Alcatel-Lucent 7450 System Management Manual

Ethernet service switch

SYSTEM MANAGEMENT GUIDE
Alcatel-Lucent 7450
ETHERNET SERVICE SWITCH | RELEASE 13.0.R1
Alcatel-Lucent – Proprietary & Confidential
Contains proprietary/trade secret information which is the property of Alcatel-Lucent. Not to be made available
to, or copied or used by anyone who is not an employee of Alcatel-Lucent except when there is a valid non-
disclosure agreement in place which covers such information and contains appropriate non-disclosure and
limited use obligations.
Copyright 2015 © Alcatel-Lucent. All rights reserved.

Summary of Contents for Alcatel-Lucent 7450

  • Page 1 Contains proprietary/trade secret information which is the property of Alcatel-Lucent. Not to be made available to, or copied or used by anyone who is not an employee of Alcatel-Lucent except when there is a valid non-disclosure agreement in place which covers such information and contains appropriate non-disclosure and limited use obligations.
  • Page 2 This document may contain information regarding the use and installation of non-Alcatel-Lucent products. Please note that this information is provided as a courtesy to assist you. While Alcatel-Lucent tries to ensure that this information accurately reflects information provided by the supplier, please refer to the materials provided with any non-Alcatel-Lucent product and contact the supplier for confirmation.
  • Page 3: Table Of Contents

    Alcatel-Lucent 7450 ESS Router Configuration Process
  • Page 4 Tools Commands, page 113
  • Page 5 NETCONF Command Reference, page 369
  • Page 6 No Shutdown Port, page 435
  • Page 8 Table of Contents
  • Page 9 Table 36: Show System Security View Output Fields, page 330
  • Page 10 Table 53: Show Log Syslog Output Fields, page 542
  • Page 11 Figure 11: EHS Object Relationships, page 395
  • Page 12 List of Figures
  • Page 13: Preface

    Command Line Interface (CLI) syntax and command usage. Audience This guide is intended for network administrators who are responsible for configuring the 7450 ESS routers. It is assumed that the network administrators have an understanding of networking principles and configurations.
  • Page 14: List Of Technical Publications

    List of Technical Publications The 7450 ESS documentation set is composed of the following guides: • 7450 ESS Basic System Configuration Guide This guide describes basic system configurations and operations. • 7450 ESS System Management Guide This guide describes system security and access configurations as well as event logging and accounting logs.
  • Page 15 This guide describes Triple Play services and support provided by the 7450 ESS and presents examples to configure and implement various protocols and services. • 7450 ESS Quality of Service Guide This guide describes how to configure Quality of Service (QoS) policy management.
  • Page 16: Technical Support

    Technical Support If you purchased a service agreement for your 7450 ESS router and related products from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased an Alcatel-Lucent service agreement, follow this link to contact an Alcatel-Lucent support representative and to access product manuals and documentation updates: http://support.alcatel-lucent.com...
  • Page 17: Getting Started

    This chapter provides process flow information to configure system security and access functions as well as event and accounting logs. Alcatel-Lucent 7450 ESS Router Configuration Process Table 1 lists the tasks necessary to configure system security and access functions and logging features.
  • Page 18 IPv6 address expressions and with libraries that have standard IPv6 parsing as per RFC 5952 rules. See the section on IPv6 Addresses in the Router Configuration Guide for more information.
  • Page 19: Security

    CPM Filters and Traffic Management on page 55 → Secure Shell (SSH) on page 52 → Encryption on page 59 → 802.1x Network Access Control on page 59 • Configuration Notes on page 64
  • Page 20: Authentication, Authorization, And Accounting

    ALA-1 and ALA-2. The user name and password from ALA-3 could not be authenticated, thus access was denied. [Figure 1: RADIUS Requests and Responses]
  • Page 21: Authentication

    Any combination of these authentication methods can be configured to control network access from a router: • Local Authentication on page 22 • RADIUS Authentication on page 22 • TACACS+ Authentication on page 27
  • Page 22: Local Authentication

    In all these applications, up to 5 RADIUS servers pools (per RADIUS policy, if used) can be configured. The RADIUS server selection algorithm can work in 2 modes, either Direct mode or Round-robin mode.
  • Page 23 RADIUS server (for example, if the server was previously down but no requests had been sent to the server, thus, it is not certain yet whether the server is actually reachable).
  • Page 24 Enabling interactive authentication under CLI does not mean that the system uses RADIUS challenge/response mode by default. The configured password authentication-order parameter is used. If the authentication-order parameter is local RADIUS, the system will first attempt to...
  • Page 25 If the RADIUS rejects a challenge response, it counts as a failed login attempt and a new prompt is displayed. The number of failed attempts is limited by the value set for "configure...
  • Page 26 23). As long as the Session-Timeout (attribute in the RADIUS user file) is specified, it is used for the polling interval. Otherwise, the configured polling interval will be used (60 seconds by default).
  • Page 27: Tacacs+ Authentication

    TACACS+ uses Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP). TACACS+ is popular as TCP is thought to be a more reliable protocol. RADIUS combines authentication and authorization. TACACS+ separates these operations.
  • Page 28: Authorization

    Once a user has been authenticated using RADIUS (or another method), the router can be configured to perform authorization. The RADIUS server can be used to: • Download the user profile to the router • Send the profile name that the node should apply to the router.
  • Page 29: Tacacs+ Authorization

    All users who authenticate via TACACS+ can use a single common default profile that is configured on the SR OS Router, or • Each command attempted by a user is sent to the TACACS+ server for authorization
  • Page 30 - “show” - “show router” - “show port 1/1/1” - “configure port 1/1/1 description “my port” This results in the following AVPairs: cmd=show cmd=show cmd-arg=router cmd=show cmd-arg=port cmd-arg=1/1/1 cmd=configure cmd-arg=port cmd-arg=1/1/1 cmd-arg=description cmd-arg=my port
  • Page 31 - *A:dut-c>config>service# vprn 555 customer 1 create - *A:dut-c>config>service>vprn$ shutdown This results in the following AVPairs: cmd=configure cmd-arg=service cmd=configure cmd-arg=service cmd-arg=vprn cmd-arg="555" cmd-arg=customer cmd-arg=1 cmd-arg=create cmd=configure cmd-arg=service cmd-arg=vprn cmd-arg="555" cmd-arg=customer cmd-arg=1 cmd-arg=create cmd-arg=shutdown
  • Page 32: Accounting

    TACACS+ accounting is required for the particular event.
  • Page 33 The TACACS+ accounting server acknowledges the start packet and records information about the event. When the event ends, the device sends a stop packet. The stop packet is acknowledged by the TACACS+ accounting server.
  • Page 34: Security Controls

    30 seconds. Health check is enabled by default. When a service response is restored from at least one server, the alarm condition is cleared. Alarms are raised and cleared on Alcatel-Lucent’s Fault Manager or other third party fault management servers.
  • Page 35: Access Request Flow

    [Figure 2: Security Flow]
  • Page 36: Cpu Protection

    (per source) when the ip-src-monitoring keyword is used. • out-profile-rate – Applies to all control traffic destined to the CPM (all sources) received on the interface (only where the policy is applied). This is a per-interface...
  • Page 37: Figure 3: Profile Marking

    The objective of CPU protection is to limit the amount of traffic that the CPU will process at an early stage, therefore, the good and bad...
  • Page 38 If PIM or PIM snooping is configured on an interface/SAP, then multicast PIM messages are filtered based on PIM being enabled on that particular interface. All unicast PIM messages are sent to the CPU to be processed.
  • Page 39 The CPU protection features are supported on the following platforms: • 7750 SR-7/SR-12 • 7450 ESS-6/ESS-7/ESS-12 • 7950 XRS The CPU protection features are not supported on the following platforms: • 7750 SR-1 • 7450 ESS-1 • 7710 SR-c4/c12 • 7750 SR-c4/c12
  • Page 40: Cpu Protection Extensions Eth-Cfm

    This means the rate is on a per SAP/Binding basis. Only a single policy may be applied to a SAP/Binding. The “eth-cfm-monitoring” option must be configured in order for the eth-cfm entries to be applied when the policy is applied to the SAP/Binding. If this option...
  • Page 41 1 eth-cfm-monitoring aggregate eth-cfm no shutdown IOM1s are restricted to Down MEPs and ingress MIP for this feature. This feature is not supported on UP MEPs and egress MIPs for this IOM type.
  • Page 42: Eth-Cfm Ingress Squelching

    The operator is able to configure Down MEPs and ingress MIPs that conflict with the squelched levels. This also means that any existing MEP or MIP processing ingress CFM packets on a SAP on Binding where a squelching policy is configured will be interrupted as...
  • Page 43: Table 5: Cpu Protection And Squelching

    =============================================================================== ETH-CFM Squelching =============================================================================== PortId SvcId Squelch Level ------------------------------------------------------------------------------- 6/1/1:100.* 0 1 2 3 4 5 6 7
  • Page 44 ================================================================================ ETH-CFM Squelching ================================================================================ SdpId SvcId Type Far End Squelch Level ------------------------------------------------------------------------------- 12345:4000000000 2147483650 Spok 1.1.1.1 0 1 2 3 4 =============================================================================== Extreme caution must be used when deploying this feature.
  • Page 45: Distributed Cpu Protection (Dcp)

  • Page 46: Figure 5: Per Sap Per Protocol Static Rate Limiting With Dcp

    [Figure 6: Per Network Interface per Protocol Static Rate Limiting with DCP]
  • Page 47: Applicability Of Distributed Cpu Protection

    SAP. In this case the DCP policy that an operator creates for use on VPLS SAPs, for VPLSs that have a l3-interface bound to them (r-vpls), may have protocols like OSPF, ARP, configured in the policy.
  • Page 48: Log Events, Statistics, Status And Snmp Support

    Statistics and status related to DCP are available both via: • • SNMP — See various tables and objects with “Dcp” or “DCpuProt” in their name in the TIMETRA-CHASSIS-MIB, TIMETRA-SECURITY-MIB, TIMETRA-SAP-MIB and TIMETRA-VRTR-MIB
  • Page 49: Dcp Policer Resource Management

  • Page 50: Operational Guidelines And Tips

    → avoid creating protocol X so that it is treated as part of the all-unspecified bucket (but account for the packets from X in the all-unspecified rate and local-mon rate), → create protocol X and configure it to bypass.
  • Page 51: Vendor-Specific Attributes (Vsas)

    VSA. The attribute-specific field is dependent on the vendor's definition of that attribute. The Alcatel-Lucent-defined attributes are encapsulated in a RADIUS vendor-specific attribute with the vendor ID field set to 6527, the vendor ID number.
  • Page 52: Other Security Features

    SCP clients treat backslash characters as equivalent to slash characters. In particular, UNIX systems will often times interpret the backslash character as an “escape” character which does not get transmitted to the SCP server. For example, a destination...
  • Page 53: Ssh Pki Authentication

    Before SSH can be used with PKI, someone must generate a public/private key pair. This is typically supported by the SSH client software. For example, PuTTY supports a utility called PuTTYgen that will generate key pairs.
  • Page 54: Per Peer Cpm Queuing

    CPMQ, using the “per-peer-queuing” command, ensures that service levels would not (or only partially be) impacted in case of an attack from a spoofed LDP or BGP peer IP address. Per Peer CPM Queueing is supported on the 7450 ESS-6/7/12 platforms. It is not supported on the 7450 ESS-1.
  • Page 55: Cpm Filters And Traffic Management

    CPM queueing is supported on the following platforms: 7950 XRS, 7750 SR-7/SR-12, and 7750 SR-c12 (not 7750 SR-1). CPM filters and CPM queueing are supported on 7450 ESS-6/ESS-7/ESS-12 (not ESS-1). CPM filters and queues control all traffic going in to the CPM from IOMs/XMAs, including all routing protocols.
  • Page 56: Ttl Security For Ldp

    (in hardware) the incoming TTL value against the configured TTL value. If the incoming TTL value is less than the configured TTL value, the packets are discarded and a log is generated.
  • Page 57: Exponential Login Backoff

    Exponential backoff applies to any user and by any login method such as console, SSH and Telnet. Refer to Configuring Login Controls on page 96. The commands are described in Login, Telnet, SSH and FTP Commands on page 122.
  • Page 58: User Lockout

    A lock-out for a specific user can be administratively cleared using the admin user x clear-lockout.
  • Page 59: Encryption

    3DES is a more secure version of the DES protocol. 802.1x Network Access Control The Alcatel-Lucent OS supports network access control of client devices (PCs, STBs, etc.) on an Ethernet network using the IEEE 802.1x standard. 802.1x is known as Extensible Authentication Protocol (EAP) over a LAN network or EAPOL.
  • Page 60: Packet Formats

    The default value is 0. • K-Bit: 1 bit This bit is reserved for future enhancement. Its value MUST be equal to zero. • Alg ID: 6 bits The Alg ID field identifies the MAC algorithm.
  • Page 61 Authentication Data Field can be derived from the Alg ID. • The Authentication for TCP-based Routing and Management Protocols draft provides an overview of the TCP Enhanced Authentication Option. The details of this feature are described in draft-bonica-tcp-auth-04.txt.
  • Page 62: Keychain

    Shared secret to use with key[i]. config>system>security>keychain>direction>uni>receive>entry with shared secret parameter config>system>security>keychain>direction>uni>send>entry with shared secret parameter config>system>security>keychain>direction>bi>entry with shared secret parameter
  • Page 63: Table 7: Security Algorithm Support Per Protocol

    CLI command to set them. Table 7: Security Algorithm Support Per Protocol Protocol Clear Text HMAC- HMAC- HMAC- HMAC- AES-128- SHA-1-96 SHA-1 SHA-256 CMAC-96 OSPF IS-IS RSVP
  • Page 64: Configuration Notes

    If a RADIUS or a TACACS+ server is not configured, then password, profiles, and user access information must be configured on each router in the domain. • If a RADIUS authorization is enabled, then VSAs must be configured on the RADIUS server.
  • Page 65: Configuring Security With Cli

    Enabling TACACS+ Authentication on page 92 − Configuring TACACS+ Authorization on page 93 − Configuring TACACS+ Accounting on page 94 → Configuring 802.1x RADIUS Policies on page 90 → Configuring Login Controls on page 96
  • Page 66: Setting Up Security Attributes

    TACACS+ authentication To implement only TACACS+ authentication, perform the following tasks on each participating router: → Configuring Profiles on page 80 → Configuring Users on page 81 → Enabling TACACS+ Authentication on page 92
  • Page 67: Configuring Authorization

    Configuring RADIUS Authentication on page 87 → Configuring Profiles on page 80 • TACACS+ authorization (only) For TACACS+ authorization (without authentication), configure these tasks on each participating router: → Configuring TACACS+ Authorization on page 93
  • Page 68 Configuring Authorization • TACACS+ authorization For TACACS+ authorization (with authentication), configure these tasks on each participating router: → Enabling TACACS+ Authentication on page 92 → Configuring TACACS+ Authorization on page 93
  • Page 69: Configuring Accounting

    Local accounting is not implemented. For information about configuring accounting policies, refer to Configuring Logging with CLI on page 419. • Configuring RADIUS Accounting on page 89 • Configuring TACACS+ Accounting on page 94
  • Page 70: Security Configurations

    Management access filters and CPM filters • Profiles • User access parameters • Password management parameters • Enable RADIUS and/or TACACS+ → One to five RADIUS and/or TACACS+ servers → RADIUS and/or TACACS+ parameters
  • Page 71: Configuration Tasks

    TACACS+ server. Accounting can be performed on a RADIUS or TACACS+ server. Table 8: Security Configuration Requirements Authentication Authorization Accounting Local Local None RADIUS Local and RADIUS RADIUS TACACS+ Local TACACS+
  • Page 72: Security Configuration Procedures

    Use the following CLI commands to configure a management access filter. This example only accepts packets matching the criteria specified in entries 1 and 2. Non-matching packets are denied. CLI Syntax: config>system security management-access-filter [no] ip-filter default-action {permit|deny|deny-host-unreachable} renum old-entry-number new-entry-number [no] shutdown
  • Page 73 10 description "Accept SSH from mgmnt subnet" src-ip 192.168.5.0/26 protocol tcp dst-port 22 65535 action permit exit exit ipv6-filter default-action permit entry 10 src-ip 3FFE::1:1/128 next-header rsvp action deny exit
  • Page 74 Configuring Management Access Filters exit mac-filter default-action permit entry 12 match frame-type ethernet_II svc-id 1 src-mac 00:01:01:01:01:01 ff:ff:ff:ff:ff:ff exit action permit exit exit ---------------------------------------------- *A:Dut-C>config>system>security>mgmt-access-filter#
  • Page 75: Configuring Ip Cpm Filters Policy

    192.100.2.0/24 exit exit exit mac-filter shutdown entry 40 create action accept log 101 match frame-type ethernet_II svc-id 12 dst-mac 00:03:03:03:01:01 ff:ff:ff:ff:ff:ff etype 0x8902 cfm-opcode gt 100 exit exit exit *A:Dut-C>config>sys>security>cpm-filter#
  • Page 76: Configuring Mac Cpm Filters

    ---------------------------------------------- entry 10 create description "MAC-CPM-Filter 10.10.10.100 #007" match exit log 101 action drop exit entry 20 create description "MAC-CPM-Filter 10.10.10.100 #008" match exit log 101 action drop exit no shutdown ---------------------------------------------- *A:ALA-49>config>sys>sec>cpm>mac-filter#
  • Page 77: Configuring Cpm Queues

    5 mbs 5 rate 5 cir 5 exit queue 103 create cbs 5 mbs 5 rate 5 cir 5 exit queue 104 create cbs 5 mbs 5 rate 5 cir 5 ---------------------------------------------- A:ALA-987>config>sys>security>cpm-queue#
  • Page 78: Ipsec Certificates Parameters

    "Root CA" cert-file "R1-0cert.der" crl-file "R1-0crl.der" no shutdown exit ---------------------------------------------- *A:SR-7/Dut-A>config>system>security>pki# The following displays an example of an ike-policy with cert-auth output: :SR-7/Dut-A>config>ipsec>ike-policy# info ---------------------------------------------- ike-version 2 auth-method cert-auth own-auth-method psk ----------------------------------------------
  • Page 79 "Sanity-1" create security-policy 1 local-gateway-address 30.1.1.13 peer 50.1.1.15 delivery-service 300 dynamic-keying ike-policy 1 pre-shared-key "Sanity-1" transform 1 cert trust-anchor "R1-0" cert "M2cert.der" key "M2key.der" exit exit no shutdown exit exit exit
  • Page 80: Configuring Profiles

    The following example displays a user profile output: A:ALA-1>config>system>security# info ---------------------------------------------- profile "ghost" default-action permit-all entry 1 match "configure" action permit exit entry 2 match "show" exit entry 3 match "exit" exit exit ---------------------------------------------- A:ALA-1>config>system>security#
  • Page 81: Configuring Users

    The following displays a user configuration example: A:ALA-1>config>system>security# info ---------------------------------------------- user "49ers" password "$2y$10$pFoehOg/tCbBMPDJ/kqpu.8af0AoVGY2xsR7WFqyn5fVTnwRzGmOK" access console ftp snmp restricted-to-home console member "default" member "ghost" exit exit -------------------------------------------- A:ALA-1>config>system>security#
  • Page 82: Configuring Keychains

    1 key "ZcvSElJzJx/wBZ9biCtOVQJ9YZQvVU.S" hash2 algorithm aes-128-cmac-96 begin-time 2006/12/18 22:55:20 exit exit exit exit keychain "basasd" direction receive entry 1 key "Ee7xdKlYO2DOm7v3IJv/84LIu96R2fZh" hash2 algorithm aes-128-cmac-96 tolerance forever exit exit exit exit exit ---------------------------------------------- A:ALA-1>config>system>security#
  • Page 83: Copying And Overwriting Users And Profiles

    "testgroup" exit exit user "testuserA" password "" access snmp console new-password-at-login exit snmp authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none group "testgroup" exit exit ---------------------------------------------- A:ALA-12>config>system>security# info
  • Page 84 "testgroup" exit ---------------------------------------------- A:ALA-12>config>system>security>user# exit A:ALA-12>config>system>security# user testuserA A:ALA-12>config>system>security>user# info ---------------------------------------------- password "" access snmp console new-password-at-login exit snmp authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none group "testgroup" exit ---------------------------------------------- A:ALA-12>config>system>security>user#
  • Page 85: Profile

    50 no description match "password" action permit exit entry 60 no description match "show config" action deny exit entry 70 no description match "show" action permit exit entry 80 no description match "enable-admin"
  • Page 86 "show config" action deny exit entry 70 no description match "show" action permit exit entry 80 no description match "enable-admin" action permit exit exit profile "administrative" default-action permit-all exit ---------------------------------------------- A:ALA-12>config>system>security#
  • Page 87: Radius Configurations

    Also, the system IP address must be configured in order for the RADIUS client to work. See Configuring a System Interface of the 7450 ESS Router Configuration Guide. The other commands are optional. The server command adds a RADIUS server and configures the RADIUS server’s IP address, index, and key values.
  • Page 88: Configuring Radius Authorization

    5 timeout 5 server 1 address 10.10.10.103 secret "test1" server 2 address 10.10.0.1 secret "test2" server 3 address 10.10.0.2 secret "test3" server 4 address 10.10.0.3 secret "test4" exit ---------------------------------------------- A:ALA-1>config>system>security#
  • Page 89: Configuring Radius Accounting

    5 timeout 5 server 1 address 10.10.10.103 secret "test1" server 2 address 10.10.0.1 secret "test2" server 3 address 10.10.0.2 secret "test3" server 4 address 10.10.0.3 secret "test4" exit ---------------------------------------------- A:ALA-1>config>system>security#
  • Page 90: Configuring 802.1X Radius Policies

    Configuring 802.1x RADIUS Policies Use the following CLI commands to configure generic authentication parameters for clients using 802.1x EAPOL. Additional parameters are configured per Ethernet port. Refer to the 7450 ESS Interface Configuration Guide. To configure generic parameters for 802.1x authentication, enter the following CLI syntax.
  • Page 91: Configuring Cpu Protection Policies

    Security Configuring CPU Protection Policies The CPU protection features are supported on the 7450 ESS-6/7/12 platforms. These features are not available on the 7450 ESS-1. For more information about CPU protection, see “CPU Protection” and “Monitoring Attacks on the 7750 SR” sections in SR OS Security Best Practices.
  • Page 92: Tacacs+ Configurations

    5 server 1 address 10.10.0.5 secret "test1" server 2 address 10.10.0.6 secret "test2" server 3 address 10.10.0.7 secret "test3" server 4 address 10.10.0.8 secret "test4" server 5 address 10.10.0.9 secret "test5" ---------------------------------------------- A:ALA-1>config>system>security>tacplus#
  • Page 93: Configuring Tacacs+ Authorization

    5 server 1 address 10.10.0.5 secret "test1" server 2 address 10.10.0.6 secret "test2" server 3 address 10.10.0.7 secret "test3" server 4 address 10.10.0.8 secret "test4" server 5 address 10.10.0.9 secret "test5" ---------------------------------------------- A:ALA-1>config>system>security>tacplus#
  • Page 94: Configuring Tacacs+ Accounting

    5 server 1 address 10.10.0.5 secret "test1" server 2 address 10.10.0.6 secret "test2" server 3 address 10.10.0.7 secret "test3" server 4 address 10.10.0.8 secret "test4" server 5 address 10.10.0.9 secret "test5" ---------------------------------------------- A:ALA-1>config>system>security>tacplus#
  • Page 95: Enabling Ssh

    SSH is disabled or enabled. CLI Syntax: config>system>security preserve-key no server-shutdown version ssh-version The following displays a SSH server configuration as both SSH and SSH2 using a host-key: A:sim1>config>system>security>ssh# info ---------------------------------------------- preserve-key version 1-2 ---------------------------------------------- A:sim1>config>system>security>ssh#
  • Page 96: Configuring Login Controls

    7 outbound-max-sessions 2 exit idle-timeout 1440 pre-login-message "Property of Service Routing Inc. Unauthorized access prohibited." motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM" exit no exponential-backoff ---------------------------------------------- A:ALA-1>config>system#
  • Page 97: Security Command Reference

    TTL Security Commands on page 110 • Login Control Commands on page 111 • Show Commands on page 112 • Clear Commands on page 113 • Debug Commands on page 113 • Tools Commands on page 113
  • Page 98: Security Commands

    — no message-fast-tx-init — notification-interval time — no notification-interval — reinit-delay time — no reinit-delay — tx-credit-max count — no tx-credit-max — tx-hold-multiplier multiplier — no tx-hold-multiplier — tx-interval interval — no tx-interval Page 98 7450 ESS System Mangement Guide...
  • Page 99 — no etype — snap-oui {zero | non-zero} — snap-pid snap-pid — no snap-pid — src-mac ieee-address [ieee-address-mask] — no src-mac — ssap ssap-value [ssap-mask] — no ssap — svc-id service-id — no svc-id 7450 ESS System Mangement Guide Page 99...
  • Page 100 — no icmp-type — ip-option [ip-option-value] [ip-option-mask] — no ip-option — multiple-option {true | false} — no multiple-option — option-present {true | false} — no option-present — port port-number — port -list port-list-name Page 100 7450 ESS System Mangement Guide...
  • Page 101 — etype 0x0600..0xfff — no etype — src-mac ieee-address [ieee-address-mask] — no src-mac — ssap ssap-value [ssap-mask] — no ssap — svc-id service-id — no svc-id — renum old-entry-number new-entry-number — [no] shutdown 7450 ESS System Mangement Guide Page 101...
  • Page 102 Command Hierarchies CPM Queue Commands config — system — security — [no] cpm-queue — [no] queue queue-id — — no — — no — rate rate [cir cir] — no rate Page 102 7450 ESS System Mangement Guide...
  • Page 103 CPU protection policies. Examples of entities that can have CPU protection policies applied to them include: configure>router>interface>cpu-protection policy-id configure>service>epipe>sap>cpu-protection policy-id [mac-monitoring]|[eth-cfm-monitoring [aggregate][car]] configure>service>epipe>spoke-sdp>cpu-protection policy-id [mac-monitoring]|[eth-cfm-monitoring [aggregate][car]] configure>service>ies>interface>cpu-protection policy-id configure>service>ies>interfac>sap>cpu-protection policy-id [mac-monitoring]|[eth-cfm-monitoring [aggregate][car]] configure>service>template>vpls-sap-template>cpu-protection policy-id [mac-monitoring]|[eth-cfm-monitoring [aggregate][car]] configure>service>vpls>sap>cpu-protection policy-id [mac-monitoring]|[eth-cfm-monitoring [aggregate][car]]
  • Page 104 — no static-policer policer-name — description description-string — no description — detection-time seconds — no detection-time — exceed-action {discard [hold-down seconds] | low-priority [hold-down seconds] | none} — log-events [verbose] — no log-events
  • Page 105 — health-check [interval interval] — no health-check — history size — no history — minimum-age [days days] [hrs hours] [min minutes] [sec seconds] — no minimum-age — minimum-change distance — no minimum-change
  • Page 106 — security — [no] profile user-profile-name —Profile Commands — default-action {deny-all | permit-all | none} — [no] entry entry-id — action {deny | permit} — description description-string — no description — security command-string
  • Page 107 Security — no security — renum old-entry-number new-entry-number
  • Page 108: Radius Commands

    — [no] authorization [use-priv-lvl] — [no] interactive-authentication — [no] priv-lvl-map — priv-lvl priv-lvl user-profile-name — no priv-lvl priv-lvl — server server-index address ip-address secret key [hash | hash2] [port port] — no server server-index
  • Page 109: User Commands

    [directory][directory/directory..] — no home-directory — profile user-profile-name — no profile — [no] restricted-to-home Dot1x Commands config — system — security — dot1x —Dot1x Commands — radius-plcy name — retry count — no retry
  • Page 110 — option {basic | isis-enhanced} — [no] shutdown — tcp-option-number — receive option-number — send option-number TTL Security Commands config — router — ldp — peer-parameters — peer — ttl-security min-ttl-value config
  • Page 111: Login Control Commands

    [name] — no pre-login-message — — disable-graceful-shutdown — inbound-max-sessions — outbound-max-sessions — ttl-security — telnet — enable-graceful-shutdown — inbound-max-sessions value — no inbound-max-sessions — outbound-max-sessions value — no outbound-max-sessions — ttl-security
  • Page 112: Show Commands

    [view-name] [detail] — certificate — ca-profile — ca-profile name [association] — ocsp-cache [entry-id] — statistics show — card — fp — dist-cpu-protection show — service — id — sap — dist-cpu-protection [detail]
  • Page 113: Login Control

    {sap|interface} card slot-number [fp fp-number] — violators local-monitor {sap|interface} card slot-number [fp fp-number] — perform — security — dist-cpu-protection — release-hold-down interface interface-name [protocol protocol] [static-policer name] — release-hold-down sap sap-id [protocol protocol] [static-policer name]
  • Page 114 Command Hierarchies
  • Page 115 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes. shutdown Syntax [no] shutdown Context config>system>security>mgmt-access-filter>ip-filter config>sys>sec>cpm>ip-filter config>system>security>keychain>direction>bi>entry config>system>security>keychain>direction>uni>receive>entry
  • Page 116 However, because it is the same password and the hash key is limited to the password/key, even the casual observer will notice that it is the same key.
  • Page 117 SR/ESS or IP address specified in this command. If the IP address is removed, then the port-based 1588 hardware timestamping assist function will only be applied to PTP packets matching the IPv4 address of the router interface. application
  • Page 118 Telnet servers in networks limit a Telnet client to three retries to log in. The Telnet server disconnects the Telnet client session after three retries. The no form of the command disables Telnet servers running on the system.
  • Page 119 This command configures the number of LLDPDUs to send during the fast transmission period. Parameters count — Specifies the number of LLDPDUs to send during the fast transmission period. Values 1 — 8 Default
  • Page 120 1 — 10 Default tx-credit-max Syntax tx-credit-max count no tx-credit-max Context config>system>lldp Description This command configures the maximum consecutive LLDPDUs transmitted. Parameters count — Specifies the maximum consecutive LLDPDUs transmitted. Values 1 — 100 Default
  • Page 121 2 — 10 Default tx-interval Syntax tx-interval interval no tx-interval Context config>system>lldp Description This command configures the LLDP transmit interval time. Parameters interval — Specifies the LLDP transmit interval time. Values 1 — 100 Default
  • Page 122 — The idle timeout in minutes. Allowed values are 1 to 1440. 0 implies the sessions never time out. Values 1 — 1440 disable — When the disable option is specified, a session will never time out. To re-enable idle timeout, enter the command without the disable option.
  • Page 123 This command enables or disables the display of a login banner. The login banner contains the SR OS copyright and build date information for a console login attempt. The no form of the command causes only the configured pre-login-message and a generic login prompt to display.
  • Page 124 The local serial port cannot be disabled. The no form of the command reverts to the default value. Default Parameters value — The maximum number of concurrent outbound Telnet sessions, expressed as an integer. Values 0 — 15
  • Page 125 This command enables configuration of the list of allowed ciphers by the SSH client. Parameters version — Specifies the SSH version. Values 1 — Specifies that the SSH server will only accept connections from clients that support SSH protocol version 1
  • Page 126 Server ciphers: 3des-cbc, blowfish-cbc, cast128-cbc, arcfour, aes128-cbc, aes192-cbc, aes256-cbc, rijndael-cbc, aes128-ctr, aes192-ctr, aes256-ctr The following default ciphers are used for SSHv2: Cipher index value Cipher name aes256-ctr aes192-ctr aes128-ctr aes128-cbc 3des-cbc blowfish-cbc
  • Page 127 This command enables configuration of the list of allowed ciphers by the SSH server. Parameters version — Specifies the SSH version. Values 1 — Specifies that the SSH server will only accept connections from clients that support SSH protocol version 1
  • Page 128 SSH protocol version 1, or SSH protocol version 2 or both. telnet Syntax telnet Context config>system>login-control Description This command creates the context to configure the Telnet login control parameters. enable-graceful-shutdown Syntax [no] enable-graceful-shutdown
  • Page 129 Security Context config>system>login-control>telnet Description This command enables graceful shutdown of telnet sessions. The no form of the command disables graceful shutdown of telnet sessions.
  • Page 130 This command creates the action associated with the management access filter match criteria entry. The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previously configured actions.
  • Page 131 This command configures a source TCP or UDP port number or port range for a management access filter match criterion. The no form of the command removes the source port match criterion. Default No dst-port match criterion.
  • Page 132 This allows users to insert a new entry in an existing policy without having to renumber the existing entries. Values 1 — 9999 Syntax [no] log
  • Page 133 The no form of this command deletes the specified port match criterion. Default no port Parameters port-number — A source or destination port to be used as a match criterion specified as a decimal integer. Values 1 -65535
  • Page 134 The exits on the first match found and executes the actions in accordance with the accompanying action command. This may require some entries to be re-numbered differently from most to least explicit. Parameters old-entry-number — Enter the entry number of the existing entry. Values 1 — 9999
  • Page 135 (less than lt, greater than gt, or equal to eq) operator. If no range with a start and an end or operator (lt, gt, eq) followed by an opcode with the value between 0 and 255 is defined then the command is invalid.
  • Page 136: Table 9: Opcode Values

    Defined by ITU-T Y.1731 32 - 63 Defined by IEEE 802.1. 64 - 255 Default no cfm-opcode Parameters opcode — Specifies the opcode checking to be performed. start — specifies the start number.
  • Page 137 — The 8-bit dsap match criteria value in hexadecimal. Values 0x00 — 0xFF (hex) mask — This is optional and may be used when specifying a range of dsap values to use as the match criteria.
  • Page 138 — The MAC address to be used as a match criterion. Values HH:HH:HH:HH:HH:HH or HH-HH-HH-HH-HH-HH where H is a hexadecimal digit mask — A 48-bit mask to match a range of MAC address values.
  • Page 139 — Specifies to match packets with the three-byte OUI field in the SNAP-ID not set to zero. snap-pid Syntax snap-pid snap-pid no snap-pid Context config>system>security>mgmt-access-filter>mac-filter>entry>match Description This command configures an IEEE 802.3 LLC SNAP Ethernet Frame PID value to be used as a MAC
  • Page 140 To configure so that all packets with a source MAC OUI value of 00-03-FA are subject to a match condition then the entry should be specified as: 003FA000000 0xFFFFFF000000 Default 0xFFFFFFFFFFFF (exact match) Values 0x00000000000000 — 0xFFFFFFFFFFFF
  • Page 141 {port-id | cpm | lag port-id} no src-port Context config>system>security>mgmt-access-filter>ip-filter>entry config>system>security>mgmt-access-filter>ipv6-filter>entry Description CPMCCM This command restricts ingress management traffic to either the Ethernet port or any other logical port (for example LAG) on the device.
  • Page 142 — Specifies the subnet mask length expressed as a decimal integer. Values 1 — 32 (mask length), 0.0.0.0 — 255.255.255.255 (dotted decimal)
  • Page 143: Password Commands

    — Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted
  • Page 144 Telnet 10.20.30.93 09AUG2006 08:35:23 0d 00:00:00 A ------------------------------------------------------------------------------- Number of users : 2 'A' indicates user is in admin mode =============================================================================== A:ALA-1# A:ALA-1# enable-admin MINOR: CLI Already in admin mode. A:ALA-1# aging Syntax aging days no aging Context config>system>security>password
  • Page 145 When the user exceeds the attempted count times in the specified time, then that user is locked out from any further login attempts for the configured time period. Default Values 0 — 1440 Values infinite; user is locked out and must wait until manually unlocked before any further attempts.
  • Page 146 If the local keyword is the first authentication and:
  • Page 147 The no form of the command resets to default. Default no credits Parameters credits — The number of credits that can be used for each character class. Values 0-10 minimum-classes Syntax minimum-classes minimum no minimum-classes
  • Page 148 The number of times a character can be repeated consecutively. The no form of the command resets to default. Default no repeated-characters Parameters count — The minimum count of consecutively repeated characters. Values
  • Page 149 — Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed. enable-admin-control Syntax enable-admin-control Context config>system>security>password Description Enable the user to become a system administrator. tacplus-map-to-priv-lvl Syntax tacplus-map-to-priv-lvl [admin-priv-lvl]
  • Page 150 Context config>system>security>password Description Configure how many previous passwords a new password is matched against. Default no history Parameters size — Specifies how many previous passwords a new password is matched against. Values 1—20
  • Page 151 — Specifies how many characters must be different in the new password from the old password. Values 2—20 password Syntax password Context config>system>security Description This command creates the context to configure password management parameters.
  • Page 152 — Keyword used to create a new ca-profile. The create keyword requirement can be enabled/ disabled in the environment>create context. cert-file Syntax cert-file filename no cert-file Context config>system>security>pki>ca-profile Description Specifies the filename of a file in cf3:\system-pki\cert as the CA’s certificate of the ca-profile. Notes:
  • Page 153 This command enables the system to accept both protected and unprotected CMPv2 PKI confirmation messages. Without this command, the system will only accept protected PKI confirmation messages. The no form of the command causes the system to only accept protected PKI confirmation messages.
  • Page 154 — Specifies a printable ASCII string, up to 64 characters in length. Syntax cmp-url url-string [service-id service-id] no cmp-url Context config>system>security>pki>ca-profile>cmp2 Description This command specifies the HTTP URL of the CMPv2 server. The URL must be unique across all configured ca-profiles.
  • Page 155 This command specifies an imported certificate that is used to verify the CMP response messages if they are protected by signature. If this command is not configured, then the CA’s certificate will be used. Default none Parameters filename — Specifies the filename of the imported certificate.
  • Page 156 The no form of the command removes the filename from the configuration. Default none Parameters filename — Specifies the name of CRL file stored in cf3:\system-pki\crl. ocsp Syntax ocsp Context config>system>security>pki>ca-profile Description This command enables the context to configure OCSP parameters.
  • Page 157 VPRN service at the time of CLI configuration. Otherwise the configuration will fail. Parameters service-id — Specifies an existing service ID to be used in the match criteria. Values service-id: 1 — 2147483647 base-router: 0
  • Page 158 • If the system time changes so that the new time causes the certificates to no longer be in the warning window, then BeforeExp is cleared. If the new time causes an expired certificate to become non-expired, then AfterExp is cleared. Default no certificate-expiration-warning
  • Page 159 — Specifies the amount of time before a CRL expires when the system issues BeforeExp. Values 0 — 8760 repeat-hour — Specifies that the system will repeat BeforeExp every repeat-hour. Values 0 — 8760 maximum-cert-chain-depth Syntax maximum-cert-chain-depth level
  • Page 160 This command clears the current OCSP response cache. If optional issuer and serial-number are not specified, then all current cached results are cleared. Parameters entry-id — Specifies the local cache entry identifier of the certificate to clear. Values 1 — 2000
  • Page 161 Values pkcs10, pkcs12, pkcs7-der, pkcs7-pem, pem, der password — Specifies the password to decrypt the input file in case that it is an encrypted PKCS#12 file, up to 99 characters in length. export
  • Page 162 — Specifies the name of the keyfile in cf3:\system-pki\key that is used to generate a certificate request. Values url-string <local-url> - [99 chars max] local-url <cflash-id>/<file-path> cflash-id cf1:|cf2:|cf3: subject-dn — Specifies the distinguished name that is used as the subject in a certificate request, including:
  • Page 163 → PKCS #12 → PKCS #7 PEM encoded → PKCS #7 DER encoded → PEM → DER • Key → PKCS #12 → PEM → DER • CRL → PKCS #7 PEM encoded
  • Page 164 Tunnels currently up are not affected. → If the key does not match the certificate: → If cert and key configuration is used instead of cert-profile then the tunnel will be brought down.
  • Page 165 — Specifies to reload a certificate file and its key file at the same time. file-name — Specifies the file name of imported certificate or key. key-filename — In case of cert-key-pair, filename is the imported filename of certificate, key-filename is the imported key file.
  • Page 166 This command copies a profile or user from a source profile to a destination profile. Parameters source-profile — The profile to copy. The profile must exist. dest-profile — The copied profile is copied to the destination profile.
  • Page 167 — The description character string. Allowed values are any string up to 80 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.
  • Page 168 — The user profile name entered as a character string. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces. renum Syntax renum old-entry-number new-entry-number Context config>system>security>profile user-profile-name
  • Page 169 Parameters old-entry-number — Enter the entry number of an existing entry. Values 1 — 9999 new-entry-number — Enter the new entry number. Values 1 — 9999
  • Page 170 SNMP engine-ID and a password). The password is not directly entered in this command (only the localized key). Default authentication none - No authentication is configured and privacy cannot be configured. Parameters none — Do not use authentication. If none is specified, then privacy cannot be configured.
  • Page 171 — Enter the group name (between 1 and 32 alphanumeric characters) that is associated with this user. A user can be associated with one group-name per security model. cannot-change-password Syntax [no] cannot-change-password
  • Page 172 Syntax home-directory url-prefix [directory] [directory/directory…] no home-directory Context config>system>security>user config>system>security>user-template Description This command configures the local home directory for the user for both console (file commands and '>' redirection) and FTP access.
  • Page 173 — Enter either a local or remote URL, up to 200 characters in length, that identifies the exec file that will be executed after the user successfully logs in. member Syntax member user-profile-name [user-profile-name…] no member user-profile-name
  • Page 174 "$2y$10$pFoehOg/tCbBMPDJ/kqpu.8af0AoVGY2xsR7WFqyn5fVTnwRzGmOK" For example: config>system>security# user testuser1 config>system>security>user$ password "$2y$10$pFoehOg/tCbBMPDJ/kqpu.8af0AoVGY2xsR7WFqyn5fVTnwRzGmOK" config>system>security>user# exit config>system>security# info ------------------------------------- user "testuser1" password "$2y$10$pFoehOg/tCbBMPDJ/kqpu.8af0AoVGY2xsR7WFqyn5fVTnwRzGmOK" exit
  • Page 175 If a home-directory is not configured or the home directory is not available, then the user has no file access. The no form of the command allows the user access to navigate to directories above their home directory. Default no restricted-to-home rsa-key Syntax rsa-key public-key-value key-id rsa-key key-id
  • Page 176 This command creates a local user and a context to edit the user configuration. If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.
  • Page 177 The no form of the command deletes the user and all configuration data. Users cannot delete themselves. Default none Parameters user-name — The name of the user up to 32 characters.
  • Page 178: Radius Client Commands

    Description This command specifies a UDP port number on which to contact the RADIUS server for accounting requests. Parameters port — Specifies the UDP port number. Values 1 — 65535 Default 1813
  • Page 179 Description This command creates the context to configure RADIUS authentication on the router. Implement redundancy by configuring multiple server addresses for each router. The no form of the command removes the RADIUS configuration.
  • Page 180 — Specifies the privilege level used when sending a TACACS+ ENABLE request. Values 0 — 15 user-profile-name — Specifies the user profile for this mapping. server Syntax server index address ip-address secret key [hash | hash2] no server index
  • Page 181 — Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
  • Page 182 VSAs are returned with the auth-accept from the RADIUS server. When enabled, the RADIUS user template is actively applied if no VSAs are returned with the auth-accept from the RADIUS server. The no form of the command disables the command.
  • Page 183 — Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed. port port — Specifies the port ID. Values 0 — 65535
  • Page 184 — Specifies that a TACACS+ start packet is sent whenever the user executes a command. record-type stop-only — Specifies that a stop packet is sent whenever the command execution is complete. authorization Syntax [no] authorization [use-priv-lvl]
  • Page 185 • TACACS+ server ignores the password and replies with TAC_PLUS_AUTHEN_STATUS_GETPASS. • SR OS sends a continue packet with the password in the user_msg field. • TACACS+ server replies with PASS or FAIL.
  • Page 186 The no form of the command administratively enables the protocol which is the default state. Default no shutdown use-default-template Syntax [no] use-default-template Context config>system>security>tacplus Description This command specifies whether or not the user template defined by this entry is to be actively applied to the TACACS+ user.
  • Page 187 This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server. The no form of the command reverts to the default value. Default Parameters count — The retry count. Values 1 — 10
  • Page 188 — The UDP port number on which to contact the RADIUS server for accounting requests. auth-port auth-port — specifies a UDP port number to be used as a match criteria. Values 1 — 65535 type server-type — Specifies the server type. Values authorization, accounting, combined
  • Page 189 The no form of the command reverts to the default value. Default 3 seconds Parameters seconds — The number of seconds the router waits for a response from a RADIUS server, expressed as a decimal integer. Values 1 — 90
  • Page 190 This command specifies the data type that indicates the TCP stream direction to apply the keychain. Default none Syntax Context config>system>security>keychain>direction Description This command configures keys for both send and receive stream directions. Default none Syntax Context config>system>security>keychain>direction
  • Page 191 The no form of the command deletes the entry.
  • Page 192 — Specifies the key is entered in a more complex encrypted form. begin-time Syntax begin-time [date] [hours-minutes] [UTC] [now] [forever] Context config>system>security>keychain>direction>bi>entry config>system>security>keychain>direction>uni>receive>entry config>system>security>keychain>direction>uni>send>entry
  • Page 193 This command configures the amount of time that an eligible receive key should overlap with the active send key or to never expire. Parameters seconds — Specifies the duration that an eligible receive key overlaps with the active send key.
  • Page 194 This command configures the TCP option number accepted in TCP packets received. Default Parameters option-number — Specifies an enumerated integer that indicates the TCP option number to be used in the TCP header. Values 253, 254, 253&254
  • Page 195 This command configures the TCP option number accepted in TCP packets sent. Default Parameters option-number — Specifies an enumerated integer that indicates the TCP option number to be used in the TCP header. Values 253, 254
  • Page 196 Context config>system>security>cli-script>authorization Description This command enables the context to configure authorization for the VSD server. The no form of the command removes all authorizations for the VSD server. event-handler Syntax event-handler Context config>system>security>cli-script>authorization
  • Page 197 Parameters user-name — The name of a user in the local node database. TACACS+ or RADIUS users cannot be used. The user configuration should reference a valid local profile for authorization.
  • Page 198 — Specifies that packets matching the filter entry are dropped. ip-filter Syntax [no] ip-filter Context config>system>security>cpm-filter Description This command enables the context to configure CPM IP filter parameters. Default shutdown Description mac-filter Syntax [no] mac-filter
  • Page 199 If more than one match criteria (within one match statement) are configured then all criteria must be satisfied (AND function) before the action associated with the match is executed.
  • Page 200: Table 10: Ip Protocol Names

    Reservation Protocol General Routing Encapsulation ipv6-icmp ICMP for IPv6 ipv6-no-nxt No Next Header for IPv6 ipv6-opts Destination Options for IPv6 iso-ip ISO Internet Protocol eigrp EIGRP ospf-igp OSPFIGP ether-ip Ethernet-within-IP Encapsulation encap Encapsulation Header
  • Page 201 This command configures a destination IP address range to be used as an IP filter match criterion. To match on the destination IP address, specify the address and its associated mask, for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used.
  • Page 202 — Specifies the port list name to be used as a match criteria for the destination port. mask — Specifies the 16 bit mask to be applied when matching the destination port. Values [0x0000..0xFFFF] | [0..65535] | [0b0000000000000000..0b1111111111111111] fragment Syntax fragment {true | false} no fragment
  • Page 203 The no form of the command removes the criterion from the match entry. Default no icmp-code - no match criterion for the ICMP code. Parameters icmp-code — Specifies the ICMP code values that must be present to match. Values 0 — 255
  • Page 204 Thus to match on IP packets that contain the Router Alert option (option number =20), enter the option type of 148 (10010100). Values 0 — 255 ip-option-mask — Specifies a range of option numbers to use as the match criteria.
  • Page 205 IP header as an IP filter match criterion. The no form of the command removes the checking of the option field in the IP header as a match criterion.
  • Page 206 — A string of up to 32 characters of printable ASCII characters. If special characters are used, the string must be enclosed within double quotes. Description src-port Syntax src-port src-port-number [mask]
  • Page 207 IP or IPv6 packet as an IP filter match criterion. Note that an entry containing Layer 4 match criteria will not match non-initial (2nd, 3rd, etc) fragments of a fragmented packet since only the first fragment contains the Layer 4 information.
  • Page 208 — Enter the new entry-number to be assigned to the old entry. Values 1 — 2048 shutdown Syntax shutdown Context config>sys>sec>cpm>ip-filter config>sys>sec>cpm>ipv6-filter config>sys>sec>cpm>mac-filter Description This command enables the IP(v4) or MAC CPM filter. The no form of this command disables the filter. Default shutdown
  • Page 209 — Specifies the committed burst size in kbytes. Syntax mbs mbs no mbs Context config>system>security>cpm-queue>queue Description This command specifies the maximum queue depth to which a queue can grow. Parameters mbs — Specifies the maximum burst size in kbytes.
  • Page 210 This command specifies the maximum bandwidth that will be made available to the queue in kilobits per second (kbps). Parameters rate — Specifies the administrative Peak Information Rate (PIR) for the queue. cir cir — Specifies the amount of bandwidth committed to the queue.
  • Page 211 The no form of the command disables TTL security. Default no ttl-security Parameters min-ttl-value — Specifies the minimum TTL value for an incoming LDP packet. Values 1 — 255 ttl-security Syntax ttl-security min-ttl-value
  • Page 212 TTL protection to operate. The no form of the command disables TTL security. Parameters min-ttl-value — Specifies the minimum TTL value for an incoming BGP packet. Values 1 — 255
  • Page 213 (note this is different than the other protocols) Syntax [no] gtp Context config>sys>security>cpu-protection>ip>included-protocols Description Include extracted IPv4 GTP packets for ip-src-monitoring. IPv4 GTP packets will be subject to the per-source-rate of cpu protection policies. Default no gtp
  • Page 214 — Specifies a packet arrival rate limit, in packets per second, for link level protocols. Values 1 — 65535, max (no limit) Default 15000 policy Syntax policy cpu-protection-policy-id [create] no policy cpu-protection-policy-id Context config>sys>security>cpu-protection
  • Page 215 This command enables the generation of an event when a rate is exceeded. The event includes information about the offending source. Only one event is generated per monitor period. The no form of the command disables the notifications. Default no alarm eth-cfm Syntax eth-cfm no eth-cfm Context config>sys>security>cpu-protection>policy
  • Page 216 The no form of the command sets the out-profile-rate parameter back to the default value. Default 3000 for cpu-protection-policy-id 1-253 6000 for cpu-protection-policy-id 254 (default access interface policy) 3000 for cpu-protection-policy-id 255 (default network interface policy)
  • Page 217 The ip-src-monitoring is useful in subscriber management architectures that have routers between the subscriber and the BNG (router). In layer-3 aggregation scenarios, all packets from all subscribers
  • Page 218 (for example, MPLS or GRE) on a network interface. With protocol-protection enabled and tunneled pim blocked, PIM in an mVPN on the egress DR will not switch traffic from the (*,G) to the (S,G) tree.
  • Page 219 The no form of the command reverts to the default values. Default cpu-protection 254 (for access interfaces) cpu-protection 255 (for network interfaces) The configuration of no cpu-protection returns the msap-policy to the default policies as shown above.
  • Page 220 MAC address and as such the mac-monitoring functionality cannot differentiate traffic from different subscribers. eth-cfm-monitoring — Enables the Ethernet Connectivity Fault Management cpu-protection extensions on the associated SAP/SDP/template.
  • Page 221 — Enables the Ethernet Connectivity Fault Management cpu-protection extensions on the associated SAP/SDP/template. aggregate — Applies the rate limit to the sum of the per-peer packet rates. car — (Committed Access Rate) Ignores Eth-CFM packets when enforcing overall-rate.
  • Page 222 The actual (operational) parameters can be seen in CLI, for example, “show service id 33 sap 1/1/3:33 dist-cpu-protection detail”.
  • Page 223 (that is, the countdown timer starts again at the configured value). During the hold-down (and the detection-time), the policer is considered as in an “exceed” state. Default Parameters seconds — Specifies in seconds. Values 1..128000
  • Page 224 - the policer state to be updated as normal - all packets to be marked (if the action is “low-priority”) or dropped (action = discard) regardless of the results of the policing decisions/actions/state.
  • Page 225 Parameters verbose — (optional) Sends the same events as just “log-events” plus Hold Down Start and Hold Down End events. The optional “verbose” includes some events that are more likely used during debug/tuning/investigations.
  • Page 226 Control packets that are both forwarded (which means they could be subject to normal QoS policy policing) and also copied for extraction are not subject to distributed cpu protection (including in the all-unspecified bucket). This includes traffic snooping (for example, PIM in VPLS) as well as con-
  • Page 227 Default none Parameters names — Signifies protocol name. Values arp|dhcp|http-redirect|icmp|igmp|mld|ndis|pppoe-pppoa|all-unspecified|mpls-ttl|bfd-cpm|bgp|eth-cfm|isis|ldp|ospf|pim|rsvp. enforcement Syntax enforcement {static policer-name | dynamic {mon-policer-name | local-mon-bypass}} Context config>system>security>dist-cpu-protection>policy>protocols
  • Page 228 Syntax [no] log-events [verbose] Context config>system>security>dist-cpu-protection>policy>protocols>dynamic-parameters Description This command controls the creation of log events related to dynamic enforcement policer status & activity Default log-events - send the Exceed (Excd) and Conform events
  • Page 229 Multiple protocols can use the same static-policer. Parameters policy-name — Specifies the name of the policy. Values [32 chars max]
  • Page 230 Distributed CPU Protection Commands
  • Page 231: Table 11: Show System Security Access Group Output Fields

    ------------------------------------------------------------------------------- snmp-ro snmpv1 none no-security no-security snmp-ro snmpv2c none no-security no-security snmp-rw snmpv1 none no-security no-security no-security snmp-rw snmpv2c none no-security no-security no-security snmp-rwa snmpv1 none snmp-rwa snmpv2c none
  • Page 232: Table 12: Show System Security Authentication Output Fields

    Accepted logins: The number of times the user has successfully logged in. Rejected logins: The number of unsuccessful login attempts. Sent packets: The number of packets sent. Rejected packets: The number of packets rejected.
  • Page 233 10.10.10.103 10.10.0.1 10.10.0.2 10.10.0.3 local =============================================================================== Authorization Statistics (TACACS+) =============================================================================== server address connection errors sent packets rejected packets ------------------------------------------------------------------------------- =============================================================================== Accounting Statistics =============================================================================== server address connection errors sent packets rejected packets ------------------------------------------------------------------------------- 10.10.10.103
  • Page 234 =============================================================================== server address conn sent rejected errors pkts pkts ------------------------------------------------------------------------------- ============================================================================== communities Syntax communities Context show>system>security Description This command displays SNMP communities. Output Communities Output — The following table describes community output fields.
  • Page 235: Table 13: Show Communities Output Fields

    ----------------------------------------------------------------------------- cli-readonly cli-readonly cli-readwrite cli-readwrite public no-security v1 v2c snmp-ro ----------------------------------------------------------------------------- No. of Communities: 3 ============================================================================= A:ALA-48# cpm-filter Syntax cpm-filter Context show>system>security Description This command displays CPM filters.
  • Page 236: Table 14: Show CPM IP Filter Output Fields

    TCP-ack: Displays the ACK flag in the TCP header. Match action: When the criteria matches, displays drop or forward packet. Next Hop: In case match action is forward, indicates destination of the matched packet.
  • Page 237 ICMP Type : Undefined ICMP Code : Undefined Fragment : True Option-present : Off IP-Option : 130/255 Multiple Option : True TCP-syn : Off TCP-ack : True Match action : Drop =============================================================================== A:ALA-35#
  • Page 238: Table 15: Show CPM IPv6 Filter Output Fields

    Displays the maximum queue depth to which a queue can grow. Sample Output A:ALA-35# show system security cpm-queue 1001 =============================================================================== CPM Queue Entry =============================================================================== Queue Id : 1001 ------------------------------------------------------------------------------- Queue Parameters : ------------------------------------------------------------------------------- : 10000000 : 1000000 : 4096 : 8192 =============================================================================== A:ALA-35#
  • Page 239 61234 90:90:90:90:90:90 03/21/2009 23:33:09 03/21/2009 23:35:59 4000000023 61234 91:91:91:91:91:91 03/21/2009 23:33:19 03/21/2009 23:36:19 4000000024 61234 92:92:92:92:92:92 03/21/2009 23:33:29 03/21/2009 23:36:39 4000000025 Aggregated 03/21/2009 23:33:39 03/21/2009 23:36:59 4000000026 94:94:94:94:94:94 03/21/2009 23:33:49 03/21/2009 23:37:19 4000000027
  • Page 240 00:00:00:00:00:01 03/22/2009 00:41:59 03/22/2009 01:53:39 3000000043 00:00:00:00:00:02 03/22/2009 00:43:39 03/22/2009 01:56:59 3000000044 00:00:00:00:00:03 03/22/2009 00:45:19 03/22/2009 02:00:19 3000000045 00:00:00:00:00:04 03/22/2009 00:46:59 03/22/2009 02:03:39 3000000046 00:00:00:00:00:05 03/22/2009 00:48:39 03/22/2009 02:06:59 3000000047 ------------------------------------------------------------------------------- 5 source(s) found ===============================================================================
  • Page 241 Associations for CPU Protection policy 100 =============================================================================== Description : (Not Specified) SAP associations ------------------------------------------------------------------------------- Service Id Type : VPLS SAP 1/1/1 mac-monitoring SAP 1/1/2 eth-cfm-monitoring aggr car SAP 1/1/3 eth-cfm-monitoring SAP 1/1/4 -------------------------------------------------------------------------------
  • Page 242 Associations for CPU Protection policy 255 =============================================================================== Description : Default (Modifiable) CPU-Protection Policy assigned to Network Interfaces SAP associations ------------------------------------------------------------------------------- None SDP associations ------------------------------------------------------------------------------- Service Id Type : VPLS SDP 1:2 SDP 1:4 eth-cfm-monitoring
  • Page 243 SDP 1:3 eth-cfm-monitoring aggr SDP 1:5 mac-monitoring SDP 17407:4123456789 eth-cfm-monitoring car ------------------------------------------------------------------------------- Number of SDP's : 4 Interface associations ------------------------------------------------------------------------------- None Managed SAP associations ------------------------------------------------------------------------------- None Video-Interface associations ------------------------------------------------------------------------------- None =============================================================================== A:bksim130#
  • Page 244 ------------------------------------------------------------------------------- 5 SDP('s) found =============================================================================== =============================================================================== Video clients where the protection policy per-source rate limit is violated =============================================================================== Client IP Address Video-Interface Service-Id Plcy Limit First-Time Last-Time Violation-Periods ------------------------------------------------------------------------------- No clients found ===============================================================================
  • Page 245: Table 16: Show Distributed CPU Protection Output Fields

    Time Dynamic-Policers Allocation Fail Count: Indicates how many times the system attempted to allocate dynamic enforcement policers but could not get enough to fill the request. *A:nodeA# show card 1 fp 1 dist-cpu-protection
  • Page 246: Table 17: Show Distributed CPU Protection Policer Output Fields

    IOM3-XP) and some cards can contain multiple FPs (for example, an IOM2 has two FPs and an XCM can house two FPs via its two XMAs). Policer-State: The state of the policer with the following potential values:
  • Page 247 This counter has the same behavior as the exceed counter in the DCP log events – they are baselined (reset) when the policer transitions to conformant.
  • Page 248 Hold-Down Remain. : none Operational (adapted) rate parameters: Oper. Kbps : 2343 kbps Oper. MBS : 240 kilobytes Oper. Depth : 0 bytes … (snip) *A:nodaA# show service id 33 sap 1/1/3:34 dist-cpu-protection detail
  • Page 249 : none Dyn-Policer Alloc. : False Operational (adapted) rate parameters: unknown ------------------------------------------------------------------------------- dist-cpu-protection Syntax dist-cpu-protection [detail] Context show>router>interface Description This command displays Distributed CPU Protection parameters and status at the router Interface level.
  • Page 250: Table 18: Show Distributed CPU Protection Policer Output Fields

    (e.g. if the associated forwarding plane is operational, or for an interface if there is a physical port configured for the interface, or if the dynamic policers are allocated), otherwise values of 0 kbps, etc. are displayed.
  • Page 251 Dyn-Policer Alloc.: Indicates that a dynamic policer has been instantiated. Sample Output *A:Dut-A# show router interface "test" dist-cpu-protection detail =============================================================================== Interface "test" (Router: Base) =============================================================================== Distributed CPU Protection Policy : dcpuPol ------------------------------------------------------------------------------- Statistics/Policer-State Information
  • Page 252 Detec. Time Remain : 29 seconds Hold-Down Remain. : none Dyn-Policer Alloc. : True Operational (adapted) Rate Parameters: Oper. Kbps : 25 kbps Oper. MBS : 256 bytes Oper. Depth : 284 bytes ------------------------------------------------------------------------------- ===============================================================================
  • Page 253 — Displays violators associated with the port. interface — Displays violators associated with the interface. sap — Displays violators associated with the SAP. video — Displays violators associated with the video entity.
  • Page 254 ------------------------------------------------------------------------------- No SDP's found =============================================================================== =============================================================================== Video clients where the protection policy per-source rate limit is violated =============================================================================== Client IP Address Video-Interface Service-Id Plcy Limit First-Time Last-Time Violation-Periods ------------------------------------------------------------------------------- No clients found ===============================================================================
  • Page 255 : permit Admin Status : enabled (no shutdown) ------------------------------------------------------------------------------- Entry Action : deny FrameType : ethernet_II Svc-Id : Undefined Src Mac : Undefined Dest Mac : Undefined Dot1p : Undefined Ethertype : Disabled
  • Page 256 : 2007/02/15 18:27:57 Begin Time (UTC) : 2007/02/15 17:27:57 End Time : 2007/02/15 18:28:13 End Time (UTC) : 2007/02/15 17:28:13 =============================================================================== Direction : send-receive Algorithm : aes-128-cmac-96 Admin State : Up Valid : Yes
  • Page 257: Table 19: Show Management Access Filter Output Fields

    Entry: The entry ID in a policy or filter table. Description: A text string describing the filter. Src IP: The source IP address used for management access filter match criteria.
  • Page 258: Table 20: Show Password Options Output Fields

    Password Options Output — The following table describes password options output fields. Table 20: Show Password Options Output Fields Label Description Password aging in days: Displays the number of days a user password is valid before the user must change their password.
  • Page 259 Allow passwords containing username: Displays whether the user name is allowed as part of the password. Palindrome allowed: Displays whether palindromes are allowed as part of the password.
  • Page 260: Table 21: Show Per-Peer-Queuing Output Fields

    Per Peer Queuing: Displays the status (enabled or disabled) of CPM hardware queuing per peer. Total Num of Queues: Displays the total number of hardware queues. Num of Queues In: Displays the total number of hardware queues in use.
  • Page 261: Table 22: Show User Profile Output Fields

    Action: Permit all — Commands matching the entry command match criteria are permitted. Deny — Commands not matching the entry command match criteria are not permitted. No. of profiles: The total number of profiles listed.
  • Page 262: Table 23: Show Source Address Output Fields

    Oper status: Up — The source address is operationally up. Down — The source address is operationally down. Sample Output A:SR-7# show system security source-address =============================================================================== Source-Address applications =============================================================================== Application IP address/Interface Name Oper status
  • Page 263 Username: The name of the user. Version: The SSH version number. Server Name: The type of SSH application (CLI, SCP, SFTP or NETCONF). Number of SSH sessions: The total number of SSH sessions.
  • Page 264 DSA Host Key Fingerprint : 88:41:1c:7e:97:64:df:a0:e4:54:c2:cc:3d:dd:c7:70 RSA Host Key Fingerprint : 63:b8:c4:8a:17:b7:1c:95:35:91:c9:08:75:cc:31:a3 ------------------------------------------------------------------------------- Connection Username Version ServerName Status ------------------------------------------------------------------------------- 138.120.214.254 admin netconf connected 138.120.140.148 admin connected ------------------------------------------------------------------------------- Number of SSH sessions : 2 ===============================================================================
  • Page 265 Local conf: Y — Password authentication is based on the local password database. N — Password authentication is not based on the local password database. Home directory: Specifies the local home directory for the user for both console and FTP access.
  • Page 266 =============================================================================== user id need user permissions password attempted failed local new pwd console ftp snmp expires logins logins conf ------------------------------------------------------------------------------- admin never =============================================================================== =============================================================================== User Configuration Detail =============================================================================== user id : admin -------------------------------------------------------------------------------
  • Page 267 =============================================================================== *A:Node234# show system security user lockout =============================================================================== Currently Failed Login Attempts =============================================================================== User ID Remaining Login attempts Remaining Lockout Time (min:sec) ------------------------------------------------------------------------------- jason123 N/A 9:56 ------------------------------------------------------------------------------- Number of users : 1 ===============================================================================
  • Page 268: Table 24: Pass/Fail Login Attempts

    *A:Dut-C# show system security user detail =============================================================================== Users =============================================================================== User ID User Permissions Password Login Failed Local console ftp li snmp Expires Attempts Logins Conf ------------------------------------------------------------------------------- admin never ------------------------------------------------------------------------------- Number of users : 1
  • Page 269: Table 25: Show View Output Fields

    mask: The bit mask that defines a family of view subtrees. permission: Indicates whether each view is included or excluded. No. of Views: Displays the total number of views. Sample Output A:ALA-48# show system security view
  • Page 270 Syntax ca-profile ca-profile name [association] Context show>certificate Description This command shows certificate-authority profile information. Parameters name — Specifies the name of the Certificate Authority (CA) profile. association — Displays associated CA profiles.
  • Page 271 Cache entry expire time Parameters entry-id — Specifies the local cache entry identifier of the certificate that was validated by the OCSP responder. statistics Syntax statistics Context show>certificate Description This command shows certificate related statistics.
  • Page 272: Table 26: Show Users Output Fields

    A:ALA-7# show users =============================================================================== User Type From Login time Idle time =============================================================================== testuser Console 21FEB2007 04:58:55 0d 00:00:00 ------------------------------------------------------------------------------- Number of users : 1 'A' indicates user is in admin mode =============================================================================== A:ALA-7#
  • Page 273 Values 1 — 2048 ipv6-filter Syntax ipv6-filter [entry entry-id] Context clear>cpm-filter Description This command clears IPv6 filter statistics. Parameters entry entry-id — Specifies a particular CPM IP filter entry. Values 1 — 2048
  • Page 274 Login Control mac-filter Syntax mac-filter [entry entry-id] Context clear>cpm-filter Description This command clears MAC filter statistics. Parameters entry entry-id — Specifies a particular CPM MAC filter entry. Values 1 — 2048
  • Page 275 Syntax violators [port][interface][sap] Context clear>cpu-protection Description This command clears the rate limit violator record. Parameters port — Clears entries for ports. interface — Clears entries for interfaces. sap — Clears entries for SAPs.
  • Page 276 33 — 2000 radius-proxy-server Syntax radius-proxy-server server-name statistics Context clear>router Description This command clears RADIUS proxy server data. Parameters server-name — Specifies the proxy server name. statistics — Clears statistics for the specified server.
  • Page 277 This command enables debug output of OCSP protocol for the CA profile. The no form of the command disables the debug output. ca-profile Syntax [no] ca-profile profile-name Context debug>ocsp Description This command enables debug output of a specific CA profile.
  • Page 278 — Indicates to display the violators associated with router interfaces. enforcement — Shows exceed and hold-down for Static and Dynamic Policers. local-monitor — Shows state of dynamic policer allocation for Local Monitoring Policers.
  • Page 279: Table 27: Output Parameters

    Distributed Cpu Protection Current Interface Enforcer Policer Violators =============================================================================== Interface Policer/Protocol Hld Rem ------------------------------------------------------------------------------- ------------------------------------------------------------------------------- Violators on Slot-4 Fp-1 ------------------------------------------------------------------------------- test staticArpPolicer [S] none test icmp [D] none test ospf [D] none ------------------------------------------------------------------------------- [S]-Static [D]-Dynamic [M]-Monitor ------------------------------------------------------------------------------- ===============================================================================
  • Page 280 Syntax clear password-history {user name | all} Context admin>user Description This command is used to clear old passwords used by a specific user, or for all users. Parameters name — Specifies username.
  • Page 281: In This Chapter

    Per-VPRN Logs and SNMP Access on page 287 → Per-SNMP Community Source IP Address Validation on page 287 • Which SNMP Version to Use? on page 288 • Configuration Notes on page 290
  • Page 282: SNMP Overview

    The main branches are defined by the Internet Engineering Task Force (IETF). When requested, the Internet Assigned Numbers Authority (IANA) assigns a unique branch for use by a private organization or company. The branch assigned to Alcatel-Lucent (TiMetra) is 1.3.6.1.4.1.6527.
  • Page 283: SNMP Versions

    View Access Control MIB (VACM) defines the user access control features. The SNMP-COMMUNITY-MIB is used to associate SNMPv1/SNMPv2c community strings with SNMPv3 VACM access control. SNMPv3 uses a username match for authentication.
  • Page 284: Management Information Access Control

    A community string is a text string that acts like a password to permit access to the agent on the router. Alcatel-Lucent’s implementation of SNMP has defined three levels of community-named access: •...
  • Page 285: Access Groups

    • “vprn-view” view—used to limit access to objects associated with a specific VPRN (for example, the Per-VPRN Logs and SNMP Access feature) The Alcatel-Lucent SNMP agent associates SNMPv1 and SNMPv2c community strings with an SNMPv3 view. Access Groups Access groups associate a user group and a security model to the views the group can access.
  • Page 286 CLI management purposes and are not exposed to external SNMP access. Additional access parameters must be explicitly configured if the preconfigured access groups and views for SNMPv1 and SNMPv2c do not meet your security requirements.
  • Page 287: Users

    SNMP community. SNMPv1 and SNMPv2c requests that fail the source IP address and community validation checks are discarded and are logged as SNMP event 2003 authenticationFailure (suppressed by default under “event-control”).
  • Page 288: Which SNMP Version To Use

    SNMP authentication allows the router to validate the managing node that issued the SNMP message and determine if the message was tampered with. Figure 7 depicts the configuration requirements to implement SNMPv1/SNMPv2c, and SNMPv3.
  • Page 289: Figure 7: SNMPv1 And SNMPv2c Configuration And Implementation Flow

    [Figure 7: SNMPv1 and SNMPv2c Configuration and Implementation Flow. Flowchart boxes: R, RW, RWA Access (SNMPv1 & SNMPv2c ONLY); Configure Views; Configure Access Groups; Configure USM Community; Configure SNMP Users; Exit.]
  • Page 290: Configuration Notes

    If not, the previously configured SNMP communities and logger trap-target notify communities will not be valid for the new engine ID.
  • Page 291: Configuring SNMP With CLI

    This section provides information about configuring SNMP with CLI. Topics in this chapter include: • SNMP Configuration Overview on page 292 • Basic SNMP Security Configuration on page 293 • Configuring SNMP Components on page 294
  • Page 292: Configuring Snmpv3

    Configuring SNMPv3 on page 292
    Configuring SNMPv1 and SNMPv2c
    Alcatel-Lucent routers are based on SNMPv3. To use the routers with SNMPv1 and/or SNMPv2c, SNMP community strings must be configured. Three pre-defined access methods are available when SNMPv1 or SNMPv2c access is required. Each access method (r, rw, or rwa) is associated with an SNMPv3 access group that determines the access privileges and the scope of managed objects available.
  • Page 293: Basic Snmp Security Configuration

    20 time 5 lockout 10
  • Page 294: Configuring Snmp Components

    [version SNMP version]
    usm-community community-string group group-name
    view view-name subtree oid-value
        mask mask-value [type {included|excluded}]
    access group group-name security-model security-model security-level security-level [context context-name [prefix-match]] [read view-name-1] [write view-name-2] [notify view-name-3]
  • Page 295: Configuring A Community String

    [type {included|excluded}]
    The following displays a view configuration example:
    *A:cses-A13>config>system>security>snmp# info
    ----------------------------------------------
            view "testview" subtree "1"
                mask ff
            exit
            view "testview" subtree "1.3.6.1.2"
                mask ff type excluded
            exit
  • Page 296: Configuring Access Options

    *A:cses-A13>config>system>security>snmp#
    Use the following CLI syntax to configure user group and authentication parameters:
    CLI Syntax: config>system>security# user user-name
        access [ftp] [snmp] [console]
        snmp
            authentication [none]|[[hash]{md5 key|sha key } privacy {none|des-key|aes-128-cfb-key key}]
            group group-name
  • Page 297: Configuring Usm Community Options

    "testview" write "testview" notify "testview"
            community "uTdc9j48PBRkxn5DcSjchk" hash2 rwa version both
            community "Lla.RtAyRW2" hash2 r version v2c
            community "r0a159kIOfg" hash2 r version both
    ----------------------------------------------
    A:ALA-1>config>system>security>snmp#
    The group grouptest was configured in the config>system>security>snmp>access CLI context.
  • Page 298: Configuring Other Snmp Parameters

    CLI Syntax: config>system>snmp
        engineID engine-id
        general-port port
        packet-size bytes
        no shutdown
    The following example displays the system SNMP default values:
    A:ALA-104>config>system>snmp# info detail
    ----------------------------------------------
            shutdown
            engineID "0000xxxx000000000xxxxx00"
            packet-size 1500
            general-port 161
    ----------------------------------------------
    A:ALA-104>config>system>snmp#
  • Page 299: Snmp Command Reference

    — [no] src-access-list list-name — src-host host-name address ip-address — no src-host host-name — view view-name subtree oid-value — no view view-name [subtree oid-value] — mask mask-value [type {included | excluded}] — no mask
  • Page 300 — access-group [group-name] — authentication [statistics] — password-options [entry-id] — password-options — per-peer-queuing — profile [profile-name] — snmp — community [community-string] — src-access-list [list-name] — — user [user-id] [detail] — view [view-name] [detail]
  • Page 301 This command configures the port number used by this node to receive SNMP request messages and to send replies. Note that SNMP notifications generated by the agent are sent from the port specified in the config>log>snmp-trap-group>trap-target CLI command.
  • Page 302 In higher latency networks, synchronizing router MIBs from network management via streaming takes less time than synchronizing via classic SNMP UDP requests. Streaming operates on TCP port 1491 and runs over IPv4 or IPv6.
  • Page 303 SNMP persistent index file fails while the bof persist on command is enabled. The no form of the command administratively enables SNMP which is the default state.
    Default: no shutdown
  • Page 304: Access Group

    When this option is configured, both the group and the user must be configured for authentication. The user must also be configured for privacy.
    context context-name — Specifies a set of SNMP objects that are associated with the context-name.
  • Page 305 1 — 64 time minutes1 — The period of time, in minutes, that a specified number of unsuccessful attempts can be made before the host is locked out. Default Values 0 — 60
  • Page 306 • vpls-mgmt — Assigns a unique SNMP community string to the management virtual router.
    version {v1 | v2c | both} — Configures the scope of the community string to be for SNMPv1, SNMPv2c, or both SNMPv1 and SNMPv2c access.
    Default: both
  • Page 307 {included | excluded} — Specifies whether to include or exclude MIB subtree objects. included - All MIB subtree objects that are identified with a 1 in the mask are available in the view. (Default: included).
  • Page 308 Default: none
    Parameters
    list-name — Configures the name or key of the src-access-list. The list-name parameter must begin with a letter (a-z or A-Z).
  • Page 309 The access granted with a community string is restricted to the scope of the configured group. Alcatel-Lucent’s SR OS implementation of SNMP uses SNMPv3. In order to implement SNMPv1 and SNMPv2c configurations, several access groups are predefined. In order to implement SNMP with security features (Version 3), security models, security levels, and USM communities must be explicitly configured.
  • Page 310 It is possible to have a view with different subtrees with their own masks and include and exclude statements. This allows for customizing visibility and write capabilities to specific user requirements.
  • Page 311: Table 28: Counters Output Fields

    variables set: Displays the number of MIB objects set by SNMP as the result of receiving valid SNMP set request PDUs.
    Sample Output
    A:ALA-1# show snmp counters
    ==============================================================================
    SNMP counters:
    ==============================================================================
    in packets :
  • Page 312: Table 29: Counters Output Fields

    out responses: Displays the number of response packets sent.
    Sample Output
    *A:Dut-B# show snmp streaming counters
    ==============================================================================
    STREAMING counters:
    ==============================================================================
    in getTables : 772
    in getManys : 26
    ------------------------------------------------------------------------------
    out responses : 848
    ==============================================================================
  • Page 313: Table 30: Show System Information Output Fields

    Disabled — Persistent indexes at the last system reboot were disabled.
    SNMP Sync State: The state when the synchronization of configuration files between the primary and secondary s finish.
    Telnet/SSH/FTP Admin: Displays the administrative state of the Telnet, SSH, and FTP sessions.
  • Page 314 Time Last Modified
    Max Cfg/BOF Backup Rev: The maximum number of backup revisions maintained for a configuration file. This value also applies to the number of revisions maintained for the BOF file.
  • Page 315 Next Hop — The next hop IP address used to reach the destination.
    Metric — Displays the priority of this static route versus other static routes.
    None — No static routes are configured.
  • Page 316 /rel0.0/I1042/panos/main # Generated THU FEB 11 16:58:20 2007 UTC Last Boot Index Version: N/A Last Boot Index Header : # TiMOS-B-0.0.I1042 both/i386 Alcatel-Lucent SR 7450 Copyright (c) 2000-2007 Alcatel-Lucent. # All rights reserved. All use subject to applicable license agreements.
  • Page 317: Table 31: Show System Security Access-Group Output Fields

    -------------------------------------------------------------------------------
    No. of Access Groups: 8
    ===============================================================================
    A:ALA-1#
    A:ALA-1# show system security access-group detail
  • Page 318 retry count: The number of attempts to retry contacting the server.
    radius admin sta-: The administrative status of the RADIUS protocol operation.
    tacplus admin sta-: The administrative status of the TACACS+ protocol operation.
  • Page 319 Number of invalid attempts permitted per login: Displays the maximum number of unsuccessful login attempts allowed for a user.
    Time in minutes per login attempt: Displays the time in minutes that user is to be locked out.
  • Page 320 Minimum password length
    ===============================================================================
    A:ALA-48>show>system>security#
    per-peer-queuing
    Syntax: per-peer-queuing
    Context: show>system>security
    Description: This command displays the number of queues in use by the Qchip, which in turn is used by PPQ, CPM filter, SAP, etc.
  • Page 321 Displays the number of CPM hardware queues that are in use. Num of Queues In
    Sample Output
    A:ALA-48>show>system>security# per-peer-queuing
    =================================================
    CPM Hardware Queuing
    =================================================
    Per Peer Queuing : Enabled
    Total Num of Queues : 8192
    Num of Queues In Use
    =================================================
    A:ALA-48>show>system>security#
  • Page 322 — The action to be taken when an entry matches the command.
    Entry: 10 - 80 — Each entry represents the configuration for a system user.
    Description: A text string describing the entry.
  • Page 323 Match Command:
    Action : unknown
    ===============================================================================
    User Profile : default
    Def. Action : none
    -------------------------------------------------------------------------------
    Entry : 10
    Description
    Match Command: exec
    Action : permit
    -------------------------------------------------------------------------------
    Entry : 20
    Description
    Match Command: exit
  • Page 324 IP address list and validation failure counters.
    Output
    Community Output — The following table describes the community output fields.
  • Page 325: Table 32: Show Community Output Fields

    ------------------------------------------------------------------------------
    No. of Communities: 6
    ==============================================================================
    A:ALA-1#
    A:ALA-1# show system security snmp community "my-public2"
    ==============================================================================
  • Page 326: Table 33: Show Source Access List Output Fields

    Total Access Lists: The total number of source access lists displayed.
    A:ALA-1# show system security snmp src-access-list
    =============================================================================
    Source Access Lists
    =============================================================================
    List Name HostName Host Address
    -----------------------------------------------------------------------------
    100.100.100.1 100.100.100.2 100.100.101.1 100.100.101.2
    -----------------------------------------------------------------------------
    Total Access Lists: 2
    =============================================================================
    A:ALA-1#
  • Page 327: Table 34: Show Ssh Output Fields

    Username: The name of the user.
    Number of SSH sessions: The total number of SSH sessions.
    Sample output
    # show system security ssh A:ALA-7
    SSH is enabled
  • Page 328 Key fingerprint: 34:00:f4:97:05:71:aa:b1:63:99:dc:17:11:73:43:83
    =======================================================
    Connection Encryption Username
    =======================================================
    192.168.5.218 3des admin
    -------------------------------------------------------
    Number of SSH sessions : 1
    =======================================================
    ALA-7#
    A:ALA-49>config>system>security# show system security ssh
    SSH is disabled
    A:ALA-49>config>system>security#
  • Page 329: Table 35: Show User Output Fields

    A:ALA-1# show system security user
    ===============================================================================
    Users
    ===============================================================================
    user id need user permissions password attempted failed local new pwd console ftp snmp expires logins logins conf
    -------------------------------------------------------------------------------
    admin never
    testuser never
    -------------------------------------------------------------------------------
    Number of users : 2
  • Page 330: Table 36: Show System Security View Output Fields

    A:ALA-1# show system security view
    ===============================================================================
    Views
    ===============================================================================
    view name oid tree mask permission
    -------------------------------------------------------------------------------
    included
    no-security included
    no-security 1.3.6.1.6.3 excluded
    no-security 1.3.6.1.6.3.10.2.1 included
    no-security 1.3.6.1.6.3.11.2.1 included
    no-security 1.3.6.1.6.3.15.1.1 included
    -------------------------------------------------------------------------------
    No. of Views: 6
    ===============================================================================
    A:ALA-1#
  • Page 331 -------------------------------------------------------------------------------
    no-security included
    no-security 1.3.6.1.6.3 excluded
    no-security 1.3.6.1.6.3.10.2.1 included
    no-security 1.3.6.1.6.3.11.2.1 included
    no-security 1.3.6.1.6.3.15.1.1 included
    -------------------------------------------------------------------------------
    No. of Views: 5
    ===============================================================================
    =======================================
    no-security used in
    =======================================
    group name
    ---------------------------------------
    snmp-ro
    snmp-rw
    =======================================
    A:ALA-1#
  • Page 333: In This Chapter

    Establishing a NETCONF Session on page 351
    → XML Content Layer on page 352
    → XML Content Layer Examples on page 359
    → CLI Content Layer on page 362
    → CLI Content Layer Examples on page 363
  • Page 334: Figure 8: Netconf Rpc Request

    NETCONF server in a request/response type of interaction. The SR OS NETCONF interface supports both configuration support and retrieval of operational information. NETCONF can be conceptually partitioned into four layers as described in RFC 6241.
  • Page 335: Figure 9: Netconf Layers (Rfc 6241)

    "admin rollback" commands are supported using a CLI content layer <cli-action> RPC. “bof”, “debug”, “tools”, and other general CLI operational commands (e.g. “telnet” or “ping”) are not supported via NETCONF. The SR OS NETCONF server advertises base capability 1.1 (in addition to 1.0).
  • Page 336: Yang Data Models

    YANG Data Models The SR OS NETCONF XML content layer configuration schema is described in a set of Alcatel-Lucent proprietary YANG modules. The configuration modules are advertised in the SR OS NETCONF server hello. The configuration YANG data model closely aligns to the SR OS CLI configuration tree structure and commands.
  • Page 337: Netconf Operations

    <close-session>
    • <kill-session>
    The <lock> and <unlock> base protocol operations are not supported. The <error-option> is not supported. SR OS implements the stop-on-error behavior by default. The continue-on-error and rollback-on-error are not supported.
  • Page 338

    <rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <data xmlns="urn:alcatel-lucent.com:sros:ns:yang:cli-content-layer-r13">
        <oper-data-format-cli-block>
          <item>
            <cli-show>router interface "system"</cli-show>
            <response>
    ===============================================================================
    Interface Table (Router: Base)
    ===============================================================================
    Interface-Name Opr(v4/v6) Mode Port/SapId IP-Address PfxState
    -------------------------------------------------------------------------------
    system Up/Down Network system 144.23.63.5/32
    -------------------------------------------------------------------------------
    Interfaces : 1
    ===============================================================================
            </response>
  • Page 339 <source>=<startup> and <target>=<url> (as long as both are not remote urls)
    • <source>=<running> and <target>=<url>
      ∅ Equivalent of "admin save <file-url>"
      ∅ An index file is also saved if "persist on" is configured in the bof
  • Page 340: Datastores And Urls

    SR OS supports the <running> datastore, the <startup> datastore, and <url> tags (Note: <url> is not a datastore in itself). The <candidate> datastore is not supported. All configuration changes (<edit-config>) done to the <running> datastore via NETCONF take immediate operational effect.
  • Page 341: General Netconf Behavior

    Pressing Ctrl-C in a NETCONF request will immediately terminate the session. In the rpc tag, the only allowable namespace or prefix declaration is for the standard NETCONF “urn:ietf:params:xml:ns:netconf:base:1.0” namespace. If any other namespace is
  • Page 342

            <router-name>Base</router-name>
            <interface>
              <interface-name>system</interface-name>
              <address>
                <ip-address-mask>144.23.63.5/32</ip-address-mask>
              </address>
              <shutdown>false</shutdown>
            </interface>
          </router>
        </configure>
      </data>
    </rpc-reply>
    ]]>]]>

    Example 2 — A non-standard NETCONF namespace defined in the rpc tag:

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:alu="urn:alcatel-lucent.com:sros:ns:yang:conf-r13">
      <get-config>
  • Page 343

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns:alu="urn:ietf:params:xml:ns:netconf:base:1.0">
      <get-config>
        <source>
          <running/>
        </source>
        <filter>
          <configure>
            <router>
              <interface xmlns:alu="urn:alcatel-lucent.com:sros:ns:yang:conf-r13">
                <interface-name>"system"</interface-name>
              </interface>
            </router>
          </configure>
        </filter>
      </get-config>
    </rpc>
    ]]>]]>

    Reply (non-standard namespace used in tag is ignored):
  • Page 344

            </router>
          </configure>
        </filter>
      </get-config>
    </rpc>
    ]]>]]>

    Reply (non-standard namespace/prefix used in tag is ignored):

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc-reply message-id="101" xmlns:alu="urn:ietf:params:xml:ns:netconf:base:1.0" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <data>
        <configure xmlns="urn:alcatel-lucent.com:sros:ns:yang:conf-r13">
          <router>
            <router-name>Base</router-name>
            <interface>
              <interface-name>system</interface-name>
              <address>
                <ip-address-mask>144.23.63.5/32</ip-address-mask>
              </address>
              <shutdown>false</shutdown>
            </interface>
  • Page 345 <capability>urn:ietf:params:netconf:capability:with-defaults:1.0?basic-mode=trim</capability>
    Pseudo-transactional capabilities are supported. A user can save a rollback checkpoint (for example, prior to doing an <edit-config> or a series of <edit-config>) and perform a rollback revert if needed later.
  • Page 346

                "system"
                    no shutdown
                exit
            exit
        exit
    exit
    ----------------------------------------------
    Finished in 0.720 s
    </response>
    </item>
    <item>
    <admin>rollback compare</admin>
    <response>
    0.160 s 0.070 s
    ----------------------------------------------
    configure
        router
            mpls
                shutdown
                interface "system"
                    no shutdown
  • Page 347

        <admin>rollback compare active-cfg to 1</admin>
        <admin>rollback compare flee-fly</admin>
      </cli-action>
    </rpc>
    ]]>]]>

    Reply:

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc-reply message-id="103" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <rpc-error>
        <error-type>application</error-type>
        <error-tag>operation-failed</error-tag>
        <error-severity>error</error-severity>
        <error-info>
          <err-element>admin</err-element>
        </error-info>
        <error-message>
          command failed - '/admin rollback compare flee-fly'
        </error-message>
      </rpc-error>
  • Page 348

                "system"
                    no shutdown
                exit
            exit
        exit
    exit
    ----------------------------------------------
    Finished in 0.460 s
    </response>
    </item>
    <item>
    <admin>rollback compare 1 to flee-fly</admin>
    <response>
    </response>
    <rpc-error>
      <error-type>application</error-type>
      <error-tag>operation-failed</error-tag>
      <error-severity>error</error-severity>
      <error-info>
        <err-element>admin</err-element>
  • Page 349

    0.170 s 1.350 s
    ----------------------------------------------
    configure
        router
            mpls
                shutdown
                interface "system"
                    no shutdown
                exit
            exit
            rsvp
                shutdown
                interface "system"
                    no shutdown
                exit
            exit
        exit
    exit
    ----------------------------------------------
    Finished in 1.640 s
    </response>
    </item>
    <item>
  • Page 350

    Config system security snmp view no-security-view …
    Config system security snmp access group xyz (a set of access groups)
    Config system security ssh client-cipher-list protocol-version 1 cipher 200-210
    Config system security ssh client-cipher-list protocol-version 2 cipher 190-235
  • Page 351: Establishing A Netconf Session

    NETCONF server. The SSH session must be invoked using an SSH subsystem (as recommended in RFC 6242):

    ssh -s my_username@192.168.0.92 -p 830 netconf

    The following example shows an exchange of hello messages which include advertisement of capabilities. From the SR OS server:

    <?xml version="1.0" encoding="UTF-8"?>
  • Page 352: Xml Content Layer

    XML format at the NETCONF content layer, configuration changes and configuration information retrieved are expressed as XML tags. The XML formatted configuration information must be correctly ordered and has the same dependencies and behavior as the equivalent CLI commands.
  • Page 353: Edit-Config> With Xml Content Layer

    The delete operation is not aware of the default value of the object/leaf being deleted.
    • A delete or remove for a leaf, where the request also specifies a value for the leaf, will result in an error.
  • Page 354: Get-Config> With Xml Content Layer

    CLI to be deleted before removing vpls 11, then the deletion request above will fail. All configured children must be specified in the delete request.
    <get-config> with XML Content Layer
  • Page 355 Example 1 — The following request will return an error:

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <get-config>
        <source>
          <running/>
        </source>
        <filter>
          <configure>
            <router>
              <interface>
                <interface-name>abc</interface-name>
                <delayed-enable>30</delayed-enable>
              </interface>
            </router>
          </configure>
        </filter>
      </get-config>
    </rpc>
    ]]>]]>

    Reply:

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <rpc-error>
  • Page 356

        </filter>
      </get-config>
    </rpc>
    ]]>]]>

    Example 3 — A valid <get-config> request (selection node that is a container):

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <get-config>
        <source>
          <running/>
        </source>
        <filter>
          <configure>
            <router/>
          </configure>
        </filter>
      </get-config>
  • Page 357

          - 'configure router interface'
        </error-message>
      </rpc-error>
    </rpc-reply>
    ]]>]]>

    Example 5 — An invalid <get-config> request (empty leaf node - invalid selection node):

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <get-config>
        <source>
          <running/>
        </source>
        <filter>
          <configure>
            <system>
              <security>
  • Page 358 Example 6 — An invalid <get-config> request (key repeated in the same instance of the list node):

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <get-config>
        <source>
          <running/>
        </source>
        <filter>
          <configure>
            <router>
              <interface>
                <interface-name>abc</interface-name>
                <interface-name>def</interface-name>
              </interface>
            </router>
          </configure>
        </filter>
      </get-config>
    </rpc>
    ]]>]]>

    Reply:

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <rpc-error>
  • Page 359: Xml Content Layer Examples

    <hello> messages. Below is an example of a <get-config> request and response to check on whether netconf is shut down or not on the router:

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <get-config>
  • Page 360 Below is an example of a <edit-config> request and response to create a basic VPRN service:

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <edit-config>
        <target>
          <running/>
        </target>
        <config>
          <configure>
            <service>
              <vprn operation="create">
                <service-id>200</service-id>
                <customer>1</customer>
              </vprn>
            </service>
          </configure>
        </config>
      </edit-config>
    </rpc>
    ]]>]]>

    Reply:

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc-reply message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
  • Page 361

        <error-severity>error</error-severity>
        <error-info>
          <err-element>edit-config</err-element>
        </error-info>
        <error-message>
          command failed - 'configure service vprn "201" customer 1 interface "test" sap "2/1/1"'
          MINOR: CLI SAP-id has an invalid port number or encapsulation value.
        </error-message>
      </rpc-error>
    </rpc-reply>
    ]]>]]>
  • Page 362: Cli Content Layer

    Post-processing commands are ignored: "| match" (pipe match), "| count" (pipe count) and ">" (redirect to file) and CLI ranges are not supported for any command; for example, show card [1..5]. For more information, see "CLI Content Layer Examples".
  • Page 363: Cli Content Layer Examples

    Below is an example of a <get-config> request and response to retrieve configuration information:

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <get-config>
        <source>
          <running/>
        </source>
        <filter>
          <config-format-cli-block>
            <cli-info>router</cli-info>
            <cli-info-detail>system login-control</cli-info-detail>
          </config-format-cli-block>
        </filter>
      </get-config>
    </rpc>
    ]]>]]>
  • Page 364: Default Settings

        </config-format-cli-block>
      </data>
    </rpc-reply>
    ]]>]]>

    Below is an example of a <get-config> request and response to retrieve full configuration information. Note that <cli-info-detail/> can be used to get the full configuration including default settings.
  • Page 365 <item> <cli-info></cli-info> <response> # TiMOS-C-0.0.I4301 cpm/x86_64 ALCATEL SR 7750 Copyright (c) 2000-2015 Alcatel-Lucent. # All rights reserved. All use subject to applicable license agreements. # Built on Sun Jan 4 19:11:11 PST 2015 by builder in /rel0.0/I4301/panos/main # Generated WED JAN 07 01:07:43 2015 UTC...
  • Page 366

      </data>
    </rpc-reply>
    ]]>]]>

    Below is an example of a <get> request and the response to it:

    <?xml version="1.0" encoding="UTF-8"?>
    <rpc message-id="101" xmlns="urn:ietf:params:xml:ns:netconf:base:1.0">
      <get>
        <filter>
          <oper-data-format-cli-block>
            <cli-show>system security ssh</cli-show>
          </oper-data-format-cli-block>
        </filter>
      </get>
    </rpc>
    ]]>]]>
  • Page 367

    RSA Host Key Fingerprint : 49:7c:21:97:42:35:83:61:06:95:cd:a8:78:4c:1e:76
    -------------------------------------------------------------------------------
    Connection Username Version Cipher ServerName Status
    -------------------------------------------------------------------------------
    135.121.143.254 admin aes128-cbc netconf connected
    -------------------------------------------------------------------------------
    Number of SSH sessions : 1
    ===============================================================================
            </response>
          </item>
        </oper-data-format-cli-block>
      </data>
    </rpc-reply>
    ]]>]]>
  • Page 369: Netconf Command Reference

    — security — user user-id — access [ftp] [snmp] [console] [li][netconf] config — system — security — profile profile-id — netconf — base-op-authorization —[no] kill-session Show Commands show — system — netconf — counters
  • Page 371 NETCONF sessions. Use the “admin disconnect” command to disconnect all NETCONF sessions before shutting down the NETCONF service.
    base-op-authorization
    Syntax: base-op-authorization
    Context: config>system>security>profile>netconf
    Description: This command authorizes a user associated with the profile to send a <kill-session> NETCONF operation.
  • Page 373 Connection: The IP address of the connected router(s) (remote client).
    Username: The name of the user.
    Session ID: The NETCONF session ID.
    Status: Connected or not connected.
    Number of sessions: Total NETCONF sessions
  • Page 374 SSH Options
    Output — The following table describes NETCONF counter output fields.
    Label: Description
    RX Messages: Types and numbers of receive messages
    Total RX: Total of all receive messages
    TX Messages: Types and numbers of send messages
    Total TX: Total of all send messages
  • Page 375 *A:bksim3107# show system netconf counters
    ==============================================================================
    NETCONF counters:
    ==============================================================================
    Rx Messages
    ------------------------------------------------------------------------------
    in gets
    in get-configs
    in edit-configs
    in close-sessions
    in kill-sessions
    ------------------------------------------------------------------------------
    Rx Total
    ==============================================================================
    Tx Messages
    ------------------------------------------------------------------------------
    out rpc-errors
    ------------------------------------------------------------------------------
    Tx Total
    ==============================================================================
  • Page 376 NETCONF System Commands
  • Page 377: Event And Accounting Logs

    Event Handling System on page 394 • Accounting Logs on page 396 → Accounting Records on page 396 → Accounting Files on page 412 → Design Considerations on page 412 • Configuration Notes on page 418
  • Page 378: Table 37: Event Severity Levels

    Events that are suppressed by event control will not generate any event log entries. Event control maintains a count of the number of events generated (logged) and dropped (suppressed) for each application event. The severity of an application event can be configured in event control.
  • Page 379 The only supported destination for an accounting log is a compact flash system device (cf1 or cf2). Accounting data is stored within a standard directory structure on the device in compressed XML format.
  • Page 380: Memory Logs

    When a memory log is created, the specific number of entries it can hold can be specified, otherwise it will assume a default size. An event log can send entries to a memory log destination.
  • Page 381: Log Files

    24-hour clock (for example, 04 for 4 a.m.) mm is the two digit minute (for example, 30 for 30 minutes past the hour) ss is the two digit second (for example, 14 for 14 seconds)
  • Page 382 The \act-collect directory is where active accounting logs are written. When an accounting log is rolled over, the active file is closed and archived in the \act directory before a new active accounting log file is created in \act-collect.
  • Page 383: Snmp Trap Group

    The UDP port used to send the syslog message. • The Syslog Facility Code (0 - 23) (default 23 - local 7). • The Syslog Severity Threshold (0 - 7) - events exceeding the configured level will be sent.
  • Page 384: Table 38: Router To Syslog Severity Level Mappings

    System is unusable alert Action must be taken immediately critical Critical conditions error Error conditions warning Warning conditions notice Normal but significant condition 1 cleared info Informational messages 2 indeterminate debug Debug-level messages
  • Page 385: Figure 10: Event Logging Block Diagram

    Figure 10: Event Logging Block Diagram (labels: Main, Security, Change, Debug; Log Manager; Filter Policy; Log Destination: Console, Session, Memory, File, Trap Group, Syslog)
  • Page 386: Event Sources

    *A:ALA-48# show log applications ================================== Log Event Application Names ================================== Application Name ---------------------------------- CCAG CFLOWD CHASSIS MPLS MSDP USER VRRP VRTR ================================== *A:ALA-48#
  • Page 387: Event Control

    2001 cardFailure 2002 cardInserted 2003 cardRemoved CPMHWFILTER: DHCP: 2001 sdpTlsDHCPSuspiciousPcktRcvd 2002 sapTlsDHCPLseStEntriesExceeded 2003 sapTlsDHCPLeaseStateOverride DEBUG: 2001 traceEvent DOT1X: FILTER: 2001 filterPBRPacketsDropped IGMP_SNOOPING: 2001 clearRTMError 2002 ipEtherBroadcast 2003 ipDuplicateAddress ISIS: 2001 vRtrIsisDatabaseOverload 2002 vRtrIsisManualAddressDrops
  • Page 388 2001 DynamicCostOn 2002 DynamicCostOff 2003 LagPortAddFailed LDP: 2001 vRtrLdpStateChange 2002 vRtrLdpInstanceStateChange 2003 vRtrLdpIfStateChange LOGGER: 2001 STARTED 2002 traceErrorEvent 2005 tmnxLogSpaceContention MIRROR: 2001 sourceEnabled 2002 sourceDisabled 2003 destinationEnabled MPLS: 2001 mplsXCUp 2002 mplsXCDown 2003 mplsTunnelUp
  • Page 389: Log Manager And Event Logs

    • An optional event filter policy An event filter policy defines whether to forward or drop an event or trap based on match criteria.
  • Page 390: Table 39: Valid Filter Policy Operators

    The log manager uses event filter policies to allow fine control over which events are forwarded or dropped based on various criteria. Like other policies with the 7450 ESS, filter policies have a default action. The default actions are either: •...
  • Page 391: Table 40: Log Entry Field Descriptions

    The UTC date stamp for the log entry. YYYY/MM/DD YYYY — Year MM — Month DD — Date The UTC time stamp for the event. HH:MM:SS.SS HH — Hours (24 hour format) MM — Minutes SS.SS — Seconds
  • Page 392 The application’s event ID number for the event. <event_id> The router name representing the VRF-ID that generated the event. <router> The subject/affected object for the event. <subject> A text description of the event. <description>
  • Page 393: Simple Logger Event Throttling

    Throttle rate applies commonly to all event types. It is not configurable for a specific event-type. A timer task checks for events dropped by throttling when the throttle interval expires. If any events have been dropped, a TIMETRA-SYSTEM-MIB::tmnxTrapDropped notification is sent.
  • Page 394: Default System Log

    Any command available in CLI (with some limited exceptions such as 'candidate' commands) can be executed in a script as the result of an EHS handler being triggered. The following figure illustrates the relationships between the different configurable objects used by EHS (and CRON).
  • Page 395: Figure 11: Ehs Object Relationships

    EHS will trigger on log events that are dropped by user configured log filters that are assigned to individual logs (config>log>filter). The EHS event trigger logic occurs before the distribution of log event streams into individual logs.
  • Page 396: Table 41: Accounting Record Name And Collection Periods

    & cmSeo complete-network-ingr-egr cpNipo & cpNepo Network port complete-service-ingress-egress cpSipo & cpSepo combined-sdp-ingress-egress cmSdpipo and SDP and SDP binding cmSdpepo complete-sdp-ingress-egress cmSdpipo, SDP and SDP binding cmSdpepo, cpSdpipo and cpSdpepo custom-record-aa-sub aaSubCustom AA subscriber
  • Page 397: Table 42: Accounting Record Name Details

    Each accounting record name is composed of one or more sub-records, each of which is in turn composed of multiple fields. Refer to the Application Assurance Statistics Fields Generated per Record table in the 7450 ESS-Series OS Integrated Services Adapter Guide for field names for Application Assurance records.
  • Page 398 SapId QueueId InProfilePktsForwarded InProfilePktsDropped OutOfProfilePktsForwarded OutOfProfilePktsDropped Network-ingress-octets (nio) port PortId QueueId InProfileOctetsForwarded InProfileOctetsDropped OutOfProfileOctetsForwarded OutOfProfileOctetsDropped Network-egress-octets (neo) port PortId QueueId InProfileOctetsForwarded InProfileOctetsDropped OutOfProfileOctetsForwarded OutOfProfileOctetsDropped Network-ingress-packets (nip) port PortId QueueId InProfilePktsForwarded InProfilePktsDropped OutOfProfilePktsForwarded OutOfProfilePktsDropped
  • Page 399 OutOfProfilePktsForwarded OutOfProfilePktsDropped Compact-service-ingress-octets (ctSio) ctSio SvcId SapId QueueId OfferedHiPrioOctets DroppedHiPrioOctets LowOctetsOffered LowOctetsDropped UncoloredOctetsOffered Combined-service-ingress (cmSipo) cmSipo SvcId SapId QueueId HighPktsOffered HighPktsDropped LowPktsOffered LowPktsDropped UncoloredPacketsOffered OfferedHiPrioOctets DroppedHiPrioOctets LowOctetsOffered LowOctetsDropped UncoloredOctetsOffered InProfilePktsForwarded OutOfProfilePktsForwarded InProfileOctetsForwarded OutOfProfileOctetsForwarded
  • Page 400 OutOfProfileOctetsForwarded OutOfProfileOctetsDropped cmNeo port PortId QueueId InProfileOctetsForwarded InProfileOctetsDropped OutOfProfileOctetsForwarded OutOfProfileOctetsDropped Combined-service-ingr-egr-octets cmSio SvcId (cmSio & CmSeo) SapId QueueId OfferedHiPrioOctets DroppedHiPrioOctets LowOctetsOffered LowOctetsDropped UncoloredOctetsOffered InProfileOctetsForwarded OutOfProfileOctetsForwarded cmSeo SvcId SapId QueueId InProfileOctetsForwarded InProfileOctetsDropped OutOfProfileOctetsForwarded OutOfProfileOctetsDropped
  • Page 401 Record Name Sub-Record Field Field Description Complete-network-ingr-egr cpNipo port PortId (cpNipo & cpNepo) QueueId InProfilePktsForwarded InProfilePktsDropped OutOfProfilePktsForwarded OutOfProfilePktsDropped InProfileOctetsForwarded InProfileOctetsDropped OutOfProfileOctetsForwarded OutOfProfileOctetsDropped cpNepo port PortId QueueId InProfilePktsForwarded InProfilePktsDropped OutOfProfilePktsForwarded OutOfProfilePktsDropped InProfileOctetsForwarded InProfileOctetsDropped OutOfProfileOctetsForwarded OutOfProfileOctetsDropped
  • Page 402 LowOctetsOffered LowOctetsDropped UncoloredOctetsOffered InProfilePktsForwarded OutOfProfilePktsForwarded InProfileOctetsForwarded OutOfProfileOctetsForwarded cpSepo SvcId SapId QueueId InProfilePktsForwarded InProfilePktsDropped OutOfProfilePktsForwarded OutOfProfilePktsDropped InProfileOctetsForwarded InProfileOctetsDropped OutOfProfileOctetsForwarded OutOfProfileOctetsDropped Complete-sdp-ingress-egress (cpSdpipo cpSdpipo SdpID & cpSdpepo) TotalPacketsForwarded TotalPacketsDropped TotalOctetsForwarded TotalOctetsDropped cpSdpepo SdpID TotalPacketsDropped TotalOctetsDropped
  • Page 403 SvcID SdpID TotalPacketsForwarded TotalOctetsForwarded Complete-sdp-ingress-egress (cmSdpipo cmSdpipo SvcID & cmsdpepo) SdpID (cpSdpip & cpSdpepo) TotalPacketsForwarded TotalPacketsDropped TotalOctetsForwarded TotalOctetsDropped cmSdpepo SvcID SdpID TotalPacketsForwarded TotalOctetsForwarded cpSdpipo SdpID TotalPacketsForwarded TotalPacketsDropped TotalOctetsForwarded TotalOctetsDropped cpSdpepo SdpID TotalPacketsForwarded TotalOctetsForwarded
  • Page 404 AllOctetsOffered **** UncolouredOctetsOffered InProfilePktsForwarded OutOfProfilePktsForwarded InProfileOctetsForwarded OutOfProfileOctetsForwarded v4pf IPv4PktsForwarded v6pf IPv6PktsForwarded v4pd IPv4PktsDropped v6pd IPv6PktsDropped v4of IPv4OctetsForwarded v6of IPv6OctetsForwarded v4od IPv4OctetsDropped v6od IPv6OctetsDropped cpSBepo QueueId InProfilePktsForwarded InProfilePktsDropped OutOfProfilePktsForwarded OutOfProfilePktsDropped InProfileOctetsForwarded InProfileOctetsDropped OutOfProfileOctetsForwarded OutOfProfileOctetsDropped
  • Page 405 Table 42: Accounting Record Name Details (Continued) Record Name Sub-Record Field Field Description v4pf IPv4PktsForwarded v6pf IPv6PktsForwarded v4pd IPv4PktsDropped v6pd IPv6PktsDropped v4of IPv4OctetsForwarded v6of IPv6OctetsForwarded v4od IPv4OctetsDropped v6od IPv6OctetsDropped
  • Page 406 InProfilePktsForwarded OutOfProfilePktsForwarded InProfileOctetsForwarded OutOfProfileOctetsForwarded UncolouredPacketsOffered UncolouredOctetsOffered cpSBepooc *** OverrideCounterId InProfilePktsForwarded InProfilePktsDropped OutOfProfilePktsForwarded OutOfProfilePktsDropped InProfileOctetsForwarded InProfileOctetsDropped OutOfProfileOctetsForwarded OutOfProfileOctetsDropped TestMode OwnerName TestName PingRun subrecord RunIndex TestRunResult MinRtt MaxRtt AverageRtt RttSumOfSquares ProbeResponses SentProbes MinOutTt MaxOutTt AverageOutTt
  • Page 407 AverageInTt InTtSumOfSqrs OutJitter InJitter RtJitter ProbeTimeouts ProbeFailures RunIndex TestRunResult LastGoodProbe TraceHop HopIndex MinRtt MaxRtt AverageRtt RttSumOfSquares ProbeResponses SentProbes MinOutTt MaxOutTt AverageOutTt OutTtSumOfSquares MinInTt MaxInTt AverageInTt InTtSumOfSqrs OutJitter InJitter RtJitter ProbeTimeouts ProbeFailures TraceAddressType TraceAddressValue
  • Page 408 Dot3OutPauseFrames (*) For a SAP in AAL5 SDU mode, packet counters refer to the number of SDU. (*) For a SAP in N-to-1 cell mode, packet counters refer to the number of cells.
  • Page 409: Table 43: Policer Stats Field Descriptions

    Field Description PolicerId statmode PolicerStatMode AllOctetsDropped AllOctetsForwarded AllOctetsOffered AllPacketsDropped AllPacketsForwarded AllPacketsOffered HighPriorityOctetsDropped HighPriorityOctetsForwarded HighPriorityOctetsOffered HighPriorityPacketsDropped HighPriorityPacketsForwarded HighPriorityPacketsOffered InProfileOctetsDropped InProfileOctetsForwarded InProfileOctetsOffered InProfilePacketsDropped InProfilePacketsForwarded InProfilePacketsOffered LowPriorityOctetsDropped LowPriorityOctetsForwarded LowPriorityOctetsOffered LowPriorityPacketsDropped LowPriorityPacketsForwarded LowPriorityPacketsOffered OutOfProfilePacketsDropped OutOfProfilePacketsForwarded OutOfProfilePacketsOffered OutOfProfileOctetsDropped
  • Page 410: Table 44: Queue Group Record Types

    Port (used for port based Queue Groups) member-port LAGMemberPort (used for port based Queue Groups) data slot Slot (used for Forwarding Plane based Queue Groups) forwarding-plane ForwardingPlane (used for Forwarding Plane based Queue Groups) queue-group QueueGroupName
  • Page 411 Table 45: Queue Group Record Type Fields (Continued) Field Field Description instance QueueGroupInstance QueueId PolicerId statmode PolicerStatMode aod...ucp same as above
  • Page 412: Design Considerations

    For example, with a 1GB CF and using the default collection interval, the system is expected to hold 48 hours' worth of billing information.
  • Page 413: Reporting And Time-Based Accounting

    This means that the network element gathers and stores per-subscriber accounting information and compares it with “pre-defined” quotas. Once a quota is exceeded, the pre-defined action (such as re-direction to a web portal or disconnect) is applied.
  • Page 414: Overhead Reduction In Accounting: Custom Record

    Assurance records; however without an ability to specify different significant change values and per-field scope (for example, all fields of a custom record are collected if any activity was reported against any of the statistics that are part of the custom record).
  • Page 415: Configurable Accounting Records

    (configurable) threshold. Specific to RADIUS accounting, the significant-change command does not affect ACCT-STOP messages. ACCT-STOP messages will always be sent, regardless of the amount of change of the corresponding host.
  • Page 416 For Application Assurance records, a significant change of 1 in any field of a customized record (send a record if any field changed) is supported. When configured, if any statistic field records activity, an accounting record containing all fields will be collected.
  • Page 417: Immediate Completion Of Records

    FC in the XML accounting files. In case the accounted object is deleted or changed, the latest information will be written in the XML file with a “final” tag indication in the record header.
  • Page 418: Configuration Notes

    Accounting policies must be configured in the config>log context before they can be applied to a service SAP or service interface, or applied to a network port. • The snmp-trap-id must be the same as the log-id.
  • Page 419: Configuring Logging With Cli

    Log Configuration Overview on page 420 → Log Types on page 420 • Basic Event Log Configuration on page 421 • Common Configuration Tasks on page 422 • Log Management Tasks on page 440
  • Page 420: Log Configuration Overview

    Accounting policies can be applied to one or more service access points (SAPs). • Event logs — An event log defines the types of events to be delivered to its associated destination. • Event throttling rate — Defines the rate of throttling events.
  • Page 421: Basic Event Log Configuration

    "This is a test file-id." location cf1: exit file-id 2 description "This is a test log." location cf1: exit snmp-trap-group 7 trap-target 11.22.33.44 "snmpv2c" notify-community "public" exit log-id 2 from main to file 2 exit ---------------------------------------------- A:ALA-12>config>log#
  • Page 422: Common Configuration Tasks

    CLI Syntax: config>log log-id log-id description description-string filter filter-id from {[main] [security] [change] [debug-trace]} to console to file file-id to memory [size] to session to snmp [size] to syslog syslog-id} time-format {local|utc} no shutdown
  • Page 423 The following displays a log file configuration example: ALA-12>config>log>log-id# info ---------------------------------------------- log-id 2 description "This is a test log file." filter 1 from main security to file 1 exit ---------------------------------------------- ALA-12>config>log>log-id#
  • Page 424: Configuring A File Id

    [backup-cflash-id] rollover minutes [retention hours] The following displays a log file configuration example: A:ALA-12>config>log# info ------------------------------------------ file-id 1 description "This is a log file." location cf1: rollover 600 retention 24 exit ---------------------------------------------- A:ALA-12>config>log#
  • Page 425: Configuring An Accounting Policy

    4 description "This is the default accounting policy." record complete-service-ingress-egress default to file 1 exit accounting-policy 5 description "This is a test accounting policy." record service-ingress-packets to file 3 exit ---------------------------------------------- A:ALA-12>config>log#
  • Page 426: Configuring Event Control

    The following displays an event control configuration: A:ALA-12>config>log# info #------------------------------------------ echo "Log Configuration" #------------------------------------------ throttle-rate 500 interval 10 event-control "oam" 2001 generate throttle event-control "ospf" 2001 suppress event-control "ospf" 2003 generate cleared event-control "ospf" 2014 generate critical ---------------------------------------------- A:ALA-12>config>log>filter#
  • Page 427: Configuring Throttle Rate

    Use the following CLI syntax to configure the throttle rate. CLI Syntax: config>log# throttle-rate events [interval seconds] The following displays a throttle rate configuration example: *A:gal171>config>log# info --------------------------------------------- throttle-rate 500 interval 10 event-control "bgp" 2001 generate throttle ---------------------------------------------- *A:gal171>config>log#
  • Page 428: Configuring A Log Filter

    "mirror" severity eq critical exit exit exit log-id 2 shutdown description "This is a test log file." filter 1 from main security to file 1 exit ------------------------------------------ A:ALA-12>config>log#
  • Page 429: Configuring An Snmp Trap Group

    The following displays a basic SNMP trap group configuration example: A:ALA-12>config>log# info ---------------------------------------------- snmp-trap-group 2 trap-target 10.10.10.104:5 "snmpv3" notify-community "coummunitystring" exit log-id 2 description "This is a test log file." filter 1 from main security to file 1 exit ---------------------------------------------- A:ALA-12>config>log#
  • Page 430 "xyz-test" address xx.xx.x.x snmpv2c notify-community "xyztesting" trap-target "test2" address xx.xx.xx.x snmpv2c notify-community "xyztesting" ---------------------------------------------- *A:SetupCLI>config>log>log-id# info ---------------------------------------------- from main to snmp ---------------------------------------------- *A:SetupCLI>config>router# interface xyz-test *A:SetupCLI>config>router>if# info ---------------------------------------------- address xx.xx.xx.x/24 port 1/1/1 ---------------------------------------------- *A:SetupCLI>config>router>if#
  • Page 431: Setting The Replay Parameter

    ------------------------------------------------------------------------------- Name : test2 Address : 20.20.20.5 Port : 162 Version : v2c Community : xyztesting Sec. Level : none Replay : disabled Replay from : n/a Last replay : never =============================================================================== A:SetupCLI>config>log>snmp-trap-group#
  • Page 432 "Status of Mda 1/1 changed administrative state: inService, operational state: inService" 3814 2008/04/22 23:35:38.88 UTC MINOR: CHASSIS #2002 Base Mda 1/2 "Class MDA Module : inserted" 3813 2008/04/22 23:35:38.88 UTC MINOR: CHASSIS #2002 Base Mda 1/1
  • Page 433: Shutdown In-Band Port

    ------------------------------------------------------------------------------- Name : test2 Address : 20.20.20.5 Port : 162 Version : v2c Community : xyztesting Sec. Level : none Replay : disabled Replay from : n/a Last replay : never =============================================================================== *A:SetupCLI#
  • Page 434 3818 2008/04/22 23:35:39.89 UTC WARNING: SYSTEM #2009 Base IP "Status of vRtrIfTable: router Base (index 1) interface xyz-test (index 35) changed administrative state: inService, operational state: inService" 3823 2008/04/22 23:41:49.82 UTC WARNING: SNMP #2005 Base xyz-test "Interface xyz-test is operational"
  • Page 435: No Shutdown Port

    An event message has been written to the logger that indicates the replay to the trap-target address has happened and displays the notification sequence ID of the first and last replayed notifications. *A:SetupCLI# show log log-id 44 ===============================================================================
  • Page 436 "Status of vRtrIfTable: router Base (index 1) interface xyz-test (index 35) changed administrative state: inService, operational state: inService" 3823 2008/04/22 23:41:49.82 UTC WARNING: SNMP #2005 Base xyz-test "Interface xyz-test is operational"
  • Page 437: Configuring A Syslog Target

    {emergency|alert|critical|error|warning|notice|info|debug} facility syslog-facility The following displays a syslog configuration example: A:ALA-12>config>log# info ---------------------------------------------- syslog 1 description "This is a syslog file." address 10.10.10.104 facility user level warning exit ---------------------------------------------- A:ALA-12>config>log#
  • Page 438: Configuring An Accounting Custom Record

    ---------------------------------------------- A:ALA-48>config>subscr-mgmt>acct-plcy# The following is an example custom record configuration. Dut-C>config>log>acct-policy>cr# info ---------------------------------------------- aa-specific aa-sub-counters short-duration-flow-count medium-duration-flow-count long-duration-flow-count total-flow-duration total-flows-completed-count exit from-aa-sub-counters flows-admitted-count flows-denied-count flows-active-count packets-admitted-count octets-admitted-count packets-denied-count octets-denied-count max-throughput-octet-count
  • Page 439 max-throughput-packet-count max-throughput-timestamp forwarding-class exit to-aa-sub-counters flows-admitted-count flows-denied-count flows-active-count packets-admitted-count octets-admitted-count packets-denied-count octets-denied-count max-throughput-octet-count max-throughput-packet-count max-throughput-timestamp forwarding-class exit exit significant-change 1 ref-aa-specific-counter any ----------------------------------------------
  • Page 440: Log Management Tasks

    Modifying a Log Filter on page 448 • Deleting a Log Filter on page 450 • Modifying Event Control Parameters on page 450 • Returning to the Default Event Control Configuration on page 451
  • Page 441: Modifying A Log File

    1 exit ---------------------------------------------- ALA-12>config>log>log-id# The following displays an example to modify log file parameters: Example: config# log config>log# log-id 2 config>log>log-id# description "Chassis log file." config>log>log-id# filter 2 config>log>log-id# from security config>log>log-id# exit
  • Page 442 The following displays the modified log file configuration: A:ALA-12>config>log# info ---------------------------------------------- log-id 2 description "Chassis log file." filter 2 from security to file 1 exit ---------------------------------------------- A:ALA-12>config>log#
  • Page 443: Deleting A Log File

    Use the following CLI syntax to delete a log file: CLI Syntax: config>log no log-id log-id shutdown The following displays an example to delete a log file: Example config# log config>log# log-id 2 config>log>log-id# shutdown config>log>log-id# exit config>log# no log-id 2
  • Page 444: Modifying A File Id

    "LocationTest." config>log>file-id# location cf2: config>log>file-id# rollover 2880 retention 500 config>log>file-id# exit The following displays the file modifications: A:ALA-12>config>log# info ---------------------------------------------- file-id 1 description "LocationTest." location cf2: rollover 2880 retention 500 exit ---------------------------------------------- A:ALA-12>config>log#
  • Page 445: Deleting A File Id

    NOTE: All references to the file ID must be deleted before the file ID can be removed. Use the following CLI syntax to delete a log ID: CLI Syntax: config>log no file-id log-file-id The following displays an example to delete a file ID: Example config>log# no file-id 1
  • Page 446: Modifying A Syslog Id

    ---------------------------------------------- A:ALA-12>config>log# Deleting a Syslog Use the following CLI syntax to delete a syslog file: CLI Syntax: config>log no syslog syslog-id The following displays an example to delete a syslog ID:
  • Page 447: Modifying An Snmp Trap Group

    10.10.10.104:5 config>log>snmp-trap-group# snmp-trap-group# trap-target 10.10.0.91:1 snmpv2c notify-community "com1" The following displays the SNMP trap group configuration: A:ALA-12>config>log# info ---------------------------------------------- snmp-trap-group 10 trap-target 10.10.0.91:1 "snmpv2c" notify-community "com1" exit ---------------------------------------------- A:ALA-12>config>log#
  • Page 448: Deleting An Snmp Trap Group

    CLI Syntax: config>log filter filter-id default-action {drop|forward} description description-string entry entry-id action {drop|forward} description description-string match application {eq|neq} application-id number {eq|neq|lt|lte|gt|gte} event-id router {eq|neq} router-instance [regexp] severity {eq|neq|lt|lte|gt|gte} severity-level subject {eq|neq} subject [regexp]
  • Page 449 The following displays the log filter configuration: A:ALA-12>config>log>filter# info ---------------------------------------- filter 1 description "This allows <n>." entry 1 action drop match application eq "user" number eq 2001 exit exit exit ---------------------------------------- A:ALA-12>config>log>filter#
  • Page 450: Deleting A Log Filter

    Use the following CLI syntax to modify event control parameters: CLI Syntax: config>log event-control application-id [event-name|event-number] generate [severity-level] [throttle] event-control application-id [event-name|event-number] suppress The following displays the current event control configuration: A:ALA-12>config>log# info ---------------------------------------------- event-control "ospf" 2014 generate critical ---------------------------------------------- A:ALA-12>config>log#
  • Page 451: Returning To The Default Event Control Configuration

    "ospf" 2003 generate warning event-control "ospf" 2004 generate critical event-control "ospf" 2005 generate warning event-control "ospf" 2006 generate warning event-control "ospf" 2007 generate warning event-control "ospf" 2008 generate warning event-control "ospf" 2009 generate warning
  • Page 452 "ospf" 2010 generate warning event-control "ospf" 2011 generate warning event-control "ospf" 2012 generate warning event-control "ospf" 2013 generate warning event-control "ospf" 2014 generate warning event-control "ospf" 2015 generate critical event-control "ospf" 2016 generate warning ---------------------------------------------- A:ALA-12>config>log#
  • Page 453: Log Command Reference

    — no event-control application [event-name | event-number] — [no] event-damping — route-preference primary {inband | outband} secondary {inband | outband | none} — no route-preference — throttle-rate events [interval seconds] — no throttle-rate
  • Page 454 — no accounting-policy acct-policy-id — [no] auto-bandwidth — [no] default — description description-string — no description — [no] include-router-info — [no] include-system-info — record record-name — no record — [no] shutdown — file log-file-id
  • Page 455 — [no] packets-admitted-count — [no] packets-denied-count — [no] override-counter override-counter-id — e-counters [all] — no e-counters — [no] in-profile-octets-discarded-count — [no] in-profile-octets-forwarded-count — [no] in-profile-packets-discarded-count — [no] in-profile-packets-forwarded-count — [no] out-profile-octets-discarded-count — [no] out-profile-octets-forwarded-count
  • Page 456 — ref-override-counter — no ref-override-counter — e-counters [all] — no e-counters — [no] in-profile-octets-discarded-count — [no] in-profile-octets-forwarded-count — [no] in-profile-packets-discarded-count — [no] in-profile-packets-forwarded-count — [no] out-profile-octets-discarded-count — [no] out-profile-octets-forwarded-count — [no] out-profile-packets-discarded-count
  • Page 457 — [no] high-packets-offered-count — [no] in-profile-octets-forwarded-count — [no] in-profile-packets-forwarded-count — [no] low-octets-discarded-count — [no] low-packets-discarded-count — [no] low-octets-offered-count — [no] low-packets-offered-count — [no] out-profile-octets-forwarded-count — [no] out-profile-packets-forwarded-count — significant-change delta — no significant-change 7450 ESS System Mangement Guide Page 457...
  • Page 458 {eq | neq} router-instance [regexp] — no router — severity {eq | neq | lt | lte | gt | gte} severity-level — no severity — subject {eq | neq} subject [regexp] — no subject Page 458 7450 ESS System Mangement Guide...
  • Page 459 — description description-string — no description — [no] shutdown — [no] trigger-entry entry-id — event-handler event-handler-name — [no] event-handler — description description-string — no description — log-filter filter-id — [no] log-filter 7450 ESS System Mangement Guide Page 459...
  • Page 460 — no description — trap-target name [address ip-address] [port port] [snmpv1 | snmpv2c | snmpv3] notify-community communityName | snmpv3SecurityName [security-level {no-auth-no-privacy | auth-no-privacy | privacy}] [replay] — no trap-target name
  • Page 461 — level {emergency | alert | critical | error | warning | notice | info | debug} — no level — log-prefix log-prefix-string — no log-prefix — port port — no port
  • Page 462 [log-id] [severity severity-level] [application application] [sequence from-seq [to-seq]] [count count] [router router-instance [expression] [subject subject [regexp]] [ascending|descending] [message format [msg-regexp]] — snmp-trap-group [log-id] — syslog [syslog-id] Clear Command clear — log-id
  • Page 463 Description This command administratively disables an entity. When disabled, an entity does not change, reset, or remove any configuration settings or statistics. The operational state of the entity is disabled as well
  • Page 464 Description The time delay that must pass before notifying specific CPM applications that a route is available after a cold reboot. Default no cold-start-wait Parameters — Values seconds: 1 – 300 Default
  • Page 465 Default Each event has a set of default settings. To display a list of all events and the current configuration use the event-control command.
  • Page 466 (configure>log>throttle-rate) for the specific log event. Values 1 — 20000 interval seconds — specifies the number of seconds that the specific throttling interval lasts. Values 1 — 1200 disable-specific-throttle — Specifies to disable the specific-throttle-rate.
  • Page 467 — Specifies that the logging utility will attempt to use the management routing context to send SNMP notifications and syslog messages to remote destinations. none — Specifies that no attempt will be made to send SNMP notifications and syslog messages to remote destinations.
  • Page 468 – mm is the minutes (for example, 30 for 30 minutes past the hour) – ss is the number of seconds (for example, 14 for 14 seconds) • The accounting file is compressed and has a gz extension.
  • Page 469 When creating files, the primary location is used as long as there is available space. If no space is available, an attempt is made to delete unnecessary files that are past their retention date.
  • Page 470 The file becomes a candidate for removal once the creation datestamp + rollover time + retention time is less than the current timestamp. Default Values 1 — 500
  • Page 471 Parameters drop — The events which are not explicitly forwarded by an event filter match are dropped. forward — The events which are not explicitly dropped by an event filter match are forwarded.
  • Page 472 The no form of the command removes the specified entry from the event filter. Entries removed from the event filter are immediately removed from all log-id’s where the filter is applied. Default No event filter entries are defined. An entry must be explicitly configured.
  • Page 473 The entry ID uniquely identifies a set of match criteria and the corresponding action within a filter. Entry ID values should be configured in staggered increments so you can insert a new entry in an existing policy without renumbering the existing entries. Values 1 — 999
  • Page 474 — The application name string. Values application_assurance, aps, atm, bgp, cflowd, chassis, debug, dhcp, dhcps, diameter, dynsvc, efm_oam, elmi, ering, eth_cfm, etun, filter, gsmp, igh, igmp,
  • Page 475 | neq | lt | lte | gt | gte — This operator specifies the type of match. Valid operators are listed in the table below. Valid operators are: Operator Notes equal to not equal to
  • Page 476 The latest severity command overwrites the previous command. The no form of the command removes the severity match criterion. Default no severity — No severity level match criterion is specified.
  • Page 477 Only one subject command can be entered per event filter entry. The latest subject command overwrites the previous command. The no form of the command removes the subject match criterion. Default no subject — No subject match criterion specified.
  • Page 478 When the regexp keyword is not specified, the subject command string is matched exactly by the event filter.
  • Page 479 The no form of the command removes the specified EHS handler action-list entry. Parameters entry-id — Specifies the identifier of the EHS handler entry. Values 1 — 1500
  • Page 480 Parameters policy-name — Specifies the script policy name. Can be up to 32 characters maximum. owner policy-owner — Specifies the script policy owner. Can be up to 32 characters maximum. Default “TiMOS CLI”
  • Page 481 If the log event occurs in the system and matches the criteria configured in the associated log filter then the handler will be executed. The no form of the command removes the specified trigger entry.
  • Page 482 EHS since the particular filter is only applied for a specific log event application and number, as configured under config>log>event-trigger. Parameters filter-id — Specifies the identifier of the filter. Values 1 — 1500
  • Page 483 The no form of the command removes the syslog target host IP address. Default no address — There is no syslog target host IP address defined for the syslog ID. Parameters ip-address — The IP address of the syslog target host in dotted decimal notation.
  • Page 484 Valid responses per RFC3164, The BSD syslog Protocol, are listed in the table below. Numerical Code Facility Code kernel user mail systemd auth syslogd printer net-news uucp cron auth-priv log-audit log-alert cron2 local0
  • Page 485 Context config>log>syslog syslog-id Description This command configures the syslog message severity level threshold. All messages with severity level equal to or higher than the threshold are sent to the syslog target host.
  • Page 486 The no form of the command reverts to default value. Default no port Parameters value — The value is the configured UDP port number used when sending syslog messages. Values 1 — 65535
  • Page 487 Values 1 — 20000 Default 2000 interval seconds — Specifies the number of seconds that an event throttling interval lasts. Values 1 — 1200 Default
  • Page 488 The trap-target command is used to add/remove a trap receiver from an snmp-trap-group. The operational parameters specified in the command include: • The IP address of the trap receiver • The UDP port used to send the SNMP trap • SNMP version
  • Page 489 SNMP security-name. If the SNMP version is changed from snmpv1 or snmpv2c to snmpv3, then the notify-community parameter must be changed to reflect the security-name rather than the community string used by snmpv1 or snmpv2c.
  • Page 490 Note that because of route table change convergence time, it is possible that one or more events may be lost at the beginning or end of a replay sequence. The cold-start-wait and route-recovery-wait timers under config>log>app-route-notifications can help reduce the probability of lost events.
  • Page 491 The main event stream contains the events that are not explicitly directed to any other event stream. To limit the events forwarded to the destination, configure filters using the filter command.
  • Page 492 The no form of the command deletes the log destination ID from the configuration. Default No log destinations are defined. Parameters log-id — The log ID number, expressed as a decimal integer. Values 1 — 100
  • Page 493 This command specifies a log ID destination. This parameter is mandatory when configuring a log destination. This command instructs the events selected for the log ID to be directed to a memory log.
  • Page 494 A local circular memory log is always maintained for SNMP notifications sent to the specified snmp-trap-group for the log-id. The source of the data stream must be specified in the from command prior to configuring the destination with the to command.
  • Page 495 — Specifies that timestamps are written in the system’s local time. utc — Specifies that timestamps are written using the UTC value. This was formerly called Greenwich Mean Time (GMT) and Zulu time.
  • Page 496 SAPs, network ports or channels where the policy is applied. Default No default accounting policy is defined. Parameters policy-id — The policy ID that uniquely identifies the accounting policy, expressed as a decimal integer. Values 1 — 99
  • Page 497 The record name must be specified prior to assigning an accounting policy as default. If a policy is configured as the default policy, then a no default command must be issued before a new default policy can be configured.
  • Page 498 This command allows the operator to optionally include router information at the top of each accounting file generated for a given accounting policy. When the no version of this command is selected, optional router information is not included at the top of the file. Default no include-router-info
  • Page 499 5 aa-protocol aa-application aa-app-group aa-subscriber-protocol aa-subscriber-application custom-record-subscriber custom-record-service custom-record-aa-sub queue-group-octets queue-group-packets combined-queue-group combined-mpls-lsp-ingress combined-mpls-lsp-egress combined-ldp-lsp-egress complete-pm video kpi-system kpi-bearer-mgmt kpi-bearer-traffic kpi-ref-point kpi-path-mgmt kci-iom-3 kci-system kci-bearer-mgmt
  • Page 500 No accounting record is defined Parameters record-name — The accounting record name. The following table lists the accounting record names available and the default collection interval. Record Type Accounting Record Name Default Interval service-ingress-octets service-egress-octets
  • Page 501 Accounting Record Name Default Interval service-ingress-packets service-egress-packets network-ingress-octets network-egress-octets network-ingress-packets network-egress-packets compact-service-ingress-octets combined-service-ingress combined-network-ing-egr-octets combined-service-ing-egr-octets complete-service-ingress-egress combined-sdp-ingress-egress complete-sdp-ingress-egress complete-subscriber-ingress-egress aa-protocol aa-application aa-app-group aa-subscriber-protocol aa-subscriber-application custom-record-subscriber custom-record-service custom-record-aa-sub queue-group-octets queue-group-packets combined-queue-group combined-mpls-lsp-ingress combined-mpls-lsp-egress combined-ldp-lsp-egress
  • Page 502 Accounting Policy Commands Record Type Accounting Record Name Default Interval complete-pm video kpi-system kpi-bearer-mgmt kpi-bearer-traffic kpi-ref-point kpi-path-mgmt kpi-iom-3 kci-system kci-bearer-mgmt kci-path-mgmt complete-kpi complete-kci kpi-bearer-group kpi-ref-path-group kpi-kci-bearer-mgmt kpi-kci-path-mgmt kpi-kci-system complete-kpi-kci aa-performance complete-ethernet-port extended-service-ingress-egress complete-network-ing-egr
  • Page 503 The file definition defines its characteristics. If the to command is executed while the accounting policy is in operation, then it becomes active during the next collection interval. Values 1 — 99
  • Page 504 The no form of the command reverts the configured values to the defaults. aa-specific Syntax [no] aa-specific Context config>log>acct-policy>cr Description This command enables the context to configure information for this custom record. The no form of the command
  • Page 505 [no] short-duration-flow-count Context config>log>acct-policy>cr>aa>aa-sub-cntr Description This command includes the short duration flow count in the AA subscriber's custom record. The no form of the command excludes the short duration flow count. Default no short-duration-flow-count
  • Page 506 This command enables the context to configure Application Assurance “from subscriber” counter parameters. The no form of the command excludes the “from subscriber” count. Syntax Context config>log>acct-policy>cr>aa>aa-from-sub-cntr config>log>acct-policy>cr>aa>aa-to-sub-cntr Default This command includes all counters.
  • Page 507 The no form of the command excludes the flow’s denied count. Default no flows-denied-count forwarding-class Syntax [no] forwarding-class Context config>log>acct-policy>cr>aa>aa-from-sub-cntr config>log>acct-policy>cr>aa>aa-to-sub-cntr Description This command enables the collection of Forwarding Class bitmap information added to the XML aa-sub and router level accounting records.
  • Page 508 [no] octets-admitted-count Context config>log>acct-policy>cr>aa>aa-from-sub-cntr config>log>acct-policy>cr>aa>aa-to-sub-cntr Description This command includes the admitted octet count in the AA subscriber's custom record. The no form of the command excludes the admitted octet count. Default no octets-admitted-count
  • Page 509 Syntax to-aa-sub-counters no to-aa-sub-counters Context config>log>acct-policy>cr>aa Description This command enables the context to configure Application Assurance “to subscriber” counter parameters. The no form of the command excludes the “to subscriber” count.
  • Page 510 — Specifies the queue-id for which counters will be collected in this custom record. e-counters Syntax [no] e-counters Context config>log>acct-policy>cr>override-cntr config>log>acct-policy>cr>queue config>log>acct-policy>cr>ref-override-cntr config>log>acct-policy>cr>ref-queue Description This command configures egress counter parameters for this custom record. The no form of the command reverts to the default value.
  • Page 511 The no form of the command excludes the in-profile octets discarded count. in-profile-octets-forwarded-count Syntax [no] in-profile-octets-forwarded-count Context config>log>acct-policy>cr>oc>e-count config>log>acct-policy>cr>roc>e-count config>log>acct-policy>cr>queue>e-count config>log>acct-policy>cr>ref-queue>e-count Description This command includes the in-profile octets forwarded count. The no form of the command excludes the in-profile octets forwarded count.
  • Page 512 Syntax [no] out-profile-octets-discarded-count Context config>log>acct-policy>cr>oc>e-count config>log>acct-policy>cr>roc>e-count config>log>acct-policy>cr>queue>e-count config>log>acct-policy>cr>ref-queue>e-count Description This command includes the out of profile packets discarded count. The no form of the command excludes the out of profile packets discarded count.
  • Page 513 Syntax [no] out-profile-packets-forwarded-count Context config>log>acct-policy>cr>oc>e-count config>log>acct-policy>cr>roc>e-count config>log>acct-policy>cr>queue>e-count config>log>acct-policy>cr>ref-queue>e-count Description This command includes the out of profile packets forwarded count. The no form of the command excludes the out of profile packets forwarded count.
  • Page 514 Syntax [no] high-octets-discarded-count Context config>log>acct-policy>cr>oc>i-count config>log>acct-policy>cr>roc>i-count config>log>acct-policy>cr>queue>i-count config>log>acct-policy>cr>ref-queue>i-count Description This command includes the high octets discarded count. The no form of the command excludes the high octets discarded count. Default no high-octets-discarded-count
  • Page 515 Syntax [no] high-packets-offered-count Context config>log>acct-policy>cr>oc>i-count config>log>acct-policy>cr>roc>i-count config>log>acct-policy>cr>queue>i-count config>log>acct-policy>cr>ref-queue>i-count Description This command includes the high packets offered count. The no form of the command excludes the high packets offered count. Default no high-packets-offered-count
  • Page 516 Syntax [no] low-octets-discarded-count Context config>log>acct-policy>cr>oc>i-count config>log>acct-policy>cr>roc>i-count config>log>acct-policy>cr>queue>i-count config>log>acct-policy>cr>ref-queue>i-count Description This command includes the low octets discarded count. The no form of the command excludes the low octets discarded count. Default no low-octets-discarded-count
  • Page 517 The no form of the command excludes the low octets discarded count. low-packets-offered-count Syntax [no] low-packets-offered-count Context config>log>acct-policy>cr>oc>i-count config>log>acct-policy>cr>roc>i-count config>log>acct-policy>cr>queue>i-count config>log>acct-policy>cr>ref-queue>i-count Description This command includes the low packets discarded count. The no form of the command excludes the low packets discarded count.
  • Page 518 Syntax [no] uncoloured-packets-offered-count Context config>log>acct-policy>cr>queue>i-count config>log>acct-policy>cr>ref-queue>i-count Description This command includes the uncoloured octets offered in the count. The no form of the command excludes the uncoloured octets offered in the count.
  • Page 519 Syntax ref-override-counter ref-override-counter-id ref-override-counter all no ref-override-counter Context config>log>acct-policy>cr Description This command configures a reference override counter. The no form of the command reverts to the default value. Default no ref-override-counter
  • Page 520 — Specifies the delta change (significant change) that is required for the custom record to be written to the xml file. Values 0 — 4294967295 (For custom-record-aa-sub only values 0 or 1 are supported.)
  • Page 521: Table 46: Show Accounting Policy Output Fields

    Down — Indicates that the policy is administratively disabled. Displays the operational state of the policy. Oper State Up — Indicates that the policy is operationally up. Down — Indicates that the policy is operationally down.
  • Page 522 SAP : 1/1/8:5 Collect-Stats Svc Id: 106 SAP : 1/1/8:6 Collect-Stats Svc Id: 107 SAP : 1/1/8:7 Collect-Stats Svc Id: 108 SAP : 1/1/8:8 Collect-Stats Svc Id: 109 SAP : 1/1/8:9 Collect-Stats ============================================================================== A:ALA-1#
  • Page 523: Table 47: Accounting Policy Output Fields

    The default interval, in minutes, in which statistics are collected and Def. Interval written to their destination. Sample Output NOTE: aa, video and subscriber records are not applicable to the 7950 XRS. A:ALA-1# show log accounting-records ========================================================== Accounting Policy Records ==========================================================
  • Page 524 This command displays a list of all application names that can be used in event-control and filter commands. Output Sample Output *A:7950 XRS-20# show log applications =================================== Log Event Application Names =================================== Application Name ----------------------------------- CHASSIS IGMP MIRROR MPLS
  • Page 525 — An “L” in front of an ID represents event types that do not generate an associated SNMP notification. Most events do generate a notification, only the exceptions are marked with a preceding “L”. The event name. Event Name
  • Page 526 2003 apsEventChannelMismatch 2004 apsEventPSBF 2005 apsEventFEPLF CCAG: CHASSIS: 2001 cardFailure 2002 cardInserted 2003 cardRemoved 2004 cardWrong 2005 EnvTemperatureTooHigh DEBUG: 2001 traceEvent DOT1X: FILTER: 2001 filterPBRPacketsDropped IGMP_SNOOPING: 2001 clearRTMError 2002 ipEtherBroadcast 2003 ipDuplicateAddress 2004 ipArpInfoOverwritten
  • Page 527 2007 tmnxVRtrMcastMaxRoutesCleared 2008 tmnxVRtrMaxArpEntriesTCA 2009 tmnxVRtrMaxArpEntriesCleared 2011 tmnxVRtrMaxRoutes ======================================================================= A:ALA-1# A:ALA-1# show log event-control ospf ======================================================================= Log Events ======================================================================= Application Event Name Logged Dropped ----------------------------------------------------------------------- 2001 ospfVirtIfStateChange 2002 ospfNbrStateChange 2003 ospfVirtNbrStateChange 2004 ospfIfConfigError
  • Page 528 Description This command enters the context to display EHS handler information. Parameters handler-name — Specifies the name of a specific handler. 32 characters maximum. detail — Keyword to list details of all handlers.
  • Page 529 The total number of times that the action-list entry attempted execution. Total Sample Output A:node1>show>log>event-handling# handler =============================================================================== Event Handling System - Handler List =============================================================================== Handler Admin Oper Description Name State State
  • Page 530 Specifying a file ID displays detailed information on the event file log. Parameters log-file-id — Displays detailed information on the specified event file log. Output Log File Output — The following table describes the output fields for a log file summary.
  • Page 531 ------------------------------------------------------------- cf1: cf2: cf1: cf1: cf3: cf1: 1440 cf1: none cf1: 1440 cf1: none none 1440 cf1: none none 1440 cf1: none none 1440 cf1: none none =============================================================
  • Page 532: Table 48: Event Log Filter Summary Output Fields

    The default action for the event log filter is to drop events not Default Action matching filter entries. forward. The default action for the event log filter is to forward events not matching filter entries. The description string for the filter ID. Description
  • Page 533: Table 49: Event Log Filter Detail Output Fields

    — The default action for the event log filter is to forward events not matching filter entries. The description string for the filter ID. Description (Filter-id) Table 50: Log Filter Match Criteria Output Fields Label Description The event log filter entry ID. Entry-id
  • Page 534 Displays the event log filter entry application event ID router router- Router instance string match criterion. There is an operator field for each match criteria: Operator application, event number, severity, and subject. equal — Matches when equal to the match criterion.
  • Page 535 : exact string Description : Collect only events of major severity or higher -------------------------------------------------------------------------- ========================================================================== *A:ALA-48>config>log# log-collector Syntax log-collector Context show>log Description Show log collector statistics for the main, security, change and debug log collectors.
  • Page 536: Table 51: Show Log-Collector Output Fields

    File — All selected log events will be directed to a file on one of the CPM’s compact flash disks. Memory — All selected log events will be directed to an in-memory storage area.
  • Page 537 Default Displays the event log summary Values 1 — 99 severity severity-level — Displays only events with the specified and higher severity. Default All severity levels Values cleared, indeterminate, critical, major, minor, warning
  • Page 538 If the value is 0, then all events in the source log are forwarded to the destination.
  • Page 539 When the time format is local, timestamps are written in the system's local time. Sample Output A:ALA-1# show log log-id ===================================================================== Event Logs ===================================================================== Log Source Filter Admin Oper Logged Dropped Dest Dest Size State State Type --------------------------------------------------------------------
  • Page 540 14 2000/01/05 00:54:09.11 UTC WARNING: MPLS #2007 Base VR 1: "Instance is in administrative state: inService, operational state: inService" 13 2000/01/05 00:54:09.11 UTC WARNING: MPLS #2008 Base VR 1: "Interface linkToIxia is in administrative state: inService, operational state: inService" ..=============================================================================== A:NS061550532>config>log>snmp-trap-group#
  • Page 541: Table 52: Snmp Trap Group Output Fields

    If no events have ever been replayed this field shows never. Sample Output A:SetupCLI>config>log>snmp-trap-group# show log snmp-trap-group 44 =============================================================================== SNMP Trap Group 44 =============================================================================== Description : none ------------------------------------------------------------------------------- Name : ntt-test Address : 10.10.10.3 Port : 162
  • Page 542: Table 53: Show Log Syslog Output Fields

    A count of messages not sent to the syslog collector target because the Below Level severity level of the message was above the configured severity. The Dropped higher the level, the lower the severity.
  • Page 543 : 192.168.15.22 Port : 514 Log-ids : none Prefix : Sr12 Facility : local1 Severity Level : info Prefix Level : yes Below Level Drop : 0 Description : Linux Station Springsteen =============================================================================== *A:MV-SR>config>log#
  • Page 544 This command is only applicable to event logs that are directed to file destinations and memory destinations. SNMP, syslog and console/session logs are not affected by this command. Parameters log-id. The event log ID to be initialized/rolled over. Values 1 — 100
  • Page 545: Standards And Protocol Support

    Standards and Protocol Support Note that the information presented is subject to change without notice. Alcatel-Lucent assumes no responsibility for inaccuracies contained herein. OSPF RFC 2858 Multiprotocol Extensions for BGP-4 RFC 1586 Guidelines for Running OSPF Over Frame Relay Networks...
  • Page 546: Standards And Protocols

    Internet Protocol Version 6 (IPv6) (Helper Mode) RFC 5998 An Extension for EAP-Only Specification RFC 5307 IS-IS Extensions in Support of Authentication in IKEv2 RFC 4552 Authentication/Confidentiality Generalized Multi-Protocol Label for OSPFv3 Switching (GMPLS)
  • Page 547 RFC 5059 Bootstrap Router (BSR) Identification Codes Mechanism for Protocol RFC 3209 Extensions to RSVP for RFC 3443 Time To Live (TTL) Independent Multicast (PIM) Tunnels Processing in Multi-Protocol Label Switching (MPLS) Networks
  • Page 548 Label Switching (MPLS) - in Resource ReSerVation Protocol - Extensions to LSP Ping TCP/IP Traffic Engineering (RSVP-TE) RFC 768 UDP MPLS — TP (7750/7450 only) RFC 3564 Requirements for Diff-Serv- RFC 791 IP aware TE RFC 5586 MPLS Generic Associated RFC 792 ICMP...
  • Page 549 MPLS Networks RFC 2684 Multiprotocol Encapsulation fr TCP RFC 4446 IANA Allocations for PWE3 over ATM Adaptation Layer 5 RFC 5508 NAT Behavioral Requirements RFC 4447 Pseudowire Setup and for ICMP Maintenance Using LDP
  • Page 550 ETSI TS 101 329-5 Annex E extensions- RFC 4250 The Secure Shell (SSH) QoS Measurement for VoIP - Protocol Assigned Numbers Method for determining an RFC 4251 The Secure Shell (SSH) Protocol Architecture
  • Page 551 Listener Discovery Protocol Information Base RFC 3164 Syslog draft-ietf-mpls-ldp-mib-07 Definitions of RFC 3273 HCRMON-MIB Managed Objects for the RFC 3411 An Architecture for Multiprotocol Label Switching, Describing Simple Network Label Distribution Protocol (LDP)
  • Page 553 Customer documentation and product support Customer documentation http://documentation.alcatel-lucent.com Technical support http://support.alcatel-lucent.com Documentation feedback documentation.feedback@alcatel-lucent.com...
  • Page 554 © 2015 Alcatel-Lucent. All rights reserved. 3HE 09856 AAAA TQZZA 01...