote peers.
sub-interface
    Sub-interface of the dialer interface.

Syntax of the no Form
The no form of this command removes the dialer interface:
no interface dialer number

Mode
Global configuration: XSR(config)#

Next Mode
Dialer Interface configuration: XSR(config-if<D>)#

Default
Interface is spoofed

Examples
The following example configures Dialer port 200 in backup mode with minimal settings:
XSR(config)#interface dialer 200
XSR(config-if<D200>)#ip address 200.17.10.5 255.255.255.0
XSR(config-if<D200>)#encapsulation ppp
XSR(config-if<D200>)#authentication chap
XSR(config-if<D200>)#no shutdown

The following example configures the dialer in point-to-point spoofed mode with interesting packets defined by ACL 101, a dialer group and associated dialer list mapped to ACL 101:
XSR(config)#access-list 101 permit ip 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0
XSR(config)#interface dialer 3
XSR(config-if<D3>)#dialer-group 7
XSR(config)#dialer-list 7 protocol ip list 101

The following example configures the dialer in multi-point spoofed mode with interesting packets defined by ACL 101, a dialer group and associated dialer list mapped to ACL 101:
XSR(config)#interface dialer 3 multi-point
XSR(config-if<D3>)#dialer-group 7
XSR(config-if<D3>)#access-list 101 permit ip 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0
XSR(config)#dialer-list 7 protocol ip list 101

map-class dialer
This command defines the dial string's characteristics and associates them with a unique class name. Once the map-class dialer classname command is executed, the parameters assigned to that classname must be configured. The classname assigned must match the classname assigned to the dialer string class classname so they can be linked.

Syntax
map-class dialer classname

classname  Unique class identifier.

Default
None - no classname

Mode
Global configuration: XSR(config)#

Next Mode
Map Class Dialer configuration: XSR(config-map-class<xx>)#

Example
The example below specifies a 90-second wait time for the carrier signal of the dialer map class TEST on Dialer port 0:
XSR(config)#interface dialer 0
XSR(config-if<D0>)#ip address 196.16.25.1 255.255.255.0
XSR(config-if<D0>)#encapsulation ppp
XSR(config-if<D0>)#dialer remote-name sitea
XSR(config-if<D0>)#dialer string 4165555584 class TEST
XSR(config-if<D0>)#dialer pool 1
XSR(config-if<D0>)#no shutdown
XSR(config)#map-class dialer TEST
XSR(config-map-class<TEST>)#dialer wait-for-carrier-time 90

modem-init-string
This command sets an AT command string used to initialize a modem.

Syntax
modem-init-string word

word  Text to initialize the modem.

Syntax of the no Form
The no form of this command removes the modem init string:
no modem-init-string

Mode
Map Class Dialer configuration: XSR(config-map-class<xx>)#

Example
The following example specifies a modem initialization string to disable dial tone detection for the Map Class Remote:
XSR(config-map-class<Remote>)#modem-init-string ATX3

Dialer Interface Clear and Show Commands

clear dialer


This command clears dialer statistics for physical interfaces connected to the dialer interfaces. If the interface is not specified, all interface (for the dialer) statistics will be cleared.

Syntax
clear dialer

Mode
Privileged EXEC: XSR#

Example
XSR#clear dialer

show dialer
This command displays general information and some configurations of interfaces configured under the dialer; for instance, the dialer interfaces and the serial and async interfaces under the dialer interfaces.

Syntax
show dialer [number]

number  Interface number.

Mode
Privileged EXEC: XSR#

Example
XSR#show dialer 1

Sample Output
The following is sample output from the show dialer command for a dialer interface:
#show dialer 5
Dialer5
Dialer state is: UP
Wait for carrier default: 60, default retry: 3
Dial String  Success  Failures  Map Class
3200         2        0
Dialer pool 23 (Serial 2/0:0, )

Parameter Descriptions
Dialer1                     Name of the dialer interface.
Wait for carrier (30 secs)  Seconds to wait for carrier signal.
Default retry               Number of default call retries.
Dial String                 Dial strings used to make calls.
Successes                   Number of successful connections.
Failures                    Failed connections.
Map Class                   Name of associated map class.
Dialer pool 2, priority 0   Indicates that this interface is a member of dialer pool 2 with a priority of 0 in that pool.
Serial0                     Type of interface.

show dialer maps


This command displays dialer policies.

Syntax
show dialer maps

Mode
EXEC: XSR#

Sample Output
The following is sample output from the show dialer maps command:
Dialer maps configured on Interface <Dialer1>:
Next hop IP address: <10.10.10.2>
Remote host: <robo2>
Map class: <isdn>
Phone numbers: <2400:12>
Connection speed/type: <64k>/<On Demand>
Dialer maps configured on Interface <Dialer2>:
Next hop IP address: <20.20.20.2>
Phone numbers: <2400>
Connection speed/type: <not set>/<On Demand>

show dialer sessions


This command displays information regarding dialer sessions.

Syntax
show dialer sessions

Mode
EXEC: XSR#

Sample Output
The following is sample output from the show dialer sessions command:
XSR#show dialer sessions
ID    Interface  Type       State      MLPPP
0001  Dialer1    On Demand  IDLE       001
0002  Dialer1    Multilink  CONNECTED  001
0003  Dialer1    Incoming   CONNECTED  001
0004  Dialer0    On Demand  WAITING    000
Phone#     3100  2600
Phys Intf  Serial 2/0:30  Serial 2/0:12  D-Serial 1/0:0

Parameter Descriptions
ID         Dial session ID number - node-wide and unique. Range: 1 to 512.
Interface  Dialer interface number which has requested the dial session.
Type       Dial session type:
           - On-demand: session that handles on-demand connection requests
           - Backup: session which is requested by a backed-up interface or watched route
           - Multilink: dial session requested by a multilink group used for backup or on-demand
           - Callback: dial callback session.
           - Bandwidth: a Bandwidth-on-Demand requested connection.
State      IDLE, WAITING, CALLING or CONNECTED.
MLPPP      MLPPP group number to which the dial session belongs.
Phone No   Number used to dial out.
Phys Intf  Dialer pool port used to build a switched link with remote peer.

Dial Backup Commands

The following set of commands defines a backup dial line.

backup
This command sets backup functionality on Serial, Ethernet or sub-interfaces. You can also specify a delay before a secondary interface is brought up or down after a primary interface is brought up or down. We suggest this command be used when lines suffer intermittent disruptions causing the primary line to come up and fall temporarily. A backup delay ensures the secondary line does not come up and down prematurely.
Note: The XSR sets UTC for time-range calculation.

Syntax
backup interface dialer dialer-interface-number [delay enable-delay disable-delay [never]][time-range hh:mm hh:mm]

interface                         Dialer interface number used for backup.
delay enable-delay disable-delay  Backup enable delay, ranging from 0 to 99999999, followed by the backup disable delay, ranging from 0 to 99999999, or the keyword never indicating the backup, once enabled, is not being disabled when the primary link comes up. The enable-delay is the interval in seconds that elapses after the primary port goes down. The disable-delay is the interval in seconds that elapses after the primary port comes up.
never                             Stops the secondary port from being deactivated.
time-range hh:mm hh:mm            Backup timer range - start from hh:mm to end hh:mm. When the time range is not set, backup is always active. Otherwise it is active during the configured time range only.

Syntax of the no Form
The no form of this command removes backup from the interface:
no backup interface

Default
1 second

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example provides a 10-second delay in activating the secondary line and a 20-second delay in deactivating the secondary line when the primary serial line goes up and down.
XSR(config)#interface serial 1/1
XSR(config-if<S1/1>)#backup delay 10 20
XSR(config-if<S1/1>)#no shutdown

backup interface dialer


This command designates a Serial or Fast/GigabitEthernet interface or sub-interface as a backup dialer interface.
Caution: To configure a backup FastEthernet/GigabitEthernet interface or sub-interface, the port must be in the shutdown state.

Syntax
backup interface dialer number

number  Dialer interface number to use as the backup interface. Range: 0 to 255.

Syntax of the no Form
no backup interface dialer number

Note: Only one dialer interface can be associated with one dialer pool but one dialer pool may be associated with many dialer interfaces.

Default
Disabled

Mode
Interface configuration: XSR(config-if<xx>)#

Examples
The example below configures Dialer interface 57 as the backup for Fast/GigabitEthernet port 2:
XSR(config)#interface fastethernet 2
XSR(config-if<F2>)#backup interface dialer 57
XSR(config-if<F2>)#ip address 192.168.27.114 255.255.255.0
XSR(config-if<F2>)#no shutdown
XSR(config)#interface serial 1/2
XSR(config-if<S1/2>)#physical-layer async
XSR(config-if<S1/2>)#dialer pool-member 1
XSR(config-if<S1/2>)#no shutdown
XSR(config)#interface dialer 57
XSR(config-if<D57>)#dialer pool 1
XSR(config-if<D57>)#dialer redial attempts 3 forever
XSR(config-if<D57>)#dialer string 67921
XSR(config-if<D57>)#encapsulation ppp
XSR(config-if<D57>)#ip address 10.10.10.1 255.255.255.0
XSR(config-if<D57>)#no shutdown

Ethernet backup is applied further in the example below where Dialer interface 57 is configured as the DSL backup (PPPoE) for Fast/GigabitEthernet sub-interface 2.1; invoking the sub-interface enables PPPoE. Note that the IP address of the PPPoE caller is negotiated over PPP and the MTU size is reset to 1492 bytes to avoid Web access problems by PCs attached to the XSR.
XSR(config)#interface fastethernet 2
XSR(config-if<F2>)#no shutdown
XSR(config)#interface fastethernet 2.1
XSR(config-if<F2.1>)#backup interface dialer 57
XSR(config-if<F2.1>)#encapsulation ppp
XSR(config-if<F2.1>)#ip address negotiated
XSR(config-if<F2.1>)#ip mtu 1492
XSR(config-if<F2.1>)#no shutdown

backup time-range
This command configures a period when the backup dialer should be up and down, regardless of traffic on the line. A backup dialer port is configured to protect a primary interface and once its time range is specified, the backup dialer port can be enabled and disabled.

Syntax
backup time-range start-time end-time

start-time  Time in hh:mm when the dialer port should be enabled.
end-time    Time in hh:mm when the dialer port should be disabled.

Syntax of the no Form
The no form of this command disables the time range feature:
no backup time-range

Default
None

Mode
Interface configuration: XSR(config-if<xx>)#

Examples
The example below configures Dialer port 1 to be enabled at 6:30 a.m. and to disable itself at 11:55 p.m.
XSR(config)#interface serial 1/1
XSR(config-if<S1/1>)#backup interface dialer 1
XSR(config-if<S1/1>)#no shutdown
XSR(config-if<S1/1>)#backup time-range 06:30 23:55

show interface dialer


This command displays general information for a dialer interface.

Syntax
show interface dialer number

number  Dialer interface number ranging from 0 to 255

Mode
Privileged EXEC: XSR#

Sample Output
The example below displays output from the show interface dialer command:
XSR#show interface dialer
********** Dialer Interface Stats **********
Dialer1 is Admin Up
Internet address is 10.10.10.1, subnet mask is 255.255.255.0
Dialer1
Dialer state is: UP
Wait for carrier default: 60, default retry: 3
Dial String Success Failures Map Class
Dialer pool 3 (Serial 2/0:0, )
Free pool ISDN channels: <25>
Free pool serial ports: <0>
Neighbor Dial String 3100 Success 1 Failures 0 Map Class
Active links MLPPP group <1> to <10.10.10.2>: <5>

DOD/BOD Commands
The XSR supports the following Dial-on-Demand (DoD)/Bandwidth-on-Demand (BoD) commands.

dialer-group
This command controls dialer access by configuring an interface to belong to a specific dialing group. This access group is associated with an access list by the dialer-list command. Packets which match the dialer group trigger a connection request. That is, the destination address of packets is evaluated against one or more ACLs; if the packets pass, either a call is initiated (if no connection is already established) or the idle timer is reset (if a call is active).

Syntax
dialer-group group-number

group-number  Number of the dialer access group to which the specified interface belongs. Acceptable values are nonzero, positive integers between 1 and 10.

Syntax of the no Form
Use the no form of this command to remove an interface from the specified dialer access group:
no dialer-group

Mode
Dialer Interface configuration: XSR(config-if<Dx>)#

Example
The following example configures dialer group 7 on dialer interface 1, mapping ACL 101 to dialer list 7:
XSR(config)#interface dialer 1
XSR(config-if<D1>)#dialer-group 7
XSR(config)#access-list 101 permit ip 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0
XSR(config)#dialer-list 7 protocol ip list 101

dialer-list
This command defines a dialer list to control dialing by protocol or by a combination of protocol and Access Control List (ACL). Because IP is the sole protocol supported at this time, an ACL must be specified using the dialer-list command.

Syntax
dialer-list dialer-group protocol protocol-name list access-list-number

dialer-group        Number of a dialer access group identified in any dialer-group command, ranging from 1 to 10.
protocol-name       Only the protocol ip is supported at this time.
list                Specifies that an access list will be used for defining a granularity finer than an entire protocol.
access-list-number  Numbers specified in IP standard (1 - 99) or extended (100 - 99) access lists.

Syntax of the no Form
Use the no form of this command to delete a dialer list:
no dialer-list dialer-group [protocol protocol-name [list access-list-number]]

Mode
Global configuration: XSR(config)#

Example
The following example maps ACL 1350 to dialer list 57:
XSR(config)#access-list 57 permit ip 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0
XSR(config)#dialer-list 57 protocol ip list 1350
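
Dial-on-demand only works when the dialer-group on the interface, the dialer-list with the same number, the ACL it names, and any map class referenced by a dialer string all line up. The following is an added example, not part of the Enterasys guide: it lints a configuration session pasted in the prompt style used on this page. The function name lint_dod and both sample sessions are constructed for illustration; the numeric ranges are the ones stated on this page.

```python
import re

# Strips a prompt such as "XSR(config)#" or "XSR(config-if<D1>)#".
PROMPT = re.compile(r"^\S+?\(config[^)]*\)#\s*")

GROUP_RANGE = range(1, 11)     # dialer-group / dialer-list: 1 to 10 (per the page)
DIALER_RANGE = range(0, 256)   # interface dialer: 0 to 255 (per the page)


def lint_dod(session):
    """Return a sorted list of findings for a pasted configuration session."""
    acls = set()          # ACL numbers defined by access-list
    dialer_lists = {}     # dialer-list number -> (protocol, ACL number)
    map_classes = set()   # names defined by map-class dialer
    groups = []           # (dialer interface, dialer-group number)
    classes = []          # (dialer interface, class named on a dialer string)
    findings = []
    current = None        # dialer interface being configured, if any

    for raw in session.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[0] == "interface":
            current = None
            if len(words) >= 3 and words[1] == "dialer" and words[2].isdigit():
                current = int(words[2])
                if current not in DIALER_RANGE:
                    findings.append(f"Dialer{current}: interface number outside 0-255")
        elif words[:2] == ["map-class", "dialer"] and len(words) >= 3:
            current = None
            map_classes.add(words[2])
        elif words[0] == "access-list" and len(words) >= 2:
            acls.add(words[1])
        elif (words[0] == "dialer-list" and len(words) >= 6
              and words[2] == "protocol" and words[4] == "list"):
            dialer_lists[words[1]] = (words[3], words[5])
        elif current is not None and words[0] == "dialer-group" and len(words) >= 2:
            groups.append((current, words[1]))
        elif (current is not None and words[:2] == ["dialer", "string"]
              and "class" in words[:-1]):
            classes.append((current, words[words.index("class") + 1]))

    # Every dialer-list must be in range, use ip, and name a defined ACL.
    for number, (protocol, acl) in dialer_lists.items():
        if not number.isdigit() or int(number) not in GROUP_RANGE:
            findings.append(f"dialer-list {number}: number outside 1-10")
        if protocol != "ip":
            findings.append(f"dialer-list {number}: protocol {protocol} is not ip")
        if acl not in acls:
            findings.append(f"dialer-list {number}: ACL {acl} is not defined")
    # Every dialer-group on an interface needs a dialer-list with the same number.
    for dialer, group in groups:
        if not group.isdigit() or int(group) not in GROUP_RANGE:
            findings.append(f"Dialer{dialer}: dialer-group {group} outside 1-10")
        if group not in dialer_lists:
            findings.append(f"Dialer{dialer}: dialer-group {group} has no dialer-list")
    # Every class named on a dialer string needs a map-class dialer of that name.
    for dialer, name in classes:
        if name not in map_classes:
            findings.append(f"Dialer{dialer}: class {name} has no map-class dialer {name}")
    return sorted(findings)


# Constructed session in which every reference resolves.
GOOD_SESSION = """\
XSR(config)#access-list 101 permit ip 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0
XSR(config)#interface dialer 1
XSR(config-if<D1>)#dialer-group 7
XSR(config-if<D1>)#dialer string 4165555584 class TEST
XSR(config)#dialer-list 7 protocol ip list 101
XSR(config)#map-class dialer TEST
XSR(config-map-class<TEST>)#dialer wait-for-carrier-time 90
"""

# Constructed session with mismatched numbers and names.
BAD_SESSION = """\
XSR(config)#access-list 101 permit ip 0.0.0.0 255.255.255.255 255.255.255.255 0.0.0.0
XSR(config)#interface dialer 3
XSR(config-if<D3>)#dialer-group 7
XSR(config-if<D3>)#dialer string 4165555584 class TEST
XSR(config)#dialer-list 57 protocol ip list 1350
XSR(config)#map-class dialer 57
"""

if __name__ == "__main__":
    for finding in lint_dod(BAD_SESSION):
        print(finding)
```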

dialer called
This command maps incoming calls to one of the dialer interfaces. A maximum number of 32 called numbers per dialer interface can be configured.

Syntax
dialer called DNIS:subaddress

DNIS:subaddress  Dialed Number Identification Service, or the called party number, a colon, and the ISDN subaddress.

Syntax of the no Form
The no form of this command removes the configured number:
no dialer called DNIS:subaddress

Mode
Dialer Interface configuration: XSR(config-if<Dx>)#

Example
The following example configures a dialer profile for a receiver with DNIS 12345 and ISDN subaddress 6789:
XSR(config)#interface dialer 1
XSR(config-if<D1>)#dialer called 12345:6789

dialer caller
This command configures caller ID screening with an option providing ISDN callback. The XSR will accept calls from a specified phone number. A maximum of 32 caller numbers can be set per dialer port.
The command matches numbers starting with the least significant digits of the calling number, starting from the last digit. Typically the ISDN switch does not provide the complete calling number, only the local number (four to seven of the least significant digits).
The dialed number must be configured in the Dialer interface.

Syntax
dialer caller number [callback]

number    Phone number to screen. Limit: 32 characters.
callback  Returns the call to the dialer. This option applies to DoD applications and supports PPP and MLPPP. If used in a backup capacity, set the number of retries to 1.

Note: If the ISDN switch does not provide the calling number, callback will fail.

Syntax of the no Form
The no form of this command disables the feature:
no dialer caller number

Mode
Dialer Interface configuration: XSR(config-if<Dx>)#

Example
The following example configures the dialer caller numbers to screen:
XSR(config)#interface dialer 1
XSR(config-if<D1>)#dialer caller 5084712345

dialer idle-timeout
This command specifies the idle timeout interval before the XSR disconnects the line. The timeout trigger is based on outbound traffic only.
Caution: This command must be invoked on the called side of a link with a 0 value to ensure the link is not dropped after 120 seconds by the called side.

Syntax
dialer idle-timeout seconds

seconds  Interval before disconnecting the line, ranging from 0 to 2,147,483 seconds. Specifying 0 disables the timeout.

Syntax of the no Form
Use the no form of this command to reset the idle timeout to the default:
no dialer idle-timeout

Mode
Dialer Interface configuration: XSR(config-if<Dx>)#

Default
120 seconds

Examples
The following example resets the idle timeout:
XSR(config)#interface dialer 1
XSR(config-if<D1>)#dialer idle-timeout 300

The following example disables the idle timeout:
XSR(config-if<D1>)#dialer idle-timeout 0

dialer map
This command configures a Dialer or Integrated Services Digital Network (ISDN) interface to call one or multiple sites. Each dialer interface can be configured with a maximum of 16 different dialer maps. The command also enables spoofing on the specified dialer interface but is available in multi-point mode only.

Syntax
All options are shown in the first form of the command as follows:
dialer map protocol next-hop-address [name hostname][class map-class][spc] [speed 56 | 64][dial-string[:isdn-subaddress]]

protocol          Protocol keyword; ip is supported at this time.
next-hop-address  Protocol address used to match against addresses to which packets are destined.
name hostname     The remote system with which the local router or access server communicates. Case-sensitive name or ID of the remote device (usually the host name). It is used for incoming call mapping based on the authenticated user name negotiated under PPP.
map-class         Name of map class used to dial out.
spc               A Semi-Permanent Connection between your equipment and the exchange.
speed 56 | 64     Keyword and value indicating the line speed in kilobits per second to use. For ISDN only.
dial-string       Telephone number sent to the dialing device when it recognizes packets with the specified next hop address that matches the access lists defined.
:isdn-subaddress  Sub-address number used for ISDN multipoint connections.

Syntax of the no Form
The no form of this command deletes a particular dialer map entry:
no dialer map protocol next-hop-address [name hostname] [class map-class] [spc] [speed 56 | 64] [broadcast] [dial-string[:isdn-subaddress]]

Mode
Dialer Interface configuration: XSR(config-if<Dx>)#

Default
Speed: 64 kbps

Example
The following example configures a next hop IP address, SPC, hostname and line speed for map class AcmeMap:
XSR(config)#interface dialer 1
XSR(config-if<D1>)#dialer map ip 192.168.57.9 class AcmeMap name AcmeHost spc speed 56 12345:6789

dialer persistent
This command brings up a permanent switched connection in the absence of an interesting packet or primary line down backup dial trigger.

Syntax
dialer persistent [delay n]

n  Interval that the dial-out process is delayed after the Dialer interface boots up, ranging from 1 to 2147483 seconds.

Syntax of the no Form
The no form of this command deletes the persistent setting:
no dialer persistent

Mode
Dialer Interface configuration: XSR(config-if<Dx>)#

Default
1 second

Example
The following example configures Dialer interface 57 to be persistent for two minutes:
XSR(config)#interface dialer 57
XSR(config-if<D57>)#dialer persistent 120

dialer redial attempts

This command sets the redial trigger after failed dial attempts. With an infinite number of specified redial attempts, it is possible to physically connect a modem at any time after setting the dial trigger and still make a connection. Also, if more resources (interfaces) are available in the dialer pool, the dialer is free to redial all members of the pool.

Syntax
dialer redial attempts n interval m re-enable t [forever]

attempts   Redial attempts.
n          Number of redial attempts made if dial-up or ISDN connection establishment fails, ranging from 1 to 65535.
interval   Period between redial attempts.
m          Interval period, ranging from 5 to 2678400 seconds (31 days).
re-enable  Period for which the port is disabled if all redial tries fail.
t          Re-enable period, ranging from 5 to 2678400 seconds.
forever    Number of redial attempts applied to all members of the dialer pool in a never-ending loop if dial-up or ISDN connection establishment is unsuccessful. Redial attempts end if the dial trigger is reset or the connection is established.

Mode
Interface configuration: XSR(config-if<xx>)#

Defaults
Attempt: 1 (no redial)
Interval: 10 seconds
Re-enable: 5 seconds

Example
Assuming you have configured Serial interfaces 1/0, 1/1, and 1/2 as part of dialer pool 1, the following example sets the dialer to attempt dialing each interface five times (if all attempts are unsuccessful), indefinitely until the dial trigger is reset or a connection is successfully established.
XSR(config)#interface dialer 1
XSR(config-if<D1>)#dialer pool 1
XSR(config-if<D1>)#dialer redial attempts 5 forever

dialer remote-name
This command specifies, for a dialer interface, the PPP authenticated username of the remote router that is calling in.

Syntax
dialer remote-name username

username  Case-sensitive character string identifying the remote device with a maximum length of 255 characters.

Mode
Dialer Interface configuration: XSR(config-if<Dx>)#

Example
The following example sets the authentication name for the remote router on Dialer interface 7:
XSR(config)#interface dialer 7
XSR(config-if<D7>)#dialer remote-name Auth West

Dialer Watch Commands

dialer watch-group

This command enables Dialer Watch backup on a dialer interface with up to 16 watch groups.
Note: The XSR sets UTC for time-range calculation.

Syntax
dialer watch-group group-number

group-number  Assigned number that will point to a globally defined list of IP addresses to watch, ranging from 1 to 255.

Syntax of the no Form
Use the no form of this command to disable this feature:
no dialer watch-group group-number

Mode
Dialer Interface configuration: XSR(config-if<Dx>)#

Example
The following example configures a dialer watch group:
XSR(config-if<D3>)#dialer watch-group 57

dialer watch-list
This command adds a list of IP addresses you want monitored. Use this command with the dialer watch-group interface configuration command. The number of the group list must match the group number.
Note: The XSR sets UTC for time-range calculation.

Syntax
dialer watch-list group-number [delay route-check initial initial-delay][delay connect connect-delay][delay disconnect disconnect-delay][ip ip-address address-mask][time-range start-time end-time]

group-number         Number assigned to the list, ranging from 1 to 255.
ip                   IP is the only routed protocol supported for Dialer Watch at this time.
ip-address           IP address or address range to be applied to the list.
address-mask         IP address mask to be applied to the list.
initial-delay        The delay interval between the time when a new route is added to any dialer watch list and the start of the backup process for that route if the route fails to come up. This delay prevents the XSR from starting backup process for the configured watched routes immediately after bootup. Range: 1 to 2,147,483 seconds.
connect-delay        The delay interval between when a route set up under the watch list goes down and when the dialer subsystem starts the backup process. Range: 1 to 2,147,483 seconds.
disconnect-delay     The delay interval between when a route set up under the watch list and currently backed up comes up and when the dialer subsystem ends the backup process. Range: 1 to 2,147,483 seconds.
start-time end-time  Time range when the watch-list is set as active using the 24-hour format hh:mm for both start and the end times. The watch-list does not trigger the backup outside this time range regardless of the state of route collection.

Syntax of the no Form
Use the no form of this command to disable this feature:
no dialer watch-list group-number [delay route-check initial initial-delay][delay connect connect-delay][delay disconnect disconnect-delay][ip ip-address address-mask]

Mode
Dialer Interface configuration: XSR(config-if<Dx>)#

Default
Initial delay: 30 seconds
Connect delay: 2 seconds
Disconnect delay: 2 seconds

Example
The following example configures the dialer watch option:
XSR(config-if<D9>)#dialer watch-list 57 delay route-check initial 15 delay connect 1 delay disconnect 1 ip 192.168.69.9 255.255.255.0

Sample Output
The following is sample output from the show interface dialer command displaying dialer watch statistics:
********** Dialer1 Interface Stats **********
Internet address is 1.1.1.2, subnet mask is 255.255.255.0
Dialer1 is Admin Up, Description: <Vancouver>
Oper Status is SPOOFING
Dial stats: wait for carrier 60s, redial attempts 3, redial interval 10s
dial string: 3200, success: 0, fail: 0
Dialer pool 1 stats: member: Serial 1/3:0, available B-channels: 30, serial ports: 0
Watch-group stats:
watch-group 1, rt cnt 1, trigg cnt 1, state is UP, delays: init 10, connect 3, disconnect 3, time range 10:15 11:15 timer expires in 18h:32m:28s
watch-group 2, rt cnt 1, trigg cnt 1, state is UP, delays: init 30, connect 60, disconnect 2, time range 10:0 11:17 timer expires in 18h:17m:29s

11
ISDN BRI and PRI Commands
Observing Syntax and Conventions
The CLI syntax and conventions use the notation described in the following table.

Convention          Description
xyz                 Key word or mandatory parameters (bold)
[x]                 [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]         [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}         { | } Braces with vertical bar indicate a choice of a required value
[x {y | z} ]        [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)     xx signifies the interface type and number; e.g., F1, G3, S2/1.0, M57, BRI1/1, PRI-2/1. F indicates a FastEthernet, and G a GigabitEthernet interface.
Next Mode           Next Mode entries display the CLI prompt after a command is entered
soho.enterasys.com  Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

ISDN Commands
The following set of commands allows you to configure BRI/PRI functionality on the XSR.

interface bri
This command configures a BRI interface for each physical BRI port on the BRI NIM card. When entered, the interface bri command must be followed by the isdn switch-type command for BRI ISDN applications, or the leased-line bri command for BRI leased line applications. If none of the above commands are issued BRI ports are non-operational.

Syntax
interface bri board/slot/port

board/slot/port  BRI board, slot, and port numbers. For leased line applications: 1 for B1 and 2 for B2. Sub-ports are added by the leased-line [56 | 64] command.

Syntax of the no Form
no interface bri board/slot

Mode
Global configuration: XSR(config)#

Next Mode
BRI Interface configuration: XSR(config-if<BRI-xx>)#

Example
The following example acquires BRI B-channel 1 interface mode:
XSR(config)#interface bri 1/1
XSR(config-if<BRI-1/1>)#

isdn answer1, isdn answer2 (BRI)


This command, isdn answer1, directs the XSR to screen a called party or sub-address number in the incoming setup message for ISDN BRI calls. Issue the isdn answer1 or 2 command to filter incoming calls based on the called party or sub-address number.
If you do not specify this command, all calls are processed or accepted. If you specify the command, the XSR must verify the incoming called party number and the sub-address before processing and/or accepting the call. The verification proceeds from right to left for the called party number; it also proceeds from right to left for the sub-address number.
You can configure the called party number only or the sub-address. In such a case, only the configured value is verified. To configure a sub-address only, include the colon (:) before the sub-address number.
Note: This command is applicable to the BRI ETSI switch only.

Syntax
isdn answer1 [called-party-number][:subaddress]

called-party-number  Telephone number of the called party. At least one value, called-party-number or subaddress, must be specified. This value can total no more than 50 digits.
:                    Number that follows as a sub-address. The colon (:) sets both called party and sub-address, or sub-address only.
subaddress           Sub-address number used for ISDN multipoint connections. At least one value, called party or sub-address, must be set. The sub-address can total no more than 50 digits.

Syntax of the no Form
Use the no form of this command to remove the verification request:
no isdn answer1 [called-party-number][:subaddress]

Default
No verification of either number

Mode
BRI Interface configuration: XSR(config-if<BRI-xx>)#

Examples
The following example configures BRI interface 1/1 with called party and sub-address numbers:
XSR(config)#interface bri 1/1
XSR(config-if<BRI-1/1>)#isdn answer1 6171234:5678

The following example configures BRI interface 2/0 with a sub-address number only:
XSR(config)#interface bri 2/0
XSR(config-if<BRI-2/0>)#isdn answer1 :5678
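
Both dialer caller and isdn answer1 compare numbers from the last digit leftwards, so how much of a number is really verified depends on how many digits the switch delivers. The model below is an added example, not XSR code: the function names are hypothetical, and it assumes that the comparison stops when the shorter number runs out and that an absent number never matches. The phone numbers are the ones used in the examples on this page plus constructed variants.

```python
def compared_digits(configured, presented):
    """Digits verified by a right-to-left comparison; 0 means no match.

    Assumption: the comparison ends when the shorter string is exhausted.
    """
    span = min(len(configured), len(presented))
    for i in range(1, span + 1):
        if configured[-i] != presented[-i]:
            return 0
    return span


def caller_accepts(screen_list, calling_number):
    """Model of dialer caller: accept if any configured number matches."""
    if not screen_list:
        # The page does not describe behaviour with no dialer caller entries.
        raise ValueError("no dialer caller entries to model")
    return any(compared_digits(n, calling_number) for n in screen_list)


def answer_accepts(entries, called, subaddress):
    """Model of isdn answer1/answer2 with entries like '6171234:5678'."""
    if not entries:
        return True   # per the page: without the command all calls are accepted
    for entry in entries:
        want_called, _, want_sub = entry.partition(":")
        # Only the configured half of an entry is verified.
        called_ok = not want_called or compared_digits(want_called, called) > 0
        sub_ok = not want_sub or compared_digits(want_sub, subaddress) > 0
        if called_ok and sub_ok:
            return True
    return False


def screening_report(configured, delivered_numbers):
    """Map each number as delivered by the switch to (accepted, digits verified)."""
    report = {}
    for delivered in delivered_numbers:
        digits = compared_digits(configured, delivered)
        report[delivered] = (digits > 0, digits)
    return report


if __name__ == "__main__":
    # Constructed deliveries of calling numbers against 'dialer caller 5084712345'.
    samples = ["5084712345", "4712345", "2345", "4719999"]
    for number, result in screening_report("5084712345", samples).items():
        print(number, result)
```

Under this model a switch that delivers only four digits means only four digits are verified, which is why caller ID screening is normally combined with PPP authentication such as the authentication chap setting used in the dialer examples.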

isdn bchan-number-order (PRI)


This command configures an ISDN PRI interface to choose an outgoing call in either ascending or descending order. The XSR selects the lowest or highest available B-channel starting at either channel B1 (ascending) or channel B23 for a T1 and channel B30 for an E1 (descending). Use this command only if your service provider requests it to decrease the probability of call collisions.

Syntax
isdn bchan-number-order {ascending | descending}

ascending   Selects the outgoing B-channel in ascending order as follows: 1 to 24 for a T1 and 1 to 31 for an E1 card.
descending  Selects the outgoing B-channel in descending order as follows: 24 to 1 for a T1 and 31 to 1 for an E1 card.

Syntax of the no Form
To restore the default, use the no form or simply reconfigure the interface with the new value:
no isdn bchan-number-order

Default
Descending

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example sets the T1 controller to make call selections in ascending order:
XSR(config)#controller t1 1/0/0
XSR(config-controller<T1-1/0:0>)#description T1 at Acme
XSR(config-controller<T1-1/0:0>)#framing esf
XSR(config-controller<T1-1/0:0>)#linecode b8zs
XSR(config-controller<T1-1/0:0>)#pri-group
XSR(config-controller<T1-2/1>)#isdn bchan-number-order ascending

isdn call
This command is used for debugging purposes only to test call setup procedures with a Central Office ISDN switch or test equipment. It is automatically disconnected after 30 seconds.
Note: Enter this command in Privileged EXEC, not Global configuration mode.

Syntax
isdn call c/p [board/slot/port] dialing-string [56 | 64]

c/p             BRI or PRI port ID.
dialing-string  Called phone number and sub-address.
56              Call placed at 56 kbps rate.
64              Call placed at 64 kbps rate.

Mode
Privileged EXEC: XSR#

Example
The following example initiates an ISDN call on BRI port 2/1 at 56 kbps:
XSR#isdn call 2/1:61712345678 56
<186>Jul 28 22:49:51 10.10.10.20 ISDN: No Channel Available For Test Call

isdn calling-number
This command configures an ISDN PRI or BRI interface to include caller number in the outgoing setup message. This billing number is used for non-Fully Initializing Terminals (FIT) outside North America only because the isdn spid1/2 command already configures the LDN.
A PRI or BRI port can have only one ISDN calling number entry. For ISDN PRI, this command is intended for use when the network offers better pricing on calls in which devices present the caller number. When configured, the calling number is included in the outgoing setup message.

Note: There is no mechanism to mark outgoing calls with the Calling Number and Calling Subaddress for call routing on the receiving end.

Syntax
isdn calling-number calling-number:subaddress

calling-number  Number of the device making the outgoing call. Only one entry is allowed.
:subaddress     Extension of the phone number.

Syntax of the no Form
no isdn calling-number

Mode
BRI Interface configuration: XSR(config-if<BRI-x>)#

Example
The following example specifies a calling number for the XSR:
XSR(config)#interface bri 1/0
XSR(config-if<BRI-1/0>)#isdn calling-number 5088781234

isdn disconnect
This command is used for debugging purposes to test ISDN connectivity. It sets up an ISDN data call to test call setup procedures with a Central Office ISDN switch or test equipment. It is used to disconnect a call before automatic disconnect occurs in 30 seconds or if a call is not dropped.
Note: Enter this command in Privileged EXEC, not Global configuration mode.

Syntax
isdn disconnect c/p channel_number

c/p             BRI or PRI port ID.
channel_number  BRI: 1 or 2, E1 PRI: 0 to 31, T1 PRI: 0 to 22.

Mode
Privileged EXEC: XSR#

Example
The following example sets up a test call on channel 24 on BRI port 1/1:
XSR#isdn disconnect 1/1 24
<186>Jul 28 22:49:51 10.10.10.20 ISDN: No Channel Available For Test Call

isdn spid1, isdn spid2 (BRI)


This command specifies the Service Profile Identification Number (SPID) which is supplied by your ISDN service provider.
North America (NOAM) ISDN switches use Fully Initializing Terminals (FIT) service which requires the CPE to register its SPID with the Central Office (CO) before service can begin.

Syntax
isdn spid1 spid-number {max digits | ldn} {max digits}
isdn spid2 spid-number {max digits | ldn} {max digits}

spid-number    Number of the service to which you have subscribed, up to 26 digits. Assigned by the ISDN service provider, it is a 7 to 10 digit phone number with additional prefix and suffix digits such as 905361707001. If a SPID is set to 0 and the no isdn autodetect command was issued (autodetect not active), then the line is assumed to be No FIT type and will not attempt registration with the CO.
ldn            This Local Directory Number is a 7 or 10 digit number assigned by the service provider. It is also used for setting the calling number for outgoing calls.

Syntax of the no Form


The no form of this command removes the SPID number:
no isdn spid1 {max digits | ldn} {max digits}
no isdn spid2

Mode
BRI Interface configuration: XSR(config-if<BRI-x>)

Example
The following example specifies a SPID and LDN for the B1 channel:
XSR(config-if<BRI-2/1>)#isdn spid1 508876123401 5088761234

isdn switch-type (BRI/PRI)


This command sets the central office switch type for the ISDN port, and triggers the creation of the following three dedicated serial interfaces: slot/card/port:0, slot/card/port:1 and slot/card/port:2 for the D, B1 and B2 channels, respectively. Because this command does not have a no form, you can only replace the switch with another, not remove it. The show interface command displays the ISDN interface status.

Note: This command is valid only after the pri-group command was issued.

Syntax
isdn switch-type switch-type

switch-type    {basic-dms100 | basic-ni1 | basic-ntt | basic-net3 | primary-net5 | primary-ni2 | primary-5ess | primary-dms100 | primary-ntt}

BRI Switch Types:
basic-dms100      North America legacy ISDN switch.
basic-ni1         National ISDN 1 switch for North America.
basic-5ess        North America legacy ISDN switch: not supported.
basic-ntt         Switch for ISDN in Japan.
basic-net3        ETSI compliant switch for EuroISDN.

PRI Switch Types:
primary-net5      ETSI compliant switch for EuroISDN.
primary-ni2       T1 National ISDN switch type (T1 default).
primary-5ess      T1 NOAM legacy switch.
primary-dms100    T1 NOAM legacy switch.
primary-ntt       T1/J1 ISDN switch for Japan.

Syntax of the no Form


The no form of this command deletes the three serial interfaces:
no isdn switch-type

Defaults
BRI: basic-net3
PRI: primary-net5
E1: primary-net5
T1: primary-ni2
J1: primary-ntt

Mode
BRI/PRI Interface configuration: XSR(config-if<BRI/PRI-xx>)#

Example
The following example selects a switch type on the BRI 1/1 interface:
XSR(config)#interface bri 1/1
XSR(config-if<BRI-1/1>)#isdn switch-type basic-net3

leased-line bri
This command sets up an ISDN BRI port for leased line operation. Leased line service at 64 or 128 kbps via BRI is provided in Japan and Germany. The 56 and 112 kbps speeds are provided for eventual North American deployment of this service.
Once a BRI interface is configured for access over leased lines, it is no longer a dialer interface, and signaling over the D channel no longer applies. Although the interface is called interface BRI, it is configured as a synchronous serial port and all serial port commands are available.
This command creates a serial interface that is configured as a standard serial port. It can be issued once for speeds equal to and higher than 112 as both B channels are bound to the created serial interface. For 56 and 64 bps speeds, the command can be issued twice to create individual serial interfaces :1 and :2 for B1 and B2, respectively.
After you enter the command, you must exit BRI configuration mode and configure the channels by entering interface bri [board/port:1] or interface bri [board/port:2]. These Bearer ports are configured as regular synchronous serial interfaces.

Note: The shutdown/no shutdown channel commands are overridden by the interface bri shutdown/no shutdown commands.

Syntax
leased-line bri speed {56 | 64 | 112 | 128 | 144}

56 | 64            Two streams are supported, one on each B channel.
112 | 128 | 144    One stream is supported over the bonded B1+B2 or B1+B2+D channels.

Syntax of the no Form


The no form of this command cancels leased line BRI by deleting the earlier created serial interface and returning to the basic-net3 ISDN switch type:
no leased-line bri

Default
CMD/switch type basic-net3

Mode
BRI Interface configuration: XSR(config-if<xx>)#

Examples
The following example configures two data streams on leased line BRI interface 1/1 at 56 kbps with PPP encapsulation:
XSR(config)#interface bri 1/1
XSR(config-if<BRI-1/1>)#leased-line 56
XSR(config)#interface bri 1/1:1
XSR(config-if<BRI-1/1:1>)#ip address 1.1.1.2 255.255.255.0
XSR(config-if<BRI-1/1:1>)#encapsulation ppp

The following example configures BRI B-channel 2:
XSR(config)#interface bri 1/1:2
XSR(config-if<BRI-1/1:2>)#ip address 1.1.1.3 255.255.255.0
XSR(config-if<BRI-1/1:2>)#encapsulation frame-relay

The following example configures one data stream on leased line BRI interface 1/1 at 112 kbps with Frame Relay encapsulation:
XSR(config)#interface bri 1/1
XSR(config-if<BRI-1/1>)#leased-line 112
XSR(config)#interface bri 0/1/2:1
XSR(config-if<BRI-1/2:1>)#ip address 1.1.1.3 255.255.255.0
XSR(config-if<BRI-1/2:1>)#encapsulation frame-relay

pri-group
This command configures a T1/E1 port to ISDN PRI on a channelized E1/T1 card. All 23 T1 or 30 E1 timeslots are assigned to ISDN control.

Syntax
pri-group

Syntax of the no Form


The no form of this command deregisters the T1/E1 controller from the ISDN controller. Use the no form to remove the ISDN PRI and restore the T1/E1 controller to its default mode:
no pri-group

Mode
Controller configuration: XSR(config-controller<T/Exx>)#

Example
The following NFAS example configures PRI with D-channel backup:
XSR(config)#controller t1 1/0
XSR(config-controller<T1-1/0>)#pri-group


shutdown (BRI)
This command forces all data calls to be disconnected and signals all internal XSR resources that the port is not available.

Syntax
shutdown [board/slot/port]

board/slot/port    XSR board, slot and port numbers.

Syntax of the no Form


no shutdown [board/slot/port]

Mode
Interface configuration: XSR(config)#shutdown

ISDN Debug and Show Commands

debug isdn
This command initiates a Layer 2 or 3 ISDN debug session to trace failed calls at the D-channel level. Issuing the command has the effect of locking out debugging by any other Telnet or Console connection. If both Layer 2 (Q921) and 3 (Q931) choices are selected, tracing will display both layers.
Note: To prevent unauthorized personnel from observing the debug session on the network, only users with privilege level 15 can issue this command.

You can exit the debug session either by issuing the no debug isdn command or terminating the Telnet or Console session.
Optionally, you can set a limit of up to 9999 messages which will display at the CLI after which the debug session will end. If the limit is not specified, after 100 displayed messages, the no debug isdn command will automatically be run. The limit parameter is a global value that is refreshed each time debug isdn is entered.

Syntax
debug isdn slot/card/port Q931 | Q921 [limit {10-9999}]

slot/card/port    ISDN board, slot, and port numbers.
Q931              Layer 3 protocol tracing enabled for a port issue.
Q921              Layer 2 protocol tracing enabled for a port issue.
limit             ISDN debug session exits after all messages display.
10-9999           Number of messages displayed during a debug session.


Syntax of the no Form


The no form of this command removes ISDN message tracing. You may choose to issue the command with all or no parameters selected.
no debug isdn slot/card/port Q931 | Q921 [limit {10-9999}]

Default
Messages: 100

Mode
EXEC Configuration: XSR

Examples
The following example configures Layer 3 ISDN debugging on the specified interface:
XSR#debug isdn 0/1/0 q931
ISDN-DBG 0/1/0 Enable Q931 Tracing

show controllers bri


This command displays physical line data concerning Basic Rate Interface (BRI) sub-interfaces.

Syntax
show controllers bri [board/slot/port] [:channel number]

board/slot/port    XSR board, slot and port numbers:
                   <1-2>/<0-1> Card, port and D channel or,
                   <1-2>/<0-1>:<0-2> Card, port and channel (0 = D, 1 = B1, 2 = B2).

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Example
The following output is produced for BRI sub-interface 2/1:0
XSR#show controllers bri 2/1:0
Forward Engine Serial Layer Tx/Rx Stats:
RX FROM UPPER LAYER & TX TO DRIVER
Pcks Rx = 0 Pcks Tx = 0 Pcks Discarded = 0
RX FROM DRIVER & TX TO UPPER LAYER
Pcks Rx = 0 Pcks Tx = 0 Pcks Discarded = 0
Packet Processor Tx Scheduler Stats:
0 Packet driver Tx OK
0 Packet driver not Tx: MUX END_ERR_BLOCK
0 Packet driver not Tx: MUX ERROR
0 Packet driver not Tx: Unknown Msg from MUX

The unit number is 167772177.
The interrupt number is 27.
General: SCC 4 parm ram = 0xa0290f00, reg = 0xa0291660
TX RING ENTRIES:
The data ring starts at 0xa0290200.
TxDRNum = 16, pTxMblkDR = 0x010fc120, TxDRIdx = 0 TxDRCleanIdx = 0
(-2) CmdStsLen 0x00000000, pBuf 0x00000000
(-1) CmdStsLen 0x00000000, pBuf 0x00000000
( 0) CmdStsLen 0x00000000, pBuf 0x00000000
( 1) CmdStsLen 0x00000000, pBuf 0x00000000
( 2) CmdStsLen 0x00000000, pBuf 0x00000000
[...]

RX RING ENTRIES:
The data ring starts at 0xa02901c0.
RxDRNum = 8, pRxMblkDR = 0x00ffd200, RxDRIdx = 0
RxBuffSize = 1728, RxBuffOffset = 160
(-2) CmdStsLen 0x80000000, pBuf 0x21e146e0
(-1) CmdStsLen 0xa0000000, pBuf 0x21e14da0
( 0) CmdStsLen 0x80000000, pBuf 0x21e11e60
( 1) CmdStsLen 0x80000000, pBuf 0x21e12520
( 2) CmdStsLen 0x80000000, pBuf 0x21e12be0
[...]

show interface bri


This command displays the status of the B and D channels serial driver. Generally speaking, BRI channels are displayed exactly as standard serial ports and PRI channels are displayed as standard T1/E1/ISDN PRI serial channels.
If the B channel is not connected by an active call, the OPER state will be down. The D channel will display L1 and L2 status in addition to standard output.
To display the D or B channels use the following commands:
BRI: show interface bri 1/0 or show interface bri 1/0:0 for D channel
PRI: show interface serial 2/1:23 for T1 D channel
PRI: show interface serial 2/1:15 for E1 D channel
PRI: show interface serial 2/1:0 - 22 for T1 B channels
PRI: show interface serial 2/1:0 - 14,16-30 for E1 B channels

Use the following table for reference.

Table 11-1 Channel Number Mappings

        Enterasys Channel Numbering     Service Provider Channel Numbering
        B-channels       D-channel      B-channels     D-channels
T1      0-22             23             1-23           24
E1      0-30 (not 15)    15             1-31           16
BRI     1, 2             0              1, 2

Syntax (PRI)
show interface bri [card/port]:[channel number]

:channel number    Valid channel numbers are: E1: 0 to 30 (D channel: 15), T1: 0 to 22 (D channel: 23)

Syntax (BRI)
show interface bri [card/port]:[channel number]

channel number     1 and 2 (0 is the D channel)

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following output is displayed for the BRI interface 1/1:0:
********** Serial Interface Stats **********
D-Serial 1/1:0 is Admin Up / Oper Down
********************** ISDN Stats ISDN-BRI 1/1 *********************
Layer 1: DOWN Layer 2: DOWN State: OFFLINE Admin Up Oper Down
Term. 1 Spid:2200555 State: OFFLINE Cause: 000
Term. 2 Spid:2201555 State: OFFLINE Cause: 000
Total Length = 257
The name of this device is bri1/1/0.
The card is 1.
The port is 1.

The following output is displayed for the PRI interface 2/1:
********************** ISDN Stats ISDN-PRI 21 *********************
Layer 1: UP Layer 2: UP State: ONLINE Admin Up Oper Up
Standard output of the command follows but is not displayed here.

The following output is displayed for the BRI interface 2/1:
XSR#sh interface bri 2/1
********** Serial Interface Stats **********
D-Serial 2/1:0 is Admin Down / Oper Down
********************** ISDN Stats ISDN-BRI 2/1 *******************
Layer 1: DOWN Layer 2: DOWN State: OFFLINE Admin Down Oper Down
The name of this device is bri2/1/0.
The card is 2.
The port is 1.
The channel is 0.
The current MTU is 1506.
The device is in polling mode, and is INACTIVE.
The channel is logically INACTIVE.
The operational state is OPER_DOWN.
The protocol used is LAPD.
The baud rate is 16000 bits/sec.
The device uses CRC-16 for Tx.
The device uses CRC-16 for Rx.
Other Interface Statistics:
ifindex 0
ifType 75
ifAdminStatus 1
ifOperStatus 2
ifLastChange 00:00:00
ifInOctets 0
ifInUcastPkts 0
ifInNUcastPkts 0
ifInDiscards 0
ifInErrors 0
ifInUnknownProtos 0
ifOutOctets 0
ifOutUcastPkts 0
ifOutNUcastPkts 0
ifOutDiscards 0
ifOutErrors 0
ifOutQLen 16


show isdn history


This command displays past ISDN actions on the XSR.

Syntax
show isdn history [board/slot/port]

board/slot/port    XSR board, slot and port numbers.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following output displays incoming and outgoing call data for BRI interface 1/0 and its sub-interfaces:
XSR#show isdn history 1/0
********************** ISDN Call History ISDN-BRI 1/0 **********************
Channel        Dir       Start Time    End Time      Cause  Phone Num
BRI 1/0:2      INCOMING  07:23:10:135  07:23:40:158  016    2100
BRI 1/0:1      OUTGOING  07:23:09:817  07:23:39:983  016    2100
BRI 1/0:1      OUTGOING  06:32:21:351  06:32:24:947  016    2100
BRI 1/0:1      OUTGOING  06:31:09:214  06:31:11:804  016    2100
BRI 1/0:1      INCOMING  06:31:00:856  06:31:02:296  016    No CALLING Num.
BRI 1/0:1      INCOMING  06:24:59:093  06:25:03:116  016    No CALLING Num.
BRI 1/0:2      INCOMING  06:21:03:982  06:21:07:906  016    2100
BRI 1/0:1      OUTGOING  06:21:03:719  06:21:07:906  016    2100

The following output displays incoming call data for PRI interface 2/0 and sub-interfaces 23-30:
XSR#show isdn history 2/0
********************** ISDN Call History ISDN-PRI 2/0 **********************
Channel        Dir       Start Time    End Time      Cause  Phone Num
Serial 2/0:30  INCOMING  20:15:33:888  20:15:51:276  016    No CALLING Num.
Serial 2/0:29  INCOMING  20:15:33:874  20:15:51:142  016    No CALLING Num.
Serial 2/0:28  INCOMING  20:15:33:880  20:15:51:047  016    No CALLING Num.
Serial 2/0:27  INCOMING  20:15:33:870  20:15:50:924  016    No CALLING Num.
Serial 2/0:26  INCOMING  20:15:33:866  20:15:50:835  016    No CALLING Num.
Serial 2/0:25  INCOMING  20:15:33:860  20:15:50:709  016    No CALLING Num.
Serial 2/0:24  INCOMING  20:15:33:856  20:15:50:621  016    No CALLING Num.
Serial 2/0:23  INCOMING  20:15:33:853  20:15:50:486  016    No CALLING Num.

Parameter Descriptions
Cause        Cause code describing why the call was disconnected.
Phone Num    Calling number for incoming calls and called number for outgoing calls.


show isdn active


This command displays current call information of all BRI or PRI ports, or only the selected port specified by board/slot/port identifier.

Syntax
show isdn active [board/slot/port]

board/slot/port    XSR board, slot and port numbers.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following output displays current call data on BRI interface 1/0:
XSR#show isdn active 1/0
************************** ISDN Stats ISDN-BRI 1/0 **********************
Layer 1: UP Layer 2: UP State: ONLINE Admin Up Oper Up
Ch No  State      Dir       Speed  Called / Start      Calling / Destination  Cause
1      CONNECTED  OUTGOING  64     2100 07:27:52:314   Outgoing Test Call     0
2      CONNECTED  INCOMING  64     2100 07:27:52:686   2100 Unknown Call      0

Parameter Descriptions
Call Type                  Type of call: INCOMING for incoming, OUTGOING for outgoing or when call direction cannot be determined.
Calling or Called Phone    Number for outgoing call displays.
                           10 least significant digits of called number : 8 least significant digits of called subaddress.
                           The following parameters are for incoming call displays:
                           10 least significant digits of calling number : 8 least significant digits of the calling subaddress. If the incoming SETUP message does not carry the relevant information element, nothing will be printed.
Destination                Specifies the Dialer interface/Dialer session that handles the call. The name display is limited to 10 characters.
Speed                      56 or 64.
B/S/P                      Port ID Board/Slot/Port.
Cause                      3-digit number from 0 to 127 sent by the CO in a Cause Information Element. Refer to the table in the Configuring ISDN chapter of the XSR User's Guide for Cause Code explanations.
Start                      Call start date and time.
End                        Call end time.

show isdn service


This command displays the service status of all or selected ISDN ports.

Syntax
show isdn service [board/slot/port]

board/slot/port    XSR board, slot and port numbers.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Parameter Descriptions
Layer 1 Status    ACTIVE | DEACTIVE | PENDING (Active: cable up and line synchronized)
Layer 2 Status    LAPD: UP | DOWN; State: OFFLINE (Offline: ISDN is not registered with SPIDs or SPIDs not required)

Examples
The following example displays statistics from the BRI NOAM port:
XSR#show isdn service 1/1
********************** ISDN Service ISDN-BRI 1/1 ********************
Layer 1: UP Layer 2: UP State: ONLINE Admin Up Oper Up
Term. 1 Spid:2200555 State: ONLINE Cause: 000
Term. 2 Spid:2201555 State: ONLINE Cause: 000
Ch No State     Ch No State     Ch No State     Ch No State     Ch No State
1     IDLE      2     IDLE

The following example shows output from BRI port 1/0:
#show isdn service 1/0 (BRI)
********************** ISDN Service ISDN-BRI 1/0 ********************
Layer 1: UP Layer 2: UP State: ONLINE Admin Up Oper Up
Ch No State     Ch No State     Ch No State     Ch No State     Ch No State
1     IDLE      2     IDLE

The following example shows output from PRI port 2/0:
XSR#show isdn service 2/0
********************** ISDN Service ISDN-PRI 2/0 ********************
Layer 1: UP Layer 2: UP State: ONLINE Admin Up Oper Up
Ch No State     Ch No State     Ch No State     Ch No State     Ch No State
0  CONNECTED    1  CONNECTED    2  CONNECTED    3  CONNECTED    4  CONNECTED
5  CONNECTED    6  CONNECTED    7  CONNECTED    8  CONNECTED    9  CONNECTED
10 CONNECTED    11 CONNECTED    12 CONNECTED    13 CONNECTED    14 CONNECTED
15 D-channel    16 CONNECTED    17 CONNECTED    18 CONNECTED    19 CONNECTED
20 CONNECTED    21 CONNECTED    22 CONNECTED    23 CONNECTED    24 CONNECTED
25 CONNECTED    26 CONNECTED    27 CONNECTED    28 CONNECTED    29 CONNECTED
30 CONNECTED


12
Configuring Quality of Service
Observing Syntax and Conventions
The CLI Syntax and conventions use the notation described in the following table.

Convention            Description
xyz                   Keyword or mandatory parameters (bold)
[x]                   [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]           [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}           { | } Braces with vertical bar indicate a choice of a required value
[x {y | z}]           [{ | }] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)       xx signifies the interface, class map, policy map or other value you specify; e.g., F1, G3, S2/1.0, <Your Name>. F indicates a FastEthernet, and G a GigabitEthernet interface.
soho.enterasys.com    Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

Next Mode entries display the CLI prompt after a command is entered.
Sub-command headings are displayed in red text.

QoS Commands
The following set of commands configure Quality of Service (QoS) values for the XSR:
Policy-Map Commands on page 12-84.
Class-map Commands on page 12-101.
QoS Show Commands on page 12-105.


service-policy
This command attaches a policy map to an output or input interface. You can attach a single policy map to one or more interfaces.

Syntax
service-policy [input | output] policy-map-name

policy-map-name    Attaches the specified policy map onto the output port.

Syntax of the no Form


The no form of the command removes a policy map from the interface:
no service-policy [input | output]

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example associates policy map ACMEpolicy with Serial 1/0:
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#service-policy output ACMEpolicy

Policy-Map Commands

policy-map
This command creates or modifies a policy map that can be attached to one or more interfaces to specify a service policy. Sub-commands associated with this command are:
bandwidth - Specifies the bandwidth allocated for a class belonging to a policy map. Go to page 12-86 for the command definition.
class - Specifies the criteria for classifying traffic. Go to page 12-87 for the command definition.
police - Configures traffic policing. Go to page 12-89 for the command definition.
priority - Prioritizes a class of traffic belonging to a policy map. Go to page 12-90 for the command definition.
queue-limit - Specifies the peak number of packets the queue can hold for a class policy configured in a policy map. Refer to page 12-91 for the command definition.
random-detect (RED) - Enables Random Early Detect on an interface. Refer to page 12-92 for the command definition.
random-detect (WRED) - Enables Weighted Random Early Detect on an interface. Refer to page 12-93 for the command definition.
random-detect dscp - Specifies the DSCP value. Refer to page 12-93 for the command definition.
random-detect exponential-weighting-constant - Configures the WRED exponential weight factor for the average queue size calculation. Refer to page 12-95 for the command definition.
random-detect precedence - Configures WRED minimum and maximum threshold and maximum drop probability values for an IP precedence value. Go to page 12-96 for the command definition.
set cos - Marks the IEEE 802.1 priority in the header of output VLAN packets with a Class of Service (CoS) matching clause. Go to page 12-97 for the command definition.
set ip dscp - Marks a packet by setting the IP Differentiated Services Code Point (DSCP) parameter. Go to page 12-98 for the command definition.
set ip precedence - Sets the precedence value in the IP header. Go to page 12-99 for the command definition.
shape - Enables and configures traffic shaping on a class. Go to page 12-100 for the command definition.

Use the policy-map command to specify the name of the policy map to be created, added to, or modified before you can configure policies for classes whose match criteria are defined in a class map. Invoking the policy-map command enables QoS Policy-Map configuration mode in which you can configure or modify the class policies for that policy map.
You can configure class policies in a policy map only if the classes have match criteria defined for them. You use the class-map and match commands to configure the match criteria for a class. You can configure up to 64 class policies in a policy map.
A single policy map can be attached to multiple interfaces concurrently. If you attempt to attach a policy map to an interface and available bandwidth on the interface cannot accommodate the total bandwidth requested by class policies comprising the policy map, the interface becomes oversubscribed. In such a case, when classes try to send with all of their bandwidth, some classes may be unable to transmit.
Whenever you modify class policy in an attached policy map, CBWFQ is notified and the new classes are installed as part of the policy map in the CBWFQ system.

Syntax
policy-map policy-map-name

policy-map-name    Name of the policy map.

Syntax of the no Form


Use the no form of this command to delete a policy map:
no policy-map policy-map-name

Mode
Global configuration: XSR(config)#

Next Mode
Policy-Map configuration: XSR(config-pmap-<xx>)#


Example
These commands create class map class1 and define its match criteria:
XSR(config)#class-map class1
XSR(config-cmap<class1>)#match access-group 136

These commands create the policy map which is defined to contain policy specifications for class1 and the default class:
XSR(config)#policy-map policy1
XSR(config-pmap<policy1>)#class class1
XSR(config-pmap-c<class1>)#bandwidth 2000
XSR(config-pmap-c<class1>)#queue-limit 40
XSR(config-pmap<policy1>)#class class-default
XSR(config-pmap-c<class-default>)#queue-limit 20

bandwidth
This command specifies or modifies the bandwidth allocated for a class belonging to a policy map. It is used in conjunction with a class defined by the class-map command. The bandwidth command specifies the bandwidth for traffic in that class. Class-Based Weighted Fair Queueing (CBWFQ) derives the weight for packets belonging to the class from the bandwidth allocated to the class. CBWFQ then uses the weight to ensure that the queue for the class is serviced fairly.
The amount of bandwidth can be specified in percentages or kilobits per second (kbps). When configured in kbps, the class weight is calculated as a ratio of the bandwidth specified for that class over the available link bandwidth. The available link bandwidth is equal to the interface bandwidth minus the sum of all bandwidth reserved for low-latency queues. When configured in percentages, the class weight is equal to the bandwidth percentages.
Configuring bandwidth in percentages is most useful when the underlying link bandwidth is unknown, changes over time, or the relative class bandwidth distributions are known. For interfaces that have adaptive shaping rates, CBWFQ can be set by configuring class bandwidths in percentages.
The following restrictions apply to the bandwidth command:
If the percent keyword is used, the sum of class bandwidth percentages cannot exceed 100%.
The amount of bandwidth set should be large enough to also accommodate Layer 2 overhead.
A policy map can have all the class bandwidths specified in kbps or all the class bandwidths specified in percentages, but not a mix of both. But, the unit for the priority command in the priority class can be different from the bandwidth unit of the CBWFQ.
Note: When the bandwidth of an interface is insufficient to satisfy the bandwidth of a policy map, the interface becomes oversubscribed and some CBWFQ classes may become unable to transmit.

Syntax
bandwidth {bandwidth-kbps | percent percent}

bandwidth-kbps    Amount of bandwidth, in kbps, assigned to the class.
percent           Available bandwidth percentage assigned to the class.


Syntax of the no Form


Remove the bandwidth specified for a class by using the no form of this command:
no bandwidth

Mode
Policy-Map Class configuration: XSR(config-pmap-c<xx>)#

Example
The following example specifies a bandwidth of 2000 Kbps for polmap6:
XSR(config)#policy-map polmap6
XSR(config-pmap<polmap6>)#class acl22
XSR(config-pmap-c<acl22>)#bandwidth 2000
XSR(config-pmap-c<acl22>)#queue-limit 30
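
The bandwidth rules above can be checked offline before a policy map is attached. The following Python sketch is an added example, not code from this guide or from the XSR firmware: the ClassPolicy model, the check_policy_map function and the 2048 kbps interface speed are assumptions made for illustration. It computes CBWFQ class weights the way the text describes and reports the restrictions a policy map violates.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

MAX_CLASS_POLICIES = 64  # limit the guide states for one policy map


@dataclass
class ClassPolicy:
    """One class entry of a policy map (hypothetical model, not an XSR API)."""
    name: str
    bandwidth_kbps: Optional[int] = None     # "bandwidth <kbps>"
    bandwidth_percent: Optional[int] = None  # "bandwidth percent <n>"
    priority_kbps: Optional[int] = None      # "priority <level> <kbps>" (low-latency queue)


def check_policy_map(classes: List[ClassPolicy],
                     interface_kbps: int) -> Tuple[Dict[str, float], List[str]]:
    """Return (class weights as fractions, list of problems found)."""
    problems: List[str] = []
    weights: Dict[str, float] = {}

    if len(classes) > MAX_CLASS_POLICIES:
        problems.append(f"{len(classes)} class policies exceed the limit of {MAX_CLASS_POLICIES}")

    in_kbps = [c for c in classes if c.bandwidth_kbps is not None]
    in_pct = [c for c in classes if c.bandwidth_percent is not None]
    if in_kbps and in_pct:
        # All class bandwidths must use one unit; weights are undefined otherwise.
        problems.append("class bandwidths mix kbps and percent")
        return weights, problems

    # Available link bandwidth = interface bandwidth minus low-latency reservations.
    reserved = sum(c.priority_kbps or 0 for c in classes)
    available = interface_kbps - reserved

    if in_pct:
        total = sum(c.bandwidth_percent for c in in_pct)
        if total > 100:
            problems.append(f"class percentages sum to {total}%, above 100%")
        # In percent mode the weight is the configured percentage itself.
        weights = {c.name: c.bandwidth_percent / 100.0 for c in in_pct}
    elif in_kbps:
        if available <= 0:
            problems.append("priority queues reserve the whole interface bandwidth")
            return weights, problems
        # In kbps mode the weight is class bandwidth over available link bandwidth.
        weights = {c.name: c.bandwidth_kbps / available for c in in_kbps}
        requested = sum(c.bandwidth_kbps for c in in_kbps)
        if requested > available:
            problems.append(
                f"oversubscribed: classes request {requested} kbps, {available} kbps available")
    return weights, problems


if __name__ == "__main__":
    # Constructed input: class1 from the policy-map example plus a 300 kbps
    # priority class, attached to an assumed 2048 kbps interface.
    demo = [ClassPolicy("class1", bandwidth_kbps=2000),
            ClassPolicy("voice", priority_kbps=300)]
    print(check_policy_map(demo, interface_kbps=2048))
```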

class
This QoS policy-map sub-command specifies the name of the traffic class whose policy you want to create or to change and sets the criteria for classifying traffic. The XSR provides a robust set of matching rules for you to define the criteria.
Before using the class command, you must first enter the policy-map command to identify the policy map you want to change. This also allows you to enter QoS policy-map configuration mode. After you specify a policy map, you can configure policy for new classes or modify policy for any existing classes in that policy map.
The class name you specify in the policy map ties the characteristics for that class, that is, its policy, to the class map and its match criteria, as configured using the class-map command.
When a class is removed, available bandwidth for the interface is incremented by the amount previously allocated to the class.
Note: The XSR supports a maximum of 64 traffic classes.

The predefined default class called class-default is the class to which traffic is directed if that traffic does not satisfy the match criteria of other classes whose policy is defined in the policy map.

Syntax
class {class-name | class-default}

class-name       Specifies the name of the class to set or modify policy.
class-default    Specifies the default class to configure or modify policy.

Note: Class-default cannot be removed with the no class command.


Syntax of the no Form


The no form of this command removes a class from the policy map:
no class {class-name}

Mode
Policy-Map configuration: XSR(config-pmap<xx>)#

Next Mode
Policy-Map Class configuration: XSR(config-pmap-c<xx>)#

Example
This example creates class1 with a minimum of 20 percent of bandwidth in the event of congestion, and the queue reserved for this class can enqueue 40 packets before tail drop is enacted to handle additional packets.
XSR(config)#policy-map policy1
XSR(config-pmap<policy1>)#class class1
XSR(config-pmap-c<class1>)#bandwidth percent 20
XSR(config-pmap-c<class1>)#queue-limit 40

These commands create class2 with a minimum of 3000 kbps of bandwidth for this class in the event of congestion. RED drops up to one out of three packets when the average queue size becomes bigger than 34 and drops each packet if it becomes bigger than 57. RED packet drop is used for congestion avoidance.
XSR(config-pmap<policy1>)#class class2
XSR(config-pmap-c<class2>)#bandwidth 3000
XSR(config-pmap-c<class2>)#random-detect 34 57 3

These commands configure the default map class where a maximum of 20 packets per queue are enqueued before tail drop is enforced to handle additional packets.
XSR(config-pmap<policy1>)#class class-default
XSR(config-pmap-c<class-default>)#queue-limit 20

clear policy-map
This command removes Policy-Map statistics for specified interfaces.

Syntax
clear policy-map interface type number

type      XSR interface type: BRI, Dialer, Fast/GigabitEthernet, Loopback, Multilink, and Serial.
number    Card, port, channel, and sub-interface number.

Mode
EXEC: XSR> or XSR(config)#


police
This command configures traffic policing.

Syntax
police bps [burst-normal][burst-max][conform-action action][exceed-action action][violate-action action]

bps               Average rate ranging from 1,000 to 100,000,000 bps.
burst-normal      Normal burst size ranging from 1,000 to 51,200,000 bps. If less than 1000 bytes burst-normal will be set to 1000 bytes.
burst-max         Excess burst size ranging from 1,000 to 51,2000,000 bytes. Value must be greater than or equal to normal burst size. It will automatically be changed to the normal burst size if less than normal burst.
conform-action    Action to take on packets that conform to the rate limit.
exceed-action     Action to take on packets that exceed the rate limit.
violate-action    Action to take on packets that violate normal and maximum burst sizes. If violate-action is set, the token bucket algorithm will use two token buckets.
action            Action to take on packets. You may specify one keyword:
                  drop - Drops the packet.
                  set-prec-transmit new-prec - Sets IP precedence and sends the packet.
                  set-dscp-transmit new-prec - Sets the differentiated services code point (DSCP) value and sends the packet.
                  transmit - Sends the packet.

Syntax of the no Form


Traffic policing is removed by using the no form of this command:
no police

Defaults
burst-normal: average rate multiplied by one second
conform-action: transmit
exceed-action: drop
violate-action: drop
Command is disabled by default

Mode
Policy-Map Class configuration: XSR(config-pmap-c-<xx>)#


Example
The following example defines a traffic class using the class-map command and match criteria from the traffic class with the Traffic Policing configuration, which is configured in the service policy using the policy-map command. The service-policy command is then used to attach this service policy to the interface.
In this example, traffic policing is configured with the average rate of 8000 bits per second and the normal burst size at 1200 bytes and an excess burst of 2000 bytes for all packets leaving F1/0:
XSR(config)#class-map access-match
XSR(config-cmap<access-match>)#match access-group 1
XSR(config)#policy-map police-setting
XSR(config-pmap<police-setting>)#class access-match
XSR(config-pmap-c<access-match>)#police 8000 1200 2000 conform-action transmit exceed-action drop
XSR(config)#interface fastethernet 1/0
XSR(config-if<F1>)#service-policy output police-setting
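
To see how the police parameters classify a burst, the following Python model is an added example and not the XSR implementation. The guide does not describe the two-bucket algorithm, so this sketch assumes a single-rate, three-color scheme in which the conform bucket holds burst-normal bytes, overflow tokens spill into an exceed bucket of burst-max bytes, and both buckets start full; the Policer class and the packet trace are constructed for illustration.

```python
from typing import Iterable, List, Optional, Tuple


class Policer:
    """Token-bucket model of 'police bps burst-normal burst-max ...' (assumed behavior)."""

    def __init__(self, bps: int, burst_normal: int, burst_max: Optional[int] = None,
                 conform_action: str = "transmit", exceed_action: str = "drop",
                 violate_action: Optional[str] = None):
        self.rate = bps / 8.0                    # token fill rate in bytes per second
        self.cbs = max(burst_normal, 1000)       # guide: values under 1000 bytes become 1000
        ebs = self.cbs if burst_max is None else burst_max
        self.ebs = max(ebs, self.cbs)            # guide: raised to burst-normal if smaller
        # Guide: a second token bucket is used only when violate-action is set.
        self.two_buckets = violate_action is not None
        self.actions = {"conform": conform_action, "exceed": exceed_action,
                        "violate": violate_action if violate_action else exceed_action}
        self.tc = float(self.cbs)                # conform bucket, starts full (assumption)
        self.te = float(self.ebs)                # exceed bucket, starts full (assumption)
        self.last = 0.0

    def _refill(self, now: float) -> None:
        self.tc += (now - self.last) * self.rate
        self.last = now
        if self.tc > self.cbs:
            spill = self.tc - self.cbs           # tokens the conform bucket cannot hold
            self.tc = float(self.cbs)
            if self.two_buckets:
                self.te = min(float(self.ebs), self.te + spill)

    def police(self, now: float, size: int) -> Tuple[str, str]:
        """Classify one packet of `size` bytes arriving at time `now` (seconds)."""
        self._refill(now)
        if self.tc >= size:
            self.tc -= size
            result = "conform"
        elif not self.two_buckets:
            result = "exceed"
        elif self.te >= size:
            self.te -= size
            result = "exceed"
        else:
            result = "violate"
        return result, self.actions[result]


def run(policer: Policer, trace: Iterable[Tuple[float, int]]) -> List[Tuple[str, str]]:
    return [policer.police(t, size) for t, size in trace]


# Constructed trace: seven 500-byte packets back to back, one more a second later.
TRACE = [(0.0, 500)] * 7 + [(1.0, 500)]

if __name__ == "__main__":
    # The guide's example: police 8000 1200 2000 conform-action transmit exceed-action drop
    for verdict in run(Policer(8000, 1200, 2000), TRACE):
        print(verdict)
```

With the guide's example values only the first two packets of the burst fit the 1200-byte normal burst; setting a violate-action adds the second bucket, so four further packets are classed as exceeding before the seventh is classed as violating.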

priority
This command gives priority to a class of traffic belonging to a policy map. It configures low-latency queueing, providing strict Priority Queues (PQ) over Class-based Weighted Fair Queueing (CBWFQ). Strict PQ allows delay-sensitive data such as voice to be dequeued and sent before packets in other queues are dequeued.
The burst argument specifies the burst size and, as such, configures the network to accommodate temporary bursts of traffic. The default burst value, which is computed as 1 second of traffic at the configured bandwidth rate, is used when the burst argument is not specified.
Priority queues can be reserved by absolute bandwidth with these settings: high, medium, low and normal.
Note: The bandwidth and priority commands cannot be used in the same class, within the same policy map, but they can be used together in the same policy map. They cannot be configured for class-default. Class-default is always defined as fair queue.

Syntax
priority priority-level bandwidth-kbps [burst]

priority-level    Specifies the priority queue: high, medium, low or normal. Normal priority has the least precedence.
bandwidth-kbps    Guaranteed allowed bandwidth for priority traffic. Beyond the guaranteed bandwidth, priority traffic will be dropped to ensure that non-priority traffic is not starved. Range: 1 to 100,000 kbps.
burst             Sets the burst size, ranging from 32 to 2,000,000 bytes.

Syntax of the no Form


Remove a previously specified priority specified for a class with the no form of this command:
no priority

Mode
Policy-Map Class configuration: XSR(config-pmap-c-<xx>)#

Example
The following example configures two PQs for the policy map policy57, with a high priority level, guaranteed bandwidth of 300 kbps and a one-time allowable burst size of 500 kbps for the map class voice; and a low priority bandwidth, 80 bytes of guaranteed bandwidth, and a burst size 2000 bytes for map class beta.
XSR(config)#policy-map policy57
XSR(config-pmap<policy57>)#class voice
XSR(config-pmap-c<voice>)#priority high 300 500
XSR(config-pmap<policy57>)#class beta
XSR(config-pmap-c<beta>)#priority low 80 2000

queue-limit
This command specifies or modifies the maximum number of packets the queue can hold for a class policy configured in a policy map.
Class-Based Weighted Fair Queueing (CBWFQ) creates a queue for every class for which a class map is defined. Packets satisfying the match criteria for a class accumulate in the queue reserved for the class until they are sent, which occurs when the queue is serviced by the Fair Queueing process. When the peak packet threshold you set for the class is reached, any further packet enqueueing to the class queue causes tail drop.

Syntax
queue-limit number-of-packets

number-of-packets    A number ranging from 1 to 64 specifying the peak number of packets that the queue can accommodate for this class.

Syntax of the no Form


The no form of the command removes the queue packet limit from a class. If RED is not configured, the queue limit is restored to the default value.
no queue-limit

Mode
Policy-Map Class configuration: XSR(config-pmap-c-<xx>)#

Default
64

Example
The following example configures policy map policy75 to contain policy for class acl203. Policy for this class is set so that the queue reserved for it has a maximum packet limit of 50.
XSR(config)#policy-map policy75
XSR(config-pmap<policy75>)#class acl203
XSR(config-pmap-c<acl203>)#bandwidth percent 35
XSR(config-pmap-c<acl203>)#queue-limit 50

random-detect (RED)
This command configures and enables Random Early Detect (RED) for a class in a policy map. RED is a congestion avoidance mechanism that slows traffic by randomly dropping packets during congestion and is useful with protocols like TCP that respond to dropped packets by reducing the transmission rate. While RED may be implemented using WRED, this command is retained for compatibility with earlier releases and simplicity of configuration when only RED is required.

Syntax
random-detect min-thres max-thres [mark-prob]

min-thres    Peak limit of average packet queue length, ranging from 1 to 4096, beyond which the XSR randomly drops packets.
max-thres    Peak limit of average packet queue length, ranging from 1 to 4096, beyond which all packets are dropped.
mark-prob    Mark probability denominator, ranging from 1 to 65,536. This is the likelihood of queued packets being dropped: when their number exceeds the minimum threshold, it is between 0 and (1/mark-prob). When the peak threshold is reached, drop probability is 1 divided by the peak probability.

Syntax of the no Form


The no form of this command disables RED on an interface:
no random-detect

Mode
Policy-Map Class configuration: XSR(config-pmap-c-<xx>)#

Defaults
Disabled
Mark-prob: 10

Example
The following example enables RED. The minimum and maximum thresholds are 24 and 40, respectively. The dropping probability is 1/4.
XSR(config)#policy-map foobar
XSR(config-pmap<foobar>)#class alpha
XSR(config-pmap-c<alpha>)#random-detect 24 40 4


random-detect (WRED)
This command configures and enables Weighted Random Early Detect (WRED) for the class. WRED is a congestion avoidance mechanism that slows traffic by randomly dropping packets when congestion exists. WRED is useful with protocols like TCP that respond to dropped packets by decreasing the transmission rate.
To set or change WRED parameters, use the random-detect {dscp | precedence} command. If no parameter is passed to the command, the default is prec-based WRED.

Syntax
random-detect {dscp-based | prec-based}

dscp-based    WRED uses DSCP values when calculating drop probability.
prec-based    WRED uses IP precedence values when calculating drop probability.

Syntax of the no Form


The no form of this command disables WRED on an interface:
no random-detect

Mode
Policy-Map Class configuration: XSR(config-pmap-c-<xx>)#

Default
Prec-based

Example
The following example enables WRED as DSCP-based with the default values for parameters:
XSR(config)#policy-map DSCP
XSR(config-pmap<DSCP>)#class A
XSR(config-pmap-c<a>)#random-detect dscp-based

random-detect dscp
This command changes the Weighted Random Early Detect (WRED) minimum and maximum threshold and maximum drop probability for a DiffServ Code Point (DSCP) value.
This command specifies the DiffServ Code Point (DSCP) value. The DSCP can be a number from 0 to 63, or any of the following keywords: af11, af12, af13, af21, af22, af23, af31, af32, af33, af41, af42, af43, cs1, cs2, cs3, cs4, cs5, cs6, cs7, ef or default. Each DSCP value has initial WRED parameters. Table 12-1 provides initial parameter settings for each DSCP value. The last row details parameters for DSCP values not shown in the table.
Note: This command must be used in conjunction with the random-detect (interface) command. Also, random-detect dscp is available only if you specified the dscp-based argument when using the random-detect (interface) command.


Syntax
random-detect dscp dscp-value min-thres max-thres [mark-prob]

dscp-value    The DSCP value.
min-thres     Minimum limit of average packet queue length, ranging from 1 to 4096, beyond which the XSR randomly drops packets.
max-thres     Maximum limit of average packet queue length, ranging from 1 to 4096, beyond which all packets are dropped.
mark-prob     Mark probability denominator ranging from 1 to 65,536. This is the likelihood of queued packets being dropped: when their number exceeds the minimum threshold, it is between 0 and (1/mark-prob). When the maximum threshold is reached, drop probability is 1 divided by the maximum probability.

Syntax of the no Form


The no form reverts WRED parameters to the default for a DSCP value:
no random-detect

Mode
Policy-Map Class configuration: XSR(config-pmap-c-<xx>)#

Defaults
Disabled
Default min threshold settings used by the random-detect dscp command are shown in the following table. The default max threshold and mark probability are 40 and 1/10 respectively for all DSCP values.

Table 12-1 DSCP Threshold/Max Drop Probability Parameters

DSCP    Min Threshold    Max Threshold    Max Drop Probability
af11    32               40               1/10
af12    28               40               1/10
af13    24               40               1/10
Af21    32               40               1/10
Af22    28               40               1/10
Af23    24               40               1/10
Af41    32               40               1/10
Af31    28               40               1/10
Af32    24               40               1/10
Af33    32               40               1/10
Af42    28               40               1/10
Af43    24               40               1/10
Cs1     32               40               1/10
Cs2     28               40               1/10
Cs3     24               40               1/10
Cs4     32               40               1/10
Cs5     28               40               1/10
Cs6     24               40               1/10
Cs7     32               40               1/10
Ef      28               40               1/10
Initial parameters for all other DSCP values
        24               40               1/10

Examples
The following example enables WRED with a minimum threshold for DSCP af21 of 24 and maximum threshold of 40. The dropping probability is 1/4th. All other DSCPs have default values.
XSR(config)#policy-map wred
XSR(config-pmap<wred>)#class a
XSR(config-pmap-c<a>)#random-detect dscp-based
XSR(config-pmap-c<a>)#random-detect dscp af21 24 40 4

The following example sets WRED. It sets DSCP 33 WRED parameters to 10, 20, 10 and changes the setting for all other DSCP values from initial to default 5, 10, 20.
XSR(config)#policy-map wred
XSR(config-pmap<wred>)#class a
XSR(config-pmap-c<a>)#random-detect dscp-based
XSR(config-pmap-c<a>)#random-detect dscp 33 10 20 10
XSR(config-pmap-c<a>)#random-detect default 5 10 20

random-detect exponential-weighting-constant
This command configures the Weighted Random Early Detect (WRED) exponential weight factor for the average queue size calculation. The weight constant is expressed as a power of 2.
WRED uses the exponential weighting factor to calculate average queue size. To simplify computing average queue size, the weight constant is allowed to be a power of 2. Choosing the right value of this constant is important for proper WRED operation. The default value is based on available data and should be changed only if your applications benefit from a different value.

Syntax
random-detect exponential-weighting-constant value

value    Exponent ranging from 1 to 16.

Syntax of the no Form


The no form of this command sets the constant to the default value of 9:
no random-detect exponential-weighting-constant

Mode
Policy-Map Class configuration: XSR(config-pmap-c-<xx>)#

Example
The following example enables WRED and sets the weight constant to (1/2)^5:
XSR(config)#policy-map wred
XSR(config-pmap<wred>)#class a
XSR(config-pmap-c<a>)#random-detect dscp-based
XSR(config-pmap-c<a>)#random-detect exponential-weighting-constant 5
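
The following Python sketch is an added example, not code from this guide or from Enterasys. It shows how min-thres, max-thres, mark-prob and the exponential weighting constant interact. It assumes the standard RED formulas (an exponentially weighted average with weight (1/2)^value, and a linear ramp from 0 at min-thres to 1/mark-prob at max-thres), which the guide does not spell out; WredProfile, update_average and samples_until_drops_begin are hypothetical names.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class WredProfile:
    """One min-thres / max-thres / mark-prob triple as entered with random-detect."""
    min_th: int
    max_th: int
    mark_prob: int = 10  # guide default: Mark-prob 10

    def __post_init__(self):
        for name in ("min_th", "max_th"):
            if not 1 <= getattr(self, name) <= 4096:
                raise ValueError(f"{name} must be in 1..4096")
        if not 1 <= self.mark_prob <= 65536:
            raise ValueError("mark_prob must be in 1..65536")
        if self.min_th >= self.max_th:
            # Assumption: the ramp needs min below max; the guide does not say so.
            raise ValueError("min_th must be below max_th")

    def drop_probability(self, avg_qlen: float) -> float:
        """Drop probability for a packet arriving at this average queue length."""
        if avg_qlen < self.min_th:
            return 0.0   # below min-thres: no random drops
        if avg_qlen > self.max_th:
            return 1.0   # beyond max-thres: all packets are dropped
        # Assumed linear ramp from 0 at min-thres to 1/mark-prob at max-thres.
        ramp = (avg_qlen - self.min_th) / (self.max_th - self.min_th)
        return ramp / self.mark_prob


def update_average(avg: float, qlen: int, exponent: int = 9) -> float:
    """Weighted average of queue length with weight (1/2)^exponent (default 9)."""
    if not 1 <= exponent <= 16:
        raise ValueError("exponent must be in 1..16")
    weight = 0.5 ** exponent
    return (1.0 - weight) * avg + weight * qlen


def samples_until_drops_begin(profile, burst_depth, exponent=9, limit=1_000_000):
    """Count queue samples at a constant depth before the average reaches min-thres."""
    if burst_depth <= profile.min_th:
        return None  # the average can never cross min-thres
    avg, samples = 0.0, 0
    while avg < profile.min_th and samples < limit:
        avg = update_average(avg, burst_depth, exponent)
        samples += 1
    return samples


if __name__ == "__main__":
    # Parameters taken from the guide's example "random-detect dscp af21 24 40 4".
    af21 = WredProfile(24, 40, 4)
    for q in (10, 24, 32, 40, 41):
        print(f"avg={q:>2}  p(drop)={af21.drop_probability(q):.3f}")
    # A smaller exponent makes the average track bursts faster, so drops start sooner.
    for exp in (5, 9):
        n = samples_until_drops_begin(af21, burst_depth=40, exponent=exp)
        print(f"exponent {exp}: drops begin after {n} samples at depth 40")
```

With the guide's default exponent of 9, a queue held at depth 40 takes several hundred samples before random drops begin; with exponent 5 it takes a few dozen, which is why the constant should be changed only with care.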

random-detect precedence
This command sets the Weighted Random Early Detect (WRED) minimum and maximum threshold and maximum drop probability values for an IP precedence value.
The default WRED maximum drop probability (MaxP) is 1/10 and the default maximum threshold (MaxTh) is 40 for all IP precedence values. The default minimum threshold is calculated from MaxTh based on the following formula:
MinTh = (1/2 prec-value/16) x MaxTh
To change the default setting, use the random-detect precedence default command. By doing so, all IP precedences will share the same values except those which were explicitly configured with random-detect precedence. This setting is useful if WRED should operate as RED. To revert to the original default setting, enter no random-detect precedence default.

Syntax
random-detect precedence prec-value min-thres max-thres [mark-prob]default

prec-value    Precedence value, ranging from 0 to 7 with the keyword default.
min-thres     Minimum number of packets in the queue, ranging from 1 to 4096, beyond which the XSR randomly drops packets.
max-thres     Maximum number of packets in the queue, ranging from 1 to 4096, beyond which the XSR drops all packets.
mark-prob     Mark probability denominator. Likelihood of queued packets being dropped when their number exceeds the minimum limit is between 0 and (1/mark-prob). Range: 1 to 65,536.

Syntax of the no Form


The no form of this command reverts WRED parameters to the default for a precedence value:
no random-detect precedence prec-value

Defaults
Disabled
Mark-prob: 10

Mode
Policy-Map Class configuration: XSR(config-pmap-c-<xx>)#

Examples
The following example enables WRED with a minimum IP precedence threshold of 24 and maximum of 40. The dropping probability is 1/4. All other precedence types have default values.
XSR(config)#policy-map wred
XSR(config-pmap<wred>)#class a
XSR(config-pmap-c<a>)#random-detect prec-based
XSR(config-pmap-c<a>)#random-detect precedence 3 24 40 4

The following example sets WRED as RED with a minimum threshold of 10 and maximum threshold of 20:
XSR(config)#policy-map foo
XSR(config-pmap<foo>)#class a
XSR(config-pmap-c<a>)#random-detect prec-based
XSR(config-pmap-c<a>)#random-detect precedence default 10 20

set cos
This command marks the IEEE 802.1 priority in the header of output VLAN packets with a Class of Service (CoS) matching clause. As part of CoS configuration, the XSR associates a policy map with a class of traffic. By comparison, the match cos command marks the headers of incoming VLAN packets.
Note: Setting a VLAN priority value is applicable only to VLAN sub-interfaces; the set clause is ignored for other interface types.

For information on the vlan command, go to page 491 in the Configuring Hardware Controllers chapter.

Syntax
set cos ieee802.1p-value

ieee802.1p-value    Priority value to mark output VLAN packets, ranging from 0 to 7.

Syntax of the no Form


The no form of this command removes the match clause.
no set cos ieee802.1p-value

Mode
Policy-Map Class configuration: XSR(config-pmap-c-<xx>)#

Example
The following example configures policy map setCosTo4 that matches input priority value range from 5 to 7 and sets the output VLAN priority to 4:
XSR(config)#policy-map setCosTo4
XSR(config-pmap<setCosTo4>)#class matchCos5To7
XSR(config-pmap-c<matchCos5to7>)#set cos 4

set ip dscp
This command marks a packet by setting the IP Differentiated Services Code Point (DSCP) in the Type of Service (ToS) byte. Once the IP DSCP bit is set, other QoS services can then operate on the bit settings.
Note: You cannot mark a packet by the IP precedence with the set ip precedence command and mark the same packet with an IP DSCP value by entering the set ip dscp command.

The network gives priority (or some type of expedited handling) to marked traffic. Typically, you set IP precedence at the edge of the network (or administrative domain); data then is queued based on the precedence. Class-Based Weighted Fair Queueing (CBWFQ) can speed up handling for high-precedence traffic at congestion points.


Note: Reserved keywords EF (Expedited Forwarding), AF11 (Assured Forwarding Class 11), and AF12 (Assured Forwarding Class 12) can be specified instead of numeric values.

Syntax
set ip dscp ip-dscp-value

ip-dscp-value    A number from 0 to 63 that sets the IP DSCP value. Reserved keywords can be set instead of numeric values as follows:
                 af11       Match packets with AF11 DSCP (001010)
                 af12       Match packets with AF12 DSCP (001100)
                 af13       Match packets with AF13 DSCP (001110)
                 af21       Match packets with AF21 DSCP (010010)
                 af22       Match packets with AF22 DSCP (010100)
                 af23       Match packets with AF23 DSCP (010110)
                 af31       Match packets with AF31 DSCP (011010)
                 af32       Match packets with AF32 DSCP (011100)
                 af33       Match packets with AF33 DSCP (011110)
                 af41       Match packets with AF41 DSCP (100010)
                 af42       Match packets with AF42 DSCP (100100)
                 af43       Match packets with AF43 DSCP (001010)
                 cs1        Match packets with CS1 DSCP (001000)
                 cs2        Match packets with CS2 DSCP (010000)
                 cs3        Match packets with CS3 DSCP (011000)
                 cs4        Match packets with CS4 DSCP (100000)
                 cs5        Match packets with CS5 DSCP (101000)
                 cs6        Match packets with CS6 DSCP (110000)
                 cs7        Match packets with CS7 DSCP (111000)
                 default    Match packets with default DSCP (000000)
                 ef         Match packets with Expedited Forwarding (EF) DSCP (101110)

Syntax of the no Form


The no form of this command removes a previously set IP DSCP:
no set ip dscp

Mode
Policy-Map Class configuration: XSR(config-pmap-c-xx)#

Example
In the following example, the IP DSCP TOS byte is set to 8 for class1 and cs2 for class2 in policy57:
XSR(config)#policy-map policy57
XSR(config-pmap<policy57>)#class class1
XSR(config-pmap-c<class1>)#set ip dscp 8
XSR(config-pmap<policy57>)#class class2
XSR(config-pmap-c<class1>)#set ip dscp cs2

set ip precedence
This command sets the precedence value in the IP header. The network gives priority (or some type of expedited handling) to marked traffic through the application of CBWFQ or RED at points downstream in the network. Typically, you set IP Precedence at the edge of the network (or administrative domain); data then is queued based on the precedence. CBWFQ can speed up handling for certain precedence traffic at congestion points.

Syntax
set ip precedence ip-precedence-value

ip-precedence-value    Number from 0 to 7 that sets the precedence bit in the IP header.

Syntax of the no Form


The no form leaves the precedence value at its current setting:
no set ip precedence

Mode
Policy-Map Class configuration: XSR(config-pmap-c-xx)#

Example
The following example sets the IP Precedence bit to 7 for packets that satisfy the match criteria of the class map called class39. All packets that satisfy the match criteria of class39 are marked with the IP Precedence value of 7. How packets marked with the IP Precedence value of 7 are treated is determined by your network configuration.
XSR(config)#policy-map policy57
XSR(config-pmap<policy57>)#class class39
XSR(config-pmap-c<class39>)#set ip precedence 7

shape
This command enables and configures traffic shaping on a class. It can be applied to any fair class or priority class. The default burst is sufficient to achieve the average rate and is calculated from the rate and the default measurement interval of 10 milliseconds:
Burst equals rate multiplied by (10 milliseconds divided by 1000)
In order to sustain the average rate, the normal burst cannot be less than the default burst. The default value for exceed burst is equal to the normal burst.

Syntax
shape rate [[burst] exceed-burst]

rate            Average or peak rate for output traffic in bps.
burst           Maximum threshold burst size. Range: 1 to 20,000 bytes.
exceed-burst    Maximum exceed burst size. Range: 1 to 40,000 bytes.

Syntax of the no Form


The no form of this command disables traffic shaping on a class:
no shape

Default
Disabled

Mode
Policy-Map Class configuration: XSR(config-pmap-c-xx)#

Example
The following example configures Class A with 20% of the link bandwidth to a maximum of 64 Kbytes and maximum burst of 2000 bytes:
XSR(config)#policy-map foo
XSR(config-pmap<foo>)#class A
XSR(config-pmap-c<a>)#bandwidth percent 20
XSR(config-pmap-c<a>)#shape 64000 2000

Class-map Commands

class-map


This command creates a class map for matching packets to a specified class. Use it to specify the name of the class for which you want to create or modify class-map match criteria.
Packets arriving at the output interface are checked against the match criteria set for a class map to determine if the packet belongs to that class. Subcommands associated with the command are:
match access-group - configures the match criteria for a class map on the basis of a configured ACL. Go to page 12-102 for the command definition.
match cos - identifies a specific IEEE 802.1 priority value as a match criterion. Go to page 12-103 for the command definition.
match ip dscp - identifies a specific IP Differentiated Service Code Point (DSCP) value as a match criterion. Go to page 12-103 for the command definition.
match ip precedence - identifies IP precedence values as match criteria. Go to page 12-104 for the command definition.

Syntax
class-map {match-all | match-any} class-map-name

match-all         Packets must match all criteria in the class map to belong to the class name.
match-any         Packets must match any (one or more) criteria in the class map to belong to the class name.
class-map-name    Designation for the class map which is used for the class map and to set policy for the class in the policy map.

Syntax of the no Form


Use the no form of this command to remove an existing class map:
no class-map [match-all] | [match-any] word

Mode
Global configuration: XSR(config)#

Next Mode
Class-Map configuration: XSR(config-cmap<xx>)#

Default
match-all

Example
The following example creates class map class57 and defines its match criterion with policy map policy99 which is configured to contain policy rules for class57 and the default class.
XSR(config)#class-map class57
XSR(config-cmap<class57>)#match access-group 136
XSR(config)#policy-map policy99
XSR(config-pmap<policy99>)#class class57
XSR(config-pmap-c<class57>)#bandwidth percent 10
XSR(config-pmap-c<class57>)#queue-limit 40
XSR(config-pmap<policy99>)#class class-default
XSR(config)#interface serial 1/0
XSR(config-if<S1/0>)#service-policy output policy99

match access-group
This command configures the match criteria for a class map on the basis of the specified Access Control List (ACL).
You define traffic classes based on match criteria including ACLs, DSCP and/or IP Precedence. Packets satisfying the match criteria for a class constitute the traffic for that class.
The match access-group command specifies a numbered ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the class set by the class map.
To use the match access-group command, you must first enter the class-map command to specify the name of the class whose match criteria you want to establish. After you identify the class, you can use one of the following commands to configure its match criteria:
match access-group
match ip dscp
match ip precedence

Syntax
match access-group {access-group}

access-group    A numbered ACL whose contents are used as the match criteria against which packets are checked to determine if they belong to the class. Range: 1 to 199.

Syntax of the no Form


The no form of this command removes ACL match criteria from a class map:
no match access-group access-group

Mode
Class-map configuration: XSR(config-cmap-xx)#

Example
The following example specifies a class map called acl57 and configures the ACL numbered 57 to be used as the match criteria for this class:
XSR(config)#class-map acl57
XSR(config-cmap<acl57>)#match access-group 57

match cos
This command identifies a specific IEEE 802.1 priority value as a match criterion. Up to 8 priority values can be matched in one match statement. For example, if you wanted the priority values of 0, 1, 2, 3, 4, 5, 6, or 7 (note that only one of the priority values must be a successful match criterion, not all of the specified priority values), enter the match cos 0 1 2 3 4 5 6 7 command.
This command is used by the class map to identify a specific priority value marking on the header of incoming VLAN packets. By comparison, the set cos command marks the headers of outgoing VLAN packets. For information on the vlan command, go to page 491 in the Configuring Hardware Controllers chapter.

Syntax
match cos ieee802.1p-value [ieee802.1p-value] [ieee802.1p-value] ...

ieee802.1p-value    Priority value in the input VLAN header, ranging from 0 to 7.

Syntax of the no Form


The no form of this command removes the match clause:
no match cos

Default
No match clause for VLAN priority

Mode
Class-map configuration: XSR(config-cmap-xx)#

Example
The following example configures class map matchCos5To7 that matches input priority values from 5 to 7:
XSR(config)#class-map matchCos5To7
XSR(config-cmap<matchCos5To7>)#match cos 5 6 7

match ip dscp
This command identifies a specific IP Differentiated Service Code Point (DSCP) value as a match criterion. Up to 8 IP DSCP values can be matched in one match statement. For example, if you wanted the IP DSCP values of 0, 1, 2, 3, 4, 5, 6, or 7 (note that only one of the IP DSCP values must be a successful match criterion, not all of the specified IP DSCP values), enter the match ip dscp 0 1 2 3 4 5 6 7 command.
This command is used by the class map to identify a specific IP DSCP value marking on a packet. The ip-dscp-value arguments are used as markings only. The IP DSCP values have no mathematical significance. For instance, the ip-dscp-value of 2 is not greater than 1. The value simply indicates that a packet marked with the ip-dscp-value of 2 is different than a packet marked with the ip-dscp-value of 1. The treatment of these marked packets is defined by the user through the setting of QoS policies in policy-map class configuration mode.


Syntax
match ip dscp ip-dscp-value [ip-dscp-value][ip-dscp-value] [ip-dscp-value] [ip-dscp-value][ip-dscp-value][ip-dscp-value][ip-dscp-value]

ip-dscp-value    Specifies a value from 0 to 63 to identify an IP DSCP value.

Syntax of the no Form


To remove a specific IP DSCP value from a class map, use the no form of this command:
no match ip dscp ip-dscp-value [ip-dscp-value][ip-dscp-value][ip-dscp-value][ip-dscp-value][ip-dscp-value][ip-dscp-value][ip-dscp-value]

Mode
Class-map configuration: XSR(config-cmap-xx)#

Example
The following example shows how to configure the service policy called priority55 and attach service policy priority55 to an interface. In this example, the class map ipdscp15 will evaluate all packets entering interface F1 for an IP DSCP value of 15. If the incoming packet has been marked with the IP DSCP value of 15, the packet will be treated with a high priority level.
XSR(config)#class-map ipdscp15
XSR(config-cmap<ipdscp15>)#match ip dscp 15
XSR(config)#policy-map priority55
XSR(config-pmap<priority55>)#class ipdscp15
XSR(config-pmap-c<ipdscp15>)#priority high 55
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#service-policy output priority55

match ip precedence
This command identifies IP precedence values as match criteria. Up to 4 precedence values can be matched in one match statement. For example, if you wanted the IP precedence values of 0, 1, 2, or 3 (note that only one of the IP precedence values must be a successful match criterion, not all of the specified IP precedence values), enter the match ip precedence 0 1 2 3 command.
The ip-precedence-value arguments are used as markings only; they have no mathematical significance. For instance, the ip-precedence-value of 2 is not greater than 1. The value simply indicates that a packet marked with the ip-precedence-value of 2 is different than a packet marked with the ip-precedence-value of 1. You define the treatment of these different packets by setting QoS policies in Policy-map Class configuration mode.

Syntax
match ip precedence ip-precedence-value [ip-precedence-value] [ip-precedence-value][ip-precedence-value][ip-precedence-value][ip-precedence-value][ip-precedence-value] [ip-precedence-value][ip-precedence-value]

ip-precedence-value    Specifies an IP precedence value from 0 to 7.

Syntax of the no Form


Use the no form of this command to remove IP precedence values from a class map:
no match ip precedence ip-precedence-value [ip-precedence-value] [ip-precedence-value][ip-precedence-value][ip-precedence-value][ip-precedence-value][ip-precedence-value] [ip-precedence-value][ip-precedence-value]

Mode
Class-map configuration: XSR(config-cmap-xx)#

Example
The following example shows how to configure the service policy called priority50 and attach service policy priority50 to an interface. In this example, the class map called ipprec5 will evaluate all packets entering F1/0/0 for an IP precedence value of 5. If the incoming packet has been marked with the IP precedence value of 5, the packet will be treated with a priority level of 50.
XSR(config)#class-map ipprec5
XSR(config-cmap<ipprec5>)#match ip precedence 5
XSR(config)#policy-map priority50
XSR(config-pmap<priority50>)#class ipprec5
XSR(config-pmap-c<ipprec5>)#priority high 50
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#service-policy output priority50

QoS Show Commands

show class-map

This command displays all class maps and their matching criteria. If you enter the optional class-map-name argument, the specified class map and its matching criteria will be displayed.

Syntax
show class-map [class-map-name]

class-map-name    Name of the class map.

Mode
EXEC, Privileged EXEC, or Global configuration: XSR>, XSR#, or XSR(config)#

Sample Output
In this example, three class maps are defined. Packets that match access-list 103 belong to class c3, IP packets with IP precedence belong to class c2, and packets with DSCP 32 belong to class c1. The output from the show class-map command shows the three defined class maps.
XSR#show class-map
Class map c3
Match access-group 103
Class map c2
Match ip precedence 2
Class map c1
Match ip dscp 32

show policy-map
This command displays the configuration of all classes for a specified service policy map or all classes for all existing policy maps. It displays the configuration of a service policy map created using the policy-map command. You can use the show policy-map command to display all class configurations comprising any existing service policy map, whether or not that service policy map has been attached to an interface.

Syntax
show policy-map [policy-map] interface-type

policy-map        Service policy map name whose complete configuration will be shown.
interface-type    Configuration for classes on the specified interface including: ATM, BRI, Fast/GigabitEthernet, Loopback, Serial, Multilink, or Dialer (0 to 255).

Default
All existing policy map configurations are displayed.

Mode
EXEC, Privileged EXEC, or Global configuration: XSR>, XSR#, or XSR(config)#

Sample Output
This example displays the contents of the service policy map called po1:
XSR#show policy-map po1
Policy Map po1
CLass c1: Weighted Fair Queue bandwidth 600 (kbps)
Class c2: Weighted Fair Queue bandwidth 300 (kbps)

This example displays the contents of all policy maps on the XSR:
XSR#show policy-map
Policy Map p6
Class c1: Weighted Fair Queue bandwidth 10 %
Class c2: Weighted Fair Queue bandwidth 80 %
Policy Map p9
Class c1: Priority high bandwidth 300 (kbps)
Class c2: Weighted Fair Queue bandwidth 800 (kbps)
Policy Map p10
Class c1: Weighted Fair Queue bandwidth 600 (kbps)
Class c2: Weighted Fair Queue bandwidth 300 (kbps)

show policy-map interface


This command shows the configuration of all service policies applied on an interface or Frame Relay Datalink Connection Identifier (DLCI). It displays the configuration for classes on the specified interface or specified DLCI only if a service policy has been attached to the interface or PVC. This command shows input and the output policies applied to the interfaces. Counters displayed after you enter the show policy-map interface command are updated only if congestion is present on the interface.
Note: This command displays policy information about Frame Relay PVCs only if Frame Relay Traffic Shaping (FRTS) is enabled on the interface.

When QoS is applied to a Dialer interface, this command displays no data. To display the policy map after the dialer has built the connection, enter the show policy-map command on the interface from the dialer pool that the dialer called on and not the dialer interface itself.

Syntax
show policy-map interface interface-type [dlci dlci] mlpppgroup

interface-type    Interface or sub-interface type including: ATM, BRI, Fast/GigabitEthernet, Loopback, Multilink, or Dialer (0-255).
dlci              A specific PVC for which policy configuration is shown.
dlci              A Data Link Connection Identifier (DLCI) number used on the interface. Policy configuration for the corresponding PVC is shown when a DLCI is specified.
mlpppgroup        Multilink PPP group number.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following example shows policy map mypolicy attached to DLCI 100 on Serial interface 1/0. Policy is applied simultaneously to input and output traffic. Input policy displays counters for input QoS (actual bandwidth and policing). Shaping, bandwidth and buffer management are not performed on input traffic and are shown for output traffic only.
XSR(config)#policy-map mypolicy
XSR(config-pmap<mypolicy>)#exit
XSR(config)#class-map smallPackets
XSR(config-pmap-c<smallPackets>)#priority high 800
XSR(config-pmap-c<smallPackets>)#random-detect 20 25 2
XSR(config-pmap-c<smallPackets>)#class immediate-data
XSR(config-pmap-c<immediate-data>)#bandwidth 300
XSR(config-pmap-c<immediate-data>)#class class-default
XSR(config-pmap-c<class-default>)#shape 100000 12500
XSR(config)#map-class frame-relay foo
XSR(config-map-class<foo>)#frame-relay cir out 100000
XSR(config-map-class<foo>)#frame-relay bc out 10000
XSR(config-map-class<foo>)#service-policy output mypolicy
XSR(config-map-class<foo>)#service-policy input mypolicy
XSR#show policy-map interface s1/0.1 dlci 100
Serial1/0.1: DLCI 100 output: mypolicy
Class smallPackets
Priority High
Bandwidth 800 (kbps)Actual bandwidth 0 (kbps),
Random-detect : Avg Qsize: 5.32, Random Drops : 54
min-th : 20 max-th : 25 mark-prob : 1/2
Tx/NoBuff/Error (19892/35/0)
Class immediate-data
Weighted Fair Queuing
Bandwidth 300 (kbps) Actual bandwidth 0 (kbps),
Max Qsize: 64, Qsize: 32, Tail drops 223
Tx/NoBuff/Error (3321/22/0)
Class class-default
Weighted Fair Queuing
Bandwidth 436 (kbps) Actual bandwidth 0 (kbps),
Max Qsize: 64, Qsize: 0, Tail drops 0
Tx/NoBuff/Error (0/0/0)
Traffic shaping
Average  Normal  Exceed  Refresh  Refresh
Rate     Burst   Burst   Time     Bytes
100000   12500   0       10(ms)   125
Serial1/0.1: DLCI 100 input : mypolicy
Class smallPackets
Actual bandwidth 12 (kbps) Tx/NoBuff/Error (19892/0/0)
Class immediate-data
Actual bandwidth 0 (kbps) Tx/NoBuff/Error (3321/0/0)
Class class-default
Actual bandwidth 0 (kbps)Tx/NoBuff/Error (0/0/0)

Parameter Descriptions
Bandwidth           Configured bandwidth for a class in percentage or kbps.
Actual bandwidth    Bandwidth that this class actually receives on the output link.
Max Qsize           Configured queue size.
Qsize               Current queue size.
Tail drops          Sum of packets dropped by Tail Drop buffer management.
Tx                  Sum of packets transmitted successfully.
NoBuff              Sum of packets rejected by the driver because of no buffer. This value is always zero when the policy map is applied to DLCI and MLPPP.
Error               Sum of transmit (driver) errors when trying to send out a packet. Value is always zero when the policy map is applied to DLCI and MLPPP.
Avg Qsize           RED average queue size.
Random Drops        Sum of packets dropped by RED.
min-th              Configured minimum threshold for RED.
max-th              Configured maximum threshold for RED.
mark-prob           Configured mark probability for RED.

show random-detect interface


This command displays data about Random Early Detection (RED).

Syntax
show random-detect interface [interface-type interface-number]

interface-type      The type of interface.
interface-number    The number of the interface.

Mode
EXEC: XSR> or XSR(config)#

Sample Output
The following commands configure policy map Shape:
XSR(config)#policy-map Shape
XSR(config-pmap<Shape>)#class d32
XSR(config-pmap-c<d32>)#bandwidth per 30
XSR(config-pmap-c<d32>)#random-detect dscp-based
XSR(config-pmap-c<d32>)#random-detect dscp 32 10 20 10
XSR(config-pmap-c<d32>)#random-detect dscp default 2 5 20

The following is sample output from the command. There are drops only from class d32.
XSR#show random-detect interface serial 1/0:0
Serial 1/0:0 output: Shape
output: Shape
Class d32
Weighted Random-detect:
Avg Qsize: 5, Total Random Drops: 2223
DSCP  min-th  max-th  mark-prob  tail drop  early drop
0     2       5       20         0          0
1     2       5       20         0          0
2     2       5       20         0          0
3     2       5       20         0          0
4     2       5       20         0          0
5     2       5       20         0          0
6     2       5       20         0          0
7     2       5       20         0          0
8     2       5       20         0          0
9     2       5       20         0          0
10    2       5       20         0          0
11    2       5       20         0          0
12    2       5       20         0          0
13    2       5       20         0          0
14    2       5       20         0          0
15    2       5       20         0          0
16    2       5       20         0          0
17    2       5       20         0          0
18    2       5       20         0          0
19    2       5       20         0          0
20    2       5       20         0          0
21    2       5       20         0          0
22    2       5       20         0          0
23    2       5       20         0          0
24    2       5       20         0          0
25    2       5       20         0          0
26    2       5       20         0          0
27    2       5       20         0          0
28    2       5       20         0          0
29    2       5       20         0          0
30    2       5       20         0          0
31    2       5       20         0          0
32    2       5       20         1900       323
33    10      20      10         0          0
34    2       5       20         0          0
35    2       5       20         0          0
36    2       5       20         0          0
37    2       5       20         0          0
38    2       5       20         0          0
39    2       5       20         0          0
40    2       5       20         0          0
41    2       5       20         0          0
42    2       5       20         0          0
43    2       5       20         0          0
44    2       5       20         0          0
45    2       5       20         0          0
46    2       5       20         0          0
47    2       5       20         0          0
48    2       5       20         0          0
49    2       5       20         0          0
50    2       5       20         0          0
51    2       5       20         0          0
52    2       5       20         0          0
53    2       5       20         0          0
54    2       5       20         0          0
55    2       5       20         0          0
56    2       5       20         0          0
57    2       5       20         0          0
58    2       5       20         0          0
59    2       5       20         0          0
60    2       5       20         0          0
61    2       5       20         0          0
62    2       5       20         0          0
63    2       5       20         0          0
Exponential weighting constant: 9

Parameter Descriptions
Average Queue size    Average output queue size for this interface.
Total Random Drops    Sum of packets dropped for all DSCP code points.
Min-th                Minimum threshold.
Max-th                Maximum length of the queue. When the average queue size is larger than this number, any additional packets will be dropped.
Mark-prob             Probability (1/mark-prob) for random drops.
DSCP                  DSCP code point.
Tail drop             Number of drops because of average queue size greater than max threshold.
Early drop            Number of drops when the average queue size is between min threshold and max threshold.

show shape interface

This command displays information about QoS traffic shaping.

Syntax
show shape interface [interface-type interface-number]

interface-type      Type of interface.
interface-number    Number of the interface.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following commands configure shape information for each class. In the following example, policy-map Shape is configured as follows:
XSR(config)#policy-map Shape
XSR(config-pmap<Shape>)#class d32
XSR(config-pmap-c<d32>)#bandwidth per 30
XSR(config-pmap-c<d32>)#shape 400000 50000
XSR(config-pmap-c<d32>)#class d33
XSR(config-pmap-c<d33>)#bandwidth per 30
XSR(config-pmap-c<d32>)#shape 100000 12500

The following sample output displays shape information for classes d32 and d33:
XSR# show shape interface serial 1/0:0
Serial 0/1/0:0 output: Shape
Serial 0/1/1:1 output: Shape
Class d32 Traffic shaping
Average  Normal  Exceed  Refresh  Refresh
Rate     Burst   Burst   Time     Bytes
400000   50000   0       10(ms)   500
Class d33 Traffic shaping
Average  Normal  Exceed  Refresh  Refresh
Rate     Burst   Burst   Time     Bytes
100000   12500   0       10(ms)   125

Parameter Descriptions
Average Rate     Average shaped rate configured.
Normal burst     Configured normal burst.
Exceed burst     Configured exceed burst.
Refresh time     Time interval of bucket refill with tokens.
Refresh bytes    Number of bytes added to the bucket per time interval.

13
Configuring ADSL
Observing Syntax and Conventions
The CLI command syntax and conventions use the notation described below.

Convention         Description
xyz                Key word or mandatory parameters (bold)
[x]                [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]        [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}        { | } Braces with vertical bar indicate a choice of a required value
[x {y | z} ]       [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)    xx signifies interface type and number, e.g.: F1, S2/1.0, D1, M57, L1, ATM0/1/1

Next Mode entries display the CLI prompt after a command is entered.
Sub-command headings are displayed in red, italicized text.
soho.enterasys.com    Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

ADSL Configuration Commands

The following command sets define ADSL functionality on the XSR including:
- CMV Commands on page 13-83.
- Other ADSL Commands on page 13-87.
- PPP Configuration Commands on page 13-99.
- ATM Clear and Show Commands on page 13-103.

CMV Commands

cmv append

This command adds a Command Management Variable (CMV) to the DSP training list which is used by the DSP firmware when the line is in training mode. This command is intended for use by Enterasys field service personnel only. This command requires that the ADSL NIM be installed and the DSP firmware file be present in the Flash: directory.

Syntax
cmv append command-ID offset value

command-ID    Represents a 4-character CMV command.
offset        Decimal or hexadecimal number representing where to write the value.
value         Decimal or hexadecimal number.

Mode
ATM Interface configuration: XSR(config-if<ATMxx>)#

Example
The following example adds the CMV DOPT 1 with a hex value:
XSR(config-if<ATM0/1/1>)#cmv append DOPT 1 0x306090c0

cmv clear
This command removes all Command Management Variable (CMV) commands from the CMV training list which is used by the DSP firmware when the line is in training mode. This command is intended for use by Enterasys field service personnel only.
This command requires that the ADSL NIM be installed and the DSP firmware file be present in the Flash: directory.

Syntax
cmv clear

Mode
ATM Interface configuration: XSR(config-if<ATMxx>)#

Example
The following example deletes all CMVs from the training list:
XSR(config-if<ATM0/1/1>)#cmv clear

cmv cr
This command reads a Command Management Variable (CMV) from the DSP. This command is intended for use by Enterasys field service personnel only.
This command requires that the ADSL NIM be installed and the DSP firmware file be present in the Flash: directory.

Syntax
cmv cr command-ID offset

command-ID    Represents a 4-character CMV command.
offset        Decimal or hexadecimal number representing where to read the value.

Mode
ATM Interface configuration: XSR(config-if<ATMxx>)#

Example
The following example reads CMV STAT 0 from the DSP:
XSR(config-if<ATM0/1/1>)#cmv cr STAT 0

cmv cw
This command writes a Command Management Variable (CMV) to the DSP. This command is intended for use by Enterasys field service personnel only.
This command requires that the ADSL NIM be installed and the DSP firmware file be present in the Flash: directory.

Syntax
cmv cw command-ID offset value

command-ID    Represents a 4-character CMV command.
offset        Decimal or hexadecimal number representing where to write the value.
value         Decimal or hexadecimal number.

Mode
ATM Interface configuration: XSR(config-if<ATMxx>)#

Example
The following example writes UOPT 2 with a hex value to the DSP:
XSR(config-if<ATM0/1/1>)#cmv cw UOPT 2 0x0c0e1014

cmv delete
This command deletes the specified Command Management Variable (CMV) from the DSP retaining list which is used by the DSP firmware when the line is in training mode. This command is intended for use by Enterasys field service personnel only.
This command requires that the ADSL NIM be installed and the DSP firmware file be present in the Flash: directory.

Syntax
cmv delete command-ID offset [value]

command-ID    Represents a 4-character CMV command.
offset        Decimal or hexadecimal number representing where to write the value.
value         Decimal or hexadecimal number.

Mode
ATM Interface configuration: XSR(config-if<ATMxx>)#

Example
The following example deletes CMV OPTN 2 from the retaining list:
XSR(config-if<ATM0/1/1>)#cmv delete OPTN 2

cmv print
This command prints the Command Management Variable (CMV) training list on the console. The training list is used by the DSP firmware when the line is in training mode. This command is intended for use by Enterasys field service personnel only.
This command requires that the ADSL NIM be installed and the DSP firmware file be present in the Flash: directory.

Syntax
cmv print

Mode
ATM Interface configuration: XSR(config-if<ATMxx>)#

Example
The following example prints the CMV training list to the console:
XSR(config-if<ATM0/1/1>)#cmv print

cmv save
This command saves the Command Management Variable (CMV) training list to a file. The training list is used by the DSP firmware when the line is in training mode. This command is intended for use by Enterasys field service personnel only.
This command requires that the ADSL NIM be installed and the DSP firmware file be present in the Flash: directory.

Syntax
cmv save file-name

file-name    The name of the file used to save the CMV training list.

Mode
ATM Interface configuration: XSR(config-if<ATMxx>)#

Example
The following example saves the CMV training list to file retrain-list:
XSR(config-if<ATM0/1/1>)#cmv save retrain-list
Save complete
XSR(config-if<ATM0/1/1>)#

Other ADSL Commands

description

This command adds a description string to an existing ATM interface object.
This command requires that the ADSL NIM be installed and the DSP firmware file be present in the Flash: directory.

Syntax
description description_text

description_text    A text string that describes the interface object. Text with embedded spaces must be enclosed in double quotes. Omitting the description text results in an empty description string.

Syntax of the no Form
The no form of this command sets the description text to an empty string:
no description

Mode
ATM Interface configuration: XSR(config-if<ATMxx>)#

Example
The following example adds ADSL Line to the interface object:
XSR(config-if<ATM0/1/1>)#description ADSL Line

interface atm
This command creates an ATM interface object and its associated device driver which downloads the specified firmware file to the onboard DSP. Depending on the size of the DSP firmware and the characteristics of the download procedure, this procedure may take a noticeable amount of time. After a successful load, the interface and device driver is in the administrative down state (shutdown).
Caution: This command requires that the ADSL NIM be installed and the DSP firmware file be present in the Flash: directory.

Syntax
interface atm {slot/card/port}

slot    The XSR slot number, ranging from 0 to 2.
card    The XSR NIM number, ranging from 1 to 2.
port    The XSR slot number: 0. The sub-interface number ranges from 1 to 30.

Syntax of the no Form
The no form of this command removes the interface object and all associated sub-interface objects. The interface must be shut down first.
no interface atm {slot/card/port}

Mode
Global configuration: XSR(config)#

Next Mode
ATM Interface configuration: XSR(config-if<ATMxx>)#

Example
The following example creates an ATM interface on slot 0, card 1, port 1:
XSR(config)#interface atm 0/1/1
XSR(config-if<ATM0/1/1>)#

interface atm sub-interface

This command creates an ATM sub-interface object and associates it with its ATM interface peer. Setup of internal data paths, which will route an IP interface to the ATM sub-interface, will continue as configuration proceeds and a no shutdown command has been issued against this sub-interface instance. On successful construction, the sub-interface is in the administrative down state (shutdown).
This command requires that the ADSL NIM be installed, the DSP firmware file be present in the Flash: directory, and the ATM port be properly configured.

The following commands are sub-commands of atm sub-interface:
- backup configures and enables a backup interface for the ATM sub-interface. Refer to page 13-90 for the command description.
- crypto enables and configures VPN parameters on the sub-interface. Refer to page 13-92 for the command description.
- description adds a description string to an existing ATM sub-interface. Refer to page 13-92 for the command description.
- encapsulation selects the data encapsulation method for this ATM sub-interface. Refer to page 13-92 for the command description.
- exit quits ATM Sub-Interface mode and returns to Global mode. Refer to page 13-93 for the command description.
- ip address specifies the IP address and subnet mask of the ATM sub-interface or requests the IP address and subnet mask be negotiated. Refer to page 13-93 for the command description.
- no shutdown sets the ATM sub-interface to the administrative up state and enables the virtual circuit. Refer to page 13-94 for the command description.
- oam-pvc enables end-to-end F5 (circuit) OAM cell procedures for ATM Permanent Virtual Circuit (PVC) management. Refer to page 13-95 for the command description.
- oam-retry configures parameters related to OAM cell handling for ATM VC management. Refer to page 13-96 for the command description.
- pvc sets the sub-interface circuit type to PVC and specifies ATM VPI/VCI values. Refer to page 13-96 for the command description.
- shutdown sets the ATM sub-interface to the administrative Down state halting all data traffic on this VC. Refer to page 13-97 for the command description.

Syntax
interface atm {slot/card/port.sub-interface}[point-to-point]

slot              The XSR slot number, ranging from 0 to 2.
card              The XSR NIM number, ranging from 1 to 2.
port              The XSR slot number: 0.
sub-interface     Identifies a sub-interface on that interface, ranging from 1 to 30.
point-to-point    Interoperability option.

Syntax of the no Form
The no form of this command deletes the sub-interface object:
no interface atm [slot/]card/port.sub-interface [point-to-point]

Mode
Global configuration: XSR(config)#

Next Mode
ATM Sub-Interface configuration: XSR(config-if<ATMxx.x>)#

Defaults
- Backup: Disabled
- VPN: Disabled
- Description: Set to the empty string
- Encapsulation: None
- IP: Not configured
- PPP: Not configured
- OAM procedures: Disabled
- ATM PVC VPI/VCI: Set to 1/32
- The sub-interface will be in the shutdown state

Example
The following example creates an ATM sub-interface object on ATM interface slot 0, card 1, port 1:
XSR(config)#interface atm 0/1/1.1 point-to-point
XSR(config-if<ATM0/1/1.1>)#

backup
This command configures and enables a backup interface for this ATM sub-interface. This command requires a properly configured ATM sub-interface and Dialer group.

Syntax
backup {delay down-wait {up-wait | never} | interface dialer id | time-range begin-hh:mm end-hh:mm}

down-wait          Seconds to wait before switching to the backup interface.
up-wait | never    Seconds to wait before switching back to ATM interface. If set to never, it will remain on the backup interface.
id                 Dialer to use for backup when ATM interface is down.
begin-hh:mm        Time of day to switch to the backup line regardless of ATM interface state.
end-hh:mm          Time of day to revert to normal interface backup procedures.

Syntax of the no Form
The no form of this command disables a backup for this ATM sub-interface:
no backup {delay | interface | time-range}

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMx/x/x.x>)#

Default
Disabled by default. When enabled, all operational parameters must be specified.

Example
The following example configures a sub-interface backup with a Dialer ID of 1, delay of 20 seconds before switching to the backup, and a delay of 10 seconds before switching back to the ATM sub-interface. The example also configures the sub-interface to switch to the backup line at 8:30 P.M. then switch back to the normal interface at 9:50 P.M.:
XSR(config-if<ATM0/1/0.1>)#backup interface Dialer1
XSR(config-if<ATM0/1/0.1>)#backup delay 20 10
XSR(config-if<ATM0/1/0.1>)#backup time-range 20:30 21:50

crypto
This command enables and configures the DF bit VPN parameter on this ATM sub-interface. This command requires a properly configured ATM sub-interface.

Syntax
crypto {ezipsec | ipsec df-bit {clear | copy | set}| map [map-name]}

ezipsec         EZ-IPSec automatic configuration enabled.
ipsec df-bit    IPSec enabled with the following DF bit options:
clear           The outer IP header clears the DF bit and the XSR may fragment the packet to add IPSec encapsulation.
copy            XSR searches the original packet for the outer DF bit setting.
set             The outer IP header has the DF bit set; but, the XSR may fragment the packet if the original packet cleared the DF bit.
map-name        Attaches a crypto map to the interface and name (optional).

Syntax of the no Form
The no form of this command disables the specified DF bit setting:
no crypto {ezipsec | ipsec df-bit | map [map-name]}

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMx/x/x.x>)#

Default
Disabled

Example
The following example enables EZ-IPSec with the option of having the XSR look in the original packet for the outer DF bit setting. This example also attaches the crypto map ets-vpn:
XSR(config-if<ATM0/1/0.1>)#crypto ezipsec
XSR(config-if<ATM0/1/0.1>)#crypto ipsec df-bit copy
XSR(config-if<ATM0/1/0.1>)#crypto map ets-vpn

description
This command adds a description string to an existing ATM sub-interface. This command requires a properly configured ATM sub-interface.

Syntax
description description_text

description_text    A string describing the sub-interface object. Text with embedded spaces must be enclosed in double quotes. Omitting text causes an empty string.

Syntax of the no Form
The no form of this command sets the description text to an empty string:
no description

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMxx.x>)#

Example
The following example adds the ADSL VC 1/32 text string to the sub-interface object:
XSR(config-if<ATM0/1/0.1>)#description ADSL VC 1/32

encapsulation
This command selects the data encapsulation method for this ATM sub-interface. Be aware that an encapsulation method must be selected before the sub-interface can pass data.
Note: This command requires a properly configured ATM sub-interface. In order to change encapsulation, you must issue the no encapsulation command first before resetting the value.

Syntax
encapsulation {mux | snap}{ipoa | pppoa | pppoe} [service-name]

mux             VC multiplexing (per RFC 2684/1483).
snap            LLC/SNAP multiplexing (per RFC 2684/1483).
ipoa            IP encapsulated traffic flows on this VC (per RFC 2684).
pppoa           PPP encapsulated traffic flows on this VC (per RFC 2364).
pppoe           PPP over Ethernet encapsulated traffic flows on this VC (per RFC 2516).
service-name    The name of the PPPoE service. If not specified, PPPoE connects to the first advertised service name. At this time, the XSR will connect with the first advertised service name only.

Syntax of the no Form
The no form of this command removes any form of encapsulation, effectively disabling the sub-interface:
no encapsulation

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMxx.x>)#

Default
The default encapsulation is none. An encapsulation method must be specified before the sub-interface can pass data. When the sub-interface is configured for PPPoE encapsulation, the source Ethernet MAC address will be set to the MAC address of FastEthernet interface 2.

Example
The following example configures the sub-interface for LLC/SNAP multiplexing and PPPoA encapsulated traffic:
XSR(config-if<ATM0/1/0.1>)#encapsulation snap pppoa

exit
This command quits the ATM Sub-Interface mode and returns to Global mode.

Syntax
exit

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMxx.x>)#

Example
The following example exits the sub-interface ATM command mode from ATM interface slot 0, card 1, port 0, sub-interface 1:
XSR(config-if<ATM0/1/0.1>)#exit
XSR(config)#

ip address
This command specifies the IP address and subnet mask of the ATM sub-interface or requests the IP address and subnet mask be negotiated. This command requires a properly configured ATM sub-interface.

Syntax
ip address {ip-address/subnet-mask | negotiated}

ip-address     The IP address associated with this sub-interface in the form: A.B.C.D.
subnet-mask    The subnet mask bits represents the number of bits set to 1 in the subnet mask, ranging from 0 to 32.
negotiated     IP address/subnet mask are negotiated by PPP. This value cannot be set when using IPoA encapsulation.

Syntax of the no Form
The no form of this command returns this parameter to its default setting:
no ip address

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMxx.x>)#

Default
IP address: 0.0.0.0
Subnet mask: 0.0.0.0

Example
This example sets the sub-interface IP address to 10.1.1.1 and the subnet mask to 255.0.0.0:
XSR(config-if<ATM0/1/0.1>)#ip address 10.1.1.1 255.0.0.0

or
XSR(config-if<ATM0/1/0.1>)#ip address 10.1.1.1/8

no shutdown
This command sets the ATM sub-interface to the administrative Up state (no shutdown) and enables the virtual circuit.
The associated ATM interface must be in the administrative Up state (no shutdown) before a no shutdown on a sub-interface is executed.

Syntax
no shutdown

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMxx.x>)#

Example
The following example sets the ATM sub-interface to the administrative up state:
XSR(config-if<ATM0/1/0>)#no shutdown

oam-pvc
This command enables end-to-end F5 (circuit) OAM cell procedures for ATM Permanent Virtual Circuit (PVC) management. OAM cells and how they are used are as follows:
- Alarm Indication Signal (AIS) - Received from the network to indicate a problem in the forward to-XSR data flow.
- Continuity Check (CC) - Echoed to the sender when received. The XSR does not generate CC cells for connectivity management but will respond to CC procedure negotiation cells.
- Loopback - Echoed back to the sender when received. The XSR sends loopback cells to monitor the end-to-end connectivity on the VC.
- Remote Defect Indication (RDI) - Received from the network to indicate a problem in the reverse from-XSR data flow. Sent to the network to indicate a problem in the local node XSR as well as in response to any AIS cells received.

The loopback cells monitor and declare the circuit up or down as follows:
- The circuit is UP immediately after line training completes successfully.
- The circuit is declared DOWN when down-count consecutive loopback response cells are missed.
- The circuit is declared UP when up-count consecutive loopback response cells are received.

This command requires a properly configured ATM sub-interface.

Syntax
oam-pvc [manage][frequency]

manage       Optional keyword.
frequency    Interval between sending end-to-end F5 OAM loopback cells when the VC is in the UP state. Range: 1 to 3600 seconds.

Syntax of the no Form
The no form of this command disables all OAM procedures for this sub-interface:
no oam-pvc

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMx/x/x.x>)#

Defaults
- OAM procedures: Disabled
- Interval between loopback cells (frequency): 10 seconds
- Initial down-count value: 5
- Initial up-count value: 3

Example
The following example sets the OAM frequency to 20 seconds:
XSR(config-if<ATM0/1/0.1>)#oam-pvc manage 20

oam retry
This command configures parameters related to OAM cell handling for ATM VC management. This command requires a properly configured ATM sub-interface.

Syntax
oam retry up-count down-count retry-frequency

up-count           Sum of consecutive end-to-end F5 OAM loopback cells responses that must be received to change the VC connection state to up. Range: 0 to 255.
down-count         Sum of consecutive end-to-end F5 OAM loopback cells responses that are not received to change the VC connection state to down. Range: 0 to 255.
retry-frequency    Interval between sending end-to-end F5 OAM loopback cells when a change in the up/down state of a VC is being verified. Range: 1 to 3600 seconds.

Syntax of the no Form
The no form of this command returns this parameter to its default setting:
no oam retry

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMx/x/x.x>)#

Default
- Initial down-count value: 5
- Initial up-count value: 3
- Initial retry-frequency value: 10
Default settings apply only when OAM management has been enabled with the oam-pvc command.

Example
This example sets the up-count to 5, the down-count to 8, and the retry-frequency to 2 seconds:
XSR(config-if<ATM0/1/0.1>)#oam retry 5 8 2
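
The up/down declaration rules from oam-pvc and the counters set by oam retry, worked through as an added Python example (not Enterasys code). It assumes loopback cells go out every frequency seconds while the VC is UP with no miss pending and every retry-frequency seconds otherwise, including while DOWN; the page does not state the DOWN-state interval, and the class and function names are illustrative.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class OamConfig:
    """OAM loopback settings; defaults are the ones listed on this page."""
    frequency: int = 10        # oam-pvc manage <frequency>, seconds
    up_count: int = 3          # oam retry up-count
    down_count: int = 5        # oam retry down-count
    retry_frequency: int = 10  # oam retry retry-frequency, seconds

    def validate(self):
        # Ranges as documented: frequency 1-3600, counts 0-255, retry 1-3600.
        if not 1 <= self.frequency <= 3600:
            raise ValueError("frequency must be 1 to 3600 seconds")
        if not 1 <= self.retry_frequency <= 3600:
            raise ValueError("retry-frequency must be 1 to 3600 seconds")
        for name in ("up_count", "down_count"):
            value = getattr(self, name)
            if not 0 <= value <= 255:
                raise ValueError(f"{name} must be 0 to 255")
            if value == 0:
                # The page allows 0 but does not say what it means, so the
                # simulation refuses to guess.
                raise ValueError(f"{name}=0 is not modelled here")


def simulate(cfg, responses):
    """Replay loopback results and return the [(seconds, state), ...] transitions.

    responses holds one bool per loopback cell sent: True if the response
    cell came back, False if it was missed. The VC starts UP, as it does
    right after line training completes.
    """
    cfg.validate()
    state, streak, clock = "UP", 0, 0
    transitions = [(clock, state)]
    for answered in responses:
        # Assumed timing: normal interval only while UP with no miss pending.
        verifying = state == "DOWN" or streak > 0
        clock += cfg.retry_frequency if verifying else cfg.frequency
        if state == "UP":
            streak = 0 if answered else streak + 1   # consecutive misses
            if streak == cfg.down_count:
                state, streak = "DOWN", 0
                transitions.append((clock, state))
        else:
            streak = streak + 1 if answered else 0   # consecutive responses
            if streak == cfg.up_count:
                state, streak = "UP", 0
                transitions.append((clock, state))
    return transitions


def worst_case_detection_seconds(cfg):
    """Upper bound on the time from a hard failure to the DOWN declaration.

    The failure can occur just after a successful poll, so the first miss is
    up to a full normal interval away; the remaining misses come at retry pace.
    """
    cfg.validate()
    return cfg.frequency + (cfg.down_count - 1) * cfg.retry_frequency


if __name__ == "__main__":
    # Constructed input: the VC answers three polls, fails hard, then recovers.
    outage = [True] * 3 + [False] * 5 + [True] * 3
    print(simulate(OamConfig(), outage))
    # Settings from the page's two examples: oam-pvc manage 20, oam retry 5 8 2.
    tuned = OamConfig(frequency=20, up_count=5, down_count=8, retry_frequency=2)
    print(simulate(tuned, [False] * 8 + [True] * 5))
    print(worst_case_detection_seconds(tuned))
```

The detection bound is the figure to add to any backup delay down-wait value when estimating how long traffic is black-holed before the dialer backup takes over.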

pvc
This command sets the sub-interface circuit type to PVC and specifies ATM VPI/VCI values. This command requires a properly configured ATM sub-interface.

Syntax
pvc vpi/vci

vpi/vci    ATM VC identifier values. VPI range: 0 to 255, VCI range: 0 to 65535.

Syntax of the no Form
The no form of this command returns this parameter to its default setting:
no pvc

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMx/x/x.x>)#

Default
VPI/VCI defaults to 1/32. This is not the ILMI virtual circuit.

Example
This example sets the sub-interface circuit type to PVC and sets the ATM VPI/VCI values to 2/48:
XSR(config-if<ATM0/1/0.1>)#pvc 2/48

shutdown
This command sets the ATM sub-interface to the administrative Down state halting all data traffic on this VC.

Syntax
shutdown

Syntax of the no Form
Refer to the atm sub-interface command on page 13-88.

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMx/x/x.x>)#

Example
The following example sets the ATM sub-interface to the administrative down state:
XSR(config-if<ATM0/1/0.1>)#shutdown

no shutdown
This command sets the ATM interface to the administrative Up state and enables the line for operation. Data traffic cannot flow until at least one associated sub-interface is set to the administrative Up state. Issuing this command does not change the administrative state of sub-interfaces associated with this ATM interface.
This command surveys the status of the DSP firmware (which was loaded and started at boot time) and if it finds it in an illegal state (i.e., crashed), it reloads and restarts the DSP firmware before proceeding with the no shutdown operation. Depending on the size of the DSP firmware and characteristics of the download process, this operation may take a noticeable length of time.

Syntax
no shutdown

Mode
ATM Interface configuration: XSR(config-if<ATMxx>)#

Example
The following example sets the ATM interface to the administrative up state:
XSR(config-if<ATM0/1/0>)#no shutdown

shutdown
This command sets the ATM interface to the administrative Down state. As a result, all ATM sub-interfaces associated with this ATM interface are shut down, all data traffic is stopped and the line disabled.

Syntax
shutdown

Syntax of the no Form
Refer to no shutdown on page 13-98.

Mode
ATM Interface configuration: XSR(config-if<ATMxx>)#

Example
The following example sets the ATM interface to the administrative down state:
XSR(config-if<ATM0/1/0>)#shutdown

PPP Configuration Commands

This section lists the subset of PPP configuration commands that apply when an ATM sub-interface is configured for PPPoA or PPPoE encapsulation.

ppp chap
This command configures PPP to use the Challenge Handshake Authentication Protocol (CHAP) for user authentication on a PPP session. This command requires a properly configured ATM sub-interface specifying encapsulation type PPPoA or PPPoE.

Syntax
ppp chap {hostname <name> | password pwd | refuse}

name      Specifies the CHAP hostname.
pwd       Specifies the CHAP password as pwd.
refuse    Rejects authentication by CHAP.

Syntax of the no Form
The no form of this command returns this parameter to its default setting:
no ppp chap

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMx/x/x.x>)#

Default
Disabled

Example
The following example designates the CHAP hostname ENT1:
XSR(config-if<ATM0/1/0.1>)#ppp chap hostname ENT1

ppp keepalive
This command enables PPP to use LCP echo requests as a keepalive mechanism. It requires a properly configured ATM sub-interface specifying encapsulation type PPPoA or PPPoE.

Syntax
ppp keepalive <seconds>

seconds    Interval between keepalive messages, ranging from 0 to 32767 seconds.

Syntax of the no Form
The no form of this command returns this parameter to its default setting:
no ppp keepalive

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMx/x/x.x>)#

Defaults
- Disabled
- Keepalive period: 30 seconds

Example
This example enables the keepalive mechanism and sets the time between messages to 20 seconds:
XSR(config-if<ATM0/1/0.1>)#ppp keepalive 20

ppp lcp
This command configures Link Control Protocol (LCP) parameters for PPP. It requires a properly configured ATM sub-interface specifying encapsulation type PPPoA or PPPoE.

Syntax
ppp lcp {max-configure <count1> | max-failure <count2> | max-terminate <count3>}

max-configure count1    Peak number of Configure-Requests to send. Range: 1 to 255.
max-failure count2      Peak number of Configure-Nak packets to send. Range: 1 to 255.
max-terminate count3    Peak number of Terminate-Requests to send. Range: 1 to 255.

Syntax of the no Form
The no form of this command returns this parameter to its default setting:
no ppp lcp

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMx/x/x.x>)#

Defaults
- Configure-Requests: 10
- Configure-Nak: 5
- Terminate-Requests: 2

Example
The following example sets LCP parameters:
XSR(config-if<ATM0/1/0.1>)#ppp lcp max-configure 5 max-failure 5 max-terminate 2
XSR(config-if<ATM0/1/0.1>)#

ppp max-bad-auth
This command configures the maximum number of authentication failures for PPP. It requires a properly configured ATM sub-interface specifying encapsulation type PPPoA or PPPoE.

Syntax
ppp max-bad-auth <count>

count    Peak number of authentication attempts. Range: 0 to 4,294,967,295

Syntax of the no Form
The no form of this command returns this parameter to its default setting:
no ppp max-bad-auth

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMx/x/x.x>)#

Default
Default number of attempts: 0

Example
The following example resets the command parameter to 16:
XSR(config-if<ATM0/1/0.1>)#ppp max-bad-auth 16

ppp pap
This command configures PPP to use the Password Authentication Protocol (PAP) for user authentication on a PPP session. This command requires a properly configured ATM sub-interface specifying encapsulation type PPPoA or PPPoE.

Syntax
ppp pap sent-username <username> password <userpassword>

username        The name to use for authentication.
userpassword    The user's password.

Syntax of the no Form
The no form of this command returns this parameter to its default setting:
no ppp pap

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMx/x/x.x>)#

Default
PAP is disabled

Example
The following example sets the PAP username to bob and the password to confidential:
XSR(config-if<ATM0/1/0.1>)#ppp pap sent-username bob password confidential

ppp quality
This command configures the minimum link quality for PPP, which is a measure of the amount of data successfully passed over the link. The minimum quality value is specified as a percentage of the total data sent. This command requires a properly configured ATM sub-interface specifying encapsulation type PPPoA or PPPoE.

Syntax
ppp quality <percent>

percent    The minimum link quality value, ranging from 0 to 100.

Syntax of the no Form
The no form of this command returns this parameter to its default setting:
no ppp quality

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMx/x/x.x>)#

Default
Disabled

Example
The following example sets the minimum link quality value to 88%:
XSR(config-if<ATM0/1/0.1>)#ppp quality 88

ppp timeout retry

This command sets the maximum time to wait for a response during PPP negotiation. It requires a properly configured ATM sub-interface specifying encapsulation type PPPoA or PPPoE.

Syntax
ppp timeout retry <seconds>

seconds    The peak wait interval, ranging from 1 to 255 seconds.

Syntax of the no Form
The no form of this command returns this parameter to its default setting:
no ppp timeout retry

Mode
ATM Sub-Interface configuration: XSR(config-if<ATMx/x/x.x>)#

Default
3 seconds

Example
This example resets the maximum wait time for a response during PPP negotiation to 12 seconds:
XSR(config-if<ATM0/1/0.1>)#ppp timeout retry 12
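
The dependencies and argument ranges stated in the sub-interface and PPP command descriptions above, collected into a pre-deployment check. This is an added Python example, not an Enterasys tool; the function name, severities and sample blocks are constructed for illustration, and the note that PAP sends its password in cleartext is a general PPP fact (RFC 1334) rather than a statement from this guide.

```python
import re

# Argument ranges quoted from the command descriptions on this page.
RANGES = {
    "ppp keepalive": [(0, 32767)],
    "ppp timeout retry": [(1, 255)],
    "ppp quality": [(0, 100)],
    "oam-pvc manage": [(1, 3600)],
    "oam retry": [(0, 255), (0, 255), (1, 3600)],
}


def lint_subinterface(lines):
    """Check one ATM sub-interface block; return [(severity, message), ...]."""
    # Accept bare commands or lines copied together with the CLI prompt.
    cmds = [ln.split("#", 1)[-1].strip() for ln in lines if ln.strip()]
    findings = []
    encap = None
    for cmd in cmds:
        m = re.fullmatch(r"encapsulation (mux|snap) (ipoa|pppoa|pppoe)( \S+)?", cmd)
        if m:
            encap = m[2]
        elif cmd == "no encapsulation":
            encap = None
        elif cmd.startswith("encapsulation"):
            findings.append(("error", f"{cmd!r}: not a documented encapsulation"))
        elif cmd.startswith("pvc "):
            m = re.fullmatch(r"pvc (\d+)/(\d+)", cmd)
            if not m or int(m[1]) > 255 or int(m[2]) > 65535:
                findings.append(("error", f"{cmd!r}: VPI is 0-255, VCI is 0-65535"))
        for prefix, bounds in RANGES.items():
            if cmd.startswith(prefix + " "):
                vals = cmd[len(prefix):].split()
                ok = len(vals) == len(bounds) and all(
                    v.isdigit() and lo <= int(v) <= hi
                    for v, (lo, hi) in zip(vals, bounds))
                if not ok:
                    findings.append(("error", f"{cmd!r}: allowed ranges {bounds}"))

    ppp = [c for c in cmds if c.startswith("ppp ")]
    if ppp and encap not in ("pppoa", "pppoe"):
        findings.append(("error", "ppp commands need PPPoA or PPPoE encapsulation"))
    if "ip address negotiated" in cmds and encap == "ipoa":
        findings.append(("error", "'negotiated' cannot be set with IPoA"))
    if "no shutdown" in cmds and encap is None:
        findings.append(("error", "no encapsulation: sub-interface cannot pass data"))
    if any(c.startswith("ppp pap ") for c in ppp):
        findings.append(("warning", "PAP sends the password in cleartext; "
                                    "use ppp chap where the peer supports it"))
    if any(re.search(r"\bpassword \S+", c) for c in ppp):
        findings.append(("warning", "credential appears in the command text; "
                                    "handle saved configs and CLI captures as secrets"))
    return findings


# Constructed sample: mixes IPoA with settings that only make sense for PPP.
SAMPLE_BAD = [
    "XSR(config-if<ATM0/1/0.1>)#encapsulation snap ipoa",
    "XSR(config-if<ATM0/1/0.1>)#ip address negotiated",
    "XSR(config-if<ATM0/1/0.1>)#pvc 2/70000",
    "XSR(config-if<ATM0/1/0.1>)#ppp pap sent-username bob password confidential",
    "XSR(config-if<ATM0/1/0.1>)#ppp timeout retry 300",
    "XSR(config-if<ATM0/1/0.1>)#no shutdown",
]

# Constructed sample assembled from the example commands on this page.
SAMPLE_GOOD = [
    "encapsulation snap pppoa",
    "ip address negotiated",
    "pvc 2/48",
    "ppp chap hostname ENT1",
    "ppp keepalive 20",
    "oam-pvc manage 20",
    "oam retry 5 8 2",
    "no shutdown",
]

if __name__ == "__main__":
    for severity, message in lint_subinterface(SAMPLE_BAD):
        print(f"{severity}: {message}")
```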

ATM Clear and Show Commands

clear counters atm

This command clears ATM counters for the ATM interface.

Syntax
clear counters atm {slot/card/port}

slot    The XSR slot number, ranging from 0 to 2.
card    The XSR NIM number, ranging from 1 to 2.
port    The XSR slot number: 0. The sub-interface number ranges from 1 to 30.

Mode
Privileged EXEC: XSR#

Example
The following example clears the ATM counters:
XSR#clear counters atm

show controllers atm

This command displays internal hardware configuration and operational interface details regarding: receive (Rx) and transmit (Tx) DMA descriptors, memory usage, and PCI device ID information. When you issue the command to display sub-interface statistics, the output returned includes: packet processor (QOS) scheduling statistics, ATM sub-interface counters, ATM sub-interface data plane status, and driver circuit statistics.

Syntax
show controllers atm {slot/card/port.sub-interface}

slot             The XSR slot number, ranging from 0 to 2.
card             The XSR NIM number, ranging from 1 to 2.
port             The XSR slot number: 0.
sub-interface    Identifies a sub-interface on that interface, ranging from 1 to 30.

Mode
EXEC or Privileged EXEC: XSR> or XSR#

Examples
The following is sample output when an interface is specified:
XSR#show controllers atm 1/0
********** ATM Controller Stats **********
ATM 1/0
DSP Image File: CFlash:adsl.fls
DSP File Rev. : 1.0.0.1
DSP Image Rev.: 43e2ea93
Attenuation: 43.0 db
DMT state: 42
SNR Margin: 6 db
CRC Errors: 0
OAM counters:
ifInOctets      00000000
ifInUcastPkts   00000000
ifInDiscards    00000000
ifInErrors      00000000
ifOutOctets     00000000
ifOutUcastPkts  00000000
ifOutDiscards   00000000
ifOutErrors     00000000
total_count     0
tx_notready     0
tx_toomany      0
UNK counters:
ifInOctets      00000000
ifInUcastPkts   00000000
ifInDiscards    00000000
ifInErrors      00000000
ifOutOctets     00000000
ifOutUcastPkts  00000000
ifOutDiscards   00000000
ifOutErrors     00000000
Cells:
AIS in          00000000
RDI in          00000000
RDI out         00000000
CC in           00000000
CC out          00000000
LBBK in         00000000
LPBK out        00000000

The following is sample output when a sub-interface is specified:
XSR#show controllers atm 1/0.1
********** ATM Sub-Interface Stats **********
ATM 1/0.1
Packet Processor Tx Scheduler Stats:
952 Packet driver Tx OK
0 Packet driver not Tx: MUX END_ERR_BLOCK
0 Packet driver not Tx: MUX ERROR
0 Packet driver not Tx: Unknown Msg from MUX
Statistic Counters:
Rx PacketTotalCount     987
Rx PacketDiscardCount   18
Rx MuxHeaderError       0
Rx SnapHeaderError      0
Rx PPPoEethTypeError    0
Rx PPPoEethTypeARP      6
Rx PPPoEethTypeIP       12
Rx PPPoEethTypeRARP     0
Tx PacketTotalCount     952
Tx PacketDiscardCount   0
********** ATM Data Object Stats **********
Upper Adjacent is CONNECTED and UP, ATM PassData is TRUE
FE: Admin Up / Oper Up
PPPoE: Oper Up
********** Driver Virtual Circuit Stats **********
VPI/VCI 1/32:
ccRx1                 987
ccRx2                 987
received-adslr1       987
noeop                 0
crc                   0
wor                   0
ovr                   0
toomany               0
stop                  0
be1                   0
be2                   0
receivertnerr         0
nonewmblk             0
receivertnnull        0
tx_null_mblk          0
tx_no_enable          0
tx_length_err         0
sent-adslt            952
tx_no_free_slots      0
tx_no_showtime_loop   0

Parameters in the Sub-Interface Response

DSP Image File: CFlash:adsl.fls           Name of the file containing the DSP image.
DSP Image Rev.: 43e2ea93                  Vendor's revision of the DSP image.
DMT state: 42                             Current operational state of the DSP.
OAM counters/UNK counters                 Subset of the interface table input and output counters for the OAM and unconfigured channels on the ATM interface. Refer to RFC 1213 for parameter descriptions.
Cells:                                    Detailed OAM cell totals for receive and transmit counters.
total_count/tx_notready/tx_toomany        Internal chipset debug counters.

Packet Processor Tx Scheduler Stats

952 Packet driver Tx OK                        Sum of packets transmitted.
0 Packet driver not Tx: MUX END_ERR_BLOCK      Sum of failed transmit attempts due to the driver returning an END_ERR_BLOCK status.
0 Packet driver not Tx: MUX ERROR              Sum of failed transmit attempts due to the driver returning an ERROR status.
0 Packet driver not Tx: Unknown Msg from MUX   Sum of failed transmit attempts due to the driver returning an unknown error status.

ATM Sub-interface Statistic Counters:

Rx PacketTotalCount       Sum of packets received.
Rx PacketDiscardCount     Sum of packets received that were discarded because of an error.
Rx MuxHeaderError         Sum of packets received that were discarded due to an error in the VC Multiplexing encapsulation header.
Rx SnapHeaderError        Sum of packets received that were discarded due to an error in the LLC/SNAP encapsulation header.
Rx PPPoEethTypeError      Sum of PPPoE packets received that were discarded because the Ethernet type is unsupported.
Rx PPPoEethTypeARP        Sum of PPPoE packets received that were discarded because the Ethernet type ARP is unsupported.
Rx PPPoEethTypeIP         Sum of PPPoE packets received that were discarded because the Ethernet type IP is unsupported.
Rx PPPoEethTypeRARP       Sum of PPPoE packets received that were discarded because the Ethernet type RARP is unsupported.
Tx PacketTotalCount       Sum of packets transmitted.
Tx PacketDiscardCount     Sum of transmit packets discarded for any reason.
ATM Data Object Stats     Internal data plane status information.
VPI/VCI 1/32              Virtual Path Index and Virtual Circuit Index for the ATM PVC.
ccRx2 987 through tx_no_showtime_loop 0    Driver internal debug counters.

show interface atm

This command displays the running configuration and statistical details for an ATM interface. Statistics supported by the ADSL interface are hardware dependent. General categories include the following:
- Analog details including upstream and downstream bit rates
- ATM cell counters (especially OAM cells)
- OAM (circuit UP/DOWN) state
- Frame (AAL5) counters
- Layer state information
- VC table
- Administrative state (Enabled/Disabled)
- Operational state (Up/Down)
- Loopback on
- DSP firmware
- Backup interface
- Description string

When you issue the command to display sub-interface statistics, the output returned includes:
- VPI/VCI
- IP address (value + configured or negotiated)
- Encapsulation method
- Administrative state (enabled/disabled)
- Operational state (Up/Down)
- PPP state information (PPPoE host name/service name)
- Description string
- VPN information

Syntax
show interface atm {slot/card/port.sub-interface}

slot             The XSR slot number, ranging from 0 to 2.
card             The XSR NIM number, ranging from 1 to 2.
port             The XSR slot number: 0.
sub-interface    Identifies a sub-interface on that interface, ranging from 1 to 30.

Mode
EXEC or Privileged EXEC: XSR> or XSR#


Examples
The following is sample output when an interface is specified:
XSR#show interface atm 1/0
********** ATM Interface Stats **********
ATM 1/0 is Admin Up / Oper Up
The name of this device is adsl
Administrative State is ENABLED
Operational State is UP
OAM circuit is UP
The upstream data rate is 480 kbit/sec
The downstream data rate is 10208 kbit/sec

General info:
ifindex              0
ifType               0
ifAdminStatus        1
ifOperStatus         1
ifLastChange         00:02:34
ifInOctets           2950
ifInUcastPkts        47
ifInNUcastPkts       0
ifInDiscards         0
ifInErrors           0
ifInUnknownProtos    0
ifOutOctets          5088
ifOutUcastPkts       48
ifOutNUcastPkts      0
ifOutDiscards        0
ifOutErrors          0
ifOutQLen            100
AAL5 in              47
AAL5 out             48
HEC errors           0
AIS F4               0
RDI F4               0
CC F4                0
LPBK F4              0

VPI/VCI   AAL5       AIS        RDI        CC         LPBK       AIS/RDI
1/32      00000047   00000000   00000000   00000000   00000000

The following is sample output when a sub-interface is specified:
XSR#show interface atm 1/0.1
********** ATM Sub-Interface Stats **********
ATM 1/0.1 is Admin Up / Oper Up
Internet address is 30.0.0.11, subnet mask is 255.255.255.255
LCP State: OPENED
IPCP State: OPENED
PPPoE is Oper Up
The logical link is currently Up
The Name of the Access Concentrator is ENTERASY-CDDU1S
The Session Id is 0x000b
The MAC Address of the Access Concentrator is 0x00:60:f9:11:01:08
The MTU is 1492

The name of this device is adsl-0
Administrative state is ENABLED
Operational State is UP
Circuit monitoring enabled
VPI is 1. VCI is 32.
ifindex              0
ifType               0
ifAdminStatus        1
ifOperStatus         1
ifLastChange         00:02:34
ifInOctets           20510
ifInUcastPkts        408
ifInNUcastPkts       0
ifInDiscards         0
ifInErrors           0
ifInUnknownProtos    0
ifOutOctets          37728
ifOutUcastPkts       388
ifOutNUcastPkts      0
ifOutDiscards        0
ifOutErrors          0
ifOutQLen            100

Parameters in the Interface Response

ATM 1/0 is Admin Up / Oper Up
    Administrative state: Admin Up or Admin Down and Operational state: Oper Up or Oper Down.
The name of this device is adsl-0
    Hardware device name.
Administrative State is ENABLED
    Driver administrative state: ENABLED or DISABLED.
Operational State is UP
    Driver operational state is UP or DOWN.
OAM circuit is UP
    Driver OAM channel state is UP or DOWN.
The upstream data rate is 480 kbit/sec.
    Negotiated upstream data rate.
The downstream data rate is 10208 kbit/sec.
    Negotiated downstream data rate.
General info:
    MIB-2 interface table entries as described in RFC 1213 including AIS F4, RDI F4, CC F4, LPBK F4. The last four fields in the General info section count the number of OAM cells (by type) received by the interface on the Virtual Path (F4) flow.
    The circuit table at the end of the display lists all the configured ATM sub-interfaces related to this ATM interface.
    VPI/VCI - PVC circuit identifier.
    AAL5 - Sum of AAL5 frames received.
    AIS - Sum of Alarm Indication Signal cells received.
    RDI - Sum of Remote Defect Indication cells received.
    CC - Sum of Continuity Check cells received.
    LPBK - Sum of Loopback cells received.
    AIS/RDI - The current alarm state of the circuit: AIS or RDI.

Parameters in the Sub-Interface Response

ATM 1/0.1 is Admin Up / Oper Up
    Administrative state: Admin Up or Admin Down; Operational state: Oper Up or Oper Down.
Internet address is 30.0.0.11, subnet mask is 255.255.255.255
    IP layer information.
LCP State: OPENED/IPCP State: OPENED
    PPP layer information.
PPPoE is Oper Up
The logical link is currently Up
The Name of the Access Concentrator is ENTERASY-CDDU1S
The Session Id is 0x000b
The MAC Address of the Access Concentrator is 0x00:60:f9:11:01:08
The MTU is 1492
    PPP Layer Information.
The name of this device is adsl-0
    Hardware device name.
Administrative state is ENABLED
    Driver administrative state: ENABLED or DISABLED.
Operational State is UP
    Driver operational state: UP or DOWN.
Circuit monitoring enabled/Circuit monitoring disabled
    Circuit monitoring operational state. This line will only be displayed when OAM procedures are enabled by the OAM-PVC command and the ADSL line is UP.
VPI is 1/VCI is 32
    Virtual Path Index and Virtual Circuit Index for the ATM PVC.

The last section contains the MIB-2 interface table as described in RFC 1213.


14 Configuring the VPN

Observing Syntax and Conventions
The CLI syntax and conventions use the notation described in the following table.

Convention / Description

xyz
    Key word or mandatory parameters (bold)
[x]
    [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]
    [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}
    { | } Braces with vertical bar indicate a choice of a required value
[x {y | z} ]
    [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)
    xx signifies the interface type and number; e.g., F1, G3, S2/1.0, D1. F indicates a FastEthernet, and G a GigabitEthernet port.
XSR(aaa-method-xx)#
    xx signifies the AAA Method type; e.g., local, pki, radius
soho.enterasys.com
    Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

Next Mode entries display the CLI prompt after a command is entered.
Sub-command headings are displayed in red, italicized text.

VPN Commands
The following command subsets configure the Virtual Private Network suite of functionality for the XSR:
- PKI commands
- CA Identity Mode Commands
- Other Certificate Commands
- IKE Security Protocol Commands
- ISAKMP Protocol Policy Mode Commands
- Remote Peer ISAKMP Protocol Policy Mode Commands
- Remote Peer Show Commands
- IPSec Commands
- IPSec Clear and Show Commands
- Crypto Map Mode Commands
- Crypto Transform Mode Commands
- Crypto Show Commands
- Interface CLI Commands
- Interface VPN Commands
- Tunnel Commands
- Tunnel Clear and Show Commands
- Additional Tunnel Termination Commands
- DF Bit Commands

Note: AAA commands are described in Chapter 13: Configuring Security.

PKI commands
The following commands configure Public Key Infrastructure (PKI) on the XSR.

CA Identity Mode Commands

crypto ca identity

This command declares the Certificate Authority (CA) the XSR should use and identifies CAs which may be required as part of the CA chain for the router or a peer IPSec client. If you previously declared the CA and just want to update its characteristics, specify the name you previously created. In some cases, the CA might require a particular CA name, such as its domain name.
Performing this command acquires CA Identity mode, where you can specify CA characteristics with the following subcommands:
- crl frequency - Specifies the interval between Certificate Revocation List (CRL) retrievals and other maintenance that may be performed periodically. Refer to page 14-85 for the command definition.
- enrollment http-proxy - Specifies the local HTTP proxy server. It is optional. Refer to page 14-86 for the command definition.
- enrollment retry count - Specifies how many certificate enrollment polls the XSR will send before giving up. It is defaulted. Refer to page 14-86 for the command definition.
- enrollment retry period - Specifies an interval that the XSR should wait between sending certificate request retries. It is defaulted. Refer to page 14-87 for the command definition.
- enrollment url - Specifies the URL of the CA and is always required. Refer to page 14-88 for the command definition.

Syntax
crypto ca identity name

name    Name for the CA.

Syntax of the no Form
Use the no form to delete all identity information and certificates associated with the CA:
no crypto ca identity name

Mode
Global configuration: XSR(config)#

Next Mode
Certificate Authority Identity configuration: XSR(ca-identity)#

Examples
The following example declares and identifies characteristics of the CA. In this example, the name ACMEca is created for the CA, which is located at http://ca_server. This is the minimum configuration required to declare a CA.
XSR(config)#crypto ca identity ACMEca
XSR(ca-identity)#enrollment url http://ca_server

The following example sets a nonstandard retry period and count, and permits the router to accept certificates when CRLs are not obtainable.
XSR(config)#crypto ca identity ACMEca
XSR(ca-identity)#enrollment url http://AAA_ca/coldstorage/scripts.exe
XSR(ca-identity)#query url ldap://serverx
XSR(ca-identity)#enrollment retry period 20
XSR(ca-identity)#enrollment retry count 100

In the example above, if the XSR does not get a certificate back from the CA within 20 minutes of sending a certificate request, it will resend the request. The XSR will repeat certificate requests every retry period until 100 requests have been sent. If the CA is not available at the specified location, obtain the URL from your CA administrator.

crl frequency
The command specifies the interval between Certificate Revocation List (CRL) retrievals.

Syntax
crl frequency number

number    Interval between retries, ranging from 1 to 1440 minutes.

Syntax of the no Form
The no form of this command resets the value to the default:
no crl frequency

Mode
Certificate Authority Identity configuration: XSR(ca-identity)#

Example
The following example sets the CRL to be retrieved every five hours:
XSR(config)#crypto ca identity ACMEca
XSR(ca-identity)#crl frequency 300

enrollment http-proxy
This command specifies the local HTTP proxy server name and port.

Syntax
enrollment http-proxy hostname port_#

hostname    The URL of the local HTTP proxy server, which is the proxy server's IP address.
port_#      HTTP Proxy server port number, ranging from 1 to 10,000.

Syntax of the no Form
The no form of this command clears the proxy server setting:
no enrollment http-proxy

Mode
Certificate Authority Identity configuration: XSR(ca-identity)#

Example
The following example sets the HTTP proxy server IP address and port #:
XSR(config)#crypto ca identity ACMEca
XSR(ca-identity)#enrollment http-proxy 192.168.57.9 999

enrollment retry count

This command specifies how many times the XSR resends a certificate request when it does not receive a certificate from the Certificate Authority (CA) from the previous request.

Syntax
enrollment retry count number

number    Attempts the XSR will make to resend a certificate request to the CA while waiting on an original request. Range: 1 to 100.

Syntax of the no Form
The no form of this command resets the value to the default:
no enrollment retry count

Default
3

Mode
Certificate Authority Identity configuration: XSR(ca-identity)#

Example
The following example declares a CA, and changes the retry period to 10 minutes and the retry count to 60. The XSR will resend the certificate request every 10 minutes until it receives the certificate or until approximately 10 hours pass since the original request was sent, whichever occurs first. (10 minutes x 60 tries = 600 minutes [10 hours]).
XSR(config)#crypto ca identity ACMEca
XSR(ca-identity)#enrollment url http://ca_server
XSR(ca-identity)#enrollment retry period 10
XSR(ca-identity)#enrollment retry count 60

enrollment retry period

This command specifies the wait period between certificate requests.

Syntax
enrollment retry period minutes

minutes    The interval, ranging from 1 to 60 minutes, the XSR waits before resending a certificate request to the CA.

Syntax of the no Form
Use the no form of the command to reset the retry period to the default:
no enrollment retry period

Default
5 minutes

Mode
Certificate Authority Identity configuration: XSR(ca-identity)#

Example
The following example declares a CA and changes the retry period:
XSR(config)#crypto ca identity ACMEca
XSR(ca-identity)#enrollment url http://ca_server
XSR(ca-identity)#enrollment retry period 5

enrollment url
This command sets the Uniform Resource Locator (URL) of the Certificate Authority (CA). If the CA cgi-bin script site is not the default /cgi-bin/pkiclient.exe at the CA, you must also include the nonstandard script site in the URL as http://CA_name/script_location where script_location is the full path to the CA scripts. Be aware that the URL format may vary.

Syntax
enrollment url url

url    The URL of the CA where the XSR sends certificate requests. The URL may be in the form of http://CA_name where CA_name is the CA's host IP address or defined static IP host name.

Syntax of the no Form
This command's no form deletes the CA's URL value from the configuration:
no enrollment url url

Mode
Certificate Authority Identity configuration: XSR(ca-identity)#

Examples
The following example shows the minimum configuration required to declare a CA:
XSR(config)#crypto ca identity ACMEca
XSR(ca-identity)#enrollment url http://ca_server

The example below shows a static IP host name for the enrollment URL:
XSR(config)#crypto ca identity CAserver
XSR(ca-identity)#enrollment url http://ParentCA.domain.com/certsrv/mscep/mscep.dll

crypto ca enroll
This command enrolls a certificate for the XSR with the specified Certificate Authority (CA). It is not saved in the XSR configuration file but in a local encrypted database named cert.dat.

Notes:
You can remove existing certificates with the no certificate command.
If an enroll request to the Entrust CA fails, be sure the CA does not contain an outstanding PENDING enroll request from that same XSR by a previously incomplete enroll request. Because the Entrust CA allows only one outstanding request from any single client seeking certificate enrollment, the CA administrator must delete the pending certificate for the outstanding request at the CA; then the XSR can reissue its certificate enrollment request.
For Verisign CA compliance, you must provide the domain name that you specified when signing up with Verisign by using the ip domain command. See page 5-155 for command details.

Caution: We recommend that you do not enroll more certificates than permitted by the 1.5 MByte system limit imposed on the cert.dat Flash file. Doing so may destabilize the XSR and require you to delete the file.

Syntax
crypto ca enroll name

name    Name of the CA. Use the same name as when you declared the CA with the crypto ca identity command.

Syntax of the no Form
The no form of this command cancels a current enrollment request:
no crypto ca enroll name

Mode
Global configuration: XSR(config)#

Sample Output
The following script displays when you invoke the crypto ca enroll command. Note that you are prompted to enter your password and whether to proceed.
XSR(config)#crypto ca enroll ACMEca
%
% Start certificate enrollment
% Create a challenge password. You will need to verbally provide this
password to the CA Administrator in order to revoke your certificate.
For security reasons your password will not be saved in the configuration.
Please make a note of it.
Password:****
Re-enter password:****
Include the router serial number in the subject name (y/n) ? y
The serial number in the certificate will be: 3526015000250142
Request certificate from CA (y/n) ? y
You may experience a short delay while RSA keys are generated.
Once key generation is complete, the certificate request will be sent to the Certificate Authority.
Use 'show crypto ca certificate' to show the fingerprint.
<186>Aug 29 7:11:1 192.168.1.33 PKI: A certificate was successfully received from the CA.


show crypto ca identity

This command displays data about enrolled Certificate Authorities (CA).

Syntax
show crypto ca identity

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following output displays when you invoke the command:
XSR#show crypto ca identity
CA Identity - childca2
Enrollment Information:
Retry Period: 5 minutes
Retry Count: 3
Crl Frequency: 60 minutes
CA Identity - childca1
Enrollment Information:
Retry Period: 5 minutes
Retry Count: 3
Crl Frequency: 60 minutes
CA Identity - ldapca
Enrollment Information:
URL: http://1.1.1.10/certsrv/mscep/mscep.dll/
Retry Period: 5 minutes
Retry Count: 3
Crl Frequency: 60 minutes

Other Certificate Commands

crypto ca authenticate

This command authenticates the Certificate Authority (CA) by obtaining the CA's certificate. It acquires the CA certificate, computes the CA's fingerprint, and stores the certificate and fingerprint locally.

Syntax
crypto ca authenticate name

name    The name of the CA. This is the same name used when the CA was declared with the crypto ca identity command.

Mode
Global configuration: XSR(config)#

Sample Output
The following script prompts you to accept the certificate.
XSR#crypto ca authenticate ACMEca
Certificate has the following attributes:
Fingerprint: 0123 4567 89AB CDEF 0123
Do you accept this certificate? [yes/no] y

crypto ca certificate chain

This command invokes Certificate Chain mode. In this mode, you can delete a certificate by entering the no certificate commands. If you issue this command, you should also:
- Ask the CA administrator to revoke the XSR's certificates at the CA; you must supply the challenge password you created when you first got the certificates with crypto ca enroll.
- Remove the XSR's certificates from the configuration using the certificate command.

Syntax
crypto ca certificate chain name

name    CA name. Use the same name you declared using crypto ca identity.

Mode
Global configuration: XSR(config)#

Next Mode
Certificate chain configuration: XSR(config-cert-chain)#

Example
This command acquires Certificate Chain mode in which a certificate can be added or removed. Note that the script prompts you to remove the certificate:
XSR(config)#crypto ca certificate chain ACMEca
XSR(config-cert-chain)#no certificate 0123456789ABCDEF0123456789ABCDEF
% Are you sure you want to remove the certificate [yes/no]? yes
% Be sure to ask the CA administrator to revoke this certificate.


crypto ca crl request

This command downloads a new Certificate Revocation List (CRL) from the specified Certificate Authority (CA), updating the CRL.

Syntax
crypto ca crl request name

name    CA name. Use the same name you declared using crypto ca identity.

Mode
Global configuration: XSR(config)#

Example
The following example immediately downloads the latest CRL to the router:
XSR(config)#crypto ca crl request

show crypto ca crls

This command displays data about Certificate Revocation Lists (CRL) issued by a Certificate Authority (CA).

Syntax
show crypto ca crls

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following output displays when you invoke the command:
XSR#show crypto ca crls
CRL
State: VALID
Version: V2
Issuer: C=US, O=Enterasys, OU=VPN2, CN=Child CA2
Valid From: 2002 Aug 20th, 18:45:21 GMT
Valid To: 2002 Aug 20th, 20:20:21 GMT
Issuing CDP: http://childca2/CertEnroll/Child%20CA2.crl
Crl Size: 512 bytes

CRL - issued by ldapca
State: VALID
Version: V2
Issuer: C=US, O=sml, CN=ldapca
Valid From: 2002 Aug 20th, 18:26:01 GMT
Valid To: 2002 Aug 20th, 20:01:01 GMT
Issuing CDP: ldap://ldapca.sml.com/CN=ldapca(6),CN=ldapca,CN=CDP,CN=Public%20Key%20Services,CN=Services,CN=Configuration,DC=sml,DC=com?certificateRevocationList?base?objectclass=cRLDistributionPoint
Crl Size: 365 bytes

show crypto ca certificates

This command lists information about the following:
- XSR certificates, if you have requested them from CAs (see the crypto ca enroll command).
- CA certificates, if you received them (refer to the crypto ca authenticate command).

Syntax
show crypto ca certificates

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Example
The following sample output shows two XSR certificates and the CA's certificate. In this example, special usage RSA key pairs were previously generated, and a certificate was requested and received for each key pair.
XSR>show crypto ca certificates
Certificate
Subject Name
Name: XSR.example.com
IP Address: 10.0.0.1
Status: Available
Certificate Serial Number: 428125BDA34196003F6C78316CD8FA95
Key Usage: Signature
Certificate
Subject Name
Name: XSR.example.com
IP Address: 10.0.0.1
Status: Available
Certificate Serial Number: AB352356AFCD0395E333CCFD7CD33897
Key Usage: Encryption
CA Certificate
Status: Available
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Key Usage: Not Set

The following is sample output from the command when the CA supports an RA. In this example, CA and RA certificates were requested earlier by the crypto ca authenticate command.
XSR>show crypto ca certificates
CA Certificate
Status: Available
Certificate Serial Number: 3051DF7123BEE31B8341DFE4B3A338E5F
Key Usage: Not Set
RA Signature Certificate
Status: Available
Certificate Serial Number: 34BCF8A0
Key Usage: Signature
RA KeyEncipher Certificate
Status: Available
Certificate Serial Number: 34BCF89F
Key Usage: Encryption

IKE Security Protocol Commands

The following commands configure the Internet Key Exchange (IKE) Security Protocol on the XSR.

clear crypto isakmp

This command clears one or all active Internet Key Exchange connections.

Syntax
clear crypto isakmp [connection-id]

connection-id    Sets which connection to clear. If this argument is not used, all existing links will be cleared.

Mode
Privileged EXEC: XSR#

Example
The following output shows an IKE connection between two peers connected by interfaces 172.21.114.123 and 172.21.114.67:
XSR#show crypto isakmp sa
Connection-ID   State     Source          Destination      Lifetime
1               QM_IDLE   172.21.114.67   172.21.114.123   2000
8               QM_IDLE   155.0.0.1       155.0.0.2        4000

The following example clears IKE connection 8:
XSR#clear crypto isakmp 8

ISAKMP Protocol Policy Mode Commands

crypto isakmp proposal

This command defines an IKE proposal (policy), a set of parameters used during IKE negotiation. It invokes ISAKMP protocol policy configuration mode where the following subcommands are available to specify parameters in the proposal:
- authentication - Authentication method used by an IKE proposal. Refer to page 14-96 for the command definition.
- encryption - Encoding method used by an IKE proposal. Refer to page 14-97 for the command definition.
- group - Diffie-Hellman group type used by an IKE proposal. Refer to page 14-97 for the command definition.
- hash - Hash algorithm used by an IKE proposal. Refer to page 14-98 for the command definition.
- lifetime - SA interval used by an IKE proposal. Refer to page 14-99 for the command definition.

Many IKE proposals (policies) can be configured on each peer participating in IPSec. When IKE negotiation begins, it tries to find a common proposal (policy) on both peers; the common proposal contains exactly the same encryption, hash, authentication, and Diffie-Hellman values. The lifetime value does not necessarily have to be the same.

Syntax
crypto isakmp proposal name

name    Proposal name to be defined.

Syntax of the no Form
To delete an IKE proposal (policy), use the no form of this command:
no crypto isakmp proposal name

Defaults
The DEFAULT proposal contains these default values:
- Authentication: RSA signatures
- Encryption: Triple DES
- Group: 2
- Hash: SHA-1
- Lifetime: 28,840 seconds (8 hours)

Mode
Global configuration: XSR(config)#

Next Mode
ISAKMP protocol proposal configuration: XSR(config-isakmp)#

Example
The following example configures two policies for the peer:
XSR(config)#crypto isakmp proposal 57
XSR(config-isakmp)#hash md5
XSR(config-isakmp)#authentication rsa-sig
XSR(config-isakmp)#group 2
XSR(config-isakmp)#lifetime 5000
XSR(config)#crypto isakmp proposal 99
XSR(config-isakmp)#authentication pre-share
XSR(config-isakmp)#lifetime 10000

The above configuration results in the following policies:
XSR# show crypto isakmp proposal
Name      Authentication   Encrypt   Integrity   Group      Lifetime
57        RSASignature     DES       HMAC-MD5    Modp1024   5000
99        PreSharedKeys    DES       HMAC-SHA    Modp768    10000
DEFAULT   RSASignature     DES       HMAC-SHA    Modp768    86400
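
The matching rule described for this command, as an added example that is not part of the original guide or Enterasys code: two peers' proposal lists are compared on authentication, encryption, group and hash, and the lifetime is left out of the comparison. Proposals 57 and 99 follow the example above, with unset fields taken from the defaults documented for each subcommand; the HQ proposals, the names `Proposal`, `differences` and `negotiate`, and the initiator-first search order are assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Fields that must be identical on both peers, per the command description.
MATCH_FIELDS = ("authentication", "encryption", "group", "hash")


@dataclass
class Proposal:
    name: str
    # Defaults documented for each subcommand in this chapter.
    authentication: str = "rsa-sig"
    encryption: str = "3des"
    group: int = 2
    hash: str = "sha"
    lifetime: Optional[int] = None  # seconds; None means not set explicitly


def differences(a: Proposal, b: Proposal) -> List[str]:
    """Return the negotiated fields on which two proposals disagree."""
    return [f for f in MATCH_FIELDS if getattr(a, f) != getattr(b, f)]


def negotiate(initiator: List[Proposal], responder: List[Proposal]
              ) -> Tuple[Optional[Tuple[Proposal, Proposal]], List[str]]:
    """Find the first pair of proposals that agree on every MATCH_FIELDS entry.

    Returns the matching pair (or None) and a log line for each rejected
    pair, which is what you need when a tunnel fails to come up.
    The search order (initiator list first) is an assumption of this example.
    """
    log: List[str] = []
    for ours in initiator:
        for theirs in responder:
            diff = differences(ours, theirs)
            if not diff:
                return (ours, theirs), log
            log.append(f"{ours.name} vs {theirs.name}: mismatch on {', '.join(diff)}")
    return None, log


# Proposals 57 and 99 as configured in the example above.
BRANCH = [
    Proposal("57", hash="md5", authentication="rsa-sig", group=2, lifetime=5000),
    Proposal("99", authentication="pre-share", lifetime=10000),
]

# Constructed responder side (hypothetical names and values).
HQ = [
    Proposal("hq-psk", authentication="pre-share", lifetime=3600),
    Proposal("hq-cert", encryption="aes", group=5),
]

if __name__ == "__main__":
    match, rejected = negotiate(BRANCH, HQ)
    for line in rejected:
        print("rejected:", line)
    if match:
        ours, theirs = match
        print(f"common proposal: {ours.name} <-> {theirs.name} "
              f"(lifetimes {ours.lifetime} and {theirs.lifetime} are not compared)")
    else:
        print("no common proposal: IKE negotiation cannot complete")
```

Proposal 99 matches hq-psk even though the two lifetimes differ, while proposal 57 is rejected by both HQ proposals; the log names the fields to align.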

authentication
This command specifies the authentication method used within an IKE proposal (policy).

Syntax
authentication {rsa-sig | pre-share}

rsa-sig      RSA signatures public key authentication method.
pre-share    Pre-shared keys authentication method.

Syntax of the no Form
The no form of this command resets authentication to the default:
no authentication

Default
rsa-sig

Mode
ISAKMP protocol policy configuration: XSR(config-isakmp)#

Example
This example specifies RSA signatures authentication for IKE proposal ACMEproposal:
XSR(config)#crypto isakmp proposal ACMEproposal
XSR(config-isakmp)#authentication rsa-sig

encryption
This command sets the encryption algorithm used in an IKE proposal (policy).

Syntax
encryption {des | 3des | aes}

des     Data Encryption Standard (DES) encryption.
3des    Triple Data Encryption Standard (3DES) encryption.
aes     Advanced Encryption Standard (AES) encryption.

Syntax of the no Form
The no form of this command resets the algorithm to the default:
no encryption

Default
3DES

Mode
ISAKMP protocol proposal configuration: XSR(config-isakmp)#

Example
This example specifies 3DES as the encryption method for the IKE proposal ACMEproposal:
XSR(config)#crypto isakmp proposal ACMEproposal
XSR(config-isakmp)#encryption 3des

group
This command sets the Diffie-Hellman group in an IKE proposal (policy).
Note: Due to the lack of an IETF standard, IKE Diffie-Hellman bit groups 2048, 3072, and 4096 are not enabled.

Syntax
group {1 | 2 | 5}

1    768-bit Diffie-Hellman group.
2    1024-bit Diffie-Hellman group.
5    1536-bit Diffie-Hellman group.

Syntax of the no Form
The no form of this command resets the value to the default:
no group

Default
Group 2

Mode
ISAKMP protocol policy configuration: XSR(config-isakmp)#

Example
The following example configures Group 5 on ACMEproposal:
XSR(config)#crypto isakmp proposal ACMEproposal
XSR(config-isakmp)#group 5

hash
This command sets the hash algorithm used in an IKE proposal (policy).

Syntax
hash {sha | md5}

sha    Secure Hash Algorithm 1 (SHA-1) hash.
md5    Message Digest Algorithm (MD5) algorithm.

Syntax of the no Form
The no form of this command resets the hash to the default, sha:
no hash

Default
sha

Mode
ISAKMP Protocol Policy configuration: XSR(config-isakmp)#

Example
This example specifies MD5 as the hash algorithm to be used for IKE proposal ACMEproposal:
XSR(config)#crypto isakmp proposal ACMEproposal
XSR(config-isakmp)#hash md5

lifetime
This command specifies the lifetime of an IKE Security Association (SA) for a given IKE proposal (policy).

Syntax
lifetime seconds

seconds    The interval, in seconds, each SA exists before expiring.

Syntax of the no Form
The no form of this command resets to the default value:
no lifetime

Default
28,800 seconds (8 hours)

Mode
ISAKMP protocol policy configuration: XSR(config-isakmp)#

Example
The following example sets the IKE SA lifetime at 8 hours for ACMEproposal:
XSR(config)#crypto isakmp proposal ACMEproposal
XSR(config-isakmp)#lifetime 28800

Remote Peer ISAKMP Protocol Policy Mode Commands

crypto isakmp peer
This command configures the remote peer's IP address and/or subnet and acquires ISAKMP configuration mode. The following subcommands can be entered at ISAKMP Peer mode:
- config-mode - Sets the local IKE Mode configuration, the de facto standard to assign IP addresses within IKE. Refer to page 14-100 for the command definition.
- exchange-mode - Sets IKE to main or aggressive exchange mode. Refer to page 14-101 for the command definition.
- nat-traversal - Sets the IKE and IPSec NAT (Network Address Translation) traversal mode. Refer to page 14-102 for the command definition.
- proposal - Attaches IKE policies to a remote peer. Refer to page 14-102 for the command definition.
- user-id - Defines the identity information to be used during aggressive IKE Phase 1 negotiation. Refer to page 14-103 for the command definition.

Syntax
crypto isakmp peer peer_address subnet-mask

peer_address    Peer's IP address or IP subnet to which the policy will be attached.
subnet-mask     Value used with the peer address.

Syntax of the no Form
The no form of this command removes policies from a remote peer:
no crypto isakmp peer peer_address subnet-mask

Mode
Global configuration: XSR(config)#

Next Mode
Remote Peer ISAKMP protocol policy configuration: XSR(config-isakmp-peer)#

Example
The following example sets the remote peer's IKE policies:
XSR(config)#crypto isakmp peer 192.168.57.9 255.255.255.255
XSR(config-isakmp-peer)#

config-mode
This command sets the local IKE Mode Configuration role. While not officially an IETF standard, config mode is the de facto standard for assigning IP addresses within IKE.
Internet Key Exchange (IKE) Mode Configuration, as implemented by many vendors, allows a gateway to download an IP address (and other network level configuration) to the client as part of IKE negotiation. Using this exchange, the gateway gives IP addresses to the IKE client to be used as an inner IP address encapsulated under IPSec. This method provides a known IP address for the client that can be matched against IPSec policy.
When configured as a Mode Config gateway, the XSR allocates an IP address to a peer requesting it, and when configured as a client, the XSR requests an IP address from the gateway.

Syntax
config-mode {client | gateway}

client     Act as a Configuration Mode client with this peer.
gateway    Act as a Configuration Mode server with this peer.

Syntax of the no Form
The no form of this command resets IKE configuration mode to the default:
no config-mode

Default
Disabled

Mode
Remote Peer ISAKMP protocol policy configuration: XSR(config-isakmp-peer)#

Example
The following example configures the IKE IP address assignment mode to client:
XSR(config)#crypto isakmp peer 2.2.2.2 255.255.255.0
XSR(config-isakmp-peer)#config-mode client

exchange-mode
This command sets IKE to main or aggressive exchange mode.
Notes:
It is useful to specify a user ID instead of an IP address when configuring an SA in aggressive mode (with pre-shared keys) for a peer whose IP address is dynamic. If you specify no ID, its IP address will be used by default. But, in that case, you will have to re-configure (with a new entry in the aaa user database) both ends of the tunnel every time the address changes. Use the user-id <string> command instead.
Due to the vulnerability of pre-shared keys on VPN devices using aggressive mode tunnels, Enterasys Networks recommends instead using a certificate or employing a very long password which is not listed in a dictionary.

Syntax
exchange-mode {main | aggressive}

main          IKE exchange mode set to main mode.
aggressive    IKE exchange mode set to aggressive mode.

Syntax of the no Form
The no form of this command resets the exchange mode to the default:
no exchange-mode

Default
Aggressive mode

Mode
Remote Peer ISAKMP protocol policy configuration: XSR(config-isakmp-peer)#

Example
The following example configures the IKE mode to main:
XSR(config)#crypto isakmp peer 192.168.57.9 255.255.255.255
XSR(config-isakmp-peer)#exchange-mode main

nat-traversal
The command sets the IKE and IPSec NAT (Network Address Translation) traversal mode used when communicating with remote peers matching the peer subnet and wildcard masks.
The automatic parameter configures IKE to automatically detect unroutable IP addresses between the local and remote gateway and to then switch to UDP encapsulation of IPSec traffic. The alternate values for this parameter (enabled and disabled) unconditionally turn UDP encapsulation of IPSec packets on or off, respectively.

Syntax
nat-traversal {automatic | enabled | disabled}

automatic    IKE NAT mode dynamically responds to discovered unroutable IP addresses by UDP encapsulating this traffic.
enabled      IKE NAT mode unconditionally on.
disabled     IKE NAT mode unconditionally off.

Syntax of the no Form
The no form of this command resets the default value:
no nat-traversal

Default
Disabled

Mode
Remote Peer ISAKMP protocol policy configuration: XSR(config-isakmp-peer)#

Example
The following example sets IKE NAT mode to enabled:
XSR(config-isakmp-peer)#nat-traversal enabled

proposal
This command attaches up to three IKE policies to a remote peer. Proposals are configured with the crypto isakmp proposal command.

Syntax
proposal pol1 [pol2 pol3]

pol1 pol2 pol3    Names of policies attached to the remote peer.

Syntax of the no Form
The no form of this command removes policies from the peer:
no proposal

Mode
Remote Peer ISAKMP protocol policy configuration: XSR(config-isakmp-peer)#

Example
The following example attaches a proposal to the remote peer:
XSR(config)#crypto isakmp peer 192.168.57.9 255.255.255.255
XSR(config-isakmp-peer)#proposal 3des_md5_gh2

user-id
This command defines the identity information to be used during aggressive IKE Phase 1 negotiation for peer-to-peer connections. Enter it when configuring the peer's ISAKMP for a peer with pre-shared keys whose IP address is dynamic. If you specify no ID, the IP address will be used by default. But, in that case, you will have to reconfigure (with a new entry in the aaa user database) both ends of the tunnel every time the address changes.
Note: The exchange mode for this ISAKMP must be set to aggressive.

Syntax
user-id string

string    User-defined identification enclosed by quotations.

Syntax of the no Form
The no form of this command deletes the user identity:
no user-id string

Mode
Privileged EXEC: XSR#

Example
The following example configures the identification ROBO1. This ID will be used for aggressive IKE Phase 1 messages sent to the peer matching the ISAKMP's peer address (0.0.0.0, for example):
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#exchange-mode aggressive
XSR(config-isakmp-peer)#user-id ROBO1 in Shrewsbury

Remote Peer Show Commands

show crypto isakmp peer
This command displays attributes for each ISAKMP peer. IKE's first configuration derives from the IP address of the remote peer. ISAKMP peers created by EZ-IPSec configuration are marked with an asterisk (*) in the left-most column of the show output. These proposals may not be used in other user-defined ISAKMP policies. They are reserved for EZ-IPSec.

Syntax
show crypto isakmp peer

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following is sample output from the command:
XSR#show crypto isakmp peer Applicable Subnet Exch-Mode Config-Mode 192.168.57.4/2 Main Client 192.168.57.9/32 Main Disabled XSR#show crypto isakmp peer Exch-Mode Config-Mode Applicable Subnet * 141.154.196.87/32 Main Client NAT Off Off User ID p1 Proposals *** NONE *** *** NONE ***

The following output was produced by an ISAKMP peer created by EZ-IPSec:
NAT Auto User ID Proposals ez-ike-3des-sha-rsa ez-ike-3des-md5-rsa

Parameter Description
Applicable subnet    Subnet describing a range of IP addresses representing peers.
Exch-Mode            Main or Aggressive.
Config-Mode          Client, Gateway or Disabled.
NAT                  Indicates whether NAT Traversal is On or Off. Be aware that Off may be indicated even when NAT-T is being used.
User ID              User-specified peer name.
Proposals            IKE policies.

show crypto isakmp proposal
This command lists attributes for each Internet Key Exchange (IKE) proposal. ISAKMP proposals created with EZ-IPSec are marked with an asterisk (*) in the show output. These proposals may not be used in other user-defined ISAKMP policies. They are reserved for EZ-IPSec.

Syntax
show crypto isakmp proposal

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
XSR#show crypto isakmp proposal
Name  Authentication  Encrypt  Integrity  Group     Lifetime
test  PreSharedKeys   AES      HMAC-MD5   Modp1024

The following output was produced by ISAKMP proposals created via EZ-IPSec:
XSR#show crypto isakmp proposal
Name                  Authentication  Encrypt  Integrity  Group     Lifetime
*ez-ike-3des-sha-psk  PreSharedKeys   3DES     HMAC-SHA   Modp1024  28800
*ez-ike-3des-md5-psk  PreSharedKeys   3DES     HMAC-MD5   Modp1024  28800
*ez-ike-3des-sha-rsa  RSASignature    3DES     HMAC-SHA   Modp1024  28800
*ez-ike-3des-md5-rsa  RSASignature    3DES     HMAC-MD5   Modp1024  28800

show crypto isakmp sa


This command lists all current Internet Key Exchange Security Associations (SAs) for your XSR. An SA occupies a certain state depending upon where in the authentication process the peers are and what exchange mode they share: Aggressive, Main or Quick. During long exchanges, some of the MM states may be seen. Refer to the Parameter Descriptions for further explanation.

Syntax
show crypto isakmp sa

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following output displays two SAs, one in Main Mode exchange preparing to authenticate and the other in Quick Mode exchange ready for traffic:
XSR#show crypto isakmp sa
Connection-ID  State        Source         Destination     Lifetime
526            MM_KEY_AUTH  192.168.2.2    192.168.2.1
9              QM_IDLE      192.168.55.10  141.154.196.87

Parameters Descriptions

Main Mode Exchange
MM_NO_STATE    ISAKMP SA has only just been created and no state is yet established.
MM_SA_SETUP    Peers have agreed on settings for the ISAKMP SA.
MM_KEY_EXCH    Peers have exchanged Diffie-Hellman public keys and built a shared secret. The ISAKMP SA is not authenticated.
MM_KEY_AUTH    ISAKMP SA is authenticated. If the XSR began this exchange, this state transitions immediately to QM_IDLE and a Quick Mode exchange begins.

Aggressive Mode Exchange
AG_NO_STATE     ISAKMP SA has only just been created and no state is yet established.
AG_INIT_EXCH    Peers have made the first exchange in Aggressive Mode but the SA is not authenticated.
AG_AUTH         ISAKMP SA has been authenticated. If the XSR began this exchange, this state transitions immediately to QM_IDLE and a Quick Mode exchange begins.

Quick Mode Exchange
QM_IDLE    ISAKMP SA is quiescent. It remains authenticated with its peer and may be used for later Quick Mode exchanges.

IPSec Commands
This section describes commands that configure the IPSec protocol which provides anti-replay protection as well as data authentication and encryption.

access-list
This command creates an access list which is used to define which IP traffic will and will not be protected by the crypto process. ACLs associated with IPSec crypto map entries have these primary functions:
- Select outbound traffic to be protected by IPSec: the keyword permit equates with protected traffic.
- Indicate the data flow to be protected by the new Security Associations (SAs) specified by a single permit entry when initiating negotiations for IPSec SAs.
- Process inbound traffic to filter out and discard traffic that should have been protected by IPSec.
- Determine whether or not to accept requests for IPSec SAs on behalf of the requested data flows when processing IKE negotiation from the IPSec peer (negotiation is done only for ipsec-isakmp crypto map entries). In order to be accepted, if the peer initiates IPSec negotiation, it must specify a data flow that is permitted by a crypto access list associated with an ipsec-isakmp crypto map entry.

Syntax
access-list acl-number {deny | permit} protocol [source_addr source_mask [eq port] destination_addr destination_mask [eq port]

acl-number          A uniquely defined access list number.
deny                Prevents traffic from being protected by IPSec in the context of a particular crypto map entry: it does not allow the policy as set in crypto map statements to be applied to this traffic.
permit              Causes all IP traffic that matches the specified conditions to be protected by IPSec using the policy described by the corresponding crypto map command statements.
protocol            Name or number of an IP protocol. It can be one of the keywords ip, tcp, or udp, or an integer ranging from 1 to 254 representing an IP protocol number. To match any Internet protocol, including TCP, and UDP, use the keyword ip.
eq port             A clause to define a matching source and/or destination port number. Source and/or destination is defined by the location of the eq keyword in the command. A port number of zero matches any port. May only be used with TCP and UDP protocols.
source-addr         Address of the network or host from which the packet is sent.
source-mask         Netmask bits (mask) to be applied to source_addr.
destination-addr    IP address of the network or host to where the packet is sent.
destination-mask    Netmask bits (mask) to be applied to destination_addr.

Syntax of the no Form
The no form of this command removes the access list:
no access-list acl-number {deny | permit} protocol [source_addr source_mask [eq port] destination_addr destination_mask [eq port]

Default
An extended ACL defaults to a list that denies everything.

Mode
Global configuration: XSR(config)#

Examples
The following example configures two IP ACLs:
XSR(config)#access-list 100 permit ip 0.0.0.0 255.255.255.255 192.168.1.0
XSR(config)#access-list 101 permit ip 0.0.0.0 255.255.255.255 host 10.123.234.45

The following ACLs secure L2TP:
XSR(config)#access-list 120 permit udp any eq 1701 any
XSR(config)#access-list 130 permit udp any any eq 1701

IPSec Clear and Show Commands

clear crypto sa
This command deletes IPSec Security Associations (SAs) as follows:
- If the SAs were established via IKE, they are deleted and future IPSec traffic will require new SAs to be negotiated. (When IKE is used, the IPSec SAs are established only when needed.)
- The peer keyword deletes any IPSec SAs for the specified peer.
- The map keyword deletes any IPSec SAs for the named crypto map set.
- The counters keyword simply clears the traffic counters maintained for each SA; it does not clear the SAs themselves.
Note: If there are many thousands of tunnels in use, this command will use as many system resources as are available for as long as necessary to complete the task, making the XSR appear frozen.

Syntax
clear crypto sa
clear crypto sa peer {ip-address | peer-name}
clear crypto sa map map-name
clear crypto sa counters

ip-address    Specify a remote peer's IP address.
peer-name     Specify a remote peer's name as the fully qualified domain name.
map-name      Specify the name of a crypto map set.

Default
If peer, map, or counters keywords are not used, all IPSec SAs are deleted.

Mode
Privileged EXEC: XSR#

Example
The following example clears the SA counters for all peers:
XSR#clear crypto sa counters

show access-lists
This command shows one or all access lists defined in the XSR. Alternatively, you can view the packet threshold after which the ACL violations log is triggered.

Syntax
show access-lists number log-update-threshold

number                  Access list number defined using the access-list command.
log-update-threshold    Packet ceiling, when met, will trigger violations log.

Default
If an access list number is not specified, all access lists are shown.

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Examples
The following example displays configured access lists on the XSR:
XSR#show access-lists
Extended IP access list 100
permit ip any host 192.168.1.0

The following example displays the log threshold:
XSR(config)#show access-lists log-update-threshold
access-list log-update-threshold 10000

crypto key master


This command creates, deletes, or specifies a master encryption key, which encodes all other keys on the XSR including AAA user database and private keys used by PKI (user.dat, cert.dat and hostkey.dat). Before configuring your VPN, you must generate this key.
Caution: The master encryption key is stored in hardware, not Flash, and you cannot read the key - only overwrite the old key by writing a new one. To ensure router security, it is critical not to compromise the key. There are situations where you may want to keep the key, for example, to save the user database off-line in order to later download it to the XSR. In order to encrypt the user database, you need the same master key, indicating the key designation with the master key specify command. Be aware that if the XSR is inoperable and you press the Default button, the master key is erased and you must generate a new one.

Syntax
crypto key master {generate | remove | specify}

generate    Create a master encryption key.
remove      Delete the master encryption and host key pair (hostkey.dat).
specify     Specify a master encryption key.

Mode
Global configuration: XSR(config)#

Sample Output
The following output displays when a master key is generated:
XSR(config)#crypto key master generate
New key is 8573 4583 3994 2ff5 183b 4bdf fe92 dbc1 1132 ffe0 f8d9 3759

A script displays when a master key is specified, prompting you for the following information:
XSR(config)#crypto key master specify
Specify first encryption key in hex digits: []: 8573 4583 3994 2ff5
Specify second encryption key in hex digits: []: 183b 4bdf fe92 dbc1
Specify third encryption key in hex digits: []: 1132 ffe0 f9d9 3759
Are you sure? [y]:

Crypto Map Mode Commands

crypto map (Global IPSec)
This command creates or modifies a crypto map entry. It also acquires Crypto Map mode. Along with the setting of a transform set, this constitutes IPSec Phase 2 configuration. In Crypto Map mode, the following sub-commands are available:
match address - Correlates ACLs to map. Refer to page 14-111 for the command definition.
mode - Selects encapsulation type, tunnel or transport, for a transform set. Refer to page 14-112 for the command definition.
set peer - Specifies peer's IP address. Refer to page 14-113 for the command definition.
set security-association level per-host - Specifies separate SAs be requested for each source/destination host pair. Refer to page 14-114 for the command definition.
set transform-set - Correlates transform sets with map. Refer to page 14-114 for the command definition.

Crypto Map
Crypto maps provide two functions: filter and classify traffic to be protected as well as define the policy to be applied to that traffic. The first use affects the flow of traffic on an interface; the second affects the negotiation performed (via IKE) on behalf of that traffic. IPSec crypto maps link definitions of the following:
- Which traffic should be protected.
- Which IPSec peers the protected traffic can be forwarded to; these are the peers with which a Security Association (SA) can be built.
- Which transform sets are acceptable for use with the protected traffic.
- How keys and SAs should be used or managed.
Note: A crypto map has no effect until it is attached to an interface.

Crypto Map Rules
A crypto map is a collection of rules, each with a different seq-num but the same map-name. So, for a given interface, you can have certain traffic forwarded to one IPSec peer with specified security applied to that traffic, and other traffic forwarded to the same or a different IPSec peer with different IPSec security applied. To accomplish this you create two crypto maps, each with the same map-name, but each with a different seq-num. Crypto map rules are searched in order of seq-num. Sequence numbers, in addition to determining the order in which traffic is tested against the rules, are used as an anti-replay device to reject duplicate and old packets and so prevent an intruder from copying a conversation and using it to work out encryption algorithms.

Syntax
crypto map map-name seq-num [ipsec-isakmp]

map-name        Crypto map identification. This is the name assigned when the crypto map was created.
seq-num         32-bit digit you assign to the crypto map. Range: 1 to 4096.
ipsec-isakmp    This value provides backward compatibility with the industry-standard CLI. It is not mandatory.

Syntax of the no Form
To delete a crypto map entry, use the no form of this command:
no crypto map map-name [seq-num]

Mode
Global configuration: XSR(config)#

Next Mode
Crypto Map configuration: XSR(config-crypto-m)#

Sample Output
The following example creates the crypto map ACMEmap:
XSR(config)#crypto map ACMEmap 7
XSR(config-crypto-m)#set transform-set esp-3des-sha
XSR(config-crypto-m)#match address 120

match address
This command specifies an access control list (ACL) for a crypto map entry. An ACL is applied bidirectionally by IPSec and the XSR considers its source as the local address and its destination as the remote address, so typically only one match address and ACL is needed to define traffic with a peer.

Syntax
match address [access-list-id]

access-list-id    Identifies the extended ACL by its number. This value should match the access-list-number argument of the ACL being matched.

Syntax of the no Form
Use the no form to remove the ACL from a crypto map entry:
no match address [access-list-id]

Default
No access lists are matched to the crypto map entry.

Mode
Crypto Map configuration: XSR(config-crypto-m)#

Example
The following static crypto map example shows the minimum required crypto map configuration when IKE will be used to establish the SAs:
XSR(config)#crypto map ACMEmap 7 ipsec-isakmp
XSR(config-crypto-m)#match address 101
XSR(config-crypto-m)#set transform-set my_t_set1
XSR(config-crypto-m)#set peer 10.0.0.1

mode
This command selects one of two IPSec-defined encapsulation modes, tunnel or transport, for a transform set. Tunnel mode, the default, typically is used with VPNs because the entire private network packet is carried as the payload of the IPSec packet. Transport mode carries only the payload (TCP or UDP typically) of the private network packet as the payload of the IPSec packet.
Note: Transport mode must be selected for a Windows L2TP/IPSec client to operate properly.

Syntax
mode [tunnel | transport]

tunnel       Tunnel mode.
transport    Transport mode.

Syntax of the no Form
The no form of this command resets the mode to the default:
no mode

Default
Tunnel mode

Mode
Crypto Map configuration: XSR(config-crypto-m)#

Example
This example defines a transform set and changes the mode to transport mode. The mode value only applies to IP traffic with source and destination addresses at the local and remote IPSec peers.
XSR(config)#crypto ipsec transform-set newer esp-des esp-sha-hmac
XSR(config)#crypto map ACMEmap 14
XSR(config-crypto-m)#mode transport

set peer
This command specifies an IPSec peer in a crypto map entry. When traffic passing through the interface matches a crypto map entry, a tunnel is opened to the peer specified by this command.

Syntax
set peer ip-address

ip-address    Specifies the IPSec peer by its IP address.

Syntax of the no Form
To remove an IPSec peer from a crypto map entry, use the no form of this command:
no set peer {hostname | ip-address}

Default
No peer is defined

Mode
Crypto Map configuration: XSR(config-crypto-m)#

Example
This example shows a crypto map configuration when IKE is used to build Security Associations. In this example, an SA could be set up with either the IPSec peer at 10.0.0.1 or the peer at 10.0.0.2.
XSR(config)#crypto map ACMEmap 7 ipsec-isakmp
XSR(config-crypto-m)#match address 101
XSR(config-crypto-m)#set transform-set my_t_set1
XSR(config-crypto-m)#set peer 10.0.0.1

set security-association level per-host
This command specifies that separate IPSec Security Associations (SAs) should be requested for each source/destination host pair.

Syntax
set security-association level per-host

Syntax of the no Form
The no form specifies that one SA should be requested for each crypto map ACL permit entry.
no set security-association level per-host

Default
For a given crypto map, all traffic between two IPSec peers matching a single crypto map ACL permit entry will share the same SA.

Mode
Crypto Map configuration: XSR(config-crypto-m)#

Example
The following example sets the SA request on a per-host basis:
XSR(config)#crypto map ACMEmap
XSR(config-crypto-m)#set security-association level per-host

set transform-set
This command specifies which transform sets can be used with the crypto map entry.

Syntax
set transform-set transform-set-name1 [transform-set-name2...transform-set-name6]

transform-set-name    Name of the transform set. Up to 6 can be specified.

Syntax of the no Form
The no form of this command removes all transform sets from a crypto map entry:
no set transform-set

Mode
Crypto Map configuration: XSR(config-crypto-m)#

Example
This example defines two transform sets, specifying both can be used within a crypto map entry. When traffic matches ACL 101, the SA can use either transform set my_t_set1 (first priority) or my_t_set2 (second priority) depending on which transform set matches the remote peer's transform sets.
XSR(config)#crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
XSR(config)#crypto ipsec transform-set my_t_set2 ah-sha-hmac esp-des esp-sha-hmac
XSR(config)#crypto map ACMEmap 7 ipsec-isakmp
XSR(config-crypto-m)#match address 101
XSR(config-crypto-m)#set transform-set my_t_set1 my_t_set2
XSR(config-crypto-m)#set peer 10.0.0.1

Crypto Transform Mode Commands

crypto ipsec transform-set
This command defines a transform set which is an acceptable combination of security protocols and algorithms to apply to IP Security protected traffic. During IPSec Security Association (SA) negotiation, peers agree to use a particular transform set when protecting a particular data flow. This command acquires Crypto Transform configuration Mode. The following sub-commands are available in this mode:
set pfs - Specifies that IPSec should ask for PFS when seeking new SAs for this crypto map entry, or that IPSec requires PFS when getting requests for new SAs. Refer to page 14-116 for the command definition.
set security-association lifetime - Specifies the interval used when negotiating IPSec SAs. Refer to page 14-117 for the command definition.

A transform set is an acceptable combination of security protocols, algorithms and other settings to apply to IP Security protected traffic. During IPSec SA negotiation, the peers agree to use a particular transform set when protecting a particular data flow.

Syntax
crypto ipsec transform-set transform-set-name transform1 [transform2 [transform3]]

transform-set-name    Name of the transform set to create or modify.
transform1            Specify up to 3 transforms defining the IPSec security protocols and algorithms. The choices are:
                      ah-md5-hmac: AH transform with HMAC-MD5 algorithm.
                      ah-sha-hmac: AH transform with HMAC-SHA algorithm.
                      esp-3des: ESP transform with 56-bit DES encryption (168 bits).
                      esp-aes: ESP transform with 128-bit AES encryption.
                      esp-des: ESP transform with 168-bit Triple DES encryption.
                      esp-md5-hmac: ESP transform with HMAC-MD5 data integrity algorithm.
                      esp-null: ESP transform with no encryption.
                      esp-sha-hmac: ESP transform with HMAC-SHA data integrity algorithm.

Syntax of the no Form
The no form of the command deletes a transform set:
no crypto ipsec transform-set transform-set-name

Mode
Global configuration: XSR(config)#

Next Mode
Crypto Transform configuration: XSR(cfg-crypto-tran)#

Example
The following example defines the transforms to apply for t-set1 SA negotiation:
XSR(config)#crypto ipsec transform-set t-set1 esp-3des esp-sha-hmac

set pfs
This command specifies that IPSec ask for Perfect Forward Secrecy (PFS) when requesting new Security Associations (SAs) for this crypto map entry, or that IPSec requires PFS when receiving requests for new SAs. PFS is a security condition under which there is confidence that the compromise of a session's key will not lead to easier compromise of the key used in the next session (after the key is refreshed). When PFS is used a session's keys are generated independently, so a key compromised in one session will not affect the keys used in subsequent sessions.
Note: Due to the lack of an IETF standard, IKE Diffie-Hellman bit groups 2048, 3072, and 4096 are not enabled.

Syntax
set pfs [group1 | group2]

group1    Specifies that IPSec should use the 768-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.
group2    Specifies that IPSec should use the 1024-bit Diffie-Hellman prime modulus group when performing the new Diffie-Hellman exchange.

Syntax of the no Form
Use the no form of the command for IPSec not to request PFS:
no set pfs

Default
Disabled

Mode
Crypto Transform configuration: XSR(cfg-crypto-tran)#

Example
This example selects PFS group 2 whenever a new SA is negotiated for crypto map ACMEmap:
XSR(config)#crypto map ACMEmap 7 ipsec-isakmp
XSR(config)#crypto ipsec transform-set t-set1 esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set pfs group2
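
An added example, not part of the Enterasys guide: a Python check that reads a pasted XSR CLI session and reports ISAKMP peers left in aggressive exchange mode (the default this guide states for exchange-mode) and transform sets with PFS disabled, PFS on the 768-bit group1, or esp-null. The session text is constructed, and the function names and finding strings are this example's own.

```python
import re

# Constructed CLI session in the style of this guide's examples; it is not
# captured from a real XSR. Peer addresses and some set names reuse the guide's.
SAMPLE_SESSION = """\
XSR(config)#crypto isakmp peer 192.168.57.9 255.255.255.255
XSR(config-isakmp-peer)#exchange-mode main
XSR(config-isakmp-peer)#proposal 3des_md5_gh2
XSR(config)#crypto isakmp peer 0.0.0.0 0.0.0.0
XSR(config-isakmp-peer)#user-id ROBO1
XSR(config)#crypto isakmp peer 2.2.2.2 255.255.255.0
XSR(config-isakmp-peer)#exchange-mode main
XSR(config-isakmp-peer)#no exchange-mode
XSR(config)#crypto ipsec transform-set t-set1 esp-3des esp-sha-hmac
XSR(cfg-crypto-tran)#set pfs group2
XSR(config)#crypto ipsec transform-set my_t_set1 esp-des esp-sha-hmac
XSR(config)#crypto ipsec transform-set lab esp-null esp-md5-hmac
XSR(cfg-crypto-tran)#set pfs group1
"""

# Strips a leading prompt such as "XSR(config-isakmp-peer)#" or "XSR>".
PROMPT = re.compile(r"^XSR(\([^)]*\))?[#>]\s*")


def parse_session(session):
    """Collect the effective peer and transform-set settings from CLI lines."""
    peers, tsets, ctx = {}, {}, None
    for raw in session.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        if not words:
            continue
        if words[:3] == ["crypto", "isakmp", "peer"] and len(words) >= 5:
            key = "peer " + " ".join(words[3:5])
            # Guide: exchange-mode defaults to Aggressive mode.
            ctx = peers.setdefault(key, {"kind": "peer", "mode": "aggressive"})
        elif words[:3] == ["crypto", "ipsec", "transform-set"] and len(words) >= 5:
            key = "transform-set " + words[3]
            # Guide: set pfs defaults to Disabled.
            ctx = tsets[key] = {"kind": "tset", "transforms": words[4:], "pfs": None}
        elif words[0] in ("crypto", "interface", "access-list", "exit", "end"):
            ctx = None  # another mode or a global command: stop attributing
        elif ctx and ctx["kind"] == "peer":
            if words[0] == "exchange-mode" and len(words) == 2:
                ctx["mode"] = words[1]
            elif words[:2] == ["no", "exchange-mode"]:
                ctx["mode"] = "aggressive"  # the no form resets to the default
        elif ctx and ctx["kind"] == "tset":
            if words[:2] == ["set", "pfs"]:
                ctx["pfs"] = words[2] if len(words) > 2 else "group-not-given"
            elif words[:3] == ["no", "set", "pfs"]:
                ctx["pfs"] = None
    return peers, tsets


def audit(session):
    """Return (object, finding) tuples for settings worth a second look."""
    peers, tsets = parse_session(session)
    findings = []
    for name, peer in peers.items():
        if peer["mode"] == "aggressive":
            findings.append((name, "aggressive exchange mode"))
    for name, tset in tsets.items():
        if "esp-null" in tset["transforms"]:
            findings.append((name, "esp-null: ESP with no encryption"))
        if tset["pfs"] is None:
            findings.append((name, "PFS disabled"))
        elif tset["pfs"] == "group1":
            findings.append((name, "PFS uses the 768-bit group1"))
    return findings


if __name__ == "__main__":
    for obj, finding in audit(SAMPLE_SESSION):
        print(f"{obj}: {finding}")
```

A peer flagged for aggressive mode is the case the exchange-mode note addresses: use a certificate, or a very long pre-shared key that is not in a dictionary.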

set security-association lifetime


This command sets the lifetime interval used when negotiating IPSec Security Associations (SAs). Data passing through the XSR is encrypted using keys generated during IKE exchange. The lifetime of those keys may be defined in seconds or in data volume which was encrypted using those keys. When that lifetime expires new keys are generated and traffic continues to be passed using new keys.

Syntax
set security-association lifetime {seconds seconds | kilobytes kilobytes}

seconds      The interval an SA lives before expiring, ranging from 300 to 86,400,000 seconds.
kilobytes    The volume of traffic, in KBytes, that can pass between IPSec peers using a given SA before that SA expires, ranging from 1 MByte to 1000 GBytes.

Syntax of the no Form
The no form of this command disables the specified lifetime metric. It does not reset the default:
no set security-association lifetime {seconds | kilobytes}

Default
3600 seconds with no limit on traffic volume.

Mode
Crypto Transform configuration: XSR(cfg-crypto-tran)#

Example
The following example sets the SA lifetime to 7,200 KBytes and disables the seconds parameter:
XSR(cfg-crypto-tran)#set security-association lifetime kilobytes 7200
XSR(cfg-crypto-tran)#no set security-association lifetime seconds

Crypto Show Commands

show crypto ipsec sa
This command displays current Security Associations (SAs) settings.

Syntax
show crypto ipsec sa [map map-name | address]

map-name    Shows any existing SAs created for the crypto map set named map-name.
address     Shows all existing SAs, sorted by the destination address (either the local address or the address of the IPSec remote peer) and then by protocol (AH or ESP).

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following is sample output when NAT is not present between the crypto endpoints. The first section is the inbound SA, and the second section, the outbound SA. The UDP port follows the IP address for crypto endpoints when a NAT is present.
XSR#show crypto ipsec sa
10.1.1.2/32, UDP, 1701 ==> 10.2.1.34/32, UDP, 1701 : 71 packets
ESP: SPI=f5ae2b52, Transform=3DES/HMAC-SHA, Life=3575S/249929KB
Local crypto endpt.=10.2.1.34, Remote crypto endpt.=10.1.1.2
Encapsulation=Transport
10.2.1.34/32, UDP, 1701 ==> 10.1.1.2/32, UDP, 1701 : 36 packets
ESP: SPI=5419ec15, Transform=3DES/HMAC-SHA, Life=3575S/249933KB
Local crypto endpt.=10.2.1.34, Remote crypto endpt.=10.1.1.2
Encapsulation=Transport

The following is sample output when NAT is present between the crypto endpoints. Note that UDP-Encaps displays, indicating that encapsulation is enabled with a NAT present.
10.2.1.10/32, UDP, 1701 ==> 10.2.1.34/32, UDP, 1701 : 52 packets
ESP: SPI=40d5e065, Transform=3DES/HMAC-SHA, Life=3589S/249932KB
Local crypto endpt.=10.2.1.34:4500, Remote crypto endpt.=10.2.1.10:41108
Encapsulation=Transport UDP-Encaps
10.2.1.34/32, UDP, 1701 ==> 10.2.1.10/32, UDP, 1701 : 32 packets
ESP: SPI=5c0f6fb5, Transform=3DES/HMAC-SHA, Life=3589S/249934KB
Local crypto endpt.=10.2.1.34:4500, Remote crypto endpt.=10.2.1.10:41108
Encapsulation=Transport UDP-Encaps

Parameter Description
10.2.1.10/32, UDP, 1701                 IP address, protocol, and protocol port number of the source ACL entry associated with this SA.
10.2.1.34/32, UDP, 1701                 IP address, protocol, and protocol port number of the destination ACL entry associated with this SA.
52 packets                              Number of packets processed by this SA.
ESP                                     Type of SA: either ESP or AH.
SPI=40d5e065                            Unique Security Parameter Index (SPI) number for the SA.
Transform                               Encryption algorithm set.
Life=3589s/249932KB                     Lifetime of the SA in seconds and KBytes.
Local crypto endpt. 10.2.1.34:4500      IP address and port number of the local crypto peer.
Remote crypto endpt. 10.2.1.34:4500     IP address and port number of the remote crypto peer.
Encapsulation                           ESP or AH Encoding Mode.
UDP-Encaps                              Indicates NAT is present between the crypto endpoints.
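
An added example, not from the guide: a Python parser for the show crypto ipsec sa output described above, useful when monitoring which tunnels run through a NAT and whether each flow has an SA in both directions. It matches across line breaks, so it works however the console wraps the output; the function names and returned field names are this example's own.

```python
import re

# Text quoted from the guide's sample outputs above, flattened to single
# spaces. SAMPLE_NO_NAT holds only the first (inbound) SA of the no-NAT case.
SAMPLE_NO_NAT = (
    "XSR#show crypto ipsec sa "
    "10.1.1.2/32, UDP, 1701 ==> 10.2.1.34/32, UDP, 1701 : 71 packets "
    "ESP: SPI=f5ae2b52, Transform=3DES/HMAC-SHA, Life=3575S/249929KB "
    "Local crypto endpt.=10.2.1.34, Remote crypto endpt.=10.1.1.2 "
    "Encapsulation=Transport"
)
SAMPLE_NAT = (
    "10.2.1.10/32, UDP, 1701 ==> 10.2.1.34/32, UDP, 1701 : 52 packets "
    "ESP: SPI=40d5e065, Transform=3DES/HMAC-SHA, Life=3589S/249932KB "
    "Local crypto endpt.=10.2.1.34:4500, Remote crypto endpt.=10.2.1.10:41108 "
    "Encapsulation=Transport UDP-Encaps "
    "10.2.1.34/32, UDP, 1701 ==> 10.2.1.10/32, UDP, 1701 : 32 packets "
    "ESP: SPI=5c0f6fb5, Transform=3DES/HMAC-SHA, Life=3589S/249934KB "
    "Local crypto endpt.=10.2.1.34:4500, Remote crypto endpt.=10.2.1.10:41108 "
    "Encapsulation=Transport UDP-Encaps"
)

# One SA record; \s+ between fields tolerates any line wrapping.
SA_RE = re.compile(
    r"(?P<src>[\d./]+),\s*(?P<proto>\w+),\s*(?P<sport>\d+)\s*==>\s*"
    r"(?P<dst>[\d./]+),\s*\w+,\s*(?P<dport>\d+)\s*:\s*(?P<packets>\d+)\s+packets\s+"
    r"(?P<type>ESP|AH):\s*SPI=(?P<spi>[0-9a-fA-F]+),\s*"
    r"Transform=(?P<transform>[^,\s]+),\s*"
    r"Life=(?P<secs>\d+)[Ss]/(?P<kbytes>\d+)KB\s+"
    r"Local crypto endpt\.=(?P<local>[\d.]+)(?::(?P<lport>\d+))?,\s*"
    r"Remote crypto endpt\.=(?P<remote>[\d.]+)(?::(?P<rport>\d+))?\s+"
    r"Encapsulation=(?P<encap>\w+)(?P<udp>\s+UDP-Encaps)?"
)


def parse_ipsec_sas(text):
    """Return one dict per SA found in show crypto ipsec sa output."""
    sas = []
    for m in SA_RE.finditer(text):
        d = m.groupdict()
        sas.append({
            "src": d["src"], "dst": d["dst"], "proto": d["proto"],
            "sport": int(d["sport"]), "dport": int(d["dport"]),
            "packets": int(d["packets"]), "type": d["type"], "spi": d["spi"],
            "transform": d["transform"],
            "life_seconds": int(d["secs"]), "life_kbytes": int(d["kbytes"]),
            "local": d["local"], "remote": d["remote"],
            # Ports appear on the endpoints only when a NAT is present.
            "local_port": int(d["lport"]) if d["lport"] else None,
            "remote_port": int(d["rport"]) if d["rport"] else None,
            "encapsulation": d["encap"],
            "udp_encaps": d["udp"] is not None,
        })
    return sas


def nat_peers(sas):
    """Remote endpoints whose SAs show UDP-Encaps (a NAT is in the path)."""
    return sorted({sa["remote"] for sa in sas if sa["udp_encaps"]})


def one_way_flows(sas):
    """Flows that have an SA in one direction but none for the reverse flow."""
    flows = {(sa["src"], sa["sport"], sa["dst"], sa["dport"]) for sa in sas}
    return sorted(f for f in flows if (f[2], f[3], f[0], f[1]) not in flows)


if __name__ == "__main__":
    for sa in parse_ipsec_sas(SAMPLE_NAT):
        print(sa["spi"], sa["remote"], "NAT-T" if sa["udp_encaps"] else "no NAT")
```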

show crypto ipsec transform-set


This command displays configured transform sets. IPSec transform sets created with EZ-IPSec configuration are marked with an asterisk (*) in the show output. These proposals may not be used in other user-defined IPSec policies. They are reserved for EZ-IPSec.

Syntax
show crypto ipsec transform-set [transform-set-name]

transform-set-name    Shows transform sets with the specific transform-set-name only.

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following example was produced from manually configured transform sets:
XSR#show crypto ipsec transform-set
Name          PFS       ESP   ESP-AH    AH        IPCOMP
esp-3des-md5  Disabled  AES   HMAC-MD5  None      None
ah-sha        Disabled  None  None      HMAC-SHA  None

The following output was produced by EZ-IPSec transform sets:
XSR#show crypto ipsec transform-set
Name                     PFS       ESP   ESP-AH    AH    IPCOMP
*ez-esp-3des-sha-pfs     Modp768   3DES  HMAC-SHA  None  None
*ez-esp-3des-sha-no-pfs  Disabled  3DES  HMAC-SHA  None  None
*ez-esp-3des-md5-pfs     Modp768   3DES  HMAC-MD5  None  None
*ez-esp-3des-md5-no-pfs  Disabled  3DES  HMAC-MD5  None  None
*ez-esp-aes-sha-pfs      Modp768   AES   HMAC-SHA  None  None
*ez-esp-aes-sha-no-pfs   Disabled  AES   HMAC-SHA  None  None
*ez-esp-aes-md5-pfs      Modp768   AES   HMAC-MD5  None  None
*ez-esp-aes-md5-no-pfs   Disabled  AES   HMAC-MD5  None  None

show crypto map
This command displays the crypto map configuration. IPSec crypto maps created with EZ-IPSec configuration are marked with an asterisk (*) in the left-most column of the show output. These proposals may not be used in other user-defined IPSec policies. They are reserved for EZ-IPSec.

Syntax
show crypto map [interface type | tag map-name]

type        Shows only the crypto map set applied to the specified interface including: ATM, BRI, Dialer, Fast/GigabitEthernet, Multilink, or Serial.
map-name    Shows only the crypto map set with the specified map-name.

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
XSR#show crypto map Crypto Map Table Policy rule list Name ezipsec n03;c03 test test.10;test.20 IPSec Policy Rule Table ACL Disp Mode Bundle Gateway Name *c03 c03 Process Tunnel SPD 141.154.196.87

*n03

n03

Process

Tunnel SPD

141.154.196.87

test.10 110 llProcess test.20 120 llProcess

Trans SPD Tunnel SPD

0.0.0.0 1.1.2.1

Proposals ez-esp-3des-sha-pfs ez-esp-3des-md5-pfs ez-esp-aes-sha-pfs ez-esp-aes-md5-pfs ez-esp-3des-sha-no-pfs ez-esp-3des-md5-no-pfs ez-esp-aes-sha-no-pfs ez-esp-aes-md5-no-pfs ez-esp-3des-sha-pfs ez-esp-3des-md5-pfs ez-esp-aes-sha-pfs ez-esp-aes-md5-pfs ez-esp-3des-sha-no-pfs ez-esp-3des-md5-no-pfs ez-esp-aes-sha-no-pfs ez-esp-aes-md5-no-pfs T/Med ah-sha T/Med esp-3des-md5

EZ-IPSec Access Control List Name Local Address *c03 10.120.122.17 *n03 172.16.19.0/24

Remote Address 0.0.0.0/0 0.0.0.0/0

Prot ANY ANY

Lport 0 0

Rport 0

Interface CLI Commands

crypto map
This command applies a previously defined crypto map to an interface. It is governed by the following rules:
- A crypto map must be assigned to an interface before that port can provide IPSec services.
- Only 1 crypto map can be assigned an interface although it can be attached to multiple ports.
- A crypto map may not be assigned to an interface that already has crypto ezipsec enabled.
- Crypto maps may not be assigned to a VPN interface (it is invalid at Interface VPN mode).

Syntax
crypto map map-name

map-name    Crypto map ID assigned when the crypto map was created.

Syntax of the no Form
Delete a crypto map from the interface with the no form of this command:
no crypto map [map-name]

Mode
Interface configuration: XSR(config-if<xx>)#

Next Mode
Crypto Map configuration: XSR(config-crypto-m)#

Sample Output
This example assigns crypto map ACMEmap to the F1 interface. When traffic passes through F1, it will be evaluated against all the crypto map entries in the ACMEmap set. When outbound traffic matches an access list in one of the ACMEmap crypto map entries, a Security Association will be established for that crypto map entry's configuration (if no SA or connection already exists).
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#crypto map ACMEmap

crypto ezipsec
This command creates a suite of IPSec policies, sorted by cryptographic strength, that are offered to the remote security gateway. The gateway selects one of these policies based on its local configuration. EZ-IPSec relies upon the IKE Mode Configuration protocol to obtain an IP address from the remote security gateway. An EZ-IPSec crypto map is also created and attached to the interface under configuration. Refer to the XSR User's Guide for specific examples and how crypto ezipsec is used with RIP and NAT. Be aware of the following rules governing this command:
- Crypto ezipsec may not be enabled on an interface that already has a crypto map.
- Crypto maps may be attached to other network interfaces.
- EZ-IPSec parameters cannot be changed but can be supplemented with custom values.

Syntax
crypto ezipsec

Syntax of the no Form


no crypto ezipsec

Default
Disabled

Mode
Interfaceconfiguration:XSR(config-if<xx>)#

Example
ThefollowingexampleconfiguresEZIPSeconSerialinterface1:
XSR(config-if<S1/0>)#crypto ezipsec

Interface VPN Commands

interface vpn
This command acquires virtual Interface VPN configuration mode from which you can configure the following subcommands:
copy-tos - Copies TOS bits during the encapsulation/decapsulation process. Refer to page 14-124 for the command definition.
description - Describes the VPN interface. Refer to page 14-125 for the command definition.
ip address negotiated - Requires a site-to-site tunnel to obtain an IP address from the remote tunnel gateway via PPP or IKE Mode Config. Refer to page 14-126 for the command definition.
ip multicast-redirect - Redirects multicast packets to the unicast address of the remote tunnel endpoint, because native IPSec tunnels attached to VPN interfaces will not easily forward multicast traffic. Refer to page 14-126 for the command definition.
ip address - Defines an explicit IP address on this virtual interface. Refer to page 5-151 for the command description.
ip nat source - Controls NAT on packets entering this VPN port. Refer to page 5-186 for the command description.
ip rip commands - Configures RIP options on the VPN interface. Refer to the "Configuring the Internet Protocol" chapter on page 5-83 for descriptions of RIP commands.
ip split-horizon - Sets RIP split horizon options on the VPN port. Refer to page 5-130 for the command description.
ip unnumbered - Creates an unnumbered VPN interface. Refer to page 5-166 for the command description.
service-policy - Attaches a policy map to a VPN output or input interface. Refer to page 14-127 for the command description.
tunnel - Creates a tunnel to a VPN gateway. Refer to page 14-127 for the command description.

Some VPN configuration properties are associated with a specific network interface or require creation of virtual network interfaces that represent tunnels.
This section defines the VPN-related subcommands provided by the interface vpn command.
A VPN interface is a special form of a virtual network interface that represents an IPSec tunnel with EZ-IPSec automatic configuration, L2TP, or PPTP tunnel(s). It is required to support VPN tunnels which have IP addresses. These tunnels should not be confused with tunnel mode in IPSec. A tunnel on a VPN interface has IP addresses at both ends and is used by the routing subsystem like any other network interface.
A VPN interface can be configured as follows:
interface vpn 4 point-to-point
interface vpn 3 multi-point

Point-to-point interfaces are used when defining an outbound tunnel to another gateway. This interface type, in conjunction with the tunnel command, is suited to initiating outbound tunnels to other security gateways that support dynamic IP address assignment.

Note: The tunnel command is a sub-command of interface vpn.

Each outbound tunnel is associated with a VPN interface. That interface, which can be configured into the routing protocols, is considered down until the tunnel has connected and an IP address has been obtained from the remote VPN gateway.

Note: Only one tunnel may be defined per point-to-point VPN interface.

A multi-point interface accepts many inbound tunnels and is used when the XSR is configured as a remote access VPN gateway.

Note: The no shutdown command is not required to bring up the virtual interface because it is always enabled.

Syntax
interface vpn {number}{point-to-point | multi-point}

number            VPN interface number ranging from 1 to 255.
point-to-point    VPN port type initiating outbound tunnels to another gateway.
multi-point       VPN port type terminating inbound tunnels from a remote access VPN gateway.

Syntax of the no Form
The following command deletes the specified VPN interface:
no interface vpn

Mode
Global configuration: XSR(config)#

Next Mode
Interface configuration: XSR(config-int-vpn)#

Example
The following example creates VPN interface 57:
XSR(config)#interface vpn 57
XSR(config-int-vpn)#

copy-tos
This command copies TOS bits during the encapsulation/decapsulation process. It can be applied to a VPN interface or inserted in the crypto isakmp peer command. When applied, the command copies the TOS byte from the inner to the outer header for output packets. For input packets, it copies the TOS byte from the outer to the inner header.

Syntax
copy-tos

Syntax of the no Form
The following no form of the command removes the TOS copy action:
no copy-tos

Mode
VPN Interface configuration: XSR(config-if<xx>)#

Example
The following example configures VPN interface 1 with an IP address, and TOS copy enabled. It also sets a peer IP address, GRE, and turns on the associated VPN tunnel.
XSR(config)#interface vpn 1
XSR(config-int-vpn)#ip address 20.20.20.1/24
XSR(config-int-vpn)#copy-tos
XSR(config-int-vpn)#service-policy output vpn
XSR(config-int-vpn)#tunnel t1
XSR#(config-tms-tunnel)#set protocol gre
XSR#(config-tms-tunnel)#set peer 10.10.10.2
XSR#(config-tms-tunnel)#set active
XSR#(config-tms-tunnel)#no shutdown

description
This command describes a VPN interface and any tunnel it contains.

Syntax
description comment

comment    Everything to the end of the line is recorded as a comment. Use quotation marks for multiple words.

Syntax of the no Form
The no form of this command deletes the description described earlier:
no description

Mode
Interface Internet Protocol configuration: XSR(config-int<vpn>)#

Example
The following example describes ACME_VPN:
XSR(config)#interface vpn 57 multi-point
XSR(config-int<vpn>)#description ACME_VPN


ip address negotiated
This command marks the VPN interface to dynamically get its IP address via the tunnel protocol. PPTP and L2TP protocols use PPP IPCP and IPSec/IKE uses the Mode Configuration protocol.

Syntax
ip address negotiated

Syntax of the no Form
no ip address negotiated

Mode
Interface Internet Protocol configuration: XSR(config-int<vpn>)#

Example
The following example sets the VPN interface to get its IP address from the tunnel protocol:
XSR(config)#interface vpn 57 point-to-point
XSR(config-int<vpn>)#ip address negotiated

ip multicast-redirect
This command controls redirection of multicast packets to the unicast address of the remote tunnel endpoint or to an explicitly defined address such as another IP address at the end of an unnumbered tunnel. The command is useful because native IPSec tunnels attached to VPN interfaces will not easily forward multicast traffic without substantial crypto map configuration.
Multicast redirection must be enabled to support RIP over IPSec tunnels when explicit multicast policy rules are not included in the Security Policy Database. Redirection is not required for PPTP and L2TP tunnels.

Note: Multicast redirection, if enabled, applies to all tunnels terminating at a point-to-multipoint VPN interface.

Syntax
ip multicast-redirect [tunnel-endpoint | ip-address]

tunnel-endpoint    Redirects multicast to the remote tunnel endpoint's IP address as dynamically set during tunnel creation.
ip-address         Redirects multicast traffic to an explicit, predefined address.

Syntax of the no Form
The no form of the command disables multicast packet redirection and allows multicast traffic to flow through the tunnel without modification:
no ip multicast-redirect [tunnel-endpoint | ip-address]

Mode
Internet Protocol Interface configuration: XSR(config-int<vpn>)#

Example
This example redirects multicast traffic to the remote tunnel server:
XSR(config)#interface vpn 57 multi-point
XSR(config-int<vpn>)#ip multicast-redirect tunnel-endpoint

service-policy
This command attaches a policy map to a VPN output or input interface. You can attach a single policy map to one or more interfaces.

Syntax
service-policy [input | output] policy-map-name

policy-map-name    Attaches the specified policy map onto the output port.

Syntax of the no Form
The no form of the command removes a policy map from the interface:
no service-policy [input | output]

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example attaches service policy VPNpolicy to VPN output interface 1:
XSR(config)#interface vpn 1
XSR(config-int<vpn>)#service-policy output VPNpolicy

Tunnel Commands

tunnel
This subcommand of interface vpn names a tunnel created at boot time that links this VPN interface with another VPN gateway. The VPN interface, with its tunnel, is equivalent to a point-to-point interface. Issuing the command acquires Tunnel configuration mode, making available the following subcommands:
set active - Enables the VPN tunnel. Refer to page 14-128 for the command definition.
set heartbeat - Monitors tunnel connectivity. Refer to page 14-129 for the command definition.
set peer - Specifies the physical IP address of the remote VPN gateway. Refer to page 14-130 for the command definition.
set protocol - Defines the VPN tunneling protocol used when the tunnel is created: client mode or network extension mode. Refer to page 14-130 for the command definition.
set user - User name employed when connecting to the remote peer. Refer to page 14-131 for the command definition.

Syntax
tunnel tunnel-name

tunnel-name    The name assigned to the tunnel.

Syntax of the no Form
The no form of this command deletes the tunnel:
no tunnel tunnel-name

Mode
Interface Internet Protocol configuration: XSR(config-int-vpn)#

Next Mode
Tunnel configuration: XSR#(config-tms-tunnel)#

Example
The following example adds the tunnel ACME_VPN:
XSR(config)#interface vpn 57 multi-point
XSR(config-int<vpn>)#tunnel ACME_VPN
XSR#(config-tms-tunnel)#

set active
This command enables the tunnel.

Syntax
set active

Syntax of the no Form
The no form of this command disables the tunnel:
no set active

Default
Enabled

Mode
Tunnel configuration: XSR(config-tms-tunnel)#

Example
The following example enables the tunnel ACME_VPN:
XSR(config)#interface vpn 57 multi-point
XSR(config-int<vpn>)#tunnel ACME_VPN
XSR#(config-tms-tunnel)#set active

set heartbeat
This command configures the mechanism to probe a tunnel peer to monitor tunnel connectivity. Ping is used over IKE/IPSec tunnels configured with dynamically assigned addresses.

Syntax
set heartbeat {interval | retries} [A.B.C.D]

interval    Interval between heartbeat tries before timing out, ranging from 1 to 3600 seconds. Zero (0) disables the heartbeat.
retries     Number of retries before the tunnel is declared down, ranging from 3 to 100.
A.B.C.D     IP address of a specified remote peer to ping to monitor tunnel connectivity.

Syntax of the no Form
The no form of this command disables the heartbeat:
no set heartbeat

Defaults
Interval: 6 seconds
Retries: 3

Mode
Tunnel configuration: XSR#(config-tms-tunnel)#

Example
The following example sets tunnel heartbeat values:
XSR(config)#interface vpn 57 multi-point
XSR(config-int<vpn>)#tunnel ACME_VPN
XSR#(config-tms-tunnel)#set heartbeat 50 10 192.168.57.9

set peer
This command specifies the physical IP address of the remote VPN gateway.

Syntax
set peer ip-address

ip-address    IP address of the peer.

Syntax of the no Form
no set peer ip-address

Mode
Tunnel configuration: XSR#(config-tms-tunnel)#

Example
The following example sets the IP address of the remote VPN gateway:
XSR(config)#interface vpn 57 multi-point
XSR(config-int<vpn>)#tunnel ACME_VPN
XSR#(config-tms-tunnel)#set peer 192.168.57.9

set protocol
This command defines the VPN tunneling protocol, Generic Routing Encapsulation (GRE) or IP Security (IPSec), used to create the tunnel.
IPSec accepts one of two subcommands that create a Client or Network Extension mode site-to-site tunnel. Client mode creates NAT on the VPN interface to hide the addresses of the trusted network (attached to F1). IPSec security policy encrypts data passing to and from the IP address assigned to the tunnel. Network extension mode creates IPSec security policies that encrypt traffic flowing to the trusted network via the tunnel in addition to securing traffic flowing to the tunnel's assigned address.

Syntax
set protocol {gre | ipsec}[client-mode | network-extension-mode]

gre                       GRE tunneling protocol.
ipsec                     IPSec tunneling protocol.
client-mode               Initiates a Client mode EZ-IPSec tunnel.
network-extension-mode    Initiates a NEM EZ-IPSec tunnel.

Syntax of the no Form
The no form of this command negates the protocol selected earlier:
no set protocol

Mode
Tunnel configuration: XSR#(config-tms-tunnel)#

Default
IPSec

Examples
The following example sets the IPSec tunnel protocol in client mode:
XSR(config)#interface vpn 29 point-to-point
XSR(config-int<vpn>)#tunnel ACME_VPN
XSR#(config-tms-tunnel)#set protocol ipsec client-mode

The example below connects a GRE tunnel attached to a VPN interface:
XSR(config)#interface vpn 2 point-to-point
XSR(config-int<vpn>)#ip address 192.168.1.123 255.255.255.0
XSR#(config-int<vpn>)#tunnel my-gre-tunnel
XSR#(config-tms-tunnel)#set protocol gre
XSR#(config-tms-tunnel)#set peer 10.1.2.3
XSR#(config-tms-tunnel)#set active

set user
This command specifies a user's identity when connecting to a peer. It invokes EZ-IPSec by applying the credentials (password and/or certificate) used during tunnel creation obtained from the AAA subsystem. An EZ-IPSec tunnel uses aggressive mode with the user name as the IKE identity. Refer to the aaa user, user-id, and show crypto ca certificate commands for more information.

Syntax
set user username

username    User name employed when connecting to the peer.

Mode
Tunnel configuration: XSR#(config-tms-tunnel)#

Examples
The following example specifies the pre-shared key of a peer by user name:
XSR(config)#interface vpn 29 point-to-point
XSR(config-int<vpn>)#tunnel ACME_VPN
XSR#(config-tms-tunnel)#set user jonathan

The following example specifies the pre-shared key of a peer by certificate:
XSR(config)#interface vpn 29 point-to-point
XSR(config-int<vpn>)#tunnel ACME_VPN
XSR#(config-tms-tunnel)#set user certificate

Tunnel Clear and Show Commands

clear tunnel
This command terminates a non-GRE tunnel associated with a user or tunnel ID. Tunnels will re-establish themselves if set to do so unless the user is disabled in its database. For example, a cleared IPSec tunnel will re-establish if traffic is initiated.

Note: This command terminates all but GRE and GRE/IPSec tunnels with an error message displayed if you attempt to do so. To bring down a GRE tunnel, remove its interface or use the no set active command.

L2TP and PPTP tunnels will be disconnected on the server side. The client side of the tunnel will time out after its designated timeout period.

Syntax
clear tunnel <user-ID | tunnel-ID>

user-ID      Name of the VPN user.
tunnel-ID    Identification number associated with this tunnel.

Mode
Privileged EXEC: XSR#

Example
The following example terminates tunnel 40000001:
XSR#clear tunnel 40000001

show tunnels
This command lists all tunnels currently connected to the XSR.

Syntax
show tunnels <user-ID | tunnel-ID>

user-ID      Name of the VPN user.
tunnel-ID    Identification number associated with this tunnel.

Mode
Privileged EXEC: XSR#

Sample Output
The following is sample output queried by the xsrclient User ID:
XSR#show tunnels xsrclient
User: xsrclient
Tunnel ID: 40000001
VPN Interface: VPN1
Group: xsrgroup
Connect Time: 11/05/2003, 23:39
Protocol: L2TP
Authentication Method: MS-CHAPv2
Packets In/Out: 0000000088/0000000027
Errors In/Out: 0000000000/0000000000
Discards In/Out: 0000000000/0000000000

The following is sample output queried by the Tunnel ID 40000001:
XSR#show tunnel 40000001
Tunnel ID: 40000001
User: xsrclient
VPN Interface: VPN1
Group: xsrgroup
Connect Time: 11/05/2003, 23:39
Protocol: L2TP
Authentication Method: MS-CHAPv2
Packets In/Out: 0000000088/0000000027
Errors In/Out: 0000000000/0000000000
Discards In/Out: 0000000000/0000000000

Parameter Description
VPN Interface            VPN port number to which the client is connected.
User ID                  Name of the VPN user.
Tunnel ID                Tunnel identification number associated with this tunnel.
Group ID                 VPN group name (if authenticated through AAA)
Connect Time             Start time and date for the connection.
Protocol Type            Type of protocol used in relation to this tunnel (e.g. PPTP, GRE, IPSec).
Authentication Method    Method of authentication (shared key/certificate, MS-CHAP, etc.)
Packets In/Out           Sum of incoming and outgoing packets.
Errors In/Out            Sum of incoming and outgoing packets with errors.
Discards In/Out          Sum of discarded incoming and outgoing packets.

Additional Tunnel Termination Commands

ip local pool
This command configures a local pool of IP addresses for when a remote peer connects to a point-to-multipoint interface or for use by DHCP.

Note: If an aaa user is configured to use a static IP address which belongs to a local IP pool, you must exclude that address from the local pool to prevent it from being assigned to another user.

The command acquires IP Local Pool configuration mode and provides these subcommands:
exclude - Bars a range of IP addresses from the local pool. Refer to page 14-135 for the sub-command definition.
exit - Quits IP Local Pool configuration mode. Refer to page 14-135 for the sub-command definition.

Syntax
ip local pool pool-name IP-address subnet-mask

pool-name      Name of a particular local address pool.
IP-address     Base address of an IP subnet used to allocate IP addresses.
subnet-mask    Mask of that IP subnet. All subnet address bits matching zero bits in the mask must also be zero; that is, subnet and mask must be zero. May be expressed as A.B.C.D or /<0-32>.

Note: The pool size (mask) must be /16 or higher (Class B or C) thus limiting any one pool to 64,000 IP addresses.

Syntax of the no Form
Use the no form of this command to delete an IP address from the pool:
no ip local pool pool-name

Mode
Global configuration: XSR(config)#

Next Mode
IP Local Pool configuration: XSR(ip-local-pool)#

Example
The following example creates a local IP address pool named marketing, which contains all IP addresses in the range 203.57.99.0 to 203.57.99.255:
XSR(config)#ip local pool marketing 203.57.99.0 255.255.255.0

exclude
This subcommand bars the use of a range of IP addresses from an earlier created IP pool.

Syntax
exclude {ip address} {number}

ip address    Starting address to be excluded from pool.
number        Number of addresses to exclude, ranging from 1 to 65535.

Syntax of the no Form
The no form of this command removes the specified IP address from the exclude list:
no exclude {ip address} {number}

Mode
Local IP Pool configuration: XSR(ip-local-pool)#

Examples
The following example excludes the 10 IP addresses between 192.168.57.100 and 192.168.57.110 from local pool HQ:
XSR(config)#ip local pool HQ 192.168.57.0 255.255.255.0
XSR(ip-local-pool)#exclude 192.168.57.100 10

The following example negates the exclusion of IP addresses 192.168.57.105 and 192.168.57.106 from the earlier excluded range of IP addresses in local pool HQ:
XSR(config)#ip local pool HQ
XSR(ip-local-pool)#no exclude 192.168.57.105 2
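
The Python sketch below is an added example, not XSR or Enterasys code. It models the ip local pool rules and the exclude / no exclude examples above, then checks the Note about AAA users with static addresses: any static address that lies inside a pool and is not on the exclude list is reported. The class and function names and the user table are hypothetical; it assumes the exclude count includes the starting address and that an excluded range must lie inside the pool.

```python
import ipaddress


class LocalPool:
    """Offline model of one 'ip local pool' entry and its exclude list."""

    def __init__(self, name, base, mask):
        # strict=True rejects a base address that has bits set where the mask
        # is zero, which is the subnet/mask rule from the Syntax table.
        self.net = ipaddress.IPv4Network(f"{base}/{mask.lstrip('/')}", strict=True)
        if self.net.prefixlen < 16:
            raise ValueError(f"pool {name}: mask must be /16 or higher")
        self.name = name
        self.excluded = set()

    def _span(self, start, count):
        if not 1 <= count <= 65535:
            raise ValueError("number of addresses must be 1 to 65535")
        first = ipaddress.IPv4Address(start)
        # Assumption: the count includes the starting address.
        span = {first + offset for offset in range(count)}
        # Assumption: a range that leaves the pool is treated as an error.
        if any(addr not in self.net for addr in span):
            raise ValueError(f"range {start}+{count} leaves pool {self.name}")
        return span

    def exclude(self, start, count):
        """Mirror of 'exclude {ip address} {number}'."""
        self.excluded |= self._span(start, count)

    def no_exclude(self, start, count):
        """Mirror of 'no exclude {ip address} {number}'."""
        self.excluded -= self._span(start, count)

    def unprotected_static(self, static_users):
        """Return {user: ip} for static addresses the pool could still assign."""
        findings = {}
        for user, ip in static_users.items():
            addr = ipaddress.IPv4Address(ip)
            if addr in self.net and addr not in self.excluded:
                findings[user] = ip
        return findings


# Constructed sample data: AAA users with static addresses (hypothetical names).
STATIC_USERS = {
    "alice": "192.168.57.105",
    "bob": "192.168.57.120",
    "carol": "10.0.0.5",  # outside pool HQ, so never a finding
}


def audit_hq():
    """Replay the two HQ examples and audit the static users after each step."""
    pool = LocalPool("HQ", "192.168.57.0", "255.255.255.0")
    pool.exclude("192.168.57.100", 10)
    after_exclude = pool.unprotected_static(STATIC_USERS)
    pool.no_exclude("192.168.57.105", 2)
    after_no_exclude = pool.unprotected_static(STATIC_USERS)
    return after_exclude, after_no_exclude


if __name__ == "__main__":
    first, second = audit_hq()
    print("after exclude:   ", first)
    print("after no exclude:", second)
```

Removing part of an exclusion, as in the second HQ example, puts a static address back at risk of duplicate assignment, which is why the audit is worth repeating after every change to the exclude list.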

exit
This subcommand quits IP Local Pool configuration mode.

Syntax
exit

Mode
IP Local Pool configuration: XSR(ip-local-pool)#

show ip local pool


This command displays statistics for any defined IP address pools.

Syntax
show ip local pool [name]

name    Name you specified for an IP address pool.

Mode
Privileged EXEC: XSR#

Sample Output
This output displays when the command is specified without a name:
XSR#show ip local pool
-----------IP Pools Statistics----------
Pool    Subnet          Mask             Free  In use  Excluded  Reserved
test    10.120.122.0    255.255.255.192  26    7       0         2
local   1.1.1.0         255.255.255.0    255   1       0         0
ddd     1.2.3.4         255.255.255.255  1     0       0         0
test    192.168.57.1    255.255.255.255  1     0       0         0
test1   192.168.57.252  255.255.255.255  1     0       0         0
test3   192.168.58.0    255.255.255.0    246   0       0         10

The following output displays when the command is specified with the name test:
XSR#show ip local pool test
-----------IP Pools Statistics----------
Statistics of IP pool test
Available addresses:
10.120.122.1 10.120.122.2 10.120.122.3 10.120.122.5 10.120.122.6
10.120.122.7 10.120.122.8 10.120.122.9 10.120.122.11 10.120.122.12
10.120.122.13 10.120.122.14 10.120.122.15 10.120.122.16 10.120.122.17
10.120.122.18 10.120.122.19 10.120.122.20 10.120.122.22 10.120.122.24
10.120.122.25 10.120.122.26 10.120.122.28 10.120.122.31 10.120.122.32
Inuse addresses:
10.120.122.10 10.120.122.21 10.120.122.23 10.120.122.27 10.120.122.29
10.120.122.30 10.120.122.34
Excluded addresses:
Reserved addresses:
10.120.122.0 10.120.122.4

Parameter Description
Pool        Name of the IP pool.
Subnet      IP address subnetwork of the IP pool.
Mask        Mask of the IP pool.
Free        Sum of unused IP addresses within the pool.
Inuse       Sum of occupied IP addresses within the pool.
Excluded    Sum of IP addresses barred from use within the pool.
Reserved    Sum of IP addresses set aside within the pool, such as the initial address 192.168.57.0 within the 192.168.57.256 range.

DF Bit Commands

crypto ipsec df-bit (Global configuration)
This command sets the DF bit for the encapsulating header in VPN Tunnel Mode to all interfaces.
The clear setting for the DF bit should be used for encapsulating Tunnel Mode IPSec traffic when you can transmit packets larger than the available MTU size or you do not know the available MTU size.

Syntax
crypto ipsec df-bit {clear | set | copy}

clear    XSR will clear the DF bit from the outer IP header; the router may fragment the packet to add IPSec encapsulation.
set      XSR will set the DF bit in the outer IP header but the router may fragment the packet if the original packet had the DF bit cleared.
copy     XSR will search the original packet for the outer DF bit setting.

Defaults
Disabled
Copy setting

Mode
Global configuration: XSR(config)#

Example
The following example clears the DF bit on all interfaces:
XSR(config)#crypto ipsec df-bit clear

crypto ipsec df-bit (Interface configuration)


This command sets the DF bit for the encapsulating header in VPN Tunnel Mode to a specific interface.
The clear setting for the DF bit should be used for encapsulating Tunnel Mode IPSec traffic when you can transmit packets larger than the available MTU size or you do not know the available MTU size.

Note: This command overrides any existing DF bit global settings.

Syntax
crypto ipsec df-bit {clear | set | copy}

clear    XSR will clear the DF bit from the outer IP header; the router may fragment the packet to add IPSec encapsulation.
set      XSR will set the DF bit in the outer IP header but the router may fragment the packet if the original packet had the DF bit cleared.
copy     XSR will search the original packet for the outer DF bit setting.

Defaults
Disabled
Copy setting

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example sets the DF bit on F1:
XSR(config-if<F1>)#crypto ipsec df-bit set

15
Configuring DHCP
Observing Syntax and Conventions
The CLI command syntax and conventions use the notation described in the following table.

Convention           Description
xyz                  Key word or mandatory parameters (bold)
[x]                  [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]          [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}          { | } Braces with vertical bar indicate a choice of a required value
[x {y | z} ]         [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)      xx signifies the interface type and number, class map, policy map or other value you specify; e.g., F1, G3, S2/1.0, <Your Name>. F indicates a FastEthernet, and G a GigabitEthernet interface.
Next Mode            Next Mode entries display the CLI prompt after a command is entered
soho.enterasys.com   Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

Sub-command headings are displayed in red text.

DHCP Commands
The following commands configure the Dynamic Host Configuration Protocol (DHCP) on the XSR.

bootfile
This command sets the name of the default boot image for a DHCP client. Depending on the client configuration inheritance, the command should be used from the proper mode. If it is specified from multiple modes, an override mechanism chooses the innermost config value, with host being innermost, then client-class and pool being the most general.

Syntax
bootfile filename

filename    Specifies the name of the file that is used as a boot image.

Syntax of the no Form
Use the no form of this command to delete the boot image name:
no bootfile

Mode
Any of the following command modes are available:
DHCP pool configuration: XSR(config-dhcp-pool)#
DHCP host configuration: XSR(config-dhcp-host)#
DHCP client class configuration: XSR(config-dhcp-class)#

Example
The following example specifies roboboot as the name of the boot file:
XSR(config-dhcp-pool)#bootfile roboboot

client-class
This command specifies the name of a DHCP client class. The XSR aggregates DHCP clients which will share the same configured attributes.

Note: Adding a client class to different DHCP pools is not permitted. For example, you cannot add client class marketing to both pool1 and pool2.

Syntax
client-class name

name    Designation of the client class using standard ASCII characters.

Syntax of the no Form
Use the no form of this command to remove the client class:
no client-class name

Mode
Either of the following command modes are available:
DHCP pool configuration: XSR(config-dhcp-pool)#
DHCP host configuration: XSR(config-dhcp-host)#
When specified from DHCP pool configuration mode, the CLI acquires DHCP class configuration sub-mode: XSR(config-dhcp-class)#
When specified from DHCP host configuration mode, the CLI does not acquire a new sub-mode.

Example
The following example specifies string clientclass1 that will be the name of the client class:
XSR(config-dhcp-pool)#client-class cc1

client-identifier
This command specifies the unique identifier (in dotted hexadecimal notation) for a Microsoft DHCP client. It is valid for manual bindings only. Microsoft DHCP clients require client identifiers instead of hardware addresses. The client identifier is formed by concatenating the media type and the Ethernet hardware (MAC) address.
For example, the Microsoft client identifier for Ethernet address 0001.f401.2710 is 0100.01f4.0127.10, where the leading 01 indicates the Ethernet media type. Be aware that you cannot add a client identifier to different DHCP pools. For example, client ID 0100.01f4.0127.10 cannot be added to both pool1 and pool2.

Note: You cannot add a client identifier to different DHCP pools. For example, client ID 0100.01f4.0127.10 cannot be added to both pool1 and pool2.

Syntax
client-identifier identifier [client-class name]

identifier    Unique identification of the client in dotted hexadecimal notation; for example: 0100.01f4.0127.10.
name          Specifies a client belonging to a client class.

Syntax of the no Form
Use the no form of this command to delete the client identifier:
no client-identifier identifier [client-class name]

Mode
Any of the following command modes are available:
DHCP pool configuration: XSR(config-dhcp-pool)#
DHCP host configuration: XSR(config-dhcp-host)#
DHCP client class configuration: XSR(config-dhcp-class)#

Next Mode
When this command is specified from DHCP pool configuration sub-mode or DHCP client-class mode, the CLI acquires DHCP host mode. When the command is entered from DHCP host mode, the CLI does not acquire a sub-mode.
XSR(config-dhcp-host)#

Example
The following example specifies the client identifier for MAC address 0001.f401.2710 in dotted hexadecimal notation:
XSR(config-dhcp)#client-identifier 0100.01f4.0127.10

The following example specifies the client identifier for MAC address 0001.f401.2710 in dotted hexadecimal notation, for the host with IP address 10.10.10.20:
XSR(config-dhcp-pool)#host 10.10.10.20 255.255.255.0
XSR(config-dhcp-host)#client-identifier 0100.01f4.0127.10

The following example specifies the client identifier for MAC address 0001.f401.2710 in dotted hexadecimal notation, and adds it to class eng:
XSR(config-dhcp-pool)#client-class eng
XSR(config-dhcp-class)#client-identifier 0100.01f4.0127.10
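
The following Python sketch is an added example, not XSR or Enterasys code. It builds the client identifier from a MAC address the way the description above states (media type followed by the MAC, regrouped into dotted hexadecimal), reverses it, and flags a manual binding that appears in more than one pool, which the Note above forbids. The function names, the binding tuples and the pool contents are hypothetical and constructed for illustration.

```python
import re
from collections import defaultdict

ETHERNET_MEDIA_TYPE = 0x01  # the leading "01" in 0100.01f4.0127.10


def _hex_digits(value):
    """Strip '.', ':', '-' and spaces; return lowercase hex digits only."""
    digits = re.sub(r"[.:\-\s]", "", value).lower()
    if not re.fullmatch(r"[0-9a-f]+", digits):
        raise ValueError(f"not hexadecimal: {value!r}")
    return digits


def _dotted(digits):
    """Group hex digits in fours: '010001f4012710' -> '0100.01f4.0127.10'."""
    return ".".join(digits[i:i + 4] for i in range(0, len(digits), 4))


def mac_to_client_identifier(mac, media_type=ETHERNET_MEDIA_TYPE):
    """Concatenate the media type byte and the 6-byte MAC address."""
    digits = _hex_digits(mac)
    if len(digits) != 12:
        raise ValueError(f"MAC address must be 12 hex digits: {mac!r}")
    if not 0 <= media_type <= 0xFF:
        raise ValueError("media type must fit in one byte")
    return _dotted(f"{media_type:02x}{digits}")


def client_identifier_to_mac(identifier):
    """Split an identifier back into (media type, dotted MAC address)."""
    digits = _hex_digits(identifier)
    if len(digits) != 14:
        raise ValueError(f"expected media type plus MAC: {identifier!r}")
    return int(digits[:2], 16), _dotted(digits[2:])


def bindings_in_multiple_pools(bindings):
    """Find manual bindings that were added to more than one DHCP pool.

    bindings: iterable of (pool, kind, value), where kind is
    'client-identifier' or 'hardware-address'. Values are compared after
    normalising separators and case, so two spellings of one value match.
    """
    pools_by_binding = defaultdict(set)
    for pool, kind, value in bindings:
        pools_by_binding[(kind, _dotted(_hex_digits(value)))].add(pool)
    return {
        key: sorted(pools)
        for key, pools in pools_by_binding.items()
        if len(pools) > 1
    }


# Constructed sample: the same client identifier written two ways in two pools.
SAMPLE_BINDINGS = [
    ("pool1", "client-identifier", "0100.01f4.0127.10"),
    ("pool2", "client-identifier", "01:00:01:F4:01:27:10"),
    ("pool1", "hardware-address", "1111.2222.3333"),
    ("pool2", "hardware-address", "0010.a4f5.28a1"),
]

if __name__ == "__main__":
    print(mac_to_client_identifier("0001.f401.2710"))
    print(client_identifier_to_mac("0100.01f4.0127.10"))
    print(bindings_in_multiple_pools(SAMPLE_BINDINGS))
```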

client-name
This command specifies the name of a DHCP client. The client name should not include the domain name. The command is available from DHCP host mode only.

Syntax
client-name name

name    Designation of the client, defined using any set of standard ASCII characters. The client name should not include the domain name. For example, the name soho should not be specified as soho.enterasys.com.

Syntax of the no Form
Use the no form of this command to remove the client name:
no client-name name

Mode
DHCP host configuration only: XSR(config-dhcp-host)#

Example
The following example specifies a string soho1 that will be the name of the client with MAC address 1111.2222.3333:
XSR(config-dhcp-pool)#hardware-address 1111.2222.3333
XSR(config-dhcp-host)#client-name soho1

debug ip dhcp server


This command enables DHCP server debugging. This command should be used for troubleshooting purposes only.

Syntax
debug ip dhcp server {events | packets | linkages}

events      Reports server events, such as address assignments and database updates.
packets     Decodes DHCP receptions and transmissions.
linkages    Displays database linkage data such as parent-child relationships in a radix tree.

Syntax of the no Form
Use the no form of this command to disable DHCP server debugging:
no debug ip DHCP server {events | packets}

Default
Disabled

Mode
Privileged EXEC: XSR#

Example
The following example enables DHCP server events debugging:
XSR#debug ip DHCP server events

default-router
This command specifies the default router list for a DHCP client. Depending on the client configuration inheritance, the command should be used from the proper mode. If it is specified from multiple modes, an override mechanism chooses the innermost config value, with host as innermost, then client-class and pool as the most general.

Syntax
default-router address [address2...address8]

address                  IP address of a default router. One IP address is required.
address2 ...address8     Specifies up to eight addresses in the command line listed in order of preference (default router address has the highest priority, then router address 2, etc.).

Syntax of the no Form
Use the no form of this command to remove the default router list:
no default-router

Mode
Any of the following command modes are available:
DHCP pool configuration: XSR(config-dhcp-pool)#
DHCP host configuration: XSR(config-dhcp-host)#
DHCP client class configuration: XSR(config-dhcp-class)#

Example
The following example sets 14.12.1.99 as the IP address of the default router for any client in the subnet with three other routers in descending order of preference:
XSR(config-dhcp-pool)#default-router 14.12.1.99 14.13.1.66 14.12.1.56 14.12.1.57

The following example specifies 14.12.1.1 as the IP address of the default router for the host with MAC address 0010.a4f5.28a1:
XSR(config-dhcp-pool)#hardware-address 0010.a4f5.28a1
XSR(config-dhcp-host)#default-router 14.12.1.1

The following example specifies 14.12.1.99 as the IP address of the default router for any client in the client-class eng:
XSR(config-dhcp-pool)#client-class eng
XSR(config-dhcp-class)#default-router 14.12.1.99

dns-server
This command specifies the DNS IP servers available to a DHCP client. It is available from DHCP pool, host, or client-class mode. Depending on the client configuration inheritance, the command should be used from the proper mode. If it is specified from multiple modes, an override mechanism chooses the innermost config value, with host as innermost, then client-class and pool as the most general.

Syntax
dns-server address [address2...address8]

address                  IP address of a DNS server. One IP address is required.
address2 ... address8    You can list up to 8 addresses at the prompt line by order of preference (DNS server address is highest priority, then server address2, etc.).

Syntax of the no Form
Use the no form of this command to remove the DNS server list:
no dns-server

Mode
Any of the following command modes are available:
DHCP pool configuration: XSR(config-dhcp-pool)#
DHCP host configuration: XSR(config-dhcp-host)#
DHCP client class configuration: XSR(config-dhcp-class)#

Example
The following example specifies 11.12.1.99 as the IP address of the DNS server of a client in the subnet:
XSR(config-dhcp-pool)#dns-server 11.12.1.99

The following example specifies 11.12.1.99 as the IP address of the DNS server of the host with the MAC address 1111.2222.3333:
XSR(config-dhcp-pool)#hardware-address 1111.2222.3333
XSR(config-dhcp-host)#dns-server 11.12.1.99

The following example specifies 11.12.1.99 as the IP address of the DNS server of a client in the client-class engineering:
XSR(config-dhcp-pool)#client-class engineering
XSR(config-dhcp-class)#dns-server 11.12.1.99

domain-name
This command specifies the domain name for DHCP client services by the DHCP server. Depending on the client configuration inheritance, the command should be used from the proper mode. If it is specified from multiple modes, an override mechanism chooses the innermost config value, with host as innermost, then client-class and pool as the most general.

Syntax
domain-name domain

domain    Domain name string of the client.

Syntax of the no Form
Use the no form of this command to remove the domain name:
no domain-name

Mode
Any of the following command modes are available:
DHCP pool configuration: XSR(config-dhcp-pool)#
DHCP host configuration: XSR(config-dhcp-host)#
DHCP client class configuration: XSR(config-dhcp-class)#

Examples
The following example specifies enterasys.com as the domain name of a client in the subnet:
XSR(config-dhcp-pool)#domain-name enterasys.com

The following example specifies enterasys.com as the domain name of the host with the MAC address 0011.a121.1fa2:
XSR(config-dhcp-pool)#hardware-address 0011.a121.1fa2
XSR(config-dhcp-host)#domain-name enterasys.com

The following example specifies enterasys.com as the domain name of any client in the client-class engineering:
XSR(config-dhcp-pool)#client-class engineering
XSR(config-dhcp-class)#domain-name enterasys.com

hardware-address
This command sets the hardware address of a DHCP client and is valid for manual bindings only.
Note: You cannot add a hardware address to different DHCP pools. For example, hardware address 0100.01f4.0127.10 cannot be added to both pool1 and pool2.

Syntax
hardware-address address type [client-class name]

address    MAC address of the client hardware platform.
type       Protocol of the hardware platform. Strings and values are acceptable.
           String options are: ethernet, ieee802
           Value options: 1 - 10 Mbyte Ethernet; 6 - IEEE 802 networks
name       A client belonging to a client class can be specified here.

Syntax of the no Form
Use the no form of this command to remove the hardware address:
no hardware-address address type [client-class name]

Default
Ethernet

Mode
Any of the following command modes are available:
DHCP pool configuration: XSR(config-dhcp-pool)#
DHCP host configuration: XSR(config-dhcp-host)#
DHCP client class configuration: XSR(config-dhcp-class)#

Next Mode
When this command is entered from DHCP pool configuration submode or DHCP client class mode, the CLI acquires DHCP host configuration mode:
XSR(config-dhcp-host)#

When specified from either DHCP host or client mode, the command does not cause the CLI to acquire any submode.

Examples
The following example specifies the hardware address for the DHCP client host to be of Ethernet type with MAC address 0001.f401.2710:
XSR(config-dhcp-pool)#hardware-address 0001.f401.2710 ethernet

The following example specifies the hardware address for the DHCP client host with IP address 10.10.10.20 to be of Ethernet type with 0001.f401.2710 as the MAC address:
XSR(config-dhcp-pool)#host 10.10.10.20 255.255.255.0
XSR(config-dhcp-host)#hardware-address 0001.f401.2710 ethernet

The following example sets the hardware address for the DHCP host in class eng to be of Ethernet type with MAC address 0001.f401.2710:
XSR(config-dhcp-pool)#client-class writer
XSR(config-dhcp-class)#hardware-address 0001.f401.2710 ethernet

host
This command specifies the IP address and network mask for a manual binding to a DHCP client. By default, the DHCP server will examine its defined IP address pools if the mask and prefix length are unspecified. If no mask is specified in the IP address pool database, the Class A, B, or C natural mask is used. This command is valid for manual bindings only.
Note: You cannot add a host to different DHCP pools. For example, host firewall cannot be added to both pool1 and pool2.

Syntax
host address [mask | prefix-length]

address          IP address of the client.
mask             Network mask of the client.
prefix-length    Number of bits that comprise the address prefix. The prefix is an alternative way of specifying a client's network mask. It must be preceded by a forward slash (/).

Syntax of the no Form
Use the no form of this command to remove the IP address of the client:
no host

Mode
Any of the following command modes are available:
DHCP pool configuration: XSR(config-dhcp-pool)#
DHCP host configuration: XSR(config-dhcp-host)#
DHCP client class configuration: XSR(config-dhcp-class)#


Next Mode
When this command is specified from either DHCP pool configuration mode or DHCP class configuration submode, the CLI acquires DHCP host configuration mode. When specified from DHCP host or client mode, the command does not acquire a submode.
XSR(config-dhcp-host)#

Examples
This example sets 15.12.1.99 as the IP address of the client and 255.255.248.0 as its subnet mask:
XSR(config-dhcp-pool)#host 15.12.1.99 255.255.248.0

The following example specifies 15.12.1.99 as the IP address and 255.255.248.0 as the subnet mask, for the host with hardware address 1111.2222.3333:
XSR(config-dhcp-pool)#hardware-address 1111.2222.3333
XSR(config-dhcp-host)#host 15.12.1.99 255.255.248.0

The following example specifies 15.12.1.99 as the IP address and 255.255.248.0 as the subnet mask for the client in the client class eng:
XSR(config-dhcp-pool)#client-class eng
XSR(config-dhcp-class)#host 15.12.1.99 255.255.248.0

ip address dhcp
This command configures an interface as a DHCP Client. An Ethernet interface can be configured to use DHCP Client to acquire an IP address as well as other configuration parameters. Boot file download is not supported.
Note: When an interface address is configured to be DHCP negotiated the only legal version of the no command is entered as no ip address dhcp.

Syntax
ip address dhcp [client-id client-identifier][hostname string]

Parameters
client-identifier    This value corresponds to Option 61 passed within DHCP packets. A DHCP server uses this value to index its database of address bindings. The value is expected to be unique for all clients in an administrative domain. It is intended that this value be either a MAC address or the symbolic ID of a port with a MAC address (e.g., FastEthernet1).
hostname string      The string corresponds to Option 12. The name may or may not be qualified with the local domain name. RFC 1035 character set restrictions are enforced.

Syntax of the no Form
The no form of this command disables DHCP client:
no ip address dhcp

Default
DHCP Client is not active on an interface

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example enables DHCP Client:
XSR(config)#interface FastEthernet1
XSR(config-if<F1>)#ip address dhcp

ip dhcp ping packets


This command specifies the number of packets a DHCP server sends to an IP address as part of a ping operation. The DHCP server pings an IP address before assigning the address to a requesting client. If the ping is unanswered, the DHCP server assumes that the address is not in use and assigns the address to the requesting client. Setting the number argument to a value of 0 turns off the DHCP server ping operation completely.

Syntax
ip dhcp ping packets number

number    Sum of ping packets sent before assigning the address to a requesting client.

Syntax of the no Form
Use the no form of this command to prevent the server from pinging IP addresses:
no ip dhcp ping packets

Default
Two packets

Mode
Global configuration: XSR(config)#

Example
The following example specifies six ping attempts by the DHCP server toward an IP address before stopping any further ping attempts:
XSR(config)#ip dhcp ping packets 6

ip dhcp ping timeout

This command specifies how long a DHCP server waits for a ping reply from an IP address.

Syntax
ip dhcp ping timeout milliseconds

milliseconds    The interval the DHCP server waits for a ping reply before it stops trying to reach an IP address for client assignment. The peak timeout is 10 seconds.

Syntax of the no Form
Use the no form of this command to restore the ping timeout default:
no ip dhcp ping timeout

Default
500 milliseconds

Mode
Global configuration: XSR(config)#

Example
The following example specifies that the DHCP server will wait 900 milliseconds for a ping reply before considering the ping a failure:
XSR(config)#ip dhcp ping timeout 900

ip dhcp pool
This command configures a DHCP server IP address pool. The XSR supports adding 1000 network addresses per pool and one DHCP pool per network. Class B or higher subnet masks are supported.
Note: The DHCP pool name must match the name given the IP local pool.

Syntax
ip dhcp pool name

name    A character string or integer which matches the name you designate for the IP local pool.

Syntax of the no Form
Use the no form of this command to remove the address pool:
no ip dhcp pool name

Default
DHCP address pools are not configured


Mode
Global configuration: XSR(config)#

Next Mode
DHCP pool configuration: XSR(config-dhcp-pool)#

Example
The following example adds IP local pool sales with specified subnetworks and defines sales as the name of the DHCP server IP address pool:
XSR(config)#ip local pool sales 192.168.57.0/24
XSR(config)#ip dhcp pool sales
XSR(config-dhcp-pool)#

ip dhcp server
This command enables the DHCP Server features on the XSR. By default, DHCP server services are disabled on all XSR interfaces, which means that the DHCP server will not respond to client requests received on any XSR ports. DHCP Server can be enabled on a FastEthernet/GigabitEthernet primary interface and VLAN sub-interface. Secondary interface assignment is not supported.
Note: If either DHCP/BOOTP Relay (using ip helper-address) or DHCP Server is enabled on one FastEthernet/GigabitEthernet port, you cannot also configure the other service on the second Fast/GigabitEthernet port. The XSR permits either one or the other service to operate, not both.

Syntax
ip dhcp server

server    Enables/disables a DHCP server on a FastEthernet/GigabitEthernet port.

Syntax of the no Form
Use the no form of this command to disable DHCP server features:
no ip dhcp

Default
Disabled

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example enables DHCP server on FastEthernet port 1:
XSR(config)#interface fastethernet 1
XSR(config-if<F1>)#ip dhcp server

ip local pool
This command, when issued multiple times, configures a local pool of IP addresses to be used for a DHCP Server pool range. Use it in conjunction with the no form of to create one or more local address pools from which IP addresses are assigned when a remote peer connects.
Note: For clients that use a statically defined IP address (do not use DHCP to obtain an IP address), you must exclude that address from the local pool.

The command acquires IP Local Pool mode and makes available the following sub-commands:
exclude - Bars a range of IP addresses from the local pool. Refer to page 15-97 for the sub-command definition.
exit - Quits IP Local Pool configuration mode. Refer to page 15-97 for the sub-command definition.

Syntax
ip local pool pool-name subnet-address subnet-mask

pool-name         Name of a particular local address pool.
subnet-address    Base address of an IP subnet used to allocate IP addresses.
subnet-mask       Subnet mask of that IP subnet. All subnet address bits matching zero bits in the mask must also be zero; that is, subnet and mask must be zero.

Syntax of the no Form
Use the no form of this command to delete an IP address from the pool:
no ip local pool pool-name

Default
No address pools are configured

Mode
Global configuration: XSR(config)#

Next Mode
IP Local Pool configuration: XSR(ip-local-pool)#

Examples
The following example creates a local IP address pool named marketing, which contains all IP addresses in the range 203.57.99.0 to 203.57.99.255:
XSR(config)#ip local pool marketing 203.57.99.0 255.255.255.0


exclude
This sub-command of ip local pool bars the use of a range of IP addresses from an earlier created IP pool.

Syntax
exclude {ip address}{number}

ip address    Starting address to be excluded from pool.
number        Number of addresses to exclude, ranging from 1 to 65535.

Syntax of the no Form
The no form exempts the specified IP address from being excluded from the pool:
no exclude {ip address}{number}

Mode
Local IP Pool configuration: XSR(ip-local-pool)#

Examples
The following example excludes the ten IP addresses between 192.168.57.100 and 192.168.57.110 from local pool HQ:
XSR(config)#ip local pool HQ 192.168.57.0 255.255.255.0
XSR(ip-local-pool)#exclude 192.168.57.100 10

The following example negates the exclusion of IP addresses 192.168.57.105 and 192.168.57.106 from the earlier excluded range of IP addresses in local pool HQ:
XSR(config)#ip local pool HQ
XSR(ip-local-pool)#no exclude 192.168.57.105 2
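
The following Python model is an added example, not XSR code or output. It replays the two HQ examples above and reports which statically addressed hosts the DHCP server could still lease out, the case the ip local pool note warns about. The class and function names and the static host list are constructed for illustration, and the model assumes that number counts from the starting address.

```python
import ipaddress


class LocalPool:
    """Model of one 'ip local pool' and its 'exclude' sub-command."""

    def __init__(self, name, subnet, mask):
        self.name = name
        # strict=True rejects a subnet address that has bits set where the
        # mask has zero bits, the rule stated for subnet-mask above.
        self.network = ipaddress.IPv4Network(f"{subnet}/{mask}", strict=True)
        self.excluded = set()

    def _span(self, start, count):
        if not 1 <= count <= 65535:
            raise ValueError("number must be in the range 1 to 65535")
        first = int(ipaddress.IPv4Address(start))
        # Assumption: the count includes the starting address itself.
        return {ipaddress.IPv4Address(first + i) for i in range(count)}

    def exclude(self, start, count):
        """exclude {ip address}{number}"""
        self.excluded |= self._span(start, count)

    def no_exclude(self, start, count):
        """no exclude {ip address}{number}"""
        self.excluded -= self._span(start, count)

    def can_lease(self, address):
        """True if the server is free to hand this address to a client."""
        ip = ipaddress.IPv4Address(address)
        return ip in self.network and ip not in self.excluded


def unprotected_statics(pool, static_hosts):
    """Names of statically addressed hosts whose address is still leasable."""
    return sorted(n for n, a in static_hosts.items() if pool.can_lease(a))


def build_hq_pool():
    """Replay the two HQ examples from this section."""
    pool = LocalPool("HQ", "192.168.57.0", "255.255.255.0")
    pool.exclude("192.168.57.100", 10)
    pool.no_exclude("192.168.57.105", 2)
    return pool


# Constructed inventory of hosts configured with static addresses.
STATIC_HOSTS = {
    "printer": "192.168.57.100",   # still excluded
    "nas": "192.168.57.106",       # exclusion negated by 'no exclude'
    "camera": "192.168.57.110",    # one past the ten excluded addresses
    "fw": "192.168.58.1",          # outside the pool's subnet
}

if __name__ == "__main__":
    print(unprotected_statics(build_hq_pool(), STATIC_HOSTS))
```

Under that assumption, exclude 192.168.57.100 10 covers .100 through .109, so a static host at .110 needs its own exclude entry.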

exit
This sub-command of ip local pool quits IP Local Pool configuration mode.

Syntax
exit

Mode
IP Local Pool configuration: XSR(ip-local-pool)#


lease
This command configures the duration of the lease for an IP address that a DHCP server assigns to a DHCP client. The lease time set is the system default value which overrides the non-specified default value (one day).

If the client requests a lease period exceeding the period configured on the server, the lease interval offered by the server will equal that of the value configured by this command. If the client does not request a particular lease period (typical client behavior), it is granted the configured default value. Manual bindings are not held accountable to this lease period.

Depending on the client configuration inheritance, the command should be used from the proper mode. If it is specified from multiple modes, an override mechanism chooses the innermost config value, with client class as innermost, then pool as most general.

Syntax
lease {days [hours] [minutes] | infinite}

days        Duration of the lease in days.
hours       Number of hours in the lease. A days value must be supplied before you can configure an hours value.
minutes     Number of minutes in the lease. Days and hours values must be set before you can configure a minutes value.
infinite    Duration of the lease is unlimited.

Syntax of the no Form
Use the no form of this command to restore the default value:
no lease

Default
One day

Mode
Either of the following command modes are available:
DHCP pool configuration: XSR(config-dhcp-pool)#
DHCP client class configuration: XSR(config-dhcp-class)#

Example
The following example configures a one day lease:
XSR(config-dhcp-pool)#lease 1

The following example configures a one hour lease:
XSR(config-dhcp-pool)#lease 0 1

The following example configures a one minute lease:
XSR(config-dhcp-pool)#lease 0 0 1


netbios-name-server
This command configures NetBIOS Windows Internet Naming Service (WINS) name servers that are available to Microsoft DHCP clients. Depending on the client configuration inheritance, the command should be used from the proper mode. If it is specified from multiple modes, an override mechanism chooses the innermost config value, with host as innermost, then client class and pool as the most general.

Syntax
netbios-name-server address [address2...address8]

address                 IP address of a NetBIOS WINS server. One address is needed.
address2 .. address8    Specifies up to eight addresses in the command line listed in order of preference (NetBIOS name server address has the highest priority, then server address2, etc.).

Syntax of the no Form
Use the no form of this command to remove the NetBIOS name server list:
no netbios-name-server

Mode
DHCP Pool, Host, or Client Class config mode: XSR(config-dhcp-pool)#, XSR(config-dhcp-host)# or XSR(config-dhcp-class)#

Example
The following example specifies the IP address of a NetBIOS name server available to a Microsoft DHCP client in the subnet:
XSR(config-dhcp-pool)#netbios-name-server 13.12.1.90

The following example specifies the IP address of a NetBIOS name server available to the Microsoft DHCP client with client identifier 1111.2222.3333.4444:
XSR(config-dhcp-pool)#client-identifier 1111.2222.3333.4444
XSR(config-dhcp-host)#netbios-name-server 13.12.1.90

The following example specifies the IP address of a NetBIOS name server available to a Microsoft DHCP client in the client class engineering:
XSR(config-dhcp-pool)#client-class engineering
XSR(config-dhcp-class)#netbios-name-server 13.12.1.90


netbios-node-type
This command configures the NetBIOS node type for Microsoft DHCP clients. Depending on the client configuration inheritance, the command should be used in proper mode. If it is specified from multiple modes, an override mechanism chooses the innermost config value, with host as innermost, then client class and pool as the most general.

Syntax
netbios-node-type type

type    Specifies the NetBIOS node type. Valid types are:
        b-node - Broadcast
        p-node - Peer-to-peer
        m-node - Mixed
        h-node - Hybrid (recommended)

Syntax of the no Form
Use the no form of this command to remove the NetBIOS node type:
no netbios-node-type

Mode
Any of the following command modes are available:
DHCP pool configuration: XSR(config-dhcp-pool)#
DHCP host configuration: XSR(config-dhcp-host)#
DHCP client class configuration: XSR(config-dhcp-class)#

Example
This example sets NetBIOS name server type as hybrid for a Microsoft DHCP client in the subnet:
XSR(config-dhcp-pool)#netbios-node-type h-node

The following example specifies the NetBIOS name server type as hybrid for the Microsoft DHCP client with MAC address 0010.a4f5.28a1:
XSR(config-dhcp-pool)#hardware-address 0010.a4f5.28a1
XSR(config-dhcp-host)#netbios-node-type h-node

The following example specifies the NetBIOS name server type as hybrid for a Microsoft DHCP client in the client class engineering:
XSR(config-dhcp-pool)#client-class engineering
XSR(config-dhcp-class)#netbios-node-type h-node


next-server
This command specifies the server from which the initial boot file will be loaded. The server can be designated either by IP address or host name.

Syntax
next-server server [hostname | ip_address]

hostname      Designation of the server by name.
ip_address    Designation of the server by IP address.

Syntax of the no Form
Use the no form of this command to remove the next server:
no next-server server [hostname | ip_address]

Mode
Any of the following command modes are available:
DHCP pool configuration: XSR(config-dhcp-pool)#
DHCP host configuration: XSR(config-dhcp-host)#
DHCP client class configuration: XSR(config-dhcp-class)#

Example
The following example specifies the IP address of a next server:
XSR(config-dhcp-pool)#next-server 192.168.57.4

option
This command configures DHCP server options/extensions. DHCP Server provides a framework for passing configuration data to hosts on a TCP/IP network. Configuration values and other control data are carried in tagged data items stored in the options field of the DHCP message. The data items are also called options or client extensions. The current set of XSR-supported DHCP options and BOOTP vendor extensions are described in Table 15-1 on page 102 and generally in RFC 2132. Default values are defined in RFC 1122.

Depending on the client configuration inheritance, the command should be used from the proper mode. If it is specified from multiple modes, an override mechanism chooses the innermost config value, with host as innermost, then client class and pool as the most general.

Syntax
option code {ascii string | hex string | ip address}

code            DHCP option code.
ascii string    An ASCII character string. Strings containing space must be enclosed with quotes. The following options are set with an ASCII string: 12, 14, 15, 17, 18, 40, 47, and 64.
hex string      Dotted hexadecimal data. Each byte in hexadecimal character strings is two hex digits - each byte can be separated by a period, colon, or white space. The following options are set with a hex value: 2, 13, 19, 20, 22-27, 29-31, 34-39, 43, 46, 58, 59.
ip address      Specifies an IP address. The following options are set with an IP address: 1, 3-11, 16, 21, 28, 32, 33, 41, 42, 44, 45, 48, 49, 65, 68-76, and 118.

Syntax of the no Form
Use the no form of this command to remove the options:
no option code [instance number]

Default
Default instance number: 0

Mode
Any of the following command modes are available:
DHCP pool configuration: XSR(config-dhcp-pool)#
DHCP host configuration: XSR(config-dhcp-host)#
DHCP client class configuration: XSR(config-dhcp-class)#
Note: Option examples are shown following the table.
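
The following Python checker is an added example, not XSR code. It tests an option value against the value type the Syntax section lists for its code and against the lengths and value limits Table 15-1 gives, then encodes it as the code/length/data item RFC 2132 defines for the options field. The function names and the kind labels "ascii", "hex" and "ip" belong to the example and are not CLI keywords.

```python
import ipaddress
import re

# Option codes grouped by the value type the Syntax section assigns them.
ASCII_CODES = {12, 14, 15, 17, 18, 40, 47, 64}
HEX_CODES = {2, 13, 19, 20, *range(22, 28), *range(29, 32),
             *range(34, 40), 43, 46, 58, 59}
IP_CODES = {1, *range(3, 12), 16, 21, 28, 32, 33, 41, 42, 44, 45,
            48, 49, 65, *range(68, 77), 118}

# Exact value lengths in octets, from the Description column of Table 15-1.
FIXED_LEN = {1: 4, 2: 4, 13: 2, 19: 1, 20: 1, 22: 2, 23: 1, 24: 4, 27: 1,
             28: 4, 29: 1, 30: 1, 31: 1, 32: 4, 34: 1, 35: 4, 36: 1, 37: 1,
             38: 4, 39: 1, 46: 1, 58: 4, 59: 4}
BOOLEAN_CODES = {19, 20, 27, 29, 30, 31, 34, 36, 39}  # value must be 0 or 1
NONZERO_CODES = {23, 37}                              # TTL options reject 0
PAIR_CODES = {21, 33}                                 # lists of 8-octet pairs
NODE_TYPES = {1, 2, 4, 8}                             # option 46: B, P, M, H


def expected_kind(code):
    """Return the value type this guide lists for an option code."""
    for kind, codes in (("ascii", ASCII_CODES), ("hex", HEX_CODES),
                        ("ip", IP_CODES)):
        if code in codes:
            return kind
    raise ValueError(f"option {code} is in none of the three type lists")


def parse_hex(text):
    """Two hex digits per byte; '.', ':' or whitespace may separate bytes."""
    data = bytearray()
    for token in re.split(r"[.:\s]+", text.strip()):
        if not token:
            continue
        if len(token) % 2 or not re.fullmatch(r"[0-9A-Fa-f]+", token):
            raise ValueError(f"bad hex group {token!r}")
        data += bytes.fromhex(token)
    return bytes(data)


def encode_option(code, kind, value):
    """Validate one option value and return its code/length/data bytes."""
    want = expected_kind(code)
    if kind != want:
        raise ValueError(f"option {code} takes a {want} value, not {kind}")
    if kind == "ascii":
        data = value.encode("ascii")
    elif kind == "hex":
        data = parse_hex(value)
    else:  # one or more dotted-quad addresses separated by white space
        data = b"".join(ipaddress.IPv4Address(a).packed for a in value.split())
    if not 1 <= len(data) <= 255:
        raise ValueError("option data must be 1 to 255 octets")
    if code in FIXED_LEN and len(data) != FIXED_LEN[code]:
        raise ValueError(f"option {code} must be {FIXED_LEN[code]} octet(s)")
    if code in PAIR_CODES and len(data) % 8:
        raise ValueError(f"option {code} needs multiples of 8 octets")
    if code in BOOLEAN_CODES and data[0] not in (0, 1):
        raise ValueError(f"option {code} is a Boolean: 0 or 1")
    if code in NONZERO_CODES and data[0] == 0:
        raise ValueError(f"option {code} rejects 0")
    if code == 46 and data[0] not in NODE_TYPES:
        raise ValueError("option 46 must be 1, 2, 4, or 8")
    return bytes([code, len(data)]) + data


def is_valid(code, kind, value):
    """True if encode_option accepts the value."""
    try:
        encode_option(code, kind, value)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print(encode_option(46, "hex", "08").hex())
    print(is_valid(6, "hex", "0b0c0163"))
```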

Table 15-1  XSR-Supported DHCP Options

| # | Protocol Name | Category/Type | Default | Description |
| --- | --- | --- | --- | --- |
| 0 | Pad | | | Causes subsequent fields to align on word boundaries. Length: 1 octet |
| 1 | Subnet Mask | Basic/Address Mask | See description | Client's subnet mask (RFC-950). If both Subnet Mask and Router options are specified in a DHCP reply, the Subnet Mask option must be expressed first. Length: 4 octets. Default: Subnet of the interface on which the request was received |
| 2 | Time Offset | BOOTP/32-bit hex integer (in twos) | - | Offset of a client's subnet in seconds from Coordinated Universal Time (UTC). Positives indicate a site east of, and negatives a site west of the zero meridian. Length: 4 octets |
| 3* | Router | Basic, MS DHCP Client/IP address list | | List of IP addresses for default routers on the client's subnet. List in order of preference. Length: 4-octet minimum; multiples of 4. CLI command: default-router |
| 4 | Time Server | BOOTP/IP address list | | RFC-868 compliant timeservers available to a client. List in order of preference. Length: 4-octet minimum; multiples of 4 |


Table 15-1  XSR-Supported DHCP Options (continued)

| # | Protocol Name | Category/Type | Default | Description |
| --- | --- | --- | --- | --- |
| 5 | Name Server | BOOTP/IP address list | - | IEN 116 name servers available to a client. List in order of preference. Length: 4-octet minimum; multiples of 4 |
| 6* | Domain Name Server | Basic, MS DHCP Client/IP address list | | List of Domain Name System (STD 13, RFC-1035) name servers available to a client. List in order of preference. Length: 4-octet minimum; multiples of 4. CLI command: dns-server |
| 7 | Log Server | Servers/IP address list | | MIT-LCS UDP log servers available to a client. List in order of preference. Length: 4-octet minimum; multiples of 4 |
| 8 | Cookie Server | BOOTP/IP address list | | RFC-865 compliant cookie servers available to the client. List in order of preference. Length: 4-octet minimum; multiples of 4 |
| 9 | LPR Server | Servers/IP address list | | RFC-1179 compliant line printer servers available to the client. List in order of preference. Length: 4-octet minimum; multiples of 4 |
| 10 | Impress Server | BOOTP/IP address list | | Imagen Impress servers available to the client. List in order of preference. Length: 4-octet minimum; multiples of 4 |
| 11 | Resource Location Server | BOOTP/IP address list | | RFC-887 compliant resource location servers available to the client. List in order of preference. Length: 4-octet minimum; multiples of 4 |
| 12* | Host Name | Basic/ASCII string | | Name of the client which will or will not be qualified with the local domain name. See RFC-1035 for character set limits. Length: 1-octet minimum; multiples of 4. CLI command: client-name |
| 13 | Boot File Size | BOOTP/16-bit hex integer | | Length in 512-octet blocks of the default boot image for the client. Length: 2 octets |
| 14 | Merit Dump File | BOOTP/ASCII string | | Path name of a file to which the client's core image will be placed if the client crashes. Use forward-slashes. Length: 4-octet minimum |
| 15* | Domain Name | Basic, MS DHCP Client/ASCII string | | Domain name that the client will use when resolving host names through the Domain Name System. Length: 4-octet minimum. CLI command: domain-name |
| 16 | Swap Server | BOOTP/IP address list | | IP address of the client's swap server. Length: 4-octet minimum; multiples of 4 |
| 17 | Root Path | BOOTP/ASCII string | | Path name of a client's root disk. Use forward-slashes. Length: 4-octet minimum |
| 18 | Extensions Path | BOOTP/ASCII string | | String specifying a file, retrievable through TFTP. Use forward-slashes. Length: 4-octet minimum |
| 19 | IP Forwarding Enable/Disable | Host IP/Boolean (hex) | false | Specifies if a client will set its IP layer for packet forwarding. Length: 1 octet. Values: 0=disable; 1=enable |


Table 15-1  XSR-Supported DHCP Options (continued)

| # | Protocol Name | Category/Type | Default | Description |
| --- | --- | --- | --- | --- |
| 20 | Non-Local Source Routing | Host IP/Boolean (hex) | false | Specifies whether a client will configure its IP layer to allow forwarding of datagrams with non-local source routes. Length: 1 octet. Values: 0=disable; 1=enable |
| 21 | Policy Filter | Host IP/Alternating IP address/mask | | Policy filters for non-local source routing, consisting of a list of IP addresses and masks that specify destination/mask pairs with which to filter incoming source routes. Any source-routed datagram whose next-hop address does not match one of the filters should be discarded by the client. Length: 8-octet minimum; multiples of 8 |
| 22 | Maximum Datagram Reassembly Size | Host IP/16-bit hex integer | 576 | Peak size datagram a client will be ready to reassemble. Length: 2 octets. Value: 576 minimum |
| 23 | Default IP Time-to-Live | Host IP/1 to 255 (hex), rejects 0 | 64 | Default TTL that a client will use on outgoing datagrams. Length: 1 octet. Values: 1 to 255 |
| 24 | Path MTU Aging Timeout | Host IP/32-bit hex integer | | Timeout (in seconds) to use when aging Path MTU values discovered by the mechanism (RFC-1191). Length: 4-octets |
| 25 | Path MTU Plateau Table | Host IP/16-bit hex integer | | Table of MTU sizes to use when performing Path MTU Discovery (RFC-1191). It is ordered from smallest to largest. Length: 2-octet minimum, multiples of 2. Value: 68 minimum |
| 26 | Interface MTU | Interface/16-bit hex integer(s) | 576 | Maximum time to live on this interface. Length: 2-octet minimum; multiples of 2. Value: 68 minimum |
| 27 | All Subnets Are Local | Interface/Boolean (hex) | false | Specifies if a client will assume all subnets of the IP network to which the client is connected use the same MTU as the subnet of that network to which the client is directly linked. Length: 1 octet. Values: 1=all subnets share same MTU; 0=some directly-connected subnets may have smaller MTUs |
| 28 | Broadcast Address | Interface/0.0.0.0, 255.255.255.255, or nonstandard | 255.255.255.255 | Broadcast address in use on the client's subnet. Length: 4 octets |
| 29 | Perform Mask Discovery | Interface/Boolean (hex) | false | Specifies if a client will perform subnet mask discovery via ICMP. Length: 1 octet. Values: 0=disable; 1=enable |
| 30 | Mask Supplier | Interface/Boolean (hex) | false | Specifies if a client will respond to subnet mask requests via ICMP. Length: 1 octet. Values: 0=do not respond; 1=respond |
| 31 | Perform Router Discovery | Interface/Boolean | | Specifies if a client will solicit routers using Router Discovery mechanism (RFC-1256). Length: 1 octet. Values: 0=disable; 1=enable |


Table 15-1  XSR-Supported DHCP Options (continued)

| # | Protocol Name | Category/Type | Default | Description |
| --- | --- | --- | --- | --- |
| 32 | Router Solicitation Address | Interface/IP address | - | Address to which a client should send router solicitation requests. Length: 4 octets |
| 33 | Static Route | Interface/IP address pairs | | Static routes that a client will install in its routing cache. If multiple routes to the same destination are specified, they are listed in descending order of priority. Routes consist of a list of IP address pairs: the first is the destination address, the second is the router for the destination. The default route 0.0.0.0 is an illegal destination for a static route. Length: 8-octet minimum; multiples of 8 |
| 34 | Trailer Encapsulation | Interface/Boolean (hex) | false | Specifies if a client will negotiate the use of trailers (RFC-893) when using the ARP protocol. Length: 1 octet. Values: 0 = do not use; 1 = use |
| 35 | ARP Cache Timeout | Interface/32-bit hex integer | 60 | Timeout in seconds for ARP cache entries. Length: 4-octets |
| 36 | Ethernet Encapsulation | Interface/Boolean (hex) | false (i.e., 894 style) | Specifies if a client will use Ethernet Version 2 (RFC-894) or IEEE 802.3 (RFC-1042) encapsulation if port is Ethernet. Length: 1 octet. Value: 0 uses RFC-894 coding; 1 uses RFC-1042 coding |
| 37 | TCP Default TTL | Interface/8-bit integer (> 0) | 60 | Default TTL a client will use when sending TCP segments. Length: 1 octet, expressed in hex. Value: minimum 1 |
| 38 | TCP Keepalive Interval | Interface/32-bit hex integer | 0 (keep-alives not generated) | Interval in seconds that the TCP client will wait before sending a keep-alive message on a TCP connection. The time is specified as a 32-bit unsigned integer. A value of zero indicates that the client will not generate keep-alive messages on connections unless specifically requested by an application. Length: 4-octets |
| 39 | TCP Keepalive Garbage | Interface/Boolean (hex) | false (off) | Specifies if a client will send TCP keep-alive messages with an octet of garbage for compatibility with older implementations. Length: 1 octet. Values: 0=do not send; 1=send |
| 40 | NIS Domain | Servers/ASCII string | | Name of a client's NIS domain. Length: 4-octet minimum |
| 41 | Network Information Servers | Servers/IP address list | | IP addresses indicating NIS servers available to a client. List in order of preference. Length: 4-octet minimum; multiples of 4 |
| 42 | NTP Servers | Servers/IP address list | | IP addresses indicating NTP servers available to a client. List in order of preference. Length: 4-octet minimum; multiples of 4 |
| 43 | Vendor-Specific Data | -/Hex | | Option used by clients/servers to swap vendor-specific data. Length: 4-octet minimum |


Table 15-1  XSR-Supported DHCP Options (continued)

| # | Protocol Name | Category/Type | Default | Description |
| --- | --- | --- | --- | --- |
| 44* | NetBIOS over TCP/IP Name Server | WINS/NetBIOS, MS DHCP Client/IP address list | - | RFC-1001/1002 NBNS name servers listed by preference. Length: 4-octet minimum; multiples of 4. CLI command: netbios-name-server |
| 45 | NetBIOS over TCP/IP Datagram Distribution Server | WINS/NetBIOS/IP address list | | NBDD name servers (RFC-1001/1002) listed by preference. Length: 4-octet minimum; multiples of 4 |
| 46* | NetBIOS over TCP/IP Node Type | WINS/NetBIOS, MS DHCP Client/1, 2, 4, or 8 (hex) | | The value is a single octet that identifies client type: 1: B-node; 2: P-node; 4: M-node; 8: H-node. Length: 1 octet. CLI command: netbios-node-type |
| 47 | NetBIOS over TCP/IP Scope | WINS/NetBIOS, MS DHCP Client/ASCII string | | NetBIOS over TCP/IP scope value for a client (RFC-1001/1002). Length: 4-octet minimum |
| 48 | X Windows Font Server | Servers/IP address list | | X Window System Font servers available to a client. List in order of preference. Length: 4-octet minimum; multiples of 4 |
| 49 | X Windows Display Manager | Servers/IP address list | | IP addresses of systems running X Window System Display Manager and are available to a client. List addresses in order of preference. Length: 4-octet minimum; multiples of 4 |
| 50 | Requested IP Address | IP address | | Used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow a client to request a particular IP address be assigned. Length: 4 octets |
| 51 | IP Address Lease Time | Lease Information, MS DHCP Client/32-bit hex integer | | Used in a client request (DHCPDISCOVER or DHCPREQUEST) to allow a client to request a lease time for the IP address. In a server reply (DHCPOFFER), a DHCP server uses this option to specify the lease time it is willing to offer. Length: 4 octets. Value: seconds |
| 52 | Option Overload | - | | Indicates that the DHCP sname or file fields are being overloaded by using them to carry DHCP options. A DHCP server inserts this option if the returned values will exceed the usual space allotted for options. If this option is present, the client interprets the specified additional fields after it concludes interpretation of the standard option fields. 1 = The file field is used to hold options. 2 = The sname field is used to hold options. 3 = Both fields are used to hold options. Length: 1 octet |


Table 15-1  XSR-Supported DHCP Options (continued)

| # | Protocol Name | Category/Type | Default | Description |
| --- | --- | --- | --- | --- |
| 53 | DHCP Message Type | - | - | Conveys the type of DHCP message. The default is 1 (DHCPDISCOVER). 1=DHCPDISCOVER 2=DHCPOFFER 3=DHCPREQUEST 4=DHCPDECLINE 5=DHCPACK 6=DHCPNAK 7=DHCPRELEASE 8=DHCPINFORM. Length: 1 octet |
| 54 | Server Identifier | IP address | | Used in DHCPOFFER and DHCPREQUEST messages, and may optionally be included in the DHCPACK and DHCPNAK messages. DHCP servers include this option in the DHCPOFFER to allow the client to distinguish between lease offers. DHCP clients use the contents of the server identifier field as the destination address for any DHCP messages unicast to the DHCP server. DHCP clients also indicate which of several lease offers is being accepted by including this option in a DHCPREQUEST message. The identifier is the IP address of the selected server. Length: 4 octets |
| 55 | Parameter Request List | Hex integer | | Used by a DHCP server to request values for specified configuration parameters. The list of requested values is specified as n octets, where each octet is a valid DHCP option code. The client can list the options in order of preference. The DHCP server is not required to return the options in the requested order, but must try to insert the requested options in the order requested by the client. Length: 1-octet minimum |
| 56 | Message | String | | Used by a DHCP server to print an error message to a DHCP client in a DHCPNAK message in the event of a failure. A client may use this option in a DHCPDECLINE message to indicate why the client declined the offered values. The message consists of n octets of NVT ASCII text, which the client may display on an available output device. Length: 1-octet minimum |
| 57 | Maximum DHCP Message Size | 16-bit hex integer | | Maximum length DHCP message that a client is willing to accept. Length is specified as an unsigned 16-bit integer. A client may use the maximum DHCP message size option in DHCPDISCOVER or DHCPREQUEST messages, but should not use the option in DHCPDECLINE messages. Length: 2 octets. Value: 576 minimum |
| 58 | Renewing (T1) Time Value | Lease Data, MS DHCP Client/32-bit hex integer | | Time interval from address assignment until a client transitions to the RENEWING state. Length: 4 octets. Value: seconds, as a 32-bit unsigned integer |
| 59 | Rebinding (T2) Time Value | Lease Data, MS DHCP Client/32-bit hex integer | | Interval from address assignment until a client transitions to the REBINDING state. Length: 4 octets. Value: seconds, as a 32-bit unsigned integer |


Table 15-1 XSR-Supported DHCP Options (continued)

61  Client Identifier  (Category/Type: Basic/String; Default: -)
A DHCP client's unique identifier. DHCP servers use this value to index their database of address bindings. This value is expected to be unique for all clients in an administrative domain.
Length: 2-octet minimum
CLI command: ip address dhcp

64  NIS+ Domain  (Category/Type: Servers/ASCII string)
Name of the client's NIS+ domain.
Length: 4-octet minimum

65  NIS+ Servers  (Category/Type: Servers/IP address list)
IP addresses indicating NIS+ servers available to a client. List in order of preference.
Length: 4-octet minimum; multiples of 4

67  Bootfile name  (Category/Type: BOOTP/String)
Identifies a bootfile name when the file field in the DHCP header has been used for DHCP options.
Length: 1-octet minimum

68  Mobile IP Home Agent  (Category/Type: Servers/IP address list)
IP addresses indicating mobile IP home agents available to a client. List agents in order of preference.
Length: 4-octet minimum; multiples of 4

69  SMTP Server  (Category/Type: Servers/IP address list)
SMTP servers available to a client. List in order of preference.
Length: 4-octet minimum; multiples of 4

70  POP3 Server  (Category/Type: Servers/IP address list)
POP3 servers available to a client. List in order of preference.
Length: 4-octet minimum; multiples of 4

71  NNTP Server  (Category/Type: Servers/IP address list)
NNTP servers available to a client. List in order of preference.
Length: 4-octet minimum; multiples of 4

72  Default WWW Server  (Category/Type: Servers/IP address list)
WWW servers available to a client. List in order of preference.
Length: 4-octet minimum; multiples of 4

73  Default Finger Server  (Category/Type: Servers/IP address list)
Finger servers available to a client. List in order of preference.
Length: 4-octet minimum; multiples of 4

74  Default IRC Server  (Category/Type: Servers/IP address list)
IRC servers available to a client. List in order of preference.
Length: 4-octet minimum; multiples of 4

75  StreetTalk Server  (Category/Type: Servers/IP address list)
StreetTalk servers available to a client. List in order of preference.
Length: 4-octet minimum; multiples of 4

76  STDA Server  (Category/Type: Servers/IP address list)
STDA servers available to a client. List in order of preference.
Length: 4-octet minimum; multiples of 4

82  DHCP Relay Agent Information  (Category/Type: DHCP Relay/String)
This helper option is used in an environment where DHCP Relay is co-located with circuit access equipment (DSL and cable-based LANs) to reduce broadcasts, prevent IP spoofing, client ID spoofing, and MAC address spoofing. Defined by RFC-3046.
Length: Variable

90  DHCP Authentication  (Category/Type: DHCP Protocol/Structured Data)
Mechanism for authenticating DHCP messages, clients and servers. Based on HMAC-MD5. Defined by RFC-3118.
Length: Variable; minimum 11 octets


117  Name Service Search  (Category/Type: Server/Multiple 16-bit hex integers; Default: -)
Sets site of Name Service servers to clients to be used for lookup. Each 16-bit field specifies a Name Server to be used for lookup:
0 = client should refer to local naming information
6 = use DNS
41 = use NIS
44 = use NetBIOS over TCP/IP
65 = use NIS+
Defined by RFC-2937.
Length: Minimum 2 octets; multiple of 2 octets

118  Subnet Selection  (Category/Type: Interface/IP address)
Sets the subnet IP address (RFC-3011). Used by a client to inform/force server to assign an IP address-specific subnet.
Length: 4 octets

150  TFTP Server  (Category/Type: Cisco Vendor Extension/IP address)
Address of the TFTP server. This option supports the XSR's Remote Auto Install functionality.
Length: 4 octets

Note: DHCP options marked with an asterisk (*) can also be configured at the CLI.
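
The length rules in Table 15-1 can be checked mechanically when inspecting captured DHCP traffic. The following is an added example, not code from this guide or from the XSR firmware: it walks an options field (code octet, length octet, value; 0 is pad and 255 is end, per the standard DHCP option encoding) and reports truncated options and values that break the lengths and minimums the table states. The sample byte strings are constructed for illustration.

```python
import struct

# Message types listed for the DHCP message type option (53) in Table 15-1.
MESSAGE_TYPES = {1: "DHCPDISCOVER", 2: "DHCPOFFER", 3: "DHCPREQUEST", 4: "DHCPDECLINE",
                 5: "DHCPACK", 6: "DHCPNAK", 7: "DHCPRELEASE", 8: "DHCPINFORM"}


def fixed(n):
    """Rule: the value must be exactly n octets."""
    return lambda length: length == n


def at_least(n, multiple=1):
    """Rule: the value must be at least n octets and a multiple of `multiple`."""
    return lambda length: length >= n and length % multiple == 0


# option code -> (rule text as given in Table 15-1, length predicate)
LENGTH_RULES = {
    53: ("1 octet", fixed(1)),
    54: ("4 octets", fixed(4)),
    55: ("1-octet minimum", at_least(1)),
    56: ("1-octet minimum", at_least(1)),
    57: ("2 octets", fixed(2)),
    58: ("4 octets", fixed(4)),
    59: ("4 octets", fixed(4)),
    61: ("2-octet minimum", at_least(2)),
    67: ("1-octet minimum", at_least(1)),
    90: ("minimum 11 octets", at_least(11)),
    117: ("minimum 2 octets; multiple of 2", at_least(2, 2)),
    118: ("4 octets", fixed(4)),
    150: ("4 octets", fixed(4)),
}
# The server address lists (options 65 and 68 through 76) share one rule.
for _code in (65, 68, 69, 70, 71, 72, 73, 74, 75, 76):
    LENGTH_RULES[_code] = ("4-octet minimum; multiples of 4", at_least(4, 4))


def parse_options(buf):
    """Split an options field into (code, value) pairs; returns (options, findings)."""
    options, findings, i = [], [], 0
    while i < len(buf):
        code = buf[i]
        if code == 0:                      # pad octet carries no length
            i += 1
            continue
        if code == 255:                    # end marker
            break
        if i + 1 >= len(buf):
            findings.append(f"option {code}: truncated before length octet")
            break
        length = buf[i + 1]
        value = buf[i + 2:i + 2 + length]
        if len(value) < length:
            findings.append(f"option {code}: declares {length} octets, only {len(value)} present")
            break
        options.append((code, value))
        i += 2 + length
    return options, findings


def check_options(buf):
    """Return a list of findings for one options field (empty list means clean)."""
    options, findings = parse_options(buf)
    for code, value in options:
        rule = LENGTH_RULES.get(code)
        if rule and not rule[1](len(value)):
            findings.append(f"option {code}: length {len(value)} violates '{rule[0]}'")
            continue
        if code == 53 and value[0] not in MESSAGE_TYPES:
            findings.append(f"option 53: unknown message type {value[0]}")
        if code == 57 and struct.unpack("!H", value)[0] < 576:
            size = struct.unpack("!H", value)[0]
            findings.append(f"option 57: maximum message size {size} is below 576")
    return findings


# Constructed sample: DHCPACK from 192.168.70.1 with T1=17205 s and T2=31500 s.
GOOD_ACK = bytes([53, 1, 5, 54, 4, 192, 168, 70, 1,
                  58, 4, 0, 0, 0x43, 0x35, 59, 4, 0, 0, 0x7B, 0x0C, 255])
# Constructed sample: bad type, short server identifier, undersized maximum
# message size, ragged SMTP server list, and a T1 option cut off mid-value.
BAD_OPTIONS = bytes([53, 1, 9, 54, 3, 192, 168, 70, 57, 2, 0x01, 0x2C,
                     69, 6, 10, 0, 0, 1, 10, 0, 0, 58, 4, 0, 0])

if __name__ == "__main__":
    print("good:", check_options(GOOD_ACK))
    for finding in check_options(BAD_OPTIONS):
        print("bad: ", finding)
```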

Examples
The following example configures DHCP option 33, which specifies static routes that the client should install in its routing cache. If multiple routes to the same destination are set, they are listed in descending order of priority. The routes consist of IP address pairs. The first address is the destination address, the second address is the router for the destination.
XSR(config-dhcp-pool)#option 33 ip 90.1.1.90 123.124.23.26 90.1.1.90 123.24.56.78

The following example configures DHCP option 19, which specifies whether the client should enable its IP layer for packet forwarding. Values of 0 and 1 disable and enable IP forwarding, respectively. IP forwarding is enabled in the following example:
XSR(config-dhcp-pool)#option 19 hex 01

The following example configures DHCP option 1, which sets the client's subnet mask as higher priority when it and the router ID are specified in the DHCPREPLY:
XSR(config-dhcp-pool)#option 1 ip 255.255.255.0

The following example configures DHCP option 2, which locates a client as an offset 4650 seconds from Coordinated Universal Time (UTC) or five hours west of the zero meridian (London):
XSR(config-dhcp-pool)#option 2 hex 4650

The following example configures DHCP option 72, which specifies World Wide Web (WWW) servers for DHCP clients. Two WWW server addresses are configured in the following example:
XSR(config-dhcp-pool)#option 72 ip 168.24.3.252 168.24.3.253

The example below configures DHCP option 13, which specifies a client's default boot image size:
XSR(config-dhcp-pool)#option 13 hex 8001

The following example configures DHCP option 41, which specifies Network Information Servers (NIS) for DHCP clients. Two NIS server addresses are configured in the following example:
XSR(config-dhcp-pool)#option 41 ip 90.3.4.5 90.1.1.7 90.43.9.254

The following example configures DHCP option 36, which specifies Ethernet encapsulation Version 2 (RFC 894) or IEEE 802.3 for DHCP clients. Version 2 encapsulation is set in this example:
XSR(config-dhcp-pool)#option 36 hex 00

The following example configures DHCP option 21, which sets a policy filter for non-local source routing. The filters consist of a list of IP addresses and masks that specify destination/mask pairs with which to filter inbound source routes. Any source-routed datagram whose next-hop address does not match one of the filters is discarded by the client.
XSR(config-dhcp-pool)#option 21 ip 90.1.1.78 255.255.0.0 134.141.90.1 255.255.255.0

The following example configures DHCP option 22, which specifies the maximum size datagram a client will reassemble. The value is 1052 bytes:
XSR(config-dhcp-pool)#option 22 hex 41

The following example sets DHCP option 28, specifying the broadcast address in use on the client's subnet. The value is: 255.255.255.255.
XSR(config-dhcp-pool)#option 28 ip 255.255.255.255

The following example configures DHCP option 35, which specifies the timeout in seconds for ARP cache entries. The value is 604,800 (1 week):
XSR(config-dhcp-pool)#option 35 hex 93A8

The following example sets DHCP option 14, specifying the path name where a DHCP client's core image will be placed if the client crashes:
XSR(config-dhcp-pool)#option 14 ascii c:/dump/path

The following example configures DHCP option 31, which specifies that the DHCP client should not perform subnet mask discovery:
XSR(config-dhcp-pool)#option 29 hex 00

The following example configures DHCP option 19, which specifies that the DHCP client should configure its IP layer for packet forwarding:
XSR(config-dhcp-pool)#option 19 hex 01

The following example configures DHCP option 31, which specifies that the DHCP client should perform Router Discovery:
XSR(config-dhcp-pool)#option 31 hex 01

The following example configures DHCP option 47, which specifies a NetBIOS over TCP/IP scope parameter for a DHCP client:
XSR(config-dhcp-pool)#option 47 ascii scope

The following example configures DHCP option 40, which specifies the DHCP client's NIS domain:
XSR(config-dhcp-pool)#option 40 ascii NISserver

The following example configures DHCP option 18, which specifies the path name of a file retrievable through TFTP:
XSR(config-dhcp-pool)#option 18 ascii /extension/path

The following example configures DHCP option 18, which specifies a list of prioritized static routes (in descending order) the DHCP client should install in its routing cache:
XSR(config-dhcp-pool)#option 33 ip 90.1.1.90 123.124.23.26 90.1.1.90 123.24.56.78


service dhcp
This command enables DHCP server functionality to respond to client requests. Although DHCP server is enabled by default on all XSR interfaces, you can optionally enable or disable it on a specific interface.

Syntax
service dhcp [interface]
interface    The port on which the DHCP server is enabled or disabled.

Syntax of the no Form
Disable the DHCP server by using the no form of this command:
no service dhcp [interface]

Default
Enabled on all interfaces

Mode
Global configuration: XSR(config)#

Example:
The example below enables DHCP services on interface FastEthernet 1:
XSR(config)#service dhcp fastethernet 1

DHCP Clear and Show Commands

clear ip dhcp binding
This command deletes an automatic address binding from the DHCP server binding database. Use the no host command to delete a manual binding. Typically, the address denotes the IP address of the client. If an asterisk (*) is used as the address parameter, DHCP clears all automatic bindings.

Syntax
clear ip dhcp binding {address | * }
address    Address of the binding you want to clear.
*          Clears all automatic bindings.

Mode
Privileged EXEC: XSR#


Example
The example below deletes address binding 18.12.22.99 from a DHCP server bindings database:
XSR#clear ip dhcp binding 18.12.22.99

clear ip dhcp server statistics


This command resets all DHCP server counters. All counters are cumulative and are initialized, or set to zero, with this command.

Syntax
clear ip DHCP server statistics

Mode
Privileged EXEC: XSR#

Example
The following example resets all DHCP counters to zero:
XSR#clear ip DHCP server statistics

show dhcp lease
This command displays DHCP Client information.

Syntax
show dhcp lease

Mode
Privileged EXEC: XSR#

Example
XSR#show dhcp lease
Temp IP addr: 192.168.70.102 for peer on Interface: FastEthernet0
Temp sub net mask: 255.255.255.0
Temp default-gateway addr: 192.168.70.1
State: 5 BOUND
DHCP Lease Server: 192.168.70.1, config.enterasys.com
DNS Server: 24.25.26.27 24.25.26.28
DHCP transaction id: 29247
Lease: 36000 secs, Renewal: 17205 secs, Rebind: 31500 secs
Next timer fires after 4:44:25


Parameter Descriptions
Temp IP addr                 IP address assigned via DHCP to the client from the server.
Temp sub net mask            Subnet mask assigned via DHCP to the client from the server.
Temp default-gateway addr    Default gateway assigned by the DHCP server.
State                        DHCP Client FSM state:
                             0 - None
                             1 - REBOOTING
                             2 - INIT
                             3 - SELECTING
                             4 - REQUESTING
                             5 - BOUND
                             6 - RENEWING
                             7 - REBINDING
                             8 - STOPPED
                             9 and others - NOT VALID
DHCP Lease Server            DHCP server IP address and name.
DNS Server                   DNS server IP address.
DHCP Transaction ID          Transaction ID for current DHCP offer from the server.
Lease/Renewal/Rebind         Current lease, renewal, and rebind periods.
Next timer fires after       Timer for the next DHCP renew request.

show interface
This command displays a DHCP interface's IP address and subnet mask. When negotiating, the interface will indicate "Internet address is not assigned."

Syntax
show interface

Examples
The following example does not display the DHCP-assigned address while the protocol is negotiating:
XSR#show interface
FastEthernet 1 is Admin Up
Internet address is not assigned

The following example displays the DHCP-assigned address when the protocol has finished negotiation:
xsr#show interface
FastEthernet 1 is Admin Up
Internet address is 172.16.1.1, subnet mask is 255.255.255.0


show ip dhcp binding


This command displays active address bindings on the DHCP server. If the address is not specified, all address bindings are shown. Otherwise, only the binding for the specified client is displayed. The lease expiration time can be displayed based on the Universal Time Clock (UTC) or local clock. If the local clock is not specified, UTC is the default.
Note: BOOTP bindings do not have leases: their Active designation is always N.

Syntax
show ip dhcp binding [ip-address][utc | local]
ip-address    IP address of the DHCP client.
utc           Bindings displayed according to the Universal Time Clock.
local         Bindings displayed according to local time.

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Examples
The following examples display the lease expiration in default UTC time:
XSR#show ip dhcp binding 168.16.22.11
IP address      Hardware address    Lease expiration       Type         Act.
168.16.1.11     00a0.9802.32df      Feb 01 1998 12:00AM    Automatic    Y

XSR#show ip dhcp binding 168.16.22.254
IP address      Hardware address    Lease expiration       Type         ACT.
168.16.3.254    02c7.f800.0423      Infinite               Manual       N

The following example displays the lease expiration in local time:
XSR#show ip dhcp binding local
IP address      Hardware address    Lease expiration       Type         Act.
11.1.0.253      0002.2ab4.4b01      JUL 19 2003 09:07PM    Automatic    Y

The following example displays the lease expiration in UTC time:
XSR#show ip dhcp binding UTC
IP address      Hardware address    Lease expiration       Type         Act.
11.1.0.253      0002.2ab4.4b01      JUL 19 2003 05:07PM    Automatic    Y

The following example displays the lease expiration of DHCP client 11.1.0.253 in UTC time:
XSR#show ip dhcp binding UTC 11.1.0.253
IP address      Hardware address    Lease expiration       Type         Act.
11.1.0.253      0002.2ab4.4b01      JUL 19 2003 05:07PM    Automatic

The following example displays the lease expiration of DHCP client 11.1.0.253 in local time:
XSR#show ip dhcp binding local 11.1.0.253
IP address      Hardware address    Lease expiration       Type         Act.
11.1.0.253      0002.2ab4.4b01      JUL 19 2003 09:07PM    Automatic    Y

Parameter Descriptions
IP address          IP address of the DHCP client.
Hardware address    Ethernet MAC address of the DHCP client.
Lease expiration    Date and time when the DHCP client's lease expires.
Type                Automatic or Manual lease renewal.
Act(ive)            Whether lease is active or not: Y or N.

show ip dhcp server statistics


This command displays DHCP server statistics.

Syntax
show ip dhcp server statistics

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Example
The following example displays DHCP server statistics:
XSR# show ip DHCP server statistics
Database agents       1
Memory usage          20392
Address pools         2
Database agents       1
Automatic bindings    26
Manual bindings       1
Expired bindings      3
Malformed messages    0

Message               Received
BOOTREQUEST           12
DHCPDISCOVER          20
DHCPREQUEST           17
DHCPDECLINE           0
DHCPRELEASE           0
DHCPINFORM            0

Message               Sent
BOOTREPLY             12
DHCPOFFER             19
DHCPACK               17
DHCPNAK               6

Parameter Descriptions
Memory usage          Sum of bytes of RAM allocated by the DHCP server.
Address pools         Sum of configured address pools in the DHCP database.
Database agents       Sum of database agents entered in the DHCP database.
Automatic bindings    Sum of IP addresses automatically mapped to the Ethernet MAC addresses of hosts found in the DHCP database.
Manual bindings       Sum of IP addresses manually mapped to the Ethernet MAC addresses of hosts found in the DHCP database.
Expired bindings      Sum of expired leases.
Malformed messages    Sum of truncated or corrupted messages received by the DHCP server.
Message               DHCP message type received by the DHCP server.


16
Configuring Security
Observing Syntax and Conventions
The CLI Syntax and conventions use the notation described in the following table.

Convention         Description
xyz                Key word or mandatory parameters (bold)
[x]                [ ] Square brackets indicate an optional parameter (italic)
[x | y | z]        [ | ] Square brackets with vertical bar indicate a choice of values
{x | y | z}        { | } Braces with vertical bar indicate a choice of a required value
[x {y | z} ]       [{ | } ] Combination of square brackets with braces and vertical bars indicates a required choice of an optional parameter
(config-if<xx>)    xx signifies the interface type and number; e.g., F1, G3, S2/1.0, M57. F indicates a FastEthernet, and G a GigabitEthernet interface.

Next Mode entries display the CLI prompt after a command is entered.
Sub-command headings are displayed in red, italicized text.
soho.enterasys.com    Italicized, non-syntactic text indicates either a user-specified entry or text with special emphasis

The following set of commands allows you to define security features for the XSR, including:
  General Security Commands
  Security Clear and Show Commands
  AAA Commands
  AAA Usergroup Commands
  AAA User Commands
  AAA Method Commands
  AAA Per-Interface Commands
  AAA Debug and Show Commands
  Firewall Feature Set Commands
  Firewall Interface Commands
  Firewall Show Commands


General Security Commands

access-list (extended)
This command defines an extended IP Access List (ACL) by number ranging from 100 to 199. You can restrict or allow the following traffic:
  IP (Any Internet Protocol)
  TCP (Transmission Protocol)
  UDP (User Datagram Protocol)
  ICMP (Internet Control Message Protocol)
  ESP (Encapsulation Security Payload)
  GRE (Generic Router Encapsulation) protocol
  AH (Authentication Header) protocol

New and existing ACL entries can be added/replaced in a particular ACL without you having to rewrite the entire ACL by using the insert/replace number parameters. If neither the insert nor the replace option is specified, then the new entry is appended to the list. This is noteworthy since ACL criteria are evaluated in the order displayed by the show access-list command.
Apply restrictions defined by an ACL with the ip access-group command.

Syntax
access-list list# {insert | replace} entry# {deny | permit}{protocol}|{log} {srcIpAddr [srcWildCardBits]| [qualifier] | source-port | host srcIpAddr | any} range min-sport | max-sport {dstIpAddr [dstWildCardBits]| [qualifier]|destn-port | host dstIpAddr | any} range min-dprt | max-dprt type [code] [established]

list#              Extended ACL number, ranging from 100 to 199.
insert             New access entry is inserted before existing entry# in the existing ACL. The show access-list command from within Global mode sequentially numbers entries for this purpose.
replace            New access entry replaces an entry# in the existing ACL (the entry# must already exist.)
entry#             Entry's list number within the ACL. No number is required for first entry.
deny               Access is denied if specified conditions are met.
permit             Access is permitted if conditions met.
protocol           Specifies the IP protocol: IP, TCP, UDP, ICMP, ESP, GRE, or AH. IP represents any protocol.
log                Enables alarm logging and reporting of source IP addresses for configured ACL entries.
srcIPAddr          The source expressed by IP address.
srcWildCardBits    Specifies bits to ignore in the source address.
                   Note: The srcWildCardBits/dstWildCardBits mask specifies bits to ignore (which allow any value where the bits are set), as opposed to the traditional method of specifying bits to keep.
host               Only the exact source address matches the condition. Same as srcWildCardBits = 0.0.0.0.
any                Any source address matches the condition. Same as srcWildCardBits = 255.255.255.255.
qualifier          Value applied to the source port: eq - equal to, neq - not equal to, lt - less than, gt - greater than.
source-port        Optional source port number (0 to 65535).
range              Value must be within the minimum and maximum source and destination port range.
min-sport          Lowest port number from 0 to 65535. Combine with max-sport.
max-sport          Highest port number from 0 to 65535. Normally greater than min-sport but if less than min, values are swapped.
dstIPAddr          The destination expressed by IP address.
dstWildCardBits    Specifies bits to ignore in the destination address.
destn-port         Destination port number. Range: 0 to 65535.
type, code         ICMP message type only (0 to 255) and code (0 to 255).
established        Matches if a TCP connection is already established, that is, if either ACK or RST bits are set in the TCP header.

Note: Source and destination ports are defined only for TCP or UDP. A message type and code can be defined for ICMP.

Additional Syntax
The access-list command also provides the move option, expressed in the following syntax:
access-list list-number move destination src1 [src2]

list#          ACL number, ranging from 100 to 199.
move           Moves a sequence of ACL entries in front of another entry. Range: 1 to 999.
destination    Number of the existing ACL entry before which subsequent entry or range of entries is to be moved. Range: 1 to 999. If being moved to the end, use a non-existent number (e.g., 999).
src1           Single entry number, or the first entry number in the range to be moved before the destination. Range: 1 to 999.
src2           Optional last entry number in the range to be moved. Range: 1 to 999. If not specified, only one entry is moved.

Syntax of the no Form


The no form of this command removes the defined access list:
no access-list list-number [ent1 [ent2]]

list#    The standard access list number, ranging from 1 to 99.
ent1     Optional single entry number, or the first entry number in the range to be removed. If unspecified, the entire ACL is removed.
ent2     Optional last entry number in the range to be removed.

Mode
Global configuration: XSR(config)#

Default
No access list defined (that is, all access permitted)

Examples
The following example denies access only for ICMP packets coming from hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be permitted.
XSR(config)#access-list 100 deny ICMP 192.5.34.0 0.0.0.255
XSR(config)#access-list 100 deny ICMP 128.88.0.0 0.0.255.255
XSR(config)#access-list 100 deny ICMP 36.0.0.0 0.255.255.255

The following example replaces entry 87 with the following entry:
XSR(config)#access-list 123 replace 87 deny ip host 1.2.1.2

The following example removes entries 16, 17 and 18 from ACL 177:
XSR(config)#no access-list 177 16 18

The following example removes the entire ACL 102:
XSR(config)#no access-list 102

The following example moves entries 16-18 within an ACL to the beginning of the list:
XSR(config)#access-list 101 move 1 16 18

The example below moves entries 16-18 from ACL 144 to its beginning:
XSR(config)#access-list 144 move 1 16 18

The following example moves entry 2 to the end of ACL 133:
XSR(config)#access-list 133 move 999 2

access-list (standard)
This command defines a standard IP Access List (ACL) by numbers, ranging from 1 to 99. ACL restrictions are applied using the ip access-group command.
New and existing ACL entries can be added/replaced in a particular ACL without you having to rewrite the entire ACL by using the insert/replace number parameters. If neither the insert nor the replace option is specified, then the new entry is appended to the list. This is noteworthy since ACL criteria are evaluated in the order displayed by the show access-list command.


Syntax
access-list list# [[{insert | replace | move}] [{entry# destination source1 [source2]]}{deny | permit}{log} {srcIpAddr [srcWildCardBits]| host srcIpAddr | any}

list#              Standard access list number ranging from 1 to 99.
insert             New access entry is inserted before an existing entry# in an ACL. The show access-list command sequentially numbers entries for this purpose.
replace            Same as above, except the new access entry replaces an entry# in the existing ACL (the entry# must already exist.)
move               Moves a sequence of ACL entries in front of another entry.
entry#             Sequential entry number in ACL to add/delete ranging from 1 to 999.
destination        Position before which entries are to be moved. Range: 1 to 999.
source1            Sequential number of first ACL entry to move. Range: 1 to 999.
source2            Sequential number of last ACL entry to move. Range: 1 to 999.
deny               Denies access if specified conditions are met.
permit             Permits access if conditions met.
log                Enables alarm logging and reporting of source IP addresses for configured ACL entries.
srcIpAddr          Identifies the source by IP address.
srcWildCardBits    Bits to ignore in the source address. A mask of 0.0.0.225 implies only the most important bits of the source address are considered.
host               Marks only the exact source address matching the condition. Same as srcWildCardBits = 0.0.0.0.
any                Marks any source address matching the condition. Same as srcWildCardBits = 255.255.255.255.

Syntax of the no Form


The no form of this command removes the defined access list or entries (one or more) in a list:
no access-list list-number [ent1 [ent2]]

list-number    The standard access list number ranging from 1 to 99.
ent1           Optional single entry number, or the first entry number in the range to be removed. If unspecified, the entire ACL is removed.
ent2           Optional last entry number in the range to be removed.

Mode
Global configuration: XSR(config)#

Default
No access list defined (all access permitted)


Examples
The following example allows access only to those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements will be rejected.
XSR(config)#access-list 1 permit 192.5.34.0 0.0.0.255
XSR(config)#access-list 1 permit 128.88.0.0 0.0.255.255
XSR(config)#access-list 1 permit 36.0.0.0 0.255.255.255

The following example replaces entry 88 with the following entry:
XSR(config)#access-list 57 replace 88 deny host 1.2.1.2

The example below removes entries 16, 17 and 18 from ACL 87:
XSR(config)#no access-list 87 16 18

The following example removes the entire ACL 57:
XSR(config)#no access-list 57

The next example moves entries 16-18 from ACL 57 to its start:
XSR(config)#access-list 57 move 1 16 18

The example below moves entry 2 to the end of ACL 57:
XSR(config)#access-list 57 move 999 2
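
Because entries are evaluated in displayed order and the wildcard bits mark bits to ignore, an appended deny can be shadowed by an earlier permit until it is moved. The following is an added model of that behavior, not XSR code: it parses standard ACL entry bodies, matches a source with the ignore-bits mask, and applies the move semantics described above. Assumptions: an omitted wildcard means an exact match, the fall-through result is a parameter (set to deny here because the page states unmatched sources are rejected in the ACL 1 example), and the entry "deny host 36.1.2.3" is constructed for illustration.

```python
import ipaddress


def ip_int(text):
    """Dotted-quad IPv4 address as a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_entry(text):
    """Parse the body of a standard ACL entry, e.g. 'permit 192.5.34.0 0.0.0.255'."""
    words = [w for w in text.split() if w != "log"]
    action, rest = words[0], words[1:]
    if action not in ("permit", "deny") or not rest:
        raise ValueError(f"not an ACL entry: {text!r}")
    if rest[0] == "any":                      # same as wildcard 255.255.255.255
        addr, wild = 0, 0xFFFFFFFF
    elif rest[0] == "host":                   # same as wildcard 0.0.0.0
        addr, wild = ip_int(rest[1]), 0
    else:
        addr = ip_int(rest[0])
        # Assumption of this example: an omitted wildcard means an exact match.
        wild = ip_int(rest[1]) if len(rest) > 1 else 0
    return {"action": action, "addr": addr, "wild": wild, "text": text}


def matches(entry, src):
    """True when src equals the entry address in every bit the wildcard does not ignore."""
    care = ~entry["wild"] & 0xFFFFFFFF
    return (ip_int(src) ^ entry["addr"]) & care == 0


def evaluate(acl, src, default="deny"):
    """First matching entry wins; returns (action, entry number) or (default, None)."""
    for number, entry in enumerate(acl, start=1):
        if matches(entry, src):
            return entry["action"], number
    return default, None


def move(acl, destination, src1, src2=None):
    """Model of 'access-list N move destination src1 [src2]'; returns a new list."""
    src2 = src1 if src2 is None else src2
    if not 1 <= src1 <= src2 <= len(acl):
        raise ValueError("source entries must exist")
    block = acl[src1 - 1:src2]
    rest = acl[:src1 - 1] + acl[src2:]
    if destination > len(acl):                # non-existent number (e.g., 999): move to the end
        return rest + block
    if src1 <= destination <= src2:
        raise ValueError("destination lies inside the moved range")
    target = acl[destination - 1]
    at = next(i for i, entry in enumerate(rest) if entry is target)
    return rest[:at] + block + rest[at:]


# ACL 1 from the example above.
ACL_1 = [parse_entry(t) for t in ("permit 192.5.34.0 0.0.0.255",
                                  "permit 128.88.0.0 0.0.255.255",
                                  "permit 36.0.0.0 0.255.255.255")]
# Constructed entry appended as entry 4: it is shadowed by entry 3.
SHADOWED = ACL_1 + [parse_entry("deny host 36.1.2.3")]
# Equivalent of 'access-list 1 move 1 4': the deny now precedes the permits.
REORDERED = move(SHADOWED, 1, 4)

if __name__ == "__main__":
    for label, acl in (("appended", SHADOWED), ("after move 1 4", REORDERED)):
        print(label, evaluate(acl, "36.1.2.3"))
    print("unmatched source", evaluate(ACL_1, "10.0.0.1"))
```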

access-list log-update-threshold
This command publishes an ACL violations log when a specified number of packets the XSR processes is met. ACL violations logging is updated every five minutes so regardless of how you specify this command, the five-minute timer remains in effect. The command functions as follows:
  ACL alarms display the: ACL group number, permit or deny clause, source IP address and number of packets logged in the last five minutes.
  Alarms are set to medium severity level by default.
  Setting the alarm severity level to high with the logging command disables all ACL alarms.
  After an update is reported, the log is cleared for the entry with that source IP and ACL group.
  Standard and extended ACLs are supported.
  If reporting is enabled for every packet, too many packets may log messages resulting in some message loss due to packet flooding.
Caution: If the threshold is 1 packet, you may flood the XSR and generate alarms.

For associated information on this functionality, refer to the access-list commands on page 16-84 and page 16-86, show access-list log-update-threshold command on page 16-92, and logging command on page 3-88.

Syntax
access-list log-update-threshold <number-of-packets>
<number-of-packets>    Packets, ranging from 1 to 2,147,483,647.


Syntax of the no Form


Threshold logging is disabled with the no form of this command:
no access-list log-update-threshold

Mode
Global configuration: XSR(config)#

Default
Disabled

Example
The following example enables alarm logging for ACL 101 and sets the log threshold at 10000:
XSR(config)#access-list 101 deny ip 15.15.15.1 0.0.0.255 16.16.16.1 0.0.0.255 log
XSR(config)#access-list log-update-threshold 10000

hostdos
This command enables host security protection against various DoS attacks via source IP address validation.
Note: Performing source address validation can improve security in some situations but can erroneously discard valid packets in situations where inbound and outbound paths differ and will negatively impact some routing protocols.

Syntax
hostdos {land | fragmicmp | largeicmp [size] | checkspoof}
land          Enables land attack protection.
fragmicmp     Enables fragmented ICMP packets protection.
largeicmp     Enables large ICMP packets protection.
size          Packet size above which protection starts, ranging from 1 to 65535.
checkspoof    Enables spoofed address checking.

Syntax of the no Form
The no form disables the specified security feature:
no hostdos {land | fragmicmp | largeicmp [size] | checkspoof}

Mode
Global configuration: XSR(config)#

Defaults
Disabled
Size: 1024

Example
The example below enables protection from land attack and large ICMP packets. Syn flood protection will trigger for more than 7 sessions. Protection against large ICMP packets will trigger for packets larger than 2,000 bytes.
XSR(config)#hostdos land
XSR(config)#hostdos largeicmp 2000

ip access-group
This command applies access list restrictions to an interface.

Syntax
ip access-group access list-number {in | out}
list-number    Number of an access list, ranging from 1 to 199.
in             Filters on inbound packets
out            Filters on outbound packets

Syntax of the no Form
The no form of this command removes the specified access group:
no ip access-group access list-number {in | out}

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example, as illustrated in Figure 16-1, applies ACL 101 to all inbound packets on interface FastEthernet 1. ACL 101 will route only packets with a destination of network 192.5.34.0. All packets with other destinations received on FastEthernet 1 will be dropped.
XSR(config)#access-list 101 permit any 192.5.34.0 0.0.0.255
XSR(config)#interface FastEthernet 1
XSR(config-if<F1>)#ip access-group 101 in

Figure 16-1 IP Access-Group Example (diagram labels: Router 1, Eth1, networks 192.5.34.0, 192.6.34.0, 192.7.34.0)


Security Clear and Show Commands

clear hostdos-counters
This command clears all host security statistics.

Syntax
clear hostdos-counters

Mode
Privileged EXEC: XSR#

show access-lists
This command displays configured IP access lists. When it is issued from Global mode, it also prints a sequential entry number beside each ACL entry. This number can be used by the access-list and no access-list commands to specify which entries to replace, insert before, move, or delete. Since entry numbers are only useable in Global mode, (and may change when Global mode is exited) they are only displayed when in that mode.

Syntax
show access-lists [number]
number    ACL ID, Range: 1 to 199. If no number is specified, the entire ACL table displays.

Mode
Privileged EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following output displays when the command is issued at the Privileged EXEC mode:
XSR>show access-lists 101
Extended IP access list 101
  permit tcp host 18.2.32.130 any established
  permit icmp host 18.2.32.130 any
  permit tcp host 18.2.32.130 host 171.69.2.141 gt 1023
  permit tcp host 18.2.32.130 host 171.69.2.135 eq 23
  permit udp host 198.92.32.130 host 171.68.225.126 eq 45
  deny ip 11.6.0.0 0.1.255.255 224.0.0.0 15.255.255.255
  deny ip 172.24.24.0 0.0.1.255 224.0.0.0 15.255.255.255

The following output displays when the command is issued at the Privileged EXEC mode:
XSR(config)#show access-lists
Standard IP access list 2
  1: deny host 3.4.3.4
Extended IP access list 101
  1: permit tcp host 2.1.2.1 any

show access-list log-update-threshold


This command displays ACL log information. It is processed as follows:
  A packet with a fresh source IP address on the ACL group is reported immediately. Data is cached to keep track of the occurrence happening again in the near future.
  All other arrivals of the packet with existing source IP address data on that ACL group will increment the number of packets and, after five minutes, log an alarm with the sum of packets gathered in the last five minutes. The count will reset after the alarm is logged.
  For enabled threshold data, if the count matches the threshold then the alarm is logged and the count reset. Other packets received after the threshold is met will increment the count until the next threshold is met or five minutes have elapsed.

Syntax
show access-list log-update-threshold

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following example displays a sample ACL log:
XSR#show access-list log-update-threshold
access-list log-update-threshold 10000
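
The processing rules above determine how many alarms a burst of denied packets produces, which is what the caution about a threshold of 1 is warning against. The following is an added model of those rules, not XSR code. Assumptions: counts are kept per (ACL group, clause, source IP), the immediately reported first packet does not count toward the threshold, the cache entry persists after its count is reset, and the caller drives the five-minute update. The source address is constructed to fall inside the ACL 101 example range.

```python
WINDOW_SECONDS = 300  # five-minute update interval stated on the page


class AclViolationLog:
    """Counts logged ACL hits and records the alarms the rules above would raise."""

    def __init__(self, threshold=None):
        self.threshold = threshold   # None models 'no access-list log-update-threshold'
        self.counts = {}             # (acl, clause, src) -> packets since the last alarm
        self.alarms = []             # (time, acl, clause, src, packets)

    def packet(self, now, acl, clause, src):
        key = (acl, clause, src)
        if key not in self.counts:
            # Fresh source on this ACL group: reported immediately, then cached.
            self.counts[key] = 0
            self.alarms.append((now, acl, clause, src, 1))
            return
        self.counts[key] += 1
        if self.threshold is not None and self.counts[key] == self.threshold:
            # Count matches the threshold: log the alarm and reset the count.
            self.alarms.append((now, acl, clause, src, self.counts[key]))
            self.counts[key] = 0

    def five_minute_update(self, now):
        """Log one alarm per cached source with the packets gathered, then reset."""
        for key, count in self.counts.items():
            if count:
                self.alarms.append((now, *key, count))
                self.counts[key] = 0


def simulate(threshold, packets_per_source, sources):
    """Feed a burst of denied packets on ACL 101, then run one five-minute update."""
    log = AclViolationLog(threshold)
    for n in range(packets_per_source):
        for src in sources:
            log.packet(now=n * 0.01, acl=101, clause="deny", src=src)
    log.five_minute_update(now=WINDOW_SECONDS)
    return log


if __name__ == "__main__":
    burst = ["15.15.15.7"]  # constructed source inside 15.15.15.1 0.0.0.255
    for threshold in (None, 10000, 100, 1):
        log = simulate(threshold, 1000, burst)
        reported = sum(alarm[4] for alarm in log.alarms)
        print(f"threshold={threshold}: {len(log.alarms)} alarms, {reported} packets reported")
```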

show hostdos
This command displays enabled host security features and their statistics.

Syntax
show hostdos

Mode
Privileged EXEC or Global configuration: XSR# or XSR(config)#

Sample Output
The following example displays a sample host security configuration with statistics:
XSR#show hostdos
LANd Attack (Destination IP = Source IP}             Enabled              10 attacks
Spoofed Address Check                                Enabled              0 attacks
IP packet with Multicast/broadcast source address    Always enabled       No attacks
Syn flood attack mitigation                          Always enabled       100 attacks
Fragmented ICMP traffic                              Enabled              38 attacks
Large ICMP packets                                   Enabled;Size 1024    42 attacks
Ping-of-Death attack                                 Always enabled       No attack
Filter TCP traffic with Syn and Fin bits set         Always enabled       No attack

AAA Commands
The following Authentication, Authorization and Accounting (AAA) commands and command subsets validate and display information about AAA user groups, users, and methods on the XSR:
  aaa client
  AAA Usergroup, User, Method and AAA show commands

aaa client
This command configures the subsystems Telnet, Console, SSH (Secure Shell) and PPP to use AAA for authentication.

Syntax
aaa client {telnet | console | ssh | ppp}
telnet     Telnet subsystem.
console    Console subsystem.
ssh        SSH subsystem.
ppp        PPP subsystem.

Syntax of the No Form
The no form of this command resets the subsystem to use its own local AAA mechanism:
no aaa client {telnet | console | ssh | ppp}

Default
Each subsystem uses its local user database.

Mode
Global configuration: XSR(config)#

Examples
The following example configures the Telnet subsystem to use the AAA subsystem:
XSR(config)#aaa client telnet

The following example configures the SSH subsystem to accept AAA:
XSR(config)#aaa client ssh

AAA Usergroup Commands

aaa group
This command adds a local usergroup and acquires Usergroup configuration mode. Each user defined in the node must belong to one group only. The following sub-commands are available in Usergroup mode:
dns server - Sets the address of DNS servers. Refer to page 16-95 for the command definition.
ip pool - Links a globally defined pool of IP addresses to the usergroup. Refer to page 16-95 for the command definition.
pptp encrypt mppe - Enables MPPE encoding on a PPTP connection. Refer to page 16-96 for the command definition.
privilege - Sets the privilege level of a user. Refer to page 16-101 for the command definition.
wins server - Sets the address of WINS servers. Refer to page 16-97 for the command definition.

Syntax
aaa group group-name

group-name - Name of the group.

Syntax of the no Form
The no form of this command deletes the group:
no aaa group group-name

Default
There is a default group named DEFAULT.

Mode
Global configuration: XSR(config)#

Next Mode
Usergroup configuration: XSR(aaa-group)#

Example
The following example adds the usergroup headquarters:
XSR(config)#aaa group headquarters
XSR(aaa-group)#

dns server
This command sets the address of DNS servers. These addresses are given to connecting clients during connection time.

Syntax
dns server [primary | secondary] ip-address

primary - Specifies primary DNS server.
secondary - Specifies secondary DNS server.
ip-address - Specifies IP address of the DNS server.

Syntax of the no Form
The no form of this command removes the configured server:
no dns server [primary | secondary] ip-address

Mode
Usergroup configuration: XSR(aaa-group)#

Example
The following example sets the primary DNS server IP address:
XSR(config)#aaa group headquarters
XSR(aaa-group)#dns server primary 192.168.57.9

ip pool
This command links a globally defined pool of IP addresses to the group of users. IP pool is defined globally by using the ip local pool command. If an IP pool is not linked to the group of users, each user must have an IP address configured or the connection will fail.
Note: If an aaa user is configured to use a static IP address which belongs to a local IP pool, you must exclude that address from the local pool.

Syntax
ip pool pool-name

pool-name - Name of the pool to be linked to the group of users. The pool name is defined by the ip local pool command.

Syntax of the no Form
The no form unlinks a pool of addresses from a group of users:
no ip pool pool-name

Mode
Usergroup configuration: XSR(aaa-group)#

Example
The following example adds the IP pool denver:
XSR(config)#aaa group headquarters
XSR(aaa-group)#ip pool denver

pptp encrypt mppe


This command enables Microsoft Point-to-Point Encryption (MPPE) on a PPTP connection. The command must be added to the interface that will carry PPTP MPPE traffic. All Windows clients using MPPE require MSCHAP.
Note: All configurable MPPE options must be identical on both tunnel endpoints.

Syntax
pptp encrypt mppe {auto | 40 | 128}

auto - Offers 40- and 128-bit encryption strength if available.
40 - Only 40-bit encryption allowed.
128 - Only 128-bit encryption allowed.

Syntax of the no Form
The no form of this command disables MPPE encryption:
no pptp encrypt mppe

Default
128-bit encryption

Mode
Usergroup configuration: XSR(aaa-group)#

Example
The following example enables MPPE with auto encryption:
XSR(config)#aaa group
XSR(aaa-group)#pptp encrypt mppe auto

wins server
This command sets the WINS server address which is given to connecting clients during connection time.

Syntax
wins server [primary | secondary] ip-address

primary - Specifies the primary WINS server.
secondary - Specifies the secondary WINS server.
ip-address - Specifies the IP address of the WINS server.

Syntax of the no Form
The no form of this command removes the configured server:
no wins server [primary | secondary] ip-address

Mode
Usergroup configuration: XSR(aaa-group)#

Example
The following example sets the secondary WINS server IP address:
XSR(config)#aaa group headquarters
XSR(aaa-group)#wins server secondary 192.168.57.9

AAA User Commands

aaa user
This command creates a new user profile in the local user database. During authentication, user-provided credentials are matched against the user's profile in the group. If you do not later associate this new user with a group, it will be added to the DEFAULT AAA group.
Note: If an aaa user is configured to use a static IP address which belongs to a local IP pool, you must exclude that address from the local pool.

The following sub-commands can be configured in AAA User mode:
group - Specifies the group the user belongs to. Refer to page 16-98 for the command definition.
ip address - Specifies the IP address assigned to the remote user. Refer to page 16-99 for the command definition.
password - Sets a user's password. Refer to page 16-99 for the command definition.
policy - Configures the user's authorized list of services. Refer to page 16-100 for the command definition.
privilege - Sets the privilege level of a user. Refer to page 16-101 for the command definition.

Syntax
aaa user user-name

user-name - Name of new user in the group; it is employed during login.

Syntax of the no Form
The no form of this command deletes the user profile:
no aaa user user-name

Mode
Global configuration: XSR(config)#

Next Mode
Username configuration: XSR(aaa-user)#

Example
The following example adds the user ernest to the DEFAULT usergroup:
XSR(config)#aaa user ernest
XSR(aaa-user)#

group
This command specifies the group the user belongs to.

Syntax
group group-name

group-name - Name identifying the group a user belongs to.

Syntax of the no Form
The no form of this command resets a user to the DEFAULT group:
no group

Default
User belongs to the DEFAULT group.

Mode
Username configuration: XSR(aaa-user)#

Example
The following example adds the group run_pamplona that the previously created user belongs to:
XSR(config)#aaa user ernest
XSR(aaa-user)#group run_pamplona

ip address
This command specifies the IP address to be assigned to the remote user. If an IP address is not specified, it is taken from the pool associated with the user's group. If an IP address is specified at the user level, it is used instead of taking a new address from the pool.

Syntax
ip address ip-address

ip-address - IP address to be assigned to the remote client.

Syntax of the no Form
The no form of this command removes the IP address from a user profile:
no ip address

Default
IP address is not assigned to the user.

Mode
Username configuration: XSR(aaa-user)#

Example
This example sets an IP address that will be assigned to remote user ted:
XSR(config)#aaa user ted
XSR(aaa-user)#ip address 192.168.57.9 255.255.255.0

password
This command specifies a user's password.

Syntax
password password

password - Password to be assigned to the user.

Syntax of the no Form
The no form of this command removes the password from a user profile:
no password password

Mode
Username configuration: XSR(aaa-user)#

Example
The following example sets the password williams for user ted:
XSR(config)#aaa user ted
XSR(aaa-user)#password williams

policy
This command configures the user's policy or authorized list of services, and it overrides the policy specified by the user's group. It is available in both AAA User and AAA Group configuration modes. Up to four keywords can be specified in the command statement.

Syntax
policy {vpn | telnet | console | firewall | ssh | ppp} [vpn | telnet | firewall | ssh | ppp ...]

vpn - Subsystem keyword for VPN policy.
telnet - Subsystem keyword for Telnet policy.
console - Subsystem for Console policy.
firewall - Subsystem keyword for Firewall policy.
ssh - Subsystem keyword for Secure Shell (SSH) policy.

Note: A sub-system keyword can be stated no more than once in the command.

Syntax of the No Form
The no form of this command disables the earlier configured policy:
no policy {vpn | telnet | console | firewall | ssh | ppp}

Mode
AAA User/Group configuration: XSR(aaa-user)# or XSR(aaa-group)#

Example
The following example provides user access to VPN, Telnet, Console and Secure Shell (SSH), and then removes SSH from the user's policy:
XSR(aaa-user)#policy vpn telnet console ssh
XSR(aaa-user)#no policy ssh


privilege
This command configures the privilege level of a user. It is available from both AAA User and AAA Group configuration modes. Compare this command with the Interface mode privilege command on page 111.

Syntax
privilege level (0-15)

level - Specifies the privilege level (0-15) associated with this user.

Syntax of the No Form
Use the no form of this command to restore the privilege level default:
no privilege

Default
0

Mode
AAA User/Group configuration: XSR(aaa-user)# or XSR(aaa-group)#

Example
The following example specifies a privilege level of 15 for user kramer:
XSR(config)#aaa user kramer
XSR(aaa-user)#privilege 15

AAA Method Commands

aaa method
This command is executed at the Global Mode. This command configures the AAA method (plugin) to be used. The following sub-commands are available in AAA Method mode:
acct-port - Sets the UDP port for accounting requests. Refer to page 16-103 for the command definition.
address - Specifies the RADIUS server address with either a host name or IP address. Refer to page 16-103 for the command definition.
attempts - Sets the number of consecutive login attempts that must fail before the RADIUS method's backup method is used. Refer to page 16-104 for the command definition.
auth-port - Specifies the UDP port for authentication requests. Refer to page 16-104 for the command definition.
backup - Specifies a name for a backup RADIUS method. Refer to page 16-105 for the command definition.
client - Configures the default AAA method (plugin) for each client service. Refer to page 16-106 for the command definition.
enable - Enables the current AAA server for RADIUS. Refer to page 16-106 for the command definition.
group - Specifies the name of an existing group. Refer to page 16-107 for the command definition.
hash enable - Enables the hash algorithm used for RADIUS. Refer to page 16-108 for the command definition.
key - Sets the authentication and encryption key used between the XSR and the server daemon running on a RADIUS server. Refer to page 16-108 for the command definition.
qtimeout - Specifies the queue timeout. Refer to page 16-109 for the command definition.
retransmit - Specifies the number of AAA RADIUS server requests sent to a server. Refer to page 16-109 for the command definition.
timeout - Sets the interval the XSR waits for the AAA RADIUS server to reply before retransmitting. Refer to page 16-110 for the command definition.

Syntax
aaa method {local | radius | pki} method-name [default]

local - Local AAA method.
radius - RADIUS method. You must set a RADIUS server type.
pki - PKI method.
method-name - Designation of the AAA method (plugin).
default - If the keyword is set, the method is DEFAULT, unless overridden on a per-service basis by the client sub-command.

Syntax of the no Form
Use the no form to delete the AAA method and restore the default:
no aaa method {local | radius | pki} method-name

Default
If the default is not specified, the local method is the default for AAA service and subsystems lacking their own default.

Mode
Global configuration: XSR(config)#

Next Mode
AAA Method configuration: XSR(aaa-method-xx)#

Example
This example sets RADIUS method sbr as the default for AAA service:
XSR(config)#aaa method radius sbr default

acct-port
This command specifies the UDP port for accounting requests and uses the RADIUS method only.
Note: If the port number is 0, the host will not be used for accounting.

Syntax
acct-port port-number

port-number - Port number for accounting requests, ranging from 0 to 10,000.

Syntax of the no Form
The no form of this command resets to the default port number:
no acct-port

Default
Authorization port number: 1646.

Mode
AAA Method configuration: XSR(aaa-method-radius)#

Example
This example uses RADIUS SBR to reset the UDP accounting port to 6000:
XSR(config)#aaa method radius sbr default
XSR(aaa-method-radius)#acct-port 6000

address
This command specifies the address of the RADIUS server with either a host name or IP address. It is used for the RADIUS method only.

Syntax
address {host-name | ip-address} address

host-name - Specifies the address with a host name.
ip-address - Specifies the IP address.
address - Address string: either a host name or IP address depending on which keyword is specified.

Syntax of the no Form
The no form of this command clears the address attribute:
no address {host-name | ip-address}

Mode
AAA Method configuration: XSR(aaa-method-radius)#

Example
The following example sets number9 as the RADIUS server host name:
XSR(config)#aaa method radius ias default
XSR(aaa-method-radius)#address host-name number9

attempts
This command sets the number of consecutive login attempts that must transpire before the RADIUS method's backup method is used. It is used for the RADIUS method only. When a user login request fails because the server did not respond, it is a failed attempt.

Syntax
attempts [number-of-attempts]

number-of-attempts - Sum of tries allowed, ranging from 1 to 10.

Syntax of the no Form
The no form of this command resets to the default attempts number:
no attempts

Default
4

Mode
AAA Method configuration: XSR(aaa-method-radius)#

Example
This example resets the attempts value to 10 on the RADIUS IAS server:
XSR(config)#aaa method radius ias default
XSR(aaa-method-radius)#attempts 10

auth-port
This command specifies the UDP port for authentication requests. It is used for the RADIUS method only.
Note: If the port number is 0, the host will not be used for authentication.

Syntax
auth-port port-number

port-number - Port number for authentication requests, ranging from 0 to 10,000.

Syntax of the no Form
The no form of this command resets to the default port number 1645:
no auth-port

Default
The default authorization port number is 1645.

Mode
AAA Method configuration: XSR(aaa-method-radius)#

Example
The following example resets the UDP authentication port to 5000:
XSR(config)#aaa method radius sbr default
XSR(aaa-method-radius)#auth-port 5000

backup
This command creates a name for a backup RADIUS server. The RADIUS backup method does not permit loops. That is, method 1 can have a backup method 2 but its backup method 3 cannot back up method 1. Be aware that when the primary RADIUS server fails and AAA switches to the backup, use of the primary server will not automatically be restored when it comes back online. You must manually restart the primary server with the aaa method radius command.

Syntax
backup name

name - Designation of the backup RADIUS server.

Syntax of the no Form
The no form of this command deletes the backup RADIUS server:
no backup name

Mode
AAA Method configuration: XSR(aaa-method-radius)#

Example
The following example specifies Radius2 as the backup server name:
XSR(config)#aaa method radius sbr default
XSR(aaa-method-radius)#backup Radius2
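Because backup chains may not loop and a port number of 0 takes a host out of service, a candidate configuration can be checked before it is entered on the router. The Python sketch below is an added example, not Enterasys code: the function names and the sample configuration are constructed, and it assumes each sub-command follows the aaa method radius line it belongs to.

```python
DEFAULT_PORTS = {"auth-port": 1645, "acct-port": 1646}  # defaults from this guide
PORT_ROLE = {"auth-port": "authentication", "acct-port": "accounting"}

# Constructed sample configuration text (not taken from a real device).
CONSTRUCTED_CONFIG = """\
aaa method radius sbr default
 address ip-address 192.0.2.10
 backup Radius2
aaa method radius Radius2
 backup Radius3
 acct-port 0
aaa method radius Radius3
 backup sbr
aaa method radius lab
 backup missing
aaa group headquarters
"""


def parse_radius_methods(config_text):
    """Collect backup and port settings for each 'aaa method radius <name>'."""
    methods, current = {}, None
    for raw in config_text.splitlines():
        words = raw.split()
        if not words:
            continue
        if words[:3] == ["aaa", "method", "radius"] and len(words) >= 4:
            current = words[3]
            methods[current] = {"backup": None, **DEFAULT_PORTS}
        elif words[0] == "aaa":
            current = None                  # a different top-level AAA command
        elif current and words[0] == "backup" and len(words) == 2:
            methods[current]["backup"] = words[1]
        elif (current and words[0] in DEFAULT_PORTS
              and len(words) == 2 and words[1].isdigit()):
            methods[current][words[0]] = int(words[1])
    return methods


def backup_chain(methods, start):
    """Follow backup links from `start`; return (chain, problem or None)."""
    chain, seen, name = [start], {start}, start
    while methods[name]["backup"] is not None:
        nxt = methods[name]["backup"]
        if nxt not in methods:
            return chain, f"backup {nxt!r} is not a defined RADIUS method"
        if nxt in seen:
            return chain + [nxt], f"loop: {nxt!r} is already in the chain"
        chain.append(nxt)
        seen.add(nxt)
        name = nxt
    return chain, None


def audit(config_text):
    """Return (method, finding) pairs for loops, dangling backups and port 0."""
    methods = parse_radius_methods(config_text)
    findings = []
    for name in sorted(methods):
        _, problem = backup_chain(methods, name)
        if problem:
            findings.append((name, problem))
        for port, role in PORT_ROLE.items():
            if methods[name][port] == 0:
                findings.append((name, f"{port} 0: host not used for {role}"))
    return findings


if __name__ == "__main__":
    for method, finding in audit(CONSTRUCTED_CONFIG):
        print(f"{method}: {finding}")
```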

client
This command configures the default AAA method (plugin) for each client service. If a client service is not registered by this command, requests from that service will fall through to the overall default method.
For example, if the authentication mode has not been set for Telnet using aaa client telnet, then the default AAA method set for Telnet users via the client command will be ignored. Telnet users will be authenticated by Telnet's AAA scheme using its own user database.
Note: You can specify a username as username@method, allowing that user to explicitly specify which AAA method to use for that login attempt.

Syntax
client {vpn | telnet | firewall | console | ssh | ppp}

Note: PPP uses AAA only when acting as the authenticator (that is, when validating the peer). PPP's client-side functionality is authenticated by the peer when acting as the authenticatee.

Syntax of the No Form
The no form of this command removes the default method for the associated client service:
no client {vpn | telnet | firewall | console | ssh | ppp}

Mode
AAA Method configuration: XSR(aaa-method-xx)#

Default
VPN access is enabled, all other access types are disabled.

Example
This example configures RADIUS method sbr as the default method for the client service Telnet:
XSR(config)#aaa method radius sbr
XSR(config-aaa-rad)#client telnet

enable
This command enables the current AAA server for RADIUS only.

Syntax
enable

Syntax of the no Form
The no form of this command disables the current AAA server service:
no enable

Default
Enabled

Mode
AAA Method configuration: XSR(aaa-method-radius)#

Example
The following example enables the RADIUS server:
XSR(config)#aaa method radius sbr default
XSR(aaa-method-radius)#enable

group
This command specifies the group added earlier using the aaa group command. This command is available for all AAA methods (local, RADIUS and PKI). The group will be used when a group name is not returned in the RADIUS response.

Syntax
group group-name

group-name - The name of a valid (existing) group.

Syntax of the no Form
The no form of this command resets to the default group DEFAULT:
no group

Default
DEFAULT

Mode
AAA Method configuration: XSR(aaa-method-xx)#

Example
The following example sets the group redsox as the default group:
XSR(config)#aaa group redsox
XSR(config)#aaa method local default
XSR(aaa-method-local)#group redsox


hash enable
This command enables the hash for the plugin and is used for the RADIUS method only. The sub-command may be a plugin-type dependent command.

Syntax
hash enable

Syntax of the no Form
The no form of this command disables hashing:
no hash enable

Default
Disabled

Mode
AAA Method configuration: XSR(aaa-method-radius)#

Example
The following example enables the RADIUS hash:
XSR(config)#aaa method radius sbr default
XSR(aaa-method-radius)#hash enable

key
This command specifies the authentication and encryption key used between the XSR and the server daemon running on this RADIUS server. The sub-command may be a plugin-type dependent command. It is used for the RADIUS method only.

Syntax
key key-string

key-string - Sets the authentication and encryption key for all RADIUS communications between the XSR and RADIUS server. This key must match the encryption used on the RADIUS daemon. All leading spaces are ignored, but spaces within and at the end of the key are used.

Syntax of the no Form
The no form of this command clears the key attribute:
no key

Mode
AAA Method configuration: XSR(aaa-method-radius)#

Example
The following example resets the RADIUS key value to 1234qwerty:
XSR(config)#aaa method radius default
XSR(aaa-method-radius)#key 1234qwerty

qtimeout
This command specifies the interval a timeout request is allowed to sit unprocessed on AAA's internal queue before it is discarded.

Syntax
qtimeout seconds

seconds - Timeout value ranging from 0 to 5000 seconds.

Syntax of the no Form
The no form of this command resets to the default value:
no qtimeout

Default
30 seconds

Mode
AAA Method configuration: XSR(aaa-method-xx)#

Example
The following example sets the qtimeout to 3,600 seconds:
XSR(aaa-method-local)#qtimeout 3600

retransmit
This command specifies the number of times an AAA RADIUS server request is resent to a server if that server is not responding or responding slowly. It is used for RADIUS (15) only.

Syntax
retransmit [retries]

retries - Retransmit value ranging from 1 to 5.

Syntax of the no Form
The no form of this command resets the value to the default:
no retransmit

Default
3

Mode
AAA Method configuration: XSR(aaa-method-xx)#

Example
The following example lengthens the retransmit value to 5:
XSR(config)#aaa method radius default
XSR(aaa-method-radius)#retransmit 5

timeout
This command specifies the interval, in seconds, that the XSR waits for the AAA RADIUS server to reply before retransmitting. It is used for the RADIUS method only.

Syntax
timeout seconds

seconds - Timeout value ranging from 1 to 30 seconds.

Syntax of the no Form
The no form of this command resets to the default value:
no timeout

Default
5 seconds

Mode
AAA Method configuration: XSR(aaa-method-radius)#

Example
The following example resets the RADIUS AAA timeout to 25 seconds:
XSR(aaa-method-radius)#timeout 25


AAA Per-Interface Commands

aaa-method
This command is executed at the Interface Mode. This command specifies the name of the AAA method you will use for authentication requests originating from this interface. With this command, you can process authentication requests originating from different interfaces by different methods. The command is governed by the following rules:
- If an interface has no method specified or the specified method does not exist, standard AAA method selection applies.
- The @<method> username syntax overrides the interface's method.
- IKE is not affected because it always employs the PKI method.
- The interface-specific method will override the service type's default method (assigned via the client sub-command in AAA method configuration mode) and the AAA service's default method.

Syntax
aaa method method-name

method-name - Designation of the AAA method (plugin).

Syntax of the no Form
The no form of this command deselects this method:
no aaa method

Mode
Interface configuration: XSR(config-if<xx>)#

Example
This example sets the PPP method for AAA service on FastEthernet interface 2:
XSR(config-if<F2>)#aaa method PPP
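The selection rules are spread across the aaa client command, the client sub-command with its username@method note, and the per-interface rules above. The Python model below is an added example, not XSR code, that combines them to show which method a login reaches. The method names local, pki, sbr and ghost and the interface names are constructed, and two behaviours are assumptions: the aaa client gate is applied before any override, and an unknown @method is rejected.

```python
from dataclasses import dataclass, field

# Subsystems that consult AAA only after "aaa client <service>" is configured.
GATED_SERVICES = {"telnet", "console", "ssh", "ppp"}


@dataclass
class AaaConfig:
    methods: set                                   # names created by "aaa method"
    default_method: str = "local"                  # method marked "default"
    client_methods: dict = field(default_factory=dict)     # service -> method
    aaa_clients: set = field(default_factory=set)          # "aaa client" services
    interface_methods: dict = field(default_factory=dict)  # interface -> method


def select_method(cfg, service, login, interface=None):
    """Return (method, username, reason) for one login attempt."""
    if service == "ike":
        return "pki", login, "IKE always employs the PKI method"
    if service in GATED_SERVICES and service not in cfg.aaa_clients:
        # The subsystem keeps using its own local user database.
        return "subsystem-local", login, "no 'aaa client' for this service"
    user, sep, explicit = login.rpartition("@")
    if sep and user:
        if explicit in cfg.methods:
            return explicit, user, "username@method"
        # Assumption: an unknown @method is rejected; the guide does not say.
        return None, user, "unknown method in username@method"
    iface_method = cfg.interface_methods.get(interface)
    if iface_method in cfg.methods:
        return iface_method, login, "interface method"
    service_method = cfg.client_methods.get(service)
    if service_method in cfg.methods:
        return service_method, login, "client default for the service"
    return cfg.default_method, login, "overall default method"


def paths_not_using(cfg, wanted, services, interfaces):
    """List (service, interface, method) where a plain login skips `wanted`."""
    skipped = []
    for service in services:
        for interface in interfaces:
            method, _, _ = select_method(cfg, service, "user", interface)
            if method != wanted:
                skipped.append((service, interface, method))
    return skipped


def constructed_config():
    """Constructed sample: RADIUS method sbr is the intended default."""
    return AaaConfig(
        methods={"local", "pki", "sbr"},
        default_method="sbr",
        client_methods={"telnet": "sbr", "vpn": "local"},
        aaa_clients={"ssh"},
        interface_methods={"F1": "local", "F2": "ghost"},  # ghost is undefined
    )


if __name__ == "__main__":
    cfg = constructed_config()
    for args in [("telnet", "ted"), ("ssh", "ted"), ("ssh", "ted@local"),
                 ("ssh", "ted", "F1"), ("ssh", "ted", "F2"), ("ike", "peer", "F1")]:
        print(args, "->", select_method(cfg, *args))
    print(paths_not_using(cfg, "sbr", ["ssh", "vpn"], ["F1", "F2"]))
```

In the constructed configuration, Telnet logins never reach sbr because aaa client telnet is missing, and any user can pick the local method with the @local suffix, so local accounts stay in scope when reviewing a RADIUS deployment.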

aaa privilege
This command associates the specified interface with a maximum privilege level available for AAA logins. Be aware that you can assign a user's privilege level based on AAA user/group information, unless it exceeds the level assigned to an interface via this command. Compare this command with the AAA User and Group mode privilege command on page 101.

Syntax
aaa privilege level

level - Maximum privilege setting, ranging from 0 (lowest) to 15.

Syntax of the no Form
The no form of this command removes the user/group/interface restriction:
no aaa privilege

Mode
Interface configuration: XSR(config-if<xx>)#

Default
Privilege level: 15

Example
This example resets the privilege level to 10 on GigabitEthernet interface 2:
XSR(config-if<G2>)#aaa privilege 10

AAA Debug and Show Commands

debug aaa
This command activates/deactivates the output of AAA debugging data, which is classified by Authentication, Accounting and Authorization categories.
The command's output will be sent to the terminal that most recently requested debug information. Also, if multiple AAA debug messages are activated, all debug data will be sent to the terminal from which it was most recently activated.

Syntax
debug aaa {accounting | authentication | authorization}

accounting - Accounting debug data displayed.
authentication - Authentication debug data displayed.
authorization - Authorization debug data displayed.

Syntax of the no Form
The no form of this command resets to the default value:
no debug aaa {accounting | authentication | authorization}

Mode
Privileged EXEC: XSR#

Sample Output
The debug authorization message below indicates the Local method was successful with MSCHAP:
Local::queue(test)
AAuthenticatePlugin::queue (alg == 0xf)
groupplugin Reply: Pool = authpool
IRMauthorizeMsg::clientLogon [test]

The following is a debug authentication message showing the Local method failed with MSCHAP:
Local::queue(test)
AAuthenticatePlugin::queue (alg == 0xf)
(Local) Failed mschap authentication
(Local) do_ms_chap: Invalid user name or password
Method [Local]: Error for user [test] on [Authenticate]

show aaa group


This command displays properties of the AAA group.

Syntax
show aaa group group-name

group-name - Name of the group to be displayed. If not specified, all groups are displayed.

Default
If a group name is not specified, all groups are displayed including the DEFAULT group.

Mode
Privileged EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following output is displayed by the command:
XSR#show aaa group
AAA Group Stats:
Group Name: sales
Group Comment: Toledo Branch Office
IP Address is: 0.0.0.0
IP Mask is: 0.0.0.0
Primary DNS server is: 2.3.2.3
Secondary DNS server is: 2.3.2.4
Primary WINS server is: 3.3.2.3
Secondary WINS server is: 3.3.2.4
IP pool for the group is:
PPTP encryption is 128 bit
Access Policy is: VPN
Privilege Level is: 15
Group Name: DEFAULT
Group Comment:
IP Address is: 0.0.0.0
IP Mask is: 0.0.0.0
Primary DNS server is: 0.0.0.0
Secondary DNS server is: 0.0.0.0
Primary WINS server is: 0.0.0.0
Secondary WINS server is: 0.0.0.0
IP pool for the group is:
PPTP encryption is 128 bit
Access Policy is: firewall
Privilege Level is: 0

show aaa user


This command displays user properties including the group to whom the user belongs and its IP address.

Syntax
show aaa user [user-name]

user-name - Name of the user to be displayed.

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following output is displayed by the command:
XSR#show aaa user
AAA User Stats:
User Name: larryj
Group Name: documentation
IP Address: 192.168.57.9
Mask: 255.255.255.0
Access Policy: SSH
Privilege Level: 15

show aaa method


This command displays configured plugins and their parameters.

Syntax
show AAA Method [method-name]

method-name - Name of the AAA method (plugin name).

Default
If the method name is not set, all methods and method attributes display.

Mode
EXEC or Global configuration: XSR> or XSR(config)#

Sample Output
The following output is displayed by entering show aaa method:
XSR#show aaa method
AAA Method Stats:
Method Type: PKI
Default group name is: DEFAULT
Queue timeout is: 0
Registered Clients: VPN
Method Type: Local (Default Method)
Default group name is: acme
Queue timeout is: 5000
Registered Clients: VPN
Method Type: Radius, Method Name: def
This method is currently enabled
Backup Radius server name is: RADbackup
Default group name is: DEFAULT
IP Address is: 0.0.0.0
Hash is currently: enabled
Authentication and encryption key is: 3edue8jmdi
The UDP port for Authentication is: 1645
The UDP port for Accounting is: 1646
Maximum number of login attempts is: 4
Maximum number of retransmission tries is: 3
Attempt Timeout is: 10
Queue timeout is: 0
Registered Clients: Firewall

Firewall Feature Set Commands

ip firewall auth
This command defines the object which handles configuration for firewall authentication.

Syntax
ip firewall auth {timeout <60-1800> | port <1024-65535>}

timeout # - Idle timeout for authentication cache entry, ranging from 60 to 1800 seconds.
port # - TCP port on which the firewall authenticator will listen. Range: 1024 to 65535.

Syntax of the no Form
The no form sets either the timeout or Auth port to its default value:
no ip firewall auth {timeout # | port #}

Defaults
Timeout: 1800 seconds
Authentication port: 3000

Mode
Global configuration: XSR(config)#

Example
The following example resets the ICMP idle timeout:
XSR(config)#ip firewall icmp timeout 3000

ip firewall disable/enable
When issued in Global mode, this command is a master switch which activates or deactivates the firewall system-wide. You can also use this command as a local switch in Interface configuration mode, enabling or disabling the firewall on a per-interface basis. The command behaves separately and interactively at Global and Interface modes as follows:
- The system-level firewall is disabled by default.
- The interface-level firewall is enabled by default unless explicitly disabled.
- If the firewall is enabled, packet inspection will occur on all interfaces that have the firewall enabled at the interface level.
- A particular interface may be enabled but subsequently disabling the firewall globally overrides all enabled interfaces.
- If you enable the firewall globally, all interfaces will be enabled until you subsequently disable a particular interface.
- Enable displays in running-config, but not disable.
- Even if you have not configured the firewall, entering ip firewall enable will turn on packet inspection.

Note: TCP traffic (e.g., Telnet) passed first through a firewall-disabled interface destined to a firewall-enabled interface will be dropped regardless of policy.

Syntax
ip firewall {disable | enable}

Default
Disabled globally

Mode
Global or Interface configuration: XSR(config)# or XSR(config-if<xx>)#

Example
The following example enables the firewall globally:
XSR(config)#ip firewall enable

ip firewall filter
This command defines the filter object for non-TCP and UDP traffic, for which no stateful inspection is required. By default, all non-TCP and UDP traffic is dropped by the firewall. To allow certain IP protocols to pass through the firewall, a filter object must be configured.
Filtering is performed on the protocol ID and source and destination addresses which are network objects. Protocols can be specified by number or name. If a name is used, it should match that specified by the Internet Assigned Numbers Authority (IANA). Refer to: http://www.iana.org/assignments/protocol-numbers
A name for any firewall object must use these alphanumeric characters only: A-Z (upper or lower case), 0-9, - (dash), or _ (underscore). Also, all firewall object names including pre-defined objects such as ANY_EXTERNAL and user-defined object names are case-sensitive.
Note: Logging for the filter is performed on a per packet basis.

Syntax
ip firewall filter filter_name src_net_name dst_net_name {protocol-id prot-number | protocol-name prot-name} [type number] [allow-log] bidirectional

filter_name - Name of filter object, not to exceed 16 characters.
src_net_name - Name of any source network object. Limit: 16 characters.
dst_net_name - Name of destination network object. Limit: 16 characters.
protocol-id - Protocol specified by decimal value.
protocol-name - Protocol specified by name, not to exceed 16 characters.
type number - If the protocol is ICMP, you can filter specific types only.
bidirectional - Policy applies in both directions. That is, for a session initiated at the source as well as the destination.
allow-log - All matching packets are logged.

Syntax of the no Form
The no form of this command disables the specified filter:
no ip firewall filter filter_name

Defaults
Deny all

Mode
Global configuration: XSR(config)#

Example
The following example permits any remote host to run a PPTP tunnel to a server on the internal network:
XSR(config)#ip firewall network pptp-server 120.21.1.18/32 internal
XSR(config)#ip fire filter allow--gre ANY_EXTERNAL pptp-server protocol-id 47
XSR(config)#ip firewall filter allow--gre pptp-server ANY_EXTERNAL protocol-id 47

ip firewall icmp timeout


This command defines the object which handles all configuration for ICMP packet inspection.

Syntax
ip firewall icmp timeout <seconds>

seconds - Idle timeout for ICMP sessions, ranging from 60 to 86400 seconds.

Syntax of the no Form
The no form of this command sets the timeout to the default value:
no ip firewall icmp timeout

Default
Timeout: 60 seconds

Mode
Global configuration: XSR(config)#

Example
The following example resets the ICMP idle timeout interval:
XSR(config)#ip firewall icmp timeout 300

ip firewall java and ip firewall activex


This command defines the object that allows or denies HTML pages with embedded Java or ActiveX applets from particular or all IP addresses. A name for any firewall object must use these alphanumeric characters only: A-Z (upper or lower case), 0-9, - (dash), or _ (underscore). Also, all firewall object names are case-sensitive.

Syntax
ip firewall java {all, none, selected network_name}
ip firewall activex {all, none, selected network_name}

all - Permit HTML pages with Java from all IP addresses.
none - Deny HTML pages with Java from any IP address.
selected - Permit HTML pages with Java from selected IP addresses.
network_name - Any internal or external network or network group object.

Syntax of the no Form
The no form of this command disables Java or ActiveX:
no ip firewall java/activex {all, none, selected network_name}

Default
Deny all HTML pages with Java and ActiveX applets

Mode
Global configuration: XSR(config)#

Example
The following example configures corporate-network as a network group object listing all reachable networks, excluding any ActiveX applets, at corporate headquarters:
XSR(config)#ip firewall java selected corporate-network
XSR(config)#ip firewall activex none

ip firewall load
Thiscommandloadscurrentfirewallsettingsintotheroutersinspectionengine.Thecurrent configurationcomprisesallCLIcommandsthathavebeenenteredsincethelastload.Executing thiscommandclearsallsessionsthusrequiringallTCPconnectionsbereestablished. Becausethenoversionofthiscommandisnotavailable,inordertoundoarecentfirewall configurationyoumustexecutenoversionsofcommandswhichinvoketheconfiguration. Optionally,youcanbuildtheconfigurationbutnotdisturbthefirewallengine.Thisisauseful tooltoconfigurethefirewallwhileincrementallycheckingitsvalidity.Also,youcanschedulea loadalthoughthisoptionblocksanyfirewallconfigurationintheinterim.

Syntax
ip firewall load delay [trial]{1-7 [hh:mm]|hh:mm}[enable |disable] trial 1-7 hh: mm:

Buildsconfigurationbutdoesnotloaditintothefirewallengine. Intervalintheformatdays<17>HH:MMtowaituntilthefirewallloador restartisperformed.Noobjectcanbemodifiedduringthistimeexcepta trialload.Loggingrestartswhentheloadruns.Thedaysvalueisoptional andifentered,thehoursandminutesvaluesarealsooptional.


XSR CLI Reference Guide 16-119

Firewall Feature Set Commands

enable disable

Executesorterminatesthefirewallload.

Note: If the command is issued when a load delay is pending, the following error message displays: Load: Configuration locked due to scheduled load delay

Syntax of the no Form


The no form of this command cancels a scheduled load and unlocks the firewall config CLI:
XSR(config)#no ip firewall load delay

Mode
Global configuration: XSR(config)#

Examples
The following example verifies the firewall configuration is correct:
XSR(config)#ip firewall load trial

This example schedules a load in five days, three hours and 20 minutes:
XSR(config)#ip firewall load delay 5 03:20

After the load is performed, the following message will display:
XSR(config)#<186>Mar 17 22:30:22 10.10.10.20 FW: Firewall Shutdown and Restarted
<186>Mar 17 22:30:22 10.10.10.20 FW: Firewall: The Firewall has just executed a delayed load command successfully

ip firewall logging
This command defines logging object parameters that apply to the firewall log operation. Logging is cumulative. For example, by selecting Level 3, the firewall will generate all messages from Levels 3 to 0. If you set logging to Level 0, the number of messages will be minimal.
Levels 0 to 3 are designated for attacks, denies and other system-related logs such as memory failures. Levels 4 to 7 are designated for permits, warnings and other informational logs. There are very few debug level logs so in order to see permits a setting of 5 or 6 is sufficient.


Syntax
ip firewall logging event-threshold 0-7

event-threshold    Events of severity equal to or lesser than the specified value log as follows:
    Level 0: Emergency
    Level 1: Alert
    Level 2: Critical - alarms such as failure to allocate memory during initialization are logged if system logging is enabled and firewall logging is set to level 2 or higher
    Level 3: Error - abnormal and deny alarms are logged if system logging is set at MEDIUM or HIGH and firewall logging is level 5 or higher
    Level 4: Warning - normal and permit alarms are logged if system logging is set at LOW and firewall logging is level 4 or higher
    Level 5: Notice
    Level 6: Information
    Level 7: Debug

Syntax of the no Form


The no form of this command sets firewall logging to the default value:
no ip firewall logging event-threshold

Default
Level 3 - All denies and serious faults are logged

Mode
Global configuration: XSR(config)#

Example
This example sets firewall logging for all messages at Notice level:
XSR(config)#ip firewall logging event-threshold 5

ip firewall network
This command defines a network object specifying a network or host IP address or address group (base and subnet mask or start and end IP address) that is tagged as internal or external. Naming a location is helpful in using this object for rules indicating any internal/external network.
Network objects are referenced by the name within the policy and network group objects. Define network objects for internal hosts and networks. A name for any firewall object must use these alphanumeric characters only: A-Z (upper or lower case), 0-9, - (dash), or _ (underscore).


Also, all firewall object names including pre-defined objects such as ANY_EXTERNAL and user-defined object names are case-sensitive.
Notes: A DMZ is considered an internal network. Use care when you have a configuration with internal and external addresses that overlap and exist off the same physical interface. In this case, the XSR may not be able to identify an address in the overlap range as being internal or external. If this is so, packets may not match policies as expected. Once you specify a network name you cannot switch internal/external settings. To switch settings you must delete the network and add it again.

Syntax
ip firewall network name {A.B.C.D mask A.B.C.D | A.B.C.D A.B.C.D}{internal | external}

name                    Name of the network object, not to exceed 16 characters. Match this with policy source/destination name exactly.
A.B.C.D A.B.C.D         Start and end addresses.
A.B.C.D mask A.B.C.D    Base address and mask in dotted decimal format.
internal or external    Address qualifier.

Syntax of the no Form


The no form of this command disables the firewall network object:
no ip firewall network name

Mode
Global configuration: XSR(config)#

Example
This example defines internal and external IP addresses for the network objects sales and remote-access. Note how the internal and external tags have meaning in the way the network objects are used in a policy.
XSR(config)#ip firewall network sales 192.168.100.0 mask 255.255.255.0 internal
XSR(config)#ip firewall network remote-access 10.1.1.0 mask 255.255.255.0 external

ip firewall network-group
This command comprises a set of network objects, serving the same function as a network object. Intrinsic values ANY_INTERNAL (all internal network objects defined) and ANY_EXTERNAL (all external network objects defined) are a convenient option to define a set of network objects. Membership in these sets is unlimited.
A name for any firewall object must use these alphanumeric characters only: A-Z (upper or lower case), 0-9, - (dash), or _ (underscore). Also, all firewall object names including pre-defined objects such as ANY_EXTERNAL and user-defined object names are case-sensitive. Refer to the ip firewall policy command for applicable policy and gating rule limits.

Syntax
ip firewall network-group name name1 ... name10

name               Network group object name. Limit: 16 characters.
name1 to name10    Name of the network or network group objects.

Syntax of the no Form


The no form of this command disables the network group:
no ip firewall network-group name

Mode
Global configuration: XSR(config)#

Example
The following example defines network objects sales and remote-access and adds them to the network groups private-net and sales remote-access:
XSR(config)#ip firewall network sales 192.168.100.0 ma 255.255.255.0 i
XSR(config)#ip fi network remote-access 10.1.1.0 m 255.255.255.0 i
XSR(config)#ip firewall network-group private-net sales remote-access

ip firewall policy
This command configures a firewall policy comprised of policy objects. Each object/rule is tagged with a name which places the policies in order using a before and after keyword. This permits you to enter policies in an order different than which they will be applied.
The XSR firewall enforces a deny-all policy by default. So, unless there is a policy object configured to allow traffic in a particular direction, packets will not pass through the firewall. This eliminates the need to define catch-all reject policies in each direction.
Policies apply to traffic directed at the router, as well. So, policy objects must be defined to allow management traffic into the router. Be aware that the console port is always available for management purposes.
A name for any firewall object must use these alphanumeric characters only: A-Z (upper or lower case), 0-9, - (dash), or _ (underscore). Also, all firewall object names including pre-defined objects such as ANY_EXTERNAL and user-defined object names are case-sensitive.
Notes: Citing a policy's intent in the name is useful if its function is not apparent from the definition. Internal XSR gating rules, which order traffic filtering, are stored in a temporary file in Flash. Because there is one gating rule for each network source/destination expansion, a potentially enormous number of gating rules can be generated by just a single firewall policy. For example, when a large network that has an ANY_INTERNAL group with 200 network addresses is used as the source address, and another group of 10 network addresses is used as the destination address, 2000 gating rules are defined for the policy. Accordingly, a limit is applied to their total, depending on the amount of installed RAM.

Syntax
ip firewall policy policy_name src_net_name dst_net_name serv_name {allow | allow-log | allow-auth group_name | reject | log | url-b | url-w | cls name ... name}[before policy_name | after policy_name | first] [bidirectional]

src_net_name                   Name of source network object, not to exceed 16 characters. This value must match network name exactly.
dst_net_name                   Name of destination network object, not to exceed 16 characters. This value must match network name exactly.
serv_name                      Name of service object, not to exceed 16 characters.
allow                          Let packets pass through the firewall.
allow-log                      Let packets through the firewall and log the activity.
allow-auth group_name          Let packets pass if the source IP address has been authenticated against the group_name (length not to exceed 16 characters). This value must match network-group name exactly.
reject                         Drop all packets matching the policy.
log                            Drop all matching packets and log the activity.
url-b                          Filters HTTP traffic (TCP connection with a destination port of 80 or 8080) using the black (url-b) URL list.
url-w                          Filters HTTP traffic using the white (url-w) URL list. HTTP access to URLs matching an entry in the white URL list are allowed, non-matching URLs are blocked.
cls name                       Let packets pass through the firewall if the application message type matches one of the 10 type names. Names must not exceed 16 characters.
before or after policy_name    Place policy before or after the policy cited by policy_name (which must already have been set). If not specified, the object will be the last listed.
first                          Place policy first.
bidirectional                  Policy applies in both directions. That is, for a session initiated at the source as well as the destination.

Note: If the action is allow-auth the group_name must be specified. All users who are members of this group are allowed authenticated access. Also, be sure to match the group_name and AAA group name.

Syntax of the no Form


The no form of this command disables an earlier configured policy:
no ip firewall policy policy_name

Defaults
Deny all

Mode
Global configuration: XSR(config)#


Example
The following policy allows FTP access to a host. Be aware that the host's source IP address will be authenticated against the group sales-group.
XSR(config)#ip firewall network sales-host 192.168.100.2 mask 255.255.255.255 internal
XSR(config)#ip firewall policy allow-eng-ftp ANY_INTERNAL sales-host ftp allow-auth sales-group
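
The naming, overlap and gating-rule notes in the ip firewall network, network-group and policy entries can be checked offline before a load. The following Python script is an added example, not part of this guide or of XSR software: the finding labels, function names and sample configuration are constructed, and it assumes configuration lines typed with unabbreviated keywords.

```python
import ipaddress
import re

NAME_RE = re.compile(r"^[A-Za-z0-9_-]+$")      # character set the guide allows
INTRINSIC = {"ANY_INTERNAL": "internal", "ANY_EXTERNAL": "external"}
PLACEMENT = {"before", "after", "first", "bidirectional"}

# Constructed sample configuration (not from the guide).
SAMPLE = """\
ip firewall network sales 192.168.100.0 mask 255.255.255.0 internal
ip firewall network lab 192.168.100.128 mask 255.255.255.128 external
ip firewall network remote-access 10.1.1.0 mask 255.255.255.0 external
ip firewall network-group private-net sales Remote-Access
ip firewall policy allow-eng-ftp ANY_INTERNAL sales ftp allow-auth
ip firewall policy web-out private-net ANY_EXTERNAL http allow
"""

def parse(config):
    """Collect network objects, network groups and policies from config text."""
    nets, groups, policies = {}, {}, []
    for line in config.splitlines():
        tok = line.split()
        if tok[:3] == ["ip", "firewall", "network"] and len(tok) >= 7:
            name, rest, side = tok[3], tok[4:-1], tok[-1]
            if rest[1] == "mask":                      # base address and mask
                net = ipaddress.ip_network(f"{rest[0]}/{rest[2]}", strict=False)
                lo, hi = net[0], net[-1]
            else:                                      # start and end addresses
                lo, hi = (ipaddress.ip_address(a) for a in rest)
            nets[name] = (int(lo), int(hi), side)
        elif tok[:3] == ["ip", "firewall", "network-group"]:
            groups[tok[3]] = tok[4:]
        elif tok[:3] == ["ip", "firewall", "policy"] and len(tok) >= 8:
            policies.append({"name": tok[3], "src": tok[4], "dst": tok[5],
                             "action": tok[7], "args": tok[8:]})
    return nets, groups, policies

def expand(name, nets, groups, seen=()):
    """Network objects that a policy source/destination name expands to."""
    if name in INTRINSIC:
        return {n for n, v in nets.items() if v[2] == INTRINSIC[name]}
    if name in nets:
        return {name}
    if name in groups and name not in seen:            # nested groups, no loops
        members = (expand(m, nets, groups, seen + (name,)) for m in groups[name])
        return set().union(*members)
    return set()                                       # unresolved reference

def lint(config):
    """Return findings worth reviewing before 'ip firewall load'."""
    nets, groups, policies = parse(config)
    defined = set(nets) | set(groups) | set(INTRINSIC)
    out = []
    for name in list(nets) + list(groups):
        if not NAME_RE.match(name) or len(name) > 16:
            out.append(f"bad-name {name}")
    items = sorted(nets.items())
    for i, (a, (alo, ahi, aside)) in enumerate(items):
        for b, (blo, bhi, bside) in items[i + 1:]:
            if aside != bside and alo <= bhi and blo <= ahi:
                out.append(f"overlap {a} {b}")         # internal/external ambiguity
    for group, members in groups.items():
        # Names are case-sensitive, so Remote-Access does not match remote-access.
        out += [f"unknown-member {group} {m}" for m in members if m not in defined]
    for p in policies:
        out += [f"unknown-network {p['name']} {r}"
                for r in (p["src"], p["dst"]) if r not in defined]
        if p["action"] == "allow-auth" and (not p["args"] or p["args"][0] in PLACEMENT):
            out.append(f"missing-auth-group {p['name']}")
    return out

def gating_rules(config):
    """Source x destination expansion count per policy, as the guide describes."""
    nets, groups, policies = parse(config)
    return {p["name"]: len(expand(p["src"], nets, groups)) *
                       len(expand(p["dst"], nets, groups)) for p in policies}

if __name__ == "__main__":
    print(lint(SAMPLE))
    print(gating_rules(SAMPLE))
```

The gating-rule count covers only the network source/destination expansion stated in the Notes; the RAM-dependent limit itself is not given in this entry.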

ip firewall redirectURL
This command redirects a user's HTTP access to the specified redirectURL page if that user attempts to access a URL not permitted by the white URL list. If redirectURL is not configured, the XSR generates a default blocked page.
Note: This command takes effect immediately.

Syntax
ip firewall redirectURL redirect_url_string

redirect_url_string    A valid URL string of up to 63 characters.

Syntax of the no Form

The no form of this command removes a previously configured redirectURL:
no ip firewall redirectURL

Mode
Global configuration: XSR(config)#

Example
The following example redirects a user to the specified URL site:
XSR(config)#ip firewall redirecturl www.companyXYZ.com.

ip firewall rpc timeout


This command sets the idle session timeout on packet inspection for Remote Procedure Call (RPC) based applications. This Application Level Gateway (ALG) supports two types of RPCs - SUN (used by most UNIX systems) and Microsoft. If the RPC-based session is idle for the specified period, it will be shut down.

Syntax
ip firewall rpc {microsoft-rpc | sun-rpc} timeout number

microsoft-rpc    ALG packet inspection for Microsoft traffic.
sun-rpc          ALG packet inspection for SUN traffic.
number           Idle session timeout, ranging from 5 to 86400 seconds.



Syntax of the no Form


The no form of this command sets the default RPC timeout value:
no ip firewall rpc timeout

Default
5 seconds

Mode
Global configuration: XSR(config)#

Example
The following example resets the Microsoft RPC idle timeout interval to 10 minutes:
XSR(config)#ip firewall rpc microsoft-rpc timeout 6000

ip firewall service
This command defines a service object which reflects an application, its transport protocol (TCP or UDP), protocol type and port number ranges. The XSR supports a number of pre-defined services which can be viewed with show ip firewall user-services. Services can be directly cited in policy objects or you can add your own service. Intrinsic services ANY_TCP and ANY_UDP are available for all TCP or UDP ports.
A service is comprised of a source and destination port range, and protocol. For flexibility, port ranges can be specified using qualifiers such as eq, lt and gt which are also available for configuring access lists.
A name for any firewall object must use these alphanumeric characters only: A-Z (upper or lower case), 0-9, - (dash), or _ (underscore). Also, all firewall object names are case-sensitive.
Note: The show ip firewall service command displays pre-defined services.

Syntax
ip firewall service name <source-port-range> <dest-port-range> <protocol>
ip firewall service name {eq <0-65535> | gt <0-65535> | lt <0-65535> | range <0-65535> <0-65535>} {eq <0-65535> | gt <0-65535> | lt <0-65535> | range <0-65535> <0-65535>}{tcp | udp}

name                   Name of the protocol, not to exceed 16 characters.
eq                     Port range equals number specified.
gt                     Port range is strictly greater than the number specified, and less than or equal to 65535.
lt                     Port range is strictly less than the number specified.
range                  Explicit port range with the start and end ranges specified: <0-65535>
tcp or udp protocol    Transport protocol. The protocol value is case-sensitive.


Syntax of the no Form


The no form of this command disables the selected service:
no ip firewall service name

Mode
Global configuration: XSR(config)#

Example
The following example defines the FTP service (although this is unnecessary as it is one of the pre-defined services). The source port range could be any of the unreserved ports but the destination must be 21.
XSR(config)#ip firewall service ftp gt 1023 eq 21 range 21 22 tcp

ip firewall service-group
This command permits the aggregation of more than one service object, providing for easier policy configuration. Up to ten service objects (and service group) can be included in a service group.
A name for any firewall object must use these alphanumeric characters only: A-Z (upper or lower case), 0-9, - (dash), or _ (underscore). Also, all firewall object names are case-sensitive.

Syntax
ip firewall service-group name name1 ... name10

name               Name of the service group object, not to exceed 16 characters.
name1 to name10    Name of the service or service group objects.

Syntax of the no Form


The no form of this command disables an earlier configured service group:
no ip firewall service-group name

Mode
Global configuration: XSR(config)#

Example
The following example configures service group netbios with netbios1 and netbios2 using ports 137 and 138, respectively, included as service objects:
XSR(config)#ip firewall service netbios1 137-137 137-137 udp
XSR(config)#ip firewall service netbios2 138-138 138-138 udp
XSR(config)#ip firewall service-group netbios netbios1 netbios2


ip firewall tcp/udp timeout


This command resets the idle timeout interval for Firewall sessions applying TCP or UDP packet inspection. If the Firewall session is idle for the specified period, it will be shut down.

Syntax
ip firewall {tcp | udp} timeout <number>

tcp       Packet inspection for TCP traffic.
udp       Packet inspection for UDP traffic.
number    Idle timeout for TCP or UDP sessions, ranging from 60 to 86400 seconds.

Syntax of the no Form

The no form of this command sets the default TCP timeout value:
no ip firewall {tcp | udp} timeout

Default
60 seconds

Mode
Global configuration: XSR(config)#

Example
The following example sets the firewall session for UDP traffic to timeout if idle for 10 minutes:
XSR(config)#ip firewall udp timeout 6000

ip firewall url-load-black/white-list
This command clears the specified Black URL or the White URL database then reloads it from a specified file.

Syntax
ip firewall url-load-black-list | url-load-white-list filter_file_name

filter_file_name    Name of the ASCII file, containing up to 30 URL lists. The file name can be prefixed with the optional driver ID flash: or cflash:.

Syntax of the no Form

The no form of this command deletes a previously loaded URL list:
no ip firewall rpc timeout

Mode
Global configuration: XSR(config)#

Examples
The following examples configure valid inputs:
ip firewall url-load-black-list blacklist.txt
ip firewall url-load-black-list flash:blacklist.txt
ip firewall url-load-white-list cflash:whitelist.txt

Firewall Interface Commands

ip firewall disable

This command disables firewall operation on a particular interface discrete from its application globally. The command behaves separately and interactively at Global and Interface modes as follows:
- The system-level firewall is disabled by default.
- The interface-level firewall is enabled by default unless explicitly disabled.
- If the firewall is enabled, packet inspection will occur on all interfaces that have the firewall enabled at the interface level.
- A particular interface may be enabled but subsequently disabling the firewall globally overrides all enabled interfaces
- If you enable the firewall globally, all interfaces will be enabled until you subsequently disable a particular interface
- Enable displays in running-config, but not disable
- Even if you have not configured the firewall, entering ip firewall enable will turn on packet inspection.


Note: With the firewall enabled, source address validation (HostDoS checkspoof) is also enabled. This service can improve security in some situations but erroneously discard valid packets in situations where inbound and outbound paths differ as well as negatively impact some routing protocols.

Syntax
ip firewall disable

Syntax of the no Form


The no form of this command enables the firewall on a selected interface:
no ip firewall disable

Default
Enabled

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example disables the firewall on FastEthernet port 2 only:
XSR(config-if<F2>)#ip firewall disable

ip firewall ip-broadcast
This command allows incoming/outgoing IP packets through the firewall with 255.255.255.255 set as the destination address. It enables broadcast protocols such as DHCP to traverse the firewall.

Syntax
ip firewall ip-broadcast {in | out | both}

in or out    Allows packets to enter or exit the interface.
both         Allows packets to enter and exit the interface.

Syntax of the no Form

The no form of this command denies the selected broadcast packets:
no ip firewall ip-broadcast {in | out | both}

Default
IP broadcast packets are not allowed inbound and outbound.

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The example below allows broadcast filtering on outgoing packets only:
XSR(config-if<F2>)#ip firewall ip-broadcast out

ip firewall ip-multicast
This command allows incoming/outgoing IP packets with a multicast destination address through the firewall. It enables multicast protocols such as RIP and OSPF to traverse the firewall.

Syntax
ip firewall ip-multicast {in | out | both}

in or out    Allows packets to enter or exit the interface.
both         Allows packets to enter and exit the interface.

Syntax of the no Form

The no form of this command denies the selected multicast packets:
no ip firewall ip-multicast {in | out | both}

Default
Multicast packets are not allowed inbound and outbound.

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example permits multicast packets in both directions:
XSR(config-if<F1>)#ip firewall ip-multicast both

ip firewall ip-options
This command allows incoming/outgoing packets through the firewall with the following options: loose and strict source routing, record route, time stamp, all and other IP options.

Syntax
ip firewall ip-options {loose-source-route | strict-source-route | record-route | time-stamp | other | all} {in | out | both}

loose-source-route     Requests routing that includes the specified routers. This routing path includes a sequence of IP addresses a datagram must follow to its destination but allows multiple network hops between successive addresses on the list.
strict-source-route    Specifies an exact route through the Internet. This routing path includes a sequence of IP addresses a datagram must follow, hop by hop, from its source to destination. The path between two successive addresses in the list must consist of a single physical network.
record-route           Traces a route. It allows the source to create an empty list of IP addresses and arrange for each router that handles a datagram to add its IP address to the list. When a datagram arrives, the destination device can extract and process the list of addresses.
time-stamp             Records timestamps along a route. It is similar to the record route option in that every router from source to destination adds its IP address, and a timestamp, to the list. The timestamp notes the time and date a router handled the datagram, expressed in milliseconds since midnight, Universal Time.
other                  Any IP option other than those explicitly supported by the command.
all                    All IP options allowed.
in or out              Packets entering or exiting an interface.
both                   Packets entering and exiting an interface.

Syntax of the no Form


The no form of this command disables the selected IP option:
no ip firewall ip-options {loose-source-route | strict-source-route | record-route | time-stamp | other | all} {in | out | both}

Default
IP options are not allowed inbound and outbound.

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example sets loose source routing on both incoming and outgoing packets at F2:
XSR(config-if<F2>)#ip firewall ip-op loose-source-route both

ip firewall sync-attack-protect
The SYNC attack monitor/blocker isolates a host that generates a flood of SYNC packets to the XSR's firewall and blocks traffic from that specific host, while allowing data packets to pass.

Syntax
ip firewall sync-attack-protect {block-host | check-host | sync-queue} threshold [threshold]

block-host    Block host when sync packet rate exceeds this value (sync packets/sec). The XSR can block up to 20 hosts at any given time. When blocked, all sync packets to and from the host are dropped, while other packets are allowed to go through. The XSR automatically unblocks the host when the sync packet rate of the host drops to zero for 25 seconds. Threshold range is 10-5,000, default is 100
check-host    Starts to monitor sync packet rate of each host of a Class C subnet if the sync packet rate of the subnet exceeds this value. The XSR can monitor up to 3,000 class C subnets. Threshold range is 10-5,000, default is 100
sync-queue    Initiates sync attack protection when sync backlog queue exceeds this value. Range is 50 to 5,000, default is 500.
threshold     The limit in which the above parameters are enabled.

Syntax of the no Form


The no form of this command disables the function:
no ip firewall sync-attack-protect {block-host | check-host | sync-queue} threshold

Mode
Interface configuration: XSR(config-if<xx>)#

Example
The following example blocks the host when the sync packets exceed 1000 packets per second:
XSR(config-if<F2>)#ip firewall sync-attack-protect block-host threshold 1000
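
To see how the block-host and check-host thresholds interact when tuning them, the following Python model replays per-second SYN counts through the rules stated in the parameter descriptions. It is an added example built only from this entry's text, not XSR code: it assumes one-second rate samples and that sync-queue protection is already active, and the function names and traffic trace are constructed.

```python
import ipaddress
from collections import defaultdict

UNBLOCK_IDLE_SECS = 25   # guide: unblock once the host's SYN rate is zero for 25 seconds
MAX_BLOCKED_HOSTS = 20   # guide: up to 20 hosts can be blocked at a time

def class_c(ip):
    """Class C (/24) subnet containing ip."""
    return ipaddress.ip_network(f"{ip}/24", strict=False)

def simulate(per_second, block_host=100, check_host=100):
    """per_second: one {source_ip: syn_count} dict per second of traffic.
    Returns (second, event, host) tuples for every block and unblock."""
    idle = {}                                  # blocked host -> seconds at zero rate
    events = []
    for t, counts in enumerate(per_second):
        subnet_rate = defaultdict(int)
        for ip, n in counts.items():
            subnet_rate[class_c(ip)] += n
        # Hosts are only examined in subnets whose rate exceeds check-host.
        for ip, n in sorted(counts.items()):
            if (ip not in idle and subnet_rate[class_c(ip)] > check_host
                    and n > block_host and len(idle) < MAX_BLOCKED_HOSTS):
                idle[ip] = 0
                events.append((t, "block", ip))
        for ip in sorted(idle):
            if counts.get(ip, 0) > 0:
                idle[ip] = 0                   # still sending SYNs: stay blocked
            else:
                idle[ip] += 1
                if idle[ip] >= UNBLOCK_IDLE_SECS:
                    del idle[ip]
                    events.append((t, "unblock", ip))
    return events

def constructed_trace():
    """Constructed traffic: a 3-second flood from one host, then silence."""
    flood = {"192.168.50.4": 1500, "192.168.50.10": 5}
    quiet = {"192.168.50.10": 5}
    return [flood] * 3 + [quiet] * 30

if __name__ == "__main__":
    for event in simulate(constructed_trace(), block_host=1000):
        print(event)
```

With block-host set to 1000 as in the example command, the flooding host is blocked in the first second and released 25 idle seconds after its last SYN, while the low-rate host in the same subnet is never blocked.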

Firewall Show Commands

show ip firewall config

Since the firewall is configured in a two-step process, the XSR provides a means to view the uncommitted configuration. This command displays the firewall configuration combining existing commands with those entered recently, which permits a view of the complete firewall configuration with modifications.
If no firewall commands were executed since the last load then the running configuration will be displayed.
If this command is issued after the firewall commands were entered but before a firewall load was performed, the following text appears:
Uncommitted Firewall Configuration:

If the command is issued after a firewall load was performed, the following text appears:
Committed Firewall Configuration:

Syntax
show ip firewall config

Mode
EXEC or Privileged EXEC Mode: XSR> or XSR#

Sample Output
The following is sample output of the command:
Firewall configuration
Modified but not loaded: Yes
Ip firewall network dmz 220.150.2.16/28 internal
Ip firewall network private 220.150.2.32/28 internal
!
! Log only critical events
!
ip firewall system event-threshold 3
!
! Policies: between private and dmz
!
Ip firewall policy private dmz HTTP allow
Ip firewall policy dmz private HTTP allow
Ip firewall policy private dmz SMTP allow
Ip firewall policy dmz private SMTP allow
!
! Policies: between dmz and external
!
Ip firewall policy ANY_EXTERNAL dmz HTTP allow
Ip firewall policy dmz ANY_EXTERNAL HTTP allow
Ip firewall policy ANY_EXTERNAL dmz SMTP allow
Ip firewall policy dmz ANY_EXTERNAL SMTP allow
!
! Policy: Allow any from private to the external
!
Ip firewall private ANY_EXTERNAL any allow
!
ip firewall filter private dmz 17
ip firewall filter private ANY_EXTERNAL 17
ip firewall filter ANY_EXTERNAL dmz 17

displays configuration objects associated with the firewall and values which are always in effect:
Modified firewall configuration:
ip firewall Network Dmz 220.150.2.16/28 Internal
ip firewall Network Private 220.150.2.32/28 Internal
ip firewall system event-threshold 3
ip firewall policy private dmz http allow
ip firewall policy dmz private http allow
ip firewall policy private dmz smtp allow
ip firewall policy dmz private smtp allow
ip firewall policy any_external dmz http allow
ip firewall policy dmz any_external http allow
ip firewall policy any_external dmz smtp allow
ip firewall policy dmz any_external smtp allow
ip firewall private any_external any allow
ip firewall filter private dmz 17
ip firewall filter private any_external 17
ip firewall filter any_external dmz 17
Values always in effect:
ip firewall udp timeout 3600
ip firewall icmp timeout 1200
ip firewall logging event-threshold 5
The Firewall is currently enabled

show ip firewall filter


This command displays all configured firewall filters.

Syntax
show ip firewall filter [name]


Mode
EXEC or Privileged EXEC Mode: XSR> or XSR#

Sample Output
The following output displays
Filter Name    Source Network    Destination Network    Protocol Name/Number    ICMP Type    Bi/Log
noICMP         dmz               private                ICMP                    N/A          Y/N

show ip firewall network


This static counter shows all network objects configured. If a network object name is specified then only that object is displayed.

Syntax
show ip firewall network [name]

Mode
EXEC or Privileged EXEC Mode: XSR> or XSR#

Sample Output
This output displays a network object for the Engineering firewall in the 192.168.100.0/24 range:
Name           Start Address    End Address        Internal/External
Engineering    192.168.100.1    192.168.100.254    internal

show ip firewall network-group


This static counter shows all network group objects. If a network group object is also specified then only that network group is displayed.
Note: Although ANY_INTERNAL and ANY_EXTERNAL objects do not display when this command is entered, entering show ip firewall ANY_INTERNAL or ANY_EXTERNAL will display the members of these intrinsic groups.

Syntax
show ip firewall network-group [name]

Mode
EXEC or Privileged EXEC Mode: XSR> or XSR#


Sample Output
The output below displays network objects for the Private-network and Partner-networks groups. Note that only member objects names are shown. You can enter the show ip firewall network command to get address ranges of each network object.
Name Private-network Partner-networks ext192 int Network (group) objects internet Remote-access 10.1.0.0/16 dmz ext253 ext254 int40

show ip firewall service


This static counter displays all configured service objects. It includes three versions:
- Show ip firewall service - Displays all services, pre-defined and user-defined.
- Show ip firewall user-defined - Displays user-defined services only.
- Show ip firewall service name - Displays a specific service object identified by name.

Syntax
show ip firewall service [user-defined | name]

user-defined    Lists user-defined services only.
name            Name of a service object.

Mode
EXEC or Privileged EXEC Mode: XSR> or XSR#

Sample Output
The following output displays firewall service objects:
Name       Source port range    Destination port range    Protocol
ftp        1024-65535           21-21                     tcp
netbios    137-137              137-137                   udp

show ip firewall service-group


This static counter displays all service group objects. If the optional service group name is specified then only that service group object is displayed.

Syntax
show ip firewall service-group [name]


Mode
EXEC or Privileged EXEC Mode: XSR> or XSR#

Sample Output
The following output displays firewall service group data:
Name                   Service objects
all-my-tcp-services    my-ftp my-telnet

show ip firewall policy


This static counter displays all policy objects in the order they will be applied. If a name is specified then only that policy object is displayed.

Syntax
show ip firewall policy [name]

name    Name of the policy object to display.

Mode
EXEC or Privileged EXEC Mode: XSR> or XSR#

Sample Output
The following sample output displays configured firewall policies:
Name       Source Network    Destination Network    Service    Action
outftp     admin             ANY_EXTERNAL           ftp        allow
outhttp    priv-network      ANY_EXTERNAL           http       allow
inftp      partner1          sales                  ftp        allow-auth mkt

show ip firewall sessions


This dynamic counter displays firewall data regarding TCP, UDP and ICMP sessions that have passed through the firewall since it was enabled.

Syntax
show ip firewall sessions [tcp | udp | icmp]

tcp     Displays only TCP sessions.
udp     Displays only UDP sessions.
icmp    Displays only ICMP sessions.

Note: Sessions do not display for IP broadcast packets.


Mode
EXEC or Privileged EXEC Mode: XSR> or XSR#

Default
If no options are specified all sessions are displayed.

Sample Output
The following sample output displays current firewall sessions:
XSR#show ip firewall sessions icmp
Source Address     Port    Dest. Address    Port    Protocol    Creation Time/Date
192.168.100.100    0       192.168.1.103    0       ICMP        20:28:02 03-01-2002
192.168.100.100    0       192.168.1.20     0       ICMP        20:28:42 03-01-2002

show ip firewall auth


This dynamic counter displays the IP addresses that have been authenticated along with the group name.

Syntax
show ip firewall auth

Mode
EXEC or Privileged EXEC Mode: XSR> or XSR#

Sample Output
The following sample output displays host authentication data:
XSR#show ip firewall auth
IP Address      Groupname    Idle Time (secs)
192.168.1.10    Sales        45

show ip firewall general


This dynamic counter displays firewall summary statistics.

Syntax
show ip firewall general

Mode
EXEC or Privileged EXEC Mode: XSR> or XSR#


Sample Output
The following sample output displays summary statistics:
Overall Firewall Status: Enabled
Protected Interfaces: FastEthernet2
Unprotected Interfaces: FastEthernet1
Session Information
-------------------------------------------------------
         active    peak    blocked    last blocked at (UTC)
TCP      65        6531    0          N/A
UDP      5         1271    0          N/A
ICMP     0         0       3          08:20:12 FEB-03-2005
Total    0         0       3
Blocked DOS Attacks
-------------------
Land: 0
Christmas Tree: 0
Ping of Death: 0
Anti-Spoofing: 0
ICMP Flood: 0
Smurf: 0
SYN Flood: 370393
Tear Drop: 0
TCP Backlog Queue Length: 23
TCP Backlog Queue Congested: Yes
Subnets tracked = 43, Subnets exceeding check-host-threshold = 1,
Total TCP Sessions = 1230268, TCP session Rate = 1509/sec
Sync Attack Source hosts blocked: 192.168.50.4 192.168.50.99
Sync Attack Victim hosts blocked:
Number of Gating Rules: 2

External Hosts 867 234 0

show ip firewall URLList


This command displays the configured URL filter information.

Syntax
show ip firewall URLList


Mode
EXEC or Privileged EXEC Mode: XSR> or XSR#

Example
The following is sample output from the command:
show ip firewall urLlist
Black URLs from File: blacklist.txt
1. www.cisco.com
2. www.playboy.com
3. readme.eml
4. amber.cl

White URLs from File: NOT LOADED
Redirect URL: www.msnbc.com
