To enter home agent configuration mode, use the ipv6mobilehome-agentcommand in global configuration mode. To reset to the default settings of the command, use the no form of this command.
ipv6mobilehome-agent
noipv6mobilehome-agent
Syntax Description
This command has no arguments or keywords.
Command Default
Mobile IPv6 home agent is disabled.
Command Modes
Global configuration
Command History
Release
Modification
12.3(14)T
This command was introduced.
Usage Guidelines
Use the ipv6mobilehome-agent command to enter home agent configuration mode. Once in home agent configuration mode, you can configure binding parameters using the binding command. Once an interface is configured to provide the home-agent service, the ipv6mobilehome-agentglobal configuration command automatically appears in the global configuration.
The home agent service needs to be started on each interface using the ipv6mobilehome-agentcommand in interface configuration mode. The ipv6mobilehome-agentcommand in global configuration mode does not start home agent service on an interface.
Examples
In the following example, the user enters home agent configuration mode:
Router(config)# ipv6 mobile home-agent
Router(config-ha)#
Related Commands
Command
Description
binding
Configures binding options for the Mobile IPv6 home agent feature in home agent configuration mode.
ipv6mobilehome-agent(interfaceconfiguration)
Initializes and starts the Mobile IPv6 home agent on a specific interface.
showipv6mobileglobals
Displays global Mobile IPv6 parameters.
ipv6 mobile home-agent (interface configuration)
To initialize and start the Mobile IPv6 home agent on a specific interface, use the ipv6mobilehome-agentcommand in interface configuration mode. To discard bindings and any interface parameter settings, and to terminate home agent operation on a specific interface, use the no form of this command.
(Optional) Configures the Mobile IPv6 home agent preference value on a specified interface. The preference-value argument is an integer to be configured for preference in the home agent information option. The range is from 0 to 65535. The default preference value is 0.
Command Default
Mobile IPv6 home agent is disabled.
The default preference value is 0.
Command Modes
Interface configuration
Command History
Release
Modification
12.3(14)T
This command was introduced.
Usage Guidelines
Before you enable the ipv6mobilehome-agent (interface configuration) command on an interface, you should configure common parameters using the binding command. Once an interface is configured to run the home agent feature, the ipv6mobilehome-agentcommand in global configuration mode automatically appears in the global configuration.
Once enabled, the ipv6mobilehome-agent(interface configuration) command cannot be disabled if there is a home agent configured on at least one of the interfaces. If there is no home agent service on any interfaces, the no form of the command disables home agent capability from the router.
To configure the home agent preference value, use the optional preferencepreference-value keyword and argument. A preference value is a 16-bit signed integer used by the home agent sending a router advertisement. The preference value orders the addresses returned to the mobile node in the home agent addresses field of a home agent address discovery reply message. The higher the preference value, the more preferable is the home agent.
If a preference value is not included in a router advertisement, the default value is 0. Values greater than 0 indicate a home agent more preferable than this default value.
Examples
In the following example, the user initializes and starts Mobile IPv6 agent on Ethernet interface 2:
Router(config)# interface Ethernet 2
Router(config-if)# ipv6 mobile home-agent
In the following example, the home agent preference value is set to 10:
Router(config-if)# ipv6 mobile home-agent preference 10
Related Commands
Command
Description
binding
Configures binding options for the Mobile IPv6 home agent feature in home agent configuration mode.
ipv6mobilehome-agent(globalconfiguration)
Enters home agent configuration mode.
showipv6mobileglobals
Displays global Mobile IPv6 parameters.
ipv6 mobile router
To enable IPv6 network mobility (NEMO) functionality on a router and place the router in IPv6 mobile router configuration mode, use the ipv6mobilerouter command in global configuration mode. To disable NEMO functionality on the router, use the no form of the command.
ipv6mobilerouter
noipv6mobilerouter
Syntax Description
This command has no arguments or keywords.
Command Default
NEMO functionality is not enabled.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
The mobile router is a router that operates as a mobile node. The mobile router can roam from its home network and still provide connectivity for devices on its networks. The mobile networks are locally attached to the router.
Examples
In the following example, the mobile router is enabled:
Router(config)# ipv6 mobile router
ipv6 mobile router-service roam
To enable the IPv6 mobile router interface to roam, use the ipv6mobilerouter-serviceroam command in interface configuration mode. To disable roaming, use the no form of this command.
(Optional) Enables the mobile router to use the largest configured lifetime value.
cost-efficient
(Optional) Prevents a binding update unless a dialup link is up and a valid care-of address is available.
priorityvalue
(Optional) Priority value that is compared among multiple configured interfaces to select the interface in which to send the registration request. When multiple interfaces have highest priority, the highest bandwidth is the preferred choice. When multiple interfaces have the same bandwidth, the interface with the highest IPv6 address is preferred. The range is from 0 to 255; the default is 100. Lower values equate to a higher priority.
Command Default
Roaming is not enabled.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
The mobile router discovers home agents and foreign agents by receiving agent advertisements.
The bandwidth-efficient keyword enables the mobile router to use the largest configured lifetime value, even when the home agent recommends a shorter lifetime in a binding refresh advice message. This option can be used when the bandwidth is expensive.
Examples
The following example shows how to enable roaming for the IPv6 mobile router interface:
Router(config-if)# ipv6 mobile router-service roam
Related Commands
Command
Description
showipv6mobilerouter
Displays configuration information and monitoring statistics about the IPv6 mobile router.
ipv6 mtu
To set the maxi
mum transmission unit (MTU) size of IPv6 packets sent on an interface, use the ipv6mtucommand in interface configuration mode. To restore the default MTU size, use the no form of this command.
ipv6mtubytes
noipv6mtubytes
Syntax Description
bytes
MTU (in bytes).
Command Default
The default value depends on the interface medium, but the minimum for any interface is 1280 bytes.
Command Modes
Interface configuration
Command History
Release
Modification
12.2(2)T
This command was introduced.
12.0(21)ST
This command was integrated into Cisco IOS Release 12.0(21)ST.
12.0(22)S
This command was integrated into Cisco IOS Release 12.0(22)S.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Usage Guidelines
If a nondefault value is configured for an interface, an MTU option is included in router advertisements.
IPv6 routers do not fragment forwarded IPv6 packets. Traffic originating from IPv6 routers may be fragmented.
All devices on a physical medium must have the same protocol MTU in order to operate.
In addition to the "IPv6 MTU value" (set by using the ipv6 mtu command), interfaces also have a nonprotocol specific "MTU value," which is set by using the mtu interface configuration command.
Note
The "MTU value" configured by using the mtu interface configuration command must not be less than 1280 bytes.
Examples
The following example sets the maximum IPv6 packet size for serial interface 0/1 to 2000 bytes:
Router(config)# interface serial 0/1
Router(config-if)# ipv6 mtu 2000
Related Commands
Command
Description
showipv6interface
Displays the usability status of interfaces configured for IPv6.
ipv6 multicast aaa account receive
To enable authentication, authorization, and accounting (AAA) accounting on specified groups or channels, use the ipv6multicastaaaaccountreceivecommand in interface configuration mode. To disable AAA accounting, use the no form of this command.
Access list to specify which groups or channels are to have AAA accounting enabled.
throttle
(Optional) Limits the number of records sent during channel surfing. No record is sent if a channel is viewed for less than a specified, configurable period of time.
throttle-number
(Optional) Throttle or surfing interval, in seconds.
Command Default
No AAA accounting is performed on any groups or channels.
Command Modes
Interface configuration
Command History
Release
Modification
12.4(4)T
This command was introduced.
Usage Guidelines
Note
Including information about IPv6 addresses in accounting and authorization records transmitted between the router and the RADIUS or TACACS+ server is supported. However, there is no support for using IPv6 to communicate with that server. The server must have an IPv4 address.
Use the ipv6multicastaaaaccountreceivecommand to enable AAA accounting on specific groups or channels and to set throttle interval limits on records sent during channel surfing.
Examples
The following example enables AAA accounting using an access list named list1:
Enables AAA accounting of IPv6 multicast services for billing or security purposes when you use RADIUS.
ipv6 multicast boundary scope
To configure a multicast boundary on the interface for a specified scope, use the ipv6multicastboundaryscopecommand in interface configuration mode. To disable this feature, use the no form of this command.
ipv6multicastboundaryscopescope-value
noipv6multicastboundaryscopescope-value
Syntax Description
scope-value
The scope value can be one of the following:
Link-local address
Subnet-local address
Admin-local address
Site-local address
Organization-local
Virtual Private Network (VPN)
Scope number, which is from 2 through 15
Command Default
Multicast boundary is not configured on the interface.
Command Modes
Interface configuration
Command History
Release
Modification
12.3(14)T
This command was introduced.
12.2(18)SXE
This command was integrated into Cisco IOS Release 12.2(18)SXE.
Usage Guidelines
If the ipv6multicastboundaryscopecommand is configured for a particular scope on the Reverse Path Forwarding (RPF) interface, then packets are not accepted on that interface for groups that belong to scopes that are less than or equal to the one configured. Protocol Independent Multicast (PIM) join/prune messages for those groups are not sent on the RPF interface. The effect of the scope can be verified by checking the output of the showipv6mribroute command. The output will not show the RPF interface with Accept flag.
If the ipv6multicastboundaryscopecommand is configured for a particular scope on an interface in the outgoing interface list, packets are not forwarded for groups that belong to scopes that are less than or equal to the one configured.
Protocol Independent Multicast (PIM) join/prune (J/P) messages are not processed when received on the interface for groups that belong to scopes that are less than or equal to the one configured. Registers and bootstrap router (BSR) messages are also filtered on the boundary.
Examples
The following example sets the scope value to be a scope number of 6:
ipv6 multicast boundary scope 6
Related Commands
Command
Description
ipv6pimbsrcandidatebsr
Configures a router to be a candidate BSR.
ipv6pimbsrcandidaterp
Configures the candidate RP to send PIM RP advertisements to the BSR.
showipv6mribroute
Displays the MRIB route information.
ipv6 multicast group-range
To disable multicast protocol actions and traffic forwarding for unauthorized groups or channels on all the interfaces in a router, use the ipv6multicastgroup-rangecommand in global configuration mode. To return to the command’s default settings, use the no form of this command.
(Optional) Specifies a virtual routing and forwarding (VRF) configuration.
access-list-name
(Optional) Name of an access list that contains authenticated subscriber groups and authorized channels that can send traffic to the router.
Command Default
Multicast is enabled for groups and channels permitted by a specified access list and disabled for groups and channels denied by a specified access list.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.4(4)T
This command was introduced.
15.0(1)M
This command was integrated into Cisco IOS Release 15.0(1)M.
12.2(33)SRE
This command was modified. It was integrated into Cisco IOS Release 12.2(33)SRE.
Cisco IOS XE Release 2.6
This command was introduced on Cisco ASR 1000 series routers.
15.1(4)M
The vrfvrf-name keyword and argument were added.
Usage Guidelines
The ipv6multicastgroup-range command provides an access control mechanism for IPv6 multicast edge routing. The access list specified by the access-list-name
argument specifies the multicast groups or channels that are to be permitted or denied. For denied groups or channels, the router ignores protocol traffic and actions (for example, no Multicast Listener Discovery (MLD) states are created, no mroute states are created, no
Protocol Independent Multicast (
PIM) joins are forwarded), and drops data traffic on all interfaces in the system, thus disabling multicast for denied groups or channels.
Using the ipv6multicastgroup-range global configuration command is equivalent to configuring the MLD access control and multicast boundary commands on all interfaces in the system. However, the ipv6multicastgroup-range command can be overridden on selected interfaces by using the following interface configuration commands:
ipv6mldaccess-groupaccess-list-name
ipv6multicastboundaryscopescope-value
Because the noipv6multicastgroup-range command returns the router to its default configuration, existing multicast deployments are not broken.
Examples
The following example ensures that the router disables multicast for groups or channels denied by an access list named list2:
Router(config)# ipv6 multicast group-range list2
The following example shows that the command in the previous example is overridden on an interface specified by int2:
On int2, MLD states are created for groups or channels permitted by int-list2 but are not created for groups or channels denied by int-list2. On all other interfaces, the access-list named list2 is used for access control.
In this example, list2 can be specified to deny all or most multicast groups or channels, and int-list2 can be specified to permit authorized groups or channels only for interface int2.
Related Commands
Command
Description
ipv6mldaccess-group
Performs IPv6 multicast receiver access control.
ipv6multicastboundaryscope
Configures a multicast boundary on the interface for a specified scope.
ipv6 multicast limit
To configure per-interface multicast route (mroute) state limiters in IPv6, use the ipv6multicastlimit command in interface configuration mode. To remove the limit imposed by a per-interface mroute state limiter, use the no form of this command.
(Optional) Limits mroute states created for an Access Control List (ACL)-classified set of multicast traffic on an incoming (Reverse Path Forwarding [RPF]) interface that is directly connected to a multicast source by counting each time that an mroute permitted by the ACL is created or deleted.
rpf
(Optional) Limits the number of mroute states created for an ACL-classified set of multicast traffic on an incoming (RPF) interface by counting each time an mroute permitted by the ACL is created or deleted.
out
(Optional) Limits mroute outgoing interface list membership on an outgoing interface for an ACL-classified set of multicast traffic by counting each time that an mroute list member permitted by the ACL is added or removed.
limit-acl
Name identifying the ACL that defines the set of multicast traffic to be applied to a per-interface mroute state limiter.
max
Maximum number of mroutes permitted by the per interface mroute state limiter. The range is from 0 to 2147483647.
threshold
(Optional) The mCAC threshold percentage.
threshold-value
(Optional) The specified percentage. The threshold notification default is 0%, meaning that threshold notification is disabled.
Command Default
No per-interface mroute state limiters are configured.
Threshold notification is set to 0%; that is, it is disabled.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.2(33)SRE
This command was introduced.
Cisco IOS XE Release 2.6
This command was introduced on Cisco ASR 1000 series routers.
Usage Guidelines
Use the ipv6multicastlimit command to configure mroute state limiters on an interface.
For the required limit-acl argument, specify the ACL that defines the IPv6 multicast traffic to be limited on an interface. A standard or extended ACL can be specified.
The ipv6multicastlimitcostcommand complements the per-interface ipv6multicastlimitcommand. Once the limit-acl argument is matched in the ipv6multicastlimitcommand, the access-list
argument in the ipv6multicastlimitcostcommand is checked to see which cost to apply to limited groups. If no cost match is found, the default cost is 1.
The threshold notification for mCAC limit feature notifies the user when actual simultaneous multicast channel numbers exceeds or fall below a specified threshold percentage.
Examples
The following example configures the interface limit on the source router’s outgoing interface Ethernet 1/3:
Applies a cost to mroutes that match per-interface mroute state limiters in IPv6.
ipv6multicastlimitrate
Configures the maximum allowed state on the source router.
ipv6 multicast limit cost
To apply a cost to mroutes that match per-interface mroute state limiters in IPv6, use theipv6multicastlimitcost command in global configuration mode. To restore the default cost for mroutes being limited by per-interface mroute state limiters, use the no form of this command.
(Optional) Specifies a virtual routing and forwarding (VRF) configuration.
access-list
Access Control List (ACL) name that defines the mroutes for which to apply a cost.
cost-multiplier
Cost value applied to mroutes that match the corresponding ACL. The range is from 0 to 2147483647.
Command Default
If the ipv6multicastlimitcost command is not configured or if an mroute that is being limited by a per-interface mroute state limiter does not match any of the ACLs applied to ipv6multicastlimitcostcommand configurations, a cost of 1 is applied to the mroutes being limited.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.2(33)SRE
This command was introduced.
Cisco IOS XE Release 2.6
This command was introduced on Cisco ASR 1000 series routers.
15.1(4)M
The vrfvrf-name keyword and argument were added.
Usage Guidelines
Use the ipv6multicastlimitcostcommand to apply a cost to mroutes that match per-interface mroute state limiters (configured with the ipv6multicastlimit command in interface configuration mode). This command is primarily used to provide bandwidth-based Call Admission Control (CAC) in network environments where multicast flows utilize different amounts of bandwidth. Accordingly, when this command is configured, the configuration is usually referred to as a bandwidth-based multicast CAC policy.
The ipv6multicastlimitcostcommand complements the per-interface ipv6multicastlimitcommand. Once the limit-acl argument is matched in the ipv6multicastlimitcommand, the access-list
argument in the ipv6multicastlimitcostcommand is checked to see which cost to apply to limited groups. If no cost match is found, the default cost is 1.
Examples
The following example configures the global limit on the source router.
Configures per-interface mroute state limiters in IPv6.
ipv6 multicast limit rate
To configure the maximum allowed state globally on the source router, use the ipv6multicastlimitratecommand in global configuration mode. To remove the rate value, use the no form of this command.
ipv6multicastlimitraterate-value
noipv6multicastlimitraterate-value
Syntax Description
rate-value
The maximum allowed state on the source router. The range is from 0 through 100.
Command Default
The maximum state is 1.
Command Modes
Global configuration (config)
Command History
Release
Modification
Cisco IOS XE Release 2.6
This command was introduced.
Usage Guidelines
The ipv6 multicast rate limit command is set to a maximum state of 1 message per second. If the default is set to 0, the syslog notification rate limiter is disabled.
Examples
The following example configures the maximum state on the source router:
ipv6 multicast limit rate 2
Related Commands
Command
Description
ipv6multicastlimit
Configures per-interface mroute state limiters in IPv6.
ipv6 multicast multipath
To enable load splitting of IPv6 multicast traffic across multiple equal-cost paths, use the ipv6multicastmultipathcommand in global configuration mode. To disable this function, use the no form of this command.
ipv6multicast
[ vrfvrf-name ]
multipath
noipv6multicast
[ vrfvrf-name ]
multipath
Syntax Description
vrfvrf-name
(Optional) Specifies a virtual routing and forwarding (VRF) configuration.
Command Default
This command is enabled.
Command Modes
Global configuration
Command History
Release
Modification
12.3(7)T
This command was introduced.
12.2(25)S
This command was integrated into Cisco IOS Release 12.2(25)S.
15.1(4)M
The vrfvrf-name keyword and argument were added.
Usage Guidelines
The ipv6multicastmultipath command is enabled by default. In the default scenario, the reverse path forwarding (RPF) neighbor is selected randomly from the available equal-cost RPF neighbors, resulting in the load splitting of traffic from different sources among the available equal cost paths. All traffic from a single source is still received from a single neighbor.
When the noipv6multicastmultipath command is configured, the RPF neighbor with the highest IPv6 address is chosen for all sources with the same prefix, even when there are other available equal-cost paths.
Because the ipv6multicastmultipathcommand changes the way an RPF neighbor is selected, it must be configured consistently on all routers in a redundant topology to avoid looping.
Examples
The following example enables load splitting of IPv6 traffic:
Router(config)# ipv6 multicast multipath
Related Commands
Command
Description
showipv6rpf
Checks RPF information for a given unicast host address and prefix.
ipv6 multicast pim-passive-enable
To enable the Protocol Independent Multicast (PIM) passive feature on an IPv6 router, use the ipv6multicastpim-passive-enablecommand in global configuration mode. To disable this feature, use the no form of this command.
ipv6multicastpim-passive-enable
noipv6multicastpim-passive-enable
Syntax Description
This command has no arguments or keywords.
Command Default
PIM passive mode is not enabled on the router.
Command Modes
Global configuration (config)
Command History
Release
Modification
Cisco IOS XE Release 2.6
This command was introduced.
Usage Guidelines
Use the ipv6multicastpim-passive-enablecommand to configure IPv6 PIM passive mode on a router. Once PIM passive mode is configured globally, use the ipv6pimpassive command in interface configuration mode to configure PIM passive mode on a specific interface.
Examples
The following example configures IPv6 PIM passive mode on a router:
Router(config)# ipv6 multicast pim-passive-enable
Related Commands
Command
Description
ipv6pimpassive
Configures PIM passive mode on a specific interface.
ipv6
multicast-routing
To enable multicast
routing using Protocol Independent Multicast (PIM) and Multicast Listener
Discovery (MLD) on all IPv6-enabled interfaces of the router and to enable
multicast forwarding, use the
ipv6multicast-routingcommand in global configuration
mode. To stop multicast routing and forwarding, use the
no form of this
command.
ipv6multicast-routing
[ vrfvrf-name ]
noipv6multicast-routing
Syntax Description
vrfvrf-name
(Optional) Specifies a virtual routing and forwarding (VRF) configuration.
Command Default
Multicast routing
is not enabled.
Command Modes
Global configuration
Command History
Release
Modification
12.3(2)T
This
command was introduced.
12.2(18)S
This
command was integrated into Cisco IOS Release 12.2(18)S.
12.0(26)S
This
command was integrated into Cisco IOS Release 12.0(26)S.
12.2(25)SG
This
command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SRA
This
command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This
command was integrated into Cisco IOS Release 12.2(33)SXH.
15.1(4)M
This
command was modified. The
vrfvrf-name
keyword and argument were added.
15.0(1)SY
This
command was integrated into Cisco IOS Release 15.0(1)SY.
15.0(2)SE
This
command was integrated into Cisco IOS Release 15.0(2)SE.
15.1(1)SY
This
command was integrated into Cisco IOS Release 15.1(1)SY.
15.4(1)S
This command was implemented on the Cisco ASR 901 series
routers.
Usage Guidelines
Use the
ipv6
multicast-routingcommand to enable multicast forwarding. This
command also enables Protocol Independent Multicast (PIM) and Multicast
Listener Discovery (MLD) on all IPv6-enabled interfaces of the router being
configured.
You can configure
individual interfaces before you enable multicast so that you can then
explicitly disable PIM and MLD protocol processing on those interfaces, as
needed. Use the
noipv6pim or the
noipv6mldroutercommand to disable IPv6 PIM or MLD router-side processing,
respectively.
For the Cisco
Catalyst 6500 and Cisco 7600 series routers, you must configure the
ipv6
multicast-routing command to use IPv6 unicast routing.
Examples
The following
example enables multicast routing and turns on PIM and MLD on all interfaces:
ipv6 multicast-routing
Related Commands
Command
Description
ipv6pimrp-address
Configures the address of a PIM RP for a particular group range.
noipv6pim
Turns
off IPv6 PIM on a specified interface.
noipv6mldrouter
Disables MLD router-side processing on a specified interface.
ipv6 multicast rpf
To enable IPv6 multicast reverse path forwarding (RPF) check to use Border Gateway Protocol (BGP) unicast routes in the Routing Information Base (RIB), use the ipv6multicastrpfcommand in global configuration mode. To disable this function, use the no form of this command.
Configure per-interface multicast route (mroute) state limiters in IPv6.
ipv6multicastmultipath
Enables load splitting of IPv6 multicast traffic across multiple equal-cost paths.
ipv6 nat
To designate that traffic originating from or destined for the interface is subject to
Network Address Translation--Protocol Translation (NAT-PT), use the ipv6natcommand in interface configuration mode. To prevent the interface from being able to translate, use the no form of this command.
ipv6nat
noipv6nat
Syntax Description
This command has no keywords or arguments.
Command Default
Traffic leaving or arriving at this interface is not subject to NAT-PT.
Command Modes
Interface configuration
Command History
Release
Modification
12.2(13)T
This command was introduced.
Usage Guidelines
The ipv6nat command is usually specified on at least one IPv4 interface and one IPv6 interface at the networking device where you intend to use NAT-PT.
Examples
The following example assigns the IPv4 address 192.168.30.1 to Fast Ethernet interface 1/0 and the IPv6 address 2001:0DB8:0:1::1 to Fast Ethernet interface 2/0. IPv6 routing is globally enabled and both interfaces are configured to run IPv6 and enable NAT-PT translations.
Configures an IPv6 link-local address for an interface and enables IPv6 processing on the interface.
ipv6addresseui-64
Configures an IPv6 address for an interface and enables IPv6 processing on an interface using an EUI-64 interface ID in the low-order 64 bits of the address.
showipv6interface
Displays the usability status of interfaces configured for IPv6.
showipv6nattranslations
Displays active NAT-PT translations.
ipv6 nat max-entries
To specify the maximum number of Network Address Translation--Protocol Translation (NAT-PT) translation entries stored by the router, use the ipv6natmax-entries command in global configuration mode. To restore the default number of NAT-PT entries, use the no form of this command.
ipv6natmax-entriesnumber
noipv6natmax-entries
Syntax Description
number
(Optional) Specifies the maximum number (1-2147483647) of NAT-PT translation entries. Default is unlimited.
Command Default
Unlimited number of NAT-PT entries.
Command Modes
Global configuration
Command History
Release
Modification
12.2(13)T
This command was introduced.
Usage Guidelines
Use the ipv6natmax-entries command to set the maximum number of NAT-PT translation entries stored by the router when the router memory is limited, or the actual number of translations is important.
Examples
The following example sets the maximum number of NAT-PT translation entries to 1000:
ipv6 nat max-entries 1000
Related Commands
Command
Description
clearipv6nattranslation
Clears dynamic NAT-PT translations from the translation table.
showipv6nattranslations
Displays active NAT-PT translations.
ipv6 nat prefix
To assign an IPv6 prefix where matching IPv6 packets will be translated using Network Address Translation--Protocol Translation (NAT-PT), use the
ipv6natprefixcommand in global configuration or interface configuration mode. To prevent the IPv6 prefix from being used by NAT-PT, use the
no form of this command.
ipv6natprefixipv6-prefix/prefix-length
noipv6natprefixipv6-prefix/prefix-length
Syntax Description
ipv6-prefix
The IPv6 network used as the NAT-PT prefix.
This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.
/prefix-length
The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). The only prefix length supported is 96. A slash mark must precede the decimal value.
Command Default
No IPv6 prefixes are used by NAT-PT.
Command Modes
Global configuration
Interface configuration
Command History
Release
Modification
12.2(13)T
This command was introduced.
Usage Guidelines
The
ipv6natprefixcommand is used to specify an IPv6 address prefix against which the destination prefix in an IPv6 packet is matched. If the match is successful, NAT-PT will translate the IPv6 packet to an IPv4 packet using the configured mapping rules.
Use the
ipv6natprefixcommand in global configuration mode to assign a global NAT-PTNAT-PT prefix, or in interface configuration mode to assign a different NAT-PT prefix for each interface. Using a different NAT-PT prefix on several interfaces allows the NAT-PT router to support an IPv6 network with multiple exit points to IPv4 networks.
Examples
The following example assigns the IPv6 prefix 2001:0DB8:1::/96 as the global NAT-PT prefix:
ipv6 nat prefix 2001:0DB8:1::/96
The following example assigns the IPv6 prefix 2001:0DB8:2::/96 as the NAT-PT prefix for the Fast Ethernet interface 1/0, and the IPv6 prefix 2001:0DB8:4::/96 as the NAT-PT prefix for the Fast Ethernet interface 2/0:
Configures an IPv6 link-local address for an interface and enables IPv6 processing on the interface.
ipv6addresseui-64
Configures an IPv6 address for an interface and enables IPv6 processing on an interface using an EUI-64 interface ID in the low-order 64 bits of the address.
showipv6interface
Displays the usability status of interfaces configured for IPv6.
showipv6nattranslations
Displays active NAT-PT translations.
ipv6 nat prefix v4-mapped
To enable customers to send traffic from their IPv6 network to an IPv4 network without configuring IPv6 destination address mapping, use the ipv6natprefixv4-mapped command in global configuration or interface configuration mode. To disable this feature, use the no form of this command.
IPv6 prefix for Network Address Translation--Protocol Translation (NAT-PT).
access-list-name
Name of an IPv6 access list. Names cannot contain a space or quotation mark, or begin with a numeric.
Command Default
This command is not enabled.
Command Modes
Global configuration
Interface configuration
Command History
Release
Modification
12.3(14)T
This command was introduced.
Usage Guidelines
The IPv6 target address of a packet arriving at an interface is checked to discover if it has a NAT-PT prefix that was configured with the ipv6natprefixv4-mapped command. If the prefix does match, then an access-list check is performed to discover if the source address matches the access list or prefix list. If the prefix does not match, the packet is dropped.
If the prefix matches, source address translation is performed. If a rule has been configured for the source address translation, the last 32 bits of the destination IPv6 address is used as the IPv4 destination and a flow entry is created.
Examples
In the following example, the access list permits any IPv6 source address with the prefix 2001::/96 to go to the destination with a 2000::/96 prefix. The destination is then translated to the last 32 bit of its IPv6 address; for example: source address = 2001::1, destination address = 2000::192.168.1.1. The destination then becomes 192.168.1.1 in the IPv4 network:
To change the amount of time after which Network Address Translation--Protocol Translation (NAT-PT) translations time out, use the ipv6nattranslation command in global configuration mode. To disable the timeout, use the no form of this command.
Specifies that the timeout value applies to dynamic translations. Default is 86400 seconds (24 hours).
udp-timeout
Specifies that the timeout value applies to the User Datagram Protocol (UDP) port. Default is 300 seconds (5 minutes).
dns-timeout
Specifies that the timeout value applies to connections to the Domain Naming System (DNS). Default is 60 seconds.
tcp-timeout
Specifies that the timeout value applies to the TCP port. Default is 86400 seconds (24 hours).
finrst-timeout
Specifies that the timeout value applies to Finish and Reset TCP packets, which terminate a connection. Default is 60 seconds.
icmp-timeout
Specifies the timeout value for Internet Control Message Protocol (ICMP) flows. Default is 60 seconds.
syn-timeout
Specifies that the timeout value applies when a TCP SYN (request to synchronize sequence numbers used when opening a connection) flag is received but the flag is not followed by data belonging to the same TCP session.
seconds
Number of seconds after which the specified translation timer expires. The default is 0.
never
Specifies that the dynamic translation timer never expires.
Dynamic translations time out after a period of time without any translations. The default timeout period is 24 hours. When port translation is configured, there is finer control over translation entry timeouts because each entry contains more context about the traffic that is using it. Non-DNS UDP translations time out after 5 minutes, and DNS times out in 1 minute. TCP translations time out in 24 hours, unless an RST or FIN flag is seen on the stream, in which case they will time out in 1 minute.
Examples
The following example causes UDP port translation entries to time out after 10 minutes:
ipv6 nat translation udp-timeout 600
Related Commands
Command
Description
clearipv6nattranslation
Clears dynamic NAT-PT translations from the translation table.
showipv6nattranslations
Displays active NAT-PT translations.
ipv6 nat v4v6 pool
To define a pool of IPv6 addresses for Network Address Translation--Protocol Translation (NAT-PT), use the ipv6natv4v6poolcommand in global configuration mode. To remove one or more addresses from the pool, use the no form of this command.
Starting IPv6 address that defines the range of IPv6 addresses in the address pool.
end-ipv6
Ending IPv6 address that defines the range of IPv6 addresses in the address pool.
prefix-lengthprefix-length
Number that indicates how many bits of the address indicate the network. Specify the subnet of the network to which the pool addresses belong.
Command Default
No pool of addresses is defined.
Command Modes
Global configuration
Command History
Release
Modification
12.2(13)T
This command was introduced.
Usage Guidelines
This command defines a pool of IPv6 addresses using start address, end address, and prefix length. The pool is used when NAT-PT needs a dynamic mapping of an IPv6 address to translate an IPv4 address.
Examples
The following example configures a dynamic NAT-PT mapping to translate IPv4 addresses to IPv6 addresses using a pool of IPv6 addresses named v6pool. The packets to be translated by NAT-PT are filtered using an access list named pt-list2. One static NAT-PT mapping is configured to access a Domain Naming System (DNS) server. Ethernet interface 3/1 is an IPv6-only host and Ethernet interface 3/3 is an IPv4-only host.
Clears dynamic NAT-PT translations from the translation table.
showipv6nattranslations
Displays active NAT-PT translations.
ipv6 nat v4v6 source
To configure IPv4 to IPv6 address translation using Network Address Translation--Protocol Translation (NAT-PT), use the ipv6natv4v6sourcecommand in global configuration mode. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.
ipv6natv4v6source
{ list
{ access-list-number | name }
poolname | ipv4-addressipv6-address }
noipv6natv4v6source
{ list
{ access-list-number | name }
poolname | ipv4-addressipv6-address }
Syntax Description
listaccess-list-number
Standard IP access list number. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
listname
Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
poolname
Name of the pool from which global IP addresses are allocated dynamically.
ipv4-address
Sets up a single static translation. This argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete.
ipv6-address
Sets up a single static translation. This argument establishes the globally unique IP address of an inside host as it appears to the outside world.
Command Default
No NAT-PT translation of IPv4 to IPv6 addresses occurs.
Command Modes
Global configuration
Command History
Release
Modification
12.2(13)T
This command was introduced.
Usage Guidelines
This command has two forms: dynamic and static address translation. The form with an IPv6 access list establishes dynamic translation. Packets from IPv4 addresses that match the standard access list are translated using IPv6 addresses allocated from the pool named with the ipv6natv4v6pool command. The access list is used to specify which traffic is to be translated.
Alternatively, the syntax form using the ipv4-address andipv6-addressarguments establishes a single static translation.
Examples
The following example configures a dynamic NAT-PT mapping to translate IPv4 addresses to IPv6 addresses using a pool of IPv6 addresses named v6pool. The packets to be translated by NAT-PT are filtered using an access list named pt-list2. Ethernet interface 3/1 is an IPv6-only host and Ethernet interface 3/3 is an IPv4-only host.
Clears dynamic NAT-PT translations from the translation state table.
ipv6natv4v6pool
Defines a pool of IPv6 addresses for NAT-PT.
ipv6natv6v4source
Enables NAT-PT for an IPv6 source address.
showipv6nattranslations
Displays active NAT-PT translations.
ipv6 nat v6v4 pool
To define a pool of IPv4 addresses for Network Address Translation--Protocol Translation (NAT-PT), use the ipv6natv6v4poolglobal configuration command. To remove one or more addresses from the pool, use the no form of this command.
Starting IPv4 address that defines the range of IPv4 addresses in the address pool.
end-ipv4
Ending IPv4 address that defines the range of IPv4 addresses in the address pool.
prefix-lengthprefix-length
Number that indicates how many bits of the address indicate the network. Specify the subnet of the network to which the pool addresses belong.
Command Default
No pool of addresses is defined.
Command Modes
Global configuration
Command History
Release
Modification
12.2(13)T
This command was introduced.
Usage Guidelines
This command defines a pool of IPv4 addresses using start address, end address, and prefix length. The pool is used when NAT-PT needs a dynamic mapping of IPv4 addresses to translate IPv6 addresses.
Examples
The following example configures a dynamic NAT-PT mapping to translate IPv6 addresses to IPv4 addresses using a pool of IPv4 addresses named v4pool. The packets to be translated by NAT-PT are filtered using an IPv6 access list named pt-list1. One static NAT-PT mapping is configured to access a Domain Naming System (DNS) server. Ethernet interface 3/1 is an IPv6-only host and Ethernet interface 3/3 is an IPv4-only host.
Clears dynamic NAT-PT translations from the translation table.
showipv6nattranslations
Displays active NAT-PT translations.
ipv6 nat v6v4 source
To configure IPv6 to IPv4 address translation using Network Address Translation--Protocol Translation (NAT-PT), use the ipv6natv6v4sourcecommand in global configuration mode. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.
IPv6 access list name. Packets with source addresses that pass the access list are translated using global addresses from the named pool.
route-mapmap-name
Sets up a single static translation. This keyword and argument combination establishes the globally unique IP address assigned to a host on the outside network by its owner. It was allocated from globally routable network space.
poolname
Name of the pool from which global IP addresses are allocated dynamically.
ipv6-address
Sets up a single static translation. This argument establishes the globally unique IP address of an inside host as it appears to the outside world.
ipv4-address
Sets up a single static translation. This argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete.
overload
Enables multiplexing of IPv6 addresses to a single IPv4 address for TCP, UDP, and ICMD.
Command Default
No NAT-PT translation of IPv6 to IPv4 addresses occurs.
Command Modes
Global configuration
Command History
Release
Modification
12.2(13)T
This command was introduced.
12.3(2)T
The overload keyword was added to support Port Address Translation (PAT), or Overload, multiplexing multiple IPv6 addresses to a single IPv4 address or to an IPv4 address pool.
Usage Guidelines
Dynamic and Static Address Translation
This command has two forms: dynamic and static address translation. The form with an IPv6 access list establishes dynamic translation. Packets from IPv6 addresses that match the IPv6 access list are translated using IPv4 addresses allocated from the pool named with the ipv6natv6v4pool command. The access list is used to specify which traffic is to be translated.
Alternatively, the syntax form using the ipv6-address andipv4-addressarguments establishes a single static translation.
Port Address Translation
When used for PAT, the command can be used for a single IPv4 interface or for a pool of IPv4 interfaces.
Examples
Examples
The following example configures a dynamic NAT-PT mapping to translate IPv6 addresses to IPv4 addresses using a pool of IPv4 addresses named v4pool. The packets to be translated by NAT-PT are filtered using an IPv6 access list named pt-list1. Ethernet interface 3/1 is an IPv6-only host and Ethernet interface 3/3 is an IPv4-only host.
interface Ethernet3/1
ipv6 address ffe:aaaa:bbbb:1::9/64
ipv6 enable
ipv6 nat
!
interface Ethernet3/3
ip address 192.168.30.9 255.255.255.0
ipv6 nat
!
ipv6 nat v6v4 source list pt-list1 pool v4pool
ipv6 nat v6v4 pool v4pool 10.21.8.1 10.21.8.10 prefix-length 24
ipv6 nat prefix 3ffe:c00:::/96
!
ipv6 access-list pt-list1
permit ipv6 3ffe:aaaa:bbbb:1::/64 any
Examples
The following example shows a static translation where the IPv6 address 3ffe:aaaa:bbbb:1::1 is translated into the IPv4 address 10.21.8.10:
ipv6 nat v6v4 pool v6pool 10.1.1.1 10.1.1.10 subnetmask 255.255.255.0
ipv6 nat v6v4 source list v6list interface e1 overload
ipv6 accesslist v6list
permit 3000::/64 any
Related Commands
Command
Description
clearipv6nattranslation
Clears dynamic NAT-PT translations from the translation state table.
debugipv6nat
Diaplays debugging messages for NAT-PT.
ipv6natv6v4pool
Defines a pool of IPv4 addresses for NAT-PT.
ipv6natv4v6source
Enables NAT-PT for an IPv4 source address.
showipv6nattranslations
Displays active NAT-PT translations.
ipv6 nd advertisement-interval
To configure the advertisement interval option in router advertisements (RAs), use the
ipv6ndadvertisement-interval in interface configuration mode. To reset the interval to the default value, use the
no form of this command.
ipv6ndadvertisement-interval
noipv6ndadvertisement-interval
Syntax Description
This command has no arguments or keywords.
Command Default
Advertisement interval option is not sent.
Command Modes
Interface configuration
Command History
Release
Modification
12.3(14)T
This command was introduced.
15.2(2)S
This command was implemented on the Cisco ASR 901 Series Aggregation Services devices.
Usage Guidelines
Use the
ipv6ndadvertisement-intervalcommand to indicate to a visiting mobile node the interval at which that node may expect to receive RAs. The node may use this information in its movement detection algorithm.
Examples
The following example enables the advertisement interval option to be sent in RAs:
Device(config-if)# ipv6 nd advertisement-interval
Related Commands
Command
Description
ipv6mobilehome-agent(interfaceconfiguration)
Initializes and starts the Mobile IPv6 home agent on a specific interface.
ipv6ndra-interval
Configures the interval between Mobile IPv6 RA transmissions on an interface.
ipv6 nd autoconfig default-router
To allow Neighbor Discovery to install a default route to the Neighbor Discovery-derived default router, use the
ipv6 nd autoconfig default-router command in interface configuration mode. To remove the default route configured through interface configuration mode from the interface, use the
no form of this command.
ipv6ndautoconfigdefault-router
noipv6ndautoconfigdefault-router
Syntax Description
This command has no arguments or keywords.
Command Default
This command is enabled in host mode.
Command Modes
Interface configuration (config-if)#
Command History
Release
Modification
15.2(1)T
This command was introduced.
Usage Guidelines
If the
ipv6 nd autoconfig default-router command is configured on a router, Neighbor Discovery installs a default route to the Neighbor Discovery-derived default router. Using this command sends a router solicitation (RS) message to solicit a router advertisement (RA), thus eliminating any delay in waiting for the next periodic RA.
Uses Neighbor Discovery to install all valid on-link prefixes from RAs received on the interface.
ipv6 nd route-owner
Inserts Neighbor Discovery-learned routes into the routing table with "ND" status and enables ND autoconfiguration behavior.
ipv6 nd autoconfig prefix
To use Neighbor Discovery to install all valid on-link prefixes from router advertisements (RAs) received on the interface, use the
ipv6 nd autoconfig prefix command in interface configuration mode. To remove the prefix from the RIB, use the
no form of the command.
ipv6ndautoconfigprefix
noipv6ndautoconfigprefix
Syntax Description
This command has no arguments or keywords.
Command Default
This command is not enabled.
Command Modes
Interface configuration (config-if)#
Command History
Release
Modification
15.2(1)T
This command was introduced.
Usage Guidelines
Using the
ipv6 nd autoconfig prefix command command sends a router solicitation (RS) message to solicit a router advertisement (RA), thus eliminating any delay in waiting for the next periodic RA. The router receives a prefix from a neighboring router, and installs the prefix in the RIB.
Use of the
ipv6 nd autoconfig prefix command command allows Neighbor Discovery to install all valid on-link prefixes from RAs received on the interface. The prefixes are installed as Neighbor Discovery-owned static routes in same manner as a Neighbor Discovery default route. If both
ipv6 address autoconfig and
ipv6 nd autoconfig prefix are both configured, then the handling of /64 autoconfiguration and on-link prefixes will be unchanged. All other valid Neighbor Discovery prefixes will be installed as static routes.
Allows Neighbor Discovery to install a default route to the Neighbor Discovery-derived default router.
ipv6 nd route-owner
Inserts Neighbor Discovery-learned routes into the routing table with "ND" status and enables ND autoconfiguration behavior.
ipv6 nd cache expire
To configure the length of time before an IPv6 neighbor discovery (ND) cache entry expires, use the
ipv6ndcacheexpire command in interface configuration mode. To remove this configuration, use the
no form of this command.
The time range is from 1 through 65536 seconds. The default is 14400 seconds, or 4 hours.
refresh
(Optional) Automatically refreshes the ND cache entry.
Command Default
This expiration time is 14400 seconds (4 hours)
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.2(33)SXI7
This command was introduced.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
By default, an ND cache entry is expired and deleted if it remains in the STALE state for 14,400 seconds, or 4 hours. The
ipv6ndcacheexpire command allows the user to vary the expiry time and to trigger autorefresh of an expired entry before the entry is deleted.
When the
refresh keyword is used, an ND cache entry is autorefreshed. The entry moves into the DELAY state and the neighbor unreachability detection (NUD) process occurs, in which the entry transitions from the DELAY state to the PROBE state after 5 seconds. When the entry reaches the PROBE state, a neighbor solicitation (NS) is sent and then retransmitted as per the configuration.
Examples
The following example shows that the ND cache entry is configured to expire in 7200 seconds, or 2 hours:
Router(config-if)# ipv6 nd cache expire 7200
ipv6 nd cache interface-limit (global)
To configure a neighbor discovery cache limit on all interfaces on the device, use the
ipv6ndcacheinterface-limitcommand in global configuration mode. To remove the neighbor discovery from all interfaces on the device, use the
no form of this command.
ipv6ndcacheinterface-limitsize
[ lograte ]
noipv6ndcacheinterface-limitsize
[ lograte ]
Syntax Description
size
Cache size.
lograte
(Optional) Adjustable logging rate, in seconds. The valid values are 0 and 1.
Command Default
Default logging rate for the device is one entry every second.
Command Modes
Global configuration (config)
Command History
Release
Modification
Cisco IOS XE Release 2.6
This command was introduced.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T.
15.1(1)SY
This command was integrated into Cisco IOS Release 15.1(1)SY.
15.3(1)S
This command was integrated into Cisco IOS Release 15.3(1)S.
Usage Guidelines
The
ipv6ndcacheinterface-limitcommand in global configuration mode imposes a common per-interface cache size limit on all interfaces on the device.
Issuing the
no or default form of the command will remove the neighbor discovery limit from every interface on the device that was configured using global configuration mode. It will not remove the neighbor discovery limit from any interface configured using the
ipv6ndcacheinterface-limitcommand in interface configuration mode.
The default (and maximum) logging rate for the device is one entry every second.
Examples
The following example shows how to set a common per-interface cache size limit of 4 seconds on all interfaces on the device:
Device(config)#
ipv6 nd cache interface-limit 4
Related Commands
Command
Description
ipv6ndcacheinterface-limit(interface)
Configures a neighbor discovery cache limit on a specified interface on the device.
ipv6 nd cache interface-limit (interface)
To configure a neighbor discovery cache limit on a specified interface on the , use the
ipv6ndcacheinterface-limitcommand in interface configuration mode. To remove the neighbor discovery limit configured through interface configuration mode from the interface, use the
no form of this command.
ipv6ndcacheinterface-limitsize
[ lograte ]
noipv6ndcacheinterface-limitsize
[ lograte ]
Syntax Description
size
Cache size.
lograte
(Optional) Adjustable logging rate, in seconds. The valid values are 0 and 1.
Command Default
Default logging rate for the device is one entry every second.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
Cisco IOS XE Release 2.6
This command was introduced.
15.1(3)T
This command was integrated into Cisco IOS Release 15.1(3)T.
15.1(1)SY
This command was integrated into Cisco IOS Release 15.1(1)SY.
Usage Guidelines
The
ipv6ndcacheinterface-limit command in interface configuration mode allows you to configure a per-interface neighbor discovery limit on the associated interface. The limit configured by this command overrides any limit configured using the
ipv6ndcacheinterface-limit command in global configuration mode.
Issuing the
no or default form of the command removes the neighbor discovery limit configured using interface configuration mode from the interface. Then, if the
ipv6ndcacheinterface-limit command in global configuration mode has been issued, the neighbor discovery limit on the interface reverts to that specified by global configuration. If the globally configured limit is smaller than the interface limit, then excess entries are removed. If the
ipv6ndcacheinterface-limit command in global configuration mode has not been issued, then no limit is set on the interface.
The number of entries in the neighbor discovery cache is limited on an interface basis. Once the limit is reached, no new entries are allowed.
Examples
The following example shows how to set the number of entries in a neighbor discovery cache (on an interface basis) to 1:
Configures a neighbor discovery cache limit on all interfaces on the devices.
ipv6 nd dad attempts
To configure the number of consecutive neighbor solicitation messages that are sent on an interface while duplicate address detection is performed on the unicast IPv6 addresses of the interface, use the
ipv6nddadattempts command in interface configuration mode. To return the number of messages to the default value, use the
no form of this command.
ipv6nddadattemptsvalue
noipv6nddadattemptsvalue
Syntax Description
value
The number of neighbor solicitation messages. The acceptable range is from 0 to 600. Configuring a value of 0 disables duplicate address detection processing on the specified interface; a value of 1 configures a single transmission without follow-up transmissions. Default is one message.
Command Default
Duplicate address detection on unicast IPv6 addresses with the sending of one neighbor solicitation message is enabled.
Command Modes
Interface configuration
Command History
Release
Modification
12.2(4)T
This command was introduced.
12.0(21)ST
This command was integrated into Cisco IOS Release 12.0(21)ST.
12.0(22)S
This command was integrated into Cisco IOS Release 12.0(22)S.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
15.2(2)SNG
Th is command was implemented on the Cisco ASR 901 Series Aggregation Services devices.
15.2(2)SA2
This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.
Usage Guidelines
Duplicate address detection verifies the uniqueness of new unicast IPv6 addresses before the addresses are assigned to interfaces (the new addresses remain in a tentative state while duplicate address detection is performed). Duplicate address detection uses neighbor solicitation messages to verify the uniqueness of unicast IPv6 addresses.
The DupAddrDetectTransmits node configuration variable (as specified in RFC 2462, IPv6 Stateless Address Autoconfiguration) is used to automatically determine the number of consecutive neighbor solicitation messages that are sent on an interface while duplicate address detection is performed on a tentative unicast IPv6 address.
The interval between duplicate address detection, neighbor solicitation messages (the duplicate address detection timeout interval) is specified by the neighbor discovery-related variable RetransTimer (as specified in RFC 2461, Neighbor Discovery for IP Version 6 [IPv6] ), which is used to determine the time between retransmissions of neighbor solicitation messages to a neighbor when resolving the address or when probing the reachability of a neighbor. This is the same management variable used to specify the interval for neighbor solicitation messages during address resolution and neighbor unreachability detection. Use the
ipv6ndns-interval command to configure the interval between neighbor solicitation messages that are sent during duplicate address detection.
Duplicate address detection is suspended on interfaces that are administratively "down." While an interface is administratively "down," the unicast IPv6 addresses assigned to the interface are set to a pending state. Duplicate address detection is automatically restarted on an interface when the interface returns to being administratively "up."
Note
An interface returning to administratively "up" restarts duplicate address detection for all of the unicast IPv6 addresses on the interface. While duplicate address detection is performed on the link-local address of an interface, the state for the other IPv6 addresses is still set to TENTATIVE. When duplicate address detection is completed on the link-local address, duplicate address detection is performed on the remaining IPv6 addresses.
When duplicate address detection identifies a duplicate address, the state of the address is set to DUPLICATE and the address is not used. If the duplicate address is the link-local address of the interface, the processing of IPv6 packets is disabled on the interface and an error message similar to the following is issued:
%IPV6-4-DUPLICATE: Duplicate address FE80::1 on Ethernet0
If the duplicate address is a global address of the interface, the address is not used and an error message similar to the following is issued:
%IPV6-4-DUPLICATE: Duplicate address 3000::4 on Ethernet0
All configuration commands associated with the duplicate address remain as configured while the state of the address is set to DUPLICATE.
If the link-local address for an interface changes, duplicate address detection is performed on the new link-local address and all of the other IPv6 address associated with the interface are regenerated (duplicate address detection is performed only on the new link-local address).
Duplicate address detection is performed on all multicast-enabled IPv6 interfaces, including the following interface types:
ATM permanent virtual circuit (PVC)
Cisco High-Level Data Link Control (HDLC)
Ethernet, Fast Ethernet, and Gigabit Ethernet
FDDI
Frame Relay PVC
Point-to-point links
PPP
Examples
The following example configures five consecutive neighbor solicitation messages to be sent on Ethernet interface 0 while duplicate address detection is being performed on the tentative unicast IPv6 address of the interface. The example also disables duplicate address detection processing on Ethernet interface 1.
Device(config)# interface ethernet 0
Device(config-if)# ipv6 nd dad attempts 5
Device(config)# interface ethernet 1
Device(config-if)# ipv6 nd dad attempts 0
Note
Configuring a value of 0 with the
ipv6nddadattempts command disables duplicate address detection processing on the specified interface; a value of 1 configures a single transmission without follow-up transmissions. The default is one message.
To display the state (OK, TENTATIVE, or DUPLICATE) of the unicast IPv6 address configured for an interface, to verify whether duplicate address detection is enabled on the interface, and to verify the number of consecutive duplicate address detection, neighbor solicitation messages that are being sent on the interface, enter the
showipv6interface command:
Device# show ipv6 interface
Ethernet0 is up, line protocol is up
IPv6 is stalled, link-local address is FE80::1 [TENTATIVE]
Global unicast address(es):
2000::1, subnet is 2000::/64 [TENTATIVE]
3000::1, subnet is 3000::/64 [TENTATIVE]
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is enabled, number of DAD attempts: 1
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
Ethernet1 is up, line protocol is up
IPv6 is stalled, link-local address is FE80::2
Global unicast address(es):
2000::2, subnet is 2000::/64
3000::3, subnet is 3000::/64
Joined group address(es):
FF02::1
FF02::2
FF02::1:FF00:1
MTU is 1500 bytes
ICMP error messages limited to one every 100 milliseconds
ICMP redirects are enabled
ND DAD is disabled, number of DAD attempts: 0
ND reachable time is 30000 milliseconds
ND advertised reachable time is 0 milliseconds
ND advertised retransmit interval is 0 milliseconds
ND router advertisements are sent every 200 seconds
ND router advertisements live for 1800 seconds
Hosts use stateless autoconfig for addresses.
Related Commands
Command
Description
ipv6ndns-interval
Configures the interval between IPv6 neighbor solicitation transmissions on an interface.
showipv6interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd dad-proxy
To enable the IPv6 Neighbor Discovery (ND) Duplicate Address Detection (DAD) Proxy feature, use the ipv6 nd dad-proxy command in global configuration mode or interface configuration mode.
ipv6nddad-proxy
noipv6nddad-proxy
Command Default
The IPv6 ND DAD Proxy feature is disabled.
Command Modes
Global configuration (config)
Command History
Release
Modification
15.1(2)SG
This command was introduced.
Usage Guidelines
Use the
ipv6 nd dad-proxy
command to enable the IPv6 ND DAD Proxy feature on a device or an interface.
On devices where the IPv6 ND Multicast Suppress feature is not available on the device platform, you use the ipv6 nd dad-proxy
command in global configuration mode to configure the feature on the device.
Examples
The following example shows how to configure IPv6 ND DAD proxy on a device:
Device(config)# ipv6 nd dad-proxy
ipv6 nd dad time
To configure the neighbor solicitation (NS) retransmit interval for duplicate address detection (DAD) separately from the NS retransmit interval for address resolution, use the ipv6nddadtime command in global configuration or interface configuration mode. To remove the NS retransmit interval for DAD, use the no form of this command.
ipv6nddadtimemilliseconds
noipv6nddadtime
Syntax Description
milliseconds
The interval between IPv6 neighbor solicit transmissions for DAD. The range is from 1000 to 3600000 milliseconds.
Global configuration (config)
Interface configuration (config-if)
Command History
Release
Modification
Cisco IOS XE Release 3S
This command was introduced.
Usage Guidelines
The ipv6nddadtime command allows you to configure the NS retransmit interval for DAD separately from the NS retransmit interval for address resolution. This command also allows you to set the behavior globally for the whole router or on a per-interface basis.
Examples
The following example shows how to increase the default NS retransmit interval on an interface for address resolution to 3 seconds but keep the DAD NS retransmit interval at the default value of 1 second:
Router(config-if)# ipv6 nd ns-interval 3000
Router(config-if)# ipv6 nd dad time 1000
Related Commands
Command
Description
ipv6ndns-interval
Configures the interval between IPv6 neighbor solicitation retransmissions for address resolution on an interface.
showipv6interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd host mode strict
To enable the conformant, or strict, IPv6 host mode, use the
ipv6ndhostmodestrict command in global configuration mode. To reenable conformant, or loose, IPv6 host mode, use the
no form of this command.
ipv6
ndhostmodestrict
Syntax Description
This command has no arguments or keywords.
Command Default
Nonconformant, or loose, IPv6 host mode is enabled.
Command Modes
Global configuration (config)
Command History
Release
Modification
15.0(2)SE
This command was introduced.
Usage Guidelines
The default IPv6 host mode type is loose, or nonconformant. To enable IPv6 strict, or conformant, host mode, use the
ipv6 nd host mode strict command. You can change between the two IPv6 host modes using the
no form of this command.
The
ipv6 nd host mode strict command selects the type of IPv6 host mode behavior and enters interface configuration mode. However, the
ipv6 nd host mode strict command is ignored if you have configured IPv6 routing with the
ipv6 unicast-routing command. In this situation, the default IPv6 host mode type, loose, is used.
Examples
The following example shows how to configure the device as a strict IPv6 host and enables IPv6 address autoconfiguration on Ethernet interface 0/0:
To apply the Neighbor Discovery Protocol (NDP) Inspection feature, use the
ipv6ndinspection command in interface configuration mode. To remove the NDP Inspection feature, use the
no form of this command.
(Optional) Applies the ND Inspection feature to a VLAN on the interface.
add
(Optional) Adds a VLAN to be inspected.
except
(Optional) Inspects all VLANs except the one specified.
none
(Optional) Specifies that no VLANs are inspected.
remove
(Optional) Removes the specified VLAN from NDP inspection.
all
(Optional) Inspects NDP traffic from all VLANs on the port.
vlan-id
(Optional) A specific VLAN on the interface. More than one VLAN can be specified. The VLAN number that can be used is from 1 to 4094.
Command Default
All NDP messages are inspected. Secure Neighbor Discovery (SeND) options are ignored. Neighbors are probed based on the criteria defined in the Neighbor Tracking feature. Per-port IPv6 address limit enforcement is disabled. Layer 2 header source MAC address validations are disabled. Per-port rate limiting of the NDP messages in software is disabled.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.2(50)SY
This command was introduced.
15.0(2)SE
This command was integrated into Cisco IOS Release 15.0(2)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
The
ipv6ndinspection command applies the NDP Inspection feature on a specified interface. If you enable the optional
attach-policy or
vlan keywords, NDP traffic is inspected by policy or by VLAN. If no VLANs are specified, NDP traffic from all VLANs on the port is inspected (which is equivalent to using the
vlanall keywords).
If no policy is specified in this command, the default criteria are as follows:
All NDP messages are inspected.
SeND options are ignored.
Neighbors are probed based on the criteria defined in neighbor tracking feature.
Per-port IPv6 address limit enforcement is disabled.
Layer 2 header source MAC address validations are disabled.
Per-port rate limiting of the NDP messages in software is disabled.
If a VLAN is specified, its parameter is either a single VLAN number from 1 to 4094 or a range of VLANs described by two VLAN numbers, the lesser one first, separated by a dash (for example,
vlan1-100,200,300-400). Do not enter any spaces between comma-separated VLAN parameters or in dash-specified ranges.
Examples
The following example enables NDP inspection on a specified interface:
Router(config-if)# ipv6 nd inspection
ipv6 nd inspection policy
To define the neighbor discovery (ND) inspection policy name and enter ND inspection policy configuration mode, use the
ipv6ndinspection command in ND inspection configuration mode. To remove the ND inspection policy, use the
no form of this command.
This command was integrated into Cisco IOS Release 15.0(2)SE.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
The
ipv6ndinspectionpolicy command defines the ND inspection policy name and enters ND inspection policy configuration mode. Once you are in ND inspection policy configuration mode, you can use any of the following commands:
device-role
drop-unsecure
limitaddress-count
sec-levelminimum
tracking
trusted-port
validatesource-mac
Examples
The following example defines an ND policy name as policy1:
Specifies the role of the device attached to the port.
drop-unsecure
Drops messages with no or invalid options or an invalid signature.
limitaddress-count
Limits the number of IPv6 addresses allowed to be used on the port.
sec-levelminimum
Specifies the minimum security level parameter value when CGA options are used.
tracking
Overrides the default tracking policy on a port.
trusted-port
Configures a port to become a trusted port.
validatesource-mac
Checks the source MAC address against the link-layer address.
ipv6 nd managed-config-flag
To set the "managed address configuration flag" in IPv6 router advertisements, use the ipv6ndmanaged-config-flagcommand in interface configuration mode. To clear the flag from IPv6 router advertisements, use the no form of this command.
ipv6ndmanaged-config-flag
noipv6ndmanaged-config-flag
Syntax Description
This command has no arguments or keywords.
Command Default
The "managed address configuration flag" flag is not set in IPv6 router advertisements.
Command Modes
Interface configuration
Command History
Release
Modification
12.2(2)T
This command was introduced.
12.0(21)ST
This command was integrated into Cisco IOS Release 12.0(21)ST.
12.0(22)S
This command was integrated into Cisco IOS Release 12.0(22)S.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Usage Guidelines
Setting the "managed address configuration flag" flag in IPv6 router advertisements indicates to attached hosts whether they should use stateful autoconfiguration to obtain addresses. If the flag is set, the attached hosts should use stateful autoconfiguration to obtain addresses. If the flag is not set, the attached hosts should not use stateful autoconfiguration to obtain addresses.
Hosts may use stateful and stateless address autoconfiguration simultaneously.
Examples
The following example configures the "managed address configuration flag" flag in IPv6 router advertisements on Ethernet interface 0/0:
Configures which IPv6 prefixes are included in IPv6 router advertisements
showipv6interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd na glean
To configure neighbor discovery (ND) to glean an entry from an unsolicited neighbor advertisement (NA), use the
ipv6ndnaglean command in interface configuration mode. To disable this feature, use the
no form of this command.
ipv6ndnaglean
noipv6ndnaglean
Syntax Description
This command has no arguments or keywords.
Command Default
The router ignores an unsolicited NA.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.2(33)SXI7
This command was introduced.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
IPv6 nodes may choose to emit a multicast unsolicited NA packet following the successful completion of duplicate address detection (DAD). By default, these unsolicited NA packets are ignored by other IPv6 nodes. The
ipv6ndnaglean command configures the router to create an ND entry on receipt of an unsolicited NA packet (assuming no such entry already exists and the NA has the link-layer address option). Use of this command allows a router to populate its ND cache with an entry for a neighbor in advance of any data traffic exchange with the neighbor.
Examples
The following example configures ND to glean an entry from an unsolicited neighbor advertisement:
Router(config-if)# ipv6 nd na glean
ipv6 nd ns-interval
To configure the interval between IPv6 neighbor solicitation (NS) retransmissions on an interface, use the ipv6ndns-intervalcommand in interface configuration mode. To restore the default interval, use the no form of this command.
ipv6ndns-intervalmilliseconds
noipv6ndns-interval
Syntax Description
milliseconds
The interval between IPv6 neighbor solicit transmissions for address resolution. The acceptable range is from 1000 to 3600000 milliseconds.
Command Default
0 milliseconds (unspecified) is advertised in router advertisements and the value 1000 is used for the neighbor discovery activity of the router itself.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.2(2)T
This command was introduced.
12.0(21)ST
This command was integrated into Cisco IOS Release 12.0(21)ST.
12.0(22)S
This command was integrated into Cisco IOS Release 12.0(22)S.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
15.2(2)SA2
This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.
Usage Guidelines
By default, using the ipv6ndns-interval command changes the NS retransmission interval for both address resolution and duplicate address detection (DAD). To specify a different NS retransmission interval for DAD, use the ipv6nddadtimecommand.
This value will be included in all IPv6 router advertisements sent out this interface. Very short intervals are not recommended in normal IPv6 operation. When a nondefault value is configured, the configured time is both advertised and used by the router itself.
Examples
The following example configures an IPv6 neighbor solicit transmission interval of 9000 milliseconds for Ethernet interface 0/0:
Configures the NS retransmit interval for DAD separately from the NS retransmit interval for address resolution.
showipv6interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd nud retry
To configure the number of times neighbor unreachability detection (NUD) resends neighbor solicitations (NSs), use the
ipv6ndnudretry command in interface configuration mode. To disable this feature, use the
no form of this command.
ipv6ndnudretrybaseintervalmax-attempts
noipv6ndnudretrybaseintervalmax-attempts
Syntax Description
base
The base NUD value.
interval
The time interval, in milliseconds, between retries.
max-attempts
The maximum number of retry attempts, depending on the base value.
Command Default
Three NS packets are sent 1 second apart.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.2(33)SXI7
This command was introduced.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
When a router runs NUD to re-resolve the ND entry for a neighbor, it sends three NS packets 1 second apart. In certain situations (for example, spanning-tree events, high traffic, the end host being reloaded), three NS packets sent at an interval of 1 second may not be sufficient. To help maintain the neighbor cache in such situations, use the
ipv6ndnudretry command to configure exponential timers for NS retransmits.
The maximum number of retry attempts is configured using the
max-attempts argument. The retransmit interval is calculated with the following formula:
tm
•
t = Time interval
•
m = Base (1, 2, or 3)
•
n = Current NS number (where the first NS is 0)
The
ipv6ndnudretry command affects only the retransmit rate for NUD, not for initial resolution, which uses the default of three NS packets sent 1 second apart.
Examples
The following example provides a fixed interval of 1 second and three retransmits:
Router(config-if)# ipv6 nd nud retry 1 1000 3
The following example provides a retransmit interval of 1, 2, 4, and 8:
Router(config-if)# ipv6 nd nud retry 2 1000 4
The following example provides the retransmit intervals of 1, 3, 9, 27, 81:
Router(config-if)# ipv6 nd nud retry 3 1000 5
ipv6 nd other-config-flag
To set the "other stateful configuration" flag in IPv6 router advertisements, use the ipv6ndother-config-flagcommand in interface configuration mode. To clear the flag from IPv6 router advertisements, use the no form of this command.
ipv6ndother-config-flag
noipv6ndother-config-flag
Syntax Description
This command has no arguments or keywords.
Command Default
The "other stateful configuration" flag is not set in IPv6 router advertisements.
Command Modes
Interface configuration
Command History
Release
Modification
12.2(2)T
This command was introduced.
12.0(21)ST
This command was integrated into Cisco IOS Release 12.0(21)ST.
12.0(22)S
This command was integrated into Cisco IOS Release 12.0(22)S.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(18)SXE
This command was integrated into Cisco IOS Release 12.2(18)SXE.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SRE
This command was modified. It was integrated into Cisco IOS Release 12.2(33)SRE.
Usage Guidelines
The setting of the "other stateful configuration" flag in IPv6 router advertisements indicates to attached hosts how they can obtain autoconfiguration information other than addresses. If the flag is set, the attached hosts should use stateful autoconfiguration to obtain the other (nonaddress) information.
Note
If the "managed address configuration" flag is set using the ipv6ndmanaged-config-flag command, then an attached host can use stateful autoconfiguration to obtain the other (nonaddress) information regardless of the setting of the "other stateful configuration" flag.
Examples
The following example configures the "other stateful configuration" flag in IPv6 router advertisements on Ethernet interface 0/0:
Sets the "managed address configuration" flag in IPv6 router advertisements.
showipv6interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd prefix
To configure which IPv6 prefixes are included in IPv6 Neighbor Discovery (ND) router advertisements, use the
ipv6ndprefixcommand in interface configuration mode. To remove the prefixes, use the
no form of this command.
The IPv6 network number to include in router advertisements.
This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.
/prefix-length
The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.
default
Default values are used.
no-advertise
(Optional) The prefix is not advertised.
valid-lifetime
(Optional) The amount of time (in seconds) that the specified IPv6 prefix is advertised as being valid.
preferred-lifetime
(Optional) The amount of time (in seconds) that the specified IPv6 prefix is advertised as being preferred.
off-link
(Optional) Configures the specified prefix as off-link. The prefix will be advertised with the L-bit clear. The prefix will not be inserted into the routing table as a Connected prefix. If the prefix is already present in the routing table as a Connected prefix (for example, because the prefix was also configured using the
ipv6address command), then it will be removed.
no-rtr-address
(Optional) Indicates that the router will not send the full router address in prefix advertisements and will not set the R bit.
no-autoconfig
(Optional) Indicates to hosts on the local link that the specified prefix cannot be used for IPv6 autoconfiguration. The prefix will be advertised with the A-bit clear.
no-onlink
(Optional) Configures the specified prefix as not on-link. The prefix will be advertised with the L-bit clear.
atvalid-datepreferred-date
(Optional) The date and time at which the lifetime and preference expire. The prefix is valid until this specified date and time are reached. Dates are expressed in the form
date-valid-expiremonth-valid-expireyear-valid-expireand
hh:mm-valid-expiredate-prefer-expiremonth-prefer-expireyear-valid-expirehh:mm-prefer-expire.
Command Default
All prefixes configured on interfaces that originate IPv6 router advertisements are advertised with a valid lifetime of 2,592,000 seconds (30 days) and a preferred lifetime of 604,800 seconds (7 days).
Note that by default:
All prefixes will be inserted in the routing table as Connected prefixes
All prefixes will be advertised as on-link (for example, the L-bit will be set in the advertisement)
All prefixes will be advertised as an autoconfiguration prefix (for example, the A-bit will be set in the advertisement)
Command Modes
Interface configuration
Command History
Release
Modification
12.2(13)T
This command was introduced. This command replaces the
ipv6ndprefix-advertisement command.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.3(11)T
The
no-rtr-address keyword was added.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.2(32.08.01)REC154
The
no-onlink keyword was added. <<Correct release? Looks odd>>
15.2(2)SA2
This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.
Usage Guidelines
This command allows control over the individual parameters per prefix, including whether the prefix should be advertised.
By default, prefixes configured as addresses on an interface using the
ipv6address command are advertised in router advertisements. If you configure prefixes for advertisement using the
ipv6ndprefixcommand, then only these prefixes are advertised.
Default Parameters
The
default keyword can be used to set default parameters for all prefixes.
Prefix Lifetime and Expiration
A date can be set to specify the expiration of a prefix. The valid and preferred lifetimes are counted down in real time. When the expiration date is reached, the prefix will no longer be advertised.
On-Link
When on-link is "on" (by default), the specified prefix is assigned to the link. Nodes sending traffic to such addresses that contain the specified prefix consider the destination to be locally reachable on the link.
Autoconfiguration
When autoconfiguration is "on" (by default), it indicates to hosts on the local link that the specified prefix can be used for IPv6 autoconfiguration.
The configuration options affect the L-bit and A-bit settings associated with the prefix in the IPv6 ND Router Advertisement, and presence of the prefix in the routing table, as follows:
Default L=1 A=1 In Routing Table
no-onlink L=0 A=1 In Routing Table
no-autoconfig L=1 A=0 In Routing Table
no-onlink no-autoconfig L=0 A=0 In Routing Table
off-link L=0 A=1 Not in Routing Table
off-link no-autoconfig L=0 A=0 Not in Routing Table
Examples
The following example includes the IPv6 prefix 2001:0DB8::/35 in router advertisements sent out Ethernet interface 0/0 with a valid lifetime of 1000 seconds and a preferred lifetime of 900 seconds:
Configures an IPv6 link-local address for an interface and enables IPv6 processing on the interface.
ipv6addresseui-64
Configures an IPv6 address and enables IPv6 processing on an interface using an EUI-64 interface ID in the low-order 64 bits of the address.
ipv6mobilehome-agent(interfaceconfiguration)
Initializes and starts the IPv6 Mobile home agent on a specific interface.
ipv6ndmanaged-config-flag
Sets the "managed address configuration" flag in IPv6 router advertisements.
showipv6interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd prefix framed-ipv6-prefix
To add the prefix in a received RADIUS framed IPv6 prefix attribute to the interface’s neighbor discovery prefix queue, use the ipv6ndprefixframed-ipv6-prefixcommand in interface configuration mode. To disable this feature, use the no form of this command.
ipv6ndprefixframed-ipv6-prefix
noipv6ndprefixframed-ipv6-prefix
Syntax Description
This command has no arguments or keywords.
Command Default
Prefix is sent in the router advertisements (RAs).
Command Modes
Interface configuration
Command History
Release
Modification
12.3(14)T
This command was introduced.
12.2(18)SXE
This command was integrated into Cisco IOS Release 12.2(18)SXE.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
Usage Guidelines
Use the ipv6ndprefixframed-ipv6-prefixcommand to add the prefix in a received RADIUS framed IPv6 prefix attribute to the interface’s neighbor discovery prefix queue and include it in RAs sent on the interface’s link. By default, the prefix is sent in RAs. If the prefix in the attribute should be used by other applications such as the Dynamic Host Configuration Protocol (DHCP) for IPv6 server, administrators can disable the default behavior with the no form of the command.
Examples
The following example adds the prefix in a received RADIUS framed IPv6 prefix attribute to the interface’s neighbor discovery prefix queue:
ipv6 nd prefix framed-ipv6-prefix
ipv6 nd prefix-advertisement
Note
Effective with Cisco IOS Release 12.2(13)T, the
ipv6ndprefix-advertisement command is replaced by the
ipv6ndprefix command. See the
ipv6ndprefix command for more information.
To configure which IPv6 prefixes are included in IPv6 router advertisements, use the
ipv6ndprefix-advertisementcommand in interface configuration mode. To remove the prefixes, use the
no form of this command.
The IPv6 network number to include in router advertisements.
This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.
/prefix-length
The length of the IPv6 prefix. A decimal value that indicates how many of the high-order contiguous bits of the address comprise the prefix (the network portion of the address). A slash mark must precede the decimal value.
valid-lifetime
The amount of time (in seconds) that the specified IPv6 prefix is advertised as being valid.
preferred-lifetime
The amount of time (in seconds) that the specified IPv6 prefix is advertised as being preferred.
onlink
(Optional) Indicates that the specified prefix is assigned to the link. Nodes sending traffic to such addresses that contain the specified prefix consider the destination to be locally reachable on the link.
autoconfig
(Optional) Indicates to hosts on the local link that the specified prefix can be used for IPv6 autoconfiguration.
Command Default
All prefixes configured on interfaces that originate IPv6 router advertisements are advertised with a valid lifetime of 2592000 seconds (30 days) and a preferred lifetime of 604800 seconds (7 days), and with both the "onlink" and "autoconfig" flags set.
Command Modes
Interface configuration
Command History
Release
Modification
12.2(2)T
This command was introduced.
12.0(21)ST
This command was integrated into Cisco IOS Release 12.0(21)ST.
12.0(22)S
This command was integrated into Cisco IOS Release 12.0(22)S.
12.2(13)T
This command was replaced by the
ipv6ndprefix command.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
Usage Guidelines
By default, prefixes configured on an interface using the
ipv6address command are advertised with "onlink" and "autoconfiguration" flags set. If you configure prefixes for advertisement using the
ipv6ndprefix-advertisementcommand, then only these prefixes are advertised.
Examples
The following example includes the IPv6 prefix 2001:0DB8::/35 in router advertisements sent out Ethernet interface 0/0 with a valid lifetime of 1000 seconds, a preferred lifetime of 900 seconds, and both the "onlink" and "autoconfig" flags set:
Configures an IPv6 link-local address for an interface and enables IPv6 processing on the interface.
ipv6addresseui-64
Configures an IPv6 address and enables IPv6 processing on an interface using an EUI-64 interface ID in the low-order 64 bits of the address.
ipv6ndmanaged-config-flag
Sets the "managed address configuration" flag in IPv6 router advertisements.
showipv6interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd ra dns server
To configure the IPv6 router advertisement of DNS server addresses on an interface, use the ipv6 nd ra dns server command in interface configuration mode. To remove the IPv6 router advertisement of DNS server addresses, use the no form of this command.
ipv6 nd ra dns serveripv6-addressseconds
no ipv6 nd ra dns serveripv6-address
Syntax Description
seconds
The amount of time (in seconds) that the Domain Naming System (DNS) server is advertised in an IPv6 router advertisement (RA). The range is from 200 to 4294967295.
Command Default
The DNS server is not advertised in an IPv6 RA.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
Cisco IOS XE Release 3.9S
This command was introduced.
Usage Guidelines
You can use the ipv6 nd ra dns server command to configure up to eight DNS server addresses in an RA.
If you configure a seconds value of zero, the DNS server will no longer be used.
Examples
The following example configures a DNS server with an IPv6 address of 2001:DB8:1::1 to be advertised in an RA with a lifetime of 600 seconds:
Router(config)# interface ethernet 0/0
Router(config-if)# ipv6 nd ra dns server 2001:DB8:1::1 600
Related Commands
Command
Description
ipv6ndrainterval
Configures the interval between IPv6 router advertisement transmissions on an interface.
showipv6interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd ra interval
To configure the
interval between IPv6 router advertisement (RA) transmissions on an interface,
use the
ipv6ndrainterval command in interface configuration mode.
To restore the default interval, use the
no form of this
command.
Maximum
interval between IPv6 RA transmissions in seconds.
minimum-secs
(Optional) Minimum interval between IPv6 RA transmissions in seconds. The range
is from 3 to 150.
msec
Intervals
specified in milliseconds.
maximum-ms
Maximum
interval between IPv6 RA transmissions in milliseconds.
minimum-ms
(Optional) Minimum interval between IPv6 RA transmissions in milliseconds. The
smallest possible minimum RA interval is 30 milliseconds.
Command Default
The default is 200
seconds.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(2)T
This
command was introduced. This command replaces the
ipv6ndra-intervalcommand.
12.2(25)SG
This
command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SRA
This
command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This
command was integrated into Cisco IOS Release 12.2(33)SXH.
12.2(33)SB
This
command was integrated into Cisco IOS Release 12.2(33)SB.
15.2(2)SA2
This
command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.
Usage Guidelines
The interval
between transmissions should be less than or equal to the IPv6 router
advertisement lifetime if you configure the route as a default router by using
the
ipv6ndralifetimecommand. To prevent synchronization with
other IPv6 nodes, the actual interval used is randomly selected from a value
between the minimum and maximum values.
Users can
explicitly configure a minimum RA interval. The minimum RA interval may never
be more than 75% of the maximum RA interval and never less than 3 seconds (if
specified in seconds). If the minimum RA interval is not configured, then it is
calculated as 75% of the maximum RA interval.
If the user
specifies the time in milliseconds, then the smallest minimum RA interval is 30
milliseconds. This limit allows configuration of very short RA intervals for
Mobile IPv6.
The maximum and
the minimum RA interval govern only the unsolicited RA messages. The solicited
RA messages are transmitted as router solicitation (RS) on the interface.
However, if multiple RS messages are received every second, there is a minimum
delay of 3 seconds between the RA messages. This limits the number of solicited
RA messages transmitted from the interface.
Examples
The following
example configures an IPv6 router advertisement interval of 201 seconds for
Ethernet interface 0/0:
Device(config)# interface ethernet 0/0
Device(config-if)# ipv6 nd ra interval 201
The following
examples shows a maximum RA interval of 200 seconds and a minimum RA interval
of 50 seconds:
Device(config-if) ipv6 nd ra interval 200 50
The following
examples shoes a maximum RA interval of 100 seconds and a minimum RA interval
of 30 milliseconds, which is the smallest value allowed:
Device(config-if) ipv6 nd ra interval msec 100 30
Related Commands
Command
Description
ipv6mobilehome-agent(interfaceconfiguration)
Initializes and starts the Mobile IPv6 home agent on a specific interface.
ipv6ndadvertisement-interval
Configures the advertisement interval option to be sent in RAs.
ipv6ndralifetime
Configures the router lifetime value in IPv6 router advertisements on an
interface.
showipv6interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd ra lifetime
To configure the router lifetime value in IPv6 router advertisements on an interface, use the ipv6ndralifetimecommand in interface configuration mode. To restore the default lifetime, use the no form of this command.
ipv6ndralifetimeseconds
noipv6ndralifetime
Syntax Description
seconds
The validity of this router as a default router on this interface (in seconds).
Command Default
The default lifetime value is 1800 seconds.
Command Modes
Interface configuration
Command History
Release
Modification
12.4(2)T
This command was introduced. This command replaces the ipv6ndra-lifetime command.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
15.2(2)SA2
This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.
Usage Guidelines
The "router lifetime" value is included in all IPv6 router advertisements sent out the interface. The value indicates the usefulness of the router as a default router on this interface. Setting the value to 0 indicates that the router should not be considered a default router on this interface. The "router lifetime" value can be set to a non zero value to indicate that it should be considered a default router on this interface. The non zero value for the "router lifetime" value should not be less than the router advertisement interval.
Examples
The following example configures an IPv6 router advertisement lifetime of 1801 seconds for Ethernet interface 0/0:
Router(config)# interface ethernet 0/0
Router(config-if)# ipv6 nd ra lifetime 1801
Related Commands
Command
Description
ipv6ndrainterval
Configures the interval between IPv6 router advertisement transmissions on an interface.
showipv6interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd ra suppress
To suppress IPv6 router advertisement transmissions on a LAN interface, use the ipv6ndrasuppresscommand in interface configuration mode. To reenable the sending of IPv6 router advertisement transmissions on a LAN interface, use the no form of this command.
ipv6ndrasuppress [all]
noipv6ndrasuppress
Syntax Description
all
(Optional) Suppresses all router advertisements (RAs) on an interface.
Command Default
IPv6 router advertisements are automatically sent on Ethernet and FDDI interfaces if IPv6 unicast routing is enabled on the interfaces. IPv6 router advertisements are not sent on other types of interfaces.
Command Modes
Interface configuration
Command History
Release
Modification
12.4(2)T
This command was introduced. This command replaces the ipv6ndsuppress-racommand.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Cisco IOS XE Release 2.1
This command was integrated into Cisco IOS XE Release 2.1.
15.2(2)SA2
This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.
Usage Guidelines
The ipv6ndrasuppress command only suppresses periodic unsolicited RAs. It does not suppress RAs sent in response to a router solicitation. To suppress all RAs, including those sent in response to a router solicitation, use the ipv6ndrasuppress command with the all keyword.
Use the no ipv6ndrasuppresscommand to enable the sending of IPv6 RA transmissions on non-LAN interface types (for example, serial or tunnel interfaces).
Examples
The following example suppresses IPv6 router advertisements on Ethernet interface 0/0:
Router(config)# interface ethernet 0/0
Router(config-if)# ipv6 nd ra suppress
The following example enables the sending of IPv6 router advertisements on serial interface 0/1:
Router(config)# interface serial 0/1
Router(config-if)# no ipv6 nd ra suppress
Related Commands
Command
Description
showipv6interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd raguard
To apply the router advertisements (RA) guard feature, use the ipv6ndraguardcommand in interface configuration mode.
ipv6ndraguard
noipv6ndraguard
Syntax Description
This command has no arguments or keywords.
Command Default
An RA guard policy is not configured.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.2(33)SXI4
This command was introduced.
12.2(54)SG
This command was modified. Support for Cisco IOS Release 12.2(54)SG was added.
Usage Guidelines
The ipv6ndraguard command enables the RA guard feature. If the RA does not match with the configured option, the packet is dropped.
Examples
The following example applies the RA guard:
Router(config-if)# ipv6 nd raguard
ipv6 nd raguard attach-policy
To apply the IPv6 router advertisement (RA) guard feature on a specified interface, use the
ipv6ndraguardattach-policy command in interface configuration mode.
(Optional) Applies the IPv6 RA guard feature to a VLAN on the interface.
add
Adds a VLAN to be inspected.
except
All VLANs are inspected except the one specified.
none
No VLANs are inspected.
remove
Removes the specified VLAN from RA guard inspection.
all
ND traffic from all VLANs on the port is inspected.
vlan
(Optional) A specific VLAN on the interface. More than one VLAN can be specified (vlan1,
vlan2,
vlan3...). The range of available VLAN numbers is from 1 through 4094.
Command Default
An IPv6 RA guard policy is not configured.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.2(50)SY
This command was introduced.
15.2(4)S
This command was integrated into Cisco IOS Release 15.2(4)S.
15.0(2)SE
This command was integrated into Cisco IOS Release 15.0(2)SE.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
If no policy is specified using the
policy-name argument, the port device role is set to host and all inbound router traffic (for example, RA and redirect messages) is blocked.
If no VLAN is specified (which is equal to entering the
vlanall keywords after the
policy-name argument), RA guard traffic from all VLANs on the port is analyzed.
If specified, the VLAN parameter is either a single VLAN number from 1 through 4094 or a range of VLANs described by two VLAN numbers, the lesser one first, separated by a dash. Do not enter any spaces between comma-separated vlan parameters or in dash-specified ranges; for example, vlan 1-100,200,300-400.
Examples
In the following example, the IPv6 RA guard feature is applied on GigabitEthernet interface 0/0:
To define the router advertisement (RA) guard policy name and enter RA guard policy configuration mode, use the
ipv6ndraguardpolicy command in global configuration mode.
ipv6ndraguardpolicypolicy-name
Syntax Description
policy-name
IPv6 RA guard policy name.
Command Default
An RA guard policy is not configured.
Command Modes
Global configuration (config)#
Command History
Release
Modification
12.2(50)SY
This command was introduced.
15.2(4)S
This command was integrated into Cisco IOS Release 15.2(4)S.
15.0(2)SE
This command was integrated into Cisco IOS Release 15.0(2)SE.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Use the
ipv6ndraguardpolicy command to configure RA guard globally on a router. Once the device is in ND inspection policy configuration mode, you can use any of the following commands:
device-role
drop-unsecure
limitaddress-count
sec-levelminimum
trusted-port
validatesource-mac
After IPv6 RA guard is configured globally, you can use the
ipv6ndraguardattach-policy command to enable IPv6 RA guard on a specific interface.
Examples
The following example shows how to define the RA guard policy name as policy1 and place the device in policy configuration mode:
Specifies the role of the device attached to the port.
drop-unsecure
Drops messages with no or invalid options or an invalid signature.
ipv6ndraguardattach-policy
Applies the IPv6 RA guard feature on a specified interface.
limitaddress-count
Limits the number of IPv6 addresses allowed to be used on the port.
sec-levelminimum
Specifies the minimum security level parameter value when CGA options are used.
trusted-port
Configures a port to become a trusted port.
validatesource-mac
Checks the source MAC address against the link layer address.
ipv6 nd reachable-time
To configure the amount of time that a remote IPv6 node is considered reachable after some reachability confirmation event has occurred, use the ipv6ndreachable-timecommand in interface configuration mode. To restore the default time, use the no form of this command.
ipv6ndreachable-timemilliseconds
noipv6ndreachable-time
Syntax Description
milliseconds
The amount of time that a remote IPv6 node is considered reachable (in milliseconds).
Command Default
0 milliseconds (unspecified) is advertised in router advertisements and the value 30000 (30 seconds) is used for the neighbor discovery activity of the router itself.
Command Modes
Interface configuration
Command History
Release
Modification
12.2(2)T
This command was introduced.
12.0(21)ST
This command was integrated into Cisco IOS Release 12.0(21)ST.
12.0(22)S
This command was integrated into Cisco IOS Release 12.0(22)S.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
15.2(2)SA2
This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.
Usage Guidelines
The configured time enables the router to detect unavailable neighbors. Shorter configured times enable the router to detect unavailable neighbors more quickly; however, shorter times consume more IPv6 network bandwidth and processing resources in all IPv6 network devices. Very short configured times are not recommended in normal IPv6 operation.
The configured time is included in all router advertisements sent out of an interface so that nodes on the same link use the same time value. A value of 0 means indicates that the configured time is unspecified by this router.
Examples
The following example configures an IPv6 reachable time of 1,700,000 milliseconds for Ethernet interface 0/0:
Displays the usability status of interfaces configured for IPv6.
ipv6 nd resolution data limit
To configure the number of data packets queued pending Neighbor Discovery resolution, use the ipv6ndresolutiondatalimit command in global configuration mode.
ipv6ndresolutiondatalimitnumber-of-packets
noipv6ndresolutiondatalimitnumber-of-packets
Syntax Description
number-of-packets
The number of queued data packets. The range is from 16 to 2048 packets.
Command Default
Queue limit is 16 packets.
Command Modes
Global configuration
Command History
Release
Modification
Cisco IOS XE Release 2.6
This command was introduced.
Usage Guidelines
The ipv6ndresolutiondatalimit command allows the customer to configure the number of data packets queued pending Neighbor Discovery resolution. IPv6 Neighbor Discovery queues a data packet that initiates resolution for an unresolved destination. Neighbor Discovery will only queue one packet per destination. Neighbor Discovery also enforces a global (per-router) limit on the number of packets queued. Once the global queue limit is reached, further packets to unresolved destinations are discarded. The minimum (and default) value is 16 packets, and the maximum value is 2048.
In most situations, the default value of 16 queued packets pending Neighbor Discovery resolution is sufficient. However, in some high-scalability scenarios in which the router needs to initiate communication with a very large number of neighbors almost simultaneously, then the value may be insufficient. This may lead to loss of the initial packet sent to some neighbors. In most applications, the initial packet is retransmitted, so initial packet loss generally is not a cause for concern. (Note that dropping the initial packet to an unresolved destination is normal in IPv4.) However, there may be some high-scale configurations where loss of the initial packet is inconvenient. In these cases, the customer can use the ipv6ndresolutiondatalimit command to prevent the initial packet loss by increasing the unresolved packet queue size.
Examples
The following example configures the global number of data packets held awaiting resolution to be 32:
Router(config)# ipv6 nd resolution data limit 32
ipv6 nd route-owner
To insert Neighbor Discovery-learned routes into the routing table with "ND" status and to enable ND autoconfiguration behavior, use the
ipv6 nd route-owner command. To remove this information from the routing table, use the
no form of this command.
ipv6
ndroute-owner
Syntax Description
This command has no arguments or keywords.
Command Default
The status of Neighbor Discovery-learned routes is "Static."
Command Modes
Global configuration (config)#
Command History
Release
Modification
15.2(1)T
This command was introduced.
Usage Guidelines
The
ipv6 nd route-owner command inserts routes learned by Neighbor Discovery into the routing table with a status of "ND" rather than "Static" or "Connected."
This global command also enables you to use the
ipv6 nd autoconfig default or
ipv6 nd autoconfig prefix commands in interface configuration mode. If the
ipv6 nd route-owner command is not issued, then the
ipv6 nd autoconfig default and
ipv6 nd autoconfig prefix commands are accepted by the router but will not work.
Examples
Device (config)# ipv6 nd route-owner
Related Commands
Command
Description
ipv6 nd autoconfig default
Allows Neighbor Discovery to install a default route to the Neighbor Discovery-derived default router.
ipv6 nd autoconfig prefix
Uses Neighbor Discovery to install all valid on-link prefixes from RAs received on the interface.
ipv6 nd router-preference
To configure a default router preference (DRP) for the router on a specific interface, use the ipv6ndrouter-preferencecommand in interface configuration mode. To return to the default DRP, use the no form of this command.
ipv6ndrouter-preference
{ high | medium | low }
noipv6ndrouter-preference
Syntax Description
high
Preference for the router specified on an interface is high.
medium
Preference for the router specified on an interface is medium.
low
Preference for the router specified on an interface is low.
Command Default
Router advertisements (RAs) are sent with the medium preference.
Command Modes
Interface configuration
Command History
Release
Modification
12.4(2)T
This command was introduced.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
Cisco IOS XE Release 2.1
This command was integrated into Cisco IOS XE Release 2.1.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
RA messages are sent with the DRP configured by the ipv6ndrouter-preference command. If no DRP is configured, RAs are sent with a medium preference.
A DRP is useful when, for example, two routers on a link may provide equivalent, but not equal-cost, routing, and policy may dictate that hosts should prefer one of the routers.
Examples
The following example configures a DRP of high for the router on gigabit Ethernet interface 0/1:
Router(config)# interface Gigabit ethernet 0/1
Router(config-if)# ipv6 nd router-preference high
Related Commands
Command
Description
ipv6ndrainterval
Configures the interval between IPv6 router advertisement transmissions on an interface.
showipv6interface
Displays the usability status of interfaces configured for IPv6.
ipv6 nd secured certificate-db
To configure the maximum number of entries in an IPv6 Secure Neighbor Discovery (SeND) certificate database, use the ipv6ndsecuredcertificate-dbcommand in global configuration mode. To disable any maximum number of entries set for a SeND certificate database, use the no form of this command.
Specifies the maximum number of entries in the certificate database. The range is from 1 to 1000.
Command Default
No SeND certificate database is configured.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.4(24)T
This command was introduced.
Usage Guidelines
This command allows you to set up a maximum size for the certificate database (DB), to protect against denial of service (DoS) certificate flooding. When the limit is reached, new certificates are dropped.
The certificate DB is relevant on a router in host mode only, because it stores certificates received from routers.
Examples
The following example configures a SeND certificate database with a maximum number of 500 entries:
Enables SeND security mode on a specified interface.
ipv6ndsecuredkey-length
Configures SeND key-length options.
ipv6ndsecuredtimestamp
Configures the SeND time stamp.
ipv6ndsecuredtimestamp-db
Configures the maximum number of entries that did not reach the destination in a SeND time-stamp database.
ipv6 nd secured full-secure
To enable the secure mode for IPv6 Secure Neighbor Discovery (SeND) on a router, use the ipv6ndsecuredfull-securecommand in global configuration mode. To disable SeND security mode, use the no form of this command.
ipv6ndsecuredfull-secure
noipv6ndsecuredfull-secure
Syntax Description
This command has no arguments or keywords.
Command Default
Non-SeND neighbor discovery messages are accepted by the router.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.4(24)T
This command was introduced.
Usage Guidelines
The ipv6ndsecuredfull-secure command in global configuration mode allows you to configure the router to accept or reject non-SeND neighbor discovery messages. If this command is enabled, non-SeND messages are rejected by the specified router.
Examples
The following example enables SeND security mode on a router:
Router(config)# ipv6 nd secured full-secure
Related Commands
Command
Description
ipv6ndsecuredfull-secure(interfaceconfiguration)
Enables SeND security mode on a specified interface.
ipv6 nd secured full-secure (interface)
To enable the secure mode for IPv6 Secure Neighbor Discovery (SeND) on a specified interface, use the ipv6ndsecuredfull-securecommand in interface configuration mode. To provide the co-existence mode for secure and nonsecure neighbor discovery messages on an interface, use the no form of this command.
ipv6ndsecuredfull-secure
noipv6ndsecuredfull-secure
Syntax Description
This command has no arguments or keywords.
Command Default
Non-SeND messages are accepted by the interface.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(24)T
This command was introduced.
Usage Guidelines
The ipv6ndsecuredfull-secure command in interface configuration mode allows you to configure a specified interface to accept or reject non-SeND neighbor discovery messages. If this command is enabled, non-SeND messages are rejected by the interface. If this command is not enabled, secure and nonsecure neighbor discovery messages can coexist on the same interface.
Examples
The following example enables SeND security mode on an interface:
To configure IPv6 Secure Neighbor Discovery (SeND) key-length options, use the ipv6ndsecuredkey-lengthcommand in global configuration mode. To disable the key length, use the no form of this command.
ipv6ndsecuredkey-length
[ [ minimum | maximum ]
value ]
noipv6ndsecuredkey-length
Syntax Description
minimum value
(Optional) Sets the minimum key-length value, which should be at least 384 bits. The range is from 384 to 2048 bits, and the default key-length value is 1024 bits.
maximum value
(Optional) Sets the maximum key-length value. The range is from 384 to 2048 bits, and the default key-length value is 1024 bits.
Command Default
The key length is 1024 bits.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.4(24)T
This command was introduced.
Usage Guidelines
When used by SeND, the key length is checked against the key-length value, as set in the ipv6ndsecuredkey-length command. When packets are received from a neighbor with a key length that is out of the configured boundaries, the packets are treated as unsecure.
Examples
The following example sets the minimum key-length value to 512 bits and the maximum value to 1024 bits:
Configures the maximum number of entries in a SeND certificate database.
ipv6ndsecuredfull-secure(globalconfiguration)
Enables SeND security mode on a specified router.
ipv6ndsecuredfull-secure(interfaceconfiguration)
Enables SeND security mode on a specified interface.
ipv6ndsecuredtimestamp
Configures the SeND time stamp.
ipv6ndsecuredtimestamp-db
Configures the maximum number of entries in a SeND time-stamp database.
ipv6 nd secured sec-level
To configure the minimum security value that IPv6 Secure Neighbor Discovery (SeND) will accept from its peer, use the
ipv6ndsecuredsec-levelcommand in global configuration mode. To disable the security level, use the
no form of this command.
ipv6ndsecuredsec-level
[ minimumvalue ]
noipv6ndsecuredsec-level
Syntax Description
minimum
value
(Optional) Sets the minimum security level, which is a value from 0 through 7. The default security level is 1.
Command Default
The default security level is 1.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.4(24)T
This command was introduced.
Usage Guidelines
The
ipv6ndsecuredsec-level command allows the user to configure the minimum security value the router will accept from its peer.
Examples
The following example sets the minimum security level to 2:
Router(config)# ipv6 nd secured sec-level 2
Related Commands
Command
Description
ipv6ndsecuredcertificate-db
Configures the maximum number of entries in a SeND certificate database.
ipv6ndsecuredfull-secure(globalconfiguration)
Enables SeND security mode on a specified router.
ipv6ndsecuredfull-secure(interfaceconfiguration)
Enables SeND security mode on a specified interface.
ipv6ndsecuredkey-length
Configures SeND key-length options.
ipv6ndsecuredtimestamp
Configures the SeND time stamp.
ipv6ndsecuredtimestamp-db
Configures the maximum number of unreached entries in a SeND time-stamp database.
ipv6 nd secured timestamp
To configure the IPv6 Secure Neighbor Discovery (SeND) time stamp, use the ipv6ndsecuredtimestampcommand in interface configuration mode. To return to the default settings, use the no form of this command.
ipv6ndsecuredtimestamp
{ deltavalue | fuzzvalue }
noipv6ndsecuredtimestamp
Syntax Description
deltavalue
Specifies the maximum time difference accepted between the sender and the receiver. Default value is 300 seconds.
fuzzvalue
Specifies the maximum age of the message, when the delta is taken into consideration; that is, the amount of time, in seconds, that a packet can arrive after the delta value before being rejected. Default value is 1 second.
Command Default
Default time-stamp values are used.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(24)T
This command was introduced.
Usage Guidelines
The ipv6ndsecuredtimestamp command configures the amount of time the router waits before it accepts or rejects packets it has received.
Examples
The following example configures the SeND time stamp to be 600 seconds:
Configures the maximum number of entries in a SeND certificate database.
ipv6ndsecuredfull-secure(globalconfiguration)
Enables SeND security mode on a specified router.
ipv6ndsecuredfull-secure(interfaceconfiguration)
Enables SeND security mode on a specified interface.
ipv6ndsecuredkey-length
Configures SeND key-length options.
ipv6ndsecuredtimestamp-db
Configures the maximum number of unreached entries in a SeND time-stamp database.
ipv6 nd secured timestamp-db
To configure the maximum number of unreached entries in an IPv6 Secure Neighbor Discovery (SeND) time-stamp database, use the ipv6ndsecuredtimestamp-dbcommand in global configuration mode. To return to the default settings, use the no form of this command.
Configures the maximum number of entries in a SeND certificate database.
ipv6ndsecuredfull-secure(globalconfiguration)
Enables SeND security mode on a specified router.
ipv6ndsecuredfull-secure(interfaceconfiguration)
Enables SeND security mode on a specified interface.
ipv6ndsecuredkey-length
Configures SeND key-length options.
ipv6ndsecuredtimestamp
Configures the SeND time stamp.
ipv6 nd secured trustanchor
To specify an IPv6 Secure Neighbor Discovery (SeND) trusted anchor on an interface, use the ipv6ndsecuredtrustanchorcommand in interface configuration mode. To remove a trusted anchor, use the no form of this command.
ipv6ndsecuredtrustanchortrustanchor-name
noipv6ndsecuredtrustanchortrustanchor-name
Syntax Description
trustanchor-name
The name to be found in the certificate of the trustpoint.
Command Default
No trusted anchor is defined.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(24)T
This command was introduced.
Usage Guidelines
The ipv6ndsecuredtrustanchorcommand is used to select the certificate authority (CA) you want to authenticate. The trusted anchors configured by this command act as as references to the trustpoints configured.
A crypto Public Key Infrastructure (PKI) trustpoint can be a self-signed root CA or a subordinate CA. The trustpoint-nameargument refers to the name to be found in the certificate of the trustpoint.
The ipv6ndsecuredtrustanchorand ipv6ndsecuredtrustpointcommands both generate an entry in the SeND configuration database that points to the trustpoint provided. More than one trustpoint can be provided for each command, and the same trustpoint can be used in both commands.
Examples
The following example specifies trusted anchor anchor1 on Ethernet interface 0/0:
Declares the trustpoint that your router should use.
ipv6ndsecuredtrustpoint
Specifies which trustpoint should be used for selecting the certificate to advertise.
ipv6 nd secured trustpoint
To specify which trustpoint should be used in the ipv6 Secure Neighbor Discovery (SeND) protocol for selecting the certificate to advertise, use the ipv6ndsecuredtrustpointcommand in interface configuration mode. To disable the trustpoint, use the no form of this command.
ipv6ndsecuredtrustpointtrustpoint-name
noipv6ndsecuredtrustpointtrustpoint-name
Syntax Description
trustpoint-name
The name to be found in the certificate of the trustpoint.
Command Default
SeND is not enabled on a specified interface.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(24)T
This command was introduced.
Usage Guidelines
The ipv6ndsecuredtrustpoint command enables SeND on an interface and specifies which trustpoint should be used. The trustpoint points to the Rivest, Shamir, and Adelman (RSA) key pair and the trusted anchor (which is the certificate authority [CA] signing your certificate).
The ipv6ndsecuredtrustpoint and ipv6ndsecuredtrustanchorcommands both generate an entry in the SeND configuration database that points to the trustpoint provided. More than one trustpoint can be provided for each command, and the same trustpoint can be used in both commands. However, the trustpoint provided in the ipv6ndsecuredtrustpoint command must include a router certificate and the signing CA certificate. It may also include the certificate chain up to the root certificate provided by a CA that hosts (connected to the router) will trust.
The trustpoint provided in the ipv6ndsecuredtrustanchor command must only include a CA certificate.
Examples
The following example specifies trusted anchor anchor1 on Ethernet interface 0/0:
Declares the trustpoint that your router should use.
ipv6ndsecuredtrustanchor
Specifies a trusted anchor on an interface.
ipv6 nd suppress attach-policy
To apply the IPv6 neighbor discovery (ND) suppress feature on a specified interface, use the
ipv6ndsuppressattach-policy command in interface configuration mode.
(Optional) Applies the IPv6 ND suppress feature to a VLAN on the interface.
add
Adds a VLAN to be inspected.
except
All VLANs are inspected except the one specified.
none
No VLANs are inspected.
remove
Removes the specified VLAN from IPv6 ND suppression.
all
ND traffic from all VLANs on the port is inspected.
vlan
(Optional) A specific VLAN on the interface. More than one VLAN can be specified (vlan1,
vlan2,
vlan3...). The range of available VLAN numbers is from 1 through 4094.
Command Default
An IPv6 ND suppress policy is not configured.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
15.3(1)S
This command was introduced.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
If no VLAN is specified (which is equal to entering the
vlanall keywords after the
policy-name argument), RA guard traffic from all VLANs on the port is analyzed.
If specified, the VLAN parameter is either a single VLAN number from 1 through 4094 or a range of VLANs described by two VLAN numbers, the lesser one first, separated by a dash. Do not enter any spaces between comma-separated vlan parameters or in dash-specified ranges; for example, vlan 1-100,200,300-400.
Examples
In the following example, the IPv6 ND suppress feature is applied on Ethernet interface 0/0:
Enables IPv6 ND multicast suppress and enter ND suppress policy configuration mode
ipv6 nd suppress policy
To enable IPv6 Neighbor Discovery (ND) multicast suppress and enter ND suppress policy configuration mode, use the
ipv6ndsuppresspolicy command in global configuration mode.
ipv6
ndsuppresspolicypolicy-name
Syntax Description
policy-name
IPv6 ND suppress policy name.
Command Default
An ND suppress policy is not configured.
Command Modes
Global configuration (config)
Command History
Release
Modification
15.3(1)S
This command was introduced.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Use the
ipv6ndsuppresspolicy command to configure NA suppress globally on a device. After IPv6 ND suppress is configured globally, you can use the
ipv6ndsuppressattach-policy command to enable IPv6 ND suppress on a specific interface.
Examples
The following example shows how to define the ND suppress policy name as policy1 and place the device in policy configuration mode:
Applies the IPv6 ND suppress feature on a specified interface.
ipv6 neighbor
To configure a static entry in the IPv6 neighbor discovery cache, use the ipv6neighbor command in global configuration mode. To remove a static IPv6 entry from the IPv6 neighbor discovery cache, use the no form of this command.
The IPv6 address that corresponds to the local data-link address.
This argument must be in the form documented in RFC 2373 where the address is specified in hexadecimal using 16-bit values between colons.
interface-type
The specified interface type. For supported interface types, use the question mark (?) online help function.
interface-number
The specified interface number.
hardware-address
The local data-link address (a 48-bit address).
Command Default
Static entries are not configured in the IPv6 neighbor discovery cache.
Command Modes
Global configuration
Command History
Release
Modification
12.2(8)T
This command was introduced.
12.0(21)ST
This command was integrated into Cisco IOS Release 12.0(21)ST.
12.0(22)S
This command was integrated into Cisco IOS Release 12.0(22)S.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
15.2(2)SA2
This command was implemented on the Cisco ME 2600X Series Ethernet Access Switches.
Usage Guidelines
The ipv6neighborcommand is similar to the arp (global) command.
If an entry for the specified IPv6 address already exists in the neighbor discovery cache--learned through the IPv6 neighbor discovery process--the entry is automatically converted to a static entry.
Use the showipv6neighbors command to view static entries in the IPv6 neighbor discovery cache. A static entry in the IPv6 neighbor discovery cache can have one of the following states:
INCMP (Incomplete)--The interface for this entry is down.
REACH (Reachable)--The interface for this entry is up.
Note
Reachability detection is not applied to static entries in the IPv6 neighbor discovery cache; therefore, the descriptions for the INCMP and REACH states are different for dynamic and static cache entries. See the showipv6neighborscommand for descriptions of the INCMP and REACH states for dynamic cache entries.
The clearipv6neighbors command deletes all entries in the IPv6 neighbor discovery cache, except static entries. The noipv6neighbor command deletes a specified static entry from the neighbor discovery cache; the command does not remove dynamic entries--learned from the IPv6 neighbor discovery process--from the cache. Disabling IPv6 on an interface by using the noipv6enable command or the noipv6unnumbered command deletes all IPv6 neighbor discovery cache entries configured for that interface, except static entries (the state of the entry changes to INCMP).
Static entries in the IPv6 neighbor discovery cache are not modified by the neighbor discovery process.
Note
Static entries for IPv6 neighbors can be configured only on IPv6-enabled LAN and ATM LAN Emulation interfaces.
Examples
The following example configures a static entry in the IPv6 neighbor discovery cache for a neighbor with the IPv6 address 2001:0DB8::45A and link-layer address 0002.7D1A.9472 on Ethernet interface 1:
To change the defaults of neighbor binding entries in a binding table, use the ipv6neighborbinding command in global configuration mode. To return the networking device to its default, use the no form of this command.
(Optional) The maximum time, in seconds, an entry is considered reachable without getting a proof of reachability (direct reachability through tracking, or indirect reachability through Neighbor Discovery protocol [NDP] inspection). After that, the entry is moved to stale. The range is from 1 through 3600 seconds, and the default is 300 seconds (or 5 minutes).
stale-lifetimevalue
(Optional) The maximum time, in seconds, a stale entry is kept in the binding table before the entry is deleted or proof is received that the entry is reachable.
The default is 24 hours (86,400 seconds).
down-lifetimevalue
(Optional) The maximum time, in seconds, an entry learned from a down interface is kept in the binding table before the entry is deleted or proof is received that the entry is reachable.
The default is 24 hours (86,400 seconds).
Command Default
Reachable lifetime: 300 seconds
Stale lifetime: 24 hours
Down lifetime: 24 hours
Command Modes
Global configuration (config)
Command History
Release
Modification
12.2(50)SY
This command was introduced.
Usage Guidelines
Use the ipv6neighborbinding command to configure information about individual entries in a binding table. If no keywords or arguments are configured, the IPv6 neighbor binding entry defaults are used.
If the trackingreachable-lifetime command is configured, it overrides ipv6neighborbindingreachable-lifetime configuration. If the trackingstale-lifetime command is configured, it overrides ipv6neighborbindingstale-lifetime configuration.
Examples
The following example shows how to change the reachable lifetime for binding entries to 100 seconds:
To change the default of a neighbor binding entry’s down lifetime, use the ipv6neighborbindingdown-lifetimecommand in global configuration mode. To return the networking device to its default, use the no form of this command.
ipv6neighborbindingdown-lifetime
{ value | infinite }
noipv6neighborbindingdown-lifetime
Syntax Description
value
The maximum time, in minutes, an entry learned from a down interface is kept in the table before deletion. The range is from 1 to 3600 minutes.
The default is 24 hours (86,400 seconds).
infinite
Keeps an entry in the binding table for an infinite amount of time.
Command Default
A neighbor binding entry is down for 24 hours before it is deleted from the binding table.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.2(50)SY
This command was introduced.
Usage Guidelines
Use the ipv6neighborbindingdown-lifetimecommand to change the amount of time a neighbor binding is down before that binding is removed from the binding table.
Examples
The following example shows how to change a binding entry’s down lifetime to 2 minutes before it is deleted from the binding table:
To add a static entry to the binding table database for an interface, use the
ipv6neighborbindinginterface command in global configuration mode. To remove the static entry, use the
no form of this command.
(Optional) Verifies a static entry’s reachability directly.
disable
(Optional) Disables tracking for a particular static entry.
enable
(Optional) Enables tracking for a particular static entry.
retry-intervalseconds
(Optional) Verifies a static entry’s reachability, in seconds, at the configured interval. The range is from 1 to 3600, and the default is 300.
reachable-lifetimeseconds
(Optional) Specifies the maximum time, in seconds, an entry is considered reachable without getting a proof of reachability (direct reachability through tracking, or indirect reachability through Neighbor Discovery Protocol [NDP] inspection). After that, the entry is moved to stale. The range is from 1 to 3600 seconds, and the default is 300 seconds.
Command Default
Static entries are not added to the binding table database for an interface.
Command Modes
Global configuration (config)
Command History
Release
Modification
Cisco IOS XE Release 3.9S
This command was introduced.
Usage Guidelines
The
ipv6neighborbindinginterface command is used to control the content of the binding table. Use this command to add a static entry in the binding table database. The binding table manager is responsible for aging out entries and directly verifying their reachability by probing them (if the
tracking keyword is enabled). Use of the
tracking keyword overrides any general behavior provided globally by the
ipv6neighbortracking command for this static entry. The
disable keyword disables tracking for this static entry. The
reachable-lifetime keyword defines the maximum time (300 seconds) that the entry will be kept once it is determined not to be reachable (or stale).
Examples
The following example shows how to change the reachable lifetime for binding entries to 100 seconds:
Specifies the maximum number of entries that are allowed to be inserted in the cache.
ipv6 neighbor tracking
Tracks entries in the binding table.
ipv6 neighbor binding logging
To enable the logging of binding table main events, use the
ipv6neighborbindinglogging command in global configuration mode. To disable this function, use the
no form of this command.
ipv6neighborbindinglogging
noipv6neighborbindinglogging
Syntax Description
This command has no arguments or keywords.
Command Default
Binding table events are not logged.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.2(50)SY
This command was introduced.
15.0(2)SE
This command was integrated into Cisco IOS Release 15.0(2)SE.
15.3(1)S
This command was integrated into Cisco IOS Release 15.3(1)S.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Theipv6neighborbindinglogging command enables the logging of the following binding table events:
An entry is inserted into the binding table.
A binding table entry was updated.
A binding table entry was deleted from the binding table.
A binding table entry was not inserted into the binding table, possibly because of a collision with an existing entry, or because the maximum number of entries has been reached.
Examples
The following example shows how to enable binding table event logging:
Router(config)# ipv6 neighbor binding logging
Related Commands
Command
Description
ipv6neighborbindingvlan
Adds a static entry to the binding table database.
ipv6 neighbor tracking
Tracks entries in the binding table.
ipv6snoopingloggingpacketdrop
Configures IPv6 snooping security logging.
ipv6 neighbor binding max-entries
To specify the maximum number of entries that are allowed to be inserted in the binding table cache, use the
ipv6neighborbindingmax-entries command in global configuration mode. To return to the default, use the
no form of this command.
Number of entries that can be inserted into the cache.
vlan-limitnumber
(Optional) Specifies a neighbor binding limit per number of VLANs.
interface-limitnumber
(Optional) Specifies a neighbor binding limit per interface.
mac-limitnumber
(Optional) Specifies a neighbor binding limit per number of Media Access Control (MAC) addresses.
Command Default
This command is disabled.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.2(50)SY
This command was introduced.
15.0(2)SE
This command was integrated into Cisco IOS Release 15.0(2)SE.
15.3(1)S
This command was integrated into Cisco IOS Release 15.3(1)S.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
The
ipv6neighborbindingmax-entries command is used to control the content of the binding table. This command specifies the maximum number of entries that are allowed to be inserted in the binding table cache. Once this limit is reached, new entries are refused, and the Neighbor Discovery Protocol (NDP) traffic source with the new entry is dropped.
If the maximum number of entries specified is lower than the current number of entries in the database, no entries are cleared, and the new threshold is reached after normal cache attrition.
The maximum number of entries can be set globally per VLAN, interface, or MAC addresses.
Examples
The following example shows how to specify globally the maximum number of entries inserted into the cache:
Adds a static entry to the binding table database.
ipv6 neighbor tracking
Tracks entries in the binding table.
ipv6 neighbor binding stale-lifetime
To set the length of time a stale entry is kept in the binding table, use the ipv6neighborbindingstale-lifetimecommand in global configuration mode. To return to the default setting, use the no form of this command.
ipv6neighborbindingstale-lifetime
{ value | infinite }
noipv6neighborbinding
Syntax Description
value
The maximum time, in minutes, a stale entry is kept in the table before it is deleted or some proof of reachability is seen. The range is from 1 to 3600 minutes, and the default is 24 hours (or 1440 minutes).
infinite
Keeps an entry in the binding table for an infinite amount of time.
Command Default
Stale lifetime: 1440 minutes (24 hours)
Command Modes
Global configuration (config)
Command History
Release
Modification
12.2(50)SY
This command was introduced.
Usage Guidelines
Use the ipv6neighborbindingstale-lifetimecommand to configure the length of time a stale entry is kept in the binding table before it is removed.
Examples
The following example shows how to change the stale lifetime for a binding entry to 720 minutes (or 12 hours):
Router(config)# ipv6 neighbor binding stale lifetime 720
Related Commands
Command
Description
ipv6neighborbinding
Changes the defaults of neighbor binding entries in a binding table.
ipv6 neighbor binding vlan
To add a static entry to the binding table database, use the
ipv6neighborbindingvlan command in global configuration mode. To remove the static entry, use the
no form of this command.
Adds static entries by the specified interface type and number.
ipv6-address
IPv6 address of the static entry.
mac-address
Media Access Control (MAC) address of the static entry.
tracking
(Optional) Verifies a static entry’s reachability directly.
disable
(Optional) Disables tracking for a particular static entry.
enable
(Optional) Enables tracking for a particular static entry.
retry-intervalvalue
(Optional) Verifies a static entry’s reachability, in seconds, at the configured interval. The range is from 1 to 3600, and the default is 300.
reachable-lifetimevalue
(Optional) Specifies the maximum time, in seconds, an entry is considered reachable without getting a proof of reachability (direct reachability through tracking, or indirect reachability through Neighbor Discovery Protocol [NDP] inspection). After that, the entry is moved to stale. The range is from 1 to 3600 seconds, and the default is 300 seconds.
Command Default
Retry interval: 300 seconds
Reachable lifetime: 300 seconds
Command Modes
Global configuration (config)
Command History
Release
Modification
12.2(50)SY
This command was introduced.
15.0(2)SE
This command was integrated into Cisco IOS Release 15.0(2)SE.
15.3(1)S
This command was integrated into Cisco IOS Release 15.3(1)S.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
The
ipv6neighborbindingvlan command is used to control the content of the binding table. Use this command to add a static entry in the binding table database. The binding table manager is responsible for aging out entries and verifying their reachability directly by probing them (if the
tracking keyword is enabled). Use of the
tracking keyword overrides any general behavior provided globally by the
ipv6neighbortracking command for this static entry. The
disable keyword disables tracking for this static entry. The
stale-lifetime keyword defines the maximum time the entry will be kept once it is determined to be not reachable (or stale).
Examples
The following example shows how to change the reachable lifetime for binding entries to 100 seconds:
Specifies the maximum number of entries that are allowed to be inserted in the cache.
ipv6 neighbor tracking
Tracks entries in the binding table.
ipv6 neighbor tracking
To track entries in the binding table, use the
ipv6neighbortracking command in global configuration mode. To disable entry tracking, use the
no form of this command.
ipv6neighbortracking
[ retry-intervalvalue ]
noipv6neighbortracking
[ retry-intervalvalue ]
Syntax Description
retry-intervalvalue
(Optional) Verifies a static entry’s reachability at the configured interval time, in seconds, between two probings. The range is from 1 to 3600, and the default is 300.
Command Default
Entries in the binding table are not tracked.
Command Modes
Global configuration (config)
Command History
Release
Modification
12.2(50)SY
This command was introduced.
15.0(2)SE
This command was integrated into Cisco IOS Release 15.0(2)SE.
15.3(1)S
This command was integrated into Cisco IOS Release 15.3(1)S.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
The
ipv6neighbortracking command enables the tracking of entries in the binding table. Entry reachability is tested at every interval configured by the optional
retry-interval keyword (or every 300 seconds, which is the default retry interval) using the neighbor unreachability detection (NUD) mechanism used for directly tracking neighbor reachability.
Reachability can also be established indirectly by using Neighbor Discovery Protocol (NDP) inspection up to the VERIFY_MAX_RETRIES value (the default is 10 seconds). When there is no response, entries are considered stale and are deleted after the stale lifetime value is reached (the default is 1440 minutes).
When the
ipv6neighbortracking command is disabled, entries are considered stale after the reachable lifetime value is met (the default is 300 seconds) and deleted after the stale lifetime value is met.
To change the default values of neighbor binding entries in a binding table, use the
ipv6neighborbinding command.
Examples
The following example shows how to track entries in a binding table:
Router(config)# ipv6 neighbor tracking
Related Commands
Command
Description
ipv6 neighbor binding
Changes the defaults of neighbor binding entries in a binding table.
ipv6 next-hop-self eigrp
To instruct a device configured with the Enhanced Interior Gateway Routing Protocol (EIGRP) that the IPv6 next hop is the local outbound interface address, use the
ipv6next-hop-selfeigrp command in interface configuration mode. To instruct EIGRP to use the received next hop instead of the local outbound interface, use the
no form of this command.
(Optional) Evaluates all paths to a network before advertising the paths out of an interface.
Command Default
The IPv6 next-hop-self state is enabled.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(6)T
This command was introduced.
12.2(33)SRB
This command was integrated into Cisco IOS Release 12.2(33)SRB.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Cisco IOS XE Release 2.1
This command was integrated into Cisco IOS XE Release 2.1.
15.2(1)S
This command was integrated into Cisco IOS Release 15.2(1)S. The
no-ecmp-mode keyword was added.
Cisco IOS XE Release 3.5S
This command was modified. The
no-ecmp-mode keyword was added.
15.2(3)T
This command was modified. The
no-ecmp-mode keyword was added.
Usage Guidelines
EIGRP, by default, sets the next-hop value to the local outbound interface address for routes that it is advertising, even when advertising those routes back out of the same interface on which they were learned. To change this default, use the
noipv6next-hop-selfeigrp command to instruct EIGRP to use the received next-hop value when advertising these routes. Some exceptions to this guideline are as follows:
If your topology does not require spoke-to-spoke dynamic tunnels, you need not configure the
noipv6next-hop-selfeigrp command.
If your topology requires spoke-to-spoke dynamic tunnels, you must use process switching on the tunnel interface on spoke devices. Otherwise, you will need to use a different routing protocol over Dynamic Multipoint VPN (DMVPN).
The
no-ecmp-mode option is an enhancement to the
no ipv6 next-hop-self eigrp command. When this option is enabled, all routes to a network in the EIGRP table are evaluated to check whether routes advertised from an interface were learned on the same interface. If a route advertised by an interface was learned on the same interface, the
no ipv6 next-hop-self eigrp configuration is honored and the received next hop is used to advertise this route. Disabling the IPv6 next-hop self functionality is primarily useful in DMVPN spoke-to-spoke topologies.
Examples
The following example shows how to change the default IPv6 next-hop value by disabling the
ipv6 next-hop-self functionality and configuring EIGRP to use the received next-hop value to advertise routes:
Device(config)# interface serial 0
Device(config-if)# no ipv6 next-hop-self eigrp 1 no-ecmp-mode
Related Commands
Command
Description
next-hop-self
Instructs an EIGRP device that the IPv6 next hop is the local outbound interface.
ip next-hop-self eigrp
Enables EIGRP to advertise routes with the local outbound interface address as the next hop.
ipv6 nhrp authentication
To configure the authentication string for an interface using the Next Hop Resolution Protocol (
NHRP), use the ipnhrpauthenticationcommand ininterface configuration mode. To remove the authentication string, use the no form of this command.
ipv6nhrpauthenticationstring
noipv6nhrpauthentication [string]
Syntax Description
string
Authentication string configured for the source and destination stations that controls whether NHRP stations allow intercommunication. The string can be up to eight characters long.
Command Default
No authentication string is configured. Cisco IOS software adds no authentication option to NHRP packets it generates.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
All routers configured with NHRP within one logical nonbroadcast multiaccess (NBMA) network must share the same authentication string.
Examples
In the following example, the authentication string named examplexx must be configured in all devices using NHRP on the interface before NHRP communication occurs:
ip nhrp authentication examplexx
ipv6 nhrp holdtime
To change the number of seconds that Next Hop Resolution Protocol
(NHRP) nonbroadcast multiaccess (NBMA) addresses are advertised as valid in authoritative NHRP responses, use the ipv6nhrpholdtimecommand ininterface configuration mode. To restore the default value, use the no form of this command.
ipv6nhrpholdtimeseconds
noipv6nhrpholdtime [seconds]
Syntax Description
seconds
Time, in seconds, that NBMA addresses are advertised as valid in positive authoritative NHRP responses.
Command Default
7200 seconds (2 hours)
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
The ipv6nhrpholdtime command affects authoritative responses only. The advertised holding time is the length of time the Cisco IOS software tells other routers to keep information that it is providing in authoritative NHRP responses. The cached IPv6-to-NBMA address mapping entries are discarded after the holding time expires.
The NHRP cache can contain static and dynamic entries. The static entries never expire. Dynamic entries expire regardless of whether they are authoritative or nonauthoritative.
Examples
In the following example, NHRP NBMA addresses are advertised as valid in positive authoritative NHRP responses for 1 hour:
ipv6 nhrp holdtime 3600
ipv6 nhrp interest
To control which IPv6 packets can trigger sending a Next Hop Resolution Protocol (NHRP) request packet, use the ipv6nhrpinterestcommand ininterface configuration mode. To restore the default value, use the no form of this command.
ipv6nhrpinterestipv6-access-list
noipv6nhrpinterest [ipv6-access-list]
Syntax Description
ipv6-access-list
IPv6 access list number in the range from 1 to 199.
Command Default
All non-NHRP packets can trigger NHRP requests.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
Use the ipv6nhrpinterest command with theipv6access-list command to control which IPv6 packets trigger NHRP requests.
Examples
In the following example, the IPv6 packets specified by the IPv6 access list named list2 will trigger NHRP requests:
Router(config)# ipv6 access-list list2
permit any any
Router(config-if)# ipv6 nhrp interest list2
Related Commands
Command
Description
ipv6access-list
Defines an IPv6 access list.
ipv6 nhrp map
To statically configure the IPv6-to-nonbroadcast multiaccess (NBMA) address mapping of IPv6 destinations connected to an NBMA network, use the ipv6nhrpmapcommand in interface configuration mode. To remove the static entry from Next Hop Resolution Protocol
(NHRP) cache, use the no form of this command.
ipv6nhrpmapipv6-addressnbma-address
noipv6nhrpmapipv6-addressnbma-address
Syntax Description
ipv6-address
IPv6 address of the destination reachable through the NBMA network. This address is mapped to the NBMA address.
nbma-address
An IPv4 or IPv6 NBMA address that is directly reachable through the NBMA network. The address format varies depending on the medium you are using. For example, ATM has a network service access point (NSAP) address, Ethernet has a MAC address, and Switched Multimegabit Data Service (SMDS) has an E.164 address.
Command Default
No static IPv6-to-NBMA cache entries exist.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
15.2(1)T
This command was modified. The nbma-address argument was enhanced to support IPv4 and IPv6 addresses.
Usage Guidelines
The ipv6nhrpmap command accepts IPv6 prefixes in the form of prefix/prefix-length, as shown in the following example:
ipv6 nhrp map abcd::abcd/128 172.16.1.1
Because the NBMA supports IPv4 addresses, only IPv4 destinations are accepted in the ipv6nhrpmap command. IPv6 prefixes can be mapped to IPv4 addresses.
You will probably need to configure at least one static mapping in order to reach the next hop server. Repeat this command to statically configure multiple IPv6-to-NBMA address mappings.
Examples
In the following example, this station in a multipoint tunnel network is statically configured to be served by two next hop servers 2001:0DB8:3333:4::5 and 2001:0DB8:4444:5::6. The NBMA address for 2001:0DB8:3333:4::5 is statically configured to be 2001:0DB8:5555:5::6 and the NBMA address for 2001:0DB8:4444:5::6 is 2001:0DB8:8888:7::6.
To map destination IPv6 addresses to IPv4 nonbroadcast multiaccess (NBMA) addresses, use the ipv6nhrpmapmulticastcommand in interface configuration mode. To remove the destination IPv6 addresses, use the no form of this command.
IPv4 NBMA address (IPv6 over IPv4 transport) that is directly reachable through the NBMA network.
ipv6-nbma-address
IPv6 NMBA address that is directly reachable through the NBMA network.
Command Default
No NBMA addresses are configured as destinations for broadcast or multicast packets.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
15.2(1)T
This command was modified. Support was extended to IPv6 NBMA addresses.
Usage Guidelines
The ipv6nhrpmapmulticastcommand works only with tunnel interfaces.
The command is useful for supporting broadcasts over a tunnel network when the underlying network does not support IPv4 multicasts. If the underlying network supports IPv4 multicasts, you should use the tunneldestination command to configure a multicast destination for the transmission of tunnel broadcasts or multicasts.
When multiple NBMA addresses are configured, the system replicates the broadcast packet for each address.
Examples
In the following example, an IPv6 address is mapped to the IPv4 address 10.11.11.99:
To allow
Next Hop Resolution Protocol (NHRP) to automatically add routers to the multicast NHRP mappings
, use the ipv6nhrpmapmulticastdynamiccommand in
interface
configuration mode. To disable this functionality, use the no form of this command
ipv6nhrpmapmulticastdynamic
noipv6nhrpmapmulticastdynamic
Syntax Description
This command has no arguments or keywords.
Command Default
Routers are not automatically added to the multicast NHRP mapping.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
Use the ipv6nhrpmapmulticastdynamic command when spoke routers need to initiate multipoint generic routing encapsulation (GRE) and IP security (IPsec) tunnels and register their unicast NHRP mappings. This command is needed to enable dynamic routing protocols to work over the Multipoint GRE and IPsec tunnels because IGP routing protocols use multicast packets. This command prevents the hub router from needing a separate configuration line for a multicast mapping for each spoke router.
Examples
The following example shows how to enable the ipv6nhrpmapmulticastdynamiccommand on the hub router:
crypto ipsec profile cisco-ipsec
set transform-set cisco-ts
!
interface Tunnel0
bandwidth 100000
ip address 10.1.1.99 255.255.255.0
no ip redirects
ip nhrp map multicast dynamic
delay 50000
ipv6 address 2001:0DB8::99/100
ipv6 address FE80::0B:0B:0B:8F link-local
ipv6 enable
ipv6 eigrp 1
no ipv6 split-horizon eigrp 1
no ipv6 next-hop-self eigrp 1
ipv6 nhrp map multicast dynamic
ipv6 nhrp network-id 99
tunnel source Ethernet0/0
tunnel mode gre multipoint
tunnel protection ipsec profile cisco-ipsec
Related Commands
Command
Description
ipv6nhrpnetwork-id
Enables NHRP on an interface.
ipv6 nhrp max-send
To change the maximum frequency at which Next Hop Resolution Protocol (NHRP) packets can be sent, use the ipv6nhrpmax-sendcommand in interface configuration mode. To restore this frequency to the default value, use the no form of this command.
ipv6nhrpmax-sendpkt-counteveryseconds
noipv6nhrpmax-send
Syntax Description
pkt-count
Number of packets that can be sent in the range from 1 to 65535. Default is 100 packets.
everyseconds
Specifies the time (in seconds) in the range from 10 to 65535. Default is 10 seconds.
Command Default
Maximum frequency default settings are used.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
The software maintains a per-interface quota of NHRP packets that can be sent. NHRP traffic, whether locally generated or forwarded, cannot be sent at a rate that exceeds this quota. The quota is replenished at the rate specified by the secondsargument:
The user needs to consider the number of spoke routers being handled by this hub and how often they send NHRP registration requests. To support this load you would need:
Number of spokes / registration timeout * max-send-interval
Example:
500 spokes with 100-second registration timeout
Max send value = 500/100*10 = 50
The maximum number of spoke-spoke tunnels that are expected to be up at any one time across the whole DMVPN network.
This formula covers spoke-spoke tunnel creation and the refreshing of spoke-spoke tunnels that are used for longer periods of time:
Example
2000 spoke-spoke tunnels with 250-second hold timeout
Max send value = 2000/250*10 = 80
Then add these together and multiply this by 1.5 to 2.0 to give a buffer:
Example
Max send = (50 + 80) * 2 = 260
The max-send interval can be used to keep the long-term average number of NHRP messages allowed to be sent constant, but to allow greater peaks:
Example
400 messages in 10 seconds
In this case, it could peak at approximately 200 messages in the first second of the 10-second interval, but still keep to a 40-messages-per-second average over the 10-second interval:
4000 messages in 100 seconds
In this case, it could peak at approximately 2000 messages in the first second of the 100-second interval, but it would still be held to 40-messages-per-second average over the 100-second interval. In the second case, it could handle a higher peak rate, but risk a longer period of time when no messages can be sent if it used up its quota for the interval.
By default, the maximum rate at which the software sends NHRP packets is five packets per 10 seconds. The software maintains a per-interface quota of NHRP packets (whether generated locally or forwarded) that can be sent.
Examples
In the following example, only one NHRP packet can be sent from serial interface 0 each minute:
interface serial 0
ipv6 nhrp max-send 1 every 60
Related Commands
Command
Description
ipv6nhrpinterest
Controls which IP packets can trigger sending an NHRP request.
ipv6nhrpuse
Configures the software so that NHRP is deferred until the system has attempted to send data traffic to a particular destination multiple times.
ipv6 nhrp network-id
To enable the Next Hop Resolution Protocol (
NHRP) on an interface, use the ipv6nhrpnetwork-idcommand ininterface configuration mode. To disable NHRP on the interface, use the no form of this command..
ipv6nhrpnetwork-idnetwork-id
noipv6nhrpnetwork-idnetwork-id
Syntax Description
network-id
Globally unique, 32-bit network identifier from a nonbroadcast multiaccess (NBMA) network. The range is from 1 to 4294967295.
Command Default
NHRP is disabled on the interface.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
In general, all NHRP stations within one logical NBMA network must be configured with the same network identifier.
Examples
The following example shows how to enablle NHRP on the interface:
Router(config-if)# ipv6 nhrp network-id 99
Related Commands
Command
Description
ipv6nhrpmapmulticastdynamic
Allows
NHRP to automatically add routers to the multicast NHRP mappings.
ipv6 nhrp nhs
To specify the IPv6 prefix of one or more Next Hop Resolution Protocol (NHRP) servers, use the ipv6nhrpnhscommand ininterface configuration mode. To remove the prefix address, use the no form of this command.
(Optional) Next hop address (NHS) fully qualified domain name (FQDN) string.
multicast
(Optional) Specifies to use NBMA mapping for broadcasts and multicasts.
priorityvalue
(Optional) Assigns a priority to hubs to control the order in which spokes select hubs to establish tunnels. The range is from 0 to 255, where 0 is the highest and 255 is the lowest priority.
clustervalue
(Optional) Specifies NHS groups. The range is from 0 to 10, where 0 is the highest and 10 is the lowest value. The default value is 0.
max-connectionsvalue
Specifies the number of NHS elements from each NHS group that need to be active. The range is from 0 to 255.
dynamic
Configures the spoke to learn the NHS protocol address dynamically.
fallbackseconds
Specifies the duration, in seconds, for which the spoke must wait before falling back to an NHS of higher priority upon recovery.
Command Default
No next hop servers are explicitly configured, so normal network layer routing decisions are used to forward NHRP traffic.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
15.1(2)T
This command was modified. The net-address argument was removed and the nbma, nbma-address, fqdn-string, multicast, priorityvalue, clustervalue, max-connectionsvalue, dynamic, and fallbackseconds keywords and arguments were added.
15.2(1)T
This command was modified. The nbma-address argument was modified to support IPv4 addresses.
Usage Guidelines
Use the ipv6nhrpnhs command to specify the IPv6 prefix of a next hop server and the networks it serves. Normally, NHRP consults the network layer forwarding table to determine how to forward NHRP packets. When next hop servers are configured, these next hop IPv6 prefixes override the forwarding path that would otherwise be used for NHRP traffic.
For any next hop server that is configured, you can specify multiple networks by repeating this command with the same nhs-addressargument, but with different IPv6 network addresses.
Examples
The following example shows how to register a hub to a spoke using NBMA and FQDN:
Statically configures the IP-to-NBMA address mapping of IPv6 destinations connected to an NBMA network.
showipv6nhrp
Displays NHRP mapping information.
ipv6 nhrp record
To reenable the use of forward record and reverse record options in Next Hop Resolution Protocol (NHRP) request and reply packets, use the ipv6nhrprecordcommand in interface configuration mode. To suppress the use of such options, use the no form of this command.
ipv6nhrprecord
noipv6nhrprecord
Syntax Description
This command has no arguments or keywords.
Command Default
Forward record and reverse record options are used in NHRP request and reply packets.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
Forward record and reverse record options provide loop detection and are enabled by default. Using the no form of this command disables this method of loop detection. For another method of loop detection, see the ipv6nhrprespondercommand.
Examples
The following example suppresses forward record and reverse record options:
no ipv6 nhrp record
Related Commands
Command
Description
ipv6nhrpresponder
Designates the primary IP address of which interface the next hop server will use in NHRP reply packets when the NHRP requester uses the Responder Address option.
ipv6 nhrp redirect
To enable Next Hop Resolution Protocol (NHRP) redirect, use the ipv6nhrpredirectcommand in interface configuration mode. To remove the NHRP redirect, use the no form of this command.
ipv6nhrpredirect
[ timeoutseconds ]
noipv6nhrpredirect
[ timeoutseconds ]
Syntax Description
timeoutseconds
(Optional) Indicates the interval, in seconds, that the NHRP redirects are sent for the same nonbroadcast multiaccess (NBMA) source and destination combination. The range is from 2 to 30 seconds.
Command Default
NHRP redirect is disabled.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
The NHRP redirect message is an indication that the current path to the destination is not optimal. The receiver of the message should find a better path to the destination.
This command generates an NHRP redirect traffic indication message if the incoming and outgoing interface is part of the same dynamic multipoint VPN (DMVPN) network. The NHRP shortcut switching feature depends on receiving the NHRP redirect message. NHRP shortcut switching does not trigger an NHRP resolution request on its own. It triggers an NHRP resolution request only after receiving an NHRP redirect message.
Most of the traffic would follow a spoke-hub-spoke path. NHRP redirect is generally required to be configured on all the DMVPN nodes in the event the traffic follows a spoke-spoke-hub-spoke path.
Do not configure this command if the DMVPN network is configured for full-mesh. In a full-mesh configuration, the spokes are populated with a full routing table, with the next hop being the other spokes.
Examples
The following example shows how to enable NHRP redirects on the interface:
ipv6 nhrp redirect
Related Commands
Command
Description
ipv6nhrpshortcut
Enables NHRP shortcut switching.
ipv6 nhrp registration
To enable the client to set the unique flag in the Next Hop Resolution Protocol (NHRP) request and reply packets, use the ipv6nhrpregistrationcommand in interface configuration mode. To reenable this functionality, use the no form of this command.
(Optional) Specifies the time between periodic registration messages:
seconds--Number of seconds. The range is from 1 through the value of the NHRP hold timer.
If the timeout keyword is not specified, NHRP registration messages are sent every number of seconds equal to one-third the value of the NHRP hold timer.
no-unique
(Optional) Enables the client to not set the unique flag in the NHRP request and reply packets.
Command Default
The default settings are used.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
If the unique flag is set in the NHRP registration request packet, a next hop server (NHS) must reject any registration attempts for the same private address using a different nonbroadcast multiaccess (NBMA) address. If a client receives a new IP address-for example, via DHCP-and tries to register before the cache entry on the NHS times out, the NHS must reject it.
By configuring the ipnhrpregistration command and no-unique keyword, the unique flag is not set, and the NHS can override the old registration information.
This command and keyword combination is useful in an environment where client IPv6 addresses can change frequently such as a dial environment.
Examples
The following example configures the client not to set the unique flag in the NHRP registration packet:
Changes the number of seconds that NHRP NBMA addresses are advertised as valid in authoritative NHRP responses
ipv6 nhrp responder
To designate the primary IPv6 address the next hop server that an interface will use in Next Hop Resolution Protocol (NHRP) reply packets when the NHRP requestor uses the
Responder Address option, use the ipv6nhrprespondercommand ininterface configuration mode. To remove the designation, use the no form of this command.
Interface type whose primary IPv6 address is used when a next hop server complies with a Responder Address option (for example, serial or tunnel).
interface-number
Interface number whose primary IPv6 address is used when a next hop server complies with a Responder Address option.
Command Default
The next hop server uses the IPv6 address of the interface where the NHRP request was received.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
If an NHRP requestor wants to know which next hop server generates an NHRP reply packet, it can request that information through the Responder Address option. The next hop server that generates the NHRP reply packet then complies by inserting its own IPv6 address in the Responder Address option of the NHRP reply. The next hop server uses the primary IPv6 address of the specified interface.
If an NHRP reply packet being forwarded by a next hop server contains the IPv6 address of that next hop server, the next hop server generates an Error Indication of type "NHRP Loop Detected" and discards the reply packet.
Examples
In the following example, any NHRP requests for the Responder Address will cause this router acting as a next hop server to supply the primary IPv6 address of serial interface 0 in the NHRP reply packet:
ipv6 nhrp responder serial 0
ipv6 nhrp server-only
To configure the interface to operate in Next Hop Resolution Protocol
(NHRP) server-only mode, use the ipv6nhrpserver-onlycommand ininterface configuration mode. To disable this feature, use the no form of this command.
ipv6nhrpserver-only [non-caching]
noipv6nhrpserver-only
Syntax Description
non-caching
(Optional) Specifies that the router will not cache NHRP information received on this interface.
Command Default
The interface does not operate in NHRP server-only mode.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
When the interface is operating in NHRP server-only mode, the interface does not originate NHRP requests or set up an NHRP shortcut Switched Virtual Circuit (SVC).
Examples
The following example shows that the interface is configured to operate in server-only mode:
ipv6 nhrp server-only
ipv6 nhrp shortcut
To enable Next Hop Resolution Protocol (NHRP) shortcut switching, use the ipv6nhrpshortcutcommand in interface configuration mode. To remove shortcut switching from NHRP, use the no form of this command.
ipv6nhrpshortcut
noipv6nhrpshortcut
Syntax Description
This command has no arguments or keywords.
Command Default
NHRP shortcut switching is disabled.
Command Modes
Interface configuration (config-if)#
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
Do not configure this command if the dynamic multipoint VPN (DMVPN) network is configured for full-mesh. In a full-mesh configuration, the spokes are populated with a full routing table, with the next hop being the other spokes.
Examples
The following example shows how to configure an NHRP shortcut on an interface:
Router(config-if)# ipv6 nhrp shortcut
Related Commands
Command
Description
ipv6nhrpredirect
Enables NHRP redirect.
ipv6 nhrp trigger-svc
To configure when the Next Hop Resolution Protocol (NHRP) will set up and tear down a switched virtual circuit (SVC) based on aggregate traffic rates, use the ipv6nhrptrigger-svccommand ininterface configuration mode. To restore the default thresholds, use the no form of this command.
Average traffic rate calculated during the load interval, at or above which NHRP will set up an SVC for a destination. The default value is 1 kb/s.
teardown-threshold
Average traffic rate calculated during the load interval, at or below which NHRP will tear down the SVC to the destination. The default value is 0 kb/s.
Command Default
The SVC default settings are used.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
The two thresholds are measured during a sampling interval of 30 seconds, by default.
Examples
In the following example, the triggering and teardown thresholds are set to 100 kb/s and 5 kb/s, respectively:
ipv6 nhrp trigger-svc 100 5
ipv6 nhrp use
To configure the software so that the Next Hop Resolution Protocol (NHRP) is deferred until the system has attempted to send data traffic to a particular destination multiple times, use the ipv6nhrpusecommandininterface configuration mode. To restore the default value, use the no form of this command.
ipv6nhrpuseusage-count
noipv6nhrpuseusage-count
Syntax Description
usage-count
Packet count in the range from 1 to 65535. Default is 1.
Command Default
The first time a data packet is sent to a destination for which the system determines NHRP can be used, an NHRP request is sent.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.4(20)T
This command was introduced.
Usage Guidelines
When the software attempts to send a data packet to a destination for which it has determined that NHRP address resolution can be used, an NHRP request for that destination normally is sent immediately. Configuring the usage-countargument causes the system to wait until the configured number of data packets have been sent to a particular destination before it attempts NHRP. The usage-count argument for a particular destination is measured over 1-minute intervals (the NHRP cache expiration interval).
The usage count applies perdestination. So if the usage-count argument is configured to be 3, and four data packets are sent toward 2001:0DB8:3333:4::5 and one packet toward 2001:0DB8:5555:5::6, then an NHRP request is generated for 2001:0DB8:3333:4::5 only.
If the system continues to need to forward data packets to a particular destination, but no NHRP response has been received, retransmission of NHRP requests is performed. This retransmission occurs only if data traffic continues to be sent to a destination.
The ipv6nhrpinterest command controls which packets cause NHRP address resolution to take place; the ipv6 nhrp use command controls howreadily the system attempts such address resolution.
Examples
In the following example, if in the first minute five packets are sent to the first destination and five packets are sent to a second destination, then a single NHRP request is generated for the second destination.
If in the second minute the same traffic is generated and no NHRP responses have been received, then the system resends its request for the second destination.
ipv6 nhrp use 5
Related Commands
Command
Description
ipv6nhrpinterest
Controls which IPv6 packets can trigger sending an NHRP request.
ipv6nhrpmax-send
Changes the maximum frequency at which NHRP packets can be sent.
ipv6 ospf area
To enable Open Shortest Path First version 3 (OSPFv3) on an interface, use the
ipv6ospfarea command in interface configuration mode. To disable OSPFv3 routing for interfaces defined, use the
no form of this command.
Internal identification. It is locally assigned and can be any positive integer. The number used here is the number assigned administratively when enabling the OSPFv3 routing process.
area-id
Area that is to be associated with the OSPFv3 interface.
instanceinstance-id
(Optional) Instance identifier.
Command Default
OSPFv3 is not enabled.
Command Modes
Interface configuration
Command History
Release
Modification
12.0(24)S
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.2(18)S
This command was integrated into Cisco IOS Release 12.2(18)S.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Cisco IOS XE Release 2.1
This command was integrated into Cisco IOS XE Release 2.1.
15.1(3)S
Use of the
ospfv3areacommand can affect the
ipv6ospfarea command.
Cisco IOS XE Release 3.4S
Use of the
ospfv3areacommand can affect the
ipv6ospfarea command.
15.2(1)T
Use of the
ospfv3areacommand can affect the
ipv6ospfarea command.
15.1(1)SY
This command was integrated into Cisco IOS Release 15.1(1)SY.
15.2(2)SNG
This command was implemented on the Cisco ASR 901 Series Aggregation Services devices.
Usage Guidelines
If the
ospfv3areacommand is configured with the
process-id argument, it overwrites the
ipv6ospfarea configuration if OSPFv3 was attached to the interface using the ipv6 ospf area command.
Before you enable OSPFv3 on an interface using the
ipv6ospfarea command, you must enable IPv6 on the interface, and you must enable IPv6 routing.
An OSPFv3 instance (also known as an OSPFv3 process) can be considered a logical device running OSPFv3 in a physical device. Use the instance ID to control selection of other devices as your neighbors. You become neighbors only with devices that have the same instance ID.
In IPv6, users can configure many addresses on an interface. In OSPFv3, all addresses on an interface are included by default. Users cannot select some addresses to be imported into OSPFv3; either all addresses on an interface are imported, or no addresses on an interface are imported.
There is no limit to the number of
ipv6ospfarea commands you can use on the device. You must have at least two interfaces configured for OSPFv3 to run.
Examples
The following example enables OSPFv3 on an interface:
Enables an OSPFv3 instance with the IPv4 or IPv6 address family.
router ospfv3
Enables OSPFv3 router configuration mode for the IPv4 or IPv6 address family.
ipv6 ospf authentication
To specify the authentication type for an Open Shortest Path First version 3 (OSPFv3) interface, use the
ipv6ospfauthentication command in interface configuration mode. To remove the authentication type for an interface, use the
no form of this command.
Number used in the calculation of the message digest. When MD5 authentication is used, the key must be 32 hexadecimal digits (16 bytes) long. When SHA-1 authentication is used, the key must be 40 hexadecimal digits (20 bytes) long.
null
Overrides area authentication.
Command Default
No authentication.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.3(4)T
This command was introduced.
12.4(4)T
This command was modified. The
sha1 keyword was added.
15.1(3)S
This command was modified. Use of the
ospfv3authentication command can affect the
ipv6ospfauthentication command.
Cisco IOS XE Release 3.4S
This command was modified. Use of the
ospfv3authentication command can affect the
ipv6ospfauthentication command.
15.2(1)T
This command was modified. Use of the
ospfv3authentication command can affect the
ipv6ospfauthentication command.
15.0(2)SE
This command was integrated into Cisco IOS Release 15.0(2)SE.
Usage Guidelines
You need to ensure that the same policy (the SPI and the key) is configured on all of the interfaces on the link. SPI values may automatically be used by other client applications, such as tunnels.
The policy database is common to all client applications on a device. This means that two IPsec clients, such as OSPFv3 and a tunnel, cannot use the same SPI. Additionally, an SPI can be used only in one policy.
The
null keyword is used to override existing area authentication. If area authentication is not configured, then it is not necessary to configure the interface with the
ipv6ospfauthenticationnull command.
Beginning with Cisco IOS Release 12.4(4)T, the
sha1 keyword can be used to choose SHA-1 authentication instead of entering the
md5 keyword to use MD5 authentication. The SHA-1 algorithm is considered to be somewhat more secure than the MD5 algorithm, and it requires a 40-hexadecimal-digit (20-byte) key rather than the 32-hexadecimal-digit (16-byte) key that is required for MD5 authentication.
Examples
The following example shows how to enable MD5 authentication and then override area authentication:
Specifies the authentication type for an OSPFv3 instance.
router ospfv3
Enables OSPFv3 router configuration mode for the IPv4 or IPv6 address family.
ipv6 ospf bfd
To enable Bidirectional Forwarding Detection (BFD) on a specific interface configured for Open Shortest Path First version 3 (OSPFv3), use the ipv6ospfbfdcommand in interface configuration mode.To remove the ospfbfd command, use the no form of this command.
ipv6ospfbfd [disable]
noipv6ospfbfd
Syntax Description
disable
(Optional) Disables BFD for OSPFv3 on a specified interface.
Command Default
When the disable keyword is not used, the default behavior is to enable BFD support for OSPFv3 on the interface.
Command Modes
Interface configuration
Command History
Release
Modification
Cisco IOS XE Release 2.1
This command was introduced.
12.2(33)SRE
This command was modified. It was integrated into Cisco IOS Release 12.2(33)SRE.
15.1(3)S
Use of the ospfv3bfdcommand can affect the ipv6ospfbfdcommand.
Cisco IOS XE Release 3.4S
Use of the ospfv3bfdcommand can affect the ipv6ospfbfdcommand.
15.2(1)T
Use of the ospfv3bfdcommand can affect the ipv6ospfbfdcommand.
Usage Guidelines
Enter the ipv6ospfbfd command to configure an OSPFv3 interface to use BFD for failure detection. If you have used the bfdall-interfaces command in router configuration mode to globally configure all OSPFv3 interfaces for an OSPFv3 process to use BFD, you can enter the ipv6ospfbfd command in interface configuration mode with the disable keyword to disable BFD for a specific OSPFv3 interface.
Examples
In the following example, the interface associated with OSPFv3, Fast Ethernet interface 3/0, is configured for BFD:
Enables OSPFv3 router configuration mode for the IPv4 or IPv6 address family.
ipv6 ospf cost
To explicitly specify the cost of sending a packet on an Open Shortest Path First version 3 (OSPFv3) interface, use the
ipv6 ospf cost command in interface configuration mode. To reset the interface cost to the default value, use the
no form of this command.
Unsigned integer value expressed as the link-state metric. It can be a value in the range from 1 to 65535.
dynamic
Default value on VMI interfaces.
weight
(Optional) Amount of impact a variable has on the dynamic cost.
throughput
percent
Throughput weight of the Layer 2 link, expressed as a percentage. The percent value can be in the range from 0 to 100. The default value is 100.
resources
percent
Resources weight (such as battery life) of the router at the Layer 2 link, expressed as a percentage. The percent value can be in the range from 0 to 100. The default value is 100.
latency
percent
Latency weight of the Layer 2 link, expressed as a percentage. The percent value can be in the range from 0 to 100. The default value is 100.
L2-factor
percent
Quality weight of the Layer 2 link expressed as a percentage. The percent value can be in the range from 0 to 100. The default value is 100.
hysteresis
(Optional) Value used to dampen cost changes.
thresholdthreshold-value
(Optional) Cost change threshold at which hysteresis will be implemented. The threshold range is from 0 to 64K, and the default threshold value is 10K.
Command Default
Default cost is based on the bandwidth.
Default cost on VMI interfaces is dynamic.
Command Modes
Interface configuration (config-if)
Command History
Release
Modification
12.0(24)S
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.2(18)S
This command was integrated into Cisco IOS Release 12.2(18)S.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
12.4(15)XF
The following keywords and arguments were added to support Virtual Multipoint Interfaces (VMI) and Mobile Adhoc Networking:
dynamic argument
weight,
resources
percent
,
latency
percent
, and
L2-factor
percent
keywords and arguments.
12.4(15)T
This command was integrated into Cisco IOS Release 12.4(15)T.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
15.1(3)S
Use of the
ospfv3 cost command can affect the
ipv6 ospf cost command.
Cisco IOS XE Release 3.4S
Use of the
ospfv3 cost command can affect the
ipv6 ospf cost command.
15.2(1)T
Use of the
ospfv3 cost command can affect the
ipv6 ospf cost command.
Using this formula, the default path costs were calculated as noted in the following list. If these values do not suit your network, you can use your own method of calculating path costs.
56-kbps serial link-Default cost is 1785.
64-kbps serial link-Default cost is 1562.
T1 (1.544-Mbps serial link)-Default cost is 64.
E1 (2.048-Mbps serial link)-Default cost is 48.
Ethernet-Default cost is 10.
16-Mbps Token Ring-Default cost is 6.
FDDI-Default cost is 1.
X25-Default cost is 5208.
Asynchronous-Default cost is 10,000.
ATM- Default cost is 1.The dynamic cost is calculated using the following formula:
L2L3API
For a dynamic cost to have the same cost as a default cost, all parameters must equal zero.
Each Layer 2 feedback can contribute a cost in the range of 0 to 65535. To tune down this cost range, use the optional
weight keyword in conjunction with the
throughput,
resources,
latency, or
L2-factor keyword. Each of these weights has a default value of 100% and can be configured in the range from 0 to 100. When 0 is configured for a specific weight, that weight does not contribute to the OSPFv3 cost.
Because cost components can change rapidly, you may need to dampen the amount of changes in order to reduce network-wide churn. Use the optional
hysteresis keyword with the
thresholdthreshold-value keyword and argument to set a cost change threshold. Any cost change below this threshold is ignored.
Examples
The following example sets the interface cost value to 65:
ipv6 ospf cost 65
The following example sets the interface cost value for a VMI interface:
Creates a virtual multipoint interface that can be configured and applied dynamically.
ipv6 ospf neighbor
Configures OSPFv3 routers interconnecting to nonbroadcast networks.
ospfv3 cost
Explicitly specifies the cost of sending a packet on an interface.
router ospfv3
Enables OSPFv3 router configuration mode for the IPv4 or IPv6 address family.
ipv6 ospf database-filter all out
To filter outgoing link-state advertisements (LSAs) to an Open Shortest Path First version 3 (OSPFv3) interface, use the ipv6ospfdatabase-filteralloutcommand in interface configuration mode. To restore the forwarding of LSAs to the interface, use the noform of this command.
ipv6ospfdatabase-filterallout
noipv6ospfdatabase-filterallout
Syntax Description
This command has no arguments or keywords.
Command Default
All outgoing LSAs are flooded to the interface.
Command Modes
Interface configuration
Command History
Release
Modification
12.0(24)S
This command was introduced.
12.2(15)T
This command was integrated into Cisco IOS Release 12.2(15)T.
12.2(18)S
This command was integrated into Cisco IOS Release 12.2(18)S.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
15.1(3)S
Use of the ospfv3database-filtercommand can affect the ipv6ospfdatabase-filteralloutcommand.
Cisco IOS XE Release 3.4S
Use of the ospfv3database-filtercommand can affect the ipv6ospfdatabase-filteralloutcommand.
15.2(1)T
Use of the ospfv3database-filtercommand can affect the ipv6ospfdatabase-filteralloutcommand.
Usage Guidelines
This command performs the same function that the neighbordatabase-filtercommand performs on a neighbor basis.
Examples
The following example prevents flooding of OSPFv3 LSAs to broadcast, nonbroadcast, or point-to-point networks reachable through Ethernet interface 0:
interface ethernet 0
ipv6 ospf database-filter all out
Related Commands
ospfv3database-filter
Filters outgoing LSAs to an OSPFv3 interface
router ospfv3
Enables OSPFv3 router configuration mode for the IPv4 or IPv6 address family.