Table Of Contents
System Management Commands
aaa accounting
aaa authentication arap
aaa authentication enable default
aaa authentication local-override
aaa authentication login
aaa authentication ppp
aaa authorization
aaa new-model
alias
arap authentication
buffers
buffers huge size
calendar set
cdp enable
cdp holdtime
cdp run
cdp timer
clear cdp counters
clear cdp table
clock calendar-valid
clock read-calendar
clock set
clock summer-time
clock timezone
clock update-calendar
custom-queue-list
downward-compatible-config
enable
enable last-resort
enable password
enable secret
enable use-tacacs
fair-queue
hostname
ip bootp server
load-interval
logging
logging buffered
logging console
logging facility
logging monitor
logging on
logging synchronous
logging trap
login authentication
ntp access-group
ntp authenticate
ntp authentication-key
ntp broadcast
ntp broadcast client
ntp broadcastdelay
ntp clock-period
ntp disable
ntp master
ntp peer
ntp server
ntp source
ntp trusted-key
ntp update-calendar
ping (privileged)
ping (user)
ppp authentication
ppp use-tacacs
priority-group
priority-list default
priority-list interface
priority-list protocol
priority-list queue-limit
privilege level (global)
privilege level (line)
prompt
queue-list default
queue-list interface
queue-list protocol
queue-list queue byte-count
queue-list queue limit
scheduler allocate
scheduler interval
service exec-wait
service finger
service hide-telnet-address
service nagle
service password-encryption
service tcp-keepalives
service tcp-small-servers
service telnet-zero-idle
service timestamps
service udp-small-servers
show aliases
show buffers
show calendar
show cdp
show cdp entry
show cdp interface
show cdp neighbors
show cdp traffic
show clock
show context
show environment
show environment all
show environment last
show environment table
show logging
show memory
show ntp associations
show ntp status
show privilege
show processes
show processes memory
show protocols
show queueing
show snmp
show stacks
show tech-support
snmp-server access-policy
snmp-server chassis-id
snmp-server community
snmp-server contact
snmp-server context
snmp-server enable
snmp-server host
snmp-server location
snmp-server packetsize
snmp-server party
snmp-server queue-length
snmp-server system-shutdown
snmp-server tftp-server-list
snmp-server trap-authentication
snmp-server trap-source
snmp-server trap-timeout
snmp-server view
snmp trap link-status
tacacs-server attempts
tacacs-server authenticate
tacacs-server extended
tacacs-server host
tacacs-server key
tacacs-server last-resort
tacacs-server notify
tacacs-server optional-passwords
tacacs-server retransmit
tacacs-server timeout
test flash
test interfaces
test memory
trace (privileged)
trace (user)
username
System Management Commands
This chapter describes the commands used to manage the router system and its performance on the network. In general, system or network management falls into the following categories. The commands that perform the tasks in these management categories are described in this chapter unless specified otherwise.
• Configuration Management
The configuration of network devices determines the behavior of the network. To manage device configurations, you need to list and compare configuration files on running devices, store configuration files on network servers for shared access, and perform software installations and upgrades. (Configuration management commands required to perform these tasks are described in the chapter entitled "System Image, Microcode Image, and Configuration File Load Commands.")
Other configuration management tasks include naming the router, setting router time services, configuring for synchronous logging of unsolicited messages and debug output, configuring a router for weighted fair queueing, and configuring SNMP support. Configuration management commands required to perform these tasks are described in this chapter.
• Security Management
To manage security on the network, you need to restrict access to the system. You can do so on several different levels:
• Assign and encrypt passwords to restrict access to terminal lines, login connections, or privileged EXEC mode.
• Establish one of three versions of Terminal Access Controller Access Control System (TACACS) protection for network servers that have shared access: TACACS, extended TACACS, or TACACS+, which is coupled with the Authentication, Authorization, and Accounting (AAA) model.
• Restrict login connections to specific users with a username authentication system.
• Control access on serial interfaces with Challenge Handshake Authentication Protocol (CHAP) and Password Authentication Protocol (PAP).
• Create access lists to filter traffic to and from specific destinations. Subsequent chapters that describe the routing protocols in detail define access lists. This section provides general guidelines for creating access lists.
• Create security labels for Internet Protocol (IP) datagrams using the Internet Protocol Security Option (IPSO), as described in the chapter entitled "IP Commands."
• Enable accounting for Internet Protocol (IP) access list violations and display the accounting data. For information on the IP accounting access-violations feature and commands, see the "Configuring IP" chapter of the Router Products Configuration Guide and the "IP Commands" chapter later in this publication.
Security management commands required to perform these tasks are described in this chapter.
• Fault Management
To manage network faults, you need to discover, isolate, and fix the problems. You can discover problems with the system's monitoring commands, isolate problems with the system's test commands, and resolve problems with other commands, including debug.
This chapter describes general fault management commands. For detailed troubleshooting procedures and a variety of scenarios, see the Troubleshooting Internetworking Systems guide. For complete details on all debug commands, see the Debug Command Reference publication.
• System Performance Management
To manage system performance, you need to monitor and determine response time, error rates, and availability. Once these factors are determined, you can perform load-balancing and modify system parameters to enhance performance. For example, priority queuing allows you to prioritize traffic order. You can configure fast and autonomous switching to improve network throughput, as described in the "Configuring Interfaces" chapter of the Router Products Configuration Guide.
See the Internetwork Design Guide for additional information.
• Accounting Management
Accounting management allows you to track both individual and group usage of network resources. You can then reallocate resources as needed. For example, you can change the system timers and configure TCP keepalives. See also the IP accounting feature in the "Configuring IP" chapter of the Router Products Configuration Guide. Additionally, the AAA/TACACS+ aaa accounting command allows you to set start-stop accounting for any or all of the listed functions for this command.
For system management configuration tasks and examples, refer to the chapter entitled "Managing the System" in the Router Products Configuration Guide.
Note
One or more of the commands that previously appeared in this chapter have been replaced by new commands. See the Router Products Command Reference publication for command information. The old commands continue to perform their normal function in the current release, but support for them will cease in future releases.
aaa accounting
To enable AAA accounting of requested services for billing or security purposes when using TACACS+, use the aaa accounting global configuration command. Use the no form of this command to disable accounting.
aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} tacacs+
no aaa accounting {system | network | connection | exec | command level}
Syntax Description
system | Performs accounting for all system-level events not associated with users, such as reloads.
network | Runs accounting for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.
connection | Runs accounting for outbound Telnet and rlogin.
exec | Runs accounting for EXECs (user shells). This keyword might return user profile information such as autocommand information.
command | Runs accounting for all commands at the specified privilege level.
level | The command level that should be accounted for. Valid entries are 0-15.
start-stop | Sends a start record accounting notice at the beginning of a process and a stop record at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting record was received by the accounting server.
wait-start | As in start-stop, sends both a start and a stop accounting record to the accounting server. However, if you use the wait-start keyword, the requested user service does not begin until the start accounting record is acknowledged. A stop accounting record is also sent.
stop-only | Sends a stop record accounting notice at the end of the requested user process.
tacacs+ | Mandatory. Enables the TACACS-style accounting.
Default
AAA accounting is not enabled.
Command Mode
Global configuration
Usage Guideline
The aaa accounting command allows you to set start-stop accounting for any or all of the functions listed in "Syntax Description." For minimal accounting control, issue the stop-only keyword, which sends a stop record accounting notice at the end of the requested user process. For additional accounting control, you can issue the start-stop command, where TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. You can further control access and accounting by issuing the wait-start command, which ensures that the start notice is received by the TACACS+ server before granting the user's process request. Accounting is done only to the TACACS+ server.
Note
This command, along with aaa authorization, replaces the tacacs-server authenticate command in previous versions of TACACS, and can be used only with AAA/TACACS+.
Examples
In the following example, accounting is set for outbound Telnet and rlogin, and both a start and a stop accounting notice are sent to the TACACS+ server:
aaa accounting connection start-stop tacacs+
In the following example, accounting is set for privilege level 15 commands, with a wait-start restriction:
aaa accounting command 15 wait-start tacacs+
Related Commands
aaa authorization
aaa new-model
aaa authentication arap
To enable an AAA authentication method for AppleTalk Remote Access (ARA) users using TACACS+, use the aaa authentication arap global configuration command. Use the no form of this command to disable this authentication.
aaa authentication arap {default | list-name} method1 [...[method4]]
no aaa authentication arap {default | list-name} method1 [...[method4]]
Syntax Description
default | Uses the listed methods that follow this argument as the default list of methods when a user logs in.
list-name | Character string used to name the following list of authentication methods tried when a user logs in.
method | One of the keywords described in Table 5-1.
Default
If the default list is not set, only the local user database is checked. This version has the same effect as the following command:
aaa authentication arap default local
Command Mode
Global configuration
Usage Guideline
The list names and default that you set with the aaa authentication arap command are used with the arap authentication command. These lists can contain up to four authentication methods that are used when a user tries to log in with ARA.
Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list, such as MIS-access. The method argument identifies the list of methods the authentication algorithm tries in the given sequence. You can enter up to four methods, which are described in Table 5-1.
To create a default list that is used if no list is specified in the arap authentication command, use the default keyword followed by the methods you wish to be used in default situations.
The additional methods of authentication are used only if the previous method returns an error, not if it fails.
Use the show running-config command to view lists of authentication methods.
Table 5-1 AAA Authentication ARAP Method Descriptions
Keyword | Description
if-needed | Does not authenticate if the user has already been authenticated on a TTY line.
line | Uses the line password for authentication.
local | Uses the local username database for authentication.
tacacs+ | Uses TACACS+ authentication.
Note
This command cannot be used with TACACS or extended TACACS.
Examples
The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none:
aaa authentication arap MIS-access tacacs+ none
The following example creates the same list, but sets it as the default list that is used for all ARA protocol authentications if no other list is specified:
aaa authentication arap default tacacs+ none
Related Commands
aaa authentication local-override
aaa new-model
arap authentication
aaa authentication enable default
To enable AAA authentication to determine if a user can access the privileged command level with TACACS+, use the aaa authentication enable default global configuration command. Use the no form of this command to disable this authorization method.
aaa authentication enable default method1 [...[method4]]
no aaa authentication enable default method1 [...[method4]]
Syntax Description
method | At least one and up to four of the keywords described in Table 5-2.
Default
If the default list is not set, only the enable password is checked. This version has the same effect as the following command:
aaa authentication enable default enable
On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway.
Command Mode
Global configuration
Usage Guideline
Use the aaa authentication enable default command to create a series of authentication methods that are used to determine if a user can access the privileged command level. You can specify up to four authentication methods. Method keywords are described in Table 5-2. The additional methods of authentication are used only if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.
If a default authentication routine is not set for a function, the default is none and no authentication is performed. Use the show running-config command to view currently configured lists of authentication methods.
Table 5-2 AAA Authentication Enable Default Method Descriptions
Keyword | Description
enable | Uses the enable password for authentication.
line | Uses the line password for authentication.
none | Uses no authentication.
tacacs+ | Uses TACACS+ authentication.
Note
This command cannot be used with TACACS or extended TACACS.
Example
The following example creates an authentication list that first tries to contact a TACACS+ server. If no server can be found, then AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
aaa authentication enable default tacacs+ enable none
Related Commands
aaa authentication local-override
aaa authorization
aaa new-model
enable password
aaa authentication local-override
To have the router check the local user database for authentication before attempting another form of authentication, use the aaa authentication local-override global configuration command. Use the no form of this command to disable the override.
aaa authentication local-override
no aaa authentication local-override
Syntax Description
This command has no arguments or keywords.
Default
Override is disabled.
Command Mode
Global configuration
Usage Guideline
This command is useful when you want to configure an override to the normal authentication process for certain personnel such as system administrators.
When this override is set, the user is always prompted for the username. The system then checks to see if the entered username corresponds to a local account. If the username does not correspond to one in the local database, login proceeds with the methods configured with other aaa commands (such as aaa authentication login). Note when using this command that Username: is fixed as the first prompt.
Example
The following example enables AAA authentication override:
aaa authentication local-override
Related Commands
aaa authentication arap
aaa authentication enable default
aaa authentication login
aaa authentication ppp
aaa new-model
aaa authentication login
To set AAA authentication at login when using TACACS+, use the aaa authentication login global configuration command. Use the no form of this command to disable AAA authentication.
aaa authentication login {default | list-name} method1 [...[method4]]
no aaa authentication login {default | list-name} method1 [...[method4]]
Syntax Description
default | Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name | Character string used to name the following list of authentication methods tried when a user logs in.
method | At least one and up to four of the keywords described in Table 5-3.
Default
If the default list is not set, only the local user database is checked. This version has the same effect as the following command:
aaa authentication login default local
Note
On the console, login will succeed without any authentication checks if default is not set.
Command Mode
Global configuration
Usage Guideline
The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.
Create a list by entering the aaa authentication login list-name method command, where list-name is any character string used to name this list, such as MIS-access. The method argument identifies the list of methods the authentication algorithm tries, in the given sequence. Method keywords are described in Table 5-3.
To create a default list that is used if no list is assigned to a line with the login authentication command, use the default argument followed by the methods you want in default situations.
The additional methods of authentication are used only if the previous method returns an error, not if it fails. To ensure that the authentication will succeed even if all methods return an error, specify none as the final method in the command line.
If authentication is not specifically set for a line, the default is to deny access—no authentication is performed. Use the show running-config command to view currently configured lists of authentication methods.
Table 5-3 AAA Authentication Login Method Descriptions
Keyword | Description
enable | Uses the enable password for authentication.
line | Uses the line password for authentication.
local | Uses the local username database for authentication.
none | Uses no authentication.
tacacs+ | Uses TACACS+ authentication.
Note
This command cannot be used with TACACS or extended TACACS.
Examples
The following example creates an AAA authentication list called MIS-access. This authentication first tries to contact a TACACS+ server. If no server is found, TACACS+ returns an error and AAA tries to use the enable password. If this attempt also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.
aaa authentication login MIS-access tacacs+ enable none
The following example creates the same list, but sets it as the default list that is used for all login authentications if no other list is specified:
aaa authentication login default tacacs+ enable none
Related Commands
aaa authentication local-override
aaa new-model
login authentication
aaa authentication ppp
To specify one or more AAA authentication methods for use on serial interfaces running Point-to-Point Protocol (PPP) when using TACACS+, use the aaa authentication ppp global configuration command. Use the no form of this command to disable authentication.
aaa authentication ppp {default | list-name} method1 [...[method4]]
no aaa authentication ppp {default | list-name} method1 [...[method4]]
Syntax Description
default | Uses the listed authentication methods that follow this argument as the default list of methods when a user logs in.
list-name | Character string used to name the following list of authentication methods tried when a user logs in.
method | At least one and up to four of the keywords described in Table 5-4.
Default
If the default list is not set, only the local user database is checked. This version has the same effect as the following command:
aaa authentication ppp default local
Command Mode
Global configuration
Usage Guideline
The lists that you create with the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that are used when a user tries to log in to the serial interface.
Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name this list, such as MIS-access. The method argument identifies the list of methods the authentication algorithm tries in the given sequence. You can enter up to four methods. Method keywords are described in Table 5-4.
The additional methods of authentication are only used if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error.
If authentication is not specifically set for a function, the default is none and no authentication is performed. Use the show running-config command to view lists of authentication methods.
Table 5-4 AAA Authentication PPP Method Descriptions
Keyword | Description
if-needed | Does not authenticate if user has already been authenticated on a TTY line.
local | Uses the local username database for authentication.
none | Uses no authentication.
tacacs+ | Uses TACACS+ authentication.
Note
This command cannot be used with TACACS or extended TACACS.
Example
The following example creates an AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this action returns an error, the user is allowed access with no authentication.
aaa authentication ppp MIS-access tacacs+ none
Related Commands
aaa authentication local-override
aaa new-model
ppp authentication
aaa authorization
To set parameters that restrict a user's network access based on TACACS+ authorization, use the aaa authorization global configuration command. To disable authorization for a function, use the no form of this command.
aaa authorization {network | connection | exec | command level} methods
no aaa authorization {network | connection | exec | command level}
Syntax Description
network | Performs authorization for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARA protocol.
connection | Runs authorization for outbound Telnet and rlogin.
exec | Runs authorization to determine if the user is allowed to run an EXEC shell. This keyword might return user profile information such as autocommand information.
command | Runs authorization for all commands at the specified privilege level.
level | Specific command level that should be authorized. Valid entries are 0 through 15.
methods | Table 5-5 lists the method keywords.
Default
Authorization is disabled for all actions (equivalent to the keyword none).
Command Mode
Global configuration
Usage Guideline
Use the aaa authorization command to create a list of at least one and up to four authorization methods that can be used when a user accesses the specified function.
Note
This command, along with aaa accounting, replaces the tacacs-server suite of commands in previous versions of TACACS.
The additional methods of authorization are only used if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authorization succeed even if all methods return an error.
Table 5-5 AAA Authorization Method Descriptions
Keyword | Description
tacacs+ | Requests authorization information from the TACACS+ server.
if-authenticated | Allows the user to access the requested function if the user is authenticated.
none | No authorization is performed.
local | Uses the local database for authorization.
If authorization is not specifically set for a function, the default is none and no authorization is performed.
The authorization command causes a request packet containing a series of attribute value pairs to be sent to the TACACS daemon as part of the authorization process. The daemon can:
• accept the request as is
• make changes to the request
• refuse the request, and hence, refuse authorization
Table 5-6 describes attribute value pairs associated with the aaa authorization command. Registered users can find more information about TACACS+ and attribute pairs on Cisco Information Online.
Table 5-6 Attribute Value Pairs for Authorization
Attribute Value | Description
service=arap | Authorization for AppleTalk Remote Access is being requested.
service=shell | Authorization for EXEC startup and command authorization is being requested.
service=ppp | Authorization for PPP is being requested.
service=slip | Authorization for SLIP is being requested.
protocol=lcp | Authorization for LCP is being requested (lower layer of PPP).
protocol=ip | Used with service=slip and service=ppp to indicate which protocol layer is being authorized.
protocol=ipx | Used with service=ppp to indicate which protocol layer is being authorized.
protocol=atalk | Used with service=ppp or service=arap to indicate which protocol layer is being authorized.
protocol=vines | Used with service=ppp for VINES over PPP.
protocol=unknown | Used for undefined or unsupported conditions.
cmd=x | Used with service=shell. If cmd=NULL, this is an authorization request to start an EXEC. If cmd is not NULL, this is a command authorization request and will contain the name of the command being authorized. For example, cmd=telnet.
cmd-arg=x | Used with service=shell. When performing command authorization, the name of the command is given by a cmd=x pair for each argument listed. For example, cmd-arg=archie.sura.net.
acl=x | Used with service=shell and service=arap. For ARA, this pair contains an access list number. For service=shell, this pair contains an access class number. For example, acl=2.
inacl=x | Used with service=ppp and protocol=ip. Contains an IP input access list for SLIP or PPP/IP. For example, inacl=2.
outacl=x | Used with service=ppp and protocol=ip. Contains an IP output access list for SLIP or PPP/IP. For example, outacl=4.
addr=x | Used with service=slip, service=ppp, and protocol=ip. Contains the IP address that the remote host should use when connecting via SLIP or PPP/IP. For example, addr=172.30.23.11.
routing=x | Used with service=slip, service=ppp, and protocol=ip. Equivalent in function to the /routing flag in SLIP and PPP commands. Can either be true or false. For example, routing=true.
timeout=x | Used with service=arap. The number of minutes before an ARA session disconnects. For example, timeout=60.
autocmd=x | Used with service=shell and cmd=NULL. Specifies an autocommand to be executed at EXEC startup. For example, autocmd=telnet foo.com.
noescape=x | Used with service=shell and cmd=NULL. Specifies a noescape option to the username configuration command. Can be either true or false. For example, noescape=true.
nohangup=x | Used with service=shell and cmd=NULL. Specifies a nohangup option to the username configuration command. Can be either true or false. For example, nohangup=false.
priv-lvl=x | Used with service=shell and cmd=NULL. Specifies the current privilege level for command authorization as a number from 0 to 15. For example, priv-lvl=15.
zonelist=x | Used with service=arap. Specifies an AppleTalk zonelist for ARA. For example, zonelist=5.
addr-pool=x | Used with service=ppp and protocol=ip. Specifies the name of a local pool from which to get the address of the remote host.
Examples
The following example specifies that TACACS+-style of authorization is used for all network-related requests. If this authorization method returns an error (if the TACACS+ server cannot be contacted), no authorization is performed and the request is successful.
aaa authorization network tacacs+ none
The following example specifies that TACACS+-style of authorization is run for level 15 commands. If this authorization method returns an error (if the TACACS+ server cannot be contacted), no authorization is performed and the request succeeds.
aaa authorization command 15 tacacs+ none
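The following Python script is an added example, not part of the Cisco documentation. It models the fallback rule stated for the aaa authentication and aaa authorization method lists (the next method is tried only when the previous one returns an error, and none grants access) and uses it to flag lists in a configuration that grant access when every server is unreachable. The sample configuration is constructed from the examples in this chapter, and treating a method with no recorded outcome as an error is an assumption of the simulation.

```python
import re

# Outcomes one method can report. Per the rule in the text, only ERROR
# (for example, the TACACS+ server cannot be contacted) hands control to
# the next method; FAIL (the method answered and rejected) is final.
PASS, FAIL, ERROR = "pass", "fail", "error"


def evaluate(methods, outcomes):
    """Walk a method list and return (granted, deciding_method).

    outcomes maps a method keyword to PASS, FAIL or ERROR. A method with
    no entry is treated as ERROR (an assumption of this simulation).
    """
    for method in methods:
        if method == "none":
            return True, "none"       # nothing is checked: access granted
        result = outcomes.get(method, ERROR)
        if result == PASS:
            return True, method
        if result == FAIL:
            return False, method      # a rejection ends the sequence
    return False, None                # every method errored, no 'none'


# Matches the configuration forms documented in this chapter:
#   aaa authentication {arap | login | ppp} {default | list-name} methods
#   aaa authentication enable default methods
#   aaa authorization {network | connection | exec | command level} methods
AAA_RE = re.compile(r"^aaa\s+(authentication|authorization)\s+(.+)$")


def parse_method_lists(config_text):
    """Return one dict per method list found in the configuration text."""
    found = []
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        text = raw.strip()
        match = AAA_RE.match(text)
        if not match:
            continue                  # also skips 'no aaa ...' lines
        kind, tokens = match.group(1), match.group(2).split()
        if kind == "authentication":
            # function, list name, then methods; 'local-override' has none
            function, name, methods = tokens[0], tokens[1:2], tokens[2:]
        elif tokens[0] == "command":
            function, name, methods = " ".join(tokens[:2]), [], tokens[2:]
        else:
            function, name, methods = tokens[0], [], tokens[1:]
        if methods:
            found.append({"line": lineno, "kind": kind, "function": function,
                          "name": name[0] if name else None,
                          "methods": methods, "text": text})
    return found


def audit(config_text):
    """Return (line, issue, text) tuples for risky method lists."""
    findings = []
    for entry in parse_method_lists(config_text):
        methods = entry["methods"]
        if len(methods) > 4:          # the chapter allows up to four methods
            findings.append((entry["line"], "too-many-methods", entry["text"]))
        if "none" not in methods:
            continue
        # Replay the outage case: every method other than 'none' errors out.
        outage = {m: ERROR for m in methods if m != "none"}
        granted, decided_by = evaluate(methods, outage)
        if granted and decided_by == "none":
            findings.append((entry["line"], "fail-open", entry["text"]))
        if methods[-1] != "none":     # methods after 'none' are never tried
            findings.append((entry["line"], "unreachable-after-none",
                             entry["text"]))
    return findings


# Constructed sample configuration, built from this chapter's examples.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default tacacs+ enable none
aaa authentication login MIS-access tacacs+ local
aaa authentication ppp default tacacs+ none
aaa authentication local-override
aaa authorization command 15 tacacs+ none
aaa authorization exec tacacs+ if-authenticated
"""

if __name__ == "__main__":
    for line, issue, text in audit(SAMPLE_CONFIG):
        print(f"line {line}: {issue}: {text}")
```

Lists reported as fail-open are the ones to review: replacing the trailing none with a method that still checks a credential, such as local or enable, keeps a fallback for server outages without granting unauthenticated access.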
Related Commands
aaa accounting
aaa new-model
aaa new-model
To enable the AAA access control model that includes TACACS+, issue the aaa new-model global configuration command. Use the no form of this command to disable this functionality.
aaa new-model
no aaa new-model
Syntax Description
This command has no arguments or keywords.
Default
AAA/TACACS+ is not enabled.
Command Mode
Global configuration
Usage Guideline
This command enables the AAA access control system and TACACS+. If you initialize this functionality and later decide to use TACACS or extended TACACS, issue the no version of this command and then enable the version of TACACS you want to use.
Example
The following example initializes AAA and TACACS+:
Related Commands
aaa accounting
aaa authentication arap
aaa authentication enable default
aaa authentication local-override
aaa authentication login
aaa authentication ppp
aaa authorization
alias
To create a command alias, use the alias global configuration command. Use the no alias command to delete all aliases in a command mode or to delete a specific alias, and to revert to the original command syntax.
alias mode alias-name alias-command-line
no alias mode [alias-name]
Syntax Description
mode | Command mode of the original and alias commands. See Table 5-7 for a list of options for this argument.
alias-name | Command alias.
alias-command-line | Original command syntax.
Defaults
Default aliases are in EXEC mode as follows:
Command Alias | Original Command
h | help
lo | logout
p | ping
r | resume
s | show
w | where
Command Mode
Global configuration
Usage Guidelines
You can use simple words or abbreviations as aliases. The aliases in the Default section are predefined. They can be turned off using the no alias command.
Table 5-7 shows the acceptable options for the mode argument in the alias global configuration command.
Table 5-7 Mode Argument Options
Argument Options | Mode
configuration | Global configuration
controller | Controller configuration
exec | EXEC
hub | Hub configuration
interface | Interface configuration
ipx-router | IPX router configuration
line | Line configuration
map-class | Map class configuration
map-list | Map list configuration
route-map | Route map configuration
router | Router configuration
See the summary of command modes in the user interface chapter in the Router Products Configuration Guide for more information about command modes.
When you use online help, command aliases are indicated by an asterisk (*), as follows:
*lo=logout lock login logout
When you use online help, aliases that contain spaces (for example, telnet device.cisco.com 25) are displayed as follows:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)#alias exec device-mail telnet device.cisco.com 25
*device-mail="telnet device.cisco.com 25"
When you use online help, the alias is expanded and replaced with the original command, as shown in the following example with the td alias:
Router(config)#alias exec td trace device
*td="trace device" telnet terminal test tn3270
To list only commands and omit aliases, begin your input line with a space. In the following example, the alias td is not shown, because there is a space before the t? command line.
telnet terminal test tn3270 trace
As with commands, you can use online help to display the arguments and keywords that can follow a command alias. In the following example, the alias td is created to represent the command telnet device. The /debug and /line switches can be added to telnet device to modify the command:
Router(config)# alias exec td telnet device
/debug Enable telnet debugging mode
/line Enable telnet line mode
You must enter the complete syntax for the alias command. Partial syntax for aliases is not accepted. In the following example, the parser does not recognize the command t as indicating the alias td.
Example
In the following example, the alias fixmyrt is created for the EXEC-mode command clear ip route 198.92.116.16.
alias exec fixmyrt clear ip route 198.92.116.16
Related Command
show aliases
arap authentication
To enable TACACS+ authentication for ARA on a line, use the arap authentication line configuration command. Use the no form of the command to disable authentication for an ARA line.
arap authentication {default | list-name}
no arap authentication {default | list-name}
Caution 
If you use a list-name value that was not configured with the aaa authentication arap command, ARA protocol will be disabled on this line.
Syntax Description
default | Default list created with the aaa authentication arap command.
list-name | Indicated list created with the aaa authentication arap command.
Default
ARA protocol authentication uses the default set with the aaa authentication arap command. If no default has been set, the local user database is checked.
Command Mode
Line configuration
Usage Guideline
This command is a per-line command that specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list is used (whether or not it is specified in the command line). You create defaults and lists with the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default argument.
Before issuing this command, create a list of authentication processes by using the aaa authentication arap global configuration command.
Example
The following example specifies that the TACACS+ authentication list called MIS-access is used on ARA line 7:
arap authentication MIS-access
Related Command
aaa authentication arap
buffers
Use the buffers global configuration command to make adjustments to initial buffer pool settings and to the limits at which temporary buffers are created and destroyed. Use the no form of this command to return the buffers to their default size.
buffers {small | middle | big | verybig | large | huge | type number} {permanent | max-free | min-free | initial} number
no buffers {small | middle | big | verybig | large | huge | type number} {permanent | max-free | min-free | initial} number
Syntax Description
small | Buffer size of this public buffer pool is 104 bytes.
middle | Buffer size of this public buffer pool is 600 bytes.
big | Buffer size of this public buffer pool is 1524 bytes.
verybig | Buffer size of this public buffer pool is 4520 bytes.
large | Buffer size of this public buffer pool is 5024 bytes.
huge | Default buffer size of this public buffer pool is 18024 bytes. This value can be configured with the buffers huge size command.
type | Interface type of the interface buffer pool. Value cannot be fddi.
number | Interface number of the interface buffer pool.
permanent | Number of permanent buffers that the system tries to create and keep. Permanent buffers are normally not trimmed by the system.
max-free | Maximum number of free or unallocated buffers in a buffer pool.
min-free | Minimum number of free or unallocated buffers in a buffer pool.
initial | Number of additional temporary buffers that are to be allocated when the system is reloaded. This keyword can be used to ensure that the system has necessary buffers immediately after reloading in a high-traffic environment.
number | Number of buffers to be allocated.
Default
The default number of buffers in a pool is determined by the hardware configuration and can be displayed with the EXEC show buffers command.
Command Mode
Global configuration
Usage Guidelines
Normally you need not adjust these parameters; do so only after consulting with technical support personnel. Improper settings can adversely impact system performance.
You cannot configure FDDI buffers.
Examples of Public Buffer Pool Tuning
In the following example, the system will try to keep at least 50 small buffers free:
buffers small min-free 50
In the following example, the permanent buffer pool allocation for big buffers is increased to 200:
buffers big permanent 200
Example of Interface Buffer Pool Tuning
A general guideline is to display buffers with the show buffers command, observe which buffer pool is depleted, and increase that one.
In the following example, the permanent Ethernet 0 interface buffer pool on a Cisco 4000 is increased to 96 because the Ethernet 0 buffer pool is depleted:
buffers ethernet 0 permanent 96
Related Commands
buffers huge size
show buffers
buffers huge size
Use the buffers huge size global configuration command to dynamically resize all huge buffers to the value you specify. Use the no form of this command to restore the default buffer values.
buffers huge size number
no buffers huge size number
Syntax Description
number | Size of huge buffers, in bytes.
Default
18024 bytes
Command Mode
Global configuration
Usage Guidelines
Use only after consulting with technical support personnel. The buffer size cannot be lowered below the default.
Example
In the following example, the system will resize huge buffers to 20000 bytes:
Related Commands
buffers
show buffers
calendar set
To set the system calendar for a Cisco 7000 system or a Cisco 4500 system, use the calendar set EXEC command.
calendar set hh:mm:ss day month year
calendar set hh:mm:ss month day year
Syntax Description
hh:mm:ss | Current time in hours (military format), minutes, and seconds.
day | Current day (by date) in the month.
month | Current month (by name).
year | Current year (no abbreviation).
Command Mode
EXEC
Usage Guidelines
Once you set the Cisco 7000 calendar or the Cisco 4500 calendar, the system clock will be automatically set when the system is restarted or when the clock read-calendar EXEC command is issued. The calendar maintains its accuracy, even after a power failure or system reboot has occurred. The time specified in this command is relative to the configured time zone.
Example
In the following example, the system calendar is manually set to 1:32 p.m. on July 23, 1993:
calendar set 13:32:00 23 July 1993
Related Commands
clock read-calendar
clock set
clock summer-time
clock timezone
clock update-calendar
cdp enable
To enable Cisco Discovery Protocol (CDP) on an interface, use the cdp enable interface configuration command. Use the no form of this command to disable CDP on an interface.
cdp enable
no cdp enable
Syntax Description
This command has no arguments or keywords.
Default
Enabled at the global level and on all supported interfaces.
Command Mode
Interface configuration
Usage Guidelines
CDP is enabled by default at the global level and on each interface in order to send or receive CDP information.
Note
The cdp enable, cdp timer, and cdp run commands affect the operation of the IP on demand routing feature (that is, the router odr global configuration command). For more information on the router odr command, see the "IP Routing Protocols Commands" chapter in the Network Protocols Command Reference, Part 1.
Example
In the following example, CDP is enabled on Ethernet interface 0:
Related Command
cdp run
cdp holdtime
To specify the amount of time the receiving device should hold a CDP packet from your router before discarding it, use the cdp holdtime global configuration command. Use the no form of this command to revert to the default setting.
cdp holdtime seconds
no cdp holdtime
Syntax Description
seconds | Specifies the hold time to be sent in the CDP update packets.
Default
180 seconds
Command Mode
Global configuration
Usage Guidelines
CDP packets are sent with a time-to-live, or hold time, that is nonzero after an interface is enabled, and with a hold time of 0 immediately before an interface is idled down.
The CDP hold time must be set to a higher number of seconds than the time between CDP transmissions, which is set using the cdp timer command.
Example
In the following example, the CDP packets being sent from your device should be held by the receiving device for 60 seconds before being discarded. You might want to set the hold time lower than the default setting of 180 seconds if information about your device changes often and you want the receiving devices to purge this information more quickly.
Related Commands
cdp timer
show cdp
cdp run
To enable CDP on your router, use the cdp run global configuration command. Use the no form of this command to disable CDP.
cdp run
no cdp run
Syntax Description
This command has no arguments or keywords.
Default
Enabled
Command Mode
Global configuration
Usage Guidelines
CDP is enabled on your router by default, which means the Cisco IOS software will receive CDP information. CDP also is enabled on supported interfaces by default. To disable CDP on an interface, use the no cdp enable interface configuration command.
Note
The cdp enable, cdp timer, and cdp run commands affect the operation of the IP on demand routing feature (that is, the router odr global configuration command). For more information on the router odr command, see the "IP Routing Protocols Commands" chapter in the Network Protocols Command Reference, Part 1.
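Because CDP is on by default both globally and per interface, a saved configuration shows only the places where it was turned off. The following Python script is an added example, not part of the original reference: it computes the effective CDP state of each interface from the cdp run and cdp enable defaults and flags a hold time that is not higher than the cdp timer value. The sample configuration is constructed, and the 60-second cdp timer default is an assumption not stated in this section.

```python
import re

CDP_TIMER_DEFAULT = 60      # assumption: cdp timer default, not stated in this section
CDP_HOLDTIME_DEFAULT = 180  # default given in the cdp holdtime entry

# Constructed sample configuration (not from the original page).
SAMPLE_CONFIG = """\
hostname edge-rtr
cdp holdtime 45
cdp timer 60
!
interface Ethernet0
 ip address 192.0.2.1 255.255.255.0
!
interface Serial0
 no cdp enable
!
interface Serial1
 description uplink
"""

def audit_cdp(config_text):
    """Return (globally_enabled, {interface: cdp_active}, findings)."""
    cdp_run = True                      # on unless 'no cdp run' appears
    holdtime, timer = CDP_HOLDTIME_DEFAULT, CDP_TIMER_DEFAULT
    per_if, current = {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):     # a non-indented line ends any interface block
            current = None
        if m := re.match(r"interface\s+(\S+)", line):
            current = m.group(1)
            per_if[current] = True      # cdp enable is the per-interface default
        elif current and line == "no cdp enable":
            per_if[current] = False
        elif line == "no cdp run":
            cdp_run = False
        elif m := re.match(r"cdp (holdtime|timer) (\d+)$", line):
            if m.group(1) == "holdtime":
                holdtime = int(m.group(2))
            else:
                timer = int(m.group(2))
    # An interface sends and receives CDP only if both levels are enabled.
    active = {name: cdp_run and on for name, on in per_if.items()}
    findings = []
    if cdp_run and holdtime <= timer:
        findings.append(f"cdp holdtime {holdtime} is not higher than cdp timer {timer}")
    findings += [f"CDP active on {n}" for n, on in active.items() if on]
    return cdp_run, active, findings

if __name__ == "__main__":
    for finding in audit_cdp(SAMPLE_CONFIG)[2]:
        print(finding)
```

The script does not model interface shutdown state or interface types that do not support CDP.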
Example
In the following example, CDP is disabled for the router:
Related C