Cisco IOS Service Advertisement Framework Command Reference

keepalive (SAF)

To specify a time interval for sending keepalives messages for a Cisco SAF External Clients, use the keepalive command in external-client configuration mode. To reset the keepalive to its default value, use the no form of this command.

keepalive interval_in_milliseconds

no keepalive

Syntax Description


`interval_in_ milliseconds`	The keepalive time interval in milliseconds, between 5000 and 3600000.

Command Default

7900 milliseconds.

Command Modes

External-client configuration (config-external-client-mode)

Command History


Release	Modification
15.0(1)M	This command was introduced.
12.2(33)SRE	This command was integrated into Cisco IOS Release 12.2(33)SRE.
12.2(33)XNE	This command was integrated into Cisco IOS Release 12.2(33)XNE.
Cisco IOS XE Release 2.5	This command was integrated into Cisco IOS XE Release 2.5.
12.2(33)SXI4	This command was integrated into Cisco IOS Release 12.2(33)SXI4.
15.2(1)S	This command was deprecated in Cisco IOS Release 15.2(1)S and replaced by the keepalive (xmcp) command.
Cisco IOS XE Release 3.5S	This command was deprecated in Cisco IOS XE Release 3.5S and replaced by the keepalive (xmcp) command.
15.2(2)T	This command was deprecated in Cisco IOS Release 15.2(2)T and replaced by the keepalive (xmcp) command.

Usage Guidelines

Examples

The following example configures a keepalive of 8000 milliseconds for a Cisco SAF External Client named example.


Router(config)# service-family external-client listen ipv4 2444
Router(config-external-client)# external-client
 example
Router(config-external-client-mode)# keepalive
 8000

Related Commands


Command	Description
external-client	Configures a Cisco SAF External-Clients.
service-family external-client listen	Configures a Cisco SAF External-client listen TCP port.

keepalive (XMCP)

To define the keepalive interval associated with a specific client, use the keepalive command in XMCP client configuration mode. To reset the keepalive to its default value, use the no form of this command.

keepalive seconds

no keepalive

Syntax Description


`seconds`	Time, in seconds, after which a client will be assumed to be lost if no packets are received from the client during this interval. The valid range is 5 to 3600 seconds.

Command Default

The default is 8 seconds.

Command Modes

XMCP client configuration (config-xmcp-client)

Command History


Release	Modification
15.2(1)S	This command was introduced.
Cisco IOS XE Release 3.5S	This command was integrated into Cisco IOS XE Release 3.5S.
15.2(2)T	This command was integrated into Cisco IOS Release 15.2(2)T.

Usage Guidelines

The keepalive command is used to define the length of time a client session will remain alive after receiving no further communication from the client. After the router receives any packet from the client, and the keepalive interval elapses with no further communication, the router will assume that the client has been lost and will terminate the connection.

Changes to this command will be applied to new client sessions but existing client sessions will continue to use the keepalive interval under which they were initially established.

Examples

The following example defines a keepalive interval of 30 seconds for unauthenticated clients:


Router(config)# service-routing xmcp listen 
Router(config-xmcp)# client unauthenticated
Router(config-xmcp-client)# keepalive 30
Router(config-xmcp-client)# end

Related Commands


Command	Description
client (XMCP)	Defines the properties of XMCP clients.
keepalive (SAF)	Specifies a time interval for sending keepalive messages for a Cisco SAF External Clients. This command is deprecated and replaced by the keepalive (xmcp) command.
service-routing xmcp listen	Defines a port on which XMCP clients can connect.

key

To identify an authentication key on a key chain, use the key command in key-chain configuration mode. To remove the key from the key chain, use the no form of this command.

key key-id

no key key-id

Syntax Description


`key-id`	Identification number of an authentication key on a key chain. The range of keys is from 0 to 2147483647. The key identification numbers need not be consecutive.

Command Default

No key exists on the key chain.

Command Modes

Key-chain configuration (config-keychain)

Command History


Release	Modification
11.1	This command was introduced.
12.4(6)T	Support for IPv6 was added.
12.2(33)SRB	This command was integrated into Cisco IOS Release 12.2(33)SRB.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains.

It is useful to have multiple keys on a key chain so that the software can sequence through the keys as they become invalid after time, based on the accept-lifetime and send-lifetime key chain key command settings.

Each key has its own key identifier, which is stored locally. The combination of the key identifier and the interface associated with the message uniquely identifies the authentication algorithm and Message Digest 5 (MD5) authentication key in use. Only one authentication packet is sent, regardless of the number of valid keys. The software starts looking at the lowest key identifier number and uses the first valid key.

If the last key expires, authentication will continue and an error message will be generated. To disable authentication, you must manually delete the last valid key.

To remove all keys, remove the key chain by using the no key chain command.

Examples

The following example configures a key chain named chain1. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# interface ethernet 0
Router(config-if)# ip rip authentication key-chain chain1
Router(config-if)# ip rip authentication mode md5
!
Router(config)# router rip
Router(config-router)# network 172.19.0.0
Router(config-router)# version 2
!
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600

The following named configuration example configures a key chain named chain1 for EIGRP address-family. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# router 
eigrp virtual-name
Router(config-router)# address-family ipv4 autonomous-system 4453
Router(config-router-af)# network 10.0.0.0
Router(config-router-af)# af-interface ethernet0/0
Router(config-router-af-interface)# authentication key-chain trees
Router(config-router-af-interface)# authentication mode md5
Router(config-router-af-interface)# exit
Router(config-router-af)# exit
Router(config-router)# exit
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600

The following named configuration example configures a key chain named chain1 for EIGRP service-family. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# eigrp virtual-name
Router(config-router)# service-family ipv4 autonomous-system 4453
Router(config-router-sf)# network 10.0.0.0
Router(config-router-sf)# sf-interface ethernet0/0
Router(config-router-sf-interface)# authentication key-chain trees
Router(config-router-sf-interface)# authentication mode md5
Router(config-router-sf-interface)# exit
Router(config-router-sf)# exit
Router(config-router)# exit
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600

Related Commands


Command	Description
accept-lifetime	Sets the time period during which the authentication key on a key chain is received as valid.
ip authentication key-chain eigrp	Enables authentication of EIGRP packets.
key chain	Defines an authentication key chain needed to enable authentication for routing protocols.
key-string (authentication)	Specifies the authentication string for a key.
send-lifetime	Sets the time period during which an authentication key on a key chain is valid to be sent.
show key chain	Displays authentication key information.

key chain

To define an authentication key chain needed to enable authentication for routing protocols and enter key-chain configuration mode, use the key chain command in global configuration mode. To remove the key chain, use the no form of this command.

key chain chain name-of-chain [tcp]

no key chain name-of-chain

Syntax Description


`name-of-chain`	Name of a key chain. A key chain must have at least one key and can have up to 2147483647 keys.
tcp	Optionally sets the key chain to use the TCP Authentication Option (TCP-AO).

Command Default

No key chain exists.

Command Modes

Global configuration (config)

Command History


Release	Modification
11.1	This command was introduced.
12.4(6)T	Support for IPv6 was added.
12.2(33)SRB	This command was integrated into Cisco IOS Release 12.2(33)SRB.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
16.12.1	Support for TCP-AO using the tcp option was added.

Usage Guidelines

Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol (RIP) Version 2 use key chains.

You must configure a key chain with keys to enable authentication.

Although you can identify multiple key chains, we recommend using one key chain per interface per routing protocol. Upon specifying the key chain command, you enter key chain configuration mode.

Examples

The following example configures a key chain named chain1. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# interface ethernet 0
Router(config-if)# ip rip authentication key-chain chain1
Router(config-if)# ip rip authentication mode md5
!
Router(config)# router rip
Router(config-router)# network 172.19.0.0
Router(config-router)# version 2
!
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600

The following named configuration example configures a key chain named chain1 for EIGRP address-family. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# router eigrp virtual-name
Router(config-router)# address-family ipv4 autonomous-system 4453
Router(config-router-af)# network 10.0.0.0
Router(config-router-af)# af-interface ethernet0/0
Router(config-router-af-interface)# authentication key-chain trees
Router(config-router-af-interface)# authentication mode md5
Router(config-router-af-interface)# exit
Router(config-router-af)# exit
Router(config-router)# exit
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600

The following named configuration example configures a key chain named trees for service-family. The key named chestnut will be accepted from 1:30 pm to 3:30 pm and be sent from 2:00 pm to 3:00 pm. The key birch will be accepted from 2:30 pm to 4:30 pm and be sent from 3:00 pm to 4:00 pm. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# router eigrp virtual-name
Router(config-router)# service-family ipv4 autonomous-system 4453
Router(config-router-sf)# sf-interface ethernet
Router(config-router-sf-interface)# authentication key chain trees
Router(config-router-sf-interface)# authentication mode md5
Router(config-router-sf-interface)# exit
Router(config-router-sf)# exit
Router(config-router)# exit
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string chestnut
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string birch
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600

Examples

The following example configures a simple key chain for a TCP-AO enabled connection. The key named tcpao1 will be accepted from 1:30 pm to 3:30 pm and be sent from 2:00 pm to 3:00 pm. The key tcpao2 will be accepted from 2:30 pm to 4:30 pm and be sent from 3:00 pm to 4:00 pm. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.

Router(config)# key chain kc1 tcp
Router(config-keychain)# key 1
Router(config-keychain-key)# send-id 215
Router(config-keychain-key)# recv-id 215
Router(config-keychain-key)# key-string tcpao1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# cryptographic-algorithm hmac-sha-1
Router(config-keychain-key)# include-tcp-optionsRouter(config-keychain-key)# exit
outer(config-keychain)# key 2
Router(config-keychain-key)# send-id 215
Router(config-keychain-key)# recv-id 215
Router(config-keychain-key)# key-string tcpao2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# cryptographic-algorithm hmac-sha-1
Router(config-keychain-key)# include-tcp-options

Related Commands


Command	Description
accept-lifetime	Sets the time period during which the authentication key on a key chain is received as valid.
ip rip authentication key-chain	Enables authentication for RIP Version 2 packets and specifies the set of keys that can be used on an interface.
ip authentication key-chain eigrp	Enables authentication of EIGRP packets.
key	Identifies an authentication key on a key chain.
key-string (authentication)	Specifies the authentication string for a key.
send-lifetime	Sets the time period during which an authentication key on a key chain is valid to be sent.
show key chain	Displays authentication key information.

key-string (authentication)

To specify the authentication string for a key, use the key-string (authentication) command in key chain key configuration mode. To remove the authentication string, use the no form of this command.

key-string text

no key-string text

Syntax Description


`text`	Authentication string that must be sent and received in the packets using the routing protocol being authenticated. The string can contain from 1 to 80 uppercase and lowercase alphanumeric characters.

Command Default

No authentication string for a key exists.

Command Modes

Key chain key configuration (config-keychain-key)

Command History


Release	Modification
11.1	This command was introduced.
12.4(6)T	Support for IPv6 was added.
12.2(33)SRB	This command was integrated into Cisco IOS Release 12.2(33)SRB.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.

Usage Guidelines

Only DRP Agent, Enhanced Interior Gateway Routing Protocol (EIGRP), and Routing Information Protocol ( RIP) Version 2 use key chains. Each key can have only one key string.

If password encryption is configured (with the service password-encryption command), the software saves the key string as encrypted text. When you write to the terminal with the more system:running-config command, the software displays key-string 7 encrypted text.

Examples

The following example configures a key chain named chain1. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# interface ethernet 0
Router(config-if)# ip rip authentication key-chain chain1
Router(config-if)# ip rip authentication mode md5
!
Router(config)# router rip
Router(config-router)# network 172.19.0.0
Router(config-router)# version 2
!
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600

The following example configures a key chain named chain1 for EIGRP address-family. The key named key1 will be accepted from 1:30 p.m. to 3:30 p.m. and be sent from 2:00 p.m. to 3:00 p.m. The key named key2 will be accepted from 2:30 p.m. to 4:30 p.m. and be sent from 3:00 p.m. to 4:00 p.m. The overlap allows for migration of keys or a discrepancy in the set time of the router. There is a 30-minute leeway on each side to handle time differences.


Router(config)# eigrp virtual-name
Router(config-router)# address-family ipv4 autonomous-system 4453
Router(config-router-af)# network 10.0.0.0
Router(config-router-af)# af-interface ethernet0/0
Router(config-router-af-interface)# authentication key-chain trees
Router(config-router-af-interface)# authentication mode md5
Router(config-router-af-interface)# exit
Router(config-router-af)# exit
Router(config-router)# exit
Router(config)# key chain chain1
Router(config-keychain)# key 1
Router(config-keychain-key)# key-string key1
Router(config-keychain-key)# accept-lifetime 13:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 14:00:00 Jan 25 1996 duration 3600
Router(config-keychain-key)# exit
Router(config-keychain)# key 2
Router(config-keychain-key)# key-string key2
Router(config-keychain-key)# accept-lifetime 14:30:00 Jan 25 1996 duration 7200
Router(config-keychain-key)# send-lifetime 15:00:00 Jan 25 1996 duration 3600

Related Commands


Command	Description
accept-lifetime	Sets the time period during which the authentication key on a key chain is received as valid.
ip authentication key-chain eigrp	Enables authentication of EIGRP packets.
key	Identifies an authentication key on a key chain.
key chain	Defines an authentication key-chain needed to enable authentication for routing protocols.
send-lifetime	Sets the time period during which an authentication key on a key chain is valid to be sent.
service password-encryption	Encrypts passwords.
show key chain	Displays authentication key information.

max-clients

To limit the number of simultaneous client connections permitted, use the max-clients command in XMCP configuration mode. To remove this restriction, use the no form of this command.

max-clients {unauthenticated number [total number] | total number [unauthenticated number]}

Syntax Description


unauthenticated `number`	Maximum number of unauthenticated clients. The range is 1 to 1024.
total `number`	Maximum number of connected clients of any type. The range is 1 to 1024.

Command Default

Clients are limited only by available bandwidth and memory by default.

Command Modes

XMCP configuration (config-xmcp)

Command History


Release	Modification
15.2(1)S	This command was introduced.
Cisco IOS XE Release 3.5S	This command was integrated into Cisco IOS XE Release 3.5S.
15.2(2)T	This command was integrated into Cisco IOS Release 15.2(2)T.

Usage Guidelines

The max-clients command is used to limit the number of simultaneous XMCP client connections. The limit can be applied to unauthenticated clients specifically and to all XMCP clients.

When the max-clients command is applied or modified while XMCP clients are connected, and the number of connected clients exceeds any of the new limits, the sessions of some existing clients (in no defined order) will be terminated until the total number falls within the new limits.

Examples

The following example permits a maximum of 10 unauthenticated clients at a time and no more than 20 clients total:


Router(config)# service-routing xmcp listen ipv4
Router(config-xmcp)# max-clients unauthenticated 10 total 20
Router(config-xmcp)# end

Related Commands


Command	Description
service-routing xmcp listen	Defines a port on which XMCP clients can connect.

maximum-service (EIGRP)

To specify the maximum number of services that are permitted in a Cisco SAF service family, use the maximum-service command in service-family configuration mode. To disable this service, use the no form on this command.

maximum-service number [threshold-value] dampened [default] [interface-type interface-number]

no maximum-service

Syntax Description


`number`	Limit of maximum services, entered by a number from 1 to 4294967295.
`threshold-value`	(Optional) Threshold value (%) that enables a warning message, entered by a number between 1 and 100. The default is 75 percent.
dampened	(Optional) Exponentially increases the restart time interval.
reset-time	(Optional) Specifies the duration after which the restart history is cleared.
`interval`	(Optional) Specifies the reset-time interval, in minutes, entered using a number between 1 and 65535.
restart	(Optional) Automatically reestablishes a peering session that was disabled because the maximum-service limit had been exceeded.
`interval`	(Optional) Specifies the restart interval, in minutes, entered using a number between 1 and 65535.
restart-count	(Optional) Specifies the number of times a peer is auto-restarted.
`count`	(Optional) Specifies the number of times to restart, entered using a number between 1 and 65535.
warning-only	(Optional) Generates a warning-only message when the limit is exceeded.

Command Default

Command Modes

Service-family configuration (config-router-sf)

Command History


Release	Modification
15.0(1)M	This command was introduced.
12.2(33)SRE	This command was modified. The address-family configuration mode was added.
12.2(33)XNE	This command was integrated into Cisco IOS Release 12.2(33)XNE.
Cisco IOS XE Release 2.5	This command was modified. The address-family configuration mode was added.
12.2(33)SXI4	This command was integrated into Cisco IOS Release 12.2(33)SXI4.

Usage Guidelines

To specify how much memory is consumed from services received, use the maximum-service command in service-family configuration mode. To disable this function, use the no form on this command.

When the amount of memory exceeds the maximum amount configured, the router disables the peering session (by default):

If the restart keyword is configured, the router automatically reestablishes the peering session at the configured time interval. If the restart interval is not configured, a disabled session stays down by default after the maximum-service limit is exceeded.
If the warning-only keyword is configured, the router only sends a log message, but continues peering with the sender. If the neighbor is terminated, the neighbor remains down until the clear eigrp service-family command is configured.

Use the show eigrp service-family ipv4 command with the neighbor keyword to verify neighbor configurations.

Examples

The following example sets the restart interval to 30 minutes, retries the restart 5 times, and clears the restart history after 60 minutes for service-family IPv4 autonomous-system 4533:


Router(config)# router eigrp virtual-name
Router(config-router)# service-family ipv4 autonomous-system 4533
Router(config-router-sf)# maximum-service 1000 restart 30 restart-count 5 dampened   reset-time 60

The following example sets the maximum memory services to 1000 kilobytes, that are allowed from service-family IPv4 autonomous-system 4533:


Router(config)# router eigrp virtual-name
Router(config-router)# service-family ipv4 autonomous-system 4533
Router(config-router-sf)# maximum-service 1000

The following example sets the maximum memory services to 500 kilobytes that are allowed from service-family IPv4 autonomous-system 4533 and configures a warning to display when the maximum-service limit has been exceeded.


Router(config)# router eigrp virtual-name
Router(config-router)# service-family ipv4 autonomous-system 4533
Router(config-router-sf)# maximum-service 500 warning-only

Related Commands


Command	Description
clear eigrp service-family	Clears information for a Cisco SAF service family.
router eigrp	Configures the EIGRP process.
service-family	Configures commands under service-family mode.
sf-interface	Configures interface-specific commands under a service family.
show eigrp service-family	Displays information for a Cisco SAF service family.

metric weights (EIGRP)

To tune Enhanced Interior Gateway Routing Protocol (EIGRP) metric calculations, use the metric weights command in router configuration mode or address family configuration mode. To reset the values to their defaults, use the no form of this command.

metic weights tos k1 k2 k3 k4 k5

no metric weights

Syntax Description


`tos`	Type of service. This value must always be zero.
`k1` `k2` `k3` `k4` `k5`	Constants that convert an EIGRP metric vector into a scalar quantity. Valid values are 0 to 255. Default values are: `tos:` 0 `k1:` 1 `k2:` 0 `k3:` 1 `k4:` 0 `k5:` 0

Command Default

EIGRP metric K values are set to their default values.

Command Modes

Router configuration (config-router) Address family configuration (config-router-af)

Command History


Release	Modification
10.0	This command was introduced.
12.4(6)T	Support for IPv6 was added.
12.2(33)SRB	This command was integrated into Cisco IOS Release 12.2(33)SRB.
Cisco IOS XE Release 2.1	This command was integrated into Cisco IOS XE Release 2.1.
12.2SX	This command is supported in the Cisco IOS Release 12.2SX train. Support in a specific 12.2SX release of this train depends on your feature set, platform, and platform hardware.
15.0(1)M	This command was modified. The address-family configuration mode was added.
12.2(33)SRE	This command was modified. The address-family configuration mode was added.
12.2(33)XNE	This command was integrated into Cisco IOS Release 12.2(33)XNE.
Cisco IOS XE Release 2.5	This command was modified. The address-family configuration mode was added.

Usage Guidelines

Use this command to alter the default behavior of EIGRP routing and metric computation and allow the tuning of the EIGRP metric calculation for a particular type of service (ToS).

If k5 equals 0, the composite EIGRP metric is computed according to the following formula:

metric = [k1 * bandwidth + (k2 * bandwidth)/(256 - load) + k3 * delay]

If k5 does not equal zero, an additional operation is performed:

metric = metric * [k5/(reliability + k4)]

Bandwidth is inverse minimum bandwidth of the path in bps scaled by a factor of 2.56 ∗ 1012. The range is from a 1200-bps line to 10 terabits per second.

Delay is in units of 10 microseconds. The range of delay is from 10 microseconds to 168 seconds. A delay of all ones indicates that the network is unreachable.

The delay parameter is stored in a 32-bit field, in increments of 39.1 nanoseconds. The range of delay is from 1 (39.1 nanoseconds) to hexadecimal FFFFFFFF (decimal 4,294,967,040 nanoseconds). A delay of all ones (that is, a delay of hexadecimal FFFFFFFF) indicates that the network is unreachable.

The table below lists the default values used for several common media.

Table 1. Bandwidth Values by Media Type
Media Type	Delay	Bandwidth
Satellite	51,200,000 (2 seconds)	5120 (500 megabits)
Ethernet	25600 (1 millisecond [ms])	256,000 (10 megabits)
1.544 Mbps	51,200,000 (20 ms)	1,657,856 bits
64 kbps	51,200,000 (20 ms)	40,000,000 bits
56 kbps	51,200,000 (20 ms)	45,714,176 bits
10 kbps	51,20,000 (20 ms)	256,000,000 bits
1 kbps	51,200,000 (20 ms)	2,560,000,000 bits

Reliability is given as a fraction of 255. That is, 255 is 100 percent reliability or a perfectly stable link.

Load is given as a fraction of 255. A load of 255 indicates a completely saturated link.

Examples

The following example sets the metric weights to slightly different values than the defaults:


Router(config)# router eigrp 109
Router(config-router)# 
network 192.168.0.0
Router(config-router)# metric weights 0 2 0 2 0 0

The following example configures an address-family metric weight to tos: 0; K1: 2; K2: 0; K3: 2; K4: 0; K5: 0.


Router(config)# router eigrp virtual-name
Router(config-router)# address-family ipv4 autonomous-system 4533
Router(config-router-af)# metric weights 0 2 0 2 0 0

Related Commands


Command	Description
address-family (EIGRP)	Enters address-family configuration mode to configure an EIGRP routing instance.
bandwidth (interface)	Sets a bandwidth value for an interface.
delay (interface)	Sets a delay value for an interface.
ipv6 router eigrp	Configures the EIGRP for IPv6 routing process.
metric holddown	Keeps new EIGRP routing information from being used for a certain period of time.
metric maximum-hops	Causes the IP routing software advertise as unreachable routes with a hop count higher than is specified by the command (EIGRP only).
router eigrp	Configures the EIGRP address-family process.

neighbor (service-family)

To configure properties of an Enhanced Interior Gateway Routing Protocol (EIGRP) service-family neighbor, use the neighbor command in service-family configuration mode. To remove the properties of the neighbor, use the no form of this command.

neighbor ip-address {interface-type interface-number | loopback loopback-interface-number [remote maximum-hops] | description description-string maximum-service maximum-service-limit [threshold-value] [warning-only] | dampened [reset-time minutes] [restart minutes] [restart-count number]}

no neighbor ip-address {interface-type interface-number | loopback loopback-interface-number | description description-string | maximum-service}

Syntax Description


`ip-address`	IP address of the service-family neighbor, in A.B.C.D. format.
`interface-type`	Specifies the interface type.
`interface-number`	Specifies the interface number.
loopback	Specifies the loopback interface.
loopback-interface- number	Specifies the loopback interface number.
remote	(Optional) Specifies that the neighbor is remote.
maximum-hops	(Optional) Specifies the maximum number of hops, entered using a number from 3 to 100.
description	(Optional) Specifies a description for the neighbor.
`description-string`	Specifies the description string for the neighbor.
maximum-service	(Optional) Configures the maximum number of services acceptable from all neighbors.
`maximum-service- limit`	Specifies the limit of maximum services, entered by a number from 1 to 4294967295.
`threshold-value`	(Optional) Threshold value (%) that enables a warning message, entered by a number between 1 and 100. The default is 75 percent.
warning-only	(Optional) Generates a warning-only message when the configured limit is exceeded.
dampened	(Optional) Exponentially increases the restart-time interval.
reset-time	(Optional) Specifies the duration after which the system clears the restart history.
`minutes`	(Optional) Specifies the reset-time interval, in minutes, entered using a number between 1 and 65535.
restart	(Optional) Automatically reestablishes a peering session that was disabled because the maximum-service limit had been exceeded.
`minutes`	(Optional) Specifies the restart interval, in minutes, entered using a number between 1 and 65535.
restart-count	(Optional) Specifies the number of times that a peer is auto-restarted.
`number`	(Optional) Specifies the restart-count interval in minutes, entered using a number between 1 and 65535.

Command Default

No neighbor establishments are configured.

Command Modes

Service-family configuration (config-router-sf)

Command History


Release	Modification
15.0(1)M	This command was introduced.
12.2(33)SRE	This command was integrated into Cisco IOS Release 12.2(33)SRE.
12.2(33)XNE	This command was integrated into Cisco IOS Release 12.2(33)XNE.
Cisco IOS XE Release 2.5	This command was integrated into Cisco IOS XE Release 2.5.
12.2(33)SXI4	This command was integrated into Cisco IOS Release 12.2(33)SXI4.

Usage Guidelines

To configure a neighbor router with which to exchange routing information, use the neighbor command in service-family configuration mode. This command permits the point-to-point (non-broadcast) exchange of routing information. You can repeat this command to configure multiple neighbors.

Use the neighbor ip-address loopback interface-number remote maximum-hops command to configure neighbors that are multiple hops away and are not on the same subnet as the router. This command can be used only with loopback interfaces.

To configure the amount of memory used to store services from all EIGRP service-family neighbors, use the neighbor maximum-service command in service-family configuration mode. To disable this function, use the no form on this command.

When the amount of memory exceeds the maximum amount configured, the router disables the peering session (by default):

If the restart keyword is configured, the router automatically reestablishes the peering session at the configured time interval. If the restart-interval is not configured, a disabled session stays down by default after the maximum-service limit is exceeded.
If the warning-only keyword is configured, the router sends only a log message, but continues peering with the sender. If the neighbor is terminated, the neighbor remains down until the clear eigrp service-family command is configured.

Use the show eigrp service-family ipv4 command with the neighbor keyword to verify neighbor configurations.

Examples

The following example sets the maximum hops to three for the remote neighbor 10.1.10.2 on Ethernet interface 0/0:


Router(config)# router eigrp virtual-name
Router(config-router)# service-family ipv4 autonomous-system 4533
Router(config-router-sf)# neighbor 10.1.10.2 
Router(config-router-sf)# Ethernet 0/0
Router(config-router-sf)# remote 3

The following example sets the restart interval to 30 minutes, retries the restart five times, and clears the restart history after 60 minutes for neighbor 10.1.10.1:


Router(config)# router eigrp virtual-name
Router(config-router)# service-family ipv4 autonomous-system 4533
Router(config-router-sf)# neighbor 10.1.10.1
Router(config-router-sf)# reset-time 60

The following example set the maximum memory services to 1000 kilobytes that are allowed from neighbor 10.1.10.1:


Router(config)# router eigrp virtual-name
Router(config-router)# service-family ipv4 autonomous-system 4533
Router(config-router-sf)# neighbor 10.1.10.1
Router(config-router-sf)# maximum-service 1000

The following example set the maximum memory services to 500 kilobytes that are allowed from neighbor 10.1.10.1 and configures a warning to display when the maximum-service limit has been exceeded:


Router(config)# router eigrp virtual-name
Router(config-router)# service-family ipv4 autonomous-system 4533
Router(config-router-sf)# neighbor 10.1.10.1
Router(config-router-sf)# maximum-service 500 warning-only

Related Commands


Command	Description
clear eigrp service-family	Clears information for a Cisco SAF service family.
neighbor peer-group	Configures an EIGRP service-family neighbor to a peer group.
router eigrp	Configures the EIGRP process.
service-family	Configures commands under service-family mode.
sf-interface	Configures interface-specific commands under service-family.

nonce

To define the lifetime of the authentication nonces provide to a client, use the nonce lifetime command in XMCP client configuration mode. To disable nonces, use the nonce none command. To restore the default nonce lifetime, use the no form of this command.

nonce {lifetime seconds | none}

no nonce

Syntax Description


lifetime `seconds`	Duration, in seconds, for which each issued nonce will remain valid. Valid range is 5 to 3600.
none	Disables nonces.

Command Default

The default nonce lifetime is 800 seconds.

Command Modes

XMCP client configuration (config-xmcp-client)

Command History


Release	Modification
15.2(1)S	This command was introduced.
Cisco IOS XE Release 3.5S	This command was integrated into Cisco IOS XE Release 3.5S.
15.2(2)T	This command was integrated into Cisco IOS Release 15.2(2)T.

Usage Guidelines

The nonce command is used to define how long each authentication nonce remains valid after first being issued to an XMCP (Extensible Messaging Client Protocol) client. When the nonce lifetime expires, the nonce is invalidated, and Cisco IOS software will issue a new nonce to the client after receiving (and rejecting) a request using the previous expired nonce. Configuring a shorter nonce lifetime provides greater security against packet replay attacks but at the cost of more processing and communication overhead on the client and the Cisco IOS router.

Nonces are not used with unauthenticated clients. Therefore this command may be configured only in conjunction with the client username command.

In security engineering, nonce is an abbreviation of a number used once. It is often a random or pseudorandom number issued in an authentication protocol to ensure that old communications cannot be reused in replay attacks. For example, nonces are used in HTTP digest access authentication to calculate an MD5 (Message Digest-5) digest of the password. The nonces are different each time the 401 authentication challenge response code is presented, thus making replay attacks virtually impossible.

Examples

The following example defines a nonce lifetime of 100 seconds for clients using username user1:


Router(config)# service-routing XMCP listen
Router(config-xmcp)# client username user1 password exampleexample111
Router(config-xmcp-client)# nonce lifetime 100
Router(config-xmcp-client)# end

Related Commands


Command	Description
client (XMCP)	Defines the properties of XMCP clients.
client username	Defines the properties of XMCP clients.
service-routing xmcp listen	Defines a port on which XMCP clients can connect.

password (SAF)

To configure a password for a Cisco SAF External Client, use the password command in external-client label configuration mode. To reset the password, use the no form on this command.

password password-name

no password password-name

Syntax Description


`password-name`	Specifies the name of the password for a Cisco SAF External-Client, entered using 11 to 64 characters.

Command Default

No passwords are configured.

Command Modes

External-client label configuration (config-external-client-mode)

Command History


Release	Modification
15.0(1)M	This command was introduced.
12.2(33)SRE	This command was integrated into Cisco IOS Release 12.2(33)SRE.
12.2(33)XNE	This command was integrated into Cisco IOS Release 12.2(33)XNE.
Cisco IOS XE Release 2.5	This command was integrated into Cisco IOS XE Release 2.5.
12.2(33)SXI4	This command was integrated into Cisco IOS Release 12.2(33)SXI4.
15.2(1)S	This command was deprecated in Cisco IOS Release 15.2(1)S and replaced by the client (xmcp) command.
Cisco IOS XE Release 3.5S	This command was deprecated in Cisco IOS XE Release 3.5S and replaced by the client (xmcp) command.
15.2(2)T	This command was deprecated in Cisco IOS Release 15.2(2)T and replaced by the client (xmcp) command.

Usage Guidelines

Use the password command to set a password for a Cisco SAF External Client.

Examples

The following example configures a password named example for a Cisco SAF External Client:


Router(config)# service-family external-client listen ipv4 2444
Router(config-external-client)# external-client
 example
Router(config-external-client-mode)# password
 example

Related Commands


Command	Description
external-client	Configures Cisco SAF External-Clients.
service-family external-client listen	Configures Cisco SAF External-client listen TCP ports.

remote-neighbors source

To configure a Service Advertisement Framework (SAF) process that enables remote neighbors to accept inbound connections from any remote IP address, use the remote-neighbors source command in service-family configuration mode. To remove the configuration, use the no form of this command.

remote-neighbors sourceinterface{ unicast-listen | multicast-group group-address} [ allow-list access-list-name] [ max-neighbors max-remote-peers]

no remote-neighbors source

Syntax Description


`Interface`	Specifies the loopback interface to use as the source for packets that are sent to remote neighbors. Only loopback interfaces are permitted.
unicast-listen	Accepts connections initiated by remote neighbors and forms remote neighbor relationships without having to manually configure the remote neighbor IP address.
multicast-group	Uses IP multicast to discover remote neighbors and form remote neighbor relationships.
`group-address`	Multicast address that EIGRP will use to discover remote neighbors and exchange information. Only routers using the same group address will discover one another as neighbors.
allow-list (Optional)	Uses an access list (Access Control List) to specify the remote IP addresses from which EIGRP neighbor connections may be accepted. If you do not use the allow-list keyword, then all IP addresses (permit any) will be accepted.
`access-list-name` (Optional)	Name of the access list to use with the allow-list keyword.
max-neighbors (Optional)	Uses a maximum number of remote neighbors. If you do not use this keyword, the maximum number of remote neighbors is limited only by available memory and bandwidth.
`max-remote-peers` (Optional)	Maximum number of remote neighbors that a member of the multicast group may accept. The range is from 1 to 65535.

Command Default

No remote neighbors are specified.

Command Modes

Service-family configuration (config-router-sf)

Command History


Release	Modification
15.1(2)S	This command was introduced.
Cisco IOS XE Release 3.3S	This command was integrated into Cisco IOS XE Release 3.3S.
15.2(1)T	This command was integrated into Cisco IOS Release 15.2(1)T

Usage Guidelines

Configure the allow-list keyword for enhanced security. This keyword allows only specific IP addresses to connect to the remote neighbor.

Examples

The following example shows how to use unicast to configure remote neighbors to accept inbound connections from IP addresses that match an access list:


Router(config)# router eigrp virtual-name
Router(config-router)# service-family ipv4 autonomous-system 4453
Router(config-router-sf-interface)# remote-neighbors source Loopback1 unicast-listen allow-list myNeighborList

The following example shows how to use multicast to discover similarly configured routers as remote neighbors, with no restriction on neighbor IP addresses (no allow-list specified), and a maximum of 30 neighbors:


Router(config)# router eigrp virtual-name
Router(config-router)# service-family ipv4 autonomous-system 4453
Router(config-router-sf-interface)# remote-neighbors source Loopback2 multicast-group 224.44.56.1 max-neighbors 30

Related Commands


Command	Description
service-family (SAF)	Enters service-family configuration mode.
neighbor (EIGRP)	Defines a neighboring router with which to exchange routing information on a router that is running Enhanced Interior Gateway Routing Protocol (EIGRP).

Bias-Free Language

Results

Chapter: SAF Commands keepalive SAF through remote-neighbors SAF

SAF Commands keepalive SAF through remote-neighbors SAF

keepalive (SAF)

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

keepalive (XMCP)

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

key

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

key chain

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Examples

Related Commands

key-string (authentication)

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

max-clients

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

maximum-service (EIGRP)

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

metric weights (EIGRP)

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

neighbor (service-family)

Syntax Description

Command Default

Command Modes

Command History

Usage Guidelines

Examples

Related Commands

nonce

Syntax Description