-
Cisco IOS Dial Services Command Reference, Release 12.1
-
About the Cisco IOS Software Documentation
-
Commands: A through B
-
Commands: C
-
Commands: D
-
Commands: E through IP
-
Commands IS through LAT
-
Commands: LC through MOD
-
Commands: MU through PPP
-
Commands: PRI through SGBP
-
Commands: SHOW A through E
-
Commands: SHOW I through L
-
Commands: SHOW M
-
Commands: SHOW N through X
-
Commands: SL through TN
-
Commands: TR through VIR
-
Commands: VPDN through X
- Appendixes
-
Index
-
Table Of Contents
Cisco IOS Dial Services Commands
aaa authorization configuration default
Cisco IOS Dial Services Commands
This chapter presents the commands to configure and maintain Cisco IOS dial and access solutions. The commands are presented in alphabetical order. Some commands required for configuring dial and access solutions may be found in other Cisco IOS command references. Use the command reference master index or search online to find these commands.
aaa authorization configuration default
To download static route configuration information from the authorization, authentication, and accounting (AAA) server using TACACS+ or RADIUS, use the aaa authorization configuration default command in global configuration mode. To remove static route configuration information, use the no form of this command.
aaa authorization configuration default {radius | tacacs+}
no aaa authorization configuration default
Syntax Description
Defaults
No configuration authorization is defined.
Command Modes
Global configuration
Command History
Examples
The following example downloads static route information using a TACACS+ server:
aaa authorization configuration default tacacs+Related Commands
aaa route download
To enable the download static route feature and set the amount of time between downloads, use the aaa route download command in global configuration mode. To disable this function, use the no form of the command.
aaa route download [time]
no aaa route download
Syntax Description
Defaults
The default period between downloads (updates) is 720 minutes.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is used to download static route details from the authorization, authentication, and accounting (AAA) server if the name of the router is hostname. The name passed to the AAA server for static routes is hostname-1, hostname-2 .... hostname-n—the router downloads static routes until it fails an index and no more routes can be downloaded.
Examples
The following example sets the AAA route update period to 100 minutes:
aaa route download 100Related Commands
absolute-timeout
To set the interval for closing the connection, use the absolute-timeout command in line configuration mode. To restore the default, use the no form of this command.
absolute-timeout minutes
no absolute-timeout
Syntax Description
Defaults
No timeout interval is automatically set.
Command Modes
Line configuration
Command History
Usage Guidelines
Use the absolute-timeout command line configuration command to configure the EXEC to terminate when the configured number of minutes occurs on the virtual terminal (vty) line. The absolute-timeout command terminates the connection after the specified time period has elapsed, regardless of whether the connection is being used at the time of termination. You can specify an absolute-timeout value for each port. The user is given 20 seconds notice before the session is terminated. You can use this command along with the logout-warning command to notify users of an impending logout.
Cisco IOS software also provides the session-timeout and exec-timeout line configuration commands for releasing lines when they have been idle for too long.
You can set the absolute-timeout command and an AppleTalk Remote Access Protocol (ARAP) timeout for the same line; however, this command supersedes any timeouts set in ARAP. Additionally, ARAP users will receive no notice of any impending termination if you use this command.
Examples
The following example sets an interval of 60 minutes on line 5:
line 5absolute-timeout 60Related Commands
accept dialin
To configure L2TP Network Servers (LNSs) to accept tunneled PPP connections from an L2TP Access Concentrator (LAC) and create an accept-dialin Virtual Private Dialup Network (VPDN) subgroup, use the accept dialin command in VPDN group configuration mode. To remove the accept-dialin subgroup from a VPDN group, use the no form of this command.
accept dialin
no accept dialin
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
VPDN group configuration
Command History
Usage Guidelines
For a VPDN group to accept dialin calls, you must also configure the following commands:
•
terminate-from VPDN group command
•
•
Once an L2F or L2TP tunnel is established, both dial-in and dial-out calls can use the same tunnel.
This command replies to a dial in L2F or L2TP tunnel open request from the specified peer. Once the LNS accepts the request from a LAC, it uses the specified virtual template to clone new virtual access interfaces. This command replaces the vpdn incoming command used in Cisco IOS Release 11.3. The user interface will automatically be upgraded when you reload the router with a 12.0 T or 11.3 AA image.
Typically, you need one VPDN group for each LAC. For an LNS that services many LACs, the configuration can become cumbersome; however, you can use the default VPDN group configuration if all the LACs will share the same tunnel attributes. An example of this scenario would be a LNS that services a large department with many Windows NT L2TP clients that are co-located with the LAC. Each of the Windows NT devices is an L2TP client as well as a LAC. Each of these devices will demand a tunnel to the LNS. If all the tunnels will share the same tunnel attributes you can use a default VPDN group configuration, which excels and simplifies the configuration process.
Note
Examples
The following example enables the LNS to accept an L2TP tunnel from a LAC named mugsy. A virtual-access interface will be cloned from virtual-template 1:
vpdn-group 1accept dialinprotocol l2tpvirtual-template 1terminate-from hostname mugsyIf you do not use the terminate-from command, you automatically enable a default VPDN group, which allows all tunnels to share the same tunnel attributes:
vpdn-group 1! Default L2TP VPDN groupaccept dialinprotocol l2tpvirtual-template 1Related Commands
accept dialout
To accept requests to tunnel Layer 2 Tunneling Protocol (L2TP) dial-out calls and create an accept-dialout VPDN subgroup, use the accept dialout command in VPDN group configuration mode. To remove the accept-dialout subgroup from the VPDN group, use the no form of this command.
accept dialout
no accept dialout
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
VPDN group configuration
Command History
Usage Guidelines
Only L2TP can be used to dial out, not Cisco's Layer 2 Forwarding (L2F).
For a VPDN group to accept dialout calls, you must also configure the following commands:
•
•
•
•
Once an L2TP tunnel is established, both dial-in and dialout calls can use the same tunnel.
Examples
The following example configures a VPDN group to accept L2TP tunnels for dialout calls from the LNS cerise by using dialer 2 as its dialing resource:
vpdn-group 1accept dialoutprotocol l2tpdialer 2terminate-from hostname cerise!interface Dialer2ip unnumbered Ethernet0encapsulation pppdialer in-banddialer aaadialer-group 1ppp authentication chapRelated Commands
access-class (LAT)
To define restrictions on incoming and outgoing connections, use the access-class command in line configuration mode. To remove the access list number, use the no form of this command.
access-class access-list-number {in | out}
no access-class access-list-number
Syntax Description
Defaults
Disabled
Command Modes
Line configuration
Command History
Usage Guidelines
This command defines access list numbers that will then be used with the lat access-list command to specify the access conditions.
The value supplied for the access-list-number argument is used for all protocols supported by the Cisco IOS software. If you are already using an IP access list, you must define local-area transport (LAT) and possibly X.25 access lists permitting connections to everything, to emulate the behavior of previous software versions.
When both IP and LAT connections are allowed from a terminal line and an IP access list is applied to that line with the access-class line configuration command, you must also create a LAT access list with the same number if you want to allow any LAT connections from that terminal. You can specify only one incoming and one outgoing access list number for each terminal line. When checking LAT access lists, if the specified list does not exist, the system denies all LAT connections.
Examples
The following example configures an incoming access class on virtual terminal line 4:
line vty 4 access-class 4 inRelated Commands
arap callback
To enable an AppleTalk Remote Access (ARA) client to request a callback, use the arap callback command in global configuration mode. To disable callback requests, use the no form of this command.
arap callback
no arap callback
Syntax Description
This command has no arguments or keywords.
Defaults
Callback requests are not accepted on lines configured for ARA.
Command Modes
Global configuration
Command History
Usage Guidelines
This command enables the router to accept callback requests from ARA clients. You first have to enable AppleTalk routing on the router and then enable automatic ARA startup on the line. You can use this command with either local username authentication or TACACS+ authentication.
Examples
The following example accepts a callback request from an ARA client:
arap callbackRelated Commands
arap dedicated
To configure a line to be used only as an AppleTalk Remote Access (ARA) connection, use the arap dedicated command in line configuration mode. To return the line to interactive mode, use the no form of the command.
arap dedicated
no arap dedicated
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Line configuration
Command History
Examples
The following example configures line 3 to be used only for ARA connections:
line 3arap dedicatedarap enable
To enable AppleTalk Remote Access (ARA) for a line, use the arap enable command in line configuration mode. Use the no form of this command to disable ARA.
arap enable
no arap enable
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Line configuration
Command History
Examples
The following example enables ARA on a line:
line 3arap enableRelated Commands
appletalk routing
Enables AppleTalk routing.
Configures a line to start an ARA, PPP, or SLIP session.
arap net-access-list
To control Macintosh access to networks, use the arap net-access-list command in line configuration mode. Use the no form of this command to return to the default setting.
arap net-access-list net-access-list-number
no arap net-access-list net-access-list-number
Syntax Description
Defaults
Disabled. The Macintosh has access to all networks.
Command Modes
Line configuration
Command History
Usage Guidelines
You can use the arap net-access-list command to apply access lists defined by the access-list cable-range, access-list includes, access-list network, access-list other-access, and access-list within commands.
You cannot use the arap net-access-list command to apply access lists defined by the access-list zone and access-list additional-zones commands.
Examples
In the following example, ARA is enabled on line 3 and the Macintosh will have access to the AppleTalk access list numbered 650:
line 3arap enablearap net-access-list 650Related Commands
arap network
To create a new network/zone and cause it to be advertised, use the arap network command in global configuration mode. Use the no form of this command to prevent a new network/zone from being advertised.
arap network [network-number] [zone-name]
no arap network
Syntax Description
Defaults
A new network or zone is not created.
Command Modes
Global configuration
Command History
Usage Guidelines
This is a required command. ARAP does not run without it in Cisco IOS Release 10.2 and later.
Examples
The following example creates a new network/zone:
arap network 400 test zonearap noguest
To prevent Macintosh guests from logging in to the router, use the arap noguest command in line configuration mode. Use the no form of this command to remove this restriction.
arap noguest [if-needed]
no arap noguest
Syntax Description
if-needed
(Optional) Does not authenticate if the user already provided authentication. This allows users to log in as guests if they have already been authenticated through a username or password.
Defaults
Disabled
Command Modes
Line configuration
Command History
Usage Guidelines
A guest is a person who connects to the network without having to give a name or a password.
Caution
Examples
The following example prohibits guests from logging in to the router:
line 3arap enablearap noguestarap require-manual-password
To require users to enter their password manually at the time they log in, use the arap require-manual-password command in line configuration mode. Use the no form of this command to disable the manual password-entry requirement.
arap require-manual-password
no arap require-manual-password
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Line configuration
Command History
Usage Guidelines
This command only works for AppleTalk Remote Access Protocol (ARAP) 2.0 connections.
Examples
The following example forces users to enter their passwords manually at the time they log in, rather than use a saved password:
arap require-manual-passwordRelated Commands
arap timelimit
To set the maximum length of an AppleTalk Remote Access (ARA) session for a line, use the arap timelimit command in line configuration mode. Use the no form of this command to return to the default of unlimited session length.
arap timelimit [minutes]
no arap timelimit
Syntax Description
Defaults
Unlimited session length
Command Modes
Line configuration
Command History
Usage Guidelines
After the specified length of time, the session will be terminated.
Examples
The following example specifies a maximum length of 20 minutes for ARA sessions:
line 3arap enablearap timelimit 20Related Commands
arap warningtime
To set when a disconnect warning message is displayed, use the arap warningtime command in line configuration mode. Use the no form of this command to disable this function.
arap warningtime [minutes]
no arap warningtime
Syntax Description
Defaults
Disabled
Command Modes
Line configuration
Command History
Usage Guidelines
This command can only be used if a session time limit has been configured on the line.
Examples
The following example shows a line configured for 20-minute AppleTalk Remote Access (ARA) sessions, with a warning 17 minutes after the session is started:
line 3arap enablearap dedicatedarap timelimit 20arap warningtime 3Related Commands
arap zonelist
To control what zones the Macintosh client sees, use the arap zonelist command in line configuration mode. Use the no form of this command to disable the default setting.
arap zonelist zone-access-list-number
no arap zonelist zone-access-list-number
Syntax Description
zone-access-list-number
One of the list values configured using the AppleTalk access-list zone or access-list additional-zones commands.
Defaults
Disabled. The Macintosh will see all defined zones.
Command Modes
Line configuration
Command History
Usage Guidelines
You can use the arap zonelist command to apply access lists defined by the access-list zone and access-list additional-zones commands.
You cannot use the arap zonelist command to apply access lists defined by the access-list network command.
Hiding a zone from users is not the same as preventing them from sending and receiving packets from the networks that make up that zone. For true security, an arap net-access-list command must be issued to prevent traffic to and from those networks.
Examples
The following example enables AppleTalk Remote Access (ARA) on line 3; the Macintosh will see only zones permitted by access list 650.
line 3arap enablearap zonelist 650Related Commands
async default ip address
The peer default ip address command replaces the async default ip address command.
See the description of the peer default ip address command in this book for more information.
async default routing
To enable the router to pass routing updates to other routers over the AUX port configured as an asynchronous interface, use the async default routing command in interface configuration mode. Use the no form of this command to disable dynamic addressing.
async default routing
no async default routing
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Usage Guidelines
Use the async default routing command to define the default behavior for router-to-router communication over connections to the AUX port configured as an asynchronous interface. This command is commonly used to enable two routers to communicate over an async dial backup link.
To require a remote user to manually configure routing over connections to the AUX port configured as an asynchronous interface, use the async dynamic routing command.
Examples
The following example enables routing over asynchronous interface 0:
interface async 0async default routingRelated Commands
async dynamic address
To specify dynamic asynchronous addressing, use the async dynamic address command in interface configuration mode. Use the no form of this command to disable dynamic addressing.
async dynamic address
no async dynamic address
Syntax Description
This command has no arguments or keywords.
Defaults
Dynamic addressing is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
You can control whether addressing is dynamic (the user specifies the address at the EXEC level when making the connection), or whether default addressing is used (the address is forced by the system). If you specify dynamic addressing, the router must be in interactive mode and the user will enter the address at the EXEC level.
It is common to configure an asynchronous interface to have a default address and to allow dynamic addressing. With this configuration, the choice between the default address or a dynamic addressing is made by users when they enter the slip or ppp EXEC command. If the user enters an address, it is used, and if the user enters the default keyword, the default address is used.
Examples
The following example shows dynamic addressing assigned to async interface six.
interface ethernet 0ip address 10.0.0.1 255.0.0.0interface async 6async dynamic addressRelated Commands
Specifies an IP address, an address from a specific IP address pool, or an address from the DHCP mechanism to be returned to a remote peer connecting to this interface.
async dynamic routing
To enable manually configured routing on an asynchronous interface, use the async dynamic routing command in interface configuration mode. Use the no form of this command to disable routing protocols; static routing is still used.
async dynamic routing
no async dynamic routing
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled
Command Modes
Interface configuration
Command History
Usage Guidelines
The async dynamic routing command is commonly used to manually bring up PPP from an EXEC session.
Examples
The following example shows how to enable manually configured routing on asynchronous interface 1. The ip tcp header-compression passive command enables Van Jacobson TCP header compression and prevents transmission of compressed packets until a compressed packet arrives from the asynchronous link.
interface async 1async dynamic routing async dynamic addressasync default ip address 1.1.1.2 ip tcp header-compression passiveA remote user who establishes a PPP or SLIP connection to this asynchronous interface can enable routing by using the /routing switch or the ppp/routing command.
However, if you want to establish routing by default on connections to an asynchronous interface, use the async default routing command when you configure the interface.
Related Commands
async mode dedicated
To place a line into dedicated asynchronous mode using Serial Line Internet Protocol (SLIP) or PPP encapsulation, use the async mode dedicated command in interface configuration mode. Use the no form of this command to return the line to interactive mode.
async mode dedicated
no async mode dedicated
Syntax Description
This command has no arguments or keywords.
Defaults
Asynchronous mode is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
With dedicated asynchronous network mode, the interface will use either SLIP or PPP encapsulation, depending on which encapsulation method is configured for the interface. An EXEC prompt does not appear, and the router is not available for normal interactive use.
If you configure a line for dedicated mode, you will not be able to use the async dynamic address command, because there is no user prompt.
Examples
The following example assigns an IP address to an asynchronous line and places the line into network mode. Setting the stop bits to 1 enhances performance.
interface async 4async default ip address 172.31.7.51async mode dedicatedencapsulation slipline 20location Joe's computerstopbits 1speed 115200Related Commands
Returns a line that has been placed into dedicated asynchronous network mode to interactive mode, thereby enabling the slip and ppp EXEC commands.
async mode interactive
To return a line that has been placed into dedicated asynchronous network mode to interactive mode, thereby enabling the slip and ppp EXEC commands, use the async mode interactive command in interface configuration mode. Use the no form of this command to prevent users from implementing Serial Line Internet Protocol (SLIP) and PPP at the EXEC level.
async mode interactive
no async mode interactive
Syntax Description
This command has no arguments or keywords.
Defaults
Asynchronous mode is disabled.
Command Modes
Interface configuration
Command History
Usage Guidelines
Interactive mode enables the slip and ppp EXEC commands. In dedicated mode, there is no user EXEC level. The user does not enter any commands, and a connection is automatically established when the user logs in, according to the configuration.
Examples
The following example places async interface 6 into interactive asynchronous mode:
interface async 6async default ip address 172.31.7.51async mode interactiveip unnumbered ethernet 0Related Commands
authen-before-forward
To configure a network access server (NAS) to request authentication of a complete username before making a forwarding decision for dial-in Layer 2 Tunnel Protocol (L2TP) or Layer 2 Forwarding (L2F) tunnels belonging to a virtual private dialup network (VPDN) group, use the authen-before-forward command in VPDN group configuration mode. To disable this configuration, use the no form of this command.
authen-before-forward
no authen-before-forward
Syntax Description
This command has no arguments or keywords.
Command Default
L2TP or L2F tunnels are forwarded to the tunnel server without first requesting authentication of the complete username.
Command Modes
VPDN group configuration
Command History
Usage Guidelines
To configure the NAS to perform authentication of dial-in L2TP or L2F sessions belonging to a specific VPDN group before the sessions are forwarded to the tunnel server, use the authen-before-forward command in VPDN group configuration mode.
To configure the NAS to perform authentication of all dial-in L2TP or L2F sessions before the sessions are forwarded to the tunnel server, configure the vpdn authen-before-forward command in global configuration mode.
You must configure a request dial-in VPDN subgroup by issuing the request-dialin command before you can configure the authen-before-forward command. Removing the request-dialin configuration will remove the authen-before-forward command configuration from the VPDN group.
Enabling the authen-before-forward command instructs the NAS to authenticate the complete username before making a forwarding decision based on the domain portion of the username. A user may be forwarded or terminated locally depending on the information contained in the users RADIUS profile. Users with forwarding information in their RADIUS profile are forwarded based on that information. Users without forwarding information in their RADIUS profile are either forwarded or terminated locally based on the Service-Type in their RADIUS profile. The relationship between forwarding decisions and the information contained in the users RADIUS profile is summarized in Table 3.
Examples
The following example configures an L2F request dial-in VPDN subgroup that sends the entire username to the authentication, authorization, and accounting (AAA) server when a user dials in with a username that includes the domain cisco.com:
vpdn-group 1request-dialinprotocol l2fdomain cisco.cominitiate-to ip 10.0.0.1local name router32authen-before-forwardRelated Commands
autocommand
To configure the Cisco IOS software to automatically execute a command when a user connects to a particular line, use the autocommand command in line configuration mode. Use the no form of this command to disable the automatic execution.
autocommand command
no autocommand command
Syntax Description
command
Any appropriate EXEC command, including the host name and any switches that occur with the EXEC command.
Defaults
No commands are configured to automatically execute.
Command Modes
Line configuration
Command History
Usage Guidelines
This command enables you to automatically execute an EXEC command when a user connects to a line.
Examples
The following example forces an automatic connection to a host named host21 (which could be an IP address):
line vty 4 autocommand connect host21autodetect encapsulation
To enable automatic detection of the encapsulation types operating over a point-to-point link to a specified serial or ISDN interface, use the autodetect encapsulation command in interface configuration mode. To disable automatic dynamic detection of the encapsulation types on a link, use the no form of this command.
autodetect encapsulation {lapb-ta | ppp | v120}
no autodetect encapsulation {lapb-ta | ppp | v120}
Syntax Description
Defaults
No default behavior or values.
Command Modes
Interface configuration
Command History
