Feedback
Contents
ipv6-i4
- ipv6 snooping attach-policy
- ipv6 snooping policy
- ipv6 traffic-filter
- ipv6 verify unicast source reachable-via
- managed-config-flag
- match ipv6
- match ipv6 access-list
- match ipv6 address
- match ipv6 destination
- match ipv6 hop-limit
- match ra prefix-list
- max-through
- medium-type
- mode dad-proxy
- network (IPv6)
- other-config-flag
- passive-interface (IPv6)
- passive-interface (OSPFv3)
- permit (IPv6)
- prefix-glean
- protocol (IPv6)
- redistribute (IPv6)
- router-preference maximum
ipv6 snooping attach-policy
To apply an IPv6 snooping policy to a target, use the ipv6 snooping attach-policy command in IPv6 snooping configuration mode. To remove a policy from a target, use the no form of this command.
Usage Guidelines
Once a policy has been identified or configured, it is applied on a target using the ipv6 snooping attach-policy command. This command is applied on any target, which varies depending on the platform. Examples of targets (depending on the platform used) include device ports, switchports, Layer 2 interfaces, Layer 3 interfaces, and VLANs.
ipv6 snooping policy
To configure an IPv6 snooping policy and enter IPv6 snooping configuration mode, use the ipv6 snooping policy command in global configuration mode. To delete an IPv6 snooping policy, use the no form of this command.
Usage Guidelines
Use the ipv6 snooping policy command to create an IPv6 snooping policy. When the ipv6 snooping policy command is enabled, the configuration mode changes to IPv6 snooping configuration mode. In this mode, the administrator can configure the following IPv6 first-hop security commands:
- The data-glean/destination-glean command enables IPv6 first-hop security binding table recovery using data or destination address gleaning.
- The limit address-count maximum command limits the number of IPv6 addresses allowed to be used on the port.
- security-level specifies the level of security enforced.
Once a policy has been identified or configured, it is applied on a device using the ipv6 snooping attach-policy command.
ipv6 traffic-filter
To filter incoming or outgoing IPv6 traffic on an interface, use the ipv6 traffic-filtercommand in interface configuration mode. To disable the filtering of IPv6 traffic on an interface, use the no form of this command.
Command History
Release
Modification
12.2(2)T
This command was introduced.
12.0(21)ST
This command was integrated into Cisco IOS Release 12.0(21)ST.
12.0(22)S
This command was integrated into Cisco IOS Release 12.0(22)S.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Cisco IOS XE Release 2.1
This command was introduced on Cisco ASR 1000 series routers.
12.2(33)SXI4
The out keyword and therefore filtering of outgoing traffic is not supported in IPv6 port-based access list (PACL) configuration.
12.2(54)SG
This command was modified. Support for Cisco IOS Release 12.2(54)SG was added.
12.2(50)SY
This command was modified. The out keyword is not supported.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Examples
The following example filters inbound IPv6 traffic on Ethernet interface 0/0 as defined by the access list named cisco:
Router(config)# interface ethernet 0/0 Router(config-if)# ipv6 traffic-filter cisco inipv6 verify unicast source reachable-via
To verify that a source address exists in the FIB table and enable Unicast Reverse Path Forwarding (Unicast RPF), use the ipv6 verify unicast source reachable-via command in interface configuration mode. To disable URPF, use the no form of this command.
ipv6 verify unicast source reachable-via { rx | any } [allow-default] [allow-self-ping] [access-list-name]
no ipv6 verify unicast
Syntax Description
rx
Source is reachable through the interface on which the packet was received.
any
Source is reachable through any interface.
allow-default
(Optional) Allows the lookup table to match the default route and use the route for verification.
allow-self-ping
(Optional) Allows the router to ping a secondary address.
access-list-name
(Optional) Name of the IPv6 access list. Names cannot contain a space or quotation mark, or begin with a numeral.
Usage Guidelines
The ipv6 verify unicast reverse-path command is used to enable Unicast RPF for IPv6 in loose checking mode.
Use the ipv6 verify unicast source reachable-viacommand to mitigate problems caused by malformed or forged (spoofed) IP source addresses that pass through an IPv6 router. Malformed or forged source addresses can indicate denial-of-service (DoS) attacks based on source IPv6 address spoofing.
The URPF feature checks to see if any packet received at a router interface arrives on one of the best return paths to the source of the packet. The feature does this by doing a reverse lookup in the CEF table. If URPF does not find a reverse path for the packet, U RPF can drop or forward the packet, depending on whether an access control list (ACL) is specified in the ipv6 verify unicast source reachable-via command. If an ACL is specified in the command, then when (and only when) a packet fails the URPF check, the ACL is checked to see if the packet should be dropped (using a deny statement in the ACL) or forwarded (using a permit statement in the ACL). Whether a packet is dropped or forwarded, the packet is counted in the global IP traffic statistics for U RPF drops and in the interface statistics for Unicast RPF.
If no ACL is specified in the ipv6 verify unicast source reachable-via command, the router drops the forged or malformed packet immediately and no ACL logging occurs. The router and interface Unicast RPF counters are updated.
U RPF events can be logged by specifying the logging option for the ACL entries used by the ipv6 verify unicast source reachable-via command. Log information can be used to gather information about the attack, such as source address, time, and so on.
managed-config-flag
To verify the advertised managed address configuration parameter, use the managed-config-flag command in RA guard policy configuration mode.
Usage Guidelines
The managed-config-flag command enables verification of the advertised managed address configuration parameter (or "M" flag). This flag could be set by an attacker to force hosts to obtain addresses through a DHCPv6 server that may not be trustworthy.
Examples
The following example shows how the command defines a router advertisement (RA) guard policy name as raguard1, places the router in RA guard policy configuration mode, and enables M flag verification:
Router(config)# ipv6 nd raguard policy raguard1 Router(config-ra-guard)# managed-config-flag onmatch ipv6
To configure one or more of the IPv6 fields as a key field for a flow record, use the match ipv6 command in Flexible NetFlow flow record configuration mode. To disable the use of one or more of the IPv6 fields as a key field for a flow record, use the no form of this command.
match ipv6 { dscp | flow-label | next-header | payload-length | precedence | protocol | traffic-class | version }
no match ipv6 { dscp | flow-label | next-header | payload-length | precedence | protocol | traffic-class | version }
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match ipv6 { dscp | precedence | protocol | tos }
no match ipv6 { dscp | precedence | protocol | tos }
Cisco IOS XE Release 3.2SE
match ipv6 { protocol | traffic-class | version }
no match ipv6 { protocol | traffic-class | version }
Syntax Description
dscp
Configures the IPv6 differentiated services code point DSCP (part of type of service (ToS)) as a key field.
flow-label
Configures the IPv6 flow label as a key field.
next-header
Configures the IPv6 next header as a key field.
payload-length
Configures the IPv6 payload length as a key field.
precedence
Configures the IPv6 precedence (part of ToS) as a key field.
protocol
Configures the IPv6 protocol as a key field.
tos
Configures the IPv6 ToS as a key field.
traffic-class
Configures the IPv6 traffic class as a key field.
version
Configures the IPv6 version from IPv6 header as a key field.
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The flow-label, next-header, payload-length,traffic-class, and version keywords were removed.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.2SE
This command was modified. The dscp, flow-label, next-header, payload-length, and precedence keywords were removed.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
NoteSome of the keywords of the match ipv6 command are documented as separate commands. All of the keywords for the match ipv6 command that are documented separately start with match ipv6. For example, for information about configuring the IPv6 hop limit as a key field for a flow record, refer to the match ipv6 hop-limit command.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures the IPv6 DSCP field as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 dscpThe following example configures the IPv6 DSCP field as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match ipv6 dscpmatch ipv6 access-list
To verify the sender’s IPv6 address in inspected messages from the authorized prefix list, use the match ipv6 access-list command in RA guard policy configuration mode.
Usage Guidelines
The match ipv6 access-list command enables verification of the sender’s IPv6 address in inspected messages from the configured authorized router source access list. If the match ipv6 access-list command is not configured, this authorization is bypassed.
An access list is configured using the ipv6 access-list command. For instance, to authorize the router with link-local address FE80::A8BB:CCFF:FE01:F700 only, define the following IPv6 access list:
Router(config)# ipv6 access-list list1 Router(config-ipv6-acl)# permit host FE80::A8BB:CCFF:FE01:F700 any
NoteThe access list is used here as a convenient way to define several explicit router sources, but it should not be considered to be a port-based access list (PACL). The match ipv6 access-list command verifies the IPv6 source address of the router messages, so specifying a destination in the access list is meaningless and the destination of the access control list (ACL) entry should always be "any." If a destination is specified in the access list, then matching will fail.
Examples
The following example shows how the command defines a router advertisement (RA) guard policy name as raguard1, places the router in RA guard policy configuration mode, and matches the IPv6 addresses in the access list named list1:
Router(config)# ipv6 nd raguard policy raguard1 Router(config-ra-guard)# match ipv6 access-list list1match ipv6 address
To distribute IPv6 routes that have a prefix permitted by a prefix list or to specify an IPv6 access list to be used to match packets for policy-based routing (PBR) for IPv6, use the match ipv6 address command in route-map configuration mode. To remove the match ipv6 address entry, use the no form of this command.
Command Default
No routes are distributed based on the destination network number or an access list.
Command History
Release
Modification
12.2(2)T
This command was introduced.
12.0(21)ST
This command was integrated into Cisco IOS Release 12.0(21)ST.
12.0(22)S
This command was integrated into Cisco IOS Release 12.0(22)S.
12.3(7)T
This command was modified. The access-list-name argument was added.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SXI4
This command was modified. The prefix-list prefix-list-name keyword-argument pair argument is not supported in Cisco IOS Release 12.2(33)SXI4.
Cisco IOS XE Release 3.2S
This command was integrated into Cisco IOS XE Release 3.2S.
15.1(1)SY
This command was integrated into Cisco IOS Release 15.1(1)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Use the route-map command and the match and set commands to define the conditions for redistributing routes from one routing protocol to another. Each route-map command has a list of match and set commands associated with it. The match commands specify the match criteria--the conditions under which redistribution is allowed for the current route-map command. The set commands specify the set actions, which are the particular redistribution actions to be performed if the criteria enforced by the match commands are met.
The match ipv6 address command can be used to specify either an access list or a prefix list. When using PBR, you must use the access-list-name argument; the prefix-list prefix-list-name keyword-argument pair argument will not work.
Examples
In the following example, IPv6 routes that have addresses specified by the prefix list named marketing are matched:
Device(config)# route-map name Device(config-route-map)# match ipv6 address prefix-list marketingIn the following example, IPv6 routes that have addresses specified by an access list named marketing are matched:
Device(config)# route-map Device(config-route-map)# match ipv6 address marketingRelated Commands
Command
Description
match as-path
Matches a BGP autonomous system path access list.
match community
Matches a BGP community.
match ipv6 address
Specifies an IPv6 access list to be used to match packets for PBR for IPv6.
match ipv6 next-hop
Distributes IPv6 routes that have a next-hop prefix permitted by a prefix list.
match ipv6 route-source
Distributes IPv6 routes that have been advertised by routers at an address specified by a prefix list.
match length
Bases policy routing on the Level 3 length of a packet.
match metric
Redistributes routes with the specified metric.
match route-type
Redistributes routes of the specified type.
route-map
Defines conditions for redistributing routes from one routing protocol into another.
set as-path
Modifies an autonomous system path for BGP routes.
set community
Sets the BGP community attribute.
set default interface
Specifies the default interface to output packets that pass a match clause of a route map for policy routing and have no explicit route to the destination.
set interface
Specifies the default interface to output packets that pass a match clause of a route map for policy routing.
set ipv6 default next-hop
Specifies an IPv6 default next hop to which matching packets will be forwarded.
set ipv6 next-hop (PBR)
Indicates where to output IPv6 packets that pass a match clause of a route map for policy routing.
set ipv6 precedence
Sets the precedence value in the IPv6 packet header.
set level
Indicates where to import routes.
set local preference
Specifies a preference value for the autonomous system path.
set metric
Sets the metric value for a routing protocol.
set metric-type
Sets the metric type for the destination routing protocol.
set tag
Sets a tag value of the destination routing protocol.
set weight
Specifies the BGP weight for the routing table.
match ipv6 destination
To configure the IPv6 destination address as a key field for a flow record, use the match ipv6 destination command in Flexible Netflow flow record configuration mode. To disable the IPv6 destination address as a key field for a flow record, use the no form of this command.
match ipv6 destination { address | { mask | prefix } [ minimum-mask mask ] }
no match ipv6 destination { address | { mask | prefix } [ minimum-mask mask ] }
Cisco Catalyst 6500 Switches in Cisco IOS Release 12.2(50)SY
match ipv6 destination address
no match ipv6 destination address
Cisco IOS XE Release 3.2SE
match ipv6 destination address
no match ipv6 destination address
Syntax Description
address
Configures the IPv6 destination address as a key field.
mask
Configures the mask for the IPv6 destination address as a key field.
prefix
Configures the prefix for the IPv6 destination address as a key field.
minimum-mask mask
(Optional) Specifies the size, in bits, of the minimum mask. Range: 1 to 128.
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
12.2(50)SY
This command was modified. The mask, prefix, and minimum-mask keywords were removed.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.2SE
This command was modified. The mask, prefix, and minimum-mask keywords were removed.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures a 16-bit IPv6 destination address prefix as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 destination prefix minimum-mask 16The following example specifies a 16-bit IPv6 destination address mask as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 destination mask minimum-mask 16The following example configures a 16-bit IPv6 destination address mask as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match ipv6 destination mask minimum-mask 16match ipv6 hop-limit
To configure the IPv6 hop limit as a key field for a flow record, use the match ipv6 hop-limit command in Flexible NetFlow flow record configuration mode. To disable the use of a section of an IPv6 packet as a key field for a flow record, use the no form of this command.
Command Default
The use of the IPv6 hop limit as a key field for a user-defined flow record is not enabled by default.
Command History
Release
Modification
12.4(20)T
This command was introduced.
12.2(33)SRE
This command was modified. Support for this command was implemented on the Cisco 7200 and Cisco 7300 Network Processing Engine (NPE) series routers.
15.2(2)T
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.5S
This command was modified. Support for the Cisco Performance Monitor was added.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
This command can be used with both Flexible NetFlow and Performance Monitor. These products use different commands to enter the configuration mode in which you issue this command, however the mode prompt is the same for both products. For Performance Monitor, you must first enter the flow record type performance-monitor command before you can use this command.
Because the mode prompt is the same for both products, here we refer to the command mode for both products as flow record configuration mode. However, for Flexible NetFlow, the mode is also known as Flexible NetFlow flow record configuration mode; and for Performance Monitor, the mode is also known as Performance Monitor flow record configuration mode.
A flow record requires at least one key field before it can be used in a flow monitor. The key fields differentiate flows, with each flow having a unique set of values for the key fields. The key fields are defined using the match command.
Examples
Cisco Performance Monitor in Cisco IOS Release 15.2(2)T and XE 3.5S
The following example configures the hop limit of the packets in the flow as a key field:
Router(config)# flow record FLOW-RECORD-1 Router(config-flow-record)# match ipv6 hop-limitThe following example configures the hop limit of the packets in the flow as a key field:
Router(config)# flow record type performance-monitor RECORD-1 Router(config-flow-record)# match ipv6 hop-limitmatch ra prefix-list
To verify the advertised prefixes in inspected messages from the authorized prefix list, use the match ra prefix-list command in RA guard policy configuration mode.
Usage Guidelines
The match ra prefix-list command enables verification of the advertised prefixes in inspected messages from the configured authorized prefix list. Use the ipv6 prefix-list command to configure an IPv6 prefix list. For instance, to authorize the 2001:101::/64 prefixes and deny the 2001:100::/64 prefixes, define the following IPv6 prefix list:
Router(config)# ipv6 prefix-list listname1 deny 2001:0DB8:101:/64 Router(config)# ipv6 prefix-list listname1 permit 2001:0DB8:100::/64Examples
The following example shows how the command defines an router advertisement (RA) guard policy name as raguard1, places the router in RA guard policy configuration mode, and verifies the advertised prefixes in listname1:
Router(config)# ipv6 nd raguard policy raguard1 Router(config-ra-guard)# match ra prefix-list listname1max-through
To limit multicast router advertisements (RAs) per VLAN per throttle period, use the max-through command in IPv6 RA throttle policy configuration mode. To reset the command to its defaults, use the no form of this command.
Syntax Description
mt-value Number of multicast RAs allowed on the VLAN before throttling occurs. The range is from 0 through 256.
inherit Merges the setting between target policies.
no-limit Multicast RAs are not limited on the VLAN.
Command History
medium-type
To indicate whether a device is wired or wireless, use the medium-type command in IPv6 RA throttle policy configuration mode. To reset the command to its defaults, use the no form of this command.
Syntax Description
access-point The attached device is a radio access point and is throttled.
wired The attached device is wired and is not throttled.
Command History
mode dad-proxy
To enable duplicate address detection (DAD) proxy mode for IPv6 Neighbor Discovery (ND) suppress, use the mode dad-proxy command in ND suppress policy configuration mode. To disable this feature, use the no form of this command.
Command History
Release Modification 15.1(2)SG
This command was introduced.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
The IPv6 Dad proxy feature responds on behalf of the address's owner when an address is already in use. Use the mode dad-proxy command to enable IPv6 DAD proxy when using IPv6 ND suppress. If your device does not support IPv6 multicast suppress, you can enable IPv6 DAD proxy by entering the ipv6 nd dad-proxy command in global configuration mode.
network (IPv6)
To configure the network source of the next hop to be used by the PE VPN, use the network command in router configuration mode. To disable the source, use the no form of this command.
Command History
Release
Modification
12.2(33)SRB
This command was introduced.
12.2(33)SB
This command was integrated into Cisco IOS Release 12.2(33)SB.
12.2(33)SXI
This command was integrated into Cisco IOS Release 12.2(33)SXI.
Cisco IOS XE Release 3.1S
This command was integrated into Cisco IOS XE Release 3.1S.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Examples
The following example places the router in address family configuration mode and configures the network source to be used as the next hop:
Router(config)# router bgp 100 Router(config-router)# network 2001:DB8:100::1/128Related Commands
Command
Description
address-family ipv6
Enters address family configuration mode for configuring routing sessions such as BGP that use standard IPv6 address prefixes.
address-family vpnv6
Places the router in address family configuration mode for configuring routing sessions that use standard VPNv6 address prefixes.
other-config-flag
To verify the advertised “other” configuration parameter, use the other-config-flag command in RA guard policy configuration mode.
Usage Guidelines
The other-config-flag command enables verification of the advertised "other" configuration parameter (or "O" flag). This flag could be set by an attacker to force hosts to retrieve other configuration information through a Dynamic Host Configuration Protocol for IPv6 (DHCPv6) server that may not be trustworthy.
Examples
The following example shows how the command defines a router advertisement (RA) guard policy name as raguard1, places the router in RA guard policy configuration mode, and enables O flag verification:
Router(config)# ipv6 nd raguard policy raguard1 Router(config-ra-guard)# other-config-flag onpassive-interface (IPv6)
To disable sending routing updates on an interface, use the passive-interface command in router configuration mode. To reenable the sending of routing updates, use the no form of this command.
passive-interface [ default | interface-type interface-number ]
no passive-interface [ default | interface-type interface-number ]
Command Default
No interfaces are passive. Routing updates are sent to all interfaces on which the routing protocol is enabled.
Command History
Release
Modification
12.2(15)T
This command was introduced.
12.4(6)T
Support for Enhanced Internal Gateway Routing Protocol (EIGRP) IPv6 was added.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(33)SRB
This command was integrated into Cisco IOS Release 12.2(33)SRB.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
If you disable the sending of routing updates on an interface, the particular address prefix will continue to be advertised to other interfaces, and updates from other routers on that interface continue to be received and processed.
The default keyword sets all interfaces as passive by default. You can then configure individual interfaces where adjacencies are desired using the no passive-interface command. The default keyword is useful in Internet service provider (ISP) and large enterprise networks where many of the distribution routers have more than 200 interfaces.
OSPF for IPv6 routing information is neither sent nor received through the specified router interface. The specified interface address appears as a stub network in the OSPF for IPv6 domain.
For the Intermediate System-to-Intermediate System (IS-IS) protocol, this command instructs IS-IS to advertise the IP addresses for the specified interface without actually running IS-IS on that interface. The no form of this command for IS-IS disables advertising IP addresses for the specified address.
passive-interface (OSPFv3)
To suppress sending routing updates on an interface when using an IPv4 Open Shortest Path First version 3 (OSPFv3) process, use the passive-interface command in router configuration mode. To reenable the sending of routing updates, use the no form of this command.
passive-interface [ default | interface-type interface-number ]
no passive-interface [ default | interface-type interface-number ]
Command Default
No interfaces are passive. Routing updates are sent to all interfaces on which the routing protocol is enabled.
Command History
Release
Modification
15.1(3)S
This command was introduced.
Cisco IOS XE Release 3.4S
This command was integrated into Cisco IOS XE Release 3.4S.
15.2(1)T
This command was integrated into Cisco IOS Release 15.2(1)T.
15.1(1)SY
This command was integrated into Cisco IOS Release 15.1(1)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
If you suppress the sending of routing updates on an interface, the particular address prefix will continue to be advertised to other interfaces, and updates from other routers on that interface continue to be received and processed.
The default keyword sets all interfaces as passive by default. You can then configure individual interfaces where adjacencies are desired using the no passive-interface command. The default keyword is useful in Internet service provider (ISP) and large enterprise networks where many of the distribution routers have more than 200 interfaces.
permit (IPv6)
To set permit conditions for an IPv6 access list, use the permit command in IPv6 access list configuration mode. To remove the permit conditions, use the no form of this command.
permit protocol { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [ reflect name [ timeout value ] ] [routing] [ routing-type routing-number ] [ sequence value ] [ time-range name ]
no permit protocol { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [ reflect name [ timeout value ] ] [routing] [ routing-type routing-number ] [ sequence value ] [ time-range name ]
Internet Control Message Protocol
permit icmp { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ icmp-type [icmp-code] | icmp-message ] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [routing] [ routing-type routing-number ] [ sequence value ] [ time-range name ]
Transmission Control Protocol
permit tcp { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ack] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [established] [fin] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [ neq { port | protocol } ] [psh] [ range { port | protocol } ] [ reflect name [ timeout value ] ] [routing] [ routing-type routing-number ] [rst] [ sequence value ] [syn] [ time-range name ] [urg]
User Datagram Protocol
permit udp { source-ipv6-prefix/prefix-length | any | host source-ipv6-address | auth } [ operator [port-number] ] { destination-ipv6-prefix/prefix-length | any | host destination-ipv6-address | auth } [ operator [port-number] ] [ dest-option-type [ doh-number | doh-type ] ] [ dscp value ] [ flow-label value ] [fragments] [hbh] [log] [log-input] [mobility] [ mobility-type [ mh-number | mh-type ] ] [ neq { port | protocol } ] [ range { port | protocol } ] [ reflect name [ timeout value ] ] [routing] [ routing-type routing-number ] [ sequence value ] [ time-range name ]
Syntax Description
Command History
Release
Modification
12.0(23)S
This command was introduced.
12.2(13)T
This command was integrated into Cisco IOS Release 12.2(13)T.
12.2(14)S
This command was integrated into Cisco IOS Release 12.2(14)S.
12.4(2)T
The icmp-type argument was enhanced. The dest-option-type, mobility, mobility-type, and routing-type keywords were added. The doh-number, doh-type, mh-number, mh-type, and routing-number arguments were added.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Cisco IOS XE Release 2.1
This command was introduced on Cisco ASR 1000 series routers.
12.4(20)T
The auth keyword was added.
12.2(33)SRE
This command was integrated into Cisco IOS Release 12.2(33)SRE.
15.2(3)T
This command was modified. Support was added for the hbh keyword.
15.1(1)SY
This command was integrated into Cisco IOS Release 15.1(1)SY.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
The permit (IPv6) command is similar to the permit (IP) command, except that it is IPv6-specific.
Use the permit (IPv6) command following the ipv6 access-list command to define the conditions under which a packet passes the access list or to define the access list as a reflexive access list.
Specifying IPv6 for the protocol argument matches against the IPv6 header of the packet.
By default, the first statement in an access list is number 10, and the subsequent statements are incremented by 10.
You can add permit, deny, remark, or evaluate statements to an existing access list without retyping the entire list. To add a new statement anywhere other than at the end of the list, create a new statement with an appropriate entry number that falls between two existing entry numbers to indicate where it belongs.
In Cisco IOS Release 12.2(2)T or later releases, 12.0(21)ST, and 12.0(22)S, IPv6 access control lists (ACLs) are defined and their deny and permit conditions are set by using the ipv6 access-list command with the deny and permit keywords in global configuration mode. In Cisco IOS Release 12.0(23)S or later releases, IPv6 ACLs are defined by using the ipv6 access-list command in global configuration mode and their permit and deny conditions are set by using the deny and permit commands in IPv6 access list configuration mode. Refer to the ipv6 access-list command for more information on defining IPv6 ACLs.
NoteIn Cisco IOS Release 12.0(23)S or later releases, every IPv6 ACL has implicit permit icmp any any nd-na, permit icmp any any nd-ns, and deny ipv6 any any statements as its last match conditions. (The former two match conditions allow for ICMPv6 neighbor discovery.) An IPv6 ACL must contain at least one entry for the implicit deny ipv6 any any statement to take effect. The IPv6 neighbor discovery process makes use of the IPv6 network layer service; therefore, by default, IPv6 ACLs implicitly allow IPv6 neighbor discovery packets to be sent and received on an interface. In IPv4, the Address Resolution Protocol (ARP), which is equivalent to the IPv6 neighbor discovery process, makes use of a separate data link layer protocol; therefore, by default, IPv4 ACLs implicitly allow ARP packets to be sent and received on an interface.
Both the source-ipv6-prefix/prefix-length and destination-ipv6-prefix/prefix-length arguments are used for traffic filtering (the source prefix filters traffic based upon the traffic source; the destination prefix filters traffic based upon the traffic destination).
NoteIPv6 prefix lists, not access lists, should be used for filtering routing protocol prefixes.
The fragments keyword is an option only if the operator [port-number] arguments are not specified.
The following is a list of ICMP message names:
- beyond-scope
- destination-unreachable
- echo-reply
- echo-request
- header
- hop-limit
- mld-query
- mld-reduction
- mld-report
- nd-na
- nd-ns
- next-header
- no-admin
- no-route
- packet-too-big
- parameter-option
- parameter-problem
- port-unreachable
- reassembly-timeout
- renum-command
- renum-result
- renum-seq-number
- router-advertisement
- router-renumbering
- router-solicitation
- time-exceeded
- unreachable
Defining Reflexive Access Lists
To define an IPv6 reflexive list, a form of session filtering, use the reflect keyword in the permit (IPv6) command. The reflect keyword creates an IPv6 reflexive access list and triggers the creation of entries in the reflexive access list. The reflect keyword must be an entry (condition statement) in an IPv6 access list.
NoteFor IPv6 reflexive access lists to work, you must nest the reflexive access list using the evaluate command.
If you are configuring IPv6 reflexive access lists for an external interface, the IPv6 access list should be one that is applied to outbound traffic.
If you are configuring an IPv6 reflexive access list for an internal interface, the IPv6 access list should be one that is applied to inbound traffic.
IPv6 sessions that originate from within your network are initiated with a packet exiting your network. When such a packet is evaluated against the statements in the IPv6 access list, the packet is also evaluated against the IPv6 reflexive permit entry.
As with all IPv6 access list entries, the order of entries is important, because they are evaluated in sequential order. When an IPv6 packet reaches the interface, it will be evaluated sequentially by each entry in the access list until a match occurs.
If the packet matches an entry prior to the reflexive permit entry, the packet will not be evaluated by the reflexive permit entry, and no temporary entry will be created for the reflexive access list (session filtering will not be triggered).
The packet will be evaluated by the reflexive permit entry if no other match occurs first. Then, if the packet matches the protocol specified in the reflexive permit entry, the packet is forwarded and a corresponding temporary entry is created in the reflexive access list (unless the corresponding entry already exists, indicating that the packet belongs to a session in progress). The temporary entry specifies criteria that permit traffic into your network only for the same session.
Characteristics of Reflexive Access List Entries
The permit (IPv6) command with the reflect keyword enables the creation of temporary entries in the same IPv6 reflexive access list that was defined by the permit (IPv6) command. The temporary entries are created when an IPv6 packet exiting your network matches the protocol specified in the permit (IPv6) command. (The packet “triggers” the creation of a temporary entry.) These entries have the following characteristics:
- The entry is a permit entry.
- The entry specifies the same IP upper-layer protocol as the original triggering packet.
- The entry specifies the same source and destination addresses as the original triggering packet, except that the addresses are swapped.
- If the original triggering packet is TCP or UDP, the entry specifies the same source and destination port numbers as the original packet, except that the port numbers are swapped.
- If the original triggering packet is a protocol other than TCP or UDP, port numbers do not apply, and other criteria are specified. For example, for ICMP, type numbers are used: The temporary entry specifies the same type number as the original packet (with only one exception: if the original ICMP packet is type 8, the returning ICMP packet must be type 0 to be matched).
- The entry inherits all the values of the original triggering packet, with exceptions only as noted in the previous four bullets.
- IPv6 traffic entering your internal network will be evaluated against the entry, until the entry expires. If an IPv6 packet matches the entry, the packet will be forwarded into your network.
- The entry will expire (be removed) after the last packet of the session is matched.
- If no packets belonging to the session are detected for a configured length of time (the timeout period), the entry will expire.
Examples
The following example configures two IPv6 access lists named OUTBOUND and INBOUND and applies both access lists to outbound and inbound traffic on Ethernet interface 0. The first and second permit entries in the OUTBOUND list permit all TCP and UDP packets from network 2001:ODB8:0300:0201::/64 to exit out of Ethernet interface 0. The entries also configure the temporary IPv6 reflexive access list named REFLECTOUT to filter returning (incoming) TCP and UDP packets on Ethernet interface 0. The first deny entry in the OUTBOUND list keeps all packets from the network FEC0:0:0:0201::/64 (packets that have the site-local prefix FEC0:0:0:0201 as the first 64 bits of their source IPv6 address) from exiting out of Ethernet interface 0. The third permit entry in the OUTBOUND list permits all ICMP packets to exit out of Ethernet interface 0.
The permit entry in the INBOUND list permits all ICMP packets to enter Ethernet interface 0. The evaluate command in the list applies the temporary IPv6 reflexive access list named REFLECTOUT to inbound TCP and UDP packets on Ethernet interface 0. When outgoing TCP or UDP packets are permitted on Ethernet interface 0 by the OUTBOUND list, the INBOUND list uses the REFLECTOUT list to match (evaluate) the returning (incoming) TCP and UDP packets. Refer to the evaluate command for more information on nesting IPv6 reflexive access lists within IPv6 ACLs.
ipv6 access-list OUTBOUND permit tcp 2001:0DB8:0300:0201::/64 any reflect REFLECTOUT permit udp 2001:0DB8:0300:0201::/64 any reflect REFLECTOUT deny FEC0:0:0:0201::/64 any permit icmp any any ipv6 access-list INBOUND permit icmp any any evaluate REFLECTOUT interface ethernet 0 ipv6 traffic-filter OUTBOUND out ipv6 traffic-filter INBOUND in
NoteGiven that a permit any any statement is not included as the last entry in the OUTBOUND or INBOUND access list, only TCP, UDP, and ICMP packets will be permitted out of and in to Ethernet interface 0 (the implicit deny all condition at the end of the access list denies all other packet types on the interface).
The following example shows how to allow the matching of any UDP traffic. The authentication header may be present.
permit udp any any sequence 10The following example shows how to allow the matching of only TCP traffic if the authentication header is also present.
permit tcp any any auth sequence 20The following example shows how to allow the matching of any IPv6 traffic where the authentication header is present.
permit ahp any any sequence 30Related Commands
Command
Description
deny (IPv6)
Sets deny conditions for an IPv6 access list.
evaluate (IPv6)
Nests an IPv6 reflexive access list within an IPv6 access list.
ipv6 access-list
Defines an IPv6 access list and enters IPv6 access list configuration mode.
ipv6 traffic-filter
Filters incoming or outgoing IPv6 traffic on an interface.
show ipv6 access-list
Displays the contents of all current IPv6 access lists.
prefix-glean
To enable the device to glean prefixes from IPv6 router advertisements (RAs) or Dynamic Host Configuration Protocol (DHCP), use the prefix-glean command in IPv6 snooping configuration mode. To learn only prefixes gleaned in one of these protocols and exclude the other, use the no form of this command.
Usage Guidelines
The prefix-glean command enables the device to learn prefixes in RA and DHCP traffic.protocol (IPv6)
To specify that addresses should be gleaned with Dynamic Host Configuration Protocol (DHCP) or Neighbor Discovery Protocol (NDP) or to associate the protocol with an IPv6 prefix list, use the protocol command. To disable address gleaning with DHCP or NDP, use the no form of the command.
Command Default
Snooping and recovery are attempted using both DHCP and NDP. No prefix list is used, all address ranges are accepted.
Usage Guidelines
If an address does not match the prefix list associated with DHCP or NDP, then control packets will be dropped and recovery of the binding table entry will not be attempted with that protocol.
- If there is no prefix list specified, all protocols are supported by default. There is no check and all addresses are accepted.
- Using the no protocol {dhcp | ndp} command indicates that a protocol will not to be used for snooping or gleaning.
- However, if the no protocol dhcp command is used, DHCP can still be used for binding table recovery.
- The NDP prefix list should be a superset of the DHCP prefix list, as addresses obtained by DHCP must be confirmed by NDP later.
- When a prefix list is given and a protocol packet indicates an address that does not match the prefix list for that protocol, the packet is dropped (unless the security level is “glean”).
- Data glean can recover with DHCP and NDP, though destination guard will only recovery through DHCP.
Examples
The following example shows a valid configuration for an IPv6 prefix list (“abc”) and shows that DHCP will be used to recover addresses that match the prefix list abc:
Device(config)# ipv6 prefix-list abc seq 5 permit 2001:DB8::/64 ge 128 ! Device(config-ipv6-snooping)# protocol dhcp prefix-list abcredistribute (IPv6)
To redistribute IPv6 routes from one routing domain into another routing domain, use the redistribute command in address family configuration or router configuration mode. To disable redistribution, use the no form of this command.
redistribute source-protocol [process-id] [ include-connected { level-1 | level-1-2 | level-2 } ] [as-number] [ metric { metric-value | transparent } ] [ metric-type type-value ] [ match { external [ 1 | 2 ] | internal | nssa-external [ 1 | 2 ] } ] [ tag tag-value ] [ route-map map-tag ]
no redistribute source-protocol [process-id] [include-connected] { level-1 | level-1-2 | level-2 } [as-number] [ metric { metric-value | transparent } ] [ metric-type type-value ] [ match { external [ 1 | 2 ] | internal | nssa-external [ 1 | 2 ] } ] [ tag tag-value ] [ route-map map-tag ]
Syntax Description
Command History
Release
Modification
12.2(15)T
This command was introduced.
12.4(6)T
Support for Enhanced Internal Gateway Routing Protocol (EIGRP) IPv6 was added.
12.2(28)SB
This command was integrated into Cisco IOS Release 12.2(28)SB.
12.2(25)SG
This command was integrated into Cisco IOS Release 12.2(25)SG.
12.2(33)SRA
This command was integrated into Cisco IOS Release 12.2(33)SRA.
12.2(33)SXH
This command was integrated into Cisco IOS Release 12.2(33)SXH.
Cisco IOS XE Release 2.1
This command was introduced on Cisco ASR 1000 Series Routers.
Cisco IOS XE Release 3.2SE
This command was integrated into Cisco IOS XE Release 3.2SE.
Usage Guidelines
Changing or disabling any keyword will not affect the state of other keywords.
A router receiving an IPv6 IS-IS route with an internal metric will consider the cost of the route from itself to the redistributing router plus the advertised cost to reach the destination. An external metric considers only the advertised metric to reach the destination.
IS-IS will ignore any configured redistribution of routes configured with the include-connected keyword. IS-IS will advertise a prefix on an interface if either IS-IS is running over the interface or the interface is configured as passive.
Routes learned from IPv6 routing protocols can be redistributed into IPv6 IS-IS at Level 1 into an attached area or at Level 2. The level-1-2 keyword allows both Level 1 and Level 2 routes in a single command.
For IPv6 RIP, use the redistributecommand to advertise static routes as if they were directly connected routes.
Caution
Advertising static routes as directly connected routes can cause routing loops if improperly configured.
Redistributed IPv6 RIP routing information should always be filtered by the distribute-list prefix-listrouter configuration command. Use of the distribute-list prefix-listcommand ensures that only those routes intended by the administrator are passed along to the receiving routing protocol.
NoteThe metric value specified in the redistribute command for IPv6 RIP supersedes the metric value specified using the default-metric command.
NoteIn IPv4, if you redistribute a protocol, by default you also redistribute the subnet on the interfaces over which the protocol is running. In IPv6 this is not the default behavior. To redistribute the subnet on the interfaces over which the protocol is running in IPv6, use the include-connected keyword. In IPv6 this functionality is not supported when the source protocol is BGP.
When the no redistribute command is configured, the parameter settings are ignored when the client protocol is IS-IS or EIGRP.
IS-IS redistribution will be removed completely when IS-IS level 1 and level 2 are removed by the user. IS-IS level settings can be configured using the redistribute command only.
The default redistribute type will be restored to OSPF when all route type values are removed by the user.
Examples
The following example configures IPv6 IS-IS to redistribute IPv6 BGP routes. The metric is specified as 5, and the metric type will be set to external, indicating that it has lower priority than internal metrics.
Router(config)# router isis Router(config-router)# address-family ipv6 Router(config-router-af)# redistribute bgp 64500 metric 5 metric-type externalThe following example redistributes IPv6 BGP routes into the IPv6 RIP routing process named cisco:
Router(config)# ipv6 router rip cisco Router(config-router)# redistribute bgp 42The following example redistributes IS-IS for IPv6 routes into the OSPF for IPv6 routing process 1:
Router(config)# ipv6 router ospf 1 Router(config-router)# redistribute isis 1 metric 32 metric-type 1 tag 85In the following example, ospf 1 redistributes the prefixes 2001:1:1::/64 and 2001:99:1::/64 and any prefixes learned through rip 1:
interface ethernet0/0 ipv6 address 2001:1:1::90/64 ipv6 rip 1 enable interface ethernet1/1 ipv6 address 2001:99:1::90/64 ipv6 rip 1 enable interface ethernet2/0 ipv6 address 2001:1:2::90/64 ipv6 ospf 1 area 1 ipv6 router ospf 1 redistribute rip 1 include-connectedThe following configuration example and output show the no redistribute command parameters when the last route type value is removed:
Router(config-router)# redistribute rip process1 metric 7 Router(config-router)# do show run | include redistribute redistribute rip process1 metric 7 Router(config-router)# no redistribute rip process1 metric 7 Router(config-router)# do show run | include redistribute redistribute rip process1 Router(config-router)#Related Commands
Command
Description
default-metric
Specifies a default metric for redistributed routes.
distribute-list prefix-list (IPv6 EIGRP)
Applies a prefix list to EIGRP for IPv6 routing updates that are received or sent on an interface.
distribute-list prefix-list (IPv6 RIP)
Applies a prefix list to IPv6 RIP routing updates that are received or sent on an interface.
redistribute isis (IPv6)
Redistributes IPv6 routes from one routing domain into another routing domain using IS-IS as both the target and source protocol.
router-preference maximum
To verify the advertised default router preference parameter value, use the router-preference maximum command in RA guard policy configuration mode.
Usage Guidelines
The router-preference maximum command enables verification that the advertised default router preference parameter value is lower than or equal to a specified limit. You can use this command to give a lower priority to default routers advertised on trunk ports, and to give precedence to default routers advertised on access ports.
The router-preference maximum command limit are high, medium, or low. If, for example, this value is set to medium and the advertised default router preference is set to high in the received packet, then the packet is dropped. If the command option is set to medium or low in the received packet, then the packet is not dropped.
Examples
The following example shows how the command defines a router advertisement (RA) guard policy name as raguard1, places the router in RA guard policy configuration mode, and configures router-preference maximum verification to be high:
Router(config)# ipv6 nd raguard policy raguard1 Router(config-ra-guard)# router-preference maximum high
