Cisco IOS IP Application Services Configuration Guide, Release 12.4
Configuration Guide
Release 12.4
Corporate Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 526-4100
THE SOFTWARE LICENSE AND LIMITED WARRANTY FOR THE ACCOMPANYING PRODUCT ARE SET FORTH IN THE INFORMATION PACKET THAT
SHIPPED WITH THE PRODUCT AND ARE INCORPORATED HEREIN BY THIS REFERENCE. IF YOU ARE UNABLE TO LOCATE THE SOFTWARE LICENSE
OR LIMITED WARRANTY, CONTACT YOUR CISCO REPRESENTATIVE FOR A COPY.
The Cisco implementation of TCP header compression is an adaptation of a program developed by the University of California, Berkeley (UCB) as part of UCB’s public
domain version of the UNIX operating system. All rights reserved. Copyright © 1981, Regents of the University of California.
NOTWITHSTANDING ANY OTHER WARRANTY HEREIN, ALL DOCUMENT FILES AND SOFTWARE OF THESE SUPPLIERS ARE PROVIDED “AS IS” WITH
ALL FAULTS. CISCO AND THE ABOVE-NAMED SUPPLIERS DISCLAIM ALL WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT
LIMITATION, THOSE OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF
DEALING, USAGE, OR TRADE PRACTICE.
IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, OR INCIDENTAL DAMAGES, INCLUDING,
WITHOUT LIMITATION, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE THIS MANUAL, EVEN IF CISCO
OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
CCSP, CCVP, the Cisco Square Bridge logo, Follow Me Browsing, and StackWise are trademarks of Cisco Systems, Inc.; Changing the Way We Work,
Live, Play, and Learn, and iQuick Study are service marks of Cisco Systems, Inc.; and Access Registrar, Aironet, BPX, Catalyst, CCDA, CCDP,
CCIE, CCIP, CCNA, CCNP, Cisco, the Cisco Certified Internetwork Expert logo, Cisco IOS, Cisco Press, Cisco Systems, Cisco Systems Capital,
the Cisco Systems logo, Cisco Unity, Enterprise/Solver, EtherChannel, EtherFast, EtherSwitch, Fast Step, FormShare, GigaDrive, GigaStack, HomeLink,
Internet Quotient, IOS, IP/TV, iQ Expertise, the iQ logo, iQ Net Readiness Scorecard, LightStream, Linksys, MeetingPlace, MGX, the Networkers logo,
Networking Academy, Network Registrar, Packet, PIX, Post-Routing, Pre-Routing, ProConnect, RateMUX, ScriptShare, SlideCast, SMARTnet,
The Fastest Way to Increase Your Internet Quotient, and TransPath are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the
United States and certain other countries.
All other trademarks mentioned in this document or Website are the property of their respective owners. The use of the word partner does not imply a
partnership relationship between Cisco and any other company. (0601R)
Any Internet Protocol (IP) addresses used in this document are not intended to be actual addresses. Any examples, command display output, and figures included in the
document are shown for illustrative purposes only. Any use of actual IP addresses in illustrative content is unintentional and coincidental.
Audience xix
PART 1: IP SERVICES
Configuring IP Services 3
Contents 3
Managing IP Connections 3
Enabling ICMP Protocol Unreachable Messages 4
Configuring IP Accounting 9
Configuring IP MAC Accounting 10
Configuring IP Precedence Accounting 11
Monitoring and Maintaining the IP Network 11
Clearing Caches, Tables, and Databases 11
Monitoring and Maintaining the DRP Server Agent 12
Displaying System and Network Statistics 12
IP Services Configuration Examples 12
ICMP Services: Example 12
DRP Server Agent: Example 13
IP Accounting: Example 13
Contents 17
Feature Overview 35
Benefits 36
Related Documents 36
Supported Platforms 36
Configuration Tasks 37
Defining a Time Range 37
Referencing the Time Range 37
Verifying Distributed Time-Based Access Lists 38
Configuration Examples 38
Command Reference 39
Glossary 40
Where to Go Next 63
Additional References 63
Related Documents 64
Standards 64
MIBs 64
RFCs 64
Technical Assistance 64
Command Reference 65
Contents 67
Additional References 71
Related Documents 71
Standards 71
MIBs 72
RFCs 72
Technical Assistance 72
Command Reference 72
Contents 73
Restrictions for the ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry Feature 74
Information About the ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry Feature 74
Benefits of Using the ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry Feature 74
How to Configure an Access List Entry with Noncontiguous Ports 74
Configuring an Access Control Entry with Noncontiguous Ports 74
Consolidating Access List Entries with Noncontiguous Ports into One Access List Entry 76
Configuration Examples for the ACL—Support for Noncontiguous Ports on an Access List Entry Feature 78
Creating an Access List Entry with Noncontiguous Ports: Example 78
Consolidating Some Existing Access List Entries into One Access List Entry with Noncontiguous Ports: Example 78
Additional References 79
Related Documents 79
Standards 79
MIBs 80
RFCs 80
Technical Assistance 80
Command Reference 80
PART 3: TCP
Contents 83
Feature Overview 87
Benefits 87
Related Features and Technologies 88
Related Documents 88
Supported Platforms 88
Prerequisites 89
Configuration Tasks 89
Setting the TCP Window Size 90
Verifying the Window Scaling Configuration 90
Troubleshooting Tips 90
Configuration Examples 90
Command Reference 90
Glossary 91
Contents 93
Additional References 94
Related Documents 94
MIBs 94
Technical Assistance 94
Command Reference 94
ip wccp 164
Contents 181
Prerequisites 211
Delaying the Initialization of HSRP on an Interface 213
Troubleshooting Tips 215
Configuring HSRP Priority and Preemption 215
HSRP Priority and Preemption 215
How Object Tracking Affects the Priority of an HSRP Router 215
Configuring HSRP Object Tracking 217
Configuring HSRP Authentication 219
How HSRP MD5 Authentication Works 219
Benefits of HSRP MD5 Authentication 220
Restrictions 220
Configuring HSRP MD5 Authentication Using a Key String 220
Configuring HSRP MD5 Authentication Using a Key Chain 222
Troubleshooting HSRP MD5 Authentication 224
Configuring HSRP Text Authentication 225
Customizing HSRP 227
HSRP Timers 227
HSRP MAC Refresh Interval 227
Troubleshooting Tips 228
Configuring Multiple HSRP Groups for Load Balancing 229
Enabling HSRP Support for ICMP Redirects 231
ICMP Redirects to Active HSRP Routers 231
ICMP Redirects to Passive HSRP Routers 232
ICMP Redirects to Non-HSRP Routers 232
Passive HSRP Router Advertisements 233
ICMP Redirects Not Sent 233
Configuring HSRP Virtual MAC Addresses or BIA MAC Addresses 234
Restrictions 235
Linking IP Redundancy Clients to HSRP Groups 236
Prerequisites 236
Changing to HSRP Version 2 237
HSRP Version 2 Design 237
Restrictions 238
Configuring SSO-Aware HSRP (Cisco IOS Release 12.2(25)S) 239
SSO Dual-Route Processors and Cisco Nonstop Forwarding 240
HSRP and SSO Working Together 240
Enabling SSO Aware HSRP 240
Verifying SSO Aware HSRP 241
Enabling HSRP MIB Traps 243
Configuration Examples for HSRP 244
Contents 255
Glossary 282
Contents 285
Examples 291
Tracking the Threshold of IP-Route Metrics 292
Scaled Route Metrics 292
Examples 294
Tracking IP SLAs Operations 294
Tracking the State of an IP SLAs Operation 295
Examples 296
Tracking the Reachability of an IP SLAs IP Host 296
Examples 297
Configuring a Tracked List and Boolean Expression 298
Prerequisites 298
Configuring a Tracked List and Threshold Weight 299
Prerequisites 299
Restrictions 300
Configuring a Tracked List and Threshold Percentage 301
Prerequisites 301
Restrictions 301
Configuring the Track List Defaults 302
Configuration Examples for Enhanced Object Tracking 303
Interface Line Protocol: Example 304
Interface IP Routing: Example 304
IP-Route Reachability: Example 305
IP-Route Threshold Metric: Example 306
IP SLAs IP Host Tracking: Example 306
Boolean Expression for a Tracked List: Example 306
Threshold Weight for a Tracked List: Example 307
Threshold Percentage for a Tracked List: Example 308
Additional References 308
Related Documents 308
Standards 308
MIBs 308
RFCs 309
Technical Assistance 309
Glossary 310
This chapter describes the objectives, audience, organization, and conventions of Cisco IOS software
documentation. It also provides sources for obtaining documentation, technical assistance, and
additional publications and information from Cisco Systems. It contains the following sections:
• Documentation Objectives, page xix
• Audience, page xix
• Documentation Organization for Cisco IOS Release 12.4, page xx
• Document Conventions, page xxvi
• Obtaining Documentation, page xxvii
• Documentation Feedback, page xxviii
• Cisco Product Security Overview, page xxix
• Obtaining Technical Assistance, page xxx
• Obtaining Additional Publications and Information, page xxxi
Documentation Objectives
Cisco IOS software documentation describes the tasks and commands available to configure and
maintain Cisco networking devices.
Audience
The Cisco IOS software documentation set is intended primarily for users who configure and maintain
Cisco networking devices (such as routers and switches) but who may not be familiar with the
configuration and maintenance tasks, the relationship among tasks, or the Cisco IOS software commands
necessary to perform particular tasks. The Cisco IOS software documentation set is also intended for
those users experienced with Cisco IOS software who need to know about new features, new
configuration options, and new software characteristics in the current Cisco IOS software release.
Note In some cases, information contained in Release 12.2T and 12.3T feature documents augments or
supersedes content in the accompanying documentation. Therefore it is important to review all
feature documents for a particular technology.
Table 1 lists the Cisco IOS Release 12.4 configuration guides and command references.
Table 1 Cisco IOS Release 12.4 Configuration Guides and Command References
Table 2 lists the documents and resources that support the Cisco IOS Release 12.4 software
configuration guides and command references.
Table 2 Cisco IOS Release 12.4 Supporting Documents and Resources
Document Conventions
Within Cisco IOS software documentation, the term router is generally used to refer to a variety of Cisco
products (for example, routers, access servers, and switches). Routers, access servers, and other
networking devices that support Cisco IOS software are shown interchangeably within examples. These
products are used only for illustrative purposes; that is, an example that shows one product does not
necessarily indicate that other products are not supported.
The Cisco IOS documentation set uses the following conventions:
Convention Description
^ or Ctrl The ^ and Ctrl symbols represent the Control key. For example, the key combination ^D or Ctrl-D means hold down the Control key while you press the D key. Keys are indicated in capital letters but are not case sensitive.
string A string is a nonquoted set of characters shown in italics. For example, when setting an SNMP community string to public, do not use quotation marks around the string or the string will include the quotation marks.
Convention Description
bold Bold text indicates commands and keywords that you enter literally as shown.
italics Italic text indicates arguments for which you supply values.
[x] Square brackets enclose an optional element (keyword or argument).
| A vertical line indicates a choice within an optional or required set of keywords or arguments.
[x | y] Square brackets enclosing keywords or arguments separated by a vertical line indicate an optional choice.
{x | y} Braces enclosing keywords or arguments separated by a vertical line indicate a required choice.
Nested sets of square brackets or braces indicate optional or required choices within optional or required elements. For example:
Convention Description
[x {y | z}] Braces and a vertical line within square brackets indicate a required choice within an optional element.
Convention Description
screen Examples of information displayed on the screen are set in Courier font.
bold screen Examples of text that you must enter are set in Courier bold font.
< > Angle brackets enclose text that is not printed to the screen, such as passwords, and are used in contexts in which the italic document convention is not available, such as ASCII text.
! An exclamation point at the beginning of a line indicates a comment line. (Exclamation points are also displayed by the Cisco IOS software for certain processes.)
[ ] Square brackets enclose default responses to system prompts.
The following conventions are used to attract the attention of the reader:
Caution Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.
Note Means reader take note. Notes contain suggestions or references to material not covered in the manual.
Timesaver Means the described action saves time. You can save time by performing the action described in the paragraph.
Obtaining Documentation
Cisco documentation and additional literature are available on Cisco.com. Cisco also provides several
ways to obtain technical assistance and other technical resources. These sections explain how to obtain
technical information from Cisco Systems.
Cisco.com
You can access the most current Cisco documentation and technical support at this URL:
http://www.cisco.com/techsupport
Ordering Documentation
Beginning June 30, 2005, registered Cisco.com users may order Cisco documentation at the Product
Documentation Store in the Cisco Marketplace at this URL:
http://www.cisco.com/go/marketplace/
Nonregistered Cisco.com users can order technical documentation from 8:00 a.m. to 5:00 p.m.
(0800 to 1700) PDT by calling 1 866 463-3487 in the United States and Canada, or elsewhere by
calling 011 408 519-5055. You can also order documentation by e-mail at
tech-doc-store-mkpl@external.cisco.com or by fax at 1 408 519-5001 in the United States and Canada,
or elsewhere at 011 408 519-5001.
Documentation Feedback
You can rate and provide feedback about Cisco technical documents by completing the online feedback
form that appears with the technical documents on Cisco.com.
You can send comments about Cisco documentation to bug-doc@cisco.com.
You can submit comments by using the response card (if present) behind the front cover of your
document or by writing to the following address:
Cisco Systems
Attn: Customer Document Ordering
170 West Tasman Drive
San Jose, CA 95134-9883
We appreciate your comments.
Tip We encourage you to use Pretty Good Privacy (PGP) or a compatible product to encrypt any sensitive
information that you send to Cisco. PSIRT can work from encrypted information that is compatible with
PGP versions 2.x through 8.x.
Never use a revoked or an expired encryption key. The correct public key to use in your correspondence
with PSIRT is the one linked in the Contact Summary section of the Security Vulnerability Policy page
at this URL:
http://www.cisco.com/en/US/products/products_security_vulnerability_policy.html
The link on this page has the current PGP key ID in use.
Note Use the Cisco Product Identification (CPI) tool to locate your product serial number before submitting
a web or phone request for service. You can access the CPI tool from the Cisco Technical Support &
Documentation website by clicking the Tools & Resources link. Choose Cisco Product Identification
Tool from the Alphabetical Index drop-down list, or click the Cisco Product Identification Tool link
under Alerts & RMAs. The CPI tool offers three search options: by product ID or model name; by tree
view; or for certain products, by copying and pasting show command output. Search results show an
illustration of your product with the serial number label location highlighted. Locate the serial number
label on your product and record the information before placing a service call.
• Internet Protocol Journal is a quarterly journal published by Cisco Systems for engineering
professionals involved in designing, developing, and operating public and private internets and
intranets. You can access the Internet Protocol Journal at this URL:
http://www.cisco.com/ipj
• Networking products offered by Cisco Systems, as well as customer support services, can be
obtained at this URL:
http://www.cisco.com/en/US/products/index.html
• Networking Professionals Connection is an interactive website for networking professionals to share
questions, suggestions, and information about networking products and technologies with Cisco
experts and other networking professionals. Join a discussion at this URL:
http://www.cisco.com/discuss/networking
• World-class networking training is available from Cisco. You can view current offerings at
this URL:
http://www.cisco.com/en/US/learning/index.html
This chapter provides tips for understanding and configuring Cisco IOS software using the
command-line interface (CLI). It contains the following sections:
• Understanding Command Modes, page xxxiii
• Getting Help, page xxxiv
• Using the no and default Forms of Commands, page xxxviii
• Saving Configuration Changes, page xxxviii
• Filtering Output from the show and more Commands, page xxxix
• Finding Additional Feature Support Information, page xxxix
For an overview of Cisco IOS software configuration, see the Cisco IOS Configuration Fundamentals
Configuration Guide.
For information on the conventions used in the Cisco IOS software documentation set, see the “About
Cisco IOS Software Documentation for Release 12.4” chapter.
ROM monitor mode is a separate mode used when the Cisco IOS software cannot load properly. If a valid
software image is not found when the software boots or if the configuration file is corrupted at startup,
the software might enter ROM monitor mode.
Table 1 describes how to access and exit various common command modes of the Cisco IOS software.
It also shows examples of the prompts displayed for each mode.
For more information on command modes, see the “Using the Cisco IOS Command-Line Interface”
chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.
Getting Help
Entering a question mark (?) at the CLI prompt displays a list of commands available for each command
mode. You can also get a list of keywords and arguments associated with any command by using the
context-sensitive help feature.
To get help specific to a command mode, a command, a keyword, or an argument, use one of the
following commands:
Command Purpose
help Provides a brief description of the help system in any command mode.
abbreviated-command-entry? Provides a list of commands that begin with a particular character string. (No space between command and question mark.)
abbreviated-command-entry<Tab> Completes a partial command name.
? Lists all commands available for a particular command mode.
command ? Lists the keywords or arguments that you must enter next on the command line. (Space between command and question mark.)
Command Comment

Command:
Router> enable
Password: <password>
Router#
Comment: Enter the enable command and password to access privileged EXEC commands. You are in privileged EXEC mode when the prompt changes to Router#.

Command:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#
Comment: Enter the configure terminal privileged EXEC command to enter global configuration mode. You are in global configuration mode when the prompt changes to Router(config)#.

Command:
Router(config)# interface serial ?
<0-6> Serial interface number
Router(config)# interface serial 4 ?
/
Router(config)# interface serial 4/ ?
<0-3> Serial interface number
Router(config)# interface serial 4/0 ?
<cr>
Router(config)# interface serial 4/0
Router(config-if)#
Comment: Enter interface configuration mode by specifying the serial interface that you want to configure using the interface serial global configuration command. Enter ? to display what you must enter next on the command line. In this example, you must enter the serial interface slot number and port number, separated by a forward slash. When the <cr> symbol is displayed, you can press Enter to complete the command. You are in interface configuration mode when the prompt changes to Router(config-if)#.

Command:
Router(config-if)# ?
Interface configuration commands:
.
.
.
ip Interface Internet Protocol config commands
keepalive Enable keepalive
lan-name LAN Name command
llc2 LLC2 Interface Subcommands
load-interval Specify interval for load calculation for an interface
locaddr-priority Assign a priority group
logging Configure logging for interface
loopback Configure internal loopback on an interface
mac-address Manually set interface MAC address
mls mls router sub/interface commands
mpoa MPOA interface configuration commands
mtu Set the interface Maximum Transmission Unit (MTU)
netbios Use a defined NETBIOS access list or enable name-caching
no Negate a command or set its defaults
nrzi-encoding Enable use of NRZI encoding
ntp Configure NTP
.
.
.
Router(config-if)#
Comment: Enter ? to display a list of all the interface configuration commands available for the serial interface. This example shows only some of the available interface configuration commands.

Command:
Router(config-if)# ip ?
Interface IP configuration subcommands:
access-group Specify access control for packets
accounting Enable IP accounting on this interface
address Set the IP address of an interface
authentication authentication subcommands
bandwidth-percent Set EIGRP bandwidth limit
broadcast-address Set the broadcast address of an interface
cgmp Enable/disable CGMP
directed-broadcast Enable forwarding of directed broadcasts
dvmrp DVMRP interface commands
hello-interval Configures IP-EIGRP hello interval
helper-address Specify a destination address for UDP broadcasts
hold-time Configures IP-EIGRP hold time
.
.
.
Router(config-if)# ip
Comment: Enter the command that you want to configure for the interface. This example uses the ip command. Enter ? to display what you must enter next on the command line. This example shows only some of the available interface IP configuration commands.

Command:
Router(config-if)# ip address ?
A.B.C.D IP address
negotiated IP Address negotiated over PPP
Router(config-if)# ip address
Comment: Enter the command that you want to configure for the interface. This example uses the ip address command. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP address or the negotiated keyword. A carriage return (<cr>) is not displayed; therefore, you must enter additional keywords or arguments to complete the command.

Command:
Router(config-if)# ip address 172.16.0.1 ?
A.B.C.D IP subnet mask
Router(config-if)# ip address 172.16.0.1
Comment: Enter the keyword or argument that you want to use. This example uses the 172.16.0.1 IP address. Enter ? to display what you must enter next on the command line. In this example, you must enter an IP subnet mask. A <cr> is not displayed; therefore, you must enter additional keywords or arguments to complete the command.

Command:
Router(config-if)# ip address 172.16.0.1 255.255.255.0 ?
secondary Make this IP address a secondary address
<cr>
Router(config-if)# ip address 172.16.0.1 255.255.255.0
Comment: Enter the IP subnet mask. This example uses the 255.255.255.0 IP subnet mask. Enter ? to display what you must enter next on the command line. In this example, you can enter the secondary keyword, or you can press Enter. A <cr> is displayed; you can press Enter to complete the command, or you can enter another keyword.

Command:
Router(config-if)# ip address 172.16.0.1 255.255.255.0
Router(config-if)#
Comment: In this example, Enter is pressed to complete the command.
It might take a minute or two to save the configuration. After the configuration has been saved, the
following output appears:
[OK]
Router#
On most platforms, this task saves the configuration to NVRAM. On the Class A flash file system
platforms, this task saves the configuration to the location specified by the CONFIG_FILE environment
variable. The CONFIG_FILE variable defaults to NVRAM.
For more information on the search and filter functionality, see the “Using the Cisco IOS Command-Line
Interface” chapter in the Cisco IOS Configuration Fundamentals Configuration Guide.
This module describes how to configure optional IP services. For a complete description of the IP
services commands in this chapter, refer to the Cisco IOS IP Application Services Command Reference,
Release 12.4. To locate documentation of other commands that appear in this module, use the command
reference master index, or search online.
Contents
• How to Configure IP Services, page 3
• Managing IP Connections, page 3
• Configuring IP Accounting, page 9
• Monitoring and Maintaining the IP Network, page 11
• IP Services Configuration Examples, page 12
Managing IP Connections
The IP suite offers a number of services that control and manage IP connections. Internet Control
Message Protocol (ICMP) provides many of these services. ICMP messages are sent by routers or access
servers to hosts or other routers when a problem is discovered with the Internet header. For detailed
information on ICMP, see RFC 792.
To manage various aspects of IP connections, perform the optional tasks described in the following
sections:
• Enabling ICMP Protocol Unreachable Messages, page 4 (optional)
• Enabling ICMP Redirect Messages, page 4 (optional)
• Enabling ICMP Mask Reply Messages, page 5 (optional)
• Understanding Path MTU Discovery, page 5 (optional)
• Setting the MTU Packet Size, page 6 (optional)
• Enabling IP Source Routing, page 6 (optional)
• Configuring a DRP Server Agent, page 7 (optional)
See the “ICMP Services: Example” section at the end of this chapter for examples of ICMP services.
Command Purpose
Router(config-if)# ip unreachables Enables the sending of ICMP protocol unreachable and host unreachable messages.
To limit the rate that ICMP destination unreachable messages are generated, use the following command
in global configuration mode:
Command Purpose
Router(config)# ip icmp rate-limit unreachable [df] milliseconds Limits the rate at which ICMP destination unreachable messages are generated.
To enable the sending of ICMP redirect messages if this feature was disabled, use the following
command in interface configuration mode:
Command Purpose
Router(config-if)# ip redirects Enables the sending of ICMP redirect messages to learn routes.
Command Purpose
Router(config-if)# ip mask-reply Enables the sending of ICMP mask reply messages.
Figure 1 (illustration): first router MTU = 1500; packet = 800 bytes with Don't fragment set; second router MTU = 512; "Unreachable" sent; packet dropped.
IP Path MTU Discovery is useful when a link in a network goes down, forcing the use of another,
different MTU-sized link (and different routers). As shown in Figure 1, suppose a router is sending IP
packets over a network where the MTU in the first router is set to 1500 bytes, but the second router is
set to 512 bytes. If the “Don’t fragment” bit of the datagram is set, the datagram would be dropped
because the 512-byte router is unable to forward it. All packets larger than 512 bytes are dropped in this
case. The second router returns an ICMP destination unreachable message to the source of the datagram
with its Code field indicating, “Fragmentation needed and DF set.” To support IP Path MTU Discovery,
it would also include the MTU of the next hop network link in the low-order bits of an unused header
field.
IP Path MTU Discovery is also useful when a connection is being established and the sender has no
information at all about the intervening links. It is always advisable to use the largest MTU that the links
will bear; the larger the MTU, the fewer packets the host must send.
Note IP Path MTU Discovery is a process initiated by end hosts. If an end host does not support IP Path
MTU Discovery, the receiving device will have no mechanism available to avoid fragmenting
datagrams generated by the end host.
If a router that is configured with a small MTU on an outbound interface receives packets from a host
that is configured with a large MTU (for example, receiving packets from a Token Ring interface and
forwarding them to an outbound Ethernet interface), the router fragments received packets that are larger
than the MTU of the outbound interface. Fragmenting packets slows the performance of the router. To
keep routers in your network from fragmenting received packets, run IP Path MTU Discovery on all
hosts and routers in your network, and always configure the largest possible MTU for each router
interface type.
To enable IP Path MTU Discovery for connections initiated by the router (when the router is acting as a
host), see the section “Enabling TCP Path MTU Discovery” later in this chapter.
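The exchange described above, modelled in Python as an added example (it is not part of the Cisco guide): a router drops a DF-set datagram larger than its outbound MTU and returns an ICMP Destination Unreachable, code 4, carrying the next-hop MTU, and a host shrinks its path MTU estimate from that feedback. The addresses, the datagram layout and the two-hop path are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

IPV4_DF = 0x4000          # Don't Fragment bit in the IPv4 flags/fragment-offset field
ICMP_DEST_UNREACH = 3     # ICMP type 3: destination unreachable (RFC 792)
ICMP_FRAG_NEEDED = 4      # code 4: "fragmentation needed and DF set"


def inet_checksum(data: bytes) -> int:
    """One's-complement checksum used by the IP and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_datagram(src: str, dst: str, payload: bytes, df: bool, ttl: int = 64) -> bytes:
    """Minimal 20-byte IPv4 header (no options) plus payload. Protocol 6 (TCP) and the
    identification value are constructed for the example."""
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, IPV4_DF if df else 0,
                      ttl, 6, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + payload


def df_set(datagram: bytes) -> bool:
    return bool(struct.unpack("!H", datagram[6:8])[0] & IPV4_DF)


def build_frag_needed(next_hop_mtu: int, dropped: bytes) -> bytes:
    """ICMP Destination Unreachable, code 4. As the text describes, the next-hop MTU goes in
    the low-order 16 bits of the otherwise unused second header word (RFC 1191); the body
    carries the dropped datagram's IP header plus its first 8 bytes so the host can match the flow."""
    body = dropped[:28]
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, ICMP_FRAG_NEEDED, 0, 0, next_hop_mtu)
    csum = inet_checksum(hdr + body)
    return hdr[:2] + struct.pack("!H", csum) + hdr[4:] + body


def parse_frag_needed(icmp: bytes):
    """Next-hop MTU advertised in a 'fragmentation needed' message, or None if the message
    is not a valid code 4 or the router left the field zero (no RFC 1191 support)."""
    if len(icmp) < 8 or inet_checksum(icmp) != 0:
        return None
    typ, code, _csum, _unused, mtu = struct.unpack("!BBHHH", icmp[:8])
    if typ != ICMP_DEST_UNREACH or code != ICMP_FRAG_NEEDED or mtu == 0:
        return None
    return mtu


def router_forward(egress_mtu: int, datagram: bytes):
    """The forwarding decision the text describes, for one router.
    Returns ('forward', datagram), ('fragment', fragment_count) or ('drop', icmp_message)."""
    if len(datagram) <= egress_mtu:
        return ("forward", datagram)
    if df_set(datagram):
        return ("drop", build_frag_needed(egress_mtu, datagram))
    # DF clear: the router fragments (the CPU cost the text warns about).
    # Fragment data must be a multiple of 8 bytes; each fragment repeats the 20-byte header.
    max_data = (egress_mtu - 20) // 8 * 8
    data_len = len(datagram) - 20
    return ("fragment", -(-data_len // max_data))


def discover_path_mtu(link_mtus, src="10.0.0.1", dst="10.0.1.1", start_mtu=1500):
    """Host-side IP Path MTU Discovery over a path of routers with the given outbound MTUs:
    send DF datagrams sized to the current estimate and shrink the estimate to the MTU
    each code 4 message advertises. Returns (final_path_mtu, [advertised MTUs received])."""
    pmtu, feedback = start_mtu, []
    for _ in range(len(link_mtus) + 1):   # never needs more rounds than there are hops
        dgram = build_ipv4_datagram(src, dst, b"A" * (pmtu - 20), df=True)
        for hop_mtu in link_mtus:
            verdict, result = router_forward(hop_mtu, dgram)
            if verdict == "drop":
                advertised = parse_frag_needed(result)
                if advertised is None:
                    raise ValueError("router gave no usable next-hop MTU; cannot converge")
                feedback.append(advertised)
                pmtu = advertised
                break
        else:
            return pmtu, feedback          # every hop forwarded: estimate is the path MTU
    return pmtu, feedback
```

With the text's two routers (MTU 1500 then 512), discover_path_mtu([1500, 512]) settles on 512 after one code 4 message; a DF-clear 800-byte datagram at the 512-byte router is instead split into two fragments.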
Command Purpose
Router(config-if)# ip mtu bytes Sets the IP MTU packet size for an interface.
IP provides a provision known as source routing that allows the source IP host to specify a route through
the IP network. Source routing is specified as an option in the IP header. If source routing is specified,
the software forwards the packet according to the specified source route. This feature is employed when
you want to force a packet to take a certain route through the network. The default is to perform source
routing.
To enable IP source-route header options if they have been disabled, use the following command in
global configuration mode:
Command Purpose
Router(config)# ip source-route Enables IP source routing.
Command Purpose
Router(config)# ip drp server Enables the DRP Server Agent.
Command Purpose
Router(config)# ip drp access-group access-list-number Controls the sources of valid DRP queries by applying a standard IP access list.
Command Purpose
Step 1 Router(config)# ip drp authentication key-chain name-of-chain Identifies which key chain to use to authenticate all DRP requests and responses.
Step 2 Router(config)# key chain name-of-chain Identifies a key chain (match the name configured in Step 1).
Step 3 Router(config-keychain)# key number In key-chain configuration mode, identifies the key number.
Step 4 Router(config-keychain-key)# key-string text In key-chain key configuration mode, identifies the key string.
Step 5 Router(config-keychain-key)# accept-lifetime start-time {infinite | end-time | duration seconds} (Optional) Specifies the time period during which the key can be received.
Step 6 Router(config-keychain-key)# send-lifetime start-time {infinite | end-time | duration seconds} (Optional) Specifies the time period during which the key can be sent.
When configuring your key chains and keys, be aware of the following guidelines:
• The key chain configured for the DRP Server Agent in Step 1 must match the key chain in Step 2.
• The key configured in the primary agent in the remote router must match the key configured in the
DRP Server Agent in order for responses to be processed.
• You can configure multiple keys with lifetimes, and the software will rotate through them.
• If authentication is enabled and multiple keys on the key chain happen to be active based on the
send-lifetime values, the software uses only the first key it encounters for authentication.
• Use the show key chain command to display key chain information.
Note To configure lifetimes for DRP authentication, you must configure time services for your router. For
information on setting time services, see the Network Time Protocol (NTP) and calendar commands
in the “Performing Basic System Management” chapter of the Cisco IOS Configuration
Fundamentals Configuration Guide.
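The following configuration is added here as a worked example of the preceding steps; it is not taken
from the original guide. The key chain name, key strings, dates, and the 192.0.2.0/24 addresses are
placeholders chosen for illustration. It shows the overlapping accept and send lifetimes needed to
roll from one key to the next without a window in which either side rejects the other, and it restricts
queries to the two primary agents that are expected to send them.

```cisco
! Added example (not from the original guide). Addresses, key chain name
! and key strings are placeholders.
!
! Two keys with overlapping accept lifetimes: key 1 is still accepted for
! a month after the agent stops sending with it, so a primary agent that
! rolls to key 2 late is not locked out. Send lifetimes do not overlap,
! so there is never a question of which key the software picks first.
key chain drp-keys
 key 1
  key-string k1-placeholder-string
  accept-lifetime 00:00:00 Jan 1 2007 23:59:59 Jul 31 2007
  send-lifetime 00:00:00 Jan 1 2007 23:59:59 Jun 30 2007
 key 2
  key-string k2-placeholder-string
  accept-lifetime 00:00:00 Jun 1 2007 infinite
  send-lifetime 00:00:00 Jul 1 2007 infinite
!
! Only the two known primary agents may query this DRP Server Agent.
access-list 10 remark DRP primary agents
access-list 10 permit host 192.0.2.10
access-list 10 permit host 192.0.2.11
!
ip drp server
ip drp access-group 10
ip drp authentication key-chain drp-keys
!
! Key lifetimes are meaningless without a trusted clock.
ntp server 192.0.2.1
!
! Verification (EXEC mode):
!   show key chain   lists each key and whether it is currently valid
!   show ip drp      shows DRP Server Agent statistics
```

Note that the authentication key string itself must match on the primary agent; the access list only
limits who may talk to the agent, it does not prove who they are.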
Configuring IP Accounting
Cisco IP accounting support provides basic IP accounting functions. By enabling IP accounting, users
can see the number of bytes and packets switched through the Cisco IOS software on a source and
destination IP address basis. Only transit IP traffic is measured and only on an outbound basis; traffic
generated by the software or terminating in the software is not included in the accounting statistics. To
maintain accurate accounting totals, the software maintains two accounting databases: an active and a
checkpointed database.
Cisco IP accounting support also provides information identifying IP traffic that fails IP access lists.
Identifying IP source addresses that violate IP access lists alerts you to possible attempts to breach
security; the data also indicates that you should verify your IP access list configurations. To make this
feature available to users, you must enable IP accounting of access list violations using the ip accounting
access-violations interface configuration command. Users can then display, for each source and
destination pair, the number of bytes and packets from a single source that were denied by the access
list. By default, IP accounting displays the number of packets that have passed access lists and were
routed.
To enable IP accounting, use one of the following commands for each interface in interface configuration
mode:

Command: Router(config-if)# ip accounting
Purpose: Enables basic IP accounting.
Command: Router(config-if)# ip accounting access-violations
Purpose: Enables IP accounting with the ability to identify IP traffic that fails IP access lists.

To configure other IP accounting functions, use the following commands in global configuration mode,
as needed:

Command: Router(config)# ip accounting-threshold threshold
Purpose: Sets the maximum number of accounting entries to be created.
Command: Router(config)# ip accounting-list ip-address wildcard
Purpose: Filters accounting information for hosts.
Command: Router(config)# ip accounting-transits count
Purpose: Controls the number of transit records that will be stored in the IP accounting database.
To display IP access violations for a specific IP accounting database, use the following command in
EXEC mode:

Command: Router# show ip accounting [checkpoint] access-violations
Purpose: Displays IP access violation information.
To display IP access violations, include the access-violations keyword in the show ip accounting EXEC
command. If you do not specify the keyword, the command defaults to displaying the number of packets
that have passed access lists and were routed. The access violations output displays the number of the
access list failed by the last packet for the source and destination pair. The number of packets reveals
how aggressive the attack is upon a specific destination.
Use the show ip accounting EXEC command to display the active accounting database, and traffic
coming from a remote site and transiting through a router. To display the checkpointed database, use the
show ip accounting checkpoint EXEC command. The clear ip accounting EXEC command clears the
active database and creates the checkpointed database.
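The following configuration is added here as a worked example of the accounting commands above;
it is not from the original guide. The interface names, the 192.0.2.0/24 and 10.0.0.0/8 addresses,
and the threshold values are placeholders. It enables violation accounting behind an inbound access
list, caps the size of the accounting database so that a scan with many spoofed sources cannot grow it
without bound, and lists the EXEC commands used to read and checkpoint the counters.

```cisco
! Added example (not from the original guide). Interface, addresses and
! threshold values are placeholders.
!
! Inbound filter on the WAN side; denied packets are what
! access-violations accounting counts.
ip access-list extended from-wan
 deny tcp any host 192.0.2.25 eq telnet
 deny ip 10.0.0.0 0.255.255.255 any
 permit ip any any
!
interface Serial0/0
 ip access-group from-wan in
 ip accounting
 ip accounting access-violations
!
! Bound the database (the default is 512 entries) so new source/destination
! pairs from a scan cannot exhaust memory, and count only the hosts of
! interest; transit records for other hosts are limited separately.
ip accounting-threshold 1000
ip accounting-list 192.0.2.0 0.0.0.255
ip accounting-transits 25
!
! EXEC-mode checks:
!   show ip accounting access-violations
!       live per source/destination counters plus the number of the
!       access list that the last packet for that pair failed
!   clear ip accounting
!       copies the active database to the checkpoint and resets it
!   show ip accounting checkpoint access-violations
!       the snapshot taken by the clear, for comparison or export
```

Taking a checkpoint before and after a suspicious interval, and comparing the two, is the simplest way to
turn these counters into a rate for a given source.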
To enable IP accounting based on the MAC address of received or transmitted packets, use the following
commands beginning in global configuration mode:

Step 1  Command: Router(config)# interface type number
        Purpose: Specifies the interface and enters interface configuration mode.
Step 2  Command: Router(config-if)# ip accounting mac-address {input | output}
        Purpose: Configures IP accounting based on the MAC address of received (input) or transmitted (output) packets.

To remove IP accounting based on the MAC address from the interface, use the no ip accounting
mac-address command.
Use the EXEC command show interface mac to display MAC accounting information for interfaces
configured for MAC accounting.
To enable IP accounting based on the IP precedence of received or transmitted packets, use the following
commands beginning in global configuration mode:

Step 1  Command: Router(config)# interface type number
        Purpose: Specifies the interface (or subinterface) and enters interface configuration mode.
Step 2  Command: Router(config-if)# ip accounting precedence {input | output}
        Purpose: Configures IP accounting based on the precedence of received (input) or transmitted (output) packets.

To remove IP accounting based on IP precedence from the interface, use the no ip accounting
precedence command.
Use the EXEC command show interface precedence to display precedence accounting information for
interfaces configured for precedence accounting.
To clear the IP accounting databases, use the following command in EXEC mode:

Command: Router# clear ip accounting [checkpoint]
Purpose: Clears the active IP accounting or checkpointed database when IP accounting is enabled.

To clear DRP statistics or display DRP Server Agent information, use the following commands in EXEC
mode:

Command: Router# clear ip drp
Purpose: Clears statistics being collected on DRP requests and responses.
Command: Router# show ip drp
Purpose: Displays information about the DRP Server Agent.

To display IP accounting and other IP statistics, use the following commands in EXEC mode:

Command: Router# show ip accounting [checkpoint]
Purpose: Displays the active IP accounting or checkpointed database.
Command: Router# show ip redirects
Purpose: Displays the address of the default router and the address of hosts for which an ICMP redirect message has been received.
Command: Router# show ip sockets
Purpose: Displays IP socket information.
Command: Router# show ip traffic
Purpose: Displays IP protocol statistics.
IP Accounting: Example
The following example enables IP accounting based on the source and destination MAC address and
based on IP precedence for received and transmitted packets:
interface Ethernet0/5
ip accounting mac-address input
ip accounting mac-address output
ip accounting precedence input
ip accounting precedence output
Packet filtering helps control packet movement through the network. Such control can help limit network
traffic and restrict network use by certain users or devices. To permit or deny packets from crossing
specified interfaces, we provide access lists (ACLs).
You can use access lists in the following ways:
• To control the transmission of packets on an interface
• To control vty access
• To restrict contents of routing updates
This module summarizes how to create IP access lists and how to apply them.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• Information About Access Lists
• How to Configure Access Lists
• Configuration Examples for Access Lists
To create a standard access list, use the following commands in global configuration mode:

Step 1  Command: Router(config)# access-list access-list-number remark remark
        Purpose: Indicates the purpose of the deny or permit statement.1
Step 2  Command: Router(config)# access-list access-list-number {deny | permit} source [source-wildcard] [log]
        Purpose: Defines a standard IP access list using a source address and wildcard.
        or
        Command: Router(config)# access-list access-list-number {deny | permit} any [log]
        Purpose: Defines a standard IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255.
The Cisco IOS software can provide logging messages about packets permitted or denied by a standard
IP access list. That is, any packet that matches an access list entry carrying the log keyword causes an
informational logging message about the packet to be sent to the console. The level of messages logged
to the console is controlled by the logging console global configuration command.
The first packet that triggers the access list causes an immediate logging message, and subsequent
packets are collected over 5-minute intervals before they are displayed or logged. The logging message
includes the access list number, whether the packet was permitted or denied, the source IP address of the
packet, and the number of packets from that source permitted or denied in the prior 5-minute interval.
However, you can use the ip access-list log-update threshold command to set the number of packets
that, when they match an access list (and are permitted or denied), cause the system to generate a log
message. You might want to do this to receive log messages more frequently than at 5-minute intervals.
Caution If you set the number-of-matches argument to 1, a log message is sent right away, rather than caching
it; every packet that matches an access list causes a log message. A setting of 1 is not recommended
because the volume of log messages could overwhelm the system.
Even if you use the ip access-list log-update command, the 5-minute timer remains in effect, so each
cache is emptied at the end of 5 minutes, regardless of the count of messages in each cache. Regardless
of when the log message is sent, the cache is flushed and the count reset to 0 for that message the same
way it is when a threshold is not specified.
Note The logging facility might drop some logging message packets if there are too many to be handled
or if there is more than one logging message to be handled in 1 second. This behavior prevents the
router from crashing due to too many logging packets. Therefore, the logging facility should not be
used as a billing tool or an accurate source of the number of matches to an access list.
Note If you enable CEF and then create an access list that uses the log keyword, the packets that match the
access list are not CEF switched. They are fast switched. Logging disables CEF.
For an example of a standard IP access list using logs, see the section “Numbered Access List: Example”
at the end of this chapter.
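The following configuration is added here as a worked example of access list logging; it is not from
the original guide. The interface name, the 192.0.2.0/24 subnet, the syslog host and the threshold value
are placeholders. It uses a standard list as an ingress anti-spoofing filter (only the subnet that belongs
on the interface may source packets through it), logs both the expected and the unexpected sources,
raises the log frequency with the threshold described above, and moves the resulting messages off the
console and onto a syslog host.

```cisco
! Added example (not from the original guide). Interface, subnet,
! syslog host and threshold are placeholders.
!
! Ingress filter: the only legitimate sources on this LAN are 192.0.2.0/24.
! Anything else arriving here is spoofed or misconfigured, so log it.
access-list 10 remark hosts that belong on FastEthernet0/0
access-list 10 permit 192.0.2.0 0.0.0.255 log
access-list 10 deny any log
!
interface FastEthernet0/0
 ip access-group 10 in
!
! Emit a log line after every 100 matches rather than waiting up to
! 5 minutes. A threshold of 1 logs every packet and is not recommended.
ip access-list log-update threshold 100
!
! ACL match messages are severity 6 (informational). Keep them off the
! console, in the local buffer and on a syslog host.
no logging console
logging buffered 65536 informational
logging host 192.0.2.50
logging trap informational
```

Two caveats from the text above still apply to this configuration: packets matching the entries with log
are not CEF switched, so keep log on entries that see limited traffic, and the logging facility drops
messages under load, so treat the counts as an alert source rather than an exact tally.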
To create an extended access list, use the following commands in global configuration mode:

Step 1  Command: Router(config)# access-list access-list-number remark remark
        Purpose: Indicates the purpose of the deny or permit statement.1
Step 2  Command: Router(config)# access-list access-list-number {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
        Purpose: Defines an extended IP access list number and the access conditions. Specifies a time range to restrict when the permit or deny statement is in effect. Use the log keyword to get access list logging messages, including violations. Use the log-input keyword to include input interface, source MAC address, or VC in the logging output.
        or
        Command: Router(config)# access-list access-list-number {deny | permit} protocol any any [log | log-input] [time-range time-range-name] [fragments]
        Purpose: Defines an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255, and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.
        or
        Command: Router(config)# access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
        Purpose: Defines a dynamic access list. For information about lock-and-key access, refer to the “Configuring Traffic Filters” chapter in the Cisco IOS Security Configuration Guide.

1. This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.
Note The fragments keyword is described in the “Specifying IP Extended Access Lists with Fragment
Control” section.
After you create an access list, you place any subsequent additions (possibly entered from the terminal)
at the end of the list. In other words, you cannot selectively add or remove access list command lines
from a specific access list.
Note When creating an access list, remember that, by default, the end of the access list contains an implicit
deny statement for everything if it did not find a match before reaching the end.
Note In a standard access list, if you omit the mask from an associated IP host address access list
specification, 0.0.0.0 is assumed to be the mask.
Note Autonomous switching is not used when you have extended access lists.
After creating an access list, you must apply it to a line or interface, as shown in the section “Applying
Access Lists” later in this chapter. See the “Implicit Masks in Access Lists: Example” section at the end
of this chapter for examples of implicit masks.
To create a standard access list, use the following commands beginning in global configuration mode:

Step 1  Command: Router(config)# ip access-list standard name
        Purpose: Defines a standard IP access list using a name and enters standard named access list configuration mode.
Step 2  Command: Router(config-std-nacl)# remark remark
        Purpose: Allows you to comment about the following deny or permit statement in a named access list.1
Step 3  Command: Router(config-std-nacl)# deny {source [source-wildcard] | any} [log]
        and/or
        Command: Router(config-std-nacl)# permit {source [source-wildcard] | any} [log]
        Purpose: Specifies one or more conditions allowed or denied, which determines whether the packet is passed or dropped.
Step 4  Command: Router(config-std-nacl)# exit
        Purpose: Exits access-list configuration mode.

1. This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.
To create an extended access list, use the following commands beginning in global configuration mode:

Step 1  Command: Router(config)# ip access-list extended name
        Purpose: Defines an extended IP access list using a name and enters extended named access list configuration mode.
Step 2  Command: Router(config-ext-nacl)# remark remark
        Purpose: Allows you to comment about the following deny or permit statement in a named access list.1
Step 3  Command: Router(config-ext-nacl)# {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
        Purpose: In access-list configuration mode, specifies the conditions allowed or denied. Specifies a time range to restrict when the permit or deny statement is in effect. Use the log keyword to get access list logging messages, including violations. Use the log-input keyword to include input interface, source MAC address, or VC in the logging output.
        or
        Command: Router(config-ext-nacl)# {deny | permit} protocol any any [log | log-input] [time-range time-range-name] [fragments]
        Purpose: Defines an extended IP access list using an abbreviation for a source and source wildcard of 0.0.0.0 255.255.255.255, and an abbreviation for a destination and destination wildcard of 0.0.0.0 255.255.255.255.
        or
        Command: Router(config-ext-nacl)# {deny | permit} protocol host source host destination [log | log-input] [time-range time-range-name] [fragments]
        Purpose: Defines an extended IP access list using an abbreviation for a source and source wildcard of source 0.0.0.0, and an abbreviation for a destination and destination wildcard of destination 0.0.0.0.
        or
        Command: Router(config-ext-nacl)# dynamic dynamic-name [timeout minutes] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [established] [log | log-input] [time-range time-range-name] [fragments]
        Purpose: Defines a dynamic access list.

1. This example configures the remark before the deny or permit statement. The remark can be configured after the deny or permit statement.
Note Autonomous switching is not used when you have extended access lists.
Note The fragments keyword is described in the Specifying IP Extended Access Lists with Fragment
Control section.
After you initially create an access list, you place any subsequent additions (possibly entered from the
terminal) at the end of the list. In other words, you cannot selectively add access list command lines to
a specific access list. However, you can use no permit and no deny commands to remove entries from
a named access list.
Note When making the standard and extended access list, remember that, by default, the end of the access
list contains an implicit deny statement for everything if it did not find a match before reaching the
end. Further, with standard access lists, if you omit the mask from an associated IP host address
access list specification, 0.0.0.0 is assumed to be the mask.
After creating an access list, you must apply it to a line or interface, as shown in section “Applying
Access Lists” later in this chapter.
See the “Named Access List: Example” section at the end of this chapter for an example of a named
access list.
The behavior of access-list entries regarding the presence or absence of the fragments keyword can be
summarized as follows:

If the access-list entry has the fragments keyword, and assuming all of the access-list entry
information matches, the access-list entry is applied only to noninitial fragments.

Note The fragments keyword cannot be configured for an access-list entry that contains any Layer 4
information.
Be aware that you should not simply add the fragments keyword to every access list entry, because the
first fragment of an IP packet is treated as a nonfragment and is evaluated independently of the
subsequent fragments. An initial fragment does not match a permit or deny entry that contains the
fragments keyword; the packet is compared with the next access list entry, and so on, until it is either
permitted or denied by an entry that does not contain the fragments keyword. Therefore, you may need
two access list entries for every deny entry. The first deny entry of the pair does not include the
fragments keyword and applies to the initial fragment. The second deny entry of the pair includes the
fragments keyword and applies to the subsequent fragments. Where there are multiple deny entries for
the same host but with different Layer 4 ports, a single deny entry with the fragments keyword for that
host is all that needs to be added. Thus all the fragments of a packet are handled in the same manner by
the access list.
Note The fragments keyword cannot solve all cases involving access lists and IP fragments.
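The following named access list is added here as a worked example of the deny-entry pairing described
above; it is not from the original guide. The 192.0.2.25 server address and the interface name are
placeholders. Two Layer 4 denies cover the initial fragments and unfragmented packets to the server's
web ports; because a noninitial fragment carries no port numbers, it falls past those entries, so one
Layer-3-only entry with the fragments keyword catches the noninitial fragments of both flows before
the final permit can let them through.

```cisco
! Added example (not from the original guide). Server address and
! interface are placeholders.
!
ip access-list extended protect-server
 remark Initial fragments and whole packets carry Layer 4 information
 remark and are matched by these port-specific entries.
 deny tcp any host 192.0.2.25 eq www
 deny tcp any host 192.0.2.25 eq 443
 remark Noninitial fragments have no ports, so they skip the entries
 remark above. One fragments entry per host covers them all; it may
 remark not carry Layer 4 information, and an initial fragment never
 remark matches it.
 deny ip any host 192.0.2.25 fragments
 permit ip any any
!
interface Serial0/0
 ip access-group protect-server in
```

Order matters: if the permit ip any any entry appeared before the fragments entry, the noninitial
fragments would be permitted and would sit in the server's reassembly queue until its timeout, which is
exactly the condition the fragments keyword is meant to avoid.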
Policy Routing
Fragmentation and the fragment control feature affect policy routing if the policy routing is based on the
match ip address command and the access list had entries that match on Layer 4 through 7 information.
It is possible that noninitial fragments pass the access list and are policy routed, even if the first fragment
was not policy routed or the reverse.
By using the fragments keyword in access list entries as described earlier, a better match between the
action taken for initial and noninitial fragments can be made and it is more likely policy routing will
occur as intended.
Additional Security
You are able to block more of the traffic you intended to block, not just the initial fragment of such
packets. The unwanted fragments no longer linger at the receiver until the reassembly timeout is reached
because they are blocked before being sent to the receiver. Blocking a greater portion of unwanted traffic
improves security and reduces the risk from potential hackers.
Reduced Cost
By blocking unwanted noninitial fragments of packets, you are not paying for traffic you intended to
block.
Reduced Storage
By blocking unwanted noninitial fragments of packets from ever reaching the receiver, that destination
does not have to store the fragments until the reassembly timeout period is reached.
Note Access lists containing specialized processing characteristics such as evaluate and time-range entries
are excluded from Turbo ACL acceleration.
The Turbo ACL builds a set of lookup tables from the ACLs in the configuration; these tables increase
the internal memory usage, and in the case of large and complex ACLs, tables containing 2 MB to 4 MB
of memory are usually required. Routers enabled with the Turbo ACL feature should allow for this
amount of memory usage. The show access-list compiled EXEC command displays the memory
overhead of the Turbo ACL tables for each access list.
To configure the Turbo ACL feature, perform the tasks described in the following sections. The task in
the first section is required; the task in the remaining section is optional:
• Configuring Turbo ACLs (Required)
• Verifying Turbo ACLs (Optional)
To enable the Turbo ACL feature, use the following command in global configuration mode:

Command: Router(config)# access-list compiled
Purpose: Enables the Turbo ACL feature.
time-range command is described in the “Performing Basic System Management” chapter of the Cisco
IOS Configuration Fundamentals Configuration Guide. See the “Time Range Applied to an IP Access
List: Example” section at the end of this chapter for a configuration example of IP time ranges.
Possible benefits of using time ranges include the following:
• The network administrator has more control over permitting or denying a user access to resources.
These resources could be an application (identified by an IP address/mask pair and a port number),
policy routing, or an on-demand link (identified as interesting traffic to the dialer).
• Network administrators can set time-based security policy, including the following:
– Perimeter security using the Cisco IOS Firewall feature set or access lists
– Data confidentiality with Cisco Encryption Technology or IP Security Protocol (IPSec)
• Policy-based routing (PBR) and queueing functions are enhanced.
• When provider access rates vary by time of day, it is possible to automatically reroute traffic cost
effectively.
• Service providers can dynamically change a committed access rate (CAR) configuration to support
the quality of service (QoS) service level agreements (SLAs) that are negotiated for certain times of
day.
• Network administrators can control logging messages. Access list entries can log traffic at certain
times of the day, but not constantly. Therefore, administrators can simply deny access without
needing to analyze many logs generated during peak hours.
To restrict incoming and outgoing connections on a vty, use the following command in line configuration
mode:

Command: Router(config-line)# access-class access-list-number {in | out}
Purpose: Restricts incoming and outgoing connections between a particular vty (into a device) and the addresses in an access list.
To restrict access to an interface, use the following command in interface configuration mode:
Command Purpose
Router(config-if)# ip access-group {access-list-number | Controls access to an interface.
access-list-name} {in | out}
For inbound access lists, after receiving a packet, the Cisco IOS software checks the packet against the
access list (the source address for a standard list; the protocol, addresses, and ports for an extended
list). If the access list permits the packet, the software continues to process it. If the access list rejects
the packet, the software discards it and returns an ICMP unreachable message (administratively
prohibited) to the source, unless ICMP unreachables have been disabled on the interface with the
no ip unreachables command.
For outbound access lists, after receiving and routing a packet to a controlled interface, the software
checks the packet against the access list in the same way. If the access list permits the packet, the
software sends it. If the access list rejects the packet, the software discards it and returns the same ICMP
unreachable message.
When you apply an access list that has not yet been defined to an interface, the software acts as if no
access list had been applied to the interface and accepts all packets. A mistyped list name or number in
an ip access-group command therefore silently permits everything; confirm the list exists with the show
access-lists command, and remember this behavior if you use undefined access lists as a means of
security in your network.
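The following configuration is added here as a worked example of applying access lists to a line and to
an interface; it is not from the original guide. The addresses and interface names are placeholders. It
restricts vty logins to a management subnet with access-class, filters transit traffic on the outside
interface with ip access-group, and ends with the EXEC checks that catch the undefined-list case
described above.

```cisco
! Added example (not from the original guide). Addresses and interfaces
! are placeholders.
!
! Only management stations may open a vty session, and only over SSH.
access-list 5 remark management stations
access-list 5 permit 192.0.2.0 0.0.0.255
access-list 5 deny any log
line vty 0 4
 access-class 5 in
 transport input ssh
!
! Transit filter on the outside interface: drop packets claiming a
! private source, admit mail to the mail host, admit return traffic
! for connections opened from inside, log everything else.
ip access-list extended outside-in
 deny ip 10.0.0.0 0.255.255.255 any log
 permit tcp any host 192.0.2.25 eq smtp
 permit tcp any 192.0.2.0 0.0.0.255 established
 deny ip any any log
interface Serial0/0
 ip access-group outside-in in
!
! EXEC-mode checks. An access-group that names a list which does not
! exist permits everything, so confirm both that the list is bound and
! that it has entries:
!   show ip interface Serial0/0 | include access list
!   show access-lists outside-in
!   show access-lists 5
```

The final deny ip any any log entry is redundant with the implicit deny but gives you a counter and a
log line for what the list is dropping, which the implicit deny does not.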
To clear the counters of an access list, use the following command in EXEC mode:

Command: Router# clear access-list counters {access-list-number | access-list-name}
Purpose: Clears the access list counters.
The following example defines access lists 1 and 2, both of which have logging enabled:
interface ethernet 0
ip address 1.1.1.1 255.0.0.0
ip access-group 1 in
ip access-group 2 out
!
access-list 1 permit 5.6.0.0 0.0.255.255 log
access-list 1 deny 7.9.0.0 0.0.255.255 log
!
access-list 2 permit 1.2.3.4 log
access-list 2 deny 1.2.0.0 0.0.255.255 log
If the interface receives 10 packets from 5.6.7.7 and 14 packets from 1.2.23.21, the first log will look
like the following:
list 1 permit 5.6.7.7 1 packet
list 2 deny 1.2.23.21 1 packet
Five minutes later, the console will receive the following log:
list 1 permit 5.6.7.7 9 packets
list 2 deny 1.2.23.21 13 packets
For this example, the following masks are implied in the first two lines:
access-list 1 permit 0.0.0.0 0.0.0.0
access-list 1 permit 131.108.0.0 0.0.0.0
The last line in the configuration (using the deny keyword) can be left off, because IP access lists
implicitly deny all other access. Leaving off the last line in the configuration is equivalent to finishing
the access list with the following command statement:
access-list 1 deny 0.0.0.0 255.255.255.255
The following access list only allows access for those hosts on the three specified networks. It assumes
that subnetting is not used; the masks apply to the host portions of the network addresses. Any hosts with
a source address that does not match the access list statements will be rejected.
access-list 1 permit 192.5.34.0 0.0.0.255
access-list 1 permit 128.88.0.0 0.0.255.255
access-list 1 permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)
To specify a large number of individual addresses more easily, you can omit the address mask that is all
0s from the access-list global configuration command. Thus, the following two configuration commands
are identical in effect:
access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3 0.0.0.0
For another example of using an extended access list, suppose you have a network connected to the
Internet, and you want any host on an Ethernet to be able to form TCP connections to any host on the
Internet. However, you do not want IP hosts to be able to form TCP connections to hosts on the Ethernet
except to the mail (SMTP) port of a dedicated mail host.
SMTP uses TCP port 25 on one end of the connection and a random port number on the other end. The
same two port numbers are used throughout the life of the connection. Mail packets coming in from the
Internet will have a destination port of 25. Outbound packets will have the port numbers reversed. The
fact that the secure system behind the router always will be accepting mail connections on port 25 is what
makes possible separate control of incoming and outgoing services. The access list can be configured on
either the outbound or inbound interface.
In the following example, the Ethernet network is a Class B network with the address 128.88.0.0, and
the address of the mail host is 128.88.1.2. The established keyword is used only for the TCP protocol
to indicate an established connection. A match occurs if the TCP segment has the ACK or RST bit set,
which indicates that the packet belongs to an existing connection. This check is stateless: the router
keeps no record of connections, so any inbound segment with the ACK bit set is treated as part of an
existing connection, and an outsider can still reach hosts on 128.88.0.0 with crafted ACK segments.
Where the router must track connection state, use the stateful inspection of the Cisco IOS Firewall
feature set rather than established.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
interface ethernet 0
ip access-group 102 in
In the following example of a numbered access list, the Winter and Smith workstations are not allowed
to browse the web. The deny entries require the tcp protocol keyword, and the list ends with an explicit
permit so that the implicit deny at its end does not block all other traffic:
access-list 100 remark Do not allow Winter to browse the web
access-list 100 deny tcp host 171.69.3.85 any eq www
access-list 100 remark Do not allow Smith to browse the web
access-list 100 deny tcp host 171.69.3.13 any eq www
access-list 100 permit ip any any
In the following example of a named access list, the Jones subnet is not allowed access, and all other
sources are permitted explicitly:
ip access-list standard prevention
 remark Do not allow Jones subnet through
 deny 171.69.0.0 0.0.255.255
 permit any
In the following example of a named access list, the Jones subnet is not allowed to use outbound Telnet,
and all other traffic is permitted explicitly:
ip access-list extended telnetting
 remark Do not allow Jones subnet to telnet out
 deny tcp 171.69.0.0 0.0.255.255 any eq telnet
 permit ip any any
This document describes the Distributed Time-Based Access Lists feature in Cisco IOS
Release 12.2(2)T. It includes the following sections:
• Feature Overview
• Supported Platforms
• Supported Standards, MIBs, and RFCs
• Configuration Tasks
• Monitoring and Maintaining Distributed Time-Based Access Lists
• Configuration Examples
• Command Reference
• Glossary
Feature Overview
Cisco IOS allows implementation of access lists based on the time of day. To do so, you create a time
range that defines specific times of the day and week. The time range is identified by a name and then
referenced by a function, so that those time restrictions are imposed on the function itself.
Currently, IP and IPX named or numbered extended access lists are the only functions that can use time
ranges. The time range allows the network administrator to define when the permit or deny statements
in the access list are in effect.
Before the introduction of the Distributed Time-Based Access Lists feature, time-based access lists were
not supported on line cards for the Cisco 7500 series routers. If time-based access lists were configured,
they behaved as normal access lists. If an interface on a line card was configured with time-based access
lists, the packets switched into the interface were not distributed switched through the line card but
forwarded to the Route Processor for processing.
The Distributed Time-Based Access Lists feature allows packets destined for an interface configured
with time-based access lists to be distributed switched through the line card.
For this functionality to work, the software clock must remain synchronized between the Route
Processor and the line card. This synchronization occurs through an exchange of ipc (interprocess
communications) messages from the Route Processor to the line card. When a time range or a time-range
entry is changed, added, or deleted, an ipc message is sent by the Route Processor to the line card.
Benefits
The Distributed Time-Based Access Lists feature gives network administrators more control over
permitting or denying a user access to resources. Customers can now take advantage of the performance
benefits of distributed switching and the flexibility given by time-based access lists.
Related Documents
• Cisco IOS Configuration Fundamentals Configuration Guide, Release 12.2
• Cisco IOS Configuration Fundamentals Command Reference, Release 12.2
• Cisco IOS IP Configuration Guide, Release 12.2
• Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
Supported Platforms
This feature is supported on VIP-enabled Cisco 7500 series routers.
MIBs
No new or modified MIBs are supported by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules,
go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml.
RFCs
No new or modified RFCs are supported by this feature.
Configuration Tasks
See the following sections for configuration tasks for the Distributed Time-Based Access Lists feature.
Each task in the list is identified as either optional or required.
• Defining a Time Range (required)
• Referencing the Time Range (required)
• Verifying Distributed Time-Based Access Lists (optional)
Note The time range relies on the software clock of the routing device. For the time range feature
to work the way you intend, you need a reliable clock source. We recommend that you use
Network Time Protocol (NTP) to synchronize the software clock of the routing device.
To define a time range, use the following commands beginning in global configuration mode.

Step 1  Command: Router(config)# time-range time-range-name
        Purpose: Assigns a name to the time range to be configured and enters time range configuration mode.
Step 2  Command: Router(config-time-range)# absolute [start time date] [end time date]
        or
        Command: Router(config-time-range)# periodic days-of-the-week hh:mm to [days-of-the-week] hh:mm
        Purpose: Specifies when the time range will be in effect. Use some combination of these commands. Multiple periodic statements are allowed; only one absolute statement is allowed.
Repeat these tasks if you have multiple items you want in effect at different times. For example, repeat
the steps to include multiple permit or deny statements in an access list in effect at different times. For
further details on the commands described, see the corresponding chapter in the Cisco IOS
Configuration Fundamentals Command Reference, Release 12.2.
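The following configuration is added here as a worked example of defining a time range and referencing
it from an access list; it is not from the original guide. The names, the 10.10.0.0/16 subnet, the
interface, and the schedule are placeholders. When the end day is omitted from a periodic statement the
end time falls on the same day, so the weekday "after hours" window is written as two statements rather
than one that crosses midnight.

```cisco
! Added example (not from the original guide). Names, addresses,
! interface and schedule are placeholders.
!
! After hours: weekday evenings, weekday early mornings, and weekends.
time-range after-hours
 periodic weekdays 18:00 to 23:59
 periodic weekdays 00:00 to 07:59
 periodic weekend 00:00 to 23:59
!
! Staff web access is blocked only while the time range is active;
! outside it the deny entries are ignored and the permit applies.
ip access-list extended staff-out
 deny tcp 10.10.0.0 0.0.255.255 any eq www time-range after-hours
 deny tcp 10.10.0.0 0.0.255.255 any eq 443 time-range after-hours
 permit ip any any
!
interface FastEthernet0/1
 ip access-group staff-out in
!
! The schedule is only as trustworthy as the clock it is compared to.
clock timezone PST -8
ntp server 192.0.2.1
!
! EXEC-mode checks:
!   show time-range after-hours   reports whether the range is active now
!   show time-range ipc           Route Processor to line card sync counters
!                                 (Cisco 7500 with VIPs)
```

If the router's clock is wrong, or NTP is not reachable, the deny entries are active at the wrong hours
and the access list fails open outside them, so treat a bad clock as a security fault, not a cosmetic one.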
Command Purpose
Router# show time-range ipc
Displays the statistics about the time-range ipc messages between the Route Processor and line card.
Command Purpose
Router# debug time-range ipc
Enables debugging output for monitoring the time-range ipc messages between the Route Processor and the line card.
Router# show time-range ipc
Displays the statistics about the time-range ipc messages between the Route Processor and line card.
Router# clear time-range ipc
Clears the time-range ipc message statistics and counters between the Route Processor and the line card for the time-range subsystem.
Configuration Examples
The Distributed Time-Based Access Lists feature is enabled automatically when time ranges are
configured on access lists. For an example of a time range applied to an access list, refer to the
“Configuring IP Services” chapter of the Cisco IOS IP Configuration Guide, Release 12.2.
Command Reference
The following new commands are pertinent to this feature. To see the command pages for these
commands and other commands used with this feature, go to the Cisco IOS Master Commands List,
Release 12.4, at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/
124index.htm.
• clear time-range ipc
• debug time-range ipc
• show time-range ipc
Glossary
IPC—interprocess communications. A system that lets threads and processes transfer data and messages
among themselves; used to offer services to and receive services from other programs.
line card—Any I/O card that can be inserted in a modular chassis.
RP—Route Processor. Processor module in the Cisco 7000 series routers that contains the CPU, system
software, and most of the memory components that are used in the router. Sometimes called a
supervisory processor.
VIP—Versatile Interface Processor. Interface card used in Cisco 7000 and Cisco 7500 series routers. The
VIP provides multilayer switching and runs Cisco IOS software.
Users can apply sequence numbers to permit or deny statements and also reorder, add, or remove such
statements from a named IP access list. This feature makes revising IP access lists much easier. Prior to
this feature, users could add access list entries only to the end of an access list; therefore, adding a
statement anywhere except at the end required reconfiguring the access list entirely.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• Restrictions for IP Access List Entry Sequence Numbering, page 41
• Information About IP Access Lists, page 42
• How to Use Sequence Numbers in an IP Access List, page 45
• Configuration Examples for IP Access List Entry Sequence Numbering, page 48
• Additional References, page 50
• Command Reference, page 51
• This feature does not support old-style numbered access lists, which existed before named access
lists. Keep in mind that you can name an access list with a number, so numbers are allowed when
they are entered in the standard or extended named access list (NACL) configuration mode.
• If a packet and an access list statement match, the rest of the statements in the list are skipped and
the packet is permitted or denied as specified in the matched statement. The first entry that the packet
matches determines whether the software permits or denies the packet. That is, after the first match,
no subsequent entries are considered.
• If the access list denies the address or protocol, the software discards the packet and returns an ICMP
Host Unreachable message.
• If no conditions match, the software drops the packet. This is because each access list ends with an
unwritten or implicit deny statement. That is, if the packet has not been permitted by the time it was
tested against each statement, it is denied.
• The access list must contain at least one permit statement or else all packets are denied.
• Because the software stops testing conditions after the first match, the order of the conditions is
critical. The same permit or deny statements specified in a different order could result in a packet
being passed under one circumstance and denied in another circumstance.
• If an access list is referenced by name in a command, but the access list does not exist, all packets
pass.
• Only one access list per interface, per protocol, per direction is allowed.
• Inbound access lists process packets arriving at the router. Incoming packets are processed before
being routed to an outbound interface. An inbound access list is efficient because it saves the
overhead of routing lookups if the packet is to be discarded because it is denied by the filtering tests.
If the packet is permitted by the tests, it is then processed for routing. For inbound lists, permit
means continue to process the packet after receiving it on an inbound interface; deny means discard
the packet.
• Outbound access lists process packets before they leave the router. Incoming packets are routed to
the outbound interface and then processed through the outbound access list. For outbound lists,
permit means send it to the output buffer; deny means discard the packet.
Benefits
The ability to apply sequence numbers to IP access list entries simplifies access list changes. Prior to the
IP Access List Entry Sequence Numbering feature, there was no way to specify the position of an entry
within an access list. If a user wanted to insert an entry (statement) in the middle of an existing list, all
of the entries after the desired position had to be removed, then the new entry was added, and then all
the removed entries had to be reentered. This method was cumbersome and error prone.
This feature allows users to add sequence numbers to access list entries and resequence them. When a
user adds a new entry, the user chooses the sequence number so that it is in a desired position in the
access list. If necessary, entries currently in the access list can be resequenced to create room to insert
the new entry.
• If the user enters an entry without a sequence number, it is assigned a sequence number that is 10
greater than the last sequence number in that access list and is placed at the end of the list.
• If the user enters an entry that matches an already existing entry (except for the sequence number),
then no changes are made.
• If the user enters a sequence number that is already present, the following error message is
generated:
Duplicate sequence number.
• If a new access list is entered from global configuration mode, then sequence numbers for that access
list are generated automatically.
• Distributed support is provided so that the sequence numbers of entries in the Route Processor (RP)
and line card (LC) are in synchronization at all times.
• Sequence numbers are not nvgened. That is, the sequence numbers themselves are not saved. In the
event that the system is reloaded, the configured sequence numbers revert to the default sequence
starting number and increment. The function is provided for backward compatibility with software
releases that do not support sequence numbering.
• This feature works with named standard and extended IP access lists. Because the name of an access
list can be designated as a number, numbers are acceptable.
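The following added example (not Cisco code) models the sequence-numbering rules listed above and the first-match, implicit-deny ordering rule from the restrictions, for a named standard ACL: entries without a number get last+10, an identical entry changes nothing, a duplicate number is an error, and resequence renumbers from a start value by an increment. The access list contents and addresses are constructed for illustration; wildcard-mask matching follows the standard ACL semantics.

```python
"""Model of IP access list entry sequence numbering (constructed example)."""
ALL_ONES = 0xFFFFFFFF

def ip_to_int(text):
    parts = text.split(".")
    if len(parts) != 4 or any(not p.isdigit() or int(p) > 255 for p in parts):
        raise ValueError(f"bad IPv4 address: {text}")
    return int.from_bytes(bytes(int(p) for p in parts), "big")

def parse_standard(statement):
    """'permit 10.1.1.0 0.0.0.255' | 'deny any' | 'deny 10.1.1.5' (host)."""
    words = statement.split()
    if len(words) not in (2, 3) or words[0] not in ("permit", "deny"):
        raise ValueError("expected: {permit|deny} {any | source [source-wildcard]}")
    if words[1] == "any":
        return words[0], 0, ALL_ONES
    wildcard = ip_to_int(words[2]) if len(words) == 3 else 0
    # Wildcard bit 1 means "don't care"; normalise the address to the cared-about bits.
    return words[0], ip_to_int(words[1]) & ~wildcard & ALL_ONES, wildcard

class DuplicateSequenceNumber(Exception):
    """Raised where IOS prints 'Duplicate sequence number.'"""

class NamedStandardAcl:
    def __init__(self, name):
        self.name = name
        self.entries = {}  # sequence number -> (action, address, wildcard)

    def add(self, statement, sequence=None):
        """Add an entry; returns its sequence number, or None if it already existed."""
        entry = parse_standard(statement)
        if entry in self.entries.values():
            return None  # same entry (ignoring sequence) already present: no change
        if sequence is None:  # no number given: 10 more than the last, placed at the end
            sequence = (max(self.entries) if self.entries else 0) + 10
        elif sequence in self.entries:
            raise DuplicateSequenceNumber("Duplicate sequence number.")
        self.entries[sequence] = entry
        return sequence

    def remove(self, sequence):
        """The 'no sequence-number' form; returns True if an entry was removed."""
        return self.entries.pop(sequence, None) is not None

    def resequence(self, start, increment):
        """ip access-list resequence name start increment: keep order, renumber."""
        ordered = [self.entries[s] for s in sorted(self.entries)]
        self.entries = {start + i * increment: e for i, e in enumerate(ordered)}

    def check(self, source):
        """First match wins; returns (action, sequence). No match is the implicit deny."""
        ip = ip_to_int(source)
        for seq in sorted(self.entries):
            action, addr, wild = self.entries[seq]
            if ((ip ^ addr) & ~wild & ALL_ONES) == 0:
                return action, seq
        return "deny", None

def order_matters():
    """Same two statements in different order give different results for 10.1.1.5."""
    a = NamedStandardAcl("a")
    a.add("deny 10.1.1.5")
    a.add("permit 10.1.1.0 0.0.0.255")
    b = NamedStandardAcl("b")
    b.add("permit 10.1.1.0 0.0.0.255")
    b.add("deny 10.1.1.5")
    return a.check("10.1.1.5")[0], b.check("10.1.1.5")[0]
```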
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list resequence access-list-name starting-sequence-number increment
4. ip access-list {standard | extended} access-list-name
5. sequence-number permit source source-wildcard
or
or
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip access-list resequence access-list-name starting-sequence-number increment
Resequences the specified IP access list using the starting sequence number and the increment of sequence numbers.
• This example resequences an access list named kmd1. The starting sequence number is 100 and the increment is 15.
Example:
Router(config)# ip access-list resequence kmd1 100 15
Step 4 ip access-list {standard | extended} access-list-name
Specifies the IP access list by name and enters named access list configuration mode.
• If you specify standard, make sure you subsequently specify permit and/or deny statements using the standard access list syntax.
• If you specify extended, make sure you subsequently specify permit and/or deny statements using the extended access list syntax.
Example:
Router(config)# ip access-list standard kmd1
What to Do Next
If your access list is not already applied to an interface or line or otherwise referenced, apply the access
list. Refer to the “Configuring IP Services” chapter of the Cisco IOS IP Configuration Guide for
information about how to apply an IP access list.
Additional References
The following sections provide references related to IP access lists.
Related Documents
Related Topic Document Title
Configuring IP access lists: “Configuring IP Services” chapter in the Cisco IOS IP Configuration Guide, Release 12.2
IP access list commands: “IP Services Commands” chapter in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.2
Standards
Standards Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. —
MIBs
MIBs MIBs Link
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
RFCs
RFCs Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. —
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, tools, and lots more. Registered Cisco.com users can log in from this page to access even more content.
http://www.cisco.com/public/support/tac/home.shtml
Command Reference
The following new and modified commands are pertinent to this feature. To see the command pages for
these commands and other commands used with this feature, go to the Cisco IOS Master Commands List,
Release 12.4, at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/
124index.htm.
New Command
• ip access-list resequence
Revised Commands
• deny (IP)
• permit (IP)
The ACL IP Options Selective Drop feature allows Cisco routers to filter packets containing IP options
or to mitigate the effects of IP options on a router or downstream routers by dropping these packets or
ignoring the processing of the IP options.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• Restrictions for ACL IP Options Selective Drop, page 53
• Information About ACL IP Options Selective Drop, page 54
• How to Configure ACL IP Options Selective Drop, page 54
• Configuration Examples for the ACL IP Options Selective Drop Feature, page 55
• Additional References, page 56
• Command Reference, page 57
Configuring Your Router and Verifying the ACL IP Options Selective Drop
Feature
This section describes how to configure your router and verify the ACL IP Options Selective Drop
feature.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip options {drop | ignore}
4. exit
5. show ip traffic
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip options {drop | ignore}
Drops or ignores IP options packets that are sent to the router.
Example:
Router(config)# ip options drop
Step 4 exit
Returns to privileged EXEC mode.
Example:
Router(config)# exit
Step 5 show ip traffic
Displays statistics about IP traffic.
Example:
Router# show ip traffic
What to Do Next
If you are running Cisco IOS Release 12.3(4)T or a later release, you can also use the ACL Support for
Filtering IP Options feature to filter packets based on whether the packet contains specific IP options.
% Warning:RSVP and other protocols that use IP Options packets may not function in drop or
ignore modes.
end
The following sample output is displayed after 15,000 packets carrying IP options have been received
while the ip options drop command is configured. Notice the “forced drop” counter incrementing.
Router# show ip traffic
IP statistics:
Rcvd: 15000 total, 0 local destination
0 format errors, 0 checksum errors, 0 bad hop count
0 unknown protocol, 0 not a gateway
0 security failures, 0 bad options, 15000 with options
Opts: 0 end, 0 nop, 0 basic security, 0 loose source route
0 timestamp, 0 extended security, 0 record route
0 stream ID, 0 strict source route, 0 alert, 0 cipso
0 other
Frags: 0 reassembled, 0 timeouts, 0 couldn't reassemble
0 fragmented, 0 couldn't fragment
Bcast: 0 received, 0 sent
Mcast: 0 received, 0 sent
Sent: 0 generated, 0 forwarded
Drop: 0 encapsulation failed, 0 unresolved, 0 no adjacency
0 no route, 0 unicast RPF, 15000 forced drop
Additional References
The following sections provide references related to the ACL IP Options Selective Drop feature.
Related Documents
Related Topic Document Title
Configuring IP access lists: “Configuring IP Services” chapter in the Cisco IOS IP Configuration Guide, Release 12.3
IP access list commands: “IP Services Commands” chapter in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.3 T
Using access lists for filtering IP options: ACL Support for Filtering IP Options feature for Cisco IOS Release 12.3(4)T
Standards
Standards Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. —
MIBs
MIBs MIBs Link
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
RFCs
RFCs Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. —
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
http://www.cisco.com/public/support/tac/home.shtml
Command Reference
The following modified command is pertinent to this feature. To see the command pages for this
command and other commands used with this feature, go to the Cisco IOS Master Commands List,
Release 12.4, at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/
124index.htm.
• ip options
The ACL Support for Filtering IP Options feature allows you to use access control lists (ACLs) to filter
IP Options packets, in order to prevent routers from becoming saturated with spurious packets containing
IP Options. The ACLs provide granular control, and can be used in a complementary fashion with the
no ip options command-line interface (CLI) command that is documented in the IP Options Selective
Drop feature in Cisco IOS Release 12.3(4)T.
Feature History for ACL Support for the Filtering IP Options Feature
Release Modification
12.3(4)T This feature was introduced.
12.2(25)S This feature was integrated into Cisco IOS Release 12.2(25)S.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• Restrictions for the ACL Support for Filtering IP Options Feature, page 59
• Information About ACL Support for Filtering IP Options, page 60
• How to Configure the ACL Support for Filtering IP Options Feature, page 61
• ACL Support for Filtering IP Options: Example, page 63
• Where to Go Next, page 63
• Additional References, page 63
• Command Reference, page 65
On most Cisco routers, a packet with IP Options is not switched in hardware, but requires control plane
software processing (primarily because there is a need to process the options and rewrite the IP header),
so all IP packets with IP Options will be filtered and switched in software. Also, it must be noted that
Turbo ACLs do not support ACLs with entries that filter using the option keyword and such ACLs will
not get Turbo compiled. This option keyword restriction will not affect any other ACLs on the router. In
general, not using Turbo ACLs in such cases is not considered a performance issue because the
Cisco IOS software allows for faster ACL processing starting from Cisco IOS Release 12.3(2)T.
The ACL Support for Filtering IP Options feature can be used only with named, extended ACLs.
Note To effectively eliminate all packets that contain IP Options, we recommend that the global ip options
drop command be used.
IP Options
The internet protocol uses four key mechanisms in providing its service: Type of Service, Time to Live,
Options, and Header Checksum.
The Options, commonly referred to as IP Options, provide for control functions that are required in some
situations but unnecessary for the most common communications. IP Options include provisions for time
stamps, security, and special routing.
IP Options may or may not appear in datagrams. They must be implemented by all IP modules (host and
gateways). What is optional is their transmission in any particular datagram, not their implementation.
In some environments the security option may be required in all datagrams.
The option field is variable in length. There may be zero or more options. IP Options can have one of
two formats:
• Format 1: A single octet of option-type.
• Format 2: An option-type octet, an option-length octet, and the actual option-data octets.
The option-length octet counts the option-type octet and the option-length octet and the option-data
octets.
The option-type octet is viewed as having three fields: a 1-bit copied flag, a 2-bit option class, and a 5-bit
option number. These fields form an 8-bit value for the option type field. IP Options are commonly
referred to by their 8-bit value.
For a complete list and description of IP Options, refer to the RFC 791 at the following URL:
http://www.faqs.org/rfcs/rfc791.html.
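As an added example (not Cisco code), the following Python decodes the IPv4 Options field exactly as described above (Format 1 single-octet options, Format 2 type/length/data options, and the copied/class/number split of the option-type octet) and then applies extended-ACL style `option` keyword matching with first-match and implicit deny. The option names follow the IOS keywords shown in this chapter; the IPv4 headers, the ACE list `MYLIST1`, and the helper names are constructed for illustration.

```python
"""Parse IPv4 options (RFC 791) and evaluate option-keyword ACEs (constructed)."""
from dataclasses import dataclass

# Full 8-bit option-type values and the IOS ACL keyword used for each.
OPTION_NAMES = {
    0: "eool", 1: "nop", 7: "record-route", 68: "timestamp", 82: "traceroute",
    130: "security", 131: "lsr", 136: "stream-id", 137: "ssr", 148: "router-alert",
}
SINGLE_OCTET = {0, 1}  # Format 1: option-type only, no length octet

@dataclass(frozen=True)
class IPOption:
    opt_type: int
    copied: bool   # 1-bit copied flag (copy into every fragment)
    cls: int       # 2-bit option class
    number: int    # 5-bit option number
    data: bytes

    @property
    def name(self):
        return OPTION_NAMES.get(self.opt_type, str(self.opt_type))

def decode_type(octet):
    """Split the option-type octet into (copied, class, number)."""
    return bool(octet >> 7), (octet >> 5) & 0x3, octet & 0x1F

def parse_options(header):
    """Return the options carried in an IPv4 header; ValueError on malformed input."""
    if len(header) < 20:
        raise ValueError("short IPv4 header")
    ihl = (header[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(header):
        raise ValueError("IHL inconsistent with header length")
    opts, i, out = header[20:ihl], 0, []
    while i < len(opts):
        t = opts[i]
        copied, cls, num = decode_type(t)
        if t in SINGLE_OCTET:
            out.append(IPOption(t, copied, cls, num, b""))
            i += 1
            if t == 0:       # end of option list: remaining octets are padding
                break
            continue
        if i + 1 >= len(opts):
            raise ValueError("option-type octet without option-length octet")
        length = opts[i + 1]  # counts type, length and data octets
        if length < 2 or i + length > len(opts):
            raise ValueError("option-length runs past the options field")
        out.append(IPOption(t, copied, cls, num, bytes(opts[i + 2:i + length])))
        i += length
    return out

def build_header(options):
    """Constructed IPv4 header (TCP, 10.0.0.1 -> 10.0.0.2, checksum left zero)."""
    options = options + b"\x00" * ((-len(options)) % 4)  # zero pad to 32 bits
    ihl = 5 + len(options) // 4
    total = (20 + len(options)).to_bytes(2, "big")
    return (bytes([0x40 | ihl, 0]) + total + bytes(4) + bytes([64, 6, 0, 0])
            + bytes([10, 0, 0, 1]) + bytes([10, 0, 0, 2]) + options)

# (action, option keyword or None for no option keyword), in sequence order.
MYLIST1 = [("deny", "traceroute"), ("permit", "security"), ("permit", None)]

def evaluate(aces, header):
    """First matching ACE decides; no match is the implicit deny."""
    present = {o.name for o in parse_options(header)}
    for action, option in aces:
        if option is None or option in present:
            return action
    return "deny"
```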
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list {standard | extended} access-list-name
4. [sequence-number] permit protocol source source-wildcard destination destination-wildcard
[option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name]
[fragments]
5. [sequence-number] deny protocol source source-wildcard destination destination-wildcard [option
option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
6. Repeat Step 4 or Step 5 as necessary, adding statements by option value where you planned. Use the
no sequence-number form of this command to delete an entry.
7. end
8. show ip access-lists access-list-name
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip access-list {standard | extended} access-list-name
Specifies the IP access list by name and enters named access list configuration mode.
Note The ACL Support for Filtering IP Options feature works only with named, extended ACLs.
Example:
Router(config)# ip access-list extended mylist1
Step 4 [sequence-number] deny protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Specifies a deny statement in named IP access list mode.
• This access list happens to use a deny statement first, but a permit statement could appear first, depending on the order of statements you need.
• Use the option keyword option-value argument to filter packets that contain a particular IP Option. In this instance any packet that contains the traceroute IP Option will be filtered out.
• Use the no sequence-number form of this command to delete an entry.
Example:
Router(config-ext-nacl)# deny ip any any option traceroute
Step 5 [sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-value] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
(Optional) Specifies a permit statement in named IP access list mode.
• This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements you need.
• Use the option keyword option-value argument to filter packets that contain a particular IP Option. In this instance any packet that contains the security IP Option will be permitted.
• Use the no sequence-number form of this command to delete an entry.
Example:
Router(config-ext-nacl)# permit ip any any option security
Step 6 Repeat Step 4 or Step 5 as necessary, adding statements by sequence number where you planned. Use the no sequence-number form of this command to delete an entry.
Allows you to revise the access list.
Configuring the Access List to Filter Packets That Contain IP Options: Example
The following example shows an extended access list named mylist2 that contains access list entries
(ACEs) that are configured to permit TCP packets only if they contain the IP Options that are specified
in the ACEs:
Router> enable
Router# configure terminal
Router(config)# ip access-list extended mylist2
Router(config-ext-nacl)# 10 permit ip any any option eool
Router(config-ext-nacl)# 20 permit ip any any option record-route
Router(config-ext-nacl)# 30 permit ip any any option zsu
Router(config-ext-nacl)# 40 permit ip any any option mtup
The show access-list command has been entered to show how many packets were matched and therefore
permitted:
Router# show ip access-list mylist2
Where to Go Next
You may also want to enter the no ip options command that is documented in the IP Options
Selective Drop feature in Cisco IOS Release 12.3(4)T.
Additional References
The following sections provide references related to the ACL Support for Filtering IP Options feature.
Related Documents
Related Topic Document Title
Configuring IP access lists: “Configuring IP Services” chapter in the Cisco IOS IP Configuration Guide
IP access list commands: “IP Addressing and Services Commands” chapter in the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3 T
Configuring the router to drop or ignore packets containing IP Options: IP Options Selective Drop feature module for Cisco IOS Release 12.3(4)T
Standards
Standards Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. —
MIBs
MIBs MIBs Link
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
RFCs
RFCs Title
RFC 791 Internet Protocol
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
http://www.cisco.com/public/support/tac/home.shtml
Command Reference
The following modified commands are pertinent to this feature. To see the command pages for these
commands and other commands used with this feature, go to the Cisco IOS Master Commands List,
Release 12.4, at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/
124index.htm.
• deny (IP)
• permit (IP)
The ACL TCP Flags Filtering feature provides a flexible mechanism for filtering on TCP flags. Before
Cisco IOS Release 12.3(4)T, an incoming packet was matched as long as any TCP flag in the packet
matched a flag specified in the access control entry (ACE). This behavior allows for a security loophole,
because packets with all flags set could get past the access control list (ACL). The ACL TCP Flags
Filtering feature allows you to select any desired combination of flags on which to filter. The ability to
match on a flag set and on a flag not set gives you a greater degree of control for filtering on TCP flags,
thus enhancing security.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• Restrictions for ACL TCP Flags Filtering, page 67
• Information About the ACL TCP Flags Filtering Feature, page 68
• How to Configure ACL TCP Flags Filtering, page 69
• Configuration Examples for the ACL TCP Flags Filtering Feature, page 70
• Additional References, page 71
• Command Reference, page 72
Before Cisco IOS Release 12.3(4)T, the following command-line interface (CLI) format could be used
to configure a TCP flag-checking mechanism:
permit tcp any any rst
The following format that represents the same ACE can be used with Cisco IOS Release 12.3(4)T and
later releases:
permit tcp any any match-any +rst
Both CLI formats are accepted; however, if the new keywords match-all or match-any are chosen, they
must be followed by the new flags, which are prefixed with “+” or “-”. Use only the old format or only
the new format within a single ACL; you cannot mix the old and new CLI formats.
Caution If a router having ACEs with the new syntax format is reloaded with an older version of Cisco IOS
software that does not support the ACL TCP Flags Filtering feature, the ACEs will not be applied,
leading to possible security loopholes.
The ACL TCP Flags Filtering Feature is supported only for Cisco IOS ACLs and Turbo ACLs.
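The following added example (not Cisco code) models the two matching behaviours described above: the legacy bare-flag ACE, which matched when any listed flag was set and therefore let an all-flags-set packet through, and the match-any/match-all syntax with +flag (must be set) and -flag (must be clear). It parses the flag byte from a constructed TCP header, evaluates an ACL with first-match and implicit deny, and reproduces the `aaa` access list from the configuration example further down; `ACL_AAA`, the legacy/new comparison ACEs, and the packets are constructed, and the established keyword is not modelled.

```python
"""TCP flag matching before and after Cisco IOS 12.3(4)T (constructed example)."""
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04,
             "psh": 0x08, "ack": 0x10, "urg": 0x20}

def flags_of(tcp_header):
    """Names of the flags set in a raw TCP header (flag byte is at offset 13)."""
    if len(tcp_header) < 20:
        raise ValueError("short TCP header")
    bits = tcp_header[13]
    return {name for name, mask in TCP_FLAGS.items() if bits & mask}

def parse_flag_spec(spec):
    """Parse the flag part of an ACE: legacy 'rst ack' or 'match-all +ack -syn'."""
    words = spec.split()
    if words and words[0] in ("match-any", "match-all"):
        mode, terms = words[0], words[1:]
        if not terms or any(t[:1] not in ("+", "-") or t[1:] not in TCP_FLAGS
                            for t in terms):
            raise ValueError("match-any/match-all require +flag or -flag terms")
        return mode, [(t[1:], t[0] == "+") for t in terms]
    if not words or any(w not in TCP_FLAGS for w in words):
        raise ValueError("legacy format takes bare flag names only")
    return "legacy", [(w, True) for w in words]

def ace_matches(spec, flags):
    mode, terms = parse_flag_spec(spec)
    if mode == "legacy":
        # Pre-12.3(4)T: the ACE matched as soon as ANY listed flag was set.
        return any(name in flags for name, _ in terms)
    # +flag requires the bit set, -flag requires it clear.
    results = [(name in flags) == want_set for name, want_set in terms]
    return all(results) if mode == "match-all" else any(results)

def evaluate(aces, flags):
    """First matching ACE decides; no match is the implicit deny."""
    for action, spec in aces:
        if ace_matches(spec, flags):
            return action
    return "deny"

def tcp_header(flag_bits):
    """Constructed 20-byte TCP header, src 40000 -> dst 23, given flag bits."""
    hdr = bytearray(20)
    hdr[0:2] = (40000).to_bytes(2, "big")
    hdr[2:4] = (23).to_bytes(2, "big")
    hdr[12] = 0x50  # data offset: 5 words, no TCP options
    hdr[13] = flag_bits
    return bytes(hdr)

# The access list from the configuration example, as (action, flag spec).
ACL_AAA = [("permit", "match-all +ack +syn"),
           ("permit", "match-any -urg +syn -psh")]

def loophole_demo():
    """Return-traffic rule written both ways, tested against an all-flags-set packet."""
    everything = flags_of(tcp_header(0x3F))
    legacy = [("permit", "ack")]                    # permit tcp any any ack
    new = [("permit", "match-all +ack -syn")]       # permit tcp any any match-all +ack -syn
    return evaluate(legacy, everything), evaluate(new, everything)
```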
Configuring the ACE to Filter TCP Packets and Verifying the Configuration
To configure ACEs to filter TCP packets and verify TCP packet filtering, complete the following steps.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list {standard | extended} access-list-name
4. [sequence-number] permit tcp source source-wildcard [operator [port]] destination
destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name]
[precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
5. [sequence-number] deny tcp source source-wildcard [operator [port]] destination
destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name]
[precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
6. Repeat Step 4 or Step 5 as necessary, adding statements by sequence number where you planned.
Use the no sequence-number command to delete an entry.
7. end
8. show ip access-lists access-list-name
DETAILED STEPS
Example:
Router# configure terminal
Step 3 ip access-list {standard | extended} access-list-name
Specifies the IP access list by name and enters named access list configuration mode.
Note The ACL TCP Flags Filtering feature works only with named, extended ACLs.
Example:
Router(config)# ip access-list extended kmd1
Configuring the ACE to Filter TCP Packets Based on TCP Flags: Example
The following ACE has been configured to allow TCP packets only if the TCP flags SYN and ACK are
set and the FIN flag is not set:
Router> enable
Router# configure terminal
Router(config)# ip access-list extended aaa
Router(config-ext-nacl)# permit tcp any any match-all +ack +syn
Router(config-ext-nacl)# permit tcp any any match-any -urg +syn -psh
Router(config-ext-nacl)# end
The show access-list command has been entered to show the following matches based on the configured
ACLs:
Router# show access-list aaa
Additional References
The following sections provide references related to the ACL TCP Flags Filtering feature.
Related Documents
Related Topic Document Title
Configuring IP access lists: “Configuring IP Services” chapter in the Cisco IOS IP Configuration Guide, IPC, Part 1: IP Addressing and Services, Release 12.3
IP access list commands: “IP Services Commands” chapter in the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services, Release 12.3 T
Standards
Standards Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. —
MIBs
MIBs MIBs Link
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
RFCs
RFCs Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. —
Technical Assistance
Description Link
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
http://www.cisco.com/public/support/tac/home.shtml
Command Reference
The following modified commands are pertinent to this feature. To see the command pages for these
commands and other commands used with this feature, go to the Cisco IOS Master Commands List,
Release 12.4, at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/
124index.htm.
• deny (IP)
• permit (IP)
The ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry feature allows
you to specify noncontiguous ports on the same access control entry (ACE), which greatly reduces the
number of access list entries required in an access control list (ACL) when several ACEs have the same
source address, destination address, and protocol, but differ only in the ports. If you maintain large
numbers of access list entries that fall under this category, we recommend that you configure this feature.
Feature History for the ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry Feature
Release Modification
12.3(7)T This feature was introduced.
12.2(25)S This feature was integrated into Cisco IOS Release 12.2(25)S.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• Restrictions for the ACL—Named ACL Support for Noncontiguous Ports on an Access Control
Entry Feature, page 74
• Information About the ACL—Named ACL Support for Noncontiguous Ports on an Access Control
Entry Feature, page 74
• How to Configure an Access List Entry with Noncontiguous Ports, page 74
• Configuration Examples for the ACL—Support for Noncontiguous Ports on an Access List Entry
Feature, page 78
• Additional References, page 79
• Command Reference, page 80
SUMMARY STEPS
1. enable
2. configure terminal
3. ip access-list {standard | extended} access-list-name
4. [sequence-number] permit tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
DETAILED STEPS
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 ip access-list {standard | extended} access-list-name
Specifies the IP access list by name and enters named access list configuration mode.
Note The ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry feature works only with named, extended ACLs.
Example:
Router(config)# ip access-list extended kmd1
Step 4 [sequence-number] permit tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator [port]] [established | {match-any | match-all} {+ | -} flag-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
Specifies a permit statement in named IP access list configuration mode.
• This access list happens to use a permit statement first, but a deny statement could appear first, depending on the order of statements needed.
• You can configure up to ten ports after the eq and neq operators.
Example:
Router(config-ext-nacl)# permit tcp any eq telnet ftp any eq 450 679
Consolidating Access List Entries with Noncontiguous Ports into One Access
List Entry
This task consolidates a group of access list entries with noncontiguous ports into one access list entry.
SUMMARY STEPS
1. enable
2. show ip access-lists access-list-name
3. configure terminal
4. ip access-list {standard | extended} access-list-name
5. [sequence-number] permit protocol source source-wildcard destination destination-wildcard
[option option-name] [precedence precedence] [tos tos] [log] [time-range time-range-name]
[fragments]
6. [sequence-number] permit protocol source source-wildcard destination destination-wildcard
[option option-name] [precedence precedence] [tos tos] [log] [time-range time-range-name]
[fragments]
7. Repeat Step 5 or Step 6 as necessary. Use the no sequence-number command to delete an entry.
8. end
9. show ip access-lists access-list-name
DETAILED STEPS
Step 3 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 4 ip access-list {standard | extended} access-list-name
Specifies the IP access list by name and enters named access list configuration mode.
Note The ACL—Named ACL Support for Noncontiguous Ports on an Access Control Entry feature works only with named, extended ACLs.
Example:
Router(config)# ip access-list extended mylist1
Step 5 no sequence-number
(Required) Removes the redundant access list entries that can be consolidated.
• Repeat this step to remove all applicable access list entries.
• This access list happens to use only permit statements, but a deny statement could also appear, depending on the order of statements needed.
• In this instance, the access list entries numbered 10, 20, 30, and 40 are removed because they will be consolidated into one permit statement. (Repeat this step to remove entries 20, 30, and 40.)
Example:
Router(config-ext-nacl)# no 10
Step 6 [sequence-number] permit protocol source source-wildcard destination destination-wildcard [option option-name] [precedence precedence] [tos tos] [log] [time-range time-range-name] [fragments]
(Required) Specifies a permit statement in named access list configuration mode.
• This access list happens to use a permit statement first, but a deny statement could also appear first, depending on the order of statements needed.
• In this instance, a group of access list entries with noncontiguous ports was consolidated into one permit statement. You can configure up to ten ports after the eq and neq operators.
Example:
Router(config-ext-nacl)# permit tcp any neq 45 565 632 any eq 23 45 34 43
Enter the show access-lists command to display the newly created access list entry.
Router# show access-lists aaa
Consolidating Some Existing Access List Entries into One Access List Entry
with Noncontiguous Ports: Example
The show access-lists command is used to display a group of access list entries for the access list named
abc:
Router# show access-lists abc
Because the entries are all for the same permit statement and simply show different ports, they can be
consolidated into one new access list entry. The following example shows the removal of the redundant
access list entries and the creation of a new access list entry that consolidates the previously displayed
group of access list entries:
Router# configure terminal
Router(config)# ip access-list extended abc
Router(config-ext-nacl)# no 10
Router(config-ext-nacl)# no 20
Router(config-ext-nacl)# no 30
Router(config-ext-nacl)# no 40
Router(config-ext-nacl)# permit tcp any eq telnet ftp any eq 450 679
Router(config-ext-nacl)# end
When the show access-lists command is reentered, the consolidated access list entry is displayed:
Router# show access-lists abc
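The consolidation above is mechanical, but it has one trap worth checking before typing the commands: if the entries being merged vary in both the source ports and the destination ports, a single ACE with both port lists matches every source/destination port combination, including pairs that none of the original entries permitted. The following Python script, added here and not part of the Cisco documentation, parses entries in show access-lists style, groups the ones that differ only in ports, emits replacement ACEs that respect the ten-port limit after eq and neq, and flags any group whose consolidation would widen the policy. The ACE grammar it accepts, the helper names, and the sample entries are assumptions made for this example.

```python
"""Consolidate extended-ACL entries that differ only in their ports.

Added example, not Cisco code. Entries with the same action, protocol, source,
destination and port operator collapse into one ACE, and IOS accepts at most
ten ports after eq or neq. The grammar is an assumption limited to the forms
shown on this page: [seq] permit|deny proto SRC [eq|neq ports...] DST
[eq|neq ports...] [options], with SRC/DST = 'any', 'host A.B.C.D' or 'A.B.C.D W.W.W.W'.
"""
import re
from itertools import product

MAX_PORTS_PER_ACE = 10                       # IOS limit after eq/neq
_ADDR = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
_TRAILING = {"log", "established", "fragments", "precedence", "tos", "time-range"}

def _is_addr_start(tok):
    return tok in ("any", "host") or bool(_ADDR.match(tok))

def _take_addr(toks, i):
    if toks[i] == "any":
        return "any", i + 1
    if toks[i] == "host":
        return "host " + toks[i + 1], i + 2
    if _ADDR.match(toks[i]) and i + 1 < len(toks) and _ADDR.match(toks[i + 1]):
        return toks[i] + " " + toks[i + 1], i + 2
    raise ValueError("unrecognised address at %r" % (toks[i:],))

def _take_ports(toks, i, stop):
    """Collect the ports after eq/neq until stop(token) is true."""
    if i < len(toks) and toks[i] in ("eq", "neq"):
        op, ports, i = toks[i], [], i + 1
        while i < len(toks) and not stop(toks[i]):
            ports.append(toks[i])
            i += 1
        return op, tuple(ports), i
    return "", (), i

def parse_ace(line):
    toks = line.split()
    seq = None
    if toks[0].isdigit():                    # show access-lists output carries a sequence number
        seq, toks = int(toks[0]), toks[1:]
    src, i = _take_addr(toks, 2)
    src_op, src_ports, i = _take_ports(toks, i, _is_addr_start)
    dst, i = _take_addr(toks, i)
    dst_op, dst_ports, i = _take_ports(toks, i, lambda t: t in _TRAILING)
    return dict(seq=seq, action=toks[0], proto=toks[1], src=src, src_op=src_op,
                src_ports=src_ports, dst=dst, dst_op=dst_op, dst_ports=dst_ports,
                rest=" ".join(toks[i:]))

def _chunks(ports):                          # no ACE may carry more than ten ports
    return [ports[i:i + MAX_PORTS_PER_ACE]
            for i in range(0, len(ports), MAX_PORTS_PER_ACE)] or [()]

def _render(a, src_ports, dst_ports):
    parts = [a["action"], a["proto"], a["src"]]
    if a["src_op"]:
        parts += [a["src_op"], *src_ports]
    parts.append(a["dst"])
    if a["dst_op"]:
        parts += [a["dst_op"], *dst_ports]
    if a["rest"]:
        parts.append(a["rest"])
    return " ".join(parts)

def consolidate(lines):
    """Group ACEs that differ only in ports and propose replacement entries.

    'exact' is False when ports vary on BOTH sides: the merged ACE then matches
    every (source port, destination port) pair, including pairs no original
    entry permitted, so it widens the policy and must be reviewed by hand.
    """
    groups = {}
    for a in map(parse_ace, lines):
        key = (a["action"], a["proto"], a["src"], a["src_op"],
               a["dst"], a["dst_op"], a["rest"])
        groups.setdefault(key, []).append(a)
    results = []
    for members in groups.values():
        if len(members) < 2:
            continue
        src_u, dst_u = [], []
        for a in members:                    # union of ports in first-seen order
            src_u += [p for p in a["src_ports"] if p not in src_u]
            dst_u += [p for p in a["dst_ports"] if p not in dst_u]
        original = {pair for a in members for pair in
                    product(a["src_ports"] or ("",), a["dst_ports"] or ("",))}
        merged = set(product(src_u or ("",), dst_u or ("",)))
        aces = [_render(members[0], s, d)
                for s in _chunks(tuple(src_u)) for d in _chunks(tuple(dst_u))]
        results.append(dict(remove=[a["seq"] for a in members],
                            aces=aces, exact=merged == original))
    return results

# Constructed sample in show access-lists style; not output from a real router.
SAMPLE = [
    "10 permit tcp any eq telnet any eq 450",
    "20 permit tcp any eq telnet any eq 679",
    "30 permit tcp any eq ftp any eq 450",
    "40 permit tcp any eq ftp any eq 679",
    "50 deny tcp any host 10.1.1.1 eq 23 log",
]

if __name__ == "__main__":
    for r in consolidate(SAMPLE):
        print("no " + " / no ".join(map(str, r["remove"])), "->", r["aces"],
              "exact" if r["exact"] else "WIDENS POLICY")
```

Run against SAMPLE, the script proposes removing entries 10 through 40 and replacing them with permit tcp any eq telnet ftp any eq 450 679, the same entry the page configures, and reports the merge as exact because the four originals already cover every telnet/ftp by 450/679 combination. Two entries such as any eq 80 to eq 1024 and any eq 443 to eq 2048 would be reported as widening the policy, since the merged ACE would also admit 80 to 2048 and 443 to 1024.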
Additional References
The following sections provide references related to the ACL—Named ACL Support for Noncontiguous
Ports on an Access Control Entry feature.
Related Documents
Related Topic Document Title
Configuring IP access lists “Configuring IP Services” chapter in the Cisco IOS IP
Configuration Guide.
IP access list commands “IP Services Commands” chapter in the Cisco IOS IP Command
Reference, Volume 1 of 3: Addressing and Services, Release 12.3 T
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Technical Assistance
Description: Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/public/support/tac/home.shtml
Command Reference
The following modified commands are pertinent to this feature. To see the command pages for these
commands and other commands used with this feature, go to the Cisco IOS Master Commands List,
Release 12.4, at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/
124index.htm.
• deny (IP)
• permit (IP)
The Transmission Control Protocol (TCP) is a protocol that specifies the format of data and
acknowledgments used in data transfer. TCP is a connection-oriented protocol because participants must
establish a connection before data can be transferred. By performing flow control and error detection with
retransmission, TCP provides reliable, in-sequence delivery of data. It is considered a reliable protocol because if
a segment is lost or arrives out of order, the sender retransmits it until the receiver acknowledges the data in order.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• How to Configure TCP Performance Parameters, page 83
Command Purpose
Router(config)# ip tcp synwait-time seconds Sets the amount of time the Cisco IOS software will wait to attempt to establish a TCP connection. The default is 30 seconds.
Command Purpose
Router(config)# ip tcp path-mtu-discovery [age-timer Enables Path MTU Discovery.
{minutes | infinite}]
Customers using TCP connections to move bulk data between systems on distinct subnets would benefit
most by enabling this feature. Customers using remote source-route bridging (RSRB) with TCP
encapsulation, serial tunnel (STUN), X.25 Remote Switching (also known as XOT or X.25 over TCP),
and some protocol translation configurations might also benefit from enabling this feature.
The ip tcp path-mtu-discovery global configuration command enables Path MTU Discovery for
connections initiated by the router when it is acting as a host. For a discussion of how the Cisco IOS
software supports Path MTU Discovery when the device is acting as a router, see the
“Understanding Path MTU Discovery” section in the “Configuring IP Services” chapter.
The age-timer is the interval at which TCP re-estimates the path MTU by probing with a larger
maximum segment size (MSS). The default Path MTU Discovery age-timer is 10 minutes; its maximum
is 30 minutes. You can turn off the age timer by setting it to infinite.
Prior to selective acknowledgment, if TCP lost packets 4 and 7 out of an 8-packet window, TCP would
receive acknowledgment of only packets 1, 2, and 3. Packets 4 through 8 would need to be re-sent. With
selective acknowledgment, TCP receives acknowledgment of packets 1, 2, 3, 5, 6, and 8. Only packets
4 and 7 must be re-sent.
Refer to RFC 2018 for more detailed information on TCP selective acknowledgment.
The feature is used only when multiple packets are dropped within one TCP window. There is no
performance impact when the feature is enabled but not used. To enable TCP selective acknowledgment,
use the following command in global configuration mode:
Command Purpose
Router(config)# ip tcp selective-ack Enables TCP selective acknowledgment.
Command Purpose
Router(config)# ip tcp timestamp Enables TCP time stamp.
If you want to use TCP header compression over a serial line, TCP time stamp and TCP selective
acknowledgment must be disabled. Both features are disabled by default. To disable TCP selective
acknowledgment once it is enabled, see the previous “Enabling TCP Selective Acknowledgment”
section.
Command Purpose
Router(config)# ip tcp chunk-size characters Sets the TCP maximum read size for Telnet or rlogin.
Command Purpose
Router(config)# ip tcp window-size bytes Sets the TCP window size.
Command Purpose
Router(config)# ip tcp queuemax packets Sets the TCP outgoing queue size.
Feature History
Release Modification
12.2(8)T This feature was introduced.
This document describes the TCP Window Scaling feature and includes the following sections:
• Feature Overview, page 87
• Supported Platforms, page 88
• Supported Standards, MIBs, and RFCs, page 89
• Prerequisites, page 89
• Configuration Tasks, page 89
• Configuration Examples, page 90
• Command Reference, page 90
• Glossary, page 91
Feature Overview
The TCP Window Scaling feature adds support for the Window Scaling option in RFC 1323. A larger
window size is recommended to improve TCP performance in network paths with large bandwidth and
long delay, known as Long Fat Networks (LFNs). This TCP Window Scaling enhancement provides that support.
The window scaling extension in Cisco IOS software expands the definition of the TCP window to
32 bits and then uses a scale factor to carry this 32-bit value in the 16-bit window field of the TCP header.
The scale factor (the shift count carried in the option) can be as large as 14. Typical applications use a
scale factor of 3 when deployed in LFNs.
Benefits
The Cisco IOS window scaling feature complies with RFC 1323, TCP Extensions for High Performance.
The maximum window size has been increased to 1,073,741,823 bytes. The larger scalable window size
will allow TCP to perform better over LFNs.
Related Documents
• Cisco IOS IP Configuration Guide, Release 12.2.
Supported Platforms
• Cisco 800
• Cisco 805
• Cisco 820
• Cisco 1400 series
• Cisco 1600 series
• Cisco 1600R
• Cisco 1700 series
• Cisco 2600 series
• Cisco 3620
• Cisco 3640
• Cisco 3660
• Cisco 7100 series
• Cisco 7200 series
• Cisco 7500 series
• Cisco VG200
• Cisco CVA120 series
• Cisco soho70
• Cisco uBR7200 series
• Cisco uBR920
• Cisco uBR925
To access Cisco Feature Navigator, you must have an account on Cisco.com. If you have forgotten or
lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check
will verify that your e-mail address is registered with Cisco.com. If the check is successful, account
details with a new random password will be e-mailed to you. Qualified users can establish an account
on Cisco.com by following the directions at http://www.cisco.com/register.
Cisco Feature Navigator is updated regularly when major Cisco IOS software releases and technology
releases occur. For the most current information, go to the Cisco Feature Navigator home page at the
following URL:
http://www.cisco.com/go/fn
MIBs
No new or modified MIBs are supported by this feature.
To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules,
go to the Cisco MIB website on Cisco.com at the following URL:
http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml
RFCs
• RFC 1323, TCP Extensions for High Performance, the Window Scaling option
Prerequisites
Both sides of the link must be configured to support window scaling or the default of 65,535 bytes will
apply as the maximum window size.
Configuration Tasks
See the following sections for configuration tasks for the TCP Window Scaling feature. Each task in the
list is identified as either required or optional.
• Setting the TCP Window Size (required)
• Verifying the Window Scaling Configuration (optional)
Command Purpose
Router(config)# ip tcp window-size bytes Specifies the scaled TCP window size.
The bytes argument can be set to an integer from 0 to
1,073,741,823. To enable window scaling to support LFNs, the
TCP window size must be more than 65,535. The default
window size is 4128 if window scaling is not configured.
Troubleshooting Tips
Use the debug ip tcp Winscale EXEC command to enable diagnostic output concerning various events
relating to the operation of the TCP Window Scaling feature to be displayed on a console. The debug ip
tcp Winscale command is intended only for troubleshooting purposes because the volume of output
generated by the software when it is used can result in severe performance degradation on the router.
Configuration Examples
The following configuration example shows a TCP window size of 750,000 bytes being configured:
ip tcp window-size 750000
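The following Python example, added here and not part of the Cisco documentation, works through the arithmetic behind the limits above: the shift count needed to carry a given window in the 16-bit field, the RFC 1323 option bytes that announce it in the SYN, why the maximum of 1,073,741,823 bytes maps to shift 14 (and is actually advertised as 1,073,725,440 once the low bits are truncated), and the fall-back to 65,535 bytes when the peer does not send the option, which is the prerequisite stated above. The function names and the bandwidth and round-trip figures used in the test are assumptions.

```python
"""TCP window scaling arithmetic (RFC 1323). Added example, not Cisco code."""
MAX_SHIFT = 14                      # largest shift count RFC 1323 allows
MAX_WINDOW = (1 << 30) - 1          # 1,073,741,823 bytes, the limit stated above
FIELD_MAX = 0xFFFF                  # the unscaled 16-bit window field

def shift_for_window(window_bytes):
    """Smallest shift count that lets the 16-bit field carry window_bytes."""
    if not 0 <= window_bytes <= MAX_WINDOW:
        raise ValueError("window must be 0..%d" % MAX_WINDOW)
    shift = 0
    while (window_bytes >> shift) > FIELD_MAX:
        shift += 1
    return shift            # MAX_WINDOW >> 14 == 0xFFFF, so this never exceeds 14

def encode_window(window_bytes, shift):
    """Value written to the window field; bits below the shift are dropped."""
    return (window_bytes >> shift) & FIELD_MAX

def decode_window(field, shift):
    """Window the peer computes from the field and the shift learned at SYN time."""
    return field << shift

def window_scale_option(shift):
    """RFC 1323 option: kind 3, length 3, shift count, plus a NOP pad to 4 bytes."""
    if not 0 <= shift <= MAX_SHIFT:
        raise ValueError("shift must be 0..%d" % MAX_SHIFT)
    return bytes([3, 3, shift, 1])

def parse_window_scale(options):
    """Shift count found in a TCP options blob, or None if the option is absent."""
    i = 0
    while i < len(options):
        kind = options[i]
        if kind == 0:                       # end of option list
            return None
        if kind == 1:                       # NOP
            i += 1
            continue
        if i + 1 >= len(options):
            return None
        length = options[i + 1]
        if length < 2:                      # malformed length: stop rather than loop
            return None
        if kind == 3:
            return options[i + 2]
        i += length
    return None

def negotiated_window(local_bytes, local_shift, peer_shift):
    """Receive window the peer will honour for this side.

    Scaling is in effect only when both SYNs carried the option (the
    prerequisite stated above); otherwise the field caps the window at 65,535.
    """
    if peer_shift is None:
        return min(local_bytes, FIELD_MAX)
    return decode_window(encode_window(local_bytes, local_shift), local_shift)

def bandwidth_delay_product(bits_per_second, rtt_seconds):
    """Bytes that must be in flight to fill an LFN; the window should be at least this."""
    return int(bits_per_second * rtt_seconds / 8)
```

For the 750,000-byte window configured above, shift_for_window returns 4 and the field carries 46,875, which decodes back to exactly 750,000. A constructed 45 Mbit/s satellite path with a 600 ms round trip needs about 3.4 MB in flight and therefore shift 6; with a peer that omits the option, negotiated_window shows the same 750,000-byte configuration collapsing to 65,535.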
Command Reference
The following modified command is pertinent to this feature. To see the command pages for this
command and other commands used with this feature, go to the Cisco IOS Master Commands List,
Release 12.4, at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/
124index.htm.
• ip tcp window-size
Glossary
LFN—Long Fat Networks. Large bandwidth, long-delay networks where the throughput is high and the
transmission distance is long. Networks with satellite connections are one example of an LFN. Satellite
links always have high propagation delays and typically have high bandwidth.
TCP—Transmission Control protocol. Connection-oriented transport layer protocol that provides
reliable full-duplex data transmission. TCP is part of the TCP/IP protocol stack.
The TCP Congestion Avoidance feature enables the monitoring of acknowledgement packets to the TCP
sender when multiple packets are lost in a single window of data. Previously the sender would exit
Fast Recovery mode and either wait for three or more duplicate acknowledgement packets before retransmitting
the next unacknowledged packet, or wait for the retransmission timer to expire and return to slow start. This
could lead to performance issues.
To monitor the acknowledgement packets, the output of the debug ip tcp transactions command has
been enhanced to show the following conditions:
• TCP entering Fast Recovery mode.
• Duplicate acknowledgements being received during Fast Recovery mode.
• Partial acknowledgements being received.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• Additional References, page 94
• Command Reference, page 94
Additional References
The following sections provide references related to the TCP Congestion Avoidance feature.
Related Documents
Related Topic Document Title
Debug commands Cisco IOS Debug Command Reference, Release 12.3 T
MIBs
None.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
Technical Assistance
Description: Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/public/support/tac/home.shtml
Command Reference
The following modified command is pertinent to this feature. To see the command pages for this
command and other commands used with this feature, go to the Cisco IOS Master Commands List,
Release 12.4, at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/
124index.htm.
• debug ip tcp transactions
The TCP Explicit Congestion Notification (ECN) feature provides a method for an intermediate router
to notify the end hosts of impending network congestion. It also provides enhanced support for TCP
sessions associated with applications that are sensitive to delay or packet loss including Telnet, web
browsing, and transfer of audio and video data. The benefit of this feature is the reduction of delay and
packet loss in data transmissions.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
Contents
• How to Configure TCP Explicit Congestion Notification, page 96
• Configuration Examples for TCP Explicit Congestion Notification, page 99
• Additional References, page 100
• Command Reference, page 101
Prerequisites
The remote peer must be ECN enabled because the ECN capability is negotiated during a 3-way
handshake with the remote peer.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip tcp ecn
4. exit
DETAILED STEPS
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 ip tcp ecn
Enables ECN for TCP.
Example:
Router(config)# ip tcp ecn
Step 4 exit
Exits global configuration mode.
Example:
Router(config)# exit
SUMMARY STEPS
1. show running-config
2. show tcp tcb address
3. show tcp brief all
4. debug ip tcp ecn
5. show debugging
DETAILED STEPS
Building configuration...
!Local host
!
Connection state is ESTAB, I/O status: 1, unread input bytes: 0
Before a TCP connection can use ECN, a host sends an ECN-setup SYN (synchronization) packet to the
remote end with the ECE and CWR bits set in the TCP header. This indicates to the remote end that the
sending TCP is ECN-capable; it is not an indication of congestion. If the remote end is also ECN-capable,
it replies with an ECN-setup SYN-ACK (acknowledgment) packet.
In the example above, the “out ECN-setup SYN” text means that a SYN packet with the ECE and CWR
bits set was sent to the remote end. The “in non-ECN-setup SYN-ACK” text means that the remote end
did not favorably acknowledge the ECN request, and therefore the session is not ECN capable.
The following debug output shows that ECN capabilities are enabled at both ends. In response to the
ECN-setup SYN, the other end favorably replied with an ECN-setup SYN-ACK message. This
connection is now ECN capable for the rest of the session.
Router# telnet 10.10.10.10
Building configuration...
hostname Router
!
boot-start-marker
boot-end-marker
!
no aaa new-model
ip subnet-zero
!
ip tcp ecn ! ECN is configured.
!
ip cef
!
interface FastEthernet0/0
no ip address
shutdown
duplex half
!
interface Ethernet1/0
ip address 10.1.25.35 255.255.255.0
duplex half
!
interface Ethernet1/1
no ip address
shutdown
duplex half
!
interface Ethernet1/2
no ip address
shutdown
duplex half
!
interface Ethernet1/3
ip address 23.23.23.6 255.255.255.0
shutdown
duplex half
!
end
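The following Python example, added here and not Cisco code, builds minimal TCP headers and classifies them the way the debug text above does. Per RFC 3168, an ECN-setup SYN carries both ECE and CWR, an ECN-setup SYN-ACK carries ECE only, and a SYN-ACK without ECE means the peer declined, so the session is not ECN capable even though the local side is configured with ip tcp ecn. The header builder leaves the checksum at zero, and the port and sequence numbers are arbitrary; both are assumptions made for this example.

```python
"""ECN-setup handshake check (RFC 3168 section 6.1.1). Added example, not Cisco code."""
import struct

FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))

def build_tcp_header(sport, dport, seq, ack, flags, window=4128):
    """20-byte TCP header without options; checksum and urgent pointer are zero (assumption)."""
    off_flags = (5 << 12) | flags            # data offset 5 words, flag bits in the low byte
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, window, 0, 0)

def flags_of(header):
    """The eight classic flag bits; the NS bit (RFC 3540) is ignored here."""
    return struct.unpack("!H", header[12:14])[0] & 0xFF

def classify(header):
    """Label a header the way the debug output on this page does."""
    f = flags_of(header)
    if f & SYN and not f & ACK:
        return "ECN-setup SYN" if (f & ECE and f & CWR) else "non-ECN-setup SYN"
    if f & SYN and f & ACK:
        return "ECN-setup SYN-ACK" if (f & ECE and not f & CWR) else "non-ECN-setup SYN-ACK"
    return "other"

def make_syn(ecn_enabled):
    """Initiator's SYN: ECE and CWR set only when the local side has ip tcp ecn."""
    flags = SYN | (ECE | CWR if ecn_enabled else 0)
    return build_tcp_header(40000, 23, 1000, 0, flags)

def make_synack(received_syn, ecn_enabled):
    """Responder's SYN-ACK: ECE set only if it is ECN-enabled AND the SYN was ECN-setup."""
    agree = ecn_enabled and classify(received_syn) == "ECN-setup SYN"
    flags = SYN | ACK | (ECE if agree else 0)
    return build_tcp_header(23, 40000, 5000, 1001, flags)

def negotiate(local_ecn, peer_ecn):
    """Simulate the 3-way handshake; return (debug-style trace, session ECN capable?)."""
    syn = make_syn(local_ecn)
    synack = make_synack(syn, peer_ecn)
    trace = ["out " + classify(syn), "in " + classify(synack)]
    capable = (classify(syn) == "ECN-setup SYN"
               and classify(synack) == "ECN-setup SYN-ACK")
    return trace, capable

if __name__ == "__main__":
    for local, peer in ((True, True), (True, False), (False, True)):
        trace, capable = negotiate(local, peer)
        print(local, peer, trace, "ECN capable" if capable else "not ECN capable")
```

negotiate(True, False) reproduces the first case described above, "out ECN-setup SYN" followed by "in non-ECN-setup SYN-ACK" with the session not ECN capable; negotiate(True, True) reproduces the second, where both ends agree.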
Additional References
The following sections provide references related to the TCP Explicit Congestion Notification feature.
Related Documents
Related Topic Document Title
IP configuration overview Cisco IOS IP Configuration Guide
IP commands Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and
Services, Release 12.3 T
Configuration fundamentals Cisco IOS Configuration Fundamentals and Network Management
Configuration Guide
MIBs
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC 3168, The Addition of Explicit Congestion Notification (ECN) to IP
Technical Assistance
Description: Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/public/support/tac/home.shtml
Command Reference
The following new and modified commands are pertinent to this feature. To see the command pages for
these commands and other commands used with this feature, go to the Cisco IOS Master Commands List,
Release 12.4, at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/
124index.htm.
• debug ip tcp ecn
• ip tcp ecn
• show debugging
• show tcp
This chapter describes how to configure the IOS Server Load Balancing (SLB) feature. For a complete
description of the SLB commands in this chapter, refer to the “Server Load Balancing Commands”
chapter of the Cisco IOS IP Command Reference, Volume 1 of 3: Addressing and Services. To locate
documentation of other commands that appear in this chapter, use the command reference master index
or search online.
To identify the hardware platform or software image information associated with a feature, use the
Feature Navigator on Cisco.com to search for information about the feature or refer to the software
release notes for a specific release. For more information, see the “Identifying Supported Platforms”
section in the “Using Cisco IOS Software for Release 12.4” chapter in this book.
The SLB feature is a Cisco IOS-based solution that provides IP server load balancing. Using the
IOS SLB feature, the network administrator defines a virtual server that represents a group of real
servers in a cluster of network servers known as a server farm. In this environment the clients are
configured to connect to the IP address of the virtual server. The virtual server IP address is configured as a
loopback address, or secondary IP address, on each of the real servers. When a client initiates a connection
to the virtual server, the IOS SLB function chooses a real server for the connection based on a configured
load-balancing algorithm.
IOS SLB shares the same software code base as Cisco IOS software and has all the software features sets
of Cisco IOS software. IOS SLB is recommended for customers desiring complete integration of SLB
technology into traditional Cisco switches and routers.
On the Catalyst 6500 switch, IOS SLB takes advantage of hardware acceleration to forward data packets
at very high speed when running in dispatched mode.
IOS SLB assures continuous, high availability of content and applications with proven techniques for
actively managing servers and connections in a distributed environment. By distributing user requests
across a cluster of servers, IOS SLB optimizes responsiveness and system capacity, and dramatically
reduces the cost of providing Internet, database, and application services for large-scale sites as well as
small- and medium-sized sites.
IOS SLB facilitates scalability, availability, and ease of maintenance as follows:
• The addition of new physical (real) servers, and the removal or failure of existing servers, can occur
at any time, transparently, without affecting the availability of the virtual server.
• The slow start capability of IOS SLB allows a new server to increase its load gradually, preventing
failures caused by assigning the server too many new connections too quickly.
• IOS SLB supports fragmented packets and packets with IP options, buffering your servers from
client or network vagaries that are beyond your control.
Administration of server applications is easier. Clients know only about virtual servers; no
administration is required for real server changes.
Security of the real server is provided because its address is never announced to the external network.
Users are familiar only with the virtual IP address. You can filter unwanted flows based on both IP
address and TCP or UDP port numbers. Though it does not eliminate the need for a firewall, IOS SLB
also can help protect against some denial-of-service attacks.
In a branch office, IOS SLB allows balancing of multiple sites and disaster recovery in the event of
full-site failure, and distributes the work of load balancing.
Figure 2 illustrates a logical view of IOS SLB.
Figure 2 Logical View of IOS SLB (clients; Catalyst 4840G with IOS SLB; virtual server)
• SynGuard
• Dynamic Feedback Protocol for IOS SLB
• Alternate IP Addresses
• Transparent Web Cache Balancing
• NAT
• Redundancy Enhancement—Stateless Backup
Note With weighted round robin, assigning a weight of n = 1 to all of the servers in the server farm configures the IOS SLB switch to use a simple round robin algorithm.
Note With weighted least connections, assigning a weight of n = 1 to all of the servers in the server farm configures the IOS SLB switch to use a simple least-connection algorithm.
Port-Bound Servers
When you define a virtual server, you must specify the TCP or UDP port handled by that virtual server.
However, if you configure NAT on the server farm, you can also configure port-bound servers.
Port-bound servers allow one virtual server IP address to represent one set of real servers for one service,
such as HTTP, and a different set of real servers for another service, such as Telnet.
Packets destined for a virtual server address for a port that is not specified in the virtual server definition
are not redirected.
IOS SLB supports both port-bound and nonport-bound servers, but port-bound servers are
recommended.
Sticky Connections
When you use sticky connections, new connections from a client IP address or subnet are assigned to the
same real server as were previous connections from that address or subnet.
IOS SLB creates sticky objects to track client assignments. The sticky objects remain in the IOS SLB
database after the last sticky connection is deleted, for a period defined by a configurable sticky timer. If
the timer is configured on a virtual server, new connections from a client are sent to the same real server
that handled the previous client connection, provided one of the following conditions is true:
• A connection for the same client already exists.
• The amount of time between the end of a previous connection from the client and the start of the
new connection is within the timer duration.
Sticky connections also permit the coupling of services that are handled by more than one virtual server.
This allows connection requests for related services to use the same real server. For example, Web server
(HTTP) typically uses TCP port 80, and HTTP over Secure Socket Layer (HTTPS) uses port 443. If
HTTP virtual servers and HTTPS virtual servers are coupled, connections for ports 80 and 443 from the
same client IP address or subnet are assigned to the same real server.
Maximum Connections
The maximum connections feature allows you to configure a limit on the number of active connections
that a real server can handle.
Automatic Unfail
When a real server fails and is removed from the list of active servers, it is assigned no new connections
for a length of time specified by a configurable retry timer. After that timer expires, the server is again
eligible for new virtual server connections and IOS SLB sends the server the next connection for which
it qualifies. If the connection is successful, the failed server is again placed back on the list of active real
servers. If the connection is unsuccessful, the server remains out of service and the retry timer is reset.
Slow Start
In an environment that uses weighted least connections load balancing, a real server that is placed in
service initially has no connections, and could therefore be assigned so many new connections that it
becomes overloaded. To prevent such an overload, the slow start feature controls the number of new
connections that are directed to a real server that has just been placed in service.
SynGuard
The SynGuard feature limits the rate of TCP SYNs handled by a virtual server to prevent a type of
network problem known as a SYN flood denial-of-service attack. A user might send a large number of
SYNs to a server, which could overwhelm or crash the server, denying service to other users. SynGuard
prevents such an attack from bringing down IOS SLB or a real server. SynGuard monitors the number
of SYNs to a virtual server over a specific time interval and does not allow the number to exceed a
configured SYN threshold. If the threshold is reached, any new SYNs are dropped.
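The following Python model, added here and not Cisco code, puts the behaviours described in the preceding sections together in one place: weighted least connections (with weight 1 everywhere it reduces to plain least connections, as the earlier note says), the maximum connections limit, sticky objects keyed by client address or subnet that survive for a sticky timer after the last connection closes and that couple two virtual servers such as HTTP on port 80 and HTTPS on port 443, and a SynGuard threshold per interval beyond which SYNs are dropped. Class and method names are assumptions; slow start and automatic unfail are not modelled, a failed sticky target is simply rebalanced, and time is passed in explicitly so the behaviour is deterministic.

```python
"""Model of IOS SLB server selection, sticky objects and SynGuard. Added example, not Cisco code."""
from ipaddress import ip_network

class RealServer:
    def __init__(self, name, weight=1, maxconns=None):
        self.name, self.weight, self.maxconns = name, weight, maxconns
        self.conns, self.failed = 0, False

    def available(self):
        """Out of service servers and servers at their maximum connections get nothing new."""
        return not self.failed and (self.maxconns is None or self.conns < self.maxconns)

    def load(self):
        """Weighted least connections metric: fewest connections per unit of weight wins."""
        return self.conns / self.weight

class StickyGroup:
    """Sticky objects keyed by client address or subnet. One instance shared by two
    virtual servers couples them (e.g. HTTP on 80 and HTTPS on 443)."""

    def __init__(self, timer, prefixlen=32):
        self.timer, self.prefixlen = timer, prefixlen
        self.objects = {}                    # key -> [server, active connections, last close time]

    def _key(self, client_ip):
        return ip_network("%s/%d" % (client_ip, self.prefixlen), strict=False)

    def lookup(self, client_ip, now):
        """Server to reuse while a connection is active or the sticky timer has not expired."""
        key = self._key(client_ip)
        obj = self.objects.get(key)
        if obj is None:
            return None
        server, active, last_close = obj
        if active > 0 or now - last_close <= self.timer:
            return server
        del self.objects[key]                # sticky object aged out
        return None

    def note_open(self, client_ip, server):
        obj = self.objects.setdefault(self._key(client_ip), [server, 0, 0.0])
        obj[0], obj[1] = server, obj[1] + 1

    def note_close(self, client_ip, now):
        obj = self.objects.get(self._key(client_ip))
        if obj:
            obj[1], obj[2] = obj[1] - 1, now

class VirtualServer:
    def __init__(self, farm, sticky=None, syn_threshold=None, syn_interval=1.0):
        self.farm, self.sticky = farm, sticky
        self.syn_threshold, self.syn_interval = syn_threshold, syn_interval
        self._window_start, self._syns = None, 0

    def _synguard_allows(self, now):
        """SynGuard: at most syn_threshold SYNs per syn_interval; the rest are dropped."""
        if self.syn_threshold is None:
            return True
        if self._window_start is None or now - self._window_start >= self.syn_interval:
            self._window_start, self._syns = now, 0
        if self._syns >= self.syn_threshold:
            return False
        self._syns += 1
        return True

    def syn(self, client_ip, now):
        """Real server chosen for a new connection, or None if the SYN is dropped."""
        if not self._synguard_allows(now):
            return None
        server = self.sticky.lookup(client_ip, now) if self.sticky else None
        if server is None or not server.available():   # assumption: failed sticky target is rebalanced
            candidates = [s for s in self.farm if s.available()]
            if not candidates:
                return None
            server = min(candidates, key=RealServer.load)
        server.conns += 1
        if self.sticky:
            self.sticky.note_open(client_ip, server)
        return server

    def close(self, client_ip, server, now):
        server.conns -= 1
        if self.sticky:
            self.sticky.note_close(client_ip, now)
```

With a farm of A (weight 3) and B (weight 1) behind coupled HTTP and HTTPS virtual servers sharing a 10-second sticky timer, a client's HTTPS connection follows its HTTP connection to A, a new connection 9 seconds after the last close still lands on A, and a connection after the timer has expired, or after A is marked failed, is rebalanced. A virtual server with a SynGuard threshold of 2 per second answers two SYNs and drops the third until the next interval.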
Alternate IP Addresses
IOS SLB enables you to Telnet to the load-balancing device using an alternate IP address. To do so, use
either of the following methods:
• Use any of the interface addresses to Telnet to the load-balancing device.
• Define a secondary IP address to Telnet to the load-balancing device.
This function is similar to that provided by the LocalDirector (LD) Alias command.
Note A Web cache can start its own connections to real sites if pages are not available in its cache. Those
connections cannot be load balanced back to the same set of caches. IOS SLB addresses this situation
by allowing you to configure “client exclude” statements so that IOS SLB does not load balance
connections initiated by the Web caches.
NAT
Cisco IOS Network Address Translation (NAT), RFC 1631, allows unregistered “private” IP addresses
to connect to the Internet by translating them into globally registered IP addresses. Cisco IOS NAT also
increases network privacy by hiding internal IP addresses from external networks.
IOS SLB can operate in one of two redirection modes:
• Directed mode—The virtual server can be assigned an IP address that is not known to any of the real
servers. IOS SLB translates packets exchanged between a client and real server, translating the
virtual server IP address to a real server address via NAT.
• Dispatched mode—The virtual server address is known to the real servers; you must configure the
virtual server IP address as a loopback address, or secondary IP address, on each real server. IOS SLB
redirects packets to the real servers at the media access control (MAC) layer. Because the virtual
server IP address is not modified in dispatched mode, the real servers must be Layer 2 adjacent to
IOS SLB, or intervening routers might not be able to route to the chosen real server.
The main advantage of dispatched mode is performance. In dispatched mode, the Layer 3 and Layer 4
addresses are not modified, which means IP header checksum adjustment occurs quickly, and checksum
adjustment or recalculation for TCP or UDP is not required. Dispatched mode is also simpler than
directed mode because packets of applications that carry IP addresses in their payload (FTP, for
example) need not be examined and modified.
The main disadvantage of dispatched mode is that the virtual server IP address is not modified, which
means that the real servers must be Layer 2 adjacent with the load balancer or intervening routers may
not be able to route to the chosen real server.
NAT (directed mode) is used to solve these dispatched mode problems.
IOS SLB currently supports only server NAT. By replacing the virtual server IP address with the real
server IP address (and vice versa), servers can be many hops away from the load balancer and intervening
routers can route to them without requiring tunneling. Additionally, loopback and secondary interfaces
need no longer be on the real server.
Note On the Catalyst 6000 family switches and Cisco 7200 series routers, if an IP address is configured as a
real IP address for a NAT virtual server, you cannot balance connection requests from that address to a
different virtual server (whether NAT or dispatch) on the same load balancer.
The network designer must ensure that outbound packets travel through IOS SLB using one of the
following methods:
• Direct wiring (all packets flow through a branch office IOS SLB device)
• Default gateways or policy-based routing
• IOS SLB NAT of client addresses, enabled as an outbound feature on server-side interfaces
A less common form of server NAT is server port translation, which involves replacement of a virtual
server port. Server port translation does not require server IP address translation, but the two translations
can be used together.
Note To avoid any single point of failure in an IOS SLB network, use multiple Layer 2 switches to provide
connectivity between the IOS SLB devices and the servers.
Restrictions
IOS SLB has the following restrictions:
• Operates in a standalone mode and currently does not operate as a MultiNode Load Balancing
(MNLB) Services Manager. The presence of IOS SLB does not preclude the use of the existing
MNLB Forwarding Agent with an external Services Manager in an MNLB environment.
• Does not support coordinating server load-balancing statistics among different IOS SLB instances
for backup capability.
• Supports FTP only in dispatched mode.
• Does not support load balancing of flows between clients and real servers that are on the same LAN
VLAN.
• Does not support IOS SLB and Cisco Applications and Services Architecture (CASA) configured
with the same virtual IP address, even if they are for different services.
• Supports Cisco IOS NAT in directed mode with no hardware data packet acceleration. (Hardware
data packet acceleration is performed by the Policy Feature Card (PFC), and in directed mode the
data packets are handled by the Multilayer Switched Feature Card (MSFC), not the PFC.)
Catalyst 6000 family switch restrictions are as follows:
• Requires the MSFC and the PFC.
• Requires that the Multilayer Switching (MLS) flow mode be set to full. For more information about
how to set the MLS flow, refer to the “Configuring IP Multilayer Switching” section in the Catalyst
6000 Family MSFC (12.0) & PFC Configuration Guide, Release 5.4.
• When IOS SLB is operating in dispatched mode, real servers must be Layer 2-adjacent to the
IOS SLB switch (that is, not beyond an additional router), with hardware data packet acceleration
performed by the PFC. All real servers that can be reached by a single IOS SLB device must be on
the same VLAN. The loopback address must be configured in the real servers.
• When IOS SLB is operating in directed mode with server NAT, real servers need not be Layer
2-adjacent to the IOS SLB switch. This allows for more flexible network design, because servers
can be placed several Layer 3 hops away from the IOS SLB switch.
• Requires that all real servers that can be reached by a single IOS SLB device must be on the same
VLAN. The loopback address must be configured in the real servers.
• Supports native Cisco IOS only (c6sup-is-mz images).
Cisco 7200 series restrictions are as follows:
• In dispatched mode, the servers must be Layer 2-adjacent or tag-switched. In directed mode, the
servers can be one or more hops away.
• Supports Cisco IOS NAT in directed mode with no hardware data packet acceleration. Provides no
hardware acceleration for the IOS SLB function for either dispatched mode or directed mode.
• Supports C7200-is-mz images.
Command Purpose
Router(config)# ip slb serverfarm serverfarm-name
    Adds a server farm definition to the IOS SLB configuration and initiates SLB server farm configuration mode.
Router(config-slb-sfarm)# predictor [roundrobin | leastconns]
    Specifies whether the weighted round robin algorithm or the weighted least connections algorithm is used to determine how a real server is selected.
Specifying a Bind ID
To configure a bind ID on the server farm for use by DFP, use the following command in SLB server
farm configuration mode:
Command Purpose
Router(config-slb-sfarm)# bindid [bind_id]
    Specifies a bind ID on the server farm for use by DFP.
Command Purpose
Router(config-slb-sfarm)# real ip-address
    Identifies a real server to the IOS SLB function and initiates real server configuration mode.
Router(config-slb-real)# faildetect numconns number-conns [numclients number-clients]
    Specifies the number of consecutive connection failures and, optionally, the number of unique client connection failures, that constitute failure of the real server.
Router(config-slb-real)# maxconns maximum-number
    Specifies the maximum number of active connections allowed on the real server at one time.
Router(config-slb-real)# reassign threshold
    Specifies the number of consecutive unanswered SYNs that initiates reassignment of the connection to a different real server.
Router(config-slb-real)# retry retry-value
    Specifies the interval (in seconds) to wait between the detection of a server failure and the next attempt to connect to the failed server.
Router(config-slb-real)# weight weighting-value
    Specifies the workload capacity of the real server relative to other servers in the server farm.
Router(config-slb-real)# inservice
    Enables the real server for use by IOS SLB.
Command Purpose
Router(config)# ip slb vserver virtserver-name
    Identifies a virtual server and enters SLB virtual server configuration mode.
Router(config-slb-vserver)# serverfarm serverfarm-name
    Associates a real server farm with a virtual server.
Router(config-slb-vserver)# virtual ip-address {tcp | udp} port-number [service service-name]
    Specifies the virtual server IP address, type of connection, port number, and optional service coupling.
Router(config-slb-vserver)# client ip-address network-mask
    Specifies which clients are allowed to use the virtual server.
Router(config-slb-vserver)# delay duration
    Specifies the amount of time IOS SLB maintains TCP connection context after a connection has terminated. The default value is 10 seconds.
Router(config-slb-vserver)# idle duration
    Specifies the minimum amount of time IOS SLB maintains connection context in the absence of packet activity. The default value is 3600 seconds (1 hour).
Router(config-slb-vserver)# sticky duration [group group-id]
    Specifies that connections from the same client use the same real server, as long as the interval between client connections does not exceed the specified duration.
Router(config-slb-vserver)# synguard syn-count interval
    Limits the rate of TCP SYNs handled by a virtual server in order to prevent a SYN flood denial-of-service attack.
Router(config-slb-vserver)# no advertise
    Omits the virtual server IP address from the routing protocol updates.
Router(config-slb-vserver)# inservice
    Enables the virtual server for use by IOS SLB.
Command Purpose
Step 1 Router(config)# ip slb dfp [password password [timeout]]
    Configures DFP and, optionally, sets a password, and initiates SLB DFP configuration mode.
Step 2 Router(config-slb-dfp)# agent ip-address port [timeout [retry-count [retry-interval]]]
    Configures a DFP agent.
Configuring NAT
To configure IOS SLB NAT mode for a specific server farm, use the following commands beginning in
global configuration mode:
Command Purpose
Step 1 Router(config)# ip slb serverfarm serverfarm-name
    Adds a server farm definition to the IOS SLB configuration and initiates server farm configuration mode.
Step 2 Router(config-slb-sfarm)# nat server
    Configures server NAT.
Step 3 Router(config-slb-sfarm)# real ip-address
    Identifies a real server to the IOS SLB function and initiates real server configuration mode.
HSRP uses a priority scheme to determine which HSRP-configured Layer 3 switch is to be the default
active Layer 3 switch. To configure a Layer 3 switch as active, you assign it a priority higher than that
of all other HSRP-configured Layer 3 switches. The default priority is 100, so if you configure just one
Layer 3 switch to have a higher priority, that switch becomes the default active switch.
HSRP works by the exchange of multicast messages that advertise priority among HSRP-configured
Layer 3 switches. When the active switch fails to send a hello message within a configurable period, the
standby switch with the highest priority becomes the active switch. The transition of packet-forwarding
functions between Layer 3 switches is completely transparent to all hosts accessing the network.
HSRP-configured Layer 3 switches exchange the following types of multicast messages:
• Hello—The hello message conveys the HSRP priority and state information of the switch. By
default, an HSRP switch sends hello messages every 3 seconds.
• Coup—When a standby Layer 3 switch assumes the function of the active switch, it sends a coup
message.
• Resign—The active Layer 3 switch sends a resign message when it is about to shut down or when a
switch that has a higher priority sends a hello message.
At any time, HSRP-configured Layer 3 switches are in one of the following states:
• Active—The switch is performing packet-transfer functions.
• Standby—The switch is prepared to assume packet-transfer functions if the active router fails.
• Speaking and listening—The switch is sending and receiving hello messages.
• Listening—The switch is receiving hello messages.
Step 1 Configure the server farms. See the “Specifying a Server Farm” section earlier in this chapter.
Step 2 Configure the real servers. See the “Specifying a Real Server” section earlier in this chapter.
Step 3 Configure the virtual servers. See the “Specifying a Virtual Server” section earlier in this chapter.
Note When you use the inservice (virtual server) command to place the virtual server in service, you
must use its optional standby keyword and specify the HSRP group name that was configured with
the standby name interface configuration command.
Step 4 Configure the IP routing protocol. See the “IP Routing Protocols” part of the Cisco IOS IP Configuration
Guide.
Step 5 Configure the VLAN between the switches. See the “Virtual LANs” chapter of the Cisco IOS
Switching Services Configuration Guide.
Step 6 Enable HSRP. See the “Enabling HSRP” section earlier in this chapter.
Step 7 Customize group attributes. See the “Customizing Group Attributes” section earlier in this chapter.
Step 8 Verify the IOS SLB HSRP configuration. See the “Verifying the IOS SLB Stateless Backup
Configuration” section earlier in this chapter.
A sample stateless backup configuration is shown in the “IOS SLB Stateless Backup Configuration
Example” section.
Enabling HSRP
To enable HSRP on an IOS SLB interface, enable the protocol, then customize it for the interface. Use
the following command in interface configuration mode:
Command Purpose
Router(config-if)# standby [group-number] ip [ip-address [secondary]]
    Enables HSRP.
Command Purpose
Router(config-if)# standby [group-number] authentication string
    Selects an authentication string to be carried in all HSRP messages.
Router(config-if)# standby [group-number] name group-name
    Specifies an HSRP group name with which to associate an IOS SLB interface.
Router(config-if)# standby [group-number] preempt
    Specifies that if the local router has priority over the current active router, the local router should attempt to take its place as the active router.
Router(config-if)# standby [group-number] priority priority
    Sets the Hot Standby priority used to choose the active router.
Router(config-if)# standby [group-number] timers hellotime holdtime
    Configures the time between hello packets and the hold time before other routers declare the active router to be down.
Router(config-if)# standby [group-number] track type-number [interface-priority]
    Configures the interface to track other interfaces, so that if one of the other interfaces goes down the Hot Standby priority for the device is lowered.
h. Restart the connection, after waiting no longer than the sticky timeout value.
i. Enter the show ip slb conns EXEC command again.
j. Examine the real server connection counts again, and verify that the sticky connection is assigned
to the same real server as before.
Step 6 Start additional client connections.
Step 7 Enter the show ip slb reals detail EXEC command.
Step 8 Verify that the connection counts are increasing.
Step 1 Use a large client population. If the number of clients is very small, tune the numclients keyword on the
faildetect SLB real server configuration command so that the servers are not displayed as failed.
Step 2 Enter the show ip slb reals detail EXEC command to show the status of the real servers.
Step 3 Examine the status and connection counts of the real servers:
• Servers that failed show a status of failed, testing, or ready_to_test, depending on whether, at the
moment you entered the command, IOS SLB was in the process of checking whether the server had come back up.
• When a real server fails, connections that are assigned but not established (no SYN or ACK is
received) are reassigned to another real server on the first inbound SYN after the reassign threshold
is met. However, any connections that were already established are forwarded to the same real server
because, although it may not be accepting new connections, it may be servicing existing ones.
• For weighted least connections, a real server that has just been placed in service starts slowly so that
it is not overloaded with new connections. (See the “Slow Start” section for more information on
this feature.) Therefore, the connection counts displayed for a new real server show connections
going to other real servers (despite the lower count of the new real server). The connection counts
also show “dummy connections” to the new real server, which IOS SLB uses to artificially inflate
the connection counts for the real server during the slow start period.
Question: Why can I connect to real servers directly, but not to the virtual server?
Answer: Make sure that the virtual IP address is configured as a loopback in each of the real servers (if
you are running in dispatched mode).
Question: Why is IOS SLB not marking my real server as failed when I disconnect it from the network?
Answer: Tune the values for the numclients, numconns, and delay keywords. If you have a very small client
population (for example, in a test environment), the numclients keyword could be causing the problem.
This parameter prevents IOS SLB from mistaking the failure of a small number of clients for the failure
of a real server.
Question: Why is IOS SLB not marking my connections as established even though I am transferring data?
Answer: If you are using dispatched mode, make sure there are no alternate paths that allow outbound
flows to bypass IOS SLB. Also, make sure that the clients and real servers are not on the same IP subnet.
Question: Why does IOS SLB show my real server as inservice even though I have taken it down or
physically disconnected it?
Answer: The inservice and outofservice states indicate whether the network administrator intends for that
real server to be used when it is operational. A real server that was inservice but was removed from the
selection list dynamically by IOS SLB as a result of automatic failure detection is marked as failed. Use
the show ip slb reals detail EXEC command to display these real server states.
Beginning with Cisco IOS Release 12.1(1)E, the inservice keyword is changed to operational, to better
reflect the actual condition.
Question: Why is IOS SLB not balancing correctly? I am using dispatched mode, the servers are leaving
sockets open, and I am seeing RSTs in response to a number of SYNs. Curiously, sometimes things work fine.
Answer: Enter the show mls flow command:
Router# show mls flow
current ip flowmask for unicast: full flow
current ipx flowmask for unicast: destination only
The current IP flowmask must be full flow. If it is not, correct the problem using the mls flow ip full
global configuration command:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# mls flow ip full
Router(config)#
Command Purpose
Router# show ip slb conns [vservers virtserver-name] [client ip-address] [detail]
    Displays all connections handled by IOS SLB or, optionally, only those connections associated with a particular virtual server or client.
Router# show ip slb dfp [agent ip-address port-number] [detail] [weights]
    Displays information about DFP and DFP agents, and about the weights assigned to real servers.
Router# show ip slb reals [vservers virtserver-name] [detail]
    Displays information about the real servers defined to IOS SLB.
Router# show ip slb serverfarms [name serverfarm-name] [detail]
    Displays information about the server farms defined to IOS SLB.
Router# show ip slb stats
    Displays IOS SLB statistics.
Router# show ip slb sticky [client ip-address]
    Displays information about the sticky connections defined to IOS SLB.
Router# show ip slb vservers [name virtserver-name] [detail]
    Displays information about the virtual servers defined to IOS SLB.
Configuration Examples
This section provides the following IOS SLB configuration examples:
• IOS SLB Network Configuration Example
• NAT Configuration Example
• HSRP Configuration Example
• IOS SLB Stateless Backup Configuration Example
Figure: IOS SLB network configuration example. Virtual server 10.0.0.1 fronts three public Web servers
(10.1.1.1, 10.1.1.2, 10.1.1.3) and two restricted Web servers (10.1.1.20, 10.1.1.21) on subnet 10.1.1.x;
ordinary clients and Human Resources clients on subnet 10.4.4.x connect to the virtual server.
As shown in the following sample code, the example topology has three public Web servers and two
restricted Web servers for privileged clients in subnet 10.4.4.x. The public Web servers are weighted
according to their capacity, with server 10.1.1.2 having the lowest capacity and having a connection limit
imposed on it. The restricted Web servers are configured as members of the same sticky group, so that
HTTP connections and Secure Socket Layer (SSL) connections from the same client use the same real
server.
This configuration is coded as follows:
! Unrestricted Web server farm
ip slb serverfarm PUBLIC
! Use weighted least connections algorithm
 predictor leastconns
! First real server
 real 10.1.1.1
  weight 16
  inservice
! Second real server
 real 10.1.1.2
  weight 4
! Restrict maximum number of connections
  maxconns 1000
  inservice
! Third real server
 real 10.1.1.3
  weight 24
  inservice
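As an added illustration (not code from this guide), the following Python model reproduces the PUBLIC farm above under the weighted least connections predictor, with the configured weights, the maxconns limit on 10.1.1.2, and a consecutive-failure counter of the kind the faildetect numconns command sets, so you can check how connections are distributed and what happens once a real server is marked failed. The conns/weight selection rule, the tie-breaking, and the failure threshold of 8 are assumptions; the guide does not state the router's exact algorithm.

```python
"""Model of an IOS SLB server farm under the weighted least connections predictor.

Added example; it is not code from the Cisco guide and the router's internal
algorithm is not spelled out on this page. It models the PUBLIC farm above
(weights 16, 4 and 24, maxconns 1000 on the second real) plus the
consecutive-failure counter behind `faildetect numconns`. Selection picks the
eligible real with the lowest active-connections/weight ratio, the usual
definition of weighted least connections, which is assumed to match the
predictor; ties go to the real configured first.
"""
from dataclasses import dataclass
from fractions import Fraction
from typing import Optional


@dataclass
class Real:
    ip: str
    weight: int = 8
    maxconns: Optional[int] = None   # None: no connection limit
    numconns: int = 8                # faildetect numconns threshold assumed by this model
    inservice: bool = True           # administrative state
    conns: int = 0                   # active connections
    consecutive_failures: int = 0
    failed: bool = False             # set by automatic failure detection

    def eligible(self) -> bool:
        if not self.inservice or self.failed:
            return False
        return self.maxconns is None or self.conns < self.maxconns

    def load(self) -> Fraction:
        return Fraction(self.conns, self.weight)   # exact, so ties are real ties


class ServerFarm:
    def __init__(self, reals: list[Real]) -> None:
        self.reals = reals

    def _real(self, ip: str) -> Real:
        return next(r for r in self.reals if r.ip == ip)

    def select(self) -> Optional[Real]:
        """Weighted least connections over the eligible reals; None if none is usable."""
        candidates = [r for r in self.reals if r.eligible()]
        if not candidates:
            return None
        return min(candidates, key=Real.load)     # min() keeps the first of equal loads

    def open_connection(self) -> Optional[str]:
        real = self.select()
        if real is None:
            return None     # every real is failed, out of service or at maxconns
        real.conns += 1
        return real.ip

    def close_connection(self, ip: str) -> None:
        real = self._real(ip)
        real.conns = max(0, real.conns - 1)

    def report_failure(self, ip: str) -> bool:
        """A connection to ip failed; after numconns consecutive failures mark it failed."""
        real = self._real(ip)
        real.consecutive_failures += 1
        if real.consecutive_failures >= real.numconns:
            real.failed = True
        return real.failed

    def report_success(self, ip: str) -> None:
        self._real(ip).consecutive_failures = 0


def public_farm() -> ServerFarm:
    """The PUBLIC server farm from the configuration example above."""
    return ServerFarm([
        Real("10.1.1.1", weight=16),
        Real("10.1.1.2", weight=4, maxconns=1000),
        Real("10.1.1.3", weight=24),
    ])


def distribute(farm: ServerFarm, n: int) -> dict[str, int]:
    """Open n connections and count how many each real received."""
    counts = {r.ip: 0 for r in farm.reals}
    for _ in range(n):
        ip = farm.open_connection()
        if ip is not None:
            counts[ip] += 1
    return counts


if __name__ == "__main__":
    farm = public_farm()
    print(distribute(farm, 44))        # proportional to the weights: 16, 4, 24
    for _ in range(8):                 # 10.1.1.3 stops answering
        farm.report_failure("10.1.1.3")
    print(distribute(farm, 20))        # new connections avoid the failed real
```

Opening 44 connections (the sum of the weights) lands exactly 16, 4 and 24 on the three reals. After eight consecutive failures 10.1.1.3 drops out of selection and new connections are split 16:4 between the remaining reals, which matches the troubleshooting note later in this chapter that only new connections are steered away from a failed real; existing ones are untouched by this model as well, since close_connection is the only thing that lowers a count.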
• Server 4 has multiple HTTP server applications listening on ports 8080, 8081, and 8082.
Servers 1 and 2 are load balanced using Switch A, which is performing server address translation.
Servers 3 and 4 are load balanced using Switches B and C. These two switches are performing server
address translation. These switches also perform server port translation for HTTP packets to and from
Server 4.
The configuration statements for Switch A are as follows:
ip slb serverfarm FARM1
! Translate server addresses
nat server
! Server 1 port 80
real 10.1.1.1
inservice
! Server 2 port 80
real 10.2.1.1
inservice
!
ip slb vserver HTTP1
! Handle HTTP (port 80) requests
virtual 128.1.0.1 tcp www
serverfarm FARM1
inservice
Note Some configurations that use HSRP still require a routing protocol for convergence when a
topology change occurs. The standby Layer 3 switch becomes active, but connectivity does
not occur until convergence occurs.
If the connection between Device A and the client accessing virtual IP 1.0.0.3 fails, fast-converging
routing protocols (such as Enhanced IGRP and OSPF) can respond within seconds, ensuring that
Device B is prepared to transfer packets that would have gone through Device A.
Figure: HSRP configuration example. Device A and Device B are both in HSRP group Web_Group and share
virtual IP address 1.0.0.3 toward the client.
Device A:
interface GigabitEthernet 41
 ip address 1.0.0.1 255.0.0.0
 standby 1 ip 1.0.0.3
 standby 1 preempt
 standby 1 priority 110
 standby 1 authentication denmark
 standby 1 timers 5 15
 standby 1 name Web-Group
interface FastEthernet 1
 ip address 3.0.0.1 255.0.0.0
router eigrp 1
 network 1.0.0.0
 network 3.0.0.0
Device B:
interface GigabitEthernet 41
 ip address 1.0.0.2 255.0.0.0
 standby 1 ip 1.0.0.3
 standby 1 preempt
 standby 1 authentication denmark
 standby 1 timers 5 15
 standby 1 name Web-Group
interface FastEthernet 41
 ip address 2.0.0.1 255.0.0.0
router eigrp 1
 network 1.0.0.0
 network 2.0.0.0
The standby ip interface configuration command enables HSRP and establishes 1.0.0.3 as the IP address
of the virtual router. The configurations of both Layer 3 switches include this command so that both
switches share the same virtual IP address. The number 1 establishes Hot Standby group 1. (If you do
not specify a group number, the default is group 0.) The configuration for at least one of the Layer 3
switches in the Hot Standby group must specify the IP address of the virtual router; specifying the IP
address of the virtual router is optional for other routers in the same Hot Standby group.
The standby preempt interface configuration command allows the Layer 3 switch to become the active
switch when its priority is higher than all other HSRP-configured switches in this Hot Standby group.
The configurations of both switches include this command so that each can be the standby Layer 3 switch
for the other switch. The number 1 indicates that this command applies to Hot Standby group 1. If you
do not use the standby preempt command in the configuration for a Layer 3 switch, that switch cannot
become the active Layer 3 switch.
The standby priority interface configuration command sets the HSRP priority of the Layer 3 switch to
110, which is higher than the default priority of 100. Only the configuration of Device A includes this
command, which makes Device A the default active Layer 3 switch. The number 1 indicates that this
command applies to Hot Standby group 1.
The standby authentication interface configuration command establishes an authentication string
whose value is an unencrypted string of up to eight characters that is carried in each HSRP multicast
message. This command is optional. If you use it, each HSRP-configured Layer 3 switch in the group
must use the same string so that each switch can authenticate the source of the HSRP messages that it
receives. Because the string travels in cleartext, anyone who can capture hello messages on the segment
can read it; it guards against a misconfigured router joining the group, not against a deliberate attacker
who replays the string in higher-priority hellos. Where the software supports it, prefer keyed MD5
authentication (standby authentication md5 key-string) and restrict which hosts can reach the HSRP
segment. The number 1 indicates that this command applies to Hot Standby group 1.
The standby timers interface configuration command sets the interval (in seconds) between hello
messages (called the hello time) to 5 seconds, and sets the interval (in seconds) that a Layer 3 switch
waits before it declares the active Layer 3 switch to be down (called the hold time) to 15 seconds, as in
the standby 1 timers 5 15 line of both configurations above. (The defaults are 3 and 10 seconds,
respectively.) To modify the default values, you must configure each Layer 3 switch to use the same hello
time and hold time, and the hold time must be longer than the hello time. The number 1 indicates that
this command applies to Hot Standby group 1.
The standby name interface configuration command associates the IOS SLB interface with an HSRP
group name (in this case, Web-Group), previously specified on an inservice (virtual server) command.
The number 1 indicates that this command applies to Hot Standby group 1.
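Because the HSRP authentication string is carried in cleartext, the useful defensive check is on the wire rather than in the configuration: watch for hello or coup messages that come from a router you do not own, or that carry a priority higher than the active router's, since with preempt configured such a message moves the virtual IP address. The following Python parser and check are an added example, not from this guide; the 20-byte HSRP version 1 payload layout follows RFC 2281, the protocol the standby commands above configure. The sample packets are constructed for the Device A/Device B example (group 1, virtual IP 1.0.0.3, authentication string denmark, timers 5/15); the rogue sender address and the list of expected senders are assumptions.

```python
"""Parse HSRP version 1 packets and flag hellos that could take over the active role.

Added example, not code from the Cisco guide. The HSRP v1 payload (UDP port
1985 to 224.0.0.2) is 20 bytes: version, opcode, state, hellotime, holdtime,
priority, group, reserved, 8 bytes of authentication data, 4 bytes of virtual
IP, as specified in RFC 2281. The sample packets below are constructed for
the Device A / Device B example; the rogue sender is made up for the demo.
"""
import struct
from dataclasses import dataclass

HSRP_UDP_PORT = 1985
OPCODES = {0: "hello", 1: "coup", 2: "resign"}
STATES = {0: "initial", 1: "learn", 2: "listen", 4: "speak", 8: "standby", 16: "active"}


@dataclass(frozen=True)
class HsrpPacket:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: str
    virtual_ip: str


def parse_hsrp_v1(payload: bytes) -> HsrpPacket:
    """Decode the fixed 20-byte HSRP v1 payload."""
    if len(payload) < 20:
        raise ValueError("HSRP v1 payload is 20 bytes")
    version, opcode, state, hello, hold, prio, group, _rsvd = struct.unpack("!8B", payload[:8])
    if version != 0:
        raise ValueError(f"not HSRP v1 (version {version})")
    auth = payload[8:16].rstrip(b"\x00").decode("ascii", errors="replace")
    vip = ".".join(str(b) for b in payload[16:20])
    return HsrpPacket(OPCODES.get(opcode, f"op{opcode}"), STATES.get(state, f"state{state}"),
                      hello, hold, prio, group, auth, vip)


def build_hsrp_v1(opcode: int, state: int, hello: int, hold: int, prio: int,
                  group: int, auth: str, vip: str) -> bytes:
    """Build a payload the same way, so the constructed samples are well-formed."""
    auth_field = auth.encode("ascii")[:8].ljust(8, b"\x00")
    vip_bytes = bytes(int(o) for o in vip.split("."))
    return struct.pack("!8B", 0, opcode, state, hello, hold, prio, group, 0) + auth_field + vip_bytes


def suspicious(src_ip: str, pkt: HsrpPacket, expected_senders: set[str],
               active_priority: int, auth: str) -> list[str]:
    """Reasons a hello/coup from src_ip deserves an alert (empty list means none).

    A matching authentication string proves little on its own: it is cleartext,
    so any sniffer on the segment has already learned it from a genuine hello.
    """
    reasons = []
    if src_ip not in expected_senders:
        reasons.append(f"HSRP {pkt.opcode} from unexpected sender {src_ip}")
    if pkt.auth != auth:
        reasons.append(f"authentication mismatch ({pkt.auth!r})")
    if pkt.opcode in ("hello", "coup") and pkt.priority > active_priority:
        reasons.append(f"priority {pkt.priority} beats active router ({active_priority}); "
                       "with preempt, the virtual IP would move")
    return reasons


if __name__ == "__main__":
    expected = {"1.0.0.1", "1.0.0.2"}   # Device A and Device B from the example
    wire = [  # constructed captures: (source IP, HSRP payload)
        ("1.0.0.1", build_hsrp_v1(0, 16, 5, 15, 110, 1, "denmark", "1.0.0.3")),  # Device A, active
        ("1.0.0.2", build_hsrp_v1(0, 8, 5, 15, 100, 1, "denmark", "1.0.0.3")),   # Device B, standby
        ("1.0.0.99", build_hsrp_v1(1, 4, 5, 15, 255, 1, "denmark", "1.0.0.3")),  # made-up rogue coup
    ]
    for src, payload in wire:
        pkt = parse_hsrp_v1(payload)
        print(src, pkt.opcode, pkt.state, pkt.priority, pkt.auth,
              suspicious(src, pkt, expected, 110, "denmark"))
```

The rogue coup is flagged twice, for its source and for its priority of 255, even though it carries the correct authentication string; that is the point of checking the sender and the priority rather than trusting the string. Feed the function from a capture filter on UDP port 1985 and keep the expected-sender set equal to the addresses of the switches you configured with standby commands.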
The Web Cache Communication Protocol (WCCP) is a Cisco-developed content-routing technology that
allows you to integrate cache engines (such as the Cisco Cache Engine 550) into your network
infrastructure. Cisco IOS Release 12.1 and later releases allow the use of either Version 1 (WCCPv1) or
Version 2 (WCCPv2) of the WCCP. This chapter describes how to configure your router to redirect
traffic to cache engines (web caches), describes how to manage cache engine clusters (cache farms), and
outlines the benefits of using WCCPv2.
For a complete description of the WCCP configuration commands in this chapter, refer to the “WCCP
Commands” chapter in the Release 12.2 Cisco IOS Configuration Fundamentals Command Reference.
To locate documentation of other commands that appear in this chapter, use the command reference
master index or search online.
The tasks in this chapter assume that you have already configured cache engines on your network. For
specific information on hardware and network planning associated with Cisco Cache Engines and
WCCP, see the Product Literature and Documentation links available on the Cisco.com Web Scaling site
at http://www.cisco.com/warp/public/cc/pd/cxsr/ces/index.shtml.
Note Cisco Systems replaced the Cache Engine 500 Series platforms with Content Engine Platforms in July
2001. Cache Engine Products were the Cache Engine 505, 550, 570, and 550-DS3. Content Engine
Products are the Content Engine 507, 560, 590, and 7320.
To identify hardware or software image support for a specific feature, use Feature Navigator on
Cisco.com to search for information about the feature or refer to the software release notes for a specific
release. For more information, see the “Identifying Platform Support for Cisco IOS Software Features”
section in the “About Cisco IOS Software Documentation” chapter.
Understanding WCCP
The Cisco IOS WCCP feature allows utilization of Cisco Cache Engines (or other caches running
WCCP) to localize web traffic patterns in the network, enabling content requests to be fulfilled locally.
Traffic localization reduces transmission costs and download time.
WCCP enables Cisco IOS routing platforms to transparently redirect content requests. The main benefit
of transparent redirection is that users need not configure their browsers to use a web proxy. Instead, they
can use the target URL to request content, and have their requests automatically redirected to a cache
engine. The word “transparent” in this case means that the end user does not know that a requested file
(such as a web page) came from the cache engine instead of from the originally specified server.
When a cache engine receives a request, it attempts to service it from its own local cache. If the requested
information is not present, the cache engine issues its own request to the originally targeted server to get
the required information. When the cache engine retrieves the requested information, it forwards it to
the requesting client and caches it to fulfill future requests, thus maximizing download performance and
substantially reducing transmission costs.
WCCP enables a series of cache engines, called a cache engine cluster, to provide content to a router or
multiple routers. Network administrators can easily scale their cache engines to handle heavy traffic
loads through these clustering capabilities. Cisco clustering technology enables each cache member to
work in parallel, resulting in linear scalability. Clustering cache engines greatly improves the scalability,
redundancy, and availability of your caching solution. You can cluster up to 32 cache engines to scale to
your desired capacity.
Figure: WCCP with a cache engine cluster. A router between the clients and the Internet redirects
requests to Cache 1, Cache 2, and Cache 3 on a 100BASE-T segment.
Content is not duplicated on the cache engines. The benefit of using multiple caches is that you can scale
a caching solution by clustering multiple physical caches to appear as one logical cache.
The following sequence of events details how WCCPv1 configuration works:
1. Each cache engine is configured by the system administrator with the IP address of the control
router. Up to 32 cache engines can connect to a single control router.
2. The cache engines send their IP addresses to the control router using WCCP, indicating their
presence. Routers and cache engines communicate to each other via a control channel; this channel
is based on UDP port 2048.
3. This information is used by the control router to create a cluster view (a list of caches in the cluster).
This view is sent to each cache in the cluster, essentially making all the cache engines aware of each
other. A stable view is established after the membership of the cluster remains the same for a certain
amount of time.
4. Once a stable view has been established, one cache engine is elected as the lead cache engine. (The
lead is defined as the cache engine seen by all the cache engines in the cluster with the lowest IP
address). This lead cache engine uses WCCP to indicate to the control router how IP packet
redirection should be performed. Specifically, the lead cache engine designates how redirected
traffic should be distributed across the cache engines in the cluster.
Figure: WCCPv2 service group. Several routers, each serving clients on its own 100BASE-T segment,
redirect requests bound for the Internet to the same cluster of Cache 1, Cache 2, and Cache 3.
The subset of cache engines within a cluster and routers connected to the cluster that are running the
same service is known as a service group. Available services include TCP and User Datagram Protocol
(UDP) redirection.
Using WCCPv1, the cache engines were configured with the address of the single router. WCCPv2
requires that each cache engine be aware of all the routers in the service group. To specify the addresses
of all the routers in a service group, you must choose one of the following methods:
• Unicast—A list of router addresses for each of the routers in the group is configured on each cache
engine. In this case the address of each router in the group must be explicitly specified for each cache
engine during configuration.
• Multicast—A single multicast address is configured on each cache engine. In the multicast address
method, the cache engine sends a single-address notification that provides coverage for all routers
in the service group. For example, a cache engine could indicate that packets should be sent to a
multicast address of 224.0.0.100, which would send a multicast packet to all routers in the service
group configured for group listening using WCCP (see the ip wccp group-listen interface
configuration command for details).
The multicast option is easier to configure because you need only specify a single address on each cache
engine. This option also allows you to add and remove routers from a service group dynamically, without
needing to reconfigure the cache engines with a different list of addresses each time.
The following sequence of events details how WCCPv2 configuration works:
1. Each cache engine is configured with a list of routers.
2. Each cache engine announces its presence and a list of all routers with which it has established
communications. The routers reply with their view (list) of cache engines in the group.
3. Once the view is consistent across all cache engines in the cluster, one cache engine is designated
as the lead and sets the policy that the routers need to deploy in redirecting packets.
The following sections describe how to configure WCCPv2 on routers so they may participate in a
service group.
WCCPv2 Features
WCCPv2 provides the features described in the following sections:
• Support for Services Other than HTTP
• Support for Multiple Routers
• MD5 Security
• Web Cache Packet Return
• Load Distribution
MD5 Security
WCCPv2 provides optional authentication that enables you to control which routers and cache engines
become part of the service group using passwords and the HMAC MD5 standard. Shared-secret MD5
one-time authentication (set using the ip wccp [password [0-7] password] global configuration
command) enables messages to be protected against interception, inspection, and replay.
Load Distribution
WCCPv2 can be used to adjust the load being offered to individual cache engines to provide an effective
use of the available resources while helping to ensure high quality of service (QoS) to the clients.
WCCPv2 allows the designated cache to adjust the load on a particular cache and balance the load across
the caches in a cluster. WCCPv2 uses three techniques to perform load distribution:
• Hot Spot Handling—Allows an individual hash bucket to be distributed across all the cache engines.
Prior to WCCPv2, information from one hash bucket could only go to one cache engine.
• Load Balancing—Allows the set of hash buckets assigned to a cache engine to be adjusted so that
the load can be shifted from an overwhelmed cache engine to other members that have available
capacity.
• Load Shedding—Enables the router to selectively redirect the load to avoid exceeding the capacity
of a cache engine.
The use of these hashing parameters prevents one cache from being overloaded and reduces the potential
for bottlenecking.
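To make the three techniques concrete, here is an added Python simulation of a 256-entry hash bucket table (not Cisco's code). The page does not give the WCCP hash function or the assignment message format, so the hashes used here (CRC32 of the destination for the bucket, the source address as an integer for the hot-spot split) and the BucketTable bookkeeping are assumptions.

```python
"""Hash-bucket load distribution across a WCCPv2 cache cluster.

Added illustration, not Cisco's code. The hashes (CRC32 of the destination
reduced modulo 256, the source address as an integer for the secondary
split) and the bookkeeping class are assumptions; the page does not give
the real WCCP hash or assignment format.
"""
import ipaddress
import zlib
from collections import Counter

NUM_BUCKETS = 256  # matches the page's "Hash Allotment:256 (100.00%)"


def bucket_for(dst):
    """Map a destination address to one of the 256 hash buckets (assumed hash)."""
    return zlib.crc32(dst.encode()) % NUM_BUCKETS


class BucketTable:
    """bucket -> list of cache engines.

    Normally one owner per bucket. A hot-spot bucket lists every cache engine
    and is split further by source address, which is what WCCPv2 adds over
    WCCPv1 (where one bucket could only go to one cache engine).
    """

    def __init__(self, caches, capacity):
        self.caches = list(caches)
        self.capacity = dict(capacity)   # cache -> packets it can absorb
        self.table = {b: [self.caches[b % len(self.caches)]]
                      for b in range(NUM_BUCKETS)}

    def mark_hot_spot(self, bucket):
        """Hot Spot Handling: distribute one bucket across all cache engines."""
        self.table[bucket] = list(self.caches)

    def owner(self, src, dst):
        owners = self.table[bucket_for(dst)]
        if len(owners) == 1:
            return owners[0]
        # secondary split of a hot-spot bucket by source address (assumed)
        return owners[int(ipaddress.ip_address(src)) % len(owners)]

    def redirect(self, src, dst, load):
        """Per-packet decision. Load Shedding: when the owning cache is already
        at capacity the packet is not redirected (None) and the router forwards
        it normally. load is a dict of cache -> packets already sent to it."""
        cache = self.owner(src, dst)
        if load.get(cache, 0) >= self.capacity[cache]:
            return None
        load[cache] = load.get(cache, 0) + 1
        return cache

    def offered_load(self, flows):
        """Load each cache would see for a set of (src, dst) flows, ignoring
        capacity, plus per-bucket hit counts used for rebalancing."""
        load, hits = Counter(), Counter()
        for src, dst in flows:
            load[self.owner(src, dst)] += 1
            hits[bucket_for(dst)] += 1
        return load, hits

    def rebalance(self, load, hits):
        """Load Balancing: move whole buckets off an overloaded cache to the
        cache with the most headroom. Returns the list of (bucket, old, new)."""
        load = Counter(load)
        moves = []
        if len(self.caches) < 2:
            return moves
        for cache in self.caches:
            while load[cache] > self.capacity[cache]:
                mine = [b for b, o in self.table.items()
                        if o == [cache] and hits[b] > 0]
                if not mine:
                    break
                b = max(mine, key=lambda x: hits[x])
                dest = max((c for c in self.caches if c != cache),
                           key=lambda c: self.capacity[c] - load[c])
                if self.capacity[dest] - load[dest] < hits[b]:
                    break  # no cache can absorb this bucket; leave it
                self.table[b] = [dest]
                load[cache] -= hits[b]
                load[dest] += hits[b]
                moves.append((b, cache, dest))
        return moves
```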
Configuring WCCP
The following configuration tasks assume that you have already installed and configured the cache
engines you want to include in your network. You must configure the cache engines in the cluster before
configuring WCCP functionality on your routers. Refer to the Cisco Cache Engine User Guide for cache
engine configuration and setup tasks.
IP must be configured on the router interface connected to the cache engines and on the router interface
connected to the Internet. Note that Cisco Cache Engines require use of a Fast Ethernet interface for a
direct connection. Examples of router configuration tasks follow this section. For complete descriptions
of the command syntax, refer to the Release 12.2 Cisco IOS Configuration Fundamentals Command
Reference.
Perform the tasks found in the following sections to configure WCCP on a router:
• Specifying a Version of WCCP (Optional)
• Configuring a Service Group Using WCCPv2 (Required)
• Excluding Traffic on a Specific Interface from Redirection (Optional)
• Registering a Router to a Multicast Address (Optional)
• Using Access Lists for a WCCP Service Group (Optional)
• Setting a Password for a Router and Cache Engines (Optional)
Command Purpose
Command: Router# ip wccp version {1 | 2}
Purpose: Specifies which version of WCCP to configure on a router. WCCPv2 is the default running version.
WCCPv1 does not use the WCCP commands from earlier Cisco IOS versions. Instead, use the WCCP
commands documented in this chapter. If a function is not allowed in WCCPv1, an error prompt will be
printed to the screen. For example, if WCCPv1 is running on the router and you try to configure a
dynamic service, the following message will be displayed: “WCCP V1 only supports the web-cache
service.” The show ip wccp EXEC command will display the WCCP protocol version number that is
currently running on your router.
Note More than one service can run on a router at the same time, and routers and cache devices can be part of
multiple service groups at the same time.
The dynamic services are defined by the cache engines; the cache instructs the router which protocol or
ports to intercept, and how to distribute the traffic. The router itself does not have information on the
characteristics of the dynamic service group’s traffic, because this information is provided by the first
web cache to join the group. In a dynamic service, up to eight ports can be specified within a single
protocol.
Cisco Cache Engines, for example, use dynamic service 99 to specify a reverse-proxy service. However,
other cache devices may use this service number for some other service. The following configuration
information deals with enabling general services on Cisco routers. Refer to the cache server
documentation for information on configuring services on cache devices.
To enable a service on a router, use the following commands, beginning in global configuration mode:
Command Purpose
Step 1 Command: Router(config)# ip wccp {web-cache | service-number} [group-address groupaddress] [redirect-list access-list] [group-list access-list] [password password]
Purpose: Specifies a web-cache or dynamic service to enable on the router, specifies the IP multicast address used by the service group, specifies any access lists to use, specifies whether to use MD5 authentication, and enables the WCCP service.
Step 2 Command: Router(config)# interface type number
Purpose: Specifies an interface to configure and enters interface configuration mode.
Step 3 Command: Router(config-if)# ip wccp {web-cache | service-number} redirect {out | in}
Purpose: Enables WCCP redirection on the specified interface.
As indicated by the out and in keyword options in the ip wccp service redirect command, redirection
can be specified for outbound interfaces or inbound interfaces. Inbound traffic can be configured to use
Cisco Express Forwarding (CEF), Fast Forwarding, or Process Forwarding.
Configuring WCCP for redirection for inbound traffic on interfaces allows you to avoid the overhead
associated with CEF forwarding for outbound traffic. Setting an output feature on any interface results
in the slower switching path of the feature being taken by all packets arriving at all interfaces. Setting
an input feature on an interface results in only those packets arriving at that interface taking the
configured feature path; packets arriving at other interfaces will use the faster default path. Configuring
WCCP for inbound traffic also allows packets to be classified before the routing table lookup, which
translates into faster redirection of packets.
Command Purpose
Step 1 Command: Router(config)# ip wccp web-cache
Purpose: Enables the web cache service on the router.
Step 2 Command: Router(config)# interface type number
Purpose: Targets an interface number for which the web cache service will run, and enters interface configuration mode.
Step 3 Command: Router(config-if)# ip wccp web-cache redirect {out | in}
Purpose: Enables the check on packets to determine if they qualify to be redirected to a web cache, using the interface specified in Step 2.
Command Purpose
Step 1 Command: Router(config)# interface type number
Purpose: Specifies an interface to configure, and enters interface configuration mode.
Step 2 Command: Router(config-if)# ip wccp redirect exclude in
Purpose: Allows inbound packets on this interface to be excluded from redirection.
Command Purpose
Step 1 Command: Router(config)# ip wccp {web-cache | service-number} group-address groupaddress
Purpose: Specifies the multicast address for the service group.
Step 2 Command: Router(config)# interface type number
Purpose: Specifies the interface to be configured for multicast reception.
Step 3 Command: Router(config-if)# ip wccp {web-cache | service-number} group-listen
Purpose: Enables the reception of IP multicast packets (content originating from the cache engines) on the interface specified in Step 2.
For network configurations where redirected traffic needs to traverse an intervening router, the router
being traversed must be configured to perform IP multicast routing. You must configure the following
two components to enable traversal over an intervening router:
• Enable IP multicast routing using the ip multicast-routing global configuration mode command.
• Enable the interfaces to which the cache engines will connect to receive multicast transmissions
using the ip wccp group-listen interface configuration mode command (note that earlier Cisco IOS
versions required the use of the ip pim interface configuration command).
Command Purpose
Step 1 Command: Router(config)# access-list access-list permit ip host host-address [destination-address | destination-host | any]
Purpose: Creates an access list that enables or disables traffic redirection to the cache engine.
Step 2 Command: Router(config)# ip wccp web-cache group-list access-list
Purpose: Indicates to the router from which IP addresses of cache engines to accept packets.
To disable caching for certain clients, use the following commands, beginning in global configuration
mode:
Command Purpose
Step 1 Command: Router(config)# access-list access-list permit ip host host-address [destination-address | destination-host | any]
Purpose: Creates an access list that enables or disables traffic redirection to the cache engine.
Step 2 Command: Router(config)# ip wccp web-cache redirect-list access-list
Purpose: Sets the access list used to enable redirection.
Command Purpose
Command: Router(config)# ip wccp web-cache password password
Purpose: Sets an MD5 password on the router.
Command Purpose
Command: Router# show ip wccp [web-cache | service-number]
Purpose: Displays global information related to WCCP, including the protocol version currently running, the number of cache engines in the router's service group, which cache engine group is allowed to connect to the router, and which access list is being used.
Command: Router# show ip wccp {web-cache | service-number} detail
Purpose: Queries the router for information on which cache engines of a specific service group the router has detected. The information can be displayed for either the web cache service or the specified dynamic service.
Command: Router# show ip interface
Purpose: Displays status about whether any ip wccp redirection commands are configured on an interface. For example, “Web Cache Redirect is enabled / disabled.”
Command: Router# show ip wccp {web-cache | service-number} view
Purpose: Displays which devices in a particular service group have been detected and which cache engines are having trouble becoming visible to all other routers to which the current router is connected. The view keyword indicates a list of addresses of the service group. The information can be displayed for either the web cache service or the specified dynamic service. For further troubleshooting information, use the show ip wccp {web-cache | service-number} service command.
The following example shows a configuration session in which redirection of HTTP traffic arriving on
interface 0/1 is enabled:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# interface ethernet 0/1
Router(config-if)# ip wccp web-cache redirect in
Router(config-if)# ^Z
Router# show ip interface ethernet 0/1
.
.
.
WCCP Redirect inbound is enabled
WCCP Redirect exclude is disabled
.
.
.
The following example shows a router configured to run a reverse proxy service, using the multicast
address of 224.1.1.1. Redirection applies to packets outgoing via interface ethernet 0:
To disable caching for certain clients, servers, or client/server pairs, you can use WCCP access lists. The
following example shows that any requests coming from 10.1.1.1 to 12.1.1.1 will bypass the cache, and
that all other requests will be serviced normally:
Router(config)# ip wccp web-cache redirect-list 120
Router(config)# access-list 120 deny tcp host 10.1.1.1 any
Router(config)# access-list 120 deny tcp any host 12.1.1.1
Router(config)# access-list 120 permit ip any any
The following example configures a router to redirect web-related packets received via interface ethernet
0/1, destined to any host except 209.165.196.51:
Building configuration...
Current configuration:
!
version 12.0
service timestamps debug uptime
service timestamps log uptime
no service password-encryption
service udp-small-servers
service tcp-small-servers
!
hostname router4
!
enable secret 5 $1$nSVy$faliJsVQXVPW.KuCxZNTh1
enable password alabama1
!
ip subnet-zero
ip wccp web-cache
ip wccp 99
ip domain-name cisco.com
ip name-server 10.1.1.1
ip name-server 10.1.1.2
ip name-server 10.1.1.3
!
!
!
interface Ethernet0
ip address 10.3.1.2 255.255.255.0
no ip directed-broadcast
ip wccp web-cache redirect out
ip wccp 99 redirect out
no ip route-cache
no ip mroute-cache
!
interface Ethernet1
ip address 10.4.1.1 255.255.255.0
no ip directed-broadcast
The WCCP Bypass Counters feature allows you to display a count of packets that have been bypassed
by a web cache and returned to the originating router to be forwarded normally.
Contents
• Information About WCCP Bypass Counters, page 147
• How to Display WCCP Bypass Counters, page 148
• Additional References, page 150
• Command Reference, page 151
GRE is a Cisco proprietary tunneling protocol that encapsulates packet types from a variety of protocols
inside IP tunnels, creating a virtual point-to-point link to Cisco routers at remote points over an IP
internetwork. By connecting multiprotocol subnetworks in a single-protocol backbone environment, IP
tunneling that uses GRE allows expansion of the network across a single-protocol backbone
environment.
SUMMARY STEPS
1. enable
2. show ip wccp [service-number [detail | view] | web-cache [detail | view]]
DETAILED STEPS
Command Purpose
Step 1 Command: enable
Purpose: Enters privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 Command: show ip wccp [service-number [detail | view] | web-cache [detail | view]]
Purpose: Displays information about all web caches in the currently configured cluster. The argument and keywords are as follows:
• service-number—(Optional) Dynamic number of the web-cache service group being controlled by the cache. Range is from 0 to 99. For web caches that use Cisco Cache Engines, the reverse proxy service is indicated by a value of 99.
• web-cache—(Optional) Statistics for the web-cache service.
• detail—(Optional) Other members of a particular service group or web cache that have or have not been detected.
• view—(Optional) Information about a router or all web caches.
Example:
Router# show ip wccp web-cache detail
Troubleshooting Tips
Problems have been encountered because CPU usage is very high when WCCP is enabled. The counters
enable a determination of the bypass traffic directly on the router and can indicate whether or not this is
the cause. In some situations, 10 percent bypass traffic may be normal; in other situations, it may be high.
However, any figure above 25 percent should prompt a closer investigation of what is occurring in the
web cache.
If the counters suggest that the level of bypass traffic is high, the next step is to examine the bypass
counters in the web cache and determine why the web cache is choosing to bypass the traffic. You can
log in to the web-cache console and use the CLI to investigate further. The counters allow you to determine
the percentage of traffic being bypassed.
Configuration Examples
This section contains the following output example:
• WCCP Web Cache Configuration: Example, page 149
For more information about the show ip wccp web-cache command, see the Cisco IOS IP Application
Services Command Reference, Release 12.4.
Additional References
The following sections provide references related to the WCCP Bypass Counters feature.
Related Documents
Related Topic: ACL overview and configuration
Document Title:
• “Configuring IP Services” chapter in the Cisco IOS IP Configuration Guide
• IP Access List Entry Sequence Numbering, Release 12.2(15)T
Related Topic: IP addressing and services
Document Title:
• Cisco IOS IP Configuration Guide
• Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3 T
Related Topic: WCCP overview and configuration
Document Title: “Configuring Web Cache Services Using WCCP” chapter in the Cisco IOS IP Application Services Configuration Guide, Release 12.4
Related Topic: WCCP commands
Document Title: Cisco IOS IP Application Services Command Reference, Release 12.4.
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Technical Assistance
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content: http://www.cisco.com/public/support/tac/home.shtml
Command Reference
The following modified command is pertinent to this feature. To see the command pages for this
command and other commands used with this feature, go to the Cisco IOS Master Commands List,
Release 12.4, at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/124index.htm.
• show ip wccp
The WCCP Outbound ACL Check feature enables you to configure an access control list (ACL) check
for redirected traffic to prevent the possibility that cached content could be delivered to an unauthorized
client. This feature is supported by Web Cache Communication Protocol (WCCP) Version 1 and
Version 2.
Contents
• Information About WCCP Outbound ACL Check, page 153
• How to Configure WCCP Outbound ACL Check, page 154
• Configuration Examples for WCCP Outbound ACL Check, page 156
• Additional References, page 157
• Command Reference, page 158
WCCP
Web Cache Communication Protocol (WCCP) intercepts IP packets and redirects those packets to a
destination other than the destination that is specified in the IP header. Typically the packets are
redirected from a web server on the Internet to a web cache that is local to the redirecting router. If there
is an outbound ACL configured on the interface at which redirection takes place, it is possible, under
some circumstances, that hosts whose traffic is redirected will gain access to destinations to which they
would otherwise be blocked.
The WCCP Outbound ACL Check feature ensures that the outbound ACL checking is performed at the
original interface so that the checking is secure and consistent across all platforms and Cisco IOS
switching paths.
ACLs
Access control lists (ACLs) filter network traffic by controlling whether routed packets are forwarded or
blocked at the router interface. Each packet is examined to determine whether it will be forwarded or
dropped, according to the specified criteria within the ACL. ACL criteria can be the source address of
the traffic, the destination address of the traffic, or the upper-layer protocol.
An IP ACL is a sequential collection of permit and deny conditions that apply to an IP address. The
router tests addresses against the conditions in the ACL one at a time. The first match determines
whether the address is accepted or rejected. Because Cisco IOS software stops testing conditions after
the first match, the order of the conditions is critical. If no conditions match, the router rejects the
address, by virtue of an implicit “deny all” clause.
There are many types of IP ACLs that can be configured in Cisco IOS software, such as:
• Standard
• Extended
• Lock and key (dynamic ACLs)
• IP named
• Reflexive
• Time-based and distributed time-based
• Context-based
• Authentication proxy
• Turbo
Note When all redirection is performed in the hardware, the mode of redirection will change when outbound
ACL checking is enabled. The first packet is switched in software to allow the extra ACL check to be
performed before a shortcut is installed.
SUMMARY STEPS
1. enable
2. configure terminal
3. ip wccp {web-cache | service-number} [group-address multicast-address] [redirect-list
access-list] [group-list access-list] [password password]
4. ip wccp outbound-acl-check
5. exit
6. show ip wccp [service-number [detail | view] | web-cache [detail | view]]
DETAILED STEPS
Step 2 Command: configure terminal
Purpose: Enters global configuration mode.
Example:
Router# configure terminal
Step 3 Command: ip wccp {web-cache | service-number} [group-address multicast-address] [redirect-list access-list] [group-list access-list] [password password]
Purpose: Enables the support for Cisco Cache Engine service group or any cache service group and configures a redirect ACL list or group ACL.
Note The web-cache keyword is for WCCP version 1 and version 2 and the service-number argument is for WCCP version 2 only.
Example:
Router(config)# ip wccp web-cache
Step 4 Command: ip wccp outbound-acl-check
Purpose: Enables the ACL outbound check on the originating interface.
Example:
Router(config)# ip wccp outbound-acl-check
Step 5 Command: exit
Purpose: Exits global configuration mode and returns to privileged EXEC mode.
Example:
Router(config)# exit
Step 6 Command: show ip wccp [service-number [detail | view] | web-cache [detail | view]]
Purpose: Displays information about all web caches in the currently configured cluster. The argument and keywords are as follows:
• service-number—(Optional) Dynamic number of the web-cache service group being controlled by the cache. Range is from 0 to 99. For web caches that use Cisco Cache Engines, the reverse proxy service is indicated by a value of 99.
• web-cache—(Optional) Statistics for the web-cache service.
• detail—(Optional) Other members of a particular service group or web cache that have or have not been detected.
• view—(Optional) Information about a router or all web caches.
Example:
Router# show ip wccp 24 detail
If the outbound ACL check is disabled, the HTTP packets from network 10.0.0.0 would be redirected to
a web cache. Users with that network address could retrieve web pages even though the network
administrator wanted to prevent it.
Additional References
The following sections provide references related to the WCCP Outbound ACL Check feature.
Related Documents
Related Topic: ACL overview and configuration
Document Title:
• “Configuring IP Services” chapter in Cisco IOS IP Configuration Guide
• IP Access List Entry Sequence Numbering, Release 12.2(15)T
Related Topic: IP addressing and services commands and configuration
Document Title:
• Cisco IOS IP Configuration Guide
• Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.3 T
Related Topic: WCCP overview and configuration
Document Title: “Configuring Web Cache Services Using WCCP” chapter in Cisco IOS Configuration Fundamentals Configuration Guide
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Technical Assistance
Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content: http://www.cisco.com/public/support/tac/home.shtml
Command Reference
The following modified command is pertinent to this feature. To see the command pages for this
command and other commands used with this feature, go to the Cisco IOS Master Commands List,
Release 12.4, at http://www.cisco.com/univercd/cc/td/doc/product/software/ios124/124mindx/124index.htm.
• ip wccp
Previously, all versions of Web Cache Communication Protocol (WCCP) within Cisco IOS software
supported a maximum number of eight simultaneous service definitions. As content networking
configurations became more complex, this limited number of definitions became an impediment to the
deployment of content networking solutions. The WCCP Increased Services feature increases the
number of services supported by WCCP to a maximum of 256.
Finding Support Information for Platforms and Cisco IOS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS
software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An
account on Cisco.com is not required.
Contents
• Information About WCCP Increased Services, page 159
• How to Configure WCCP Increased Services, page 160
• Configuration Examples for WCCP Increased Services, page 161
• Additional References, page 161
• Command Reference, page 163
• Feature Information for WCCP Increased Services, page 174
SUMMARY STEPS
1. enable
2. configure terminal
3. ip wccp check services all
4. ip wccp {web-cache | service-number}
5. exit
DETAILED STEPS
Step 2 Command: configure terminal
Purpose: Enters global configuration mode.
Example:
Router# configure terminal
Step 5 Command: exit
Purpose: Exits global configuration mode and returns to privileged EXEC mode.
Example:
Router(config)# exit
Additional References
The following sections provide references related to the WCCP Increased Services feature.
Related Documents
Related Topic: WCCP overview and configuration tasks
Document Title: “Web Cache Services Using WCCP” chapter in the Cisco IOS IP Application Services Configuration Guide, Release 12.4
Related Topic: WCCP commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Document Title: Cisco IOS IP Application Services Command Reference, Release 12.2SR
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Technical Assistance
The Cisco Technical Support & Documentation website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content: http://www.cisco.com/techsupport
Command Reference
This section documents modified commands only.
• ip wccp
• ip wccp check services all
• show ip wccp
ip wccp
To allocate space and to enable support of the specified Web Cache Communication Protocol (WCCP)
service for participation in a service group, use the ip wccp command in global configuration mode. To
disable the service group and deallocate space, use the no form of this command.
Usage Guidelines
WCCP transparent caching bypasses Network Address Translation (NAT) when fast (Cisco Express
Forwarding [CEF]) switching is enabled. To work around this situation, WCCP transparent caching
should be configured in the outgoing direction, fast/CEF switching should be enabled on the Content
Engine interface, and the ip wccp web-cache redirect out command should be specified. Configure
WCCP in the incoming direction on the inside interface by specifying the ip wccp redirect exclude in
command on the router interface facing the cache. This configuration prevents the redirection of any
packets arriving on that interface.
You can also include a redirect list when configuring a service group and the specified redirect list will
deny packets with a network address translation (NAT) (source) IP address and prevent redirection. Refer
to the ip wccp command for configuration of the redirect list and service group.
This command instructs a router to enable or disable the support for the specified service number or the
web-cache service name. A service number can be from 0 to 254. Once the service number or name is
enabled, the router can participate in the establishment of a service group.
When the no ip wccp command is entered, the router terminates participation in the service group,
deallocates space if none of the interfaces still has the service configured, and terminates the WCCP task
if no other services are configured.
The keywords following the web-cache keyword and the service-number argument are optional and may
be specified in any order, but each may be specified only once. The following sections outline the specific
usage of each of the optional forms of this command.
Note The ip wccp {web-cache | service-number} group-list command syntax resembles the ip wccp
{web-cache | service-number} group-listen command, but these are entirely different commands. The
ip wccp group-listen command is an interface configuration command used to configure an interface to
listen for multicast notifications from a cache cluster. Refer to the description of the ip wccp
group-listen command in the Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and
Services, Release 12.3T.
Examples
The following example shows how to configure a router to run WCCP reverse-proxy service, using the
multicast address of 10.1.1.1:
ip multicast-routing
ip wccp 99 group-address 10.1.1.1
interface ethernet 0
ip wccp 99 group-listen
The following example shows how to configure a router to redirect web-related packets without a
destination of 10.168.196.51 to the web cache:
access-list 100 deny ip any host 10.168.196.51
access-list 100 permit ip any any
ip wccp web-cache redirect-list 100
interface ethernet 0
ip wccp web-cache redirect out
The following example shows how to configure an access list to prevent traffic from network 10.0.0.0
from leaving the Fast Ethernet 0/0 interface. Because the outbound ACL check is enabled, WCCP does not
redirect that traffic. WCCP checks packets against the ACL before they are redirected.
ip wccp web-cache
ip wccp outbound-acl-check
interface fastethernet0/0
ip access-group 10 out
ip wccp web-cache redirect out
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any
If the outbound ACL check is disabled, HTTP packets from network 10.0.0.0 would be redirected to a
cache and users with that network address could retrieve web pages when the network administrator
wanted to prevent this from happening.
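The first-match ACL semantics described earlier and this example can be replayed with the following added Python model (not Cisco's code): it parses the configuration above, evaluates standard ACL 10 with the implicit deny, and shows what happens to a redirected HTTP packet with and without the ip wccp outbound-acl-check line. The packet dictionaries, the egress() switching-path model and the parser are assumptions; the ACL semantics are as the page states them.

```python
"""Standard-ACL first-match evaluation and the WCCP outbound ACL check.

Added illustration, not Cisco's code. PAGE_CONFIG is the page's own example
configuration; the parser, the packet dictionaries and the egress() model of
the switching path are assumptions.
"""
import ipaddress

# The page's example configuration, reused here as the parser input.
PAGE_CONFIG = """\
ip wccp web-cache
ip wccp outbound-acl-check
interface fastethernet0/0
ip access-group 10 out
ip wccp web-cache redirect out
access-list 10 deny 10.0.0.0 0.255.255.255
access-list 10 permit any
"""


def _addr(text):
    return int(ipaddress.ip_address(text))


def parse_config(text):
    """Extract what the model needs: standard ACL entries by number, the ACL
    applied outbound on the interface, the redirect direction and the flag."""
    cfg = {"acls": {}, "acl_out": None, "redirect_out": False,
           "outbound_acl_check": False}
    for line in text.splitlines():
        p = line.split()
        if not p:
            continue
        if p[:3] == ["ip", "wccp", "outbound-acl-check"]:
            cfg["outbound_acl_check"] = True
        elif p[:2] == ["ip", "access-group"] and p[3] == "out":
            cfg["acl_out"] = p[2]
        elif p[:3] == ["ip", "wccp", "web-cache"] and "redirect" in p:
            cfg["redirect_out"] = p[-1] == "out"
        elif p[0] == "access-list":
            # access-list N {permit|deny} {any | A.B.C.D [wildcard]}
            if p[3] == "any":
                base, wild = 0, 0xFFFFFFFF
            else:
                base = _addr(p[3])
                wild = _addr(p[4]) if len(p) > 4 else 0
            cfg["acls"].setdefault(p[1], []).append((p[2], base, wild))
    return cfg


def acl_permits(entries, src):
    """First matching entry decides; a wildcard bit of 1 means 'don't care'.
    No match at all falls through to the implicit deny."""
    s = _addr(src)
    for action, base, wild in entries:
        care = ~wild & 0xFFFFFFFF
        if s & care == base & care:
            return action == "permit"
    return False


def egress(cfg, packet):
    """Where a packet leaving the redirecting interface ends up."""
    acl = cfg["acls"].get(cfg["acl_out"], [])
    permitted = acl_permits(acl, packet["src"]) if cfg["acl_out"] else True
    is_web = packet["proto"] == "tcp" and packet["dport"] == 80
    if cfg["redirect_out"] and is_web:
        # Without the check, redirection happens before the outbound ACL is
        # consulted, so a denied source still reaches the cache (the gap the
        # feature closes). With it, the ACL is applied at the original interface.
        if cfg["outbound_acl_check"] and not permitted:
            return "dropped by outbound ACL"
        return "redirected to web cache"
    return "forwarded" if permitted else "dropped by outbound ACL"


def without_check(text):
    """The same configuration with the ip wccp outbound-acl-check line removed."""
    return "\n".join(line for line in text.splitlines()
                     if "outbound-acl-check" not in line)
```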
Usage Guidelines
The ip wccp check services all command specifies a check of all WCCP services. When traffic matches
a service, it may be prevented from redirection if a redirect list is configured for that service, and no
further checks against other services are made and the packet is not redirected.
With the ip wccp check services all command, WCCP can be configured to check the other configured
services for a match and perform redirection for those services if appropriate. The caches to which
packets are redirected can be controlled by the redirect ACL and not just the service description.
Note The ip wccp check services all command is a global WCCP command that applies to all services and is
not associated with a single service.
Examples
The following example shows how to configure all WCCP services:
ip wccp check services all
show ip wccp
To display global statistics related to Web Cache Communication Protocol (WCCP), use the show ip
wccp command in privileged EXEC mode.
Syntax Description
service-number: (Optional) Identification number of the web-cache service group being controlled by the cache. The number can be from 0 to 256. For web caches using Cisco Cache Engines, the reverse proxy service is indicated by a value of 99.
web-cache: (Optional) Statistics for the web-cache service.
detail: (Optional) Information about the router and all web caches.
view: (Optional) Other members of a particular service group have or have not been detected.
Usage Guidelines
Use the clear ip wccp command to reset the counter for the “Packets Redirected” information.
Examples
This section contains examples and field descriptions for the following forms of this command:
• show ip wccp web-cache
• show ip wccp service-number view
• show ip wccp service-number detail
• show ip wccp web-cache detail
• show ip wccp web-cache detail (bypass counters displayed)
Field Description
Service Name: Indicates which service is detailed.
Number of Cache Engines: Number of Cisco cache engines using the router as their home router.
Number of Routers: The number of routers in the service group.
Total Packets Redirected: Total number of packets redirected by the router.
Redirect access-list: The name or number of the access list that determines which packets will be redirected.
Total Packets Denied Redirect: Total number of packets that were not redirected because they did not match the access list.
Total Packets Unassigned: Number of packets that were not redirected because they were not assigned to any cache engine. Packets may not be assigned during initial discovery of cache engines or when a cache is dropped from a cluster.
Group access-list: Indicates which cache engine is allowed to connect to the router.
Total Messages Denied to Group: Indicates the number of packets denied by the group-list access list.
Total Authentication failures: The number of instances where a password did not match.
Note The maximum number of service groups that can be configured is 256.
If any web cache is displayed under the WCCP Cache Engines Not Visible field, the router needs to be
reconfigured to map the web cache that is not visible to it.
Table 5 describes the significant fields shown in the display.
Field Description
WCCP Router Informed of: A list of routers detected by the current router.
WCCP Cache Engines Visible: A list of cache engines that are visible to the router and other cache engines in the service group.
WCCP Cache Engines Not Visible: A list of cache engines in the service group that are not visible to the router and other cache engines in the service group.
(Fragment of the sample show ip wccp output preserved from the page; the rest of the display is not included.)
FFFFFFFFFFFFFFFFFFFFFFFFFF
Hash Allotment: 256 (100.00%)
Packets Redirected: 21345
Connect Time: 00:13:46
Field Description
WCCP Router information: The header for the area that contains fields for the IP address and version of WCCP associated with the router connected to the cache engine in the service group.
IP Address: The IP address of the router connected to the cache engine in the service group.
Protocol Version: The version of WCCP being used by the router in the service group.
WCCP Cache Engine Information: Contains fields for information on cache engines.
IP Address: The IP address of the cache engine in the service group.
Protocol Version: The version of WCCP being used by the cache engine in the service group.
State: Indicates whether the cache engine is operating properly and can be contacted by a router and other cache engines in the service group.
Initial Hash Info: The initial state of the hash bucket assignment.
Assigned Hash Info: The current state of the hash bucket assignment.
Hash Allotment: The percent of buckets assigned to the current cache engine. Both a value and a percent figure are displayed.
Packets Redirected: The number of packets that have been redirected to the cache engine.
Connect Time: The amount of time the cache engine has been connected to the router.
(Fragment of the sample show ip wccp web-cache detail output showing the bypass counters; the rest of the display is not included.)
Bypassed Packets
Process: 0
Fast: 0
CEF: 250
Field Description
WCCP Router information: The header for the area that contains fields for the IP address and the version of WCCP associated with the router connected to the cache engine in the service group.
IP Address: The IP address of the router connected to the cache engine in the service group.
Protocol Version: The version of WCCP that is being used by the router in the service group.
WCCP Cache-Engine Information: Contains fields for information on cache engines.
IP Address: The IP address of the cache engine in the service group.
Protocol Version: The version of WCCP that is being used by the cache engine in the service group.
State: Indicates whether the cache engine is operating properly and can be contacted by a router and other cache engines in the service group.
Initial Hash Info: The initial state of the hash bucket assignment.
Assigned Hash Info: The current state of the hash bucket assignment.
Hash Allotment: The percent of buckets assigned to the current cache engine. Both a value and a percent figure are displayed.
Packets Redirected: The number of packets that have been redirected to the cache engine.
Connect Time: The amount of time the cache engine has been connected to the router.
Bypassed Packets: The number of packets that have been bypassed. Process, fast, and Cisco Express Forwarding (CEF) are switching paths within Cisco IOS software.
Note Table 8 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
This roadmap lists the features documented in the First Hop Redundancy Protocol (FHRP) modules and
maps the features to the modules in which they appear.
Roadmap History
This roadmap was first published on May 2, 2005, and last updated on May 2, 2005.
Note Table 9 lists only the Cisco IOS software release that introduced support for a given feature in a given
Cisco IOS software release train. Unless noted otherwise, subsequent releases of that Cisco IOS
software release train also support that feature.
Gateway Load Balancing Protocol (GLBP) protects data traffic from a failed router or circuit, like Hot
Standby Router Protocol (HSRP) and Virtual Router Redundancy Protocol (VRRP), while allowing
packet load sharing between a group of redundant routers.
Module History
This module was first published on May 2, 2005, and last updated on September 23, 2005.
Contents
• Prerequisites for GLBP, page 181
• Information About GLBP, page 182
• How to Configure GLBP, page 186
• Configuration Examples for GLBP, page 199
• Additional References, page 201
• Glossary, page 203
• Feature Information for GLBP, page 203
GLBP Overview
The Gateway Load Balancing Protocol feature provides automatic router backup for IP hosts configured
with a single default gateway on an IEEE 802.3 LAN. Multiple first hop routers on the LAN combine to
offer a single virtual first hop IP router while sharing the IP packet forwarding load. Other routers on the
LAN may act as redundant GLBP routers that will become active if any of the existing forwarding
routers fail.
GLBP performs a similar function for the user as HSRP and VRRP. HSRP and VRRP allow multiple
routers to participate in a virtual router group configured with a virtual IP address. One member is
elected to be the active router to forward packets sent to the virtual IP address for the group. The other
routers in the group are redundant until the active router fails. These standby routers have unused
bandwidth that the protocol is not using. Although multiple virtual router groups can be configured for
the same set of routers, the hosts must be configured for different default gateways, which results in an
extra administrative burden. The advantage of GLBP is that it additionally provides load balancing over
multiple routers (gateways) using a single virtual IP address and multiple virtual MAC addresses. The
forwarding load is shared among all routers in a GLBP group rather than being handled by a single router
while the other routers stand idle. Each host is configured with the same virtual IP address, and all
routers in the virtual router group participate in forwarding packets. GLBP members communicate
between each other through hello messages sent every 3 seconds to the multicast address 224.0.0.102,
User Datagram Protocol (UDP) port 3222 (source and destination).
In Figure 8, Router A is the AVG for a GLBP group, and is responsible for the virtual IP address
10.21.8.10. Router A is also an AVF for the virtual MAC address 0007.b400.0101. Router B is a member
of the same GLBP group and is designated as the AVF for the virtual MAC address 0007.b400.0102.
Client 1 has a default gateway IP address of 10.21.8.10 and a gateway MAC address of 0007.b400.0101.
Client 2 shares the same default gateway IP address but receives the gateway MAC address
0007.b400.0102 because Router B is sharing the traffic load with Router A.
Figure 8 (image not reproduced): Router A is AVG 1 and AVF 1.1 (virtual MAC 0007.b400.0101); Router B is AVF 1.2 (virtual MAC 0007.b400.0102); both serve the virtual IP address 10.21.8.10. Client 1: default gateway 10.21.8.10, gateway MAC 0007.b400.0101. Client 2: default gateway 10.21.8.10, gateway MAC 0007.b400.0102.
If Router A becomes unavailable, Client 1 will not lose access to the WAN because Router B will assume
responsibility for forwarding packets sent to the virtual MAC address of Router A, and for responding
to packets sent to its own virtual MAC address. Router B will also assume the role of the AVG for the
entire GLBP group. Communication for the GLBP members continues despite the failure of a router in
the GLBP group.
GLBP Benefits
Load Sharing
You can configure GLBP in such a way that traffic from LAN clients can be shared by multiple routers,
thereby sharing the traffic load more equitably among available routers.
Preemption
The redundancy scheme of GLBP enables you to preempt an active virtual gateway with a higher priority
backup virtual gateway that has become available. Forwarder preemption works in a similar way, except
that forwarder preemption uses weighting instead of priority and is enabled by default.
Authentication
You can also use the industry-standard message digest 5 (MD5) algorithm for improved reliability,
security, and protection against GLBP-spoofing software. A router within a GLBP group with a different
authentication string than other routers will be ignored by other group members. You can alternatively
use a simple text password authentication scheme between GLBP group members to detect configuration
errors.
Customizing GLBP
This task explains how to customize your GLBP configuration.
Customizing the behavior of GLBP is optional. Be aware that as soon as you enable a GLBP group, that
group is operating. It is possible that if you first enable a GLBP group before customizing GLBP, the
router could take over control of the group and become the AVG before you have finished customizing
the feature. Therefore, if you plan to customize GLBP, it is a good idea to do so before enabling GLBP.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. glbp group timers [msec] hellotime [msec] holdtime
6. glbp group timers redirect redirect timeout
7. glbp group load-balancing [host-dependent | round-robin | weighted]
8. glbp group priority level
9. glbp group preempt [delay minimum seconds]
10. glbp group name redundancy-name
11. exit
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Specifies an interface type and number, and enters interface
configuration mode.
Example:
Router(config)# interface fastethernet 0/0
Step 4 ip address ip-address mask [secondary] Specifies a primary or secondary IP address for an interface.
Example:
Router(config-if)# ip address 10.21.8.32 255.255.255.0
Step 5 glbp group timers [msec] hellotime [msec] holdtime
Configures the interval between successive hello packets sent by the AVG in a GLBP group.
• The holdtime argument specifies the interval in seconds before the virtual gateway and virtual forwarder information in the hello packet is considered invalid.
• The optional msec keyword specifies that the following argument will be expressed in milliseconds, instead of the default seconds.
Example:
Router(config-if)# glbp 10 timers 5 18
Step 6 glbp group timers redirect redirect timeout
Configures the time interval during which the AVG continues to redirect clients to an AVF.
• The timeout argument specifies the interval in seconds before a secondary virtual forwarder becomes invalid.
Example:
Router(config-if)# glbp 10 timers redirect 600 7200
Step 7 glbp group load-balancing [host-dependent | round-robin | weighted]
Specifies the method of load balancing used by the GLBP AVG.
Example:
Router(config-if)# glbp 10 load-balancing host-dependent
Step 8 glbp group priority level Sets the priority level of the gateway within a GLBP group.
• The default value is 100.
Example:
Router(config-if)# glbp 10 priority 254
• The authentication schemes differ on the router and in the incoming packet.
• MD5 digests differ on the router and in the incoming packet.
• Text authentication strings differ on the router and in the incoming packet.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. glbp group-number authentication md5 key-string [0 | 7] key
6. glbp group-number ip [ip-address [secondary]]
7. Repeat Steps 1 through 6 on each router that will communicate.
8. end
9. show glbp
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 4 ip address ip-address mask [secondary] Specifies a primary or secondary IP address for an
interface.
Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Step 5 glbp group-number authentication md5 key-string [0 | 7] key
Configures an authentication key for GLBP MD5 authentication.
• The number of characters in the command plus the key string must not exceed 255 characters.
• No prefix to the key argument or specifying 0 means the key is unencrypted.
• Specifying 7 means the key is encrypted. The key-string authentication key will automatically be encrypted if the service password-encryption global configuration command is enabled.
Example:
Router(config-if)# glbp 1 authentication md5 key-string d00b4r987654321a
Step 6 glbp group-number ip [ip-address [secondary]] Enables GLBP on an interface and identifies the
primary IP address of the virtual gateway.
Example:
Router(config-if)# glbp 1 ip 10.0.0.10
Step 7 Repeat Steps 1 through 6 on each router that will communicate. —
Step 8 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 9 show glbp (Optional) Displays GLBP information.
• Use this command to verify your configuration. The key string and authentication type will be displayed if configured.
Example:
Router# show glbp
SUMMARY STEPS
1. enable
2. configure terminal
3. key chain name-of-chain
4. key key-id
5. key-string string
6. exit
7. exit
8. interface type number
9. ip address ip-address mask [secondary]
DETAILED STEPS
Command Purpose
Step 1 enable Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 key chain name-of-chain Enables authentication for routing protocols and
identifies a group of authentication keys.
Example:
Router(config)# key chain glbp2
Step 4 key key-id Identifies an authentication key on a key chain.
• The key-id must be a number.
Example:
Router(config-keychain)# key 100
Step 5 key-string string Specifies the authentication string for a key.
• The string can be 1 to 80 uppercase or lowercase alphanumeric characters; the first character cannot be a numeral.
Example:
Router(config-keychain-key)# key-string xmen382
Step 6 exit Returns to keychain configuration mode.
Example:
Router(config-keychain-key)# exit
Step 7 exit Returns to global configuration mode.
Example:
Router(config-keychain)# exit
Step 8 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 9 ip address ip-address mask [secondary] Specifies a primary or secondary IP address for an
interface.
Example:
Router(config-if)# ip address 10.21.0.1 255.255.255.0
Step 10 glbp group-number authentication md5 key-chain name-of-chain
Configures an authentication MD5 key chain for GLBP MD5 authentication.
• The key chain name must match the name specified in Step 3.
Example:
Router(config-if)# glbp 1 authentication md5 key-chain glbp2
Step 11 glbp group-number ip [ip-address [secondary]] Enables GLBP on an interface and identifies the
primary IP address of the virtual gateway.
Example:
Router(config-if)# glbp 1 ip 10.21.0.12
Step 12 Repeat Steps 1 through 10 on each router that will communicate. —
Step 13 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 14 show glbp (Optional) Displays GLBP information.
• Use this command to verify your configuration. The key chain and authentication type will be displayed if configured.
Example:
Router# show glbp
Step 15 show key chain (Optional) Displays authentication key
information.
Example:
Router# show key chain
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. glbp group-number authentication text string
6. glbp group-number ip [ip-address [secondary]]
7. Repeat Steps 1 through 6 on each router that will communicate.
8. end
9. show glbp
DETAILED STEPS
Command Purpose
Step 1 enable Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 4 ip address ip-address mask [secondary] Specifies a primary or secondary IP address for an
interface.
Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Step 5 glbp group-number authentication text string
Authenticates GLBP packets received from other routers in the group.
• If you configure authentication, all routers within the GLBP group must use the same authentication string.
Example:
Router(config-if)# glbp 10 authentication text stringxyz
Step 6 glbp group-number ip [ip-address [secondary]] Enables GLBP on an interface and identifies the
primary IP address of the virtual gateway.
Example:
Router(config-if)# glbp 1 ip 10.0.0.10
Step 7 Repeat Steps 1 through 6 on each router that will communicate. —
Step 8 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 9 show glbp (Optional) Displays GLBP information.
• Use this command to verify your configuration.
Example:
Router# show glbp
SUMMARY STEPS
1. enable
2. configure terminal
3. track object-number interface type number {line-protocol | ip routing}
4. exit
5. interface type number
6. glbp group weighting maximum [lower lower] [upper upper]
7. glbp group weighting track object-number [decrement value]
8. glbp group forwarder preempt [delay minimum seconds]
9. end
10. show track [object-number | brief] [interface [brief] | ip route [brief] | resolution | timers]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 track object-number interface type number {line-protocol | ip routing}
Configures an interface to be tracked where changes in the state of the interface affect the weighting of a GLBP gateway, and enters tracking configuration mode.
• This command configures the interface and corresponding object number to be used with the glbp weighting track command.
• The line-protocol keyword tracks whether the interface is up. The ip routing keywords also check that IP routing is enabled on the interface, and an IP address is configured.
Example:
Router(config)# track 2 interface POS 6/0 ip routing
Example:
Router(config-track)# exit
Step 5 interface type number Enters interface configuration mode.
Example:
Router(config)# interface fastethernet 0/0
Step 6 glbp group weighting maximum [lower lower] [upper upper]
Specifies the initial weighting value, and the upper and lower thresholds, for a GLBP gateway.
Example:
Router(config-if)# glbp 10 weighting 110 lower 95 upper 105
Step 7 glbp group weighting track object-number [decrement value]
Specifies an object to be tracked that affects the weighting of a GLBP gateway.
• The value argument specifies a reduction in the weighting of a GLBP gateway when a tracked object fails.
Example:
Router(config-if)# glbp 10 weighting track 2 decrement 5
Step 8 glbp group forwarder preempt [delay minimum seconds]
Configures the router to take over as AVF for a GLBP group if the current AVF for a GLBP group falls below its low weighting threshold.
• This command is enabled by default with a delay of 30 seconds.
• Use the optional delay and minimum keywords and the seconds argument to specify a minimum delay interval in seconds before preemption of the AVF takes place.
Example:
Router(config-if)# glbp 10 forwarder preempt delay minimum 60
Step 9 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 10 show track [object-number | brief] [interface [brief] | ip route [brief] | resolution | timers]
Displays tracking information.
Example:
Router# show track 2
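The weighting mechanism configured in Steps 6 through 8 is easier to reason about when walked through with numbers. The following Python model is an added example and is not Cisco code: it uses the task's own values (weighting 110, lower 95, upper 105, track object 2 with decrement 5), adds a constructed tracked object 3 with decrement 20, and assumes that a gateway starts out holding an AVF role and that the thresholds are compared strictly (below lower, above upper). The point it makes is the hysteresis: once the weighting drops below the lower threshold the AVF role is lost, and it is not regained merely by climbing back to the lower threshold; the weighting has to exceed the upper threshold.

```python
"""GLBP gateway weighting with tracked objects and threshold hysteresis.

Added illustration, not Cisco code. It models the behaviour the task above
configures: 'glbp 10 weighting 110 lower 95 upper 105' and
'glbp 10 weighting track 2 decrement 5'. Tracked object 3 and its decrement
are constructed; strict threshold comparisons are an assumption of the model.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class TrackedObject:
    """One object created with 'track <n> interface ... {line-protocol | ip routing}'."""
    object_number: int
    decrement: int          # value from 'glbp <group> weighting track <n> decrement <value>'
    up: bool = True


@dataclass
class GlbpGateway:
    """Weighting state of one GLBP gateway competing for an AVF role."""
    configured_weight: int  # glbp <group> weighting <maximum>
    lower: int              # ... lower <lower>
    upper: int              # ... upper <upper>
    tracked: Dict[int, TrackedObject] = field(default_factory=dict)
    is_avf: bool = True     # assumption: the gateway starts out holding an AVF role

    def weighting(self) -> int:
        """Configured maximum minus the decrement of every tracked object that is down."""
        penalty = sum(t.decrement for t in self.tracked.values() if not t.up)
        return max(self.configured_weight - penalty, 0)

    def evaluate(self) -> bool:
        """Apply both thresholds with hysteresis; return whether the gateway may act as AVF."""
        w = self.weighting()
        if self.is_avf and w < self.lower:
            # Fell below the lower threshold: the AVF role is given up and a
            # preempting gateway can take it over (forwarder preemption).
            self.is_avf = False
        elif not self.is_avf and w > self.upper:
            # Only after climbing back above the upper threshold is the gateway
            # eligible again; between the two thresholds nothing changes.
            self.is_avf = True
        return self.is_avf

    def set_track_state(self, object_number: int, up: bool) -> Tuple[int, bool]:
        """Record a tracked object going up or down; return (weighting, is_avf) afterwards."""
        self.tracked[object_number].up = up
        return self.weighting(), self.evaluate()


def run_scenario() -> List[Tuple[int, bool]]:
    """Walk the guide's values through a sequence of tracked-object events."""
    gw = GlbpGateway(configured_weight=110, lower=95, upper=105)
    gw.tracked[2] = TrackedObject(object_number=2, decrement=5)    # from the guide
    gw.tracked[3] = TrackedObject(object_number=3, decrement=20)   # constructed
    history = [(gw.weighting(), gw.evaluate())]      # (110, True)  everything up
    history.append(gw.set_track_state(2, up=False))  # (105, True)  matches "Weighting 105 (configured 110)"
    history.append(gw.set_track_state(3, up=False))  # (85, False)  below lower 95: AVF role lost
    history.append(gw.set_track_state(3, up=True))   # (105, False) not above upper 105: still not eligible
    history.append(gw.set_track_state(2, up=True))   # (110, True)  above upper: eligible again
    return history


if __name__ == "__main__":
    for weight, avf in run_scenario():
        print(f"weighting {weight:3d}  AVF eligible: {avf}")
```

The second event reproduces the "Weighting 105 (configured 110)" line of the show glbp display later in this module, with track object 2 Down. The fourth event is the one to remember when sizing thresholds: a gap between lower and upper that is wider than a single decrement means a flapping interface cannot make the forwarder role flap with it.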
Prerequisites
If VLANs are in use on an interface, the GLBP group number must be different for each VLAN.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. glbp group ip [ip-address [secondary]]
6. exit
7. show glbp [interface-type interface-number] [group] [state] [brief]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Specifies an interface type and number, and enters interface
configuration mode.
Example:
Router(config)# interface fastethernet 0/0
Step 4 ip address ip-address mask [secondary] Specifies a primary or secondary IP address for an interface.
Example:
Router(config-if)# ip address 10.21.8.32 255.255.255.0
Examples
In the following example, output information is displayed about the status of the GLBP group, named
10, on the router:
Router# show glbp 10
FastEthernet0/0 - Group 10
State is Active
2 state changes, last state change 23:50:33
Virtual IP address is 10.21.8.10
Hello time 5 sec, hold time 18 sec
Next hello sent in 4.300 secs
Redirect time 600 sec, forwarder time-out 7200 sec
Authentication text "stringabc"
Preemption enabled, min delay 60 sec
Active is local
Standby is unknown
Priority 254 (configured)
Weighting 105 (configured 110), thresholds: lower 95, upper 105
Track object 2 state Down decrement 5
Load balancing: host-dependent
There is 1 forwarder (1 active)
Forwarder 1
State is Active
1 state change, last state change 23:50:15
MAC address is 0007.b400.0101 (default)
Owner ID is 0005.0050.6c08
Redirection enabled
Preemption enabled, min delay 60 sec
Active is local, weighting 105
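As an added example that is not part of the guide, the following Python script parses the show glbp display above into a dictionary and then lists the points a reviewer would raise from it. The parsing rules and the audit checks are mine and match only the fields present in that display; the embedded text is the display as shown above. The checks come from statements made earlier in this module: MD5 is the authentication the guide describes as protection against GLBP-spoofing software, a Standby of unknown means no other virtual gateway has been learned, a tracked object that is Down reduces the weighting, and a weighting below the lower threshold lets a preempting gateway take over the AVF role.

```python
"""Parse 'show glbp' output and review it for the settings the guide calls out.

Added illustration, not Cisco code. The embedded sample is the guide's own
'show glbp 10' display; the regular expressions match that display only.
"""
import re
from typing import Any, Dict, List

SHOW_GLBP_SAMPLE = """\
FastEthernet0/0 - Group 10
  State is Active
    2 state changes, last state change 23:50:33
  Virtual IP address is 10.21.8.10
  Hello time 5 sec, hold time 18 sec
    Next hello sent in 4.300 secs
  Redirect time 600 sec, forwarder time-out 7200 sec
  Authentication text "stringabc"
  Preemption enabled, min delay 60 sec
  Active is local
  Standby is unknown
  Priority 254 (configured)
  Weighting 105 (configured 110), thresholds: lower 95, upper 105
    Track object 2 state Down decrement 5
  Load balancing: host-dependent
  There is 1 forwarder (1 active)
  Forwarder 1
    State is Active
      1 state change, last state change 23:50:15
    MAC address is 0007.b400.0101 (default)
    Owner ID is 0005.0050.6c08
    Redirection enabled
    Preemption enabled, min delay 60 sec
    Active is local, weighting 105
"""

# (regex, handler): handler(target, match) stores fields on whichever dict is
# being filled, the group itself or the forwarder most recently announced.
_RULES = [
    (r"(\S+) - Group (\d+)$", lambda t, m: t.update(interface=m[1], group=int(m[2]))),
    (r"State is (\w+)", lambda t, m: t.update(state=m[1])),
    (r"Virtual IP address is (\S+)", lambda t, m: t.update(virtual_ip=m[1])),
    (r"Hello time (\d+) sec, hold time (\d+) sec",
     lambda t, m: t.update(hello=int(m[1]), hold=int(m[2]))),
    (r"Redirect time (\d+) sec, forwarder time-out (\d+) sec",
     lambda t, m: t.update(redirect=int(m[1]), forwarder_timeout=int(m[2]))),
    (r'Authentication (\w+)(?: "([^"]*)")?', lambda t, m: t.update(auth_type=m[1], auth_string=m[2])),
    (r"Preemption (enabled|disabled)(?:, min delay (\d+) sec)?",
     lambda t, m: t.update(preempt=(m[1] == "enabled"), preempt_delay=int(m[2]) if m[2] else None)),
    (r"Active is (\S+?)(?:, weighting (\d+))?$", lambda t, m: t.update(active=m[1])),
    (r"Standby is (\S+)", lambda t, m: t.update(standby=m[1])),
    (r"Priority (\d+)", lambda t, m: t.update(priority=int(m[1]))),
    (r"Weighting (\d+) \(configured (\d+)\), thresholds: lower (\d+), upper (\d+)",
     lambda t, m: t.update(weighting=tuple(int(x) for x in m.groups()))),
    (r"Track object (\d+) state (\w+) decrement (\d+)",
     lambda t, m: t.setdefault("tracks", []).append((int(m[1]), m[2], int(m[3])))),
    (r"Load balancing: (\S+)", lambda t, m: t.update(load_balancing=m[1])),
    (r"MAC address is (\S+)", lambda t, m: t.update(mac=m[1])),
    (r"Owner ID is (\S+)", lambda t, m: t.update(owner=m[1])),
]


def parse_show_glbp(text: str) -> Dict[str, Any]:
    """Return the group's fields, with each forwarder as a dict under 'forwarders'."""
    group: Dict[str, Any] = {"forwarders": []}
    target = group
    for raw in text.splitlines():
        line = raw.strip()
        fwd = re.match(r"Forwarder (\d+)$", line)
        if fwd:                                   # subsequent lines describe this forwarder
            target = {"forwarder": int(fwd[1])}
            group["forwarders"].append(target)
            continue
        for pattern, handler in _RULES:
            m = re.match(pattern, line)
            if m:
                handler(target, m)
                break
    return group


def audit_group(g: Dict[str, Any]) -> List[str]:
    """Points a reviewer would raise, each grounded in the guide's own guidance."""
    gid = f"group {g.get('group')}"
    findings: List[str] = []
    if g.get("auth_type") != "md5":
        findings.append(f"{gid}: authentication is {g.get('auth_type', 'not configured')}; "
                        "MD5 is the scheme the guide recommends against GLBP-spoofing software")
    if g.get("standby") == "unknown":
        findings.append(f"{gid}: no standby virtual gateway has been learned (Standby is unknown)")
    for obj, state, dec in g.get("tracks", []):
        if state != "Up":
            findings.append(f"{gid}: tracked object {obj} is {state}, weighting reduced by {dec}")
    if "weighting" in g and g["weighting"][0] < g["weighting"][2]:
        findings.append(f"{gid}: weighting {g['weighting'][0]} is below the lower threshold; "
                        "a preempting gateway can take over the AVF role")
    return findings
```

Run against the sample, the audit returns three findings: text authentication, no standby learned, and track object 2 Down. The weighting check stays quiet because 105 is still above the lower threshold of 95; it is there so that the same script gives a useful answer on a gateway whose tracked links have failed.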
Prerequisites
This task requires a router running GLBP to be attached directly to a console.
SUMMARY STEPS
1. enable
2. configure terminal
3. no logging console
4. Use Telnet to access a router port and repeat Steps 1 and 2.
5. end
6. terminal monitor
7. debug condition glbp interface-type interface-number group [forwarder]
8. terminal no monitor
DETAILED STEPS
Example:
Router# configure terminal
Step 3 no logging console Disables all logging to the console terminal.
• To reenable logging to the console, use the logging console command in global configuration mode.
Example:
Router(config)# no logging console
Example:
Router(config)# end
Step 6 terminal monitor Enables logging output on the virtual terminal.
Example:
Router# terminal monitor
Step 7 debug condition glbp interface-type interface-number group [forwarder]
Displays debugging messages about GLBP conditions.
• Try to enter only specific debug condition glbp or debug glbp commands to isolate the output to a certain subcomponent and minimize the load on the processor. Use appropriate arguments and keywords to generate more detailed debug information on specified subcomponents.
• Enter the specific no debug condition glbp or no debug glbp command when you are finished.
Example:
Router# debug condition glbp fastethernet 0/0 10 1
Step 8 terminal no monitor Disables logging on the virtual terminal.
Example:
Router# terminal no monitor
interface Ethernet0/1
ip address 10.0.0.1 255.255.255.0
glbp 2 authentication md5 key-chain AuthenticateGLBP
glbp 2 ip 10.0.0.10
Additional References
The following sections provide references related to GLBP.
Related Documents
Related Topic | Document Title
GLBP commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS IP Application Services Command Reference, Release 12.4
Key chains and key management commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples | Cisco IOS IP Routing Command Reference, Release 12.4
Object Tracking | “Configuring Enhanced Object Tracking” configuration module
VRRP | “Configuring VRRP” configuration module
HSRP | “Configuring HSRP” configuration module
Standards
Standards | Title
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature. | —
MIBs
MIBs | MIBs Link
No new MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature. | To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFCs | Title
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature. | —
Technical Assistance
Description | Link
The Cisco Technical Support website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content. | http://www.cisco.com/techsupport
Glossary
AVF—active virtual forwarder. One virtual forwarder within a GLBP group is elected as active virtual
forwarder for a specified virtual MAC address, and is responsible for forwarding packets sent to that
MAC address. Multiple active virtual forwarders can exist for each GLBP group.
AVG—active virtual gateway. One virtual gateway within a GLBP group is elected as the active virtual
gateway, and is responsible for the operation of the protocol.
GLBP gateway—Gateway Load Balancing Protocol gateway. A router or gateway running GLBP. Each
GLBP gateway may participate in one or more GLBP groups.
GLBP group—Gateway Load Balancing Protocol group. One or more GLBP gateways configured with
the same GLBP group number on connected Ethernet interfaces.
vIP—virtual IP address. An IPv4 address. There must be only one virtual IP address for each configured
GLBP group. The virtual IP address must be configured on at least one GLBP group member. Other
GLBP group members can learn the virtual IP address from hello messages.
Note Refer to the Internetworking Terms and Acronyms for terms not included in this glossary.
The Hot Standby Router Protocol (HSRP) is a first-hop redundancy protocol (FHRP) designed to allow
for transparent fail-over of the first-hop IP router. HSRP provides high network availability by providing
first-hop routing redundancy for IP hosts on Ethernet, Fiber Distributed Data Interface (FDDI),
Bridge-Group Virtual Interface (BVI), LAN Emulation (LANE), or Token Ring networks configured
with a default gateway IP address. HSRP is used in a group of routers for selecting an active router and
a standby router. In a group of router interfaces, the active router is the router of choice for routing
packets; the standby router is the router that takes over when the active router fails or when preset
conditions are met.
Module History
This module was first published on May 2, 2005, and last updated on February 12, 2006.
Contents
• Restrictions for Configuring HSRP, page 205
• Information About HSRP, page 206
• How to Configure HSRP, page 210
• Configuration Examples for HSRP, page 244
• Additional References, page 250
• Glossary, page 252
• Feature Information for HSRP, page 252
The Cisco 2500 series, Cisco 3000 series, Cisco 4000 series, and Cisco 4500 routers that use Lance
Ethernet hardware do not support multiple Hot Standby groups on a single Ethernet interface. The
Cisco 800 series and Cisco 1600 series that use PQUICC Ethernet hardware do not support multiple Hot
Standby groups on a single Ethernet interface. You can configure a workaround solution by using the
standby use-bia interface configuration command, which uses the burned-in address of the interface as
its virtual MAC address, instead of the preassigned MAC address.
HSRP Operation
Most IP hosts have an IP address of a single router configured as the default gateway. When HSRP is
used, the HSRP virtual IP address is configured as the host’s default gateway instead of the IP address
of the router.
HSRP is useful for hosts that do not support a router discovery protocol (such as ICMP Router Discovery
Protocol [IRDP]) and cannot switch to a new router when their selected router reloads or loses power.
Because existing TCP sessions can survive the failover, this protocol also provides a more transparent
recovery for hosts that dynamically choose a next hop for routing IP traffic.
When HSRP is configured on a network segment, it provides a virtual MAC address and an IP address
that is shared among a group of routers running HSRP. The address of this HSRP group is referred to as
the virtual IP address. One of these devices is selected by the protocol to be the active router. The active
router receives and routes packets destined for the MAC address of the group. For n routers running
HSRP, n + 1 IP and MAC addresses are assigned.
HSRP detects when the designated active router fails, at which point a selected standby router assumes
control of the MAC and IP addresses of the Hot Standby group. A new standby router is also selected at
that time.
HSRP uses a priority mechanism to determine which HSRP configured router is to be the default active
router. To configure a router as the active router, you assign it a priority that is higher than the priority
of all the other HSRP-configured routers. The default priority is 100, so if you configure just one router
to have a higher priority, that router will be the default active router.
Devices that are running HSRP send and receive multicast User Datagram Protocol (UDP)-based hello
messages to detect router failure and to designate active and standby routers. When the active router fails
to send a hello message within a configurable period of time, the standby router with the highest priority
becomes the active router. The transition of packet forwarding functions between routers is completely
transparent to all hosts on the network.
You can configure multiple Hot Standby groups on an interface, thereby making fuller use of redundant
routers and load sharing.
Figure 9 shows a network configured for HSRP. By sharing a virtual MAC address and IP address, two
or more routers can act as a single virtual router. The virtual router does not physically exist but
represents the common default gateway for routers that are configured to provide backup to each other.
You do not need to configure the hosts on the LAN with the IP address of the active router. Instead, you
configure them with the IP address (virtual IP address) of the virtual router as their default gateway. If
the active router fails to send a hello message within the configurable period of time, the standby router
takes over and responds to the virtual addresses and becomes the active router, assuming the active router
duties.
Figure 9 (image not reproduced): LAN hosts behind the HSRP routers, which connect to the Internet or ISP backbone.
HSRP is supported over Inter-Switch Link (ISL) encapsulation. Refer to the “Configuring Routing
Between VLANs with ISL Encapsulation” chapter in the Cisco IOS Switching Services Configuration
Guide, Release 12.2.
HSRP Benefits
Redundancy
HSRP employs a redundancy scheme that is time proven and deployed extensively in large networks.
Fast Failover
HSRP provides transparent fast failover of the first-hop router.
Preemption
Preemption allows a standby router to delay becoming active for a configurable amount of time.
Authentication
HSRP message digest 5 (MD5) algorithm authentication protects against HSRP-spoofing software and
uses the industry-standard MD5 algorithm for improved reliability and security.
HSRP Terminology
active router—The primary router in an HSRP group that is currently forwarding packets for the virtual
router.
standby group—The set of routers participating in HSRP that represent a virtual router.
standby router—The primary backup router.
virtual IP address—The IP address assigned to the virtual router that is used as the default gateway by
the IP hosts on the LAN.
virtual MAC address—For Ethernet and FDDI, the automatically generated MAC address when HSRP
is configured. The standard virtual MAC address used is: 0000.0C07.ACxy, where xy is the group
number in hexadecimal. The functional address is used for Token Ring. The virtual MAC address is
different for HSRP version 2.
HSRP Addressing
HSRP routers communicate with each other by exchanging HSRP hello packets. These packets are
sent to the destination IP multicast address 224.0.0.2 (the reserved multicast address used to reach
all routers) on UDP port 1985. The active router sources hello packets from its configured IP address
and the HSRP virtual MAC address, while the standby router sources hellos from its configured IP
address and the interface MAC address, which may or may not be the burned-in MAC address (BIA).
Because hosts are configured with their default gateway as the HSRP virtual IP address, hosts must
communicate with the MAC address associated with the HSRP virtual IP address. This MAC address
will be a virtual MAC address composed of 0000.0C07.ACxy, where xy is the HSRP group number in
hexadecimal based on the respective interface. For example, HSRP group one will use the HSRP virtual
MAC address of 0000.0C07.AC01. Hosts on the adjoining LAN segment use the normal Address
Resolution Protocol (ARP) process to resolve the associated MAC addresses.
Token Ring interfaces use functional addresses for the HSRP MAC address. Functional addresses are the
only general multicast mechanism available. There are a limited number of Token Ring functional
addresses available, and many of them are reserved for other functions. The following are the only three
addresses available for use with HSRP:
• c000.0001.0000 (group 0)
• c000.0002.0000 (group 1)
• c000.0004.0000 (group 2)
Thus, only three HSRP groups may be configured on Token Ring interfaces unless the standby use-bia
interface configuration command is configured.
HSRP version 2 uses the new IP multicast address 224.0.0.102 to send hello packets instead of the
multicast address of 224.0.0.2, which is used by version 1. This new multicast address allows Cisco
Group Management Protocol (CGMP) leave processing to be enabled at the same time as HSRP.
HSRP version 2 permits an expanded group number range, 0 to 4095, and consequently uses a new MAC
address range 0000.0C9F.F000 to 0000.0C9F.FFFF.
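The virtual MAC rules above (0000.0C07.ACxy for version 1, 0000.0C9F.F000 to 0000.0C9F.FFFF for version 2) can be checked mechanically. The following Python helpers are an added example and not part of this guide: hsrp_virtual_mac derives the address for a group and version, and classify_mac does the reverse for an address seen in an ARP or CAM table, which is how an operator confirms that the gateway MAC a host has resolved really belongs to an expected HSRP group. The function names and the TOKEN_RING_FUNCTIONAL table are this example's own; the table holds the three functional addresses listed above.

```python
"""HSRP virtual MAC address helpers (added example; not from the Cisco guide)."""
import re

V1_PREFIX = 0x0000_0C07_AC00   # 0000.0C07.ACxy, xy = group number 0-255
V2_PREFIX = 0x0000_0C9F_F000   # 0000.0C9F.Fxxx, xxx = group number 0-4095

# Token Ring uses functional addresses instead; the guide lists exactly three for HSRP.
TOKEN_RING_FUNCTIONAL = {0: "c000.0001.0000", 1: "c000.0002.0000", 2: "c000.0004.0000"}


def _fmt(mac_int: int) -> str:
    """Render a 48-bit integer in Cisco dotted form, e.g. 0000.0c07.ac01."""
    h = f"{mac_int:012x}"
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def hsrp_virtual_mac(group: int, version: int = 1) -> str:
    """Return the virtual MAC an Ethernet/FDDI HSRP group uses for the given version."""
    if version == 1:
        if not 0 <= group <= 255:
            raise ValueError("HSRP version 1 group number must be 0-255")
        return _fmt(V1_PREFIX | group)
    if version == 2:
        if not 0 <= group <= 4095:
            raise ValueError("HSRP version 2 group number must be 0-4095")
        return _fmt(V2_PREFIX | group)
    raise ValueError("version must be 1 or 2")


def classify_mac(mac: str):
    """Identify whether a MAC from an ARP or CAM table is an HSRP virtual MAC.

    Accepts 0000.0c07.ac01, 00:00:0c:07:ac:01 or 00-00-0c-07-ac-01.
    Returns (version, group) or None when the address is not an HSRP virtual MAC.
    """
    digits = re.sub(r"[^0-9a-fA-F]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    value = int(digits, 16)
    if value & ~0xFF == V1_PREFIX:      # low byte is the v1 group number
        return (1, value & 0xFF)
    if value & ~0xFFF == V2_PREFIX:     # low 12 bits are the v2 group number
        return (2, value & 0xFFF)
    return None
```

Feeding classify_mac the MAC a host has cached for its default gateway is a cheap first check when investigating a suspected rogue gateway: an address that is not in either HSRP range, or that maps to a group nobody configured, deserves a closer look.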
• Configuring Multiple HSRP Groups for Load Balancing, page 229 (optional)
• Enabling HSRP Support for ICMP Redirects, page 231 (optional)
• Configuring HSRP Virtual MAC Addresses or BIA MAC Addresses, page 234 (optional)
• Linking IP Redundancy Clients to HSRP Groups, page 236 (optional)
• Changing to HSRP Version 2, page 237 (optional)
• Configuring SSO-Aware HSRP (Cisco IOS Release 12.2(25)S), page 239 (optional)
• Enabling HSRP MIB Traps, page 243 (optional)
Enabling HSRP
Perform this task to enable HSRP.
The standby ip interface configuration command activates HSRP on the configured interface. If an IP
address is specified, that address is used as the virtual IP address for the Hot Standby group. For HSRP
to elect a designated router, you must configure the virtual IP address for at least one of the routers in
the group; it can be learned on the other routers in the group.
Prerequisites
You can configure many attributes in HSRP such as authentication, timers, priority, and preemption. It
is best practice to configure the attributes first before enabling the HSRP group.
This practice avoids authentication error messages and unexpected state changes in other routers that can
occur if the group is enabled first and then there is a long enough delay (one or two hold times) before
the other configuration is entered.
We recommend that you always specify an HSRP IP address.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. standby [group-number] ip [ip-address [secondary]]
6. end
7. show standby [all] [brief]
8. show standby type number [group-number | all] [brief]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface ethernet 0
Step 4 ip address ip-address mask Configures an IP address for an interface.
Example:
Router(config-if)# ip address 172.16.6.5 255.255.255.0
Step 5 standby [group-number] ip [ip-address [secondary]] Activates HSRP.
• If you do not configure a group number, it defaults to 0. The group number range is from 0 to 255 for HSRP version 1 and from 0 to 4095 for HSRP version 2.
• The ip-address is the virtual IP address of the virtual router. For HSRP to elect a designated router, you must configure the virtual IP address for at least one of the routers in the group; it can be learned on the other routers in the group.
Example:
Router(config-if)# standby 1 ip 172.16.6.100
Step 6 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 7 show standby [all] [brief] (Optional) Displays HSRP information.
• This command displays information for each group. The all option displays groups that are learned or that do not have the standby ip command configured.
Example:
Router# show standby
Step 8 show standby type number [group-number | all] [brief] (Optional) Displays HSRP information about specific groups or interfaces.
Example:
Router# show standby ethernet 0
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. standby delay minimum min-delay reload min-delay
6. standby [group-number] ip [ip-address [secondary]]
7. end
8. show standby delay [type number]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 4 ip address ip-address mask Specifies an IP address for an interface.
Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Step 6 standby [group-number] ip [ip-address [secondary]] Activates HSRP.
Example:
Router(config-if)# standby 1 ip 10.0.0.3
Step 7 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 8 show standby delay [type number] (Optional) Displays HSRP information about delay periods.
Example:
Router# show standby delay
Troubleshooting Tips
We recommend that you use the standby delay minimum reload command if the standby timers
command is configured in milliseconds or if HSRP is configured on a VLAN interface of a switch.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. standby [group-number] priority priority
6. standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}]
7. standby [group-number] ip [ip-address [secondary]]
8. end
9. show standby [all] [brief]
10. show standby type number [group-number | all] [brief]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 4 ip address ip-address mask Specifies an IP address for an interface.
Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Step 5 standby [group-number] priority priority Configures HSRP priority.
• The default priority is 100.
Example:
Router(config-if)# standby 1 priority 110
Step 6 standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}] Configures HSRP preemption and preemption delay.
• The default delay period is 0 seconds; if the router wants to preempt, it will do so immediately. By default, the router that comes up later becomes the standby.
Example:
Router(config-if)# standby 1 preempt delay minimum 380
Step 7 standby [group-number] ip [ip-address [secondary]] Activates HSRP.
Example:
Router(config-if)# standby 1 ip 10.0.0.3
Step 8 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 10 show standby type number [group-number | all] [brief] (Optional) Displays HSRP information about specific groups or interfaces.
Example:
Router# show standby ethernet 0/1
SUMMARY STEPS
1. enable
2. configure terminal
3. track object-number interface type number {line-protocol | ip routing}
4. exit
5. interface type number
6. standby [group-number] track object-number [decrement priority-decrement]
7. standby [group-number] ip [ip-address [secondary]]
8. end
9. show track [object-number | brief] [interface [brief] | ip route [brief] | resolution | timers]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 track object-number interface type number {line-protocol | ip routing} Configures an interface to be tracked and enters tracking configuration mode.
Example:
Router(config)# track 100 interface serial2/0 line-protocol
Step 4 exit Returns to global configuration mode.
Example:
Router(config-track)# exit
Step 5 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface ethernet 2
Step 6 standby [group-number] track object-number [decrement priority-decrement] Configures HSRP to track an object and change the Hot Standby priority on the basis of the state of the object.
• By default, the priority of the router is decreased by 10 if a tracked object goes down. Use the decrement priority-decrement keyword and argument combination to change the default behavior.
• When multiple tracked objects are down and priority-decrement values have been configured, these configured priority decrements are cumulative. If tracked objects are down, but none of them were configured with priority decrements, the default decrement is 10 and it is cumulative.
Example:
Router(config-if)# standby 1 track 100 decrement 20
Step 7 standby [group-number] ip [ip-address [secondary]] Activates HSRP.
• The default group number is 0. The group number range is from 0 to 255 for HSRP version 1 and from 0 to 4095 for HSRP version 2.
Example:
Router(config-if)# standby 1 ip 10.10.10.0
Step 8 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 9 show track [object-number | brief] [interface [brief] | ip route [brief] | resolution | timers] Displays tracking information.
Example:
Router# show track 100 interface
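To see how priority, preemption and tracking decrements interact (Steps 5 and 6 of the preemption task above and Step 6 of this one), the following Python model runs the election rules described there. It is an added example, not Cisco code: HsrpRouter, effective_priority and elect_active are this example's own names, and the tie-break on the higher IP address is taken from the HSRP protocol specification rather than from this guide. The decrement handling follows the two bullets of Step 6: a configured decrement per object, 10 when none is configured, summed across every tracked object that is down.

```python
"""HSRP active-router election model (added example, not from the Cisco guide)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

DEFAULT_PRIORITY = 100
DEFAULT_DECREMENT = 10


@dataclass
class HsrpRouter:
    name: str
    ip: str
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False
    # object-number -> decrement (None = default 10), as in "standby track <obj> [decrement n]"
    tracks: Dict[int, Optional[int]] = field(default_factory=dict)


def effective_priority(router: HsrpRouter, down_objects: Set[int]) -> int:
    """Subtract the cumulative decrement of every tracked object that is currently down."""
    total = 0
    for obj, dec in router.tracks.items():
        if obj in down_objects:
            total += DEFAULT_DECREMENT if dec is None else dec
    return max(0, router.priority - total)


def _ip_key(ip: str) -> tuple:
    return tuple(int(o) for o in ip.split("."))


def elect_active(routers: List[HsrpRouter], current_active: Optional[str],
                 down_objects: Set[int]) -> str:
    """Return the name of the router that should be active.

    Highest effective priority wins (ties broken by higher IP address, an assumption from
    the protocol rather than this guide).  A better router only takes over from a healthy
    active router if it has preemption configured; if the active router is gone (failed),
    the best remaining router takes over regardless.
    """
    by_name = {r.name: r for r in routers}
    ranked = sorted(routers, reverse=True,
                    key=lambda r: (effective_priority(r, down_objects), _ip_key(r.ip)))
    best = ranked[0]
    if current_active is None or current_active not in by_name:
        return best.name                       # initial election, or the active router failed
    active = by_name[current_active]
    if (best is not active and best.preempt
            and effective_priority(best, down_objects) > effective_priority(active, down_objects)):
        return best.name                       # preemption
    return current_active                      # no preempt configured: the incumbent stays


# Constructed scenario: Router A (priority 110) tracks object 100 with decrement 20 and
# object 101 with the default decrement; Router B keeps the default priority of 100.
ROUTER_A = HsrpRouter("A", "10.0.0.1", 110, preempt=True, tracks={100: 20, 101: None})
ROUTER_B = HsrpRouter("B", "10.0.0.2", 100, preempt=True)
```

The model makes one operational point explicit: tracking lowers the active router's priority, but the standby only takes over if it has standby preempt configured, so tracking on one router without preemption on the other changes nothing.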
Restrictions
Text authentication cannot be combined with MD5 authentication for an HSRP group at any one time.
When MD5 authentication is configured, the text authentication field in HSRP hello messages is set to
all zeroes on transmit and ignored on receipt, provided the receiving router also has MD5 authentication
enabled.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. standby [group-number] priority priority
6. standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}]
7. standby [group-number] authentication md5 key-string [0 | 7] key [timeout seconds]
8. standby [group-number] ip [ip-address [secondary]]
9. Repeat Steps 1 through 8 on each router that will communicate.
10. end
11. show standby
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 4 ip address ip-address mask [secondary] Specifies a primary or secondary IP address for an
interface.
Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Step 5 standby [group-number] priority priority Configures HSRP priority.
Example:
Router(config-if)# standby 1 priority 110
Step 6 standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}] Configures HSRP preemption.
Example:
Router(config-if)# standby 1 preempt
Step 7 standby [group-number] authentication md5 key-string [0 | 7] key [timeout seconds] Configures an authentication string for HSRP MD5 authentication.
• The key argument can be up to 64 characters in length and it is recommended that at least 16 characters be used.
• No prefix to the key argument or specifying 0 means the key will be unencrypted.
• Specifying 7 means the key will be encrypted. The key-string authentication key will automatically be encrypted if the service password-encryption global configuration command is enabled.
• The timeout value is the period of time that the old key string will be accepted to allow configuration of all routers in a group with a new key.
Example:
Router(config-if)# standby 1 authentication md5 key-string d00b4r987654321a timeout 30
Step 8 standby [group-number] ip [ip-address [secondary]] Activates HSRP.
Example:
Router(config-if)# standby 1 ip 10.0.0.3
Step 9 Repeat Steps 1 through 8 on each router that will communicate. —
Step 10 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 11 show standby (Optional) Displays HSRP information.
• Use this command to verify your configuration. The key string or key chain will be displayed if configured.
Example:
Router# show standby
Troubleshooting Tips
If you are changing a key string in a group of routers, change the active router last to prevent any HSRP
state change. The active router should have its key string changed no later than one holdtime period,
specified by the standby timers interface configuration command, after the non-active routers. This
procedure ensures that the non-active routers do not time out the active router.
SUMMARY STEPS
1. enable
2. configure terminal
3. key chain name-of-chain
4. key key-id
5. key-string string
6. exit
7. interface type number
8. ip address ip-address mask [secondary]
9. standby [group-number] priority priority
10. standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}]
11. standby [group-number] authentication md5 key-chain key-chain-name
12. standby [group-number] ip [ip-address [secondary]]
13. Repeat Steps 1 through 12 on each router that will communicate.
14. end
15. show standby
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 key chain name-of-chain Enables authentication for routing protocols and
identifies a group of authentication keys.
Example:
Router(config)# key chain hsrp1
Step 4 key key-id Identifies an authentication key on a key chain.
• The key-id must be a number.
Example:
Router(config-keychain)# key 100
Step 5 key-string string Specifies the authentication string for a key.
• The string can be 1 to 80 uppercase or lowercase alphanumeric characters; the first character cannot be a number.
Example:
Router(config-keychain-key)# key-string mno172
Step 6 exit Returns to global configuration mode.
Example:
Router(config-keychain-key)# exit
Step 7 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 8 ip address ip-address mask [secondary] Specifies a primary or secondary IP address for an
interface.
Example:
Router(config-if)# ip address 10.21.8.32 255.255.255.0
Step 9 standby [group-number] priority priority Configures HSRP priority.
Example:
Router(config-if)# standby 1 priority 110
Step 10 standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}] Configures HSRP preemption.
Example:
Router(config-if)# standby 1 preempt
Step 11 standby [group-number] authentication md5 key-chain key-chain-name Configures an authentication MD5 key chain for HSRP MD5 authentication.
• The key chain name must match the name specified in Step 3.
Example:
Router(config-if)# standby 1 authentication md5 key-chain hsrp1
Step 12 standby [group-number] ip [ip-address [secondary]] Activates HSRP.
Example:
Router(config-if)# standby 1 ip 10.21.8.12
Step 13 Repeat Steps 1 through 12 on each router that will communicate. —
Step 14 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 15 show standby (Optional) Displays HSRP information.
• Use this command to verify your configuration. The key string or key chain will be displayed if configured.
Example:
Router# show standby
SUMMARY STEPS
1. enable
2. debug standby errors
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 debug standby errors Displays error messages related to HSRP.
• Error messages will be displayed for each packet that fails to authenticate, so use this command with care.
• See the “Examples” section for an example of the type of error messages displayed when two routers are not authenticating.
Example:
Router# debug standby errors
Examples
In the following example, Router A has MD5 text string authentication configured, but Router B has the
default text authentication:
Router# debug standby errors
A:Jun 16 12:14:50.337:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 confgd but no tlv
B:Jun 16 12:16:34.287:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, Text auth failed
In the following example, Router A and Router B have different MD5 authentication strings:
Router# debug standby errors
A:Jun 16 12:19:26.335:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 auth failed
B:Jun 16 12:18:46.280:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, MD5 auth failed
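Because debug standby errors emits one line per failed packet, the output is easier to act on once it is grouped by peer and reason. The following Python parser is an added example, not part of this guide; it consumes the four debug lines shown above (rejoined onto single lines, with the router letter kept as a prefix) and maps each of the three failure reasons to the explanation the guide gives for it. The regular expression and the DIAGNOSIS texts are this example's own.

```python
"""Summarize 'debug standby errors' authentication failures (added example, not from the guide)."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Tuple

# Matches the failure lines shown in the guide's Examples section.
AUTH_FAIL = re.compile(
    r"HSRP:(?P<intf>\S+) Grp (?P<grp>\d+) Auth failed for Hello pkt from "
    r"(?P<peer>[\d.]+), (?P<reason>.+)$"
)

# The guide's own output, reassembled onto one line each; the leading letter is the router.
SAMPLE_LOG = """\
A:Jun 16 12:14:50.337:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 confgd but no tlv
B:Jun 16 12:16:34.287:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, Text auth failed
A:Jun 16 12:19:26.335:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.5, MD5 auth failed
B:Jun 16 12:18:46.280:HSRP:Et0/1 Grp 0 Auth failed for Hello pkt from 10.21.0.4, MD5 auth failed
"""

# What each reason means, following the guide's Examples and Restrictions text.
DIAGNOSIS = {
    "MD5 confgd but no tlv": "this router has MD5 configured but the peer sends text authentication",
    "Text auth failed": "this router uses text authentication; the peer's text field does not match "
                        "(a peer using MD5 sends the text field zeroed)",
    "MD5 auth failed": "both sides use MD5 but their key strings differ",
}

Key = Tuple[str, str, int, str]   # (router, interface, group, peer)


def parse_auth_failures(log: str) -> Dict[Key, Counter]:
    """Count failure reasons per (router, interface, group, peer)."""
    result: Dict[Key, Counter] = defaultdict(Counter)
    for line in log.splitlines():
        line = line.strip()
        if not line:
            continue
        router, _, rest = line.partition(":")        # strip the router label
        m = AUTH_FAIL.search(rest)
        if not m:
            continue                                  # not an authentication failure line
        key: Key = (router, m["intf"], int(m["grp"]), m["peer"])
        result[key][m["reason"].strip()] += 1
    return dict(result)


def diagnose(failures: Dict[Key, Counter]) -> Dict[Key, List[str]]:
    """Translate each peer's failure reasons into the guide's explanations."""
    return {key: [DIAGNOSIS.get(reason, f"unrecognized reason: {reason}") for reason in counts]
            for key, counts in failures.items()}
```

A sudden burst of failures from a peer address that is not one of the group's configured routers is worth correlating with the ARP table: the guide's MD5 authentication exists precisely so that such hellos are rejected rather than acted upon.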
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. standby [group-number] priority priority
6. standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}]
7. standby [group-number] authentication text string
8. standby [group-number] ip [ip-address [secondary]]
DETAILED STEPS
Command Purpose
Step 1 enable Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 4 ip address ip-address mask [secondary] Specifies a primary or secondary IP address for an
interface.
Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Step 5 standby [group-number] priority priority Configures HSRP priority.
Example:
Router(config-if)# standby 1 priority 110
Step 6 standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}] Configures HSRP preemption.
Example:
Router(config-if)# standby 1 preempt
Step 7 standby [group-number] authentication text string Configures an authentication string for HSRP text authentication.
• The default string is cisco.
Example:
Router(config-if)# standby 1 authentication text sanjose
Step 8 standby [group-number] ip [ip-address [secondary]] Activates HSRP.
Example:
Router(config-if)# standby 1 ip 10.0.0.3
Step 9 Repeat Steps 1 through 8 on each router that will communicate. —
Step 10 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 11 show standby (Optional) Displays HSRP information.
• Use this command to verify your configuration. The key string or key chain will be displayed if configured.
Example:
Router# show standby
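Two details on this page matter when HSRP hellos are reviewed in a packet capture: the default text authentication string is cisco (Step 7 above), and a router configured for MD5 sends the text authentication field as all zeroes (the Restrictions earlier in this section). The following Python decoder is an added example, not from this guide. It parses the fixed HSRP version 1 header as laid out in RFC 2281 (version, opcode, state, hellotime, holdtime, priority, group and a reserved byte, then 8 bytes of text authentication data and the 4-byte virtual IP) and reports whether a captured hello still carries the default string. The sample packet is constructed here for the test; parse_hsrp_v1, classify_auth and audit are this example's own names.

```python
"""Decode an HSRP version 1 packet and classify its text authentication field.

Added example, not from the Cisco guide.  Layout per RFC 2281 (20 bytes, carried in UDP
to 224.0.0.2 port 1985): version, opcode, state, hellotime, holdtime, priority, group,
reserved (one byte each), 8 bytes of text authentication data, 4-byte virtual IP.
"""
import socket
import struct
from dataclasses import dataclass
from typing import List

HSRP_V1 = struct.Struct("!BBBBBBBB8s4s")
OPCODES = {0: "Hello", 1: "Coup", 2: "Resign"}
STATES = {0: "Initial", 1: "Learn", 2: "Listen", 4: "Speak", 8: "Standby", 16: "Active"}
DEFAULT_TEXT_AUTH = b"cisco"           # the default text string named in the guide


@dataclass
class HsrpV1:
    opcode: str
    state: str
    hellotime: int
    holdtime: int
    priority: int
    group: int
    auth: bytes
    virtual_ip: str


def parse_hsrp_v1(payload: bytes) -> HsrpV1:
    """Decode the fixed v1 header; raises ValueError for short or non-v1 payloads."""
    if len(payload) < HSRP_V1.size:
        raise ValueError("payload shorter than an HSRP v1 header")
    ver, op, st, hello, hold, prio, grp, _reserved, auth, vip = HSRP_V1.unpack_from(payload)
    if ver != 0:                       # HSRP v1 carries version 0 on the wire
        raise ValueError(f"not an HSRP v1 packet (version byte {ver})")
    return HsrpV1(OPCODES.get(op, f"opcode {op}"), STATES.get(st, f"state {st}"),
                  hello, hold, prio, grp, auth, socket.inet_ntoa(vip))


def classify_auth(auth: bytes) -> str:
    """Describe the 8-byte text authentication field as a capture reviewer would."""
    text = auth.rstrip(b"\x00")
    if not text:
        return "zeroed text field (sender has MD5 authentication configured)"
    if text == DEFAULT_TEXT_AUTH:
        return "default text string 'cisco'"
    return "custom text string"


def audit(pkt: HsrpV1) -> List[str]:
    """Findings a defender would raise for a captured hello."""
    findings = []
    if classify_auth(pkt.auth).startswith("default"):
        findings.append("group still uses the default text authentication string")
    if pkt.holdtime < 3 * pkt.hellotime:
        findings.append("holdtime is less than three times hellotime")
    return findings


# Constructed sample: an Active-state hello for group 1 with the guide's example virtual IP
# 172.16.6.100, hellotime 3 s, holdtime 10 s, priority 100 and default authentication.
SAMPLE_HELLO = HSRP_V1.pack(0, 0, 16, 3, 10, 100, 1, 0,
                            DEFAULT_TEXT_AUTH.ljust(8, b"\x00"),
                            socket.inet_aton("172.16.6.100"))
```

The practical reading of the result: a hello whose text field is still cisco tells a reviewer that the group accepts any hello carrying that well-known string, which is the situation the MD5 tasks in this section are meant to remove.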
Customizing HSRP
Perform this task to customize HSRP parameters.
HSRP Timers
Each HSRP router maintains three timers that are used for timing hello messages: an active timer, a
standby timer, and a hello timer. When a timer expires, the router changes to a new HSRP state. Routers
or access servers for which timer values are not configured can learn timer values from the active or
standby router. The timers configured on the active router always override any other timer settings. All
routers in a Hot Standby group should use the same timer values.
For HSRP version 1, nonactive routers learn timer values from the active router, unless millisecond timer
values are being used. If millisecond timer values are being used, all routers must be configured with the
millisecond timer values. This rule applies if either the hello time or the hold time is specified in
milliseconds. This configuration is necessary because the HSRP hello packets advertise the timer values
in seconds. HSRP version 2 does not have this limitation; it advertises the timer values in milliseconds.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. standby [group-number] timers [msec] hellotime [msec] holdtime
6. standby mac-refresh seconds
7. standby [group-number] ip [ip-address [secondary]]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 4 ip address ip-address mask [secondary] Specifies a primary or secondary IP address for an interface.
Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Step 5 standby [group-number] timers [msec] hellotime [msec] holdtime Configures the time between hello packets and the time before other routers declare the active Hot Standby router to be down.
• Normally, the holdtime value is greater than or equal to three times the value of hellotime.
• See the “HSRP Timers” concept in this section for more information.
Example:
Router(config-if)# standby 1 timers 5 15
Step 6 standby mac-refresh seconds Changes the interval at which packets are sent to refresh the MAC cache when HSRP is running over FDDI.
• This command applies to HSRP running over FDDI only.
Example:
Router(config-if)# standby mac-refresh 100
Step 7 standby [group-number] ip [ip-address [secondary]] Activates HSRP.
Example:
Router(config-if)# standby 1 ip 10.0.0.3
Example:
Router(config-if)# standby 1 ip 10.0.0.3
Troubleshooting Tips
Some HSRP state flapping can occasionally occur if the holdtime is set to less than 250 milliseconds
and the processor is busy. Holdtime values of less than 250 milliseconds should therefore be used only
on Cisco 7200 platforms or better, and on Fast Ethernet or FDDI interfaces or better. You can use the
standby delay command to allow the interface to come up completely before HSRP initializes.
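The timer rules in this section (holdtime at least three times hellotime, millisecond values configured on every router when HSRP version 1 is used, and caution below 250 milliseconds) can be checked before a configuration is pushed. The following Python functions are an added example and not part of this guide: v1_wire_timers shows why version 1 cannot carry millisecond values, by reducing a configuration to the whole-second values a version 1 hello advertises, and check_timers applies the three rules from the text. Function names and the warning texts are this example's own.

```python
"""HSRP timer checks derived from the "HSRP Timers" section (added example, not from the guide)."""
from typing import List, Tuple


def v1_wire_timers(hello_ms: int, hold_ms: int) -> Tuple[int, int]:
    """Return the (hellotime, holdtime) a peer would learn from an HSRP version 1 hello.

    Version 1 advertises both values in whole seconds, so sub-second settings are
    truncated; this is why millisecond timers cannot be learned in version 1.
    """
    return hello_ms // 1000, hold_ms // 1000


def check_timers(hello_ms: int, hold_ms: int, version: int, msec: bool,
                 all_routers_configured: bool) -> List[str]:
    """Return warnings for a group's timer settings; an empty list means no rule is violated.

    hello_ms/hold_ms: configured values in milliseconds (seconds * 1000 when configured
    without the msec keyword).  msec: the msec keyword was used on either value.
    all_routers_configured: every router in the group has the timers set explicitly.
    """
    warnings = []
    if hold_ms < 3 * hello_ms:
        warnings.append("holdtime is below three times hellotime")
    if version == 1 and msec and not all_routers_configured:
        learned = v1_wire_timers(hello_ms, hold_ms)
        warnings.append(
            f"version 1 hellos advertise timers in seconds (peers would learn "
            f"{learned[0]} s / {learned[1]} s): configure the millisecond values on every router")
    if hold_ms < 250:
        warnings.append("holdtime under 250 ms risks state flapping on busy or slower platforms")
    return warnings
```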
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. standby [group-number] priority priority
6. standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}]
7. standby [group-number] ip [ip-address [secondary]]
8. On the same router, repeat Steps 5 through 7 to configure the router attributes for different standby
groups.
9. exit
10. Repeat Steps 3 through 9 to configure HSRP on another router.
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 4 ip address ip-address mask [secondary] Specifies a primary or secondary IP address for an interface.
Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Step 5 standby [group-number] priority priority Configures HSRP priority.
Example:
Router(config-if)# standby 1 priority 110
Step 6 standby [group-number] preempt [delay {minimum delay | reload delay | sync delay}] Configures HSRP preemption.
Example:
Router(config-if)# standby 1 preempt
Step 7 standby [group-number] ip [ip-address [secondary]] Activates HSRP.
Example:
Router(config-if)# standby 1 ip 10.0.0.3
Step 8 On the same router, repeat Steps 5 through 7 to configure the router attributes for different standby groups. For example, Router A can be configured as the active router for group 1 and as the active or standby router for another HSRP group with different priority and preemption values.
Step 9 exit Exits to global configuration mode.
Example:
Router(config-if)# exit
Step 10 Repeat Steps 3 through 9 on another router. Configures multiple HSRP groups and enables load balancing on another router.
Figure 10 (diagram not reproduced). Labels recovered from the figure: e1, e1, R1, R2, R4, R5, Net A, e0, Listen 1, R7, R8, Host, Default gateway: virtual IP 1, Net F, Net G.
If the host wants to send a packet to another host on Net D, then it first sends it to its default gateway,
the virtual IP address of HSRP group 1.
The following is the packet received from the host:
dest MAC = HSRP group 1 virtual MAC
source MAC = Host MAC
dest IP = host-on-netD IP
source IP = Host IP
Router R1 receives this packet and determines that router R4 can provide a better path to Net D, so it
prepares to send a redirect message that will redirect the host to the real IP address of router R4 (because
only real IP addresses are in its routing table).
The following is the initial ICMP redirect message sent by router R1:
dest MAC = Host MAC
source MAC = router R1 MAC
dest IP = Host IP
source IP = router R1 IP
gateway to use = router R4 IP
Before this redirect occurs, the HSRP process of router R1 determines that router R4 is the active HSRP
router for group 3, so it changes the next hop in the redirect message from the real IP address of router
R4 to the virtual IP address of group 3. Furthermore, it determines from the destination MAC address of
the packet that triggered the redirect message that the host used the virtual IP address of group 1 as its
gateway, so it changes the source IP address of the redirect message to the virtual IP address of group 1.
The modified ICMP redirect message showing the two modified fields (*) is as follows:
dest MAC = Host MAC
source MAC = router R1 MAC
dest IP = Host IP
source IP* = HSRP group 1 virtual IP
gateway to use* = HSRP group 3 virtual IP
This second modification is necessary because hosts compare the source IP address of the ICMP redirect
message with their default gateway. If these addresses do not match, the ICMP redirect message is
ignored. The routing table of the host now consists of the default gateway, virtual IP address of group 1,
and a route to Net D through the virtual IP address of group 3.
In Figure 10, redirection to router R7 is allowed because R7 is not running HSRP. In this case, the next
hop IP address is unchanged. The source IP address is changed dependent upon the destination MAC
address of the original packet. You can specify the no standby redirect unknown command to stop
these redirects from being sent.
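The two field rewrites walked through above follow a small, fixed rule set, which the following Python model makes explicit. It is an added example, not Cisco code: the HsrpGroup and Redirect types, rewrite_redirect and the addresses used for R1, R4, R7 and the host are this example's own constructions for the Figure 10 scenario (R1 active for group 1, R4 active for group 3, R7 not running HSRP). The redirect_unknown flag set to False models the no standby redirect unknown command mentioned above.

```python
"""Model of HSRP's ICMP redirect rewriting for Figure 10 (added example, not from the guide)."""
from dataclasses import dataclass, replace
from typing import Dict, Optional


@dataclass(frozen=True)
class HsrpGroup:
    number: int
    virtual_ip: str
    virtual_mac: str
    active_real_ip: str        # real interface IP of the router currently active for the group


@dataclass(frozen=True)
class Redirect:
    dst_mac: str
    src_mac: str
    dst_ip: str
    src_ip: str
    gateway: str               # the "gateway to use" field of the ICMP redirect


def rewrite_redirect(msg: Redirect, triggering_dst_mac: str, groups: Dict[int, HsrpGroup],
                     redirect_unknown: bool = True) -> Optional[Redirect]:
    """Apply the two changes the guide describes; return None if the redirect is suppressed.

    triggering_dst_mac: destination MAC of the host packet that caused the redirect.
    redirect_unknown: False models 'no standby redirect unknown' (no redirects towards
    routers that are not HSRP active routers).
    """
    # Which HSRP group did the host address as its gateway?  Hosts ignore a redirect whose
    # source IP is not their configured gateway, so the source must become that virtual IP.
    host_group = next((g for g in groups.values()
                       if g.virtual_mac.lower() == triggering_dst_mac.lower()), None)
    # Is the better next hop the active router of some HSRP group?  If so, point the host at
    # that group's virtual IP so the learned route survives a failover of that router.
    target_group = next((g for g in groups.values() if g.active_real_ip == msg.gateway), None)

    if target_group is None and not redirect_unknown:
        return None                                   # redirect to a non-HSRP router suppressed
    new_src = host_group.virtual_ip if host_group else msg.src_ip
    new_gw = target_group.virtual_ip if target_group else msg.gateway
    return replace(msg, src_ip=new_src, gateway=new_gw)


# Constructed addresses for the Figure 10 scenario.  Virtual MACs follow the guide's
# 0000.0C07.ACxy rule; real IPs 10.1.0.11, .14 and .17 stand for R1, R4 and R7.
GROUPS = {
    1: HsrpGroup(1, "10.1.0.1", "0000.0c07.ac01", active_real_ip="10.1.0.11"),   # R1 active
    3: HsrpGroup(3, "10.1.0.3", "0000.0c07.ac03", active_real_ip="10.1.0.14"),   # R4 active
}
R1_REDIRECT_TO_R4 = Redirect(dst_mac="host-mac", src_mac="r1-mac", dst_ip="10.1.0.50",
                             src_ip="10.1.0.11", gateway="10.1.0.14")
R1_REDIRECT_TO_R7 = replace(R1_REDIRECT_TO_R4, gateway="10.1.0.17")    # R7 does not run HSRP
```

Running the R4 case reproduces the starred fields of the modified redirect above (source becomes the group 1 virtual IP, gateway becomes the group 3 virtual IP); the R7 case changes only the source, and is dropped entirely when redirects to unknown routers are disabled.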
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. standby redirect [timers advertisement holddown] [unknown]
5. end
6. show standby redirect [ip-address] [interface-type interface-number] [active] [passive] [timers]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 4 standby redirect [timers advertisement holddown] [unknown] Enables HSRP filtering of ICMP redirect messages.
• You can also use this command in global configuration mode, which enables HSRP filtering of ICMP redirect messages on all interfaces configured for HSRP.
Example:
Router(config-if)# standby redirect
Step 5 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 6 show standby redirect [ip-address] [interface-type interface-number] [active] [passive] [timers] (Optional) Displays ICMP redirect information on interfaces configured with HSRP.
Example:
Router# show standby redirect
on a multiple-ring, source-routed bridging environment and the HSRP routers reside on different rings,
configuring the standby use-bia command can prevent confusion about the routing information field
(RIF).
Restrictions
You cannot use the standby use-bia and standby mac-address commands in the same configuration;
they are mutually exclusive.
The standby use-bia command has the following disadvantages:
• When a router becomes active, the virtual IP address is moved to a different MAC address. The newly
active router sends a gratuitous ARP response, but not all host implementations handle the
gratuitous ARP correctly.
• Proxy ARP breaks when the standby use-bia command is configured. A standby router cannot
cover for the lost proxy ARP database of the failed router.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. standby [group-number] mac-address mac-address
or
standby use-bia [scope interface]
6. standby [group-number] ip [ip-address [secondary]]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 4 ip address ip-address mask [secondary] Configures an IP address for an interface.
Example:
Router(config-if)# ip address 172.16.6.5 255.255.255.0
Step 6 standby [group-number] ip [ip-address [secondary]] Activates HSRP.
Example:
Router(config-if)# standby 1 ip 172.16.6.100
Prerequisites
Within the client application, you must first specify the same name as configured in the standby name
command.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. standby [group-number] name [redundancy-name]
6. standby [group-number] ip [ip-address [secondary]]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 4 ip address ip-address mask Specifies an IP address for an interface.
Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Step 5 standby [group-number] name [redundancy-name] Configures the name of the standby group.
• HSRP groups have a default name, so it is not a requirement to specify a name.
Example:
Router(config-if)# standby 1 name HSRP-1
Step 6 standby [group-number] ip [ip-address [secondary]] Activates HSRP.
Example:
Router(config-if)# standby 1 ip 10.0.0.11
• HSRP version 2 provides improved management and troubleshooting. With HSRP version 1, there
is no method to identify from HSRP active hello messages which physical router sent the message
because the source MAC address is the HSRP virtual MAC address. The HSRP version 2 packet
format includes a 6-byte identifier field that is used to uniquely identify the sender of the message.
Typically, this field is populated with the interface MAC address.
• The multicast address 224.0.0.2 is used to send HSRP hello messages. This address can conflict with
Cisco Group Management Protocol (CGMP) leave processing.
Version 1 is the default version of HSRP.
HSRP version 2 uses the new IP multicast address 224.0.0.102 to send hello packets instead of the
multicast address of 224.0.0.2, which is used by version 1. This new multicast address allows CGMP
leave processing to be enabled at the same time as HSRP.
HSRP version 2 permits an expanded group number range, 0 to 4095, and consequently uses a new MAC
address range 0000.0C9F.F000 to 0000.0C9F.FFFF. The increased group number range does not imply
that an interface can, or should, support that many HSRP groups. The expanded group number range was
changed to allow the group number to match the VLAN number on subinterfaces.
When the HSRP version is changed, each group will reinitialize because it now has a new virtual MAC
address.
HSRP version 2 has a different packet format than HSRP version 1. The packet format uses a
type-length-value (TLV) format. HSRP version 2 packets received by an HSRP version 1 router will have
the type field mapped to the version field by HSRP version 1 and subsequently ignored.
The Gateway Load Balancing Protocol (GLBP) also addresses the same issues relative to HSRP version
1 that HSRP version 2 does. See the Configuring GLBP configuration module for more information on
GLBP.
Restrictions
• HSRP version 2 is not available for ATM interfaces running LAN emulation.
• HSRP version 2 will not interoperate with HSRP version 1. An interface cannot operate both version
1 and version 2 because both versions are mutually exclusive. However, the different versions can
be run on different physical interfaces of the same router. You cannot change from version 2 to
version 1 if you have configured groups above the group number range allowed for version 1 (0 to
255).
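The version rules above fix which virtual MAC address an HSRP group answers from and which group numbers each version accepts. As an added example (not from this guide), the following Python derives those addresses, recognises them in an ARP snapshot, and applies the version-2-to-version-1 restriction; it also covers VRRP, whose prefix 0000.5E00.01xx (VRID 1 to 255) and the HSRP version 1 prefix 0000.0C07.ACxx from RFC 2281 are assumptions, as is the constructed ARP table.

```python
import re

# Virtual MAC prefixes: (base address, group mask, lowest valid group).
# The HSRP v2 range 0000.0C9F.F000-0000.0C9F.FFFF and the 0-255 / 0-4095 group
# ranges come from the text above. The HSRP v1 prefix 0000.0C07.ACxx (RFC 2281)
# and the VRRP prefix 0000.5E00.01xx with VRID 1-255 are assumed here.
PREFIXES = {
    "hsrp1": (0x00000C07AC00, 0xFF, 0),
    "hsrp2": (0x00000C9FF000, 0xFFF, 0),
    "vrrp": (0x00005E000100, 0xFF, 1),
}


def _mac_to_int(mac):
    """Accept 0000.0c9f.f190, 00:00:0c:9f:f1:90 or 00-00-0c-9f-f1-90."""
    digits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return int(digits, 16)


def _int_to_cisco(value):
    """Render in the dotted hex form that IOS show output uses."""
    hexed = f"{value:012x}"
    return f"{hexed[:4]}.{hexed[4:8]}.{hexed[8:]}"


def virtual_mac(protocol, group):
    """Virtual MAC an interface will use for a given protocol and group number."""
    base, mask, lowest = PREFIXES[protocol]
    if not lowest <= group <= mask:
        raise ValueError(f"{protocol}: group must be {lowest}..{mask}, got {group}")
    return _int_to_cisco(base | group)


def classify_mac(mac):
    """Return (protocol, group) if the address is a known virtual MAC, else None."""
    value = _mac_to_int(mac)
    for protocol, (base, mask, lowest) in PREFIXES.items():
        if (value & ~mask) == base and (value & mask) >= lowest:
            return protocol, value & mask
    return None


def version_change_allowed(configured_groups, new_version):
    """'standby version' 2 -> 1 is refused when any group is above 255
    (Restrictions above); the reverse direction always fits."""
    _, mask, _ = PREFIXES["hsrp1" if new_version == 1 else "hsrp2"]
    return all(0 <= group <= mask for group in configured_groups)


def unexpected_virtual_macs(arp_entries, expected):
    """Defender check: virtual MACs present in an ARP table for groups nobody
    configured. arp_entries is [(ip, mac)]; expected is a set of (protocol, group)."""
    findings = []
    for ip, mac in arp_entries:
        hit = classify_mac(mac)
        if hit is not None and hit not in expected:
            findings.append((ip, _int_to_cisco(_mac_to_int(mac))) + hit)
    return findings


if __name__ == "__main__":
    # Constructed ARP snapshot: two HSRP v1 groups plus a physical (bia) address.
    arp = [("10.0.0.3", "0000.0c07.ac01"), ("10.0.0.4", "0000.0c07.ac02"),
           ("10.0.0.1", "000a.f3fd.5001")]
    print(virtual_mac("hsrp2", 400))                     # 0000.0c9f.f190
    print(unexpected_virtual_macs(arp, {("hsrp1", 1)}))  # group 2 was never configured
```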
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. standby version {1 | 2}
6. standby [group-number] ip [ip-address [secondary]]
7. end
8. show standby
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface vlan 400
Step 4 ip address ip-address mask Sets an IP address for an interface.
Example:
Router(config-if)# ip address 10.10.28.1 255.255.255.0
Step 5 standby version {1 | 2} Changes the HSRP version.
Example:
Router(config-if)# standby version 2
Step 6 standby [group-number] ip [ip-address [secondary]] Activates HSRP.
• The group number range for HSRP version 2 is expanded to 0 through 4095. The group number range for HSRP version 1 is 0 through 255.
Example:
Router(config-if)# standby 400 ip 10.10.28.5
Step 7 end Ends the current configuration session and returns to
privileged EXEC mode.
Example:
Router(config-if)# end
Step 8 show standby (Optional) Displays HSRP information.
• HSRP version 2 information will be displayed if configured.
Example:
Router# show standby
SSO-aware HSRP alters the behavior of HSRP when a router with redundant Route Processors (RPs) is
configured for Stateful Switchover (SSO) redundancy mode. When an RP is active and the other RP is
standby, SSO enables the standby RP to take over if the active RP fails.
With this functionality, HSRP SSO information is synchronized to the standby RP, allowing traffic that
is sent using the HSRP virtual IP address to be continuously forwarded during a switchover without a
loss of data or a path change. Additionally, if both RPs fail on the active HSRP router, then the standby
HSRP router takes over as the active HSRP router.
The feature is enabled by default when the redundancy mode of operation is set to SSO.
Note You may want to disable SSO-aware HSRP by using the no standby sso command if you have LAN
segments that should switch HSRP traffic to a redundant device while SSO maintains traffic flow for
other connections.
SUMMARY STEPS
1. enable
2. configure terminal
3. redundancy
4. mode sso
5. exit
6. no standby sso
7. standby sso
8. end
DETAILED STEPS
Example:
Router# configure terminal
Step 3 redundancy Enters redundancy configuration mode.
Example:
Router(config)# redundancy
Step 4 mode sso Sets the redundancy mode of operation to SSO.
• After performing this step, HSRP is SSO aware on interfaces that are configured for HSRP and the standby RP is automatically reset.
Example:
Router(config-red)# mode sso
Step 5 exit Exits redundancy configuration mode.
Example:
Router(config-red)# exit
Step 6 no standby sso Disables HSRP SSO mode for all HSRP groups.
Example:
Router(config)# no standby sso
Step 7 standby sso Enables the SSO-aware HSRP feature if you have disabled
the functionality.
Example:
Router(config)# standby sso
Step 8 end Ends the current configuration session and returns to
privileged EXEC mode.
Example:
Router(config)# end
SUMMARY STEPS
1. show standby
2. debug standby events ha
DETAILED STEPS
Ethernet0/0/1 - Group 1
State is Init (standby RP, peer state is Active)
Virtual IP address is 10.1.0.7
Active virtual MAC address is unknown
Local virtual MAC address is 000a.f3fd.5001 (bia)
Hello time 1 sec, hold time 3 sec
Authentication text “authword”
Preemption enabled
Active router is unknown
Standby router is unknown
Priority 110 (configured 120)
Track object 1 state Down decrement 10
IP redundancy name is “name1” (cfgd)
!Active RP
*Apr 27 04:13:47.755: HSRP: Et0/0/1 Grp 101 RF Encode state Listen into sync buffer
*Apr 27 04:13:47.855: HSRP: CF Sync send ok
*Apr 27 04:13:57.755: HSRP: Et0/0/1 Grp 101 RF Encode state Speak into sync buffer
*Apr 27 04:13:57.855: HSRP: CF Sync send ok
*Apr 27 04:14:07.755: HSRP: Et0/0/1 Grp 101 RF Encode state Standby into sync buffer
*Apr 27 04:14:07.755: HSRP: Et0/0/1 Grp 101 RF Encode state Active into sync buffer
*Apr 27 04:14:07.863: HSRP: CF Sync send ok
*Apr 27 04:14:07.867: HSRP: CF Sync send ok
!Standby RP
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server enable traps hsrp
4. snmp-server host host community-string hsrp
DETAILED STEPS
Example:
Router# configure terminal
Step 3 snmp-server enable traps hsrp Enables the router to send SNMP traps and informs, and
HSRP notifications.
Example:
Router(config)# snmp-server enable traps hsrp
Step 4 snmp-server host host community-string hsrp Specifies the recipient of an SNMP notification operation, and that HSRP notifications be sent to the host.
Example:
Router(config)# snmp-server host myhost.comp.com public hsrp
Router A Configuration
interface Ethernet0/0
ip address 10.1.0.21 255.255.0.0
standby 1 priority 110
standby 1 preempt
standby 1 ip 10.1.0.1
standby 2 priority 95
standby 2 preempt
standby 2 ip 10.1.0.2
Router B Configuration
interface Ethernet0/0
ip address 10.1.0.22 255.255.0.0
standby 1 preempt
standby 1 priority 105
standby 1 ip 10.1.0.1
standby 2 priority 110
standby 2 preempt
standby 2 ip 10.1.0.2
Router A Configuration
track 100 interface serial1/0 ip routing
!
interface Ethernet0/0
ip address 10.1.0.21 255.255.0.0
standby 1 preempt
standby 1 priority 110
standby 1 track 100 decrement 10
standby 1 ip 10.1.0.1
Router B Configuration
track 100 interface serial1/0 ip routing
!
interface Ethernet0/0
ip address 10.1.0.22 255.255.0.0
standby 1 preempt
standby 1 priority 105
standby 1 track 100 decrement 10
standby 1 ip 10.1.0.1
interface Ethernet0/1
standby 1 priority 110
standby 1 preempt
standby 1 authentication md5 key-chain hsrp1
standby 1 ip 10.21.0.10
HSRP MD5 Authentication Using Key Strings and Key Chains: Example
The key ID for key-string authentication is always zero. If a key chain is configured with a key ID of
zero, then the following configuration will work:
Router 1
key chain hsrp1
key 0
key-string 54321098452103ab
interface Ethernet0/1
standby 1 authentication md5 key-chain hsrp1
standby 1 ip 10.21.0.10
Router 2
interface Ethernet0/1
standby 1 authentication md5 key-string 54321098452103ab
standby 1 ip 10.21.0.10
[Figure: Router A (E0 10.0.0.1) and Router B (E0 10.0.0.2) serving Client 1 through Client 4]
The following example shows Router A configured as the active router for group 1 with a priority of 110
and Router B configured as the active router for group 2 with a priority of 110. The default priority level
is 100. Group 1 uses a virtual IP address of 10.0.0.3 and Group 2 uses a virtual IP address of 10.0.0.4.
Router A Configuration
hostname RouterA
!
interface ethernet 0
ip address 10.0.0.1 255.255.255.0
standby 1 priority 110
standby 1 preempt
standby 1 ip 10.0.0.3
standby 2 preempt
standby 2 ip 10.0.0.4
Router B Configuration
hostname RouterB
!
interface ethernet 0
ip address 10.0.0.2 255.255.255.0
standby 1 preempt
standby 1 ip 10.0.0.3
standby 2 priority 110
standby 2 preempt
standby 2 ip 10.0.0.4
In the following example, the burned-in address of Token Ring interface 3/0 will be the virtual MAC
address mapped to the virtual IP address:
interface token3/0
standby use-bia
Note You cannot use the standby use-bia command and the standby mac-address command in the same
configuration.
If SSO-aware HSRP is disabled using the no standby sso command, you can reenable it as shown in the
following example:
interface Ethernet1
ip address 10.1.1.1 255.255.0.0
standby priority 200
standby preempt
standby sso
Router A
interface Ethernet1
ip address 10.1.1.1 255.255.0.0
standby priority 200
standby preempt
standby ip 10.1.1.3
snmp-server enable traps hsrp
snmp-server host yourhost.cisco.com public hsrp
Router B
interface Ethernet1
ip address 10.1.1.2 255.255.0.0
standby priority 101
standby ip 10.1.1.3
snmp-server enable traps hsrp
snmp-server host myhost.cisco.com public hsrp
Additional References
The following sections provide references related to HSRP.
Related Documents
Related Topic: HSRP commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Document Title: Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.4
Related Topic: Key chains and key management commands: complete command syntax, command mode, command history, defaults, usage guidelines, and examples
Document Title: Cisco IOS IP Command Reference, Volume 2 of 4: Routing Protocols, Release 12.4
Related Topic: Object tracking
Document Title: “Configuring Enhanced Object Tracking” module
Related Topic: VRRP
Document Title: “Configuring VRRP” module
Standards
Standards: No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
Title: —
MIBs
MIBs: No new MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:
http://www.cisco.com/go/mibs
RFCs
RFC 1828: IP Authentication Using Keyed MD5
RFC 2281: Cisco Hot Standby Router Protocol
Technical Assistance
Description: Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/public/support/tac/home.shtml
Glossary
active router—The primary router in an HSRP group that is currently forwarding packets for the virtual
router.
active RP—The active RP that controls the system, provides network services, runs the routing
protocols, and presents the system management interface.
HSRP—Hot Standby Router Protocol. Protocol that provides high network availability and transparent
network-topology changes. HSRP creates a router group with a lead router that services all packets sent
to the HSRP address. The lead router is monitored by other routers in the group, and if it fails, one of
these standby HSRP routers inherits the lead position and the HSRP group address.
NSF—Nonstop Forwarding. The ability of a router to continue to forward traffic to a router that may be
recovering from a failure. Also, the ability of a router recovering from a failure to continue to correctly
forward traffic sent to it by a peer.
RF—Redundancy Facility. A structured, functional interface used to notify its clients of active and
standby state progressions and events.
RP—Route Processor. A generic term for the centralized control unit in a chassis. Platforms usually use
a platform-specific term, such as RSP on the Cisco 7500, the PRE on the Cisco 10000, or the
SUP+MSFC on the Cisco 7600.
RPR+—An enhanced Route Processor Redundancy (RPR) in which the standby RP is fully initialized.
SSO—Stateful Switchover. SSO refers to the implementation of Cisco IOS software that allows
applications and features to maintain a defined state between an active and standby RP. When a
switchover occurs, forwarding and sessions are maintained. Along with NSF, SSO makes an RP failure
undetectable to the network.
standby group—The set of routers participating in HSRP that jointly emulate a virtual router.
standby router—The backup router in an HSRP group.
standby RP—The backup RP.
switchover—An event in which system control and routing protocol execution are transferred from the
active RP to the standby RP. Switchover may be a manual operation or may be induced by a hardware or
software fault. Switchover may include transfer of the packet forwarding function in systems that
combine system control and packet forwarding in an indivisible unit.
virtual IP address—The default gateway IP address configured for an HSRP group.
Note Refer to Internetworking Terms and Acronyms for terms not included in this glossary.
Cisco IOS software images are specific to a Cisco IOS software release, a feature set, and a platform.
Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image
support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on
Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at
the login dialog box and follow the instructions that appear.
The Virtual Router Redundancy Protocol (VRRP) is an election protocol that dynamically assigns
responsibility for one or more virtual routers to the VRRP routers on a LAN, allowing several routers on
a multiaccess link to utilize the same virtual IP address. A VRRP router is configured to run the VRRP
protocol in conjunction with one or more other routers attached to a LAN. In a VRRP configuration, one
router is elected as the virtual router master, with the other routers acting as backups in case the virtual
router master fails.
Finding Support Information for Platforms and Cisco IOS and Catalyst OS Software Images
Use Cisco Feature Navigator to find information about platform support and Cisco IOS and Catalyst OS
software image support. To access Cisco Feature Navigator, go to http://www.cisco.com/go/cfn. An
account on Cisco.com is not required.
Contents
• Restrictions for VRRP
• Information About VRRP
• How to Configure VRRP
• Configuration Examples for VRRP
• Additional References
• Feature Information for VRRP
VRRP Operation
There are several ways a LAN client can determine which router should be the first hop to a particular
remote destination. The client can use a dynamic process or static configuration. Examples of dynamic
router discovery are as follows:
• Proxy ARP—The client uses Address Resolution Protocol (ARP) to get the destination it wants to
reach, and a router will respond to the ARP request with its own MAC address.
• Routing protocol—The client listens to dynamic routing protocol updates (for example, from
Routing Information Protocol [RIP]) and forms its own routing table.
• IRDP (ICMP Router Discovery Protocol) client—The client runs an Internet Control Message
Protocol (ICMP) router discovery client.
The drawback to dynamic discovery protocols is that they incur some configuration and processing
overhead on the LAN client. Also, in the event of a router failure, the process of switching to another
router can be slow.
An alternative to dynamic discovery protocols is to statically configure a default router on the client.
This approach simplifies client configuration and processing, but creates a single point of failure. If the
default gateway fails, the LAN client is limited to communicating only on the local IP network segment
and is cut off from the rest of the network.
VRRP can solve the static configuration problem. VRRP enables a group of routers to form a single
virtual router. The LAN clients can then be configured with the virtual router as their default gateway.
The virtual router, representing a group of routers, is also known as a VRRP group.
VRRP is supported on Ethernet, Fast Ethernet, BVI, and Gigabit Ethernet interfaces, and on MPLS
VPNs and VLANs.
Figure 12 shows a LAN topology in which VRRP is configured. In this example, Routers A, B, and C
are VRRP routers (routers running VRRP) that comprise a virtual router. The IP address of the virtual
router is the same as that configured for the Ethernet interface of Router A (10.0.0.1).
[Figure 12: Routers A, B, and C form a virtual router (10.0.0.1) serving Client 1, Client 2, and Client 3]
Because the virtual router uses the IP address of the physical Ethernet interface of Router A, Router A
assumes the role of the virtual router master and is also known as the IP address owner. As the virtual
router master, Router A controls the IP address of the virtual router and is responsible for forwarding
packets sent to this IP address. Clients 1 through 3 are configured with the default gateway IP address
of 10.0.0.1.
Routers B and C function as virtual router backups. If the virtual router master fails, the router
configured with the higher priority will become the virtual router master and provide uninterrupted
service for the LAN hosts. When Router A recovers, it becomes the virtual router master again. For more
detail on the roles that VRRP routers play and what happens if the virtual router master fails, see the
“VRRP Router Priority and Preemption” section later in this document.
Figure 13 shows a LAN topology in which VRRP is configured so that Routers A and B share the traffic
to and from clients 1 through 4 and that Routers A and B act as virtual router backups to each other if
either router fails.
[Figure 13: Router A (10.0.0.1) is master for virtual router 1 and backup for virtual router 2; Router B (10.0.0.2) is backup for virtual router 1 and master for virtual router 2. Clients 1 and 2 use default gateway 10.0.0.1; Clients 3 and 4 use default gateway 10.0.0.2.]
In this topology, two virtual routers are configured. (For more information, see the “Multiple Virtual
Router Support” section later in this document.) For virtual router 1, Router A is the owner of IP address
10.0.0.1 and virtual router master, and Router B is the virtual router backup to Router A. Clients 1 and
2 are configured with the default gateway IP address of 10.0.0.1.
For virtual router 2, Router B is the owner of IP address 10.0.0.2 and virtual router master, and Router A
is the virtual router backup to Router B. Clients 3 and 4 are configured with the default gateway IP
address of 10.0.0.2.
VRRP Benefits
Redundancy
VRRP enables you to configure multiple routers as the default gateway router, which reduces the
possibility of a single point of failure in a network.
Load Sharing
You can configure VRRP in such a way that traffic to and from LAN clients can be shared by multiple
routers, thereby sharing the traffic load more equitably among available routers.
Multiple IP Addresses
The virtual router can manage multiple IP addresses, including secondary IP addresses. Therefore, if you
have multiple subnets configured on an Ethernet interface, you can configure VRRP on each subnet.
Preemption
The redundancy scheme of VRRP enables you to preempt a virtual router backup that has taken over for
a failing virtual router master with a higher priority virtual router backup that has become available.
Authentication
VRRP message digest 5 (MD5) algorithm authentication protects against VRRP-spoofing software and
uses the industry-standard MD5 algorithm for improved reliability and security.
Advertisement Protocol
VRRP uses a dedicated Internet Assigned Numbers Authority (IANA) standard multicast address
(224.0.0.18) for VRRP advertisements. This addressing scheme minimizes the number of routers that
must service the multicasts and allows test equipment to accurately identify VRRP packets on a segment.
The IANA assigned VRRP the IP protocol number 112.
VRRP Advertisements
The virtual router master sends VRRP advertisements to other VRRP routers in the same group. The
advertisements communicate the priority and state of the virtual router master. The VRRP
advertisements are encapsulated in IP packets and sent to the IP Version 4 multicast address assigned to
the VRRP group. The advertisements are sent every second by default; the interval is configurable.
Customizing VRRP
Perform this task to customize VRRP.
Customizing the behavior of VRRP is optional. Be aware that as soon as you enable a VRRP group, that
group is operating. It is possible that if you first enable a VRRP group before customizing VRRP, the
router could take over control of the group and become the virtual router master before you have finished
customizing the feature. Therefore, if you plan to customize VRRP, it is a good idea to do so before
enabling VRRP.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. vrrp group description text
6. vrrp group priority level
7. vrrp group preempt [delay minimum seconds]
8. vrrp group timers advertise [msec] interval
9. vrrp group timers learn
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Enters interface configuration mode.
Example:
Router(config)# interface ethernet 0
Step 4 ip address ip-address mask Configures an IP address for an interface.
Example:
Router(config-if)# ip address 172.16.6.5 255.255.255.0
Step 5 vrrp group description text Assigns a text description to the VRRP group.
Example:
Router(config-if)# vrrp 10 description working-group
Step 6 vrrp group priority level Sets the priority level of the router within a VRRP group.
• The default priority is 100.
Example:
Router(config-if)# vrrp 10 priority 110
Step 7 vrrp group preempt [delay minimum seconds] Configures the router to take over as virtual router master for a VRRP group if it has a higher priority than the current virtual router master.
• The default delay period is 0 seconds.
• The router that is IP address owner will preempt, regardless of the setting of this command.
Example:
Router(config-if)# vrrp 10 preempt delay minimum 380
Step 8 vrrp group timers advertise [msec] interval Configures the interval between successive advertisements by the virtual router master in a VRRP group.
• The unit of the interval is in seconds unless the msec keyword is specified. The default interval value is 1 second.
Note All routers in a VRRP group must use the same timer values. If the same timer values are not set, the routers in the VRRP group will not communicate with each other and any misconfigured router will change its state to master.
Example:
Router(config-if)# vrrp 10 timers advertise 110
Step 9 vrrp group timers learn Configures the router, when it is acting as virtual router
backup for a VRRP group, to learn the advertisement
interval used by the virtual router master.
Example:
Router(config-if)# vrrp 10 timers learn
Enabling VRRP
Perform this task to enable VRRP.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. vrrp group ip ip-address [secondary]
6. end
7. show vrrp [brief | group]
8. show vrrp interface type number [brief]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Enters interface configuration mode.
Example:
Router(config)# interface ethernet 0
Step 4 ip address ip-address mask Configures an IP address for an interface.
Example:
Router(config-if)# ip address 172.16.6.5 255.255.255.0
Step 5 vrrp group ip ip-address [secondary] Enables VRRP on an interface.
• After you identify a primary IP address, you can use the vrrp ip command again with the secondary keyword to indicate additional IP addresses supported by this group.
Note All routers in the VRRP group must be configured with the same primary address for the virtual router. If different primary addresses are configured, the routers in the VRRP group will not communicate with each other and any misconfigured router will change its state to master.
Example:
Router(config-if)# vrrp 10 ip 172.16.6.1
Step 6 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 7 show vrrp [brief | group] (Optional) Displays a brief or detailed status of one or all VRRP groups on the router.
Example:
Router# show vrrp 10
Step 8 show vrrp interface type number [brief] (Optional) Displays the VRRP groups and their status on a specified interface.
Example:
Router# show vrrp interface ethernet 0
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask
5. vrrp group shutdown
DETAILED STEPS
Example:
Router# configure terminal
Step 3 interface type number Enters interface configuration mode.
Example:
Router(config)# interface ethernet 0
Step 4 ip address ip-address mask Configures an IP address for an interface.
Example:
Router(config-if)# ip address 172.16.6.5 255.255.255.0
Step 5 vrrp group shutdown Disables VRRP on an interface.
• The command is now visible on the router.
Note You can have one VRRP group disabled, while retaining its configuration, and a different VRRP group enabled.
Example:
Router(config-if)# vrrp 10 shutdown
Restrictions
If a VRRP group is the IP address owner, its priority is fixed at 255 and cannot be reduced through object
tracking.
SUMMARY STEPS
1. enable
2. configure terminal
3. track object-number interface type number {line-protocol | ip routing}
4. interface type number
5. vrrp group ip ip-address
6. vrrp group priority level
7. vrrp group track object-number [decrement priority]
8. end
9. show track [object-number]
DETAILED STEPS
Example:
Router# configure terminal
Step 3 track object-number interface type number {line-protocol | ip routing} Configures an interface to be tracked where changes in the state of the interface affect the priority of a VRRP group.
• This command configures the interface and corresponding object number to be used with the vrrp track command.
• The line-protocol keyword tracks whether the interface is up. The ip routing keyword also checks that IP routing is enabled and active on the interface.
• You can also use the track ip route command to track the reachability of an IP route or a metric type object.
Example:
Router(config)# track 2 interface serial 6 line-protocol
Step 4 interface type number Enters interface configuration mode.
Example:
Router(config)# interface Ethernet 2
Step 5 vrrp group ip ip-address Enables VRRP on an interface and identifies the IP address
of the virtual router.
Example:
Router(config-if)# vrrp 1 ip 10.0.1.20
Step 6 vrrp group priority level Sets the priority level of the router within a VRRP group.
Example:
Router(config-if)# vrrp 1 priority 120
Step 7 vrrp group track object-number [decrement priority] Configures VRRP to track an object.
Example:
Router(config-if)# vrrp 1 track 2 decrement 15
Step 8 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
Step 9 show track [object-number] Displays tracking information.
Example:
Router# show track 1
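The election rules scattered across this and the preceding tasks (default priority 100, preempt only when configured, the IP address owner always preempting, tracked objects decrementing priority, and the owner's priority fixed at 255 beyond the reach of tracking) combine in ways that are easy to get wrong. The following Python model is an added example, not part of this guide; the routers are constructed to match Figure 12, the tie-break on the higher interface address and the priority floor of 1 are assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address

DEFAULT_PRIORITY = 100   # "The default priority is 100."
OWNER_PRIORITY = 255     # IP address owner: fixed at 255, not reducible by tracking


@dataclass
class VrrpRouter:
    name: str
    interface_ip: str      # address configured on the interface running VRRP
    virtual_ip: str        # the group's virtual IP address
    priority: int = DEFAULT_PRIORITY
    preempt: bool = False  # "vrrp group preempt" configured
    tracks: dict = field(default_factory=dict)      # object number -> decrement
    down_objects: set = field(default_factory=set)  # tracked objects currently down

    @property
    def is_owner(self):
        return ip_address(self.interface_ip) == ip_address(self.virtual_ip)

    def effective_priority(self):
        """Configured priority minus the decrement of every tracked object that
        is down, except for the owner, whose 255 cannot be reduced."""
        if self.is_owner:
            return OWNER_PRIORITY
        decrement = sum(d for obj, d in self.tracks.items() if obj in self.down_objects)
        return max(1, self.priority - decrement)   # floor of 1 is an assumption

    def will_preempt(self):
        # "The router that is IP address owner will preempt, regardless of the
        # setting of this command."
        return self.is_owner or self.preempt


def elect_master(routers, current_master=None):
    """Name of the router that should be virtual router master, given the routers
    that are up and (optionally) the name of the one that is currently master."""
    alive = {r.name: r for r in routers}
    # Tie-break on the higher interface address is assumed (RFC 3768 behaviour).
    best = max(alive.values(),
               key=lambda r: (r.effective_priority(), ip_address(r.interface_ip)))
    if current_master not in alive:
        return best.name        # no master, or the master failed: highest priority wins
    incumbent = alive[current_master]
    if best.effective_priority() > incumbent.effective_priority() and best.will_preempt():
        return best.name        # a higher-priority router takes over only if it preempts
    return incumbent.name


if __name__ == "__main__":
    # Constructed to match Figure 12: A owns 10.0.0.1, B and C are backups.
    a = VrrpRouter("A", "10.0.0.1", "10.0.0.1")
    b = VrrpRouter("B", "10.0.0.2", "10.0.0.1", priority=110, preempt=True,
                   tracks={2: 15})
    c = VrrpRouter("C", "10.0.0.3", "10.0.0.1", priority=105)
    print(elect_master([a, b, c]))        # A
    print(elect_master([b, c], "A"))      # B: A failed
    b.down_objects.add(2)                 # B's tracked object goes down: 110 -> 95
    print(elect_master([b, c], "B"))      # B: C is higher but does not preempt
    print(elect_master([a, b, c], "B"))   # A: the owner always preempts
```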
Restrictions
Interoperability with vendors that may have implemented the RFC 2338 method is not enabled.
Text authentication cannot be combined with MD5 authentication for a VRRP group at any one time.
When MD5 authentication is configured, the text authentication field in VRRP hello messages is set to
all zeroes on transmit and ignored on receipt, provided the receiving router also has MD5 authentication
enabled.
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. vrrp group priority priority
6. vrrp group authentication md5 key-string [0 | 7] key-string [timeout seconds]
7. vrrp group ip [ip-address [secondary]]
8. Repeat Steps 1 through 7 on each router that will communicate.
9. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 4 ip address ip-address mask [secondary] Specifies a primary or secondary IP address for an
interface.
Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Step 5 vrrp group priority priority Configures VRRP priority.
Example:
Router(config-if)# vrrp 1 priority 110
Step 6 vrrp group authentication md5 key-string [0 | 7] key-string [timeout seconds] Configures an authentication string for VRRP MD5 authentication.
• The key argument can be up to 64 characters in length and it is recommended that at least 16 characters be used.
• No prefix to the key argument or specifying 0 means the key will be unencrypted.
• Specifying 7 means the key will be encrypted. The key-string authentication key will automatically be encrypted if the service password-encryption global configuration command is enabled.
• The timeout value is the period of time that the old key string will be accepted to allow configuration of all routers in a group with a new key.
Note All routers within the VRRP group must be configured with the same authentication string. If the same authentication string is not configured, the routers in the VRRP group will not communicate with each other and any misconfigured router will change its state to master.
Example:
Router(config-if)# vrrp 1 authentication md5 key-string d00b4r987654321a timeout 30
Step 7 vrrp group ip [ip-address [secondary]] Enables VRRP on an interface and identifies the IP
address of the virtual router.
Example:
Router(config-if)# vrrp 1 ip 10.0.0.3
Step 8 Repeat Steps 1 through 7 on each router that will communicate. —
Step 9 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
SUMMARY STEPS
1. enable
2. configure terminal
3. key chain name-of-chain
4. key key-id
5. key-string string
6. exit
7. interface type number
8. ip address ip-address mask [secondary]
9. vrrp group priority priority
10. vrrp group authentication md5 key-chain key-chain
11. vrrp group ip [ip-address [secondary]]
12. Repeat steps 1 through 11 on each router that will communicate.
13. end
DETAILED STEPS
Command Purpose
Step 1 enable Enables privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal Enters global configuration mode.
Example:
Router# configure terminal
Step 3 key chain name-of-chain Enables authentication for routing protocols and
identifies a group of authentication keys.
Example:
Router(config)# key chain vrrp1
Step 4 key key-id Identifies an authentication key on a key chain.
• The key-id must be a number.
Example:
Router(config-keychain)# key 100
Step 5 key-string string Specifies the authentication string for a key.
• The string can be 1 to 80 uppercase or lowercase alphanumeric characters; the first character cannot be a number.
Example:
Router(config-keychain-key)# key-string mno172
Step 6 exit Returns to global configuration mode.
Example:
Router(config-keychain-key)# exit
Step 7 interface type number Configures an interface type and enters interface
configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 8 ip address ip-address mask [secondary] Specifies a primary or secondary IP address for an
interface.
Example:
Router(config-if)# ip address 10.21.8.32 255.255.255.0
Step 9 vrrp group priority priority Configures VRRP priority.
Example:
Router(config-if)# vrrp 1 priority 110
Step 10 vrrp group authentication md5 key-chain key-chain Configures an authentication MD5 key chain for VRRP MD5 authentication.
• The key chain name must match the name specified in Step 3.
Example:
Router(config-if)# vrrp 1 authentication md5 key-chain vrrp1
Note All routers within the VRRP group must be
configured with the same authentication
string. If the same authentication string is
not configured, the routers in the VRRP
group will not communicate with each
other and any misconfigured router will
change its state to master.
Step 11 vrrp group ip [ip-address [secondary]] Enables VRRP on an interface and identifies the IP
address of the virtual router.
Example:
Router(config-if)# vrrp 1 ip 10.21.8.12
Step 12 Repeat Steps 1 through 11 on each router that will communicate. —
Step 13 end Returns to privileged EXEC mode.
Example:
Router(config-if)# end
SUMMARY STEPS
1. show vrrp
2. debug vrrp authentication
DETAILED STEPS
Step 1 show vrrp
Use this command to verify the authentication type, key string, and timeout configured for a VRRP group:
Router# show vrrp
Ethernet0/1 - Group 1
State is Master
Virtual IP address is 10.21.0.10
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption is enabled
min delay is 0.000 sec
Priority is 100
Authentication MD5, key-string “f00d4s”, timeout 30 secs
Master Router is 10.21.0.1 (local), priority is 100
Master Advertisement interval is 1.000 sec
Master Down interval is 3.609 sec
This output shows that MD5 authentication is configured and the f00d4s key string is used. The timeout
value is set at 30 seconds.
Step 2 debug vrrp authentication
Use this command to verify that both routers have authentication configured, that the MD5 key ID is the
same on each router, and that the MD5 key strings are the same on each router:
Router# debug vrrp authentication
VRRP: Grp 1 Advertisement from 10.24.1.1 has incorrect authentication type 0 expected 254
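The check behind the debug line above (the authentication type carried in a received advertisement compared with the type the interface expects), as an added Python example that is not Cisco code: it parses an RFC 2338 advertisement, verifies the header checksum, reports a type mismatch in the same form as the debug output, and computes the Master Down interval that show vrrp prints. The value 254 for the MD5 key-chain scheme comes from the debug line; the digest format itself is not modelled, so trailing authentication bytes are treated as opaque, and every packet here is constructed.

```python
"""RFC 2338 VRRP advertisement parsing with the authentication-type check.

Added example for this guide, not Cisco code.  Assumption: authentication
type 254 stands for the Cisco MD5 key-chain scheme (as the debug output
prints); its digest layout is not modelled.  All sample packets are constructed.
"""
import ipaddress
import struct

VRRP_VERSION = 2
VRRP_TYPE_ADVERTISEMENT = 1
AUTH_NONE, AUTH_SIMPLE_TEXT, AUTH_IP_AH = 0, 1, 2
AUTH_CISCO_MD5 = 254   # value named in the 'debug vrrp authentication' line


def vrrp_checksum(data: bytes) -> int:
    """One's complement of the one's complement sum over the whole VRRP message."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_advertisement(vrid, priority, addrs, auth_type, adver_int=1,
                        auth_data=b"\x00" * 8):
    """Builds a VRRPv2 advertisement; used only to construct sample input."""
    head = struct.pack("!BBBBBBH", (VRRP_VERSION << 4) | VRRP_TYPE_ADVERTISEMENT,
                       vrid, priority, len(addrs), auth_type, adver_int, 0)
    body = b"".join(ipaddress.IPv4Address(a).packed for a in addrs) + auth_data
    return head[:6] + struct.pack("!H", vrrp_checksum(head + body)) + body


def parse_advertisement(pkt: bytes) -> dict:
    """Parses the fixed header and address list; raises ValueError on malformed input."""
    if len(pkt) < 8:
        raise ValueError("truncated VRRP header")
    vt, vrid, prio, count, auth, adver, _csum = struct.unpack("!BBBBBBH", pkt[:8])
    if vt >> 4 != VRRP_VERSION or vt & 0x0F != VRRP_TYPE_ADVERTISEMENT:
        raise ValueError("not a VRRPv2 advertisement")
    if len(pkt) < 8 + 4 * count:
        raise ValueError("address count exceeds packet length")
    if vrrp_checksum(pkt) != 0:          # a correct checksum sums to zero
        raise ValueError("bad checksum")
    addrs = [str(ipaddress.IPv4Address(pkt[8 + 4 * i:12 + 4 * i])) for i in range(count)]
    return {"vrid": vrid, "priority": prio, "auth_type": auth, "adver_int": adver,
            "addresses": addrs, "auth_data": pkt[8 + 4 * count:]}


def is_well_formed(pkt: bytes) -> bool:
    """True when parse_advertisement accepts the packet."""
    try:
        parse_advertisement(pkt)
        return True
    except ValueError:
        return False


def check_advertisement(pkt: bytes, src_ip: str, expected_auth_type: int):
    """None if the authentication type matches, else a debug-style reason string."""
    adv = parse_advertisement(pkt)
    if adv["auth_type"] != expected_auth_type:
        return ("VRRP: Grp %d Advertisement from %s has incorrect authentication "
                "type %d expected %d" % (adv["vrid"], src_ip, adv["auth_type"],
                                         expected_auth_type))
    return None


def master_down_interval(priority: int, adver_int: float = 1.0) -> float:
    """RFC 2338: 3 * Advertisement_Interval + Skew_Time, Skew_Time = (256 - Priority) / 256."""
    return 3 * adver_int + (256 - priority) / 256


# Constructed samples: an unauthenticated advertisement and a text-authenticated one
# using the page's default string "cisco" (padded to the 8-byte field).
SAMPLE_UNAUTH = build_advertisement(1, 100, ["10.21.0.10"], AUTH_NONE)
SAMPLE_TEXT = build_advertisement(1, 100, ["10.0.1.20"], AUTH_SIMPLE_TEXT,
                                  auth_data=b"cisco".ljust(8, b"\x00"))

if __name__ == "__main__":
    print(check_advertisement(SAMPLE_UNAUTH, "10.24.1.1", AUTH_CISCO_MD5))
    print("Master Down interval: %.3f sec" % master_down_interval(100))
```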
SUMMARY STEPS
1. enable
2. configure terminal
3. interface type number
4. ip address ip-address mask [secondary]
5. vrrp group authentication text text-string
6. vrrp group ip ip-address
7. Repeat Steps 1 through 6 on each router that will communicate.
8. end
DETAILED STEPS
Step 1 enable
Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 interface type number
Configures an interface type and enters interface configuration mode.
Example:
Router(config)# interface Ethernet0/1
Step 4 ip address ip-address mask [secondary]
Specifies a primary or secondary IP address for an interface.
Example:
Router(config-if)# ip address 10.0.0.1 255.255.255.0
Step 5 vrrp group authentication text text-string
Authenticates VRRP packets received from other routers in the group.
• If you configure authentication, all routers within the VRRP group must use the same authentication string.
• The default string is cisco.
Note All routers within the VRRP group must be configured with the same authentication string. If the same authentication string is not configured, the routers in the VRRP group will not communicate with each other and any misconfigured router will change its state to master.
Example:
Router(config-if)# vrrp 1 authentication text textstring1
Step 6 vrrp group ip ip-address
Enables VRRP on an interface and identifies the IP address of the virtual router.
Example:
Router(config-if)# vrrp 1 ip 10.0.1.20
Step 7 Repeat Steps 1 through 6 on each router that will communicate.
Step 8 end
Returns to privileged EXEC mode.
Example:
Router(config-if)# end
SUMMARY STEPS
1. enable
2. configure terminal
3. snmp-server enable traps vrrp
4. snmp-server host host community-string vrrp
DETAILED STEPS
Step 1 enable
Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 snmp-server enable traps vrrp
Enables the router to send SNMP VRRP notifications (traps and informs).
Example:
Router(config)# snmp-server enable traps vrrp
Step 4 snmp-server host host community-string vrrp
Specifies the recipient of an SNMP notification operation.
Example:
Router(config)# snmp-server host myhost.comp.com public vrrp
Router A
interface ethernet 1/0
ip address 10.1.0.2 255.0.0.0
vrrp 1 priority 120
vrrp 1 authentication cisco
vrrp 1 timers advertise 3
vrrp 1 timers learn
vrrp 1 ip 10.1.0.10
vrrp 5 priority 100
vrrp 5 timers advertise 30
vrrp 5 timers learn
vrrp 5 ip 10.1.0.50
vrrp 100 timers learn
Router B
interface ethernet 1/0
ip address 10.1.0.1 255.0.0.0
vrrp 1 priority 100
vrrp 1 authentication cisco
vrrp 1 timers advertise 3
vrrp 1 timers learn
vrrp 1 ip 10.1.0.10
vrrp 5 priority 200
vrrp 5 timers advertise 30
vrrp 5 timers learn
vrrp 5 ip 10.1.0.50
vrrp 100 timers learn
no vrrp 100 preempt
vrrp 100 ip 10.1.0.100
no shutdown
Ethernet1/0 - Group 1
State is Master
Virtual IP address is 10.0.0.3
Virtual MAC address is 0000.5e00.0101
Advertisement interval is 1.000 sec
Preemption is enabled
min delay is 0.000 sec
Priority is 105
Track object 1 state Down decrement 15
Master Router is 10.0.0.2 (local), priority is 105
Master Advertisement interval is 1.000 sec
Master Down interval is 3.531 sec
Track 1
Interface Serial0/1 line-protocol
Line protocol is Down (hw down)
1 change, last change 00:06:53
Tracked by:
VRRP Ethernet1/0 1
In this example, VRRP queries the key chain to obtain the current live key and key ID for the specified
key chain.
interface ethernet0/2
ip address 10.168.42.1 255.255.255.0
vrrp 2 ip 10.168.42.254
Additional References
The following sections provide references related to VRRP.
Related Documents
Related Topic: VRRP commands (complete command syntax, command mode, command history, defaults, usage guidelines, and examples)
Document Title: Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.4
Related Topic: Key chains and key management (complete command syntax, command mode, command history, defaults, usage guidelines, and examples)
Document Title: Cisco IOS IP Command Reference, Volume 2 of 4: Routing Protocols, Release 12.4
Related Topic: Object tracking
Document Title: “Configuring Enhanced Object Tracking” module
Related Topic: HSRP
Document Title: “Configuring HSRP” module
Related Topic: GLBP
Document Title: “Configuring GLBP” module
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
No new MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
RFC 2338: Virtual Router Redundancy Protocol
Technical Assistance
Description: The Cisco Technical Support & Documentation website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/techsupport
Glossary
virtual router—One or more VRRP routers that form a group. The virtual router acts as the default
gateway router for LAN clients. Also known as a VRRP group.
virtual router backup—One or more VRRP routers that are available to assume the role of forwarding
packets if the virtual router master fails.
virtual router master—The VRRP router that is currently responsible for forwarding packets sent to
the IP addresses of the virtual router. Usually the virtual router master also functions as the IP address
owner.
virtual IP address owner—The VRRP router that owns the IP address of the virtual router. The owner
is the router that has the virtual router address as its physical interface address.
VRRP router—A router that is running VRRP.
Note See Internetworking Terms and Acronyms for terms not included in this glossary.
Before the introduction of the Enhanced Object Tracking feature, the Hot Standby Router Protocol
(HSRP) had a simple tracking mechanism that allowed you to track the interface line-protocol state only.
If the line-protocol state of the interface went down, the HSRP priority of the router was reduced,
allowing another HSRP router with a higher priority to become active.
The Enhanced Object Tracking feature separates the tracking mechanism from HSRP and creates a
separate standalone tracking process that can be used by other Cisco IOS processes as well as HSRP.
This feature allows tracking of other objects in addition to the interface line-protocol state.
A client process, such as HSRP, Virtual Router Redundancy Protocol (VRRP), or Gateway Load
Balancing Protocol (GLBP), can now register its interest in tracking objects and then be notified when
the tracked object changes state.
Module History
This module was first published on May 2, 2005, and last updated on May 2, 2005.
Contents
• Information About Enhanced Object Tracking, page 285
• How to Configure Enhanced Object Tracking, page 286
• Configuration Examples for Enhanced Object Tracking, page 303
• Additional References, page 308
• Glossary, page 310
• Feature Information for Enhanced Object Tracking, page 310
SUMMARY STEPS
1. enable
2. configure terminal
3. track timer interface seconds
4. track object-number interface type number line-protocol
5. delay {up seconds [down seconds] | [up seconds] down seconds}
6. end
7. show track object-number
DETAILED STEPS
Step 1 enable
Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 track timer interface seconds
(Optional) Specifies the interval in which the tracking process polls the tracked object.
• The default interval that the tracking process polls interface objects is 1 second.
Example:
Router(config)# track timer interface 5
Step 4 track object-number interface type number line-protocol
Tracks the line-protocol state of an interface and enters tracking configuration mode.
Example:
Router(config)# track 3 interface ethernet 0/1 line-protocol
Step 5 delay {up seconds [down seconds] | [up seconds] down seconds}
(Optional) Specifies a period of time (in seconds) to delay communicating state changes of a tracked object.
Example:
Router(config-track)# delay up 30
Step 6 end
Exits to privileged EXEC mode.
Example:
Router(config-track)# end
Step 7 show track object-number
(Optional) Displays tracking information.
• Use this command to verify the configuration. See the display output in the “Examples” section.
Example:
Router# show track 3
Examples
The following example shows the state of the line protocol on an interface when it is tracked:
Router# show track 3
Track 3
Interface Ethernet0/1 line-protocol
Line protocol is Up
1 change, last change 00:00:05
Tracked by:
HSRP Ethernet0/3 1
The track interface ip routing command supports the tracking of an interface with an IP address
acquired through any of the following methods:
• Conventional IP address configuration
• PPP/IPCP
• DHCP
• Unnumbered interface
SUMMARY STEPS
1. enable
2. configure terminal
3. track timer interface seconds
4. track object-number interface type number ip routing
5. delay {up seconds [down seconds] | [up seconds] down seconds}
6. end
7. show track object-number
DETAILED STEPS
Step 1 enable
Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 track timer interface seconds
(Optional) Specifies the interval in which the tracking process polls the tracked object.
• The default interval that the tracking process polls interface objects is 1 second.
Example:
Router(config)# track timer interface 5
Step 4 track object-number interface type number ip routing
Tracks the IP-routing state of an interface and enters tracking configuration mode.
• IP-route tracking tracks an IP route in the routing table and the ability of an interface to route IP packets.
Example:
Router(config)# track 1 interface ethernet 0/1 ip routing
Step 5 delay {up seconds [down seconds] | [up seconds] down seconds}
(Optional) Specifies a period of time (in seconds) to delay communicating state changes of a tracked object.
Example:
Router(config-track)# delay up 30
Step 6 end
Exits to privileged EXEC mode.
Example:
Router(config-track)# end
Step 7 show track object-number
Displays tracking information.
• Use this command to verify the configuration. See the display output in the “Examples” section.
Example:
Router# show track 1
Examples
The following example shows the state of IP routing on an interface when it is tracked:
Router# show track 1
Track 1
Interface Ethernet0/1 ip routing
IP routing is Up
1 change, last change 00:01:08
Tracked by:
HSRP Ethernet0/3 1
SUMMARY STEPS
1. enable
2. configure terminal
3. track timer ip route seconds
4. track object-number ip route ip-address/prefix-length reachability
5. delay {up seconds [down seconds] | [up seconds] down seconds}
6. ip vrf vrf-name
7. end
8. show track object-number
DETAILED STEPS
Step 1 enable
Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 track timer ip route seconds
(Optional) Specifies the interval in which the tracking process polls the tracked object.
• The default interval that the tracking process polls IP-route objects is 15 seconds.
Example:
Router(config)# track timer ip route 20
Step 4 track object-number ip route ip-address/prefix-length reachability
Tracks the reachability of an IP route and enters tracking configuration mode.
Example:
Router(config)# track 4 ip route 10.16.0.0/16 reachability
Step 5 delay {up seconds [down seconds] | [up seconds] down seconds}
(Optional) Specifies a period of time (in seconds) to delay communicating state changes of a tracked object.
Example:
Router(config-track)# delay up 30
Step 6 ip vrf vrf-name
(Optional) Configures a VPN routing and forwarding (VRF) table.
Example:
Router(config-track)# ip vrf VRF2
Step 7 end
Returns to privileged EXEC mode.
Example:
Router(config-track)# end
Step 8 show track object-number
(Optional) Displays tracking information.
• Use this command to verify the configuration. See the display output in the “Examples” section.
Example:
Router# show track 4
Examples
The following example shows the state of the reachability of an IP route when it is tracked:
Router# show track 4
Track 4
IP route 10.16.0.0 255.255.0.0 reachability
Reachability is Up (RIP)
1 change, last change 00:02:04
For example, a change of 10 in an IS-IS metric results in a change of 1 in the scaled metric. The default
resolutions are designed so that approximately one 2-Mbps link in the path will give a scaled metric of
255.
Scaling the very large metric ranges of EIGRP and IS-IS to a 0 to 255 range is a compromise. The default
resolutions will cause the scaled metric to go above the maximum limit with a 2-Mbps link. However,
this scaling allows a distinction between a route consisting of three Fast-Ethernet links and a route
consisting of four Fast-Ethernet links.
SUMMARY STEPS
1. enable
2. configure terminal
3. track timer ip route seconds
4. track resolution ip route {eigrp resolution-value | isis resolution-value | ospf resolution-value |
static resolution-value}
5. track object-number ip route ip-address/prefix-length metric threshold
6. delay {up seconds [down seconds] | [up seconds] down seconds}
7. ip vrf vrf-name
8. threshold metric {up number down number | up number | down number}
9. end
10. show track object-number
DETAILED STEPS
Step 1 enable
Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 track timer ip route seconds
(Optional) Specifies the interval in which the tracking process polls the tracked object.
• The default interval that the tracking process polls IP-route objects is 15 seconds.
Example:
Router(config)# track timer ip route 20
Step 4 track resolution ip route {eigrp resolution-value | isis resolution-value | ospf resolution-value | static resolution-value}
(Optional) Specifies resolution parameters for a tracked object.
• Use this command to change the default metric resolution values.
Example:
Router(config)# track resolution ip route eigrp 300
Step 5 track object-number ip route ip-address/prefix-length metric threshold
Tracks the scaled metric value of an IP route to determine if it is above or below a threshold.
• The default down value is 255, which equates to an inaccessible route.
• The default up value is 254.
Example:
Router(config)# track 6 ip route 10.16.0.0/16 metric threshold
Step 6 delay {up seconds [down seconds] | [up seconds] down seconds}
(Optional) Specifies a period of time (in seconds) to delay communicating state changes of a tracked object.
Example:
Router(config-track)# delay up 30
Step 7 ip vrf vrf-name
(Optional) Configures a VRF table.
Example:
Router(config-track)# ip vrf VRF1
Step 8 threshold metric {up number down number | up number | down number}
(Optional) Sets a metric threshold other than the default value.
Example:
Router(config-track)# threshold metric up 254 down 255
Step 9 end
Exits to privileged EXEC mode.
Example:
Router(config-track)# end
Step 10 show track object-number
(Optional) Displays tracking information.
• Use this command to verify the configuration. See the display output in the “Examples” section.
Example:
Router# show track 6
Examples
The following example shows the metric threshold of an IP route when it is tracked:
Router# show track 6
Track 6
IP route 10.16.0.0 255.255.0.0 metric threshold
Metric threshold is Up (RIP/6/102)
1 change, last change 00:00:08
Metric threshold down 255 up 254
First-hop interface is Ethernet0/1
Tracked by:
HSRP Ethernet0/3 1
Cisco IOS IP SLAs is a network performance measurement and diagnostics tool that uses active
monitoring. Active monitoring is the generation of traffic in a reliable and predictable manner to measure
network performance. Cisco IOS software uses IP SLAs to collect real-time metrics such as response
time, network resource availability, application performance, jitter (interpacket delay variance), connect
time, throughput, and packet loss.
These metrics can be used for troubleshooting, for proactive analysis before problems occur, and for
designing network topologies.
Every IP SLAs operation maintains an operation return-code value. This return code is interpreted by
the tracking process. The return code can return OK, OverThreshold, and several other return codes.
Different operations can have different return-code values, so only values common to all operation types
are used.
Two aspects of an IP SLAs operation can be tracked: state and reachability. The difference between these
aspects relates to the acceptance of the OverThreshold return code. Table 14 shows the state and
reachability aspects of IP SLAs operations that can be tracked.
SUMMARY STEPS
1. enable
2. configure terminal
3. track object-number rtr operation-number state
4. delay {up seconds [down seconds] | [up seconds] down seconds}
5. end
6. show track object-number
DETAILED STEPS
Step 1 enable
Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 track object-number rtr operation-number state
Tracks the state of an IP SLAs object and enters tracking configuration mode.
Example:
Router(config)# track 2 rtr 4 state
Step 4 delay {up seconds [down seconds] | [up seconds] down seconds}
(Optional) Specifies a period of time (in seconds) to delay communicating state changes of a tracked object.
Example:
Router(config-track)# delay up 60 down 30
Step 5 end
Exits to privileged EXEC mode.
Example:
Router(config-track)# end
Step 6 show track object-number
(Optional) Displays tracking information.
• Use this command to verify the configuration. See the display output in the “Examples” section of this task.
Example:
Router# show track 2
Examples
The following example shows the state of the IP SLAs tracking:
Router# show track 2
Track 2
Response Time Reporter 1 state
State is Down
1 change, last change 00:00:47
Latest operation return code: over threshold
Latest RTT (millisecs) 4
Tracked by:
HSRP Ethernet0/1 3
SUMMARY STEPS
1. enable
2. configure terminal
3. track object-number rtr operation-number reachability
4. delay {up seconds [down seconds] | [up seconds] down seconds}
5. end
6. show track object-number
DETAILED STEPS
Step 1 enable
Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 track object-number rtr operation-number reachability
Tracks the reachability of an IP SLAs IP host and enters tracking configuration mode.
Example:
Router(config)# track 3 rtr 4 reachability
Step 4 delay {up seconds [down seconds] | [up seconds] down seconds}
(Optional) Specifies a period of time (in seconds) to delay communicating state changes of a tracked object.
Example:
Router(config-track)# delay up 30 down 10
Step 5 end
Exits to privileged EXEC mode.
Example:
Router(config-track)# end
Step 6 show track object-number
(Optional) Displays tracking information.
• Use this command to verify the configuration. See the display output in the “Examples” section of this task.
Example:
Router# show track 3
Examples
The following example shows whether the route is reachable:
Router# show track 3
Track 3
Response Time Reporter 1 reachability
Reachability is Up
Note The “not” operator is specified for one or more objects and negates the state of the object.
Prerequisites
An object must exist before it can be added to a tracked list.
SUMMARY STEPS
1. enable
2. configure terminal
3. track track-number list boolean {and | or}
4. object object-number [not]
5. delay {up seconds [down seconds] | [up seconds] down seconds}
6. end
DETAILED STEPS
Step 1 enable
Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 track track-number list boolean {and | or}
Configures a tracked list object and enters tracking configuration mode.
Step 4 object object-number [not]
Specifies the object to be tracked. The optional not keyword negates the state of the object.
Step 5 delay {up seconds [down seconds] | [up seconds] down seconds}
(Optional) Specifies a period of time (in seconds) to delay communicating state changes of a tracked object.
Example:
Router(config-track)# delay up 3
Step 6 end
Returns to privileged EXEC mode.
Example:
Router(config-track)# end
Prerequisites
An object must exist before it can be added to a tracked list.
Restrictions
You cannot use the Boolean “not” operator in a weight or percentage threshold list.
SUMMARY STEPS
1. enable
2. configure terminal
3. track track-number list threshold weight
4. object object-number [weight weight-value]
5. threshold weight {up number down number | up number | down number}
6. delay {up seconds [down seconds] | [up seconds] down seconds}
7. end
DETAILED STEPS
Step 1 enable
Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 track track-number list threshold weight
Configures a tracked list object and enters tracking configuration mode. The keywords are as follows:
• threshold—Specifies that the state of the tracked list is based on a threshold.
• weight—Specifies that the threshold is based on a specified weight.
Example:
Router(config)# track 100 list threshold weight
Step 4 object object-number [weight weight-value]
Specifies the object to be tracked. The object-number argument has a valid range from 1 to 500. There is no default. The optional weight keyword specifies a threshold weight for each object.
Example:
Router(config-track)# object 3 weight 30
Step 5 threshold weight {up number down number | up number | down number}
Specifies the threshold weight. The keywords and arguments are as follows:
• up number—Valid range is from 1 to 255.
• down number—Range depends upon what you select for the up keyword. For example, if you configure 25 for up, you will see a range from 0 to 24 for down.
Example:
Router(config-track)# threshold weight up 30
Step 6 delay {up seconds [down seconds] | [up seconds] down seconds}
(Optional) Specifies a period of time (in seconds) to delay communicating state changes of a tracked object.
Example:
Router(config-track)# delay up 3
Step 7 end
Returns to privileged EXEC mode.
Example:
Router(config-track)# end
Prerequisites
An object must exist before it can be added to a tracked list.
Restrictions
You cannot use the Boolean “not” operator in a weight or percentage threshold list.
SUMMARY STEPS
1. enable
2. configure terminal
3. track track-number list threshold percentage
4. object object-number
5. threshold percentage {up number down number | up number | down number}
6. delay {up seconds [down seconds] | [up seconds] down seconds}
7. end
DETAILED STEPS
Step 1 enable
Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 track track-number list threshold percentage
Configures a tracked list object and enters tracking configuration mode. The keywords are as follows:
• threshold—Specifies that the state of the tracked list is based on a threshold.
• percentage—Specifies that the threshold is based on a percentage.
Example:
Router(config)# track 100 list threshold percentage
Step 4 object object-number
Specifies the object to be tracked. The object-number argument has a valid range from 1 to 500. There is no default.
Example:
Router(config-track)# object 3
Step 5 threshold percentage {up number down number | up number | down number}
Specifies the threshold percentage. The keywords and arguments are as follows:
• up number—Valid range is from 1 to 100.
• down number—Range depends upon what you have selected for the up keyword. For example, if you specify 25 as up, a range from 26 to 100 is displayed for the down keyword.
Example:
Router(config-track)# threshold percentage up 30
Step 6 delay {up seconds [down seconds] | [up seconds] down seconds}
(Optional) Specifies a tracking delay in seconds between up and down states.
Example:
Router(config-track)# delay up 3
Step 7 end
Returns to privileged EXEC mode.
Example:
Router(config-track)# end
SUMMARY STEPS
1. enable
2. configure terminal
3. track track-number
4. default {delay | object object-number | threshold percentage}
5. end
DETAILED STEPS
Step 1 enable
Enables higher privilege levels, such as privileged EXEC mode.
• Enter your password if prompted.
Example:
Router> enable
Step 2 configure terminal
Enters global configuration mode.
Example:
Router# configure terminal
Step 3 track track-number
Enters tracking configuration mode.
Example:
Router(config)# track 3
Step 4 default {delay | object object-number | threshold percentage}
Specifies a default delay value for a tracked list, a default object, and default threshold parameters for a tracked list. The keywords and arguments are as follows:
• delay—Reverts to the default delay.
• object object-number—Specifies a default object for the track list. The valid range is from 1 to 500.
• threshold percentage—Specifies a default threshold percentage.
Example:
Router(config-track)# default delay
Step 5 end
Returns to privileged EXEC mode.
Example:
Router(config-track)# end
Router A Configuration
track 100 interface serial1/0 line-protocol
!
interface Ethernet0/0
ip address 10.1.0.21 255.255.0.0
standby 1 preempt
standby 1 ip 10.1.0.1
standby 1 priority 110
standby 1 track 100 decrement 10
Router B Configuration
track 100 interface serial1/0 line-protocol
!
interface Ethernet0/0
ip address 10.1.0.22 255.255.0.0
standby 1 preempt
standby 1 ip 10.1.0.1
standby 1 priority 105
standby 1 track 100 decrement 10
[Figure: Router A and Router B, each with Ethernet0/0 (e0/0) on network 10.1.0.0 and a tracked Serial1/0 (s1/0) interface]
Router A Configuration
track 100 interface serial1/0 ip routing
!
interface Ethernet0/0
ip address 10.1.0.21 255.255.0.0
standby 1 preempt
standby 1 ip 10.1.0.1
standby 1 priority 110
standby 1 track 100 decrement 10
Router B Configuration
track 100 interface serial1/0 ip routing
!
interface Ethernet0/0
ip address 10.1.0.22 255.255.0.0
standby 1 preempt
standby 1 ip 10.1.0.1
standby 1 priority 105
standby 1 track 100 decrement 10
Router A Configuration
track 100 ip route 10.2.2.0/24 reachability
!
interface Ethernet0/0
ip address 10.1.1.21 255.255.255.0
standby 1 preempt
standby 1 ip 10.1.1.1
standby 1 priority 110
standby 1 track 100 decrement 10
Router B Configuration
track 100 ip route 10.2.2.0/24 reachability
!
interface Ethernet0/0
ip address 10.1.1.22 255.255.255.0
standby 1 preempt
standby 1 ip 10.1.1.1
standby 1 priority 105
standby 1 track 100 decrement 10
Router A Configuration
track 100 ip route 10.2.2.0/24 metric threshold
!
interface Ethernet0/0
ip address 10.1.1.21 255.255.255.0
standby 1 preempt
standby 1 ip 10.1.1.1
standby 1 priority 110
standby 1 track 100 decrement 10
Router B Configuration
track 100 ip route 10.2.2.0/24 metric threshold
!
interface Ethernet0/0
ip address 10.1.1.22 255.255.255.0
standby 1 preempt
standby 1 ip 10.1.1.1
standby 1 priority 105
standby 1 track 100 decrement 10
In the following example, a track list object is configured to track two serial interfaces when either serial
interface is up and when both serial interfaces are down:
track 1 interface serial2/0 line-protocol
track 2 interface serial2/1 line-protocol
The following configuration example shows that tracked list 4 has two objects and one object state is
negated (if the list is up, the list detects that object 2 is down):
track 4 list boolean and
object 1
object 2 not
The above example means that the track-list object goes down only when all three serial interfaces go
down, and only comes up again when at least two serial interfaces are up (since 20+20 >= 40). The
advantage of this configuration is that it prevents the track-list object from coming up if two interfaces
are down and the third interface is flapping.
The following configuration example shows that if object 1 and object 2 are down, then track list 4 is up,
because object 3 satisfies the up threshold value of up 30. But, if object 3 is down, both objects 1 and 2
need to be up in order to satisfy the threshold weight.
track 4 list threshold weight
object 1 weight 15
object 2 weight 20
object 3 weight 30
threshold weight up 30 down 10
This configuration may be useful if you have two low-bandwidth connections (represented by objects 1 and 2)
and one high-bandwidth connection (represented by object 3). The down 10 value means that once the tracked
list is up, it does not go down until the total weight is less than or equal to 10, which in this example
means that all connections are down.
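The tracked-list rules from the Boolean, weight and percentage threshold tasks above, together with the priority decrement that the HSRP and VRRP tracking examples apply, modelled as an added Python example (not Cisco code or configuration from this guide). It assumes a threshold list starts Down, comes Up when its value reaches the up threshold and goes Down again only when the value falls to the down threshold, as the weight example describes; the object states fed in are constructed snapshots, not real interface or route state.

```python
"""Tracked-list evaluation and client priority decrement.

Added example for this guide, not Cisco code.  Assumptions: a threshold list
starts Down; it rises when its value reaches the up threshold and falls when
the value drops to the down threshold (hysteresis as in the weight example);
percentages are truncated to whole percent.  Object states are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# object-number -> True (Up) / False (Down)
States = Dict[int, bool]


@dataclass
class BooleanList:
    """track N list boolean {and | or}, with the optional 'not' per object."""
    operator: str                           # "and" or "or"
    objects: List[Tuple[int, bool]]         # (object-number, negated)

    def evaluate(self, states: States) -> bool:
        terms = [states[num] != negated for num, negated in self.objects]
        return all(terms) if self.operator == "and" else any(terms)


@dataclass
class ThresholdList:
    """track N list threshold {weight | percentage} with up/down thresholds."""
    kind: str                               # "weight" or "percentage"
    up: int
    down: int
    objects: Dict[int, int] = field(default_factory=dict)  # object -> weight
    state: bool = False                     # assumed initial state: Down

    def value(self, states: States) -> int:
        up_objs = [n for n in self.objects if states[n]]
        if self.kind == "weight":
            return sum(self.objects[n] for n in up_objs)
        return 100 * len(up_objs) // len(self.objects) if self.objects else 0

    def update(self, states: States) -> bool:
        v = self.value(states)
        if not self.state and v >= self.up:     # value reaches the up threshold
            self.state = True
        elif self.state and v <= self.down:     # value drops to the down threshold
            self.state = False
        return self.state

    def walk(self, snapshots: List[States]) -> List[bool]:
        """Feeds successive snapshots; returns the list state after each one."""
        return [self.update(s) for s in snapshots]


def effective_priority(configured: int, decrements: Dict[int, int],
                       states: States) -> int:
    """'... track <obj> decrement <n>': subtract n for each tracked object that is Down."""
    return configured - sum(dec for obj, dec in decrements.items() if not states[obj])


def page_weight_list() -> ThresholdList:
    """The 'track 4 list threshold weight' configuration shown on the page."""
    return ThresholdList("weight", up=30, down=10, objects={1: 15, 2: 20, 3: 30})


def page_boolean_list() -> BooleanList:
    """The 'track 4 list boolean and / object 1 / object 2 not' configuration."""
    return BooleanList("and", [(1, False), (2, True)])


if __name__ == "__main__":
    lst = page_weight_list()
    print(lst.walk([{1: False, 2: False, 3: True},    # 30 >= up 30  -> Up
                    {1: True, 2: True, 3: False},     # 35           -> stays Up
                    {1: False, 2: True, 3: False},    # 20 > down 10 -> stays Up
                    {1: False, 2: False, 3: False}])) # 0 <= down 10 -> Down
    # Router A (priority 110, decrement 10) drops below Router B (105) when
    # tracked object 100 goes Down, so Router B becomes active.
    print(effective_priority(110, {100: 10}, {100: False}))
```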
Additional References
The following sections provide references related to Enhanced Object Tracking.
Related Documents
Related Topic: HSRP concepts and configuration tasks
Document Title: “Configuring HSRP” module
Related Topic: GLBP concepts and configuration tasks
Document Title: “Configuring GLBP” module
Related Topic: VRRP concepts and configuration tasks
Document Title: “Configuring VRRP” module
Related Topic: GLBP, HSRP, and VRRP commands (complete command syntax, command mode, command history, defaults, usage guidelines, and examples)
Document Title: Cisco IOS IP Command Reference, Volume 1 of 4: Addressing and Services, Release 12.4
Standards
No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.
MIBs
No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.
MIBs Link: To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL: http://www.cisco.com/go/mibs
RFCs
No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.
Technical Assistance
Description: Technical Assistance Center (TAC) home page, containing 30,000 pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.
Link: http://www.cisco.com/public/support/tac/home.shtml
Glossary
DHCP—Dynamic Host Configuration Protocol. DHCP is a protocol that delivers IP addresses and
configuration information to network clients.
GLBP—Gateway Load Balancing Protocol. Provides automatic router backup for IP hosts that are
configured with a single default gateway on an IEEE 802.3 LAN. Multiple first-hop routers on the LAN
combine to offer a single virtual first-hop IP router while sharing the IP packet forwarding load. Other
routers on the LAN may act as redundant (GLBP) routers that will become active if any of the existing
forwarding routers fail.
HSRP—Hot Standby Router Protocol. Provides high network availability and transparent network
topology changes. HSRP creates a Hot Standby router group with a lead router that services all packets
sent to the Hot Standby address. The lead router is monitored by other routers in the group and, if it fails,
one of these standby routers inherits the lead position and the Hot Standby group address.
IPCP—IP Control Protocol. The protocol used to establish and configure IP over PPP.
LCP—Link Control Protocol. The protocol used to establish, configure, and test data-link connections
for use by PPP.
PPP—Point-to-Point Protocol. Provides router-to-router and host-to-network connections over
synchronous and asynchronous circuits. PPP is most commonly used for dial-up Internet access. Its
features include address notification, authentication via CHAP or PAP, support for multiple protocols,
and link monitoring.
VRF—VPN routing and forwarding instance. A VRF consists of an IP routing table, a derived
forwarding table, a set of interfaces that use the forwarding table, and a set of rules and routing protocols
that determine what goes into the forwarding table. In general, a VRF includes the routing information
that defines a customer VPN site that is attached to a provider edge router.
VRRP—Virtual Router Redundancy Protocol. Eliminates the single point of failure inherent in the static
default routed environment. VRRP specifies an election protocol that dynamically assigns responsibility
for a virtual router to one of the VRRP routers on a LAN. The VRRP router that controls the IP addresses
associated with a virtual router is called the master, which forwards packets sent to these IP addresses.
The election process provides dynamic failover in the forwarding responsibility should the master
become unavailable. Any of the virtual router IP addresses on a LAN can then be used as the default
first-hop router by end hosts.
Note Refer to Internetworking Terms and Acronyms for terms not included in this glossary.