Configuring System Management Functions

This chapter describes the basic tasks for configuring Cisco DSLAM general system features such as access control and basic DSLAM management. These sections describe these tasks:

System Management Tasks

The role of the administration interface is to provide a simple, command-line interface to all internal management and debugging DSLAM facilities. This section describes the system management tasks you need to perform to maximize system performance.

Configuring a Command Alias

To create and configure a command alias, perform these tasks in global configuration mode:

Step
Command
Task

1
alias mode alias-name alias-command-line

Create a command alias.

2
alias mode

Configure the command mode of the original and alias commands.

3
alias name

Configure the command alias.

Step	Command	Task
1	alias mode alias-name alias-command-line	Create a command alias.
2	alias mode	Configure the command mode of the original and alias commands.
3	alias name	Configure the command alias.

To display all aliases, use the privileged EXEC command:

Command
Task

show aliases [mode]

Display all alias commands, or the alias commands in a specified mode.

Command	Task
show aliases [mode]	Display all alias commands, or the alias commands in a specified mode.

Configuring Buffers

To make adjustments to initial buffer pool settings and to the limits at which temporary buffers are created and destroyed, use the global configuration command:

Command
Task

buffers {small | middle | big | large | verylarge| huge | type number}

Configure buffers. The default buffer size is 18024 bytes.

show buffers [all | alloc [dump]]

Display statistics for the buffer pools on the network server.

Command	Task
buffers {small \| middle \| big \| large \| verylarge\| huge \| type number}	Configure buffers. The default buffer size is 18024 bytes.
show buffers [all \| alloc [dump]]	Display statistics for the buffer pools on the network server.

To display the buffer pool statistics, use the privileged EXEC command:

Command
Task

show buffers [all | alloc [dump]]

Display statistics for the buffer pools on the network server.

Command	Task
show buffers [all \| alloc [dump]]	Display statistics for the buffer pools on the network server.

Configuring the Cisco Discovery Protocol

To specify the frequency with which the DSLAM sends Cisco Discover Protocol (CDP) updates, perform the tasks in global configuration mode:

Step
Command
Task

1
cdp holdtime seconds

Specify the hold time in seconds, to be sent in packets.

2
cdp timer seconds

Specify the frequency with which your DSLAM sends CDP updates.

3
cdp run

Enable CDP.

Step	Command	Task
1	cdp holdtime seconds	Specify the hold time in seconds, to be sent in packets.
2	cdp timer seconds	Specify the frequency with which your DSLAM sends CDP updates.
3	cdp run	Enable CDP.

To reset CDP traffic counters to zero (0) on your DSLAM, perform the tasks in privileged EXEC mode:

Step
Command
Task

1
clear cdp counters

Clear CDP counters.

2
clear cdp table

Clear CDP tables.

Step	Command	Task
1	clear cdp counters	Clear CDP counters.
2	clear cdp table	Clear CDP tables.

To show the CDP configuration, use the privileged EXEC commands:

Command
Task

show cdp

Display global CDP information.

show cdp entry-name [protocol | version]

Display information about a neighbor device listed in the CDP table.

show cdp interface [type number]

Display interfaces on with CDP enabled.

show cdp neighbors [interface-type interface-number] [detail]

Display CDP neighbor information.

show cdp traffic

Display CDP traffic information.

Command	Task
show cdp	Display global CDP information.
show cdp entry-name [protocol \| version]	Display information about a neighbor device listed in the CDP table.
show cdp interface [type number]	Display interfaces on with CDP enabled.
show cdp neighbors [interface-type interface-number] [detail]	Display CDP neighbor information.
show cdp traffic	Display CDP traffic information.

Configuring the Enable Password

To log on to the DSLAM at a specified level, use the EXEC command:

Command
Task

enable level

Enable login.

Command	Task
enable level	Enable login.

To configure the enable password for a given level, use the global configuration command:

Command
Task

enable password [level level] [encryption-type] password

Configure the enable password.

Command	Task
enable password [level level] [encryption-type] password	Configure the enable password.

Configuring the Load-Interval

To change the length of time for which data is used to compute load statistics, perform these tasks, beginning in global configuration mode:

Step
Command
Task

1
interface type slot/port

Select the physical interface to be configured.

2
load-interval seconds

Configure the load interval.

Step	Command	Task
1	interface type slot/port	Select the physical interface to be configured.
2	load-interval seconds	Configure the load interval.

Configuring Logging

To log messages to a syslog server host, use the global configuration commands:

Command
Task

logging host

Configure the logging name or IP address of the host to be used as a syslog server.

logging buffered

To log messages to an internal buffer, use the logging buffered global configuration command. The no logging buffered command cancels the use of the buffer and writes messages to the console terminal, which is the default.

logging console level

To limit messages logged to the console based on severity, use the logging console global configuration command.

logging facility facility-type

To configure the syslog facility in which error messages are sent, use the logging facility global configuration command. To revert to the default of local, use the no logging facility global configuration command.

logging monitor level

To limit messages logged to the terminal lines (monitors) based on severity, use the logging monitor global configuration command. This command limits the logging messages displayed on terminal lines other than the console line to messages with a level at or above the value of level. The no logging monitor command disables logging to terminal lines other than the console line.

logging on

To control logging of error messages, use the logging on global configuration command. This command enables or disables message logging to all destinations except the console terminal. The no logging on command enables logging to the console terminal only.

logging synchronous [level severity-level | all]
[limit number-of-buffers]

To synchronize unsolicited messages and debug output with solicited DSLAM output and prompts for a specific console port line, auxiliary port line, or virtual terminal line, use the logging synchronous line configuration command. Use the no form of the command to disable synchronization of unsolicited messages and debug output.

logging trap level

To limit messages logged to the syslog servers based on severity, use the logging trap global configuration command. The command limits the logging of error messages sent to syslog servers to only those messages at the specified level. The no logging trap command disables logging to syslog servers.

Command	Task
logging host	Configure the logging name or IP address of the host to be used as a syslog server.
logging buffered	To log messages to an internal buffer, use the logging buffered global configuration command. The no logging buffered command cancels the use of the buffer and writes messages to the console terminal, which is the default.
logging console level	To limit messages logged to the console based on severity, use the logging console global configuration command.
logging facility facility-type	To configure the syslog facility in which error messages are sent, use the logging facility global configuration command. To revert to the default of local, use the no logging facility global configuration command.
logging monitor level	To limit messages logged to the terminal lines (monitors) based on severity, use the logging monitor global configuration command. This command limits the logging messages displayed on terminal lines other than the console line to messages with a level at or above the value of level. The no logging monitor command disables logging to terminal lines other than the console line.
logging on	To control logging of error messages, use the logging on global configuration command. This command enables or disables message logging to all destinations except the console terminal. The no logging on command enables logging to the console terminal only.
logging synchronous [level severity-level \| all] [limit number-of-buffers]	To synchronize unsolicited messages and debug output with solicited DSLAM output and prompts for a specific console port line, auxiliary port line, or virtual terminal line, use the logging synchronous line configuration command. Use the no form of the command to disable synchronization of unsolicited messages and debug output.
logging trap level	To limit messages logged to the syslog servers based on severity, use the logging trap global configuration command. The command limits the logging of error messages sent to syslog servers to only those messages at the specified level. The no logging trap command disables logging to syslog servers.

Configuring Login Authentication

To enable Extended Terminal Access Controller Access Control System (TACACS+) authentication for logins, perform these steps, beginning in global configuration mode:

Command
Task

line [aux | console | vty] line-number

Select the line to configure.

login authentication {default | list-name}

Configure login authentication.

Command	Task
line [aux \| console \| vty] line-number	Select the line to configure.
login authentication {default \| list-name}	Configure login authentication.

Configuring the Scheduler

To control the maximum amount of time that can elapse without running the lowest-priority system processes, use these global configuration commands:

Command
Task

scheduler allocate milliseconds milliseconds

Configure the scheduler allocate integer that specifies the interval, in milliseconds. The minimum interval that you can specify is 500milliseconds. There is no maximum value.

scheduler process-watchdog {hang | normal | reload | terminate}

Configure scheduler process-watchdog.

Command	Task
scheduler allocate milliseconds milliseconds	Configure the scheduler allocate integer that specifies the interval, in milliseconds. The minimum interval that you can specify is 500milliseconds. There is no maximum value.
scheduler process-watchdog {hang \| normal \| reload \| terminate}	Configure scheduler process-watchdog.

Configuring Miscellaneous System Services

To configure miscellaneous system services, use these global configuration commands:

Command
Task

service alignment

Configure alignment correction and logging.

service compress-config

Compress the configuration file.

service config

Load config TFTP files.

service decimal-tty

Interpret TTY line numbers in decimal.

service exec-callback

Enable EXEC callback.

service exec-wait

Configure a delay of the startup of the EXEC on noisy lines.

service finger

Allow Finger protocol requests (defined in RFC 742) from the network server.

service hide-telnet-addresses

Hide destination addresses in Telnet command.

service linenumber

Enable a line number banner for each EXEC.

service nagle

Enable the Nagle congestion control algorithm.

service old-slip-prompts

Allow old scripts to operate with SLIP/PPP.

service pad

Enable Packet Assembler Dissembler commands.

service password-encryption

Enable encrypt passwords.

service prompt

Enable a mode-specific prompt.

service tcp-keepalives {in | out}

Configure keepalive packets on idle network connections.

service tcp-small-servers

Enable small TCP servers (for example, ECHO).

service telnet-zero-idle

Set the TCP window to zero (0) when the Telnet connection is idle.

service timestamps

Display timestamp debug and log messages.

service udp-small-servers

Enable small UDP servers (for example, ECHO).

Command	Task
service alignment	Configure alignment correction and logging.
service compress-config	Compress the configuration file.
service config	Load config TFTP files.
service decimal-tty	Interpret TTY line numbers in decimal.
service exec-callback	Enable EXEC callback.
service exec-wait	Configure a delay of the startup of the EXEC on noisy lines.
service finger	Allow Finger protocol requests (defined in RFC 742) from the network server.
service hide-telnet-addresses	Hide destination addresses in Telnet command.
service linenumber	Enable a line number banner for each EXEC.
service nagle	Enable the Nagle congestion control algorithm.
service old-slip-prompts	Allow old scripts to operate with SLIP/PPP.
service pad	Enable Packet Assembler Dissembler commands.
service password-encryption	Enable encrypt passwords.
service prompt	Enable a mode-specific prompt.
service tcp-keepalives {in \| out}	Configure keepalive packets on idle network connections.
service tcp-small-servers	Enable small TCP servers (for example, ECHO).
service telnet-zero-idle	Set the TCP window to zero (0) when the Telnet connection is idle.
service timestamps	Display timestamp debug and log messages.
service udp-small-servers	Enable small UDP servers (for example, ECHO).

Configuring SNMP Access Policy

To create or update an access policy, use these global configuration commands:

Command
Task

snmp-server access-policy destination-party source-party context privileges

Configure global access policy.

snmp-server chassis-id text

Provide a message line identifying the SNMP server serial number.

snmp-server community string [RO | RW] [number]

Configure the SNMP community access string.

snmp-server contact text

Configure the system contact (syscontact) string.

snmp-server context context-name context-oid view-name

Configure a context record.

snmp-server host host community-string [envmon] [frame-relay] [sdlc] [snmp] [tty] [x25]

Configure the recipient of an SNMP trap operation.

snmp-server location text

Configure a system location string.

snmp-server packetsize byte-count

Configure the largest SNMP packet size permitted when the SNMP server is receiving a request or generating a reply.

snmp-server party party-name party-oid [protocol-address] [packetsize size] [local | remote] [authentication {md5 key [clock clock]
[lifetime lifetime] | snmpv1 string}]

Configure a party record.

snmp-server queue-length length

Configure the message queue length for each trap host.

snmp-server system-shutdown

Configure SNMP message reload.

snmp-server trap-authentication
[snmpv1 | snmpv2]

Configure trap message authentication.

snmp-server trap-timeout seconds

Configure the frequency with which to resend trap messages on the retransmission queue.

snmp-server userid user-id [view view-name]
[RO | RW] [password password]

Configure SNMP v.2 security context using the simplified security conventions method.

snmp-server view view-name oid-tree
{included | excluded}

Configure view entry.

Command	Task
snmp-server access-policy destination-party source-party context privileges	Configure global access policy.
snmp-server chassis-id text	Provide a message line identifying the SNMP server serial number.
snmp-server community string [RO \| RW] [number]	Configure the SNMP community access string.
snmp-server contact text	Configure the system contact (syscontact) string.
snmp-server context context-name context-oid view-name	Configure a context record.
snmp-server host host community-string [envmon] [frame-relay] [sdlc] [snmp] [tty] [x25]	Configure the recipient of an SNMP trap operation.
snmp-server location text	Configure a system location string.
snmp-server packetsize byte-count	Configure the largest SNMP packet size permitted when the SNMP server is receiving a request or generating a reply.
snmp-server party party-name party-oid [protocol-address] [packetsize size] [local \| remote] [authentication {md5 key [clock clock] [lifetime lifetime] \| snmpv1 string}]	Configure a party record.
snmp-server queue-length length	Configure the message queue length for each trap host.
snmp-server system-shutdown	Configure SNMP message reload.
snmp-server trap-authentication [snmpv1 \| snmpv2]	Configure trap message authentication.
snmp-server trap-timeout seconds	Configure the frequency with which to resend trap messages on the retransmission queue.
snmp-server userid user-id [view view-name] [RO \| RW] [password password]	Configure SNMP v.2 security context using the simplified security conventions method.
snmp-server view view-name oid-tree {included \| excluded}	Configure view entry.

To display the SNMP status, use the EXEC command:

Command
Task

show snmp

Check the status of communications between the SNMP agent and SNMP manager.

Command	Task
show snmp	Check the status of communications between the SNMP agent and SNMP manager.

Establishing Username Commands

To establish a username-based authentication system at login, use the global configuration commands:

Command
Task

username name [no password | password encryption-type password]

Configure username-based authentication system at login.

username name password secret

Configure username-based CHAP authentication system at login.

username name [autocommand command]

Configure username-based authentication system at login with an additional command to be added.

username name [noescape] [nohangup]

Configure username-based authentication system at login without escape but with another login prompt.

Command	Task
username name [no password \| password encryption-type password]	Configure username-based authentication system at login.
username name password secret	Configure username-based CHAP authentication system at login.
username name [autocommand command]	Configure username-based authentication system at login with an additional command to be added.
username name [noescape] [nohangup]	Configure username-based authentication system at login without escape but with another login prompt.

Configuring the Privilege Level

This section describes how to configure and display the privilege level access to the DSLAM. You can configure access privileges at the global level for the entire DSLAM, or at the line level for a specific line.

Configuring the Global Privilege Level

To set the privilege level for a command, use the global configuration command:

Command
Task

privilege mode level level command

Set the privilege level.

Command	Task
privilege mode level level command	Set the privilege level.

To display your current level of privilege, use the privileged EXEC command:

Command
Task

show privilege

Display the privilege level.

Command	Task
show privilege	Display the privilege level.

Configuring Privilege Level for a Line

To set the default privilege level for a line, perform these tasks, beginning in global configuration mode:

Step
Command
Task

1
line [aux | console | vty] line-number

Select the line to configure.

2
privilege level level

Configure the default privilege level.

Step	Command	Task
1	line [aux \| console \| vty] line-number	Select the line to configure.
2	privilege level level	Configure the default privilege level.

To display your current level of privilege, use the privileged EXEC command:

Command
Task

show privilege

Display the privilege level.

Command	Task
show privilege	Display the privilege level.

Configuring the Network Time Protocol

This section describes how to configure the Network Time Protocol (NTP) on the DSLAM.

To control access to the system NTP services, use the global NTP configuration commands in this section. To remove access control to the system's NTP services, use the no ntp command. See the example configuration at the end of this section and the output examples to confirm the NTP configuration.

To view a list of the NTP commands enter a ? in EXEC configuration mode. This example shows the list of commands available for NTP configuration:

DSLAM(config)# ntp ?
  access-group        Control NTP access
  authenticate        Authenticate time sources
  authentication-key  Authentication key for trusted time sources
  broadcastdelay      Estimated round-trip delay
  clock-period        Length of hardware clock tick
  master              Act as NTP master clock
  max-associations    Set maximum number of associations
  peer                Configure NTP peer
  server              Configure NTP server
  source              Configure interface for source address
  trusted-key         Key numbers for trusted time sources
  update-calendar     Periodically update calendar with NTP time

To control access to the system NTP services, use the global configuration command:

Command
Task

ntp access-group {query-only | serve-only | serve | peer} access-list-number

Configure a NTP access group.

Command	Task
ntp access-group {query-only \| serve-only \| serve \| peer} access-list-number	Configure a NTP access group.

To enable NTP authentication, perform these steps in global configuration mode:

Step
Command
Task

1
ntp authenticate

Enable NTP authentication.

2
ntp authentication-key number md5 value

Define an authentication key.

Step	Command	Task
1	ntp authenticate	Enable NTP authentication.
2	ntp authentication-key number md5 value	Define an authentication key.

To specify that a specific interface should send NTP broadcast packets, perform these steps, beginning in Global Configuration mode:

Step
Command
Task

1
interface type slot/port

Select the physical interface to be configured.

2
ntp broadcastdelay microseconds

Configure the system to receive NTP broadcast packets.

Step	Command	Task
1	interface type slot/port	Select the physical interface to be configured.
2	ntp broadcastdelay microseconds	Configure the system to receive NTP broadcast packets.

As the NTP compensates for any error in the system clock, it keeps track of the correction factor needed to correct this error. The system automatically saves this correction factor into the system configuration using the ntp clock-period global configuration command.

Caution Do not enter the ntp clock-period command. It is documented for informational purposes only. The system automatically generates this command as the NTP determines the clock error and compensates.

To prevent an interface from receiving NTP packets, perform these steps, beginning in global configuration mode:

Step
Command
Task

1
interface type slot/port

Select the physical interface to be configured.

2
ntp disable

Disable the NTP receive interface.

To configure the DSLAM as a NTP master clock to which peers synchronize themselves when an external NTP source is not available, use the global configuration command:

Command
Task

ntp master [stratum]

Configure the DSLAM as a NTP master clock.

To configure the DSLAM as a NTP peer that receives its clock synchronization from an external NTP source, use the global configuration command:

Command
Task

ntp peer ip-address [version number] [key keyid] [source interface] [prefer]

Configure the DSLAM system clock to synchronize a peer or to be synchronized by a peer.

To allow the DSLAM system clock to be synchronized by a time server, use the global configuration command

:

Command
Task

ntp server ip-address [version number] [key keyid] [source interface] [prefer]

Configure the DSLAM system clock to allow it to be synchronized by a time server.

To use a particular source address in NTP packets, use the global configuration command:

Command
Task

ntp source interface

Configure a particular source address in NTPpackets.

To authenticate the identity of a system to which the NTP will synchronize, use the global configuration command:

Command
Task

ntp trusted-key key-number

Configure a NTP synchronize number.

To periodically update the DSLAM calendar from the NTP, use the global configuration command:

Command
Task

ntp update-calendar

Update a NTP calendar.

Example

This example configures the DSLAM to synchronize its clock and calendar to a NTP server, using Ethernet port 0/0:

DSLAM# config terminal
Enter configuration commands, one per line.  End with CNTL/Z.
DSLAM(config)# ntp server 198.92.30.32
DSLAM(config)# ntp source Ethernet 0/0
DSLAM(config)# ntp authenticate
DSLAM(config)# ntp max-associations 2000
DSLAM(config)# ntp trusted-key 22507
DSLAM(config)# ntp update-calendar

To show the status of NTP associations, use the privileged EXEC commands:

Command
Task

show ntp associations [detail]

Display NTP associations.

show ntp status

Display the NTP status.

Examples

This example displays the DSLAM detail NTP configuration:

DSLAM# show ntp associations detail
198.92.30.32 configured, our_master, sane, valid, stratum 3
ref ID 171.69.2.81, time B6C04E67.6E779000 (18:18:15.431 UTC Thu Feb 27 1997)
our mode client, peer mode server, our poll intvl 128, peer poll intvl 128
root delay 109.51 msec, root disp 377.38, reach 377, sync dist 435.638
delay -3.88 msec, offset 7.7674 msec, dispersion 1.57
precision 2**17, version 3
org time B6C04F19.437D8000 (18:21:13.263 UTC Thu Feb 27 1997)
rcv time B6C04F19.41018C62 (18:21:13.253 UTC Thu Feb 27 1997)
xmt time B6C04F19.41E3EB4B (18:21:13.257 UTC Thu Feb 27 1997)
filtdelay =    -3.88   -3.39   -3.49   -3.39   -3.36   -3.46   -3.37   -3.16
filtoffset =    7.77    6.62    6.60    5.38    4.13    4.43    6.28   12.37
filterror =     0.02    0.99    1.48    2.46    3.43    4.41    5.39    6.36

This example displays the DSLAM NTP status:

DSLAM# show ntp status
Clock is synchronized, stratum 4, reference is 198.92.30.32
nominal freq is 250.0000 Hz, actual freq is 249.9999 Hz, precision is 2**24
reference time is B6C04F19.41018C62 (18:21:13.253 UTC Thu Feb 27 1997)
clock offset is 7.7674 msec, root delay is 113.39 msec
root dispersion is 386.72 msec, peer dispersion is 1.57 msec

Configuring the Clock and Calendar

If no other source of time is available, you can manually configure the current time and date after the system is restarted. The time setting remains accurate until the next system restart. Cisco recommends that you use manual configuration only as a last resort.

Note If you have an outside source to which the DSLAM can synchronize, you do not need to manually set the system clock.

Configuring the Clock

To configure, read, and set the DSLAM as a time source for a network based on its calendar, perform these steps in global configuration mode:

Step
Command
Task

1
clock calendar-valid

Set the DSLAM as the default clock.

2
clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]

Configure the system to automatically switch to summer time (daylight savings time), use one of the formats of the clock summer-time configuration command. Use the no form of this command to configure the DSLAM to not automatically switch to summer time.

3
clock timezone zone

Configure the system time zone.

To manually read and set the calendar for the DSLAM system clock, perform these steps in privileged EXEC mode:

Step
Command
Task

1
clock read-calendar

Manually read the calendar into the DSLAM.

2
clock set hh:mm:ss day month year

Manually set the system clock.

3
clock update-calendar

Set the calendar.

To display the system clock information, use the EXEC command:

Command
Task

show clock [detail]

Display the system clock.

Configuring the Calendar

To set the system calendar, use the privileged EXEC command:

Command
Task

calendar set hh:mm:ss day month year

Configure the calendar.

To display the system calendar information, use the EXEC command:

Command
Task

show calendar

Display the calendar setting.

Configuring the Terminal Access Control Access System

You can configure the DSLAM to use one of three s pecial TCP/IP protocols related to Terminal Access Controller Access Control System (TACACS): regular TACACS, extended TACACS, or AAA/TACACS+. TACACS services are provided by and maintained in a database on a TACACS server running on a workstation. You must have access to and configure a TACACS server before configuring the TACACS features described in this publication on your Cisco device. Cisco basic TACACS support is modeled after the original Defense Data Network (DDN) application.

A comparative description of the supported versions follows. Table 4-1 compares the versions by commands.

TACACS—Provides password checking, authentication, and notification of user actions for security and accounting purposes.
Extended TACACS—Provides information about protocol translator and DSLAM use. This information is used in UNIX auditing trails and accounting files.
AAA/TACACS+—Provides more detailed accounting information as well as more administrative control of authentication and authorization processes.

You can establish TACACS-style password protection on both user and privileged levels of the system EXEC.

Table 4-1: TACACS Command Comparison

Command TACACS Extended TACACS TACACS+

aaa accounting

X

aaa authentication arap

X

aaa authentication enable default

X

aaa authentication login

X

aaa authentication local override

X

aaa authentication ppp

X

aaa authorization

X

aaa new-model

X

arap authentication

X

arap use-tacacs

X

X

enable last-resort

X

X

enable use-tacacs

X

X

login authentication

X

login tacacs

X

X

ppp authentication

X

X

X

ppp use-tacacs

X

X

X

tacacs-server attempts

X

X

X

tacacs-server authenticate

X

X

tacacs-server extended

X

tacacs-server host

X

X

X

tacacs-server key

X

tacacs-server last-resort

X

X

tacacs-server notify

X

X

tacacs-server optional-passwords

X

X

tacacs-server retransmit

X

X

X

tacacs-server timeout

X

X

X

Enabling TACACS and Extended TACACS

This section describes the features available with TACACS and Extended TACACS. The Extended TACACS software is available using FTP (see the README file in the ftp.cisco.com directory).

Note You cannot use several original TACACS and extended TACACS commands after you initialize AAA/TACACS+. To identify which commands you can use with the three versions, refer to Table 4-1.

These sections describe TACACS configuration:

Configuring AAA Access Control with TACACS+

To enable the AAA access control model that includes TACACS+, use the global configuration command:

Command
Task

aaa new-model

Enable the AAA access control model.

Configuring AAA Accounting

To enable the AAA accounting of requested services for billing or security purposes when using TACACS+, perform these steps in global configuration mode:

Step
Command
Task

1
aaa accounting system

Perform accounting for all system-level events not associated with users, such as reloads.

2
aaa accounting network

Run accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.

3
aaa accounting connection

Run accounting for outbound Telnet and rlogin.

4
aaa accounting exec

Run accounting for Execs (user shells). This keyword might return user profile information such as autocommand information.

5
aaa accounting command

Run accounting for all commands at the specified privilege level.

6
start-stop tacacs+

Send a start record accounting notice at the beginning of a process and a stop record at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the accounting server receives the start accounting record.

7
wait-start tacacs+

As in start-stop, sends both a start and a stop accounting record to the accounting server. However, if you use the wait-start keyword, the requested user service does not begin until the start accounting record is acknowledged. A stop accounting record is also sent.

8
stop-only tacacs+

Send a stop record accounting notice at the end of the requested user process.

Configuring a TACACS Server

To configure a TACACS server, perform these steps in global configuration mode:

Step
Command
Task

1
tacacs-server attempts count

Configure the number of login attempts allowed.

2
tacacs-server authenticate {connection [always] | enable | slip [always] [access-lists]}

Configure if the user may perform an action.

3
tacacs-server extended

Configure extended TACACS mode.

4
tacacs-server host name

Configure a TACACS host.

5
tacacs-server last-resort {password | succeed}

Configure a network server to request a privileged password as verification.

6
tacacs-server notify {connection [always] | enable | logout [always] | slip [always]}

Configure transmission to the TACACS server.

7
tacacs-server optional-passwords

Configure the initial TACACS request to a TACACS server to be made without password verification.

8
tacacs-server retransmit retries

Configure the number of times the system software will search the list of TACACS server hosts.

9
tacacs-server timeout seconds

Configure the interval that the server waits for a server host to reply.

Configuring PPP Authentication

To enable Challenge Handshake Authentication Protocol (CHAP) or Password Authentication Protocol (PAP) and to enable an AAA authentication method on an interface, perform these steps, beginning in global configuration mode:

Step
Command
Task

1
interface type slot/port

Select the physical interface to be configured.

2
ppp authentication {chap | pap} [if-needed] [list-name]

Configure PPP authentication.

3
ppp use-tacacs [single-line]

Enable the PPP authentication for TACACS.

To enable TACACS to determine whether a user can access the privileged command level, use the global configuration command:

Command
Task

enable use-tacacs

Enable TACACS.

Testing the System Management Functions

This section describes the commands you use to monitor and display the system management functions.

Showing Active Processes

To display information about the active processes, use the privileged EXEC commands:

Command
Task

show processes [cpu]

Display active processes.

show processes memory

Display memory utilization.

Showing Protocols

To display the configured protocols, use the privileged EXEC command:

Command
Task

show protocols

Display the global and interface-specific status of any configured Level 3 protocol; for example, IP, DECnet, Internet Packet Exchange (IPX), and AppleTalk.

Showing Stacks

To monitor the stack utilization of processes and interrupt routines, use the privileged EXEC command:

Command
Task

show stacks

Display system stack trace information.

The show stacks display includes the reason for the last system reboot. If the system was reloaded because of a system failure, a saved system stack trace is displayed. This information is of use only to Cisco engineers analyzing system failure in the field. It is included here in case you need to read the displayed statistics to an engineer over the telephone.

Showing Routes

To discover the IP routes that the switch packets take when the packets travel to their destination, use the EXEC command:

Command
Task

traceroute [protocol] [destination]

Display switch packets through the network.

Showing Temperature and Voltage Information

To display temperature and voltage information on the DSLAM console, use the EXEC commands:

Command
Task

show environment

Display temperature and voltage information.

show environment all

Display all temperature and voltage information.

show environment last

Display the last logs of the last measured value from each of the six test points to internal nonvolatile memory.

show environment table

Display environmental measurements and a table that lists the ranges of environment measurement.

Checking Basic ATM and IP Network Connectivity

To diagnose basic ATM and IP network connectivity, use the privileged EXEC command:

Command
Task

ping atm interface atm slot/port[.vpt] vpi vci

Use ping to check the ATM network connection.

Step	Command	Task
1	interface type slot/port	Select the physical interface to be configured.
2	ntp disable	Disable the NTP receive interface.

Command	Task
show ntp associations [detail]	Display NTP associations.
show ntp status	Display the NTP status.

Command	TACACS	Extended TACACS	TACACS+
aaa accounting			X
aaa authentication arap			X
aaa authentication enable default			X
aaa authentication login			X
aaa authentication local override			X
aaa authentication ppp			X
aaa authorization			X
aaa new-model			X
arap authentication			X
arap use-tacacs	X	X
enable last-resort	X	X
enable use-tacacs	X	X
login authentication			X
login tacacs	X	X
ppp authentication	X	X	X
ppp use-tacacs	X	X	X
tacacs-server attempts	X	X	X
tacacs-server authenticate	X	X
tacacs-server extended		X
tacacs-server host	X	X	X
tacacs-server key			X
tacacs-server last-resort	X	X
tacacs-server notify	X	X
tacacs-server optional-passwords	X	X
tacacs-server retransmit	X	X	X
tacacs-server timeout	X	X	X

Step	Command	Task
1	aaa accounting system	Perform accounting for all system-level events not associated with users, such as reloads.
2	aaa accounting network	Run accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.
3	aaa accounting connection	Run accounting for outbound Telnet and rlogin.
4	aaa accounting exec	Run accounting for Execs (user shells). This keyword might return user profile information such as autocommand information.
5	aaa accounting command	Run accounting for all commands at the specified privilege level.
6	start-stop tacacs+	Send a start record accounting notice at the beginning of a process and a stop record at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the accounting server receives the start accounting record.
7	wait-start tacacs+	As in start-stop, sends both a start and a stop accounting record to the accounting server. However, if you use the wait-start keyword, the requested user service does not begin until the start accounting record is acknowledged. A stop accounting record is also sent.
8	stop-only tacacs+	Send a stop record accounting notice at the end of the requested user process.

Step	Command	Task
1	tacacs-server attempts count	Configure the number of login attempts allowed.
2	tacacs-server authenticate {connection [always] \| enable \| slip [always] [access-lists]}	Configure if the user may perform an action.
3	tacacs-server extended	Configure extended TACACS mode.
4	tacacs-server host name	Configure a TACACS host.
5	tacacs-server last-resort {password \| succeed}	Configure a network server to request a privileged password as verification.
6	tacacs-server notify {connection [always] \| enable \| logout [always] \| slip [always]}	Configure transmission to the TACACS server.
7	tacacs-server optional-passwords	Configure the initial TACACS request to a TACACS server to be made without password verification.
8	tacacs-server retransmit retries	Configure the number of times the system software will search the list of TACACS server hosts.
9	tacacs-server timeout seconds	Configure the interval that the server waits for a server host to reply.

Command	Task
show processes [cpu]	Display active processes.
show processes memory	Display memory utilization.

Command	Task
show environment	Display temperature and voltage information.
show environment all	Display all temperature and voltage information.
show environment last	Display the last logs of the last measured value from each of the six test points to internal nonvolatile memory.
show environment table	Display environmental measurements and a table that lists the ranges of environment measurement.

Table of Contents

Configuring System Management Functions

Example

Examples