System Management Commands

This chapter describes the commands used to manage the communication server system and its performance on the network.

For system management configuration tasks and examples, refer to the chapter entitled "Managing the System" in the Access and Communication Servers Configuration Guide.

aaa accounting

To enable AAA accounting of requested services for billing or security purposes when using TACACS+, use the aaa accounting global configuration command. Use the no form of this command to disable accounting.

aaa accounting {system | network | connection | exec | command level} {start-stop | wait-start | stop-only} tacacs+
no aaa accounting {system | network | connection | exec | command level}

Syntax Description

system

Accounting is performed for all system-level events not associated with users, such as reloads.

network

Accounting is run for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.

connection

Accounting is run for outbound Telnet and rlogin.

exec

Accounting is run for Execs (user shells). This may return user profile information such as autocommand information.

command

Accounting is run for all commands at the specified privilege level.

level

The command level that should be accounted. Valid entries are 0-15.

start-stop

A start record accounting notice is sent at the beginning of a process and a stop record is sent at the end of a process. The start accounting record is sent in the background. The requested user process begins regardless of whether or not the start accounting record was received by the accounting server.

wait-start

As in start-stop, both a start and a stop accounting record are sent to the accounting server. However, if you use the wait-start keyword, the requested user service will not begin until the start accounting record is acknowledged. A stop accounting record will also be sent.

stop-only

A stop record accounting notice is sent at the end of the requested user process.

Default

AAA accounting is not enabled.

Command Mode

Global configuration

Usage Guideline

The aaa accounting command allows you to set start/stop accounting for any or all of the listed functions in the Syntax Description for this command. For minimal accounting control, issue the stop-only command, which sends a stop record accounting notice at the end of the requested user process. For additional accounting control, you can issue the start-stop command, where TACACS+ sends a start accounting notice at the beginning of the requested process and a stop accounting notice at the end of the process. You can further control access and accounting by issuing the wait-start command, which ensures that the start notice is received by the TACACS+ server before granting the user's process request. Accounting is only done to the TACACS+ server.


Note This command, along with aaa authorization, replaces the tacacs-server authenticate command in previous versions of TACACS, and can only be used with AAA/TACACS+.

Examples

In the following example, accounting is set for outbound Telnet and rlogin, and both a start and stop accounting notice is sent to the TACACS+ server:

aaa accounting connection start-stop tacacs+
 

In the following example, accounting is set for privilege level 15 commands, with a wait-start restriction:

aaa accounting command 15 wait-start tacacs+
Related Commands

aaa new-model
aaa authorization

aaa authentication arap

To enable an AAA authentication method for ARA users while using TACACS+, use the aaa authentication arap command. Use the no form of the command to disable this authentication.

aaa authentication arap {default | list-name} method1 [...[method4]]
no aaa authentication arap {default | list-name} method1 [...[method4]]

Syntax Description

default

Makes the listed methods that follow this argument the default list of methods used when a user logs in.

list-name

A character string used to name the following list of authentication methods tried when a user logs in.

method

One of the methods described in Table 5-1.

Default

If the default list is not set, only the local user database is checked. This has the same effect as issuing the following command:

aaa authentication arap default local
Command Mode

Global configuration

Usage Guideline

The list names and default that you set using the aaa authentication arap command are used with the arap authentication command. These lists can contain up to four authentication methods that will be used when a user tries to log in with ARA.

Create a list by entering the aaa authentication arap list-name method command, where list-name is any character string used to name this list, such as MIS-access. The method keyword refers to the list of methods the authentication algorithm will try, in the given sequence. You can enter up to four methods, which are described in Table 5-1.

To create a default list that will be used if no list is specified in the arap authentication command, use the default keyword followed by the methods you wish to be used in default situations.

The additional methods of authentication will only be used if the previous method returns an error, not if it fails.

Use the write terminal command to view lists of authentication methods.


Table 5-1: AAA Authentication ARAP Method Descriptions
Method Description

if-needed

Will not authenticate if the user has already been authenticated on a TTY line.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

tacacs+

Uses TACACS+ authentication.


Note This command cannot be used with TACACS or XTACACS.

Examples

The following example creates a list called MIS-access, which first tries TACACS+ authentication and then none:

aaa authentication arap MIS-access tacacs+ none
 

The following example creates the same list, but sets it as the default list, which will be used for all arap authentications if no other list is specified:

aaa authentication arap default tacacs+ none

Related Commands

A dagger (†) indicates that the command is documented in another chapter.

aaa authentication local-override
aaa new-model
arap authentication†

aaa authentication enable default

To enable AAA authentication to determine if a user can access the privileged command level with TACACS+, use the aaa authentication enable default command. Use the no form of the command to disable this authorization method.

aaa authentication enable default method1 [...[method4]]
no aaa authentication enable default method1 [...[method4]]

Syntax Description

method

At least one and up to four of the methods described in Table 5-2.

Default

If the default list is not set, the action will be to check only the enable password. This has the same effect as issuing the following command:

aaa authentication enable default enable
 

On the console, the enable password is used if it exists. If no password is set, the process will succeed anyway.

Command Mode

Global configuration

Usage Guideline

Use the aaa authentication enable default command to create a series of authentication methods that are used to determine if a user can access privileged command level. You can specify up to four authentication methods. Method keywords are described in Table 5-2. The additional methods of authentication will only be used if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

If a default authentication routine is not set for a function, the default is none—no authentication is performed. Use the write terminal command to view currently configured lists of authentication methods.


Table 5-2: AAA Authentication Enable Default Method Descriptions
Method Description

enable

Uses the enable password for authentication.

line

Uses the line password for authentication.

none

Uses no authentication.

tacacs+

Uses TACACS+ authentication.


Note This command cannot be used with TACACS or XTACACS.

Example

The following example creates an authentication list that will first try to contact a TACACS+ server. If no server can be found, then AAA will try to use the enable password. If this also returns an error (because no enable password is configured on the server), the user will be allowed access with no authentication.

aaa authentication enable default tacacs+ enable none
Related Commands

A dagger (†) indicates that the command is documented in another chapter.

aaa authentication local-override
aaa new-model
aaa authorization
enable password

aaa authentication login

To set AAA authentication at login when using TACACS+, use the aaa authentication login global configuration command. Use the no form of the command to disable AAA authentication.

aaa authentication login {default | list-name} method1 [...[method4]]
no aaa authentication login {default | list-name} method1 [...[method4]]

Syntax Description

default

Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.

list-name

A character string used to name the following list of authentication methods tried when a user logs in.

method

At least one and up to four of the methods described in Table 5-3.

Default

If the default list is not set, only the local user database is checked. This has the same effect as issuing the following command:

aaa authentication login default local
 

Note On the console, login will succeed without any authentication checks if default is not set.

Command Mode

Global configuration

Usage Guideline

The default and optional list names that you create with the aaa authentication login command are used with the login authentication command.

Create a list by entering the aaa authentication list-name method command, where list-name is any character string used to name this list, such as MIS-access. The method keyword refers to the list of methods the authentication algorithm tries, in the given sequence. Method keywords are described in Table 5-3.

To create a default list that is used if no list is assigned to a line with the login authentication command, use the default argument followed by the methods you want in default situations.

The additional methods of authentication are only used if the previous method returns an error, not if it fails. To specify that the authentication should succeed even if all methods return an error, specify none as the final method in the command line.

If authentication is not specifically set for a line, the default is to deny access—no authentication is performed. Use the write terminal command to view currently configured lists of authentication methods.


Table 5-3: AAA Authentication Login Method Descriptions
Method Description

enable

Uses the enable password for authentication.

line

Uses the line password for authentication.

local

Uses the local username database for authentication.

none

Uses no authentication.

tacacs+

Uses TACACS+ authentication.


Note This command cannot be used with TACACS or XTACACS.

Example

The following example creates an AAA authentication list called MIS-access. This authentication will first try to contact a TACACS+ server. If no server is found, TACACS+ will return an error and AAA will try to use the enable password. If this also returns an error (because no enable password is configured on the server), the user is allowed access with no authentication.

aaa authentication login MIS-access tacacs+ enable none

 

The following example creates the same list, but sets it as the default list that will be used for all login authentications if no other list is specified:

aaa authentication login default tacacs+ enable none

Related Commands

A dagger (†) indicates that the command is documented in another chapter.

aaa authentication local-override
aaa new-model
login authentication†

aaa authentication local-override

To have the communication server check the local user database for authentication before attempting another form of authentication, use the aaa authentication local-override command. Use the no form of the command to disable the override.

aaa authentication local-override
no aaa authentication local-override


Syntax Description

This command has no arguments or keywords.

Default

Override is disabled.

Command Mode

Global configuration

Usage Guideline

This command is useful when you want to configure an override to the normal authentication process for certain personnel such as system administrators.

When this override is set, the user is always prompted for the username. The system then checks to see if the entered username corresponds to a local account. If the username does not correspond to one in the local database, login proceeds with the methods configured using other aaa commands (such as aaa authentication login). Note that when using this command, the first prompt is fixed as Username:

Example

The following example enables aaa authentication override:

aaa authentication local-override
Related Commands

aaa authentication arap
aaa authentication enable default
aaa authentication login
aaa new-model
aaa authentication ppp

aaa authentication ppp

To specify one or more AAA authentication methods for use on serial interfaces running PPP when using TACACS+, use the aaa authentication ppp command. Use the no form of the command to disable authentication.

aaa authentication ppp {default | list-name} method1 [...[method4]]
no aaa authentication ppp {default | list-name} method1 [...[method4]]

Syntax Description

default

Makes the listed authentication methods that follow this argument the default list of methods used when a user logs in.

list-name

A character string used to name the following list of authentication methods tried when a user logs in.

method

At least one and up to four of the methods described in Table 5-4.

Default

If the default list is not set, the action will be to check only the local user database. This has the same effect as issuing the following command:

aaa authentication ppp default local
Command Mode

Global configuration

Usage Guideline

The lists that you create using the aaa authentication ppp command are used with the ppp authentication command. These lists contain up to four authentication methods that will be used when a user tries to log in to the serial interface.

Create a list by entering the aaa authentication ppp list-name method command, where list-name is any character string used to name this list, such as MIS-access. The method keyword refers to the list of methods the authentication algorithm tries, in the given sequence. You can enter up to four methods. Method keywords are described in Table 5-4.

The additional methods of authentication are only used if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authentication succeed even if all methods return an error.

If authentication is not specifically set for a function, the default is none—no authentication is performed. Use the write terminal command to view lists of authentication methods.


Table 5-4: AAA Authentication PPP Method Descriptions
Method Description

if-needed

Does not authenticate if user has already been authenticated on a TTY line.

local

Uses the local username database for authentication.

none

Uses no authentication.

tacacs+

Uses TACACS+ authentication.


Note This command cannot be used with TACACS or XTACACS.

Example

The following example creates an AAA authentication list called MIS-access for serial lines that use PPP. This authentication first tries to contact a TACACS+ server. If this returns an error, the user is allowed access with no authentication.

aaa authentication ppp MIS-access tacacs+ none
Related Commands

A dagger (†) indicates that the command is documented in another chapter.

aaa authentication local-override
aaa new-model
ppp authentication†

aaa authorization

To set parameters that restrict a user's network access based on TACACS+ authorization, use the aaa authorization command. To disable authorization for a function, use the no form of the command.

aaa authorization {network | connection | exec | command level} methods
no aaa authorization {network | connection | exec | command level}

Syntax Description

network

Authorization is run for all network-related service requests, including SLIP, PPP, PPP NCPs, and ARAP.

connection

Authorization is run for outbound Telnet and rlogin.

exec

Authorization is run to determine if the user is allowed to run an Exec shell. This may return user profile information such as autocommand information.

command

Authorization is run for all commands at the specified privilege level.

level

Specific command level that should be authorized. Valid entries are 0-15.

Default

Authorization is disabled for all actions (equivalent to the keyword none).

Command Mode

Global configuration

Usage Guideline

Use the aaa authorization command to create a list of one and up to four authorization methods that can be used when a user accesses the specified function. Table 5-5 lists the different authorization methods.

The additional methods of authorization are only used if the previous method returns an error, not if it fails. Specify none as the final method in the command line to have authorization succeed even if all methods return an error.


Table 5-5: AAA Authorization Keyword Descriptions
Keyword Description

methods

  • tacacs+—request authorization information from the TACACS+ server.

  • if-authenticated—allow the user to access the requested function if the user is authenticated.

  • none—no authorization is performed.

  • local—use the local database for authorization.

If authorization is not specifically set for a function, the default is none—no authorization is performed.


Note This command, along with aaa accounting, replaces the tacacs-server suite of commands in previous versions of TACACS.

Examples

The following example specifies that TACACS+-style authorization is used for all network-related requests. If this authorization method returns an error (if the TACACS+ server cannot be contacted), no authorization is performed, and the request is successful.

aaa authorization network tacacs+ none
 

The following example specifies that TACACS+-style authorization is run for level 15 commands. If this authorization method returns an error (if the TACACS+ server cannot be contacted), no authorization is performed, and the request succeeds.

aaa authorization command 15 tacacs+ none
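The error-versus-fail rule stated for the aaa authentication commands (arap, enable default, login, ppp) and for aaa authorization above is easy to misread, so here is an added Python model of it; this is not Cisco code and not part of this reference. The environment keys, the user name alice, and the modelled behaviour of if-needed and of local with an empty database are assumptions of the model.

```python
"""Model of the AAA method-list rule stated on this page.

Constructed example: each method returns PASS, FAIL or ERROR. The next
method in the list is consulted only when the previous one returned
ERROR (for instance, no TACACS+ server could be contacted); a FAIL ends
evaluation with access denied. A trailing 'none' therefore turns "every
earlier method errored" into access with no authentication at all.
"""
from typing import Callable, Dict, List, Tuple

PASS, FAIL, ERROR = "PASS", "FAIL", "ERROR"

# Stand-in for the communication server's state (constructed; the keys
# are assumptions of this model, not IOS configuration names).
Env = Dict[str, object]
Method = Callable[[Env, str, str], str]


def method_tacacs_plus(env: Env, user: str, pw: str) -> str:
    if not env.get("tacacs_reachable", False):
        return ERROR  # server cannot be contacted: error, so fall through
    users = env.get("tacacs_users", {})
    return PASS if users.get(user) == pw else FAIL


def method_enable(env: Env, user: str, pw: str) -> str:
    enable_pw = env.get("enable_password")
    if enable_pw is None:
        return ERROR  # no enable password configured: error
    return PASS if pw == enable_pw else FAIL


def method_line(env: Env, user: str, pw: str) -> str:
    line_pw = env.get("line_password")
    if line_pw is None:
        return ERROR  # no line password configured: error
    return PASS if pw == line_pw else FAIL


def method_local(env: Env, user: str, pw: str) -> str:
    users = env.get("local_users", {})
    if not users:
        return ERROR  # model assumption: an empty local database is an error
    return PASS if users.get(user) == pw else FAIL


def method_if_needed(env: Env, user: str, pw: str) -> str:
    # Model assumption: a user already authenticated on a TTY line passes;
    # otherwise this method decides nothing and the next one is consulted.
    return PASS if env.get("authenticated_on_tty", False) else ERROR


def method_none(env: Env, user: str, pw: str) -> str:
    return PASS  # 'none' never fails: anything reaching it is let in


METHODS: Dict[str, Method] = {
    "tacacs+": method_tacacs_plus,
    "enable": method_enable,
    "line": method_line,
    "local": method_local,
    "if-needed": method_if_needed,
    "none": method_none,
}


def parse_authentication_command(line: str) -> Tuple[str, str, List[str]]:
    """Parse 'aaa authentication <function> {default | list-name} method1 [...[method4]]'."""
    words = line.split()
    if len(words) < 5 or words[:2] != ["aaa", "authentication"]:
        raise ValueError("expected: aaa authentication <function> <list> method1 [...]")
    function, list_name, methods = words[2], words[3], words[4:]
    if len(methods) > 4:
        raise ValueError("a method list holds at most four methods")
    unknown = [m for m in methods if m not in METHODS]
    if unknown:
        raise ValueError(f"unknown method keyword(s): {unknown}")
    return function, list_name, methods


def evaluate(methods: List[str], env: Env, user: str, pw: str) -> Tuple[bool, List[Tuple[str, str]]]:
    """Walk the list as the page describes; return (access granted, trace of results)."""
    trace: List[Tuple[str, str]] = []
    for name in methods:
        result = METHODS[name](env, user, pw)
        trace.append((name, result))
        if result == PASS:
            return True, trace
        if result == FAIL:
            return False, trace  # a failure does NOT fall through to the next method
        # ERROR: consult the next method, if any
    return False, trace  # every method errored and the list did not end in 'none'


if __name__ == "__main__":
    _, name, methods = parse_authentication_command(
        "aaa authentication login MIS-access tacacs+ enable none")
    server_down = {"tacacs_reachable": False}  # and no enable password set
    server_up = {"tacacs_reachable": True,
                 "tacacs_users": {"alice": "s3cret"},
                 "enable_password": "en-pw"}
    for label, env, pw in (("server down", server_down, "anything"),
                           ("server up, bad password", server_up, "wrong")):
        granted, trace = evaluate(methods, env, "alice", pw)
        print(f"{name} / {label}: granted={granted} via {trace}")
```

With the TACACS+ server unreachable and no enable password, the page's MIS-access list grants access through none; with the server reachable, a wrong password fails at tacacs+ and the later methods are never consulted.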
Related Commands

aaa accounting
aaa new-model

aaa new-model

To enable the new AAA access control model that includes TACACS+, issue the aaa new-model global configuration command. Use the no form of the command to disable this functionality.

aaa new-model
no aaa new-model


Syntax Description

This command has no arguments or keywords.

Default

AAA/TACACS+ is not enabled.

Command Mode

Global configuration

Usage Guideline

This command enables the new AAA access control system and TACACS+. If you initialize this functionality and later decide to use TACACS or XTACACS, issue the no version of this command and then enable the version of TACACS you want to use.

Example

The following example initializes AAA and TACACS+:

aaa new-model
Related Commands

aaa accounting
aaa authentication arap
aaa authentication enable default
aaa authentication local-override
aaa authentication login
aaa authentication ppp
aaa authorization

alias

To create a command alias, use the alias global configuration command. Use the no alias command to delete all aliases in a command mode or to delete a specific alias, and to revert to the original command syntax.

alias mode alias-name alias-command-line
no alias mode [alias-name]

Syntax Description

mode

Command mode of the original command and alias commands. See Table 5-6 for a list of options for this argument.

alias-name

Command alias.

alias-command-line

Original command syntax.

Defaults

Default aliases are in EXEC mode as follows:
Command Alias Original Command

h

help

lo

logout

p

ping

r

resume

s

show

w

where

Command Mode

Global configuration

Usage Guidelines

You can use simple words as aliases or abbreviations. The aliases in the Default section are predefined. They can be turned off using the no alias command.

Table 5-6 shows the acceptable options for the mode argument in the alias global configuration command.


Table 5-6: Mode Argument Options
Argument Options Mode

configuration

Global configuration

controller

Controller configuration

exec

EXEC

hub

Hub configuration

interface

Interface configuration

ipx-router

IPX router configuration

line

Line configuration

map-class

Map class configuration

map-list

Map list configuration

route-map

Route map configuration

router

Router configuration


See the summary of command modes in the user interface chapter in the Access and Communication Configuration Guide for more information about command modes.

When you use online help, command aliases are indicated by an asterisk (*), as follows:

cs#lo?

*lo=logout  lock  login  logout 
 

When you use online help, aliases that contain spaces (for example, "telnet device.cisco.com 25") are displayed as follows:

cs# configure terminal

Enter configuration commands, one per line.  End with CNTL/Z.
cs(config)# alias exec device-mail telnet device.cisco.com 25

cs(config)# end

cs#device-mail?

*device-mail="telnet device.cisco.com 25" 
 

When you use online help, the alias is expanded and replaced with the original command, as shown in the following example with the "td" alias:

cs(config)#alias exec td trace device

cs(config)#^Z

cs#t?

*td="trace device"  telnet  terminal  test  tn3270
trace               
 

To list only commands and omit aliases, begin your input line with a space. In the following example, the alias td is not shown, because there is a space before the t? command line.

cs# t?

telnet  terminal  test  tn3270  trace
 

As with commands, you can use online help to display the arguments and keywords that can follow a command alias. In the following example, the alias td is created to represent the command telnet device. The /debug and /line switches can be added to telnet device to modify the command:

cs(config)# alias exec td telnet device

cs(config)# ^Z

cs#td ?

      /debug     Enable telnet debugging mode
      /line      Enable telnet line mode
      ...
      whois      Whois port
      <cr>
 
cs# telnet device

You must enter the complete syntax for the alias command. Partial syntax for aliases is not accepted. In the following example, the parser does not recognize the command t as indicating the alias td.

bones# t

% Ambiguous command:  "t"
Example

In the following example, the alias fixmyrt is created for the EXEC-mode command clear ip route 198.92.116.16.

alias exec fixmyrt clear ip route 198.92.116.16
Related Command

show aliases

arap authentication

To enable TACACS+ authentication for ARA on a line, use the arap authentication command. Use the no form of the command to disable authentication for an ARA line.

arap authentication {default | list-name}
no arap authentication {default | list-name}

Syntax Description

default

Use the default list created with the aaa authentication arap command.

list-name

Use the indicated list created with the aaa authentication arap command.

Default

ARAP authentication uses the default set with aaa authentication arap command. If no default has been set, the local user database is checked.

Command Mode

Line configuration

Usage Guideline

This command is a per-line command, and specifies the name of a list of AAA authentication methods to try at login. If no list is specified, the default list will be used (whether or not it is specified in the command line). Defaults and lists are created by using the aaa authentication arap command. Entering the no version of arap authentication has the same effect as entering the command with the default argument.

Before issuing this command, create a list of authentication processes by using the aaa authentication arap global configuration command.

Caution If you use a list-name that was not configured with the aaa authentication arap command, ARAP will be disabled on this line.

Example

The following example specifies that the TACACS+ authentication list called MIS-access is used on ARA line 7:

line 7
arap authentication MIS-access
Related Command

aaa authentication arap

buffers

Use the buffers global configuration command to make adjustments to initial buffer pool settings and to the limits at which temporary buffers are created and destroyed. Use the no buffers command to return the buffers to their default size.

buffers {small | middle | big | large | huge | interface-type interface-number} {permanent | max-free | min-free | initial} number
no buffers {small | middle | big | large | huge | interface-type interface-number} {permanent | max-free | min-free | initial} number

Syntax Description

small

Small buffer size.

middle

Medium buffer size.

big

Big buffer size.

large

Large buffer size.

huge

Huge buffer size.

interface-type

Interface type of the interface buffer pool.

interface-number

Interface number of the interface buffer pool.

permanent

Number of permanent buffers that the system tries to allocate. Permanent buffers are normally not deallocated by the system.

max-free

Maximum number of free or unallocated buffers in a buffer pool.

min-free

Minimum number of free or unallocated buffers in a buffer pool.

initial

Number of additional temporary buffers that should be allocated when the system is reloaded. This can be used to ensure that the system has necessary buffers immediately after reloading in a high-traffic environment.

number

Number of buffers to be allocated.

Default

The default number of the buffers in a pool is determined by the hardware configuration and can be displayed with the EXEC show buffers command.

Command Mode

Global configuration

Usage Guidelines

It is normally not necessary to adjust these parameters; do so only after consulting with technical support personnel. Improper settings could adversely impact system performance.

Buffer pool allocation is a user tunable parameter. The buffer pool to tune depends on the type of encapsulation used by the interfaces. Correspondingly, the ring size changes with the size of the buffer required.

Examples

In the following example, the system will try to keep at least 50 small buffers free:

buffers small min-free 50
 

In the following example, the permanent buffer pool allocation for big buffers is increased to 200. On a Cisco 2509 1E2T box using HDLC encapsulation, there are four receive rings, each of 32 entries. The cache size is 32 buffers. The MTU for this sort of encapsulation is below 1524 bytes (the same as for Ethernet) which means that you must use buffers from the "big" pool. The basic number of "big" buffers required is (2 + 1) * 32 = 96. Adding a bit of "comfort" space, the following command can then be used:

buffers big permanent 100
 

The above example shows approximate figures.

In the following example, the initial and permanent interface buffer pools are set to 100:

buffers ethernet 0 initial 100
buffers ethernet 0 permanent 100
Related Commands

buffers huge size
show buffers

buffers huge size

Use the buffers huge size global configuration command to dynamically resize all huge buffers to the value you specify. Use the no buffers huge size command to restore the default buffer values.

buffers huge size number
no buffers huge size number

Syntax Description

number

Number of buffers to be allocated

Default

18024 buffers

Command Mode

Global configuration

Usage Guidelines

Use this command only after consulting with technical support personnel. The buffer size cannot be lowered below the default.

Example

In the following example, the system will resize huge buffers to 20000 bytes:

buffers huge size 20000
Related Commands

buffers
show buffers

cdp enable

To enable CDP on an interface, use the cdp enable interface configuration command. Use the no cdp enable command to disable CDP on an interface.

cdp enable
no cdp enable


Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

CDP is enabled by default at the global level, but it must be enabled on each interface in order to send or receive CDP information.

Example

In the following example, CDP is enabled on Ethernet interface 0:

interface ethernet 0
cdp enable
Related Command

cdp run

cdp holdtime

To specify the amount of time the receiving device should hold a CDP packet from your communication server before discarding it, use the cdp holdtime global configuration command. Use the no cdp holdtime command to revert to the default setting.

cdp holdtime seconds
no cdp holdtime

Syntax Description

seconds

Specifies the hold time to be sent in the CDP update packets.

Default

180 seconds

Command Mode

Global configuration

Usage Guidelines

CDP packets are sent with a nonzero time-to-live, or hold time, after an interface is enabled, and with a hold time of 0 immediately before an interface is idled down.

The CDP hold time must be set to a higher number of seconds than the time between CDP transmissions, which is set using the cdp timer command.

Example

In the following example, the CDP packets being sent from your device should be held by the receiving device for 60 seconds before being discarded. You might want to set the hold time lower than the default setting of 180 seconds if information about your device changes often and you want the receiving devices to purge this information more quickly.

cdp holdtime 60
Related Commands

cdp timer
show cdp

cdp run

To enable CDP on your communication server, use the cdp run global configuration command. Use the no cdp run command to disable CDP.

cdp run
no cdp run


Syntax Description

This command has no arguments or keywords.

Default

Enabled

Command Mode

Global configuration

Usage Guidelines

CDP is enabled globally on your communication server by default, which means the communication server can receive CDP information. However, CDP must also be enabled on each interface, using the cdp enable interface configuration command, before that interface sends or receives CDP packets.

Example

In the following example, CDP is disabled for the communication server.

no cdp run
Related Command

cdp enable

cdp timer

To specify how often your communication server will send CDP updates, use the cdp timer global configuration command. Use the no cdp timer command to revert to the default setting.

cdp timer seconds
no cdp timer

Syntax Description

seconds

Specifies how often your communication server will send CDP updates.

Default

60 seconds

Command Mode

Global configuration

Usage Guidelines

The trade-off with sending more frequent transmissions is providing up-to-date information versus using bandwidth more often.

Example

In the following example, CDP updates will be sent from your communication server every 80 seconds, less frequently than the default setting of 60 seconds. You might want to make this change if you are concerned about preserving bandwidth.

cdp timer 80
Related Commands

cdp holdtime
show cdp

clear cdp counters

To reset CDP traffic counters to zero (0) on your communication server, use the clear cdp counters privileged EXEC command.

clear cdp counters

Syntax Description

This command has no arguments or keywords.

Command Mode

Privileged EXEC

Example

In the following example, the CDP counters have been cleared. The show cdp traffic output shows that all of the traffic counters have been reset to zero (0).

cs# clear cdp counters

cs# show cdp traffic
CDP counters :
        Packets output: 0, Input: 0
        Hdr syntax: 0, Chksum error: 0, Encaps failed: 0
        No memory: 0, Invalid packet: 0, Fragmented: 0

Related Commands

show cdp traffic
clear cdp table

clear cdp table

To clear the table that contains CDP information about neighbors, use the clear cdp table privileged EXEC command.

clear cdp table

Syntax Description

This command has no arguments or keywords.

Command Mode

Privileged EXEC

Example

In the following example, the CDP table is cleared. The output of the show cdp neighbors command shows that all information has been deleted from the table.

cs# clear cdp table
CDP-AD: Deleted table entry for neon.cisco.com, interface Ethernet0
CDP-AD: Deleted table entry for neon.cisco.com, interface Serial0

cs# show cdp neighbors
Capability Codes: R - Router, T - Trans Bridge, B - Source Route Bridge
                  S - Switch, H - Host, I - IGMP
Device ID        Local Intrfce     Holdtme    Capability  Platform  Port ID

Related Commands

clear cdp counters
show cdp neighbors

clock set

To manually set the system clock, use the clock set EXEC command.

clock set hh:mm:ss day month year
clock set hh:mm:ss month day year

Syntax Description

hh:mm:ss

Current time in hours (military format), minutes, and seconds

day

Current day (by date) in the month

month

Current month (by name)

year

Current year (no abbreviation)

Command Mode

EXEC

Usage Guidelines

Generally, if the system is synchronized by a valid outside timing mechanism, such as an NTP clock source, you need not set the system clock. Use this command if no other time sources are available. The time specified in this command is relative to the configured time zone.

Example

In the following example, the system clock is manually set to 1:32 p.m. on July 23, 1993:

clock set 13:32:00 23 July 1993
Related Commands

calendar set
clock read-calendar
clock summer-time
clock timezone

clock summer-time

To configure the system to switch to summer time (daylight savings time) automatically, use one of the formats of the clock summer-time global configuration command. Use the no form of this command to configure the communication server not to automatically switch to summer time.

clock summer-time zone recurring [week day month hh:mm week day month hh:mm [offset]]
clock summer-time zone date date month year hh:mm date month year hh:mm [offset]
clock summer-time zone date month date year hh:mm month date year hh:mm [offset]
no clock summer-time

Syntax Description

zone

Name of the time zone (PDT, ...) to be displayed when summer time is in effect

week

Week of the month (1 to 5 or last)

day

Day of the week (Sunday, Monday, ...)

date

Date of the month (1 to 31)

month

Month (January, February, ...)

year

Year (1993 to 2035)

hh:mm

Time (military format) in hours and minutes

offset

(Optional) Number of minutes to add during summer time (default is 60)

Default

Summer time is disabled. If clock summer-time zone recurring is specified without parameters, the summer time rules default to United States rules. Default of offset is 60.

Command Mode

Global configuration

Usage Guidelines

Use this command if you want to automatically switch to summer time (for display purposes only). Use the recurring form of the command if the local summer time rules are of this form. Use the date form to specify a start and end date for summer time if you cannot use the first form.

In both forms of the command, the first part of the command specifies when summer time begins, and the second part specifies when it ends. All times are relative to the local time zone. The start time is relative to standard time. The end time is relative to summer time. If the starting month is after the ending month, the system assumes that you are in the Southern Hemisphere.

Examples

In the following example, summer time starts on the first Sunday in April at 02:00 and ends on the last Sunday in October at 02:00:

clock summer-time PDT recurring 1 Sunday April 2:00 last Sunday October 2:00

If you live in a place where summer time does not follow the pattern in the first example, you could set it to start on October 12, 1993 at 02:00, and end on April 28, 1994 at 02:00, with the following example:

clock summer-time date 12 October 1993 2:00 28 April 1994 2:00
Related Commands

calendar set
clock timezone

clock timezone

To set the time zone for display purposes, use the clock timezone global configuration command. To set the time to Coordinated Universal Time (UTC), use the no clock timezone command.

clock timezone zone hours [minutes]
no clock timezone


Syntax Description

zone

Name of the time zone to be displayed when standard time is in effect

hours

Hours offset from UTC

minutes

(Optional) Minutes offset from UTC

Default

UTC

Command Mode

Global configuration

Usage Guidelines

The system internally keeps time in UTC, so this command is used only for display purposes and when the time is manually set.

Example

In the following example, the time zone is set to Pacific Standard Time and is offset 8 hours behind UTC:

clock timezone PST -8
Related Commands

calendar set
clock set
clock summer-time
show clock

custom-queue-list

To assign a custom queue list to an interface, use the custom-queue-list interface configuration command. To remove a specific list or all list assignments, use the no form of this command.

custom-queue-list list
no custom-queue-list [list]

Syntax Description

list

Number of the custom queue list you want to assign to the interface. An integer from 1 to 10.

Default

No custom queue list is assigned.

Command Mode

Interface configuration

Usage Guidelines

You can assign only one queue list per interface. Use this command in place of the priority-list command (not in addition to it). Custom queuing provides a fairness that priority queuing does not. With custom queuing, you can control how an interface's available bandwidth is shared when the interface cannot accommodate all of the traffic enqueued for it. Associated with each output queue is a configurable byte count, which specifies how many bytes of data the system delivers from the current queue before it moves on to the next queue. When a particular queue is being processed, packets are sent until the number of bytes sent exceeds the queue byte count or until the queue is empty.
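The byte-count round robin described above, as an added Python simulation that is not part of this command reference. Queue ids, packet lengths and byte counts are constructed sample values; the stopping rule follows the wording of this page (a queue keeps sending until the bytes sent exceed its byte count).

```python
from collections import deque
from fractions import Fraction


def custom_queue_schedule(queues, byte_counts, max_rounds=1000):
    """Simulate the custom-queuing round robin described above.

    queues:      dict queue id -> list of packet lengths (bytes) waiting to go out
    byte_counts: dict queue id -> configured byte count for that queue
    Returns the transmission order as a list of (round, queue id, packet length).
    The simulation ends when every queue is empty or after max_rounds.
    """
    pending = {qid: deque(pkts) for qid, pkts in queues.items()}
    schedule = []
    for rnd in range(1, max_rounds + 1):
        if not any(pending.values()):
            break
        for qid in sorted(pending):
            q = pending[qid]
            sent = 0
            # Packets are sent until the bytes sent exceed the queue's byte
            # count or the queue is empty.  A packet is never split, so a queue
            # can overshoot its byte count by up to one packet.  Per the text
            # above, a total equal to the byte count has not yet "exceeded" it,
            # so one more packet is sent in that case.
            while q and sent <= byte_counts[qid]:
                length = q.popleft()
                sent += length
                schedule.append((rnd, qid, length))
    return schedule


def bytes_per_queue(schedule):
    """Total bytes each queue transmitted over the whole schedule."""
    totals = {}
    for _, qid, length in schedule:
        totals[qid] = totals.get(qid, 0) + length
    return totals


def steady_state_share(packet_lengths, byte_counts):
    """Bandwidth share each queue receives when the interface is saturated and
    every queue always has packets of the given (fixed) length waiting.

    Per round a queue sends the smallest number of packets whose total exceeds
    its byte count, i.e. byte_count // packet_length + 1 packets.  Returns
    exact Fractions keyed by queue id.
    """
    per_round = {
        qid: (byte_counts[qid] // packet_lengths[qid] + 1) * packet_lengths[qid]
        for qid in byte_counts
    }
    total = sum(per_round.values())
    return {qid: Fraction(sent, total) for qid, sent in per_round.items()}


if __name__ == "__main__":
    # Constructed sample: queue 1 carries 1500-byte packets with a 2000-byte
    # count, queue 2 carries 500-byte packets with a 900-byte count.  Queue 2
    # overshoots its byte count (sends 1000 bytes) in every round it is serviced.
    queues = {1: [1500] * 6, 2: [500] * 4}
    counts = {1: 2000, 2: 900}
    sched = custom_queue_schedule(queues, counts)
    for entry in sched:
        print(entry)
    print(bytes_per_queue(sched))
    print(steady_state_share({1: 1500, 2: 500}, counts))
```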

Example

In the following example, custom queue list number 3 is assigned to serial interface 0:

interface serial 0
custom-queue-list 3
Related Commands

queue-list default
queue-list interface
queue-list protocol
queue-list queue byte-count
queue-list queue limit
queue-list stun

downward-compatible-config

To have the access server try to generate a configuration that is compatible with an earlier Cisco IOS release, use the downward-compatible-config global configuration command. To remove this feature, use the no form of this command.

downward-compatible-config version
no downward-compatible-config

Syntax Description

version

Cisco IOS Release number, not earlier than 10.2.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

In Cisco IOS Release 10.3, IP access lists changed format. Use this command to regenerate a configuration in a format prior to Release 10.3 if you are going to downgrade from a Release 10.3 or later to an earlier release. The earliest release this command accepts is 10.2.

When this command is configured, the router attempts to generate a configuration that is compatible with the specified version. Currently, this command affects only IP access lists.

Under some circumstances, the software might not be able to generate a fully backward-compatible configuration. In such a case, the software issues a warning message whenever it tries to write a configuration that is not downward compatible.

Example

In the following example, the router will attempt to generate a configuration file compatible with Cisco IOS Release 10.2:

downward-compatible-config 10.2
Related Commands

A dagger (†) indicates that the command is documented in another chapter.

access-list (extended)
access-list (standard)

enable last-resort

To specify what happens if the TACACS servers used by the enable command do not respond, use the enable last-resort global configuration command. The no form of this command restores the default.

enable last-resort {password | succeed}
no enable last-resort

Syntax Description

password

Allows users to enable by entering the privileged command level password.

succeed

Allows users to enable without further question.

Default

Default action is to fail.

Command Mode

Global configuration

Usage Guideline

The last-resort action is taken only if the TACACS servers do not respond to the enable request. It is not taken when a server responds and merely rejects the authentication.


Note This command is not used in AAA/TACACS+ and has been replaced by the aaa authentication suite of commands.

Example

In the following example, if the TACACS servers do not respond to the enable command, the user can enable by entering the privileged level password:

enable last-resort password
Related Command

A dagger (†) indicates that the command is documented in another chapter.

enable

enable password

Use the enable password global configuration command to set a local password to control access to various privilege levels. Use the no form of this command to remove the password requirement.

enable password [level level] {password}
enable password [level level] {encryption-type encrypted-password}
no enable password [level]

Syntax Description

level level

(Optional) Level for which the password applies. You can specify up to sixteen privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified, the privilege level defaults to 15 (traditional enable privileges). The same holds true for the no form of the command.

password

The enable password password as you would type it when enabling. This password should be different from the password created with the enable secret command. If you have the service password-encryption flag set, when the router displays the password for you later it will be displayed encrypted (an encrypted form of what you typed).

encryption-type

(Optional) The Cisco-proprietary algorithm used to encrypt the password. Currently the only encryption type available is 7. If you specify encryption-type, the next argument you supply must be an encrypted password (a password already encrypted by a Cisco router).

encrypted-password

An encrypted password you enter, copied from another router configuration.

Default

No password is defined.

Command Mode

Global configuration

Usage Guidelines

You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you copy and paste back into this command a password that has already been encrypted by a Cisco router.

If you specify an encryption type and then enter a clear-text password, you will not be able to re-enter enable mode. You cannot recover a lost password that has been encrypted by any method.

Use this command with the level option to define a password for a specific privilege level. Once the level and the password are specified, give the password to the users you want to have access at this level. Use the privilege level (global) configuration command to specify the commands accessible at various levels.

Enable or disable password encryption with the service password-encryption command.

An enable password can contain from 1 to 80 uppercase and lowercase alphanumeric characters. The first character cannot be a number. Some spaces are valid password characters; for example, "two words" is valid. Leading spaces are ignored, but trailing spaces are recognized. For example, " woolly" (with a leading space) is interpreted as "woolly" (without the space), while "woolly " (with a trailing space) is interpreted as "woolly " (with the space). To create an enable password containing a question mark (?), precede the question mark with the keystrokes Ctrl-V. For example, to create the password "abc?123", enter the letters abc, then Ctrl-V, then ?, then the numbers 123. When the system prompts you for the enable password, you need not precede the question mark with Ctrl-V; simply enter abc?123 at the password prompt.

Example

In the following example, the password pswd2 is enabled for privilege level 2:

enable password level 2 pswd2
 

In the following example the encrypted password Xyti5Rkls3LoyxzS8t9, which has been copied from a router configuration file, is set for privilege level 2 using encryption type 7:

enable password level 2 7 Xyti5Rkls3LoyxzS8t9
Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

disable
enable
privilege level (global)
service password-encryption
show privilege

enable secret

Use the enable secret command to specify an additional layer of security over the enable password command. Use the no form of the command to turn off the enable secret function.

enable secret [level level] {password}
enable secret [level level] {encryption-type encrypted-password}
no enable secret [level level]

Syntax Description

level level

(Optional) Level for which the password applies. You can specify up to sixteen privilege levels, using numbers 0 through 15. Level 1 is normal EXEC-mode user privileges. If this argument is not specified, the privilege level defaults to 15 (traditional enable privileges). The same holds true for the no form of the command.

password

The enable secret password—the password you would type when enabling. This password should be different from the password created with the enable password command. When the router displays the password for you later, it will be displayed encrypted (an encrypted form of what you typed).

encryption-type

(Optional) The Cisco-proprietary algorithm used to encrypt the password. Currently, the only encryption type available for this command is 5. If you specify encryption-type, the next argument you supply must be an encrypted password (a password encrypted by a Cisco router).

encrypted-password

An encrypted password you enter, copied from another router configuration.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

You will not ordinarily enter an encryption type. Typically you enter an encryption type only if you paste back into this command an encrypted password that you copied from a router configuration file.

If you specify encryption-type and then enter a clear-text password, you will not be able to re-enter enable mode. You cannot recover a lost password that has been encrypted by any method.

The enable secret command is used in conjunction with the enable password command to provide an additional layer of security over the enable password. This scheme provides better security by storing the enable secret using a non-reversible cryptographic function.

This added layer of security is useful in environments where the password crosses the network or is stored on a TFTP server.

If you use the same password for enable password and enable secret, you receive an error message warning that this practice is not recommended; but the password will be accepted. By using the same password, however, you undermine the additional security the enable secret command provides.


Note After you set a password using enable secret, a password set using the enable password command will no longer work unless enable secret is disabled or an older version of Cisco IOS software is being used, such as when running an older rxboot image. Additionally, you cannot recover a lost password that has been encrypted by any method.

Examples

The following example specifies an enable secret password of gobbledegook:

enable secret gobbledegook
 

After specifying an enable secret password, users must enter this password to gain access. Any passwords set through enable password will no longer work.

Password: gobbledegook

 

In the following example, the encrypted password $1$FaD0$Xyti5Rkls3LoyxzS8t98j2, which has been copied from a router configuration file, is set as the enable secret for privilege level 2 using encryption type 5:

enable secret level 2 5 $1$FaD0$Xyti5Rkls3LoyxzS8t98j2
Related Commands

A dagger (†) indicates that the command is documented outside this chapter.

enable
enable password

enable use-tacacs

To enable use of TACACS to determine whether a user can access the privileged command level, use the enable use-tacacs global configuration command. Use the no enable use-tacacs command to disable TACACS verification.

enable use-tacacs
no enable use-tacacs


Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Global configuration

Usage Guidelines

When you add this command to the configuration file, the EXEC enable command prompts for a new username and password pair. This pair is then passed to the TACACS server for authentication. If you are using extended TACACS, it also will pass any already-existing UNIX user identification code to the server.


Note This command initializes TACACS. Use the tacacs server-extended command to initialize XTACACS, or use the aaa new-model command to initialize AAA/TACACS+.

Caution If you use the enable use-tacacs command, you must also use the tacacs-server authenticate enable command, or else you will be locked out of the communication server.

Example

The following example sets TACACS verification on the privileged EXEC-level login sequence:

enable use-tacacs
tacacs-server authenticate enable
Related Command

tacacs-server authenticate enable

hostname

To specify or modify the host name for the network server, use the hostname global configuration command.

hostname name

Syntax Description

name

New host name for the network server; the name is case sensitive.

Default

The factory-assigned default host name is cs.

Command Mode

Global configuration

Usage Guidelines

The order of display at startup is the message-of-the-day (MOTD) banner, then login and password prompts, then the EXEC banner.

The host name is used in prompts and default configuration filenames. The setup command facility also prompts for a host name at startup.

Example

The following example changes the host name to sandbox:

hostname sandbox

load-interval

To change the length of time for which data is used to compute load statistics, use the load-interval interface configuration command. Use the no load-interval command to revert to the default setting.

load-interval seconds
no load-interval seconds

Syntax Description

seconds

Length of time for which data is used to compute load statistics. A value that is a multiple of thirty, between 30 and 600 (30, 60, 90, 120, and so forth).

Default

300 seconds (or 5 minutes)

Command Mode

Interface configuration

Usage Guidelines

If you want load computations to be more reactive to short bursts of traffic rather than averaged over five-minute periods, you can shorten the length of time over which load averages are computed.

If the load interval is set to thirty seconds, new data is used for load calculations over a thirty-second period. This data is used to compute load statistics, including input rate in bits and packets per second, output rate in bits and packets per second, load, and reliability.

Load data is gathered every five seconds on the communication server. This data is used for a weighted average calculation in which more-recent load data has more weight in the computation than older load data. If the load interval is set to thirty seconds, the average is computed for the last thirty seconds of load data.

The load-interval command allows you to change the default interval of five minutes to a shorter or longer period of time. If you shorten it, the input and output statistics displayed by the show interface command are more current, reflecting recent, near-instantaneous data rather than an average load over a longer period of time.

This command is often used for dial backup purposes to increase or decrease the likelihood of a backup interface being implemented, but it can be used on any interface.

Example

In the following example, the default five-minute average is changed to a thirty-second average. A burst in traffic that would not trigger a dial backup for an interface configured with the default five-minute interval might trigger a dial backup for this interface, which is set to the shorter, thirty-second interval.

interface serial 0
load-interval 30
Related Command

show interface

logging

To log messages to a syslog server host, use the logging global configuration command. The no logging command deletes the syslog server with the specified address from the list of syslog servers.

logging host
no logging host

Syntax Description

host

Name or IP address of the host to be used as a syslog server

Default

No messages are logged to a syslog server host.

Command Mode

Global configuration

Usage Guidelines

This command identifies a syslog server host to receive logging messages. By issuing this command more than once, you build a list of syslog servers that receive logging messages.

Example

The following example logs messages to a host named johnson:

logging johnson
Related Commands

logging trap
service timestamps

logging buffered

To log messages to an internal buffer, use the logging buffered global configuration command. The no logging buffered command cancels the use of the buffer and writes messages to the console terminal, which is the default.

logging buffered
no logging buffered


Syntax Description

This command has no arguments or keywords.

Default

The communication server displays all messages to the console terminal.

Command Mode

Global configuration

Usage Guidelines

This command copies logging messages to an internal buffer instead of writing them to the console terminal. The buffer is circular in nature, so newer messages overwrite older messages.

To display the messages that are logged in the buffer, use the EXEC command show logging. The first message displayed is the oldest message in the buffer.

Example

The following example illustrates how to enable logging to an internal buffer:

logging buffered

logging console

To limit messages logged to the console based on severity, use the logging console global configuration command. To disable logging to the console terminal, use the no form of the command.

logging console level
no logging console

Syntax Description

level

Limits the logging of messages displayed on the console terminal to the specified level and levels below it. See Table 5-7 for a list of the level keywords.

Default

The debugging level

Command Mode

Global configuration

Usage Guidelines

Specifying one of the level names shown in Table 5-7 causes messages at that level and numerically lower levels to be displayed at the console terminal.

The EXEC command show logging displays the addresses and levels associated with the current logging setup, as well as any other logging statistics.


Table 5-7: Error Message Logging Priorities

Level Name      Level   Description                         Syslog Definition
emergencies     0       System unusable                     LOG_EMERG
alerts          1       Immediate action needed             LOG_ALERT
critical        2       Critical conditions                 LOG_CRIT
errors          3       Error conditions                    LOG_ERR
warnings        4       Warning conditions                  LOG_WARNING
notifications   5       Normal but significant condition    LOG_NOTICE
informational   6       Informational messages only         LOG_INFO
debugging       7       Debugging messages                  LOG_DEBUG

Example

The following example changes the level of messages displayed to the console terminal to alerts, which means alerts and emergencies are displayed:

logging console alerts
Related Command

logging facility

logging facility

To configure the syslog facility in which error messages are sent, use the logging facility global configuration command. To revert to the default of local7, use the no form of this command.

logging facility facility-type
no logging facility

Syntax Description

facility-type

Logging facility type. See Table 5-8 for the facility-type keywords.

Default

local7

Command Mode

Global configuration

Usage Guidelines

Table 5-8: Logging Facility Facility-Type Keywords

Keyword     Description
auth        Authorization system
cron        Cron facility
daemon      System daemon
kern        Kernel
local0-7    Reserved for locally defined messages
lpr         Line printer system
mail        Mail system
news        USENET news
sys9        System use
sys10       System use
sys11       System use
sys12       System use
sys13       System use
sys14       System use
syslog      System log
user        User process
uucp        UNIX-to-UNIX copy system

Example

The following example configures the syslog facility to Kernel:

logging facility kern
Related Command

logging console

logging monitor

To limit messages logged to the terminal lines (monitors) based on severity, use the logging monitor global configuration command. Use the no form of this command to disable logging to terminal lines other than the console line.

logging monitor level
no logging monitor

Syntax Description

level

One of the level keywords listed in Table 5-7

Default

debugging

Command Mode

Global configuration

Usage Guidelines

Specifying a level causes messages at that level and numerically lower levels to be displayed to the monitor.

This command limits the logging messages displayed on terminal lines other than the console line to messages at the specified level or at a more severe (numerically lower) level.

Example

The following example specifies that only messages of the levels errors, critical, alerts, and emergencies be displayed on terminals:

logging monitor errors
Related Command

A dagger (†) indicates that the command is documented in another chapter.

terminal monitor

logging on

To control logging of error messages, use the logging on global configuration command. This command enables or disables message logging to all destinations except the console terminal. The no logging on command enables logging to the console terminal only.

logging on
no logging on


Syntax Description

This command has no arguments or keywords.

Default

The communication server logs messages to the console terminal.

Command Mode

Global configuration

Example

The following example shows how to direct error messages to the console terminal only:

no logging on

logging synchronous

To synchronize unsolicited messages and debug output with solicited system output and prompts for a specific line, use the logging synchronous line configuration command. To disable this capability, use the no form of this command.

logging synchronous [level severity-level | all] [limit number-of-buffers]
no logging synchronous [level severity-level | all] [limit number-of-buffers]

Syntax Description

level severity-level

(Optional) Message severity level. Messages with a severity level equal to or higher than this value are printed asynchronously. When specifying a severity level number, consider that for the logging system, low numbers indicate greater severity and high numbers indicate lesser severity. The default value is 2.

all

(Optional) Specifies that all messages are printed asynchronously, regardless of the severity level.

limit number-of-buffers

(Optional) Number of buffers to be queued for the terminal after which new messages are dropped. The default value is 20.

Defaults

This feature is turned off by default.

If you do not specify a severity level, the default value of 2 is assumed.

If you do not specify the maximum number of buffers to be queued, the default value of 20 is assumed.

Command Mode

Line configuration

Usage Guidelines

When synchronous logging of unsolicited messages and debug output is turned on, unsolicited router output is displayed or printed only after solicited router output has been displayed or printed. Unsolicited messages and debug output are displayed on the console after the prompt for user input is returned. This keeps unsolicited messages and debug output from being interspersed with solicited router output and prompts. After the unsolicited messages are displayed, the console displays the user prompt again.

When specifying a severity level number, consider that for the logging system, low numbers indicate greater severity and high numbers indicate lesser severity.

When a terminal line's message-queue limit is reached, new messages are dropped from the line, although these messages might be displayed on other lines. If messages are dropped, the notice "%SYS-3-MSGLOST number-of-messages due to overflow" follows any messages that are displayed. This notice is displayed only on the terminal that lost the messages. It is not sent to any other lines, any logging servers, or the logging buffer.

Caution By configuring abnormally large message-queue limits and setting the terminal to "terminal monitor" on a terminal that is accessible to intruders, you expose yourself to "denial of service" attacks. An intruder could carry out the attack by putting the terminal in synchronous output mode, making a Telnet connection to a remote host, and leaving the connection idle. This could cause large numbers of messages to be generated and queued, and these messages would consume all available RAM. Although unlikely to occur, you should guard against this type of attack through proper configuration.

Example

The following example identifies a line and configures synchronous logging for that line, then it does this for another line:

line 0 4
logging synchronous level 6
line 2
logging synchronous level 7 limit 70000
Related Command

A dagger (†) indicates that the command is documented in another chapter.

line 

logging trap

To limit messages logged to the syslog servers based on severity, use the logging trap global configuration command. Use the no form of this command to disable logging to syslog servers.

logging trap level
no logging trap

Syntax Description

level

One of the level keywords listed in Table 5-7

Default

informational

Command Mode

Global configuration

Usage Guidelines

The EXEC command show logging displays the addresses and levels associated with the current logging setup. The command output also includes ancillary statistics. This command limits the logging of error messages sent to syslog servers to only those messages at the specified level.

Table 5-7 lists the syslog definitions that correspond to the debugging message levels. Additionally, there are four categories of messages generated by the software, as follows:

Use the logging and logging trap commands to send messages to a UNIX syslog server.
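The severity filtering described for logging console, logging monitor and logging trap, together with the level numbers of Table 5-7 and the logging on switch, as an added Python example that is not part of this command reference. It assumes IOS system messages carry their severity digit in a %FACILITY-SEVERITY-MNEMONIC prefix, as in the %SYS-3-MSGLOST notice quoted in the logging synchronous section; the message and configuration lines it processes are constructed samples.

```python
import re

# Table 5-7: severity keywords and their numeric levels (0 is the most severe).
SEVERITY_LEVELS = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7,
}

# Per-destination defaults stated on this page: console and monitor default to
# debugging, syslog servers (logging trap) to informational, and logging is on.
DEFAULT_CONFIG = {"console": "debugging", "monitor": "debugging",
                  "trap": "informational", "on": True}
DESTINATIONS = ("console", "monitor", "trap")

# Severity digit taken from the %FACILITY-SEVERITY-MNEMONIC prefix (assumed format).
MESSAGE_RE = re.compile(
    r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):?\s*(?P<text>.*)")


def parse_message(line):
    """Return facility, severity (int), mnemonic and text of an IOS message, or None."""
    m = MESSAGE_RE.search(line)
    if m is None:
        return None
    fields = m.groupdict()
    fields["severity"] = int(fields["severity"])
    return fields


def apply_logging_config(config_lines, config=None):
    """Fold 'logging console|monitor|trap <level>', their 'no' forms, and
    'logging on' / 'no logging on' into a config dict (starting from defaults)."""
    cfg = dict(DEFAULT_CONFIG if config is None else config)
    for line in config_lines:
        parts = line.split()
        if len(parts) == 3 and parts[0] == "logging" and parts[1] in DESTINATIONS:
            if parts[2] not in SEVERITY_LEVELS:
                raise ValueError("unknown level keyword: " + parts[2])
            cfg[parts[1]] = parts[2]
        elif len(parts) == 3 and parts[:2] == ["no", "logging"] and parts[2] in DESTINATIONS:
            cfg[parts[2]] = None            # logging to that destination disabled
        elif parts == ["logging", "on"]:
            cfg["on"] = True
        elif parts == ["no", "logging", "on"]:
            cfg["on"] = False               # console terminal only
    return cfg


def destinations_for(line, cfg):
    """Destinations that receive this message: a destination configured with level L
    receives messages at level L and at numerically lower (more severe) levels."""
    msg = parse_message(line)
    if msg is None:
        return set()
    active = ("console",) if not cfg["on"] else DESTINATIONS
    return {dest for dest in active
            if cfg[dest] is not None and msg["severity"] <= SEVERITY_LEVELS[cfg[dest]]}


def route(lines, cfg):
    """Map each destination to the mnemonics it would receive, in arrival order."""
    routed = {dest: [] for dest in DESTINATIONS}
    for line in lines:
        for dest in destinations_for(line, cfg):
            routed[dest].append(parse_message(line)["mnemonic"])
    return routed


if __name__ == "__main__":
    # Constructed sample configuration and message lines.
    cfg = apply_logging_config(["logging console alerts",
                                "logging monitor errors",
                                "logging trap notifications"])
    sample = [
        "%LINK-3-UPDOWN: Interface Serial0, changed state to down",
        "%SYS-5-CONFIG_I: Configured from console by vty0",
        "%SYS-3-MSGLOST 4 due to overflow",
        "%SYS-1-CONSTRUCTED: constructed alert-level message",
        "%SYS-7-CONSTRUCTED: constructed debugging-level message",
    ]
    for dest, mnemonics in route(sample, cfg).items():
        print(dest, mnemonics)
```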

Example

The following example logs messages to a host named johnson and limits messages logged to the syslog server.

logging johnson
logging trap notifications
Related Command

logging

login authentication

To enable TACACS+ authentication for logins, use the login authentication command. Use the no form of the command to return to the default.

login authentication {default | list-name}
no login authentication {default | list-name}

Syntax Description

default

Uses the default list created with the aaa authentication login command.

list-name

Uses the indicated list created with the aaa authentication login command.

Default

Uses the default set with aaa authentication login.

Command Mode

Line configuration

Usage Guideline

This command is a per-line command used with AAA, and specifies the name of a list of TACACS+ authentication methods to try at login. If no list is specified, the default list will be used (whether or not it is specified in the command line). Defaults and lists are created by using the aaa authentication login command. Entering the no version of login authentication has the same effect as entering the command with the default argument.

Before issuing this command, create a list of authentication processes by using the global configuration aaa authentication login command.

Caution If you use a list-name that was not configured with the aaa authentication login command, you will disable login on this line.

Examples

The following example specifies that the default AAA authentication is to be used on line 4:

line 4
login authentication default

The following example specifies that the AAA authentication list called MIS-access is to be used on line 7:

line 7
login authentication MIS-access
Related Command

A dagger (†) indicates that the command is documented in another chapter.

aaa authentication login†

ntp access-group

To control access to the system's Network Time Protocol (NTP) services, use the ntp access-group global configuration command. To remove access control to the system's NTP services, use the no form of this command.

ntp access-group {query-only | serve-only | serve | peer} access-list-number
no ntp access-group {query-only | serve-only | serve | peer}

Syntax Description

query-only

Allows only NTP control queries. See RFC 1305 (NTP version 3).

serve-only

Allows only time requests.

serve

Allows time requests and NTP control queries, but does not allow the system to synchronize to the remote system.

peer

Allows time requests and NTP control queries and allows the system to synchronize to the remote system.

access-list-number

Number (1 to 99) of a standard IP access list.

Default

No access control (full access granted to all systems)

Command Mode

Global configuration

Usage Guidelines

The access group options are scanned in the following order from least restrictive to most restrictive:

    1. peer

    2. serve

    3. serve-only

    4. query-only

Access is granted for the first match that is found. If no access groups are specified, all access is granted to all sources. If any access groups are specified, only the specified access is granted. This facility provides minimal security for the time services of the system. However, it can be circumvented by a determined programmer. If tighter security is desired, use the NTP authentication facility.
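The scan order and first-match rule above can be modelled directly. The following is an added illustration, not part of the original reference or of the communication server's software; the access-list contents (99 and 42) and the source addresses are constructed sample data.

```python
import ipaddress

# Access-group keywords in the order the text gives: least to most restrictive.
SCAN_ORDER = ("peer", "serve", "serve-only", "query-only")

# What each grant permits, per the Syntax Description above.
PERMITS = {
    "peer": {"time", "query", "sync"},
    "serve": {"time", "query"},
    "serve-only": {"time"},
    "query-only": {"query"},
    "full": {"time", "query", "sync"},   # no access groups configured at all
}

# Constructed standard ACLs: list number -> permitted prefixes (implicit deny otherwise).
ACLS = {
    99: [ipaddress.ip_network("10.0.0.5/32")],        # access-list 99 (sample)
    42: [ipaddress.ip_network("10.2.0.0/24")],        # access-list 42 (sample)
}

# The page's example: ntp access-group peer 99 / ntp access-group serve-only 42
GROUPS = {"peer": 99, "serve-only": 42}


def ntp_access(groups, acls, source):
    """Return the access keyword granted to `source`, 'full' if no groups
    are configured, or None if every configured group denies it."""
    if not groups:
        return "full"
    addr = ipaddress.ip_address(source)
    for keyword in SCAN_ORDER:          # least restrictive first
        acl = groups.get(keyword)
        if acl is None:
            continue
        if any(addr in net for net in acls.get(acl, [])):
            return keyword              # first match wins
    return None


def allowed(groups, acls, source, action):
    """True if `action` ('time', 'query' or 'sync') is permitted for `source`."""
    grant = ntp_access(groups, acls, source)
    return grant is not None and action in PERMITS[grant]
```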

Example

In the following example, the system is configured to allow itself to be synchronized by a peer from access list 99. However, the system restricts access to allow only time requests from access list 42.

ntp access-group peer 99
ntp access-group serve-only 42
Related Command

A dagger (†) indicates that the command is documented in another chapter.

access-list†

ntp authenticate

To enable Network Time Protocol (NTP) authentication, use the ntp authenticate global configuration command. Use the no form of this command to disable the feature.

ntp authenticate
no ntp authenticate


Syntax Description

This command has no keywords or arguments.

Default

No authentication

Command Mode

Global configuration

Usage Guidelines

Use this command if you want authentication. If this command is specified, the system will not synchronize to a system unless it carries one of the authentication keys specified in the ntp trusted-key command.

Example

The following example enables NTP authentication:

ntp authenticate
Related Commands

ntp authentication-key
ntp trusted-key

ntp authentication-key

To define an authentication key for Network Time Protocol (NTP), use the ntp authentication-key global configuration command. Use the no form of this command to remove the authentication key for NTP.

ntp authentication-key number md5 value
no ntp authentication-key number

Syntax Description

number

Key number (1 to 4294967295)

md5

Key type

value

Key value (an arbitrary string of up to eight characters)

Default

No authentication key is defined for NTP.

Command Mode

Global configuration

Usage Guidelines

Use this command to define authentication keys for use with other NTP commands in order to provide a higher degree of security. Currently, only the key type md5 is supported.

Example

The following example sets authentication key 10 to aNiceKey:

ntp authentication-key 10 md5 aNiceKey

Note When this command is written to nonvolatile memory, the key is encrypted so that it is not displayed when the configuration is viewed.
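The check that ntp authenticate performs, "carries one of the authentication keys" listed by ntp trusted-key, is illustrated below as an added example; it is not the communication server's code. It assumes the MD5 keyed-digest scheme of NTP (MD5 over key value followed by the 48-byte header, as specified in RFC 5905 and used by NTPv3 implementations), and the key table, trusted-key set and packet header are constructed sample data, reusing key 10 / aNiceKey from the example above.

```python
import hashlib
import hmac
import struct

# Constructed key table, as if configured with ntp authentication-key.
KEYS = {10: b"aNiceKey", 11: b"otherKey"}
# Constructed trusted set, as if configured with ntp trusted-key 10.
TRUSTED = {10}


def ntp_header(version=3, mode=4, stratum=2):
    """Minimal 48-byte NTP header (constructed; timestamps left zero)."""
    li_vn_mode = (0 << 6) | (version << 3) | mode
    return struct.pack("!BBbb", li_vn_mode, stratum, 6, -20) + b"\x00" * 44


def md5_mac(key, header):
    """Keyed digest: MD5 over the key value followed by the header."""
    return hashlib.md5(key + header).digest()


def authenticate(header, keyid, keys):
    """Append the authenticator: 4-byte key id plus 16-byte MD5 digest."""
    return header + struct.pack("!I", keyid) + md5_mac(keys[keyid], header)


def accept(packet, keys, trusted):
    """Decide whether a receiver with ntp authenticate enabled would use this packet.
    Returns True only for a valid digest under a key id in the trusted set."""
    if len(packet) != 48 + 4 + 16:
        return False                      # no authenticator: rejected
    header = packet[:48]
    keyid = struct.unpack("!I", packet[48:52])[0]
    digest = packet[52:]
    if keyid not in trusted or keyid not in keys:
        return False                      # key not listed by ntp trusted-key
    # Constant-time comparison of the received and recomputed digests.
    return hmac.compare_digest(digest, md5_mac(keys[keyid], header))
```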
Related Commands

ntp authenticate
ntp peer
ntp server
ntp trusted-key

ntp broadcast

To specify that a specific interface should send Network Time Protocol (NTP) broadcast packets, use the ntp broadcast interface configuration command. Use the no form of this command to disable this capability.

ntp broadcast [version number]
no ntp broadcast

Syntax Description

version number

(Optional) Number from 1 to 3 indicating the NTP version

Default

Disabled

Command Mode

Interface configuration

Example

In the following example, Ethernet interface 0 is configured to send NTP version 2 packets:

interface ethernet 0
ntp broadcast version 2
Related Commands

ntp broadcast client
ntp broadcastdelay

ntp broadcast client

To allow the system to receive NTP broadcast packets on an interface, use the ntp broadcast client interface configuration command. Use the no form of this command to disable this capability.

ntp broadcast client
no ntp broadcast client


Syntax Description

This command has no arguments or keywords.

Default

Disabled

Command Mode

Interface configuration

Usage Guidelines

Use this command to allow the system to listen to broadcast packets on an interface-by-interface basis.

Example

In the following example, the communication server synchronizes to NTP packets broadcasted on Ethernet interface 1:

interface ethernet 1
ntp broadcast client

Related Commands

ntp broadcast
ntp broadcastdelay

ntp broadcastdelay

To set the estimated round-trip delay between the communication server and a Network Time Protocol (NTP) broadcast server, use the ntp broadcastdelay global configuration command. Use the no form of this command to revert to the default value.

ntp broadcastdelay microseconds
no ntp broadcastdelay

Syntax Description

microseconds

Estimated round-trip time (in microseconds) for NTP broadcasts. The range is from 1 to 999999.

Default

3000 microseconds

Command Mode

Global configuration

Usage Guidelines

Use this command when the communication server is configured as a broadcast client and the round-trip delay on the network is other than 3000 microseconds.

Example

In the following example, the estimated round-trip delay between the communication server and the broadcast client is set to 5000 microseconds:

ntp broadcastdelay 5000
Related Commands

ntp broadcast
ntp broadcast client

ntp clock-period

As NTP compensates for the error in the system clock, it keeps track of the correction factor for this error. The system automatically saves this value into the system configuration using the ntp clock-period global configuration command. The system uses the no form of this command to revert to the default.

ntp clock-period value
no ntp clock-period

Syntax Description

value

Amount to add to the system clock for each clock hardware tick (in units of 2^-32 seconds).

Default

17179869 (4 milliseconds)

Command Mode

Global configuration

Usage Guidelines

If a write memory command is entered to save the configuration to nonvolatile memory, this command will automatically be added to the configuration. It is a good idea to use the write memory command after NTP has been running for a week or so; this will help NTP synchronize more quickly if the system is restarted.

Do not enter this command; it is documented for informational purposes only. The system automatically generates this command as Network Time Protocol (NTP) determines the clock error and compensates.

ntp disable

To prevent an interface from receiving Network Time Protocol (NTP) packets, use the ntp disable interface configuration command. To enable receipt of NTP packets on an interface, use the no form of this command.

ntp disable
no ntp disable


Syntax Description

This command has no arguments or keywords.

Default

Enabled

Command Mode

Interface configuration

Usage Guidelines

This command provides a simple method of access control.

Example

In the following example, Ethernet interface 0 is prevented from receiving NTP packets:

interface ethernet 0
ntp disable

ntp master

To configure the communication server as a Network Time Protocol (NTP) master clock to which peers synchronize themselves when an external NTP source is not available, use the ntp master global configuration command. To disable the master clock function, use the no ntp master command.

ntp master [stratum]
no ntp master [stratum]

Syntax Description

stratum

(Optional) Number from 1 to 15. Indicates the NTP stratum number that the system will claim.

Default

By default, the master clock function is disabled. When enabled, the default stratum is 8.

Command Mode

Global configuration

Usage Guidelines

Because our implementation of NTP does not support directly attached radio or atomic clocks, the communication server is normally synchronized, directly or indirectly, to an external system that has such a clock. In a network without Internet connectivity, such a time source may not be available. The ntp master command is used in such cases.

If the communication server has ntp master configured, and it cannot reach any clock with a lower stratum number, the communication server will claim to be synchronized at the configured stratum number, and other communication servers will be willing to synchronize to it via NTP.

Note The system clock must have been set from some source, either by taking the time from another source or by having the time set manually, before ntp master will have any effect. This protects against distributing erroneous time after the system is restarted.

Caution Use this command with extreme caution. It is very easy to override valid time sources using this command, especially if a low stratum number is configured. Configuring multiple machines in the same network with the ntp master command can cause instability in timekeeping if the machines do not agree on the time.

Example

In the following example, the communication server is configured as an NTP master clock to which peers can synchronize:

ntp master 10
Related Command

clock calendar-valid

ntp peer

To configure the communication server's system clock to synchronize a peer or to be synchronized by a peer, use the ntp peer global configuration command. To disable this capability, use the no form of this command.

ntp peer ip-address [version number] [key keyid] [source interface] [prefer]
no ntp peer ip-address

Syntax Description

ip-address

IP address of the peer providing, or being provided, the clock synchronization.

version number

(Optional) Defines the Network Time Protocol (NTP) version number (1 to 3).

key keyid

(Optional) Defines the authentication key when sending packets to this peer.

source interface

(Optional) Names the interface from which to pick the IP source address.

prefer

(Optional) Makes this peer the preferred peer that provides synchronization.

Default

No peers are configured by default. If a peer is configured, the default NTP version number is 3, no authentication key is used, and the source IP address is taken from the outgoing interface.

Command Mode

Global configuration

Usage Guidelines

Use this command if you want to allow this communication server to synchronize with the peer, or vice versa. Using the prefer keyword will reduce switching back and forth between peers.

If you are using the default version of 3 and NTP synchronization does not occur, try using NTP version number 2. Many NTP servers on the Internet run version 2.

Example

In the following example, the communication server is configured to allow its system clock to be synchronized with the clock of the peer (or vice versa) at IP address 131.108.22.33 using NTP version 2. The source IP address will be the address of Ethernet interface 0.

ntp peer 131.108.22.33 version 2 source Ethernet 0
Related Commands

ntp authentication-key
ntp server
ntp source

ntp server

To allow the communication server's system clock to be synchronized by a time server, use the ntp server global configuration command. To disable this capability, use the no form of this command.

ntp server ip-address [version number] [key keyid] [source interface] [prefer]
no ntp server ip-address

Syntax Description

ip-address

IP address of the time server providing the clock synchronization.

version number

(Optional) Defines the Network Time Protocol (NTP) version number (1 to 3).

key keyid

(Optional) Defines the authentication key to use when sending packets to this peer.

source interface

(Optional) Identifies the interface from which to pick the IP source address.

prefer

(Optional) Makes this server the preferred server that provides synchronization.

Default

No servers are configured by default. If a server is configured, the default NTP version number is 3, no authentication key is used, and the source IP address is taken from the outgoing interface.

Command Mode

Global configuration

Usage Guidelines

Use this command if you want to allow this communication server to synchronize with the specified server. The server will not synchronize to this communication server.

Using the prefer keyword will reduce switching back and forth between servers.

If you are using the default version of 3 and NTP synchronization does not occur, try using NTP version number 2. Many NTP servers on the Internet run version 2.

Example

In the following example, the communication server is configured to allow its system clock to be synchronized with the clock of the time server at IP address 128.108.22.44 using NTP version 2:

ntp server 128.108.22.44 version 2