Protocol Translation Configuration Guide and Command Reference
AppleTalk Remote Access Commands

AppleTalk Remote Access Commands


This chapter describes the commands used to configure your router to act as an AppleTalk Remote Access (ARA) server. Cisco's implementation of ARA gives Macintosh users direct access to information and resources in remote locations. Macintosh users can connect to another Macintosh computer or AppleTalk network over standard telephone lines. For example, if you have a PowerBook at home and need to get a file from your Macintosh at the office, ARA software can make the connection between your home and office computers.

This chapter does not describe how to configure or use the client Macintosh. Refer to Apple Computer's Apple Remote Access Client User's Guide and the Apple Remote Access Personal Server User's Guide for information about how to use ARA software on your Macintosh. For AppleTalk Remote Access configuration tasks and examples, refer to the chapter "Configuring a Router as an AppleTalk Remote Access Server" in this publication.

access-list additional-zones

To define the action for access checks that apply to zones, use the access-list additional-zones global configuration command.

access-list access-list-number {deny | permit} additional-zones

Syntax Description

access-list-number

Number of the access list. This is a decimal number from 600 to 699.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.


Default

Access is denied.

Command Mode

Global configuration

Usage Guidelines

The access-list additional-zones command defines the action to take for access checks not explicitly defined with the access-list zone command. If you do not specify this command, the default action is to deny access.

Example

The following example creates an access list based on AppleTalk zones:

access-list 610 deny zone Twilight
access-list 610 permit additional-zones

Related Commands

access-list cable-range
access-list includes
access-list network
access-list other-access
access-list within
access-list zone

access-list cable-range

To define an AppleTalk access list for a cable range (for extended networks only), use the access-list cable-range global configuration command. To remove an access list, use the no form of this command.

access-list access-list-number {deny | permit} cable-range cable-range
no access-list access-list-number {deny | permit} cable-range cable-range

Syntax Description

access-list-number

Number of the access list. This is a decimal number from 600 to 699.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

cable-range

Cable range value. The argument specifies the start and end of the cable range, separated by a hyphen. These values are decimal numbers from 1 to 65279. The starting network number must be less than or equal to the ending network number.


Default

No AppleTalk access lists are defined for a cable range.

Command Mode

Global configuration

Usage Guidelines

The access-list cable-range command affects matching on extended networks only. The conditions defined by this access list are used only when the packet's cable range exactly matches the cable range specified in the access-list network command. The conditions are never used to match a network number (for a nonextended network) even if the cable range has the same starting and ending number as the nonextended network number.

To delete an access list, specify the minimum number of keywords and arguments needed to delete the proper access list. For example, to delete the entire access list, use the following command:

no access-list access-list-number

To delete the access list for a specific network, use the following command:

no access-list access-list-number {deny | permit} cable-range cable-range

Example

The access list created by the following commands allows all packets to be forwarded except those destined to cable range 10 to 20:

access-list 600 deny cable-range 10-20
access-list 600 permit other-access

Related Commands

access-list additional-zones
access-list includes
access-list network
access-list other-access
access-list within
access-list zone

access-list includes

To define an AppleTalk access list that overlaps any part of a range of network numbers or cable ranges (for both extended and nonextended networks), use the access-list includes global configuration command. To remove an access list, use the no form of this command.

access-list access-list-number {deny | permit} includes cable-range
no access-list access-list-number {deny | permit} includes cable-range

Syntax Description

access-list-number

Number of the access list. This is a decimal number from 600 to 699.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

cable-range

Cable range or network number. The argument specifies the start and end of the cable range, separated by a hyphen. These values are decimal numbers from 1 to 65279. The starting network number must be less than or equal to the ending network number. To specify a network number, set the starting and ending network numbers to the same value.


Default

No AppleTalk access list that overlaps any part of a range of network numbers or cable ranges is defined.

Command Mode

Global configuration

Usage Guidelines

The access-list includes command affects matching on extended and nonextended AppleTalk networks. The conditions defined by this access list are used when the packet's cable range or network number overlaps, either partially or completely, one (or more) of those specified in the access-list network command.

To delete an access list, specify the minimum number of keywords and arguments needed to delete the proper access list. For example, to delete the entire access list, use the following command:

no access-list access-list-number

To delete the access list for a specific network, use the following command:

no access-list access-list-number {deny | permit} includes cable-range

Example

The following example defines an access list that permits access to packets destined to any nonextended or extended network whose network number or cable range overlaps any part of the range 10 to 20. This means, for example, that packets whose cable ranges are 13 to 16 and 17 to 25 will be forwarded. This access list also allows all other packets to be forwarded.

access-list 600 permit includes 10-20
access-list 600 permit other-access

Related Commands

access-list additional-zones
access-list cable-range
access-list network
access-list other-access
access-list within
access-list zone

access-list network

To define an AppleTalk access list for a single network number (that is, for a nonextended network), use the access-list network global configuration command. To remove an access list, use the no form of this command.

access-list access-list-number {deny | permit} network network
no access-list access-list-number {deny | permit} network network

Syntax Description

access-list-number

Number of the access list. This is a decimal number from 600 to 699.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

network

AppleTalk network number.


Default

No AppleTalk access list for a single network number is defined.

Command Mode

Global configuration

Usage Guidelines

The access-list network command affects matching on nonextended networks only. The conditions defined by this access list are used only when the packet's network number matches a network number specified in one of the access-list network commands. The conditions are never used to match a cable range (for an extended network) even if the cable range has the same starting and ending number.

To delete an access list, specify the minimum number of keywords and arguments needed to delete the desired access list. For example, to delete an entire access list, use the following command:

no access-list access-list-number

To delete the access list for a specific network, use the following command:

no access-list access-list-number {deny | permit} network network

Example

The following example defines an access list that forwards all packets except those destined for networks 1 and 2:

access-list 650 deny network 1
access-list 650 deny network 2
access-list 650 permit other-access

Related Commands

access-list additional-zones
access-list cable-range
access-list includes
access-list other-access
access-list within
access-list zone

access-list other-access

To define the action to take for access checks that apply to networks or cable ranges, use the access-list other-access global configuration command.

access-list access-list-number {deny | permit} other-access

Syntax Description

access-list-number

Number of the access list. This is a decimal number from 600 to 699.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.


Default

Other access is denied.

Command Mode

Global configuration

Usage Guidelines

The access-list other-access command defines the action to take for access checks not explicitly defined with an access-list network, access-list cable-range, access-list includes, or access-list within command. If you do not specify this command, the default action is to deny other access.

Example

The following example defines an access list that forwards all packets except those destined for networks 1 and 2:

access-list 650 deny network 1
access-list 650 deny network 2
access-list 650 permit other-access

Related Commands

access-list additional-zones
access-list cable-range
access-list includes
access-list network
access-list within
access-list zone

access-list within

To define an AppleTalk access list for an extended or a nonextended network whose network number or cable range is included entirely within the specified cable range, use the access-list within global configuration command. To remove this access list, use the no form of this command.

access-list access-list-number {deny | permit} within cable-range
no access-list access-list-number {deny | permit} within cable-range

Syntax Description

access-list-number

Number of the access list. This is a decimal number from 600 to 699.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

cable-range

Cable range or network number. The argument specifies the start and end of the cable range, separated by a hyphen. These arguments are decimal numbers from 1 to 65279. The starting network number must be less than or equal to the ending network number. To specify a network number, set the starting and ending network numbers to the same value.


Default

No AppleTalk access list is defined for an extended or a nonextended network whose network number or cable range is included entirely within the specified cable range.

Command Mode

Global configuration

Usage Guidelines

The access-list within command affects matching on extended and nonextended AppleTalk networks. The conditions defined by this access list are used when the packet's cable range or network number is completely included in one (or more) of those specified in the access-list network command.

To delete an access list, specify the minimum number of keywords and arguments needed to delete the desired access list. For example, to delete the entire access list, use the following command:

no access-list access-list-number

To delete the access list for a specific network, use the following command:

no access-list access-list-number {deny | permit} within cable-range

Example

The following example defines an access list that permits access to packets destined to any nonextended or extended network whose network number or cable range is completely included in the range 10 to 20. This means, for example, that packets whose cable range is 13 to 16 will be forwarded, but those whose cable range is 17 to 25 will not be forwarded. The second line of the example causes all other packets to be forwarded.

access-list 600 permit within 10-20
access-list 600 permit other-access
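
The following added example (not part of the Cisco documentation and not router code) models in Python how the network, cable-range, includes, within, and other-access keywords differ when the same destinations are checked. The sample lists 601 to 603 and the destinations are constructed; the model assumes that entries in one list do not overlap, so it takes the first entry that matches.

```python
import re
from typing import NamedTuple

class Dest(NamedTuple):
    """Packet destination: a cable range (extended) or one network number."""
    start: int
    end: int
    extended: bool

class Entry(NamedTuple):
    action: str    # "permit" or "deny"
    keyword: str   # network, cable-range, includes or within
    start: int
    end: int

LINE = re.compile(
    r"access-list\s+(\d+)\s+(permit|deny)\s+"
    r"(network|cable-range|includes|within|other-access)"
    r"(?:\s+(\d+)(?:-(\d+))?)?$")

def parse(config, number):
    """Return (entries, other_access_action) for one access list number."""
    entries, other = [], "deny"   # default when other-access is not configured
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = LINE.match(line)
        if m is None:
            raise ValueError(f"unsupported line: {line!r}")
        num, action, keyword, lo, hi = m.groups()
        if not 600 <= int(num) <= 699:
            raise ValueError(f"AppleTalk lists are numbered 600-699: {line!r}")
        if int(num) != number:
            continue
        if keyword == "other-access":
            if lo is not None:
                raise ValueError(f"other-access takes no argument: {line!r}")
            other = action
            continue
        # network takes one number; the other keywords take start-end.
        if lo is None or (hi is None) != (keyword == "network"):
            raise ValueError(f"bad argument for {keyword}: {line!r}")
        start, end = int(lo), int(lo if hi is None else hi)
        if keyword != "network" and not 1 <= start <= end <= 65279:
            raise ValueError(f"cable range out of bounds: {line!r}")
        entries.append(Entry(action, keyword, start, end))
    return entries, other

def matches(entry, dest):
    """Apply the matching rule that the chapter gives for each keyword."""
    if entry.keyword == "network":       # nonextended networks only
        return not dest.extended and dest.start == entry.start
    if entry.keyword == "cable-range":   # extended networks, exact range only
        return dest.extended and (dest.start, dest.end) == (entry.start, entry.end)
    if entry.keyword == "includes":      # any partial or complete overlap
        return dest.start <= entry.end and entry.start <= dest.end
    return entry.start <= dest.start and dest.end <= entry.end   # within

def decide(config, number, dest):
    """Return "permit" or "deny" for a destination checked against one list."""
    entries, other = parse(config, number)
    for entry in entries:   # assumption: entries in a list do not overlap
        if matches(entry, dest):
            return entry.action
    return other

# List 600 is the cable-range example from this chapter; 601-603 are
# constructed variants that swap only the keyword.
CONFIG = """\
access-list 600 deny cable-range 10-20
access-list 600 permit other-access
!
access-list 601 deny within 10-20
access-list 601 permit other-access
!
access-list 602 deny includes 10-20
access-list 602 permit other-access
!
access-list 603 permit network 10
"""

# Constructed destinations.
DESTS = [
    ("extended 10-20", Dest(10, 20, True)),
    ("extended 13-16", Dest(13, 16, True)),
    ("extended 17-25", Dest(17, 25, True)),
    ("extended 10-10", Dest(10, 10, True)),
    ("nonextended 10", Dest(10, 10, False)),
    ("extended 30-40", Dest(30, 40, True)),
]

if __name__ == "__main__":
    for number in (600, 601, 602, 603):
        row = ", ".join(f"{label}={decide(CONFIG, number, d)}" for label, d in DESTS)
        print(number, row)
```

In this model, list 600 denies only the exact extended range 10-20, so nonextended network 10 and the extended range 13-16 still reach permit other-access; list 603 has no other-access entry, so everything except nonextended network 10 is denied by default.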

Related Commands

access-list additional-zones
access-list cable-range
access-list includes
access-list network
access-list other-access
access-list zone

access-list zone

To define an AppleTalk access list that applies to a zone, use the access-list zone global configuration command. To remove an access list, use the no form of this command.

access-list access-list-number {deny | permit} zone zone-name
no access-list access-list-number {deny | permit} zone zone-name

Syntax Description

access-list-number

Number of the access list. This is a decimal number from 600 to 699.

deny

Denies access if the conditions are matched.

permit

Permits access if the conditions are matched.

zone-name

Name of the zone. The name can include special characters from the Apple Macintosh character set. To include a special character, type a colon followed by two hexadecimal numbers. The zone name cannot have leading or trailing space characters.


Default

No AppleTalk access list is applied to a zone.

Command Mode

Global configuration

Usage Guidelines

To delete an access list, specify the minimum number of keywords and arguments needed to delete the proper access list. For example, to delete the entire access list, use the following command:

no access-list access-list-number

To delete the access list for a specific network, use the following command:

no access-list access-list-number {deny | permit} zone zone-name

Use the access-list additional-zones command to define the action to take for access checks not explicitly defined with the access-list zone command.

Example

The following example creates an access list based on AppleTalk zones:

access-list 610 deny zone Twilight
access-list 610 permit additional-zones

Related Commands

access-list additional-zones
access-list cable-range
access-list includes
access-list network
access-list other-access
access-list within

appletalk address

To enable nonextended AppleTalk on an interface, use the appletalk address interface configuration command. To disable nonextended AppleTalk, use the no form of this command.

appletalk address network.node
no appletalk address

Syntax Description

network.node

AppleTalk network address assigned to the interface. The argument network is the 16-bit network number in the range 0 to 65280. The argument node is the 8-bit node number in the range 0 to 254. Both numbers are decimal.


Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

You must enable AppleTalk on the interface before assigning zone names.

Specifying an address of 0.0, 0.node, or network.0 puts the interface into discovery mode. When in this mode, the router attempts to determine network address information from another router on the network. You can also enable discovery mode with the appletalk discovery command. Note that discovery mode does not run over synchronous serial lines.

Example

The following example enables nonextended AppleTalk on Ethernet interface 0:

appletalk routing
interface ethernet 0 
 appletalk address 1.129

Related Commands

appletalk cable-range
appletalk discovery
appletalk zone

appletalk cable-range

To assign a range of networks to a cable, use the appletalk cable-range interface configuration command. Use the no form of this command to disable a cable-range setting.

appletalk cable-range cable-range [network.node]
no appletalk cable-range

Syntax Description

cable-range

Cable range or network number. The argument specifies the start and end of the cable range, separated by a hyphen. These arguments are decimal numbers from 1 to 65279. The starting network number must be less than or equal to the ending network number.

network.node

(Optional) Suggested AppleTalk address for the interface. The argument network is the 16-bit network number, and the argument node is the 8-bit node number. Both numbers are decimal. The suggested network number must fall within the specified range of network numbers.


Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

The router needs both a valid cable range and a zone list to use AppleTalk. This command must be entered before the appletalk zone command.

Whenever you change the cable range, the router clears the internal zone list and you must enter a new zone list.

Configure the router for discovery mode if you want to find out what the current cable range is. To configure the router for discovery mode, use the appletalk cable-range 0-0 0.0 command. This causes the router to learn about the AppleTalk network. After saving the command in your configuration file, log back in and enable configuration mode. When you display the configuration, you will see the AppleTalk cable range and the AppleTalk zone variables. Then, add those two entries to the configuration and save the configuration file.

Examples

The following example shows how to use discovery mode:

appletalk routing
interface ether 0
 appletalk cable-range 0-0 0.0
line 5 6
 modem inout
 speed 38400
 arap enable
 autoselect

After you learn the cable range values, add them to the configuration file. For example:

 appletalk cable-range 105-105 105.222
 appletalk zone Marketing
 username arauser password arapasswd

The following example assigns a cable range of 2-2 to the interface:

interface async 1
 appletalk cable-range 2-2

Related Commands

appletalk address
appletalk routing
appletalk zone

appletalk checksum

To enable the generation and verification of checksums for all AppleTalk packets, use the appletalk checksum global configuration command. To disable checksum generation and verification, use the no form of this command.

appletalk checksum
no appletalk checksum

Syntax Description

This command has no arguments or keywords.

Default

Enabled

Command Mode

Global configuration

Usage Guidelines

When the appletalk checksum command is enabled, the router discards incoming DDP packets when the checksum is nonzero and incorrect and the router is the final destination for the packet.

You might want to disable checksum generation and verification if you have older LaserWriter printers or other devices that cannot receive packets that contain checksums.

Example

The following example disables the generation and verification of checksums:

no appletalk checksum

appletalk discovery

To put an interface into discovery mode, use the appletalk discovery interface configuration command. To disable discovery mode, use the no form of this command.

appletalk discovery
no appletalk discovery

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

If an interface is connected to a network that has at least one other operational AppleTalk router, you can dynamically configure the interface using discovery mode. In discovery mode, an interface acquires network address information about the attached network from an operational router and then uses this information to configure itself.

If you enable discovery mode on an interface, that interface must configure itself by acquiring information from another operational router on the attached network when the router is starting up that interface. If no operational router is present on the connected network, the interface will not start up.

If you do not enable discovery mode, the interface must acquire its configuration from memory when the router is starting up. If the stored configuration is not complete, the interface will not start up. If there is another operational router on the connected network, the router will verify the stored interface configuration with that router. If there is any discrepancy, the interface will not start up. If there are no neighboring operational routers, the router will assume the stored interface configuration is correct and will start up.

Once an interface is operational, it can seed the configurations of other routers on the connected network regardless of whether you have enabled discovery mode on any of the routers.

If you enable appletalk discovery and the interface is restarted, you must have another operational router on the directly connected network or the interface will not start up.

It is not advisable to have all routers on a network configured with discovery mode enabled. If all routers were to restart simultaneously (for instance, after a power failure), the network would become inaccessible until at least one router was restarted with discovery mode disabled.

You can also enable discovery mode by specifying an address of 0.0 in the appletalk address command or a cable range of 0-0 in the appletalk cable-range command.

Discovery mode is useful when you are changing a network configuration or when you are adding a router to an existing network.

Discovery mode does not run over synchronous serial lines.

Use the no appletalk discovery command to disable discovery mode and allow the interface to be a seed port. If the interface is not operational when you issue this command, you must configure the zone name before the interface will be operational. If you are reconfiguring an operational interface by issuing the no appletalk discovery command, the command will have no effect because the network configuration is already established.

Example

The following example enables discovery mode on Ethernet interface 0:

interface ethernet 0
 appletalk cable-range 0-0
 appletalk discovery
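
The following added example (not part of the Cisco documentation) is a Python audit of saved router configurations for two conditions described above: a network on which every attached router interface is in discovery mode, and discovery mode configured on a synchronous serial line. The router names, segment names, and configurations are constructed, and treating every interface named serial as a synchronous serial line is an assumption.

```python
import re

ADDRESS = re.compile(r"appletalk address (\d+)\.(\d+)$")
CABLE = re.compile(r"appletalk cable-range (\d+)-(\d+)(?: \S+)?$")

def discovery_interfaces(config):
    """Return {interface: reason} for interfaces configured for discovery mode."""
    found, current = {}, None
    for raw in config.splitlines():
        line = " ".join(raw.split())
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():             # unindented line: global command
            m = re.match(r"interface (.+)$", line)
            current = m.group(1).lower() if m else None
            continue
        if current is None:
            continue
        if line == "appletalk discovery":
            found[current] = "appletalk discovery"
        elif (m := ADDRESS.match(line)) and 0 in map(int, m.groups()):
            # 0.0, 0.node and network.0 all select discovery mode
            found[current] = f"address {m.group(1)}.{m.group(2)}"
        elif (m := CABLE.match(line)) and int(m.group(1)) == int(m.group(2)) == 0:
            found[current] = "cable-range 0-0"
    return found

def audit(configs, segments):
    """Return findings as (kind, subject) tuples.

    configs:  {router: configuration text}
    segments: {segment: [(router, interface), ...]} for interfaces that share
              one AppleTalk network (supplied by the operator)
    """
    state = {router: discovery_interfaces(text) for router, text in configs.items()}
    findings = []
    for segment, members in segments.items():
        # With no seed router, no interface on this network can start up
        # after a simultaneous restart.
        if members and all(iface in state[router] for router, iface in members):
            findings.append(("no-seed", segment))
    for router, ifaces in state.items():
        for iface in ifaces:
            if iface.startswith("serial"):   # assumption: synchronous serial
                findings.append(("sync-serial", f"{router} {iface}"))
    return findings

# Constructed sample configurations.
CONFIGS = {
    "rtr-a": """\
appletalk routing
interface ethernet 0
 appletalk cable-range 0-0 0.0
interface ethernet 1
 appletalk cable-range 105-105 105.222
 appletalk zone Marketing
""",
    "rtr-b": """\
appletalk routing
interface ethernet 0
 appletalk cable-range 0-0
 appletalk discovery
interface serial 0
 appletalk address 0.0
""",
    "rtr-c": """\
appletalk routing
interface ethernet 0
 appletalk address 1.129
interface ethernet 1
 appletalk discovery
""",
}

# Constructed topology: which interfaces sit on the same network.
SEGMENTS = {
    "floor1": [("rtr-a", "ethernet 0"), ("rtr-b", "ethernet 0")],
    "floor2": [("rtr-a", "ethernet 1"), ("rtr-c", "ethernet 1")],
}

if __name__ == "__main__":
    for kind, subject in audit(CONFIGS, SEGMENTS):
        print(kind, subject)
```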

Related Commands

appletalk address
appletalk cable-range
appletalk zone
show appletalk interface

appletalk macip dynamic

To allocate IP addresses to dynamic MacIP clients, use the appletalk macip dynamic global configuration command. To delete a MacIP dynamic address assignment, use the no form of this command.

appletalk macip dynamic ip-address [ip-address] zone server-zone
no appletalk macip [dynamic ip-address [ip-address] zone server-zone]

Syntax Description

ip-address

IP address, in four-part dotted decimal notation. To specify a range, enter two IP addresses, which represent the first and last addresses in the range.

server-zone

Zone in which the MacIP server resides. The argument server-zone can include special characters from the Apple Macintosh character set. To include a special character, specify a colon followed by two hexadecimal numbers. For a list of Macintosh characters, refer to the Apple Computer, Inc. specification Inside AppleTalk. Zone names cannot have leading or trailing space characters.


Default

No IP addresses are allocated to dynamic MacIP clients.

Command Mode

Global configuration

Usage Guidelines

Use the appletalk macip dynamic command when configuring MacIP servers.

Dynamic clients are those that accept any IP address assignment within the dynamic range specified.

In general, it is recommended that you do not use fragmented address ranges in configuring ranges for MacIP. However, if this is unavoidable, use the appletalk macip dynamic command to specify as many addresses or ranges as required and use the appletalk macip static command to assign a specific address or address range.

To shut down all running MacIP services, use the following command:

no appletalk macip

To delete a particular dynamic address assignment from the configuration, use the following command:

no appletalk macip dynamic ip-address [ip-address] zone server-zone

Example

The following example illustrates MacIP support for dynamically addressed MacIP clients with IP addresses in the range 172.16.1.28 to 172.16.1.44.

! This global statement specifies the MacIP server address and zone:
appletalk macip server 172.16.1.27 zone Engineering
!
! This global statement identifies the dynamically addressed clients:
appletalk macip dynamic 172.16.1.28 172.16.1.44 zone Engineering
!
! These statements assign the IP address and subnet mask for Ethernet
! interface 0:
interface ethernet 0
 ip address 172.16.1.27 255.255.255.0
!
! This global statement enables AppleTalk on the router.
appletalk routing
!
! These statements enable AppleTalk on the interface and 
! set the zone name for the interface 
interface ethernet 0
 appletalk cable-range 69-69 69.128
 appletalk zone Engineering

Related Commands

A dagger (†) indicates that the command is documented in another chapter.

appletalk macip server
appletalk macip static
ip address †
show appletalk macip-servers

appletalk macip server

To establish a MacIP server for a zone, use the appletalk macip server global configuration command. To shut down a MacIP server, use the no form of this command.

appletalk macip server ip-address zone server-zone
no appletalk macip [server ip-address zone server-zone]

Syntax Description

ip-address

IP address, in four-part dotted decimal notation. It is suggested that this address match the address of an existing IP interface.

server-zone

Zone in which the MacIP server resides. The argument server-zone can include special characters from the Apple Macintosh character set. To include a special character, specify a colon followed by two hexadecimal numbers. For a list of Macintosh characters, refer to the Apple Computer, Inc. specification Inside AppleTalk. Zone names cannot have leading or trailing space characters.


Default

No MacIP servers are established for a zone.

Command Mode

Global configuration

Usage Guidelines

Use the appletalk macip server command when configuring MacIP servers.

You can configure multiple MacIP servers for a router, but you can assign only one MacIP server to a particular zone and only one IP interface to each MacIP server. In general, you must be able to establish an alias between the IP address you assign with the appletalk macip server command and an existing IP interface. For implementation simplicity, it is suggested that the address specified in this command match an existing IP interface address.

A MacIP server is not registered using NBP until at least one MacIP resource is configured.

To shut down all active MacIP servers, use the following command:

no appletalk macip

To delete a specific MacIP server from the MacIP configuration, use the following command:

no appletalk macip server ip-address zone server-zone

Example

The following example establishes a MacIP server on Ethernet interface 0 in AppleTalk zone Engineering. It then assigns an IP address to the Ethernet interface and enables AppleTalk on the router and the Ethernet interface.

appletalk macip server 172.16.1.27 zone Engineering
interface ethernet 0
 ip address 172.16.1.27 255.255.255.0
appletalk routing
interface ethernet 0
 appletalk cable-range 69-69 69.128
 appletalk zone Engineering

Related Commands

A dagger (†) indicates that the command is documented in another chapter.

appletalk macip dynamic
appletalk macip static
ip address †
show appletalk macip-servers

appletalk macip static

To allocate an IP address to be used by a MacIP client that has reserved a static IP address, use the appletalk macip static global configuration command. To delete a MacIP static address assignment, use the no form of this command.

appletalk macip static ip-address [ip-address] zone server-zone
no appletalk macip [static ip-address [ip-address] zone server-zone]

Syntax Description

ip-address

IP address, in four-part dotted decimal format. To specify a range, enter two IP addresses, which represent the first and last addresses in the range.

server-zone

Zone in which the MacIP server resides. The argument server-zone can include special characters from the Apple Macintosh character set. To include a special character, specify a colon followed by two hexadecimal numbers. For a list of Macintosh characters, refer to the Apple Computer, Inc. specification Inside AppleTalk. Zone names cannot have leading or trailing space characters.


Default

No IP addresses are allocated.

Command Mode

Global configuration

Usage Guidelines

Use the appletalk macip static command when configuring MacIP.

Static addresses are for users who require fixed addresses for IP domain name service and for administrators who do not want addresses to change, so that they always know who has which IP address.

In general, it is recommended that you do not use fragmented address ranges in configuring ranges for MacIP. However, if this is unavoidable, use the appletalk macip dynamic command to specify as many addresses or ranges as required, and then use the appletalk macip static command to assign a specific address or address range.

To shut down all running MacIP services, use the following command:

no appletalk macip

To delete a particular static address assignment from the configuration, use the following command:

no appletalk macip static ip-address [ip-address] zone server-zone

Example

The following example illustrates MacIP support for MacIP clients with statically allocated IP addresses. The IP address range is from 172.16.1.50 to 172.16.1.66. The three nodes that have specific addresses are 172.16.1.81, 172.16.1.92, and 172.16.1.101.

! This global statement specifies the MacIP server address and zone:
appletalk macip server 172.16.1.27 zone Engineering
!
! These global statements identify the statically addressed clients:
appletalk macip static 172.16.1.50 172.16.1.66 zone Engineering
appletalk macip static 172.16.1.81 zone Engineering
appletalk macip static 172.16.1.92 zone Engineering
appletalk macip static 172.16.1.101 zone Engineering
!
! These statements assign the IP address and subnet mask for Ethernet
! interface 0:
interface ethernet 0
 ip address 172.16.1.27 255.255.255.0
!
! This global statement enables AppleTalk on the router.
appletalk routing
!
! These statements enable AppleTalk on the interface and 
! set the zone name for the interface 
interface ethernet 0
 appletalk cable-range 69-69 69.128
 appletalk zone Engineering

Related Commands

A dagger (†) indicates that the command is documented in another chapter.

appletalk macip dynamic
appletalk macip server
ip address †
show appletalk macip-servers

appletalk routing

To enable AppleTalk connections, use the appletalk routing global configuration command. To disable AppleTalk, use the no form of this command.

appletalk routing
no appletalk routing

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

You must enable AppleTalk routing to permit your router to be an AppleTalk Remote Access (ARA) server.

Example

The following example enables AppleTalk protocol processing on the router:

appletalk routing

Related Commands

appletalk address
access-list cable-range
appletalk zone
arap enable

appletalk zone

To set the zone name for the connected AppleTalk network, use the appletalk zone interface configuration command. To delete a zone, use the no form of this command.

appletalk zone zone-name
no appletalk zone [zone-name]

Syntax Description

zone-name

Name of the zone. The name can include special characters from the Apple Macintosh character set. To include a special character, type a colon followed by two hexadecimal numbers. For a list of Macintosh characters, refer to the Apple Computer, Inc. specification Inside AppleTalk. The zone name cannot have leading or trailing spaces.


Default

No zone name is defined.

If a zone list exists, the first zone in the list is the default zone.

Command Mode

Interface configuration

Usage Guidelines

The router needs both a valid cable range and a valid zone list to use AppleTalk.

The appletalk cable-range command must be entered before the appletalk zone command.

The first zone specified in the list is the default zone.

The appletalk zone command accepts spaces in zone names. Do not use quotation marks in the command entry. When you have completed the entry, use the show configuration command to display the configuration file.

The no form of the command deletes a zone name from a zone list or, if you do not specify a zone name, it deletes the entire zone list. Before configuring a new zone list, delete any existing zone-name list using the no appletalk zone command.

The internal zone list is cleared automatically when you issue an appletalk cable-range command. The list is also cleared if you issue the appletalk zone command on an existing network.

Changing the Zone List

AppleTalk routers maintain a complete list of zone names and associated network numbers. AppleTalk network protocols assume that the list of zones is stable if the associated networks remain reachable. The only way to make an old zone name disappear throughout your network is to cause the associated routes to disappear. If you change a zone name and keep the network numbers the same, you might need to wait for the next general power failure for parts of your network to acquire new zone lists and flush the old entry.

Examples

The following example assigns the zone name Twilight to an interface:

interface ethernet 0
 appletalk cable-range 10-20
 appletalk zone Twilight

The following example uses a colon and two hexadecimal numbers to specify a Macintosh special character in the zone name Cisco·Zone.

appletalk zone Cisco:A5Zone

Related Commands

A dagger (†) indicates that the command is documented in another chapter.

appletalk cable-range
show appletalk zone
show configuration

arap authentication

To enable TACACS+ authentication for ARA on a line, use the arap authentication command. Use the no form of the command to disable authentication for an ARA line.

arap authentication {default | list-name}
no arap authentication {default | list-name}

Syntax Description

default

Use the default list created with the aaa authentication arap command.

list-name

Use the indicated list created with the aaa authentication arap command.


Default

ARAP authentication uses the default set with the aaa authentication arap command. If no default is set, the local user database is checked.

Command Mode

Line configuration

Usage Guideline

This command is a per-line command used with TACACS+, and specifies the name of a list of AAA authentication processes to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line). Defaults and lists are created with the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default argument.

Before issuing this command, create a list of authentication processes by using the global configuration aaa authentication arap command.


Caution   If you use a list-name that is not configured using the aaa authentication arap command, you will disable ARAP on this line.

Example

The following example specifies that the TACACS+ authentication list called MIS-access is to be used on ARA line 7:

line 7
 arap authentication MIS-access

Related Command

A dagger (†) indicates that the command is documented in another chapter.

aaa authentication arap

arap callback

To enable an ARA client to request a callback, use the arap callback global configuration command.

arap callback

Syntax Description

This command has no arguments or keywords.

Default

Callback requests are not accepted on lines configured for ARA.

Command Mode

Global configuration

Usage Guidelines

This command enables the router to accept callback requests from ARA clients. You must first enable AppleTalk routing on the router and enable automatic ARA startup on the line. You can then use this command with either local username authentication or TACACS+ authentication.

Example

The following example accepts a callback request from an ARA client:

arap callback

Related Commands

A dagger (†) indicates that the command is documented in another chapter.

arap authentication
autoselect ara
callback forced-wait

ppp authentication
ppp callback
service exec-callback

username

arap dedicated

To configure a line to be used only as an ARA connection, use the arap dedicated line configuration command. Use the no form of the command to return the line to interactive mode.

arap dedicated
no arap dedicated

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Line configuration

Example

The following example configures line 3 to be used only for ARA connections:

line 3 
 arap dedicated

arap enable

To enable ARA for a line, use the arap enable line configuration command. Use the no form of this command to disable ARA.

arap enable
no arap enable

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Line configuration

Example

The following example enables ARA on a line:

line 3 
 arap enable

Related Commands

A dagger (†) indicates that the command is documented in another chapter.

appletalk routing
autoselect

arap network

To create a new network/zone and cause it to be advertised, use the arap network global configuration command. Use the no form of this command to prevent a new network/zone from being advertised.

arap network [network-number] [zone-name]
no arap network

Syntax Description

network-number

(Optional) The AppleTalk network number. The network number must be unique on your AppleTalk network. This network is where all ARAP users appear when they dial in to the network.

zone-name

(Optional) The AppleTalk zone name.


Default

A new network or zone is not created.

Command Mode

Global configuration

Usage Guidelines

This is a required command. ARAP does not run without it in Cisco IOS Release 10.2 and above.

Example

The following example creates a new network/zone:

arap network 400 test zone

arap net-access-list

To control Macintosh access to networks, use the arap net-access-list line configuration command. Use the no form of this command to return to the default setting.

arap net-access-list net-access-list-number
no arap net-access-list net-access-list-number

Syntax Description

net-access-list-number

One of the list values configured using the AppleTalk access-list cable-range, access-list includes, access-list network, access-list other-access, and access-list within commands.


Default

Disabled. The Macintosh has access to all networks.

Command Mode

Line configuration

Usage Guidelines

You can use the arap net-access-list command to apply access lists defined by the access-list cable-range, access-list includes, access-list network, access-list other-access, and access-list within commands.

You cannot use the arap net-access-list command to apply access lists defined by the access-list zone and access-list additional-zones commands.

Example

In the following example, ARA is enabled on line 3 and the Macintosh will have access only to the networks permitted by the AppleTalk access list numbered 650.

line 3
 arap enable
 arap net-access-list 650

Related Commands

access-list cable-range
access-list includes
access-list network
access-list other-access
access-list within
arap zonelist

arap noguest

To prevent Macintosh guests from logging in to the router, use the arap noguest line configuration command. Use the no form of this command to remove this restriction.

arap noguest [if-needed]
no arap noguest

Syntax Description

if-needed

(Optional) Does not authenticate if the user already provided authentication. This allows users to log in as guests if they have already been authenticated through a username and/or password.


Default

Disabled

Command Mode

Line configuration

Usage Guidelines

A guest is a person who connects to the network without having to give a name or a password.


Caution   Do not use the arap noguest command if you are using modified (CCL) scripts and the login tacacs command.

Example

The following example prohibits guests from logging in to the router:

line 3
 arap enable
 arap noguest

arap require-manual-password

To require users to enter their password manually at the time they log in, use the arap require-manual-password line configuration command.

arap require-manual-password

Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Line configuration

Usage Guidelines

This command only works for ARAP 2.0 connections.

Example

The following example forces users to enter their passwords manually at the time they log in, rather than use a saved password:

arap require-manual-password

Related Commands

A dagger (†) indicates that the command is documented in another chapter.

enable password
login (line configuration)
password

arap timelimit

To set the maximum length of an ARA session for a line, use the arap timelimit line configuration command. Use the no form of this command to return to the default of unlimited session length.

arap timelimit [minutes]
no arap timelimit

Syntax Description

minutes

(Optional) Maximum length of time (in minutes) for a session.


Default

Unlimited session length

Command Mode

Line configuration

Usage Guidelines

After the specified length of time, the session will be terminated.

Example

The following example specifies a maximum length of 20 minutes for ARA sessions:

line 3
 arap enable
 arap timelimit 20 

Related Command

arap warningtime

arap use-tacacs

To enable TACACS for ARAP authentication, use the arap use-tacacs line configuration command. Use the no form of this command to disable TACACS for ARAP authentication.

arap use-tacacs [single-line]
no arap use-tacacs

Syntax Description

single-line

(Optional) Accepts the username and password in the username field. If you are using an older version of TACACS (before Extended TACACS), you must use this keyword.


Default

Disabled

Command Mode

Line configuration

Usage Guidelines

This is a per-line command. Use this command only when you have set up an extended TACACS server. This command requires the new Cisco extended TACACS server.


Note   This command cannot be used with AAA/TACACS+. Use the arap authentication command instead.


The command specifies that if a username and password are specified in the username, separated by an asterisk (*), then a standard TACACS login query is performed using that username and password. If the username does not contain an asterisk, then normal ARAP authentication is performed using TACACS.

This feature is useful when integrating TACACS with other authentication systems that require a clear text version of the user's password. Such systems include one-time password systems, token card systems, and others.


Caution   Normal ARAP authentications prevent the clear-text password from being transmitted over the link. When you use the single-line keyword, passwords cross the link in the clear, exposing them to anyone looking for such information.

Due to the two-way nature of the ARAP authentication, the ARA application requires that a password value be entered in the Password field in the ARA dialog box. This secondary password must be "arap." First enter the username and password in the form username*password in the Name field of the dialog box, then enter arap in the Password field.

Example

The following example enables TACACS for ARAP authentication:

line 3
 arap use-tacacs

Related Commands

A dagger (†) indicates that the command is documented in another chapter.

arap enable
arap noguest
autoselect

tacacs-server extended
tacacs-server host

arap warningtime

To set when a disconnect warning message is displayed, use the arap warningtime line configuration command. Use the no form of this command to disable this function.

arap warningtime [minutes]
no arap warningtime

Syntax Description

minutes

(Optional) Amount of time, in minutes, before the configured session time limit. At the configured amount of time before a session is to be disconnected, the router sends a message to the Macintosh client, which causes a warning message to appear on the user's screen.


Default

Disabled

Command Mode

Line configuration

Usage Guidelines

This command can only be used if a session time limit has been configured on the line.

Example

The following example shows a line configured for 20-minute ARA sessions, with a warning 17 minutes after the session is started:

line 3
 arap enable
 arap dedicated
 arap timelimit 20
 arap warningtime 3 

Related Command

arap timelimit

arap zonelist

To control what zones the Macintosh client sees, use the arap zonelist line configuration command. Use the no form of this command to disable the default setting.

arap zonelist zone-access-list-number
no arap zonelist zone-access-list-number

Syntax Description

zone-access-list-number

One of the list values configured using the AppleTalk access-list zone or access-list additional-zones commands.


Default

Disabled. The Macintosh will see all defined zones.

Command Mode

Line configuration

Usage Guidelines

You can use the arap zonelist command to apply access lists defined by the access-list zone and access-list additional-zones commands.

You cannot use the arap zonelist command to apply access lists defined by the access-list network command.

Example

In the following example, ARA is enabled on line 3 and the Macintosh will see only zones permitted by access list 650.

line 3
 arap enable
 arap zonelist 650

Related Commands

access-list additional-zones
access-list zone
arap net-access-list
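
The per-line defaults and cautions in the arap command descriptions above (guest login, network and zone restrictions, session limits, single-line TACACS, and undefined authentication lists) can be checked mechanically against a saved configuration. The following Python audit is an added example, not Cisco code; the finding names, the sample configuration, and the assumption that line subcommands are indented under their line command are constructed for illustration.

```python
import re

# Constructed sample configuration (illustrative; not from the page).
SAMPLE_CONFIG = """\
line 3
 arap enable
 arap noguest
 arap net-access-list 650
 arap zonelist 651
 arap timelimit 20
line 4
 arap enable
 arap use-tacacs single-line
 arap warningtime 3
line 7
 arap enable
 arap authentication MIS-access
"""

CHECKS = [  # (finding name, command prefix, True if the finding fires when the command is absent)
    ("guest-login-allowed", "arap noguest", True),
    ("all-networks-reachable", "arap net-access-list", True),
    ("all-zones-visible", "arap zonelist", True),
    ("unlimited-session", "arap timelimit", True),
    ("cleartext-password", "arap use-tacacs single-line", False),
]

def line_blocks(config):  # -> {line id: [commands configured under that line]}
    blocks, current = {}, None
    for raw in config.splitlines():
        if not raw[:1].isspace():  # top-level text opens a "line" block or closes the open one
            current = blocks.setdefault(raw[5:].strip(), []) if raw.startswith("line ") else None
        elif current is not None:
            current.append(raw.strip())
    return blocks

def audit(config):  # -> {line id: [finding names]} for every line with "arap enable"
    aaa_lists = set(re.findall(r"^aaa authentication arap (\S+)", config, re.M)) | {"default"}
    report = {}
    for line_id, cmds in line_blocks(config).items():
        if "arap enable" not in cmds:
            continue
        has = lambda prefix: any(c.startswith(prefix) for c in cmds)
        found = [name for name, prefix, if_absent in CHECKS if has(prefix) != if_absent]
        if has("arap warningtime") and not has("arap timelimit"):
            found.append("warningtime-without-timelimit")
        named = re.findall(r"^arap authentication (\S+)", "\n".join(cmds), re.M)
        if any(name not in aaa_lists for name in named):
            found.append("undefined-auth-list")  # per the Caution, this disables ARAP on the line
        report[line_id] = found
    return report

if __name__ == "__main__":
    print(audit(SAMPLE_CONFIG))
```

In the sample, line 3 produces no findings, line 4 is flagged for every default it leaves in place plus the clear-text single-line keyword, and line 7 is flagged because MIS-access has no matching aaa authentication arap list.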

debug arap

To debug ARA sessions, use the debug arap privileged EXEC command. Use the no form of this command to turn off the debugging function.

debug arap {internal | memory | mnp4 | v42bis}
no debug arap

Syntax Description

internal

Debug internal ARA packets

memory

Debug memory allocation for ARA

mnp4

Debug low-level asynchronous serial protocol

v42bis

Debug compression


Default

Disabled

Command Mode

Privileged EXEC

Example

The following example activates debugging internal ARA packets on line 3:

debug arap internal

login authentication

To enable TACACS+ authentication for logins, use the login authentication command. Use the no form of the command to return to the default.

login authentication {default | list-name}
no login authentication {default | list-name}

Syntax Description

default

Uses the default list created with the aaa authentication login command.

list-name

Uses the indicated list created with the aaa authentication login command.