Cisco IOS Configuration Fundamentals and Network Management Command Reference, Release 12.3
CFR Commands: ip ftp password -- lsr-path

Table Of Contents

ip ftp password

ip ftp source-interface

ip ftp username

ip http access-class

ip http authentication

ip http client secure-ciphersuite

ip http client secure-trustpoint

ip http max-connections

ip http path

ip http port

ip http secure-ciphersuite

ip http secure-client-auth

ip http secure-port

ip http secure-server

ip http secure-trustpoint

ip http server

ip http timeout-policy

ip rarp-server

ip rcmd domain-lookup

ip rcmd rcp-enable

ip rcmd remote-host

ip rcmd remote-username

ip rcmd rsh-enable

ip rcmd source-interface

ip telnet source-interface

ip tftp source-interface

kron occurrence

kron policy-list

length

line-cli

lives-of-history-kept

load-interval

location

lock

lockable

logging buffered

logging buffered xml

logging console

logging console xml

logging count

logging cns-events

logging facility

logging history

logging history size

logging host

logging linecard

logging monitor

logging monitor xml

logging on

logging origin-id

logging rate-limit

logging source-interface

logging synchronous

logging trap

logout

logout-warning

lsr-path


ip ftp password

To specify the password to be used for File Transfer Protocol (FTP) connections, use the ip ftp password command in global configuration mode. To return the password to its default, use the no form of this command.

ip ftp password [type] password

no ip ftp password

Syntax Description

type

(Optional) Type of encryption to use on the password. A value of 0 disables encryption. A value of 7 indicates proprietary encryption.

password

Password to use for FTP connections.


Defaults

The router forms a password username@routername.domain. The variable username is the username associated with the current session, routername is the configured host name, and domain is the domain of the router.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Examples

The following example configures the router to use the username "red" and the password "blue" for FTP connections:

Router(config)# ip ftp username red 
Router(config)# ip ftp password blue 

Related Commands

Command
Description

ip ftp password

Specifies the password to be used for FTP connections.

ip ftp source-interface

Specifies the source IP address for FTP connections.

ip ftp username

Configures the username for FTP connections.


ip ftp source-interface

To specify the source IP address for File Transfer Protocol (FTP) connections, use the ip ftp source-interface command in global configuration mode. To use the address of the interface where the connection is made, use the no form of this command.

ip ftp source-interface interface

no ip ftp source-interface

Syntax Description

interface

The interface type and number to use to obtain the source address for FTP connections.


Defaults

The FTP source address is the IP address of the interface the FTP packets use to leave the router.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

Use this command to set the same source address for all FTP connections.

Examples

The following example configures the router to use the IP address associated with Ethernet interface 0 as the source address on all FTP packets, regardless of which interface is actually used to send the packet:

ip ftp source-interface ethernet 0

Related Commands

Command
Description

ip ftp passive

Configures the router to use only passive FTP connections.

ip ftp password

Specifies the password to be used for FTP connections.

ip ftp username

Configures the username for FTP connections.


ip ftp username

To configure the username for File Transfer Protocol (FTP) connections, use the ip ftp username command in global configuration mode. To configure the router to attempt anonymous FTP, use the no form of this command.

ip ftp username username

no ip ftp username

Syntax Description

username

Username for FTP connections.


Defaults

The Cisco IOS software attempts an anonymous FTP.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

The remote username must be associated with an account on the destination server.

Examples

In the following example, the router is configured to use the username "red" and the password "blue" for FTP connections:

Router(config)# ip ftp username red 
Router(config)# ip ftp password blue 

Related Commands

Command
Description

ip ftp passive

Configures the router to use only passive FTP connections.

ip ftp password

Specifies the password to be used for FTP connections.

ip ftp source-interface

Specifies the source IP address for FTP connections.


ip http access-class

To specify the access list that should be used to restrict access to the HTTP server, use the ip http access-class command in global configuration mode. To remove a previously configured access list association, use the no form of this command.

ip http access-class access-list-number

no ip http access-class access-list-number

Syntax Description

access-list-number

Standard IP access list number in the range 0 to 99, as configured by the access-list global configuration command.


Defaults

No access list is applied to the HTTP server.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

If this command is configured, the specified access list is assigned to the HTTP server. Before the HTTP server accepts a connection, it checks the access list. If the check fails, the HTTP server does not accept the request for a connection.

Examples

In the following example the access list identified as "20" is defined and assigned to the HTTP server:

Router(config)# ip access-list standard 20 
Router(config-std-nacl)# permit 209.165.202.0 0.0.0.255 
Router(config-std-nacl)# permit 209.165.0.0 0.0.255.255 
Router(config-std-nacl)# permit 209.0.0.0 0.255.255.255 
! (Note: all other access implicitly denied)
Router(config-std-nacl)# exit 
Router(config)# ip http access-class 20 
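
The access list above permits far more than its first entry suggests, because each later entry is wider than the one before it. The following Python sketch is an added example, not part of the Cisco documentation: it evaluates a standard access list with first-match and implicit-deny semantics and reports entries that a later, wider entry makes redundant. The function names are illustrative, and it goes slightly beyond the example by also accepting the any and host source forms.

```python
import ipaddress

# The standard access list 20 from the example above, one entry per line.
ACL_20 = """\
permit 209.165.202.0 0.0.0.255
permit 209.165.0.0 0.0.255.255
permit 209.0.0.0 0.255.255.255
"""

MASK32 = 0xFFFFFFFF


def to_int(dotted):
    return int(ipaddress.IPv4Address(dotted))


def parse_standard_acl(text):
    """Return a list of (action, base, wildcard, original_line) tuples."""
    entries = []
    for line in text.splitlines():
        words = line.split()
        if len(words) < 2 or words[0] not in ("permit", "deny"):
            continue  # blank lines, "!" comments, anything else
        if words[1] == "any":
            base, wild = 0, MASK32
        elif words[1] == "host":
            base, wild = to_int(words[2]), 0
        else:
            base = to_int(words[1])
            # A source with no wildcard mask matches that single address.
            wild = to_int(words[2]) if len(words) > 2 else 0
        # Bits set in the wildcard are "don't care"; clear them in the base.
        entries.append((words[0], base & ~wild & MASK32, wild, line.strip()))
    return entries


def evaluate(entries, source):
    """First matching entry decides; no match means the implicit deny."""
    addr = to_int(source)
    for action, base, wild, _ in entries:
        if (addr & ~wild & MASK32) == base:
            return action
    return "deny"


def covers(a, b):
    """True if entry a matches every address that entry b matches."""
    _, a_base, a_wild, _ = a
    _, b_base, b_wild, _ = b
    return (b_wild & ~a_wild) == 0 and (b_base & ~a_wild & MASK32) == a_base


def redundant_entries(entries):
    """Entries whose removal changes no decision: a later entry with the same
    action covers them and no entry with the other action sits in between."""
    found = []
    for i, entry in enumerate(entries):
        for later in entries[i + 1:]:
            if later[0] != entry[0]:
                break  # an intervening opposite action could change the result
            if covers(later, entry):
                found.append((entry[3], later[3]))
                break
    return found


if __name__ == "__main__":
    acl = parse_standard_acl(ACL_20)
    # Constructed sample sources, chosen to show the effective scope.
    for src in ("209.165.202.9", "209.1.2.3", "198.51.100.7"):
        print(src, "->", evaluate(acl, src))
    for narrow, wide in redundant_entries(acl):
        print("redundant:", narrow, "| covered by:", wide)
```

Run against access list 20, this shows that any source in 209.0.0.0 through 209.255.255.255 reaches the HTTP server, so the two narrower permit entries add no restriction.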

Related Commands

Command
Description

ip access-list

Assigns an ID to an access list and enters access list configuration mode.

ip http server

Enables the HTTP 1.1 server, including the Cisco web browser user interface.


ip http authentication

To specify a particular authentication method for HTTP server users, use the ip http authentication command in global configuration mode. To disable a configured authentication method, use the no form of this command.

ip http authentication {aaa {command-authorization level listname | exec-authorization listname | login-authentication listname} | enable | local | tacacs}

no ip http authentication {aaa {command-authorization level listname | exec-authorization listname | login-authentication listname} | enable | local | tacacs}

Syntax Description

aaa

Indicates that the authentication method used for the authentication, authorization, and accounting (AAA) login service should be used for authentication. The AAA login authentication method is specified by the aaa authentication login default command, unless otherwise specified by the login-authentication listname keyword and argument.

command-authorization

Sets the authorization method list for commands at the specified privilege level.

level

Indicates a privilege value from 0 through 15. By default, there are the following three command privilege levels on the router:

0—Includes the disable, enable, exit, help, and logout commands.

1—Includes all user-level commands at the router > prompt.

15—Includes all enable-level commands at the router > prompt.

listname

Sets the name of the method list.

exec-authorization

Sets the method list for exec authorization.

login-authentication

Sets the method list for login authentication.

enable

Indicates that the "enable" password should be used for authentication. (This is the default method.)

local

Indicates that the login user name, password and privilege level access combination specified in the local system configuration (by the username global configuration command) should be used for authentication and authorization.

tacacs

Indicates that the TACACS (or XTACACS) server should be used for authentication.


Defaults

The "enable" password is required when users (clients) connect to the HTTP server.
Three command privilege levels exist on the router.

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.

12.3(8)

The tacacs keyword was removed. The command-authorization, exec-authorization, and login-authentication keywords were added.

12.3(8)T

The tacacs keyword was removed. The command-authorization, exec-authorization, and login-authentication keywords were added.


Usage Guidelines

The ip http authentication command specifies the authentication method to be used for login when a client connects to the HTTP server. Use of the ip http authentication aaa command option is recommended. The enable, local, and tacacs methods should be specified using the aaa authentication login command.

The "enable" password method is the default HTTP server authentication method. If the enable password is used as the HTTP server login authentication method, the client connects to the HTTP server with a default privilege level of 15.


Note: When the "enable" password is used as the HTTP server login authentication method, any username entered will be ignored; the server will only verify the "enable" password. This may make it easier for an attacker to access the router. Because a username and password pair is more secure than using only a password for authentication, using only the "enable" password for authentication is strongly discouraged. Instead, use of the local or tacacs authentication options, configured as part of a global Authentication, Authorization, and Accounting (AAA) framework, is recommended.
To configure HTTP access as part of an AAA policy, use the ip http authentication aaa command option. The "local", "tacacs", or "enable" authentication methods should then be configured using the aaa authentication login command.


For information about adding users into the local username database, refer to the Cisco IOS Security Configuration Guide.

Examples

The following example specifies that the method configured for AAA should be used for authentication for HTTP server users. The AAA login method is configured as the "local" username/password authentication method. This example specifies that the local username database be used for login authentication and exec authorization of HTTP sessions:

router(config)# aaa authentication login LOCALDB local 
router(config)# aaa authorization exec LOCALDB local
router(config)# ip http authentication aaa login-authentication LOCALDB
router(config)# ip http authentication aaa exec-authorization LOCALDB

Related Commands

Command
Description

aaa authentication login

Specifies the login authentication method to be used by the AAA service.

aaa authorization

Sets parameters that restrict user access to a network.

ip http server

Enables the HTTP server.


ip http client secure-ciphersuite

To specify the CipherSuite that should be used for encryption over the secure HTTP connection from the client to a remote server, use the ip http client secure-ciphersuite command in global configuration mode. To remove a previously configured CipherSuite specification for the client, use the no form of this command.

ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]}

no ip http client secure-ciphersuite

Syntax Description

3des-ede-cbc-sha

SSL_RSA_WITH_3DES_EDE_CBC_SHA—RSA key exchange with 3DES and DES-EDE3-CBC for message encryption and SHA for message digest.

rc4-128-sha

SSL_RSA_WITH_RC4_128_SHA—RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and SHA for message digest.

rc4-128-md5

SSL_RSA_WITH_RC4_128_MD5—RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and MD5 for message digest.

des-cbc-sha

SSL_RSA_WITH_DES_CBC_SHA—RSA key exchange with DES-CBC for message encryption and SHA for message digest.


Defaults

The client and server negotiate the best CipherSuite that they both support from the list of available CipherSuites.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command allows you to restrict the list of CipherSuites (encryption algorithms) that the client offers when connecting to a secure HTTP server. For example, you may want to allow only the most secure CipherSuite(s) to be used.

Unless you have a specific reason to specify the CipherSuites that should be used, or if you are unfamiliar with the details of these CipherSuites, you should leave this command unconfigured and let the server and client negotiate the CipherSuite that they both support (this is the default). The no form of this command returns the list of available CipherSuites to the default (that is, all CipherSuites supported on your device are available for negotiation).

Examples

In the following example the HTTPS client is configured to use only the SSL_RSA_WITH_3DES_EDE_CBC_SHA CipherSuite:

Router(config)# ip http client secure-ciphersuite 3des-ede-cbc-sha

Related Commands

Command
Description

show ip http client secure status

Displays the configuration status of the secure HTTP client.


ip http client secure-trustpoint

To specify the remote certificate authority (CA) trustpoint that should be used if certification is needed for the secure HTTP client, use the ip http client secure-trustpoint command in global configuration mode. To remove a client trustpoint from the configuration, use the no form of this command.

ip http client secure-trustpoint trustpoint-name

no ip http client secure-trustpoint trustpoint-name

Syntax Description

trustpoint-name

Name of a configured trustpoint. Use the same trustpoint name that was used in the associated crypto ca trustpoint command.


Defaults

If the remote HTTPS server requests client certification, the secure HTTP client will use the trustpoint configured as primary in the CA trustpoint configuration.

If a trustpoint is not configured, client certification will fail.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command specifies that the secure HTTP client should use the certificate associated with the trustpoint indicated by the trustpoint-name argument. Use the same trustpoint name that you used in the associated crypto ca trustpoint command.

The specified X.509v3 security certificate will be used by the secure HTTP (HTTPS) client for cases when the remote HTTPS server requires client authorization.

Use of this command assumes you have already declared a CA trustpoint using the crypto ca trustpoint command and associated sub-mode commands. If the remote HTTPS server requires client authorization and a trustpoint is not configured for the client, the remote HTTPS server will reject the connection.

If this command is not used, the client will attempt to use the certificate associated with the primary trustpoint. The primary trustpoint is configured using the primary CA TrustPoint configuration mode command.

Examples

In the following example the CA trustpoint is configured then referenced in the secure HTTP server configuration:

!The following commands specify a CA trustpoint that can be used
!to obtain an X.509v3 security certificate.
Router(config)# crypto ca trustpoint tp1
Router(config-ca)# enrollment url http://host1:80
Router(config-ca)# exit
!The following command is used to actually obtain the security certificate.
!A trustpoint NAME is used because there could be multiple trustpoints
!configured for the router.
Router(config)# crypto ca enroll tp1
!The following command specifies that the secure HTTP client
!should use the certificate associated with the tp1 trustpoint for HTTPS connections.
Router(config)# ip http client secure-trustpoint tp1

Related Commands

Command
Description

crypto ca trustpoint

Specifies a name for a certificate authority trustpoint and enters CA TrustPoint configuration mode.

primary

Indicates that the CA trustpoint being configured should be used as the primary (default) trustpoint.


ip http max-connections

To configure the maximum number of concurrent connections allowed for the HTTP server, use the ip http max-connections command in global configuration mode. To return the maximum connection value to the default, use the no form of this command.

ip http max-connections value

no ip http max-connections value

Syntax Description

value

The maximum number of concurrent HTTP connections. The range is 1 to 16. The default is 5.


Defaults

5 concurrent HTTP connections.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Platform-specific implementations can supersede the upper range limit of 16.

If a new value is configured that is less than the previously configured value while the current number of connections exceeds the new maximum value, the HTTP server will not abort any of the current connections. However, the server will not accept any new connections until the current number of connections falls below the new configured value.

Examples

In the following example the HTTP server is configured to allow up to 10 simultaneous connections:

Router(config)# ip http server 
Router(config)# ip http max-connections 10 

Related Commands

Command
Description

ip http server

Enables the HTTP 1.1 server, including the Cisco web browser user interface.


ip http path

To specify the base path used to locate files for use by the HTTP server, use the ip http path command in global configuration mode. To disable the HTTP server, use the no form of this command.

ip http path url

no ip http path url

Syntax Description

url

Cisco IOS File System (IFS) Uniform Resource Locator (URL) specifying the location of the HTML files used by the HTTP server.


Defaults

The HTTP server is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.0

This command was introduced.


Usage Guidelines

After enabling the HTTP server, you should set the base path by specifying the location of the HTML files to be served. HTML files used by the HTTP web server typically reside in system Flash memory.

Remote URLs can be specified using this command, but use of remote path names (for example, where HTML files are located on a remote TFTP server) is not recommended.

Examples

In the following example, the HTML files are located in the default Flash location on the system:

Router(config)# ip http path flash: 

In the following example, the HTML files are located in the directory named web on the Flash memory card inserted in slot 0:

Router(config)# ip http path slot0:web 

Related Commands

Command
Description

ip http server

Enables the HTTP server, including the Cisco web browser user interface.


ip http port

To specify the port number to be used by the HTTP server, use the ip http port command in global configuration mode. To return the port number to the default, use the no form of this command.

ip http port port-number

no ip http port port-number

Syntax Description

port-number

The port number to be used for the HTTP server. Valid values are 80 or any value from 1024 to 65535. The default is 80.


Defaults

The HTTP server uses port 80.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.

12.2(15)T

This command was modified to restrict port numbers. The port number 443 is now reserved for HTTPS (HTTP over SSL) connections.


Usage Guidelines

HTTP port 80 is the standard port used by web servers.

Examples

In the following example the HTTP server port is changed to port 8080.

Router(config)# ip http server 
Router(config)# ip http port 8080 

Related Commands

Command
Description

ip http server

Enables the HTTP 1.1 server, including the Cisco web browser user interface.


ip http secure-ciphersuite

To specify the CipherSuites that should be used by the secure HTTP server when negotiating a connection with a remote client, use the ip http secure-ciphersuite command in global configuration mode. To return the configuration to the default set of CipherSuites, use the no form of this command.

ip http secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]}

no ip http secure-ciphersuite

Syntax Description

3des-ede-cbc-sha

SSL_RSA_WITH_3DES_EDE_CBC_SHA—RSA key exchange with 3DES and DES-EDE3-CBC for message encryption and SHA for message digest.

rc4-128-sha

SSL_RSA_WITH_RC4_128_SHA—RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and SHA for message digest.

rc4-128-md5

SSL_RSA_WITH_RC4_128_MD5—RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and MD5 for message digest.

des-cbc-sha

SSL_RSA_WITH_DES_CBC_SHA—RSA key exchange with DES-CBC for message encryption and SHA for message digest.


Defaults

The HTTPS server negotiates the best CipherSuite using the list received from the connecting client.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command is used to restrict the list of CipherSuites (encryption algorithms) that should be used for encryption over the HTTPS connection. For example, you may want to allow only the most secure CipherSuite(s) to be used.

Unless you have a specific reason to specify the CipherSuites that should be used, or if you are unfamiliar with the details of these CipherSuites, you should leave this command unconfigured and let the server and client negotiate the CipherSuite that they both support (this is the default).

The supported CipherSuites vary by Cisco IOS software image. For example, "IP Sec56" ("k8") images support only the SSL_RSA_WITH_DES_CBC_SHA CipherSuite in Cisco IOS Release 12.2T.

In terms of router processing load (speed), the following list ranks the CipherSuites from fastest to slowest (slightly more processing time is required for the more secure and more complex CipherSuites):

1. SSL_RSA_WITH_DES_CBC_SHA

2. SSL_RSA_WITH_RC4_128_MD5

3. SSL_RSA_WITH_RC4_128_SHA

4. SSL_RSA_WITH_3DES_EDE_CBC_SHA

Additional information about these CipherSuites can be found online from sources that document the Secure Socket Layer (SSL) 3.0 protocol.

Examples

The following example restricts the CipherSuites offered to a connecting secure web client:

Router(config)# ip http secure-ciphersuite rc4-128-sha rc4-128-md5 

Related Commands

Command
Description

ip http secure-server

Enables the secure HTTP (HTTPS) server.

show ip http server secure status

Displays the configuration status of the secure HTTP server.


ip http secure-client-auth

To configure the secure HTTP server to authenticate connecting clients, use the ip http secure-client-auth command in global configuration mode. To remove the requirement for client authorization, use the no form of this command.

ip http secure-client-auth

no ip http secure-client-auth

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled (that is, client authentication is not required for connections to the secure HTTP server).

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command configures the HTTP server to request an X.509v3 certificate from the client in order to authenticate the client during the connection process.

In the default connection and authentication process, the client requests a certificate from the HTTP server, but the server does not attempt to authenticate the client. Authenticating the client provides more security than server authentication by itself, but not all web clients may be configured for certificate authority (CA) authentication.

Examples

In the following example the secure web server is enabled and the server is configured to accept connections only from clients with a signed security certificate:

Router(config)# no ip http server 
Router(config)# ip http secure-server 
Router(config)# ip http secure-client-auth 

Related Commands

Command
Description

ip http secure-server

Enables the secure HTTP (HTTPS) server.

show ip http server secure status

Displays the configuration status of the secure HTTP server.


ip http secure-port

To specify the port (socket) to be used for connections to the secure HTTP (HTTPS) server, use the ip http secure-port command in global configuration mode. To return the secure HTTP server port number to the default, use the no form of this command.

ip http secure-port port-number

no ip http secure-port

Syntax Description

port-number

Port number that should be used for the secure HTTP server. The default port number is 443. Valid options are 443 or any number in the range 1025 to 65535.


Defaults

Port 443

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following example changes the port for HTTPS server connections from 443 to 1025:

Router(config)# ip http secure-port 1025

Related Commands

Command
Description

ip http secure-server

Enables the secure HTTP (HTTPS) server.


ip http secure-server

To enable the secure HTTP web server, use the ip http secure-server command in global configuration mode. To disable the secure HTTP server, use the no form of this command.

ip http secure-server

no ip http secure-server

Syntax Description

This command has no arguments or keywords.

Defaults

The secure HTTP server is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

The secure HTTP server (also called the HTTPS server) uses the Secure Socket Layer (SSL) version 3.0 protocol.


Note: When enabling the secure HTTP server you should always disable the standard HTTP server to prevent insecure connections to the same services. Disable the standard HTTP server using the no ip http server command in global configuration mode (this is a precautionary step; typically, the HTTP server is disabled by default).


If a certificate authority is to be used for certification, you should declare the CA trustpoint on the routing device before enabling the secure HTTP server.

Examples

In the following example the secure HTTP server is enabled, and the (previously configured) CA trustpoint CA_trust_local is specified:

Router# config terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip http secure-server 
Router(config)# ip http secure-trustpoint CA_trust_local
Router(config)# end

Router# show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-12a
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: CA_trust_local

Related Commands

Command
Description

ip http secure-trustpoint

Specifies the CA trustpoint that should be used for obtaining signed certificates for the secure HTTP server.

show ip http server secure status

Displays the configuration status of the secure HTTP server.


ip http secure-trustpoint

To specify the certificate authority (CA) trustpoint that should be used for obtaining signed certificates for the secure HTTP server, use the ip http secure-trustpoint command in global configuration mode. To remove a previously specified CA trustpoint, use the no form of this command.

ip http secure-trustpoint trustpoint-name

no ip http secure-trustpoint trustpoint-name

Syntax Description

trustpoint-name

Name of a configured trustpoint. Use the same trustpoint name that was used in the associated crypto ca trustpoint command.


Defaults

The secure HTTP server will use the trustpoint configured as primary in the CA trustpoint configuration.

If a trustpoint is not configured, the secure HTTP server will use a self-signed certificate.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command specifies that the secure HTTP server should use the X.509v3 certificate associated with the trustpoint indicated by the trustpoint-name argument. Use the same trustpoint name that you used in the associated crypto ca trustpoint command.

The specified X.509v3 security certificate will be used to authenticate the server to connecting clients, and, if remote client authentication is enabled, to authenticate the connecting clients.

Use of this command assumes you have already declared a CA trustpoint using the crypto ca trustpoint command and associated sub-mode commands. If a trustpoint is not configured, the secure HTTP server will use a self-signed certificate.

If this command is not used, the server will attempt to use the certificate associated with the primary trustpoint. The primary trustpoint is configured using the primary CA TrustPoint configuration mode command.

Examples

In the following example the CA trustpoint is configured, a certificate is obtained, then the certificate is referenced in the secure HTTP server configuration:

!The following commands specify a CA trustpoint that can be used
!to obtain an X.509v3 security certificate.
!A trustpoint NAME is used because there could be multiple trustpoints
!configured for the router.
Router(config)# crypto ca trustpoint tp1
Router(config-ca)# enrollment url http://host1:80
Router(config-ca)# exit
Router(config)# crypto ca authenticate tp1
!The following command is used to actually obtain the security certificate.
Router(config)# crypto ca enroll tp1
Router(config)# ip http secure-server
!The following command specifies that the secure HTTP server
!should use a certificate associated with the tp1 trustpoint for HTTPS connections.
Router(config)# ip http secure-trustpoint tp1

Related Commands

Command
Description

crypto ca trustpoint

Declares the certificate authority (CA) that your routing device should use.

ip http secure-server

Enables the secure HTTP (HTTPS) server.

show ip http server secure status

Displays the configuration status of the secure HTTP server.


ip http server

To enable the HTTP server on your system, including the Cisco web browser user interface, use the ip http server command in global configuration mode. To disable the HTTP server, use the no form of this command.

ip http server

no ip http server

Syntax Description

This command has no arguments or keywords.

Defaults

The HTTP server is disabled.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.

12.2(15)T

The HTTP 1.0 implementation was replaced by the HTTP 1.1 implementation.

The secure HTTP server feature was added.


Usage Guidelines

The HTTP server uses the standard port 80 by default.


Caution: The standard HTTP server and the secure HTTP server can run at the same time on your system. If you enable the secure HTTP server using the ip http secure-server command, you should disable the standard HTTP server using the no ip http server command to ensure that secure data cannot be accessed through the standard HTTP connection.

Examples

In the following example, the HTTP server is enabled and flash: is set as the base path for its files:

Router(config)# ip http server 
Router(config)# ip http path flash: 

Related Commands

Command
Description

ip http path

Specifies the base path used to locate files for use by the HTTP server.

ip http secure-server

Enables the secure HTTP server.


ip http timeout-policy

To configure the parameters for closing connections to the local HTTP server, use the ip http timeout-policy command in global configuration mode. To return the parameters to their defaults, use the no form of this command.

ip http timeout-policy idle seconds life seconds requests value

no ip http timeout-policy

Syntax Description

idle seconds

The maximum number of seconds the connection will be kept open if no data is received or response data cannot be sent out on the connection.

The valid range is from 1 to 600 seconds (10 minutes).

The default value is 180 seconds (3 minutes).

life seconds

The maximum number of seconds the connection will be kept open, from the time the connection is established.

The valid range is from 1 to 86400 seconds (24 hours).

The default value is 180 seconds (3 minutes).

requests value

The maximum limit on the number of requests processed on a persistent connection before it is closed.

The valid range is from 1 to 86400.

The default value is 1.


Defaults

HTTP server connection idle time: 180 seconds (3 minutes)

HTTP server connection life time: 180 seconds (3 minutes)

HTTP server connection maximum requests: 1

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command sets the characteristics that determine how long a connection to the HTTP server should remain open.

This command may not take effect immediately on any HTTP connections that are open at the time you use this command. In other words, new values for idle time, life time, and maximum requests will apply only to connections made to the HTTP server after this command is issued.

A connection may be closed sooner than the configured idle time if the server is too busy or the limit on the life time or the number of requests is reached.

A connection may be closed sooner than the configured life time if the server is too busy or the limit on the idle time or the number of requests is reached. Also, since the server will not close a connection while actively processing a request, the connection may remain open longer than the specified life time if processing is occurring when the life maximum is reached. In this case, the connection will be closed when processing finishes.

A connection may be closed before the maximum number of requests are processed if the server is too busy or the limit on the idle time or life time is reached.

The ip http timeout-policy command allows you to specify a general access policy to the HTTP server by adjusting the connection timeout values. For example, if you want to maximize throughput for HTTP connections, you should configure a policy that minimizes connection overhead. You can do this by specifying large values for the life and requests options so that each connection stays open longer and more requests are processed for each connection.

Another example would be to configure a policy that minimizes the response time for new connections. You can do this by specifying small values for the life and requests options so that the connections are quickly released to serve new clients.

A throughput policy would be better for HTTP sessions with dedicated management applications, as it would allow the application to send more requests before the connection is closed, while a response time policy would be better for interactive HTTP sessions, as it would allow more people to connect to the server at the same time without having to wait for connections to become available.

In general, you should configure these options as appropriate for your environment. The value for the idle option should be balanced so that it is large enough not to cause an unwanted request or response timeout on the connection, but small enough that it does not hold a connection open longer than necessary.

Examples

In the following example, a Throughput timeout policy is applied. This configuration would allow each connection to be idle a maximum of 30 seconds (approximately). Each connection will remain open (be "alive") until either the HTTP server has been busy processing requests for approximately 2 minutes (120 seconds) or until approximately 100 requests have been processed.

Router(config)# ip http timeout-policy idle 30 life 120 requests 100 

In the following example, a Response Time timeout policy is applied. This configuration would allow each connection to be idle a maximum of 30 seconds (approximately). Each connection will be closed as soon as the first request has been processed.

Router(config)# ip http timeout-policy idle 30 life 30 requests 1 
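
The closing rules in the usage guidelines can be traced with a small model. This is an added example, not Cisco code: the names TimeoutPolicy, parse_policy and close_event are hypothetical, the request timelines are constructed, and the "server is too busy" case is deliberately left out.

```python
from dataclasses import dataclass
from typing import List, Tuple


@dataclass(frozen=True)
class TimeoutPolicy:
    """Values of 'ip http timeout-policy', with the documented defaults."""
    idle: int = 180
    life: int = 180
    requests: int = 1

    def __post_init__(self) -> None:
        # Valid ranges as given in the syntax description.
        limits = {"idle": 600, "life": 86400, "requests": 86400}
        for name, upper in limits.items():
            value = getattr(self, name)
            if not 1 <= value <= upper:
                raise ValueError(f"{name} {value} outside 1..{upper}")


def parse_policy(line: str) -> TimeoutPolicy:
    """Parse 'ip http timeout-policy idle S life S requests N'."""
    tok = line.split()
    if (len(tok) != 9 or tok[:3] != ["ip", "http", "timeout-policy"]
            or tok[3::2] != ["idle", "life", "requests"]):
        raise ValueError(f"not a timeout-policy command: {line!r}")
    return TimeoutPolicy(*(int(v) for v in tok[4::2]))


def close_event(policy: TimeoutPolicy,
                requests: List[Tuple[float, float]]) -> Tuple[float, str]:
    """Return (time, reason) at which a connection opened at t=0 is closed.

    requests holds (arrival_time, processing_seconds) pairs, served one at
    a time. Assumption of this model: the server is never "too busy".
    """
    now, served = 0.0, 0   # 'now' is when the connection last went quiet
    for arrival, work in sorted(requests):
        # While waiting, the connection closes at the earlier of the idle
        # deadline and the life deadline.
        if arrival >= min(now + policy.idle, policy.life):
            break
        now = max(arrival, now) + work
        served += 1
        if served >= policy.requests:
            return now, "requests"
        if now >= policy.life:
            # Life expired during processing: the connection is closed only
            # when processing finishes, so it outlives the configured life.
            return now, "life"
    idle_deadline = now + policy.idle
    if idle_deadline <= policy.life:
        return idle_deadline, "idle"
    return float(policy.life), "life"


# The two policies from the examples above.
THROUGHPUT = parse_policy("ip http timeout-policy idle 30 life 120 requests 100")
RESPONSE_TIME = parse_policy("ip http timeout-policy idle 30 life 30 requests 1")

if __name__ == "__main__":
    # Constructed timeline: the last request arrives just before the life
    # limit and takes 5 seconds to process.
    busy = [(0, 1), (20, 1), (40, 1), (60, 1), (80, 1), (100, 1), (119, 5)]
    print("throughput, busy client:", close_event(THROUGHPUT, busy))
    print("throughput, one request:", close_event(THROUGHPUT, [(0, 1)]))
    print("response time:", close_event(RESPONSE_TIME, [(2, 0.5), (3, 0.5)]))
```
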

Related Commands

Command
Description

ip http server

Enables the HTTP server, including the Cisco web browser user interface.


ip rarp-server

To enable the router to act as a Reverse Address Resolution Protocol (RARP) server, use the ip rarp-server command in interface configuration mode. To restore the interface to the default of no RARP server support, use the no form of this command.

ip rarp-server ip-address

no ip rarp-server ip-address

Syntax Description

ip-address

IP address that is to be provided in the source protocol address field of the RARP response packet. Normally, this is set to whatever address you configure as the primary address for the interface.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

This feature makes diskless booting of clients possible between network subnets where the client and server are on separate subnets.

RARP server support is configurable on a per-interface basis, so that the router does not interfere with RARP traffic on subnets that need no RARP assistance.

The Cisco IOS software answers incoming RARP requests only if both of the following two conditions are met:

The ip rarp-server command has been configured for the interface on which the request was received.

A static entry is found in the IP ARP table that maps the MAC address contained in the RARP request to an IP address.

Use the show ip arp EXEC command to display the contents of the IP ARP cache.

Sun Microsystems, Inc. makes use of RARP and UDP-based network services to facilitate network-based booting of SunOS on its workstations. By bridging RARP packets and using both the ip helper-address interface configuration command and the ip forward-protocol global configuration command, the Cisco IOS software should be able to perform the necessary packet switching to enable booting of Sun workstations across subnets. Unfortunately, some Sun workstations assume that the sender of the RARP response, in this case the router, is the host that the client can contact to TFTP load the bootstrap image. This causes the workstations to fail to boot.

By using the ip rarp-server command, the Cisco IOS software can be configured to answer these RARP requests, and the client machine should be able to reach its server by having its TFTP requests forwarded through the router that acts as the RARP server.

In the case of RARP responses to Sun workstations attempting to diskless boot, the IP address specified in the ip rarp-server interface configuration command should be the IP address of the TFTP server. In addition to configuring RARP service, the Cisco IOS software must be configured to forward UDP-based Sun portmapper requests to completely support diskless booting of Sun workstations. This can be accomplished using configuration commands of the following form:

ip forward-protocol udp 111
interface interface name
ip helper-address target-address

RFC 903 documents RARP.

Examples

The following partial example configures a router to act as a RARP server. The router is configured to use the primary address of the specified interface in its RARP responses.

arp 172.30.2.5 0800.2002.ff5b arpa
interface ethernet 0
ip address 172.30.3.100 255.255.255.0
ip rarp-server 172.30.3.100

In the following example, a router is configured to act as a RARP server, with TFTP and portmapper requests forwarded to the Sun server:

! Allow the router to forward broadcast portmapper requests
ip forward-protocol udp 111
! Provide the router with the IP address of the diskless Sun
arp 172.30.2.5 0800.2002.ff5b arpa
interface ethernet 0
! Configure the router to act as a RARP server, using the Sun Server's IP
! address in the RARP response packet.
ip rarp-server 172.30.3.100
! Portmapper broadcasts from this interface are sent to the Sun Server.
ip helper-address 172.30.3.100

Related Commands

Command
Description

ip forward-protocol

Speeds up flooding of UDP datagrams using the spanning-tree algorithm.

ip helper-address

Forwards UDP broadcasts, including BOOTP, received on an interface.


ip rcmd domain-lookup

To reenable the basic Domain Name Service (DNS) security check for rcp and rsh, use the ip rcmd domain-lookup command in global configuration mode. To disable the basic DNS security check for remote copy protocol (rcp) and remote shell protocol (rsh), use the no form of this command.

ip rcmd domain-lookup

no ip rcmd domain-lookup

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

The abbreviation RCMD (remote command) is used to indicate both rsh and rcp.

DNS lookup for RCMD is enabled by default (provided general DNS services are enabled on the system using the ip domain-lookup command).

The no ip rcmd domain-lookup command is used to disable the DNS lookup for RCMD. The ip rcmd domain-lookup command is used to reenable the DNS lookup for RCMD.

DNS lookup for RCMD is performed as a basic security check. This check is performed using a host authentication process. When enabled, the system records the address of the requesting client. That address is mapped to a host name using DNS. Then a DNS request is made for the IP address for that host name. The IP address received is then checked against the original requesting address. If the address does not match with any of the addresses received from DNS, the RCMD request will not be serviced.

This reverse lookup is intended to help protect against spoofing. However, please note that the process only confirms that the IP address is a valid "routable" address; it is still possible for a hacker to spoof the valid IP address of a known host.

The DNS lookup is done after the TCP handshake but before the router (which is acting as a rsh/rcp server) sends any data to the remote client.

The no ip rcmd domain-lookup command will turn off DNS lookups for rsh and rcp only. The no ip domain-lookup command takes precedence over the ip rcmd domain-lookup command. This means that if the no ip domain-lookup command is in the current configuration, DNS will be bypassed for rcp and rsh even if the ip rcmd domain-lookup command is enabled.

Examples

In the following example, the DNS security check is disabled for RCMD (rsh/rcp):

Router(config)# no ip rcmd domain-lookup 

Related Commands

Command
Description

ip domain-lookup

Enables the IP DNS-based host name-to-address translation.


ip rcmd rcp-enable

To configure the Cisco IOS software to allow remote users to copy files to and from the router using remote copy protocol (rcp), use the ip rcmd rcp-enable command in global configuration mode. To disable rcp on the device, use the no form of this command.

ip rcmd rcp-enable

no ip rcmd rcp-enable

Syntax Description

This command has no arguments or keywords.

Defaults

To ensure security, the router is not enabled for rcp by default.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

To allow a remote user to execute rcp commands on the router, you must also create an entry for the remote user in the local authentication database using the ip rcmd remote-host command.

The no ip rcmd rcp-enable command does not prohibit a local user from using rcp to copy system images and configuration files to and from the router.

To protect against unauthorized users copying the system image or configuration files, the router is not enabled for rcp by default.

Examples

In the following example, the rcp service is enabled on the system, the IP address assigned to the Loopback0 interface is used as the source address for outbound rcp and rsh packets, and access is granted to the user "netadmin3" on the remote host 172.16.101.101:

Router(config)# ip rcmd rcp-enable 
Router(config)# ip rcmd source-interface Loopback0 
Router(config)# ip rcmd remote-host router1 172.16.101.101 netadmin3

Related Commands

Command
Description

ip rcmd remote-host

Creates an entry for the remote user in a local authentication database so that remote users can execute commands on the router using rsh or rcp.


ip rcmd remote-host

To create an entry for the remote user in a local authentication database so that remote users can execute commands on the router using remote shell protocol (rsh) or remote copy protocol (rcp), use the ip rcmd remote-host command in global configuration mode. To remove an entry for a remote user from the local authentication database, use the no form of this command.

ip rcmd remote-host local-username {ip-address | host-name} remote-username [enable [level]]

no ip rcmd remote-host local-username {ip-address | host-name} remote-username [enable [level]]

Syntax Description

local-username

Name of the user on the local router. You can specify the router name as the username. This name needs to be communicated to the network administrator or to the user on the remote system. To be allowed to remotely execute commands on the router, the remote user must specify this value correctly.

ip-address

IP address of the remote host from which the local router will accept remotely executed commands. Either the IP address or the host name is required.

host-name

Name of the remote host from which the local router will accept remotely executed commands. Either the host name or the IP address is required.

remote-username

Name of the user on the remote host from which the router will accept remotely executed commands.

enable [level]

(Optional) Enables the remote user to execute privileged EXEC commands using rsh or to copy files to the router using rcp. The range is from 1 to 15. The default is 15. For information on the enable level, refer to the privilege level global configuration command in the Cisco IOS Security Command Reference.


Defaults

No entries are in the local authentication database.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

A TCP connection to a router is established using an IP address. Using the host name is valid only when you are initiating an rcp or rsh command from a local router. The host name is converted to an IP address using DNS or host-name aliasing.

To allow a remote user to execute rcp or rsh commands on a local router, you must create an entry for the remote user in the local authentication database. You must also enable the router to act as an rsh or rcp server.

To enable the router to act as an rsh server, issue the ip rcmd rsh-enable command. To enable the router to act as an rcp server, issue the ip rcmd rcp-enable command. The router cannot act as a server for either of these protocols unless you explicitly enable the capacity.

A local authentication database, which is similar to a UNIX .rhosts file, is used to enforce security on the router through access control. Each entry that you configure in the authentication database identifies the local user, the remote host, and the remote user. To permit a remote user of rsh to execute commands in privileged EXEC mode or to permit a remote user of rcp to copy files to the router, specify the enable keyword and level. For information on the enable level, refer to the privilege level global configuration command in the Cisco IOS Security Command Reference.

An entry that you configure in the authentication database differs from an entry in a UNIX .rhosts file in the following aspect. Because the .rhosts file on a UNIX system resides in the home directory of a local user account, an entry in a UNIX .rhosts file need not include the local username; the local username is determined from the user account. To provide equivalent support on a router, specify the local username along with the remote host and remote username in each authentication database entry that you configure.

For a remote user to be able to execute commands on the router in its capacity as a server, the local username, host address or name, and remote username sent with the remote client request must match values configured in an entry in the local authentication file.

A remote client host should be registered with DNS. The Cisco IOS software uses DNS to authenticate the remote host's name and address. Because DNS can return several valid IP addresses for a host name, the Cisco IOS software checks the address of the requesting client against all of the IP addresses for the named host returned by DNS. If the address sent by the requester is considered invalid, that is, it does not match any address listed with DNS for the host name, then the software will reject the remote-command execution request.

Note that if no DNS servers are configured for the router, then that device cannot authenticate the host in this manner. In this case, the Cisco IOS software sends a broadcast request to attempt to gain access to DNS services on another server. If DNS services are not available, you must use the no ip domain-lookup command to disable the attempt to gain access to a DNS server by sending a broadcast request.

If DNS services are not available and, therefore, you bypass the DNS security check, the software will accept the request to remotely execute a command only if all three values sent with the request match exactly the values configured for an entry in the local authentication file.

Examples

The following example allows the remote user named netadmin3 on a remote host with the IP address 172.16.101.101 to execute commands on router1 using the rsh or rcp protocol. User netadmin3 is allowed to execute commands in privileged EXEC mode.

Router(config)# ip rcmd remote-host router1 172.16.101.101 netadmin3 enable
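
The acceptance decision described above and under ip rcmd domain-lookup (the DNS check, then the three-value match, then the enable keyword) can be written out as a model. This is an added example, not Cisco code: the names RemoteHostEntry, RcmdRequest, dns_check and authorize are hypothetical, the DNS data and the second entry are constructed, and both the order of the checks and the rejection of a client with no reverse record are assumptions of the model.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class RemoteHostEntry:
    """One 'ip rcmd remote-host' entry in the local authentication database."""
    local_username: str
    host_ip: str
    remote_username: str
    enable_level: Optional[int] = None   # None: 'enable' keyword not configured


@dataclass(frozen=True)
class RcmdRequest:
    client_ip: str               # source address of the incoming TCP connection
    local_username: str          # values sent with the request
    remote_username: str
    needs_enable: bool = False   # privileged EXEC via rsh, or rcp copy to router


def dns_check(client_ip: str, ptr: Dict[str, str],
              a_records: Dict[str, List[str]]) -> bool:
    """Address -> host name -> addresses; the client must be among them."""
    name = ptr.get(client_ip)
    if name is None:
        return False   # assumption: no host name means nothing can match
    # DNS can return several addresses for a name; any one of them may match.
    return client_ip in a_records.get(name, [])


def authorize(req: RcmdRequest, entries: List[RemoteHostEntry],
              ptr: Dict[str, str], a_records: Dict[str, List[str]],
              ip_domain_lookup: bool = True,
              rcmd_domain_lookup: bool = True) -> Tuple[bool, str]:
    """Return (accepted, reason) for one rsh/rcp request."""
    # 'no ip domain-lookup' takes precedence: the check runs only if both
    # general DNS and the RCMD lookup are enabled.
    if ip_domain_lookup and rcmd_domain_lookup:
        if not dns_check(req.client_ip, ptr, a_records):
            return False, "dns-mismatch"
    for entry in entries:
        if (entry.local_username, entry.host_ip, entry.remote_username) == (
                req.local_username, req.client_ip, req.remote_username):
            if req.needs_enable and entry.enable_level is None:
                return False, "enable-not-configured"
            return True, "match"
    return False, "no-entry"


# First entry: the page's example (enable defaults to level 15).
# Second entry: constructed, configured without the enable keyword.
ENTRIES = [
    RemoteHostEntry("router1", "172.16.101.101", "netadmin3", 15),
    RemoteHostEntry("router1", "172.16.101.150", "netops"),
]
# Constructed DNS data: .101 resolves consistently, .150 has no reverse record.
PTR = {"172.16.101.101": "mgmt1.example.net"}
A_RECORDS = {"mgmt1.example.net": ["172.16.101.101", "172.16.101.102"]}

if __name__ == "__main__":
    listed = RcmdRequest("172.16.101.101", "router1", "netadmin3", True)
    no_ptr = RcmdRequest("172.16.101.150", "router1", "netops")
    print(authorize(listed, ENTRIES, PTR, A_RECORDS))
    print(authorize(no_ptr, ENTRIES, PTR, A_RECORDS))
    # With the check disabled, only the three values decide the outcome.
    print(authorize(no_ptr, ENTRIES, PTR, A_RECORDS, rcmd_domain_lookup=False))
```

Every input to the decision is either DNS data or the source address of the connection, which is why the check cannot tell the listed host from another sender using that host's address.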

Related Commands

Command
Description

ip rcmd rcp-enable

Configures the Cisco IOS software to allow remote users to copy files to and from the router.

ip domain-lookup

Enables the IP DNS-based host name-to-address translation.

ip rcmd rsh-enable

Configures the router to allow remote users to execute commands on it using the rsh protocol.


ip rcmd remote-username

To configure the remote username to be used when requesting a remote copy using remote copy protocol (rcp), use the ip rcmd remote-username command in global configuration mode. To remove the remote username from the configuration, use the no form of this command.

ip rcmd remote-username username

no ip rcmd remote-username username

Syntax Description

username

Name of the remote user on the server. This name is used for rcp copy requests. All files and images to be copied are searched for or written relative to the directory of the remote user's account, if the server has a directory structure, for example, as do UNIX systems.


Defaults

If you do not issue this command, the Cisco IOS software sends the remote username associated with the current tty process, if that name is valid, for rcp copy commands. For example, if the user is connected to the router through Telnet and the user was authenticated through the username command, then the software sends that username as the remote username.


Note The remote username must be associated with an account on the destination server.


If the username for the current tty process is not valid, the Cisco IOS software sends the host name as the remote username. For rcp boot commands, the Cisco IOS software sends the access server host name by default.


Note For Cisco, tty lines are commonly used for access services. The concept of tty originated with UNIX. For UNIX systems, each physical device is represented in the file system. Terminals are called tty devices (tty stands for teletype, the original UNIX terminal).


Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

The rcp protocol requires that a client send the remote username on an rcp request to the server. Use this command to specify the remote username to be sent to the server for an rcp copy request. If the server has a directory structure, as do UNIX systems, all files and images to be copied are searched for or written relative to the directory of the remote user's account.


Note Cisco IOS Release 10.3 added the ip keyword to rcmd commands. If you are upgrading from Release 10.2 to Release 10.3 or a later release, this keyword is automatically added to any rcmd commands you have in your Release 10.2 configuration files.


Examples

The following example configures the remote username to netadmin1:

Router(config)# ip rcmd remote-username netadmin1 

Related Commands

Command
Description

boot network rcp

Changes the default name of the network configuration file from which to load configuration commands.

boot system rcp

Specifies the system image that the router loads at startup.

bridge acquire

Forwards any frames for stations that the system has learned about dynamically.

copy

Copies any file from a source to a destination.


ip rcmd rsh-enable

To configure the router to allow remote users to execute commands on it using remote shell protocol (rsh), use the ip rcmd rsh-enable command in global configuration mode. To disable a router that is enabled for rsh, use the no form of this command.

ip rcmd rsh-enable

no ip rcmd rsh-enable

Syntax Description

This command has no arguments or keywords.

Defaults

To ensure security, the router is not enabled for rsh by default.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

rsh, used as a client process, gives users the ability to remotely get router information (such as status) without the need to connect into the router and then disconnect. This is valuable when looking at many statistics on many different routers.

Use this command to enable the router to receive rsh requests from remote users. In addition to issuing this command, you must create an entry for the remote user in the local authentication database to allow a remote user to execute rsh commands on the router.

The no ip rcmd rsh-enable command does not prohibit a local user of the router from executing a command on other routers and UNIX hosts on the network using rsh. The no form of this command only disables remote access to rsh on the router.

Examples

The following example enables a router as an rsh server:

Router(config)# ip rcmd rsh-enable 
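
A saved configuration can be checked for the combinations this reference warns about: the standard HTTP server left on beside the secure one, rsh or rcp service enabled, the RCMD DNS check bypassed, and remote-host entries carrying enable. This is an added example, not Cisco code: the function names and finding codes are hypothetical, the sample configurations are constructed, and the script assumes that the last occurrence of a command in the file wins.

```python
import re
from typing import Dict, List, Tuple

# On/off commands audited here with their default state (True = enabled),
# as documented for each command.
DEFAULTS: Dict[str, bool] = {
    "ip http server": False,
    "ip http secure-server": False,
    "ip rcmd rcp-enable": False,
    "ip rcmd rsh-enable": False,
    "ip rcmd domain-lookup": True,
    "ip domain-lookup": True,
}
REMOTE_HOST = re.compile(
    r"^ip rcmd remote-host (?P<local>\S+) (?P<host>\S+) (?P<remote>\S+)"
    r"(?: (?P<enable>enable)(?: (?P<level>\d+))?)?$")

# Constructed sample configurations (not taken from a real device).
SAMPLE_CONFIG = """\
hostname router1
ip http server
ip http secure-server
ip http secure-trustpoint tp1
no ip rcmd domain-lookup
ip rcmd rsh-enable
ip rcmd remote-host router1 172.16.101.101 netadmin3 enable
ip rcmd remote-host router1 172.16.101.102 netadmin4
"""
HARDENED_CONFIG = """\
hostname router1
no ip http server
ip http secure-server
ip http secure-trustpoint tp1
"""


def normalise(raw: str) -> str:
    """Collapse indentation and repeated spaces in one configuration line."""
    return " ".join(raw.split())


def effective_state(config: str) -> Dict[str, bool]:
    """Apply each audited command or its 'no' form on top of the defaults."""
    state = dict(DEFAULTS)
    for raw in config.splitlines():
        line = normalise(raw)
        negated = line.startswith("no ")
        command = line[3:] if negated else line
        if command in state:
            state[command] = not negated
    return state


def audit(config: str) -> List[Tuple[str, str]]:
    """Return (code, detail) findings for one configuration."""
    state = effective_state(config)
    findings: List[Tuple[str, str]] = []
    if state["ip http server"] and state["ip http secure-server"]:
        findings.append(("HTTP-WITH-HTTPS",
                         "standard HTTP server still enabled beside HTTPS"))
    services = [s for s in ("rcp", "rsh") if state[f"ip rcmd {s}-enable"]]
    if not services:
        return findings   # remote-host entries are inert without a server
    findings.append(("RCMD-SERVER",
                     "router accepts " + "/".join(services) + " requests"))
    if not (state["ip domain-lookup"] and state["ip rcmd domain-lookup"]):
        findings.append(("RCMD-DNS-CHECK-OFF",
                         "DNS security check is bypassed for rsh/rcp"))
    for raw in config.splitlines():
        entry = REMOTE_HOST.match(normalise(raw))
        if entry and entry.group("enable"):
            level = int(entry.group("level") or 15)   # default level is 15
            findings.append(("RCMD-ENABLE",
                             f"{entry.group('remote')}@{entry.group('host')} "
                             f"granted enable level {level}"))
    return findings


if __name__ == "__main__":
    for code, detail in audit(SAMPLE_CONFIG):
        print(f"{code}: {detail}")
```
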

Related Commands

Command
Description

ip rcmd remote-host

Creates an entry for the remote user in a local authentication database so that remote users can execute commands on the router using rsh or rcp.


ip rcmd source-interface

To force remote copy protocol (rcp) or remote shell protocol (rsh) to use the IP address of a specified interface for all outgoing rcp/rsh communication packets, use the ip rcmd source-interface command in global configuration mode. To disable a previously configured ip rcmd source-interface command, use the no form of this command.

ip rcmd source-interface interface-id

no ip rcmd source-interface interface-id

Syntax Description

interface-id

The name and number used to identify the interface. For example, Loopback2.


Defaults

The address of the interface closest to the destination is used as the source interface for rcp/rsh communications.

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.


Usage Guidelines

If this command is not used, or if the interface specified in this command is not available (not up), the Cisco IOS software uses the address of the interface closest to the destination as the source address.

Use this command to force the system to tag all outgoing rcp/rsh packets with the IP address associated with the specified interface. This address is used as the source address as long as the interface is in the up state.

This command is especially useful in cases where the router has many interfaces, and you want to ensure that all rcp and/or rsh packets from this router have the same source IP address. A consistent address is preferred so that the other end of the connection (the rcp/rsh server or client) can maintain a single session. The other benefit of a consistent address is that an access list can be configured on the remote device.

The specified interface must have an IP address associated with it. If the specified interface does not have an IP address or is in a down state, then rcp/rsh reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.

Examples

In the following example, Loopback interface 0 is assigned an IP address of 220.144.159.200, and the ip rcmd source-interface command is used to specify that the source IP address for all rcp/rsh packets will be the IP address assigned to the Loopback0 interface:

interface Loopback0
  description Loopback interface
  ip address 220.144.159.200 255.255.255.255
  no ip directed-broadcast
!
.
.
.
clock timezone GMT 0
ip subnet-zero
no ip source-route
no ip finger
ip rcmd source-interface Loopback0
ip telnet source-interface Loopback0
ip tftp source-interface Loopback0
ip ftp source-interface Loopback0
ip ftp username cisco
ip ftp password shhhhsecret
no ip bootp server
ip domain-name net.galaxy
ip name-server 220.144.159.1
ip name-server 220.144.159.2
ip name-server 219.10.2.1
!
.
.
.

Related Commands

Command
Description

ip rcmd remote-host

Creates an entry for the remote user in a local authentication database so that remote users can execute commands on the router using rsh or rcp.


ip telnet source-interface

To specify the IP address of an interface as the source address for Telnet connections, use the ip telnet source-interface command in global configuration mode. To reset the source address to the default for each connection, use the no form of this command.

ip telnet source-interface interface

no ip telnet source-interface

Syntax Description

interface

The interface whose address is to be used as the source for Telnet connections.


Defaults

The address of the closest interface to the destination is the source address.

Command Modes

Global configuration

Command History

Release
Modification

11.1

This command was introduced.


Usage Guidelines

Use this command to set the IP address of an interface as the source for all Telnet connections.

If the specified interface is not up, the Cisco IOS software selects the address of the interface closest to the destination as the source address.

Examples

The following example forces the IP address for Ethernet interface 1 as the source address for Telnet connections:

Router(config)# ip telnet source-interface Ethernet1

Related Commands

Command
Description

ip radius source-interface

Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.


ip tftp source-interface

To specify the IP address of an interface as the source address for TFTP connections, use the ip tftp source-interface command in global configuration mode. To return to the default, use the no form of this command.

ip tftp source-interface interface

no ip tftp source-interface

Syntax Description

interface

The interface whose address is to be used as the source for TFTP connections.


Defaults

The address of the closest interface to the destination is the source address.

Command Modes

Global configuration

Command History

Release
Modification

11.1

This command was introduced.


Usage Guidelines

Use this command to set the IP address of an interface as the source for all TFTP connections.

If the specified interface is not up, the Cisco IOS software selects the address of the interface closest to the destination as the source address.

Examples

In the following example, the IP address assigned to Loopback interface 0 will be used as the source address for TFTP connections:

Router(config)# ip tftp source-interface Loopback0

Related Commands

Command
Description

ip ftp source-interface

Forces outgoing FTP packets to use the IP address of a specified interface as the source address.

ip radius source-interface

Forces outgoing RADIUS packets to use the IP address of a specified interface as the source address.



Note The ip wccp {web-cache | service-number} group-list command syntax resembles the ip wccp {web-cache | service-number} group-listen command, but these are entirely different commands. Note that the ip wccp group-listen command is an interface configuration command, used to configure an interface to listen for multicast notifications from a cache cluster. See the description of the ip wccp <service> group-listen command for more information.


kron occurrence

To specify schedule parameters for a Command Scheduler occurrence and enter kron-occurrence configuration mode, use the kron occurrence command in global configuration mode. To delete a Command Scheduler occurrence, use the no form of this command.

kron occurrence occurrence-name [user username] {in [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]} {oneshot | recurring}

no kron occurrence occurrence-name [user username] {in [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]} {oneshot | recurring}

Syntax Description

occurrence-name

Name of occurrence. Length of occurrence-name is from 1 to 31 characters. If the occurrence-name is new, an occurrence structure will be created. If the occurrence-name is not new, the existing occurrence will be edited.

user

(Optional) Used to identify a particular user.

username

(Optional) Name of user.

in

Identifies that the occurrence is to run after a specified time interval. The timer starts when the occurrence is configured.

numdays:

(Optional) Number of days. If used, add a colon after the number.

numhours:

(Optional) Number of hours. If used, add a colon after the number.

nummin

Number of minutes.

at

Identifies that the occurrence is to run at a specified calendar date and time.

hours:

Hour as a number using the twenty-four hour clock. Add a colon after the number.

min

Minute as a number.

month

(Optional) Month name. If used, you must also specify day-of-month.

day-of-month

(Optional) Day of month as a number.

day-of-week

(Optional) Day of week name.

oneshot

Identifies that the occurrence is to run only one time. After the occurrence has run, the configuration is removed.

recurring

Identifies that the occurrence is to run on a recurring basis.


Defaults

No schedule parameters are specified.

Command Modes

Global configuration

Command History

Release
Modification

12.3(1)

This command was introduced.


Usage Guidelines

Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the same time or interval. Use the kron policy-list command in conjunction with the cli command to create a Command Scheduler policy containing EXEC command line interface (CLI) commands to be scheduled to run on the router at a specified time.

Use the show kron schedule command to display the name of each configured occurrence and when it will next run.

The Command Scheduler process is useful to automate the running of EXEC commands at recurring intervals, and it can be used in remote routers to minimize manual intervention.

Examples

The following example shows how to create a Command Scheduler occurrence named info-three for the user IT2 and schedule it to run every three days, 10 hours, and 50 minutes. The EXEC CLI in the policy named three-day-list is configured to run as part of occurrence info-three.

Router(config)# kron occurrence info-three user IT2 in 3:10:50 recurring
Router(config-kron-occurrence)# policy-list three-day-list

The following example shows how to create a Command Scheduler occurrence named auto-mkt and schedule it to run once on June 4 at 5:30 a.m. The EXEC CLI in the policies named mkt-list and mkt-list2 are configured to run as part of occurrence auto-mkt.

Router(config)# kron occurrence auto-mkt user marketing at 5:30 jun 4 oneshot
Router(config-kron-occurrence)# policy-list mkt-list
Router(config-kron-occurrence)# policy-list mkt-list2

Related Commands

Command
Description

cli

Specifies EXEC CLI commands within a Command Scheduler policy list.

kron policy-list

Specifies a name for a Command Scheduler policy and enters kron-policy configuration mode.

policy-list

Specifies the policy list associated with a Command Scheduler occurrence.

show kron schedule

Displays the status and schedule information for Command Scheduler occurrences.


kron policy-list

To specify a name for a Command Scheduler policy and enter kron-policy configuration mode, use the kron policy-list command in global configuration mode. To delete the policy list, use the no form of this command.

kron policy-list list-name

no kron policy-list list-name

Syntax Description

list-name

Name of policy. Length of list-name is from 1 to 31 characters. If the list-name is new, a policy list structure will be created. If the list-name is not new, the existing policy list will be edited.


Defaults

If the specified list name does not exist, a new policy list is created.

Command Modes

Global configuration

Command History

Release
Modification

12.3(1)

This command was introduced.


Usage Guidelines

Use the kron policy-list command in conjunction with the cli command to create a Command Scheduler policy containing EXEC command line interface (CLI) commands to be scheduled to run on the router at a specified time. Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the same time or interval.

The Command Scheduler process is useful to automate the running of EXEC commands at recurring intervals, and it can be used in remote routers to minimize manual intervention.

Examples

The following example shows how to create a policy named sales-may and configure EXEC CLI commands to run the CNS command that retrieves an image from a server:

Router(config)# kron policy-list sales-may
Router(config-kron-policy)# cli cns image retrieve server https://10.21.2.3/imgsvr/ status https://10.21.2.5/status/
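Because Command Scheduler runs EXEC commands unattended, a configuration review should list every occurrence, the policy lists it invokes, and the commands those lists contain. The Python below is an added example, not part of the Cisco documentation: it parses the kron occurrence and kron policy-list syntax described above from a constructed configuration, assuming sub-mode lines are indented as in saved configuration output; the names missing-list and orphan-list are made up.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample configuration (not from a real device). It reuses names
# from the examples above; missing-list and orphan-list are made up.
SAMPLE_CONFIG = """\
kron occurrence info-three user IT2 in 3:10:50 recurring
 policy-list three-day-list
!
kron occurrence auto-mkt user marketing at 5:30 jun 4 oneshot
 policy-list mkt-list
 policy-list missing-list
!
kron policy-list three-day-list
 cli show kron schedule
!
kron policy-list mkt-list
 cli cns image retrieve server https://10.21.2.3/imgsvr/ status https://10.21.2.5/status/
!
kron policy-list orphan-list
 cli show logging
"""

# kron occurrence name [user username] {in ... | at ...} {oneshot | recurring}
OCCURRENCE_RE = re.compile(
    r"^kron occurrence (?P<name>\S+)"
    r"(?: user (?P<user>\S+))?"
    r" (?P<kind>in|at) (?P<when>.+?)"
    r" (?P<repeat>oneshot|recurring)$"
)


@dataclass
class Occurrence:
    name: str
    user: Optional[str]
    kind: str      # "in" (interval) or "at" (calendar time)
    when: str      # schedule text exactly as configured
    repeat: str    # "oneshot" or "recurring"
    policy_lists: list = field(default_factory=list)


def interval_minutes(spec):
    """Convert the 'in' form [[numdays:]numhours:]nummin to total minutes."""
    parts = [int(p) for p in spec.split(":")]
    if not 1 <= len(parts) <= 3:
        raise ValueError(f"bad interval: {spec!r}")
    days, hours, minutes = [0] * (3 - len(parts)) + parts
    return (days * 24 + hours) * 60 + minutes


def parse_kron(config_text):
    """Return ({occurrence name: Occurrence}, {policy list name: [commands]})."""
    occurrences, policies = {}, {}
    current = None  # (mode, list) that indented sub-mode lines append to
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line or line.startswith("!"):
            current = None
            continue
        if not raw[0].isspace():          # a new top-level command
            current = None
            m = OCCURRENCE_RE.match(line)
            if m:
                occ = Occurrence(m["name"], m["user"], m["kind"],
                                 m["when"], m["repeat"])
                occurrences[occ.name] = occ
                current = ("occurrence", occ.policy_lists)
            elif line.startswith("kron policy-list "):
                current = ("policy", policies.setdefault(line.split()[2], []))
            continue
        if current is None:
            continue
        mode, target = current
        sub = line.strip()
        if mode == "occurrence" and sub.startswith("policy-list "):
            target.append(sub.split(None, 1)[1])
        elif mode == "policy" and sub.startswith("cli "):
            target.append(sub.split(None, 1)[1])
    return occurrences, policies


def audit(config_text):
    """List what each occurrence runs, plus dangling and unused policy lists."""
    occurrences, policies = parse_kron(config_text)
    report, referenced = [], set()
    for occ in occurrences.values():
        commands, missing = [], []
        for name in occ.policy_lists:
            referenced.add(name)
            if name in policies:
                commands.extend(policies[name])
            else:
                missing.append(name)
        report.append({
            "occurrence": occ.name,
            "user": occ.user,
            "schedule": f"{occ.kind} {occ.when} {occ.repeat}",
            "interval_minutes":
                interval_minutes(occ.when) if occ.kind == "in" else None,
            "commands": commands,
            "undefined_policy_lists": missing,
        })
    return report, sorted(set(policies) - referenced)


if __name__ == "__main__":
    entries, unused = audit(SAMPLE_CONFIG)
    for entry in entries:
        print(entry)
    print("policy lists not attached to any occurrence:", unused)
```

Comparing the report against an approved baseline highlights scheduled commands that were added outside change control.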

Related Commands

Command
Description

cli

Specifies EXEC CLI commands within a Command Scheduler policy list.

kron occurrence

Specifies schedule parameters for a Command Scheduler occurrence and enters kron-occurrence configuration mode.

policy-list

Specifies the policy list associated with a Command Scheduler occurrence.


length

To set the terminal screen length, use the length command in line configuration mode. To restore the default value, use the no form of this command.

length screen-length

no length

Syntax Description

screen-length

The number of lines on the screen. A value of zero disables pausing between screens of output.


Defaults

Screen length of 24 lines

Command Modes

Line configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The Cisco IOS software uses the value of this command to determine when to pause during multiple-screen output. Not all commands recognize the configured screen length. For example, the show terminal command assumes a screen length of 24 lines or more.

Examples

In the following example, the terminal type is specified and the screen pause function is disabled for the terminal connection on line 6:

Router(config)# line 6
Router(config-line)# terminal-type VT220
Router(config-line)# length 0

Related Commands

Command
Description

terminal length

Sets the number of lines on the current terminal screen for the current session.


line-cli


Note Effective with Cisco IOS Releases 12.3(8)T and 12.3(9), the line-cli command is replaced by the cli (cns) command. See the cli (cns) command for more information.


To connect to the Cisco Networking Services (CNS) configuration engine using a modem dialup line, use the line-cli command in CNS Connect-interface configuration mode.

line-cli

Syntax Description

This command has no arguments or keywords.

Defaults

No command lines are specified to configure modem lines.

Command Modes

CNS Connect-interface configuration

Command History

Release
Modification

12.2(8)T

This command was introduced on Cisco 2600 series and Cisco 3600 series routers.

12.3(8)T

This command was replaced by the cli (cns) command.

12.3(9)

This command was replaced by the cli (cns) command.


Usage Guidelines

Use this command to connect to the CNS configuration engine using a specific type of interface. You must specify the interface type but need not specify the interface number; the router's bootstrap configuration finds the connecting interface, regardless of the slot in which the card resides or the modem dialout line for the connection, by trying different candidate interfaces or lines until it successfully pings the registrar.

Enter this command to enter CNS Connect-interface configuration (config-cns-conn-if) mode. Then use one of the following bootstrap-configuration commands to connect to the registrar for initial configuration:

config-cli followed by commands that, used as is, configure the interface.

line-cli followed by a command to configure modem lines to enable dialout and, after that, commands to configure the modem dialout line.

The config-cli command accepts the special directive character "&", which acts as a placeholder for the interface name. When the configuration is applied, the & is replaced with the interface name. Thus, for example, if we are able to connect using FastEthernet0/0, the following is the case:

The config-cli ip route 0.0.0.0 0.0.0.0 & command generates the config ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 command.

The cns id & ipaddress command generates the cns id FastEthernet0/0 ipaddress command.

Examples

The following example enters CNS Connect-interface configuration mode, connects to a configuration engine using an asynchronous interface, and issues a number of commands:

Router(config)# cns config connect-intf Async
Router(config-cns-conn-if)# config-cli encapsulation ppp
Router(config-cns-conn-if)# config-cli ip unnumbered FastEthernet0/0
Router(config-cns-conn-if)# config-cli dialer rotary-group 0
Router(config-cns-conn-if)# line-cli modem InOut
Router(config-cns-conn-if)# line-cli
.
.
.
Router(config-cns-conn-if)# exit

These commands apply the following configuration:

line 65
modem InOut
.
.
.
interface Async65
encapsulation ppp
dialer in-band
dialer rotary-group 0

Related Commands

Command
Description

cns config connect-intf

Specifies the interface for connecting to the CNS configuration engine.

config-cli

Connects to the CNS configuration engine using a specific type of interface.


lives-of-history-kept

To set the number of lives maintained in the history table for the Service Assurance Agent (SAA) operation, use the lives-of-history-kept command in SAA RTR configuration mode. To return to the default value, use the no form of this command.

lives-of-history-kept lives

no lives-of-history-kept

Syntax Description

lives

Number of lives maintained in the history table for the operation. If you specify 0 lives, history is not collected for the operation.


Defaults

0 lives

Command Modes

SAA RTR configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

The number of lives you can specify is dependent on the type of operation you are configuring. Use the lives-of-history-kept ? command to determine the available options.

The default value of 0 lives means that history is not collected for the operation.

To disable history collection, use the no lives-of-history-kept command rather than the filter-for-history none SAA RTR configuration command. The no lives-of-history-kept command disables history collection before an operation is attempted, while the filter-for-history command causes the SAA to check for history inclusion after the operation attempt is made.

When the number of lives exceeds the specified value, the history table wraps (that is, the oldest information is replaced by newer information).

When an operation makes a transition from pending to active, a life starts. When the life of an operation ends, the operation makes a transition from active to pending.

Examples

The following example maintains the history for 5 lives of operation 1:

Router(config)# rtr 1
Router(config-rtr)# type echo protocol ipIcmpEcho 172.16.1.176
Router(config-rtr)# lives-of-history-kept 5

Related Commands

Command
Description

buckets-of-history-kept

Sets the number of history buckets that are kept during the lifetime of the SAA.

filter-for-history

Defines the type of information kept in the history table for the SAA operation.

rtr

Enters SAA RTR configuration mode.

samples-of-history-kept

Sets the number of entries kept in the history table per bucket for the SA Agent operation.


load-interval

To specify the length of time to be used to calculate the average load for an interface, use the load-interval command in interface configuration or Frame Relay DLCI configuration mode. To revert to the default setting, use the no form of this command.

load-interval seconds

no load-interval seconds

Syntax Description

seconds

Length of time for which data is used to compute load statistics. Value is a multiple of 30, from 30 to 600 (30, 60, 90, 120, and so on). The default is 300 seconds.


Defaults

300 seconds (5 minutes)

Command Modes

Interface configuration
Frame Relay DLCI configuration

Command History

Release
Modification

10.3

This command was introduced.

12.2(4)T

This command was made available in Frame Relay DLCI configuration mode.


Usage Guidelines

If you want load computations to be more reactive to short bursts of traffic, rather than being averaged over 5-minute periods, you can shorten the length of time over which load averages are computed. For example, if the load interval is set to 30 seconds, the load value will reflect the weighted-average load for the last 30-second period.

Load data is gathered every 5 seconds. This data is used to compute load statistics, including input rate in bits and packets per second, output rate in bits and packets per second, load, and reliability. Load data is computed using a weighted-average calculation in which recent load data has more weight in the computation than older load data.

The load-interval command allows you to change the calculation interval from the default value of 5 minutes (300 seconds) to a shorter or longer period of time. If you change it to a shorter period of time, the input and output statistics that are displayed when you use the show interface or show frame-relay pvc command will be more current, rather than reflecting a more average load over a longer period of time.

One use of this command is to increase or decrease the likelihood of activating a backup interface; for example, a backup dial interface may be triggered by a sudden spike in the load on an active interface.

Examples

In the following example, the load-interval for the serial interface 0 is configured so that the average is computed over 30-second intervals. A burst in traffic that would not trigger a dial backup for an interface configured with the default 5-minute interval might trigger a dial backup for this interface, which is set for the shorter 30-second interval.

Router(config)# interface serial 0
Router(config-if)# load-interval 30

Frame Relay PVC Example

In the following example, the load interval is set to 60 seconds for a Frame Relay PVC with the DLCI 100:

Router(config)# interface serial 1/1 
Router(config-if)# encapsulation frame-relay ietf
Router(config-if)# frame-relay interface-dlci 100 
Router(config-fr-dlci)# load-interval 60 

Related Commands

Command
Description

show interfaces

Displays information about interfaces on the device.


location

To provide a description of the location of a serial device, use the location command in line configuration mode. To remove the description, use the no form of this command.

location text

no location

Syntax Description

text

Location description.


Defaults

No location description is provided.

Command Modes

Line configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The location command enters information about the device location and status. Use the show users all EXEC command to display the location information.

Examples

In the following example, the location description for the console line is given as "Building 3, Basement":

Router(config)# line console
Router(config-line)# location Building 3, Basement

lock

To configure a temporary password on a line, use the lock command in EXEC mode.

lock

Syntax Description

This command has no arguments or keywords.

Defaults

Not locked

Command Modes

EXEC

Command History

Release
Modification

10.0

This command was introduced in a release prior to Cisco IOS Release 10.0.


Usage Guidelines

You can prevent access to your session while keeping your connection open by setting up a temporary password. To lock access to the terminal, perform the following steps:


Step 1 Enter the lock command. The system prompts you for a password.

Step 2 Enter a password, which can be any arbitrary string. The system will prompt you to confirm the password. The screen then clears and displays the message "Locked."

Step 3 To regain access to your sessions, reenter the password.


The Cisco IOS software honors session timeouts on a locked line. You must clear the line to remove this feature. The system administrator must set the line up to allow use of the temporary locking feature by using the lockable line configuration command.

Examples

The following example shows configuring the router as lockable, saving the configuration, and then locking the current session for the user:

Router(config-line)# lockable
Router(config-line)# ^Z
Router# copy system:running-config nvram:startup-config
Building configuration...
OK
Router# lock 
Password: <password>
Again: <password>
                      Locked
Password: <password>
Router#

Related Commands

Command
Description

lockable

Enables the lock EXEC command.

login (EXEC)

Enables or changes a login username.


lockable

To enable use of the lock EXEC command, use the lockable command in line configuration mode. To reinstate the default (the terminal session cannot be locked), use the no form of this command.

lockable

no lockable

Syntax Description

This command has no arguments or keywords.

Defaults

Sessions on the line are not lockable (the lock EXEC command has no effect).

Command Modes

Line configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

This command enables use of temporary terminal locking, which is executed using the lock EXEC command. Terminal locking allows a user to keep the current session open while preventing access by other users.

Examples

In the following example, the terminal connection is configured as lockable, then the current connection is locked:

Router# configure terminal
Router(config)# line console 0
Router(config-line)# lockable
Router(config-line)# ^Z
Router# lock
Password: <password>
Again: <password>
                      Locked
Password: <password>
Router#

Related Commands

Command
Description

lock

Prevents access to your session by other users by setting a temporary password on your terminal line.


logging buffered

To enable system message logging to a local buffer and limit messages logged to the buffer based on severity, use the logging buffered command in global configuration mode. To cancel the use of the buffer, use the no form of this command. The default form of this command returns the buffer size to the default size.

logging buffered [buffer-size | level]

no logging buffered

default logging buffered

Syntax Description

buffer-size

(Optional) Size of the buffer from 4096 to 4,294,967,295 bytes. The default size varies by platform.

level

(Optional) Limits the logging of messages to the buffer to a specified level. You can enter the level name or level number. See Table 27 for a list of the acceptable level name or level number keywords. The default logging level varies by platform, but is generally 7, meaning that messages at all levels (0-7) are logged to the buffer.


Defaults

Varies by platform. For most platforms, logging to the buffer is disabled by default. When enabled, the default logging level is 7 (debugging).

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.

11.1(17)T

The level argument was added.


Usage Guidelines

This command copies logging messages to an internal buffer. The buffer is circular in nature, so newer messages overwrite older messages after the buffer is filled.

Specifying a level causes messages at that level and numerically lower levels to be logged in an internal buffer. See Table 27 for a list of level arguments.

Do not make the buffer size too large because the router could run out of memory for other tasks. You can use the show memory EXEC command to view the free processor memory on the router; however, this is the maximum available and should not be approached. The default logging buffered command resets the buffer size to the default for the platform.

To display the messages that are logged in the buffer, use the show logging command. The first message displayed is the oldest message in the buffer.

The show logging command displays the addresses and levels associated with the current logging setup, and any other logging statistics.

Table 27 Error Message Logging Priorities and Corresponding Level Names/Numbers 

Level Name       Level Number   Description                        Syslog Definition
emergencies      0              System unusable                    LOG_EMERG
alerts           1              Immediate action needed            LOG_ALERT
critical         2              Critical conditions                LOG_CRIT
errors           3              Error conditions                   LOG_ERR
warnings         4              Warning conditions                 LOG_WARNING
notifications    5              Normal but significant condition   LOG_NOTICE
informational    6              Informational messages only        LOG_INFO
debugging        7              Debugging messages                 LOG_DEBUG


Examples

In the following example, the user enables standard system logging to the local syslog buffer:

Router(config)# logging buffered

Related Commands

Command
Description

clear logging

Clears messages from the logging buffer.

logging buffered xml

Enables system message logging (syslog) and sends XML-formatted logging messages to the XML-specific system buffer.

show logging

Displays the state of logging (syslog).


logging buffered xml

To enable system message logging (syslog) and send XML-formatted logging messages to the XML-specific system buffer, use the logging buffered xml command in global configuration mode. To disable the XML syslog buffer and return the size of the buffer to the default, use the no form of this command.

logging buffered xml [xml-buffer-size]

no logging buffered xml

Syntax Description

xml-buffer-size

(Optional) Size of the buffer, from 4,096 to 4,294,967,295 bytes (4 kilobytes to 2 gigabytes). The default size varies by platform. This value is ignored if entered as part of the no form of this command.


Defaults

XML formatting of system logging messages is disabled.

The default XML syslog buffer size is the same size as the standard syslog buffer.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Standard logging is enabled by default, but XML-formatted system message logging is disabled by default. If standard logging has been disabled on your system (using the no logging on command), standard logging must be reenabled using the logging on command before using the logging buffered xml command.

The logging buffered xml command copies logging messages to an internal XML buffer. The XML syslog buffer is separate from the standard syslog buffer (created using the logging buffered command).

The buffer is circular, so newer messages overwrite older messages as the buffer is filled.

The severity level for logged messages is determined by the setting of the logging buffered command. If the logging buffered command has not been used, the default severity level for that command is used. The default severity level varies by platform, but is generally level 7 ("debugging"), meaning that messages at all severity levels (0 through 7) are logged. For more information on severity levels, see the documentation of the logging buffered command.

Do not make the buffer size too large because the router could run out of memory for other tasks. You can use the show memory EXEC command to view the free processor memory on the router; however, this value is the maximum available and should not be approached.

To return the size of the XML logging buffer to the default, enter the logging buffered xml command again without a buffer size value.

To display the messages that are logged in the buffer, use the show logging xml command in EXEC mode. The first message displayed is the oldest message in the buffer.

Examples

In the following example, the user enables logging to the XML syslog buffer and sets the XML syslog buffer size to 14 kilobytes:

Router(config)# logging buffered xml 14336 

Related Commands

Command
Description

clear logging xml

Clears all messages from the XML-specific system message logging (syslog) buffer.

logging buffered

Enables standard system message logging (syslog) to a local buffer and sets the severity level and buffer size for the logging buffer.

logging on

Globally controls (enables or disables) system message logging.

show logging xml

Displays the state of XML-formatted system message logging, followed by the contents of the XML-specific buffer.


logging console

To send system logging (syslog) messages to all available TTY lines and limit messages based on severity, use the logging console command in global configuration mode. To disable logging to the console terminal, use the no form of this command.

logging console [severity-level]

no logging console [severity-level]

Syntax Description

severity-level

Limits the logging of messages displayed on the console terminal to the specified level and (numerically) lower levels. You can enter the level number or level name. See Table 28 for a list of the level arguments.


Defaults

In general, the default is to log messages from level 0 (emergencies) to level 7 (debugging). However, the default level varies by platform.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The console keyword indicates all available TTY lines. This can mean a console terminal attached to the router's TTY line, a dial-up modem connection, or a printer.

Specifying a level causes messages at that level and numerically lower levels to be sent to the console (TTY lines). See Table 28 for a list of the level arguments.

The show logging EXEC command displays the addresses and levels associated with the current logging setup, and any other logging statistics.

Table 28 Error Message Logging Priorities and Corresponding Level Names/Numbers 

Level Arguments  Level          Description                        Syslog Definition
emergencies      0              System unusable                    LOG_EMERG
alerts           1              Immediate action needed            LOG_ALERT
critical         2              Critical conditions                LOG_CRIT
errors           3              Error conditions                   LOG_ERR
warnings         4              Warning conditions                 LOG_WARNING
notifications    5              Normal but significant condition   LOG_NOTICE
informational    6              Informational messages only        LOG_INFO
debugging        7              Debugging messages                 LOG_DEBUG



Note The effect of the log keyword with the IP access list (extended) interface configuration command depends on the setting of the logging console command. The log keyword takes effect only if the logging console level is set to 6 or 7. If you change the default to a level lower than 6 and specify the log keyword with the IP access list (extended) command, no information is logged or displayed.


Examples

In the following example, the user changes the level of messages sent to the console terminal (TTY lines) to alerts, which means messages at levels 0 and 1 are sent:

Router(config)# logging console alerts 
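The severity rule shared by logging buffered and logging console (a message is kept when its level is numerically at or below the configured one) decides which events a device retains for later review. The Python below is an added example, not part of the Cisco documentation: it reads the two commands from a constructed configuration, tells a buffer size from a level in the single optional argument, and reports sample messages that neither destination records. The default level of 7 and the message lines are assumptions; the EXAMPLE facility is made up.

```python
import re

# Level names and numbers from the severity tables above.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6,
          "debugging": 7}

DEFAULT_LEVEL = 7  # assumption: the "generally 7" default; varies by platform
MIN_BUFFER, MAX_BUFFER = 4096, 4294967295  # buffer-size range from the page

# IOS system messages carry the severity digit as %FACILITY-SEVERITY-MNEMONIC.
MSG_RE = re.compile(r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<name>[A-Z0-9_]+)")

# Constructed sample input (not captured from a device).
SAMPLE_CONFIG = """\
logging buffered notifications
logging console alerts
"""
SAMPLE_MESSAGES = [
    "%SYS-5-CONFIG_I: Configured from console by console",
    "%LINK-3-UPDOWN: Interface Serial0, changed state to down",
    "%SEC-6-IPACCESSLOGP: list 101 denied tcp 192.0.2.10(1024) -> 192.0.2.20(23), 1 packet",
    "%EXAMPLE-1-CONSTRUCTED: placeholder alert with a made-up facility",
]


def classify_arg(token):
    """Return ('level', n) or ('size', n) for one logging argument."""
    if token in LEVELS:
        return "level", LEVELS[token]
    if token.isdigit():
        n = int(token)
        if n <= 7:
            return "level", n
        if MIN_BUFFER <= n <= MAX_BUFFER:
            return "size", n
    raise ValueError(f"not a severity level or buffer size: {token!r}")


def effective_levels(config_text):
    """Map each destination to its severity level, or None when disabled."""
    # Defaults as described on the page: buffer off, console on.
    levels = {"buffered": None, "console": DEFAULT_LEVEL}
    for raw in config_text.splitlines():
        words = raw.split()
        negate = words[:1] == ["no"]
        if negate:
            words = words[1:]
        if len(words) < 2 or words[0] != "logging" or words[1] not in levels:
            continue
        dest, args = words[1], words[2:]
        if args[:1] == ["xml"]:
            continue  # the xml variants are separate commands, not modelled
        if negate:
            levels[dest] = None
            continue
        level = DEFAULT_LEVEL  # no level argument means the default level
        for token in args:
            kind, value = classify_arg(token)
            if kind == "level":
                level = value
        levels[dest] = level
    return levels


def destinations_for(message, levels):
    """Destinations that record this message under the configured levels."""
    m = MSG_RE.search(message)
    if not m:
        return []
    sev = int(m["sev"])
    return sorted(dest for dest, level in levels.items()
                  if level is not None and sev <= level)


def dropped_everywhere(messages, levels):
    """Messages that no modelled destination would record."""
    return [msg for msg in messages if not destinations_for(msg, levels)]


if __name__ == "__main__":
    configured = effective_levels(SAMPLE_CONFIG)
    print(configured)
    for msg in SAMPLE_MESSAGES:
        print(destinations_for(msg, configured) or "DROPPED", msg)
```

With the sample settings the severity-6 access list message is recorded nowhere, which is the case the Note above describes for console levels below 6.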

Related Commands

Command
Description

access-list (extended)

Defines an extended XNS access list.

logging facility

Configures the syslog facility in which error messages are sent.


logging console xml

To enable XML-formatted system message logging to the console connections, use the logging console xml command in global configuration mode. To disable all logging to the console connections, use the no form of this command.

logging console xml [severity-level]

no logging console xml

Syntax Description

severity-level

(Optional) The number or name of the desired severity level at which messages should be logged. Messages at or numerically lower than the specified level are logged. Severity levels are as follows (enter the number or the keyword):

{0 | emergencies}—System is unusable

{1 | alerts}—Immediate action needed

{2 | critical}—Critical conditions

{3 | errors}—Error conditions

{4 | warnings}—Warning conditions

{5 | notifications}—Normal but significant conditions

{6 | informational}—Informational messages

{7 | debugging}—Debugging messages


Defaults

Logging to the console is enabled.

XML-formatted logging to the console is disabled.

The default severity level varies by platform, but is generally level 7 (messages at levels 0 through 7 are logged).

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

To return system logging messages to standard text (without XML formatting), issue the standard logging console command (without the xml keyword extension).

Examples

In the following example, the user enables XML-formatted system message logging to the console for messages at levels 0 through 4:

Router(config)# logging console xml 4

Related Commands

Command
Description

show logging xml

Displays the state of XML-formatted system message logging, followed by the contents of the XML syslog buffer.


logging count

To enable the error log count capability, use the logging count command in global configuration mode. To disable the error log count capability, use the no form of this command.

logging count

no logging count

Syntax Description

This command has no arguments or keywords.

Defaults

This command is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

The logging count command counts every syslog message and time-stamps the occurrence of each message.

Examples

In the following example, syslog messages are logged to the system buffer and the logging count capability is enabled:

Router(config)# logging buffered notifications
Router(config)# logging count
Router(config)# end
Router# show logging count

Facility       Message Name                     Sev Occur   Last Time
                        
=============================================================================
SYS            BOOTTIME                          6    1     00:00:12
SYS            RESTART                           5    1     00:00:11
SYS            CONFIG_I                          5    3     1d00h
-------------  -------------------------------  -----------------------------
SYS TOTAL                                              5

LINEPROTO      UPDOWN                             5   13 00:00:19
-------------  -------------------------------  -----------------------------
LINEPROTO TOTAL                                       13

LINK           UPDOWN                             3    1 00:00:18
LINK           CHANGED                            5   12 00:00:09
-------------  -------------------------------  -----------------------------
LINK TOTAL                                            13

SNMP           COLDSTART                          5    1 00:00:11
-------------  -------------------------------  -----------------------------
SNMP TOTAL 

Related Commands

Command
Description

show logging

Displays the state of system logging (syslog).


logging cns-events

To enable XML-formatted system event message logging to be sent through the CNS Event Bus, use the logging cns-events command in global configuration mode. To disable the ability to send system logging event messages through the CNS Event Bus, use the no form of this command.

logging cns-events [severity-level]

no logging cns-events

Syntax Description

severity-level

The number or name of the desired severity level at which messages should be logged. Messages at or numerically lower than the specified level are logged. Severity levels are as follows (enter the number or the keyword):

{0 | emergencies}—System is unusable

{1 | alerts}—Immediate action needed

{2 | critical}—Critical conditions

{3 | errors}—Error conditions

{4 | warnings}—Warning conditions

{5 | notifications}—Normal but significant conditions

{6 | informational}—Informational messages

{7 | debugging}—Debugging messages


Defaults

Level 7: debugging

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)T

This command was introduced.


Usage Guidelines

Before you configure this command, you must enable the CNS event agent with the cns event command because the CNS event agent sends out the CNS event logging messages. The generation of many CNS event logging messages can negatively impact the publishing time of standard CNS event messages that must be sent to the network.

If the debug cns event command is active when the logging cns-events command is configured, the logging of CNS events is disabled.

Examples

In the following example, the user enables XML-formatted CNS system error message logging to the CNS Event Bus for messages at levels 0 through 4:

Router(config)# logging cns-events 4

Related Commands

Command
Description

cns event

Configures CNS event gateway, which provides CNS event services to Cisco IOS clients.

debug cns event

Displays CNS event agent debugging messages.


logging facility

To configure the syslog facility in which error messages are sent, use the logging facility command in global configuration mode. To revert to the default of local7, use the no form of this command.

logging facility facility-type

no logging facility

Syntax Description

facility-type

Syslog facility. See the "Usage Guidelines" section of this command reference entry for descriptions of acceptable keywords.


Defaults

local7

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Table 29 describes the acceptable keywords for the facility-type argument.

Table 29 logging facility facility-type Argument

Facility-type keyword   Description
auth                    Authorization system
cron                    Cron facility
daemon                  System daemon
kern                    Kernel
local0-7                Reserved for locally defined messages
lpr                     Line printer system
mail                    Mail system
news                    USENET news
sys9                    System use
sys10                   System use
sys11                   System use
sys12                   System use
sys13                   System use
sys14                   System use
syslog                  System log
user                    User process
uucp                    UNIX-to-UNIX copy system


Examples

In the following example, the user configures the syslog facility to the kernel facility type:

logging facility kern

Related Commands

Command
Description

logging console

Limits messages logged to the console based on severity.


logging history

To limit syslog messages sent to the router's history table and to an SNMP network management station based on severity, use the logging history command in global configuration mode. To return the logging of syslog messages to the default level, use the no form of this command with the previously configured severity level argument.

logging history [severity-level-name | severity-level-number]

no logging history [severity-level-name | severity-level-number]

Syntax Description

severity-level-name

Name of the severity level. Specifies the lowest severity level for system error message logging. See the "Usage Guidelines" section of this command for available keywords.

severity-level-number

Number of the severity level. Specifies the lowest severity level for system error message logging. See the "Usage Guidelines" section of this command for available keywords.


Defaults

Logging of error messages of severity levels 0 through 4 (emergency, alert, critical, error, and warning levels); in other words, "saving level warnings or higher."

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

The sending of syslog messages to an SNMP network management station (NMS) occurs when you enable syslog traps with the snmp-server enable traps syslog global configuration mode command.

Because SNMP traps are potentially unreliable, at least one syslog message, the most recent message, is stored in a history table on the router. The history table, which contains table size, message status, and message text data, can be viewed using the show logging history command. The number of messages stored in the table is governed by the logging history size global configuration mode command.

Severity levels are numbered 0 through 7, with 0 being the highest severity level and 7 being the lowest severity level (that is, the lower the number, the more critical the message). Specifying a level causes messages at that severity level and numerically lower levels to be stored in the router's history table and sent to the SNMP network management station. For example, specifying the level critical causes messages at the critical (3), alert (2), and emergency (1) levels to be saved to the logging history table.

Table 30 provides a description of logging severity levels, listed from highest severity to lowest severity, and the arguments used in the logging history command syntax. Note that you can use the level name or the level number as the level argument in this command.

Table 30 Syslog Error Message Severity Levels

Severity Level Name   Severity Level Number   Description                        Syslog Definition
emergencies           0                       System unusable                    LOG_EMERG
alerts                1                       Immediate action needed            LOG_ALERT
critical              2                       Critical conditions                LOG_CRIT
errors                3                       Error conditions                   LOG_ERR
warnings              4                       Warning conditions                 LOG_WARNING
notifications         5                       Normal but significant condition   LOG_NOTICE
informational         6                       Informational messages only        LOG_INFO
debugging             7                       Debugging messages                 LOG_DEBUG


Examples

In the following example, the system is initially configured to the default of saving severity level 4 or higher. The logging history 1 command is used to configure the system to save only level 1 (alert) and level 0 (emergency) messages to the logging history table, and, by extension, to send only these levels in the SNMP notifications. The configuration is then confirmed using the show logging history command.

Router# show logging history 
Syslog History Table:10 maximum table entries,
! The following line shows that system-error-message-logging is set to the
! default level of "warnings" (4).
saving level warnings or higher
 23 messages ignored, 0 dropped, 0 recursion drops                                                  
 1 table entries flushed
 SNMP notifications not enabled
   entry number 2 : LINK-3-UPDOWN
    Interface FastEthernet0, changed state to up                                                
    timestamp: 2766 
Router# configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z. 
Router(config)# logging history 1 
Router(config)# snmp-server enable traps syslog 
Router(config)# end 
Router#
4w0d: %SYS-5-CONFIG_I: Configured from console by console
Router# show logging history 
Syslog History Table:1 maximum table entries,
! The following line indicates that `logging history level 1' (alerts) is configured.
saving level alerts or higher
 18 messages ignored, 0 dropped, 0 recursion drops
 1 table entries flushed
 SNMP notifications enabled, 0 notifications sent
   entry number 2 : LINK-3-UPDOWN
    Interface FastEthernet0, changed state to up
    timestamp: 2766
Router#

Related Commands

Command
Description

logging history size

Sets the maximum number of syslog messages that can be stored in the router's syslog history table.

logging on

Controls (enables or disables) the logging of error messages.

show logging

Displays the state of system logging (syslog) and contents of the local logging buffer.

show logging history

Displays information about the system logging history table.

snmp-server enable traps syslog

Controls (enables or disables) the sending of SYSLOG MIB notifications.

snmp-server host

Specifies the recipient of an SNMP notification operation.


logging history size

To change the number of syslog messages stored in the router's history table, use the logging history size command in global configuration mode. To return the number of messages to the default value, use the no form of this command.

logging history size number

no logging history size

Syntax Description

number

Number from 1 to 500 that indicates the maximum number of messages stored in the history table. The default is one message.


Defaults

One message

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

When the history table is full (that is, it contains the maximum number of message entries specified with the logging history size command), the oldest message entry is deleted from the table to allow the new message entry to be stored.

Examples

In the following example, the user sets the number of messages stored in the history table to 20:

logging history size 20
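The following Python sketch is an added example, not Cisco code. It models how the logging history threshold and the logging history size limit combine: a message is kept only at the configured level or numerically lower, and the oldest entry is evicted when the table is full. The class, function names, and the EXAMPLE-* messages are constructed for illustration; the counters are a simplification and are not claimed to match the show logging history counters exactly.

```python
import re
from collections import deque

# Severity keywords in numeric order 0..7, as listed in Table 30.
LEVELS = ("emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging")

# IOS message identifier: %FACILITY-SEVERITY-MNEMONIC, e.g. %LINK-3-UPDOWN.
MSG_ID = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+)")


def parse_level(arg):
    """Accept a level keyword or a level number, as logging history does."""
    text = str(arg).strip().lower()
    if text in LEVELS:
        return LEVELS.index(text)
    if text.isdigit() and int(text) <= 7:
        return int(text)
    raise ValueError(f"unknown severity level: {arg!r}")


class HistoryTable:
    """Simplified model of the syslog history table (hypothetical helper)."""

    def __init__(self, level="warnings", size=1):
        if not 1 <= size <= 500:
            raise ValueError("history size must be from 1 to 500")
        self.level = parse_level(level)
        self.entries = deque(maxlen=size)  # oldest entry is dropped when full
        self.ignored = 0                   # less severe than the threshold
        self.flushed = 0                   # evicted to make room

    def offer(self, line):
        """Return True if the line is stored in the table."""
        match = MSG_ID.search(line)
        if match is None:
            return False                   # debug output carries no message ID
        facility, severity, mnemonic = match.groups()
        severity = int(severity)
        if severity > self.level:          # numerically higher = less severe
            self.ignored += 1
            return False
        if len(self.entries) == self.entries.maxlen:
            self.flushed += 1
        self.entries.append((severity, f"{facility}-{severity}-{mnemonic}"))
        return True


def replay(lines, level="warnings", size=1):
    """Feed message lines through a table with the given settings."""
    table = HistoryTable(level, size)
    for line in lines:
        table.offer(line)
    return table


# Constructed sample input. The first two message IDs and the debug line
# appear in this reference; the EXAMPLE-* messages are invented.
SAMPLE_MESSAGES = (
    "%LINK-3-UPDOWN: Interface FastEthernet0, changed state to up",
    "%SYS-5-CONFIG_I: Configured from console by console",
    "%EXAMPLE-2-CRIT_MSG: constructed critical-level message",
    "%EXAMPLE-1-ALERT_MSG: constructed alert-level message",
    "%EXAMPLE-6-INFO_MSG: constructed informational message",
    "IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending",
)

if __name__ == "__main__":
    for level, size in (("warnings", 1), (1, 20), ("critical", 20)):
        table = replay(SAMPLE_MESSAGES, level, size)
        print(level, size, list(table.entries), table.ignored, table.flushed)
```

With the defaults (warnings, one entry), only the most recent qualifying message survives, so anything that must be kept for review needs a larger table or a remote syslog host.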

Related Commands

Command
Description

logging history

Limits syslog messages sent to the router's history table and the SNMP network management station based on severity.

show logging

Displays the state of logging (syslog).


logging host

To log system messages and debug output to a remote host, use the logging host command in global configuration mode. To remove a specified logging host from the configuration, use the no form of this command.

logging host {ip-address | host-name} [xml]

no logging host {ip-address | host-name} [xml]

Syntax Description

ip-address

IP address of the host to be used as a syslog server.

host-name

Name of the host to be used as a syslog server.

xml

(Optional) Specifies that the logging output should be tagged using the Cisco defined XML tags. This applies to system logging messages only (not to debug command output).


Defaults

System logging messages are not sent to any remote host.

If this command is entered without the xml keyword, messages are sent in the standard format.

Command Modes

Global configuration

Command History

Release
Modification

10.0

The logging command was introduced.

12.0(14)S, 12.0(14)ST, 12.2(15)T

The logging host command replaced the logging command.

12.2(15)T

The xml keyword was added.


Usage Guidelines

System logging messages are also called system error messages.

Standard system message logging (syslog) is enabled by default. If logging has been disabled on your system (using the no logging on command), logging must be reenabled using the logging on command before using the logging host command.

The logging host command identifies a remote host (syslog server) to receive logging messages. By issuing this command more than once, you build a list of syslog servers that receive logging messages.

To specify the severity level for logging to all hosts, use the logging trap command.

You can specify that standard syslog messages are to be sent to one or more hosts while XML-formatted messages are to be sent to another host (or hosts) by repeating this command with the appropriate syntax.

If you enter the logging host {ip-address | host-name} command after entering the logging host {ip-address | host-name} xml command and you use the same IP address or host name in both commands, XML formatting is disabled for that host, and messages will be sent in the standard format. In other words, a standard logging host command will replace an XML logging host command, and vice versa, if the same host is specified.


Note: Any no logging host command (with or without the xml keyword) will disable all logging to the specified host.


Examples

In the following example, messages at severity levels 0 (emergencies) through 5 (notifications) are logged to a host at 209.165.202.169:

Router(config)# logging host 209.165.202.169 
Router(config)# logging trap 5 
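The following Python sketch is an added example, not Cisco code. It resolves a sequence of logging on, logging host, and logging trap commands into the set of syslog servers that would actually receive a message of a given severity, following the replacement and removal rules described above. The function names and the sample command sequence are constructed; the default trap level of 6 is taken from the logging trap entry of this reference.

```python
import re

# Severity keywords in numeric order 0..7.
LEVELS = ("emergencies", "alerts", "critical", "errors",
          "warnings", "notifications", "informational", "debugging")
DEFAULT_TRAP_LEVEL = 6  # logging trap default: levels 0 through 6

# Optional "Router(config)# " prompt, so pasted sessions can be used as input.
PROMPT = re.compile(r"^\S+\(config\)#\s*")


def level_number(arg):
    """Convert a severity keyword or number to its numeric level."""
    arg = arg.lower()
    value = int(arg) if arg.isdigit() else LEVELS.index(arg)
    if not 0 <= value <= 7:
        raise ValueError(f"severity level out of range: {arg}")
    return value


def resolve_remote_logging(config_text):
    """Apply the commands in order and return the resulting state."""
    state = {"logging_on": True, "trap_level": DEFAULT_TRAP_LEVEL, "hosts": {}}
    for raw in config_text.splitlines():
        words = PROMPT.sub("", raw.strip()).split()
        negated = words[:1] == ["no"]
        if negated:
            words = words[1:]
        if words[:1] != ["logging"] or len(words) < 2:
            continue
        keyword, args = words[1], words[2:]
        if keyword == "on" and not args:
            state["logging_on"] = not negated
        elif keyword == "trap":
            if negated:
                state["trap_level"] = DEFAULT_TRAP_LEVEL
            elif args:
                state["trap_level"] = level_number(args[0])
        elif keyword == "host" and args:
            host = args[0]
            if negated:
                # Any "no logging host", with or without xml, removes the host.
                state["hosts"].pop(host, None)
            else:
                # The latest command for a host replaces its earlier format.
                fmt = "xml" if args[1:] == ["xml"] else "standard"
                state["hosts"][host] = fmt
    return state


def receivers(state, severity):
    """Return (host, format) pairs that would receive this severity."""
    if not state["logging_on"] or severity > state["trap_level"]:
        return []
    return sorted(state["hosts"].items())


# Constructed command sequence using the host addresses from this reference.
SAMPLE_CONFIG = """\
Router(config)# logging host 209.165.202.169 xml
Router(config)# logging host 209.165.200.225
Router(config)# logging host 209.165.202.169
Router(config)# logging trap 5
Router(config)# no logging host 209.165.200.225 xml
"""

if __name__ == "__main__":
    state = resolve_remote_logging(SAMPLE_CONFIG)
    print(state)
    print(receivers(state, 5), receivers(state, 6))
```

Running a check like this against an exported configuration shows at a glance whether a later command has silently changed a collector's format or removed it altogether.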

Related Commands

Command
Description

logging on

Globally controls (enables or disables) system message logging.

logging trap

Limits messages sent to the syslog servers based on severity level.

show logging

Displays the state of system message logging, followed by the contents of the standard syslog buffer.

show logging xml

Displays the state of XML-formatted system message logging, followed by the contents of the XML syslog buffer.


logging linecard

To log messages to an internal buffer on a line card, use the logging linecard command in global configuration mode. To cancel the use of the internal buffer on the line cards, use the no form of this command.

logging linecard [size | level]

no logging linecard

Syntax Description

size

(Optional) Size of the buffer used for each line card. The range is from 4096 to 65,536 bytes. The default is 8 KB.

level

(Optional) Limits the logging of messages displayed on the console terminal to a specified level. The message level can be one of the following:

alerts—Immediate action needed

critical—Critical conditions

debugging—Debugging messages

emergencies—System is unusable

errors—Error conditions

informational—Informational messages

notifications—Normal but significant conditions

warnings—Warning conditions


Defaults

The Cisco IOS software logs messages to the internal buffer on the GRP card.

Command Modes

Global configuration

Command History

Release
Modification

11.2 GS

This command was added to support the Cisco 12000 series Gigabit Switch Routers.


Usage Guidelines

Specifying a message level causes messages at that level and numerically lower levels to be stored in the internal buffer on the line cards.

Table 31 lists the message levels and associated numerical level. For example, if you specify a message level of critical, all critical, alert, and emergency messages will be logged.

Table 31 Message Levels

Level Keyword   Level
emergencies     0
alerts          1
critical        2
errors          3
warnings        4
notifications   5
informational   6
debugging       7


To display the messages that are logged in the buffer, use the show logging slot EXEC command. The first message displayed is the oldest message in the buffer.

Do not make the buffer size too large because the router could run out of memory for other tasks. You can use the show memory EXEC command to view the free processor memory on the router; however, this is the maximum available and should not be approached.

Examples

The following example enables logging to an internal buffer on the line cards using the default buffer size and logging warning, error, critical, alert, and emergency messages:

Router(config)# logging linecard warnings 

Related Commands

Command
Description

clear logging

Clears messages from the logging buffer.

show logging

Displays the state of logging (syslog).


logging monitor

To enable system message logging to the terminal lines (monitor connections) and limit these messages based on severity, use the logging monitor command in global configuration mode. To disable logging to terminal lines other than the console line, use the no form of this command.

logging monitor severity-level

no logging monitor

Syntax Description

severity-level

(Optional) The number or name of the desired severity level at which messages should be logged. Messages at or numerically lower than the specified level are logged. Severity levels are as follows (enter the number or the keyword):

{0 | emergencies}—System is unusable

{1 | alerts}—Immediate action needed

{2 | critical}—Critical conditions

{3 | errors}—Error conditions

{4 | warnings}—Warning conditions

{5 | notifications}—Normal but significant conditions

{6 | informational}—Informational messages

{7 | debugging}—Debugging messages


Defaults

debugging (severity-level 7)

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Specifying a severity-level causes messages only at that level and numerically lower levels to be displayed to the monitor (terminal lines).

Examples

In the following example, the user specifies that only messages of the levels errors, critical, alerts, and emergencies be logged to monitor connections:

Router(config)# logging monitor 3

Related Commands

Command
Description

logging monitor xml

Applies XML formatting to messages logged to the monitor connections.

terminal monitor

Displays debug command output and system error messages for the current terminal and session.


logging monitor xml

To enable XML-formatted system message logging to monitor connections, use the logging monitor xml command in global configuration mode. To disable all logging to the monitor connections, use the no form of this command.

logging monitor xml [severity-level]

no logging monitor xml

Syntax Description

severity-level

(Optional) The number or name of the desired severity level at which messages should be logged. Messages at or numerically lower than the specified level are logged. Severity levels are as follows (enter the number or the keyword):

{0 | emergencies}—System is unusable

{1 | alerts}—Immediate action needed

{2 | critical}—Critical conditions

{3 | errors}—Error conditions

{4 | warnings}—Warning conditions

{5 | notifications}—Normal but significant conditions

{6 | informational}—Informational messages

{7 | debugging}—Debugging messages


Defaults

Logging to monitor connections is enabled.

XML-formatted logging to monitor connections is disabled.

The default severity level varies by platform, but is generally level 7 (messages at levels 0 through 7 are logged).

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

The monitor keyword specifies the tty line connections at all line ports. The tty lines (also called ports) communicate with peripheral devices such as terminals, modems, and serial printers. An example of a tty connection is a PC with a terminal emulation program connected to the device using a dial-up modem, or a Telnet connection.

To return system logging messages to standard text (without XML formatting), issue the standard logging monitor command (without the xml keyword extension).

Examples

In the following example, the user enables XML-formatted system message logging to the console for messages at levels 0 through 4 and XML-formatted system message logging to tty line connections at the default severity level:

Router(config)# logging console xml 4 
Router(config)# logging monitor xml 

Related Commands

Command
Description

logging monitor

Enables system message logging in standard (plain text) format to all monitor (TTY) connections.

show logging xml

Displays the state of XML-formatted system message logging, followed by the contents of the XML syslog buffer.


logging on

To enable logging of system messages, use the logging on command in global configuration mode. This command sends debug or error messages to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages. To disable the logging process, use the no form of this command.

logging on

no logging on

Syntax Description

This command has no arguments or keywords.

Defaults

The Cisco IOS software sends messages to the asynchronous logging process.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The logging process controls the distribution of logging messages to the various destinations, such as the logging buffer, terminal lines, or syslog server. System logging messages are also known as system error messages. You can turn logging on and off for these destinations individually using the logging buffered, logging monitor, and logging global configuration commands. However, if the logging on command is disabled, no messages will be sent to these destinations. Only the console will receive messages.

Additionally, the logging process logs messages to the console and the various destinations after the processes that generated them have completed. When the logging process is disabled, messages are displayed on the console as soon as they are produced, often appearing in the middle of command output.


Caution: Disabling the logging on command may substantially slow down the router. Any process generating debug or error messages will wait until the messages have been displayed on the console before continuing.

The logging synchronous line configuration command also affects the displaying of messages to the console. When the logging synchronous command is enabled, messages will appear only after the user types a carriage return.

Examples

The following example shows command output and message output when logging is enabled. The ping process finishes before any of the logging information is printed to the console (or any other destination).

Router(config)# logging on
Router(config)# end
Router#
%SYS-5-CONFIG_I: Configured from console by console 
Router# ping dirt

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
Router#
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1

In the following example, logging is disabled. The message output is displayed as messages are generated, causing the debug messages to be interspersed with the message "Type escape sequence to abort."

Router(config)# no logging on
Router(config)# end

%SYS-5-CONFIG_I: Configured from console by console
Router#
Router# ping dirt

IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingTyp
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1e
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending esc
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingape 
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingse
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingquen
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1ce to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/152/156 ms
Router#

Related Commands

Command
Description

logging host

Logs messages to a syslog server host.

logging buffered

Logs messages to an internal buffer.

logging console

Logs messages to console connections.

logging monitor

Limits messages logged to the terminal lines (monitors) based on severity.

logging synchronous

Synchronizes unsolicited messages and debug output with solicited Cisco IOS software output and prompts for a specific console port line, auxiliary port line, or vty.


logging origin-id

To add an origin identifier to system logging messages sent to remote hosts, use the logging origin-id command in global configuration mode. To disable the origin identifier, use the no form of this command.

logging origin-id {hostname | ip | string user-defined-id}

no logging origin-id {hostname | ip | string user-defined-id}

Syntax Description

hostname

Specifies that the hostname will be used as the message origin identifier.

ip

Specifies that the IP address of the sending interface will be used as the message origin identifier.

string user-defined-id

Allows you to enter your own identifying description. The user-defined-id argument is a string you specify.

You can enter a string with no spaces or use delimiting quotation marks to enclose a string with spaces.


Defaults

Disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.

12.2(15)B

This command was integrated into Release 12.2B.

12.3(1) Mainline

The string user-defined-id syntax was added.

12.2(16)B

The string user-defined-id syntax was added for Release 12.2B.


Usage Guidelines

The origin identifier is added to the beginning of all system logging (syslog) messages sent to remote hosts. The identifier can be the hostname, the IP address, or any text that you specify. The origin identifier is not added to messages sent to local destinations (the console, monitor, or buffer).

The origin identifier is useful for identifying the source of system logging messages in cases where you send syslog output from multiple devices to a single syslog host.

When specifying your own identification string using the logging origin-id string user-defined-id command, the system expects a string without spaces. For example:

Router(config)# logging origin-id string Cisco_Systems 
 

To use spaces (multiple words) or additional syntax, enclose the string with quotes. For example:

Router(config)# logging origin-id string "Cisco Systems, Inc." 
 

Examples

In the following example, the origin identifier "Domain 1, router B" will be added to the beginning of all system logging messages sent to remote hosts:

Router(config)# logging origin-id string "Domain 1, router B" 

In the following example, all logging messages sent to remote hosts will have the IP address configured for the Serial 1 interface added to the beginning of the message:

Router(config)# logging host 209.165.200.225 
Router(config)# logging trap 5 
Router(config)# logging source-interface serial 1 
Router(config)# logging origin-id ip 

Related Commands

Command
Description

logging host

Enables system message logging to a remote host.

logging source-interface

Forces logging messages to be sent from a specified interface, instead of any available interface.

logging trap

Configures the severity level at or numerically below which logging messages should be sent to a remote host.


logging rate-limit

To limit the rate of messages logged per second, use the logging rate-limit command in global configuration mode. To disable the limit, use the no form of this command.

logging rate-limit {number | all number | console {number | all number}} [except severity]

no logging rate-limit

Syntax Description

number

Maximum number of messages logged per second. The valid values are from 1 to 10000.

all

Sets the rate limit for all error and debug messages displayed at the console and printer.

console

Sets the rate limit for error and debug messages displayed at the console.

except

(Optional) Excludes messages of this severity level or lower.

Severity decreases as the number increases. So, severity level 1 is a more serious problem than severity level 3.

severity

(Optional) Sets the logging severity level. The valid levels are from 0 to 7.


Command Default

The default for this command is 10 messages logged per second and exclusion of messages of the errors level or lower.

Command Modes

Global configuration

Command History

Release
Modification

12.1(3)T

This command was introduced.

12.2

This command was integrated in Cisco IOS Release 12.2.

12.3

This command was integrated in Cisco IOS Release 12.3.

12.3T

This command was integrated in Cisco IOS Release 12.3T.

12.4

This command was integrated in Cisco IOS Release 12.4.

12.4T

This command was integrated in Cisco IOS Release 12.4T.


Usage Guidelines

The logging rate-limit command controls the output of messages from the system. Use this command if you want to avoid a flood of output messages. You can select the severity of the output messages and output rate by using the logging rate-limit command. You can use the logging rate-limit command anytime; it will not negatively impact the performance of your system and may improve the system performance by specifying the severities and rates of output messages.

You can use this command with or without the logging synchronous line configuration command. For example, if you want to see all severity 0, 1, and 2 messages, use the no logging synchronous command and specify logging rate-limit 10 except 2. By using the two commands together, you cause all messages of 0, 1, and 2 severity to print and limit the less severe ones (lower than 2) to only 10 per second.

Table 32 compares the error message logging numeric severity level with its equivalent word description.

Table 32 Error Message Logging Severity Level and Equivalent Word Descriptions

Numeric Severity Level   Equivalent Word   Description
0                        emergencies       System unusable
1                        alerts            Immediate action needed
2                        critical          Critical conditions
3                        errors            Error conditions
4                        warnings          Warning conditions
5                        notifications     Normal but significant condition
6                        informational     Informational messages only
7                        debugging         Debugging messages


Examples

In the following example, the logging rate-limit configuration mode command limits message output to 200 per second:

Router(config)# logging rate-limit 200

Related Commands

Command
Description

logging synchronous

Synchronizes unsolicited messages and debug output with solicited Cisco IOS software output and prompts for a specific console port line, auxiliary port line, or vty.


logging source-interface

To specify the source IP address of syslog packets, use the logging source-interface command in global configuration mode. To remove the source designation, use the no form of this command.

logging source-interface interface-type interface-number

no logging source-interface

Syntax Description

interface-type

Interface type.

interface-number

Interface number.


Defaults

No interface is specified.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

Normally, a syslog message contains the IP address of the interface it uses to leave the router. The logging source-interface command specifies that syslog packets contain the IP address of a particular interface, regardless of which interface the packet uses to exit the router.

Examples

In the following example, the user specifies that the IP address for Ethernet interface 0 is the source IP address for all syslog messages:

Router(config)# logging source-interface ethernet 0 

The following example specifies that the IP address for Ethernet interface 2/1 on a Cisco 7000 series router is the source IP address for all syslog messages:

Router(config)# logging source-interface ethernet 2/1 

Related Commands

Command
Description

logging

Logs messages to a syslog server host.


logging synchronous

To synchronize unsolicited messages and debug output with solicited Cisco IOS software output and prompts for a specific console port line, auxiliary port line, or vty, use the logging synchronous command in line configuration mode. To disable synchronization of unsolicited messages and debug output, use the no form of this command.

logging synchronous [level severity-level | all] [limit number-of-buffers]

no logging synchronous [level severity-level | all] [limit number-of-buffers]

Syntax Description

level severity-level

(Optional) Specifies the message severity level. Messages with a severity level equal to or higher than this value are printed asynchronously. Low numbers indicate greater severity and high numbers indicate lesser severity. The default value is 2.

all

(Optional) Specifies that all messages are printed asynchronously, regardless of the severity level.

limit number-of-buffers

(Optional) Specifies the number of buffers to be queued for the terminal after which new messages are dropped. The default value is 20.


Defaults

This command is disabled.

If you do not specify a severity level, the default value of 2 is assumed.

If you do not specify the maximum number of buffers to be queued, the default value of 20 is assumed.

Command Modes

Line configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

When synchronous logging of unsolicited messages and debug output is turned on, unsolicited Cisco IOS software output is displayed on the console or printed after solicited Cisco IOS software output is displayed or printed. Unsolicited messages and debug output are displayed on the console after the prompt for user input is returned, which keeps them from being interspersed with solicited software output and prompts. After the unsolicited messages are displayed, the console displays the user prompt again.

When specifying a severity level number, consider that for the logging system, low numbers indicate greater severity and high numbers indicate lesser severity.

When a message queue limit of a terminal line is reached, new messages are dropped from the line, although these messages might be displayed on other lines. If messages are dropped, the notice "%SYS-3-MSGLOST number-of-messages due to overflow" follows any messages that are displayed. This notice is displayed only on the terminal that lost the messages. It is not sent to any other lines, any logging servers, or the logging buffer.


Caution: By configuring abnormally large message queue limits and setting the terminal to "terminal monitor" on a terminal that is accessible to intruders, you expose yourself to "denial of service" attacks. An intruder could carry out the attack by putting the terminal in synchronous output mode, making a Telnet connection to a remote host, and leaving the connection idle. This could cause large numbers of messages to be generated and queued, and these messages could, although it is unlikely, consume all available RAM. You should guard against this type of attack through proper configuration.

Examples

In the following example, line 4 is identified and synchronous logging for line 4 is enabled with a severity level of 6. Then another line, line 2, is identified, and synchronous logging for line 2 is enabled with a severity level of 7 and a maximum of 70,000 buffers.

Router(config)# line 4 
Router(config-line)# logging synchronous level 6 
Router(config-line)# exit 
Router(config)# line 2 
Router(config-line)# logging synchronous level 7 limit 70000 
Router(config-line)# end 
Router# 
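The following is an added example, not part of the Cisco documentation: a configuration audit for the condition the Caution above warns about, reporting each line that enables logging synchronous and flagging queue limits above a review threshold. The threshold of 100 and the sample configuration are assumptions made for this example; the fallback values of 2 and 20 are the defaults stated on this page.

```python
import re

# Review threshold is an assumption for this example: the page gives 20 as
# the default queue limit and does not define "abnormally large".
MAX_LIMIT = 100

# Constructed running-config excerpt (not from a real device).
SAMPLE_CONFIG = """\
line con 0
 logging synchronous
line vty 0 4
 logging synchronous level 7 limit 70000
line vty 5 15
 logging synchronous level 6 limit 50
"""

LINE_RE = re.compile(r"^line\s+(.+?)\s*$")
SYNC_RE = re.compile(
    r"^\s+logging synchronous(?:\s+level\s+(\S+))?(?:\s+limit\s+(\d+))?\s*$"
)

def audit_logging_synchronous(config, max_limit=MAX_LIMIT):
    """Return (line, level, limit, oversized) for each line using the command."""
    findings, current = [], None
    for raw in config.splitlines():
        m = LINE_RE.match(raw)
        if m:
            current = m.group(1)            # entered a new line block
            continue
        if raw and not raw[0].isspace():
            current = None                  # left line configuration
            continue
        m = SYNC_RE.match(raw)
        if m and current:
            level = m.group(1) or "2"       # default severity level per the page
            limit = int(m.group(2) or 20)   # default queue limit per the page
            findings.append((current, level, limit, limit > max_limit))
    return findings

if __name__ == "__main__":
    for line, level, limit, oversized in audit_logging_synchronous(SAMPLE_CONFIG):
        flag = "REVIEW" if oversized else "ok"
        print(f"{flag:6} line {line}: level {level}, limit {limit}")
```
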

Related Commands

Command
Description

line

Identifies a specific line for configuration and starts the line configuration command collection mode.

logging on

Controls logging of error messages and sends debug or error messages to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.


logging trap

To limit messages logged to remote syslog servers based on severity, use the logging trap command in global configuration mode. To return the logging to remote hosts to the default level, use the no form of this command.

logging trap severity-level

no logging trap

Syntax Description

severity-level

(Optional) The number or name of the desired severity level at which messages should be logged. Messages at or numerically lower than the specified level are logged. Severity levels are as follows (enter the number or the keyword):

{0 | emergencies}—System is unusable

{1 | alerts}—Immediate action needed

{2 | critical}—Critical conditions

{3 | errors}—Error conditions

{4 | warnings}—Warning conditions

{5 | notifications}—Normal but significant conditions

{6 | informational}—Informational messages

{7 | debugging}—Debugging messages


Defaults

Syslog messages at level 0 to level 6 are generated, but will only be sent to a remote host if the logging host command is configured.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

A trap is an unsolicited message sent to a remote network management host. Logging traps should not be confused with SNMP traps (SNMP logging traps require the use of the CISCO-SYSLOG-MIB, are enabled using the snmp-server enable traps syslog command, and are sent using the Simple Network Management Protocol).

The show logging EXEC command displays the addresses and levels associated with the current logging setup. The command output also includes ancillary statistics.

Table 33 lists the syslog definitions that correspond to the system message logging levels. Additionally, four categories of messages are generated by the software, as follows:

Error messages about software or hardware malfunctions at the LOG_ERR level.

Output for the debug commands at the LOG_WARNING level.

Interface up/down transitions and system restarts at the LOG_NOTICE level.

Reload requests and low process stacks at the LOG_INFO level.

Use the logging host and logging trap commands to send messages to a remote syslog server.

Table 33 logging trap Error Message Logging Priorities 

Level Keyword    Numeric Level    Description                         Syslog Definition

emergencies      0                System unusable                     LOG_EMERG
alerts           1                Immediate action needed             LOG_ALERT
critical         2                Critical conditions                 LOG_CRIT
errors           3                Error conditions                    LOG_ERR
warnings         4                Warning conditions                  LOG_WARNING
notifications    5                Normal but significant condition    LOG_NOTICE
informational    6                Informational messages only         LOG_INFO
debugging        7                Debugging messages                  LOG_DEBUG


Examples

In the following example, system messages of levels 0 (emergencies) through 5 (notifications) are sent to the host at 209.165.200.225:

Router(config)# logging host 209.165.200.225 
Router(config)# logging trap notifications 
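The following is an added example, not part of the Cisco documentation: it applies the logging trap rule ("at or numerically lower than the specified level") to a set of messages, splitting them into those that would be sent to the syslog host and those that would be suppressed. The sample messages are constructed, and the %FACILITY-SEVERITY-MNEMONIC pattern is the IOS message identifier format, parsed here with a regular expression written for this example.

```python
import re

# Keyword-to-number mapping taken from Table 33 on this page.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

# IOS message identifier: %FACILITY-SEVERITY-MNEMONIC
MSG_RE = re.compile(r"%([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+)")

# Constructed sample messages (not captured from a real device).
SAMPLE = [
    "%LINK-3-UPDOWN: Interface Ethernet0, changed state to down",
    "%SYS-5-CONFIG_I: Configured from console by console",
    "%EXAMPLE-6-INFO: constructed informational message",
    "%EXAMPLE-7-DEBUG: constructed debugging message",
    "banner text with no message identifier",
]

def trap_threshold(level):
    """Accept a number or a keyword, as the logging trap command does."""
    text = str(level).strip().lower()
    if text in LEVELS:
        return LEVELS[text]
    if text.isdigit() and 0 <= int(text) <= 7:
        return int(text)
    raise ValueError(f"not a severity level: {level!r}")

def split_by_trap(messages, level):
    """Return (sent, suppressed, unparsed) for the given logging trap level."""
    threshold = trap_threshold(level)
    sent, suppressed, unparsed = [], [], []
    for msg in messages:
        m = MSG_RE.search(msg)
        if not m:
            unparsed.append(msg)            # no severity to compare
        elif int(m.group(2)) <= threshold:  # at or numerically lower: logged
            sent.append(msg)
        else:
            suppressed.append(msg)
    return sent, suppressed, unparsed

if __name__ == "__main__":
    sent, suppressed, unparsed = split_by_trap(SAMPLE, "notifications")
    print(f"sent={len(sent)} suppressed={len(suppressed)} unparsed={len(unparsed)}")
```
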

Related Commands

Command
Description

logging host

Enables remote logging of system logging messages and specifies the syslog server host that messages should be sent to.


logout

To close an active terminal session by logging off the router, use the logout command in user EXEC mode.

logout

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

User EXEC

Command History

Release
Modification

10.0

This command was introduced.


Examples

In the following example, the exit (global) command is used to move from global configuration mode to privileged EXEC mode, the disable command is used to move from privileged EXEC mode to user EXEC mode, and the logout command is used to log off (exit from the active session):

Router(config)# exit
Router# disable
Router> logout 

Related Commands

Command
Description

exit (global)

Exits any configuration mode to the next highest mode in the CLI mode hierarchy.


logout-warning

To warn users of an impending forced timeout, use the logout-warning command in line configuration mode. To restore the default, use the no form of this command.

logout-warning [seconds]

no logout-warning

Syntax Description

seconds

(Optional) Number of seconds that are counted down before session termination. If no number is specified, the default of 20 seconds is used.


Defaults

No warning is sent to the user.

Command Modes

Line configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

This command notifies the user of an impending forced timeout (set using the absolute-timeout command).

Examples

In the following example, a logout warning is configured on line 5 with a countdown value of 30 seconds:

Router(config)# line 5 
Router(config-line)# logout-warning 30 

Related Commands

Command
Description

absolute-timeout

Sets the interval for closing user connections on a specific line or port.

session-timeout

Sets the interval for closing the connection when there is no input or output traffic.


lsr-path

To define a loose source routing (LSR) path for a Cisco Service Assurance Agent (SAA) IP echo operation, use the lsr-path command in SAA RTR configuration mode. To remove the definition, use the no form of this command.

lsr-path {hostname | ip-address} [{hostname | ip-address} ...]

no lsr-path

Syntax Description

{hostname | ip-address}

Hostname or IP address of the first hop in the LSR path.

[{hostname | ip-address}...]

(Optional) Indicates that you can continue specifying host destinations until you specify the final host target. Each host name or IP address specified indicates another hop on the path. The maximum number of hops you can specify is eight. Do not enter the dots (...).


Defaults

LSR path is disabled.

Command Modes

SAA RTR configuration

Command History

Release
Modification

12.0(3)T

This command was introduced.


Usage Guidelines

The maximum number of hops available is eight when an LSR path is configured.

Examples

In the following example, the LSR path is defined for SAA echo operation 1. The target destination for the operation is at 172.16.1.176. The first hop on the LSR path is 172.18.4.149. The second hop on the LSR path is 172.18.16.155.

Router(config)# rtr 1
Router(config-rtr)# type echo protocol ipIcmpEcho 172.16.1.176
Router(config-rtr)# lsr-path 172.18.4.149 172.18.16.155

Related Commands

Command
Description

rtr

Specifies an identification for an SAA operation and enters SAA RTR configuration mode.