Alcatel-Lucent 7210 SAS E OS System Management Manual


7210 SAS E OS
System Management Guide
Software Version: 7210-SAS E OS 1.0 Rev. 01
January 2009
Document Part Number: 93-0220-01-01
*93-0220-01-01*


Summary of Contents for Alcatel-Lucent 7210 SAS E OS

  • Page 1 7210 SAS E OS System Management Guide Software Version: 7210-SAS E OS 1.0 Rev. 01 January 2009 Document Part Number: 93-0220-01-01 *93-0220-01-01*...
  • Page 2 This document is protected by copyright. Except as specifically permitted herein, no portion of the provided information can be reproduced in any form, or by any means, without prior written permission from Alcatel-Lucent. Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.
  • Page 3: Table Of Contents

    TABLE OF CONTENTS Preface ................11 Getting Started Alcatel-Lucent 7210 SAS Router Configuration Process .
  • Page 4 Table of Contents Configuring Users ..............55 Configuring Keychains.
  • Page 5 Table of Contents Event and Accounting Logs Logging Overview ..............198 Log Destinations .
  • Page 6 Table of Contents Standards and Protocol Support ........... . .305 Page 6 7210 SAS-E OS System Management Guide...
  • Page 7 LIST OF TABLES Getting Started Table 1: Configuration Process ............13 Security Table 2: Supported Authorization Configurations .
  • Page 9 LIST OF FIGURES Security Figure 1: RADIUS Requests and Responses ..........16 Figure 2: Security Flow .
  • Page 11: Preface

    Preface About This Guide This guide describes general information you will need to configure router security, SNMP features, as well as configuring event and accounting logs. It covers basic tasks such as configuring management access filters that control traffic in and out of the CPM, passwords, user profiles, security such as RADIUS, TACACS+, and SSH servers, the router clock, and virtual routers.
  • Page 12 Technical Support This guide describes system security and access configurations as well as event logging and accounting logs. • 7210-SAS E OS Interface Configuration Guide This guide describes card, Media Dependent Adapter (MDA), and port provisioning. • 7210-SAS E OS Router Configuration Guide This guide describes logical IP routing interfaces and associated attributes such as an IP address, port, link aggregation group (LAG) as well as IP and MAC-based filtering.
  • Page 13: Getting Started

    Getting Started In This Chapter This chapter provides process flow information to configure system security and access functions as well as event and accounting logs. Alcatel-Lucent 7210 SAS Router Configuration Process Table 1 lists the tasks necessary to configure system security and access functions and logging features.
  • Page 14: Getting Started

  • Page 15: Security

    Security In This Chapter This chapter provides information to configure security parameters. Topics in this chapter include: • Authentication, Authorization, and Accounting on page 16 → Authentication on page 17 → Authorization on page 22 → Accounting on page 24 •...
  • Page 16: Authentication, Authorization, And Accounting

    Authentication, Authorization, and Accounting Authentication, Authorization, and Accounting This chapter describes authentication, authorization, and accounting (AAA) used to monitor and control network access on routers. Network security is based on a multi-step process. The first step, authentication, validates a user’s name and password. The second step is authorization, which allows the user to access and execute commands at various command levels based on profiles assigned to the user.
  • Page 17: Authentication

    Security Authentication Authentication validates a user name and password combination when a user attempts to log in. When a user attempts to log in through the console, Telnet, SSH, SCP, or FTP, the client sends an access request to a RADIUS, TACACS+, or local database. Transactions between the client and a RADIUS server are authenticated through the use of a shared secret.
  • Page 18: Local Authentication

    Authentication, Authorization, and Accounting Local Authentication Local authentication uses user names and passwords to authenticate login attempts. The user names and passwords are local to each router not to user profiles. By default, local authentication is enabled. When one or more of the other security methods are enabled, local authentication is disabled.
  • Page 19 Security Direct Mode The first server is used as the primary server. If this server is unreachable, the next server, based on the server index, of the server pool is used. This continues until either all servers in the pool have been tried or an answer is received.
  • Page 20 Authentication, Authorization, and Accounting Application Specific Behavior Operator Management The server access mode is fixed to Round-Robin (Direct cannot be configured for operator management). A health-check function is available for operator management, which can optionally be disabled. The health-check polls the server once every 10 seconds with an improbable user name.
  • Page 21: Tacacs+ Authentication

    Security TACACS+ Authentication Terminal Access Controller Access Control System, commonly referred to as TACACS, is an authentication protocol that allows a remote access server to forward a user's logon password to an authentication server to determine whether access can be allowed to a given system. TACACS is an encryption protocol and therefore less secure than the later Terminal Access Controller Access Control System Plus (TACACS+) and RADIUS protocols.
  • Page 22: Authorization

    Authentication, Authorization, and Accounting Authorization Routers support local, RADIUS, and TACACS+ authorization to control the actions of specific users by applying a profile based on user name and password configurations once network access is granted. The profiles are configured locally as well as VSAs on the RADIUS server. See Vendor-Specific Attributes (VSAs) on page. Once a user has been authenticated using RADIUS (or another method), the router can be configured to perform authorization.
  • Page 23: Local Authorization

    Security configuration when the user session terminates. Temporary user login names and their associated passwords are not saved as part of the configuration. • Local Authorization on page 23 • RADIUS Authorization on page 23 • TACACS+ Authorization on page 23 Local Authorization Local authorization uses user profiles and user access information after a user is authenticated.
  • Page 24: Accounting

    Authentication, Authorization, and Accounting Accounting When enabled, RADIUS accounting sends command line accounting from the router to the RADIUS server. The router sends accounting records using UDP packets at port 1813 (decimal). The router issues an accounting request packet for each event requiring the activity to be recorded by the RADIUS server.
  • Page 25 Security The TACACS+ accounting server acknowledges the start packet and records information about the event. When the event ends, the device sends a stop packet. The stop packet is acknowledged by the TACACS+ accounting server.
  • Page 26: Security Controls

    Security Controls Security Controls You can configure routers to use RADIUS, TACACS+, and local authentication to validate users requesting access to the network. The order in which password authentication is processed among RADIUS, TACACS+ and local passwords can be specifically configured. In other words, the authentication order can be configured to process authorization via TACACS+ first, then RADIUS for authentication and accounting.
  • Page 27: Access Request Flow

    Security Access Request Flow In Figure 2, the authentication process is defined in the config>system>security> password context. The authentication order is determined by specifying the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords. This example uses the authentication order of RADIUS, then TACACS+, and finally, local. An access request is sent to RADIUS server 1.
  • Page 28: Vendor-Specific Attributes (Vsas)

    Vendor-Specific Attributes (VSAs) Vendor-Specific Attributes (VSAs) The software supports the configuration of Alcatel-Lucent-specific RADIUS attributes. These attributes are known as vendor-specific attributes (VSAs) and are discussed in RFC 2138. VSAs must be configured when RADIUS authorization is enabled. It is up to the vendor to specify the format of their VSA.
  • Page 29 Security All commands at and below the hierarchy level of the matched command are subject to the VSA. Multiple match-strings can be entered in a single timetra-cmd VSA. Match strings must be semicolon (;) separated (maximum string length is 254 characters). One or more timetra-cmd VSAs can be entered followed by a single timetra-action...
  • Page 30: Sample User (Vsa) Configuration

    Vendor-Specific Attributes (VSAs) Sample User (VSA) Configuration The following example displays a user-specific VSA configuration. This configuration shows attributes for users named ruser1 and ruser2. The following example shows that user ruser1 is granted console access. ruser1’s home directory is in compact flash slot 3 and is limited to the home directory. The default action permits all packets when matching conditions are not met.
  • Page 31: Alcatel-Lucent Dictionary

    Security Alcatel-Lucent Dictionary # Version: 1.28 VENDOR Alcatel-IPD 6527 # User management VSAs ATTRIBUTE Timetra-Access integer Alcatel-IPD ATTRIBUTE Timetra-Home-Directory string Alcatel-IPD ATTRIBUTE Timetra-Restrict-To-Home integer Alcatel-IPD ATTRIBUTE Timetra-Profile string Alcatel-IPD ATTRIBUTE Timetra-Default-Action integer Alcatel-IPD ATTRIBUTE Timetra-Cmd string Alcatel-IPD ATTRIBUTE Timetra-Action integer Alcatel-IPD ATTRIBUTE Timetra-Exec-File string Alcatel-IPD...
  • Page 32 Vendor-Specific Attributes (VSAs) ATTRIBUTE Alc-Tunnel-Destruct-Timeout integer Alcatel-IPD ATTRIBUTE Alc-Tunnel-Est-Max-Retries integer Alcatel-IPD ATTRIBUTE Alc-Tunnel-Oth-Max-Retries integer Alcatel-IPD ATTRIBUTE Alc-Tunnel-AVP-Hiding-Level integer Alcatel-IPD VALUE Alc-Tunnel-Algorithm weighted-access 1 VALUE Alc-Tunnel-Algorithm existing-first VALUE Alc-Tunnel-AVP-Hiding-Level nothing VALUE Alc-Tunnel-AVP-Hiding-Level secrets-only VALUE Alc-Tunnel-AVP-Hiding-Level ATTRIBUTE Alc-BGP-Policy string Alcatel-IPD ATTRIBUTE Alc-BGP-Auth-Keychain string Alcatel-IPD ATTRIBUTE Alc-BGP-Auth-Key...
  • Page 33 Security ATTRIBUTE Alc-Acct-OC-O-Outprof-Octets-64 octets Alcatel-IPD ATTRIBUTE Alc-Acct-OC-I-Inprof-Pkts-64 octets Alcatel-IPD ATTRIBUTE Alc-Acct-OC-I-Outprof-Pkts-64 octets Alcatel-IPD ATTRIBUTE Alc-Acct-OC-O-Inprof-Pkts-64 octets Alcatel-IPD ATTRIBUTE Alc-Acct-OC-O-Outprof-Pkts-64 octets Alcatel-IPD ATTRIBUTE Alc-Acct-I-High-Octets-Drop_64 octets Alcatel-IPD ATTRIBUTE Alc-Acct-I-Low-Octets-Drop_64 octets Alcatel-IPD ATTRIBUTE Alc-Acct-I-High-Pack-Drop_64 octets Alcatel-IPD ATTRIBUTE Alc-Acct-I-Low-Pack-Drop_64 octets Alcatel-IPD ATTRIBUTE Alc-Acct-I-High-Octets-Offer_64 octets Alcatel-IPD ATTRIBUTE Alc-Acct-I-Low-Octets-Offer_64 octets...
  • Page 34: Other Security Features

    Other Security Features Other Security Features Secure Shell (SSH) Secure Shell Version 1 (SSH) is a protocol that provides a secure, encrypted Telnet-like connection to a router. A connection is always initiated by the client (the user). Authentication takes place by one of the configured authentication methods (local, RADIUS, or TACACS+).
  • Page 35 Security transmitted to the SCP server. For example, a destination directory specified as “cf1:\dir1\file1” will be transmitted to the SCP server as “cf1:dir1file1” where the backslash escape characters are stripped by the SCP client system before transmission. On systems where the client treats the backslash like an “escape”...
  • Page 36: Exponential Login Backoff

    Other Security Features Exponential Login Backoff A malicious user can gain CLI access by a dictionary attack: using a script to try "admin" with any conceivable password. The 7210 SAS increases the delay between login attempts exponentially to mitigate such attacks. It is applied to the console login.
  • Page 37: Encryption

    Security Encryption Data Encryption Standard (DES) and Triple DES (3DES) are supported for encryption. • DES is a widely-used method of data encryption using a private (secret) key. Both the sender and the receiver must know and use the same private key. •...
  • Page 38: Packet Formats

    Other Security Features Packet Formats 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ Kind | Length |T|K| Alg ID|Res| Key ID |...
  • Page 39: Keychain

    Security Keychain A keychain is a set of up to 64 keys, where each key is {A[i], K[i], V[i], S[i], T[i], S'[i], T'[i]} as described in draft-bonica-tcp-auth-05.txt, Authentication for TCP-based Routing and Management Protocols. The keys can be assigned to both sides of a BGP or LDP peer. The individual keys in a keychain have a begin- and end-time indicating when to use this key.
  • Page 40 Other Security Features Table 4: Keychain Mapping (Continued) Field / Definition: T[i]: End time after which key[i] cannot be used by sending TCPs. Inferred by the begin-time of the next key (youngest key rule). S'[i]: Start time from which key[i] can be used by receiving TCPs. config>system>security>keychain>direction>bi>entry>begin-time
  • Page 41: Configuration Notes

    Security Configuration Notes This section describes security configuration caveats. General • If a RADIUS or a TACACS+ server is not configured, then password, profiles, and user access information must be configured on each router in the domain. • If a RADIUS authorization is enabled, then VSAs must be configured on the RADIUS server.
  • Page 43: Configuring Security With Cli

    Security Configuring Security with CLI This section provides information to configure security using the command line interface. Topics in this section include: • Setting Up Security Attributes on page 44 → Configuring Authorization on page 45 → Configuring Authorization on page 45 →...
  • Page 44: Setting Up Security Attributes

    Setting Up Security Attributes Setting Up Security Attributes Configuring Authentication Refer to the following sections to configure authentication: • Local authentication → Configuring Password Management Parameters on page 53 → Configuring Profiles on page 54 → Configuring Users on page 55 •...
  • Page 45: Configuring Authorization

    Security Configuring Authorization Refer to the following sections to configure authorization. • Local authorization For local authorization, configure these tasks on each participating router: → Configuring Profiles on page 54 → Configuring Users on page 55 • RADIUS authorization (only) For RADIUS authorization (without authentication), configure these tasks on each participating router: →...
  • Page 46 Setting Up Security Attributes For TACACS+ authorization (with authentication), configure these tasks on each participating router: → Enabling TACACS+ Authentication on page 65 → Configuring TACACS+ Authorization on page 66
  • Page 47: Configuring Accounting

    Security Configuring Accounting Refer to the following sections to configure accounting. • Local accounting is not implemented. For information about configuring accounting policies, refer to Configuring Logging with CLI on page 219 • Configuring RADIUS Accounting on page 63 → Configuring RADIUS Accounting on page 63 •...
  • Page 48: Security Configurations

    Security Configurations Security Configurations This section provides information to configure security and configuration examples of configuration tasks. To implement security features, configure the following components: • Management access filters • Profiles • User access parameters • Password management parameters • Enable RADIUS and/or TACACS+ →...
  • Page 49 Security exit snmp view iso subtree 1 mask ff type included exit access group snmp-ro security-model snmpv1 security-level no-auth-no-privacy read no-security notify no-security access group snmp-ro security-model snmpv2c security-level no-auth-no-privacy read no-security notify no-security access group snmp-rw security-model snmpv1 security-level no-auth-no-privacy read no-security write no-security notify no-security access group snmp-rw security-model snmpv2c security-level no-auth-no-privacy read no-security write no-security notify no-security...
  • Page 50: Configuration Tasks

    Configuration Tasks Configuration Tasks This section provides a brief overview of the tasks that must be performed to configure security and provides the CLI commands. Table 5 depicts the capabilities of authentication, authorization, and accounting configurations. For example, authentication can be enabled locally and on RADIUS and TACACS+ servers.
  • Page 51: Security Configuration Procedures

    Security Security Configuration Procedures • Configuring Management Access Filters on page 51 • Configuring Password Management Parameters on page 53 • Configuring Profiles on page 54 • Configuring Users on page 55 • Copying and Overwriting Users and Profiles on page 57 •...
  • Page 52 Security Configuration Procedures action {permit|deny|deny-host-unreachable} The following displays a management access filter configuration example: A:ALA-1>config>system>security# info ---------------------------------------------- no hash-control telnet-server no telnet6-server no ftp-server management-access-filter exit profile "default" default-action none no li entry 10 no description match "exec" action permit exit entry 20 no description...
  • Page 53: Configuring Password Management Parameters

    Security Configuring Password Management Parameters Password management parameters consist of defining aging, the authentication order and authentication methods, password length and complexity, as well as the number of attempts a user can make to enter a password. Depending on your authentication requirements, password parameters are configured locally. Use the following CLI commands to configure password support: CLI Syntax: config>system>security password...
  • Page 54: Configuring Profiles

    Security Configuration Procedures Configuring Profiles Profiles are used to deny or permit access to a hierarchical branch or specific commands. Profiles are referenced in a user configuration. A maximum of sixteen user profiles can be defined. A user can participate in up to sixteen profiles. Depending on the authorization requirements, passwords are configured locally or on the RADIUS server.
  • Page 55: Configuring Users

    Security Configuring Users Configure access parameters for individual users. For each user, define the login name for the user and, optionally, information that identifies the user. Use the following CLI commands to configure RADIUS support: CLI Syntax: config>system>security user-template template-name user user-name access [ftp] [snmp] [console] console cannot-change-password...
  • Page 56: Configuring Keychains

    Security Configuration Procedures Configuring Keychains The following displays a keychain configuration. A:ALA-1>config>system>security# info ---------------------------------------------- keychain "abc" direction entry 1 key "ZcvSElJzJx/wBZ9biCtOVQJ9YZQvVU.S" hash2 algorithm aes-128-cmac-96 begin-time 2006/12/18 22:55:20 exit exit exit exit keychain "basasd" direction receive entry 1 key "Ee7xdKlYO2DOm7v3IJv/84LIu96R2fZh" hash2 algorithm aes-128-cmac-96 tolerance forever exit...
  • Page 57: Copying And Overwriting Users And Profiles

    Security Copying and Overwriting Users and Profiles You can copy a profile or user, or overwrite an existing profile or user. The overwrite option must be specified, or an error occurs if the destination profile or user name already exists.
  • Page 58 Security Configuration Procedures Note that the cannot-change-password flag is not replicated when a copy user command is performed. A new-password-at-login flag is created instead. A:ALA-12>config>system>security>user# info ---------------------------------------------- password "F6XjryaATzM" hash access snmp console cannot-change-password exit snmp authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none group "testgroup"...
  • Page 59: Profile

    Security Profile CLI Syntax: config>system>security# copy {user source-user | profile source-profile} to destination [overwrite] Example config>system>security# copy profile default to testuser The following output displays the copied profiles: A:ALA-49>config>system>security# info ---------------------------------------------- A:ALA-49>config>system>security# info detail ---------------------------------------------- profile "default" default-action none entry 10 no description match "exec"...
  • Page 60 Security Configuration Procedures action permit exit exit profile "testuser" default-action none entry 10 no description match "exec" action permit exit entry 20 no description match "exit" action permit exit entry 30 no description match "help" action permit exit entry 40 no description match "logout"...
  • Page 61: Radius Configurations

    Security RADIUS Configurations • Configuring RADIUS Authentication on page 61 • Configuring RADIUS Authorization on page 62 • Configuring RADIUS Accounting on page 63 • Configuring 802.1x RADIUS Policies on page 64 Configuring RADIUS Authentication RADIUS is disabled by default and must be explicitly enabled. The mandatory commands to enable RADIUS on the local router are radius and server server-index address...
  • Page 62: Configuring Radius Authorization

    RADIUS Configurations Configuring RADIUS Authorization In order for RADIUS authorization to function, RADIUS authentication must be enabled first. See Configuring RADIUS Authentication on page In addition to the local configuration requirements, VSAs must be configured on the RADIUS server. See Vendor-Specific Attributes (VSAs) on page On the local router, use the following CLI commands to configure RADIUS authorization: CLI Syntax: config>system>security...
  • Page 63: Configuring Radius Accounting

    Security Configuring RADIUS Accounting On the local router, use the following CLI commands to configure RADIUS accounting: CLI Syntax: config>system>security radius accounting The following displays RADIUS accounting configuration example: A:ALA-1>config>system>security# info ---------------------------------------------- radius shutdown authorization accounting retry 5 timeout 5 server 1 address 10.10.10.103 secret "test1"...
  • Page 64: Configuring 802.1X Radius Policies

    Configuring 802.1x RADIUS Policies Configuring 802.1x RADIUS Policies Use the following CLI commands to configure generic authentication parameters for clients using 802.1x EAPOL. Additional parameters are configured per Ethernet port. Refer to the To configure generic parameters for 802.1x authentication, enter the following CLI syntax. CLI Syntax: config>system>security dot1x radius-plcy policy-name...
  • Page 65: Tacacs+ Configurations

    Security TACACS+ Configurations • Enabling TACACS+ Authentication on page 65 • Configuring TACACS+ Authorization on page 66 • Configuring TACACS+ Accounting on page 67 Enabling TACACS+ Authentication To use TACACS+ authentication on the router, configure one or more TACACS+ servers on the network.
  • Page 66: Configuring Tacacs+ Authorization

    TACACS+ Configurations Configuring TACACS+ Authorization In order for TACACS+ authorization to function, TACACS+ authentication must be enabled first. See Enabling TACACS+ Authentication on page. On the local router, use the following CLI commands to configure TACACS+ authorization: CLI Syntax: config>system>security tacplus authorization no shutdown The following displays a TACACS+ authorization configuration example:...
  • Page 67: Configuring Tacacs+ Accounting

    Security Configuring TACACS+ Accounting On the local router, use the following CLI commands to configure TACACS+ accounting: CLI Syntax: config>system>security tacplus accounting The following displays a TACACS+ accounting configuration example: A:ALA-1>config>system>security>tacplus# info ---------------------------------------------- accounting authorization timeout 5 server 1 address 10.10.0.5 secret "test1" server 2 address 10.10.0.6 secret "test2"...
  • Page 68: Enabling Ssh

    TACACS+ Configurations Enabling SSH Use the SSH command to configure the SSH server as SSH1, SSH2 or both. The default is SSH2 (SSH version 2). This command should only be enabled or disabled when the SSH server is disabled. This setting should not be changed while the SSH server is running since the actual change only takes place after SSH is disabled or enabled.
  • Page 69: Configuring Login Controls

    Security Configuring Login Controls Configure login control parameters for console, Telnet, and FTP sessions. To configure login controls, enter the following CLI syntax. CLI Syntax: config>system login-control exponential-backoff inbound-max-sessions value telnet inbound-max-sessions value outbound-max-sessions value idle-timeout {minutes |disable} pre-login-message login-text-string [name] login-banner motd {url url-prefix: source-url|text motd-text-string} The following displays a login control configuration example:...
  • Page 71: Security Command Reference

    Security Security Command Reference Command Hierarchies Configuration Commands • Security Commands → Management Access Filter Commands on page 73 → Password Commands on page 74 → Profile Commands on page 74 → RADIUS Commands on page 74 → SSH Commands on page 75 →...
  • Page 72 Command Hierarchies Security Commands config — system — security — copy {user source-user | profile source-profile} to destination [overwrite] — [no] ftp-server — hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}] — no hash-control — source-address — application app [ip-int-name|ip-address|ipv6-address] —...
  • Page 73 Security Management Access Filter Commands config — system — security — [no] management-access-filter —Management Access Filter Commands — default-action {permit|deny|deny-host-unreachable} — [no] entry entry-id — action {permit | deny | deny-host-unreachable} — no action — description description-string — no description —...
  • Page 74 Command Hierarchies —Password Commands Security Password Commands config — system — security — password — admin-password password [hash | hash2] — no admin-password — aging days — no aging — attempts count [time minutes1] [lockout minutes2] — no attempts — authentication-order [method-1] [method-2] [method-3] [exit-on- reject]...
  • Page 75 Security SSH Commands config — system — security — —SSH Commands — [no] preserve-key — [no] server-shutdown — [no] version SSH-version TACPLUS Commands config — system — security — [no] tacplus —TACACS+ Commands — accounting [record-type {start-stop | stop-only}] — no accounting —...
  • Page 76 Command Hierarchies — system — security — user-template {tacplus_default | radius_default} — [no] access [ftp] [console] — console — login-exec url-prefix:source-url — no login-exec — home-directory url-prefix [directory][directory/directory ..] — no home-directory — profile user-profile-name — no profile — [no] restricted-to-home Dot1x Commands config...
  • Page 77 Security — send — entry entry-id key [authentication-key | hash-key | hash2-key] [hash | hash2] algorithm algorithm — begin-time [date][hours-minutes] [UTC] [now] [forever] — [no] shutdown — [no] shutdown — tcp-option-number — receive option-number — send option-number TTL Security Commands config —...
  • Page 78 Command Hierarchies Login Control Commands config — system — login-control —Login Control Commands — [no] exponential-backoff — — inbound-max-sessions value — no inbound-max-sessions — idle-timeout {minutes | disable} — no idle-timeout — [no] login-banner — motd {url url-prefix: source-url | text motd-text-string} —...
  • Page 79 Security Show Commands Security show — system — security — access-group [group-name] — authentication [statistics] — communities — keychain keychain-name [detail] — management-access-filter [entry-id] — password-options — profile [profile-name] — source-address — application app ip-int-name|ip-address — no application — application6 app ipv6-address —...
  • Page 81 Security Configuration Commands General Security Commands description Syntax description description-string no description Context config>system>security>mgmt-access-filter>entry config>sys>security>keychain>direction>bi>entry config>system>security>keychain>direction>uni>receive>entry config>system>security>keychain>direction>uni>send>entry Description This command creates a text description stored in the configuration file for a configuration context. This command associates a text string with a configuration context to help identify the context in the configuration file.
  • Page 82 General Security Commands security Syntax security Context config>system Description This command creates the context to configure security settings. Security commands manage user profiles and user membership. Security commands also manage user login registrations. ftp-server Syntax [no] ftp-server Context config>system>security Description This command enables FTP servers running on the system.
  • Page 83 Security source-address Syntax source-address Context config>system>security Description This command specifies the source address that should be used in all unsolicited packets sent by the application. application Syntax application app [ip-int-name|ip-address] no application app Context config>system>security>source-address Description This command specifies the application to use the source-IP address specified by the source-address command.
  • Page 84 Login, Telnet, SSH and FTP Commands Login, Telnet, SSH and FTP Commands exponential-backoff Syntax [no] exponential-backoff Context config>system>login-control Description This command enables the exponential-backoff of the login prompt. The exponential-backoff command is used to deter dictionary attacks, when a malicious user can gain access to the CLI by using a script to try admin with any conceivable password.
  • Page 85 Security inbound-max-sessions Syntax inbound-max-sessions value no inbound-max-sessions Context config>system>login-control>ftp Description This command configures the maximum number of concurrent inbound FTP sessions. This value is the combined total of inbound and outbound sessions. The no form of the command reverts to the default value. Default Parameters value —...
  • Page 86 Login, Telnet, SSH and FTP Commands login-control Syntax login-control Context config>system Description This command creates the context to configure the session control for console, Telnet and FTP. motd Syntax motd {url url-prefix: source-url | text motd-text-string} no motd Context config>system>login-control Description This command creates the message of the day displayed after a successful console login.
  • Page 87 Security pre-login-message Syntax pre-login-message login-text-string [name] no pre-login-message Context config>system>login-control Description This command creates a message displayed before login attempts on the console and via Telnet. Only one message can be configured. If multiple pre-login-messages are configured, the last message entered overwrites the previous entry.
  • Page 88 Login, Telnet, SSH and FTP Commands preserve-key Syntax [no] preserve-key Context config>system>security Description This command specifies the persistence of the SSH server host key. When enabled, the host key will be saved by the server and restored following a system reboot. This command can only be enabled or disabled when the SSH server is disabled.
  • Page 89 Security telnet Syntax telnet Context config>system>login-control Description This command creates the context to configure the Telnet login control parameters.
  • Page 90 Management Access Filter Commands Management Access Filter Commands management-access-filter Syntax [no] management-access-filter Context config>system>security Description This command creates the context to edit management access filters and to reset match criteria. Management access filters control all traffic in and out of the CPM. They can be used to restrict management of the router by other nodes outside either specific (sub)networks or through designated ports.
  • Page 91 Security Description This command creates the default action for management access in the absence of a specific management access filter match. The default-action is applied to a packet that does not satisfy any match criteria in any of the management access filters.
  • Page 92 Management Access Filter Commands entry [no] entry entry-id Context config>system>security>mgmt-access-filter Description This command is used to create or edit a management access filter entry. Multiple entries can be created with unique entry-id numbers. The search exits the filter upon the first match found and executes the actions according to the respective action command.
  • Page 93 Security The search exits on the first match found and executes the actions in accordance with the accompanying action command. This may require some entries to be re-numbered so that they run from most to least explicit. Parameters old-entry-number — Enter the entry number of the existing entry. Values 1 —...
  • Page 94 Password Commands Password Commands admin-password Syntax admin-password password [hash | hash2] no admin-password Context config>system>security>password Description This command allows a user (with admin permissions) to configure a password which enables a user to become an administrator. This password is valid only for one session. When enabled, no authorization to TACACS+ or RADIUS is performed and the user is locally regarded as an admin user.
  • Page 95 Security hash2 — Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed. enable-admin Syntax enable-admin Context <global> Description NOTE: See the description for the admin-password on the previous page. If the admin-password is configured in the config>system>security>password context, then any user can enter the special administrative mode by entering the enable-admin command.
  • Page 96 Password Commands Description This command configures the number of days a user password is valid before the user must change their password. This parameter can be used to force the user to change the password at the configured interval. The no form of the command reverts to the default value. Default No aging is enforced.
  • Page 97 Security authentication-order Syntax authentication-order [method-1] [method-2] [method-3] [exit-on-reject] no authentication-order Context config>system>security>password Description This command configures the sequence in which password authentication, authorization, and accounting is attempted among RADIUS, TACACS+, and local passwords. The order should be from the most preferred authentication method to the least preferred. The presence of all methods in the command line does not guarantee that they are all operational.
  • Page 98 Password Commands • exit-on-reject is configured and the user does not exist, the user will not be authenticated. • The user is authenticated locally, then other methods, if configured, will be used for authorization and accounting. • The user is configured locally but without console access, login will be denied. complexity Syntax [no] complexity [numeric] [special-character] [mixed-case]...
  • Page 99 Security The no form of the command disables the periodic monitoring of the RADIUS and TACACS+ servers. In this case, the operational status for the active server will be up if the last access was successful. Default health-check minimum-length Syntax minimum-length value no minimum-length...
  • Page 100 Profile Management Commands Profile Management Commands action Syntax action {deny | permit} Context config>system>security>profile user-profile-name>entry entry-id Description This command configures the action associated with the profile entry. Parameters deny — Specifies that commands matching the entry command match criteria are to be denied. permit —...
  • Page 101 Security overwrite — Specifies that the destination profile configuration will be overwritten with the copied source profile configuration. A profile will not be overwritten if the overwrite command is not specified. default-action Syntax default-action {deny-all | permit-all | none} Context config>system>security>profile user-profile-name Description This command specifies the default action to be applied when no match conditions are met.
  • Page 102 Profile Management Commands entry Syntax [no] entry entry-id Context config>system>security>profile user-profile-name Description This command is used to create a user profile entry. More than one entry can be created with unique entry-id numbers. The search exits when the first match is found and executes the actions according to the accompanying action command.
  • Page 103 Security renum Syntax renum old-entry-number new-entry-number Context config>system>security>profile user-profile-name Description This command renumbers profile entries to re-sequence the entries. Since the search exits when the first match is found and executes the actions according to the accompanying action command, re-numbering is useful to rearrange the entries from most explicit to least explicit. Parameters old-entry-number —...
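Both the management access filter entries (pages 90 to 93) and the profile entries (pages 100 to 103) are evaluated the same way: entries are walked in ascending entry-id order, the first match decides, and default-action covers everything else. The simulation below is an added example and not 7210 SAS code; the filter entries, profile entries, packets and commands are constructed. It shows why a broad entry with a low entry-id shadows a more explicit one, and how renum fixes the ordering.

```python
"""First-match policy evaluation as described for management-access-filter
entries and profile entries. Added example, not 7210 SAS code: the entries,
packets and commands below are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional, Tuple


@dataclass
class MafEntry:
    """One management-access-filter entry: every configured criterion must match."""
    entry_id: int
    action: str                      # "permit" or "deny"
    src_ip: Optional[str] = None     # source prefix, e.g. "10.10.10.0/24"
    protocol: Optional[str] = None   # "tcp" or "udp"
    dst_port: Optional[int] = None


@dataclass
class ProfileEntry:
    """One profile entry: the match string is a CLI command prefix."""
    entry_id: int
    action: str
    match: str


def maf_matches(entry: MafEntry, pkt: dict) -> bool:
    if entry.src_ip is not None and \
            ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(entry.src_ip):
        return False
    if entry.protocol is not None and entry.protocol != pkt["proto"]:
        return False
    if entry.dst_port is not None and entry.dst_port != pkt["dport"]:
        return False
    return True


def profile_matches(entry: ProfileEntry, command: str) -> bool:
    # A match string covers the whole CLI branch beneath it.
    return command == entry.match or command.startswith(entry.match + " ")


def first_match(entries, default_action: str, matches: Callable, subject) -> Tuple[str, Optional[int]]:
    """Walk entries by ascending entry-id; the first match decides and the search
    exits. If nothing matches, default-action applies (entry None)."""
    for entry in sorted(entries, key=lambda e: e.entry_id):
        if matches(entry, subject):
            return entry.action, entry.entry_id
    return default_action, None


def renum(entries, old_id: int, new_id: int) -> None:
    """Re-sequence one entry, e.g. to move an explicit rule ahead of a broader one."""
    if any(e.entry_id == new_id for e in entries):
        raise ValueError("entry %d already exists" % new_id)
    for e in entries:
        if e.entry_id == old_id:
            e.entry_id = new_id
            return
    raise ValueError("no entry %d" % old_id)


# Constructed management access filter: SSH from the NOC prefix only, no SNMP from elsewhere.
MAF = [
    MafEntry(10, "permit", src_ip="10.10.10.0/24", protocol="tcp", dst_port=22),
    MafEntry(20, "deny", protocol="udp", dst_port=161),
]

# Constructed profile: entry 10 is broader than entry 20 and shadows it.
PROFILE = [
    ProfileEntry(10, "deny", "configure"),
    ProfileEntry(20, "permit", "configure system security"),
]


def check_packet(src: str, proto: str, dport: int, default: str = "deny"):
    return first_match(MAF, default, maf_matches, {"src": src, "proto": proto, "dport": dport})


def check_command(command: str, default: str = "deny-all"):
    return first_match(PROFILE, default, profile_matches, command)


if __name__ == "__main__":
    print(check_packet("10.10.10.104", "tcp", 22))   # permitted by entry 10
    print(check_packet("192.0.2.9", "udp", 161))     # denied by entry 20
    print(check_packet("192.0.2.9", "tcp", 22))      # default-action deny, no entry
    print(check_command("configure system security user"))  # denied: entry 10 matches first
    renum(PROFILE, 20, 5)                            # most explicit entry first
    print(check_command("configure system security user"))  # now permitted by entry 5
```

The same shadowing applies to management access filter entries: a permit for a /8 numbered before a deny for a single host inside it makes the deny unreachable, which is what the renum command exists to correct.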
  • Page 104 User Management Commands User Management Commands access Syntax [no] access [ftp] [snmp] [console] Context config>system>security>user config>system>security>user-template Description This command grants a user permission for FTP, SNMP, console or lawful intercept (LI) access. If a user requires access to more than one application, then multiple applications can be specified in a single command.
  • Page 105 Security The MD5 authentication key is stored in an encrypted format. The minimum key length is determined by the config>system>security>password>minimum-length value. The maximum length is 16 octets (32 printable characters). The complexity of the key is determined by the complexity command. sha key —...
  • Page 106 User Management Commands To disable a user’s privilege to change their password, use the cannot-change-password form of the command. Note that the cannot-change-password flag is not replicated when a user copy is performed. A new-password-at-login flag is created instead. Default no cannot-change-password console...
  • Page 107 Security Default no home-directory NOTE: If restrict-to-home has been configured no file access is granted and no home-directory is created, if restrict-to-home is not applied then root becomes the user’s home-directory. Parameters local-url-prefix [directory] [directory/directory…] — The user’s local home directory URL prefix and directory structure up to 190 characters in length.
  • Page 108 User Management Commands The no form of this command removes the user's access to a profile. Default default Parameters user-profile-name — The user profile name. new-password-at-login Syntax [no] new-password-at-login Context config>system>security>user>console Description This command forces the user to change passwords at the next console or FTP login. If the user is limited to FTP access, the administrator must create the new password.
  • Page 109 Security Parameters password — This is the password for the user that must be entered by this user during the login procedure. The minimum length of the password is determined by the minimum-length command. The maximum length can be up to 20 characters if unhashed, 32 characters if hashed. The complexity requirements for the password are determined by the complexity command.
  • Page 110 User Management Commands Description This command creates the context to configure SNMP group membership for a specific user and defines encryption and authentication parameters. All SNMPv3 users must be configured with the commands available in this CLI node. 7210 SAS OS always uses the configured SNMPv3 user name as the security user name. user-template Syntax user-template {tacplus_default | radius_default}...
  • Page 111 Security RADIUS Client Commands accounting Syntax [no] accounting Context config>system>security>radius Description This command enables RADIUS accounting. The no form of this command disables RADIUS accounting. Default no accounting accounting-port Syntax accounting-port port no accounting-port Context config>system>security>radius Description This command specifies a UDP port number on which to contact the RADIUS server for accounting requests.
  • Page 112 RADIUS Client Commands Description This command configures the UDP port number on which to contact the RADIUS server for authentication requests. The no form of the command reverts to the default value. Default 1812 (as specified in RFC 2865, Remote Authentication Dial In User Service (RADIUS) ) Parameters port —...
  • Page 113 Security Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received. A higher indexed server is only queried if no response is received from a lower indexed server (which implies that the server is not available).
  • Page 114 RADIUS Client Commands timeout Syntax timeout seconds no timeout Context config>system>security>radius Description This command configures the number of seconds the router waits for a response from a RADIUS server. The no form of the command reverts to the default value. Default 3 seconds Parameters...
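The authentication-order semantics on pages 97 and 98 (a silent method is skipped, a reject falls through to the next method unless exit-on-reject is set) and the RADIUS server ordering on pages 113 and 114 (servers tried from lowest to highest index, a higher index only after the lower one gave no response) combine into the login decision below. This is an added example and not 7210 SAS code; the servers, user databases and timing are constructed, and the assumption that the retry count applies per server before moving to the next index is mine.

```python
"""Simulation of authentication-order / exit-on-reject and of RADIUS server
index ordering with timeout and retry. Added example, not 7210 SAS code."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT, NO_RESPONSE = "accept", "reject", "no-response"


@dataclass
class RadiusServer:
    index: int
    address: str
    users: Optional[Dict[str, str]]   # None = server unreachable (constructed)

    def query(self, user: str, password: str) -> str:
        if self.users is None:
            return NO_RESPONSE
        return ACCEPT if self.users.get(user) == password else REJECT


def radius_authenticate(servers: List[RadiusServer], user: str, password: str,
                        timeout: int = 3, retry: int = 3) -> Tuple[str, float]:
    """Query servers from lowest to highest index. A higher index is only tried
    after the lower one stayed silent for `retry` attempts (assumption: retry is
    per server). Returns the verdict and the worst-case seconds spent waiting."""
    waited = 0.0
    for srv in sorted(servers, key=lambda s: s.index):
        for _ in range(retry):
            result = srv.query(user, password)
            if result != NO_RESPONSE:
                return result, waited
            waited += timeout
    return NO_RESPONSE, waited


def authenticate(order: List[str], methods: Dict[str, Callable[[str, str], str]],
                 user: str, password: str, exit_on_reject: bool = False) -> Tuple[str, Optional[str]]:
    """Try each method in the configured order. A method that does not answer is
    skipped. A reject moves to the next method unless exit-on-reject is set, in
    which case the login fails immediately."""
    for name in order:
        result = methods[name](user, password)
        if result == ACCEPT:
            return ACCEPT, name
        if result == REJECT and exit_on_reject:
            return REJECT, name
    return REJECT, None


# Constructed environment: both RADIUS servers down, a TACACS+ server that knows
# a different password for alice, and a local user database.
RADIUS = [RadiusServer(1, "10.10.0.1", None), RadiusServer(2, "10.10.0.2", None)]
TACPLUS_USERS = {"alice": "tac-secret"}
LOCAL_USERS = {"alice": "local-secret", "admin": "admin-secret"}

METHODS: Dict[str, Callable[[str, str], str]] = {
    "radius": lambda u, p: radius_authenticate(RADIUS, u, p)[0],
    "tacplus": lambda u, p: ACCEPT if TACPLUS_USERS.get(u) == p else REJECT,
    "local": lambda u, p: ACCEPT if LOCAL_USERS.get(u) == p else REJECT,
}


def login(user: str, password: str, exit_on_reject: bool = False):
    """authentication-order radius tacplus local [exit-on-reject]"""
    return authenticate(["radius", "tacplus", "local"], METHODS, user, password, exit_on_reject)


if __name__ == "__main__":
    print(login("alice", "local-secret"))                      # ('accept', 'local')
    print(login("alice", "local-secret", exit_on_reject=True)) # ('reject', 'tacplus')
    print(radius_authenticate(RADIUS, "alice", "x"))           # ('no-response', 18.0)
```

Two things worth noticing: without exit-on-reject a password rejected by TACACS+ is still accepted locally, so a stale local password remains a way in; and with two silent RADIUS servers, timeout 3 and retry 3, a user waits 18 seconds before the next method is even consulted, which is why the health-check on page 99 matters.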
  • Page 115 Security TACACS+ Client Commands server Syntax server index address ip-address secret key no server index Context config>system>security>tacplus Description This command adds a TACACS+ server and configures the TACACS+ server IP address, index, and key values. Up to five TACACS+ servers can be configured at any one time. TACACS+ servers are accessed in order from lowest index to the highest index for authentication requests.
  • Page 116 TACACS+ Client Commands The no form of the command disables the single-connection option. Default no single-connection shutdown Syntax [no] shutdown Context config>system>security>tacplus Description This command administratively disables the TACACS+ protocol operation. Shutting down the protocol does not remove or change the configuration other than the administrative state. The operational state of the entity is disabled as well as the operational state of any entities contained within.
  • Page 117 Security authorization Syntax [no] authorization Context config>system>security>tacplus Description This command configures TACACS+ authorization parameters for the system. Default no authorization timeout Syntax timeout seconds no timeout Context config>system>security>tacplus Description This command configures the number of seconds the router waits for a response from a TACACS+ server.
  • Page 118 TACACS+ Client Commands Description This command specifies whether or not the user template defined by this entry is to be actively applied to the TACACS+ user.
  • Page 119 Security Generic 802.1x COMMANDS dot1x Syntax [no] dot1x Context config>system>security Description This command creates the context to configure 802.1x network access control on the router. The no form of the command removes the 802.1x configuration. radius-plcy Syntax [no] radius-plcy Context config>system>security>...
  • Page 120 Generic 802.1x COMMANDS server (dot1x) Syntax server server-index address ip-address secret key [hash | hash2] [auth-port auth-port] [acct-port acct-port] [type server-type] no server index Context config>system>security> dot1x>radius-plcy Description This command adds a Dot1x server and configures the Dot1x server IP address, index, and key values.
  • Page 121 Security source-address Syntax source-address ip-address no source-address Context config>system>security> dot1x>radius-plcy Description This command configures the NAS IP address to be sent in the RADIUS packet. The no form of the command reverts to the default value. Default By default the System IP address is used in the NAS field. Parameters ip-address —...
  • Page 122 TCP Enhanced Authentication TCP Enhanced Authentication keychain Syntax [no] keychain keychain-name Context config>system>security Description This command enables the context to configure keychain parameters. A keychain must be configured on the system before it can be applied to a session. The no form of the command removes the keychain nodal context and everything under it from the configuration.
  • Page 123 Security Description This command configures keys for send or receive stream directions. Default none receive Syntax receive Context config>system>security>keychain>direction>uni Description This command enables the receive nodal context. Entries defined under this context are used to authenticate TCP segments that are being received by the router. Default none send...
  • Page 124 TCP Enhanced Authentication Parameters entry-id — Specifies an entry that represents a key configuration to be applied to a keychain. Values 0 — 63 key — Specifies a key ID which is used along with keychain-name and direction to uniquely identify this particular key entry.
  • Page 125 Security forever — Specifies that the key should always be active. end-time Syntax end-time [date][hours-minutes] [UTC] [now] [forever] Context config>system>security>keychain>direction>uni>receive>entry config>system>security>keychain>direction>uni>send>entry Description This command specifies the calendar date and time after which the key specified by the authentication key is no longer eligible to sign and/or authenticate the protocol stream. Default forever Parameters...
  • Page 126 TCP Enhanced Authentication Description This command enables the context to configure the TCP option number to be placed in the TCP packet header. receive Syntax receive option-number Context config>system>security>keychain>tcp-option-number Description This command configures the TCP option number accepted in TCP packets received. Default Parameters option-number —...
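The keychain commands on pages 122 to 126 define, per direction, a set of keyed entries that are each eligible between a begin-time and an end-time. The example below is added here and is not 7210 SAS code: it models key selection on the send side, verification on the receive side, and a rollover where the receive entry for the old key is kept open slightly longer than the send entry so that in-flight segments still verify. Assumptions not taken from the page: the MAC is HMAC-SHA1 truncated to 96 bits, the newest eligible send key is the one used, and the option payload (key id followed by the MAC) is a constructed stand-in for the real TCP option.

```python
"""Keychain key lifetimes per direction, signing and verification. Added example,
not 7210 SAS code; algorithm, tie-break and option layout are assumptions."""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass
class KeyEntry:
    entry_id: int                    # entry-id 0..63
    key_id: int                      # key id, carried in the TCP option
    secret: bytes                    # the authentication key
    begin: datetime                  # begin-time (UTC)
    end: Optional[datetime] = None   # end-time; None means forever


def utc(*args) -> datetime:
    return datetime(*args, tzinfo=timezone.utc)


def eligible(entry: KeyEntry, now: datetime) -> bool:
    return entry.begin <= now and (entry.end is None or now < entry.end)


def select_send_key(send_entries: List[KeyEntry], now: datetime) -> Optional[KeyEntry]:
    """Send key to sign with: the eligible entry with the latest begin-time (assumption)."""
    cands = [e for e in send_entries if eligible(e, now)]
    return max(cands, key=lambda e: e.begin) if cands else None


def mac96(secret: bytes, segment: bytes) -> bytes:
    # hmac-sha-1-96: HMAC-SHA1 truncated to 12 bytes (assumed algorithm)
    return hmac.new(secret, segment, hashlib.sha1).digest()[:12]


def sign_segment(send_entries: List[KeyEntry], segment: bytes, now: datetime) -> Optional[bytes]:
    """Return key_id || mac, or None when no send key is currently eligible."""
    key = select_send_key(send_entries, now)
    if key is None:
        return None
    return bytes([key.key_id]) + mac96(key.secret, segment)


def verify_segment(receive_entries: List[KeyEntry], segment: bytes, option: bytes, now: datetime) -> bool:
    """Accept only if the key id names an eligible receive entry whose MAC matches."""
    key_id, mac = option[0], option[1:]
    for e in receive_entries:
        if e.key_id == key_id and eligible(e, now):
            return hmac.compare_digest(mac96(e.secret, segment), mac)
    return False


# Constructed keychain: key 1 is rolled over to key 2; key 2 becomes eligible on
# 2009-01-25, key 1 stops being used for sending on 2009-02-01.
SEND = [
    KeyEntry(1, 1, b"old-shared-secret", utc(2009, 1, 1), utc(2009, 2, 1)),
    KeyEntry(2, 2, b"new-shared-secret", utc(2009, 1, 25)),
]
# The receive side keeps the old key one more day so segments signed just before
# the cut-over by a peer that has not yet switched still verify.
RECEIVE = [
    KeyEntry(1, 1, b"old-shared-secret", utc(2009, 1, 1), utc(2009, 2, 2)),
    KeyEntry(2, 2, b"new-shared-secret", utc(2009, 1, 25)),
]

SEGMENT = b"constructed TCP segment bytes"   # real implementations cover header fields too


def roundtrip(now: datetime) -> bool:
    option = sign_segment(SEND, SEGMENT, now)
    return option is not None and verify_segment(RECEIVE, SEGMENT, option, now)


if __name__ == "__main__":
    print(sign_segment(SEND, SEGMENT, utc(2009, 1, 10))[0])   # 1: only the old key is eligible
    print(sign_segment(SEND, SEGMENT, utc(2009, 1, 28))[0])   # 2: newest eligible key
    print(roundtrip(utc(2009, 1, 28)))                        # True
```

The overlap between the two entries is the operationally important part: if the send and receive end-times for key 1 were identical on both routers, any clock skew between peers would drop segments during the cut-over.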
  • Page 127 Security TTL Security Commands ttl-security Syntax ttl-security min-ttl-value no ttl-security Context config>router>ldp>peer-parameters>peer Description This command configures TTL security parameters for incoming packets. When the feature is enabled, LDP will accept incoming IP packets from a peer only if the TTL value in the packet is greater than or equal to the minimum TTL value configured for that peer.
  • Page 129: Table 6: Show System Security Access Group Output Fields

    Security Show Commands Security Commands access-group Syntax access-group [group-name] Context show>system>security Description This command displays SNMP access group information. Parameters group-name — This command displays information for the specified access group. Output Security Access Group Output — The following table describes security access group output fields.
  • Page 130: Table 7: Show System Security Authentication Output Fields

    Security Commands snmp-trap snmpv1 none snmp-trap snmpv2c none =============================================================================== A:ALA-7# authentication Syntax authentication [statistics] Context show>system>security Description This command displays system login authentication configuration and statistics. Parameters statistics — Appends login and accounting statistics to the display. Output Authentication Output — The following table describes system security authentication output fields.
  • Page 131 Security Sample Output A:ALA-4# show system security authentication =============================================================================== Authentication sequence : radius tacplus local =============================================================================== server address status type timeout(secs) single connection retry count ------------------------------------------------------------------------------- 10.10.10.103 radius 10.10.0.1 radius 10.10.0.2 radius 10.10.0.3 radius ------------------------------------------------------------------------------- radius admin status : down tacplus admin status : up health check : enabled...
  • Page 132: Table 8: Show Communities Output Fields

    Security Commands 10.10.0.1 10.10.0.2 10.10.0.3 =============================================================================== A:ALA-7# communities Syntax communities Context show>system>security Description This command displays SNMP communities. Output Communities Output — The following table describes community output fields. Table 8: Show Communities Output Fields Label Description The community string name for SNMPv1 and SNMPv2c access only. Community r —...
  • Page 133 Security keychain Syntax keychain [key-chain] [detail] Context show>system>security Description This command displays keychain information. Parameters key-chain — Specifies the keychain name to display. detail — Displays detailed keychain information. Sample Output *A:ALA-A# show system security keychain test =============================================================================== Key chain:test =============================================================================== TCP-Option number send : 254...
  • Page 134: Table 9: Show Management Access Filter Output Fields

    Security Commands management-access-filter Syntax management-access-filter [entry-id] Context show>system>security Description This command displays management access control filter information. If no specific entry number is specified, all entries are displayed. Parameters entry-id — Displays information about the specified management access filter entry. Default All filter entries Values...
  • Page 135: Table 10: Show Management Access Filter Output Fields

    Security Sample Output A:ALA-7# show system security management-access-filter ============================================================================= Management Access Filters ============================================================================= Def. Action : deny ----------------------------------------------------------------------------- Entry : 10 Description Src IP : 10.10.10.104 Src interface : undefined Dest port : 10.10.10.103 Protocol Action : permit Matches : 3876 ----------------------------------------------------------------------------- Entry : 20...
  • Page 136 Security Commands Table 10: Show Management Access Filter Output Fields (Continued) Label Description Displays the lockout period in minutes where the user is not allowed to Lockout period (when threshold login. breached) Authentication Displays the sequence in which password authentication is attempted order among RADIUS, TACACS+, and local passwords.
  • Page 137: Table 11: Show User Profile Output Fields

    Security Output User Profile Output — The following table describes user profile output fields. Table 11: Show User Profile Output Fields Label Description Displays the profile name used to deny or permit user console access to User Profile a hierarchical branch or to specific commands. Permit all —...
  • Page 138: Table 12: Show Source Address Output Fields

    Security Commands source-address Syntax source-address Context show>system>security Description This command displays source-address configured for applications. Output Source Address Output — The following table describes source address output fields. Table 12: Show Source Address Output Fields Label Description Displays the source-address application. Application IP address Displays the source address IP address or interface name.
  • Page 139 Security application6 Syntax application6 app ipv6-address Context config>system>security>source-address Description This command configures an application to use a source IPv6 address. Parameters app — telnet|traceroute|ping ipv6-address — x:x:x:x:x:x:x:x (eight 16-bit pieces) ssh Syntax ssh Context show>system>security Description This command displays all the SSH sessions as well as the SSH status and fingerprint. Output SSH Options Output —...
  • Page 140 Security Commands Sample output # show system security ssh ALA-7 SSH is enabled SSH preserve key: Enabled SSH protocol version 1: Enabled RSA host key finger print:c6:a9:57:cb:ee:ec:df:33:1a:cd:d2:ef:3f:b5:46:34 SSH protocol version 2: Enabled DSA host key finger print:ab:ed:43:6a:75:90:d3:fc:42:59:17:8a:80:10:41:79 ======================================================= Connection Encryption Username ======================================================= 192.168.5.218... Note that this sample shows SSH protocol version 1 enabled; SSHv1 is cryptographically weak and should be disabled wherever the software permits, leaving only version 2.
  • Page 141 Security Label Description (Continued) User permissions Console — Y - The user is authorized for console access. N- The user is not authorized for console access. FTP — Y - The user is authorized for FTP access. N - The user is not authorized for FTP access. SNMP —...
  • Page 142: Table 13: Show View Output Fields

    Security Commands new pwd console ftp snmp expires logins logins conf ------------------------------------------------------------------------------- admin never =============================================================================== =============================================================================== User Configuration Detail =============================================================================== user id : admin ------------------------------------------------------------------------------- console parameters ------------------------------------------------------------------------------- new pw required : no cannot change pw : no home directory : cf1:\ restricted to home : no login exec file...
  • Page 143 Security Sample Output A:ALA-48# show system security view =============================================================================== Views =============================================================================== view name oid tree mask permission ------------------------------------------------------------------------------- included read1 1.1.1.1 11111111 included write1 2.2.2.2 11111111 included testview 11111111 included testview 1.3.6.1.2 11111111 excluded mgmt-view 1.3.6.1.2.1.2 included mgmt-view 1.3.6.1.2.1.4 included mgmt-view 1.3.6.1.2.1.5 included...
  • Page 144: Table 14: Show Users Output Fields

    Login Control Login Control users Syntax users Context show Description Displays console user login and connection information. Output Users Output — The following table describes show users output fields. Table 14: Show Users Output Fields Label Description User The user name. The user is authorized this access type.
  • Page 145 Security Clear Commands Authentication Commands statistics Syntax statistics [interface ip-int-name | ip-address] Context clear>router>authentication Description This command clears authentication statistics. Parameters ip-int-name — Clears the authentication statistics for the specified interface name. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes ip-address —...
  • Page 146 Debug Commands Debug Commands radius Syntax radius [detail] [hex] no radius Context debug Description This command enables debugging for RADIUS connections. The no form of the command disables the debugging. Parameters detail — Displays detailed output. hex — Displays the packet dump in hex format.
  • Page 147: Snmp

    SNMP In This Chapter This chapter provides information to configure SNMP. Topics in this chapter include: • SNMP Overview on page 148 → SNMP Architecture on page 148 → Management Information Base on page 148 → SNMP Protocol Operations on page 149 →...
  • Page 148: Snmp Overview

    SNMP Overview SNMP Overview SNMP Architecture The Service Assurance Manager (SAM) is comprised of two elements: managers and agents. The manager is the entity through which network management tasks are facilitated. Agents interface managed objects. Managed devices, such as bridges, hubs, routers, and network servers can contain managed objects.
  • Page 149: Snmp Protocol Operations

    SNMP The SNMP agent provides management information to support a collection of IETF specified MIBs and a number of MIBs defined to manage device parameters and network data unique to Alcatel-Lucent’s router. SNMP Protocol Operations Between the SNMP agent and the SNMP manager the following actions can occur: •...
  • Page 150: Management Information Access Control

    SNMP Overview Management Information Access Control By default, the implementation of SNMP uses SNMPv3. SNMPv3 incorporates security model and security level features. A security model is the authentication type for the group and the security level is the permitted level of security within a security model. The combination of the security level and security model determines which security mechanism handles an SNMP packet.
  • Page 151: User-Based Security Model Community Strings

    SNMP User-Based Security Model Community Strings User-based security model (USM) community strings associate a community string with an SNMPv3 access group and its view. The access granted with a community string is restricted to the scope of the configured group. Views Views control the access to a managed object.
  • Page 152: Users

    SNMP Overview Users By default, authentication and encryption parameters are not configured. Authentication parameters which a user must use in order to be validated by the device can be modified. SNMP authentication allows the device to validate the managing node that issued the SNMP message and determine if the message has been tampered with.
  • Page 153: Which Snmp Version To Use

    SNMP Which SNMP Version to Use? SNMPv1 and SNMPv2c do not provide security, authentication, or encryption. Without authentication, an unauthorized user could perform SNMP network management functions and eavesdrop on management information as it passes from system to system. Many SNMPv1 and SNMPv2c implementations are restricted to read-only access, which, in turn, reduces the effectiveness of a network monitor in which network control applications cannot be supported.
  • Page 154: Figure 3: Snmpv1 And Snmpv2C Configuration And Implementation Flow

    Which SNMP Version to Use? Figure 3: SNMPv1 and SNMPv2c Configuration and Implementation Flow (flowchart; nodes: START; SNMPv3?; USE PREDEFINED ACCESS GROUP CONFIGURATION?; CONFIGURE COMMUNITY STRING WITH R, RW, RWA ACCESS (SNMPv1 & SNMPv2c ONLY); CONFIGURE VIEWS; CONFIGURE ACCESS GROUPS; CONFIGURE USM COMMUNITY; CONFIGURE SNMP USERS; EXIT)
  • Page 155: Configuration Notes

    SNMP Configuration Notes This section describes SNMP configuration caveats. General • To avoid management systems attempting to manage a partially booted system, SNMP will remain in a shut down state if the configuration file fails to complete during system startup. While shutdown, SNMP gets and sets are not processed. However, notifications are issued if an SNMP trap group has been configured.
  • Page 157: Configuring Snmp With Cli

    SNMP Configuring SNMP with CLI This section provides information about configuring SNMP with CLI. Topics in this chapter include: • SNMP Configuration Overview on page 158 • Basic SNMP Security Configuration on page 159 • Configuring SNMP Components on page 160
  • Page 158: Snmp Configuration Overview

    SNMP Configuration Overview SNMP Configuration Overview This section describes how to configure SNMP components which apply to SNMPv1 and SNMPv2c, and SNMPv3 on the router. • Configuring SNMPv1 and SNMPv2c on page 158 • Configuring SNMPv3 on page 158 Configuring SNMPv1 and SNMPv2c Alcatel-Lucent routers are based on SNMPv3.
  • Page 159: Basic Snmp Security Configuration

    SNMP Basic SNMP Security Configuration This section provides information to configure SNMP parameters and provides examples of common configuration tasks. The minimal SNMP parameters are: SNMPv1 and SNMPv2c: • Configure community string parameters. SNMPv3: • Configure view parameters • Configure SNMP group •...
  • Page 160: Configuring Snmp Components

    Configuring SNMP Components Configuring SNMP Components Use the CLI syntax displayed below to configure the following SNMP scenarios: • Configuring a Community String on page 160 • Configuring View Options on page 161 • Configuring Access Options on page 162 •...
  • Page 161: Configuring View Options

    SNMP Configuring View Options Use the following CLI syntax to configure view options: CLI Syntax: config>system>security>snmp view view-name subtree oid-value mask mask-value [type {included|excluded}] The following displays a view configuration example: ALA-1>config>system>security>snmp# info ---------------------------------------------- view testview subtree 1 mask ff exit view testview subtree 1.3.6.1.2 mask ff type excluded...
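A view entry is a subtree, a hex mask and a type, and a manager's OID is in the view only after the entries are resolved against each other: the testview above includes everything under 1 but carves out 1.3.6.1.2. The evaluator below is an added example and not 7210 SAS code. It follows the RFC 3415 (VACM) rules that such a configuration implies: a mask bit of 1 means the corresponding sub-identifier must match, bits missing from a short mask count as 1, and where several entries cover an OID the longest subtree (then the lexicographically greatest) decides. The second view, IFROW3_VIEW, is constructed to show a wildcard mask, which the page's own example does not use.

```python
"""Evaluation of SNMP view subtree/mask/type entries (VACM, RFC 3415).
Added example, not 7210 SAS code; IFROW3_VIEW is a constructed wildcard view."""
from typing import List, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    return tuple(int(x) for x in text.strip(".").split("."))


def mask_bits(hex_mask: str, length: int) -> List[int]:
    """Expand a hex mask such as 'ff' into one bit per subtree sub-identifier."""
    bits: List[int] = []
    for byte in bytes.fromhex(hex_mask):
        bits.extend((byte >> (7 - i)) & 1 for i in range(8))
    bits = bits[:length]
    return bits + [1] * (length - len(bits))   # a short mask is padded with 1 bits


def covers(subtree: OID, mask: List[int], oid: OID) -> bool:
    """The entry covers the OID if every masked-in sub-identifier matches."""
    if len(oid) < len(subtree):
        return False
    return all(not bit or oid[i] == sub for i, (sub, bit) in enumerate(zip(subtree, mask)))


def in_view(view: List[Tuple[str, str, str]], oid_text: str) -> bool:
    """view: list of (subtree, mask, type) with type 'included' or 'excluded'.
    Of the covering entries, the longest subtree wins; ties go to the greater one."""
    oid = parse_oid(oid_text)
    best: Optional[Tuple[Tuple[int, OID], str]] = None
    for subtree_text, hex_mask, vtype in view:
        subtree = parse_oid(subtree_text)
        if covers(subtree, mask_bits(hex_mask, len(subtree)), oid):
            key = (len(subtree), subtree)
            if best is None or key > best[0]:
                best = (key, vtype)
    return best is not None and best[1] == "included"


# The testview from the configuration example: everything under 1 except the
# mib-2 subtree 1.3.6.1.2.
TESTVIEW = [("1", "ff", "included"), ("1.3.6.1.2", "ff", "excluded")]

# Constructed view with a wildcard: any column of ifTable row 3 (ifIndex 3).
# The subtree 1.3.6.1.2.1.2.2.1.0.3 has 11 sub-identifiers; mask ffa0 clears the
# tenth bit (the column position), so the placeholder 0 there matches anything.
IFROW3_VIEW = [("1.3.6.1.2.1.2.2.1.0.3", "ffa0", "included")]


if __name__ == "__main__":
    print(in_view(TESTVIEW, "1.3.6.1.4.1"))                 # True: enterprises is under 1
    print(in_view(TESTVIEW, "1.3.6.1.2.1.1.1.0"))           # False: sysDescr.0 is under 1.3.6.1.2
    print(in_view(IFROW3_VIEW, "1.3.6.1.2.1.2.2.1.2.3"))    # True: ifDescr.3
    print(in_view(IFROW3_VIEW, "1.3.6.1.2.1.2.2.1.2.4"))    # False: ifDescr.4
```

When auditing a view, run the OIDs a manager actually needs through an evaluator like this rather than reading the entries by eye: the longest-match rule means an excluded entry deeper in the tree silently overrides an included parent.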
  • Page 162: Configuring Access Options

    Configuring SNMP Components Configuring Access Options The access group command creates an association between a user group, a security model and the access views that the user group can access. Access must be configured unless security is limited to the preconfigured access groups and views for SNMPv1 and SNMPv2c. An access group is defined by a unique combination of the group name, security model and security level.
  • Page 163 SNMP Use the following CLI syntax to configure user group and authentication parameters: CLI Syntax: config>system>security# user user-name access [ftp] [snmp] [console] snmp authentication [none]|[[hash]{md5 key|sha key } privacy {none|des-key key}] group group-name The following displays a user’s SNMP configuration example. A:ALA-1>config>system>security# info ---------------------------------------------- user "testuser"...
  • Page 164: Configuring Usm Community Options

    Configuring SNMP Components Configuring USM Community Options User-based security model (USM) community strings associate a community string with an SNMPv3 access group and its view. The access granted with a community string is restricted to the scope of the configured group. By default, the implementation of SNMP uses SNMPv3.
  • Page 165: Configuring Other Snmp Parameters

    SNMP Configuring Other SNMP Parameters Use the following CLI syntax to modify the system SNMP options: CLI Syntax: config>system>snmp engineID engine-id general-port port packet-size bytes no shutdown The following example displays the system SNMP default values: A:ALA-104>config>system>snmp# info detail ---------------------------------------------- shutdown engineID "0000xxxx000000000xxxxx00"...
  • Page 166 Configuring SNMP Components Page 166 7210 SAS-E OS System Management Guide...
  • Page 167: Snmp Command Reference

    SNMP SNMP Command Reference Command Hierarchies Configuration Commands SNMP System Commands config — system — snmp — engineID engine-id — no engineID — general-port port — no general-port — packet-size bytes — no packet-size — [no] shutdown SNMP Security Commands config —...
  • Page 168 SNMP Command Reference The following commands configure user-specific SNMP features. Refer to the Security section for CLI syntax and command descriptions. config — system — security — [no] user user-name — [no] snmp — authentication {[none] | [[hash] {md5 key-1 | sha key-1} privacy {none | des-key key-2}] —...
  • Page 169 SNMP Configuration Commands SNMP System Commands engineID Syntax [no] engineID engine-id Context config>system>snmp Description This command sets the SNMP engineID to uniquely identify the SNMPv3 node. By default, the engineID is generated using information from the system backplane. If the SNMP engine ID is changed in the config>system>snmp>engineID engine-id context, the current configuration must be saved and a reboot must be executed.
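As an added example that is not code from the guide or from Alcatel-Lucent, the following Python derives the localized SNMPv3 USM authentication and privacy keys per RFC 3414 from a pass phrase and the agent's engineID. The inputs are the ones the CLI forms above deal with: the `md5 key` / `sha key` / `des-key key` values of the user `snmp authentication` syntax (page 163) and the hex engineID string printed by `show system information`. Whether a given release takes the localized key or the pass phrase on the command line is not stated on this page and is an assumption in the code. Because the localized key is a function of the engineID, every USM key localized against the old engineID stops working once the engineID changes, which is one practical consequence of the save-and-reboot requirement described above.

```python
import hashlib
from typing import Dict, Optional

MEGABYTE = 1_048_576  # RFC 3414 A.2: the pass phrase is expanded to 1,048,576 octets


def password_to_ku(password: str, algo: str) -> bytes:
    """RFC 3414 A.2.1/A.2.2: hash the pass phrase repeated cyclically to 1 MiB.
    algo is 'md5' or 'sha1' (the CLI's 'sha' keyword)."""
    pw = password.encode()
    if not pw:
        raise ValueError("empty pass phrase")
    h = hashlib.new(algo)
    h.update((pw * (MEGABYTE // len(pw) + 1))[:MEGABYTE])
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str) -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || snmpEngineID || Ku).
    The result is bound to one agent's engineID."""
    return hashlib.new(algo, ku + engine_id + ku).digest()


def engine_id_from_cli(text: str) -> bytes:
    """Convert the hex engineID string the CLI prints (for example in
    'show system information' or 'info detail') to bytes."""
    text = text.strip().strip('"')
    if text.lower().startswith("0x"):
        text = text[2:]
    return bytes.fromhex(text)


def usm_keys(password: str, engine_id_hex: str, auth: str = "sha",
             priv_password: Optional[str] = None) -> Dict[str, str]:
    """Localized keys for an SNMPv3 user. auth is 'md5' or 'sha' as in the
    CLI's 'authentication {md5 key | sha key}'. The DES privacy key is the
    first 8 octets of the localized privacy key and the next 8 octets are
    the pre-IV (RFC 3414 8.1.1.1). Assumption: the CLI key values are these
    localized keys in hex; the page does not say which form it expects."""
    algo = {"md5": "md5", "sha": "sha1"}[auth]
    eid = engine_id_from_cli(engine_id_hex)
    keys = {"auth_key": localize_key(password_to_ku(password, algo), eid, algo).hex()}
    if priv_password is not None:
        priv = localize_key(password_to_ku(priv_password, algo), eid, algo)
        keys["des_key"] = priv[:8].hex()
        keys["des_pre_iv"] = priv[8:16].hex()
    return keys


if __name__ == "__main__":
    # RFC 3414 Appendix A.3 test vector: 'maplesyrup' against engineID 00..02
    print(usm_keys("maplesyrup", "000000000000000000000002", "md5"))
    # Same pass phrase against the engineID string from the guide's sample
    # output: a different engineID yields a different localized key.
    print(usm_keys("maplesyrup", "0000197f00000479ff000000", "sha", priv_password="maplesyrup"))
```

The first call reproduces the RFC 3414 Appendix A.3 vectors, which is the quickest way to check any key tool before trusting it with a real engineID; the second shows that the same pass phrase produces unrelated key material for another agent.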
  • Page 170 SNMP System Commands The no form of the command reverts to the default value. Default Parameters port-number — The port number used to send SNMP traffic other than traps. Values 1 — 65535 (decimal) packet-size Syntax packet-size bytes no packet-size Context config>system>snmp Description...
  • Page 171 SNMP The no form of the command administratively enables SNMP which is the default state. Default no shutdown
  • Page 172 SNMP Security Commands SNMP Security Commands access group Syntax [no] access group group-name security-model security-model security-level security-level [context context-name [prefix-match]] [read view-name-1] [write view-name-2] [notify view-name-3] Context config>system>security>snmp Description This command creates an association between a user group, a security model, and the views that the user group can access.
  • Page 173 SNMP The context-name is treated as either a full context-name string or a context name prefix depending on the keyword specified (exact or prefix). read view-name — Specifies the keyword and variable of the view to read the MIB objects. This command must be configured for each view to which the group has read access.
  • Page 174 SNMP Security Commands lockout minutes2 — The lockout period in minutes during which the host is not allowed to log in. When the host exceeds the configured number of attempts within the specified time, that host is locked out from any further login attempts for the configured period. Default Values 0 —...
  • Page 175 SNMP For example, the MIB subtree that represents MIB-II is 1.3.6.1.2.1. The mask that catches all MIB-II would be 0xfc or 0b11111100. Only a single mask may be configured per view and OID value combination. If more than one entry is configured, each subsequent entry overwrites the previous entry.
  • Page 176 SNMP Security Commands usm-community Syntax usm-community community-string group group-name no usm-community community-string Context config>system>security>snmp Description This command is used to associate a community string with an SNMPv3 access group and its view. The access granted with a community string is restricted to the scope of the configured group. Alcatel-Lucent’s SR OS implementation of SNMP uses SNMPv3.
  • Page 177 SNMP oid-value — The object identifier (OID) value for the view-name. This value, for example, 1.3.6.1.6.3.11.2.1, combined with the mask and include and exclude statements, configures the access available in the view. It is possible to have a view with different subtrees with their own masks and include and exclude statements.
  • Page 179: Table 15: Counters Output Fields

    SNMP Show Commands counters Syntax counters Context show>snmp Description This command displays SNMP counters information. SNMP counters will continue to increase even when SNMP is shut down. Some internal modules communicate using SNMP packets. Output Counters Output — The following table describes SNMP counters output fields. Table 15: Counters Output Fields Label Description...
  • Page 180: Table 16: Show System Information Output Fields

    Show Commands ------------------------------------------------------------------------------ in gets : 93 in getnexts : 0 in sets : 370 out packets: ------------------------------------------------------------------------------ out get responses : out traps variables requested: variables set ============================================================================== A:ALA-1# information Syntax information Context show>system Description This command lists the SNMP configuration and statistics. Output System Information Output Fields —...
  • Page 181 SNMP Table 16: Show System Information Output Fields (Continued) Label Description Persistent — Persistent indexes at the last system reboot SNMP Index Boot Status was enabled. Disabled — Persistent indexes at the last system reboot was disabled. The state when the synchronization of configuration files SNMP Sync State between the primary and secondary s finish.
  • Page 182 Show Commands Table 16: Show System Information Output Fields (Continued) Label Description Displays the time the configuration was most recently saved. Time Last Saved Yes — The configuration changed since the last save. Changes Since Last Save No — The configuration has not changed since the last save. Displays the time of the last modification.
  • Page 183 SNMP Sample Output A:ALA-1# show system information =============================================================================== System Information =============================================================================== System Name : ALA-1 System Type System Version : B-0.0.I1204 System Contact System Location System Coordinates System Active Slot System Up Time : 1 days, 02:12:57.84 (hr:min:sec) SNMP Port : 161 SNMP Engine ID : 0000197f00000479ff000000...
  • Page 184: Table 17: Show System Information Output Fields

    Show Commands Next Hop 128.251.10.0/23 192.168.1.251 172.22.184.0/22 192.168.1.251 ATM Location ID : 01:00:00:00:00:00:00:00:00:00:00:00:00:00:00:00 ATM OAM Retry Up ATM OAM Retry Down ATM OAM Loopback Period: 10 =============================================================================== A:ALA-1# access-group Syntax access-group group-name Context show>system>security Description This command displays access-group information. Output System Information Output —...
  • Page 185 SNMP snmp-rw snmpv2c none no-security no-security no-security snmp-rwa snmpv1 none snmp-rwa snmpv2c none snmp-trap snmpv1 none snmp-trap snmpv2c none ------------------------------------------------------------------------------- No. of Access Groups: 8 =============================================================================== A:ALA-1# A:ALA-1# show system security access-group detail =============================================================================== Access Groups =============================================================================== group name security security read write...
  • Page 186 Show Commands Label Description radius admin status — The administrative status of the RADIUS protocol operation. tacplus admin status — The administrative status of the TACACS+ protocol operation. health check — Specifies whether the RADIUS and TACACS+ servers will be periodically monitored. Each server will be contacted every 30 seconds. If in this process a server is found to be unreachable, or a previously unreachable server starts responding, based on the type of the server, a trap will be sent.
  • Page 187: Table 18: Show Communities Output Fields

    SNMP Table 18: Show Communities Output Fields Label Description Community — The community string name for SNMPv1 and SNMPv2c access only. Access r — The community string allows read-only access. rw — The community string allows read-write access. rwa — The community string allows read-write-all access. mgmt —...
  • Page 188 Show Commands Output Password-Options Output — The following table describes password-options output fields. Label Description Password aging in days — Number of days a user password is valid before the user must change his password. Number of invalid attempts permitted — Displays the maximum number of unsuccessful login attempts allowed for a user.
  • Page 189 SNMP Output Per-Peer_Queuing Output — The following table describes the per-peer-queuing output fields. Label Description Displays whether per-peer-queuing is enabled or disabled. When Per Peer Queuing enabled, a peering session is established and the router will automati- cally allocate a separate hardware queue for that peer. When disabled, no hardware queuing per peer occurs.
  • Page 190 Show Commands Label Description none — No action is given to the user profile when none of the Def. Action entries match the command. permit-all — The action to be taken when an entry matches the command. 10 - 80 — Each entry represents the configuration for a system Entry user.
  • Page 191 SNMP =============================================================================== User Profile : default Def. Action : none ------------------------------------------------------------------------------- Entry : 10 Description Match Command: exec Action : permit ------------------------------------------------------------------------------- Entry : 20 Description Match Command: exit Action : permit ------------------------------------------------------------------------------- Entry : 30 Description Match Command: help Action : permit -------------------------------------------------------------------------------...
  • Page 192: Table 19: Show Ssh Output Fields

    Show Commands Output SSH Options Output — The following table describes SSH output fields. Table 19: Show SSH Output Fields Label Description SSH status: SSH is enabled — Displays that the SSH server is enabled. SSH is disabled — Displays that the SSH server is disabled. Key fingerprint — The key fingerprint is the server’s identity.
  • Page 193: Table 20: Show User Output Fields

    SNMP user Syntax user [user-id] [detail] Context show>system>security Description This command displays user information. Output User Output — The following table describes user information output fields. Table 20: Show User Output Fields Label Description User ID — The name of a system user. Yes —...
  • Page 194: Table 21: Show System Security View Output Fields

    Show Commands view Syntax view [view-name] [detail] Context show>system>security Description This command lists one or all views and permissions in the MIB-OID tree. Output System Security View Output — The following table describes system security view output fields. Table 21: Show System Security View Output Fields Label Description View name...
  • Page 195 SNMP A:ALA-1# show system security view no-security detail =============================================================================== Views =============================================================================== view name oid tree mask permission ------------------------------------------------------------------------------- no-security included no-security 1.3.6.1.6.3 excluded no-security 1.3.6.1.6.3.10.2.1 included no-security 1.3.6.1.6.3.11.2.1 included no-security 1.3.6.1.6.3.15.1.1 included ------------------------------------------------------------------------------- No. of Views: 5 =============================================================================== ======================================= no-security used in ======================================= group name ---------------------------------------...
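The following Python, an added example rather than anything from the guide or from SR OS, implements the subtree/mask/include-exclude view matching described under the `view` command (page 177) and checks OIDs against the `no-security` view listed in the `show system security view` output above. It follows the RFC 3415 view-family rules that the mask description implies: each mask bit governs one sub-identifier (1 means must match, 0 is a wildcard, bits beyond the end of the mask count as 1), and when several entries match an OID the one with the longest subtree decides. Assumptions: the first row's empty oid-tree column is the root subtree `1`, every listed entry uses mask `ff` (the output does not show masks), and a subtree without `type` is `included`, as the page 161 example implies.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass(frozen=True)
class ViewEntry:
    subtree: Tuple[int, ...]   # OID sub-identifiers, e.g. (1, 3, 6, 1, 6, 3)
    mask: bytes                # one bit per sub-identifier, MSB first
    included: bool             # type included / excluded


def parse_oid(text: str) -> Tuple[int, ...]:
    return tuple(int(x) for x in text.strip(".").split("."))


def mask_bit(mask: bytes, i: int) -> int:
    """Bit i of the mask (0-based, MSB first). RFC 3415: bits past the end of a
    short mask are treated as 1, i.e. the sub-identifier must match."""
    byte = i // 8
    if byte >= len(mask):
        return 1
    return (mask[byte] >> (7 - (i % 8))) & 1


def entry_matches(entry: ViewEntry, oid: Tuple[int, ...]) -> bool:
    """A family matches an OID that is at least as long as its subtree when
    every sub-identifier whose mask bit is 1 is equal."""
    if len(entry.subtree) > len(oid):
        return False
    return all(mask_bit(entry.mask, i) == 0 or sub == oid[i]
               for i, sub in enumerate(entry.subtree))


VIEW_LINE = re.compile(r"^view\s+(\S+)\s+subtree\s+([\d.]+)\s+mask\s+(?:0x)?([0-9a-fA-F]+)"
                       r"(?:\s+type\s+(included|excluded))?\s*$")


def parse_view_config(lines: List[str]) -> Dict[str, List[ViewEntry]]:
    """Build views from lines in the guide's CLI form:
    view <name> subtree <oid> mask <hex> [type {included|excluded}]"""
    views: Dict[str, List[ViewEntry]] = {}
    for line in lines:
        line = line.strip()
        if not line or line == "exit":
            continue
        m = VIEW_LINE.match(line)
        if not m:
            raise ValueError(f"unrecognised view line: {line!r}")
        name, oid, mask, typ = m.groups()
        views.setdefault(name, []).append(
            ViewEntry(parse_oid(oid), bytes.fromhex(mask), typ != "excluded"))
    return views


def view_permits(entries: List[ViewEntry], oid_text: str) -> bool:
    """Decide access to one OID: among matching families the longest subtree
    wins (ties: lexicographically greatest subtree) and its type decides.
    No matching family means no access."""
    oid = parse_oid(oid_text)
    matching = [e for e in entries if entry_matches(e, oid)]
    if not matching:
        return False
    best = max(matching, key=lambda e: (len(e.subtree), e.subtree))
    return best.included


# The no-security view from the show output above, re-expressed as config lines.
# Assumed: first row is subtree 1, all masks ff.
NO_SECURITY = parse_view_config([
    "view no-security subtree 1 mask ff",
    "view no-security subtree 1.3.6.1.6.3 mask ff type excluded",
    "view no-security subtree 1.3.6.1.6.3.10.2.1 mask ff",
    "view no-security subtree 1.3.6.1.6.3.11.2.1 mask ff",
    "view no-security subtree 1.3.6.1.6.3.15.1.1 mask ff",
])["no-security"]

# Constructed view with a wildcard: mask fd (1111 1101) frees the 7th sub-identifier,
# so one entry covers 1.3.6.1.4.1.<anything>.1.
ROW_VIEW = parse_view_config(["view row subtree 1.3.6.1.4.1.0.1 mask fd"])["row"]


if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.12.1.1.0", "1.3.6.1.6.3.10.2.1.1.0"):
        print(oid, "included" if view_permits(NO_SECURITY, oid) else "excluded")
```

With these rules `1.3.6.1.6.3.10.2.1.1.0` (snmpEngineID) is reachable although the `excluded` family `1.3.6.1.6.3` also matches it, because the longer `included` family wins; an object under `1.3.6.1.6.3.12` has no such longer family and is excluded. Checking a candidate view this way before binding it to an access group avoids the usual surprise of an `excluded` subtree that a later, longer `included` subtree quietly re-opens.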
  • Page 197: Event And Accounting Logs

    Event and Accounting Logs In This Chapter This chapter provides information about configuring event and accounting logs in the 7210 SAS. Topics in this chapter include: • Logging Overview on page 198 • Log Destinations on page 200 • Event Logs on page 205 →...
  • Page 198: Logging Overview

    Logging Overview Logging Overview The two primary types of logging supported in the 7210 SAS OS are event logging and accounting logs. Event logging controls the generation, dissemination and recording of system events for monitoring status and troubleshooting faults within the system. The 7210 SAS groups events into three major categories or event sources: •...
  • Page 199 Event and Accounting Logs Events that are suppressed by event control will not generate any event log entries. Event control maintains a count of the number of events generated (logged) and dropped (suppressed) for each application event. The severity of an application event can be configured in event control. An event log within the 7210 SAS OS associates the event sources with logging destinations.
  • Page 200: Log Destinations

    Log Destinations Log Destinations Both event logs and accounting logs use a common mechanism for referencing a log destination. 7210 SAS-Series devices support the following log destinations: • Console on page 200 • Session on page 200 • Memory Logs on page 200 •...
  • Page 201: Log Files

    Event and Accounting Logs Log Files Log files can be used by both event logs and accounting logs and are stored on the compact flash devices (specifically cf1:) in the file system. A log file is identified with a single log file ID, but a log file will generally be composed of a number of individual files in the file system.
  • Page 202 Log Destinations Accounting log files are created in the \act-collect directory on a compact flash device (specifically cf1 or cf2). The naming convention for accounting log files is nearly the same as for log files except the prefix is used instead of the prefix .
  • Page 203: Snmp Trap Group

    Event and Accounting Logs SNMP Trap Group An event log can be configured to send events to SNMP trap receivers by specifying an SNMP trap group destination. An SNMP trap group can have multiple trap targets. Each trap target can have different operational parameters.
  • Page 204: Table 23: 7210 Sas-Series To Syslog Severity Level Mappings

    Log Destinations Because syslog uses eight severity levels whereas the 7210 SAS-Series uses six internal severity levels, the severity levels are mapped to syslog severities. Table 23 displays the severity level mappings to syslog severities. Table 23: 7210 SAS-Series to Syslog Severity Level Mappings Severity Level Numerical Severity Syslog...
  • Page 205: Event Logs

    Event and Accounting Logs Event Logs Event logs are the means of recording system generated events for later analysis. Events are messages generated by applications or processes within the 7210 SAS. Figure 4 depicts a function block diagram of event logging, from the event sources through event control and the log manager to the log destinations.
  • Page 206: Event Sources

    Event Logs Event Sources In Figure 4, the event sources are the main categories of events that feed the log manager. • Security — The security event source is all events that affect attempts to breach system security such as failed login attempts, attempts to access MIB tables to which the user is not granted access or attempts to enter a branch of the CLI to which access has not been granted.
  • Page 207: Figure 5: Show Log Applications Command Output

    Event and Accounting Logs *A:ALU-7210# show log applications ================================== Log Event Application Names ================================== Application Name ---------------------------------- CHASSIS DEBUG DOT1AG DOT1X EFM_OAM FILTER IGMP LOGGER MIRROR PORT SECURITY SNMP SVCMGR SYSTEM USER VRTR ================================== *A:ALU-7210# Figure 5: Show Log Applications Command Output
  • Page 208: Event Control

    Event Logs Event Control Event control pre-processes the events generated by applications before the event is passed into the main event stream. Event control assigns a severity to application events and can either forward the event to the main event source or suppress the event. Suppressed events are counted in event control, but these events will not generate log entries as they never reach the log manager.
  • Page 209 Event and Accounting Logs 2005 fibAddFailed SYSTEM: 2001 stiDateAndTimeChanged 2002 ssiSaveConfigSucceeded 2003 ssiSaveConfigFailed 2004 sbiBootConfig 2005 sbiBootSnmpd VRTR: 2001 tmnxVRtrMidRouteTCA 2002 tmnxVRtrHighRouteTCA 2003 tmnxVRtrHighRouteCleared ======================================================================= router#
  • Page 210: Log Manager And Event Logs

    Event Logs Log Manager and Event Logs Events that are forwarded by event control are sent to the log manager. The log manager manages the event logs in the system and the relationships between the log sources, event logs and log destinations, and log filter policies.
  • Page 211: Event Filter Policies

    Event and Accounting Logs Event Filter Policies The log manager uses event filter policies to allow fine control over which events are forwarded or dropped based on various criteria. Like other policies in the 7210 SAS, filter policies have a default action.
  • Page 212: Event Log Entries

    Event Logs Event Log Entries Log entries that are forwarded to a destination are formatted in a way appropriate for the specific destination whether it be recorded to a file or sent as an SNMP trap, but log event entries have common elements or properties.
  • Page 213 Event and Accounting Logs Table 25: Log Entry Field Descriptions (Continued) Label Description The severity level name of the event. <severity> CLEARED — A cleared event (severity number 1). INFO — An indeterminate/informational severity event (severity level 2). CRITICAL — A critical severity event (severity level 3). MAJOR —...
  • Page 214: Simple Logger Event Throttling

    Event Logs Simple Logger Event Throttling Simple event throttling provides a mechanism to protect event receivers from being overloaded when a scenario causes many events to be generated in a very short period of time. A throttling rate, # events/# seconds, can be configured. Specific event types can be configured to be throttled. Once the throttling event limit is exceeded in a throttling interval, any further events of that type cause the dropped events counter to be incremented.
  • Page 215: Default System Log

    Event and Accounting Logs Default System Log Log 99 is a pre-configured memory-based log which logs events from the main event source (not security, debug, etc.). Log 99 exists by default. The following example displays the log 99 configuration. ALA-1>config>log# info detail #------------------------------------------ echo "Log Configuration "...
  • Page 216: Accounting Logs

    Accounting Logs Accounting Logs Before an accounting policy can be created a target log file must be created to collect the accounting records. The files are stored on the compact flash (cf1:) in a compressed (tar) XML format and can be retrieved using FTP or SCP. A file ID can only be assigned to either one event log ID or one accounting log.
  • Page 217: Table 27: Accounting Record Name Details

    Event and Accounting Logs Table 27: Accounting Record Name Details Record Name Sub-Record Field Field Description Service-ingress-octets (sio) (**) SvcId SapId MeterId InProfileOctetsForwarded OutOfProfileOctetsForwarded Service-ingress-packets (sip) (*) (**) SvcId SapId MeterId InProfilePktsForwarded OutOfProfilePktsForwarded Network-ingress-octets (nio) port PortId MeterId InProfileOctetsForwarded OutOfProfileOctetsForwarded Network-ingress-packets (nip) port PortId...
  • Page 218: Configuration Notes

    Configuration Notes Configuration Notes This section describes logging configuration caveats. • A file or filter cannot be deleted if it has been applied to a log. • File IDs, syslog IDs, or SNMP trap groups must be configured before they can be applied to a log ID.
  • Page 219: Configuring Logging With Cli

    Event and Accounting Logs Configuring Logging with CLI This section provides information to configure logging using the command line interface. Topics in this section include: • Log Configuration Overview on page 220 → Log Types on page 220 • Basic Event Log Configuration on page 221 •...
  • Page 220: Log Configuration Overview

    Log Configuration Overview Log Configuration Overview Configure logging parameters to save information in a log file or direct the messages to other devices. Logging does the following: • Provides you with logging information for monitoring and troubleshooting. • Allows you to select the types of logging information to be recorded. •...
  • Page 221: Basic Event Log Configuration

    Event and Accounting Logs Basic Event Log Configuration The most basic log configuration must have the following: • Log ID or accounting policy ID • A log source • A log destination The following displays a log configuration example. A:ALA-12>config>log# info #------------------------------------------ echo "Log Configuration "...
  • Page 222: Common Configuration Tasks

    Common Configuration Tasks Common Configuration Tasks The following sections are basic system tasks that must be performed. • Configuring a File ID on page 224 • Configuring an Event Log on page 222 • Configuring an Accounting Policy on page 225 •...
  • Page 223 Event and Accounting Logs The following displays a log file configuration example: ALA-12>config>log>log-id# info ---------------------------------------------- log-id 2 description "This is a test log file." filter 1 from main security to file 1 exit ---------------------------------------------- ALA-12>config>log>log-id#
  • Page 224: Configuring A File Id

    Common Configuration Tasks Configuring a File ID To create a log file, a file ID is defined that specifies the target CF drive and the rollover and retention periods for the file. The rollover interval is defined in minutes and determines how long a file will be used before it is closed and a new log file is created.
  • Page 225: Configuring An Accounting Policy

    Event and Accounting Logs Configuring an Accounting Policy Before an accounting policy can be created a target log file must be created to collect the accounting records. The files are stored on the compact flash (cf1:) in a compressed (tar) XML format and can be retrieved using FTP or SCP.
  • Page 226: Configuring Event Control

    Common Configuration Tasks Configuring Event Control Use the following CLI syntax to configure event control. Note that the throttle parameter used in the event-control command syntax enables throttling for a specific event type. The config>log>throttle-rate command configures the number of events and interval length to be applied to all event types that have throttling enabled by this event-control command.
  • Page 227: Configuring Throttle Rate

    Event and Accounting Logs Configuring Throttle Rate This command configures the number of events and interval length to be applied to all event types that have throttling enabled by the event-control command. Use the following CLI syntax to configure the throttle rate. CLI Syntax: config>log# throttle-rate events [interval seconds] The following displays a throttle rate configuration example:...
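Added example, not code from the guide: a small Python model of the simple logger event throttling described on page 214 as it is configured here, with a global `throttle-rate events interval seconds` and per-event `event-control ... generate [severity] [throttle]` or `suppress`. Event names are taken from the guide's `show log event-control` output; the timestamps are constructed. Assumptions, also marked in the code: throttling intervals are fixed windows aligned to multiples of the interval, the limit is counted per event type, and both suppressed and throttled events go to that event's dropped counter instead of the log manager.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class EventControl:
    """One 'event-control <app> <event> {generate [severity] [throttle] | suppress}' entry."""
    severity: str = "info"
    suppress: bool = False
    throttle: bool = False
    generated: int = 0   # events passed on to the log manager
    dropped: int = 0     # events suppressed or throttled (never logged)


@dataclass
class ThrottledLogger:
    """Event control in front of the log manager, with the global
    'throttle-rate <events> interval <seconds>' applied to throttled event types."""
    rate: int
    interval: int
    controls: Dict[Tuple[str, str], EventControl] = field(default_factory=dict)
    windows: Dict[Tuple[str, str], Tuple[int, int]] = field(default_factory=dict)
    forwarded: List[tuple] = field(default_factory=list)

    def event_control(self, app, event, *, suppress=False, severity="info", throttle=False):
        self.controls[(app, event)] = EventControl(severity, suppress, throttle)

    def emit(self, t: float, app: str, event: str, text: str) -> bool:
        """Process one event raised at time t (seconds). Returns True if it
        reached the log manager, False if event control dropped it."""
        key = (app, event)
        ctl = self.controls.setdefault(key, EventControl())
        if ctl.suppress:
            ctl.dropped += 1
            return False
        if ctl.throttle:
            # Assumption: throttling intervals are fixed windows aligned to
            # multiples of the configured interval; the guide does not say
            # how the windows are aligned.
            window = int(t // self.interval)
            seen_window, count = self.windows.get(key, (window, 0))
            if seen_window != window:
                seen_window, count = window, 0
            if count >= self.rate:
                self.windows[key] = (seen_window, count)
                ctl.dropped += 1
                return False
            self.windows[key] = (seen_window, count + 1)
        ctl.generated += 1
        self.forwarded.append((t, app, event, ctl.severity, text))
        return True


def demo():
    """throttle-rate 2 interval 10, one throttled event type, one suppressed,
    one left at its defaults."""
    log = ThrottledLogger(rate=2, interval=10)
    log.event_control("SYSTEM", "ssiSaveConfigFailed", severity="major", throttle=True)
    log.event_control("VRTR", "tmnxVRtrMidRouteTCA", suppress=True)
    results = [log.emit(t, "SYSTEM", "ssiSaveConfigFailed", "save of config failed")
               for t in (1, 2, 3, 11)]
    results.append(log.emit(4, "VRTR", "tmnxVRtrMidRouteTCA", "mid route TCA"))
    results.append(log.emit(5, "SYSTEM", "ssiSaveConfigSucceeded", "save ok"))
    return results, log


if __name__ == "__main__":
    results, log = demo()
    print(results)
    for key, ctl in log.controls.items():
        print(key, "generated", ctl.generated, "dropped", ctl.dropped)
```

In the demo the third `ssiSaveConfigFailed` inside the first 10-second window is dropped and counted, the fourth is accepted because it falls in the next window, the suppressed VRTR event never reaches the log, and the event type without `throttle` is unaffected by the global rate. The dropped counters are what `show log event-control` is for: a rising dropped count during an incident is the sign that the rate is hiding events from the receivers.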
  • Page 228: Configuring A Log Filter

    Common Configuration Tasks Configuring a Log Filter Use the following CLI syntax to configure a log filter: CLI Syntax: config>log filter filter-id default-action {drop|forward} description description-string entry entry-id action {drop|forward} description description-string match application {eq|neq} application-id number {eq|neq|lt|lte|gt|gte} event-id router {eq|neq} router-instance [regexp] severity {eq|neq|lt|lte|gt|gte} severity-level subject {eq|neq} subject [regexp] The following displays a log filter configuration example:...
  • Page 229: Configuring An Snmp Trap Group

    Event and Accounting Logs Configuring an SNMP Trap Group The associated log-id does not have to be configured before a snmp-trap-group can be created; however, the snmp-trap-group must exist before the log-id can be configured to use it. Use the following CLI syntax to configure an SNMP trap group: CLI Syntax: config>log snmp-trap-group log-id trap-target name [address ip-address] [port port]...
  • Page 230: Configuring A Syslog Target

    Common Configuration Tasks Configuring a Syslog Target Log events cannot be sent to a syslog target host until a valid syslog ID exists. Use the following CLI syntax to configure a syslog target: CLI Syntax: config>log syslog syslog-id description description-string address ip-address log-prefix log-prefix-string port port...
  • Page 231: Log Management Tasks

    Event and Accounting Logs Log Management Tasks This section discusses the following logging tasks: • Modifying a Log File on page 232 • Deleting a Log File on page 234 • Modifying a File ID on page 235 • Deleting a File ID on page 236 •...
  • Page 232: Modifying A Log File

    Log Management Tasks Modifying a Log File Use the following CLI syntax to modify a log file: CLI Syntax: config>log log-id log-id description description-string filter filter-id from {[main] [security] [change] [debug-trace]} to console to file file-id to memory [size] to session to snmp [size] to syslog syslog-id} The following displays the current log configuration:...
  • Page 233 Event and Accounting Logs ---------------------------------------------- A:ALA-12>config>log#
  • Page 234: Deleting A Log File

    Log Management Tasks Deleting a Log File The log ID must be shut down before it can be deleted. In a previous example, file 1 is associated with log-id 2. A:ALA-12>config>log# info ---------------------------------------------- file-id 1 description "LocationTest." location cf1: rollover 600 retention 24 exit log-id 2 description "Chassis log file."...
  • Page 235: Modifying A File Id

    Event and Accounting Logs Modifying a File ID NOTE: When the file-id location parameter is modified, log files are not written to the new location until a rollover occurs or the log is manually cleared. A rollover can be forced by using the clear>log command.
  • Page 236: Deleting A File Id

    Log Management Tasks Deleting a File ID NOTE: All references to the file ID must be deleted before the file ID can be removed. Use the following CLI syntax to delete a file ID: CLI Syntax: config>log no file-id log-file-id The following displays an example to delete a file ID: Example config>log# no file-id 1...
  • Page 237: Modifying A Syslog Id

    Event and Accounting Logs Modifying a Syslog ID NOTE: All references to the syslog ID must be deleted before the syslog ID can be removed. Use the following CLI syntax to modify syslog ID parameters: CLI Syntax: config>log syslog syslog-id description description-string address ip-address log-prefix log-prefix-string...
  • Page 238: Deleting A Syslog

    Log Management Tasks Deleting a Syslog Use the following CLI syntax to delete a syslog ID: CLI Syntax: config>log no syslog syslog-id The following displays an example to delete a syslog ID: Example config# log config>log# no syslog 1
  • Page 239: Modifying An Snmp Trap Group

    Event and Accounting Logs Modifying an SNMP Trap Group Use the following CLI syntax to modify an SNMP trap group: CLI Syntax: config>log snmp-trap-group log-id trap-target name [address ip-address] [port port] [snmpv1|snmpv2c|snmpv3] notify-community communityName | snmpv3SecurityName [security-level {no-auth-no-privacy|auth-no-privacy|privacy}] The following displays the current SNMP trap group configuration: A:ALA-12>config>log# info ----------------------------------------------...
  • Page 240: Deleting An Snmp Trap Group

    Log Management Tasks Deleting an SNMP Trap Group Use the following CLI syntax to delete a trap target and SNMP trap group: CLI Syntax: config>log no snmp-trap-group log-id no trap-target name The following displays the SNMP trap group configuration: A:ALA-12>config>log# info ---------------------------------------------- snmp-trap-group 10 trap-target 10.10.0.91:1 "snmpv2c"...
  • Page 241: Modifying A Log Filter

    Event and Accounting Logs Modifying a Log Filter Use the following CLI syntax to modify a log filter: CLI Syntax: config>log filter filter-id default-action {drop|forward} description description-string entry entry-id action {drop|forward} description description-string match application {eq|neq} application-id number {eq|neq|lt|lte|gt|gte} event-id router {eq|neq} router-instance [regexp] severity {eq|neq|lt|lte|gt|gte} severity-level subject {eq|neq} subject [regexp]...
  • Page 242 Log Management Tasks config>log>filter>entry>match# number eq 2001 config>log>filter>entry>match# no severity config>log>filter>entry>match# exit The following displays the log filter configuration: A:ALA-12>config>log>filter# info ---------------------------------------- filter 1 description "This allows <n>." entry 1 action drop match application eq "user" number eq 2001 exit exit exit ----------------------------------------...
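As an added example that is not the guide's own code, the following Python evaluates a log filter policy in the form given under "Configuring a Log Filter" (page 228) and shown in the `filter 1` output above, against a few constructed events. It assumes that entries are tried in ascending entry-id order, that every match criterion inside an entry must hold, that the first matching entry's action decides, and that `default-action` applies otherwise; `forward` as the default action is also an assumption, since the page only says a default action exists. Severity comparisons (`lt`, `gte`, and so on) use the numeric levels from Table 25 (cleared 1 through warning 6); `regexp` makes the router or subject value a regular expression.

```python
import operator
import re
from dataclasses import dataclass, field
from typing import List

# Severity numbers from Table 25 of the guide; lt/gt compare these numbers.
SEVERITY = {"cleared": 1, "info": 2, "critical": 3, "major": 4, "minor": 5, "warning": 6}
OPS = {"eq": operator.eq, "neq": operator.ne, "lt": operator.lt,
       "lte": operator.le, "gt": operator.gt, "gte": operator.ge}


@dataclass
class Event:
    application: str
    number: int          # event-id within the application
    severity: str
    router: str
    subject: str
    text: str


@dataclass
class Match:
    field: str           # application | number | severity | router | subject
    op: str              # eq, neq, lt, lte, gt, gte (strings take eq/neq only)
    value: object
    regexp: bool = False # router/subject only: value is a regular expression


@dataclass
class Entry:
    entry_id: int
    action: str          # drop | forward
    matches: List[Match] = field(default_factory=list)


@dataclass
class FilterPolicy:
    filter_id: int
    entries: List[Entry]
    default_action: str = "forward"   # assumed default; the page does not state it


def _criterion_holds(m: Match, ev: Event) -> bool:
    actual = getattr(ev, m.field)
    if m.field == "severity":
        return OPS[m.op](SEVERITY[actual], SEVERITY[m.value])
    if m.field == "number":
        return OPS[m.op](actual, int(m.value))
    if m.op not in ("eq", "neq"):
        raise ValueError(f"{m.field} supports only eq/neq")
    hit = bool(re.search(m.value, actual)) if m.regexp else actual == m.value
    return hit if m.op == "eq" else not hit


def apply_filter(policy: FilterPolicy, ev: Event) -> str:
    """Return 'drop' or 'forward' for ev: the first entry (by entry-id) whose
    criteria all hold decides; otherwise the policy's default action."""
    for entry in sorted(policy.entries, key=lambda e: e.entry_id):
        if all(_criterion_holds(m, ev) for m in entry.matches):
            return entry.action
    return policy.default_action


# filter 1 as shown in the guide (entry 1), plus a constructed entry 2 that drops
# low-severity events whose subject starts with "ALA-".
FILTER_1 = FilterPolicy(1, [
    Entry(1, "drop", [Match("application", "eq", "user"), Match("number", "eq", 2001)]),
    Entry(2, "drop", [Match("severity", "lte", "info"),
                      Match("subject", "eq", r"^ALA-", regexp=True)]),
])

# Constructed events, not real device output.
SAMPLE = [
    Event("user", 2001, "info", "Base", "ALA-12", "user admin logged in"),
    Event("user", 2002, "info", "Base", "ALA-12", "user admin logged out"),
    Event("system", 2003, "major", "Base", "ALA-12", "ssiSaveConfigFailed"),
    Event("system", 2003, "major", "Base", "router-7", "ssiSaveConfigFailed"),
]


if __name__ == "__main__":
    for ev in SAMPLE:
        print(ev.application, ev.number, ev.severity, ev.subject, "->", apply_filter(FILTER_1, ev))
```

Running the sample shows why entry order matters: the first event is dropped by entry 1 on application and number, the second by entry 2 on severity and subject, and the `major` save failure is forwarded by the default action. A filter whose default action is `drop` inverts that picture, so a policy should be checked against a few representative events before it is applied to a log that feeds a SIEM.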
  • Page 243: Deleting A Log Filter

    Event and Accounting Logs Deleting a Log Filter Use the following CLI syntax to delete a log filter: CLI Syntax: config>log no filter filter-id The following output displays the current log filter configuration: A:ALA-12>config>log>filter# info ---------------------------------------- filter 1 description "This allows <n>." entry 1 action drop match...
  • Page 244: Modifying Event Control Parameters

    Log Management Tasks Modifying Event Control Parameters Use the following CLI syntax to modify event control parameters: CLI Syntax: config>log event-control application-id [event-name|event-number] generate [severity-level] [throttle] event-control application-id [event-name|event-number] suppress The following displays the current event control configuration: A:ALA-12>config>log# info ---------------------------------------------- event-control ""...
  • Page 245: Returning To The Default Event Control Configuration

    Event and Accounting Logs Returning to the Default Event Control Configuration The no form of the event-control command returns modified values back to the default values. Use the following CLI syntax to modify event control parameters: CLI Syntax: config>log no event-control application [event-name|event-number] The following displays an example of the command usage to return to the default values: Example config# log...
  • Page 247: Log Command Reference

    Event and Accounting Logs Log Command Reference Command Hierarchies • Log Command Reference on page 247 → Accounting Policy Commands on page 247 → File ID Commands on page 247 → Event Filter Commands on page 248 → Log ID Commands on page 248 →...
  • Page 248 Log Command Reference — description description-string — no description — location cflash-id — rollover minutes [retention hours] — no rollover Event Filter Commands config — log — [no] filter filter-id — default-action {drop | forward} — no default-action — description description-string —...
  • Page 249 Event and Accounting Logs SNMP Trap Group Commands config — log — [no] snmp-trap-group log-id — description description-string — no description — trap-target name [address ip-address] [port port] [snmpv1 | snmpv2c | snmpv3] notify-community communityName | snmpv3SecurityName [security-level {no-auth-no-privacy | auth-no-privacy | privacy}] [replay] —...
  • Page 250 Log Command Reference Show Commands show — log — accounting-policy [acct-policy-id] [access | network] — accounting-records — applications — event-control [application [event-name | event-number]] — file-id [log-file-id] — filter-id [filter-id] — log-collector — log-id [log-id] [severity severity-level] [application application] [sequence from-seq [to-seq]] [count count] [subject subject] [ascending | descending] —...
  • Page 251 Event and Accounting Logs Configuration Commands Generic Commands description Syntax description string no description Context config>log>filter filter-id config>log>filter filter-id>entry entry-id config>log>log-id log-id config>log>accounting-policy policy-id config>log>file-id file-id config>log>syslog syslog-id config>log>snmp-trap-group Description This command creates a text description stored in the configuration file for a configuration context. The description command associates a text string with a configuration context to help identify the content in the configuration file.
  • Page 252 Generic Commands Accounting Policy — When an accounting policy is shut down, no accounting data is written to the destination log ID. Counters in the billing data reflect totals, not increments, so when the policy is re-enabled (no shutdown) the counters include the data collected during the period the policy was shut down.
  • Page 253 Event and Accounting Logs Event Control event-control Syntax event-control application-id [event-name | event-number] [generate [severity-level] [throttle] event-control application-id [event-name | event-number] suppress no event-control application [event-name | event-number] Context config>log Description This command is used to specify that a particular event or all events associated with an application is either generated or suppressed.
  • Page 254 Event Control generate — Specifies that a logger event is created when this event occurs. The generate keyword can be used with two optional parameters, severity-level and throttle. Default generate severity-name — An ASCII string representing the severity level to associate with the specified generated events Default The system assigned severity name...
  • Page 255 Event and Accounting Logs Log File Commands file-id Syntax [no] file-id file-id Context config>log Description This command creates the context to configure a file ID template to be used as a destination for an event log or billing file. This command defines the file location and characteristics that are to be used as the destination for a log event message stream or accounting/billing information.
  • Page 256 Log File Commands When initialized, each file will contain: • The log-id description. • The time the file was opened. • The reason the file was created. • If the event log file was closed properly, the sequence number of the last event stored on the log is recorded.
  • Page 257 Event and Accounting Logs Parameters cflash-id — Specify the primary location. Values cflash-id: cf1:, rollover Syntax rollover minutes [retention hours] no rollover Context config>log>file file-id Description This command configures how often an event or accounting log is rolled over or partitioned into a new file.
  • Page 258 Log Filter Commands Any changes made to an existing filter, using any of the sub-commands, are immediately applied to the destinations where the filter is applied. The no form of the command removes the filter association from log IDs which causes those logs to forward all events.
  • Page 259 Event and Accounting Logs Log Filter Entry Commands action Syntax action {drop | forward} no action Context config>log>filter filter-id>entry entry-id Description This command specifies a drop or forward action associated with the filter entry. If neither drop nor forward is specified, the default-action will be used for traffic that conforms to the match criteria. This could be considered a No-Op filter entry used to explicitly exit a set of filter entries without modifying previous actions.
  • Page 260 Log Filter Entry Commands Parameters entry-id. The entry ID uniquely identifies a set of match criteria corresponding action within a filter. Entry ID values should be configured in staggered increments so you can insert a new entry in an existing policy without renumbering the existing entries. Values 1 —...
  • Page 261 Event and Accounting Logs Log Filter Entry Match Commands match Syntax [no] match Context config>log>filter filter-id>entry entry-id Description This command creates the context to enter or edit match criteria for a filter entry. When the match criteria are satisfied, the action associated with the entry is executed. If more than one match parameter (within one match statement) is specified, then all the criteria must be satisfied (AND function) before the action associated with the match is executed.
  • Page 262 Log Filter Entry Match Commands number Syntax number {eq | neq | lt | lte | gt | gte} event-id no number Context config>log>filter filter-id>entry entry-id>match Description This command adds an SR OS application event number as a match criterion. SR OS event numbers uniquely identify a specific logging event within an application.
  • Page 263 Event and Accounting Logs regexp — Specifies the type of string comparison to use to determine if the log event matches the value of router command parameters. When the regexp keyword is specified, the string in the router command is a regular expression string that will be matched against the subject string in the log event being filtered.
  • Page 264 Log Filter Entry Match Commands subject Syntax subject {eq|neq} subject [regexp] no subject Context config>log>filter filter-id>entry entry-id>match Description This command adds an event subject as a match criterion. The subject is the entity for which the event is reported, such as a port. In this case the port-id string would be the subject.
  • Page 265 Event and Accounting Logs Syslog Commands syslog Syntax [no] syslog syslog-id Context config>log Description This command creates the context to configure a syslog target host that is capable of receiving selected syslog messages from this network element. A valid syslog-id must have the target syslog host address configured. A maximum of 10 syslog IDs can be configured.
  • Page 266 Syslog Commands facility Syntax facility syslog-facility no facility Context config>log>syslog syslog-id Description This command configures the facility code for messages sent to the syslog target host. Multiple syslog IDs can be created with the same target host but each syslog ID can only have one facility code.
  • Page 267 Event and Accounting Logs Numerical Code Facility Code local1 local2 local3 local4 local5 local6 local7 Values 0 — 23 log-prefix Syntax log-prefix log-prefix-string no log-prefix Context config>log>syslog syslog-id Description This command adds the string prepended to every syslog message sent to the syslog host. RFC 3164, The BSD syslog Protocol, allows an alphanumeric string (tag) to be prepended to the content of every log message sent to the syslog host.
  • Page 268 Syslog Commands Only a single threshold level can be specified. If multiple levels are entered, the last level entered will overwrite the previously entered commands. The no form of the command reverts to the default value. Parameters value — The threshold severity level name. Values emergency, alert, critical, error, warning, notice, info, debug Numerical Severity...
  • Page 269 Event and Accounting Logs throttle-rate Syntax throttle-rate events [interval seconds] no throttle-rate Context config>log Description This command configures an event throttling rate. Parameters events — Specifies the number of log events that can be logged within the specified interval for a specific event.
  • Page 270 SNMP Trap Groups SNMP Trap Groups snmp-trap-group Syntax [no] snmp-trap-group log-id Context config>log Description This command creates the context to configure a group of SNMP trap receivers and their operational parameters for a given log-id. A group specifies the types of SNMP traps and specifies the log ID which will receive the group of SNMP traps.
  • Page 271 Event and Accounting Logs • SNMP community name for SNMPv1 and SNMPv2c receivers. • Security name and level for SNMPv3 trap receivers. A single snmp-trap-group log-id can have multiple trap-receivers. Each trap receiver can have different operational parameters. An address can be configured as a trap receiver more than once as long as a different port is used for each instance.
  • Page 272 SNMP Trap Groups Pre-existing conditions are checked before the snmpv3SecurityName is accepted. These are: • The user name must be configured. • The v3 access group must be configured. • The v3 notification view must be configured. Default snmpv3 Values snmpv1, snmpv2c, snmpv3 notify-community community | security-name —...
  • Page 273 Event and Accounting Logs Logging Destination Commands filter Syntax filter filter-id no filter Context config>log>log-id log-id Description This command adds an event filter policy with the log destination. The filter command is optional. If no event filter is configured, all events, alarms and traps generated by the source stream will be forwarded to the destination.
  • Page 274 Logging Destination Commands Default No source stream is configured. Parameters main — Instructs all events in the main event stream to be sent to the destination defined in the to command for this destination log-id. The main event stream contains the events that are not explicitly directed to any other event stream.
  • Page 275 Event and Accounting Logs The no form of the command deletes the log destination ID from the configuration. Default No log destinations are defined. Parameters log-id — The log ID number, expressed as a decimal integer. Values 1 — 100 to console Syntax to console...
  • Page 276 Logging Destination Commands to memory Syntax to memory [size] Context config>log>log-id log-id Description This command specifies a log ID destination. This parameter is mandatory when configuring a log destination. This command instructs the events selected for the log ID to be directed to a memory log. A memory file is a circular buffer.
  • Page 277 Event and Accounting Logs to snmp Syntax to snmp [size] Context config>log>log-id log-id Description This is one of the commands used to specify the log ID destination. This parameter is mandatory when configuring a log destination. This command instructs the alarms and traps to be directed to the snmp-trap-group associated with log-id.
  • Page 278 Logging Destination Commands time-format Syntax time-format {local | utc} Context config>log>log-id Description This command specifies whether the time should be displayed in local or Coordinated Universal Time (UTC) format. Default Parameters local — Specifies that timestamps are written in the system’s local time. utc —...
  • Page 279 Event and Accounting Logs Accounting Policy Commands accounting-policy Syntax accounting-policy policy-id [interval minutes] no accounting-policy policy-id Context config>log Description This command creates an access or network accounting policy. An accounting policy defines the accounting records that are created. Access accounting policies are policies that can be applied to one or more service access points (SAPs).
  • Page 280 Accounting Policy Commands The default interval for each record type is defined in the record record-name description. Default As defined in the record name description. Values 5 — 120 default Syntax [no] default Context config>log>accounting-policy policy-id This command adds the designation that the accounting policy ID is the default (access or network) accounting policy to be used with all SAPs without a specified accounting policy.
  • Page 281 Event and Accounting Logs network-ingress-octets network-ingress-packets ========================================================== A:ALU-7210# To configure an accounting policy for access ports, select a service record (for example, service-ingress-octets). To change the record name to another service record, enter the record command with the new record name; it replaces the old record name. When configuring an accounting policy for network ports, a network record should be selected.
  • Page 283: Table 28: Show Accounting Policy Output Fields

    Event and Accounting Logs Show Commands accounting-policy Syntax accounting-policy [acct-policy-id] [access | network] Context show>log Description This command displays accounting policy information. Parameters policy-id — The policy ID that uniquely identifies the accounting policy, expressed as a decimal integer. Values 1 —...
  • Page 284 Show Commands Table 28: Show Accounting Policy Output Fields (Continued) Label Description Intvl — Displays the interval, in minutes, in which statistics are collected and written to their destination. The default depends on the record name type. File ID — The log destination. Record Name — The accounting record name which represents the configured record type.
  • Page 285: Table 29: Accounting Policy Output Fields

    Event and Accounting Logs ============================================================================== Accounting Policies ============================================================================== Policy Type Def Admin Oper Intvl File Record Name State State ------------------------------------------------------------------------------ network No network-ingress-packets network Yes Up network-ingress-octets ============================================================================== A:ALA-1# A:ALA-1# show log accounting-policy access ============================================================================== Accounting Policies ============================================================================== Policy Type Def Admin Oper Intvl File Record Name...
  • Page 286 Show Commands service-ingress-packets network-ingress-octets network-ingress-packets ========================================================== A:ALA-1# applications Syntax applications Context show>log Description This command displays a list of all application names that can be used in event-control and filter commands. Output Sample Output A:ALA-1# show log applications ================================== Log Event Application Names ================================== Application Name ----------------------------------...
  • Page 287 Event and Accounting Logs event-control Syntax event-control [application [event-name | event-number]] Context show>log Description This command displays event control settings for events including whether the event is suppressed or generated and the severity level for the event. If no options are specified all events, alarms and traps are listed. Parameters application —...
  • Page 288 Show Commands Sample Output A:gal171# show log event-control ======================================================================= Log Events ======================================================================= Application Event Name Logged Dropped ----------------------------------------------------------------------- CHASSIS: 2001 cardFailure 2002 cardInserted 2003 cardRemoved 2004 cardWrong 2005 EnvTemperatureTooHigh CPMHWFILTER: DHCP: 2001 sdpTlsDHCPSuspiciousPcktRcvd 2002 sapTlsDHCPLseStEntriesExceeded 2003 sapTlsDHCPLeaseStateOverride 2004 sapTlsDHCPSuspiciousPcktRcvd 2005 svcTlsDHCPLseStRestoreProblem 2006 svcTlsDHCPLseStatePopulateErr 2007 tmnxVRtrDHCPLseStsExceeded 2008 tmnxVRtrDHCPLeaseStateOverride...
  • Page 289 Event and Accounting Logs 2008 ftp_user_login_max_attempts 2009 cli_user_io 2010 snmp_user_set 2011 cli_config_io 4357 VRRP: 2001 vrrpTrapNewMaster 2002 vrrpTrapAuthFailure 2003 tmnxVrrpIPListMismatch 2004 tmnxVrrpIPListMismatchClear 2005 tmnxVrrpMultipleOwners 2006 tmnxVrrpBecameBackup 2007 vrrpPacketDiscarded VRTR: 2001 tmnxVRtrMidRouteTCA 2002 tmnxVRtrHighRouteTCA 2003 tmnxVRtrHighRouteCleared 2004 tmnxVRtrIllegalLabelTCA 2005 tmnxVRtrMcastMidRouteTCA 2006 tmnxVRtrMcastMaxRoutesTCA 2007 tmnxVRtrMcastMaxRoutesCleared 2008 tmnxVRtrMaxArpEntriesTCA 2009 tmnxVRtrMaxArpEntriesCleared...
  • Page 290 Show Commands A:ALA-1# A:ALA-1# show log event-control ospf ospfVirtIfStateChange ======================================================================= Log Events ======================================================================= Application Event Name Logged Dropped ----------------------------------------------------------------------- 2001 ospfVirtIfStateChange ======================================================================= A:ALA-1# file-id Syntax file-id [log-file-id] Context show>log Description This command displays event file log information. If no command line parameters are specified, a summary output of all event log files is displayed. Specifying a file ID displays detailed information on the event file log.
  • Page 291 Event and Accounting Logs Label Description (Continued) expired — Indicates whether or not the retention period for this file has passed. state — in progress: Indicates the current open log file. complete: Indicates the old log file. Sample Output A:ALA-1# show log file-id ============================================================= File Id List =============================================================...
  • Page 292: Table 30: Event Log Filter Summary Output Fields

    Show Commands filter-id Syntax filter-id [filter-id] Context show>log Description This command displays event log filter policy information. Parameters filter-id — Displays detailed information on the specified event filter policy ID. Output Event Log Filter Summary Output — The following table describes the output fields for event log filter summary information.
  • Page 293: Table 31: Event Log Filter Detail Output Fields

    Event and Accounting Logs Event Log Filter Detailed Output — The following table describes the output fields for detailed event log filter information. Table 31: Event Log Filter Detail Output Fields Label Description Filter-id — The event log filter ID. no —...
  • Page 294 Show Commands Table 32: Log Filter Match Criteria Output Fields (Continued) Label Description Severity cleared — The log event filter entry application event severity cleared match criterion. indeterminate — The log event filter entry application event severity indeterminate match criterion. critical —...
  • Page 295: Table 33: Show Log-Collector Output Fields

    Event and Accounting Logs -------------------------------------------------------------------------- Entry-id : 10 Action : forward Application Operator : off Event Number Operator : off Severity : major Operator : greaterThanOrEqual Subject Operator : off Match Type : exact string Router Operator : off Match Type : exact string Description : Collect only events of major severity or higher...
  • Page 296 Show Commands Table 33: Show Log-Collector Output Fields (Continued) Label Description Dest. Type Console — A log created with the console type destination displays events to the physical console device. Events are displayed to the console screen whether a user is logged in to the console or not.
  • Page 297 Event and Accounting Logs log-id Syntax log-id [log-id] [severity severity-level] [application application] [sequence from-seq [to-seq]] [count count] [router router-instance [expression]] [subject subject [regexp]] [ascending | descending] Context show>log Description This command displays an event log summary with settings and statistics or the contents of a specific log file, SNMP log, or memory log.
  • Page 298 Show Commands subject subject — Displays only log entries matching the specified text subject string. The subject is the object affected by the event; for example, the port-id would be the subject for a link-up or link-down event. regexp — Specifies that the subject string is to be interpreted as a regular expression. ascending | descending —...
  • Page 299 Event and Accounting Logs Label Description (Continued) Dest ID The event log stream destination. Size The allocated memory size for the log. Time format The time format specifies the type of timestamp format for events sent to logs where the log ID destination is either syslog or file. When the time format is UTC, timestamps are written using the Coordinated Universal Time value.
  • Page 300: Table 34: Snmp Trap Group Output Fields

    Show Commands =============================================================================== A:gal171 A:NS061550532>config>log>snmp-trap-group# show log log-id 1 =============================================================================== Event Log 1 =============================================================================== SNMP Log contents [size=100 next event=3 (not wrapped)] Cannot send to SNMP target address 10.1.1.1. Waiting to replay starting from event #2 14 2000/01/05 00:54:09.11 UTC WARNING: MPLS #2007 Base VR 1: "Instance is in administrative state: inService, operational state: inService"...
  • Page 301 Event and Accounting Logs Table 34: SNMP Trap Group Output Fields (Continued) Label Description Replay — Indicates whether or not the replay parameter has been configured, enabled or disabled, for the trap-target address. Replay from — Indicates the sequence ID of the first missed notification that will be replayed when a route is added to the routing table by which the trap-target address can be reached.
  • Page 302: Table 35: Show Log Syslog Output Fields

    Show Commands syslog Syntax syslog [syslog-id] Context show>log Description This command displays syslog event log destination summary information or detailed information on a specific syslog destination. Parameters syslog-id — Displays detailed information on the specified syslog event log destination. Values 1 —...
  • Page 303 Event and Accounting Logs local7 unknown info local7 unknown info local7 unknown info local7 =============================================================================== *A:ALA-48>config>log# *A:MV-SR>config>log# show log syslog 1 =============================================================================== Syslog Target 1 =============================================================================== IP Address : 192.168.15.22 Port : 514 Log-ids : none Prefix : Sr12 Facility : local1 Severity Level : info...
  • Page 304 Clear Commands Clear Commands Syntax log log-id Context clear Description Reinitializes/rolls over the specified memory/file event log ID. Memory logs are reinitialized and cleared of contents. File logs are manually rolled over by this command. This command is only applicable to event logs that are directed to file destinations and memory destinations.
  • Page 305 Standards and Protocol Support Standards Compliance RFC 3164 Syslog; RFC 3273 HCRMON-MIB; RFC 3411 An Architecture for Describing Simple Network Management Protocol (SNMP) Management Frameworks; draft-ietf-secsh-architecture.txt SSH Protocol Architecture; draft-ietf-secsh-userauth.txt SSH Authentication Protocol; IEEE 802.1d Bridging; IEEE 802.1p/Q VLAN Tagging; IEEE 802.1w Rapid Spanning Tree Protocol...
  • Page 306 INDEX Security overview overview compact flash storing log files accounting synchronization RADIUS VSA home directory TACACS+ authentication RADIUS TACACS+ authorization overview accounting local accounting records RADIUS default system log TACACS+ destinations controls event control encryption event filter policies event log entries configuring event logs accounting...
  • Page 307 Index access control access groups users USMs views architecture MIBs versions configuring access options basic command reference security commands show commands system commands community strings SNMPv1 and SNMPv2 SNMPv3 USM community options view options command reference system commands user commands