To control the number of login attempts that can be made on a line set up for TACACS verification, use the tacacs-server attempts global configuration command. Use the no form of this command to remove this feature and restore the default.
tacacs-server attempts count
| count | Integer that sets the number of attempts. |
Three attempts.
Global configuration.
Refer to the LightStream 1010 ATM Switch User Guide for more information about the tacacs-server attempts global configuration command.
The following example changes the login attempt to just one try.
Switch# tacacs-server attempts 1
To enable an extended TACACS mode, use the tacacs-server extended global configuration command. Use the no form of this command to disable the mode.
tacacs-server extended
This command has no arguments or keywords.
Disabled.
Global configuration.
Refer to the LightStream 1010 ATM Switch User Guide for more information about the tacacs-server extended global configuration command.
The following example enables extended TACACS mode.
Switch# tacacs-server extended
To specify a TACACS host, use the tacacs-server host global configuration command. You can use multiple tacacs-server host commands to specify multiple hosts. The software searches for the hosts in the order you specify them. The no form of this command deletes the specified name or address.
tacacs-server host name
| name | Name or IP address of the host. |
No TACACS host is specified.
Global configuration.
Refer to the LightStream 1010 ATM Switch User Guide for more information about the tacacs-server host global configuration command.
The following example specifies a TACACS host named SCACAT.
Switch# tacacs-server host SCACAT
aaa authentication ppp
login
slip
To cause the network server to request the privileged password as verification or to force successful login without further input from the user, use the tacacs-server last-resort global configuration command. The no form of this command restores the system to the default behavior.
tacacs-server last-resort {password | succeed}
| password | Allows the user to access the EXEC command mode by entering the password set by the enable command. |
| succeed | Allows the user to access the EXEC command mode without further question. |
If, when running the TACACS server, the TACACS server does not respond, the default action is to deny the request.
Global configuration.
Use the tacacs-server last-resort command to be sure that login can occur; for example, a systems administrator must log in to troubleshoot TACACS servers that might be down.
Refer to the LightStream 1010 ATM Switch User Guide for more information about the tacacs-server last-resort global configuration command.
The following example forces successful login.
Switch# tacacs-server last-resort succeed
To specify that the first TACACS request to a TACACS server be made without password verification, use the tacacs-server optional-passwords global configuration command. Use the no form of this command to restore the default.
tacacs-server optional-passwords
This command has no arguments or keywords.
Disabled.
Global configuration.
When the user enters the login name, the login request is transmitted with the name and a zero-length password. If accepted, the login procedure completes. If the TACACS server refuses this request, the server software prompts for a password and tries again when the user supplies a password. The TACACS server must support authentication for users without passwords to make use of this feature. This feature supports all TACACS requests: login, SLIP, enable, and so on.
Refer to the LightStream 1010 ATM Switch User Guide for more information about the tacacs-server optional-passwords global configuration command.
The following example configures the first login to not require TACACS verification.
Switch# tacacs-server optional-passwords
To specify the number of times the switch software searches the list of TACACS server hosts before giving up, use the tacacs-server retransmit global configuration command. The switch software tries all servers, allowing each one to timeout before increasing the retransmit count. The no form of this command restores the default.
tacacs-server retransmit retries
| retries | Integer that specifies the retransmit count. |
Two retries.
Global configuration.
Refer to the LightStream 1010 ATM Switch User Guide for more information about the tacacs-server retransmit global configuration command.
The following example specifies a retransmit counter value of five times.
Switch# tacacs-server retransmit 5
To set the interval that the server waits for a server host to reply, use the tacacs-server timeout global configuration command. The no form of this command restores the default.
tacacs-server timeout seconds
| seconds | Integer that specifies the timeout interval in seconds. |
5 seconds.
Global configuration.
Refer to the LightStream 1010 ATM Switch User Guide for more information about the tacacs-server timeout global configuration command.
The following example changes the interval timer to 10 seconds.
Switch# tacacs-server timeout 10
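The tacacs-server commands above interact: last-resort and optional-passwords decide what happens when the server is silent or lenient, and a later line or a no form overrides an earlier one. The following is an added example, not part of the original command reference: a small configuration audit that folds the lines into effective settings using the defaults stated above and reports the fail-open ones. The function names, severity labels, and both sample configurations are assumptions constructed for illustration.

```python
# Added example: fold tacacs-server lines into effective settings and flag risky ones.
DEFAULTS = {"attempts": 3, "retransmit": 2, "timeout": 5,   # defaults as stated on this page
            "last-resort": None,                            # None = deny when no server answers
            "extended": False, "optional-passwords": False}

def effective_tacacs(config_text):
    """Apply 'tacacs-server ...' and 'no tacacs-server ...' lines in order."""
    state, hosts = dict(DEFAULTS), []
    for raw in config_text.splitlines():
        words = raw.split("!")[0].split()          # '!' starts a comment
        negate = words[:1] == ["no"]
        if negate:
            words = words[1:]
        if len(words) < 2 or words[0] != "tacacs-server":
            continue
        key, args = words[1], words[2:]
        if key == "host" and args:
            if negate:
                hosts = [h for h in hosts if h != args[0]]
            elif args[0] not in hosts:
                hosts.append(args[0])              # search order = configuration order
        elif key in ("attempts", "retransmit", "timeout"):
            if negate:
                state[key] = DEFAULTS[key]
            elif args and args[0].isdigit():
                state[key] = int(args[0])
        elif key == "last-resort":
            if negate:
                state[key] = None
            elif args and args[0] in ("password", "succeed"):
                state[key] = args[0]
        elif key in ("extended", "optional-passwords"):
            state[key] = not negate
    state["hosts"] = hosts
    return state

def audit(state):
    """Return (severity, message) findings; severities are this example's own labels."""
    findings = []
    if state["last-resort"] == "succeed":
        findings.append(("high", "last-resort succeed: if no TACACS server responds, "
                                 "EXEC access is granted without further question"))
    elif state["last-resort"] == "password":
        findings.append(("info", "last-resort password: if no TACACS server responds, "
                                 "the enable password gates EXEC access"))
    if state["optional-passwords"]:
        findings.append(("medium", "optional-passwords: the first request carries a "
                                   "zero-length password and login completes if accepted"))
    if not state["hosts"]:
        findings.append(("medium", "no tacacs-server host is configured"))
    return findings

# Constructed sample configurations (not from a real device).
WEAK = """\
! constructed sample
tacacs-server host SCACAT
tacacs-server host 192.0.2.10
tacacs-server attempts 1
tacacs-server timeout 10
tacacs-server last-resort succeed
tacacs-server optional-passwords
"""
# Later lines override earlier ones, as they would when entered on the switch.
CORRECTED = WEAK + "tacacs-server last-resort password\nno tacacs-server optional-passwords\n"

if __name__ == "__main__":
    for label, cfg in (("weak", WEAK), ("corrected", CORRECTED)):
        print(label, audit(effective_tacacs(cfg)))
```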
The following terminal commands are documented under the following parameter names:
| Command | Description |
|---|---|
| data-character-bits | Size of characters being handled. |
| databits | Set number of data bits per character. |
| downward-compatible-config | Put line in download mode. |
| editing | Enable command line editing. |
| escape-character | Change the current line's escape character. |
| escape-character-bits | Size of characters to the command exec. |
| flowcontrol | Set the flow control. |
| full-help | Provide help to unprivileged user. |
| help | Description of the interactive help system. |
| history | Enable and control the command history function. |
| ip | IP options. |
| length | Set number of lines on a screen. |
| monitor | Copy debug output to the current terminal line. |
| no | Negate a command or set its defaults. |
| notify | Inform users of output from concurrent sessions. |
| padding | Set padding for a specified output character. |
| parity | Set terminal parity. |
| rxspeed | Set the receive speed. |
| special-character-bits | Size of the escape (and other special) characters. |
| speed | Set the transmit and receive speeds. |
| start-character | Define the start character. |
| stop-character | Define the stop character. |
| stopbits | Set async line stop bits. |
| terminal-type | Set the terminal type. |
| transport preferred | Define transport protocols for line. |
| txspeed | Set the transmit speeds. |
| width | Set width of the display terminal. |
To specify the type of terminal connected to a line, use the terminal-type line configuration command. The command records the type of terminal connected to the line. The no form of this command removes any information about the type of terminal and resets the line to the default terminal emulation.
terminal-type terminal-name
| terminal-name | Terminal name and type. |
VT100.
Line configuration.
The argument terminal-name provides a record of the terminal type and allows terminal negotiation of display management by hosts that provide that type of service.
The following example defines the terminal on the console as a type VT220.
Switch(config)#line console
Switch(config-line)#terminal-type VT220
terminal terminal-type
To specify that the switch or Flash device operates as a TFTP server, use one of the following tftp-server global configuration commands. To remove a previously defined filename, use the no form of this command with the appropriate filename.
tftp-server flash [device:]filename1 [alias filename2] [rom alias filename2]
| flash | Specifies TFTP service of a file in Flash memory. |
| device: | Specifies TFTP service of a file on a Flash memory device. The colon (:) is required. Valid devices are as follows: bootflash: (the internal Flash memory), slot0: (the first PCMCIA slot on the ASP card), slot1: (the second PCMCIA slot on the ASP card). |
| filename1 | Name of a file in Flash or in ROM that the TFTP server uses in answering TFTP Read Requests. |
| alias | Specifies an alternate name for the file that the TFTP server uses in answering TFTP Read Requests. |
| filename2 | Alternate name of the file that the TFTP server uses in answering TFTP Read Requests. A client of the TFTP server can use this alternate name in its Read Requests. |
Disabled.
Global configuration.
You can specify multiple filenames by repeating the tftp-server command. The system sends a copy of the system image contained in ROM or one of the system images contained in Flash memory to any client that issues a TFTP Read Request with this filename.
If the specified filename1 or filename2 exists in Flash memory, a copy of the Flash image is sent. On systems that contain a complete image in ROM, the system sends the ROM image if the specified filename1 or filename2 is not found in Flash memory.
Images that run from ROM cannot be loaded over the network. Therefore, you should not use TFTP to offer the ROMs on these images.
The system sends a copy of the file contained on one of the Flash memory devices to any client that issues a TFTP Read Request with its filename.
In the following example, the system uses TFTP to send a copy of the version-11.1 file located in Flash memory in response to a TFTP Read Request for that file. The requesting host is checked against access list 22.
Switch(config)# tftp-server flash version-11.1 22
In the following example, the system uses TFTP to send a copy of the version-11.1.4 file in response to a TFTP Read Request for that file. The file is located on the Flash memory card inserted in slot 0 of the ASP card.
Switch(config)# tftp-server flash slot0:version-11.1.4
To configure the PNNI timers, use the timer ATM router PNNI node-level subcommand. To return to the default values, use the no form of this command.
timer [ack-delay tenths_of_seconds] [hello-holddown tenths_of_seconds] [hello-interval tenths_of_seconds] [inactivity-factor number] [retransmit-interval seconds]
| ack-delay | Specifies the waiting period before sending an accumulated PTSE acknowledgment packet. Default is 1 second. |
| hello-holddown | Specifies the holddown period for event-triggered hellos. This is mainly used for hello packets between outside neighbors. Default is 1 second. |
| hello-interval | Interval that defines the frequency, in seconds, at which hello packets are transmitted. Default is 15 seconds. |
| inactivity-factor | Specifies the dead-interval time (the period after which you declare a neighbor down if no hello is received) as a factor of the hello interval. Default is 5. |
| retransmit-interval | Specifies the waiting period before retransmitting a PTSE, PTSE request, or database summary packet. Default is 5 seconds. |
See individual syntax descriptions.
ATM router PNNI configuration.
Decreasing the hello-interval allows PNNI to detect neighbor nodes that have stopped functioning as quickly as other nodes. The inactivity-factor is used as a multiplier of the hello-interval in received hello packets to determine the dead interval, the time after which the neighbor node is declared down if no hello packets are received. The inactivity-factor can be increased on unreliable interfaces to avoid false alarms.
Decreasing the retransmit-interval causes retransmission to increase when a PNNI packet gets lost. However, this increases the risk of unnecessarily retransmitting PNNI packets that are delayed but actually reach the neighbor. Increasing ack-delay causes more PTSEs to be acknowledged in one ack packet. Lowering hello-holddown allows another hello packet to be sent shortly after one was sent. To avoid an overload in switch processing, you should adjust these parameters carefully.
For more information, refer to the LightStream 1010 ATM Switch Software Configuration Guide.
The following script shows how to change the hello-interval to 5 seconds.
Switch#configure terminal
Switch(config)#atm router pnni
Switch(config-atm-router)#node 1
Switch(config-pnni-node)#timer hello-interval 5
Use the traceroute privileged EXEC command to discover the routes the switch's packets actually take when traveling to their destination.
traceroute [protocol] [destination]
| protocol | (Optional) Protocol that can be used is ip. |
| destination | (Optional) Destination address or host name on the command line. The default parameters for the appropriate protocol are assumed, and the tracing action begins. |
The protocol argument is based on the switch's examination of the format of destination. For example, if the switch finds a destination argument in IP format, the protocol value defaults to ip.
Privileged EXEC.
The traceroute command works by taking advantage of the error messages generated by switches when a datagram exceeds its time-to-live (TTL) value.
The traceroute command starts by sending probe datagrams with a TTL value of 1. This causes the first switch to discard the probe datagram and send back an error message. The traceroute command sends several probes at each TTL level and displays the round-trip time for each.
The traceroute command sends out one probe at a time. Each outgoing packet may result in one or two error messages. A "time exceeded" error message indicates that an intermediate switch detected and discarded the probe. A "destination unreachable" error message indicates that the destination node received and discarded the probe because it could not deliver the packet. If the timer goes off before a response comes in, traceroute prints an asterisk (*).
The traceroute command terminates when the destination responds, when the maximum TTL is exceeded, or when the user interrupts the trace with the escape sequence. By default, to invoke the escape sequence, type Ctrl ^ X--by simultaneously pressing and releasing the Ctrl, Shift, and 6 keys, and then pressing the X key.
To use nondefault parameters and invoke an extended traceroute test, enter the command without a destination argument. You are stepped through a dialog to select the desired parameters.
Due to bugs in the IP implementation of various hosts and switches, the IP traceroute command may behave in uncommon ways.
Not all destinations respond correctly to a probe message by sending back an "ICMP port unreachable" message. A long sequence of TTL levels with only asterisks, terminating only when the maximum TTL is reached, may indicate this problem.
There is a known problem with the way some hosts handle an "ICMP TTL exceeded" message. Some hosts generate an "ICMP" message, but they reuse the TTL of the incoming packet. Since this is zero, the ICMP packets do not return. When you trace the path to such a host, you may see a set of TTL values with asterisks (*). Eventually the TTL gets high enough that the ICMP message can get back. For example, if the host is six hops away, traceroute times out on responses 6 through 11.
The following display shows sample IP traceroute output when a destination host name is specified.
Switch# traceroute ABA.NYC.mil
Type escape sequence to abort.
Tracing the route to ABA.NYC.mil (26.0.0.73)
1 DEBRIS.CISCO.COM (131.108.1.6) 1000 msec 8 msec 4 msec
2 BARRNET-GW.CISCO.COM (131.108.16.2) 8 msec 8 msec 8 msec
3 EXTERNAL-A-GATEWAY.STANFORD.EDU (192.42.110.225) 8 msec 4 msec 4 msec
4 BB2.SU.BARRNET.NET (131.119.254.6) 8 msec 8 msec 8 msec
5 SU.ARC.BARRNET.NET (131.119.3.8) 12 msec 12 msec 8 msec
6 MOFFETT-FLD-MB.in.MIL (192.52.195.1) 216 msec 120 msec 132 msec
7 ABA.NYC.mil (26.0.0.73) 412 msec 628 msec 664 msec
Table 17-1 describes the fields shown in the display.
| Field | Description |
|---|---|
| 1 | Indicates the sequence number of the switch in the path to the host. |
| DEBRIS.CISCO.COM | Host name of this switch. |
| 131.108.1.6 | IP address of this switch. |
| 1000 msec 8 msec 4 msec | Round-trip time for each of the three probes that are sent. |
The following display shows a sample trace session involving the extended dialog of the trace command.
Switch#traceroute
Protocol [ip]:
Target IP address:mit.edu
Source address:
Numeric display [n]:
Timeout in seconds [3]:
Probe count [3]:
Minimum Time to Live [1]:
Maximum Time to Live [30]:
Port Number [33434]:
Loose, Strict, Record, Timestamp, Verbose[none]:
Type escape sequence to abort.
Tracing the route to MIT.EDU (18.72.2.1)
1 ICM-DC-2-V1.ICP.NET (192.108.209.17) 72 msec 72 msec 88 msec
2 ICM-FIX-E-H0-T3.ICP.NET (192.157.65.122) 80 msec 128 msec 80 msec
3 192.203.229.246 540 msec 88 msec 84 msec
4 T3-2.WASHINGTON-DC-CNSS58.T3.ANS.NET (140.222.58.3) 84 msec 116 msec 88 msec
5 T3-3.WASHINGTON-DC-CNSS56.T3.ANS.NET (140.222.56.4) 80 msec 132 msec 88 msec
6 T3-0.NEW-YORK-CNSS32.T3.ANS.NET (140.222.32.1) 92 msec 132 msec 88 msec
7 T3-0.HARTFORD-CNSS48.T3.ANS.NET (140.222.48.1) 88 msec 88 msec 88 msec
8 T3-0.HARTFORD-CNSS49.T3.ANS.NET (140.222.49.1) 96 msec 104 msec 96 msec
9 T3-0.ENSS134.T3.ANS.NET (140.222.134.1) 92 msec 128 msec 92 msec
10 W91-CISCO-EXTERNAL-FDDI.MIT.EDU (192.233.33.1) 92 msec 92 msec 112 msec
11 E40-RTR-FDDI.MIT.EDU (18.168.0.2) 92 msec 120 msec 96 msec
12 MIT.EDU (18.72.2.1) 96 msec 92 msec 96 msec
Table 17-2 describes the fields that are unique to the extended trace sequence, as shown in the display.
| Field | Description |
|---|---|
| Target IP address | You must enter a host name or an IP address. There is no default. |
| Source address | One of the interface addresses of the switch to use as a source address for the probes. The switch normally identifies the best source address to use. |
| Numeric display | The default is to have both a symbolic and numeric display; however, you can suppress the symbolic display. |
| Timeout in seconds | The number of seconds to wait for a response to a probe packet. The default is 3 seconds. |
| Probe count | The number of probes to be sent at each TTL level. The default count is 3. |
| Minimum Time to Live [1] | The TTL value for the first probes. The default is 1, but it can be set to a higher value to suppress the display of known hops. |
| Maximum Time to Live [30] | The largest TTL value that can be used. The default is 30. The trace command terminates when the destination is reached or when this value is reached. |
| Port Number | The destination port used by the UDP probe messages. The default is 33434. |
| Loose, Strict, Record, Timestamp, Verbose | IP header options. You can specify any combination. The trace command issues prompts for the required fields. Note that trace places the requested options in each probe; however, there is no guarantee that all switches (or end nodes) process the options. |
| Loose | Allows you to specify a list of nodes that must be traversed when going to the destination. |
| Strict | Allows you to specify a list of nodes that must be the only nodes traversed when going to the destination. |
| Record | Allows you to specify the number of hops to leave room for. |
| Timestamp | Allows you to specify the number of time stamps to leave room for. |
| Verbose | If you select any option, the verbose mode is automatically selected and trace prints the contents of the option field in any incoming packets. You can prevent verbose mode by selecting it again, toggling its current setting. |
Table 17-3 describes the characters that can appear in trace output.
| Char | Description |
|---|---|
| nn msec | For each node, the round-trip time in milliseconds for the specified number of probes. |
| * | The probe timed out. |
| ? | Unknown packet type. |
| Q | Source quench. |
| P | Protocol unreachable. |
| N | Network unreachable. |
| U | Port unreachable. |
| H | Host unreachable. |
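The two failure patterns described above (a run of asterisks that lasts until the maximum TTL, and timeouts from hop n through 2n-1 when a host reuses the incoming TTL) can be recognized mechanically from saved trace output. The following is an added example, not part of the original command reference: a parser for the hop-line format shown in the displays, with a classifier whose "reply at twice the first silent TTL" rule is a heuristic inferred from the six-hops-away example. Function names and the sample trace are constructed for illustration.

```python
import re

# Response characters from the trace-output table on this page.
CODES = {"*": "probe timed out", "?": "unknown packet type", "Q": "source quench",
         "P": "protocol unreachable", "N": "network unreachable",
         "U": "port unreachable", "H": "host unreachable"}

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")
ADDR_RE = re.compile(r"(?:(\S+)\s+\((\d+(?:\.\d+){3})\)|(\d+(?:\.\d+){3}))\s*")
TOKEN_RE = re.compile(r"(?<!\S)(?:(\d+)\s+msec|([*?QPNUH]))(?!\S)")

def parse_trace(text):
    """Parse hop lines into dicts; banner and prompt lines are skipped."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ttl, rest = int(m.group(1)), m.group(2)
        name = addr = None
        a = ADDR_RE.match(rest)            # "NAME (a.b.c.d)" or a bare address
        if a:
            name, addr = a.group(1), a.group(2) or a.group(3)
            rest = rest[a.end():]
        rtts, codes = [], []
        for tok in TOKEN_RE.finditer(rest):
            if tok.group(1):
                rtts.append(int(tok.group(1)))
            else:
                codes.append(tok.group(2))
        hops.append({"ttl": ttl, "name": name, "addr": addr, "rtts": rtts, "codes": codes})
    return hops

def explain(hop):
    """Translate the response characters on one hop line into their meanings."""
    return [CODES[c] for c in hop["codes"]]

def is_silent(hop):
    """True when every probe at this TTL timed out (only '*' was printed)."""
    return not hop["rtts"] and bool(hop["codes"]) and set(hop["codes"]) == {"*"}

def diagnose(hops, dest_addr, max_ttl=30):
    """Classify a parsed trace using the failure patterns the text describes."""
    if not hops:
        return ("empty", None)
    last = hops[-1]
    if last["addr"] == dest_addr:
        i = len(hops) - 2
        while i >= 0 and is_silent(hops[i]):   # walk back over the silent run
            i -= 1
        start = hops[i + 1]["ttl"]             # first silent TTL, or the last hop itself
        # Heuristic from the text: a host n hops away times out at TTL n..2n-1.
        if start < last["ttl"] and last["ttl"] == 2 * start:
            return ("ttl-reuse-suspected", start)
        return ("reached", last["ttl"])
    if is_silent(last) and last["ttl"] >= max_ttl:
        return ("no-reply-from-destination", None)
    return ("incomplete", last["ttl"])

# Constructed sample: destination six hops away that reuses the incoming TTL.
TTL_REUSE_SAMPLE = "\n".join(
    ["Tracing the route to host.example (203.0.113.9)"]
    + [f" {i} r{i}.example (192.0.2.{i}) 8 msec 8 msec 12 msec" for i in range(1, 6)]
    + [f" {i} * * *" for i in range(6, 12)]
    + [" 12 host.example (203.0.113.9) 96 msec 92 msec 96 msec"])

if __name__ == "__main__":
    print(diagnose(parse_trace(TTL_REUSE_SAMPLE), "203.0.113.9"))
```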
Use the traceroute EXEC command to discover the IP routes the switch's packets actually take when traveling to their destination.
traceroute [protocol] [destination]
| protocol | (Optional) Protocol that can be used is ip. |
| destination | (Optional) Destination address or host name on the command line. The default parameters for the appropriate protocol are assumed, and the tracing action begins. |
The protocol argument is based on the switch's examination of the format of the destination argument. For example, if the switch finds a destination in IP format, the protocol defaults to ip.
EXEC.
The traceroute command works by taking advantage of the error messages generated by switches when a datagram exceeds its time-to-live (TTL) value.
The traceroute command starts by sending probe datagrams with a TTL value of 1. This causes the first switch to discard the probe datagram and send back an error message. The traceroute command sends several probes at each TTL level and displays the round-trip time for each.
The traceroute command sends out one probe at a time. Each outgoing packet may result in one or two error messages. A "time exceeded" error message indicates that an intermediate switch detected and discarded the probe. A "destination unreachable" error message indicates that the destination node received and discarded the probe because it could not deliver the packet. If the timer goes off before a response comes in, traceroute prints an asterisk (*).
The traceroute command terminates when the destination responds, when the maximum TTL is exceeded, or when the user interrupts the trace with the escape sequence. By default, to invoke the escape sequence, enter ^ X.
Due to bugs in the IP implementation of various hosts and switches, the IP trace command may behave in unexpected ways.
Not all destinations respond correctly to a probe message by sending back an "ICMP port unreachable" message. A long sequence of TTL levels with only asterisks, terminating only when the maximum TTL is reached, may indicate this problem.
There is a known problem with the way some hosts handle an "ICMP TTL exceeded" message. Some hosts generate an ICMP message, but they reuse the TTL of the incoming packet. Since this is zero, the ICMP packets do not make it back. When you trace the path to such a host, you may see a set of TTL values with asterisks (*). Eventually the TTL gets high enough that the "ICMP" message can get back. For example, if the host is six hops away, traceroute times out on responses 6 through 11.
The following display shows sample IP traceroute output when a destination host name is specified.
Switch# traceroute ip ABA.NYC.mil
Type escape sequence to abort.
Tracing the route to ABA.NYC.mil (26.0.0.73)
1 DEBRIS.CISCO.COM (131.108.1.6) 1000 msec 8 msec 4 msec
2 BARRNET-GW.CISCO.COM (131.108.16.2) 8 msec 8 msec 8 msec
3 EXTERNAL-A-GATEWAY.STANFORD.EDU (192.42.110.225) 8 msec 4 msec 4 msec
4 BB2.SU.BARRNET.NET (131.119.254.6) 8 msec 8 msec 8 msec
5 SU.ARC.BARRNET.NET (131.119.3.8) 12 msec 12 msec 8 msec
6 MOFFETT-FLD-MB.in.MIL (192.52.195.1) 216 msec 120 msec 132 msec
7 ABA.NYC.mil (26.0.0.73) 412 msec 628 msec 664 msec
Table 17-4 describes the fields shown in the display.
| Field | Description |
|---|---|
| 1 | Indicates the sequence number of the switch in the path to the host. |
| DEBRIS.CISCO.COM | Host name of this switch. |
| 131.108.1.6 | IP address of this switch. |
| 1000 msec 8 msec 4 msec | Round-trip time for each of the three probes that are sent. |
Table 17-5 describes the characters that can appear in traceroute output.
| Char | Description |
|---|---|
| nn msec | For each node, the round-trip time in milliseconds for the specified number of probes. |
| * | The probe timed out. |
| ? | Unknown packet type. |
| Q | Source quench. |
| P | Protocol unreachable. |
| N | Network unreachable. |
| U | Port unreachable. |
| H | Host unreachable. |
To indicate to the network that this node does not allow calls to transit through it, use the transit-restricted node-level subcommand. To allow calls to transit through the node, use the no form of this command.
transit-restricted
This command has no keywords or arguments.
Enabled.
ATM router PNNI configuration.
This command enables the network administrator to prevent connections from transiting nodes that only originate or terminate connections, for example, low-end edge switches that do not have the capacity to support transit calls.
For more information, refer to the LightStream 1010 ATM Switch Software Configuration Guide.
The following script shows how to access the transit-restricted node-level subcommand.
Switch#configure terminal
Switch(config)#atm router pnni
Switch(config-atm-router)#node 1
Switch(config-pnni-node)#transit-restricted
To assign a transmit interface to a receive-only interface, use the transmit-interface interface configuration command. To return to normal duplex Ethernet interfaces, use the no form of this command.
transmit-interface type number
| type | Transmit interface type to be linked with the (current) receive-only interface. |
| number | Transmit interface number to be linked with the (current) receive-only interface. |
Disabled.
Interface configuration.
Receive-only interfaces are used commonly with microwave Ethernet interfaces.
The following example specifies Ethernet interface 2/0/0 as a simplex Ethernet interface.
Switch(config)# interface ethernet 2/0/0
Switch(config-if)# ip address 128.9.1.2
Switch(config-if)# transmit-interface ethernet 2/0/0
To specify the transport protocol the switch uses if the user does not specify a transport protocol when initiating a connection, use the transport preferred line configuration command.
transport preferred {telnet | none}
| telnet | Selects the TCP/IP Telnet protocol. It allows a user at one site to establish a TCP connection to a login server at another site. |
| none | Prevents any protocol selection on the line. The system normally assumes that any unrecognized command is a host name. If the protocol is set to none, the system no longer makes that assumption. The connection is not attempted if the command is not recognized. |
Telnet.
Line configuration.
Specify transport preferred none to prevent errant connection attempts.
The following example sets the preferred protocol to Telnet on virtual terminal line 1.
Switch(config)#line vty 1
Switch(config-line)#transport preferred telnet
terminal transport preferred
transport preferred
To set the terminal transmit baud rate (to terminal), use the txspeed line configuration command. Use the no form of this command to disable this feature.
txspeed bps
| bps | Baud rate in bits per second (bps); see the Usage Guidelines below for settings. |
9600 bps.
Line configuration.
Set the speed to match the baud rate of whatever device you have connected to the port. Some baud rates available on devices connected to the port might not be supported on the switch. The switch indicates if the speed you select is not supported. The following is a list of line speeds, in bits per second, that are available.
75, 110, 134, 150, 300, 600, 1200, 2000, 2400, 4800, 1800, 9600, 19200, 38400
The following example sets the auxiliary line transmit speed to 2400 bps.
Switch(config)#line aux 0
Switch(config-line)#txspeed 2400
To control the number of transmit buffers available to a specified interface on the MCI and SCI cards, use the tx-queue-limit interface configuration command.
tx-queue-limit number
| number | Maximum number of transmit buffers that the specified interface can subscribe. |
Defaults depend on the total transmit buffer pool size and the traffic patterns of all the interfaces on the card. Defaults and specified limits are displayed with the show controllers mci EXEC command.
Interface configuration.
This command should be used only under the guidance of a technical support representative.
The following example sets the maximum number of transmit buffers on the interface to 5.
Switch(config)# interface ethernet 2/0/0
Switch(config-if)# tx-queue-limit 5