System Management Guide
7705 SERVICE AGGREGATION
ROUTER | RELEASE 8.0.R7
System Management Guide
3HE 11018 AAAC TQZZA
Edition: 01
September 2017
Nokia — Proprietary and confidential.
Use pursuant to applicable agreements.

   Summary of Contents for Nokia 7705

  • Page 2 © 2016-2017 Nokia. Contains proprietary/trade secret information which is the property of Nokia and must not be made available to, or copied or used by anyone outside Nokia without its written authorization. Not to be used or disclosed except in accordance with applicable agreements.
  • Page 3: Table Of Contents

    Table of Contents
    Preface 11
    About This Guide 11
    1.1.1 Audience 12
    1.1.2 List of Technical Publications 12
    1.1.3 Technical Support 13
    7705 SAR System Management Configuration Process 15
    Security 17
    Authentication, Authorization, and Accounting 18
    3.1.1 Authentication 19
    3.1.1.1 Local Authentication 20
    3.1.1.2 RADIUS Authentication 21
    3.1.1.3...
  • Page 4

    3.9.2 Configuring IPv4 or IPv6 CPM (CSM) Filters 48
    3.9.3 Configuring Password Management Parameters 49
    3.9.4 IPSec Certificate Parameters 51
    3.9.5 Configuring Profiles 52
    3.9.6 Configuring Users 53
    3.9.7 Copying and Overwriting Users and Profiles 54
    3.9.7.1 Copying a User 54
    3.9.7.2 Copying a Profile 56
    3.9.8...
  • Page 5

    4.5.1 Configuring SNMPv1 and SNMPv2c 198
    4.5.2 Configuring SNMPv3 199
    Basic SNMP Security Configuration 200
    Configuring SNMP Components 201
    4.7.1 Configuring a Community String 201
    4.7.2 Configuring View Options 202
    4.7.3 Configuring Access Options 203
    4.7.4 Configuring USM Community Options 204
    4.7.5 Configuring Other SNMP Parameters 205
    SNMP Command Reference 207...
  • Page 6

    5.10.1 Configuring an Event Log 267
    5.10.2 Configuring a File ID 268
    5.10.3 Configuring an Accounting Policy 269
    5.10.4 Configuring Event Control 271
    5.10.5 Configuring Throttle Rate 271
    5.10.6 Configuring a Log Filter 272
    5.10.7 Configuring an SNMP Trap Group 273
    5.10.8 Configuring a Syslog Target 274
    5.11...
  • Page 7

    Show System Security View Output Fields 232
    Event and Accounting Logs 233
    Table 29 Event Severity Levels 235
    Table 30 7705 SAR to Syslog Severity Level Mappings 241
    Table 31 Valid Filter Policy Operators 247
    Table 32 Log Entry Field Descriptions 248
    Table 33 Accounting Record Name and Collection Periods 251...
  • Page 8

    Table 39 Severity Levels 312
    Table 40 Valid Operators for Event Subjects 313
    Table 41 Threshold Severity Level Values 316
    Table 42 Accounting Policy Output Fields 329
    Table 43 Accounting Records Output Fields 331
    Table 44 Event Control Output Fields 335
    Table 45 Log File Summary Output Fields 337
    Table 46...
  • Page 9

    List of Figures
    Security 17
    Figure 1 RADIUS Requests and Responses 19
    Figure 2 Security Flow 27
    Event and Accounting Logs 233
    Figure 3 Event Logging Block Diagram 242
  • Page 11: Preface

    Note: This manual generically covers Release 8.0 content and may contain some content that will be released in later maintenance loads. Please refer to the 7705 SAR OS 8.0.Rx Software Release Notes, part number 3HE11057000xTQZZA, for information on features supported in each load of the Release 8.0 software.
  • Page 12: Audience

    1.1.1 Audience This guide is intended for network administrators who are responsible for configuring the 7705 SAR routers. It is assumed that the network administrators have an understanding of networking principles and configurations. Concepts described in this guide include the following: •...
  • Page 13: Technical Support

    (OAM) tools. 1.1.3 Technical Support If you purchased a service agreement for your 7705 SAR router and related products from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance. If you purchased a Nokia service agreement,...
  • Page 15: 7705 Sar System Management Configuration Process

    2 7705 SAR System Management Configuration Process Table 1 lists the tasks that are required to configure system security and access functions as well as event and accounting logs. Each chapter in this book is presented in an overall logical configuration flow. Each section describes a software area and provides CLI syntax and command usage to configure parameters for a functional area.
  • Page 17: Security

    3 Security This chapter provides information to configure security parameters. Topics in this chapter include: • Authentication, Authorization, and Accounting • Security Controls • Vendor-Specific Attributes (VSAs) • Other Security Features • Configuration Notes • Configuring Security with CLI •...
  • Page 18: Authentication, Authorization, And Accounting

    Accounting This chapter describes authentication, authorization, and accounting (AAA) used to monitor and control network access on the 7705 SAR. Network security is based on a multi-step process. The first step, authentication, validates a user’s name and password. The second step is authorization, which allows the user to access and execute commands at various command levels based on profiles assigned to the user.
  • Page 19: Authentication

    When a user attempts to log in through the console or through Telnet, SSH, SFTP, SCP, or FTP, the 7705 SAR client sends an access request to a RADIUS, TACACS+, or local database. Transactions between the client and a RADIUS server are authenticated through the use of a shared secret.
  • Page 20: Local Authentication

    The user login is successful when the RADIUS server accepts the authentication request and responds to the router with an access accept message. Implementing authentication without authorization for the 7705 SAR does not require the configuration of VSAs (Vendor Specific Attributes) on the RADIUS server.
  • Page 21: Radius Authentication

    3.1.1.2 RADIUS Authentication Remote Authentication Dial-In User Service (RADIUS) is a client/server security protocol and software that enables remote access servers to communicate with a central server to authenticate dial-in users and authorize access to the requested system or service.
  • Page 22: Authorization

    • download the user profile to the 7705 SAR router • send the profile name that the node should apply to the 7705 SAR router Profiles consist of a suite of commands that the user is allowed or not allowed to execute.
  • Page 23: Local Authorization

    Permissions include the use of FTP, Telnet, SSH (SCP), SFTP, and console access. When granting Telnet, SSH (SCP), SFTP, and console access to the 7705 SAR router, authorization can be used to limit what CLI commands the user is allowed to issue and which file systems the user is allowed or denied access to.
  • Page 24: Tacacs+ Authorization

    3.1.2.3 TACACS+ Authorization Like RADIUS authorization, TACACS+ grants or denies access permissions for a 7705 SAR router. The TACACS+ server sends a response based on the user name and password. TACACS+ separates the authentication and authorization functions. RADIUS combines the authentication and authorization functions.
  • Page 25: Tacacs+ Accounting

    3.1.3.2 TACACS+ Accounting The 7705 SAR allows you to configure the type of accounting record packet that is to be sent to the TACACS+ server when specified events occur on the device. The accounting record-type parameter indicates whether TACACS+ accounting start and stop packets will be sent or just stop packets will be sent.
  • Page 26: Security Controls

    3.2 Security Controls You can configure the 7705 SAR to use RADIUS, TACACS+, and local authentication to validate users requesting access to the network. The order in which password authentication is processed among RADIUS, TACACS+ and local passwords can be specifically configured.
  • Page 27: Figure 2 Security Flow

    This example uses the authentication order of RADIUS, then TACACS+, and finally, local. An access request is sent to RADIUS server 1. One of two scenarios can occur. If there is no response from the server, the request is passed to the next RADIUS server with the next lowest index (RADIUS server 2) and so on, until the last RADIUS server is attempted (RADIUS server 5).
  • Page 28: Vendor-specific Attributes (vsas)

    − The authentication-order parameters configured on the router must include the local keyword. − The user name may or may not be configured on the 7705 SAR router. − The user must be authenticated by the RADIUS server. − Up to eight valid profiles can exist on the router for a user. The sequence in which the profiles are specified is relevant.
  • Page 29 • A valid profile must exist on the 7705 SAR router for this user. If all conditions listed above are not met, access to the 7705 SAR router is denied and a failed login event/trap is written to the security log.
  • Page 30: Other Security Features

    Secure Shell Version 1 (SSH1) is a protocol that provides a secure, encrypted Telnet-like connection to a router. Note: SSH1 is not supported on a 7705 SAR node that is running in FIPS-140-2 mode. A connection is always initiated by the client (the user). Authentication takes place by one of the configured authentication methods (local, RADIUS, or TACACS+).
  • Page 31 “escape” character, a double backslash “\\” or the forward slash “/” can typically be used to properly delimit directories and the filename. The 7705 SAR support for SSH and SCP is the same for both IPv4 and IPv6 addressing, including support for: •...
  • Page 32: Ssh File Transfer Protocol (sftp)

    3.4.1.1 SSH File Transfer Protocol (SFTP) When an SSH server is enabled on the 7705 SAR, users can connect to the node through SFTP. SFTP runs on top of SSH and uses the same password and authentication process, and once logged in, SFTP users will appear as regular SSH users.
  • Page 33: Exponential Login Backoff

    7705 SAR segregates the incoming control plane traffic into different queues. These queues are used to shape and rate-limit traffic for each protocol or group of protocols, or on a per-flow basis, with the main goal of mitigating DoS attacks and ensuring that the control plane does not end up with more traffic than it can handle.
  • Page 34: Encryption

    • 3DES is a more secure version of the DES protocol. 3.4.5 802.1x Network Access Control The 7705 SAR supports network access control of client devices (PCs, STBs, and so on) on an Ethernet network using the IEEE 802.1x standard. 802.1x is known as Extensible Authentication Protocol (EAP) over a LAN network or EAPOL.
  • Page 35: Keychain Authentication

    TCP peers can use this extension to authenticate messages passed between one another. This strategy improves upon the practice described in RFC 2385, Protection of BGP Sessions via the TCP MD5 Signature Option. Using this new strategy, TCP peers can update authentication keys during the lifetime of a TCP connection.
  • Page 36: Keychain Configuration Guidelines And Behavior

    Table 3 Security Algorithm Support Per Protocol (column headers as recovered from the page: Protocol, Clear Text, HMAC- (message digest), HMAC-SHA-1-96, HMAC-SHA-1, HMAC-SHA-256, AES-128-CMAC-96; rows: OSPF, IS-IS, RSVP-TE; the per-protocol cell values were not recovered)
    3.4.6.2 Keychain Configuration Guidelines and Behavior
    • Either the existing authentication-key command or the new auth-keychain command can be used by the protocols, but both cannot be supported at the same time.
  • Page 37 For information on associating keychains with protocols, refer to the 7705 SAR Routing Protocols Guide (for OSPF, IS-IS, and BGP), the 7705 SAR MPLS Guide (for RSVP-TE and LDP), and the 7705 SAR Services Guide (for OSPF and BGP in a VPRN service).
  • Page 38: Configuration Notes

    3.5 Configuration Notes This section describes security configuration guidelines and caveats. • If a RADIUS or a TACACS+ server is not configured, password, profiles, and user access information must be configured on each router in the domain. •...
  • Page 39: Configuring Security With Cli

    3.6 Configuring Security with CLI This section provides information to configure security using the command line interface. Topics in this section include: • Setting Up Security Attributes • Security Configurations • Security Configuration Procedures
  • Page 40: Setting Up Security Attributes

    − Configuring Profiles − Configuring Users • RADIUS authentication (with local authorization) By default, authentication is enabled locally. Perform the following tasks to configure security on each participating 7705 SAR router: − Configuring Profiles − Configuring RADIUS Authentication − Configuring Users •...
  • Page 41: Configuring Authorization

    Configuring Users − Enabling TACACS+ Authentication 3.7.2 Configuring Authorization Refer to the following sections to configure authorization: • Local authorization For local authorization, configure these tasks on each participating 7705 SAR router: − Configuring Profiles − Configuring Users • RADIUS authorization with authentication...
  • Page 42: Configuring Accounting

    3.7.3 Configuring Accounting Refer to the following sections to configure accounting. • Local accounting is not implemented. For information about configuring accounting policies, refer to Configuring Logging with CLI. • Configuring RADIUS Accounting • Configuring TACACS+ Accounting
  • Page 43: Security Configurations

    3.8 Security Configurations This section provides information on configuring security and examples of configuration tasks. To implement security features, configure the following components: • management access filters • CPM (CSM) filters • profiles • user access parameters •...
  • Page 44

    action permit
    exit
    exit
    profile "administrative"
        default-action permit-all
        entry 10
            no description
            match "configure system security"
            action permit
        exit
    password
        authentication-order radius tacplus local
        no aging
        minimum-length 6
        attempts 3 time 5 lockout 10
        complexity
    exit
    user "admin"...
  • Page 45: Security Configuration Procedures

    Management access filters apply to the management Ethernet port, which supports both IPv4 and IPv6 filters. The 7705 SAR exits the filter when the first match is found and executes the actions according to the specified action. For this reason, entries must be sequenced correctly from most to least explicit.
  • Page 46

    Use the following CLI commands to configure an IPv4 management access filter.
    CLI Syntax: config>system
        security
            management-access-filter
                ip-filter
                    default-action {permit | deny | deny-host-unreachable}
                    entry entry-id
                        action {permit | deny | deny-host-unreachable}
                        description description-string
                        dst-port port [mask]
                        protocol protocol-id
                        router router-instance
                        src-ip {ip-prefix/mask | ip-...
  • Page 47

    The following example displays an IPv4 management access filter configuration. This example only accepts packets matching the criteria specified in entries 1 and 2. Non-matching packets are denied.
    Example:
    config>system>security# management-access-filter
    config>system>security>mgmt-access-filter# ip-filter default-action deny
    config>system>security>mgmt-access-filter# ip-filter entry 1
    config>system>security>mgmt-access-filter>ip-filter>entry# src-ip 10.10.10.104/32...
  • Page 48: Configuring Ipv4 Or Ipv6 Cpm (csm) Filters

    3.9.2 Configuring IPv4 or IPv6 CPM (CSM) Filters CPM filters control all traffic going in to the CSM, including all routing protocols. They apply to packets from all network and access ports, but not to packets from a management Ethernet port.
  • Page 49: Configuring Password Management Parameters

    match [next-header next-header]
        dscp dscp-name
        dst-ip ipv6-address/prefix-length
        dst-port [tcp/udp port-number] [mask]
        icmp-code icmp-code
        icmp-type icmp-type
        src-ip ipv6-address/prefix-length
        src-port src-port-number [mask]
        tcp-ack {true | false}
        tcp-syn {true | false}
    renum old-entry-id new-entry-id
    The following displays an IPv4 CPM filter configuration example:
    A:ALU-49>config>sys>sec>cpm>ip-filter# info
    ----------------------------------------------
    entry 10 create...
  • Page 50

    Use the following CLI commands to configure password support:
    CLI Syntax: config>system>security
        password
            admin-password password [hash | hash2]
            aging days
            attempts count [time minutes1] [lockout minutes2]
            authentication-order [method-1] [method-2] [method-3] [exit-on-reject]
            complexity [numeric] [special-character] [mixed-case]
            health-check
            minimum-length value
    The following displays an example of the password command usage.
  • Page 51: Ipsec Certificate Parameters

    3.9.4 IPSec Certificate Parameters
    The following is an example of importing a certificate from a pem format:
    *A:ALU-A# admin certificate import type cert input cf3:/pre-import/R10cert.pem output R1-0cert.der format pem
    The following is an example of exporting a certificate to a pem format:
    *A:ALU-A# admin certificate export type cert input R1-0cert.der output cf3:/R10cert.pem format pem...
  • Page 52: Configuring Profiles

    3.9.5 Configuring Profiles Profiles are used to deny or permit access to a hierarchical branch or specific commands. Profiles are referenced in a user configuration. A maximum of 16 user profiles can be defined. A user can participate in up to 16 profiles. Depending on the authorization requirements, passwords are configured locally or on the RADIUS server.
  • Page 53: Configuring Users

    Use the following CLI syntax to configure access parameters for users. The snmp authentication des-key keyword is not available if the 7705 SAR node is running in FIPS-140-2 mode. CLI Syntax: config>system>security...
  • Page 54: Copying And Overwriting Users And Profiles

    The following example displays the user configuration:
    ALU-1>config>system>security# info
    ----------------------------------------------
    user "49ers"
        password "$2y$10$siOU8NvWRzFFtJjO5wA1I.7mr.57emDXUC14p6EZtO.pmr0aqLWSa"
        access console ftp snmp
        restricted-to-home
        console
            member "default"
            member "ghost"
        exit
    exit
    --------------------------------------------
    ALU-1>config>system>security#
    3.9.7 Copying and Overwriting Users and Profiles
    You can copy a profile or user or overwrite an existing profile or user.
  • Page 55

    access snmp
    snmp
        authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
        group "testgroup"
    exit
    exit
    user "testuserA"
        password "$2y$10$siOU8NvWRzFFtJjO5wA1I.7mr.57emDXUC14p6EZtO.pmr0aqLWSa"
        access snmp
        console
            new-password-at-login
        exit
        snmp
            authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none
            group "testgroup"
        exit
    exit
    ----------------------------------------------
    ALU-12>config>system>security# info
    Note: The cannot-change-password flag is not replicated when a copy user command is performed.
  • Page 56: Copying A Profile

    3.9.7.2 Copying a Profile
    CLI Syntax: config>system>security# copy {user source-user | profile source-profile} to destination [overwrite]
    Example: config>system>security# copy profile default to testuser
    The following output displays the copied profiles:
    A:ALU-49>config>system>security# info
    ----------------------------------------------
    A:ALU-49>config>system>security# info detail
    ----------------------------------------------
    profile "default"...
  • Page 57

    exit
    exit
    profile "testuser"
        default-action none
        entry 10
            no description
            match "exec"
            action permit
        exit
        entry 20
            no description
            match "exit"
            action permit
        exit
        entry 30
            no description
            match "help"
            action permit
        exit
        entry 40
            no description
            match "logout"...
  • Page 58: Configuring Ssh

    Use the ssh command to configure SSH1 or SSH2 cipher lists. Client ciphers are used if the 7705 SAR is acting as an SSH client, and server ciphers are used if the 7705 SAR is acting as an SSH server.
  • Page 59

    Example:
    config>system>security# ssh
    config>system>security>ssh# client-cipher-list protocol-version 1
    config>system>security>ssh>client-cipher# cipher 10 name 3des
    config>system>security>ssh>client-cipher# cipher 20 name blowfish
    config>system>security>ssh>client-cipher# cipher 30 name
    config>system>security>ssh>client-cipher# exit
    config>system>security>ssh# client-cipher-list protocol-version 2
    config>system>security>ssh>client-cipher# cipher 10 name aes128-cbc
    config>system>security>ssh>client-cipher# cipher 20 name 3des-cb
    config>system>security>ssh>client-cipher# cipher 30 name blowfish...
  • Page 60

    config>system>security>ssh>server-cipher# cipher 60 name aes192-cbc
    config>system>security>ssh>server-cipher# cipher 70 name aes256-cbc
    config>system>security>ssh>server-cipher# cipher 80 name rijndael-cbc
    config>system>security>ssh>client-cipher# exit
    config>system>security>ssh# exit
    The following example displays both SSH1 and SSH2 client and server cipher configurations:
    A:Sar8 Dut-A>config>system>security>ssh# info detail
    ----------------------------------------------
    client-cipher-list protocol-version 1
        cipher 10 name 3des...
  • Page 61: Configuring Login Controls

    3.9.10 Configuring Login Controls
    Use the login-control context to configure parameters for console, FTP, SSH, and Telnet sessions.
    CLI Syntax: config>system
        login-control
            exponential-backoff
            inbound-max-sessions value
            [no] disable-graceful-shutdown
            inbound-max-sessions value
            outbound-max-sessions value
            ttl-security min-ttl-value
            telnet
                [no] enable-graceful-shutdown
                inbound-max-sessions value
                outbound-max-sessions value
                ttl-security min-ttl-value...
  • Page 62

    The following example displays the login control configuration:
    ALU-1>config>system# info
    ----------------------------------------------
    login-control
        inbound-max-sessions 5
        exit
        no disable-graceful-shutdown
        inbound-max-sessions 12
        outbound-max-sessions 8
        ttl-security
        telnet
            enable-graceful-shutdown
            inbound-max-sessions 7
            outbound-max-sessions 2
        exit
        idle-timeout 1440
        pre-login-message "Property of Service Routing Inc. Unauthorized access prohibited."
        motd text "Notice to all users: Software upgrade scheduled 3/2 1:00 AM"...
  • Page 63: Radius Configurations

    Also, the system IP address must be configured in order for the RADIUS client to work. See “Configuring a System Interface” in the 7705 SAR Router Configuration Guide. The other commands are optional.
  • Page 64: Configuring Radius Authorization

    security>radius# server 4 address 10.10.0.3 secret test4
    security>radius# retry 5
    security>radius# timeout 5
    config>system>security>radius# exit
    The following example displays the RADIUS authentication configuration:
    ALU-1>config>system>security# info
    ----------------------------------------------
    retry 5
    timeout 5
    server 1 address A:A:A:A:A:A:A:1 secret "test1"
    server 2 address 10.10.0.1 secret "test2"...
  • Page 65: Configuring Radius Accounting

    server 1 address 10.10.10.103 secret "test1"
    server 2 address 10.10.0.1 secret "test2"
    server 3 address 10.10.0.2 secret "test3"
    server 4 address 10.10.0.3 secret "test4"
    exit
    ----------------------------------------------
    3.9.11.3 Configuring RADIUS Accounting
    On the local router, use the following CLI commands to configure RADIUS accounting:
    CLI Syntax: config>system>security...
  • Page 66: Configuring 802.1x Radius Policies

    Use the following CLI commands to configure generic authentication parameters for clients using 802.1x EAPOL. Additional parameters are configured on Ethernet ports. Refer to the 7705 SAR Interface Configuration Guide, “Configuration Command Reference”, for more information on configuring 802.1x parameters on Ethernet ports.
  • Page 67: Tacacs+ Configurations

    ----------------------------------------------
    A:ALU-1>config>system#
    3.9.12 TACACS+ Configurations
    • Enabling TACACS+ Authentication
    • Configuring TACACS+ Authorization
    • Configuring TACACS+ Accounting
    3.9.12.1 Enabling TACACS+ Authentication
    To use TACACS+ authentication on the router, configure one or more TACACS+ servers on the network. Use the following CLI commands to configure TACACS+ authentication:
    CLI Syntax: config>system>security...
  • Page 68: Configuring Tacacs+ Authorization

    server 3 address 10.10.0.7 secret "h6.TeL7YPojGJqbYt85LVk" hash2
    server 4 address 10.10.0.8 secret "h6.TeL7YPoiCfWKUFHARvk" hash2
    server 5 address 10.10.0.9 secret "h6.TeL7YPojuCyTFvTNGBU" hash2
    3.9.12.2 Configuring TACACS+ Authorization
    In order for TACACS+ authorization to function, TACACS+ authentication must be enabled first.
  • Page 69: Configuring Tacacs+ Accounting

    3.9.12.3 Configuring TACACS+ Accounting
    On the local router, use the following CLI commands to configure TACACS+ accounting:
    CLI Syntax: config>system>security
        tacplus
            accounting
    The following example displays the CLI syntax usage:
    Example:
    config>system>security>
    config>system>security# tacplus
    config>system>security>tacplus# accounting
    The following example displays the TACACS+ accounting configuration:
    ALU-1>config>system>security>tacplus# info
    ----------------------------------------------...
  • Page 70

    Optionally, each key can include an end time and tolerance. Use the following CLI commands to configure a keychain:
    CLI Syntax: config>system>security
        keychain name
            description description-string
            direction
                entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm]
                    begin-time [date] [hours-minutes] [UTC]...
  • Page 71

    entry 1 key "VyScMGuUfEQw9vxb9YWEG6rfIEGa/.sGbxt3BaeWYO. " hash2 algorithm message-digest
        no shutdown
        begin-time 2016/06/09 00:00:00 UTC
        no option
        tolerance 600
    exit
    exit
    exit
    no shutdown
    exit
    keychain "rsvp-md5"
        description "MD5 keychain for RSVP interfaces"
        tcp-option-number send 254 receive 254
        exit
        direction
            send...
  • Page 72

    • entry 1 will become valid at midnight (UTC) on 2016/06/09 and will replace entry
    • there is an overlap (tolerance) period of 600 seconds in which packets with either key (entry 0 or entry 1) will be accepted
    For rsvp-md5:
    •...
  • Page 73: Security Command Reference

    3.10 Security Command Reference
    3.10.1 Command Hierarchies
    • Configuration Commands
    − Security Configuration Commands
    − Management Access Filter Commands
    − IPv6 Management Access Filter Commands
    − CPM Filter Commands
    − IPv6 CPM Filter Commands
    − Password Commands
    −...
  • Page 74: Configuration Commands

    3.10.1.1 Configuration Commands
    3.10.1.1.1 Security Configuration Commands
    config
        — system
            — security
                — copy {user source-user | profile source-profile} to destination [overwrite]
                — ftp-server
                — no ftp-server
                — hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}]
                —...
  • Page 75

    3.10.1.1.3 IPv6 Management Access Filter Commands
    config
        — system
            — security
                — [no] management-access-filter
                    — ipv6-filter
                        — default-action {permit | deny | deny-host-unreachable}
                        — [no] entry entry-id
                            — action {permit | deny | deny-host-unreachable}
                            — no action
                            —...
  • Page 76

    — no dst-ip
    — dst-port tcp/udp port-number [mask]
    — no dst-port
    — fragment {true | false}
    — no fragment
    — icmp-code icmp-code
    — no icmp-code
    — icmp-type icmp-type
    — no icmp-type
    — ip-option ip-option-value [ip-option-mask]
    — no ip-option
    —...
  • Page 77

    — icmp-code icmp-code
    — no icmp-code
    — icmp-type icmp-type
    — no icmp-type
    — src-ip ipv6-address/prefix-length
    — no src-ip
    — src-port tcp/udp port-number [mask]
    — no src-port
    — tcp-ack {true | false}
    — no tcp-ack
    — tcp-syn {true | false}
    —...
  • Page 78

    3.10.1.1.7 Profile Commands
    config
        — system
            — security
                — [no] profile user-profile-name
                    — default-action {deny-all | permit-all | none}
                    — [no] entry entry-id
                        — action {permit | deny}
                        — description description-string
                        — no description
                        — match command-string
                        —...
  • Page 79

    3.10.1.1.9 RADIUS Commands
    config
        — system
            — security
                — [no] radius
                    — access-algorithm {direct | round-robin}
                    — [no] access-algorithm
                    — [no] accounting
                    — accounting-port port
                    — no accounting-port
                    — [no] authorization
                    — port port
                    — no port
                    —...
  • Page 80 3.10.1.1.11 802.1x Commands config — system — security — [no] dot1x — [no] radius-plcy name [create] — retry count — no retry — server server-index address ip-address secret key [hash | hash2] [auth-port auth-port] [acct-port acct-port] [type server-type] —...
  • Page 81: Login Control Commands

    — no entry entry-id — begin-time date hours-minutes [UTC] — begin-time {now | forever} — no begin-time — option {basic | isis-enhanced} — no option — [no] shutdown — tolerance {seconds | forever} — no tolerance —...
  • Page 82: Show Commands

    — [no] login-banner — motd {url url-prefix:source-url | text motd-text-string} — no motd — pre-login-message login-text-string [name] — no pre-login-message — [no] disable-graceful-shutdown — inbound-max-sessions value — no inbound-max-sessions — outbound-max-sessions value — no outbound-max-sessions —...
  • Page 83: Clear Commands

    3.10.1.3.2 Login Control show — users 3.10.1.4 Clear Commands 3.10.1.4.1 Admin admin — clear — lockout — lockout user user-name 3.10.1.4.2 Authentication clear — router — authentication — statistics [interface ip-int-name | ip-address] 3.10.1.5 Debug Commands debug —...
  • Page 84: Command Descriptions

    3.10.2 Command Descriptions • Configuration Commands • Show Commands • Clear Commands • Debug Commands...
  • Page 85: Configuration Commands

    3.10.2.1 Configuration Commands • Generic Security Commands • Security Commands • Management Access Filter Commands • CPM Filter Commands • Global Password Commands • Password Commands • Profile Management Commands • User Management Commands • RADIUS Client Commands •...
  • Page 86 3.10.2.1.1 Generic Security Commands description Syntax description description-string no description Context config>system>security>management-access-filter>ip-filter>entry config>system>security>management-access-filter>ipv6-filter>entry config>system>security>cpm-filter>ip-filter>entry config>system>security>cpm-filter>ipv6-filter>entry config>system>security>keychain config>system>security>profile>entry Description This command creates a text description stored in the configuration file for a configuration context. The no form of the command removes the string. Default Parameters description-string —...
  • Page 87 The no form of the command puts an entity into the administratively enabled state. Many entities must be explicitly enabled using the no shutdown command. Default no shutdown...
  • Page 88 3.10.2.1.2 Security Commands security Syntax security Context config>system Description This command enables the context to configure security settings. Security commands manage user profiles and user membership. Security commands also manage user login registrations. copy Syntax copy {user source-user | profile source-profile} to destination [overwrite] Context config>system>security Description...
  • Page 89 hash-control Syntax hash-control [read-version {1 | 2 | all}] [write-version {1 | 2}] no hash-control Context config>system>security Description Whenever the user executes a save or info command, the system will encrypt all passwords, keys, and so on for security reasons. At present, two algorithms exist. The first algorithm is a simple, short key that can be copied and pasted in a different location when the user wants to configure the same password.
  • Page 90 Telnet servers are off by default. At system startup, only SSH servers are enabled. Telnet servers in 7705 SAR networks limit a Telnet client to three retries to log in. The Telnet server disconnects the Telnet client session after three retries.
  • Page 92 Management access filters control all traffic in and out of the CSM. They can be used to restrict management of the 7705 SAR by other nodes outside either specific (sub)networks or through designated ports. Management filters, as opposed to other traffic filters, are enforced by system software.
  • Page 93 This command is used to create or edit a management access filter entry. Multiple entries can be created with unique entry-id numbers. The 7705 SAR exits the filter upon the first match found and executes the actions according to the respective action command. For this reason, entries must be sequenced correctly from most to least explicit.
  • Page 94 action Syntax action {permit | deny | deny-host-unreachable} no action Context config>system>security>management-access-filter>ip-filter>entry config>system>security>management-access-filter>ipv6-filter>entry Description This command creates the action associated with the management access filter match criteria entry. The action keyword is required. If no action is defined, the filter is ignored. If multiple action statements are configured, the last one overwrites previous configured actions.
  • Page 95 Table 5 16-bit Mask Formats
    Format Style   Format Syntax        Example
    Decimal        DDDDD                63488
    Hexadecimal    0xHHHH               0xF800
    Binary         0bBBBBBBBBBBBBBBBB   0b1111100000000000
    For example, to select a range from 1024 up to 2047, specify 1024 0xFC00 for value and mask. Values 1 to 65535 (decimal) Default...
  • Page 96 next-header Syntax [no] next-header next-header Context config>system>security>management-access-filter>ipv6-filter>entry Description This command specifies the next header to match as a management access filter match criterion. This command applies to IPv6 filters only. Parameters next-header — protocol-number or protocol-name protocol-number —...
  • Page 97 protocol-number — the protocol number for the match criterion, expressed in decimal, hexadecimal, or binary. See Table 6 for the protocol IDs and descriptions for the IP protocols. Values [0 to 255]D [0x0 to 0xFF]H [0b0 to 0b11111111]B protocol-name —...
  • Page 98 Description This command configures a source IPv4 address range to be used as a management access filter match criterion. To match on the source IP address, specify the address and the associated mask (for example, 10.1.0.0/16). The conventional notation of 10.1.0.0 255.255.0.0 can also be used. The no form of the command removes the source IP address match criterion.
  • Page 99 This command renumbers existing management access filter entries to resequence filter entries. The 7705 SAR exits on the first match found and executes the actions in accordance with the accompanying action command. This may require some entries to be renumbered from most to least explicit.
  • Page 100 This command enables the context to configure a CPM (referred to as CSM on the 7705 SAR) filter. A CPM filter is a hardware filter (that is, implemented on the network processor) for the CSM-destined traffic that applies to all the traffic destined for the CSM CPU.
  • Page 101 ipv6-filter Syntax ipv6-filter Context config>system>security>cpm-filter Description This command enables the context to configure IPv6 CPM filter parameters. entry Syntax entry entry-id [create] no entry entry-id Context config>system>security>cpm-filter>ip-filter config>system>security>cpm-filter>ipv6-filter Description This command specifies a particular CPM filter match entry. Every CPM filter must have at least one filter match entry.
  • Page 102 Syntax log log-id no log Context config>system>security>cpm-filter>ip-filter>entry config>system>security>cpm-filter>ipv6-filter>entry Description This command specifies the log in which packets matching this entry should be entered. The value 0 indicates that logging is disabled. The no form of the command deletes the log ID. Parameters log-id —...
  • Page 103 protocol-name — the protocol name to be used as an IP filter match criterion. See Table 6 for the protocol IDs and descriptions for the IP protocols. Values none, icmp, igmp, ip, tcp, egp, igp, udp, rdp, ipv6, ipv6-route, ipv6-frag, idrp, rsvp, gre, ipv6-icmp, ipv6-no-nxt, ipv6-opts, iso-ip, eigrp, ospf-igp, ether-ip, encap, pnni, pim, vrrp, l2tp, stp, ptp, isis, crtp, crudp, sctp, mpls-in-ip, * - udp/tcp wildcard...
  • Page 104 Table 6 IP Protocol IDs and Descriptions (Continued) Protocol ID Protocol Description Protocol Independent Multicast vrrp Virtual Router Redundancy Protocol l2tp Layer Two Tunneling Protocol Schedule Transfer Protocol Performance Transparency Protocol isis ISIS over IPv4 crtp Combat Radio Transport Protocol crudp Combat Radio User Datagram...
  • Page 105 [0b0..0b101010 | 0b101101..0b110001 | 0b110100..0b111011 | 0b111101..0b11111111]B protocol-name — the IPv6 next header to match, expressed as a protocol name. This parameter is similar to the protocol parameter used in IPv4 filter match criteria. See Table 6 for the protocol IDs and descriptions for the IP protocols.
  • Page 106 To match on the destination IP address, specify the address and its associated mask; for example, 10.1.0.0/16. The conventional notation of 10.1.0.0 255.255.0.0 may also be used. The no form of the command removes the destination IP address match criterion. Default no dst-ip Parameters...
  • Page 107 config>system>security>cpm-filter>ipv6-filter>entry>match Description This command specifies the TCP/UDP port to match the destination port of the packet. The no form of the command removes the destination port match criterion. The TCP or UDP protocol must be configured using the match command before this filter can be configured.
  • Page 108 Context config>system>security>cpm-filter>ip-filter>entry>match config>system>security>cpm-filter>ipv6-filter>entry>match Description This command configures matching on an ICMP code field in the ICMP header of an IP packet as an IP filter match criterion. The ICMP protocol must be configured using the match command before this filter can be configured.
  • Page 109 Parameters icmp-type — icmp-type-number or icmp-type-keyword icmp-type-number — the ICMP type number in decimal, hexadecimal, or binary, to be used as a match criterion Values [0 to 255]D [0x0 to 0xFF]H [0b0 to 0b11111111]B icmp-type-keyword: icmp-type-keyword — the ICMP type keyword to be used as a match criterion Values For IPv4 filter: none, echo-reply, dest-unreachable, source-quench, redirect, echo-request, router-advt,...
  • Page 110: Table 7 Ip Option Formats

    This command applies to IPv4 filters only. Default no ip-option Parameters ip-option-value — the 8-bit option type (can be entered using decimal, hexadecimal, or binary formats). The mask is applied as an AND to the option byte and the result is compared with the option value.
  • Page 111 Parameters true — specifies matching on IP packets that contain more than one option field in the header false — specifies matching on IP packets that do not contain multiple option fields in the header option-present Syntax option-present {true | false} no option-present...
  • Page 112 ipv4-address-mask — the dotted-decimal equivalent of the mask length Values 0.0.0.0 to 255.255.255.255 src-ip Syntax src-ip ipv6-address/prefix-length no src-ip Context config>system>security>cpm-filter>ipv6-filter>entry>match Description This command configures a source IPv6 address range to be used as an IP filter match criterion.
  • Page 113 Values [0 to 65535]D [0x0000..0xFFFF]H [0b0000000000000000 to 0b1111111111111111]B tcp-ack Syntax tcp-ack {true | false} no tcp-ack Context config>system>security>cpm-filter>ip-filter>entry>match config>system>security>cpm-filter>ipv6-filter>entry>match Description This command configures matching on the ACK bit being set or reset in the control bits of the TCP header of an IP packet as an IP filter match criterion.
  • Page 114 renum Syntax renum old-entry-id new-entry-id Context config>system>security>cpm-filter>ip-filter config>system>security>cpm-filter>ipv6-filter Description This command renumbers existing IP filter entries in order to resequence filter entries. Resequencing may be required in some cases because the process is exited when the first match is found and the actions are executed according to the accompanying action command.
  • Page 115 3.10.2.1.5 Global Password Commands enable-admin Syntax enable-admin Context <global> Description Note: See the description for the admin-password command. If the admin-password is configured in the config>system>security>password context, then any user can enter the special administrative mode by entering the enable-admin command. The enable-admin command is in the default profile.
  • Page 116 3.10.2.1.6 Password Commands password Syntax password Context config>system>security Description This command enables the context to configure password management parameters. admin-password Syntax admin-password password [hash | hash2] no admin-password Context config>system>security>password Description This command allows a user (with admin permissions) to configure a password which enables a user to become an administrator.
  • Page 117 Default no admin-password Parameters password — configures the password that enables a user to become a system administrator. The maximum length can be up to 20 characters if unhashed, 32 characters if hashed, and 54 characters if the hash2 keyword is specified. hash —...
  • Page 118 Default count: 3 minutes1: 5 minutes2: 10 Parameters count — the number of unsuccessful login attempts allowed for the specified time. This is a mandatory value that must be explicitly entered. Values 1 to 64 minutes1 — the period of time, in minutes, that a specified number of unsuccessful attempts can be made before the user is locked out Values 0 to 60...
  • Page 119 method-3 — the third password authentication method to attempt Values radius, tacplus, local Default local radius — RADIUS authentication tacplus — TACACS+ authentication local — password authentication based on the local password database exit-on-reject — when enabled, and if one of the AAA methods configured in the authentication order sends a reject, then the next method in the order will not be tried.
  • Page 120 credits Syntax credits [lowercase credits] [uppercase credits] [numeric credits] [special-character credits] no credits Context config>system>security>password>complexity-rules Description This command configures a credit value for each of the different character classes in a local password. When a password is created, credits are assigned for each character in a character class, up to the assigned credits limit.
  • Page 121 minimum-length Syntax minimum-length value no minimum-length Context config>system>security>password>complexity-rules Description This command configures the minimum number of characters required for passwords. If multiple minimum-length commands are entered, each command overwrites the previously entered command. The no form of the command reverts to the default value. Default Parameters value —...
  • Page 122 The no form of the command removes the minimum required characters from each character class. Default no required Parameters count — the minimum number of characters required from the character class Values 0 to 10 health-check Syntax [no] health-check [interval interval] Context...
  • Page 123 minimum-age Syntax minimum-age [days days] [hrs hours] [min minutes] [sec seconds] no minimum-age Context config>system>security>password Description This command configures the minimum required age of a password before it can be changed again. The no form of this command removes the minimum password age requirement. Default no minimum-age Parameters...
  • Page 124 3.10.2.1.7 Profile Management Commands profile Syntax [no] profile user-profile-name Context config>system>security Description This command creates a context to create user profiles for CLI command tree permissions. Profiles are used to either deny or permit user console access to a hierarchical branch or to specific commands.
  • Page 125 This command is used to create a user profile entry. More than one entry can be created with unique entry-id numbers. The 7705 SAR exits when the first match is found and executes the actions according to the accompanying action command.
  • Page 126 Description This command renumbers profile entries to resequence the entries. Since the 7705 SAR exits when the first match is found and executes the actions according to the accompanying action command, renumbering is useful to rearrange the entries from most explicit to least explicit.
  • Page 127 3.10.2.1.8 User Management Commands user Syntax [no] user user-name Context config>system>security Description This command creates a local user and a context to edit the user configuration. If a new user-name is entered, the user is created. When an existing user-name is specified, the user parameters can be edited.
  • Page 128 access Syntax [no] access [ftp] [snmp] [console] [no] access [ftp] [console] Context config>system>security>user config>system>security>user-template Description This command grants a user permission for FTP, SNMP, or console access. If a user requires access to more than one application, then multiple applications can be specified in a single command.
  • Page 129 cannot-change-password Syntax [no] cannot-change-password Context config>system>security>user>console Description This command allows a user to change their password for both FTP and console login. To disable a user’s privilege to change their password, use the cannot-change-password form of the command. The cannot-change-password flag is not replicated when a user copy is performed.
  • Page 130 Default default Parameters user-profile-name — the user profile name new-password-at-login Syntax [no] new-password-at-login Context config>system>security>user>console Description This command forces the user to change passwords at the next console or FTP login. If the user is limited to FTP access, the administrator must create the new password. The no form of the command does not force the user to change passwords.
  • Page 131 password Syntax password [password] Context config>system>security>user Description This command configures the user password for console and FTP access. The password is stored in an encrypted format in the configuration file when specified. Passwords must be encased in double quotes (" ") at the time of the password creation if they contain any special characters.
  • Page 132 All SNMPv3 users must be configured with the commands available in this CLI context. The 7705 SAR always uses the configured SNMPv3 user name as the security user name...
  • Page 133 This command configures the authentication and encryption method the user must use in order to be validated by the 7705 SAR. SNMP authentication allows the device to validate the managing node that issued the SNMP message and determine if the message has been tampered with.
  • Page 134 group Syntax group group-name no group Context config>system>security>user>snmp Description This command associates (or links) a user to a group name. The access command links the group with one or more views, security models, security levels, and read, write, and notify permissions.
  • Page 135 [no] radius Context config>system>security Description This command enables the context to configure RADIUS authentication on the 7705 SAR. For redundancy, multiple server addresses can be configured for each 7705 SAR. The no form of the command removes the RADIUS configuration. access-algorithm...
  • Page 136 accounting-port Syntax accounting-port port no accounting-port Context config>system>security>radius Description This command specifies a UDP port number on which to contact the RADIUS server for accounting requests. Parameters port — specifies the UDP port number Values 1 to 65535 Default 1813 authorization...
  • Page 137 retry Syntax retry count no retry Context config>system>security>radius Description This command configures the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server. The no form of the command reverts to the default value. Default Parameters count —...
  • Page 138 ip-address — the IP address of the RADIUS server. Two RADIUS servers cannot have the same IP address. An error message is generated if the server address is a duplicate. Values ipv4-address a.b.c.d (host bits must be 0) ipv6-address x:x:x:x:x:x:x:x (eight 16-bit pieces) x:x:x:x:x:x:d.d.d.d...
  • Page 139 use-default-template Syntax [no] use-default-template Context config>system>security>radius Description This command specifies whether the user template defined by this entry is to be actively applied to the RADIUS user. Default no use-default-template...
  • Page 140 [no] tacplus Context config>system>security Description This command enables the context to configure TACACS+ authentication on the 7705 SAR. For redundancy, multiple server addresses can be configured for each 7705 SAR. The no form of the command removes the TACACS+ configuration. accounting...
  • Page 141 server Syntax server index address ip-address secret key [hash | hash2] [port port] no server index Context config>system>security>tacplus Description This command adds a TACACS+ server and configures the TACACS+ server IP address, index, and key values. Up to five TACACS+ servers can be configured at any one time.
  • Page 142 timeout Syntax timeout seconds no timeout Context config>system>security>tacplus Description This command configures the number of seconds the router waits for a response from a TACACS+ server. The no form of the command reverts to the default value. Default Parameters seconds —...
  • Page 143 7705 SAR. The RADIUS server configured under the config>system>security>dot1x>radius-plcy context authenticates clients who get access to the data plane of the 7705 SAR. This configuration differs from the RADIUS server configured under the config>system>security>radius context that authenticates CLI login users who get access to the management plane of the 7705 SAR.
  • Page 144 Default Parameters count — the retry count Values 1 to 10 server Syntax server server-index address ip-address secret key [hash | hash2] [auth-port auth-port] [acct-port acct-port] [type server-type] no server server-index Context config>system>security>dot1x>radius-plcy Description This command adds an 802.1x server and configures the IP address, index, and key values. Up to five 802.1x servers can be configured at any one time.
  • Page 145 auth-port — the UDP port number used to contact the RADIUS server for authentication Values 1 to 65535 acct-port — the UDP port number used to contact the RADIUS server for accounting requests Values 1 to 65535 server-type —...
  • Page 146 timeout Syntax timeout seconds no timeout Context config>system>security>dot1x>radius-plcy Description This command configures the number of seconds the router waits for a response from a RADIUS server. The no form of the command reverts to the default value. Default Parameters seconds —...
  • Page 147 Parameters version — the protocol version for the list of allowed ciphers on the SSH client Values 1 — SSH protocol version 1 (not supported on a 7705 SAR node running in FIPS-140-2 mode) 2 — SSH protocol version 2...
  • Page 148: Table 8 Ssh1 Default Index Values

    This command configures the allowed SSH protocol version 1 or version 2 ciphers that are available on the SSH client or server. Client ciphers are used when the 7705 SAR node is acting as an SSH client; server ciphers are used when the 7705 SAR node is acting as an SSH server.
  • Page 149 Cipher Name cast128-cbc arcfour aes192-cbc aes256-cbc rijndael-cbc Note: blowfish-cbc, cast128-cbc, arcfour, and rijndael-cbc are not available if the 7705 SAR node is running in FIPS-140-2 mode. preserve-key Syntax [no] preserve-key Context config>system>security>ssh Description This command specifies the persistence of the SSH server host key. When enabled, the host key will be saved by the server and restored following a system reboot.
  • Page 150 Parameters version — the protocol version for the list of allowed ciphers on the SSH server Values 1 — SSH protocol version 1 (not supported on a 7705 SAR node running in FIPS-140-2 mode) 2 — SSH protocol version 2...
  • Page 151 3.10.2.1.13 Keychain Authentication Commands keychain Syntax [no] keychain keychain-name Context config>system>security Description This command enables the context to configure keychain parameters that are used to authenticate protocol communications. A keychain must be configured on the system before it can be applied to a protocol session.
  • Page 152 entry Syntax entry entry-id [key authentication-key | hash-key | hash2-key [hash | hash2] algorithm algorithm] no entry entry-id Context config>system>security>keychain>direction>bi config>system>security>keychain>direction>uni>receive config>system>security>keychain>direction>uni>send Description This command defines a key in the keychain. A keychain must have at least one key entry to be valid.
  • Page 153 hash2 — specifies that the key is entered in a more complex encrypted form that involves more variables than the key value alone, meaning that the hash2 encrypted variable cannot be copied and pasted. If the hash or hash2 parameter is not used, the key is assumed to be in an unencrypted, clear text form.
  • Page 154 now — specifies that the key should become active immediately (current system time) forever — specifies that the key should always be active option Syntax option {basic | isis-enhanced} no option Context config>system>security>keychain>direction>bi>entry Description This command enables options to be associated with the authentication key for IS-IS. The command is only applicable for IS-IS and will be ignored by other protocols associated with the keychain.
  • Page 155 Syntax Context config>system>security>keychain>direction Description This command configures keys for send or receive stream directions. Default receive Syntax receive Context config>system>security>keychain>direction>uni Description This command enables the receive context. Entries defined under this context are used to authenticate packets that are received by the router. Default end-time Syntax...
  • Page 156 Context config>system>security>keychain>direction>uni Description This command enables the send context. Entries defined under this context are used to sign packets that are being sent by the router to another device. Default tcp-option-number Syntax tcp-option-number Context config>system>security>keychain Description This command enables the context to configure the TCP option number to be placed in the TCP packet header.
  • Page 157 3.10.2.1.14 Login Control Commands login-control Syntax login-control Context config>system Description This command enables the context to configure the session control for console, Telnet, and FTP. exponential-backoff Syntax [no] exponential-backoff Context config>system>login-control Description This command enables the exponential backoff of the login prompt. The exponential-backoff command is used to deter dictionary attacks, in which a malicious user attempts to gain access to the CLI by using a script to try the admin account with every conceivable password.
  • Page 158 This command enables or disables the display of a login banner. The login banner contains the 7705 SAR copyright and build date information for a console login attempt. The no form of the command causes only the configured pre-login-message and a generic login prompt to display.
  • Page 159 motd Syntax motd {url url-prefix:source-url | text motd-text-string} no motd Context config>system>login-control Description This command creates the message of the day that is displayed after a successful console login. Only one message can be configured. The no form of the command removes the message. Default no motd Parameters...
  • Page 160 Context config>system>login-control>ssh Description This command limits the number of inbound SSH sessions. Each 7705 SAR router is limited to a total of 15 inbound SSH sessions (IPv4 and IPv6). The no form of the command reverts to the default value.
  • Page 161 Context config>system>login-control>ssh Description This command limits the number of outbound SSH sessions. Each 7705 SAR router is limited to a total of 15 outbound SSH sessions (IPv4 and IPv6). The no form of the command reverts to the default value.
  • Page 162 Context config>system>login-control>telnet Description This command limits the number of inbound Telnet sessions. Each 7705 SAR router is limited to a total of 15 inbound Telnet sessions (IPv4 and IPv6). The no form of the command reverts to the default value.
  • Page 163 Description This command configures TTL security parameters for incoming packets. When the feature is enabled, SSH or Telnet connections will accept incoming IP packets from a peer only if the TTL value in the packet is greater than or equal to the minimum TTL value configured for that peer.
  • Page 164: Show Commands

    3.10.2.2 Show Commands • Security Show Commands • Login Control Show Commands...
  • Page 165 3.10.2.2.1 Security Show Commands Note: The following command outputs are examples only; actual displays may differ depending on supported functionality and user configuration. access-group Syntax access-group [group-name] Context show>system>security Description This command displays SNMP access group information. Parameters group-name —...
  • Page 166 Table 10 Show System Security Access Group Output Fields (Continued) Label Description Read view Specifies the variable of the view to read the MIB objects Write view Specifies the variable of the view to configure the contents of the agent Notify view Specifies the variable of the view to send a trap about MIB objects...
  • Page 167 System Management Guide Security type status timeout retry server address (secs) count ------------------------------------------------------------------------------- radius 10.10.10.103 radius 10.10.0.1 radius 10.10.0.2 tacplus 10.10.0.9(49) down ------------------------------------------------------------------------------- radius admin status : up tacplus admin status : down health check : enabled (interval 30) ------------------------------------------------------------------------------- No.
  • Page 168 Security System Management Guide Table 11 Show System Security Authentication Output Fields Label Description Type The authentication type Timeout (secs) The number of seconds the router waits for a response from a RADIUS server Retry count Displays the number of times the router attempts to contact the RADIUS server for authentication if there are problems communicating with the server Connection errors...
  • Page 169 System Management Guide Security Table 12 Show Communities Output Fields Label Description Community The community string name for SNMPv1 and SNMPv2c access only Access r: The community string allows read-only access rw: The community string allows read-write access rwa: The community string allows read-write access mgmt: The unique SNMP community string assigned to the management router View...
  • Page 170 Security System Management Guide 25880 CPM filter #3 25880 CPM filter #4 25882 CPM filter #5 25926 CPM filter #6 25926 CPM filter #7 25944 CPM filter #8 25950 CPM filter #9 25968 CPM filter #10 25984 CPM filter #11 26000 CPM filter #12 26018...
  • Page 171 System Management Guide Security Table 13 Show CPM Filter Output Fields Label Description CPM IP (or IPv6) Filter Entry Entry-id Displays information about the specified CPM filter entry Dropped The number of dropped events Forwarded The number of forwarded events Description The CPM filter description Filter Entry Match Criteria...
  • Page 172 Security System Management Guide Table 13 Show CPM Filter Output Fields (Continued) Label Description Next Hop If match action is forward, indicates destination of the matched packet Forwarded pkts Indicates number of matched forwarded packets keychain Syntax keychain [keychain] [detail] Context show>system>security Description...
  • Page 173 System Management Guide Security Begin Time : 2016/09/01 01:01:00 Begin Time (UTC) : 2016/09/01 01:01:00 End Time : Forever End Time (UTC) : Forever =============================================================================== *A:Sar18 Dut-B# Table 14 Show Keychain Output Fields Label Description Key chain: name Description The text string description for the keychain TCP-Option number The TCP option number to be inserted in the header of sent TCP send...
  • Page 174 Security System Management Guide Table 14 Show Keychain Output Fields (Continued) Label Description End Time (UTC) The end time in UTC time management-access-filter Syntax management-access-filter ip-filter [entry entry-id] management-access-filter ipv6-filter [entry entry-id] Context show>system>security Description This command displays management access control filter information. If no specific entry number is specified, all entries are displayed.
  • Page 175 System Management Guide Security A:ALU-7# show system security management-access-filter ipv6-filter entry 2 ============================================================================= IPv6 Management Access Filter ============================================================================= filter type : ipv6 Def. Action : permit Admin Status : enabled (no shutdown) ----------------------------------------------------------------------------- Entry Src IP : 2001::1/128 Flow label : undefined Src interface : undefined Dest port...
  • Page 176 Security System Management Guide Table 15 Show Management Access Filter Output Fields (Continued) Label Description Src interface The interface name for the next hop to which the packet should be forwarded if it hits this filter entry Dest port The destination port Next-header The next header ID to match.
  • Page 177 System Management Guide Security Table 16 Show Password Options Output Fields Label Description Password aging in days The number of days a user password is valid before the user must change their password Time required between password The time interval required before a password can be changes changed Number of invalid attempts...
  • Page 178 Security System Management Guide Table 16 Show Password Options Output Fields (Continued) Label Description Palindrome allowed Displays whether palindromes are allowed as part of the password profile Syntax profile user-profile-name Context show>system>security Description This command displays user profile information. If the user-profile-name is not specified, then information for all profiles is displayed. Parameters user-profile-name —...
  • Page 179 System Management Guide Security Table 17 Show User Profile Output Fields (Continued) Label Description Def. action Permit all: Permits access to all commands Deny: Denies access to all commands None: No action is taken Entry The entry ID in a policy or filter table Description Displays the text string describing the entry Match Command...
  • Page 180 Status ======================================================================== 192.168.xxx.xxx admin connected ------------------------------------------------------- Number of SSH sessions : 1 =============================================================================== Output Example (IPv6) *A:7705:Dut-C> # show system security ssh =============================================================================== SSH Server =============================================================================== Administrative State : Enabled Operational State : Up 3HE 11018 AAAC TQZZA Edition: 01...
  • Page 181 System Management Guide Security Preserve Key : Disabled SSH Protocol Version 1 : Disabled SSH Protocol Version 2 : Enabled DSA Host Key Fingerprint : bd:fe:f5:fc:15:9d:86:65:f5:63:02:d5:55:16:d1:50 RSA Host Key Fingerprint : 00:d6:b3:83:41:2f:50:ea:63:ef:5d:71:30:ef:93:ad ------------------------------------------------------------------------------- Connection Username Version Cipher ServerName Status ------------------------------------------------------------------------------- 3301::xxxx:xxxx admin aes256-ctr...
  • Page 182 Security System Management Guide user Syntax user [user-id] [detail] user [user-id] lockout Context show>system>security Description This command displays user registration and security information. You can clear lockouts for users with the lockout command. If no command line options are specified, summary information for all users displays. Parameters user-id —...
  • Page 183 System Management Guide Security =============================================================================== =============================================================================== user id : admin ------------------------------------------------------------------------------- console parameters ------------------------------------------------------------------------------- new pw required : no cannot change pw : no home directory : cf3:\ restricted to home : no login exec file profile : administrative ------------------------------------------------------------------------------- snmp parameters ------------------------------------------------------------------------------- ALU-7# show system security user lockout...
  • Page 184 Security System Management Guide Table 20 Show User Output Fields (Continued) Label Description Failed logins The number of unsuccessful login attempts Local conf Y: Password authentication is based on the local password database N: Password authentication is not based on the local password database Home directory Specifies the local home directory for the user for both console and...
  • Page 185 System Management Guide Security included read1 1.1.1.1 11111111 included write1 2.2.2.2 11111111 included testview 11111111 included testview 1.3.6.1.2 11111111 excluded mgmt-view 1.3.6.1.2.1.2 included mgmt-view 1.3.6.1.2.1.4 included mgmt-view 1.3.6.1.2.1.5 included mgmt-view 1.3.6.1.2.1.6 included mgmt-view 1.3.6.1.2.1.7 included mgmt-view 1.3.6.1.2.1.31 included mgmt-view 1.3.6.1.2.1.77 included mgmt-view 1.3.6.1.4.1.6527.3.1.2.3.7...
  • Page 186 Security System Management Guide 3.10.2.2.2 Login Control Show Commands Note: The following command outputs are examples only; actual displays may differ depending on supported functionality and user configuration. users Syntax users Context show Description This command displays console user login and connection information. Output The following output is an example of view information, and Table 22...
  • Page 187: Clear Commands

    3.10.2.3 Clear Commands lockout Syntax lockout all lockout user user-name Context admin>clear Description This command clears a security lockout for a specific user, or for all users, after they have failed too many login attempts. Parameters all —...
  • Page 188: Debug Commands

    3.10.2.4 Debug Commands radius Syntax radius [detail] [hex] no radius Context debug Description This command enables debugging for RADIUS connections. The no form of the command disables the debugging. Parameters detail — displays detailed output hex — displays the packet dump in hexadecimal format
  • Page 189: Snmp

    4 SNMP This chapter provides information to configure SNMP. Topics in this chapter include: • SNMP Overview • SNMP Versions • Configuration Notes • Configuring SNMP with CLI • SNMP Command Reference
  • Page 190: Snmp Overview

    • The manager can set the value of a MIB object that is controlled by an agent. • The agent can send traps to notify the manager of significant events that occur on the managed device (for example, the 7705 SAR router). SNMP is supported on network hosts using the IPv4 and IPv6 protocols.
  • Page 191: Management Information Base

    Internet Engineering Task Force (IETF). When requested, the Internet Assigned Numbers Authority (IANA) assigns a unique branch for use by a private organization or company. The branch assigned to the 7705 SAR is 1.3.6.1.4.1.6527. The SNMP agent provides management information to support a collection of IETF specified MIBs and a number of MIBs defined to manage device parameters and network data unique to the 7705 SAR.
  • Page 192: User-based Security Model Community Strings

    4.1.6 Views Views control the access to a managed object. The total MIB of a 7705 SAR router can be viewed as a hierarchical tree. When a view is created, either the entire tree or a portion of the tree can be specified and made available to a user to manage the objects contained in the subtree.
  • Page 193: Access Groups

    Authentication parameters that a user must use in order to be validated by the 7705 SAR can be modified. SNMP authentication allows the device to validate the managing node that issued the SNMP message and determine if the message has been tampered with.
  • Page 194: Snmp Versions

    To implement SNMPv3, an authentication and encryption method must be assigned to a user in order to be validated by the 7705 SAR. SNMP authentication allows the router to validate the managing node that issued the SNMP message and determine if the message was tampered with.
  • Page 195: Configuration Notes

    4.3 Configuration Notes This section describes SNMP configuration guidelines and caveats. • To avoid management systems attempting to manage a partially booted system, SNMP will remain in a shutdown state if the configuration file fails to complete during system startup.
  • Page 197: Configuring Snmp With Cli

    4.4 Configuring SNMP with CLI This section provides information about configuring SNMP with CLI. Topics in this chapter include: • SNMP Configuration Overview • Basic SNMP Security Configuration • Configuring SNMP Components
  • Page 198: Snmp Configuration Overview

    4.5.1 Configuring SNMPv1 and SNMPv2c The 7705 SAR router is based on SNMPv3. To use 7705 SAR routers with SNMPv1 and/or SNMPv2c, SNMP community strings must be configured. Three predefined access methods are available when SNMPv1 or SNMPv2c access is required. Each access method (r, rw, or rwa) is associated with an SNMPv3 access group that determines the access privileges and the scope of managed objects available.
  • Page 199: Configuring Snmpv3

    4.5.2 Configuring SNMPv3 The 7705 SAR implements SNMPv3. If security features other than the default views are required, the following parameters must be configured: • views • access groups • SNMP users
  • Page 200: Basic Snmp Security Configuration

    4.6 Basic SNMP Security Configuration This section provides information to configure SNMP parameters and provides examples of common configuration tasks. The minimal SNMP parameters are: For SNMPv1 and SNMPv2c: • Configure community string parameters For SNMPv3: •...
  • Page 201: Configuring Snmp Components

    4.7 Configuring SNMP Components Use the CLI syntax displayed below to configure the following SNMP scenarios: • Configuring a Community String • Configuring View Options • Configuring Access Options • Configuring USM Community Options • Configuring Other SNMP Parameters CLI Syntax: config>system>security>snmp access group group-name security-model security-...
  • Page 202: Configuring View Options

    Use the following CLI syntax to configure community options: CLI Syntax: config>system>security>snmp community community-string [hash | hash2] access-permissions [version SNMP-version] The following example displays community string command usage: Example: config>system>security# snmp config>system>security>snmp# community private hash2 rwa version both config>system>security>snmp# community public hash2 r version v2c...
  • Page 203: Configuring Access Options

    The following example displays the view configuration: ALU-1>config>system>security>snmp# info ---------------------------------------------- view "testview" subtree 1 mask ff exit view testview subtree 1.3.6.1.2 mask ff type excluded exit community "private" rwa version both community "public" r version v2c ---------------------------------------------- ALU-1>config>system>security>snmp# 4.7.3 Configuring Access Options...
  • Page 204: Configuring Usm Community Options

    SNMPv3 access group and its view. The access granted with a community string is restricted to the scope of the configured group. By default, the 7705 SAR implementation of SNMP uses SNMPv3. To implement SNMPv1 and SNMPv2c, USM community strings must be explicitly configured.
  • Page 205: Configuring Other Snmp Parameters

    Use the following CLI syntax to configure USM community options: CLI Syntax: config>system>security>snmp usm-community community-string [hash | hash2] group group-name The following example displays USM community string command usage. The group "testgroup" was configured in the config>system>security>snmp>access CLI context.
  • Page 206 The following example displays the system SNMP default values: ALU-104>config>system>snmp# info detail ---------------------------------------------- shutdown engineID "0000xxxx000000000xxxxx00" packet-size 1500 general-port 161 ---------------------------------------------- ALU-104>config>system>snmp#
  • Page 207: Snmp Command Reference

    4.8 SNMP Command Reference 4.8.1 Command Hierarchies • Configuration Commands − SNMP System Commands − SNMP Security Commands • Show Commands
  • Page 208: Configuration Commands

    4.8.1.1 Configuration Commands 4.8.1.1.1 SNMP System Commands config — system — snmp — engineID engine-id — no engineID — general-port port — no general-port — packet-size bytes — no packet-size — [no] shutdown 4.8.1.1.2 SNMP Security Commands config —...
  • Page 209: Show Commands

    The following commands configure user-specific SNMP features. Refer to the Security Command Reference section for CLI syntax and command descriptions. config — system — security — [no] user user-name — [no] snmp — authentication {[none] | [[hash] {md5 key-1 | sha key-1} privacy {privacy-level | key-2}] —...
  • Page 210: Command Descriptions

    4.8.2 Command Descriptions • Configuration Commands • Show Commands
  • Page 211: Configuration Commands

    4.8.2.1 Configuration Commands • SNMP System Commands • SNMP Security Commands
  • Page 212 4.8.2.1.1 SNMP System Commands snmp Syntax snmp Context config>system Description This command enables the context to configure SNMP parameters. engineID Syntax [no] engineID engine-id Context config>system>snmp Description This command sets the SNMP engine ID to uniquely identify the SNMPv3 node. By default, the engine ID is generated using information from the system backplane.
  • Page 213 general-port Syntax general-port port-number no general-port Context config>system>snmp Description This command configures the port number used by this node to receive SNMP request messages and to send replies. SNMP notifications generated by the agent are sent from the port specified in the config>log>snmp-trap-group>trap-target command.
  • Page 214 This command is automatically invoked in the event of a reboot when the processing of the configuration file fails to complete or when an SNMP persistent index file fails while the bof persist on command is enabled. The no form of the command administratively enables SNMP.
  • Page 215 4.8.2.1.2 SNMP Security Commands snmp Syntax snmp Context config>system>security Description This command enables the context to configure SNMPv1, SNMPv2c, and SNMPv3 parameters. access group Syntax [no] access group group-name security-model {snmpv1 | snmpv2c | usm} security-level {no-auth-no-privacy | auth-no-privacy | privacy} [context context-name [prefix-match {exact | prefix}]] [read view-name-1] [write view-name-2] [notify view-name-3] Context...
  • Page 216 security-level no-auth-no-privacy — specifies that neither authentication nor privacy (encryption) is required. When configuring the user's authentication, select the none option. security-level auth-no-privacy — specifies that authentication is required but privacy (encryption) is not required. When this option is configured, both the group and the user must be configured for authentication.
  • Page 217 The no form of the command resets the parameters to the default values. Default attempts 20 time 5 lockout 10 Parameters count — the number of unsuccessful SNMP attempts allowed for the specified time Values 1 to 64 Default time minutes1 —...
  • Page 218 The access granted with a community string is restricted to the scope of the configured group. The 7705 SAR implementation of SNMP uses SNMPv3. In order to implement SNMPv1 and SNMPv2c configurations, several access groups are predefined. In order to implement SNMP with security features (version 3), security models, security levels, and USM communities must be explicitly configured.
  • Page 219 Context config>system>security>snmp Description This command configures a view. Views control the accessibility of a MIB object within the configured MIB view and subtree. Object identifiers (OIDs) uniquely identify MIB objects in the subtree. OIDs are organized hierarchically with specific values assigned by different organizations.
  • Page 220 For example, the MIB subtree that represents MIB-II is 1.3.6.1.2.1. The mask that catches all MIB-II is 0xfc or 0b11111100. Only a single mask may be configured per view and OID value combination. If more than one entry is configured, each subsequent entry overwrites the previous entry.
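    The subtree-and-mask rule described on pages 219 and 220 is the standard SNMP view-family test (RFC 3415 VACM): each mask bit, most significant first, says whether the OID's sub-identifier at that position must equal the subtree's (bit 1) or is a wildcard (bit 0), and an OID covered by several families takes the type (included or excluded) of the most specific one. The Python below is an added example, not code from the guide or from the 7705 SAR; it reproduces the "testview" configuration shown on page 203 and the MIB-II mask 0xfc from page 220, and the wildcard mask 0xfb plus the helper names are my own constructions.

```python
"""SNMP view-family matching with RFC 3415 VACM semantics (added example)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

OID = Tuple[int, ...]


def parse_oid(text: str) -> OID:
    """'1.3.6.1.2.1' -> (1, 3, 6, 1, 2, 1)."""
    return tuple(int(part) for part in text.strip(".").split("."))


@dataclass(frozen=True)
class ViewEntry:
    subtree: OID
    mask: bytes            # as typed on the CLI, e.g. bytes.fromhex("fc")
    included: bool = True  # "type excluded" on the CLI sets this to False


def mask_bit(mask: bytes, i: int) -> bool:
    """Bit i of the mask, MSB first. RFC 3415: bits beyond the end of a
    short mask are taken as 1, so 'mask ff' means every sub-identifier of the
    subtree must match, however long the subtree is."""
    byte, offset = divmod(i, 8)
    if byte >= len(mask):
        return True
    return bool(mask[byte] & (0x80 >> offset))


def entry_matches(entry: ViewEntry, oid: OID) -> bool:
    """An OID belongs to the family when it is at least as long as the subtree
    and every position whose mask bit is 1 equals the subtree's value."""
    if len(oid) < len(entry.subtree):
        return False
    return all(not mask_bit(entry.mask, i) or oid[i] == sub
               for i, sub in enumerate(entry.subtree))


def oid_in_view(view: List[ViewEntry], oid: OID) -> bool:
    """The most specific matching family decides: longest subtree first, then
    the greater mask. An OID matched by no family is not visible at all."""
    best: Optional[ViewEntry] = None
    for entry in view:
        if not entry_matches(entry, oid):
            continue
        if best is None or (len(entry.subtree), entry.mask) > (len(best.subtree), best.mask):
            best = entry
    return best is not None and best.included


# Page 203: view testview subtree 1 mask ff / subtree 1.3.6.1.2 mask ff type excluded
TESTVIEW = [
    ViewEntry(parse_oid("1"), bytes.fromhex("ff")),
    ViewEntry(parse_oid("1.3.6.1.2"), bytes.fromhex("ff"), included=False),
]
# Page 220: MIB-II is 1.3.6.1.2.1 and the mask that catches all of it is 0xfc
MIB2_VIEW = [ViewEntry(parse_oid("1.3.6.1.2.1"), bytes.fromhex("fc"))]
# Constructed: mask 0xfb = 1111 1011 clears bit 5, so 1.3.6.1.2.* all match
WILDCARD_VIEW = [ViewEntry(parse_oid("1.3.6.1.2.1"), bytes.fromhex("fb"))]

if __name__ == "__main__":
    for name, view in [("testview", TESTVIEW), ("mib2", MIB2_VIEW), ("wild", WILDCARD_VIEW)]:
        for oid_text in ["1.3.6.1.2.1.1.1.0", "1.3.6.1.4.1.6527", "1.3.6.1.2.99.5"]:
            print(f"{name:9} {oid_text:20} visible={oid_in_view(view, parse_oid(oid_text))}")
```

    A practical use of the function is to check, before handing a community or USM group a view, which parts of the tree it actually exposes: sysDescr (1.3.6.1.2.1.1.1.0) is hidden by testview because the longer excluded family wins over "subtree 1", while the vendor branch 1.3.6.1.4.1.6527 remains visible.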
  • Page 221: Show Commands

    4.8.2.2 Show Commands Note: The following command outputs are examples only; actual displays may differ depending on supported functionality and user configuration. counters Syntax counters Context show>snmp Description This command displays SNMP counter information. SNMP counters will continue to increase even when SNMP is shut down.
  • Page 222 Output Example A:ALU-1# show system information =============================================================================== System Information =============================================================================== System Name : ALU-1 System Type : 7705 SAR-8 System Version : B-0.0.I1204 System Contact System Location System Coordinates System Active Slot System Up Time : 1 days, 02:12:57.84 (hr:min:sec)
  • Page 223 /rel0.0/I1042/panos/main # Generated TUE MAR 11 16:58:20 2016 UTC Last Boot Index Version: N/A Last Boot Index Header : # TiMOS-B-0.0.I1042 both/i386 Nokia SAR 7705 Copyright (c) 2016 Nokia. # All rights reserved. All use subject to applicable license agreements.
  • Page 224 Table 24 Show System Information Output Fields (Continued) Label Description System Location The text string that identifies the location of the device System Coordinates The text string that identifies the system coordinates for the device location. For example, "37.390 -122.0550" is read as latitude 37.390 north and longitude 122.0550 west.
  • Page 225 Table 24 Show System Information Output Fields (Continued) Label Description Config Source primary: specifies whether the configuration was loaded from the primary location specified in the BOF secondary: specifies whether the configuration was loaded from the secondary location specified in the BOF tertiary: specifies whether the configuration was loaded from the tertiary location specified in the BOF Last Booted Config File...
  • Page 226 Table 24 Show System Information Output Fields (Continued) Label Description Cfg-Fail Script URL: the location and name of the CLI script file executed following a failed boot-up configuration file execution Not used: no CLI script file was executed Cfg-Fail Script Status Successful/Failed: the results from the execution of the CLI script file specified in the Cfg-Fail Script location...
  • Page 227 Parameters group-name — the access group name Output The following output is an example of access group information, and Table 25 describes the fields. Output Example A:ALU-1# show system security access-group =============================================================================== Access Groups =============================================================================== group name security security read...
  • Page 228 Table 25 Show System Access Group Fields (Continued) Label Description Write view The view to configure the contents of the agent Notify view The view to send a trap about MIB objects No. of access groups The total number of configured access groups communities Syntax...
  • Page 229 Table 26 Show Communities Output Fields (Continued) Label Description Access r: The community string allows read-only access to all objects in the MIB except security objects rw: The community string allows read-write access to all objects in the MIB except security objects rwa: The community string allows read-write access to all objects in the MIB including security objects...
  • Page 230 Table 27 Show User Output Fields Label Description User ID The name of a system user Need New PWD Yes: the user must change their password at the next login No: the user is not forced to change their password at the next login User Permissions Console: specifies whether the user is permitted console/Telnet...
  • Page 231 Output Example A:ALU-1# show system security view =============================================================================== Views =============================================================================== view name oid tree mask permission ------------------------------------------------------------------------------- included no-security included no-security 1.3.6.1.6.3 excluded no-security 1.3.6.1.6.3.10.2.1 included no-security 1.3.6.1.6.3.11.2.1 included no-security 1.3.6.1.6.3.15.1.1 included ------------------------------------------------------------------------------- No. of Views: 6 =============================================================================== A:ALU-1# show system security view no-security detail ===============================================================================...
  • Page 232 1.3.6.1.2.1.85 no-support 1.3.6.1.2.1.100 no-support 1.3.6.1.2.1.4.39 no-support 1.3.6.1.2.1.5.20 no-support =============================================================================== A:ALU-1# Table 28 Show System Security View Output Fields Label Description View name The name of the view. Views control the accessibility of a MIB object within the configured MIB view and subtree. OID tree The Object Identifier (OID) value.
  • Page 233: Event And Accounting Logs

    5 Event and Accounting Logs This chapter provides information about configuring event and accounting logs on the 7705 SAR. Topics in this chapter include: • Logging Overview • Log Destinations • Event Logs •...
  • Page 234: Logging Overview

    • Debug events — debug events are generated by the DEBUG application and pertain to trace or other debugging information • Main events — main events pertain to 7705 SAR applications that are not assigned to other event categories/sources The applications listed above have the following properties: •...
  • Page 235: Accounting Logs

    (suppressed) for each application event. The severity of an application event can be configured in event control. An event log within the 7705 SAR associates the event sources with logging destinations. Examples of logging destinations include the console session, memory logs, file destinations, SNMP trap groups, and syslog destinations.
  • Page 236 The only supported destination for an accounting log is a compact flash system device (cf3: on all platforms; also cf1: or cf2: on the 7705 SAR-18). Accounting data is stored within a standard directory structure on the device in compressed XML format.
  • Page 237: Log Destinations

    5.2 Log Destinations Both event logs and accounting logs use a common mechanism for referencing a log destination. The 7705 SAR supports the following log destinations: • Console • Session • Memory Logs •...
  • Page 238: Memory Logs

    Log files can be used by both event logs and accounting logs and are stored on the compact flash device (cf3: on all platforms; also cf1: or cf2: on the 7705 SAR-18) in the file system. A log file destination is configured using the config>log>file-id log-file-id command.
  • Page 239: Event Log Files

    5.2.4.1 Event Log Files Event log files are always created in the \log directory on the compact flash device. The naming convention for event log files is: logeeff-timestamp where: • ee is the event log ID •...
  • Page 240: Snmp Trap Group

    Management Ethernet port. For SNMP traps that will be sent in-band, the source IP address of the trap is the system IP address of the 7705 SAR. Each trap target destination of a trap group receives the identical sequence of events as defined by the log ID and the associated sources and log filter applied.
  • Page 241 Table 30 7705 SAR to Syslog Severity Level Mappings 7705 SAR Syslog Severity Syslog Definition Severity Level Level (highest to Configured lowest) Severity 3 critical emergency System is unusable alert Action must be taken...
  • Page 242: Event Logs

    Default System Logs Event logs are the means of recording system-generated events for later analysis. Events are messages generated by the system by applications or processes within the 7705 SAR. Figure 3 depicts a functional block diagram of event logging.
  • Page 243: Event Sources

    Debug events are generated by the DEBUG application. • Main — The main event source receives events from all other applications within the 7705 SAR. The show log applications command displays all applications: *A:ALU-48# show log applications...
  • Page 244: Event Control

    5.3.2 Event Control Event control preprocesses the events generated by applications before the event is passed into the main event stream. Event control assigns a severity to application events and can either forward the event to the main event source or suppress the event.
  • Page 245 2001 clearRTMError 2002 ipEtherBroadcast 2003 ipDuplicateAddress LDP: 2001 vRtrLdpStateChange 2002 vRtrLdpInstanceStateChange 2003 vRtrLdpIfStateChange LOGGER: 2001 STARTED 2002 tmnxLogTraceError 2005 tmnxLogSpaceContention MPLS: 2001 mplsXCUp 2002 mplsXCDown 2003 mplsTunnelUp NTP: 2001 tmnxNtpAuthMismatch 2002 tmnxNtpNoServersAvail 2003 tmnxNtpServersAvail SYSTEM: 2001 stiDateAndTimeChanged 2002 ssiSaveConfigSucceeded...
  • Page 246: Log Manager And Event Logs

    5.3.4 Event Filter Policies The log manager uses event filter policies to control which events are forwarded or dropped based on various criteria. Like other policies with the 7705 SAR, filter policies have a default action. The default actions are either: •...
  • Page 247 Entries are evaluated in order from the lowest to the highest entry ID. The first matching event is subject to the forward or drop action for that entry. Filter policy 1001 exists by default and collects events for the Serious Error Log (log ID 100).
  • Page 248: Event Log Entries

    5.3.5 Event Log Entries Log entries that are forwarded to a destination are formatted in a way that is appropriate for the specific destination; for example, whether it is to be recorded to a file or sent as an SNMP trap, but log event entries also have common elements or properties.
  • Page 249: Simple Logger Event Throttling

    Table 32 Log Entry Field Descriptions (Continued) Label Description <severity> The severity level name of the event CLEARED — a cleared event (severity number 1) INFO — an indeterminate/informational severity event (severity level 2) CRITICAL —...
  • Page 250: Default System Logs

    Throttle rate applies commonly to all event types. It is not configurable for a specific event type. A timer task checks for events dropped by throttling when the throttle interval expires. If any events have been dropped, a TIMETRA-SYSTEM-MIB::tmnxTrapDropped notification is sent.
  • Page 251: Accounting Logs

    The files are stored in system memory on a compact flash (cf3: on all platforms; also cf1: or cf2: on the 7705 SAR-18) in a compressed (tar) XML format and can be retrieved using FTP or SCP.
  • Page 252 SAA or SAA test The 7705 SAR supports simultaneous collection for some records. For example, “complete-network-ingr-egr” (cpNipo and cpNepo) simultaneously collects statistics on network-ingress octets, network-ingress packets, network-egress octets, and network-egress packets for the same network port.
  • Page 253 Table 34 Accounting Record Name Details Record Name Sub-Record Field Field Description service-ingress-octets SvcId SapId QueueId OfferedHiPrioOctets DroppedHiPrioOctets LowOctetsOffered LowOctetsDropped UncoloredOctetsOffered InProfileOctetsForwarded OutOfProfileOctetsForwarded service-egress-octets SvcId SapId QueueId InProfileOctetsForwarded InProfileOctetsDropped OutOfProfileOctetsForwarded OutOfProfileOctetsDropped service-ingress-packets SvcId SapId QueueId...
  • Page 254 Table 34 Accounting Record Name Details (Continued) Record Name Sub-Record Field Field Description service-egress-packets SvcId SapId QueueId InProfilePktsForwarded InProfilePktsDropped OutOfProfilePktsForwarded OutOfProfilePktsDropped SapId slaProfile SlaProfile complete-service-ingress-egress (cpSipo and cpSepo) cpSipo SvcId SapId PolicerId HighPktsOffered HighPktsDropped...
  • Page 255 Table 34 Accounting Record Name Details (Continued) Record Name Sub-Record Field Field Description complete-service-ingress-egress (cpSipo and cpSepo) (continued) cpSipo (continued) AllPacketsForwarded AllOctetsForwarded InProfilePktsDropped InProfileOctetsDropped OutOfProfilePktsDropped OutOfProfileOctetsDropped HighPriorityPacketsForwarded HighPriorityOctetsForwarded LowPriorityPacketsForwarded LowPriorityOctetsForwarded InProfilePktsForwarded OutOfProfilePktsForwarded InProfileOctetsForwarded OutOfProfileOctetsForwarded cpSepo...
  • Page 256 Table 34 Accounting Record Name Details (Continued) Record Name Sub-Record Field Field Description combined-service-ingr-egr-octets (cmSio and CmSeo) cmSio SvcId SapId QueueId OfferedHiPrioOctets DroppedHiPrioOctets LowOctetsOffered LowOctetsDropped UncoloredOctetsOffered InProfileOctetsForwarded OutOfProfileOctetsForwarded cmSeo SvcId SapId QueueId InProfileOctetsForwarded InProfileOctetsDropped OutOfProfileOctetsForwarded...
  • Page 257 Table 34 Accounting Record Name Details (Continued) Record Name Sub-Record Field Field Description network-egress-octets port PortId QueueId InProfileOctetsForwarded InProfileOctetsDropped OutOfProfileOctetsForwarded OutOfProfileOctetsDropped network-ingress-packets port PortId QueueId InProfilePktsForwarded InProfilePktsDropped OutOfProfilePktsForwarded OutOfProfilePktsDropped network-egress-packets port PortId QueueId...
  • Page 258 Table 34 Accounting Record Name Details (Continued) Record Name Sub-Record Field Field Description combined-network-ing-egr-octets (cmNio and cmNeo) (continued) cmNeo port PortId QueueId InProfileOctetsForwarded InProfileOctetsDropped OutOfProfileOctetsForwarded OutOfProfileOctetsDropped complete-network-ingr-egr (cpNipo and cpNepo) cpNipo port PortId QueueId InProfilePktsForwarded InProfilePktsDropped...
  • Page 259 Table 34 Accounting Record Name Details (Continued) Record Name Sub-Record Field Field Description TestMode OwnerName TestName PingRun subrecord RunIndex TestRunResult MinRtt MaxRtt AverageRtt RttSumOfSquares ProbeResponses SentProbes MinOutTt MaxOutTt AverageOutTt OutTtSumOfSquares MinInTt MaxInTt AverageInTt InTtSumOfSqrs OutJitter InJitter...
  • Page 260 Table 34 Accounting Record Name Details (Continued) Record Name Sub-Record Field Field Description saa (continued) RunIndex TestRunResult LastGoodProbe TraceHop HopIndex MinRtt MaxRtt AverageRtt RttSumOfSquares ProbeResponses SentProbes MinOutTt MaxOutTt AverageOutTt OutTtSumOfSquares MinInTt MaxInTt AverageInTt InTtSumOfSqrs OutJitter InJitter...
  • Page 261: Accounting Files

    XML file format. The 7705 SAR creates two directories on the compact flash to store the files. The following output displays a directory named act-collect that holds accounting files that are open and actively collecting statistics, and a directory named act that stores the files that have been closed and are awaiting retrieval.
  • Page 262: Configuration Notes

    5.5 Configuration Notes This section describes logging configuration guidelines and caveats. • A file or filter cannot be deleted if it has been applied to a log. • File IDs, syslog IDs, or SNMP trap groups must be configured in the config>log context before they can be applied to a log ID.
  • Page 263: Configuring Logging With Cli

    5.6 Configuring Logging with CLI This section provides information to configure logging using the command line interface. Topics in this section include: • Log Configuration Overview • Log Type • Basic Event Log Configuration •...
  • Page 264: Log Configuration Overview

    5.7 Log Configuration Overview Logging on the 7705 SAR is used to provide the operator with logging information for monitoring and troubleshooting. You can configure logging parameters to save information in a log file or direct the messages to other devices. Logging commands allow you to: •...
  • Page 265: Log Type

    5.8 Log Type Logs can be configured in the following contexts: • Log file — log files can contain log event message streams or accounting/billing information. Log file IDs are used to direct events, alarms/traps, and debug information to their respective targets.
  • Page 266: Basic Event Log Configuration

    5.9 Basic Event Log Configuration The most basic log configuration must have the following: • a log ID or an accounting policy ID • a log source • a log destination The following displays a log configuration example. ALU-12>config>log# info #------------------------------------------ echo "Log Configuration"...
  • Page 267: Common Configuration Tasks

    5.10 Common Configuration Tasks The following sections describe basic system tasks that must be performed. • Configuring an Event Log • Configuring a File ID • Configuring an Accounting Policy • Configuring Event Control •...
  • Page 268: Configuring A File Id

    The following displays an example of the event log file configuration command syntax: Example: config# log config>log# log-id 2 config>log>log-id$ description "This is a test log file." config>log>log-id# filter 1 config>log>log-id# from main security config>log>log-id# to file 1 config>log>log-id# no shutdown config>log>log-id# exit...
  • Page 269: Configuring An Accounting Policy

    SAP or service interface, or applied to a network port. For information on associating an accounting policy with a SAP or a network port, see the 7705 SAR Services Guide or the 7705 SAR Interface Configuration Guide (respectively).
  • Page 270 Use the following CLI syntax to configure an accounting policy: CLI Syntax: config>log> accounting-policy acct-policy-id collection-interval minutes default description description-string record record-name to file log-file-id no shutdown The following displays an example of the accounting policy configuration command syntax: Example: config>log# accounting-policy 4...
  • Page 271: Configuring Event Control

    5.10.4 Configuring Event Control Use the following CLI syntax to configure event control. The throttle parameter used in the event-control command syntax enables throttling for a specific event type. The config>log>throttle-rate command configures the number of events and interval length to be applied to all event types that have throttling enabled by this event-control command.
  • Page 272: Configuring A Log Filter

    The following displays an example of the configuration command syntax: Example: config>log# throttle-rate 500 interval 10 config>log# event-control mpls 2001 generate throttle The following displays the configuration: *A:gal171>config>log# info --------------------------------------------- throttle-rate 500 interval 10 event-control "mpls"...
  • Page 273: Configuring An Snmp Trap Group

    The following displays the log filter configuration: ALU-12>config>log# info #------------------------------------------ echo "Log Configuration" #------------------------------------------ file-id 1 description "This is our log file." location cf3: rollover 600 retention 24 exit filter 1 default-action drop description "This is a test filter."...
  • Page 274: Configuring A Syslog Target

    The following displays an example of the SNMP trap group configuration command syntax: Example: config# log config>log# snmp-trap-group 2 config>log>snmp-trap-group# trap-target "target name" address 10.10.10.104 notify-community "communitystring" security-level no-auth-no-privacy config>log>snmp-trap-group# exit The following displays the SNMP trap group configuration: ALU-12>config>log# info ---------------------------------------------- snmp-trap-group 2...
  • Page 275 The following displays an example of the syslog file configuration command syntax: Example: config# log config>log# syslog 1 config>log>syslog$ description "This is a syslog file." config>log>syslog# address 10.10.10.104 config>log>syslog# facility user config>log>syslog# level warning The following displays the syslog configuration: ALU-12>config>log# info ----------------------------------------------...
  • Page 276: Log Management Tasks

    5.11 Log Management Tasks This section discusses the following logging tasks: • Modifying a Log File • Deleting a Log File • Modifying a File ID • Deleting a File ID • Modifying a Syslog ID •...
  • Page 277 The following displays the current log configuration: ALU-12>config>log>log-id# info ---------------------------------------------- log-id 2 description "This is a test log file." filter 1 from main security to file 1 exit ---------------------------------------------- ALU-12>config>log>log-id# The following displays an example of modifying log file parameters: Example: config# log config>log# log-id 2...
  • Page 278: Deleting A Log File

    5.11.2 Deleting a Log File The log ID must be shut down first before it can be deleted. In a previous example, file 1 is associated with log-id 2. ALU-12>config>log# info ---------------------------------------------- file-id 1 description "LocationTest."...
  • Page 279: Modifying A File Id

    5.11.3 Modifying a File ID Note: When the file-id location parameter is modified, log files are not written to the new location until a rollover occurs or the log is manually cleared. A rollover can be forced by using the clear>log command.
  • Page 280: Deleting A File Id

    5.11.4 Deleting a File ID Note: All references to the file ID must be deleted before the file ID can be removed. Use the following CLI syntax to delete a file ID: CLI Syntax: config>log no file-id log-file-id The following displays an example of deleting a file ID:...
  • Page 281: Deleting A Syslog Id

    The following displays the syslog configuration: ALU-12>config>log# info ---------------------------------------------- syslog 1 description "Test syslog." address 10.10.10.91 facility mail level info exit ---------------------------------------------- ALU-12>config>log# 5.11.6 Deleting a Syslog ID Note: All references to the syslog ID must be deleted before the syslog ID can be removed. Use the show>log>log-id command to view syslog references.
  • Page 282: Deleting An Snmp Trap Group

    The following displays the current SNMP trap group configuration: ALU-12>config>log# info ---------------------------------------------- snmp-trap-group 10 trap-target 10.10.10.104:5 "snmpv3" notify-community "communitystring" exit ---------------------------------------------- ALU-12>config>log# The following displays an example of the command usage to modify an SNMP trap group: Example: config# log...
  • Page 283: Modifying A Log Filter

    The following displays the SNMP trap group configuration: ALU-12>config>log# info ---------------------------------------------- snmp-trap-group 10 trap-target 10.10.0.91:1 "snmpv2c" notify-community "com1" exit ---------------------------------------------- ALU-12>config>log# The following displays an example of deleting a trap target and an SNMP trap group. Example: config>log# snmp-trap-group 10 config>log>snmp-trap-group# no trap-target 10.10.0.91:1...
  • Page 284 The following output displays the current log filter configuration: ALU-12>config>log# info #------------------------------------------ echo "Log Configuration" #------------------------------------------ filter 1 default-action drop description "This is a test filter." entry 1 action forward match application eq "atm" severity eq critical exit exit...
  • Page 285: Deleting A Log Filter

    5.11.10 Deleting a Log Filter Use the following CLI syntax to delete a log filter: CLI Syntax: config>log no filter filter-id The following displays an example of the command to delete a log filter: Example: config>log# no filter 1 5.11.11 Modifying Event Control Parameters...
  • Page 286 5.11.12 Returning to the Default Event Control Configuration The no form of the event-control command returns modified values back to the default values. Use the following CLI syntax to return to the default event control configuration: CLI Syntax: config>log no event-control application [event-name |...
  • Page 287: Log Command Reference

    5.12 Log Command Reference 5.12.1 Command Hierarchies • Configuration Commands − Accounting Policy Commands − Event Control Commands − Log File Commands − Log Filter Commands − Syslog Commands − Logging Destination Commands −...
  • Page 288: Configuration Commands

    5.12.1.1 Configuration Commands 5.12.1.1.1 Accounting Policy Commands config — log — accounting-policy acct-policy-id — no accounting-policy acct-policy-id — collection-interval minutes — no collection-interval — [no] default — description description-string — no description — record record-name —...
  • Page 289 5.12.1.1.4 Log Filter Commands config — log — [no] filter filter-id — default-action {drop | forward} — no default-action — description description-string — no description — [no] entry entry-id — action {drop | forward} —...
  • Page 290: Show Commands

    5.12.1.1.6 Logging Destination Commands config — log — [no] log-id log-id — description description-string — no description — filter filter-id — no filter — from {[main] [security] [change] [debug-trace]} — no from — [no] shutdown —...
  • Page 291: Clear Commands

    — syslog [syslog-id] 5.12.1.3 Clear Commands clear — log-id...
  • Page 292: Command Descriptions

    5.12.2 Command Descriptions • Configuration Commands • Show Commands • Clear Commands...
  • Page 293: Configuration Commands

    5.12.2.1 Configuration Commands • Generic Commands • Accounting Policy Commands • Event Control Commands • Log File Commands • Log Filter Commands • Syslog Commands • Logging Destination Commands • SNMP Trap Groups Commands...
  • Page 294 5.12.2.1.1 Generic Commands description Syntax description description-string no description Context config>log>filter config>log>filter>entry config>log>log-id config>log>accounting-policy config>log>file-id config>log>syslog config>log>snmp-trap-group Description This command creates a text description stored in the configuration file for a configuration context. The command associates a text string with a configuration context to help identify the content in the configuration file.
  • Page 295 Special Cases log-id — when a log-id is shut down, no events are collected for the entity. This leads to the loss of event data. accounting-policy — when an accounting policy is shut down, no accounting data is written to the destination log ID.
  • Page 296 5.12.2.1.2 Accounting Policy Commands accounting-policy Syntax accounting-policy acct-policy-id no accounting-policy acct-policy-id Context config>log Description This command creates an access or network accounting policy. An accounting policy defines the accounting records that are created. Access accounting policies are policies that can be applied to one or more service access points (SAPs).
  • Page 297 default Syntax [no] default Context config>log>accounting-policy Description This command configures the accounting policy specified by acct-policy-id to be the default accounting policy that is used by all SAPs or network ports that do not have a specified accounting policy.
  • Page 298 service-egress-octets service-ingress-packets service-egress-packets network-ingress-octets network-egress-octets network-ingress-packets network-egress-packets combined-network-ing-egr-octets combined-service-ing-egr-octets complete-service-ingress-egress complete-network-ing-egr ========================================================== ALU-12>config>log# The record-name must be specified prior to configuring an accounting policy as default. To configure an accounting policy for access ports, select a service record (for example, service-ingress-octets).
  • Page 299 Default No destination is specified Parameters log-file-id — the log file ID specifies the destination for the accounting records associated with this accounting policy. The characteristics of the log file ID, such as rollover and retention intervals, must have already been defined in the config>log>file-id context.
  • Page 300 5.12.2.1.3 Event Control Commands event-control Syntax event-control application-id [event-name | event-number] generate [severity-level] [throttle] event-control application-id [event-name | event-number] suppress no event-control application-id [event-name | event-number] Context config>log Description This command is used to specify that a particular event, or all events associated with an application, are either generated or suppressed.
  • Page 301 Default Each event has a default suppress or generate state. To display a list of all events and the current configuration use the event-control command. Parameters application-id — the application whose events are affected by this event control filter Values A valid application name.
  • Page 302 throttle-rate Syntax throttle-rate events [interval seconds] no throttle-rate Context config>log Description This command configures an event throttling rate. Parameters events — specifies the number of log events that can be logged within the specified interval for a specific event.
  • Page 303 5.12.2.1.4 Log File Commands file-id Syntax [no] file-id log-file-id Context config>log Description This command enables the context to configure a file ID template that is used as a destination for an event log or an accounting (billing) file. The template defines the file location and characteristics of the destination for a log event message stream or for accounting and billing information.
  • Page 304 The location command is optional. If the location command is not explicitly configured, log and accounting files will be created on cf3: for the following: • 7705 SAR-8 • 7705 SAR-A (both variants) • 7705 SAR-Ax • 7705 SAR-H • 7705 SAR-Hc •...
  • Page 305 • 7705 SAR-Wx (all variants) • 7705 SAR-X For the 7705 SAR-18, log files are created by default on cf1: and accounting files are created by default on cf2:. There are no overflows onto other devices. Note: The 7705 SAR-A, 7705 SAR-Ax, 7705 SAR-W, 7705 SAR-Wx, 7705 SAR-Hc, and 7705 SAR-X do not have field-replaceable compact flash drives;...
  • Page 306 rollover Syntax rollover minutes [retention hours] no rollover Context config>log>file-id Description This command configures how often an event or accounting log is rolled over or partitioned into a new file. An event or accounting log is actually composed of multiple individual files. The system creates a new file for the log based on the rollover time, expressed in minutes.
  • Page 307 5.12.2.1.5 Log Filter Commands filter Syntax [no] filter filter-id Context config>log Description This command creates a context for an event filter. An event filter specifies whether to forward or drop an event or trap based on the match criteria. Filters are configured in the filter filter-id context and then applied to a log in the log-id log-id context.
  • Page 308 entry Syntax [no] entry entry-id Context config>log>filter Description This command is used to create or edit an event filter entry. Multiple entries may be created using unique entry-id numbers. The TiMOS implementation exits the filter on the first match found and executes the action in accordance with the action command.
  • Page 309 Default no action Parameters drop — specifies that packets matching the entry criteria will be dropped forward — specifies that packets matching the entry criteria will be forwarded match Syntax [no] match Context config>log>filter>entry Description This command enables the context to enter or edit match criteria for a filter entry.
  • Page 310: Table 36 Valid Match Operators For Applications

    Parameters eq | neq — the operator specifying the type of match. Valid operators are listed in Table 36. Table 36 Valid Match Operators for Applications Operator Notes eq Equal to neq Not equal to application-id — the application name string Values aps, atm, bgp, chassis, debug, dhcp, dhcps, efm_oam, eth_cfm, filter, firewall, igmp, igmp_snooping, ip, ipsec, isis, lag, ldp, lldp,...
  • Page 311 Table 37 Valid Match Operators for Event Numbers (Continued) Operator Notes lt Less than lte Less than or equal to gt Greater than gte Greater than or equal to event-id — the event ID, expressed as a decimal integer Values 1 to 4294967295 router...
  • Page 312: Table 38 Valid Operators For Event Severity

    The no form of the command removes the severity match criterion. Default no severity Parameters eq | neq | lt | lte | gt | gte — this operator specifies the type of match. Valid operators are listed in Table 38. Table 38...
  • Page 313: Table 40 Valid Operators For Event Subjects

    The subject is the entity for which the event is reported, such as a port. In this case, the port-id string would be the subject. Only one subject command can be entered per event filter entry. If multiple subject commands are entered, the last command overwrites the previous command.
  • Page 314 Description This command enables the context to configure a syslog target host that is capable of receiving selected syslog messages from the 7705 SAR. A valid syslog-id must have the target syslog host address configured. A maximum of 10 syslog IDs can be configured.
  • Page 315 Parameters ip-address — the IP address of the syslog target host Values ipv4-address a.b.c.d ipv6-address x:x:x:x:x:x:x:x (eight 16-bit pieces) x:x:x:x:x:x:d.d.d.d x: [0 to FFFF]H d: [0 to 255]D facility Syntax facility syslog-facility no facility Context config>log>syslog Description...
  • Page 316 The no form of the command reverts to the default value. Default info Parameters syslog-level — the threshold severity level value, as described in Table 41. See Table 29 for the numeric values associated with the severity levels. Values emergency, alert, critical, error, warning, notice, info, or debug Table 41...
  • Page 317 Parameters log-prefix-string — an alphanumeric string of up to 32 characters. Spaces and colons ( : ) cannot be used in the string. port Syntax port value no port Context config>log>syslog Description This command configures the UDP port that will be used to send syslog messages to the syslog target host.
  • Page 318 5.12.2.1.7 Logging Destination Commands log-id Syntax [no] log-id log-id Context config>log Description This command creates a context to configure destinations for event streams. The log-id context is used to direct events, alarms, traps, and debug information to respective destinations.
  • Page 319 filter Syntax filter filter-id no filter Context config>log>log-id Description This command associates an event filter policy with the log destination. The filter command is optional. If no event filter is configured, all events, alarms and traps generated by the source stream will be forwarded to the destination.
  • Page 320 Default no from Parameters main — instructs all events in the main event stream to be sent to the destination defined in the to command for this destination log-id. The main event stream contains the events that are not explicitly directed to any other event stream.
  • Page 321 to file Syntax to file log-file-id Context config>log>log-id Description This command instructs the events selected for the log ID to be directed to a specified file. The command is one of the to commands used to specify the log ID destination. A to command is mandatory when configuring a log destination.
  • Page 322 Parameters size — indicates the number of events that can be stored in the memory log Values 50 to 3000 Default to session Syntax to session Context config>log>log-id Description This command instructs the events selected for the log ID to be directed to the current console or Telnet session.
  • Page 323 Default No destination is specified Parameters size — defines the number of events stored in this memory log Values 50 to 3000 Default to syslog Syntax to syslog syslog-id Context config>log>log-id Description This command instructs the alarms and traps to be directed to a specified syslog. To remain consistent with the standards governing syslog, messages to syslog are truncated to 1 kbyte.
  • Page 324 Description This command adds or modifies a trap receiver and configures the operational parameters for the trap receiver. A trap reports significant events that occur on a 7705 SAR, such as errors or failures. Before an SNMP trap can be issued to a trap receiver, the console, snmp-trap-group, and at least one trap-target must be configured.
  • Page 325 This allows a trap-receiving application, such as an NMS, to reconcile a separate event sequence number stream for each 7705 SAR event log when multiple event logs are directed to the same IP address and port destination.
  • Page 326 snmpv1 | snmpv2c | snmpv3 — specifies the SNMP version format to use for traps sent to the trap receiver Values snmpv1 Selects the SNMP version 1 format. When specifying snmpv1, the notify-community parameter must be configured for the proper SNMP community string that the trap receiver expects to be present in alarms and traps messages.
  • Page 327 security-level {no-auth-no-privacy | auth-no-privacy | privacy} — specifies the required authentication and privacy levels required to access the views configured on this node when configuring an snmpv3 trap receiver. Values no-auth-no-privacy Specifies that no authentication and no privacy (encryption) are required.
  • Page 328: Show Commands

    Event and Accounting Logs System Management Guide 5.12.2.2 Show Commands Note: The following command outputs are examples only; actual displays may differ depending on supported functionality and user configuration. accounting-policy Syntax accounting-policy [acct-policy-id] [access | network] [associations] Context show>log Description This command displays accounting policy information.
  • Page 329 This policy is applied to: Svc Id: 100 SAP : 1/1/8:0 Collect-Stats Svc Id: 101 SAP : 1/1/8:1 Collect-Stats Svc Id: 102 SAP : 1/1/8:2 Collect-Stats Svc Id: 106 SAP : 1/1/8:6 Collect-Stats Svc Id: 107 SAP : 1/1/8:7 Collect-Stats...
  • Page 330 Table 42 Accounting Policy Output Fields (Continued): Intvl: Displays the interval, in minutes, in which statistics are collected and written to their destination. The default depends on the record name type. File ID: The log destination. Record Name...
  • Page 331 complete-network-ing-egr ========================================================== A:ALU-1# Table 43 Accounting Records Output Fields: Record #: The record ID that uniquely identifies the accounting policy, expressed as a decimal integer. Record Name: The accounting record name. Def.
  • Page 332 IGMP_SNOOPING IPSEC IPSEC_CPM ISIS LLDP LOGGER MCPATH MC_REDUNDANCY MIRROR MLD_SNOOPING MPLS MWMGR OSPF PIM_SNOOPING PORT RADIUS RIP_NG ROUTE_NEXT_HOP ROUTE_POLICY RSVP SCADA SECURITY SNMP SUB_HOST_TRK SVCMGR SYSTEM USER VRRP VRTR ================================== A:ALU-1#
  • Page 333 event-control. Syntax: event-control [application-id [event-name | event-number]]. Context: show>log. Description: This command displays event control settings for events, including whether the event is suppressed or generated and the severity level for the event. If no options are specified, all events, alarms and traps are listed.
  • Page 334 2009 powerSupplyDcFailure 2010 powerSupplyInserted 2011 powerSupplyRemoved 2012 redPrimaryCPMFail 2016 clearNotification 2017 syncIfTimingHoldover 2018 syncIfTimingHoldoverClear 2019 syncIfTimingRef1Alarm 2020 syncIfTimingRef1AlarmClear 2021 syncIfTimingRef2Alarm 2022 syncIfTimingRef2AlarmClear 2023 flashDataLoss 2024 flashDiskFull 2025 softwareMismatch 2026 softwareLoadFailed 2027 bootloaderMismatch 2028 bootromMismatch 2029 fpgaMismatch 2030 syncIfTimingBITSAlarm 2031 syncIfTimingBITSAlarmClear...
  • Page 335 2007 ipArpBadInterface 2008 ipArpDuplicateIpAddress 2009 ipArpDuplicateMacAddress ... USER: 2001 cli_user_login 2002 cli_user_logout 2003 cli_user_login_failed 2004 cli_user_login_max_attempts 2005 ftp_user_login 2006 ftp_user_logout 2007 ftp_user_login_failed 2008 ftp_user_login_max_attempts 2009 cli_user_io 2010 snmp_user_set 2011 cli_config_io 4357 ======================================================================= A:ALU-1# Table 44 Event Control Output Fields...
  • Page 336 file-id. Syntax: file-id [log-file-id]. Context: show>log. Description: This command displays event log file information. If no command line parameters are specified, a summary output of all event log files is displayed. Specifying a file ID displays detailed information on the event log file. Parameters: log-file-id —...
  • Page 337 cf3:\log\log0302-20060501-015344 complete cf3:\log\log0302-20060501-015547 in progress ============================================================= Table 45 Log File Summary Output Fields: file-id: The log file ID. rollover: The rollover time for the log file, which is the amount of time before the file is partitioned into a new file.
  • Page 338 Output Example *A:ALU-48>config>log# show log filter-id ============================================================================= Log Filters ============================================================================= Filter Applied Default Description Action ----------------------------------------------------------------------------- forward forward forward 1001 drop Collect events for Serious Errors Log ============================================================================= *A:ALU-48>config>log# Table 46 Filter ID Summary Output Fields: Filter Id...
  • Page 339 Table 47 Filter ID Match Criteria Output Fields: Entry-id: The event log filter entry ID. Action: default: there is no explicit action for the event log filter entry and the filter’s default action is used on matching events; drop: the action for the event log filter entry is to drop matching events; forward: the action for the event log filter entry is to forward...
  • Page 340 Table 47 Filter ID Match Criteria Output Fields (Continued): Operator: There is an operator field for each match criteria: application, event number, severity, and subject. equal: matches when equal to the match criterion; greaterThan: matches when greater than the match criterion; greaterThanOrEqual: matches when greater than or equal to the match criterion...
  • Page 341 Table 48 Log Collector Output Fields: <Collector Name>: Main: the main event stream contains the events that are not explicitly directed to any other event stream; Security: the security stream contains all events that affect attempts to breach system security, such as failed login attempts, attempts to access MIB tables to which the user is not granted access or attempts to enter a branch of the CLI to which access...
  • Page 342 log-id. Syntax: log-id [log-id] [severity severity-level] [application application] [sequence from-seq [to-seq]] [count count] [router router-instance [expression]] [subject subject [regexp]] [ascending | descending]. Context: show>log. Description: This command displays an event log summary with settings and statistics or the contents of a specific log file, SNMP log, or memory log.
  • Page 343 If the to-seq number is not provided, the log contents to the end of the log are displayed unless the count parameter is present, in which case the number of entries displayed is limited by the count. Values: 1 to 4294967295. Default...
  • Page 344 Table 49 Log ID Output Fields: Log Id: An event log destination. Source: no: the event log filter is not currently in use by a log ID; yes: the event log filter is currently in use by a log ID; M: the event source for the log ID is the Main event category; C: the event source for the log ID is the Change event category; none: the event log filter is currently in use by a log ID...
  • Page 345 Memory or File Event Log Contents Output Example A:gal171# show log log-id 99 =============================================================================== Event Log 99 =============================================================================== Description : Default System Log Memory Log contents [size=500 next event=3722 (wrapped)] 3721 2008/02/07 09:14:06.69 UTC WARNING: SYSTEM #2006 Base LOGGER "Log File Id 2 configuration modified"...
  • Page 346 SNMP Trap Group 90 =============================================================================== Description : none ------------------------------------------------------------------------------- Name : 135.121.107.98:162 Address : 135.121.107.98 Port : 162 Version : v2c Community : private Sec. Level : none Replay : disabled First replay : n/a Last replay : never...
  • Page 347 syslog. Syntax: syslog [syslog-id]. Context: show>log. Description: This command displays syslog event log destination summary information or detailed information on a specific syslog destination. Parameters: syslog-id — displays detailed information on the specified syslog event log destination. Values: 1 to 10. Output...
  • Page 348 Table 51 Syslog Output Fields: Syslog ID: The syslog ID number for the syslog destination. IP Address: The IP address of the syslog target host. Port: The configured UDP port number used when sending syslog messages. Facility: The facility code for messages sent to the syslog target host...
  • Page 349: Clear Commands

    5.12.2.3 Clear Commands. Syntax: log log-id. Context: clear. Description: This command reinitializes/rolls over the specified memory log or log file. Memory logs are reinitialized and cleared of contents. Log files are manually rolled over by this command. This command is only applicable to event logs that are directed to file destinations and memory destinations.
  • Page 351: List Of Acronyms

    3DES triple DES (data encryption standard) third generation mobile telephone technology 6VPE IPv6 on Virtual Private Edge Router 7705 SAR 7705 Service Aggregation Router 7750 SR 7750 Service Router 9500 MPR 9500 microwave packet radio area border router available bit rate...
  • Page 352 Table 52 Acronyms (Continued): autonomous system ASAP any service, any port ASBR autonomous system boundary router any-source multicast autonomous system message autonomous system number asynchronous transfer mode ATM PVC ATM permanent virtual circuit B3ZS bipolar with three-zero substitution Batt A...
  • Page 353 boot options file bottom of stack BPDU bridge protocol data unit BRAS Broadband Remote Access Server Base Station Controller bootstrap message bootstrap router BSTA Broadband Service Termination Architecture base transceiver station certificate authority channel associated signaling...
  • Page 354 certificate management protocol C-multicast customer multicast class of service customer premises equipment Cpipe circuit emulation (or TDM) VLL Control and Processing Module (CPM is used instead of CSM when referring to CSM filtering to align with CLI syntax used with other SR products).
  • Page 355 DC-I DC return - isolated digitally controlled oscillator differential clock recovery DDoS distributed DoS discard eligibility distinguished encoding rules data encryption standard do not fragment Diffie-Hellman decimal, hexadecimal, or binary DHCP dynamic host configuration protocol DHCPv6...
  • Page 356 digital subscriber line DSLAM digital subscriber line access multiplexer data termination equipment downstream unsolicited DUID DHCP unique identifier do not use for synchronization delay variation DVMRP distance vector multicast routing protocol e911 enhanced 911 service Extensible Authentication Protocol...
  • Page 357 end of packet evolved packet core early packet discard Epipe Ethernet VLL Ethernet private line EPON Ethernet Passive Optical Network equipment protection switching explicit route object electrostatic discharge ESMC Ethernet synchronization message channel extended sequence number...
  • Page 358 FeGW far-end gateway front-end processor fixed filter fast fault detection forwarding information base FIFO first in, first out FIPS-140-2 Federal Information Processing Standard publication 140-2 fault notification generator figure of merit Fpipe frame relay VLL...
  • Page 359 Global System for Mobile Communications (2G) GTP-U GPRS tunneling protocol user plane high availability high capacity multiplexing HDB3 high density bipolar of order 3 HDLC high-level data link control protocol header error control HMAC hash message authentication code...
  • Page 360 IGMP Internet group management protocol interior gateway protocol instance ID Internet key exchange iLER ingress label edge router incoming label map inverse multiplexing over ATM INVARP inverse address resolution protocol input/output module Internet Protocol IPCP...
  • Page 361 loopback message line buildout loopback reply link control protocol label distribution protocol label edge router loop-free alternate LFIB label forwarding information base label information base LLDP link layer discovery protocol LLDPDU link layer discovery protocol data unit link loss forwarding...
  • Page 362 LSP ID to NHLFE link trace reply maintenance association media access control MA-ID maintenance association identifier make-before-break MBGP multicast BGP multiprotocol BGP multiprotocol extensions for BGP MBMS multimedia broadcast multicast service maximum buffer space maximum burst size media buffer space...
  • Page 363 maintenance entity group MEG-ID maintenance entity group identifier Metro Ethernet network maintenance association end point multi-field classification MIP half function management information base MI-IS-IS multi-instance IS-IS minimum information rate multicast listener discovery mLDP multicast LDP...
  • Page 364 MPT-MC microwave packet transport, medium capacity MPT-XP microwave packet transport, high capacity (very high power version of MPT-HC V2/9558HC) MRAI minimum route advertisement interval MRRU maximum received reconstructed unit maximum receive unit MSDP Multicast Source Discovery Protocol...
  • Page 365 network group encryption NG-MVPN next generation MVPN next hop NHLFE next hop label forwarding entry NHOP next-hop NLOS non-line-of-sight NLPID network level protocol identifier NLRI network layer reachability information NNHOP next next-hop network-to-network interface...
  • Page 366 outdoor unit outgoing interface optical line termination optical management console optical network terminal out-of-band off premises extension outbound route filtering operating system Open Systems Interconnection (reference model) OSINLCP OSI Network Layer Control Protocol OSPF open shortest path first...
  • Page 367 pulse code modulation priority code point proprietary clock recovery power distribution unit protocol data units packet delay variation PDVT packet delay variation tolerance provider edge router PEAPv0 protected extensible authentication protocol version 0 privacy enhanced mail PFoE power feed over Ethernet...
  • Page 368 point of presence packet over SONET point-to-point protocol PPPoE point-to-point protocol over Ethernet pulses per second primary reference clock primary reference source PRTC primary reference time clock power sourcing equipment pre-shared key packet switched network PSNP...
  • Page 369 route distinguisher remote defect indication random early discard RESV reservation routing information base routing information protocol RJ-45 registered jack 45 RMON remote network monitoring Radio Network Controller rendezvous point RPF RTM reverse path forwarding RTM radio protection switching...
  • Page 370 • equipped with a factory-installed GPS receiver and GNSS RF faceplate connector SAR-H 7705 Service Aggregation Router – temperature- and EMC-hardened to the following specifications: IEEE 1613 and IEC 61850-3 SAR-Hc 7705 Service Aggregation Router – compact version of 7705 SAR-H
  • Page 371 0 module slots • passively cooled chassis with 0 T1/E1 ports, 7 Ethernet ports, and 0 module slots SAR-O 7705 Service Aggregation Router passive CWDM device – three variants: • 2-wavelength CWDM dual-fiber • 4-wavelength CWDM dual-fiber • 8-wavelength CWDM single-fiber...
  • Page 372 SAR-Wx 7705 Service Aggregation Router – passively cooled, universal AC powered unit; there are six variants: • a unit that is equipped with an AC power input connector, five Gigabit Ethernet data ports (three SFP ports and two RJ-45 Ethernet ports), and an RJ-45 alarm input connector •...
  • Page 373 signal degrade space diversity synchronous digital hierarchy serial data interface software defined network service destination point shared explicit SeGW secure gateway SETS synchronous equipment timing source signal fail small form-factor pluggable (transceiver) SFTP SSH file transfer protocol...
  • Page 374 security parameter index S-PMSI selective PMSI shortest path tree service router (includes 7710 SR, 7750 SR) SRLG shared risk link group stateful request parameter SRRP subscriber routed redundancy protocol secure shell source-specific multicast synchronization status messaging...
  • Page 375 transport layer security type length value traffic management time of day type of service T-PE terminating provider edge router TPID tag protocol identifier TPIF IEEE C37.94 teleprotection interface TPMR two-port MAC relay transmission protection switching...
  • Page 376 virtual circuit voice conference bridge virtual channel connection VCCV virtual circuit connectivity verification virtual circuit identifier VLAN ID VLAN virtual LAN virtual leased line virtual machine VoIP voice over IP peak voltage virtual path virtual path connection...
  • Page 377 exclude route object
  • Page 379: Standards And Protocol Support

    7 Standards and Protocol Support. This chapter lists the 7705 SAR compliance with EMC, environmental, and safety standards, telecom standards, and supported protocols: • EMC Industrial Standards Compliance • EMC Regulatory and Customer Standards Compliance •...
  • Page 380: Table 53 Emc Industrial Standards Compliance

    Table 53 EMC Industrial Standards Compliance (columns: Standard, Title, Platform): IEEE 1613:2009 + A1:2011, IEEE Standard Environmental and Testing Requirements for Communications Networking Devices Installed in Electric Power Substations; IEEE 1613.1-2013, IEEE Standard Environmental and...
  • Page 381: Table 54 Emc Regulatory And Customer Standards Compliance

    Notes: 1. Performance Class 1 2. Performance Class 1 (Class 2 with Optics interfaces only) 3. Performance Class 2 4. Zone A; Performance Class 1 5. Zone A; Performance Class 1 (Class 2 with Optics interfaces only) 6.
  • Page 382 Table 54 EMC Regulatory and Customer Standards Compliance (Continued): IEC 61000-3-3, Limits for voltage fluctuations and flicker in low-voltage supply systems for equipment with rated current <16A...
  • Page 383 Table 54 EMC Regulatory and Customer Standards Compliance (Continued): EN 55022, Information technology equipment. Radio disturbance characteristics. Limits and methods of measurement; EN 55032, Electromagnetic compatibility of...
  • Page 384: Table 55 Environmental Standards Compliance

    Table 55 Environmental Standards Compliance (columns: Standard, Title, Platform): IEEE 1613:2009 + A1:2011, Environmental and Testing Requirements for Communications Networking Devices; IEC 61850-3, Communication networks and systems...
  • Page 385: Table 56 Safety Standards Compliance

    Table 55 Environmental Standards Compliance (Continued): “GR-3108 Class 3 Conformal Coating Section 6.2 IEC 60068-2-52 - Severity 3 MIL-STD-810G Method 509.5 EN 60721-3-3 Class EN 60068-2-11: Salt Mist EN 50155 Class ST4”...
  • Page 386 Table 56 Safety Standards Compliance (Continued): IEC/EN 60825-1 and 2, Safety of laser products - Part 1: Equipment classification and requirements; Part 2: Safety of optical fibre communication systems (OFCS)
  • Page 387: Table 57 Telecom Interface Compliance

    Table 57 Telecom Interface Compliance (columns: Standard, Title, Platform): IC CS-03 Issue 9, Compliance Specification for Terminal Equipment, Terminal Systems, Network Protection Devices, Connection Arrangements and Hearing Aids Compatibility...
  • Page 388: Table 58 Directives, Regional Approvals And Certifications Compliance

    Table 57 Telecom Interface Compliance (Continued): ITU-T V.11 / X.27, Electrical characteristics for balanced (RS-422) double current interchange circuits operating at data signalling rates up to 10 Mbit/s...
  • Page 389 Table 58 Directives, Regional Approvals and Certifications Compliance (Continued): South Korea (KC Mark)...
  • Page 390 Security Standards: FIPS 140-2—Federal Information Processing Standard publication 140-2, Security Requirements for Cryptographic Modules. Telecom Standards: ANSI/TIA/EIA-232-C—Interface Between Data Terminal Equipment and Data Circuit-Terminating Equipment Employing Serial Binary Data Interchange; IEEE 802.1ad—IEEE Standard for Local and Metropolitan Area Networks---Virtual Bridged Local Area Networks; IEEE 802.1ag—Service Layer OAM; IEEE 802.1p/q—VLAN Tagging...
  • Page 391 ITU-T Recommendation I.432.1—B-ISDN user-network interface - Physical layer specification: General characteristics; ITU-T Recommendation I.610—B-ISDN Operation and Maintenance Principles and Functions version 11/95; RFC 2514—Definitions of Textual Conventions and OBJECT_IDENTITIES for ATM Management, February 1999; RFC 2515—Definition of Managed Objects for ATM Management, February 1999; RFC 2684—Multiprotocol Encapsulation over ATM Adaptation Layer 5; draft-ietf-bfd-mib-00.txt—Bidirectional Forwarding Detection Management...
  • Page 392 RFC 6514—BGP Encodings and Procedures for Multicast in MPLS/BGP IP VPNs; draft-ietf-idr-add-paths-04.txt—Advertisement of Multiple Paths in BGP; draft-ietf-idr-add-paths-guidelines-00.txt—Best Practices for Advertisement of Multiple Paths in BGP. DHCP/DHCPv6: RFC 1534—Interoperation between DHCP and BOOTP; RFC 2131—Dynamic Host Configuration Protocol (REV); RFC 2132—DHCP Options and BOOTP Vendor Extensions; RFC 3046—DHCP Relay Agent Information Option (Option 82)
  • Page 393 ITU-T G.998.2—SHDSL 4-pair EFM bonding; ITU-T G.998.4 G.inp—Physical layer retransmission; ITU-T Y.1564 Ethernet service activation test methodology; TR-060—SHDSL rate and reach; TR112 (U-R2 Deutsche Telekom AG) Version 7.0 and report of Self-Test-Result (ATU-T Register#3). ECMP: RFC 2992—Analysis of an Equal-Cost Multi-Path Algorithm. Frame Relay...
  • Page 394 RFC 5280—Internet X.509 Public Key Infrastructure Certificate and Certificate Revocation List (CRL) Profile; RFC 5996—Internet Key Exchange Protocol Version 2 (IKEv2). IPv6: RFC 2460—Internet Protocol, Version 6 (IPv6) Specification; RFC 2462—IPv6 Stateless Address Autoconfiguration; RFC 2464—Transmission of IPv6 Packets over Ethernet Networks; RFC 3587—IPv6 Global Unicast Address Format; RFC 3595—Textual Conventions for IPv6 Flow Label...
  • Page 395 RFC 5036—LDP Specification; RFC 5283—LDP Extension for Inter-Area Label Switched Paths; RFC 5443—LDP IGP Synchronization; RFC 6388—Label Distribution Protocol Extensions for Point-to-Multipoint and Multipoint-to-Multipoint Label Switched Paths; RFC 6512—Using Multipoint LDP When the Backbone Has No Route to the Root; draft-pdutta-mpls-mldp-up-redundancy-00.txt—Upstream LSR Redundancy for Multi-point LDP Tunnels. LDP and IP FRR...
  • Page 396 Network Management: IANA-IFType-MIB; ITU-T X.721—Information technology- OSI-Structure of Management Information; ITU-T X.734—Information technology- OSI-Systems Management: Event Report Management Function; M.3100/3120—Equipment and Connection Models; RFC 1157—SNMPv1; RFC 1850—OSPF-MIB; RFC 1907—SNMPv2-MIB; RFC 2011—IP-MIB; RFC 2012—TCP-MIB; RFC 2013—UDP-MIB; RFC 2030—Simple Network Time Protocol (SNTP) Version 4 for IPv4, IPv6 and OSI; RFC 2096—IP-FORWARD-MIB...
  • Page 397 draft-ietf-disman-alarm-mib-04.txt; draft-ietf-mpls-ldp-mib-07.txt; draft-ietf-ospf-mib-update-04.txt; draft-ietf-mpls-lsr-mib-06.txt; draft-ietf-mpls-te-mib-04.txt; TMF 509/613—Network Connectivity Model. OSPF: RFC 1765—OSPF Database Overflow; RFC 2328—OSPF Version 2; RFC 2370—Opaque LSA Support; RFC 2740—OSPF for IPv6; RFC 3101—OSPF NSSA Option; RFC 3137—OSPF Stub Router Advertisement; RFC 3509—Alternative Implementations of OSPF Area Border Routers; RFC 3623—Graceful OSPF Restart (support for Helper mode); RFC 3630—Traffic Engineering (TE) Extensions to OSPF...
  • Page 398 RFC 4385—Pseudowire Emulation Edge-to-Edge (PWE3) Control Word for Use over an MPLS PSN; RFC 4446—IANA Allocation for PWE3; RFC 4447—Pseudowire Setup and Maintenance Using the Label Distribution Protocol (LDP); RFC 4448—Encapsulation Methods for Transport of Ethernet over MPLS Networks; RFC 4553—Structure-Agnostic Time Division Multiplexing (TDM) over Packet (SAToP); RFC 4717—Encapsulation Methods for Transport of Asynchronous Transfer Mode...
  • Page 399 RFC 4090—Fast Reroute Extensions to RSVP-TE for LSP Tunnels; RFC 5440—Path Computation Element (PCE) Communication Protocol (PCEP); draft-ietf-pce-stateful-pce—PCEP Extensions for Stateful PCE; draft-ietf-pce-segment-routing—PCEP Extensions for Segment Routing; draft-alvarez-pce-path-profiles—PCE Path Profiles. SONET/SDH: GR-253-CORE—SONET Transport Systems: Common Generic Criteria. Issue 3, September 2000; ITU-T Recommendation G.841—Telecommunication Standardization Section of ITU, Types and Characteristics of SDH Networks Protection Architecture,...
  • Page 400 VRRP: RFC 2787—Definitions of Managed Objects for the Virtual Router Redundancy Protocol; RFC 3768 Virtual Router Redundancy Protocol; RFC 5798 Virtual Router Redundancy Protocol Version 3 for IPv4 and IPv6. Proprietary MIBs: TIMETRA-ATM-MIB.mib TIMETRA-CAPABILITY-7705-V1.mib TIMETRA-CHASSIS-MIB.mib TIMETRA-CLEAR-MIB.mib TIMETRA-FILTER-MIB.mib TIMETRA-GLOBAL-MIB.mib TIMETRA-LAG-MIB.mib TIMETRA-LDP-MIB.mib TIMETRA-LOG-MIB.mib...
  • Page 401 TIMETRA-MPLS-MIB.mib TIMETRA-OAM-TEST-MIB.mib TIMETRA-PORT-MIB.mib TIMETRA-PPP-MIB.mib TIMETRA-QOS-MIB.mib TIMETRA-ROUTE-POLICY-MIB.mib TIMETRA-RSVP-MIB.mib TIMETRA-SAP-MIB.mib TIMETRA-SDP-MIB.mib TIMETRA-SECURITY-MIB.mib TIMETRA-SERV-MIB.mib TIMETRA-SYSTEM-MIB.mib TIMETRA-TC-MIB.mib TIMETRA-VRRP-MIB.mib
  • Page 403 Customer Document and Product Support Customer documentation Customer Documentation Welcome Page Technical Support Product Support Portal Documentation feedback Customer Documentation Feedback...
  • Page 404 © 2016-2017 Nokia. 3HE 11018 AAAC TQZZA...
