IP Services Commands
Use the commands in this chapter to configure
various IP services. For configuration information and examples on IP
services, refer to the "Configuring IP Services" chapter of the
Network Protocols Configuration Guide,
Part 1.
access-class
To restrict incoming and outgoing connections
between a particular virtual terminal line (into a Cisco device) and the
addresses in an access list, use the access-class
line configuration command. To remove access restrictions, use the
no form of this command.
access-class
access-list-number
{in
| out}
no access-class
access-list-number
{in |
out}
Syntax Description
|
access-list-number |
Number of an IP access list. This is a
decimal number from 1 to 199 or from 1300 to 2699.
|
|
in
|
Restricts incoming connections between
a particular Cisco device and the addresses in the access
list. |
|
out
|
Restricts outgoing connections between
a particular Cisco device and the addresses in the access
list. |
Defaults
No access lists are defined.
Command Modes
Line configuration
Command History
|
Release
|
Modification
|
|
10.0 |
This command was introduced.
|
Usage Guidelines
Remember to set identical
restrictions on all the virtual terminal lines because a user can
connect to any of them.
To display the access lists for a particular
terminal line, use the show line EXEC command and
specify the line number.
Examples
The following example defines an access list that
permits only hosts on network 192.89.55.0 to connect to the virtual
terminal ports on the router:
access-list 12 permit 192.89.55.0 0.0.0.255
The following example defines an access list that
denies connections to networks other than network 36.0.0.0 on terminal
lines 1 through 5:
access-list 10 permit 36.0.0.0 0.255.255.255
Related Commands
|
Command
|
Description
|
|
show line
|
Displays the parameters of a terminal
line. |
access-list (IP extended)
To define an extended IP access list, use the
extended version of the access-list global
configuration command. To remove the access lists, use the
no form of this command.
access-list
access-list-number
[dynamic
dynamic-name
[timeout
minutes]]
{deny
| permit}
protocol source
source-wildcard
destination
destination-wildcard
[precedence
precedence]
[tos
tos]
[log |
log-input] [fragments]
no
access-list
access-list-number
Internet Control Message Protocol (ICMP)
access-list
access-list-number
[dynamic
dynamic-name [timeout
minutes]]
{deny
| permit}
icmp source
source-wildcard
destination
destination-wildcard
[icmp-type
| [[icmp-type
icmp-code] | [icmp-message]]
[precedence
precedence]
[tos
tos]
[log
| log-input] [fragments]
Internet Group Management Protocol (IGMP)
access-list
access-list-number
[dynamic
dynamic-name [timeout
minutes]]
{deny
| permit}
igmp source
source-wildcard destination destination-wildcard
[igmp-type]
[precedence
precedence]
[tos
tos]
[log |
log-input] [fragments]
TCP
access-list
access-list-number
[dynamic
dynamic-name [timeout
minutes]]
{deny
| permit}
tcp
source
source-wildcard [operator
port [port]]
destination destination-wildcard
[operator port
[port]]
[established]
[precedence
precedence]
[tos
tos]
[log |
log-input] [fragments]
User Datagram Protocol (UDP)
access-list
access-list-number
[dynamic
dynamic-name [timeout
minutes]]
{deny
| permit}udp
source
source-wildcard [operator
port [port]]
destination
destination-wildcard
[operator
port [port]]
[precedence
precedence]
[tos
tos]
[log
| log-input] [fragments]
Caution
Enhancements
to this command are backward compatible; migrating from releases
prior to Release 11.1 will convert your access lists automatically.
However, releases prior to Release 11.1 are not upwardly compatible
with these enhancements. Therefore, if you save an access list with
these images and then use software prior to Release 11.1, the
resulting access list will not be interpreted correctly.
This could cause you severe security problems.
Save your old configuration file before booting these images.
Syntax Description
|
access-list-number |
Number of an access list. This is a
decimal number from 100 to 199 or from 2000 to 2699.
|
|
dynamic
dynamic-name |
(Optional) Identifies this access list
as a dynamic access list. Refer to lock-and-key access
documented in the "Configuring Lock-and-Key Security
(Dynamic Access Lists)" chapter in the
Security Configuration Guide. |
|
timeout
minutes |
(Optional) Specifies the absolute
length of time (in minutes) that a temporary access list
entry can remain in a dynamic access list. The default is an
infinite length of time and allows an entry to remain
permanently. Refer to lock-and-key access documented in the
"Configuring Lock-and-Key Security (Dynamic Access Lists)"
chapter in the Security Configuration
Guide. |
|
deny
|
Denies access if the conditions are
matched. |
|
permit
|
Permits access if the conditions are
matched. |
|
protocol
|
Name or number of an IP protocol. It
can be one of the keywords eigrp,
gre, icmp, igmp,
igrp, ip,
ipinip, nos,
ospf, pim,
tcp, or udp,
or an integer in the range 0 to 255 representing an IP
protocol number. To match any Internet protocol (including
ICMP, TCP, and UDP) use the keyword ip.
Some protocols allow further qualifiers described below.
|
|
source
|
Number of the network or host from
which the packet is being sent. There are three alternative
ways to specify the source: •Use
a 32-bit quantity in four-part, dotted-decimal format.
•Use
the keyword any as an abbreviation
for a source and
source-wildcard of 0.0.0.0
255.255.255.255. •Use
host source
as an abbreviation for a source
and source-wildcard of
source 0.0.0.0. |
|
source-wildcard
|
Wildcard bits to be applied to source.
Each wildcard bit set to zero indicates that the
corresponding bit position in the packet's ip address must
exactly match the bit value in the corresponding bit
position in the source. Each wildcard bit set to one
indicates that both a zero bit and a one bit in the
corresponding position of the packet's ip address will be
considered a match to this access list entry. There are three alternative ways to
specify the source wildcard: •Use
a 32-bit quantity in four-part, dotted-decimal format. Place
ones in the bit positions you want to ignore.
For example, 0.0.255.255 to require an exact match of only
the first 16 bits of the source.
•Use
the keyword any as an abbreviation
for a source and
source-wildcard of 0.0.0.0
255.255.255.255. •Use
host source
as an abbreviation for a source
and source-wildcard of
source 0.0.0.0. Wildcard bits set to one do not need to
be contiguous in the source-wildcard.
For example, a source-wildcard of
0.255.0.64 would be valid. |
|
destination
|
Number of the network or host to which
the packet is being sent. There are three alternative ways
to specify the destination: •Use
a 32-bit quantity in four-part, dotted-decimal format.
•Use
the keyword any as an abbreviation
for the destination and
destination-wildcard of 0.0.0.0
255.255.255.255. •Use
host
destination as an abbreviation for a
destination and
destination-wildcard of
destination 0.0.0.0. |
|
destination-wildcard |
Wildcard bits to be applied to the
destination. There are three alternative ways to specify the
destination wildcard:
•Use
a 32-bit quantity in four-part, dotted-decimal format. Place
ones in the bit positions you want to ignore. •Use
the keyword any as an abbreviation
for a destination and
destination-wildcard of 0.0.0.0
255.255.255.255. •Use
host
destination as an abbreviation for a
destination and
destination-wildcard of
destination 0.0.0.0. |
|
precedence
precedence |
(Optional) Packets can be filtered by
precedence level, as specified by a number from 0 to 7 or by
name as listed in the section "Usage Guidelines."
|
|
tos
tos |
(Optional) Packets can be filtered by
type of service level, as specified by a number from 0 to 15
or by name as listed in the section "Usage Guidelines."
|
|
icmp-type
|
(Optional) ICMP packets can be filtered
by ICMP message type. The type is a number from 0 to 255.
|
|
icmp-code
|
(Optional) ICMP packets that are
filtered by ICMP message type can also be filtered by the
ICMP message code. The code is a number from 0 to 255.
|
|
icmp-message
|
(Optional) ICMP packets can be filtered
by an ICMP message type name or ICMP message type and code
name. The possible names are found in the section "Usage
Guidelines." |
|
igmp-type
|
(Optional) IGMP packets can be filtered
by IGMP message type or message name. A message type is a
number from 0 to 15. IGMP message names are listed in the
section "Usage Guidelines." |
|
operator
|
(Optional) Compares source or
destination ports. Possible operands include
lt (less than),
gt (greater than), eq (equal),
neq (not equal), and
range (inclusive range). If the operator is positioned after the
source
and source-wildcard, it must
match the source port. If the operator is positioned after the
destination and
destination-wildcard, it must
match the destination port. The range
operator requires two port numbers. All other operators
require one port number. |
|
port
|
(Optional) The decimal number or name
of a TCP or UDP port. A port number is a number from 0 to
65535. TCP port names are listed in the section "Usage
Guidelines." TCP port names can only be used when filtering
TCP. UDP port names are listed in the section "Usage
Guidelines." UDP port names can only be used when filtering
UDP. TCP port names can only be used when
filtering TCP. UDP port names can only be used when
filtering UDP. |
|
established
|
(Optional) For the TCP protocol only:
Indicates an established connection. A match occurs if the
TCP datagram has the ACK, FIN, PSH, RST, SYN or URG control
bits set. The nonmatching case is that of the initial TCP
datagram to form a connection. |
|
log
|
(Optional) Causes an informational
logging message about the packet that matches the entry to
be sent to the console. (The level of messages logged to the
console is controlled by the logging
console command.) The message includes the access list
number, whether the packet was permitted or denied; the
protocol, whether it was TCP, UDP, ICMP or a number; and, if
appropriate, the source and destination addresses and source
and destination port numbers. The message is generated for
the first packet that matches, and then at 5-minute
intervals, including the number of packets permitted or
denied in the prior 5-minute interval. The logging facility might drop some
logging message packets if there are too many to be handled
or if there is more than one logging message to be handled
in 1 second. This behavior prevents the router from crashing
due to too many logging packets. Therefore, the logging
facility should not be used as a billing tool or an accurate
source of the number of matches to an access list. |
|
log-input
|
(Optional) Includes the input interface
and source MAC address or VC in the logging output. |
|
fragments
|
(Optional)
The access list entry applies to noninitial fragments
of packets; the fragment is either permitted or denied
accordingly. For more details about the
fragments keyword, see the "Access
List Processing of Fragments" and "Fragments
and Policy Routing" sections in the "Usage Guidelines"
section. |
Defaults
An extended access list defaults to a list that
denies everything. An extended access list is terminated by an implicit
deny statement.
Command Modes
Global configuration
Command History
|
Release
|
Modification
|
|
10.0 |
This command and the UDP form of this
command were introduced. |
|
10.3 |
The ICMP, IGMP, and TCP forms of this
command were introduced. The following keywords and arguments
were added: •source
•source-wildcard
•destination
•destination-wildcard
•precedence
precedence •icmp-type
•icm-code
•icmp-message
•igmp-type
•operator
•port
•established
|
|
11.1 |
The following keywords and arguments
were added: •dynamic
dynamic-name •timeout
minutes |
|
11.2 |
The following keyword was added:
•log-input
|
|
12.0(11)
|
The fragments
keyword was added. |
Usage Guidelines
You can use access lists to control the
transmission of packets on an interface, control virtual terminal line
access, and restrict contents of routing updates. The Cisco IOS software
stops checking the extended access list after a match occurs.
Note
After
an access list is created initially, any subsequent additions (possibly
entered from the terminal) are placed at the end of the list. In other
words, you cannot selectively add or remove access list command lines
from a specific access list.
The following is a list of precedence names:
|
•critical
•flash
•flash-override
•immediate
•internet
•network
•priority
•routine
The following is a list of type of service (TOS)
names: •max-reliability
•max-throughput
•min-delay
•min-monetary-cost
•normal
The following is a list of ICMP message type names
and ICMP message type and code names: •administratively-prohibited
•alternate-address
•conversion-error
•dod-host-prohibited
•dod-net-prohibited
•echo
•echo-reply
•general-parameter-problem
•host-isolated
•host-precedence-unreachable
•host-redirect
•host-tos-redirect
•host-tos-unreachable
•host-unknown
•host-unreachable
•information-reply
•information-request
|
•mask-reply
•mask-request
•mobile-redirect
•net-redirect
•net-tos-redirect
•net-tos-unreachable
•net-unreachable
•network-unknown
•no-room-for-option
•option-missing
•packet-too-big
•parameter-problem
•port-unreachable
•precedence-unreachable
•protocol-unreachable
•reassembly-timeout
•redirect
•router-advertisement
•router-solicitation
•source-quench
•source-route-failed
•time-exceeded
•timestamp-reply
•timestamp-request
•traceroute
•ttl-exceeded
•unreachable
|
|
The following is a list of IGMP message names:
|
|
|
•dvmrp
•host-query
•host-report
•pim
•trace
|
|
|
The following is a list of TCP port names that can
be used instead of port numbers. Refer to the current Assigned Numbers
RFC to find a reference to these protocols. Port numbers corresponding
to these protocols can also be found by typing a ? in the place of a
port number.
|
|
•bgp
•chargen
•daytime
•discard
•domain
•echo
•finger
•ftp
•ftp-data
•gopher
•hostname
•irc
•klogin
•kshell
•lpd
|
•nntp
•pop2
•pop3
•smtp
•sunrpc
•syslog
•tacacs-ds
•talk
•telnet
•time
•uucp
•whois
•www
|
|
The following is a list of UDP port names that can
be used instead of port numbers. Refer to the current Assigned Numbers
RFC to find a reference to these protocols. Port numbers corresponding
to these protocols can also be found by typing a ? in the place of a
port number.
|
|
•biff
•bootpc
•bootps
•discard
•dns
•dnsix
•echo
•mobile-ip
•nameserver
•netbios-dgm
•netbios-ns
•ntp
•rip
|
•snmp
•snmptrap
•sunrpc
•syslog
•tacacs-ds
•talk
•tftp
•time
•who
•xdmcp
|
| |
|
Access List Processing of Fragments
The behavior of access-list entries regarding the
use or lack of the fragments keyword can be
summarized as follows:
|
If the Access-List Entry has...
|
Then..
|
|
...no fragments
keyword (the default behavior), and assuming all of the
access-list entry information matches, |
For an access-list entry containing
only Layer 3 information: •The
entry is applied to nonfragmented packets, initial fragments
and noninitial fragments. For an access list entry containing
Layer 3 and Layer 4 information: •The
entry is applied to nonfragmented packets and initial
fragments. –If
the entry is a permit statement,
the packet or fragment is permitted. –If
the entry is a deny statement,
the packet or fragment is denied. •The
entry is also applied to noninitial fragments in the
following manner. Because noninitial fragments contain only
Layer 3 information, only the Layer 3 portion of an
access-list entry can be applied. If the Layer 3 portion of
the access-list entry matches, and –If
the entry is a permit statement,
the noninitial fragment is permitted. –If
the entry is a deny statement,
the next access-list entry is processed.
Note
The
deny statements are handled
differently for noninitial fragments versus nonfragmented or
initial fragments.
|
|
...the fragments
keyword, and assuming all of the access-list entry
information matches, |
The access-list entry is applied only
to noninitial fragments.
Note
The
fragments keyword cannot be
configured for an access-list entry that contains any Layer
4 information.
|
Be aware that you should not simply add the
fragments keyword to every access list entry
because the first fragment of the IP packet is considered a nonfragment
and is treated independently of the subsequent fragments. An initial
fragment will not match an access list permit
or deny entry that contains the
fragments keyword, the packet is compared to the
next access list entry, and so on, until it is either permitted or
denied by an access list entry that does not contain the
fragments keyword. Therefore, you may need two
access list entries for every deny entry. The
first deny entry of the pair will not include
the fragments keyword, and applies to the
initial fragment. The second deny entry of
the pair will include the fragments keyword and
applies to the subsequent fragments. In the cases where there are
multiple deny access list entries for the
same host but with different Layer 4 ports, a single
deny access-list entry with the
fragments keyword for that host is all that
needs to be added. Thus all the fragments of a packet are handled in the
same manner by the access list.
Packet fragments of IP datagrams are considered
individual packets and each counts individually as a packet in access
list accounting and access list violation counts.
Note
The
fragments keyword cannot solve all cases
involving access lists and IP fragments.
Fragments and Policy Routing
Fragmentation and the fragment control feature
affect policy routing if the policy routing is based on the
match ip address command and the access list
had entries that match on Layer 4 through 7 information. It is possible
that noninitial fragments pass the access list and are policy routed,
even if the first fragment was not policy routed or the reverse.
By using the fragments
keyword in access list entries as described earlier, a better match
between the action taken for initial and noninitial fragments can be
made and it is more likely policy routing will occur as intended.
Examples
In the following example, serial interface 0 is
part of a Class B network with the address 128.88.0.0, and the mail
host's address is 128.88.1.2. The
keyword established is used only for the TCP
protocol to indicate an established connection. A match occurs if the
TCP datagram has the ACK or RST bits set, which indicate that the packet
belongs to an existing connection.
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
The following example also permit Domain Naming
System (DNS) packets and ICMP echo and echo reply packets:
access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
access-list 102 permit tcp any host 128.88.1.2 eq smtp
access-list 102 permit tcp any any eq domain
access-list 102 permit udp any any eq domain
access-list 102 permit icmp any any echo
access-list 102 permit icmp any any echo-reply
The following examples show how wildcard bits are
used to indicate the bits of the prefix or mask that are relevant. They
are similar to the bitmasks that are used with normal access lists.
Prefix/mask bits corresponding to wildcard bits set to 1 are ignored
during comparisons and prefix/mask bits corresponding to wildcard bits
set to 0 are used in comparison.
In the following example, permit 192.108.0.0
255.255.0.0 but deny any more specific routes of 192.108.0.0 (including
192.108.0.0 255.255.255.0).
access-list 101 permit ip 192.108.0.0 0.0.0.0 255.255.0.0 0.0.0.0
access-list 101 deny ip 192.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
In the following example, permit 131.108.0/24 but
deny 131.108/16 and all other subnets of 131.108.0.0.
access-list 101 permit ip 131.108.0.0 0.0.0.0 255.255.255.0 0.0.0.0
access-list 101 deny ip 131.108.0.0 0.0.255.255 255.255.0.0 0.0.255.255
Related Commands
|
Command
|
Description
|
|
access-class |
Restricts incoming and outgoing
connections between a particular vty (into a Cisco device)
and the addresses in an access list. |
|
access-list (IP standard) |
Defines a standard IP access list.
|
|
clear access-template
|
Clears a temporary access list entry
from a dynamic access list manually. |
|
distribute-list in
(IP) |
Filters networks received in updates.
|
|
distribute-list out
(IP) |
Suppresses networks from being
advertised in updates. |
|
ip access-group |
Controls access to an interface.
|
|
ip access-list |
Defines an IP access list by name.
|
|
ip accounting |
Enables IP accounting on an interface.
|
|
logging console
|
Limits messages logged to the console
based on severity. |
|
show access-lists |
Displays the contents of current IP and
rate-limit access lists. |
|
show ip access-list |
Displays the contents of all current IP
access lists. |
access-list (IP standard)
To define a standard IP access list, use the
standard version of the access-list global
configuration command. To remove a standard access lists, use the
no form of this command.
access-list
access-list-number
{deny
| permit}
source
[source-wildcard]
[log]
no access-list
access-list-number
Caution
Enhancements
to this command are backward compatible; migrating from releases
prior to Release 10.3 will convert your access lists automatically.
However, releases prior to Release 10.3 are not upwardly compatible
with these enhancements. Therefore, if you save an access list with
these images and then use software prior to Release 10.3, the
resulting access list will not be interpreted correctly.
This could cause you
severe security problems. Save your old configuration file
before booting these images.
Syntax Description
|
access-list-number |
Number of an access list. This is a
decimal number from1 to 99 or from 1300 to 1999. |
|
deny
|
Denies access if the conditions are
matched. |
|
permit
|
Permits access if the conditions are
matched. |
|
source
|
Number of the network or host from
which the packet is being sent. There are two alternative
ways to specify the source: Use a 32-bit quantity in four-part,
dotted-decimal format. Use the keyword any
as an abbreviation for a source
and source-wildcard of 0.0.0.0
255.255.255.255. |
|
source-wildcard
|
(Optional) Wildcard bits to be applied
to source. Each wildcard bit set to zero indicates that the
corresponding bit position in the packet's ip address must
exactly match the bit value in the corresponding bit
position in the source. Each wildcard bit set to one
indicates that both a zero bit and a one bit in the
corresponding position of the packet's ip address will be
considered a match to this access list entry. There are two alternative ways to
specify the source wildcard: Use a 32-bit quantity in four-part,
dotted-decimal format. Place ones in the bit positions you
want to ignore. For example,
0.0.255.255 to require an exact match of only the first 16
bits of the source.
Use the keyword any
as an abbreviation for a source
and source-wildcard of 0.0.0.0
255.255.255.255. Wildcard bits set to one do not need to
be contiguous in the source-wildcard.
For example, a source-wildcard of
0.255.0.64 would be valid. |
|
log
|
(Optional) Causes an informational
logging message about the packet that matches the entry to
be sent to the console. (The level of messages logged to the
console is controlled by the logging
console command.) The message includes the access list
number, whether the packet was permitted or denied, the
source address, and the number of packets. The message is
generated for the first packet that matches, and then at
5-minute intervals, including the number of packets
permitted or denied in the prior 5-minute interval. The logging facility might drop some
logging message packets if there are too many to be handled
or if there is more than one logging message to be handled
in 1 second. This behavior prevents the router from crashing
due to too many logging packets. Therefore, the logging
facility should not be used as a billing tool or an accurate
source of the number of matches to an access list. |
Defaults
The access list defaults to an implicit deny
statement for everything. The access list is always terminated by an
implicit deny statement for everything.
Command Modes
Global configuration
Command History
|
Release
|
Modification
|
|
10.3 |
This command was introduced.
|
|
11.3(3)T
|
The log keyword
was added. |
Usage Guidelines
Plan your access conditions carefully and be aware
of the implicit deny statement at the end of the access list.
You can use access lists to control the
transmission of packets on an interface, control virtual terminal line
access, and restrict the contents of routing updates.
Use the
show access-lists EXEC command to display the
contents of all access lists.
Use the
show ip access-list EXEC command to display the
contents of one access list.
Examples
The following example of a standard access list
allows access for only those hosts on the three specified networks. The
wildcard bits apply to the host portions of the network addresses. Any
host with a source address that does not match the access list
statements will be rejected.
access-list 1 permit 192.5.34.0 0.0.0.255
access-list 1 permit 128.88.0.0 0.0.255.255
access-list 1 permit 36.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)
The following example of a standard access list
allows access for devices with IP addresses in the range 10.29.2.64 to
10.29.2.127. All packets with a source address not in this range will be
rejected.
access-list 1 permit 10.29.2.64 0.0.0.63
! (Note: all other access implicitly denied)
To specify a large number of individual addresses
more easily, you can omit the wildcard if it is all zeros. Thus, the
following two configuration commands are identical in effect:
access-list 2 permit 36.48.0.3
access-list 2 permit 36.48.0.3 0.0.0.0
Related Commands
|
Command
|
Description
|
|
access-class |
Restricts incoming and outgoing
connections between a particular vty (into a Cisco device)
and the addresses in an access list. |
|
access-list (IP extended) |
Defines an extended IP access list.
|
|
distribute-list in
(IP) |
Filters networks received in updates.
|
|
distribute-list out
(IP) |
Suppresses networks from being
advertised in updates. |
|
ip access-group |
Controls access to an interface.
|
|
show access-lists |
Displays the contents of current IP and
rate-limit access lists. |
|
show ip access-list |
Displays the contents of all current IP
access lists. |
clear access-list counters
To clear the counters of an access list, use the
clear access-list counters EXEC command.
clear access-list counters
{access-list-number
|
name}
Syntax Description
|
access-list-number |
Access list number of the access list
for which to clear the counters. |
|
name
|
Name of an IP access list. The name
cannot contain a space or quotation mark, and must begin
with an alphabetic character to avoid ambiguity with
numbered access lists. |
Command Modes
EXEC
Command History
|
Release
|
Modification
|
|
11.0 |
This command was introduced.
|
Usage Guidelines
Some access lists keep counters that count the
number of packets that pass each line of an access list. The
show access-lists command displays the counters as
a number of matches. Use the
clear access-list counters command to restart the counters for a
particular access list to 0.
Examples
The following example clears the counters for
access list 101:
clear access-list counters 101
Related Commands
|
Command
|
Description
|
|
show access-lists |
Displays the contents of current IP and
rate-limit access lists. |
clear ip accounting
To clear the active or checkpointed database when
IP accounting is enabled, use the clear ip
accounting EXEC command.
clear ip accounting
[checkpoint]
Syntax Description
|
checkpoint
|
(Optional) Clears the checkpointed
database. |
Command Modes
EXEC
Command History
|
Release
|
Modification
|
|
10.0 |
This command was introduced.
|
Usage Guidelines
You can also clear the checkpointed database by
issuing the clear ip accounting command twice
in succession.
Examples
The following example clears the active database
when IP accounting is enabled:
Related Commands
|
Command
|
Description
|
|
ip accounting |
Enables IP accounting on an interface.
|
|
ip accounting-list |
Defines filters to control the hosts
for which IP accounting information is kept. |
|
ip accounting-threshold |
Sets the maximum number of accounting
entries to be created. |
|
ip accounting-transits |
Controls the number of transit records
that are stored in the IP accounting database. |
|
show ip accounting |
Displays the active accounting or
checkpointed database or displays access list violations.
|
clear ip drp
To clear all statistics being collected on Director
Response Protocol (DRP) requests and replies, use the
clear ip drp EXEC command.
clear ip drp
Syntax Description
This command has no arguments or keywords.
Command Modes
EXEC
Command History
|
Release
|
Modification
|
|
11.2 F
|
This command was introduced.
|
Examples
The following example clears all DRP statistics:
Related Commands
clear tcp statistics
To clear TCP statistics, use the
clear tcp statistics EXEC command.
clear tcp statistics
Syntax Description
This command has no arguments or keywords.
Command Modes
Privileged EXEC
Command History
|
Release
|
Modification
|
|
11.3 |
This command was introduced.
|
Examples
The following example clears all TCP statistics:
Related Commands
deny (IP)
To set conditions for a named IP access list, use
the deny access-list configuration command.
To remove a deny condition from an access list, use the
no form of this command.
deny
{source [source-wildcard]
| any} [log]
no deny
{source
[source-wildcard]
| any}
deny
protocol
source
