CFR Commands: ip ftp password through lsr-path

Table Of Contents

ip ftp password

ip ftp source-interface

ip ftp username

ip http access-class

ip http authentication

ip http client connection

ip http client password

ip http client proxy-server

ip http client secure-ciphersuite

ip http client secure-trustpoint

ip http client source-interface

ip http client username

ip http max-connections

ip http path

ip http port

ip http secure-ciphersuite

ip http secure-client-auth

ip http secure-port

ip http secure-server

ip http secure-trustpoint

ip http server

ip http timeout-policy

ip rarp-server

ip rcmd domain-lookup

ip rcmd rcp-enable

ip rcmd remote-host

ip rcmd remote-username

ip rcmd rsh-enable

ip rcmd source-interface

ip sla monitor

ip sla monitor apm cache-size

ip sla monitor apm copy

ip sla monitor apm lowWaterMark

ip sla monitor apm operation

ip sla monitor group schedule

ip sla monitor key-chain

ip sla monitor logging traps

ip sla monitor low-memory

ip sla monitor reaction-configuration

ip sla monitor reaction-trigger

ip sla monitor reset

ip sla monitor responder

ip sla monitor responder type frame-relay

ip sla monitor responder type tcpConnect ipaddress

ip sla monitor responder type udpEcho ipaddress

ip sla monitor restart

ip sla monitor schedule

ip sla monitor slm frame-relay statistics

ip telnet source-interface

ip tftp source-interface

kron occurrence

kron policy-list

length

line-cli

lives-of-history-kept

load-interval

location

lock

lockable

log config

logging buffered

logging buffered filtered

logging buffered xml

logging cns-events

logging console

logging console filtered

logging console xml

logging count

logging enable (config-archive-log)

logging facility

logging filter

logging history

logging history size

logging host

logging linecard

logging monitor

logging monitor filtered

logging monitor xml

logging on

logging origin-id

logging rate-limit

logging size (config-archive-log)

logging source-interface

logging synchronous

logging trap

logging userinfo

logout

logout-warning

lsr-path


ip ftp password

To specify the password to be used for File Transfer Protocol (FTP) connections, use the ip ftp password command in global configuration mode. To return the password to its default, use the no form of this command.

ip ftp password [type] password

no ip ftp password

Syntax Description

type

(Optional) Type of encryption to use on the password. A value of 0 disables encryption. A value of 7 indicates proprietary encryption.

password

Password to use for FTP connections.


Defaults

The router forms a password username@routername.domain. The variable username is the username associated with the current session, routername is the configured host name, and domain is the domain of the router.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Examples

The following example configures the router to use the username "red" and the password "blue" for FTP connections:

Router(config)# ip ftp username red 
Router(config)# ip ftp password blue 

Related Commands

Command
Description

ip ftp password

Specifies the password to be used for FTP connections.

ip ftp source-interface

Specifies the source IP address for FTP connections.

ip ftp username

Configures the username for FTP connections.


ip ftp source-interface

To specify the source IP address for File Transfer Protocol (FTP) connections, use the ip ftp source-interface command in global configuration mode. To use the address of the interface where the connection is made, use the no form of this command.

ip ftp source-interface interface

no ip ftp source-interface

Syntax Description

interface

The interface type and number to use to obtain the source address for FTP connections.


Defaults

The FTP source address is the IP address of the interface the FTP packets use to leave the router.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

Use this command to set the same source address for all FTP connections.

Examples

The following example configures the router to use the IP address associated with Ethernet interface 0 as the source address on all FTP packets, regardless of which interface is actually used to send the packet:

ip ftp source-interface ethernet 0

Related Commands

Command
Description

ip ftp passive

Configures the router to use only passive FTP connections

ip ftp password

Specifies the password to be used for FTP connections.

ip ftp username

Configures the username for FTP connections.


ip ftp username

To configure the username for File Transfer Protocol (FTP) connections, use the ip ftp username command in global configuration mode. To configure the router to attempt anonymous FTP, use the no form of this command.

ip ftp username username

no ip ftp username

Syntax Description

username

Username for FTP connections.


Defaults

The Cisco IOS software attempts an anonymous FTP.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

The remote username must be associated with an account on the destination server.

Examples

In the following example, the router is configured to use the username "red" and the password "blue" for FTP connections:

Router(config)# ip ftp username red 
Router(config)# ip ftp password blue 

Related Commands

Command
Description

ip ftp passive

Configures the router to use only passive FTP connections.

ip ftp password

Specifies the password to be used for FTP connections.

ip ftp source-interface

Specifies the source IP address for FTP connections.


ip http access-class

To specify the access list that should be used to restrict access to the HTTP server, use the ip http access-class command in global configuration mode. To remove a previously configured access list association, use the no form of this command.

ip http access-class access-list-number

no ip http access-class access-list-number

Syntax Description

access-list-number

Standard IP access list number in the range 0 to 99, as configured by the access-list global configuration command.


Defaults

No access list is applied to the HTTP server.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

If this command is configured, the specified access list is assigned to the HTTP server. Before the HTTP server accepts a connection, it checks the access list. If the check fails, the HTTP server does not accept the request for a connection.

Examples

In the following example the access list identified as "20" is defined and assigned to the HTTP server:

Router(config)# ip access-list standard 20 
Router(config-std-nacl)# permit 209.165.202.0 0.0.0.255 
Router(config-std-nacl)# permit 209.165.0.0 0.0.255.255 
Router(config-std-nacl)# permit 209.0.0.0 0.255.255.255 
! (Note: all other access implicitly denied)
Router(config-std-nacl)# exit 
Router(config)# ip http access-class 20 

Related Commands

Command
Description

ip access-list

Assigns an ID to an access list and enters access list configuration mode.

ip http server

Enables the HTTP 1.1 server, including the Cisco web browser user interface.


ip http authentication

To specify a particular authentication method for HTTP server users, use the ip http authentication command in global configuration mode. To disable a configured authentication method, use the no form of this command.

ip http authentication {aaa {command-authorization level listname | exec-authorization listname | login-authentication listname} | enable | local | tacacs}

no ip http authentication {aaa {command-authorization level listname | exec-authorization listname | login-authentication listname} | enable | local | tacacs}

Syntax Description

aaa

Indicates that the authentication method used for the authentication, authorization, and accounting (AAA) login service should be used for authentication. The AAA login authentication method is specified by the aaa authentication login default command, unless otherwise specified by the login-authentication listname keyword and argument.

command-
authorization

Sets the authorization method list for commands at the specified privilege level.

level

Indicates a privilege value from 0 through 15. By default, there are the following three command privilege levels on the router:

0—Includes the disable, enable, exit, help, and logout commands.

1—Includes all user-level commands at the router > prompt.

15—Includes all enable-level commands at the router > prompt.

listname

Sets the name of the method list.

exec-authorization

Sets the method list for exec authorization.

login-
authentication

Sets the method list for login authentication.

enable

Indicates that the "enable" password should be used for authentication. (This is the default method.)

local

Indicates that the login user name, password and privilege level access combination specified in the local system configuration (by the username global configuration command) should be used for authentication and authorization.

tacacs

Indicates that the TACACS (or XTACACS) server should be used for authentication.


Defaults

The "enable" password is required when users (clients) connect to the HTTP server.
Three command privilege levels exist on the router.

Command Modes

Global configuration

Command History

Release
Modification

11.2 F

This command was introduced.

12.3(8)T

The tacacs keyword was removed. The command-authorization, exec-authorization, and login-authentication keywords were added.


Usage Guidelines

The ip http authentication command specifies the authentication method to be used for login when a client connects to the HTTP server. Use of the ip http authentication aaa command option is recommended. The enable, local, and tacacs methods should be specified using the aaa authentication login command.

The "enable" password method is the default HTTP server authentication method. If the enable password is used as the HTTP server login authentication method, the client connects to the HTTP server with a default privilege level of 15.


Note When the "enable" password is used as the HTTP server login authentication method, any username entered will be ignored; the server will only verify the "enable" password. This may make it easier for an attacker to access the router. Because a username and password pair is more secure than using only a password for authentication, using only "enable" password for authentication is strongly discouraged. Instead, use of the local or tacacs authentication options, configured as part of a global Authentication, Authorization, and Accounting (AAA) framework, is recommended.
To configure HTTP access as part of a AAA policy, use the ip http authentication aaa command option. The "local", "tacacs", or "enable" authentication methods should then be configured using the aaa authentication login command.


For information about adding users into the local username database, refer to the Cisco IOS Security Configuration Guide.

Examples

The following example specifies that the method configured for AAA should be used for authentication for HTTP server users. The AAA login method is configured as the "local" username/password authentication method. This example specifies that the local username database be used for login authentication and exec authorization of HTTP sessions:

router(config)# aaa authentication login LOCALDB local 
router(config)# aaa authorization exec LOCALDB local
router(config)# ip http authentication aaa login-authentication LOCALDB
router(config)# ip http authentication aaa exec-authorization LOCALDB

Related Commands

Command
Description

aaa authentication login

Specifies the login authentication method to be used by the AAA service.

aaa authorization

Sets parameters that restrict user access to a network.

ip http server

Enables the HTTP server.


ip http client connection

To configure the HTTP client connection, use the ip http client connection command in global configuration mode. To change or remove a configuration, use the no form of this command.

ip http client connection {forceclose | idle timeout seconds | timeout seconds}

no ip http client connection {forceclose | idle timeout seconds | timeout seconds}

Syntax Description

forceclose

Disables a persistent connection.

idle timeout seconds

Sets the period of time allowed for an idle connection between an HTTP client and server before the connection is closed. Accepted range is from 1 to 60 seconds. Default period is 30 seconds.

timeout seconds

Sets the maximum time the HTTP client will wait for a connection. Accepted range is from 1 to 60 seconds. Default is 10 seconds.


Defaults

Persistent connection maintenance is enabled.
30 second idle timeout
10 second maximum timeout
0 retry attempts

Command Modes

Global configuration

Command History

Release
Modification

12.3(7)T

This command was introduced.


Usage Guidelines

Use this command to configure the characteristics for establishing an HTTP client connection.

Examples

The following example configures the default HTTP client persistent connection for a 15 second idle connection period. The maximum time the HTTP client will wait for a connection is 10 seconds.

Router(config)# ip http client connection idle timeout 15

Related Commands

Command
Description

copy

Copies a file from any supported remote location to a local file system, or from a local file system to a remote location, or from a local file system to a local file system.

debug ip http client

Enables debugging output for the HTTP client.

ip http client password

Configures a password for all HTTP client connections.

ip http client proxy-server

Configures an HTTP proxy server.

ip http client source-interface

Configures a source interface for the HTTP client.

ip http client username

Configures a login name for all HTTP client connections.

show ip http client connection

Displays a report about HTTP client active connections.

show ip http client history

Displays the URLs accessed by the HTTP client.

show ip http client session-module

Displays a report about sessions that have registered with the HTTP client.


ip http client password

To configure the default password used for connections to remote HTTP servers, use the ip http client password command in global configuration mode. To remove a configured default password from the configuration, use the no form of this command.

ip http client password password

no ip http client password password

Syntax Description

password

The password string to be used in HTTP client connection requests sent to remote HTTP servers.


Defaults

No default password exists for the HTTP connections.

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)T

This command was introduced.


Usage Guidelines

This command is used to configure a default password before a file is download from a remote web server using the copy http:// or copy https:// command. The default password will be overridden by a password specified in the URL of the copy command.

The password is encrypted in the configuration files.

Examples

In the following example the default HTTP password is configured as Secret and the default HTTP username is configured as User2 for connections to remote HTTP or Secure HTTP (HTTPS) servers:

Router(config)# ip http client password Secret
Router(config)# ip http client username User2
Router(config)# do show running-config | include ip http client

Related Commands

Command
Description

copy

Copies a file from any supported remote location to a local file system, or from a local file system to a remote location, or from a local file system to a local file system.

debug ip http client

Enables debugging output for the HTTP client.

ip http client connection

Configures the HTTP client connection.

ip http client proxy-server

Configures an HTTP proxy server.

ip http client source-interface

Configures a source interface for the HTTP client.

ip http client username

Configures a login name for all HTTP client connections.

show ip http client connection

Displays a report about HTTP client active connections.

show ip http client history

Displays the URLs accessed by the HTTP client.

show ip http client session-module

Displays a report about sessions that have registered with the HTTP client.


ip http client proxy-server

To configure an HTTP proxy server, use the ip http client proxy-server command in global configuration mode. To disable or change the proxy server, use the no form of this command.

ip http client proxy-server proxy-name | ip-address [proxy-port port-number]

no ip http client proxy-server proxy-name | ip-address [proxy-port port-number]

Syntax Description

proxy-name | ip-address

Name or IP address for the proxy server.

proxy-port port-number

(Optional) Specifies a port number on the remote proxy server.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.3(7)T

This command was introduced.


Usage Guidelines

This command configures the HTTP client to connect to a remote proxy server for HTTP file system client connections.

The optional proxy-port port-number keyword and argument specify the proxy port number on the remote proxy server.

Examples

The following example configures the HTTP proxy server named edge2 at port 29:

Router(config)# ip http client proxy-server edge2 proxy-port 29

Related Commands

Command
Description

copy

Copies a file from any supported remote location to a local file system, or from a local file system to a remote location, or from a local file system to a local file system.

debug ip http client

Enables debugging output for the HTTP client.

ip http client connection

Configures the HTTP client connection.

ip http client password

Configures a password for all HTTP client connections.

ip http client source-interface

Configures a source interface for the HTTP client.

ip http client username

Configures a login name for all HTTP client connections.

show ip http client connection

Displays a report about HTTP client active connections.

show ip http client history

Displays the URLs accessed by the HTTP client.

show ip http client session-module

Displays a report about sessions that have registered with the HTTP client.


ip http client secure-ciphersuite

To specify the CipherSuite that should be used for encryption over the secure HTTP connection from the client to a remote server, use the ip http client secure-ciphersuite command in global configuration mode. To remove a previously configured CipherSuite specification for the client, use the no form of this command.

ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]}

no ip http client secure-ciphersuite

Syntax Description

3des-ede-cbc-sha

SSL_RSA_WITH_3DES_EDE_CBC_SHA—RSA key exchange with 3DES and DES-EDE3-CBC for message encryption and SHA for message digest.

rc4-128-sha

SSL_RSA_WITH_RC4_128_SHA—RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and SHA for message digest.

rc4-128-md5

SSL_RSA_WITH_RC4_128_MD5—RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and MD5 for message digest.

des-cbc-sha

SSL_RSA_WITH_DES_CBC_SHA—RSA key exchange with DES-CBC for message encryption and SHA for message digest.


Defaults

The client and server negotiate the best CipherSuite that they both support from the list of available CipherSuites.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command allows you to restrict the list of CipherSuites (encryption algorithms) that the client offers when connecting to a secure HTTP server. For example, you may want to allow only the most secure CipherSuite(s) to be used.

Unless you have a reason to specify the CipherSuites that should be used, or you are unfamiliar with the details of these CipherSuites, you should leave this command unconfigured and let the server and client negotiate the CipherSuite that they both support (this is the default). The no form of this command returns the list of available CipherSuites to the default (that is, all CipherSuites supported on your device are available for negotiation).

Examples

In the following example the HTTPS client is configured to use only the SSL_RSA_WITH_3DES_EDE_CBC_SHA CipherSuite:

Router(config)# ip http client secure-ciphersuite 3des-ede-cbc-sha

Related Commands

Command
Description

show ip http client secure status

Displays the configuration status of the secure HTTP client.


ip http client secure-trustpoint

To specify the remote Certificate of Authority (CA) trustpoint that should be used if certification is needed for the secure HTTP client, use the ip http client secure-trustpoint command in global configuration mode. To remove a client trustpoint from the configuration, use the no form of this command.

ip http client secure-trustpoint trustpoint-name

no ip http client secure-trustpoint trustpoint-name

Syntax Description

trustpoint-name

Name of a configured trustpoint. Use the same trustpoint name that was used in the associated crypto ca trustpoint command.


Defaults

If the remote HTTPS server requests client certification, the secure HTTP client will use the trustpoint configured as primary in the CA trustpoint configuration.

If a trustpoint is not configured, client certification will fail.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command specifies that the secure HTTP client should use the certificate associated with the trustpoint indicated by the trustpoint-name argument. Use the same trustpoint name that you used in the associated crypto ca trustpoint command.

The specified X.509v3 security certificate will be used by the secure HTTP (HTTPS) client for cases when the remote HTTPS server requires client authorization.

Use of this command assumes you have already declared a CA trustpoint using the crypto ca trustpoint command and associated sub-mode commands. If the remote HTTPS server requires client authorization and a trustpoint is not configured for the client, the remote HTTPS server will reject the connection.

If this command is not used, the client will attempt to use the certificate associated with the primary trustpoint. The primary trustpoint is configured using the primary CA TrustPoint configuration mode command.

Examples

In the following example the CA trustpoint is configured then referenced in the secure HTTP server configuration:

!The following commands specifies a CA trustpoint that can be used 
!to obtain a X.509v3 security certificate.
Router(config)# crypto ca trustpoint tp1 
Router(config-ca)# enrollment url http://host1:80 
Router(config-ca)# exit 
!The following command is used to actually obtain the security certificate.
!A trustpoint NAME is used because there could be multiple trust points 
!configured for the router.
Router(config)# crypto ca enrollment TP1 
!The following command specifies that the secure HTTP client 
!should use the certificate associated with the TP1 trustpoint for HTTPS connections.
Router(config)# ip http client secure-trustpoint tp1 

Related Commands

Command
Description

crypto ca trustpoint

Specifies a name for a certificate authority trustpoint and enters CA TrustPoint configuration mode.

primary

Indicates that the CA trustpoint being configured should be used as the primary (default) trustpoint.


ip http client source-interface

To configure a source interface for the HTTP client, use the ip http client source-interface command in global configuration mode. To change or disable the source interface, use the no form of this command.

ip http client source-interface interface-id

no ip http client source-interface interface-id

Syntax Description

interface-id

Name and number of the source interface.


Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release
Modification

12.3(7)T

This command was introduced.


Usage Guidelines

Use this command to specify a source interface to use for HTTP connections.

Examples

The following example configures the source interface as Ethernet 0/1:

Router(config)# ip http client source-interface Ethernet 0/1

Related Commands

Command
Description

copy

Copies a file from any supported remote location to a local file system, or from a local file system to a remote location, or from a local file system to a local file system.

debug ip http client

Enables debugging output for the HTTP client.

ip http client connection

Configures the HTTP client connection.

ip http client password

Configures a password for all HTTP client connections.

ip http client proxy-server

Configures an HTTP proxy server.

ip http client username

Configures a login name for all HTTP client connections.

show ip http client connection

Displays a report about HTTP client active connections.

show ip http client history

Displays the URLs accessed by the HTTP client.

show ip http client session-module

Displays a report about sessions that have registered with the HTTP client.


ip http client username

To configure the default username used for connections to remote HTTP servers, use the ip http client username command in global configuration mode. To remove a configured default HTTP username from the configuration, use the no form of this command.

ip http client username username

no ip http client username username

Syntax Description

username

The username string (login name) to be used in HTTP client connection requests sent to remote HTTP servers.


Defaults

No default username exists for the HTTP connections.

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)T

This command was introduced.


Usage Guidelines

This command is used to configure a default username before a file is copied to or from a remote web server using the copy http:// or copy https:// command. The default username will be overridden by a username specified in the URL of the copy command.

Examples

In the following example, the default HTTP password is configured as Secret and the default HTTP username is configured as User1 for connections to remote HTTP or Secure HTTP (HTTPS) servers:

Router(config)# ip http client password Secret
Router(config)# ip http client username User1

Related Commands

Command
Description

copy

Copies a file from any supported remote location to a local file system, or from a local file system to a remote location, or from a local file system to a local file system.

debug ip http client

Enables debugging output for the HTTP client.

ip http client connection

Configures the HTTP client connection.

ip http client password

Configures a password for all HTTP client connections.

ip http client proxy-server

Configures an HTTP proxy server.

ip http client source-interface

Configures a source interface for the HTTP client.

show ip http client connection

Displays a report about HTTP client active connections.

show ip http client history

Displays the URLs accessed by the HTTP client.

show ip http client session-module

Displays a report about sessions that have registered with the HTTP client.


ip http max-connections

To configure the maximum number of concurrent connections allowed for the HTTP server, use the ip http max-connections command in global configuration mode. To return the maximum connection value to the default, use the no form of this command.

ip http max-connections value

no ip http max-connections value

Syntax Description

value

The maximum number of concurrent HTTP connections. The range is 1 to 16. The default is 5.


Defaults

5 concurrent HTTP connections.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Platform-specific implementations can supersede the upper range limit of 16.

If a new value is configured that is less than the previously configured value while the current number of connections exceeds the new maximum value, the HTTP server will not abort any of the current connections. However, the server will not accept any new connections until the current number of connections falls below the new configured value.

Examples

In the following example the HTTP server is configured to allow up to 10 simultaneous connections:

Router(config)# ip http server 
Router(config)# ip http max-connections 10 

Related Commands

Command
Description

ip http server

Enables the HTTP 1.1 server, including the Cisco web browser user interface.


ip http path

To specify the base path used to locate files for use by the HTTP server, use the ip http path command in global configuration mode. To disable the HTTP server, use the no form of this command.

ip http path url

no ip http path url

Syntax Description

url

Cisco IOS File System (IFS) Uniform Resource Locator (URL) specifying the location of the HTML files used by the HTTP server.


Defaults

The HTTP server is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.0

This command was introduced.


Usage Guidelines

After enabling the HTTP server, you should set the base path by specifying the location of the HTML files to be served. HTML files used by the HTTP web server typically reside in system Flash memory.

Remote URLs can be specified using this command, but use of remote path names (for example, where HTML files are located on a remote TFTP server) is not recommended.

Examples

In the following example, the HTML files are located in the default Flash location on the system:

Router(config)# ip http path flash: 

In the following example, the HTML files are located in the directory named web on the Flash memory card inserted in slot 0:

Router(config)# ip http path slot0:web 

Related Commands

Command
Description

ip http server

Enables the HTTP server, including the Cisco web browser user interface.


ip http port

To specify the port number to be used by the HTTP server, use the ip http port command in global configuration mode. To return the port number to the default, use the no form of this command.

ip http port port-number

no ip http port port-number

Syntax Description

port-number

The port number to be used for the HTTP server. Valid values are 80 or any value from 1024 to 65535. The default is 80.


Defaults

The HTTP server uses port 80.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.

12.2(15)T

This command was modified to restrict port numbers. The port number 443 is now reserved for HTTPS (HTTP over SSL) connections.


Usage Guidelines

HTTP port 80 is the standard port used by web servers.

Examples

In the following example the HTTP server port is changed to port 8080.

Router(config)# ip http server 
Router(config)# ip http port 8080 

Related Commands

Command
Description

ip http server

Enables the HTTP 1.1 server, including the Cisco web browser user interface.


ip http secure-ciphersuite

To specify the CipherSuites that should be used by the secure HTTP server when negotiating a connection with a remote client, use the ip http secure-ciphersuite command in global configuration mode. To return the configuration to the default set of CipherSuites, use the no form of this command.

ip http secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]}

no ip http secure-ciphersuite

Syntax Description

3des-ede-cbc-sha

SSL_RSA_WITH_3DES_EDE_CBC_SHA—RSA key exchange with 3DES and DES-EDE3-CBC for message encryption and SHA for message digest.

rc4-128-sha

SSL_RSA_WITH_RC4_128_SHA —RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and SHA for message digest.

rc4-128-md5

SSL_RSA_WITH_RC4_128_MD5 —RSA key exchange (RSA Public Key Cryptography) with RC4 128-bit encryption for message encryption and MD5 for message digest.

des-cbc-sha

SSL_RSA_WITH_DES_CBC_SHA—RSA key exchange with DES-CBC for message encryption and SHA for message digest.


Defaults

The HTTPS server negotiates the best CipherSuite using the list received from connecting client.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command is used to restrict the list of CipherSuites (encryption algorithms) that should be used for encryption over the HTTPS connection. For example, you may want to allow only the most secure CipherSuite(s) to be used.

Unless you have a reason to specify the CipherSuites that should be used, or you are unfamiliar with the details of these CipherSuites, you should leave this command unconfigured and let the server and client negotiate the CipherSuite that they both support (this is the default).

The supported CipherSuites vary by Cisco IOS software image. For example, "IP Sec56" ("k8") images support only the SSL_RSA_WITH_DES_CBC_SHA CipherSuite in Cisco IOS Release 12.2T.

In terms of router processing load (speed), the following list ranks the CipherSuites from fastest to slowest (slightly more processing time is required for the more secure and more complex CipherSuites) :

1. SSL_RSA_WITH_DES_CBC_SHA

2. SSL_RSA_WITH_RC4_128_MD5

3. SSL_RSA_WITH_RC4_128_SHA

4. SSL_RSA_WITH_3DES_EDE_CBC_SHA

Additional information about these CipherSuites can be found online from sources that document the Secure Socket Layer (SSL) 3.0 protocol.

Examples

The following example restricts the CipherSuites offered to a connecting secure web client:

Router(config)# ip http secure-ciphersuite rc4-128-sha rc4-128-md5 

Related Commands

Command
Description

ip http secure-server

Enables the secure HTTP (HTTPS) server.

show ip http server secure status

Displays the configuration status of the secure HTTP server.


ip http secure-client-auth

To configure the secure HTTP server to authenticate connecting clients, use the ip http secure-client-auth command in global configuration mode. To remove the requirement for client authorization, use the no form of this command.

ip http secure-client-auth

no ip http secure-client-auth

Syntax Description

This command has no arguments or keywords.

Defaults

Disabled (that is, client authentication is not required for connections to the secure HTTP server).

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command configures the HTTP server to request an X.509v3 certificate from the client in order to authenticate the client during the connection process.

In the default connection and authentication process, the client requests a certificate from the HTTP server, but the server does not attempt to authenticate the client. Authenticating the client provides more security than server authentication by itself, but not all web clients may be configured for certificate authority (CA) authentication.

Examples

In the following example the secure web server is enabled and the server is configured to accept connections only from clients with a signed security certificate:

Router(config)# no ip http server 
Router(config)# ip http secure-server 
Router(config)# ip http secure-client-auth 

Related Commands

Command
Description

ip http secure-server

Enables the secure HTTP (HTTPS) server.

show ip http server secure status

Displays the configuration status of the secure HTTP server.


ip http secure-port

To specify the port (socket) to be used for connections to the secure HTTP (HTTPS) server, use the ip http secure-port command in global configuration mode. To return the secure HTTP server port number to the default, use the no form of this command.

ip http secure-port port-number

no ip http secure-port

Syntax Description

port-number

Port number that should be used for the secure HTTP server. The default port number is 443. Valid options are 443 or any number in the range 1025 to 65535.


Defaults

Port 443

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Examples

The following example changes the port for HTTPS server connections from 443 to 1025:

Router(config)# ip http secure-port 1025

mw-6(config)#no ip http secure-port ?

  <cr>

Related Commands

Command
Description

ip http secure-server

Enables the secure HTTP (HTTPS) server.


ip http secure-server

To enable the secure HTTP web server, use the ip http secure-server command in global configuration mode. To disable the secure HTTP server, use the no form of this command.

ip http secure-server

no ip http secure-server

Syntax Description

This command has no arguments or keywords.

Defaults

The secure HTTP server is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

The secure HTTP server (also called the HTTPS server) uses the Secure Socket Layer (SSL) version 3.0 protocol.


Note When enabling the secure HTTP server you should always disable the standard HTTP server to prevent insecure connections to the same services. Disable the standard HTTP server using the no ip http server command in global configuration mode (this is a precautionary step; typically, the HTTP server is disabled by default).


If a certificate authority is to be used for certification, you should declare the CA trustpoint on the routing device before enabling the secure HTTP server.

Examples

In the following example the secure HTTP server is enabled, and the (previously configured) CA trustpoint CA_trust_local is specified:

Router# config terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip http secure-server 
Router(config)# ip http secure-trustpoint CA_trust_local
Router(config)# end

Router# show ip http server secure status

HTTP secure server status: Enabled

HTTP secure server port: 443

HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-12a

HTTP secure server client authentication: Disabled

HTTP secure server trustpoint: CA_trust_local

Related Commands

Command
Description

ip http secure-trustpoint

Specifies the CA trustpoint that should be used for obtaining signed certificates for the secure HTTP server.

show ip http server secure status

Displays the configuration status of the secure HTTP server.


ip http secure-trustpoint

To specify the certificate authority (CA) trustpoint that should be used for obtaining signed certificates for the secure HTTP server, use the ip http secure-trustpoint command in global configuration mode. To remove a previously specified CA trustpoint, use the no form of this command.

ip http secure-trustpoint trustpoint-name

no ip http secure-trustpoint trustpoint-name

Syntax Description

trustpoint-name

Name of a configured trustpoint. Use the same trustpoint name that was used in the associated crypto ca trustpoint command.


Defaults

The secure HTTP server will use the trustpoint configured as primary in the CA trustpoint configuration.

If a trustpoint is not configured, the secure HTTP server will use a self-signed certificate.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command specifies that the secure HTTP server should use the X.509v3 certificate associated with the trustpoint indicated by the trustpoint-name argument. Use the same trustpoint name that you used in the associated crypto ca trustpoint command.

The specified X.509v3 security certificate will be used to authenticate the server to connecting clients, and, if remote client authentication is enabled, to authenticate the connecting clients.

Use of this command assumes you have already declared a CA trustpoint using the crypto ca trustpoint command and associated sub-mode commands. If a trustpoint is not configured, the secure HTTP server will use a self-signed certificate.

If this command is not used, the server will attempt to use the certificate associated with the primary trustpoint. The primary trustpoint is configured using the primary CA TrustPoint configuration mode command.

Examples

In the following example the CA trustpoint is configured, a certificate is obtained, then the certificate is referenced in the secure HTTP server configuration:

!The following commands specifies a CA trustpoint that can be used 
!to obtain a X.509v3 security certificate.
!A trustpoint NAME is used because there could be multiple trustpoints 
!configured for the router.
Router(config)# crypto ca trustpoint tp1 
Router(config-ca)# enrollment url http://host1:80 
Router(config-ca)# exit 
Router(config)# crypto ca authenticate tp1
!The following command is used to actually obtain the security certificate.
Router(config)# crypto ca enrollment tp1 
Router(config)# ip http secure-server 
!The following command specifies that the secure HTTP server 
!should use a certificate associated with the TP1 trustpoint for HTTPS connections.
Router(config)# ip http secure-trustpoint tp1 

Related Commands

Command
Description

crypto ca trustpoint

Declares the certificate authority (CA) that your routing device should use.

ip http secure-server

Enables the secure HTTP (HTTPS) server.

show ip http server secure status

Displays the configuration status of the secure HTTP server.


ip http server

To enable the HTTP server on your system, including the Cisco web browser user interface, use the ip http server command in global configuration mode. To disable the HTTP server, use the no form of this command.

ip http server

no ip http server

Syntax Description

This command has no arguments or keywords.

Defaults

The HTTP server is disabled on the Cisco Catalyst 4000 series switch. The HTTP server is enabled for clustering and on the following Cisco switches: Catalyst 3700 series, Catalyst 3750 series, Catalyst 3550 series, Catalyst 3560 series, and Catalyst 2950 series.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.

12.2(15)T

The HTTP 1.0 implementation was replaced by the HTTP 1.1 implementation.

The secure HTTP server feature was added.


Usage Guidelines

The HTTP server uses the standard port 80 by default.


Caution The standard HTTP server and the secure HTTP server can run at the same time on your system. If you enable the secure HTTP server using the ip http secure-server command, you should disable the standard HTTP server using the no ip http server command to ensure that secure data cannot be accessed through the standard HTTP connection.

Examples

In the following example the HTTP server is enabled:

Router(config)# ip http server 
Router(config)# ip http path flash: 

Related Commands

Command
Description

ip http path

Specifies the base path used to locate files for use by the HTTP server.

ip http secure-server

Enables the secure HTTP server.


ip http timeout-policy

To configure the parameters for closing connections to the local HTTP server, use the ip http timeout-policy command in global configuration mode. To return the parameters to their defaults, use the no form of this command.

ip http timeout-policy idle seconds life seconds requests value

no ip http timeout-policy

Syntax Description

idle seconds

The maximum number of seconds the connection will be kept open if no data is received or response data cannot be sent out on the connection.

The valid range is from 1 to 600 seconds (10 minutes).

The default value is 180 seconds (3 minutes).

life seconds

The maximum number of seconds the connection will be kept open, from the time the connection is established.

The valid range is from 1 to 86400 seconds (24 hours).

The default value is 180 seconds (3 minutes).

requests value

The maximum limit on the number of requests processed on a persistent connection before it is closed.

The valid range is from 1 to 86400.

The default value is 1.


Defaults

HTTP server connection idle time: 180 seconds (3 minutes)
HTTP server connection life time: 180 seconds (3 minutes)
HTTP server connection maximum requests: 1

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

This command sets the characteristics that determine how long a connection to the HTTP server should remain open.

This command may not take effect immediately on any HTTP connections that are open at the time you use this command. In other words, new values for idle time, life time, and maximum requests will apply only to connections made to the HTTP server after this command is issued.

A connection may be closed sooner than the configured idle time if the server is too busy or the limit on the life time or the number of requests is reached.

A connection may be closed sooner than the configured life time if the server is too busy or the limit on the idle time or the number of requests is reached. Also, since the server will not close a connection while actively processing a request, the connection may remain open longer than the specified life time if processing is occurring when the life maximum is reached. In this case, the connection will be closed when processing finishes.

A connection may be closed before the maximum number of requests are processed if the server is too busy or the limit on the idle time or life time is reached.

The ip http timeout-policy command allows you to specify a general access policy to the HTTP server by adjusting the connection timeout values. For example, if you want to maximize throughput for HTTP connections, you should configure a policy that minimizes connection overhead. You can do this by specifying large values for the life and request options so that each connection stays open longer and more requests are processed for each connection.

Another example would be to configure a policy that minimizes the response time for new connections. You can do this by specifying small values for the life and request options so that the connections are quickly released to serve new clients.

A throughput policy would be better for HTTP sessions with dedicated management applications, as it would allow the application to send more requests before the connection is closed, while a response time policy would be better for interactive HTTP sessions, as it would allow more people to connect to the server at the same time without having to wait for connections to become available.

In general, you should configure these options as appropriate for your environment. The value for the idle option should be balanced so that it is large enough not to cause an unwanted request or response timeout on the connection, but small enough that it does not hold a connection open longer than necessary.

Examples

In the following example, a Throughput timeout policy is applied. This configuration would allow each connection to be idle a maximum of 30 seconds (approximately). Each connection will remain open (be "alive") until either the HTTP server has been busy processing requests for approximately 2 minutes (120 seconds) or until approximately 100 requests have been processed.

Router(config)# ip http timeout-policy idle 30 life 120 requests 100 

In the following example, a Response Time timeout policy is applied. This configuration would allow each connection to be idle a maximum of 30 seconds (approximately). Each connection will be closed as soon as the first request has been processed.

Router(config)# ip http timeout-policy idle 30 life 30 requests 1 

Related Commands

Command
Description

ip http server

Enables the HTTP server, including the Cisco web browser user interface.


ip rarp-server

To enable the router to act as a Reverse Address Resolution Protocol (RARP) server, use the ip rarp-server command in interface configuration mode. To restore the interface to the default of no RARP server support, use the no form of this command.

ip rarp-server ip-address

no ip rarp-server ip-address

Syntax Description

ip-address

IP address that is to be provided in the source protocol address field of the RARP response packet. Normally, this is set to whatever address you configure as the primary address for the interface.


Defaults

Disabled

Command Modes

Interface configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

This feature makes diskless booting of clients possible between network subnets where the client and server are on separate subnets.

RARP server support is configurable on a per-interface basis, so that the router does not interfere with RARP traffic on subnets that need no RARP assistance.

The Cisco IOS software answers incoming RARP requests only if both of the following two conditions are met:

The ip rarp-server command has been configured for the interface on which the request was received.

A static entry is found in the IP ARP table that maps the MAC address contained in the RARP request to an IP address.

Use the show ip arp EXEC command to display the contents of the IP ARP cache.

Sun Microsystems, Inc. makes use of RARP and UDP-based network services to facilitate network-based booting of SunOS on it's workstations. By bridging RARP packets and using both the ip helper-address interface configuration command and the ip forward-protocol global configuration command, the Cisco IOS software should be able to perform the necessary packet switching to enable booting of Sun workstations across subnets. Unfortunately, some Sun workstations assume that the sender of the RARP response, in this case the router, is the host that the client can contact to TFTP load the bootstrap image. This causes the workstations to fail to boot.

By using the ip rarp-server command, the Cisco IOS software can be configured to answer these RARP requests, and the client machine should be able to reach its server by having its TFTP requests forwarded through the router that acts as the RARP server.

In the case of RARP responses to Sun workstations attempting to diskless boot, the IP address specified in the ip rarp-server interface configuration command should be the IP address of the TFTP server. In addition to configuring RARP service, the Cisco IOS software must be configured to forward UDP-based Sun portmapper requests to completely support diskless booting of Sun workstations. This can be accomplished using configuration commands of the following form:

ip forward-protocol udp 111
interface interface name
ip helper-address target-address

RFC 903 documents the RARP.

Examples

The following partial example configures a router to act as a RARP server. The router is configured to use the primary address of the specified interface in its RARP responses.

arp 172.30.2.5 0800.2002.ff5b arpa
interface ethernet 0
ip address 172.30.3.100 255.255.255.0
ip rarp-server 172.30.3.100

In the following example, a router is configured to act as a RARP server, with TFTP and portmapper requests forwarded to the Sun server:

! Allow the router to forward broadcast portmapper requests
ip forward-protocol udp 111
! Provide the router with the IP address of the diskless sun
arp 172.30.2.5 0800.2002.ff5b arpa
interface ethernet 0
! Configure the router to act as a RARP server, using the Sun Server's IP
! address in the RARP response packet.
ip rarp-server 172.30.3.100
! Portmapper broadcasts from this interface are sent to the Sun Server.
ip helper-address 172.30.3.100

Related Commands

Command
Description

ip forward-protocol

Speeds up flooding of UDP datagrams using the spanning-tree algorithm.

ip helper-address

Forwards UDP broadcasts, including BOOTP, received on an interface.


ip rcmd domain-lookup

To reenable the basic Domain Name Service (DNS) security check for rcp and rsh, use the ip rcmd domain-lookup command in global configuration mode. To disable the basic DNS security check for remote copy protocol (rcp) and remote shell protoco (rsh), use the no form of this command.

ip rcmd domain-lookup

no ip rcmd domain-lookup

Syntax Description

This command has no arguments or keywords.

Defaults

Enabled

Command Modes

Global configuration

Technology: TCP > RCMD

Task: Basic Services

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

The abbreviation RCMD (remote command) is used to indicate both rsh and rcp.

DNS lookup for RCMD is enabled by default (provided general DNS services are enabled on the system using the ip domain-lookup command).

The no ip rcmd domain-lookup command is used to disable the DNS lookup for RCMD. The ip rcmd domain-lookup command is used to reenable the DNS lookup for RCMD.

DNS lookup for RCMD is performed as a basic security check. This check is performed using a host authentication process. When enabled, the system records the address of the requesting client. That address is mapped to a host name using DNS. Then a DNS request is made for the IP address for that host name. The IP address received is then checked against the original requesting address. If the address does not match with any of the addresses received from DNS, the RCMD request will not be serviced.

This reverse lookup is intended to help protect against spoofing. However, please note that the process only confirms that the IP address is a valid "routable" address; it is still possible for a hacker to spoof the valid IP address of a known host.

The DNS lookup is done after the TCP handshake but before the router (which is acting as a rsh/rcp server) sends any data to the remote client.

The no ip rcmd domain-lookup will turn off DNS lookups for rsh and rcp only. The no ip domain-lookup command takes precedence over the ip rcmd domain-lookup command. This means that if the no ip domain-lookup command is in the current configuration, DNS will be bypassed for rcp and rsh even if the ip rcmd domain-lookup command is enabled.

Examples

In the following example, the DNS security check is disabled for RCMD (rsh/rcp):

Router(config)# no ip rcmd domain-lookup 

Related Commands

Command
Description

ip domain-lookup

Enables the IP DNS-based host name-to-address translation.


ip rcmd rcp-enable

To configure the Cisco IOS software to allow remote users to copy files to and from the router using remote copy protocol (rcp), use the ip rcmd rcp-enable command in global configuration mode. To disable rcp on the device, use the no form of this command.

ip rcmd rcp-enable

no ip rcmd rcp-enable

Syntax Description

This command has no arguments or keywords.

Defaults

To ensure security, the router is not enabled for rcp by default.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

To allow a remote user to execute rcp commands on the router, you must also create an entry for the remote user in the local authentication database using the ip rcmd remote-host command.

The no ip rcmd rcp-enable command does not prohibit a local user from using rcp to copy system images and configuration files to and from the router.

To protect against unauthorized users copying the system image or configuration files, the router is not enabled for rcp by default.

Examples

In the following example, the rcp service is enabled on the system, the IP address assigned to the Loopback0 interface is used as the source address for outbound rcp and rsh packets, and access is granted to the user "netadmin3"on the remote host 172.16.101.101:

Router(config)# ip rcmd rcp-enable 
Router(config)# ip rcmd source-interface Loopback0 
Router(config)# ip rcmd remote-host router1 172.16.101.101 netadmin3

Related Commands

Command
Description

ip rcmd remote-host

Creates an entry for the remote user in a local authentication database so that remote users can execute commands on the router using rsh or rcp.


ip rcmd remote-host

To create an entry for the remote user in a local authentication database so that remote users can execute commands on the router using remote shell protocol (rsh) or remote copy protocol (rcp), use the ip rcmd remote-host command in global configuration mode. To remove an entry for a remote user from the local authentication database, use the no form of this command.

ip rcmd remote-host local-username {ip-address | host-name} remote-username [enable [level]]

no ip rcmd remote-host local-username {ip-address | host-name} remote-username [enable [level]]

Syntax Description

local-username

Name of the user on the local router. You can specify the router name as the username. This name needs to be communicated to the network administrator or to the user on the remote system. To be allowed to remotely execute commands on the router, the remote user must specify this value correctly.

ip-address

IP address of the remote host from which the local router will accept remotely executed commands. Either the IP address or the host name is required.

host-name

Name of the remote host from which the local router will accept remotely executed commands. Either the host name or the IP address is required.

remote-username

Name of the user on the remote host from which the router will accept remotely executed commands.

enable [level]

(Optional) Enables the remote user to execute privileged EXEC commands using rsh or to copy files to the router using rcp. The range is from 1 to 15. The default is 15. For information on the enable level, refer to the privilege level global configuration command in the Release 12.2 Cisco IOS Security Command Reference.


Defaults

No entries are in the local authentication database.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

A TCP connection to a router is established using an IP address. Using the host name is valid only when you are initiating an rcp or rsh command from a local router. The host name is converted to an IP address using DNS or host-name aliasing.

To allow a remote user to execute rcp or rsh commands on a local router, you must create an entry for the remote user in the local authentication database. You must also enable the router to act as an rsh or rcp server.

To enable the router to act as an rsh server, issue the ip rcmd rsh-enable command. To enable the router to act as an rcp server, issue the ip rcmd rcp-enable command.The router cannot act as a server for either of these protocols unless you explicitly enable the capacity.

A local authentication database, which is similar to a UNIX .rhosts file, is used to enforce security on the router through access control. Each entry that you configure in the authentication database identifies the local user, the remote host, and the remote user. To permit a remote user of rsh to execute commands in privileged EXEC mode or to permit a remote user of rcp to copy files to the router, specify the enable keyword and level. For information on the enable level, refer to the privilege level global configuration command in the Release 12.2 Cisco IOS Security Command Reference.

An entry that you configure in the authentication database differs from an entry in a UNIX .rhosts file in the following aspect. Because the .rhosts file on a UNIX system resides in the home directory of a local user account, an entry in a UNIX .rhosts file need not include the local username; the local username is determined from the user account. To provide equivalent support on a router, specify the local username along with the remote host and remote username in each authentication database entry that you configure.

For a remote user to be able to execute commands on the router in its capacity as a server, the local username, host address or name, and remote username sent with the remote client request must match values configured in an entry in the local authentication file.

A remote client host should be registered with DNS. The Cisco IOS software uses DNS to authenticate the remote host's name and address. Because DNS can return several valid IP addresses for a host name, the Cisco IOS software checks the address of the requesting client against all of the IP addresses for the named host returned by DNS. If the address sent by the requester is considered invalid, that is, it does not match any address listed with DNS for the host name, then the software will reject the remote-command execution request.

Note that if no DNS servers are configured for the router, then that device cannot authenticate the host in this manner. In this case, the Cisco IOS software sends a broadcast request to attempt to gain access to DNS services on another server. If DNS services are not available, you must use the no ip domain-lookup command to disable the attempt to gain access to a DNS server by sending a broadcast request.

If DNS services are not available and, therefore, you bypass the DNS security check, the software will accept the request to remotely execute a command only if all three values sent with the request match exactly the values configured for an entry in the local authentication file.

Examples

The following example allows the remote user named netadmin3 on a remote host with the IP address 172.16.101.101 to execute commands on router1 using the rsh or rcp protocol. User netadmin3 is allowed to execute commands in privileged EXEC mode.

Router(config)# ip rcmd remote-host router1 172.16.101.101 netadmin3 enable

Related Commands

Command
Description

ip rcmd rcp-enable

Configures the Cisco IOS software to allow remote users to copy files to and from the router.

ip domain-lookup

Enables the IP DNS-based host name-to-address translation.

ip rcmd rsh-enable

Configures the router to allow remote users to execute commands on it using the rsh protocol.


ip rcmd remote-username

To configure the remote username to be used when requesting a remote copy using remote copy protocol (rcp), use the ip rcmd remote-username command in global configuration mode. To remove from the configuration the remote username, use the no form of this command.

ip rcmd remote-username username

no ip rcmd remote-username username

Syntax Description

username

Name of the remote user on the server. This name is used for rcp copy requests. All files and images to be copied are searched for or written relative to the directory of the remote user's account, if the server has a directory structure, for example, as do UNIX systems.


Defaults

If you do not issue this command, the Cisco IOS software sends the remote username associated with the current tty process, if that name is valid, for rcp copy commands. For example, if the user is connected to the router through Telnet and the user was authenticated through the username command, then the software sends that username as the remote username.


Note The remote username must be associated with an account on the destination server.


If the username for the current tty process is not valid, the Cisco IOS software sends the host name as the remote username. For rcp boot commands, the Cisco IOS software sends the access server host name by default.


Note For Cisco, tty lines are commonly used for access services. The concept of tty originated with UNIX. For UNIX systems, each physical device is represented in the file system. Terminals are called tty devices (tty stands for teletype, the original UNIX terminal).


Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

The rcp protocol requires that a client send the remote username on an rcp request to the server. Use this command to specify the remote username to be sent to the server for an rcp copy request. If the server has a directory structure, as do UNIX systems, all files and images to be copied are searched for or written relative to the directory of the remote user's account.


Note Cisco IOS Release 10.3 added the ip keyword to rcmd commands. If you are upgrading from Release 10.2 to Release 10.3 or a later release, this keyword is automatically added to any rcmd commands you have in your Release 10.2 configuration files.


Examples

The following example configures the remote username to netadmin1:

Router(config)# ip rcmd remote-username netadmin1 

Related Commands

Command
Description

boot network rcp

Changes the default name of the network configuration file from which to load configuration commands.

boot system rcp

Specifies the system image that the router loads at startup.

bridge acquire

Forwards any frames for stations that the system has learned about dynamically.

copy

Copies any file from a source to a destination.


ip rcmd rsh-enable

To configure the router to allow remote users to execute commands on it using remote shell protocol (rsh), use the ip rcmd rsh-enable command in global configuration mode. To disable a router that is enabled for rsh, use the no form of this command.

ip rcmd rsh-enable

no ip rcmd rsh-enable

Syntax Description

This command has no arguments or keywords.

Defaults

To ensure security, the router is not enabled for rsh by default.

Command Modes

Global configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

rsh, used as a client process, gives users the ability to remotely get router information (such as status) without the need to connect into the router and then disconnect. This is valuable when looking at many statistics on many different routers.

Use this command to enable the router to receive rsh requests from remote users. In addition to issuing this command, you must create an entry for the remote user in the local authentication database to allow a remote user to execute rsh commands on the router.

The no ip rcmd rsh-enable command does not prohibit a local user of the router from executing a command on other routers and UNIX hosts on the network using rsh. The no form of this command only disables remote access to rsh on the router.

Examples

The following example enables a router as an rsh server:

Router(config)# ip rcmd rsh-enable 

Related Commands

Command
Description

ip rcmd remote-host

Creates an entry for the remote user in a local authentication database so that remote users can execute commands on the router using rsh or rcp.


ip rcmd source-interface

To force remote copy protocol (rcp) or remote shell protocol (rsh) to use the IP address of a specified interface for all outgoing rcp/rsh communication packets, use the ip rcmd source-interface command in global configuration mode. To disable a previously configured ip rcmd source-interface command, use the no form of this command.

ip rcmd source-interface interface-id

no ip rcmd source-interface interface-id

Syntax Description

interface-id

The name and number used to identify the interface. For example, Loopback2.


Defaults

The address of the interface closest to the destination is used as the source interface for rcp/rsh communications.

Command Modes

Global configuration

Command History

Release
Modification

11.3

This command was introduced.


Usage Guidelines

If this command is not used, or if the interface specified in this command is not available (not up), the Cisco IOS software uses the address of the interface closest to the destination as the source address.

Use this command to force the system to tag all outgoing rcp/rsh packets with the IP address associated with the specified interface. This address is used as the source address as long as the interface is in the up state.

This command is especially useful in cases where the router has many interfaces, and you want to ensure that all rcp and/or rsh packets from this router have the same source IP address. A consistent address is preferred so that the other end of the connection (the rcp/rsh server or client) can maintain a single session. The other benefit of a consistent address is that an access list can be configured on the remote device.

The specified interface must have an IP address associated with it. If the specified interface does not have an IP address or is in a down state, then rcp/rsh reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.

Examples

In the following example, Loopback interface 0 is assigned an IP address of 220.144.159.200, and the ip rcmd source-interface command is used to specify that the source IP address for all rcp/rsh packets will be the IP address assigned to the Loopback0 interface:

interface Loopback0

  description Loopback interface

  ip address 220.144.159.200 255.255.255.255

  no ip directed-broadcast

!

.

.

.

clock timezone GMT 0

ip subnet-zero

no ip source-route

no ip finger

ip rcmd source-interface Loopback0

ip telnet source-interface Loopback0

ip tftp source-interface Loopback0

ip ftp source-interface Loopback0

ip ftp username cisco

ip ftp password shhhhsecret

no ip bootp server

ip domain-name net.galaxy

ip name-server 220.144.159.1

ip name-server 220.144.159.2

ip name-server 219.10.2.1

!

.
.
.

Related Commands

Command
Description

ip rcmd remote-host

Creates an entry for the remote user in a local authentication database so that remote users can execute commands on the router using rsh or rcp.


ip sla monitor

To begin configuring a Cisco IOS IP Service Level Agreements (SLAs) operation and enter IP SLA monitor configuration mode, use the ip sla monitor command in global configuration mode. To remove all configuration information for an operation, including the schedule of the operation, reaction configuration, and reaction triggers, use the no form of this command.

ip sla monitor operation-number

no ip sla monitor operation-number

Syntax Description

operation-number

Operation number used for the identification of the IP SLAs operation you want to configure.


Defaults

No IP SLAs operation is configured.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr command.


Usage Guidelines

The ip sla monitor command is used to begin configuration for an IP SLAs operation. Use this command to specify an identification number for the operation you are about to configure. After you enter this command, the router will enter IP SLA monitor configuration mode.

IP SLAs allows a maximum of 2000 operations.

Debugging is supported only on the first 32 operation numbers.

After you configure an operation, you must schedule the operation. For information on scheduling an operation, refer to the ip sla monitor schedule and ip sla monitor group schedule global configuration commands. You can also optionally set reaction triggers for the operation. For information on reaction triggers, refer to the ip sla monitor reaction-configuration and ip sla monitor reaction-trigger global configuration commands.

To change the operation type of an existing IP SLAs operation, you must first delete the IP SLAs operation (using the no ip sla monitor global configuration command) and then reconfigure the operation with the new operation type.


Note After you schedule an operation, you cannot modify the configuration of the operation. To modify the configuration of the operation after it is scheduled, you must first delete the IP SLAs operation (using the no ip sla monitor command) and then reconfigure the operation with the new operation parameters.


To display the current configuration settings of the operation, use the show ip sla monitor configuration command in user EXEC or privileged EXEC mode.

Examples

In the following example, operation 99 is configured as a UDP jitter operation and scheduled to start running in 5 hours:

ip sla monitor 99
 type jitter dest-ipaddr 172.29.139.134 dest-port 5000 num-packets 20
!
ip sla monitor schedule 99 life 300 start-time after 00:05:00

Note If operation 99 already exists and has not been scheduled, the command line interface will enter IP SLA monitor configuration mode for operation 99. If the operation already exists and has been scheduled, this command will fail.


Related Commands

Command
Description

ip sla monitor group schedule

Configures the group scheduling parameters for multiple IP SLAs operations.

ip sla monitor reaction-configuration

Configures certain actions to occur based on events under the control of IP SLAs.

ip sla monitor reaction-trigger

Defines a second IP SLAs operation to make the transition from a pending state to an active state when one of the trigger action type options are defined with the ip sla monitor reaction-configuration command.

ip sla monitor schedule

Configures the scheduling parameters for a single IP SLAs operation.

show ip sla monitor configuration

Displays configuration values including all defaults for all IP SLAs operations or the specified operation.

show ip sla monitor statistics

Displays the current operational status and statistics of all IP SLAs operations or a specified operation.


ip sla monitor apm cache-size

To set the size of a Cisco IOS IP Service Level Agreements (SLAs) Application Performance Monitor (APM) cache, use the ip sla monitor apm cache-size command in global configuration mode. To reset the IP SLAs APM cache size to its default, use the no form of this command.

ip sla monitor apm cache-size bytes

no ip sla monitor apm cache-size bytes

Syntax Description

bytes

Number that specifies the size of the cache, in bytes. The default is 100000 bytes.


Defaults

The default APM cache size is 100000 bytes.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the saa apm cache-size command.


Usage Guidelines

IP SLAs APM script and scheduler files are kept in an area of memory called the IP SLAs APM cache. The cache size is checked by the system before each attempt to copy a new file to the cache. If the file to be downloaded puts the cache over its size limit, a "cache trimming" operation is performed, and all files in the cache not tagged with a "sticky bit" (sticky=1) will be deleted.

Examples

In the following example, the IP SLAs APM cache is set to 80,000 bytes (approximately 78 kilobytes):

Router(config)# ip sla monitor apm cache-size 80000
Router(config)# end
Router#
00:01:50: %SYS-5-CONFIG_I: Configured from console by console
Router# show ip sla monitor apm cache
 Cache Size (bytes): 80000
 Cache used (bytes): 793
 File Name                                TimeCreated TimeAccessed ref Type sticky
 apm.cf.1234567                              00:02:50     00:00:00   1 CFG  0
 apm/config/smtp-1000.cfg                    00:02:50     00:00:00   1 CFG  0

Related Commands

Command
Description

show ip sla monitor apm cache

Displays the amount of memory available in the IP SLAs APM cache and information about the files stored in the cache.


ip sla monitor apm copy

To copy script or scheduler files from an FTP server to the device that will initiate Cisco IOS IP Service Level Agreements (SLAs) Application Performance Monitor (APM) operations, use the ip sla monitor apm copy command in global configuration mode.

ip sla monitor apm copy {script | scheduler} ftp://[username:password@]server-name/path-to-file/filename [sticky]

Syntax Description

script

Specifies that the file to be copied is an APM script file (.scr).

scheduler

Specifies that the file to be copied is an APM scheduler file (.sch).

ftp://

Begins the URL that specifies the file to copy from a remote FTP server.

username:password@

(Optional) Specifies a username and password as part of the URL. Use these arguments only if they are required on the server.

server-name

The server-name component of the URL.

/path-to-file

The folder path component of the URL. A folder path can contain multiple folder names. Each folder must be separated using a forward slash (/).

/filename

Name of the file to be copied from the server.

sticky

(Optional) Indicates that the copied file should not be deleted from the local APM cache during a cache trimming operation.


Defaults

No script or scheduler files are copied.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the saa apm copy command.


Usage Guidelines

The ip sla monitor apm copy command downloads an IP SLAs APM script or scheduler file from an FTP server to the local IP SLAs APM cache in NVRAM.

A file tagged as "sticky" will not be deleted from the local APM cache during a cache trimming operation. APM cache trimming operations are initiated when the ip sla monitor apm lowWaterMark value is reached.

You can force a file tagged as "sticky" to be deleted using the clear ip sla monitor apm cache command.

Examples

In the following example, a Frame Relay emulation script titled frm.scr is downloaded from the FTP server FTP101. The username user1 and the password password1 are used to access the server:

ip sla monitor apm copy script ftp://user1:password1@FTP101/userbin/user1files/frm.scr 
sticky

Related Commands

Command
Description

clear ip sla monitor apm cache

Deletes files from the IP SLAs APM cache.

ip sla monitor apm lowWaterMark

Specifies the lowest amount of free memory that must be available on the system to allow additional IP SLAs APM operations to be configured.


ip sla monitor apm lowWaterMark

To specify the lowest amount of free memory that must be available on the system to allow additional Cisco IOS IP Service Level Agreements (SLAs) Application Performance Monitor (APM) operations to be configured, use the ip sla monitor apm lowWaterMark command in global configuration mode. To restore the default low-memory-watermark value, use the no form of this command.

ip sla monitor apm lowWaterMark bytes

no ip sla monitor apm lowWaterMark

Syntax Description

bytes

Number that specifies the size of the cache, in bytes.


Defaults

The default APM low-memory watermark is 25 percent of free memory at startup.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the saa apm lowWaterMark command.


Usage Guidelines

The ip sla monitor apm lowWaterMark global configuration command configures the lowest amount of free memory (low-memory watermark) that must be available on the system. If the amount of available free memory falls below the value specified in the ip sla monitor apm lowWaterMark command, then IP SLAs will not allow new APM operations to be configured. The default value is 25 percent of the memory available on the system at startup.


Note The smaller the low-memory-watermark value is, the more APM operations can be configured. If the value is set to 0, then APM operations can be created until the system runs out of memory. However, you should be careful not to set the low-memory watermark too low, because all additional router processes must be able to run with the amount of memory specified by the ip sla monitor apm lowWaterMark and ip sla monitor low-memory commands. Setting the low-memory watermark to 0 is discouraged, because other router processes may not be left with enough system memory to function.


For example, if there are 6 MB of free memory when the router starts up, and the default low-memory watermark of 25 percent is used, then the IP SLAs APM can use up to 4.5 MB of memory for creating operations. If the free memory drops below 1.5 MB, then new APM operations cannot be created.

The value of the ip sla monitor apm lowWaterMark command should not exceed the amount of free memory available on the system. To determine the amount of free memory available on the system, use the show memory user EXEC or privileged EXEC command.

The show ip sla monitor apm information user EXEC or privileged EXEC command will display the number of operations that can be configured on the device in the "Max Number of operations supported" field.

Examples

In the following example, the IP SLAs APM low-memory watermark is set to 3,145,728 bytes (3 MB):

Router(config)# ip sla monitor apm lowWaterMark 3145728
Router(config)# end
Router# show ip sla monitor apm information

        Service Assurance Agent: Application Performance Monitor

          APM Engine Version: 1.0
Max Number of oper supported: 23
 Number of configurable oper: 23
   Number of oper configured: 0
    Number of files in cache: 0
          Cache Size (bytes): 100000
          Cache used (bytes): 0
   APM low memory water-mark: 3,145,728

Related Commands

Command
Description

show ip sla monitor apm information

Displays details about the IP SLAs APM.


ip sla monitor apm operation

To start or stop a Cisco IOS IP Service Level Agreements (SLAs) Application Performance Monitor (APM) operation, use the ip sla monitor apm operation command in global configuration mode. To delete existing IP SLAs APM operations, use the no form of this command.

ip sla monitor apm operation operation-number {start ftp://[user:password@]server-name/path-to-file/filename | stop}

no ip sla monitor apm operation [operation-number]

Syntax Description

operation-number

Number that uniquely identifies the APM operation. In the no ip sla monitor apm operation form of this command, this argument is optional. If an operation number is not specified in the no form of this command, all APM operations are removed from the system configuration.

start

Starts the specified operation.

ftp://

Begins the URL that specifies the configuration file to use for the APM operation.

user:password@

(Optional) Allows you to specify a username and password as part of the URL if they are required on the server.

server-name

Server-name component of the URL.

/path-to-file

Folder path component of the URL. Each folder should be separated using a forward slash (/).

/filename

Name of the APM configuration (.cf) file to be used for the operation.

stop

Stops the specified operation.


Defaults

No IP SLAs APM operations exist.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the saa apm operation command.


Usage Guidelines

The following files are required to perform an IP SLAs APM operation:

script file (.scr) available on the routing device running IP SLAs

scheduler file (.sch) available on the routing device running IP SLAs

configuration file (.cf) available on an FTP server

data file (.dat) available on an FTP server

All filenames can have a maximum of 255 characters.

The ip sla monitor apm operation start command points to the APM configuration file to be used for the operation. The APM configuration file specifies the location of the other files used in the operation, and the target IP address for the operation.

To download script, configuration, data, and scheduler template files used by the IP SLAs APM, and to download the documentation ("readme" files) for the scripts, go to the "Cisco IP SLAs APM" page at http://www.cisco.com/pcgi-bin/tablebuild.pl/saa-apm.

After an operation is started using the ip sla monitor apm operation start command, the operation should be stopped using the ip sla monitor apm operation stop command.

Examples

In the following example, an IP SLAs APM NNTP operation is started and stopped, and the operation is deleted from the configuration:

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip sla monitor apm operation 2 start 
ftp://user:password@saa-nms/apm/config/nntp-20.cf
Router(config)#
1d09h: SAA-APM-1: downloading file (apm/config/nntp-20.cf) of size (532)
1d09h: SAA-APM-1: using cached file (apm/scheduler/master.sch)
1d09h: SAA-APM-1: using cached file (apm/scripts/nntp.scr)
1d09h: SAA-APM-1: sending APM_SCRIPT_DONE message
1d09h: SAA-APM-1: operation done
Router(config)# ip sla monitor apm operation 2 stop
Router(config)# no ip sla monitor apm operation 2

Related Commands

Command
Description

show ip sla monitor apm results

Displays the data gathered using the IP SLAs Application Performance Monitor.


ip sla monitor group schedule

To perform group scheduling for Cisco IOS IP Service Level Agreements (SLAs) operations, use the ip sla monitor group schedule command in global configuration mode. To stop the operation and place it in the default state of normal scheduling, use the no form of this command.

ip sla monitor group schedule group-operation-number operation-id-numbers schedule-period seconds [ageout seconds] [frequency seconds] [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}]

no ip sla monitor group schedule

Syntax Description

group-operation-number

Group configuration or group schedule number of the IP SLAs operation to be scheduled.

Valid values range from 0 to 65535.

operation-id-numbers

The list of IP SLAs operation ID numbers in the scheduled operation group. Indicate ranges of operation ID numbers with a hyphen. Individual ID numbers and ranges of ID numbers are delimited by a comma. For example, enter a list of operation ID numbers in any of the following ways:

2, 3, 4, 9, 20

10-20, 30-35, 60-70

2, 3, 4, 90-100, 105-115

The operation-id-numbers argument can include a maximum of 125 characters.

schedule-period seconds

Specifies the time (in seconds) for which the IP SLAs operation group is scheduled.

Valid values are from 1 to 604800 seconds.

ageout seconds

(Optional) Specifies the number of seconds to keep the operation in memory when it is not actively collecting information. The default is 0 seconds (never ages out).

frequency seconds

(Optional) Specifies the number of seconds after which each IP SLAs operation is restarted. If this keyword and argument are specified, the frequency of all operations belonging to the group will be overridden and set to the specified frequency.

Note If this keyword and argument are not specified, the frequency for each operation is set to the value specified for the schedule period.

Valid values are from 1 to 604800 seconds.

life forever

(Optional) Schedules the operation to run indefinitely.

life seconds

(Optional) Specifies the number of seconds the operation actively collects information. The default is 3600 seconds (one hour).

start-time

(Optional) Specifies the time when the operation starts collecting information. If the start-time is not specified, no information is collected until the start-time is configured or a trigger occurs that performs a start-time now.

hh:mm[:ss]

(Optional) Specifies an absolute start time using hours, minutes, and (optionally) seconds. Use the 24-hour clock notation. For example, start-time 01:02 means "start at 1:02 a.m.," and start-time 13:01:30 means "start at 1:01 p.m. and 30 seconds." The current day is implied unless you specify a month and day.

month

(Optional) Name of the month to start the operation in. If month is not specified, the current month is used. Use of this argument requires that a day be specified. You can specify the month by using either the full English name or the first three letters of the month.

day

(Optional) Number of the day (in the range 1 to 31) to start the operation on. If a day is not specified, the current day is used. Use of this argument requires that a month be specified.

pending

(Optional) Indicates that no information is collected. This is the default value.

now

(Optional) Indicates that the operation should start immediately.

after hh:mm:ss

(Optional) Indicates that the operation should start hh hours, mm minutes, and ss seconds after this command was entered.


Defaults

The operation is placed in a pending state (that is, the operation is enabled but is not actively collecting information).

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr group schedule command.


Usage Guidelines

Though IP SLAs multiple operations scheduling functionality helps in scheduling thousands of operations, you should be cautious while specifying the number of operations, the schedule period, and the operation group frequency to avoid any significant CPU impact.

For example, consider a scenario where you are scheduling 1 to 780 operations at a schedule period of 60 seconds. The command would be as follows:

ip sla monitor group schedule 2 1-780 schedule-period 60 start-time now

IP SLAs calculates how many operations it should start in each 1-second interval by dividing the number of operations by the schedule period (780 operations divided by 60 seconds, which is 13 operations per second). Operations 1 to 13 in operation group 2 start after 0 seconds, operations 14 to 26 start after 1 second, operations 27 to 40 start after 2 seconds, and the iteration continues until operations 768 to 780 start after 59 seconds. This high value of operations starting at every 1-second interval (especially for jitter operations) can load the CPU to very high values.

On a Cisco 2600 router, the maximum recommended value of operations per second is 6 or 7 (approximately 350 to 400 operations per minute). Exceeding this value of 6 or 7 operations per second could cause major performance (CPU) impact. Note that the maximum recommended value of operations per second varies from platform to platform.


Note No warning messages will be displayed if IP SLAs multiple operations scheduling leads to a high number of operations starting per second.


When you reboot the router, the IP SLAs multiple operations scheduling functionality schedules the operations in the same order as was done before the reboot. For example, assume the following operation had been scheduled:

ip sla monitor group schedule 2 1-20 schedule-period 40 start-time now

Over a range of 40 seconds, 20 operations have to be started (that is, one operation every 2 seconds). After the system reboot, operation 1 will start at t seconds and operation 2 starts at t+2 seconds, operation 3 starts at t+4 seconds, and so on.

The IP SLAs multiple operations scheduling functionality schedules the maximum number of operations possible without aborting. However, this functionality skips those IP SLAs operations that are already running or those that are not configured and hence do not exist. The total number of operations will be calculated based on the number of operations specified in the command, irrespective of the number of operations that are missing or already running. The IP SLAs multiple operations scheduling functionality displays a message showing the number of active and missing operations. However, these messages are displayed only if you schedule operations that are not configured or are already running.

Examples

The following example shows how to schedule IP SLAs operations 3, 4, and 6 to 10 as a group (identified as group 1). In this example, the operations are scheduled to begin at equal intervals over a schedule period of 20 seconds. The first operation (or set of operations) is scheduled to start immediately. Since the frequency is not specified, it is set to the value of the schedule period (20 seconds) by default.

ip sla monitor group schedule 1 3, 4, 6-10 schedule-period 20 start-time now

Related Commands

Command
Description

ip sla monitor schedule

Configures the scheduling parameters for a single IP SLAs operation.

show ip sla monitor configuration

Displays the configuration details of the IP SLAs operation.

show ip sla monitor group schedule

Displays the group scheduling details of the IP SLAs operations.


ip sla monitor key-chain

To enable Cisco IOS IP Service Level Agreements (SLAs) control message authentication and specify an MD5 key chain, use the ip sla monitor key-chain command in global configuration mode. To remove control message authentication, use the no form of this command.

ip sla monitor key-chain name

no ip sla monitor key-chain

Syntax Description

name

Name of MD5 key chain.


Defaults

Control message authentication is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr key-chain command.


Usage Guidelines

The authentication configuration on the IP SLAs collector and IP SLAs Responder must be the same. Both sides must configure the same key chain or both sides must not use authentication.

Examples

In the following example, the IP SLAs control message uses MD5 authentication, and the key chain name is CSAA:

ip sla monitor key-chain csaa

Related Commands

Command
Description

ip sla monitor

Begins configuration for an IP SLAs operation and enters IP SLA monitor configuration mode.


ip sla monitor logging traps

To enable the generation of system logging Simple Network Management Protocol (SNMP) notifications (traps) specific to Cisco IOS IP Service Level Agreements (SLAs) thresholds, use the ip sla monitor logging traps command in global configuration mode. To disable IP SLAs system logging SNMP traps, use the no form of this command.

ip sla monitor logging traps

no ip sla monitor logging traps

Syntax Description

This command has no arguments or keywords.

Defaults

IP SLAs system logging traps are not generated.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr logging traps command.


Usage Guidelines

SNMP notifications (traps) for IP SLAs can be configured as a triggered action, to be sent when monitored values exceed an upper threshold or fall below a lower threshold, or when a set of defined conditions are met. For example, an SNMP trap can be triggered by five consecutive timeouts during an IP SLAs operation. The sending of SNMP traps is one of the options for triggered actions that can be configured for IP SLAs violations. The monitored values (also called monitored elements), the threshold type, and the triggered action are configured using the ip sla monitor reaction-configuration global configuration mode command.

SNMP traps for IP SLAs are supported by the CISCO-SYSLOG-MIB. The ip sla monitor logging traps command is used to enable the generation of SNMP traps specific to IP SLAs threshold violations. The generation of IP SLAs specific logging messages depends on the configuration of the standard set of logging commands (for example, logging on). IP SLAs logging messages are generated as level 7 (debugging) messages.

Examples

The following example shows the configuration of IP SLAs traps to be triggered for round-trip time (RTT) violations and Voice over IP (VoIP) mean opinion score (MOS) violations, and the necessary SNMP configuration for enabling these SNMP logging traps:

Router(config)# ip sla monitor 1
Router(config-sla-monitor)# type jitter dest-ipaddr 209.165.200.225 dest-port 9234 
Router(config-sla-monitor)# exit 
Router(config)# ip sla monitor schedule 1 start now life forever 
Router(config)# ip sla monitor reaction-configuration 1 react rtt threshold-type immediate 
threshold-value 3000 2000 action-type trapOnly 
Router(config)# ip sla monitor reaction-configuration 1 react MOS threshold-type 
consecutive 4 threshold-value 390 220 action-type trapOnly 

Router(config)# ip sla monitor logging traps 
Router(config)#
Router(config)# snmp-server community public RW
Router(config)# snmp-server enable traps syslog 
Router(config)# snmp-server host 209.165.202.129 version 3 public syslog 
Router(config)# logging trap debugging 
Router(config)# logging host 209.165.202.129 

Related Commands

Command
Description

ip sla monitor reaction-configuration

Configures reactions, such as the generation of syslog traps, based on monitored IP SLAs elements.

logging on

Controls (enables or disables) system message logging globally.


ip sla monitor low-memory

To specify how much unused memory must be available to allow Cisco IOS IP Service Level Agreements (SLAs) configuration, use the ip sla monitor low-memory command in global configuration mode. To remove the type configuration for the operation, use the no form of this command.

ip sla monitor low-memory bytes

no ip sla monitor low-memory

Syntax Description

bytes

Specifies amount of memory, in bytes, that must be available to configure IP SLA. The range is from 0 to the maximum amount of free memory bytes available.


Defaults

The default amount of memory is 25 percent of the memory available on the system.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr low-memory command.


Usage Guidelines

The ip sla monitor low-memory command allows you to specify the amount of memory that the IP SLAs can use. If the amount of available free memory falls below the value specified in the ip sla monitor low-memory command, then the IP SLAs will not allow new operations to be configured. If this command is not used, the default low-memory value is 25 percent. This means that if 75 percent of system memory has been utilized you will not be able to configure any IP SLAs characteristics.

The value of the ip sla monitor low-memory command should not exceed the amount of free memory available on the system. To determine the amount of free memory available on the system, use the show memory user EXEC or privileged EXEC command.

Examples

In the following example, the router is configured so that no less than 2 MB of memory will be free for IP SLAs configuration:

ip sla monitor low-memory 2097152

Related Commands

Command
Description

ip sla monitor

Begins configuration for an IP SLAs operation and enters IP SLA monitor configuration mode.

show memory

Displays statistics about memory, including memory-free pool statistics.


ip sla monitor reaction-configuration

To configure certain actions to occur based on events under the control of Cisco IOS IP Service Level Agreements (SLAs), use the ip sla monitor reaction-configuration command in global configuration mode. To clear all reaction configuration for a specified IP SLAs operation, use the no form of this command.

ip sla monitor reaction-configuration operation-number react monitored-element [action-type option] [threshold-type {average [number-of-measurements] | consecutive [occurrences] | immediate | never | xofy [x-value y-value]}] [threshold-value upper-threshold lower-threshold]

no ip sla monitor reaction-configuration operation-number

Syntax Description

operation-number

Number of the IP SLAs operation for which reactions are to be configured.

react monitored-element

Specifies the element to be monitored for violations.

Note The elements available for monitoring will vary depending on the type of IP SLAs operation you are configuring.

Keyword options for the monitored-element argument are as follows:

connectionLoss—Specifies that a reaction should occur if there is a one-way connection loss for the monitored operation. Thresholds do not apply to this monitored element.

jitterAvg—Specifies that a reaction should occur if the average round-trip jitter value violates the upper threshold or lower threshold.

jitterDSAvg—Specifies that a reaction should occur if the average one-way destination-to-source jitter value violates the upper threshold or lower threshold.

jitterSDAvg—Specifies that a reaction should occur if the average one-way source-to-destination jitter value violates the upper threshold or lower threshold.

mos—Specifies that a reaction should occur if the one-way mean opinion score (MOS) value violates the upper threshold or lower threshold.

packetLossDS—Specifies that a reaction should occur if the one-way destination-to-source packet loss value violates the upper threshold or lower threshold.

packetLossSD—Specifies that a reaction should occur if the one-way source-to-destination packet loss value violates the upper threshold or lower threshold.

react monitored-element (continued)

rtt—Specifies that a reaction should occur if the round-trip time violates the upper threshold or lower threshold.

timeout—Specifies that a reaction should occur if there is a one-way timeout for the monitored operation. Thresholds do not apply to this monitored element.

verifyError—Specifies that a reaction should occur if there is a one-way error verification violation. Thresholds do not apply to this monitored element.

action-type option

(Optional) Specifies what action or combination of actions the operation performs when threshold events occur. If the threshold-type never keywords are defined, the action-type keyword is disabled. The option argument can be one of the following keywords:

none—No action is taken. This option is the default value.

trapAndTrigger—Trigger an Simple Network Management Protocol (SNMP) trap and start another IP SLAs operation when the violation conditions are met, as defined in the trapOnly and triggerOnly options.

trapOnly—Send an SNMP logging trap when the specified violation type occurs for the monitored element. IP SLAs logging traps are enabled using the ip sla monitor logging traps command.

triggerOnly—Have one or more target operation's operational state make the transition from pending to active when the violation conditions are met. The target operations to be triggered are specified using the ip sla monitor reaction-trigger command. A target operation will continue until its life expires, as specified by the target operation's configured lifetime value. A triggered target operation must finish its life before it can be triggered again.

threshold-type average [number-of-measurements]

(Optional) When the average of a specified number of measurements for the monitored element exceeds the upper threshold or when the average of a specified number of measurements for the monitored element drops below the lower threshold, perform the action defined by the action-type keyword. For example, if the upper threshold for react rtt threshold-type average 3 is configured as 5000 ms and the last three results of the operation are 6000, 6000, and 5000 ms, the average would be 6000 + 6000 + 5000 = 17000/3 = 5667, thus violating the 5000 ms upper threshold.

The default number of 5 averaged measurements can be changed using the number-of-measurements argument. The valid range is from 1 to 16.

This syntax is not available if the connectionLoss, timeout, or verifyError keyword is specified as the monitored element, because upper and lower thresholds do not apply to these options.

threshold-type consecutive [occurrences]

(Optional) When the reaction conditions (such as threshold violations) for the monitored element are met consecutively for a specified number of times, perform the action defined by the action-type keyword.

The default number of 5 consecutive occurrences can be changed using the occurrences argument. The valid range is from 1 to 16.

The occurrences value will appear in the output of the show ip sla monitor reaction-configuration command as the "Threshold Count" value.

threshold-type immediate

(Optional) When the reaction conditions (such as threshold violations) for the monitored element are met, immediately perform the action defined by the action-type keyword.

threshold-type never

(Optional) Do not calculate threshold violations. This is the default threshold type.

threshold-type xofy [x-value y-value]

(Optional) When the reaction conditions (such as threshold violations) for the monitored element are met x number of times within the last y number of measurements ("x of y"), perform the action defined by the action-type keyword.

The default is 5 for both the x and y values (xofy 5 5). The valid range for each value is from 1 to 16.

The x-value will appear in the output of the show ip sla monitor reaction-configuration command as the "Threshold Count" value, and the y-value will appear as the "Threshold Count2" value.

[threshold-value upper-threshold lower-threshold]

(Optional) Specifies the upper-threshold and lower-threshold values of the applicable monitored elements. See Table 38 in the "Usage Guidelines" section for a list of the default values.

Note For MOS threshold values (react mos), the number is expressed in three digits representing ones, tenths, and hundredths. For example, to express a MOS threshold of 3.20, enter 320. The valid range is from 100 (1.00) to 500 (5.00).


Defaults

No IP SLAs reactions are generated.
Error verification is disabled.
Connection loss and timeout logging are disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr reaction-configuration command.


Usage Guidelines

You can configure the ip sla monitor reaction-configuration command multiple times to allow reactions for multiple monitored elements (for example, configuring thresholds for destination-to-source packet loss and MOS) for the same operation. However, entering the no ip sla monitor reaction-configuration operation-number command will clear all reaction configuration for the specified operation. In other words, disabling of granular reaction elements (for example, entering the no ip sla monitor reaction-configuration operation-number react monitored-element command) is not supported, so as to provide backwards compatibility with the earlier version of this command.

SNMP traps for IP SLAs are supported by the CISCO-SYSLOG-MIB. The ip sla monitor logging traps command is used to enable the generation of SNMP traps specific to IP SLAs threshold violations.

You can check the configuration of the IP SLAs reaction configuration using the show ip sla monitor reaction-configuration command.


Note Keywords are not case sensitive and are shown in mixed case for readability only.


Table 38 lists the default upper and lower thresholds for specific monitored elements.

Table 38 Default Threshold Values for Monitored Elements 

Monitored Element Keyword
Upper Threshold
Lower Threshold

jitterAvg

100 ms

100 ms

jitterDSAvg

100 ms

100 ms

jitterSDAvg

100 ms

100 ms

mos

500 (score)

100 (score)

packetLossDS

10000 packets

10000 packets

packetLossSD

10000 packets

10000 packets

rtt

5000 ms

3000 ms


Examples

In the following example, IP SLAs operation 10 (a UDP jitter operation) is configured to send an SNMP logging trap when the MOS value exceeds 4.9 (best quality) or falls below 2.5 (poor quality):

Router(config)# ip sla monitor reaction-configuration 10 react mos threshold-type 
immediate threshold-value 490 250 action-type trapOnly


The following example shows the default settings for the ip sla monitor reaction-configuration command when none of the optional syntax elements are used:


Router# show ip sla monitor reaction-configuration 1

Entry number: 1
Reaction Configuration not configured

Router# configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# ip sla monitor reaction-configuration 1
Router(config)# do show ip sla monitor reaction-configuration 1

Entry number: 1
Reaction: rtt
Threshold Type: Never
Rising (milliseconds): 5000
Falling (milliseconds): 3000
Threshold Count: 5
Threshold Count2: 5
Action Type: None

Related Commands

Command
Description

ip sla monitor

Begins configuration for an IP SLAs operation and enters IP SLA monitor configuration mode.

ip sla monitor logging traps

Enables the generation of system logging SNMP notifications (traps) specific to IP SLAs thresholds.

ip sla monitor reaction-trigger

Defines a second IP SLAs operation to make the transition from a pending state to an active state when one of the trigger action-type options are defined with the ip sla monitor reaction-configuration global configuration command.

show ip sla monitor reaction-configuration

Displays the current configuration for IP SLAs reactions.

show ip sla monitor reaction-trigger

Displays the configured state of triggered IP SLAs operations.

timeout

Sets the amount of time the IP SLAs operation waits for a response from its request packet.


ip sla monitor reaction-trigger

To define a second Cisco IOS IP Service Level Agreements (SLAs) operation to make the transition from a pending state to an active state when one of the trigger action type options are defined with the ip sla monitor reaction-configuration command, use the ip sla monitor reaction-trigger command in global configuration mode. To remove the trigger combination, use the no form of this command.

ip sla monitor reaction-trigger operation-number target-operation

no ip sla monitor reaction-trigger operation

Syntax Description

operation-number

Number of the operation for which a trigger action type is defined (using the ip sla monitor reaction-configuration global configuration command).

target-operation

Number of the operation that will be triggered into an active state.


Defaults

No trigger combination is defined.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr reaction-trigger command.


Usage Guidelines

Triggers are usually used for diagnostics purposes and are not intended for use during normal operation conditions.

Examples

In the following example, a trigger action type is defined for IP SLAs operation 2 . When operation 2 experiences certain user-specified threshold violation events while it is actively collecting statistical information, the operation state of IP SLAs operation 1 will be triggered to change from pending to active.

ip sla monitor reaction-trigger 2 1

Related Commands

Command
Description

ip sla monitor

Begins configuration for an IP SLAs operation and enters IP SLA monitor configuration mode.

ip sla monitor reaction-configuration

Configures certain actions to occur based on events under the control of the IP SLA.

ip sla monitor schedule

Configures the time parameters for an IP SLAs operation.


ip sla monitor reset

To perform a shutdown and restart of the Cisco IOS IP Service Level Agreements (SLAs) engine, use the ip sla monitor reset command in global configuration mode.

ip sla monitor reset

Syntax Description

This command has no arguments or keywords.

Defaults

None

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr reset command.


Usage Guidelines

The ip sla monitor reset command stops all operations, clears IP SLAs configuration information, and returns the IP SLAs feature to the startup condition. This command does not reread the IP SLAs configuration stored in the startup configuration in NVRAM. You must retype the configuration or load a previously saved configuration file.


Note The ip sla monitor reset command does not remove IP SLAs label switched path (LSP) Health Monitor configurations from the running configuration.



Note Use the ip sla monitor reset command only in extreme situations such as the incorrect configuration of a number of operations.


Examples

The following example shows how to reset the Cisco IOS IP SLAs engine, clearing all stored IP SLAs information and configuration:

ip sla monitor reset

Related Commands

Command
Description

ip sla monitor restart

Restarts a stopped IP SLAs operation.


ip sla monitor responder

To enable the Cisco IOS IP Service Level Agreements (SLAs) Responder for general IP SLAs operations, use the ip sla monitor responder command in global configuration mode. To disable the IP SLAs Responder, use the no form of this command.

ip sla monitor responder

no ip sla monitor responder

Syntax Description

This command has no arguments or keywords.

Defaults

The IP SLAs Responder is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr responder command.


Usage Guidelines

This command is used on the destination device for IP SLAs operations to enable the sending and receiving of IP SLAs control packets. Enabling the IP SLAs Responder allows the generation of packet loss statistics on the device sending IP SLAs operations.

Prior to sending an operation packet to the IP SLAs Responder, the IP SLAs operation sends a control message to the IP SLAs Responder to enable the destination port.

Examples

The following example shows how to enable the IP SLAs Responder:

ip sla monitor responder

Related Commands

Command
Description

ip sla monitor

Begins configuration for an IP SLAs operation and enters IP SLA monitor configuration mode.

ip sla monitor responder type frame-relay

Enables the IP SLAs Responder on the operational target device for Frame Relay operations.

ip sla monitor responder type tcpConnect ipaddress

Enables the IP SLAs Responder for TCP Connect operations.

ip sla monitor responder type udpEcho ipaddress

Enables the IP SLAs Responder for UDP echo and jitter operations.


ip sla monitor responder type frame-relay

To enable the Cisco IOS IP Service Level Agreements (SLAs) Responder on the operational target device for Frame Relay operations, use the ip sla monitor responder type frame-relay command in global configuration mode. To disable the IP SLAs Responder, use the no form of this command.

ip sla monitor responder type frame-relay {all | interface {serial | fr-atm} interface-number dlci dlci-number}

no ip sla monitor responder type frame-relay {all | interface {serial | fr-atm} interface-number dlci dlci-number}

Syntax Description

all

Specifies that the IP SLAs Responder will respond to Frame Relay operations on every interface and data-link connection identifier (DLCI).

interface serial

Specifies the serial interface over which to respond to Frame Relay operations.

interface fr-atm

Specifies the Frame Relay interface over which to respond to Frame Relay operations.

interface-number

Frame Relay or serial interface number.

dlci dlci-number

Specifies the Frame Relay permanent virtual circuit (PVC) DLCI number that is assigned to the interface.


Defaults

The IP SLAs Responder is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr responder type frame-relay command.


Usage Guidelines

This command allows the IP SLAs Responder to respond to Frame Relay operations without receiving IP SLAs control protocol packets.

Note that if you use this command, packet loss statistics will not be able to be generated for the operation because the Responder will not be able to determine the order of the received packets. To generate packet loss statistics, use the ip sla monitor responder command without specifying an operation type.

Examples

In the following example, the IP SLAs Responder is configured to respond to Frame Relay operations specifically on serial interface 1/0, using DLCI number 16:

ip sla monitor responder type frame-relay interface serial 1/0 dlci 16 

Related Commands

Command
Description

ip sla monitor

Begins configuration for an IP SLAs operation and enters IP SLA monitor configuration mode.

ip sla monitor responder

Enables the IP SLAs Responder for nonspecific IP SLAs operations.


ip sla monitor responder type tcpConnect ipaddress

To enable the Cisco IOS IP Service Level Agreements (SLAs) Responder for TCP Connect operations, use the ip sla monitor responder type tcpConnect ipaddress command in global configuration mode. To disable the IP SLAs Responder, use the no form of this command.

ip sla monitor responder type tcpConnect ipaddress ip-address port port-number

no ip sla monitor responder type tcpConnect ipaddress ip-address port port-number

Syntax Description

ip-address

Destination IP address.

port port-number

Specifies the destination port number.


Defaults

The IP SLAs Responder is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr responder type tcpConnect command.


Usage Guidelines

This command is used on the destination device for IP SLAs operations to enable the acceptance and return of TCP connection operation packets.

Examples

The following example shows how to enable the IP SLAs Responder for TCP connection operations:

ip sla monitor responder type tcpConnect ipaddress A.B.C.D port 1

Related Commands

Command
Description

ip sla monitor

Begins configuration for an IP SLAs operation and enters IP SLA monitor configuration mode.

ip sla monitor responder

Enables the IP SLAs Responder for nonspecific IP SLAs operations.


ip sla monitor responder type udpEcho ipaddress

To enable the Cisco IOS IP Service Level Agreements (SLAs) Responder for User Datagram Protocol (UDP) echo or jitter operations, use the ip sla monitor responder type udpEcho ipaddress command in global configuration mode. To disable the IP SLAs Responder, use the no form of this command.

ip sla monitor responder type udpEcho ipaddress ip-address port port-number

no ip sla monitor responder type udpEcho ipaddress ip-address port port-number

Syntax Description

ip-address

Destination IP address.

port port-number

Specifies the destination port number.


Defaults

The IP SLAs Responder is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr responder type udpEcho command.


Usage Guidelines

This command is used on the destination device for IP SLAs operations to enable UDP echo and jitter (UDP+) operations on nonnative interfaces.

Examples

The following example shows how to enable the IP SLAs Responder for jitter operations:

ip sla monitor responder type udpEcho ipaddress A.B.C.D port 1

Related Commands

Command
Description

ip sla monitor

Begins configuration for an IP SLAs operation and enters IP SLA monitor configuration mode.

ip sla monitor responder

Enables the IP SLAs Responder for nonspecific IP SLAs operations.


ip sla monitor restart

To restart a Cisco IOS IP Service Level Agreements (SLAs) operation, use the ip sla monitor restart command in global configuration mode.

ip sla monitor restart operation-number

Syntax Description

operation-number

Number of the IP SLAs operation to restart. IP SLAs allows a maximum of 2000 operations.


Defaults

None

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr restart command.


Usage Guidelines

To restart an operation, the operation should be in an active state.

IP SLAs allows a maximum of 2000 operations.

This command does not have a no form.

Examples

The following example shows how to restart operation 12:

ip sla monitor restart 12

Related Commands

Command
Description

ip sla monitor reset

Clears all current IP SLAs statistics and configuration information from the router and resets the IP SLAs engine.


ip sla monitor schedule

To configure the scheduling parameters for a single Cisco IOS IP Service Level Agreements (SLAs) operation, use the ip sla monitor schedule command in global configuration mode. To stop the operation and place it in the default state (pending), use the no form of this command.

ip sla monitor schedule operation-number [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]

no ip sla monitor schedule operation-number

Syntax Description

operation-number

Number of the IP SLAs operation to schedule.

life forever

(Optional) Schedules the operation to run indefinitely.

life seconds

(Optional) Number of seconds the operation actively collects information. The default is 3600 seconds (one hour).

start-time

(Optional) Time when the operation starts.

hh:mm[:ss]

Specifies an absolute start time using hour, minute, and (optionally) second. Use the 24-hour clock notation. For example, start-time 01:02 means "start at 1:02 a.m.," and start-time 13:01:30 means "start at 1:01 p.m. and 30 seconds." The current day is implied unless you specify a month and day.

month

(Optional) Name of the month to start the operation in. If month is not specified, the current month is used. Use of this argument requires that a day be specified. You can specify the month by using either the full English name or the first three letters of the month.

day

(Optional) Number of the day (in the range 1 to 31) to start the operation on. If a day is not specified, the current day is used. Use of this argument requires that a month be specified.

pending

(Optional) No information is collected. This is the default value.

now

(Optional) Indicates that the operation should start immediately.

after hh:mm:ss

(Optional) Indicates that the operation should start hh hours, mm minutes, and ss seconds after this command was entered.

ageout seconds

(Optional) Number of seconds to keep the operation in memory when it is not actively collecting information. The default is 0 seconds (never ages out).

recurring

(Optional) Indicates that the operation will start automatically at the specified time and for the specified duration every day.


Defaults

The operation is placed in a pending state (that is, the operation is enabled but not actively collecting information).

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr schedule command.


Usage Guidelines

After you schedule the operation with the ip sla monitor schedule command, you cannot change the configuration of the operation. To change the configuration of the operation, use the no form of the ip sla monitor global configuration command and reenter the configuration information.

If the operation is in a pending state, you can define the conditions under which the operation makes the transition from pending to active with the ip sla monitor reaction-trigger and ip sla monitor reaction-configuration global configuration commands. When the operation is in an active state, it immediately begins collecting information.

The following time line shows the age-out process of the operation:

W----------------------X----------------------Y----------------------Z

where:

W is the time the operation was configured with the ip sla monitor global configuration command.

X is the start time or start of life of the operation (that is, when the operation became "active").

Y is the end of life as configured with the ip sla monitor schedule global configuration command (life seconds have counted down to zero).

Z is the age out of the operation.

Age out starts counting down at W and Y, is suspended between X and Y, and is reset to its configured size at Y.

The operation to can age out before it executes (that is, Z can occur before X). To ensure that this does not happen, configure the difference between the operation's configuration time and start time (X and W) to be less than the age-out seconds.


Note The total RAM required to hold the history and statistics tables is allocated at the time of scheduling the IP SLAs operation. This prevents router memory problems when the router gets heavily loaded and lowers the amount of overhead an IP SLAs operation causes on a router when it is active.


For IP SLAs Service Level Monitoring (SLM) operations, the operation will always start at the nearest 15-minute interval since the router start time. For example, if the ip sla monitor schedule 1 start-time now command is used, the operation will not start until the next quarter-hour time increment.

The recurring keyword is supported only for scheduling single IP SLAs operations. You cannot schedule multiple IP SLAs operations using the ip sla monitor schedule command. The life value for a recurring IP SLAs operation should be less than one day. The ageout value for a recurring operation must be "never" (which is specified with the value 0), or the sum of the life and ageout values must be more than one day. If the recurring option is not specified, the operations are started in the existing normal scheduling mode.

Examples

In the following example, operation 25 begins actively collecting data at 3:00 p.m. on April 5. This operation will age out after 12 hours of inactivity, which can be before it starts or after it has finished with its life. When this operation ages out, all configuration information for the operation is removed (that is, the configuration information is no longer in the running configuration in RAM).

ip sla monitor schedule 25 life 43200 start-time 15:00 apr 5 ageout 43200


In the following example, operation 1 begins collecting data after a 5-minute delay:

ip sla monitor schedule 1 start-time after 00:05:00


In the following example, operation 3 begins collecting data immediately and is scheduled to run indefinitely:

ip sla monitor schedule 3 start-time now life forever


In the following example, operation 15 begins automatically collecting data every day at 1:30 a.m.:

ip sla monitor schedule 15 start-time 01:30:00 recurring

Related Commands

Command
Description

ip sla monitor

Begins configuration for an IP SLAs operation and enters IP SLA monitor configuration mode.

ip sla monitor group schedule

Performs group scheduling for IP SLAs operations.

ip sla monitor reaction-configuration

Configures certain actions to occur based on events under the control of the IP SLA.

ip sla monitor reaction-trigger

Defines a second IP SLAs operation to make the transition from a pending state to an active state when one of the trigger action-type options is defined with the ip sla monitor reaction-configuration global configuration command.

show ip sla monitor configuration

Displays the configuration details of the IP SLAs operation.


ip sla monitor slm frame-relay statistics

To enable Cisco IOS IP Service Level Agreements (SLAs) and Cisco Networking Services (CNS) to collect Frame Relay performance monitoring statistics, use the ip sla monitor slm frame-relay statistics command in global configuration mode. To disable the collection of Frame Relay performance monitoring statistics, use the no form of this command.

ip sla monitor slm frame-relay statistics

no ip sla monitor slm frame-relay statistics

Syntax Description

This command has no arguments or keywords.

Defaults

Frame Relay performance monitoring statistics are not collected.

Command Modes

Global configuration

Command History

Release
Modification

12.3(14)T

This command was introduced. This command replaces the rtr slm frame-relay statistics command.


Usage Guidelines

The ip sla monitor slm frame-relay statistics command should be issued prior to configuring any of the IP SLAs Frame Relay Service Level Monitoring (SLM) operations. Performance statistics are not retained for these operations until this command is entered.

This command does not affect the standard Frame Relay IP SLAs operation (configured using the type frame-relay command).

Examples

In the following example, the IP SLAs Frame Relay SLM feature is enabled:

ip sla monitor slm frame-relay statistics 

Related Commands

Command
Description

type slm controller

Specifies that the IP SLAs operation is an SLM controller operation, and specifies the controller that the operation should be run on.

type slm frame-relay interface

Specifies that the IP SLAs operation is an SLM FR interface operation, and specifies the interface that the operation should be run on.

type slm frame-relay pvc interface

Specifies that the IP SLAs operation is an SLM FR circuit operation, and specifies the interface and DLCI number that the operation should be run on.

type slm interface

Specifies that the IP SLAs operation is an SLM interface operation, and specifies the interface that the operation should be run on.


ip telnet source-interface

To specify the IP address of an interface as the source address for Telnet connections, use the ip telnet source-interface command in global configuration mode. To reset the source address to the default for each connection, use the no form of this command.

ip telnet source-interface interface

no ip telnet source-interface

Syntax Description

interface

The interface whose address is to be used as the source for Telnet connections.


Defaults

The address of the closest interface to the destination is the source address.

Command Modes

Global configuration

Command History

Release
Modification

11.1

This command was introduced.


Usage Guidelines

Use this command to set the IP address of an interface as the source for all Telnet connections.

If the specified interface is not up, the Cisco IOS software selects the address of the interface closest to the destination as the source address.

Examples

The following example forces the IP address for Ethernet interface 1 as the source address for Telnet connections:

Router(config)# ip telnet source-interface Ethernet1

Related Commands

Command
Description

ip radius source-interface

Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.


ip tftp source-interface

To specify the IP address of an interface as the source address for TFTP connections, use the ip tftp source-interface command in global configuration mode. To return to the default, use the no form of this command.

ip tftp source-interface interface

no ip tftp source-interface

Syntax Description

interface

The interface whose address is to be used as the source for TFTP connections.


Defaults

The address of the closest interface to the destination as the source address.

Command Modes

Global configuration

Command History

Release
Modification

11.1

This command was introduced.


Usage Guidelines

Use this command to set the IP address of an interface as the source for all TFTP connections.

If the specified interface is not up, the Cisco IOS software selects the address of the interface closest to the destination as the source address.

Examples

In the following example, the IP address assigned to Loopback interface 0 will be used as the source address for TFTP connections:

Router(config)# ip tftp source-interface Loopback0

Related Commands

Command
Description

ip ftp source-interface

Forces outgoing FTP packets to use the IP address of a specified interface as the source address.

ip radius source-interface

Forces outgoing RADIUS packets to use the IP address of a specified interface as the source address.


kron occurrence

To specify schedule parameters for a Command Scheduler occurrence and enter kron-occurrence configuration mode, use the kron occurrence command in global configuration mode. To delete a Command Scheduler occurrence, use the no form of this command.

kron occurrence occurrence-name [user username] {in [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]} {oneshot | recurring}

no kron occurrence occurrence-name [user username] {in [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]} {oneshot | recurring}

Syntax Description

occurrence-name

Name of occurrence. Length of occurrence-name is from 1 to 31 characters. If the occurrence-name is new, an occurrence structure will be created. If the occurrence-name is not new, the existing occurrence will be edited.

user

(Optional) Used to identify a particular user.

username

(Optional) Name of user.

in

Identifies that the occurrence is to run after a specified time interval. The timer starts when the occurrence is configured.

numdays:

(Optional) Number of days. If used, add a colon after the number.

numhours:

(Optional) Number of hours. If used, add a colon after the number.

nummin

Number of minutes.

at

Identifies that the occurrence is to run at a specified calendar date and time.

hours:

Hour as a number using the twenty-four hour clock. Add a colon after the number.

min

Minute as a number.

month

(Optional) Month name. If used, you must also specify day-of-month.

day-of-month

(Optional) Day of month as a number.

day-of-week

(Optional) Day of week name.

oneshot

Identifies that the occurrence is to run only one time. After the occurrence has run, the configuration is removed.

recurring

Identifies that the occurrence is to run on a recurring basis.


Command Default

No schedule parameters are specified.

Command Modes

Global configuration

Command History

Release
Modification

12.3(1)

This command was introduced.


Usage Guidelines

Prior to Cisco IOS Release 12.4, when you configured a kron occurrence for a calendar time when the system clock was not set, you received a printf message stating that the clock was not set and the occurrence would not be scheduled until it was set.

Beginning in Cisco IOS Release 12.4, when you configure a kron occurrence for a calendar time when the system clock is not set, the occurrence is scheduled but a printf message appears stating that the clock is not set and that it currently reads <current clock time>.

If you set the clock, the schedule of the occurrence is affected in one of the following ways:

A new clock time set for less than 3 hours after the occurrence is scheduled to happen causes the occurrence to happen immediately.

A new clock time set for less than 3 hours before the occurrence is scheduled to happen causes the occurrence to happen as scheduled.

A new clock time set for more than 3 hours after the occurrence is scheduled to happen causes the occurrence to be rescheduled for the next regular calendar time.

A new clock time set for more than 3 hours before the occurrence is scheduled to happen causes the occurrence to be rescheduled for the previous regular calendar time.

Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the same time or interval.

Use the kron policy-list command in conjunction with the cli command to create a Command Scheduler policy containing EXEC command-line interface (CLI) commands to be scheduled to run on the router at a specified time.

Use the show kron schedule command to display the name of each configured occurrence and when it will next run.

The Command Scheduler process is useful to automate the running of EXEC commands at recurring intervals, and it can be used in remote routers to minimize manual intervention.

Examples

The following example shows how to create a Command Scheduler occurrence named IT2 and schedule it to run every three days, 10 hours, and 50 minutes. The EXEC CLI in the policy named three-day-list is configured to run as part of occurrence info-three.

Router(config)# kron occurrence info-three user IT2 in 3:10:50 recurring
Router(config-kron-occurrence)# policy-list three-day-list

The following example shows how to create a Command Scheduler occurrence named auto-mkt and schedule it to run once on June 4 at 5:30 a.m. The EXEC CLI in the policies named mkt-list and mkt-list2 are configured to run as part of occurrence auto-mkt.

Router(config)# kron occurrence auto-mkt user marketing at 5:30 jun 4 oneshot
Router(config-kron-occurrence)# policy-list mkt-list
Router(config-kron-occurrence)# policy-list mkt-list2

Related Commands

Command
Description

cli

Specifies EXEC CLI commands within a Command Scheduler policy list

kron policy-list

Specifies a name for a Command Scheduler policy and enters kron-policy configuration mode.

policy-list

Specifies the policy list associated with a Command Scheduler occurrence.

show kron schedule

Displays the status and schedule information for Command Scheduler occurrences.


kron policy-list

To specify a name for a Command Scheduler policy and enter kron-policy configuration mode, use the kron policy-list command in global configuration mode. To delete the policy list, use the no form of this command.

kron policy-list list-name

no kron policy-list list-name

Syntax Description

list-name

Name of policy. Length of list-name is from 1 to 31 characters. If the list-name is new, a policy list structure will be created. If the list-name is not new, the existing policy list will be edited.


Defaults

If the specified list name does not exist, a new policy list is created.

Command Modes

Global configuration

Command History

Release
Modification

12.3(1)

This command was introduced.


Usage Guidelines

Use the kron policy-list command in conjunction with the cli command to create a Command Scheduler policy containing EXEC command line interface (CLI) commands to be scheduled to run on the router at a specified time. Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the same time or interval.

The Command Scheduler process is useful to automate the running of EXEC commands at recurring intervals, and it can be used in remote routers to minimize manual intervention.

Examples

The following example shows how to create a policy named sales-may and configure EXEC CLI commands to run the CNS command that retrieves an image from a server:

Router(config)# kron policy-list sales-may
Router(config-kron-policy)# cli cns image retrieve server https://10.21.2.3/imgsvr/ status 
https://10.21.2.5/status/

Related Commands

Command
Description

cli

Specifies EXEC CLI commands within a Command Scheduler policy list.

kron occurrence

Specifies schedule parameters for a Command Scheduler occurrence and enters kron-occurrence configuration mode.

policy-list

Specifies the policy list associated with a Command Scheduler occurrence.


length

To set the terminal screen length, use the length command in line configuration mode. To restore the default value, use the no form of this command.

length screen-length

no length

Syntax Description

screen-length

The number of lines on the screen. A value of zero disables pausing between screens of output.


Defaults

Screen length of 24 lines

Command Modes

Line configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The Cisco IOS software uses the value of this command to determine when to pause during multiple-screen output. Not all commands recognize the configured screen length. For example, the show terminal command assumes a screen length of 24 lines or more.

Examples

In the following example, the terminal type is specified and the screen pause function is disabled for the terminal connection on line 6:

Router(config)# line 6
Router(config-line)# terminal-type VT220
Router(config-line)# length 0

Related Commands

Command
Description

terminal length

Sets the number of lines on the current terminal screen for the current session.


line-cli


Note Effective with Cisco IOS Releases 12.3(8)T and 12.3(9), the line-cli command is replaced by the cli (cns) command. See the cli (cns) command for more information.


To connect to the Cisco Networking Services (CNS) configuration engine using a modem dialup line, use the line-cli command in CNS Connect-interface configuration mode.

line-cli

Syntax Description

This command has no arguments or keywords.

Defaults

No command lines are specified to configure modem lines.

Command Modes

CNS Connect-interface configuration

Command History

Release
Modification

12.2(8)T

This command was introduced on Cisco 2600 series and Cisco 3600 series routers.

12.3(8)T

This command was replaced by the cli (cns) command.

12.3(9)

This command was replaced by the cli (cns) command.


Usage Guidelines

Use this command to connect to the CNS configuration engine using a specific type of interface. You must specify the interface type but need not specify the interface number; the router's bootstrap configuration finds the connecting interface, regardless of the slot in which the card resides or the modem dialout line for the connection, by trying different candidate interfaces or lines until it successfully pings the registrar.

Enter this command to enter CNS Connect-interface configuration (config-cns-conn-if) mode. Then use one of the following bootstrap-configuration commands to connect to the registrar for initial configuration:

config-cli followed by commands that, used as is, configure the interface.

line-cli followed by a command to configure modem lines to enable dialout and, after that, commands to configure the modem dialout line.

The config-cli command accepts the special directive character "&," which acts as a placeholder for the interface name. When the configuration is applied, the & is replaced with the interface name. Thus, for example, if we are able to connect using FastEthernet0/0, the following is the case:

The config-cli ip route 0.0.0.0 0.0.0.0 & command generates the config ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 command.

The cns id & ipaddress command generates the cns id FastEthernet0/0 ipaddress command.

Examples

The following example enters CNS Connect-interface configuration mode, connects to a configuration engine using an asynchronous interface, and issues a number of commands:

Router(config)# cns config connect-intf Async
Router(config-cns-conn-if)# config-cli encapsulation ppp
Router(config-cns-conn-if)# config-cli ip unnumbered FastEthernet0/0
Router(config-cns-conn-if)# config-cli dialer rotart-group 0
Router(config-cns-conn-if)# line-cli modem InOut
Router(config-cns-conn-if)# line-cli
.
.
.
Router(config-cns-conn-if)# exit

These commands apply the following configuration:

line 65
modem InOut
.
.
.
interface Async65
encapsulation ppp
dialer in-band
dialer rotary-group 0

Related Commands

Command
Description

cns config connect-intf

Specifies the interface for connecting to the CNS configuration engine.

config-cli

Connects to the CNS configuration engine using a specific type of interface.


lives-of-history-kept

To set the number of lives maintained in the history table for a Cisco IOS IP Service Level Agreements (SLAs) operation, use the lives-of-history-kept command in the appropriate submode of IP SLA monitor configuration or RTR configuration mode. To return to the default value, use the no form of this command.

lives-of-history-kept lives

no lives-of-history-kept

Syntax Description

lives

Number of lives maintained in the history table for the operation. If you specify 0 lives, history is not collected for the operation.


Defaults

0 lives

Command Modes

IP SLA Monitor Configuration

DHCP configuration (config-sla-monitor-dhcp)
DLSw configuration (config-sla-monitor-dlsw)
DNS configuration (config-sla-monitor-dns)
Frame Relay configuration (config-sla-monitor-frameRelay)
FTP configuration (config-sla-monitor-ftp)
HTTP configuration (config-sla-monitor-http)
ICMP echo configuration (config-sla-monitor-echo)
ICMP path echo configuration (config-sla-monitor-pathEcho)
ICMP path jitter configuration (config-sla-monitor-pathJitter)
TCP connect configuration (config-sla-monitor-tcp)
UDP echo configuration (config-sla-monitor-udp)
VoIP configuration (config-sla-monitor-voip)

RTR Configuration

DHCP configuration (config-rtr-dhcp)
DLSw configuration (config-rtr-dlsw)
DNS configuration (config-rtr-dns)
Frame Relay configuration (config-rtr-frameRelay)
FTP configuration (config-rtr-ftp)
HTTP configuration (config-rtr-http)
ICMP echo configuration (config-rtr-echo)
ICMP path echo configuration (config-rtr-pathEcho)
ICMP path jitter configuration (config-rtr-pathJitter)
TCP connect configuration (config-rtr-tcp)
UDP echo configuration (config-rtr-udp)


Note The configuration mode varies depending on the Cisco IOS release you are running and the operation type configured. See the "Usage Guidelines" section for more information.


Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

The following rules apply to the lives-of-history-kept command:

The number of lives you can specify is dependent on the type of operation you are configuring.

The default value of 0 lives means that history is not collected for the operation.

When the number of lives exceeds the specified value, the history table wraps (that is, the oldest information is replaced by newer information).

When an operation makes a transition from a pending to active state, a life starts. When the life of an operation ends, the operation makes a transition from an active to pending state.


Note The lives-of-history-kept command does not support the IP SLAs User Datagram Protocol (UDP) jitter operation.


An IP SLAs operation can collect history and capture statistics. By default, the history for an IP SLAs operation is not collected. If history is collected, each history bucket contains one or more history entries from the operation. When the operation type is ICMP path echo, an entry is created for each hop along the path that the operation takes to reach its destination. The type of entry stored in the history table is controlled by the filter-for-history command. The total number of entries stored in the history table is controlled by the combination of the samples-of-history-kept, buckets-of-history-kept, and lives-of-history-kept commands.

To disable history collection, use the no lives-of-history-kept command rather than the filter-for-history none command. The no lives-of-history-kept command disables history collection before an IP SLAs operation is attempted. The filter-for-history command checks for history inclusion after the operation attempt is made.

IP SLAs Operation Configuration Dependence on Cisco IOS Release

The Cisco IOS command used to begin configuration for an IP SLAs operation varies depending on the Cisco IOS release you are running (see Table 39). You must configure the type of IP SLAs operation (such as User Datagram Protocol [UDP] jitter or Internet Control Message Protocol [ICMP] echo) before you can configure any of the other parameters of the operation.

The configuration mode for the lives-of-history-kept command varies depending on the Cisco IOS release you are running (see Table 39) and the operation type configured. For example, if you are running Cisco IOS Release 12.4 and the ICMP echo operation type is configured, you would enter the lives-of-history-kept command in ICMP echo configuration mode (config-sla-monitor-echo) within IP SLA monitor configuration mode.

Table 39 Command Used to Begin Configuration of an IP SLAs Operation Based on Cisco IOS Release 

Cisco IOS Release
Global Configuration Command
Command Mode Entered

12.3(14)T and 12.4

ip sla monitor

IP SLA monitor configuration

All other Cisco IOS releases

rtr

RTR configuration


Examples

The following examples show how to maintain the history for five lives of IP SLAs ICMP echo operation 1. Note that the Cisco IOS command used to begin configuration for an IP SLAs operation varies depending on the Cisco IOS release you are running (see Table 39).

IP SLA Monitor Configuration

ip sla monitor 1
 type echo protocol ipIcmpEcho 172.16.1.176
 lives-of-history-kept 5
!
ip sla monitor schedule 1 life forever start-time now

RTR Configuration

rtr 1
 type echo protocol ipIcmpEcho 172.16.1.176
 lives-of-history-kept 5
!
rtr schedule 1 life forever start-time now

Related Commands

Command
Description

buckets-of-history-kept

Sets the number of history buckets that are kept during the lifetime of the IP SLAs operation.

filter-for-history

Defines the type of information kept in the history table for the IP SLAs operation.

ip sla monitor

Begins configuration for an IP SLAs operation and enters IP SLA monitor configuration mode.

rtr

Begins configuration for an IP SLAs operation and enters RTR configuration mode.

samples-of-history-kept

Sets the number of entries kept in the history table per bucket for the IP SLAs operation.


load-interval

To specify the length of time to be used to calculate the average load for an interface, use the load-interval command in interface configuration or Frame Relay DLCI configuration mode. To revert to the default setting, use the no form of this command.

load-interval seconds

no load-interval seconds

Syntax Description

seconds

Length of time for which data is used to compute load statistics. Value is a multiple of 30, from 30 to 600 (30, 60, 90, 120, and so on). The default is 300 seconds.


Defaults

300 seconds (5 minutes)

Command Modes

Interface configuration
Frame Relay DLCI configuration

Command History

Release
Modification

10.3

This command was introduced.

12.2(4)T

This command was made available in Frame Relay DLCI configuration mode.


Usage Guidelines

If you want load computations to be more reactive to short bursts of traffic, rather than being averaged over 5-minute periods, you can shorten the length of time over which load averages are computed. For example, if the load interval is set to 30 seconds, the load value will reflect the weighted-average load for the last 30-second period.

Load data is gathered every 5 seconds. This data is used to compute load statistics, including input rate in bits and packets per second, output rate in bits and packets per second, load, and reliability. Load data is computed using a weighted-average calculation in which recent load data has more weight in the computation than older load data.

The load-interval command allows you to change the calculation interval from the default value of 5 minutes (300 seconds) to a shorter or longer period of time. If you change it to a shorter period of time, the input and output statistics that are displayed when you use the show interface or show frame-relay pvc command will be more current, rather than reflecting a more average load over a longer period of time.

One use of this command is to increase or decrease the likelihood of activating a backup interface; for example a backup dial interface may be triggered by a sudden spike in the load on an active interface.

Examples

In the following example, the load-interval for the serial interface 0 is configured so that the average is computed over 30-second intervals. A burst in traffic that would not trigger a dial backup for an interface configured with the default 5-minute interval might trigger a dial backup for this interface, which is set for the shorter 30-second interval.

Router(config)# interface serial 0
Router(config-if)# load-interval 30

Frame Relay PVC Example

In the following example, the load interval is set to 60 seconds for a Frame Relay PVC with the DLCI 100:

Router(config)# interface serial 1/1 
Router(config-if# encapsulation frame-relay ietf 
Router(config-if)# frame-relay interface-dlci 100 
Router(config-fr-dlci)# load-interval 60 

Related Commands

Command
Description

show interfaces

Displays information about interfaces on the device.


location

To provide a description of the location of a serial device, use the location command in line configuration mode. To remove the description, use the no form of this command.

location text

no location

Syntax Description

text

Location description.


Defaults

No location description is provided.

Command Modes

Line configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The location command enters information about the device location and status. Use the show users all EXEC command to display the location information.

Examples

In the following example, the location description for the console line is given as "Building 3, Basement":

Router(config)# line console
Router(config-line)# location Building 3, Basement

lock

To configure a temporary password on a line, use the lock command in EXEC mode.

lock

Syntax Description

This command has no arguments or keywords.

Defaults

Not locked

Command Modes

EXEC

Command History

Release
Modification

10.0

This command was introduced in a release prior to Cisco IOS Release 10.0.


Usage Guidelines

You can prevent access to your session while keeping your connection open by setting up a temporary password. To lock access to the terminal, perform the following steps:


Step 1 Enter the lock command. The system prompts you for a password.

Step 2 Enter a password, which can be any arbitrary string. The system will prompt you to confirm the password. The screen then clears and displays the message "Locked."

Step 3 To regain access to your sessions, reenter the password.


The Cisco IOS software honors session timeouts on a locked lines. You must clear the line to remove this feature. The system administrator must set the line up to allow use of the temporary locking feature by using the lockable line configuration command.

Examples

The following example shows configuring the router as lockable, saving the configuration, and then locking the current session for the user:

Router(config-line)# lockable
Router(config-line)# ^Z
Router# copy system:running-config nvram:startup-config
Building configuration...
OK
Router# lock 
Password: <password>
Again: <password>
                      Locked
Password: <password>
Router#

Related Commands

Command
Description

lockable

Enables the lock EXEC command.

login (EXEC)

Enables or changes a login username.


lockable

To enable use of the lock EXEC command, use the lockable command in line configuration mode. To reinstate the default (the terminal session cannot be locked), use the no form of this command.

lockable

no lockable

Syntax Description

This command has no arguments or keywords.

Defaults

Sessions on the line are not lockable (the lock EXEC command has no effect).

Command Modes

Line configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

This command enables use of temporary terminal locking, which is executed using the lock EXEC command. Terminal locking allows a user keep the current session open while preventing access by other users.

Examples

In the following example, the terminal connection is configured as lockable, then the current connection is locked:

Router# configure terminal
Router(config)# line console 0
Router(config-line)# lockable
Router(config)# ^Z
Router# lock
Password: <password>
Again: <password>
                      Locked
Password: <password>
Router#

Related Commands

Command
Description

lock

Prevents access to your session by other users by setting a temporary password on your terminal line.


log config

To enter configuration change logger configuration mode, use the log config command in archive configuration mode.

log config

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values

Command Modes

Archive configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Examples

The following example shows how to place the router in configuration change logger configuration mode:

Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-config)# logging enable

Related Commands

Command
Description

archive

Enters archive configuration mode.

hidekeys

Suppresses the display of password information in configuration log files.

logging enable

Enables the logging of configuration changes.

logging size

Specifies the maximum number of entries retained in the configuration log.

notify syslog

Enables the sending of notifications of configuration changes to a remote syslog.

show archive log config

Displays entries from the configuration log.


logging buffered

To enable system message logging to a local buffer and limit messages logged to the buffer based on severity, use the logging buffered command in global configuration mode. To cancel the use of the buffer, use the no form of this command. The default form of this command returns the buffer size to the default size.

logging buffered [buffer-size | severity-level]

no logging buffered

default logging buffered

Syntax Description

buffer-size

(Optional) Size of the buffer from 4096 to 4,294,967,295 bytes. The default size varies by platform.

severity-level

(Optional) Limits the logging of messages to the buffer to a specified level. You can enter the level name or level number. See Table 40 for a list of the acceptable level name or level number keywords. The default logging level varies by platform, but is generally 7, meaning that messages at all levels (0-7) are logged to the buffer.


Defaults

Varies by platform. For most platforms, logging to the buffer is disabled by default. When enabled, the default logging level is 7 (debugging).

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.

11.1(17)T

The level argument was added.


Usage Guidelines

This command copies logging messages to an internal buffer. The buffer is circular in nature, so newer messages overwrite older messages after the buffer is filled.

Specifying a level causes messages at that level and numerically lower levels to be logged in an internal buffer. See Table 40 for a list of level arguments.

Do not make the buffer size too large because the router could run out of memory for other tasks. You can use the show memory EXEC command to view the free processor memory on the router; however, this is the maximum available and should not be approached. The default logging buffered command resets the buffer size to the default for the platform.

To display the messages that are logged in the buffer, use the show logging command. The first message displayed is the oldest message in the buffer.

The show logging command displays the addresses and levels associated with the current logging setup, and any other logging statistics.

Table 40 Error Message Logging Priorities and Corresponding Level Names/Numbers 

Level Name
Level Number
Description
Syslog Definition

emergencies

0

System unusable

LOG_EMERG

alerts

1

Immediate action needed

LOG_ALERT

critical

2

Critical conditions

LOG_CRIT

errors

3

Error conditions

LOG_ERR

warnings

4

Warning conditions

LOG_WARNING

notifications

5

Normal but significant condition

LOG_NOTICE

informational

6

Informational messages only

LOG_INFO

debugging

7

Debugging messages

LOG_DEBUG


Examples

In the following example, the user enables standard system logging to the local syslog buffer:

Router(config)# logging buffered

Related Commands

Command
Description

clear logging

Clears messages from the logging buffer.

logging buffered xml

Enables system message logging (syslog) and sends XML-formatted logging messages to the XML-specific system buffer.

show logging

Displays the state of logging (syslog).


logging buffered filtered

To enable Embedded Syslog Manager (ESM) filtered system message logging to the standard syslog buffer, use the logging buffered filtered command in global configuration mode. To disable all logging to the buffer and return the size of the buffer to the default, use the no form of this command.

logging buffered filtered [severity-level]

no logging buffered filtered

Syntax Description

severity-level

(Optional) Limits messages sent to the buffer to those messages at or numerically lower than the specified value. For example, if level 1 is specified, only messages at level 1 (alerts) or level 0 (emergencies) will be sent to the specified target. Severity levels are specified as a number or a keyword:

{0 | emergencies}—System is unusable

{1 | alerts}—Immediate action needed

{2 | critical}—Critical conditions

{3 | errors}—Error conditions

{4 | warnings}—Warning conditions

{5 | notifications}—Normal but significant conditions

{6 | informational}—Informational messages

{7 | debugging}—Debugging messages


Defaults

Logging to the buffer is enabled.

ESM filtering of system logging messages sent to the buffer is disabled.

The default severity level varies by platform but is generally level 7 ("debugging"), meaning that messages at all severity levels (0 through 7) are logged.

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)T

This command was introduced.

12.3(2)XE

This command was integrated into Cisco IOS Release 12.3(2)XE.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Usage Guidelines

If standard logging has been disabled on your system (using the no logging on command), standard logging must be reenabled using the logging on command before using the logging buffered filtered command.

Standard logging is enabled by default, but filtering by the ESM is disabled by default.

ESM uses syslog filter modules, which are Tcl script files stored locally or on a remote device. The syslog filter modules must be configured using the logging filter command before filtered output can be sent to the buffer.

When ESM filtering is enabled, all messages sent to the buffer have the configured syslog filter modules applied. To return to standard logging to the buffer, use the plain form of the logging buffered command (without the filtered keyword). To disabled all logging to the buffer, use the no logging buffered command, with or without the filtered keyword.

The buffer is circular, so newer messages overwrite older messages as the buffer is filled. To change the size of the buffer, use the logging buffered buffer-size command, then issue the logging buffered filtered command to start (or restart) filtered logging.

To display the messages that are logged in the buffer, use the show logging command in EXEC mode. The first message displayed is the oldest message in the buffer.

Examples

In the following example, the user enables ESM filtered logging to the buffer:

Router(config)# logging filter tftp://209.165.200.225/ESM/escalate.tcl 
Router(config)# logging filter slot0:/email.tcl user@example.com 
Router(config)# logging buffer filtered

Related Commands

Command
Description

clear logging

Clears all messages from the system message logging (syslog) buffer.

logging buffered

Enables standard system message logging (syslog) to a local buffer and sets the severity level and buffer size for the logging buffer.

logging filter

Specifies the name and location of a syslog filter module to be applied to generated system logging messages.

logging on

Globally controls (enables or disables) system message logging.

show logging

Displays the state of system message logging, followed by the contents of the logging buffer.


logging buffered xml

To enable system message logging (syslog) and send XML-formatted logging messages to the XML-specific system buffer, use the logging buffered xml command in global configuration mode. To disable the XML syslog buffer and return the size of the buffer to the default, use the no form of this command.

logging buffered xml [xml-buffer-size]

no logging buffered xml

Syntax Description

xml-buffer-size

(Optional) Size of the buffer, from 4,096 to 4,294,967,295 bytes (4 kilobytes to 2 gigabytes). The default size varies by platform. This value is ignored if entered as part of the no form of this command.


Defaults

XML formatting of system logging messages is disabled.

The default XML syslog buffer size is the same size as the standard syslog buffer.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

Standard logging is enabled by default, but XML-formatted system message logging is disabled by default. If standard logging has been disabled on your system (using the no logging on command), standard logging must be reenabled using the logging on command before using the logging buffered xml command.

The logging buffered xml command copies logging messages to an internal XML buffer. The XML syslog buffer is separate from the standard syslog buffer (created using the logging buffered command).

The buffer is circular, so newer messages overwrite older messages as the buffer is filled.

The severity level for logged messages is determined by the setting of the logging buffered command. If the logging buffered command has not been used, the default severity level for that command is used. The default severity level varies by platform, but is generally level 7 ("debugging"), meaning that messages at all severity levels (0 through 7) are logged. For more information on severity levels, see the documentation of the logging buffered command.

Do not make the buffer size too large because the router could run out of memory for other tasks. You can use the show memory EXEC command to view the free processor memory on the router; however, this value is the maximum available and should not be approached.

To return the size of the XML logging buffer to the default, enter the logging buffered xml command again without a buffer size value.

To display the messages that are logged in the buffer, use the show logging xml command in EXEC mode. The first message displayed is the oldest message in the buffer.

Examples

In the following example, the user enables logging to the XML syslog buffer and sets the XML syslog buffer size to 14 kilobytes:

Router(config)# logging buffered xml 14336 

Related Commands

Command
Description

clear logging xml

Clears all messages from the XML-specific system message logging (syslog) buffer.

logging buffered

Enables standard system message logging (syslog) to a local buffer and sets the severity level and buffer size for the logging buffer.

logging on

Globally controls (enables or disables) system message logging.

show logging xml

Displays the state of XML-formatted system message logging, followed by the contents of the XML-specific buffer.


logging cns-events

To enable XML-formatted system event message logging to be sent trough the CNS Event Bus, use the logging cns-events command in global configuration mode. To disable the ability to send system logging event messages through the CNS Event Bus, use the no form of this command.

logging cns-events [severity-level]

no logging cns-events

Syntax Description

severity-level

The number or name of the desired severity level at which messages should be logged. Messages at or numerically lower than the specified level are logged. Severity levels are as follows (enter the number or the keyword):

{0 | emergencies}— System is unusable

{1 | alerts}—Immediate action needed

{2 | critical}—Critical conditions

{3 | errors}—Error conditions

{4 | warnings}—Warning conditions

{5 | notifications}—Normal but significant conditions

{6 | informational}—Informational messages

{7 | debugging}— Debugging messages


Defaults

Level 7: debugging

Command Modes

Global configuration

Command History

Release
Modification

12.2(2)T

This command was introduced.


Usage Guidelines

Before you configure this command you must enable the CNS event agent with the cns event command because the CNS event agent sends out the CNS event logging messages. The generation of many CNS event logging messages can negatively impact the publishing time of standard CNS event messages that must be sent to the network.

If the debug cns event command is active when the logging cns-events command is configured, the logging of CNS events is disabled.

Examples

In the following example, the user enables XML-formatted CNS system error message logging to the CNS Event Bus for messages at levels 0 through 4:

Router(config)# logging cns-events 4

Related Commands

Command
Description

cns event

Configures CNS event gateway, which provides CNS event services to Cisco IOS clients.

debug cns event

Displays CNS event agent debugging messages.


logging console

To send system logging (syslog) messages to all available TTY lines and limit messages based on severity, use the logging console command in global configuration mode. To disable logging to the console terminal, use the no form of this command.

logging console [severity-level]

no logging console [severity-level]

Syntax Description

severity-level

Limits the logging of messages displayed on the console terminal to the specified level and (numerically) lower levels. You can enter the level number or level name. See Table 41 for a list of the level arguments.


Defaults

In general, the default is to log messages from level 0 (emergencies) to level 7 (debugging). However, the default level varies by platform.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The console keyword indicates all available TTY lines. This can mean a console terminal attached to the router's TTY line, a dial-up modem connection, or a printer.

Specifying a level causes messages at that level and numerically lower levels to be sent to the console (TTY lines). See Table 41 for a list of the level arguments.

The show logging EXEC command displays the addresses and levels associated with the current logging setup, and any other logging statistics.

Table 41 Error Message Logging Priorities and Corresponding Level Names/Numbers 

Level Arguments
Level
Description
Syslog Definition

emergencies

0

System unusable

LOG_EMERG

alerts

1

Immediate action needed

LOG_ALERT

critical

2

Critical conditions

LOG_CRIT

errors

3

Error conditions

LOG_ERR

warnings

4

Warning conditions

LOG_WARNING

notifications

5

Normal but significant condition

LOG_NOTICE

informational

6

Informational messages only

LOG_INFO

debugging

7

Debugging messages

LOG_DEBUG



Note The effect of the log keyword with the IP access list (extended) interface configuration command depends on the setting of the logging console command. The log keyword takes effect only if the logging console level is set to 6 or 7. If you change the default to a level lower than 6 and specify the log keyword with the IP access list (extended) command, no information is logged or displayed.


Examples

In the following example, the user changes the level of messages sent to the console terminal (TTY lines) to alerts, which means messages at levels 0 and 1 are sent:

Router(config)# logging console alerts 

Related Commands

Command
Description

access-list (extended)

Defines an extended XNS access list.

logging facility

Configures the syslog facility in which error messages are sent.


logging console filtered

To enable Embedded Syslog Monitor (ESM) filtered system message logging to the console connections, use the logging console filtered command in global configuration mode. To disable all logging to the console connections, use the no form of this command.

logging console filtered [severity-level]

no logging console [filtered] [severity-level]

Syntax Description

severity-level

(Optional) The number or name of the desired severity level at which messages should be logged. Messages at or numerically lower than the specified level are logged. Severity levels are as follows (enter the number or the keyword):

{0 | emergencies}—System is unusable

{1 | alerts}—Immediate action needed

{2 | critical}—Critical conditions

{3 | errors}—Error conditions

{4 | warnings}—Warning conditions

{5 | notifications}—Normal but significant conditions

{6 | informational}—Informational messages

{7 | debugging}—Debugging messages


Defaults

Logging to the console is enabled.

ESM filtering of system logging messages sent to the console is disabled.

The default severity level varies by platform, but is generally level 7 (messages at levels 0 through 7 are logged).

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)T

This command was introduced.

12.3(2)XE

This command was integrated into Cisco IOS Release 12.3(2)XE.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Usage Guidelines

If standard logging has been disabled on your system (using the no logging on command), standard logging must be reenabled using the logging on command before using the logging console filtered command.

Standard logging is enabled by default, but filtering by the ESM is disabled by default.

ESM uses syslog filter modules, which are Tcl script files stored locally or on a remote device. The syslog filter modules must be configured using the logging filter command before system logging messages can be filtered.

When ESM filtering is enabled, all messages sent to the console have the configured syslog filter modules applied. To disable filtered logging to the console and return to standard logging, use the standard logging console command (without the filtered keyword). To disable all logging to the console, use the no logging console command, with or without the filtered keyword.

Examples

In the following example, the user enables ESM filtered logging to the console for severity levels 0 through 3:

Router(config)# logging filter tftp://209.165.200.225/ESM/escalate.tcl 
Router(config)# logging filter slot0:/email.tcl user@example.com 
Router(config)# logging console filtered 3 

Related Commands

Command
Description

logging console

Enables standard system message logging (syslog) to all console (CTY) connections and sets the severity level.

logging filter

Specifies the name and location of a syslog filter module to be applied to generated system logging messages.

logging on

Globally controls (enables or disables) system message logging.

show logging

Displays the state of system message logging, followed by the contents of the logging buffer.


logging console xml

To enable XML-formatted system message logging to the console connections, use the logging console xml command in global configuration mode. To disable all logging to the console connections, use the no form of this command.

logging console xml [severity-level]

no logging console xml

Syntax Description

severity-level

(Optional) The number or name of the desired severity level at which messages should be logged. Messages at or numerically lower than the specified level are logged. Severity levels are as follows (enter the number or the keyword):

{0 | emergencies}— System is unusable

{1 | alerts}—Immediate action needed

{2 | critical}—Critical conditions

{3 | errors}—Error conditions

{4 | warnings}—Warning conditions

{5 | notifications}—Normal but significant conditions

{6 | informational}—Informational messages

{7 | debugging}— Debugging messages


Defaults

Logging to the console is enabled.
XML-formatted logging to the console is disabled.
The default severity level varies by platform, but is generally level 7 (messages at levels 0 through 7 are logged).

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

To return system logging messages to standard text (without XML formatting), issue the standard logging console command (without the xml keyword extension).

Examples

In the following example, the user enables XML-formatted system message logging to the console for messages at levels 0 through 4:

Router(config)# logging console xml 4

Related Commands

Command
Description

show logging xml

Displays the state of XML-formatted system message logging, followed by the contents of the XML syslog buffer.


logging count

To enable the error log count capability, use the logging count command in global configuration mode. To disable the error log count capability, use the no form of this command.

logging count

no logging count

Syntax Description

This command has no arguments or keywords.

Defaults

This command is disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(8)T

This command was introduced.


Usage Guidelines

The logging count command counts every syslog message and time-stamps the occurrence of each message.

Examples

In the following example, syslog messages are logged to the system buffer and the logging count capability is enabled:

Router(config)# logging buffered notifications
Router(config)# logging count
Router(config)# end
Router# show logging count

Facility       Message Name                     Sev Occur   Last Time
                        
=============================================================================
SYS            BOOTTIME                          6    1     00:00:12
SYS            RESTART                           5    1     00:00:11
SYS            CONFIG_I                          5    3     1d00h
-------------  -------------------------------  -----------------------------
SYS TOTAL                                              5

LINEPROTO      UPDOWN                             5   13 00:00:19
-------------  -------------------------------  -----------------------------
LINEPROTO TOTAL                                       13

LINK           UPDOWN                             3    1 00:00:18
LINK           CHANGED                            5   12 00:00:09
-------------  -------------------------------  -----------------------------
LINK TOTAL                                            13

SNMP           COLDSTART                          5    1 00:00:11
-------------  -------------------------------  -----------------------------
SNMP TOTAL 

Related Commands

Command
Description

show logging

Displays the state of system logging (syslog).


logging enable (config-archive-log)

To enable the logging of configuration changes, use the logging enable command in configuration change logger configuration mode. To disable the logging of configuration changes, use the no form of this command.

logging enable

no logging enable

Syntax Description

This command has no arguments or keywords.

Defaults

Configuration change logging is disabled.

Command Modes

Configuration change logger configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Usage Guidelines

Disabling the configuration log results in all configuration log records being purged.

Examples

The following example shows how to enable configuration logging:

Router(config)# archive

Router(config-archive)# log config

Router(config-archive-log-config)# logging enable


The following example shows how to clear the configuration log by disabling and then reenabling the configuration log:

Router(config)# archive

Router(config-archive)# log config

Router(config-archive-log-config)# no logging enable

Router(config-archive-log-config)# logging enable

Related Commands

Command
Description

archive

Enters archive configuration mode.

hidekeys

Suppresses the display of password information in configuration log files.

log config

Enters configuration change logger configuration mode.

logging size

Specifies the maximum number of entries retained in the configuration log.

notify syslog

Enables the sending of notifications of configuration changes to a remote syslog.

show archive log config

Displays entries from the configuration log.


logging facility

To configure the syslog facility in which error messages are sent, use the logging facility command in global configuration mode. To revert to the default of local7, use the no form of this command.

logging facility facility-type

no logging facility

Syntax Description

facility-type

Syslog facility. See the "Usage Guidelines" section of this command reference entry for descriptions of acceptable keywords.


Defaults

local7

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Table 42 describes the acceptable keywords for the facility-type argument.

Table 42 logging facility facility-type Argument 

Facility-type keyword
Description

auth

Authorization system

cron

Cron facility

daemon

System daemon

kern

Kernel

local0-7

Reserved for locally defined messages

lpr

Line printer system

mail

Mail system

news

USENET news

sys9

System use

sys10

System use

sys11

System use

sys12

System use

sys13

System use

sys14

System use

syslog

System log

user

User process

uucp

UNIX-to-UNIX copy system


Examples

In the following example, the user configures the syslog facility to the kernel facility type:

logging facility kern

Related Commands

Command
Description

logging console

Limits messages logged to the console based on severity.


logging filter

To specify a syslog filter module to be used by the Embedded Syslog Manager (ESM), use the logging filter command in global configuration mode. To remove a module from the filter chain, use the no form of this command.

logging filter filter-url [position] [args filter-arguments]

no logging filter filter-url [position]

Syntax Description

filter-url

Specifies the location of the syslog filter module (script file), using the standard Cisco IOS File System URL syntax.

The location can be a local memory location, such as flash: or slot0:, or a remote file server system, such as tftp:, ftp:, or rcp:.

The filter-url should include the name of the syslog filter module; for example, "email.tcl" or "email.txt".

position

(Optional) An integer that specifies the order in which the syslog filter modules should be executed. The valid value for this argument is N + 1, where N is the current number of configured filters.

If this argument is omitted, the specified module will be positioned as the last module in the chain (the Nth+1 position).

args filter-arguments

(Optional) Any arguments you wish to pass to the ESM file chain can be added using this syntax. The ESM filter modules will determine what arguments you should use.


Defaults

No ESM filters are applied to system logging messages.

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)T

This command was introduced.

12.3(2)XE

This command was integrated into Cisco IOS Release 12.3(2)XE.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Usage Guidelines

Use this command to enable the Embedded Syslog Manager by specifying the filter that should be applied to logging messages generated by the system. Repeat this command for each syslog filter module that should be used.

Syslog filter modules are Tcl script files. These files can be stored as plain text files (.txt) or as precompiled Tcl scripts (.tcl). When positioning (ordering) the modules, keep in mind that the output of each filter module is used as input for the next filter module in the chain.

By default, syslog filter modules are executed in the order in which they appear in the system configuration file. The position argument can be used to order the filter modules manually. Filter modules can also be reordered at any time by reentering the logging filter command and specifying a different position for a given filter module.

The optional args filter-arguments syntax can be added to pass arguments to the specified filter. Multiple arguments can be specified. The number and type of arguments should be defined in the syslog filter module. For example, if the syslog filter module is designed to accept a specific email address as an argument, you could pass the email address using the args user@host.com syntax. Multiple arguments are typically delimited by spaces.

To remove a module from the list of modules to be executed, use the no form of this command. Modules not referenced in the configuration will not be executed, regardless of their "position" number.

Examples

In the following example, the user enables ESM filtered logging to the console for severity levels 0 through 3:

Router(config)# logging filter tftp://209.165.200.225/ESM/escalate.tcl
Router(config)# logging filter slot0:/email.tcl user@example.com 
Router(config)# logging filter slot0:/email_guts.tcl 
Router(config)# logging console filtered 3 

Related Commands

Command
Description

logging buffer filtered

Enables ESM filtered system message logging to the system logging buffer.

logging console filtered

Enables ESM filtered system message logging to all console connections.

logging host

Enables system message logging to a remote host (syslog collector).

logging monitor filtered

Enables ESM filtered system message logging to all monitor (TTY) connections.

show logging

Displays the status of system message logging, followed by the contents of the logging buffer.


logging history

To limit syslog messages sent to the router's history table and to an SNMP network management station based on severity, use the logging history command in global configuration mode. To return the logging of syslog messages to the default level, use the no form of this command with the previously configured severity level argument.

logging history [severity-level-name | severity-level-number]

no logging history [severity-level-name | severity-level-number]

Syntax Description

severity-level-name

Name of the severity level. Specifies the lowest severity level for system error message logging. See the "Usage Guidelines" section of this command for available keywords.

severity-level-number

Number of the severity level. Specifies the lowest severity level for system error message logging. See the "Usage Guidelines" section of this command for available keywords.


Defaults

Logging of error messages of severity levels 0 through 4 (emergency, alert, critical, error, and warning levels); in other words, "saving level warnings or higher."

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

The sending of syslog messages to an SNMP network management station (NMS) occurs when you enable syslog traps with the snmp-server enable traps syslog global configuration mode command.

Because SNMP traps are potentially unreliable, at least one syslog message, the most recent message, is stored in a history table on the router. The history table, which contains table size, message status, and message text data, can be viewed using the show logging history command. The number of messages stored in the table is governed by the logging history size global configuration mode command.

Severity levels are numbered 0 through 7, with 0 being the highest severity level and 7 being the lowest severity level (that is, the lower the number, the more critical the message). Specifying a level causes messages at that severity level and numerically lower levels to be stored in the router's history table and sent to the SNMP network management station. For example, specifying the level critical causes messages as the critical (3), alert (2), and emergency (1) levels to be saved to the logging history table.

Table 43 provides a description of logging severity levels, listed from highest severity to lowest severity, and the arguments used in the logging history command syntax. Note that you can use the level name or the level number as the level argument in this command.

Table 43 Syslog Error Message Severity Levels 

Severity Level Name
Severity Level Number
Description
Syslog Definition

emergencies

0

System unusable

LOG_EMERG

alerts

1

Immediate action needed

LOG_ALERT

critical

2

Critical conditions

LOG_CRIT

errors

3

Error conditions

LOG_ERR

warnings

4

Warning conditions

LOG_WARNING

notifications

5

Normal but significant condition

LOG_NOTICE

informational

6

Informational messages only

LOG_INFO

debugging

7

Debugging messages

LOG_DEBUG


Examples

In the following example, the system is initially configured to the default of saving severity level 4 or higher. The logging history 1 command is used to configure the system to save only level 1 (alert) and level 0 (emergency) messages to the logging history table, and, by extension, to send only these levels in the SNMP notifications. The configuration is then confirmed using the show logging history command.

Router# show logging history 

Syslog History Table:10 maximum table entries,
! The following line shows that system-error-message-logging is set to the
! default level of "warnings" (4).
saving level warnings or higher
 23 messages ignored, 0 dropped, 0 recursion drops                                                  
 1 table entries flushed
 SNMP notifications not enabled
   entry number 2 : LINK-3-UPDOWN
    Interface FastEthernet0, changed state to up                                                
    timestamp: 2766 
Router# configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z. 
Router(config)# logging history 1 
Router(config)# snmp-server enable traps syslog 
Router(config)# end 
Router#
4w0d: %SYS-5-CONFIG_I: Configured from console by console
Router# show logging history 
Syslog History Table:1 maximum table entries,
! The following line indicates that `logging history level 1' (alerts) is configured.
saving level alerts or higher
 18 messages ignored, 0 dropped, 0 recursion drops
 1 table entries flushed
 SNMP notifications enabled, 0 notifications sent
   entry number 2 : LINK-3-UPDOWN
    Interface FastEthernet0, changed state to up
    timestamp: 2766
Router#

Related Commands

Command
Description

logging history size

Sets the maximum number of syslog messages that can be stored in the router's syslog history table.

logging on

Controls (enables or disables) the logging of error messages.

show logging

Displays the state of system logging (syslog) and contents of the local logging buffer.

show logging history

Displays information about the system logging history table.

snmp-server enable traps syslog

Controls (enables or disables) the sending of SYSLOG MIB notifications.

snmp-server host

Specifies the recipient of an SNMP notification operation.


logging history size

To change the number of syslog messages stored in the router's history table, use the logging history size command in global configuration mode. To return the number of messages to the default value, use the no form of this command.

logging history size number

no logging history size

Syntax Description

number

Number from 1 to 500 that indicates the maximum number of messages stored in the history table. The default is one message.


Defaults

One message

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

When the history table is full (that is, it contains the maximum number of message entries specified with the logging history size command), the oldest message entry is deleted from the table to allow the new message entry to be stored.

Examples

In the following example, the user sets the number of messages stored in the history table to 20:

logging history size 20

Related Commands

Command
Description

logging history

Limits syslog messages sent to the router's history table and the SNMP network management station based on severity.

show logging

Displays the state of logging (syslog).


logging host

To log system messages and debug output to a remote host, use the logging host command in global configuration mode. To remove a specified logging host from the configuration, use the no form of this command.

logging host {ip-address | hostname} [xml | filtered [stream stream-id]]

no logging host {ip-address | hostname} [xml | filtered [stream stream-id]]

Syntax Description

ip-address

IP address of the host that will receive the system logging messages.

hostname

Name of the host that will receive the system logging messages.

xml

(Optional) Specifies that the logging output should be tagged using the Cisco defined XML tags.

filtered

(Optional) Specifies that logging messages sent to this host should first be filtered by the ESM syslog filter modules specified in the logging filter commands.

stream stream-id

(Optional) Specifies that only ESM filtered messages with the stream identification number specified in the stream-id argument should be sent to this host. (The stream-id number is applied to messages by syslog filter modules.)


Defaults

System logging messages are not sent to any remote host.
If this command is entered without the xml or filtered keywords, messages are sent in the standard format.

Command Modes

Global configuration

Command History

Release
Modification

10.0

The logging command was introduced.

12.0(14)S, 12.0(14)ST, 12.2(15)T

The logging host command replaced the logging command.

12.2(15)T

The xml keyword was added.

12.3(2)T

The filtered [stream stream-id] syntax was added as part of the Embedded Syslog Manager feature.

12.3(2)XE

This command was integrated into Cisco IOS Release 12.3(2)XE.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Usage Guidelines

Standard system message logging (syslog) is enabled by default. If logging has been disabled on your system (using the no logging on command), logging must be reenabled using the logging on command before using the logging host command.

The logging host command identifies a remote host (usually a device serving as a syslog server) to receive logging messages. By issuing this command more than once, you can build a list of hosts that receive logging messages.

To specify the severity level for logging to all hosts, use the logging trap command.

If XML-formatted syslog is enabled using the logging host {ip-address | hostname} xml command, messages will be sent to the specified host with the system defined XML tags. These tags are predefined and are not user-configurable. XML-formatting will not be applied to debugging output.

If you are using the Embedded Syslog Manager (ESM) feature, you can enable ESM filtered syslog messages to be sent to one or more hosts using the logging host {ip-address | hostname} filtered command. To use the ESM feature, you must first specify the syslog filter modules that should be applied to the messages using the logging filter command. See the description of the logging filter command for more information on the ESM feature.

To configure standard logging to a specific host after configuring XML-formatted or ESM filtered logging to that host, use the standard form of this command (logging host {ip-address | hostname}) without the xml or filtered keywords. In other words, a standard logging host command will replace an XML or ESM filtered logging host command, and vice versa, if the same host is specified.


Note Any no logging host command (with or without the optional keywords) will disable all logging to the specified host.


You can configure the system to send standard messages to one or more hosts, XML-formatted messages to one or more hosts, and ESM filtered messages to one or more hosts by repeating this command as many times as desired with the appropriate syntax. (See the "Examples" section.)

Examples

In the following example, messages at severity levels 0 (emergencies) through 5 (notifications) are logged to a host at 209.165.202.169:

Router(config)# logging host 209.165.202.169 
Router(config)# logging trap 5 

In the following example, standard system logging messages are sent to the host at 209.165.200.225, XML-formatted system logging messages are sent to the host at 209.165.200.226, ESM filtered logging messages with the stream 10 value are sent to the host at 209.165.200.227, and ESM filtered logging messages with the stream 20 value are sent to host at 209.165.202.129:

Router(config)# logging host 209.165.200.225 
Router(config)# logging host 209.165.200.226 xml 
Router(config)# logging host 209.165.200.227 filtered stream 10 
Router(config)# logging host 209.165.202.129 filtered stream 20 

Related Commands

Command
Description

logging on

Globally controls (enables or disables) system message logging.

logging trap

Limits messages sent to the syslog servers based on severity level.

show logging

Displays the state of system message logging, followed by the contents of the standard syslog buffer.

show logging xml

Displays the state of XML-formatted system message logging, followed by the contents of the XML syslog buffer.


logging linecard

To log messages to an internal buffer on a line card, use the logging linecard command in global configuration mode. To cancel the use of the internal buffer on the line cards, use the no form of this command.

logging linecard [size | level]

no logging linecard

Syntax Description

size

(Optional) Size of the buffer used for each line card. The range is from 4096 to 65,536 bytes. The default is 8 KB.

level

(Optional) Limits the logging of messages displayed on the console terminal to a specified level. The message level can be one of the following:

alerts—Immediate action needed

critical—Critical conditions

debugging—Debugging messages

emergencies—System is unusable

errors—Error conditions

informational—Informational messages

notifications—Normal but significant conditions

warnings—Warning conditions


Defaults

The Cisco IOS software logs messages to the internal buffer on the GRP card.

Command Modes

Global configuration

Command History

Release
Modification

11.2 GS

This command was added to support the Cisco 12000 series Gigabit Switch Routers.


Usage Guidelines

Specifying a message level causes messages at that level and numerically lower levels to be stored in the internal buffer on the line cards.

Table 44 lists the message levels and associated numerical level. For example, if you specify a message level of critical, all critical, alert, and emergency messages will be logged.

Table 44 Message Levels 

Level Keyword
Level

emergencies

0

alerts

1

critical

2

errors

3

warnings

4

notifications

5

informational

6

debugging

7


To display the messages that are logged in the buffer, use the show logging slot EXEC command. The first message displayed is the oldest message in the buffer.

Do not make the buffer size too large because the router could run out of memory for other tasks. You can use the show memory EXEC command to view the free processor memory on the router; however, this is the maximum available and should not be approached.

Examples

The following example enables logging to an internal buffer on the line cards using the default buffer size and logging warning, error, critical, alert, and emergency messages:

Router(config)# logging linecard warnings 

Related Commands

Command
Description

clear logging

Clears messages from the logging buffer.

show logging

Displays the state of logging (syslog).


logging monitor

To enable system message logging to the terminal lines (monitor connections) and limit these messages based on severity, use the logging monitor command in global configuration mode. To disable logging to terminal lines other than the console line, use the no form of this command.

logging monitor severity-level

no logging monitor

Syntax Description

severity-level

(Optional) The number or name of the desired severity level at which messages should be logged. Messages at or numerically lower than the specified level are logged. Severity levels are as follows (enter the number or the keyword):

{0 | emergencies}— System is unusable

{1 | alerts}—Immediate action needed

{2 | critical}—Critical conditions

{3 | errors}—Error conditions

{4 | warnings}—Warning conditions

{5 | notifications}—Normal but significant conditions

{6 | informational}—Informational messages

{7 | debugging}— Debugging messages


Defaults

debugging (severity-level 7)

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

Specifying a severity-level causes messages only at that level and numerically lower levels to be displayed to the monitor (terminal lines).

Examples

In the following example, the user specifies that only messages of the levels errors, critical, alerts, and emergencies be logged to monitor connections:

Router(config)# logging monitor 3

Related Commands

Command
Description

logging monitor filtered

Enables ESM filtered system message logging to monitor connections.

logging monitor xml

Applies XML formatting to messages logged to the monitor connections.

terminal monitor

Displays debug command output and system error messages for the current terminal and session.


logging monitor filtered

To enable Embedded Syslog Manager (ESM) filtered system message logging to monitor connections, use the logging monitor filtered command in global configuration mode. To disable all logging to the monitor connections, use the no form of this command.

logging monitor filtered [severity-level]

no logging monitor filtered

Syntax Description

severity-level

(Optional) The number or name of the desired severity level at which messages should be logged. Messages at or numerically lower than the specified level are logged. Severity levels are as follows (enter the number or the keyword):

{0 | emergencies}—System is unusable

{1 | alerts}—Immediate action needed

{2 | critical}—Critical conditions

{3 | errors}—Error conditions

{4 | warnings}—Warning conditions

{5 | notifications}—Normal but significant conditions

{6 | informational}—Informational messages

{7 | debugging}—Debugging messages


Defaults

Logging to monitor connections is enabled.
ESM filtering of system logging messages sent to the monitor connections is disabled.
The default severity level varies by platform, but is generally level 7 (messages at levels 0 through 7 are logged).

Command Modes

Global configuration

Command History

Release
Modification

12.3(2)T

This command was introduced.

12.3(2)XE

This command was integrated into Cisco IOS Release 12.3(2)XE.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Usage Guidelines

The monitor keyword specifies the TTY (TeleTYpe) line connections at all line ports. TTY lines (also called ports) communicate with peripheral devices such as terminals, modems, and serial printers. An example of a TTY connection is a PC with a terminal emulation program connected to the device using a dial-up modem, or a Telnet connection.

Standard logging is enabled by default, but filtering by the Embedded Syslog Manager (ESM) is disabled by default. If standard logging has been disabled on your system (using the no logging on command), standard logging must be reenabled using the logging on command before using the logging monitor filtered command.

ESM uses syslog filter modules, which are Tcl script files stored locally or on a remote device. The syslog filter modules must be configured using the logging filter command before system logging messages can be filtered.

When ESM filtering is enabled, all messages sent to the monitor have the configured syslog filter modules applied. To disable filtered logging to the monitor and return to standard logging, issue the standard logging monitor command (without the filtered keyword). To disable all logging to the monitor connections, use the no logging monitor command, with or without the filtered keyword.

Examples

In the following example, the user enables ESM filtered logging to the monitor connections:

Router(config)# logging filter tftp://209.165.200.225/ESM/escalate.tcl 
Router(config)# logging filter slot0:/email.tcl user@example.com 
Router(config)# logging monitor filtered 

Related Commands

Command
Description

logging monitor

Enables standard system message logging to all monitor (TTY) connections.

show logging xml

Displays the state of XML-formatted system message logging, followed by the contents of the XML syslog buffer.


logging monitor xml

To enable XML-formatted system message logging to monitor connections, use the logging console xml command in global configuration mode. To disable all logging to the monitor connections, use the no form of this command.

logging monitor xml [severity-level]

no logging monitor xml

Syntax Description

severity-level

(Optional) The number or name of the desired severity level at which messages should be logged. Messages at or numerically lower than the specified level are logged. Severity levels are as follows (enter the number or the keyword):

{0 | emergencies}— System is unusable

{1 | alerts}—Immediate action needed

{2 | critical}—Critical conditions

{3 | errors}—Error conditions

{4 | warnings}—Warning conditions

{5 | notifications}—Normal but significant conditions

{6 | informational}—Informational messages

{7 | debugging}— Debugging messages


Defaults

Logging to monitor connections is enabled.
XML-formatted logging to monitor connections is disabled.
The default severity level varies by platform, but is generally level 7 (messages at levels 0 through 7 are logged).

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.


Usage Guidelines

The monitor keyword specifies the tty line connections at all line ports. The tty lines (also called ports) communicate with peripheral devices such as terminals, modems, and serial printers. An example of a tty connection is a PC with a terminal emulation program connected to the device using a dial-up modem, or a Telnet connection.

To return system logging messages to standard text (without XML formatting), issue the standard logging monitor command (without the xml keyword extension).

Examples

In the following example, the user enables XML-formatted system message logging to the console for messages at levels 0 through 4 and XML-formatted system message logging to tty line connections at the default severity level:

Router(config)# logging console xml 4 
Router(config)# logging monitor xml 

Related Commands

Command
Description

logging monitor

Enables system message logging in standard (plain text) format to all monitor (TTY) connections.

show logging xml

Displays the state of XML-formatted system message logging, followed by the contents of the XML syslog buffer.


logging on

To enable logging of system messages, use the logging on command in global configuration mode. This command sends debug or error messages to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages. To disable the logging process, use the no form of this command.

logging on

no logging on

Syntax Description

This command has no arguments or keywords.

Defaults

The Cisco IOS software sends messages to the asynchronous logging process.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

The logging process controls the distribution of logging messages to the various destinations, such as the logging buffer, terminal lines, or syslog server. System logging messages are also known as system error messages. You can turn logging on and off for these destinations individually using the logging buffered, logging monitor, and logging global configuration commands. However, if the logging on command is disabled, no messages will be sent to these destinations. Only the console will receive messages.

Additionally, the logging process logs messages to the console and the various destinations after the processes that generated them have completed. When the logging process is disabled, messages are displayed on the console as soon as they are produced, often appearing in the middle of command output.


Caution Disabling the logging on command may substantially slow down the router. Any process generating debug or error messages will wait until the messages have been displayed on the console before continuing.

The logging synchronous line configuration command also affects the displaying of messages to the console. When the logging synchronous command is enabled, messages will appear only after the user types a carriage return.

Examples

The following example shows command output and message output when logging is enabled. The ping process finishes before any of the logging information is printed to the console (or any other destination).

Router(config)# logging on
Router(config)# end
Router#
%SYS-5-CONFIG_I: Configured from console by console 
Router# ping dirt

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
Router#
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1

In the following example, logging is disabled. The message output is displayed as messages are generated, causing the debug messages to be interspersed with the message "Type escape sequence to abort."

Router(config)# no logging on
Router(config)# end

%SYS-5-CONFIG_I: Configured from console by console
Router#
Router# ping dirt

IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingTyp
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1e
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending esc
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingape 
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingse
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingquen
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1ce to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/152/156 ms
Router#

Related Commands

Command
Description

logging host

Logs messages to a syslog server host.

logging buffered

Logs messages to an internal buffer.

logging console

Logs messages to console connections.

logging monitor

Limits messages logged to the terminal lines (monitors) based on severity.

logging synchronous

Synchronizes unsolicited messages and debug output with solicited Cisco IOS software output and prompts for a specific console port line, auxiliary port line, or vty.


logging origin-id

To add an origin identifier to system logging messages sent to remote hosts, use the logging origin-id command in global configuration mode. To disable the origin identifier, use the no form of this command.

logging origin-id {hostname | ip | string user-defined-id}

no logging origin-id {hostname | ip | string user-defined-id}

Syntax Description

hostname

Specifies that the hostname will be used as the message origin identifier.

ip

Specifies that the IP address of the sending interface will be used as the message origin identifier.

string user-defined-id

Allows you to enter your own identifying description. The user-defined-id argument is a string you specify.

You can enter a string with no spaces or use delimiting quotation marks to enclose a string with spaces.


Defaults

Disabled.

Command Modes

Global configuration

Command History

Release
Modification

12.2(15)T

This command was introduced.

12.3(1)

The string user-defined-id syntax was added.

12.3(2)XE

This command was integrated into Cisco IOS Release 12.3(2)XE.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Usage Guidelines

The origin identifier is added to the beginning of all system logging (syslog) messages sent to remote hosts. The identifier can be the hostname, the IP address, or any text that you specify. The origin identifier is not added to messages sent to local destinations (the console, monitor, or buffer).

The origin identifier is useful for identifying the source of system logging messages in cases where you send syslog output from multiple devices to a single syslog host.

When specifying your own identification string using the logging origin-id string user-defined-id command, the system expects a string without spaces. For example:

Router(config)# logging origin-id string Cisco_Systems 
 

To uses spaces (multiple words) or additional syntax, enclose the string with quotes. For example:

Router(config)# logging origin-id string "Cisco Systems, Inc." 
 

Examples

In the following example, the origin identifier "Domain 1, router B" will be added to the beginning of all system logging messages sent to remote hosts:

Router(config)# logging origin-id string "Domain 1, router B" 

In the following example, all logging message sent to remote hosts will have the IP address configured for the Serial 1 interface added to the beginning of the message:

Router(config)# logging host 209.165.200.225 
Router(config)# logging trap 5 
Router(config)# logging source-interface serial 1 
Router(config)# logging origin-id ip 

Related Commands

Command
Description

logging host

Enables system message logging to a remote host.

logging source-interface

Forces logging messages to be sent from a specified interface, instead of any available interface.

logging trap

Configures the severity level at or numerically below which logging messages should be sent to a remote host.


logging rate-limit

To limit the rate of messages logged per second, use the logging rate-limit command in global configuration mode. To disable the limit, use the no form of this command.

logging rate-limit {number | all number | console {number | all number}} [except severity]

no logging rate-limit

Syntax Description

number

Maximum number of messages logged per second. The valid values are from 1 to 10000.

all

Sets the rate limit for all error and debug messages displayed at the console and printer.

console

Sets the rate limit for error and debug messages displayed at the console.

except

(Optional) Excludes messages of this severity level or lower.

Severity decreases as the number increases. So, severity level 1 is a more serious problem than severity level 3.

severity

(Optional) Sets the logging severity level. The valid levels are from 0 to 7.


Command Default

The default for this command is 10 messages logged per second and exclusion of messages of the errors level or lower.

Command Modes

Global configuration

Command History

Release
Modification

12.1(3)T

This command was introduced.

12.2

This command was integrated in Cisco IOS Release 12.2.

12.3

This command was integrated in Cisco IOS Release 12.3.

12.3T

This command was integrated in Cisco IOS Release 12.3T.

12.4

This command was integrated in Cisco IOS Release 12.4.

12.4T

This command was integrated in Cisco IOS Release 12.4T.


Usage Guidelines

The logging rate-limit command controls the output of messages from the system. Use this command if you want to avoid a flood of output messages. You can select the severity of the output messages and output rate by using the logging rate-limit command. You can use the logging rate-limit command anytime; it will not negatively impact the performance of your system and may improve the system performance by specifying the severities and rates of output messages.

You can use this command with or without the logging synchronous line configuration command. For example, if you want to see all severity 0, 1, and 2 messages, use the no logging synchronous command and specify logging rate-limit 10 except 2. By using the two commands together, you cause all messages of 0, 1, and 2 severity to print and limit the less severe ones (lower than 2) to only 10 per second.

Table 45 compares the error message logging numeric severity level with its equivalent word description.

Table 45 Error Message Logging Severity Level and Equivalent Word Descriptions

Numeric Severity Level
Equivalent Word
Description

0

emergencies

System unusable

1

alerts

Immediate action needed

2

critical

Critical conditions

3

errors

Error conditions

4

warnings

Warning conditions

5

notifications

Normal but significant condition

6

informational

Informational messages only

7

debugging

Debugging messages


Examples

In the following example, the logging rate-limit configuration mode command limits message output to 200 per second:

Router(config)# logging rate-limit 200

Related Commands

Command
Description

logging synchronous

Synchronizes unsolicited messages and debug output with solicited Cisco IOS software output and prompts for a specific console port line, auxiliary port line, or vty.


logging size (config-archive-log)

To specify the maximum number of entries retained in the configuration log, use the logging size command in configuration change logger configuration mode. To reset the default value, use the no form of this command.

logging size entries

no logging size

Syntax Description

entries

The maximum number of entries retained in the configuration log. Valid values range from 1 to 1000. The default value is 100 entries.


Defaults

100 entries

Command Modes

Configuration change logger configuration

Command History

Release
Modification

12.3(4)T

This command was introduced.

12.2(25)S

This command was integrated into Cisco IOS Release 12.2(25)S.


Usage Guidelines

When the configuration log is full, the oldest log entry will be removed every time a new entry is added.


Note If a new log size is specified that is smaller than the current log size, the oldest entries will be immediately purged until the new log size is satisfied, regardless of the age of the log entries.


Examples

The following example shows how to specify that the configuration log may have a maximum of 200 entries:

Router(config-archive-log-config)# logging size 200


The following example shows how to clear the configuration log by reducing the log size to 1, then resetting the log size to the desired value. Only the most recent configuration log file will be saved.

Router(config)# archive

Router(config-archive)# log config

Router(config-archive-log-config)# logging size 1

Router(config-archive-log-config)# logging size 200

Related Commands

Command
Description

archive

Enters archive configuration mode.

hidekeys

Suppresses the display of password information in configuration log files.

log config

Enters configuration change logger configuration mode.

logging enable

Enables the logging of configuration changes.

notify syslog

Enables the sending of notifications of configuration changes to a remote syslog.

show archive log config

Displays entries from the configuration log.


logging source-interface

To specify the source IP address of syslog packets, use the logging source-interface command in global configuration mode. To remove the source designation, use the no form of this command.

logging source-interface interface-type interface-number

no logging source-interface

Syntax Description

interface-type

Interface type.

interface-number

Interface number.


Defaults

No interface is specified.

Command Modes

Global configuration

Command History

Release
Modification

11.2

This command was introduced.


Usage Guidelines

Normally, a syslog message contains the IP address of the interface it uses to leave the router. The logging source-interface command specifies that syslog packets contain the IP address of a particular interface, regardless of which interface the packet uses to exit the router.

Examples

In the following example, the user specifies that the IP address for Ethernet interface 0 is the source IP address for all syslog messages:

Router(config)# logging source-interface ethernet 0 

The following example specifies that the IP address for Ethernet interface 2/1 on a Cisco 7000 series router is the source IP address for all syslog messages:

Router(config)# logging source-interface ethernet 2/1 

Related Commands

Command
Description

logging

Logs messages to a syslog server host.


logging synchronous

To synchronize unsolicited messages and debug output with solicited Cisco IOS software output and prompts for a specific console port line, auxiliary port line, or vty, use the logging synchronous command in line configuration mode. To disable synchronization of unsolicited messages and debug output, use the no form of this command.

logging synchronous [level severity-level | all] [limit number-of-lines]

no logging synchronous [level severity-level | all] [limit number-of-lines]

Syntax Description

level severity-level

(Optional) Specifies the message severity level. Messages with a severity level equal to or higher than this value are printed asynchronously. Low numbers indicate greater severity and high numbers indicate lesser severity. The default value is 2.

all

(Optional) Specifies that all messages are printed asynchronously, regardless of the severity level.

limit number-of-lines

(Optional) Specifies the number of buffer lines to be queued for the terminal, after which new messages are dropped. The default value is 20.


Defaults

This command is disabled.
If you do not specify a severity level, the default value of 2 is assumed.
If you do not specify the maximum number of buffers to be queued, the default value of 20 is assumed.

Command Modes

Line configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

When synchronous logging of unsolicited messages and debug output is turned on, unsolicited Cisco IOS software output is displayed on the console or printed after solicited Cisco IOS software output is displayed or printed. This keeps unsolicited messages and debug output from being interspersed with solicited software output and prompts.


Tip This command is useful for keeping system messages from interrupting your typing. By default, messages will appear immediately when they are processed by the system, and the CLI cursor will appear at the end of the displayed message. For example, the line "Configured by console from console" may be printed to the screen, interrupting whatever command you are currently typing. The logging synchronous command allows you to avoid these potentially annoying interruptions without have to turn off logging to the console entirely.


When this command is enabled, unsolicited messages and debug output are displayed on a separate line than user input. After the unsolicited messages are displayed, the CLI returns to the user prompt.


Note This command is also useful for allowing you to continue typing when debugging is enabled.


When specifying a severity level number, consider that for the logging system, low numbers indicate greater severity and high numbers indicate lesser severity.

When a message queue limit of a terminal line is reached, new messages are dropped from the line, although these messages might be displayed on other lines. If messages are dropped, the notice "%SYS-3-MSGLOST number-of-messages due to overflow" follows any messages that are displayed. This notice is displayed only on the terminal that lost the messages. It is not sent to any other lines, any logging servers, or the logging buffer.


Caution By configuring abnormally large message queue limits and setting the terminal to "terminal monitor" on a terminal that is accessible to intruders, you expose yourself to "denial of service" attacks. An intruder could carry out the attack by putting the terminal in synchronous output mode, making a Telnet connection to a remote host, and leaving the connection idle. This could cause large numbers of messages to be generated and queued, and these messages could consume all available RAM. You should guard against this type of attack through proper configuration.

Examples

In the following example, a system message appears in the middle of typing the show running-config command:

Router(config-line)# end
Router# show ru
2w1d: %SYS-5-CONFIG_I: Configured from console by consolenning-config
 .
 .
 .

The user then enables synchronous logging for the current line (indicated by the * symbol in the show line command), after which the system displays the system message on a separate line, and returns the user to the prompt to allow the user to finish typing the command on a single line:

Router# show line 
   Tty Typ     Tx/Rx    A Modem  Roty AccO AccI   Uses   Noise  Overruns   Int
*    0 CTY              -    -      -    -    -      0       3     0/0       -
 .
 .
 .
Router# configure terminal 
Enter configuration commands, one per line.  End with CNTL/Z.
Router(config)# line 0 
Router(config-line)# logging syn<tab> 
Router(config-line)# logging synchronous 
Router(config-line)# end 
Router# show ru 
2w1d: %SYS-5-CONFIG_I: Configured from console by console
Router# show running-config

In the following example, synchronous logging for line 4 is enabled with a severity level of 6. Then synchronous logging for line 2 is enabled with a severity level of 7 and is specified with a maximum number of buffer lines of 1,000.

Router(config)# line 4 
Router(config-line)# logging synchronous level 6 
Router(config-line)# exit 
Router(config)# line 2 
Router(config-line)# logging synchronous level 7 limit 1000 
Router(config-line)# end 
Router# 

Related Commands

Command
Description

line

Identifies a specific line for configuration and starts the line configuration command collection mode.

logging on

Controls logging of error messages and sends debug or error messages to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages.


logging trap

To limit messages logged to the syslog servers based on severity, use the logging trap command in global configuration mode. To return the logging to remote hosts to the default level, use the no form of this command.

logging trap level

no logging trap

Syntax Description

severity-level

(Optional) The number or name of the desired severity level at which messages should be logged. Messages at or numerically lower than the specified level are logged. Severity levels are as follows (enter the number or the keyword):

{0 | emergencies}— System is unusable

{1 | alerts}—Immediate action needed

{2 | critical}—Critical conditions

{3 | errors}—Error conditions

{4 | warnings}—Warning conditions

{5 | notifications}—Normal but significant conditions

{6 | informational}—Informational messages

{7 | debugging}— Debugging messages


Defaults

Syslog messages at level 0 to level 6 are generated, but will only be sent to a remote host if the logging host command is configured.

Command Modes

Global configuration

Command History

Release
Modification

10.0

This command was introduced.


Usage Guidelines

A trap is an unsolicited message sent to a remote network management host. Logging traps should not be confused with SNMP traps (SNMP logging traps require the use of the CISCO -SYSLOG-MIB, are enabled using the snmp-server enable traps syslog command, and are sent using the Simple Network Management Protocol.)

The show logging EXEC command displays the addresses and levels associated with the current logging setup. The status of logging to remote hosts appears in the command output as "trap logging".

Table 46 lists the syslog definitions that correspond to the debugging message levels. Additionally, four categories of messages are generated by the software, as follows:

Error messages about software or hardware malfunctions at the LOG_ERR level.

Output for the debug commands at the LOG_WARNING level.

Interface up/down transitions and system restarts at the LOG_NOTICE level.

Reload requests and low process stacks at the LOG_INFO level.

Use the logging host and logging trap commands to send messages to a remote syslog server.

Table 46 logging trap Error Message Logging Priorities 

Level Arguments
Level
Description
Syslog Definition

emergencies

0

System unusable

LOG_EMERG

alerts

1

Immediate action needed

LOG_ALERT

critical

2

Critical conditions

LOG_CRIT

errors

3

Error conditions

LOG_ERR

warnings

4

Warning conditions

LOG_WARNING

notifications

5

Normal but significant condition

LOG_NOTICE

informational

6

Informational messages only

LOG_INFO

debugging

7

Debugging messages

LOG_DEBUG


Examples

In the following example, system messages of levels 0 (emergencies) through 5 (notifications) are sent to the host at 209.165.200.225:

Router(config)# logging host 209.165.200.225 
Router(config)# logging trap notifications 
Router(config)# end 
Router# show logging 
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited,
                0 flushes, 0 overruns, xml disabled, filtering disabled)
    Console logging: level emergencies, 0 messages logged, xml disabled,
                     filtering disabled
    Monitor logging: level debugging, 0 messages logged, xml disabled,
                     filtering disabled
    Buffer logging: level debugging, 67 messages logged, xml disabled,
                    filtering disabled
    Logging Exception size (4096 bytes)
    Count and timestamp logging messages: enabled
    Trap logging: level notifications, 71 message lines logged 

Log Buffer (4096 bytes):
00:00:20: %SYS-5-CONFIG_I: Configured from memory by console
 .
 .
 .

Related Commands

Command
Description

logging host

Enables remote logging of system logging messages and specifies the syslog server host that messages should be sent to.


logging userinfo

To enable logging user information use the logging userinfo command in global configuration mode. To cancel the logging of user information, use the no form of this command.

logging userinfo

no logging userinfo

Syntax Description

This command has no arguments or keywords.

Command Default

User information logging is disabled by default.

Command Modes

Global configuration mode

Command History

Release
Modification

12.0S

This command was introduced.

12.3T

This command was introduced.


Usage Guidelines

The logging userinfo global configuration command allows the logging of user information when the user invokes the enable privilege mode or when the user changes the privilege level. Information logged includes "username", "line" (i.e. Console, vty0, etc.) and "privileged level" (i.e. 0 - 15).


Note When a username is not available, "unknown" is displayed as the username.


Examples

The following example enables user information logging.


Router# configure terminal 
Router(config)# logging userinfo
Router(config)# exit


The following are 2 examples of user information logging.


Router> enable
Password: 
Router#
*Feb 26 17:11:15.398: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by cisco)
Router# disable 6
Router#
*Feb 26 17:12:28.922: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 6 by cisco)

Router# enable 15
Password: 
Router#
*Feb 26 17:15:48.022: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by cisco)
Router#

Related Commands

Command
Description

disable

Exits from privileged EXEC mode to user EXEC mode, or, if privilege levels are set, to the specified privilege level.

enable

Enables higher privilege level access, such as privileged EXEC mode.

privilege level (global)

Sets a privilege level for a command.

privilege level (line)

Sets a privilege level for a command for a specific line.


logout

To close an active terminal session by logging off the router, use the logout command in user EXEC mode.

logout

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

User EXEC

Command History

Release
Modification

10.0

This command was introduced.


Examples

In the following example, the exit (global) command is used to move from global configuration mode to privileged EXEC mode, the disable command is used to move from privileged EXEC mode to user EXEC mode, and the logout command is used to log off (exit from the active session):

Router(config)# exit
Router# disable
Router> logout 

logout-warning

To warn users of an impending forced timeout, use the logout-warning command in line configuration mode. To restore the default, use the no form of this command.

logout-warning [seconds]

logout-warning

Syntax Description

seconds

(Optional) Number of seconds that are counted down before session termination. If no number is specified, the default of 20 seconds is used.


Defaults

No warning is sent to the user.

Command Modes

Line configuration

Command History

Release
Modification

10.3

This command was introduced.


Usage Guidelines

This command notifies the user of an impending forced timeout (set using the absolute-timeout command).

Examples

In the following example, a logout warning is configured on line 5 with a countdown value of 30 seconds:

Router(config)# line 5 
Router(config-line)# logout-warning 30 

Related Commands

Command
Description

absolute-timeout

Sets the interval for closing user connections on a specific line or port.

session-timeout

Sets the interval for closing the connection when there is no input or output traffic.


lsr-path

To define a loose source routing (LSR) path for a Cisco IOS IP Service Level Agreements (SLAs) operation, use the lsr-path command in the appropriate submode of IP SLA monitor configuration or RTR configuration mode. To remove the definition, use the no form of this command.

lsr-path {hostname1 | ip-address1} [[hostname2 | ip-address2]...[hostname8 | ip-address8]]

no lsr-path

Syntax Description

hostname1 | ip-address1

Destination hostname or IP address of the first hop in the LSR path.

[hostname2 | ip-address2]...[hostname8 | ip-address8]

(Optional) You can continue specifying host destinations until you specify the final host target. Each hostname or IP address specified indicates another hop on the path. The maximum number of hops you can specify is eight.


Defaults

LSR path is disabled.

Command Modes

IP SLA Monitor Configuration

ICMP path echo configuration (config-sla-monitor-pathEcho)
ICMP path jitter configuration (config-sla-monitor-pathJitter)

RTR Configuration

ICMP path echo configuration (config-rtr-pathEcho)
ICMP path jitter configuration (config-rtr-pathJitter)


Note The configuration mode varies depending on the Cisco IOS release you are running and the operation type configured. See the "Usage Guidelines" section for more information.


Command History

Release
Modification

12.0(3)T

This command was introduced.


Usage Guidelines

The maximum number of hops available is eight when an LSR path is configured.


Note This command is supported by the IP SLAs Internet Control Message Protocol (ICMP) path echo and path jitter operations only.


IP SLAs Operation Configuration Dependence on Cisco IOS Release

The Cisco IOS command used to begin configuration for an IP SLAs operation varies depending on the Cisco IOS release you are running (see Table 47). You must configure the type of IP SLAs operation (such as User Datagram Protocol [UDP] jitter or Internet Control Message Protocol [ICMP] echo) before you can configure any of the other parameters of the operation.

The configuration mode for the lsr-path command varies depending on the Cisco IOS release you are running (see Table 47) and the operation type configured. For example, if you are running Cisco IOS Release 12.4 and the ICMP path echo operation type is configured, you would enter the lsr-path command in ICMP path echo configuration mode (config-sla-monitor-pathEcho) within IP SLA monitor configuration mode.

Table 47 Command Used to Begin Configuration of an IP SLAs Operation Based on Cisco IOS Release 

Cisco IOS Release
Global Configuration Command
Command Mode Entered

12.3(14)T and 12.4

ip sla monitor

IP SLA monitor configuration

All other Cisco IOS releases

rtr

RTR configuration


Examples

In the following examples, the LSR path is defined for IP SLAs ICMP path echo operation 1. The target destination for the operation is at 172.16.1.176. The first hop on the LSR path is 172.18.4.149. The second hop on the LSR path is 172.18.16.155. Note that the Cisco IOS command used to begin configuration for an IP SLAs operation varies depending on the Cisco IOS release you are running (see Table 47).

IP SLA Monitor Configuration

ip sla monitor 1
 type pathEcho protocol ipIcmpEcho 172.16.1.176
 lsr-path 172.18.4.149 172.18.26.155
!
ip sla monitor schedule 1 life forever start-time now

RTR Configuration

rtr 1
 type pathEcho protocol ipIcmpEcho 172.16.1.176
 lsr-path 172.18.4.149 172.18.26.155
!
rtr schedule 1 life forever start-time now

Related Commands

Command
Description

ip sla monitor

Begins configuration for an IP SLAs operation and enters IP SLA monitor configuration mode.

rtr

Begins configuration for an IP SLAs operation and enters RTR configuration mode.