Alcatel-Lucent 7705 SAR-8 System Management Manual


Alcatel-Lucent 7705
SERVICE AGGREGATION ROUTER OS | RELEASE 2.0
SYSTEM MANAGEMENT GUIDE
Alcatel-Lucent Proprietary
This document contains proprietary information of Alcatel-Lucent and is not to be disclosed
or used except in accordance with applicable agreements.
Copyright 2009 © Alcatel-Lucent. All rights reserved.


Summary of Contents for Alcatel-Lucent 7705 SAR-8

  • Page 1 SYSTEM MANAGEMENT GUIDE Alcatel-Lucent Proprietary This document contains proprietary information of Alcatel-Lucent and is not to be disclosed or used except in accordance with applicable agreements.
  • Page 2 The customer hereby agrees that the use, sale, license or other distribution of the products for any such application without the prior written consent of Alcatel-Lucent, shall be at the customer's sole risk. The customer hereby agrees to defend and hold Alcatel-Lucent harmless from any claims for loss, cost, damage, expense or liability that may arise out of or in connection with the use, sale, license or other distribution of the products in such applications.
  • Page 3: Table Of Contents

    Getting Started ..............23 Alcatel-Lucent 7705 SAR System Management Configuration Process......23 Notes on 7705 SAR-8 and 7705 SAR-F .
  • Page 4 Table of Contents Copying a Profile ..............59 Configuring SSH .
  • Page 5 Table of Contents Event and Accounting Logs ............195 Logging Overview .
  • Page 6 Table of Contents Log Command Reference ............. . . 239 Command Hierarchies .
  • Page 7 7705 SAR-8 and 7705 SAR-F Comparison ........
  • Page 8 List of Tables Table 32: Accounting Records Output Fields ..........281 Table 33: Event Control Output Fields .
  • Page 9 List of Figures Security............... . . 27 Figure 1: RADIUS Requests and Responses .
  • Page 10 List of Figures Page 10 7705 SAR OS System Management Guide...
  • Page 11: List Of Acronyms

    List of Acronyms Acronym Expansion second generation wireless telephone technology 3DES triple DES (data encryption standard) third generation mobile telephone technology 5620 SAM 5620 Service Aware Manager 7705 SAR 7705 Service Aggregation Router available bit rate area border router alternating current attachment circuit access control list adaptive clock recovery...
  • Page 12 List of Acronyms Acronym Expansion BITS building integrated timing supply boot options file BRAS Broadband Remote Access Server Base Station Controller BSTA Broadband Service Termination Architecture base transceiver station channel associated signaling common bonding networks committed buffer space control channel customer edge circuit emulation circuit emulation...
  • Page 13 List of Acronyms Acronym Expansion CRON a time-based scheduling service (from chronos = time) Control and Switching Module CSPF constrained shortest path first connection verification customer VLAN (tag) control word direct current DC-C DC return - common DC-I DC return - isolated digitally controlled oscillator DDoS distributed DoS...
  • Page 14 List of Acronyms Acronym Expansion exterior gateway protocol ELER egress label edge router Epipe Ethernet VLL explicit route object electrostatic discharge end-to-end EVDO evolution - data optimized EXP bits experimental bits forwarding class frame check sequence forwarding database facilities data link forwarding equivalence class fixed filter forwarding information base...
  • Page 15 List of Acronyms Acronym Expansion IMA control protocol cells IEEE Institute of Electrical and Electronics Engineers Internet Enhanced Service IETF Internet Engineering Task Force interior gateway protocol ILER ingress label edge router incoming label map inverse multiplexing over ATM input/output module Internet Protocol IPCP Internet Protocol Control Protocol...
  • Page 16 List of Acronyms Acronym Expansion maximum buffer space maximum burst size media buffer space message digest version 5 (algorithm) media dependent adapter Metro Ethernet Forum multi-field classification management information base minimum information rate MLPPP multilink point-to-point protocol merge point multilink protocol MPLS multiprotocol label switching MRRU...
  • Page 17 List of Acronyms Acronym Expansion optical carrier, level 3 operating system OSPF open shortest path first OSPF-TE OSPF-traffic extensions operations support system protocol data units packet delay variation PDVT packet delay variation tolerance provider edge router per-hop behavior physical layer protocol ID peak information rate point of local repair...
  • Page 18 List of Acronyms Acronym Expansion routing information base Radio Network Controller record route object RSVP-TE resource reservation protocol - traffic engineering R&TTE Radio and Telecommunications Terminal Equipment receive/transmit routing table manager battery return real-time protocol service assurance agent service access point SAR-8 7705 Service Aggregation Router - 8-slot chassis SAR-F...
  • Page 19 List of Acronyms Acronym Expansion shortest path first service router (includes 7710 SR, 7750 SR) secure shell system synchronization unit STM1 synchronous transport module, level 1 switched virtual circuit TACACS+ Terminal Access Controller Access-Control System Plus transmission control protocol time division multiplexing TLDP targeted LDP type length value...
  • Page 20 List of Acronyms Acronym Expansion virtual leased line VoIP voice over IP virtual path virtual path connection virtual path identifier virtual private network VPRN virtual private routed network virtual routing and forwarding table WCDMA wideband code division multiple access (transmission protocol used in UMTS networks) WRED weighted random early discard...
  • Page 21: Preface

    Preface About This Guide This guide describes general information you will need to configure router security, SNMP features, and event and accounting logs. It covers basic tasks such as configuring management access filters that control traffic in and out of the CSM, passwords, user profiles, security such as RADIUS, TACACS+, and SSH servers, the router clock, and virtual routers.
  • Page 22: List Of Technical Publications

    If you purchased a service agreement for your 7705 SAR router and related products from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased an Alcatel-Lucent service agreement, contact your welcome center: Web: http://www1.alcatel-lucent.com/comps/pages/carrier_support.jhtml...
  • Page 23: Getting Started

    In This Chapter This chapter provides process flow information to configure system security and access functions as well as event and accounting logs. Alcatel-Lucent 7705 SAR System Management Configuration Process Table 1 lists the tasks necessary to configure system security and access functions and logging features.
  • Page 24: Notes On 7705 Sar-8 And 7705 Sar-F

    Getting Started Notes on 7705 SAR-8 and 7705 SAR-F The 7705 SAR-8 and the 7705 SAR-F run the same operating system software. The main difference between the products is their hardware configuration. The 7705 SAR-8 has an 8-slot chassis that supports two CSMs, six adapter cards, and a Fan module. The...
  • Page 25 The +24 VDC version of the 7705 SAR-8 only supports version 2 of the 8-port Ethernet Adapter card. On the 7705 SAR-8, the CLI indicates the MDA type for the 8-port Ethernet Adapter card as a8-eth or a8-ethv2. On the 7705 SAR-F, the CLI indicates the MDA type for the 7705 SAR-F Ethernet ports as a8-ethv3, to distinguish it from the actual version 2 of the 8-port Ethernet Adapter card.
  • Page 26 Getting Started Page 26 7705 SAR OS System Management Guide...
  • Page 27: Security

    Security In This Chapter This chapter provides information to configure security parameters. Topics in this chapter include: • Authentication, Authorization, and Accounting on page 28 → Authentication on page 29 → Authorization on page 31 → Accounting on page 33 •...
  • Page 28: Authentication, Authorization, And Accounting

    Authentication, Authorization, and Accounting Authentication, Authorization, and Accounting This chapter describes authentication, authorization, and accounting (AAA) used to monitor and control network access on the 7705 SAR. Network security is based on a multi-step process. The first step, authentication, validates a user’s name and password. The second step is authorization, which allows the user to access and execute commands at various command levels based on profiles assigned to the user.
  • Page 29: Authentication

    Security Figure 1 depicts end-user access requests sent to a RADIUS server. After validating the user names and passwords, the RADIUS server returns an access accept message to the users on ALU-1 and ALU-2. The user name and password from ALU-3 could not be authenticated, thus access was denied.
  • Page 30: Local Authentication

    Authentication, Authorization, and Accounting The user login is successful when the RADIUS server accepts the authentication request and responds to the router with an access accept message. Implementing authentication without authorization for the 7705 SAR does not require the configuration of VSAs (Vendor Specific Attributes) on the RADIUS server. However, users, user access permissions, and command authorization profiles must be configured on each router.
  • Page 31: Tacacs+ Authentication

    Security TACACS+ Authentication Terminal Access Controller Access Control System, commonly referred to as TACACS, is an authentication protocol that allows a remote access server to forward a user's login password to an authentication server to determine whether access can be allowed to a given system.
  • Page 32: Local Authorization

    Authentication, Authorization, and Accounting When authorization is configured and profiles are downloaded to the router from the RADIUS server, the profiles are considered temporary configurations and are not saved when the user session terminates. Table 3: Supported Authorization Configurations Local Authorization RADIUS Authorization 7705 SAR configured user Supported...
  • Page 33: Tacacs+ Authorization

    Security TACACS+ Authorization Like RADIUS authorization, TACACS+ grants or denies access permissions for a 7705 SAR router. The TACACS+ server sends a response based on the user name and password. TACACS+ separates the authentication and authorization functions. RADIUS combines the authentication and authorization functions.
  • Page 34: Tacacs+ Accounting

    Authentication, Authorization, and Accounting TACACS+ Accounting The 7705 SAR allows you to configure the type of accounting record packet that is to be sent to the TACACS+ server when specified events occur on the device. The accounting record-type parameter indicates whether TACACS+ accounting start and stop packets will be sent or just stop packets will be sent.
  • Page 35: Security Controls

    30 seconds. Health check is enabled by default. When a service response is restored from at least one server, the alarm condition is cleared. Alarms are raised and cleared on the Alcatel-Lucent Fault Manager or other third party fault management servers.
  • Page 36: Figure 2: Security Flow

    Security Controls If a request is sent to an active RADIUS server and the user name and password are not recognized, access is denied and passed on to the next authentication option, in this case, the TACACS+ server. The process continues until the request is either accepted, denied, or each server is queried.
  • Page 37: Vendor-Specific Attributes (Vsas)

    Security Vendor-Specific Attributes (VSAs) The 7705 SAR software supports the configuration of Alcatel-Lucent-specific RADIUS attributes. These attributes are known as vendor-specific attributes (VSAs) and are discussed in RFC 2138. VSAs must be configured when RADIUS authorization is enabled. It is up to the vendor to specify the format of their VSA.
  • Page 38 Vendor-Specific Attributes (VSAs) All commands at and below the hierarchy level of the matched command are subject to the VSA. timetra-action Multiple match-strings can be entered in a single VSA. Match strings timetra-cmd must be semicolon (;) separated (maximum string length is 254 characters). One or more VSAs can be entered followed by a single timetra-cmd...
  • Page 39: Sample User (Vsa) Configuration

    Timetra-Access = ftp
    Timetra-Default-Action = deny-all,
    Timetra-Cmd = "configure",
    Timetra-Cmd = "show",
    Timetra-Action = permit,
    Timetra-Cmd = "debug",
    Timetra-Action = permit,

    Alcatel-Lucent Dictionary
        # Version: 20061003-1
        VENDOR Alcatel-IPD 6527
        # User management VSAs
        ATTRIBUTE Timetra-Access 1 integer Alcatel-IPD
        ATTRIBUTE Timetra-Home-Directory 2 string Alcatel-IPD
        ATTRIBUTE Timetra-Restrict-To-Home 3 integer Alcatel-IPD
        ATTRIBUTE Timetra-Profile 4 string Alcatel-IPD
        ATTRIBUTE Timetra-Default-Action 5 integer Alcatel-IPD...
  • Page 40 Vendor-Specific Attributes (VSAs)

        ATTRIBUTE Timetra-Action 7 integer Alcatel-IPD
        ATTRIBUTE Timetra-Exec-File 8 string Alcatel-IPD
        # RADIUS authorization and CoA VSAs
        ATTRIBUTE Alc-Primary-Dns 9 ipaddr Alcatel-IPD
        ATTRIBUTE Alc-Secondary-Dns 10 ipaddr Alcatel-IPD
        ATTRIBUTE Alc-Subsc-ID-Str 11 string Alcatel-IPD
        ATTRIBUTE Alc-Subsc-Prof-Str 12 string Alcatel-IPD
        ATTRIBUTE Alc-SLA-Prof-Str 13 string Alcatel-IPD
        ATTRIBUTE Alc-Force-Renew 14 string Alcatel-IPD # CoA
        ATTRIBUTE Alc-Create-Host 15 string Alcatel-IPD # CoA
        ATTRIBUTE Alc-ANCP-Str 16 string Alcatel-IPD
        ATTRIBUTE Alc-Retail-Serv-Id 17 integer Alcatel-IPD
        ATTRIBUTE Alc-Default-Router 18 ipaddr Alcatel-IPD
        # RADIUS accounting VSAs
        ATTRIBUTE Alc-Acct-I-Inprof-Octets-64 19 octets Alcatel-IPD
        ATTRIBUTE Alc-Acct-I-Outprof-Octets-64 20 octets Alcatel-IPD
        ATTRIBUTE Alc-Acct-O-Inprof-Octets-64 21 octets Alcatel-IPD...
  • Page 41: Other Security Features

    Security Other Security Features Secure Shell (SSH) Secure Shell Version 1 (SSH1) is a protocol that provides a secure, encrypted Telnet-like connection to a router. A connection is always initiated by the client (the user). Authentication takes place by one of the configured authentication methods (local, RADIUS, or TACACS+).
  • Page 42: Csm Filters And Csm Security

    Other Security Features When using SCP to copy files from an external device to the file system, the 7705 SAR SCP server will accept either forward slash (“/”) or backslash (“\”) characters to delimit directory and/or filenames. Similarly, the 7705 SAR SCP client application can use either slash or backslash characters, but not all SCP clients treat backslash characters as equivalent to slash characters.
  • Page 43: Exponential Login Backoff

    Security • multiple options • option present • source IP • source port • TCP ACK • TCP SYN To avoid DoS-like attacks overwhelming the control plane while ensuring that critical control traffic such as signaling is always serviced in a timely manner, the 7705 SAR has three queues (High, Low, and Ftp) for handling packets addressed to the CSM: •...
  • Page 44: Configuration Notes

    Security Configuration Notes This section describes security configuration caveats. • If a RADIUS or a TACACS+ server is not configured, then password, profiles, and user access information must be configured on each router in the domain. • If RADIUS authorization is enabled, then VSAs must be configured on the RADIUS server.
  • Page 45: Configuring Security With Cli

    Security Configuring Security with CLI This section provides information to configure security using the command line interface. Topics in this section include: • Setting Up Security Attributes on page 46 → Configuring Authentication on page 46 → Configuring Authorization on page 47 →...
  • Page 46: Setting Up Security Attributes

    Setting Up Security Attributes Setting Up Security Attributes Table 4 depicts the capabilities of authentication, authorization, and accounting configurations. For example, authentication can be enabled locally and on RADIUS and TACACS+ servers. Authorization can be executed locally, on a RADIUS server, or on a TACACS+ server.
  • Page 47: Configuring Authorization

    Security • TACACS+ authentication To implement TACACS+ authentication, perform the following tasks on each participating 7705 SAR router: → Configuring Profiles on page 55 → Configuring Users on page 56 → Enabling TACACS+ Authentication on page 66 Configuring Authorization Refer to the following sections to configure authorization: •...
  • Page 48: Configuring Accounting

    Setting Up Security Attributes Configuring Accounting Refer to the following sections to configure accounting. • Local accounting is not implemented. For information about configuring accounting policies, refer to Configuring Logging with CLI on page 217. • Configuring RADIUS Accounting on page 65 •...
  • Page 49: Security Configurations

    Security Security Configurations This section provides information on configuring security and examples of configuration tasks. To implement security features, configure the following components: • management access filters • CPM (CSM) filters • profiles • user access parameters • password management parameters •...
  • Page 50 Security Configurations

            exit
        exit
        profile "administrative"
            default-action permit-all
            entry 10
                no description
                match "configure system security"
                action permit
            exit
        password
            authentication-order radius tacplus local
            no aging
            minimum-length 6
            attempts 3 time 5 lockout 10
            complexity
        exit
        user "admin"
            password "./3kQWERTYn0Q6w" hash
            access console
            no home-directory
            no restricted-to-home...
  • Page 51: Security Configuration Procedures

    Security Security Configuration Procedures • Configuring Management Access Filters • Configuring CPM (CSM) Filters • Configuring Password Management Parameters • Configuring Profiles • Configuring Users • Copying and Overwriting Users and Profiles • Configuring SSH • Configuring Login Controls • RADIUS Configurations •...
  • Page 52 Security Configuration Procedures

        no shutdown
        entry entry-id
            description description-string
            src-port {port-id cpm}
            src-ip {ip-prefix/mask | ip-prefix netmask}
            protocol protocol-id
            router {router-instance}
            dst-port port [mask]
            action {permit | deny | deny-host-unreachable}

    The following displays an example of the management access filter command usage.
    Example:
        config>system>security# management-access-filter
        security>mgmt-access-filter# ip-filter default-action...
  • Page 53: Configuring Cpm (Csm) Filters

    Security Configuring CPM (CSM) Filters CPM filters control all traffic going in to the CSM, including all routing protocols. They apply to packets from all network and access ports, but not to packets from a management Ethernet port. CPM packet filtering is performed by network processor hardware using no resources on the main CPUs.
  • Page 54: Configuring Password Management Parameters

    Security Configuration Procedures Configuring Password Management Parameters Configuring password management parameters consists of defining aging, the authentication order and authentication methods, password length and complexity, as well as the number of attempts a user can make to enter a password. Depending on the authentication requirements, password parameters are configured locally or on the RADIUS or TACACS+ server.
  • Page 55: Configuring Profiles

    Security Configuring Profiles Profiles are used to deny or permit access to a hierarchical branch or specific commands. Profiles are referenced in a user configuration. A maximum of 16 user profiles can be defined. A user can participate in up to 16 profiles. Depending on the authorization requirements, passwords are configured locally or on the RADIUS server.
  • Page 56: Configuring Users

    Security Configuration Procedures Configuring Users Access parameters are configured for individual users. For each user, the login name and, optionally, information that identifies the user is defined. Use the following CLI commands to configure access parameters for users: CLI Syntax: config>system>security user-template template-name user user-name access [ftp] [snmp] [console]...
  • Page 57: Copying And Overwriting Users And Profiles

    Security The following example displays the user configuration:
        ALU-1>config>system>security# info
        ----------------------------------------------
            user "49ers"
                password "qQbnuzLd7H/VxGdUqdh7bE" hash2
                access console ftp snmp
                restricted-to-home
                console
                    member "default"
                    member "ghost"
                exit
            exit
        --------------------------------------------
        ALU-1>config>system>security#
    Copying and Overwriting Users and Profiles You can copy a profile or user or overwrite an existing profile or user. The overwrite option must be specified;...
  • Page 58 Security Configuration Procedures

                    group "testgroup"
                exit
            exit
            user "testuserA"
                password "" hash2
                access snmp console
                console
                    new-password-at-login
                exit
                snmp
                    authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
                    group "testgroup"
                exit
            exit
        ----------------------------------------------
        ALU-12>config>system>security# info
    Note: The cannot-change-password flag is not replicated when a copy user command is performed.
  • Page 59: Copying A Profile

    Security Copying a Profile
    CLI Syntax: config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
    Example: config>system>security# copy profile default to testuser
    The following output displays the copied profiles:
        A:ALU-49>config>system>security# info
        ----------------------------------------------
        A:ALU-49>config>system>security# info detail
        ----------------------------------------------
            profile "default"
                default-action none
                entry 10
                    no description
                    match "exec"...
  • Page 60 Security Configuration Procedures

            exit
            profile "testuser"
                default-action none
                entry 10
                    no description
                    match "exec"
                    action permit
                exit
                entry 20
                    no description
                    match "exit"
                    action permit
                exit
                entry 30
                    no description
                    match "help"
                    action permit
                exit
                entry 40
                    no description
                    match "logout"
                    action permit
                exit
                entry 50...
  • Page 61: Configuring Ssh

    Security Configuring SSH Use the SSH command to configure the SSH server as SSH1, SSH2 or both. The default is SSH2. This command should only be enabled or disabled when the SSH server is disabled. This setting cannot be changed while the SSH server is running. CLI Syntax: config>system>security preserve-key no server-shutdown...
  • Page 62 Security Configuration Procedures

    The following example displays the login control configuration:
    Example:
        config>system>login-control# ftp inbound-max-sessions 5
        config>system>login-control# telnet inbound-max-sessions
        config>system>login-control# telnet outbound-max-sessions
        config>system>login-control# idle-timeout 1440
        config>system>login-control# pre-login-message "Property of Service Routing Inc. Unauthorized access prohibited."
        config>system>login-control# motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM"...
  • Page 63: Radius Configurations

    Security RADIUS Configurations • Configuring RADIUS Authentication • Configuring RADIUS Authorization • Configuring RADIUS Accounting Configuring RADIUS Authentication RADIUS is disabled by default and must be explicitly enabled. The mandatory commands to enable RADIUS on the local router are server-index radius server address...
  • Page 64: Configuring Radius Authorization

    Security Configuration Procedures The following example displays the RADIUS authentication configuration:
        ALU-1>config>system>security# info
        ----------------------------------------------
            retry 5
            timeout 5
            server 1 address 10.10.10.103 secret "test1"
            server 2 address 10.10.0.1 secret "test2"
            server 3 address 10.10.0.2 secret "test3"
            server 4 address 10.10.0.3 secret "test4"
        ----------------------------------------
        ALU-1>config>system>security#
    Configuring RADIUS Authorization...
  • Page 65: Configuring Radius Accounting

    Security Configuring RADIUS Accounting On the local router, use the following CLI commands to configure RADIUS accounting:
    CLI Syntax:
        config>system>security
            radius
                accounting
    The following example displays the CLI syntax usage:
    Example:
        config>system>security>
        config>system>security# radius
        config>system>security>radius# accounting
    The following example displays the RADIUS accounting configuration:
        ALU-1>config>system>security# info
        ----------------------------------------------
            radius...
  • Page 66: Tacacs+ Configurations

    Security Configuration Procedures TACACS+ Configurations • Enabling TACACS+ Authentication • Configuring TACACS+ Authorization • Configuring TACACS+ Accounting Enabling TACACS+ Authentication To use TACACS+ authentication on the router, configure one or more TACACS+ servers on the network. Use the following CLI commands to configure TACACS+ authentication: CLI Syntax: config>system>security tacplus server server-index address ip-address secret key...
  • Page 67: Configuring Tacacs+ Authorization

    Security Configuring TACACS+ Authorization In order for TACACS+ authorization to function, TACACS+ authentication must be enabled first. See Enabling TACACS+ Authentication on page On the local router, use the following CLI commands to configure TACACS+ authorization: CLI Syntax: config>system>security tacplus authorization no shutdown The following example displays the CLI syntax usage:...
  • Page 68 Security Configuration Procedures

    The following example displays the TACACS+ accounting configuration:
        ALU-1>config>system>security>tacplus# info
        ----------------------------------------------
            accounting
            authorization
            timeout 5
            single-connection
            server 1 address 10.10.0.5 secret "h6.TeL7YPohbmhlvz0gob." hash2
            server 2 address 10.10.0.6 secret "h6.TeL7YPog7WbLsR3QRd." hash2
            server 3 address 10.10.0.7 secret "h6.TeL7YPojGJqbYt85LVk" hash2
            server 4 address 10.10.0.8 secret "h6.TeL7YPoiCfWKUFHARvk"...
  • Page 69: Security Command Reference

    Security Security Command Reference Command Hierarchies • Configuration Commands → Security Configuration Commands → Management Access Filter Commands → CPM Filter Commands → Password Commands → Profile Commands → User Commands → RADIUS Commands → TACACS+ Commands → SSH Commands •...
  • Page 70 Security Command Reference Configuration Commands Security Configuration Commands config — system — security — copy — ftp-server {user source-user | profile source-profile} to destination [overwrite] — no ftp-server — hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}] —...
  • Page 71 Security CPM Filter Commands config — system — security — [no] cpm-filter — default-action {accept | drop} — ip-filter — entry entry-id [create] — no entry entry-id — action {accept | drop} — no action — description description-string — no description —...
  • Page 72 Security Command Reference Password Commands config — system — security — password — admin-password password [hash | hash2] — no admin-password — aging days — no aging — attempts count [time minutes1] [lockout minutes2] — no attempts — authentication-order [method-1] [method-2] [method-3] [exit-on-reject] —...
  • Page 73: User Commands

    Security User Commands config — system — security — [no] user user-name — [no] access [ftp] [snmp] [console] — console — [no] cannot-change-password — login-exec url-prefix:source-url — no login-exec — member user-profile-name [user-profile-name…(up to 8 max)] — no member user-profile-name —...
  • Page 74: Radius Commands

    Security Command Reference RADIUS Commands config — system — security — [no] radius — [no] accounting — accounting-port port — no accounting-port — [no] authorization — port port — no port — retry count — no retry — server server-index address ip-address secret key [hash | hash2] —...
  • Page 75 Security Login Control Commands config — system — login-control — [no] exponential-backoff — — inbound-max-sessions value — no inbound-max-sessions — telnet — inbound-max-sessions value — no inbound-max-sessions — outbound-max-sessions value — no outbound-max-sessions — idle-timeout {minutes | disable} — no idle-timeout —...
  • Page 76 Security Command Reference Clear Commands Authentication clear — router — authentication — statistics [interface ip-int-name | ip-address] Debug Commands debug — radius [detail] [hex] — no radius Page 76 7705 SAR OS System Management Guide...
  • Page 77: Command Descriptions

    Security Command Descriptions • Configuration Commands on page 78 • Show Commands on page 131 • Clear Commands on page 150 • Debug Commands on page 151 7705 SAR OS System Management Guide Page 77...
  • Page 78: Configuration Commands

    Security Command Reference Configuration Commands • Generic Security Commands on page 79 • Security Commands on page 80 • Management Access Filter Commands on page 83 → Management Access Filter Entry Commands on page 84 • CPM Filter Commands on page 89 •...
  • Page 79 Security Generic Security Commands description Syntax description description-string no description Context config>system>security>management-access-filter>ip-filter>entry entry-id config>system>security>cpm-filter>ip-filter>entry>entry-id config>system>security>profile user-profile-name>entry entry-id Description This command creates a text description stored in the configuration file for a configuration context. The no form of the command removes the string. Default No description associated with the configuration context.
  • Page 80: Security Commands

    Security Command Reference Security Commands security Syntax security Context config>system Description This command creates the context to configure security settings. Security commands manage user profiles and user membership. Security commands also manage user login registrations. copy Syntax copy {user source-user | profile source-profile} to destination [overwrite] Context config>system>security Description...
  • Page 81 Security hash-control Syntax hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}] no hash-control Context config>system>security Description Whenever the user executes a save or info command, the system will encrypt all passwords and keys, and so on for security reasons. At present, two algorithms exist. The first algorithm is a simple, short key that can be copied and pasted in a different location when the user wants to configure the same password.
  • Page 82 Security Command Reference Parameters app — specifies the application name Values telnet, ftp, ssh, radius, tacplus, snmptrap, syslog, ping, traceroute, dns, sntp, ntp ip-int-name | ip-address — specifies the name of the IP interface or IP address. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.
  • Page 83 Security Management Access Filter Commands management-access-filter Syntax [no] management-access-filter Context config>system>security Description This command creates the context to edit management access filters and to reset match criteria. Management access filters control all traffic in and out of the CSM. They can be used to restrict management of the 7705 SAR by other nodes outside either specific (sub)networks or through designated ports.
  • Page 84 Security Command Reference deny-host-unreachable — specifies that packets not matching the selection criteria will be denied and a host unreachable message will be issued renum Syntax renum old-entry-number new-entry-number Context config>system>security>management-access-filter>ip-filter Description This command renumbers existing management access filter entries to resequence filter entries. The 7705 SAR exits on the first match found and executes the actions in accordance with the accompanying action command.
  • Page 85: Table 5: 16-Bit Mask Format

    Security action Syntax action {permit | deny | deny-host-unreachable} no action Context config>system>security>management-access-filter>ip-filter>entry entry-id Description This command creates the action associated with the management access filter match criteria entry. The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.
  • Page 86 Security Command Reference For example, to select a range from 1024 up to 2047, specify 1024 0xFC00 for value and mask. Default 65535 (exact match) Values 1 to 65535 (decimal) Syntax [no] log Context config>system>security>management-access-filter>ip-filter>entry entry-id Description This command enables match logging. The no form of this command disables match logging.
  • Page 87 Security Parameters router-instance — specifies one of the following parameters for the router instance: router-name — specifies a router name up to 32 characters to be used in the match criteria service-id — specifies an existing service ID to be used in the match criteria Values 1 to 2147483647 src-ip...
  • Page 88 Security Command Reference Syntax: port-id Values port-id slot/mda/port[.channel] bundle-id - bundle-<type>-slot/mda.<bundle-num> bundle - keyword type - ima | ppp bundle-num - [1..10] cpm — specifies that ingress management traffic is restricted to the CSM Ethernet port Page 88 7705 SAR OS System Management Guide...
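The following configuration is an added example and is not taken from the guide or from Alcatel-Lucent: it applies the management access filter commands of pages 83 to 88 together, permitting SSH and SNMP only from one management subnet, dropping everything else silently and logging what is rejected. It is written in the `info`-output style the guide uses for its own examples. The subnet 192.0.2.0/24, the entry numbers, the description strings and the `protocol` keyword are assumptions (the protocol keyword does not appear in this excerpt); `default-action`, `description` and `no shutdown` are inferred from the Def. Action, Entry Description and Admin Status fields of the show output on page 140.

```text
# Added example, not from the guide. Context: config>system>security (info style).
# Assumptions: subnet 192.0.2.0/24, entry numbers, description strings and the
# protocol keyword, which is not shown in this excerpt of the guide.
    management-access-filter
        ip-filter
            default-action deny
            entry 10
                description "SSH (TCP/22) from the management subnet"
                src-ip 192.0.2.0/24
                protocol tcp
                dst-port 22
                action permit
            exit
            entry 20
                description "SNMP (UDP/161); default mask 65535 is an exact port match"
                src-ip 192.0.2.0/24
                protocol udp
                dst-port 161
                action permit
            exit
            entry 30
                description "value/mask form of page 86: 1024 with mask 0xFC00 = ports 1024-2047"
                src-ip 192.0.2.0/24
                protocol tcp
                dst-port 1024 0xFC00
                action deny
                log
            exit
            entry 1000
                description "catch-all: no match criteria, so every remaining packet lands here"
                action deny
                log
            exit
            no shutdown
        exit
    exit
```

Entries are evaluated in order and the filter exits on the first match (page 84), so the catch-all must carry the highest entry number; numbering in steps of 10 leaves room to insert entries later without `renum`. `deny` is used rather than `deny-host-unreachable` so that a scanner receives no ICMP reply, and the default action still drops anything that falls past entry 1000. The 0xFC00 mask keeps only the top six bits of the port, which is why 1024 matches 1024 through 2047 and nothing else; an exact match uses the default mask 65535.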
  • Page 89 Security CPM Filter Commands cpm-filter Syntax [no] cpm-filter Context config>system>security Description This command enables the context to configure a CPM filter. A CPM filter is a hardware filter that applies to all the traffic going to the CPU. It can be used to drop or accept packets, as well as allocate dedicated hardware queues for the traffic.
  • Page 90 Security Command Reference entry Syntax entry entry-id [create] no entry entry-id Context config>system>security>cpm-filter>ip-filter Description This command specifies a particular CPM filter match entry. Every CPM filter must have at least one filter match entry. A filter entry with no match criteria set will match every packet, and the entry action will be taken.
  • Page 91 Security Syntax log log-id no log Context config>system>security>cpm-filter>ip-filter>entry Description This command specifies the log in which packets matching this entry should be entered. The value 0 indicates that logging is disabled. The no form of the command deletes the log ID. Parameters log-id —...
  • Page 92: Table 6: Ip Protocol Ids And Descriptions

    Security Command Reference Table 6: IP Protocol IDs and Descriptions (protocol, protocol ID, description): icmp (1) Internet Control Message; igmp (2) Internet Group Management; ip (4) IP in IP (encapsulation); tcp (6) Transmission Control; egp (8) Exterior Gateway Protocol; igp (9) Any private interior gateway; udp (17) User Datagram; rdp (27) Reliable Data Protocol; ipv6 (41) IPv6; ipv6-route (43) ...
  • Page 93 Security Table 6: IP Protocol IDs and Descriptions (Continued): ptp (123) Performance Transparency Protocol; isis (124) ISIS over IPv4; crtp (126) Combat Radio Transport Protocol; crudp (127) Combat Radio User Datagram. dscp Syntax dscp dscp-name no dscp Context config>system>security>cpm-filter>ip-filter>entry>match Description This command configures a DiffServ Code Point (DSCP) name to be used as an IP filter match criterion.
  • Page 94 Security Command Reference Default no dst-ip Parameters ip-address — the IP prefix for the IP match criterion in dotted-decimal notation Values 0.0.0.0 to 255.255.255.255 mask — the subnet mask length expressed as a decimal integer Values 1 to 32 netmask — the dotted-decimal equivalent of the mask length Values 0.0.0.0 to 255.255.255.255 dst-port...
  • Page 95 Security icmp-code Syntax icmp-code icmp-code no icmp-code Context config>system>security>cpm-filter>ip-filter>entry>match Description This command configures matching on an ICMP code field in the ICMP header of an IP packet as an IP filter match criterion. The ICMP protocol must be configured using the match command before this filter can be configured.
  • Page 96 Security Command Reference ip-option Syntax ip-option ip-option-value [ip-option-mask] no ip-option Context config>system>security>cpm-filter>ip-filter>entry>match Description This command configures matching packets with a specific IP option or a range of IP options in the IP header as an IP filter match criterion. The option type octet contains 3 fields: •...
  • Page 97 Security multiple-option Syntax multiple-option {true | false} no multiple-option Context config>system>security>cpm-filter>ip-filter>entry>match Description This command configures matching packets that contain more than one option field in the IP header as an IP filter match criterion. The no form of the command removes the checking of the number of option fields in the IP header as a match criterion.
  • Page 98 Security Command Reference src-ip Syntax src-ip {ip-address/mask | ip-address netmask} no src-ip Context config>system>security>cpm-filter>ip-filter>entry>match Description This command specifies the IP address to match the source IP address of the packet. To match on the source IP address, specify the address and its associated mask; for example, 10.1.0.0/16.
  • Page 99 Security tcp-ack Syntax tcp-ack {true | false} no tcp-ack Context config>system>security>cpm-filter>ip-filter>entry>match Description This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion. The no form of the command removes the criterion from the match entry.
  • Page 100 Security Command Reference renum Syntax renum old-entry-id new-entry-id Context config>system>security>cpm-filter>ip-filter Description This command renumbers existing IP filter entries in order to resequence filter entries. Resequencing may be required in some cases because the OS exits when the first match is found and executes the actions according to the accompanying action command.
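The following CPM filter is an added example, not configuration from the guide or from Alcatel-Lucent. It combines the commands of pages 89 to 100: SSH to the CPU is accepted only from one management subnet, every other SSH connection attempt is dropped and logged, packets with multiple IP options are dropped, and a final entry with no match criteria shows the behaviour described on page 90. It is written in the `info`-output style the guide uses. The subnet 192.0.2.0/24, the entry numbers, the `tcp-syn` keyword (inferred from the TCP-syn field of Table 10), the `accept`/`drop` action keywords (page 89 says "drop or accept"), the `no shutdown` on the filter and the existence of filter log 101 are assumptions.

```text
# Added example, not from the guide. Context: config>system>security (info style).
# Assumptions: subnet 192.0.2.0/24, entry numbers, log 101 already configured,
# the accept/drop action keywords, tcp-syn and no shutdown.
    cpm-filter
        ip-filter
            entry 10 create
                description "SSH to the CPU from the management subnet"
                match protocol tcp
                    src-ip 192.0.2.0/24
                    dst-port 22
                exit
                action accept
            exit
            entry 20 create
                description "any other SSH connection attempt: drop and log the SYN"
                match protocol tcp
                    dst-port 22
                    tcp-syn true
                    tcp-ack false
                exit
                log 101
                action drop
            exit
            entry 30 create
                description "more than one IP option in the header (page 97)"
                match
                    multiple-option true
                exit
                log 101
                action drop
            exit
            entry 1000 create
                description "no match criteria: matches every remaining packet (page 90)"
                match
                exit
                log 101
                action drop
            exit
            no shutdown
        exit
    exit
```

Entry 1000 is the point of the page 90 caveat and also the dangerous part: because an entry with no match criteria matches every packet and the filter exits on the first match (page 100), it drops every control-plane packet that no earlier entry accepted, including routing protocol, NTP, DNS and RADIUS/TACACS+ replies. Add accept entries for every protocol the node actually runs before the catch-all, or leave the catch-all out and rely on targeted drop entries such as 20 and 30. Log ID 0 disables logging for an entry (page 91).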
  • Page 101 Security Global Password Commands enable-admin Syntax enable-admin Context <global> Description Note: See the description for the admin-password command. If the admin-password is configured in the config>system>security>password context, then any user can enter the special administrative mode by entering the enable-admin command.
  • Page 102 Security Command Reference Password Commands password Syntax password Context config>system>security Description This command creates the context to configure password management parameters. admin-password Syntax admin-password password [hash | hash2] no admin-password Context config>system>security>password Description This command allows a user (with admin permissions) to configure a password which enables a user to become an administrator.
  • Page 103 Security Default no admin-password Parameters password — configures the password that enables a user to become a system administrator. The maximum length can be up to 20 characters if unhashed, 32 characters if hashed, and 54 characters if the hash2 keyword is specified. hash —...
  • Page 104 Security Command Reference Default count: 3; time minutes: 5; lockout minutes: 10. Parameters count — the number of unsuccessful login attempts allowed for the specified time. This is a mandatory value that must be explicitly entered. Values 1 to 64 time minutes —...
  • Page 105 Security method-3 — the third password authentication method to attempt Default local Values radius, tacplus, local radius — RADIUS authentication tacplus — TACACS+ authentication local — password authentication based on the local password database exit-on-reject — when enabled, and if one of the AAA methods configured in the authentication order sends a reject, then the next method in the order will not be tried.
  • Page 106 Security Command Reference numeric — specifies that at least one numeric character must be present in the password. This keyword can be used in conjunction with the mixed-case and special-character parameters. However, if this command is used with the authentication none command, the complexity command is rejected.
  • Page 107 Security Profile Management Commands profile Syntax [no] profile user-profile-name Context config>system>security Description This command creates a context to create user profiles for CLI command tree permissions. Profiles are used to either deny or permit user console access to a hierarchical branch or to specific commands.
  • Page 108 Security Command Reference none — sets the default of the profile to no-action. This option is useful to assign multiple profiles to a user. For example, if a user is a member of two profiles and the default action of the first profile is permit-all, then the second profile will never be evaluated because permit-all is executed first.
  • Page 109 Security Parameters entry-id — an entry-id uniquely identifies a user profile command match criteria and a corresponding action. If more than one entry is configured, the entry-ids should be numbered in staggered increments to allow users to insert a new entry without requiring renumbering of the existing entries.
  • Page 110 Security Command Reference User Management Commands user Syntax [no] user user-name Context config>system>security Description This command creates a local user and a context to edit the user configuration. If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.
  • Page 111 Security access Syntax [no] access [ftp] [snmp] [console] [no] access [ftp] [console] Context config>system>security>user user-name config>system>security>user-template Description This command grants a user permission for FTP, SNMP, or console access. If a user requires access to more than one application, then multiple applications can be specified in a single command.
  • Page 112 Security Command Reference Parameters url-prefix [directory] [directory/directory…] — the user’s local home directory URL prefix and directory structure, up to 190 characters in length password Syntax password [password] [hash | hash2] Context config>system>security>user user-name Description This command configures the user password for console and FTP access. The use of the hash keyword sets the initial password when the user is created or modifies the password of an existing user and specifies that the given password was hashed using hashing algorithm version 1.
  • Page 113 Security To insert # or ? characters, they must be entered inside a notepad or clipboard program and then cut and pasted into the Telnet session in the password field that is encased in the double quotes as delimiters for the password. If a password is entered without any parameters, a password length of zero is implied (return key).
  • Page 114 Security Command Reference cannot-change-password Syntax [no] cannot-change-password Context config>system>security>user user-name>console Description This command allows a user to change their password for both FTP and console login. To disable a user’s privilege to change their password, use the cannot-change-password form of the command.
  • Page 115 Security Default default Parameters user-profile-name — the user profile name new-password-at-login Syntax [no] new-password-at-login Context config>system>security>user user-name >console Description This command forces the user to change passwords at the next console or FTP login. If the user is limited to FTP access, the administrator must create the new password. The no form of the command does not force the user to change passwords.
  • Page 116 Security Command Reference Default authentication none - No authentication is configured and privacy cannot be configured. Parameters none — do not use authentication. If none is specified, then privacy cannot be configured. hash — when hash is not specified, unencrypted characters can be entered. When hash is configured, all specified keys are stored in an encrypted format in the configuration file.
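The following profile and user definitions are an added example, not configuration from the guide or from Alcatel-Lucent. They use the profile and user commands of pages 107 to 116 to build a least-privilege local operator: one profile with `default-action none` so that a second profile is still evaluated (page 108), a second profile that permits a few commands and denies everything else, and a user that is a member of both, must change the placeholder password at first login and is confined to a home directory. The profile and user names, the placeholder password, the match strings, the path cf3:/users/netops1 and the `match`, `member` and `restricted-to-home` keywords (inferred from page 109, page 115 and the Restricted to home field in Table 16) are assumptions.

```text
# Added example, not from the guide. Context: config>system>security (info style).
# Assumptions: names, placeholder password, match strings, home directory path,
# and the match, member and restricted-to-home keywords.
    profile "show-only"
        default-action none
        entry 10
            match "show"
            action permit
        exit
    exit
    profile "iface-ops"
        default-action deny-all
        entry 10
            match "configure router interface"
            action permit
        exit
        entry 20
            match "admin save"
            action permit
        exit
    exit
    user "netops1"
        password "Pl4ceh0lder!pw"
        access console ftp
        home-directory cf3:/users/netops1
        restricted-to-home
        console
            member "show-only" "iface-ops"
            new-password-at-login
        exit
    exit
```

The placeholder password meets the numeric, mixed-case and special-character complexity rules of page 106 and is stored hashed after `admin save` (page 112). Because "show-only" ends in no-action rather than permit-all, "iface-ops" is still consulted, and its `deny-all` default is what finally denies `configure system security` and every other unlisted branch; had the first profile used `permit-all`, the second would never be evaluated (page 108). FTP access combined with `restricted-to-home` keeps the account from reading other users' files or the saved configuration on the same device.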
  • Page 117 Security RADIUS Client Commands radius Syntax [no] radius Context config>system>security Description This command creates the context to configure RADIUS authentication on the 7705 SAR. Implement redundancy by configuring multiple server addresses for each 7705 SAR. The no form of the command removes the RADIUS configuration. accounting Syntax [no] accounting...
  • Page 118 Security Command Reference authorization Syntax [no] authorization Context config>system>security>radius Description This command configures RADIUS authorization parameters for the system. The no form of this command disables RADIUS authorization for the system. Default no authorization port Syntax port port no port Context config>system>security>radius Description...
  • Page 119 Security server Syntax server index address ip-address secret key [hash | hash2] no server index Context config>system>security>radius Description This command adds a RADIUS server and configures the RADIUS server IP address, index, and key values. Up to five RADIUS servers can be configured at any one time. RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received.
  • Page 120 Security Command Reference timeout Syntax timeout seconds no timeout Context config>system>security>radius Description This command configures the number of seconds the router waits for a response from a RADIUS server. The no form of the command reverts to the default value. Default Parameters seconds —...
  • Page 121 Security TACACS+ Client Commands tacplus Syntax [no] tacplus Context config>system>security Description This command creates the context to configure TACACS+ authentication on the 7705 SAR. Configure multiple server addresses for each 7705 SAR for redundancy. The no form of the command removes the TACACS+ configuration. accounting Syntax accounting [record-type {start-stop | stop-only}]...
  • Page 122 Security Command Reference server Syntax server index address ip-address secret key [hash | hash2] no server index Context config>system>security>tacplus Description This command adds a TACACS+ server and configures the TACACS+ server IP address, index, and key values. Up to five TACACS+ servers can be configured at any one time. TACACS+ servers are accessed in order from the lowest index to the highest index for authentication requests.
  • Page 123 Security timeout Syntax timeout seconds no timeout Context config>system>security>tacplus Description This command configures the number of seconds the router waits for a response from a TACACS+ server. The no form of the command reverts to the default value. Default Parameters seconds —...
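The following password policy and AAA configuration is an added example, not configuration from the guide or from Alcatel-Lucent. It ties together the password commands of pages 102 to 106, the hash-control command of page 81 and the RADIUS and TACACS+ client commands of pages 117 to 123. The server addresses 198.51.100.11, 198.51.100.12 and 198.51.100.21, the shared secrets and admin password (placeholders), the attempt, lockout and timeout values, and the RADIUS port number are assumptions.

```text
# Added example, not from the guide. Context: config>system>security (info style).
# Assumptions: server addresses, placeholder secrets, attempt/timeout values, port.
    hash-control write-version 2
    password
        admin-password "Pl4ceh0lder-Adm1n!"
        attempts 3 time 5 lockout 30
        authentication-order radius tacplus local exit-on-reject
        complexity numeric mixed-case special-character
    exit
    radius
        authorization
        accounting
        port 1812
        timeout 5
        server 1 address 198.51.100.11 secret "placeholder-radius-secret-1"
        server 2 address 198.51.100.12 secret "placeholder-radius-secret-2"
    exit
    tacplus
        accounting record-type start-stop
        timeout 5
        server 1 address 198.51.100.21 secret "placeholder-tacacs-secret"
    exit
```

Two points a practitioner should check before applying this. First, `exit-on-reject` means an Access-Reject from RADIUS ends the attempt; the node does not fall through to TACACS+ or the local database for that user (page 105), so local accounts are reached only when the servers fail to answer within the timeout, and at least one local administrator with a strong password must exist for that case. Second, `admin-password` is a single shared secret that any logged-in user can present to `enable-admin` (page 101); prefer profiles for day-to-day privilege and treat the admin password as a break-glass credential. `hash-control write-version 2` stores saved secrets in the second hash form rather than the portable first form that page 81 describes as copy-and-paste reusable.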
  • Page 124 Security Command Reference SSH Commands ssh Syntax [no] ssh Context config>system>security Description This command enables the context to configure the SSH server on the system. This command should only be enabled or disabled when no SSH session is running. When the command is executed, an SSH security key is generated. This key is valid until either the node is restarted or the SSH server is stopped with the no ssh command and restarted.
  • Page 125 Security version Syntax version ssh-version no version Context config>system>security>ssh Description This command specifies the SSH protocol version that will be supported by the SSH server. The server may be configured as Secure Shell Version 1 (SSH1), Version 2 (SSH2) or both. SSH1 and SSH2 are different protocols and encrypt at different parts of the packets.
  • Page 126 Security Command Reference Login Control Commands login-control Syntax login-control Context config>system Description This command creates the context to configure the session control for console, Telnet and FTP. exponential-backoff Syntax [no] exponential-backoff Context config>system>login-control Description This command enables the exponential-backoff of the login prompt. The exponential-backoff command is used to deter dictionary attacks, in which a malicious user scripts repeated login attempts (for example, trying the admin account with every conceivable password) to gain access to the CLI.
  • Page 127 Security login-banner Syntax [no] login-banner Context config>system>login-control Description This command enables or disables the display of a login banner. The login banner contains the 7705 SAR copyright and build date information for a console login attempt. The no form of the command causes only the configured pre-login-message and a generic login prompt to display.
  • Page 128 Security Command Reference The system name can be added to an existing message without affecting the current pre-login-message. The no form of the command removes the message. Default no pre-login-message Parameters login-text-string — a text string, up to 900 characters. Any printable, 7-bit ASCII characters can be used.
  • Page 129 Security Telnet Login Control Commands telnet Syntax telnet Context config>system>login-control Description This command creates the context to configure the Telnet login control parameters. inbound-max-sessions Syntax inbound-max-sessions value no inbound-max-sessions Context config>system>login-control>telnet Description This parameter limits the number of inbound Telnet sessions. Each 7705 SAR router is limited to a total of 7 Telnet or SSH sessions.
  • Page 130 Security Command Reference Parameters value — the maximum number of concurrent outbound Telnet sessions, expressed as an integer Values 0 to 7
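The following SSH and login-control settings are an added example, not configuration from the guide or from Alcatel-Lucent, covering the commands of pages 124 to 130: SSH restricted to protocol version 2, exponential back-off on failed logins, the build-information banner suppressed, a pre-login message with the system name appended, and Telnet sessions capped. The banner text and the session counts are assumptions, as is the `version 2` spelling for SSH2 only.

```text
# Added example, not from the guide. Context: config>system (info style).
# Assumptions: banner text, session counts, "version 2" selecting SSH2 only.
    system
        security
            ssh
                version 2
            exit
        exit
        login-control
            exponential-backoff
            no login-banner
            pre-login-message "Authorised access only. All activity is logged." name
            telnet
                inbound-max-sessions 1
                outbound-max-sessions 0
            exit
        exit
    exit
```

Three caveats from the pages above. Enabling or disabling `ssh` regenerates the server key (page 124), so every client's stored host key for the node becomes stale; toggle it only from the console and only when no SSH session is active. `no login-banner` removes the copyright and build date from the pre-authentication prompt (page 127), which is the information an attacker would use to pick an exploit, while the pre-login message still shows. Telnet carries credentials in cleartext and shares the node's total of 7 Telnet or SSH sessions (page 129), so the cap here is both a security and an availability control; disabling the Telnet server outright is done with a command not shown on these pages.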
  • Page 131: Show Commands

    Security Show Commands • Security Show Commands on page 132 • Login Control Show Commands on page 149
  • Page 132: Table 7: Show System Security Access Group Output Fields

    Security Command Reference Security Show Commands access-group Syntax access-group [group-name] Context show>system>security Description This command displays SNMP access group information. Parameters group-name — displays information for the specified access group Output Security Access Group Output — The following table describes security access group output fields.
  • Page 133: Table 8: Show System Security Authentication Output Fields

    Security authentication Syntax authentication [statistics] Context show>system>security Description This command displays system login authentication configuration and statistics. Parameters statistics — appends login and accounting statistics to the display Output Authentication Output — The following table describes system security authentication output fields.
  • Page 134 Security Command Reference Sample Output A:ALU-4# show system security authentication =============================================================================== Authentication sequence : radius tacplus local =============================================================================== type status timeout single retry server address (secs) conn count ------------------------------------------------------------------------------- radius 10.10.10.103 radius 10.10.0.1 radius 10.10.0.2 tacplus 10.10.0.9(49) down true ------------------------------------------------------------------------------- radius admin status : up tacplus admin status : down...
  • Page 135: Table 9: Show Communities Output Fields

    Security =============================================================================== Authorization Statistics (TACACS+) =============================================================================== server address conn sent rejected errors pkts pkts ------------------------------------------------------------------------------- 10.10.0.9 =============================================================================== Accounting Statistics =============================================================================== server address conn sent rejected errors pkts pkts ------------------------------------------------------------------------------- 10.10.10.103 10.10.0.1 10.10.0.2 =============================================================================== A:ALU-7# communities Syntax communities Context show>system>security Description This command displays SNMP communities and characteristics.
  • Page 136: Table 10: Show Cpm Filter Output Fields

    Security Command Reference Sample Output A:ALU-48# show system security communities ============================================================================= Communities ============================================================================= community access view version group name ----------------------------------------------------------------------------- cli-readonly cli-readonly cli-readwrite cli-readwrite public no-security v1 v2c snmp-ro ----------------------------------------------------------------------------- No. of Communities: 3 ============================================================================= A:ALU-48# cpm-filter Syntax cpm-filter ip-filter [entry entry-id] Context show>system>security Description...
  • Page 137 Security Table 10: Show CPM Filter Output Fields (Continued) (Label — Description): Fragment — The 3-bit fragment flags or 13-bit fragment offset field; IP-Option — The IP option setting; TCP-syn — The SYN flag in the TCP header; Match action — When the criteria match, displays whether the packet is dropped or forwarded; Dropped pkts — The number of matched packets dropped...
  • Page 138 Security Command Reference A:ALU-35# show system security cpm-filter ip-filter entry 2 =============================================================================== CPM IP Filter Entry =============================================================================== Entry Id Description : CPM filter #2 ------------------------------------------------------------------------------- Filter Entry Match Criteria : ------------------------------------------------------------------------------- Log Id : 101 Src. IP : 10.4.101.2/32 Src. Port Dest.
  • Page 139: Table 11: Show Management Access Filter Output Fields

    Security Output Management Access Filter Output — The following table describes management access filter output fields. Table 11: Show Management Access Filter Output Fields (Label — Description): filter type — The management access filter type; Def. Action — Permit: specifies that packets not matching the configured...
  • Page 140: Table 12: Show Password Options Output Fields

    Security Command Reference Sample Output A:ALU-7# show system security management-access-filter ip-filter entry 1 ============================================================================= IPv4 Management Access Filters ============================================================================= filter type: : ip Def. Action : permit Admin Status : enabled (no shutdown) ----------------------------------------------------------------------------- Entry Description : test description Src IP : 10.10.10.104 Src interface : undefined Dest port...
  • Page 141 Security Table 12: Show Password Options Output Fields (Continued) (Label — Description): Authentication order — Displays the sequence in which password authentication is attempted among RADIUS, TACACS+, and local passwords; Configured complexity options — Displays the complexity requirements of locally administered passwords, HMAC-MD5-96, HMAC-SHA-96 and DES keys configured in the authentication section...
  • Page 142: Table 13: Show User Profile Output Fields

    Security Command Reference Output User Profile Output — The following table describes user profile output fields. Table 13: Show User Profile Output Fields (Label — Description): User Profile — Displays the profile name used to deny or permit user console access to a hierarchical branch or to specific commands; Permit all —...
  • Page 143: Table 14: Show Source Address Output Fields

    Security source-address Syntax source-address Context show>system>security Description This command displays the source address configured for applications. Output Source Address Output — The following table describes source address output fields. Table 14: Show Source Address Output Fields (Label — Description): Application — Displays the source-address application; IP address — Displays the source address IP address or interface name...
  • Page 144: Table 15: Show Ssh Output Fields

    Security Command Reference Output SSH Options Output — The following table describes SSH output fields. Table 15: Show SSH Output Fields (Label — Description): SSH status — SSH is enabled: displays that the SSH server is enabled; SSH is disabled: displays that the SSH server is disabled; Enabled —...
  • Page 145: Table 16: Show User Output Fields

    Security user Syntax user [user-id] [detail] Context show>system>security Description This command displays user registration information. If no command line options are specified, summary information for all users displays. Parameters user-id — displays information for the specified user Default All users detail —...
  • Page 146 Security Command Reference Table 16: Show User Output Fields (Continued) (Label — Description): Restricted to home — Yes: the user is not allowed to navigate to a directory higher in the directory tree on the home directory device; No: the user is allowed to navigate to a directory higher in the directory tree on the home directory device; Login exec — Displays the user’s login exec file, which executes whenever the user...
  • Page 147: Table 17: Show View Output Fields

    Security snmp parameters ------------------------------------------------------------------------------- =============================================================================== ALU-7# view Syntax view [view-name] [detail] [capabilities] Context show>system>security Description This command displays one or all views and permissions in the MIB-OID tree. Parameters view-name — specifies the name of the view to display. If no view name is specified, the complete list of views displays.
  • Page 148 Security Command Reference mgmt-view 1.3.6.1.2.1.77 included mgmt-view 1.3.6.1.4.1.6527.3.1.2.3.7 included mgmt-view 1.3.6.1.4.1.6527.3.1.2.3.11 included vprn-view 1.3.6.1.2.1.2 included vprn-view 1.3.6.1.2.1.4 included vprn-view 1.3.6.1.2.1.5 included vprn-view 1.3.6.1.2.1.6 included vprn-view 1.3.6.1.2.1.7 included vprn-view 1.3.6.1.2.1.15 included vprn-view 1.3.6.1.2.1.23 included vprn-view 1.3.6.1.2.1.31 included vprn-view 1.3.6.1.2.1.68 included vprn-view 1.3.6.1.2.1.77 included vprn-view...
  • Page 149: Table 18: Show Users Output Fields

    Security Login Control Show Commands users Syntax users Context show Description This command displays console user login and connection information. Output Users Output — The following table describes show users output fields. Table 18: Show Users Output Fields (Label — Description): User — The user name; (next label truncated) — The user is authorized for this access type...
  • Page 150: Clear Commands

    Security Command Reference Clear Commands statistics Syntax statistics [interface ip-int-name | ip-address] Context clear>router>authentication Description This command clears authentication statistics. Parameters ip-int-name — clears the authentication statistics for the specified interface name. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes ip-address —...
  • Page 151: Debug Commands

    Security Debug Commands radius Syntax radius [detail] [hex] no radius Context debug Description This command enables debugging for RADIUS connections. The no form of the command disables the debugging. Parameters detail — displays detailed output hex — displays the packet dump in hexadecimal format
  • Page 153: Snmp

    SNMP In This Chapter This chapter provides information to configure SNMP. Topics in this chapter include: • SNMP Overview on page 154 → SNMP Architecture on page 154 → Management Information Base on page 154 → SNMP Versions on page 155 →...
  • Page 154: Snmp Overview

    SNMP Overview SNMP Overview SNMP Architecture The SNMP architecture consists of two elements: managers and agents. The manager is the entity through which network management tasks are facilitated. An agent is a software module integrated into the operating system of the managed device that communicates with the network manager.
  • Page 155: Snmp Versions

    SNMP The SNMP agent provides management information to support a collection of IETF specified MIBs and a number of MIBs defined to manage device parameters and network data unique to the 7705 SAR. SNMP Versions The agent supports multiple versions of the SNMP protocol. •...
  • Page 156: User-Based Security Model Community Strings

    A community string is a text string that acts like a password to permit access to the agent on the 7705 SAR router. The Alcatel-Lucent implementation of SNMP has defined three levels of community-named access: •...
  • Page 157: Access Groups

    SNMP Access Groups Access groups associate a user group and a security model with the views the group can access. An access group is defined by a unique combination of a group name, security model (SNMPv1, SNMPv2c, or SNMPv3), and security level (no-authentication-no-privacy, authentication-no-privacy, or privacy).
  • Page 158: Which Snmp Version To Use

    Which SNMP Version to Use? Which SNMP Version to Use? SNMPv1 and SNMPv2c do not provide security, authentication, or encryption. Without authentication, an unauthorized user could perform SNMP network management functions and eavesdrop on management information as it passes from system to system. Many SNMPv1 and SNMPv2c implementations are restricted to read-only access, which in turn reduces the effectiveness of network monitoring, because network control applications cannot be supported.
  • Page 159: Configuration Notes

    SNMP Configuration Notes This section describes SNMP configuration caveats. • To avoid management systems attempting to manage a partially booted system, SNMP will remain in a shutdown state if the configuration file fails to complete during system startup. While shut down, SNMP gets and sets are not processed. However, notifications are issued if an SNMP trap group has been configured.
  • Page 161: Configuring Snmp With Cli

    SNMP Configuring SNMP with CLI This section provides information about configuring SNMP with CLI. Topics in this chapter include: • SNMP Configuration Overview on page 162 → Configuring SNMPv1 and SNMPv2c on page 162 → Configuring SNMPv3 on page 162 •...
  • Page 162: Snmp Configuration Overview

    SNMP Configuration Overview SNMP Configuration Overview This section describes how to configure SNMP components that apply to SNMPv1, SNMPv2c, and SNMPv3 on the 7705 SAR. • Configuring SNMPv1 and SNMPv2c • Configuring SNMPv3 Configuring SNMPv1 and SNMPv2c The 7705 SAR router is based on SNMPv3. To use 7705 SAR routers with SNMPv1 and/or SNMPv2c, SNMP community strings must be configured.
  • Page 163: Basic Snmp Security Configuration

    SNMP Basic SNMP Security Configuration This section provides information to configure SNMP parameters and provides examples of common configuration tasks. The minimal SNMP parameters are: For SNMPv1 and SNMPv2c: • Configure community string parameters For SNMPv3: • Configure view parameters •...
  • Page 164: Configuring Snmp Components

    Configuring SNMP Components Configuring SNMP Components Use the CLI syntax displayed below to configure the following SNMP scenarios: • Configuring a Community String • Configuring View Options • Configuring Access Options • Configuring USM Community Options • Configuring Other SNMP Parameters CLI Syntax: config>system>security>snmp attempts [count] [time minutes1] [lockout minutes2] community community-string [hash | hash2] access-...
  • Page 165: Configuring View Options

    SNMP The following example displays community string command usage: Example: config>system>security# snmp config>system>security>snmp# community private hash2 rwa version both config>system>security>snmp# community public hash r version v2c The following example displays the SNMP community configuration: ALU-1>config>system>security>snmp# info ------------------------------------------------------- community "uTdc9j48PBRkxn5DcSjchk" hash2 rwa version both community "Lla.RtAyRW2"...
  • Page 166: Configuring Access Options

    Configuring SNMP Components Configuring Access Options The access group command creates an association between a user group, a security model, and the views that the user group can access. Access must be configured unless security is limited to the preconfigured access groups and views for SNMPv1 and SNMPv2c. An access group is defined by a unique combination of the group name, security model, and security level.
  • Page 167: Configuring Usm Community Options

    SNMP The following example displays user security command usage: Example: ALU-1>config>system>security# user testuser config>system>security>user$ access snmp config>system>security>user# snmp config>system>security>user>snmp# authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none config>system>security>user>snmp# group testgroup config>system>security>user>snmp# exit config>system>security>user# exit With privacy none, requests from this user are authenticated but the PDU contents are sent in cleartext; where the manager supports it, give the group security-level privacy and configure a privacy key for the user. The following example displays the user’s SNMP configuration. ALU-1>config>system>security# info ---------------------------------------------- user "testuser"...
  • Page 168: Configuring Other Snmp Parameters

    Configuring SNMP Components The following example displays the SNMP community configuration: ALU-1>config>system>security>snmp# info ---------------------------------------------- view testview subtree 1 mask ff exit view testview subtree 1.3.6.1.2 mask ff type excluded exit access group testgroup security-model usm security-level auth-no-privacy read testview write testview notify testview community "private"...
  • Page 169: Snmp Command Reference

    SNMP SNMP Command Reference Command Hierarchies • Configuration Commands → SNMP System Commands → SNMP Security Commands • Show Commands 7705 SAR OS System Management Guide Page 169...
  • Page 170 SNMP Command Reference Configuration Commands SNMP System Commands config — system — snmp — engineID engine-id — no engineID — general-port port — no general-port — packet-size bytes — no packet-size — [no] shutdown SNMP Security Commands config — system —...
  • Page 171 SNMP Show Commands show — snmp — counters — system — information — security — access-group [group-name] — communities [statistics] — communities — user [profile-name] — user [user-id] [detail] — view [view-name] [capabilities] [detail]
  • Page 172: Command Descriptions

    SNMP Command Reference Command Descriptions • Configuration Commands on page 173 • Show Commands on page 183
  • Page 173: Configuration Commands

    SNMP Configuration Commands • SNMP System Commands on page 174 • SNMP Security Commands on page 177
  • Page 174 SNMP Command Reference SNMP System Commands snmp Syntax snmp Context config>system Description This command creates the context to configure SNMP parameters. engineID Syntax [no] engineID engine-id Context config>system>snmp Description This command sets the SNMP engine ID to uniquely identify the SNMPv3 node. By default, the engine ID is generated using information from the system backplane.
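The engine ID matters beyond identifying the node. In the SNMPv3 User-based Security Model (RFC 3414) a user's authentication and privacy keys are localized to the agent's engine ID, so the 32-hex-digit MD5 key in the user example on this page is specific to one engine: if the engine ID is regenerated or changed, the key a manager derives from its passphrase no longer matches the key configured for the user, and authentication fails until the user keys are reconfigured. The following is an added example, not 7705 SAR OS code, and it says nothing about how the router stores the configured key (the hash and hash2 keywords are not explained on this page); it implements the RFC 3414 password-to-key and key-localization steps with the RFC's own test vector (password maplesyrup, engine ID 000000000000000000000002). The second engine ID in the usage block is constructed for illustration.

```python
"""
Added example: RFC 3414 USM password-to-key and key localization.
Not 7705 SAR OS code; it shows why the SNMPv3 engine ID matters
for every SNMPv3 user configured on the agent.
"""
import hashlib

# RFC 3414 Appendix A test-vector engine ID (not a real agent's ID).
RFC_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_key(password: bytes, algo: str = "md5") -> bytes:
    """Ku: digest of the password repeated to exactly 1 MiB (RFC 3414 A.2.1/A.2.2)."""
    if not password:
        raise ValueError("empty password")
    reps = 1_048_576 // len(password) + 1
    return hashlib.new(algo, (password * reps)[:1_048_576]).digest()


def localize_key(ku: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """Kul = H(Ku || engineID || Ku): the key bound to this particular engine."""
    if not engine_id:
        raise ValueError("empty engine ID")
    return hashlib.new(algo, ku + engine_id + ku).digest()


def usm_user_key(password: str, engine_id: bytes, algo: str = "md5") -> str:
    """Hex of the localized key a manager would use against the given engine."""
    ku = password_to_key(password.encode("utf-8"), algo)
    return localize_key(ku, engine_id, algo).hex()


if __name__ == "__main__":
    # RFC 3414 A.3.1 / A.3.2 expected values
    print(usm_user_key("maplesyrup", RFC_ENGINE_ID))          # 526f5eed9fcce26f8964c2930787d82b
    print(usm_user_key("maplesyrup", RFC_ENGINE_ID, "sha1"))  # 6695febc9288e36282235fc7151f128497b38f3f
    # Same passphrase, different (constructed) engine ID: a different localized key,
    # which is exactly what breaks when an agent's engine ID changes.
    print(usm_user_key("maplesyrup", bytes.fromhex("8000000003001122334455")))
```

The 1 MiB expansion is part of the standard (it slows passphrase guessing); the localization step is what ties the key to the engine, so a manager that talks to several 7705 SAR nodes with one passphrase still holds a distinct key per node.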
  • Page 175 SNMP general-port Syntax general-port port-number no general-port Context config>system>snmp Description This command configures the port number used by this node to receive SNMP request messages and to send replies. Note that SNMP notifications generated by the agent are sent from the port specified in the config>log>snmp-trap-group>trap-target command.
  • Page 176 SNMP Command Reference This command is automatically invoked in the event of a reboot when the processing of the configuration file fails to complete or when an SNMP persistent index file fails while the bof persist on command is enabled. The no form of the command administratively enables SNMP.
  • Page 177 SNMP SNMP Security Commands snmp Syntax snmp Context config>system>security Description This command creates the context to configure SNMPv1, SNMPv2c, and SNMPv3 parameters. access group Syntax [no] access group group-name security-model {snmpv1 | snmpv2c | usm} security-level {no-auth-no-privacy | auth-no-privacy | privacy} [context context-name [prefix-match {exact | prefix}]] [read view-name-1] [write view-name-2] [notify view-name-3] Context config>system>security>snmp...
  • Page 178 SNMP Command Reference security-level auth-no-privacy — specifies that authentication is required but privacy (encryption) is not required. When this option is configured, both the group and the user must be configured for authentication. security-level privacy — specifies that both authentication and privacy (encryption) are required. When this option is configured, both the group and the user must be configured for authentication and privacy.
  • Page 179 SNMP Parameters count — the number of unsuccessful SNMP attempts allowed for the specified time Default Values 1 to 64 time minutes1 — the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the host is locked out Default Values 0 to 60...
  • Page 180 SNMP Command Reference usm-community Syntax usm-community community-string [hash | hash2] group group-name no usm-community community-string Context config>system>security>snmp Description This command is used to associate a community string with an SNMPv3 access group and its view. The access granted with a community string is restricted to the scope of the configured group. The 7705 SAR OS implementation of SNMP uses SNMPv3.
  • Page 181 SNMP Default No views are defined Parameters view-name — the 1 to 32 character view name Default none oid-value — the object identifier (OID) value for the view-name. This value, for example, 1.3.6.1.6.3.11.2.1, combined with the mask and include and exclude statements, configures the access available in the view.
  • Page 182 SNMP Command Reference Parameters mask-value — the mask value associated with the OID value determines whether the sub-identifiers are included or excluded from the view The mask can be entered either: • In hexadecimal format (for example, 0xfc) • In binary format (for example, 0b11111100) Note: If the number of bits in the bit mask is less than the number of sub-identifiers in the MIB subtree, then the mask is extended with ones until the mask length matches the number of sub-identifiers in the MIB subtree.
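The view lookup described above (subtree, mask, included or excluded type), as an added example that is not part of the manual or the 7705 SAR OS: a Python model of the RFC 3415 VACM rule that the view command configures. It uses the testview from the Configuring Other SNMP Parameters example (subtree 1 included, subtree 1.3.6.1.2 excluded) and a constructed wildcard-mask family; the three mask formats (ff, 0xfc, 0b11111100) and the extend-with-ones rule are the ones stated in the command reference, and the tie-break between overlapping families follows RFC 3415.

```python
"""
Added example: RFC 3415 (VACM) view-family matching as configured by the
7705 SAR 'view' command (subtree, mask, type included|excluded).
Not code from the 7705 SAR OS; a pure-Python model of the lookup.
"""
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ViewFamily:
    subtree: tuple[int, ...]   # OID prefix, e.g. (1, 3, 6, 1, 2)
    mask: tuple[bool, ...]     # one flag per subtree sub-identifier: True = must match
    included: bool


def parse_oid(text: str) -> tuple[int, ...]:
    return tuple(int(x) for x in text.strip(".").split("."))


def parse_mask(mask: str, n_subids: int) -> tuple[bool, ...]:
    """Accept the forms the CLI accepts: 'ff', '0xfc', '0b11111100'.
    The most significant bit corresponds to the first sub-identifier. A mask
    shorter than the subtree is extended with ones (exact-match bits); extra
    bits beyond the subtree length carry no meaning and are dropped."""
    if mask.startswith("0b"):
        bits = [c == "1" for c in mask[2:]]
    else:
        hexdigits = mask[2:] if mask.startswith("0x") else mask
        bits = [bool((int(h, 16) >> (3 - i)) & 1) for h in hexdigits for i in range(4)]
    bits = bits[:n_subids]
    return tuple(bits + [True] * (n_subids - len(bits)))


def family(subtree: str, mask: str = "ff", kind: str = "included") -> ViewFamily:
    oid = parse_oid(subtree)
    return ViewFamily(oid, parse_mask(mask, len(oid)), kind == "included")


def _matches(fam: ViewFamily, oid: tuple[int, ...]) -> bool:
    if len(oid) < len(fam.subtree):
        return False
    return all((not must) or (o == s) for o, s, must in zip(oid, fam.subtree, fam.mask))


def oid_in_view(view: list[ViewFamily], oid_text: str) -> bool:
    """RFC 3415 rule: of all families whose masked subtree matches the OID, the one
    with the most sub-identifiers decides; on a tie, the lexicographically greatest
    subtree wins. No matching family means the object is not in the view."""
    oid = parse_oid(oid_text)
    candidates = [f for f in view if _matches(f, oid)]
    if not candidates:
        return False
    best = max(candidates, key=lambda f: (len(f.subtree), f.subtree))
    return best.included


# testview from the manual's example: everything under 1, minus 1.3.6.1.2 (mib-2).
TESTVIEW = [family("1", "ff"), family("1.3.6.1.2", "ff", "excluded")]

# Constructed wildcard example (not from the manual): subtree ifEntry.1.5 with mask
# 0xffa0 clears the 10th bit, so the column sub-identifier is a wildcard and the
# view exposes every ifEntry column for interface index 5 only.
IF5VIEW = [family("1.3.6.1.2.1.2.2.1.1.5", "0xffa0")]

if __name__ == "__main__":
    print(oid_in_view(TESTVIEW, "1.3.6.1.6.3.10.2.1.1.0"))  # True: snmpEngineID is not under mib-2
    print(oid_in_view(TESTVIEW, "1.3.6.1.2.1.1.1.0"))       # False: sysDescr is under the excluded family
    print(oid_in_view(IF5VIEW, "1.3.6.1.2.1.2.2.1.2.5"))    # True: ifDescr.5
    print(oid_in_view(IF5VIEW, "1.3.6.1.2.1.2.2.1.2.6"))    # False: ifDescr.6
```

The practical check this gives you: before handing a view to an access group with write permission, run the OIDs you intend to expose and the ones you intend to hide through oid_in_view, since a longer included family placed under an excluded one silently re-opens that branch.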
  • Page 183: Show Commands

    SNMP Show Commands counters Syntax counters Context show>snmp Description This command displays SNMP counter information. SNMP counters will continue to increase even when SNMP is shut down. Some internal modules communicate using SNMP packets. Output Counters Output — The following table describes SNMP counters output fields. Table 19: Show SNMP Counters Output Fields Label Description...
  • Page 184: Table 20: Show System Information Output Fields

    SNMP Command Reference Sample Output A:ALU-1# show snmp counters ============================================================================== SNMP counters: ============================================================================== in packets : ------------------------------------------------------------------------------ in gets : 93 in getnexts : 0 in sets : 370 out packets: ------------------------------------------------------------------------------ out get responses : out traps variables requested: variables set ============================================================================== A:ALU-1#...
  • Page 185 SNMP Table 20: Show System Information Output Fields (Continued) Label — Description: SNMP Admin State — Enabled: SNMP is administratively enabled; Disabled: SNMP is administratively disabled. SNMP Oper State — Enabled: SNMP is operationally enabled; Disabled: SNMP is operationally disabled. Persistent —...
  • Page 186 SNMP Command Reference Table 20: Show System Information Output Fields (Continued) Label — Description: Last Boot Index Version — Displays the index version used in the most recent boot. Last Boot Index Header — Displays the header information of the index used in the most recent boot. Displays the filename of the last saved configuration...
  • Page 187 Last Booted Config File: ftp://172.22.184.249/./debby-sim1/debby-sim1-config.cfg Last Boot Cfg Version : THU MAR 11 16:58:20 2008 UTC Last Boot Config Header: # TiMOS-B-0.0.I1042 both/i386 Alcatel-Lucent SAR 7705 Copyright (c) 2000-2008 Alcatel-Lucent. # All rights reserved. All use subject to applicable license agreements.
  • Page 188: Table 21: Show System Access Group Fields

    SNMP Command Reference Last Boot Index Header : # TiMOS-B-0.0.I1042 both/i386 Alcatel-Lucent SAR 7705 Copyright (c) 2000-2008 Alcatel-Lucent. # All rights reserved. All use subject to applicable license agreements. # Built on Tue Mar 11 01:26:23 PST 2008 by builder in /rel0.0/I1042/panos/main # Generated TUE...
  • Page 189 SNMP Table 21: Show System Access Group Fields (Continued) Label — Description: Notify view — Specifies the view to send a trap about MIB objects. No. of access groups — The total number of configured access groups. Sample Output A:ALU-1# show system security access-group =============================================================================== Access Groups ===============================================================================...
  • Page 190: Table 22: Show Communities Output Fields

    SNMP Command Reference communities Syntax communities Context show>system>security Description This command lists SNMP communities and characteristics. Output Communities Output — The following table describes the communities output fields. Table 22: Show Communities Output Fields Label — Description: Community — The community string name for SNMPv1 and SNMPv2c access only. r —...
  • Page 191: Table 23: Show User Output Fields

    SNMP user Syntax user [user-id] [detail] Context show>system>security Description This command displays user information. Output User Output — The following table describes user information output fields. Table 23: Show User Output Fields Label — Description: User ID — The name of a system user. Yes —...
  • Page 192: Table 24: Show System Security View Output Fields

    SNMP Command Reference Sample Output A:ALU-1# show system security user =============================================================================== Users =============================================================================== user id User Permissions Password Login Failed Local console ftp snmp Expires Attempts Logins Conf ------------------------------------------------------------------------------- admin never testuser never ------------------------------------------------------------------------------- Number of users : 2 =============================================================================== A:ALU-1# view Syntax...
  • Page 193 SNMP Sample Output A:ALU-1# show system security view =============================================================================== Views =============================================================================== view name oid tree mask permission ------------------------------------------------------------------------------- included no-security included no-security 1.3.6.1.6.3 excluded no-security 1.3.6.1.6.3.10.2.1 included no-security 1.3.6.1.6.3.11.2.1 included no-security 1.3.6.1.6.3.15.1.1 included ------------------------------------------------------------------------------- No. of Views: 6 =============================================================================== A:ALU-1# A:ALU-1# show system security view no-security detail =============================================================================== Views...
  • Page 194 SNMP Command Reference 1.3.6.1.2.1.68 no-support 1.3.6.1.2.1.85 no-support 1.3.6.1.2.1.100 no-support 1.3.6.1.2.1.4.39 no-support 1.3.6.1.2.1.5.20 no-support Parameters detail — displays all groups associated with the view capabilities — displays all views, including excluded MIB-OID trees from unsupported features
  • Page 195: Event And Accounting Logs

    Event and Accounting Logs In This Chapter This chapter provides information about configuring event and accounting logs in the 7705 SAR. Topics in this chapter include: • Logging Overview on page 196 • Log Destinations on page 198 → Console on page 198 →...
  • Page 196: Logging Overview

    Logging Overview The two primary types of logging supported on the 7705 SAR are event logging and accounting logs. Event logging controls the generation, dissemination and recording of system events for monitoring status and troubleshooting faults within the system. Events are messages generated by the system by applications or processes within the 7705 SAR.
  • Page 197: Table 25: Event Severity Levels

    Event and Accounting Logs Table 25: Event Severity Levels (severity number, severity name): Cleared, Indeterminate (info), Critical, Major, Minor, Warning. Event control maintains a count of the number of events generated (logged) and dropped (suppressed) for each application event. The severity of an application event can be configured in event control.
  • Page 198: Log Destinations

    Log Destinations Both event logs and accounting logs use a common mechanism for referencing a log destination. 7705 SAR routers support the following log destinations: • Console • Session • Memory Logs • Log Files • SNMP Trap Group •...
  • Page 199: Log Files

    Event and Accounting Logs Log Files Log files can be used by both event logs and accounting logs and are stored on the compact flash device (cf3) in the file system. A log file is identified by a single log file ID, but a log file will generally be composed of a number of individual files in the file system.
  • Page 200: Snmp Trap Group

    Log Destinations Accounting log files are created in the \act-collect directory on the compact flash device. The naming convention for accounting logs is aaff-timestamp.xml.gz, where: aa is the accounting policy ID; ff is the log file destination ID; timestamp is the timestamp when the file is created, in the same form as for event logs.
  • Page 201: Syslog

    Event and Accounting Logs Syslog An event log can be configured to send events to one syslog destination. Syslog destinations have the following properties: • syslog server IP address • the UDP port used to send the syslog message • the Syslog Facility Code •...
  • Page 202: Event Logs

    Event Logs Event logs are the means of recording system-generated events for later analysis. Events are messages generated by the system by applications or processes within the 7705 SAR. Figure 3 depicts a functional block diagram of event logging. Figure 3: Event Logging Block Diagram EVENT EVENT...
  • Page 203: Figure 4: Show Log Applications Command Output

    Event and Accounting Logs • Change — The change activity event source is all events that directly affect the configuration or operation of the node. Change events are generated by the USER application. • Debug — The debug event source is the debugging configuration that has been enabled on the system.
  • Page 204: Event Control

    Event Logs Event Control Event control pre-processes the events generated by applications before the event is passed into the main event stream. Event control assigns a severity to application events and can either forward the event to the main event source or suppress the event. Suppressed events are counted in event control, but these events will not generate log entries as they never reach the log manager.
  • Page 205: Log Manager And Event Logs

    Event and Accounting Logs 2002 ipEtherBroadcast 2003 ipDuplicateAddress LDP: 2001 vRtrLdpStateChange 2002 vRtrLdpInstanceStateChange 2003 vRtrLdpIfStateChange LOGGER: 2001 STARTED 2002 tmnxLogTraceError 2005 tmnxLogSpaceContention MPLS: 2001 mplsXCUp 2002 mplsXCDown 2003 mplsTunnelUp NTP: 2001 tmnxNtpAuthMismatch 2002 tmnxNtpNoServersAvail 2003 tmnxNtpServersAvail SYSTEM: 2001 stiDateAndTimeChanged 2002 ssiSaveConfigSucceeded 2003 ssiSaveConfigFailed USER: 2001 cli_user_login...
  • Page 206: Event Filter Policies

    Event Logs An event log has the following properties: • a unique log ID The log ID is a short, numeric identifier for the event log. A maximum of 10 logs can be configured at a time. • one or more log sources The source stream or streams to be sent to log destinations can be specified.
  • Page 207: Event Log Entries

    Event and Accounting Logs Table 27: Valid Filter Policy Operators (operator — description): eq — Equal to; neq — Not equal to; lt — Less than; lte — Less than or equal to; gt — Greater than; gte — Greater than or equal to. A match criteria entry can include combinations of: • equal to or not equal to a given system application •...
  • Page 208: Table 28: Log Entry Field Descriptions

    Event Logs The general format for an event in an event log with either a memory, console or file destination is as follows: nnnn YYYY/MM/DD HH:MM:SS.SS <severity>:<application> # <event_id> <router-name> <subject> description The following is an event log example: 475 2007/11/27 00:19:40.38 WARNING: SNMP #2008 Base 1/1/1 "interface 1/1/1 came up"...
  • Page 209: Simple Logger Event Throttling

    Event and Accounting Logs Simple Logger Event Throttling Simple event throttling provides a mechanism to protect event receivers from being overloaded when a scenario causes many events to be generated in a very short period of time. A throttling rate (a maximum number of events per configured interval) can be configured. Specific application events can be configured to be throttled.
  • Page 210: Default System Log

    Event Logs Default System Log Log 99 is a preconfigured memory-based log that logs events from the main event source (not security, debug, or change). Log 99 exists by default. The following example displays the log 99 configuration. ALU-1>config>log# info detail #------------------------------------------ echo "Log Configuration "...
  • Page 211: Accounting Logs

    Event and Accounting Logs Accounting Logs Before an accounting policy can be created, a target log file must be created to collect the accounting records. The files are stored on the compact flash (cf3) as compressed XML files and can be retrieved using FTP or SCP; prefer SCP, since FTP carries both the login credentials and the accounting records in cleartext. Accounting Records An accounting policy must define a record name and collection interval.
  • Page 212: Table 30: Accounting Record Name Details

    Accounting Logs Table 30: Accounting Record Name Details (record name — sub-record fields): Service-ingress-octets — SvcId, SapId, QueueId, OfferedHiPrioOctets, DroppedHiPrioOctets, LowOctetsOffered, LowOctetsDropped, UncoloredOctetsOffered, InProfileOctetsForwarded, OutOfProfileOctetsForwarded. Service-egress-octets — SvcId, SapId, QueueId, InProfileOctetsForwarded, InProfileOctetsDropped, OutOfProfileOctetsForwarded, OutOfProfileOctetsDropped.
  • Page 213 Event and Accounting Logs Table 30: Accounting Record Name Details (Continued) (record name — sub-record fields): Service-ingress-packets — SvcId, SapId, QueueId, HighPktsOffered, HighPktsDropped, LowPktsOffered, LowPktsDropped, UncoloredPacketsOffered, InProfilePktsForwarded, OutOfProfilePktsForwarded. Service-egress-packets — SvcId, SapId, QueueId, InProfilePktsForwarded, InProfilePktsDropped, OutOfProfilePktsForwarded, OutOfProfilePktsDropped. SapId slaProfile SlaProfile
  • Page 214: Accounting Files

    Accounting Logs Accounting Files When a policy has been created and applied to a service, the accounting file is stored on the compact flash in a compressed XML file format. The 7705 SAR creates two directories on the compact flash to store the files. The following output displays a directory named act-collect that holds accounting files that are open and actively collecting statistics, and a...
  • Page 215: Configuration Notes

    Event and Accounting Logs Configuration Notes This section describes logging configuration caveats. • A file or filter cannot be deleted if it has been applied to a log. • File IDs, syslog IDs, or SNMP trap groups must be configured before they can be applied to a log ID.
  • Page 216 Configuration Notes
  • Page 217: Configuring Logging With Cli

    Event and Accounting Logs Configuring Logging with CLI This section provides information to configure logging using the command line interface. Topics in this section include: • Log Configuration Overview on page 218 • Log Type on page 219 • Basic Event Log Configuration on page 220 •...
  • Page 218: Log Configuration Overview

    Log Configuration Overview Logging on the 7705 SAR is used to provide the operator with logging information for monitoring and troubleshooting. You can configure logging parameters to save information in a log file or direct the messages to other devices. Logging commands allow you to: •...
  • Page 219: Log Type

    Event and Accounting Logs Log Type Logs can be configured in the following contexts: • Log file — log files can contain log event message streams or accounting/billing information. Log file IDs are used to direct events, alarms/traps, and debug information to their respective targets.
  • Page 220: Basic Event Log Configuration

    Basic Event Log Configuration The most basic log configuration must have the following: • a log ID or an accounting policy ID • a log source • a log destination The following displays a log configuration example. ALU-12>config>log# info #------------------------------------------ echo "Log Configuration "...
  • Page 221: Common Configuration Tasks

    Event and Accounting Logs Common Configuration Tasks The following sections describe basic system tasks that must be performed. • Configuring an Event Log • Configuring a File ID • Configuring an Accounting Policy • Configuring Event Control • Configuring Throttle Rate •...
  • Page 222: Configuring A File Id

    Common Configuration Tasks config>log>log-id# to file 1 config>log>log-id# no shutdown config>log>log-id# exit The following displays a log file configuration: ALU-12>config>log>log-id# info ---------------------------------------------- log-id 2 description "This is a test log file." filter 1 from main security to file 1 exit ---------------------------------------------- ALU-12>config>log>log-id# Configuring a File ID...
  • Page 223: Configuring An Accounting Policy

    Event and Accounting Logs The following displays the file ID configuration: ALU-12>config>log# info ------------------------------------------ file-id 1 description "This is a log file." location cf3: rollover 600 retention 24 exit ---------------------------------------------- ALU-12>config>log# Configuring an Accounting Policy Before an accounting policy can be created, a target log file must be created to collect the accounting records.
  • Page 224: Configuring Event Control

    Common Configuration Tasks config>log>acct-policy# to file 1 config>log>acct-policy# exit config>log# accounting-policy 5 config>log>acct-policy# description "This is a test accounting policy." config>log>acct-policy# record service-ingress-packets config>log>acct-policy# to file 2 config>log>acct-policy# The following displays the accounting policy configuration: ALU-12>config>log# info ---------------------------------------------- accounting-policy 4 description "This is the default accounting policy."...
  • Page 225: Configuring Throttle Rate

    Event and Accounting Logs ALU-12>config>log# info #------------------------------------------ echo "Log Configuration" #------------------------------------------ throttle-rate 500 interval 10 event-control "atm" 2014 generate critical event-control "oam" 2001 suppress ---------------------------------------------- ALU-12>config>log>filter# Configuring Throttle Rate This command configures the number of events and interval length to be applied to all event types that have throttling enabled by the event-control command.
  • Page 226 Common Configuration Tasks application {eq | neq} application-id number {eq | neq | lt | lte | gt | gte} event-id router {eq | neq} router-instance [regexp] severity {eq | neq | lt | lte | gt | gte} severity-level subject {eq | neq} subject [regexp] The following displays an example of the log filter configuration command syntax: Example:...
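The event-entry format from the Event Log Entries section, the operators in Table 27 and the match criteria listed above combine into one small mechanism: each event is parsed, then run through the filter's entries in order, and the first entry whose criteria all match decides forward or drop, with default-action applying otherwise. The following is an added example, not the 7705 SAR's own logger code: it parses lines in the documented format and evaluates the filter from the Modifying a Log Filter example (default-action drop; entry 1 forwards application eq "atm" with severity eq critical). The first sample line is the manual's own; the other two are constructed, and the numeric severity ranks (1 to 6 in the order Table 25 lists the levels) are an assumption used only for the lt/lte/gt/gte operators.

```python
"""
Added example: parse 7705 SAR event-log lines and evaluate a log filter
policy (default-action, ordered entries with action and match criteria).
Not the router's code; a model of the semantics the manual documents.
"""
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Severity names from Table 25; the ranks (listed order) are an assumption.
SEVERITY_RANK = {"cleared": 1, "indeterminate": 2, "critical": 3,
                 "major": 4, "minor": 5, "warning": 6}

# nnnn YYYY/MM/DD HH:MM:SS.SS <severity>:<application> # <event_id> <router-name> <subject> "description"
EVENT_RE = re.compile(
    r'^(?P<seq>\d+)\s+(?P<date>\d{4}/\d{2}/\d{2})\s+(?P<time>\d{2}:\d{2}:\d{2}\.\d+)\s+'
    r'(?P<severity>[A-Z]+):\s+(?P<application>\S+)\s+#(?P<event_id>\d+)\s+'
    r'(?P<router>\S+)\s+(?P<subject>\S+)\s+"(?P<description>.*)"$'
)

OPS = {"eq": lambda a, b: a == b, "neq": lambda a, b: a != b,
       "lt": lambda a, b: a < b, "lte": lambda a, b: a <= b,
       "gt": lambda a, b: a > b, "gte": lambda a, b: a >= b}


@dataclass
class Event:
    seq: int
    severity: str
    application: str
    event_id: int
    router: str
    subject: str
    description: str


def parse_event(line: str) -> Event:
    m = EVENT_RE.match(line.strip())
    if not m:
        raise ValueError(f"not a 7705 SAR event line: {line!r}")
    return Event(int(m["seq"]), m["severity"].lower(), m["application"].lower(),
                 int(m["event_id"]), m["router"], m["subject"], m["description"])


@dataclass
class Entry:
    action: str                                   # "forward" or "drop"
    application: tuple[str, str] | None = None    # (eq|neq, name)
    number: tuple[str, int] | None = None         # (any operator, event-id)
    severity: tuple[str, str] | None = None       # (any operator, level name)
    subject: tuple[str, str, bool] | None = None  # (eq|neq, pattern, regexp?)
    router: tuple[str, str, bool] | None = None   # (eq|neq, pattern, regexp?)

    def matches(self, ev: Event) -> bool:
        """Every configured criterion must hold for the entry to match."""
        if self.application and not OPS[self.application[0]](ev.application, self.application[1].lower()):
            return False
        if self.number and not OPS[self.number[0]](ev.event_id, self.number[1]):
            return False
        if self.severity and not OPS[self.severity[0]](SEVERITY_RANK[ev.severity],
                                                        SEVERITY_RANK[self.severity[1]]):
            return False
        for crit, value in ((self.subject, ev.subject), (self.router, ev.router)):
            if crit:
                op, pattern, regexp = crit
                hit = bool(re.search(pattern, value)) if regexp else value == pattern
                if not OPS[op](hit, True):
                    return False
        return True


@dataclass
class Filter:
    default_action: str = "forward"
    entries: list[Entry] = field(default_factory=list)  # evaluated in entry-id order

    def decide(self, ev: Event) -> str:
        for entry in self.entries:
            if entry.matches(ev):
                return entry.action
        return self.default_action


# Filter 1 from the manual: drop everything except critical ATM events.
FILTER_1 = Filter("drop", [Entry("forward", application=("eq", "atm"), severity=("eq", "critical"))])

# Sample lines in the documented format; the first is the manual's, the rest are constructed.
SAMPLE_LINES = [
    '475 2007/11/27 00:19:40.38 WARNING: SNMP #2008 Base 1/1/1 "interface 1/1/1 came up"',
    '476 2007/11/27 00:19:41.02 CRITICAL: ATM #2014 Base 1/2/1 "constructed ATM event"',
    '477 2007/11/27 00:19:42.10 MINOR: ATM #2014 Base 1/2/2 "constructed ATM event"',
]


def apply_filter(flt: Filter, lines: list[str]) -> list[tuple[int, str]]:
    return [(ev.seq, flt.decide(ev)) for ev in map(parse_event, lines)]


if __name__ == "__main__":
    print(apply_filter(FILTER_1, SAMPLE_LINES))  # [(475, 'drop'), (476, 'forward'), (477, 'drop')]
```

A filter with default-action drop is a whitelist: anything an entry does not explicitly forward is lost from that log, so when the security stream feeds a file or syslog destination, check the filter against a login event and a configuration-change event before relying on it for incident evidence.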
  • Page 227: Configuring An Snmp Trap Group

    Event and Accounting Logs Configuring an SNMP Trap Group The associated log-id does not have to be configured before a snmp-trap-group can be created; however, the snmp-trap-group must exist before the log-id can be configured to use it. Trap targets of type snmpv1 or snmpv2c send the notify-community and the trap contents in cleartext; where the receiver supports it, use an snmpv3 target with security-level privacy. Use the following CLI syntax to configure an SNMP trap group: CLI Syntax: config>log snmp-trap-group log-id trap-target name [address ip-address] [port port]...
  • Page 228: Configuring A Syslog Target

    Common Configuration Tasks Configuring a Syslog Target Log events cannot be sent to a syslog target host until a valid syslog ID exists. Syslog messages leave the router over UDP with no authentication or encryption, so events from the security and change streams (user logins, configuration changes) can be read or spoofed on the path to the server; reach the syslog server only over a trusted management network. Use the following CLI syntax to configure a syslog file: CLI Syntax: config>log syslog syslog-id description description-string address ip-address log-prefix log-prefix-string port port...
  • Page 229: Log Management Tasks

    Event and Accounting Logs Log Management Tasks This section discusses the following logging tasks: • Modifying a Log File • Deleting a Log File • Modifying a File ID • Deleting a File ID • Modifying a Syslog ID • Deleting a Syslog ID •...
  • Page 230: Deleting A Log File

    Log Management Tasks exit ---------------------------------------------- ALU-12>config>log>log-id# The following displays an example of modifying log file parameters: Example: config# log config>log# log-id 2 config>log>log-id# description "Chassis log file." config>log>log-id# filter 2 config>log>log-id# from security config>log>log-id# exit The following displays the modified log file configuration: ALU-12>config>log# info ---------------------------------------------- log-id 2...
  • Page 231: Modifying A File Id

    Event and Accounting Logs Use the following CLI syntax to delete a log file: CLI Syntax: config>log no log-id log-id shutdown The following displays an example of deleting a log file: Example: config# log config>log# log-id 2 config>log>log-id# shutdown config>log>log-id# exit config>log# no log-id 2 Modifying a File ID Note: When the file-id location parameter is modified, log files are not written to the...
  • Page 232: Deleting A File Id

    Log Management Tasks config>log>file-id# location cf3: config>log>file-id# rollover 2880 retention 500 config>log>file-id# exit The following displays the file ID modifications: ALU-12>config>log# info ---------------------------------------------- file-id 1 description "LocationTest." location cf3: rollover 2880 retention 500 exit ---------------------------------------------- ALU-12>config>log# Deleting a File ID Note: All references to the file ID must be deleted before the file ID can be removed.
  • Page 233: Modifying A Syslog Id

    Event and Accounting Logs Modifying a Syslog ID Note: All references to the syslog ID must be deleted before the syslog ID can be removed. Use the following CLI syntax to modify syslog ID parameters: CLI Syntax: config>log syslog syslog-id description description-string address ip-address log-prefix log-prefix-string...
  • Page 234: Modifying An Snmp Trap Group

    Log Management Tasks Modifying an SNMP Trap Group Use the following CLI syntax to modify an SNMP trap group: CLI Syntax: config>log snmp-trap-group log-id trap-target name [address ip-address] [port port] [snmpv1 | snmpv2c | snmpv3] notify-community communityName | snmpv3SecurityName [security-level {no-auth-no-privacy | auth-no-privacy | privacy}] The following displays the current SNMP trap group configuration: ALU-12>config>log# info...
  • Page 235: Deleting An Snmp Trap Group

    Event and Accounting Logs Deleting an SNMP Trap Group Use the following CLI syntax to delete a trap target and SNMP trap group: CLI Syntax: config>log no snmp-trap-group log-id no trap-target name The following displays the SNMP trap group configuration: ALU-12>config>log# info ---------------------------------------------- snmp-trap-group 10...
  • Page 236 Log Management Tasks The following output displays the current log filter configuration: ALU-12>config>log# info #------------------------------------------ echo "Log Configuration" #------------------------------------------ filter 1 default-action drop description "This is a sample filter." entry 1 action forward match application eq "atm" severity eq critical exit exit exit...
  • Page 237: Deleting A Log Filter

    Event and Accounting Logs Deleting a Log Filter Use the following CLI syntax to delete a log filter: CLI Syntax: config>log no filter filter-id The following displays an example of the command to delete a log filter: Example: config>log# no filter 1 Modifying Event Control Parameters...
  • Page 238: Returning To The Default Event Control Configuration

    Log Management Tasks Returning to the Default Event Control Configuration The no form of the event-control command returns modified values back to the default values. Use the following CLI syntax to return to the default event control configuration: CLI Syntax: config>log no event-control application [event-name | event- number] The following displays an example of the command usage to return to the default values:...
  • Page 239: Log Command Reference

    Event and Accounting Logs Log Command Reference Command Hierarchies • Configuration Commands → Accounting Policy Commands → Event Control Commands → Log File Commands → Log Filter Commands → Log Filter Entry Commands → Log Filter Entry Match Commands → Syslog Commands →...
  • Page 240 Log Command Reference Configuration Commands Accounting Policy Commands config — log — accounting-policy acct-policy-id [interval minutes] — no accounting-policy acct-policy-id — [no] default — description description-string — no description — record record-name — no record — [no] shutdown — to file file log-file-id Event Control Commands config...
  • Page 241 Event and Accounting Logs Log Filter Entry Commands config — log — [no] filter filter-id — [no] entry entry-id — action {drop | forward} — no action — description description-string — no description Log Filter Entry Match Commands config — log —...
  • Page 242 Log Command Reference Logging Destination Commands config — log — [no] log-id log-id — description description-string — no description — filter filter-id — no filter — from {[main] [security] [change] [debug-trace]} — no from — [no] shutdown — to console —...
  • Page 243 Event and Accounting Logs Clear Commands clear — log-id
  • Page 244: Command Descriptions

    Log Command Reference Command Descriptions • Configuration Commands on page 245 • Show Commands on page 279 • Clear Commands on page 298
  • Page 245: Configuration Commands

    Event and Accounting Logs Configuration Commands • Generic Commands on page 246 • Accounting Policy Commands on page 248 • Event Control on page 251 • Log File Commands on page 253 • Log Filter Commands on page 257 • Log Filter Entry Commands on page 258 •...
  • Page 246: Generic Commands

    Log Command Reference Generic Commands description Syntax description string no description Context config>log>filter filter-id config>log>filter filter-id>entry entry-id config>log>log-id log-id config>log>accounting-policy policy-id config>log>file-id file-id config>log>syslog syslog-id config>log>snmp-trap-group Description This command creates a text description stored in the configuration file for a configuration context. The command associates a text string with a configuration context to help identify the content in the configuration file.
  • Page 247 Event and Accounting Logs Special Cases log-id — When a log-id is shut down, no events are collected for the entity. This leads to the loss of event data. policy-id — When an accounting policy is shut down, no accounting data is written to the destination log ID.
  • Page 248 Log Command Reference Accounting Policy Commands accounting-policy Syntax accounting-policy policy-id [interval minutes] no accounting-policy policy-id Context config>log Description This command creates an access accounting policy. An accounting policy defines the accounting records that are created. Access accounting policies are policies that can be applied to one or more service access points (SAPs).
  • Page 249 Event and Accounting Logs default Syntax [no] default Context config>log>accounting-policy policy-id Description This command adds the designation that the accounting policy ID is the default access accounting policy to be used with all SAPs without a specified accounting policy. If no access accounting policy is defined on a SAP, accounting records are produced in accordance with the default access policy.
  • Page 250 Log Command Reference Only one record may be configured in a single accounting policy. Note: Collecting excessive statistics can adversely affect the CPU utilization and take up large amounts of storage space. The no form of the command removes the record type from the policy. Default No accounting record is defined.
  • Page 251 Event and Accounting Logs Event Control event-control Syntax event-control application-id [event-name | event-number] [generate [severity-level] [throttle]] event-control application-id [event-name | event-number] suppress no event-control application [event-name | event-number] Context config>log Description This command is used to specify that a particular event, or all events associated with an application, are either generated or suppressed.
  • Page 252 Log Command Reference event-name | event-number — to generate, suppress, or revert to default for a single event, enter the specific number or event short name. If no event number or name is specified, the command applies to all events in the application. To display a list of all event short names, use the event-control command.
  • Page 253 Event and Accounting Logs Log File Commands file-id Syntax [no] file-id file-id Context config>log Description This command creates the context to configure a file ID template to be used as a destination for an event log or billing file. This command defines the file location and characteristics that are to be used as the destination for a log event message stream or accounting and billing information.
  • Page 254 Log Command Reference • the accounting file is compressed and has a gz extension When initialized, each file will contain: • the log-id description • the time the file was opened • the reason the file was created • the sequence number of the last event stored on the log (if the event log file was closed properly) If the process of writing to a log file fails (for example, the compact flash card is full) and if a backup location is not specified or fails, the log file will not become operational even if the compact flash...
  • Page 255 Event and Accounting Logs When creating files, the primary location is used as long as there is available space. If no space is available, an attempt is made to delete unnecessary files that are past their retention date. If sufficient space is not available, an attempt is made to remove the oldest to newest closed log or accounting files.
  • Page 256 Log Command Reference retention hours — the retention period in hours, expressed as a decimal integer. The retention time is based on the creation time of the file. The file becomes a candidate for removal once the creation datestamp + rollover time + retention time is less than the current timestamp. Default Values 1 to 500...
  • Page 257 Event and Accounting Logs Log Filter Commands filter Syntax [no] filter filter-id Context config>log Description This command creates a context for an event filter. An event filter specifies whether to forward or drop an event or trap based on the match criteria. Filters are configured in the filter filter-id context and then applied to a log in the log-id log-id context.
  • Page 258 Log Command Reference Log Filter Entry Commands action Syntax action {drop | forward} no action Context config>log>filter filter-id>entry entry-id Description This command specifies a drop or forward action associated with the filter entry. If neither drop nor forward is specified, the default-action will be used for traffic that conforms to the match criteria.
  • Page 259 Event and Accounting Logs Default No event filter entries are defined. An entry must be explicitly configured. Parameters entry-id — uniquely identifies a set of match criteria and the corresponding action within a filter. Entry ID values should be configured in staggered increments so you can insert a new entry in an existing policy without renumbering the existing entries.
  • Page 260 Log Command Reference Log Filter Entry Match Commands match Syntax [no] match Context config>log>filter filter-id>entry entry-id Description This command creates the context to enter or edit match criteria for a filter entry. When the match criteria is satisfied, the action associated with the entry is executed. If more than one match parameter (within one match statement) is specified, then all the criteria must be satisfied and functional before the action associated with the match is executed.
  • Page 261 Event and Accounting Logs Parameters eq | neq — the operator specifying the type of match. Valid operators are listed in the table below. Operator / Notes: eq — Equal to; neq — Not equal to. application-id — the application name string Values atm, chassis, debug, efm_oam, filter, gsmp, ip, ldp, logger, mpls, ntp, oam, port, ppp, qos, route_policy, security, snmp, stp, svcmgr, system, tip, tod, user, user_db, vrtr number...
  • Page 262 Log Command Reference event-id — the event ID, expressed as a decimal integer Values 1 to 4294967295 router Syntax router {eq | neq} router-instance [regexp] no router Context config>log>filter>entry>match Description This command specifies the log event matches for the router. Parameters eq —...
  • Page 263 Event and Accounting Logs Parameters eq | neq | lt | lte | gt | gte — this operator specifies the type of match. Valid operators are listed in the table below. Operator / Notes: eq — Equal to; neq — Not equal to; lt — Less than; lte — Less than or equal to; gt — Greater than; gte — Greater than or equal to...
  • Page 264 Log Command Reference Default no subject Parameters eq | neq — this operator specifies the type of match. Valid operators are listed in the following table: Operator / Notes: eq — Equal to; neq — Not equal to. subject — a string used as the subject match criterion. regexp —...
  • Page 265 Event and Accounting Logs Syslog Commands syslog Syntax [no] syslog syslog-id Context config>log Description This command creates the context to configure a syslog target host that is capable of receiving selected syslog messages from the 7705 SAR. A valid syslog-id must have the target syslog host address configured. A maximum of 10 syslog IDs can be configured.
  • Page 266 Log Command Reference facility Syntax facility syslog-facility no facility Context config>log>syslog syslog-id Description This command configures the facility code for messages sent to the syslog target host. Multiple syslog IDs can be created with the same target host but each syslog ID can only have one facility code.
  • Page 267 Event and Accounting Logs Numerical Code Facility Code log-audit log-alert cron2 local0 local1 local2 local3 local4 local5 local6 local7 Values 0 to 23 level Syntax level syslog-level no level Context config>log>syslog syslog-id Description This command configures the syslog message severity level threshold. All messages with severity level equal to or higher than the threshold are sent to the syslog target host.
  • Page 268 Log Command Reference Parameters syslog-level — the threshold severity level name. Values are described in the table below. Values emergency, alert, critical, error, warning, notice, info, debug. Table columns: 7705 SAR Severity Level | Configured Severity Level | Syslog Severity (highest to lowest) | Definition. First rows: emergency — System is unusable; 3 critical...
  • Page 269 Event and Accounting Logs Parameters log-prefix-string — an alphanumeric string of up to 32 characters. Special characters (#, $, spaces, etc.) cannot be used in the string. port Syntax port value no port Context config>log>syslog syslog-id Description This command configures the UDP port that will be used to send syslog messages to the syslog target host.
  • Page 270 Log Command Reference Logging Destination Commands log-id Syntax [no] log-id log-id Context config>log Description This command creates a context to configure destinations for event streams. The log-id context is used to direct events, alarms/traps, and debug information to respective destinations. A maximum of 10 logs can be configured.
  • Page 271 Event and Accounting Logs An event filter policy defines (limits) the events that are forwarded to the destination configured in the log-id. The event filter policy can also be used to select the alarms and traps to be forwarded to a destination snmp-trap-group.
  • Page 272 Log Command Reference security — instructs all events in the security event stream to be sent to the destination defined in the to command for this destination log-id. The security stream contains all events that affect attempts to breach system security such as failed login attempts, attempts to access MIB tables to which the user is not granted access, or attempts to enter a branch of the CLI to which access has not been granted.
  • Page 273 Event and Accounting Logs The source of the data stream must be specified in the from command prior to configuring the destination with the to command. The to command cannot be modified or re-entered. If the log destination needs to be changed or if the maximum size of an SNMP log or memory log needs to be modified, the log ID must be removed then recreated.
  • Page 274 Log Command Reference to session Syntax to session Context config>log>log-id log-id Description This is one of the commands used to specify the log ID destination. This parameter is mandatory when configuring a log destination. This command instructs the events selected for the log ID to be directed to the current console or telnet session.
  • Page 275 Event and Accounting Logs Parameters size — defines the number of events stored in this memory log Default Values 50 to 1024 to syslog Syntax to syslog syslog-id Context config>log>log-id Description This is one of the commands used to specify the log ID destination. This parameter is mandatory when configuring a log destination.
  • Page 276 Log Command Reference SNMP Trap Groups snmp-trap-group Syntax [no] snmp-trap-group log-id Context config>log Description This command creates the context to configure a group of SNMP trap receivers and their operational parameters for a given log-id. A trap group specifies the types of SNMP traps and specifies the log ID that will receive the group of SNMP traps.
  • Page 277 Event and Accounting Logs The trap-target command is used to add or remove a trap receiver from an snmp-trap-group. The operational parameters specified in the command include: • the IP address of the trap receiver • the UDP port used to send the SNMP trap •...
  • Page 278 Log Command Reference The keyword snmpv2c selects the SNMP version 2c format. When specifying snmpv2c, the notify-community parameter must be configured for the proper SNMP community string that the trap receiver expects to be present in alarms and traps messages. If the SNMP version is changed from snmpv3 to snmpv2c, then the notify-community parameter must be changed to reflect the community string rather than the security-name that is used by snmpv3.
  • Page 279: Show Commands

    Event and Accounting Logs Show Commands accounting-policy Syntax accounting-policy [acct-policy-id] access Context show>log Description This command displays accounting policy information. Parameters acct-policy-id — the policy ID that uniquely identifies the accounting policy, expressed as a decimal integer Values 1 to 99 access —...
  • Page 280 Log Command Reference Table 31: Accounting Policy Output Fields (Continued) Label — Description: Record Name — The accounting record name that represents the configured record type. This policy is applied to — Specifies the entities that the accounting policy is applied to. Sample Output A:ALU-1# show log accounting-policy ============================================================================== Accounting Policies...
  • Page 281: Table 32: Accounting Records Output Fields

    Event and Accounting Logs accounting-records Syntax accounting-records Context show>log Description This command displays accounting policy record names. Output Accounting Records Output — The following table describes accounting records output fields. Table 32: Accounting Records Output Fields Label — Description: Record # — The record ID that uniquely identifies the accounting policy, expressed as a decimal integer. The accounting record name...
  • Page 282 Log Command Reference applications Syntax applications Context show>log Description This command displays a list of all application names that can be used in event-control and filter commands. Sample Output A:ALU-1# show log applications ================================== Log Event Application Names ================================== Application Name ---------------------------------- CHASSIS...
  • Page 283: Table 33: Event Control Output Fields

    Event and Accounting Logs event-control Syntax event-control [application [event-name | event-number]] Context show>log Description This command displays event control settings for events, including whether the event is suppressed or generated and the severity level for the event. If no options are specified, all events, alarms and traps are listed. Parameters application —...
  • Page 284 Log Command Reference Table 33: Event Control Output Fields (Continued) Label — Description: gen — the event will be generated/logged by event control; sup — the event will be suppressed/dropped by event control; thr — specifies that throttling is enabled. Logged — The number of events logged/generated. Dropped — The number of events dropped/suppressed...
  • Page 285: Table 34: Log File Summary Output Fields

    Event and Accounting Logs 2003 cli_user_login_failed 2004 cli_user_login_max_attempts 2005 ftp_user_login 2006 ftp_user_logout 2007 ftp_user_login_failed 2008 ftp_user_login_max_attempts 2009 cli_user_io 2010 snmp_user_set 2011 cli_config_io 4357 ======================================================================= A:ALU-1# file-id Syntax file-id [log-file-id] Context show>log Description This command displays event log file information. If no command line parameters are specified, a summary output of all event log files is displayed. Specifying a file ID displays detailed information on the event log file.
  • Page 286 Log Command Reference Table 34: Log File Summary Output Fields (Continued) Label Description in progress — indicates the current open log file state complete — indicates the old log file Sample Output A:ALU-1# show log file-id ============================================================= File Id List ============================================================= file-id rollover...
  • Page 287: Table 35: Filter Id Summary Output Fields

    Event and Accounting Logs filter-id Syntax filter-id [filter-id] Context show>log Description This command displays event log filter policy information. If you specify a filter ID, the command also displays the filter match criteria. Parameters filter-id — displays detailed information on the specified event filter policy ID Output Event Log Filter Summary Output —...
  • Page 288: Table 36: Filter Id Match Criteria Output Fields

    Log Command Reference Log Filter Match Criteria Output — The following table describes the output fields for log filter match criteria information. Table 36: Filter ID Match Criteria Output Fields Label — Description: Entry-id — The event log filter entry ID. Action — default — there is no explicit action for the event log filter entry and the filter's default action is used on matching events; drop —...
  • Page 289 Event and Accounting Logs Table 36: Filter ID Match Criteria Output Fields (Continued) Label Description greaterThan — matches when greater than the match criterion greaterThanOrEqual — matches when greater than or equal to the match criterion lessThan — matches when less than the match criterion lessThanOrEqual —...
  • Page 290: Table 37: Log Collector Output Fields

    Log Command Reference log-collector Syntax log-collector Context show>log Description This command displays log collector statistics for the main, security, change and debug log collectors. Output Log Collector Output — The following table describes log collector output fields. Table 37: Log Collector Output Fields Label Description —...
  • Page 291 Event and Accounting Logs Table 37: Log Collector Output Fields (Continued) Label Description SNMP traps — events defined as SNMP traps are sent to the configured SNMP trap destinations and are logged in NOTIFICATION- LOG-MIB tables File — all selected log events are directed to a file on the CSM’s compact flash disk Memory —...
  • Page 292 Log Command Reference Parameters log-id — displays the contents of the specified log file or memory log ID. The log ID must have a destination of an SNMP or log file or a memory log for this parameter to be used. Default Displays the event log summary Values...
  • Page 293: Table 38: Log Id Output Fields

    Event and Accounting Logs Output Show Log ID Output — The following table describes the log ID field output. Table 38: Log ID Output Fields Label — Description: Log Id — An event log destination. Source — no — the event log filter is not currently in use by a log ID; yes —...
  • Page 294 Log Command Reference Table 38: Log ID Output Fields (Continued) Label — Description: Size — The allocated memory size for the log. Time format — The time format specifies the type of timestamp format for events sent to logs where the log ID destination is either syslog or file. When the time format is UTC, timestamps are written using the Coordinated Universal Time value.
  • Page 295: Table 39: Snmp Trap Group Output Fields

    Event and Accounting Logs snmp-trap-group Syntax snmp-trap-group [log-id] Context show>log Description This command displays SNMP trap group configuration information. Parameters log-id — displays only SNMP trap group information for the specified trap group log ID Values 1 to 99 Output SNMP Trap Group Output —...
  • Page 296: Table 40: Syslog Output Fields

    Log Command Reference syslog Syntax syslog [syslog-id] Context show>log Description This command displays syslog event log destination summary information or detailed information on a specific syslog destination. Parameters syslog-id — displays detailed information on the specified syslog event log destination Values 1 to 10 Output...
  • Page 297 Event and Accounting Logs Sample Output *A:ALU-48>config>log# show log syslog =============================================================================== Syslog Target Hosts =============================================================================== Ip Address Port Sev Level Below Level Drop Facility Pfx Level ------------------------------------------------------------------------------- unknown info local7 unknown info mail =============================================================================== *A:ALU-48>config>log# *A:ALU-48>config>log# show log syslog 1 =============================================================================== Syslog Target 1 ===============================================================================...
  • Page 298: Clear Commands

    Log Command Reference Clear Commands Syntax log log-id Context clear Description This command reinitializes/rolls over the specified memory log or log file. Memory logs are reinitialized and cleared of contents. Log files are manually rolled over by this command. This command is only applicable to event logs that are directed to file destinations and memory destinations.
  • Page 299: Standards And Protocol Support

    Standards and Protocol Support Standards Compliance: IEEE 802.1p/q VLAN Tagging; IEEE 802.3 10BaseT; IEEE 802.3u 100BaseTX; IEEE 802.3x Flow Control. DIFFERENTIATED SERVICES: RFC 2474 Definition of the DS Field in the IPv4 and IPv6 Headers; RFC 2597 Assured Forwarding PHB Group; RFC 2598 An Expedited Forwarding PHB; RFC 3140...
  • Page 300 Standards and Protocol Support RFC 2575 SNMP-VIEW-BASED ACM-; RFC 2576 SNMP-COMMUNITY-MIB; RFC 2588 SONET-MIB; RFC 2665 EtherLike-MIB; RFC 2819 RMON-MIB. PSEUDOWIRES: RFC 3985 Pseudo Wire Emulation Edge-to-Edge (PWE3) Architecture; RFC 4385 Pseudowire Emulation Edge-to-Edge (PWE3) Control Word for Use over an MPLS PSN; RFC 4446...
  • Page 301 Standards and Protocol Support Proprietary MIBs: TIMETRA-ATM-MIB.mib, TIMETRA-CAPABILITY-7705-V1.mib, TIMETRA-CFLOWD-MIB.mib, TIMETRA-CHASSIS-MIB.mib, TIMETRA-CLEAR-MIB.mib, TIMETRA-FILTER-MIB.mib, TIMETRA-GLOBAL-MIB.mib, TIMETRA-LDP-MIB.mib, TIMETRA-LOG-MIB.mib, TIMETRA-MPLS-MIB.mib, TIMETRA-OAM-TEST-MIB.mib. SSH: draft-ietf-secsh-architecture.txt SSH Protocol Architecture; draft-ietf-secsh-userauth.txt SSH Authentication Protocol; draft-ietf-secsh-transport.txt SSH Transport Layer Protocol; draft-ietf-secsh-connection.txt SSH Connection Protocol; draft-ietf-secsh-newmodes.txt SSH Transport Layer Encryption Modes. SYNCHRONIZATION: G.813 Timing characteristics of SDH equipment slave...
  • Page 303: Documentation Feedback

    Customer documentation and product support Customer documentation http://www.alcatel-lucent.com/myaccess Product manuals and documentation updates are available at alcatel-lucent.com. If you are a new user and require access to this service, please contact your Alcatel-Lucent sales representative. Technical Support http://www.alcatel-lucent.com/support Documentation feedback...
  • Page 304 © 2009 Alcatel-Lucent. All rights reserved. 3HE 04675 AAAA TQZZA Edition 01...
