Table Of Contents
restore counters
rollback
session
set
set accounting commands
set accounting connect
set accounting exec
set accounting suppress
set accounting system
set accounting update
set acllog ratelimit
set aclmerge algo
set aclmerge bdd
set alias
set arp
set authentication enable
set authentication login
set authorization commands
set authorization enable
set authorization exec
set banner lcd
set banner motd
set banner telnet
set boot auto-config
set boot config-register
set boot config-register auto-config
set boot device
set boot sync now
set boot system flash
set cam
set cam notification
set cdp
set channelprotocol
set channel vlancost
set config acl nvram
set config mode
set cops
set crypto key rsa
restore counters
To restore MAC and port counters, use the restore counters command.
restore counters [all | mod/ports]
Syntax Description
all | (Optional) Specifies all ports.
mod/ports | (Optional) Number of the module and the ports on the module.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If you do not specify a range of ports to be restored, then all ports on the switch are restored.
Examples
This example shows how to restore MAC and port counters:
Console> (enable) restore counters all
This command will restore all counter values reported by the CLI to the hardware counter
values.
Do you want to continue (y/n) [n]? y
MAC and Port counters restored.
Related Commands
clear counters
show port counters
rollback
To clear changes made to the ACL edit buffer since its last save, use the rollback command. The ACL is rolled back to its state at the last commit command.
rollback qos acl {acl_name | all}
rollback security acl {acl_name | all | adjacency}
Syntax Description
qos acl | Specifies QoS ACEs.
acl_name | Name that identifies the VACL whose ACEs are to be affected.
all | Rolls back all ACLs.
security acl | Specifies security ACEs.
adjacency | Rolls back all adjacency tables.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Examples
This example shows how to clear the edit buffer of a specific QoS ACL:
Console> (enable) rollback qos acl ip-8-1
Rollback for QoS ACL ip-8-1 is successful.
This example shows how to clear the edit buffer of a specific security ACL:
Console> (enable) rollback security acl IPACL1
IPACL1 editbuffer modifications cleared.
Related Commands
commit
show qos acl info
session
To open a session with a module (for example, the MSM, NAM, or ATM), use the session command. This command allows you to use the module-specific CLI.
session mod
Syntax Description
mod | Number of the module.
Defaults
This command has no default settings.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
After you enter this command, the system responds with the Enter Password: prompt, if one is configured on the module.
To end the session, enter the quit command.
Use the session command to toggle between router and switch sessions.
For information on ATM commands, refer to the ATM Software Configuration Guide and Command Reference for the Catalyst 5000 Family and 6000 Family Switches.
For information on NAM commands, refer to the Catalyst 6000 Network Analysis Module Installation and Configuration Note.
Examples
This example shows how to open a session with an MSM (module 4):
Escape character is `^]'.
Related Commands
quit
switch console
set
To display all of the ROM monitor variable names with their values, use the set command.
set
Syntax Description
This command has no arguments or keywords.
Defaults
This command has no default settings.
Command Types
ROM monitor command.
Command Modes
Normal.
Examples
This example shows how to display all of the ROM monitor variable names with their values:
Related Commands
varname=
set accounting commands
To enable command event accounting on the switch, use the set accounting commands command.
set accounting commands enable {config | enable | all} [stop-only] {tacacs+}
set accounting commands disable
Syntax Description
enable | Enables the specified accounting method for commands.
config | Permits accounting for configuration commands only.
enable | Permits accounting for enable mode commands only.
all | Permits accounting for all commands.
stop-only | (Optional) Applies the accounting method at the command end.
tacacs+ | Specifies TACACS+ accounting for commands.
disable | Disables accounting for commands.
Defaults
By default, accounting is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must configure the TACACS+ servers before you enable accounting.
Examples
This example shows how to send records at the end of the event only using a TACACS+ server:
Console> (enable) set accounting commands enable config stop-only tacacs+
Accounting set to enable for commands-config events in stop-only mode.
Related Commands
set accounting connect
set accounting exec
set accounting suppress
set accounting system
set accounting update
set tacacs server
show accounting
set accounting connect
To enable accounting of outbound connection events on the switch, use the set accounting connect command.
set accounting connect enable {start-stop | stop-only} {tacacs+ | radius}
set accounting connect disable
Syntax Description
enable | Enables the specified accounting method for connection events.
start-stop | Applies the accounting method at the start and stop of the connection event.
stop-only | Applies the accounting method at the end of the connection event.
tacacs+ | Specifies TACACS+ accounting for connection events.
radius | Specifies RADIUS accounting for connection events.
disable | Disables accounting of connection events.
Defaults
By default, accounting is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must configure the RADIUS or TACACS+ servers and shared secret keys before you enable accounting.
Examples
This example shows how to enable accounting on Telnet and remote login sessions, generating records at stop only using a TACACS+ server:
Console> (enable) set accounting connect enable stop-only tacacs+
Accounting set to enable for connect events in stop-only mode..
Related Commands
set accounting commands
set accounting exec
set accounting suppress
set accounting system
set accounting update
set radius key
set radius server
set tacacs key
set tacacs server
show accounting
set accounting exec
To enable accounting of normal login sessions on the switch, use the set accounting exec command.
set accounting exec enable {start-stop | stop-only} {tacacs+ | radius}
set accounting exec disable
Syntax Description
enable | Enables the specified accounting method for normal login sessions.
start-stop | Specifies that the accounting method applies at the start and stop of the normal login sessions.
stop-only | Specifies that the accounting method applies at the end of the normal login sessions.
tacacs+ | Specifies TACACS+ accounting for normal login sessions.
radius | Specifies RADIUS accounting for normal login sessions.
disable | Disables accounting for normal login sessions.
Defaults
By default, accounting is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must configure the RADIUS or TACACS+ servers and shared secret keys before you enable accounting.
Examples
This example shows how to enable accounting of normal login sessions, generating records at start and stop using a RADIUS server:
Console> (enable) set accounting exec enable start-stop radius
Accounting set to enable for exec events in start-stop mode.
This example shows how to enable accounting of normal login sessions, generating records at stop using a TACACS+ server:
Console> (enable) set accounting exec enable stop-only tacacs+
Accounting set to enable for exec events in stop-only mode.
Related Commands
set accounting commands
set accounting connect
set accounting suppress
set accounting system
set accounting update
set radius key
set radius server
set tacacs key
set tacacs server
show accounting
set accounting suppress
To enable or disable suppression of accounting information for a user who has logged in without a username, use the set accounting suppress command.
set accounting suppress null-username {enable | disable}
Syntax Description
null-username | Specifies that users must have a user ID.
enable | Enables suppression for a specified user.
disable | Disables suppression for a specified user.
Defaults
By default, accounting is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must configure the TACACS+ servers before you enable accounting.
Examples
This example shows how to suppress accounting information for users without a username:
Console> (enable) set accounting suppress null-username enable
Accounting will be suppressed for user with no username.
This example shows how to include accounting event information for users without a username:
Console> (enable) set accounting suppress null-username disable
Accounting will be not be suppressed for user with no username.
Related Commands
set accounting commands
set accounting connect
set accounting exec
set accounting system
set accounting update
set tacacs server
show accounting
set accounting system
To enable accounting of system events on the switch, use the set accounting system command.
set accounting system enable {start-stop | stop-only} {tacacs+ | radius}
set accounting system disable
Syntax Description
enable | Enables the specified accounting method for system events.
start-stop | Specifies that the accounting method applies at the start and stop of the system event.
stop-only | Specifies that the accounting method applies at the end of the system event.
tacacs+ | Specifies TACACS+ accounting for system events.
radius | Specifies RADIUS accounting for system events.
disable | Disables accounting for system events.
Defaults
By default, accounting is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must configure the RADIUS or TACACS+ servers and shared secret keys before you enable accounting.
Examples
This example shows how to enable accounting for system events, sending records only at the end of the event using a RADIUS server:
Console> (enable) set accounting system enable stop-only radius
Accounting set to enable for system events in start-stop mode..
This example shows how to enable accounting for system events, sending records only at the end of the event using a TACACS+ server:
Console> (enable) set accounting system enable stop-only tacacs+
Accounting set to enable for system events in start-stop mode..
Related Commands
set accounting commands
set accounting connect
set accounting exec
set accounting suppress
set accounting update
set radius key
set radius server
set tacacs key
set tacacs server
show accounting
set accounting update
To configure the frequency of accounting updates, use the set accounting update command.
set accounting update {new-info | {periodic [interval]}}
Syntax Description
new-info | Specifies an update when new information is available.
periodic | Specifies an update on a periodic basis.
interval | (Optional) Periodic update interval time; valid values are from 1 to 71582 minutes.
Defaults
By default, accounting is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
You must configure the TACACS+ servers before you enable accounting.
Examples
This example shows how to send accounting updates every 200 minutes:
Console> (enable) set accounting update periodic 200
Accounting updates will be periodic at 200 minute intervals.
This example shows how to send accounting updates only when there is new information:
Console> (enable) set accounting update new-info
Accounting updates will be sent on new information only.
Related Commands
set accounting commands
set accounting connect
set accounting exec
set accounting suppress
set accounting system
set tacacs server
show accounting
set acllog ratelimit
To limit the number of packets sent to the route processor CPU for bridged ACEs, use the set acllog ratelimit command.
set acllog ratelimit rate
Syntax Description
rate | Number of packets per second; valid values are 1 to 1000. See the "Usage Guidelines" section for more information.
Defaults
ACL log rate limiting is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
After entering the set acllog ratelimit command or the clear acllog command, you must either reset the route processor or perform a shut/no shut on the route processor interfaces that have ACEs with the log keyword applied.
After entering the set acllog ratelimit command, the reset or shut/no shut action causes the bridged ACEs to be redirected to the route processor with rate limiting.
To disable ACL log rate limiting, enter the clear acllog command. After entering the clear acllog command, the reset or shut/no shut action causes the system to return to its previous behavior. The bridge action remains unchanged.
If the number of packets per second is greater than the rate that you specify, the packets that exceed the specified rate are dropped.
A rate value of 500 is recommended.
Examples
This example shows how to enable ACL logging and to specify a rate of 500 for rate limiting:
Console> (enable) set acllog ratelimit 500
If the ACLs-LOG were already applied, the rate limit mechanism will be effective on system
restart, or after shut/no shut the interface.
Related Commands
clear acllog
show acllog
set aclmerge algo
To select the ACL merge algorithm, use the set aclmerge algo command.
set aclmerge algo {bdd | odm}
Syntax Description
bdd | Specifies the ACL merge function based on binary decision diagram (BDD).
odm | Specifies the ACL merge function based on order dependent merge (ODM).
Defaults
The merge algorithm is ODM.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
If BDD is disabled, the merge algorithm can only be ODM. When BDD is enabled, you can choose either the BDD algorithm or the ODM algorithm. Use the set aclmerge bdd command to enable or disable BDD.
The ACL merge algorithm that you select is in effect for all new ACL merges. The ACLs already configured are not modified, and they use the ACL merge algorithm that was enabled when the ACLs were merged.
Examples
This example shows how to select ODM as the ACL merge algorithm:
Console> (enable) set aclmerge algo odm
Acl merge algorithm set to odm.
Related Commands
set aclmerge bdd
show aclmerge
set aclmerge bdd
To enable or disable the binary decision diagram (BDD) ACL merge algorithm, use the set aclmerge bdd command.
set aclmerge bdd {enable | disable}
Syntax Description
enable | Enables the BDD-based ACL merge function.
disable | Disables the BDD-based ACL merge function.
Defaults
BDD is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you enable or disable BDD, the change takes effect when your system is restarted.
BDD must be enabled in order to change the ACL merge algorithm.
Enabling BDD on a supervisor engine with 64 MB of RAM could cause memory to run low. To avoid this situation, upgrade the memory or disable BDD.
Examples
This example shows how to disable BDD:
Console> (enable) set aclmerge bdd disable
Bdd will be disabled on system restart.
This example shows how to enable BDD:
Console> (enable) set aclmerge bdd enable
Warning:enabling bdd on a supervisor with 64MB RAM
could cause memory to run low, to avoid this situation
please upgrade the memory or disable BDD.
Bdd will be enabled on system restart.
Related Commands
set aclmerge algo
show aclmerge
set alias
To define aliases (shorthand versions) of commands, use the set alias command.
set alias name command [parameter] [parameter]
Syntax Description
name | Alias being created.
command | Command for which the alias is being created.
parameter | (Optional) Parameters that apply to the command for which an alias is being created.
Defaults
By default, no aliases are configured.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
The name all cannot be defined as an alias. Reserved words cannot be defined as aliases.
For additional information about the parameter value, see the specific command for information about applicable parameters.
Examples
This example shows how to set the alias for the clear arp command as arpdel:
Console> (enable) set alias arpdel clear arp
Related Commands
clear alias
show alias
set arp
To add IP address-to-MAC address mapping entries to the ARP table and to set the ARP aging time for the table, use the set arp command.
set arp [dynamic | permanent | static] {ip_addr hw_addr}
set arp agingtime agingtime
Syntax Description
dynamic | (Optional) Specifies that entries are subject to ARP aging updates.
permanent | (Optional) Specifies that permanent entries are stored in NVRAM until they are removed by the clear arp or clear config command.
static | (Optional) Specifies that entries are not subject to ARP aging updates.
ip_addr | IP address or IP alias to map to the specified MAC address.
hw_addr | MAC address to map to the specified IP address or IP alias.
agingtime | Sets the period of time after which an ARP entry is removed from the ARP table.
agingtime | Number of seconds that entries will remain in the ARP table before being deleted; valid values are from 0 to 1,000,000 seconds. Setting this value to 0 disables aging.
Defaults
By default, no ARP table entries exist and ARP aging is set to 1200 seconds.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When entering the hw_addr value, use a 6-byte hexadecimal MAC address in canonical (00-11-22-33-44-55) or noncanonical (00:11:22:33:44:55) format.
Static (nonpermanent) entries remain in the ARP table until you reset the active supervisor engine.
Examples
This example shows how to configure a dynamic ARP entry mapping that will age out after the configured ARP aging time:
Console> (enable) set arp dynamic 198.133.219.232 00-00-0c-40-0f-bc
This example shows how to set the aging time for the ARP table to 1800 seconds:
Console> (enable) set arp agingtime 1800
ARP aging time set to 1800 seconds.
This example shows how to configure a permanent ARP entry, which will remain in the ARP cache after a system reset:
Console> (enable) set arp permanent 198.146.232.23 00-00-0c-30-0f-bc
Permanent ARP entry added as
198.146.232.23 at 00-00-0c-30-0f-bc on vlan 5
This example shows how to configure a static ARP entry, which will be removed from the ARP cache after a system reset:
Console> (enable) set arp static 198.144.239.22 00-00-0c-50-0f-bc
Static ARP entry added as
198.144.239.22 at 00-00-0c-50-0f-bc on vlan 5
Related Commands
clear arp
show arp
set authentication enable
To enable authentication using the TACACS+, RADIUS, or Kerberos server to determine if you have privileged access permission, use the set authentication enable command.
set authentication enable {radius | tacacs | kerberos} enable [console | telnet | http | all] [primary]
set authentication enable {enable | disable} [console | telnet | http | all] [primary]
set authentication enable local {enable | disable} [console | telnet | http | all] [primary]
set authentication enable attempt count [console | telnet]
set authentication enable lockout time [console | telnet]
Syntax Description
radius | Specifies RADIUS authentication for login.
tacacs | Specifies TACACS+ authentication for login.
kerberos | Specifies Kerberos authentication for login.
enable | Enables the specified authentication method for login.
console | (Optional) Specifies the authentication method for console sessions.
telnet | (Optional) Specifies the authentication method for Telnet sessions.
http | (Optional) Specifies the authentication method for HTTP sessions.
all | (Optional) Applies the authentication method to all session types.
primary | (Optional) Specifies that the specified authentication method be tried first.
disable | Disables the specified authentication method for login.
local | Specifies local authentication for login.
attempt count | Specifies the number of connection attempts before initiating an error; valid values are from 3 to 10, and 0 to disable.
lockout time | Specifies the lockout timeout; valid values are from 30 to 600 seconds, and 0 to disable.
Defaults
Local authentication is enabled for console and Telnet sessions. RADIUS, TACACS+, and Kerberos are disabled for all session types. If authentication is enabled, the default attempt count is 3.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
Use authentication configuration for both console and Telnet connection attempts unless you use the console or telnet keywords to specify the authentication methods for each connection type individually.
Examples
This example shows how to use the TACACS+ server to determine if a user has privileged access permission:
Console> (enable) set authentication enable tacacs enable
tacacs enable authentication set to enable for console, telnet and http session.
This example shows how to use the local password to determine if the user has privileged access permission:
Console> (enable) set authentication enable local enable
local enable authentication set to enable for console, telnet and http session.
This example shows how to use the RADIUS server to determine if a user has privileged access permission for all session types:
Console> (enable) set authentication enable radius enable
radius enable authentication set to enable for console, telnet and http session.
This example shows how to use the TACACS+ server to determine if a user has privileged access permission for console sessions:
Console> (enable) set authentication enable tacacs enable console
tacacs enable authentication set to enable for console session.
This example shows how to set the Kerberos server to be used first:
Console> (enable) set authentication enable kerberos enable primary
kerberos enable authentication set to enable for console, telnet and http session as
primary authentication method.
This example shows how to limit enable mode login attempts:
Console> (enable) set authentication enable attempt 5
Enable mode authentication attempts for console and telnet logins set to 5.
This example shows how to set the enable mode lockout time for both console and Telnet connections:
Console> (enable) set authentication enable lockout 50
Enable mode lockout time for console and telnet logins set to 50.
Related Commands
set authentication login
show authentication
set authentication login
To enable TACACS+, RADIUS, or Kerberos as the authentication method for login, use the set authentication login command.
set authentication login {radius | tacacs | kerberos} enable [console | telnet | http | all] [primary]
set authentication login {radius | tacacs | kerberos} disable [console | telnet | http | all]
set authentication login {enable | disable} [console | telnet | http | all]
set authentication login local {enable | disable} [console | telnet | http | all]
set authentication login attempt count [console | telnet]
set authentication login lockout time [console | telnet]
Syntax Description
radius | Specifies the use of the RADIUS server password to determine if you have access permission to the switch.
tacacs | Specifies the use of the TACACS+ server password to determine if you have access permission to the switch.
kerberos | Specifies the use of the Kerberos server password to determine if you have access permission to the switch.
enable | Enables the specified authentication method for login.
console | (Optional) Specifies the authentication method for console sessions.
telnet | (Optional) Specifies the authentication method for Telnet sessions.
http | (Optional) Specifies the authentication method for HTTP sessions.
all | (Optional) Specifies the authentication method for all session types.
primary | (Optional) Specifies that the method specified is the primary authentication method for login.
disable | Disables the specified authentication method for login.
local | Specifies a local password to determine if you have access permission to the switch.
attempt count | Specifies the number of login attempts before initiating an error; valid values are from 3 to 10, and 0 to disable.
lockout time | Specifies the lockout timeout; valid values are from 30 to 43200 seconds, and 0 to disable.
Defaults
Local authentication is the primary authentication method for login.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
This command allows you to choose the authentication method for the web interface. If you configure the authentication method for the HTTP session as RADIUS, then the username or password is validated using the RADIUS protocol, and TACACS+ and Kerberos authentication is set to disable for the HTTP sessions. By default, the HTTP login is validated using the local login password.
You can specify the authentication method for console, telnet, http, or all by entering the console, telnet, http, or all keywords. If you do not specify console, telnet, http, or all, the authentication method default is for all sessions.
Examples
This example shows how to disable TACACS+ authentication access for Telnet sessions:
Console> (enable) set authentication login tacacs disable telnet
tacacs login authentication set to disable for the telnet sessions.
This example shows how to disable RADIUS authentication access for console sessions:
Console> (enable) set authentication login radius disable console
radius login authentication set to disable for the console sessions.
This example shows how to disable Kerberos authentication access for Telnet sessions:
Console> (enable) set authentication login kerberos disable telnet
kerberos login authentication set to disable for the telnet sessions.
This example shows how to set TACACS+ authentication access as the primary method for HTTP sessions:
Console> (enable) set authentication login tacacs enable http primary
tacacs login authentication set to enable for HTTP sessions as primary authentification
method.
This example shows how to limit login attempts:
Console> (enable) set authentication login attempt 5
Login authentication attempts for console and telnet logins set to 5.
This example shows how to set the lockout time for both console and Telnet connections:
Console> (enable) set authentication login lockout 50
Login lockout time for console and telnet logins set to 50.
Related Commands
set authentication enable
show authentication
set authorization commands
To enable authorization of command events on the switch, use the set authorization commands command.
set authorization commands enable {config | enable | all} {option} {fallbackoption} [console | telnet | both]
set authorization commands disable [console | telnet | both]
Syntax Description
enable | Enables the specified authorization method for commands.
config | Permits authorization for configuration commands only.
enable | Permits authorization for enable mode commands only.
all | Permits authorization for all commands.
option | Switch response to an authorization request; valid values are tacacs+, if-authenticated, and none. See the "Usage Guidelines" section for valid value definitions.
fallbackoption | Switch fallback response to an authorization request if the TACACS+ server is down or not responding; valid values are tacacs+, deny, if-authenticated, and none. See the "Usage Guidelines" section for valid value definitions.
disable | Disables authorization of command events.
console | (Optional) Specifies the authorization method for console sessions.
telnet | (Optional) Specifies the authorization method for Telnet sessions.
both | (Optional) Specifies the authorization method for both console and Telnet sessions.
Defaults
By default, authorization is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you define the option and fallbackoption values, the following occurs:
• tacacs+ specifies the TACACS+ authorization method.
• deny does not let you proceed.
• if-authenticated allows you to proceed with your action if you have been authenticated.
• none allows you to proceed without further authorization in case the TACACS+ server does not respond.
Examples
This example shows how to enable authorization for all commands with the if-authenticated option and none fallbackoption:
Console> (enable) set authorization commands enable all if-authenticated none
Successfully enabled commands authorization.
This example shows how to disable command authorization:
Console> (enable) set authorization commands disable
Successfully disabled commands authorization.
Related Commands
set authorization enable
set authorization exec
show authorization
set authorization enable
To enable authorization of privileged mode sessions on the switch, use the set authorization enable command.
set authorization enable enable {option} {fallbackoption} [console | telnet | both]
set authorization enable disable [console | telnet | both]
Syntax Description
enable | Enables the specified authorization method.
option | Switch response to an authorization request; valid values are tacacs+, if-authenticated, and none. See the "Usage Guidelines" section for valid value definitions.
fallbackoption | Switch fallback response to an authorization request if the TACACS+ server is down or not responding; valid values are tacacs+, deny, if-authenticated, and none. See the "Usage Guidelines" section for valid value definitions.
disable | Disables the authorization method.
console | (Optional) Specifies the authorization method for console sessions.
telnet | (Optional) Specifies the authorization method for Telnet sessions.
both | (Optional) Specifies the authorization method for both console and Telnet sessions.
Defaults
By default, authorization is disabled.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you define the option and fallbackoption values, the following occurs:
• tacacs+ specifies the TACACS+ authorization method.
• deny does not let you proceed.
• if-authenticated allows you to proceed with your action if you have been authenticated.
• none allows you to proceed without further authorization in case the TACACS+ server does not respond.
Examples
This example shows how to enable authorization of configuration commands in enable (privileged login) mode sessions:
Console> (enable) set authorization enable enable if-authenticated none
Successfully enabled enable authorization.
This example shows how to disable enable mode authorization:
Console> (enable) set authorization enable disable
Successfully disabled enable authorization.
Related Commands
set authorization commands
set authorization exec
show authorization
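Added example (not part of the Cisco reference and not Cisco code): a small linter that reads saved "set" lines and checks them against the value sets and ranges documented on this page for set authorization, set authentication attempt/lockout, and set accounting. It assumes the configuration is available as text with one command per line in the syntax shown above; the rule names, the policy of treating a non-tacacs+ primary option or a "none" fallback as findings, and the sample configuration are constructed for illustration.

```python
"""AAA lint for CatOS-style 'set' lines (added example, not Cisco code)."""
from typing import NamedTuple


class Finding(NamedTuple):
    line_no: int   # 0 = applies to the configuration as a whole
    rule: str      # rule names are hypothetical, chosen for this example
    detail: str


# Value sets and ranges as given in the Syntax Description tables on this page.
PRIMARY_OPTIONS = {"tacacs+", "if-authenticated", "none"}
FALLBACK_OPTIONS = {"tacacs+", "deny", "if-authenticated", "none"}
LOCKOUT_MAX = {"login": 43200, "enable": 600}   # seconds; minimum is 30
ACCOUNTING_EVENTS = ("commands", "connect", "exec", "system")

# Constructed sample input, not taken from a real switch.
SAMPLE_CONFIG = """\
set authentication login tacacs enable telnet primary
set authentication login attempt 0
set authentication login lockout 50
set authentication enable attempt 5
set authentication enable lockout 20
set authorization commands enable config tacacs+ none both
set authorization enable enable tacacs+ deny telnet
set authorization exec enable if-authenticated none console
set accounting commands enable config stop-only tacacs+
set accounting suppress null-username enable
"""


def _authorization(n, args):
    """args follows 'set authorization': {commands|enable|exec} enable ..."""
    kind, rest = args[0], args[1:]
    if rest[:1] != ["enable"]:
        return []                       # 'disable' form: the documented default
    # 'commands' carries an extra {config | enable | all} keyword before option.
    rest = rest[2:] if kind == "commands" else rest[1:]
    if (len(rest) < 2 or rest[0] not in PRIMARY_OPTIONS
            or rest[1] not in FALLBACK_OPTIONS):
        return [Finding(n, "authz-syntax", "option/fallbackoption missing or invalid")]
    option, fallback = rest[0], rest[1]
    out = []
    if option != "tacacs+":
        out.append(Finding(n, "authz-not-tacacs",
                           f"{kind}: primary option is '{option}', not tacacs+"))
    if fallback == "none":
        out.append(Finding(n, "authz-fail-open",
                           f"{kind}: fallback 'none' lets the action proceed "
                           "when the TACACS+ server does not respond"))
    return out


def _auth_limits(n, mode, args):
    """args follows 'set authentication {login|enable}': attempt N / lockout N."""
    if len(args) < 2 or args[0] not in ("attempt", "lockout") or not args[1].isdigit():
        return []                       # a method line (radius/tacacs/...), not a limit
    what, value = args[0], int(args[1])
    low, high = (3, 10) if what == "attempt" else (30, LOCKOUT_MAX[mode])
    if value == 0:
        return [Finding(n, f"{what}-disabled", f"{mode} {what} is set to 0 (disabled)")]
    if not low <= value <= high:
        return [Finding(n, f"{what}-range",
                        f"{mode} {what} {value} is outside {low}..{high}")]
    return []


def audit(config: str) -> list:
    """Return findings for every 'set' line in config, in input order."""
    findings, accounted = [], set()
    for n, raw in enumerate(config.splitlines(), 1):
        tok = raw.split()
        if len(tok) < 3 or tok[0] != "set":
            continue
        if tok[1] == "authorization":
            findings += _authorization(n, tok[2:])
        elif tok[1] == "authentication" and tok[2] in LOCKOUT_MAX:
            findings += _auth_limits(n, tok[2], tok[3:])
        elif tok[1] == "accounting":
            if tok[2] in ACCOUNTING_EVENTS:
                if tok[3:4] == ["enable"]:
                    accounted.add(tok[2])
                else:
                    accounted.discard(tok[2])   # a later 'disable' wins
            elif tok[2:5] == ["suppress", "null-username", "enable"]:
                findings.append(Finding(n, "acct-suppress",
                                        "no accounting records for users without a username"))
    for event in ACCOUNTING_EVENTS:
        if event not in accounted:      # documented default: accounting is disabled
            findings.append(Finding(0, "acct-disabled",
                                    f"accounting for {event} events is not enabled"))
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no:>2}  {f.rule:<18} {f.detail}")
```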
set authorization exec
To enable authorization of exec (normal login) mode session events on the switch, use the set authorization exec command.
set authorization exec enable {option} {fallbackoption} [console | telnet | both]
set authorization exec disable [console | telnet | both]
Syntax Description
enable | Enables the specified authorization method.
option | Switch response to an authorization request; valid values are tacacs+, if-authenticated, and none. See the "Usage Guidelines" section for valid value definitions.
fallbackoption | Switch fallback response to an authorization request if the TACACS+ server is down or not responding; valid values are tacacs+, deny, if-authenticated, and none. See the "Usage Guidelines" section for valid value definitions.
disable | Disables the authorization method.
console | (Optional) Specifies the authorization method for console sessions.
telnet | (Optional) Specifies the authorization method for Telnet sessions.
both | (Optional) Specifies the authorization method for both console and Telnet sessions.
Defaults
By default, authorization is denied.
Command Types
Switch command.
Command Modes
Privileged.
Usage Guidelines
When you define the option and fallbackoption values, the following occurs:
• tacacs+ specifies the TACACS+ authorization method.
• deny fails authorization if the TACACS+ server does not respond.
• if-authenticated allows you to proceed with your action if the TACACS+ server does not respond and you have been authenticated.
• none allows you to proce