Support For Icsr Configurations - Cisco ASR 5000 Series Administration Manual

Support for ICSR Configurations

• Change the chassis key to the new desired value.
• Save the configuration with this new chassis key.
Refer to Configuring a Chassis Key in System Settings for additional information.
Support for ICSR Configurations
Inter-Chassis Session Recovery (ICSR) is a redundancy configuration that employs two identically configured
ASR 5500 chassis/instances as a redundant pair.
ICSR pairs share the same chassis key. If the ISCR detects that the two chassis/instances have incompatible
chassis keys, an error message is logged but the ICSR system will continue to run. Without the matching
chassis key, the standby ICSR peer can recover services if the active peer goes out of service; the standby
peer will still have access to the passwords in their decrypted form.
ICSR peers use Service Redundancy Protocol (SRP) to periodically check to see if the redundancy configuration
matches with either decrypted passwords or DES-based two-way encryption strings. Since the configuration
is generated internally to the software, users are not able to access the configuration used to check ICSR
compatibility.
Encrypted SNMP Community Strings
Simple Network Management Protocol (SNMP) uses community strings as passwords for network elements.
Although these community strings are sent in clear-text in the SNMP PDUs, the values can be encrypted in
the configuration file.
The snmp community encrypted name command enables the encryption of SNMP community strings. For
additional information, see the Global Configuration Mode Commands chapter in the Command Line Interface
Reference.
Lawful Intercept Restrictions
This section describes some of the security features associated with the provisioning of Lawful Intercept (LI).
LI Server Addresses
An external authenticating agent (such as RADIUS or Diameter) sends a list of LI server addresses as part of
access-accept. For any intercept that was already installed or will be installed for that subscriber, a security
check is performed to match the LI server address with any of the LI-addresses that were received from the
authenticating agent. Only those addresses that pass this criteria will get the intercepted information for that
subscriber.
While configuring a campon trigger, the user will not be required to enter the destination LI server addresses.
When a matching call for that campon trigger is detected, a security check is done with the list received from
the authentication agent. The LI-related information is only forwarded if a matching address is found.
When an active-only intercept is configured, if a matching call is found, a security check is made for the LI
address received from the authentication agent and the intercept configuration will be rejected.
ASR 5500 System Administration Guide, StarOS Release 21.4
110
System Security