Table Of Contents
Advanced Quick Reference Configurations
Routing Protocol Configuration
Line Signaling (ISDN) Configuration
Line Signaling (CAS) Configuration
AAA Authentication Configuration
AAA Authorization Configuration
AAA RADIUS Server Configuration
IP Address Pools Configuration
Virtual Template Configuration
Multilink Virtual Template Requisites
Multilink Virtual Template Configuration
Global Parameter Configuration
Finalizing Operational Configurations
Final Operational Configurations
Other Operational Configuration Considerations
Advanced Quick Reference
This appendix provides quick reference configurations for the advanced Cisco AS5800 user and system administrator who need to rapidly modify system functionality or enhance system performance. Interface and/or protocol configurations addressed in this section are listed categorically and sequenced logically by operation.
Remember, Cisco routers are configured using a command line interface (CLI) from a user interface, known as a port, that provides hardware connectivity. Routers are accessed from the routers console port or by Telnetting into the routers interface from another host. A command interpreter, called EXEC, is employed by the operating system to translate and execute Cisco IOS commands. This command interpreter provide the user with privileged mode of access that promotes security to the respective command levels, restricting users to a subset of mode-specific commands.
•
User EXEC mode
(5800>)provides restricted access and limits router configuration or troubleshooting. At this level, miscellaneous functionality is performed, such as viewing system information, obtaining basic router status, changing terminal settings, or establishing remote device connectivity.•
(5800#)includes user mode functionality and provides unrestricted access. It is used exclusively for router configuration, debugging, setting operating system (OS) parameters, and retrieving detailed router status information.–
[5800(config)#]is a preliminary configuration mode that recognizes commands affecting the whole router. Some of these commands cause the router to enter other configuration modes that recognize even more detailed commands.•
[5800(config-if)#].Each configuration command mode restricts the user to a subset of mode-specific commands that individualize and secure a router.•
(> or rommon>)is a CLI allowing router configuration if the router does not find a valid system image or if the bootup sequence is interrupted during startup.The end (Ctrl-Z) command provides an escape from any configuration command mode: Terminal
[5800(config)#],Interface[5800(config-if)#],Line[5800(config-line)#],Controller[5800(config-controll)#],Router[5800(config-router)#], etc.,to privileged EXEC mode(5800#).The exit command provides an escape from any configuration command mode to one command prompt level higher, or completely out of the command line interface if you are in privileged EXEC or user EXEC mode. The disable command provides an escape from privileged EXEC mode to user EXEC mode. The logout command provides a complete escape out of the command line interface if you are in privileged EXEC or user EXEC mode.Advanced Quick Reference Configurations
This section provides abridged interface and/or protocol configurations listed categorically and sequenced logically by operation. Each functional component is dependent on previous component configurations and includes the following reference information:
•
•
•
–
–
–
•
–
–
–
–
Functional Components
Cisco AS5800 operational configurations are provided for the following functional components.
7.
8.
9.
10.
11.
12.
13.
14.
15.
16.
17.
18.
19.
20.
22.
Egress Interface
Egress interfaces are network connections, or ports, used for outbound traffic flow.
Egress Requisites
The following requisites are significant considerations to identify before configuring an egress interface:
•
•
•
Egress Configuration
The following Cisco IOS CLI script serves as a sample egress interface configuration or setup.
Sample Configuration
5800(config)# interface FastEthernet0/0/05800(config-if)# ip address 1.1.1.1 255.255.255.05800(config-if)# no ip directed broadcast5800(config-if)# no ip mroute-cache5800(config-if)# no cdp enable5800(config-if)# exit5800(config)#Command Line Description
5800(config)# interface FastEthernet0/0/0Defines the interface type.
5800(config-if)# ip address 1.1.1.1 255.255.255.0Assigns a primary IP address and subnet mask to the interface.
5800(config-if)# no ip directed broadcastDisables the translation of directed broadcast to physical broadcasts. It drops the directed broadcasts destined for this subnet.
5800(config-if)# no ip mroute-cacheTurns off IP multicast fast switching.
5800(config-if)# no cdp enableDisables CDP (Cisco Discovery Protocol).
5800(config-if)# exitExits interface configuration mode to global configuration mode.
5800(config)#Global configuration mode prompt.
To Modify, Copy, & Paste
interface FastEthernet0/0/0ip address 1.1.1.1 255.255.255.0no ip directed broadcastno ip mroute-cacheno cdp enableexitLoopback Interface
Loopback interface is a logical interface on the router that can be used for diagnostics and troubleshooting purposes. It is also used to conserve address space so other physical interfaces can be unnumbered to this interface. The state of the Loopback interface is always UP/UP.
Loopback Requisites
The following requisite is significant consideration to identify before configuring a loopback interface:
•
Loopback Configuration
The following Cisco IOS CLI script serves as a sample loopback configuration or setup.
Sample Configuration
5800(config)# interface loopback05800(config-if)# ip address 2.2.2.2 255.255.255.2555800(config-if)# no ip directed broadcast5800(config-if)# exit5800(config)#Command Line Description
5800(config)# interface loopback0Defines the interface type.
5800(config-if)# ip address 2.2.2.2 255.255.255.255Assigns an IP address to the interface.
5800(config-if)# no ip directed broadcastDisables the translation of directed broadcast to physical broadcasts.
5800(config-if)# exitExits this interface configuration mode to global configuration mode.
5800(config)#Global configuration mode prompt.
To Modify, Copy, & Paste
interface loopback0ip address 2.2.2.2 255.255.255.255no ip directed broadcastexitRouting Protocol
Routing protocol that accomplishes routing through the implementation of a specific routing algorithm. Examples of routing protocols include: RIP, IGRP, EIGRP, OSPF, and BGP.
Routing Protocol Requisites
The following requisites are significant considerations to identify before configuring routing protocols:
•
•
•
•
Routing Protocol Configuration
The following Cisco IOS CLI script serves as a sample routing protocol configuration or setup.
Sample Configuration
5800(config)# router rip5800(config-router)# version 25800(config-router)# redistribute static5800(config-router)# passive-interface Group-Async05800(config-router)# passive-interface Virtual-Template15800(config-router)# passive-interface Dialer05800(config-router)# passive-interface Loopback05800(config-router)# network 10.0.0.05800(config-router)# network 172.16.0.05800(config-router)# no auto-summary5800(config-router)# exit5800(config)# ip route 0.0.0.0 0.0.0.0 172.16.1.1Command Line Description
5800(config)# router ripDefines the routing protocol used on the router and initiates the routing protocol processes.
5800(config-router)# version 2Defines the protocol version used. Enables sending and receiving of Version 2 RIP packets.
5800(config-router)# redistribute staticEnables the redistribution of static routes in routing updates. Advertises static routes (including per-user static routes downloaded from RADIUS or TACACS+).
5800(config-router)# passive-interface Group-Async0Defines the Group-Async interface as a passive interface so no routing updates are sent out of these interfaces. Disables sending of updates across the interface and places the interface in listen mode.
5800(config-router)# passive-interface Virtual-Template1Defines the Virtual-Template as a passive interface so no routing updates are send out the Virtual-Access interfaces that are cloned off the Virtual-Template.
5800(config-router)# passive-interface Dialer0Defines the Dialer interface as a passive interface.
5800(config-router)# passive-interface Loopback0Defines the Loopback interface as a passive interface.
5800(config-router)# network 10.0.0.0Enables advertisement of interfaces in this network. Defines 10.0.0.0 network as part of the RIP routing process. The router exchanges routing updates about the 10.0.0.0 network dynamically.
5800(config-router)# network 172.16.0.0Defines 172.16.0.0 network as part of the RIP routing process. Updates regarding this network are exchanged dynamically between this router and its neighbors.
5800(config-router)# no auto-summaryTurns off route summarization, so updates are not summarized to classful boundaries.
5800(config-router)# exitExits the router configuration mode to global configuration mode.
5800(config)# ip route 0.0.0.0 0.0.0.0 172.16.1.1Defines a default route for this router. If the router does not have an address in its routing table, the table forwards the packets to this IP address. Default route for destinations are not learned through the routing protocol.
To Modify, Copy, & Paste
router ripversion 2redistribute staticpassive-interface Group-Async0passive-interface Virtual-Template1passive-interface Dialer0passive-interface Loopback0network 10.0.0.0network 172.16.0.0no auto-summaryexitip route 0.0.0.0 0.0.0.0 172.16.1.1Ingress Interface
Interfaces used for inbound traffic flow.
Ingress Requisites
The following requisites are significant considerations to identify before configuring ingress interfaces:
•
•
•
•
•
•
T3 Ingress Configuration
The following Cisco IOS CLI script serves as a sample T3 ingress interface configuration or setup.
Sample Configuration
5800(config)# isdn switch-type primary-ni (ISDN)5800(config)# controller t3 1/0/05800(config-controller)# framing m235800(config-controller)# cablelength 2245800(config-controller)# t1 1 controller5800(config-controller)# t1 2 controller5800(config-controller)# . . .5800(config-controller)# exit5800(config)#Command Line Description
5800(config)# isdn switch-type primary-ni (ISDN)Defines the ISDN switch-type to be used on the router. This is a global command but can also be configured under the D-channel in later versions of Cisco IOS software.
5800(config)# controller t3 1/0/0Identifies controller type and number to be configured. The controller type is a T3 and the controller is in shelf 1, slot 0, port 0.
5800(config-controller)# framing m23Enables m23 framing. Sets the framing type under the T3 controller.
5800(config-controller)# cablelength 224Sets the cable length to 224 feet.
5800(config-controller)# t1 1 controllerEnables the first T1 in the T3. Configures individual T1 controllers under the T3 controller. Range is 1-28.
5800(config-controller)# t1 2 controllerEnables the second T1 in the T3. Configures individual T1 controllers under the T3 controller. Range is 1-28.
5800(config-controller)# . . .Configures additional individual T1 controllers under the T3 controller. Range is 1-28.
5800(config-controller)# exitExits this controller configuration mode to global configuration mode.
5800(config)#Global configuration mode prompt.
To Modify, Copy, & Paste
isdn switch-type primary-ni (ISDN)controller t3 1/0/0framing m23cablelength 224t1 1 controllert1 2 controllerexitT1 Ingress Configuration
The following Cisco IOS CLI script serves as a sample T1 ingress interface configuration or setup.
Sample Configuration
5800(config)# controller t1 1/0/0:15800(config-controller) # framing esf5800(config-controller) # linecode b8zs (t1-pri)5800(config-controller) # pri-group timeslots 1-245800(config-controller)# controller t1 1/0/0:25800(config-controller)# framing esf5800(config-controller)# pri-group timeslots 1-245800(config-controller)# exit5800(config)#Command Line Description
5800(config)# controller t1 1/0/0:1Configures the first T1 on the T3 card in slot 0. Enters the controller configuration mode and configures controller t1 1 under the T3 controller.
5800(config-controller) # framing esfEnables T1 Extended Superframe Framing. Sets framing to Extended Super Frame (ESF).
5800(config-controller) # linecode b8zs (t1-pri)Enable Binary 8 Zero Substitution line coding. Sets the line coding to Binary 8 Zero Substitution (B8ZS).
5800(config-controller) # pri-group timeslots 1-24Configures the controller for ISDN PRI on time slots 1 through 24. Time slot 24 is the D-channel.
5800(config-controller)# controller t1 1/0/0:2Configures the second T1 on the T3 card in slot 0. Configures controller t1 2 under the T3 controller.
5800(config-controller)# framing esfSets framing to Extended Super Frame (ESF).
5800(config-controller)# pri-group timeslots 1-24Configures the controller for ISDN PRI on time slots 1 through 24. Time slot 24 is the D-channel.
5800(config-controller)# exitExits controller configuration mode to global configuration mode.
5800(config)#Global configuration mode prompt.
To Modify, Copy, & Paste
controller t1 1/0/0:1framing esflinecode b8zspri-group timeslots 1-24controller t1 1/0/0:2framing esfpri-group timeslots 1-24ExitLine Signaling
When configuring a router for signaling, line signaling can be used for both inbound and outbound calls. The line signaling configuration must match the corresponding telco switch configuration.
Line Signaling Requisites
The following requisites are significant considerations to identify before configuring line signaling:
•
•
•
•
•
•
Line Signaling (ISDN) Configuration
The following Cisco IOS CLI script serves as a sample ISDN line signaling configuration or setup.
Sample Configuration
5800(config)# isdn switch-type primary-ni15800(config)# controller t1 1/0/05800(config-controller)# pri-group timeslots 1-245800(config-controller)# exit5800(config)#Command Line Description
5800(config)# isdn switch-type primary-ni1Configures the ISDN switch-type that the access server is connected to.
5800(config)# controller t1 1/0/0Configures the first T1 on slot 0.
5800(config-controller)# pri-group timeslots 1-24Enables this T1 to use ISDN PRI signaling on all 24 timeslots.
5800(config-controller)# exitExits controller configuration mode to global configuration mode.
5800(config)#Global configuration mode prompt.
To Modify, Copy, & Paste
isdn switch-type primary-ni1controller t1 1/0/0pri-group timeslots 1-24exitLine Signaling (CAS) Configuration
The following Cisco IOS CLI script serves as a sample CAS line signaling configuration or setup.
Sample Configuration
5800(config)# controller t1 1/0/115800(config-controll)# framing esf5800(config-controll)# linecode b8zs5800(config-controll)# ds0-group 0 timeslots 1-24 type e&m-fgb5800(config-controller)# exit5800(config)#Command Line Description
5800(config)# controller t1 1/0/11Enters the controller configuration mode.
5800(config-controll)# framing esfSets framing to Extended Super Frame (ESF).
5800(config-controll)# linecode b8zs (t1-cas)Sets the line coding to Binary 8 Zero Substitution (B8ZS).
5800(config-controll)# ds0-group 0 timeslots 1-24 type e&m-fgbConfigures this T1 CAS line to use E&M feature-group B signaling on all 24 timeslots.
5800(config-controller)# exitExits controller configuration mode to global configuration mode.
To Modify, Copy, & Paste
controller t1 1/0/0:1framing esflinecode b8zsds0-group 0 timeslots 1-24 typeexitD-Channels (ISDN)
This is the 24th timeslot on T1/PRI or the 16th timeslot on E1/PRI and is used for signaling information. Call setup and tear down information is sent over the D-channel.
D-Channel Requisites
The following requisites are significant considerations to identify before configuring ISDN D-Channels:
•
•
•
•
•
•
D-Channel Configuration
The following Cisco IOS CLI script serves as a sample ISDN D-Channel configuration or setup.
Sample Configuration
5800(config)# interface s 1/0/0:1:235800(config-if)# no ip address5800(config-if)# no ip directed-broadcast5800(config-if)# encapsulation ppp5800(config-if)# dialer rotary-group 05800(config-if)# isdn switch-type primary-5ess5800(config-if)# isdn incoming-voice modem5800(config-if)# no cdp enable5800(config-if)# exit5800(config)#Command Line Description
5800(config)# interface s 1/0/0:1:23Defines the D-channel to configure. Configure the D-channel on controller T1 1 under the T3 controller in shelf 1, slot 0, and port 0.
5800(config-if)# no ip addressNot assigning an IP address on the D-channel.
5800(config-if)# no ip directed-broadcastDisables the translation of directed broadcast to physical broadcasts
5800(config-if)# encapsulation pppSets the encapsulation type to PPP.
5800(config-if)# dialer rotary-group 0Configures the D-channel for rotary-group. Make this interface a member of the Dialer 0 rotary interface. This is legacy DDR configuration and it assigns the physical interface serial 1/0/0:1:23 to rotary-group 0.
5800(config-if)# isdn switch-type primary-5essSets the ISDN switch-type to primary-5ess.
5800(config-if)# isdn incoming-voice modemIncoming voice calls should be handed off to the CSM and terminated on a modem. Accept speech (voice) bearer-type calls and route them to a voice or modem resource.
5800(config-if)# no cdp enableDisables Cisco Discovery Protocol (CDP). If an incoming speech call cannot be terminated because all voice/modem resources are in use, disconnect the call with a cause code of user-busy.
5800(config-if)# exitExits interface configuration mode to global configuration mode.
To Modify, Copy, & Paste
interface s 1/0/0:1:23no ip addressno ip directed-broadcastencapsulation pppdialer rotary-group 0isdn switch-type primary-5essisdn incoming-voice modemno cdp enableAAA
Triple A security in billing that stands for Authentication, Authorization and Accounting.
AAA Plan and Requisites
The following requisites are significant considerations to identify before configuring AAA:
•
•
•
•
For detailed AAA configuration information, refer to Authentication, Authorization, and Accounting (AAA), available online at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_c/scprt1/AAA Server Options
The following AAA server options are significant network design considerations:
•
•
For detailed RADIUS Server configuration information, refer to RADIUS Commands, available online at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios113ed/113ed_cr/secur_r/srprt2/AAA Authentication Configuration
The following Cisco IOS CLI script serves as a sample AAA authentication configuration or setup.
Sample Configuration
5800(config)# aaa new-model5800(config)# aaa authentication login CONSOLE none5800(config)# aaa authentication login LOCAL none5800(config)# aaa authentication login USE-RADIUS group radius local5800(config)# aaa authentication login USE-TACACS tacacs+ enable5800(config)# aaa authentication enable default enable tacacs+5800(config)# aaa authentication ppp USE-RADIUS if-needed radius5800(config)# username cisco password ciscoCommand Line Description
5800(config)# aaa new-modelTurns on the AAA process on a Cisco router. Enables the AAA security paradigm.
5800(config)# aaa authentication login CONSOLE noneConfigure an authentication method list called CONSOLE that requires no authentication. Defines the login authentication method for EXEC users. The method list is called CONSOLE and it points to none so there is no authentication for method list CONSOLE.
5800(config)# aaa authentication login LOCAL noneConfigures an authentication method list called LOCAL that consults the local database of user names and passwords.
5800(config)# aaa authentication login USE-RADIUS group radius localDefines the login authentication for method list USE-RADIUS that points to RADIUS server. User will be authenticated against the RADIUS database. Configure an authentication method list called USE-RADIUS that uses the global RADIUS server list. If the RADIUS servers do not respond, then fallback to the local user database.
5800(config)# aaa authentication login USE-TACACS tacacs+ enableDefines the login authentication for method list USE-TACACS that point to TACACS+ server. Users will be authenticated against the TACACS+ database. Configure an authentication method list called USE-TACACS that uses the global TACACS+ server list. If the TACACS+ servers do not respond, fallback to using the enable password.
5800(config)# aaa authentication enable default enable tacacs+Defines the authentication method for enable privilege on the router. The method list is called "default" and it points to the enable password defined on the router and then to the TACACS+ server.
5800(config)# aaa authentication ppp USE-RADIUS if-needed radiusDefines the authentication method for PPP users. Method list is called "USE-RADIUS" and it points to the radius server if authentication is required. The "if-needed" option states that if users have already been authenticated then do not re-authenticate them. Configure an authentication method list called USE-RADIUS that uses the global RADIUS server list.
5800(config)# username cisco password ciscoDefines the username and password locally on the router for local authentication. Configure a local user account to authenticate when the RADIUS server is not available.
To Modify, Copy, & Paste
aaa new-modelaaa authentication login CONSOLE noneaaa authentication login USE-RADIUS radiusaaa authentication login TAC_PLUS tacacs+ enableaaa authentication login LOCAL localaaa authentication enable default enable tacacs+aaa authentication ppp USE-RADIUS if-needed radiususername cisco password ciscoAAA Authorization Configuration
The following Cisco IOS CLI script serves as a sample AAA authorization configuration or setup.
Sample Configuration
5800(config)# aaa authorization exec USE-RADIUS group radius if-authenticated5800(config)# aaa authorization exec USE-TACACS group tacacs+ if-authenticated5800(config)# aaa authorization network default radius if-authenticated5800(config)# aaa authorization network USE-RADIUS group radius if-authenticatedCommand Line Description
5800(config)# aaa authorization exec USE-RADIUS group radius if-authenticatedConfigures an authorization method list called USE-RADIUS that uses the global RADIUS server list. EXEC authorization is required to process per-user attribute such as autocommands. Defines the authorization method for EXEC (shell). Method list is called "USE-RADIUS" and it points to the radius server. If the radius server does not respond, the user, if authenticated, is automatically authorized due to the "if-authenticated" option.
5800(config)# aaa authorization exec USE-TACACS group tacacs+ if-authenticatedConfigure an authorization method list called USE-TACACS that uses the global TACACS+ server list. EXEC authorization is required to process per-user attribute such as autocommands. Defines the authorization method for EXEC (shell). Method list is called "USE-TACACS" and it points to the TACACS+ server. If the TACACS+ server does not respond, the user, if authenticated, is automatically authorized due to the "if-authenticated" option.
5800(config)# aaa authorization network default radius if-authenticatedDefines the authorization method for network services (PPP, SLIP, ARAP). Method list is called "default" and it points to the radius server. If the radius server does not respond the user, if already authenticated, will be automatically authorized due to the "if-authenticated" option.
5800(config)# aaa authorization network USE-RADIUS group radius if-authenticatedDefines the authorization method for network services (PPP, SLIP, ARAP). Method list is called "USE-RADIUS" and it points to the radius server. If the radius server does not respond the user, if already authenticated, will be automatically authorized due to the "if-authenticated" option.
To Modify, Copy, & Paste
aaa authorization exec USE-RADIUS group radius if-authenticatedaaa authorization exec USE-TACACS group tacacs+ if-authenticatedaaa authorization network default radius if-authenticatedaaa authorization network USE-RADIUS group radius if-authenticatedAAA Accounting Configuration
The following Cisco IOS CLI script serves as a sample AAA accounting configuration or setup.
Sample Configuration
5800(config)# aaa accounting suppress null-username5800(config)# aaa accounting exec default start-stop group radius5800(config)# aaa accounting network default start-stop group radius5800(config)# aaa accounting system default start-stop group radiusCommand Line Description
5800(config)# aaa accounting suppress null-usernameDo not generate accounting records for users with a null-username.
5800(config)# aaa accounting exec default start-stop group radiusGenerates accounting records for EXEC (shell) service. Start and Stop records should be generated without wait. Radius server is being used for this accounting. This enables accounting records for all EXEC sessions. The accounting record will be sent at the beginning and the end of the EXEC session. The record will be sent to the global RADIUS server list.
5800(config)# aaa accounting network default start-stop group radiusGenerates accounting records for network services (PPP, SLIP, ARAP). Start and Stop records should be generated without wait. Radius server is being used for this accounting. This enables accounting records for all network sessions (PPP/SLIP). The accounting record will be sent at the beginning and the end of the network session. The record will be sent to the global RADIUS server list.
5800(config)# aaa accounting system default start-stop group radiusGenerates accounting records for systems events. Start and Stop records should be generated using the Radius server. This enables accounting records for system events. The accounting record will be sent when the access server is booted and when accounting is turned on or off. The record will be sent to the global RADIUS server list.
To Modify, Copy, & Paste
aaa accounting suppress null-usernameaaa accounting exec default start-stop group radiusaaa accounting network default start-stop group radiusaaa accounting system default start-stop group radiusAAA RADIUS Server Configuration
The following Cisco IOS CLI script serves as a sample AAA Radius Server configuration or setup.
Sample Configuration
5800(config)# radius-server host x.x.x.x auth-port x acct-port x non-standard5800(config)# radius-server host a.b.c.d auth-port x acct-port y key mysharedsecret5800(config)# radius-server deadtime 55800(config)# radius-server timeout 35800(config)# radius-server retransmit 25800(config)# radius-server attribute nas-port format cCommand Line Description
5800(config)# radius-server host x.x.x.x auth-port x acct-port x non-standardDefines the radius server IP address and the authentication (UDP 1645) and accounting (UDP 1646) ports. The non-standard option enable the parsing of attributes that violate the RADIUS standard.
5800(config)# radius-server host a.b.c.d auth-port x acct-port y key mysharedsecretDefines a RADIUS server at IP address a.b.c.d, with authentication being done on UDP port x and accounting being done on UDP port y. The key "mysharedsecret" is used to encrypt the wire password.
5800(config)# radius-server deadtime 5Defines the time to stop using a server that does not respond. The time is defined in minutes.
5800(config)# radius-server timeout 3Defines the time to wait for a RADIUS server to reply. The time is defined in seconds.
5800(config)# radius-server retransmit 2Specifies the number of retries to active server.
5800(config)# radius-server attribute nas-port format cSets the format of the NAS-Port attribute to "c" which means:
Data format(bits): shelf(2), slot(4), port(5), channel(5).To Modify, Copy, & Paste
radius-server host x.x.x.x auth-port x acct-port x non-standardradius-server host a.b.c.d auth-port x acct-port y key mysharedsecretradius-server deadtime 5radius-server timeout 3radius-server retransmit 2radius-server attribute nas-port format cTACACS Server Configuration
The following Cisco IOS CLI script serves as a sample TACACS Server configuration or setup.
Sample Configuration
5800(config)# tacacs-server host x.x.x.x key mysharedsecretCommand Line Description
5800(config)# tacacs-server host x.x.x.x key mysharedsecretDefines a TACACS+ server at IP address a.b.c.d. The key "mysharedsecret" is used to encrypt the all transactions with the TACACS+ server on the wire.
To Modify, Copy, & Paste
tacacs-server host x.x.x.x key mysharedsecretModem Pools
The modem pool covers a specified range of modems that accept calls based on the number called by dial in users. If there is only one dialin number, then all modems can be defined under the default modem pool. It is also used for modem firmware upgrades.
Modem Pool Requisites
The following requisites are significant considerations to identify before configuring modem pools:
•
•
•
•
For information, refer to Modem Management Commands, available online at
http://www.cisco.com/univercd/cc/td/doc/product/software/ios120/12cgcr/dial_r/drprt1/drmodmgt.htmModem Pool Configuration
The following Cisco IOS CLI script serves as a sample modem pool configuration or setup.
Sample Configuration
5800(config)# modem-pool Default5800(config-modem-pool)# pool-range 1/2/00-1/11/1435800(config-modem-pool)# firmware 2.6.2.05800(config-modem-pool)# exit5800(config)# modem recovery action none5800(config)# modem call-record terseCommand Line Description
5800(config)# modem-pool DefaultDefines the default modem pool by creating a new modem pool called "Default".
5800(config-modem-pool)# pool-range 1/2/00-1/11/143Defines the pool range for the modems to be included in the modem pool. The modem pool spans all modems between 1/2/00 and 1/11/143. Empty slots are ignored.
5800(config-modem-pool)# firmware 2.6.2.0Defines the firmware to be loaded onto the modems. Configures all modems within a modem-pool to run version 2.6.2.0 of Portware.
5800(config-modem-pool)# exitExits from the configuration mode.
5800(config)# modem recovery action noneDisables the modem recovery process. Disables the automatic recovery of faulty modems. Modem recovery may be enabled if you are temporarily working around a specific problem of hung modems.
5800(config)# modem call-record terseGenerates a Terse Modem Call Record at the end of a call. Enables modem call records logging that provide detailed connection information, which aids in troubleshooting call failure patterns.
To Modify, Copy, & Paste
modem-pool Defaultpool-range 1/2/00-1/11/143firmware 2.6.2.0exitmodem recovery action nonemodem call-record terseTTY Line
These are asynchronous lines on the router. TTY is a line configuration, not an interface configuration. These lines correspond to async interfaces that are configured separately.
TTY Line Requisites
The following requisites are significant considerations to identify before configuring a TTY line:
•
•
•
•
•
TTY Line Configuration
The following Cisco IOS CLI script serves as a sample TTY line configuration or setup.
Sample Configuration
5800(config)# line 1/2/00 1/11/1435800(config-line)# location "Async call"5800(config-line)# exec-timeout 0 05800(config-line)# autoselect PPP5800(config-line)# autoselect during-login5800(config-line)# login authentication USE-RADIUS5800(config-line)# authorization exec USE-RADIUS5800(config-line)# modem Dialin5800(config-line)# no modem log rs2325800(config-line)# transport preferred none5800(config-line)# exit5800(config)#Command Line Description
5800(config)# line 1/2/00 1/11/143Defines the range for lines to be configured.
5800(config-line)# location "Async call"Defines the location of the async line.
5800(config-line)# exec-timeout 0 0Sets the EXEC-timeout under the line to indefinite.
5800(config-line)# autoselect pppSets line to allow PPP autoselection. Enables the automatic the detection of PPP packets.
5800(config-line)# autoselect during-loginAutomatically selects at the Username/Password prompt. Present the login prompt before beginning autoselect process.
5800(config-line)# login authentication USE-RADIUSDefines the authentication method for login and points it to the "USE-RADIUS" list defined in the AAA process. Configures EXEC authentication on this line to use the USE-RADIUS method list.
5800(config-line)# authorization exec USE-RADIUSDefines the authorization method for EXEC service and point it to the "USE-RADIUS" list defined in the AAA process. Configures EXEC authorization on the line to use the USE-RADIUS method list.
5800(config-line)# modem DialinConfigures the line to allow a modern modem to dial-in (dial-out not allowed).
5800(config-line)# no modem log rs232Turns off the rs232 log events. Does not log EIA/TIA-232 events in the modem log.
5800(config-line)# transport preferred noneSets the preferred protocol to none. Does not try to auto-connect the user to a host with a particular protocol.
5800(config-line)# exitExits line configuration mode to global configuration mode.
To Modify, Copy, & Paste
line 1/2/00 1/11/143location "Async call"exec-timeout 0 0autoselect pppautoselect during-loginlogin authentication USE-RADIUSauthorization exec USE-RADIUSmodem Dialinno modem log rs232transport preferred noneAsync Interface
Asychronous interface is used to terminate analog (async) dialin calls.
Async Interface Requisites
The following requisites are significant considerations to identify before configuring an async interface:
•
•
•
•
•
•
•
•
•
Async Interface Configuration
The following Cisco IOS CLI script serves as a sample async interface configuration or setup.
Sample Configuration
5800(config)# interface group-async05800(config-if)# ip unnumbered loopback05800(config-if)# encapsulation ppp5800(config-if)# dialer in-band5800(config-if)# dialer idle-timeout 27005800(config-if)# dialer-group 15800(config-if)# async mode interactive5800(config-if)# ntp disable5800(config-if)# no snmp trap link-status5800(config-if)# peer default ip address pool default5800(config-if)# no cdp enable5800(config-if)# ppp authentication pap callin USE-RADIUS5800(config-if)# ppp multilink5800(config-if) group-range 1/2/00 1/11/1435800(config-if) exit5800(config)#Command Line Description
5800(config)# interface group-async0Creates a group-async interface used to configure all the async interfaces at one time.
5800(config-if)# ip unnumbered loopback0Unnumbers the interface to the IP address of loopback 0 interface.
5800(config-if)# encapsulation pppSets the default encapsulation type to PPP.
5800(config-if)# dialer in-bandEnables dial on demand routing on this interface. Establishes a dialer interface.
5800(config-if)# dialer idle-timeout 2700Defines the idle-timeout under the interface. If the call is idle for 45 minutes (2700 seconds) then the command disconnects the user. Default is 120 seconds.
5800(config-if)# dialer-group 1Assigns interface to dialer-list 1. Use dialer-list 1 to determine what kind of traffic is valid.
5800(config-if)# async mode interactiveAllows the user to run PPP or SLIP on this interface. Line may be switched between interactive use and async interface.
5800(config-if)# ntp disableDisables the processing of Network Time Protocol (NTP) on this interface.
5800(config-if)# no snmp trap link-statusDisables SNMP LINKUP and LINKDOWN traps. Do not send SNMP traps when this interface goes up or down.
5800(config-if)# peer default ip address pool defaultUse IP pool mechanism to allocate a peer IP address. The pool in this case is called "default".
5800(config-if)# no cdp enableDisables Cisco Discovery Protocol (CDP) on this interface.
5800(config-if)# ppp authentication pap callin USE-RADIUSDefines the authentication protocol (PAP) to be used for authenticating incoming calls only. The USE-RADIUS list is defined in the AAA process. PPP clients must authenticate themselves using the Password Authentication Protocol. Authentication will be done using the USE-RADIUS method list.
5800(config-if)# ppp multilinkConfigures the interface for multilink. Enable this interface to negotiate PPP multilink.
5800(config-if) group-range 1/2/00 1/11/143Defines the group-range for interface to be covered under this group-async interface. Apply this configuration to interfaces from Async1/2/00 to Async1/11/143.
5800(config-if) exitExits interface configuration mode to global configuration mode.
5800(config)#Global configuration mode prompt.
To Modify, Copy, & Paste
interface group-async0ip unnumbered loopback0encapsulation pppdialer in-banddialer idle-timeout 2700dialer-group 1async mode interactiventp disableno snmp trap link-statuspeer default ip address pool defaultno cdp enableppp authentication pap callin USE-RADIUSppp multilinkgroup-range 1/2/00 1/11/143exitDial Interface
These interfaces are used for ending digital calls. Dialer interfaces are also used for async calls.
Dial Interface Requisites
The following requisites are significant considerations to identify before configuring a dial interface:
•
•
•
•
•
•
Dial Interface Configuration
The following Cisco IOS CLI script serves as a sample dial interface configuration or setup.
Sample Configuration
5800(config)# interface dialer05800(config-if)# ip unnumbered loopback05800(config-if)# encapsulation ppp5800(config-if)# no ip mroute-cache5800(config-if)# dialer in-band5800(config-if)# dialer idle-timeout 27005800(config-if)# dialer-group 15800(config-if)# ntp disable5800(config-if)# no snmp trap link-status5800(config-if)# peer default ip address pool default5800(config-if)# no cdp enable5800(config-if)# ppp authentication pap callin USE-RADIUS5800(config-if)# ppp multilink5800(config-if)# exit5800(config)# dialer-list 1 protocol ip permitCommand Line Description
5800(config)# interface dialer0Defines the dialer interface. Creates a dialer interface used to configure all dialer interfaces at one time.
5800(config-if)# ip unnumbered loopback0Unnumbers the interface to the IP address of loopback 0 interface.
5800(config-if)# encapsulation pppSets the default encapsulation type to PPP.
5800(config-if)# no ip mroute-cacheTurns off fast switching for multicast traffic.
5800(config-if)# dialer in-bandEnables dial on demand routing on this interface. Enables this interface to be a dialer interface.
5800(config-if)# dialer idle-timeout 2700Defines the idle-timeout under the interface. If the call is idle for 45 minutes (2700 seconds) then the command disconnects the user. Default is 120 seconds.
5800(config-if)# dialer-group 1Assigns interface to dialer-list 1. Use dialer-list 1 to determine what kind of traffic is considered interesting.
5800(config-if)# ntp disableDisables the processing of Network Time Protocol (NTP) on this interface.
5800(config-if)# no snmp trap link-statusDisables SNMP LINKUP and LINKDOWN traps. Do not send SNMP traps when this interface goes up or down.
5800(config-if)# peer default ip address pool defaultUse IP pool mechanism to allocate a peer IP address. The pool in this case is called "default".
5800(config-if)# no cdp enableDisables Cisco Discovery Protocol (CDP) on this interface.
5800(config-if)# ppp authentication pap callin USE-RADIUSDefines the authentication protocol (PAP) to be used for authenticating incoming calls only. The USE-RADIUS list is defined in the AAA process. PPP clients must authenticate themselves using the Password Authentication Protocol. Authentication will be done using the USE-RADIUS method list.
5800(config-if)# ppp multilinkConfigures the interface for multilink. Enable this interface to negotiate PPP multilink.
5800(config-if)# exitExits interface configuration mode to global configuration mode.
5800(config)# dialer-list 1 protocol ip permitConfigures dialer-list 1 to consider all IP traffic as interesting.
To Modify, Copy, & Paste
interface dialer0ip unnumbered loopback0no ip directed broadcastencapsulation pppno ip mroute-cachedialer in-banddialer idle-timeout 2700dialer-group 1ntp disableno snmp trap link-statuspeer default ip address pool defaultno cdp enableppp authentication pap callin USE-RADIUSppp multilinkexitdialer-list 1 protocol ip permit