ip address
Assign IP addresses to network interfaces.
ip address if_name ip_address [netmask]
ip address if_name dhcp [setroute]
show ip-address if_name [dhcp]
clear ip-address if_name dhcp [setroute]
ip address outside dhcp [setroute] [retry retry_cnt]
show ip
clear ip
Syntax
if_name: Interface name assigned by nameif.
ip_address: IP address to assign to interface.
netmask: Network mask of ip_address.
dhcp: Enable DHCP client on the specified interface.
outside: Interface from which the firewall will poll for information.
retry: Allows firewall to retry polling for DHCP information.
retry_cnt: Number of times the firewall will poll for DHCP information. Values available are 4 to 16, with a default of 4.
setroute: Set a default route using the default gateway the DHCP server returns.
show ip: Display IP addresses assigned to the network interfaces.
clear ip: Reset all interface IP addresses to 127.0.0.1. Does not affect ip local pool or ip verify reverse-route.
clear ip-address: Clears the default route using the default gateway parameter the DHCP server returns for specified interface.
Defaults
By default the firewall will not retry to poll for DHCP information. The default value for retry_cnt is 4.
Usage
Assign an IP address to each interface. Use the show ip command to view which addresses are assigned to the network interfaces. If you make a mistake while entering this command, re-enter the command with the correct information. The clear ip command resets all interface IP addresses to 127.0.0.1. The clear ip command does not affect the ip local pool or ip verify reverse-route commands.
Configuration mode.
clear ip stops all traffic through the firewall unit.
After changing an ip-address command, use the clear xlate command.
Always specify a network mask with the ip-address command. If you let the firewall assign a network mask based on the IP address, you may not be permitted to enter subsequent IP addresses if another interface's address is in the same range as the first address. For example, if you specify an inside interface address of 10.1.1.1 without specifying a network mask and then try to specify 10.1.2.2 for a perimeter interface, the firewall displays the error message, "Sorry, not allowed to enter IP address on same network as interface n." To fix this problem, reenter the first command specifying the correct network mask.
Do not set the netmask to all 255s, such as 255.255.255.255. This stops access on the interface. Instead, use a network mask of 255.255.255.0 for Class C addresses, 255.255.0.0 for Class B addresses, or 255.0.0.0 for Class A addresses.
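The netmask rules above can be checked before a configuration is loaded. The following is an added example, not part of the original reference or the vendor's software: the function names audit and classful_mask, the interface name dmz and the sample configuration are constructed, and the class-based default mask is an assumption drawn from the 10.1.1.1 example above.

```python
import ipaddress

def classful_mask(ip):
    # Assumption: with no mask given, the firewall derives one from the
    # address class, which is what the page's 10.1.1.1 example implies.
    first_octet = int(ip) >> 24
    if first_octet < 128:
        return "255.0.0.0"
    return "255.255.0.0" if first_octet < 192 else "255.255.255.0"

def audit(config):
    """Return (interface, problem) findings for static ip-address lines."""
    findings, seen = [], {}
    for line in config.splitlines():
        # Accept both spellings used on the page: "ip address" and "ip-address".
        tok = line.replace("ip address", "ip-address", 1).split()
        if len(tok) < 3 or tok[0] != "ip-address" or tok[2] == "dhcp":
            continue  # not a static interface address line
        name, ip = tok[1], ipaddress.IPv4Address(tok[2])
        if len(tok) < 4:
            mask = classful_mask(ip)
            findings.append((name, f"no netmask given, {mask} would be assumed"))
        else:
            mask = tok[3]
        if mask == "255.255.255.255":
            findings.append((name, "netmask of all 255s stops access on the interface"))
            continue
        net = ipaddress.IPv4Network(f"{ip}/{mask}", strict=False)
        # An overlap with an earlier interface is the case the firewall rejects.
        for other, other_net in seen.items():
            if net.overlaps(other_net):
                findings.append((name, f"{net} overlaps {other} ({other_net})"))
        seen[name] = net
    return findings

# Constructed sample configuration; "dmz" is a made-up interface name.
SAMPLE = """\
ip-address inside 10.1.1.1
ip-address perimeter 10.1.2.2 255.255.255.0
ip-address outside 209.165.201.2 255.255.255.224
ip-address dmz 192.168.70.3 255.255.255.255
"""

if __name__ == "__main__":
    for iface, problem in audit(SAMPLE):
        print(f"{iface}: {problem}")
```

Giving the inside interface an explicit 255.255.255.0 mask removes both the missing-mask finding and the overlap reported for the perimeter interface.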
The default address for an interface is 127.0.0.1.
Configurations using firewall failover require a separate IP address for each network interface on the standby unit. The system IP address is the address of the active unit. When the show ip command is executed on the active unit, the current IP address is the same as the system IP address. When the show ip command is executed on the standby unit, the system IP address is the failover IP address configured for the standby unit.
The ip-address dhcp command enables the DHCP client feature within the firewall. This command allows the firewall to be a DHCP client to a DHCP server that provides configuration parameters to the client. In this case, the configuration parameters the DHCP server provides are an IP address and a subnet mask for the interface on which the DHCP client feature is enabled. The optional setroute argument tells the firewall to set the default route using the default gateway parameter the DHCP server returns.
If the setroute argument is configured, the show route command output shows the default route as being set by a DHCP server.
- To reset an interface and delete a DHCP lease from firewall, use clear ip.
- To clear a DHCP default route, use clear route static.
Do not configure the firewall with a default route when using the setroute argument of the ip-address dhcp command.
The show ip-address dhcp command displays detailed information about the DHCP lease.
Examples
The following is sample output for the show ip command:
show ip
System IP Addresses:
    ip-address outside 209.165.201.2 255.255.255.224
    ip-address inside 192.168.2.1 255.255.255.0
    ip-address perimeter 192.168.70.3 255.255.255.0
Current IP Addresses:
    ip-address outside 209.165.201.2 255.255.255.224
    ip-address inside 192.168.2.1 255.255.255.0
    ip-address perimeter 192.168.70.3 255.255.255.0

The Current IP Addresses are the same as the System IP Addresses on the firewall active unit. When the primary unit fails, the Current IP Addresses become those of the standby unit.
The following is sample output for the show ip-address dhcp command:
show ip-address outside dhcp
Temp IP Addr:209.165.201.57 for peer on interface:outside
Temp sub net mask:255.255.255.224
DHCP Lease server:209.165.200.225, state:3 Bound
DHCP Transaction id:0x4123
Lease:259200 secs, Renewal:129600 secs, Rebind:226800 secs
Temp default-gateway addr:209.165.201.1
Next timer fires after:111797 secs
Retry count:0, Client-ID:cisco-0000.0000.0000-outside

ip-address outside dhcp retry 10