Support for ICSR Configurations; Encrypted SNMP Community Strings; Lawful Intercept Restrictions; LI Server Addresses - Cisco ASR 5000 Administration Manual

StarOS Release 21.1

• Change the chassis key to the new desired value.
• Save the configuration with this new chassis key.
Refer to Configuring a Chassis Key in System Settings for additional information.
Support for ICSR Configurations
Inter-Chassis Session Recovery (ICSR) is a redundancy configuration that employs two identically configured
ASR 5x00 chassis as a redundant pair.
ICSR chassis share the same chassis key. If the ICSR detects that the two chassis have incompatible chassis
keys, an error message is logged but the ICSR system will continue to run. Without the matching chassis key,
the standby ICSR chassis can recover services if the active chassis goes out of service; the standby chassis
will still have access to the passwords in their decrypted form.
ICSR chassis use Service Redundancy Protocol (SRP) to periodically check to see if the redundancy
configuration matches with either decrypted passwords or DES-based two-way encryption strings. Since the
configuration is generated internally to the software, users are not able to access the configuration used to
check ICSR compatibility.

Encrypted SNMP Community Strings

Simple Network Management Protocol (SNMP) uses community strings as passwords for network elements.
Although these community strings are sent in clear-text in the SNMP PDUs, the values can be encrypted in
the configuration file.
The snmp community encrypted name command enables the encryption of SNMP community strings. For
additional information, see the Global Configuration Mode Commands chapter in the Command Line Interface
Reference.
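
An added example, not part of the Cisco guide: a small audit that scans a saved configuration and flags SNMP community lines that are not stored in the encrypted form. The cleartext "snmp community name" form, the trailing read-only/read-write keywords, the sample configuration and the function names are assumptions made for illustration.

```python
import re

# Constructed sample configuration, not taken from a real system.
# Assumption: the cleartext form is "snmp community name <value>"; only the
# "snmp community encrypted name" form is named on this page.
SAMPLE_CONFIG = """\
config
  snmp community encrypted name EXAMPLE-ENCRYPTED-VALUE read-only
  snmp community name public read-only
  snmp community  name  ops-rw read-write
end
"""

# Matches both forms; the optional "encrypted" keyword decides the verdict.
_SNMP_LINE = re.compile(
    r"^\s*snmp\s+community\s+(?P<enc>encrypted\s+)?name\s+"
    r"(?P<value>\S+)(?P<rest>.*)$"
)


def audit_snmp_communities(config_text):
    """Return one finding per SNMP community line in config_text."""
    findings = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        match = _SNMP_LINE.match(line)
        if match is None:
            continue
        encrypted = match.group("enc") is not None
        findings.append({
            "line": lineno,
            "encrypted": encrypted,
            # Assumed access keyword; a writable cleartext string is the worst case.
            "read_write": "read-write" in match.group("rest").split(),
            # Never copy a cleartext community string into the report.
            "value": match.group("value") if encrypted else "<redacted>",
        })
    return findings


def cleartext_lines(config_text):
    """Line numbers of community strings stored without encryption."""
    return [f["line"] for f in audit_snmp_communities(config_text)
            if not f["encrypted"]]


if __name__ == "__main__":
    for finding in audit_snmp_communities(SAMPLE_CONFIG):
        status = "encrypted" if finding["encrypted"] else "CLEARTEXT"
        access = "read-write" if finding["read_write"] else "read-only"
        print(f"line {finding['line']}: {status} ({access}) {finding['value']}")
```

A clean result only covers the stored configuration; as stated above, the community string still travels in clear-text in the SNMP PDUs.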

Lawful Intercept Restrictions

This section describes some of the security features associated with the provisioning of Lawful Intercept (LI).
For additional information, refer to the Lawful Intercept Configuration Guide.

LI Server Addresses

An external authenticating agent (such as RADIUS or Diameter) sends a list of LI server addresses as part of
access-accept. For any intercept that was already installed or will be installed for that subscriber, a security
check is performed to match the LI server address with any of the LI-addresses that were received from the
authenticating agent. Only those addresses that pass this criterion will get the intercepted information for that
subscriber.
While configuring a campon trigger, the user will not be required to enter the destination LI server addresses.
When a matching call for that campon trigger is detected, a security check is done with the list received from
the authentication agent. The LI-related information is only forwarded if a matching address is found.
When an active-only intercept is configured, if a matching call is found, a security check is made for the LI
address received from the authentication agent and the intercept configuration will be rejected.
ASR 5000 System Administration Guide, StarOS Release 21.1
System Security
