Blog: Cisco Routing Configuration Commands

Requirement  Cisco Command

Set a console password to cisco   Router(config)#line con 0
Router(config-line)#login
Router(config-line)#password cisco
Set a telnet password   Router(config)#line vty 0 4
Router(config-line)#login
Router(config-line)#password cisco
Stop console timing out   Router(config)#line con 0
Router(config-line)#exec-timeout 0 0
Set the enable password to cisco   Router(config)#enable password cisco
Set the enable secret password to peter (this password overrides the enable password and is encrypted within the config file)   Router(config)#enable secret peter
Enable an interface   Router(config-if)#no shutdown
To disable an interface   Router(config-if)#shutdown
Set the clock rate for a router with a DCE cable to 64K   Router(config-if)#clock rate 64000
Set a logical bandwidth assignment of 64K to the serial interface (note that the zeroes are not missing)   Router(config-if)#bandwidth 64
To add an IP address to an interface   Router(config-if)#ip addr 10.1.1.1 255.255.255.0
To enable RIP on all 172.16.x.y interfaces   Router(config)#router rip
Router(config-router)#network 172.16.0.0
Disable RIP    Router(config)#no router rip
To enable IGRP with an AS of 200, to all interfaces   Router(config)#router igrp 200
Router(config-router)#network 172.16.0.0
Disable IGRP   Router(config)#no router igrp 200
Add a static route: the remote network is 172.16.1.0 with a mask of 255.255.255.0, the next hop is 172.16.2.1, at a cost of 5 hops   Router(config)#ip route 172.16.1.0 255.255.255.0 172.16.2.1 5
Disable CDP for the whole router   Router(config)#no cdp run
Enable CDP for the whole router   Router(config)#cdp run
Disable CDP on an interface   Router(config-if)#no cdp enable
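
A check for the password and line settings in the table above, as an added example that is not part of the original page: a Python audit that reads a configuration dump and reports passwords stored as typed, passwords shared between the enable and line prompts, a disabled idle timeout, and lines set to `login` with no password. The sample configuration and its secret hash are constructed, and the parser assumes the one-space indentation IOS prints for sub-commands.

```python
import re

# "password cisco" is stored as typed; "password 7 ..." / "secret 5 ..." carry a type digit.
PASSWORD_RE = re.compile(r"^(?:enable )?password (?:(\d+) )?(\S+)$")

# Constructed sample: roughly what the running configuration holds after typing
# the password rows of the table. The enable secret hash is a placeholder.
SAMPLE = """\
enable secret 5 $1$EXAMPLE$placeholderhashvalue000
enable password cisco
!
interface Ethernet0
 ip address 10.1.1.1 255.255.255.0
!
line con 0
 exec-timeout 0 0
 password cisco
 login
line aux 0
line vty 0 4
 password cisco
 login
!
end
"""


def split_sections(text):
    """Group a config into {header: [sub-commands]} using IOS's one-space
    indentation for sub-commands. Global commands map to an empty list."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            continue
        if line[0] == " " and current is not None:
            sections[current].append(line.strip())
        else:
            current = line
            sections[current] = []
    return sections


def audit(text):
    """Return a sorted list of (finding, location) tuples."""
    sections = split_sections(text)
    findings = set()
    seen = {}  # cleartext password -> locations that use it

    def check_password(command, where):
        m = PASSWORD_RE.match(command)
        if m and m.group(1) is None:  # no type digit: readable in the config
            findings.add(("cleartext-password", where))
            seen.setdefault(m.group(2), []).append(where)

    if not any(h.startswith("enable secret ") for h in sections):
        findings.add(("no-enable-secret", "global"))
    for header, subs in sections.items():
        if header.startswith("enable password "):
            check_password(header, "enable password")
        if not header.startswith("line "):
            continue
        for cmd in subs:
            check_password(cmd, header)
        if "exec-timeout 0 0" in subs:  # session never times out
            findings.add(("idle-timeout-disabled", header))
        # "login" with no line password: IOS refuses logins on that line.
        if "login" in subs and not any(c.startswith("password ") for c in subs):
            findings.add(("login-without-password", header))
    for where in seen.values():
        if len(where) > 1:
            findings.add(("password-reused", ", ".join(sorted(where))))
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```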

Cisco Router Show Commands
Requirement   Cisco Command
View version information   show version
View current configuration (DRAM)   show running-config
View startup configuration (NVRAM)   show startup-config
Show IOS file and flash space   show flash
Shows all logs that the router has in its memory   show log
View the interface status of interface e0   show interface e0
Overview of all interfaces on the router   show ip interface brief
View type of serial cable on s0   show controllers s 0 (note the space between the 's' and the '0')
Display a summary of connected cdp devices   show cdp neighbor
Display detailed information on all devices   show cdp entry *
Display current routing protocols   show ip protocols
Display IP routing table   show ip route
Display access lists, including the number of matches for each entry   show access-lists
Check the router can see the ISDN switch   show isdn status
Check Frame Relay PVC connections   show frame-relay pvc
show lmi traffic stats   show frame-relay lmi
Display the frame inverse ARP table   show frame-relay map
Cisco Router Basic Operations
Requirement   Cisco Command
Enter privileged mode   enable
Return to user mode from privileged   disable
Exit Router   logout or exit or quit
Recall last command   up arrow or
Recall next command   down arrow or
Suspend or abort     and  and 6 then x
Refresh screen output   
Complete command   TAB
Cisco Router Copy Commands
Requirement   Cisco Command
Save the current configuration from DRAM to NVRAM   copy running-config startup-config
Merge NVRAM configuration to DRAM   copy startup-config running-config
Copy DRAM configuration to a TFTP server   copy running-config tftp
Merge TFTP configuration with current router configuration held in DRAM   copy tftp running-config
Backup the IOS onto a TFTP server   copy flash tftp
Upgrade the router IOS from a TFTP server   copy tftp flash
Cisco Router Debug Commands
Requirement   Cisco Command
Enable debug for RIP   debug ip rip
Enable summary IGRP debug information   debug ip igrp events
Enable detailed IGRP debug information   debug ip igrp transactions
Debug IPX RIP   debug ipx routing activity
Debug IPX SAP   debug ipx sap
Enable debug for CHAP or PAP   debug ppp authentication
Switch all debugging off   no debug all
undebug all
Routing with Cisco 2500 and 1000 Series for LAN-ISDN Service
Commands - General
There are 3 different modes of operation within the Cisco IOS.
1.   Disabled mode
2.   Enabled mode
3.   Configuration mode
In the Disabled mode you can use a limited number of commands. This is used primarily to monitor the router.
The Enabled mode is used to show configuration information, enter the configuration mode, and make changes to the configuration.
The Configuration mode is used to enter and update the runtime configuration.
To get a list of the commands available on the Cisco router, type '?' at the prompt. To get further information about any command, type the command followed by a '?'.
clear   Reset functions
clock   Manage the system clock
configure   Enter configuration mode
debug   Debugging functions (see also 'undebug')
disable   Turn off privileged commands
enable   Turn on privileged commands
erase   Erase flash or configuration memory
exit   Exit from the EXEC
help   Description of the interactive help system
login   Log in as a particular user
logout   Exit from the EXEC
no   Disable debugging functions
ping   Send echo messages
reload   Halt and perform a cold restart
setup   Run the SETUP command facility
show   Show running system information
telnet   Open a telnet connection
terminal   Set terminal line parameters
test   Test subsystems, memory, and interfaces
traceroute   Trace route to destination
tunnel   Open a tunnel connection
undebug   Disable debugging functions (see also 'debug')
verify   Verify checksum of a Flash file
write   Write running configuration to memory, network, or terminal
________________________________________
show   
access-lists   List access lists
arp   ARP table
buffers   Buffer pool statistics
configuration   Contents of Non-Volatile memory
controllers   Interface controller status
debugging   State of each debugging option
dialer   Dialer parameters and statistics
extended   Extended Interface Information
flash   System Flash information
flh-log   Flash Load Helper log buffer
history   Display the session command history
hosts   IP domain-name, lookup style, name servers, and host table
interfaces   Interface status and configuration
ip   IP information
isdn   ISDN information
line   TTY line information
logging    Show the contents of logging buffers
memory   Memory statistics
privilege   Show current privilege level
processes   Active process statistics
protocols   Active network routing protocols
queue   Show queue contents
queueing   Show queueing configuration
reload   Scheduled reload information
route-map   route-map information
running-config    Current operating configuration
sessions    Information about Telnet connections
smf   Software MAC filter
stacks   Process stack utilization
startup-config   Contents of startup configuration
subsys   Show subsystem information
tcp   Status of TCP connections
terminal   Display terminal configuration parameters
users   Display information about terminal lines
version   System hardware and software status
Other Useful Commands
View the Software Version
View the Ethernet IP
View the Serial IP
View the Default Route
View the Filters
View the Bandwidth
Add a Static Route
Change the Dial Number
Turn Filters On and Off
Ping from the Router
Traceroute from the Router
View the Software Version
Cisco>en
Cisco#wr term  <--- Shows the running configuration   
Building configuration...
Current configuration:
!
version 11.2
no service udp-small-servers
no service tcp-small-servers
!
hostname Cisco
!
interface Ethernet0
 ip address 192.168.1.1 255.255.255.0
!
interface Serial0
 ip address 192.168.6.1 255.255.255.0
 encapsulation frame-relay
 frame-relay lmi-type ansi
!
interface Serial1
 ip address 192.168.4.2 255.255.255.0
 encapsulation frame-relay
 bandwidth 1536
 keepalive 5
 frame-relay map ip 192.168.4.1 101 IETF
!
router rip
 version 2
 network 192.168.4.0
 network 192.168.6.0
 neighbor 192.168.6.2
 neighbor 192.168.4.1
!
ip classless
ip route 0.0.0.0 0.0.0.0 192.168.6.2
ip route 0.0.0.0 0.0.0.0 192.168.4.1
!
line con 0
line aux 0
line vty 0 4
login
!
end
View the Ethernet IP
Router#wr term


This will show the running configuration.
Within the configuration, you will see an interface ethernet 0 section:


interface Ethernet0
ip address 38.150.93.1 255.255.255.0
no ip directed-broadcast
View the Serial IP
Router#wr term


Within the configuration, you will see an interface serial 0 section:


interface Serial0
ip address 38.21.10.100 255.255.255.0
ip broadcast-address 38.21.10.255
ip access-group 106 in
encapsulation frame-relay
bandwidth 56
no fair-queue
frame-relay map ip 38.21.10.1 500 IETF
View the Default Route
Router#wr term


Within the configuration, you will see an ip route section.


In the ip route section, look for a route:
ip route 0.0.0.0 0.0.0.0 38.167.29.1
The last ip address is the POP ip.
View the Filters
Router#wr term


Under interface serial 0, look for:


ip access-group 104 in
ip access-group 105 out


This means that access-group 104 is the inbound filter set and
access-group 105 is the outbound filter set.
Then, continue to look in the configuration for the access-list statements:


(Example access-list statements)
access-list 104 deny  ip 38.166.101.0 0.0.0.255 any
access-list 104 permit tcp any any established
access-list 104 permit tcp any eq ftp-data any gt 1023
access-list 104 permit udp any eq domain any gt 1023
access-list 104 permit udp any eq domain any eq domain
access-list 104 permit icmp any any
access-list 104 permit udp any eq snmp any gt 1023
access-list 105 deny  ip any 38.166.101.0 0.0.0.255
access-list 105 permit tcp any any established
access-list 105 permit tcp any any eq ftp
access-list 105 deny  udp any eq netbios-ns any
access-list 105 deny  udp any eq netbios-dgm any
access-list 105 permit ip any any
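
How the router applies these statements, as an added example that is not part of the original page: a small Python evaluator for the extended access-list syntax shown above. It checks a packet against list 104 or 105 from top to bottom, stops at the first matching line, and falls through to the implicit deny when nothing matches. The packets and their 198.51.100.x addresses are constructed, and `established` is modelled as "ACK or RST set".

```python
import ipaddress
from collections import namedtuple

# Port keywords used in lists 104 and 105, with their well-known port numbers.
PORT_NAMES = {"ftp-data": 20, "ftp": 21, "domain": 53, "snmp": 161,
              "netbios-ns": 137, "netbios-dgm": 138}

# The example access-list statements from the page.
CONFIG = """
access-list 104 deny  ip 38.166.101.0 0.0.0.255 any
access-list 104 permit tcp any any established
access-list 104 permit tcp any eq ftp-data any gt 1023
access-list 104 permit udp any eq domain any gt 1023
access-list 104 permit udp any eq domain any eq domain
access-list 104 permit icmp any any
access-list 104 permit udp any eq snmp any gt 1023
access-list 105 deny  ip any 38.166.101.0 0.0.0.255
access-list 105 permit tcp any any established
access-list 105 permit tcp any any eq ftp
access-list 105 deny  udp any eq netbios-ns any
access-list 105 deny  udp any eq netbios-dgm any
access-list 105 permit ip any any
"""

# ack_or_rst models what "established" tests: a TCP segment with ACK or RST set.
Packet = namedtuple("Packet", "proto src dst sport dport ack_or_rst",
                    defaults=(0, 0, False))
Rule = namedtuple("Rule", "text action proto src sport dst dport established")


def _take_addr(tok):
    """Consume 'any', 'host A' or 'A WILDCARD'; return (base, wildcard) as ints."""
    word = tok.pop(0)
    if word == "any":
        return 0, 0xFFFFFFFF
    if word == "host":
        return int(ipaddress.IPv4Address(tok.pop(0))), 0
    return int(ipaddress.IPv4Address(word)), int(ipaddress.IPv4Address(tok.pop(0)))


def _take_port(tok):
    """Consume an optional 'eq|gt|lt PORT'; return (operator, number) or None."""
    if tok and tok[0] in ("eq", "gt", "lt"):
        op, value = tok.pop(0), tok.pop(0)
        return op, (PORT_NAMES[value] if value in PORT_NAMES else int(value))
    return None


def parse_acl(config, number):
    """Return the rules of one numbered extended access list, in config order."""
    rules = []
    for line in config.splitlines():
        tok = line.split()
        if tok[:2] != ["access-list", str(number)]:
            continue
        rest = tok[4:]
        src, sport = _take_addr(rest), _take_port(rest)
        dst, dport = _take_addr(rest), _take_port(rest)
        rules.append(Rule(" ".join(tok), tok[2], tok[3], src, sport, dst, dport,
                          "established" in rest))
    return rules


def _addr_ok(ip, spec):
    base, wildcard = spec
    # Wildcard bits set to 1 are "don't care"; every other bit must equal the base.
    return ((int(ipaddress.IPv4Address(ip)) ^ base) & ~wildcard & 0xFFFFFFFF) == 0


def _port_ok(port, spec):
    if spec is None:
        return True
    op, number = spec
    return {"eq": port == number, "gt": port > number, "lt": port < number}[op]


def evaluate(rules, pkt):
    """The first matching line decides; a packet matching no line is denied."""
    for r in rules:
        if (r.proto in ("ip", pkt.proto)
                and _addr_ok(pkt.src, r.src) and _addr_ok(pkt.dst, r.dst)
                and _port_ok(pkt.sport, r.sport) and _port_ok(pkt.dport, r.dport)
                and (pkt.ack_or_rst or not r.established)):
            return r.action, r.text
    return "deny", "implicit deny (no line matched)"


if __name__ == "__main__":
    inbound = parse_acl(CONFIG, 104)
    for pkt in (  # constructed packets arriving on Serial0
        Packet("tcp", "198.51.100.5", "38.166.101.9", 80, 40000, True),
        Packet("tcp", "198.51.100.5", "38.166.101.9", 40000, 23),
        Packet("tcp", "38.166.101.7", "38.166.101.9", 80, 40000, True),
    ):
        print(pkt, "->", evaluate(inbound, pkt))
```

Line order matters: the first line of list 104 drops a packet that claims an inside source address before the `established` line can permit it.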
View the Bandwidth
Router#wr term


Within the config, you will see an interface serial 0 section:


interface Serial0
ip address 38.21.10.100 255.255.255.0
ip broadcast-address 38.21.10.255
ip access-group 106 in
encapsulation frame-relay
bandwidth 56
no fair-queue
frame-relay map ip 38.21.10.1 500 IETF
Add a Static Route
Cisco#config t
Enter configuration commands, one per line.  End with CNTL/Z.
Cisco(config)#ip route DEST.DEST.DEST.DEST MASK.MASK.MASK.MASK GATE.GATE.GATE.GATE
where: DEST.DEST.DEST.DEST = The destination network the static route is for
  MASK.MASK.MASK.MASK = The subnet mask of the destination network
  GATE.GATE.GATE.GATE = The gateway of the static route
Example route statement:
ip route 38.222.75.0 255.255.255.0 38.20.5.1
Cisco(config)#^Z (hit CTRL-Z)


Write the entry to memory:


Cisco#wr mem
Building configuration...
[OK]
Change the Dial Number
Type en to put the router in enable mode:


test.com>en


The password should be the same as the one used to telnet in.


Password:


To view the router's configuration, type:


test.com#show config


There will be a line in the configuration that says:


dialer map IP 38.1.1.1 speed 64 name LD3330 2707000


The 2707000 is the dial number.


NOTE: Record what interface the dialer map IP line is under because you will need to
use that interface when changing the number.


Type config t to configure from terminal.


test.com#config t


Enter configuration commands, one per line.  End with CNTL/Z.
Enter the interface that the dialer map IP line is under:


test.com(config)#interface BRI0


Add in the new dialer map IP line with the new phone number:


test.com(config-if)#dialer map IP 38.1.1.1 speed 64 name LD3330 [new number]


Now, remove the old dialer map IP line.
To remove a line, type no and then the line.
For example, to remove the old dialer map IP, type:


test.com(config-if)#no dialer map IP 38.1.1.1 speed 64 name LD3330 2707000


Now leave config mode:


test.com(config-if)# [control] z


Save changes:


test.com# write mem
Building configuration...
[OK]


Verify the new number is in the config:


test.com#show config


The new number should be in the dialer map IP line.
Turn Filters On and Off
To turn the filters off:


Router#configure terminal
Router(config)#interface Serial0
Router(config-if)#no ip access-group 104 in
Router(config-if)#no ip access-group 105 out
Router(config-if)# Hit CTRL-Z
Router#wr mem
Building configuration...
[OK]
Router#


To turn the filters on:


Router#configure terminal
Router(config)#interface Serial0
Router(config-if)#ip access-group 104 in
Router(config-if)#ip access-group 105 out
Router(config-if)# Hit CTRL-Z
Router#wr mem
Building configuration...
[OK]
Router#
Ping from the Router
Cisco#ping
Example:
Cisco#ping 38.8.14.2

IP Addressing Commands:
arp (global)
arp (interface)
arp timeout
clear arp-cache
clear host
clear ip nat translation
clear ip nhrp
clear ip route
ip address
ip broadcast-address
ip classless
ip default-gateway
ip directed-broadcast
ip domain-list
ip domain-lookup
ip domain-lookup nsap
ip domain-name
ip forward-protocol
ip forward-protocol any-local-broadcast
ip forward-protocol spanning-tree
ip forward-protocol turbo-flood
ip helper-address
ip host
ip hp-host
ip irdp
ip mobile arp
ip name-server
ip nat
ip nat inside destination
ip nat inside source
ip nat outside source
ip nat pool
ip nat translation
ip netmask-format
ip nhrp authentication
ip nhrp holdtime
ip nhrp interest
ip nhrp map
ip nhrp map multicast
ip nhrp max-send
ip nhrp network-id
ip nhrp nhs
ip nhrp record
ip nhrp responder
ip nhrp use
ip probe proxy
ip proxy-arp
ip redirects
ip routing
ip subnet-zero
ip unnumbered
ping (privileged)
ping (user)
show arp
show hosts
show ip aliases
show ip arp
show ip interface
show ip irdp
show ip masks
show ip nat statistics
show ip nat translations
show ip nhrp
show ip nhrp traffic
show ip redirects
term ip netmask-format
trace (privileged)
trace (user)
tunnel mode
 
________________________________________
IP Addressing Commands
This chapter describes the function and displays the syntax for IP addressing commands. For more information about defaults and usage guidelines, see the corresponding chapter of the Network Protocols Command Reference, Part 1.
arp (global)
To add a permanent entry in the Address Resolution Protocol (ARP) cache, use the arp global configuration command. To remove an entry from the ARP cache, use the no form of this command.
arp ip-address hardware-address type [alias]
no arp ip-address hardware-address type [alias]
ip-address    IP address in four-part dotted-decimal format corresponding to the local data link address.
hardware-address    Local data link address (a 48-bit address).
type    Encapsulation description. For Ethernet interfaces, this is typically the arpa keyword. For Fiber Distributed Data Interface (FDDI) and Token Ring interfaces, this is always snap.
alias    (Optional) Indicates that the Cisco IOS software should respond to ARP requests as if it were the owner of the specified address.
arp (interface)
To control the interface-specific handling of IP address resolution into 48-bit Ethernet, FDDI, and Token Ring hardware addresses, use the arp interface configuration command. To disable an encapsulation type, use the no form of this command.
arp {arpa | probe | snap}
no arp {arpa | probe | snap}
arpa    Standard Ethernet-style ARP (RFC 826).
probe    HP Probe protocol for IEEE-802.3 networks.
snap    ARP packets conforming to RFC 1042.
arp timeout
To configure how long an entry remains in the ARP cache, use the arp timeout interface configuration command. To restore the default value, use the no form of this command.
arp timeout seconds
no arp timeout seconds
seconds    Time (in seconds) that an entry remains in the ARP cache. A value of zero means that entries are never cleared from the cache.
clear arp-cache
To delete all dynamic entries from the ARP cache, to clear the fast-switching cache, and to clear the IP route cache, use the clear arp-cache EXEC command.
clear arp-cache
 
clear host
To delete entries from the host-name-and-address cache, use the clear host EXEC command.
clear host {name | *}
name    Particular host entry to remove.
*    Removes all entries.
clear ip nat translation
To clear dynamic Network Address Translation (NAT) translations from the translation table, use the clear ip nat translation EXEC command.
clear ip nat translation {* | [inside global-ip local-ip] [outside local-ip global-ip]}
clear ip nat translation protocol inside global-ip global-port local-ip local-port [outside local-ip global-ip]
*    Clears all dynamic translations.
inside    Clears the inside translations containing the specified global-ip and local-ip addresses.
global-ip    When used without the arguments protocol, global-port, and local-port, clears a simple translation that also contains the specified local-ip address. When used with the arguments protocol, global-port, and local-port, clears an extended translation.
local-ip    (Optional) Clears an entry that contains this local IP address and the specified global-ip address.
outside    Clears the outside translations containing the specified global-ip and local-ip addresses.
protocol    (Optional) Clears an entry that contains this protocol and the specified global-ip address, local-ip address, global-port, and local-port.
global-port    (Optional) Clears an entry that contains this global-port and the specified protocol, global-ip address, local-ip address, and local-port.
local-port    (Optional) Clears an entry that contains this local-port and the specified protocol, global-ip address, local-ip address, and global-port.
clear ip nhrp
To clear all dynamic entries from the Next Hop Resolution Protocol (NHRP) cache, use the clear ip nhrp EXEC command.
clear ip nhrp
clear ip route
To delete routes from the IP routing table, use the clear ip route EXEC command.
clear ip route {network [mask] | *}
network    Network or subnet address to remove.
mask    (Optional) Subnet address to remove.
*    Removes all routing table entries.
ip address
To set a primary or secondary IP address for an interface, use the ip address interface configuration command. To remove an IP address or disable IP processing, use the no form of this command.
ip address ip-address mask [secondary]
no ip address ip-address mask [secondary]
ip-address    IP address.
mask    Mask for the associated IP subnet.
secondary    (Optional) Specifies that the configured address is a secondary IP address. If this keyword is omitted, the configured address is the primary IP address.
ip broadcast-address
To define a broadcast address for an interface, use the ip broadcast-address interface configuration command. To restore the default IP broadcast address, use the no form of this command.
ip broadcast-address [ip-address]
no ip broadcast-address [ip-address]
ip-address    (Optional) IP broadcast address for a network.
ip classless
At times the router might receive packets destined for a subnet of a network that has no network default route. To have the Cisco IOS software forward such packets to the best supernet route possible, use the ip classless global configuration command. To disable this feature, use the no form of this command.
ip classless
no ip classless
ip default-gateway
To define a default gateway (router) when IP routing is disabled, use the ip default-gateway global configuration command. To disable this function, use the no form of this command.
ip default-gateway ip-address
no ip default-gateway ip-address
ip-address    IP address of the router.
ip directed-broadcast
To enable the translation of directed broadcast to physical broadcasts, use the ip directed-broadcast interface configuration command. To disable this function, use the no form of this command.
ip directed-broadcast [access-list-number]
no ip directed-broadcast [access-list-number]
access-list-number    (Optional) Number of the access list. If specified, a broadcast must pass the access list to be forwarded. If not specified, all broadcasts are forwarded.
ip domain-list
To define a list of default domain names to complete unqualified host names, use the ip domain-list global configuration command. To delete a name from a list, use the no form of this command.
ip domain-list name
no ip domain-list name
name    Domain name. Do not include the initial period that separates an unqualified name from the domain name.
ip domain-lookup
To enable the IP Domain Naming System (DNS)-based host name-to-address translation, use the ip domain-lookup global configuration command. To disable the DNS, use the no form of this command.
ip domain-lookup
no ip domain-lookup
ip domain-lookup nsap
To allow DNS queries for Connectionless Network System (CLNS) addresses, use the ip domain-lookup nsap global configuration command. To disable this feature, use the no form of this command.
ip domain-lookup nsap
no ip domain-lookup nsap
ip domain-name
To define a default domain name that the Cisco IOS software uses to complete unqualified host names (names without a dotted-decimal domain name), use the ip domain-name global configuration command. To disable use of the DNS, use the no form of this command.
ip domain-name name
no ip domain-name
name    Default domain name used to complete unqualified host names. Do not include the initial period that separates an unqualified name from the domain name.
ip forward-protocol
To specify which protocols and ports the router forwards when forwarding broadcast packets, use the ip forward-protocol global configuration command. To remove a protocol or port, use the no form of this command.
ip forward-protocol {udp [port] | nd | sdns}
no ip forward-protocol {udp [port] | nd | sdns}
udp    Forward User Datagram Protocol (UDP) datagrams. See the "Default" section below for a list of port numbers forwarded by default.
port    (Optional) Destination port that controls which UDP services are forwarded.
nd    Forward Network Disk (ND) datagrams. This protocol is used by older diskless Sun workstations.
sdns    Secure Data Network Service.
ip forward-protocol any-local-broadcast
To forward any broadcasts including local subnet broadcasts, use the ip forward-protocol any-local-broadcast global configuration command. To disable this type of forwarding, use the no form of this command.
ip forward-protocol any-local-broadcast
no ip forward-protocol any-local-broadcast
ip forward-protocol spanning-tree
To permit IP broadcasts to be flooded throughout the internetwork in a controlled fashion, use the ip forward-protocol spanning-tree global configuration command. To disable the flooding of IP broadcasts, use the no form of this command.
ip forward-protocol spanning-tree
no ip forward-protocol spanning-tree
ip forward-protocol turbo-flood
To speed up flooding of User Datagram Protocol (UDP) datagrams using the spanning-tree algorithm, use the ip forward-protocol turbo-flood global configuration command. To disable this feature, use the no form of this command.
ip forward-protocol turbo-flood
no ip forward-protocol turbo-flood
ip helper-address
To have the Cisco IOS software forward User Datagram Protocol (UDP) broadcasts, including BOOTP, received on an interface, use the ip helper-address interface configuration command. To disable the forwarding of broadcast packets to specific addresses, use the no form of this command.
ip helper-address address
no ip helper-address address
address    Destination broadcast or host address to be used when forwarding UDP broadcasts. There can be more than one helper address per interface.
ip host
To define a static host name-to-address mapping in the host cache, use the ip host global configuration command. To remove the name-to-address mapping, use the no form of this command.
ip host name [tcp-port-number] address1 [address2...address8]
no ip host name address1
name    Name of the host. The first character can be either a letter or a number. If you use a number, the operations you can perform are limited.
tcp-port-number    (Optional) TCP port number to connect to when using the defined host name in conjunction with an EXEC connect or Telnet command. The default is Telnet (port 23).
address1    Associated IP address.
address2...address8    (Optional) Additional associated IP address. You can bind up to eight addresses to a host name.
ip hp-host
To enter into the host table the host name of an HP host to be used for HP Probe Proxy service, use the ip hp-host global configuration command. To remove a host name, use the no form of this command.
ip hp-host hostname ip-address
no ip hp-host hostname ip-address
hostname    Name of the host.
ip-address    IP address of the host.
ip irdp
To enable ICMP Router Discovery Protocol (IRDP) processing on an interface, use the ip irdp interface configuration command. To disable IRDP routing, use the no form of this command.
ip irdp [multicast | holdtime seconds | maxadvertinterval seconds | minadvertinterval seconds | preference number | address address [number]]
no ip irdp
multicast    (Optional) Use the multicast address (224.0.0.1) instead of IP broadcasts.
holdtime seconds    (Optional) Length of time in seconds advertisements are held valid. Default is three times the maxadvertinterval value. Must be greater than maxadvertinterval and cannot be greater than 9000 seconds.
maxadvertinterval seconds    (Optional) Maximum interval in seconds between advertisements. The default is 600 seconds.
minadvertinterval seconds    (Optional) Minimum interval in seconds between advertisements. The default is 0.75 times the maxadvertinterval. If you change the maxadvertinterval value, this value defaults to three-quarters of the new value.
preference number    (Optional) Preference value. The allowed range is -2^31 to 2^31. The default is 0. A higher value increases the router's preference level. You can modify a particular router so that it will be the preferred router to which others home.
address address [number]    (Optional) IP address (address) to proxy-advertise, and optionally, its preference value (number).
ip mobile arp
To enable local-area mobility, use the ip mobile arp interface configuration command. To disable local-area mobility, use the no form of this command.
ip mobile arp [timers keepalive hold-time] [access-group access-list-number | name]
no ip mobile arp [timers keepalive hold-time] [access-group access-list-number | name]
timers    (Optional) Indicates that you are setting local-area mobility timers.
keepalive    (Optional) Frequency, in seconds, at which the Cisco IOS software sends unicast ARP messages to a relocated host to verify that the host is present and has not moved. The default keepalive time is 300 seconds (5 minutes).
hold-time    (Optional) Hold time, in seconds. This is the length of time the software considers that a relocated host is present without receiving some type of ARP broadcast or unicast from the host. Normally, the hold time should be at least three times greater than the keepalive time. The default hold time is 900 seconds (15 minutes).
access-group    (Optional) Indicates that you are applying an access list. This access list applies only to local-area mobility.
access-list-number    (Optional) Number of a standard IP access list. It is a decimal number from 1 to 99. Only hosts with addresses permitted by this access list are accepted for local-area mobility.
name    (Optional) Name of an IP access list. The name cannot contain a space or quotation mark, and must begin with an alphabetic character to avoid ambiguity with numbered access lists.
ip name-server
To specify the address of one or more name servers to use for name and address resolution, use the ip name-server global configuration command. To remove the addresses specified, use the no form of this command.
ip name-server server-address1 [[server-address2]...server-address6]
no ip name-server server-address1 [[server-address2]...server-address6]
server-address1    IP addresses of name server.
server-address2...server-address6    (Optional) IP addresses of additional name servers (a maximum of six name servers).
ip nat
To designate that traffic originating from or destined for the interface is subject to Network Address Translation (NAT), use the ip nat interface configuration command. To prevent the interface from being able to translate, use the no form of this command.
ip nat {inside | outside}
no ip nat {inside | outside}
inside    Indicates the interface is connected to the inside network (the network subject to NAT translation).
outside    Indicates the interface is connected to the outside network.
ip nat inside destination
To enable Network Address Translation (NAT) of the inside destination address, use the ip nat inside destination global configuration command. To remove the dynamic association to a pool, use the no form of this command.
ip nat inside destination list {access-list-number | name} pool name
no ip nat inside destination list {access-list-number | name}
list access-list-number    Standard IP access list number. Packets with destination addresses that pass the access list are translated using global addresses from the named pool.
list name    Name of a standard IP access list. Packets with destination addresses that pass the access list are translated using global addresses from the named pool.
pool name    Name of the pool from which global IP addresses are allocated during dynamic translation.
ip nat inside source
To enable Network Address Translation (NAT) of the inside source address, use the ip nat inside source global configuration command. To remove the static translation or remove the dynamic association to a pool, use the no form of this command.
ip nat inside source {list {access-list-number | name} pool name [overload] | static local-ip global-ip}
no ip nat inside source {list {access-list-number | name} pool name [overload] | static local-ip global-ip}
list access-list-number    Standard IP access list number. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
list name    Name of a standard IP access list. Packets with source addresses that pass the access list are dynamically translated using global addresses from the named pool.
pool name    Name of the pool from which global IP addresses are allocated dynamically.
overload    (Optional) Enables the router to use one global address for many local addresses. When overloading is configured, each inside host's TCP or UDP port number distinguishes between the multiple conversations using the same local IP address.
static local-ip    Sets up a single static translation; this argument establishes the local IP address assigned to a host on the inside network. The address could be randomly chosen, allocated from RFC 1918, or obsolete.
global-ip    Sets up a single static translation; this argument establishes the globally unique IP address of an inside host as it appears to the outside world.
ip nat outside source
To enable Network Address Translation (NAT) of the outside source address, use the ip nat outside source global configuration command. To remove the static entry or the dynamic association, use the no form of this command.
ip nat outside source {list {access-list-number | name} pool name | static global-ip local-ip}
no ip nat outside source {list {access-list-number | name} pool name | static global-ip local-ip}
list access-list-number    Standard IP access list number. Packets with source addresses that pass the access list are translated using global addresses from the named pool.
list name    Name of a standard IP access list. Packets with source addresses that pass the access list are translated using global addresses from the named pool.
pool name    Name of the pool from which global IP addresses are allocated.
static global-ip    Sets up a single static translation. This argument establishes the globally unique IP address assigned to a host on the outside network by its owner. It was allocated from globally routable network space.
local-ip    Sets up a single static translation. This argument establishes the local IP address of an outside host as it appears to the inside world. The address was allocated from address space routable on the inside (RFC 1918, perhaps).
ip nat pool
To define a pool of IP addresses for Network Address Translation (NAT), use the ip nat pool global configuration command. To remove one or more addresses from the pool, use the no form of this command.
ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]
no ip nat pool name start-ip end-ip {netmask netmask | prefix-length prefix-length} [type rotary]
name    Name of the pool.
start-ip    Starting IP address that defines the range of addresses in the address pool.
end-ip    Ending IP address that defines the range of addresses in the address pool.
netmask netmask    Network mask that indicates which address bits belong to the network and subnetwork fields and which bits belong to the host field. Specify the netmask of the network to which the pool addresses belong.
prefix-length prefix-length    Number that indicates how many bits of the netmask are ones (how many bits of the address indicate network). Specify the netmask of the network to which the pool addresses belong.
type rotary    (Optional) Indicates that the range of addresses in the address pool identifies real, inside hosts among which TCP load distribution will occur.
ip nat translation
To change the amount of time after which Network Address Translation (NAT) translations time out, use the ip nat translation global configuration command. To disable the timeout, use the no form of this command.
ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout} seconds
no ip nat translation {timeout | udp-timeout | dns-timeout | tcp-timeout | finrst-timeout}
timeout    Specifies that the timeout value applies to dynamic translations except for overload translations. Default is 86400 seconds (24 hours).
udp-timeout    Specifies that the timeout value applies to the UDP port. Default is 300 seconds (5 minutes).
dns-timeout    Specifies that the timeout value applies to connections to the Domain Naming System (DNS). Default is 60 seconds.
tcp-timeout    Specifies that the timeout value applies to the TCP port. Default is 86400 seconds (24 hours).
finrst-timeout    Specifies that the timeout value applies to Finish and Reset TCP packets, which terminate a connection. Default is 60 seconds.
seconds    Number of seconds after which the specified port translation times out. Default values are listed in the Default section.
ip netmask-format
To specify the format in which netmasks are displayed in show command output, use the ip netmask-format line configuration command. To restore the default display format, use the no form of this command.
ip netmask-format {bitcount | decimal | hexadecimal}
no ip netmask-format [bitcount | decimal | hexadecimal]
bitcount    Addresses are followed by a slash and the total number of bits in the netmask. For example, 131.108.11.0/24 indicates that the netmask is 24 bits.
decimal    Network masks are displayed in dotted decimal notation (for example, 255.255.255.0).
hexadecimal    Network masks are displayed in hexadecimal format, as indicated by the leading 0X (for example, 0XFFFFFF00).
ip nhrp authentication
To configure the authentication string for an interface using Next Hop Resolution Protocol (NHRP), use the ip nhrp authentication interface configuration command. To remove the authentication string, use the no form of this command.
ip nhrp authentication string
no ip nhrp authentication [string]
string    Authentication string configured for the source and destination stations that controls whether NHRP stations allow intercommunication. The string can be up to 8 characters long.
ip nhrp holdtime
To change the number of seconds that NHRP nonbroadcast, multiaccess (NBMA) addresses are advertised as valid in authoritative NHRP responses, use the ip nhrp holdtime interface configuration command. To restore the default value, use the no form of this command.
ip nhrp holdtime seconds-positive [seconds-negative]
no ip nhrp holdtime [seconds-positive [seconds-negative]]
seconds-positive    Time in seconds that NBMA addresses are advertised as valid in positive authoritative NHRP responses.
seconds-negative    (Optional) Time in seconds that NBMA addresses are advertised as valid in negative authoritative NHRP responses.
ip nhrp interest
To control which IP packets can trigger sending a Next Hop Resolution Protocol (NHRP) Request, use the ip nhrp interest interface configuration command. To restore the default value, use the no form of this command.
ip nhrp interest access-list-number
no ip nhrp interest [access-list-number]
access-list-number    Standard or extended IP access list number in the range 1 to 199.
ip nhrp map
To statically configure the IP-to-NBMA address mapping of IP destinations connected to a nonbroadcast, multiaccess (NBMA) network, use the ip nhrp map interface configuration command. To remove the static entry from NHRP cache, use the no form of this command.
ip nhrp map ip-address nbma-address
no ip nhrp map ip-address nbma-address
ip-address    IP address of the destinations reachable through the NBMA network. This address is mapped to the NBMA address.
nbma-address    NBMA address that is directly reachable through the NBMA network. The address format varies depending on the medium you are using. For example, ATM has an NSAP address, Ethernet has a MAC address, and SMDS has an E.164 address. This address is mapped to the IP address.
ip nhrp map multicast
To configure NBMA addresses used as destinations for broadcast or multicast packets to be sent over a tunnel network, use the ip nhrp map multicast interface configuration command. To remove the destinations, use the no form of this command.
ip nhrp map multicast nbma-address
no ip nhrp map multicast nbma-address
nbma-address    Nonbroadcast, multiaccess (NBMA) address which is directly reachable through the NBMA network. The address format varies depending on the medium you are using.
ip nhrp max-send
To change the maximum frequency at which NHRP packets can be sent, use the ip nhrp max-send interface configuration command. To restore this frequency to the default value, use the no form of this command.
ip nhrp max-send pkt-count every interval
no ip nhrp max-send
pkt-count    Number of packets which can be transmitted in the range from 1 to 65535. Default is 5 packets.
every interval    Time (in seconds) in the range from 10 to 65535. Default is 10 seconds.
ip nhrp network-id
To enable the Next Hop Resolution Protocol (NHRP) on an interface, use the ip nhrp network-id interface configuration command. To disable NHRP on the interface, use the no form of this command.
ip nhrp network-id number
no ip nhrp network-id [number]
number    Globally unique, 32-bit network identifier for a nonbroadcast, multiaccess (NBMA) network. The range is 1 to 4294967295.
ip nhrp nhs
To specify the address of one or more NHRP Next Hop Servers, use the ip nhrp nhs interface configuration command. To remove the address, use the no form of this command.
ip nhrp nhs nhs-address [net-address [netmask]]
no ip nhrp nhs nhs-address [net-address [netmask]]
nhs-address    Address of the Next Hop Server being specified.
net-address    (Optional) IP address of a network served by the Next Hop Server.
netmask    (Optional) IP network mask to be associated with the net IP address. The net IP address is logically ANDed with the mask.
ip nhrp record
To re-enable the use of forward record and reverse record options in NHRP Request and Reply packets, use the ip nhrp record interface configuration command. To suppress the use of such options, use the no form of this command.
ip nhrp record
no ip nhrp record
ip nhrp responder
To designate which interface's primary IP address the Next Hop Server will use in NHRP Reply packets when the NHRP requestor uses the Responder Address option, use the ip nhrp responder interface configuration command. To remove the designation, use the no form of this command.
ip nhrp responder type number
no ip nhrp responder [type] [number]
type    Interface type whose primary IP address is used when a Next Hop Server complies with a Responder Address option (for example, serial, tunnel).
number    Interface number whose primary IP address is used when a Next Hop Server complies with a Responder Address option.
ip nhrp use
To configure the software so that NHRP is deferred until the system has attempted to send data traffic to a particular destination multiple times, use the ip nhrp use interface configuration command. To restore the default value, use the no form of this command.
ip nhrp use usage-count
no ip nhrp use usage-count
usage-count    Packet count in the range from 1 to 65535. Default is 1.
ip probe proxy
To enable the HP Probe Proxy support, which allows the Cisco IOS software to respond to HP Probe Proxy Name requests, use the ip probe proxy interface configuration command. To disable HP Probe Proxy, use the no form of this command.
ip probe proxy
no ip probe proxy
ip proxy-arp
To enable proxy ARP on an interface, use the ip proxy-arp interface configuration command. To disable proxy ARP on the interface, use the no form of this command.
ip proxy-arp
no ip proxy-arp
ip redirects
To enable the sending of redirect messages if the Cisco IOS software is forced to resend a packet through the same interface on which it was received, use the ip redirects interface configuration command. To disable the sending of redirect messages, use the no form of this command.
ip redirects
no ip redirects
ip routing
To enable IP routing, use the ip routing global configuration command. To disable IP routing, use the no form of this command.
ip routing
no ip routing
ip subnet-zero
To enable the use of subnet zero for interface addresses and routing updates, use the ip subnet-zero global configuration command. To restore the default, use the no form of this command.
ip subnet-zero
no ip subnet-zero
ip unnumbered
To enable IP processing on a serial interface without assigning an explicit IP address to the interface, use the ip unnumbered interface configuration command. To disable the IP processing on the interface, use the no form of this command.
ip unnumbered type number
no ip unnumbered type number
type number    Type and number of another interface on which the router has an assigned IP address. It cannot be another unnumbered interface.
ping (privileged)
To check host reachability and network connectivity, use the ping (IP packet internet groper function) privileged EXEC command.
ping [protocol] {host | address}
protocol    (Optional) Protocol keyword. The default is IP.
host    Host name of system to ping.
address    IP address of system to ping.
ping (user)
To check host reachability and network connectivity, use the ping (IP packet internet groper function) user EXEC command.
ping [protocol] {host | address}
protocol    (Optional) Protocol keyword. The default is IP.
host    Host name of system to ping.
address    IP address of system to ping.
show arp
To display the entries in the ARP table, use the show arp privileged EXEC command.
show arp
show hosts
To display the default domain name, the style of name lookup service, a list of name server hosts, and the cached list of host names and addresses, use the show hosts EXEC command.
show hosts
show ip aliases
To display the IP addresses mapped to TCP ports (aliases) and SLIP addresses, which are treated similarly to aliases, use the show ip aliases EXEC command.
show ip aliases
show ip arp
To display the Address Resolution Protocol (ARP) cache, where SLIP addresses appear as permanent ARP table entries, use the show ip arp EXEC command.
show ip arp [ip-address] [hostname] [mac-address] [type number]
ip-address    (Optional) ARP entries matching this IP address are displayed.
hostname    (Optional) Host name.
mac-address    (Optional) 48-bit MAC address.
type number    (Optional) ARP entries learned via this interface type and number are displayed.
show ip interface
To display the usability status of interfaces configured for IP, use the show ip interface EXEC command.
show ip interface [type number]
type    (Optional) Interface type.
number    (Optional) Interface number.
show ip irdp
To display IRDP values, use the show ip irdp EXEC command.
show ip irdp
show ip masks
To display the masks used for network addresses and the number of subnets using each mask, use the show ip masks EXEC command.
show ip masks address
address    Network address for which a mask is required.
show ip nat statistics
To display Network Address Translation (NAT) statistics, use the show ip nat statistics EXEC command.
show ip nat statistics
show ip nat translations
To display active Network Address Translation (NAT) translations, use the show ip nat translations EXEC command.
show ip nat translations [verbose]
verbose    (Optional) Displays additional information for each translation table entry, including how long ago the entry was created and used.
show ip nhrp
To display the Next Hop Resolution Protocol (NHRP) cache, use the show ip nhrp EXEC command.
show ip nhrp [dynamic | static] [type number]
dynamic    (Optional) Displays only the dynamic (learned) IP-to-NBMA address cache entries.
static    (Optional) Displays only the static IP-to-NBMA address entries in the cache (configured through the ip nhrp map command).
type    (Optional) Interface type about which to display the NHRP cache (for example, atm, tunnel).
number    (Optional) Interface number about which to display the NHRP cache.
show ip nhrp traffic
To display Next Hop Resolution Protocol (NHRP) traffic statistics, use the show ip nhrp traffic EXEC command.
show ip nhrp traffic
show ip redirects
To display the address of a default gateway (router) and the address of hosts for which a redirect has been received, use the show ip redirects EXEC command.
show ip redirects
term ip netmask-format
To specify the format in which netmasks are displayed in show command output, use the term ip netmask-format EXEC command. To restore the default display format, use the no form of this command.
term ip netmask-format {bitcount | decimal | hexadecimal}
term no ip netmask-format [bitcount | decimal | hexadecimal]
bitcount    Addresses are followed by a slash and the total number of bits in the netmask. For example, 131.108.11.55/24 indicates that the netmask is 24 bits.
decimal    Netmasks are displayed in dotted decimal notation (for example, 255.255.255.0).
hexadecimal    Netmasks are displayed in hexadecimal format, as indicated by the leading 0X (for example, 0XFFFFFF00).
trace (privileged)
To discover the routes the packets follow when traveling to their destination from the router, use the trace privileged EXEC command.
trace [destination]
destination    (Optional) Destination address or host name on the command line. The default parameters for the appropriate protocol are assumed and the tracing action begins.
trace (user)
To discover the routes the router packets follow when traveling to their destination, use the trace user EXEC command.
trace ip destination
destination    Destination address or host name on the command line. The default parameters for the appropriate protocol are assumed and the tracing action begins.
tunnel mode
To set the encapsulation mode for the tunnel interface, use the tunnel mode interface configuration command. To set to the default, use the no form of this command.
tunnel mode {aurp | cayman | dvmrp | eon | gre ip [multipoint] | nos}
no tunnel mode
aurp    AppleTalk Update-Based Routing Protocol (AURP).
cayman    Cayman TunnelTalk AppleTalk encapsulation.
dvmrp    Distance Vector Multicast Routing Protocol.
eon    EON compatible CLNS tunnel.
gre ip    Generic routing encapsulation (GRE) protocol over IP.
multipoint    (Optional) Enables a GRE tunnel to be used in a multipoint fashion. Can be used with the gre ip keyword only, and requires the use of the tunnel key command.
nos    KA9Q/NOS compatible IP over IP.

Cisco IP servicing commands
access-class
access-list (IP extended)
access-list (IP standard)
clear access-list counters
clear ip accounting
clear ip drp
clear tcp statistics
deny (IP)
dynamic
ip access-group
ip access-list
ip accounting
ip accounting-list
ip accounting-threshold
ip accounting-transits
ip accounting mac-address
ip accounting precedence
ip drp access-group
ip drp authentication key-chain
ip drp server
ip icmp rate-limit unreachable
ip icmp redirect
ip mask-reply
ip mtu
ip redirects
ip source-route
ip tcp chunk-size
ip tcp compression-connections
ip tcp header-compression
ip tcp path-mtu-discovery
ip tcp queuemax
ip tcp selective-ack
ip tcp synwait-time
ip tcp timestamp
ip tcp window-size
ip unreachables
permit (IP)
show access-lists
show interface mac
show interface precedence
show ip access-list
show ip accounting
show ip drp
show ip redirects
show ip sockets
show ip tcp header-compression
show ip traffic
show standby
show tcp statistics
standby authentication
standby ip
standby mac-address
standby mac-refresh
standby priority, standby preempt
standby timers
standby track
standby use-bia
transmit-interface
 
IP Services Commands
________________________________________
Use the commands in this chapter to configure various IP services. For configuration information and examples on IP services, refer to the "Configuring IP Services" chapter of the Network Protocols Configuration Guide, Part 1.
access-class
To restrict incoming and outgoing connections between a particular virtual terminal line (into a Cisco device) and the addresses in an access list, use the access-class line configuration command. To remove access restrictions, use the no form of this command.
access-class access-list-number {in | out}
no access-class access-list-number {in | out}
Syntax Description
access-list-number    Number of an IP access list. This is a decimal number from 1 to 199 or from 1300 to 2699.
in    Restricts incoming connections between a particular Cisco device and the addresses in the access list.
out    Restricts outgoing connections between a particular Cisco device and the addresses in the access list.
 
Defaults
No access lists are defined.
Command Modes
Line configuration
Command History
Release    Modification
10.0    This command was introduced.
Usage Guidelines
Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them.
To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.
Examples
The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the router:
access-list 12 permit 192.89.55.0 0.0.0.255
line 1 5
 access-class 12 in
The following example defines an access list that denies connections to networks other than network 36.0.0.0 on terminal lines 1 through 5:
access-list 10 permit 36.0.0.0 0.255.255.255
line 1 5
 access-class 10 out
Related Commands
Command    Description
show line    Displays the parameters of a terminal line.
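The usage guideline above (identical restrictions on every virtual terminal line) can be checked mechanically against a saved configuration. The following Python audit is an added example, not part of the original command reference; the sample configuration is constructed, the function names are hypothetical, and it assumes the "line vty first last" form with sub-commands indented by a space, as in show running-config output.

```python
import re

# Constructed sample configuration (not taken from a real device).
SAMPLE_CONFIG = """\
access-list 12 permit 192.89.55.0 0.0.0.255
!
line con 0
 exec-timeout 0 0
line vty 0 4
 access-class 12 in
 login
line vty 5 15
 login
!
end
"""

VTY_RE = re.compile(r"^line vty (\d+)(?: (\d+))?\s*$")
ACL_RE = re.compile(r"^\s+access-class (\d+) (in|out)\b")


def vty_access_classes(config, direction="in"):
    """Map each vty line number to the access list applied in `direction`,
    or None when that line has no access-class for the direction."""
    per_line = {}
    current = []  # vty line numbers covered by the block being read
    for raw in config.splitlines():
        header = VTY_RE.match(raw)
        if header:
            first = int(header.group(1))
            last = int(header.group(2) or first)
            current = list(range(first, last + 1))
            for n in current:
                per_line.setdefault(n, None)
            continue
        if not raw.startswith(" "):
            current = []  # any other top-level command ends the line block
            continue
        applied = ACL_RE.match(raw)
        if applied and applied.group(2) == direction:
            for n in current:
                per_line[n] = applied.group(1)
    return per_line


def audit_vty(config, direction="in"):
    """Return (unrestricted_lines, acls_in_use, consistent).

    consistent is True only when every vty line found in the configuration
    carries the same access list number for the given direction."""
    per_line = vty_access_classes(config, direction)
    unrestricted = sorted(n for n, acl in per_line.items() if acl is None)
    acls = sorted({acl for acl in per_line.values() if acl is not None})
    consistent = bool(per_line) and not unrestricted and len(acls) == 1
    return unrestricted, acls, consistent


if __name__ == "__main__":
    missing, acls, ok = audit_vty(SAMPLE_CONFIG)
    print("vty lines without inbound access-class:", missing)
    print("access lists in use:", acls, "consistent:", ok)
```

The audit compares access list numbers only; two differently numbered lists with the same entries are still reported as inconsistent and need a manual look.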
 
access-list (IP extended)
To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access lists, use the no form of this command.
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log | log-input] [fragments]
no access-list access-list-number
Internet Control Message Protocol (ICMP)
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type | [[icmp-type icmp-code] | [icmp-message]]] [precedence precedence] [tos tos] [log | log-input] [fragments]
Internet Group Management Protocol (IGMP)
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} igmp source source-wildcard destination destination-wildcard [igmp-type] [precedence precedence] [tos tos] [log | log-input] [fragments]
TCP
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log | log-input] [fragments]
User Datagram Protocol (UDP)
access-list access-list-number [dynamic dynamic-name [timeout minutes]] {deny | permit} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log | log-input] [fragments]
________________________________________
Caution  Enhancements to this command are backward compatible; migrating from releases prior to Release 11.1 will convert your access lists automatically. However, releases prior to Release 11.1 are not upwardly compatible with these enhancements. Therefore, if you save an access list with these images and then use software prior to Release 11.1, the resulting access list will not be interpreted correctly. This could cause you severe security problems. Save your old configuration file before booting these images.
________________________________________
Syntax Description
access-list-number    Number of an access list. This is a decimal number from 100 to 199 or from 2000 to 2699.
dynamic dynamic-name    (Optional) Identifies this access list as a dynamic access list. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide.
timeout minutes    (Optional) Specifies the absolute length of time (in minutes) that a temporary access list entry can remain in a dynamic access list. The default is an infinite length of time and allows an entry to remain permanently. Refer to lock-and-key access documented in the "Configuring Lock-and-Key Security (Dynamic Access Lists)" chapter in the Security Configuration Guide.
deny    Denies access if the conditions are matched.
permit    Permits access if the conditions are matched.
protocol    Name or number of an IP protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, pim, tcp, or udp, or an integer in the range 0 to 255 representing an IP protocol number. To match any Internet protocol (including ICMP, TCP, and UDP) use the keyword ip. Some protocols allow further qualifiers described below.
source    Number of the network or host from which the packet is being sent. There are three alternative ways to specify the source:
• Use a 32-bit quantity in four-part, dotted-decimal format.
• Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
source-wildcard    Wildcard bits to be applied to source. Each wildcard bit set to zero indicates that the corresponding bit position in the packet's IP address must exactly match the bit value in the corresponding bit position in the source. Each wildcard bit set to one indicates that both a zero bit and a one bit in the corresponding position of the packet's IP address will be considered a match to this access list entry.
There are three alternative ways to specify the source wildcard:
• Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore. For example, use 0.0.255.255 to require an exact match of only the first 16 bits of the source.
• Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.
• Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.
Wildcard bits set to one do not need to be contiguous in the source-wildcard. For example, a source-wildcard of 0.255.0.64 would be valid.
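The wildcard-bit rule described above, as an added Python example that is not part of the original reference: it parses the three source forms (address plus wildcard, any, host), applies the zero-bit/one-bit rule including non-contiguous wildcards such as 0.255.0.64, and counts how many addresses an entry covers. The function names and the 10.0.0.0 test address are assumptions made for illustration; is_prefix_wildcard is a review aid, not an IOS rule, since non-contiguous wildcards are valid.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def _to_int(dotted):
    """Convert a dotted-decimal IPv4 string to a 32-bit integer."""
    return int(ipaddress.IPv4Address(dotted))


def parse_spec(text):
    """Parse 'any', 'host A.B.C.D' or 'A.B.C.D W.X.Y.Z' into
    (address, wildcard) as 32-bit integers."""
    tokens = text.split()
    if tokens[0] == "any":
        return 0, ALL_ONES                  # 0.0.0.0 255.255.255.255
    if tokens[0] == "host":
        return _to_int(tokens[1]), 0        # A.B.C.D 0.0.0.0
    return _to_int(tokens[0]), _to_int(tokens[1])


def matches(spec, packet_ip):
    """True when every bit whose wildcard bit is 0 equals the same bit of
    the configured address; bits whose wildcard bit is 1 are ignored."""
    address, wildcard = spec
    care = ~wildcard & ALL_ONES
    return ((_to_int(packet_ip) ^ address) & care) == 0


def match_count(spec):
    """Number of distinct addresses matched: 2 ** (one-bits in wildcard)."""
    return 1 << bin(spec[1]).count("1")


def is_prefix_wildcard(spec):
    """True when the wildcard is a run of low-order ones (0.0.0.255 style),
    i.e. the entry covers exactly one CIDR block. A False result is worth a
    second look: it is either a deliberate non-contiguous wildcard or a
    subnet mask typed where a wildcard was intended."""
    wildcard = spec[1]
    return (wildcard & (wildcard + 1)) == 0


if __name__ == "__main__":
    for text in ("192.89.55.0 0.0.0.255",    # from the access-class example
                 "10.0.0.0 0.255.0.64",      # non-contiguous wildcard
                 "192.89.55.0 255.255.255.0",  # subnet mask used as wildcard
                 "host 36.0.0.1",
                 "any"):
        spec = parse_spec(text)
        print(f"{text:28} covers {match_count(spec):>10} addresses, "
              f"single block: {is_prefix_wildcard(spec)}")
```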
destination    Number of the network or host to which the packet is being sent. There are three alternative ways to specify the destination:
• Use a 32-bit quantity in four-part, dotted-decimal format.
• Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
destination-wildcard    Wildcard bits to be applied to the destination. There are three alternative ways to specify the destination wildcard:
• Use a 32-bit quantity in four-part, dotted-decimal format. Place ones in the bit positions you want to ignore.
• Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.
• Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.
precedence precedence    (Optional) Packets can be filtered by precedence level, as specified by a number from 0 to 7 or by name as listed in the section "Usage Guidelines."
tos tos    (Optional) Packets can be filtered by type of service level, as specified by a number from 0 to 15 or by name as listed in the section "Usage Guidelines."
icmp-type    (Optional) ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.
icmp-code    (Optional) ICMP packets that are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.
icmp-message    (Optional) ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are found in the section "Usage Guidelines."
igmp-type    (Optional) IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."
operator    (Optional) Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).
If the operator is positioned after the source and source-wildcard, it must match the source port.
If the operator is positioned after the destination and destination-wildcard, it must match the destination port.
The range operator requires two port numbers. All other operators require one port number.
port    (Optional) The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP port names are listed in the section "Usage Guidelines." TCP port names can only be used when filtering TCP. UDP port names