RADIUS Centralized Filter Management

Table Of Contents

RADIUS Centralized Filter Management

Contents

Feature Overview

Cache Management

New Vendor-Specific Attribute Support

Benefits

Restrictions

Related Documents

Supported Standards, MIBs, and RFCs

Prerequisites

Configuration Tasks

Configuring the RADIUS ACL Filter Server

Configuring the Filter Cache

Verifying the Filter Cache

Troubleshooting Tips

Monitoring and Maintaining the Filter Cache

Configuration Examples

NAS Configuration Example

RADIUS Server Configuration Example

RADIUS Dictionary and Vendors File Example

Debug Output Example

Command Reference

aaa authorization cache filterserver

aaa cache filter

cache clear age

cache disable

cache refresh

clear aaa cache filterserver acl

debug aaa cache filterserver

password

show aaa cache filterserver

RADIUS Centralized Filter Management

---

Feature History for Radius Centralized Filter Management

Release	Modification
12.2(13)T	This feature was introduced.
12.2(27)SBA	This feature was integrated into Cisco IOS Release 12.2(27)SBA.

Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

•Feature Overview

•Supported Standards, MIBs, and RFCs

•Prerequisites

•Configuration Tasks

•Monitoring and Maintaining the Filter Cache

•Configuration Examples

•Command Reference

Feature Overview

Before the RADIUS Centralized Filter Management feature, wholesale providers (who provide premium charges for customer services such as access control lists [ACLs]) were unable to prevent customers from applying exhaustive ACLs, which could impact router performance and other customers. This feature introduces a centralized administration point—a filter server—for ACL management. The filter server acts as a centralized RADIUS repository for ACL configuration.

Whether or not the RADIUS server that is used as the filter server is the same server that is used for access authentication, the network access server (NAS) will initiate a second access request to the filter server. If configured, the NAS will use the filter-ID name as the authentication username and the filter server password for the second access request. The RADIUS server will attempt to authenticate the filter-ID name, returning any required filtering configuration in the access-accept response.

Because downloading ACLs is time consuming, a local cache is maintained on the NAS. If an ACL name exists on the local cache, that configuration will be used without consulting the filter server.

---

Note An appropriately configured cache should minimize delays; however, the first dialin user to require a filter will always experience a longer delay because the ACL configuration is retrieved for the first time.

---

Cache Management

A global filter cache is maintained on the NAS of recently downloaded ACLs; thus, users no longer have to repeatedly request the same ACL configuration information from a potentially overloaded RADIUS server. Users are required to flush the cache when the following criteria have been met:

•After an entry becomes associated with a newly active call, the idle timer that is associated with that entry will be reset, if configured to do so.

•After the idle-time stamp of an entry expires, the entry will be removed.

•After the global cache of entries reaches a specified maximum number, the entry whose idle-timer is closest to the idle time limit will be removed.

A single timer is responsible for managing all cache entries. The timer is started after the first cache entry is created, and it runs periodically until reboot. The period of the timer will correspond to the minimum granularity offered when configuring cache idle timers, which is one expiration per minute. A single timer prevents users from having to manage individual timers per cache entry.

---

Note The single timer introduces a lack of precision in timer expiration. There is an average error of approximately 50 percent of the timer granularity. Although decreasing the timer granularity will decrease the average error, the decreased timer granularity will negatively impact performance. Because precise timing is not required for cache management, the error delay should be acceptable.

---

New Vendor-Specific Attribute Support

This feature introduces support for three new vendor-specific attributes (VSAs), which can be divided into the following two categories:

•User profile extensions

–Filter-Required (50)—Specifies whether the call should be permitted if the specified filter is not found. If present, this attribute will be applied after any authentication, authorization, and accounting (AAA) filter method-list.

•Pseudo-user profile extensions

–Cache-Refresh (56)—Specifies whether cache entries should be refreshed each time an entry is referenced by a new session. This attribute corresponds to the cache refresh command.

–Cache-Time (57)—Specifies the idle time out, in minutes, for cache entries. This attribute corresponds to the cache clear age command.

---

Note All RADIUS attributes will override any command-line interface (CLI) configurations.

---

Benefits

This feature allows users to centrally manage filters at a RADIUS server, thereby, offloading ACL configuration and management to a centralized repository.

Restrictions

Multiple method lists are not supported in this feature; only a single global filter method list can be configured.

Related Documents

•The chapters "Configuring Authorization" and "Configuring RADIUS" in the Cisco IOS Security Configuration Guide, Release 12.2

•The chapter "Authorization Commands" in the Cisco IOS Security Command Reference, Release 12.2

Supported Standards, MIBs, and RFCs

Standards

None

MIBs

None

To obtain lists of supported MIBs by platform and Cisco IOS release, and to download MIB modules, go to the Cisco MIB website on Cisco.com at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://tools.cisco.com/ITDIT/MIBS/servlet/index

If Cisco  MIB Locator does not support the MIB information that you need, you can also obtain a list of supported MIBs and download MIBs from the Cisco  MIBs page at the following URL:

http://www.cisco.com/public/sw-center/netmgmt/cmtk/mibs.shtml

To access Cisco MIB Locator, you must have an account on Cisco.com. If you have forgotten or lost your account information, send a blank e-mail to cco-locksmith@cisco.com. An automatic check will verify that your e-mail address is registered with Cisco.com. If the check is successful, account details with a new random password will be e-mailed to you. Qualified users can establish an account on Cisco.com by following the directions found at this URL:

http://www.cisco.com/register

RFCs

None

Prerequisites

•You may need to add a dictionary file to your server if it does not support the new RADIUS VSAs. For a sample dictionary and vendors file, see the section "RADIUS Dictionary and Vendors File Example" later in this document.

If you need to add a dictionary file, ensure that your RADIUS server is nonstandard and that it can send the newly introduced VSAs.

•You want to set up RADIUS network authentication so a remote user can dial in and get IP connectivity.

Configuration Tasks

See the following sections for configuration tasks for the Centralized Filter Management feature. Each task in the list is identified as either required or optional.

•Configuring the RADIUS ACL Filter Server (required)

•Configuring the Filter Cache (required)

•Verifying the Filter Cache (optional)

Configuring the RADIUS ACL Filter Server

To enable the RADIUS ACL filter server, use the following command in global configuration mode:

Command	Purpose
Router(config)# aaa authorization cache filterserver default methodlist[methodlist2...]	Enables AAA authorization caches and the downloading of an ACL configuration from a RADIUS filter server. •default—The default authorization list. •methodlist [methodlist2...]—One of the keywords listed on the password command page.

Configuring the Filter Cache

To configure the filter cache, use the following commands beginning in global configuration:

	Command	Purpose
Step 1	Router(config)# aaa cache filter	Enables filter cache configuration and enters AAA filter configuration mode.
Step 2	Router(config-aaa-filter)# password {0 | 7} password	(Optional) Specifies the optional password that is to be used for filter server authentication requests. 0—Specifies that an unencrypted password will follow. 7—Specifies that a hidden password will follow. password—The unencrypted (clear text) password. Note If a password is not specified, the default password ("cisco") is enabled.
Step 3	Router(config-aaa-filter)# cache disable	(Optional) Disables the cache.
Step 4	Router(config-aaa-filter)# cache clear age minutes	(Optional) Specifies, in minutes, when cache entries expire and the cache is cleared. minutes—Any value between 0 to 4294967295. Note If a time is not specified, the default (1400 minutes [1 day]) is enabled.
Step 5	Router(config-aaa-filter)# cache refresh	(Optional) Refreshes a cache entry when a new session begins. This command is enabled by default. To disable this functionality, use the no cache refresh command.
Step 6	Router(config-aaa-filter)# cache max number	(Optional) Limits the absolute number of entries the cache can maintain for a particular server. number—The maximum number of entries the cache can contain. Any value between 0 to 4294967295. Note If a number is not specified, the default (100 entries) is enabled.

Verifying the Filter Cache

To display the cache status, use the show aaa cache filterserver EXEC command. The following is sample output for the show aaa cache filterserver command:

Router# show aaa cache filterserver

Filter     Server          Age Expires Refresh Access-Control-Lists

--------------------------------------------------------------------------------

aol        1.2.3.4           0    1440     100 ip in icmp drop

                                               ip out icmp drop

                                               ip out forward tcp dstip 1.2.3...

msn        1.2.3.4         N/A   Never       2 ip in tcp drop

msn2       1.2.3.4         N/A   Never       2 ip in tcp drop

vone       1.2.3.4         N/A   Never       0 ip in tcp drop

---

Note The show aaa cache filterserver command shows how many times a particular filter has been referenced or refreshed. This function may be used in administration to determine which filters are actually being used.

---

Troubleshooting Tips

To help troubleshoot your filter cache configurations, use the privileged EXEC debug aaa cache filterserver command. To view sample output for the debug aaa cache filterserver command, refer to the section "Debug Output Example" later in this document.

Monitoring and Maintaining the Filter Cache

To monitor and maintain filter caches, use at least one of the following EXEC commands:

Command	Purpose
Router# clear aaa cache filterserver acl [filter-name]	Clears the cache status for a particular filter or all filters.
Router# show aaa cache filterserver	Displays the cache status.

Configuration Examples

This section provides the following configuration examples:

•NAS Configuration Example

•RADIUS Server Configuration Example

•RADIUS Dictionary and Vendors File Example

•Debug Output Example

NAS Configuration Example

The following example shows how to configure the NAS for cache filtering. In this example, the server group "mygroup" in contacted first. If there is no response, the default RADIUS server will then be contacted. If there still is no response, the local filters care contacted. Finally, the call is accepted if the filter cannot be resolved.

aaa authorization cache filterserver group mygroup group radius local none

!

aaa group server radius mygroup

 server 1.2.3.4

 server 1.2.3.5

!

radius-server host 1.2.3.4

!

aaa cache filter 

 password mycisco

 no cache refresh

 cache max 100

!

RADIUS Server Configuration Example

The following example is a sample RADIUS configuration that is for a remote user "user1" dialing into the NAS:

myfilter Password = "cisco"

Service-Type = Outbound,

Ascend:Ascend-Call-Filter = "ip in drop srcip 7.0.0.1/32 dstip 7.0.0.10/32 icmp",

Ascend:Ascend-Call-Filter = "ip in drop srcip 7.0.0.1/32 dstip 7.0.0.10/32 tcp 
dstport = telnet",

Ascend:Ascend-Cache-Refresh = Refresh-No,

Ascend:Ascend-Cache-Time = 15

user1 Password = "cisco"

Service-Type = Framed,

Filter-Id = "myfilter",

Ascend:Ascend-Filter-Required = Filter-Required-Yes, 

RADIUS Dictionary and Vendors File Example

The following example is a sample RADIUS dictionary file for the new VSAs. In this example, the dictionary file is for a Merit server.

dictionary file:

Ascend.attr Ascend-Filter-Required 50 integer (*, 0, NOENCAPS)

Ascend.attr Ascend-Cache-Refresh   56 integer (*, 0, NOENCAPS)

Ascend.attr Ascend-Cache-Time      57 integer (*, 0, NOENCAPS)

Ascend.value Ascend-Cache-Refresh Refresh-No  0

Ascend.value Ascend-Cache-Refresh Refresh-Yes 1

Ascend.value Ascend-Filter-Required  Filter-Required-No  0

Ascend.value Ascend-Filter-Required  Filter-Required-Yes 1

vendors file:

50     50

56     56

57     57

Debug Output Example

The following is sample output from the debug aaa cache filterserver command:

Router# debug aaa cache filterserver 

AAA/FLTSV: need "myfilter" (fetch), call 0x612DAC64 

AAA/FLTSV: send req, call 0x612DAC50 

AAA/FLTSV: method SERVER_GROUP myradius 

AAA/FLTSV: recv reply, call 0x612DAC50 (PASS) 

AAA/FLTSV: create cache 

AAA/FLTSV: add attr "call-inacl" 

AAA/FLTSV: add attr "call-inacl" 

AAA/FLTSV: add attr "call-inacl" 

AAA/FLTSV: skip attr "filter-cache-refresh" 

AAA/FLTSV: skip attr "filter-cache-time" 

AAA/CACHE: set "AAA filtserv cache" entry "myfilter" refresh? no 

AAA/CACHE: set "AAA filtserv cache" entry "myfilter" cachetime 15 

AAA/FLTSV: add attr to list "call-inacl" call 0x612DAC64 

AAA/FLTSV: add attr to list "call-inacl" call 0x612DAC64 

AAA/FLTSV: add attr to list "call-inacl" call 0x612DAC64 

AAA/FLTSV: PASS call 0x612DAC64 

AAA/CACHE: timer "AAA filtserv cache", next in 10 secs (0 entries) 

AAA/CACHE: timer "AAA filtserv cache", next in 10 secs (1 entry) 

AAA/CACHE: destroy "AAA filtserv cache" entry "myfilter" 

AAA/CACHE: timer "AAA filtserv cache", next in 10 secs (0 entries)

Command Reference

This section documents new commands. All other commands used with this feature are documented in the Cisco IOS Release 12.2 command reference publications.

•aaa authorization cache filterserver

•aaa cache filter

•password

•password

•password

•password

•password

•password

•password

•show aaa cache filterserver

aaa authorization cache filterserver

To enable authentication, authorization, and accounting (AAA) authorization caches and the downloading of access control list (ACL) configurations from a RADIUS filter server, use the aaa authorization cache filterserver command in global configuration mode. To disable AAA authorization caches, use the no form of this command.

aaa authorization cache filterserver default methodlist [methodlist2...]

no aaa authorization cache filterserver default

Syntax Description

default	Default authorization list.
methodlist [methodlist2...]	One of the keywords listed in Table 1.

Defaults

No default behavior or values

Command Modes

Global configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.
12.2(27)SBA	This command was integrated into Cisco IOS Release 12.2(27)SBA.

Usage Guidelines

Use the aaa authorization cache filterserver command to enable the RADIUS ACL filter server.

Method keywords are described in Table 1.

Table 1 aaa authorization cache filterserver Methods

Keyword	Description
group group-name	Uses a subset of RADIUS servers for authentication as defined by the aaa group server radius command.
local	Uses the local database for authorization caches and ACL configuration downloading.
none	No authorization is performed.

This command functions similarly to the aaa authorization command with the following exceptions:

•Named method-lists cannot be configured.

•Only one instance of this command can be configured.

•TACACS+ groups cannot be configured.

Examples

The following example shows how to configure the default RADIUS server group as the desired filter. If the request is rejected or a reply is not returned, local configuration will be consulted. If the local filter does not respond, the call will be accepted but filtering will not occur.

aaa authorization cache filterserver group radius local none

Related Commands

Command	Description
aaa authorization	Sets parameters that restrict user access to a network.
aaa group server radius	Groups different RADIUS server hosts into distinct lists and distinct methods.

aaa cache filter

To enable filter cache configuration, use the aaa cache filter command in global configuration mode. To disable this functionality, use the no form of this command.

aaa cache filter

no aaa cache filter

Syntax Description

This command has no arguments or keywords.

Defaults

Filter cache configuration is not enabled.

Command Modes

Global configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.
12.2(27)SBA	This command was integrated into Cisco IOS Release 12.2(27)SBA.

Usage Guidelines

Use the aaa cache filter command to begin filter cache configuration and enter AAA filter configuration mode (config-aaa-filter).

After enabling this command, you can specify filter cache parameters with the following commands:

•cache clear age—Specifies, in minutes, when cache entries expire and the cache is cleared.

•cache disable—Disables the cache.

•cache max—Refreshes a cache entry when a new sessions begins.

•cache refresh—Limits the absolute number of entries the cache can maintain for a particular server.

•password—Specifies the optional password that is to be used for filter server authentication requests.

---

Note Each of these commands is optional; thus, the default value will be enabled for any command that is not specified.

---

Examples

The following example shows how to enable filter cache configuration and specify cache parameters.

aaa cache filter

 password mycisco

 no cache refresh

 cache max 100

Related Commands

Command	Description
aaa authorization cache filterserver	Enables AAA authorization caches and the downloading of ACL configurations from a RADIUS filter server.
cache clear age	Specifies when, in minutes, cache entries expire and the cache is cleared.
cache disable	Disables the cache.
cache max	Refreshes a cache entry when a new sessions begins.
cache refresh	Limits the absolute number of entries the cache can maintain for a particular server.
password	Specifies the optional password that is to be used for filter server authentication requests.

cache clear age

To specify when, in minutes, cache entries expire and the cache is cleared, use the cache clear age command in AAA filter configuration mode. To return to the default value, use the no form of this command.

cache clear age minutes

no cache clear age

Syntax Description

minutes

Any value from 0 to 4294967295; the default value is 1440 minutes.

Defaults

1440 minutes (1 day)

Command Modes

AAA filter configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.
12.2(27)SBA	This command was integrated into Cisco IOS Release 12.2(27)SBA.

Usage Guidelines

After enabling the aaa cache filter command, which allows you to configure cache filter parameters, you can use the cache clear age command to specify when cache entries should expire. If this command is not specified, the default value (1440 minutes) will be enabled.

Examples

The following example shows how to configure the cache entries to expire every 60 minutes:

aaa cache filter

 cache clear age 60

Related Commands

Command	Description
aaa cache filter	Enables filter cache configuration.

cache disable

To disable the cache, use the cache disable command in AAA filter configuration mode. To return to the default, use the no form of this command.

cache disable

no cache disable

Syntax Description

This command has no arguments or keywords.

Defaults

Caching is enabled.

Command Modes

AAA filter configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.
12.2(27)SBA	This command was integrated into Cisco IOS Release 12.2(27)SBA.

Usage Guidelines

After enabling the aaa cache filter command, which allows you to configure cache filter parameters, you can use the cache disable command to disable filter caching. This command can be used to verify that the access control lists (ACLs) are being downloaded.

Examples

The following example shows how to disable filter caching:

aaa cache filter 

 cache disable

Related Commands

Command	Description
aaa cache filter	Enables filter cache configuration.

cache refresh

To refresh a cache entry after a new session begins, use the cache refresh command in AAA filter configuration mode. To disable this functionality, use the no form of this command.

cache refresh

no cache refresh

Syntax Description

This command has no arguments or keywords.

Defaults

This command is enabled by default.

Command Modes

AAA filter configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.
12.2(27)SBA	This command was integrated into Cisco IOS Release 12.2(27)SBA.

Usage Guidelines

The cache refresh command is used in an attempt to keep cache entries from the filter server, that are being referred to by new sessions, within the cache. This command resets the idle timer for these entries when they are referenced by new calls.

Examples

The following example shows how to disable the cache refresh command:

aaa cache filter

 password mycisco

 no cache refresh

 cache max 100

Related Commands

Command	Description
aaa cache filter	Enables filter cache configuration.

clear aaa cache filterserver acl

To clear the cache status for a particular filter or all filters, use the clear aaa cache filterserver acl command in EXEC mode.

clear aaa cache filterserver acl [filter-name]

Syntax Description

filter-name

(Optional) Cache status of a specified filter is cleared.

Command Modes

EXEC

Command History

Release	Modification
12.2(13)T	This command was introduced.
12.2(27)SBA	This command was integrated into Cisco IOS Release 12.2(27)SBA.

Usage Guidelines

After you clear the cache status for a particular filter or all filters, it is recommended that you enable the show aaa cache filterserver command to verify that the cache status.

Examples

The following example shows how to clear the cache for all filters:

clear aaa cache filterserver acl

Related Commands

Command	Description
show aaa cache filterserver	Displays the cache status.

debug aaa cache filterserver

To help troubleshoot your filter cache configurations, use the debug aaa cache filterserver command in privileged EXEC mode. To disable debugging output, use the no form of this command.

debug aaa cache filterserver

no debug aaa cache filterserver

Syntax Description

This command has no arguments or keywords.

Command Modes

Privileged EXEC

Command History

Release	Modification
12.2(13)T	This command was introduced.
12.2(27)SBA	This command was integrated into Cisco IOS Release 12.2(27)SBA.

Examples

The following is sample output from the debug aaa cache filterserver command:

Router# debug aaa cache filterserver 

AAA/FLTSV: need "myfilter" (fetch), call 0x612DAC64 

AAA/FLTSV: send req, call 0x612DAC50 

AAA/FLTSV: method SERVER_GROUP myradius 

AAA/FLTSV: recv reply, call 0x612DAC50 (PASS) 

AAA/FLTSV: create cache 

AAA/FLTSV: add attr "call-inacl" 

AAA/FLTSV: add attr "call-inacl" 

AAA/FLTSV: add attr "call-inacl" 

AAA/FLTSV: skip attr "filter-cache-refresh" 

AAA/FLTSV: skip attr "filter-cache-time" 

AAA/CACHE: set "AAA filtserv cache" entry "myfilter" refresh? no 

AAA/CACHE: set "AAA filtserv cache" entry "myfilter" cachetime 15 

AAA/FLTSV: add attr to list "call-inacl" call 0x612DAC64 

AAA/FLTSV: add attr to list "call-inacl" call 0x612DAC64 

AAA/FLTSV: add attr to list "call-inacl" call 0x612DAC64 

AAA/FLTSV: PASS call 0x612DAC64 

AAA/CACHE: timer "AAA filtserv cache", next in 10 secs (0 entries) 

AAA/CACHE: timer "AAA filtserv cache", next in 10 secs (1 entry) 

AAA/CACHE: destroy "AAA filtserv cache" entry "myfilter" 

AAA/CACHE: timer "AAA filtserv cache", next in 10 secs (0 entries)

Related Commands

Command	Description
aaa authorization cache filterserver	Enables AAA authorization caches and the downloading of ACL configurations from a RADIUS filter server.

password

To specify the optional password that is to be used for filter server authentication requests, use the password command in AAA filter configuration mode. To return to the default value, use the no form of this command.

password {0 | 7} password

no password

Syntax Description

0	Specifies that an unencrypted password will follow.
7	Specifies that a hidden password will follow.
password	Unencrypted (clear text) password. The default password is cisco.

Defaults

cisco

Command Modes

AAA filter configuration

Command History

Release	Modification
12.2(13)T	This command was introduced.
12.2(27)SBA	This command was integrated into Cisco IOS Release 12.2(27)SBA.

Usage Guidelines

Before configuring this command, you must enable the aaa cache filter command, which allows you to configure cache filter parameters. If this command is not specified, the default value ("cisco") will be enabled.

Examples

The following example shows how to configure the password "mycisco":

aaa cache filter 

 password mycisco

Related Commands

Command	Description
aaa cache filter	Enables filter cache configuration.

show aaa cache filterserver

To display the cache status, use the show aaa cache filterserver command in EXEC mode.

show aaa cache filterserver

Syntax Description

This command has no arguments or keywords.

Defaults

No default behavior or values.

Command Modes

EXEC

Command History

Release	Modification
12.2(13)T	This command was introduced.
12.2(27)SBA	This command was integrated into Cisco IOS Release 12.2(27)SBA.

Usage Guidelines

The show aaa cache filterserver command shows how many times a particular filter has been referenced or refreshed. This function may be used in administration to determine which filters are actually being used.

Examples

The following is sample output for the show aaa cache filterserver command:

Router# show aaa cache filterserver

Filter     Server          Age Expires Refresh Access-Control-Lists

--------------------------------------------------------------------------------

aol        1.2.3.4           0    1440     100 ip in icmp drop

                                               ip out icmp drop

                                               ip out forward tcp dstip 1.2.3...

msn        1.2.3.4         N/A   Never       2 ip in tcp drop

msn2       1.2.3.4         N/A   Never       2 ip in tcp drop

vone       1.2.3.4         N/A   Never       0 ip in tcp drop

Table 2 describes the significant fields shown in the display.

Table 2 show aaa cache filterserver Field Descriptions continued

Field	Description
Filter	Filter name.
Server	RADIUS server IP address.
Age	When to expire a cache entry.
Expires	Number of minutes in which a cache entry will expire.
Refresh	Number of times a cache has been refreshed.
Access-Control-Lists	Server's ACL.

Related Commands

Command	Description
password	Enables AAA authorization caches and the downloading of ACL configurations from a RADIUS filter server.

Copyright © 2002, 2003, 2005 Cisco Systems, Inc. All rights reserved.