Access and Communication Servers Command Reference
System Management Commands


This chapter describes the commands used to manage the access server system and its performance on the network.

For system management configuration tasks and examples, refer to the chapter entitled "Managing the System" in the Access and Communication Servers Configuration Guide.

aaa accounting

To enable AAA accounting of requested services for billing or security purposes when using TACACS+, use the aaa accounting global configuration command. Use the no form of this command to disable accounting.

aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} tacacs+
no aaa accounting {system | network | connection | exec | command level}

Syntax Description

system

Accounting is performed for all system-level events not associated with users, such as reloads.

network

Accounting is run for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.

connection

Accounting is run for outbound Telnet and rlogin.

exec

Accounting is run for Execs (user shells). This may return user profile information such as autocommand information.

command

Accounting is run for all commands at the specified privilege level.

level

The command level that should be accounted. Valid entries are 0-15.

start-stop

A start record accounting notice is sent at the beginning of a process and a stop record is sent at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting record was received by the accounting server.

wait-start

As in start-stop, both a start and a stop accounting record are sent to the accounting server. However, if you use the wait-start keyword, the requested user service will not begin until the start accounting record is acknowledged. A stop accounting record will also be sent.

stop-only

A stop record accounting notice is sent at the end of the requested user process.

tacacs+

Mandatory. Enables the TACACS-style accounting.


Default

AAA accounting is not enabled.

Command Mode

Global configuration

Usage Guideline

The aaa accounting command allows you to set start/stop accounting for any or all of the functions listed in the Syntax Description for this command. For minimal accounting control, specify the stop-only keyword, which sends a stop record accounting notice at the end of the requested user process. For additional accounting control, specify the start-stop keyword, so that TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. You can further control access and accounting by specifying the wait-start keyword, which ensures that the start notice is received by the TACACS+ server before granting the user's process request. Accounting is only done to the TACACS+ server.


Note   This command, along with aaa authentication username-prompt, replaces the tacacs-server authenticate command in previous versions of TACACS, and can only be used with AAA/TACACS+.


Examples

In the following example, accounting is set for outbound Telnet and rlogin, and both a start and a stop accounting notice are sent to the TACACS+ server:

aaa accounting connection start-stop tacacs+

In the following example, accounting is set for privilege level 15 commands, with a wait-start restriction:

aaa accounting command 15 wait-start tacacs+

Related Commands

aaa new-model
aaa authentication username-prompt

aaa authentication arap

To enable an AAA authentication method for AppleTalk Remote Access (ARA) users while using TACACS+, use the aaa authentication arap command. Use the no form of the command to disable this authentication.

aaa authentication arap {default | list-name} method1 [...[method4]]
no aaa authentication arap {default | list-name} method1 [...[method4]]

Syntax Description

default

Uses the listed methods that follow this argument as the default list of methods used when a user logs in.

list-name

A character string used to name the following list of authentication methods tried when a user logs in.

method

One of the methods described in Table 5-1.


Default

If the default list is not set, only the local user database is checked. This has the same effect as issuing the following command:

aaa authentication arap default local

Command Mode

Global configuration

Usage Guideline

The list names and default that you set using the aaa authentication arap command are used with the arap authentication command. These lists can contain up to four authentication methods that will be used when a user tries to log in with ARA. Note that ARAP guest logins are disabled by default when you enable AAA/TACACS+. To allow guest logins, you must use either the guest or auth-guest method listed in Table 5-1. You can only use one of these methods; they are mutually exclusive.

Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list, such as MIS-access. The method keyword refers to the list of methods the authentication algorithm will try, in the given sequence. You can enter up to four methods, which are described in Table 5-1.

To create a default list that will be used if no list is specified in the arap authentication command, use the default keyword followed by the methods you wish to be used in default situations.

The additional methods of authentication will only be used if the previous method returns an error, not if it fails.

Use the show running-config command to view lists of authentication methods.

Table 5-1 AAA Authentication ARAP Method Descriptions

Method
Description

guest

Allows guest logins. This method must be the first method listed, but can be followed by other methods to try if it does not succeed.

auth-guest

Allows guest logins only if the user has already logged in to EXEC. This method must be the first method listed, but can be followed by other methods to try if it does not succeed.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

tacacs+

Uses TACACS+ authentication.



Note   This command cannot be used with TACACS or Extended TACACS.


Examples

The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none:

aaa authentication arap MIS-access tacacs+ none

The following example creates the same list, but sets it as the default list, which will be used for all arap authentications if no other list is specified:

aaa authentication arap default tacacs+ none

Related Commands

A dagger (†) indicates that the command is documented in another chapter.

aaa authentication local-override
aaa new-model
arap authentication†

aaa authentication enable default

To enable AAA authentication to determine if a user can access the privileged command level with TACACS+, use the aaa authentication enable default command. Use the no form of the command to disable this authorization method.

aaa authentication enable default method1 [...[method4]]
no aaa authentication enable default method1 [...[method4]]

Syntax Description

method

At least one and up to four of the methods described in Table 5-2.


Default

If the default list is not set, the action will be to check only the enable password. This has the same effect as issuing the following command:

aaa authentication enable default enable

On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway.

Command Mode

Global configuration

Usage Guideline

Use the aaa authentication enable default command to create a series of authentication methods that are used to determine if a user can access privileged command level. You can specify up to four authentication methods. Method keywords are described in Table 5-2. The additional methods of authentication will only be used if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

If a default authentication routine is not set for a function, the default is none—no authentication is performed. Use the show running-config command to view currently configured lists of authentication methods.

Table 5-2 AAA Authentication Enable Default Method Descriptions

Method
Description

enable

Uses the enable password for authentication.

line

Uses the line password for authentication.

none

Uses no authentication.

tacacs+

Uses TACACS+ authentication.



Note   This command cannot be used with TACACS or Extended TACACS.


Example

The following example creates an authentication list that will first try to contact a TACACS+ server. If no server can be found, then AAA will try to use the enable password. If this also returns an error (because no enable password is configured on the server), the user will be allowed access with no authentication.

aaa authentication enable default tacacs+ enable none

Related Commands

aaa authentication local-override
aaa new-model
aaa authentication username-prompt
enable password

aaa authentication login

To set AAA authentication at login when using TACACS+, use the aaa authentication login global configuration command. Use the no form of the command to disable AAA authentication.

aaa authentication login {default | list-name} method1 [...[method4]]
no aaa authentication login {default | list-name} method1 [...[method4]]

Syntax Description

default

Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.

list-name

A character string used to name the following list of authentication methods tried when a user logs in.

method

At least one and up to four of the methods described in Table 5-3.


Default

If the default list is not set, only the local user database is checked. This has the same effect as issuing the following command:

aaa authentication login default local


Note   On the console, login will succeed without any authentication checks if default is not set.


Command Mode

Global configuration

Usage Guideline

The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.

Create a list by entering the aaa authentication login list-name method command, where list-name is any character string used to name this list, such as MIS-access. The method keyword refers to the list of methods the authentication algorithm tries, in the given sequence. Method keywords are described in Table 5-3.

To create a default list that is used if no list is assigned to a line with the login authentication command, use the default argument followed by the methods you want in default situations.

The additional methods of authentication are only used if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access—no authentication is performed. Use the show running-config command to view currently configured lists of authentication methods.

Table 5-3 AAA Authentication Login Method Descriptions

Method
Description

enable

Uses the enable password for authentication.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

none

Uses no authentication.

tacacs+

Uses TACACS+ authentication.



Note   This command cannot be used with TACACS or Extended TACACS.


Example

The following example creates an AAA authentication list called MIS-access. This authentication will first try to contact a TACACS+ server. If no server is found, TACACS+ will return an error and AAA will try to use the enable password. If this also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

aaa authentication login MIS-access tacacs+ enable none

The following example creates the same list, but sets it as the default list that will be used for all login authentications if no other list is specified:

aaa authentication login default tacacs+ enable none

Related Commands

aaa authentication local-override
aaa new-model
login authentication

aaa authentication local-override

To have the access server check the local user database for authentication before attempting another form of authentication, use the aaa authentication local-override command. Use the no form of the command to disable the override.

aaa authentication local-override
no aaa authentication local-override

Syntax Description

This command has no arguments or keywords.

Default

Override is disabled.

Command Mode

Global configuration

Usage Guideline

This command is useful when you want to configure an override to the normal authentication process for certain personnel such as system administrators.

When this override is set, the user is always prompted for the username. The system then checks to see if the entered username corresponds to a local account. If the username does not correspond to one in the local database, login proceeds with the methods configured using other aaa commands (such as aaa authentication login). Note that when using this command, the first prompt is fixed as Username:

Example

The following example enables aaa authentication override:

aaa authentication local-override

Related Commands

aaa authentication arap
aaa authentication enable default
aaa authentication login
aaa new-model
aaa authentication password-prompt

aaa authentication password-prompt

To change the text displayed when users are prompted for a password, use the aaa authentication password-prompt global configuration command. Use the no form of this command to return to the default password prompt text.

aaa authentication password-prompt {text-string}
no aaa authentication password-prompt {text-string}

Syntax Description

text-string

String of text that will be displayed when the user is prompted to enter a password. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your password:").


Default

This command is disabled by default.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.0.

Use the aaa authentication password-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a password. This command changes the password prompt for the enable password as well as for login passwords that are not supplied by remote security servers. The no form of this command returns the password prompt to the default value:

Password:

The aaa authentication password-prompt command does not change any dialog that is supplied by a remote TACACS+ or RADIUS server.

Example

The following example changes the text for the password prompt:

aaa authentication password-prompt "Enter your password now:"

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

aaa authentication username-prompt
aaa new-model
enable password

aaa authentication ppp

To specify one or more AAA authentication methods for use on serial interfaces running PPP when using TACACS+, use the aaa authentication ppp command. Use the no form of the command to disable authentication.

aaa authentication ppp {default | list-name} method1 [...[method4]]
no aaa authentication ppp {default | list-name} method1 [...[method4]]

Syntax Description

default

Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.

list-name

A character string used to name the following list of authentication methods tried when a user logs in.

method

At least one and up to four of the methods described in Table 5-4.


Default

If the default list is not set, the action will be to check only the local user database. This has the same effect as issuing the following command:

aaa authentication ppp default local

Command Mode

Global configuration

Usage Guideline

The lists that you create using the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that will be used when a user tries to log in to the serial interface.

Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name this list, such as MIS-access. The method keyword refers to the list of methods the authentication algorithm tries, in the given sequence. You can enter up to four methods. Method keywords are described in Table 5-4.

The additional methods of authentication are only used if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error.

If authentication is not specifically set for a function, the default is none—no authentication is performed. Use the show running-config command to view lists of authentication methods.

Table 5-4 AAA Authentication PPP Method Descriptions

Method
Description

if-needed

Does not authenticate if user has already been authenticated on a TTY line.

local

Uses the local username database for authentication.

none

Uses no authentication.

tacacs+

Uses TACACS+ authentication.



Note   This command cannot be used with TACACS or Extended TACACS.


Example

The following example creates an AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this returns an error, the user is allowed access with no authentication.

aaa authentication ppp MIS-access tacacs+ none

Related Commands

aaa authentication local-override
aaa new-model
ppp authentication

aaa authentication username-prompt

To change the text displayed when users are prompted to enter a username, use the aaa authentication username-prompt global configuration command. Use the no form of this command to return to the default username prompt text.

aaa authentication username-prompt {text-string}
no aaa authentication username-prompt {text-string}

Syntax Description

text-string

String of text that will be displayed when the user is prompted to enter a username. If this text-string contains spaces or unusual characters, it must be enclosed in double-quotes (for example, "Enter your name:").


Default

This command is disabled by default.

Command Mode

Global configuration

Usage Guidelines

This command first appeared in Cisco IOS Release 11.0.

Use the aaa authentication username-prompt command to change the default text that the Cisco IOS software displays when prompting a user to enter a username. The no form of this command returns the username prompt to the default value:

Username:

Some protocols (for example, TACACS+) have the ability to override the use of local username prompt information. Using the aaa authentication username-prompt command will not change the username prompt text in these instances.


Note   The aaa authentication username-prompt command does not change any dialog that is supplied by a remote TACACS+ server.


Example

The following example changes the text for the username prompt:

aaa authentication username-prompt "Enter your name here:"

Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

aaa authentication password-prompt
aaa new-model
enable password

aaa authorization

To set parameters that restrict a user's network access based on TACACS+ authorization, use the aaa authorization command. To disable authorization for a function, use the no form of the command.

aaa authorization {network | connection | exec | command level} methods
no aaa authorization {network | connection | exec | command level}

Syntax Description

network

Authorization is run for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.

connection

Authorization is run for outbound Telnet and rlogin.

exec

Authorization is run to determine if the user is allowed to run an Exec shell. This may return user profile information such as autocommand information.

command

Authorization is run for all commands at the specified privilege level.

level

Specific command level that should be authorized. Valid entries are 0-15.


Default

Authorization is disabled for all actions (equivalent to the keyword none).

Command Mode

Global configuration

Usage Guideline

This command first appeared in Cisco IOS Release 10.0.


Note   There are five commands associated with privilege level 0: disable, enable, exit, help, and logout. If you configure AAA authorization for a privilege level greater than 0, these five commands will not be included.


Use the aaa authorization command to create a list of at least one and up to four authorization methods that can be used when a user accesses the specified function. Table 5-5 lists the different authorization methods.


Note   This command, along with aaa accounting, replaces the tacacs-server suite of commands in previous versions of TACACS.


The additional methods of authorization are only used if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authorization succeed even if all methods return an error.

Table 5-5 AAA Authorization Keyword Descriptions

Keyword
Description

methods

tacacs+—request authorization information from the TACACS+ server.

if-authenticated—allow the user to access the requested function if the user is authenticated.

none—no authorization is performed.

local—use the local database for authorization.


If authorization is not specifically set for a function, the default is none—no authorization is performed.
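The fallback rule stated for the aaa authentication method lists earlier in this chapter and for aaa authorization above (a later method is tried only when the previous one returns an error, and a final none lets the request succeed when every method errors) can be checked mechanically against a configuration. The following Python sketch is an added example, not Cisco code; the function names and the sample configuration are constructed for illustration.

```python
from typing import NamedTuple

# Constructed sample configuration, using only commands described in this chapter.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ enable none
aaa authentication login MIS-access tacacs+ local
aaa authentication enable default tacacs+ enable
aaa authentication ppp MIS-access tacacs+ none
aaa authentication local-override
aaa authorization network tacacs+ none
aaa authorization command 15 tacacs+ if-authenticated
"""

AUTHN_FUNCS = {"login", "arap", "ppp", "enable"}
AUTHZ_FUNCS = {"network", "connection", "exec", "command"}


class MethodList(NamedTuple):
    kind: str       # e.g. "authentication login" or "authorization command 15"
    name: str       # "default", a list name, or "" for authorization
    methods: tuple  # methods in the order they are tried


def parse_method_lists(config):
    """Extract every AAA method list from configuration text."""
    lists = []
    for raw in config.splitlines():
        tok = raw.split()
        if len(tok) < 4 or tok[0] != "aaa":
            continue
        if tok[1] == "authentication" and tok[2] in AUTHN_FUNCS:
            lists.append(MethodList("authentication " + tok[2], tok[3], tuple(tok[4:])))
        elif tok[1] == "authorization" and tok[2] in AUTHZ_FUNCS:
            if tok[2] == "command":  # "command" is followed by a privilege level
                lists.append(MethodList("authorization command " + tok[3], "", tuple(tok[4:])))
            else:
                lists.append(MethodList("authorization " + tok[2], "", tuple(tok[3:])))
    return lists


def evaluate(methods, outcomes):
    """Walk a method list the way the usage guidelines describe.

    outcomes maps a method to 'pass', 'fail' or 'error'; a method that is
    not listed is treated as 'error' (for example an unreachable server).
    Returns (granted, deciding_method).
    """
    for method in methods:
        if method == "none":
            return True, method           # no check is performed
        result = outcomes.get(method, "error")
        if result == "pass":
            return True, method
        if result == "fail":
            return False, method          # a failure ends the walk, no fallback
        # 'error': fall through to the next method
    return False, None                    # every method errored and no none


def audit(config):
    """Return (list label, issue) pairs for risky method lists."""
    findings = []
    for ml in parse_method_lists(config):
        label = (ml.kind + " " + ml.name).strip()
        if len(ml.methods) > 4:
            findings.append((label, "more than four methods"))
        granted, _ = evaluate(ml.methods, {})  # simulate every method erroring
        if granted:
            findings.append((label, "fail-open: granted when all methods error"))
        if "none" in ml.methods[:-1]:
            findings.append((label, "methods listed after none are never tried"))
    return findings


if __name__ == "__main__":
    for label, issue in audit(SAMPLE_CONFIG):
        print(f"{label}: {issue}")
```

A list such as tacacs+ enable none is flagged because losing contact with the TACACS+ server on a device with no enable password leaves the function unauthenticated, which is the behavior the login and enable examples describe.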

The authorization command causes a request packet containing a series of attribute value pairs to be sent to the TACACS daemon as part of the authorization process. The daemon can:

accept the request as is

make changes to the request

refuse the request, and hence, refuse authorization

Table 5-6 describes attribute value (AV) pairs associated with the aaa authorization command. Registered users can find more information about TACACS+ and attribute pairs on Cisco Connection Online (CCO).

Table 5-6 Supported TACACS+ AV Pairs 

Attribute
Description
Cisco IOS Release 11.0
Cisco IOS Release 11.1
Cisco IOS Release 11.2

service=x

The primary service. Specifying a service attribute indicates that this is a request for authorization or accounting of that service. Current values are slip, ppp, arap, shell, tty-daemon, connection, and system. This attribute must always be included.

yes

yes

yes

protocol=x

A protocol that is a subset of a service. An example would be any PPP NCP. Currently known values are lcp, ip, ipx, atalk, vines, lat, xremote, tn3270, telnet, rlogin, pad, vpdn, http, and unknown.

yes

yes

yes

cmd=x

A shell (EXEC) command. This indicates the command name for a shell command that is to be run. This attribute must be specified if service equals "shell." A NULL value indicates that the shell itself is being referred to.

yes

yes

yes

cmd-arg=x

An argument to a shell (EXEC) command. This indicates an argument for the shell command that is to be run. Multiple cmd-arg attributes may be specified, and they are order dependent.

yes

yes

yes

acl=x

ASCII number representing a connection access list. Used only when service=shell.

yes

yes

yes

inacl=x

ASCII identifier for an interface input access list. Used with service=ppp and protocol=ip.

yes

yes

yes

inacl#<n>

ASCII access list identifier for an input access list to be installed and applied to an interface for the duration of the current connection. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx.

no

no

11.2(4)F

outacl=x

ASCII identifier for an interface output access list. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx. Contains an IP output access list for SLIP or PPP/IP (for example, outacl=4). The access list itself must be preconfigured on the router. Per-user access lists do not currently work with ISDN interfaces.

yes (PPP/IP only)

yes

yes

outacl#<n>

ASCII access list identifier for an interface output access list to be installed and applied to an interface for the duration of the current condition. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx.

no

no

11.2(4)F

zonelist=x

A numeric zonelist value. Used with service=arap. Specifies an AppleTalk zonelist for ARA (for example, zonelist=5).

yes

yes

yes

addr=x

A network address. Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=1.2.3.4.

yes

yes

yes

addr-pool=x

Specifies the name of a local pool from which to get the address of the remote host. Used with service=ppp and protocol=ip.

Note that addr-pool works in conjunction with local pooling. It specifies the name of a local pool (which must be preconfigured on the network access server). Use the ip local pool command to declare local pools. For example:

ip address-pool local

ip local pool boo 1.0.0.1 1.0.0.10

ip local pool moo 2.0.0.1 2.0.0.20

You can then use TACACS+ to return addr-pool=boo or addr-pool=moo to indicate the address pool from which you want to get this remote node's address.

yes

yes

yes

routing=x

Specifies whether routing information is to be propagated to, and accepted from this interface. Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can either be true or false (for example, routing=true).

yes

yes

yes

route

Specifies a route to be applied to an interface. Used with service=slip, service=ppp, and protocol=ip.

During network authorization, the route attribute can be used to specify a per-user static route, to be installed by TACACS+ as follows:

route="dst_address mask [gateway]"

This indicates a temporary static route that is to be applied. dst_address, mask, and gateway are expected to be in the usual dotted-decimal notation, with the same meanings as in the familiar ip route configuration command on a network access server.

If gateway is omitted, the peer's address is the gateway. The route is expunged when the connection terminates.

no

yes

yes

route#<n>

Like the route AV pair, this specifies a route to be applied to an interface, but these routes are numbered, allowing multiple routes to be applied. Used with service=ppp and protocol=ip, and service=ppp and protocol=ipx.

no

no

11.2(4)F

timeout=x

The number of minutes before an ARA session disconnects (for example, timeout=60). A value of zero indicates no timeout. Used with service=arap.

yes

yes

yes

idletime=x

Sets a value, in minutes, after which an idle session is terminated. Does not work for PPP. A value of zero indicates no timeout.

no

yes

yes

autocmd=x

Specifies an autocommand to be executed at EXEC startup (for example, autocmd=telnet muruga.com). Used only with service=shell.

yes

yes

yes

noescape=x

Prevents user from using an escape character. Used with service=shell. Can be either true or false (for example, noescape=true).

yes

yes

yes

nohangup=x

Used with service=shell. Specifies the nohangup option. Can be either true or false (for example, nohangup=false).

yes

yes

yes

priv-lvl=x

Privilege level to be assigned for the EXEC. Used with service=shell. Privilege levels range from 0 to 15, with 15 being the highest.

yes

yes

yes

callback-dialstring

Sets the telephone number for a callback (for example: callback-dialstring=408-555-1212). Value is NULL, or a dial-string. A NULL value indicates that the service may choose to get the dialstring through other means. Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN.

no

yes

yes

callback-line

The number of a TTY line to use for callback (for example: callback-line=4). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN.

no

yes

yes

callback-rotary

The number of a rotary group (between 0 and 100 inclusive) to use for callback (for example: callback-rotary=34). Used with service=arap, service=slip, service=ppp, service=shell. Not valid for ISDN.

no

yes

yes

nocallback-verify

Indicates that no callback verification is required. The only valid value for this parameter is 1 (for example, nocallback-verify=1). Used with service=arap, service=slip, service=ppp, service=shell. There is no authentication on callback. Not valid for ISDN.

no

yes

yes

tunnel-id

Specifies the username that will be used to authenticate the tunnel over which the individual user MID will be projected. This is analogous to the remote name in the vpdn outgoing command. Used with service=ppp and protocol=vpdn.

no

no

yes

ip-addresses

Space-separated list of possible IP addresses that can be used for the end-point of a tunnel. Used with service=ppp and protocol=vpdn.

no

no

yes

nas-password

Specifies the password for the network access server during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn.

no

no

yes

gw-password

Specifies the password for the home gateway during the L2F tunnel authentication. Used with service=ppp and protocol=vpdn.

no

no

yes

rte-ftr-in#<n>

Specifies an input access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx.

no

no

11.2(4)F

rte-ftr-out#<n>

Specifies an output access list definition to be installed and applied to routing updates on the current interface for the duration of the current connection. Used with service=ppp and protocol=ip, and with service=ppp and protocol=ipx.

no

no

yes 11.2(4)F

sap#<n>

Specifies static Service Advertising Protocol (SAP) entries to be installed for the duration of a connection. Used with service=ppp and protocol=ipx.

no

no

yes 11.2(4)F

sap-fltr-in#<n>

Specifies an input SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx.

no

no

yes 11.2(4)F

sap-fltr-out#<n>

Specifies an output SAP filter access list definition to be installed and applied on the current interface for the duration of the current connection. Used with service=ppp and protocol=ipx.

no

no

11.2(4)F

pool-def#<n>

Used to define IP address pools on the network access server. Used with service=ppp and protocol=ip.

no

no

11.2(4)F

source-ip=x

Used as the source IP address of all VPDN packets generated as part of a VPDN tunnel. This is equivalent to the Cisco vpdn outgoing global configuration command.

no

no

yes
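
The value and service constraints listed in the attribute table above can be checked mechanically before a profile is deployed on the TACACS+ daemon. The following is an added example, not part of the original reference or any Cisco tool; the function names, finding strings, and sample pairs are assumptions made for illustration.

```python
import re

# Rules transcribed from the attribute table above. All names here are
# hypothetical and the sample pairs are constructed.
SHELL_ONLY = {"autocmd", "noescape", "nohangup", "priv-lvl"}
CALLBACK = {"callback-dialstring", "callback-line", "callback-rotary",
            "nocallback-verify"}
CALLBACK_SERVICES = {"arap", "slip", "ppp", "shell"}
VPDN_ONLY = {"tunnel-id", "ip-addresses", "nas-password", "gw-password"}

def in_range(value, low, high):
    """True if value is a plain decimal integer within [low, high]."""
    return bool(re.fullmatch(r"[0-9]{1,3}", value)) and low <= int(value) <= high

def audit_av_pairs(pairs):
    """Return (attribute, finding) tuples for one set of name=value pairs."""
    av = dict(p.partition("=")[::2] for p in pairs)
    service, protocol = av.get("service"), av.get("protocol")
    out = []
    for name, value in av.items():
        if name in SHELL_ONLY and service != "shell":
            out.append((name, "only used with service=shell"))
        if name in CALLBACK and service not in CALLBACK_SERVICES:
            out.append((name, "only used with arap, slip, ppp or shell"))
        if name in VPDN_ONLY and (service, protocol) != ("ppp", "vpdn"):
            out.append((name, "needs service=ppp and protocol=vpdn"))
        if name in ("noescape", "nohangup") and value not in ("true", "false"):
            out.append((name, "value must be true or false"))
        if name == "priv-lvl":
            if not in_range(value, 0, 15):
                out.append((name, "value must be 0 to 15"))
            elif int(value) == 15:
                out.append((name, "review: highest privilege level"))
        if name == "callback-rotary" and not in_range(value, 0, 100):
            out.append((name, "value must be 0 to 100"))
        if name == "nocallback-verify":
            if value != "1":
                out.append((name, "only valid value is 1"))
            else:
                out.append((name, "review: callback is not authenticated"))
    return out

SAMPLE = ["service=shell", "priv-lvl=15", "noescape=yes", "nocallback-verify=1"]

if __name__ == "__main__":
    for attr, finding in audit_av_pairs(SAMPLE):
        print(f"{attr}: {finding}")
```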


Examples

The following example specifies that TACACS+-style authorization is used for all network-related requests. If this authorization method returns an error (if the TACACS+ server cannot be contacted), no authorization is performed, and the request is successful.

aaa authorization network tacacs+ none

The following example specifies that TACACS+-style authorization is run for level 15 commands. If this authorization method returns an error (if the TACACS+ server cannot be contacted), no authorization is performed, and the request succeeds.

aaa authorization command 15 tacacs+ none

Related Commands

aaa accounting
aaa new-model

aaa new-model

To enable the new AAA access control model that includes TACACS+, issue the aaa new-model global configuration command. Use the no form of the command to disable this functionality.

aaa new-model
no aaa new-model

Syntax Description

This command has no arguments or keywords.

Default

AAA/TACACS+ is not enabled.

Command Mode

Global configuration

Usage Guideline

This command enables the new AAA access control system and TACACS+. If you initialize this functionality and later decide to use TACACS or Extended TACACS, issue the no version of this command and then enable the version of TACACS you want to use.

After enabling AAA/TACACS+ with the aaa new-model command, you must use the tacacs-server key command to set the authentication key used in all TACACS+ communications with the TACACS+ daemon.

Example

The following example initializes AAA and TACACS+:

aaa new-model
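
Two conditions described above lend themselves to a configuration audit: authorization method lists that end in none (requests succeed when the TACACS+ server cannot be contacted) and aaa new-model enabled without a tacacs-server key. The following is an added example, not part of the original reference; the function name, finding labels, and sample configuration are assumptions.

```python
import re

# Constructed sample; the two authorization lines are the examples shown above.
SAMPLE_CONFIG = """\
aaa new-model
aaa authorization network tacacs+ none
aaa authorization command 15 tacacs+ none
"""


def audit_aaa(config):
    """Return (finding, config line) tuples; names here are hypothetical."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    for ln in lines:
        words = ln.split()
        if words[:2] == ["aaa", "authorization"] and len(words) > 3:
            # Command authorization carries a level before the method list.
            first_method = 4 if words[2].startswith("command") else 3
            if "none" in words[first_method:]:
                findings.append(("fail-open", ln))
    has_key = any(re.match(r"tacacs-server key \S", ln) for ln in lines)
    if "aaa new-model" in lines and not has_key:
        findings.append(("missing-key", "aaa new-model"))
    return findings


if __name__ == "__main__":
    for kind, line in audit_aaa(SAMPLE_CONFIG):
        print(f"{kind}: {line}")
```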

Related Commands

aaa accounting
aaa authentication arap
aaa authentication enable default
aaa authentication local-override
aaa authentication login
aaa authentication password-prompt
aaa authentication username-prompt
tacacs-server key

alias

To create a command alias, use the alias global configuration command. Use the no alias command to delete all aliases in a command mode or to delete a specific alias, and to revert to the original command syntax.

alias mode alias-name alias-command-line
no alias mode [alias-name]

Syntax Description

mode

Command mode of the original command and alias commands. See Table 5-7 for a list of options for this argument.

alias-name

Command alias.

alias-command-line

Original command syntax.


Defaults

Default aliases are in EXEC mode as follows:

Command Alias    Original Command
h                help
lo               logout
p                ping
r                resume
s                show
w                where


Command Mode

Global configuration

Usage Guidelines

You can use simple words as aliases or abbreviations. The aliases in the Defaults section are predefined. They can be turned off using the no alias command.

Table 5-7 shows the acceptable options for the mode argument in the alias global configuration command.

Table 5-7 Mode Argument Options

Argument Options    Mode
configuration       Global configuration
controller          Controller configuration
exec                EXEC
hub                 Hub configuration
interface           Interface configuration
ipx-router          IPX router configuration
line                Line configuration
map-class           Map class configuration
map-list            Map list configuration
route-map           Route map configuration
router              Router configuration

See the summary of command modes in the user interface chapter in the Access and Communication Configuration Guide for more information about command modes.

When you use online help, command aliases are indicated by an asterisk (*), as follows:

Router#lo?
*lo=logout  lock  login  logout 

When you use online help, aliases that contain spaces (for example, "telnet device.cisco.com 25") are displayed as follows:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# alias exec device-mail telnet device.cisco.com 25
Router(config)# end
Router# device-mail?
*device-mail="telnet device.cisco.com 25" 

When you use online help, the alias is expanded and replaced with the original command, as shown in the following example with the "td" alias:

Router(config)# alias exec td trace device
Router(config)# ^Z
Router# t?
*td="trace device"  telnet  terminal  test  tn3270
trace               

To list only commands and omit aliases, begin your input line with a space. In the following example, the alias td is not shown, because there is a space before the t? command line.

Router#  t?
telnet  terminal  test  tn3270  trace

As with commands, you can use online help to display the arguments and keywords that can follow a command alias. In the following example, the alias td is created to represent the command telnet device. The /debug and /line switches can be added to telnet device to modify the command:

Router(config)# alias exec td telnet device
Router(config)# ^Z
Router#td ?
      /debug     Enable telnet debugging mode
      /line      Enable telnet line mode
      ...
      whois      Whois port
      <cr>

Router# telnet device

You must enter the complete syntax for the alias command. Partial syntax for aliases is not accepted. In the following example, the parser does not recognize the command t as indicating the alias td.

bones# t
% Ambiguous command:  "t"

Example

In the following example, the alias fixmyrt is created for the EXEC-mode command clear ip route 172.30.116.16.

alias exec fixmyrt clear ip route 172.30.116.16

Related Command

show aliases

arap authentication

To enable TACACS+ authentication for ARA on a line, use the arap authentication command. Use the no form of the command to disable authentication for an ARA line.

arap authentication {default | list-name}
no arap authentication {default | list-name}

Syntax Description

default

Use the default list created with the aaa authentication arap command.

list-name

Use the indicated list created with the aaa authentication arap command.


Default

ARAP authentication uses the default set with the aaa authentication arap command. If no default has been set, the local user database is checked.

Command Mode

Line configuration

Usage Guideline

This command is a per-line command, and specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list will be used (whether or not it is specified in the command line). Defaults and lists are created by using the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default argument.

Before issuing this command, create a list of authentication processes by using the aaa authentication arap global configuration command.


Caution: If you use a list-name that was not configured with the aaa authentication arap command, ARAP will be disabled on this line.

Example

The following example specifies that the TACACS+ authentication list called MIS-access is used on ARA line 7:

line 7
arap authentication MIS-access
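
The Caution above means that a misspelled list-name disables ARAP on that line. The following check finds lines that reference a list never created with aaa authentication arap; it is an added example, not part of the original reference, and the function name and sample configuration (including the misspelled list on line 8) are constructed.

```python
import re

# Constructed sample: line 8 references a misspelled, undefined list.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication arap MIS-access tacacs+
line 7
arap authentication MIS-access
line 8
arap authentication MIS-acess
"""


def undefined_arap_lists(config):
    """Return (line number text, list-name) for references to undefined lists."""
    lines = [ln.strip() for ln in config.splitlines()]
    # Lists created globally with "aaa authentication arap <name> <methods>".
    defined = {m.group(1) for ln in lines
               if (m := re.match(r"aaa authentication arap (\S+)\s+\S", ln))}
    current, bad = None, []
    for ln in lines:
        if (m := re.match(r"line\s+(.+)", ln)):
            current = m.group(1)  # remember which line block we are in
        elif (m := re.match(r"arap authentication (\S+)$", ln)):
            name = m.group(1)
            # "default" falls back to the local user database if unset.
            if name != "default" and name not in defined:
                bad.append((current, name))
    return bad


if __name__ == "__main__":
    for line_id, name in undefined_arap_lists(SAMPLE_CONFIG):
        print(f"line {line_id}: list '{name}' is not defined; ARAP is disabled")
```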

Related Command

aaa authentication arap

buffers

Use the buffers global configuration command to make adjustments to initial buffer pool settings and to the limits at which temporary buffers are created and destroyed. Use the no buffers command to return the buffers to their default size.

buffers {small | middle | big | verybig | large | huge | type number} {permanent | max-free | min-free | initial} number
no buffers {small | middle | big | verybig | large | huge | type number} {permanent | max-free | min-free | initial} number

Syntax Description

small

Buffer size of this public buffer pool is 104 bytes.

middle

Buffer size of this public buffer pool is 600 bytes.

big

Buffer size of this public buffer pool is 1524 bytes.

verybig

Buffer size of this public buffer pool is 4520 bytes.

large

Buffer size of this public buffer pool is 5024 bytes.

huge

Default buffer size of this public buffer pool is 18024 bytes. This value can be configured with the buffers huge size command.

type

Interface type of the interface buffer pool. Value cannot be fddi.

number

Interface number of the interface buffer pool.

permanent

Number of permanent buffers that the system tries to create and keep. Permanent buffers are normally not trimmed by the system.

max-free

Maximum number of free or unallocated buffers in a buffer pool.

min-free

Minimum number of free or unallocated buffers in a buffer pool.

initial

Number of additional temporary buffers that are to be allocated when the system is reloaded. This keyword can be used to ensure that the system has necessary buffers immediately after reloading in a high-traffic environment.

number

Number of buffers to be allocated.


Default

The default number of the buffers in a pool is determined by the hardware configuration and can be displayed with the EXEC show buffers command.

Command Mode

Global configuration

Usage Guidelines

It is normally not necessary to adjust these parameters; do so only after consulting with technical support personnel. Improper settings could adversely impact system performance.

Buffer pool allocation is a user tunable parameter. The buffer pool to tune depends on the type of encapsulation used by the interfaces. Correspondingly, the ring size changes with the size of the buffer required.

Examples