Table Of Contents
ip http client secure-ciphersuite
ip http client secure-trustpoint
ip http client source-interface
ip sla monitor apm lowWaterMark
ip sla monitor reaction-configuration
ip sla monitor reaction-trigger
ip sla monitor responder type frame-relay
ip sla monitor responder type tcpConnect ipaddress
ip sla monitor responder type udpEcho ipaddress
ip sla monitor slm frame-relay statistics
logging enable (config-archive-log)
logging size (config-archive-log)
ip ftp password
To specify the password to be used for File Transfer Protocol (FTP) connections, use the ip ftp password command in global configuration mode. To return the password to its default, use the no form of this command.
ip ftp password [type] password
no ip ftp password
Syntax Description
type
(Optional) Type of encryption to use on the password. A value of 0 disables encryption. A value of 7 indicates proprietary encryption.
password
Password to use for FTP connections.
Defaults
The router forms a password username@routername.domain. The variable username is the username associated with the current session, routername is the configured host name, and domain is the domain of the router.
Command Modes
Global configuration
Command History
Examples
The following example configures the router to use the username "red" and the password "blue" for FTP connections:
Router(config)# ip ftp username red
Router(config)# ip ftp password blue
Related Commands
ip ftp source-interface
To specify the source IP address for File Transfer Protocol (FTP) connections, use the ip ftp source-interface command in global configuration mode. To use the address of the interface where the connection is made, use the no form of this command.
ip ftp source-interface interface
no ip ftp source-interface
Syntax Description
Defaults
The FTP source address is the IP address of the interface the FTP packets use to leave the router.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to set the same source address for all FTP connections.
Examples
The following example configures the router to use the IP address associated with Ethernet interface 0 as the source address on all FTP packets, regardless of which interface is actually used to send the packet:
ip ftp source-interface ethernet 0
Related Commands
ip ftp username
To configure the username for File Transfer Protocol (FTP) connections, use the ip ftp username command in global configuration mode. To configure the router to attempt anonymous FTP, use the no form of this command.
ip ftp username username
no ip ftp username
Syntax Description
Defaults
The Cisco IOS software attempts an anonymous FTP.
Command Modes
Global configuration
Command History
Usage Guidelines
The remote username must be associated with an account on the destination server.
Examples
In the following example, the router is configured to use the username "red" and the password "blue" for FTP connections:
Router(config)# ip ftp username red
Router(config)# ip ftp password blue
Related Commands
ip http access-class
To specify the access list that should be used to restrict access to the HTTP server, use the ip http access-class command in global configuration mode. To remove a previously configured access list association, use the no form of this command.
ip http access-class access-list-number
no ip http access-class access-list-number
Syntax Description
access-list-number
Standard IP access list number in the range 0 to 99, as configured by the access-list global configuration command.
Defaults
No access list is applied to the HTTP server.
Command Modes
Global configuration
Command History
Usage Guidelines
If this command is configured, the specified access list is assigned to the HTTP server. Before the HTTP server accepts a connection, it checks the access list. If the check fails, the HTTP server does not accept the request for a connection.
Examples
In the following example the access list identified as "20" is defined and assigned to the HTTP server:
Router(config)# ip access-list standard 20
Router(config-std-nacl)# permit 209.165.202.0 0.0.0.255
Router(config-std-nacl)# permit 209.165.0.0 0.0.255.255
Router(config-std-nacl)# permit 209.0.0.0 0.255.255.255
! (Note: all other access implicitly denied)
Router(config-std-nacl)# exit
Router(config)# ip http access-class 20
Related Commands
ip http authentication
To specify a particular authentication method for HTTP server users, use the ip http authentication command in global configuration mode. To disable a configured authentication method, use the no form of this command.
ip http authentication {aaa {command-authorization level listname | exec-authorization listname | login-authentication listname} | enable | local | tacacs}
no ip http authentication {aaa {command-authorization level listname | exec-authorization listname | login-authentication listname} | enable | local | tacacs}
Syntax Description
Defaults
The "enable" password is required when users (clients) connect to the HTTP server.
Three command privilege levels exist on the router.
Command Modes
Global configuration
Command History
Release Modification
11.2 F
This command was introduced.
12.3(8)T
The tacacs keyword was removed. The command-authorization, exec-authorization, and login-authentication keywords were added.
Usage Guidelines
The ip http authentication command specifies the authentication method to be used for login when a client connects to the HTTP server. Use of the ip http authentication aaa command option is recommended. The enable, local, and tacacs methods should be specified using the aaa authentication login command.
The "enable" password method is the default HTTP server authentication method. If the enable password is used as the HTTP server login authentication method, the client connects to the HTTP server with a default privilege level of 15.
Note: When the "enable" password is used as the HTTP server login authentication method, any username entered will be ignored; the server will only verify the "enable" password. This may make it easier for an attacker to access the router. Because a username and password pair is more secure than using only a password for authentication, using only the "enable" password for authentication is strongly discouraged. Instead, use of the local or tacacs authentication options, configured as part of a global Authentication, Authorization, and Accounting (AAA) framework, is recommended.
To configure HTTP access as part of an AAA policy, use the ip http authentication aaa command option. The "local", "tacacs", or "enable" authentication methods should then be configured using the aaa authentication login command. For information about adding users into the local username database, refer to the Cisco IOS Security Configuration Guide.
Examples
The following example specifies that the method configured for AAA should be used for authentication for HTTP server users. The AAA login method is configured as the "local" username/password authentication method. This example specifies that the local username database be used for login authentication and exec authorization of HTTP sessions:
router(config)# aaa authentication login LOCALDB local
router(config)# aaa authorization exec LOCALDB local
router(config)# ip http authentication aaa login-authentication LOCALDB
router(config)# ip http authentication aaa exec-authorization LOCALDB
Related Commands
ip http client connection
To configure the HTTP client connection, use the ip http client connection command in global configuration mode. To change or remove a configuration, use the no form of this command.
ip http client connection {forceclose | idle timeout seconds | timeout seconds}
no ip http client connection {forceclose | idle timeout seconds | timeout seconds}
Syntax Description
Defaults
Persistent connection maintenance is enabled.
30 second idle timeout
10 second maximum timeout
0 retry attempts
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to configure the characteristics for establishing an HTTP client connection.
Examples
The following example configures the default HTTP client persistent connection for a 15 second idle connection period. The maximum time the HTTP client will wait for a connection is 10 seconds.
Router(config)# ip http client connection idle timeout 15
Related Commands
ip http client password
To configure the default password used for connections to remote HTTP servers, use the ip http client password command in global configuration mode. To remove a configured default password from the configuration, use the no form of this command.
ip http client password password
no ip http client password password
Syntax Description
password
The password string to be used in HTTP client connection requests sent to remote HTTP servers.
Defaults
No default password exists for the HTTP connections.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is used to configure a default password before a file is downloaded from a remote web server using the copy http:// or copy https:// command. The default password will be overridden by a password specified in the URL of the copy command.
The password is encrypted in the configuration files.
Examples
In the following example the default HTTP password is configured as Secret and the default HTTP username is configured as User2 for connections to remote HTTP or Secure HTTP (HTTPS) servers:
Router(config)# ip http client password Secret
Router(config)# ip http client username User2
Router(config)# do show running-config | include ip http client
Related Commands
ip http client proxy-server
To configure an HTTP proxy server, use the ip http client proxy-server command in global configuration mode. To disable or change the proxy server, use the no form of this command.
ip http client proxy-server proxy-name | ip-address [proxy-port port-number]
no ip http client proxy-server proxy-name | ip-address [proxy-port port-number]
Syntax Description
proxy-name | ip-address
Name or IP address for the proxy server.
proxy-port port-number
(Optional) Specifies a port number on the remote proxy server.
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
This command configures the HTTP client to connect to a remote proxy server for HTTP file system client connections.
The optional proxy-port port-number keyword and argument specify the proxy port number on the remote proxy server.
Examples
The following example configures the HTTP proxy server named edge2 at port 29:
Router(config)# ip http client proxy-server edge2 proxy-port 29
Related Commands
ip http client secure-ciphersuite
To specify the CipherSuite that should be used for encryption over the secure HTTP connection from the client to a remote server, use the ip http client secure-ciphersuite command in global configuration mode. To remove a previously configured CipherSuite specification for the client, use the no form of this command.
ip http client secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]}
no ip http client secure-ciphersuite
Syntax Description
Defaults
The client and server negotiate the best CipherSuite that they both support from the list of available CipherSuites.
Command Modes
Global configuration
Command History
Usage Guidelines
This command allows you to restrict the list of CipherSuites (encryption algorithms) that the client offers when connecting to a secure HTTP server. For example, you may want to allow only the most secure CipherSuite(s) to be used.
If you have no reason to specify the CipherSuites that should be used, or if you are unfamiliar with the details of these CipherSuites, you should leave this command unconfigured and let the server and client negotiate the CipherSuite that they both support (this is the default). The no form of this command returns the list of available CipherSuites to the default (that is, all CipherSuites supported on your device are available for negotiation).
Examples
In the following example the HTTPS client is configured to use only the SSL_RSA_WITH_3DES_EDE_CBC_SHA CipherSuite:
Router(config)# ip http client secure-ciphersuite 3des-ede-cbc-sha
Related Commands
Command Description
show ip http client secure status
Displays the configuration status of the secure HTTP client.
ip http client secure-trustpoint
To specify the remote certificate authority (CA) trustpoint that should be used if certification is needed for the secure HTTP client, use the ip http client secure-trustpoint command in global configuration mode. To remove a client trustpoint from the configuration, use the no form of this command.
ip http client secure-trustpoint trustpoint-name
no ip http client secure-trustpoint trustpoint-name
Syntax Description
trustpoint-name
Name of a configured trustpoint. Use the same trustpoint name that was used in the associated crypto ca trustpoint command.
Defaults
If the remote HTTPS server requests client certification, the secure HTTP client will use the trustpoint configured as primary in the CA trustpoint configuration.
If a trustpoint is not configured, client certification will fail.
Command Modes
Global configuration
Command History
Usage Guidelines
This command specifies that the secure HTTP client should use the certificate associated with the trustpoint indicated by the trustpoint-name argument. Use the same trustpoint name that you used in the associated crypto ca trustpoint command.
The specified X.509v3 security certificate will be used by the secure HTTP (HTTPS) client for cases when the remote HTTPS server requires client authorization.
Use of this command assumes you have already declared a CA trustpoint using the crypto ca trustpoint command and associated sub-mode commands. If the remote HTTPS server requires client authorization and a trustpoint is not configured for the client, the remote HTTPS server will reject the connection.
If this command is not used, the client will attempt to use the certificate associated with the primary trustpoint. The primary trustpoint is configured using the primary CA TrustPoint configuration mode command.
Examples
In the following example the CA trustpoint is configured and then referenced in the secure HTTP client configuration:
!The following commands specify a CA trustpoint that can be used
!to obtain an X.509v3 security certificate.
Router(config)# crypto ca trustpoint tp1
Router(config-ca)# enrollment url http://host1:80
Router(config-ca)# exit
!The following command is used to actually obtain the security certificate.
!A trustpoint NAME is used because there could be multiple trustpoints
!configured for the router.
Router(config)# crypto ca enroll tp1
!The following command specifies that the secure HTTP client
!should use the certificate associated with the tp1 trustpoint for HTTPS connections.
Router(config)# ip http client secure-trustpoint tp1
Related Commands
ip http client source-interface
To configure a source interface for the HTTP client, use the ip http client source-interface command in global configuration mode. To change or disable the source interface, use the no form of this command.
ip http client source-interface interface-id
no ip http client source-interface interface-id
Syntax Description
Defaults
No default behavior or values
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to specify a source interface to use for HTTP connections.
Examples
The following example configures the source interface as Ethernet 0/1:
Router(config)# ip http client source-interface Ethernet 0/1
Related Commands
ip http client username
To configure the default username used for connections to remote HTTP servers, use the ip http client username command in global configuration mode. To remove a configured default HTTP username from the configuration, use the no form of this command.
ip http client username username
no ip http client username username
Syntax Description
username
The username string (login name) to be used in HTTP client connection requests sent to remote HTTP servers.
Defaults
No default username exists for the HTTP connections.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is used to configure a default username before a file is copied to or from a remote web server using the copy http:// or copy https:// command. The default username will be overridden by a username specified in the URL of the copy command.
Examples
In the following example, the default HTTP password is configured as Secret and the default HTTP username is configured as User1 for connections to remote HTTP or Secure HTTP (HTTPS) servers:
Router(config)# ip http client password Secret
Router(config)# ip http client username User1
Related Commands
ip http max-connections
To configure the maximum number of concurrent connections allowed for the HTTP server, use the ip http max-connections command in global configuration mode. To return the maximum connection value to the default, use the no form of this command.
ip http max-connections value
no ip http max-connections value
Syntax Description
Defaults
5 concurrent HTTP connections.
Command Modes
Global configuration
Command History
Usage Guidelines
Platform-specific implementations can supersede the upper range limit of 16.
If a new value is configured that is less than the previously configured value while the current number of connections exceeds the new maximum value, the HTTP server will not abort any of the current connections. However, the server will not accept any new connections until the current number of connections falls below the new configured value.
Examples
In the following example the HTTP server is configured to allow up to 10 simultaneous connections:
Router(config)# ip http server
Router(config)# ip http max-connections 10
Related Commands
Command Description
ip http server
Enables the HTTP 1.1 server, including the Cisco web browser user interface.
ip http path
To specify the base path used to locate files for use by the HTTP server, use the ip http path command in global configuration mode. To disable the HTTP server, use the no form of this command.
ip http path url
no ip http path url
Syntax Description
url
Cisco IOS File System (IFS) Uniform Resource Locator (URL) specifying the location of the HTML files used by the HTTP server.
Defaults
The HTTP server is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
After enabling the HTTP server, you should set the base path by specifying the location of the HTML files to be served. HTML files used by the HTTP web server typically reside in system Flash memory.
Remote URLs can be specified using this command, but use of remote path names (for example, where HTML files are located on a remote TFTP server) is not recommended.
Examples
In the following example, the HTML files are located in the default Flash location on the system:
Router(config)# ip http path flash:
In the following example, the HTML files are located in the directory named web on the Flash memory card inserted in slot 0:
Router(config)# ip http path slot0:web
Related Commands
Command Description
ip http server
Enables the HTTP server, including the Cisco web browser user interface.
ip http port
To specify the port number to be used by the HTTP server, use the ip http port command in global configuration mode. To return the port number to the default, use the no form of this command.
ip http port port-number
no ip http port port-number
Syntax Description
port-number
The port number to be used for the HTTP server. Valid values are 80 or any value from 1024 to 65535. The default is 80.
Defaults
The HTTP server uses port 80.
Command Modes
Global configuration
Command History
Release Modification
11.2
This command was introduced.
12.2(15)T
This command was modified to restrict port numbers. The port number 443 is now reserved for HTTPS (HTTP over SSL) connections.
Usage Guidelines
HTTP port 80 is the standard port used by web servers.
Examples
In the following example the HTTP server port is changed to port 8080.
Router(config)# ip http server
Router(config)# ip http port 8080
Related Commands
Command Description
ip http server
Enables the HTTP 1.1 server, including the Cisco web browser user interface.
ip http secure-ciphersuite
To specify the CipherSuites that should be used by the secure HTTP server when negotiating a connection with a remote client, use the ip http secure-ciphersuite command in global configuration mode. To return the configuration to the default set of CipherSuites, use the no form of this command.
ip http secure-ciphersuite {[3des-ede-cbc-sha] [rc4-128-sha] [rc4-128-md5] [des-cbc-sha]}
no ip http secure-ciphersuite
Syntax Description
Defaults
The HTTPS server negotiates the best CipherSuite using the list received from the connecting client.
Command Modes
Global configuration
Command History
Usage Guidelines
This command is used to restrict the list of CipherSuites (encryption algorithms) that should be used for encryption over the HTTPS connection. For example, you may want to allow only the most secure CipherSuite(s) to be used.
If you have no reason to specify the CipherSuites that should be used, or if you are unfamiliar with the details of these CipherSuites, you should leave this command unconfigured and let the server and client negotiate the CipherSuite that they both support (this is the default).
The supported CipherSuites vary by Cisco IOS software image. For example, "IP Sec56" ("k8") images support only the SSL_RSA_WITH_DES_CBC_SHA CipherSuite in Cisco IOS Release 12.2T.
In terms of router processing load (speed), the following list ranks the CipherSuites from fastest to slowest (slightly more processing time is required for the more secure and more complex CipherSuites):
1. SSL_RSA_WITH_DES_CBC_SHA
2. SSL_RSA_WITH_RC4_128_MD5
3. SSL_RSA_WITH_RC4_128_SHA
4. SSL_RSA_WITH_3DES_EDE_CBC_SHA
Additional information about these CipherSuites can be found online from sources that document the Secure Socket Layer (SSL) 3.0 protocol.
Examples
The following example restricts the CipherSuites offered to a connecting secure web client:
Router(config)# ip http secure-ciphersuite rc4-128-sha rc4-128-md5
Related Commands
Command Description
ip http secure-server
Enables the secure HTTP (HTTPS) server.
show ip http server secure status
Displays the configuration status of the secure HTTP server.
ip http secure-client-auth
To configure the secure HTTP server to authenticate connecting clients, use the ip http secure-client-auth command in global configuration mode. To remove the requirement for client authorization, use the no form of this command.
ip http secure-client-auth
no ip http secure-client-auth
Syntax Description
This command has no arguments or keywords.
Defaults
Disabled (that is, client authentication is not required for connections to the secure HTTP server).
Command Modes
Global configuration
Command History
Usage Guidelines
This command configures the HTTP server to request an X.509v3 certificate from the client in order to authenticate the client during the connection process.
In the default connection and authentication process, the client requests a certificate from the HTTP server, but the server does not attempt to authenticate the client. Authenticating the client provides more security than server authentication by itself, but not all web clients may be configured for certificate authority (CA) authentication.
Examples
In the following example the secure web server is enabled and the server is configured to accept connections only from clients with a signed security certificate:
Router(config)# no ip http server
Router(config)# ip http secure-server
Router(config)# ip http secure-client-auth
Related Commands
Command Description
ip http secure-server
Enables the secure HTTP (HTTPS) server.
show ip http server secure status
Displays the configuration status of the secure HTTP server.
ip http secure-port
To specify the port (socket) to be used for connections to the secure HTTP (HTTPS) server, use the ip http secure-port command in global configuration mode. To return the secure HTTP server port number to the default, use the no form of this command.
ip http secure-port port-number
no ip http secure-port
Syntax Description
port-number
Port number that should be used for the secure HTTP server. The default port number is 443. Valid options are 443 or any number in the range 1025 to 65535.
Defaults
Port 443
Command Modes
Global configuration
Command History
Examples
The following example changes the port for HTTPS server connections from 443 to 1025:
Router(config)# ip http secure-port 1025
mw-6(config)#no ip http secure-port ?
<cr>
Related Commands
ip http secure-server
To enable the secure HTTP web server, use the ip http secure-server command in global configuration mode. To disable the secure HTTP server, use the no form of this command.
ip http secure-server
no ip http secure-server
Syntax Description
This command has no arguments or keywords.
Defaults
The secure HTTP server is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
The secure HTTP server (also called the HTTPS server) uses the Secure Socket Layer (SSL) version 3.0 protocol.
Note: When enabling the secure HTTP server you should always disable the standard HTTP server to prevent insecure connections to the same services. Disable the standard HTTP server using the no ip http server command in global configuration mode (this is a precautionary step; typically, the HTTP server is disabled by default).
If a certificate authority is to be used for certification, you should declare the CA trustpoint on the routing device before enabling the secure HTTP server.
Examples
In the following example the secure HTTP server is enabled, and the (previously configured) CA trustpoint CA_trust_local is specified:
Router# config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip http secure-server
Router(config)# ip http secure-trustpoint CA_trust_local
Router(config)# end
Router# show ip http server secure status
HTTP secure server status: Enabled
HTTP secure server port: 443
HTTP secure server ciphersuite: 3des-ede-cbc-sha des-cbc-sha rc4-128-md5 rc4-12a
HTTP secure server client authentication: Disabled
HTTP secure server trustpoint: CA_trust_local
Related Commands
ip http secure-trustpoint
To specify the certificate authority (CA) trustpoint that should be used for obtaining signed certificates for the secure HTTP server, use the ip http secure-trustpoint command in global configuration mode. To remove a previously specified CA trustpoint, use the no form of this command.
ip http secure-trustpoint trustpoint-name
no ip http secure-trustpoint trustpoint-name
Syntax Description
trustpoint-name
Name of a configured trustpoint. Use the same trustpoint name that was used in the associated crypto ca trustpoint command.
Defaults
The secure HTTP server will use the trustpoint configured as primary in the CA trustpoint configuration.
If a trustpoint is not configured, the secure HTTP server will use a self-signed certificate.
Command Modes
Global configuration
Command History
Usage Guidelines
This command specifies that the secure HTTP server should use the X.509v3 certificate associated with the trustpoint indicated by the trustpoint-name argument. Use the same trustpoint name that you used in the associated crypto ca trustpoint command.
The specified X.509v3 security certificate will be used to authenticate the server to connecting clients, and, if remote client authentication is enabled, to authenticate the connecting clients.
Use of this command assumes you have already declared a CA trustpoint using the crypto ca trustpoint command and associated sub-mode commands. If a trustpoint is not configured, the secure HTTP server will use a self-signed certificate.
If this command is not used, the server will attempt to use the certificate associated with the primary trustpoint. The primary trustpoint is configured using the primary CA TrustPoint configuration mode command.
Examples
In the following example the CA trustpoint is configured, a certificate is obtained, then the certificate is referenced in the secure HTTP server configuration:
!The following commands specify a CA trustpoint that can be used
!to obtain an X.509v3 security certificate.
!A trustpoint NAME is used because there could be multiple trustpoints
!configured for the router.
Router(config)# crypto ca trustpoint tp1
Router(config-ca)# enrollment url http://host1:80
Router(config-ca)# exit
Router(config)# crypto ca authenticate tp1
!The following command is used to actually obtain the security certificate.
Router(config)# crypto ca enroll tp1
Router(config)# ip http secure-server
!The following command specifies that the secure HTTP server
!should use a certificate associated with the TP1 trustpoint for HTTPS connections.
Router(config)# ip http secure-trustpoint tp1
Related Commands
ip http server
To enable the HTTP server on your system, including the Cisco web browser user interface, use the ip http server command in global configuration mode. To disable the HTTP server, use the no form of this command.
ip http server
no ip http server
Syntax Description
This command has no arguments or keywords.
Defaults
The HTTP server is disabled on the Cisco Catalyst 4000 series switch. The HTTP server is enabled for clustering and on the following Cisco switches: Catalyst 3700 series, Catalyst 3750 series, Catalyst 3550 series, Catalyst 3560 series, and Catalyst 2950 series.
Command Modes
Global configuration
Command History
Release Modification
11.2
This command was introduced.
12.2(15)T
The HTTP 1.0 implementation was replaced by the HTTP 1.1 implementation.
The secure HTTP server feature was added.
Usage Guidelines
The HTTP server uses the standard port 80 by default.
Caution: The standard HTTP server and the secure HTTP server can run at the same time on your system. If you enable the secure HTTP server using the ip http secure-server command, you should disable the standard HTTP server using the no ip http server command to ensure that secure data cannot be accessed through the standard HTTP connection.
Examples
In the following example the HTTP server is enabled:
Router(config)# ip http server
Router(config)# ip http path flash:
Related Commands
Command Description
ip http path
Specifies the base path used to locate files for use by the HTTP server.
ip http secure-server
Enables the secure HTTP server.
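The server-side guidance in the ip http access-class, ip http authentication, ip http secure-ciphersuite, ip http secure-server and ip http server sections can be checked against a saved configuration. The following Python script is an added example, not Cisco code; the function names, finding IDs and both sample configurations are constructed for illustration, and it assumes that a configuration with no ip http authentication line uses the "enable" default.

```python
import re

# Strips a CLI prompt such as "Router(config)# " so pasted examples also parse.
PROMPT = re.compile(r"^\S+\(config[^)]*\)#\s*")

# Constructed sample configurations (not taken from a real device).
WEAK_CONFIG = """\
ip http server
ip http secure-server
ip http secure-ciphersuite rc4-128-sha des-cbc-sha
"""
HARDENED_CONFIG = """\
no ip http server
ip http secure-server
ip http secure-ciphersuite 3des-ede-cbc-sha
ip http secure-trustpoint tp1
ip http access-class 20
ip http authentication aaa login-authentication LOCALDB
"""


def parse_http_settings(config):
    """Collect HTTP server settings; later lines override earlier ones."""
    s = {"http": None, "https": False, "acl": None,
         "auth": "enable", "ciphers": None}
    for raw in config.splitlines():
        line = PROMPT.sub("", raw.strip())
        negated = line.startswith("no ")
        words = (line[3:] if negated else line).split()
        if len(words) < 3 or words[:2] != ["ip", "http"]:
            continue  # comments, blank lines, unrelated commands
        key, args = words[2], words[3:]
        if key == "server":
            s["http"] = not negated
        elif key == "secure-server":
            s["https"] = not negated
        elif key == "access-class":
            s["acl"] = args[0] if args and not negated else None
        elif key == "authentication":
            s["auth"] = args[0] if args and not negated else "enable"
        elif key == "secure-ciphersuite":
            s["ciphers"] = args if args and not negated else None
        # "ip http client ..." lines configure the client and are ignored here.
    return s


def audit_http_server(config):
    """Return (finding_id, message) tuples for the documented weak settings."""
    s = parse_http_settings(config)
    findings = []
    if not (s["http"] or s["https"]):
        return findings  # no server explicitly enabled, nothing to check
    if s["http"]:
        findings.append(("HTTP-PLAIN",
                         "standard HTTP server is enabled; use 'no ip http "
                         "server' and serve management over HTTPS only"))
    elif s["http"] is None:
        findings.append(("HTTP-DEFAULT",
                         "no explicit 'no ip http server'; the default is "
                         "platform-dependent, so state it explicitly"))
    if s["acl"] is None:
        findings.append(("NO-ACL",
                         "no 'ip http access-class'; any source address may "
                         "connect to the server"))
    if s["auth"] == "enable":
        # The AAA method list itself is not inspected here.
        findings.append(("AUTH-ENABLE",
                         "'enable' password authentication: usernames are "
                         "ignored and sessions get privilege level 15"))
    if s["https"] and s["ciphers"]:
        weaker = [c for c in s["ciphers"] if c != "3des-ede-cbc-sha"]
        if weaker:
            findings.append(("CIPHER",
                             "CipherSuites ranked below 3des-ede-cbc-sha "
                             "are offered: " + " ".join(weaker)))
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name)
        for fid, msg in audit_http_server(cfg) or [("OK", "no findings")]:
            print("  %-12s %s" % (fid, msg))
```

The CIPHER check follows this page's ranking only; it does not judge whether 3des-ede-cbc-sha itself meets a current cryptographic policy.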
ip http timeout-policy
To configure the parameters for closing connections to the local HTTP server, use the ip http timeout-policy command in global configuration mode. To return the parameters to their defaults, use the no form of this command.
ip http timeout-policy idle seconds life seconds requests value
no ip http timeout-policy
Syntax Description
Defaults
HTTP server connection idle time: 180 seconds (3 minutes)
HTTP server connection life time: 180 seconds (3 minutes)
HTTP server connection maximum requests: 1
Command Modes
Global configuration
Command History
Usage Guidelines
This command sets the characteristics that determine how long a connection to the HTTP server should remain open.
This command may not take effect immediately on any HTTP connections that are open at the time you use this command. In other words, new values for idle time, life time, and maximum requests will apply only to connections made to the HTTP server after this command is issued.
A connection may be closed sooner than the configured idle time if the server is too busy or the limit on the life time or the number of requests is reached.
A connection may be closed sooner than the configured life time if the server is too busy or the limit on the idle time or the number of requests is reached. Also, since the server will not close a connection while actively processing a request, the connection may remain open longer than the specified life time if processing is occurring when the life maximum is reached. In this case, the connection will be closed when processing finishes.
A connection may be closed before the maximum number of requests are processed if the server is too busy or the limit on the idle time or life time is reached.
The ip http timeout-policy command allows you to specify a general access policy to the HTTP server by adjusting the connection timeout values. For example, if you want to maximize throughput for HTTP connections, you should configure a policy that minimizes connection overhead. You can do this by specifying large values for the life and request options so that each connection stays open longer and more requests are processed for each connection.
Another example would be to configure a policy that minimizes the response time for new connections. You can do this by specifying small values for the life and request options so that the connections are quickly released to serve new clients.
A throughput policy would be better for HTTP sessions with dedicated management applications, as it would allow the application to send more requests before the connection is closed, while a response time policy would be better for interactive HTTP sessions, as it would allow more people to connect to the server at the same time without having to wait for connections to become available.
In general, you should configure these options as appropriate for your environment. The value for the idle option should be balanced so that it is large enough not to cause an unwanted request or response timeout on the connection, but small enough that it does not hold a connection open longer than necessary.
Examples
In the following example, a Throughput timeout policy is applied. This configuration would allow each connection to be idle a maximum of 30 seconds (approximately). Each connection will remain open (be "alive") until either the HTTP server has been busy processing requests for approximately 2 minutes (120 seconds) or until approximately 100 requests have been processed.
Router(config)# ip http timeout-policy idle 30 life 120 requests 100
In the following example, a Response Time timeout policy is applied. This configuration would allow each connection to be idle a maximum of 30 seconds (approximately). Each connection will be closed as soon as the first request has been processed.
Router(config)# ip http timeout-policy idle 30 life 30 requests 1
Related Commands
Command Description
ip http server
Enables the HTTP server, including the Cisco web browser user interface.
ip rarp-server
To enable the router to act as a Reverse Address Resolution Protocol (RARP) server, use the ip rarp-server command in interface configuration mode. To restore the interface to the default of no RARP server support, use the no form of this command.
ip rarp-server ip-address
no ip rarp-server ip-address
Syntax Description
Defaults
Disabled
Command Modes
Interface configuration
Command History
Usage Guidelines
This feature makes diskless booting of clients possible between network subnets where the client and server are on separate subnets.
RARP server support is configurable on a per-interface basis, so that the router does not interfere with RARP traffic on subnets that need no RARP assistance.
The Cisco IOS software answers incoming RARP requests only if both of the following two conditions are met:
• The ip rarp-server command has been configured for the interface on which the request was received.
• A static entry is found in the IP ARP table that maps the MAC address contained in the RARP request to an IP address.
Use the show ip arp EXEC command to display the contents of the IP ARP cache.
Sun Microsystems, Inc. makes use of RARP and UDP-based network services to facilitate network-based booting of SunOS on its workstations. By bridging RARP packets and using both the ip helper-address interface configuration command and the ip forward-protocol global configuration command, the Cisco IOS software should be able to perform the necessary packet switching to enable booting of Sun workstations across subnets. Unfortunately, some Sun workstations assume that the sender of the RARP response, in this case the router, is the host that the client can contact to TFTP load the bootstrap image. This causes the workstations to fail to boot.
By using the ip rarp-server command, the Cisco IOS software can be configured to answer these RARP requests, and the client machine should be able to reach its server by having its TFTP requests forwarded through the router that acts as the RARP server.
In the case of RARP responses to Sun workstations attempting to diskless boot, the IP address specified in the ip rarp-server interface configuration command should be the IP address of the TFTP server. In addition to configuring RARP service, the Cisco IOS software must be configured to forward UDP-based Sun portmapper requests to completely support diskless booting of Sun workstations. This can be accomplished using configuration commands of the following form:
ip forward-protocol udp 111
interface interface name
ip helper-address target-address
RFC 903 documents the RARP.
Examples
The following partial example configures a router to act as a RARP server. The router is configured to use the primary address of the specified interface in its RARP responses.
arp 172.30.2.5 0800.2002.ff5b arpa
interface ethernet 0
ip address 172.30.3.100 255.255.255.0
ip rarp-server 172.30.3.100
In the following example, a router is configured to act as a RARP server, with TFTP and portmapper requests forwarded to the Sun server:
! Allow the router to forward broadcast portmapper requests
ip forward-protocol udp 111
! Provide the router with the IP address of the diskless sun
arp 172.30.2.5 0800.2002.ff5b arpa
interface ethernet 0
! Configure the router to act as a RARP server, using the Sun Server's IP
! address in the RARP response packet.
ip rarp-server 172.30.3.100
! Portmapper broadcasts from this interface are sent to the Sun Server.
ip helper-address 172.30.3.100
Related Commands
Command Description
ip forward-protocol
Speeds up flooding of UDP datagrams using the spanning-tree algorithm.
ip helper-address
Forwards UDP broadcasts, including BOOTP, received on an interface.
ip rcmd domain-lookup
To reenable the basic Domain Name Service (DNS) security check for rcp and rsh, use the ip rcmd domain-lookup command in global configuration mode. To disable the basic DNS security check for remote copy protocol (rcp) and remote shell protocol (rsh), use the no form of this command.
ip rcmd domain-lookup
no ip rcmd domain-lookup
Syntax Description
This command has no arguments or keywords.
Defaults
Enabled
Command Modes
Global configuration
Command History
Usage Guidelines
The abbreviation RCMD (remote command) is used to indicate both rsh and rcp.
DNS lookup for RCMD is enabled by default (provided general DNS services are enabled on the system using the ip domain-lookup command).
The no ip rcmd domain-lookup command is used to disable the DNS lookup for RCMD. The ip rcmd domain-lookup command is used to reenable the DNS lookup for RCMD.
DNS lookup for RCMD is performed as a basic security check. This check is performed using a host authentication process. When enabled, the system records the address of the requesting client. That address is mapped to a host name using DNS. Then a DNS request is made for the IP address for that host name. The IP address received is then checked against the original requesting address. If the address does not match with any of the addresses received from DNS, the RCMD request will not be serviced.
This reverse lookup is intended to help protect against spoofing. However, please note that the process only confirms that the IP address is a valid "routable" address; it is still possible for a hacker to spoof the valid IP address of a known host.
The DNS lookup is done after the TCP handshake but before the router (which is acting as a rsh/rcp server) sends any data to the remote client.
The no ip rcmd domain-lookup will turn off DNS lookups for rsh and rcp only. The no ip domain-lookup command takes precedence over the ip rcmd domain-lookup command. This means that if the no ip domain-lookup command is in the current configuration, DNS will be bypassed for rcp and rsh even if the ip rcmd domain-lookup command is enabled.
Examples
In the following example, the DNS security check is disabled for RCMD (rsh/rcp):
Router(config)# no ip rcmd domain-lookup
Related Commands
ip rcmd rcp-enable
To configure the Cisco IOS software to allow remote users to copy files to and from the router using remote copy protocol (rcp), use the ip rcmd rcp-enable command in global configuration mode. To disable rcp on the device, use the no form of this command.
ip rcmd rcp-enable
no ip rcmd rcp-enable
Syntax Description
This command has no arguments or keywords.
Defaults
To ensure security, the router is not enabled for rcp by default.
Command Modes
Global configuration
Command History
Usage Guidelines
To allow a remote user to execute rcp commands on the router, you must also create an entry for the remote user in the local authentication database using the ip rcmd remote-host command.
The no ip rcmd rcp-enable command does not prohibit a local user from using rcp to copy system images and configuration files to and from the router.
To protect against unauthorized users copying the system image or configuration files, the router is not enabled for rcp by default.
Examples
In the following example, the rcp service is enabled on the system, the IP address assigned to the Loopback0 interface is used as the source address for outbound rcp and rsh packets, and access is granted to the user "netadmin3" on the remote host 172.16.101.101:
Router(config)# ip rcmd rcp-enable
Router(config)# ip rcmd source-interface Loopback0
Router(config)# ip rcmd remote-host router1 172.16.101.101 netadmin3
Related Commands
Command Description
ip rcmd remote-host
Creates an entry for the remote user in a local authentication database so that remote users can execute commands on the router using rsh or rcp.
ip rcmd remote-host
To create an entry for the remote user in a local authentication database so that remote users can execute commands on the router using remote shell protocol (rsh) or remote copy protocol (rcp), use the ip rcmd remote-host command in global configuration mode. To remove an entry for a remote user from the local authentication database, use the no form of this command.
ip rcmd remote-host local-username {ip-address | host-name} remote-username [enable [level]]
no ip rcmd remote-host local-username {ip-address | host-name} remote-username [enable [level]]
Syntax Description
Defaults
No entries are in the local authentication database.
Command Modes
Global configuration
Command History
Usage Guidelines
A TCP connection to a router is established using an IP address. Using the host name is valid only when you are initiating an rcp or rsh command from a local router. The host name is converted to an IP address using DNS or host-name aliasing.
To allow a remote user to execute rcp or rsh commands on a local router, you must create an entry for the remote user in the local authentication database. You must also enable the router to act as an rsh or rcp server.
To enable the router to act as an rsh server, issue the ip rcmd rsh-enable command. To enable the router to act as an rcp server, issue the ip rcmd rcp-enable command. The router cannot act as a server for either of these protocols unless you explicitly enable the capacity.
A local authentication database, which is similar to a UNIX .rhosts file, is used to enforce security on the router through access control. Each entry that you configure in the authentication database identifies the local user, the remote host, and the remote user. To permit a remote user of rsh to execute commands in privileged EXEC mode or to permit a remote user of rcp to copy files to the router, specify the enable keyword and level. For information on the enable level, refer to the privilege level global configuration command in the Release 12.2 Cisco IOS Security Command Reference.
An entry that you configure in the authentication database differs from an entry in a UNIX .rhosts file in the following aspect. Because the .rhosts file on a UNIX system resides in the home directory of a local user account, an entry in a UNIX .rhosts file need not include the local username; the local username is determined from the user account. To provide equivalent support on a router, specify the local username along with the remote host and remote username in each authentication database entry that you configure.
For a remote user to be able to execute commands on the router in its capacity as a server, the local username, host address or name, and remote username sent with the remote client request must match values configured in an entry in the local authentication file.
A remote client host should be registered with DNS. The Cisco IOS software uses DNS to authenticate the remote host's name and address. Because DNS can return several valid IP addresses for a host name, the Cisco IOS software checks the address of the requesting client against all of the IP addresses for the named host returned by DNS. If the address sent by the requester is considered invalid, that is, it does not match any address listed with DNS for the host name, then the software will reject the remote-command execution request.
Note that if no DNS servers are configured for the router, then that device cannot authenticate the host in this manner. In this case, the Cisco IOS software sends a broadcast request to attempt to gain access to DNS services on another server. If DNS services are not available, you must use the no ip domain-lookup command to disable the attempt to gain access to a DNS server by sending a broadcast request.
If DNS services are not available and, therefore, you bypass the DNS security check, the software will accept the request to remotely execute a command only if all three values sent with the request match exactly the values configured for an entry in the local authentication file.
Examples
The following example allows the remote user named netadmin3 on a remote host with the IP address 172.16.101.101 to execute commands on router1 using the rsh or rcp protocol. User netadmin3 is allowed to execute commands in privileged EXEC mode.
Router(config)# ip rcmd remote-host router1 172.16.101.101 netadmin3 enable
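The server-side checks described for ip rcmd domain-lookup and ip rcmd remote-host, modeled in Python as an added example (this is not Cisco code). The resolver tables, the second database entry and the function names are constructed for illustration, and rejecting a client that has no reverse record is an assumption the page does not state.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Sequence, Tuple


@dataclass(frozen=True)
class RemoteHostEntry:
    """One 'ip rcmd remote-host' line; remote_host is given as an IP address here."""
    local_user: str
    remote_host: str
    remote_user: str
    enable: bool = False  # 'enable' keyword: privileged EXEC for rsh, copy-to-router for rcp


@dataclass(frozen=True)
class RcmdRequest:
    client_ip: str    # source address of the TCP connection
    local_user: str   # values sent with the remote client request
    remote_user: str


def dns_security_check(client_ip: str,
                       reverse: Callable[[str], Optional[str]],
                       forward: Callable[[str], Sequence[str]]) -> bool:
    """Map the address to a name, resolve the name, require the address among the results."""
    name = reverse(client_ip)
    if not name:
        return False  # assumption: a client with no reverse record fails the check
    wanted = ipaddress.ip_address(client_ip)
    return any(ipaddress.ip_address(a) == wanted for a in forward(name))


def authorize(req: RcmdRequest,
              entries: Sequence[RemoteHostEntry],
              dns_enabled: bool,
              reverse: Callable[[str], Optional[str]],
              forward: Callable[[str], Sequence[str]]) -> Tuple[bool, str]:
    """Return (allowed, reason) for an incoming rsh/rcp request."""
    if dns_enabled and not dns_security_check(req.client_ip, reverse, forward):
        return False, "dns-mismatch"
    client = ipaddress.ip_address(req.client_ip)
    for e in entries:
        # All three values must match an entry in the authentication database.
        if (e.local_user == req.local_user
                and e.remote_user == req.remote_user
                and ipaddress.ip_address(e.remote_host) == client):
            return True, ("privileged" if e.enable else "user")
    return False, "no-entry"


# Constructed resolver data: the reverse record for 172.16.50.9 claims a name
# whose forward records do not list that address.
PTR_RECORDS: Dict[str, str] = {
    "172.16.101.101": "nms1.example.net",
    "172.16.50.9": "nms1.example.net",
}
A_RECORDS: Dict[str, List[str]] = {
    "nms1.example.net": ["172.16.101.101", "172.16.101.102"],
}


def forward_lookup(name: str) -> Sequence[str]:
    return A_RECORDS.get(name, [])


# First entry mirrors the page's example; the second is constructed.
ENTRIES = [
    RemoteHostEntry("router1", "172.16.101.101", "netadmin3", enable=True),
    RemoteHostEntry("router1", "172.16.50.9", "backup"),
]

if __name__ == "__main__":
    cases = [
        (RcmdRequest("172.16.101.101", "router1", "netadmin3"), True),
        (RcmdRequest("172.16.50.9", "router1", "backup"), True),
        (RcmdRequest("172.16.50.9", "router1", "backup"), False),
        (RcmdRequest("172.16.101.101", "router1", "guest"), True),
    ]
    for req, dns_on in cases:
        print(req, "dns" if dns_on else "no-dns",
              authorize(req, ENTRIES, dns_on, PTR_RECORDS.get, forward_lookup))
```

With the DNS check disabled, the second client is accepted on the three-value match alone, which is the behavior the last Usage Guidelines paragraph describes.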
Related Commands
ip rcmd remote-username
To configure the remote username to be used when requesting a remote copy using remote copy protocol (rcp), use the ip rcmd remote-username command in global configuration mode. To remove the remote username from the configuration, use the no form of this command.
ip rcmd remote-username username
no ip rcmd remote-username username
Syntax Description
Defaults
If you do not issue this command, the Cisco IOS software sends the remote username associated with the current tty process, if that name is valid, for rcp copy commands. For example, if the user is connected to the router through Telnet and the user was authenticated through the username command, then the software sends that username as the remote username.
Note The remote username must be associated with an account on the destination server.
If the username for the current tty process is not valid, the Cisco IOS software sends the host name as the remote username. For rcp boot commands, the Cisco IOS software sends the access server host name by default.
Note For Cisco, tty lines are commonly used for access services. The concept of tty originated with UNIX. For UNIX systems, each physical device is represented in the file system. Terminals are called tty devices (tty stands for teletype, the original UNIX terminal).
Command Modes
Global configuration
Command History
Usage Guidelines
The rcp protocol requires that a client send the remote username on an rcp request to the server. Use this command to specify the remote username to be sent to the server for an rcp copy request. If the server has a directory structure, as do UNIX systems, all files and images to be copied are searched for or written relative to the directory of the remote user's account.
Note Cisco IOS Release 10.3 added the ip keyword to rcmd commands. If you are upgrading from Release 10.2 to Release 10.3 or a later release, this keyword is automatically added to any rcmd commands you have in your Release 10.2 configuration files.
Examples
The following example configures the remote username to netadmin1:
Router(config)# ip rcmd remote-username netadmin1
Related Commands
ip rcmd rsh-enable
To configure the router to allow remote users to execute commands on it using remote shell protocol (rsh), use the ip rcmd rsh-enable command in global configuration mode. To disable a router that is enabled for rsh, use the no form of this command.
ip rcmd rsh-enable
no ip rcmd rsh-enable
Syntax Description
This command has no arguments or keywords.
Defaults
To ensure security, the router is not enabled for rsh by default.
Command Modes
Global configuration
Command History
Usage Guidelines
rsh, used as a client process, gives users the ability to remotely get router information (such as status) without the need to connect into the router and then disconnect. This is valuable when looking at many statistics on many different routers.
Use this command to enable the router to receive rsh requests from remote users. In addition to issuing this command, you must create an entry for the remote user in the local authentication database to allow a remote user to execute rsh commands on the router.
The no ip rcmd rsh-enable command does not prohibit a local user of the router from executing a command on other routers and UNIX hosts on the network using rsh. The no form of this command only disables remote access to rsh on the router.
Examples
The following example enables a router as an rsh server:
Router(config)# ip rcmd rsh-enable
Related Commands
Command Description
ip rcmd remote-host
Creates an entry for the remote user in a local authentication database so that remote users can execute commands on the router using rsh or rcp.
ip rcmd source-interface
To force remote copy protocol (rcp) or remote shell protocol (rsh) to use the IP address of a specified interface for all outgoing rcp/rsh communication packets, use the ip rcmd source-interface command in global configuration mode. To disable a previously configured ip rcmd source-interface command, use the no form of this command.
ip rcmd source-interface interface-id
no ip rcmd source-interface interface-id
Syntax Description
Defaults
The address of the interface closest to the destination is used as the source interface for rcp/rsh communications.
Command Modes
Global configuration
Command History
Usage Guidelines
If this command is not used, or if the interface specified in this command is not available (not up), the Cisco IOS software uses the address of the interface closest to the destination as the source address.
Use this command to force the system to tag all outgoing rcp/rsh packets with the IP address associated with the specified interface. This address is used as the source address as long as the interface is in the up state.
This command is especially useful in cases where the router has many interfaces, and you want to ensure that all rcp and/or rsh packets from this router have the same source IP address. A consistent address is preferred so that the other end of the connection (the rcp/rsh server or client) can maintain a single session. The other benefit of a consistent address is that an access list can be configured on the remote device.
The specified interface must have an IP address associated with it. If the specified interface does not have an IP address or is in a down state, then rcp/rsh reverts to the default. To avoid this, add an IP address to the subinterface or bring the interface to the up state.
Examples
In the following example, Loopback interface 0 is assigned an IP address of 220.144.159.200, and the ip rcmd source-interface command is used to specify that the source IP address for all rcp/rsh packets will be the IP address assigned to the Loopback0 interface:
interface Loopback0
description Loopback interface
ip address 220.144.159.200 255.255.255.255
no ip directed-broadcast
!
.
.
.
clock timezone GMT 0
ip subnet-zero
no ip source-route
no ip finger
ip rcmd source-interface Loopback0
ip telnet source-interface Loopback0
ip tftp source-interface Loopback0
ip ftp source-interface Loopback0
ip ftp username cisco
ip ftp password shhhhsecret
no ip bootp server
ip domain-name net.galaxy
ip name-server 220.144.159.1
ip name-server 220.144.159.2
ip name-server 219.10.2.1
!
.
.
.
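An added example (not part of the Cisco documentation): a small Python audit that scans configuration text for the settings this reference ties to security, namely the standard HTTP server running beside the secure one, rsh/rcp service enabled, the RCMD DNS check turned off or bypassed, privileged remote-host entries, and an FTP password stored without type 7. The rule names and the sample configuration are constructed here from the page's example values.

```python
import re
from typing import List, NamedTuple


class Finding(NamedTuple):
    line_no: int
    rule: str
    text: str


# ip rcmd remote-host local-username {ip-address | host-name} remote-username [enable [level]]
REMOTE_HOST = re.compile(r"^ip rcmd remote-host (\S+) (\S+) (\S+)(?: (enable)(?: (\d+))?)?$")
# ip ftp password [type] password   (type 0 = no encryption, type 7 = proprietary)
FTP_PASSWORD = re.compile(r"^ip ftp password (?:([07]) )?(\S+)$")


def audit(config: str) -> List[Finding]:
    """Return findings for the security-relevant commands covered in this reference."""
    # Normalize whitespace, keep original line numbers, drop blanks and '!' comments.
    lines = [(n, " ".join(raw.split())) for n, raw in enumerate(config.splitlines(), 1)]
    lines = [(n, t) for n, t in lines if t and not t.startswith("!")]
    present = {t for _, t in lines}
    rcmd_server = bool(present & {"ip rcmd rsh-enable", "ip rcmd rcp-enable"})

    findings: List[Finding] = []
    for n, t in lines:
        if t == "ip http server" and "ip http secure-server" in present:
            # Secure data stays reachable over the standard HTTP connection.
            findings.append(Finding(n, "http-alongside-https", t))
        elif t == "ip rcmd rsh-enable":
            findings.append(Finding(n, "rsh-enabled", t))
        elif t == "ip rcmd rcp-enable":
            findings.append(Finding(n, "rcp-enabled", t))
        elif t == "no ip rcmd domain-lookup":
            findings.append(Finding(n, "rcmd-dns-check-disabled", t))
        elif t == "no ip domain-lookup" and rcmd_server:
            # Takes precedence over ip rcmd domain-lookup, so the check is bypassed.
            findings.append(Finding(n, "rcmd-dns-check-bypassed", t))
        else:
            m = REMOTE_HOST.match(t)
            if m and m.group(4):
                findings.append(Finding(n, "rcmd-privileged-entry", t))
            m = FTP_PASSWORD.match(t)
            if m and m.group(1) != "7":
                # Report the line without echoing the secret itself.
                findings.append(Finding(n, "ftp-password-unencrypted",
                                        "ip ftp password <redacted>"))
    return findings


# Constructed sample assembled from the example values used on this page.
SAMPLE_CONFIG = """\
! constructed sample, not a real device configuration
ip http server
ip http secure-server
ip rcmd rcp-enable
ip rcmd rsh-enable
no ip rcmd domain-lookup
ip rcmd remote-host router1 172.16.101.101 netadmin3 enable
ip rcmd source-interface Loopback0
ip ftp username cisco
ip ftp password shhhhsecret
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_CONFIG):
        print(f"line {f.line_no}: {f.rule}: {f.text}")
```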
Related Commands
Command Description
ip rcmd remote-host
Creates an entry for the remote user in a local authentication database so that remote users can execute commands on the router using rsh or rcp.
ip sla monitor
To begin configuring a Cisco IOS IP Service Level Agreements (SLAs) operation and enter IP SLA monitor configuration mode, use the ip sla monitor command in global configuration mode. To remove all configuration information for an operation, including the schedule of the operation, reaction configuration, and reaction triggers, use the no form of this command.
ip sla monitor operation-number
no ip sla monitor operation-number
Syntax Description
operation-number
Operation number used for the identification of the IP SLAs operation you want to configure.
Defaults
No IP SLAs operation is configured.
Command Modes
Global configuration
Command History
Usage Guidelines
The ip sla monitor command is used to begin configuration for an IP SLAs operation. Use this command to specify an identification number for the operation you are about to configure. After you enter this command, the router will enter IP SLA monitor configuration mode.
IP SLAs allows a maximum of 2000 operations.
Debugging is supported only on the first 32 operation numbers.
After you configure an operation, you must schedule the operation. For information on scheduling an operation, refer to the ip sla monitor schedule and ip sla monitor group schedule global configuration commands. You can also optionally set reaction triggers for the operation. For information on reaction triggers, refer to the ip sla monitor reaction-configuration and ip sla monitor reaction-trigger global configuration commands.
To change the operation type of an existing IP SLAs operation, you must first delete the IP SLAs operation (using the no ip sla monitor global configuration command) and then reconfigure the operation with the new operation type.
Note After you schedule an operation, you cannot modify the configuration of the operation. To modify the configuration of the operation after it is scheduled, you must first delete the IP SLAs operation (using the no ip sla monitor command) and then reconfigure the operation with the new operation parameters.
To display the current configuration settings of the operation, use the show ip sla monitor configuration command in user EXEC or privileged EXEC mode.
Examples
In the following example, operation 99 is configured as a UDP jitter operation and scheduled to start running in 5 hours:
ip sla monitor 99
type jitter dest-ipaddr 172.29.139.134 dest-port 5000 num-packets 20
!
ip sla monitor schedule 99 life 300 start-time after 00:05:00
Note If operation 99 already exists and has not been scheduled, the command line interface will enter IP SLA monitor configuration mode for operation 99. If the operation already exists and has been scheduled, this command will fail.
Related Commands
ip sla monitor apm cache-size
To set the size of a Cisco IOS IP Service Level Agreements (SLAs) Application Performance Monitor (APM) cache, use the ip sla monitor apm cache-size command in global configuration mode. To reset the IP SLAs APM cache size to its default, use the no form of this command.
ip sla monitor apm cache-size bytes
no ip sla monitor apm cache-size bytes
Syntax Description
Defaults
The default APM cache size is 100000 bytes.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the saa apm cache-size command.
Usage Guidelines
IP SLAs APM script and scheduler files are kept in an area of memory called the IP SLAs APM cache. The cache size is checked by the system before each attempt to copy a new file to the cache. If the file to be downloaded puts the cache over its size limit, a "cache trimming" operation is performed, and all files in the cache not tagged with a "sticky bit" (sticky=1) will be deleted.
Examples
In the following example, the IP SLAs APM cache is set to 80,000 bytes (approximately 78 kilobytes):
Router(config)# ip sla monitor apm cache-size 80000
Router(config)# end
Router#
00:01:50: %SYS-5-CONFIG_I: Configured from console by console
Router# show ip sla monitor apm cache
Cache Size (bytes): 80000
Cache used (bytes): 793
File Name TimeCreated TimeAccessed ref Type sticky
apm.cf.1234567 00:02:50 00:00:00 1 CFG 0
apm/config/smtp-1000.cfg 00:02:50 00:00:00 1 CFG 0
Related Commands
Command Description
show ip sla monitor apm cache
Displays the amount of memory available in the IP SLAs APM cache and information about the files stored in the cache.
ip sla monitor apm copy
To copy script or scheduler files from an FTP server to the device that will initiate Cisco IOS IP Service Level Agreements (SLAs) Application Performance Monitor (APM) operations, use the ip sla monitor apm copy command in global configuration mode.
ip sla monitor apm copy {script | scheduler} ftp://[username:password@]server-name/path-to-file/filename [sticky]
Syntax Description
Defaults
No script or scheduler files are copied.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the saa apm copy command.
Usage Guidelines
The ip sla monitor apm copy command downloads an IP SLAs APM script or scheduler file from an FTP server to the local IP SLAs APM cache in NVRAM.
A file tagged as "sticky" will not be deleted from the local APM cache during a cache trimming operation. APM cache trimming operations are initiated when the ip sla monitor apm lowWaterMark value is reached.
You can force a file tagged as "sticky" to be deleted using the clear ip sla monitor apm cache command.
Examples
In the following example, a Frame Relay emulation script titled frm.scr is downloaded from the FTP server FTP101. The username user1 and the password password1 are used to access the server:
ip sla monitor apm copy script ftp://user1:password1@FTP101/userbin/user1files/frm.scr sticky
Related Commands
ip sla monitor apm lowWaterMark
To specify the lowest amount of free memory that must be available on the system to allow additional Cisco IOS IP Service Level Agreements (SLAs) Application Performance Monitor (APM) operations to be configured, use the ip sla monitor apm lowWaterMark command in global configuration mode. To restore the default low-memory-watermark value, use the no form of this command.
ip sla monitor apm lowWaterMark bytes
no ip sla monitor apm lowWaterMark
Syntax Description
Defaults
The default APM low-memory watermark is 25 percent of free memory at startup.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the saa apm lowWaterMark command.
Usage Guidelines
The ip sla monitor apm lowWaterMark global configuration command configures the lowest amount of free memory (low-memory watermark) that must be available on the system. If the amount of available free memory falls below the value specified in the ip sla monitor apm lowWaterMark command, then IP SLAs will not allow new APM operations to be configured. The default value is 25 percent of the memory available on the system at startup.
Note The smaller the low-memory-watermark value is, the more APM operations can be configured. If the value is set to 0, then APM operations can be created until the system runs out of memory. However, you should be careful not to set the low-memory watermark too low, because all additional router processes must be able to run with the amount of memory specified by the ip sla monitor apm lowWaterMark and ip sla monitor low-memory commands. Setting the low-memory watermark to 0 is discouraged, because other router processes may not be left with enough system memory to function.
For example, if there are 6 MB of free memory when the router starts up, and the default low-memory watermark of 25 percent is used, then the IP SLAs APM can use up to 4.5 MB of memory for creating operations. If the free memory drops below 1.5 MB, then new APM operations cannot be created.
The value of the ip sla monitor apm lowWaterMark command should not exceed the amount of free memory available on the system. To determine the amount of free memory available on the system, use the show memory user EXEC or privileged EXEC command.
The show ip sla monitor apm information user EXEC or privileged EXEC command will display the number of operations that can be configured on the device in the "Max Number of operations supported" field.
Examples
In the following example, the IP SLAs APM low-memory watermark is set to 3,145,728 bytes (3 MB):
Router(config)# ip sla monitor apm lowWaterMark 3145728
Router(config)# end
Router# show ip sla monitor apm information
Service Assurance Agent: Application Performance Monitor
APM Engine Version: 1.0
Max Number of oper supported: 23
Number of configurable oper: 23
Number of oper configured: 0
Number of files in cache: 0
Cache Size (bytes): 100000
Cache used (bytes): 0
APM low memory water-mark: 3,145,728
Related Commands
ip sla monitor apm operation
To start or stop a Cisco IOS IP Service Level Agreements (SLAs) Application Performance Monitor (APM) operation, use the ip sla monitor apm operation command in global configuration mode. To delete existing IP SLAs APM operations, use the no form of this command.
ip sla monitor apm operation operation-number {start ftp://[user:password@]server-name/path-to-file/filename | stop}
no ip sla monitor apm operation [operation-number]
Syntax Description
Defaults
No IP SLAs APM operations exist.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the saa apm operation command.
Usage Guidelines
The following files are required to perform an IP SLAs APM operation:
• script file (.scr) available on the routing device running IP SLAs
• scheduler file (.sch) available on the routing device running IP SLAs
• configuration file (.cf) available on an FTP server
• data file (.dat) available on an FTP server
All filenames can have a maximum of 255 characters.
The ip sla monitor apm operation start command points to the APM configuration file to be used for the operation. The APM configuration file specifies the location of the other files used in the operation, and the target IP address for the operation.
To download script, configuration, data, and scheduler template files used by the IP SLAs APM, and to download the documentation ("readme" files) for the scripts, go to the "Cisco IP SLAs APM" page at http://www.cisco.com/cgi-bin/tablebuild.pl/saa-apm.
After an operation is started using the ip sla monitor apm operation start command, the operation should be stopped using the ip sla monitor apm operation stop command.
Examples
In the following example, an IP SLAs APM NNTP operation is started and stopped, and the operation is deleted from the configuration:
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip sla monitor apm operation 2 start ftp://user:password@saa-nms/apm/config/nntp-20.cf
Router(config)#
1d09h: SAA-APM-1: downloading file (apm/config/nntp-20.cf) of size (532)
1d09h: SAA-APM-1: using cached file (apm/scheduler/master.sch)
1d09h: SAA-APM-1: using cached file (apm/scripts/nntp.scr)
1d09h: SAA-APM-1: sending APM_SCRIPT_DONE message
1d09h: SAA-APM-1: operation done
Router(config)# ip sla monitor apm operation 2 stop
Router(config)# no ip sla monitor apm operation 2
Related Commands
Command Description
show ip sla monitor apm results
Displays the data gathered using the IP SLAs Application Performance Monitor.
ip sla monitor group schedule
To perform group scheduling for Cisco IOS IP Service Level Agreements (SLAs) operations, use the ip sla monitor group schedule command in global configuration mode. To stop the operation and place it in the default state of normal scheduling, use the no form of this command.
ip sla monitor group schedule group-operation-number operation-id-numbers schedule-period seconds [ageout seconds] [frequency seconds] [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}]
no ip sla monitor group schedule
Syntax Description
Defaults
The operation is placed in a pending state (that is, the operation is enabled but is not actively collecting information).
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the rtr group schedule command.
Usage Guidelines
Though IP SLAs multiple operations scheduling functionality helps in scheduling thousands of operations, you should be cautious while specifying the number of operations, the schedule period, and the operation group frequency to avoid any significant CPU impact.
For example, consider a scenario where you are scheduling 1 to 780 operations at a schedule period of 60 seconds. The command would be as follows:
ip sla monitor group schedule 2 1-780 schedule-period 60 start-time now
IP SLAs calculates how many operations it should start in each 1-second interval by dividing the number of operations by the schedule period (780 operations divided by 60 seconds, which is 13 operations per second). Operations 1 to 13 in operation group 2 start after 0 seconds, operations 14 to 26 start after 1 second, operations 27 to 40 start after 2 seconds, and the iteration continues until operations 768 to 780 start after 59 seconds. This high value of operations starting at every 1-second interval (especially for jitter operations) can load the CPU to very high values.
On a Cisco 2600 router, the maximum recommended value of operations per second is 6 or 7 (approximately 350 to 400 operations per minute). Exceeding this value of 6 or 7 operations per second could cause major performance (CPU) impact. Note that the maximum recommended value of operations per second varies from platform to platform.
Note: No warning messages will be displayed if IP SLAs multiple operations scheduling leads to a high number of operations starting per second.
When you reboot the router, the IP SLAs multiple operations scheduling functionality schedules the operations in the same order as was done before the reboot. For example, assume the following operation had been scheduled:
ip sla monitor group schedule 2 1-20 schedule-period 40 start-time now
Over a range of 40 seconds, 20 operations have to be started (that is, one operation every 2 seconds). After the system reboot, operation 1 starts at t seconds, operation 2 starts at t+2 seconds, operation 3 starts at t+4 seconds, and so on.
The IP SLAs multiple operations scheduling functionality schedules the maximum number of operations possible without aborting. However, this functionality skips those IP SLAs operations that are already running or those that are not configured and hence do not exist. The total number of operations will be calculated based on the number of operations specified in the command, irrespective of the number of operations that are missing or already running. The IP SLAs multiple operations scheduling functionality displays a message showing the number of active and missing operations. However, these messages are displayed only if you schedule operations that are not configured or are already running.
Examples
The following example shows how to schedule IP SLAs operations 3, 4, and 6 to 10 as a group (identified as group 1). In this example, the operations are scheduled to begin at equal intervals over a schedule period of 20 seconds. The first operation (or set of operations) is scheduled to start immediately. Since the frequency is not specified, it is set to the value of the schedule period (20 seconds) by default.
ip sla monitor group schedule 1 3, 4, 6-10 schedule-period 20 start-time now
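Because no warning is displayed when a group schedule starts too many operations per second, the rate can be checked offline before the configuration is applied. The following is an added example, not Cisco code: the function names and the ceiling of 6 starts per second (taken from the Cisco 2600 figure above) are assumptions, and the sample input is built from the commands shown in this section.

```python
import re
from collections import namedtuple

# Assumption: ceiling taken from the Cisco 2600 figure quoted above (6 or 7
# operations per second); set it per platform.
MAX_STARTS_PER_SECOND = 6

GROUP_RE = re.compile(
    r"^\s*ip sla monitor group schedule\s+(?P<group>\d+)\s+"
    r"(?P<ids>\d[\d,\s-]*?)\s+schedule-period\s+(?P<period>\d+)\b",
    re.IGNORECASE,
)

GroupLoad = namedtuple("GroupLoad", "group operations period per_second exceeds")


def expand_operation_ids(spec):
    """Expand an operation-id-numbers value such as '3, 4, 6-10' or '1-780'."""
    ids = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            low, high = (int(n) for n in part.split("-", 1))
            if low > high:
                raise ValueError("descending range: " + part)
            ids.update(range(low, high + 1))
        else:
            ids.add(int(part))
    return sorted(ids)


def audit_group_schedules(config_text, max_per_second=MAX_STARTS_PER_SECOND):
    """Return one GroupLoad per 'ip sla monitor group schedule' line."""
    results = []
    for line in config_text.splitlines():
        match = GROUP_RE.match(line)
        if not match:
            continue
        # The count comes from the command itself: missing or already running
        # operations are still included in the calculation.
        operations = len(expand_operation_ids(match.group("ids")))
        period = int(match.group("period"))
        if period < 1:
            raise ValueError("schedule-period must be at least 1 second")
        per_second = operations / period
        results.append(GroupLoad(int(match.group("group")), operations, period,
                                 per_second, per_second > max_per_second))
    return results


# Constructed input: the three group schedule commands shown in this section.
SAMPLE_CONFIG = """\
ip sla monitor group schedule 2 1-780 schedule-period 60 start-time now
ip sla monitor group schedule 2 1-20 schedule-period 40 start-time now
ip sla monitor group schedule 1 3, 4, 6-10 schedule-period 20 start-time now
"""

if __name__ == "__main__":
    for load in audit_group_schedules(SAMPLE_CONFIG):
        flag = "EXCEEDS CEILING" if load.exceeds else "ok"
        print(f"group {load.group}: {load.operations} ops / {load.period} s = "
              f"{load.per_second:.2f} starts/s  [{flag}]")
```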
Related Commands
ip sla monitor key-chain
To enable Cisco IOS IP Service Level Agreements (SLAs) control message authentication and specify an MD5 key chain, use the ip sla monitor key-chain command in global configuration mode. To remove control message authentication, use the no form of this command.
ip sla monitor key-chain name
no ip sla monitor key-chain
Syntax Description
Defaults
Control message authentication is disabled.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the rtr key-chain command.
Usage Guidelines
The authentication configuration on the IP SLAs collector and IP SLAs Responder must be the same. Both sides must configure the same key chain or both sides must not use authentication.
Examples
In the following example, the IP SLAs control message uses MD5 authentication, and the key chain name is CSAA:
ip sla monitor key-chain csaa
Related Commands
Command Description
ip sla monitor
Begins configuration for an IP SLAs operation and enters IP SLA monitor configuration mode.
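The ip sla monitor key-chain Usage Guidelines require the collector and the Responder to use the same key chain or no authentication at all, and a mismatch is easy to miss on two separately managed devices. The following is an added example, not Cisco code, that compares two saved configurations offline; the function names and finding codes are hypothetical, the sample configurations and key-strings are constructed, and "same key chain" is assumed to mean the same key IDs and key-strings in the chain each side references.

```python
import re


def parse_sla_auth(config_text):
    """Return (key chain referenced by IP SLAs or None, {chain: {key id: key-string}})."""
    referenced, chains = None, {}
    chain = key_id = None
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if not raw[0].isspace():
            chain = key_id = None            # an unindented line ends a key chain block
        if m := re.fullmatch(r"ip sla monitor key-chain (\S+)", line):
            referenced = m.group(1)
        elif m := re.fullmatch(r"key chain (\S+)", line):
            chain = m.group(1)
            chains.setdefault(chain, {})
        elif chain and (m := re.fullmatch(r"key (\d+)", line)):
            key_id = int(m.group(1))
            chains[chain].setdefault(key_id, None)
        elif chain and key_id is not None and (m := re.fullmatch(r"key-string (.+)", line)):
            chains[chain][key_id] = m.group(1)
    return referenced, chains


def audit_pair(collector_cfg, responder_cfg):
    """Return finding codes; an empty list means both sides authenticate and agree."""
    c_ref, c_chains = parse_sla_auth(collector_cfg)
    r_ref, r_chains = parse_sla_auth(responder_cfg)
    if c_ref is None and r_ref is None:
        return ["NO_AUTH"]                   # the default: control messages unauthenticated
    if c_ref is None or r_ref is None:
        return ["ONE_SIDED"]                 # only one side has ip sla monitor key-chain
    findings = []
    c_keys, r_keys = c_chains.get(c_ref), r_chains.get(r_ref)
    if not c_keys or None in c_keys.values():
        findings.append("COLLECTOR_CHAIN_INCOMPLETE")
    if not r_keys or None in r_keys.values():
        findings.append("RESPONDER_CHAIN_INCOMPLETE")
    if findings:
        return findings
    # Type 7 encodings of the same secret can differ between devices, so
    # encoded key-strings are reported instead of being compared as text.
    if any(re.fullmatch(r"7 \S+", v) for v in list(c_keys.values()) + list(r_keys.values())):
        return ["KEYS_ENCODED_NOT_COMPARED"]
    if c_keys != r_keys:
        findings.append("KEY_MISMATCH")
    return findings


# Constructed sample configurations (addresses and key-strings are placeholders).
COLLECTOR = """\
key chain csaa
 key 1
  key-string EXAMPLE-SECRET-1
!
ip sla monitor key-chain csaa
ip sla monitor 1
 type jitter dest-ipaddr 192.0.2.10 dest-port 9234
"""
RESPONDER_OK = """\
key chain csaa
 key 1
  key-string EXAMPLE-SECRET-1
!
ip sla monitor key-chain csaa
ip sla monitor responder
"""
RESPONDER_NO_AUTH = "ip sla monitor responder\n"

if __name__ == "__main__":
    print(audit_pair(COLLECTOR, RESPONDER_OK))        # matching pair
    print(audit_pair(COLLECTOR, RESPONDER_NO_AUTH))   # authentication on one side only
```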
ip sla monitor logging traps
To enable the generation of system logging Simple Network Management Protocol (SNMP) notifications (traps) specific to Cisco IOS IP Service Level Agreements (SLAs) thresholds, use the ip sla monitor logging traps command in global configuration mode. To disable IP SLAs system logging SNMP traps, use the no form of this command.
ip sla monitor logging traps
no ip sla monitor logging traps
Syntax Description
This command has no arguments or keywords.
Defaults
IP SLAs system logging traps are not generated.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the rtr logging traps command.
Usage Guidelines
SNMP notifications (traps) for IP SLAs can be configured as a triggered action, to be sent when monitored values exceed an upper threshold or fall below a lower threshold, or when a set of defined conditions is met. For example, an SNMP trap can be triggered by five consecutive timeouts during an IP SLAs operation. The sending of SNMP traps is one of the options for triggered actions that can be configured for IP SLAs violations. The monitored values (also called monitored elements), the threshold type, and the triggered action are configured using the ip sla monitor reaction-configuration global configuration mode command.
SNMP traps for IP SLAs are supported by the CISCO-SYSLOG-MIB. The ip sla monitor logging traps command is used to enable the generation of SNMP traps specific to IP SLAs threshold violations. The generation of IP SLAs specific logging messages depends on the configuration of the standard set of logging commands (for example, logging on). IP SLAs logging messages are generated as level 7 (debugging) messages.
Examples
The following example shows the configuration of IP SLAs traps to be triggered for round-trip time (RTT) violations and Voice over IP (VoIP) mean opinion score (MOS) violations, and the necessary SNMP configuration for enabling these SNMP logging traps:
Router(config)# ip sla monitor 1
Router(config-sla-monitor)# type jitter dest-ipaddr 209.165.200.225 dest-port 9234
Router(config-sla-monitor)# exit
Router(config)# ip sla monitor schedule 1 start now life forever
Router(config)# ip sla monitor reaction-configuration 1 react rtt threshold-type immediate threshold-value 3000 2000 action-type trapOnly
Router(config)# ip sla monitor reaction-configuration 1 react MOS threshold-type consecutive 4 threshold-value 390 220 action-type trapOnly
Router(config)# ip sla monitor logging traps
Router(config)#
Router(config)# snmp-server community public RW
Router(config)# snmp-server enable traps syslog
Router(config)# snmp-server host 209.165.202.129 version 3 public syslog
Router(config)# logging trap debugging
Router(config)# logging host 209.165.202.129
Related Commands
ip sla monitor low-memory
To specify how much unused memory must be available to allow Cisco IOS IP Service Level Agreements (SLAs) configuration, use the ip sla monitor low-memory command in global configuration mode. To remove the type configuration for the operation, use the no form of this command.
ip sla monitor low-memory bytes
no ip sla monitor low-memory
Syntax Description
bytes
Specifies amount of memory, in bytes, that must be available to configure IP SLA. The range is from 0 to the maximum amount of free memory bytes available.
Defaults
The default amount of memory is 25 percent of the memory available on the system.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the rtr low-memory command.
Usage Guidelines
The ip sla monitor low-memory command allows you to specify the amount of memory that the IP SLAs can use. If the amount of available free memory falls below the value specified in the ip sla monitor low-memory command, then the IP SLAs will not allow new operations to be configured. If this command is not used, the default low-memory value is 25 percent. This means that if 75 percent of system memory has been utilized, you will not be able to configure any IP SLAs characteristics.
The value of the ip sla monitor low-memory command should not exceed the amount of free memory available on the system. To determine the amount of free memory available on the system, use the show memory user EXEC or privileged EXEC command.
Examples
In the following example, the router is configured so that no less than 2 MB of memory will be free for IP SLAs configuration:
ip sla monitor low-memory 2097152
Related Commands
ip sla monitor reaction-configuration
To configure certain actions to occur based on events under the control of Cisco IOS IP Service Level Agreements (SLAs), use the ip sla monitor reaction-configuration command in global configuration mode. To clear all reaction configuration for a specified IP SLAs operation, use the no form of this command.
ip sla monitor reaction-configuration operation-number react monitored-element [action-type option] [threshold-type {average [number-of-measurements] | consecutive [occurrences] | immediate | never | xofy [x-value y-value]}] [threshold-value upper-threshold lower-threshold]
no ip sla monitor reaction-configuration operation-number
Syntax Description
operation-number
Number of the IP SLAs operation for which reactions are to be configured.
react monitored-element
Specifies the element to be monitored for violations.
Note: The elements available for monitoring will vary depending on the type of IP SLAs operation you are configuring.
Keyword options for the monitored-element argument are as follows:
•connectionLoss—Specifies that a reaction should occur if there is a one-way connection loss for the monitored operation. Thresholds do not apply to this monitored element.
•jitterAvg—Specifies that a reaction should occur if the average round-trip jitter value violates the upper threshold or lower threshold.
•jitterDSAvg—Specifies that a reaction should occur if the average one-way destination-to-source jitter value violates the upper threshold or lower threshold.
•jitterSDAvg—Specifies that a reaction should occur if the average one-way source-to-destination jitter value violates the upper threshold or lower threshold.
•mos—Specifies that a reaction should occur if the one-way mean opinion score (MOS) value violates the upper threshold or lower threshold.
•packetLossDS—Specifies that a reaction should occur if the one-way destination-to-source packet loss value violates the upper threshold or lower threshold.
•packetLossSD—Specifies that a reaction should occur if the one-way source-to-destination packet loss value violates the upper threshold or lower threshold.
•rtt—Specifies that a reaction should occur if the round-trip time violates the upper threshold or lower threshold.
•timeout—Specifies that a reaction should occur if there is a one-way timeout for the monitored operation. Thresholds do not apply to this monitored element.
•verifyError—Specifies that a reaction should occur if there is a one-way error verification violation. Thresholds do not apply to this monitored element.
action-type option
(Optional) Specifies what action or combination of actions the operation performs when threshold events occur. If the threshold-type never keywords are defined, the action-type keyword is disabled. The option argument can be one of the following keywords:
•none—No action is taken. This option is the default value.
•trapAndTrigger—Trigger a Simple Network Management Protocol (SNMP) trap and start another IP SLAs operation when the violation conditions are met, as defined in the trapOnly and triggerOnly options.
•trapOnly—Send an SNMP logging trap when the specified violation type occurs for the monitored element. IP SLAs logging traps are enabled using the ip sla monitor logging traps command.
•triggerOnly—Have the operational state of one or more target operations make the transition from pending to active when the violation conditions are met. The target operations to be triggered are specified using the ip sla monitor reaction-trigger command. A target operation will continue until its life expires, as specified by the target operation's configured lifetime value. A triggered target operation must finish its life before it can be triggered again.
threshold-type average [number-of-measurements]
(Optional) When the average of a specified number of measurements for the monitored element exceeds the upper threshold or when the average of a specified number of measurements for the monitored element drops below the lower threshold, perform the action defined by the action-type keyword. For example, if the upper threshold for react rtt threshold-type average 3 is configured as 5000 ms and the last three results of the operation are 6000, 6000, and 5000 ms, the average would be (6000 + 6000 + 5000)/3 = 17000/3 = 5667 ms (rounded), thus violating the 5000 ms upper threshold.
The default number of 5 averaged measurements can be changed using the number-of-measurements argument. The valid range is from 1 to 16.
This syntax is not available if the connectionLoss, timeout, or verifyError keyword is specified as the monitored element, because upper and lower thresholds do not apply to these options.
threshold-type consecutive [occurrences]
(Optional) When the reaction conditions (such as threshold violations) for the monitored element are met consecutively for a specified number of times, perform the action defined by the action-type keyword.
The default number of 5 consecutive occurrences can be changed using the occurrences argument. The valid range is from 1 to 16.
The occurrences value will appear in the output of the show ip sla monitor reaction-configuration command as the "Threshold Count" value.
threshold-type immediate
(Optional) When the reaction conditions (such as threshold violations) for the monitored element are met, immediately perform the action defined by the action-type keyword.
threshold-type never
(Optional) Do not calculate threshold violations. This is the default threshold type.
threshold-type xofy [x-value y-value]
(Optional) When the reaction conditions (such as threshold violations) for the monitored element are met x number of times within the last y number of measurements ("x of y"), perform the action defined by the action-type keyword.
The default is 5 for both the x and y values (xofy 5 5). The valid range for each value is from 1 to 16.
The x-value will appear in the output of the show ip sla monitor reaction-configuration command as the "Threshold Count" value, and the y-value will appear as the "Threshold Count2" value.
[threshold-value upper-threshold lower-threshold]
(Optional) Specifies the upper-threshold and lower-threshold values of the applicable monitored elements. See Table 38 in the "Usage Guidelines" section for a list of the default values.
Note: For MOS threshold values (react mos), the number is expressed in three digits representing ones, tenths, and hundredths. For example, to express a MOS threshold of 3.20, enter 320. The valid range is from 100 (1.00) to 500 (5.00).
Defaults
No IP SLAs reactions are generated.
Error verification is disabled.
Connection loss and timeout logging are disabled.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the rtr reaction-configuration command.
Usage Guidelines
You can configure the ip sla monitor reaction-configuration command multiple times to allow reactions for multiple monitored elements (for example, configuring thresholds for destination-to-source packet loss and MOS) for the same operation. However, entering the no ip sla monitor reaction-configuration operation-number command will clear all reaction configuration for the specified operation. In other words, disabling of granular reaction elements (for example, entering the no ip sla monitor reaction-configuration operation-number react monitored-element command) is not supported, so as to provide backwards compatibility with the earlier version of this command.
SNMP traps for IP SLAs are supported by the CISCO-SYSLOG-MIB. The ip sla monitor logging traps command is used to enable the generation of SNMP traps specific to IP SLAs threshold violations.
You can check the configuration of the IP SLAs reaction configuration using the show ip sla monitor reaction-configuration command.
Note: Keywords are not case sensitive and are shown in mixed case for readability only.
Table 38 lists the default upper and lower thresholds for specific monitored elements.
Examples
In the following example, IP SLAs operation 10 (a UDP jitter operation) is configured to send an SNMP logging trap when the MOS value exceeds 4.9 (best quality) or falls below 2.5 (poor quality):
Router(config)# ip sla monitor reaction-configuration 10 react mos threshold-type immediate threshold-value 490 250 action-type trapOnly
The following example shows the default settings for the ip sla monitor reaction-configuration command when none of the optional syntax elements are used:
Router# show ip sla monitor reaction-configuration 1
Entry number: 1
Reaction Configuration not configured
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# ip sla monitor reaction-configuration 1
Router(config)# do show ip sla monitor reaction-configuration 1
Entry number: 1
Reaction: rtt
Threshold Type: Never
Rising (milliseconds): 5000
Falling (milliseconds): 3000
Threshold Count: 5
Threshold Count2: 5
Action Type: None
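The threshold types in the Syntax Description above can be compared by running each over the same series of measurements. The following model is an added example, not Cisco code: the function name is hypothetical, the sample values are constructed, a violation is taken to be a value above the upper threshold or below the lower threshold as described above, and the average is assumed to be evaluated only once the full number of measurements is available.

```python
from collections import deque

# Monitored elements to which upper and lower thresholds do not apply.
EVENT_ELEMENTS = {"connectionloss", "timeout", "verifyerror"}


def condition_met(samples, element, threshold_type, upper=None, lower=None,
                  count=5, window=5):
    """Return one bool per sample: is the reaction condition met after it?

    count  -> number-of-measurements, occurrences or x-value ("Threshold Count")
    window -> y-value ("Threshold Count2"), used only by xofy
    For event elements each sample is truthy when the event occurred.
    """
    ttype = threshold_type.lower()
    is_event = element.lower() in EVENT_ELEMENTS
    if not 1 <= count <= 16 or not 1 <= window <= 16:
        raise ValueError("count and window must be in the range 1 to 16")
    if ttype == "average" and is_event:
        raise ValueError("threshold-type average is not available for " + element)
    if not is_event and (upper is None or lower is None):
        raise ValueError("upper and lower thresholds are required for " + element)

    def violated(value):
        return bool(value) if is_event else (value > upper or value < lower)

    recent = deque(maxlen=window if ttype == "xofy" else count)
    streak = 0
    results = []
    for sample in samples:
        if ttype == "never":
            results.append(False)                  # violations are not calculated
        elif ttype == "immediate":
            results.append(violated(sample))
        elif ttype == "consecutive":
            streak = streak + 1 if violated(sample) else 0
            results.append(streak >= count)
        elif ttype == "average":
            recent.append(sample)
            full = len(recent) == count            # assumption: wait for a full window
            results.append(full and violated(sum(recent) / count))
        elif ttype == "xofy":
            recent.append(violated(sample))
            results.append(sum(recent) >= count)   # x violations in the last y samples
        else:
            raise ValueError("unknown threshold type: " + threshold_type)
    return results


if __name__ == "__main__":
    # The rtt example from the Syntax Description: average of 3, upper threshold 5000 ms.
    print(condition_met([6000, 6000, 5000], "rtt", "average", 5000, 3000, count=3))
    # Constructed MOS series in hundredths, thresholds 490/250, x of y = 3 of 5.
    mos = [400, 240, 230, 410, 220, 420, 430, 440]
    print(condition_met(mos, "mos", "xofy", 490, 250, count=3, window=5))
    # Five consecutive timeouts (constructed event series, defaults apply).
    print(condition_met([1, 1, 1, 1, 0, 1, 1, 1, 1, 1], "timeout", "consecutive"))
```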
Related Commands
ip sla monitor reaction-trigger
To define a second Cisco IOS IP Service Level Agreements (SLAs) operation to make the transition from a pending state to an active state when one of the trigger action type options is defined with the ip sla monitor reaction-configuration command, use the ip sla monitor reaction-trigger command in global configuration mode. To remove the trigger combination, use the no form of this command.
ip sla monitor reaction-trigger operation-number target-operation
no ip sla monitor reaction-trigger operation
Syntax Description
Defaults
No trigger combination is defined.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the rtr reaction-trigger command.
Usage Guidelines
Triggers are usually used for diagnostics purposes and are not intended for use during normal operation conditions.
Examples
In the following example, a trigger action type is defined for IP SLAs operation 2. When operation 2 experiences certain user-specified threshold violation events while it is actively collecting statistical information, the operation state of IP SLAs operation 1 will be triggered to change from pending to active.
ip sla monitor reaction-trigger 2 1
Related Commands
ip sla monitor reset
To perform a shutdown and restart of the Cisco IOS IP Service Level Agreements (SLAs) engine, use the ip sla monitor reset command in global configuration mode.
ip sla monitor reset
Syntax Description
This command has no arguments or keywords.
Defaults
None
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the rtr reset command.
Usage Guidelines
The ip sla monitor reset command stops all operations, clears IP SLAs configuration information, and returns the IP SLAs feature to the startup condition. This command does not reread the IP SLAs configuration stored in the startup configuration in NVRAM. You must retype the configuration or load a previously saved configuration file.
Note: The ip sla monitor reset command does not remove IP SLAs label switched path (LSP) Health Monitor configurations from the running configuration.
Note: Use the ip sla monitor reset command only in extreme situations such as the incorrect configuration of a number of operations.
Examples
The following example shows how to reset the Cisco IOS IP SLAs engine, clearing all stored IP SLAs information and configuration:
ip sla monitor reset
Related Commands
ip sla monitor responder
To enable the Cisco IOS IP Service Level Agreements (SLAs) Responder for general IP SLAs operations, use the ip sla monitor responder command in global configuration mode. To disable the IP SLAs Responder, use the no form of this command.
ip sla monitor responder
no ip sla monitor responder
Syntax Description
This command has no arguments or keywords.
Defaults
The IP SLAs Responder is disabled.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the rtr responder command.
Usage Guidelines
This command is used on the destination device for IP SLAs operations to enable the sending and receiving of IP SLAs control packets. Enabling the IP SLAs Responder allows the generation of packet loss statistics on the device sending IP SLAs operations.
Prior to sending an operation packet to the IP SLAs Responder, the IP SLAs operation sends a control message to the IP SLAs Responder to enable the destination port.
Examples
The following example shows how to enable the IP SLAs Responder:
ip sla monitor responder
Related Commands
ip sla monitor responder type frame-relay
To enable the Cisco IOS IP Service Level Agreements (SLAs) Responder on the operational target device for Frame Relay operations, use the ip sla monitor responder type frame-relay command in global configuration mode. To disable the IP SLAs Responder, use the no form of this command.
ip sla monitor responder type frame-relay {all | interface {serial | fr-atm} interface-number dlci dlci-number}
no ip sla monitor responder type frame-relay {all | interface {serial | fr-atm} interface-number dlci dlci-number}
Syntax Description
Defaults
The IP SLAs Responder is disabled.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the rtr responder type frame-relay command.
Usage Guidelines
This command allows the IP SLAs Responder to respond to Frame Relay operations without receiving IP SLAs control protocol packets.
Note that if you use this command, packet loss statistics cannot be generated for the operation because the Responder will not be able to determine the order of the received packets. To generate packet loss statistics, use the ip sla monitor responder command without specifying an operation type.
Examples
In the following example, the IP SLAs Responder is configured to respond to Frame Relay operations specifically on serial interface 1/0, using DLCI number 16:
ip sla monitor responder type frame-relay interface serial 1/0 dlci 16
Related Commands
ip sla monitor responder type tcpConnect ipaddress
To enable the Cisco IOS IP Service Level Agreements (SLAs) Responder for TCP Connect operations, use the ip sla monitor responder type tcpConnect ipaddress command in global configuration mode. To disable the IP SLAs Responder, use the no form of this command.
ip sla monitor responder type tcpConnect ipaddress ip-address port port-number
no ip sla monitor responder type tcpConnect ipaddress ip-address port port-number
Syntax Description
Defaults
The IP SLAs Responder is disabled.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the rtr responder type tcpConnect command.
Usage Guidelines
This command is used on the destination device for IP SLAs operations to enable the acceptance and return of TCP connection operation packets.
Examples
The following example shows how to enable the IP SLAs Responder for TCP connection operations:
ip sla monitor responder type tcpConnect ipaddress A.B.C.D port 1
Related Commands
ip sla monitor responder type udpEcho ipaddress
To enable the Cisco IOS IP Service Level Agreements (SLAs) Responder for User Datagram Protocol (UDP) echo or jitter operations, use the ip sla monitor responder type udpEcho ipaddress command in global configuration mode. To disable the IP SLAs Responder, use the no form of this command.
ip sla monitor responder type udpEcho ipaddress ip-address port port-number
no ip sla monitor responder type udpEcho ipaddress ip-address port port-number
Syntax Description
Defaults
The IP SLAs Responder is disabled.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the rtr responder type udpEcho command.
Usage Guidelines
This command is used on the destination device for IP SLAs operations to enable UDP echo and jitter (UDP+) operations on nonnative interfaces.
Examples
The following example shows how to enable the IP SLAs Responder for jitter operations:
ip sla monitor responder type udpEcho ipaddress A.B.C.D port 1
Related Commands
ip sla monitor restart
To restart a Cisco IOS IP Service Level Agreements (SLAs) operation, use the ip sla monitor restart command in global configuration mode.
ip sla monitor restart operation-number
Syntax Description
operation-number
Number of the IP SLAs operation to restart. IP SLAs allows a maximum of 2000 operations.
Defaults
None
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the rtr restart command.
Usage Guidelines
To restart an operation, the operation should be in an active state.
IP SLAs allows a maximum of 2000 operations.
This command does not have a no form.
Examples
The following example shows how to restart operation 12:
ip sla monitor restart 12
Related Commands
Command Description
ip sla monitor reset
Clears all current IP SLAs statistics and configuration information from the router and resets the IP SLAs engine.
ip sla monitor schedule
To configure the scheduling parameters for a single Cisco IOS IP Service Level Agreements (SLAs) operation, use the ip sla monitor schedule command in global configuration mode. To stop the operation and place it in the default state (pending), use the no form of this command.
ip sla monitor schedule operation-number [life {forever | seconds}] [start-time {hh:mm[:ss] [month day | day month] | pending | now | after hh:mm:ss}] [ageout seconds] [recurring]
no ip sla monitor schedule operation-number
Syntax Description
Defaults
The operation is placed in a pending state (that is, the operation is enabled but not actively collecting information).
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the rtr schedule command.
Usage Guidelines
After you schedule the operation with the ip sla monitor schedule command, you cannot change the configuration of the operation. To change the configuration of the operation, use the no form of the ip sla monitor global configuration command and reenter the configuration information.
If the operation is in a pending state, you can define the conditions under which the operation makes the transition from pending to active with the ip sla monitor reaction-trigger and ip sla monitor reaction-configuration global configuration commands. When the operation is in an active state, it immediately begins collecting information.
The following time line shows the age-out process of the operation:
W----------------------X----------------------Y----------------------Z
where:
•W is the time the operation was configured with the ip sla monitor global configuration command.
•X is the start time or start of life of the operation (that is, when the operation became "active").
•Y is the end of life as configured with the ip sla monitor schedule global configuration command (life seconds have counted down to zero).
•Z is the age out of the operation.
Age out starts counting down at W and Y, is suspended between X and Y, and is reset to its configured size at Y.
The operation can age out before it executes (that is, Z can occur before X). To ensure that this does not happen, configure the difference between the operation's configuration time and start time (X and W) to be less than the age-out seconds.
Note: The total RAM required to hold the history and statistics tables is allocated at the time of scheduling the IP SLAs operation. This prevents router memory problems when the router gets heavily loaded and lowers the amount of overhead an IP SLAs operation causes on a router when it is active.
For IP SLAs Service Level Monitoring (SLM) operations, the operation will always start at the nearest 15-minute interval since the router start time. For example, if the ip sla monitor schedule 1 start-time now command is used, the operation will not start until the next quarter-hour time increment.
The recurring keyword is supported only for scheduling single IP SLAs operations. You cannot schedule multiple IP SLAs operations using the ip sla monitor schedule command. The life value for a recurring IP SLAs operation should be less than one day. The ageout value for a recurring operation must be "never" (which is specified with the value 0), or the sum of the life and ageout values must be more than one day. If the recurring option is not specified, the operations are started in the existing normal scheduling mode.
Examples
In the following example, operation 25 begins actively collecting data at 3:00 p.m. on April 5. This operation will age out after 12 hours of inactivity, which can be before it starts or after it has finished with its life. When this operation ages out, all configuration information for the operation is removed (that is, the configuration information is no longer in the running configuration in RAM).
ip sla monitor schedule 25 life 43200 start-time 15:00 apr 5 ageout 43200
In the following example, operation 1 begins collecting data after a 5-minute delay:
ip sla monitor schedule 1 start-time after 00:05:00
In the following example, operation 3 begins collecting data immediately and is scheduled to run indefinitely:
ip sla monitor schedule 3 start-time now life forever
In the following example, operation 15 begins automatically collecting data every day at 1:30 a.m.:
ip sla monitor schedule 15 start-time 01:30:00 recurring
Related Commands
ip sla monitor slm frame-relay statistics
To enable Cisco IOS IP Service Level Agreements (SLAs) and Cisco Networking Services (CNS) to collect Frame Relay performance monitoring statistics, use the ip sla monitor slm frame-relay statistics command in global configuration mode. To disable the collection of Frame Relay performance monitoring statistics, use the no form of this command.
ip sla monitor slm frame-relay statistics
no ip sla monitor slm frame-relay statistics
Syntax Description
This command has no arguments or keywords.
Defaults
Frame Relay performance monitoring statistics are not collected.
Command Modes
Global configuration
Command History
Release Modification
12.3(14)T
This command was introduced. This command replaces the rtr slm frame-relay statistics command.
Usage Guidelines
The ip sla monitor slm frame-relay statistics command should be issued prior to configuring any of the IP SLAs Frame Relay Service Level Monitoring (SLM) operations. Performance statistics are not retained for these operations until this command is entered.
This command does not affect the standard Frame Relay IP SLAs operation (configured using the type frame-relay command).
Examples
In the following example, the IP SLAs Frame Relay SLM feature is enabled:
ip sla monitor slm frame-relay statistics
Related Commands
ip telnet source-interface
To specify the IP address of an interface as the source address for Telnet connections, use the ip telnet source-interface command in global configuration mode. To reset the source address to the default for each connection, use the no form of this command.
ip telnet source-interface interface
no ip telnet source-interface
Syntax Description
Defaults
The address of the closest interface to the destination is the source address.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to set the IP address of an interface as the source for all Telnet connections.
If the specified interface is not up, the Cisco IOS software selects the address of the interface closest to the destination as the source address.
Examples
The following example forces the IP address for Ethernet interface 1 as the source address for Telnet connections:
Router(config)# ip telnet source-interface Ethernet1
Related Commands
Command Description
ip radius source-interface
Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.
ip tftp source-interface
To specify the IP address of an interface as the source address for TFTP connections, use the ip tftp source-interface command in global configuration mode. To return to the default, use the no form of this command.
ip tftp source-interface interface
no ip tftp source-interface
Syntax Description
Defaults
The address of the closest interface to the destination is the source address.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to set the IP address of an interface as the source for all TFTP connections.
If the specified interface is not up, the Cisco IOS software selects the address of the interface closest to the destination as the source address.
Examples
In the following example, the IP address assigned to Loopback interface 0 will be used as the source address for TFTP connections:
Router(config)# ip tftp source-interface Loopback0
Related Commands
kron occurrence
To specify schedule parameters for a Command Scheduler occurrence and enter kron-occurrence configuration mode, use the kron occurrence command in global configuration mode. To delete a Command Scheduler occurrence, use the no form of this command.
kron occurrence occurrence-name [user username] {in [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]} {oneshot | recurring}
no kron occurrence occurrence-name [user username] {in [[numdays:]numhours:]nummin | at hours:min [[month] day-of-month] [day-of-week]} {oneshot | recurring}
Syntax Description
Command Default
No schedule parameters are specified.
Command Modes
Global configuration
Command History
Usage Guidelines
Prior to Cisco IOS Release 12.4, when you configured a kron occurrence for a calendar time when the system clock was not set, you received a printf message stating that the clock was not set and the occurrence would not be scheduled until it was set.
Beginning in Cisco IOS Release 12.4, when you configure a kron occurrence for a calendar time when the system clock is not set, the occurrence is scheduled but a printf message appears stating that the clock is not set and that it currently reads <current clock time>.
If you set the clock, the schedule of the occurrence is affected in one of the following ways:
•A new clock time set for less than 3 hours after the occurrence is scheduled to happen causes the occurrence to happen immediately.
•A new clock time set for less than 3 hours before the occurrence is scheduled to happen causes the occurrence to happen as scheduled.
•A new clock time set for more than 3 hours after the occurrence is scheduled to happen causes the occurrence to be rescheduled for the next regular calendar time.
•A new clock time set for more than 3 hours before the occurrence is scheduled to happen causes the occurrence to be rescheduled for the previous regular calendar time.
Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the same time or interval.
Use the kron policy-list command in conjunction with the cli command to create a Command Scheduler policy containing EXEC command-line interface (CLI) commands to be scheduled to run on the router at a specified time.
Use the show kron schedule command to display the name of each configured occurrence and when it will next run.
The Command Scheduler process is useful to automate the running of EXEC commands at recurring intervals, and it can be used in remote routers to minimize manual intervention.
Examples
The following example shows how to create a Command Scheduler occurrence named info-three for the user IT2 and schedule it to run every three days, 10 hours, and 50 minutes. The EXEC CLI in the policy named three-day-list is configured to run as part of occurrence info-three.
Router(config)# kron occurrence info-three user IT2 in 3:10:50 recurring
Router(config-kron-occurrence)# policy-list three-day-list
The following example shows how to create a Command Scheduler occurrence named auto-mkt and schedule it to run once on June 4 at 5:30 a.m. The EXEC CLI in the policies named mkt-list and mkt-list2 are configured to run as part of occurrence auto-mkt.
Router(config)# kron occurrence auto-mkt user marketing at 5:30 jun 4 oneshot
Router(config-kron-occurrence)# policy-list mkt-list
Router(config-kron-occurrence)# policy-list mkt-list2
Related Commands
kron policy-list
To specify a name for a Command Scheduler policy and enter kron-policy configuration mode, use the kron policy-list command in global configuration mode. To delete the policy list, use the no form of this command.
kron policy-list list-name
no kron policy-list list-name
Syntax Description
Defaults
If the specified list name does not exist, a new policy list is created.
Command Modes
Global configuration
Command History
Usage Guidelines
Use the kron policy-list command in conjunction with the cli command to create a Command Scheduler policy containing EXEC command line interface (CLI) commands to be scheduled to run on the router at a specified time. Use the kron occurrence and policy-list commands to schedule one or more policy lists to run at the same time or interval.
The Command Scheduler process is useful to automate the running of EXEC commands at recurring intervals, and it can be used in remote routers to minimize manual intervention.
Examples
The following example shows how to create a policy named sales-may and configure EXEC CLI commands to run the CNS command that retrieves an image from a server:
Router(config)# kron policy-list sales-may
Router(config-kron-policy)# cli cns image retrieve server https://10.21.2.3/imgsvr/ status https://10.21.2.5/status/
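Scheduled EXEC commands run with no operator present, so a configuration review should list what the Command Scheduler will run, when, and under which user. The following Python sketch is an added example, not Cisco code: it parses kron occurrence and kron policy-list blocks from configuration text and reports policy lists that are referenced but undefined, defined but never scheduled, or that contain remote URLs. The sample configuration is constructed, and the function names and the one-space indentation of sub-commands are assumptions.

```python
import re

# Constructed sample configuration (not from a real device). It reuses the
# occurrence and policy names from the examples on this page; the two
# "show" commands are made up for illustration.
SAMPLE_CONFIG = """\
kron occurrence info-three user IT2 in 3:10:50 recurring
 policy-list three-day-list
!
kron occurrence auto-mkt user marketing at 5:30 jun 4 oneshot
 policy-list mkt-list
 policy-list mkt-list2
!
kron policy-list sales-may
 cli cns image retrieve server https://10.21.2.3/imgsvr/ status https://10.21.2.5/status/
!
kron policy-list three-day-list
 cli show version
!
kron policy-list mkt-list
 cli show ip interface brief
!
"""

# kron occurrence occurrence-name [user username] {in ... | at ...} {oneshot | recurring}
OCC_RE = re.compile(
    r"^kron occurrence (?P<name>\S+)(?: user (?P<user>\S+))? "
    r"(?P<kind>in|at) (?P<when>.+?) (?P<repeat>oneshot|recurring)\s*$"
)
POL_RE = re.compile(r"^kron policy-list (?P<name>\S+)\s*$")
URL_RE = re.compile(r"\b(?:https?|ftp|tftp|scp)://\S+", re.I)


def parse_kron(config_text):
    """Return (occurrences, policies) parsed from IOS configuration text."""
    occurrences, policies = {}, {}
    section = None  # ("occ" or "pol", list that collects the sub-commands)
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line.startswith(" "):
            # A non-indented line closes the current block.
            section = None
            m = OCC_RE.match(line)
            if m:
                entry = {
                    "user": m["user"],
                    "schedule": f'{m["kind"]} {m["when"]}',
                    "repeat": m["repeat"],
                    "policy_lists": [],
                }
                occurrences[m["name"]] = entry
                section = ("occ", entry["policy_lists"])
            else:
                m = POL_RE.match(line)
                if m:
                    section = ("pol", policies.setdefault(m["name"], []))
            continue
        if section is None:
            continue
        body = line.strip()
        if section[0] == "occ" and body.startswith("policy-list "):
            section[1].append(body.split(None, 1)[1])
        elif section[0] == "pol" and body.startswith("cli "):
            section[1].append(body[4:].strip())
    return occurrences, policies


def scheduled_commands(config_text):
    """Rows of (occurrence, user, schedule, repeat, policy list, EXEC command)."""
    occurrences, policies = parse_kron(config_text)
    return [
        (name, occ["user"], occ["schedule"], occ["repeat"], pol, cmd)
        for name, occ in occurrences.items()
        for pol in occ["policy_lists"]
        for cmd in policies.get(pol, [])
    ]


def audit_kron(config_text):
    """Return review findings as (kind, subject, detail) tuples."""
    occurrences, policies = parse_kron(config_text)
    findings, scheduled = [], set()
    for occ_name, occ in occurrences.items():
        for pol in occ["policy_lists"]:
            scheduled.add(pol)
            if pol not in policies:
                findings.append(("undefined-policy-list", occ_name, pol))
    for pol, commands in policies.items():
        if pol not in scheduled:
            findings.append(("unscheduled-policy-list", pol, ""))
        for cmd in commands:
            # A scheduled command that contacts a server should be checked
            # against the servers the site expects the router to use.
            for url in URL_RE.findall(cmd):
                findings.append(("remote-url", pol, url))
    return findings


if __name__ == "__main__":
    for row in scheduled_commands(SAMPLE_CONFIG):
        print("scheduled:", row)
    for finding in audit_kron(SAMPLE_CONFIG):
        print("finding:  ", finding)
```
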
Related Commands
length
To set the terminal screen length, use the length command in line configuration mode. To restore the default value, use the no form of this command.
length screen-length
no length
Syntax Description
screen-length
The number of lines on the screen. A value of zero disables pausing between screens of output.
Defaults
Screen length of 24 lines
Command Modes
Line configuration
Command History
Usage Guidelines
The Cisco IOS software uses the value of this command to determine when to pause during multiple-screen output. Not all commands recognize the configured screen length. For example, the show terminal command assumes a screen length of 24 lines or more.
Examples
In the following example, the terminal type is specified and the screen pause function is disabled for the terminal connection on line 6:
Router(config)# line 6
Router(config-line)# terminal-type VT220
Router(config-line)# length 0
Related Commands
Command Description
terminal length
Sets the number of lines on the current terminal screen for the current session.
line-cli
Note Effective with Cisco IOS Releases 12.3(8)T and 12.3(9), the line-cli command is replaced by the cli (cns) command. See the cli (cns) command for more information.
To connect to the Cisco Networking Services (CNS) configuration engine using a modem dialup line, use the line-cli command in CNS Connect-interface configuration mode.
line-cli
Syntax Description
This command has no arguments or keywords.
Defaults
No command lines are specified to configure modem lines.
Command Modes
CNS Connect-interface configuration
Command History
Usage Guidelines
Use this command to connect to the CNS configuration engine using a specific type of interface. You must specify the interface type but need not specify the interface number; the router's bootstrap configuration finds the connecting interface, regardless of the slot in which the card resides or the modem dialout line for the connection, by trying different candidate interfaces or lines until it successfully pings the registrar.
Enter this command to enter CNS Connect-interface configuration (config-cns-conn-if) mode. Then use one of the following bootstrap-configuration commands to connect to the registrar for initial configuration:
•config-cli followed by commands that, used as is, configure the interface.
•line-cli followed by a command to configure modem lines to enable dialout and, after that, commands to configure the modem dialout line.
The config-cli command accepts the special directive character "&," which acts as a placeholder for the interface name. When the configuration is applied, the & is replaced with the interface name. Thus, for example, if we are able to connect using FastEthernet0/0, the following is the case:
•The config-cli ip route 0.0.0.0 0.0.0.0 & command generates the config ip route 0.0.0.0 0.0.0.0 FastEthernet0/0 command.
•The cns id & ipaddress command generates the cns id FastEthernet0/0 ipaddress command.
Examples
The following example enters CNS Connect-interface configuration mode, connects to a configuration engine using an asynchronous interface, and issues a number of commands:
Router(config)# cns config connect-intf Async
Router(config-cns-conn-if)# config-cli encapsulation ppp
Router(config-cns-conn-if)# config-cli ip unnumbered FastEthernet0/0
Router(config-cns-conn-if)# config-cli dialer rotary-group 0
Router(config-cns-conn-if)# line-cli modem InOut
Router(config-cns-conn-if)# line-cli
.
.
.
Router(config-cns-conn-if)# exit
These commands apply the following configuration:
line 65
modem InOut
.
.
.
interface Async65
encapsulation ppp
dialer in-band
dialer rotary-group 0
Related Commands
lives-of-history-kept
To set the number of lives maintained in the history table for a Cisco IOS IP Service Level Agreements (SLAs) operation, use the lives-of-history-kept command in the appropriate submode of IP SLA monitor configuration or RTR configuration mode. To return to the default value, use the no form of this command.
lives-of-history-kept lives
no lives-of-history-kept
Syntax Description
lives
Number of lives maintained in the history table for the operation. If you specify 0 lives, history is not collected for the operation.
Defaults
0 lives
Command Modes
IP SLA Monitor Configuration
DHCP configuration (config-sla-monitor-dhcp)
DLSw configuration (config-sla-monitor-dlsw)
DNS configuration (config-sla-monitor-dns)
Frame Relay configuration (config-sla-monitor-frameRelay)
FTP configuration (config-sla-monitor-ftp)
HTTP configuration (config-sla-monitor-http)
ICMP echo configuration (config-sla-monitor-echo)
ICMP path echo configuration (config-sla-monitor-pathEcho)
ICMP path jitter configuration (config-sla-monitor-pathJitter)
TCP connect configuration (config-sla-monitor-tcp)
UDP echo configuration (config-sla-monitor-udp)
VoIP configuration (config-sla-monitor-voip)
RTR Configuration
DHCP configuration (config-rtr-dhcp)
DLSw configuration (config-rtr-dlsw)
DNS configuration (config-rtr-dns)
Frame Relay configuration (config-rtr-frameRelay)
FTP configuration (config-rtr-ftp)
HTTP configuration (config-rtr-http)
ICMP echo configuration (config-rtr-echo)
ICMP path echo configuration (config-rtr-pathEcho)
ICMP path jitter configuration (config-rtr-pathJitter)
TCP connect configuration (config-rtr-tcp)
UDP echo configuration (config-rtr-udp)
Note The configuration mode varies depending on the Cisco IOS release you are running and the operation type configured. See the "Usage Guidelines" section for more information.
Command History
Usage Guidelines
The following rules apply to the lives-of-history-kept command:
•The number of lives you can specify is dependent on the type of operation you are configuring.
•The default value of 0 lives means that history is not collected for the operation.
•When the number of lives exceeds the specified value, the history table wraps (that is, the oldest information is replaced by newer information).
•When an operation makes a transition from a pending to active state, a life starts. When the life of an operation ends, the operation makes a transition from an active to pending state.
Note The lives-of-history-kept command does not support the IP SLAs User Datagram Protocol (UDP) jitter operation.
An IP SLAs operation can collect history and capture statistics. By default, the history for an IP SLAs operation is not collected. If history is collected, each history bucket contains one or more history entries from the operation. When the operation type is ICMP path echo, an entry is created for each hop along the path that the operation takes to reach its destination. The type of entry stored in the history table is controlled by the filter-for-history command. The total number of entries stored in the history table is controlled by the combination of the samples-of-history-kept, buckets-of-history-kept, and lives-of-history-kept commands.
To disable history collection, use the no lives-of-history-kept command rather than the filter-for-history none command. The no lives-of-history-kept command disables history collection before an IP SLAs operation is attempted. The filter-for-history command checks for history inclusion after the operation attempt is made.
IP SLAs Operation Configuration Dependence on Cisco IOS Release
The Cisco IOS command used to begin configuration for an IP SLAs operation varies depending on the Cisco IOS release you are running (see Table 39). You must configure the type of IP SLAs operation (such as User Datagram Protocol [UDP] jitter or Internet Control Message Protocol [ICMP] echo) before you can configure any of the other parameters of the operation.
The configuration mode for the lives-of-history-kept command varies depending on the Cisco IOS release you are running (see Table 39) and the operation type configured. For example, if you are running Cisco IOS Release 12.4 and the ICMP echo operation type is configured, you would enter the lives-of-history-kept command in ICMP echo configuration mode (config-sla-monitor-echo) within IP SLA monitor configuration mode.
Examples
The following examples show how to maintain the history for five lives of IP SLAs ICMP echo operation 1. Note that the Cisco IOS command used to begin configuration for an IP SLAs operation varies depending on the Cisco IOS release you are running (see Table 39).
IP SLA Monitor Configuration
ip sla monitor 1
type echo protocol ipIcmpEcho 172.16.1.176
lives-of-history-kept 5
!
ip sla monitor schedule 1 life forever start-time now
RTR Configuration
rtr 1
type echo protocol ipIcmpEcho 172.16.1.176
lives-of-history-kept 5
!
rtr schedule 1 life forever start-time now
Related Commands
load-interval
To specify the length of time to be used to calculate the average load for an interface, use the load-interval command in interface configuration or Frame Relay DLCI configuration mode. To revert to the default setting, use the no form of this command.
load-interval seconds
no load-interval seconds
Syntax Description
seconds
Length of time for which data is used to compute load statistics. Value is a multiple of 30, from 30 to 600 (30, 60, 90, 120, and so on). The default is 300 seconds.
Defaults
300 seconds (5 minutes)
Command Modes
Interface configuration
Frame Relay DLCI configuration
Command History
Release Modification
10.3
This command was introduced.
12.2(4)T
This command was made available in Frame Relay DLCI configuration mode.
Usage Guidelines
If you want load computations to be more reactive to short bursts of traffic, rather than being averaged over 5-minute periods, you can shorten the length of time over which load averages are computed. For example, if the load interval is set to 30 seconds, the load value will reflect the weighted-average load for the last 30-second period.
Load data is gathered every 5 seconds. This data is used to compute load statistics, including input rate in bits and packets per second, output rate in bits and packets per second, load, and reliability. Load data is computed using a weighted-average calculation in which recent load data has more weight in the computation than older load data.
The load-interval command allows you to change the calculation interval from the default value of 5 minutes (300 seconds) to a shorter or longer period of time. If you change it to a shorter period of time, the input and output statistics that are displayed when you use the show interface or show frame-relay pvc command will be more current, rather than reflecting a more average load over a longer period of time.
One use of this command is to increase or decrease the likelihood of activating a backup interface; for example, a backup dial interface may be triggered by a sudden spike in the load on an active interface.
Examples
In the following example, the load-interval for the serial interface 0 is configured so that the average is computed over 30-second intervals. A burst in traffic that would not trigger a dial backup for an interface configured with the default 5-minute interval might trigger a dial backup for this interface, which is set for the shorter 30-second interval.
Router(config)# interface serial 0
Router(config-if)# load-interval 30
Frame Relay PVC Example
In the following example, the load interval is set to 60 seconds for a Frame Relay PVC with the DLCI 100:
Router(config)# interface serial 1/1
Router(config-if)# encapsulation frame-relay ietf
Router(config-if)# frame-relay interface-dlci 100
Router(config-fr-dlci)# load-interval 60
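To see why a short burst can trip a load-based trigger at a 30-second interval but not at the 300-second default, the following Python simulation (an added example, not Cisco code) runs the same constructed traffic trace through both settings. The page says only that the average is weighted toward recent data and sampled every 5 seconds; the exponential decay used here, the 50 percent threshold, and the function names are assumptions.

```python
import math

SAMPLE_PERIOD = 5  # seconds; the page states load data is gathered every 5 seconds


def load_series(samples, load_interval):
    """Weighted-average load after each 5-second sample.

    Assumption: exponential weighting with the load interval as the time
    constant, so older samples fade by exp(-5 / load_interval) per step.
    """
    if load_interval % 30 or not 30 <= load_interval <= 600:
        raise ValueError("load-interval must be a multiple of 30 from 30 to 600")
    decay = math.exp(-SAMPLE_PERIOD / load_interval)
    average = samples[0]  # assume the link was already at its starting load
    series = []
    for sample in samples:
        average = sample + (average - sample) * decay
        series.append(average)
    return series


def first_trigger(samples, load_interval, threshold):
    """Seconds into the trace at which the averaged load first reaches the
    threshold, or None if it never does."""
    for index, value in enumerate(load_series(samples, load_interval)):
        if value >= threshold:
            return (index + 1) * SAMPLE_PERIOD
    return None


def peak_load(samples, load_interval):
    """Highest averaged load seen over the trace."""
    return max(load_series(samples, load_interval))


# Constructed trace: 5 minutes at 10% utilization, a 20-second burst at 100%,
# then 5 more minutes at 10%.
TRAFFIC = [0.10] * 60 + [1.00] * 4 + [0.10] * 60

if __name__ == "__main__":
    for interval in (30, 300):
        print(
            f"load-interval {interval:3d}: peak {peak_load(TRAFFIC, interval):.3f}, "
            f"reaches 50% at {first_trigger(TRAFFIC, interval, 0.50)} s"
        )
```
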
Related Commands
location
To provide a description of the location of a serial device, use the location command in line configuration mode. To remove the description, use the no form of this command.
location text
no location
Syntax Description
Defaults
No location description is provided.
Command Modes
Line configuration
Command History
Usage Guidelines
The location command enters information about the device location and status. Use the show users all EXEC command to display the location information.
Examples
In the following example, the location description for the console line is given as "Building 3, Basement":
Router(config)# line console
Router(config-line)# location Building 3, Basement
lock
To configure a temporary password on a line, use the lock command in EXEC mode.
lock
Syntax Description
This command has no arguments or keywords.
Defaults
Not locked
Command Modes
EXEC
Command History
Usage Guidelines
You can prevent access to your session while keeping your connection open by setting up a temporary password. To lock access to the terminal, perform the following steps:
Step 1 Enter the lock command. The system prompts you for a password.
Step 2 Enter a password, which can be any arbitrary string. The system will prompt you to confirm the password. The screen then clears and displays the message "Locked."
Step 3 To regain access to your sessions, reenter the password.
The Cisco IOS software honors session timeouts on a locked line. You must clear the line to remove this feature. The system administrator must set the line up to allow use of the temporary locking feature by using the lockable line configuration command.
Examples
The following example shows configuring the router as lockable, saving the configuration, and then locking the current session for the user:
Router(config-line)# lockable
Router(config-line)# ^Z
Router# copy system:running-config nvram:startup-config
Building configuration...
OK
Router# lock
Password: <password>
Again: <password>
Locked
Password: <password>
Router#
Related Commands
Command Description
lockable
Enables the lock EXEC command.
login (EXEC)
Enables or changes a login username.
lockable
To enable use of the lock EXEC command, use the lockable command in line configuration mode. To reinstate the default (the terminal session cannot be locked), use the no form of this command.
lockable
no lockable
Syntax Description
This command has no arguments or keywords.
Defaults
Sessions on the line are not lockable (the lock EXEC command has no effect).
Command Modes
Line configuration
Command History
Usage Guidelines
This command enables use of temporary terminal locking, which is executed using the lock EXEC command. Terminal locking allows a user to keep the current session open while preventing access by other users.
Examples
In the following example, the terminal connection is configured as lockable, then the current connection is locked:
Router# configure terminal
Router(config)# line console 0
Router(config-line)# lockable
Router(config-line)# ^Z
Router# lock
Password: <password>
Again: <password>
Locked
Password: <password>
Router#
Related Commands
Command Description
lock
Prevents access to your session by other users by setting a temporary password on your terminal line.
log config
To enter configuration change logger configuration mode, use the log config command in archive configuration mode.
log config
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values
Command Modes
Archive configuration
Command History
Release Modification
12.3(4)T
This command was introduced.
12.2(25)S
This command was integrated into Cisco IOS Release 12.2(25)S.
Examples
The following example shows how to place the router in configuration change logger configuration mode:
Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-config)# logging enable
Related Commands
logging buffered
To enable system message logging to a local buffer and limit messages logged to the buffer based on severity, use the logging buffered command in global configuration mode. To cancel the use of the buffer, use the no form of this command. The default form of this command returns the buffer size to the default size.
logging buffered [buffer-size | severity-level]
no logging buffered
default logging buffered
Syntax Description
buffer-size
(Optional) Size of the buffer from 4096 to 4,294,967,295 bytes. The default size varies by platform.
severity-level
(Optional) Limits the logging of messages to the buffer to a specified level. You can enter the level name or level number. See Table 40 for a list of the acceptable level name or level number keywords. The default logging level varies by platform, but is generally 7, meaning that messages at all levels (0-7) are logged to the buffer.
Defaults
Varies by platform. For most platforms, logging to the buffer is disabled by default. When enabled, the default logging level is 7 (debugging).
Command Modes
Global configuration
Command History
Usage Guidelines
This command copies logging messages to an internal buffer. The buffer is circular in nature, so newer messages overwrite older messages after the buffer is filled.
Specifying a level causes messages at that level and numerically lower levels to be logged in an internal buffer. See Table 40 for a list of level arguments.
Do not make the buffer size too large because the router could run out of memory for other tasks. You can use the show memory EXEC command to view the free processor memory on the router; however, this is the maximum available and should not be approached. The default logging buffered command resets the buffer size to the default for the platform.
To display the messages that are logged in the buffer, use the show logging command. The first message displayed is the oldest message in the buffer.
The show logging command displays the addresses and levels associated with the current logging setup, and any other logging statistics.
Examples
In the following example, the user enables standard system logging to the local syslog buffer:
Router(config)# logging buffered
Related Commands
logging buffered filtered
To enable Embedded Syslog Manager (ESM) filtered system message logging to the standard syslog buffer, use the logging buffered filtered command in global configuration mode. To disable all logging to the buffer and return the size of the buffer to the default, use the no form of this command.
logging buffered filtered [severity-level]
no logging buffered filtered
Syntax Description
Defaults
Logging to the buffer is enabled.
ESM filtering of system logging messages sent to the buffer is disabled.
The default severity level varies by platform but is generally level 7 ("debugging"), meaning that messages at all severity levels (0 through 7) are logged.
Command Modes
Global configuration
Command History
Usage Guidelines
If standard logging has been disabled on your system (using the no logging on command), standard logging must be reenabled using the logging on command before using the logging buffered filtered command.
Standard logging is enabled by default, but filtering by the ESM is disabled by default.
ESM uses syslog filter modules, which are Tcl script files stored locally or on a remote device. The syslog filter modules must be configured using the logging filter command before filtered output can be sent to the buffer.
When ESM filtering is enabled, all messages sent to the buffer have the configured syslog filter modules applied. To return to standard logging to the buffer, use the plain form of the logging buffered command (without the filtered keyword). To disable all logging to the buffer, use the no logging buffered command, with or without the filtered keyword.
The buffer is circular, so newer messages overwrite older messages as the buffer is filled. To change the size of the buffer, use the logging buffered buffer-size command, then issue the logging buffered filtered command to start (or restart) filtered logging.
To display the messages that are logged in the buffer, use the show logging command in EXEC mode. The first message displayed is the oldest message in the buffer.
Examples
In the following example, the user enables ESM filtered logging to the buffer:
Router(config)# logging filter tftp://209.165.200.225/ESM/escalate.tcl
Router(config)# logging filter slot0:/email.tcl user@example.com
Router(config)# logging buffered filtered
Related Commands
logging buffered xml
To enable system message logging (syslog) and send XML-formatted logging messages to the XML-specific system buffer, use the logging buffered xml command in global configuration mode. To disable the XML syslog buffer and return the size of the buffer to the default, use the no form of this command.
logging buffered xml [xml-buffer-size]
no logging buffered xml
Syntax Description
Defaults
XML formatting of system logging messages is disabled.
The default XML syslog buffer size is the same size as the standard syslog buffer.
Command Modes
Global configuration
Command History
Usage Guidelines
Standard logging is enabled by default, but XML-formatted system message logging is disabled by default. If standard logging has been disabled on your system (using the no logging on command), standard logging must be reenabled using the logging on command before using the logging buffered xml command.
The logging buffered xml command copies logging messages to an internal XML buffer. The XML syslog buffer is separate from the standard syslog buffer (created using the logging buffered command).
The buffer is circular, so newer messages overwrite older messages as the buffer is filled.
The severity level for logged messages is determined by the setting of the logging buffered command. If the logging buffered command has not been used, the default severity level for that command is used. The default severity level varies by platform, but is generally level 7 ("debugging"), meaning that messages at all severity levels (0 through 7) are logged. For more information on severity levels, see the documentation of the logging buffered command.
Do not make the buffer size too large because the router could run out of memory for other tasks. You can use the show memory EXEC command to view the free processor memory on the router; however, this value is the maximum available and should not be approached.
To return the size of the XML logging buffer to the default, enter the logging buffered xml command again without a buffer size value.
To display the messages that are logged in the buffer, use the show logging xml command in EXEC mode. The first message displayed is the oldest message in the buffer.
Examples
In the following example, the user enables logging to the XML syslog buffer and sets the XML syslog buffer size to 14 kilobytes:
Router(config)# logging buffered xml 14336
Related Commands
logging cns-events
To enable XML-formatted system event message logging to be sent through the CNS Event Bus, use the logging cns-events command in global configuration mode. To disable the ability to send system logging event messages through the CNS Event Bus, use the no form of this command.
logging cns-events [severity-level]
no logging cns-events
Syntax Description
Defaults
Level 7: debugging
Command Modes
Global configuration
Command History
Usage Guidelines
Before you configure this command you must enable the CNS event agent with the cns event command because the CNS event agent sends out the CNS event logging messages. The generation of many CNS event logging messages can negatively impact the publishing time of standard CNS event messages that must be sent to the network.
If the debug cns event command is active when the logging cns-events command is configured, the logging of CNS events is disabled.
Examples
In the following example, the user enables XML-formatted CNS system error message logging to the CNS Event Bus for messages at levels 0 through 4:
Router(config)# logging cns-events 4
Related Commands
Command Description
cns event
Configures CNS event gateway, which provides CNS event services to Cisco IOS clients.
debug cns event
Displays CNS event agent debugging messages.
logging console
To send system logging (syslog) messages to all available TTY lines and limit messages based on severity, use the logging console command in global configuration mode. To disable logging to the console terminal, use the no form of this command.
logging console [severity-level]
no logging console [severity-level]
Syntax Description
severity-level
Limits the logging of messages displayed on the console terminal to the specified level and (numerically) lower levels. You can enter the level number or level name. See Table 41 for a list of the level arguments.
Defaults
In general, the default is to log messages from level 0 (emergencies) to level 7 (debugging). However, the default level varies by platform.
Command Modes
Global configuration
Command History
Usage Guidelines
The console keyword indicates all available TTY lines. This can mean a console terminal attached to the router's TTY line, a dial-up modem connection, or a printer.
Specifying a level causes messages at that level and numerically lower levels to be sent to the console (TTY lines). See Table 41 for a list of the level arguments.
The show logging EXEC command displays the addresses and levels associated with the current logging setup, and any other logging statistics.
Note The effect of the log keyword with the IP access list (extended) interface configuration command depends on the setting of the logging console command. The log keyword takes effect only if the logging console level is set to 6 or 7. If you change the default to a level lower than 6 and specify the log keyword with the IP access list (extended) command, no information is logged or displayed.
Examples
In the following example, the user changes the level of messages sent to the console terminal (TTY lines) to alerts, which means messages at levels 0 and 1 are sent:
Router(config)# logging console alerts
Related Commands
Command Description
access-list (extended)
Defines an extended XNS access list.
logging facility
Configures the syslog facility in which error messages are sent.
logging console filtered
To enable Embedded Syslog Manager (ESM) filtered system message logging to the console connections, use the logging console filtered command in global configuration mode. To disable all logging to the console connections, use the no form of this command.
logging console filtered [severity-level]
no logging console [filtered] [severity-level]
Syntax Description
Defaults
Logging to the console is enabled.
ESM filtering of system logging messages sent to the console is disabled.
The default severity level varies by platform, but is generally level 7 (messages at levels 0 through 7 are logged).
Command Modes
Global configuration
Command History
Usage Guidelines
If standard logging has been disabled on your system (using the no logging on command), standard logging must be reenabled using the logging on command before using the logging console filtered command.
Standard logging is enabled by default, but filtering by the ESM is disabled by default.
ESM uses syslog filter modules, which are Tcl script files stored locally or on a remote device. The syslog filter modules must be configured using the logging filter command before system logging messages can be filtered.
When ESM filtering is enabled, all messages sent to the console have the configured syslog filter modules applied. To disable filtered logging to the console and return to standard logging, use the standard logging console command (without the filtered keyword). To disable all logging to the console, use the no logging console command, with or without the filtered keyword.
Examples
In the following example, the user enables ESM filtered logging to the console for severity levels 0 through 3:
Router(config)# logging filter tftp://209.165.200.225/ESM/escalate.tcl
Router(config)# logging filter slot0:/email.tcl user@example.com
Router(config)# logging console filtered 3
Related Commands
logging console xml
To enable XML-formatted system message logging to the console connections, use the logging console xml command in global configuration mode. To disable all logging to the console connections, use the no form of this command.
logging console xml [severity-level]
no logging console xml
Syntax Description
Defaults
Logging to the console is enabled.
XML-formatted logging to the console is disabled.
The default severity level varies by platform, but is generally level 7 (messages at levels 0 through 7 are logged).
Command Modes
Global configuration
Command History
Usage Guidelines
To return system logging messages to standard text (without XML formatting), issue the standard logging console command (without the xml keyword extension).
Examples
In the following example, the user enables XML-formatted system message logging to the console for messages at levels 0 through 4:
Router(config)# logging console xml 4
Related Commands
Command Description
show logging xml
Displays the state of XML-formatted system message logging, followed by the contents of the XML syslog buffer.
logging count
To enable the error log count capability, use the logging count command in global configuration mode. To disable the error log count capability, use the no form of this command.
logging count
no logging count
Syntax Description
This command has no arguments or keywords.
Defaults
This command is disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
The logging count command counts every syslog message and time-stamps the occurrence of each message.
Examples
In the following example, syslog messages are logged to the system buffer and the logging count capability is enabled:
Router(config)# logging buffered notifications
Router(config)# logging count
Router(config)# end
Router# show logging count
Facility Message Name Sev Occur Last Time
=============================================================================
SYS BOOTTIME 6 1 00:00:12
SYS RESTART 5 1 00:00:11
SYS CONFIG_I 5 3 1d00h
------------- ------------------------------- -----------------------------
SYS TOTAL 5
LINEPROTO UPDOWN 5 13 00:00:19
------------- ------------------------------- -----------------------------
LINEPROTO TOTAL 13
LINK UPDOWN 3 1 00:00:18
LINK CHANGED 5 12 00:00:09
------------- ------------------------------- -----------------------------
LINK TOTAL 13
SNMP COLDSTART 5 1 00:00:11
------------- ------------------------------- -----------------------------
SNMP TOTAL
Related Commands
logging enable (config-archive-log)
To enable the logging of configuration changes, use the logging enable command in configuration change logger configuration mode. To disable the logging of configuration changes, use the no form of this command.
logging enable
no logging enable
Syntax Description
This command has no arguments or keywords.
Defaults
Configuration change logging is disabled.
Command Modes
Configuration change logger configuration
Command History
Release Modification
12.3(4)T
This command was introduced.
12.2(25)S
This command was integrated into Cisco IOS Release 12.2(25)S.
Usage Guidelines
Disabling the configuration log results in all configuration log records being purged.
Examples
The following example shows how to enable configuration logging:
Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-config)# logging enable
The following example shows how to clear the configuration log by disabling and then reenabling the configuration log:
Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-config)# no logging enable
Router(config-archive-log-config)# logging enable
Related Commands
logging facility
To configure the syslog facility in which error messages are sent, use the logging facility command in global configuration mode. To revert to the default of local7, use the no form of this command.
logging facility facility-type
no logging facility
Syntax Description
facility-type
Syslog facility. See the "Usage Guidelines" section of this command reference entry for descriptions of acceptable keywords.
Defaults
local7
Command Modes
Global configuration
Command History
Usage Guidelines
Table 42 describes the acceptable keywords for the facility-type argument.
Examples
In the following example, the user configures the syslog facility to the kernel facility type:
logging facility kern
Related Commands
logging filter
To specify a syslog filter module to be used by the Embedded Syslog Manager (ESM), use the logging filter command in global configuration mode. To remove a module from the filter chain, use the no form of this command.
logging filter filter-url [position] [args filter-arguments]
no logging filter filter-url [position]
Syntax Description
Defaults
No ESM filters are applied to system logging messages.
Command Modes
Global configuration
Command History
Usage Guidelines
Use this command to enable the Embedded Syslog Manager by specifying the filter that should be applied to logging messages generated by the system. Repeat this command for each syslog filter module that should be used.
Syslog filter modules are Tcl script files. These files can be stored as plain text files (.txt) or as precompiled Tcl scripts (.tcl). When positioning (ordering) the modules, keep in mind that the output of each filter module is used as input for the next filter module in the chain.
By default, syslog filter modules are executed in the order in which they appear in the system configuration file. The position argument can be used to order the filter modules manually. Filter modules can also be reordered at any time by reentering the logging filter command and specifying a different position for a given filter module.
The optional args filter-arguments syntax can be added to pass arguments to the specified filter. Multiple arguments can be specified. The number and type of arguments should be defined in the syslog filter module. For example, if the syslog filter module is designed to accept a specific email address as an argument, you could pass the email address using the args user@host.com syntax. Multiple arguments are typically delimited by spaces.
To remove a module from the list of modules to be executed, use the no form of this command. Modules not referenced in the configuration will not be executed, regardless of their "position" number.
Examples
In the following example, the user enables ESM filtered logging to the console for severity levels 0 through 3:
Router(config)# logging filter tftp://209.165.200.225/ESM/escalate.tcl
Router(config)# logging filter slot0:/email.tcl user@example.com
Router(config)# logging filter slot0:/email_guts.tcl
Router(config)# logging console filtered 3
Related Commands
logging history
To limit syslog messages sent to the router's history table and to an SNMP network management station based on severity, use the logging history command in global configuration mode. To return the logging of syslog messages to the default level, use the no form of this command with the previously configured severity level argument.
logging history [severity-level-name | severity-level-number]
no logging history [severity-level-name | severity-level-number]
Syntax Description
Defaults
Logging of error messages of severity levels 0 through 4 (emergency, alert, critical, error, and warning levels); in other words, "saving level warnings or higher."
Command Modes
Global configuration
Command History
Usage Guidelines
The sending of syslog messages to an SNMP network management station (NMS) occurs when you enable syslog traps with the snmp-server enable traps syslog global configuration mode command.
Because SNMP traps are potentially unreliable, at least one syslog message, the most recent message, is stored in a history table on the router. The history table, which contains table size, message status, and message text data, can be viewed using the show logging history command. The number of messages stored in the table is governed by the logging history size global configuration mode command.
Severity levels are numbered 0 through 7, with 0 being the highest severity level and 7 being the lowest severity level (that is, the lower the number, the more critical the message). Specifying a level causes messages at that severity level and numerically lower levels to be stored in the router's history table and sent to the SNMP network management station. For example, specifying the level critical causes messages at the critical (3), alert (2), and emergency (1) levels to be saved to the logging history table.
Table 43 provides a description of logging severity levels, listed from highest severity to lowest severity, and the arguments used in the logging history command syntax. Note that you can use the level name or the level number as the level argument in this command.
Examples
In the following example, the system is initially configured to the default of saving severity level 4 or higher. The logging history 1 command is used to configure the system to save only level 1 (alert) and level 0 (emergency) messages to the logging history table, and, by extension, to send only these levels in the SNMP notifications. The configuration is then confirmed using the show logging history command.
Router# show logging history
Syslog History Table:10 maximum table entries,
! The following line shows that system-error-message-logging is set to the
! default level of "warnings" (4).
saving level warnings or higher
23 messages ignored, 0 dropped, 0 recursion drops
1 table entries flushed
SNMP notifications not enabled
entry number 2 : LINK-3-UPDOWN
Interface FastEthernet0, changed state to up
timestamp: 2766
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# logging history 1
Router(config)# snmp-server enable traps syslog
Router(config)# end
Router#
4w0d: %SYS-5-CONFIG_I: Configured from console by console
Router# show logging history
Syslog History Table:1 maximum table entries,
! The following line indicates that `logging history level 1' (alerts) is configured.
saving level alerts or higher
18 messages ignored, 0 dropped, 0 recursion drops
1 table entries flushed
SNMP notifications enabled, 0 notifications sent
entry number 2 : LINK-3-UPDOWN
Interface FastEthernet0, changed state to up
timestamp: 2766
Router#
Related Commands
logging history size
To change the number of syslog messages stored in the router's history table, use the logging history size command in global configuration mode. To return the number of messages to the default value, use the no form of this command.
logging history size number
no logging history size
Syntax Description
number
Number from 1 to 500 that indicates the maximum number of messages stored in the history table. The default is one message.
Defaults
One message
Command Modes
Global configuration
Command History
Usage Guidelines
When the history table is full (that is, it contains the maximum number of message entries specified with the logging history size command), the oldest message entry is deleted from the table to allow the new message entry to be stored.
Examples
In the following example, the user sets the number of messages stored in the history table to 20:
logging history size 20
Related Commands
logging host
To log system messages and debug output to a remote host, use the logging host command in global configuration mode. To remove a specified logging host from the configuration, use the no form of this command.
logging host {ip-address | hostname} [xml | filtered [stream stream-id]]
no logging host {ip-address | hostname} [xml | filtered [stream stream-id]]
Syntax Description
Defaults
System logging messages are not sent to any remote host.
If this command is entered without the xml or filtered keywords, messages are sent in the standard format.
Command Modes
Global configuration
Command History
Usage Guidelines
Standard system message logging (syslog) is enabled by default. If logging has been disabled on your system (using the no logging on command), logging must be reenabled using the logging on command before using the logging host command.
The logging host command identifies a remote host (usually a device serving as a syslog server) to receive logging messages. By issuing this command more than once, you can build a list of hosts that receive logging messages.
To specify the severity level for logging to all hosts, use the logging trap command.
If XML-formatted syslog is enabled using the logging host {ip-address | hostname} xml command, messages will be sent to the specified host with the system defined XML tags. These tags are predefined and are not user-configurable. XML-formatting will not be applied to debugging output.
If you are using the Embedded Syslog Manager (ESM) feature, you can enable ESM filtered syslog messages to be sent to one or more hosts using the logging host {ip-address | hostname} filtered command. To use the ESM feature, you must first specify the syslog filter modules that should be applied to the messages using the logging filter command. See the description of the logging filter command for more information on the ESM feature.
To configure standard logging to a specific host after configuring XML-formatted or ESM filtered logging to that host, use the standard form of this command (logging host {ip-address | hostname}) without the xml or filtered keywords. In other words, a standard logging host command will replace an XML or ESM filtered logging host command, and vice versa, if the same host is specified.
Note Any no logging host command (with or without the optional keywords) will disable all logging to the specified host.
You can configure the system to send standard messages to one or more hosts, XML-formatted messages to one or more hosts, and ESM filtered messages to one or more hosts by repeating this command as many times as desired with the appropriate syntax. (See the "Examples" section.)
Examples
In the following example, messages at severity levels 0 (emergencies) through 5 (notifications) are logged to a host at 209.165.202.169:
Router(config)# logging host 209.165.202.169
Router(config)# logging trap 5
In the following example, standard system logging messages are sent to the host at 209.165.200.225, XML-formatted system logging messages are sent to the host at 209.165.200.226, ESM filtered logging messages with the stream 10 value are sent to the host at 209.165.200.227, and ESM filtered logging messages with the stream 20 value are sent to the host at 209.165.202.129:
Router(config)# logging host 209.165.200.225
Router(config)# logging host 209.165.200.226 xml
Router(config)# logging host 209.165.200.227 filtered stream 10
Router(config)# logging host 209.165.202.129 filtered stream 20
Related Commands
logging linecard
To log messages to an internal buffer on a line card, use the logging linecard command in global configuration mode. To cancel the use of the internal buffer on the line cards, use the no form of this command.
logging linecard [size | level]
no logging linecard
Syntax Description
Defaults
The Cisco IOS software logs messages to the internal buffer on the GRP card.
Command Modes
Global configuration
Command History
Release Modification
11.2 GS
This command was added to support the Cisco 12000 series Gigabit Switch Routers.
Usage Guidelines
Specifying a message level causes messages at that level and numerically lower levels to be stored in the internal buffer on the line cards.
Table 44 lists the message levels and associated numerical level. For example, if you specify a message level of critical, all critical, alert, and emergency messages will be logged.
Table 44 Message Levels
Level Keyword    Level
emergencies      0
alerts           1
critical         2
errors           3
warnings         4
notifications    5
informational    6
debugging        7
To display the messages that are logged in the buffer, use the show logging slot EXEC command. The first message displayed is the oldest message in the buffer.
Do not make the buffer size too large because the router could run out of memory for other tasks. You can use the show memory EXEC command to view the free processor memory on the router; however, this is the maximum available and should not be approached.
Examples
The following example enables logging to an internal buffer on the line cards using the default buffer size and logging warning, error, critical, alert, and emergency messages:
Router(config)# logging linecard warnings
Related Commands
Command Description
clear logging
Clears messages from the logging buffer.
show logging
Displays the state of logging (syslog).
logging monitor
To enable system message logging to the terminal lines (monitor connections) and limit these messages based on severity, use the logging monitor command in global configuration mode. To disable logging to terminal lines other than the console line, use the no form of this command.
logging monitor severity-level
no logging monitor
Syntax Description
Defaults
debugging (severity-level 7)
Command Modes
Global configuration
Command History
Usage Guidelines
Specifying a severity-level causes messages only at that level and numerically lower levels to be displayed to the monitor (terminal lines).
Examples
In the following example, the user specifies that only messages of the levels errors, critical, alerts, and emergencies be logged to monitor connections:
Router(config)# logging monitor 3
Related Commands
logging monitor filtered
To enable Embedded Syslog Manager (ESM) filtered system message logging to monitor connections, use the logging monitor filtered command in global configuration mode. To disable all logging to the monitor connections, use the no form of this command.
logging monitor filtered [severity-level]
no logging monitor filtered
Syntax Description
Defaults
Logging to monitor connections is enabled.
ESM filtering of system logging messages sent to the monitor connections is disabled.
The default severity level varies by platform, but is generally level 7 (messages at levels 0 through 7 are logged).
Command Modes
Global configuration
Command History
Usage Guidelines
The monitor keyword specifies the TTY (TeleTYpe) line connections at all line ports. TTY lines (also called ports) communicate with peripheral devices such as terminals, modems, and serial printers. An example of a TTY connection is a PC with a terminal emulation program connected to the device using a dial-up modem, or a Telnet connection.
Standard logging is enabled by default, but filtering by the Embedded Syslog Manager (ESM) is disabled by default. If standard logging has been disabled on your system (using the no logging on command), standard logging must be reenabled using the logging on command before using the logging monitor filtered command.
ESM uses syslog filter modules, which are Tcl script files stored locally or on a remote device. The syslog filter modules must be configured using the logging filter command before system logging messages can be filtered.
When ESM filtering is enabled, all messages sent to the monitor have the configured syslog filter modules applied. To disable filtered logging to the monitor and return to standard logging, issue the standard logging monitor command (without the filtered keyword). To disable all logging to the monitor connections, use the no logging monitor command, with or without the filtered keyword.
Examples
In the following example, the user enables ESM filtered logging to the monitor connections:
Router(config)# logging filter tftp://209.165.200.225/ESM/escalate.tcl
Router(config)# logging filter slot0:/email.tcl user@example.com
Router(config)# logging monitor filtered
Related Commands
logging monitor xml
To enable XML-formatted system message logging to monitor connections, use the logging monitor xml command in global configuration mode. To disable all logging to the monitor connections, use the no form of this command.
logging monitor xml [severity-level]
no logging monitor xml
Syntax Description
Defaults
Logging to monitor connections is enabled.
XML-formatted logging to monitor connections is disabled.
The default severity level varies by platform, but is generally level 7 (messages at levels 0 through 7 are logged).
Command Modes
Global configuration
Command History
Usage Guidelines
The monitor keyword specifies the tty line connections at all line ports. The tty lines (also called ports) communicate with peripheral devices such as terminals, modems, and serial printers. An example of a tty connection is a PC with a terminal emulation program connected to the device using a dial-up modem, or a Telnet connection.
To return system logging messages to standard text (without XML formatting), issue the standard logging monitor command (without the xml keyword extension).
Examples
In the following example, the user enables XML-formatted system message logging to the console for messages at levels 0 through 4 and XML-formatted system message logging to tty line connections at the default severity level:
Router(config)# logging console xml 4
Router(config)# logging monitor xml
Related Commands
logging on
To enable logging of system messages, use the logging on command in global configuration mode. This command sends debug or error messages to a logging process, which logs messages to designated locations asynchronously to the processes that generated the messages. To disable the logging process, use the no form of this command.
logging on
no logging on
Syntax Description
This command has no arguments or keywords.
Defaults
The Cisco IOS software sends messages to the asynchronous logging process.
Command Modes
Global configuration
Command History
Usage Guidelines
The logging process controls the distribution of logging messages to the various destinations, such as the logging buffer, terminal lines, or syslog server. System logging messages are also known as system error messages. You can turn logging on and off for these destinations individually using the logging buffered, logging monitor, and logging global configuration commands. However, if the logging on command is disabled, no messages will be sent to these destinations. Only the console will receive messages.
Additionally, the logging process logs messages to the console and the various destinations after the processes that generated them have completed. When the logging process is disabled, messages are displayed on the console as soon as they are produced, often appearing in the middle of command output.
Caution Disabling the logging on command may substantially slow down the router. Any process generating debug or error messages will wait until the messages have been displayed on the console before continuing.
The logging synchronous line configuration command also affects the displaying of messages to the console. When the logging synchronous command is enabled, messages will appear only after the user types a carriage return.
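The following added example (not Cisco code) models the severity thresholds described for logging console, logging monitor, logging history and logging host with logging trap, together with the logging on rule that only the console receives messages when the logging process is disabled, and the access-list log note from the logging console entry. The sample configuration, the access-list line, the %SYS-1-EXAMPLE message used for checking, and the logging trap default of 6 are assumptions.

```python
import re

# Level keywords and numbers as listed in Table 44 on this page.
LEVELS = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
          "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}
# FACILITY-SEVERITY-MNEMONIC, for example %SYS-5-CONFIG_I or LINK-3-UPDOWN
MSG_RE = re.compile(r"%?([A-Z0-9_]+)-([0-7])-([A-Z0-9_]+)")


def parse_level(token):
    """Accept a level number or a level keyword and return the number."""
    if token.isdigit() and int(token) <= 7:
        return int(token)
    if token in LEVELS:
        return LEVELS[token]
    raise ValueError(f"unknown severity level: {token!r}")


class LoggingConfig:
    """Which destinations receive a message, derived from 'logging' lines."""

    TRAP_DEFAULT = 6  # assumption: the 'logging trap' default is not stated on this page

    def __init__(self, text):
        self.logging_on = True
        # Defaults as given on this page (console and monitor vary by platform).
        self.limit = {"console": 7, "monitor": 7, "history": 4}
        self.trap = self.TRAP_DEFAULT
        self.hosts = []
        self.acl_log = False
        for raw in text.splitlines():
            words = raw.split("# ", 1)[-1].split()  # drop a 'Router(config)# ' prompt
            negated = words[:1] == ["no"]
            if negated:
                words = words[1:]
            if words[:1] == ["access-list"] and "log" in words and not negated:
                self.acl_log = True
            if len(words) >= 2 and words[0] == "logging":
                args = [w for w in words[2:] if w not in ("xml", "filtered")]
                self._apply(words[1], args, negated)

    def _apply(self, keyword, args, negated):
        if keyword == "on":
            self.logging_on = not negated
        elif keyword in ("console", "monitor"):
            if negated:
                self.limit[keyword] = None  # destination disabled
            else:
                self.limit[keyword] = parse_level(args[0]) if args else 7
        elif keyword == "history" and args[:1] != ["size"]:
            if negated:
                self.limit["history"] = 4  # back to the default level
            elif args:
                self.limit["history"] = parse_level(args[0])
        elif keyword == "trap" and args and not negated:
            self.trap = parse_level(args[0])
        elif keyword == "host" and args:
            if negated:
                self.hosts = [h for h in self.hosts if h != args[0]]
            elif args[0] not in self.hosts:
                self.hosts.append(args[0])

    def destinations(self, message):
        """Return the destinations that receive this syslog message."""
        match = MSG_RE.search(message)
        if match is None:
            raise ValueError("no FACILITY-SEVERITY-MNEMONIC field found")
        severity = int(match.group(2))
        reached = [d for d in ("console", "monitor", "history")
                   if self.limit[d] is not None and severity <= self.limit[d]]
        if severity <= self.trap:
            reached += self.hosts
        if not self.logging_on:
            # Per the guidelines above: only the console receives messages.
            # Assumption: the console severity limit still applies.
            reached = [d for d in reached if d == "console"]
        return reached

    def audit(self):
        """Return findings about log output that is lost or never delivered."""
        findings = []
        if not self.logging_on:
            findings.append("logging process disabled: only the console receives messages")
        if not self.hosts:
            findings.append("no logging host: messages are not sent to any remote host")
        console = self.limit["console"]
        if self.acl_log and (console is None or console < 6):
            findings.append("access-list log keyword has no effect: console level is below 6")
        return findings


# Constructed sample configuration (the host address reuses this page's example).
SAMPLE = """\
Router(config)# logging console alerts
Router(config)# logging monitor 3
Router(config)# logging history 1
Router(config)# logging host 209.165.202.169
Router(config)# logging trap 5
access-list 101 permit ip any any log
"""

if __name__ == "__main__":
    cfg = LoggingConfig(SAMPLE)
    for msg in ("%LINK-3-UPDOWN", "%SYS-5-CONFIG_I"):
        print(msg, "->", cfg.destinations(msg))
    print(cfg.audit())
```

With the sample configuration, a severity 3 message reaches the monitor lines and the remote host but not the console or the history table, and the audit reports that the access-list log keyword produces no output.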
Examples
The following example shows command output and message output when logging is enabled. The ping process finishes before any of the logging information is printed to the console (or any other destination).
Router(config)# logging on
Router(config)# end
Router#
%SYS-5-CONFIG_I: Configured from console by console
Router# ping dirt
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/5/8 ms
Router#
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
In the following example, logging is disabled. The message output is displayed as messages are generated, causing the debug messages to be interspersed with the message "Type escape sequence to abort."
Router(config)# no logging on
Router(config)# end
%SYS-5-CONFIG_I: Configured from console by console
Router#
Router# ping dirt
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingTyp
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1e
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sending esc
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingape
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingse
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1
IP: s=172.21.96.41 (local), d=172.16.1.129 (Ethernet1/0), len 100, sendingquen
IP: s=171.69.1.129 (Ethernet1/0), d=172.21.96.41, len 114, rcvd 1ce to abort.
Sending 5, 100-byte ICMP Echos to 172.16.1.129, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 152/152/156 ms
Router#
Related Commands
logging origin-id
To add an origin identifier to system logging messages sent to remote hosts, use the logging origin-id command in global configuration mode. To disable the origin identifier, use the no form of this command.
logging origin-id {hostname | ip | string user-defined-id}
no logging origin-id {hostname | ip | string user-defined-id}
Syntax Description
Defaults
Disabled.
Command Modes
Global configuration
Command History
Usage Guidelines
The origin identifier is added to the beginning of all system logging (syslog) messages sent to remote hosts. The identifier can be the hostname, the IP address, or any text that you specify. The origin identifier is not added to messages sent to local destinations (the console, monitor, or buffer).
The origin identifier is useful for identifying the source of system logging messages in cases where you send syslog output from multiple devices to a single syslog host.
When specifying your own identification string using the logging origin-id string user-defined-id command, the system expects a string without spaces. For example:
Router(config)# logging origin-id string Cisco_Systems
To use spaces (multiple words) or additional syntax, enclose the string with quotes. For example:
Router(config)# logging origin-id string "Cisco Systems, Inc."
Examples
In the following example, the origin identifier "Domain 1, router B" will be added to the beginning of all system logging messages sent to remote hosts:
Router(config)# logging origin-id string "Domain 1, router B"
In the following example, all logging messages sent to remote hosts will have the IP address configured for the Serial 1 interface added to the beginning of the message:
Router(config)# logging host 209.165.200.225
Router(config)# logging trap 5
Router(config)# logging source-interface serial 1
Router(config)# logging origin-id ip
Related Commands
logging rate-limit
To limit the rate of messages logged per second, use the logging rate-limit command in global configuration mode. To disable the limit, use the no form of this command.
logging rate-limit {number | all number | console {number | all number}} [except severity]
no logging rate-limit
Syntax Description
Command Default
The default for this command is 10 messages logged per second and exclusion of messages of the errors level or lower.
Command Modes
Global configuration
Command History
Usage Guidelines
The logging rate-limit command controls the output of messages from the system. Use this command if you want to avoid a flood of output messages. You can select the severity of the output messages and output rate by using the logging rate-limit command. You can use the logging rate-limit command anytime; it will not negatively impact the performance of your system and may improve the system performance by specifying the severities and rates of output messages.
You can use this command with or without the logging synchronous line configuration command. For example, if you want to see all severity 0, 1, and 2 messages, use the no logging synchronous command and specify logging rate-limit 10 except 2. By using the two commands together, you cause all messages of severity 0, 1, and 2 to print and limit the less severe ones (severity numbers higher than 2) to only 10 per second.
Table 45 compares the error message logging numeric severity level with its equivalent word description.
Examples
In the following example, the logging rate-limit configuration mode command limits message output to 200 per second:
Router(config)# logging rate-limit 200
Related Commands
logging size (config-archive-log)
To specify the maximum number of entries retained in the configuration log, use the logging size command in configuration change logger configuration mode. To reset the default value, use the no form of this command.
logging size entries
no logging size
Syntax Description
entries
The maximum number of entries retained in the configuration log. Valid values range from 1 to 1000. The default value is 100 entries.
Defaults
100 entries
Command Modes
Configuration change logger configuration
Command History
Release Modification
12.3(4)T
This command was introduced.
12.2(25)S
This command was integrated into Cisco IOS Release 12.2(25)S.
Usage Guidelines
When the configuration log is full, the oldest log entry will be removed every time a new entry is added.
Note If a new log size is specified that is smaller than the current log size, the oldest entries will be immediately purged until the new log size is satisfied, regardless of the age of the log entries.
Examples
The following example shows how to specify that the configuration log may have a maximum of 200 entries:
Router(config-archive-log-config)# logging size 200
The following example shows how to clear the configuration log by reducing the log size to 1, then resetting the log size to the desired value. Only the most recent configuration log file will be saved.
Router(config)# archive
Router(config-archive)# log config
Router(config-archive-log-config)# logging size 1
Router(config-archive-log-config)# logging size 200
Related Commands
logging source-interface
To specify the source IP address of syslog packets, use the logging source-interface command in global configuration mode. To remove the source designation, use the no form of this command.
logging source-interface interface-type interface-number
no logging source-interface
Syntax Description
Defaults
No interface is specified.
Command Modes
Global configuration
Command History
Usage Guidelines
Normally, a syslog message contains the IP address of the interface it uses to leave the router. The logging source-interface command specifies that syslog packets contain the IP address of a particular interface, regardless of which interface the packet uses to exit the router.
Examples
In the following example, the user specifies that the IP address for Ethernet interface 0 is the source IP address for all syslog messages:
Router(config)# logging source-interface ethernet 0
The following example specifies that the IP address for Ethernet interface 2/1 on a Cisco 7000 series router is the source IP address for all syslog messages:
Router(config)# logging source-interface ethernet 2/1
Related Commands
logging synchronous
To synchronize unsolicited messages and debug output with solicited Cisco IOS software output and prompts for a specific console port line, auxiliary port line, or vty, use the logging synchronous command in line configuration mode. To disable synchronization of unsolicited messages and debug output, use the no form of this command.
logging synchronous [level severity-level | all] [limit number-of-lines]
no logging synchronous [level severity-level | all] [limit number-of-lines]
Syntax Description
Defaults
This command is disabled.
If you do not specify a severity level, the default value of 2 is assumed.
If you do not specify the maximum number of buffers to be queued, the default value of 20 is assumed.
Command Modes
Line configuration
Command History
Usage Guidelines
When synchronous logging of unsolicited messages and debug output is turned on, unsolicited Cisco IOS software output is displayed on the console or printed after solicited Cisco IOS software output is displayed or printed. This keeps unsolicited messages and debug output from being interspersed with solicited software output and prompts.
Tip This command is useful for keeping system messages from interrupting your typing. By default, messages will appear immediately when they are processed by the system, and the CLI cursor will appear at the end of the displayed message. For example, the line "Configured by console from console" may be printed to the screen, interrupting whatever command you are currently typing. The logging synchronous command allows you to avoid these potentially annoying interruptions without having to turn off logging to the console entirely.
When this command is enabled, unsolicited messages and debug output are displayed on a separate line from user input. After the unsolicited messages are displayed, the CLI returns to the user prompt.
Note This command is also useful for allowing you to continue typing when debugging is enabled.
When specifying a severity level number, consider that for the logging system, low numbers indicate greater severity and high numbers indicate lesser severity.
When a message queue limit of a terminal line is reached, new messages are dropped from the line, although these messages might be displayed on other lines. If messages are dropped, the notice "%SYS-3-MSGLOST number-of-messages due to overflow" follows any messages that are displayed. This notice is displayed only on the terminal that lost the messages. It is not sent to any other lines, any logging servers, or the logging buffer.
Caution By configuring abnormally large message queue limits and setting the terminal to "terminal monitor" on a terminal that is accessible to intruders, you expose yourself to "denial of service" attacks. An intruder could carry out the attack by putting the terminal in synchronous output mode, making a Telnet connection to a remote host, and leaving the connection idle. This could cause large numbers of messages to be generated and queued, and these messages could consume all available RAM. You should guard against this type of attack through proper configuration.
Examples
In the following example, a system message appears in the middle of typing the show running-config command:
Router(config-line)# end
Router# show ru
2w1d: %SYS-5-CONFIG_I: Configured from console by consolenning-config
.
.
.
The user then enables synchronous logging for the current line (indicated by the * symbol in the show line command), after which the system displays the system message on a separate line, and returns the user to the prompt to allow the user to finish typing the command on a single line:
Router# show line
Tty Typ Tx/Rx A Modem Roty AccO AccI Uses Noise Overruns Int
* 0 CTY - - - - - 0 3 0/0 -
.
.
.
Router# configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
Router(config)# line 0
Router(config-line)# logging syn<tab>
Router(config-line)# logging synchronous
Router(config-line)# end
Router# show ru
2w1d: %SYS-5-CONFIG_I: Configured from console by console
Router# show running-config
In the following example, synchronous logging for line 4 is enabled with a severity level of 6. Then synchronous logging for line 2 is enabled with a severity level of 7 and is specified with a maximum number of buffer lines of 1,000.
Router(config)# line 4
Router(config-line)# logging synchronous level 6
Router(config-line)# exit
Router(config)# line 2
Router(config-line)# logging synchronous level 7 limit 1000
Router(config-line)# end
Router#
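One way to check a saved configuration for the oversized queue limits that the Caution above warns about, as an added example (not Cisco code): the Python sketch below walks the line blocks of a configuration and reports any logging synchronous limit above a site-chosen threshold. The threshold of 100, the function names and the sample configuration are assumptions constructed for illustration.

```python
import re

# Constructed sample configuration for illustration (not from a real device).
SAMPLE_CONFIG = """\
line con 0
 logging synchronous
line aux 0
line 2
 logging synchronous level 7 limit 1000
line vty 0 4
 logging synchronous level 6
 transport input ssh
"""

DEFAULT_LIMIT = 20   # default queue limit given in the Defaults section above
MAX_LIMIT = 100      # assumed site policy threshold, not a Cisco value

LINE_RE = re.compile(r"^line\s+(.+?)\s*$")
LIMIT_RE = re.compile(r"\blimit\s+(\d+)\b")


def sync_limits(config_text):
    """Map each line block with logging synchronous to its effective queue limit."""
    limits = {}
    current = None
    for raw in config_text.splitlines():
        header = LINE_RE.match(raw)
        if header:
            current = header.group(1)
        elif raw and not raw[0].isspace():
            current = None  # any other top-level command ends the line block
        elif current and raw.strip().startswith("logging synchronous"):
            m = LIMIT_RE.search(raw)
            limits[current] = int(m.group(1)) if m else DEFAULT_LIMIT
    return limits


def oversized(config_text, max_limit=MAX_LIMIT):
    """Return (line, limit) pairs whose queue limit exceeds max_limit."""
    return [(name, n) for name, n in sync_limits(config_text).items() if n > max_limit]


if __name__ == "__main__":
    for name, n in oversized(SAMPLE_CONFIG):
        print("line %s: logging synchronous limit %d exceeds %d" % (name, n, MAX_LIMIT))
```

Lines that enable logging synchronous without a limit keyword are recorded with the documented default of 20, so the same report also shows which lines have synchronization enabled at all.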
Related Commands
logging trap
To limit messages logged to the syslog servers based on severity, use the logging trap command in global configuration mode. To return the logging to remote hosts to the default level, use the no form of this command.
logging trap level
no logging trap
Syntax Description
Defaults
Syslog messages at level 0 to level 6 are generated, but will only be sent to a remote host if the logging host command is configured.
Command Modes
Global configuration
Command History
Usage Guidelines
A trap is an unsolicited message sent to a remote network management host. Logging traps should not be confused with SNMP traps (SNMP logging traps require the use of the CISCO-SYSLOG-MIB, are enabled using the snmp-server enable traps syslog command, and are sent using the Simple Network Management Protocol).
The show logging EXEC command displays the addresses and levels associated with the current logging setup. The status of logging to remote hosts appears in the command output as "trap logging".
Table 46 lists the syslog definitions that correspond to the debugging message levels. Additionally, four categories of messages are generated by the software, as follows:
•Error messages about software or hardware malfunctions at the LOG_ERR level.
•Output for the debug commands at the LOG_WARNING level.
•Interface up/down transitions and system restarts at the LOG_NOTICE level.
•Reload requests and low process stacks at the LOG_INFO level.
Use the logging host and logging trap commands to send messages to a remote syslog server.
Examples
In the following example, system messages of levels 0 (emergencies) through 5 (notifications) are sent to the host at 209.165.200.225:
Router(config)# logging host 209.165.200.225
Router(config)# logging trap notifications
Router(config)# end
Router# show logging
Syslog logging: enabled (0 messages dropped, 1 messages rate-limited,
0 flushes, 0 overruns, xml disabled, filtering disabled)
Console logging: level emergencies, 0 messages logged, xml disabled,
filtering disabled
Monitor logging: level debugging, 0 messages logged, xml disabled,
filtering disabled
Buffer logging: level debugging, 67 messages logged, xml disabled,
filtering disabled
Logging Exception size (4096 bytes)
Count and timestamp logging messages: enabled
Trap logging: level notifications, 71 message lines logged
Log Buffer (4096 bytes):
00:00:20: %SYS-5-CONFIG_I: Configured from memory by console
.
.
.
Related Commands
Command Description
logging host
Enables remote logging of system logging messages and specifies the syslog server host that messages should be sent to.
logging userinfo
To enable the logging of user information, use the logging userinfo command in global configuration mode. To cancel the logging of user information, use the no form of this command.
logging userinfo
no logging userinfo
Syntax Description
This command has no arguments or keywords.
Command Default
User information logging is disabled by default.
Command Modes
Global configuration mode
Command History
Usage Guidelines
The logging userinfo global configuration command allows the logging of user information when the user invokes the enable privilege mode or when the user changes the privilege level. Information logged includes "username", "line" (for example, Console or vty0) and "privileged level" (0 - 15).
Note When a username is not available, "unknown" is displayed as the username.
Examples
The following example enables user information logging.
Router# configure terminal
Router(config)# logging userinfo
Router(config)# exit
The following are 2 examples of user information logging.
Router> enable
Password:
Router#
*Feb 26 17:11:15.398: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by cisco)
Router# disable 6
Router#
*Feb 26 17:12:28.922: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 6 by cisco)
Router# enable 15
Password:
Router#
*Feb 26 17:15:48.022: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by cisco)
Router#
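On the collector side, these messages can be turned into reviewable events. The Python sketch below is an added example (not Cisco code): it extracts the timestamp, privilege level and username from %SYS-5-PRIV_AUTH_PASS lines in the format shown above and flags changes to level 15 as well as changes attributed to "unknown". The sample lines, the function names and the choice of what to flag are assumptions constructed for illustration.

```python
import re

# Constructed sample lines in the format shown above (not from a real device).
SAMPLE_LOG = """\
*Feb 26 17:11:15.398: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by cisco)
*Feb 26 17:12:28.922: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 6 by cisco)
*Feb 26 17:13:02.110: %SYS-5-CONFIG_I: Configured from console by console
*Feb 26 17:15:48.022: %SYS-5-PRIV_AUTH_PASS: Privilege level set to 15 by unknown)
"""

# search() is used so that any prefix a collector adds before the timestamp is tolerated.
PRIV_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d+\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?):\s+"
    r"%SYS-5-PRIV_AUTH_PASS:\s+Privilege level set to (?P<level>\d+)"
    r"\s+by\s+(?P<user>[^\s)]+)"
)


def parse_priv_changes(log_text):
    """Return one dict per privilege-change message; other messages are skipped."""
    events = []
    for line in log_text.splitlines():
        m = PRIV_RE.search(line)
        if m:
            events.append({"ts": m["ts"], "level": int(m["level"]), "user": m["user"]})
    return events


def flag_events(events, watch_level=15):
    """Return (ts, user, reasons) for events at watch_level or without a username."""
    flagged = []
    for e in events:
        reasons = []
        if e["level"] >= watch_level:
            reasons.append("level %d" % e["level"])
        if e["user"] == "unknown":  # shown when no username is available (see Note)
            reasons.append("no username")
        if reasons:
            flagged.append((e["ts"], e["user"], reasons))
    return flagged


if __name__ == "__main__":
    for ts, user, reasons in flag_events(parse_priv_changes(SAMPLE_LOG)):
        print("%s user=%s: %s" % (ts, user, ", ".join(reasons)))
```

These messages are severity 5 (notifications), so a logging trap level more restrictive than notifications keeps them off the remote syslog server.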
Related Commands
logout
To close an active terminal session by logging off the router, use the logout command in user EXEC mode.
logout
Syntax Description
This command has no arguments or keywords.
Defaults
No default behavior or values.
Command Modes
User EXEC
Command History
Examples
In the following example, the exit (global) command is used to move from global configuration mode to privileged EXEC mode, the disable command is used to move from privileged EXEC mode to user EXEC mode, and the logout command is used to log off (exit from the active session):
Router(config)# exit
Router# disable
Router> logout
logout-warning
To warn users of an impending forced timeout, use the logout-warning command in line configuration mode. To restore the default, use the no form of this command.
logout-warning [seconds]
no logout-warning
Syntax Description
seconds
(Optional) Number of seconds that are counted down before session termination. If no number is specified, the default of 20 seconds is used.
Defaults
No warning is sent to the user.
Command Modes
Line configuration
Command History
Usage Guidelines
This command notifies the user of an impending forced timeout (set using the absolute-timeout command).
Examples
In the following example, a logout warning is configured on line 5 with a countdown value of 30 seconds:
Router(config)# line 5
Router(config-line)# logout-warning 30
Related Commands
lsr-path
To define a loose source routing (LSR) path for a Cisco IOS IP Service Level Agreements (SLAs) operation, use the lsr-path command in the appropriate submode of IP SLA monitor configuration or RTR configuration mode. To remove the definition, use the no form of this command.
lsr-path {hostname1 | ip-address1} [[hostname2 | ip-address2]...[hostname8 | ip-address8]]
no lsr-path
Syntax Description
Defaults
LSR path is disabled.
Command Modes
IP SLA Monitor Configuration
ICMP path echo configuration (config-sla-monitor-pathEcho)
ICMP path jitter configuration (config-sla-monitor-pathJitter)
RTR Configuration
ICMP path echo configuration (config-rtr-pathEcho)
ICMP path jitter configuration (config-rtr-pathJitter)
Note The configuration mode varies depending on the Cisco IOS release you are running and the operation type configured. See the "Usage Guidelines" section for more information.
Command History
Usage Guidelines
The maximum number of hops available is eight when an LSR path is configured.
Note This command is supported by the IP SLAs Internet Control Message Protocol (ICMP) path echo and path jitter operations only.
IP SLAs Operation Configuration Dependence on Cisco IOS Release
The Cisco IOS command used to begin configuration for an IP SLAs operation varies depending on the Cisco IOS release you are running (see Table 47). You must configure the type of IP SLAs operation (such as User Datagram Protocol [UDP] jitter or Internet Control Message Protocol [ICMP] echo) before you can configure any of the other parameters of the operation.
The configuration mode for the lsr-path command varies depending on the Cisco IOS release you are running (see Table 47) and the operation type configured. For example, if you are running Cisco IOS Release 12.4 and the ICMP path echo operation type is configured, you would enter the lsr-path command in ICMP path echo configuration mode (config-sla-monitor-pathEcho) within IP SLA monitor configuration mode.
Examples
In the following examples, the LSR path is defined for IP SLAs ICMP path echo operation 1. The target destination for the operation is at 172.16.1.176. The first hop on the LSR path is 172.18.4.149. The second hop on the LSR path is 172.18.16.155. Note that the Cisco IOS command used to begin configuration for an IP SLAs operation varies depending on the Cisco IOS release you are running (see Table 47).
IP SLA Monitor Configuration
ip sla monitor 1
type pathEcho protocol ipIcmpEcho 172.16.1.176
lsr-path 172.18.4.149 172.18.26.155
!
ip sla monitor schedule 1 life forever start-time now
RTR Configuration
rtr 1
type pathEcho protocol ipIcmpEcho 172.16.1.176
lsr-path 172.18.4.149 172.18.26.155
!
rtr schedule 1 life forever start-time now
Related Commands
Posted: Thu Apr 20 12:33:56 PDT 2006
All contents are Copyright © 1992--2006 Cisco Systems, Inc. All rights reserved.