This chapter describes how to configure the system. System configuration tasks include:
The chapter concludes with alphabetical summaries of the commands it describes.
The following sections contain procedures and command descriptions for configuring the global system characteristics: the host name and passwords, system security, and system management functions. The global configuration commands described in the following sections are entered in configuration mode. See the section "Entering Configuration Mode" in the "First-Time Startup and Basic Configuration" chapter of this manual for the procedures used to enter this mode.
Use the hostname global configuration command to specify the host name for the network server. The host name is used in prompts and default configuration filenames.
hostname name
The argument name is the new host name for the network server and is case sensitive. The default host name is Router.
This command changes the host name to sandbox.
hostname sandbox
A banner is the message that the EXEC command interpreter displays whenever a user starts any EXEC process or activates a line. The general form of the banner global command follows.
banner {motd|exec|incoming} c text c
The motd, exec, and incoming keywords control when the banner message is displayed. The use of these keywords is described in the following sections.
The argument c specifies a delimiting character of your choice. The argument text specifies the message to be shown on the screen whenever an interface line is activated.
The default keyword is motd (message of the day) if none is specified.
The no version of these commands removes the specified banner, and the no banner command removes the motd.
Follow banner with one or more blank spaces, then type the delimiting character, followed by one or more lines of text. Terminate the message by typing the delimiting character a second time. There is no limit to the number of characters that can be used for the banner, with the exception of buffer limits and what is appropriate for a banner.
The following example uses the pound sign character as a delimiting character:
banner motd # Building power will be off from 7:00 AM until 9:00 AM this coming Tuesday. #
To specify a general-purpose message-of-the-day banner, use the banner motd global configuration command.
banner motd c text c
This command displays a message-of-the-day banner whenever any type of connection is established; for example, when a line is activated, or when an incoming Telnet connection is created. Use this banner for messages that affect all users of the router (for example, for system reboots).
To display a message when an EXEC process is created, use the banner exec global configuration command.
banner exec c text c
This command specifies a message to be displayed when an EXEC process is created (for example, when a TTY line is activated, or an incoming connection is established to a VTY). This banner is designed for messages that affect only interactive terminal users of the router.
To display an incoming message to a particular terminal line, use the banner incoming global configuration command.
banner incoming c text c
This command specifies a message to be displayed on incoming connections to particular terminal lines (for example, lines used for "milking machine" applications).
The EXEC banner can be suppressed on certain lines by using the no exec-banner line subcommand (described in the section "Suppressing Banner Messages" later in this chapter). Lines so configured will not display the EXEC or MOTD banners when an EXEC is created.
Banners and messages are displayed in the following order:
At this point, the user logs in, if required.
This example illustrates how to display a message-of-the-day banner and a message that will be displayed when an EXEC process is created. Use the banner global configuration commands and no exec-banner line subcommand to accomplish these settings.
! Both messages are inappropriate for the VTYs.
line vty 0 4
no exec-banner
!
banner exec / This is training group server. Unauthorized access prohibited. /
!
banner motd / The server will go down at 6pm for a software upgrade /
Cisco software allows you to set default widths for characters such as banners and prompts, and for special characters such as flow control, hold, escape, and disconnect characters. Modifying the character width for EXEC and special characters allows you to include international characters in banners, prompts, and special characters.
Use these global configuration commands to specify the number of significant characters for EXEC and special characters.
default-value exec-character-bits {8|7}
default-value special-character-bits {8|7}
The default-value exec-character-bits command configures the character widths of EXEC and configuration command characters. The default value is 7 bits, which results in the use of a 7-bit ASCII character set. Configuring the EXEC character width to 8 bits allows you to add special graphical and international characters in banners, prompts, and so forth.
The default-value special-character-bits command configures the number of characters used in special characters such as software flow control, hold, escape, and disconnect characters. The default special-character width is 7. Configuring the width to 8 allows you to use twice as many special characters as with the 7-bit setting.
See the section "Setting Widths for International Character Sets for the Interface" later in this chapter for configuration examples and line character-width commands. See the "Using Terminals" chapter of this manual for EXEC-level character width commands.
In normal system operation, there are several pools of different sized buffers. These pools grow and shrink based upon demand. Some buffers are temporary and are created and destroyed as warranted. Other buffers are permanently allocated and cannot be destroyed. The buffers command allows a network administrator to adjust initial buffer pool settings, as well as the limits at which temporary buffers are created and destroyed.
The full syntax of the buffers command follows.
buffers {small|middle|big|large|huge} {permanent|max-free|min-free|initial} number
First choose the keyword that describes the size of buffers in the pool: small, big, huge, and so on. The default number of buffers in a pool is determined by the hardware configuration and can be displayed with the EXEC show buffers command.
The next keyword specifies the buffer management parameter to be changed and can be one of the following:
The argument number specifies the number of buffers to be allocated.
The no buffers command with appropriate keywords and argument restores the default buffer values.
An optional global configuration command for adjusting huge buffer settings is the buffers huge size command. As with the preceding command, use it only after consulting Cisco staff.
buffers huge size number
The buffers huge size command dynamically resizes all huge buffers to the value that you supply. The buffer size cannot be lowered below the default. The argument number specifies the new size of the huge buffers, in bytes.
The no version of the command with the keyword and argument restores the default buffer values.
In the following example, the system will try to keep at least 50 small buffers free.
buffers small min-free 50
In this example, the system will try to keep no more than 200 medium buffers free.
buffers middle max-free 200
With the following command, the system will try to create one large temporary extra buffer, just after a reload:
buffers large initial 1
In this example, the system will try to create one permanent huge buffer:
buffers huge permanent 1
In this example, the system will resize huge buffers to 20000 bytes:
buffers huge size 20000
To display statistics about the buffer pool on the network server, use the command show buffers. For more information, refer to the section "Monitoring System Processes" in the "Managing and Monitoring the System" chapter of this manual.
On the Cisco 4000, when building the receive rings for the serial and Ethernet interfaces, if a buffer request fails (that is, there is not enough of a particular buffer size left in the pool), the interface is marked as down and the initialization is abandoned at that point. The interface will later initialize as more buffers are created to fill the demand. The configuration where this problem is most noticeable is the 1E4T configuration. The Serial 3 interface may take as long as five minutes before that interface becomes usable.
However, buffer pool allocation is a user-tunable parameter. The buffer pool to tune depends on the type of encapsulation used by the interfaces. Correspondingly, the ring size changes with the size of buffer required. The mapping between buffer and ring size on the Cisco 4000 is shown in Table 1-1.
| Maximum Transmission Unit (MTU) | Receive Ring Size |
|---|---|
| MTU < 1524 | 32 |
| 1524 < MTU < 5024 | 8 |
| 5024 < MTU < 18024 | 4 |
On a Cisco 4000 1E4T box using HDLC encapsulation, there are five receive rings, each of 32 entries. Cache size is 32 buffers. The MTU for this encapsulation is less than 1524 bytes (the same as for Ethernet) and means that you must use buffers from the "big" pool. The basic number of "big" buffers required is (5 + 1) * 32 = 192. Adding a bit of "comfort" space, you can configure the buffer pool by entering the following command:
buffers big permanent 200
This increases the permanent buffer pool allocation for big buffers to 200.
On a Cisco 4000 6T box, using X.25 encapsulation, there are six receive rings, each of eight entries, plus a cache ring of eight entries. The MTU for this encapsulation is less than 5024 bytes but greater than 1524, so you must use buffers from the "large" pool. The basic number of "large" buffers required is (6 + 1) * 8 = 56. Adding a bit of "comfort" space, you can configure the buffer pool by entering the following command:
buffers large permanent 60
This increases the permanent buffer pool allocation for large buffers to 60.
In general, a rule of thumb is to boot the box, check for whichever buffer pool is depleted, and increase that one. The above examples are only estimates for the example configurations.
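To turn Table 1-1 and the (rings + 1) * ring_size rule above into a repeatable calculation, here is an added Python example (not from the manual) that sizes each pool for a list of interfaces and emits the corresponding buffers commands; it generalizes the page's two single-encapsulation boxes to a box whose interfaces fall into several pools. Mapping the 5024-18024 row to the "huge" pool and the rounding margin used for "comfort space" are assumptions of this example.

```python
"""Plan Cisco 4000 receive-ring buffer pools from the Table 1-1 MTU -> ring-size
mapping and the (rings + 1) * ring_size rule worked through in the text."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

# Table 1-1 rows as (exclusive upper MTU bound, receive ring size, buffer pool).
# The "big" and "large" pool names come from the page's HDLC and X.25 examples;
# mapping the 5024-18024 row to the "huge" pool is an assumption of this example.
# An MTU exactly on a boundary (e.g. 1524) is placed in the next larger row.
RING_TABLE = (
    (1524, 32, "big"),
    (5024, 8, "large"),
    (18024, 4, "huge"),
)


@dataclass(frozen=True)
class PoolPlan:
    pool: str
    ring_size: int
    rings: int          # receive rings in this pool, excluding the cache ring
    required: int       # (rings + 1) * ring_size, the bare minimum
    recommended: int    # required plus "a bit of comfort space"

    def command(self) -> str:
        """Global configuration command that reserves the pool permanently."""
        return f"buffers {self.pool} permanent {self.recommended}"


def ring_for_mtu(mtu: int) -> Tuple[int, str]:
    """Look up (ring size, pool name) for an interface MTU in Table 1-1."""
    for upper, ring_size, pool in RING_TABLE:
        if mtu < upper:
            return ring_size, pool
    raise ValueError(f"MTU {mtu} is outside Table 1-1 (must be below 18024)")


def comfort(required: int, step: int = 10) -> int:
    """Round up to the next multiple of `step`, always leaving some slack.

    Reproduces the page's choices (192 -> 200, 56 -> 60); the exact margin is a
    convention of this example, not something the manual prescribes."""
    return (required // step + 1) * step


def plan_pools(interfaces: Iterable[Tuple[str, int]], step: int = 10) -> Dict[str, PoolPlan]:
    """Group interfaces by the pool their MTU selects and size each pool.

    Each interface contributes one receive ring; each pool also gets one cache
    ring of the same size, hence the (rings + 1) factor from the text."""
    members: Dict[str, List[Tuple[str, int]]] = {}
    for name, mtu in interfaces:
        ring_size, pool = ring_for_mtu(mtu)
        members.setdefault(pool, []).append((name, ring_size))

    plans: Dict[str, PoolPlan] = {}
    for pool, ifaces in members.items():
        ring_size = ifaces[0][1]
        rings = len(ifaces)
        required = (rings + 1) * ring_size
        plans[pool] = PoolPlan(pool, ring_size, rings, required, comfort(required, step))
    return plans


def render_config(interfaces: Iterable[Tuple[str, int]]) -> str:
    """Emit one `buffers ... permanent` line per pool, in Table 1-1 order."""
    plans = plan_pools(interfaces)
    order = [pool for _, _, pool in RING_TABLE]
    return "\n".join(plans[p].command() for p in order if p in plans)


# Constructed sample boxes modelled on the two worked examples on the page.
HDLC_1E4T = [("Ethernet0", 1500)] + [(f"Serial{i}", 1500) for i in range(4)]
X25_6T = [(f"Serial{i}", 2048) for i in range(6)]   # X.25 MTU between 1524 and 5024

if __name__ == "__main__":
    print(render_config(HDLC_1E4T))   # buffers big permanent 200
    print(render_config(X25_6T))      # buffers large permanent 60
```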
This section describes the boot global configuration commands used to configure boot files. The boot command can be used to perform the following tasks:
The commands to load files over the network take effect the next time the software is reloaded, provided they have been written into nonvolatile memory.
The network configuration file contains commands that apply to all network servers and terminal servers on a network. The default name of this file is network-confg. See the section "Entering Configuration Mode" in the "First-Time Startup and Basic Configuration" chapter of this manual. To change the name of this file, use the boot network global configuration command. The full command syntax follows:
boot network filename [address]
The keyword network changes the network configuration filename from network-confg. The argument filename is the new name for the network configuration file. If you omit the argument address, the network server uses the default broadcast address of 255.255.255.255. If you use address, you can specify a specific network host or a subnet broadcast address.
The host configuration file contains commands that apply to one network server in particular. To change the host configuration filename, use the boot host global configuration command. The full command syntax follows:
boot host filename [address]
The keyword host changes the host configuration filename to a name you specify in the filename argument. The network server uses its name to form a host configuration filename. To form this name, the network server converts its name to all lowercase letters, removes all domain information, and appends "-confg." By default, the host filename is router-confg.
New versions of the software can be downloaded over the network. Use the boot system global configuration command to do this. The full command syntax follows.
boot system filename [address]
The keyword system indicates that the filename and host addresses for booting operating software over the network are in the nonvolatile memory. In this case, the argument filename is the filename of the operating software to load, and the argument address is the address of the network host holding that file.
The boot system command overrides the processor configuration register setting unless the register specifies the use of default (ROM) operating software. Therefore, to permit netbooting, set the configuration register bits on the processor card to any pattern other than 0-0-0-0 or 0-0-0-1.
Refer to your hardware installation and maintenance publications for more information about the processor configuration registers.
To use the nonvolatile memory option to specify netbooting, place a boot system command in the nonvolatile memory. You use this command to specify both the filename of the operating software to load and the Internet address of the server host holding that file:
boot system /usr/local/tftpdir/cisco.ts2 192.7.31.19
Use the b command at the ROM monitor prompt (>) to manually boot the system from the ROM software. The syntax is as follows:
b
The following is an example of the b command for manually booting from ROM:
>b
F3:
{ROM Monitor copyrights}
Use the b command at the ROM monitor prompt (>) to manually netboot the system, as in the following example. Check the appropriate hardware manual for the correct jumper or configuration register setting. The syntax for TFTP netbooting is as follows:
b filename [address]
The filename argument specifies the filename of the image you want loaded. It is case sensitive. The address argument is optional and defines the IP address of the host you want to boot from. The following is an example of the b command for manually netbooting:
>b testme4.test 131.108.15.112
F3:
{ROM Monitor copyrights}
When netbooting, with or without Flash memory, you can specify that the ROM image is to be booted if other boot images are not available. Use the following syntax:
boot system rom
Use the boot system rom global configuration command to specify the use of the ROM system image when other boot system commands exist in the configuration.
For example, a list specifying two possible internet locations for a system image, with the ROM software being used as a backup, is as follows:
boot system gs3-bfx.90-1 192.31.7.24
boot system gs3-bfx.83-2 192.31.7.19
boot system rom
To specify the size of the buffer to be used for netbooting a host or a network configuration file, use the boot buffersize global configuration command. The full command syntax follows:
boot buffersize bytes
The argument bytes specifies the size of the buffer to be used. By default, it is the size of your nonvolatile memory; it is 32 kilobytes if you do not have nonvolatile memory. There is no minimum or maximum size that can be specified.
The EXEC commands write terminal and write network use the information specified by the buffersize keyword when performing their functions (see the section "Entering Configuration Mode" in the "First-Time Startup and Basic Configuration" chapter of this manual for more information about these EXEC commands).
You can configure multiple instances of the boot commands. When issued, each command is executed in order and thus can be used to begin a systematic search or to build a specific list. For example, you can issue multiple boot commands to build an ordered list of configuration file name and host address pairs. The network server scans this list until it successfully loads the appropriate network or host configuration file or system boot image. In this example, the network server looks first for fred-confg on network 192.31.7.24 and, if it cannot load that file, then looks for wilma-confg on network 192.31.7.19.
boot host /usr/local/tftpdir/fred-confg 192.31.7.24
boot host /usr/local/tftpdir/wilma-confg 192.31.7.19
If the network server cannot find either file, a background process tries at ten-minute intervals (the default) to load one file or the other.
You can issue multiple instances of all variations of the boot command, including the no boot forms. This feature can be useful for removing configuration files. To remove a configuration file name and host address pair from the list, use the no boot command syntax.
Cisco routers support netbooting over both TFTP and MOP across all supported media types such as Ethernet, FDDI, serial, Token Ring, and HSSI. During a netbooting session, routers behave like hosts: they route via proxy ARP or a default gateway. However, when netbooting, a router ignores routing information, static IP routes, and bridging information. As a result, intermediate routers are responsible for handling ARP and TFTP requests correctly. For serial and HSSI media, ARP is not used.
If you need to netboot from a server, it is recommended that you ping the server from the ROM software. If you are unable to ping the server, there is a problem with the server configuration or hardware. Contact your technical support representative for assistance. See "Useful Information to Provide Technical Support" later in this section for details.
The sections that follow contain solutions to common problems that occur when netbooting. Note that these solutions apply only if you were able to successfully ping the server.
When netbooting, the client you netboot from sends an ARP request to the server over every available appropriate network interface (such as an Ethernet port or a Token Ring port). The client expects the server or a router to return an ARP response. If the client does not receive an ARP response from the server or a router, a message similar to the following displays at the client console:
Booting gs3-bfx..................[timed out]
One possible cause of not receiving an ARP response is that intermediate routers are not performing proxy ARP. Look for no ip proxy-arp in the configuration of the intermediate router. Another possible cause is that the client is using a broadcast address and the intermediate router does not have an IP helper address defined that points to the TFTP server.
When netbooting, it is not unusual for the client to send additional requests before receiving a response to the initial ARP request. This can result in timeouts, out-of-order packets, and multiple responses. Timeouts (shown as periods on a netbooting display) and out-of-order packets (shown as 0s) do not necessarily prevent a successful boot. It is acceptable to have timeouts and out-of-order packets. The following examples show successful boots even though a timeout and out-of-order packets have occurred:
Booting gs3-bfx from 131.108.1.123: !.!!!!!!!!!!!!!!!!!!!!!!
Booting gs3-bfx from 131.108.1.123: !0.0!!!!!!!!!!!!!!!!!!!!!!
Note that intermittent timeouts and out-of-order packets may occur throughout a netbooting session without being cause for concern. Excessive timeouts and out-of-order packets can be caused by bad routing paths on the intermediate routers, an extremely slow server, problems caused by multiple paths, or noise on the line. If your netbooting session appears to have excessive timeouts and out-of-order packets, contact your technical support representative and report the problem. Before calling technical support, you need to gather some information. See the section "Useful Information to Provide Technical Support" that follows for details.
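The progress display described above (a "!" per block received, "." for a timeout, "0" for an out-of-order packet, and "[timed out]" when no ARP response arrives) is easy to read by eye once, but tedious across many consoles. This added Python example, not from the manual, parses such lines and applies the page's troubleshooting guidance to each; the 0.5 "excessive" ratio and the sample console lines are constructed for the example.

```python
"""Read the netboot progress display described in the text: one mark per block,
'!' received, '.' timeout, '0' out-of-order, and a trailing [timed out] when no
ARP response ever came back. Classify each line using the page's guidance."""
import re
from dataclasses import dataclass
from typing import Optional, Tuple

PROGRESS_RE = re.compile(
    r"^Booting (?P<image>\S+?)"          # image name, non-greedy
    r"(?: from (?P<host>[\d.]+):)?"      # TFTP server; absent when ARP never resolved
    r"\s*(?P<marks>[!.0]*)"              # progress marks
    r"\s*(?P<fail>\[timed out\])?\s*$"
)


@dataclass(frozen=True)
class BootProgress:
    image: str
    host: Optional[str]
    ok: int             # '!' blocks received
    timeouts: int       # '.' marks
    out_of_order: int   # '0' marks
    timed_out: bool     # "[timed out]" suffix present

    @property
    def bad_ratio(self) -> float:
        total = self.ok + self.timeouts + self.out_of_order
        return (self.timeouts + self.out_of_order) / total if total else 0.0


def parse_progress(line: str) -> Optional[BootProgress]:
    """Parse one console line; return None if it is not a Booting line."""
    m = PROGRESS_RE.match(line.strip())
    if not m:
        return None
    marks = m.group("marks")
    return BootProgress(
        image=m.group("image"),
        host=m.group("host"),
        ok=marks.count("!"),
        timeouts=marks.count("."),
        out_of_order=marks.count("0"),
        timed_out=m.group("fail") is not None,
    )


# Ratio above which a session is reported as "excessive". The manual only says
# intermittent marks are fine and excessive ones are not; 0.5 is this example's
# threshold, not a value from the page.
EXCESSIVE_RATIO = 0.5


def assess(progress: BootProgress, threshold: float = EXCESSIVE_RATIO) -> Tuple[str, str]:
    """Classify a parsed line as (status, hint) following the page's troubleshooting notes."""
    if progress.timed_out:
        return ("timed-out",
                "no ARP response: check for 'no ip proxy-arp' on intermediate routers, "
                "or a missing IP helper address when booting via a broadcast address")
    if progress.bad_ratio > threshold:
        return ("excessive",
                "many timeouts/out-of-order packets: suspect routing paths, multiple paths, "
                "a slow server or line noise; gather details for technical support")
    return ("ok", "intermittent timeouts/out-of-order packets are not a cause for concern")


def assess_line(line: str) -> Tuple[str, str]:
    """Convenience wrapper: parse and assess in one step."""
    progress = parse_progress(line)
    if progress is None:
        return ("unparsed", "not a netboot progress line")
    return assess(progress)


# Constructed console lines modelled on the examples in the text.
SAMPLE_LINES = [
    "Booting gs3-bfx..................[timed out]",
    "Booting gs3-bfx from 131.108.1.123: !.!!!!!!!!",
    "Booting gs3-bfx from 131.108.1.123: !0.0!!!!!!",
    "Booting gs3-bfx from 131.108.1.123: .0.0.!0.",
]

if __name__ == "__main__":
    for sample in SAMPLE_LINES:
        status, hint = assess_line(sample)
        print(f"{status:10s} {sample}\n           {hint}")
```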
Collect the following information for the technical support representative:
The Flash Memory card is an add-in card of Flash memory storage onto which system software images can be stored, booted, and rewritten as necessary. This card also is called the CSC-MC+. The Flash card reduces the effects of network failure on system netbooting.
The CSC-MC+ Flash Memory card allows you to:
The Flash capability requires the appropriate level of system software, firmware, and hardware. Additionally, a number of prerequisites and caveats apply to its installation and use. Refer to the Modular Products Hardware Installation and Reference publication for complete hardware requirements, specifications, caveats, and step-by-step installation instructions.
The Flash Memory card's features include the following:
The Flash Memory card provides write-protection against accidental erasure or reprogramming of the Flash memories. The write-protect jumper, located on the front edge of the card, can be removed to prevent reprogramming of the Flash memory, but must be installed when programming is required. The system image stored in the Flash Memory card can only be changed from a privileged EXEC command session on the console terminal, which also offers system-wide security. In general, this feature is not recommended for remote systems.
The following is an overview of how to configure your system to boot from Flash memory. This is not a step-by-step set of instructions; rather, it is an overview to the process of using the Flash capability. Refer to the Modular Products Hardware Installation and Reference publication for complete instructions on installing the hardware and netbooting, and in particular, any jumper setting changes.
Step 1: Set your system to boot from ROM software.
Step 2: Restore the system configuration, if necessary.
Step 3: Copy the TFTP image to Flash memories.
Step 4: Configure from the terminal to automatically boot from the desired file in Flash memory.
Step 5: Write your configuration to memory.
Step 6: Set your system to netboot from a filename (requires jumper setting change).
Step 7: Power-cycle and reboot your system to ensure that all is working as expected and that the configuration is stored in NVRAM.
Once you have successfully installed and tested the CSC-MC+ card, you may want to configure the system with the no boot system flash command in order to revert back to booting from ROM.
The remainder of this section describes the configuration commands used with the Flash feature.
To verify that the appropriate system card is properly connected to the CSC-MC+ card, use the show flash or show flash all commands.
The show flash command displays the total amount of Flash memory present on the Flash card, the type of card connected to the Flash card, any files that may currently exist in Flash memory and their size, and the amounts of Flash memory used and remaining.
The show flash all command displays all the preceding information and also shows all the information about each Flash memory device.
Once you configure Flash, the show flash or show flash all commands will display the names of the system software images.
show flash
show flash all
The following shows sample output of the show flash command:
George# show flash
4096K bytes of flash ROM on MC+ (via MCI)
Contains:
gsxx (1086414)
tsyy (1086414)
[935053/4194304 bytes free]
Table 1-2 and Table 1-3 explain the show flash fields.
Show Flash Field Descriptions
| Field | Description |
|---|---|
| Bytes of flash ROM on MC+ (via MCI) | Total amount of Flash memory present on the Flash card and the type of card connected to the Flash card. |
| Contains: | Bytes of Flash memory used, followed by the total bytes of Flash memory in the system. |
The following shows sample output of the show flash all command:
George# show flash all
4096K bytes of flash ROM on MC+ (via MCI)
ROM 0, U2 , code 0x89BD, size 0x40000, name INTEL 28F020
ROM 1, U19, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 2, U3 , code 0x89BD, size 0x40000, name INTEL 28F020
ROM 3, U20, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 4, U4 , code 0x89BD, size 0x40000, name INTEL 28F020
ROM 5, U21, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 6, U5 , code 0x89BD, size 0x40000, name INTEL 28F020
ROM 7, U22, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 8, U9 , code 0x89BD, size 0x40000, name INTEL 28F020
ROM 9, U26, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 10, U10, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 11, U27, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 12, U11, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 13, U28, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 14, U12, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 15, U29, code 0x89BD, size 0x40000, name INTEL 28F020
Contains:
gsxx (1086414)[invalidated]
gsxx (1086414)
tsyy (1086414)
[935053/4194304] bytes free
| Field | Description |
|---|---|
| Bytes of flash ROM on MC+ (via MCI) | Total amount of Flash memory present on the Flash card and the type of card connected to the Flash card. |
| ROM #, U# | Number and location of ROM on the Flash memory card. |
| Code | Vendor code. |
| Size | Size in hex bytes. |
| Name | Vendor name. |
| Number | Chip part number. |
| Contains: | Files that may currently exist in Flash memory and their size. Also the amounts of Flash memory used and remaining. |
| [invalidated] | Flag that appears when a file is rewritten (recopied) into Flash memory, when a user aborts, when a network times out, or when there is a Flash memory overflow. |
When you see the [invalidated] flag, a prompt will tell you that the identical file already exists and that it will be invalidated. The first (now invalidated) copy of the file is still present within Flash memory, but it is rendered unusable in favor of the newest version.
To eliminate any files from Flash (invalidated or otherwise) and free up all available memory space, the entire Flash memory must be erased; individual files cannot be erased from Flash memory.
Both examples illustrate that the Flash memory can store and display multiple, independent software images (gsxx and tsyy) for booting itself or for TFTP serving software for other products. This feature would be most useful for storing default system software as a backup. These images also can be stored in compressed format.
The copy tftp flash command copies (writes) a TFTP image into the current Flash configuration:
copy tftp flash
You must enter the copy tftp flash command in all lowercase letters.
As a rule of thumb, you should compress the TFTP image before copying it.
If the image does not fit, the message buffer overflow - xxxx/xxxx will appear, where xxxx/xxxx is the number of bytes read in and the number of bytes available.
Once you give the copy tftp flash command, the system prompts you for the IP address (or domain name) of the TFTP server. This may be another router serving ROM or Flash system software images. You are then prompted for the filename of the software image and given the option to erase the existing Flash memory before writing onto it, but only when there is free space available in Flash memory. If no free Flash memory space is available, or if the Flash memory has never been written to, the erase routine is required before new files can be copied. The system prompts you when these conditions apply. The Flash memory is erased at the factory before shipment.
Following is sample output (copying a system image named gsxx) of the prompt you will see under these conditions:
George#copy tftp flash
IP address or name of remote host [255.255.255.255]? 131.131.101.101
Name of tftp filename to copy into flash []? gsxx
copy gsxx from 131.131.101.101 into flash memory? [confirm]
Flash is filled to capacity. (this line only appears if Flash memory is full)
Erasure is needed before flash may be written.
Erase flash before writing? [confirm]
When you erase the existing Flash, the system clears and initializes each Flash memory and displays a pound sign (#) prompt for each cleared and initialized device (total of 16). The entire copying process takes several minutes and will differ from network to network.
Following is sample output from copying a system image named gsxx into the current Flash configuration:
George#copy tftp flash
IP address or name of remote host [255.255.255.255]? 131.131.101.101
Name of tftp filename to copy into flash []? gsxx
copy gsxx from 131.131.101.101 into flash memory? [confirm]
xxxxxxxx bytes available for writing without erasure.
erase flash before writing? [confirm]
Clearing and initializing flash memory (please wait)####...
Loading from 101.2.13.110: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!...
[OK - 324572/524212 bytes]
Verifying checksum...
VVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVVV...
Flash verification successful. Length = 324572, checksum = 0xE2E2
The series of !s in the previous sample output indicates that the copying process is taking place. The series of Vs indicates that a checksum verification of the Flash memory is occurring as it is loaded into memory for boot. Checksum verification occurs only through data compare during programming of the Flash memory. The last line in the sample output indicates that the copy is successful.
Having successfully copied an image onto the Flash, the output of show flash all will provide the image name, as in the following sample output:
George# show flash all
4096K bytes of flash ROM on MC+ (via MCI)
ROM 0, U2 , code 0x89BD, size 0x40000, name INTEL 28F020
ROM 1, U19, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 2, U3 , code 0x89BD, size 0x40000, name INTEL 28F020
ROM 3, U20, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 4, U4 , code 0x89BD, size 0x40000, name INTEL 28F020
ROM 5, U21, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 6, U5 , code 0x89BD, size 0x40000, name INTEL 28F020
ROM 7, U22, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 8, U9 , code 0x89BD, size 0x40000, name INTEL 28F020
ROM 9, U26, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 10, U10, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 11, U27, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 12, U11, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 13, U28, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 14, U12, code 0x89BD, size 0x40000, name INTEL 28F020
ROM 15, U29, code 0x89BD, size 0x40000, name INTEL 28F020
Contains:
gsxx (1622132)
[2572172/4194304 bytes free]
During the actual copy process, the CSC-MC+'s yellow LED will be lit, indicating that the security (write-protect) jumper is installed. If the security jumper was removed from the Flash card, this would be indicated with the show flash command.
Following is sample output of this write-protected condition:
George# show flash
flash memory on MC+ card (via MCI)
security jumper is uninstalled, so flash memory is read-only
In this condition, no files could be copied to Flash until the jumper was reinstalled.
You are now ready to boot from Flash. The following sections describe how to automatically and manually boot from the Flash Memory card.
You can automatically boot the system from Flash memory using the boot system flash system configuration command.
boot system flash [filename]
The no boot system command disables all boot system configuration commands regardless of argument. Specifying the flash keyword or the filename argument with the no boot system command disables only the command specified by these arguments.
The boot system flash command boots the first valid file in Flash memory. The boot system flash filename boots the file specified by this filename.
Configure the system to automatically boot from the desired file in Flash memory using the configure terminal command and the boot system flash filename system configuration command.
Write the configuration to NVRAM with the write memory command. Following this, boot the system with the reload command.
The following shows use of this sequence of commands:
George#configure terminal
boot system flash gsnew-image
^Z
George#write memory
[ok]
George#reload
[confirm]
System Bootstrap, Version 4.5(0.3)
Copyright (c) 1986-1990 by cisco Systems
CSC3 processor with 4096 Kbytes of memory
F3: 1578668+35572+156084 at 0x1000
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR....
[OK - 162132/2110400 bytes]
F3: 1586072+36028+156004 at 0x1000
{ROM Monitor copyrights...}
Use the boot flash command at the ROM monitor level to manually boot the system, as in the following example.
boot flash [filename]

The optional filename argument specifies the filename of the image you want loaded. It is case sensitive.
Check the appropriate hardware manual for the correct jumper setting.
>b flash
F3: 1578668+35572+156084 at 0x1000
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR.... {reading/booting flash from rom monitor}
{ROM Monitor copyrights...}
To copy an image back to a TFTP server, use the copy flash tftp command. This copy of the system image can serve as a backup copy and can also be used to verify that the copy in Flash is the same as on the original file on disk.
copy flash tftp

You must enter the copy flash tftp command in all lowercase letters.
The following is an example of the use of this system configuration command:
George#copy flash tftp
IP address of remote host [255.255.255.255]? 101.2.13.110
Name of file to copy []? gsxx
writing gsxx !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
George#
Once you have successfully installed and tested the CSC-MC+ card and configured Flash memory, you may want to configure the system (configure terminal) with the no boot system flash configuration command in order to revert to booting from ROM. After this command is entered, use the write memory command to save the new configuration command to NVRAM. This procedure also requires changing the jumper on the processor's configuration register. Refer to the appropriate hardware installation and maintenance manual.
Occasionally network failures make netbooting impossible. To lessen the effects of network failure, consider the following boot strategy.
After Flash is installed and configured, you may want to configure the router to boot in the following order: first from Flash memory, then from a system file over the network, and finally from ROM.
This boot order provides a more fault-tolerant alternative in the netbooting environment. Use the following three commands in your configuration to allow you to boot first from Flash, then from a system file, and finally from ROM:
boot system flash filename
boot system filename address
boot system rom
The order of the commands needed to implement this strategy is shown in the following sample output:
George#configure terminal
boot system flash gsxx
boot system gsxx 131.131.101.101
boot system rom
^Z
George#write memory
[ok]
George#
In addition to these commands, the router must be configured to boot from ROM (involves a jumper setting change).
Using this strategy, a router used primarily in a netbooting environment would have three alternative sources from which to boot. These alternative sources would help cushion the negative effects of a failure with the TFTP file server and of the network in general.
The software configuration register enables an IGS system to boot from Flash memory or the ROM monitor when the system is restarted. The following command sets the software configuration register:
config-register value

The value argument is the register number, in hexadecimal. It is commonly one of the following:

| value | Description |
|---|---|
| 0x0 | Disable booting from Flash memory |
| 0x1 | Set the default switch register contents |
| 0x2 | Boot from the ROM monitor |
| 0xF | Boot from Flash memory |
The Flash Memory card can be used as a Trivial File Transfer Protocol (TFTP) file server for other routers on the network. This feature allows you to boot a remote router with an image that resides in the Flash server memory.
For clarification, in the description that follows, one router (with a Flash Memory card installed) will be referred to as the Flash server, and all other routers will be referred to as client routers. The configurations for the Flash server and client routers will be given through example configurations of each, with commands included as necessary.
The Flash server and client router must be able to reach one another before the TFTP function can be implemented. Verify this connection by pinging between the Flash server and client router (in either direction) using the ping command.
An example use of the ping command is as follows:
Router# ping 131.131.101.101 <Return>
In this example, the Internet Protocol (IP) address of 131.131.101.101 belongs to the client router. Connectivity is indicated by !!!!!, while ... [timed out] or [failed] indicates none. If the connection fails, reconfigure the interface, check the physical connection between the Flash server and client router, and ping again.
After this connection is verified, ensure that a TFTP-bootable image is present in Flash memory. This is the system software image the client router will boot. Note the name of this software image so you can verify it after the first client boot. The next example uses the filename gs3-bfx.91.1 for the boot image.
Caution: The type of software (bfx, and so forth) residing in the Flash memory must be of the same type as the ROM software installed on the client router. For example, if the client router has gs3-bfx.91.1 (capable of X.25 bridging) in ROM and gs3-bf.90.1 is booted from the Flash server, the client router will operate under the control of the gs3-bf.90.1 software and will not have X.25 bridging capability.
Once you have verified the presence of a bootable image in Flash memory, you can configure the Flash server.
Configure the Flash server by adding both the tftp-server system command and the access-list command to the configuration memory. Use the configure terminal command to do so.
Following is sample output of these commands:
Server#configure terminal
Enter configuration commands, one per line. Edit with DELETE, CRTL/W, and CRTL/U; end with CTRL/Z
tftp-server system gs3-bfx.91.1 1
access-list 1 permit 131.131.101 0.0.0.255
^Z
Server#write memory <Return>
[ok]
Server#
This example gives the filename of the software image in the Flash server and one access list (labeled 1). The access list must include the network within which the client router resides. Thus, in the example, the network 131.131.101.0 and any client routers on it are permitted access to the Flash server filenamed gs3-bfx.91.1.
For more information on access lists, refer to the section "Configuring IP Access Lists" in the "Routing IP" chapter of this manual.
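The access list attached to the tftp-server system command is what decides which client routers may fetch the image, so it is worth checking the wildcard arithmetic before relying on it. The following Python script is an added example, not part of the Cisco manual: it parses the two configuration lines shown above, pads the shortened address 131.131.101 to four octets the way the router does, and evaluates a candidate client address against the list with first-match semantics and the implicit deny at the end. Treating an image with no list number as served without restriction is an assumption of this script, as are all function names.

```python
"""Standard access-list check for a Flash TFTP server (added example).

Models the semantics used with 'tftp-server system': each entry reads
'access-list N permit|deny ADDRESS WILDCARD', a wildcard bit of 1 means
"don't care", entries are tested in order, and an address matching no
entry is implicitly denied.
"""
import ipaddress
import re

# Constructed sample, taken from the Flash server configuration shown above.
SAMPLE_CONFIG = """
tftp-server system gs3-bfx.91.1 1
access-list 1 permit 131.131.101 0.0.0.255
"""

ACL_RE = re.compile(r"^access-list\s+(\d+)\s+(permit|deny)\s+(\S+)(?:\s+(\S+))?$")
TFTP_RE = re.compile(r"^tftp-server system\s+(\S+)(?:\s+(\d+))?$")


def pad_octets(addr):
    """Expand a shortened dotted address ('131.131.101' -> '131.131.101.0')."""
    parts = addr.split(".")
    if not 1 <= len(parts) <= 4:
        raise ValueError("bad address: %s" % addr)
    parts += ["0"] * (4 - len(parts))
    return ".".join(parts)


def parse_access_lists(config):
    """Return {list_number: [(action, network_int, wildcard_int), ...]}."""
    lists = {}
    for line in config.splitlines():
        m = ACL_RE.match(line.strip())
        if not m:
            continue
        number, action, addr, wildcard = m.groups()
        if addr == "any":
            net, wc = 0, 0xFFFFFFFF
        else:
            net = int(ipaddress.IPv4Address(pad_octets(addr)))
            wc = int(ipaddress.IPv4Address(wildcard or "0.0.0.0"))
        lists.setdefault(int(number), []).append((action, net, wc))
    return lists


def acl_permits(entries, client_ip):
    """First-match evaluation with the implicit deny at the end of the list."""
    ip = int(ipaddress.IPv4Address(client_ip))
    for action, net, wc in entries:
        care = ~wc & 0xFFFFFFFF          # bits the entry actually compares
        if (ip & care) == (net & care):
            return action == "permit"
    return False


def tftp_server_entries(config):
    """Map each image named by 'tftp-server system' to its access list number."""
    served = {}
    for line in config.splitlines():
        m = TFTP_RE.match(line.strip())
        if m:
            served[m.group(1)] = int(m.group(2)) if m.group(2) else None
    return served


def client_may_fetch(config, image, client_ip):
    """True if client_ip is allowed to boot 'image' from this Flash server."""
    served = tftp_server_entries(config)
    if image not in served:
        return False                     # image is not offered at all
    acl_number = served[image]
    if acl_number is None:               # assumption: no list means unrestricted
        return True
    entries = parse_access_lists(config).get(acl_number, [])
    return acl_permits(entries, client_ip)


if __name__ == "__main__":
    for ip in ("131.131.101.101", "131.131.102.5"):
        verdict = "permitted" if client_may_fetch(SAMPLE_CONFIG, "gs3-bfx.91.1", ip) else "denied"
        print(ip, verdict)
```

Running the script shows the client router at 131.131.101.101 permitted and a host on the neighbouring 131.131.102.0 network denied, which is the behaviour the configuration above intends.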
Caution: Using the no boot system command in the following example will invalidate all other boot system commands currently in the client router system configuration. Before proceeding, determine whether the system configuration stored in the router you will use as the client should first be saved (uploaded) to a TFTP file server. Refer to the "First-Time Startup and Basic Configuration" chapter for instructions on uploading and downloading system configuration files.
Configure the client router using the no boot system command, the boot system command, and the boot system rom command. Use the configure terminal command to enter these commands into the client router's memory configuration. Using these commands requires changing the jumper on the configuration register of the processor to the pattern 0-0-1-0 (Position 1). For this exercise, the IP address of the Flash server is 131.131.111.111.
Following is an example of the use of these commands:
Client#configure terminal
Enter configuration commands, one per line. Edit with DELETE, CRTL/W, and CRTL/U; end with CTRL/Z
no boot system
boot system gs3-bfx.91.1 131.131.111.111
boot system rom
^Z
Client#write memory <Return>
[ok]
Server#reload
In this example, the no boot system command invalidates all other boot system commands currently in the configuration memory, and any boot system commands entered after this command will be executed first. The second command, boot system filename address, tells the client router to look for the file gs3-bfx.91.1 in the (Flash) server with an IP address of 131.131.111.111. Failing this, the client router will boot from its system ROM upon the boot system rom command, which is included as a backup in case of a network problem.
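The order in which boot system commands end up in NVRAM, and the difference between a bare no boot system and one that names a source, is easy to get wrong when a configuration has been edited several times. The following Python script is an added example, not part of the Cisco manual: it replays a list of configuration lines according to the rules stated above (entries are tried in the order entered; no boot system without arguments removes all of them; no boot system with an argument removes only the matching entry) and then lints the result against the fault-tolerant order recommended earlier, Flash first, then a network file, then ROM. The function names and the lint messages are this script's own.

```python
"""Replay 'boot system' lines to find the effective boot order (added example).

Semantics modelled: boot sources are tried in the order entered;
'no boot system' alone removes every entry; 'no boot system <args>'
removes only the entry with exactly those arguments.
"""
import re

BOOT_RE = re.compile(r"^(no\s+)?boot\s+system(?:\s+(.*))?$")

# Lint messages, kept as constants so callers can compare against them.
NO_ENTRIES = "no boot system entries remain"
NO_ROM_FALLBACK = "last entry is not 'boot system rom': no local fallback"
NET_BEFORE_FLASH = "network boot is tried before Flash"

# Constructed samples taken from the configurations shown on this page.
CLIENT_CONFIG = [
    "no boot system",
    "boot system gs3-bfx.91.1 131.131.111.111",
    "boot system rom",
]
STRATEGY_CONFIG = [
    "boot system flash gsxx",
    "boot system gsxx 131.131.101.101",
    "boot system rom",
]


def parse_boot_command(line):
    """Return (negated, entry) or None if the line is not a boot system command.

    entry is ('rom',), ('flash', filename_or_None), ('tftp', filename, addr_or_None),
    or None for the bare 'no boot system'.
    """
    m = BOOT_RE.match(line.strip())
    if not m:
        return None
    negated = bool(m.group(1))
    args = (m.group(2) or "").split()
    if not args:
        entry = None
    elif args[0] == "rom":
        entry = ("rom",)
    elif args[0] == "flash":
        entry = ("flash", args[1] if len(args) > 1 else None)
    else:
        entry = ("tftp", args[0], args[1] if len(args) > 1 else None)
    return negated, entry


def apply_boot_config(lines):
    """Return the ordered list of boot sources left after all lines are applied."""
    order = []
    for line in lines:
        parsed = parse_boot_command(line)
        if parsed is None:
            continue                       # prompts, ^Z, unrelated commands
        negated, entry = parsed
        if negated:
            if entry is None:
                order = []                 # bare 'no boot system' clears everything
            else:
                order = [e for e in order if e != entry]
        elif entry is not None:
            order.append(entry)
    return order


def boot_order_problems(order):
    """Compare the effective order with the Flash -> network -> ROM strategy."""
    problems = []
    if not order:
        return [NO_ENTRIES]
    if order[-1] != ("rom",):
        problems.append(NO_ROM_FALLBACK)
    kinds = [e[0] for e in order]
    if "tftp" in kinds and "flash" in kinds and kinds.index("tftp") < kinds.index("flash"):
        problems.append(NET_BEFORE_FLASH)
    return problems


if __name__ == "__main__":
    for name, cfg in (("client", CLIENT_CONFIG), ("strategy", STRATEGY_CONFIG)):
        order = apply_boot_config(cfg)
        print(name, order, boot_order_problems(order) or "ok")
```

Feeding the script a configuration that still carries an old boot system flash line ahead of the bare no boot system shows the old line dropped, which is exactly the effect the caution above warns about.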
Caution: The system software (gs3-bfx.91.1) to be booted from the Flash server (131.131.111.111) must reside in Flash memory on the server. If it is not in Flash memory, the client router will boot the Flash server's system ROM.
Use the show version command on the client router to verify that the software image booted from the Flash server is the image present in Flash memory.
Following is sample output of the show version command:
Client# show version
GS Software (GS3-BFX), Version 90.1, CISCO SYSTEMS SOFTWARE
Copyright (c) 1986-1992 by cisco Systems, Inc.
Compiled Mon 30-Mar-92 17:16
System Bootstrap, Version 4.5(0.5), CISCO SYSTEMS SOFTWARE
Client uptime is 5 minutes
System restarted by reload
System image file is "gs3-bfx.91.1", booted via tftp from 131.131.111.111
The important information in this example is contained in the first line (GS Software...), and the last full line (System image file...). The two software types and versions shown indicate the software currently running in RAM in the client router (first line) and the software booted from the Flash server (last line). These two types and versions must be the same.
Verify that the software shown in the first line of the previous example is the software residing in the Flash server memory.
Cisco 7000 series interface processors and the Switch Processor (SP) each have a writable control store (WCS). The WCS stores microcode. You can load updated microcode onto the WCS from the onboard ROM or from Flash memory on the Route Processor (RP) card. With this feature, you can update microcode without having physical access to the router, and you can load new microcode without rebooting the system.
By default, microcode is loaded from the ROM on each interface card. (This onboard ROM microcode is not the same as the eight ROMs on the RP that contain the system image.) However, you also can load microcode from Flash. To do this, first copy microcode files into Flash by using the copy tftp flash command. Then, use the configuration commands described in this section to load microcode from Flash memory into the WCS. If an error occurs when you are attempting to download microcode, the onboard ROM microcode will be loaded and the interface will remain operational.
To specify the location of the microcode image you want to download, use the following configuration command:
microcode interface-type [rom|flash filename]

The argument interface-type is one of the following interface processor names: eip, fip, fsip, hip, sip, sp, and trip.
The argument filename is the filename of the microcode in Flash memory that you want to download.
Use the microcode flash command in cases when a code patch is separately shipped as an interim measure until the new interface code is completely qualified and released. If there is a problem with the Flash file, such as a corrupt or wrong file, the default (system bundle) is loaded instead.
Entering the command no microcode interface-type flash is the same as entering the command microcode interface-type rom.
To retain new configuration information when the system is rebooted, enter the write memory command at the EXEC prompt after entering microcode configuration commands.
These configuration commands are implemented following one of three events: the system is booted, a card is inserted or removed, or the microcode reload configuration command is issued.
After you have entered a microcode configuration command and one of these events has taken place, all of the cards are reset, loaded with microcode from the appropriate sources, tested, and enabled for operation.
In the following example, all FIP cards will use their onboard ROM microcode:
microcode fip rom
In the following example, all FIP cards will be loaded with the microcode found in Flash memory file fip.v141-7 when the system is booted, when a card is inserted or removed, or when the configuration command microcode reload is issued. The configuration is then written to NVRAM.
microcode fip flash fip.v141-7
^Z
> write memory
To signal to the system that all microcode configuration commands have been entered and the processor cards should be reloaded, use the following command:
microcode reload

If Flash memory is busy because a card is being removed or inserted, or if you issue a microcode reload command while Flash is locked, the files will not be available and the onboard ROM microcode will be loaded. Issue another microcode reload command when Flash memory is available, and the proper microcode will be loaded. The show flash command will show if another user or process has locked Flash memory. Do not use the microcode reload command while Flash is in use. For example, do not use this command when a copy tftp flash or show flash command is active.
The microcode reload command is automatically added to your running configuration when you issue a microcode command that changes the system's default behavior of loading all processors from ROM.
In the following example, all controllers are reset, the specified microcode is loaded, and the CxBus complex is reinitialized according to the microcode configuration commands that have been written to memory.
microcode reload
To show the microcode bundled into the system, enter the following EXEC command:
show microcode

A sample display of the show microcode command follows:

Router# show microcode
Microcode bundled in system

| Card Type | Microcode Version | Target Hardware Version | Description |
|---|---|---|---|
| SP | 161.18 | 11.x | SP version 161.18 |
| EIP | 1.0 | 1.x | EIP version 1.0 |
| TRIP | 1.1 | 1.x | TRIP version 1.1 |
| FIP | 1.3 | 2.x | FIP version 1.3 |
| HIP | 1.0 | 1.x | HIP version 1.0 |
| SIP | 1.1 | 1.x | SIP version 1.1 |
| FSIP | 161.72 | 1.x | FSIP version 161.72 |
Flash memory is located on the Route Processor (RP) in the Cisco 7000 series. Software images can be stored, booted, and rewritten into Flash memory as necessary. Flash memory can reduce the effects of network failure by reducing dependency on files that can only be accessed over the network.
Flash memory allows you to do the following:
Flash memory features include the following:
Flash memory provides write protection against accidental erasing or reprogramming. The write-protect jumper, located next to the Flash components on the RP, can be removed to prevent reprogramming of the Flash memory, but must be installed when programming is required.
The system image stored in Flash memory can only be changed from a privileged EXEC command session on the console terminal. This feature offers systemwide security.
The following list is an overview of how to configure your system to boot from Flash memory. It is not a step-by-step set of instructions; rather, it is an overview of the process of using the Flash capability. Refer to the appropriate Hardware Installation and Reference publication for complete instructions for installing the hardware and netbooting, and in particular, for the jumper settings required for your configuration.
Step 1: Set your system to boot from ROM software.
Step 2: Restore the system configuration, if necessary.
Step 3: Copy the TFTP image to Flash memory.
Step 4: Configure from the terminal to automatically boot from the desired file in Flash memory.
Step 5: Set your system to boot from a file in Flash memory (requires jumper setting change).
Step 6: Power-cycle and reboot your system to ensure that all is working as expected.
Once you have successfully configured Flash memory, you might want to configure the system with the no boot system flash command to revert back to booting from ROM.
The remainder of this chapter describes the configuration commands used with Flash memory.
Once you configure Flash, use the following command to display the names of the system software images:
show flash [all]

The show flash command displays the total amount of Flash memory present, where it is located, any files that currently might exist in Flash memory and their sizes, and the amounts of Flash memory used and remaining.
The show flash all command displays all the preceding file information as well as vendor, location, and other security information about each Flash memory device.
The Flash content listing does not include the checksum of individual files. To recompute and verify the image checksum after the image is copied into Flash memory, use the following command:
copy verify

When you enter this command, the screen prompts you for the filename to verify. By default, it prompts for the last file in Flash (most recent). Press Return to recompute the default file checksum or enter the filename of a different file at the prompt. Note that the checksum for microcode images is always 0x0000.
The following example shows sample output of the show flash command without the optional all keyword:
George> show flash
4096K bytes of flash memory on embedded flash (in RP1).
file offset length name
0 0x40 3584 gs7-k [deleted]
1 0xE80 1902192 gs7-k
2 0x1D1530 12800 eip.v128-9 [deleted]
3 0x1D4770 106578 eip.v128-9
4 0x1EE804 96906 fip.v141-7
5 0x2062D0 53330 eip128-10
[2018524/4194304 bytes free]
Table 1-4 describes the show flash display fields.
| Field | Description |
|---|---|
| file | Number of file in flash memory. |
| offset | Location of file. Base flash address plus offset equals the location of the file. |
| length | Length, in bytes, of file in flash memory. |
| name | Files that currently exist in flash memory. |
| bytes free | Amount of flash memory remaining. |
| [deleted] | Flag indicating that another file exists with the same name or that process has been aborted. |
The following example shows sample output of the show flash all command:
7000> show flash all
4096K bytes of flash memory on embedded flash (in RP1).
ROM socket code bytes name
0 U63 89BD 0x40000 INTEL 28F020
1 U62 89BD 0x40000 INTEL 28F020
2 U61 89BD 0x40000 INTEL 28F020
3 U60 89BD 0x40000 INTEL 28F020
4 U48 89BD 0x40000 INTEL 28F020
5 U47 89BD 0x40000 INTEL 28F020
6 U46 89BD 0x40000 INTEL 28F020
7 U45 89BD 0x40000 INTEL 28F020
8 U30 89BD 0x40000 INTEL 28F020
9 U29 89BD 0x40000 INTEL 28F020
10 U28 89BD 0x40000 INTEL 28F020
11 U27 89BD 0x40000 INTEL 28F020
12 U17 89BD 0x40000 INTEL 28F020
13 U16 89BD 0x40000 INTEL 28F020
14 U15 89BD 0x40000 INTEL 28F020
15 U14 89BD 0x40000 INTEL 28F020
security jumper(12V) is installed,
flash memory is programmable.
file offset length name
0 0x40 3584 gs7-k [deleted]
1 0xE80 1902192 gs7-k
2 0x1D1530 12800 eip.v128-9 [deleted]
3 0x1D4770 106578 eip.v128-9
4 0x1EE804 96906 fip.v141-7
5 0x2062D0 53330 eip128-10
[2018524/4194304 bytes free]
7000>
In the following example, the security jumper is not installed and you cannot write to Flash memory until the security jumper is installed.
Everest> show flash all
4096K bytes of flash memory on embedded flash (in RP1).
security jumper(12V) is not installed,
flash memory is read-only.
file offset length name
0 0xDCD0 1903892 gs7-k [deleted]
1 0x1DEA24 1903912 gs7-k
[329908/4194304 bytes free]
Table 1-5 describes the show flash all display fields.
| Field | Description |
|---|---|
| ROM | Number of ROM on Flash memory. |
| socket | Location of Flash. |
| code | Vendor code. |
| bytes | Size of device in hex bytes. |
| name | Vendor name. |
| security jumper, flash memory | Security jumper is/is not installed. Flash memory is programmable or read-only. If the security jumper is not installed, you will see the show flash display with a message indicating that the jumper is not installed. |
| file | Number of file in Flash memory. |
| offset | Location of file. Base Flash address plus offset equals the location of the file. |
| length | Length, in bytes, of file in Flash memory. |
| name | Files that currently exist in Flash memory. |
| bytes free | Amount of Flash memory remaining (x/y means x bytes available in Flash of an original total of y bytes). |
| [deleted] | Flag indicating that another file exists with the same name or that process has been aborted. |
To eliminate files from Flash (deleted or otherwise) and free up all available memory space, erase the entire Flash memory; you cannot erase individual files from Flash memory.
The preceding examples illustrate that Flash memory can store and display multiple, independent software images for booting or for providing TFTP server software for other products. This feature is useful for storing backups of default system software. These images also can be stored in compressed format (but cannot be compressed by the router).
Use the following command to copy (write) a TFTP image into the current Flash configuration:
copy tftp flash

Once you give the copy tftp flash command, the system prompts you for the IP address (or domain name) of the TFTP server. This may be another router serving ROM or Flash system software images. You are then prompted for the filename of the software image and, when there is free space available in Flash memory, you are given the option of erasing the existing Flash memory before writing onto it. If no free Flash memory space is available, or if the Flash memory has never been written to, the erase routine is required before new files can be copied. The system will inform you of these conditions and prompt you for a response. Note that the Flash memory is erased at the factory before shipment.
If you attempt to copy a file into Flash memory that is already there, a prompt will tell you that a file with the same name already exists. This file is "deleted" when you copy the new file into Flash. The first copy of the file still resides within Flash memory, but is rendered unusable in favor of the newest version, and will be listed with the [deleted] tag when you use the show flash command. If you abort the copy process, the newer file will be marked [deleted] because the entire file was not copied and is, therefore, not valid. In this case, the original file in Flash memory is valid and available to the system.
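A show flash listing carries three things an operator should check before and after a copy: whether the security jumper leaves Flash programmable, which entries are tagged [deleted] and therefore unusable, and whether the free-space line still adds up. The following Python script is an added example, not part of the Cisco manual: it parses listings in the format shown in the show flash all examples above (the jumper wording of the CSC-MC+ card is recognised too), separates valid images from superseded ones, predicts what copy tftp flash will require, and also checks the "System image file" line from a client's show version, discussed earlier in the Flash server section, against the images the server actually holds. The sample listings are constructed from the values on this page; the function names are this script's own.

```python
"""Parser for 'show flash' listings and a boot-image check (added example).

Reads a listing like those shown above, reports whether the write-protect
(security) jumper is installed, separates valid images from entries tagged
[deleted], predicts what 'copy tftp flash' will need, and checks a client's
'System image file' line against the server's valid images.
"""
import re

# Constructed sample modelled on the Cisco 7000 'show flash all' listing above.
SAMPLE_PROGRAMMABLE = """\
4096K bytes of flash memory on embedded flash (in RP1).
security jumper(12V) is installed,
flash memory is programmable.
file offset length name
0 0x40 3584 gs7-k [deleted]
1 0xE80 1902192 gs7-k
2 0x1D1530 12800 eip.v128-9 [deleted]
3 0x1D4770 106578 eip.v128-9
4 0x1EE804 96906 fip.v141-7
5 0x2062D0 53330 eip128-10
[2018524/4194304 bytes free]
"""

# Constructed sample of the read-only condition (jumper not installed).
SAMPLE_READ_ONLY = """\
4096K bytes of flash memory on embedded flash (in RP1).
security jumper(12V) is not installed,
flash memory is read-only.
file offset length name
0 0xDCD0 1903892 gs7-k [deleted]
1 0x1DEA24 1903912 gs7-k
[329908/4194304 bytes free]
"""

# Constructed 'show version' fragment from a client that booted off the server.
SAMPLE_SHOW_VERSION = 'System image file is "gs7-k", booted via tftp from 131.131.111.111'

FILE_RE = re.compile(r"^(\d+)\s+(0x[0-9A-Fa-f]+)\s+(\d+)\s+(\S+)(\s+\[deleted\])?$")
FREE_RE = re.compile(r"^\[(\d+)/(\d+) bytes free\]$")
IMAGE_RE = re.compile(r'System image file is "([^"]+)"(?:, booted via (\S+) from (\S+))?')


def parse_show_flash(text):
    """Return jumper state, file table and free/total bytes from a listing."""
    info = {"programmable": None, "files": [], "bytes_free": None, "bytes_total": None}
    for raw in text.splitlines():
        line = raw.strip()
        low = line.lower()
        # Both wordings seen on this page: "... is read-only" / "... is programmable".
        if "read-only" in low:
            info["programmable"] = False
        elif "programmable" in low:
            info["programmable"] = True
        m = FILE_RE.match(line)
        if m:
            info["files"].append({"index": int(m.group(1)), "offset": int(m.group(2), 16),
                                  "length": int(m.group(3)), "name": m.group(4),
                                  "deleted": m.group(5) is not None})
            continue
        m = FREE_RE.match(line)
        if m:
            info["bytes_free"], info["bytes_total"] = int(m.group(1)), int(m.group(2))
    return info


def valid_images(info):
    """Names the system can still boot (entries not tagged [deleted])."""
    return [f["name"] for f in info["files"] if not f["deleted"]]


def superseded_images(info):
    """[deleted] entries that were replaced by a later copy of the same name."""
    live = set(valid_images(info))
    return [f["name"] for f in info["files"] if f["deleted"] and f["name"] in live]


def reclaimable_bytes(info):
    """Bytes held by [deleted] files; only a full erase gives them back."""
    return sum(f["length"] for f in info["files"] if f["deleted"])


def free_space_consistent(info):
    """File bytes plus free bytes must not exceed the device size."""
    used = sum(f["length"] for f in info["files"])
    return used + info["bytes_free"] <= info["bytes_total"]


def copy_precheck(info, image_size):
    """What 'copy tftp flash' will require for an image of image_size bytes."""
    if info["programmable"] is False:
        return "read-only"                 # jumper must be installed first
    if info["bytes_free"] is not None and image_size <= info["bytes_free"]:
        return "write"                     # fits without erasing
    return "erase"                         # full erase needed before writing


def booted_image_present(show_version_text, server_info):
    """Check the client's 'System image file' name against the server's valid images."""
    m = IMAGE_RE.search(show_version_text)
    return bool(m) and m.group(1) in valid_images(server_info)


if __name__ == "__main__":
    for sample in (SAMPLE_PROGRAMMABLE, SAMPLE_READ_ONLY):
        info = parse_show_flash(sample)
        print(info["programmable"], valid_images(info), superseded_images(info),
              reclaimable_bytes(info), copy_precheck(info, 1906676))
    print(booted_image_present(SAMPLE_SHOW_VERSION, parse_show_flash(SAMPLE_PROGRAMMABLE)))
```

On the first sample the script reports gs7-k and eip.v128-9 as superseded copies and 16384 bytes held by [deleted] entries that only a full erase will recover; on the second it reports the read-only condition, which is the state the copy tftp flash command itself refuses to write in.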
Following is sample output (copying a system image named gs7-k) of the prompt you will see when using the copy tftp flash command when Flash memory is too full to copy the file. The filename gs7-k can be in either lower- or uppercase; the system will see GS7-K as gs7-k. If more than one file of the same name, regardless of case, is copied to Flash, the last file copied will become the valid file.
env-chassis# copy tftp flash
IP address or name of remote host [255.255.255.255]? dirt
Translating "DIRT"...domain server (255.255.255.255) [OK]
Name of file to copy ? gs7-k
Copy gs7-k from 131.108.13.111 into flash memory? [confirm]
Flash is filled to capacity.
Erasure is needed before flash may be written.
Erase flash before writing? [confirm]
Erasing flash EPROMs bank 0
Zeroing bank...zzzzzzzzzzzzzzzz
Verify zeroed...vvvvvvvvvvvvvvvv
Erasing bank...eeeeeeeeeeeeeeee
Erasing flash EPROMs bank 1
Zeroing bank...zzzzzzzzzzzzzzzz
Verify zeroed...vvvvvvvvvvvvvvvv
Erasing bank...eeeeeeeeeeeeeeee
Erasing flash EPROMs bank 2
Zeroing bank...zzzzzzzzzzzzzzzz
Verify zeroed...vvvvvvvvvvvvvvvv
Erasing bank...eeeeeeeeeeeeeeee
Erasing flash EPROMs bank 3
Zeroing bank...zzzzzzzzzzzzzzzz
Verify zeroed...vvvvvvvvvvvvvvvv
Erasing bank...eeeeeeeeeeeeeeee
Loading from 131.108.1.111: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 1906676/4194240 bytes]
Verifying via checksum...
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
Flash verification successful. Length = 1906676, checksum = 0x12AD
Following is sample output from copying a system image named gs7-k into the current Flash configuration, in which a file of the name gs7-k already exists:
env-chassis# copy tftp flash
IP address or name of remote host [131.108.13.111]?
Name of file to copy ? gs7-k
File gs7-k already exists; it will be invalidated!
Copy gs7-k from 131.108.13.111 into flash memory? [confirm]
2287500 bytes available for writing without erasure.
Erase flash before writing? [confirm]n
Loading from 131.108.1.111: !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
[OK - 1906676/2287500 bytes]
Verifying via checksum...
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
vvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvvv
Flash verification successful. Length = 1902192, checksum = 0x12AD
In the following example, the Flash security jumper is not installed, so you cannot write files to Flash memory.
Everest# copy tftp flash
Flash: embedded flash security jumper(12V)
must be strapped to modify flash memory
Having successfully copied an image onto Flash, the output of show flash all will provide the image name, as in the following sample output:
George> show flash all
4096K bytes of flash memory on embedded flash (in RP1).
ROM socket code bytes name
0 U63 89BD 0x40000 INTEL 28F020
1 U62 89BD 0x40000 INTEL 28F020
2 U61 89BD 0x40000 INTEL 28F020
3 U60 89BD 0x40000 INTEL 28F020
4 U48 89BD 0x40000 INTEL 28F020
5 U47 89BD 0x40000 INTEL 28F020
6 U46 89BD 0x40000 INTEL 28F020
7 U45 89BD 0x40000 INTEL 28F020
8 U30 89BD 0x40000 INTEL 28F020
9 U29 89BD 0x40000 INTEL 28F020
10 U28 89BD 0x40000 INTEL 28F020
11 U27 89BD 0x40000 INTEL 28F020
12 U17 89BD 0x40000 INTEL 28F020
13 U16 89BD 0x40000 INTEL 28F020
14 U15 89BD 0x40000 INTEL 28F020
15 U14 89BD 0x40000 INTEL 28F020
security jumper(12V) is installed,
flash memory is programmable.
file offset length name
0 0x40 3584 gs7-k [deleted]
1 0xE80 1906676 gs7-k
2 0x1D1530 12800 eip.v128-9 [deleted]
3 0x1D4770 106578 eip.v128-9
4 0x1EE804 96906 fip.v141-7
5 0x2062D0 53330 eip128-10
[2018524/4194304 bytes free]
George>
You are now ready to boot from Flash. The following sections describe how to boot from Flash memory, both automatically and manually.
This procedure requires changing the jumper on the processor's configuration register. Refer to the appropriate hardware installation and maintenance manual for instructions.
Use the following command to automatically boot the system from Flash memory:
boot system flash [filename]

The no boot system command, entered without arguments, disables all boot system configuration commands regardless of argument. Specifying the flash keyword or the filename argument with the no boot system command disables only the command specified by these arguments.
The boot system flash command boots the first valid file in Flash memory. The boot system flash filename command boots the file specified by this filename. The optional filename argument specifies the filename of the image you want loaded. It is case sensitive.
Configure the system to automatically boot from the desired file in Flash memory using the configure terminal and boot system flash filename commands.
Write the configuration to NVRAM with the write memory command. Next, boot the system with the reload command.
The following example shows the use of this sequence of commands:
George#configure terminal
boot system flash gsnew-image
^Z
George#write memory
[ok]
George#reload
[confirm]
%SYS-5-RELOAD: Reload requested
System Bootstrap, Version 4.6(0.16), BETA SOFTWARE
Copyright (c) 1986-1992 by cisco Systems
RP1 processor with 16384 Kbytes of memory
F3: 1871404+45476+167028 at 0x1000
Booting gsnew-image from flash memory RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR [OK - 1916912/13767448 bytes]
F3: 1871404+45476+167028 at 0x1000
Restricted Rights Legend
Use, duplication, or disclosure by the Government is subject to restrictions as set forth in subparagraph (c) of the Commercial Computer Software - Restricted Rights clause at FAR sec. 52.227-19 and subparagraph (c) (1) (ii) of the Rights in Technical Data and Computer Software clause at DFARS sec. 252.227-7013.
cisco Systems, Inc.
1525 O'Brien Drive
Menlo Park, California 94025
GS Software (GS7), Version 9.17(0.3), BETA SOFTWARE
Copyright (c) 1986-1992 by cisco Systems, Inc.
Compiled Thu 05-Nov-92 14:16 by mlw
Use the following command at the ROM monitor level to manually boot the system from Flash memory:
b flash [filename]

The optional filename argument specifies the filename of the image you want loaded. It is case sensitive. Check the appropriate Hardware Installation and Maintenance publication for the correct jumper setting.
The following example shows the boot flash command without the optional filename argument. In this example, all files in Flash memory will be loaded.
> b flash
F3: 1858656+45204+166896 at 0x1000
Booting gs7-k from flash memory RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR [OK - 1903912/13765276 bytes]
F3: 1858676+45204+166896 at 0x1000
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
In the following example, the boot flash command is used with the filename gs7-k. That is the file that will be loaded.
> b flash gs7-k
F3: 1858656+45204+166896 at 0x1000
Booting gs7-k from flash memory RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRRR
RRRRRRRRRRRRRR [OK - 1903912/13765276 bytes]
F3: 1858676+45204+166896 at 0x1000
Restricted Rights Legend
Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
System Bootstrap, Version 4.6(1012) [mlw 99], INTERIM SOFTWARE
Copyright (c) 1986-1992 by cisco Systems
RP1 processor with 16384 Kbytes of memory
To copy an image back to a TFTP server, use the copy flash tftp command. The resulting copy of the system image can serve as a backup copy and also can be used to verify that the copy in Flash is the same as in the original file on disk.
copy flash tftp

In the following example, the file gsxx is copied to the TFTP server:
George#copy flash tftp
IP address of remote host [255.255.255.255]? 101.2.13.110
Name of file to copy []? gsxx
writing gsxx !!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!
copy complete
George#
Once you have configured Flash memory, you may want to configure the system (using the configure terminal command) with the no boot system flash configuration command to revert to booting from ROM (for example, if you do not yet need this functionality, if you choose to netboot, or if you do not have the proper image in Flash memory). After you enter the no boot system flash command, use the write memory command to save the new configuration command to NVRAM.
This procedure also requires changing the jumper on the processor's configuration register. Refer to the appropriate hardware installation and maintenance manual for instructions.
Occasionally network failures make netbooting impossible. To lessen the effects of network failure, consider the following boot strategy.
After Flash is installed and configured, you may want to configure the router to boot in the following order:
1. From Flash memory.
2. From a system image file on a network (TFTP) server.
3. From ROM.
This boot order provides the most fault-tolerant alternative in the netbooting environment. Use the following three commands, in this order, in your configuration to boot first from Flash, then from a system file, and finally from ROM:
boot system flash [filename]
boot system filename [address]
boot system rom
The order of the commands needed to implement this strategy is shown in the following sample output:
George#configure terminal
boot system flash gsxx
boot system gsxx 131.131.101.101
boot system rom
^Z
George#write memory
[ok]
George#
Using this strategy, a router used primarily in a netbooting environment would have three alternative sources from which to boot. These alternative sources would help cushion the negative effects of a failure with the TFTP file server and of the network in general.
Flash memory can be used as a Trivial File Transfer Protocol (TFTP) file server for other routers on the network. This feature allows you to boot a remote router with an image that resides in the Flash server memory.
In the description that follows, one Cisco 7000 series router will be referred to as the Flash server, and all other routers will be referred to as client routers. The configurations for the Flash server and client routers will be given through example configurations of each, with commands included as necessary.
The Flash server and client router must be able to reach one another before the TFTP function can be implemented. Verify this connection by pinging between the Flash server and client router (in either direction) using the ping command.
An example use of the ping command is as follows:
Router# ping 131.131.101.101 <Return>
In this example, the Internet Protocol (IP) address of 131.131.101.101 belongs to the client router. Connectivity is indicated by !!!!!, while ... [timed out] or [failed] indicates no connection. If the connection fails, reconfigure the interface, check the physical connection between the Flash server and client router, and ping again.
After this connection is verified, ensure that a TFTP-bootable image is present in Flash memory. This is the system software image the client router will boot. Note the name of this software image so you can verify it after the first client boot.
Caution: For full functionality, the software residing in the Flash memory must be the same type as the ROM software installed on the client router. For example, if the server has X.25 software, and the client does not have X.25 software in ROM, the client will not have X.25 capabilities after booting from the server's Flash memory.
Use the following privileged EXEC command to configure the Flash server by adding both the tftp-server system command and the access-list command to the configuration memory:
configure terminal
The following example shows the use of the configure terminal command to enter configuration mode and configure the Flash server.
Server#configure terminal
Enter configuration commands, one per line. Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
tftp-server system gs7-k.9.17 1
access-list 1 permit 131.131.101.0 0.0.0.255
^Z
Server#write memory <Return>
[ok]
Server#
This example gives the filename of the software image in the Flash server and one access list (labeled 1). The access list must include the network within which the client router resides. Thus, in the example, the network 131.131.101.0 and any client routers on it are permitted access to the Flash server filename gs7-k.9.17.
See the "Configuring the Trivial File Transfer Protocol (TFTP) Server" section for a description of the tftp-server command.
For more information on access lists, refer to the section "Configuring IP Access Lists" in the "IP Routing" chapter of this manual.
Caution: Using the no boot system command in the following example invalidates all other boot system commands currently in the client router system configuration. Before proceeding, determine whether the system configuration stored in the client router should first be saved (uploaded) to a TFTP file server so you have a backup copy. Refer to the "First-Time Startup and Basic Configuration" chapter of this manual for instructions on how to upload and download system configuration files.
Configure the client router using the no boot system command, the boot system command, and the boot system rom command. Use the configure terminal command to enter these commands into the client router's memory configuration. Using these commands requires changing the jumper on the configuration register of the processor to the pattern 0-0-1-0 (Position 1). For this exercise, the IP address of the Flash server is 131.131.111.111.
Following is an example of the use of these commands:
Client#configure terminal
Enter configuration commands, one per line. Edit with DELETE, CTRL/W, and CTRL/U; end with CTRL/Z
no boot system
boot system gs7-k.9.17 131.131.111.111
boot system rom
^Z
Client#write memory <Return>
[ok]
Client#reload
In this example, the no boot system command invalidates all other boot system commands currently in the configuration memory, and any boot system commands entered after this command will be executed first. The second command, boot system filename address, tells the client router to look for the file gs7-k.9.17 in the (Flash) server with an IP address of 131.131.111.111. Failing this, the client router will boot from its system ROM upon the boot system rom command, which is included as a backup in case of a network problem. The write memory command copies the configuration to memory, and the reload command boots the system.
Caution: The system software (gs7-k.9.17) to be booted from the Flash server (131.131.111.111) must reside in Flash memory on the server. If it is not in Flash memory, the client router will boot the Flash server's system ROM.
Use the show version command on the client router to verify that the software image booted from the Flash server is the image present in Flash memory.
Following is sample output of the show version command:
env-chassis> show version
GS Software (GS7), Version 9.1.17
Copyright (c) 1986-1992 by cisco Systems, Inc.
Compiled Wed 21-Oct-92 22:49
System Bootstrap, Version 4.6(0.15)
Current date and time is Thu 10-22-1992 13:15:03
Boot date and time is Thu 10-22-1992 13:06:55
env-chassis uptime is 9 minutes
System restarted by power-on
System image file is "gs7-k.9.17", booted via tftp from 131.131.111.111
RP1 (68040) processor with 16384K bytes of memory.
X.25 software.
Bridging software.
1 Switch Processor.
1 EIP controller (6 Ethernet).
6 Ethernet/IEEE 802.3 interface.
128K bytes of non-volatile configuration memory.
4096K bytes of flash memory on embedded flash (in RP1).
Configuration register is 0x0
The important information in this example is in the first line (GS Software...) and in the line that begins with "System image file...." The two software types and versions shown indicate the software currently running in RAM in the client router (first line) and the software booted from the Flash server (last line). These two types and versions must be the same.
Verify that the software shown in the first line of the previous example is the software residing in the Flash server memory.
This section describes how to configure password protection and terminal access security.
You can set passwords to control access to the privileged command level and to individual lines. The Terminal Access Controller Access Control System (TACACS) protocol controls terminal use by means of a user-ID-and-password pair. The Defense Data Network developed TACACS to control access to its TAC terminal servers; Cisco patterned its TACACS support after the DDN application.
These system security measures may not provide the level of protection needed for some environments; individual routing protocols and bridging support may have additional security procedures. You also may need to use access lists for additional protection. For access list configuration procedures, refer to the sections describing configuration of a particular routing protocol or bridging support.
To assign a password for the privileged command level, use the enable password global configuration command.
enable password password
Note that the commands enable password and enable-password are synonymous.
The argument password is case sensitive and specifies the password prompted for in response to the EXEC command enable. The password argument can contain any alphanumeric characters, including spaces, up to 80 characters. Password checking is also case sensitive. The password Secret is different than the password secret, for example, and the password two words is an acceptable password. You cannot specify the password argument in the format number-space-anything. The space after the number causes problems.
To enter the privileged command level, type the following EXEC command and then press Return:
enable
Next, type the password for the privileged command level at the Password: prompt.
When you use the enable command at the console terminal, the EXEC does not prompt you for a password if the privileged mode password is not set. Additionally, if the enable password is not set and the line 0 (console line) password is not set, then it is only possible to enter privileged mode on the console terminal. This feature allows you to use physical security rather than passwords to protect privileged mode if that is what you choose to do.
If the enable password is not set and the line 0 (console) password is set, then it is possible to enter privileged command mode either without entering a password at the console terminal, or by entering the console line password when prompted while using any other line.
The following example sets the password secretword for the privileged command level on all lines, including the console:
enable-password secretword
When an EXEC is started on a line with password protection, the EXEC prompts for the password. If you enter the correct password, the EXEC prints its normal nonprivileged prompt. You can try three times to enter a password before the EXEC exits and returns the terminal to the idle state.
To specify a password, use the password line subcommand. The full command syntax follows:
password text
The text argument can contain any alphanumeric character, including spaces, up to 80 characters. You cannot specify its argument in the format number-space-anything. The space after the number causes problems. The password checking is also case sensitive. The password Secret is different than the password secret, for example, and the password two words is an acceptable password.
To enable checking for the password specified by the password command, use the line subcommand login:
login
Alternatively, to use the TACACS user ID and password-checking mechanism, use the following subcommand:
login tacacs
To disable all password checking, use the following command:
no login
The server prints the message-of-the-day banner before prompting for a password, so you immediately see messages such as no trespassing notifications. By default, virtual terminals require a password. If you do not set a password for a virtual terminal, it will respond to attempted connections by displaying an error message and closing the connection. Use the no login subcommand to disable this behavior and allow connections without a password. Because no login removes authentication entirely, a virtual terminal configured this way gives an EXEC to anyone who can open a connection to the router; use it only on lines that are protected by other means.
The following example sets the password letmein on line 5:
line 5
password letmein
login
If your network server has the nonvolatile memory option, you can lock yourself out if you enable password checking on the console terminal line and then forget the line password.
To recover from this situation, force the network server into factory diagnostic mode by turning off the network server, inserting a jumper in bit 15 of the processor configuration register (or bit 7 of the processor configuration register in the IGS or CRM), and turning on the network server. Follow these steps:
Step 1: You will be asked if you want to set the manufacturers' addresses. Respond by typing yes. You then see the following prompt:
TEST-SYSTEM>
Step 2: Type the enable command to get the privileged prompt, as in:
TEST-SYSTEM> enable
TEST-SYSTEM#
Step 3: Type the show configuration command to review the system configuration and find the password.
Step 4: To resume normal operation, turn off the network server, remove the jumper from bit 15 (or bit 7) of the configuration register, and turn on the network server again.
Step 5: Log in to the network server with the password that was shown in the configuration file.
The processor configuration registers are described in the hardware installation and maintenance publications.
When the network server restarts in factory diagnostic mode, it does not read the nonvolatile memory, so the commands that set passwords for the console terminal are never applied. Do not change anything in the factory diagnostic mode. Note that anyone with physical access to the chassis can carry out this same procedure and read every password in the stored configuration, so line and enable passwords protect against remote access and casual use of the console; they are no defense against someone who can open the unit.
You can increase access security to your router by encrypting passwords. When password encryption is enabled, the encrypted forms of the passwords are displayed when a show config command is entered. Use the service password-encryption global configuration command:
service password-encryption
The actual encryption process occurs when the current configuration is written or when a password is configured. Password encryption can be applied to both the privileged command password and to console and virtual terminal line access passwords. See "Establishing Line Passwords," later in this chapter.
The following example causes no encryption to take place:
gw#config
service password-encryption
no service password-encryption
The next example encrypts the privileged command password secret. Additional passwords are not encrypted. The encrypted password remains in its encrypted form until it is reconfigured with a nonencrypted password:
gw#config
service password-encryption
enable-password secret
no service password-encryption
If you modify a configuration file and add a service password-encryption configuration command, when you write the configuration file all passwords will become encrypted.
Cisco Systems provides unsupported versions of both a standard and an extended TACACS server. The servers run on most UNIX systems and are available via FTP from the host ftp.cisco.com. You can use the servers to create UNIX accounting applications that monitor use of a system and user logins.
The configuration commands in the following sections tailor the behavior of the standard TACACS server.
The tacacs-server host global configuration command specifies a TACACS host. The full syntax of this command follows.
tacacs-server host name
The argument name is the name or Internet address of the host. You can use multiple tacacs-server host commands to specify multiple hosts. The server will search for the hosts in the order you specify them. The no tacacs-server host global configuration command deletes the specified name or address.
The tacacs-server attempts global configuration command controls the number of login attempts that can be made on a line set up for TACACS verification.
tacacs-server attempts count
The argument count is the number of attempts. The default is three attempts.
The no tacacs-server attempts global configuration command restores the default.
This command changes the login attempt to just one try:
tacacs-server attempts 1
The tacacs-server retransmit global configuration command specifies the number of times the server will search the list of TACACS server hosts before giving up. The server will try all servers, allowing each one to time out before increasing the retransmit count.
tacacs-server retransmit retries
The argument retries is the retransmit count. The default is two retries.
The no tacacs-server retransmit global configuration command restores the default.
This command specifies a retransmit counter value of five times:
tacacs-server retransmit 5
The tacacs-server timeout global configuration command sets the interval that the server waits for a server host to reply.
tacacs-server timeout seconds
The argument seconds specifies the number of seconds. The default interval is five seconds. The no tacacs-server timeout global configuration command restores the default.
This command changes the interval timer to ten seconds:
tacacs-server timeout 10
If, when running the TACACS server, it does not respond, the default action is to deny the request. Use the tacacs-server last-resort global configuration command to change the default.
tacacs-server last-resort {password|succeed}
The command causes the network server to request the privileged password as verification, or forces successful login without further input from the user, depending upon the keyword specified, as follows:
password: The user is prompted for the privileged (enable) password and is logged in if it matches.
succeed: The user is logged in without further input.
Both keywords trade security for availability when every TACACS server is unreachable: succeed admits anyone while the servers are down, and password reduces the check to knowledge of the shared enable password.
The no tacacs-server last-resort global configuration command restores the system to the default behavior.
The following variations of the enable command can be used to configure privileged-level command access using the TACACS protocol.
The enable use-tacacs global configuration command is used for setting the TACACS protocol to determine whether a user can access the privileged command level.
enable use-tacacs
Caution: When you use the enable use-tacacs command, you also must specify a tacacs-server authenticate enable command. If you do not, you will be locked out of the router.
If you use this command, the EXEC enable command will ask for both a new user name and a password. This information is then passed to the TACACS server for authentication. If you are using the extended TACACS, it will also pass any existing UNIX user identification code to the server.
The enable last-resort global configuration command allows you to specify what happens if the TACACS servers used by the enable command do not respond.
enable last-resort {password|succeed}
The default action is to fail. Use of the keyword changes the action, as follows:
password: The user is prompted for the password set with the enable password command and enters privileged mode if it matches.
succeed: The user enters privileged mode without further verification.
The no enable last-resort global configuration command restores the default.
The following sections describe the configuration commands that tailor the behavior of the extended TACACS client.
The tacacs-server extended global configuration command enables an extended TACACS mode.
tacacs-server extended
This mode provides information about the terminal requests for use in setting up host auditing trails and accounting files for tracking use of terminal servers and routers. Information includes responses from terminal servers and routers and validation of user requests. An unsupported, extended TACACS server is available from Cisco Systems via anonymous FTP for UNIX users who want to create the auditing programs.
The no tacacs-server extended command disables this mode.
The tacacs-server notify global configuration command causes a message to be transmitted to the TACACS server, with retransmission being performed by a background process for up to five minutes. The terminal user, however, receives an immediate response allowing access to the terminal. The full syntax of this command follows.
tacacs-server notify {connect|slip|enable|logout}
The keywords specify notification of the TACACS server whenever a user does one of the following:
connect: Makes a network connection to a host.
slip: Starts a SLIP session.
enable: Enters the privileged command level.
logout: Logs out.
The no tacacs-server notify command used with the appropriate keyword disables notification.
The tacacs-server authenticate command makes the network or communication server wait for a response from the TACACS server indicating whether the user may perform the indicated action before allowing it.
tacacs-server authenticate {connect|slip|enable}
Actions that require a response include the following, specified as optional keywords:
connect: Making a network connection to a host.
slip: Starting a SLIP session.
enable: Entering the privileged command level.
The no tacacs-server authenticate command used with the appropriate keyword disables the action.
You can specify that the first TACACS request to a TACACS server is made without password verification. This option is configured with the tacacs-server optional-passwords global configuration command.
tacacs-server optional-passwords
When the user types in the login name, the login request is transmitted with the name and a zero-length password. If accepted, the login procedure completes. If the TACACS server refuses this request, the terminal server prompts for a password and tries again when the user supplies a password. The TACACS server must support authentication for users without passwords to make use of this feature. This feature supports all TACACS requests, such as login, SLIP, and enable.
Networks that cannot support a TACACS service still may wish to use a user name-based authentication system. In addition, it may be useful to define certain user names that get special treatment (for example, an "info" user name that does not require a password, but connects the user to a general-purpose information service).
The network server software supports these needs by implementing a local username configuration command. The username command provides username/password authentication for login purposes only. (Note that it does not provide username/password authentication for enable mode when the enable use-tacacs command is also used.) The format for the command is as follows:
username name [nopassword|password encryptiontype password]
username name [accesslist number]
username name [autocommand command]
username name [noescape] [nohangup]
Multiple username commands can be used to specify options for a single user.
The nopassword keyword means that no password is required for this user to log in. This is usually most useful in combination with the autocommand keyword.
The password keyword specifies a possibly encrypted password for this user name.
The encryptiontype argument is a single-digit number that defines whether the text immediately following is encrypted and, if so, what type of encryption is used. Currently defined encryption types are 0, which means that the text immediately following is not encrypted, and 7, which means that the text is encrypted using a Cisco-defined encryption algorithm. A password can contain embedded spaces and must be the last option specified in the username command.
When you specify an encryption type of 0 to enter an unencrypted password, the system displays the encrypted version of the password. For example, suppose you enter the following command:
username bill password westward
The system would display this command like this:
username bill password 7 21398211
The encrypted version of the password is 21398211, and the "7" indicates that it was produced by the Cisco-defined encryption algorithm. This type 7 transformation is a fixed, keyed substitution that anyone holding the string can reverse; it hides passwords from someone glancing at show configuration output but does not protect a configuration file that leaves the router. Treat saved configurations as sensitive.
If you were to enter the following command, the system would assume that the password is already encrypted and would do no encryption. It would display the command exactly as you typed it:
username bill password 7 21398211
username bill password 7 21398211
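The following Python script is an added example, not code from the manual or from Cisco. It implements the type 7 transform in both directions and pulls the password-bearing commands described in this chapter (enable password, the password line subcommand and username ... password) out of a configuration dump, reporting which values are stored in clear text and recovering the plaintext of type 7 values. The translation key is the publicly known constant used by the type 7 transform. The eight-digit value in the manual's example above is a placeholder (a real type 7 string for an eight-character password is 18 characters long), so the sample configuration here, which is constructed for this example, uses strings produced by the transform itself.

```python
"""Added example: Cisco "type 7" password strings and where they appear in a
configuration dump. Not code from the manual or from Cisco."""
import re

# Public translation key of the type 7 transform (a fixed 53-byte constant).
XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string. The first two decimal digits are the offset
    into XLAT; every following pair of hex digits is one password byte XORed
    with successive key bytes."""
    if len(encoded) < 4 or len(encoded) % 2:
        raise ValueError("malformed type 7 string")
    seed = int(encoded[:2])
    body = bytes.fromhex(encoded[2:])
    plain = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(body))
    return plain.decode("ascii")


def type7_encode(plain: str, seed: int = 8) -> str:
    """Forward transform. seed is the starting key offset (0 through 15 in
    router-generated strings)."""
    data = plain.encode("ascii")
    body = bytes(b ^ XLAT[(seed + i) % len(XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


# One regular expression for the three password-bearing commands in this
# chapter: "enable password" (or "enable-password"), the "password" line
# subcommand and "username NAME password". An optional leading 0 or 7 is the
# encryption type; the rest of the line is the password, spaces included.
CRED_RE = re.compile(
    r"^\s*(?:(?P<kind>enable[ -]password|password)|username\s+(?P<user>\S+)\s+password)"
    r"\s+(?:(?P<type>[07])\s+)?(?P<secret>.+?)\s*$"
)


def find_passwords(config: str) -> list[dict]:
    """Return one record per password-bearing line: its line number, the
    command, how the value is stored and the plaintext (recovered for type 7)."""
    records = []
    for lineno, line in enumerate(config.splitlines(), 1):
        m = CRED_RE.match(line)
        if not m:
            continue
        command = m.group("kind") or f"username {m.group('user')}"
        if m.group("type") == "7":
            stored, plaintext = "type 7 (reversible)", type7_decode(m.group("secret"))
        else:
            stored, plaintext = "clear text", m.group("secret")
        records.append({"line": lineno, "command": command,
                        "stored": stored, "plaintext": plaintext})
    return records


# Constructed sample configuration; the type 7 values were produced with
# type7_encode and are not taken from any real device.
SAMPLE_CONFIG = """\
hostname sandbox
service password-encryption
enable password 7 0822455D0A16
username bill password 7 021101481F110E3348
username who nopassword nohangup autocommand show users
line 5
 password letmein
 login
"""

if __name__ == "__main__":
    for rec in find_passwords(SAMPLE_CONFIG):
        print(f"line {rec['line']}: {rec['command']} is {rec['stored']}: {rec['plaintext']!r}")
```

Run it against a saved copy of show configuration output to see exactly what anyone who obtains the file learns; it is the same information the password-recovery procedure above hands to anyone with physical access to the chassis. Note that service password-encryption does not rewrite a line password until the configuration is written or the password is re-entered, so a dump can mix clear-text and type 7 values, as the sample does.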
The accesslist keyword specifies an outgoing access list that overrides the access list specified in the access-class line configuration subcommand. It is used for the duration of the user's session. The access list number is specified by the number argument.
The autocommand keyword causes the command specified by the command argument to be issued automatically after the user logs in. When the command is complete, the session is terminated. Because the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.
The noescape keyword prevents a user from using an escape character on the host to which he or she is connected.
The nohangup keyword prevents the network server from disconnecting the user after an automatic command (set up with the autocommand keyword) has completed. Instead, the user gets another login prompt.
To implement a service similar to the UNIX who command, which can be given at the login prompt and lists the current users of the network server, the command takes the following form:
username who nopassword nohangup autocommand show users
To implement an ID that will work even if all the TACACS servers break, the command is as follows:
username superuser password superpassword
The Simple Network Management Protocol (SNMP) provides a way to access and set configuration and run-time parameters for the network server. Cisco Systems' implementation of SNMP is compatible with RFCs 1155, 1156, and 1157. The Cisco Management Information Base (MIB) supports RFCs 1155 to 1213 and provides Cisco-specific variables. The Cisco MIB and its variables are described in the Cisco Management Information Base (MIB) User Quick Reference.
A separate document, available in RFC 1213-type (MIB II) format, describes all the Cisco-specific SNMP variables in the Cisco portion of the MIB. It also describes what is required to establish minimum configuration. Contact Cisco Systems to obtain a copy of this document, which includes instructions for accessing the variables using SNMP.
Cisco also provides support for some variables of each of the following MIBs: FDDI, source-route bridging (SRB), and Token Ring. The FDDI MIB variables are described in RFC 1285, "FDDI Management Information Base," published in January 1992 by Jeffrey D. Case of the University of Tennessee and SNMP Research, Inc. One FDDI variable that Cisco supports is snmpFddiSMTCFState.
Cisco provides support for the source-route bridging (SRB) MIB variables as described in the IETF draft "Bridge MIB" document, "Definition of Managed Objects for Bridges," by E. Decker, P. Langille, A. Rijsinghani, and K. McCloghrie in June 1991. Only the SRB component of the Bridge MIB is supported.
Cisco also supports Token Ring MIB variables as described in RFC 1231, "IEEE 802.5 Token Ring MIB," by K. McCloghrie, R. Fox, and E. Decker in May 1991. Cisco implements the mandatory tables (Interface Table and Statistics Table) but not the optional table (Timer Table) of the Token Ring MIB. The Token Ring MIB has been implemented for the CSC-R16, STR (dual-port Token Ring) and the CTR (Token Ring card for the cBus controller) cards. No support has been provided for the CSC-R card.
To configure the SNMP server, you need to be in the configuration command collection mode. Enter this mode using the EXEC command configure at the EXEC prompt. See the section "Entering Configuration Mode" in the "First-Time Startup and Basic Configuration" chapter of this manual for a description of the procedure.
Begin SNMP operation by entering the configuration commands that define the desired operation. To disable SNMP server operations on the network server after it has been started, use the no snmp-server global configuration command.
no snmp-server
To set up an access list that determines which hosts can send requests to the network server, use the snmp-server access-list global configuration command. This access list applies only to the global read-only SNMP agent configured with the command snmp-server community. The network server ignores packets from hosts that the access list denies.
The full command syntax follows.
snmp-server access-list list
The argument list is an integer from 1 through 99 that specifies an IP access list number.
The no snmp-server access-list global configuration command removes the specified access list.
This command causes the router to ignore packets from hosts that do not match access list 21:
snmp-server access-list 21
To set the system contact string (syscontact), use the snmp-server contact command. The command syntax follows:
snmp-server contact text
The text argument is a string that specifies the system contact information.
To set the system location string, use the snmp-server location command. The command syntax follows:
snmp-server location text
The text argument is a string that specifies the system location information.
To set up the community access string, use the snmp-server community global configuration command. The full command syntax follows.
snmp-server community [string [RO|RW] [list]]
This command enables SNMP server operation on the network server. The argument string specifies a community string that acts like a password and permits access to the SNMP protocol.
By default, an SNMP community string permits read-only access (keyword RO); use the keyword RW to allow read-write access. The optional argument list is an integer from 1 through 99 that specifies an access list of Internet addresses that can use the community string.
The no snmp-server community global configuration command removes the specified community string or access list.
This command assigns the string comaccess to the SNMP server, allows read-only access, and specifies that addresses that match the criteria in access list 4 can use the community string. (Notice that the string is entered without quotes or any other parsing characters.)
snmp-server community comaccess RO 4
To establish the message queue length for each TRAP host, use the snmp-server queue-length global configuration command.
snmp-server queue-length length
This command defines the length of the message queue for each TRAP host.
The argument length is the number of TRAP events that can be held before the queue must be emptied; the default is 10. Once a TRAP message is successfully transmitted, software will continue to empty the queue, but never faster than at a rate of four TRAP messages per second.
The no snmp-server queue-length command resets the queue length to its default value of 10.
This command establishes a message queue that traps four events before it must be emptied:
snmp-server queue-length 4
To establish the packet filtering size, use the snmp-server packetsize global configuration command. The full command syntax follows.
snmp-server packetsize bytes
This command allows control over the largest SNMP packet size permitted when the SNMP server is receiving a request or generating a reply.
The argument bytes is a byte count from 484 through 8192. The default is 484. The no snmp-server packetsize command resets this default.
This command establishes a packet filtering maximum size of 1024 bytes:
snmp-server packetsize 1024
To specify the recipients of trap messages, use the snmp-server host global configuration command. The full syntax follows.
snmp-server host address community-string [snmp] [tty]
This command specifies which host or hosts should receive trap messages. You need to issue the snmp-server host command once for each host acting as a trap recipient.
The argument address is the name or Internet address of the host. The argument community-string is the password-like community string set with the snmp-server community command.
The optional keywords define which traps are sent, as follows:
snmp: Send the SNMP-defined traps.
tty: Send the Cisco enterprise-specific trap generated when a TCP connection closes.
If you do not specify any optional keywords, the sending of all trap types is enabled.
If you specify multiple snmp-server host commands for a given host or address, the community string used is the one on the last command line you entered, and the traps sent are a combination of all the optional keywords you specified.
The no snmp-server host command removes the specified host.
This command sends all SNMP traps to 131.108.2.160:
snmp-server host 131.108.2.160
To turn these trap messages off, use the no snmp-server host command:
no snmp-server host 131.108.2.160
The following example causes all the SNMP traps to be sent to the host specified by the name cisco.com. The community string is defined to be comaccess.
snmp-server host cisco.com comaccess snmp
Suppose the initial configuration is as follows:
snmp-server host 131.108.2.3 public snmp
You then enter the following configuration command:
snmp-server host 131.108.2.3 private
This results in the following configuration, which uses the community string you specified last and the trap type snmp:
snmp-server host 131.108.2.3 private snmp
Starting again with the initial configuration, suppose you enter the following command:
snmp-server host 131.108.2.3 notpublic tty
This results in the following configuration, which uses the community string you specified last and the trap types snmp and tty:
snmp-server host 131.108.2.3 notpublic snmp tty
To modify the initial configuration so that only tty traps are sent, enter the following commands:
no snmp-server host 131.108.2.3
snmp-server host 131.108.2.3 public tty
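The merge rules worked through above (last community string wins, trap keywords accumulate, the no form clears the entry) are easy to get wrong when a configuration is built up over several sessions. The following Python model is an added example, not Cisco software; it applies a list of snmp-server host commands in order and renders the resulting configuration exactly as the manual prints it. One assumption not stated on the page: a command that omits the community string (as in the 131.108.2.160 example) leaves any previously configured string in place.

```python
"""Model of how repeated snmp-server host lines for one address combine.

Added example (not Cisco software). Rules implemented, as the manual states
them: the community string on the last command wins, trap keywords from all
commands for that address accumulate, and "no snmp-server host <address>"
removes the entry. Assumption: a command with no community string keeps the
string configured earlier.
"""
from typing import Dict, List, Optional, Set

TRAP_KEYWORDS = ("snmp", "tty")  # keyword order as the manual prints it


def apply_commands(commands: List[str]) -> Dict[str, dict]:
    """Apply snmp-server host configuration lines in order.

    Returns address -> {"community": str | None, "traps": set of keywords}.
    An empty trap set means no keyword was given, i.e. all trap types.
    """
    hosts: Dict[str, dict] = {}
    for raw in commands:
        tokens = raw.split()
        negate = tokens[:1] == ["no"]
        if negate:
            tokens = tokens[1:]
        if tokens[:2] != ["snmp-server", "host"] or len(tokens) < 3:
            raise ValueError(f"not an snmp-server host command: {raw!r}")
        address = tokens[2]
        if negate:
            hosts.pop(address, None)  # the no form removes the host entirely
            continue
        rest = tokens[3:]
        community: Optional[str] = None
        if rest and rest[0] not in TRAP_KEYWORDS:
            community, rest = rest[0], rest[1:]
        unknown = [k for k in rest if k not in TRAP_KEYWORDS]
        if unknown:
            raise ValueError(f"unknown trap keyword(s) {unknown} in {raw!r}")
        entry = hosts.setdefault(address, {"community": None, "traps": set()})
        if community is not None:
            entry["community"] = community  # last community string wins
        entry["traps"].update(rest)  # keywords accumulate across commands
    return hosts


def traps_sent(hosts: Dict[str, dict], address: str) -> Set[str]:
    """Trap types actually sent to address: no keyword means every type."""
    traps = hosts[address]["traps"]
    return set(traps) if traps else set(TRAP_KEYWORDS)


def render_config(hosts: Dict[str, dict]) -> List[str]:
    """Render the host table as the configuration lines the manual shows."""
    lines = []
    for address in sorted(hosts):
        entry = hosts[address]
        parts = ["snmp-server", "host", address]
        if entry["community"] is not None:
            parts.append(entry["community"])
        parts.extend(k for k in TRAP_KEYWORDS if k in entry["traps"])
        lines.append(" ".join(parts))
    return lines


if __name__ == "__main__":
    # Walk through the manual's worked example.
    initial = ["snmp-server host 131.108.2.3 public snmp"]
    print(render_config(apply_commands(initial + ["snmp-server host 131.108.2.3 private"])))
    print(render_config(apply_commands(initial + ["snmp-server host 131.108.2.3 notpublic tty"])))
    print(render_config(apply_commands(initial + ["no snmp-server host 131.108.2.3",
                                                  "snmp-server host 131.108.2.3 public tty"])))
```

Running the three scenarios reproduces the three resulting configurations shown above; the third shows why the no form is needed before a trap type can be dropped.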
To establish the trap message authentication, use the snmp-server trap-authentication global configuration command.
snmp-server trap-authentication
This command enables the network server to send a trap message when it receives a packet with an incorrect community string.
The SNMP specification requires that a trap message be generated for each packet with an incorrect community string. However, because this action can result in a security breach, the network server by default does not return a trap message when it receives an incorrect community string.
To define how often to try resending trap messages on the retransmission queue, use these global configuration commands:
snmp-server trap-timeout seconds
The argument seconds sets the interval for resending the messages. The default is set to 30 seconds. The no snmp-server trap-timeout command restores this default.
This command sets an interval of 20 seconds to try resending TRAP messages on the retransmission queue:
snmp-server trap-timeout 20
Using SNMP packets, a network management tool can send messages to users on virtual terminals and on the network server's console. The network management tool operates similarly to the SNMP send command; however, the SNMP request that causes the message to be issued to the users also specifies the action to be taken after the message is delivered. One possible action is a shutdown request.
Requesting a shutdown-after-message is similar to issuing a send command followed by a reload command. Because the ability to cause a reload from the network is a powerful feature, it is protected by this configuration command. To use this SNMP message reload feature, the device configuration must include the snmp-server system-shutdown global configuration command. The full command syntax follows.
snmp-server system-shutdown
The no snmp-server system-shutdown option prevents an SNMP system shutdown request (from an SNMP manager) from resetting the Cisco agent.
To understand how to use this command with SNMP requests, read the document mib.txt91 available by anonymous FTP from ftp.cisco.com. This document is available in RFC 1213-type format. It describes all the Cisco-specific SNMP variables in the Cisco portion of the MIB. It also describes what is required to establish minimum configuration. Contact Cisco Systems to obtain a copy of this document, which includes instructions for accessing the variables using SNMP.
The Cisco MIB and its variables are also described in the Cisco Management Information Base (MIB) User Quick Reference.
You can configure the network server to act as a limited Trivial File Transfer Protocol (TFTP) server from which other Cisco servers can boot their software. As a TFTP server host, the network server responds to TFTP read request messages by sending a copy of an image stored in Flash or in its ROM software to the requesting host. The TFTP read request message must use the filename that you specified in the network server configuration.
To specify TFTP server operation for a communication server, use the tftp-server system global configuration command. The full syntax follows.
tftp-server system filename [ip-access-list]
This command has two arguments: filename and ip-access-list. The argument filename is the name you give the communication server ROM file, and the argument ip-access-list is an IP access-list number.
The following algorithm is used when deciding whether to send the ROM or Flash image:
The system sends a copy of the ROM software to any host that issues a TFTP read request with this filename. To learn how to specify an access list, see the "Configuring IP Access Lists" section in the "Routing IP" chapter of this manual.
You can specify multiple filenames by repeating the tftp-server system command. To remove a previously defined filename, use the no tftp-server system command and append the appropriate filename and an access list number.
Images that run from ROM, including IGS images, cannot be loaded over the network. Therefore, it does not make sense to use TFTP to offer the ROMs on these images.
This command causes the router to send, via TFTP, a copy of the ROM software when it receives a TFTP read request for the file goodimage. The requesting host is checked against access list 22.
tftp-server system goodimage 22
The service global configuration command tailors the network server's use of network-based services. Some service commands also configure system defaults; see decimal-tty for an example. The full command syntax follows.
service keyword
The argument keyword is one of the following:
wakeups row shows how many keepalives have been transmitted without receiving any response (this is reset to 0 when a response is received).
The no service command disables the specified service or function.
The following command enables TFTP autoloading of configuration files:
service config
By default, the network server sends the output from the EXEC command debug and system error messages to the console terminal.
To redirect these messages, as well as output from asynchronous events such as interface transition, to other destinations, use the logging configuration command options.
These destinations include the console terminal, virtual terminals, and UNIX hosts running a syslog server; the syslog format is compatible with 4.3 BSD UNIX.
To configure message logging, you need to be in the configuration command collection mode. To enter this mode, use the EXEC command configure at the EXEC prompt (see the section "Entering Configuration Mode" in the "First-Time Startup and Basic Configuration" chapter of this manual for the procedure). The following sections describe how to implement these redirection options.
To enable or disable message logging, use the following global configuration commands:
logging on
The logging on command enables message logging to all supported destinations other than the console. This behavior is the default.
The no logging on command enables logging to the console terminal only.
The default logging device is the console; all messages are displayed on the console unless otherwise specified.
To log messages to an internal buffer, use the logging buffered global configuration command. The full command syntax follows.
logging buffered
The logging buffered command copies logging messages to an internal buffer instead of writing them to the console terminal. The buffer is circular in nature, so newer messages overwrite older messages. To display the messages that are logged in the buffer, use the EXEC command show logging. The first message displayed is the oldest message in the buffer.
The no logging buffered command cancels the use of the buffer and writes messages to the console terminal; this is the default.
To limit how many messages are logged to the console, use the logging console global configuration command. The full syntax of this command follows.
logging console level
The logging console command limits the logging messages displayed on the console terminal to messages with a level number at or below the specified severity level, which is specified by the level argument. The default level for the logging monitor command is debugging.
The argument level can be one of the keywords listed in Table 1-6. They are listed in order from the most severe to the least severe level.
| Level | Keyword | Description | Syslog Definition |
|---|---|---|---|
| 0 | emergencies | System is unusable | LOG_EMERG |
| 1 | alerts | Immediate action is needed | LOG_ALERT |
| 2 | critical | Critical conditions exist | LOG_CRIT |
| 3 | errors | Error conditions exist | LOG_ERR |
| 4 | warnings | Warning conditions exist | LOG_WARNING |
| 5 | notification | Normal, but significant, conditions exist | LOG_NOTICE |
| 6 | informational | Informational messages | LOG_INFO |
| 7 | debugging | Debugging messages | LOG_DEBUG |
The no logging console command disables logging to the console terminal.
The following command sets console logging of messages at the debugging level:
logging console debugging
To limit the level of messages to log to the terminal lines (monitors), use the logging monitor command. The full syntax of this command follows.
logging monitor level
The logging monitor command limits the logging messages displayed on terminal lines other than the console line to messages with a level at or above level. The argument level is one of the keywords described for the logging console command in the previous section, "Logging Messages to the Console." To display logging messages on a terminal, use the privileged EXEC command terminal monitor.
The no logging monitor command disables logging to terminal lines other than the console line.
The following command sets the level of messages displayed on monitors other than the console to notifications:
logging monitor notifications
To log messages to the syslog server host, use the logging global configuration command. The full syntax is as follows:
logging internet-address
The logging command identifies a syslog server host to receive logging messages. The argument internet-address is the Internet address of the host. By issuing this command more than once, you build a list of syslog servers that receive logging messages.
The no logging command deletes the syslog server with the specified address from the list of syslogs.
To limit how many messages are sent to the syslog servers, use the logging trap global configuration command. Its full syntax follows.
logging trap level
The logging trap command limits the logging messages sent to syslog servers to messages with a level at or above level. The argument level is one of the keywords described for the logging console command in Table 1-6.
To send logging messages to a syslog server, specify its host address with the logging command.
The default trap level is informational.
The no logging trap command disables logging to syslog servers.
The current software generates four categories of the syslog messages:
The EXEC command show logging displays the addresses and levels associated with the current logging setup. The command output also includes ancillary statistics.
To set up the syslog daemon on a 4.3 BSD UNIX system, include a line such as the following in the file /etc/syslog.conf:
local7.debug /usr/adm/logs/tiplog
The local7 keyword specifies the logging facility to be used.
The debug argument specifies the syslog level. See the previous level arguments list for other arguments that can be listed.
The UNIX system sends messages at or below this level to the file specified in the next field. The file must already exist, and the syslog daemon must have permission to write to it.
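The console, monitor and trap levels above are independent filters, so a message can reach some destinations and not others, and the syslog.conf selector on the UNIX side filters once more. The following Python model is an added example, not Cisco or BSD code; it reduces a set of logging commands to a routing table, answers "which destinations receive a message of this severity", and checks a 4.3 BSD syslog.conf selector against a message. It assumes the defaults stated in the text (debugging for console and monitor, informational for trap) and accepts both the "notification" and "notifications" spellings, since this chapter uses both.

```python
"""Route a message of a given severity to the logging destinations this
chapter configures, and check a 4.3 BSD syslog.conf selector against it.

Added example (not Cisco or BSD code). Rules modelled as the manual states
them: logging console, logging monitor and logging trap each admit messages
whose severity number is at or below the configured level; "no logging on"
leaves the console as the only destination; "logging buffered" copies
console-bound messages to the buffer instead; "logging <address>" adds a
syslog server. Assumptions: default levels debugging/debugging/informational
(from the manual's text) and acceptance of both spellings of notification(s).
"""
from typing import Dict, List, Optional, Set

# Table 1-6 keywords, plus the plural spelling the chapter's example uses.
SEVERITY: Dict[str, int] = {
    "emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
    "warnings": 4, "notification": 5, "notifications": 5,
    "informational": 6, "debugging": 7,
}
# 4.3 BSD syslog level names, same numbering as the Syslog Definition column.
BSD_LEVELS: Dict[str, int] = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3,
    "warning": 4, "notice": 5, "info": 6, "debug": 7,
}


def level(keyword: str) -> int:
    """Severity number for a level keyword (numeric form also accepted)."""
    return int(keyword) if keyword.isdigit() else SEVERITY[keyword]


def parse_logging(config: List[str]) -> dict:
    """Reduce logging global configuration commands to a routing table."""
    state: dict = {"on": True, "buffered": False, "console": 7,
                   "monitor": 7, "trap": 6, "servers": []}
    for raw in config:
        t = raw.split()
        negate = t[:1] == ["no"]
        if negate:
            t = t[1:]
        if t[:1] != ["logging"] or len(t) < 2:
            continue  # not a logging command
        key, extra = t[1], t[2:]
        if key == "on":
            state["on"] = not negate
        elif key == "buffered":
            state["buffered"] = not negate
        elif key in ("console", "monitor", "trap"):
            # the no form disables that destination entirely
            state[key] = None if negate else level(extra[0])
        elif negate:
            # no logging <address> drops that syslog server from the list
            state["servers"] = [s for s in state["servers"] if s != key]
        elif key not in state["servers"]:
            state["servers"].append(key)  # logging <address> adds a server
    return state


def destinations(state: dict, severity: str) -> Set[str]:
    """Destinations that receive one message of the given severity keyword."""
    sev = level(severity)
    out: Set[str] = set()
    if state["console"] is not None and sev <= state["console"]:
        # logging buffered diverts console-bound messages into the buffer
        out.add("buffer" if state["buffered"] else "console")
    if not state["on"]:
        return out  # no logging on: console (or buffer) only
    if state["monitor"] is not None and sev <= state["monitor"]:
        out.add("monitor")  # seen on lines that ran "terminal monitor"
    if state["trap"] is not None and sev <= state["trap"]:
        out.update(f"syslog:{addr}" for addr in state["servers"])
    return out


def syslog_conf_target(conf_line: str, facility: str, severity: str) -> Optional[str]:
    """File that a syslog.conf line such as "local7.debug /usr/adm/logs/tiplog"
    writes a message of this facility and severity to; None if it drops it."""
    selector, target = conf_line.split()
    sel_facility, sel_level = selector.split(".")
    if sel_facility not in (facility, "*"):
        return None
    return target if level(severity) <= BSD_LEVELS[sel_level] else None


if __name__ == "__main__":
    cfg = parse_logging(["logging trap warnings", "logging 131.108.2.160",
                         "logging console errors"])
    for kw in ("critical", "warnings", "informational"):
        print(kw, sorted(destinations(cfg, kw)))
    print(syslog_conf_target("local7.debug /usr/adm/logs/tiplog", "local7", "informational"))
```

With the configuration in the main block, a critical message reaches the console, the monitor lines and the syslog server, a warning skips the console (level errors), and an informational message reaches the monitor lines only, because the trap level of warnings stops it before the syslog server.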
To configure your console and virtual terminal lines you need to be in the configuration command collection mode. To enter this mode, use the EXEC command configure at the EXEC prompt (see the section "Entering Configuration Mode" in the "First-Time Startup and Basic Configuration" chapter of this manual for the procedure).
To start configuring a terminal line, use the line command. This command identifies a specific line for configuration and starts line configuration command collection.
The line command has the following syntax:
line [type-keyword] first-line [last-line]
This command can take up to three arguments: a keyword, a line number, or a range of line numbers.
The optional argument type-keyword specifies the type of line to be configured; it is one of the following keywords:
When the line type is specified, the argument first-line is the relative number of the terminal line (or the first line in a contiguous group) you want to configure. Numbering begins with zero.
The optional argument last-line then is the relative number of the last line in a contiguous group you want to configure.
If you omit type, then first-line and last-line are absolute rather than relative line numbers. To display absolute line numbers, use the EXEC command show users all.
The network server displays an error message if you do not specify a line number.
The line command enables you to easily configure a large group of lines all at once. After you set the defaults for the group, you can use additional line commands and subcommands to set special characteristics, such as location, for individual terminal lines.
The following command starts configuration for the first five virtual terminal lines:
line vty 0 4
Connections can be made to the next free line in a group of lines, also called a rotary group or hunt group. A line can be in only one rotary group; a rotary group can consist of a single line or many lines.
You define each group of lines with the rotary subcommand of the line configuration command. The command syntax follows:
rotary group
This subcommand adds a line to the specified rotary group. The argument group is an integer from 1 to 100 that you choose to identify the rotary group. To list the defined rotary groups, use the show line privileged EXEC command.
The remote host must specify a particular TCP port on the router or communication server to connect to a rotary group, just as it does to connect to an individual line. The available services are the same, but the TCP port numbers are different. Table 1-7 lists the services and port numbers for both rotary groups and individual lines (this would be Table 4-4 in the Router Products Configuration and Reference publication).
| Services Provided | Base TCP Port for Rotaries (Decimal) | Base TCP Port for Individual Lines (Decimal) |
|---|---|---|
| Telnet protocol | 3000 | 2000 |
| Raw TCP protocol (no Telnet protocol) | 5000 | 4000 |
| Telnet protocol, binary mode | 7000 | 6000 |
If a raw TCP stream is required, the port is 5000 plus the rotary group number. If Telnet binary mode is required, the port is 7000 plus the rotary group number.
The line command keyword aux allows use of an auxiliary RS-232 DTE port available on all processor cards. Use this port to attach to an RS-232 port of a CSU/DSU, protocol analyzer, or modem. You can monitor that port remotely by connecting to the TCP port whose number is 2000 decimal plus the line number of the auxiliary port. For example, if the auxiliary port was line 1 (obtained from the EXEC command show users all), then the TCP port would be 2001. You must order a special cable for use with this auxiliary port.
To configure the auxiliary port, use this variation of the line command:
line aux port-address
When configuring the auxiliary port, address it as line 0, as in this sample:
line aux 0
The auxiliary port asserts DTR when a Telnet connection is established or when an EXEC becomes active. Flow control is not supported on either the auxiliary port or the console port.
By default, the auxiliary port supports an EXEC process. This default can be re-enabled using the exec line subcommand.
These commands configure the auxiliary port with a line speed of 2400 baud, and enable the EXEC:
line aux 0
exec
speed 2400
No modem control signals are supported on this line. If an auto-answer modem is configured on the line, you must dial up, log in, then hang up. The DTR signal will be active whenever an EXEC is configured on the auxiliary port.
To disable automatic connections, use the following line subcommand:
transport preferred none
This command prevents the system from assuming that any unrecognized command is a host name. No connection will be attempted if the command is not recognized (due to misspelling a command, for example).
When you start an EXEC on a line with password protection, the EXEC prompts for the password. If you enter the correct password, the EXEC prints its normal prompt. You can try to enter a password three times before the EXEC exits and returns the terminal to the idle state.
To specify a password, use the password line subcommand. Its full syntax follows.
password text
The text argument can contain any alphanumeric characters, including spaces, up to 80 characters. The password checking is case sensitive. The password Secret is different than the password secret, for example, and the password two words is an acceptable password.
The following command sets the words "Big Easy" as the password on line 1:
line 1
password Big Easy
These commands allow you to use graphical and international characters in banners and prompts, and to add special characters such as software flow control. Use these commands to set the character widths for a specific line to values other than the default values defined by the global commands described in the earlier section, "Configuring Global System Parameters." The decision to use the global configuration commands or line configuration subcommands depends on the types and numbers of terminals connected to the router, as follows:
Use the following line subcommands to configure character widths on a per-line basis.
exec-character-bits {8|7}
special-character-bits {8|7}
The exec-character-bits command configures the character widths of EXEC and configuration command characters. The default value is 7 bits, which results in the use of a 7-bit ASCII character set. Configuring the EXEC character width to 8 bits allows you to add special graphical and international characters in banners, prompts, and so forth.
The special-character-bits command configures the number of characters used in special characters such as software flow control, escape characters, and so forth. The default special-character width is 7. Configuring the width to 8 bits allows you to use twice as many special characters as with the 7-bit setting.
See the "Setting Default Widths for International Character Sets" section earlier in the chapter for global character-width commands.
This example allows full 8-bit international character sets by default, except for the console, which is a dumb ASCII terminal. It illustrates use of the global configuration command and the line configuration subcommands.
default-value exec-character-bits 8
!
line 0
exec-character-bits 7
To establish connection restrictions on the lines to some Internet addresses, use the access-class line subcommand. The full command syntax follows.
access-class list {in|out}
The access-class subcommand restricts connections on a line or group of lines to certain Internet addresses. The argument list is an integer from 1 through 99 that identifies a specific access list of Internet addresses. The keyword in applies to incoming connections, such as virtual terminals. The keyword out applies to outgoing Telnet connections. The no access-class command removes access restrictions on the line for the specified connections.
This example subcommand sets restrictions on access list 1 for outgoing Telnet connections:
access-class 1 out
See the section "Configuring IP Access Lists" in the "Routing IP" chapter of this manual for information about configuring access lists.
By default, messages defined by the banner motd and banner exec commands are always displayed. This condition is defined by the exec-banner line subcommand. Its full syntax follows.
exec-banner
To suppress display of a banner, enter the no exec-banner command.
These commands suppress the banner on virtual terminal lines 0 through 4:
line vty 0 4
no exec-banner
The router will display a message on the console when there is no active EXEC. This message, called the vacant message, is different from the banner message displayed when an EXEC process is activated.
To turn the vacant message banner on or off, use the vacant-message line configuration subcommands. The vacant-message command enables the banner to be displayed on the screen of an idle terminal. The full syntax of this command follows.
vacant-message [c message c]
The vacant-message subcommand without any arguments causes the default message to be displayed. If you desire a banner, follow vacant-message with one or more blank spaces and a delimiting character (c) that you choose. Then type one or more lines of text (message), terminating the text with the second occurrence of the delimiting character.
The no vacant-message line configuration subcommand suppresses a banner message.
This example will turn on the system banner and display a message:
line 0
vacant-message #
Welcome to Cisco Systems, Inc.
This is the console terminal of the router Dross.
#
The escape-character line subcommand defines the escape character. The full syntax of this command is as follows:
escape-character decimal-number
The argument decimal-number is the ASCII decimal representation of the desired escape character or an escape character (Ctrl-P, for example). Typing the escape character followed by the X key returns you to the EXEC when you are connected to another computer. The default escape character is Ctrl-^. (See the appendix "ASCII Character Set" for a list of ASCII characters.)
The operating software interprets Break on the console as an attempt to halt the system.
The no escape-character line configuration subcommand reinstates the default escape character.
The following command changes the escape character to Ctrl-P (ASCII character 17):
line 5
escape-character 17
To set the location of the terminal, use the location line subcommand. The full syntax of this command follows.
location text
This subcommand is for informational purposes only; it is not used by any aspects of the system software. The argument text is the desired description. The description appears in the output of the EXEC command systat. A maximum of 80 characters can be entered.
The no location subcommand removes the information.
The following command describes the location of the terminal on line 2 as being Andrea's terminal:
line 2
location Andrea's terminal
The EXEC command interpreter waits for a specified interval of time until the user starts input. If no input is detected, the EXEC resumes the current connection. If no connections exist, the EXEC returns the terminal to the idle state and disconnects the incoming session.
To set this interval, use the exec-timeout line configuration subcommand. The full syntax of the command follows.
exec-timeout minutes [seconds]
The argument minutes is the number of minutes, and the optional argument seconds specifies additional interval time in seconds. The default interval is ten minutes; an interval of zero specifies no timeouts.
The no exec-timeout subcommand removes the time-out definition. It is the same as entering exec-timeout 0.
This command sets an interval of 2 minutes, 30 seconds:
exec-timeout 2 30
This command sets an interval of 10 seconds:
exec-timeout 0 10
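The line subcommands described in the preceding sections (password, access-class in, exec-timeout and transport preferred none) are the ones a reviewer checks first when reading a saved configuration, and the absence of any one of them is easy to miss across several line groups. The following Python audit is an added example, not Cisco software; it parses the line stanzas of a configuration, computes the effective exec-timeout in seconds, and reports each missing protection per line group. The sample configuration is constructed for the example, and the assumption that subcommands appear indented by one space under their line header describes the input format, not anything this chapter states.

```python
"""Audit terminal-line stanzas for the protections this chapter describes.

Added example (not Cisco software). Reports, per "line ..." group: a vty
group with no password, a vty group with no inbound access-class, an
exec-timeout of zero (no timeout), and a missing "transport preferred none".
Assumption about the input: subcommands sit under their line header indented
by one space. SAMPLE_CONFIG is constructed for this example.
"""
from typing import Dict, List, Tuple

SAMPLE_CONFIG = """\
hostname sandbox
line 0
 exec-timeout 0 0
line aux 0
 exec
 speed 2400
line vty 0 4
 password Big Easy
 access-class 1 in
 exec-timeout 2 30
 transport preferred none
line vty 5 9
 exec-timeout 0
"""


def line_stanzas(config: str) -> Dict[str, List[str]]:
    """Map each 'line ...' header to its subcommands, in order."""
    stanzas: Dict[str, List[str]] = {}
    current = None
    for raw in config.splitlines():
        if raw.startswith("line "):
            current = raw.strip()
            stanzas[current] = []
        elif raw.startswith(" ") and current is not None:
            stanzas[current].append(raw.strip())
        else:
            current = None  # any other top-level command ends the stanza
    return stanzas


def exec_timeout_seconds(subcommands: List[str]) -> int:
    """Effective exec-timeout in seconds: default 10 minutes, 0 = no timeout."""
    timeout = 10 * 60
    for cmd in subcommands:
        t = cmd.split()
        if t[:1] == ["exec-timeout"]:
            minutes = int(t[1]) if len(t) > 1 else 0
            seconds = int(t[2]) if len(t) > 2 else 0
            timeout = minutes * 60 + seconds
        elif t[:2] == ["no", "exec-timeout"]:
            timeout = 0  # the manual: same as entering exec-timeout 0
    return timeout


def audit_lines(config: str) -> List[Tuple[str, str]]:
    """Return (line header, finding) pairs for every weakness found."""
    findings: List[Tuple[str, str]] = []
    for header, cmds in line_stanzas(config).items():
        is_vty = header.split()[1] == "vty"
        has_password = any(c.startswith("password ") for c in cmds)
        has_access_in = any(c.startswith("access-class ") and c.split()[-1] == "in"
                            for c in cmds)
        if is_vty and not has_password:
            findings.append((header, "no password set on a virtual terminal line"))
        if is_vty and not has_access_in:
            findings.append((header, "no inbound access-class: connections are not restricted by source address"))
        if exec_timeout_seconds(cmds) == 0:
            findings.append((header, "exec-timeout 0: idle sessions never time out"))
        if "transport preferred none" not in cmds:
            findings.append((header, "transport preferred none missing: an unrecognized command is treated as a host name"))
    return findings


if __name__ == "__main__":
    for header, finding in audit_lines(SAMPLE_CONFIG):
        print(f"{header}: {finding}")
```

On the sample, line vty 0 4 passes every check, line vty 5 9 fails all four, and line 0 is flagged for exec-timeout 0 0, which the manual defines as no timeout at all.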
To set the terminal screen length, use the length line configuration subcommand. The full syntax of the command follows.
length screen-length
The argument screen-length is the number of lines on the screen. The network server uses this value to determine when to pause during multiple-screen output. The default length is 24 lines. A value of zero disables pausing between screens of output.
The no length command is the same as entering the command length 0.
To enable the terminal to notify the user about pending output, use the notify line subcommand. The full syntax of the command follows.
notify
The notify subcommand sets a line to inform a user who has multiple, concurrent Telnet connections when output is pending on a connection other than the current connection.
The no notify line configuration subcommand ends notification and is the default.
To set the padding on characters, use the padding line configuration subcommand. The full syntax of the command follows.
padding decimal-number count
The padding subcommand sets padding for a specified output character. The argument decimal-number is the ASCII decimal representation of the character, and the argument count is the number of NUL bytes sent after that character.
The no padding line configuration subcommand removes padding for the specified output character.
The following command pads Return (ASCII character 13) with 25 NUL bytes:
padding 13 25
This section lists all of the global system configuration commands in alphabetical order.
[no] banner {motd|exec|incoming} c text c
Displays the message that the EXEC command interpreter displays whenever a user starts any EXEC process or activates a line. The motd, exec, and incoming keywords control when the banner message is displayed. The argument c specifies a delimiting character of your choice. The argument text specifies the message to be shown on the screen whenever an interface line is activated.
[no] boot buffersize bytes
Specifies the size of the buffer to be used for netbooting a host or a network configuration file. The argument bytes by default is the size of your nonvolatile memory, or 32 kilobytes if you do not have nonvolatile memory. There is no minimum or maximum size that can be specified.
[no] boot host filename [address]
Specifies the host configuration filename. The argument filename is the new name for the host configuration file. If you omit the argument address, the network server uses the default broadcast address of 255.255.255.255. The optional argument address allows you to specify a specific network host or a subnet broadcast address.
[no] boot network filename [address]
Specifies the network configuration filename. The argument filename is the new name for the network configuration file. If you omit the optional argument address, the network server uses the default broadcast address of 255.255.255.255. The optional argument address allows you to specify a specific network host or a subnet broadcast address.
[no] boot system filename [address]
Specifies a second operating software image from a file that is not in nonvolatile memory. The argument filename is the filename of the operating software to load, and the optional argument address is the address of the network host holding that file.
[no] boot system flash filename
Same as boot system filename [address] except that the system is booted from Flash memory. Specify a name to associate with the image from Flash memory with the filename parameter.
[no] boot system rom
Automatically boots the system from the ROM system image. This command is usually used as a backup to other boot system commands that specify system images that exist either on the network or in Flash memories.
[no] buffers {small|middle|big|large|huge} {permanent|max-free|min-free|initial} number
Allows a network administrator to adjust initial buffer pool settings and set limits at which temporary buffers are created and destroyed. The first keyword denotes the size of buffers in the pool; the default number of the buffers in a pool is determined by the hardware configuration. The second keyword specifies the buffer management parameter to be changed, as follows:
The argument number specifies the number of buffers to be allocated.
The no buffers command with appropriate keywords and arguments restores the default buffer values.
[no] buffers huge size number
Dynamically resizes all huge buffers to the value that you supply. The buffer size cannot be lowered below the default. The argument number specifies the number of buffers to be allocated. The no version of the command with the keyword and argument restores the default buffer values.
copy flash tftp
Copies a Flash TFTP image back to a TFTP server.
copy tftp flash
Copies a TFTP image into the current Flash configuration.
default-value exec-character-bits {8|7}
Configures the character widths of EXEC and configuration command characters. The default value is 7 bits, which results in the use of a 7-bit ASCII character set. Configuring the EXEC character width to 8 bits allows you to add special graphical and international characters in banners, prompts, and so forth.
default-value special-character-bits {8|7}
Configures the number of characters used in special characters such as software flow control, hold, escape, and disconnect characters. The default special-character width is 7. Configuring the width to 8 allows you to use twice as many special characters as with the 7-bit setting.
enable
Allows you to enter the privileged command level.
enable password password
Assigns a password for the privileged command level. The argument password is case sensitive and specifies the password prompted for in response to the EXEC command enable.
[no] enable last-resort {succeed|password}
Allows you to specify what happens if the TACACS servers used by the enable command do not respond. The default action is to fail. The keywords change this default action:
The no version of the command restores the default.
[no] enable use-tacacs
Enables or disables use of TACACS to check the user ID and password supplied to the EXEC enable command.
hostname name
Specifies the name for the network server. The default is Router.
[no] logging internet-address
Identifies a syslog server host to receive logging messages. The argument internet-address is the Internet address of the host. The no logging command deletes the syslog server with the specified address from the list of syslogs.
[no] logging buffered
Copies logging messages to an internal buffer instead of writing them to the console. The no version of the command cancels this behavior and writes messages to the console terminal; this is the default.
[no] logging console level
Limits the logging of messages displayed on the console terminal to messages with a level at or above the specified severity, which is specified by the level argument. The argument level can be one of the following keywords, listed here in order from the most severe to the least severe level.
The no logging console command disables logging to the console terminal.
[no] logging monitor level
Limits the logging messages displayed on terminal lines other than the console line to messages with a level at or above level. The argument level is one of the keywords described for the logging console command. The no logging monitor command disables logging to terminal lines other than the console line.
[no] logging on
Enables or disables message logging to all supported destinations except the console. Enabled message logging is the default.
[no] logging trap level
Limits the logging messages sent to syslog servers to messages with a level at or above level. The argument level is one of the keywords described for the logging console command.
[no] service keyword
Tailors the network server's use of network-based services. The argument keyword is one of the following:
The no service command disables the specified service or function.
no snmp-server
Disables the SNMP operations.
[no] snmp-server access-list list
Sets up an access list that determines which hosts can send requests to the network server. The argument list is an integer from 1 through 99 that specifies an IP access list.
[no] snmp-server community string [RO|RW] [list]
Enables or disables SNMP server operation on the network server. The argument string specifies a community string that acts like a password and permits access to the SNMP protocol.
Sets the system contact string (syscontact). The text argument is a string that specifies the system contact information.
[no] snmp-server host address community-string [snmp|tty]
Specifies which host or hosts should receive TRAP messages. Issue the snmp-server host command once for each host acting as a TRAP recipient. The argument address is the name or Internet address of the host. The argument community-string is the password-like community string set with the snmp-server community command. These optional keywords direct the TRAP:
Sets the system location string. The text argument is a string that specifies the system location information.
[no] snmp-server packetsize bytes
Sets or removes control over the largest SNMP packet size permitted when the SNMP server is receiving a request or generating a reply. The argument bytes is a byte count from 484 through 8192. The default is 484.
[no] snmp-server queue-length length
Defines the length of the message queue for each TRAP host. The argument length is the number of TRAP events that can be held before the queue must be emptied; the default is ten. The no version of the command resets the queue length to the default.
[no] snmp-server system-shutdown
Allows or restricts use of the SNMP message reload feature. The no form of the command prevents an SNMP system shutdown request from resetting the Cisco agent.
[no] snmp-server trap-authentication
Allows or prevents the network server from sending a TRAP message when it receives a packet with an incorrect community string.
[no] snmp-server trap-timeout seconds
Defines how often to try resending TRAP messages on the retransmission queue. The argument seconds sets the interval for resending the messages. The default is set to 30 seconds. The no form of the command restores the default.
[no] tacacs-server attempts count
Controls the number of login attempts that can be made on a line set up for TACACS verification. The argument count is the number of attempts. The default is three attempts.
[no] tacacs-server authenticate {connect|slip|enable}
Specifies that a response is required from the network or communication server to indicate whether the user can perform the indicated action. Actions that require a response include the following:
The no form of the command disables the action.
[no] tacacs-server extended
Enables or disables an extended TACACS mode. This mode provides information about the terminal requests for use in setting up UNIX auditing trails and accounting files for tracking use of terminal servers and routers.
[no] tacacs-server host name
Specifies a TACACS host. The argument name is the name or Internet address of the host. You can use multiple commands to specify multiple hosts.
[no] tacacs-server last-resort {password|succeed}
Causes the network server to request the privileged password as verification, or forces successful login without further input from the user, depending upon the keyword specified.
The no form of the command disables the action.
[no] tacacs-server notify {connect|slip|enable|logout}
Causes a message to be transmitted to the TACACS server, with retransmission being performed by a background process for up to five minutes. The keywords specify notification of the TACACS server whenever a user does one of the following:
The no form of the command disables the messages.
tacacs-server optional-passwords
Specifies that the first TACACS request to a TACACS server is made without password verification. This applies to all TACACS requests (login, SLIP, enable, and so on).
[no] tacacs-server retransmit retries
Specifies the number of times the network server searches the list of TACACS server hosts before giving up. The argument retries is the retransmit count. The default is two retries. The no form of the command restores the default.
[no] tacacs-server timeout seconds
Sets the interval the network server waits for a TACACS server host to reply. The argument seconds specifies the number of seconds. The default interval is five seconds. The no form of the command restores the default.
[no] tftp-server system filename ip-access-list
Specifies or removes TFTP server operation for a communication server. The argument filename is the name given to the network server ROM file, and the argument ip-access-list is an IP access list number.
username name [nopassword|password encryptiontype password]
username name [accesslist number]
username name [autocommand command]
username name [noescape] [nohangup]
Creates special-case user name-based authentications. Multiple username commands can be used to specify options for a single user.
The nopassword keyword means that no password is required for this user to log in. This is usually most useful in combination with the autocommand keyword.
The password keyword specifies a possibly encrypted password for this user name.
The encryptiontype argument is a single-digit number. Currently defined encryption types are 0, which means no encryption, and 7, which specifies a Cisco-defined encryption algorithm. Passwords entered unencrypted are written out with the Cisco encryption. Passwords can contain embedded spaces and must be the last option specified in the username command.
The accesslist keyword specifies an outgoing access list that overrides the access list specified in the access-class line configuration subcommand. It is used for the duration of the user's session. The access list number is specified by the number argument.
The autocommand keyword causes the command specified by the command argument to be issued automatically after the user logs in. When the command is complete, the session is terminated. As the command can be any length and contain embedded spaces, commands using the autocommand keyword must be the last option on the line.
The noescape keyword prevents a user from using an escape character on the host to which he is connected.
The nohangup keyword prevents the network server from disconnecting the user after an automatic command (set up with the autocommand keyword) has completed. Another login prompt is provided to the user.
This section contains a summary of all the line configuration subcommands in alphabetical order.
[no] access-class list {in|out}
Restricts or permits connections on a line or group of lines to certain Internet addresses. The argument list is an integer from 1 through 99 that identifies a specific access list of Internet addresses. The keyword in applies to incoming connections; the keyword out applies to outgoing Telnet connections.
[no] escape-character decimal-number
Sets or removes the escape character on the specified line. The argument decimal-number is either the ASCII decimal representation of the character or a control sequence (Ctrl-E, for example). The default escape character is Ctrl-^.
[no] exec-banner
Enables or disables a banner. By default, a banner is displayed on the console. To suppress display of a banner, enter the no variation of the command.
Configures the character widths of EXEC and configuration command characters. The default value is 7 bits, which results in the use of a 7-bit ASCII character set. Configuring the EXEC character width to 8 allows you to add special graphical and international characters in banners, prompts, and so forth.
[no] exec-timeout minutes [seconds]
Sets the interval the EXEC waits for user input before resuming the current connection, or if no connections exist, before returning the terminal to the idle state and disconnecting the incoming session. The argument minutes is the number of minutes, and the optional argument seconds specifies additional interval time in seconds. The default interval is ten minutes; an interval of zero specifies no time-outs. The no form of the command restores the default.
[no] length screen-length
Sets the terminal screen length. The argument screen-length is the number of lines on the screen. The network server uses this value to determine when to pause during multiple-screen output. The default length is 24 lines. A value of 0 (zero) or the no form of the command disables pausing between screens of output.
line [type-keyword] first-line [last-line]
Identifies a specific line for configuration and starts line configuration command collection. The optional argument type-keyword specifies the type of line to be configured; it can be console, aux, or vty. When the line type is specified, the argument first-line is the relative number of the terminal line (or the first line in a contiguous group) you want to configure. The optional argument last-line is the relative number of the last line in a contiguous group you want to configure. If you omit type-keyword, then first-line and last-line are absolute rather than relative line numbers.
line aux port-address
This variation of the line command configures the auxiliary port. When configuring the auxiliary port, address it as line 0.
[no] location text
Enters or removes information-only data about the terminal location and/or status. The argument text is the desired description.
[no] login
Enables or disables password checking for the password specified by the password command.
[no] login tacacs
Causes the TACACS user ID and password checking mechanism to be used instead of the regular password checking. The no form of the command disables this mechanism.
[no] notify
Enables or disables line notification of a user who has multiple, concurrent Telnet connections when output is pending on a connection other than the current line.
[no] padding decimal-number count
Sets or unsets padding for a specified output character. The argument decimal-number is the ASCII decimal representation of the character, and the argument count is the number of NUL bytes sent after that character.
[no] password text
Specifies a password. The text argument specifies a password. It can contain any alphanumeric characters, including spaces, up to 80 characters. The no version of the command removes the specified password.
[no] service password-encryption
Controls whether privileged command and line passwords are encrypted. The no version of the command turns off password encryption.
Configures the number of characters used in special characters such as software flow control, escape characters, and so forth. The default special-character width is 7. Configuring the width to 8 bits allows you to use twice as many special characters as with the 7-bit setting.
[no] vacant-message [c message c]
Controls whether or not a banner is displayed on the screen of an idle terminal. The command without any arguments causes the default message to be displayed. The no vacant-message command suppresses a banner message. To display a banner, follow vacant-message with one or more blank spaces and a delimiting character (c) that you choose, then type one or more lines of text (message), and terminate the text with the second occurrence of the delimiting character.
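As an added example (not code from this manual or from Cisco), the following Python script audits a constructed running-config against the settings described in the global command summary above (username, service password-encryption, snmp-server community, snmp-server trap-authentication, tacacs-server last-resort) and in the line subcommand summary (access-class, exec-timeout, login, password). The configuration text, the host address and the passwords are placeholders made up for the example; the checks encode the behaviour the command entries describe, so a reviewer can see which entries leave a device open to unauthenticated or unrestricted access.

```python
import re
from typing import List, Optional, Tuple

Finding = Tuple[str, str]  # (scope, description)

# Constructed sample running-config for this example; names, addresses and
# passwords are placeholders, not taken from any real device.
SAMPLE_CONFIG = """\
no service password-encryption
username admin password 0 letmein
username ops password 7 DEADBEEF00
username guest nopassword autocommand show users
snmp-server community public RO
snmp-server community private RW
snmp-server community ops RW 10
no snmp-server trap-authentication
tacacs-server host 192.0.2.20
tacacs-server last-resort succeed
line con 0
 exec-timeout 0 0
 login
line vty 0 4
 password vtypass
 login
 exec-timeout 0 0
line vty 5 15
 access-class 10 in
 password vtypass
 login tacacs
 exec-timeout 5 0
"""

def split_blocks(config: str) -> Tuple[List[str], List[Tuple[str, List[str]]]]:
    """Global statements, plus each 'line' block with its indented subcommands."""
    global_stmts: List[str] = []
    blocks: List[Tuple[str, List[str]]] = []
    current: Optional[Tuple[str, List[str]]] = None
    for raw in config.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue                       # skip blanks and comments
        if raw.startswith(" "):            # indented: belongs to the current line block
            if current is not None:
                current[1].append(raw.strip())
            continue
        current = None
        if raw.startswith("line "):
            current = (raw.strip(), [])
            blocks.append(current)
        else:
            global_stmts.append(raw.strip())
    return global_stmts, blocks

def audit_globals(stmts: List[str]) -> List[Finding]:
    out: List[Finding] = []
    for s in stmts:
        if s == "no service password-encryption":
            out.append(("global", "password encryption off: line and enable passwords are stored in clear text"))
        elif s == "no snmp-server trap-authentication":
            out.append(("global", "authentication-failure TRAPs disabled: bad community strings go unreported"))
        elif s == "tacacs-server last-resort succeed":
            out.append(("global", "last-resort succeed: logins succeed without a password when no TACACS host answers"))
        m = re.match(r"username (\S+) (nopassword|password (\d) \S+)", s)
        if m and m.group(2) == "nopassword":
            out.append(("global", f"user {m.group(1)} can log in without a password"))
        elif m and m.group(3) == "0":
            out.append(("global", f"user {m.group(1)} has a clear-text (type 0) password"))
        m = re.match(r"snmp-server community (\S+)(?: (RO|RW))?(?: (\d+))?$", s)
        if m:
            community, mode, acl = m.groups()
            if community.lower() in ("public", "private"):
                out.append(("global", f"SNMP community '{community}' is a well-known default"))
            if mode == "RW" and acl is None:   # RW with no snmp-server access list
                out.append(("global", f"SNMP RW community '{community}' has no access list"))
    return out

def audit_line_block(header: str, stmts: List[str]) -> List[Finding]:
    out: List[Finding] = []
    if "login" in stmts and not any(s.startswith("password ") for s in stmts):
        out.append((header, "login enabled but no password is set on the line"))
    if any(re.fullmatch(r"exec-timeout 0( 0)?", s) for s in stmts):
        out.append((header, "exec-timeout 0: idle sessions are never disconnected"))
    if header.startswith("line vty") and not any(re.fullmatch(r"access-class \d+ in", s) for s in stmts):
        out.append((header, "vty lines accept connections from any address (no inbound access-class)"))
    return out

def audit_config(config: str) -> List[Finding]:
    """Run every check and return the findings in configuration order."""
    global_stmts, blocks = split_blocks(config)
    findings = audit_globals(global_stmts)
    for header, stmts in blocks:
        findings.extend(audit_line_block(header, stmts))
    return findings

if __name__ == "__main__":
    for scope, desc in audit_config(SAMPLE_CONFIG):
        print(f"{scope:14} {desc}")
```

Running the script on the sample prints twelve findings: eight from the global commands and two each for line con 0 and line vty 0 4, while line vty 5 15 (inbound access-class, login tacacs, non-zero exec-timeout) produces none. The parser relies only on the indentation convention the line command introduces, so the same checks apply to any configuration written in this chapter's syntax.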