Service aggregation router.
sar-a chassis (154 pages)
Summary of Contents for Alcatel-Lucent 7705 SAR-8
SYSTEM MANAGEMENT GUIDE
Alcatel-Lucent Proprietary
This document contains proprietary information of Alcatel-Lucent and is not to be disclosed or used except in accordance with applicable agreements.
The customer hereby agrees that the use, sale, license or other distribution of the products for any such application without the prior written consent of Alcatel-Lucent, shall be at the customer's sole risk. The customer hereby agrees to defend and hold Alcatel-Lucent harmless from any claims for loss, cost, damage, expense or liability that may arise out of or in connection with the use, sale, license or other distribution of the products in such applications.
List of Acronyms Acronym Expansion second generation wireless telephone technology 3DES triple DES (data encryption standard) third generation mobile telephone technology 5620 SAM 5620 Service Aware Manager 7705 SAR 7705 Service Aggregation Router available bit rate area border router alternating current attachment circuit access control list adaptive clock recovery...
List of Acronyms Acronym Expansion BITS building integrated timing supply boot options file BRAS Broadband Remote Access Server Base Station Controller BSTA Broadband Service Termination Architecture base transceiver station channel associated signaling common bonding networks committed buffer space control channel customer edge circuit emulation circuit emulation...
List of Acronyms Acronym Expansion CRON a time-based scheduling service (from chronos = time) Control and Switching Module CSPF constrained shortest path first connection verification customer VLAN (tag) control word direct current DC-C DC return - common DC-I DC return - isolated digitally controlled oscillator DDoS distributed DoS...
List of Acronyms Acronym Expansion exterior gateway protocol ELER egress label edge router Epipe Ethernet VLL explicit route object electrostatic discharge end-to-end EVDO evolution - data optimized EXP bits experimental bits forwarding class frame check sequence forwarding database facilities data link forwarding equivalence class fixed filter forwarding information base...
List of Acronyms Acronym Expansion IMA control protocol cells IEEE Institute of Electrical and Electronics Engineers Internet Enhanced Service IETF Internet Engineering Task Force interior gateway protocol ILER ingress label edge router incoming label map inverse multiplexing over ATM input/output module Internet Protocol IPCP Internet Protocol Control Protocol...
List of Acronyms Acronym Expansion maximum buffer space maximum burst size media buffer space message digest version 5 (algorithm) media dependent adapter Metro Ethernet Forum multi-field classification management information base minimum information rate MLPPP multilink point-to-point protocol merge point multilink protocol MPLS multiprotocol label switching MRRU...
List of Acronyms Acronym Expansion optical carrier, level 3 operating system OSPF open shortest path first OSPF-TE OSPF-traffic extensions operations support system protocol data units packet delay variation PDVT packet delay variation tolerance provider edge router per-hop behavior physical layer protocol ID peak information rate point of local repair...
List of Acronyms Acronym Expansion routing information base Radio Network Controller record route object RSVP-TE resource reservation protocol - traffic engineering R&TTE Radio and Telecommunications Terminal Equipment receive/transmit routing table manager battery return real-time protocol service assurance agent service access point SAR-8 7705 Service Aggregation Router - 8-slot chassis SAR-F...
List of Acronyms Acronym Expansion shortest path first service router (includes 7710 SR, 7750 SR) secure shell system synchronization unit STM1 synchronous transport module, level 1 switched virtual circuit TACACS+ Terminal Access Controller Access-Control System Plus transmission control protocol time division multiplexing TLDP targeted LDP type length value...
List of Acronyms Acronym Expansion virtual leased line VoIP voice over IP virtual path virtual path connection virtual path identifier virtual private network VPRN virtual private routed network virtual routing and forwarding table WCDMA wideband code division multiple access (transmission protocol used in UMTS networks) WRED weighted random early discard...
Preface About This Guide This guide describes general information you will need to configure router security, SNMP features, and event and accounting logs. It covers basic tasks such as configuring management access filters that control traffic in and out of the CSM, passwords, user profiles, security such as RADIUS, TACACS+, and SSH servers, the router clock, and virtual routers.
If you purchased a service agreement for your 7705 SAR router and related products from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased an Alcatel-Lucent service agreement, contact your welcome center: Web: http://www1.alcatel-lucent.com/comps/pages/carrier_support.jhtml...
In This Chapter This chapter provides process flow information to configure system security and access functions as well as event and accounting logs. Alcatel-Lucent 7705 SAR System Management Configuration Process Table 1 lists the tasks necessary to configure system security and access functions and logging features.
Getting Started Notes on 7705 SAR-8 and 7705 SAR-F The 7705 SAR-8 and the 7705 SAR-F run the same operating system software. The main difference between the products is their hardware configuration. The 7705 SAR-8 has an 8-slot chassis that supports two CSMs, six adapter cards, and a Fan module. The...
The +24 VDC version of the 7705 SAR-8 only supports version 2 of the 8-port Ethernet Adapter card. On the 7705 SAR-8, the CLI indicates the MDA type for the 8-port Ethernet Adapter card as a8-eth or a8-ethv2. On the 7705 SAR-F, the CLI indicates the MDA type for the 7705 SAR-F Ethernet ports as a8-ethv3, to distinguish it from the actual version 2 of the 8-port Ethernet Adapter card.
Security
In This Chapter
This chapter provides information to configure security parameters. Topics in this chapter include:
• Authentication, Authorization, and Accounting on page 28
  → Authentication on page 29
  → Authorization on page 31
  → Accounting on page 33
•...
Authentication, Authorization, and Accounting Authentication, Authorization, and Accounting This chapter describes authentication, authorization, and accounting (AAA) used to monitor and control network access on the 7705 SAR. Network security is based on a multi-step process. The first step, authentication, validates a user’s name and password. The second step is authorization, which allows the user to access and execute commands at various command levels based on profiles assigned to the user.
Security Figure 1 depicts end-user access requests sent to a RADIUS server. After validating the user names and passwords, the RADIUS server returns an access accept message to the users on ALU-1 and ALU-2. The user name and password from ALU-3 could not be authenticated, thus access was denied.
Authentication, Authorization, and Accounting The user login is successful when the RADIUS server accepts the authentication request and responds to the router with an access accept message. Implementing authentication without authorization for the 7705 SAR does not require the configuration of VSAs (Vendor Specific Attributes) on the RADIUS server. However, users, user access permissions, and command authorization profiles must be configured on each router.
Security TACACS+ Authentication Terminal Access Controller Access Control System, commonly referred to as TACACS, is an authentication protocol that allows a remote access server to forward a user's login password to an authentication server to determine whether access can be allowed to a given system.
Authentication, Authorization, and Accounting
When authorization is configured and profiles are downloaded to the router from the RADIUS server, the profiles are considered temporary configurations and are not saved when the user session terminates.
Table 3: Supported Authorization Configurations
                           Local Authorization   RADIUS Authorization
7705 SAR configured user   Supported...
Security TACACS+ Authorization Like RADIUS authorization, TACACS+ grants or denies access permissions for a 7705 SAR router. The TACACS+ server sends a response based on the user name and password. TACACS+ separates the authentication and authorization functions. RADIUS combines the authentication and authorization functions.
Authentication, Authorization, and Accounting
TACACS+ Accounting
The 7705 SAR allows you to configure the type of accounting record packet that is to be sent to the TACACS+ server when specified events occur on the device. The accounting record-type parameter indicates whether TACACS+ accounting start and stop packets will be sent or just stop packets will be sent.
30 seconds. Health check is enabled by default. When a service response is restored from at least one server, the alarm condition is cleared. Alarms are raised and cleared on the Alcatel-Lucent Fault Manager or other third party fault management servers.
Security Controls If a request is sent to an active RADIUS server and the user name and password are not recognized, access is denied and passed on to the next authentication option, in this case, the TACACS+ server. The process continues until the request is either accepted, denied, or each server is queried.
Security Vendor-Specific Attributes (VSAs) The 7705 SAR software supports the configuration of Alcatel-Lucent-specific RADIUS attributes. These attributes are known as vendor-specific attributes (VSAs) and are discussed in RFC 2138. VSAs must be configured when RADIUS authorization is enabled. It is up to the vendor to specify the format of their VSA.
Vendor-Specific Attributes (VSAs)
All commands at and below the hierarchy level of the matched command are subject to the VSA. Multiple match-strings can be entered in a single timetra-cmd VSA. Match strings must be semicolon (;) separated (maximum string length is 254 characters). One or more timetra-cmd VSAs can be entered followed by a single timetra-action...
Security Other Security Features Secure Shell (SSH) Secure Shell Version 1 (SSH1) is a protocol that provides a secure, encrypted Telnet-like connection to a router. A connection is always initiated by the client (the user). Authentication takes place by one of the configured authentication methods (local, RADIUS, or TACACS+).
Other Security Features When using SCP to copy files from an external device to the file system, the 7705 SAR SCP server will accept either forward slash (“/”) or backslash (“\”) characters to delimit directory and/or filenames. Similarly, the 7705 SAR SCP client application can use either slash or backslash characters, but not all SCP clients treat backslash characters as equivalent to slash characters.
Security
• multiple options
• option present
• source IP
• source port
• TCP ACK
• TCP SYN
To avoid DoS-like attacks overwhelming the control plane while ensuring that critical control traffic such as signaling is always serviced in a timely manner, the 7705 SAR has three queues (High, Low, and Ftp) for handling packets addressed to the CSM:
•...
Security
Configuration Notes
This section describes security configuration caveats.
• If a RADIUS or a TACACS+ server is not configured, then password, profiles, and user access information must be configured on each router in the domain.
• If RADIUS authorization is enabled, then VSAs must be configured on the RADIUS server.
Security
Configuring Security with CLI
This section provides information to configure security using the command line interface. Topics in this section include:
• Setting Up Security Attributes on page 46
  → Configuring Authentication on page 46
  → Configuring Authorization on page 47
  →...
Setting Up Security Attributes Setting Up Security Attributes Table 4 depicts the capabilities of authentication, authorization, and accounting configurations. For example, authentication can be enabled locally and on RADIUS and TACACS+ servers. Authorization can be executed locally, on a RADIUS server, or on a TACACS+ server.
Security
• TACACS+ authentication
  To implement TACACS+ authentication, perform the following tasks on each participating 7705 SAR router:
  → Configuring Profiles on page 55
  → Configuring Users on page 56
  → Enabling TACACS+ Authentication on page 66
Configuring Authorization
Refer to the following sections to configure authorization:
•...
Setting Up Security Attributes
Configuring Accounting
Refer to the following sections to configure accounting.
• Local accounting is not implemented. For information about configuring accounting policies, refer to Configuring Logging with CLI on page 217.
• Configuring RADIUS Accounting on page 65
•...
Security
Security Configurations
This section provides information on configuring security and examples of configuration tasks. To implement security features, configure the following components:
• management access filters
• CPM (CSM) filters
• profiles
• user access parameters
• password management parameters
•...
Security Configurations
            exit
        exit
        profile "administrative"
            default-action permit-all
            entry 10
                no description
                match "configure system security"
                action permit
            exit
        password
            authentication-order radius tacplus local
            no aging
            minimum-length 6
            attempts 3 time 5 lockout 10
            complexity
        exit
        user "admin"
            password "./3kQWERTYn0Q6w" hash
            access console
            no home-directory
            no restricted-to-home
            ...
Security Configuring CPM (CSM) Filters CPM filters control all traffic going in to the CSM, including all routing protocols. They apply to packets from all network and access ports, but not to packets from a management Ethernet port. CPM packet filtering is performed by network processor hardware using no resources on the main CPUs.
Security Configuration Procedures Configuring Password Management Parameters Configuring password management parameters consists of defining aging, the authentication order and authentication methods, password length and complexity, as well as the number of attempts a user can make to enter a password. Depending on the authentication requirements, password parameters are configured locally or on the RADIUS or TACACS+ server.
Security
Configuring Profiles
Profiles are used to deny or permit access to a hierarchical branch or specific commands. Profiles are referenced in a user configuration. A maximum of 16 user profiles can be defined. A user can participate in up to 16 profiles. Depending on the authorization requirements, passwords are configured locally or on the RADIUS server.
Security Configuration Procedures
Configuring Users
Access parameters are configured for individual users. For each user, the login name and, optionally, information that identifies the user is defined. Use the following CLI commands to configure access parameters for users:
CLI Syntax: config>system>security
    user-template template-name
    user user-name
        access [ftp] [snmp] [console]...
Security
The following example displays the user configuration:
ALU-1>config>system>security# info
----------------------------------------------
        user "49ers"
            password "qQbnuzLd7H/VxGdUqdh7bE" hash2
            access console ftp snmp
            restricted-to-home
            console
                member "default"
                member "ghost"
            exit
        exit
--------------------------------------------
ALU-1>config>system>security#
Copying and Overwriting Users and Profiles
You can copy a profile or user or overwrite an existing profile or user. The overwrite option must be specified;...
Security Configuration Procedures
                group "testgroup"
            exit
        exit
        user "testuserA"
            password "" hash2
            access snmp console
                new-password-at-login
            exit
            snmp
                authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
                group "testgroup"
            exit
        exit
----------------------------------------------
ALU-12>config>system>security# info
Note: The cannot-change-password flag is not replicated when a copy user command is performed.
Security
Copying a Profile
CLI Syntax: config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
Example: config>system>security# copy profile default to testuser
The following output displays the copied profiles:
A:ALU-49>config>system>security# info
----------------------------------------------
A:ALU-49>config>system>security# info detail
----------------------------------------------
        profile "default"
            default-action none
            entry 10
                no description
                match "exec"...
Security Configuration Procedures
        exit
        profile "testuser"
            default-action none
            entry 10
                no description
                match "exec"
                action permit
            exit
            entry 20
                no description
                match "exit"
                action permit
            exit
            entry 30
                no description
                match "help"
                action permit
            exit
            entry 40
                no description
                match "logout"
                action permit
            exit
            entry 50...
Security
Configuring SSH
Use the SSH command to configure the SSH server as SSH1, SSH2 or both. The default is SSH2. This command should only be enabled or disabled when the SSH server is disabled. This setting cannot be changed while the SSH server is running.
CLI Syntax: config>system>security
    preserve-key
    no server-shutdown...
Security Configuration Procedures
The following example displays the login control configuration:
Example:
config>system>login-control# ftp inbound-max-sessions 5
config>system>login-control# telnet inbound-max-sessions
config>system>login-control# telnet outbound-max-sessions
config>system>login-control# idle-timeout 1440
config>system>login-control# pre-login-message "Property of Service Routing Inc. Unauthorized access prohibited."
config>system>login-control# motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM"...
Security
RADIUS Configurations
• Configuring RADIUS Authentication
• Configuring RADIUS Authorization
• Configuring RADIUS Accounting
Configuring RADIUS Authentication
RADIUS is disabled by default and must be explicitly enabled. The mandatory commands to enable RADIUS on the local router are server-index radius server address...
Security
Configuring RADIUS Accounting
On the local router, use the following CLI commands to configure RADIUS accounting:
CLI Syntax: config>system>security
    radius
        accounting
The following example displays the CLI syntax usage:
Example: config>system>security>
config>system>security# radius
config>system>security>radius# accounting
The following example displays the RADIUS accounting configuration:
ALU-1>config>system>security# info
----------------------------------------------
        radius...
Security Configuration Procedures
TACACS+ Configurations
• Enabling TACACS+ Authentication
• Configuring TACACS+ Authorization
• Configuring TACACS+ Accounting
Enabling TACACS+ Authentication
To use TACACS+ authentication on the router, configure one or more TACACS+ servers on the network. Use the following CLI commands to configure TACACS+ authentication:
CLI Syntax: config>system>security
    tacplus
        server server-index address ip-address secret key...
Security
Configuring TACACS+ Authorization
In order for TACACS+ authorization to function, TACACS+ authentication must be enabled first. See Enabling TACACS+ Authentication. On the local router, use the following CLI commands to configure TACACS+ authorization:
CLI Syntax: config>system>security
    tacplus
        authorization
        no shutdown
The following example displays the CLI syntax usage:...
Security Configuration Procedures
The following example displays the TACACS+ accounting configuration:
ALU-1>config>system>security>tacplus# info
----------------------------------------------
            accounting
            authorization
            timeout 5
            single-connection
            server 1 address 10.10.0.5 secret "h6.TeL7YPohbmhlvz0gob." hash2
            server 2 address 10.10.0.6 secret "h6.TeL7YPog7WbLsR3QRd." hash2
            server 3 address 10.10.0.7 secret "h6.TeL7YPojGJqbYt85LVk" hash2
            server 4 address 10.10.0.8 secret "h6.TeL7YPoiCfWKUFHARvk"...
Security
Command Reference
RADIUS Commands
config
    — system
        — security
            — [no] radius
                — [no] accounting
                — accounting-port port
                — no accounting-port
                — [no] authorization
                — port port
                — no port
                — retry count
                — no retry
                — server server-index address ip-address secret key [hash | hash2]
                —...
Security
Login Control Commands
config
    — system
        — login-control
            — [no] exponential-backoff
            —
                — inbound-max-sessions value
                — no inbound-max-sessions
            — telnet
                — inbound-max-sessions value
                — no inbound-max-sessions
                — outbound-max-sessions value
                — no outbound-max-sessions
            — idle-timeout {minutes | disable}
            — no idle-timeout
            —...
Security
Command Reference
Clear Commands
Authentication
clear
    — router
        — authentication
            — statistics [interface ip-int-name | ip-address]
Debug Commands
debug
    — radius [detail] [hex]
    — no radius
Security
Command Descriptions
• Configuration Commands on page 78
• Show Commands on page 131
• Clear Commands on page 150
• Debug Commands on page 151
Security
Command Reference
Configuration Commands
• Generic Security Commands on page 79
• Security Commands on page 80
• Management Access Filter Commands on page 83
  → Management Access Filter Entry Commands on page 84
• CPM Filter Commands on page 89
•...
Security
Generic Security Commands
description
Syntax      description description-string
            no description
Context     config>system>security>management-access-filter>ip-filter>entry entry-id
            config>system>security>cpm-filter>ip-filter>entry>entry-id
            config>system>security>profile user-profile-name>entry entry-id
Description This command creates a text description stored in the configuration file for a configuration context. The no form of the command removes the string.
Default     No description associated with the configuration context.
Security
Command Reference
Security Commands
security
Syntax      security
Context     config>system
Description This command creates the context to configure security settings. Security commands manage user profiles and user membership. Security commands also manage user login registrations.
copy
Syntax      copy {user source-user | profile source-profile} to destination [overwrite]
Context     config>system>security
Description...
Security
hash-control
Syntax      hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}]
            no hash-control
Context     config>system>security
Description Whenever the user executes a save or info command, the system encrypts all passwords, keys, and similar sensitive values for security reasons. At present, two algorithms exist. The first algorithm is a simple, short key that can be copied and pasted in a different location when the user wants to configure the same password.
Security
Command Reference
Parameters  app — specifies the application name
            Values telnet, ftp, ssh, radius, tacplus, snmptrap, syslog, ping, traceroute, dns, sntp, ntp
            ip-int-name | ip-address — specifies the name of the IP interface or IP address. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.
Security
Management Access Filter Commands
management-access-filter
Syntax      [no] management-access-filter
Context     config>system>security
Description This command creates the context to edit management access filters and to reset match criteria. Management access filters control all traffic in and out of the CSM. They can be used to restrict management of the 7705 SAR by other nodes outside either specific (sub)networks or through designated ports.
Security
Command Reference
            deny-host-unreachable — specifies that packets not matching the selection criteria will be denied and a host unreachable message will be issued
renum
Syntax      renum old-entry-number new-entry-number
Context     config>system>security>management-access-filter>ip-filter
Description This command renumbers existing management access filter entries to resequence filter entries. The 7705 SAR exits on the first match found and executes the actions in accordance with the accompanying action command.
Security
action
Syntax      action {permit | deny | deny-host-unreachable}
            no action
Context     config>system>security>management-access-filter>ip-filter>entry entry-id
Description This command creates the action associated with the management access filter match criteria entry. The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previously configured actions.
Security
Command Reference
            For example, to select a range from 1024 up to 2047, specify 1024 0xFC00 for value and mask.
Default     65535 (exact match)
Values      1 to 65535 (decimal)
Syntax      [no] log
Context     config>system>security>management-access-filter>ip-filter>entry entry-id
Description This command enables match logging. The no form of this command disables match logging.
Security
Parameters  router-instance — specifies one of the following parameters for the router instance:
            router-name — specifies a router name up to 32 characters to be used in the match criteria
            service-id — specifies an existing service ID to be used in the match criteria
            Values 1 to 2147483647
src-ip...
Security
Command Reference
Syntax:     port-id
Values      port-id      slot/mda/port[.channel]
            bundle-id    bundle-<type>-slot/mda.<bundle-num>
                         bundle      keyword
                         type        ima | ppp
                         bundle-num  [1..10]
            cpm — specifies that ingress management traffic is restricted to the CSM Ethernet port
Security
CPM Filter Commands
cpm-filter
Syntax      [no] cpm-filter
Context     config>system>security
Description This command enables the context to configure a CPM filter. A CPM filter is a hardware filter on the CSM that applies to all the traffic going to the CPU. It can be used to drop or accept packets, as well as allocate dedicated hardware queues for the traffic.
Security
Command Reference
entry
Syntax      entry entry-id [create]
            no entry entry-id
Context     config>system>security>cpm-filter>ip-filter
Description This command specifies a particular CPM filter match entry. Every CPM filter must have at least one filter match entry. A filter entry with no match criteria set will match every packet, and the entry action will be taken.
Security
Syntax      log log-id
            no log
Context     config>system>security>cpm-filter>ip-filter>entry
Description This command specifies the log in which packets matching this entry should be entered. The value 0 indicates that logging is disabled. The no form of the command deletes the log ID.
Parameters  log-id —...
Security
Command Reference
Table 6: IP Protocol IDs and Descriptions
Protocol     Protocol ID   Description
icmp                       Internet Control Message
igmp                       Internet Group Management
                           IP in IP (encapsulation)
                           Transmission Control
                           Exterior Gateway Protocol
                           Any private interior gateway
                           User Datagram
                           Reliable Data Protocol
ipv6                       IPv6
ipv6-route...
Security
Table 6: IP Protocol IDs and Descriptions (Continued)
Protocol     Protocol ID   Description
                           Performance Transparency Protocol
isis                       ISIS over IPv4
crtp                       Combat Radio Transport Protocol
crudp                      Combat Radio User Datagram
dscp
Syntax      dscp dscp-name
            no dscp
Context     config>system>security>cpm-filter>ip-filter>entry>match
Description This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion.
Security
Command Reference
Default     no dst-ip
Parameters  ip-address — the IP prefix for the IP match criterion in dotted-decimal notation
            Values 0.0.0.0 to 255.255.255.255
            mask — the subnet mask length expressed as a decimal integer
            Values 1 to 32
            netmask — the dotted-decimal equivalent of the mask length
            Values 0.0.0.0 to 255.255.255.255
dst-port...
Security
icmp-code
Syntax      icmp-code icmp-code
            no icmp-code
Context     config>system>security>cpm-filter>ip-filter>entry>match
Description This command configures matching on an ICMP code field in the ICMP header of an IP packet as an IP filter match criterion. The ICMP protocol must be configured using the match command before this filter can be configured.
Security
Command Reference
ip-option
Syntax      ip-option ip-option-value [ip-option-mask]
            no ip-option
Context     config>system>security>cpm-filter>ip-filter>entry>match
Description This command configures matching packets with a specific IP option or a range of IP options in the IP header as an IP filter match criterion. The option type octet contains 3 fields:
•...
Security
multiple-option
Syntax      multiple-option {true | false}
            no multiple-option
Context     config>system>security>cpm-filter>ip-filter>entry>match
Description This command configures matching packets that contain more than one option field in the IP header as an IP filter match criterion. The no form of the command removes the checking of the number of option fields in the IP header as a match criterion.
Security
Command Reference
src-ip
Syntax      src-ip {ip-address/mask | ip-address netmask}
            no src-ip
Context     config>system>security>cpm-filter>ip-filter>entry>match
Description This command specifies the IP address to match the source IP address of the packet. To match on the source IP address, specify the address and its associated mask; for example, 10.1.0.0/16.
Security
tcp-ack
Syntax      tcp-ack {true | false}
            no tcp-ack
Context     config>system>security>cpm-filter>ip-filter>entry>match
Description This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion. The no form of the command removes the criterion from the match entry.
Security
Command Reference
renum
Syntax      renum old-entry-id new-entry-id
Context     config>system>security>cpm-filter>ip-filter
Description This command renumbers existing IP filter entries in order to resequence filter entries. Resequencing may be required in some cases because the OS exits when the first match is found and executes the actions according to the accompanying action command.
Security
Global Password Commands
enable-admin
Syntax      enable-admin
Context     <global>
Description Note: See the description for the admin-password command.
            If the admin-password is configured in the config>system>security>password context, then any user can enter the special administrative mode by entering the enable-admin command.
Security
Command Reference
Password Commands
password
Syntax      password
Context     config>system>security
Description This command creates the context to configure password management parameters.
admin-password
Syntax      admin-password password [hash | hash2]
            no admin-password
Context     config>system>security>password
Description This command allows a user (with admin permissions) to configure a password which enables a user to become an administrator.
Security
Default     no admin-password
Parameters  password — configures the password that enables a user to become a system administrator. The maximum length can be up to 20 characters if unhashed, 32 characters if hashed, and 54 characters if the hash2 keyword is specified.
            hash —...
Security
Command Reference
Default     count: 3
            time minutes: 5
            lockout minutes: 10
Parameters  count — the number of unsuccessful login attempts allowed for the specified time. This is a mandatory value that must be explicitly entered.
            Values 1 to 64
            time minutes —...
Security
            method-3 — the third password authentication method to attempt
            Default local
            Values radius, tacplus, local
                radius — RADIUS authentication
                tacplus — TACACS+ authentication
                local — password authentication based on the local password database
            exit-on-reject — when enabled, and if one of the AAA methods configured in the authentication order sends a reject, then the next method in the order will not be tried.
Security Command Reference numeric — specifies that at least one numeric character must be present in the password. This keyword can be used in conjunction with the mixed-case and special-character parameters. However, if this command is used together with the authentication none command, the complexity command is rejected.
Security Profile Management Commands profile Syntax [no] profile user-profile-name Context config>system>security Description This command creates a context to create user profiles for CLI command tree permissions. Profiles are used to either deny or permit user console access to a hierarchical branch or to specific commands.
Security Command Reference none — sets the default-action of the profile to none (no action), so that evaluation continues with the next profile assigned to the user. This option is useful when multiple profiles are assigned to a user. For example, if a user is a member of two profiles and the default action of the first profile is permit-all, then the second profile will never be evaluated because permit-all is executed first.
Security Parameters entry-id — an entry-id uniquely identifies a user profile command match criteria and a corresponding action. If more than one entry is configured, the entry-ids should be numbered in staggered increments to allow users to insert a new entry without requiring renumbering of the existing entries.
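The profile semantics described in the two passages above (first matching entry wins, then the profile's default-action, with none deferring to the next profile, and staggered entry-ids leaving room for later inserts) are easy to get wrong in practice, so here is an added example that models them in Python. It is not code from the 7705 SAR guide. Assumptions: an entry matches when its string is a word-wise prefix of the command, profiles assigned to a user are evaluated in assignment order, and a command that no profile decides is denied. Profile names, entries and commands are constructed.

```python
"""Added example, not from the 7705 SAR guide: evaluation of CLI authorization
profiles.  Prefix matching, profile order and the implicit deny are assumptions."""
from dataclasses import dataclass, field


@dataclass
class Entry:
    entry_id: int
    match: str
    action: str          # "permit" or "deny"


@dataclass
class Profile:
    name: str
    default_action: str  # "permit-all", "deny-all" or "none"
    entries: list = field(default_factory=list)

    def add(self, entry_id, match, action):
        if any(e.entry_id == entry_id for e in self.entries):
            raise ValueError(f"entry {entry_id} already exists in profile {self.name}")
        self.entries.append(Entry(entry_id, match, action))


def _prefix_match(pattern, command):
    """'configure system security' matches 'configure system security user ...'."""
    p, c = pattern.split(), command.split()
    return c[: len(p)] == p


def authorize(profiles, command):
    """Return (decision, reason).  Entries are walked in ascending entry-id and the
    first match wins; then the profile's default-action applies, except that
    'none' hands the command to the next profile."""
    for prof in profiles:
        for e in sorted(prof.entries, key=lambda e: e.entry_id):
            if _prefix_match(e.match, command):
                return e.action, f"{prof.name} entry {e.entry_id}"
        if prof.default_action == "permit-all":
            return "permit", f"{prof.name} default-action permit-all"
        if prof.default_action == "deny-all":
            return "deny", f"{prof.name} default-action deny-all"
    return "deny", "no profile matched (implicit deny)"


def build_profiles():
    """Constructed profiles: a restricting profile with default-action none,
    and an operator profile that permits everything it is asked."""
    restrict = Profile("restrict-security", "none")
    restrict.add(10, "admin reboot", "deny")
    restrict.add(20, "configure system security", "deny")
    # staggered ids leave room: a later rule slots in at 15 without renumbering
    restrict.add(15, "admin save", "permit")
    operator_all = Profile("operator-all", "permit-all")
    return restrict, operator_all


if __name__ == "__main__":
    restrict, operator_all = build_profiles()
    for cmd in ("configure system security user x", "admin save", "show router"):
        print(cmd, "->", authorize([restrict, operator_all], cmd))
    # assigning the permit-all profile first masks the restricting one entirely
    print(authorize([operator_all, restrict], "configure system security user x"))
```

The last call reproduces the masking the page warns about: with permit-all evaluated first, the deny entries in the second profile are never reached, so a restricting profile must be assigned first and the broad profile given default-action none or placed last.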
Security Command Reference User Management Commands user Syntax [no] user user-name Context config>system>security Description This command creates a local user and a context to edit the user configuration. If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.
Security access Syntax [no] access [ftp] [snmp] [console] [no] access [ftp] [console] Context config>system>security>user user-name config>system>security>user-template Description This command grants a user permission for FTP, SNMP, or console access. If a user requires access to more than one application, then multiple applications can be specified in a single command.
Security Command Reference Parameters url-prefix [directory] [directory/directory…] — the user’s local home directory URL prefix and directory structure, up to 190 characters in length password Syntax password [password] [hash | hash2] Context config>system>security>user user-name Description This command configures the user password for console and FTP access. The use of the hash keyword sets the initial password when the user is created or modifies the password of an existing user and specifies that the given password was hashed using hashing algorithm version 1.
Security To insert # or ? characters, they must be entered inside a notepad or clipboard program and then cut and pasted into the Telnet session in the password field that is encased in the double quotes as delimiters for the password. If a password is entered without any parameters, a password length of zero is implied (return key).
Security Command Reference cannot-change-password Syntax [no] cannot-change-password Context config>system>security>user user-name>console Description The no form of this command allows a user to change their own password for both FTP and console login. To remove a user's privilege to change their password, use the cannot-change-password form of the command.
Security Default default Parameters user-profile-name — the user profile name new-password-at-login Syntax [no] new-password-at-login Context config>system>security>user user-name >console Description This command forces the user to change passwords at the next console or FTP login. If the user is limited to FTP access, the administrator must create the new password. The no form of the command does not force the user to change passwords.
Security Command Reference Default authentication none - No authentication is configured and privacy cannot be configured. Parameters none — do not use authentication. If none is specified, then privacy cannot be configured. hash — when hash is not specified, unencrypted characters can be entered. When hash is configured, all specified keys are stored in an encrypted format in the configuration file.
Security RADIUS Client Commands radius Syntax [no] radius Context config>system>security Description This command creates the context to configure RADIUS authentication on the 7705 SAR. Implement redundancy by configuring multiple server addresses for each 7705 SAR. The no form of the command removes the RADIUS configuration. accounting Syntax [no] accounting...
Security Command Reference authorization Syntax [no] authorization Context config>system>security>radius Description This command configures RADIUS authorization parameters for the system. The no form of this command disables RADIUS authorization for the system. Default no authorization port Syntax port port no port Context config>system>security>radius Description...
Security server Syntax server index address ip-address secret key [hash | hash2] no server index Context config>system>security>radius Description This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values. Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received.
Security Command Reference timeout Syntax timeout seconds no timeout Context config>system>security>radius Description This command configures the number of seconds the router waits for a response from a RADIUS server. The no form of the command reverts to the default value. Default Parameters seconds —...
Security TACACS+ Client Commands tacplus Syntax [no] tacplus Context config>system>security Description This command creates the context to configure TACACS+ authentication on the 7705 SAR. Configure multiple server addresses for each 7705 SAR for redundancy. The no form of the command removes the TACACS+ configuration. accounting Syntax accounting [record-type {start-stop | stop-only}]...
Security Command Reference server Syntax server index address ip-address secret key [hash | hash2] no server index Context config>system>security>tacplus Description This command adds a TACACS+ server and configures the TACACS+ server IP address, index, and key values. Up to five TACACS+ servers can be configured at any one time. TACACS+ servers are accessed in order from the lowest index to the highest index for authentication requests.
Security timeout Syntax timeout seconds no timeout Context config>system>security>tacplus Description This command configures the number of seconds the router waits for a response from a TACACS+ server. The no form of the command reverts to the default value. Default Parameters seconds —...
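The authentication-order and exit-on-reject description earlier in this chapter, and the lowest-index-first server walk of the radius and tacplus server commands above, together decide whether a login ever reaches the local password database. Here is an added example (not code from the 7705 SAR guide) that simulates that decision in Python. Server behaviour and credentials are constructed; the server addresses are the ones in the sample show system security authentication output later in this chapter. Treating a method whose servers all time out as unavailable (try the next method) rather than as a reject is an assumption of this example.

```python
"""Added example, not from the 7705 SAR guide: simulation of authentication order,
exit-on-reject and lowest-index-first server selection.  Server behaviour,
addresses and credentials are constructed stand-ins."""
import hmac
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple

ACCEPT, REJECT, TIMEOUT = "accept", "reject", "timeout"


@dataclass
class Server:
    index: int
    address: str
    respond: Callable[[str, str], str]   # stand-in for the RADIUS / TACACS+ exchange


def query_method(name: str, servers: List[Server], user: str, password: str,
                 trace: List[str]) -> str:
    """Walk the servers from lowest to highest index; stop at the first that answers."""
    for s in sorted(servers, key=lambda s: s.index):
        result = s.respond(user, password)
        trace.append(f"{name} server {s.index} ({s.address}): {result}")
        if result != TIMEOUT:
            return result
    return TIMEOUT


def authenticate(order: List[str], methods: Dict[str, List[Server]],
                 local_db: Dict[str, str], user: str, password: str,
                 exit_on_reject: bool) -> Tuple[bool, List[str]]:
    """Return (accepted, trace) for one login attempt under the given order."""
    trace: List[str] = []
    for method in order:
        if method == "local":
            # the device stores a hash; the plain-text table is a constructed stand-in
            ok = hmac.compare_digest(local_db.get(user, ""), password)
            trace.append(f"local: {ACCEPT if ok else REJECT}")
            return ok, trace
        result = query_method(method, methods.get(method, []), user, password, trace)
        if result == ACCEPT:
            return True, trace
        if result == REJECT and exit_on_reject:
            trace.append(f"{method} rejected and exit-on-reject is set: stop")
            return False, trace
        # rejected without exit-on-reject, or no server answered: fall through
    trace.append("no method accepted the user")
    return False, trace


# constructed behaviour: RADIUS server 1 is unreachable, server 2 knows no users
def _unreachable(user, password):
    return TIMEOUT


def _radius_reject(user, password):
    return REJECT


def _tacplus(user, password):
    return ACCEPT if (user, password) == ("ops1", "c0rrect-horse") else REJECT


RADIUS = [Server(2, "10.10.0.1", _radius_reject), Server(1, "10.10.10.103", _unreachable)]
TACPLUS = [Server(1, "10.10.0.9", _tacplus)]
METHODS = {"radius": RADIUS, "tacplus": TACPLUS}
LOCAL = {"admin": "l0cal-only-secret"}
ORDER = ["radius", "tacplus", "local"]


def scenario(user: str, password: str, exit_on_reject: bool) -> Tuple[bool, List[str]]:
    return authenticate(ORDER, METHODS, LOCAL, user, password, exit_on_reject)


if __name__ == "__main__":
    for flag in (False, True):
        ok, trace = scenario("ops1", "c0rrect-horse", flag)
        print(f"exit-on-reject={flag}: accepted={ok}", *trace, sep="\n  ")
```

The trace shows the trade-off behind exit-on-reject: without it, a user that RADIUS explicitly rejects still gets a try against TACACS+ and then the local database, so a stale local account becomes a bypass of the AAA server's decision; with it, an explicit reject ends the attempt while a RADIUS outage (timeouts only) still falls back to the next method.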
Security Command Reference SSH Commands ssh Syntax [no] ssh Context config>system>security Description This command enables the context to configure the SSH server on the system. The SSH server should only be enabled or disabled when no SSH session is running. When the command is executed, an SSH server key is generated. This key is valid until either the node is restarted or the SSH server is stopped with the no ssh command and restarted; clients that pin the server key should expect it to change at those points.
Security version Syntax version ssh-version no version Context config>system>security>ssh Description This command specifies the SSH protocol version that will be supported by the SSH server. The server may be configured as Secure Shell Version 1 (SSH1), Version 2 (SSH2) or both. SSH1 and SSH2 are different, incompatible protocols that apply encryption at different points in the packet. SSH1 has known protocol weaknesses; unless legacy clients require it, restrict the server to SSH2.
Security Command Reference Login Control Commands login-control Syntax login-control Context config>system Description This command creates the context to configure the session control for console, Telnet and FTP. exponential-backoff Syntax [no] exponential-backoff Context config>system>login-control Description This command enables exponential backoff of the login prompt, so that each failed login attempt lengthens the delay before the next prompt is offered. It is used to deter dictionary attacks, in which a malicious user scripts login attempts against the admin account with every conceivable password.
Security login-banner Syntax [no] login-banner Context config>system>login-control Description This command enables or disables the display of a login banner. The login banner contains the 7705 SAR copyright and build date information for a console login attempt. The no form of the command causes only the configured pre-login-message and a generic login prompt to display.
Security Command Reference The system name can be added to an existing message without affecting the current pre-login-message. The no form of the command removes the message. Default no pre-login-message Parameters login-text-string — a text string, up to 900 characters. Any printable, 7-bit ASCII characters can be used.
Security Telnet Login Control Commands telnet Syntax telnet Context config>system>login-control Description This command creates the context to configure the Telnet login control parameters. inbound-max-sessions Syntax inbound-max-sessions value no inbound-max-sessions Context config>system>login-control>telnet Description This parameter limits the number of inbound Telnet sessions. Each 7705 SAR router is limited to a total of 7 Telnet or SSH sessions.
Security Command Reference Parameters value — the maximum number of concurrent outbound Telnet sessions, expressed as an integer Values 0 to 7 Page 130 7705 SAR OS System Management Guide...
Security Command Reference Security Show Commands access-group Syntax access-group [group-name] Context show>system>security Description This command displays SNMP access group information. Parameters group-name — displays information for the specified access group Output Security Access Group Output — The following table describes security access group output fields.
Security authentication Syntax authentication [statistics] Context show>system>security Description This command displays system login authentication configuration and statistics. Parameters statistics — appends login and accounting statistics to the display Output Authentication Output — The following table describes system security authentication output fields.
Security Command Reference Sample Output A:ALU-4# show system security authentication =============================================================================== Authentication sequence : radius tacplus local =============================================================================== type status timeout single retry server address (secs) conn count ------------------------------------------------------------------------------- radius 10.10.10.103 radius 10.10.0.1 radius 10.10.0.2 tacplus 10.10.0.9(49) down true ------------------------------------------------------------------------------- radius admin status : up tacplus admin status : down...
Security Command Reference Sample Output A:ALU-48# show system security communities ============================================================================= Communities ============================================================================= community access view version group name ----------------------------------------------------------------------------- cli-readonly cli-readonly cli-readwrite cli-readwrite public no-security v1 v2c snmp-ro ----------------------------------------------------------------------------- No. of Communities: 3 ============================================================================= A:ALU-48# cpm-filter Syntax cpm-filter ip-filter [entry entry-id] Context show>system>security Description...
Security Table 10: Show CPM Filter Output Fields (Continued) Label / Description: Fragment — the 3-bit fragment flags or 13-bit fragment offset field. IP-Option — the IP option setting. TCP-syn — the SYN flag in the TCP header. Match action — when the criteria matches, displays drop or forward packet. Dropped pkts — the number of matched dropped packets...
Security Command Reference A:ALU-35# show system security cpm-filter ip-filter entry 2 =============================================================================== CPM IP Filter Entry =============================================================================== Entry Id Description : CPM filter #2 ------------------------------------------------------------------------------- Filter Entry Match Criteria : ------------------------------------------------------------------------------- Log Id : 101 Src. IP : 10.4.101.2/32 Src. Port Dest.
Security Output Management Access Filter Output — The following table describes management access filter output fields. Table 11: Show Management Access Filter Output Fields Label Description The management access filter type filter type Permit — Specifies that packets not matching the configured Def.
Security Command Reference Sample Output A:ALU-7# show system security management-access-filter ip-filter entry 1 ============================================================================= IPv4 Management Access Filters ============================================================================= filter type: : ip Def. Action : permit Admin Status : enabled (no shutdown) ----------------------------------------------------------------------------- Entry Description : test description Src IP : 10.10.10.104 Src interface : undefined Dest port...
Security Table 12: Show Password Options Output Fields (Continued) Label / Description: Authentication order — displays the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords. Configured complexity options — displays the complexity requirements of locally administered passwords, HMAC-MD5-96, HMAC-SHA-96 and DES-keys configured in the authentication section...
Security Command Reference Output User Profile Output — The following table describes user profile output fields. Table 13: Show User Profile Output Fields Label / Description: User Profile — displays the profile name used to deny or permit user console access to a hierarchical branch or to specific commands. Permit all —...
Security source-address Syntax source-address Context show>system>security Description This command displays the source address configured for applications. Output Source Address Output — The following table describes source address output fields. Table 14: Show Source Address Output Fields Label / Description: Application — displays the source-address application. IP address — displays the source address IP address or interface name...
Security Command Reference Output SSH Options Output — The following table describes SSH output fields. Table 15: Show SSH Output Fields Label / Description: SSH status — SSH is enabled: the SSH server is enabled; SSH is disabled: the SSH server is disabled. Enabled —...
Security user Syntax user [user-id] [detail] Context show>system>security Description This command displays user registration information. If no command line options are specified, summary information for all users displays. Parameters user-id — displays information for the specified user Default All users detail —...
Security Command Reference Table 16: Show User Output Fields (Continued) Label / Description: Restricted to home — Yes: the user is not allowed to navigate to a directory higher in the directory tree on the home directory device; No: the user is allowed to navigate to a directory higher in the directory tree on the home directory device. Login exec — displays the user's login exec file, which executes whenever the user...
Security snmp parameters ------------------------------------------------------------------------------- =============================================================================== ALU-7# view Syntax view [view-name] [detail] [capabilities] Context show>system>security Description This command displays one or all views and permissions in the MIB-OID tree. Parameters view-name — specifies the name of the view to display. If no view name is specified, the complete list of views displays.
Security Command Reference mgmt-view 1.3.6.1.2.1.77 included mgmt-view 1.3.6.1.4.1.6527.3.1.2.3.7 included mgmt-view 1.3.6.1.4.1.6527.3.1.2.3.11 included vprn-view 1.3.6.1.2.1.2 included vprn-view 1.3.6.1.2.1.4 included vprn-view 1.3.6.1.2.1.5 included vprn-view 1.3.6.1.2.1.6 included vprn-view 1.3.6.1.2.1.7 included vprn-view 1.3.6.1.2.1.15 included vprn-view 1.3.6.1.2.1.23 included vprn-view 1.3.6.1.2.1.31 included vprn-view 1.3.6.1.2.1.68 included vprn-view 1.3.6.1.2.1.77 included vprn-view...
Security Login Control Show Commands users Syntax users Context show Description This command displays console user login and connection information. Output Users Output — The following table describes show users output fields. Table 18: Show Users Output Fields Label / Description: User — the user name. The user is authorized for this access type...
Security Command Reference Clear Commands statistics Syntax statistics [interface ip-int-name | ip-address] Context clear>router>authentication Description This command clears authentication statistics. Parameters ip-int-name — clears the authentication statistics for the specified interface name. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes ip-address —...
Security Debug Commands radius Syntax radius [detail] [hex] no radius Context debug Description This command enables debugging for RADIUS connections. The no form of the command disables the debugging. Parameters detail — displays detailed output hex — displays the packet dump in hexadecimal format
SNMP In This Chapter This chapter provides information to configure SNMP. Topics in this chapter include: • SNMP Overview on page 154 → SNMP Architecture on page 154 → Management Information Base on page 154 → SNMP Versions on page 155 →...
SNMP Overview SNMP Architecture SNMP management, as used by the 5620 Service Aware Manager (SAM), consists of two elements: managers and agents. The manager is the entity through which network management tasks are facilitated. An agent is a software module integrated into the operating system of the managed device that communicates with the network manager.
SNMP The SNMP agent provides management information to support a collection of IETF specified MIBs and a number of MIBs defined to manage device parameters and network data unique to the 7705 SAR. SNMP Versions The agent supports multiple versions of the SNMP protocol. •...
A community string is a text string that acts like a password to permit access to the agent on the 7705 SAR router. The Alcatel-Lucent implementation of SNMP has defined three levels of community-named access: •...
SNMP Access Groups Access groups associate a user group and a security model with the views the group can access. An access group is defined by a unique combination of a group name, security model (SNMPv1, SNMPv2c, or SNMPv3), and security level (no-authorization-no privacy, authorization-no-privacy, or privacy).
Which SNMP Version to Use? SNMPv1 and SNMPv2c do not provide security, authentication, or encryption. Without authentication, an unauthorized user could perform SNMP network management functions and eavesdrop on management information as it passes from system to system. For that reason many SNMPv1 and SNMPv2c deployments are restricted to read-only access, which in turn limits the network monitor to observation: network control applications that need to write to the agent cannot be supported.
SNMP Configuration Notes This section describes SNMP configuration caveats. • To avoid management systems attempting to manage a partially booted system, SNMP will remain in a shutdown state if the configuration file fails to complete during system startup. While shut down, SNMP gets and sets are not processed. However, notifications are issued if an SNMP trap group has been configured.
SNMP Configuring SNMP with CLI This section provides information about configuring SNMP with CLI. Topics in this chapter include: • SNMP Configuration Overview on page 162 → Configuring SNMPv1 and SNMPv2c on page 162 → Configuring SNMPv3 on page 162 •...
SNMP Configuration Overview SNMP Configuration Overview This section describes how to configure SNMP components that apply to SNMPv1, SNMPv2c, and SNMPv3 on the 7705 SAR. • Configuring SNMPv1 and SNMPv2c • Configuring SNMPv3 Configuring SNMPv1 and SNMPv2c The 7705 SAR router is based on SNMPv3. To use 7705 SAR routers with SNMPv1 and/or SNMPv2c, SNMP community strings must be configured.
SNMP Basic SNMP Security Configuration This section provides information to configure SNMP parameters and provides examples of common configuration tasks. The minimal SNMP parameters are: For SNMPv1 and SNMPv2c: • Configure community string parameters For SNMPv3: • Configure view parameters •...
SNMP The following example displays community string command usage: Example: config>system>security# snmp config>system>security>snmp# community private hash2 rwa version both config>system>security>snmp# community public hash r version v2c The following example displays the SNMP community configuration: ALU-1>config>system>security>snmp# info ------------------------------------------------------- community "uTdc9j48PBRkxn5DcSjchk" hash2 rwa version both community "Lla.RtAyRW2"...
Configuring SNMP Components Configuring Access Options The access group command creates an association between a user group, a security model, and the views that the user group can access. Access must be configured unless security is limited to the preconfigured access groups and views for SNMPv1 and SNMPv2c. An access group is defined by a unique combination of the group name, security model, and security level.
SNMP The following example displays user security command usage: Example: ALU-1>config>system>security# user testuser config>system>security>user$ access snmp config>system>security>user# snmp config>system>security>user>snmp# authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none config>system>security>user>snmp# group testgroup config>system>security>user>snmp# exit config>system>security>user# exit The following example displays the user’s SNMP configuration. ALU-1>config>system>security# info ---------------------------------------------- user "testuser"...
SNMP SNMP Command Reference Command Hierarchies • Configuration Commands → SNMP System Commands → SNMP Security Commands • Show Commands
SNMP Command Reference Configuration Commands SNMP System Commands config — system — snmp — snmp engine-id — no snmp — general-port port — no general-port — packet-size bytes — no packet-size — [no] shutdown SNMP Security Commands config — system —...
SNMP Show Commands show — snmp — counters — system — information — security — access-group [group-name] — communities [statistics] — communities — user [profile-name] — user [user-id] [detail] — view [view-name] [capabilities] [detail]
SNMP Command Reference Command Descriptions • Configuration Commands on page 173 • Show Commands on page 183
SNMP Configuration Commands • SNMP System Commands on page 174 • SNMP Security Commands on page 177
SNMP Command Reference SNMP System Commands snmp Syntax snmp Context config>system Description This command creates the context to configure SNMP parameters. engineID Syntax [no] engineID engine-id Context config>system>snmp Description This command sets the SNMP engine ID to uniquely identify the SNMPv3 node. By default, the engine ID is generated using information from the system backplane.
SNMP general-port Syntax general-port port-number no general-port Context config>system>snmp Description This command configures the port number used by this node to receive SNMP request messages and to send replies. Note that SNMP notifications generated by the agent are sent from the port specified in the config>log>snmp-trap-group>trap-target command.
SNMP Command Reference This command is automatically invoked in the event of a reboot when the processing of the configuration file fails to complete or when an SNMP persistent index file fails while the bof persist on command is enabled. The no form of the command administratively enables SNMP.
SNMP SNMP Security Commands snmp Syntax snmp Context config>system>security Description This command creates the context to configure SNMPv1, SNMPv2c, and SNMPv3 parameters. access group Syntax [no] access group group-name security-model {snmpv1 | snmpv2c | usm} security-level {no-auth-no-privacy | auth-no-privacy | privacy} [context context-name [prefix-match {exact | prefix}]] [read view-name-1] [write view-name-2] [notify view-name-3] Context config>system>security>snmp...
SNMP Command Reference security-level auth-no-privacy — specifies that authentication is required but privacy (encryption) is not required. When this option is configured, both the group and the user must be configured for authentication. security-level privacy — specifies that both authentication and privacy (encryption) are required. When this option is configured, both the group and the user must be configured for authentication and for privacy.
SNMP Parameters count — the number of unsuccessful SNMP attempts allowed for the specified time Default Values 1 to 64 time minutes1 — the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the host is locked out Default Values 0 to 60...
SNMP Command Reference usm-community Syntax usm-community community-string [hash | hash2] group group-name no usm-community community-string Context config>system>security>snmp Description This command is used to associate a community string with an SNMPv3 access group and its view. The access granted with a community string is restricted to the scope of the configured group. The 7705 SAR OS implementation of SNMP uses SNMPv3.
SNMP Default No views are defined Parameters view-name — the 1 to 32 character view name Default none oid-value — the object identifier (OID) value for the view-name. This value, for example, 1.3.6.1.6.3.11.2.1, combined with the mask and include and exclude statements, configures the access available in the view.
SNMP Command Reference Parameters mask-value — the mask value associated with the OID value determines whether the sub-identifiers are included or excluded from the view The mask can be entered either: • In hexadecimal format (for example, 0xfc) • In binary format (for example, 0b11111100) Note: If the number of bits in the bit mask is less than the number of sub-identifiers in the MIB subtree, then the mask is extended with ones until the mask length matches the number of sub-identifiers in the MIB subtree.
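The view, OID and mask parameters above, together with the community-to-group association of the usm-community command, are what actually decide whether a given SNMP request touches a given object. Here is an added example (not code from the 7705 SAR guide) that works that decision through in Python: it parses hex and binary masks with the extend-with-ones rule just described, picks the most specific matching view entry, and then runs a community lookup in front of it. The no-security view entries are read from the sample show system security view output later in this chapter (its first, root entry is assumed to be subtree 1); the community table and the sample OIDs are constructed.

```python
"""Added example, not from the 7705 SAR guide: SNMP view subtree/mask evaluation and
the community -> view lookup that precedes it.  Community rows are constructed."""
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    return tuple(int(x) for x in text.strip(".").split("."))


def parse_mask(text: Optional[str], length: int) -> Tuple[int, ...]:
    """Accept 0x.. hex or 0b.. binary.  A mask shorter than the subtree is extended
    with ones (every remaining sub-identifier must match); extra bits are ignored.
    No mask at all means every sub-identifier must match."""
    if text is None:
        bits = []
    elif text.startswith("0x"):
        width = 4 * (len(text) - 2)
        value = int(text, 16)
        bits = [(value >> (width - 1 - i)) & 1 for i in range(width)]
    elif text.startswith("0b"):
        bits = [int(c) for c in text[2:]]
    else:
        raise ValueError("mask must be given as 0x... or 0b...")
    bits = bits[:length]
    return tuple(bits + [1] * (length - len(bits)))


@dataclass(frozen=True)
class ViewEntry:
    subtree: OID
    mask: Tuple[int, ...]
    included: bool


def view_entry(subtree: str, included: bool = True, mask: Optional[str] = None) -> ViewEntry:
    oid = parse_oid(subtree)
    return ViewEntry(oid, parse_mask(mask, len(oid)), included)


def entry_covers(entry: ViewEntry, oid: OID) -> bool:
    """A zero mask bit makes that sub-identifier a wildcard (e.g. one table row)."""
    if len(oid) < len(entry.subtree):
        return False
    return all(bit == 0 or o == s for o, s, bit in zip(oid, entry.subtree, entry.mask))


def oid_in_view(view: Sequence[ViewEntry], oid: OID) -> bool:
    """The most specific covering entry decides (longest subtree, then greater mask,
    as the VACM rules in RFC 3415 put it)."""
    best = None
    for e in view:
        if entry_covers(e, oid) and (
            best is None or (len(e.subtree), e.mask) > (len(best.subtree), best.mask)
        ):
            best = e
    return best is not None and best.included


# the no-security view as listed in this chapter's sample output
NO_SECURITY = [
    view_entry("1"),
    view_entry("1.3.6.1.6.3", included=False),   # hide the SNMPv3 admin MIBs ...
    view_entry("1.3.6.1.6.3.10.2.1"),            # ... except engine, MPD and USM objects
    view_entry("1.3.6.1.6.3.11.2.1"),
    view_entry("1.3.6.1.6.3.15.1.1"),
]
VIEWS = {"no-security": NO_SECURITY}
# constructed: what 'community public hash r version v2c' yields: read-only, no-security view
COMMUNITIES = {"public": ("r", "no-security")}


def snmp_allowed(community: str, operation: str, oid_text: str) -> bool:
    """operation is 'get' or 'set'; a read-only community never gets a set through."""
    access, view_name = COMMUNITIES.get(community, (None, None))
    if access is None:
        return False
    if operation == "set" and "w" not in access:
        return False
    return oid_in_view(VIEWS[view_name], parse_oid(oid_text))


if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.6.3.16.1.1.1.0", "1.3.6.1.6.3.15.1.1.4.0"):
        print(oid, snmp_allowed("public", "get", oid))
    # a mask with one zero bit restricts a view to a single ifTable row, any column
    row3 = view_entry("1.3.6.1.2.1.2.2.1.1.3", mask="0b11111111101")
    print(entry_covers(row3, parse_oid("1.3.6.1.2.1.2.2.1.10.3")))
```

The row-of-a-table mask is the case worth checking when a view is meant to expose one interface to a tenant: forgetting that a short hex mask is padded with ones (not zeros) silently turns the intended wildcard into an exact match, and the view then exposes nothing.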
SNMP Show Commands counters Syntax counters Context show>snmp Description This command displays SNMP counter information. SNMP counters will continue to increase even when SNMP is shut down. Some internal modules communicate using SNMP packets. Output Counters Output — The following table describes SNMP counters output fields. Table 19: Show SNMP Counters Output Fields Label Description...
SNMP Command Reference Sample Output A:ALU-1# show snmp counters ============================================================================== SNMP counters: ============================================================================== in packets : ------------------------------------------------------------------------------ in gets : 93 in getnexts : 0 in sets : 370 out packets: ------------------------------------------------------------------------------ out get responses : out traps variables requested: variables set ============================================================================== A:ALU-1#...
SNMP Table 20: Show System Information Output Fields (Continued) Label / Description: SNMP Admin State — Enabled: SNMP is administratively enabled; Disabled: SNMP is administratively disabled. SNMP Oper State — Enabled: SNMP is operationally enabled; Disabled: SNMP is operationally disabled. Persistent —...
SNMP Command Reference Table 20: Show System Information Output Fields (Continued) Label / Description: Last Boot Index Version — displays the index version used in the most recent boot. Last Boot Index Header — displays the header information of the index used in the most recent boot. Displays the filename of the last saved configuration...
Last Booted Config File: ftp://172.22.184.249/./debby-sim1/debby-sim1-config.cfg Last Boot Cfg Version : THU MAR 11 16:58:20 2008 UTC Last Boot Config Header: # TiMOS-B-0.0.I1042 both/i386 Alcatel-Lucent SAR 7705 Copyright (c) 2000-2008 Alcatel-Lucent. # All rights reserved. All use subject to applicable license agreements.
SNMP Command Reference Last Boot Index Header : # TiMOS-B-0.0.I1042 both/i386 Alcatel-Lucent SAR 7705 Copyright (c) 2000-2008 Alcatel-Lucent. # All rights reserved. All use subject to applicable license agreements. # Built on Tue Mar 11 01:26:23 PST 2008 by builder in /rel0.0/I1042/panos/main # Generated TUE...
SNMP Table 21: Show System Access Group Fields (Continued) Label / Description: Notify view — specifies the view to send a trap about MIB objects. No. of access groups — the total number of configured access groups. Sample Output A:ALU-1# show system security access-group =============================================================================== Access Groups ===============================================================================...
SNMP Command Reference communities Syntax communities Context show>system>security Description This command lists SNMP communities and characteristics. Output Communities Output — The following table describes the communities output fields. Table 22: Show Communities Output Fields Label / Description: Community — the community string name for SNMPv1 and SNMPv2c access only. r —...
SNMP user Syntax user [user-id] [detail] Context show>system>security Description This command displays user information. Output User Output — The following table describes user information output fields. Table 23: Show User Output Fields Label / Description: User ID — the name of a system user. Yes —...
SNMP Command Reference Sample Output A:ALU-1# show system security user =============================================================================== Users =============================================================================== user id User Permissions Password Login Failed Local console ftp snmp Expires Attempts Logins Conf ------------------------------------------------------------------------------- admin never testuser never ------------------------------------------------------------------------------- Number of users : 2 =============================================================================== A:ALU-1# view Syntax...
SNMP Sample Output A:ALU-1# show system security view =============================================================================== Views =============================================================================== view name oid tree mask permission ------------------------------------------------------------------------------- included no-security included no-security 1.3.6.1.6.3 excluded no-security 1.3.6.1.6.3.10.2.1 included no-security 1.3.6.1.6.3.11.2.1 included no-security 1.3.6.1.6.3.15.1.1 included ------------------------------------------------------------------------------- No. of Views: 6 =============================================================================== A:ALU-1# A:ALU-1# show system security view no-security detail =============================================================================== Views...
Page 194
SNMP Command Reference 1.3.6.1.2.1.68 no-support 1.3.6.1.2.1.85 no-support 1.3.6.1.2.1.100 no-support 1.3.6.1.2.1.4.39 no-support 1.3.6.1.2.1.5.20 no-support Parameters detail — displays all groups associated with the view capabilities — displays all views, including excluded MIB-OID trees from unsupported features Page 194 7705 SAR OS System Management Guide...
Event and Accounting Logs In This Chapter This chapter provides information about configuring event and accounting logs in the 7705 SAR. Topics in this chapter include: • Logging Overview on page 196 • Log Destinations on page 198 → Console on page 198 →...
Logging Overview The two primary types of logging supported on the 7705 SAR are event logging and accounting logs. Event logging controls the generation, dissemination and recording of system events for monitoring status and troubleshooting faults within the system. Events are messages generated by applications or processes within the 7705 SAR.
Table 25: Event Severity Levels (Severity Number, Severity Name): Cleared; Indeterminate (info); Critical; Major; Minor; Warning. Event control maintains a count of the number of events generated (logged) and dropped (suppressed) for each application event. The severity of an application event can be configured in event control.
Log Destinations Both event logs and accounting logs use a common mechanism for referencing a log destination. 7705 SAR routers support the following log destinations: • Console • Session • Memory Logs • Log Files • SNMP Trap Group •...
Log Files Log files can be used by both event logs and accounting logs and are stored on the compact flash device (cf3) in the file system. A log file is identified by a single log file ID, but a log file will generally be composed of a number of individual files in the file system.
Accounting log files are created in the \act-collect directory on the compact flash device. The naming convention for accounting logs is: aaff-timestamp.xml.gz where: aa is the accounting policy ID; ff is the log file destination ID; timestamp is the timestamp when the file is created, in the same form as for event logs.
Syslog An event log can be configured to send events to one syslog destination. Syslog destinations have the following properties: • syslog server IP address • the UDP port used to send the syslog message • the Syslog Facility Code •...
Event Logs Event logs are the means of recording system-generated events for later analysis. Events are messages generated by applications or processes within the 7705 SAR. Figure 3 depicts a functional block diagram of event logging. Figure 3: Event Logging Block Diagram...
• Change — The change activity event source is all events that directly affect the configuration or operation of the node. Change events are generated by the USER application. • Debug — The debug event source is the debugging configuration that has been enabled on the system.
Event Control Event control pre-processes the events generated by applications before the event is passed into the main event stream. Event control assigns a severity to application events and can either forward the event to the main event source or suppress the event. Suppressed events are counted in event control, but these events will not generate log entries as they never reach the log manager.
An event log has the following properties: • a unique log ID The log ID is a short, numeric identifier for the event log. A maximum of 10 logs can be configured at a time. • one or more log sources The source stream or streams to be sent to log destinations can be specified.
Table 27: Valid Filter Policy Operators (Operator: Description) eq: Equal to; neq: Not equal to; lt: Less than; lte: Less than or equal to; gt: Greater than; gte: Greater than or equal to. A match criteria entry can include combinations of: • equal to or not equal to a given system application •...
The general format for an event in an event log with either a memory, console or file destination is as follows:
nnnn YYYY/MM/DD HH:MM:SS.SS <severity>:<application> # <event_id> <router-name> <subject> description
The following is an event log example:
475 2007/11/27 00:19:40.38 WARNING: SNMP #2008 Base 1/1/1 "interface 1/1/1 came up"...
Simple Logger Event Throttling Simple event throttling provides a mechanism to protect event receivers from being overloaded when a scenario causes many events to be generated in a very short period of time. A throttling rate (events/seconds) can be configured. Specific application events can be configured to be throttled.
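As an added example, not code from the guide or from the 7705 SAR itself, the following Python script parses event lines in the format documented above, runs them through a simplified model of event-control throttling, and then evaluates a log filter using the operators of Table 27 (all criteria of one entry must hold, as the match command requires). The throttle model (a fixed window of `interval` seconds per throttled application/event-id, at most `rate` events per window), the first-matching-entry rule for filter entries, and the numeric severity ranks are assumptions of this example; every sample line after the guide's own example line is constructed.

```python
# Added example, not the 7705 SAR's own code: parse event lines in the documented
# format, apply a simplified event-control throttle, then evaluate a log filter.
import re
from datetime import datetime

# nnnn YYYY/MM/DD HH:MM:SS.SS <severity>:<application> # <event_id> <router-name> <subject> "description"
EVENT_RE = re.compile(
    r'^(?P<seq>\d+)\s+(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d{2})\s+'
    r'(?P<severity>[A-Z]+):\s*(?P<application>\w+)\s+#(?P<event_id>\d+)\s+'
    r'(?P<router>\S+)\s+(?P<subject>\S+)\s+"(?P<description>[^"]*)"\s*$')
# Severity rank follows the order in which Table 25 lists the names; the numbers are assumed here.
SEVERITY_RANK = {"cleared": 1, "indeterminate": 2, "info": 2, "critical": 3,
                 "major": 4, "minor": 5, "warning": 6}
# The six filter operators of Table 27.
OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b, "lt": lambda a, b: a < b,
       "lte": lambda a, b: a <= b, "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b}

def parse_event(line):
    """Return a dict of fields for a well-formed line, None for anything else."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["seq"], ev["event_id"] = int(ev["seq"]), int(ev["event_id"])
    ev["severity"], ev["application"] = ev["severity"].lower(), ev["application"].lower()
    ev["timestamp"] = datetime.strptime(ev["date"] + " " + ev["time"], "%Y/%m/%d %H:%M:%S.%f")
    return ev

class Throttle:
    """Assumed model of throttle-rate/interval: per throttled (application, event-id), at most `rate` events per `interval`-second window; the rest are dropped and counted."""
    def __init__(self, rate, interval, throttled):
        self.rate, self.interval, self.throttled = rate, interval, set(throttled)
        self.windows, self.dropped = {}, 0          # key -> (window_start, count)

    def allow(self, ev):
        key = (ev["application"], ev["event_id"])
        if key not in self.throttled:
            return True
        start, count = self.windows.get(key, (ev["timestamp"], 0))
        if (ev["timestamp"] - start).total_seconds() >= self.interval:
            start, count = ev["timestamp"], 0       # open a new window
        self.windows[key] = (start, count + 1)
        if count + 1 > self.rate:
            self.dropped += 1
            return False
        return True

def entry_matches(entry, ev):
    """All criteria on one entry must hold (AND). Criteria: application (op, name), number (op, id), severity (op, level), subject (op, text, regexp)."""
    if "application" in entry and not OPS[entry["application"][0]](ev["application"], entry["application"][1]):
        return False
    if "number" in entry and not OPS[entry["number"][0]](ev["event_id"], entry["number"][1]):
        return False
    if "severity" in entry and not OPS[entry["severity"][0]](
            SEVERITY_RANK[ev["severity"]], SEVERITY_RANK[entry["severity"][1]]):
        return False
    if "subject" in entry:
        op, text, regexp = entry["subject"]
        hit = bool(re.search(text, ev["subject"])) if regexp else ev["subject"] == text
        if not OPS[op](hit, True):
            return False
    return True

def filter_decide(flt, ev):
    """First matching entry wins (assumed); otherwise the filter's default-action applies."""
    for entry in flt["entries"]:
        if entry_matches(entry, ev):
            return entry["action"]
    return flt["default_action"]

def process(lines, throttle, flt):
    """Parse -> event control -> filter; report which sequence numbers went where."""
    out = {"forwarded": [], "filter_dropped": [], "unparsed": []}
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            out["unparsed"].append(line)
        elif throttle.allow(ev):
            out["forwarded" if filter_decide(flt, ev) == "forward" else "filter_dropped"].append(ev["seq"])
    out["throttle_dropped"] = throttle.dropped
    return out

# Constructed sample input: the guide's example line followed by made-up lines.
SAMPLE_LINES = [
    '475 2007/11/27 00:19:40.38 WARNING: SNMP #2008 Base 1/1/1 "interface 1/1/1 came up"',
    '476 2007/11/27 00:19:41.00 MAJOR: SECURITY #2003 Base testuser "cli_user_login_failed"',
    '477 2007/11/27 00:19:42.00 MAJOR: SECURITY #2003 Base testuser "cli_user_login_failed"',
    '478 2007/11/27 00:19:52.00 MAJOR: SECURITY #2003 Base testuser "cli_user_login_failed"',
    '479 2007/11/27 00:20:05.00 MINOR: OAM #2001 Base lsp-1 "constructed oam event"',
    'garbage line that does not follow the format',
]

def demo():
    throttle = Throttle(rate=1, interval=10, throttled=[("security", 2003)])
    flt = {"default_action": "drop", "entries": [
        {"action": "forward", "application": ("eq", "security"), "number": ("eq", 2003)},
        {"action": "forward", "severity": ("eq", "warning"), "subject": ("eq", r"^1/1/", True)}]}
    return process(SAMPLE_LINES, throttle, flt)
```

Running `demo()` forwards events 475, 476 and 478, drops 477 in the throttle (second event 2003 inside the same 10-second window), drops 479 through the filter's default-action, and reports the malformed line as unparsed rather than silently discarding it; the same parse step is what a SIEM ingestion pipeline needs before it can alert on security-stream events such as cli_user_login_failed.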
Default System Log Log 99 is a preconfigured memory-based log that logs events from the main event source (not security, debug, or change). Log 99 exists by default. The following example displays the log 99 configuration. ALU-1>config>log# info detail #------------------------------------------ echo "Log Configuration "...
Accounting Logs Before an accounting policy can be created, a target log file must be created to collect the accounting records. The files are stored in system memory on a compact flash (cf3) in a compressed (tar) XML format and can be retrieved using FTP or SCP. Accounting Records An accounting policy must define a record name and collection interval.
Table 30: Accounting Record Name Details (record name: sub-record fields). Service-ingress-octets: SvcId, SapId, QueueId, OfferedHiPrioOctets, DroppedHiPrioOctets, LowOctetsOffered, LowOctetsDropped, UncoloredOctetsOffered, InProfileOctetsForwarded, OutOfProfileOctetsForwarded. Service-egress-octets: SvcId, SapId, QueueId, InProfileOctetsForwarded, InProfileOctetsDropped, OutOfProfileOctetsForwarded, OutOfProfileOctetsDropped...
Table 30: Accounting Record Name Details (Continued). Service-ingress-packets: SvcId, SapId, QueueId, HighPktsOffered, HighPktsDropped, LowPktsOffered, LowPktsDropped, UncoloredPacketsOffered, InProfilePktsForwarded, OutOfProfilePktsForwarded. Service-egress-packets: SvcId, SapId, QueueId, InProfilePktsForwarded, InProfilePktsDropped, OutOfProfilePktsForwarded, OutOfProfilePktsDropped. SapId slaProfile SlaProfile...
Accounting Files When a policy has been created and applied to a service, the accounting file is stored on the compact flash in a compressed XML file format. The 7705 SAR creates two directories on the compact flash to store the files. The following output displays a directory named act- that holds accounting files that are open and actively collecting statistics, and a collect...
Configuration Notes This section describes logging configuration caveats. • A file or filter cannot be deleted if it has been applied to a log. • File IDs, syslog IDs, or SNMP trap groups must be configured before they can be applied to a log ID.
Configuring Logging with CLI This section provides information to configure logging using the command line interface. Topics in this section include: • Log Configuration Overview on page 218 • Log Type on page 219 • Basic Event Log Configuration on page 220 •...
Log Configuration Overview Logging on the 7705 SAR is used to provide the operator with logging information for monitoring and troubleshooting. You can configure logging parameters to save information in a log file or direct the messages to other devices. Logging commands allow you to: •...
Log Type Logs can be configured in the following contexts: • Log file — log files can contain log event message streams or accounting/billing information. Log file IDs are used to direct events, alarms/traps, and debug information to their respective targets.
Basic Event Log Configuration The most basic log configuration must have the following: • a log ID or an accounting policy ID • a log source • a log destination The following displays a log configuration example. ALU-12>config>log# info #------------------------------------------ echo "Log Configuration "...
Common Configuration Tasks The following sections describe basic system tasks that must be performed. • Configuring an Event Log • Configuring a File ID • Configuring an Accounting Policy • Configuring Event Control • Configuring Throttle Rate •...
config>log>log-id# to file 1
config>log>log-id# no shutdown
config>log>log-id# exit
The following displays a log file configuration:
ALU-12>config>log>log-id# info
----------------------------------------------
log-id 2
description "This is a test log file."
filter 1
from main security
to file 1
exit
----------------------------------------------
ALU-12>config>log>log-id#
Configuring a File ID...
The following displays the file ID configuration:
ALU-12>config>log# info
------------------------------------------
file-id 1
description "This is a log file."
location cf3:
rollover 600 retention 24
exit
----------------------------------------------
ALU-12>config>log#
Configuring an Accounting Policy Before an accounting policy can be created, a target log file must be created to collect the accounting records.
config>log>acct-policy# to file 1
config>log>acct-policy# exit
config>log# accounting-policy 5
config>log>acct-policy# description "This is a test accounting policy."
config>log>acct-policy# record service-ingress-packets
config>log>acct-policy# to file 2
config>log>acct-policy#
The following displays the accounting policy configuration:
ALU-12>config>log# info
----------------------------------------------
accounting-policy 4
description "This is the default accounting policy."...
ALU-12>config>log# info
#------------------------------------------
echo "Log Configuration"
#------------------------------------------
throttle-rate 500 interval 10
event-control "atm" 2014 generate critical
event-control "oam" 2001 suppress
----------------------------------------------
ALU-12>config>log>filter#
Configuring Throttle Rate This command configures the number of events and interval length to be applied to all event types that have throttling enabled by the event-control command.
application {eq | neq} application-id
number {eq | neq | lt | lte | gt | gte} event-id
router {eq | neq} router-instance [regexp]
severity {eq | neq | lt | lte | gt | gte} severity-level
subject {eq | neq} subject [regexp]
The following displays an example of the log filter configuration command syntax: Example:...
Configuring an SNMP Trap Group The associated log-id does not have to be configured before a snmp-trap-group can be created; however, the snmp-trap-group must exist before the log-id can be configured to use it. Use the following CLI syntax to configure an SNMP trap group: CLI Syntax: config>log snmp-trap-group log-id trap-target name [address ip-address] [port port]...
Configuring a Syslog Target Log events cannot be sent to a syslog target host until a valid syslog ID exists. Use the following CLI syntax to configure a syslog file: CLI Syntax: config>log syslog syslog-id description description-string address ip-address log-prefix log-prefix-string port port...
Log Management Tasks This section discusses the following logging tasks: • Modifying a Log File • Deleting a Log File • Modifying a File ID • Deleting a File ID • Deleting a Syslog ID •...
exit
----------------------------------------------
ALU-12>config>log>log-id#
The following displays an example of modifying log file parameters: Example:
config# log
config>log# log-id 2
config>log>log-id# description "Chassis log file."
config>log>log-id# filter 2
config>log>log-id# from security
config>log>log-id# exit
The following displays the modified log file configuration:
ALU-12>config>log# info
----------------------------------------------
log-id 2...
Use the following CLI syntax to delete a log file: CLI Syntax: config>log no log-id log-id shutdown
The following displays an example of deleting a log file: Example:
config# log
config>log# log-id 2
config>log>log-id# shutdown
config>log>log-id# exit
config>log# no log-id 2
Modifying a File ID Note: When the file-id location parameter is modified, log files are not written to the...
config>log>file-id# location cf3:
config>log>file-id# rollover 2880 retention 500
config>log>file-id# exit
The following displays the file ID modifications:
ALU-12>config>log# info
----------------------------------------------
file-id 1
description "LocationTest."
location cf3:
rollover 2880 retention 500
exit
----------------------------------------------
ALU-12>config>log#
Deleting a File ID Note: All references to the file ID must be deleted before the file ID can be removed.
Modifying a Syslog ID Note: All references to the syslog ID must be deleted before the syslog ID can be removed. Use the following CLI syntax to modify syslog ID parameters: CLI Syntax: config>log syslog syslog-id description description-string address ip-address log-prefix log-prefix-string...
Modifying an SNMP Trap Group Use the following CLI syntax to modify an SNMP trap group: CLI Syntax: config>log snmp-trap-group log-id trap-target name [address ip-address] [port port] [snmpv1 | snmpv2c | snmpv3] notify-community communityName | snmpv3SecurityName [security-level {no-auth-no-privacy | auth-no-privacy | privacy}] The following displays the current SNMP trap group configuration: ALU-12>config>log# info...
Deleting an SNMP Trap Group Use the following CLI syntax to delete a trap target and SNMP trap group: CLI Syntax: config>log no snmp-trap-group log-id no trap-target name The following displays the SNMP trap group configuration: ALU-12>config>log# info ---------------------------------------------- snmp-trap-group 10...
The following output displays the current log filter configuration:
ALU-12>config>log# info
#------------------------------------------
echo "Log Configuration"
#------------------------------------------
filter 1
default-action drop
description "This is a sample filter."
entry 1
action forward
match
application eq "atm"
severity eq critical
exit
exit
exit...
Deleting a Log Filter Use the following CLI syntax to delete a log filter: CLI Syntax: config>log no filter filter-id The following output displays the current log filter configuration: The following displays an example of the command to delete a log filter: Example: config>log# no filter 1 Modifying Event Control Parameters...
Returning to the Default Event Control Configuration The no form of the event-control command returns modified values back to the default values. Use the following CLI syntax to return to the default event control configuration: CLI Syntax: config>log no event-control application [event-name | event-number] The following displays an example of the command usage to return to the default values:...
Log Command Reference Command Descriptions • Configuration Commands on page 245 • Show Commands on page 279 • Clear Commands on page 298
Generic Commands description Syntax description string no description Context config>log>filter filter-id config>log>filter filter-id>entry entry-id config>log>log-id log-id config>log>accounting-policy policy-id config>log>file-id file-id config>log>syslog syslog-id config>log>snmp-trap-group Description This command creates a text description stored in the configuration file for a configuration context. The command associates a text string with a configuration context to help identify the content in the configuration file.
Special Cases log-id — When a log-id is shut down, no events are collected for the entity. This leads to the loss of event data. policy-id — When an accounting policy is shut down, no accounting data is written to the destination log ID.
Accounting Policy Commands accounting-policy Syntax accounting-policy policy-id [interval minutes] no accounting-policy policy-id Context config>log Description This command creates an access accounting policy. An accounting policy defines the accounting records that are created. Access accounting policies are policies that can be applied to one or more service access points (SAPs).
default Syntax [no] default Context config>log>accounting-policy policy-id Description This command adds the designation that the accounting policy ID is the default access accounting policy to be used with all SAPs without a specified accounting policy. If no access accounting policy is defined on a SAP, accounting records are produced in accordance with the default access policy.
Only one record may be configured in a single accounting policy. Note: Collecting excessive statistics can adversely affect the CPU utilization and take up large amounts of storage space. The no form of the command removes the record type from the policy. Default No accounting record is defined.
Event Control event-control Syntax event-control application-id [event-name | event-number] [generate [severity-level] [throttle]] event-control application-id [event-name | event-number] suppress no event-control application [event-name | event-number] Context config>log Description This command is used to specify that a particular event, or all events associated with an application, are either generated or suppressed.
event-name | event-number — to generate, suppress, or revert to default for a single event, enter the specific number or event short name. If no event number or name is specified, the command applies to all events in the application. To display a list of all event short names use the event-control command.
Log File Commands file-id Syntax [no] file-id file-id Context config>log Description This command creates the context to configure a file ID template to be used as a destination for an event log or billing file. This command defines the file location and characteristics that are to be used as the destination for a log event message stream or accounting and billing information.
• the accounting file is compressed and has a gz extension When initialized, each file will contain: • the log-id description • the time the file was opened • the reason the file was created • the sequence number of the last event stored on the log (if the event log file was closed properly) If the process of writing to a log file fails (for example, the compact flash card is full) and if a backup location is not specified or fails, the log file will not become operational even if the compact flash...
When creating files, the primary location is used as long as there is available space. If no space is available, an attempt is made to delete unnecessary files that are past their retention date. If sufficient space is not available, an attempt is made to remove the oldest to newest closed log or accounting files.
retention hours — the retention period in hours, expressed as a decimal integer. The retention time is based on the creation time of the file. The file becomes a candidate for removal once the creation datestamp + rollover time + retention time is less than the current timestamp. Default Values 1 to 500...
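As an added example, not the 7705 SAR's own code, the following Python script models the space-reclamation order described above for a file-id location: closed files whose creation datestamp + rollover time + retention time lies before the current time are removed first, and only if space is still short are the remaining closed files removed from oldest to newest. It also splits accounting file names of the aaff-timestamp.xml.gz form (from the Log Destinations section) into policy ID and file ID. Assumptions of this example: rollover is given in minutes and retention in hours, open files are never removed, and the timestamp part of the name is kept as an opaque string because its layout is not given here; the file list, sizes and free-space figures are constructed.

```python
# Added example, not the 7705 SAR's own code: models the file-id space-reclamation
# order described above and the aaff-timestamp.xml.gz accounting file naming.
import re
from datetime import datetime, timedelta

# aa = accounting policy ID, ff = log file destination ID; the timestamp layout
# is not given here, so it is captured as an opaque string (assumption).
ACCT_NAME_RE = re.compile(r'^(?P<policy>\d{2})(?P<file>\d{2})-(?P<timestamp>[^.]+)\.xml\.gz$')


def parse_acct_name(name):
    """Return policy ID, file ID and timestamp text, or None for a non-matching name."""
    m = ACCT_NAME_RE.match(name)
    if not m:
        return None
    return {"policy_id": int(m["policy"]), "file_id": int(m["file"]), "timestamp": m["timestamp"]}


def removal_time(created, rollover_minutes, retention_hours):
    """creation datestamp + rollover time + retention time (units assumed: minutes, hours)."""
    return created + timedelta(minutes=rollover_minutes, hours=retention_hours)


def reclaim(files, needed_bytes, free_bytes, now, rollover_minutes, retention_hours):
    """Return (names removed, free bytes afterwards).
    Step 1: remove closed files whose removal time has passed.
    Step 2: if still short, remove the remaining closed files oldest to newest.
    Open (still being written) files are never touched, an assumption of this example."""
    removed = []
    closed = sorted((f for f in files if f["closed"]), key=lambda f: f["created"])
    if free_bytes >= needed_bytes:
        return removed, free_bytes
    for f in closed:                                    # step 1: expired files
        if removal_time(f["created"], rollover_minutes, retention_hours) < now:
            removed.append(f["name"])
            free_bytes += f["size"]
    for f in closed:                                    # step 2: oldest closed first
        if free_bytes >= needed_bytes:
            break
        if f["name"] not in removed:
            removed.append(f["name"])
            free_bytes += f["size"]
    return removed, free_bytes


# Constructed file list for policy 05, file-id 01; sizes are arbitrary byte counts.
SAMPLE_FILES = [
    {"name": "0501-tsA.xml.gz", "created": datetime(2007, 11, 26, 0, 0), "size": 30, "closed": True},
    {"name": "0501-tsB.xml.gz", "created": datetime(2007, 11, 27, 6, 0), "size": 20, "closed": True},
    {"name": "0501-tsC.xml.gz", "created": datetime(2007, 11, 27, 20, 0), "size": 20, "closed": True},
    {"name": "0501-tsD.xml.gz", "created": datetime(2007, 11, 28, 10, 0), "size": 10, "closed": False},
]


def demo():
    # rollover 600 minutes and retention 24 hours, as in the file-id example earlier in this chapter
    now = datetime(2007, 11, 28, 12, 0)
    return reclaim(SAMPLE_FILES, needed_bytes=60, free_bytes=5, now=now,
                   rollover_minutes=600, retention_hours=24)
```

With these figures only tsA has passed its removal time (created 26 Nov 00:00 plus 34 hours), so step 1 frees 30 bytes; step 2 then removes tsB and tsC before enough space is available, while the open file tsD is left alone. The same arithmetic tells an operator how long evidence in a security log file survives on the card under a given rollover/retention pair before space pressure can evict it.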
Log Filter Commands filter Syntax [no] filter filter-id Context config>log Description This command creates a context for an event filter. An event filter specifies whether to forward or drop an event or trap based on the match criteria. Filters are configured in the filter filter-id context and then applied to a log in the log-id log-id context.
Log Filter Entry Commands action Syntax action {drop | forward} no action Context config>log>filter filter-id>entry entry-id Description This command specifies a drop or forward action associated with the filter entry. If neither drop nor forward is specified, the default-action will be used for traffic that conforms to the match criteria.
Default No event filter entries are defined. An entry must be explicitly configured. Parameters entry-id — uniquely identifies a set of match criteria and the corresponding action within a filter. Entry ID values should be configured in staggered increments so you can insert a new entry in an existing policy without renumbering the existing entries.
Log Filter Entry Match Commands match Syntax [no] match Context config>log>filter filter-id>entry entry-id Description This command creates the context to enter or edit match criteria for a filter entry. When the match criteria are satisfied, the action associated with the entry is executed. If more than one match parameter (within one match statement) is specified, then all the criteria must be satisfied and functional before the action associated with the match is executed.
Parameters eq | neq — the operator specifying the type of match. Valid operators are listed in the table below. Operator Notes: eq: Equal to; neq: Not equal to. application-id — the application name string Values atm, chassis, debug, efm_oam, filter, gsmp, ip, ldp, logger, mpls, ntp, oam, port, ppp, qos, route_policy, security, snmp, stp, svcmgr, system, tip, tod, user, user_db, vrtr number...
event-id — the event ID, expressed as a decimal integer Values 1 to 4294967295 router Syntax router {eq | neq} router-instance [regexp] no router Context config>log>filter>entry>match Description This command specifies the log event matches for the router. Parameters eq —...
Parameters eq | neq | lt | lte | gt | gte — this operator specifies the type of match. Valid operators are listed in the table below. Operator Notes: eq: Equal to; neq: Not equal to; lt: Less than; lte: Less than or equal to; gt: Greater than; gte: Greater than or equal to...
Default no subject Parameters eq | neq — this operator specifies the type of match. Valid operators are listed in the following table: Operator Notes: eq: Equal to; neq: Not equal to. subject — a string used as the subject match criterion. regexp —...
Syslog Commands syslog Syntax [no] syslog syslog-id Context config>log Description This command creates the context to configure a syslog target host that is capable of receiving selected syslog messages from the 7705 SAR. A valid syslog-id must have the target syslog host address configured. A maximum of 10 syslog IDs can be configured.
facility Syntax facility syslog-facility no facility Context config>log>syslog syslog-id Description This command configures the facility code for messages sent to the syslog target host. Multiple syslog IDs can be created with the same target host but each syslog ID can only have one facility code.
Numerical Code Facility Code log-audit log-alert cron2 local0 local1 local2 local3 local4 local5 local6 local7 Values 0 to 23 level Syntax level syslog-level no level Context config>log>syslog syslog-id Description This command configures the syslog message severity level threshold. All messages with severity level equal to or higher than the threshold are sent to the syslog target host.
Parameters syslog-level — the threshold severity level name. Values are described in the table below. Values emergency, alert, critical, error, warning, notice, info, debug 7705 SAR Syslog Severity Configured Definition Severity Level Level Severity (highest to lowest) emergency System is unusable 3 critical...
Parameters log-prefix-string — an alphanumeric string of up to 32 characters. Special characters (#, $, spaces, etc.) cannot be used in the string. port Syntax port value no port Context config>log>syslog syslog-id Description This command configures the UDP port that will be used to send syslog messages to the syslog target host.
Logging Destination Commands log-id Syntax [no] log-id log-id Context config>log Description This command creates a context to configure destinations for event streams. The log-id context is used to direct events, alarms/traps, and debug information to respective destinations. A maximum of 10 logs can be configured.
An event filter policy defines (limits) the events that are forwarded to the destination configured in the log-id. The event filter policy can also be used to select the alarms and traps to be forwarded to a destination snmp-trap-group.
security — instructs all events in the security event stream to be sent to the destination defined in the to command for this destination log-id. The security stream contains all events that affect attempts to breach system security such as failed login attempts, attempts to access MIB tables to which the user is not granted access, or attempts to enter a branch of the CLI to which access has not been granted.
The source of the data stream must be specified in the from command prior to configuring the destination with the to command. The to command cannot be modified or re-entered. If the log destination needs to be changed or if the maximum size of an SNMP log or memory log needs to be modified, the log ID must be removed then recreated.
to session Syntax to session Context config>log>log-id log-id Description This is one of the commands used to specify the log ID destination. This parameter is mandatory when configuring a log destination. This command instructs the events selected for the log ID to be directed to the current console or telnet session.
Parameters size — defines the number of events stored in this memory log Default Values 50 to 1024 to syslog Syntax to syslog syslog-id Context config>log>log-id Description This is one of the commands used to specify the log ID destination. This parameter is mandatory when configuring a log destination.
SNMP Trap Groups snmp-trap-group Syntax [no] snmp-trap-group log-id Context config>log Description This command creates the context to configure a group of SNMP trap receivers and their operational parameters for a given log-id. A trap group specifies the types of SNMP traps and specifies the log ID that will receive the group of SNMP traps.
The trap-target command is used to add or remove a trap receiver from an snmp-trap-group. The operational parameters specified in the command include: • the IP address of the trap receiver • the UDP port used to send the SNMP trap •...
The keyword snmpv2c selects the SNMP version 2c format. When specifying snmpv2c, the notify-community parameter must be configured for the proper SNMP community string that the trap receiver expects to be present in alarms and traps messages. If the SNMP version is changed from snmpv3 to snmpv2c, then the notify-community parameter must be changed to reflect the community string rather than the security-name that is used by snmpv3.
Show Commands accounting-policy Syntax accounting-policy [acct-policy-id] access Context show>log Description This command displays accounting policy information. Parameters acct-policy-id — the policy ID that uniquely identifies the accounting policy, expressed as a decimal integer Values 1 to 99 access —...
Table 31: Accounting Policy Output Fields (Continued) (Label: Description) Record Name: The accounting record name that represents the configured record type. This policy is applied to: Specifies the entities that the accounting policy is applied to. Sample Output A:ALU-1# show log accounting-policy ============================================================================== Accounting Policies...
accounting-records Syntax accounting-records Context show>log Description This command displays accounting policy record names. Output Accounting Records Output — The following table describes accounting records output fields. Table 32: Accounting Records Output Fields (Label: Description) Record #: The record ID that uniquely identifies the accounting policy, expressed as a decimal integer. The accounting record name...
applications Syntax applications Context show>log Description This command displays a list of all application names that can be used in event-control and filter commands. Sample Output A:ALU-1# show log applications ================================== Log Event Application Names ================================== Application Name ---------------------------------- CHASSIS...
event-control Syntax event-control [application [event-name | event-number]] Context show>log Description This command displays event control settings for events, including whether the event is suppressed or generated and the severity level for the event. If no options are specified, all events, alarms and traps are listed. Parameters application —...
Table 33: Event Control Output Fields (Continued) (Label: Description) gen — the event will be generated/logged by event control; sup — the event will be suppressed/dropped by event control; thr — specifies that throttling is enabled. Logged: The number of events logged/generated. Dropped: The number of events dropped/suppressed...
2003 cli_user_login_failed 2004 cli_user_login_max_attempts 2005 ftp_user_login 2006 ftp_user_logout 2007 ftp_user_login_failed 2008 ftp_user_login_max_attempts 2009 cli_user_io 2010 snmp_user_set 2011 cli_config_io 4357 ======================================================================= A:ALU-1# file-id Syntax file-id [log-file-id] Context show>log Description This command displays event log file information. If no command line parameters are specified, a summary output of all event log files is displayed. Specifying a file ID displays detailed information on the event log file.
Table 34: Log File Summary Output Fields (Continued) (Label: Description) in progress — indicates the current open log file state; complete — indicates the old log file. Sample Output A:ALU-1# show log file-id ============================================================= File Id List ============================================================= file-id rollover...
Event and Accounting Logs filter-id Syntax filter-id [filter-id] Context show>log Description This command displays event log filter policy information. If you specify a filter ID, the command also displays the filter match criteria. Parameters filter-id — displays detailed information on the specified event filter policy ID Output Event Log Filter Summary Output —...
Log Filter Match Criteria Output — The following table describes the output fields for log filter match criteria information.

Table 36: Filter ID Match Criteria Output Fields

Label: Description
Entry-id: The event log filter entry ID
Action: default — there is no explicit action for the event log filter entry and the filter's default action is used on matching events; drop —...
Table 36: Filter ID Match Criteria Output Fields (Continued)

Label: Description
greaterThan — matches when greater than the match criterion
greaterThanOrEqual — matches when greater than or equal to the match criterion
lessThan — matches when less than the match criterion
lessThanOrEqual —...
log-collector

Syntax
log-collector

Context
show>log

Description
This command displays log collector statistics for the main, security, change and debug log collectors.

Output
Log Collector Output — The following table describes log collector output fields.

Table 37: Log Collector Output Fields

Label: Description —...
Table 37: Log Collector Output Fields (Continued)

Label: Description
SNMP traps — events defined as SNMP traps are sent to the configured SNMP trap destinations and are logged in NOTIFICATION-LOG-MIB tables
File — all selected log events are directed to a file on the CSM's compact flash disk
Memory —...
Parameters
log-id — displays the contents of the specified log file or memory log ID. The log ID must have a destination of an SNMP or log file or a memory log for this parameter to be used.

Default
Displays the event log summary

Values...
Output
Show Log ID Output — The following table describes the log ID field output.

Table 38: Log ID Output Fields

Label: Description
Log Id: An event log destination
Source: no — the event log filter is not currently in use by a log ID; yes —...
Table 38: Log ID Output Fields (Continued)

Label: Description
Size: The allocated memory size for the log
Time format: The time format specifies the type of timestamp format for events sent to logs where the log ID destination is either syslog or file. When the time format is UTC, timestamps are written using the Coordinated Universal Time value.
snmp-trap-group

Syntax
snmp-trap-group [log-id]

Context
show>log

Description
This command displays SNMP trap group configuration information.

Parameters
log-id — displays only SNMP trap group information for the specified trap group log ID
Values: 1 to 99

Output
SNMP Trap Group Output —...
syslog

Syntax
syslog [syslog-id]

Context
show>log

Description
This command displays syslog event log destination summary information or detailed information on a specific syslog destination.

Parameters
syslog-id — displays detailed information on the specified syslog event log destination
Values: 1 to 10

Output...
Sample Output
*A:ALU-48>config>log# show log syslog
===============================================================================
Syslog Target Hosts
===============================================================================
Ip Address Port Sev Level Below Level Drop Facility Pfx Level
-------------------------------------------------------------------------------
unknown info local7
unknown info mail
===============================================================================
*A:ALU-48>config>log#
*A:ALU-48>config>log# show log syslog 1
===============================================================================
Syslog Target 1
===============================================================================...
Clear Commands

Syntax
log log-id

Context
clear

Description
This command reinitializes/rolls over the specified memory log or log file. Memory logs are reinitialized and cleared of contents. Log files are manually rolled over by this command. This command is only applicable to event logs that are directed to file destinations and memory destinations.
Standards and Protocol Support

Standards Compliance
IEEE 802.1p/q VLAN Tagging
IEEE 802.3 10BaseT
IEEE 802.3u 100BaseTX
IEEE 802.3x Flow Control

DIFFERENTIATED SERVICES
RFC 2474 Definition of the DS Field in the IPv4 and IPv6 Headers
RFC 2597 Assured Forwarding PHB Group
RFC 2598 An Expedited Forwarding PHB
RFC 3140...
RFC 2575 SNMP-VIEW-BASED ACM-
RFC 2576 SNMP-COMMUNITY-MIB
RFC 2588 SONET-MIB
RFC 2665 EtherLike-MIB
RFC 2819 RMON-MIB

PSEUDOWIRES
RFC 3985 Pseudo Wire Emulation Edge-to-Edge (PWE3) Architecture
RFC 4385 Pseudowire Emulation Edge-to-Edge (PWE3) Control Word for Use over an MPLS PSN
RFC 4446...
Customer documentation and product support

Customer documentation
http://www.alcatel-lucent.com/myaccess
Product manuals and documentation updates are available at alcatel-lucent.com. If you are a new user and require access to this service, please contact your Alcatel-Lucent sales representative.

Technical Support
http://www.alcatel-lucent.com/support

Documentation feedback...