**tacacs-server attempts**

To control the number of login attempts that can be made on a line set up for TACACS verification, use the tacacs-server attempts global configuration command. Use the no form of this command to remove this feature and restore the default.

Syntax: `tacacs-server attempts count`

| Argument | Description |
|---|---|
| count | Integer that sets the number of attempts. |

Default: Three attempts

Command mode: Global configuration
Refer to the LightStream 1010 ATM Switch User Guide for more information about the tacacs-server attempts global configuration command.

The following example limits login to a single attempt:

```
Switch(config)# tacacs-server attempts 1
```
**tacacs-server directed-request**

To send only a username to a specified server when a direct request is issued, use the tacacs-server directed-request global configuration command. To disable the directed-request feature, use the no form of this command.

Syntax: `tacacs-server directed-request`

This command has no keywords or arguments.

Default: Disabled

Command mode: Global configuration
This command sends only the portion of the username before the "@" symbol to the host specified after the "@" symbol. With the directed-request feature enabled, you can direct a request to any of the configured servers, and only the username is sent to the specified server.

Disabling tacacs-server directed-request causes the entire string, both before and after the "@" symbol, to be sent to the default TACACS server. When the directed-request feature is disabled, the switch queries the list of servers, starting with the first one in the list, sending the entire string, and accepting the first response that it gets from a server. The tacacs-server directed-request command is useful when you want to develop your own TACACS server software that parses the whole string and makes decisions based on the output.

When tacacs-server directed-request is enabled, only configured TACACS servers can be specified by the user after the "@" symbol. If the host name specified by the user does not match the IP address of a TACACS server configured by the administrator, the user input is rejected.

Use the no form of this command to disable the ability of the user to choose between configured TACACS servers and to cause the entire string to be passed to the default server.
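As an added illustration of the three cases just described (feature disabled; enabled with a configured host after the "@"; enabled with an unknown host), the following is a constructed model, not Cisco code or the switch's own implementation. The server list and user inputs are constructed sample values, and the behaviour for input that contains no "@" while the feature is enabled is not stated on the page and is assumed here to match the disabled case.

```python
from typing import List, Optional, Tuple

# Constructed sample: hosts in the order of the tacacs-server host commands.
# The first one is treated as the default server.
CONFIGURED_SERVERS = ["10.1.1.5", "10.1.1.6"]


def route_login(user_input: str, configured_servers: List[str],
                directed_request: bool) -> Optional[Tuple[List[str], str]]:
    """Decide which servers are queried and what string they receive.

    Returns (servers_to_query, string_sent), or None when the switch rejects
    the input outright.

    - Disabled: the whole string is sent down the configured list in order;
      the first response wins.
    - Enabled and the input contains '@': only the part before '@' is sent,
      and only to the named host, which must be a configured server.
    - Enabled and no '@': assumption (not stated on the page): same as the
      disabled case.
    """
    default_order = list(configured_servers)
    if not directed_request or "@" not in user_input:
        return default_order, user_input

    # Split at the first '@'; the page speaks of "the portion before the @".
    username, _, host = user_input.partition("@")
    if host not in configured_servers:
        return None  # user named a host the administrator never configured
    return [host], username


def describe(user_input: str, directed_request: bool) -> str:
    """Human-readable summary, handy when checking a line's behaviour."""
    result = route_login(user_input, CONFIGURED_SERVERS, directed_request)
    if result is None:
        return f"{user_input!r}: rejected (host not a configured TACACS server)"
    servers, sent = result
    return f"{user_input!r}: send {sent!r} to {', '.join(servers)}"


if __name__ == "__main__":
    for enabled in (False, True):
        print("directed-request", "enabled" if enabled else "disabled")
        for text in ("alice@10.1.1.6", "alice@192.0.2.9", "alice"):
            print("  ", describe(text, enabled))
```

Running the block prints one summary line per input for each setting; the rejection case shows why an administrator who enables the feature must keep the configured host list current.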
The following example disables tacacs-server directed-request so that the entire user input is passed to the default TACACS server:

```
Switch(config)# no tacacs-server directed-request
```
**tacacs dns-alias-lookup**

To enable IP Domain Name System alias lookup for TACACS+, use the tacacs dns-alias-lookup global configuration command. To disable this feature, use the no form of this command.

Syntax: `tacacs dns-alias-lookup`

This command has no keywords or arguments.

Default: Disabled

Command mode: Global configuration

This command enables IP Domain Name System alias lookup for TACACS servers.
**tacacs-server extended**

To enable an extended TACACS mode, use the tacacs-server extended global configuration command. Use the no form of this command to disable the mode.

Syntax: `tacacs-server extended`

This command has no arguments or keywords.

Default: Disabled

Command mode: Global configuration

Refer to the LightStream 1010 ATM Switch User Guide for more information about the tacacs-server extended global configuration command.

The following example enables extended TACACS mode:

```
Switch(config)# tacacs-server extended
```
**tacacs-server host**

To specify a TACACS host, use the tacacs-server host global configuration command. You can use multiple tacacs-server host commands to specify multiple hosts. The software searches for the hosts in the order you specify them. The no form of this command deletes the specified name or address.

Syntax: `tacacs-server host name`

| Argument | Description |
|---|---|
| name | Name or IP address of the host. |

Default: No TACACS host is specified.

Command mode: Global configuration

Refer to the LightStream 1010 ATM Switch User Guide for more information about the tacacs-server host global configuration command.

The following example specifies a TACACS host named SCACAT:

```
Switch(config)# tacacs-server host SCACAT
```

Related commands:
- aaa authentication ppp
- login
- slip
**tacacs-server key**

To set the authentication/encryption key used for all TACACS+ communications between the access server and the TACACS+ daemon, use the tacacs-server key global configuration command. To disable the key, use the no form of this command.

Syntax: `tacacs-server key key`

| Argument | Description |
|---|---|
| key | Key used for authentication and encryption. This key must match the key used on the TACACS+ daemon. |

Default: Disabled

Command mode: Global configuration

After enabling AAA with the aaa new-model command, you must set the authentication and encryption key using the tacacs-server key command.

The key entered must match the key used on the TACACS+ daemon. All leading spaces are ignored; spaces within and at the end of the key are not. If you use spaces in your key, do not enclose the key in quotation marks unless the quotation marks themselves are part of the key.

The following example sets the authentication and encryption key to `dare to go`:

```
Switch(config)# tacacs-server key dare to go
```

Related commands:
- aaa new-model
- tacacs-server host
**tacacs-server last-resort**

To cause the network server to request the privileged password as verification, or to force successful login without further input from the user, use the tacacs-server last-resort global configuration command. The no form of this command restores the system to the default behavior.

Syntax: `tacacs-server last-resort {password | succeed}`

| Keyword | Description |
|---|---|
| password | Allows the user to access the EXEC command mode by entering the password set by the enable command. |
| succeed | Allows the user to access the EXEC command mode without further question. |

Default: If the TACACS server does not respond, the request is denied.

Command mode: Global configuration

Use the tacacs-server last-resort command to be sure that login can occur; for example, a systems administrator must be able to log in to troubleshoot TACACS servers that might be down.

Refer to the LightStream 1010 ATM Switch User Guide for more information about the tacacs-server last-resort global configuration command.

The following example forces successful login when no TACACS server responds:

```
Switch(config)# tacacs-server last-resort succeed
```
**tacacs-server optional-passwords**

To specify that the first TACACS request to a TACACS server be made without password verification, use the tacacs-server optional-passwords global configuration command. Use the no form of this command to restore the default.

Syntax: `tacacs-server optional-passwords`

This command has no arguments or keywords.

Default: Disabled

Command mode: Global configuration

When the user enters the login name, the login request is transmitted with the name and a zero-length password. If accepted, the login procedure completes. If the TACACS server refuses this request, the software prompts for a password and tries again when the user supplies one. The TACACS server must support authentication for users without passwords to make use of this feature. This feature applies to all TACACS requests: login, SLIP, enable, and so on.

Refer to the LightStream 1010 ATM Switch User Guide for more information about the tacacs-server optional-passwords global configuration command.

The following example configures the first login request to be sent without a password:

```
Switch(config)# tacacs-server optional-passwords
```
**tacacs-server retransmit**

To specify the number of times the switch software searches the list of TACACS server hosts before giving up, use the tacacs-server retransmit global configuration command. The switch software tries all servers, allowing each one to time out before increasing the retransmit count. The no form of this command restores the default.

Syntax: `tacacs-server retransmit retries`

| Argument | Description |
|---|---|
| retries | Integer that specifies the retransmit count. |

Default: Two retries

Command mode: Global configuration

Refer to the LightStream 1010 ATM Switch User Guide for more information about the tacacs-server retransmit global configuration command.

The following example sets the retransmit count to five:

```
Switch(config)# tacacs-server retransmit 5
```
**tacacs-server timeout**

To set the interval that the switch waits for a server host to reply, use the tacacs-server timeout global configuration command. The no form of this command restores the default.

Syntax: `tacacs-server timeout seconds`

| Argument | Description |
|---|---|
| seconds | Integer that specifies the timeout interval in seconds. |

Default: 5 seconds

Command mode: Global configuration

Refer to the LightStream 1010 ATM Switch User Guide for more information about the tacacs-server timeout global configuration command.

The following example changes the timeout interval to 10 seconds:

```
Switch(config)# tacacs-server timeout 10
```
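The tacacs-server retransmit, tacacs-server timeout and tacacs-server last-resort commands together decide how long a login hangs when servers are down and what happens afterwards. The following constructed model (not Cisco code) walks the host list as the retransmit entry describes, charging one timeout interval per silent host and searching the list `retries` times, then applies the last-resort policy. Host addresses, responders and the "accept"/"reject" answers are constructed sample values; reading the retransmit count as the number of list searches follows the page's wording and is an assumption about the exact accounting.

```python
from typing import Callable, List, Optional, Tuple

# Constructed sample host list, in tacacs-server host order.
SERVERS = ["10.1.1.5", "10.1.1.6"]

# A responder maps a host to None (no answer within the timeout),
# "accept" or "reject".
Responder = Callable[[str], Optional[str]]


def query_servers(servers: List[str], responder: Responder,
                  retries: int = 2, timeout: int = 5) -> Tuple[str, int]:
    """Search the host list in order, `retries` times, accepting the first answer.

    Returns (outcome, seconds spent waiting on silent hosts).
    """
    elapsed = 0
    for _search in range(retries):
        for host in servers:
            answer = responder(host)
            if answer is None:
                elapsed += timeout        # this host let the timer expire
                continue
            return answer, elapsed        # first response wins
    return "no-response", elapsed


def login_decision(servers: List[str], responder: Responder,
                   retries: int = 2, timeout: int = 5,
                   last_resort: Optional[str] = None) -> Tuple[str, int]:
    """Combine the server search with the tacacs-server last-resort policy.

    last_resort: None (default: deny), "password" (ask for the enable
    password) or "succeed" (let the user in with no further question).
    """
    outcome, elapsed = query_servers(servers, responder, retries, timeout)
    if outcome != "no-response":
        return outcome, elapsed
    if last_resort == "succeed":
        return "accept-without-verification", elapsed
    if last_resort == "password":
        return "prompt-enable-password", elapsed
    return "deny", elapsed


def silent(_host: str) -> Optional[str]:
    """Constructed responder: every TACACS host is unreachable."""
    return None


def second_only(host: str) -> Optional[str]:
    """Constructed responder: only the second host answers."""
    return "accept" if host == "10.1.1.6" else None


if __name__ == "__main__":
    # Default settings: 2 hosts x 2 searches x 5 s before the fallback applies.
    print(login_decision(SERVERS, silent))
    print(login_decision(SERVERS, silent, last_resort="succeed"))
    print(login_decision(SERVERS, second_only))
```

The elapsed value is the figure an operator wants when tuning these timers: with the defaults and two configured hosts, a user whose servers are all down waits 20 seconds before the last-resort policy is applied, and raising retransmit or timeout lengthens that wait proportionally.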
**telnet**

To log on to a host that supports Telnet, use the telnet EXEC command.

Syntax: `telnet host [keyword] [port]`

| Argument | Description |
|---|---|
| host | A host name or an IP address. |
| keyword | (Optional) One of the options listed in Table 19-1. |
| port | (Optional) A decimal TCP port number; the default is the Telnet router port (decimal 23) on the host. |

Table 19-1

| Option | Description |
|---|---|
| /debug | Enables Telnet debugging mode. |
| /line | Enables Telnet line mode. In this mode, the Cisco IOS software sends no data to the host until you press Return. You can edit the line using the standard Cisco IOS software command-editing characters. The /line keyword applies only on the local switch. |
| /noecho | |
| /route path | Specifies loose source routing. The path argument is a list of host names or IP addresses that specify network nodes and ends with the final destination. |
| /source-interface | |
| /stream | Turns on stream processing, which enables a raw TCP stream with no Telnet control sequences. A stream connection does not process Telnet options and can be appropriate for connections to ports running UUCP and other non-Telnet protocols. |
| port-number | Port number. |
| chargen | Character generator. |
| cmd rcmd | Remote commands. |
| daytime | Daytime. |
| discard | Discard. |
| domain | Domain Name Service. |
| echo | Echo. |
| exec | EXEC. |
| finger | Finger. |
| ftp | File Transfer Protocol. |
| ftp-data | FTP data connections (used infrequently). |
| gopher | Gopher. |
| hostname | NIC hostname server. |
| ident | Ident Protocol. |
| irc | Internet Relay Chat. |
| klogin | Kerberos login. |
| kshell | Kerberos shell. |
| login | Login (rlogin). |
| lpd | Printer service. |
| nntp | Network News Transport Protocol. |
| node | Connect to a specific LAT node. |
| pop2 | Post Office Protocol v2. |
| pop3 | Post Office Protocol v3. |
| port | Destination LAT port name. |
| smtp | Simple Mail Transport Protocol. |
| syslog | Syslog. |
| tacacs | Specify TACACS security. |
| talk | Talk. |
| telnet | Telnet. |
| time | Time. |
| whois | Nickname. |
| www | World Wide Web (HTTP). |

Default: This command has no default setting.

Command mode: EXEC
With the Cisco IOS implementation of TCP/IP, you are not required to enter the connect or telnet commands to establish a Telnet connection. You can just enter the learned host name after you meet the following conditions:
To display a list of the available hosts, use the show hosts command. To display the status of all TCP connections, use the show tcp command.
The Cisco IOS software assigns a logical name to each connection, and several commands use these names to identify connections. The logical name is the same as the host name, unless that name is already in use, or you change the connection name with the name-connection EXEC command. If the name is already in use, the Cisco IOS software assigns a null name to the connection.
The Telnet software supports special Telnet commands in the form of Telnet sequences that map generic terminal control functions to operating system-specific functions. To issue a special Telnet command, enter the escape sequence and then a command character. The default escape sequence is Ctrl-^ (press and hold the Control and Shift keys and the 6 key). You can enter the command character as you hold down Ctrl or with Ctrl released; you can use either uppercase or lowercase letters. Table 19-2 lists the special Telnet escape sequences.
| Task | Escape Sequence |
|---|---|
| Break | Ctrl-^ b |
| Interrupt Process (IP) | Ctrl-^ c |
| Erase Character (EC) | Ctrl-^ h |
| Abort Output (AO) | Ctrl-^ o |
| Are You There? (AYT) | Ctrl-^ t |
| Erase Line (EL) | Ctrl-^ u |

At any time during an active Telnet session, you can list the Telnet commands by pressing the escape sequence keys followed by a question mark at the system prompt:

```
Ctrl-^ ?
```

A sample of this list follows. In this sample output, the first caret (^) symbol represents the Control key, while the second caret represents Shift-6 on your keyboard:

```
Switch> ^^?
[Special telnet escape help]
^^B sends telnet BREAK
^^C sends telnet IP
^^H sends telnet EC
^^O sends telnet AO
^^T sends telnet AYT
^^U sends telnet EL
```
You can switch back and forth between several open sessions. To open a subsequent session, first suspend the current connection by pressing the escape sequence (Ctrl-Shift-6 then x [Ctrl^x]) to return to the system command prompt. Then open a new connection with the telnet command.

To terminate an active Telnet session, issue any of the following commands at the prompt of the device to which you are connecting:

The following example switches packets from the source system host1 to kl.sri.com, then to 10.1.0.11, and finally back to host1:

```
Switch> telnet host1 /switch:kl.sri.com 10.1.0.11 host1
```

Related commands:
- connect
The following terminal commands are documented under the parameter names listed in the table:
| Command | Description |
|---|---|
| data-character-bits | Size of characters being handled. |
| databits | Set number of data bits per character. |
| downward-compatible-config | Put line in download mode. |
| editing | Enable command line editing. |
| escape-character | Change the current line's escape character. |
| escape-character-bits | Size of characters to the command exec. |
| flowcontrol | Set the flow control. |
| full-help | Provide help to unprivileged user. |
| help | Description of the interactive help system. |
| history | Enable and control the command history function. |
| ip | IP options. |
| length | Set number of lines on a screen. |
| monitor | Copy debug output to the current terminal line. |
| no | Negate a command or set its defaults. |
| notify | Inform users of output from concurrent sessions. |
| padding | Set padding for a specified output character. |
| parity | Set terminal parity. |
| rxspeed | Set the receive speed. |
| special-character-bits | Size of the escape (and other special) characters. |
| speed | Set the transmit and receive speeds. |
| start-character | Define the start character. |
| stop-character | Define the stop character. |
| stopbits | Set async line stop bits. |
| terminal-type | Set the terminal type. |
| transport preferred | Define transport protocols for line. |
| txspeed | Set the transmit speeds. |
| width | Set width of the display terminal. |
**terminal-type**

To specify the type of terminal connected to a line, use the terminal-type line configuration command. The command records the type of terminal connected to the line. The no form of this command removes any information about the type of terminal and resets the line to the default terminal emulation.

Syntax: `terminal-type terminal-name`

| Argument | Description |
|---|---|
| terminal-name | Terminal name and type. |

Default: VT100

Command mode: Line configuration

The argument terminal-name provides a record of the terminal type and allows terminal negotiation of display management by hosts that provide that type of service.

The following example defines the terminal on the console as a type VT220:

```
Switch(config)# line console
Switch(config-line)# terminal-type VT220
```

Related commands:
- terminal terminal-type
**test**

To test the system interfaces on the modular switch, use the test EXEC command.

Syntax: `test`

This command has no arguments or keywords.

Command mode: EXEC

The test EXEC command is intended for the factory checkout of network interfaces. It is not intended for diagnosing problems with an operational switch. The test output does not report correct results if the switch is attached to an active network. For each network interface that has an IP address and can be tested in loopback (MCI and ciscoBus Ethernet and all serial interfaces), the test command sends a series of ICMP echoes. Error counters are examined to determine the operational status of the interface.

The following example illustrates how to begin the interface test:

```
Switch# test
```
**tftp-server**

To specify that the switch or a Flash device operates as a TFTP server, use the tftp-server global configuration command. To remove a previously defined filename, use the no form of this command with the appropriate filename.

Syntax: `tftp-server flash [device:] filename1 [alias filename2] [rom alias filename2] [atm-accounting`

| Keyword or argument | Description |
|---|---|
| flash | Specifies TFTP service of a file in Flash memory. |
| device: | Specifies TFTP service of a file on a Flash memory device. The colon (:) is required. Valid devices are bootflash: (the internal Flash memory), slot0: (the first PCMCIA slot on the ASP card) and slot1: (the second PCMCIA slot on the ASP card). |
| filename1 | Name of a file in Flash or in ROM that the TFTP server uses in answering TFTP Read Requests. |
| alias | Specifies an alternate name for the file that the TFTP server uses in answering TFTP Read Requests. |
| filename2 | Alternate name of the file that the TFTP server uses in answering TFTP Read Requests. A client of the TFTP server can use this alternate name in its Read Requests. |
| atm-accounting | Specifies the name of the file the TFTP server uses in answering TFTP Read Requests. |
| filename3 | Alternate name of the file that the TFTP server uses in answering TFTP Read Requests. A client of the TFTP server can use this alternate name in its Read Requests. |

Default: Disabled

Command mode: Global configuration

You can specify multiple filenames by repeating the tftp-server command. The system sends a copy of the system image contained in ROM, or one of the system images contained in Flash memory, to any client that issues a TFTP Read Request with this filename.

If the specified filename1 or filename2 exists in Flash memory, a copy of the Flash image is sent. On systems that contain a complete image in ROM, the system sends the ROM image if the specified filename1 or filename2 is not found in Flash memory.

Images that run from ROM cannot be loaded over the network. Therefore, you should not use TFTP to offer the ROMs on these images.

The system sends a copy of the file contained on one of the Flash memory devices to any client that issues a TFTP Read Request with its filename.

In the following example, the system uses TFTP to send a copy of the version-11.1 file located in Flash memory in response to a TFTP Read Request for that file. The requesting host is checked against access list 22.

```
Switch(config)# tftp-server flash version-11.1 22
```

In the following example, the system uses TFTP to send a copy of the version-11.1.4 file in response to a TFTP Read Request for that file. The file is located on the Flash memory card inserted in slot 0 of the ASP card.

```
Switch(config)# tftp-server flash slot0:version-11.1.4
```
**timer**

To configure the PNNI timers, use the timer PNNI node configuration command. To return to the default values, use the no form of this command.

Syntax: `timer [ack-delay tenths_of_seconds] [hello-holddown tenths_of_seconds]`

| Keyword | Description |
|---|---|
| ack-delay | Specifies the waiting period before sending an accumulated PTSE acknowledgment packet. Default is 1 second. |
| hello-holddown | Specifies the holddown period for event-triggered hellos. This is mainly used for hello packets between outside neighbors. Default is 1 second. |
| hello-interval | Interval that defines the frequency, in seconds, at which hello packets are transmitted. Default is 15 seconds. |
| inactivity-factor | Specifies the dead-interval time (the period after which you declare a neighbor down if no hello is received) as a factor of the hello interval. Default is 5. |
| retransmit-interval | Specifies the waiting period before retransmitting a PTSE, PTSE request, or database summary packet. Default is 5 seconds. |

Default: See individual syntax descriptions.

Command mode: PNNI node configuration

Decreasing the hello-interval allows PNNI to detect neighbor nodes that have stopped functioning more quickly. The inactivity-factor is used as a multiplier of the hello-interval in received hello packets to determine the dead interval, the time after which the neighbor node is declared down if no hello packets are received. The inactivity-factor can be increased on unreliable interfaces to avoid false alarms.

Decreasing the retransmit-interval causes retransmission to happen sooner when a PNNI packet gets lost. However, this increases the risk of unnecessarily retransmitting PNNI packets that are merely delayed but actually reach the neighbor. Increasing ack-delay causes more PTSEs to be acknowledged in one ack packet. Lowering hello-holddown allows another hello packet to be sent shortly after one was sent. To avoid an overload in switch processing, adjust these parameters carefully.

For more information, refer to the LightStream 1010 ATM Switch Software Configuration Guide.

The following script shows how to change the hello-interval to 5 seconds:

```
Switch# configure terminal
Switch(config)# atm router pnni
Switch(config-atm-router)# node 1
Switch(config-pnni-node)# timer hello-interval 5
```
**traceroute**

Use the traceroute EXEC command to discover the IP routes the switch's packets actually take when traveling to their destination.

Syntax: `traceroute [protocol] [destination]`

| Argument | Description |
|---|---|
| protocol | (Optional) The only protocol that can be used is ip. |
| destination | (Optional) Destination address or host name on the command line. The default parameters for the appropriate protocol are assumed, and the tracing action begins. |

Default: The protocol argument is based on the switch's examination of the format of the destination argument. For example, if the switch finds a destination in IP format, the protocol defaults to ip.

Command mode: EXEC

The traceroute command works by taking advantage of the error messages generated by switches when a datagram exceeds its time-to-live (TTL) value.

The traceroute command starts by sending probe datagrams with a TTL value of 1. This causes the first switch to discard the probe datagram and send back an error message. The traceroute command sends several probes at each TTL level and displays the round-trip time for each.

The traceroute command sends out one probe at a time. Each outgoing packet may result in one or two error messages. A "time exceeded" error message indicates that an intermediate switch detected and discarded the probe. A "destination unreachable" error message indicates that the destination node received and discarded the probe because it could not deliver the packet. If the timer goes off before a response comes in, traceroute prints an asterisk (*).

The traceroute command terminates when the destination responds, when the maximum TTL is exceeded, or when the user interrupts the trace with the escape sequence. By default, to invoke the escape sequence, enter ^X.

Because of bugs in the IP implementation of various hosts and switches, the IP traceroute command may behave in unexpected ways.

Not all destinations respond correctly to a probe message by sending back an "ICMP port unreachable" message. A long sequence of TTL levels with only asterisks, terminating only when the maximum TTL is reached, may indicate this problem.

There is a known problem with the way some hosts handle an "ICMP TTL exceeded" message. Some hosts generate an ICMP message, but they reuse the TTL of the incoming packet. Because this is zero, the ICMP packets do not make it back. When you trace the path to such a host, you may see a set of TTL values with asterisks (*). Eventually the TTL gets high enough that the ICMP message can get back. For example, if the host is six hops away, traceroute times out on responses 6 through 11.
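To make the two asterisk patterns above concrete, here is a constructed simulation (not Cisco code and not how the switch implements traceroute) of the TTL bookkeeping: every router decrements the TTL and answers with "time exceeded" when it hits zero, and the destination either replies normally, copies the probe's leftover TTL into its reply (the host bug described above), or never sends "port unreachable" at all. Hop counts and the maximum TTL are constructed sample values.

```python
from typing import List

REPLY = "reply"                  # destination answered; the trace stops here
TIME_EXCEEDED = "time-exceeded"  # an intermediate router discarded the probe
TIMEOUT = "*"                    # nothing came back before the timer expired


def probe(ttl: int, dest_hop: int, dest_behaviour: str = "normal") -> str:
    """Outcome of one probe sent with the given TTL.

    dest_hop is the destination's hop number; routers occupy hops 1..dest_hop-1.
    dest_behaviour: "normal", "reuses-ttl" (reply inherits the leftover TTL)
    or "silent" (no port-unreachable message ever sent).
    """
    # Forward path: each router decrements first and discards at zero. Its own
    # ICMP reply is sent with a fresh TTL, so that reply always reaches us.
    for _router in range(1, dest_hop):
        ttl -= 1
        if ttl == 0:
            return TIME_EXCEEDED
    ttl -= 1  # the destination decrements the probe too
    if dest_behaviour == "silent":
        return TIMEOUT
    if dest_behaviour == "normal":
        return REPLY
    # Buggy host: the reply is sent with whatever TTL was left in the probe and
    # must cross the same dest_hop-1 routers on the way back.
    reply_ttl = ttl
    for _router in range(dest_hop - 1):
        reply_ttl -= 1
        if reply_ttl <= 0:
            return TIMEOUT
    return REPLY


def trace(dest_hop: int, max_ttl: int = 30,
          dest_behaviour: str = "normal") -> List[str]:
    """Probe TTL 1..max_ttl and stop at the first destination reply."""
    results = []
    for ttl in range(1, max_ttl + 1):
        outcome = probe(ttl, dest_hop, dest_behaviour)
        results.append(outcome)
        if outcome == REPLY:
            break
    return results


def timed_out_ttls(dest_hop: int, max_ttl: int = 30,
                   dest_behaviour: str = "normal") -> List[int]:
    """TTL values whose display line would show only asterisks."""
    outcomes = trace(dest_hop, max_ttl, dest_behaviour)
    return [ttl for ttl, outcome in enumerate(outcomes, start=1)
            if outcome == TIMEOUT]


if __name__ == "__main__":
    for behaviour in ("normal", "reuses-ttl", "silent"):
        print(f"{behaviour:11s} asterisk lines at TTL {timed_out_ttls(6, 30, behaviour)}")
```

For a destination six hops away, the buggy-host case reproduces the page's "6 through 11": the reply only gets back once the probe arrives with enough TTL left to cross the five routers again, which first happens at TTL 12. The silent case shows asterisks from hop 6 all the way to the maximum TTL, which is the signature the previous paragraph tells you to look for.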
The following display shows sample IP traceroute output when a destination host name is specified:

```
Switch# traceroute ip ABA.NYC.mil
Type escape sequence to abort.
Tracing the route to ABA.NYC.mil (26.0.0.73)
1 DEBRIS.CISCO.COM (131.108.1.6) 1000 msec 8 msec 4 msec
2 BARRNET-GW.CISCO.COM (131.108.16.2) 8 msec 8 msec 8 msec
3 EXTERNAL-A-GATEWAY.STANFORD.EDU (192.42.110.225) 8 msec 4 msec 4 msec
4 BB2.SU.BARRNET.NET (131.119.254.6) 8 msec 8 msec 8 msec
5 SU.ARC.BARRNET.NET (131.119.3.8) 12 msec 12 msec 8 msec
6 MOFFETT-FLD-MB.in.MIL (192.52.195.1) 216 msec 120 msec 132 msec
7 ABA.NYC.mil (26.0.0.73) 412 msec 628 msec 664 msec
```

Table 19-3 describes the fields shown in the display.

| Field | Description |
|---|---|
| 1 | Indicates the sequence number of the switch in the path to the host. |
| DEBRIS.CISCO.COM | Host name of this switch. |
| 131.108.1.6 | IP address of this switch. |
| 1000 msec 8 msec 4 msec | Round-trip time for each of the three probes that are sent. |

Table 19-4 describes the characters that can appear in traceroute output.

| Char | Description |
|---|---|
| nn msec | For each node, the round-trip time in milliseconds for the specified number of probes. |
| * | The probe timed out. |
| ? | Unknown packet type. |
| Q | Source quench. |
| P | Protocol unreachable. |
| N | Network unreachable. |
| U | Port unreachable. |
| H | Host unreachable. |
**transit-restricted**

To indicate to the network that this node does not allow calls to transit through it, use the transit-restricted PNNI node configuration command. To allow calls to transit through the node, use the no form of this command.

Syntax: `transit-restricted`

This command has no keywords or arguments.

Default: Enabled

Command mode: PNNI node configuration

This command enables the network administrator to prevent connections from transiting nodes that only originate or terminate connections, for example, low-end edge switches that do not have the capacity to support transit calls.

For more information, refer to the LightStream 1010 ATM Switch Software Configuration Guide.

The following script shows how to access the transit-restricted PNNI node configuration command:

```
Switch# configure terminal
Switch(config)# atm router pnni
Switch(config-atm-router)# node 1
Switch(config-pnni-node)# transit-restricted
```
**transport preferred**

To specify the transport protocol the switch uses if the user does not specify a transport protocol when initiating a connection, use the transport preferred line configuration command.

Syntax: `transport preferred {telnet | none}`

| Keyword | Description |
|---|---|
| telnet | Selects the TCP/IP Telnet protocol. It allows a user at one site to establish a TCP connection to a login server at another site. |
| none | Prevents any protocol selection on the line. The system normally assumes that any unrecognized command is a host name. If the protocol is set to none, the system no longer makes that assumption. The connection is not attempted if the command is not recognized. |

Default: Telnet

Command mode: Line configuration

Specify transport preferred none to prevent errant connection attempts.

The following example sets the preferred protocol to Telnet on virtual terminal line 1:

```
Switch(config)# line vty 1
Switch(config-line)# transport preferred telnet
```

Related commands:
- terminal transport preferred
- transport preferred
**txspeed**

To set the terminal transmit baud rate (to terminal), use the txspeed line configuration command. Use the no form of this command to disable this feature.

Syntax: `txspeed bps`

| Argument | Description |
|---|---|
| bps | Baud rate in bits per second (bps); see the usage guidelines below for settings. |

Default: 9600 bps

Command mode: Line configuration

Set the speed to match the baud rate of whatever device you have connected to the port. Some baud rates available on devices connected to the port might not be supported on the switch. The switch indicates if the speed you select is not supported. The following is the list of available line speeds, shown in bits per second:

75, 110, 134, 150, 300, 600, 1200, 1800, 2000, 2400, 4800, 9600, 19200, 38400

The following example sets the auxiliary line transmit speed to 2400 bps:

```
Switch(config)# line aux 0
Switch(config-line)# txspeed 2400
```