Alcatel-Lucent 7950 SR System Management Manual

7950 SR OS
System Management Guide
Software Version: 7950 SR OS 11.0 R5
September 2013
Document Part Number: 93-0401-02-04
Summary of Contents for Alcatel-Lucent 7950 SR

  • Page 2 This document is protected by copyright. Except as specifically permitted herein, no portion of the provided information can be reproduced in any form, or by any means, without prior written permission from Alcatel-Lucent. Alcatel, Lucent, Alcatel-Lucent and the Alcatel-Lucent logo are trademarks of Alcatel-Lucent. All other trademarks are the property of their respective owners.
  • Page 3: Table Of Contents

    Alcatel-Lucent 7950 SR Router Configuration Process ........
  • Page 4 Configuring SNMPv3 ............. 256
  • Page 5 Configuring Throttle Rate ............ 331
  • Page 7 Event Log Filter Summary Output Fields ......... 428
  • Page 8 Facility Alarm Support .......... 453
  • Page 9 Log Events, Alarms and LEDs .......... 443
  • Page 10 List of Figures
  • Page 11: Preface

    Protocols and concepts described in this manual include the following:
    • CLI concepts
    • System and user access and security
    • SNMP
    • Event and accounting logs
  • Page 12: List Of Technical Publications

    About This Guide. List of Technical Publications. The 7950 SR documentation set is composed of the following books:
    • 7950 SR OS Basic System Configuration Guide: describes basic system configurations and operations.
    • 7950 SR OS System Management Guide: describes system security and access configurations as well as event logging and accounting logs.
  • Page 13: Technical Support

    If you purchased a service agreement for your router and related products from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased an Alcatel-Lucent service agreement, contact technical assistance at: http://www.alcatel-lucent.com/wps/portal/support Report documentation errors, omissions and comments to: ipd_online_feedback@alcatel-lucent.com
  • Page 15: Getting Started

    This chapter provides process flow information to configure system security and access functions as well as event and accounting logs. Alcatel-Lucent 7950 SR Router Configuration Process: Table 1 lists the tasks necessary to configure system security and access functions and logging features.
  • Page 17: Security

     Other Security Features on page 46
     CPM Filters and Traffic Management on page 48
     Secure Shell (SSH) on page 46
     Encryption on page 51
    • Configuration Notes on page 55
  • Page 18: Authentication, Authorization, And Accounting

    ALA-1 and ALA-2. The user name and password from ALA-3 could not be authenticated, thus access was denied.
    [Figure 1: RADIUS Requests and Responses. Access Request / Access Accepted exchanges between the RADIUS server and ALA-1 and ALA-2; the request from ALA-3 is not accepted.]
  • Page 19: Authentication

    Any combination of these authentication methods can be configured to control network access from a router:
    • Local Authentication on page 20
    • RADIUS Authentication on page 20
    • TACACS+ Authentication on page 23
  • Page 20: Local Authentication

    In all these applications, up to 5 RADIUS servers can be configured per pool (per RADIUS policy, if one is used). The RADIUS server selection algorithm can work in 2 modes, either Direct mode or Round-robin mode.
  • Page 21

    ... RADIUS server (for example, if the server was previously down but no requests had been sent to the server, thus it is not yet certain whether the server is actually reachable).
  • Page 22

    As long as the Session-Timeout attribute (in the RADIUS user file) is specified, it is used for the polling interval. Otherwise, the configured polling interval is used (60 seconds by default).
  • Page 23: Tacacs+ Authentication

    TACACS+ uses the Transmission Control Protocol (TCP) and RADIUS uses the User Datagram Protocol (UDP). TACACS+ is popular because TCP is considered the more reliable transport. RADIUS combines authentication and authorization; TACACS+ separates these operations. A further difference worth knowing when choosing between them: TACACS+ obfuscates the entire packet body with the shared key, whereas RADIUS protects only the User-Password attribute, so the rest of a RADIUS exchange travels in the clear.
  • Page 24: Authorization

    The RADIUS server can be used to:
    • Download the user profile to the router
    • Send the profile name that the node should apply to the router.
  • Page 25: Tacacs+ Authorization

    All users who authenticate via TACACS+ can use a single common default profile that is configured on the SR OS router, or
    • Each command attempted by a user is sent to the TACACS+ server for authorization
  • Page 26

    - "show router"
    - "show port 1/1/1"
    - "configure port 1/1/1 description "my port""

    This results in the following AVPairs (the lone cmd=show belongs to a bare "show" listed before this page):

      cmd=show

      cmd=show
      cmd-arg=router

      cmd=show
      cmd-arg=port
      cmd-arg=1/1/1

      cmd=configure
      cmd-arg=port
      cmd-arg=1/1/1
      cmd-arg=description
      cmd-arg=my port
  • Page 27

    - *A:dut-c>config>service# vprn 555 customer 1 create
    - *A:dut-c>config>service>vprn$ shutdown

    This results in the following AVPairs:

      cmd=configure
      cmd-arg=service

      cmd=configure
      cmd-arg=service
      cmd-arg=vprn
      cmd-arg="555"
      cmd-arg=customer
      cmd-arg=1
      cmd-arg=create

      cmd=configure
      cmd-arg=service
      cmd-arg=vprn
      cmd-arg="555"
      cmd-arg=customer
      cmd-arg=1
      cmd-arg=create
      cmd-arg=shutdown

    Note that every request carries the full context path: the command the user typed is preceded by the commands that established the current CLI context, so a server-side rule for "shutdown" must be written against the whole path, not against the last word alone.
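The AV-pair construction shown on pages 26 and 27, as an added example that is not code from the guide or from SR OS: the first word of the combined context-plus-command path becomes cmd, every following word becomes cmd-arg, and quotes around a multi-word argument are removed (the guide renders description "my port" as cmd-arg=my port; it also shows the vprn id as cmd-arg="555", a quoting detail this example does not reproduce). The context tuples passed in are assumptions that mirror the prompts on page 27.

```python
"""Build cmd / cmd-arg attribute-value pairs for TACACS+ per-command
authorization the way pages 26-27 of the guide show them.

Added example, not SR OS code.  Assumptions: the context path is the list
of words of every command that led to the current prompt (so the
config>service>vprn prompt reached via "vprn 555 customer 1 create" has the
path configure service vprn 555 customer 1 create), and quoted multi-word
arguments are sent unquoted.
"""
import shlex


def avpairs(command, context=()):
    """Return [(name, value), ...] for `command` entered in `context`.

    context: tuple of words describing the current CLI context, e.g.
             ("configure", "service") for the config>service# prompt.
    """
    words = list(context) + shlex.split(command)
    if not words:
        return []
    return [("cmd", words[0])] + [("cmd-arg", w) for w in words[1:]]


def render(pairs):
    """One AV pair per line, as the guide lists them."""
    return "\n".join(f"{name}={value}" for name, value in pairs)


def enter_context(context, command):
    """Context reached after a command that opens a sub-context (assumption:
    the words of that command are appended to the path)."""
    return tuple(context) + tuple(shlex.split(command))


if __name__ == "__main__":
    # The three commands from page 26, entered at the top level.
    for cmd in ('show router', 'show port 1/1/1',
                'configure port 1/1/1 description "my port"'):
        print(render(avpairs(cmd)), end="\n\n")

    # The two commands from page 27: the second one is entered inside the
    # vprn context that the first one created.
    svc = ("configure", "service")
    print(render(avpairs("vprn 555 customer 1 create", svc)), end="\n\n")
    vprn = enter_context(svc, "vprn 555 customer 1 create")
    print(render(avpairs("shutdown", vprn)))
```

Because the context path is part of every request, a TACACS+ server rule that only looks at the last word ("shutdown") would also match a shutdown issued in an unrelated context; match on the leading cmd and cmd-arg values as well.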
  • Page 28: Accounting

    ... TACACS+ accounting is required for the particular event.
  • Page 29

    The TACACS+ accounting server acknowledges the start packet and records information about the event. When the event ends, the device sends a stop packet. The stop packet is acknowledged by the TACACS+ accounting server.
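The start/stop exchange described on page 29, as an added example with both sides' messages (not code from the guide or from SR OS). The packet layout follows RFC 8907, the published TACACS+ specification: a 12-byte header, an accounting REQUEST body whose first byte carries the START or STOP flag, and a REPLY body with a status byte. The shared key, session id, port, remote address and argument strings are constructed for the example.

```python
"""TACACS+ accounting exchange: REQUEST with START flag, REPLY, then
REQUEST with STOP flag and its REPLY (page 29 of the guide).

Added example, not SR OS code.  Field layout and constants follow RFC 8907;
the key and sample values are made up.  The body is obfuscated with the
RFC's MD5 pseudo-pad unless the unencrypted flag is set, which is what
protects the arguments on the wire.
"""
import hashlib
import os
import struct

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_ACCT = 0x03              # packet type: accounting
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body sent in clear (avoid)
ACCT_FLAG_START = 0x02
ACCT_FLAG_STOP = 0x04
ACCT_STATUS_SUCCESS = 0x01
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01
HDR = "!BBBBII"                   # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 chain keyed by session id, shared key, version and sequence number."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; applying it twice restores the body."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))


def acct_request(flags, user, port, rem_addr, args, priv_lvl=15):
    """Accounting REQUEST body: fixed fields, one length byte per arg, then strings."""
    u, p, r, a = user.encode(), port.encode(), rem_addr.encode(), [x.encode() for x in args]
    body = struct.pack("!BBBBBBBBB", flags, AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                       AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(a))
    return body + bytes(len(x) for x in a) + u + p + r + b"".join(a)


def parse_acct_request(body):
    flags, _, priv, _, _, ul, pl, rl, ac = struct.unpack("!BBBBBBBBB", body[:9])
    arg_lens, off = list(body[9:9 + ac]), 9 + ac
    user, off = body[off:off + ul].decode(), off + ul
    port, off = body[off:off + pl].decode(), off + pl
    rem, off = body[off:off + rl].decode(), off + rl
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return {"flags": flags, "priv_lvl": priv, "user": user, "port": port, "rem_addr": rem, "args": args}


def acct_reply(status, server_msg=b"", data=b""):
    return struct.pack("!HHB", len(server_msg), len(data), status) + server_msg + data


def parse_acct_reply(body):
    ml, dl, status = struct.unpack("!HHB", body[:5])
    return status, body[5:5 + ml], body[5 + ml:5 + ml + dl]


class AccountingServer:
    """Toy accounting server: acknowledges START and STOP and records them."""
    def __init__(self, key):
        self.key, self.records = key, []

    def handle(self, packet):
        ver, _ptype, seq, flags, sid, blen = struct.unpack(HDR, packet[:12])
        body = packet[12:12 + blen]
        if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
            body = obfuscate(body, sid, self.key, ver, seq)
        req = parse_acct_request(body)
        kind = "start" if req["flags"] & ACCT_FLAG_START else "stop"
        self.records.append((sid, kind, req["user"], req["args"]))
        reply = obfuscate(acct_reply(ACCT_STATUS_SUCCESS), sid, self.key, ver, seq + 1)
        return struct.pack(HDR, ver, TAC_PLUS_ACCT, seq + 1, 0, sid, len(reply)) + reply


def account_event(server, key, user, args, session_id=None):
    """Device side: send START, later STOP; return the two reply statuses."""
    statuses = []
    for flag in (ACCT_FLAG_START, ACCT_FLAG_STOP):
        sid = session_id if session_id is not None else struct.unpack("!I", os.urandom(4))[0]
        body = acct_request(flag, user, "console", "192.0.2.10", args)  # constructed values
        enc = obfuscate(body, sid, key, TAC_PLUS_VERSION, 1)             # REQUEST is seq 1
        reply = server.handle(struct.pack(HDR, TAC_PLUS_VERSION, TAC_PLUS_ACCT, 1, 0, sid, len(enc)) + enc)
        _, _, rseq, _, rsid, rlen = struct.unpack(HDR, reply[:12])
        status, _, _ = parse_acct_reply(obfuscate(reply[12:12 + rlen], rsid, key, TAC_PLUS_VERSION, rseq))
        statuses.append(status)
    return statuses
```

Each START and STOP here is its own session (REQUEST seq 1, REPLY seq 2); correlate the two records by an argument such as task_id, as TACACS+ servers do. Never set the unencrypted flag on a production node: the arguments then reveal every command a user ran.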
  • Page 30: Security Controls

    ... 30 seconds. Health check is enabled by default. When a service response is restored from at least one server, the alarm condition is cleared. Alarms are raised and cleared on Alcatel-Lucent's Fault Manager or other third party fault management servers.
  • Page 31: Access Request Flow

    [Figure 2: Security Flow. The access request is tried against TACACS+ Server 1 through Server 5; outcomes shown are Accept, Deny, No Response, a Local fallback and Access Denied.]
  • Page 32: Cpu Protection

    Only the DHCP protocol is limited (per source) when the ip-src-monitoring keyword is used.
    • out-profile-rate: applies to all control traffic destined to the CPM (all sources) received on the interface (only where the policy is applied). This is a per-interface ...
  • Page 33: Figure 3: Profile Marking

    The objective of CPU protection is to limit the amount of traffic that the CPU will process at an early stage, therefore the good and bad ...
  • Page 34

    If PIM or PIM snooping is configured on an interface/SAP, then multicast PIM messages are filtered based on PIM being enabled on that particular interface. All unicast PIM messages are sent to the CPU to be processed.
  • Page 35: Cpu Protection Extensions Eth-Cfm

    This means the rate is on a per SAP/binding basis. Only a single policy may be applied to a SAP/binding. The "eth-cfm-monitoring" option must be configured in order for the eth-cfm entries to be applied when the policy is applied to the SAP/binding. If this option ...
  • Page 36

    ... CPU would not be bound by a CPU protection rate.

    config>sys>security>cpu-protection# policy 1
        eth-cfm
            entry 10 level 5-7 opcode 3,5 rate 1
            entry 20 level 0-7 opcode 0-255 rate 0

    config>service>vpls# sap 1/1/4:100
        cpu-protection 1 eth-cfm-monitoring aggregate
        eth-cfm
        no shutdown
  • Page 37: Distributed Cpu Protection (Dcp)
  • Page 38: Figure 4: Per Sap Per Protocol Static Rate Limiting With Dcp

    [Figure 5: Per Network Interface per Protocol Static Rate Limiting with DCP. Shows ICMP, OSPF, ISIS and user data arriving on port 1/1/1 (interface as 123) and port 3/2/8 (interface bb456) with policy d-cpu-prot-policyB applied.]
  • Page 39: Applicability Of Distributed Cpu Protection

    ... SAP. In this case the DCP policy that an operator creates for use on VPLS SAPs, for VPLSs that have an l3-interface bound to them (r-vpls), may have protocols like OSPF and ARP configured in the policy.
  • Page 40: Log Events, Statistics, Status And Snmp Support

    Statistics and status related to DCP are available both via:
    • ...
    • SNMP: see the tables and objects with "Dcp" or "DCpuProt" in their name in the TIMETRA-CHASSIS-MIB, TIMETRA-SECURITY-MIB, TIMETRA-SAP-MIB and TIMETRA-VRTR-MIB
  • Page 41: Dcp Policer Resource Management
  • Page 42: Operational Guidelines And Tips

     avoid creating protocol X so that it is treated as part of the all-unspecified bucket (but account for the packets from X in the all-unspecified rate and local-mon rate),
     create protocol X and configure it to bypass ...
  • Page 43: Dcp Configuration Samples

        ... "my-ddos-policy2" create
            local-monitoring-policer "my-local-monitor" create
                rate packets 10 within 10 initial-delay 7
                exceed-action low-priority
            exit
            protocol arp create
                enforcement dynamic "my-local-monitor"
                dynamic-parameters
                    detection-time 900
                    rate packets 5 within 10 initial-delay 5
  • Page 44

                    ... 60
                exit
            exit
            protocol pppoe-pppoa create
                enforcement dynamic "my-local-monitor"
                dynamic-parameters
                    detection-time 600
                    rate packets 3 within 10 initial-delay 3
                    exceed-action discard hold-down 120
                exit
            exit
        exit

    *A:node1>config>subscr-mgmt>msap-policy# info
    ----------------------------------------------
        dist-cpu-protection "my-ddos-policy2"
  • Page 45: Vendor-Specific Attributes (Vsas)

    ... VSA. The attribute-specific field is dependent on the vendor's definition of that attribute. The Alcatel-Lucent-defined attributes are encapsulated in a RADIUS vendor-specific attribute with the vendor ID field set to 6527, the vendor ID number.
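The encapsulation described on page 45, as an added example that is not code from the guide: a RADIUS Vendor-Specific attribute (type 26) with the vendor ID field set to 6527 and the vendor-defined sub-attributes inside it, plus the decoder a RADIUS client needs to pull the Alcatel-Lucent attributes out of an Access-Accept. The sub-attribute numbers (SUBATTR_PROFILE, SUBATTR_CMD) are placeholders chosen for the example; the real numbers come from the Alcatel-Lucent RADIUS dictionary, which this page does not list.

```python
"""Encode and decode RADIUS Vendor-Specific attributes for vendor 6527.

Added example, not SR OS code.  Layout is RFC 2865 section 5.26:
Type=26 | Length | Vendor-Id (4 bytes) | Vendor-Type | Vendor-Length | value ...
Sub-attribute numbers below are hypothetical placeholders.
"""
import struct

ALU_VENDOR_ID = 6527
VSA_TYPE = 26

# Placeholder sub-attribute numbers for illustration only (assumption).
SUBATTR_PROFILE = 4
SUBATTR_CMD = 6


def encode_vsa(vendor_id, subattrs):
    """subattrs: list of (vendor_type, value_bytes).  Returns one RADIUS attribute."""
    payload = b""
    for vtype, value in subattrs:
        if len(value) > 253:
            raise ValueError("sub-attribute value too long for one attribute")
        payload += struct.pack("!BB", vtype, 2 + len(value)) + value
    length = 2 + 4 + len(payload)
    if length > 255:
        raise ValueError("VSA exceeds 255 bytes; split the sub-attributes across attributes")
    return struct.pack("!BBI", VSA_TYPE, length, vendor_id) + payload


def decode_attributes(blob):
    """Walk a RADIUS attribute list.  Returns (type, vendor_id, vendor_type, value)
    tuples; vendor_id and vendor_type are None for ordinary attributes.
    Malformed lengths raise instead of being skipped: a truncated or
    overlapping attribute is how a hostile server smuggles data past a parser."""
    out, off = [], 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated attribute header")
        atype, alen = blob[off], blob[off + 1]
        if alen < 2 or off + alen > len(blob):
            raise ValueError("malformed attribute length")
        value = blob[off + 2:off + alen]
        if atype == VSA_TYPE:
            if len(value) < 4:
                raise ValueError("VSA shorter than its vendor id")
            (vid,) = struct.unpack("!I", value[:4])
            sub, p = value[4:], 0
            while p < len(sub):
                if p + 2 > len(sub):
                    raise ValueError("truncated vendor sub-attribute")
                vt, vl = sub[p], sub[p + 1]
                if vl < 2 or p + vl > len(sub):
                    raise ValueError("malformed vendor sub-attribute length")
                out.append((atype, vid, vt, sub[p + 2:p + vl]))
                p += vl
        else:
            out.append((atype, None, None, value))
        off += alen
    return out


def alu_subattrs(decoded):
    """Keep only sub-attributes from vendor 6527, as (vendor_type, value)."""
    return [(vt, v) for _, vid, vt, v in decoded if vid == ALU_VENDOR_ID]
```

Filtering on the vendor ID matters: an Access-Accept may carry VSAs from several vendors, and a sub-attribute number collides across vendor namespaces, so a decoder that ignores the 4-byte vendor ID can apply another vendor's attribute as if it were an Alcatel-Lucent profile.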
  • Page 46: Other Security Features

    ... SCP clients treat backslash characters as equivalent to slash characters. In particular, UNIX systems will often interpret the backslash character as an "escape" character, which does not get transmitted to the SCP server. For example, a destination ...
  • Page 47: Per Peer Cpm Queuing

    CPMQ, using the "per-peer-queuing" command, ensures that service levels would not (or would only partially) be impacted in case of an attack from a spoofed LDP or BGP peer IP address.
  • Page 48: Cpm Filters And Traffic Management

    ... (CPM) queues for traffic directed to the control processors. CPM queueing is supported on the following platforms: 7950 SR, 7750 SR-7/SR-12, and 7750 SR-c12 (not 7750 SR-1). CPM filters and queues control all traffic going in to the CPM from IOMs/XMAs, including all routing protocols.
  • Page 49: Exponential Login Backoff

    Exponential backoff applies to any user and to any login method such as console, SSH and Telnet. Refer to Configuring Login Controls on page 87. The commands are described in Login, Telnet, SSH and FTP Commands on page 115.
  • Page 50: User Lockout

    A lock-out for a specific user can be administratively cleared using admin user <user-name> clear-lockout.
  • Page 51: Encryption

    3DES applies the DES cipher three times with independent keys and is stronger than single DES, whose 56-bit key is too short for modern use.
    802.1x Network Access Control: the Alcatel-Lucent OS supports network access control of client devices (PCs, STBs, etc.) on an Ethernet network using the IEEE 802.1x standard. 802.1x is known as Extensible Authentication Protocol (EAP) over a LAN, or EAPOL.
  • Page 52: Packet Formats

    ... The default value is 0.
    • K-Bit: 1 bit. This bit is reserved for future enhancement. Its value MUST be equal to zero.
    • Alg ID: 6 bits. The Alg ID field identifies the MAC algorithm.
  • Page 53

    ... Authentication Data field can be derived from the Alg ID.
    • The Authentication for TCP-based Routing and Management Protocols draft provides an overview of the TCP Enhanced Authentication Option. The details of this feature are described in draft-bonica-tcp-auth-04.txt.
  • Page 54: Keychain

    T[i]   Start time from which key[i] can be used by receiving TCPs:
             config>system>security>keychain>direction>bi>entry>begin-time
             config>system>security>keychain>direction>uni>receive>entry>begin-time
           Receive tolerance:
             config>system>security>keychain>direction>bi>entry>tolerance
             config>system>security>keychain>direction>uni>receive>entry>tolerance
    T'[i]  End time after which key[i] cannot be used by receiving TCPs:
             config>system>security>keychain>direction>uni>receive>entry>end-time
  • Page 55: Configuration Notes

    If a RADIUS or a TACACS+ server is not configured, then password, profiles, and user access information must be configured on each router in the domain.
    • If RADIUS authorization is enabled, then VSAs must be configured on the RADIUS server.
  • Page 57: Configuring Security With Cli

     Configuring RADIUS Accounting on page 80
     TACACS+ Configurations on page 83
     Enabling TACACS+ Authentication on page 83
     Configuring TACACS+ Authorization on page 84
     Configuring TACACS+ Accounting on page 85
  • Page 58: Setting Up Security Attributes

    To implement only TACACS+ authentication, perform the following tasks on each participating router:
     Configuring Profiles on page 71
     Configuring Users on page 72
     Enabling TACACS+ Authentication on page 83
  • Page 59: Configuring Authorization

     Configuring RADIUS Authentication on page 78
     Configuring Profiles on page 71
    • TACACS+ authorization (only). For TACACS+ authorization (without authentication), configure these tasks on each participating router:
     Configuring TACACS+ Authorization on page 84
  • Page 60

    Setting Up Security Attributes
    • TACACS+ authorization. For TACACS+ authorization (with authentication), configure these tasks on each participating router:
     Enabling TACACS+ Authentication on page 83
     Configuring TACACS+ Authorization on page 84
  • Page 61: Configuring Accounting

    Local accounting is not implemented. For information about configuring accounting policies, refer to Configuring Logging with CLI on page 323.
    • Configuring RADIUS Accounting on page 80
    • Configuring TACACS+ Accounting on page 85
  • Page 62: Security Configurations

            ... "exec" action permit
        password
            authentication-order radius tacplus local
            no aging
            minimum-length 6
            attempts 3 time 5 lockout 10
            complexity
        exit
        user "admin"
            password "./3kQWERTYn0Q6w" hash
            access console
            no home-directory
            no restricted-to-home
  • Page 63

            ... 20 time 5 lockout 10
        exit
        no ssh
  • Page 64: Configuration Tasks

    ... TACACS+ server. Accounting can be performed on a RADIUS or TACACS+ server.

    Table 6: Security Configuration Requirements
      Authentication   Authorization       Accounting
      Local            Local               None
      RADIUS           Local and RADIUS    RADIUS
      TACACS+          Local               TACACS+
  • Page 65: Security Configuration Procedures

    ... IPv4 filter and permitted for IPv6 and MAC filters.

    *A:Dut-C>config>system>security>mgmt-access-filter# info
    ----------------------------------------------
        ip-filter
            default-action deny
            entry 10
                description "Accept SSH from mgmnt subnet"
                src-ip 192.168.5.0/26
                protocol tcp
                dst-port 22 65535
                action permit
  • Page 66

            entry 10
                src-ip 3FFE::1:1/128
                next-header rsvp
                action deny
            exit
        exit
        mac-filter
            default-action permit
            entry 12
                match frame-type ethernet_II svc-id 1
                    src-mac 00:01:01:01:01:01 ff:ff:ff:ff:ff:ff
                exit
                action permit
            exit
        exit
    ----------------------------------------------
    *A:Dut-C>config>system>security>mgmt-access-filter#
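First-match evaluation of the management access filter on pages 65-66, as an added example that is not SR OS code: the ip-filter with default-action deny and one entry permitting TCP port 22 from 192.168.5.0/26, and the ipv6-filter entry denying RSVP from 3FFE::1:1/128. Assumptions: entries are evaluated in ascending entry-id order and the first match decides; "dst-port 22 65535" means (port AND mask) == 22, so mask 65535 is an exact match and a smaller mask covers a range; an unset criterion matches anything; the default action of the IPv6 filter, which the page cuts off, is taken as permit, consistent with the fragment "permitted for IPv6 and MAC filters". The packets in the test are constructed.

```python
"""Evaluate SR OS style management access filter entries against packets.

Added example, not SR OS code.  Assumptions are listed in the lead-in:
ordered first match, (port & mask) == dst-port, unset criteria match all.
"""
import ipaddress

PROTO_NUM = {"tcp": 6, "udp": 17, "rsvp": 46}   # IP protocol / next-header numbers


class Entry:
    def __init__(self, entry_id, action, src_ip=None, protocol=None,
                 dst_port=None, port_mask=0xFFFF):
        self.entry_id = entry_id
        self.action = action                                   # "permit" or "deny"
        self.src_ip = ipaddress.ip_network(src_ip) if src_ip else None
        self.protocol = PROTO_NUM[protocol] if isinstance(protocol, str) else protocol
        self.dst_port = dst_port
        self.port_mask = port_mask

    def matches(self, pkt):
        """pkt: dict with "src" (address string), "proto" (number), optional "dport"."""
        if self.src_ip is not None:
            # An IPv6 source never falls inside an IPv4 prefix (and vice versa).
            if ipaddress.ip_address(pkt["src"]) not in self.src_ip:
                return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.dst_port is not None:
            dport = pkt.get("dport")
            if dport is None or (dport & self.port_mask) != self.dst_port:
                return False
        return True


class Filter:
    def __init__(self, default_action, entries):
        self.default_action = default_action
        self.entries = sorted(entries, key=lambda e: e.entry_id)

    def decide(self, pkt):
        """Return (action, entry_id) of the first matching entry, or the default."""
        for e in self.entries:
            if e.matches(pkt):
                return e.action, e.entry_id
        return self.default_action, None


# The ip-filter on page 65.
IP_FILTER = Filter("deny", [
    Entry(10, "permit", src_ip="192.168.5.0/26", protocol="tcp", dst_port=22),
])

# The ipv6-filter entry on page 66; its default action is assumed to be permit.
IPV6_FILTER = Filter("permit", [
    Entry(10, "deny", src_ip="3FFE::1:1/128", protocol="rsvp"),
])
```

The mask semantics are the part worth checking on a real filter: dst-port 1024 with mask 0xFC00 matches every port from 1024 to 2047, so a mask other than 65535 widens an entry far beyond the port written next to it.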
  • Page 67: Configuring Cpm Filters Policy

                    ... 0x8902
                    cfm-opcode gt 100
                exit
            exit
        exit
    *A:Dut-C>config>sys>security>cpm-filter#

    CPM queues can be used to provide rate limit capabilities for traffic destined to CPM as described in an earlier section of this document.
  • Page 68: Configuring Password Management Parameters

    ... [numeric] [special-character] [mixed-case]
    health-check
    minimum-length value

    The following example displays a password configuration:

    A:ALA-1>config>system>security# info
    ----------------------------------------------
        password
            authentication-order radius tacplus local
            aging 365
            minimum-length 8
            attempts 5 time 5 lockout 20
        exit
    ----------------------------------------------
    A:ALA-1>config>system>security#
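The login controls from pages 49-50 (exponential backoff, user lockout and its administrative clearing) together with the password parameters on page 68, as an added example that is not SR OS code. Assumptions: "attempts N time T lockout L" locks a user after N failed attempts within T minutes for L minutes (0 taken as locked until cleared); exponential backoff delays the next prompt by 2^(failures-1) seconds, since the guide does not state the node's actual schedule; each complexity keyword requires at least one character of its class. A simulated clock (seconds) stands in for wall time.

```python
"""Password complexity checks and failed-login handling modelled on the SR OS
password commands (pages 49-50 and 68 of the guide).

Added example, not SR OS code.  Semantics of attempts/time/lockout, the
backoff schedule and the complexity classes are assumptions stated in the
lead-in.  `now` is a number of seconds from a simulated clock.
"""
import string


def check_complexity(password, minimum_length=8, numeric=False,
                     special_character=False, mixed_case=False):
    """Return the list of violated rules; an empty list means acceptable."""
    problems = []
    if len(password) < minimum_length:
        problems.append("minimum-length")
    if numeric and not any(c.isdigit() for c in password):
        problems.append("numeric")
    if special_character and not any(c in string.punctuation for c in password):
        problems.append("special-character")
    if mixed_case and not (any(c.islower() for c in password)
                           and any(c.isupper() for c in password)):
        problems.append("mixed-case")
    return problems


class LoginControl:
    def __init__(self, attempts=5, time=5, lockout=20, exponential_backoff=True):
        self.attempts = attempts          # failures before lockout
        self.window = time * 60           # minutes -> seconds
        self.lockout = lockout * 60       # minutes -> seconds, 0 = until cleared
        self.backoff = exponential_backoff
        self.failures = {}                # user -> timestamps of recent failures
        self.locked_until = {}            # user -> unlock time, None = until cleared

    def is_locked(self, user, now):
        until = self.locked_until.get(user, 0)
        return until is None or now < until

    def backoff_delay(self, user):
        """Seconds to wait before re-prompting: 1, 2, 4, ... after each failure."""
        n = len(self.failures.get(user, []))
        return 2 ** (n - 1) if self.backoff and n > 0 else 0

    def login(self, user, password_ok, now):
        """Returns (result, delay): result is 'ok', 'denied' or 'locked'."""
        if self.is_locked(user, now):
            return "locked", 0
        if password_ok:
            self.failures.pop(user, None)
            return "ok", 0
        # Only failures inside the sliding window count towards the lockout.
        recent = [t for t in self.failures.get(user, []) if now - t < self.window] + [now]
        self.failures[user] = recent
        if len(recent) >= self.attempts:
            self.locked_until[user] = None if self.lockout == 0 else now + self.lockout
            self.failures.pop(user, None)
            return "locked", 0
        return "denied", self.backoff_delay(user)

    def clear_lockout(self, user):
        """Counterpart of 'admin user <user-name> clear-lockout' on page 50."""
        self.locked_until.pop(user, None)
        self.failures.pop(user, None)
```

Note that a locked account answers "locked" even to the correct password until the lockout expires or is cleared, which is the intended behaviour but also means an attacker who knows a user name can keep that user locked out by feeding wrong passwords; that is one reason to restrict where logins may come from with the management access filter.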
  • Page 69: Ipsec Certificates Parameters

            ... "Root CA"
            cert-file "R1-0cert.der"
            crl-file "R1-0crl.der"
            no shutdown
        exit
    ----------------------------------------------
    *A:SR-7/Dut-A>config>system>security>pki#

    The following displays an example of an ike-policy with cert-auth output:

    *A:SR-7/Dut-A>config>ipsec>ike-policy# info
    ----------------------------------------------
        ike-version 2
        auth-method cert-auth
        own-auth-method psk
    ----------------------------------------------
  • Page 70

            ... "Sanity-1" create
                security-policy 1
                local-gateway-address 30.1.1.13 peer 50.1.1.15 delivery-service 300
                dynamic-keying
                    ike-policy 1
                    pre-shared-key "Sanity-1"
                    transform 1
                    cert
                        trust-anchor "R1-0"
                        cert "M2cert.der"
                        key "M2key.der"
                    exit
                exit
                no shutdown
            exit
        exit
    exit
  • Page 71: Configuring Profiles

    The following example displays a user profile output:

    A:ALA-1>config>system>security# info
    ----------------------------------------------
        profile "ghost"
            default-action permit-all
            entry 1
                match "configure"
                action permit
            exit
            entry 2
                match "show"
            exit
            entry 3
                match "exit"
            exit
        exit
    ----------------------------------------------
    A:ALA-1>config>system>security#
  • Page 72: Configuring Users

    The following displays a user configuration example:

    A:ALA-1>config>system>security# info
    ----------------------------------------------
        user "49ers"
            password "qQbnuzLd7H/VxGdUqdh7bE" hash2
            access console ftp snmp
            restricted-to-home
            console
                member "default"
                member "ghost"
            exit
        exit
    ----------------------------------------------
    A:ALA-1>config>system>security#
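Local command authorization with the profiles of page 71 and the user of page 72 (member of "default" and "ghost"), using the "default" profile entries that appear on pages 76-77, as an added example that is not SR OS code. Assumptions: within a profile the entries are checked in ascending entry order and the first entry whose match string is a word-wise prefix of the command decides; an entry without a printed action (entries 2 and 3 of "ghost") gives no decision and the profile's default-action applies; a user's profiles are consulted in the order they are listed and the first one that reaches a decision wins; when no profile decides, the command is denied.

```python
"""Profile-based command authorization modelled on SR OS profiles
(pages 71-72 and 76-77 of the guide).

Added example, not SR OS code.  Evaluation order, the handling of entries
without an action, and the deny-when-undecided rule are assumptions.
"""


class Profile:
    def __init__(self, name, default_action, entries):
        self.name = name
        self.default_action = default_action             # "permit-all", "deny-all" or "none"
        self.entries = sorted(entries, key=lambda e: e[0])  # (entry_id, match, action|None)

    def decide(self, command):
        """'permit', 'deny', or None when this profile reaches no decision."""
        words = command.split()
        for _, match, action in self.entries:
            mwords = match.split()
            # Word-wise prefix: "show" matches "show port" but not "showdown".
            if words[:len(mwords)] == mwords:
                if action is not None:
                    return action
                break   # matched entry without an action: fall to default-action
        return {"permit-all": "permit", "deny-all": "deny"}.get(self.default_action)


def authorize(command, profiles):
    """Return (decision, deciding_profile_name); deny if nothing decides."""
    for p in profiles:
        d = p.decide(command)
        if d is not None:
            return d, p.name
    return "deny", None


# Profiles as printed in the guide (entries 60-80 of "default" are on pages 76-77;
# its default-action is not visible there and is assumed to be "none").
DEFAULT = Profile("default", "none", [
    (60, "show config", "deny"),
    (70, "show", "permit"),
    (80, "enable-admin", "permit"),
])
GHOST = Profile("ghost", "permit-all", [
    (1, "configure", "permit"),
    (2, "show", None),
    (3, "exit", None),
])
ADMINISTRATIVE = Profile("administrative", "permit-all", [])

# User "49ers" from page 72 is a member of "default" and then "ghost".
USER_49ERS = [DEFAULT, GHOST]
```

The entry order is the security-relevant detail: "show config" is denied only because entry 60 is checked before the broader entry 70. Prefix-based deny rules block exactly what they match, so every other command that exposes the same data needs its own deny entry, and a permit-all profile listed after a "none" profile will permit anything the first profile did not decide.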
  • Page 73: Configuring Keychains

                    ... entry 1 key "ZcvSElJzJx/wBZ9biCtOVQJ9YZQvVU.S" hash2 algorithm aes-128-cmac-96
                        begin-time 2006/12/18 22:55:20
                    exit
                exit
            exit
        exit
        keychain "basasd"
            direction
                receive
                    entry 1 key "Ee7xdKlYO2DOm7v3IJv/84LIu96R2fZh" hash2 algorithm aes-128-cmac-96
                        tolerance forever
                    exit
                exit
            exit
        exit
    ----------------------------------------------
    A:ALA-1>config>system>security#

    A receive entry with tolerance forever never expires, so a key configured that way stays acceptable until it is removed; use an end-time (page 54) when the keychain is meant to roll keys.
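Key lifetime handling for the keychain entries on page 73, using the T[i] begin-time, T'[i] end-time and tolerance parameters of page 54, as an added example that is not SR OS code. Assumptions: the send side uses the key with the latest begin-time that is not in the future; the receive side accepts a key from its begin-time until its end-time plus tolerance, with tolerance forever (or no end-time) meaning it never expires. The MAC is HMAC-SHA-1 truncated to 96 bits (hmac-sha-1-96) because aes-128-cmac-96, the algorithm on page 73, needs a CMAC implementation outside the Python standard library; the keys and the segment bytes are made up, and times are UTC.

```python
"""Keychain key selection and 96-bit MAC computation for the TCP Enhanced
Authentication Option (pages 52-54 and 73 of the guide).

Added example, not SR OS code.  Lifetime rules are assumptions from the
lead-in; the MAC is hmac-sha-1-96 rather than aes-128-cmac-96.
"""
from datetime import datetime, timedelta
import hashlib
import hmac

FOREVER = None   # tolerance value meaning "never expires"


class Entry:
    def __init__(self, key_id, key, begin, end=None, tolerance=timedelta(0)):
        self.key_id = key_id
        self.key = key
        self.begin = begin            # T[i]
        self.end = end                # T'[i]; None when no end-time is configured
        self.tolerance = tolerance    # timedelta, or FOREVER


def active_send_entry(entries, now):
    """Key used for sending: latest begin-time that has already passed."""
    usable = [e for e in entries if e.begin <= now]
    return max(usable, key=lambda e: e.begin) if usable else None


def acceptable_receive_entries(entries, now):
    """Keys a receiver accepts at `now`: begun, and not past end-time + tolerance."""
    out = []
    for e in entries:
        if now < e.begin:
            continue
        if e.end is None or e.tolerance is FOREVER or now <= e.end + e.tolerance:
            out.append(e)
    return out


def mac96(key, data):
    """hmac-sha-1-96: HMAC-SHA-1 truncated to its first 12 bytes."""
    return hmac.new(key, data, hashlib.sha1).digest()[:12]


def sign_segment(entries, now, segment):
    """Return (key_id, tag) the sender puts in the option."""
    e = active_send_entry(entries, now)
    if e is None:
        raise RuntimeError("no usable send key at this time")
    return e.key_id, mac96(e.key, segment)


def verify_segment(entries, now, segment, key_id, tag):
    """Accept only if the named key is still acceptable and the tag matches."""
    for e in acceptable_receive_entries(entries, now):
        if e.key_id == key_id:
            return hmac.compare_digest(mac96(e.key, segment), tag)
    return False
```

Receive tolerance is what lets two routers roll keys without a simultaneous cutover: the old key stays acceptable for the tolerance period after its end-time while the peer moves to the new one, so set it to the expected clock skew plus rollout time, not to forever.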
  • Page 74: Copying And Overwriting Users And Profiles

            ... "testgroup"
            exit
        exit
        user "testuserA"
            password "" hash2
            access snmp
            console
                new-password-at-login
            exit
            snmp
                authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
                group "testgroup"
            exit
        exit
    ----------------------------------------------
    A:ALA-12>config>system>security# info
  • Page 75

            ... "testgroup"
            exit
    ----------------------------------------------
    A:ALA-12>config>system>security>user# exit
    A:ALA-12>config>system>security# user testuserA
    A:ALA-12>config>system>security>user# info
    ----------------------------------------------
        password "" hash2
        access snmp
        console
            new-password-at-login
        exit
        snmp
            authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
            group "testgroup"
        exit
    ----------------------------------------------
    A:ALA-12>config>system>security>user#

    Note that privacy none leaves this SNMPv3 user authenticated but unencrypted (authNoPriv): management traffic for the user is integrity-protected with the MD5 key but readable on the wire.
  • Page 76: Profile

                ... "password"
                action permit
            exit
            entry 60
                no description
                match "show config"
                action deny
            exit
            entry 70
                no description
                match "show"
                action permit
            exit
            entry 80
                no description
                match "enable-admin"
  • Page 77

                action permit
            exit
        exit
        profile "administrative"
            default-action permit-all
        exit
    ----------------------------------------------
    A:ALA-12>config>system>security#
  • Page 78: Radius Configurations

    Also, the system IP address must be configured in order for the RADIUS client to work. See Configuring a System Interface in the 7950 SR OS Router Configuration Guide. The other commands are optional. The server command adds a RADIUS server and configures the RADIUS server's IP address, index, and key values.
  • Page 79: Configuring Radius Authorization

            ... 5
            timeout 5
            server 1 address 10.10.10.103 secret "test1"
            server 2 address 10.10.0.1 secret "test2"
            server 3 address 10.10.0.2 secret "test3"
            server 4 address 10.10.0.3 secret "test4"
        exit
    ----------------------------------------------
    A:ALA-1>config>system>security#
  • Page 80: Configuring Radius Accounting

    The example output on this page repeats the RADIUS server list shown on page 79 (servers 1 to 4, timeout 5).
  • Page 81: Configuring 802.1X Radius Policies

    Use the following CLI commands to configure generic authentication parameters for clients using 802.1x EAPOL. Additional parameters are configured per Ethernet port; refer to the 7950 SR OS Interface Configuration Guide. To configure generic parameters for 802.1x authentication, enter the following CLI syntax.
  • Page 82: Configuring Cpu Protection Policies

        ...
        policy 254 create
        exit
        policy 255 create
        exit
        port-overall-rate 12000
        protocol-protection
    ----------------------------------------------
    Node_3>config>sys>security>cpu-protection#

    The following output displays an application to an interface:

    Node_3>config>service>ies>if# info
    ----------------------------------------------
        cpu-protection 4
        sap 1/1/5 create
        exit
    ----------------------------------------------
    Node_3>config>sys>security>cpu-protection#
  • Page 83: Tacacs+ Configurations

            ... 1 address 10.10.0.5 secret "test1"
            server 2 address 10.10.0.6 secret "test2"
            server 3 address 10.10.0.7 secret "test3"
            server 4 address 10.10.0.8 secret "test4"
            server 5 address 10.10.0.9 secret "test5"
    ----------------------------------------------
    A:ALA-1>config>system>security>tacplus#
  • Page 84: Configuring Tacacs+ Authorization

    The example output on this page repeats the TACACS+ server list shown on page 83 (servers 1 to 5).
  • Page 85: Configuring Tacacs+ Accounting

    The example output on this page repeats the TACACS+ server list shown on page 83 (servers 1 to 5).
  • Page 86: Enabling Ssh

    ... SSH is disabled or enabled.

    CLI Syntax: config>system>security
        preserve-key
        no server-shutdown
        version ssh-version

    The following displays an SSH server configuration accepting both SSH and SSH2 using a host-key:

    A:sim1>config>system>security>ssh# info
    ----------------------------------------------
        preserve-key
        version 1-2
    ----------------------------------------------
    A:sim1>config>system>security>ssh#

    version 1-2 also accepts SSH protocol version 1, which has known weaknesses; unless a legacy client requires it, restrict the server to version 2 so that only SSH-2 connections are accepted. preserve-key keeps the generated host key across reboots, so clients see a stable host key instead of a new one on every restart.
  • Page 87: Configuring Login Controls

            ... 2
        exit
        idle-timeout 1440
        pre-login-message "Property of Service Routing Inc. Unauthorized access prohibited."
        motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM"
    exit
    no exponential-backoff
    ----------------------------------------------
    A:ALA-1>config>system#
  • Page 89: Security Command Reference

    Keychain Commands on page 101 • Login Control Commands on page 103 • Show Commands on page 104 • Clear Commands on page 104 • Debug Commands on page 105 • Tools Commands on page 105 7950 SR OS System Management Guide Page 89...
  • Page 90: Lldp Commands

    — no message-fast-tx-init — notification-interval time — no notification-interval — reinit-delay time — no reinit-delay — tx-credit-max count — no tx-credit-max — tx-hold-multiplier multiplier — no tx-hold-multiplier — tx-interval interval — no tx-interval Page 90 7950 SR OS System Management Guide...
  • Page 91 {port-id | cpm | lag lag-id } — no src-port — renum old-entry-number new-entry-number — [no] shutdown — [no] mac-filter — default-action {permit | deny} — [no] entry entry-id — action {permit | deny | deny-host-unreachable} 7950 SR OS System Management Guide Page 91...
  • Page 92 {ip-address/mask | ip-address netmask | ip- prefix-list prefix-list-name} — no dst-ip — dst-port [tcp/udp port-number] [mask] — no dst-port — fragment {true | false} — no fragment — icmp-code icmp-code — no icmp-code — icmp-type icmp-type Page 92 7950 SR OS System Management Guide...
  • Page 93 — no fragment — hop-by-hop-opt {true | false} — no hop-by-hop-opt — icmp-code icmp-code — no icmp-code — icmp-type icmp-type — no icmp-type — port tcp/udp port-number [mask] — port port-list port-list-name 7950 SR OS System Management Guide Page 93...
  • Page 94 0x0600..0xfff — no etype — src-mac ieee-address [ieee-address-mask] — no src-mac — ssap ssap-value [ssap-mask] — no ssap — svc-id service-id — no svc-id — renum old-entry-number new-entry-number — [no] shutdown Page 94 7950 SR OS System Management Guide...
  • Page 95 Security CPM Queue Commands config — system — security — [no] cpm-queue — [no] queue queue-id — — no — — no — rate rate [cir cir] — no rate 7950 SR OS System Management Guide Page 95...
  • Page 96 [mac-monitoring]|[eth-cfm-monitoring [aggregate][car]] configure>service>epipe>spoke-sdp>cpu-protection policy-id [mac-monitoring]|[eth-cfm-monitoring [aggregate][car]] configure>service>ies>interface>cpu-protection policy-id configure>service>ies>interfac>sap>cpu-protection policy-id [mac-monitoring]|[eth-cfm-monitoring [aggregate][car]] configure>service>template>vpls-sap-template>cpu-protection policy-id [mac-monitoring]|[eth-cfm- monitoring [aggregate][car]] configure>service>vpls>sap>cpu-protection policy-id [mac-monitoring]|[eth-cfm-monitoring [aggregate][car]] configure>service>vprn>interface>cpu-protection policy-id configure>service>vprn >interface>sap>cpu-protection policy-id [mac-monitoring]|[eth-cfm- monitoring [aggregate][car]] configure>service>vprn>network-interface>cpu-protection policy-id Page 96 7950 SR OS System Management Guide...
  • Page 97 | kbps {kilobits-per-second | max} [mbs size] [bytes|kilobytes]} — no rate config card x fp y — dist-cpu-protection — [no] dynamic-enforcement-policer-pool number-of-policers —Password Commands Security Password Commands config — system — ftp-server 7950 SR OS System Management Guide Page 97...
  • Page 98 — authentication-order [method-1] [method-2] [method-3] [exit-on-reject] — no authentication-order — [no] complexity [numeric] [special-character] [mixed-case] — [no] health-check [interval interval] — minimum-length value — no minimum-length — tacplus-map-to-priv-lvl [admin-priv-lvl] — no tacplus-map-to-priv-lvl
  • Page 99: Profile Commands

    — default-action {deny-all | permit-all | none} — [no] entry entry-id — action {deny | permit} — description description-string — no description — ftp-server command-string — no ftp-server — renum old-entry-number new-entry-number
  • Page 100: Radius Commands

    [hash | hash2] — no server server-index — [no] shutdown — timeout seconds — no timeout — [no] use-default-template User Commands config — system — ftp-server
  • Page 101 — no retry — server (dot1x) server-index address ip-address secret key [port port] — source-address ip-address — [no] shutdown — timeout seconds — no timeout — [no] shutdown Keychain Commands config — system
  • Page 102 — bgp — group — ttl-security min-ttl-value — neighbor — ttl-security min-ttl-value config — router — ldp — peer-parameters — peer — ttl-security min-ttl-value config — system — login-control — ssh — ttl-security
  • Page 103 [name] — no pre-login-message — disable-graceful-shutdown — inbound-max-sessions — outbound-max-sessions — ttl-security — telnet — enable-graceful-shutdown — inbound-max-sessions value — no inbound-max-sessions — outbound-max-sessions value — no outbound-max-sessions — ttl-security
  • Page 104 — certificate — ca-profile — ca-profile name [association] — ocsp-cache [entry-id] — statistics Login Control show — user Clear Commands Authentication clear — router — authentication — statistics [interface ip-int-name | ip-address]
  • Page 105 — violators enforcement {sap|interface} card slot-number [fp fp-number] — violators local-monitor {sap|interface} card slot-number [fp fp-number] — perform — security — dist-cpu-protection — release-hold-down interface interface-name [protocol protocol] [static-policer name] — release-hold-down sap sap-id [protocol protocol] [static-policer name]
  • Page 106 Security Command Reference
  • Page 107 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes. shutdown Syntax [no] shutdown Context config>system>security>mgmt-access-filter>ip-filter config>system>security>mgmt-access-filter>ipv6-filter config>sys>sec>cpm>ip-filter config>system>security>keychain>direction>bi>entry config>system>security>keychain>direction>uni>receive>entry
  • Page 108 {1 | 2 | all} — When the read-version is configured as “all,” both versions 1 and 2 will be accepted by the system. Otherwise, only the selected version will be accepted when reading configuration or exec files. The presence of incorrect hash versions will abort the script/startup.
  • Page 109 Syntax application app [ip-int-name|ip-address] no application app Context config>system>security>source-address Description This command binds the named application to the source IP address configured under source-address (given as an interface name or an address), so that traffic the application originates is sourced from that address. Parameters app — Specify the application name.
  • Page 110 This command enables Telnet IPv6 servers running on the system. Telnet servers are off by default. At system startup, only the SSH server is enabled. The no form of the command disables Telnet IPv6 servers running on the system.
  • Page 111 The no form of the command disables the rate limiting of the reply to these packets. Default no security vprn-network-exceptions Parameters number — 10 — 10,000 seconds — 1 — 60
  • Page 112 This command configures the number of LLDPDUs to send during the fast transmission period. Parameters count — Specifies the number of LLDPDUs to send during the fast transmission period. Values 1 — 8 Default
  • Page 113 Default tx-credit-max Syntax tx-credit-max count no tx-credit-max Context config>system>lldp Description This command configures the maximum consecutive LLDPDUs transmitted. Parameters count — Specifies the maximum consecutive LLDPDUs transmitted. Values 1 — 100 Default
  • Page 114 Default tx-interval Syntax tx-interval interval no tx-interval Context config>system>lldp Description This command configures the LLDP transmit interval time. Parameters interval — Specifies the LLDP transmit interval time. Values 1 — 100 Default
  • Page 115 — The idle timeout in minutes. Allowed values are 1 to 1440. 0 implies the sessions never time out. Values 1 — 1440 disable — When the disable option is specified, a session will never time out. To re-enable idle timeout, enter the command without the disable option.
  • Page 116 This command enables or disables the display of a login banner. The login banner contains the copyright and build date information for a console login attempt. The no form of the command causes only the configured pre-login-message and a generic login prompt to display.
  • Page 117 The local serial port cannot be disabled. The no form of the command reverts to the default value. Default Parameters value — The maximum number of concurrent outbound Telnet sessions, expressed as an integer. Values 0 — 15
  • Page 118 This command enables the context to configure the SSH parameters. disable-graceful-shutdown Syntax [no] disable-graceful-shutdown Context config>system>login-control>ssh Description This command disables graceful shutdown of SSH sessions (note that, unlike the telnet enable-graceful-shutdown command, the SSH command is the disabling form). The no form of the command re-enables graceful shutdown of SSH sessions.
  • Page 119 2 — Specifies that the SSH server will accept connections only from clients supporting SSH protocol version 2. 1-2 — Specifies that the SSH server will accept connections from clients supporting either SSH protocol version 1 or SSH protocol version 2, or both. Accepting version 1 is only appropriate for legacy clients that cannot speak version 2.
  • Page 120 This command creates the context to configure the Telnet login control parameters. enable-graceful-shutdown Syntax [no] enable-graceful-shutdown Context config>system>login-control>telnet Description This command enables graceful shutdown of Telnet sessions. The no form of the command disables graceful shutdown of Telnet sessions.
  • Page 121 [no] ipv6-filter Context config>system>security>mgmt-access-filter Description This command enables the context to configure management access IPv6 filter parameters. mac-filter Syntax [no] mac-filter Context config>system>security>mgmt-access-filter Description This command configures a management access MAC filter. action
  • Page 122 deny-host-unreachable — Specifies that packets not matching the selection criteria be denied access and that an ICMP host unreachable message will be issued. Note: deny-host-unreachable only applies to ip-filter and ipv6-filter.
  • Page 123 An entry may not have any match criteria defined (in which case, everything matches) but must have at least the keyword action defined to be considered complete. Entries without the action keyword are considered incomplete and inactive.
  • Page 124 Description This command specifies the next header to match. The protocol type such as TCP / UDP / OSPF is identified by its respective protocol number. Well-known protocol numbers include ICMP(1), ...
  • Page 125 OR destination port matches either the specified port value or a port in the specified port range or port list. This command is mutually exclusive with the src-port and dst-port commands. The no form of this command deletes the specified port match criterion. Default no port
  • Page 126 — Specifies an existing service name up to 64 characters in length. renum Syntax renum old-entry-number new-entry-number Context config>system>security>mgmt-access-filter>ip-filter config>system>security>mgmt-access-filter>ipv6-filter config>system>security>mgmt-access-filter>mac-filter Description This command renumbers existing management access filter entries for an IP(v4), IPv6, or MAC filter to re-sequence filter entries.
  • Page 127 802dot2-llc, ethernet_II cfm-opcode Syntax cfm-opcode {lt | gt | eq} opcode cfm-opcode range start end no cfm-opcode Context config>system>security>mgmt-access-filter>mac-filter>entry Description This command specifies the type of opcode checking to be performed.
  • Page 128: Table 7: Opcode Values

    Table 7 lists the CFM opcode values; only its reserved ranges survived extraction: several opcode values are reserved for ITU, 48 – 63 are reserved for IEEE 802.1, and 64 – 255 follow (description not recoverable).
  • Page 129 This command configures dsap match conditions. The value may be entered in decimal, hexadecimal or binary format style; the binary syntax is 0bBBB (example: 0b100). Parameters dsap-value — The 8-bit dsap match criteria value in hexadecimal. Values 0x00 — 0xFF (hex)
  • Page 130 — The MAC address to be used as a match criterion. Values HH:HH:HH:HH:HH:HH or HH-HH-HH-HH-HH-HH where H is a hexadecimal digit mask — A 48-bit mask to match a range of MAC address values.
  • Page 131 — Specifies to match packets with the three-byte OUI field in the SNAP-ID not set to zero. snap-pid Syntax snap-pid snap-pid no snap-pid Context config>system>security>mgmt-access-filter>mac-filter>entry>match Description This command configures an IEEE 802.3 LLC SNAP Ethernet Frame PID value to be used as a MAC ...
  • Page 132 To configure so that all packets with a source MAC OUI value of 00-03-FA are subject to a match condition, the entry should be specified as: 00:03:FA:00:00:00 0xFFFFFF000000 (the mask keeps only the upper three bytes, so the lower three bytes of the address are ignored). Default 0xFFFFFFFFFFFF (exact match) Values 0x000000000000 — 0xFFFFFFFFFFFF
  • Page 133 {port-id | cpm | lag port-id} no src-port Context config>system>security>mgmt-access-filter>ip-filter>entry config>system>security>mgmt-access-filter>ipv6-filter>entry Description This command restricts ingress management traffic to either the Ethernet port or any other logical port (for example, a LAG) on the device.
  • Page 134 This command configures a source IPv6 address range prefix to be used as a management access filter match criterion. The no form of the command removes the source IPv6 address match criterion.
  • Page 135 — Specifies the subnet mask length expressed as a decimal integer. Values 1 — 32 (mask length), 0.0.0.0 — 255.255.255.255 (dotted decimal)
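Added example, not from the guide: a Python model of the management-access filter decision described across the ip-filter, ipv6-filter and mac-filter commands on pages 121 to 135 (entries evaluated in ascending entry-id order, wildcard match when no criteria are set, entries without an action ignored as incomplete, default-action as the fallback) together with the 48-bit MAC mask match from the page 132 example. The class and field names, the sample policy and the packets fed to it are this example's assumptions, not SR OS identifiers or behaviour beyond what the reference states.

```python
"""Added example (not SR OS code): how a management-access filter decides.

Entries are evaluated in ascending entry-id order; an entry with no match
criteria matches everything; an entry without an action is incomplete and
ignored; the first complete matching entry decides; if nothing matches, the
filter's default-action applies.  mac_matches() shows the OUI mask from the
mac-filter example (00:03:FA with mask 0xFFFFFF000000).  Names are this
example's own; the policy and packets below are constructed sample data.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

PERMIT, DENY, DENY_HOST_UNREACHABLE = "permit", "deny", "deny-host-unreachable"


@dataclass
class FilterEntry:
    entry_id: int
    action: Optional[str] = None                 # None == no action keyword: incomplete, inactive
    src_ip: Optional[str] = None                 # prefix, e.g. "192.0.2.0/24"
    protocol: Optional[int] = None               # IP protocol number (6 = TCP)
    dst_port: Optional[Tuple[int, int]] = None   # inclusive destination port range
    src_port: Optional[str] = None               # ingress port: "1/1/1", "lag-1" or "cpm"

    def is_complete(self) -> bool:
        return self.action is not None

    def matches(self, pkt: dict) -> bool:
        # Every configured criterion must match; unset criteria are wildcards.
        if self.src_ip is not None and ip_address(pkt["src"]) not in ip_network(self.src_ip, strict=False):
            return False
        if self.protocol is not None and pkt["proto"] != self.protocol:
            return False
        if self.dst_port is not None and not (self.dst_port[0] <= pkt["dport"] <= self.dst_port[1]):
            return False
        if self.src_port is not None and pkt["in_port"] != self.src_port:
            return False
        return True


@dataclass
class MgmtAccessFilter:
    default_action: str = PERMIT
    entries: list = field(default_factory=list)

    def evaluate(self, pkt: dict) -> Tuple[str, Optional[int]]:
        """Return (action, entry_id); entry_id is None when default-action decided."""
        for entry in sorted(self.entries, key=lambda e: e.entry_id):
            if not entry.is_complete():
                continue                          # incomplete entries never match
            if entry.matches(pkt):
                return entry.action, entry.entry_id
        return self.default_action, None

    def renum(self, old_id: int, new_id: int) -> None:
        """Re-sequence an entry, as the renum command does; refuses to clobber an id."""
        if any(e.entry_id == new_id for e in self.entries):
            raise ValueError("entry %d already exists" % new_id)
        for e in self.entries:
            if e.entry_id == old_id:
                e.entry_id = new_id
                return
        raise KeyError(old_id)


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def mac_matches(frame_mac: str, match_mac: str, mask: int = 0xFFFFFFFFFFFF) -> bool:
    """MAC match under a 48-bit mask; the default mask is an exact match."""
    return (mac_to_int(frame_mac) & mask) == (mac_to_int(match_mac) & mask)


# Constructed policy: SSH from the NOC prefix is allowed, Telnet from it is
# refused with an ICMP host unreachable, everything else hits default deny.
NOC_FILTER = MgmtAccessFilter(default_action=DENY, entries=[
    FilterEntry(10, PERMIT, src_ip="192.0.2.0/24", protocol=6, dst_port=(22, 22)),
    FilterEntry(20, DENY_HOST_UNREACHABLE, src_ip="192.0.2.0/24", protocol=6, dst_port=(23, 23)),
    FilterEntry(30, None, src_ip="0.0.0.0/0"),    # no action keyword: incomplete, never matches
])

if __name__ == "__main__":
    pkt = {"src": "192.0.2.10", "proto": 6, "dport": 22, "in_port": "1/1/1"}
    print(NOC_FILTER.evaluate(pkt))   # ('permit', 10)
```

Because evaluation stops at the first complete match, renumbering changes the outcome: moving a deny entry above a permit entry changes what reaches the CPM, which is why the model refuses to renumber onto an existing entry id rather than silently replacing it.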
  • Page 136: Password Commands

    — Specifies the key is entered in an encrypted form. If the hash parameter is not used, the key is assumed to be in a non-encrypted, clear text form. For security, all keys are stored in encrypted ...
  • Page 137 ------------------------------------------------------------------------------- Number of users : 2 'A' indicates user is in admin mode =============================================================================== A:ALA-1# A:ALA-1# enable-admin MINOR: CLI Already in admin mode. A:ALA-1# aging Syntax aging days no aging Context config>system>security>password
  • Page 138 When a user's failed login attempts reach the configured count within the specified time, that user is locked out from any further login attempts for the configured lockout period. Default Values 0 — 1440
  • Page 139 If the local keyword is the first authentication and: ...
  • Page 140 This command specifies that RADIUS and TACACS+ servers are monitored for 3 seconds each at 30 second intervals. Servers that are not configured will have 3 seconds of idle time. If in this process a ...
  • Page 141 SR OS node to the TACACS+ server. The start message (service=enable) contains the user-id and the requested admin-priv-lvl. Successful authentication results in the use of a new profile (as configured under config>system>security>tacplus>priv-lvl-map).
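Added example, not from the guide: the attempts lockout of page 138 and the authentication-order walk with the exit-on-reject keyword listed on page 98 and described on page 139, modelled in Python. The fall-through rules (an unreachable server always falls through to the next method; a reject falls through only when exit-on-reject is not set) and the stub RADIUS, TACACS+ and local backends are this example's assumptions; the credential in LOCAL_USERS is constructed sample data, not a real store.

```python
"""Added example (not SR OS code): login lockout plus the authentication-order chain.

(1) attempts count time lockout: once a user accumulates `count` failed logins
    within `time` minutes, further logins are refused for `lockout` minutes.
(2) authentication-order [exit-on-reject]: methods are tried in order; an
    unreachable server always falls through; a reject falls through unless
    exit-on-reject is set, in which case the login fails at that method.
Both rules are this example's reading of the reference; names are its own.
"""
from collections import defaultdict, deque
from typing import Callable, Dict, List, Optional, Tuple

ACCEPT, REJECT, UNREACHABLE = "accept", "reject", "unreachable"
Backend = Callable[[str, str], str]


class AttemptTracker:
    """Sliding-window failure counter with a per-user lockout timer (times in seconds)."""

    def __init__(self, count: int = 3, time_min: int = 5, lockout_min: int = 10):
        self.count = count
        self.window = time_min * 60
        self.lockout = lockout_min * 60
        self.failures: Dict[str, deque] = defaultdict(deque)
        self.locked_until: Dict[str, float] = {}

    def is_locked(self, user: str, now: float) -> bool:
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        del self.locked_until[user]             # lockout expired
        return False

    def record_failure(self, user: str, now: float) -> bool:
        """Record a failed login; return True if this failure triggers a lockout."""
        window = self.failures[user]
        window.append(now)
        while window and now - window[0] > self.window:
            window.popleft()                    # forget failures outside the time window
        if len(window) >= self.count:
            self.locked_until[user] = now + self.lockout
            window.clear()
            return True
        return False

    def record_success(self, user: str) -> None:
        self.failures.pop(user, None)


def authenticate(order: List[str], backends: Dict[str, Backend], user: str,
                 password: str, exit_on_reject: bool = False) -> Tuple[bool, Optional[str]]:
    """Walk authentication-order; return (ok, method that decided, or None if all exhausted)."""
    for method in order:
        result = backends[method](user, password)
        if result == ACCEPT:
            return True, method
        if result == REJECT and exit_on_reject:
            return False, method                # reject is final when exit-on-reject is set
        # REJECT without exit-on-reject, or UNREACHABLE: try the next method
    return False, None


def login(tracker: AttemptTracker, order: List[str], backends: Dict[str, Backend],
          user: str, password: str, now: float, exit_on_reject: bool = False) -> Tuple[bool, str]:
    """Lockout is checked before any server is contacted; failures count per user."""
    if tracker.is_locked(user, now):
        return False, "locked-out"
    ok, method = authenticate(order, backends, user, password, exit_on_reject)
    if ok:
        tracker.record_success(user)
        return True, method
    tracker.record_failure(user, now)
    return False, method or "all-methods-exhausted"


# Constructed backends: RADIUS is down, TACACS+ rejects everyone, local knows one user.
def radius_stub(user: str, password: str) -> str:
    return UNREACHABLE


def tacplus_stub(user: str, password: str) -> str:
    return REJECT


LOCAL_USERS = {"admin": "correct-horse"}   # constructed sample, not a real credential store


def local_stub(user: str, password: str) -> str:
    return ACCEPT if LOCAL_USERS.get(user) == password else REJECT


BACKENDS = {"radius": radius_stub, "tacplus": tacplus_stub, "local": local_stub}
ORDER = ["radius", "tacplus", "local"]
```

The ordering of the checks is the security-relevant part: the lockout is evaluated before any backend is contacted, so a locked user cannot reach a still-working local account to sidestep it, and a failure counts against the user whichever method produced the reject.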
  • Page 142 Password Commands password Syntax password Context config>system>security Description This command creates the context to configure password management parameters.
  • Page 143 This command copies a profile or user from a source profile to a destination profile. Parameters source-profile — The profile to copy. The profile must exist. dest-profile — The destination profile that receives the copy.
  • Page 144 — The description character string. Allowed values are any string up to 80 characters long composed of printable, 7-bit ASCII characters. If the string contains special characters (#, $, spaces, etc.), the entire string must be enclosed within double quotes.
  • Page 145 The no form of the command deletes a user profile. Default user-profile default Parameters user-profile-name — The user profile name entered as a character string. The string is case sensitive and limited to 32 ASCII 7-bit printable characters with no spaces.
  • Page 146 Parameters old-entry-number — Enter the entry number of an existing entry. Values 1 — 9999 new-entry-number — Enter the new entry number. Values 1 — 9999
  • Page 147 SNMP engine-ID and a password). The password is not directly entered in this command (only the localized key). Default authentication none - No authentication is configured and privacy cannot be configured. Parameters none — Do not use authentication. If none is specified, then privacy cannot be configured.
  • Page 148 No group name is associated with a user. Parameters group-name — Enter the group name (between 1 and 32 alphanumeric characters) that is associated with this user. A user can be associated with one group-name per security model.
  • Page 149 — Specifies that the destination user configuration will be overwritten with the copied source user configuration. A configuration will not be overwritten if the overwrite command is not specified. home-directory Syntax home-directory url-prefix [directory] [directory/directory…] no home-directory Context config>system>security>user
  • Page 150 Parameters url-prefix: source-url — Enter either a local or remote URL, up to 200 characters in length, that identifies the exec file that will be executed after the user successfully logs in.
  • Page 151 2 key to store in the database. In previous releases, the password command syntax included the hash (hash version 1) parameter that allowed you to specify a password and encryption. For example, ...
  • Page 152 Telnet session in the password field that is encased in the double quotes as delimiters for the password. If a password is entered without any parameters, a password length of zero is implied: (carriage return).
  • Page 153 The key is a 1024-bit key. Default none Parameters public-key-name — Specifies the public key, enclosed in quotation marks. The key is a 1024-bit key. key-id — Specifies the key identifier name. snmp Syntax snmp Context config>system>security>user
  • Page 154 The no form of the command deletes the user and all configuration data. Users cannot delete themselves. Default none Parameters user-name — The name of the user up to 16 characters.
  • Page 155 Description This command specifies a UDP port number on which to contact the RADIUS server for accounting requests. Parameters port — Specifies the UDP port number. Values 1 — 65535 Default 1813
  • Page 156 Context config>system>security>radius config>system>security>dot1x>radius-plcy Description This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server.
  • Page 157 — Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed.
  • Page 158 VSAs are returned with the auth-accept from the RADIUS server. When enabled, the RADIUS user template is actively applied if no VSAs are returned with the auth-accept from the RADIUS server. The no form of the command disables the command.
  • Page 159 — Specifies the key is entered in a more complex encrypted form. If the hash2 parameter is not used, the less encrypted hash form is assumed. shutdown Syntax [no] shutdown Context config>system>security>tacplus
  • Page 160 — Specifies that a stop packet is sent whenever the command execution is complete. authorization Syntax [no] authorization [use-priv-lvl] Context config>system>security>tacplus Description This command configures TACACS+ authorization parameters for the system. Default no authorization
  • Page 161 • SR OS sends a continue packet with the password in the user_msg field. • TACACS+ server replies with PASS or FAIL. When interactive-authentication is enabled, tacplus must be the first method specified in the authentication-order configuration. Default no interactive-authentication timeout Syntax timeout seconds
  • Page 162 Default no shutdown use-default-template Syntax [no] use-default-template Context config>system>security>tacplus Description This command specifies whether or not the user template defined by this entry is to be actively applied to the TACACS+ user.
  • Page 163 This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server. The no form of the command reverts to the default value. Default Parameters count — The retry count. Values 1 — 10
  • Page 164 — The UDP port number on which to contact the RADIUS server for accounting requests. auth-port auth-port — Specifies a UDP port number to be used as a match criterion. Values 1 — 65535 type server-type — Specifies the server type. Values authorization, accounting, combined
  • Page 165 The no form of the command reverts to the default value. Default 3 seconds Parameters seconds — The number of seconds the router waits for a response from a RADIUS server, expressed as a decimal integer. Values 1 — 90
  • Page 166 This command specifies the data type that indicates the TCP stream direction to apply the keychain. Default none Syntax Context config>system>security>keychain>direction Description This command configures keys for both send and receive stream directions. Default none Syntax Context config>system>security>keychain>direction
  • Page 167 The no form of the command deletes the entry.
  • Page 168 If no date and time is set, the begin-time is represented by a date and time string with all NULLs and the key is not valid by default. Parameters date hours-minutes — Specifies the date and time for the key to become active. Values date: YYYY/MM/DD hours-minutes: hh:mm[:ss]
  • Page 169 — Specifies the duration that an eligible receive key overlaps with the active send key. Values 0 — 4294967294 seconds forever — Specifies that an eligible receive key overlaps with the active send key forever. tcp-option-number Syntax tcp-option-number
  • Page 170 This command configures the TCP option number accepted in TCP packets sent. Default Parameters option-number — Specifies an enumerated integer that indicates the TCP option number to be used in the TCP header. Values 253, 254
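Added example, not from the guide: a Python model of the keychain commands on pages 166 to 170: begin-time (an unset begin-time is the all-NULL value and the key is never valid), tolerance (seconds, or forever) as the receive-side overlap with the newer key, and the tcp-option-number values 253 and 254. The HMAC-SHA1 digest, the overlap rule (an older key stays accepted until the next key's begin-time plus the older key's tolerance) and all names are this example's assumptions; the keychain at the bottom is constructed.

```python
"""Added example (not SR OS code): which keychain entry is in use when.

Each entry has a begin-time (None models the all-NULL value: never valid) and a
tolerance (seconds, or None for forever).  The active send key is the valid
entry with the most recent begin-time at or before now.  For the receive
direction an older entry stays eligible until the next entry's begin-time plus
that older entry's tolerance, so both ends of a TCP session can roll keys
without dropping the session.  The receive check also enforces the TCP option
number (253 or 254) before verifying the digest.  Names are this example's own.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

ALLOWED_TCP_OPTIONS = (253, 254)


@dataclass
class KeyEntry:
    entry_id: int
    secret: bytes
    begin_time: Optional[datetime] = None   # None models the all-NULL begin-time: key never valid
    tolerance: Optional[int] = 0            # receive overlap in seconds; None == forever

    def is_valid_at(self, now: datetime) -> bool:
        return self.begin_time is not None and self.begin_time <= now


def active_send_key(keys: List[KeyEntry], now: datetime) -> Optional[KeyEntry]:
    valid = [k for k in keys if k.is_valid_at(now)]
    return max(valid, key=lambda k: k.begin_time) if valid else None


def eligible_receive_keys(keys: List[KeyEntry], now: datetime) -> List[KeyEntry]:
    """Keys a receiver still accepts: the active send key plus older keys inside their tolerance."""
    ordered = sorted((k for k in keys if k.begin_time is not None), key=lambda k: k.begin_time)
    eligible = []
    for i, k in enumerate(ordered):
        if not k.is_valid_at(now):
            continue
        successor = ordered[i + 1] if i + 1 < len(ordered) else None
        if successor is None or not successor.is_valid_at(now):
            eligible.append(k)              # newest valid key: this is the active send key
        elif k.tolerance is None or now <= successor.begin_time + timedelta(seconds=k.tolerance):
            eligible.append(k)              # rolled over, but still inside its overlap window
    return eligible


def sign(key: KeyEntry, segment: bytes) -> bytes:
    """HMAC-SHA1 stands in for the keychain algorithm (this example's choice)."""
    return hmac.new(key.secret, segment, hashlib.sha1).digest()


def verify_received(keys: List[KeyEntry], now: datetime, key_id: int,
                    option_number: int, segment: bytes, digest: bytes) -> bool:
    """Receive side: option number, key eligibility, then constant-time digest comparison."""
    if option_number not in ALLOWED_TCP_OPTIONS:
        return False
    for k in eligible_receive_keys(keys, now):
        if k.entry_id == key_id:
            return hmac.compare_digest(sign(k, segment), digest)
    return False


# Constructed keychain: key 1 rolls to key 2 on 2013-09-10 with a 10-minute overlap;
# key 3 has no begin-time and is therefore never usable.
KEYCHAIN = [
    KeyEntry(1, b"first-secret", datetime(2013, 9, 1), tolerance=600),
    KeyEntry(2, b"second-secret", datetime(2013, 9, 10), tolerance=600),
    KeyEntry(3, b"unused-secret", None),
]
```

The tolerance is what makes a key roll safe: with tolerance 0 a peer whose clock is a few seconds behind is rejected the moment the new key's begin-time passes, while tolerance forever means a compromised old key is accepted indefinitely, so a bounded overlap sized to the clock skew between peers is the defensible setting.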
  • Page 171 — Specifies that packets matching the filter entry are dropped. ip-filter Syntax [no] ip-filter Context config>system>security>cpm-filter Description This command enables the context to configure CPM IP filter parameters. Default shutdown ipv6-filter Syntax [no] ipv6-filter Context config>system>security>cpm-filter
  • Page 172 — Specifies packets matching the entry criteria will be forwarded. drop — Specifies packets matching the entry criteria will be dropped. queue queue-id — Specifies packets matching the entry criteria will be forwarded to the specified hardware queue.
  • Page 173: Table 8: IP Protocol Names

    , * — udp/tcp wildcard. Table 8: IP Protocol Names (Protocol / Protocol ID / Description); the protocol ID column did not survive extraction: icmp — Internet Control Message; igmp — Internet Group Management; IP in IP (encapsulation)
  • Page 174 (Table 8 continued): Protocol Independent Multicast; vrrp — Virtual Router Redundancy Protocol; l2tp — Layer Two Tunneling Protocol; Spanning Tree Protocol; Performance Transparency Protocol; isis — ISIS over IPv4; crtp — Combat Radio Transport Protocol; crudp — Combat Radio User Datagram
  • Page 175 ICMP host unreachable message will not be issued. default-action Syntax default-action {permit | deny} Context config>system>security>mgmt-access-filter>mac-filter Description This command creates the default action for management access in the absence of a specific management access filter match.
  • Page 176 The no form of the command removes the destination IP address match criterion. Default No destination IP match criterion Parameters ip-address — Specifies the IP address for the IP match criterion in dotted decimal notation. Values 0.0.0.0 — 255.255.255.255
  • Page 177 — Creates a list of IPv4 prefixes for match criteria in IPv4 ACL and CPM filter policies. ipv6-prefix-list-name — A string of up to 32 characters of printable ASCII characters. If special characters are used, the string must be enclosed within double quotes.
  • Page 178 — Specify the flow identifier in an IPv6 packet header that can be used to discriminate traffic flows (see RFC 3595, Textual Conventions for IPv6 Flow Label). Values 0 — 1048575 fragment Syntax fragment {true | false} no fragment Context config>sys>sec>cpm>ip-filter>entry>match config>sys>sec>cpm>ipv6-filter>entry>match
  • Page 179 Default no hop-by-hop-opt Parameters true — Match if a packet contains a Hop-by-Hop Options Extension Header. false — Match if a packet does not contain a Hop-by-Hop Options Extension Header.
  • Page 180 — No match criterion for the ICMP type. Parameters icmp-type — Specifies the ICMP type values that must be present to match. Values 0 — 255 ip-option Syntax ip-option ip-option-value ip-option-mask no ip-option Context config>sys>sec>cpm>ip-filter>entry>match
  • Page 181 The no form of the command removes the checking of the number of option fields in the IP header as a match criterion. Default no multiple-option — No checking for the number of option fields in the IP header
  • Page 182 — Specifies an existing service ID to be used in the match criteria. Values 1 — 2147483647 service-name service-name — Specifies an existing service name up to 64 characters in length.
  • Page 183 The conventional notation of 10.1.0.0 255.255.0.0 may also be used. The no form of the command removes the source IP address match criterion. Default no src-ip — No source IP match criterion.
  • Page 184 This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP or IPv6 packet as an IP filter match criterion. Note that an entry containing Layer 4 ...
  • Page 185 — Specifies matching on IP or IPv6 packets that do not have the SYN bit set in the control bits of the TCP header. renum Syntax renum old-entry-id new-entry-id Context config>sys>sec>cpm>ip-filter config>sys>sec>cpm>ipv6-filter>entry>match config>sys>sec>cpm>mac-filter>entry>match
  • Page 186 Values 1 — 2048 shutdown Syntax [no] shutdown Context config>sys>sec>cpm>ip-filter config>sys>sec>cpm>ipv6-filter config>sys>sec>cpm>mac-filter Description This command administratively disables the IP(v4), IPv6 or MAC CPM filter; the no form of the command enables the filter. Because the default is shutdown, a newly configured CPM filter protects nothing until no shutdown is applied. Default shutdown
  • Page 187 — Specifies the committed burst size in kbytes. mbs Syntax mbs mbs no mbs Context config>system>security>cpm-queue>queue Description This command specifies the maximum queue depth to which a queue can grow. Parameters mbs — Specifies the maximum burst size in kbytes.
  • Page 188 This command specifies the maximum bandwidth that will be made available to the queue in kilobits per second (kbps). Parameters rate — Specifies the administrative Peak Information Rate (PIR) for the queue. cir cir — Specifies the amount of bandwidth committed to the queue.
  • Page 189 TTL protection to operate. The no form of the command disables TTL security. Default no ttl-security Parameters min-ttl-value — Specifies the minimum TTL value for an incoming LDP packet. Values 1 — 255
  • Page 190 TTL protection to operate. The no form of the command disables TTL security. Parameters min-ttl-value — Specify the minimum TTL value for an incoming BGP packet. Values 1 — 255
  • Page 191 The parameters within these policies can be modified. An event will be logged (warning) when the default policies are modified. Default Policy 254 (default access interface policy): per-source-rate: max (no limit) overall-rate : 6000
  • Page 192 Provides the construct under which the different entries within CPU policy can define the match criteria and overall arrival rate of the Ethernet Configuration and Fault Management (ETH-CFM) packets at the CPU. Default None
  • Page 193 6000 for cpu-protection-policy-id 254 (default access interface policy) 3000 for cpu-protection-policy-id 255 (default network interface policy) Parameters packet-rate-limit — Specifies a packet arrival rate limit in packets per second. Values 1 — 65535, max (max indicates no limit)
  • Page 194 Default max, no limit Parameters packet-rate-limit — Specifies a per-source (per SAP/MAC source address) packet arrival rate limit in packets per second. Values 1 — 65535, max (max indicates no limit)
  • Page 195 The default policy is policy number 254 for access interfaces, 255 for network interfaces. The no form of the command reverts to the default values. Default cpu-protection 254 (for access interfaces)
  • Page 196 — Enables the Ethernet Connectivity Fault Management cpu-protection extensions on the associated SAP/SDP/template. aggregate — Applies the rate limit to the sum of the per-peer packet rates. car — (Committed Access Rate) Ignores Eth-CFM packets when enforcing overall-rate.
  • Page 197 {ppi|max} within seconds [initial-delay packets] no rate Context config>system>security>dist-cpu-protection>policy>static-policer config>system>security>dist-cpu-protection>policy>local-monitoring-policer config>system>security>dist-cpu-protection>policy>protocol>dynamic-parameters Description This command configures the rate and burst tolerance for the policer in either a packet rate or a bit rate.
  • Page 198 (that is, the countdown timer starts again at the configured value). During the hold-down (and the detection-time), the policer is considered as in an “exceed” state. Default
  • Page 199 (software may detect this some time after the packets are actually discarded), and an optional hold-down seconds value has been specified for the exceed-action, then the policer will be set into a “mark-all” or “drop-all” mode that causes the following: ...
  • Page 200 If the system cannot allocate all the dynamic policers within 150 seconds, it will stop attempting to allocate dynamic policers, raise a LocMonExcdAllDynAlloc log event, and go back to using the local ...
  • Page 201 “exceed” state. The policer may re-enter the hold-down state if an exceed packet is detected during the detection-time countdown. The allowed values are [none|1..10080|indefinite]. Values 1-10080 in seconds none — no hold-down
  • Page 202 • ospf+: includes all OSPFv2 and OSPFv3 packets, and also includes any packets with an IPv4 destination address in the 224.0.0.0/24 prefix range (e.g. RIP) except the following: IGMP, PIM, VRRP, LDP and any other protocols explicitly identified in the dist-cpu-protection list of supported protocols.
  • Page 203 — This parameter excludes packets from this protocol from the local monitoring function, and when the local-monitor “trips”, no dynamic enforcement policer is instantiated for this protocol.
  • Page 204 Hold Down End, DcpDynamicEnforceAlloc and DcpDynamicEnforceFreed events. The optional “verbose” includes the allocation/de-allocation events (typically used for debug/tuning only; it can be very noisy even when there is nothing of concern).
  • Page 205 Multiple protocols can use the same static-policer. Parameters policy-name — Specifies the name of the policy. Values [32 chars max]
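Added example, not from the guide: a Python model of a distributed CPU protection policer implementing the rate, exceed-action, hold-down and detection-time behaviour described on pages 197 to 201, plus the release-hold-down operation listed on page 105. The token-bucket reading of rate ppi within seconds with initial-delay as extra burst tolerance, the verdict names, and the rule that a hold-down restarts at its full value on a new exceed are this example's assumptions, as are all identifiers.

```python
"""Added example (not SR OS code): a dist-cpu-protection style policer.

Token bucket refilled at `ppi` packets per `within` seconds with `initial_delay`
extra burst tolerance (ppi=None models "max": no limit).  A packet that finds
the bucket empty exceeds the policer and receives the exceed-action.  With a
hold-down configured the policer then applies the exceed-action to every packet
for hold-down seconds ("indefinite" until release_hold_down), after which it
stays in the "exceed" state for detection-time seconds; a new exceed restarts
the hold-down at its full value.  All names are this example's own.
"""
import math
from typing import Optional, Union


class DcpPolicer:
    def __init__(self, ppi: Optional[int], within: float = 1.0, initial_delay: int = 0,
                 exceed_action: str = "drop", hold_down: Union[None, int, str] = None,
                 detection_time: float = 30.0):
        self.unlimited = ppi is None
        self.rate = 0.0 if self.unlimited else ppi / within            # tokens per second
        self.capacity = 0.0 if self.unlimited else float(ppi + initial_delay)
        self.tokens = self.capacity
        self.last = 0.0
        self.exceed_action = exceed_action                              # "drop" or "low-priority"
        self.hold_down = hold_down                                      # None (none), seconds, or "indefinite"
        self.detection_time = detection_time
        self.hold_down_until: Optional[float] = None
        self.exceed_until: Optional[float] = None
        self.stats = {"forward": 0, "drop": 0, "low-priority": 0}

    def _refill(self, now: float) -> None:
        self.tokens = min(self.capacity, self.tokens + (now - self.last) * self.rate)
        self.last = now

    def _count(self, verdict: str) -> str:
        self.stats[verdict] += 1
        return verdict

    def offer(self, now: float) -> str:
        """Police one packet arriving at time `now` (seconds); return its verdict."""
        if self.unlimited:
            return self._count("forward")
        self._refill(now)
        if self.hold_down_until is not None:
            if now < self.hold_down_until:
                return self._count(self.exceed_action)   # hold-down: "drop-all" / "mark-all" mode
            # hold-down expired: the detection-time countdown begins
            self.exceed_until = self.hold_down_until + self.detection_time
            self.hold_down_until = None
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return self._count("forward")
        # this packet exceeds the policer
        if self.hold_down is not None:
            self.hold_down_until = math.inf if self.hold_down == "indefinite" else now + self.hold_down
        return self._count(self.exceed_action)

    def in_exceed_state(self, now: float) -> bool:
        """True during the hold-down and during the detection-time that follows it."""
        if self.hold_down_until is not None:
            return now < self.hold_down_until + self.detection_time
        return self.exceed_until is not None and now < self.exceed_until

    def release_hold_down(self, now: float) -> None:
        """Operator clear, as perform security dist-cpu-protection release-hold-down does."""
        self.hold_down_until = None
        self.exceed_until = None
        self.last = now
        self.tokens = self.capacity
```

With hold-down none only the packet that found the bucket empty is penalised, so a steady flood still gets its conforming share forwarded; indefinite hold-down closes that gap at the price of an outage that lasts until an operator runs release-hold-down, which is why the hold-down events above matter operationally.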
  • Page 206 Distributed CPU Protection Commands
  • Page 207: Table 9: Show System Security Access Group Output Fields

    ------------------------------------------------------------------------------- snmp-ro snmpv1 none no-security no-security snmp-ro snmpv2c none no-security no-security snmp-rw snmpv1 none no-security no-security no-security snmp-rw snmpv2c none no-security no-security no-security snmp-rwa snmpv1 none snmp-rwa snmpv2c none 7950 SR OS System Management Guide Page 207...
  • Page 208: Table 10: Show System Security Authentication Output Fields

    The number of times the user has successfully logged in. Accepted logins The number of unsuccessful login attempts. Rejected logins The number of packets sent. Sent packets The number of packets rejected. Rejected packets Page 208 7950 SR OS System Management Guide...
  • Page 209 10.10.0.1 10.10.0.2 10.10.0.3 local =============================================================================== Authorization Statistics (TACACS+) =============================================================================== server address connection errors sent packets rejected packets ------------------------------------------------------------------------------- =============================================================================== Accounting Statistics =============================================================================== server address connection errors sent packets rejected packets ------------------------------------------------------------------------------- 10.10.10.103
  • Page 210 ------------------------------------------------------------------------------- ============================================================================== communities Syntax communities Context show>system>security Description This command displays SNMP communities. Output Communities Output — The following table describes community output fields.
  • Page 211: Table 11: Show Communities Output Fields

    ----------------------------------------------------------------------------- cli-readonly cli-readonly cli-readwrite cli-readwrite public no-security v1 v2c snmp-ro ----------------------------------------------------------------------------- No. of Communities: 3 ============================================================================= A:ALA-48# cpm-filter Syntax cpm-filter Context show>system>security Description This command displays CPM filters.
  • Page 212: Table 12: Show Cpm Ip Filter Output Fields

    TCP-ack — Displays the ACK flag in the TCP header. Match action — When the criteria matches, displays drop or forward packet. Next Hop — In case match action is forward, indicates destination of the matched packet.
  • Page 213 ICMP Type : Undefined ICMP Code : Undefined Fragment : True Option-present : Off IP-Option : 130/255 Multiple Option : True TCP-syn : Off TCP-ack : True Match action : Drop =============================================================================== A:ALA-35#
  • Page 214: Table 13: Show Cpm Ipv6 Filter Output Fields

    Match action. Next Hop — In case match action is forward, indicates destination of the matched packet. Dropped pkts — Indicates the number of matched dropped packets. Forwarded pkts — Indicates the number of matched forwarded packets.
  • Page 215 Forwarded pkts : 0 =============================================================================== A:ALA-35# cpm-queue Syntax cpm-queue queue-id Context show>system>security Description Displays CPM queues. Parameters queue-id — Specifies an integer value that identifies a CPM queue. Values 0, 33 — 2000
  • Page 216: Table 14: Show Cpm Ipv6 Filter Output Fields

    SAP's where the protection policy Eth-CFM rate limit is exceeded =============================================================================== SAP-Id Service-Id Plcy ------------------------------------------------------------------------------- 1/1/1 ------------------------------------------------------------------------------- 1 SAP('s) found =============================================================================== =============================================================================== SDP's where the protection policy Eth-CFM rate limit is exceeded ===============================================================================
  • Page 217 OpCode First-Time Last-Time Violation-Periods ------------------------------------------------------------------------------- 8c:8c:8c:8c:8c:8c 03/21/2009 23:32:29 03/21/2009 23:34:39 3000000019 61234 8d:8d:8d:8d:8d:8d 03/21/2009 23:32:39 03/21/2009 23:34:59 3000000020 61234 Aggregated 03/21/2009 23:32:49 03/21/2009 23:35:19 3000000021 61234 8f:8f:8f:8f:8f:8f 03/21/2009 23:32:59 03/21/2009 23:35:39 3000000022
  • Page 218 05/01/2010 01:43:55 06/27/2010 22:37:23 3000000008 61234 05/01/2010 01:43:57 06/27/2010 22:37:26 3000000009 05/01/2010 01:43:59 06/27/2010 22:37:29 3000000010 61234 05/01/2010 01:44:01 06/27/2010 22:37:32 3000000011 ------------------------------------------------------------------------------- 5 SDP('s) found =============================================================================== show system security cpu-protection excessive-sources
  • Page 219 Number of SDP's : 4 Interface associations ------------------------------------------------------------------------------- None Managed SAP associations ------------------------------------------------------------------------------- None Video-Interface associations ------------------------------------------------------------------------------- None =============================================================================== Associations for CPU Protection policy 254 =============================================================================== Description : Default (Modifiable) CPU-Protection Policy assigned to Access
  • Page 220 : VPLS SDP 1:300 ------------------------------------------------------------------------------- Number of SDP's : 6 Interface associations ------------------------------------------------------------------------------- Router-Name : Base system ------------------------------------------------------------------------------- Number of interfaces : 1 Managed SAP associations ------------------------------------------------------------------------------- None Video-Interface associations ------------------------------------------------------------------------------- None ===============================================================================
  • Page 221 =============================================================================== Interface-Name Router-Name Plcy Limit First-Time Last-Time Violation-Periods ------------------------------------------------------------------------------- No interfaces found =============================================================================== =============================================================================== SAP's where the protection policy overall rate limit is violated =============================================================================== SAP-Id Service-Id Plcy Limit First-Time Last-Time Violation-Periods
  • Page 222 [{service-id service-id sap-id sap-id} | {service-id service-id sdp-id sdp-id:vc-id}] Context show>system>security>cpu-protection Description This command displays sources exceeding their eth-cfm-monitoring rate limit. dist-cpu-protection Syntax dist-cpu-protection Context show>system>security Description This command enables the context to display distributed CPU protection information.
  • Page 223 — Displays violators associated with the interface. sap — Displays violators associated with the SAP. video — Displays violators associated with the video entity. sdp — Displays violators associated with the SDP.
  • Page 224 : permit Admin Status : enabled (no shutdown) ------------------------------------------------------------------------------- Entry Action : deny FrameType : ethernet_II Svc-Id : Undefined Src Mac : Undefined Dest Mac : Undefined Dot1p : Undefined Ethertype : Disabled
  • Page 225 : 2007/02/15 18:27:57 Begin Time (UTC) : 2007/02/15 17:27:57 End Time : 2007/02/15 18:28:13 End Time (UTC) : 2007/02/15 17:28:13 =============================================================================== Direction : send-receive Algorithm : aes-128-cmac-96 Admin State : Up Valid : Yes
  • Page 226: Table 15: Show Management Access Filter Output Fields

    Entry — The entry ID in a policy or filter table. Description — A text string describing the filter. Src IP — The source IP address used for management access filter match criteria.
  • Page 227 — Specifies the IPv6 filter entry ID to display. Values 1 — 9999 Output *A:Dut-C# show system security management-access-filter ipv6-filter entry 1 ============================================================================= IPv6 Management Access Filter ============================================================================= filter type : ipv6 Def. Action : permit
  • Page 228: Table 16: Show Management Access Filter Output Fields

    HMAC-MD5-96, HMAC-SHA-96 and DES-keys configured in the authentication section. Minimum password length — Displays the minimum number of characters required for locally administered passwords, HMAC-MD5-96, HMAC-SHA-96, and DES-keys configured in the system security section.
  • Page 229: Table 17: Show Per-Peer-Queuing Output Fields

    Num of Queues In Sample Output A:ALA-48# show system security per-peer-queuing ================================================= CPM Hardware Queuing ================================================= Per Peer Queuing : Enabled Total Num of Queues : 8192 Num of Queues In Use ================================================= A:ALA-48# configure
  • Page 230: Table 18: Show User Profile Output Fields

    No. of profiles Sample Output A:ALA-7# show system security profile administrative =============================================================================== User Profile =============================================================================== User Profile : administrative Def. Action : permit-all ------------------------------------------------------------------------------- Entry : 10 Description Match Command: configure system security
  • Page 231: Table 19: Show Source Address Output Fields

    Down — The source address is operationally down. Sample Output A:SR-7# show system security source-address =============================================================================== Source-Address applications =============================================================================== Application IP address/Interface Name Oper status ------------------------------------------------------------------------------- telnet 10.20.1.7 radius loopback1 =============================================================================== A:SR-7#
  • Page 232 SSH preserve key: Enabled SSH protocol version 1: Enabled RSA host key finger print:c6:a9:57:cb:ee:ec:df:33:1a:cd:d2:ef:3f:b5:46:34 SSH protocol version 2: Enabled DSA host key finger print:ab:ed:43:6a:75:90:d3:fc:42:59:17:8a:80:10:41:79 ======================================================= Connection Encryption Username ======================================================= 192.168.5.218 3des admin -------------------------------------------------------
  • Page 233 SNMP — Y - The user is authorized for SNMP access. N - The user is not authorized for SNMP access. Password expires — The number of days in which the user must change his login password.
  • Page 234 Password Login Failed Local console ftp li snmp Expires Attempts Logins Conf ------------------------------------------------------------------------------- admin never ------------------------------------------------------------------------------- Number of users : 1 =============================================================================== *A:Dut-C# show system security user detail =============================================================================== User Configuration Detail
  • Page 235: Table 20: Show View Output Fields

    view name — The name of the view. Views control the accessibility of a MIB object within the configured MIB view and subtree. oid tree — The object identifier of the ASN.1 subtree. mask — The bit mask that defines a family of view subtrees.
  • Page 236 1.3.6.1.4.1.6527.3.1.2.3.7 included vprn-view 1.3.6.1.4.1.6527.3.1.2.3.11 included vprn-view 1.3.6.1.4.1.6527.3.1.2.20.1 included no-security included no-security 1.3.6.1.6.3 excluded no-security 1.3.6.1.6.3.10.2.1 included no-security 1.3.6.1.6.3.11.2.1 included no-security 1.3.6.1.6.3.15.1.1 included on-security 00000000 included ------------------------------------------------------------------------------- No. of Views: =============================================================================== A:ALA-48#
  • Page 237 Cache entry expire time Parameters entry-id — Specifies the local cache entry identifier of the certificate that was validated by the OCSP responder. statistics Syntax statistics Context show>certificate Description This command shows certificate related statistics.
  • Page 238: Table 21: Show Users Output Fields

    A:ALA-7# show users =============================================================================== User Type From Login time Idle time =============================================================================== testuser Console 21FEB2007 04:58:55 0d 00:00:00 ------------------------------------------------------------------------------- Number of users : 1 'A' indicates user is in admin mode =============================================================================== A:ALA-7#
  • Page 239 1 — 2048 mac-filter Syntax mac-filter [entry entry-id] Context clear>cpm-filter Description This command clears MAC filter statistics. Parameters entry entry-id — Specifies a particular CPM MAC filter entry. Values 1 — 2048
  • Page 240 Login Control ipv6-filter Syntax ipv6-filter [entry entry-id] Context clear>cpm-filter Description This command clears IPv6 filter information. Parameters entry entry-id — Specifies a particular CPM IPv6 filter entry. Values 1 — 2048
  • Page 241 [port][interface][sap] Context clear>cpu-protection Description This command clears the rate limit violator record. Parameters port — Clears entries for ports. interface — Clears entries for interfaces. sap — Clears entries for SAPs.
  • Page 242 33 — 2000 radius-proxy-server Syntax radius-proxy-server server-name statistics Context clear>router Description This command clears RADIUS proxy server data. Parameters server-name — Specifies the proxy server name. statistics — Clears statistics for the specified server.
  • Page 243 This command enables debug output of OCSP protocol for the CA profile. The no form of the command disables the debug output. ca-profile Syntax [no] ca-profile profile-name Context debug>ocsp Description This command enables debug output of a specific CA profile.
  • Page 244 Debug Commands
  • Page 245: Snmp

    User-Based Security Model: Community Strings on page 249, Views on page 249, Access Groups on page 249, Users on page 250 • Which SNMP Version to Use? on page 251 • Configuration Notes on page 253
  • Page 246: Snmp Overview

    The main branches are defined by the Internet Engineering Task Force (IETF). When requested, the Internet Assigned Numbers Authority (IANA) assigns a unique branch for use by a private organization or company. The branch assigned to Alcatel-Lucent (TiMetra) is 1.3.6.1.4.1.6527.
  • Page 247: Snmp Protocol Operations

    View Access Control MIB (VACM) defines the user access control features. The SNMP-COMMUNITY-MIB is used to associate SNMPv1/SNMPv2c community strings with SNMPv3 VACM access control. SNMPv3 uses a username match for authentication.
  • Page 248: Management Information Access Control

    A community string is a text string that acts like a password to permit access to the agent on the router. Alcatel-Lucent’s implementation of SNMP has defined three levels of community-named access: •...
  • Page 249: User-Based Security Model Community Strings

    Pre-defined views are available that are particularly useful when configuring SNMPv1 and SNMPv2c. The Alcatel-Lucent SNMP agent associates SNMPv1 and SNMPv2c community strings with a SNMPv3 view. Access Groups Access groups associate a user group and a security model to the views the group can access.
  • Page 250: Users

    User access and authentication privileges must be explicitly configured. In a user configuration, a user is associated with an access group, which is a collection of users who have common access privileges and views (see Access Groups).
  • Page 251: Which Snmp Version To Use

    SNMP authentication allows the router to validate the managing node that issued the SNMP message and determine if the message was tampered with. Figure 6 depicts the configuration requirements to implement SNMPv1/SNMPv2c, and SNMPv3.
  • Page 252: Figure 6: Snmpv1 And Snmpv2C Configuration And Implementation Flow

    Figure 6: SNMPv1 and SNMPv2c Configuration and Implementation Flow (flow steps: R, RW, RWA Access (SNMPv1 & SNMPv2c ONLY); Configure Views; Configure Access Groups; Configure USM Community or Configure SNMP Users; Exit)
  • Page 253: Configuration Notes

    If not, the previously configured SNMP communities and logger trap-target notify communities will not be valid for the new engine ID.
  • Page 254 Configuration Notes
  • Page 255: Configuring Snmp With Cli

    This section provides information about configuring SNMP with CLI. Topics in this chapter include: • SNMP Configuration Overview on page 256 • Basic SNMP Security Configuration on page 257 • Configuring SNMP Components on page 258
  • Page 256: Snmp Configuration Overview

    Configuring SNMPv3 on page 256 Configuring SNMPv1 and SNMPv2c Alcatel-Lucent routers are based on SNMPv3. To use the routers with SNMPv1 and/or SNMPv2c, SNMP community strings must be configured. Three pre-defined access methods are available when SNMPv1 or SNMPv2c access is required. Each access method (r, rw, or rwa) is associated with an SNMPv3 access group that determines the access privileges and the scope of managed objects available.
  • Page 257: Basic Snmp Security Configuration

    20 time 5 lockout 10
  • Page 258: Configuring Snmp Components

    [version SNMP version] usm-community community-string group group-name view view-name subtree oid-value mask mask-value [type {included|excluded}] access group group-name security-model security-model security-level security-level [context context-name [prefix-match]] [read view-name-1] [write view-name-2] [notify view-name-3]
  • Page 259: Configuring A Community String

    The following displays an SNMP community configuration example: *A:cses-A13>config>system>security>snmp# info ---------------------------------------------- community "uTdc9j48PBRkxn5DcSjchk" hash2 rwa version both community "Lla.RtAyRW2" hash2 r version v2c community "r0a159kIOfg" hash2 r version both ---------------------------------------------- *A:cses-A13>config>system>security>snmp#
  • Page 260: Configuring View Options

    "testview" subtree "1.3.6.1.2" mask ff type excluded exit community "uTdc9j48PBRkxn5DcSjchk" hash2 rwa version both community "Lla.RtAyRW2" hash2 r version v2c community "r0a159kIOfg" hash2 r version both ---------------------------------------------- *A:cses-A13>config>system>security>snmp#
  • Page 261: Configuring Access Options

    "test" security-model usm security-level auth-no-privacy read "testview" write "testview" notify "testview" community "uTdc9j48PBRkxn5DcSjchk" hash2 rwa version both community "Lla.RtAyRW2" hash2 r version v2c community "r0a159kIOfg" hash2 r version both ---------------------------------------------- *A:cses-A13>config>system>security>snmp#
  • Page 262 {none|des-key|aes-128-cfb-key key}] group group-name The following displays a user’s SNMP configuration example. A:ALA-1>config>system>security# info ---------------------------------------------- user "testuser" access snmp snmp authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none group testgroup exit exit ---------------------------------------------- A:ALA-1>config>system>security#
  • Page 263: Configuring Usm Community Options

    "testview" write "testview" notify "testview" community "uTdc9j48PBRkxn5DcSjchk" hash2 rwa version both community "Lla.RtAyRW2" hash2 r version v2c community "r0a159kIOfg" hash2 r version both ---------------------------------------------- A:ALA-1>config>system>security>snmp# The group grouptest was configured in the config>system>security>snmp>access CLI context.
  • Page 264: Configuring Other Snmp Parameters

    CLI Syntax: config>system>snmp engineID engine-id general-port port packet-size bytes no shutdown The following example displays the system SNMP default values: A:ALA-104>config>system>snmp# info detail ---------------------------------------------- shutdown engineID "0000xxxx000000000xxxxx00" packet-size 1500 general-port 161 ---------------------------------------------- A:ALA-104>config>system>snmp#
  • Page 265: Snmp Command Reference

    — usm-community community-string group group-name — no usm-community community-string — view view-name subtree oid-value — no view view-name [subtree oid-value] — mask mask-value [type {included | excluded}] — no mask
  • Page 266 — system — information — security — access-group [group-name] — authentication [statistics] — communities — password-options [entry-id] — password-options — profile [profile-name] — — user [user-id] [detail] — view [view-name] [detail]
  • Page 267 This command configures the port number used by this node to receive SNMP request messages and to send replies. Note that SNMP notifications generated by the agent are sent from the port specified in the config>log>snmp-trap-group>trap-target CLI command.
  • Page 268 In higher latency networks, synchronizing router MIBs from network management via streaming takes less time than synchronizing via classic SNMP UDP requests. Streaming operates on TCP port 1491 and runs over IPv4 or IPv6.
  • Page 269 SNMP persistent index file fails while the bof persist on command is enabled. The no form of the command administratively enables SNMP which is the default state. Default no shutdown
  • Page 270 When this option is configured, both the group and the user must be configured for authentication. The user must also be configured for privacy. context context-name — Specifies a set of SNMP objects that are associated with the context-name.
  • Page 271 1 — 64 time minutes1 — The period of time, in minutes, that a specified number of unsuccessful attempts can be made before the host is locked out. Default Values 0 — 60
  • Page 272 Each bit in the mask corresponds to a sub-identifier position. For example, the most significant bit for the first sub-identifier, the next most significant bit for the second sub-identifier, and so on. If the bit position on the sub-identifier is available, it can be included or excluded.
  • Page 273 - All MIB subtree objects that are identified with a 1 in the mask are denied access in the view. (Default: included). Default included snmp Syntax snmp Context config>system>security Description This command creates the context to configure SNMPv1, SNMPv2, and SNMPv3 parameters.
  • Page 274 The access granted with a community string is restricted to the scope of the configured group. Alcatel-Lucent’s SR OS implementation of SNMP uses SNMPv3. In order to implement SNMPv1 and SNMPv2c configurations, several access groups are predefined. In order to implement SNMP with security features (Version 3), security models, security levels, and USM communities must be explicitly configured.
  • Page 275 It is possible to have a view with different subtrees with their own masks and include and exclude statements. This allows for customizing visibility and write capabilities to specific user requirements.
  • Page 276 SNMP Security Commands
  • Page 277: Table 22: Counters Output Fields

    variables set — Displays the number of MIB objects set by SNMP as the result of receiving valid SNMP set request PDUs. Sample Output A:ALA-1# show snmp counters ============================================================================== SNMP counters: ============================================================================== in packets :
  • Page 278: Table 23: Counters Output Fields

    out responses — Displays the number of response packets sent. Sample Output *A:Dut-B# show snmp streaming counters ============================================================================== STREAMING counters: ============================================================================== in getTables : 772 in getManys : 26 ------------------------------------------------------------------------------ out responses : 848 ==============================================================================
  • Page 279: Table 24: Show System Information Output Fields

    SNMP Sync State — The state when the synchronization of configuration files between the primary and secondary s finish. Telnet/SSH/FTP Admin — Displays the administrative state of the Telnet, SSH, and FTP sessions.
  • Page 280 Time Last Modified. Max Cfg/BOF Backup Rev — The maximum number of backup revisions maintained for a configuration file. This value also applies to the number of revisions maintained for the BOF file.
  • Page 281 Next Hop — The next hop IP address used to reach the destination. Metric — Displays the priority of this static route versus other static routes. None — No static routes are configured.
  • Page 282 : WED MAY 23 11:58:26 2012 UTC Last Boot Config Header: # TiMOS-C-0.0.I3339 cpm/i386 ALCATEL XRS 7950 Copyright (c) 2000-2012 Alcatel-Lucent. # All rights reserved. All use subject to applicable license agreements. # Built on Tue May 22 18:46:56 PDT 2012 by builder in /rel0.0/I3339/panos/main # Generated...
  • Page 283 /rel0.0/I1042/panos/main # Generated THU FEB 11 16:58:20 2007 UTC Last Boot Index Version: N/A Last Boot Index Header : # TiMOS-B-0.0.I1042 both/i386 Alcatel-Lucent SR Copyright (c) 2000-2007 Alcatel-Lucent. # All rights reserved. All use subject to applicable license agreements.
  • Page 284: Table 25: Show System Security Access-Group Output Fields

    No. of access groups — The total number of configured access groups. Sample Output A:ALA-1# show system security access-group =============================================================================== Access Groups =============================================================================== group name security security read write notify model level view view view
  • Page 285 server address — The address of the RADIUS, TACACS+, or local server. status — The status of the server. type — The type of server. timeout (secs) — Number of seconds the server will wait before timing out.
  • Page 286 ------------------------------------------------------------------------------- No. of Servers: 4 =============================================================================== A:ALA-49>show>system>security# communities Syntax communities Context show>system>security Description This command lists SNMP communities and characteristics. Output Communities Output — The following table describes the communities output fields.
  • Page 287: Table 26: Show Communities Output Fields

    ----------------------------------------------------------------------------- private v1 v2c snmp-rwa public no-security v1 v2c snmp-ro snmp-trap ----------------------------------------------------------------------------- No. of Communities: 3 ============================================================================= A:ALA-1# password-options Syntax password-options Context show>system>security Description This command displays password options.
  • Page 288 =============================================================================== A:ALA-48>show>system>security# per-peer-queuing Syntax per-peer-queuing Context show>system>security Description This command displays the number of queues in use by the Qchip, which in turn is used by PPQ, CPM filter, SAP, etc.
  • Page 289 Description default — The action to be given to the user profile if none of the User Profile entries match the command. administrative — Specifies the administrative state for this profile.
  • Page 290 — Denies the user access to all commands. A:ALA-48>config>system>snmp# show system security profile =============================================================================== User Profile =============================================================================== User Profile : test Def. Action : none ------------------------------------------------------------------------------- Entry Description Match Command: Action : unknown Page 290 7950 SR OS System Management Guide...
  • Page 291 Match Command: show system security Action : permit =============================================================================== ------------------------------------------------------------------------------- No. of profiles: 3 =============================================================================== A:ALA-48>config>system>snmp# Syntax Context show>system>security Description This command displays all the SSH sessions as well as the SSH status and fingerprint. 7950 SR OS System Management Guide Page 291...
  • Page 292: Table 27: Show Ssh Output Fields

    SSH is enabled
    Key fingerprint: 34:00:f4:97:05:71:aa:b1:63:99:dc:17:11:73:43:83
    =======================================================
    Connection          Encryption      Username
    =======================================================
    192.168.5.218       3des            admin
    -------------------------------------------------------
    Number of SSH sessions : 1
    =======================================================
    ALA-7#
    A:ALA-49>config>system>security# show system security ssh
    SSH is disabled
    A:ALA-49>config>system>security#
  • Page 293: Table 28: Show User Output Fields

    ===============================================================================
    Users
    ===============================================================================
    user id      need      user permissions      password   attempted   failed   local
                 new pwd   console ftp snmp      expires    logins      logins   conf
    -------------------------------------------------------------------------------
    admin                                        never
    testuser                                     never
    -------------------------------------------------------------------------------
    Number of users : 2
  • Page 294: Table 29: Show System Security View Output Fields

    ===============================================================================
    Views
    ===============================================================================
    view name        oid tree                 mask      permission
    -------------------------------------------------------------------------------
                                                        included
    no-security                                         included
    no-security      1.3.6.1.6.3                        excluded
    no-security      1.3.6.1.6.3.10.2.1                 included
    no-security      1.3.6.1.6.3.11.2.1                 included
    no-security      1.3.6.1.6.3.15.1.1                 included
    -------------------------------------------------------------------------------
    No. of Views: 6
    ===============================================================================
    A:ALA-1#
  • Page 295
    no-security      1.3.6.1.6.3                        excluded
    no-security      1.3.6.1.6.3.10.2.1                 included
    no-security      1.3.6.1.6.3.11.2.1                 included
    no-security      1.3.6.1.6.3.15.1.1                 included
    -------------------------------------------------------------------------------
    No. of Views: 5
    ===============================================================================
    =======================================
    no-security used in
    =======================================
    group name
    ---------------------------------------
    snmp-ro
    snmp-rw
    =======================================
    A:ALA-1#
  • Page 296 Show Commands
  • Page 297: Event And Accounting Logs

    Default System Log on page 313
    • Accounting Logs on page 314
        Accounting Records on page 314
        Accounting Files on page 317
        Design Considerations on page 317
    • Configuration Notes on page 321
  • Page 298: Logging Overview

    Events that are suppressed by event control will not generate any event log entries. Event control maintains a count of the number of events generated (logged) and dropped (suppressed) for each application event. The severity of an application event can be configured in event control.
  • Page 299 The only supported destination for an accounting log is a compact flash system device (cf1 or cf2). Accounting data is stored within a standard directory structure on the device in compressed XML format.
  • Page 300: Log Destinations

    When a memory log is created, the specific number of entries it can hold can be specified; otherwise it will assume a default size. An event log can send entries to a memory log destination.
  • Page 301: Log Files

    24-hour clock (for example, 04 for 4 a.m.)
    mm is the two digit minute (for example, 30 for 30 minutes past the hour)
    ss is the two digit second (for example, 14 for 14 seconds)
  • Page 302 The \act-collect directory is where active accounting logs are written. When an accounting log is rolled over, the active file is closed and archived in the \act directory before a new active accounting log file is created in \act-collect.
  • Page 303: Snmp Trap Group

    The UDP port used to send the syslog message.
    • The Syslog Facility Code (0 - 23) (default 23 - local 7).
    • The Syslog Severity Threshold (0 - 7) - events exceeding the configured level will be sent.
  • Page 304: Table 31: Router To Syslog Severity Level Mappings

    System is unusable
    alert            Action must be taken immediately
    critical         Critical conditions
    error            Error conditions
    warning          Warning conditions
    notice           Normal but significant condition
    1 cleared        info     Informational messages
    2 indeterminate  debug    Debug-level messages
  • Page 305: Event Logs

    Figure 7: Event Logging Block Diagram (block labels recovered from the figure: Log Manager, Filter Policy, Log Destination, Security, Change, Debug, Logs, Console, Session, Memory, File, Trap Group, Syslog; legend: Different Events, Event with Severity Marked; drawing ID CLI0001B)
  • Page 306: Event Sources

    *A:ALA-48# show log applications
    ==================================
    Log Event Application Names
    ==================================
    Application Name
    ----------------------------------
    CCAG
    CFLOWD
    CHASSIS
    MPLS
    MSDP
    USER
    VRRP
    VRTR
    ==================================
    *A:ALA-48#
  • Page 307: Event Control

    The following example, generated by querying event control for application generated events, displays a partial list of event numbers and names.
    router# show log event-control
    =======================================================================
    Log Events
    =======================================================================
    Application    Event Name    Logged    Dropped
    -----------------------------------------------------------------------
  • Page 308: Log Manager And Event Logs

    • An optional event filter policy
    An event filter policy defines whether to forward or drop an event or trap based on match criteria.
  • Page 309: Event Filter Policies

    • Equal to or not equal to a router name string or regular expression match.
    • Equal to or not equal to an event subject string or regular expression match.
  • Page 310: Event Log Entries

    The UTC date stamp for the log entry.
    YYYY/MM/DD
    YYYY — Year
    MM — Month
    DD — Date
    The UTC time stamp for the event.
    HH:MM:SS.SS
    HH — Hours (24 hour format)
    MM — Minutes
    SS.SS — Seconds
  • Page 311
    <event_id>     The application’s event ID number for the event.
    <router>       The router name representing the VRF-ID that generated the event.
    <subject>      The subject/affected object for the event.
    <description>  A text description of the event.
  • Page 312: Simple Logger Event Throttling

    Throttle rate applies commonly to all event types. It is not configurable for a specific event type. A timer task checks for events dropped by throttling when the throttle interval expires. If any events have been dropped, a TIMETRA-SYSTEM-MIB::tmnxTrapDropped notification is sent.
  • Page 313: Default System Log

    The following example displays the log 99 configuration.
    ALA-1>config>log# info detail
    #------------------------------------------
    echo "Log Configuration "
    #------------------------------------------
        snmp-trap-group 7
        exit
        log-id 99
            description "Default system log"
            no filter
            from main
            to memory 500
            no shutdown
        exit
    ----------------------------------------------
    ALA-1>config>log#
  • Page 314: Accounting Logs

    Table 34, Table 35, and Table 36 provide field descriptions.
    Table 34: Policer Stats Field Descriptions
    Field    Field Description
    PolicerId
    statmode    PolicerStatMode
    AllOctetsDropped
    AllOctetsForwarded
    AllOctetsOffered
    AllPacketsDropped
    AllPacketsForwarded
    AllPacketsOffered
    HighPriorityOctetsDropped
    HighPriorityOctetsForwarded
    HighPriorityOctetsOffered
    HighPriorityPacketsDropped
    HighPriorityPacketsForwarded
  • Page 315: Table 35: Queue Group Record Types

    OutOfProfileOctetsForwarded
    OutOfProfileOctetsOffered
    UncoloredOctetsOffered
    Table 35: Queue Group Record Types
    Record Name    Description
    qgone          PortQueueGroupOctetsNetworkEgress
    qgosi          PortQueueGroupOctetsServiceIngress
    qgose          PortQueueGroupOctetsServiceEgress
    qgpne          PortQueueGroupPacketsNetworkEgress
    qgpsi          PortQueueGroupPacketsServiceIngress
    qgpse          PortQueueGroupPacketsServiceEgress
    fpqgosi        ForwardingPlaneQueueGroupOctetsServiceIngress
    fpqgoni        ForwardingPlaneQueueGroupOctetsNetworkIngress
    fpqgpsi        ForwardingPlaneQueueGroupPacketsServiceIngress
    fpqgpni        ForwardingPlaneQueueGroupPacketsNetworkIngress
  • Page 316: Table 36: Queue Group Record Type Fields

    LAGMemberPort (used for port based Queue Groups)
    data slot          Slot (used for Forwarding Plane based Queue Groups)
    forwarding-plane   ForwardingPlane (used for Forwarding Plane based Queue Groups)
    queue-group        QueueGroupName
    instance           QueueGroupInstance
    QueueId
    PolicerId
    statmode           PolicerStatMode
    aod...ucp          same as above
  • Page 317: Accounting Files

    For example, with a 1GB CF and using the default collection interval, the system is expected to hold 48 hours worth of billing information.
  • Page 318: Overhead Reduction In Accounting: Custom Record

    Assurance records; however, without an ability to specify different significant change values and per-field scope (for example, all fields of a custom record are collected if any activity was reported against any of the statistics that are part of the custom record).
  • Page 319: Configurable Accounting Records

    For Application Assurance records, a significant change of 1 in any field of a customized record (send a record if any field changed) is supported. When configured, if any statistic field records activity, an accounting record containing all fields will be collected.
  • Page 320: Immediate Completion Of Records

    AA Accounting per Forwarding Class
    This feature allows the operator to report on protocol/application/app-group volume usage per forwarding class by adding bitmap information representing the observed FC in the XML accounting files.
  • Page 321: Configuration Notes

    Accounting policies must be configured in the config>log context before they can be applied to a service SAP or service interface, or applied to a network port.
    • The snmp-trap-id must be the same as the log-id.
  • Page 322 Configuration Notes
  • Page 323: Configuring Logging With Cli

    Log Configuration Overview on page 324
        Log Types on page 324
    • Basic Event Log Configuration on page 325
    • Common Configuration Tasks on page 326
    • Log Management Tasks on page 343
  • Page 324: Log Configuration Overview

    Accounting policies can be applied to one or more service access points (SAPs).
    • Event logs — An event log defines the types of events to be delivered to its associated destination.
    • Event throttling rate — Defines the rate of throttling events.
  • Page 325: Basic Event Log Configuration

            2
                description "This is a test log."
                location cf1:
            exit
            snmp-trap-group 7
                trap-target 11.22.33.44 "snmpv2c" notify-community "public"
            exit
            log-id 2
                from main
                to file 2
            exit
    ----------------------------------------------
    A:ALA-12>config>log#
  • Page 326: Common Configuration Tasks

    CLI Syntax: config>log
        log-id log-id
            description description-string
            filter filter-id
            from {[main] [security] [change] [debug-trace]}
            to console
            to file file-id
            to memory [size]
            to session
            to snmp [size]
            to syslog syslog-id
            time-format {local|utc}
            no shutdown
  • Page 327 Event and Accounting Logs
    The following displays a log file configuration example:
    ALA-12>config>log>log-id# info
    ----------------------------------------------
            log-id 2
                description "This is a test log file."
                filter 1
                from main security
                to file 1
            exit
    ----------------------------------------------
    ALA-12>config>log>log-id#
  • Page 328: Configuring A File Id

    [retention hours]
    The following displays a log file configuration example:
    A:ALA-12>config>log# info
    ------------------------------------------
            file-id 1
                description "This is a log file."
                location cf1:
                rollover 600 retention 24
            exit
    ----------------------------------------------
    A:ALA-12>config>log#
  • Page 329: Configuring An Accounting Policy

    The following displays an accounting policy configuration example:
    A:ALA-12>config>log# info
    ----------------------------------------------
            accounting-policy 5
                description "This is a test accounting policy."
                record service-ingress-packets
                to file 3
            exit
    ----------------------------------------------
    A:ALA-12>config>log#
  • Page 330: Configuring Event Control

    A:ALA-12>config>log# info
    #------------------------------------------
    echo "Log Configuration"
    #------------------------------------------
            throttle-rate 500 interval 10
            event-control "oam" 2001 generate throttle
            event-control "ospf" 2001 suppress
            event-control "ospf" 2003 generate cleared
            event-control "ospf" 2014 generate critical
    ----------------------------------------------
    A:ALA-12>config>log>filter#
  • Page 331: Configuring Throttle Rate

    Use the following CLI syntax to configure the throttle rate.
    CLI Syntax: config>log# throttle-rate events [interval seconds]
    The following displays a throttle rate configuration example:
    *A:gal171>config>log# info
    ---------------------------------------------
            throttle-rate 500 interval 10
            event-control "bgp" 2001 generate throttle
    ----------------------------------------------
    *A:gal171>config>log#
  • Page 332: Configuring A Log Filter

                        "mirror"
                        severity eq critical
                    exit
                exit
            exit
            log-id 2
                shutdown
                description "This is a test log file."
                filter 1
                from main security
                to file 1
            exit
    ------------------------------------------
    A:ALA-12>config>log#
  • Page 333: Configuring An Snmp Trap Group

                "xyz-test" address xx.xx.x.x snmpv2c notify-community "xyztesting"
                trap-target "test2" address xx.xx.xx.x snmpv2c notify-community "xyztesting"
    ----------------------------------------------
    *A:SetupCLI>config>log>log-id# info
    ----------------------------------------------
                from main
                to snmp
    ----------------------------------------------
    *A:SetupCLI>config>router# interface xyz-test
    *A:SetupCLI>config>router>if# info
    ----------------------------------------------
                address xx.xx.xx.x/24
                port 1/1/1
    ----------------------------------------------
    *A:SetupCLI>config>router>if#
  • Page 334: Setting The Replay Parameter

    Name        : test2
    Address     : 20.20.20.5
    Port        : 162
    Version     : v2c
    Community   : xyztesting
    Sec. Level  : none
    Replay      : disabled
    Replay from : n/a
    Last replay : never
    ===============================================================================
    A:SetupCLI>config>log>snmp-trap-group#
  • Page 335
    "Status of Mda 1/1 changed administrative state: inService, operational state: inService"
    3814 2008/04/22 23:35:38.88 UTC MINOR: CHASSIS #2002 Base Mda 1/2
    "Class MDA Module : inserted"
    3813 2008/04/22 23:35:38.88 UTC MINOR: CHASSIS #2002 Base Mda 1/1
  • Page 336: Shutdown In-Band Port

    Name        : test2
    Address     : 20.20.20.5
    Port        : 162
    Version     : v2c
    Community   : xyztesting
    Sec. Level  : none
    Replay      : disabled
    Replay from : n/a
    Last replay : never
    ===============================================================================
    *A:SetupCLI#
  • Page 337
    3818 2008/04/22 23:35:39.89 UTC WARNING: SYSTEM #2009 Base IP
    "Status of vRtrIfTable: router Base (index 1) interface xyz-test (index 35) changed administrative state: inService, operational state: inService"
    3823 2008/04/22 23:41:49.82 UTC WARNING: SNMP #2005 Base xyz-test
    "Interface xyz-test is operational"
  • Page 338: No Shutdown Port

    An event message has been written to the logger that indicates the replay to the trap-target address has happened and displays the notification sequence ID of the first and last replayed notifications.
    *A:SetupCLI# show log log-id 44
    ===============================================================================
    Event Log 44
  • Page 339
    "Status of vRtrIfTable: router Base (index 1) interface xyz-test (index 35) changed administrative state: inService, operational state: inService"
    3823 2008/04/22 23:41:49.82 UTC WARNING: SNMP #2005 Base xyz-test
    "Interface xyz-test is operational"
  • Page 340: Configuring A Syslog Target

    {emergency|alert|critical|error|warning|notice|info|debug}
    facility syslog-facility
    The following displays a syslog configuration example:
    A:ALA-12>config>log# info
    ----------------------------------------------
            syslog 1
                description "This is a syslog file."
                address 10.10.10.104
                facility user
                level warning
            exit
    ----------------------------------------------
    A:ALA-12>config>log#
  • Page 341: Configuring An Accounting Custom Record

    ----------------------------------------------
    A:ALA-48>config>subscr-mgmt>acct-plcy#
    The following is an example custom record configuration.
    Dut-C>config>log>acct-policy>cr# info
    ----------------------------------------------
                aa-specific
                    aa-sub-counters
                        short-duration-flow-count
                        medium-duration-flow-count
                        long-duration-flow-count
                        total-flow-duration
                        total-flows-completed-count
                    exit
                    from-aa-sub-counters
                        flows-admitted-count
                        flows-denied-count
                        flows-active-count
                        packets-admitted-count
                        octets-admitted-count
                        packets-denied-count
                        octets-denied-count
                        max-throughput-octet-count
  • Page 342 Common Configuration Tasks
                        max-throughput-packet-count
                        max-throughput-timestamp
                        forwarding-class
                    exit
                    to-aa-sub-counters
                        flows-admitted-count
                        flows-denied-count
                        flows-active-count
                        packets-admitted-count
                        octets-admitted-count
                        packets-denied-count
                        octets-denied-count
                        max-throughput-octet-count
                        max-throughput-packet-count
                        max-throughput-timestamp
                        forwarding-class
                    exit
                exit
                significant-change 1
                ref-aa-specific-counter any
    ----------------------------------------------
  • Page 343: Log Management Tasks

    Modifying a Log Filter on page 353
    • Deleting a Log Filter on page 355
    • Modifying Event Control Parameters on page 356
    • Returning to the Default Event Control Configuration on page 357
  • Page 344: Modifying A Log File

    ----------------------------------------------
    ALA-12>config>log>log-id#
    The following displays an example to modify log file parameters:
    Example:
        config# log
        config>log# log-id 2
        config>log>log-id# description "Chassis log file."
        config>log>log-id# filter 2
        config>log>log-id# from security
        config>log>log-id# exit
  • Page 345 Event and Accounting Logs
    The following displays the modified log file configuration:
    A:ALA-12>config>log# info
    ----------------------------------------------
            log-id 2
                description "Chassis log file."
                filter 2
                from security
                to file 1
            exit
    ----------------------------------------------
    A:ALA-12>config>log#
  • Page 346: Deleting A Log File

    Use the following CLI syntax to delete a log file:
    CLI Syntax: config>log
        no log-id log-id
            shutdown
    The following displays an example to delete a log file:
    Example
        config# log
        config>log# log-id 2
        config>log>log-id# shutdown
        config>log>log-id# exit
        config>log# no log-id 2
  • Page 347: Modifying A File Id

        1
        config>log>file-id# description "LocationTest."
        config>log>file-id# rollover 2880 retention 500
        config>log>file-id# exit
    The following displays the file modifications:
    A:ALA-12>config>log# info
    ----------------------------------------------
            file-id 1
                description "LocationTest."
                location
                rollover 2880 retention 500
            exit
    ----------------------------------------------
    A:ALA-12>config>log#
  • Page 348: Deleting A File Id

    NOTE: All references to the file ID must be deleted before the file ID can be removed.
    Use the following CLI syntax to delete a log ID:
    CLI Syntax: config>log
        no file-id log-file-id
    The following displays an example to delete a file ID:
    Example
        config>log# no file-id 1
  • Page 349: Modifying A Syslog Id

        10.10.0.91
        config>log>syslog# facility mail
        config>log>syslog# level info
    The following displays the syslog configuration:
    A:ALA-12>config>log# info
    ----------------------------------------------
            syslog 1
                description "Test syslog."
                address 10.10.10.91
                facility mail
                level info
            exit
    ----------------------------------------------
    A:ALA-12>config>log#
  • Page 350: Deleting A Syslog

    Use the following CLI syntax to delete a syslog file:
    CLI Syntax: config>log
        no syslog syslog-id
    The following displays an example to delete a syslog ID:
    Example
        config# log
        config>log# no syslog 1
  • Page 351: Modifying An Snmp Trap Group

        10.10.10.104:5
        config>log>snmp-trap-group# snmp-trap-group# trap-target 10.10.0.91:1 snmpv2c notify-community "com1"
    The following displays the SNMP trap group configuration:
    A:ALA-12>config>log# info
    ----------------------------------------------
            snmp-trap-group 10
                trap-target 10.10.0.91:1 "snmpv2c" notify-community "com1"
            exit
    ----------------------------------------------
    A:ALA-12>config>log#
  • Page 352: Deleting An Snmp Trap Group

    ----------------------------------------------
    A:ALA-12>config>log#
    The following displays an example to delete a trap target and an SNMP trap group.
    Example
        config>log# snmp-trap-group 10
        config>log>snmp-trap-group# no trap-target 10.10.0.91:1
        config>log>snmp-trap-group# exit
        config>log# no snmp-trap-group 10
  • Page 353: Modifying A Log Filter

    The following displays an example of the log filter modifications:
    Example
        config# log
        config>log# filter 1
        config>log>filter# description "This allows <n>."
        config>log>filter# default-action forward
        config>log>filter# entry 1
        config>log>filter>entry$ action drop
        config>log>filter>entry# match
        config>log>filter>entry>match# application eq user
  • Page 354 The following displays the log filter configuration:
    A:ALA-12>config>log>filter# info
    ----------------------------------------
            filter 1
                description "This allows <n>."
                entry 1
                    action drop
                    match
                        application eq "user"
                        number eq 2001
                    exit
                exit
            exit
    ----------------------------------------
    A:ALA-12>config>log>filter#
  • Page 355: Deleting A Log Filter

                        "user"
                        number eq 2001
                    exit
                exit
            exit
    ----------------------------------------
    A:ALA-12>config>log>filter#
    The following displays an example of the command usage to delete a log filter:
    Example
        config>log# no filter 1
  • Page 356: Modifying Event Control Parameters

    The following displays an example of event control modifications:
    Example
        config# log
        config>log# event-control 2014 suppress
    The following displays the event control configuration:
    A:ALA-12>config>log# info
    ----------------------------------------------
            event-control "" 2014 suppress
    ----------------------------------------------
    A:ALA-12>config>log#
  • Page 357: Returning To The Default Event Control Configuration

            "" 2011 generate warning
            event-control "" 2012 generate warning
            event-control "" 2013 generate warning
            event-control "" 2014 generate warning
            event-control "" 2015 generate critical
            event-control "" 2016 generate warning
    ----------------------------------------------
    A:ALA-12>config>log#
  • Page 358 Log Management Tasks
  • Page 359: Log Command Reference

    — no event-control application [event-name | event-number]
    — [no] event-damping
    — route-preference primary {inband | outband} secondary {inband | outband | none}
    — no route-preference
    — throttle-rate events [interval seconds]
    — no throttle-rate
  • Page 360
    — accounting-policy acct-policy-id
    — no accounting-policy acct-policy-id
    — [no] default
    — description description-string
    — no description
    — [no] include-system-info
    — record record-name
    — no record
    — [no] shutdown
    — file log-file-id
  • Page 361
    — [no] out-profile-octets-discarded-count
    — [no] out-profile-octets-forwarded-count
    — [no] out-profile-packets-discarded-count
    — [no] out-profile-packets-forwarded-count
    — [no] queue queue-id
    — e-counters [all]
    — no e-counters
    — [no] in-profile-octets-discarded-count
    — [no] in-profile-octets-forwarded-count
    — [no] in-profile-packets-discarded-count
  • Page 362
    — [no] high-packets-discarded-count
    — [no] high-packets-offered-count
    — [no] in-profile-octets-forwarded-count
    — [no] in-profile-packets-forwarded-count
    — [no] low-octets-discarded-count
    — [no] low-packets-discarded-count
    — [no] low-octets-offered-count
    — [no] low-packets-offered-count
    — [no] out-profile-octets-forwarded-count
    — [no] out-profile-packets-forwarded-count
    — [no] uncoloured-octets-offered-count
  • Page 363
    — rollover minutes [retention hours]
    — no rollover
    Event Filter Commands
    config
    — log
    — [no] filter filter-id
    — default-action {drop | forward}
    — no default-action
    — description description-string
    — no description
  • Page 364
    {eq | neq} router-instance [regexp]
    — no router
    — severity {eq | neq | lt | lte | gt | gte} severity-level
    — no severity
    — subject {eq | neq} subject [regexp]
    — no subject
  • Page 365
    — no description
    — trap-target name [address ip-address] [port port] [snmpv1 | snmpv2c | snmpv3] notify-community communityName | snmpv3SecurityName [security-level {no-auth-no-privacy | auth-no-privacy | privacy}] [replay]
    — no trap-target name
  • Page 366
    [filter-id]
    — log-collector
    — log-id [log-id] [severity severity-level] [application application] [sequence from-seq [to-seq]] [count count] [subject subject] [ascending | descending]
    — snmp-trap-group [log-id]
    — syslog [syslog-id]
    Clear Command
    clear
    — log-id
  • Page 367: Generic Commands

    The no form of this command administratively enables an entity. Default no shutdown Special Cases log-id log-id — When a log-id is shut down, no events are collected for the entity. This leads to the loss of event data. 7950 SR OS System Management Guide Page 367...
  • Page 368 Syntax [no] route-recovery-wait Context config>log>app-route-notifications Description The time delay that must pass before notifying specific CPM applications after the recovery or change of a route during normal operation. Default no route-recovery-wait Page 368 7950 SR OS System Management Guide...
  • Page 369 | event-number — To generate, suppress, or revert to default for a single event, enter the specific number or event short name. If no event number or name is specified, the command 7950 SR OS System Management Guide Page 369...
  • Page 370 On the other hand, if the damping is disabled (no event-damping), it may take much longer for a large CLI configuration file to be processed when manually “exceed” after system bootup. Page 370 7950 SR OS System Management Guide...
  • Page 371 — Specifies that the logging utility will attempt to use the management routing context to send SNMP notifications and syslog messages to remote destinations. none — Specifies that no attempt will be made to send SNMP notifications and syslog messages to remote destinations. 7950 SR OS System Management Guide Page 371...
  • Page 372 – mm is the minutes (for example, 30 for 30 minutes past the hour) – ss is the number of seconds (for example, 14 for 14 seconds) • The accounting file is compressed and has a gz extension. Page 372 7950 SR OS System Management Guide...
  • Page 373 If sufficient space is not available an attempt is made to remove the oldest to newest closed log or accounting files. After each file is deleted, the system attempts to create the new file. 7950 SR OS System Management Guide Page 373...
  • Page 374 The file becomes a candidate for removal once the creation datestamp + rollover time + retention time is less than the current timestamp. Default Values 1 — 500 Page 374 7950 SR OS System Management Guide...
  • Page 375 — The events which are not explicitly forwarded by an event filter match are dropped. forward — The events which are not explicitly dropped by an event filter match are forwarded. 7950 SR OS System Management Guide Page 375...
  • Page 376 The no form of the command removes the specified entry from the event filter. Entries removed from the event filter are immediately removed from all log-id’s where the filter is applied. Default No event filter entries are defined. An entry must be explicitly configured. Page 376 7950 SR OS System Management Guide...
  • Page 377 The entry ID uniquely identifies a set of match criteria corresponding action within a filter. Entry ID values should be configured in staggered increments so you can insert a new entry in an existing policy without renumbering the existing entries. Values 1 — 999 7950 SR OS System Management Guide Page 377...
  • Page 378 | neq — The operator specifying the type of match. Valid operators are listed in the table below. Operator Notes equal to not equal to application-id — The application name string. Values port, ppp, rip, route_policy, rsvp, security, snmp, stp, svcmgr, system, user, vrrp, vrtr Page 378 7950 SR OS System Management Guide...
  • Page 379 — Determines if the matching criteria should not be equal to the specified value. router-instance — Specifies a router name up to 32 characters to be used in the match criteria. 7950 SR OS System Management Guide Page 379...
  • Page 380 — The ITU severity level name. The following table lists severity names and corresponding numbers per ITU standards M.3100 X.733 & X.21 severity levels. Severity Number Severity Name cleared indeterminate (info) critical major minor warning Values cleared, intermediate, critical, major, minor, warning Page 380 7950 SR OS System Management Guide...
  • Page 381 When regexp keyword is not specified, the subject command string is matched exactly by the event filter. 7950 SR OS System Management Guide Page 381...
  • Page 382 Default: no address — There is no syslog target host IP address defined for the syslog ID. Parameters: ip-address — The IP address of the syslog target host in dotted decimal notation.
  • Page 383 Valid facility codes per RFC 3164, The BSD syslog Protocol, are listed in the table below (Numerical Code / Facility Code): 0 kernel; 1 user; 2 mail; 3 systemd; 4 auth; 5 syslogd; 6 printer; 7 net-news; 8 uucp; 9 cron; 10 auth-priv; 13 log-audit; 14 log-alert; 15 cron2; 16 local0; ...
  • Page 384 Only a single threshold level can be specified. If multiple levels are entered, the last level entered overwrites the previously entered commands.
  • Page 385 The no form of the command reverts to the default value. Default: no port. Parameters: value — The configured UDP port number used when sending syslog messages. Values: 1 — 65535
  • Page 386 Values: 1 — 20000. Default: 2000. interval seconds — Specifies the number of seconds that an event throttling interval lasts. Values: 1 — 1200. Default
  • Page 387 The trap-target command is used to add/remove a trap receiver from an snmp-trap-group. The operational parameters specified in the command include: • The IP address of the trap receiver • The UDP port used to send the SNMP trap • SNMP version
  • Page 388 Pre-existing conditions are checked before the snmpv3SecurityName is accepted. These are:
  • Page 389 Note that because of route table change convergence time, it is possible that one or more events may be lost at the beginning or end of a replay sequence. The cold-start-wait and route-recovery-wait timers under config>log>app-route-notifications can help reduce the probability of lost events.
  • Page 390 Only one from command may be entered for a single log-id. If multiple from commands are configured, the last command entered overwrites the previous from command. The no form of the command removes all previously configured source streams. Default: No source stream is configured.
  • Page 391 It is strongly recommended not to alter the configuration for Log-ID 99. The no form of the command deletes the log destination ID from the configuration.
  • Page 392 — Instructs the events selected for the log ID to be directed to the log-file-id. The characteristics of the log-file-id referenced here must have already been defined in the config>log>file log-file-id context. Values: 1 — 99
  • Page 393 The to command cannot be modified or re-entered. If the destination or maximum size of an SNMP or memory log needs to be modified, the log ID must be removed and then re-created. Default: none
  • Page 394 — Instructs the events selected for the log ID to be directed to the syslog-id. The characteristics of the syslog-id referenced here must have been defined in the config>log>syslog syslog-id context. Values: 1 — 10
  • Page 395 — Specifies that timestamps are written in the system’s local time. utc — Specifies that timestamps are written using the UTC value, formerly called Greenwich Mean Time (GMT) or Zulu time.
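The filter, syslog, trap-target and log-id commands described on pages 376 to 395 form one pipeline: a filter selects events, a log-id pulls them from one or more streams and sends them to a destination. The configuration below, in admin display-config layout, is an added example written for this edit and is not taken from the guide. Every ID, the collector addresses 192.0.2.10 and 192.0.2.20, the prefix "PE1", the descriptions and the SNMPv3 security name "trapuser" are assumptions; the user named as trapuser must already exist under configure system security user with snmp access and authentication and privacy keys that satisfy the privacy security level (these are the pre-existing conditions the guide refers to on page 388), and Log-ID 99 is left untouched as page 391 advises.

```text
configure
    log
        # Event filter 1001: forward every event of the "security" application
        # plus any critical or major event from other applications; drop the
        # rest. Entry IDs are staggered (10, 20, 30) so an entry can be inserted
        # later without renumbering (page 377). One entry per severity of
        # interest is used rather than a range operator.
        filter 1001
            default-action drop
            description "Security events and critical/major faults"
            entry 10
                action forward
                match
                    application eq "security"
                exit
            exit
            entry 20
                action forward
                match
                    severity eq critical
                exit
            exit
            entry 30
                action forward
                match
                    severity eq major
                exit
            exit
        exit
        # Syslog target 1 (assumed collector 192.0.2.10). Syslog over UDP is
        # neither authenticated nor encrypted, so this traffic belongs on an
        # out-of-band management network. The level threshold drops events
        # below notice before they leave the router (the "Below Level Drop"
        # counter in show log syslog); only one level can be set (page 384).
        syslog 1
            description "SIEM collector"
            address 192.0.2.10
            port 514
            facility local1
            level notice
            log-prefix "PE1"
        exit
        # Log-id 20: main + security streams -> filter 1001 -> syslog 1.
        # A single from command lists all source streams (page 390); UTC
        # timestamps keep events comparable with other sources (page 395).
        log-id 20
            description "Security events to SIEM"
            filter 1001
            from main security
            to syslog 1
            time-format utc
            no shutdown
        exit
        # Log-id 30 delivers the same selection as SNMP notifications. The
        # snmp-trap-group number must equal this log-id, and "to snmp" cannot
        # be modified afterwards: delete and re-create the log-id (page 393).
        log-id 30
            description "Security events to NMS"
            filter 1001
            from main security
            to snmp 1024
            no shutdown
        exit
        # SNMPv3 with security-level privacy, so traps are authenticated and
        # encrypted, unlike snmpv1/snmpv2c community-string receivers. The
        # replay keyword asks for missed notifications to be replayed when the
        # route to the receiver recovers (see page 389 for the caveat).
        snmp-trap-group 30
            description "NMS trap receivers"
            trap-target "nms1" address 192.0.2.20 port 162 snmpv3 notify-community "trapuser" security-level privacy replay
        exit
    exit
exit
```

After committing, show log log-id 20 and show log syslog 1 report the logged and dropped counters for the pipeline; a rising "Below Level Drop" count means the syslog level threshold, not the filter, is discarding events. Because the filter default is drop, any application added later is silently excluded unless a new entry (for example entry 40) forwards it.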
  • Page 396 SAPs, network ports or channels where the policy is applied. Default: No default accounting policy is defined. Parameters: policy-id — The policy ID that uniquely identifies the accounting policy, expressed as a decimal integer. Values: 1 — 99
  • Page 397 Syntax: [no] include-system-info. Context: config>log>accounting-policy. Description: This command allows the operator to optionally include router information at the top of each accounting file generated for a given accounting policy.
  • Page 398 Accounting Policy Commands. When the no form of this command is selected, the optional router information is not included at the top of the file. Default: no include-system-info
  • Page 399 5, aa-protocol, aa-application, aa-app-group, aa-subscriber-protocol, aa-subscriber-application, custom-record-subscriber, custom-record-service, custom-record-aa-sub, queue-group-octets, queue-group-packets, combined-queue-group, combined-mpls-lsp-ingress, combined-mpls-lsp-egress, combined-ldp-lsp-egress, video, kpi-system, kpi-bearer-mgmt, kpi-bearer-traffic, kpi-ref-point, kpi-path-mgmt, kpi-iom-3, kci-system, kci-bearer-mgmt, kci-path-mgmt
  • Page 400 — The accounting record name. The following table lists the accounting record names available and the default collection interval (Record Type / Accounting Record Name / Default Interval): service-ingress-octets, service-egress-octets, service-ingress-packets, service-egress-packets, network-ingress-octets, network-egress-octets, network-ingress-packets,
  • Page 401 network-egress-packets, compact-service-ingress-octets, combined-service-ingress, combined-network-ing-egr-octets, combined-service-ing-egr-octets, complete-service-ingress-egress, combined-sdp-ingress-egress, complete-sdp-ingress-egress, complete-subscriber-ingress-egress, aa-protocol, aa-application, aa-app-group, aa-subscriber-protocol, aa-subscriber-application, custom-record-subscriber, custom-record-service, custom-record-aa-sub, queue-group-octets, queue-group-packets, combined-queue-group, combined-mpls-lsp-ingress, combined-mpls-lsp-egress, combined-ldp-lsp-egress, video, kpi-system, kpi-bearer-mgmt, kpi-bearer-traffic
  • Page 403 A file-id can only be used once. The file is generated when the file policy is referenced. This command identifies the type of accounting file to be created. The file definition defines its characteristics.
  • Page 404 Accounting Policy Commands. If the to command is executed while the accounting policy is in operation, it becomes active during the next collection interval. Values: 1 — 99
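The file-id, accounting-policy, record, collection-interval, include-system-info and to file commands on pages 396 to 404, put together as an added example written for this edit rather than taken from the guide. The policy and file IDs, the compact flash locations, the rollover and retention values and the descriptions are assumptions; the record name service-ingress-octets is one of the names listed on page 400.

```text
configure
    log
        # File policy 10: accounting files written to cf3:, with cf1: as the
        # backup location. rollover is in minutes and retention in hours
        # (assumed values). A file-id can be referenced by one policy only
        # (page 403).
        file-id 10
            description "Accounting files for policy 5"
            location cf3: cf1:
            rollover 60 retention 24
        exit
        # Accounting policy 5: service-ingress-octets records every 15 minutes,
        # with the router identity at the top of each file (page 397) so the
        # collector can attribute files even if they are moved. "to file" can
        # be changed while the policy runs; the new file policy takes effect at
        # the next collection interval (page 404).
        accounting-policy 5
            description "Service ingress octets"
            record service-ingress-octets
            collection-interval 15
            include-system-info
            to file 10
            no shutdown
        exit
    exit
exit
```

The policy only produces data where it is referenced: a SAP or network port must name it and enable collect-stats, which is what the Collect-Stats column in show log accounting-policy on page 420 reports. The files land on the router's own compact flash, so their retention, transfer to a collector and the credentials used for that transfer are part of the accounting design, not an afterthought.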
  • Page 405 The no form of the command reverts the configured values to the defaults. aa-specific. Syntax: [no] aa-specific. Context: config>log>acct-policy>cr. Description: This command enables the context to configure information for this custom record. The no form of the command
  • Page 406 Default: no flows-denied-count. forwarding-class. Syntax: [no] forwarding-class. Context: config>log>acct-policy>cr>aa>aa-from-sub-cntr, config>log>acct-policy>cr>aa>aa-to-sub-cntr. Description: This command enables the collection of Forwarding Class bitmap information, added to the XML aa-sub and router level accounting records.
  • Page 407 [no] packets-admitted-count. Context: config>log>acct-policy>cr>aa>aa-from-sub-cntr, config>log>acct-policy>cr>aa>aa-to-sub-cntr. Description: This command includes the admitted packet count in the AA subscriber's custom record. The no form of the command excludes the admitted packet count. Default: no packets-admitted-count
  • Page 408 — Specifies the queue-id for which counters will be collected in this custom record. e-counters. Syntax: [no] e-counters. Context: config>log>acct-policy>cr>override-cntr, config>log>acct-policy>cr>queue, config>log>acct-policy>cr>ref-override-cntr, config>log>acct-policy>cr>ref-queue. Description: This command configures egress counter parameters for this custom record. The no form of the command reverts to the default value.
  • Page 409 The no form of the command excludes the in-profile octets discarded count. in-profile-octets-forwarded-count. Syntax: [no] in-profile-octets-forwarded-count. Context: config>log>acct-policy>cr>oc>e-count, config>log>acct-policy>cr>roc>e-count, config>log>acct-policy>cr>queue>e-count, config>log>acct-policy>cr>ref-queue>e-count. Description: This command includes the in-profile octets forwarded count. The no form of the command excludes the in-profile octets forwarded count.
  • Page 410 [no] out-profile-octets-discarded-count. Context: config>log>acct-policy>cr>oc>e-count, config>log>acct-policy>cr>roc>e-count, config>log>acct-policy>cr>queue>e-count, config>log>acct-policy>cr>ref-queue>e-count. Description: This command includes the out-of-profile octets discarded count. The no form of the command excludes the out-of-profile octets discarded count.
  • Page 411 [no] out-profile-packets-forwarded-count. Context: config>log>acct-policy>cr>oc>e-count, config>log>acct-policy>cr>roc>e-count, config>log>acct-policy>cr>queue>e-count, config>log>acct-policy>cr>ref-queue>e-count. Description: This command includes the out-of-profile packets forwarded count. The no form of the command excludes the out-of-profile packets forwarded count.
  • Page 412 Syntax: [no] high-octets-discarded-count. Context: config>log>acct-policy>cr>oc>i-count, config>log>acct-policy>cr>roc>i-count, config>log>acct-policy>cr>queue>i-count, config>log>acct-policy>cr>ref-queue>i-count. Description: This command includes the high octets discarded count. The no form of the command excludes the high octets discarded count. Default: no high-octets-discarded-count
  • Page 413 [no] high-packets-offered-count. Context: config>log>acct-policy>cr>oc>i-count, config>log>acct-policy>cr>roc>i-count, config>log>acct-policy>cr>queue>i-count, config>log>acct-policy>cr>ref-queue>i-count. Description: This command includes the high packets offered count. The no form of the command excludes the high packets offered count. Default: no high-packets-offered-count
  • Page 414 Syntax: [no] low-octets-discarded-count. Context: config>log>acct-policy>cr>oc>i-count, config>log>acct-policy>cr>roc>i-count, config>log>acct-policy>cr>queue>i-count, config>log>acct-policy>cr>ref-queue>i-count. Description: This command includes the low octets discarded count. The no form of the command excludes the low octets discarded count. Default: no low-octets-discarded-count
  • Page 415 The no form of the command excludes the low octets discarded count. low-packets-offered-count. Syntax: [no] low-packets-offered-count. Context: config>log>acct-policy>cr>oc>i-count, config>log>acct-policy>cr>roc>i-count, config>log>acct-policy>cr>queue>i-count, config>log>acct-policy>cr>ref-queue>i-count. Description: This command includes the low packets offered count. The no form of the command excludes the low packets offered count.
  • Page 416 This command includes the uncoloured octets offered count. The no form of the command excludes the uncoloured octets offered count. uncoloured-packets-offered-count. Syntax: [no] uncoloured-packets-offered-count. Context: config>log>acct-policy>cr>queue>i-count, config>log>acct-policy>cr>ref-queue>i-count. Description: This command includes the uncoloured packets offered count.
  • Page 417 Syntax: ref-queue queue-id | ref-queue all | no ref-queue. Context: config>log>acct-policy>cr. Description: This command configures a reference queue. The no form of the command reverts to the default value. Default: no ref-queue
  • Page 418 — Specifies the delta change (significant change) that is required for the custom record to be written to the XML file. Values: 0 — 4294967295 (for custom-record-aa-sub only the values 0 or 1 are supported).
  • Page 419: Table 37: Show Accounting Policy Output Fields

    Down — Indicates that the policy is administratively disabled. Oper State — Displays the operational state of the policy. Up — Indicates that the policy is operationally up. Down — Indicates that the policy is operationally down.
  • Page 420 SAP : 1/1/8:6 Collect-Stats Svc Id: 107 SAP : 1/1/8:7 Collect-Stats Svc Id: 108 SAP : 1/1/8:8 Collect-Stats Svc Id: 109 SAP : 1/1/8:9 Collect-Stats ============================================================================== A:ALA-1# A:ALA-1# show log accounting-policy network
  • Page 421: Table 38: Accounting Policy Output Fields

    Sample Output. NOTE: aa, video and subscriber records are not applicable to the 7950 XRS. A:ALA-1# show log accounting-records ========================================================== Accounting Policy Records ========================================================== Record # Record Name Def. Interval
  • Page 422 This command displays a list of all application names that can be used in event-control and filter commands. Output Sample Output *A:7950 XRS-20# show log applications =================================== Log Event Application Names =================================== Application Name ----------------------------------- CHASSIS IGMP MIRROR MPLS
  • Page 423 SNMP notification. Most events generate a notification; only the exceptions are marked with a preceding “L”. Event Name — The event name. CL — The event has a cleared severity/priority.
  • Page 424 DOT1X: FILTER: 2001 filterPBRPacketsDropped IGMP_SNOOPING: 2001 clearRTMError 2002 ipEtherBroadcast 2003 ipDuplicateAddress 2004 ipArpInfoOverwritten 2005 fibAddFailed 2006 qosNetworkPolicyMallocFailed 2007 ipArpBadInterface 2008 ipArpDuplicateIpAddress 2009 ipArpDuplicateMacAddress ISIS: 2001 vRtrIsisDatabaseOverload 2002 vRtrIsisManualAddressDrops 2003 vRtrIsisCorruptedLSPDetected 2004 vRtrIsisMaxSeqExceedAttempt
  • Page 425 Event Name Logged Dropped ----------------------------------------------------------------------- 2001 ospfVirtIfStateChange 2002 ospfNbrStateChange 2003 ospfVirtNbrStateChange 2004 ospfIfConfigError 2005 ospfVirtIfConfigError 2006 ospfIfAuthFailure 2007 ospfVirtIfAuthFailure 2008 ospfIfRxBadPacket 2009 ospfVirtIfRxBadPacket 2010 ospfTxRetransmit 2011 ospfVirtIfTxRetransmit 2012 ospfOriginateLsa 2013 ospfMaxAgeLsa 2014 ospfLsdbOverflow
  • Page 426 The primary flash device specified for the file location. none — Indicates no specific flash device was specified. oper location — The actual flash device on which the log file exists.
  • Page 427 ------------------------------------------------------------- 1440 cf3: cf2: cf1: Description : Main =============================================================== File Id 10 Location cf1: =============================================================== file name expired state --------------------------------------------------------------- cf1:\log\log0302-20060501-012205 complete cf1:\log\log0302-20060501-014049 complete cf1:\log\log0302-20060501-015344 complete cf1:\log\log0302-20060501-015547 in progress
  • Page 428: Table 39: Event Log Filter Summary Output Fields

    Description — The description string for the filter ID. Sample Output *A:ALA-48>config>log# show log filter-id ============================================================================= Log Filters ============================================================================= Filter Applied Default Description Action ----------------------------------------------------------------------------- forward forward forward 1001 drop Collect events for Serious Errors Log ============================================================================= *A:ALA-48>config>log#
  • Page 429: Table 40: Event Log Filter Detail Output Fields

    Description (Entry-id) — The description string for the event log filter entry. Application — The event log filter entry application match criterion. Event Number — The event log filter entry application event ID match criterion.
  • Page 430 Sample Output *A:ALA-48>config>log# show log filter-id 1001 ========================================================================== Log Filter ========================================================================== Filter-id : 1001 Applied : yes Default Action: drop Description : Collect events for Serious Errors Log -------------------------------------------------------------------------- Log Filter Match Criteria
  • Page 431: Table 42: Show Log-Collector Output Fields

    If the value is 0, then all events in the source log are forwarded to the destination. Status: Enabled — Logging is enabled. Disabled — Logging is disabled.
  • Page 432 Filter Id: 0 Status: enabled Dest Type: memory Dest Log Id: 100 Filter Id: 1001 Status: enabled Dest Type: memory Security Logged Dropped Change Logged : 3896 Dropped Debug Logged Dropped =============================================================================== A:ALA-1#
  • Page 433 — Limits the number of log entries displayed to the number specified. Default: All log entries. Values: 1 — 4294967295. router-instance — Specifies a router name, up to 32 characters, to be used in the display criteria.
  • Page 434 File — All selected log events will be directed to a file on one of the system’s compact flash disks. Memory — All selected log events will be directed to an in-memory storage area.
  • Page 435 "The active CPM card A is operating in singleton mode. There is no standby CPM card." 65 2007/01/24 02:08:47.92 UTC CRITICAL: SYSTEM #2029 Base Redundancy "The active CPM card A is operating in singleton mode. There is no standby CPM card."
  • Page 436: Table 43: Snmp Trap Group Output Fields

    Valid values are snmpv1, snmpv2c, snmpv3. Community — The community string required by snmpv1 or snmpv2c trap receivers. Security-Level — The authentication and privacy levels required to access the views on this node.
  • Page 437: Table 44: Show Log Syslog Output Fields

    Syslog Event Log Destination Summary Output — The following table describes the syslog output fields. Label / Description: Syslog ID — The syslog ID number for the syslog destination. IP Address — The IP address of the syslog target host.
  • Page 438 *A:MV-SR>config>log# show log syslog 1 =============================================================================== Syslog Target 1 =============================================================================== IP Address : 192.168.15.22 Port : 514 Log-ids : none Prefix : Sr12 Facility : local1 Severity Level : info Prefix Level : yes
  • Page 439 Event and Accounting Logs. Below Level Drop : 0 Description : Linux Station Springsteen =============================================================================== *A:MV-SR>config>log#
  • Page 440 This command is only applicable to event logs that are directed to file destinations and memory destinations. SNMP, syslog and console/session logs are not affected by this command. Parameters: log-id — The event log ID to be initialized/rolled over. Values: 1 — 100
  • Page 441: Facility Alarms

    Facility Alarms vs. Log Events on page 443 • Facility Alarm Severities and Alarm LED Behavior on page 445 • Facility Alarm Hierarchy on page 446
  • Page 442: Facility Alarms Overview

    The SR-OS alarm model is based on RFC 3877, Alarm Management Information Base (MIB), which evolved from the IETF DISMAN drafts.
  • Page 443: Facility Alarms Vs. Log Events

    Figure 8: Log Events, Alarms and LEDs (flow from detected and suppressed log events, through "Is there at least one active major alarm?", to the appropriate log(s), the active alarms list and the Crt/Maj/Min LEDs on the CPM)
  • Page 444 • configure port ethernet report-alarm • configure system thresholds no memory-use-alarm • configure system thresholds rmon no alarm • configure system security cpu-protection policy alarm
  • Page 445: Facility Alarm Severities And Alarm Led Behavior

    Changing the severity of a raising event only affects subsequent occurrences of that event and its alarms. Alarms that are already raised when their raising event severity is changed maintain their original severity.
  • Page 446: Facility Alarm Hierarchy

    Note that a masked alarm is not the same as a cleared alarm. The cleared alarm queue does not display entries for previously raised alarms that are currently masked. If the masking event goes away, then the previously raised alarms will once again be visible in the active alarm queue.
  • Page 447: Facility Alarm List

    (rows for the BITS input: same as 7-2019-x but for the BITS input) 7-2033-1 — raising event tmnxChassisUpgradeInProgress — Class CPM Module: software upgrade in progress — clearing event tmnxChassisUpgradeComplete
  • Page 448 (rows for the BITS2 input: same as 7-2019-x but for the BITS2 input) 59-2004-1 — raising event linkDown — Interface intf-towards-node-B22 is not operational — clearing event linkUp
  • Page 449: Table 46: Alarm Name/Raising Event, Cause, Effect And Recovery

    More powerful fan trays may also be required.
  • Page 450 7-2011-1 tmnxEqPowerSupplyRemoved — Cause: generated when one of the chassis's power supplies is removed. Effect: reduced power can cause intermittent errors and could also cause permanent damage to components. Recovery: re-insert the power supply.
  • Page 451 (BITS input rows) Cause, effect and recovery are the same as 7-2019-x but for the BITS timing reference.
  • Page 452 ... permanent damage to components. Recovery: ... if that doesn't work, then replace the power supply.
  • Page 453: Table 47: Linkdown Facility Alarm Support

    TDM Ports (E1, T1, DS3) including CES MDAs/CMAs; TDM Channels (DS3 channel configured in an STM-1 port); ATM Ports; Ethernet LAGs; APS groups; Bundles (MLPPP, IMA, etc.); ATM channels, Ethernet VLANs, Frame Relay DLCIs
  • Page 455: Standards And Protocol Support

    Standards Compliance: IEEE 802.1ab-REV/D3 Station and Media Access Control Connectivity Discovery ... RFC 3630 Traffic Engineering (TE) Extensions to OSPF Version 2; RFC 4203 OSPF Extensions in Support of Generalized Multi-Protocol Label Switching ... MPLS IP Virtual Private Networks (VPNs): RFC 4659 BGP-MPLS IP Virtual Private Network (VPN) Extension for IPv6 ...
  • Page 456 RFC 3719 Recommendations for Interoperable Networks using IS-IS; RFC 3784 Intermediate System to Intermediate System (IS-IS) Extensions for Traffic Engineering ... RFC 3587 IPv6 Global Unicast Address Format; RFC 3590 Source Address Selection for the Multicast Listener Discovery (MLD) Protocol ... "... Version 2 (MLDv2) and Multicast Routing Protocol Interaction"; draft-ietf-pim-sm-bsr-06.txt; draft-rosen-vpn-mcast-15.txt Multicast in ...
  • Page 457 "... and Multipoint-to-Multipoint Label Switched Paths"; draft-pdutta-mpls-tldp-hello-reduce-04.txt, Targeted LDP Hello Reduction ... RFC 4875 Extensions to Resource Reservation Protocol - Traffic Engineering (RSVP-TE) for Point-to-Multipoint TE Label Switched Paths (LSPs) ... RFC 793 TCP; RFC 826 ARP; RFC 854 Telnet; RFC 951 BootP (rev); RFC 1519 CIDR ...
  • Page 458 "... Services (previously draft-ietf-l2vpn-vpls-mcast-reqts-04)"; RFC 6074 Provisioning, Auto-Discovery, and Signaling in Layer 2 Virtual Private Networks (L2VPNs); RFC 6575 ARP Mediation for IP ... RFC 6310 Pseudowire (PW) OAM Message Mapping; RFC 6391 Flow Aware Transport of Pseudowires over an MPLS PSN ... "... Multiplexing (TDM) Pseudowires in MPLS Networks"; SONET/SDH; ITU-G.841 Telecommunication ...
  • Page 459 ITU-T G.8262 Telecommunication Standardization Section of ITU, Timing characteristics of synchronous Ethernet equipment slave clock (EEC), issued 08/2007; ITU-T G.8264 Telecommunication Standardization Section of ITU, Distribution of timing information ... RFC 2574 SNMP-User-based-SM-MIB; RFC 2575 SNMP-View-based ACM-MIB; RFC 2576 SNMP-Community-MIB; RFC 2578 Structure of Management Information Version 2 (SMIv2); RFC 2665 EtherLike-MIB ...