Cisco SCE 8000 10GBE Software
Configuration Guide
Release 4.1.x
February 07, 2014
Cisco Systems, Inc.
www.cisco.com
Cisco has more than 200 offices worldwide. 
Addresses, phone numbers, and fax numbers 
are listed on the Cisco website at 
www.cisco.com/go/offices.
Text Part Number: OL-30621-02


Summary of Contents for Cisco SCE 8000 10GBE

  • Page 2 OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. Cisco and the Cisco logo are trademarks or registered trademarks of Cisco and/or its affiliates in the U.S. and other countries. To view a list of Cisco trademarks, go to this URL: www.cisco.com/go/trademarks.
  • Page 3: Table Of Contents

    Authorization and Command Mode Levels (Hierarchy) CLI Authorization Levels CLI Command Mode Hierarchy Prompt Indications Navigating Between Authorization Levels and Command Modes The do Command: Executing Commands Without Exiting CLI Help Features Partial Help Argument Help...
  • Page 4 How to Save or Change the Configuration Settings Example for Saving or Changing the Configuration Settings Restoring a Previous Configuration Example for Restoring a Previous Configuration How to Display the Cisco SCE Platform Version Information 3-10 Example for Displaying the Cisco SCE Platform Version Information 3-10...
  • Page 5 Contents Rebooting and Shutting Down the Cisco SCE Platform 3-23 Rebooting the Cisco SCE Platform 3-23 Examples for Rebooting the Cisco SCE Platform 3-23 How to Shut Down the Cisco SCE Platform 3-23 Example for Shutting Down the Cisco SCE Platform...
  • Page 6 Monitoring the Management Interface 5-10 Configuring Management Interface VLANs 5-11 Monitoring Management VLANs 5-14 TACACS+ Authentication, Authorization, and Accounting 5-15 Information About TACACS+ Authentication, Authorization, and Accounting 5-15 Login Authentication 5-15 Accounting 5-16...
  • Page 7 Configuring Telnet Timeout 5-36 Configuring the SSH Server 5-37 The SSH Server 5-37 Key Management 5-37 Managing the SSH Server 5-38 Generating a Set of SSH Keys 5-38 Enabling the SSH Server 5-38...
  • Page 8 Configuring the IP Routing Table How to Configure the Default Gateway How to Add an Entry to the IP Routing Table How to Display the IP Routing Table IP Advertising Configuring IP Advertising...
  • Page 9 How to Define the SNTP Unicast Update Interval 6-15 Options 6-15 How to Display SNTP Information 6-15 Domain Name Server (DNS) Settings 6-17 Configuring DNS Lookup 6-17 How to Enable DNS Lookup 6-17 How to Disable DNS Lookup 6-17...
  • Page 10 Displaying Current DNS Settings: Example 6-19 Configuring Cisco Discovery Protocol 6-20 Cisco Discovery Protocol 6-20 Cisco Discovery Protocol on the Cisco SCE 8000 Platform 6-21 CDP Operational Modes on the Cisco SCE 8000 6-21 CDP Limitations on the Cisco SCE 8000 6-22...
  • Page 11 How to Create a Traffic Rule for IPv4 Addresses 7-29 How to Create a Traffic Rule for IPv6 Addresses 7-32 How to Delete a Traffic Rule 7-33 How to Delete All Traffic Rules 7-33...
  • Page 12 8-10 How to Display the Hardware Bypass Status of a Static Party 8-11 How to Display the Startup Configuration Party Database 8-11 How to Display the Currently Running Party Database Configuration 8-12...
  • Page 13 8-21 Configure the Failure Recovery Mode: Examples 8-21 Configuring the Cisco SCE Platform/SM Connection 8-22 Configuring the Behavior of the Cisco SCE Platform in Case of Failure of the SM 8-22 Options 8-22 Configuring the SM-SCE Platform Connection Timeout 8-22...
  • Page 14 Displaying the RDR Formatter Configuration: Example 9-19 How to Display the Current RDR Formatter Statistics 9-19 Displaying the Current RDR Formatter Statistics: Example 9-19 Disabling the Linecard from Sending RDRs 9-21 Disabling RDR Aggregation 9-22...
  • Page 15 How to Remove All the Anonymous Subscribers 10-14 How to Remove All Subscriber Templates 10-15 Removing VPN-based Subscribers 10-15 How to Remove Subscribers by Device 10-15 How to Remove Subscribers from the SM 10-15...
  • Page 16 How to Enable Aging for Anonymous Group Subscribers 10-34 How to Enable Aging for Introduced Subscribers 10-34 How to Disable Aging for Anonymous Group Subscribers 10-34 How to Disable Aging for Introduced Subscribers 10-35...
  • Page 17 How to Display VPN-Related Mappings 10-37 How to Clear Automatic VPNs 10-37 Configuring the Cisco SCE Platform/SM Connection 10-39 Configuring the Behavior of the Cisco SCE Platform in Case of Failure of the SM 10-39 Options 10-39 Configuring the SM-SCE Platform Connection Timeout 10-40...
  • Page 18 How to View the Current Connection Mode 11-14 How to View the Cisco SCE-ID 11-15 How to View the Current Redundancy Status of the Cisco SCE Platform 11-15 How to View Information about the Peer Cisco SCE Platform 11-15 How to View Information about the Cascade Connections...
  • Page 19 How to Display the List of Ports Selected for Subscriber Notification 12-31 How to Find out Whether Hardware Attack Filtering has been Activated 12-32 Viewing the Attack Log 12-32 The Attack Log 12-32...
  • Page 20 Single ISG Router with Two Cascaded Cisco SCE Platforms (1xISG – 2xCisco SCE) 13-4 Multiple ISG Routers with Two Cascaded Cisco SCE Platforms (NxISG – 2xCisco SCE) 13-5 Multiple ISG Routers with Multiple Cisco SCE Platforms via Load Balancing (NxISG – MxCisco SCE) 13-6 SCMP Peer Devices...
  • Page 21 Data Flow 14-15 Multiple Cisco SCE Platforms, Multiple VAS Servers 14-15 SNMP Support for VAS 14-17 Interactions Between VAS Traffic Forwarding and Other Cisco SCE Platform Features 14-18 Incompatible Cisco SCE Platform Features 14-18 VAS Traffic Forwarding and DDoS Processing 14-18...
  • Page 22 How to Display Operational and Configuration Information for All VAS Server Groups 14-33 How to Display Operational and Configuration Information for a Specific VAS Server 14-33 Example 14-33 How to Display Operational and Configuration Information for All VAS Servers 14-34...
  • Page 23 Appendix Introduction MIB Files Loading MIBs pcube to Cisco MIB Mapping Pcube Engage MIB (CISCO-SCAS-BB-MIB) pcube to Cisco MIB Mapping: Detailed OID Mappings Cisco SCE Platform-Specific MIB Information A-26 CISCO-ENTITY-ALARM-MIB A-26 MIB Updates A-27 Release 3.5.5 MIB Updates...
  • Page 24 Cisco SCE Platform Utilization Indicators CPU Utilization Flows Capacity Subscribers Capacity Service Loss Monitoring Service Loss Cisco SCE 8000 Licensing Information Appendix OpenSSH License NetSNMP License...
  • Page 25: About This Guide

    Revised: February 07, 2014, OL-30621-02 Introduction This preface describes who should read Cisco SCE 8000 10GBE Software Configuration Guide, how it is organized, and its document conventions. This guide is for experienced network administrators who are responsible for configuring and maintaining the Cisco SCE platform.
  • Page 26: Document Revision History

    “Configuring and Managing the SNMP Interface” section on page 5-41 with SNMPv3 details. • Updated the “Tunneling Protocols” section on page 7-4. • Added “Release 4.1.0 MIB Updates” section on page A-30...
  • Page 27 Chapter 1 Cisco Service Control Overview Overview of Cisco SCE platform management. Chapter 2 Command-Line Interface Detailed explanation of how to use the Cisco SCE Command-line Interface. Chapter 3 Basic Cisco SCE 8000 Platform Explanation of how to manage configurations,...
  • Page 28 Monitoring Cisco SCE Platform Utilization: Explanation of how to monitor Cisco SCE platforms that are installed in real traffic. Appendix C, Cisco SCE 8000 Licensing Information: Copy of OpenSSH and NetSNMP license information...
  • Page 29: Related Publications

    Related Publications Your Cisco SCE platform and the software running on it contain extensive features and functionality, which are documented in the following resources: • For further information regarding the Service Control CLI and a complete listing of all CLI...
  • Page 30 Means the described action saves time. You can save time by performing the action described in the paragraph. Warning Means reader be warned. In this situation, you might perform an action that could result in bodily injury...
  • Page 31: Obtaining Documentation And Submitting A Service Request

    Cisco technical documentation, at: http://www.cisco.com/en/US/docs/general/whatsnew/whatsnew.html Subscribe to the What’s New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application. The RSS feeds are a free service. Cisco currently supports RSS Version 2.0.
  • Page 33: Introduction

    Revised: February 07, 2014, OL-30621-02 Introduction This chapter provides a general overview of the Cisco Service Control solution. It introduces the Cisco service control concept and capabilities. It also briefly describes the hardware capabilities of the service control engine (Cisco SCE) platform and the Cisco specific applications that together compose the complete Cisco service control solution.
  • Page 34: Chapter 1 Cisco Service Control Overview

    IP services. The Cisco service control application for broadband adds a layer of service intelligence and control to existing networks that can: • Report and analyze network traffic at subscriber and aggregate level for capacity planning...
  • Page 35: Cisco Service Control Capabilities

    Cisco Service Control Capabilities The core of the Cisco service control solution is the network hardware device: the Service control engine (Cisco SCE). The core capabilities of the Cisco SCE platform, which support a wide range of applications for delivering service control solutions, include:...
  • Page 36: Cisco Sce Platform Description

    The Cisco SCE family of programmable network devices performs application-layer stateful-flow inspection of IP traffic, and controls the traffic based on configurable rules. The Cisco SCE platform is a network device that uses ASIC components and reduced instruction set computer (RISC) processors to go beyond packet counting and expand into the contents of network traffic.
  • Page 37: Bandwidth Management Of P2P Traffic

    P2P, and IM and if required, associate these rules to separate Bandwidth Controls (BWCs). With BWC enforcement, you can limit the networking flows for all types of applications. There are three types of rules in the Cisco SCE which can be used for bandwidth enforcement at different levels.
  • Page 38: Management And Collection

    No bandwidth control is enforced upon the subscribers. This results in unlimited bandwidth to the subscriber. Management and Collection The Cisco service control solution includes a complete management infrastructure that provides the following management components to manage all aspects of the solution: • Network management...
  • Page 39: Subscriber Management

    The collection manager software is an implementation of a collection system that receives RDRs from one or more Cisco SCE platforms. It collects these records and processes them in one of its adapters. Each adapter performs a specific action on the RDR.
  • Page 40: Ipv6 Support

    IPv6 Support The Cisco SCE 8000 devices support processing of IPv6 traffic. The features that are available for IPv4, such as traffic processing, application classification and control, and management APIs, are available for IPv6 too.
  • Page 41 Cisco SCE 8000 supports a maximum of 1M subscriber range. This means that the Cisco SCE can support a maximum of 1M subscribers with one mapping (either IPv4 or IPv6). But when the dual stack mode is enabled and all subscribers are dual stack subscribers—subscribers with one IPv4 and...
  • Page 43: Introduction

    The CLI is accessed through a Telnet session or directly via the console port on the front panel of the Cisco SCE platform. When you enter a Telnet session, you enter as the simplest level of user, in the User Exec mode.
  • Page 44: Authorization And Command Mode Levels (Hierarchy)

    To monitor the system, you must have Viewer authorization, while to perform administrative functions on the Cisco SCE platform, you must have Admin or Root authorization. A higher level of authorization is accessed by logging in with the appropriate password, as described in the procedures below.
  • Page 45: Chapter 2 Command-Line Interface

    The next levels in the hierarchy are the Global and Interface configuration modes, which hold a set of commands that control the global configuration of the Cisco SCE platform and its interfaces. Any of the parameters set by the commands in these modes should be saved in the startup configuration, such that in the case of a reboot, the Cisco SCE platform restores the saved configuration.
  • Page 46 [Figure: CLI command mode hierarchy, showing Global Configuration Mode, Line Card Interface Configuration Mode, Interface Configuration Mode (Management), Interface Configuration Mode (Traffic), Interface Range Configuration Mode, and Line Configuration Mode, with Exit transitions between them.]
  • Page 47 Exit Linecard Interface configuration mode to user exec mode
        SCE#configure
        SCE(config)#clock timezone PST -10
        SCE(config)#interface mng 0/1
        SCE(config if)#speed 100
        SCE(config if)#exit
        SCE(config)#interface Linecard 0
        SCE(config if)#link mode forwarding
        SCE(config if)#end
        sce>
    ...
  • Page 48: Prompt Indications

    (config if range)# Line Configuration (config-line)# Example: The prompt SCE1(config if)# indicates: • The name of the Cisco SCE platform is SCE1 • The current CLI mode is Interface configuration mode • The user has Admin authorization level Navigating Between Authorization Levels and Command Modes The authorization levels and command modes function together under one hierarchy.
  • Page 49: The Do Command: Executing Commands Without Exiting

    EXEC mode command (such as a show command) or a privileged EXEC (such as show running-config) without exiting to the relevant command mode. Use the do command for this purpose...
  • Page 50 The specified command executes without exiting to the appropriate exec command mode. The following example shows how to display the running configuration while in interface configuration mode. SCE(config if)# do show running-config...
  • Page 51: Cli Help Features

    (“) marks to enclose the string. DECIMAL Any decimal number. Positive number is assumed, for negative numbers use the “–” symbol. A hexadecimal number; must start with either 0x or 0X...
  • Page 52 List the keywords associated with the specified command. <command keyword> ? List the arguments associated with the specified keyword. Leave a space between the keyword and question mark. Example: show ? access-lists Show all access-lists...
  • Page 53: Navigational And Shortcut Features

    Ctrl-L Re-display the current command line. Ctrl-R Keyboard Shortcuts The Cisco SCE platform has several keyboard shortcuts that make it easier to navigate and use the system. Table 2-8 shows the keyboard shortcuts available. You can display the keyboard shortcuts at any time by typing help bindings.
  • Page 54: Auto-Completion

    The following example illustrates how to use the completion feature with a non-default value for the argument. In this example, the enable command is completed using the specified value (15) for the authorization level.
        SCE>en 15 <Enter>
        Password:
        sce#
    ...
  • Page 55: Ftp User Name And Password

    FTP protocol.
        sce#ip FTP password pw123
        sce#ip FTP username user1
        sce#copy ftp://@10.10.10.10/h:/config.tmp myconf.txt
        connecting 10.10.10.10 (user name user1 password pw123) to retrieve config.tmp
        sce#
    ...
  • Page 56: Managing Command Output

    All previous lines are excluded. The syntax of filtered commands is as follows: • command | include expression • command | exclude expression • command | begin expression...
  • Page 57: Redirecting Command Output To A File

    Redirect that output to a file named current_gold_subscribers. The output should not overwrite existing entries in the file, but should be appended to the end of the file.
        sce# more subscribers_10.10.2008 | include gold | append current_gold_subscribers
    ...
  • Page 58: Creating A Cli Script

    Cisco SCE platforms and you want to run the same configuration commands on each platform, you could create a script on one platform and run it on all the other Cisco SCE platforms. The available script commands are: • script capture...
  • Page 59: Introduction

    Basic Cisco SCE 8000 Platform Operations Revised: February 07, 2014, OL-30621-02 Introduction This chapter describes how to start up, reboot, and shut down the Cisco SCE 8000 platform. It also describes how to manage configurations. • Starting the Cisco SCE 8000 Platform, page 3-2...
  • Page 60: Starting The Cisco Sce 8000 Platform

    Subsequent startups – Line interfaces are properly cabled (optional) – Cisco SCE 8000 platform is connected to at least one of the following types of management stations: – Direct connection to local console (CON port) – Remote management station via the LAN (Mng port)...
  • Page 61: Final Tests

    The Status LED should be a constant amber while booting. After a successful boot, the Status LED is steady green. Note: It takes several minutes for the Cisco SCE 8000 to boot and for the status LED to change from amber to green.
  • Page 62 Total warning messages: 0 Total error messages: 0 Total fatal messages: 0 If there are “Total error messages” or “Total fatal messages”, use the show logger device user-file-log command to display details about the errors...
  • Page 63: Managing Configurations

    This configuration, referred to as the running-config, is saved in the Cisco SCE platform volatile memory and is effective while the Cisco SCE platform is up. After reboot, the Cisco SCE platform loads the startup-config, which includes the non-default configuration that was saved by the user, into the running-config.
  • Page 64: How To Save Or Change The Configuration Settings

    The Cisco SCE platform provides multiple interfaces for the purpose of configuration and management. All interfaces supply an API to the same database of the Cisco SCE platform and any configuration made through one interface is reflected through all interfaces. Furthermore, when saving the running configuration to the startup configuration from any management interface, all configuration settings are saved regardless of the management interface used to set the configuration.
  • Page 65: Example For Saving Or Changing The Configuration Settings

    "ignore_filter" first-rule 4 num-rules 32
    flow-filter partition name "udpPortsToOpenBySw" first-rule 40 num-rules 21
    SCE#copy running-config startup-config
    Writing general configuration file to temporary location...
    Backing-up general configuration file...
    Copy temporary file to final location...
    SCE#
    ...
  • Page 66: Restoring A Previous Configuration

    RDR-formatter destination 10.56.96.26 port 33000 category number 3 priority 100
    RDR-formatter destination 10.56.96.26 port 33000 category number 4 priority 100
    interface LineCard 0
    connection-mode inline on-failure external-bypass
    no silent
    no shutdown
    attack-filter subscriber-notification ports 80
    replace spare-memory code bytes 3145728
    ...
  • Page 67 "com.pcube.management.framework.install.activated.version" "3.1.6 build 79" management-agent property "com.pcube.management.framework.install.activation.date" "Sun May 11 08:44:04 GMT+00:00 2008" flow-filter partition name "ignore_filter" first-rule 4 num-rules 32 flow-filter partition name "udpPortsToOpenBySw" first-rule 40 num-rules 21 SCE#copy /system/config.tx1 /system/config.txt...
  • Page 68: How To Display The Cisco Sce Platform Version Information

    How to Display the Cisco SCE Platform Version Information Use this command to display global static information on the Cisco SCE platform, such as software and hardware version, image build time, system uptime, last open packages names and information on the SLI application assigned.
  • Page 69 cpu-0 SVR : 0x80900121 cpu-0 PVR : 0x80040202 cpu-0 freq : 1500MHz cpu-1 SVR : 0x80900121 cpu-1 PVR : 0x80040202 cpu-1 freq : 1500MHz...
  • Page 70 part-num : 73-9789-02 part-rev : A0 vid : V01 Part number: 73-10598-01 38 Revision: Software revision: LineCard S/N : CAT1202G07D Power Supply type: AC...
  • Page 71: How To Display The Cisco Sce Platform Inventory

    How to Display the Cisco SCE Platform Inventory Unique Device Identification (UDI) is a Cisco baseline feature that is supported by all Cisco platforms. This feature allows network administrators to remotely manage the assets in their network by tracing specific devices through either CLI or SNMP.
  • Page 72 PID: SPA-1X10GE-L-V2 , VID: V02, SN: JAE11517RIO NAME: "SPA-1X10GE-L-V2", DESCR: "SPA-1X10GE-L-V2" PID: SPA-1X10GE-L-V2 , VID: V02, SN: JAE115295HH NAME: "SCE8000 FAN 1", DESCR: "FAN-MOD-4HS"...
  • Page 73 NAME: "SCE8000 Service Control Module (SCM) in slot 1", DESCR: "SCE8000-SCM-E" PID: SCE8000-SCM-E , VID: V01, SN: CAT1122584N NAME: "SCE8000 SPA Interface Processor (SIP) in slot 3", DESCR: "SCE8000-SIP"...
  • Page 74 NAME: "SCE8000 optic 3/2/0", DESCR: "XFP-10GLR-OC192SR " PID: XFP-10GLR-OC192SR , VID: V02, SN: AGA1141N43R NAME: "SCE8000 optic 3/3/0", DESCR: "XFP-10GLR-OC192SR "...
  • Page 75: How To Display The System Uptime

    Displays the system uptime. Example for Displaying the System Uptime The following example shows how to display the system uptime of the Cisco SCE platform. SCE#show system-uptime Cisco SCE8000 uptime is 21 minutes, 37 seconds Configuring the System Mode The Cisco SCE 8000 devices operate in one of the following system modes: IPv4 only system mode—All traffic processors handle only IPv4 traffic.
  • Page 76: Configuring The Ipv6 Prefix Length

    Configuring the IPv6 Prefix Length Cisco SCE 8000 devices identify the IPv6 subscribers based on the MSB 64 bits of the subscriber IPv6 address. Cisco SCE 8000 devices support IPv6 subscribers with a range of /32 to /64 and not less than /32.
  • Page 77 For example, if the system prefix length is 48 for a party mapping configuration party mapping ipv6-address 1234:abcd:2123:abbc:0:0:1e:0 name test, only MSB 48 bits 1234:abcd:2123 is considered for identifying subscriber test...
  • Page 78: Monitoring Control Processor Cpu Utilization

    Cisco SCE log files, which are part of the Cisco SCE support file. This data can be used to monitor the CPU utilization trend of the control processor and the specific internal tasks over time or to view the CPU utilization required for a specific event.
  • Page 79: Example For Monitoring Control Processor Cpu Utilization

    CPU utilization by task in the last minute 5Min CPU utilization by task in the last five minutes Currently not relevant in the Cisco Service Control system. Process Name of the process. For more information, refer to The Processes section of this document.
  • Page 80 Note: When CPU utilization is higher than about 90%, the CPU utilization per task is not reliable and can sum to more than 100%. This is because high CPU utilization can influence the task that samples CPU utilization...
  • Page 81: Rebooting And Shutting Down The Cisco Sce Platform

    How to Shut Down the Cisco SCE Platform Shutting down the Cisco SCE platform is required before turning the power off. This helps to ensure that non-volatile memory devices in the Cisco SCE platform are properly flushed in an orderly manner.
  • Page 82: Example For Shutting Down The Cisco Sce Platform

    IT IS NOW SAFE TO TURN THE POWER OFF. Note: Since the Cisco SCE platform can recover from the power-down state only by being physically turned off (or cycling the power), this command can only be executed from the serial CLI console. This limitation helps prevent situations in which users issue this command from a Telnet session, and then realize that they have no physical access to the Cisco SCE platform.
  • Page 83: Utilities

    Chapter: Utilities Revised: February 07, 2014, OL-30621-02 Introduction This chapter describes the following utilities: • Working with Cisco SCE Platform Files, page 4-2 • The User Log, page 4-7 • Managing Syslog, page 4-10...
  • Page 84: Working With Cisco Sce Platform Files

    Note: Regarding disk capacity: While performing disk operations, the user should take care that the addition of new files that are stored on the Cisco SCE disk does not cause the disk to exceed 70%. • Working with Directories, page 4-2 • Working with Files, page 4-4...
  • Page 85: How To Change Directories

    How to Include Files in Sub-Directories in the Directory Files List, page 4-4 How to List the Files in the Current Directory From the SCE# prompt, type: Command Purpose Lists the files in the current directory...
  • Page 86: Working With Files

    How to Rename a File From the SCE# prompt, type: Command Purpose rename current-file-name new-file-name Renames a file. How to Delete a File From the SCE# prompt, type: Command Purpose delete file-name Deletes a file...
  • Page 87 Uploading a File to a Passive FTP Site: Example The following example uploads the analysis.sli file located on the local flash file system to the host 10.1.1.1, specifying Passive FTP. SCE#copy-passive /appli/analysis.sli ftp://myname:mypw@10.1.1.1/p:/appli/analysis.sli sce#...
  • Page 88 How to Display File Contents From the SCE# prompt, type: Command Purpose more file-name Displays file contents. How to Unzip a File From the SCE# prompt, type: Command Purpose unzip file-name Unzips a file...
  • Page 89: The User Log

    You can view the log file by copying it to an external location or to disk. This command copies both log files to the local Cisco SCE platform disk or any external host running a FTP server. • Copying the User Log to an External Location, page 4-7...
  • Page 90 Viewing the non-volatile counter for the user-file-log, page 4-9 There are two types of log counters: • User log counters—Count the number of system events logged from the Cisco SCE platform last reboot. • Non-volatile counters—These are not cleared during boot time...
  • Page 91: Generating A File For Technical Support

    In order for technical support to be most effective, the user should provide them with the information contained in the system logs. Use the logger get support-file command to generate a support file via FTP for the use of Cisco technical support staff. From the SCE# prompt, type:...
  • Page 92: Managing Syslog

    • To assign a port, you must use the transport udp option. If you are not assigning a port, this is not required, since UDP is the only transport protocol supported for Syslog on the Cisco SCE platform. • Each host requires a separate command.
  • Page 93: How To Add A Remote Syslog Host

    However, you can configure the minimum severity level of the messages to be logged to Syslog. Table 4-1 lists the syslog severity levels and the corresponding SCOS severity levels. Not all syslog severity levels are supported on the Cisco SCE platform. Table 4-1 Syslog and SCOS Severity Levels...
  • Page 94: How To Configure The Minimum Severity Level For Syslog Messages

    The following option is available: • severity-level—The name of the desired severity level at which messages should be logged. Messages at or lower than the specified level are logged. Severity levels supported on the Cisco SCE platform are as follows: – fatal...
  • Page 95: How To Configure The Syslog Facility

    You can configure a maximum number of messages logged per second. In addition, you can specify a severity level above which the rate is unlimited. For example, you can configure a rate limit for all messages below the fatal severity level...
  • Page 96: How To Configure The Syslog Rate Limit

    – If the datetime keyword is used without additional keywords, time stamps will be shown using UTC, without the year, without milliseconds, and without a time zone name...
  • Page 97: How To Configure The Syslog Time Stamp Format

    Step 1 From the SCE (config)# prompt, type logging message-counter and press Enter. Step 2 Monitoring Syslog You can display the following Syslog information: • Current Syslog server configuration. • Syslog counters...
  • Page 98: How To Display The Syslog Configuration

    From the SCE# prompt, type: Command Purpose show logging Displays the syslog configuration. How to Display the Syslog Counters From the SCE# prompt, type: Command Purpose show logging counters Displays the syslog counters.
  • Page 99: Flow Capture

    128 MB on the Cisco SCE 8000 platform (configurable by a const DB). In Cisco SCE 8000 that has two SCM modules, a separate cap file is created by each SCM module, each with a maximum file size of 64 MB.
  • Page 100: The Flow Capture Process

    L3/L4 headers and no more than the configured maximum bytes of L4 payload. Only one maximum L4 payload length value can be configured. This value applies to all recorded packets.
  • Page 101 The cap file marks packets that had a TCP or UDP checksum error when received by the Cisco SCE platform, since the validity of the TCP and UDP checksums cannot be checked for the captured packets due to missing bytes.
  • Page 102: Performing The Flow Capture

    (Do not include the ".cap" file extension; it is appended automatically.) In a system with two Cisco SCE 8000-SCM modules, which creates two capture files, an indicator is appended to this prefix to indicate which Cisco SCE 8000-SCM module created the file. For example, if you assign the filename “myCapFile”, the system creates myCapFile1.cap and...
  • Page 103: Introduction

    • Configuring Access Control Lists (ACLs), page 5-32 • Managing the Telnet Interface, page 5-35 • Configuring the SSH Server, page 5-37 • Configuring and Managing the SNMP Interface, page 5-41
  • Page 104: Management Interface And Security

    Management Interface and Security The Cisco SCE 8000 platform is equipped with two RJ-45 management ports (Port1 and Port2 on the Cisco SCE 8000-SCM-E module in slot 1). These ports provide access from a remote management console to the Cisco SCE platform via a LAN.
  • Page 105: Configuring The Management Ports

    The following Management Interface commands are applied to both management ports, regardless of which port had been specified when entering Management Interface Configuration Mode. Therefore, both ports are configured with one command: • ip address • auto-failover
  • Page 106: Configuring The Management Port Physical Parameters

    IP address for the currently active management port, regardless of which physical port is currently active. The following IP addresses are used internally by the Cisco SCE 8000 platform and cannot be assigned to the management interface: –...
  • Page 107: Configuring The Management Interface Speed And Duplex Parameters

    Note After changing the IP address, you must reload the Cisco SCE platform so that the change will take effect properly in all internal and external components of the Cisco SCE platform. (See “Rebooting and...
  • Page 108 Configuring the Speed of the Management Interface: Example The following example shows how to use this command to configure the Management port to 100 Mbps speed. SCE#config SCE(config)#interface mng 0/1 SCE(config if)#speed 100
  • Page 109: Specifying The Active Management Port

    Step 1 Access the interface configuration mode for the management interface you want to configure as the active management port. From the SCE(config)# prompt, type interface Mng (0/1 | 0/2) and press Enter. Step 2 Type active-port and press Enter.
  • Page 110: Management Interface Redundancy

    • Configuring the Fail-Over Mode, page 5-9 The Cisco SCE platform contains two RJ-45 management ports. The two management ports provide the possibility for a redundant management interface, thus ensuring management access to the Cisco SCE platform even if there is a failure in one of the management links. If a failure is detected in the active management link, the standby port automatically becomes the new active management port.
  • Page 111: Configuring The Fail-Over Mode

    From the SCE(config if)# prompt, type: Command Purpose auto-fail-over Enables automatic failover mode. How to Disable the Automatic Fail-Over Mode From the SCE(config if)# prompt, type: Command Purpose no auto-fail-over Disables automatic failover mode.
  • Page 112: Monitoring The Management Interface

    Displays the specified GBE management duplex | |ip address | auto-fail-over] interface configuration for the specified interface. If no option is specified, all management interface information is displayed for the specified interface.
  • Page 113: Configuring Management Interface Vlans

    Configuring Management Interface VLANs The Cisco SCE management network interface is used for various management services such as: • Accessing the Cisco SCE shell through Telnet or SSH. • SNMP...
  • Page 114 [Figure labels: L3 Switch with InterVLAN Routing; VLAN 110, VLAN 120, VLAN 150, VLAN 200, VLAN 220; Trunk Port; 192.168.10.1; SCE 8000] The following diagram provides another view of the configured management VLAN:
  • Page 115 <service> mng-vlan vlan-id DETAILED STEPS Command Purpose Step 1 enable Enables privileged EXEC mode. Enter your password when prompted. Example: SCE> enable Step 2 configure Enters global configuration mode. Example: SCE#> configure
  • Page 116: Monitoring Management Vlans

    Displays the traffic statistics for the specified VLAN. show vty mng-vlan Displays the management interface VLAN configured for Telnet services. show ip ssh mng-vlan Displays the management interface VLAN configured for SSH services.
  • Page 117: Tacacs+ Authentication, Authorization, And Accounting

    The implementation of TACACS+ protocol allows customers to configure one or more authentication servers for the Cisco SCE platform, providing a secure means of managing the Cisco SCE platform, as the authentication server will authenticate each user. This then centralizes the authentication database, making it easier for the customers to manage the Cisco SCE platform.
  • Page 118 The user is re-prompted a user-configurable number of times, after which the failed login attempt is recorded in the Cisco SCE platform user log and the telnet session is terminated (unless the user is connected to the console port.)
  • Page 119: Command-Level Authorization

    • None Caution If the server goes to AAA fault, the Cisco SCE platform will not be accessible until one of the AAA methods is restored. In order to prevent this, it is advisable to use the "none" method as the last AAA method.
  • Page 120: About Configuring Tacacs+

    If the local database and TACACS+ are both configured, it is recommended to configure the same user names in both TACACS+ and the local database. This will allow the users to access the Cisco SCE platform in case of TACACS+ server failure.
  • Page 121: Configuring The Cisco Sce Platform Tacacs+ Client

    • Configuring the Global Default Timeout, page 5-21 Adding a New TACACS+ Server Host Use this command to define a new TACACS+ server host that is available to the Cisco SCE platform TACACS+ client. The Service Control solution supports a maximum of three TACACS+ server hosts.
  • Page 122: Removing A Tacacs+ Server Host

    TACACS+ servers and clients will use when communicating with each other. Make sure that the specified key is actually configured on the TACACS+ server hosts. – Default = no encryption
  • Page 123: Configuring The Global Default Timeout

    – Default = 5 seconds To define the global default timeout, do the following: From the SCE(config)# prompt, type: Command Purpose tacacs-server timeout timeout-interval Defines global default timeout.
  • Page 124: Managing The User Database

    The password is defined with the username. There are several password options: • No password—Use the nopassword keyword. • Password—Password is saved in clear text format in the local list. Use the password parameter.
  • Page 125 How to Add a User with an MD5 Encrypted Password Entered in Clear Text From the SCE(config)# prompt, type: Command Purpose username name secret 0 password Adds a user with an MD5 encrypted password entered in clear text.
  • Page 126: Defining The User Privilege Level

    MD5 encrypted string. Defining the User Privilege Level Privilege level authorization in the Cisco SCE platform is accomplished by the use of an "enable" command authentication request. When a user requests an authorization for a specified privilege level, by using the "...
  • Page 127 How to Add a User with a Privilege Level and an MD5 Encrypted Password Entered in Clear Text From the SCE(config)# prompt, type: Command Purpose username name privilege level secret 0 password Adds a user with a privilege level and an MD5 encrypted password entered in clear text.
  • Page 128: Login Authentication

    telnet session is terminated. This is relevant only for Telnet sessions. From the local console, the number of re-tries is unlimited. – Default = three
  • Page 129: Configuring The Aaa Login Authentication Methods

    Deletes login authentication methods list. If the login authentication methods list is deleted, the default login authentication method only (enable password) will be used. TACACS+ authentication will not be used.
  • Page 130: Configuring Aaa Privilege-Level Authorization Methods

    TACACS+ authentication will not be used. Configuring AAA Command-Level Authorization Methods • How to Specify AAA Command-Level Authorization Methods, page 5-29 • How to Delete the AAA Command-Level Authorization Methods List, page 5-29
  • Page 131: Configuring Aaa Accounting

    • How to Disable AAA Accounting, page 5-30 If TACACS+ accounting is enabled, the Cisco SCE platform sends an accounting message to the TACACS+ server after every command execution. The accounting message is logged in the TACACS+ server for the use of the network administrator.
  • Page 132: Monitoring Tacacs+

    Note that, although most show commands are accessible to viewer level users, the 'all' option is available only at the admin level. Use the command 'enable 10' to access the admin level.
  • Page 133: Monitoring Tacacs+ Users

    Note that, although most show commands are accessible to viewer level users, this command is available only at the admin level. Use the command 'enable 10' to access the admin level.
  • Page 134: Configuring Access Control Lists (Acls)

    • Global (IP) level: If a global list is defined using the ip access-class command, when a request comes in, the Cisco SCE platform first checks if there is permission for access from that IP address. If not, the Cisco SCE does not respond to the request. Configuring the Cisco SCE platform to deny a certain IP address would preclude the option of communicating with that address using any IP-based protocol including Telnet, FTP, ICMP, RPC, SSH, and SNMP.
  • Page 135: Adding Entries To An Acl

    Note The Cisco SCE Platform will respond to ping commands only from IP addresses that are allowed access. Pings from a non-authorized address will not receive a response from the Cisco SCE platform, as ping uses ICMP protocol.
  • Page 136: Defining A Global Acl

    Defining a Global ACL A global ACL permits or denies all traffic to the Cisco SCE platform. From the SCE(config)# prompt, type: Command Purpose ip access-class number...
  • Page 137: Managing The Telnet Interface

    • Assign an ACL to permit or deny incoming connections. • Timeout for Telnet sessions, that is, if there is no activity on the session, how long the Cisco SCE platform waits before automatically cutting off the Telnet connection.
  • Page 138: Removing Acl Assignment From The Telnet Interface

    Removes the ACL assignment from the Telnet interface, so that any IP address may now access the Telnet interface. Configuring Telnet Timeout The Cisco SCE platform supports timeout of inactive Telnet sessions. Options The following options are available: • timeout—The length of time in minutes before an inactive Telnet session will be timed-out.
  • Page 139: Configuring The Ssh Server

    The SSH server implementation provides protection against eavesdroppers who can monitor the management communication channels of the Cisco SCE platform, but it does not provide protection against a user with knowledge of the ‘enable’ password.
  • Page 140: Disabling The Ssh Server

    SCE8000(config)# aaa authentication login default none From the SCE(config)# prompt, type: Command Purpose ip ssh Enables SSH server. Disabling the SSH Server From the SCE(config)# prompt, type: Command Purpose no ip ssh Disables SSH server.
  • Page 141: Running Only Sshv2

    However, if the startup-configuration specifies that the SSH server is enabled, the Cisco SCE platform will not be able to start the SSH server on startup if the keys have been deleted. To avoid this situation, after executing this command, always do one of the following before the Cisco SCE platform is restarted (using reload): Generate a new set of keys.
  • Page 142: Monitoring The Status Of The Ssh Server

    Use this command to monitor the status of the SSH server, including current SSH sessions. From the SCE> prompt, type: Command Purpose show ip ssh Monitors the status of SSH server.
  • Page 143: Configuring And Managing The Snmp Interface

    The User-based Security Model (USM) is the default security model. USM and its attributes are described in RFC 2574. Cisco SCE platform implementation of SNMP supports all MIB II variables, as described in RFC 1213, and defines the SNMP traps using the guidelines described in RFC 1215.
  • Page 144: Security Considerations

    (in-band management is not supported). In addition, the Cisco SCE platform supports the option to configure community of managers for read-write accessibility or for read-only accessibility. Furthermore, an ACL may be associated with the SNMP agent by assigning it to one of the community strings to allow SNMP management to a restricted set of manager IP addresses.
  • Page 145: About Cli

    • CLI Commands for Monitoring SNMP, page 5-44 The Cisco SCE platform supports the CLI commands that control the operation of the SNMP agent. All the SNMP commands are available in Admin authorization level. The SNMP agent is disabled by default and any SNMP configuration command enables the SNMP agent (except where there is an explicit disable command).
  • Page 146: About Mibs

    Control MIBs” section on page A-1 Configuration via SNMP Cisco SCE platform supports a limited set of variables that may be configured via SNMP (read-write variables). Setting a variable via SNMP (as via the CLI) takes effect immediately and affects only the running-configuration.
  • Page 147: Enabling The Snmp Interface

    • SNMP Get, Get-next, and Get-bulk requests are valid if the community string in the request matches the read-only community. • SNMP Get, Get-next, Get-bulk and Set requests are valid if the community string in the request matches the agent’s read-write community.
  • Page 148: Defining A Community String

    Since read-only is the default, it does not need to be defined explicitly. SCE(config)#snmp-server community mycommunity 1 Removing a Community String From the SCE(config)# prompt, type: Command Purpose no snmp-server community community-string Removes a community string.
  • Page 149: Displaying The Configured Community Strings

    Table A-20 on page A-21). After a host or hosts are configured to receive notifications, by default, the Cisco SCE platform sends to the host or hosts all the notifications supported by the Cisco SCE platform except for the AuthenticationFailure notification. The Cisco SCE platform provides the option to enable or disable the sending of this notification, as well as some of the Cisco SCE enterprise notifications, explicitly.
  • Page 150: Configuring Snmp Server Group

    This is the view used for SNMPSET. Configuring SNMP Server View Use this command to configure the SNMP v3 server view on the Cisco SCE platform. At the SCE(config)# prompt, type:
  • Page 151: Configuring Snmp Server User

    Note Configuring SNMP Server User Use this command to configure the SNMP v3 server user on the Cisco SCE platform. To configure a large number of SNMPv3 users, disable the SNMP agent before configuring the users. Enable the SNMP agent after configuring all users.
  • Page 152: Defining Snmp Hosts

    Defining SNMP Hosts Use this command to define the hosts that will receive notifications from the Cisco SCE platform. • How to Configure the Cisco SCE Platform to Send Notifications to a Host (NMS), page 5-50...
  • Page 153: Configuring Snmp Traps

    Configures Cisco SCE platform to stop sending notifications to a host. Configuring the Cisco SCE Platform to Stop Sending Notifications to a Host: Example The following example shows how to remove the host with the IP Address: “192.168.0.83”. SCE(config)#no snmp-server host 192.168.0.83 Configuring SNMP Traps Use this command to configure the notifications that will be sent to the defined host.
  • Page 154 How to Restore All Notifications to the Default Status At the SCE(config)# prompt, type: Command Purpose default snmp-server enable traps Resets all notifications supported by the Cisco SCE platform to their default status.
  • Page 155: Snmp Walk Acceleration For Linkserviceusage Queries

    The time taken for the SNMP walk on any of the linkServiceUsage queries is reduced considerably. The SNMP walk acceleration enables the Cisco SCE 8000 device to perform LinkUsage MIB queries in the background and cache the results. This may result in higher CPU utilization.
  • Page 156 Privacy protocol: NONE User: ipUser01 : Group Name: ipGroup Authentication Protocol: SHA Privacy protocol: NONE User: ifUserNoAuth : Group Name: ifGroupReadOnly Authentication Protocol: NONE Privacy protocol: NONE User: ifUserRW : Group Name: ifGroup
  • Page 157 Authentication Protocol: SHA Privacy protocol: AES SCE8000#> show snmp user user-name ipUser User: ipUser : Group Name: ipGroup Authentication Protocol: MD5 Privacy protocol: NONE
  • Page 159: Introduction

    • Domain Name Server (DNS) Settings, page 6-17 • Configuring Cisco Discovery Protocol, page 6-20 • Enabling the CLI Interface Warning Banner, page 6-29 • OS Fingerprinting and NAT Detection, page 6-30
  • Page 160: Global Configuration

    Configures the default gateway. Configuring the Default Gateway: Example The following example shows how to set the default gateway IP of the Cisco SCE platform to 10.1.1.1. SCE(config)#ip default-gateway 10.1.1.1
  • Page 161: Chapter 6 Global Configuration

    10.1.1.1 prefix mask next hop | |-----------------|------------------|-----------------| 10.2.0.0 | 255.255.0.0 10.1.1.250 | 10.3.0.0 | 255.255.0.0 10.1.1.253 | 198.0.0.0 | 255.0.0.0 | 10.1.1.251 | 10.1.60.0 | 255.255.255.0 | 10.1.1.5
  • Page 162: Ip Advertising

    IP advertising is the act of periodically sending ping requests to a configured address at configured intervals. This maintains the Cisco SCE platform IP/MAC addresses in the memory of adaptive network elements, such as switches, even during a long period of inactivity.
  • Page 163: How To Display The Current Ip Advertising Configuration

    How to Display the Current IP Advertising Configuration From the SCE# prompt, type: Command Purpose show ip advertising Displays the status of IP advertising (enabled or disabled), the configured destination, and the configured interval.
  • Page 164: Configuring Time Clocks And Time Zone

    • Configuring Daylight Saving Time, page 6-9 The Cisco SCE platform has three types of time settings, which can be configured: the clock, the calendar, and the time zone. It is important to synchronize the clock and calendar to the local time, and to set the time zone properly.
  • Page 165: Displaying The Calendar Time

    SCE#clock set 10:20:00 13 may 2007 SCE#clock update-calendar SCE#show clock 10:21:10 2007 Setting the Calendar The calendar is a system clock that continues functioning even when the system shuts down.
  • Page 166: Options

    = 0 From the SCE(config)# prompt, type: Command Purpose clock timezone zone hours minutes Sets the timezone to the specified timezone name with the configured offset in hours and minutes.
  • Page 167: Setting The Time Zone: Example

    Configuring Daylight Saving Time The Cisco SCE platform can be configured to automatically switch to daylight saving time on a specified date, and also to switch back to standard time. In addition, the time zone code can be configured to vary with daylight saving time if required.
  • Page 168: Guidelines

    • For the clock summer-time recurring command, the default values are the United States transition rules: – Daylight saving time begins: 2:00 (AM) on the second Sunday of March. – Daylight saving time ends: 2:00 (AM) on the first Sunday of November.
  • Page 169: How To Define Recurring Daylight Saving Time Transitions

    SCE(config)# clock summer-time DST April 16 2004 00:00 October 23 2004 23:59 How to Cancel the Daylight Saving Time Configuration From the SCE(config)# prompt, type: Command Purpose no clock summer-time Removes all daylight saving configuration.
  • Page 170: How To Display The Current Daylight Saving Time Configuration

    How to Display the Current Daylight Saving Time Configuration From the SCE# prompt, type: Command Purpose show timezone Displays the current time zone and daylight saving time configuration.
  • Page 171: Configuring Sntp

    How to Enable the SNTP Multicast Client From the SCE(config)# prompt, type: Command Purpose sntp broadcast client Enables the SNTP multicast client. It will accept time updates from any broadcast server.
  • Page 172: How To Disable The Sntp Multicast Client

    How to Disable the SNTP Unicast Client and Remove All Servers From the SCE(config)# prompt, type: Command Purpose no sntp server all Removes all SNTP unicast servers, preventing unicast SNTP query.
  • Page 173: How To Remove One Sntp Server

    SCE(config)# sntp update-interval 100 How to Display SNTP Information From the SCE> prompt, type: Command Purpose show sntp Displays the configuration of both the SNTP unicast client and the SNTP multicast client.
  • Page 174 SCE# show sntp SNTP broadcast client: disabled last update time: not available SNTP unicast client: enabled SNTP unicast server: 128.182.58.100 last update time: Feb 10 2002, 14:06:41 update interval: 100 seconds
  • Page 175: Domain Name Server (Dns) Settings

    How to Enable DNS Lookup From the SCE(config)# prompt, type: Command Purpose ip domain-lookup Enables DNS lookup. How to Disable DNS Lookup From the SCE(config)# prompt, type: Command Purpose no ip domain-lookup Disables DNS lookup.
  • Page 176: Configuring Name Servers

    Removes the specified server from the DNS list. [server-address2 [server-address3]] Removing a Domain Name Server: Example The following example shows how to remove name server (DNS) IP addresses. SCE(config)#no ip name-server 10.1.1.60 10.1.1.61
  • Page 177: How To Remove All Domain Name Servers

    The following example shows how to display current DNS information. SCE#show hosts Default domain is Cisco.com Name/address lookup uses domain service Name servers are 10.1.1.60, 10.1.1.61 Host Address ---- ------- PC85 10.1.1.61 sce#
  • Page 178: Configuring Cisco Discovery Protocol

    Cisco Discovery Protocol CDP is primarily used to obtain protocol addresses of neighboring devices and discover the platform of those devices. It is media- and protocol-independent, and runs on all equipment manufactured by Cisco, including routers, bridges, access servers, and switches.
  • Page 179: Cisco Discovery Protocol On The Cisco Sce 8000 Platform

    generated. In this mode CDP functions as it does on a typical Cisco device. This mode should be used in most cases, even though it is not the default mode. • Bypass mode (default): CDP packets are received and transmitted unchanged. Received packets are...
  • Page 180: Cdp Limitations On The Cisco Sce 8000

    • Setting the Timer, page 6-24 Enabling CDP Globally By default, CDP is enabled on the Cisco SCE 8000. If you prefer not to use the CDP device discovery capability, use the following command to disable it. From the SCE(config)# prompt, type:...
  • Page 181: Setting Cdp Mode

    CDP modes.) Caution In cascade topologies, both Cisco SCE 8000 platforms must be configured to the same CDP mode. By default, the CDP mode is set to bypass. To reset the CDP mode to the default mode (bypass) use the default cdp mode command.
  • Page 182: Setting The Hold Time

    Sets hold time. Setting the Timer Use this command to configure how often the Cisco SCE 8000 platform sends CDP updates. Use either the no or the default form of the command to restore the timer to the default value.
  • Page 183: Monitoring And Maintaining Cdp

    Monitoring and Maintaining CDP To monitor and maintain CDP on the Cisco SCE 8000, use one or more of the following commands. The clear commands are in privileged EXEC mode. The show commands are in viewer mode.
  • Page 184 • Number of times fragments of CDP advertisement were received • CDP version 1 advertisements output • CDP version 1 advertisements input • CDP version 2 advertisements output • CDP version 2 advertisements input
  • Page 185: Cdp Configuration Examples

    Example: Setting the CDP Mode The following example illustrates how to configure CDP mode to ‘standard’. Caution In cascade topologies, both Cisco SCE 8000 platforms must be configured to the same CDP mode. The show command verifies that the CDP configuration has been correctly updated.
  • Page 186 T—Transparent bridge B—Source-routing bridge S—Switch H—Host I—device is using IGMP r—Repeater Note The capability of the Cisco SCE 8000 is ‘r’ (Repeater), since it is installed as a bump-in-the-wire device. Platform The product number of the device. Port ID The protocol and port number of the device.
  • Page 187: Enabling The Cli Interface Warning Banner

    Cisco SCE platform. It can also provide device details, as well as information about the service and application. By default the banner is disabled. You do not have to shut down the Cisco SCE platform in order to enable or disable the banner.
  • Page 188: Os Fingerprinting And Nat Detection

    BB console as part of the status of a subscriber. Restrictions and Limitations Due to the nature of the Cisco SCE platform, there are certain limitations to the scope of the OS fingerprinting and NAT detection feature: OS information is available only for logged-in and active subscribers.
  • Page 189: Configuring Os Fingerprinting

    Enables privileged EXEC mode. Enter your password when prompted. Example: SCE> enable Step 2 configure Enters global configuration mode. Example: SCE# configure Step 3 interface linecard Enters interface linecard configuration mode. Example: SCE(config)# interface linecard 0
  • Page 190 For more information on this command, see the Cisco SCE 8000 CLI Command Reference, Release 3.7.x. Step 10 os-fingerprinting gx-report (Optional) Enables sending subscriber OS information in Gx messages. Example: SCE(config if)# os-fingerprinting gx-report
  • Page 191: Monitoring Os Fingerprinting

    Displays the OS fingerprinting information for the specified subscriber. This name command displays the same information as the show interface linecard slot-number subscriber name name command with the os-info option.
  • Page 193: Introduction

    DSCP marking, and traffic rules. • Line Interfaces, page 7-2 • Tunneling Protocols, page 7-4 • Configuring Traffic Rules and Counters, page 7-26 • DSCP Marking, page 7-36 • Counting Dropped Packets, page 7-37
  • Page 194: Line Interfaces

    Information About Line Interfaces The Cisco SCE 8000 10GBE line interfaces are found on the 1-port Ten Gigabit Ethernet SPAs installed in subslots 0 through 3 of slot 3. Each 1-port Ten Gigabit Ethernet SPA provides one 10GBE port, which interfaces with either subscriber or network traffic.
  • Page 195: Chapter 7 Configuring Line Interface

    Changing the Traffic Direction on the Ten Gigabit Ethernet Line Interfaces The hardware design of the Cisco SCE 8000 10G platform is such that the traffic coming in and out of SPAs 0 and 2 is limited to a total of 16Gbps in each direction, as is the traffic coming in and out of SPAs 1 and 3.
  • Page 196: Tunneling Protocols

    The Cisco SCE platform is designed to recognize and process various tunneling protocols in several ways. The Cisco SCE platform is able to either ignore the tunneling protocols (skip the header) or treat the tunneling information as subscriber information (classify). A special case of classification by tunneling information is VPN with private IP support.
  • Page 197 L2TP is an IP-based tunneling protocol, therefore the system must be specifically configured to recognize the L2TP flows, given the UDP port used for L2TP. The Cisco SCE platform can then skip the external IP, UDP, and L2TP headers, reaching the internal IP, which is the actual subscriber traffic. If L2TP is not configured, the system treats the external IP header as the subscriber traffic, thus all the flows in the tunnel are seen as a single flow.
  • Page 198: Tunneling Ipv6 Traffic

    Cisco SCE supports IPv6 over IPv4 L2TP tunnels. In L2TP IPv6 over IPv4 tunnels, the internal L3 header is IPv6 and the external L3 header is IPv4. The Cisco SCE uses internal IPv6 addresses for tasks such as subscriber awareness, classification, load-balancing, congestion management.
  • Page 199: Selecting The Tunneling Mode

    Configuring DSCP Marking, page 7-14 • Configuring the 6to4 Environment, page 7-15 • Configuring the VLAN Environment, page 7-16 • Configuring the MPLS Environment, page 7-17 • Configuring the L2TP Environment, page 7-18 •
  • Page 200: Configuring The 6To4 Tunnels

    Step 1 From the SCE(config if)#> prompt, enter shutdown and press Enter. Disable 6to4 tunneling. Step 2 From the SCE(config if)#>prompt, enter no ip-tunnel 6to4 and press Enter. Restart the linecard. Step 3
  • Page 201: Configuring Ds-Lite Tunnels

    From the SCE(config if)#> prompt, enter shutdown and press Enter. Enable DS-Lite tunneling. Step 2 From the SCE(config if)#> prompt, enter ip-tunnel DS-Lite and press Enter. Enable DS-Lite extension header support. Step 3
  • Page 202: Configuring L2Tp Tunnels

    Enable L2TP tunneling. From the SCE(config if)#> prompt, enter ip-tunnel l2tp skip and press Enter. Restart the linecard. Step 3 From the SCE(config if)#> prompt, enter no shutdown and press Enter.
  • Page 203: Configuring Gre Tunneling

    GRE tunneling is an IP-based tunneling protocol; therefore the system must be specifically configured to recognize the flows inside the tunnel. The Cisco SCE platform will then skip the external IP header, reaching the internal IP, which is the actual subscriber traffic. When GRE skip is disabled, the system treats the external IP header as the subscriber traffic, resulting in all GRE traffic being reported as generic IP.
  • Page 204 Step 2 From the SCE(config if)#> prompt, enter no ip-tunnel gre skip and press Enter. Step 3 Restart the linecard. From the SCE(config if)#> prompt, enter no shutdown and press Enter.
  • Page 205: Configuring Ipinip Tunneling

    IPinIP is an IP-based tunneling protocol; therefore the system must be specifically configured to recognize the flows inside the tunnel. The Cisco SCE platform will then skip the external IP header, reaching the internal IP, which is the actual subscriber traffic. When IPinIP skip is disabled, the system treats the external IP header as the subscriber traffic, resulting in all IPinIP traffic being reported as generic IP.
  • Page 206: Configuring Dscp Marking

    Source Address Destination Address L4 – L7 Note: DSCP marking should be enabled and configured through SCA BB console. See the Cisco Service Control Application for Broadband User Guide for further information.
  • Page 207: Configuring The 6To4 Environment

    Configuring DSCP Marking on the Internal IP Header Use this command to configure the Cisco SCE platform to mark the DSCP bits of the internal IP header. This command takes effect only when the relevant tunneling mode (GRE skip or IPinIP skip) is enabled.
  • Page 208: Configuring The Vlan Environment

    SCE8000#> copy running-config startup-config Reboot the Cisco SCE 8000 device. Step 5 After Cisco SCE 8000 restarts, you can use the following configuration and show commands to configure the 6to4 and 6rd tunnels: configure interface linecard 0 IP-tunnel 6to4 •...
  • Page 209: Configuring The Mpls Environment

    An asymmetric environment is an environment in which the VLAN tags might not be the same in the upstream and downstream directions of the same flow. The Cisco SCE platform is configured by default to work in symmetric environments. A specific command should be used to allow correct operation of the Cisco SCE platform in asymmetric environments and instruct it to take into consideration that the upstream and downstream of each flow has potentially different VLAN tags.
  • Page 210: Configuring The L2Tp Environment

    L2TP traffic. This can be done based on the IP ranges in use by the internal IPs in the tunnel (as allocated by the LNS), or simply for all the traffic passing through the Cisco SCE platform.
  • Page 211: Displaying The Tunneling Configuration

    (upstream/downstream). Asymmetric tunneling support (asymmetric L2 support) refers to the ability to support topologies where the Cisco SCE platform sees both directions of all flows, but some of the flows may have different layer 2 characteristics (like MAC addresses, VLAN tags, MPLS labels and L2TP headers), which the Cisco SCE platform must specifically take into account when injecting packets into the traffic (such as in block and redirect operations).
  • Page 212: How To Display The Ipinip Configuration

    —The name of a specific currently logged-in VPN for which to display details. all-names —Use this keyword to display all the VPN names that are currently logged into the • system.
  • Page 213: How To Display The Asymmetric L2 Support Mode

    Displays the logged-in VPNs. | all-names} How to Display the Asymmetric L2 Support Mode From the SCE# prompt, type: Command Purpose show interface linecard 0 asymmetric-L2-support Displays asymmetric L2 support mode.
  • Page 214: Managed Vpns

    IP@VpnName, where IP can be either a single IP address or a range of addresses. Managed VPN entities can be configured only via the SM. The Cisco SCE platform CLI can be used to view VPN-related information, but not to configure the VPNs.
  • Page 215: Monitoring Vpn Support

    Monitoring VPN Support The Cisco SCE platform CLI allows you to do the following: Display VPN-related mappings • Monitor subscriber counters • Displaying VPN-related Mappings Use the following Viewer commands to display subscriber mappings. These commands display the following information: •...
  • Page 216 IP range for which to display mapped subscribers • vpn-name—The name of the VPN for which to display mappings. • Use the ‘amount’ keyword to display the number of subscribers rather than a listing of subscriber names.
  • Page 217 Displaying the Number of Subscribers Mapped to range on a Specified VPN: Example SCE> show interface linecard 0 subscriber amount mapping included-in IP 0.0.0.0/0 VPN vpn1 There are 2 subscribers with 4 IP mappings included in IP range '0.0.0.0/0'.
  • Page 218: Configuring Traffic Rules And Counters

    Ignoring certain types of flows. When a traffic rule specifies an “ignore” action, packets matching the rule criteria will not open a new flow, but will pass through the Cisco SCE platform without being processed. This is useful when a particular type of traffic should be ignored by the Cisco SCE platform.
  • Page 219: Traffic Rules

    Configuring Traffic Rules and Counters Traffic Rules A traffic rule specifies that a defined action should be taken on packets processed by the Cisco SCE Platform that meet certain criteria. The maximum number of rules for the Cisco SCE 8000 is 64, which includes not only traffic rules configured via the Cisco SCE platform CLI, but also any additional rules configured by external management systems, such as SCA BB.
  • Page 220: Configuring Traffic Counters

    From the SCE(config if)# prompt, type: Command Purpose no traffic-counter all Removes all traffic counters. Note that a traffic counter cannot be deleted if it is used by any existing traffic rule.
  • Page 221: Configuring Traffic Rules

    Note that the VLAN tag itself is a 12-bit value, and therefore aliasing of the lower 8 bits can occur, depending on the VLAN tags used. direction: Any of the following: upstream/downstream/both
  • Page 222 • • Traffic counter = counter1 • The only action performed will be counting SCE(config if)# traffic-rule name rule1 IP-addresses subscriber-side all network-side 10.10.10.10 protocol all direction both traffic-counter name counter1
  • Page 223 Name = FlowCaptureRule IP addresses: subscriber side = all IP addresses, network side = all IP addresses Direction = both Protocol = 250 Traffic counter name = counter2
  • Page 224: How To Create A Traffic Rule For Ipv6 Addresses

    (not required if the action is count only) One of the following: block—Block the specified traffic. • classical-open-flow-mode—Use the classical open flow mode for the specified flow. • • ignore—Bypass the specified traffic; traffic receives no service.
  • Page 225: How To Delete A Traffic Rule

    Removes the specified traffic rule. How to Delete All Traffic Rules From the SCE(config if)# prompt, enter: Command Purpose no traffic-rule all Removes all existing traffic rules.
  • Page 226: How To Delete All Flow Control Traffic Rules

    How to View a Specified Traffic Counter From the SCE# prompt, type: Command Purpose show interface linecard 0 traffic-counter name counter-name Displays the value of the specified counter and lists the traffic rules that use it.
  • Page 227: How To View All Traffic Counters

    0 traffic-counter name counter-name Resets the specified traffic counter. How to Reset All Traffic Counters From the SCE# prompt, enter: Command Purpose clear interface linecard 0 traffic-counter all Resets all traffic counters.
  • Page 228: Dscp Marking

    DSCP Marking DSCP marking is used in IP networks as a means to signal the priority of a packet. The Cisco Service Control solution supports the DSCP classification on a per-service, per-package level via the SCA BB application. The Cisco SCE platform DSCP marking feature enables marking the DSCP field in the IP header of each packet according to the policy configured via the SCA BB console.
  • Page 229: Counting Dropped Packets

    • About Counting Dropped Packets By default, the Cisco SCE platform hardware drops WRED packets (packets that are marked to be dropped due to BW control criteria). However, this presents a problem for the user who needs to know the number of dropped packets per service. To be able to count dropped packets per service, the traffic processor must see all dropped packets for all flows.
  • Page 231: Introduction

    Configuring the Failure Recovery Mode, page 8-21 • Configuring the Cisco SCE Platform/SM Connection, page 8-22 Note: For more information regarding the physical installation of the Cisco SCE 8000 platform and cabling the connections, see the Cisco SCE8000 10GBE Installation and Configuration Guide...
  • Page 232: Configuring The Connection Mode

    Caution This command can only be used if the line card is in either no-application or shutdown mode. If an application is installed on the Cisco SCE platform, the command will fail with an error message and help instructions. Options The following topology-related parameters are included in the connection mode command.
  • Page 233: Configuring The Connection Mode Examples

    Configuring the Connection Mode Examples Example 1 This example defines a primary Cisco SCE 8000 in a cascaded inline topology. Link 0 is connected to this device, and the link mode on failure is bypass (default). SCE(config if)# connection-mode inline-cascade sce-id 0 priority primary Example 2 This example defines a single-Cisco SCE platform, dual link, receive-only topology.
  • Page 234: Monitoring The Connection Mode And Related Parameters

    0 is connected to peer slot failure mode is bypass Redundancy status is active SCE> Viewing the Cisco SCE-ID: Example SCE> enable 5 Password:<cisco> SCE> show interface linecard 0 sce-id slot 0 sce-id is 1
  • Page 235 Peer SCE's IP address is 10.10.10.10 Monitoring the Connection Status: Examples The following example shows the output of this command in the case of two cascaded Cisco SCE 8000 10GBE platforms where the cascade interfaces have not been connected correctly.
  • Page 236: Configuring The Link Mode

    Cutoff—Completely cuts off flow of traffic through the Cisco SCE platform. Recommendations and restrictions Note the following recommendations and restrictions: For the Cisco SCE 8000 platform, the link mode setting is global, and cannot be set for each link • separately. Therefore the all-links keyword must be used.
  • Page 237: External Optical Bypass

    Figure 8-1. The Cisco SCE 8000 can detect the presence of each external optical bypass device, and warns the user by various means (CLI show command, system operational-state, SNMP traps) if an expected external bypass device is not detected as present.
  • Page 238: How To Deactivate The External Bypass

    External bypass current state is 'not activated'. External bypass failure state is 'activated'. Amount of expected external bypass devices: 2 (automatically configured). Warning: External bypass device expected but not detected on link #1
  • Page 239: Hardware Bypass

    How to Copy the Startup Configuration Party Database and Create a Backup File, page 8-12 • The Cisco SCE 8000 platform supports the Hardware Bypass feature for IPv4 traffic. The main objective of this feature is to bypass the traffic of the configured static parties created in the hardware bypass mode at the hardware (SIP module) level, based on their IP address or IP range.
  • Page 240: How To Disable The Hardware Bypass Mode

    From the SCE(config)#> prompt, type: Command Purpose no hw-bypass mode Disables the hardware bypass mode of the Cisco SCE 8000 platform. It also allows you to reset the hardware bypass state for the specified static parties when these parties are configured in this mode.
  • Page 241: How To Display The Hardware Bypass Status Of A Static Party

    July 2011 #cli-type 1 #version 1 hw-bypass mode party name "N/A" party name "[party-name]" party mapping ip-address 24.11.52.128 name [party-name] party mapping ip-address 110.10.10.10 name [party-name] party name [party-name] hw-bypass SCE#>
  • Page 242: How To Display The Currently Running Party Database Configuration

    Command Purpose copy startup-config-party-db backup-file name Enables the task of copying the startup configuration party database and create a backup file of the configured static parties in the Cisco SCE 8000 platform.
  • Page 243: Configuring The Static Subscribers

    How to Display All Mappings to Dual Stack Static Subscriber From the SCE(config )#> prompt, type: Command Purpose show part name party-name mappings all Displays all mappings to dual stack static subscriber.
  • Page 244: How To Display Ipv6 Mappings To Dual Stack Static Subscriber

    How to Display Dual Stack Static Subscriber From the SCE(config )#> prompt, type: Command Purpose show part name party-name Displays dual stack static subscribers. show interface LineCard 0 subscriber name party-name Displays dual stack static subscribers.
  • Page 245: Link Failure Reflection

    Cisco SCE platform that the device is in a failure state, and therefore cannot be used. In link reflection on all ports mode, all ports of the Cisco SCE platform are forced down and the link state of the first port is reflected on all the ports.
  • Page 246: Options

    This mode reflects a failure of one port to the other three ports of the Cisco SCE platform differently, depending on different failure conditions, as follows: One interface of the Cisco SCE 8000 is down: Link failure is reflected to the all other Cisco SCE •...
  • Page 247: How To Enable Linecard-Aware Mode

    How to Disable Linecard-Aware Mode From the SCE(config if)# prompt, type: Command Purpose no link failure-reflection linecard-aware-mode Disables linecard aware mode. Note that this command does not disable link failure reflection on all ports.
  • Page 248: Asymmetric Routing Topology

    Cisco SCE platform. However, this is sometimes not feasible, due to the fact that the Cisco SCE platforms sharing the split flow are geographically remote (especially common upon peering insertion). In this type of scenario, the...
  • Page 249: Monitoring Asymmetric Routing

    TCP unidirectional flows ratio: the ratio of TCP unidirectional flows to total TCP flows per traffic • processor, calculated over the period of time since the Cisco SCE platform was last reloaded (or since the counters were last reset). From the SCE> prompt, type:...
  • Page 250: Configuring A Forced Failure

    Forcing failure will cause a failover - do you want to continue? n Type 'Y' and press Enter to confirm the forced failure. no force failure-condition Exits from the virtual failure condition.
  • Page 251: Configuring The Failure Recovery Mode

    This example sets the system to boot as non-operational after a failure. SCE(config)#failure-recovery operation-mode non-operational Example 2 This example sets the system to the default failure recovery mode. SCE(config)# default failure-recovery operation-mode
  • Page 252: Configuring The Cisco Sce Platform/Sm Connection

    If SM functionality is critical to the operation of the system—configure the desired behavior of the • Cisco SCE platform if any loss of connection with the SM (may be due either to failure of the SM or failure of the connection itself).
  • Page 253: Options

    Configuring the Cisco SCE Platform/SM Connection Options The following option is available: interval—The timeout interval in seconds • From the SCE(config if)# prompt, type: Command Purpose subscriber sm-connection-failure timeout interval Configures the connection timeout.
  • Page 255: Introduction

    Raw Data Formatting: The RDR Formatter and NetFlow Exporting Revised: February 07, 2014, OL-30621-02 Introduction Cisco Service Control is able to deliver gathered reporting data to an external application for collecting, aggregation, storage and processing over two protocols: RDRv1: the Service Control proprietary export protocol •...
  • Page 256: Chapter 9 Raw Data Formatting: The Rdr Formatter And Netflow Exporting

    • NetFlow Terminology Exporter • A device (in this case, the RDR formatter component in the Cisco SCE platform) with NetFlow services enabled, responsible for exporting information using NetFlowV9 protocol. NetFlow Collector • A device that receives records from one or more exporters. It processes the received export packet(s) by parsing and storing the record information.
  • Page 257: Netflow Exporting Support

    Each RDR type supported for NetFlowV9 exporting has a pre-defined mapping that allows the RDR formatter to convert it to a NetFlow V9 report and send it over a NetFlow destination. The Cisco SCE platform maintains template records for several RDR types, with the structure of each NetFlow data record that corresponds to that RDR type.
  • Page 258: Data Destinations

    • Protocol, page 9-6 • Transport Type, page 9-6 • The Cisco SCE platform can be configured with a maximum of eight destinations, three destinations per category. Each destination is defined by the following parameters: IP address • port number •...
  • Page 259: Categories

    In this case, the data types are divided into up to four groups, and each group, or category, is assigned to a particular destination or destinations. The categories are defined by the application running on the Cisco SCE platform. The system supports up to four categories: •...
  • Page 260: Setting Dscp For Netflow

    The following two transport types are available: • • Currently, the transport type is linked to the configured protocol as follows: RDRv1 protocol requires TCP transport type • NetFlow V9 protocol requires UDP transport type •
  • Page 261: Configuring Data Destinations And Categories

    Commands relevant only to the NetFlowV9 protocol and the NetFlow exporting support • Options In order for the data records, either RDRs or NetFlow export packets, from the Cisco SCE platform to arrive at the correct location, the following parameters must be configured: ip-address—The IP address of the destination •...
  • Page 262: Configuring The Data Categories

    Command Purpose rdr-formatter category number category-number name category-name Defines the name for the specified category number. This category name can then be used in any rdr-formatter command instead of the category number.
  • Page 263: Configuring The Buffer Size

    The category may be defined by either number or name. • A different priority may be assigned to each category. • • Note that within each category the priorities must be unique for each destination.
  • Page 264 SCE(config)# rdr-formatter category number 2 name prepaid SCE(config)# rdr-formatter destination 10.1.1.205 port 33000 category number 1 priority 90 protocol RdrV1 transport tcp SCE(config)# rdr-formatter destination 10.1.1.206 port 33000 category name prepaid protocol RdrV1 transport tcp
  • Page 265 (billing) being sent to both destinations, in multi-cast mode (Figure 9-5). [Figure 9-5: Configuring Destinations: Two Categories and Two Modes]
  • Page 266 SCE(config)# rdr-formatter destination 10.10.10.96 port 33000 category name prepaid priority 90 category name special-prepaid priority 80 protocol RdrV1 transport tcp SCE(config)# rdr-formatter destination 10.1.1.206 port 33000 category name special-prepaid priority 90 protocol NetFlowV9 transport udp
  • Page 267: Configuring The Forwarding Mode

    From the SCE(config)# prompt, type: Command Purpose rdr-formatter forwarding-mode mode Configures the specified forwarding mode. Configuring the Forwarding Mode: Example The following example shows how to set the forwarding-mode to multicast. SCE(config)# rdr-formatter forwarding-mode multicast
  • Page 268: Configuring The Rdr Formatter

    Maximum buffer size is 64 KB. • From the SCE(config)# prompt, type: Command Purpose rdr-formatter history-size size Sets the size of the RDR formatter history buffer.
  • Page 269: Configuring Netflow Exporting Support

    How to Configure the Template Refresh Interval Options The following options are available: • ip-address—The destination IP address. • port-number—The destination port number • timeout-value—The frequency of exporting the template records in seconds (1 – 86400.)
  • Page 270 Raw Data Formatting: The RDR Formatter and NetFlow Exporting Configuring NetFlow Exporting Support From the SCE(config)# prompt, type: Command Purpose rdr-formatter destination ip-address port port-number protocol NetFlowV9 template data timeout timeout-value Sets the template refresh interval.
  • Page 271: Configuring Dynamic Mapping Of Rdrs To Categories

    How to Restore the Default Mapping for a Specified RDR Tag From the SCE(config)# prompt, type: Command Purpose default rdr-formatter rdr-mapping tag-id tag-number Restores the default mapping for a specified RDR tag.
  • Page 272: Displaying Data Destination Configuration And Statistics

    How to Display the Current RDR Formatter Configuration The system can display the complete data destination configuration, or just specific parameters. From the SCE> prompt, type: Command Purpose show rdr-formatter Displays the current RDR formatter configuration.
  • Page 273: Displaying The Rdr Formatter Configuration: Example

    64 RDRs per second Category 2: sent: 12040436 in-queue: 0 thrown: 0 format-mismatch: 0 unsupported-tags: 0 rate: 12 RDRs per second max-rate: 453 RDRs per second Category 3: sent: 0 in-queue: 0 Cisco SCE 8000 10GBE Software Configuration Guide 9-19 OL-30621-02...
  • Page 274 Destination: 10.56.204.7 Port: 33000 Status: up Sent: 12134054 Rate: Max: 595 Sent Templates: 13732 Sent Data Records: 12134054 Refresh Timeout (Sec): 5 Last connection establishment: 17 hours, 5 minutes, 15 seconds Cisco SCE 8000 10GBE Software Configuration Guide 9-20 OL-30621-02...
  • Page 275: Disabling The Linecard From Sending Rdrs

    Use the no form of this command if you want the linecard to send records. From the SCE(config if)# prompt, type: Command Purpose silent Disables the linecard from issuing data records. no silent Enables the linecard to produce data records.
  • Page 276: Disabling Rdr Aggregation

    In large deployments, if each traffic processor sends its own records separately to the CM, the number of RDRs reaching the CM becomes enormous. Therefore, the Cisco SCE platform aggregates certain RDRs, thus reducing the load on the CM without affecting the usability of the information provided. In essence, the control processor receives records from all traffic processors, but it only sends one record for each reporting period, containing the aggregated data of all CPUs together.
  • Page 277: Introduction

    Revised: February 07, 2014, OL-30621-02 Introduction The Cisco SCE platform is subscriber aware, that is, it can relate traffic and usage to specific customers. This ability to map between IP flows and a specific subscriber allows the system to do the following: Maintain the state of each subscriber transmitting traffic through the platform •...
  • Page 278: Chapter 10 Managing Subscriber

    What is a Subscriber? In the Service Control solution, a subscriber is defined as a managed entity on the subscriber side of the Cisco SCE Platform to which accounting and policy are applied individually. Table 10-1 lists several examples of subscribers in Service Control solutions.
  • Page 279: Subscriber Modes In Service Control Solutions

    The most basic mode is Subscriber-less mode. In this mode, there is no notion of subscriber in the system, and the entire link where the Cisco SCE platform is deployed is treated as a single subscriber. Global Application level analysis (such as total p2p, browsing) can be conducted, as well as global control (such as limiting total p2p to a specified percentage).
  • Page 280: Subscriber Database: Capacity And Limits

    There are two possible Subscriber Aware modes. In these modes, subscriber IDs and currently used network IDs are provisioned into the Cisco SCE platform. The Cisco SCE platform can then bind usage to a particular subscriber, and enforce per-subscriber policies on the traffic. Named reports are supported (such as top subscribers with the OSS IDs), quota-tracking (such as tracking a subscriber-quota over time even when network IDs change) as well as dynamic binding of packages to subscribers.
  • Page 281: Working With Large Numbers Of Subscribers

    The maximum rate for creation of anonymous subscribers is 360 per second. Aging Subscribers Subscribers can be aged automatically by the Cisco SCE platform. ‘Aging’ is the automatic removal of a subscriber, performed when no traffic sessions assigned to it have been detected for a certain amount of time.
  • Page 282: Vpn-Based Subscribers

    A VPN-based subscriber contains a set of mappings of the form: IP@VpnName, where IP can be either a single IP address or a range of addresses. A VPN-based subscriber is VLAN-based. Most VPN-based subscriber functionality is managed via the SM, with the role of the Cisco SCE platform CLI being more limited.
  • Page 283: Anonymous Groups And Subscriber Templates

    • is-static flag • Only the active Cisco SCE platform communicates with the SM. The SM is aware of the active/standby state of each Cisco SCE platform, and is also aware of a failover. Specifically, this means the following: In push mode, the SM pushes events to the active Cisco SCE platform, which updates the standby •...
  • Page 284: Subscriber Files

    Each line in a csv file should contain either a comment (beginning with the character ‘#’), or a list of comma-separated fields. Subscriber csv files are application-specific, but a default format is defined by the Cisco SCE, which is used when the application does not choose to over-ride it. The application might over-ride the format when additional data is desired for each subscriber or subscriber template.
  • Page 285: Ipv6 Subscriber Csv File Format

    Here is an example of an anonymous groups csv file:
    # Yet another comment line
    anon1, 10.1.1.0/24, 1, 1
    anon2, 2001:a:d:f::/64, 2, 2
    anon3, 10.1.3.0/32, 3, 3
    anon4, 2001:a:d:d::/64, 3, 3
    anon5, 10.1.5.0/31, 2
    anon6, 10.1.6.0/30, 1
    anon7, 0.0.0.0/0, 1
  • Page 286: Importing And Exporting Subscriber Information

    • subscriber template import csv-file
    • subscriber template export csv-file
    These subscriber management commands are LineCard interface commands. Make sure that you are in LineCard Interface command mode.
  • Page 287: Options

    [all]: Exports all the static and dynamic subscribers information to the specified file.
    subscriber export csv-file filename: Exports only the static subscribers information to the specified file.
  • Page 288: How To Import A Subscriber Template

    Imports the subscriber template from the specified file.
    How to Export a Subscriber Template
    From the SCE(config if)# prompt, type:
    Command: subscriber template export csv-file filename
    Purpose: Exports the subscriber template to the specified file.
  • Page 289: Removing Subscribers And Templates

    How to Remove a Specific Subscriber
    Options
    The following option is available:
    • subscriber-name—The name of the subscriber to be removed
    From the SCE(config if)# prompt, type:
    Command: no subscriber name subscriber-name
    Purpose: Removes the specified subscriber.
  • Page 290: How To Remove All Introduced Subscribers

    How to Remove All the Anonymous Subscribers
    From the SCE# prompt, type:
    Command: clear interface linecard 0 subscriber anonymous all
    Purpose: Removes all anonymous subscribers.
    Note: The clear subscriber anonymous command is a Privileged Exec command.
  • Page 291: How To Remove All Subscriber Templates

    Caution: Because the clear interface linecard subscriber anonymous all command clears all the anonymous subscribers in the Cisco SCE, do not use the command in a production environment. Using this command in a production environment impacts anonymous subscribers’ accountability. Use the command only when the linecard interface is shut down.
  • Page 292 Chapter 10 Managing Subscribers Removing Subscribers and Templates
    Command: no subscriber sm all
    Purpose: Clears all subscribers from the SM.
  • Page 293: How To Remove Subscribers From A Specified Scmp Peer Device

    Clears all subscribers from the specified SCMP peer device.
    • peer-device-name specifies the name of the SCMP peer device from which to clear the subscribers.
  • Page 294: Creating Anonymous Groups

    Create the group by importing anonymous groups from a csv file. Groups can also be exported to a csv file.
    • Maximum creation rate of anonymous subscribers is 360 per second on the Cisco SCE 8000 and 180 per second on the Cisco SCE2020.
  • Page 295: Importing And Exporting Anonymous Groups

    Imported anonymous groups information is added to the existing anonymous groups information. It does not overwrite the existing data. The Cisco SCE platform can support a maximum of 5000 anonymous groups.
    How to Export Anonymous Groups
    Options
    The following option is available:
    • filename—Name of the csv file.
  • Page 296: Monitoring Subscribers

    • Anonymous subscribers
    Subscribers may be introduced to the Cisco SCE platform via the Cisco SCE platform CLI or via the Subscriber Manager. The monitoring commands may be used to monitor all subscribers and subscriber information, regardless of how the subscribers were introduced to the system.
  • Page 297: How To Display The Subscriber Database Counters

    Subscriber aged: 0. Pull-request notifications sent: 0. Pull-request by ID notifications sent: 0. Subscriber pulled by ID: 0. State notifications sent: 0. Logout notifications sent: 0. Subscriber mapping TIR contradictions: 0
  • Page 298: Clearing The Subscriber Database Counters

    • show interface linecard 0 subscriber mapping VLAN-id ‘VLAN-id’
    Displaying Subscribers: All Current Subscriber Names
    You can display the names of all subscribers currently in the Cisco SCE subscriber database.
    From the SCE> prompt, type:
    Command: show interface linecard 0 subscriber all-names
    Purpose: Displays the names of all subscribers currently in the Cisco SCE subscriber database.
  • Page 299: Displaying Subscribers: By Subscriber Property Or Prefix

    From the SCE> prompt, type:
    Command: show interface linecard 0 subscriber property propertyname greater-than|less-than property-val
    Purpose: Displays subscribers that are greater than or less than a specified value of a subscriber property.
  • Page 300 How to display the number of subscribers that are greater than or less than a specified value of a subscriber property
    Options
    The following options are available:
    • propertyname—Name of the subscriber property to match
    • property-val—Value of that subscriber property to match
  • Page 301: How To Display Subscribers: By Mapping (Ip Address, Vpn, Or Vlan Id)

    • A specified VLAN ID
    • A specified VPN
    • no mapping
    You can also display just the number of subscribers with a specified mapping, rather than listing the actual subscribers.
  • Page 302 VLAN-id VLAN-id specified VLAN ID.
    How to display subscribers with no mapping
    From the SCE> prompt, type:
    Command: show interface linecard 0 subscriber mapping none
    Purpose: Displays subscribers with no mapping.
  • Page 303: How To Display Subscriber Information

    0 subscriber name ‘name’
    • show interface linecard 0 subscriber name ‘name’ mappings
    • show interface linecard 0 subscriber name ‘name’ counters
    • show interface linecard 0 subscriber name ‘name’ properties
  • Page 304: How To Display A Listing Of Subscriber Properties

    How to Display Mappings for a Specified Subscriber
    Options
    The following options are available:
    • name—Subscriber name
    From the SCE> prompt, type:
    Command: show interface linecard 0 subscriber name name mappings
    Purpose: Displays mappings for a specified subscriber.
  • Page 305: How To Display Os Counters For A Specified Subscriber

    0 subscriber anonymous [name ‘groupname’]
    How to Display Currently Configured Anonymous Groups
    From the SCE> prompt, type:
    Command: show interface linecard 0 subscriber anonymous-group all
    Purpose: Displays currently configured anonymous groups.
  • Page 306: How To Display Currently Configured Templates For Anonymous Groups

    How to Display All Subscribers Currently in Anonymous Groups
    From the SCE> prompt, type:
    Command: show interface linecard 0 subscriber anonymous
    Purpose: Displays all subscribers currently in anonymous groups.
  • Page 307: How To Display The Number Of Subscribers In A Specified Anonymous Group

    How to Display the Total Number of Subscribers in All Anonymous Groups
    From the SCE> prompt, type:
    Command: show interface linecard 0 subscriber amount anonymous
    Purpose: Displays the total number of subscribers in all anonymous groups.
  • Page 308: Configuring The Actual Maximum Number Of Subscribers

    Install the new application (PQI) file. (The configured subscriber maximum takes effect only after a new application file has been loaded.)
    Step 5 If you saved the policy configuration (PQB file), apply it to the Cisco SCE platform using the SCA BB console.
  • Page 309: How To Restore The Configured Capacity Option

    Step 5 If you saved the policy configuration (PQB file), apply it to the Cisco SCE platform using the Cisco SCA BB console. If a policy configuration (PQB file) has been applied on the active Cisco SCE platform, use the Cisco SCA BB console to retrieve it and save it before proceeding.
  • Page 310: Configuring Subscriber Aging

    Enables aging for introduced subscribers.
    How to Disable Aging for Anonymous Group Subscribers
    From the SCE(config if)# prompt, type:
    Command: no subscriber aging anonymous
    Purpose: Disables aging for anonymous group subscribers.
  • Page 311: How To Disable Aging For Introduced Subscribers

    aging-time: Sets the aging timeout period for introduced subscribers.
    How to Display Aging for Anonymous Group Subscribers
    From the SCE> prompt, type:
    Command: show interface linecard 0 subscriber aging anonymous
    Purpose: Displays aging of anonymous group subscribers.
  • Page 312: How To Display Aging For Introduced Subscribers

    Managing Subscribers Configuring Subscriber Aging
    How to Display Aging for Introduced Subscribers
    From the SCE> prompt, type:
    Command: show interface linecard 0 subscriber aging introduced
    Purpose: Displays aging for introduced subscribers.
  • Page 313: Managing Vpns And Vpn Subscriber Mappings

    Displays a listing of all currently logged-in VPNs.
    Displaying a Listing of All VPNs: Example
    SCE>show interface linecard 0 VPN all-names
    How to Clear Automatic VPNs
    From the SCE# prompt, type:
  • Page 314 Managing VPNs and VPN Subscriber Mappings
    Command: clear interface linecard 0 VPN automatic
    Purpose: Removes all VLAN VPNs that were created automatically by the Cisco SCE platform. (Only removes VPNs that have no active subscriber mappings).
  • Page 315: Configuring The Cisco Sce Platform/Sm Connection

    • If SM functionality is critical to the operation of the system—Configure the desired behavior of the Cisco SCE platform if any loss of connection with the SM (may be due either to failure of the SM or failure of the connection itself).
  • Page 316: Configuring The Sm-Sce Platform Connection Timeout

    Options
    The following option is available:
    • interval—The timeout interval in seconds
    From the SCE(config if)# prompt, type:
    Command: subscriber sm-connection-failure timeout interval
    Purpose: Configures the connection timeout.
  • Page 317: Introduction

    • Hot Standby and Failover, page 11-6
    • Recovery, page 11-11
    • CLI Commands for Cascaded Systems, page 11-13
    • Configuring Forced Failure, page 11-18
    • System Upgrades, page 11-19
  • Page 318: Chapter 11 Redundancy And Failover

    SCE platform, including updated subscriber state.
    Terminology and Definitions
    Following is a list of definitions of terms used in the chapter as they apply to the Cisco failover solution, which is based on cascaded Cisco SCE platforms.
    • Failover—A situation in which the Cisco SCE platform experiences a problem that makes it...
  • Page 319: External Bypass

    The Cisco SCE 8000 platform can control an external bypass device, which bypasses the traffic during a power failure and also under specific control command from the Cisco SCE 8000. The Cisco SCE 8000 automatically activates the external bypass device during reload for the short period (less than 10 seconds) in which the SPA Interface Processor card does not forward traffic between traffic ports.
  • Page 320 SM may be regarded as a cause for failover. However, this communication failure is not necessarily a problem in the Cisco SCE platform. If the connection to the SM of the active Cisco SCE platform has failed, while the connection to the SM of the standby Cisco SCE platform is alive, a failover process will be initiated to allow the Cisco SCE platform proper exchange of information between the Cisco SCE platforms and the SM.
  • Page 321: Link Failure Reflection

    MAC address of the other network element when forwarding traffic. To assist the network elements on both sides of the Cisco SCE platform to identify the link failures as quickly as possible, the Cisco SCE platform supports a functionality of reflecting to the other side of the Cisco SCE platforms events of link failure.
  • Page 322: Hot Standby And Failover

    The previously standby Cisco SCE platform now processes all the traffic of this other link that is forwarded to it by the previously active Cisco SCE platform in addition to the traffic of its own link.
  • Page 323 Cisco SCE platform has either recovered or been replaced. If the failure is in the standby Cisco SCE platform, it will continue to forward traffic to the active Cisco SCE platform and back to its link, while the active Cisco SCE platform continues to provide its normal processing functionality to the traffic of the two links.
  • Page 324: Hardware Crash Mode

    The external optical bypasses protect against a second Cisco SCE 8000 platform failure. In the case of a second failure, if a bypass module is connected to the last Cisco SCE 8000 to fail, it will be enabled. This preserves one of the network links, assuming the on-failure configuration is bypass.
  • Page 325: Failure In The Cascade Connection

    'dead end', cutting off all traffic on both links.
    Failure in the Cascade Connection
    The effect of a failure in the cascade connection between the two Cisco SCE platforms depends on whether one or both connections fail:
    Only one cascade connection is down—In this case, both Cisco SCE platforms can still...
  • Page 326 Step 6 Use the show interface linecard 0 connection-mode command.
    Step 7 If you want to start in bypass mode, change the link mode to bypass in both Cisco SCE platforms. The bypass mode will be applied only to the active Cisco SCE platform. (See “About the Link Mode”...
  • Page 327: Recovery

    • Manual Steps
    Step 1 Disconnect the failed Cisco SCE platform from the network
    Step 2 Connect a new Cisco SCE platform to the management link and the cascade links (leave network ports disconnected.)
    Step 3 Configure the Cisco SCE platform.
  • Page 328: Automatic Steps (In Parallel With The Manual Steps, Requires No User Intervention):

    Step 1 Establishment of inter-Cisco SCE platform communication.
    Step 2 Synchronization with the SM.
    Step 3 Copying updated subscriber states from the active Cisco SCE platform to the standby.
    Reboot Only (Fully Automatic Recovery)
    Step 1 Reboot of the Cisco SCE platform.
  • Page 329: Cli Commands For Cascaded Systems

    • On-failure—For each of the cascaded Cisco SCE platforms, this parameter determines whether the system cuts the traffic or bypasses it when the Cisco SCE platform either has failed or is booting.
    Configuring the Connection Mode
    Use the following command to configure the connection mode, including the following parameters.
  • Page 330: Examples

    SCE platform in Example 1. This Cisco SCE platform would have to be the secondary Cisco SCE platform, and Link 0 would be connected to this Cisco SCE platform, since Link 1 was connected to the primary. The connection mode would be the same as the first, and the behavior of the Cisco SCE platform if a failure occurs is external-bypass.
  • Page 331: How To View The Cisco Sce-Id

    Viewing the Cisco SCE-ID: Example
    SCE>enable 5
    Password:<cisco>
    SCE>show interface linecard 0 sce-id
    slot 0 sce-id is 1
    How to View the Current Redundancy Status of the Cisco SCE Platform
    From the SCE# prompt, type:
    Command: show interface linecard 0 cascade...
  • Page 332: How To View Information About The Cascade Connections

    connection-status: Displays information about the cascade connections.
    Monitoring the Connection Status: Examples
    The following example shows the output of this command in the case of two cascaded Cisco SCE 8000 GBE platforms where the cascade interfaces have not been connected correctly.
    SCE>enable 5
    Password:<cisco>...
  • Page 333: How To View The Current Link Mode

    -----------------------------------------------------------
    | 0/2 | 0/1
    SCE>
    How to View the Current Link Mode
    From the SCE# prompt, type:
    Command: show interface linecard 0 link mode
    Purpose: Displays the current link mode.
  • Page 334: Configuring Forced Failure

    From the SCE(config if)# prompt, type:
    Command: force failure-condition
    Purpose: Forces the Cisco SCE platform into a virtual failure state.
    Command: no force failure-condition
    Purpose: Exits from the virtual failure state.
  • Page 335: System Upgrades

    Step 5 Reload the active Cisco SCE platform.
    Step 6 After the former active Cisco SCE platform reboots and is ready to work manually, it may be left as standby or we can manually switch the Cisco SCE platforms to their original state.
  • Page 336: Simultaneous Upgrade Of Firmware And Application

    System Upgrades
    Step 7 Remove the force failure condition in that platform.
    Step 8 After the former active Cisco SCE platform recovers and is ready to work, it may remain the standby or can be manually switched back to active.
  • Page 337: Introduction

    Revised: February 07, 2014, OL-30621-02
    Introduction
    This chapter describes the ability of the Cisco SCE platform to identify and prevent DDoS attacks, and the various procedures for configuring and monitoring the Attack Filter Module.
    • Attack Filtering and Attack Detection, page 12-2...
  • Page 338: Chapter 12 Identifying And Preventing Distributed Denial-Of-Service Attacks

    Attack filtering is performed using specific-IP attack detectors. A specific-IP attack detector tracks the rate of flows (total open and total suspected) in the Cisco SCE platform for each combination of IP address (or pair of IP addresses), protocol (TCP/UDP/ICMP/Other), destination port (for TCP/UDP), interface and direction.
  • Page 339 Enable port-based detection for TCP/UDP attacks that have a fixed destination port or ports. The list of destination ports for port-based detection is configured separately. (See “Specific Attack Detectors” section on page 12-14.)
  • Page 340: Attack Detection

    Attack Detection Thresholds
    There are three thresholds that are used to define an attack. These thresholds are based on meters that are maintained by the Cisco SCE platform for each IP address or pair of addresses, protocol, interface and attack-direction.
  • Page 341: Attack Handling

    Configuring the action:
    – Report—Attack packets are processed as usual, and the occurrence of the attack is reported.
    – Block—Attack packets are dropped by the Cisco SCE platform, and therefore do not reach their destination.
    Regardless of which action is configured, two reports are generated for every attack: one when the start of an attack is detected, and one when the end of an attack is detected.
  • Page 342: Subscriber Notification

    Service Control Application.
    Hardware Filtering
    The Cisco SCE platform has two ways of handling an attack: by software or by hardware. Normally, attacks are handled by software. This enables the Cisco SCE platform to accurately measure the attack flows and to instantly detect that an attack has ended.
  • Page 343 “Monitoring Attack Filtering” section on page 12-24):
    • Check the "HW-filter" field in the show interface linecard attack-filter current-attacks command.
    • Check the "HW-filter" field in the attack log file.
  • Page 344: Configuring Attack Detectors

    When detectors 1-99 are disabled, the default attack detector configuration determines the thresholds used for detecting an attack, and the action taken by the Cisco SCE platform when an attack is detected. For each attack type, a different set of thresholds and action can be set. In addition, subscriber-notification and SNMP traps (alarm) can be enabled or disabled in the same granularity.
  • Page 345 (default| number) protocol protocol attack-direction direction side side
    • default attack-detector default
    • default attack-detector number
    • default attack-detector (all-numbered|all)
    • attack-detector number access-list comment
    • attack-detector number (TCP-dest-ports|UDP-dest-ports) (all|(port1 [port2 …]))
    • [no] attack-filter subscriber-notification ports port1
  • Page 346: Enabling Specific-Ip Detection

    Use the no form of the command to disable the configured specific-IP detection.
    How to Enable Specific-IP Detection
    From the SCE(config if)# prompt, enter:
    Command: attack-filter [protocol (((TCP|UDP) [dest-port (specific|not-specific|both)])|ICMP|other)] [attack-direction (single-side-source|single-side-destination|single-side-both|dual-sided|all)]
    Purpose: Enables specific-IP detection.
  • Page 347: How To Enable Specific-Ip Detection For The Tcp Protocol Only For All Attack Directions

    • How to Define the Default Action and Optionally, the Default Thresholds, page 12-13
    • How to Reinstate the System Defaults for a Selected Set of Attack Types, page 12-13
    • How to Reinstate the System Defaults for All Attack Types, page 12-14
  • Page 348: Options

    – report (default)—Report beginning and end of the attack by writing to the attack-log.
    – block—Block all further flows that are part of this attack, the Cisco SCE platform drops the packets.
    • Thresholds:
    – open-flows-rate—Default threshold for rate of open flows.
    – suspected-flows-rate—Default...
  • Page 349: How To Define The Default Action And Optionally, The Default Thresholds

    From the SCE(config if)# prompt, type:
    Command: default attack-detector default protocol (((TCP|UDP) [dest-port (specific|not-specific|both)])|ICMP|other|all) attack-direction (single-side-source|single-side-destination|single-side-both|dual-sided|all) side (subscriber|network|both)
    Purpose: Reinstates the system defaults for the defined attack types.
  • Page 350: How To Reinstate The System Defaults For All Attack Types

    A specific attack detector may be configured for each possible combination of protocol, attack direction, and side. The Cisco SCE platform supports a maximum of 100 attack detectors. Each attack detector is identified by a number (1-100). Each detector can be either disabled (default) or enabled. An enabled attack detector must be configured with the following parameters: access-list—The number of the Access-Control List (ACL) associated with the specified attack...
  • Page 351: How To Enable A Specific Attack Detector And Assign It An Acl

    'not configured' state (which is the default), or be configured with a specific value.
    • action—Action:
    – report (default)—Report beginning and end of the attack by writing to the attack-log.
    – block—Block all further flows that are part of this attack, the Cisco SCE platform drops the packets.
    • Thresholds:...
  • Page 352: How To Define The Action And Optionally The Thresholds For A Specific Attack Detector

    From the SCE(config if)# prompt, type:
    Command: attack-detector number protocol (((TCP|UDP) [dest-port (specific|not-specific|both)])|ICMP|other|all) attack-direction (single-side-source|single-side-destination|single-side-both|dual-sided|all) side (subscriber|network|both) (alarm|no-alarm)
    Purpose: Defines the SNMP trap setting for the specified attack detector.
  • Page 353: How To Define The List Of Destination Ports For Tcp Or Udp Protocols For A Specific Attack Detector

    Use the following command to disable a specific attack detector, configuring it to use the default action, threshold values and subscriber notification for all protocols, attack directions and sides.
    From the SCE(config if)# prompt, type:
    Command: default attack-detector number
    Purpose: Disables the specified attack detector.
  • Page 354: How To Disable All Non-Default Attack Detectors

    Defines the thresholds and action for attack detector #1.
    Step 6 From the SCE(config if)# prompt, type attack-detector 1 protocol UDP dest-port specific attack-direction single-side-destination side subscriber notify-subscriber and press Enter.
    Enables subscriber notification for attack detector #1.
  • Page 355 Step 7 Exits the linecard interface configuration mode.
    Step 8 Configure ACL #3, which has been assigned to the attack detector.
    SCE(config)# access-list 3 permit 10.1.1.10
    SCE(config)# access-list 3 permit 10.1.1.13
  • Page 356: Subscriber Notifications

    You can define a port to be used as the subscriber notification port. The attack filter will never block TCP traffic from the subscriber side of the Cisco SCE platform to this port, leaving it always available for subscriber notification.
  • Page 357: Preventing And Forcing Attack Detection

    For example: • The Cisco SCE platform has detected an attack, but the user knows this to be a false alarm. The proper action that should be taken by the user is to configure the system with higher thresholds (for the whole IP range, or maybe for specific IP addresses or ports).
  • Page 358: How To Remove All Dont-Filter Settings

    CLI command (either no force-filter or dont-filter).
    • How to Remove All force-filter Settings, page 12-23
    Use the following commands to configure or remove a force-filter setting for or from a specified situation:
  • Page 359: How To Remove All Force-Filter Settings

    (ip ip-address)|(dual-sided source-ip source-ip-address destination-ip dest-ip-address)) side (subscriber|network|both)
    How to Remove All force-filter Settings
    From the SCE(config if)# prompt, type:
    Command: no attack-filter force-filter all
    Purpose: Removes all force-filter settings.
  • Page 360: Monitoring Attack Filtering

    • If attack end was detected in the traffic: Detected attack end
    • If the end of the attack was declared as a result of a no force-filter command or a new don't-filter command: Forced attack end
  • Page 361 If the attack was filtered by a hardware filter: HW filters used, actual attack duration is probably smaller than reported above, actual amount of flows handled is probably larger than reported above.
  • Page 362: Monitoring Attack Filtering Using Cli Commands

    – flows per second).
    – suspected-flows-ratio—Default threshold for ratio of suspected flow rate to open flow rate.
    • Subscriber notification—Enabled or disabled.
    • Alarm: sending an SNMP trap enabled or disabled.
  • Page 363 | other |net.|source-only|| | other |net.|dest-only | other |sub.|source-only|| | other |sub.|dest-only | Empty fields indicate that no value is set and configuration from the default attack detector is used. SCE#>
  • Page 364: How To Display The Default Attack Detector Configuration

    |sub.|dest-only ||Report| 500| 250|50 |No
    SCE#>
    How to Display All Attack Detector Configurations
    From the SCE> prompt, type:
    Command: show interface linecard 0 attack-detector all
    Purpose: Displays all attack detector configurations.
  • Page 365: How To Display Filter State (Enabled Or Disabled)

    From the SCE> prompt, type:
    Command: show interface linecard 0 attack-filter query ((single-sided ip ip-address)|(dual-sided source-IP source-ip-address destination-IP dest-ip-address)) [dest-port portnumber] configured
    Purpose: Displays the configured threshold values and actions for a specified IP address.
  • Page 366: How To Display The Current Counters

    (N) below a value means that the value is set through attack-detector #N.
    SCE#>
    How to Display the Current Counters
    Use this command to display the current counters for the specified attack detector for attack types for a specified IP address.
  • Page 367: How To Display All Currently Handled Attacks

    How to Display the List of Ports Selected for Subscriber Notification
    From the SCE> prompt, type:
    Command: show interface linecard 0 attack-filter subscriber-notification ports
    Purpose: Displays the list of ports selected for subscriber notification.
  • Page 368: How To Find Out Whether Hardware Attack Filtering Has Been Activated

    • IP address (Pair of addresses, if detected)
    • Protocol Port number (If detected)
    • Attack-direction (Attack-source or Attack-destination)
    • Interface of IP address
    • Number of attack flows reported/blocked
    • Action taken
  • Page 369: How To View The Attack Log

    Displays the attack log.
    How to Copy the Attack Log to a File
    From the SCE# prompt, type:
    Command: more line-attack-log redirect filename
    Purpose: Writes the log information to the specified file.
  • Page 370 Chapter 12 Identifying and Preventing Distributed Denial-of-Service Attacks Monitoring Attack Filtering
  • Page 371: Introduction

    This module provides an overview of the Service Control Management Protocol (SCMP) capabilities. It also explains the various procedures for configuring and monitoring SCMP.
    • About SCMP, page 13-2
    • Configuring the SCMP, page 13-9
    • Monitoring the SCMP Environment, page 13-17
  • Page 372: Chapter 13 Managing The Scmp

    The SCMP peers can work in either of two introduction modes. These introduction modes affect only how and when a session is created on the Cisco SCE platform:
    • The SCMP peer provisions the session to the Cisco SCE platform when it is created in the peer...
  • Page 373: Scmp Terminology

    Managing the SCMP About SCMP
    SCMP Terminology
    SCMP terminology is similar to, but not identical to, existing Cisco SCE platform terminology. It is derived from the ISG terminology, since every Cisco SCE subscriber is actually an ISG session.
    • subscriber – The client who is purchasing service from the Service Provider and is receiving the bill.
  • Page 374: Single ISG Router With A Single Cisco SCE Platform (1xISG – 1xCisco SCE)

    • A deployment of this type might be used with ISG running on a service gateway or BRAS terminating a large number of subscribers. However, note that deploying only one Cisco SCE platform results in a single point of failure, which is not generally acceptable in an actual deployment.
  • Page 375: Multiple ISG Routers With Two Cascaded Cisco SCE Platforms (NxISG – 2xCisco SCE)

    If advanced services requiring deep packet inspection are offered, we recommend locating the Cisco SCE platforms centrally, just before traffic requiring such services exits the SP network, since not all traffic needs to be processed by Cisco SCE platforms. Please note the following: •...
  • Page 376 Chapter 13 Managing the SCMP About SCMP You can configure the cascaded Cisco SCE platforms to receive session info from the SCMP peer on session creation or pull the session info when the subscriber's traffic traverses the Cisco SCE platform.
  • Page 377: SCMP Peer Devices

    SCMP Peer Devices
    An SCMP peer device is a Cisco device running IOS with the ISG module enabled. The Cisco SCE platform supports the ability to communicate with several SCMP peer devices at the same time. However, each peer device manages its own subscribers and the corresponding subscriber network IDs.
  • Page 378: SCMP Subscriber Management

    SCMP Subscriber Management
    Subscriber virtualization allows multiple SCMP peer devices to simultaneously manage subscribers in the Cisco SCE platform without interfering with each other. (Note that each device must handle a distinct set of subscribers and network IDs.) The following mechanisms support subscriber virtualization:
    SCMP adds the Manager-Id field to each subscriber record in the database.
  • Page 379: Configuring The SCMP

    • Enable the SCMP
    • Configure the SCMP peer device to push sessions to the Cisco SCE platform
    • Allow the SCMP peer device to provision each subscriber to only one Cisco SCE platform.
    • Define the SCMP keep-alive interval
    ...
  • Page 380: How To Disable The SCMP

    When SCMP establishes a connection with an SCMP peer device, it informs the device whether the SCMP is configured to push sessions or to wait till the sessions are pulled by the Cisco SCE platform. Use this command to specify push mode. Use the no form of the command to specify pull mode. This configuration takes effect only after the connection is re-established.
  • Page 381: Defining The Keep-Alive Interval Parameter

    The reconnect interval is the amount of time between attempts by the Cisco SCE platform to reconnect with an SCMP peer. The Cisco SCE platform attempts to reconnect to the SCMP peer device at the defined intervals by sending an establish-peering-request message.
  • Page 382: Defining The Loss-Of-Sync Timeout Parameter

    Defines the reconnect interval parameter.
    Defining the Loss-of-Sync Timeout Parameter
    The loss of sync timeout interval is the amount of time between loss of connection between the Cisco SCE platform and an SCMP peer device and the loss-of-sync event. (To prevent misclassification, the loss-of-sync event removes all subscribers that were provisioned by the relevant SCMP peer device.)
  • Page 383: How To Assign The SCMP Peer Device To An Anonymous Group

    This command removes the specified anonymous group from the SCMP peer device.
    From the SCE(config if)# prompt, type:
    Command: no subscriber anonymous-group name group-name
    Purpose: Removes an anonymous group from the SCMP peer device.
  • Page 384: Deleting Subscribers Managed By An SCMP Peer Device

    • User-Name
    The GUID is always appended at the end of the subscriber ID as defined by this command.
    Note: You must disable the SCMP interface before executing this command.
  • Page 385: Options

    The RADIUS client polls the sockets to receive the next message and calls the SCMP engine to handle it, based on the type of the received message. Messages that were not acknowledged can be retransmitted up to the configured maximum number of retries.
  • Page 386: Options

    • (optional)—Timeout interval for retransmitting a message, in seconds
    – Default = 1 second
    From the SCE(config)# prompt, type:
    Command: ip radius-client retry limit times [timeout timeout]
    Purpose: Configures RADIUS client.
  • Page 387: Monitoring The SCMP Environment

    • SCMP peer device for which to display the configuration or statistics.
    How to display the general SCMP configuration
    From the SCE> prompt, type:
    Command: show scmp
    Purpose: Displays the general SCMP configuration.
  • Page 388: How To Display The Configuration All Currently Defined SCMP Peer Devices

    9 seconds
    How to display the statistics for all SCMP peer devices
    From the SCE> prompt, type:
    Command: show scmp all counters
    Purpose: Displays the statistics for all SCMP peer devices.
  • Page 389: How To Display The Statistics For A Specified SCMP Peer Device

    Use the following command to monitor the SCMP RADIUS client. This command displays the general configuration of the RADIUS client.
    From the SCE> prompt, type:
    Command: show ip radius-client
    Purpose: Monitors the SCMP RADIUS client.
  • Page 390 Chapter 13 Managing the SCMP Monitoring the SCMP Environment
  • Page 391: Introduction

    • VAS Traffic Forwarding Topologies, page 14-14
    • SNMP Support for VAS, page 14-17
    • Interactions Between VAS Traffic Forwarding and Other Cisco SCE Platform Features, page 14-18
    • Configuring VAS Traffic Forwarding, page 14-20
    • Monitoring VAS Traffic Forwarding, page 14-32
    ...
  • Page 392: Chapter 14 Value-Added Services (VAS) Traffic Forwarding

    Information About VAS Traffic Forwarding
    The VAS feature uses the Cisco SCE platform to access an external “expert system” for classification and control of services not supported by SCA BB. Using the VAS feature, you can forward selected flows to an external, third-party system for per-subscriber processing in addition to the existing services and functions of the SCA BB solution.
  • Page 393: How VAS Traffic Forwarding Works

    • The same VAS server may be used by more than one Cisco SCE platform.
    Note: In VAS mode, the Cisco SCE performance envelope might be up to 50 percent lower than in the normal operation mode. The exact performance envelope is specific to the traffic mix in the customer network and should be sized in advance.
  • Page 394: Requirements For VAS Servers

    Requirements for VAS Servers
    Because the VAS devices are installed behind the Cisco SCE platform, they should follow the network behavior of the Cisco SCE platform. Therefore, VAS devices must meet the following two requirements:
    • VAS devices must be equipped with separate interfaces for the subscriber side and separate...
  • Page 395: VAS Traffic Forwarding And SCA BB

    VLAN Tags for VAS Traffic Forwarding
    The traffic is routed between the Cisco SCE platform and the VAS servers by VLANs. There is a unique VLAN tag for each Cisco SCE platform and VAS server combination. Before the traffic is forwarded to the VAS servers, the Cisco SCE platform adds the VLAN tags to the original traffic.
  • Page 396: Data Flow

    The Cisco SCE platform performs load sharing between multiple VAS servers belonging to the same server group; the balance is based on the subscriber load. In other words, the Cisco SCE platform ensures that the subscribers are evenly distributed between the VAS servers in the same group. The mapping of subscriber to a VAS server (per group) is maintained even when servers are added or removed from the group either due to configuration changes or changes in the operational status of the servers in the group.
  • Page 397: Non-VAS Data Flow

    A VAS data flow is slightly more complex than the basic data flow. It is received and transmitted in the same manner as the basic non-VAS Cisco SCE platform flow, but before it is transmitted to its original destination, it flows through the VAS server.
  • Page 398: Load Balancing

    The packet is sent to the VAS subscriber port from Cisco SCE platform Port 4 (N). The VAS server processes the packets and either drops the packet or sends it back to the Cisco SCE platform from the VAS network port to the Cisco SCE platform subscribers Port 3 (S).
  • Page 399: Load Balancing And Subscriber Mode

    In pull mode, the first flow of the subscriber behaves as configured in the anonymous template. If no anonymous template is configured, such first flows are processed as defined by the default template. Therefore, the default template should provide a proper package, so these flows get VAS service.
  • Page 400: VAS Redundancy

    The system monitors the health of a VAS server by periodically checking the connectivity between the Cisco SCE platform and the VAS server. When the Cisco SCE platform fails to establish or maintain a connection to the server within a configurable window of time, the server is considered to be in Down state.
  • Page 401: Ethernet Switch Failure

    When the Cisco SCE platform detects that the number of active servers within a group is below the configured minimum, it changes the state of the group to Failure. The configured action-on-failure is then applied to all new flows mapped for that VAS server group (existing flows are not affected).
  • Page 402: VAS Status And VAS Health Check

    The Cisco SCE platform adds its own Layer 7 data on top of the UDP transport layer. This data is used by the Cisco SCE platform to validate the correctness of the packet upon retrieval.
  • Page 403: VAS Server States

    • The VAS server should not drop traffic unless it is specifically configured to do so. Therefore, if the connectivity between the VAS server and the Cisco SCE platform is operative, the health check packets should reach the Cisco SCE platform safely.
  • Page 404: VAS Traffic Forwarding Topologies

    • Multiple Cisco SCE Platforms, Multiple VAS Servers, page 14-15
    Note: A topology in which a VAS server is directly connected to the Cisco SCE platform is not supported. If you want a topology of a single Cisco SCE platform connected to a single VAS server, use a switch between the Cisco SCE platform and the VAS server.
  • Page 405: Data Flow

    If the flow is a VAS flow (red), the Cisco SCE platform selects the VAS server to which the packet should be sent, adds the server VLAN tag to the packet, and transmits the packet on Port #4 (Network).
  • Page 406 The two Ethernet switches route the traffic to the VAS servers. The routing is VLAN based. The Ethernet switch should be configured to trunk mode with learning disabled. The data flow is the same as that for the single Cisco SCE platform to multiple VAS servers topology (see “Data Flow”...
  • Page 407: SNMP Support For VAS

    • Object type—vasServersTable provides information on each VAS server operational status.
    • SNMP Trap—vasServerOperationalStatusChangeTrap signifies that the agent entity has detected a change in the operational status of a VAS server.
  • Page 408: Interactions Between VAS Traffic Forwarding And Other Cisco SCE Platform Features

    Incompatible Cisco SCE Platform Features
    There are certain Cisco SCE platform features that are incompatible with VAS traffic forwarding. Before enabling VAS traffic forwarding, it is the responsibility of the user to make sure that no incompatible features or modes are configured.
  • Page 409: VAS Traffic Forwarding And Bandwidth Management

    • Bypass—Traffic is bypassed and NO SCA BB or VAS services are provided.
    VAS Traffic Forwarding and Bandwidth Management
    The complexity of the VAS traffic forwarding results in the modification of some Cisco SCE platform bandwidth management capabilities: VAS flows are not subject to global bandwidth control.
  • Page 410: Configuring VAS Traffic Forwarding

    Configuring VAS Traffic Forwarding
    There are three broad aspects to VAS traffic forwarding configuration in the Cisco SCE platform:
    • Configuring global VAS traffic forwarding options, such as enabling or disabling VAS traffic...
  • Page 411: Configuring VAS Traffic Forwarding From The SCA BB Console

    “Disabling VAS Traffic Forwarding” section on page 14-22. There are certain other Cisco SCE platform features that are incompatible with VAS traffic forwarding. Before enabling VAS traffic forwarding, make sure that no incompatible features or modes are configured. The features and modes listed below cannot coexist with VAS mode: Line-card connection modes—receive-only, receive-only-cascade, inline-cascade...
  • Page 412: Disabling VAS Traffic Forwarding

    Disabling the VAS Traffic Forwarding feature in runtime must be done with special care. There are two points to consider:
    • You cannot disable VAS mode in the Cisco SCE platform while the applied SCA BB policy instructs the Cisco SCE platform to forward traffic to the VAS servers.
  • Page 413: Options

    However, it is not operational since it does not have VLAN.
    Note: A VAS server is not operational until the VLAN tag is defined, even if the server itself is enabled.
  • Page 414: Options

    This section contains the following topics:
    • How to Configure the VLAN Tag Number for a Specified VAS Server, page 14-25
    • How to Remove the VLAN Tag Number from a Specified VAS Server, page 14-25
  • Page 415: Options

    This section explains how to enable and disable the Health Check, and how to define the ports it should use. By default, the VAS server health check is enabled; however, you may disable it.
  • Page 416: How To Enable VAS Server Health Check

    Down if one or more conditions are not met:
    • VAS traffic forwarding mode is enabled.
    • Pseudo IPs are configured for the Cisco SCE platform traffic ports on the VAS traffic link.
    • VAS server is enabled.
  • Page 417: How To Disable VAS Server Health Check

    You should configure source and destination pseudo IP address for the health check packets. The pseudo-ip command allows you to specify a unique IP address to be used by the health check packets. The pseudo IP address is configured on the interfaces that connect the Cisco SCE platform with the VAS servers.
  • Page 418: Configuring A VAS Server Group

    IP)
    – Default—no IP address
    • mask (optional)—Defines the range of IP addresses that can be used by the Cisco SCE platform. Note that the Cisco SCE platform is not required to reside in this subnet.
  • Page 419: Adding And Removing Servers

    • Failure action—The action to be applied to all new flows mapped to this server group while it is in Failure state:
    – Block—all new flows assigned to the failed VAS server group will be blocked by the Cisco SCE platform.
  • Page 420 How to Configure the Failure Action for a Specified VAS Server Group to the Default

    From the SCE(config if)# prompt, type:
    Command: default VAS-traffic-forwarding VAS server-group group-number failure action
    Purpose: Configures the failure action for a specified VAS server group to the default.
  • Page 421: Vas Configuration Example

    You must shut down the linecard when configuring VAS servers and groups.
    Step 6
    Command: VAS-traffic-forwarding
    Purpose: Set the Cisco SCE platform to forward VAS traffic (enable VAS traffic forwarding).
    Step 7
    Command: VAS-traffic-forwarding traffic-link link-0
    Purpose: Set the VAS traffic forwarding link to Link 0.
  • Page 422: Monitoring VAS Traffic Forwarding

    Command: show interface linecard 0 VAS-traffic-forwarding
    Purpose: Displays the global VAS status and configuration.
    Example
    SCE>show interface linecard 0 VAS-traffic-forwarding
    VAS traffic forwarding is enabled
    VAS traffic link configured: Link-1 actual: Link-1
  • Page 423: How To Display Operational And Configuration Information For A Specific VAS Server Group

    VAS server 0:
    Configured mode: enable actual mode: enable
    VLAN: server group: 3
    State: UP
    Health Check configured mode: enable status: running
    Health Check source port: 63140 destination port: 63141
    Number of subscribers:
  • Page 424: How To Display Operational And Configuration Information For All VAS Servers

    IP Checksum error packets 0 : L4 Checksum error packets 0 : L7 Checksum error packets 0 : Bad VLAN tag packets 0 : Bad Device ID packets 0 : Bad Server ID packets
  • Page 425: How To Display Health Check Counters For All VAS Servers

    How to Clear the Health Check Counters for All VAS Servers
    From the SCE> prompt, type:
    Command: clear interface linecard 0 VAS-traffic-forwarding VAS server-id all counters health-check
    Purpose: Clears health check counters for all VAS servers.
  • Page 426: Intelligent Traffic Mirroring

    The traffic that is copied is also processed by the SCA BB application and forwarded without interruption to its original destination. The copy of the traffic is presumed not to return to the Cisco SCE platform after being processed by the third party servers.
  • Page 427: How Traffic Mirroring Works

    For more information regarding targeted advertising, see the following documents:
    • Cisco Service Control Online Advertising Solution Guide: Behavioral Profile Creation Using RDRs
    • Cisco Service Control Online Advertising Solution Guide: Behavioral Profile Creation Using Traffic...
  • Page 428: Mirroring Termination

    To save on performance on both sides, zero-payload packets are also not mirrored (note that packets of this type have no real value for offline analysis). If the VLAN traffic is mirrored, Cisco SCE devices replace the VLAN information from the incoming traffic with the VAS-configured VLAN information before mirroring the traffic on the VAS port.
  • Page 429: Cisco SCE Connectivity

    Traffic mirroring is implemented by sending the mirrored packets over a designated VLAN through a predefined link of the Cisco SCE platform. The link that has been defined for traffic mirroring can be either used exclusively for this purpose, or it can be one of the traffic ports, in which case the Tx capacity of the link will be shared between the original egress traffic and the mirrored traffic.
  • Page 430 Chapter 14 Value-Added Services (VAS) Traffic Forwarding Intelligent Traffic Mirroring Figure 14-6 shows a Cisco SCE platform using a dedicated link for mirroring (Link 1). Figure 14-6 Traffic Mirroring on a Dedicated Link Traffic crosses the SCE through link 1...
  • Page 431: Traffic Mirroring And Bandwidth Management

    Cisco Service Control Application for Broadband User Guide. Note Traffic mirroring is not compatible with regular VAS traffic forwarding. Traffic mirroring configuration is distributed between the SCA BB console and the Cisco SCE platform CLI: The Cisco SCE platform CLI configuration: •...
  • Page 432: Monitoring Traffic Mirroring

    Use the same commands to monitor traffic mirroring as for regular VAS functionality. (See “Monitoring VAS Traffic Forwarding” section on page 14-32) Traffic Mirroring Sample Configuration Following is a sample illustrating the steps in configuring the Cisco SCE 8000 platform for traffic mirroring. Command Purpose Step 1...
  • Page 433: Introduction

    MIB. The proprietary pcube MIBs have been replaced by a combination of standard and Cisco MIBs and new Cisco Service Control MIBs. The new MIB structure was designed to keep backward compatibility and provide the same information as provided in the past as much as possible.
  • Page 434: Appendix A Cisco Service Control MIB

    MIB Files
    The pcube MIB was grouped into several MIBs, each of which represented a certain aspect or functionality in the Cisco SCE platform (see the tables in the “pcube to Cisco MIB Mapping: Detailed OID Mappings” section on page A-7 for more details).
  • Page 435 Defines state textual conventions. HOST-RESOURCES-MIB.my Manages host systems. Only OIDs that are mapped to former pcube MIB OIDs are in use in the standard and Cisco MIBs as Note listed in this table. Cisco SCE 8000 10GBE Software Configuration Guide...
  • Page 436: Loading Mibs

    Loading MIBs
    It is important to load the MIBs in the proper order. Before loading any new CISCO-SERVICE-CONTROL MIB, load the following MIBs in this order:
    SNMPv2-SMI.my
    SNMPv2-CONF.my
    SNMPv2-TC.my
    SNMP-FRAMEWORK-MIB.my
    ENTITY-MIB.my
    INET-ADDRESS-MIB.my
    CISCO-SMI.my...
  • Page 437: Pcube To Cisco MIB Mapping

    pcube to Cisco MIB Mapping
    This section is an overview of how the former pcube MIB maps to the current Cisco MIBs. Two P-cube MIBs are mapped: PcubeSeMIB and PcubeEngageMIB (CISCO-SCABB-MIB).
    Table A-4...
  • Page 438: Pcube Engage MIB (CISCO-SCAS-BB-MIB)

    Pcube Engage MIB (CISCO-SCAS-BB-MIB) The information in the pcubeEnageMIB is available from various RDRs and from tables of the Collection Manager database. Therefore this MIB has not been replaced by a new Cisco Service Control MIB. For information regarding the mapping of the MIB objects to RDRs and the Collection Manager...
  • Page 439: Pcube To Cisco MIB Mapping: Detailed OID Mappings

    Cisco MIB Mapping: Detailed OID Mappings The following tables provide the detailed mappings for specific pcubeSeMIB (1.3.6.1.4.1.5655.4.1/0) OIDs to the current standard and Cisco MIBs. Table A-6 systemGrp (1.3.6.1.4.1.5655.4.1.1) pcube Object Name New MIB New Object Name sysOperationalStatus 1.3.6.1.4.1.5655.4.1.1.1 ENTITY-STATE-MIB entStateTable.entStateOper...
  • Page 440 Object Name New MIB New Object Name pchassisSysType 1.3.6.1.4.1.5655.4.1.2.1 Not mapped. Derived from entPhysicalDescr and entPhysicalClass chassis(3) pchassisPowerSupply 1.3.6.1.4.1.5655.4.1.2.2 CISCO-ENTITY-FRU- Trap is sent Alarm CONTROL-MIB Current status available using the show environment CLI command pchassisFansAlarm 1.3.6.1.4.1.5655.4.1.2.3 CISCO-ENTITY-FRU- Trap is sent...
  • Page 441 ENTITY-MIB  with entPhysicalClass = other Use CLI command:  pmoduleConnection 1.3.6.1.4.1.5655.4.1.3.1.1.8 Not mapped Mode show interface linecard connection-mode pmoduleSerialNumber 1.3.6.1.4.1.5655.4.1.3.1.1.9 ENTITY-MIB entPhysicalSerialNum 1.3.6.1.2.1.47.1.1.1.1.11 pmoduleUpStream 1.3.6.1.4.1.5655.4.1.3.1.1.10 CISCO- cscaInfoUpStream 1.3.6.1.4.1.9.9.693.1.3.1.1 AttackFilteringTime SERVICE-CONTROL- AttackFilteringTime ATTACK-MIB pmoduleUpStreamLas 1.3.6.1.4.1.5655.4.1.3.1.1.11 CISCO- cscaInfoUpStreamLast 1.3.6.1.4.1.9.9.693.1.3.1.2 tAttackFilteringTime SERVICE-CONTROL- AttackFilteringTime...
  • Page 442 New Object Name pmoduleAdminStatus 1.3.6.1.4.1.5655.4.1.3.1.1.15 ENTITY-MIB entStateAdmin 1.3.6.1.2.1.131.1.1.1.2 pmoduleOperStatus 1.3.6.1.4.1.5655.4.1.3.1.1.16 ENTITY-MIB entStateOper 1.3.6.1.2.1.131.1.1.1.3 1.3.6.1.2.1.131.1.1.1.6 entStateStandby Table A-9 linkGrp (1.3.6.1.4.1.5655.4.1.4): All Mapped Objects Mapped to CISCO-SERVICE-CONTROL-LINK-MIB pcube Object Name New Object Name linkTable 1.3.6.1.4.1.5655.4.1.4.1 cscLinkStatusTable 1.3.6.1.4.1.9.9.631.1.2 linkEntry 1.3.6.1.4.1.5655.4.1.4.1.1 cscLinkStatusEntry 1.3.6.1.4.1.9.9.631.1.2.1 linkModuleIndex 1.3.6.1.4.1.5655.4.1.4.1.1.1...
  • Page 443 Object Name New Object Name diskNumUsedBytes 1.3.6.1.4.1.5655.4.1.5.1 hrStorageTable.hrStorageUsed 1.3.6.1.2.1.25.2.3.1.6 diskNumFreeBytes 1.3.6.1.4.1.5655.4.1.5.2 hrStorageTable.hrStorageUsed 1.3.6.1.2.1.25.2.3.1.6 hrStorageTable.hrStorageSize 1.3.6.1.2.1.25.2.3.1.5 Table A-11 rdrFormatterGrp (1.3.6.1.4.1.5655.4.1.6): All Mapped Objects Mapped to CISCO-SERVICE-CONTROL-RDR-MIB pcube Object Name New Object Name rdrFormatterEnable 1.3.6.1.4.1.5655.4.1.6.1 cServiceControlRDRFormatterEnable 1.3.6.1.4.1.9.9.637.1.1.1.1 rdrFormatterDestTable 1.3.6.1.4.1.5655.4.1.6.2 cServiceControlRDRFormatterDestTable 1.3.6.1.4.1.9.9.637.1.2 rdrFormatterDestEntry 1.3.6.1.4.1.5655.4.1.6.2.1 cServiceControlRDRFormatterDestEntry 1.3.6.1.4.1.9.9.637.1.2 .1...
  • Page 444 Table A-11 rdrFormatterGrp (1.3.6.1.4.1.5655.4.1.6): All Mapped Objects Mapped to CISCO-SERVICE-CONTROL-RDR-MIB (continued) pcube Object Name New Object Name rdrFormatterClear 1.3.6.1.4.1.5655.4.1.6.5 Not mapped CountersTime rdrFormatterReportRate 1.3.6.1.4.1.5655.4.1.6.6 cServiceControlRDRFormatterReportRate 1.3.6.1.4.1.9.9.637.1.1.1.4 rdrFormatterReportRate 1.3.6.1.4.1.5655.4.1.6.7 cscRdrFormatterReportRatePeak 1.3.6.1.4.1.9.9.637.1.1.1.5 Peak rdrFormatterReportRate 1.3.6.1.4.1.5655.4.1.6.8 cscRdrFormatterReportRatePeakTime 1.3.6.1.4.1.9.9.637.1.1.1.6 PeakTime rdrFormatterProtocol 1.3.6.1.4.1.5655.4.1.6.9 cServiceControlRDRFormatterProtocol 1.3.6.1.4.1.9.9.637.1.1.1.7 rdrFormatterForwarding 1.3.6.1.4.1.5655.4.1.6.10...
  • Page 445 Table A-11 rdrFormatterGrp (1.3.6.1.4.1.5655.4.1.6): All Mapped Objects Mapped to CISCO-SERVICE-CONTROL-RDR-MIB (continued) pcube Object Name New Object Name rdrFormatterCategory 1.3.6.1.4.1.5655.4.1.6.12.1.1 Available through the CLI. DestPriority rdrFormatterCategory 1.3.6.1.4.1.5655.4.1.6.12.1.2 Available through the CLI. DestStatus Table A-12 loggerGrp (1.3.6.1.4.1.5655.4.1.7): all Mapped Objects Mapped to CISCO-SYSLOG-EVENT-EXT-MIB...
  • Page 446 Table A-13 subscribersGrp (1.3.6.1.4.1.5655.4.1.8): All Mapped Objects Mapped to CISCO-SERVICE-CONTROL-SUBSCRIBERS-MIB (continued) pcube Object Name New Object Name subscribersNumActive 1.3.6.1.4.1.5655.4.1.8.1.1.9 cServiceControlSubscribersNumActive 1.3.6.1.4.1.9.9.628.1.2.1.9 subscribersNumActivePeak 1.3.6.1.4.1.5655.4.1.8.1.1.10 Not mapped subscribersNumActivePeakTime 1.3.6.1.4.1.5655.4.1.8.1.1.11 Not mapped subscribersNumUpdates 1.3.6.1.4.1.5655.4.1.8.1.1.12 cServiceControlSubscribersNumUpdates 1.3.6.1.4.1.9.9.628.1.2.1.10 subscribersCountersClearTime 1.3.6.1.4.1.5655.4.1.8.1.1.13 Not mapped subscribersNumTpIpRange 1.3.6.1.4.1.5655.4.1.8.1.1.14 cServiceControlSubscribersNumTpIpRangeMappings 1.3.6.1.4.1.9.9.628.1.2.1.11...
  • Page 447 Table A-13 subscribersGrp (1.3.6.1.4.1.5655.4.1.8): All Mapped Objects Mapped to CISCO-SERVICE-CONTROL-SUBSCRIBERS-MIB (continued) pcube Object Name New Object Name cServiceControlSubscribersPackageIndex 1.3.6.1.4.1.9.9.628.1.1.1.5 cServiceControlSubscribersRealTimeMonitor 1.3.6.1.4.1.9.9.628.1.1.1.6 Table A-14 trafficProcessorGrp (1.3.6.1.4.1.5655.4.1.9) pcube Object Name New MIB New Object Name tpInfoTable 1.3.6.1.4.1.5655.4.1.9.1 CISCO-SERVICE-CONTROL- cscTpTable 1.3.6.1.4.1.9.9.634.1.1 TP-STATS-MIB tpInfoEntry 1.3.6.1.4.1.5655.4.1.9.1.1...
  • Page 448 Table A-14 trafficProcessorGrp (1.3.6.1.4.1.5655.4.1.9) (continued) pcube Object Name New MIB New Object Name tpNumUdpActive 1.3.6.1.4.1.5655.4.1.9.1.1.13 Not mapped. FlowsPeakTime tpNumNonTcpUdp 1.3.6.1.4.1.5655.4.1.9.1.1.14 CISCO-SERVICE-CONTROL- cscTpUdpActiveFlows 1.3.6.1.4.1.9.9.634.1.1.1.5 ActiveFlows TP-STATS-MIB tpNumNonTcpUdp 1.3.6.1.4.1.5655.4.1.9.1.1.15 Not mapped. ActiveFlowsPeak tpNumNonTcpUdp 1.3.6.1.4.1.5655.4.1.9.1.1.16 Not mapped. ActiveFlowsPeakTime tpTotalNum 1.3.6.1.4.1.5655.4.1.9.1.1.17 CISCO-SERVICE-CONTROL- cscTpTotalBlockedPackets 1.3.6.1.4.1.9.9.634.1.1.1.6...
  • Page 449 (1.3.6.1.4.1.5655.4.1.9) (continued) pcube Object Name New MIB New Object Name tpHandledPackets 1.3.6.1.4.1.5655.4.1.9.1.1.30 Not mapped. RatePeak tpHandledPackets 1.3.6.1.4.1.5655.4.1.9.1.1.31 Not mapped. RatePeakTime tpHandledFlowsRate 1.3.6.1.4.1.5655.4.1.9.1.1.32 CISCO-SERVICE-CONTROL- cscTpHandledFlowsRate 1.3.6.1.4.1.9.9.634.1.1.1.18 TP-STATS-MIB tpHandledFlows 1.3.6.1.4.1.5655.4.1.9.1.1.33 Not mapped RatePeak tpHandledFlows 1.3.6.1.4.1.5655.4.1.9.1.1.34 Not mapped RatePeakTime tpCpuUtilization 1.3.6.1.4.1.5655.4.1.9.1.1.35 CISCO-PROCESS-MIB cpmCPUTotal1minRev 1.3.6.1.4.1.9.9.109.1.1.1.1.7...
  • Page 450 1.3.6.1.4.1.5655.4.1.10.1.1.10 ENTITY-MIB entPhysicalIndex 1.3.6.1.2.1.47.1.1.1.1.1 Defined in ENTITY-STATE-MIB. Table A-16 txQueuesGrp (1.3.6.1.4.1.5655.4.1.11) pcube Object Name New MIB New Object Name txQueuesTable 1.3.6.1.4.1.5655.4.1.11.1 CISCO-QUEUE-MIB cQIfTable and cQStatsTable 1.3.6.1.4.1.9.9.37.1.2 txQueuesEntry 1.3.6.1.4.1.5655.4.1.11.1.1 CISCO-QUEUE-MIB cQStatsEntry 1.3.6.1.4.1.9.9.37.1.2.1 txQueuesModuleIndex 1.3.6.1.4.1.5655.4.1.11.1.1.1 Not mapped txQueuesPortIndex 1.3.6.1.4.1.5655.4.1.11.1.1.2 RFC1213-MIB ifIndex 1.3.6.1.2.1.2.2.1.1...
  • Page 451 Time txQueuesClearCounters 1.3.6.1.4.1.5655.4.1.11.1.1.9 Not mapped Time txQueuesDroppedBytes 1.3.6.1.4.1.5655.4.1.11.1.1.10 CISCO-QUEUE-MIB cQStatsDiscards 1.3.6.1.4.1.9.9.37.1.2.1.4 This object counts bytes Table A-17 globalControllerssGrp (1.3.6.1.4.1.5655.4.1.12): All Mapped Objects Mapped to CISCO-SERVICE-CONTROLLER-MIB pcube Object Name New Object Name globalControllersTable 1.3.6.1.4.1.5655.4.1.12.1 cscGlobalControllersTable 1.3.6.1.4.1.9.9.667.0.1 globalControllersEntry 1.3.6.1.4.1.5655.4.1.12.1.1 cscGlobalControllersEntry 1.3.6.1.4.1.9.9.667.0.1.1 globalControllersModuleIndex 1.3.6.1.4.1.5655.4.1.12.1.1.1...
  • Page 452 Table A-18 trafficCountersGrp (1.3.6.1.4.1.5655.4.1.14): All Objects Mapped to CISCO-SERVICE-CONTROL-TP-STATS-MIB

    pcube Object Name New Object Name
    trafficCountersTable 1.3.6.1.4.1.5655.4.1.14.1 cscTpStatsTrafficCountersTable 1.3.6.1.4.1.9.9.634.1.2
    trafficCountersEntry 1.3.6.1.4.1.5655.4.1.14.1.1 cscTpStatsTrafficCountersEntry 1.3.6.1.4.1.9.9.634.1.2.1
    trafficCounterIndex 1.3.6.1.4.1.5655.4.1.14.1.1.1 cscTpStatsTrafficCounterIndex 1.3.6.1.4.1.9.9.634.1.2.1.1
    trafficCounterValue 1.3.6.1.4.1.5655.4.1.14.1.1.2 cscTpStatsTrafficCounterValue 1.3.6.1.4.1.9.9.634.1.2.1.2
    trafficCounterName 1.3.6.1.4.1.5655.4.1.14.1.1.3 cscTpStatsTrafficCounterName 1.3.6.1.4.1.9.9.634.1.2.1.3
    trafficCounterType 1.3.6.1.4.1.5655.4.1.14.1.1.4 cscTpStatsTrafficCounterType 1.3.6.1.4.1.9.9.634.1.2.1.4
    Table A-19 attackGrp (1.3.6.1.4.1.5655.4.1.15): All Objects Mapped to CISCO-SERVICE-CONTROL-ATTACK-MIB...
  • Page 453 1.3.6.1.4.1.5655.4.0.9 CISCO-ENTITY-FRU- cefcPowerSupplyOutputChange 1.3.6.1.4.1.9.9.117.2.0.7 AlarmOnTrap CONTROL-MIB Trap functions as follows: • Unplug power cord from Cisco SCE platform—trap sent Plug power cord into Cisco SCE • platform—trap not sent Remove a PSU—trap sent • Insert a PSU—trap not sent •...
  • Page 454 Trap CONTROL-RDR-MIB Trap rdrConnectionUpTrap 1.3.6.1.4.1.5655.4.0.12 CISCO-SERVICE- cServiceControlRdrConnectionStatus 1.3.6.1.4.1.9.9.637.0.6 CONTROL-RDR-MIB UpTrap rdrConnectionDown 1.3.6.1.4.1.5655.4.0.13 CISCO-SERVICE- cServiceControlRdrConnectionStatusDow 1.3.6.1.4.1.9.9.637.0.4 Trap CONTROL-RDR-MIB nTrap telnetSessionStartedTrap 1.3.6.1.4.1.5655.4.0.14 CISCO-TELNET- ctsSessionStarted 1.3.6.1.4.1.9.9.630.0.2 SERVER-MIB telnetSessionEndedTrap 1.3.6.1.4.1.5655.4.0.15 CISCO-TELNET- ctsSessionEnded 1.3.6.1.4.1.9.9.630.0.1 SERVER-MIB telnetSessionDenied 1.3.6.1.4.1.5655.4.0.16 CISCO-TELNET- ctsSessionDenied 1.3.6.1.4.1.9.9.630.0.3 AccessTrap SERVER-MIB telnetSessionBadLogin 1.3.6.1.4.1.5655.4.0.17 CISCO-TELNET-...
  • Page 455 Table A-20 PCUBE SeEvents (1.3.6.1.4.1.5655.4.0) (continued)
    pcube Object Name | pcube OID | New MIB | New Object Name | New OID
    linkModeSniffingTrap | 1.3.6.1.4.1.5655.4.0.28 | CISCO-SERVICE-CONTROL-LINK-MIB | cServiceControlLinkModeChangeTrap | 1.3.6.1.4.1.9.9.631.0.1
    moduleRedundancyReadyTrap | 1.3.6.1.4.1.5655.4.0.29 | CISCO-ENTITY-REDUNDANCY-MIB | ceRedunProtectStatusChange, ceRedunMbrStatusCurrent=protection_provided(0x10) | 1.3.6.1.4.1.9.9.498.0.2
    moduleRedundantConfigurationMismatchTrap | 1.3.6.1.4.1.5655.4.0.30 | CISCO-ENTITY-REDUNDANCY-MIB | ceRedunProtectStatusChange, ceRedunMbrStatusCurrent=failure(0x40) | 1.3.6.1.4.1.9.9.498.0.2
    moduleLostRedundancy 1.3.6.1.4.1.5655.4.0.31 CISCO-ENTITY-...
  • Page 456 Table A-20 PCUBE SeEvents (1.3.6.1.4.1.5655.4.0) (continued)
    pcube Object Name | pcube OID | New MIB | New Object Name | New OID
    sessionDeniedAccessTrap | 1.3.6.1.4.1.5655.4.0.41 | CISCO-SECURE-SHELL-MIB | cssSessionDeniedTrap | 1.3.6.1.4.1.9.9.339.0.2
    sessionBadLoginTrap | 1.3.6.1.4.1.5655.4.0.42 | CISCO-SECURE-SHELL-MIB | cssSessionDeniedTrap (1.3.6.1.4.1.9.9.339.0.2), cssSessionDeniedReason | 1.3.6.1.4.1.9.9.339.1.3.2.1.4
    illegalSubscriberMappingTrap | 1.3.6.1.4.1.5655.4.0.43 | CISCO-SERVICE-CONTROL-SUBSCRIBER-MIB | cServiceControlSubscriberMappingTrap | 1.3.6.1.4.1.9.9.628.0.1
    loggerLineAttackLog 1.3.6.1.4.1.5655.4.0.44 CISCO-ENTITY-...
  • Page 457 Table A-21 pcubeEnageMIB 1.3.6.1.4.1.5655.4.2 (continued) pcube Object Name Corresponding RDR Objects not mapped subscriberGrp 1.3.6.1.4.1.5655.4.2.4 Subscriber Usage RDRs none 1.3.6.1.4.1.5655.4.2.4 serviceCounterGrp 1.3.6.1.4.1.5655.4.2.5 Service Configuration API or none 1.3.6.1.4.1.5655.4.2.5 the INI_VALUES DB table...
  • Page 458: Cisco Sce Platform-Specific Mib Information

    Appendix A Cisco Service Control MIBs. This section contains definitions that are specific to the Cisco SCE platforms for certain standard and Cisco MIB objects. CISCO-ENTITY-ALARM-MIB ceAlarmDescrSeverity (integer) ceAlarmDescrSeverity.1.1—3 ceAlarmDescrSeverity.1.2—3 ceAlarmDescrSeverity.1.3—2...
  • Page 459: Mib Updates

    Processor, in units of 0.001%. The service loss is computed as the relative amount of traffic which was bypassed by the Cisco SCE from one side to another without being serviced due to lack of resources (either CPU or memory).
  • Page 460: Index Changes

    • rdr-no-active-connection • rdr-connection-up • rdr-connection-down • rdr-formatterCategoryDisacard • rdrCategoryStoppedDiscard • userlogFull • userLogNotFull • lineAttackLog • SmConnectionDown • SmConnectionUp • illegalSubscriberMapping • PowerStatusChange • warningStatusChange • failureStatusChange • SipAttack...
  • Page 461: Release 3.6.5 Mib Updates

    • The trap will also identify the component within the FRU that is associated with the threshold violation or conformance. CISCO-ENTITY-SENSOR MIB is read-only. Thresholds are internally defined and cannot be changed. Note: Temperature reported for the entities (FRUs) is a normalized temperature, since there is no single temperature reading for an entire FRU.
  • Page 462 • Cisco SCE 8000 supports the linkUp/linkDown trap only on management ports. If there is a change to the management-port state, Cisco SCE 8000 sends two traps—one linkUp/linkDown trap and one entStateOperEnabled/entStateOperDisabled trap. But if there is a change to the traffic-port state, Cisco SCE 8000 sends only the entStateOperEnabled/entStateOperDisabled trap.
  • Page 463: Introduction

    • Service Loss, page B-3. As with any network device, the Cisco SCE platform has its performance and capacity envelopes. As the network evolves, the utilization of the Cisco SCE platform can increase and these envelopes might be reached. It is, therefore, advisable to monitor the Cisco SCE platform to be sure that utilization remains at a level that supports reliable and consistent service.
  • Page 464: Cpu Utilization

    • show snmp MIB cisco-service-control-subscriber The Cisco SCE 8000 platform supports up to 1M subscribers. You should make sure that the number of introduced subscribers plus the number of anonymous subscribers stays below this figure. When subscriber utilization exceeds 90%, it is advisable to give it special attention and reconsider sizing.
  • Page 465: Service Loss

    Service Loss is an event which occurs when the Cisco SCE platform does not provide the processing it was expected to perform for any transaction in the network. This can occur due to either CPU or Flows shortage.
  • Page 467: Openssh License

    OpenSSH, i.e., – RSA is no longer included, found in the OpenSSL library – IDEA is no longer included, its use is deprecated – DES is now external, in the OpenSSL library...
  • Page 468 * Copyright (c) 1998 CORE SDI S.A., Buenos Aires, Argentina. * All rights reserved. Redistribution and use in source and binary * forms, with or without modification, are permitted provided that * this copyright notice is retained...
  • Page 469 * WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE * OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, * EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE...
  • Page 470 Remaining components of the software are provided under a standard 2-term BSD licence with the following names as copyright holders: • Markus Friedl • Theo de Raadt • Niels Provos • Dug Song • Aaron Campbell...
  • Page 471 * 1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. * 2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the...
  • Page 472 Eric P. Allman The Regents of the University of California Constantin S. Svintsoff * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions...
  • Page 473 * copyright notice and this permission notice appear in all copies. * THE SOFTWARE IS PROVIDED "AS IS" AND TODD C. MILLER DISCLAIMS ALL * WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES...
  • Page 474 * holders shall not be used in advertising or otherwise to promote the * sale, use or other dealings in this Software without prior written * authorization. **************************************************************************** $OpenBSD: LICENCE,v 1.19 2004/08/30 09:18:08 markus Exp $...
  • Page 475: Netsnmp License

    OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE...
  • Page 476 EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY...
  • Page 477 • Neither the name of Cisco, Inc, Beijing University of Posts and Telecommunications, nor the names of their contributors may be used to endorse or promote products derived from this software without specific prior written permission.
  • Page 478 CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE...
