Cisco SCE8000 Software Configuration
Guide
Release 3.1.6S
February 15, 2011
Americas Headquarters
Cisco Systems, Inc.
170 West Tasman Drive
San Jose, CA 95134-1706
USA
http://www.cisco.com
Tel: 408 526-4000
800 553-NETS (6387)
Fax: 408 527-0883
Text Part Number: OL-16479-01

   Summary of Contents for Cisco SCE8000


  • Page 2

    OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco Logo are trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and other countries. A listing of Cisco's trademarks can be found at www.cisco.com/go/trademarks.

  • Page 3: Table Of Contents

    CLI Command Hierarchy Prompt Indications CLI Help Features Partial Help Argument Help The [no] Prefix Navigational and Shortcut Features Command History Keyboard Shortcuts Tab Completion FTP User Name and Password Managing Command Output Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S OL-16479-01...

  • Page 4

    How to Display the SCE Platform Version Information Example for Displaying the SCE Platform Version Information How to Display the SCE Platform Inventory 3-10 Examples for Displaying the SCE Platform Inventory 3-11

  • Page 5

    Configuring the Management Interface and Security C H A P T E R About Management Interface and Security Configuring the Management Port How to Enter Management Interface Configuration Mode Configuring the Management Port Physical Parameters

  • Page 6

    How to Enable the SNMP Interface 5-25 How to Disable the SNMP Interface 5-25 Configuring and Managing the SNMP Interface 5-25 About the SNMP Interface 5-25 SNMP Protocol 5-26 Security Considerations 5-26

  • Page 7

    Setting the Calendar: Example 5-40 Setting the Time Zone 5-40 Options 5-40 Setting the Time Zone: Example 5-40 Removing the Current Time Zone Setting 5-41 Configuring Daylight Saving Time 5-41 Options 5-41 Guidelines 5-42

  • Page 8

    Configuring Traffic Rules and Counters Traffic Rules and Counters What are Traffic Rules and Counters? Traffic Rules Traffic Counters 6-10 Configuring Traffic Counters 6-10 How to Create a Traffic Counter 6-10

  • Page 9

    Link Failure Reflection How to Enable Link Failure Reflection How to Disable Link Failure Reflection Enabling and Disabling Link Failure Reflection on All Ports Options How to Enable Link Failure Reflection on All Ports

  • Page 10

    NetFlow Exporting Support Data Destinations Categories Priority Setting DSCP for NetFlow Forwarding Modes Protocol Transport Type Configuring Data Destinations and Categories Configuring a Data Destination Options Configuring the Data Destinations: Examples Configuring the Data Categories

  • Page 11

    Subscriber Modes in Service Control Solutions Subscriber Mapping Limits Aging Subscribers Anonymous Groups and Subscriber Templates Subscriber Files Subscriber default csv file format Subscriber anonymous groups csv file format Importing and Exporting Subscriber Information

  • Page 12

    How to display OS counters for a specified subscriber 9-18 Displaying Anonymous Subscriber Information 9-19 How to display currently configured anonymous groups 9-19 How to display currently configured templates for anonymous groups 9-19

  • Page 13

    How to Enable Specific-IP Detection for the TCP Protocol for Port-based Detections Only for Dual-sided Attacks 10-9 How to Disable Specific-IP Detection for Protocols Other than TCP, UDP, and ICMP for all Attack Directions 10-10

  • Page 14

    Monitoring Attack Filtering Using CLI Commands 10-22 How to display a specified attack detector configuration 10-23 How to display the default attack detector configuration 10-24 How to display all attack detector configurations 10-25

  • Page 15

    How to Assign the SCMP Peer Device to an Anonymous Group 11-10 Deleting Subscribers Managed by an SCMP Peer Device 11-11 Options 11-11 Deleting an SCMP Peer Device 11-11 Defining the Subscriber ID 11-11

  • Page 16

    A P P E N D I X MIB Files Loading MIBs pcube to Cisco MIB Mapping Pcube Engage MIB (CISCO-SCA-BB-MIB) pcube to Cisco MIB Mapping: Detailed OID Mappings Monitoring SCE Platform Utilization A P P E N D I X SCE Platform Utilization Indicators CPU Utilization...

  • Page 17

    Preface This preface describes who should read the Cisco SCE8000 Software Configuration Guide, how it is organized, and its document conventions. This guide is for experienced network administrators who are responsible for configuring and maintaining the SCE platform. Document Revision History The Document Revision History below records changes to this document.

  • Page 18

    Protocol (SCMP), which is a protocol that integrates the SCE platform and the ISG (Intelligent Service Gateway) functionality of the Cisco routers. It also explains how to configure and manage SCMP, SCMP peer devices and the RADIUS client. Cisco Service Control MIBs,...

  • Page 19

    Cisco Service Control Application for Broadband User Guide – Cisco Service Control Application Reporter User Guide • To view Cisco documentation or obtain general information about the documentation, refer to the following sources: – Obtaining Documentation and Submitting a Service Request, page -xx –...

  • Page 20

    Obtaining Documentation and Submitting a Service Request For information on obtaining documentation, submitting a service request, and gathering additional information, see the monthly What's New in Cisco Product Documentation, which also lists all new and revised Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html...

  • Page 21: Cisco Service Control Solution

    C H A P T E R Cisco Service Control Overview This chapter provides a general overview of the Cisco Service Control solution. It introduces the Cisco service control concept and capabilities. It also briefly describes the hardware capabilities of the service control engine (SCE) platform and the Cisco specific applications that together compose the complete Cisco service control solution.

  • Page 22: Chapter 1 Cisco Service Control Overview

    (BSS) and operational support systems (OSS) Cisco Service Control Capabilities The core of the Cisco service control solution is the network hardware device: the Service control engine (SCE). The core capabilities of the SCE platform, which support a wide range of applications for delivering service control solutions, include: Subscriber and application awareness—Application-level drilling into IP traffic for real-time...

  • Page 23: Sce Platform Description

    • Transparent network and BSS and OSS integration into existing networks • Subscriber awareness that relates traffic and usage to specific customers Figure 1-1 illustrates a common deployment of an SCE platform in a network.

  • Page 24: Management And Collection

    Management and Collection The Cisco service control solution includes a complete management infrastructure that provides the following management components to manage all aspects of the solution: Network management • Subscriber management • •...

  • Page 25: Network Management

    Subscriber Management Where the Cisco service control application for broadband (SCA BB) enforces policies on different subscribers and tracks usage on an individual subscriber basis, the Cisco service control management suite (SCMS) subscriber manager (SM) may be used as middleware software for bridging between OSS and SCE platforms.

  • Page 26: Service Configuration Management

    Records (RDRs), which the SCE platform forwards using a simple TCP-based protocol (RDR-Protocol). RDRs are processed by the Cisco service control management suite collection manager. The collection manager software is an implementation of a collection system that receives RDRs from one or more SCE platforms. It collects these records and processes them in one of its adapters.

  • Page 27: Getting Help

    To obtain a list of commands that are available for each command mode, enter a question mark (?) at the system prompt. You also can obtain a list of keywords and arguments associated with any command using the context-sensitive help feature.

  • Page 28: Chapter 2 Command Line Interface

    The on-screen prompt indicates both your authorization level and your command hierarchy level, as well as the assigned hostname. Note: Throughout the manual, SCE is used as the sample host name.

  • Page 29: Cli Command Hierarchy

    This enhances the security of the system by not revealing its identity to unauthorized people. The list of available commands in each mode can be viewed using the question mark ‘?’ at the end of the prompt.

  • Page 30

    In order for the auto-completion feature to work, when you move from one interface configuration mode to another, you must first exit the current interface configuration mode (as illustrated in the above figure).

  • Page 31: Prompt Indications

    Root level #> Command hierarchy levels are indicated as follows (command hierarchy: prompt indication): User Exec: SCE>; Privileged Exec: sce#; Global Configuration: (config)#; Interface Configuration: (config-if)#; Line Configuration: (config-line)#

  • Page 32: Cli Help Features

    The following example illustrates how to get a list of all arguments or keywords expected after the command snmp-server. SCE(config)#snmp-server? community Define community string contact Set system contact enable Enable the SNMP agent host Set traps destination interface Set interface parameters SCE(config)# snmp-server

  • Page 33: The [no] Prefix

    Using the keyboard, you can navigate through your last commands, one by one, or all commands that start with a given prefix. By default, the system saves the last 30 commands you typed. You can change the number of commands remembered using the history size command.

  • Page 34: Keyboard Shortcuts

    CTRL-Y: Recall the last item deleted. <Tab>: Completes the word when there is only one possible completion. CTRL-I: Completes the word when there is only one possible completion. (Same functionality as <Tab>.)

  • Page 35: Tab Completion

    • Filtering options — You can filter the output so that output lines are displayed only if they include or exclude a specified expression. • Redirecting to a file — You can send the output to a specified file.

  • Page 36: Scrolling The Screen Display

    — The new output of the command will overwrite the existing contents of the file. • append — The new output of the command will be appended to the existing contents of the file.

  • Page 37: Cli Authorization Levels

    Password required. For use by technical field engineers, #> the Root authorization level enables configuration of all advanced settings, such as debug and disaster recovery. The Root level is used by technical engineers only.

  • Page 38: How To Change From User To Viewer Level Authorization

    Password: <Cisco> SCE#>disable sce> Exiting Modes This section describes how to revert to a previous mode. • To exit from one authorization level to the previous one, use the disable command.

  • Page 39: How To Exit From The Privileged Exec Mode And Revert To The Viewer Mode

    • How to exit the Global Configuration Mode, page 2-14 How to enter the Global Configuration Mode Step 1 At the SCE# prompt, type configure and press Enter. The SCE(config)# prompt appears.

  • Page 40: How To Exit The Global Configuration Mode

    • GigabitEthernet number 1/1 speed • duplex • Line (10 GBE) Interface slot number/bay TenGigabitEthernet number/port number (3/0/0, 3/1/0, 3/2/0, (3/0/0 | 3/1/0 | 3/2/0 | 3/3/0) 3/3/0)

  • Page 41: Entering Management Interface Configuration Mode

    SCE(config-if)# Step 3 To return to Global Configuration Mode, type exit and press Enter. The SCE(config)# prompt appears. Step 4 To exit Global Configuration Mode, type exit and press Enter.

  • Page 42: Entering Line Interface Configuration Mode

    The specified command executes without exiting to the appropriate exec command mode. The following example shows how to display the running configuration while in interface configuration mode. SCE(config-if#) do show running-config

  • Page 43: Creating A Cli Script

    Device ‘//apps/data/scos/’ has 81154048 bytes free, 21447973 bytes are needed for extraction, all is well. Extracting files to temp locations... Renaming temp files... Extracted OK. Backing-up general configuration file... Copy temporary file to final location... sce#script stop sce#


  • Page 45: Starting The Cisco Sce8000 Platform

    C H A P T E R Basic Cisco SCE8000 Platform Operations This chapter describes how to start up the Cisco SCE8000 platform, reboot, and shutdown. It also describes how to manage configurations. Starting the Cisco SCE8000 Platform, page 3-1 •...

  • Page 46: Starting The System And Observing Initial Conditions

    The Status LED should be a constant amber while booting. After a successful boot, the Status LED is steady green. Note: It takes several minutes for the Cisco SCE8000 to boot and for the status LED to change from amber to green.

  • Page 47: How To Verify Operational Status

    How to Verify Operational Status After all the ports are connected, verify that the Cisco SCE8000 is not in a Warning state. Step 1 On the front panel of the Service Control module, examine the Status LED; it should be green.

  • Page 48: Viewing Configurations

    Viewing the startup configuration: show startup-config • After configuring the SCE platform, you may query for the running configuration using the command show running-config. At the Cisco SCE8000# prompt, type show running-config. Step 1 The system shows the running configuration. SCE8000#>show running-config #This is a general configuration file (running-config).

  • Page 49: How To Save Or Change The Configuration Settings

    exit ip default-gateway 10.56.96.1 line vty 0 4 exit management-agent property "com.pcube.management.framework.install.activation.operation" "Install" management-agent property "com.pcube.management.framework.install.activated.package" "SCA BB" management-agent property "com.pcube.management.framework.install.activated.version" "3.1.6 build 79" management-agent property "com.pcube.management.framework.install.activation.date" "Sun May 11 08:44:04 GMT+00:00 2008"...

  • Page 50: Example For Saving Or Changing The Configuration Settings

    Example for Saving or Changing the Configuration Settings The following example shows how to save the running configuration file (first displaying the file to review the settings). SCE#show running-config #This is a general configuration file (running-config)....

  • Page 51: Restoring A Previous Configuration

    To remove a configuration command from the running-config, use the no form of the command. The following example illustrates how to remove all DNS settings from the running configuration. SCE(config)#no ip name-server...

  • Page 52: How To Display The Sce Platform Version Information

    attack-filter subscriber-notification ports 80 replace spare-memory code bytes 3145728 interface GigabitEthernet 1/1 ip address 10.56.96.46 255.255.252.0 interface TenGigabitEthernet 3/0/0 bandwidth 10000000 burst-size 50000 global-controller 0 name "Default Global Controller"...

  • Page 53

    select : [ubs-cf1] 1.0.0/5 (secondary: [ubs-cf1] 1.0.0/5) ---------------- Slot 1: SCM-8000 ---------------- serial-num : CAT1202G07D part-num : 73-10598-01 38 cpld : 0x8162 vtpld : 0xc001...

  • Page 54: How To Display The Sce Platform Inventory

    SCE8000 uptime is 9 minutes, 54 seconds How to Display the SCE Platform Inventory Unique Device Identification (UDI) is a Cisco baseline feature that is supported by all Cisco platforms. This feature allows network administrators to remotely manage the assets in their network by tracing specific devices through either CLI or SNMP.

  • Page 55: Examples For Displaying The Sce Platform Inventory

    NAME: "SCE8000 Chassis", DESCR: "CISCO7604" PID: CISCO7604 , VID: V0 , SN: FOX105108X5 NAME: "SCE8000 Service Control Module (SCM) in slot 1", DESCR: "SCE8000-SCM-E" PID: SCE8000-SCM-E , VID: V0 , SN: CAT1122584N NAME: "SCE8000 SPA Interface Processor (SIP) in slot 3", DESCR: "SCE8000-SIP"...

  • Page 56: Displaying The Complete Sce Platform Inventory

    NAME: "SCE8000 Fan Module", DESCR: "Container SCE8000 Fan Module" PID: "" , VID: "" , SN: "" NAME: "SCE8000 AC and DC power supply", DESCR: "Container SCE8000 AC and DC power supply" PID: "" , VID: "" , SN: ""...

  • Page 57

    NAME: "SCE8000 SIP bay 3/2", DESCR: "SCE8000 SIP bay" PID: "" , VID: "" , SN: "" NAME: "SCE8000 SIP bay 3/3", DESCR: "SCE8000 SIP bay"...

  • Page 58: How To Display The System Uptime

    NAME: "SCE8000 traffic processor 5", DESCR: "SCE8000 traffic processor" PID: "" , VID: "" , SN: "" NAME: "SCE8000 traffic processor 6", DESCR: "SCE8000 traffic processor" PID: ""...

  • Page 59: Examples For Rebooting The Sce Platform

    Note: When the SCE restarts, it loads the startup configuration, so all changes made in the running configuration will be lost. You are advised to save the running configuration before performing reload,...

  • Page 60

    Note: Since the SCE platform can recover from the power-down state only by being physically turned off (or cycling the power), this command can only be executed from the serial CLI console. This limitation helps prevent situations in which a user issues this command from a Telnet session, and then realizes he or she has no physical access to the SCE platform.

  • Page 61: Utilities

    • How to Display your Working Directory, page 4-2 • How to List the Files in a Directory, page 4-2 How to Create a Directory mkdir Step 1 From the SCE# prompt, type mkdir directory-name and press Enter.

  • Page 62: How To Delete A Directory

    • How to List the Files in the Current Directory, page 4-3 • How to List the Applications in the Current Directory, page 4-3 • How to Include Files in Sub-Directories in the Directory Files List, page 4-3

  • Page 63: Working With Files

    Step 1 From the SCE# prompt, type rename current-file-name new-file-name and press Enter. How to Delete a File delete Step 1 From the SCE# prompt, type delete file-name and press Enter.

  • Page 64

    Uploading a File to a Passive FTP Site: Example The following example uploads the analysis.sli file located on the local flash file system to the host 10.1.1.105, specifying Passive FTP. SCE#copy-passive /appli/analysis.sli ftp://myname:mypw@10.1.1.1/p:/appli/analysis.sli sce#

  • Page 65: The User Log

    Basic operations include: • Copying the User Log to an external location • Viewing the User Log • Clearing the User Log • Viewing/clearing the User Log counters

  • Page 66: Copying The User Log

    There are two types of log counters: • User log counters — count the number of system events logged from the SCE platform last reboot. • Non-volatile counters — are not cleared during boot time

  • Page 67: Viewing The User Log

    In order for technical support to be most effective, the user should provide them with the information contained in the system logs. Use the logger get support-file command to generate a support file via FTP for the use of Cisco technical support staff. From the SCE# prompt, type logger get support-file filename and press Enter.


  • Page 69: About Management Interface And Security

    Perform the following tasks to configure the management interface and management interface security: • Configure the management port: – Physical parameters • Configure management interface security – Configure the permitted and not-permitted IP addresses

  • Page 70: Configuring The Management Port

    • Setting the IP Address and Subnet Mask of the Management Interface, page 5-3 • Configuring the Management Interface Speed and Duplex Parameters, page 5-3 • How to Monitor the Management Interface, page 5-5

  • Page 71: Setting The Ip Address And Subnet Mask Of The Management Interface

    • Interface State Relationship to Speed and Duplex, page 5-4 • How to Configure the Speed of the Management Interface, page 5-4 • How to Configure the Duplex Operation of the Management Interface, page 5-5

  • Page 72: Interface State Relationship To Speed And Duplex

    Specify the desired speed option. Configuring the Speed of the Management Interface: Example The following example shows how to use this command to configure the Management port to 100 Mbps speed. SCE(config-if)#speed 100

  • Page 73: How To Configure The Duplex Operation Of The Management Interface

    Step 1 From the SCE# prompt, type show GigabitEthernet interface Mng 1/1 [auto-negotiate|ip address] and press Enter. Displays the GBE management interface configuration. If no option is specified, all management interface information is displayed.

  • Page 74: Configuring The Available Interfaces

    The TACACS+ protocol provides authentication between the network element and the TACACS+ ACS, and it can also ensure confidentiality, if a key is configured, by encrypting all protocol exchanges between a network element and a TACACS+ server.

  • Page 75

    After a successful login the user is granted a default privilege level of 0, giving the user the ability to execute a limited number of commands. Changing privilege level is done by executing the "enable" command. This command initiates the privilege level authorization mechanism.

  • Page 76

    Configure the remote servers for the protocols. Keep in mind the following guidelines: – Configure the encryption key that the server and client will use. – The maximal user privilege level and enable password (password used when executing the enable command) should be provided.

  • Page 77: How To Configure The Sce Platform Tacacs+ Client

    • How to Add a New TACACS+ Server Host, page 5-10 • How to Remove a TACACS+ Server Host, page 5-11 • How to Configure the Global Default Key, page 5-11 • How to Configure the Global Default Timeout, page 5-12

  • Page 78

    — time in seconds that the server waits for a reply from the server host before timing out – Default = 5 seconds or user-configured global default timeout interval (See How to Define the Global Default Timeout, page 5-12.)

  • Page 79

    No global default key is defined. Each TACACS+ server host may still have a specific key defined. However, any server host that does not have a key explicitly defined (uses the global default key) is now configured to use no key.

  • Page 80: How To Manage The User Database

    Use these commands to add a new user to the local database. Up to 100 users may be defined. • Options, page 5-13 • How to Add a User with a Clear Text Password, page 5-13 • How to Add a User with No Password, page 5-13

  • Page 81

    Step 1 From the SCE(config)# prompt, type username name password password and press Enter. How to Add a User with No Password Step 1 From the SCE(config)# prompt, type username name nopassword and press Enter.

  • Page 82

    In the config files (running config and startup config), this command will appear as two separate commands. • Options, page 5-15 • How to Add a User with a Privilege Level and a Clear Text Password, page 5-15

  • Page 83

    How to Add a User with a Privilege Level and an MD5 Encrypted Password Entered as an MD5 Encrypted String Step 1 From the SCE(config)# prompt, type username name privilege level secret 5 encrypted-secret and press Enter.

  • Page 84: Configuring Aaa Login Authentication

    Use this command to specify which login authentication methods are to be used, and in what order of preference. • Options, page 5-17 • How to Specify the Login Authentication Methods, page 5-17 • How to Delete the Login Authentication Methods List, page 5-17

  • Page 85: Configuring Aaa Privilege Level Authorization Methods

    – TACACS+ — Use TACACS+ authorization. – local — Use the local username database for authorization – enable (default) — Use the "enable" password for authorization – none — Use no authorization.

  • Page 86: Configuring Aaa Accounting

    Enter. The start-stop keyword (required) indicates that the accounting message is sent at the beginning and the end (if the command was successfully executed) of the execution of a CLI command.

  • Page 87: Monitoring Tacacs+ Servers

    Configuring Access Control Lists (ACLs) • About Access Control Lists, page 5-20 • Options, page 5-20 • How to Add Entries to an ACL, page 5-21 • How to Remove an ACL, page 5-21

  • Page 88

    The following keywords are available: • permit — the specified IP addresses have permission to access the SCE platform. • deny — the specified IP addresses are denied access to the SCE platform.

  • Page 89: How To Enable An Acl

    Applies the specified ACL to all traffic attempting to access the SCE platform. Managing the Telnet Interface • About the Telnet Interface, page 5-22 • How to Prevent Telnet Access, page 5-22 • How to Configure the Telnet Timeout, page 5-22

  • Page 90: About The Telnet Interface

    Configuring the SSH Server • The SSH Server, page 5-23 • Key Management, page 5-23 • Managing the SSH Server, page 5-23 • How to Monitor the Status of the SSH Server, page 5-24

  • Page 91: The Ssh Server

    Step 1 From the SCE(config)# prompt, type ip ssh key generate and press Enter. Generates a new SSH key set and immediately saves it to non-volatile memory. (Key set is not part of the configuration file). Key size is always 2048 bits.

  • Page 92: How To Monitor The Status Of The Ssh Server

    Step 1 From the SCE> prompt, type show ip ssh and press Enter. This is a User Exec command. Make sure that you are in User Exec command mode by exiting any other modes.

  • Page 93: Enabling The Snmp Interface

    SNMP notifications and the supported MIBs. • SNMP Protocol, page 5-26 • Security Considerations, page 5-26 • About CLI, page 5-27 • About MIBs, page 5-27 • Configuration via SNMP, page 5-28

  • Page 94: Snmp Protocol

    (in-band management is not supported). In addition, the SCE platform supports the option to configure community of managers for read-write accessibility or for read-only accessibility.

  • Page 95: About Cli

    MIBs (Management Information Bases) are databases of objects that can be monitored by a network management system (NMS). SNMP uses standardized MIB formats that allow any SNMP tools to monitor any device defined by a MIB. For further information concerning MIBs used by the Cisco SCE8000 platform, see Cisco Service Control MIBs, page A-1.

  • Page 96: Configuration Via Snmp

    To store this configuration for subsequent reboots (startup-configuration), the user must specify it explicitly via CLI or via SNMP using the Cisco enterprise MIB objects. Note also that the SCE platform takes the approach of a single configuration database with multiple interfaces that may change this database.

  • Page 97: How To Configure Snmp Notifications

    Configurable Notifications, for a list of configurable notifications). Whenever one of the events that trigger notifications occurs in the SCE platform, an SNMP notification is sent from the SCE platform to the list of IP addresses that you define.

  • Page 98: How To Define Snmp Hosts

    — a security string that identifies a community of managers who are permitted to access the SNMP server
    • version — SNMP version running in the system. Can be set to 1 or 2c.
      – Default — 1 (SNMPv1)

  • Page 99

    Currently the only accepted value for this parameter is Authentication.
    • enterprise — optional parameter that specifies that all or specific enterprise traps should be enabled or disabled. By default, enterprise traps are enabled.

  • Page 100

    How to Restore All Notifications to the Default Status
    Step 1: At the SCE(config)# prompt, type default snmp-server enable traps and press Enter.
    Resets all notifications supported by the SCE platform to their default status.

  • Page 101: Ip Configuration

    • no ip route all
    • no ip route prefix mask
    • show ip route
    • show ip route prefix
    • show ip route prefix mask

  • Page 102: How To Configure The Default Gateway

    How to Display the Entire IP Routing Table
    Step 1: From the SCE# prompt, type show ip route and press Enter.
    Displays the entire routing table and the destination of last resort (default-gateway).

  • Page 103: Ip Advertising

    The following commands are relevant to IP advertising:
    • [no] ip advertising
    • ip advertising destination
    • ip advertising interval
    • default ip advertising destination
    • default ip advertising interval

  • Page 104: Configuring Ip Advertising

    Configuring IP Advertising: Example
    The following example shows how to configure IP advertising, specifying 10.1.1.1 as the destination and an interval of 240 seconds.
    SCE(config)#ip advertising destination 10.1.1.1
    SCE(config)#ip advertising interval 240

  • Page 105: How To Display The Current Ip Advertising Configuration

    Configuring the IP Address of the Management Interface: Example
    The following example shows how to set the IP address of the SCE platform to 10.1.1.1 and the subnet mask to 255.255.0.0.
    SCE(config if)#ip address 10.1.1.1 255.255.0.0

  • Page 106: Configuring Time Clocks And Time Zone

    Step 1: From the SCE(config)# prompt, type show clock and press Enter.
    Displaying the System Time: Example
    The following example shows the current system clock.
    SCE#show clock
    12:50:03 November 13 2001
    sce#

  • Page 107: Displaying The Calendar Time

    The calendar is a system clock that continues functioning even when the system shuts down.
    Options
    The following option is available:
    • time-date — the time and date you want to set, in the following format: hh:mm:ss day month year

  • Page 108: Setting The Calendar: Example

    Setting the Time Zone: Example
    The following example shows how to set the time zone to Pacific Standard Time with an offset of 10 hours behind UTC.
    SCE(config)#clock timezone PST -10
    SCE(config)#

  • Page 109: Removing The Current Time Zone Setting

    Day of the week in a specific week in a specified month — For example, Sunday of the fourth week of March. (This would be different from the last Sunday of the month whenever there were five Sundays in the month.) This is used for a recurring configuration.

  • Page 110: Guidelines

    Step 1: From the SCE(config)# prompt, type clock summer-time zone recurring [week1 day1 month1 time1 week2 day2 month2 time2 [offset]] and press Enter.
    Configures daylight saving time to start and stop on the specified days every year.

  • Page 111: How To Define Non-recurring Daylight Saving Time Transitions

    How to Display the Current Daylight Saving Time Configuration
    Step 1: From the SCE# prompt, type show timezone and press Enter.
    Displays the current time zone and daylight saving time configuration.

  • Page 112: Domain Name Server (dns) Settings

    Step 1: From the SCE(config)# prompt, type ip domain-lookup and press Enter.
    Enables DNS lookup.
    How to Disable DNS Lookup
    Step 1: From the SCE(config)# prompt, type no ip domain-lookup and press Enter.

  • Page 113: Configuring Name Servers

    Removes the specified server from the DNS list.
    Removing a Domain Name Server: Example
    The following example shows how to remove name server (DNS) IP addresses.
    SCE(config)#no ip name-server 10.1.1.60 10.1.1.61

  • Page 114: How To Add A Host To The Host Table

    The following example shows how to display current DNS information.
    SCE#show hosts
    Default domain is Cisco.com
    Name/address lookup uses domain service
    Name servers are 10.1.1.60, 10.1.1.61
    Host Address
    ---- -------
    PC85 10.1.1.61
    sce#

  • Page 115: Chapter 6 Configuring The Line Interface

    SCE platform in an attempt to recover
    Maximum Packet Size
    The MTU value for the Cisco SCE8000 traffic processing is 9238 bytes. However, in the current version, packets larger than 1600 bytes are bypassed and are not handled by the service control application.

  • Page 116: How To Configure The Ten Gigabit Ethernet Line Interfaces

    VLAN Ignore tunnel VLAN symmetric skip symmetric Ignore tunnel – asymmetric VLAN a-symmetric skip asymmetric VLAN tag used for VPN classification VLAN symmetric classify symmetric MPLS Ignore tunnel (inject unlabeled) MPLS symmetric traffic-engineering skip Cisco SCE8000 Software Configuration Guide OL-16479-02...

  • Page 117: Selecting The Tunneling Mode

    • IPinIP Tunneling, page 6-4
    • How to Configure the VLAN Environment, page 6-6
    • How to Configure the L2TP Environment, page 6-6
    Use these commands to configure tunneling:
    • ip-tunnel
    • vlan
    • L2TP identify-by

  • Page 118: Ipinip Tunneling

    By default, IP tunnel recognition is disabled. Use this command to configure recognition of IPinIP tunnels and skipping into the internal IP packet.
    Step 1: From the SCE(config-if)# prompt, type ip-tunnel IPinIP skip and press Enter.

  • Page 119

    Manage DSCP Marker Values" in the chapter "Using the Service Configuration Editor: Traffic Control" in the Cisco Service Control Application for Broadband User Guide for further information. Use this command to configure the SCE platform to mark the DSCP bits of the internal IP header. This command takes effect only when IPinIP skip is enabled.

  • Page 120: How To Configure The Vlan Environment

    Configuring the VLAN Environment: Example
    The following example selects VLAN-based classification.
    SCE(config if)#vlan symmetric classify
    How to Configure the L2TP Environment
    • External Fragmentation in the L2TP Environment, page 6-7
    • Options, page 6-7

  • Page 121: Asymmetric L2 Support

    In order to support asymmetric layer 2, the SCE platform switches to asymmetric flow open mode, which incurs a certain performance penalty. This is NOT the case for asymmetric routing topology.
    Step 1: From the SCE(config-if)# prompt, type asymmetric-L2-support and press Enter.

  • Page 122: How To Display The Tunneling Configuration

    This is useful when a particular type of traffic should be blocked by the SCE platform. Possible examples include performing ingress source address filtering (dropping packets originating from a subscriber port whose IP address does not belong to any defined subscriber-side subnet), or blocking specific ports.

  • Page 123: Traffic Rules

    A traffic rule specifies that a defined action should be taken on packets processed by the SCE Platform that meet certain criteria. The maximum number of rules for the Cisco SCE8000 is 64, which includes not only traffic rules configured via the SCE platform CLI, but also any additional rules configured by external management systems, such as SCA BB.

  • Page 124: Traffic Counters

    How to Delete a Traffic Counter
    Step 1: From the SCE(config if)# prompt, type no traffic-counter name name and press Enter.
    Note: A traffic counter cannot be deleted if it is used by any existing traffic rule.

  • Page 125: Configuring Traffic Rules

    • Specify the port or port range for both the subscriber-side and the network-side.
    • Specify a range of ports using the form MinPort:MaxPort.
    • Use the all-but keyword to exclude the specified port or range of ports.

  • Page 126

    <IP specification> network-side <IP specification>)) protocol protocol [ports subscriber-side <port specification> network-side <port specification>] [tunnel-id <tunnel-id specification>] direction direction traffic-counter <traffic-counter>[action action] Configuring Traffic Rules: Examples Example 1, page 6-13 • Example 2, page 6-13 • Example 3, page 6-13 • Cisco SCE8000 Software Configuration Guide 6-12 OL-16479-02...

  • Page 127

    • Action = ignore (required since traffic-counter = none)
    • The only action performed will be Ignore.
    SCE(config if)# traffic-rule name rule3 IP-addresses all protocol IS-IS direction upstream traffic-counter none action ignore

  • Page 128: Managing Traffic Rules And Counters

    Displays the configuration of the specified traffic rule.
    How to View all Traffic Rules
    Step 1: From the SCE# prompt, type show interface linecard 0 traffic-rule all and press Enter.
    Displays the configuration of all existing traffic rules.

  • Page 129

    Step 1 Enter. Resets the specified traffic counter.
    How to Reset all Traffic Counters
    Step 1: From the SCE# prompt, type clear interface linecard 0 traffic-counter all and press Enter.
    Resets all traffic counters.

  • Page 130: Dscp Marking

    DSCP Marking
    DSCP marking is used in IP networks as a means to signal the priority of a packet. The Cisco Service Control solution supports the DSCP classification on a per-service, per-package level via the SCA BB application. The SCE platform DSCP marking feature enables marking the DSCP field in the IP header of each packet according to the policy configured via the SCA BB console.

  • Page 131: Disabling The Hardware Packet Drop

    Step 1: From the SCE(config if)# prompt, type no accelerate-packet-drops and press Enter.
    Disables hardware packet drop.
    To enable hardware packet drop, use the following command:
    Step 1: From the SCE(config if)# prompt, type accelerate-packet-drops and press Enter.

  • Page 132

    Chapter 6 Configuring the Line Interface Counting Dropped Packets

  • Page 133: Configuring The Connection Mode

    Connection mode — Can be any one of the following, depending on the physical installation of the SCE platform:
    – Inline — single SCE platform inline
    – Receive-only — single SCE platform receive-only

  • Page 134: Configuring The Connection Mode Example

    This example defines a single-SCE platform, dual link, receive-only topology. The link mode on-failure.
    SCE(config if)# connection-mode receive-only
    Monitoring the Connection Mode
    Step 1: From the SCE> prompt, type show interface linecard 0 connection-mode and press Enter.
    Displays the connection mode configuration.

  • Page 135: Monitoring The Connection Mode: Example

    Cutoff — completely cuts off flow of traffic through the SCE platform.
    Recommendations and restrictions
    The following recommendations and restrictions:
    • For the Cisco SCE8000 platform, the link mode setting is global, and cannot be set for each link separately. Therefore the all-links keyword must be used.

  • Page 136: External Optical Bypass

    Cisco SCE8000, bypassing all the traffic, as illustrated in Figure 7-1. The SCE8000 can detect the presence of each external optical bypass device, and warns the user by various means (CLI show command, system operational-state, SNMP traps) if an expected external bypass device is not detected as present.

  • Page 137: How To Activate The External Bypass

    How to Set the External Bypass to the Default State
    The default state of the external optical bypass is deactivated.
    Step 1: From the SCE(config if)# prompt, type default external-bypass and press Enter.

  • Page 138: How To Display The State Of The External Bypass

    Step 1: From the SCE(config if)# prompt, type link failure-reflection and press Enter.
    Enables link failure-reflection.
    How to Disable Link Failure Reflection
    Step 1: From the SCE(config if)# prompt, type no link failure-reflection and press Enter.
    Disables link failure-reflection.

  • Page 139: Enabling And Disabling Link Failure Reflection On All Ports

    Enables failure reflection to all ports.
    How to Disable Link Failure Reflection on All Ports
    Step 1: From the SCE(config if)# prompt, type no link failure-reflection and press Enter.
    Disables failure reflection to all ports.

  • Page 140: Configuring Link Failure Reflection In Linecard-aware Mode

    This mode reflects a failure of one port to the other three ports of the SCE platform differently, depending on different failure conditions, as follows:
    • One interface of the SCE8000 is down: Link failure is reflected to all the other SCE platform ports.
    ...

  • Page 141: Asymmetric Routing Topology

    – Analysis layer transport mode enabled (ROOT level configuration)
    – ‘no TCP bypass-establishment’ mode enabled (ROOT level configuration)
    – A traffic rule is configured for certain flows to use the classical open flow mode (ROOT level configuration)

  • Page 142: Enabling Asymmetric Routing

    For more information, please see the Cisco Service Control Application for Broadband User Guide.
    Monitoring Asymmetric Routing
    Use the command below to display the following information regarding asymmetric routing:
    • Current status of asymmetric routing mode (enabled or disabled)
    ...

  • Page 143: Configuring A Forced Failure

    Step 1: From the SCE(config if)# prompt, type no force failure-condition and press Enter.
    Exits from the virtual failure condition.
    Configuring the Failure Recovery Mode
    The failure-recovery operation-mode command defines the behavior of the system after boot resulting from failure.

  • Page 144: Options

    • If SM functionality is not critical to the operation of the system — no action needs to be configured. In this case you can specify that the system operational-status of the SCE platform should be 'warning' when the link is down.

  • Page 145: Configuring The Behavior Of The Sce Platform In Case Of Failure Of The Sm

    The following option is available:
    • interval — the timeout interval in seconds
    Step 1: From the SCE(config if)# prompt, type subscriber sm-connection-failure timeout interval and press Enter.
    Configures the connection timeout.

  • Page 146

    Chapter 7 Configuring the Connection Configuring the SCE Platform/SM Connection

  • Page 147: Rdr Formatter And Netflow Exporting Support

    Raw Data Formatting: The RDR Formatter and NetFlow Exporting
    Cisco Service Control is able to deliver gathered reporting data to an external application for collecting, aggregation, storage and processing over two protocols: ...

  • Page 148: Netflow

    • Flow Data Record: A data record that contains values of the flow parameters corresponding to a template record.

  • Page 149: Netflow Exporting Support

    (TCP (RDRv1) or UDP (NetFlow))
    • The destination is assigned a priority for each category to which it is assigned.
    The following figure illustrates the simplest data destination topology, with only one category and one destination.

  • Page 150: Categories

    By default, the categories are referred to as Category 1 through Category 4. However, the user may define meaningful names for the categories. This generally reduces confusion and prevents errors.

  • Page 151: Priority

    Note: Some types of deployments using the NetFlow protocol require multicast forwarding mode. In a deployment where there are multiple destinations for at least one category, and at least one of those is a NetFlow destination, the multicast forwarding mode must be configured.

  • Page 152: Protocol

    — the protocol used for data sent to the destination (either RDRv1 or NetFlow; if no protocol is assigned the protocol is RdrV1)
    • transport — the transport type, TCP or UDP (optional, as this parameter is determined by the protocol)

  • Page 153: Configuring The Data Destinations: Examples

    Refer to the examples below for illustrations of some of the issues involved in configuring categories.
    Options
    The following options are available:
    • category-number — the number of the category (1-4)
    • category-name — the name to be assigned to the category

  • Page 154: Configuring A Destination And Assigning Categories

    | number category-number] [priority priority]] [category [name category-name | number category-number] [priority priority]] [category [name category-name | number category-number] [priority priority]] protocol protocol [transport transport] and press Enter.
    Defines the destination and assigns categories with optional priorities.

  • Page 155

    (redundancy forwarding mode).
    Figure 8-4: Configuring Destinations: Two Categories with Redundancy Mode

  • Page 156

    SCE(config)# rdr-formatter destination 10.10.10.96 port 33000 category name billing priority 90 protocol NetFlowV9 transport udp
    SCE(config)# rdr-formatter destination 10.1.96.0 port 33000 category name prepaid priority 80 protocol NetFlowV9 transport udp

  • Page 157

    SCE(config)# rdr-formatter destination 10.10.10.96 port 33000 category name prepaid priority 90 category name special-prepaid priority 80 protocol RdrV1 transport tcp
    SCE(config)# rdr-formatter destination 10.1.1.206 port 33000 category name special-prepaid priority 90 protocol NetFlowV9 transport udp

  • Page 158: Configuring The Forwarding Mode

    • Setting the size of the RDR formatter history buffer.
      Note: The size of the history buffer must be zero bytes (the default value). Other values may cause duplication of RDRs.
    • Dynamic mapping of RDRs to categories (see Configuring Dynamic Mapping of RDRs to Categories, page 8-14)

  • Page 159: Options

    • Assigning a DSCP value to the NetFlow export packets to a specified destination for priority configuration. The DSCP value must be between 0 and 63, and be entered in HEX format.
    • Configuring the frequency of exporting the template records (template refresh interval)

  • Page 160: Options

    The user must provide the RDR tag ID and the category number to add or remove. The configuration is saved as part of the application configuration.

  • Page 161: Configuring Mappings

    Enter.
    How to Restore the Default Mapping for a Specified RDR Tag
    Step 1: From the SCE(config)# prompt, type default rdr-formatter rdr-mapping tag-id tag-number and press Enter.

  • Page 162: Displaying Data Destination Configuration And Statistics

    • show rdr-formatter protocol NetFlowV9 dscp
    Refer to the Cisco SCE8000 CLI Command Reference for a complete description of the other show rdr-formatter commands.
    How to Display the Current RDR Formatter Configuration
    The system can display the complete data destination configuration, or just specific parameters.

  • Page 163: How To The Display The Current Rdr Formatter Statistics

    17 hours, 5 minutes, 14 seconds Destination: 10.56.204.7 Port: 33000 Status: up Sent: 12134054 Rate: Max: Sent Templates: 13732 Sent Data Records: 12134054 Refresh Timeout (Sec): Last connection establishment: 17 hours, 5 minutes, 15 seconds

  • Page 164: Disabling The Linecard From Sending Rdrs

    Step 1: From the SCE(config if)# prompt, type silent and press Enter.
    To enable the linecard to produce data records, use the following command:
    Step 1: From the SCE(config if)# prompt, type no silent and press Enter.

  • Page 165: Managing Subscribers

    What is a Subscriber?
    In the Service Control solution, a subscriber is defined as a managed entity on the subscriber side of the SCE Platform to which accounting and policy are applied individually.

  • Page 166: Subscriber Modes In Service Control Solutions

    Service Control solutions support several modes of handling subscribers:
    • Subscriber-less mode
    • Anonymous subscriber mode
    • Static subscriber aware mode
    • Dynamic subscriber aware mode
    Note: Not all the Service Control solutions support all modes.

  • Page 167: Subscriber Mapping Limits

    SCE platform and are no longer occupying resources. Aging time can be configured individually for introduced subscribers and for anonymous subscribers.

  • Page 168: Anonymous Groups And Subscriber Templates

    The following mapping formats are supported:
    – IP address — in dotted decimal notation. Example: 10.3.4.5
    – IP address range — dotted decimal, followed by the amount of significant bits.

  • Page 169: Importing And Export Ingsubscriber Information

    How to Export a Subscriber Template, page 9-7
    Use the following commands to import subscriber data from csv files and to export subscriber data to these files:
    • subscriber import csv-file
    • subscriber export csv-file

  • Page 170: Options

    Exports the subscriber information to the specified file.
    How to Import a Subscriber Template
    Step 1: From the SCE(config if)# prompt, type subscriber template import csv-file filename and press Enter.
    Imports the subscriber template from the specified file.

  • Page 171: How To Export A Subscriber Template

    The following option is available:
    • subscriber-name — the name of the subscriber to be removed
    Step 1: From the SCE(config if)# prompt, type no subscriber name subscriber-name and press Enter.
    Removes the specified subscriber.

  • Page 172: How To Remove All Introduced Subscribers

    Step 1: From the SCE# prompt, type clear interface linecard 0 subscriber anonymous all and press Enter.
    Removes all anonymous subscribers.
    Note: The clear subscriber anonymous command is a Privileged Exec command.

  • Page 173: How To Remove All Subscriber Templates

    Step 1 Enter. Clears all subscribers from the specified SCMP peer device.
    Importing and Exporting Anonymous Groups
    • How to Import Anonymous Groups, page 9-10
    • How to Export Anonymous Groups, page 9-10

  • Page 174: How To Import Anonymous Groups

    The CLI provides several commands that allow you to monitor subscribers. These commands can be used to display information regarding the following:
    • Subscriber Database
    • All subscribers meeting various criteria
    • Individual subscriber information, such as properties and mappings
    • Anonymous subscribers

  • Page 175: How To Monitor The Subscriber Database

    0 subscriber db counters
    How to Display the Subscriber Database Counters
    Step 1: From the SCE# prompt, type show interface linecard 0 subscriber db counters and press Enter.
    Displays the subscriber database counters.

  • Page 176: Clearing The Subscriber Database Counters

    • A subscriber property is equal to, larger than, or smaller than a specified value.
    • Subscriber name matches a specific prefix or suffix.
    • Mapped to a specified IP address range.
    • Mapped to a specified VLAN ID.

  • Page 177: Displaying Subscribers: All Current Subscriber Names

    How to display subscribers that match a specified value of a subscriber property
    Options
    The following options are available:
    • propertyname — name of the subscriber property to match
    • property-val — value of that subscriber property to match

  • Page 178

    • property-val — value of that subscriber property to match
    Step 1: From the SCE> prompt, type show interface linecard 0 subscriber amount property propertyname equals property-val and press Enter.

  • Page 179: How To Display Subscribers: By Mapping (ip Address Or Vlan Id)

    • IP addresses intersecting a given IP address or IP range
    • A specified VLAN ID
    • no mapping
    You can also display just the number of subscribers with a specified mapping, rather than listing the actual subscribers.

  • Page 180

    The following options are available:
    • VLAN-id — VLAN ID to match
    Step 1: From the SCE> prompt, type show interface linecard 0 subscriber amount mapping VLAN-id VLAN-id and press Enter.

  • Page 181: How To Display Subscriber Information

    Step 1: From the SCE> prompt, type show interface linecard 0 subscriber properties and press Enter.
    How to display complete information for a specified subscriber
    Use this command to display complete information for a specified subscriber, including all values of subscriber properties and mappings.

  • Page 182

    How to display OS counters for a specified subscriber
    Options
    The following options are available:
    • name — subscriber name
    Step 1: From the SCE> prompt, type show interface linecard 0 subscriber name name counters and press Enter.

  • Page 183: Displaying Anonymous Subscriber Information

    From the SCE> prompt, type show interface linecard 0 subscriber anonymous-group all and press Enter.
    How to display currently configured templates for anonymous groups
    Step 1: From the SCE> prompt, type show interface linecard 0 subscriber templates and press Enter.

  • Page 184: How To Display Current Configuration For A Specified Anonymous Group

    Enter.
    How to display the total number of subscribers in all anonymous groups
    Step 1: From the SCE> prompt, type show interface linecard 0 subscriber amount anonymous and press Enter.

  • Page 185: Configuring Subscriber Aging

    Step 1: From the SCE(config if)# prompt, type subscriber aging introduced and press Enter.
    How to Disable Aging for Anonymous Group Subscribers
    Step 1: From the SCE(config if)# prompt, type no subscriber aging anonymous and press Enter.

  • Page 186: How To Disable Aging For Introduced Subscribers

    Step 1: From the SCE> prompt, type show interface linecard 0 subscriber aging anonymous and press Enter.
    How to Display Aging for Introduced Subscribers
    Step 1: From the SCE> prompt, type show interface linecard 0 subscriber aging introduced and press Enter.

  • Page 187: Configuring The Sce Platform/sm Connection

    Step 1 From the SCE(config if)# prompt, type subscriber sm-connection-failure action force-failure|none|remove-mappings|shut and press Enter.
    How to Configure the SM-SCE Platform Connection Timeout
    Step 1 From the SCE(config if)# prompt, type subscriber sm-connection-failure timeout interval and press Enter.

  • Page 188

    Chapter 9 Managing Subscribers Configuring the SCE Platform/SM Connection

  • Page 189: Attack Filtering And Attack Detection

    When the rates satisfy user-configured criteria, it is considered an attack, and a configured action can take place (report/block, notify subscriber, send SNMP trap). This mechanism is enabled by default, and can be disabled and enabled for each attack type independently.

  • Page 190: Specific Attack Filtering

    In addition, the user can manually override the configured attack detectors to either force or prevent attack filtering in a particular situation.

  • Page 191: Attack Detection

    Redirect. Alarm — The system will generate an SNMP trap each time an attack starts and stops. Attack detection and handling are user-configurable. The remainder of this chapter explains how to configure and monitor attack detection.

  • Page 192: Attack Detection Thresholds

    – Enabled — If the subscriber IP address is detected to be attacked or attacking, the subscriber is notified about the attack.
    – Disabled — The subscriber is not notified about the attack.

  • Page 193: Subscriber Notification

    When the hardware is used to filter the attack, the software has no knowledge of the attack packets, and therefore the following side effects occur:

  • Page 194: Configuring Attack Detectors

    • Sample Attack Detector Configuration, page 10-16
    The Cisco attack detection mechanism is controlled by defining and configuring special entities called Attack Detectors. There is one attack detector called ‘default’, which is always enabled, and 99 attack detectors (numbered 1-99), which are disabled by default.

  • Page 195

    • Alarm
    Each of these four settings can be either configured (with a value or set of values) or not configured. The default state for all of them is not configured.

  • Page 196: Enabling Specific-ip Detection

    • How to Disable Specific-IP Detection for Protocols Other than TCP, UDP, and ICMP for all Attack Directions, page 10-10
    • How to Disable Specific-IP Detection for ICMP for Single-sided Attacks Defined by the Source IP, page 10-10

  • Page 197: Options

    How to Enable Specific-IP Detection for the TCP Protocol for Port-based Detections Only for Dual-sided Attacks
    Step 1 From the SCE(config if)# prompt, type attack-filter protocol TCP dest-port specific attack-direction dual-sided and press Enter.

  • Page 198: Directions

    – (default) — Report beginning and end of the attack by writing to the attack-log.
    – block — Block all further flows that are part of this attack; the SCE platform drops the packets.

  • Page 199

    (subscriber|network|both) (alarm|no-alarm) and press Enter. Enables or disables sending an SNMP trap by default for the defined attack type. The attack type must be defined the same as in Step 1.

  • Page 200: Specific Attack Detectors

    • How to Delete User-Defined Values, page 10-15
    • How to Disable a Specific Attack Detector, page 10-15
    • How to Disable All Non-default Attack Detectors, page 10-15
    • How to Disable All Attack Detectors, page 10-16

  • Page 201

    • Use the appropriate keyword to enable or disable sending an SNMP trap by default:
        – alarm — Enable sending an SNMP trap.
        – no-alarm — Disable sending an SNMP trap.

  • Page 202: How To Define The Subscriber Notification Setting For A Specific Attack Detector

    From the SCE(config if)# prompt, type attack-detector number protocol (((TCP|UDP) [dest-port (specific|not-specific|both)])|ICMP|other|all) attack-direction (single-side-source|single-side-destination|single-side-both|dual-sided|all) side (subscriber|network|both) (alarm|no-alarm) and press Enter.
    Defines the SNMP trap setting for the specified attack detector.

  • Page 203: How To Delete User-defined Values

    Use the following command to disable all non-default attack detectors, configuring them to use the default values.
    Step 1 From the SCE(config if)# prompt, type default attack-detector all-numbered and press Enter.
    Disables all non-default attack detectors.

  • Page 204: How To Disable All Attack Detectors

    Step 7 Exits the linecard interface configuration mode.
    Step 8 Configure ACL #3, which has been assigned to the attack detector.
    SCE(config)# access-list 3 permit 10.1.1.10
    SCE(config)# access-list 3 permit 10.1.1.13

  • Page 205: Subscriber Notifications

    From the SCE(config if)# prompt, type attack-filter subscriber-notification ports portnumber and press Enter.
    How to Remove the Subscriber Notification Port
    Step 1 From the SCE(config if)# prompt, type no attack-filter subscriber-notification ports and press Enter.

  • Page 206: Preventing And Forcing Attack Detection

    — the IP address for which to prevent attack filtering. If attack-direction is dual-sided, an IP address must be configured for both the source (source-ip-address) and the destination (dest-ip-address) sides.

  • Page 207: Preventing Attack Filtering

    • How to Configure a force-filter Setting for a Specified Situation, page 10-20
    • How to Remove a force-filter Setting from a Specified Situation, page 10-20
    • How to Remove All force-filter Settings, page 10-20

  • Page 208: How To Configure A Force-filter Setting For A Specified Situation

    The system sends a trap at the start of a specific attack detection event, and also when a specific detection event ends, as follows:
    • STARTED_FILTERING trap
        – String with the attack information
    • STOPPED_FILTERING
        – String with the attack information
        – String with the reason for stopping

  • Page 209

    IP addresses were detected
        – from IP address A.B.C.D
        – on IP address A.B.C.D
        – from IP address A.B.C.D to IP address A.B.C.D
    • 'side'
        – subscriber
        – network

  • Page 210: Monitoring Attack Filtering Using Cli Commands

    0 attack-filter query
    • show interface linecard 0 attack-filter current-attacks
    • show interface linecard 0 attack-filter don't-filter
    • show interface linecard 0 attack-filter force-filter
    • show interface linecard 0 attack-filter subscriber-notification ports

  • Page 211: How To Display A Specified Attack Detector Configuration

    ||Action| Thresholds |Sub- |Alarm |Open flows|Ddos-Suspected flows|notif| |rate |rate |ratio --------|----|-----------||------|----------|------------|-------|-----|----- |net.|source-only|| |net.|dest-only |sub.|source-only|| |sub.|dest-only |net.|source+dest|| |sub.|source+dest|| TCP+port|net.|source-only||Block | |Yes TCP+port|net.|dest-only TCP+port|sub.|source-only||Block | |Yes TCP+port|sub.|dest-only TCP+port|net.|source+dest|| TCP+port|sub.|source+dest|| |net.|source-only|| |net.|dest-only |sub.|source-only|| |sub.|dest-only

  • Page 212: How To Display The Default Attack Detector Configuration

    UDP+port|sub.|source-only||Report| 1000| 500|50
    UDP+port|sub.|dest-only ||Report| 1000| 500|50
    UDP+port|net.|source+dest||Report| 100| 50|50
    UDP+port|sub.|source+dest||Report| 100| 50|50
    ICMP |net.|source-only||Report| 500| 250|50
    ICMP |net.|dest-only ||Report| 500| 250|50
    ICMP |sub.|source-only||Report| 500| 250|50
    ICMP |sub.|dest-only ||Report| 500| 250|50

  • Page 213: How To Display All Attack Detector Configurations

    If attack-direction is dual-sided, an IP address must be configured for both the source (source-ip-address) and the destination (dest-ip-address) sides.
    • portnumber — the port number for which to display information.

  • Page 214

    50|No
    UDP+port|net.|src.|Report| 1000| 500| 50|No
    UDP+port|net.|dst.|Report| 1000| 500| 50|No
    UDP+port|sub.|src.|Report| 1000| 500| 50|No
    UDP+port|sub.|dst.|Report| 1000| 500| 50|No
    (N) below a value means that the value is set through attack-detector #N.
    SCE#>

  • Page 215: How To Display The Current Counters

    Step 1 From the SCE> prompt, type show interface linecard 0 attack-filter dont-filter and press Enter.
    How to display the list of ports selected for subscriber notification
    Step 1 From the SCE> prompt, type show interface linecard 0 attack-filter subscriber-notification ports and press Enter.

  • Page 216: How To Find Out Whether Hardware Attack Filtering Has Been Activated

    The message for detecting attack end contains the following data:
    • IP address (Pair of addresses, if detected)
    • Protocol Port number (If detected)
    • Attack-direction (Attack-source or Attack-destination)
    • Interface of IP address
    • Number of attack flows reported/blocked

  • Page 217: How To View The Attack Log

    How to Copy the Attack Log to a File
    Step 1 From the SCE# prompt, type more line-attack-log redirect filename and press Enter.
    Writes the log information to the specified file.

  • Page 218

    Chapter 10 Identifying and Preventing Distributed-Denial-Of-Service Attacks Monitoring Attack Filtering

  • Page 219: About Scmp

    • SCMP Subscriber Management, page 11-6
    The SCMP is a Cisco proprietary protocol that uses the RADIUS protocol with CoA (Change of Authorization) support as a transport layer. The SCMP provides connection management messages, subscriber management and subscriber accounting messages. Each subscriber in the SCE platform represents a session in the SCMP peer (as defined by the ISG terminology).

  • Page 220: Scmp Terminology

    destination IP address, source port, destination port, protocol and in some cases direction.
    • SCMP Peer – A Cisco device running IOS with the ISG module enabled.
    • Identity Key – One of the keys that help identify a Session. The identity keys that are relevant to the...

  • Page 221: Deployment Scenarios

    terminating a large number of subscribers. However, note that deploying only one SCE platform results in a single point of failure, which is not generally acceptable in an actual deployment.

  • Page 222: Multiple Isg Routers With Multiple Sce Platforms Via Load Balancing (nxisg - Mxsce)

    SCMP Peer Devices
    An SCMP peer device is a Cisco device running IOS with the ISG module enabled. The SCE platform supports the ability to communicate with several SCMP peer devices at the same time. However, each peer device manages its own subscribers and the corresponding subscriber network IDs. The SCE platform recognizes which subscribers belong to which peer device.

  • Page 223: Connection Management

    Re-query all anonymous Connected
    The loss-of-sync timeout prevents the SCE platform from retaining sessions that are obsolete and whose identity-keys have been replaced or moved to other sessions, thus limiting the risk of misclassification.

  • Page 224: Scmp Subscriber Management

    • How to Disable the SCMP, page 11-7
    • How to Configure the SCMP Peer Device to Push Sessions, page 11-7
    • Configuring the SCMP Peer Device to Force Each Subscriber to Single SCE Platform, page 11-8

  • Page 225: How To Enable The Scmp

    Use this command to disable pushing sessions to the SCE platform. This means that the SCE platform will pull all sessions from the SCMP peer.
    Step 1 From the SCE(config)# prompt, type no scmp subscriber send-session-start and press Enter.

  • Page 226: Configuring The Scmp Peer Device To Force Each Subscriber To Single Sce Platform

    — Interval between keep-alive messages from the SCE platform to the SCMP peer device in seconds
        – Default = 5 seconds
    Step 1 From the SCE(config)# prompt, type scmp keepalive-interval interval and press Enter.

  • Page 227: Defining The Reconnect Interval Parameter

    Define the device, configuring the following parameters:
        – device name
        – RADIUS host
        – RADIUS shared secret
        – authorization port number (optional)
        – accounting port number (optional)
    Associate the device with one or more unmapped anonymous groups.

  • Page 228

    This command defines the specified anonymous group to be the IP range of the SCMP peer device. You must define the specified SCMP peer device before assigning the anonymous group.
    Step 1 From the SCE(config if)# prompt, type no subscriber anonymous-group name group-name and press Enter.

  • Page 229: Deleting Subscribers Managed By An Scmp Peer Device

    • User-Name
    The GUID is always appended at the end of the subscriber ID as defined by this command.
    Note: You must disable the SCMP interface before executing this command.

  • Page 230: Options

    The RADIUS client polls the sockets to receive the next message and calls the SCMP engine to handle it, based on the type of the received message. Messages that were not acknowledged can be retransmitted up to the configured maximum number of retries.

  • Page 231: Monitoring The Scmp Environment

    • Statistics for either all SCMP peer devices or a specified SCMP peer device.
    Options
    The following options are available:
    • device-name — The name of the specific SCMP peer device for which to display the configuration or statistics.

  • Page 232: How To Display The General Scmp Configuration

    Send session start:
    Time connected: 9 seconds
    How to display the statistics for all SCMP peer devices
    Step 1 From the SCE> prompt, type show scmp all counters and press Enter.

  • Page 233: How To Display The Statistics For A Specified Scmp Peer Device

    Use the following command to monitor the SCMP RADIUS client. This command displays the general configuration of the RADIUS client.
    Step 1 From the SCE> prompt, type show ip radius-client and press Enter.

  • Page 234

    Chapter 11 Managing the SCMP Monitoring the SCMP Environment

  • Page 235: Appendix

    SCE platform that were not provided by the standard MIB. The proprietary pcube MIBs have been replaced by a combination of standard and Cisco MIBs and new Cisco Service Control MIBs. The new MIB structure was designed to keep backward compatibility and provide the same information as provided in the past as much as possible.

  • Page 236

    MIBs | Description
    PCUBE-SMI.my | Defines P-cube enterprise tree structure
    PCUBE-PRODUCTS-MIB.my | Defines OIDs of Cisco Service Control products
    PCUBE-CONFIG-COPY-MIB.my | Contains a subset of the Cisco Config-Copy-MIB ported to the pcube enterprise subtree
    CISCO-SCAS-BB-MIB.my | Contains SCA BB information handlers
    PCUBE-SE-MIB.my | Contains information about the SCE platform...

  • Page 237

    Appendix A Cisco Service Control MIBs
    MIB Files
    Table A-2 Standard and Cisco MIBs used to replace pcube MIBs (continued)
    MIBs | Description
    ENTITY-MIB.my | Represents multiple logical entities supported by a single SNMP agent
    ENTITY-STATE-MIB.my | Defines a state extension to the Entity MIB
    ENTITY-STATE-TC-MIB.my...

  • Page 238: Loading Mibs

    The loading procedure for standard MIBs and other legacy Cisco MIBs is explained here: http://tools.cisco.com/Support/SNMP/do/BrowseMIB.do?local=en&step=2
    pcube to Cisco MIB Mapping
    This section is an overview of how the former pcube MIB maps to the current Cisco MIBs. Two P-cube MIBs are mapped: PcubeSeMIB and PcubeEngageMIB (CISCO-SCABB-MIB).
    Table A-4...

  • Page 239: Pcube Engage Mib (cisco-sca-bb-mib

    The pcubeEngageMIB is currently in the process of being transformed. This MIB will be translated in future releases.
    pcube to Cisco MIB Mapping: Detailed OID Mappings
    The following tables provide the detailed mappings for specific pcubeSeMIB (1.3.6.1.4.1.5655.4.1/0) OIDs to the current standard and Cisco MIBs.

  • Page 240

    Table A-7 pchassisGrp (1.3.6.1.4.1.5655.4.1.2)
    pcube Object Name | pcube OID | New MIB | New Object Name | New OID
    pchassisSysType | 1.3.6.1.4.1.5655.4.1.2.1 | Not mapped. Derived from entPhysicalDescr and entPhysicalClass chassis(3) | |
    pchassisPowerSupplyAlarm | 1.3.6.1.4.1.5655.4.1.2.2 | CISCO-ENTITY-FRU-CONTROL-MIB | cefcPSOutputModeInOperation | 1.3.6.1.4.1.9.9.117.1.6.2.1.3

  • Page 241

    1.3.6.1.2.1.47.1.1.1. .1.1.1 pmoduleType 1.3.6.1.4.1.5655.4.1.3 ENTITY-MIB entPhysicalName 1.3.6.1.2.1.47.1.1.1. .1.1.2 entPhysicalClass 1.3.6.1.2.1.47.1.1.1. pmoduleNumTraffic 1.3.6.1.4.1.5655.4.1.3 CISCO-PROCESS- cpmCPUTotalTable.cpmC 1.3.6.1.4.1.9.9.109.1 Processors .1.1.3 PUTotal .1.1.1.2 PhysicalIndex pmoduleSlotNum 1.3.6.1.4.1.5655.4.1.3 ENTITY-MIB entPhysicalContainedIn 1.3.6.1.2.1.47.1.1.1. .1.1.4 pmoduleHwVersion 1.3.6.1.4.1.5655.4.1.3 ENTITY-MIB entPhysicalHardwareRev 1.3.6.1.2.1.47.1.1.1. .1.1.5

  • Page 242

    ENTITY-MIB entStateAdmin 1.3.6.1.2.1.131.1.1.1 .1.1.15 pmoduleOperStatus 1.3.6.1.4.1.5655.4.1.3 ENTITY-MIB entStateOper 1.3.6.1.2.1.131.1.1.1 .1.1.16 entStateStandby 1.3.6.1.2.1.131.1.1.1 Table A-9 linkGrp (1.3.6.1.4.1.5655.4.1.4): all mapped objects mapped to CISCO-SERVICE-CONTROL-LINK-MIB pcube Object Name New Object Name linkTable 1.3.6.1.4.1.5655.4.1.4.1 cscLinkStatusTable 1.3.6.1.4.1.9.9.631.1.2 linkEntry 1.3.6.1.4.1.5655.4.1.4.1. cscLinkStatusEntry 1.3.6.1.4.1.9.9.631.1.2.1 linkModuleIndex 1.3.6.1.4.1.5655.4.1.4.1. Not mapped.

  • Page 243

    Appendix A Cisco Service Control MIBs pcube to Cisco MIB Mapping Table A-9 linkGrp (1.3.6.1.4.1.5655.4.1.4): all mapped objects mapped to CISCO-SERVICE-CONTROL-LINK-MIB pcube Object Name New Object Name linkIndex 1.3.6.1.4.1.5655.4.1.4.1. entPhysicalIndex 1.3.6.1.2.1.47.1.1.1.1.1 linkAdminModeOnAc 1.3.6.1.4.1.5655.4.1.4.1. csclLinkStatusAdminModeOnActive 1.3.6.1.4.1.9.9.631.1.2.1.1 tive linkAdminModeOnFai 1.3.6.1.4.1.5655.4.1.4.1. csclLinkStatusAdminModeOnFailure 1.3.6.1.4.1.9.9.631.1.2.1.2...

  • Page 244

    1.3.6.1.4.1.5655.4.1.6.11 cServiceControlRDRFormatterCategor 1.3.6.1.4.1.9.9.637.1.3 Table yTable rdrFormatterCategory 1.3.6.1.4.1.5655.4.1.6.11 cServiceControlRDRCategoryEntry 1.3.6.1.4.1.9.9.637.1.3 .1 Entry rdrFormatterCategory 1.3.6.1.4.1.5655.4.1.6.11 cServiceControlRDRCategoryIndex 1.3.6.1.4.1.9.9.637.1.3.1.1 Index .1.1 rdrFormatterCategory 1.3.6.1.4.1.5655.4.1.6.11 cServiceControlRDRCategoryName 1.3.6.1.4.1.9.9.637.1.3.1.3 Name .1.2 rdrFormatterCategory 1.3.6.1.4.1.5655.4.1.6.11 cServiceControlRDRCategoryNumRep 1.3.6.1.4.1.9.9.637.1.3.1.4 NumReportsSent .1.3 ortsSent

  • Page 245

    1.3.6.1.4.1.9.9.637.1.4.1.1 DestPriority .1.1 yDestPriority rdrFormatterCategory 1.3.6.1.4.1.5655.4.1.6.12 cServiceControlRDRFormatterCategor 1.3.6.1.4.1.9.9.637.1.4.1.2 DestStatus .1.2 yDestStatus Table A-12 loggerGrp (1.3.6.1.4.1.5655.4.1.7): all mapped objects mapped to CISCO-SYSLOG-EVENT-EXT-MIB pcube Object Name New Object Name loggerUserLogEnable 1.3.6.1.4.1.5655.4.1.7.1 Not mapped loggerUserLogNumInfo 1.3.6.1.4.1.5655.4.1.7.2 cslogEventDispositionTable 1.3.6.1.4.1.9.9.270.1.1.5.1.3 loggerUserLogNumWar 1.3.6.1.4.1.5655.4.1.7.3 cslogEventDispositionTable 1.3.6.1.4.1.9.9.270.1.1.5.1.4...

  • Page 246

    1.3.6.1.4.1.9.9.628.1.2.1.11 RangeMappings Mappings subscribersNumTpIpRan 1.3.6.1.4.1.5655.4.1.8.1.1. cServiceControlSubscribersNumTpIp 1.3.6.1.4.1.9.9.628.1.2.1.12 Range MappingsFree MappingsFree subscribersNumAnonym 1.3.6.1.4.1.5655.4.1.8.1.1. cServiceControlSubscribersNumAnon 1.3.6.1.4.1.9.9.628.1.2.1.13 ymous subscribersNumWithSes 1.3.6.1.4.1.5655.4.1.8.1.1. cServiceControlSubscribersNumWith 1.3.6.1.4.1.9.9.628.1.2.1.14 sions Sessions subscribersPropertiesVal 1.3.6.1.4.1.5655.4.1.8.3 Not mapped. ueTable subscribersPropertiesVal 1.3.6.1.4.1.5655.4.1.8.3.1 Not mapped. ueEntry

  • Page 247

    New Object Name tpInfoTable 1.3.6.1.4.1.5655.4.1.9.1 CISCO-SERVICE- cscTpTable 1.3.6.1.4.1.9.9.634.1.1 CONTROL- TP-STATS-MIB tpInfoEntry 1.3.6.1.4.1.5655.4.1.9.1. CISCO-SERVICE- cscTpEntry 1.3.6.1.4.1.9.9.634.1.1.1 CONTROL- TP-STATS-MIB tpModuleIndex 1.3.6.1.4.1.5655.4.1.9.1. CISCO-SERVICE- entPhysicalIndex 1.3.6.1.2.1.47.1.1.1.1.1 CONTROL- TP-STATS-MIB tpIndex 1.3.6.1.4.1.5655.4.1.9.1. CISCO-SERVICE- entPhysicalIndex 1.3.6.1.2.1.47.1.1.1.1.1 CONTROL- TP-STATS-MIB

  • Page 248

    1.3.6.1.4.1.5655.4.1.9.1. Not mapped. ActiveFlowsPeak 1.15 tpNumNonTcpUdp 1.3.6.1.4.1.5655.4.1.9.1. Not mapped. ActiveFlowsPeakTim 1.16 tpTotalNum 1.3.6.1.4.1.5655.4.1.9.1. CISCO-SERVICE- cscTpTotalBlockedP 1.3.6.1.4.1.9.9.634.1.1.1.6 BlockedPackets 1.17 CONTROL- ackets TP-STATS-MIB tpTotalNum 1.3.6.1.4.1.5655.4.1.9.1. CISCO-SERVICE- cscTpTotalBlockedF 1.3.6.1.4.1.9.9.634.1.1.1.7 BlockedFlows 1.18 CONTROL- lows TP-STATS-MIB

  • Page 249

    Not mapped. RatePeak 1.30 tpHandledPackets 1.3.6.1.4.1.5655.4.1.9.1. Not mapped. RatePeakTime 1.31 tpHandledFlowsRate 1.3.6.1.4.1.5655.4.1.9.1. CISCO-SERVICE- cscTpHandledFlows 1.3.6.1.4.1.9.9.634.1.1.1.18 1.32 CONTROL- Rate TP-STATS-MIB tpHandledFlows 1.3.6.1.4.1.5655.4.1.9.1. Not mapped RatePeak 1.33 tpHandledFlows 1.3.6.1.4.1.5655.4.1.9.1. Not mapped RatePeakTime 1.34

  • Page 250

    1.3.6.1.2.1.2.2.1.3 0.1.1.3 Also entPhysicalVendorType can be queried for this value. pportNumTxQueue 1.3.6.1.4.1.5655.4.1.1 Not mapped 0.1.1.4 Information provided by CISCO-QUEUE-MIB cQIfSubqueues pportIfIndex 1.3.6.1.4.1.5655.4.1.1 Not mapped 0.1.1.5 ifIndex mapping information provided by entAliasMappingTable.

  • Page 251

    CISCO-QUEUE-M cQStatsQNumber 1.3.6.1.4.1.9.9.37.1.2.1.1 Index txQueuesDescri 1.3.6.1.4.1.5655.4.1.11.1.1.4 CISCO-QUEUE-M cQIfTable.cQifQType 1.3.6.1.4.1.9.9.37.1.1.1.1 ption txQueuesBand 1.3.6.1.4.1.5655.4.1.11.1.1.5 CISCO-QUEUE-M cQStatsBandwidth 1.3.6.1.4.1.9.9.37.1.2.1.5 width txQueuesUtiliz 1.3.6.1.4.1.5655.4.1.11.1.1.6 Not mapped ation txQueuesUtiliz 1.3.6.1.4.1.5655.4.1.11.1.1.7 Not mapped ationPeak txQueuesUtiliz 1.3.6.1.4.1.5655.4.1.11.1.1.8 Not mapped ationPeakTime

  • Page 252

    1.3.6.1.4.1.5655.4.1.12.1.1.5 ciscoServiceControlGlobalC 1.3.6.1.4.1.9.9.9999.1.5.1.1. ontrollersBandwidth globalControllersUtilization 1.3.6.1.4.1.5655.4.1.12.1.1.6 ciscoServiceControlGlobalC 1.3.6.1.4.1.9.9.9999.1.5.1.1. ontrollersUtilization globalControllers 1.3.6.1.4.1.5655.4.1.12.1.1.7 Not mapped UtilizationPeak globalControllers 1.3.6.1.4.1.5655.4.1.12.1.1.8 Not mapped UtilizationPeakTime globalControllers 1.3.6.1.4.1.5655.4.1.12.1.1.9 Not mapped ClearCountersTime globalControllers 1.3.6.1.4.1.5655.4.1.12.1.1.10 Not mapped DroppedBytes

  • Page 253

    1.3.6.1.4.1.5655.4.1.15.1.1.6 cscaTypeTotalNumSeconds 1.3.6.1.4.1.9.9.5555.1.2.1.6 onds
    New Objects at this MIB - Used For TRAPS
    cscaType | 1.3.6.1.4.1.9.9.5555.1.1.1
    cscaSourceAddressType | 1.3.6.1.4.1.9.9.5555.1.1.2
    cscaSourceAddress | 1.3.6.1.4.1.9.9.5555.1.1.3
    cscaDestinationAddressType | 1.3.6.1.4.1.9.9.5555.1.1.4
    cscaDestinationAddress | 1.3.6.1.4.1.9.9.5555.1.1.5
    cscaDestinationPort | 1.3.6.1.4.1.9.9.5555.1.1.6
    cscaFilterStatus | 1.3.6.1.4.1.9.9.5555.1.1.7
    cscaDescription | 1.3.6.1.4.1.9.9.5555.1.1.8
    cscaNotifsEnabled | 1.3.6.1.4.1.9.9.5555.1.1.9

  • Page 254

    Object Name New MIB New Object Name operationalStatus 1.3.6.1.4.1.5655.4.0.1 CISCO-ENTITY-FRU- cefcModuleStatusCh 1.3.6.1.4.1.9.9.117.2.0. OperationalTrap CONTROL-MIB ange operationalStatus 1.3.6.1.4.1.5655.4.0.2 CISCO-ENTITY-FRU- cefcModuleStatusCh 1.3.6.1.4.1.9.9.117.2.0. WarningTrap CONTROL-MIB ange operationalStatusFailur 1.3.6.1.4.1.5655.4.0.3 CISCO-ENTITY-FRU- cefcModuleStatusCh 1.3.6.1.4.1.9.9.117.2.0. eTrap CONTROL-MIB ange

  • Page 255

    SERVER-MIB telnetSessionBadLogin 1.3.6.1.4.1.5655.4.0.17 CISCO-TELNET- ctsSessionLoginFail 1.3.6.1.4.1.9.9.630.0.4 Trap SERVER-MIB loggerUserLogIsFullTr 1.3.6.1.4.1.5655.4.0.18 CISCO-ENTITY- ceAlarmAsserted/ 1.3.6.1.4.1.9.9.138.2.0. ALARM-MIB ceAlarmCleared 1.3.6.1.4.1.9.9.138.2.0. sntpClockDriftWarnTr 1.3.6.1.4.1.5655.4.0.19 CISCO-ENTITY- ceAlarmAsserted/ 1.3.6.1.4.1.9.9.138.2.0. ALARM-MIB ceAlarmCleared 1.3.6.1.4.1.9.9.138.2.0. linkModeBypassTrap 1.3.6.1.4.1.5655.4.0.20 CISCO-SERVICE- cServiceControlLink 1.3.6.1.4.1.9.9.631.0.1 CONTROL-LINK-MIB ModeChangeTrap

  • Page 256

    1.3.6.1.4.1.9.9.117.2.0. Trap CONTROL-MIB ange chassisLineFeedAlarm 1.3.6.1.4.1.5655.4.0.36 CISCO-ENTITY-FRU- cefcPowerStatusCha 1.3.6.1.4.1.9.9.117.2.0. OnTrap CONTROL-MIB rdrFormatterCategory 1.3.6.1.4.1.5655.4.0.37 CISCO-SERVICE- cServiceControlRdr 1.3.6.1.4.1.9.9.637.0.2 DiscardingReportsTrap CONTROL-RDR-MIB CategoryDiscarding ReportsTrap rdrFormatterCategory 1.3.6.1.4.1.5655.4.0.38 CISCO-SERVICE- cServiceControlRdr 1.3.6.1.4.1.9.9.637.0.1 StoppedDiscarding CONTROL-RDR-MIB CategoryStopped ReportsTrap DiscardingReportsTr

  • Page 257

    OIDs can be used: used: 1.3.6.1.4.1.9.9.138.2.0. ceAlarmAsserted ceAlarmCleared 1.3.6.1.4.1.9.9.138.2.0. mplsVpnTotalHW 1.3.6.1.4.1.5655.4.0.48 CISCO-ENTITY- ceAlarmAsserted/ 1.3.6.1.4.1.9.9.138.2.0. MappingsThreshold ALARM-MIB ceAlarmCleared ExceededTrap 1.3.6.1.4.1.9.9.138.2.0.
    Note: ApplicationGrp (1.3.6.1.4.1.5655.4.1.13) is not mapped to a current MIB.

  • Page 258

    Appendix A Cisco Service Control MIBs pcube to Cisco MIB Mapping

  • Page 259: Appendix

    The SCE platform exposes several indicators to allow the network operators to easily monitor whether it is working within its performance and capacity specifications:
    • CPU Utilization, page B-2
    • Flows Capacity, page B-2
    • Subscribers Capacity, page B-2

  • Page 260: Service Loss

    • show snmp MIB cisco-service-control-subscriber
    The Cisco SCE8000 platform supports up to 250K subscribers. You should make sure that the number of Introduced Subscribers plus the number of Anonymous Subscribers stays below this figure. When subscriber utilization exceeds 90%, special attention should be given and sizing should be reconsidered.

  • Page 261: Monitoring Service Loss

    Monitoring Service Loss SNMP • cscTpServiceLoss MIB available for each traffic processor. Refer to the cisco-service-control-tp-stats MIB for more information. It is expected that the SCE platform user will define timeslots in which this variable is monitored (reset it between timeslots). Note The units for this variable are 0.001% and the information is rounded down.

  • Page 262

    Appendix B Monitoring SCE Platform Utilization Service Loss
