A Commands for the LightStream  1010 ATM Switch

aaa accounting

To enable AAA accounting of requested services for billing or security purposes when using TACACS+, use the aaa accounting global configuration command. To disable accounting, use the no form of this command.

aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} tacacs+
aaa accounting {nested | suppress null-username}
aaa accounting update {newinfo | periodic interval}
no aaa accounting {system | network | connection | exec | command level}
Syntax Description

system

Performs accounting for all system-level events not associated with users, such as reloads.

network

Runs accounting for all network-related service requests, including SLIP, PPP, NCPs, and ARAP.

connection

Runs accounting for outbound Telnet and rlogin.

exec

Runs accounting for EXECs (user shells). This keyword might return user profile information such as autocommand information.

commands

Runs accounting for all commands at the specified privilege level.

level

The command level that should be accounted for. Valid entries are 0 to 15.

start-stop

Sends a start record accounting notice at the beginning of a process and a stop record at the end of a process. The start accounting record is sent in the background. The requested user process begins whether or not the start accounting record was received by the accounting server.

wait-start

As in start-stop, sends both a start and a stop accounting record to the accounting server. However, if you use the wait-start keyword, the requested user service does not begin until the start accounting record is acknowledged. A stop accounting record is also sent.

stop-only

Sends a stop record accounting notice at the end of the requested user process.

tacacs+

Mandatory. Enables the TACACS-style accounting.

nested

Generates NETWORK records before EXEC-STOP records when starting PPP from EXEC.

suppress null-username

Suppresses generation of accounting records for users with no username.

update

Enables accounting update records.

newinfo

Sends accounting update records only when there is new information.

periodic

Sends accounting records at periodic intervals.

interval

Interval, in minutes, between sending periodic updates. Valid entries are 0 to 2147483647.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

The aaa accounting command allows you to set start-stop accounting for any or all of the functions listed in "Syntax Description." For minimal accounting control, use the stop-only keyword, which sends a stop record accounting notice at the end of the requested user process. For additional accounting control, you can use the start-stop keyword, where TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. You can further control access and accounting by issuing the wait-start keyword, which ensures that the start notice is received by the TACACS+ server before granting the user's process request. Accounting is done only for the TACACS+ server.


Note This command, along with aaa authorization, replaces the tacacs-server authenticate command in previous versions of TACACS. This command can be used only with AAA TACACS+.
Examples

In the following example, accounting is set for outbound Telnet and rlogin, and both a start and stop accounting notice is sent to the TACACS+ server.

Switch(config)# aaa accounting connection start-stop tacacs+
 

In the following example, accounting is set for privilege level 15 commands, with a wait-start restriction.

Switch(config)# aaa accounting command 15 wait-start tacacs+
Related Command

aaa new-model

aaa authentication arap


Note This command or some of its parameters might not function as expected in the LightStream  1010 ATM switch environment.

aaa authentication enable default

To enable AAA authentication to determine if a user can access the privileged command level with TACACS+, use the aaa authentication enable default global configuration command. To disable this authorization method, use the no form of this command.

aaa authentication enable default method1 [...[method4]]
no aaa authentication enable default method1 [...[method4]]
Syntax Description

method

At least one and up to four of the keywords described in Table 1-1.

Default

If the default list is not set, only the enable password is checked. This version has the same effect as the following command.

Switch(config)# aaa authentication enable default enable
 

On the console, the enable password is used if it exists. If no password is set, the process succeeds anyway.

Command Mode

Global configuration

Usage Guidelines

Use the aaa authentication enable default command to create a series of authentication methods that are used to determine if a user can access the privileged command level. You can specify up to four authentication methods. Method keywords are described in Table 1-1. The additional methods of authentication are used only if the previous method returns an error but not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

If a default authentication routine is not set for a function, the default is none and no authentication is performed. Use the show running-config command to view currently configured lists of authentication methods.


Table 1-1: aaa authentication enable default Method Descriptions
Keyword Description

enable

Uses the enable password for authentication.

line

Uses the line password for authentication.

none

Uses no authentication.

tacacs+

Uses TACACS+ authentication.


Note This command cannot be used with TACACS or extended TACACS.
Example

The following example creates an authentication list that first tries to contact a TACACS+ server. If no server can be found, AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

Switch(config)# aaa authentication enable default tacacs+ enable none
Related Commands

aaa authentication local-override
aaa authentication arap
aaa new-model
enable password

aaa authentication local-override

To have the LightStream  1010 ATM switch check the local user database for authentication before attempting another form of authentication, use the aaa authentication local-override global configuration command. To disable the override, use the no form of this command.

aaa authentication local-override
no aaa authentication local-override

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

This command is useful when you want to configure an override to the normal authentication process for certain personnel, such as system administrators.

When this override is set, the user is always prompted for the username. The system then checks to see if the entered username corresponds to a local account. If the username does not correspond to one in the local database, login proceeds with the methods configured with other aaa commands (such as aaa authentication login). When using this command, the specified username is fixed as the first prompt.

Example

The following example enables AAA authentication override.

Switch(config)# aaa authentication local-override
Related Commands

aaa authentication enable default
aaa authentication login
aaa authentication ppp
aaa new-model

aaa authentication login

To set AAA authentication at login when using TACACS+, use the aaa authentication login global configuration command. To disable AAA authentication, use the no form of this command.

aaa authentication login {default | list-name} method1 [...[method4]]
no aaa authentication login {default | list-name} method1 [...[method4]]
Syntax Description

default

Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.

list-name

Character string used to name the following list of authentication methods tried when a user logs in.

method

At least one and up to four of the keywords described in Table 1-2.

Default

If the default list is not set, only the local user database is checked. This version has the same effect as the following command.

Switch(config)# aaa authentication login default local

Note On the console, login succeeds without any authentication checks if default is not set.
Command Mode

Global configuration

Usage Guidelines

The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.

Create a list by entering the aaa authentication login list-name method command, where list-name is any character string used to name this list (such as MIS-access). The method argument identifies the list of methods the authentication algorithm tries, in the given sequence. Method keywords are described in Table 1-2.

To create a default list that is used if no list is assigned to a line with the login authentication command, use the default argument followed by the methods you want in default situations.

The additional methods of authentication are used only if the previous method returns an error but not if it fails. To ensure that the authentication succeeds even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access, and no authentication is performed. Use the show running-config command to view currently configured lists of authentication methods.


Table 1-2: aaa authentication login Method Descriptions
Keyword Description

enable

Uses the enable password for authentication.

krb5

Uses Kerberos 5 for authentication.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

none

Uses no authentication.

tacacs+

Uses TACACS+ authentication.


Note This command cannot be used with TACACS or extended TACACS.
Examples

The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error, and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

Switch(config)# aaa authentication login MIS-access tacacs+ enable none
 

The following example creates the same list but sets it as the default list that is used for all login authentications if no other list is specified.

Switch(config)# aaa authentication login default tacacs+ enable none
Related Commands

aaa authentication local-override
aaa new-model
login authentication

aaa authentication ppp

To specify one or more AAA authentication methods for use on serial interfaces running PPP when using TACACS+, use the aaa authentication ppp global configuration command. To disable authentication, use the no form of this command.

aaa authentication ppp {default | list-name} method1 [...[method4]]
no aaa authentication ppp {default | list-name} method1 [...[method4]]
Syntax Description

default

Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.

list-name

Character string used to name the following list of authentication methods tried when a user logs in.

method

At least one and up to four of the keywords described in Table 1-3.

Default

If the default list is not set, only the local user database is checked. This version has the same effect as the following command.

Switch(config)# aaa authentication ppp default local
Command Mode

Global configuration

Usage Guidelines

The lists that you create with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface.

Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name this list, such as MIS-access. The method argument identifies the list of methods the authentication algorithm tries in the given sequence. You can enter up to four methods. Method keywords are described in Table 1-3.

The additional methods of authentication are used only if the previous method returns an error but not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error.

If authentication is not specifically set for a function, the default is none and no authentication is performed. Use the show running-config command to view lists of authentication methods.


Table 1-3: aaa authentication ppp Method Descriptions
Keyword Description

if-needed

Does not authenticate if user has already been authenticated on a TTY line.

krb5

Uses Kerberos 5 for authentication. (Can only be used for PAP authentication.)

local

Uses the local username database for authentication.

none

Uses no authentication.

tacacs+

Uses TACACS+ authentication.


Note This command cannot be used with TACACS or extended TACACS.
Example

The following example creates an AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this action returns an error, the user is allowed access with no authentication.

Switch(config)# aaa authentication ppp MIS-access tacacs+ none
Related Commands

aaa authentication local-override
aaa new-model
ppp authentication
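
The fallback rule stated in the enable, login and ppp sections above (the next method is tried only when the previous one returns an error, never when it fails) is modelled here as an added Python example; it is not Cisco code. The function names and the outcomes mapping are assumptions made for illustration, and audit flags lists in which none lets an outage of every earlier method grant access without authentication.

```python
from enum import Enum


class Outcome(Enum):
    PASS = "pass"    # the method answered and accepted the user
    FAIL = "fail"    # the method answered and rejected the user
    ERROR = "error"  # the method could not answer (server unreachable, no password set)


# Method keywords from Tables 1-1, 1-2 and 1-3 of this page.
METHODS = {
    "enable": {"enable", "line", "none", "tacacs+"},
    "login": {"enable", "krb5", "line", "local", "none", "tacacs+"},
    "ppp": {"if-needed", "krb5", "local", "none", "tacacs+"},
}


def parse_method_list(line):
    """Split one 'aaa authentication ...' line into (service, list name, methods)."""
    words = line.split("#", 1)[-1].split()  # drop a 'Switch(config)#' prompt if present
    if len(words) < 5 or words[:2] != ["aaa", "authentication"] or words[2] not in METHODS:
        raise ValueError(f"not an aaa authentication method list: {line!r}")
    service, name, methods = words[2], words[3], words[4:]
    if service == "enable" and name != "default":
        raise ValueError("the enable list is always named 'default'")
    if len(methods) > 4:
        raise ValueError("a method list holds at most four methods")
    unknown = [m for m in methods if m not in METHODS[service]]
    if unknown:
        raise ValueError(f"unknown {service} method(s): {unknown}")
    return service, name, methods


def evaluate_method_list(methods, outcomes):
    """Return (granted, deciding_method) for one authentication attempt.

    outcomes maps a method keyword to an Outcome; it is constructed test input,
    and a method missing from the mapping is treated as returning an error.
    """
    for method in methods:
        if method == "none":
            return True, "none"        # no authentication is performed
        outcome = outcomes.get(method, Outcome.ERROR)
        if outcome is Outcome.PASS:
            return True, method
        if outcome is Outcome.FAIL:
            return False, method       # a failure is final; later methods are not tried
        # Outcome.ERROR: fall through to the next method in the list
    return False, None                 # every method errored and the list has no 'none'


def audit(line):
    """Return findings for a method list that can grant unauthenticated access."""
    service, name, methods = parse_method_list(line)
    findings = []
    if "none" in methods:
        position = methods.index("none")
        earlier = ", ".join(methods[:position]) or "nothing"
        findings.append(
            f"{service} list {name!r}: access is granted with no authentication "
            f"once {earlier} returned an error"
        )
        if position != len(methods) - 1:
            skipped = ", ".join(methods[position + 1:])
            findings.append(f"{service} list {name!r}: never tried after 'none': {skipped}")
    return findings


if __name__ == "__main__":
    # The default login list from the Examples section, during a constructed outage:
    # the TACACS+ server is unreachable and no enable password is configured.
    page_example = "Switch(config)# aaa authentication login default tacacs+ enable none"
    _, _, page_methods = parse_method_list(page_example)
    outage = {"tacacs+": Outcome.ERROR, "enable": Outcome.ERROR}
    print(evaluate_method_list(page_methods, outage))
    print(evaluate_method_list(page_methods[:-1], outage))  # same list without 'none'
    for finding in audit(page_example):
        print(finding)
```
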

aaa authorization


Note This command or some of its parameters might not function as expected in the LightStream  1010 ATM switch environment.

aaa new-model

To enable the AAA access control model that includes TACACS+, use the aaa new-model global configuration command. To disable this functionality, use the no form of this command.

aaa new-model
no aaa new-model

Syntax Description

This command has no arguments or keywords.

Default

AAA/TACACS+ is not enabled.

Command Mode

Global configuration

Usage Guidelines

This command enables the AAA access control system and TACACS+. If you initialize this functionality and later decide to use TACACS or extended TACACS, issue the no form of this command and then enable the version of TACACS you want to use.

Example

The following example initializes AAA and TACACS+.

Switch(config)# aaa new-model
Related Commands

aaa accounting
aaa authentication enable default
aaa authentication local-override
aaa authentication login
aaa new-model

access-class

To restrict incoming and outgoing connections between a particular virtual terminal line (into a Cisco device) and the addresses in an access list, use the access-class line configuration command. To remove access restrictions, use the no form of this command.

access-class access-list-number {in | out}
no access-class access-list-number {in | out}
Syntax Description

access-list-number

Number of an access list. This is a decimal number from 1 to 99.

in

Restricts incoming connections between a particular Cisco device and the addresses in the access list.

out

Restricts outgoing connections between a particular Cisco device and the addresses in the access list.

Default

No access lists are defined.

Command Mode

Line configuration

Usage Guidelines

Remember to set identical restrictions on all the virtual terminal lines because a user can connect to any of them.

To display the access lists for a particular terminal line, use the show line EXEC command and specify the line number.

Examples

The following example defines an access list that permits only hosts on network 192.89.55.0 to connect to the virtual terminal ports on the switch.

Switch(config)# access-list 12 permit 192.89.55.0 0.0.0.255
Switch(config)# line 1 5
Switch(config-line)# access-class 12 in

The following example defines an access list that denies connections to networks other than network 36.0.0.0 on terminal lines 1 through 5.

Switch(config)# access-list 10 permit 36.0.0.0 0.255.255.255
Switch(config)# line 1 5
Switch(config-line)# access-class 10 out
Related Command

show line

access-enable

To enable the switch to create a temporary access list entry in a dynamic access list, use the access-enable EXEC command.

access-enable [host] [timeout minutes]
Syntax Description

host

Sets the software to enable access only for the host from which the Telnet session originated. If not specified, the software allows all hosts on the defined network to gain access. The dynamic access list contains the network mask to use for enabling the new network.

minutes

Specifies an idle timeout for the temporary access list entry. If the access list entry is not used within this period, it is automatically deleted and you must authenticate again. By default, the entries are there permanently. It is recommended that this value equal the idle timeout set for the WAN connection.

Command Mode

EXEC

Usage Guidelines

This command enables the lock-and-key access feature.

You should always define either an idle timeout (with the timeout keyword in this command) or an absolute timeout (with the timeout keyword in the access-template command). Otherwise, the temporary access list entry remains, even after the user has terminated the session.

Example

The following example shows how to create a temporary access list entry and enable access only for the host from which the Telnet session originated. If the access list entry is not accessed within 2 minutes, it is deleted.

Switch# access-enable host timeout 2 
Related Commands

access-list (extended)
autocommand

access-list (extended)

Currently, this command only supports the IP host. To define an extended IP access list, use the extended version of the access-list global configuration command. To remove the access lists, use the no form of this command.

access-list access-list-number [dynamic list-name] {deny | permit} protocol source source-wildcard destination destination-wildcard [precedence precedence] [tos tos] [log]
no access-list access-list-number

For ICMP, you can also use the following syntax.

access-list access-list-number [dynamic list-name] {deny | permit} icmp source source-wildcard destination destination-wildcard [icmp-type [icmp-code] | icmp-message] [precedence precedence] [tos tos] [log]

For TCP, you can also use the following syntax.

access-list access-list-number [dynamic list-name] {deny | permit} tcp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [established] [precedence precedence] [tos tos] [log]

For UDP, you can also use the following syntax.

access-list access-list-number [dynamic list-name] {deny | permit} udp source source-wildcard [operator port [port]] destination destination-wildcard [operator port [port]] [precedence precedence] [tos tos] [log]
Syntax Description

access-list-number

Number of an access list. This is a decimal number from 100 through 199.

list-name

Name of a dynamic access list.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

protocol

Name or number of an Internet protocol. It can be one of the keywords eigrp, gre, icmp, igmp, igrp, ip, ipinip, nos, ospf, tcp, udp, or an integer in the range 0 through 255 representing an IP protocol number. To match any Internet protocol, including ICMP, TCP, and UDP, use the keyword ip. Some protocols allow further qualifiers described below.

source

Number of the network or host from which the packet is being sent. There are three ways to specify the source:

  • Use a 32-bit quantity in four-part dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

source-wildcard

Wildcard bits to be applied to source. There are three ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

  • Use host source as an abbreviation for a source and source-wildcard of source 0.0.0.0.

destination

Number of the network or host to which the packet is being sent. There are three ways to specify the destination:

  • Use a 32-bit quantity in four-part dotted-decimal format.

  • Use the keyword any as an abbreviation for the destination and destination-wildcard of 0.0.0.0 255.255.255.255.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

destination-wildcard

Wildcard bits to be applied to the destination. There are three ways to specify the destination wildcard:

  • Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a destination and destination-wildcard of 0.0.0.0 255.255.255.255.

  • Use host destination as an abbreviation for a destination and destination-wildcard of destination 0.0.0.0.

precedence precedence

Packets can be filtered by precedence level, as specified by a number from 0 to 7, or by name, as listed in the section "Usage Guidelines."

tos tos

Packets can be filtered by type of service level, as specified by a number from 0 to 15, or by name, as listed in the section "Usage Guidelines."

icmp-type

ICMP packets can be filtered by ICMP message type. The type is a number from 0 to 255.

icmp-code

ICMP packets which are filtered by ICMP message type can also be filtered by the ICMP message code. The code is a number from 0 to 255.

icmp-message

ICMP packets can be filtered by an ICMP message type name or ICMP message type and code name. The possible names are listed in the section "Usage Guidelines."

igmp-type

IGMP packets can be filtered by IGMP message type or message name. A message type is a number from 0 to 15. IGMP message names are listed in the section "Usage Guidelines."

operator

Compares source or destination ports. Possible operands include lt (less than), gt (greater than), eq (equal), neq (not equal), and range (inclusive range).

If the operator is positioned after the source and source-wildcard, it must match the source port.

If the operator is positioned after the destination and destination-wildcard, it must match the destination port.

The range operator requires two port numbers. All other operators require one port number.

port

The decimal number or name of a TCP or UDP port. A port number is a number from 0 to 65535. TCP and UDP port names are listed in the section "Usage Guidelines."

TCP port names can only be used when filtering TCP. UDP port names can only be used when filtering UDP.

established

For the TCP protocol only; indicates an established connection. A match occurs if the TCP datagram has the ACK or RST bits set. The nonmatching case is that of the initial TCP datagram to form a connection.

log

Causes an informational logging message about the packet that matches the entry to be sent to the console. (The level of messages logged to the console is controlled by the logging console command.)

The message includes the access list number; whether the packet was permitted or denied; the protocol, whether it was TCP, UDP, ICMP or a number; and, if appropriate, the source and destination addresses and source and destination port numbers. The message is generated for the first packet that matches the entry and then at 5-minute intervals, including the number of packets permitted or denied in the prior 5-minute interval.

Default

An extended access list defaults to a list that denies everything. An extended access list is terminated by an implicit deny statement.

Command Mode

Global configuration

Usage Guidelines

You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict contents of routing updates. The switch stops checking the extended access list after a match occurs.

Fragmented IP packets, other than the initial fragment, are immediately accepted by any extended IP access list. Extended access lists used to control virtual terminal line access or restrict contents of routing updates must not match against the TCP source port, the type of service value, or the packet's precedence.


Note After an access list is created initially, any subsequent additions (possibly entered from the terminal) are placed at the end of the list. In other words, you cannot selectively add or remove access list command lines from a specific access list.

The following is a list of precedence names:

The following is a list of TOS names:

The following is a list of ICMP message-type names and ICMP message-type and code names:

The following is a list of TCP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by entering a ? in the place of a port number.

The following is a list of UDP port names that can be used instead of port numbers. Refer to the current Assigned Numbers RFC to find a reference to these protocols. Port numbers corresponding to these protocols can also be found by entering a ? in the place of a port number.

Examples

In the following example, serial interface 0 is part of a Class B network with the address 128.88.0.0, and the mail host's address is 128.88.1.2. The keyword established is used only for the TCP protocol to indicate an established connection. A match occurs if the TCP datagram has the ACK or RST bits set, which indicate that the packet belongs to an existing connection.

Switch(config)# access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.0.0 0.0.255.255 established
Switch(config)# access-list 102 permit tcp 0.0.0.0 255.255.255.255 128.88.1.2 0.0.0.0 eq 25
Switch(config)# interface serial 0
Switch(config-if)# ip access-group 102 in

The following example also permits DNS packets and ICMP echo and echo reply packets.

Switch(config)# access-list 102 permit tcp any 128.88.0.0 0.0.255.255 established
Switch(config)# access-list 102 permit tcp any host 128.88.1.2 eq smtp
Switch(config)# access-list 102 permit tcp any any eq domain
Switch(config)# access-list 102 permit udp any any eq domain
Switch(config)# access-list 102 permit icmp any any echo
Switch(config)# access-list 102 permit icmp any any echo-reply
Related Commands

access-class
access-list (standard)
interface
logging console
queue-list
show access-lists
show ip access-lists

access-list (standard)

To define a standard IP access list, use the standard version of the access-list global configuration command. To remove a standard access list, use the no form of this command.

access-list access-list-number {deny | permit} source [source-wildcard]
no access-list access-list-number
Syntax Description

access-list-number

Number of an access list. This is a decimal number from 1 through 99.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

source

Number of the network or host from which the packet is being sent. There are two ways to specify the source:

  • Use a 32-bit quantity in four-part dotted-decimal format.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

source-wildcard

Wildcard bits to be applied to the source. There are two ways to specify the source wildcard:

  • Use a 32-bit quantity in four-part dotted-decimal format. Place ones in the bit positions you want to ignore.

  • Use the keyword any as an abbreviation for a source and source-wildcard of 0.0.0.0 255.255.255.255.

Default

The access list defaults to an implicit deny statement for everything. The access list is always terminated by an implicit deny statement for everything.

Command Mode

Global configuration

Usage Guidelines

Plan your access conditions carefully, and be aware of the implicit deny statement at the end of the access list.

You can use access lists to control the transmission of packets on an interface, control virtual terminal line access, and restrict the contents of routing updates.

Use the show access-lists EXEC command to display the contents of all access lists.

Use the show ip access-lists EXEC command to display the contents of one access list.

Examples

The following example of a standard access list allows access for only those hosts on the three specified networks. The wildcard bits apply to the host portions of the network addresses. Any host with a source address that does not match the access list statements is rejected.

Switch(config)# access-list 1 permit 192.5.34.0  0.0.0.255
Switch(config)# access-list 1 permit 128.88.0.0  0.0.255.255
Switch(config)# access-list 1 permit 36.0.0.0  0.255.255.255
! (Note: all other access implicitly denied)

To specify a large number of individual addresses more easily, you can omit the wildcard if it is all zeros. This means the following two configuration commands have the same effect.

Switch(config)# access-list 2 permit 36.48.0.3
Switch(config)# access-list 2 permit 36.48.0.3  0.0.0.0
Related Commands

access-class
access-list (extended)
interface
queue-list
show access-lists
show ip access-lists
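
Wildcard matching, first-match evaluation and the implicit deny for standard access lists, as an added Python example (not Cisco code). It goes slightly beyond the text by also reporting entries that an earlier entry already covers, which matters because additions are always placed at the end of a list; the function names and access list 3 are constructed for illustration.

```python
import ipaddress
import re

MASK32 = 0xFFFFFFFF

# Lists 1 and 2 are the examples from this page; list 3 is constructed.
SAMPLE_CONFIG = """
Switch(config)# access-list 1 permit 192.5.34.0  0.0.0.255
Switch(config)# access-list 1 permit 128.88.0.0  0.0.255.255
Switch(config)# access-list 1 permit 36.0.0.0  0.255.255.255
! (Note: all other access implicitly denied)
Switch(config)# access-list 2 permit 36.48.0.3
Switch(config)# access-list 2 permit 36.48.0.3  0.0.0.0
! constructed: a deny appended after a broader permit
access-list 3 permit 36.0.0.0 0.255.255.255
access-list 3 deny 36.48.0.3
"""


def _ip(text):
    """Dotted-decimal text to a 32-bit integer."""
    return int(ipaddress.IPv4Address(text))


def parse_standard_acls(config):
    """Return {list_number: [(action, source, wildcard), ...]} in configured order."""
    acls = {}
    for raw in config.splitlines():
        line = re.sub(r"^\S+#\s*", "", raw.strip())  # drop a 'Switch(config)# ' prompt
        words = line.split()
        if len(words) < 4 or words[0] != "access-list" or not words[1].isdigit():
            continue
        number, action = int(words[1]), words[2]
        if not 1 <= number <= 99:
            continue                     # not a standard list (extended lists use 100-199)
        if action not in ("permit", "deny"):
            raise ValueError(f"bad action in: {line!r}")
        if words[3] == "any":            # any = 0.0.0.0 255.255.255.255
            source, wildcard = 0, MASK32
        else:                            # an omitted wildcard means 0.0.0.0
            source = _ip(words[3])
            wildcard = _ip(words[4]) if len(words) > 4 else 0
        acls.setdefault(number, []).append((action, source, wildcard))
    return acls


def entry_matches(entry, address):
    """Ones in the wildcard mark bit positions to ignore; all other bits must be equal."""
    _, source, wildcard = entry
    return ((address ^ source) & ~wildcard & MASK32) == 0


def evaluate_acl(entries, address_text):
    """Return (action, index of the deciding entry); index None is the implicit deny."""
    address = _ip(address_text)
    for index, entry in enumerate(entries):
        if entry_matches(entry, address):
            return entry[0], index       # checking stops at the first match
    return "deny", None


def shadowed_entries(entries):
    """Indexes of entries that can never decide a packet because an earlier entry
    matches every address they match."""
    hidden = []
    for j, (_, src_j, wild_j) in enumerate(entries):
        for _, src_i, wild_i in entries[:j]:
            ignores_no_less = (wild_j & ~wild_i & MASK32) == 0
            same_fixed_bits = ((src_i ^ src_j) & ~wild_i & MASK32) == 0
            if ignores_no_less and same_fixed_bits:
                hidden.append(j)
                break
    return hidden


if __name__ == "__main__":
    acls = parse_standard_acls(SAMPLE_CONFIG)
    for host in ("192.5.34.7", "36.48.0.3", "10.1.1.1"):
        print("list 1", host, evaluate_acl(acls[1], host))
    for number, entries in sorted(acls.items()):
        print("list", number, "shadowed entries:", shadowed_entries(entries))
    # The deny in list 3 has no effect: the earlier permit decides first.
    print("list 3 36.48.0.3", evaluate_acl(acls[3], "36.48.0.3"))
```
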

access-template

To create a temporary access list entry to the connected switch, use the access-template EXEC command.

access-template {access-list-number | dynamic-name} temp-list source-addr dest-addr timeout minutes
Syntax Description

access-list-number

Number of the dynamic access list (100 to 199).

dynamic-name

Name of the dynamic access list.

temp-list

Name of the temporary list within the access list.

source-addr

Source address in the dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access list entry.

dest-addr

Destination address in the dynamic access list. The keywords host and any are allowed. All other attributes are inherited from the original access list entry.

minutes

Specifies a maximum time limit for each entry in the dynamic list, from 1 to 9999. It is the absolute time that an entry can reside in the list. The default is an infinite time limit, which allows an entry to remain permanently.

Command Mode

EXEC

Usage Guidelines

This command provides a way to enable the lock-and-key access feature.

You should always define either an absolute timeout (with the timeout keyword in this command) or an idle timeout (with the timeout keyword in the access-enable command). Otherwise, the dynamic access list remains, even after the user has terminated the session.

Example

In the following example, IP access is enabled on incoming packets in which the source address is 171.69.1.129 and the destination address is 172.21.52.12. All other source and destination pairs are discarded.

Switch# access-template 101 payroll host 171.69.1.129 host 172.21.52.12 timeout 2 
Related Commands

access-list (extended)
autocommand
clear access-template

administrative-weight

To configure the mode of default administrative weight assignment for PNNI interfaces, use the administrative-weight ATM router PNNI configuration command. To return to the default value, use the no form of this command.

administrative-weight {linespeed | uniform}
no administrative-weight

Syntax Description

linespeed

The default value of the administrative weight is based on the linespeed or MaxCR of an interface.

uniform

The uniform keyword assigns the weight of 5040 to interfaces that were not configured.

Default

uniform

Command Mode

ATM router configuration

Usage Guidelines

Administrative weight is used as the primary routing metric to minimize use of network resources. In the absence of other constraints, this causes PNNI routing to minimize the number of hops. Basing administrative weight on linespeed allows path selection to prefer paths along higher bandwidth interfaces. Higher speed links have lower administrative weights and are preferred during routing. The value set in this command becomes the default for the atm pnni admin-weight command.

For more information, refer to the LightStream 1010 ATM Switch Software Configuration Guide.

Example

The following script shows how to access the administrative-weight ATM router PNNI configuration command.

Switch# configure terminal
Switch(config)# atm router pnni
Switch(config-atm-router)# administrative-weight uniform

Related Commands

atm pnni admin-weight
show atm pnni interface
show atm pnni local-node

aesa embedded-number left-justified

To convert E.164 AESAs with the E.164 AFI to the left-justified encoding format, use the aesa embedded-number left-justified ATM router configuration command. To disable this feature, use the no form of this command.

aesa embedded-number left-justified
[no] aesa embedded-number left-justified

Syntax Description

This command has no keywords or arguments.

Default

Disabled

Command Mode

ATM router configuration

Usage Guidelines

Configure all switches within the PNNI routing domain with the aesa embedded-number left-justified ATM router configuration command.

Disable the lowest-level node (node 1) before entering the aesa embedded-number left-justified ATM router configuration command.

Example

The following example shows how to configure embedded left-justified E.164 AESAs.

Switch# configure terminal
Switch(config)# atm router pnni
Switch(config-atm-router)# node 1 disable
Switch(config-pnni-node)# exit
Switch(config-atm-router)# aesa embedded-number left-justified
Switch(config-atm-router)# node 1 enable

Related Commands

debug atm pnni
show atm pnni aesa embedded-number

age-timer

To configure an age timer for a particular signalling diagnostic filter entry, use the age-timer signalling diagnostics configuration command. To disable the timer, use the no form of this command.

age-timer age-timer-in-secs
no age-timer

Syntax Description

age-timer-in-secs

Amount of time after which the filter entry ages out. If you don't need the entry to age out, set the timer value to -1.

Default

600 seconds

Command Mode

Signalling diagnostics configuration

Example

The following example shows how to enter signalling diagnostics mode, using a filtering index of 1, and set the timer to age out in 552 seconds.

Switch(config)# atm signalling diagnostics 1
Switch(cfg-atmsig-diag)# age-timer 552

aggregation-mode

To specify the mode that will be used to calculate the combined metrics from multiple lower-level PNNI links into individual aggregated links to be advertised by this node, use the aggregation-mode PNNI node configuration command.

aggregation-mode link service-category {aggressive | best-link}

Syntax Description

service-category

The service category (traffic class) to which this aggregation mode applies: cbr (constant bit rate), vbr-rt (real-time variable bit rate), vbr-nrt (non-real-time variable bit rate), abr (available bit rate), ubr (unspecified bit rate), or all.

aggressive

Specifies the aggressive aggregation mode, in which the best values for each individual metric are chosen from all links or paths that are being aggregated. In this mode, there may be no single lower-level link that is as good as the higher-level link for all of the metrics.

best-link

Specifies the best-link aggregation mode, in which one of the lower-level links is chosen as the best link based on one or two metrics. All metrics from the selected lower-level link are copied to the higher-level aggregated link. In this mode, there is at least one lower-level link with metrics matching the higher-level link.

Default

best-link for all service categories

Command Mode

PNNI node configuration

Usage Guidelines

In the PNNI hierarchy, link aggregation is used to represent several parallel links between two peer groups as a single higher-level link. The aggregation modes control how the metrics for the higher level links are derived from the individual parallel links that have the same aggregation token.
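
The following added example (not part of the original command reference) works through the difference between the two modes for three parallel links. The link names, metric names and values, and the rule used to pick the best link (lowest administrative weight, then highest available cell rate) are assumptions made for illustration; the page does not state which metrics the switch uses for that choice.

```python
# Constructed sample: three parallel lower-level links that share one
# aggregation token. Names and values are illustrative assumptions.
LINKS = [
    {"name": "link-a", "admin_weight": 5040, "avcr": 100000, "ctd_us": 900},
    {"name": "link-b", "admin_weight": 2520, "avcr": 40000, "ctd_us": 1500},
    {"name": "link-c", "admin_weight": 5040, "avcr": 353207, "ctd_us": 400},
]

# Which direction is "better" for each metric: lower weight and delay,
# higher available cell rate.
BETTER = {"admin_weight": min, "avcr": max, "ctd_us": min}

def aggregate_aggressive(links):
    """Take the best value of each metric independently across all links."""
    return {metric: pick(link[metric] for link in links)
            for metric, pick in BETTER.items()}

def aggregate_best_link(links):
    """Choose one link and copy all of its metrics to the aggregated link."""
    # Assumed selection rule: lowest admin weight, ties broken by highest AvCR.
    best = min(links, key=lambda link: (link["admin_weight"], -link["avcr"]))
    return {metric: best[metric] for metric in BETTER}

def matching_links(links, aggregated):
    """Names of lower-level links whose metrics all equal the aggregated link's."""
    return [link["name"] for link in links
            if all(link[metric] == aggregated[metric] for metric in BETTER)]
```

With this data the aggressive result combines link-b's weight with link-c's cell rate and delay, so no real link matches it, while the best-link result matches link-b exactly.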

Examples

The following example shows how to enter PNNI node configuration mode and specify a node.

switch# configure terminal
switch(config)# atm router pnni
switch(config-atm-router)# node 1
switch(config-pnni-node)#

The following example shows how to specify aggressive mode aggregation for the VBR-RT service category on links.

switch(config-pnni-node)# aggregation-mode link vbr-rt aggressive

Related Commands

atm pnni aggregation-token
show atm pnni aggregation

alias


Note: This command or some of its parameters might not function as expected in the LightStream 1010 ATM switch environment.

Refer to the Router Products Command Reference publication for more information about the alias command.

Related Command

show aliases

arp (global)

To add a permanent entry in the ARP cache, use the arp global configuration command. To remove an entry from the ARP cache, use the no form of this command.

arp ip-address hardware-address type interface-type card/subcard/port [alias]
no arp ip-address hardware-address type interface-type card/subcard/port [alias]

Syntax Description

ip-address

IP address in four-part dotted-decimal format corresponding to the local data interface address.

hardware-address

Local data interface address (a 48-bit address).

type

Encapsulation description (arpa, sap, smds, or snap). For Ethernet interfaces, this is typically the arpa keyword.

interface-type

Type of interface to which this entry applies.

card/subcard/port

Interface identifier.

alias

Indicates that the switch should respond to ARP requests as if it were the owner of the specified address.

Default

No entries are permanently installed in the ARP cache.

Command Mode

Global configuration

Usage Guidelines

The switch uses ARP cache entries to translate 32-bit IP addresses into 48-bit hardware addresses.

Because most hosts support dynamic resolution, you generally do not need to specify static ARP cache entries.

Example

The following is an example of a static ARP entry for a typical Ethernet host.

Switch(config)# arp 192.31.7.19 0800.0900.1834 arpa

Related Command

show arp

arp (interface)

To control the interface-specific handling of IP address resolution into 48-bit Ethernet hardware addresses, use the arp interface configuration command. To disable an encapsulation type, use the no form of this command.

arp {arpa | frame-relay | probe | snap}
no arp {arpa | frame-relay | probe | snap}

Syntax Description

arpa

Standard Ethernet-style ARP (RFC 826).

frame-relay

ARP for a Frame Relay interface.

probe

HP Probe protocol for IEEE-802.3 networks.

snap

ARP packets conforming to RFC 1042.

Default

Standard Ethernet-style ARP

Command Mode

Interface configuration

Usage Guidelines

Arguments to the arp command are not mutually exclusive. Each command enables or disables a specific type of ARP. For example, if you enter the arp arpa command followed by the arp probe command, the switch sends three packets (two for probe and one for arpa) each time it needs to discover a MAC address.

The arp probe command allows the switch to use the Probe protocol (in addition to ARP) whenever attempting to resolve an IEEE-802.3 or Ethernet local data interface address. The subset of Probe that performs address resolution is called Virtual Address Request and Reply. Using Probe, the switch communicates transparently with Hewlett-Packard IEEE-802.3 hosts using this type of data encapsulation.


Note: All interfaces that use Probe must be explicitly configured for arp probe.

The show interface EXEC command displays the type of ARP being used on a particular interface. To remove all nonstatic entries from the ARP cache, use the clear arp-cache privileged EXEC command.

Example

The following example enables probe services.

Switch(config)# interface ethernet 2/0/0
Switch(config-if)# arp probe

Related Command

show ip access-lists

arp timeout

To configure how long an entry remains in the ARP cache, use the arp timeout interface configuration command. To restore the default value, use the no form of this command.

arp timeout seconds
no arp timeout seconds

Syntax Description

seconds

Time, in seconds, that an entry remains in the ARP cache. A value of 0 means that entries are never cleared from the cache.

Default

14400 seconds (4 hours)

Command Mode

Interface configuration. This command is not valid for ATM interfaces; it applies only to interfaces in the ASP.

Usage Guidelines

This command is ignored when issued on interfaces that do not use ARP. The show interface EXEC command displays the ARP timeout value. The value follows the "Entry Timeout:" heading, as shown in the following show interface display.

ARP type: ARPA, PROBE, Entry Timeout: 14400 sec

Example

The following example sets the ARP timeout to 12000 seconds to allow entries to time out more quickly than the default.

Switch(config)# interface ethernet 2/0/0
Switch(config-if)# arp timeout 12000

Related Command

show ip access-lists

async-bootp

To configure extended BOOTP requests for asynchronous interfaces as defined in RFC 1084, use the async-bootp global configuration command. To restore the default, use the no form of this command.

async-bootp tag [:hostname] data
no async-bootp

Syntax Description

tag

Item being requested; expressed as filename, integer, or IP dotted-decimal address. See Table 1-4 for possible values.

hostname

This entry applies only to the host specified. The argument hostname accepts both an IP address and a logical host name and is preceded with a colon (:).

data

List of IP addresses entered in dotted-decimal notation or as logical host names, as a number, or as a quoted string.


Table 1-4: asynch bootp tag Keywords
Keyword Description

bootfile

Specifies use of a server boot file from which to download the boot program. Use the optional hostname and data arguments to specify the filename.

subnet-mask mask

Dotted-decimal address specifying the network and local subnetwork mask (as defined by RFC 950).

time-offset offset

Signed 32-bit integer specifying the time offset of the local subnetwork in seconds from UTC.

gateway address

Dotted-decimal address specifying the IP addresses of gateways for this subnetwork. A preferred gateway should be listed first.

time-server address

Dotted-decimal address specifying the IP address of time servers (as defined by RFC 868).

nbns-server address

Dotted-decimal address specifying the IP address of NBNS servers.

DNS-server address

Dotted-decimal address specifying the IP address of Domain Name Servers (as defined by RFC 1034).

log-server address

Dotted-decimal address specifying the IP address of an MIT-LCS UDP log server.

quote-server address

Dotted-decimal address specifying the IP address of Quote of the Day servers (as defined in RFC 865).

lpr-server address

Dotted-decimal address specifying the IP address of Berkeley UNIX Version 4 BSD servers.

impress-server address

Dotted-decimal address specifying the IP address of Impress network image servers.

rlp-server address

Dotted-decimal address specifying the IP address of RLP servers (as defined in RFC 887).

hostname name

The name of the client, which might or might not be domain-qualified, depending on the site.

bootfile-size value

A 2-octet value specifying the number of 512-octet (byte) blocks in the default boot file.

Default

If no extended BOOTP commands are entered, the switch software generates a gateway and subnet mask appropriate for the local network.

Command Mode

Global configuration

Usage Guidelines

Use the EXEC command show async bootp to list the configured parameters. Use the no async-bootp command to clear the list.

Examples

The following example illustrates how to specify different boot files: one for a PC and one for a Macintosh. With this configuration, a BOOTP request from the host on 128.128.1.1 results in a reply listing the boot filename as pcboot. A BOOTP request from the host named mac results in a reply listing the boot filename as macboot.

Switch(config)# async-bootp bootfile:128.128.1.1 "pcboot"
Switch(config)# async-bootp bootfile:mac "macboot"

The following example specifies a subnet mask of 255.255.0.0.

Switch(config)# async-bootp subnet-mask 255.255.0.0

The following example specifies a negative time offset of the local subnetwork of -3600 seconds.

Switch(config)# async-bootp time-offset -3600

The following example specifies the IP address of a time server.

Switch(config)# async-bootp time-server 128.128.1.1

Related Command

show async bootp

autocommand

To configure the switch to execute a command or list of commands automatically when a user connects to a particular line, use the autocommand line configuration command. To disable the autocommand functionality, use the no form of this command.

autocommand command
no autocommand

Syntax Description

command

Any appropriate EXEC command, including the host name and any switches that occur with the EXEC command.

Default

Automatic responses are not configured.

Command Mode

Line configuration

Usage Guidelines

This command applies to all ASP interfaces.

Example

The following example forces an automatic connection to a host named host21 (which could be an IP address). In addition, the UNIX UUCP application specifies TCP socket 25, and the /stream switch enables a raw TCP stream with no Telnet control sequences.

Switch(config)# line vty 4
Switch(config-line)# autocommand connect host21 uucp /stream

auto-ferf

To allow an auto FERF to be inserted when an incoming alarm is received, use the auto-ferf interface configuration command. To cancel auto FERF insertion, use the no form of this command.

auto-ferf alarmtype
no auto-ferf alarmtype

Syntax Description

alarmtype

Defined as los, oof, red, ais, or lcd.

Default

auto-ferf los
auto-ferf oof
auto-ferf red
auto-ferf ais
auto-ferf lcd (applies to non-plcp mode only)

Command Mode

Interface configuration

Usage Guidelines

This command applies to DS3/E3/DS1/E1 interfaces only; red applies to DS3/DS1 only.

Related Commands

show controllers
show running-config
write terminal

autoselect


Note: This command or some of its parameters might not function as expected in the LightStream 1010 ATM switch environment.

auto-summary

To allow default summary addresses to be generated based on the switch's ATM address, use the auto-summary PNNI node configuration command. To disable generation of default summary addresses, use the no form of this command.

auto-summary
no auto-summary

Syntax Description

This command has no arguments or keywords.

Default

Enabled

Command Mode

PNNI node configuration

Usage Guidelines

By default, lowest-level PNNI nodes advertise 13-byte summary address prefixes based on the switch address or addresses. The summary address prefix or prefixes cover all end-system addresses determined via ILMI address registration from the ILMI address prefix or prefixes, based on each switch's address. They do not cover end-system addresses determined via ILMI address registration from per-interface ILMI address prefixes (configured using the atm prefix command). Using the no form of the auto-summary command causes PNNI to advertise all end-system addresses separately (unless other summary addresses matching the end-system addresses were configured).

Higher-level PNNI nodes (LGNs) have a single default address configured. The length of that summary for any LGN is equal to the level of the child peer group, and its value is equal to the first level bits of the child peer group identifier.

For more information, refer to the LightStream 1010 ATM Switch Software Configuration Guide.

Example

The following script shows how to access the auto-summary node-level subcommand.

Switch# configure terminal
Switch(config)# atm router pnni
Switch(config-atm-router)# node 1
Switch(config-pnni-node)# auto-summary

Related Commands

atm address
atm prefix
show atm route
summary-address



Copyright © 1989-1999 Cisco Systems Inc.