This chapter describes the basic tasks for configuring general system features, such as access control and basic switch management. The following sections describe these tasks:
The role of the administration interface is to provide a simple command-line interface to all internal management and debugging facilities of the LightStream 1010 ATM switch.
To create and configure a command alias, perform the following tasks in global configuration mode:
| Step | Command | Task |
|---|---|---|
| 1 | alias mode alias-name alias-command-line | Create a command alias. |
| 2 | alias mode | Configure the command mode of the original and alias commands. |
| 3 | alias name | Configure the command alias. |
To display all aliases, use the following privileged EXEC command:
| Command | Task |
|---|---|
| show aliases [mode] | Display all alias commands, or the alias commands in a specified mode. |
To make adjustments to initial buffer pool settings and to the limits at which temporary buffers are created and destroyed, use the following global configuration command:
| Command | Task |
|---|---|
| buffers {small | middle | big | large | verylarge | huge | type number} | Configure buffers; the default buffer size is 18024 bytes. |
To display the buffer pool statistics, use the following privileged EXEC command:
| Command | Task |
|---|---|
| show buffers [all | alloc [dump]] | Display statistics for the buffer pools on the network server. |
To specify how often your switch sends Cisco Discovery Protocol (CDP) updates, perform the following tasks in global configuration mode:
| Step | Command | Task |
|---|---|---|
| 1 | cdp holdtime seconds | Specify the hold time, in seconds, advertised in CDP packets. |
| 2 | cdp timer seconds | Specify how often your switch will send CDP updates. |
| 3 | cdp run | Enable CDP. |
To reset CDP traffic counters to zero (0) on your switch, perform the following tasks in privileged EXEC mode:
| Step | Command | Task |
|---|---|---|
| 1 | clear cdp counters | Clear CDP counters. |
| 2 | clear cdp table | Clear CDP tables. |
To show the CDP configuration, use the following privileged EXEC commands:
| Command | Task |
|---|---|
| show cdp | Display global CDP information. |
| show cdp entry entry-name [protocol | version] | Display information about a neighbor device listed in the CDP table. |
| show cdp interface [type number] | Display the interfaces on which CDP is enabled. |
| show cdp neighbors [interface-type interface-number] [detail] | Display CDP neighbor information. |
| show cdp traffic | Display CDP traffic information. |
To log on to the switch at a specified level, use the following EXEC command:
| Command | Task |
|---|---|
| enable level | Log in at the specified privilege level. |
To configure the enable password for a given level, use the following global configuration command:
| Command | Task |
|---|---|
| enable password [level level] [encryption-type] password | Configure the enable password. |
To change the length of time for which data is used to compute load statistics, perform the following tasks, beginning in global configuration mode:
| Step | Command | Task |
|---|---|---|
| 1 | interface type card/subcard/port | Select the physical interface to be configured. |
| 2 | load-interval seconds | Configure the load interval. |
To log messages to a syslog server host, use the following global configuration commands:
| Command | Task |
|---|---|
| logging host | Configure the name or IP address of the host to be used as a syslog server. |
| logging buffered | Log messages to an internal buffer. The no logging buffered command cancels the use of the buffer and writes messages to the console terminal, which is the default. |
| logging console level | Limit messages logged to the console based on severity. |
| logging facility facility-type | Configure the syslog facility in which error messages are sent. To revert to the default of local, use the no logging facility global configuration command. |
| logging monitor level | Limit messages logged to the terminal lines (monitors) based on severity. This command limits the logging messages displayed on terminal lines other than the console line to messages with a level at or above level. The no logging monitor command disables logging to terminal lines other than the console line. |
| logging on | Control logging of error messages. This command enables or disables message logging to all destinations except the console terminal. The no logging on command enables logging to the console terminal only. |
| logging synchronous [level severity-level | all] [limit number-of-buffers] | Synchronize unsolicited messages and debug output with solicited switch output and prompts for a specific console port line, auxiliary port line, or virtual terminal line (line configuration command). Use the no form of the command to disable synchronization of unsolicited messages and debug output. |
| logging trap level | Limit messages logged to the syslog servers based on severity. The command limits the logging of error messages sent to syslog servers to only those messages at the specified level. The no logging trap command disables logging to syslog servers. |
To enable TACACS+ authentication for logins, perform the following steps, beginning in global configuration mode:
| Command | Task |
|---|---|
| line [aux | console | vty] line-number | Select the line to configure. |
| login authentication {default | list-name} | Configure login authentication. |
To control the maximum amount of time that can elapse without running the lowest-priority system processes, use the following global configuration commands:
| Command | Task |
|---|---|
| scheduler allocate milliseconds milliseconds | Configure the scheduler allocate integer that specifies the interval, in milliseconds. The minimum interval that you can specify is 500 milliseconds; there is no maximum value. |
| scheduler process-watchdog {hang | normal | reload | terminate} | Configure the scheduler process watchdog. |
To configure miscellaneous system services, use the following global configuration commands:
| Command | Task |
|---|---|
| service alignment {detection | logging} | Configure alignment correction and logging. |
| service compress-config | Compress the configuration file. |
| service config | Load config TFTP files. |
| service decimal-tty | Interpret TTY line numbers in decimal. |
| service exec-callback | Enable EXEC callback. |
| service exec-wait | Configure a delay of the startup of the EXEC on noisy lines. |
| service finger | Allow Finger protocol requests (defined in RFC 742) from the network server. |
| service hide-telnet-addresses | Hide destination addresses in the Telnet command. |
| service linenumber | Enable a line number banner for each EXEC. |
| service nagle | Enable the Nagle congestion control algorithm. |
| service old-slip-prompts | Allow old scripts to operate with SLIP/PPP. |
| service pad | Enable Packet Assembler/Disassembler (PAD) commands. |
| service password-encryption | Encrypt passwords in the configuration. |
| service prompt | Enable a mode-specific prompt. |
| service tcp-keepalives {in | out} | Configure keepalive packets on idle network connections. |
| service tcp-small-servers | Enable small TCP servers (for example, ECHO). |
| service telnet-zero-idle | Set the TCP window to zero (0) when the Telnet connection is idle. |
| service timestamps | Timestamp debug and log messages. |
| service udp-small-servers | Enable small UDP servers (for example, ECHO). |
To create or update an access policy, use the following global configuration commands:
| Command | Task |
|---|---|
| snmp-server access-policy destination-party source-party context privileges | Configure global access policy. |
| snmp-server chassis-id text | Provide a message line identifying the SNMP server serial number. |
| snmp-server community string [RO | RW] [number] | Configure the SNMP community access string. |
| snmp-server contact text | Configure the system contact (syscontact) string. |
| snmp-server context context-name context-oid view-name | Configure a context record. |
| snmp-server host host community-string [envmon] [frame-relay] [sdlc] [snmp] [tty] [x25] | Configure the recipient of an SNMP trap operation. |
| snmp-server location text | Configure a system location string. |
| snmp-server packetsize byte-count | Configure the largest SNMP packet size permitted when the SNMP server is receiving a request or generating a reply. |
| snmp-server party party-name party-oid [protocol-address] [packetsize size] [local | remote] [authentication {md5 key [clock clock] | Configure a party record. |
| snmp-server queue-length length | Configure the message queue length for each trap host. |
| snmp-server system-shutdown | Configure SNMP message reload. |
| snmp-server trap-authentication | Configure trap message authentication. |
| snmp-server trap-timeout seconds | Configure how often to resend trap messages on the retransmission queue. |
| snmp-server userid user-id [view view-name] | Configure SNMP v.2 security context using the simplified security conventions method. |
| snmp-server view view-name oid-tree | Configure a view entry. |
To display the SNMP status, use the following EXEC command:
| Command | Task |
|---|---|
| show snmp | Check the status of communications between the SNMP agent and SNMP manager. |
To establish a username-based authentication system at login, use the following global configuration commands:
| Command | Task |
|---|---|
| username name [no password | password encryption-type password] | Configure a username-based authentication system at login. |
| username name password secret | Configure a username-based CHAP authentication system at login. |
| username name [autocommand command] | Configure a username-based authentication system at login with an additional command to be run. |
| username name [noescape] [nohangup] | Configure a username-based authentication system at login without escape but with another login prompt. |
This section describes configuring and displaying the privilege level access to the LightStream 1010 ATM switch. The access privileges can be configured at the global level for the entire switch, or at the line level for a specific line.
To set the privilege level for a command, use the following global configuration command:
| Command | Task |
|---|---|
| privilege mode level level command | Set the privilege level. |
To display your current level of privilege, use the following privileged EXEC command:
| Command | Task |
|---|---|
| show privilege | Display the privilege level. |
To set the default privilege level for a line, perform the following tasks, beginning in global configuration mode:
| Step | Command | Task |
|---|---|---|
| 1 | line [aux | console | vty] line-number | Select the line to configure. |
| 2 | privilege level level | Configure the default privilege level. |
This section describes configuring the Network Time Protocol (NTP) on the LightStream 1010 ATM switch.
To control access to the system NTP services, use the following global NTP configuration commands. To remove access control to the system's NTP services, use the no ntp command. See the example configuration at the end of this section and the section "Display the NTP Configuration" to confirm the NTP configuration.
To see a list of the NTP commands, enter ntp ? in global configuration mode. The following example shows the list of commands available for NTP configuration:

```
Switch(config)# ntp ?
  access-group        Control NTP access
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  master              Act as NTP master clock
  max-associations    Set maximum number of associations
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources
  update-calendar     Periodically update calendar with NTP time
```
To control access to the system NTP services, use the following global configuration command:
| Command | Task |
|---|---|
| ntp access-group {query-only | serve-only | serve | peer} access-list-number | Configure an NTP access group. |
To enable NTP authentication, perform the following steps in global configuration mode:
| Step | Command | Task |
|---|---|---|
| 1 | ntp authenticate | Enable NTP authentication. |
| 2 | ntp authentication-key number md5 value | Define an authentication key. |
To specify that a specific interface should send NTP broadcast packets, perform the following steps, beginning in global configuration mode:
| Step | Command | Task |
|---|---|---|
| 1 | interface type card/subcard/port | Select the physical interface to be configured. |
| 2 | ntp broadcastdelay microseconds | Configure the system to receive NTP broadcast packets. |
As NTP compensates for the error in the system clock, it keeps track of the correction factor for this error. The system automatically saves this value into the system configuration using the ntp clock-period global configuration command:
Caution: Do not enter the ntp clock-period command; it is documented for informational purposes only. The system automatically generates this command as NTP determines the clock error and compensates.
To prevent an interface from receiving NTP packets, perform the following steps, beginning in global configuration mode:
| Step | Command | Task |
|---|---|---|
| 1 | interface type card/subcard/port | Select the physical interface to be configured. |
| 2 | ntp disable | Disable NTP on the interface. |
To configure the switch as an NTP master clock to which peers synchronize themselves when an external NTP source is not available, use the following global configuration command:
| Command | Task |
|---|---|
| ntp master [stratum] | Configure the switch as an NTP master clock. |
To configure the switch as an NTP peer that receives its clock synchronization from an external NTP source, use the following global configuration command:
| Command | Task |
|---|---|
| ntp peer ip-address [version number] [key keyid] [source interface] [prefer] | Configure the switch system clock to synchronize a peer or to be synchronized by a peer. |
To allow the switch system clock to be synchronized by a time server, use the following global configuration command:
| Command | Task |
|---|---|
| ntp server ip-address [version number] [key keyid] [source interface] [prefer] | Configure the switch system clock to allow it to be synchronized by a time server. |
To use a particular source address in NTP packets, use the following global configuration command:
| Command | Task |
|---|---|
| ntp source interface | Configure a particular source address in NTP packets. |
To authenticate the identity of a system to which NTP will synchronize, use the following global configuration command:
| Command | Task |
|---|---|
| ntp trusted-key key-number | Specify a key number that NTP trusts when authenticating the identity of a time source. |
To periodically update the switch calendar from NTP, use the following global configuration command:
| Command | Task |
|---|---|
| ntp update-calendar | Periodically update the switch calendar from NTP. |
The following example configures the switch to synchronize its clock and calendar to an NTP server, using Ethernet port 2/0/0, and other features:
```
Switch# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Switch(config)# ntp server 198.92.30.32
Switch(config)# ntp source Ethernet 2/0/0
Switch(config)# ntp authenticate
Switch(config)# ntp max-associations 2000
Switch(config)# ntp trusted-key 22507
Switch(config)# ntp update-calendar
```
To show the status of NTP associations, use the following privileged EXEC commands:
| Command | Task |
|---|---|
| show ntp associations [detail] | Display NTP associations. |
| show ntp status | Display the NTP status. |
The following example displays the switch detail NTP configuration:
```
Switch# show ntp associations detail
198.92.30.32 configured, our_master, sane, valid, stratum 3
ref ID 171.69.2.81, time B6C04E67.6E779000 (18:18:15.431 UTC Thu Feb 27 1997)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 109.51 msec, root disp 377.38, reach 377, sync dist 435.638
delay -3.88 msec, offset 7.7674 msec, dispersion 1.57
precision 2**17, version 3
org time B6C04F19.437D8000 (18:21:13.263 UTC Thu Feb 27 1997)
rcv time B6C04F19.41018C62 (18:21:13.253 UTC Thu Feb 27 1997)
xmt time B6C04F19.41E3EB4B (18:21:13.257 UTC Thu Feb 27 1997)
filtdelay =    -3.88   -3.39   -3.49   -3.39   -3.36   -3.46   -3.37   -3.16
filtoffset =    7.77    6.62    6.60    5.38    4.13    4.43    6.28   12.37
filterror =     0.02    0.99    1.48    2.46    3.43    4.41    5.39    6.36
```
The following example displays the switch NTP status:
```
Switch# show ntp status
Clock is synchronized, stratum 4, reference is 198.92.30.32
nominal freq is 250.0000 Hz, actual freq is 249.9999 Hz, precision is 2**24
reference time is B6C04F19.41018C62 (18:21:13.253 UTC Thu Feb 27 1997)
clock offset is 7.7674 msec, root delay is 113.39 msec
root dispersion is 386.72 msec, peer dispersion is 1.57 msec
```
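The two displays above are what an operator or a monitoring job reads to confirm that the switch is actually tracking a reachable source rather than free-running. As an added example (not part of Cisco's documentation or software), the following Python code parses both outputs, using the page's sample text, and applies the checks a defender would script: synchronized state, stratum, offset, the sane/valid flags, and the reach register. The thresholds (128 ms offset, stratum 10) and the indentation of the continuation lines in the associations output are assumptions.

```python
import re

# 'show ntp status' output from the page's example (line breaks restored).
NTP_STATUS_SAMPLE = """\
Clock is synchronized, stratum 4, reference is 198.92.30.32
nominal freq is 250.0000 Hz, actual freq is 249.9999 Hz, precision is 2**24
reference time is B6C04F19.41018C62 (18:21:13.253 UTC Thu Feb 27 1997)
clock offset is 7.7674 msec, root delay is 113.39 msec
root dispersion is 386.72 msec, peer dispersion is 1.57 msec
"""

# 'show ntp associations detail' output from the page's example. The
# indentation of continuation lines is assumed; the parser uses an
# unindented line as the start of a new association block.
NTP_ASSOC_SAMPLE = """\
198.92.30.32 configured, our_master, sane, valid, stratum 3
  ref ID 171.69.2.81, time B6C04E67.6E779000 (18:18:15.431 UTC Thu Feb 27 1997)
  our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
  root delay 109.51 msec, root disp 377.38, reach 377, sync dist 435.638
  delay -3.88 msec, offset 7.7674 msec, dispersion 1.57
  precision 2**17, version 3
"""


def _field(pattern, text, cast=float):
    """Return the first regex group cast with `cast`, or None if absent."""
    m = re.search(pattern, text)
    return cast(m.group(1)) if m else None


def parse_ntp_status(text):
    """Parse 'show ntp status' into the fields worth alerting on."""
    return {
        "synchronized": re.search(r"Clock is synchronized", text) is not None,
        "stratum": _field(r"stratum (\d+)", text, int),
        "reference": _field(r"reference is (\S+)", text, str),
        "offset_ms": _field(r"clock offset is (-?[\d.]+) msec", text),
        "root_delay_ms": _field(r"root delay is ([\d.]+) msec", text),
        "root_dispersion_ms": _field(r"root dispersion is ([\d.]+) msec", text),
    }


def parse_ntp_associations(text):
    """Parse each block of 'show ntp associations detail' (one per peer)."""
    peers = []
    for block in re.split(r"\n(?=\S)", text.strip()):
        head = re.match(r"(\S+) (.*?), stratum (\d+)", block)
        if not head:
            continue
        reach = _field(r"reach (\d+)", block, str) or "0"
        peers.append({
            "peer": head.group(1),
            "flags": head.group(2).split(", "),
            "stratum": int(head.group(3)),
            # 'reach' is an octal shift register with one bit per recent poll;
            # 377 means all of the last eight polls were answered.
            "reach_successes": bin(int(reach, 8)).count("1"),
            # exclude 'root delay'; we want the peer delay on the later line
            "delay_ms": _field(r"(?<!root )delay (-?[\d.]+) msec", block),
            "offset_ms": _field(r"offset (-?[\d.]+) msec", block),
        })
    return peers


def assess_ntp(status, peers, max_offset_ms=128.0, max_stratum=10):
    """Return the findings a monitoring job would raise (empty means healthy)."""
    findings = []
    if not status["synchronized"]:
        findings.append("clock is not synchronized")
    if status["stratum"] is None or status["stratum"] > max_stratum:
        findings.append("stratum %s is too far from a reference clock" % status["stratum"])
    if status["offset_ms"] is None or abs(status["offset_ms"]) > max_offset_ms:
        findings.append("clock offset %s ms exceeds %s ms" % (status["offset_ms"], max_offset_ms))
    if not peers:
        findings.append("no NTP associations")
    for p in peers:
        if "sane" not in p["flags"] or "valid" not in p["flags"]:
            findings.append("peer %s is not sane/valid" % p["peer"])
        if p["reach_successes"] < 8:
            findings.append("peer %s answered only %d of the last 8 polls"
                            % (p["peer"], p["reach_successes"]))
    return findings


if __name__ == "__main__":
    status = parse_ntp_status(NTP_STATUS_SAMPLE)
    peers = parse_ntp_associations(NTP_ASSOC_SAMPLE)
    print(status)
    print(peers)
    print("findings:", assess_ntp(status, peers) or "none")
```

Feed the functions the captured text of the two commands (for example, from a scripted console session) and alert on a non-empty result; an unsynchronized clock makes every timestamp in the syslog output untrustworthy for correlation.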
If no other source of time is available, you can manually configure the current time and date after the system is restarted. The time will remain accurate until the next system restart. Cisco recommends that you use manual configuration only as a last resort.
To configure, read, and set the LightStream 1010 ATM switch as a time source for a network based on its calendar, perform the following steps in global configuration mode:
| Step | Command | Task |
|---|---|---|
| 1 | clock calendar-valid | Set the LightStream 1010 ATM switch calendar as a valid time source for the network. |
| 2 | clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]] | Configure the system to switch automatically to summer time (daylight saving time), using one of the formats of the clock summer-time configuration command. Use the no form of this command to stop the switch from switching automatically to summer time. |
| 3 | clock timezone zone | Configure the system time zone. |
To manually read and set the calendar into the LightStream 1010 ATM switch system clock, perform the following steps in privileged EXEC mode:
| Step | Command | Task |
|---|---|---|
| 1 | clock read-calendar | Manually read the calendar into the switch. |
| 2 | clock set hh:mm:ss day month year | Manually set the system clock. |
| 3 | clock update-calendar | Set the calendar. |
To display the system clock information, use the following EXEC command:
| Command | Task |
|---|---|
| show clock [detail] | Display the system clock. |
To set the system calendar, use the following privileged EXEC command:
| Command | Task |
|---|---|
| calendar set hh:mm:ss day month year | Configure the calendar. |
To display the system calendar information, use the following EXEC command:
| Command | Task |
|---|---|
| show calendar | Display the calendar setting. |
You can configure the LightStream 1010 ATM switch to use one of three special TCP/IP protocols related to Terminal Access Controller Access Control System (TACACS): regular TACACS, extended TACACS, or AAA/TACACS+. TACACS services are provided by and maintained in a database on a TACACS server running on a workstation. You must have access to and configure a TACACS server before configuring the TACACS features described in this publication on your Cisco device. Cisco's basic TACACS support is modeled after the original Defense Data Network (DDN) application.
A comparative description of the supported versions follows. Table 5-1 compares the versions by commands.
You can establish TACACS-style password protection on both user and privileged levels of the system EXEC.
| Command | TACACS | Extended TACACS | TACACS+ |
|---|---|---|---|
| aaa accounting | | | X |
| aaa authentication arap | | | X |
| aaa authentication enable default | | | X |
| aaa authentication login | | | X |
| aaa authentication local override | | | X |
| aaa authentication ppp | | | X |
| aaa authorization | | | X |
| aaa new-model | | | X |
| arap authentication | | | X |
| arap use-tacacs | X | X | |
| enable last-resort | X | X | |
| enable use-tacacs | X | X | |
| login authentication | | | X |
| login tacacs | X | X | |
| ppp authentication | X | X | X |
| ppp use-tacacs | X | X | X |
| tacacs-server attempts | X | X | X |
| tacacs-server authenticate | X | X | |
| tacacs-server extended | | X | |
| tacacs-server host | X | X | X |
| tacacs-server key | | | X |
| tacacs-server last-resort | X | X | |
| tacacs-server notify | X | X | |
| tacacs-server optional-passwords | X | X | |
| tacacs-server retransmit | X | X | X |
| tacacs-server timeout | X | X | X |
This section describes the features available with TACACS and Extended TACACS. The Extended TACACS software is available using FTP (see the README file in the ftp.cisco.com directory).
The following sections describe TACACS configuration:
To enable the AAA access control model that includes TACACS+, use the following global configuration command:
| Command | Task |
|---|---|
| aaa new-model | Enable the AAA access control model. |
To enable the AAA accounting of requested services for billing or security purposes when using TACACS+, perform the following steps in global configuration mode:
| Step | Command | Task |
|---|---|---|
| 1 | aaa accounting system | Perform accounting for all system-level events not associated with users, such as reloads. |
| 2 | aaa accounting network | Run accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP. |
| 3 | aaa accounting connection | Run accounting for outbound Telnet and rlogin. |
| 4 | aaa accounting exec | Run accounting for Execs (user shells). This keyword might return user profile information such as autocommand information. |
| 5 | aaa accounting command | Run accounting for all commands at the specified privilege level. |
| 6 | start-stop tacacs+ | Send a start record accounting notice at the beginning of a process and a stop record at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting record was received by the accounting server. |
| 7 | wait-start tacacs+ | As in start-stop, send both a start and a stop accounting record to the accounting server. However, with the wait-start keyword the requested user service does not begin until the start accounting record is acknowledged. A stop accounting record is also sent. |
| 8 | stop-only tacacs+ | Send a stop record accounting notice at the end of the requested user process. |
To configure a TACACS server, perform the following steps in global configuration mode:
| Step | Command | Task |
|---|---|---|
| 1 | tacacs-server attempts count | Configure the number of login attempts allowed. |
| 2 | tacacs-server authenticate {connection [always] | enable | slip [always] [access-lists]} | Configure if the user may perform an action. |
| 3 | tacacs-server extended | Configure extended TACACS mode. |
| 4 | tacacs-server host name | Configure a TACACS host. |
| 5 | tacacs-server last-resort {password | succeed} | Configure a network server to request privileged password as verification. |
| 6 | tacacs-server notify {connection [always] | enable | logout [always] | slip [always]} | Configure transmission to the TACACS server. |
| 7 | tacacs-server optional-passwords | Configure the initial TACACS request to a TACACS server to be made without password verification. |
| 8 | tacacs-server retransmit retries | Configure the number of times the system software will search the list of TACACS server hosts. |
| 9 | tacacs-server timeout seconds | Configure the interval that the server waits for a server host to reply. |
To enable Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) and to enable an AAA authentication method on an interface, perform the following steps, beginning in global configuration mode:
| Step | Command | Task |
|---|---|---|
| 1 | interface type card/subcard/port | Select the physical interface to be configured. |
| 2 | ppp authentication {chap | pap} [if-needed] [list-name] | Configure PPP authentication. |
| 3 | ppp use-tacacs [single-line] | Enable the PPP authentication for TACACS. |
To enable TACACS to determine whether a user can access the privileged command level, use the following global configuration command:
| Command | Task |
|---|---|
| enable use-tacacs | Use TACACS to determine whether a user can enter the privileged command level. |
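Most of the tables in this chapter (service, SNMP, logging, username and enable passwords, CDP, NTP authentication, and AAA) describe settings whose presence or absence decides how exposed the switch's management plane is. As an added example, not Cisco's code and not part of the original guide, the following Python audit reads a running configuration and flags those settings. The sample configuration is constructed for illustration, and the check list with its severities is an assumption about what a defender would want reported, not a Cisco-published baseline.

```python
import re

# Constructed sample running-config for a LightStream 1010 style switch
# (not captured from a real device); it deliberately carries weak settings.
SAMPLE_CONFIG = """\
version 11.2
service timestamps log datetime
no service password-encryption
service tcp-small-servers
service udp-small-servers
service finger
!
enable password level 15 cisco123
!
username admin password 0 letmein
!
snmp-server community public RO
snmp-server community private RW
snmp-server host 10.0.0.5 public
!
logging buffered
logging trap warnings
!
cdp run
!
ntp authenticate
ntp server 198.92.30.32
"""

# Settings checked for presence or absence:
# (line pattern, should_be_present, severity, reason reported when violated)
PRESENCE_CHECKS = [
    (r"^service password-encryption$", True, "high",
     "service password-encryption is off: configured passwords are stored in clear text"),
    (r"^service timestamps", True, "low",
     "service timestamps is off: log and debug messages carry no time of day"),
    (r"^service tcp-small-servers$", False, "medium",
     "service tcp-small-servers: TCP echo/chargen/discard services are reachable"),
    (r"^service udp-small-servers$", False, "medium",
     "service udp-small-servers: UDP echo/chargen/discard services are reachable"),
    (r"^service finger$", False, "medium",
     "service finger: the Finger service (RFC 742) answers from the switch"),
    # 'logging <host>' may be written with or without the 'host' keyword;
    # exclude the other logging subcommands by name.
    (r"^logging (?:host )?(?!(?:buffered|console|facility|monitor|on|synchronous|trap)\b)\S+$",
     True, "medium",
     "no logging host: events exist only in the local buffer and are lost on reload"),
    (r"^logging buffered", True, "low",
     "no logging buffered: messages go only to the console"),
    (r"^ntp authenticate$", True, "medium",
     "ntp authenticate is off: time sources are not verified"),
    (r"^aaa new-model$", True, "medium",
     "aaa new-model is off: AAA/TACACS+ is not used for login"),
    (r"^cdp run$", False, "low",
     "cdp run: the switch advertises platform and address details to neighbors"),
]

# Settings flagged wherever a matching line appears:
# (line pattern, severity, reason template filled from the regex groups)
LINE_CHECKS = [
    (r"^snmp-server community (\S+) RW\b", "high",
     "read-write SNMP community '{0}' allows configuration changes over SNMP"),
    (r"^snmp-server community (public|private)\b", "medium",
     "well-known SNMP community string '{0}'"),
    # encryption-type 7 (or 'service password-encryption') is the only
    # form this IOS generation offers; 0 or no type means clear text.
    (r"^enable password(?: level \d+)? (?:0 )?(?!7 )(\S+)$", "high",
     "enable password stored in clear text"),
    (r"^username (\S+) password (?:0 )?(?!7 )\S+$", "high",
     "username '{0}' has a clear-text password"),
]


def audit(config_text):
    """Return findings as dicts with 'severity' and 'reason', worst first."""
    lines = [ln.strip() for ln in config_text.splitlines()
             if ln.strip() and not ln.strip().startswith("!")]
    findings = []
    for pattern, want_present, severity, reason in PRESENCE_CHECKS:
        present = any(re.match(pattern, ln) for ln in lines)
        if present != want_present:
            findings.append({"severity": severity, "reason": reason})
    for pattern, severity, template in LINE_CHECKS:
        for ln in lines:
            m = re.match(pattern, ln)
            if m:
                findings.append({"severity": severity,
                                 "reason": template.format(*m.groups())})
    order = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: order[f["severity"]])
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print("%-6s %s" % (f["severity"], f["reason"]))
```

Run it over the output of a saved configuration; an empty result for a switch that has service password-encryption, a logging host, ntp authenticate and aaa new-model set, with the small servers, finger, CDP, read-write communities and clear-text passwords removed, is the condition the checks describe as acceptable.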
This section describes the commands used to monitor and display the system management functions.
To display information about the active processes, use the following privileged EXEC commands:
| Command | Task |
|---|---|
show processes [cpu] | Display active processes. |
show processes memory | Display memory utilization. |
To display the configured protocols, use the following privileged EXEC command:
| Command | Task |
|---|---|
| show protocols | Display the global and interface-specific status of any configured Level 3 protocol; for example, IP, DECnet, Internet Packet Exchange (IPX), and AppleTalk. |
To monitor the stack utilization of processes and interrupt routines, use the following privileged EXEC command:
| Command | Task |
|---|---|
| show stacks | Display system stack trace information. |
The show stacks display includes the reason for the last system reboot. If the system was reloaded because of a system failure, a saved system stack trace is displayed. This information is of use only to Cisco engineers analyzing crashes in the field. It is included here in case you need to read the displayed statistics to an engineer over the phone.
To discover the IP routes that the switch packets will actually take when traveling to their destination, use the following EXEC command:
| Command | Task |
|---|---|
| traceroute [protocol] [destination] | Trace the route that switch packets take through the network. |
To display temperature and voltage information on the switch console, use the following EXEC commands:
| Command | Task |
|---|---|
| show environment | Display temperature and voltage information. |
| show environment all | Display all temperature and voltage information. |
| show environment last | Display the last measured value from each of the six test points, as logged to internal nonvolatile memory. |
| show environment table | Display environmental measurements and a table that lists the ranges of environment measurement. |
To diagnose basic ATM and IP network connectivity, use the following privileged EXEC command:
| Command | Task |
|---|---|
| ping atm interface atm card/subcard/port[.vpt] vpi vci | Use ping to check the ATM network connection. |
Posted: Fri Feb 5 15:56:17 PST 1999
Copyright 1989-1999 © Cisco Systems Inc.