Alcatel-Lucent OmniAccess 5740 Cli Configuration Manual

Unified services gateway

OmniAccess 5740
Unified Services Gateway
CLI Configuration Guide
Release 3.0
26801 West Agoura Road
Calabasas, CA 91301
(818) 880-3500
FAX (818) 880-3505
support@ind.alcatel.com
US Customer Support—(800) 995-2696
International Customer Support—(818) 878-4507
Internet—service.esd.alcatel-lucent.com
Website: www.alcatel-lucent.com
Part No: 060316-00, Rev A


Summary of Contents for Alcatel-Lucent OmniAccess 5740

  • Page 1 OmniAccess 5740 Unified Services Gateway CLI Configuration Guide Release 3.0 26801 West Agoura Road Calabasas, CA 91301 (818) 880-3500 FAX (818) 880-3505 support@ind.alcatel.com...
  • Page 2 The following information is for the Users of the OmniAccess 5740 Unified Services Gateway: If it is not installed in accordance with the installation instructions, it may not function exactly to the said specifications.
  • Page 3: Table Of Contents

    Table of Contents Preface......................1 About This Guide ........................1 Audience ........................... 1 Organization..........................2 Part I - Introduction ......................2 Part II - LAN Interfaces ....................... 2 Part III- WAN Interfaces...................... 3 Part IV - Packet Classification .................... 4 Part V - Routing Protocols ....................
  • Page 4 Traceroute ........................55 Example..........................55 Terminal Settings ........................58 Example..........................58 System Name.......................... 58 Example..........................58 AAA Configuration on OmniAccess 5740 USG............... 59 To Enable AAA Services ....................59 Example..........................59 Authentication Commands ....................60 Show Commands ......................76 Clear Commands......................
  • Page 5 Example..........................89 The File System ........................90 Example 1......................... 90 Example 2......................... 91 Copying Files........................91 Example..........................91 Deleting Files........................92 Example..........................92 Configuration File Management ..................93 Software Package Management ................... 101 Package Types....................... 101 Reloading the System ......................107 Example..........................
  • Page 6 ................ 148 Monitor and Debug VRRP ....................153 VRRP Interface Tracking ...................... 156 Alcatel-Lucent's Interface Tracking Design ..............156 VRRP Configuration Scenario using OmniAccess 5740 USG ..........158 Procedure ........................158 VRRP Configuration ....................... 159 Part 2: LAN Interfaces and Configuration 5 Ethernet Interfaces on SE................163...
  • Page 7 OmniAccess 5740 USG as a Switch with no VLANs............196 OmniAccess 5740 USG as a Switch with VLANs............197 7 Per VLAN Spanning Tree +................199 Chapter Conventions ...................... 199 Per VLAN Spanning Tree (PVST+) Overview............... 200 PVST+ Configuration ......................201 PVST+ Configuration Steps....................
  • Page 8 Port Monitoring Configuration Steps................245 Port Monitoring Commands .................... 246 Port Monitoring Configuration on OmniAccess 5740 USG ........... 247 Part 3: WAN Interfaces and Protocols 11 T1E1 Line Card ...................251 Chapter Conventions ...................... 251 T1 and E1 Overview......................252 E1 Interface Overview......................
  • Page 9 16 Point-to-Point Protocol over Ethernet (PPPoE)........355 Chapter Conventions ...................... 355 PPPoE Overview........................356 PPPoE Operation ......................356 Alcatel-Lucent Specific Overview on PPPoE Features ..........356 PPPoE Configuration ......................357 PPPoE Configuration Steps ................... 358 PPPoE Configuration Flow ..................... 360 PPPoE Configuration Commands ..................
  • Page 10 OAM Configuration on OmniAccess 5740 USG..............400 OAM Configuration Steps ....................400 OAM Configuration Flow ....................403 OAM Configuration Commands..................404 OAM Configuration using OmniAccess 5740 USG ............... 421 Configuration Steps ......................421 20 Bridging Configuration ................423 Chapter Conventions ...................... 423 Bridging overview........................
  • Page 11 Bridging Configuration Commands................. 429 BCP Configuration using OmniAccess 5740 USG..............436 Topology for BCP Configuration on OmniAccess 5740 USG ......... 436 21 Link Fragmentation and Interleaving (LFI)..........437 Chapter Conventions ...................... 437 LFI Overview ......................... 438 Alcatel-Lucent Specific Overview on LFI Features ............
  • Page 12 BGP Configuration Flow ....................561 BGP Configuration Commands ..................562 BGP Show Commands....................564 BGP Clear Commands ....................567 A Typical BGP Example Using OmniAccess 5740 USG............570 26 Open Shortest Path First ................573 Chapter Conventions ...................... 573 OSPF Overview ........................574 OSPF Configuration ......................
  • Page 13 OSPF Optional Parameters .................... 579 Show Commands in OSPF..................... 597 Clear Commands in OSPF ..................... 606 OSPF Configuration on OmniAccess 5740 USG ..............607 Example 1........................607 27 Multicast Routing ..................609 Chapter Conventions ...................... 609 Multicast Overview ........................ 611 Protocol Independent Multicast (PIM) ................
  • Page 14 Configuration....................696 DNAT Configuration Steps ..................... 697 DNAT Configuration Flow ....................699 DNAT Configuration Commands ..................700 Sample Configuration Example of DNAT on OmniAccess 5740 USG ......704 Bypass IPsec Traffic....................... 705 NAT Show Commands ....................706 NAT Clear Commands ....................
  • Page 15 Commands..................787 Customized-service Rule Based ALG Configuration ............794 Customizing ALG Commands ..................794 Typical Rule Based ALG and DNAT Example Using OmniAccess 5740 USG ..... 797 Security - Best Practices ....................... 799 Rules for Configuring Packet Filters ................799 32 IP Security - Virtual Private Network ............803...
  • Page 16 ......................807 IPsec Connection Types....................807 IPsec Concepts ......................809 Benefits of IPsec Enabled VPN ..................814 Default Configuration Setting on OmniAccess 5740 USG..........815 IPsec VPN Configuration ...................... 816 IPsec VPN Configuration Steps..................816 IPsec VPN Configuration Flow ..................818 IPsec Configuration Commands ..................
  • Page 17 Before You Configure IPsec Tunnel Interface ..............871 Default Configuration for an IPsec Profile on OmniAccess 5740 USG ......872 IPsec Tunnel Interface Configuration..................873 IPsec Tunnel Interface Configuration Steps ..............873 IPsec Tunnel Interface Configuration Flow..............875 IPsec Tunnel Interface Configuration Commands............
  • Page 18 GRE Configuration Flow ....................945 GRE Configuration Commands ..................946 GRE Configuration Scenarios using OmniAccess 5740 USG ..........950 1. GRE Configuration ..................... 950 2. GRE + IP Filters + DoS Configuration ..............953 3. GRE over IPsec Configuration ................. 955 35 Transparent Firewall ..................959...
  • Page 19 DHCP Client Configuration ....................1058 DHCP Client Configuration Steps................. 1058 DHCP Client Configuration Flow .................. 1060 DHCP Client Configuration Commands ............... 1061 DHCP Client Show Commands ..................1067 DHCP Client Test Scenarios using OmniAccess 5740 USG ..........1069 Configuration Steps ...................... 1069...
  • Page 20 Steps................. 1097 DDNS Client Configuration Flow .................. 1099 DDNS Client Configuration Commands ............... 1100 GRE Tunnel with DDNS Client Test Scenario using OmniAccess 5740 USG....1107 Configuration Steps ...................... 1108 IPsec Tunnel with DDNS Client Test Scenario using OmniAccess 5740 USG....
  • Page 21 System.......... 1123 Example........................1123 Display Messages ......................1123 Part 10: Appendices A Well Defined Port Numbers for Services............3 B MIBs Supported in OmniAccess 5740 USG ..........11 C Standards Supported by OmniAccess 5740 USG ........13 IETF Standards ........................13 Authentication......................13 SNMP ..........................13...
  • Page 22 IP-precedence Mnemonics....................21 Mnemonics........................ 21 E IPsec Interoperability of OmniAccess 5740 USG ........23 Configuring IPsec Tunnel Between OmniAccess 5740 USG and VPN Firewall Brick .... 23 Configuration ........................24 Verification........................28 Configuring IPsec between OmniAccess 5740 USG and Sonicwall (PRO 3060)....
  • Page 23 cURL..........................58 PCRE..........................58 ..........................59 GNU General Public License.................... 60 GNU Lesser General Public License ................66 Mozilla Public License ...................... 75...
  • Page 24 L2 Switching Configuration Flow 184 Switching with no VLANs 196 Switching with VLAN 197 PVST+ Configuration Flow 202 PVST+ Topology 210 Spanning Tree Topology on OmniAccess 5740 USG 212 IRB Topology 219 802.1X deployment scenario 222 Message Exchange 224 802.1X Configuration Flow 229 802.1X Topology 238...
  • Page 25 QoS Traffic Shaping Using OmniAccess 5740 USG 1022 QoS Priority Queuing Using OA-5740 1023 DHCP Server Configuration Flow 1041 DHCP Server Test Scenario using OmniAccess 5740 USG 1053 DHCP client configuration flow 1060 DHCP client test scenario using OmniAccess 5740 USG 1069...
  • Page 26 DNS Client Test Scenario using OmniAccess 5740 USG 1094 DDNS client configuration flow 1099 GRE tunnel with DDNS client configuration scenario using OmniAccess 5740 USG 1107 IPsec with DDNS client configuration scenario using OmniAccess 5740 USG 1110 IPsec Interoperability Between OmniAccess 5740 USG and VPN Firewall Brick 23...
  • Page 27: Preface

    This guide describes the CLI commands used to configure different services available in the OmniAccess 5740 Unified Services Gateway (OmniAccess 5740 USG). It focuses on accessing the OmniAccess 5740 USG by using the Command Line Interface (CLI). In addition to showing how to configure each feature, this guide also provides background on why a user might need the service and how it works.
  • Page 28: Organization

    “Virtual Router Redundancy Protocol” details a study on VRRP implementation on the OmniAccess 5740 USG. It is a method of providing nonstop path redundancy and gateway redundancy for an enterprise network by sharing protocol and Media Access Control (MAC) addresses between redundant gateways.
  • Page 29: Part Iii- Wan Interfaces

    Chapter 19 “Ethernet OAM (Operations, Administration, and Maintenance)” deals with configuration of Ethernet OAM on OmniAccess 5740 USG. Chapter 20 “Bridging Configuration” covers the commands used to configure bridging on OmniAccess 5740 USG.
  • Page 30: Part Iv - Packet Classification

    “Virtual Routing and Forwarding” covers the Virtual Routing and Forwarding Customer Edge (VRF-CE) configuration on the OmniAccess 5740 USG. VRF-CE is a feature that enables a service provider to support two or more VPNs, where IP addresses can be overlapped among the VPNs.
  • Page 31: Part Vi - Network Security Cli

    Chapter 36 “Quality of Service” provides the configuration commands for QoS. It includes CLI commands for configuring policing, shaping, queueing network traffic, auto QoS, etc.
  • Page 32: Part Viii - Tcp/Ip Services

    “DHCP (Dynamic Host Configuration Protocol) Server” that focuses on DHCP Server configuration. Chapter 38 “DHCP (Dynamic Host Configuration Protocol) Client” documents the commands for DHCP client configuration on OmniAccess 5740 USG. Chapter 39 “TFTP (Trivial File Transfer Protocol) Server” documents the TFTP Server configuration commands.
  • Page 33: Document Conventions

    The 'no' form of a command is issued to either set it to its default value or to negate it. [ ^ ] in the command indicates negation.
  • Page 34: Obtaining Documentation

    Warning: Warning is used in similar cases as caution. This also indicates a situation where the reader needs to pay extra attention to avoid hazardous situations. Obtaining Documentation: Alcatel-Lucent provides several ways to obtain technical assistance and other technical resources. Documents can be downloaded from our support site service.esd.alcatel-lucent.com. Reference...
  • Page 35: Obtaining Technical Assistance

    For all customers, partners, resellers, and distributors who hold valid Alcatel-Lucent service contracts, the Alcatel-Lucent Technical Support Team provides 24-hour-a-day technical support services online and over the phone. For Customer issues and help, contact:...
  • Page 37: Part 1 Introduction

    Part 1 Introduction
  • Page 39: The Command Line Interface

    Overview: The Command Line Interface (CLI) is the primary interface to access the OmniAccess 5740 USG. The CLI is the interface for console and connections via SSH, Telnet, and Modem. The CLI, which automatically starts once the required processes are up, provides commands that you can use to perform various tasks, including configuring the OmniAccess 5740 USG, monitoring and troubleshooting the system, enabling network connectivity, and verifying the system hardware.
  • Page 40: Introduction To Cli Modes

    User Mode (UM) and Super User Mode (SUM). When you log in to the OmniAccess 5740 USG and start the CLI session, you are at the top level of the CLI User Mode which is the User Mode (UM).
  • Page 41: Cli Modes

    IPSec, Time-Range etc. Sub-Interface Configuration Mode (S-ICM): This mode is accessed from Interface Configuration Mode. This is a sub-mode of the ICM. Figure 1: Configuration Modes
  • Page 42: Cli Modes

    The command “top” is used to jump to configuration mode from whichever mode you are in.
  • Page 43 Set terminal line parameters service Show running system information show Open a SSH connection Open a telnet connection telnet Set terminal line parameters terminal Trace route to destination traceroute
  • Page 44 List files on a filesystem Turn off privileged commands.Exits from disable the SUM to the UM mode. Erase a filesystem erase Exit from current mode exit Description of the interactive help help system
  • Page 45 Open a ssh connection Open a telnet connection telnet Set terminal line parameters terminal Trace route to destination traceroute Disable debugging functions undebug Write running configuration to memory, write network, or terminal
  • Page 46 Change a dialer list rule's line number change Set QoS Class Map. class-map Terminating the Session clear System clock settings clock Select a controller to configure controller IPSEC VPN module crypto Customize services customized-service
  • Page 47 Configure the mac address table mac-address-table Define/Modify a match-list match-list NAT port reservation nat-ip Negate a command or set its defaults Enters OAM global configuration mode Package Manipulation package Add a Policy-Map policy-map
  • Page 48 Define/Modify a time range object time-range Enter top level configuration mode Define/modify transparent-forward policy transparent-forward Debugging functions (see also undebug 'undebug') Go up one mode Establish user name authentication username
  • Page 49 ALU(config)# controller E1 0/0 ALU(config-controller E1)# ALU(config-controller E1)# exit ALU(config)# ALU(config)#interface Serial 0/0:0 ALU(config-if Serial0/0:0)# To exit the ICM and return to the CM, enter the Exit command. ALU(config-if GigabitEthernet3/0)# exit ALU(config)#
  • Page 50 To exit from the S-ICM and return to the ICM, use the Exit command. To end your configuration session and return to SUM mode, press Ctrl-Z or enter the End command.
  • Page 51: Exiting Configuration Modes

    UM mode. You can use the Exit command in any configuration mode to return to the previous configuration mode. Example: ALU# configure Enter configuration commands, one per line. End with CNTL/Z. ALU(config)# interface GigabitEthernet 3/0 ALU(config-if GigabitEthernet3/0)# ^Z ALU#
  • Page 52: Initial Setup

    ALU(config-if GigabitEthernet3/0)# top ALU(config)# Initial Setup: Whenever the system configuration is empty, you are automatically entered into the initial setup program, which takes you through the basic configuration steps.
  • Page 53: Using The Command Line Interface

    Disable Tab completion no service completion tab-complete Example: ALU(config)# service completion spacebar-complete ALU(config)# no service completion spacebar-complete ALU(config)# service completion tab-complete ALU(config)# no service completion tab-complete
  • Page 54 This type of Help is called the Word Help. Example: ALU(config)# show i? ** PRIVILEGE COMMANDS ** inband inband interfaces Display information for all interfaces internal Internal info IP information ip-policy ip-policy keyword IPX protocol
  • Page 55 OSPF information PIM information protocols IP routing protocol process parameters and statistics IP RIP show commands route IP routing table traffic IP Traffic Statistics VPN Routing/Forwarding instance information
  • Page 56: Partial Help

    When you enter a partial command (part of a command) and press the Enter key, the CLI executes the best matched command. Example: ALU(config)# sh ip int br Interface IP Address Admin State Oper State GigabitEthernet3/0 unassigned down GigabitEthernet3/1 10.91.1.146
  • Page 57: Command Line Editing

    Ctrl-I Complete command. History This gives the list of all commands entered in the present session, with a maximum limit of 2000 commands.
  • Page 58 Esc, L Changes the letters from the cursor to the end of the word to lowercase. Esc, U Capitalizes letters from the cursor to the end of the word.
  • Page 59: Command History

    12: configure t 13: interface GigabitEthernet 3/05B 14: interface GigabitEthernet 3/0.1 15: interface GigabitEthernet 3/0:3.1 16: service completion spacebar-complete 17: no service completion spacebar-complete 18: no service completion 19: show history
  • Page 60: Configuring Interfaces

    <64-1500> MTU (Maximum Transmission Unit) size. IP Interface Configuration. Command (in ICM): ip address {<ip-address subnet-mask>|<ip-address/prefix-length>}. Description: Assigns an IP address and subnet mask to the interface.
  • Page 61: Interface Show Commands

    0 output errors, 0 collisions, 0 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 pause output 0 output buffer copied, 0 interrupts, 0 failures
  • Page 62 Tunnel0 is up, line protocol is down Internet address is 192.168.1.2/30 MTU 1476 bytes, BW 1000000 Kbit, DLY 0 usec, reliability 255/255, txload 0/255, rxload 0/255 Loopback not set
  • Page 63 Status Protocol switchport1/0 Down Down switchport1/1 Down Down switchport1/2 Down Down switchport1/3 Down Down GigabitEthernet3/0 Down GigabitEthernet3/1 Down Tunnel0 Down Tunnel1 Down Tunnel3 Down Tunnel5 Down mlppp1 Down Down
  • Page 64 IP Address Admin State Oper State GigabitEthernet1/0 unassigned down down GigabitEthernet1/1 unassigned down down Vlan213 2.2.2.2 down down 4.4.4.4 (s) Loopback222 3.3.3.3 Loopback2 9.9.9.9 1.1.1.1 (s) 7.7.7.7 (s) Loopback1 unassigned
  • Page 65: Clear Interface Commands

    Mode. This command administratively brings down the interface. no shutdown: This is entered in the Interface Configuration Mode. This command administratively brings up the interface. Example: ALU(config-if GigabitEthernet3/0)# shutdown ALU(config-if GigabitEthernet3/0)# no shutdown
  • Page 66: Backup Interface

    no backup interface <interface-name>: This command is used to remove an interface as a backup interface. Example: ALU(config-if GigabitEthernet3/0)# backup interface Serial1/0:0 ALU(config-if GigabitEthernet3/0)# no backup interface Serial1/
  • Page 67 0 output errors, 0 collisions, 0 interface resets 0 babbles, 0 late collision, 0 deferred 0 lost carrier, 0 no carrier, 0 pause output 0 output buffer copied, 0 interrupts, 0 failures
  • Page 68 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions Timeslot(s) Used:1-24 (64Kbps each), Transmitter delay is 0 flags
  • Page 69: System Configuration And Monitoring

    System Configuration and Monitoring Tasks: There are several mandatory and optional configuration options available to configure the OmniAccess 5740 USG. To get a clear insight on them, refer to the following sections: • “Management Plane Overview” • “Terminal Settings”...
  • Page 70: Chapter Conventions

    Configuration Mode - ALU (config)# Interface Configuration Mode - ALU (config-if)# Management Information Base Network Time Protocol SNMP Simple Network Management Protocol Super User Mode - ALU# User Datagram Protocol User Security Model
  • Page 71: Management Plane Overview

    Console or Modem. Console Access: The console port is located in the front panel of the OmniAccess 5740 USG. The console parameters can be set with the commands given below. Command (in CM) Description This command is used to configure the...
  • Page 72 Modem Access: The OmniAccess 5740 USG can be managed using the modem port on its front panel. Command (in CM): modem {enable|disable}. Description: This command is used to enable or disable the modem port.
  • Page 73: Inband Management (Ssh And Telnet)

    IP address. Hence, it is required to clear the file before you can establish a session to the same IP address across VRFs.
  • Page 74 Warning: Permanently added '172.25.19.1' (RSA) to the list of known hosts. root@172.25.19.1's password: Last login: Mon Dec 6 17:34:48 2004 [root@linux-sw root]# exit logout Connection to 172.25.19.1 closed. ALU(config)# clear known_hosts
  • Page 75 “Connecting the System to the Network” section in the OmniAccess 5740 Unified Services Gateway Hardware Users Guide. There is a limit on the number of non-console CLI sessions, using SSH, Telnet, and modem. The limit is two sessions for OmniAccess 5740 USG. This excludes the console session. HTTP (H...
  • Page 76 show access-server status: Use this command to see the list of inband-management services that are currently enabled. Example: ALU(config)# show access-server status http enable https enable ssh enable
  • Page 77: Idle Timeout

    USG and any remote machine. Example: ALU(config)# ping 192.168.10.121 Sending 5,64-byte ICMP Echos to 192.168.10.121, timeout is 10 seconds !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 0.124/0.191/0.356 ms
  • Page 78 Extended: When a normal ping command is sent from an OmniAccess 5740 USG, the source address of the ping is the IP address of the interface that the packet uses to exit the router. If an extended ping command is used, the source IP address can be changed to any IP address on the OmniAccess 5740 USG.
  • Page 79 Anything less than 80 percent is usually considered problematic. round-trip min/avg/max = 2/4/5 ms: Round-trip travel time intervals for the protocol echo packets, including minimum/average/maximum (in milliseconds).
  • Page 80 Set the df-bit value[n]: Set the ttl value[64]: Press ^C to Stop.. Sending 7,92-byte ICMP Echos to 2.2.2.12,timeout is 2 seconds !!!!!!! Success rate is 100 percent (7/7),round-trip min/avg/max = 3.499/3.833/3.915 ms
  • Page 81: Traceroute

    The command terminates when any of these happens: • the destination responds • the maximum TTL is exceeded • the user interrupts the trace with the escape sequence.
  • Page 82 Enter the Target IP address: Enter the Source IP Address: The interface or IP address of the OmniAccess 5740 USG to be used as a source address for the probes. If source IP address is not specified, the router normally picks the IP address of the outbound interface to use.
  • Page 83 Enter the Destination Port[33434]: Enter the TOS value[0x0]: Set the df-bit value[n]: traceroute to 2.2.2.12 (2.2.2.12), 30 hops max, 38 byte packets. 2.2.2.12 (2.2.2.12) 3.151 ms 2.2.2.12 (2.2.2.12) 4.089 ms
  • Page 84: Terminal Settings

    ‘hostname’ command. The host name shows up in the CLI prompt. Command (in CM): hostname <name>. Description: To configure the system name. Example: ALU(config)# hostname ALU
  • Page 85: Aaa Configuration On Omniaccess 5740 Usg

    The OmniAccess 5740 USG is targeted at the edge of enterprises that have a good deal of valuable data in their networks. It is important to ensure that the customer has knowledge and control over the...
  • Page 86: Authentication Commands

    Stores the user password in an encrypted format. no username <user-name>: The ‘no’ command deletes the specified user account. Example: ALU(config)# username ALU1 password pass1 ALU(config)# username ALU1 nopassword ALU(config)# username ALU1 secret pass2
  • Page 87 The following error is displayed if you try to configure a RADIUS server group with the name ‘local’: ALU(config)# aaa server-group radius local The name of the Group is reserved ALU(config)# no aaa server-group radius rad1
  • Page 88 Deadtime: The time (in minutes) that should elapse, before you again try to connect to a non-responding server. • Key: This is the encryption key between the OmniAccess 5740 USG and the RADIUS server. • Timeout: This determines the number of seconds that the OmniAccess 5740 USG should wait for a reply from the RADIUS server before retrying.
  • Page 89 The default key is “” (empty string). The ‘no’ command deletes the global RADIUS key from the configuration, and resets it to default (for all servers that do not have a server specific key). Alcatel-Lucent OmniAccess 5740 Unified Services Gateway CLI Configuration Guide Beta Beta...
  • Page 90 XAMPLE ALU(config)# radius-server auth-port 1800 ALU(config)# radius-server deadtime 10 ALU(config)# radius-server key test ALU(config)# radius-server retransmit 5 ALU(config)# radius-server timeout 10 Alcatel-Lucent OmniAccess 5740 Unified Services Gateway CLI Configuration Guide Beta Beta...
  • Page 91 The following error is displayed if you try to configure a TACACS+ server group with the name ‘local’: ALU(config)# aaa server-group tacacs local The Name of the Group is reserved ALU(config)# no aaa server-group tacacs tac1
  • Page 92 Authentication Port (auth-port): This is the destination port on which the TACACS+ server is listening. • Key: This is the encryption key between the OmniAccess 5740 USG and the TACACS+ server. • Timeout: This determines the number of seconds that the OmniAccess 5740 USG should wait for a reply from the TACACS+ server before retrying.
  • Page 93 (for all servers that do not have a server specific timeout value). EXAMPLE ALU(config)# tacacs-server auth-port 100 ALU(config)# tacacs-server key test1 ALU(config)# tacacs-server timeout 10
  • Page 94 Remote clients will be denied access with the message 'No password Set'. This is the default behavior. EXAMPLE ALU(config)# enable secret test Secret for level 15 is set
  • Page 95 ALU(config)# aaa method-list m1 rad3 One of the Specified Groups doesn't have any server in it ALU(config)# no aaa method-list m1
  • Page 96 [no] aaa authentication enable <method-list-name>: This command associates an already configured method-list with clients seeking access to SUM. The 'no' command removes the associated method list from the enable client-type.
  • Page 97 EXAMPLE ALU(config)# aaa authentication console m1 ALU(config)# aaa authentication dot1x m2 ALU(config)# aaa authentication enable m1 ALU(config)# aaa authentication remotelogin m1 ALU(config)# aaa authentication web m1
  • Page 98 Serial number: DG0818000008 Revision: 00 Version: 03 BP - ALU OA740 chassis (passive) Slot number: 29 Part number: 902610-90 Manufacturer: Description: Serial number: DG0812000678 Version: 00 Revision: 00 Base MAC: 00:11:8b:02:91:00
  • Page 99 You can then log in using the newly configured superadmin password. Note: If for any reason you are not able to reset the superadmin password using the above procedure, follow the rescue mode options in the “Rescue Mode Options” section.
  • Page 100 The default text> password-prompt is "Password:". The 'no' command brings the default back into effect. EXAMPLE ALU(config)# aaa authentication banner @Only authorized access permitted.@
  • Page 101 ALU(config)# aaa authentication success-message $Login attempt successfull.$ ALU(config)# aaa authentication fail-message $Login failed!$ ALU(config)# aaa authentication username-prompt u1 ALU(config)# aaa authentication password-prompt p1
  • Page 102: Show Commands

    EXAMPLE ALU(config)# show aaa-users Session-ID UserName ClientType Remote-Address superadmin Console guest 10.91.2.87 firewall-admin TELNET 154.34.222.1 superadmin HTTP 143.23.34.12
  • Page 103 Command (in SUM/CM): show aaa-client-methodlist-associations. Description: This command displays the associations between client types and method-lists. EXAMPLE ALU(config)# show aaa-client-methodlist-associations aaa authentication remotelogin m2 aaa authentication web m1
  • Page 104: Clear Commands

    This can be used to clear a misbehaving or an unnecessary session. The session ID can be obtained from the ‘show aaa-users’ command. EXAMPLE ALU(config)# clear session 5
  • Page 105: Setting And Displaying The System Time And Date

    The failure of the RTC to maintain the correct time after a power cycle may be a symptom of a discharged battery. The internal battery is not field serviceable. Contact Services & Support for chassis replacement instructions.
  • Page 106: Set Time Zone

    ALU(config)# show clock RTC set to Tue Sep 29 11:50:11 2009 System time is Tue Sep 29 17:20:11 IST 2009 Timezone set to ASIA/CALCUTTA Not synchronized with external source
  • Page 107: Clock Synchronize

    EXAMPLE ALU(config)# clock synchronize using ntp server 10.91.2.87 every 120 minutes This command has no output. To verify the settings, use the ‘show clock’ command described in this section.
  • Page 108: System Logging And Debugging

    System Logging and Debugging: The OmniAccess 5740 USG can be configured for logging based on the severity of the message and the module. The severity of a log message is indicated by its priority, which varies from 0-7. The lower the numerical value of the priority, the higher the criticality of the message.
  • Page 109: Example

    ALU(config)# logging buffered priority 5 ALU(config)# logging remote 1.1.1.1 priority 5 ALU(config)# logging console 5 ALU(config)# logging system ALU(config)# logging watermark 10000 ALU(config)# service timestamps log ALU(config)# terminal monitor ALU(config)# clear logging
  • Page 110 2005 Oct 13 03:31:09: %CM-5-LOG: SLOT L2 (83000019) is vacated 2005 Oct 13 03:31:09: %CM-6-LOG: LIVENESS 2[83000019] will report once on failure 2005 Oct 13 03:31:12: %CM-6-LOG: SCAN card removed from slot 2
  • Page 111: Example 1

    Oct 13 10:44:47: %CLI-6-LOG: A Client Logged in to the Box through SSH from 10.91.2.87 2005 Oct 13 10:45:41: %CLI-6-LOGSRV: Logging buffer size set to 128K by User:privileged user.
  • Page 112: Rate Limiting In Statlog

    In case of a conflict, where more than one rate-limiting configuration applies to a message (for example, one for its tag and one for its subtag), the following order of preference is followed: • subtag • • priority
  • Page 113: Example 1

    The above command limits the messages of priority 5 (notification) or lower (level 6 and 7) to 50 per second. EXAMPLE ALU(config)# logging rate-limit no unique ALU(config)# logging rate-limit unique
  • Page 114: Saving Log Messages

    This saves log messages with priority equal to 5. ALU(config)# save logging string time This saves log messages with string time. This is case sensitive. ALU(config)# save logging tag cli This saves log messages originating from CLI.
  • Page 115: Viewing Tech Support

    Viewing Tech Support: When a problem or a bug is encountered in the system, you can send the output of the following command to Alcatel-Lucent’s tech-support department. This provides enough information to the technical-support department to locate and debug the error.
  • Page 116: The File System

    ALU(config)# dir user:cores Permission Size Date modified Name --------- ---- ------------- ------ -rw- 147456 Sep 5 08:31 core.1329.3.clim-sh.1157445064.24 -rw- 147456 Sep 5 13:20 core.1355.3.clim-sh.1157462445.24 -rw- 147456 Aug 3 12:11 core.1363.3.clim-sh.1154607060.24
  • Page 117: Example 2

    Remote Port [ Enter for default ] : Source Path/File []? fdc.txt Username [anonymous]? user Password []? Local file already exits.Overwrite the file(y/n) [n]? y URL specification sanity OK, proceeding with copy (please wait)
  • Page 118: Deleting Files

    The following command deletes a file in fpkey: ALU(config)# delete fpkey:backup_package The following command deletes a file in fpkey: ALU(config)# delete user:backup_config The following command deletes a config file: ALU(config)# delete config-file config1
  • Page 119: Configuration File Management

    7 logging buffered size 128 logging console 3 logging system 5 logging remote 1.1.1.1 port 514 priority 7 service timestamps log hostname ndm-70 snmp enable
  • Page 120 3 logging system 5 logging remote 1.1.1.1 port 514 priority 7 service timestamps log hostname ndm-70 ! PVST Global configuration spanning-tree snmp enable modem disable ! SNMP Configurations --More--
  • Page 121 save running-config <file-name>: This command saves the running configuration under the specified file name in the config directory. EXAMPLE ALU(config)# save running-config my-config Saving to my-config ...
  • Page 122 4 logging remote 10.91.0.94 port 514 priority 7 logging remote 10.91.0.173 port 514 priority 7 service timestamps log hostname OA5740-BLR modem enable http enable https enable
  • Page 123 . ip name-server 10.91.0.249 interface loopback1 ip address 203.124.211.225/27 no shutdown interface GigabitEthernet3/0 description GigabitEthernet 3/0 ip address 59.144.47.105/24 no shutdown !QoS Configuration class-map high-priority-map match-any
  • Page 124 144000 exceed-action drop class exclude-police-map interface GigabitEthernet3/1 service-policy out traffic-out-policy service-policy in traffic-in-policy line vty 4 transport input none line con 0 no exec-timeout firewall session default timeout tcp 7200
  • Page 125 This file should be present in the config directory. (Use the copy commands to copy the file to the config directory). EXAMPLE ALU(config)# load config-file config1 Loading config1 to running-config... /-------- Percent Complete -------- |*********************************
  • Page 126 EXAMPLE ALU(config)# delete config-file my-config ALU(config)# write erase Are you sure you want to erase startup-config file yes/no [yes]:yes [OK] startup-config file erased.
  • Page 127: Software Package Management

    Software Package Management: The OmniAccess 5740 USG is a modular system. From the hardware side, this means that different physical parts of the system can be removed, inserted, and upgraded independent of each other. From the software side, it means that software modules can be upgraded individually.
  • Page 128 No : Manually run set-default at a later time Proceed? (y/[n]) : y Do you want to save config before proceeding ([y]/n) : y Building configuration... [OK] Setting Default image to 3.0.0.82.0...
  • Page 129 Remote Port [ Enter for default ] : Path : backup-alu-apps.740.3.0.0.82.0.npm Username [Enter for none] : user1 Password : Backing up Applications package... Creating... Uploading file. This could take a while...Completed.
  • Page 130 No : Manually run set-default at a later time Proceed? (y/[n]) : y Do you want to save config before proceeding ([y]/n) : y Building configuration... [OK] Setting Default image to 3.0.0.82.0...
  • Page 131 Networking-base Networking infrastructure 3.0.0.82.0 OSPF OSPF Protocol 3.0.0.82.0 Quality of Service 3.0.0.82.0 Routing Information Protocol 3.0.0.82.0 NHRP Next Hop Resolution Protocol 3.0.0.82.0 Routing-base Routing Infrastructure 3.0.0.82.0 SNMP SNMP-v2 support
  • Page 132 27 Components Listed EXAMPLE ALU# show version Alcatel-Lucent Software, Version 3.0.0, Build 82 Copyright (c) 2003-2010 by Alcatel-Lucent Inc. Built on Tue Jul 6 13:41:35 IST 2010 Flash version - 2.2.71
  • Page 133: Reloading The System

    Do you want to save config before rebooting (y/[n])n ALU# The system is going down NOW !! Sending SIGTERM to all processes. Terminated Sending SIGKILL to all processes. Please stand by while rebooting the system. Restarting system.
  • Page 134: Managing Individual Slots

    Managing Individual Slots: The power command allows the privileged user to control the power of slots 0-2 on the OmniAccess 5740 USG. Powering down an occupied slot is almost equivalent to physically removing the card from the chassis. Individual cards within the chassis may be managed separately by controlling their power.
  • Page 135: System Monitoring And Troubleshooting

    PCI configuration status: Ready Reported at Fri Apr 23 15:28:43 2010 (1 seconds ago) Temperature reading: 30.000C Opteron temperature : 33.0C Opteron status : Active Voltage reading: 5.04V(0%) 1.31V(1%) 2.49V(0%)
  • Page 136: System Hardware Information

    SE - Services engine (active) Slot number: 3 Part number: 902601-90 Manufacturer: Description: Services engine Serial number: DG0818000126 Version: 02 Revision: 00 CPU Version: 1 (Low Power Opteron) Opteron CPU Version: 1
  • Page 137: System Status

    show system-status: This command displays the status of the different cards in the system. EXAMPLE ALU(config)# show system-status Slot Description Status -------------------------------------------------------- 8-port copper GigE Card Ready Services engine Card Ready
  • Page 138: Leds

    LEDs on the front panel. EXAMPLE ALU(config)# show led Name State ---- ----- Primary SC green Standby SC vacant Front panel ----- ----- Active green Modem Console green
  • Page 139: To View Process Information

    507 root 3944 S controld 510 root 46312 S switchd 11 511 root 2264 S bgp bgp initial 2691 root 344 S sleep 30 2700 root 672 S rshd
  • Page 140: Memory Information

    0 kB SwapFree: 0 kB Note: In addition to the total memory displayed, 128 MB is reserved for data buffers. This is not displayed in the total system memory.
  • Page 141: Hot Key Support

    • The system is placed in a remote location and hence physical access is difficult. A CLI user prompt is needed even to reload the OmniAccess 5740 USG, and it remains elusive. The "Hot Key" functionality on the OmniAccess 5740 USG is activated when a...
  • Page 142 Ctrl-\b Minicom Linux Ctrl-a f Telnet Ctrl-], then type send Teraterm Windows Alt-b Terminal Windows Break Ctrl-Break UNIX Ctrl-], then Break or Ctrl-c VT 100 Emulation Z-TERMINAL Apple Command-b
  • Page 143: Rescue Mode Options

    Rescue Mode Options: If you are facing any problem in the bootup of OmniAccess 5740 USG, you can use any of the rescue options given below. • Power off and power on the OmniAccess 5740 USG.
  • Page 144 0. Reload Device Reboot the device. • 1. Rescue Shell Unix type debug shell. • 2. Directory listing Lists files in the user: partition or in the fpkey: usb.
  • Page 145 Backup all config related files to the FPkey. This can be restored later. • 9. Restore Config area from Front Panel USB Restore config files that were backed up into a file on Front Panel USB (fpkey).
  • Page 146: Factory Default Configuration

    This requires OmniAccess 5740 USG to boot with predefined configuration from the factory. Such a configuration is stored in factory default configuration. Whenever OmniAccess 5740 USG boots up for the first time, it always loads with this factory default configuration.
  • Page 147: To Reload Factory Default Configuration

    The factory default image on OmniAccess 5740 USG will have the following configurations preconfigured [with the Serial card (USP -V.35/X.21/RS-232) installed on the system]: •...
  • Page 148: Importing Certificates

    Enter up to 80 characters on a line. Enter a blank line to exit. Note: Currently, SCP option is not supported. EXAMPLE ALU(config-ALUCA)# import ca-cert ftp:
  • Page 149 show certificate identity <name>: Displays all the certificate identities and also displays the specified certificate. EXAMPLE ALU(config)# show certificate identity certificate SomeOtherCA subject-name /O=ALU/C=IN/CN=CM Burns certificate ALUCA subject-name /CN=Bart Simpson/O=ALU/C=US
  • Page 150 Exponent: 65537 (0x10001) X509v3 extensions: X509v3 Basic Constraints: CA:FALSE Netscape Comment: OpenSSL Generated Certificate X509v3 Subject Key Identifier: 88:75:2D:47:AC:E8:AB:C3:5F:9F:E1:93:6B:7E:07:9C:A3:B0:24:CB X509v3 Authority Key Identifier: keyid:05:98:D2:25:D3:18:12:A1:C7:4B:7A:98:D2:D8:25:73:2B:6B:AE:B1 DirName:/CN=CA_0x01/O= serial:00 Signature Algorithm: md5WithRSAEncryption 0c:30:3a:96:bb:2a:be:6c:53:47:b9:5d:b4:40:1d:0e:4a:85:
  • Page 151 Not After : Jan 27 12:30:49 2006 GMT Subject: CN=CA_0x01, O= Subject Public Key Info: Public Key Algorithm: rsaEncryption RSA Public Key: (1024 bit) Modulus (1024 bit): 00:b2:bf:d4:a9:46:f0:d3:38:3c:46:e1:52:0e:e4: 31:1c:0c:81:70:90:1a:95:dd:79:44:c6:e3:1b:c6:
  • Page 152 ALU(config)# show certificate ca-cert ALUCA pem
  • Page 153: Snmp (Simple Network Management Protocol)

    Some of the advantages of using SNMP are: • Standardized protocol • Universal acceptance • Portability • Lightweight • Extensibility • Widely deployed
  • Page 154: Snmp Agent And Manager

    PDUs are encapsulated in the UDP (User Datagram Protocol) for transportation across the network. UDP is a connectionless transport protocol included in the TCP/IP suite and described in RFC.
  • Page 155: Snmp Version

    SNMP packet. Three security models are available: SNMPv1, SNMPv2c, and SNMPv3. Three security levels are available: Auth, Noauth, and Priv.
  • Page 156: Snmp Configuration Commands

    no snmp agent {rocommunity|rwcommunity}: This command removes the read-only/read-write community string configured on the SNMP agent. EXAMPLE ALU(config)# snmp agent rocommunity private ALU(config)# no snmp agent rocommunity
  • Page 157 SNMP traps to the configured host. no snmp trap enable: This command disables sending the SNMP traps to the configured host. EXAMPLE ALU(config)# snmp trap enable ALU(config)# no snmp trap enable
  • Page 158 ALU(config)# snmp-server user user123 auth MD5 pass123456 priv DES test123456 ALU(config)# no snmp-server user user123 Configure SNMP Group: SNMP group has a set of users belonging to a particular security model.
  • Page 159 no snmp-server view <view-name> <MIB-family-name>: This command deletes a view. EXAMPLE ALU(config)# snmp-server view view123 .1.3.6.1 included ALU(config)# no snmp-server view view123 .1.3.6.1
  • Page 160 control configuration. <group-name> security-model {v1|v2c|v3} {auth|noauth|priv} EXAMPLE ALU(config)# snmp-server access testgroup security-model v3 auth read read-view write write-view notify notify-view ALU(config)# no snmp-server access testgroup security-model v3 auth
  • Page 161: Snmp Show Commands

    : support@alcatel-lucent.com name alu1 System Location : [Not configured] Community-Access Community-String ---------------- ---------------- read-only private read-write [Not configured] Trap-Host Trap-Port Version Trap-Community --------- --------- ------- -------------- 1.1.1.1 test 1.1.1.11 test1
  • Page 162 If the user name is specified, the configuration for the specified user is displayed. EXAMPLE ALU(config)# show snmp user --------------------------------------- User Name : user123 Authentication Protocol: MD5 Security Level: Auth ---------------------------------------
  • Page 163 show snmp access: This command displays the SNMP access configuration. EXAMPLE ALU(config)# show snmp access --------------------------------------- Group Name: testgroup Security Level: auth Security model: v3 Read View: read-view Write View: write-view ---------------------------------------
  • Page 164 1.1.1.11 v1 test1 11 snmp-server user user123 auth MD5 passpass1 snmp-server group testgroup user123 security-model v3 snmp-server view view123 .1.3.6.1 included snmp-server access testgroup security-model v3 auth read read-view write write-view
  • Page 165: Snmp Mib Cli

    The snmpgetnext command for v3 can be used to retrieve the value of the next available MIB object in the lexicographically ordered tree. snmpgetnext -v 3 -u <user-name> -l {noauthnopriv|authnopriv|authpriv} -a {MD5|SHA} -A <auth-password> -x <DES> -X <privilege-password> <host ip-address> <MIB object>
  • Page 166: Snmp Mib Gui

    SNMP operations on the agent running on the device. Note: Ensure that the version and community string settings of the MIB browser are compatible with the agent before performing any operation from the MIB browser.
  • Page 167: Virtual Router Redundancy Protocol

    Virtual Router Redundancy Protocol: This chapter provides an overview of the Virtual Router Redundancy Protocol configuration on the OmniAccess 5740 USG. VRRP can be configured on multi-access interfaces like Ethernet. VRRP is supported on GigabitEthernet (GigE) and VLAN interface on the OmniAccess 5740 USG.
  • Page 168: Vrrp Overview

    The VRRP Interface Tracking feature extends the capabilities of the VRRP to allow tracking of specific interfaces within the router that can alter the priority of a router. 3768
  • Page 169: Vrrp Configuration

    VRRP Configuration: Refer to the following sections to configure VRRP on your OmniAccess 5740 USG: • “VRRP Configuration Steps” • “VRRP Configuration Flow” • “VRRP CLI Commands”...
  • Page 170: Vrrp Configuration Flow

    VRRP Configuration Flow. Figure 2: VRRP Configuration Flow
  • Page 171: Vrrp Cli Commands

    no vrrp <1-8>: This command removes all configuration associated with the VRRP group on the interface. EXAMPLE ALU(config-if GigabitEthernet3/0)# vrrp 5 ip 10.91.0.8 ALU(config-if GigabitEthernet3/0)# no vrrp 5 ip 10.91.0.8
  • Page 172 ALU(config-if GigabitEthernet3/0)# ip address 10.2.1.1/24 secondary ALU(config-if GigabitEthernet3/0)# vrrp 1 ip 10.1.1.1 ALU(config-if GigabitEthernet3/0)# vrrp 2 ip 10.2.1.1 ALU(config-if GigabitEthernet3/0)# vrrp 3 ip 20.1.1.1 ALU(config-if GigabitEthernet3/0)# vrrp 4 ip 30.1.1.1
  • Page 173 Error - Address already configured in a VRRP group on an another interface ALU(config-if GigabitEthernet3/1)#ip address 10.2.1.1/24 secondary Error - Address already configured in a VRRP group on an another interface ALU(config-if GigabitEthernet3/1)#
  • Page 174: Modify Global Vrrp Group Parameters

    VRRP group. no vrrp <1-8> priority: The “no” command restores the default priority for the VRRP group. The default priority is 100. EXAMPLE ALU(config-if GigabitEthernet3/0)# vrrp 7 priority 104
  • Page 175 User-defined string up to 80 characters is allowed. Command (in ICM): vrrp <1-8> description <string>. Description: This command assigns a text description to the VRRP group. EXAMPLE ALU(config-if GigabitEthernet3/0)# vrrp 7 description ALU-vrrp
  • Page 176 Configure Authentication for a VRRP Group: Note: • OmniAccess 5740 USG supports null authentication and plain-text authentication. • A maximum of 8 characters is allowed in the authentication string. Command (in ICM) Description This command is used to set authentication vrrp <1-8>...
  • Page 177 Note: Learning and millisecond timers are mutually exclusive. That is, learning cannot be enabled when millisecond timers are enabled and millisecond timers cannot be enabled if learning is enabled.
  • Page 178 no vrrp <1-8> track-interface: The “no” command removes tracking of the interface in a VRRP group. EXAMPLE ALU(config-if GigabitEthernet3/0)# vrrp group track-interface serial 1/0:0 decrement 60 ALU(config-if GigabitEthernet3/0)# no vrrp group track-interface
  • Page 179: Monitor And Debug Vrrp

    ALU(config-if GigabitEthernet3/0)# show vrrp all brief Interface Grp Prio Preempt State Master addr Group addr GigabitEthernet3/0 1 255 Y Master 10.1.1.1 10.1.1.1 GigabitEthernet3/0 2 100 Y Master 10.1.1.1 20.1.1.1 ALU(config-if GigabitEthernet3/0)#
  • Page 180 Advertisement interval is 1.000 sec Preemption enabled Priority is 100 Master Router is 10.1.1.1 (local), priority is 100 Master Advertisement interval is 1.000 secs Master Down interval is 3.000 secs
  • Page 181 ALU# debug vrrp control all VRRP Management Messages: Command (SUM/CM): debug vrrp management {all|protocol|vrrpfs}. Description: This command displays VRRP management debug messages. EXAMPLE ALU# debug vrrp management all
  • Page 182: Vrrp Interface Tracking

    The router will not take any action when the track interface goes down. When the router is in backup state, it will have a priority based on the configured decrement value.
  • Page 183 The router will switch to backup state if a router with the next highest priority overrides it. Else, the router will remain in master state to provide some minimal set of services.
  • Page 184: Vrrp Configuration Scenario Using Omniaccess 5740 Usg

    Alcatel-Lucent OmniSwitch • Switch • PC/Laptop. Figure 3: VRRP Topology. Procedure: Configure LAN stations (192.168.1.4, 192.168.1.5, 192.168.1.6) with a default gateway address of 192.168.1.3, which is the IP address of the Virtual Router.
  • Page 185: Vrrp Configuration

    VRRP Configuration: In the following example, the OmniAccess 5740 USG and OmniSwitch belong to VRRP Group 1. Note: Both VRRP routers should be configured with the same group ID.
  • Page 186 Virtual Router Redundancy Protocol
  • Page 187: Part 2 Lan Interfaces And Configuration

    Part 2 LAN Interfaces and Configuration
  • Page 189: Ethernet Interfaces On Se

    Ethernet Interfaces on SE: This chapter details the Ethernet Interface configuration on the OmniAccess 5740 USG. These interfaces can be used in the slots pertaining to the “Services Engine (SE)” on the OmniAccess 5740 USG. “Ethernet Overview”...
  • Page 190: Ethernet Overview

    Modern advancements have increased these distances considerably allowing Ethernet networks to span tens of kilometers.
  • Page 191: Ethernet Terminologies

    If it is not, the station discards the frame without even examining its contents.
  • Page 192: Switched Ethernet

    The LEDs on SE card indicate Active or Fault conditions. The LEDs on Gigabit Ethernet ports of SE card indicate Link Status and Activity. The SE card can be installed in slots 2, 3 in OmniAccess 5740 USG.
  • Page 193: Ethernet Configuration

    Configure Speed on the interface. See “To Configure Speed”
    Step 6: View the configuration details on the interface. See “Ethernet Interface Show Commands”.
    Step 7: Clear interface statistics. See “Ethernet Interface Clear Commands”.
  • Page 194: Ethernet Interface Configuration Flow

    Figure 5: Ethernet Interface Configuration Flow
  • Page 195: Ethernet Interface Configuration Commands

    Example: The following example administratively brings up the GigE interface:
    ALU(config-if GigabitEthernet3/0)# no shutdown
    The following example administratively brings down the GigE interface:
    ALU(config-if GigabitEthernet3/0)# shutdown
  • Page 196 no flowcontrol {receive|send} {off|on}: The “no” command sets the flow control to its default. By default, flow control is set to “Off”. Example:
    ALU(config-if GigabitEthernet3/0)# flowcontrol send on
    ALU(config-if GigabitEthernet3/0)# no flowcontrol send on
  • Page 197 {10|100|1000|auto} speed. no speed: The “no” command sets the interface speed to its default. The default speed is “auto”. Example:
    ALU(config-if GigabitEthernet3/0)# speed 100
    ALU(config-if GigabitEthernet3/0)# no speed
  • Page 198: Configure Gige Sub-Interface

    no encapsulation dot1q: This command is used to remove the dot1q encapsulation on the GigE sub-interface. Example:
    ALU(config-subif GigabitEthernet3/0:1)# encapsulation dot1q 10
    ALU(config-subif GigabitEthernet3/0:1)# no encapsulation dot1q
  • Page 199: Ethernet Interface Show Commands

    ARP type: ARPA, ARP Timeout never
    Last input never, output never, output hang never
    Last clearing of "show interface" counters never
    5 minute input rate 0 bits/sec, 0 packets/sec
  • Page 200 0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier, 0 pause output
    0 output buffer copied, 0 interrupts, 0 failures
  • Page 201 0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier, 0 pause output
    0 output buffer copied, 0 interrupts, 0 failures
  • Page 202: Ethernet Interface Clear Commands

    clear: This command is used in the Interface Configuration Mode. This command clears the counters on a specific GigE interface. Example:
    ALU(config-if GigabitEthernet3/0)# clear
    Clear counters on this interface [confirm]y
    ALU(config)#
  • Page 203: Layer 2 Switching Configuration

    This chapter covers the commands used to configure switching on the Layer 2 (L2) cards in the OmniAccess 5740 USG. It provides a broad overview on the L2 GE commands with an expansive outlook on VLAN support consisting of Access ports, Trunk ports and Hybrid ports.
  • Page 204: Switching Overview

    Note: The OmniAccess 5740 USG supports only transparent bridging. Bridging and switching occur at the link layer, which controls data flow, handles transmission errors, provides physical addressing, and manages access to the physical medium.
  • Page 205: Layer 2 Switching

    - that is, they do not look at the data packet very closely to learn anything more about where it is headed.
  • Page 206: Alcatel-Lucent Specific Overview On Switching

    “switchport mode trunk”. • Similarly, if an interface has both access and hybrid configuration, the interface can be set to hybrid mode by issuing the command “switchport mode hybrid”.
  • Page 207 VLAN tag information. Note: MTU configuration is not supported on switchport interfaces. However, MTU can be configured on VLAN interfaces.
  • Page 208: L2 Switching Configuration

    See “To Configure Mode for the L2 Interface” (if Trunk/Hybrid mode is already configured)
    Step 2: Configure VLAN for Access mode. See “To Configure VLAN for Access Mode”
  • Page 209 Step 6: Monitor and troubleshoot the configuration using the “show” commands. See “L2 Switching Show Commands”
    Step 7: Use the clear command to clear the MAC address table entries. See “L2 Switching Clear Commands”
  • Page 210: L2 Switching Configuration Flow

    Figure 8: L2 Switching Configuration Flow
  • Page 211: L2 Switching Commands

    If no access VLAN is configured, then the interface moves to pure bridging mode. Example:
    ALU(config-if switchport1/0)# switchport mode trunk
    ALU(config-if switchport1/0)# no switchport mode
  • Page 212 <2-4094>... Example:
    ALU(config-if switchport1/0)# switchport trunk allowed vlan 3
    ALU(config-if switchport1/0)# switchport trunk allowed vlan 5 8
    ALU(config-if switchport1/0)# no switchport trunk allowed vlan
  • Page 213 The default hybrid native VLAN ID is 1. Example:
    ALU(config-if switchport1/0)# switchport hybrid native vlan 7
    ALU(config-if switchport1/0)# no switchport hybrid native vlan
  • Page 214 {10|100|1000|auto} speed. no speed: The “no” command sets the interface speed to its default. The default speed is “auto”. Example:
    ALU(config-if switchport1/0)# speed 100
    ALU(config-if switchport1/0)# no speed
  • Page 215: L2 Switching Show Commands

    Revision: 00 Version: 03 SE - Services engine (active) Slot number: 3 Part number: 902601-90 Manufacturer: Description: Services engine Serial number: SM0622000067 Version: 01 Revision: 00 Opteron CPU Version: 10
  • Page 216 Version: 01 BP - ALU OA740 chassis (passive) Slot number: 29 Part number: 902610-90 Manufacturer: Description: ALU OA740 chassis Serial number: ND0608000093 Version: 00 Revision: 00 Base MAC: 00:11:8b:00:dd:00
  • Page 217 0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 Out multicast, 0 lost carrier, 0 no carrier, 0 pause output
    0 output buffer failures, 0 output buffers swapped out
  • Page 218 0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier
    0 output buffer copied, 0 interrupts, 0 failures
  • Page 219 ALU(config)# show vlan Brief
    VLAN_ID Status Interface name Mode
    --------- ---------- ------------------- -----
    Inactive switchport0/2 No-Mode
    switchport0/3 No-Mode
    switchport0/4 No-Mode
    switchport0/5 No-Mode
    Inactive switchport0/0 Access
    switchport0/7 Access
    switchport0/6 Trunk
    Inactive switchport0/1 Access
  • Page 220 Dynamic 0008.a16b.6597 switchport0/1 Dynamic 0008.a170.59ea switchport0/1 Dynamic 0008.a170.5e1d switchport0/1 Dynamic 0008.a170.5e21 switchport0/1 Dynamic 0008.a177.fecc switchport0/1 Dynamic 0008.a177.fece switchport0/1 Dynamic 0008.a178.4b19 switchport0/1 Dynamic 0008.a17b.ba3d switchport0/1 Dynamic 000c.f1c3.85a9 switchport0/1 Dynamic
  • Page 221: L2 Switching Clear Commands

    <slot-number> process for all the switchports for a specified slot. Example:
    ALU(config)# clear lan counters slot 0
    Clearing LAN counters ..
  • Page 222: Switching Configuration Using Omniaccess 5740 Usg

    By default, all Switch ports will be in bridged mode. They belong to 1 broadcast domain.
    ALU(config)# interface switchport1/0
    ALU(config-if switchport1/0)#
    ALU(config-if switchport1/0)# no shutdown
    To check for reachability between hosts, verify with ping from, say Host 1 to Host
  • Page 223: Vlans

    5 and 6 belong to VLAN3.
    Configure Access VLAN
    ALU(config-if switchport1/0)# switchport access vlan 10
    ALU(config-if switchport1/0)#
    Delete Configured Access VLAN
    ALU(config-if switchport1/0)# no switchport access vlan
  • Page 224 Each VLAN is a separate broadcast domain. There is reachability between hosts within the same VLAN. This can be verified with a ping from, say, host 1 to host 2. However, a ping from host 1 to host 5 would fail.
  • Page 225: Per Vlan Spanning Tree

    Per VLAN Spanning Tree Protocol Plus (PVST+). For more detailed information on the parameter descriptions and their corresponding default values, refer to the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. This chapter includes the configuration steps, CLI syntax with its description and configuration examples.
  • Page 226: Per Vlan Spanning Tree (Pvst+) Overview

    (at layer-2) by forwarding some VLANs on one trunk and other VLANs on another trunk without causing a Spanning Tree loop.
  • Page 227: Pvst+ Configuration

    “To Calculate the PVST+ Cost”
    • Set the Port-priority. See “To Set PVST+ Port Priority”
    Step 5: Use the show commands to recheck and view the details configured. See “Show Commands in PVST+”
  • Page 228: Pvst+ Configuration Flow

    Figure 11: PVST+ Configuration Flow
  • Page 229: Pvst+ Configuration Commands

    The following example configures spanning tree for VLAN 100:
    ALU(config)# spanning-tree enable vlan 100
    The deletion of the spanning tree will follow the same rule.
    ALU(config)# no spanning-tree enable vlan 100
  • Page 230 ALU(config)# no spanning-tree enable vlan 100 forward-time
    ALU(config)# no spanning-tree enable vlan 100 hello-time
    ALU(config)# no spanning-tree enable vlan 100 max-age
    ALU(config)# no spanning-tree enable vlan 100 priority 100
  • Page 231 - The PVST+ cost is configured on a per port basis. Example:
    ALU(config-if switchport1/0)# spanning-tree vlan 100 cost 1000
    ALU(config-if switchport1/0)# no spanning-tree vlan 100 cost
  • Page 232 - PVST+ Port Priority is configured on a per port basis. Example:
    ALU(config-if switchport1/0)# spanning-tree vlan 100 port-priority 250
    ALU(config-if switchport1/0)# no spanning-tree vlan 100 port-priority
  • Page 233: Show Commands In Pvst

    Example:
    ALU# show spanning-tree summary
    Name Blocking Listening Learning Forwarding STP Active
    --------- -------- --------- -------- ---------- ----------
    VLAN1
    VLAN2
    VLAN3
    --------------- -------- --------- -------- ----------------
    3 VLANs
  • Page 234: Topology

    Interface switchport1/2 (port 6) in Spanning tree 1 is Forwarding
    Port path cost 4, Port priority 128
    Designated root has priority 32768, address 00.11.8b.00.27.12
    Designated bridge has priority 32768, address 00.11.8b.00.27.12
  • Page 235 Designated bridge has priority 32768, address 00.11.8b.00.27.12
    Designated port Id is 128.1 path cost 0
    Timers: message age 0, forward delay 0, hold 0
    BPDU: sent 0, received 0
  • Page 236: Pvst+ Configuration Examples

    ALU(config)# spanning-tree vlan 3
    ALU(config)# spanning-tree vlan 3 priority 3
    ALU(config)# interface switchport0/0
    ALU(config-if switchport0/0)# switchport mode hybrid
    ALU(config-if switchport0/0)# switchport trunk allowed vlan 2 3
    ALU(config-if switchport0/0)# no shutdown
  • Page 237 ALU(config)# spanning-tree vlan 2 priority 3
    ALU(config)# spanning-tree vlan 3
    ALU(config)# interface switchport0/0
    ALU(config-if switchport0/0)# switchport mode hybrid
    ALU(config-if switchport0/0)# switchport trunk allowed vlan 2 3
    ALU(config-if switchport0/0)# no shutdown
  • Page 238: Example 2 - Spanning Tree With No Vlan (Default Vlan)

    Configure spanning tree on OmniAccess 5740 USG: Spanning Tree provides a mechanism for loop detection and guarantees only one path exists between two end stations. Spanning Tree is not turned on by default on L2.
  • Page 239: Procedure

    OA5740-C(config)#interface switchport1/2
    OA5740-C(config-if switchport1/2)#no shutdown
    OA5740-C(config)# spanning-tree
    Verification: Verify the spanning tree by using the following show commands:
    • show spanning-tree brief
    • show spanning-tree summary
    • show spanning-tree
  • Page 240 Per VLAN Spanning Tree +
  • Page 241: Integrated Routing And Bridging

    This chapter covers the commands used to configure Integrated Routing and Bridging (IRB) on the OmniAccess 5740 USG. For instructions on using the commands and a detailed description of each of their parameters, refer to the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. Chapter...
  • Page 242: Integrated Routing And Bridging Overview

    If the physical ports belonging to a VLAN are thought of as defining a logical bridge/switch, then the mechanism of sending an incoming packet from this bridge to the logical router inside the OmniAccess 5740 USG is to connect the bridge and the router by a logical VLAN interface. This interface forms a logical pipe between the bridge and the router inside the system.
  • Page 243: Irb Configuration

    - A given VLAN interface for IRB can be used only on the 8 ports of the same L2-GE card. - The IRB VLANs cannot be configured on the Service Engine ports.
  • Page 244: Irb Commands

    2035879 packets output, 0 bytes, 0 underruns
    0 output errors, 0 collisions, 0 interface resets
    0 babbles, 0 late collision, 0 deferred
    0 lost carrier, 0 no carrier, 0 pause output
  • Page 245: Irb Configuration Using Omniaccess 5740 Usg

    Procedure: By default, all switchports will be in bridge mode. They belong to one broadcast domain. By configuring IRB on OmniAccess 5740 USG, local or unroutable traffic is bridged among bridge interfaces and routable traffic is routed to other routed interfaces.
  • Page 246 ALU(config-if Vlan 100)# ip address 10.10.10.20/24
    Configure Bridging
    ALU(config)# interface switchport 2/0
    ALU(config-if-switchport2/0)#
    ALU(config-if-switchport2/0)# no shutdown
    ALU(config-if-switchport2/0)# switchport access vlan 100
    Verification: Verify by pinging from 10.10.10.5 to 20.20.20.1.
  • Page 247: 802.1X Port-Based Authentication

    This chapter describes how to configure IEEE 802.1X port-based authentication on the OmniAccess 5740 USG. This chapter includes the configuration steps, CLI syntax with its description and configuration examples. The commands are described in sequential order of configuration.
  • Page 248: Overview

    The uncontrolled port in the Authenticator system is used for sending/receiving 802.1X control frames. Once authentication is successful, the controlled port is opened to give access to the service offered by the authenticator. Figure 15: 802.1X deployment scenario
  • Page 249: Generic Terms Used In 802.1X

    An entity that provides an authentication service to an authenticator. This service determines from the credentials provided by the supplicant whether the supplicant is authorized to access the services provided by the OmniAccess 5740 USG in which the Authenticator resides. An example of an authentication server: RADIUS server.
  • Page 250: Message Exchange

    Figure 16: Message Exchange
  • Page 251: Using 802.1X With Vlan Assignment

    Alcatel-Lucent Specific Overview: Alcatel-Lucent’s Gigabit Ethernet line card (L2GE Card) is used for layer-2 functionality. 802.1X is a port-based authentication protocol, which controls access to the port. Hosts connected to L2GE ports need to be authenticated on those ports before they are given any access.
  • Page 252: Configuration

    802.1X Configuration: Refer to the following sections to configure 802.1X on the OmniAccess 5740 USG:
    • “802.1X Configuration Steps”
    • “802.1X Configuration Flow”
    • “802.1X Configuration Commands”
    • “802.1X Show Commands”...
  • Page 253
    • Configure switch-to-client retransmission time for EAP-request frames. See “To Configure Switch-to-client Retransmission Time for EAP-request Frames”
    • Configure switch-to-client frame retransmission number. See “To Configure Switch-to-client Frame Retransmission Number”
  • Page 254 Initialize the authentication for the client. See “To Initialize the Authentication for the Client”
    Step 8: Use the show commands to recheck and view the details configured. See “802.1X Show Commands”
  • Page 255: Configuration Flow

    Figure 17: 802.1X Configuration Flow
  • Page 256: Configuration Commands

    [auto|forced-unauthorized|forced-unauthorized]: L2 interface, and resets to its default. The default authentication is forced-authorized. Example:
    ALU(config-if switchport5/0)# dot1x port-control auto
    ALU(config-if switchport5/0)# no dot1x port-control auto
  • Page 257 no dot1x timeout reauth-period [<1-65535>]: This command sets the reauthentication period to its default. The default is 3600 seconds. Example:
    ALU(config-if switchport5/0)# dot1x timeout reauth-period 4500
    ALU(config-if switchport5/0)# no dot1x timeout reauth-period
  • Page 258 no dot1x timeout tx-period [<1-3600>]: This command sets the tx-period to its default. The default is 30 seconds. Example:
    ALU(config-if switchport5/0)# dot1x timeout tx-period 60
    ALU(config-if switchport5/0)# no dot1x timeout tx-period
  • Page 259 [<1-10>] This command sets the max-request to its default. The default is 2. Example:
    ALU(config-if switchport5/0)# dot1x max-request 3
    ALU(config-if switchport5/0)# no dot1x max-request
  • Page 260 Configurable Parameters Default Values
    Command (in ICM): dot1x default
    Description: This command is used to reset the configurable 802.1X parameters to the default values.
    Example:
    ALU(config-if switchport5/0)# dot1x default
  • Page 261 Command (in CM): dot1x initialize interface switchport <slot/port>
    Description: This command initializes the authentication for the client connected to a port.
    Example:
    ALU(config)# dot1x initialize interface switchport 5/0
  • Page 262: Show Commands

    Status : Authorized
    Current Identifier :
    Authenticator state machine
    State : Authenticated
    Reauth count:
    Backend state machine
    State : Idle
    Request count :
    Reauthentication state machine
    state : Initialize
  • Page 263 Command (in SUM/CM): show dot1x interface switchport <slot/port> authenticated-mac
    Description: This command displays the mac-address of the authenticated supplicant.
    Example:
    ALU# show dot1x interface switchport 0/0 authenticated-mac
    00.0D.62.2B.76.FA
  • Page 264: Configuration Example

    7
    logging buffered size 128
    logging console 7
    logging system 5
    service timestamps log
    hostname ALU
    !VRF Configuration
    ! MULTICAST Configuration
    dot1x system-auth-control
    ! SNMP Configurations
    aaa services
  • Page 265 100
    dot1x port-control auto
    no shutdown
    interface switchport0/1
    switchport access vlan 100
    dot1x port-control auto
    dot1x host-mode multi-auth
    no shutdown
    interface switchport0/2
    shutdown
    interface switchport0/3
    shutdown
    interface switchport0/4
  • Page 266 :
    supp-timeout :
    server-timeout :
    max-req :
    operation_mode : Single-Host
    port-control : Auto
    Supplicant : 00.00.00.00.00.00
    Status : Unauthorized
    Current Identifier :
    Authenticator state machine
    State : Initialize
  • Page 267 Idle
    Request count :
    Reauthentication state machine
    state : Initialize
    ----------------------------------------
    802.1X is disabled on switchport0/2
    ----------------------------------------
    802.1X is disabled on switchport0/3
    ----------------------------------------
    802.1X is disabled on switchport0/4
    ----------------------------------------
  • Page 268 802.1X is disabled on switchport0/5
    ----------------------------------------
    802.1X is disabled on switchport0/6
    ----------------------------------------
    802.1X is disabled on switchport0/7
  • Page 269: Port Monitoring

    For instructions on using the port monitoring commands and descriptions on each of their parameters with the corresponding default values for each, refer to the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. This chapter includes the following sections: •...
  • Page 270: Port Monitoring Overview

    The analyzer captures and evaluates the data without affecting the client on the original port. Note: Port Monitoring is not enabled across cards.
  • Page 271: Port Monitoring Configuration

    The following lists the steps to configure Port Monitoring on the OmniAccess 5740 USG:
    Port Monitoring Configuration Steps
    Step 1: Configure L2 interface.
  • Page 272: Port Monitoring Commands

    show port monitor [interface switchport <slot/port>]: This command displays the port monitoring details on the specified port. Example:
    ALU(config)# show port monitor
    PORT-MONITERING PORT-MONITERED TRAFFIC-TYPE
    --------------- -------------- ------------
    switchport1/0 switchport1/6 both
    switchport1/7 ingress
  • Page 273: Port Monitoring Configuration On Omniaccess 5740 Usg

    1/0. To configure port monitoring, the following configuration is to be used:
    Configure Port Monitoring
    ALU(config)# interface switchport 1/3
    ALU(config-if switchport1/3)# port monitor switchport 1/0 both
  • Page 274 Verification:
    ALU(config)# show port monitor
    PORT-MONITERING PORT-MONITERED TRAFFIC-TYPE
    --------------- -------------- ------------
    switchport1/3 switchport1/0 both
  • Page 275: Part 3 Wan Interfaces And Protocols

    Part 3 WAN Interfaces and Protocols
  • Page 277: T1E1 Line Card

    “T1 Configuration”
    Chapter Conventions
    Acronym / Description
    Configuration Mode - ALU (config)#
    Controller Configuration Mode - ALU (config-controller)#
    Interface Configuration Mode - ALU (config-interface name)#
    Super User Mode - ALU#
  • Page 278: T1 And E1 Overview

    Note: For information on the LED status of the T1E1 line card with respect to each port, please refer to the “OmniAccess 5740 Unified Services Gateway Hardware Users Guide”. T1 and E1 are designed for use in businesses. The T1 standard is mostly deployed in Japan and North American countries, while E1 is prevalent in Europe and most of the Asian countries, including India.
  • Page 279: E1 Interface Overview

    TS0 is dedicated for synchronization, alarms and messages, unless configured differently.
    • TS16 is usually used for signaling, but can carry data as well.
    • TS1-TS15 and TS17-TS31 are used for carrying user data.
  • Page 280: Mechanisms Supported By The E1 Interface

    • Channel Associated Signaling (CAS) - In each Multiframe, each channel has a predetermined frame. In this frame, half of TS16 is dedicated for this channel signaling information.
  • Page 281: E1 Modes Of Operation

    • In E1 lines, cable-length is referred to as Line Termination. There is no variation of Long and Short cable length. • OmniAccess 5740 USG supports fractional T1 or E1. • OmniAccess 5740 USG supports Unframed E1. • OmniAccess 5740 USG supports channelized T1 or E1.
  • Page 282: E1 Configuration

    Step 6: Enter Interface Configuration Mode to configure the channelized serial interface. See “To Configure a Serial Interface” Note: Creation of a channel-group is a pre-requisite prior to configuring a serial interface.
  • Page 283 (Optional) Step 11: See “To View the E1 Controller Configuration” to view the E1 configuration details. Step 12: View the interface configuration details. See “To View Interface Configuration” command.
  • Page 284: E1 Configuration Flow

    E1 CONFIGURATION Figure 22: E1 Configuration Flow
  • Page 285: E1 Configuration Commands

    Command (in CM): controller {E1|T1} <slot/port>. Description: This command configures an E1 or T1 controller. Use E1 keyword to configure an E1 controller. EXAMPLE ALU(config)# controller E1 0/0 ALU(config-controller E1)#
  • Page 286 <0-30> group configured on the controller. Note: The OmniAccess 5740 USG supports unframed E1 and channelized E1. You can configure only 20 channel groups per card. EXAMPLE The following example configures a channel group on controller E1 at the first slot and at the 0th port: 1.
  • Page 287 ALU(config-controller E1)# shutdown Note: Online Insertion and Removal (OIR) functionality is supported on the T1 and E1 cards. After re-insertion, the controller is in the ‘shutdown’ state by default.
  • Page 288 ALU(config-controller E1)#unframed ALU(config-controller E1)#no unframed As the system creates channel-group 0, the serial interface becomes available, and you need to configure it too. ALU(config)#interface Serial 0/0:0 ALU(config-if Serial0/0:0)#no shutdown
  • Page 289 no line-termination: The “no” command sets the impedance value to its default. The default line-termination value is 120 ohm. EXAMPLE The following example selects 120 as the E1 line impedance: ALU(config-controller E1)#line-termination 120
  • Page 290 EXAMPLE The following example configures the E1 0 clocksource to line: ALU(config-controller E1)# clocksource line The following example configures the E1 0 clocksource to internal: ALU(config-controller E1)# no clocksource
  • Page 291 EXAMPLE ALU(config)#interface Serial 0/0:0 ALU(config-if Serial0/0:0)# shutdown ALU(config)#interface Serial 0/0:0 ALU(config-if Serial0/0:0)# no shutdown Note: We support Online Insertion and Removal (OIR) functionality for T1E1 line card.
  • Page 292 no encapsulation: The “no” command sets the encapsulation to its default. The default encapsulation is HDLC. EXAMPLE The following example shows how to set the FR encapsulation: ALU(config-if Serial 0/0:0)# encapsulation frame-relay
  • Page 293 2 payload. no mtu: The “no” command sets the MTU to its default. The default MTU is 1500 bytes. EXAMPLE ALU(config-if Serial0/0:0)# mtu 1200 ALU(config-if Serial0/0:0)# no mtu
  • Page 294: E1 Show Commands

    Framing is crc4, Line Code is hdb3, Clock Source is internal Total Data (Since last clearing of counters) 1 Line Code Violation, 0 Framing Errors 0 CRC Errors, 0 Far End Block Errors
  • Page 295 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions Timeslot(s) Used:1 (64Kbps each), Transmitter delay is 0 flags
  • Page 296: Troubleshooting E1 Lines

    E1 0: ALU(config)#controller E1 1/0 ALU(config-controller E1)# loopback network line The following example disables the loopback on controller E1 0: ALU(config)# controller E1 0/0 ALU(config-controller E1)# no loopback
  • Page 297: T1 Interface Overview

    These "robbed" bits form a channel with capacity of 10.666 Kbps. If CCS is in use, then one Timeslot (TS), usually TS 24, is dedicated for signaling purposes.
  • Page 298: T1 Modes Of Operation

    ESF + CAS/CRC/FDL. • CCS: Can be used in each of the framed formats by dedicating one channel (usually TS-24) for delivering the signaling messages in a predetermined protocol.
  • Page 299: T1 Configuration

    Step 6: Enter Interface Configuration Mode to configure the channelized serial interface. See “To Configure a Serial Interface” Note: Creation of a channel-group is a pre-requisite prior to configuring a serial interface.
  • Page 300 Configure MTU on the Interface” (Optional) Step 11: See “To View the Controller Configuration” to view T1 configuration. Step 12: View the interface configuration details. See “To View Interface Configuration” command.
  • Page 301: T1 Configuration Flow

    T1 CONFIGURATION Figure 23: T1 Configuration Flow
  • Page 302: T1 Configuration Commands

    {E1|T1} <slot/port> controller. Use T1 keyword to configure a port in the T1 mode. The T1 has a bandwidth of 1.544 Mbps. EXAMPLE ALU(config)# controller T1 0/0 ALU(config-controller T1)#
  • Page 303 ALU(config-controller T1)#channel-group 0 timeslots 1,4,20 2. In the above example, the channel-group command is shown only with a value of ‘0’. The following example uses a value in the range of 0-23:
  • Page 304 The keyword “shutdown” will administratively bring down the controller. EXAMPLE ALU(config-controller T1)# no shutdown ALU(config-controller T1)# shutdown Note: We support Online Insertion and Removal (OIR) functionality for T1E1 line card.
  • Page 305 1 to the appropriate levels for a cable between 111 and 220 feet long: ALU(config)#controller T1 1/1 ALU(config-controller T1)# cablelength short 220 The following example sets the cablelength to its default: ALU(config)#controller T1 1/1 ALU(config-controller T1)# no cablelength
  • Page 306 The following example specifies AMI as the linecode type for a T1 line: ALU(config-controller T1)# linecode ami The following example sets b8zs as the linecode type: ALU(config-controller T1)# no linecode
  • Page 307 Serial <slot/port:channel> configuration mode to configure a serial interface. EXAMPLE The following example creates an interface at slot 0 and port 0 at group 0: ALU(config)#interface Serial0/0:0 ALU(config-if Serial0/0:0)#
  • Page 308 no ip address {<ip-address subnet-mask>|<ip-address/prefix-length>}: This command is used to remove the IP address for the interface. EXAMPLE ALU(config-if Serial0/0:0)# ip address 20.20.20.20/24 ALU(config-if Serial0/0:0)# no ip address 20.20.20.20/24
  • Page 309 2 payload. no mtu: The “no” command sets the MTU to its default. The default MTU is 1500 bytes. EXAMPLE ALU(config-if Serial0/0:0)# mtu 100 ALU(config-if Serial0/0:0)# no mtu
  • Page 310: T1 Show Commands

    Framing is esf, Line Code is b8zs, Clock Source is internal Total Data (Since last clearing of counters) 0 Line Code Violation, 0 Framing Errors 0 Out of Frame, 0 Bit Errors
  • Page 311 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions Timeslot(s) Used:1 (64Kbps each), Transmitter delay is 0 flag
  • Page 312: Troubleshooting T1 Lines

    T1 0: ALU(config)# controller T1 0/0 ALU(config-controller T1)# loopback network payload The following example disables the loopback on the controller T1 0: ALU(config)# controller T1 0/0 ALU(config-controller T1)# no loopback
  • Page 313: Universal Serial Port (Usp) Line Card

    For instructions on using the commands and to get a detailed description on each of their parameters, refer to the USP Line Card chapter in the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. This chapter is divided into the following sections.
  • Page 314: Chapter Conventions

    Data Terminal Equipment Configuration Mode - ALU (config)# Interface Configuration Mode - ALU (config-interface name)# Maximum Transmission Unit Online Insertion and Removal Receive Clock Super User Mode - ALU# Transmit Clock
  • Page 315: Usp Line Card (V.35/X.21/Rs-232) Overview

    For synchronous communication, these signals provide timing information for the transmitter and receiver, which may operate at different baud rates.
  • Page 316: Alcatel-Lucent Specific Overview

    Figure 24: Universal Serial Port Line Card (V.35/X.21/RS-232) Note: For information on the pin out connection and the LED status of the USP Line Card with respect to each port, refer to the “OmniAccess 5740 Unified Services Gateway Hardware Users Guide”. FEATURE...
  • Page 317: Configuration

    “To Configure Loopback” • Set Encapsulation. See “To Set Encapsulation” • Configure MTU. See “To Configure MTU (Maximum Transmission Unit)” Step 6: See “Show Command” to view the interface configuration.
  • Page 318: V.35/X.21/Rs-232 Configuration Flow

    V.35/X.21/RS-232 CONFIGURATION Figure 25: V.35/X.21/RS-232 Configuration Flow
  • Page 319: V.35/X.21/Rs-232 Configuration Commands

    EXAMPLE The following example administratively brings up the V.35/X.21/RS-232 interface: ALU(config-if Serial0/0)# no shutdown The following example administratively brings down the V.35/X.21/RS-232 interface: ALU(config-if Serial0/0)# shutdown
  • Page 320 no ip address {<ip-address subnet-mask>|<ip-address/prefix-length>}: This command is used to remove the IP address for the interface. EXAMPLE ALU(config-if Serial0/0)# ip address 20.20.20.20/24 ALU(config-if Serial0/0)# no ip address 20.20.20.20/24
  • Page 321: V.35/X.21/Rs-232 Dte And Dce Cli Configuration Commands

    16: This command enables the 16 bit CRC. no crc {16|32}: The “no” command sets CRC to default value 16. EXAMPLE ALU(config-if Serial0/0)# crc 16 ALU(config-if Serial0/0)# no crc
  • Page 322 loopback: This command configures an interface in loopback mode. no loopback: The “no” command removes the loopback configured on the interface. EXAMPLE ALU(config-if Serial0/0)# loopback ALU(config-if Serial0/0)# no loopback
  • Page 323 2 payload. Command (in ICM): mtu <64-1500>. Description: Configures the MTU value on the serial interface. EXAMPLE ALU(config-if Serial0/0)# mtu 1200
  • Page 324: Show Command

    DCD=up DSR=up DTR=up RTS=up CTS=up Note: You can view the details of the interface in the Interface Configuration Mode with a ‘show’ command without entering into the user mode.
  • Page 325: Clear Command

    ALU# clear counters Serial 0/0 Note: You can clear the counters of the interface in the Interface Configuration Mode with a ‘clear’ command without entering into the user mode.
  • Page 327: High-Level Data Link Control

    You can skip this section, and go straight to configuration steps. CHAPTER CONVENTIONS Acronym Description HDLC High-level Data Link Control Interface Configuration Mode - ALU (config-interface name)# Super User Mode - ALU#
  • Page 328: Hdlc Overview

    High-level Data Link Control (HDLC) protocol. In fact, many other layer 2 protocols are based on HDLC, particularly its framing structure. Note: The OmniAccess 5740 USG supports only Cisco HDLC. The following sections describe HDLC: • “HDLC Frame Structure”...
  • Page 329: Hdlc Frame Formats

    If the two differ by 3 or more, it considers the serial line as failed, and will not route further higher-level data across it until an acceptable keepalive response is received.
  • Page 330: Hdlc Configuration

    Refer to the following sections to enable HDLC encapsulation on a T1 or E1 interface or a Serial interface (V.35/X.21): • “HDLC Configuration Steps” • “HDLC Configuration Flow” • “HDLC Configuration Commands”
  • Page 331: Hdlc Configuration Steps

    (V.35/X.21). The steps (Step 6 - Step 12) hold good for configuration of HDLC on a V.35/X.21 interface, except that there is no channel group number in the interface name. Configure serial interface using the following command:
  • Page 332 If the encapsulation on the interface is pre-configured for either Frame Relay or PPP (Point to Point), then configure HDLC encapsulation. See “To Set Encapsulation to its Default (HDLC)”
  • Page 333 “To Configure HDLC Keepalive Interval” (Optional) Step 12: Configure loopback detection. See “To Enable Loopback Detection” command. (Optional) Step 13: View the status of HDLC. See “Show Interface Status”
  • Page 334: Hdlc Configuration Flow

    HDLC CONFIGURATION Figure 27: HDLC Configuration Flow
  • Page 335: Hdlc Configuration Commands

    encapsulation hdlc. Description: This command is entered in the Interface Configuration Mode. This command is used to configure encapsulation on an interface to HDLC. EXAMPLE ALU(config-if Serial0/0:0)# encapsulation hdlc
  • Page 336 no hdlc down-when-looped: This command disables bringing down of the line protocol when loopback is detected on the interface. This is the default behavior. EXAMPLE ALU(config-if Serial0/0:0)# no hdlc down-when-looped
  • Page 337 0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions Timeslot(s) Used:1-24 (64Kbps each), Transmitter delay is 0 flags ALU#
  • Page 338 DEBUGGING ON Command (in SUM/CM): no debug hdlc {all|keepalive [output {all|log|vty}]}. Description: The “no” command disables the debug functionality. By default, debug is disabled. EXAMPLE ALU(config)# no debug hdlc all
  • Page 339: Frame Relay

    CLI. For instructions on using the FR commands and descriptions on each of their parameters with the corresponding default values for each, refer to the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. This chapter is divided into the following sections: •...
  • Page 340: Frame Relay Overview

    The actual deployment of SVCs is minimal in today's FR network. • Permanent Virtual Circuits (PVC) - These are permanently established connections that are used for frequent and consistent data transfers between DTE devices across a FR network.
  • Page 341: Frame Relay Network Deployments

    FR networks are public carrier-provided networks. • Private Enterprise Networks - In private FR networks, the administration and maintenance of the network is the responsibility of an enterprise.
  • Page 342: Frame Relay Configuration

    Refer to the following sections to enable FR encapsulation on a T1 or E1 line card: • “Frame Relay Configuration Steps” • “Frame Relay Configuration Flow” • “Frame Relay Configuration Commands”
  • Page 343: Frame Relay Configuration Steps

    (V.35/X.21). The steps (Step 6 - Step 11) hold good for configuration of FR on a V.35/X.21 interface, except that there is no channel group number in the interface name. Configure a serial interface using the following command:
  • Page 344 FR DLCI can also be configured on a sub-interface. Multiple sub-interfaces with different FR DLCI are also configurable. Step 13: View the status of the Frame Relay protocol on a specified interface. “Frame Relay Show Commands”
  • Page 345: Frame Relay Configuration Flow

    FRAME RELAY CONFIGURATION Figure 28: FR Configuration Flow
  • Page 346: Frame Relay Configuration Commands

    QoS policy is more than three, after giving a warning message. You have to decrease the policy depth to less than or equal to three, and explicitly attach the policy to the interface.
  • Page 347 ALU(config)# interface Serial <slot/port:channel.subchannel> ALU(config-if Serial <slot/port:channel.subchannel>)# Example: ALU(config)# interface Serial 0/0:0.1 ALU(config-if Serial0/0:0.1)# Step 3: Configure IP address for the sub-interface ALU(config-if Serial <slot/port:channel.subchannel>)# ip address {<ip-address subnet-mask>|<ip-address/prefix-length>}
  • Page 348 If you are configuring FR on a sub-interface on a Serial interface (V.35/X.21), configure a sub-interface using the following command: ALU(config)# interface Serial <slot/port>.subchannel ALU(config-if Serial<slot/port.subchannel>)# Example: ALU(config)#interface Serial0/0.1 ALU(config-if Serial0/0.1)#
  • Page 349 The following example sets the LMI to ANSI standard: ALU(config-if Serial0/0:0)# frame-relay lmi-type ansi The following example sets the LMI-type to its default, i.e., auto-sense: ALU(config-if Serial0/0:0)# no frame-relay lmi-type
  • Page 350 The following example sets the polling interval to 8: ALU(config-if Serial0/0:0)#frame-relay lmi-n391dte 8 The following example sets the polling interval to default, i.e., 6: ALU(config-if Serial0/0:0)# no frame-relay lmi-n391dte
  • Page 351 The following example sets the DTE monitored events count to 7: ALU(config-if Serial0/0:0)# frame-relay lmi-n393dte 7 The following example sets the lmi-n393dte to its default value, i.e., 4: ALU(config-if Serial0/0:0)# no frame-relay lmi-n393dte
  • Page 352 FECN pkts out FECN pkts in BECN pkts out BECN pkts in DE pkts out DE pkts out bcast pkts out bcast bytes
  • Page 353 Invalid Information ID Invalid Report IE Len Invalid Report Request Invalid Keep IE Len Num Status Enq. Sent Num Status msgs Rcvd Num Update Status Rcvd Num Status Timeouts
  • Page 354 DISABLE DEBUGGING ON Command (in SUM/CM): no debug frame-relay {all|fse|keepalive|mlfr}. Description: The “no” command disables the debug functionality. By default, debug is disabled. EXAMPLE ALU(config)# no debug frame-relay all
  • Page 355: Point-To-Point Protocol

    PPP through the CLI. For instructions on using the PPP commands and descriptions on each of their parameters, refer to the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. Refer to the following to configure PPP encapsulation on an interface: •...
  • Page 356: Ppp Overview

    • CHAP (RFC 1994) • EAP (RFC 3748) The Alcatel-Lucent implementation of PPP conforms to the above specifications. PPP COMPONENTS PPP provides a method for transmitting datagrams over point-to-point links. On a serial interface, PPP contains four main components: •...
  • Page 357: Ppp Configuration

    PPP CONFIGURATION • “PPP Configuration Steps” • “PPP Configuration Flow” • “PPP Configuration Commands” • “PPP Show Commands” • “PPP Debug Commands”
  • Page 358: Ppp Configuration Steps

    (V.35/X.21). The steps (Step 6 - Step 10) hold good for configuration of PPP on a V.35/X.21 interface, except that there is no channel group number in the interface name. Configure serial interface using the following command:
  • Page 359 Configure LCP parameters. See “Link Control Protocol Configuration” • Configure IPCP parameters. See “IP Control Protocol (IPCP) Configuration” • Configure Timers and Counters. See “PPP Counters and Timers Configuration”
  • Page 360 • Configure authentication through user name and password. See “PPP Authentication Configuration” Step 12: Use the “PPP Show Commands” to view PPP configuration.
  • Page 361: Ppp Configuration Flow

    PPP CONFIGURATION Figure 29: PPP Configuration Flow
  • Page 362: Ppp Configuration Commands

    no encapsulation ppp: This command sets the encapsulation to its default. The default encapsulation on a serial interface is HDLC. EXAMPLE ALU(config)# interface Serial1/0:0 ALU(config-if Serial1/0:0)# encapsulation ppp ALU(config-if Serial1/0:0)# no encapsulation ppp
  • Page 363: Ppp Optional Parameters

    no ppp lcp echo-interval: The “no” command sets the echo-interval to its default value. The default value is 10 seconds. EXAMPLE ALU(config-if Serial1/0:0)# ppp lcp echo-interval 200 ALU(config-if Serial1/0:0)# no ppp lcp echo-interval
  • Page 364 NCP restart-interval to its default. The default LCP/NCP restart-interval is 30 seconds. EXAMPLE ALU(config-if Serial0/0:0)# ppp timeout restart-interval 10 ALU(config-if Serial0/0:0)# no ppp timeout restart-interval
  • Page 365 IPCP negotiation on the interface. Note: By default the OmniAccess 5740 USG system responds to IPCP negotiation initiated by the peer. Auto-negotiation happens when the IP address is changed on the interface. EXAMPLE ALU(config-if Serial1/0:0)# ppp ipcp negotiate...
  • Page 366 On a PPPoE enabled interface, the commands ‘no ppp ipcp address accept-peer’ and ‘ppp ipcp address pool local <ip-address>’ should not be configured as the interface is always in PPPoE client mode.
  • Page 367 no ppp timeout max-terminate: The “no” command sets the max-terminate value to its default. The default max-terminate value is “2”. EXAMPLE ALU(config-if Serial0/0:0)# ppp timeout max-terminate 10 ALU(config-if Serial0/0:0)# no ppp timeout max-terminate
  • Page 368 no ppp timeout max-failure: The “no” command sets the max-failure value to its default. The default max-failure value is “5”. EXAMPLE ALU(config-if Serial0/0:0)# ppp timeout max-failure 10 ALU(config-if Serial0/0:0)# no ppp timeout max-failure
  • Page 369 no ppp authentication username: The “no” command deletes the configured PPP authentication user name on the server side. EXAMPLE ALU(config-if Serial0/0:0)# ppp authentication username ALU ALU(config-if Serial0/0:0)# no ppp authentication username
  • Page 370 no ppp authentication client-username: The “no” command deletes the configured authentication user name on the client side. EXAMPLE ALU(config-if Serial0/0:0)# ppp authentication client-username client1 ALU(config-if Serial0/0:0)# no ppp authentication client-username
  • Page 371 no ppp authentication client-password: The “no” command deletes the configured authentication password on the client side. EXAMPLE ALU(config-if Serial0/0:0)# ppp authentication client-password pass1 ALU(config-if Serial0/0:0)# no ppp authentication client-password
  • Page 372: Ppp Show Commands

    PPP Max Terminate PPP Max Configure : 10 PPP Max Failure Authentication protocol : pap Authentication username : user1 Authentication password : secret1 Authentication client-username : user2 Authentication client-password : secret2
  • Page 373 IPCP Configure Naks: IPCP Configure Rejects: IPCP Terminate Requests: IPCP Terminate Acks: IPCP Code Rejects: IPCP Invalid Packets: PAP Authentication Requests: PAP Authentication Acks: PAP Authentication Naks: PAP Invalid Packets:
  • Page 374 Reserved Conversations: 0/0 (allocated/max allocated) Available Bandwidth 1544 kilobits/sec 5 minute input rate 0 bits/sec, 0 packets/sec 5 minute output rate 0 bits/sec, 0 packets/sec 50 packets input, 0 bytes, 0 no buffer
  • Page 375 LCP Configure Naks: LCP Configure Rejects: LCP Terminate Requests: LCP Terminate Acks: LCP Code Rejects: LCP Protocol Rejects: LCP Echo Requests: LCP Echo Replies: LCP Discard Requests: LCP Invalid Packets:
  • Page 376 ALU# show ppp ipcp statistics Serial 0/0:0 IPCP Configure Requests: IPCP Configure Acks: IPCP Configure Naks: IPCP Configure Rejects: IPCP Terminate Requests: IPCP Terminate Acks: IPCP Code Rejects: IPCP Invalid Packets:
  • Page 377 ALU# show ppp session statistics Serial 0/0:0 PPP data packets received: PPP control packets received: Packets dropped: PPP sessions initiated: PPP sessions received: PPP sessions successful: PPP sessions terminated:
  • Page 378 PAP Authentication Acks: PAP Authentication Naks: PAP Invalid Packets: CHAP Challenges: CHAP Responses: CHAP Successes: CHAP Failures: CHAP Invalid Packets: EAP Requests: EAP Responses: EAP Successes: EAP Failures: EAP Invalid Packets:
  • Page 379: Ppp Debug Commands

    ISABLE EBUGGING ON Command (in SUM/CM) Description The “no” command disables the debug no debug ppp {all|echo} functionality. By default, debug is disabled. XAMPLE ALU(config)# no debug ppp echo Alcatel-Lucent OmniAccess 5740 Unified Services Gateway CLI Configuration Guide Beta Beta...
  • Page 380 Left running head: Chapter name (automatic) Point-to-Point Protocol Alcatel-Lucent OmniAccess 5740 Unified Services Gateway CLI Configuration Guide Beta Beta...
  • Page 381: Point-To-Point Protocol Over Ethernet (Pppoe)

    “Ethernet Interfaces on SE” chapter before proceeding with this. For instructions on using the PPPoE commands and descriptions on each of their parameters, refer to the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. The chapter is divided into the following sections: •...
  • Page 382: PPPoE Overview

    The following features are available with the current release: • Supports PPPoE on Gigabit Ethernet interfaces. • The OmniAccess 5740 USG supports RFC 2516 (PPPoE) without necessarily conforming to all the optional items mentioned in the specification. • 1 PPPoE client session per SE Gigabit Ethernet interface.
  • Page 383: PPPoE Configuration

    PPPoE Configuration • “PPPoE Configuration Steps” • “PPPoE Configuration Flow” • “PPPoE Configuration Commands” • “PPPoE Show Commands”
  • Page 384: PPPoE Configuration Steps

    IPCP configuration section documented in the “Point-to-Point Protocol” chapter. You can also have a static IP address configured on the PPPoE enabled interface provided appropriate configurations are done at the remote end.
  • Page 385 PPP chapter. The show commands are also similar to the PPP show commands. For more details on these commands, refer to the “Point-to-Point Protocol” chapter.
  • Page 386: PPPoE Configuration Flow

    Point-to-Point Protocol over Ethernet (PPPoE) Figure 30: PPPoE Configuration Flow
  • Page 387: PPPoE Configuration Commands

    This also removes the PPPoE server given IP address, and restores the configured IP address on the interface (if any). EXAMPLE ALU(config-if GigabitEthernet3/0)# encapsulation pppoe ALU(config-if GigabitEthernet3/0)# no encapsulation pppoe
  • Page 388: PPPoE Optional Parameters

    ALU(config-if GigabitEthernet3/0)# pppoe service-name ISP1 ALU(config-if GigabitEthernet3/0)# no pppoe service-name Note: The PPPoE service-name configured on OmniAccess 5740 USG should match the service-name supported on the server. If “service-name” is not configured, then the client accepts any service offered by the PPPoE server.
  • Page 389 EXAMPLE ALU(config-if GigabitEthernet3/0)# pppoe ac-name ISP123 ALU(config-if GigabitEthernet3/0)# no pppoe ac-name Note: The access concentrator name configured on OmniAccess 5740 USG should match the concentrator name of the server. INITIATE NEGOTIATION MANUALLY Command (in ICM)
  • Page 390 no pppoe retry-timer: The ‘no’ command resets the retry-timer to its default. The default retry-timer value is 10 seconds. EXAMPLE ALU(config-if GigabitEthernet3/0)# pppoe retry-timer 15 ALU(config-if GigabitEthernet3/0)# no pppoe retry-timer
  • Page 391 After the negotiations, MTU is set to be either user configured MTU or server suggested MTU, whichever is lesser. • Irrespective of the MTU value, OmniAccess 5740 USG will still be able to receive PPPoE packets with payload of 1492 bytes.
  • Page 392: PPPoE Show Commands

    GigE interface. GigabitEthernet <slot/port> EXAMPLE ALU(config)# show pppoe statistics GigabitEthernet 3/0 PADI sent: PADO received: 24 PADO dropped: PADR sent: PADS received: 13 PADT sent: PADT received: 0
  • Page 393: Multilink Point to Point Protocol

    Port (USP) Line Card” chapters before proceeding to this. For instructions on using the MLPPP commands and descriptions on each of their parameters, refer to the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. The chapter is divided into the following sections: •...
  • Page 394: MLPPP Overview

    MLPPP is an extension to PPP. See “Point-to-Point Protocol” for information about PPP. Microsoft Windows, Linux, and other operating systems support MLPPP. Many routers also support Multilink PPP. Figure 31: Sample Deployment Scenario for MLPPP
  • Page 395: MLPPP Components

    PPP header. It contains a sequence number and additionally allows for fragmentation or re-assembly of the packet. MLPPP is also referred to as MP or MPPP. Figure 32: MLPPP Header in Long Sequence Number Format
  • Page 396: Alcatel-Lucent Specific Overview on MLPPP Features

    The following features are available with the current release: • The OmniAccess 5740 USG supports RFC 1990 (MLPPP Protocol) without necessarily conforming to all the optional items mentioned in the specification. • Specifically, the system supports the logical aggregation, into a configured MLPPP bundle of any number of channelized or fractional T1 or E1 interfaces, Serial (V.35/X.21) interfaces, etc.
  • Page 397: MLPPP Configuration

    MLPPP Configuration • “MLPPP Configuration Steps” • “MLPPP Configuration Flow” • “MLPPP Configuration Commands” • “MLPPP Show Commands”
  • Page 398: MLPPP Configuration Steps

    (V.35/X.21). The steps (Step 6 - Step 12) hold good for configuration of MLPPP on a V.35/X.21 interface, except that there is no channel group number in the interface name. Configure a serial interface using the following command:
  • Page 399 Step 11: Enter Serial interface configuration mode for Member Link Configuration ALU(config)# interface Serial <slot/port:channel> ALU(config-if Serial<slot/port:channel>)# Example: ALU(config)#interface Serial0/0:0 ALU(config-if Serial0/0:0)# Step 12: Administratively bring up the interface ALU(config-if <interface-name>)# no shutdown Example: ALU(config-if Serial0/0:0)# no shutdown
  • Page 400 Multilink Point to Point Protocol Step 13: Configure encapsulation on the interface. See “To Set MLPPP Encapsulation on an Interface” Step 14: Use the “MLPPP Show Commands” to view the MLPPP configuration.
  • Page 401: MLPPP Configuration Flow

    MLPPP Configuration Figure 34: MLPPP Configuration Flow
  • Page 402: MLPPP Configuration Commands

    no mlppp load-threshold {high|low} {outbound|inbound}: This command removes the load threshold on the MLPPP bundle. EXAMPLE ALU(config-if mlppp100)# mlppp load-threshold high outbound 100 ALU(config-if mlppp100)# no mlppp load-threshold high outbound
  • Page 403 If the encapsulation of a serial interface is changed to MLPPP from HDLC/PPP/FR, the QoS policy applied on the serial interface will be removed after giving a warning message.
  • Page 404: MLPPP Show Commands

    0 fragments received, 0x0 received sequence ALU(config)# show mlppp 10 MLPPP bundle 10 link state information: IPCP: Open MEMBER LINKS AUTH CLIENT AUTH SERVER Serial0/0:1 Open ----- Serial0/0:0 Open -----
  • Page 405: MLPPP Configuration Example

    Encapsulation mlppp, MLPPP Bundle Id: 10 keepalive set (10 sec) LCP: Open Last input never, output never, output hang never Last clearing of "show interface" counters never Queueing strategy: fifo
  • Page 406 0 fragments received, 0x0 received sequence ALU(config)# show mlppp 10 MLPPP bundle 10 link state information: IPCP: Open MEMBER LINKS AUTH CLIENT AUTH SERVER Serial0/0:1 Open ----- Serial0/0:0 Open -----
  • Page 407: Multilink Frame Relay

    “MLFR Overview” • “MLFR Configuration” CHAPTER CONVENTIONS Acronym Description Configuration Mode - ALU (config)# Interface Configuration Mode - ALU (config-interface name)# MLFR Multilink Frame Relay Super User Mode - ALU#
  • Page 408: MLFR Overview

    The MLFR packet is encapsulated using an MLFR header, which is different from the standard Frame Relay header. It contains a sequence number and also allows for fragmentation/reassembly of the MLFR packet. MLFR is also referred to as MFR.
  • Page 409: MLFR Frame Format for Data Packets

    MLFR Overview Figure 35: MLFR frame format for data packets Figure 36: MLFR frame format for control packets
  • Page 410: Alcatel-Lucent Specific Overview on MLFR Features

    The following features are available with the current release: • The OmniAccess 5740 USG supports FRF 16.1 (Multilink Frame Relay UNI/NNI Implementation Agreement) without necessarily conforming to all the optional items mentioned in the specification. • Specifically, the system will support the logical aggregation into a configured MLFR bundle to support any number of interfaces, including channelized and fractional serial interfaces.
  • Page 411: MLFR Configuration Steps

    (V.35/X.21). The steps (Step 6 - Step 16) hold good for configuration of MLFR on V.35/X.21 interface, except that there is no channel group number in the interface name. Configure a serial interface using the following command:
  • Page 412 “To Assign Bundle Identification (BID) to the Bundle” (Optional) Member Link Configuration Step 13: Enter Serial interface configuration mode ALU(config)# interface Serial <slot/port:channel> ALU(config-if Serial<slot/port:channel>)# Example: ALU(config)#interface Serial0/0:0 ALU(config-if Serial0/0:0)#
  • Page 413 “To Configure the Acknowledge Interval” • Configure the retry count. See “To Configure the Retry Count” Step 17: Use the show commands to view the MLFR configuration. See “MLFR Show Commands”
  • Page 414: MLFR Configuration Flow

    Multilink Frame Relay Figure 37: MLFR Configuration Flow
  • Page 415: MLFR Configuration Commands

    The following example sets the LMI to ANSI standard: ALU(config-if mlfr100)# frame-relay lmi-type ansi The following example sets the LMI-type to its default, i.e., ‘auto-sense’: ALU(config-if mlfr100)# no frame-relay lmi-type
  • Page 416 no mlfr bid <name>: This command removes the configured bid name from the bundle interface. EXAMPLE ALU(config-if mlfr100)# mlfr bid ALU1 Note: Configuring a Bundle Interface is a pre-requisite to Member Link configuration.
  • Page 417 no mlfr lid <name>: This command removes the configured LID name from the interface that is part of the bundle. EXAMPLE ALU(config-if Serial0/0:0)# mlfr lid ALU-wan-link ALU(config-if Serial0/0:0)# no mlfr lid ALU-wan-link
  • Page 418 1 second to 10 seconds. no mlfr ack-interval <1-10>: This command resets the acknowledge interval to its default, i.e., 4 seconds. EXAMPLE ALU(config-if Serial0/0:0)# mlfr ack-interval 5 ALU(config-if Serial0/0:0)# no mlfr ack-interval 5
  • Page 419: MLFR Show Commands

    Last clearing of "show interface" counters never 614 packets input( 325 controld packets, 289 data packets),34295 bytes 26599 packets output( 26216 controld packets, 383 data packets),458430 bytes 53 packets dropped 0 giant packets
  • Page 420 Timeslot(s) Used:1-24 (64Kbps each), Transmitter delay is 0 flags Note: All the show commands that take IP interface name as an argument will also take MLFR interface as a parameter.
  • Page 421: Ethernet OAM (Operations, Administration, and Maintenance)

    This chapter covers the commands used to configure Ethernet OAM (Operations, Administration, and Maintenance) feature on OmniAccess 5740 USG. For instructions on using the commands and to get a detailed description on each of their parameters, refer to OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. CHAPTER...
  • Page 422 Maintenance Association End Point Identifier MAID Maintenance Association Identifier Protocol Data Unit Super User Mode - ALU# VLAN Virtual LAN Wide Area Network One-way Delay Measurement Two-way Delay Measurement
  • Page 423: OAM Overview

    IP/MPLS core, the Ethernet metro, and to the customer's premises. Ethernet OAM helps to achieve increased availability and reduced mean time to repair (MTTR), thereby directly impacting the competitiveness of the service provider.
  • Page 424: Alcatel-Lucent Specific Overview

    • Supports Ethernet OAM functionality on Gigabit Ethernet interface and BCP enabled T1E1 serial interface on OmniAccess 5740 USG. ELEMENTS OF The following figure shows graphical representation of the main elements of OAM: • Maintenance Domain (MD) The network or the part of the network for which faults in connectivity can be managed.
  • Page 425 Maintenance Entity for each of the other MEPs in the same MA. • Maintenance Association End Point Identifier (MEPID) A small integer, unique over a given MA, identifying a specific MEP.
  • Page 426: OAM Configuration on OmniAccess

    Step 9: Configure maintenance association end point identifier. “To Configure MEP (Maintenance Association End Point)” Step 10: Administratively bring up a MEP. See “To Administratively Bring Up/ Down MEP”
  • Page 427 Initiate Ethernet CFM one-way delay test on a MEP. See “To Initiate Ethernet CFM One-way Delay Test” Initiate Ethernet CFM two-way delay test on a MEP. See “To Initiate Ethernet CFM Two-way Delay Test”
  • Page 428 Step 15: Initiate Ethernet OAM fault isolation test. See “To Initiate Ethernet OAM Fault Isolation Test - Link Trace Test” (Optional) Step 16: See “OAM Show Commands” to view OAM configuration.
  • Page 429: OAM Configuration Flow

    OAM Configuration on OmniAccess 5740 USG Figure 38: OAM configuration flow
  • Page 430: OAM Configuration Commands

    You cannot delete a MD if it is associated with a MA. First delete the MA to delete the EXAMPLE ALU(config-oam)# eth-cfm domain 1 name string domain123 level 1 ALU(config-oam)# no eth-cfm domain 1
  • Page 431 remote-mep <1-8191>: This command is used to configure a remote MEP. no remote-mep <1-8191>: This command is used to delete a remote MEP. EXAMPLE ALU(config-oam-domain-assoc)# remote-mep 10 ALU(config-oam-domain-assoc)# no remote-mep 10
  • Page 432 no ccm-interval [10m|10s|1m|1s]: This command is used to delete the configured CCM interval and reset it to the default value. The default CCM interval is 1 second. EXAMPLE ALU(config-oam-domain-assoc)# ccm-interval 1m ALU(config-oam-domain-assoc)# no ccm-interval
  • Page 433 MEP. shutdown: This command is used to administratively bring down the MEP. By default, MEP will be in shutdown state. EXAMPLE ALU(config-oam-domain-assoc-mep)# no shutdown ALU(config-oam-domain-assoc-mep)# shutdown
  • Page 434 Command (in OAM-DA MEP CM): ccm {disable|enable} Description: This command is used to enable/disable CCM messages on a MEP. By default, the CCM will be disabled. EXAMPLE ALU(config-oam-domain-assoc-mep)# ccm enable ALU(config-oam-domain-assoc-mep)# ccm disable
  • Page 435 [<1-6>] value and reset it to the default. The default lowest priority defect value is 2. EXAMPLE ALU(config-oam-domain-assoc-mep)# fault-alarm lowest-priority-defect 1 ALU(config-oam-domain-assoc-mep)# no fault-alarm lowest-priority-defect
  • Page 436 [<250-1000>] it to default value. The default reset-time is 1000 milliseconds. EXAMPLE ALU(config-oam-domain-assoc-mep)# fault-alarm reset-time 400 ALU(config-oam-domain-assoc-mep)# no fault-alarm reset-time 400
  • Page 437 [1s|60s] configured AIS interval and reset it to the default. The default AIS interval is 1 second. EXAMPLE ALU(config-oam-domain-assoc-mep)# eth-ais interval 60s ALU(config-oam-domain-assoc-mep)# no eth-ais interval
  • Page 438 eth-cfm eth-test <mac-address> mep <1-8191> domain <0-65535> association <0-65535> [{datasize <1-1480>|priority <0-7>}]: This command is used to initiate an Ethernet test signal. EXAMPLE ALU(config-oam)# eth-cfm eth-test 1111.1111.1111 mep 10 domain 1 association 10 priority 2
  • Page 439 eth-cfm 2DMtest <mac-address> mep <1-8191> domain <0-65535> association <0-65535> [priority <0-7>]: This command is used to initiate a ETH-CFM two-way delay test. EXAMPLE ALU(config-oam)# eth-cfm 2DMtest 1111.1111.1111 mep 10 domain 1 association 10 priority 2
  • Page 440 eth-cfm linktrace <mac-address> mep <1-8191> domain <0-65535> association <0-65535> [ttl <1-255>]: This command is used to initiate a linktrace test. EXAMPLE ALU(config-oam)# eth-cfm linktrace 1111.1111.1111 mep 10 domain 1 association 10 ttl 10
  • Page 441 {Down|Up}] EXAMPLE ALU(config)# show eth-cfm cfm-stack-table --------------------------------------------------------- Dot1ag Stack Table Information --------------------------------------------------------- Interface VLAN-id level Dir MdIndex MaIndex MepIndex MacAddress GigabitEthernet 3/0 Down 00e0.b1c6.df2a GigabitEthernet 3/0:1 10 Down 00e0.b1c6.df2a
  • Page 442 DefRemoteCCM DefErrorCCM DefXconCCM HighestDefect: DefNone Defect Flags: DefNone AIS-Enable: Disabled AIS Priority: 1 AIS Interval: 1 AIS Level: 0 --------------------------------------------------------- MEP Linktrace Message Information --------------------------------------------------------- LtRxUnexplained: 0 LtNextSequence: 2
  • Page 443 LbRxBadOrder: 0 LbRxBadMsdu: 0 LbTxReply: 0 LbStatus: False LbResult: True DestIsMepId: False DestMepId: 10 SendCount: 0 VlanDropEnable: 0 SequenceNum: 2 NextSequenceId: 2 DestMac: 0000:0000:0000 VlanPriority: 0 DataTLV: None ---------------------------------------------------------
  • Page 444 Absent 0E0.B1B2.539C Fri Jan 2 02:31:49 1970 False True Absent Absent 0E0.B1C6.3CBC Fri Jan 2 02:31:49 1970 False True Absent Absent 011.8B 2.7911 Fri Jan 2 02:31:49 1970 ---------------------------------------------------------------
  • Page 445 <0-65535> 1DM-test-results remote-peer-mac <mac-address> EXAMPLE ALU(config)# show eth-cfm mep 100 domain 100 association 100 1DM-test-results remote-peer-mac 00e0.b1c6.df2a ------------------------------------------------------------------------ 1DM Test Result ------------------------------------------------------------------------ PEER MAC Delay(microseconds) Variation(microseconds) 00:e0:b1:c6:df:2a 4060307296 234660000 ------------------------------------------------------------------------
  • Page 446 <0-65535> 2DM-test-results remote-peer-mac <mac-address> EXAMPLE ALU(config)# show eth-cfm mep 10 domain 100 association 100 2DM-test-results remote-peer-mac 00e0.b1b2.539c ------------------------------------------------------------------------ 2DM Test Result ------------------------------------------------------------------------ PEER MAC Delay(microseconds) Variation(microseconds) 00:e0:b1:b2:53:9c 10000 10000 ------------------------------------------------------------------------
  • Page 447: OAM Configuration Using OmniAccess 5740 USG

    Consider a scenario with VLAN-A service running between two OmniAccess 5740 USG - OA5740-A and OA5740-B. In order to monitor and troubleshoot the service level and network level defects, enable Ethernet OAM on device A and device B.
  • Page 448 Administratively bring up a MEP. OA5740-B(config-oam-domain-assoc-mep)# no shutdown g) Enable a continuity check protocol on a MEP. OA5740-B(config-oam-domain-assoc-mep)# ccm enable VERIFICATION Verify OAM association information using the show commands.
  • Page 449: Bridging Configuration

    This chapter covers the commands used to configure bridging on OmniAccess 5740 USG. For instructions on using the commands and to get a detailed description on each of their parameters, refer to OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. CHAPTER...
  • Page 450: Bridging Overview

    SPECIFIC BRIDGING OVERVIEW Bridging feature on OmniAccess 5740 USG helps in carrying same VLAN tag across the interfaces, carrying multiple network protocols data seamlessly and avoids complexity of a router configuration. MAC Address, VLAN ID and 802.1p information remain intact while forwarding through WAN interfaces.
  • Page 451 GIGABIT ETHERNET INTERFACE Bridging is supported on Gigabit Ethernet port on OmniAccess 5740 USG. The packets from these ports can be bridged to Layer2 /WAN ports. Bridging is supported only on the main interface, though tag packets can be received on the main and sub-interfaces. Unlike main interface, sub-interface supports only routing.
  • Page 452: Bridging Configuration on PPP/MLPPP/FR/MLFR/HDLC/GigE Interface

    Bridging Configuration Refer to the following sections to configure bridging on OmniAccess 5740 USG: • “Bridging Configuration Steps” • “Bridging Configuration Flow” • “Bridging Configuration Commands” BRIDGING CONFIGURATION STEPS Note: The following bridging configuration commands are shown for a serial (V.35/X.21/RS-...
  • Page 453 “To Enable/Disable BCP on the Interface” Note: 1. To prevent undesirable loops and have path redundancy in the network, you can enable Spanning Tree Protocol (STP) on OmniAccess 5740 USG when bridging is enabled. Refer to “Per VLAN Spanning Tree +”...
  • Page 454: Bridging Configuration Flow

    Bridging Configuration Figure 40: BCP configuration flow
  • Page 455: Bridging Configuration Commands

    BCP will be disabled if the last VLAN configuration is removed. This command is also used to delete range of VLANs configured on the interface.
  • Page 456 The following example configures range of VLANs on the interface ALU(config)# interface Serial 0/0 ALU(config-if Serial0/0)# vlan range 50 100 The following example removes the VLANs configured on the interface: ALU(config-if Serial0/0)# no vlan 20 30 40
  • Page 457 0 protocol packets dropped, 0 non ppp packets dropped 14 packets bridged, 2 bridge packets dropped Fragmentation: Fragment Delay 0 ms 0 fragmented, 0 couldn't fragment 0 fragments created, 0x18 sent sequence
  • Page 458 HDLC interface. EXAMPLE ALU(config-if Serial0/0)# show hdlc statistics Keepalive received Keepalive sent Giant packets received Bridge packets received : 62 Bridge packets dropped Non IP packets dropped Packet errors
  • Page 459 DE pkts out bcast pkts out bcast bytes End-to-End Fragmentation Statistics Packets Fragmented Fragments created Fragments failed End-to-End Reassembly Statistics Fragments Received Fragments Reassembled Fragments Dropped Fragments Timeout Fragments Rordered
  • Page 460 VLAN-ID. EXAMPLE ALU(config)# show vlan Brief VLAN_ID Interface name Mode --------- ----------------- -------- switchport3 Access Serial0/0 Trunk switchport0 Access Serial0/0 Trunk switchport1 No-Mode switchport2 No-Mode
  • Page 461 Bridging Configuration on PPP/MLPPP/FR/MLFR/HDLC/GigE Interface BRIDGING CLEAR COMMANDS CLEAR BRIDGE STATISTICS Command (in SUM/CM): clear bridge statistics Description: This command is used to clear the bridge node statistics. EXAMPLE ALU(config)# clear bridge statistics
  • Page 462: BCP Configuration Using OmniAccess

    WAN link. The hosts in the LAN belong to same subnet and need to communicate through the WAN link. Figure 41: BCP configuration scenario on OmniAccess 5740 USG By enabling bridging on the serial interface 0/0 on OA5740-A, packets coming out of VLAN 10 are bridged as tagged packets.
  • Page 463: Link Fragmentation And Interleaving (Lfi)

    Data Terminal Equipment Frame Relay Link Control Protocol MLPPP Multi Link Point to Point Protocol Maximum Receive Unit MRRU Maximum Receive Reconstructed Unit Point-to-Point Super User Mode - ALU# Alcatel-Lucent OmniAccess 5740 Unified Services Gateway CLI Configuration Guide Beta Beta...
  • Page 464: Lfi Overview

    PECIFIC VERVIEW ON EATURES The following features are available with the current release: • The OmniAccess 5740 USG supports RFC 1990 (MLPPP) without necessarily conforming to all the optional items mentioned in the specification. • Multilink PPP with interleaving •...
  • Page 465: Overview Of Lfi In Mlppp

    Individual fragments by default will have long sequence number, therefore, have the following format: Alcatel-Lucent OmniAccess 5740 Unified Services Gateway CLI Configuration Guide Beta Beta...
  • Page 466: Mlppp Header In Long Sequence Number Format

    There is no separate FCS applied to the reconstituted packet as a whole if transmitted in more than one fragment. Alcatel-Lucent OmniAccess 5740 Unified Services Gateway CLI Configuration Guide Beta Beta...
  • Page 467: Configuration Of Lfi On Mlppp

    Packets. Interleaving functionality will be performed by QoS configured on MLPPP bundle interface. Note: To achieve best latency results, it is recommended that all the constituent links in a MLPPP bundle have similar bandwidth. Alcatel-Lucent OmniAccess 5740 Unified Services Gateway CLI Configuration Guide Beta Beta...
  • Page 468: Lfi Configuration On Mlppp

    “LFI - MLPPP Configuration Steps” • “LFI - MLPPP Configuration Flow” • “LFI - MLPPP Configuration Commands” • “LFI - MLPPP Show Commands” • “Configuration Example of LFI on MLPPP” Alcatel-Lucent OmniAccess 5740 Unified Services Gateway CLI Configuration Guide Beta Beta...
  • Page 469: Lfi - Mlppp Configuration Steps

    Creation of a channel-group is a pre-requisite for configuring a Serial Interface on a T1 or an E1 controller. Step 5: Administratively bring up the controller. ALU(config-controller T1)# no shutdown Step 6: Exit from the controller mode ALU(config-controller T1)# exit ALU(config)# Alcatel-Lucent OmniAccess 5740 Unified Services Gateway CLI Configuration Guide Beta Beta...
  • Page 470 Configuring QoS out policy is mandatory for link fragmentation. If only fragment delay is configured and QoS out policy is not configured, then the link fragmentation will not come into effect. Alcatel-Lucent OmniAccess 5740 Unified Services Gateway CLI Configuration Guide Beta Beta...
  • Page 471 Step 15: Set MLPPP encapsulation on the interface. ALU(config-if <interface-name>)# encapsulation mlppp <1-256> Example: ALU(config)#interface Serial1/0:0 ALU(config-if Serial1/0:0)# encapsulation mlppp 100 Step 16: Use “LFI - MLPPP Show Commands” to view the LFI configuration.
  • Page 472: Lfi - Mlppp Configuration Flow

    Figure 44: LFI - MLPPP Configuration Flow
  • Page 473: Lfi - Mlppp Configuration Commands

    Configurations for the QoS policy map and the attributes within the policy are not shown in this section. For more information on configuring a policy map, refer to the QoS Configuration section in the “Quality of Service” chapter.
  • Page 474 ALU(config-if mlppp100)# fragment delay 10 ALU(config-if mlppp100)# no fragment delay Note: The MTU (Maximum Transmission Unit) of the individual links in a MLPPP bundle should be greater than the fragment size.
  • Page 475 Command: no slippage mru Description: The ‘no’ command sets the slippage MRU to its default, i.e., 32 MRU. EXAMPLE ALU(config)# interface mlppp 100 ALU(config-if mlppp100)# slippage mru 16 ALU(config-if mlppp100)# no slippage mru
  • Page 476: Lfi - Mlppp Show Commands

    Reassembly: Slippage MRU 16 0 fragments in reassembly list 0 lost fragments, 0 reordered 11 discarded fragments, 0 reassembled 0 timeouts, 0 couldn't reassemble 0 fragments received, 0xb received sequence
  • Page 477: Configuration Example Of Lfi On Mlppp

    Configure policy map. Associate match-list and class map with the policy map. ALU-1(config)# match-list m1 ALU-1(config-match-list-m1)# tcp any any ALU-1(config)# class-map c1 ALU-1(config-qos-c1)# match m1 ALU-1(config)# policy-map P1 ALU-1(config-qos-P1)# class C1 ALU-1(config-qos-P1-C1)# priority
  • Page 478 Configure QoS out policy on the MLPPP interface. ALU-1(config-if mlppp2)# service-policy out P2 d) Configure fragment delay and slippage MRU over the MLPPP interface ALU-2(config-if mlppp2)#fragment delay 10 ALU-2(config-if mlppp2)#slippage mru 20
  • Page 479 10 fragments created, 0x9 sent sequence Reassembly: Slippage MRU 20 0 fragments in reassembly list 0 lost fragments, 0 reordered 11 discarded fragments, 0 reassembled 0 timeouts, 0 couldn't reassemble 0x10 received sequence
  • Page 480: Overview Of Lfi In Frame Relay

    The (C)ontrol bit is set to 0 in all fragments. It is reserved for future control functions. There is a separate sequence number maintained for each fragmented PVC between DTE peers.
  • Page 481: Configuration Of Lfi On Fr (And Fr Sub Interface)

    CONFIGURATION OF LFI ON FR (AND FR SUB INTERFACE) LFI is configurable on FR interfaces on OmniAccess 5740 USG. Unlike MLPPP, where a desired serialization delay is specified, on a Frame Relay interface the fragment size should be configured. As a rule of thumb, divide the line speed by 800 to get a fragment size that results in a 10-ms serialization delay.
  • Page 482: Lfi Configuration On Fr

    “LFI - FR Configuration Flow” • “LFI-FR Configuration Commands” • “LFI Configuration on FR Sub Interface” • “LFI - FR Show Commands” • “Configuration Example of LFI on FR”
  • Page 483: Lfi - Fr Configuration Steps

    Creation of a channel-group is a pre-requisite for configuring a Serial Interface on a T1 or an E1 controller. Step 5: Administratively bring up the controller. ALU(config-controller T1)# no shutdown Step 6: Exit from the controller mode ALU(config-controller T1)# exit ALU(config)#
  • Page 484 ALU(config-if <interface-name>)# ip address {<ip-address subnet-mask>|<ip-address/prefix-length>} Example: ALU(config-if Serial0/0:0)# ip address 20.20.20.20/24 Step 10: Set FR encapsulation on the interface. ALU(config-if <interface-name>)# encapsulation frame-relay Example: ALU(config)#interface Serial0/0:0 ALU(config-if Serial0/0:0)# encapsulation frame-relay
  • Page 485 Interface” For more information on configuring policy map, refer to “Quality of Service” chapter. Step 15: Use “LFI - FR Show Commands” to view the LFI-FR configuration.
  • Page 486: Lfi - Fr Configuration Flow

    Figure 47: LFI - FR Configuration Flow
  • Page 487: Lfi-Fr Configuration Commands

    DLCI configured). - QoS policy is configured on the FR Interface. It is recommended that the fragment size configured is greater than the priority packet size.
  • Page 488 Command: no service-policy {in|out} <policy-map name> Description: This command detaches the policy map from the interface. EXAMPLE ALU(config-if Serial 0/0:0)# service-policy out P1 ALU(config-if Serial 0/0:0)# no service-policy out P1
  • Page 489: Lfi Configuration On Fr Sub Interface

    If you are configuring FR on a sub-interface on a Serial interface (V.35/X.21), configure a sub-interface using the following command: ALU(config)# interface Serial <slot/port>.subchannel ALU(config-if Serial<slot/port.subchannel>)# Example: ALU(config)#interface Serial0/0.1 ALU(config-if Serial0/0.1)#
  • Page 490: Lfi - Fr Show Commands

    0 output errors, 0 collisions, 0 interface resets 0 output buffer failures, 0 output buffers swapped out 0 carrier transitions Timeslot(s) Used:1-24 (64Kbps each), Transmitter delay is 0 flags
  • Page 491 End-to-End Reassembly Statistics fragments received fragments reassembled fragments dropped fragments timeout fragments reordered DLCI = 110, DLCI USAGE = LOCAL, PVC STATUS = STATIC, INTERFACE = Serial0/0:0.1 …………
  • Page 492 End-to-End Fragmentation Statistics Packets fragmented Fragments Created fragments failed End-to-End Reassembly Statistics fragments received fragments reassembled fragments dropped fragments timeout fragments reordered
  • Page 493: Configuration Example Of Lfi On Fr

    Configure policy map. Associate match-list and class map with the policy map. ALU-1(config)# match-list m1 ALU-1(config-match-list-m1)# tcp any any ALU-1(config)# class-map c1 ALU-1(config-qos-c1)# match m1 ALU-1(config)# policy-map P1 ALU-1(config-qos-P1)# class C1 ALU-1(config-qos-P1-C1)# priority
  • Page 494 ALU-2(config-if Serial1/0:0)# slippage mru 16 Verification with Show Command You can verify the LFI-FR configuration using the following commands: • show interface serial <slot/port> • show frame-relay fragments • show frame-relay pvc
  • Page 495: Part 4 Common Classification

    Part 4 Common Classification
  • Page 497: Common Classifiers

    “Sample examples on the usage of CC across applications” CHAPTER CONVENTIONS Acronym Description Configuration Mode - ALU (config)# Match-list CM Match-list Configuration Mode - ALU (config-match-list-name)# Super User Mode - ALU#
  • Page 498: Cc Overview

    QoS, VPN, Firewall, IDS, etc. The OmniAccess 5740 USG incorporates multiple services like routing, switching, firewall, VPN, and QoS. As part of our unified architecture, we have evolved a common classifier design which decouples classification and action.
  • Page 499: Benefits Of Alcatel-Lucent Devices Common Classifiers

    Rules themselves can consist of individual elements arranged in a specific manner, and can include references to lists of elements.
  • Page 500: Before You Configure Cc

    The keyword “service” defines the destination port for a TCP or UDP protocol. • The keyword “type” defines the header type and kicks in by ALGs (Application Level Gateways).
  • Page 501: Cc Configuration

    STEPS The following section gives an overview of the steps required to configure the common classifiers on the OmniAccess 5740 USG, which includes the “Lists and Match-lists”. Step 1: At the inception, you are required to have a thorough knowledge of the elements used in configuring CC before proceeding further.
  • Page 502: Elements Used In Configuring Cc

    A higher level description of the packet stored in the packet context, derived from some application or feature. Used by the ALGs (Application Level Gateways). DSCP Specifies IP Differential Service Code Point (DSCP).
  • Page 503 Assured Forwarding 43 Class Selector 1 Class Selector 2 Class Selector 3 Class Selector 4 Class Selector 5 Class Selector 6 Class Selector 7 default Default Expedited Forwarding
  • Page 504 Match packets with network control precedence (7) MNEMONICS FOR Mnemonic Description normal Normal Service (0) min-cost Minimize monetary cost (1) max-reli Maximum reliability (2) max-tput Maximum throughput (4) min-delay Minimize delay (8)
  • Page 505: To Configure A Match-List

    The “service” keyword in TCP and UDP protocols refers to the destination port. Currently, the ‘service’ keyword in TCP or UDP can have only the following values: ftp-data|ftp|ssh|telnet|smtp|dns|tftp|http|pop2|pop3|imap|snmp|snmptrap|bgp
  • Page 506 To classify traffic coming from network 192.168.10.0/24 and going to 192.168.11.0/24, the match-list would look as shown below. ALU(config)# match-list m1 ALU(config-match-list-m1)# tcp prefix 192.168.10.0/24 prefix 192.168.11.0/24 service ssh
  • Page 507 ALU(config-match-list-m1)# 1 tcp prefix 192.168.10.0/24 prefix 192.168.11.0/24 service ssh ALU(config)# match-list m2 ALU(config-match-list-m2)# 1 udp interface GigabitEthernet 3/0 interface GigabitEthernet 3/1 ALU(config)# match-list m3 ALU(config-match-list-m3)# 1 icmp any any
  • Page 508 ALU(config)# match-list m1 ALU(config-match-list-m1)# 1 ip list i1 list i2 ALU(config-match-list-m1)# 2 ip list i1 list i2 ALU(config-match-list-m1)# 3 ip list i1 list i2 ALU(config-match-list-m1)# 4 ip list i1 list i2
  • Page 509 ALU(config)# list i1 prefix 10.0.0.0/8 prefix 11.0.0.0/8 ALU(config)# list i2 prefix 20.0.0.0/8 prefix 21.0.0.0/8 ALU(config)# match-list m1 ALU(config-match-list-m1)# 1 tcp list i1 list i2 service telnet
  • Page 510 This can be represented by the classifier as: ALU(config)# list L3 prefix 192.168.1.0/24 prefix 192.168.2.0/24 ALU(config)# list L4 prefix 192.168.18.0/24 prefix 192.168.19.0/24 ALU(config)# match-list m1 ALU(config-match-list-m1)# 1 udp list L3 list L4 service tftp
  • Page 511 |tos {<0-15>|<tos-mnemonics>}] EXAMPLE The following example configures an ICMP rule with ‘any any’, icmp-type value 10, and icmp-subtype value 5: ALU(config-match-list-test)# icmp any any icmp-type 10 icmp-subtype 5
  • Page 512: To Configure Rules Using The Protocol Numbers

    Command: ethernet {any|mac <source-mac-address>} {any|mac <destination-mac-address>} [priority <0-7>|vlan-id <1-4094>} Description: This command is used to configure rule based on Ethernet parameters. EXAMPLE ALU(config-match-list-m1)# ethernet mac 1122.aabb.55ff any
  • Page 513: Lists In Cc

    ALU(config)# match-list m1 ALU(config-match-list-m1)# 1 tcp list L3 list L4 service telnet ALU(config-match-list-m1)# 2 tcp list L3 list L4 service telnet ALU(config-match-list-m1)# 3 udp list L3 list L4 service snmp
  • Page 514 192.168.12.0/24 and 192.168.13.0/24. ALU(config)# list L1 prefix 192.168.12.0/24 prefix 192.168.13.0/24 ALU(config)# match-list m1 ALU(config-match-list-m1)# 1 tcp any list L1 service ssh ALU(config-match-list-m1)# 2 tcp any list L1 service pop3
  • Page 515: Nesting Of Match-Lists

    ALU(config-match-list-m2)# 4 include m1 Note: There is no ordering of rules inside a match-list. All the rules are of same priority. The rule numbers are used only for reference.
  • Page 516 ALU(config)# list l2 host 192.168.0.3 include l1 ALU(config)# match-list m1 ALU(config-match-list-m1)# tcp any list l1 length 23 from ssh service range 23 35 ALU(config-match-list-m1)# exit ALU(config)# match-list m2 ALU(config-match-list-m2)# include m1
  • Page 517: Show Commands In Cc

    The following example displays the details of the list L1 and L2 configured: ALU(config)# show list l1 list l1 host 5.5.5.5 host 4.4.4.4 prefix 6.6.6.0/24 ALU(config)# ALU(config)# show list l2 list l2 host 5.3.4.6 prefix 1.10.10.0/24 ALU(config)#
  • Page 518 1 icmp any any 2 tcp any any service http 3 ip any any ALU(config-match-list-m1)# show match-list m2 match-list m2 1 tcp any any service ssh 2 udp any any
  • Page 519 EXAMPLE The following example displays the details of match-list m1: ALU(config-match-list-m2)# show include match-list m1 1 tcp any any service ssh 2 udp prefix 22.1.1.0/8 any
  • Page 520: Deletion Commands In Cc

    They can be deleted only one at a time. EXAMPLE The following example deletes the match-list M1: ALU(config)# no match-list M1
  • Page 521 ALU(config-match-list-m2)# 1 tcp any any service ssh ALU(config-match-list-m2)# 2 udp prefix 22.1.1.0/8 any ALU(config-match-list-m2)# 3 include m1 Now, to delete the included match-list, use the ‘no include’ command: ALU(config-match-list-m2)# no include m1
  • Page 522: Sample Examples On The Usage Of Cc Across Applications

    1 esp host 64.174.59.66 host 203.196.196.74 match-list icmp 1 icmp prefix 10.91.0.0/24 prefix 10.0.1.0/24 match-list icmp-traffic 1 icmp any any match-list dos 1 ip any any match-list ospf 89 any any
  • Page 523: Example 2

    L1 interface GigabitEthernet 3/1 service smtp ip any L2 ip any L1 include m2 ip filter f1 match all m1 permit match m3 permit match m2 deny reset
  • Page 524: Example 3

    L3 list L4 service telnet Now, a filter can be created and applied to the appropriate interface. ip filter f1 match m1 permit interface GigabitEthernet 3/1 ip filter in f1
  • Page 525: Part 5 Routing Protocols

    Part 5 Routing Protocols
  • Page 527: Protocol Independent Features

    • “Protocol-Independent Configuration” • “Protocol-Independent Configuration Commands” For instructions on using the commands and descriptions on each of their parameters with the corresponding default values, refer to the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. CHAPTER CONVENTIONS Acronym...
  • Page 528: Protocol-Independent Configuration

    “Configure Route Maps” • “Redistribute Routing Information” • “Filtering Routing Information” • “Configure Administrative Distance” • “Configure Maximum Paths” • “Protocol Independent Features Show Commands” • “Protocol Independent Features Clear Command”
  • Page 529: Protocol-Independent Configuration Commands

    Command (in CM): ip route {vrf <name>|destination network subnet-mask|destination network/prefix-length} {<gateway-ip-address>|<interface-name> [<gateway-ip-address>]}[<1-255>] Description: This command is used to configure a static route. EXAMPLE ALU(config)# ip route 1.1.1.0/24 2.2.2.2
  • Page 530 Unnumbered IP on Serial interfaces shall support PPP, HDLC, FR, MLPPP, MLFR encapsulations. Note: OmniAccess 5740 USG supports static routing over unnumbered interfaces. Dynamic routing protocols on unnumbered interfaces (RIP, OSPF, and BGP) are not supported.
  • Page 531 Access-lists are used in route map as a matching parameter. Note: In OmniAccess 5740 USG, access lists are only used for control plane filtering. BGP uses access-lists for filtering update packets from/to neighbor. BGP also uses community-lists and as-path lists.
  • Page 532 Extended Access-list. {<100-199>|<2000-2699>} {deny|permit} {<0-255>|gre|icmp|ip|ipinip|pim|rsvp|tcp|udp} {source-ip-address [network-number]|source-ip-address/prefix-length|any|host <source-host-ipaddress>} {destination-ip-address [network-number]|destination-ip-address/prefix-length|any|host <destination-host-ipaddress>}[log] EXAMPLE ALU(config)# access-list 101 permit ip 162.168.0.0 0.0.0.0 255.255.252.0 0.0.0.0
  • Page 533 Command: ip access-list extended {<100-199>|<2000-2699>|<access-list-name>} Description: This command is used to define a named access list and enters Extended Access-list Configuration Mode. EXAMPLE ALU(config)# ip access-list extended test ALU(config-ext-nacl)#
  • Page 534 IP access list. prefix-length>|<source-ip-address subnet-mask>} [operators] {any|host <host-ip-address>|<destination-ip-address/prefix-length>|<destination-ip-address subnet-mask>} [log] [log-input] [enable fragment] [precedence [<0-7>|<keywords>] [tos [<0-15>|<keywords>]]] EXAMPLE ALU(config-ext-nacl)# permit ip 24.0.0.0/8 25.0.0.0/8 ALU(config-ext-nacl)# deny ip any 13.0.0.0/8
  • Page 535 ALU(config)# ip community-list 2 permit no-export CONFIGURE EXTENDED COMMUNITY LIST Command (in CM): ip community-list <100-199> {deny|permit} <regular-expression> Description: This command is used to configure an Extended Community-list.
  • Page 536 In the following example, the IP as-path access-list command creates an as-path access list named '1' to deny only those routes that include paths from or through autonomous system 100: ALU(config)# ip as-path access-list 1 deny _100_
  • Page 537 This sequence number signifies the priority of a route-map rule. EXAMPLE ALU(config)# route-map rip-to-ospf deny 10 ALU(config-route-map)# match ip address prefix-list test ALU(config-route-map)# set route-type external type-1 ALU(config)# route-map ospf-to-eigrp permit 20
  • Page 538 To redistribute route or to perform set action, all the match criteria should be satisfied. • If a set command is not present in a route-map, then the route is redistributed without modification of its current attributes.
  • Page 539 ALU(config-route-map)# match ip address prefix-list testprefix ALU(config-route-map)# match ip next-hop 1 ALU(config-route-map)# match ip route-source 5 ALU(config-route-map)# match metric 10 ALU(config-route-map)# match interface GigabitEthernet 3/0 ALU(config-route-map)# match route-type external type-2
  • Page 540 EXAMPLE ALU(config-route-map)# set community 10 ALU(config-route-map)# set comm-list 130 delete ALU(config-route-map)# set dampening 10 2000 2000 15 ALU(config-route-map)# set local-preference 100 ALU(config-route-map)# set weight 10 ALU(config-route-map)# set origin incomplete
  • Page 541 redistribute routes to RIP. {bgp <1-65535>|connected|ospf <1-65535> [match {{external|nssa-external}[1|2]|internal}]|static} [metric {<1-16>|transparent}|route-map <route-map reference>] Note: Currently, while redistributing BGP/OSPF routes to RIP, metric parameter has to be configured.
  • Page 542 EXAMPLE ALU(config-router ospf 1)#redistribute static metric 19 metric-type 1 ALU(config-router rip)#redistribute bgp 1 route-map test ALU(config-router bgp AS1)#redistribute ospf 1 route-map testospf weight 10 ALU(config-router ospf1)# default-metric 10
  • Page 543 Command (in RCM): passive-interface <interface-name> Description: Enter this command in Router Configuration Mode. Suppresses sending of routing updates through the specified interface. EXAMPLE ALU(config-router ospf1)#passive-interface GigabitEthernet 3/0
  • Page 544 that need to have adjacencies set. <interface-name> EXAMPLE ALU(config-router ospf1)# passive-interface default ALU(config-router ospf1)# no passive-interface GigabitEthernet To verify the passive interfaces, use ‘show ip ospf interface’ command.
  • Page 545 The distribute-list in command is used to filter networks in received routing updates. Note: The OmniAccess 5740 USG does not support Distribute-list feature in OSPF. EXAMPLE ALU(config-router bgp AS1)#distribute-list 1 in ALU(config-router rip)# distribute-list prefix prefix-example in GigabitEthernet 3/0...
  • Page 546 By specifying administrative distance values, you enable the router to intelligently discriminate between sources of routing information. The router will always pick the route whose routing protocol has the lowest administrative distance.
  • Page 547 This application is generally discouraged if you are unfamiliar with this particular use of administrative distance as it can result in inconsistent routing information, including forwarding loops.
  • Page 548 <24-1460> This command removes the MSS configuration on the interface. EXAMPLE ALU(config-if GigabitEthernet3/0)# ip tcp adjust-mss 500 ALU(config-if GigabitEthernet3/0)# no ip tcp adjust-mss 500
  • Page 549 Incoming update filter list for all interfaces is not set Interface Send Recv Key-chain GigabitEthernet3/1 loopback1 Routing for Networks: 1.0.0.0 4.0.0.0 Routing Information Sources: Gateway Interface Distance Last Update 1.1.1.1 GigabitEthernet3/1 00:00:00 Distance: (default is 120)
  • Page 550 Show Command (in SUM/CM): show ip prefix-list [<prefix-list name>] Description: This command displays the IP Prefix-list configuration. EXAMPLE ALU# show ip prefix-list ip prefix-list test seq 5 deny 10.0.0.0/8 ge 23 ALU#
  • Page 551 Description: Exit Policy: Match clauses: community (community-list filter): 1 ip address (access-lists): prefix-list testprefix Set clauses: route-map test, deny, sequence 2 Description: Exit Policy: Match clauses: Set clauses: ALU#
  • Page 552 Command: show ip community-list [<1-199>] Description: This command displays the IP Community-list configuration. EXAMPLE ALU# show ip community-list Community standard access list 1 permit internet Community standard access list 2 permit no-export ALU#
  • Page 553 Serial0/0:1 10.0.0.0/24 is subnetted, 1 subnet 10.91.2.0 [0/0] is directly connected, GigabitEthernet3/0 99.0.0.0/24 is subnetted, 1 subnet 99.99.99.0 [0/0] is directly connected, loopback1 100.0.0.0/8 [1/0] via 10.91.2.5, GigabitEthernet3/0
  • Page 554 5.5.1.0 [0/0] is directly connected, Serial0/0:1 5.5.2.0 [0/0] is directly connected, Serial0/0:2 10.0.0.0/24 is subnetted, 1 subnet 10.91.2.0 [0/0] is directly connected, GigabitEthernet3/0 99.0.0.0/24 is subnetted, 1 subnet 99.99.99.0 [0/0] is directly connected, loopback1
  • Page 555 name>} This will not clear the static routes. If VRF is specified, it clears the IP routing table for the specified VRF. EXAMPLE ALU# clear ip route *
  • Page 557: Routing Information Protocol

    ROUTING INFORMATION PROTOCOL This chapter covers the Routing Information Protocol (RIP) configuration used in the OmniAccess 5740 USG. It provides a broad overview on RIP V1 and V2 configuration including the timer, authentication, default route, and monitoring commands. For detailed information on the RIP commands, refer to the RIP chapter in the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide.
  • Page 558: Rip Overview

    RIP uses User Datagram Protocol (UDP) data packets to exchange routing information. The routing information updates are sent at regular time intervals (by default, 30 seconds in Alcatel-Lucent’s implementation). If the router does not receive any updates from a neighboring router for a time interval known as the invalid timer, it marks all routes from the neighboring router as invalid.
  • Page 559: Rip Configuration

    Refer to the following sections to configure RIP on your system: • “RIP Configuration Steps” • “RIP Configuration Flow” • “RIP Configuration Commands” • “RIP Show Commands” • “RIP Clear Commands”
  • Page 560: Rip Configuration Steps

    “To Configure RIP Behavior on an Interface” • Enable or Disable Split Horizon. See “To Enable/Disable Split Horizon” • Enable or Disable Broadcast Updates. See “To Enable/Disable Broadcast Updates”
  • Page 561 “RIP and Default Route” • Configure Auto Summary. See “To Configure Auto Summary” • RIP Redistribution. See “RIP Redistribution” • Configure RIP trigger update. See “To Configure RIP Trigger Update”
  • Page 562: Rip Configuration Flow

    Figure 4: RIP Configuration Flow
  • Page 563: Rip Configuration Commands

    RIP stops sending updates through interfaces on this network. Also these interfaces will not be advertised in any RIP updates. EXAMPLE ALU(config-router rip)# network 10.0.0.0 ALU(config-router rip)# no network 10.0.0.0
  • Page 564: RIP Optional Parameters

    5740 USG system sends only RIPv1 messages but receives both RIPv1 and RIPv2 messages.
    no version: This command resets the configured routing protocol version.
    Example:
    ALU(config-router rip)# version 1
    ALU(config-router rip)# no version
  • Page 565 ip split-horizon [poison-reverse]: This command enables the split horizon mechanism.
    no ip split-horizon [poison-reverse]: This command disables the split horizon mechanism.
    Example:
    ALU(config-if GigabitEthernet3/0)# ip split-horizon
    ALU(config-if GigabitEthernet3/0)# no ip split-horizon
  • Page 566 The "passive interface" command can be issued under RIP to make the OmniAccess 5740 USG system a silent host on the specified data link. Like other hosts, it listens to the RIP broadcasts on the link and updates the routing table accordingly.
  • Page 567 <1-255> distance to default. ‘Show ip protocols’ command shows the default distance for all routing protocols.
    Example:
    ALU(config-router rip)# distance 130 10.0.0.0/8 20
    ALU(config-router rip)# no distance
  • Page 568 As per the example, all the routes imported from the Static routing protocol will be assigned a metric of 10. For routes imported from the OSPF routing protocol, a metric of 5 is assigned to all the routes.
  • Page 569 Holddown values, the proper Holddown interval cannot elapse, which results in a new route being accepted before the Holddown interval expires. Choose these values properly to improve network convergence time and to control routing traffic.
  • Page 570 1, add 2 hops to the metric." If no interface is identified, the list will modify either all incoming updates or all outgoing updates specified by the access-list on any interface.
  • Page 571 The default authentication in every RIP Version 2 packet is Plain Text Authentication. The OmniAccess 5740 USG implementation of RIPv2 message authentication includes the choice of simple password or MD5 authentication and the option of defining multiple keys, or passwords, on a "key chain".
  • Page 572 This chain <key-chain name> disables RIP authentication.
    Example:
    ALU(config-if GigabitEthernet3/0)# ip rip authentication key-chain allen
    ALU(config-if GigabitEthernet3/0)# no ip rip authentication key-chain allen
  • Page 573 By default, RIP validates the source IP address of incoming RIP routing updates.
    validate-update-source: This command validates the source IP address of incoming RIP routing updates.
    Example:
    ALU(config-router rip)# no validate-update-source
    ALU(config-router rip)# validate-update-source
  • Page 574 By default, this feature is enabled.
    no auto-summary: The ‘no’ command disables auto-summary, and sends sub-prefix routing information across classful network boundaries.
    Example:
    ALU(config-router rip)# auto-summary
    ALU(config-router rip)# no auto-summary
  • Page 575 Specify either an access list or a prefix list with the distribute-list command. Use the gateway keyword only with the prefix-list keyword.
    Example:
    ALU(config-router rip)# distribute-list prefix prefix-example in GigabitEthernet 3/0
    ALU(config-router rip)# no distribute-list prefix prefix-example in GigabitEthernet 3/0
  • Page 576 2091: Triggered Extensions to RIP to Support Demand Circuits].
    no ip rip triggered: The ‘no’ command disables the RIP trigger update.
    Example:
    ALU(config-if Serial0/0:1)# ip rip triggered
    ALU(config-if Serial0/0:1)# no ip rip triggered
  • Page 577: RIP Show Commands

    Incoming update filter list for all interfaces is not set
    Interface Send Recv Key-chain
    GigabitEthernet3/1
    loopback1
    Routing for Networks:
    1.0.0.0
    4.0.0.0
    Routing Information Sources:
    Gateway Interface Distance Last Update
    1.1.1.1 GigabitEthernet3/1 00:00:00
    Distance: (default is 120)
  • Page 578 RIP Interface Table
    -------------------
    Flags Interface Interface Address Interface Mask Send Ver Recv Ver
    GigabitEthernet3/0 1.1.1.2 255.255.255.0
    GigabitEthernet3/1 10.91.2.6 255.255.255.0
    (Flags - U: Unnumbered P:Passive B:V2 Broadcast S:Split horizon disabled)
  • Page 579 Bad msgs received Trig Updates sent Auth failures Responses sent *Unicast tx failure 0 Routes advertised Bcast tx failures Updates received Mcast tx failures Requests received Bad Rtes received
  • Page 580 ALU(config)# show key-chain alu1
    key-chain alu1
    key 1 key-string alcatel-lucent
    Accept lifetime (00:00:00 01 Jan 2000) - (Infinite) [Valid Now]
    Send lifetime (00:00:00 02 Feb 2001) - (Infinite) [Valid Now]
  • Page 581: RIP Clear Commands

    The section below details the procedure to clear RIP configuration on your system.
    Restart the RIP Process
    Command (in SUM/CM): clear ip rip {database|statistics}
    Description: Clears the RIP database or the RIP statistics.
    Example:
    ALU# clear ip rip database
  • Page 583: Border Gateway Protocol

    This chapter covers the Border Gateway Protocol (BGP) configurations used in the OmniAccess 5740 USG. It provides a broad overview on BGP-4 configuration including the neighbors, networks, advertising networks, reset, and monitoring commands. For instructions on using the BGP commands and descriptions on each of their...
  • Page 584: BGP Overview

    Autonomous Systems (ASs). This is sufficient to construct a graph of AS connectivity from which routing loops may be pruned and some policy decisions at the AS level may be enforced. The Alcatel-Lucent implementation of BGP supports BGP-4 specified in RFC 1771.
  • Page 585: BGP Configuration

    This chapter lists only the mandatory steps to configure BGP. There are various other optional parameters that can be configured for BGP. To know more about the optional commands, refer to the BGP chapter in the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide.
  • Page 586 Step 6: Configure the networks. See “To Configure Networks to be Advertised”
    Step 7: View BGP configuration. See “BGP Show Commands”
    Step 8: Reset BGP configuration. See “BGP Clear Commands”
  • Page 587: BGP Configuration Flow

    Figure 5: BGP Configuration Flow
  • Page 588: BGP Configuration Commands

    There are several mandatory and optional configuration options available to configure BGP in OmniAccess 5740 USG. Some of the basic configuration required for a BGP connection with a peer is described in the following sections in this chapter.
  • Page 589 <name>|weight <0-65535>}]: BGP border router that will provide better information about the network. 0-65535 specifies an absolute weight to a BGP network.
    Example:
    ALU(config-router bgp AS30)#network 35.0.0.0/8
  • Page 590: BGP Show Commands

    3 Path attribute entries using 672 bytes of memory
    2 Aspath entries using 614 bytes of memory
    2 Community entries using 44 bytes of memory
    Neighbor MsgRcvd MsgSent InQ OutQ Up/Down State/PfxRcd
    1.1.1.2 00:12:46
    111.111.111.112 4 00:17:39
  • Page 591 Received 322 messages, 1 notifications, 0 in queue
    Sent 331 messages, 8 notifications, 0 in queue
    Minimum time between advertisement runs is 30 seconds
    For Address Family IPv4 Unicast
  • Page 592 Foreign host: 111.111.111.112, Foreign port: 32832
    iss: 0 snduna: 0 sndnxt: 0 sndwnd: 2 irs: 0 rcvnxt: 0 rcvwnd: 0
    SRTT: 0 ms, RTTO: 18750 ms, RTV: 7500 ms, minRTT: 0 ms
  • Page 593: BGP Clear Commands

    To do a hard reset of the BGP connection, use the following command:
    Command (in SUM/CM): clear ip bgp {*|<neighbor-address>|<peer-group-name>}
    Description: This command clears the set BGP configuration details.
    Example:
    ALU# clear ip bgp 1.1.1.1
  • Page 594 Command (in SUM/CM): clear ip bgp {*|<neighbor-address>|<peer-group-name>} soft in
    Description: Performs a soft reset on the connection specified in the command, using the stored routing table information for that connection.
  • Page 595 Super User Mode and Configuration Mode as follows:
    Command (in SUM/CM): clear ip bgp {*|<neighbor-address>|<peer-group-name>} soft
    Description: Performs an outbound soft reset on the connection specified in the command.
  • Page 596: A Typical BGP Example Using OmniAccess 5740 USG

    Serial0/0:0
    ip address 10.10.1.6/30
    encapsulation ppp
    interface GigabitEthernet3/0
    ip address 10.1.1.1/24
    router bgp 1
    address-family ipv4 unicast
    neighbor 10.10.1.5 remote-as 3
    neighbor 10.10.1.5 activate
    network 10.1.1.0/24
    network 10.10.1.0/24
  • Page 597 hostname RouterB
    interface Serial0/0:0
    ip address 10.10.1.10/30
    encapsulation ppp
    interface GigabitEthernet3/0
    ip address 10.2.1.1/24
    router bgp 2
    address-family ipv4 unicast
    neighbor 10.10.2.9 remote-as 3...
  • Page 599: Open Shortest Path First

    This chapter covers the Open Shortest Path First (OSPF) configuration for the OmniAccess 5740 USG. For instructions on using the commands and descriptions on each of their parameters with the corresponding default values, refer to the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. This chapter includes the following sections: •...
  • Page 600: OSPF Overview

    OSPF supports a variable network subnet mask so that a network can be subdivided.
  • Page 601: OSPF Configuration

    Step 3: Configure IP address for the interface
    ALU(config-if <interface-name>)# ip address {<ip-address subnet-mask>|<ip-address/prefix-length>}
    Example:
    ALU(config-if GigabitEthernet3/0)# ip address 20.20.20.20/24
    Step 4: Enable OSPF. See “To Enable OSPF”
  • Page 602 Configure OSPF Administrative Distances. See “To Configure OSPF Administrative Distances”
    • Configure Route Calculation Timers. See “To Configure Route Calculation Timers”
    • Log Adjacency Changes. See “To Log Adjacency Changes”
  • Page 603: OSPF Configuration Flow

    Figure 7: OSPF Configuration Flow
  • Page 604: OSPF Configuration Commands

    {<ip-address subnet-mask>|<ip-address/prefix-length>} area {<0-4294967295>|<ip-address>}: the area ID for that interface.
    Note: Area ‘0’ is called the backbone area.
    Example:
    ALU(config-router ospf 1)# network 10.0.0.0/8 area 1
  • Page 605: OSPF Optional Parameters

    ABR. This prevents it from sending summary link advertisement (LSAs type 3) into the stub area. To specify an area parameter for your network, use the following commands:
  • Page 606 no area {<0-4294967295>|<ip-address>} default-cost <0-16777215>: Removes the specific cost assigned to the default summary route used for the stub area/NSSA.
    Example:
    ALU(config-router ospf 1)# area 1 default-cost 100
  • Page 607 When configured, the router generates a type 7 default route into the NSSA. Every router within the same area must agree that the area is NSSA; otherwise, the routers will not form adjacency.
    Example:
    ALU(config-router ospf 1)# area 1 nssa
  • Page 608 [no-summary] Note: The area ‘0’ cannot be configured as a stub as it forms the backbone of the network.
    Example:
    ALU(config-router ospf 1)# area 1 stub no-summary
  • Page 609 To display information about virtual links, use the ‘show ip ospf virtual-links’ command. To display the router ID of an OSPF router, use the ‘show ip ospf’ command.
    Example:
    ALU(config-router ospf 1)# area 1 virtual-link 202.202.202.5
  • Page 610 OSPF router dead because it has not received a hello packet. On a broadcast network, the dead-interval is four times the hello-interval.
  • Page 611 ALU(config-if GigabitEthernet3/0)# ip ospf priority 2
    ALU(config-if GigabitEthernet3/0)# ip ospf hello-interval 20
    ALU(config-if GigabitEthernet3/0)# ip ospf dead-interval 50
    ALU(config-if GigabitEthernet3/0)# ip ospf mtu-ignore
    ALU(config-if GigabitEthernet3/0)# ip ospf database-filter all
  • Page 612 The “no” form of these commands negates the configured authentication.
    Example:
    ALU(config-if GigabitEthernet3/0)# ip ospf authentication
    ALU(config-if GigabitEthernet3/0)# ip ospf authentication-key passwordtest
    ALU(config-if GigabitEthernet3/0)# ip ospf message-digest-key 100 md5 passwordline
  • Page 613 10 minutes. The router keeps track of the LSAs it generates and the LSAs it receives from other routers. The router refreshes the LSAs it generated and ages the LSAs it received from other routers.
  • Page 614 Command (in ICM): ip ospf flood-reduction
    Description: Suppresses the unnecessary flooding of LSAs in stable topologies.
    Example:
    ALU(config-if GigabitEthernet3/0)# ip ospf flood-reduction
  • Page 615 • Database-filter all: Filters the outgoing LSAs to an OSPF neighbor.
    Example:
    ALU(config-router ospf 1)# neighbor 10.0.0.1 priority 1 poll-interval 130
  • Page 616 When routes from other protocols are redistributed into OSPF, each route is advertised individually in an external LSA. However, you can configure OmniAccess 5740 USG to advertise a single route for all the redistributed routes that are covered by a specified network address and mask. This helps decrease the size of the OSPF link-state database.
  • Page 617 redistribute {connected|static|bgp <1-65535>|ospf <1-65535>}[metric <0-16777214>|metric-type <1-2>|route-map <map-name>|tag <0-4294967295>|subnets]: This command is used to redistribute routes to OSPF.
    Example:
    ALU(config-router ospf 1)#redistribute static metric 19 metric-type 1
  • Page 618 The OSPF metric is calculated as the reference bandwidth value divided by the bandwidth, with reference bandwidth equal to 10 by default.
    Example:
    ALU(config-router ospf 1)# auto-cost reference-bandwidth 100
  • Page 619 The ‘distance ospf’ command is used when there are multiple OSPF instances and routes of one OSPF instance should be preferred over routes of another instance.
    Example:
    ALU(config-router ospf 1)# distance 60 10.0.0.0/8
    ALU(config-router ospf 1)# distance ospf external 10
  • Page 620 Use ‘detail’ keyword to log the messages for all state changes.
    no log-adjacency-changes: This command is used to disable logging.
    Example:
    ALU(config-router ospf 1)# log-adjacency-changes detail
    ALU(config-router ospf 1)# no log-adjacency-changes
  • Page 621 Metric
    Command (in RCM): default-metric <1-4294967295>
    Description: This command sets the default metric values for the OSPF routing protocol. The default metric is 20.
    Example:
    ALU(config-router ospf 30)#default-metric 60000
  • Page 622 ALU(config-router ospf 30)#router-id 35.0.0.1
    OSPF Running Configuration
    Command (in RCM): write ospf
    Description: This command is used to view the OSPF running configuration.
    Example:
    ALU(config-router ospf 30)#write ospf
  • Page 623: Show Commands in OSPF

    ALU# show ip ospf flood-list
    OSPF Router with ID (1.1.1.2) (Process ID 1)
    Interface GigabitEthernet 3/0, Queue length 1
    Type LS ID ADV RTR Seq NO Checksum
    1.1.1.2 1.1.1.2 0x8000001D 0x04EA
  • Page 624 show ip ospf [<1-65535>] retransmission-list [neighbor-router-id] [<interface-name>]: Displays a list of all LSAs waiting to be resent.
    show ip ospf [<1-65535>] route: Displays the OSPF internal routing table.
  • Page 625 SPF algorithm executed 8 times
    Area ranges are
    Number of LSA 5. Checksum Sum 0x234A3
    Number of opaque link LSA 0. Checksum Sum 0x0
    Flood list length 0
  • Page 626 0x80000005 0x579A
    6.6.6.6 6.6.6.6 1745 0x80000002 0xD8F9
    Net Link States (Area 1)
    Link ID ADV Router Seq# Checksum
    2.2.2.2 1.1.1.2 1747 0x80000001 0x4AA5
    Summary Net Link States (Area 1)
  • Page 627 Process ID 1, Router ID 1.1.1.2, Network Type BROADCAST, Cost: 1
    Transmit Delay is 1 sec, State BDR, Priority 1
    Designated Router (ID) 6.6.6.6, Intf address 2.2.2.1
    Backup Designated router (ID) 1.1.1.2, Intf address 2.2.2.2
  • Page 628 LS Request Packets Received 0, LS Request Packets Sent 2
    LS Update Packets Received 14, LS Update Packets Sent 38
    LS Acknowledgment Packets Received 19, LS Acknowledgment Packets Sent 8
    Errors 1, Events 0
    ALU#
  • Page 629 Neighbor priority is 1, State is FULL, 10 state changes
    DR is 2.2.2.2 BDR is 2.2.2.1
    Options is 0x42
    Dead timer due in 00:00:35
    Neighbor is up for 00:31:32
    retransmission queue length 0, number of retransmissions 0
  • Page 630 Neighbor 6.6.6.6, interface GigabitEthernet 3/1 address 2.2.2.2
    Type LS ID ADV RTR Seq NO Checksum
    1280 192.175.142.0 1.1.1.1 0x80000003 0x9FFB
    1280 192.175.206.0 1.1.1.1 0x80000003 0xDC7E
    1280 192.175.15.0 1.1.1.1 0x80000003 0x1A01
    ALU#
  • Page 631 0.0.0.0 0.0.0.0
    Example 12:
    ALU# show ip ospf summary-address
    OSPF Process 1, Summary-address
    192.175.0.0/255.255.0.0 Metric -1, Type 2, Tag 4
    2.0.0.0/ 255.0.0.0 Metric 20, Type 2, Tag 0
    router-2(config)#
  • Page 632: Clear Commands in OSPF

    Command: clear ip ospf [[<1-65535>|process|redistribution|counters [neighbor] [neighbor-id] [interface-name]|interface statistics [hello|ddp|lsupd|lsack|lsreq][<interface-name>]]
    Description: Restarts OSPF router if only process ID is specified. For other parameters, it restarts the specified counters/feature.
  • Page 633: OSPF Configuration on OmniAccess 5740 USG

    Figure 8: OSPF Configuration Scenario
    hostname RouterA
    interface Serial0/0:0
    ip address 10.1.1.9/30
    encapsulation ppp
    interface GigabitEthernet3/0
    ip address 10.5.1.1/24
    router ospf 1
    log-adjacency-changes
    network 10.1.1.0/24 area 0
    network 10.5.0.0/16 area 5
  • Page 634 Serial0/0:0
    ip address 10.1.1.6/30
    encapsulation ppp
    interface GigabitEthernet3/0
    ip address 10.8.1.1/24
    interface GigabitEthernet3/1
    ip address 10.8.2.1/24
    shutdown
    router ospf 1
    log-adjacency-changes
    network 10.1.1.0/24 area 0
    network 10.8.0.0/16 area 8
  • Page 635: Multicast Routing

    This chapter covers the Multicast routing configuration for the OmniAccess 5740 USG. For instructions on using the commands and descriptions on each of their parameters with the corresponding default values, refer to the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide.
  • Page 637: Multicast Overview

    For these and other reasons, the PIM-SM/SSM has emerged as the most popular multicast routing protocol for most service providers today. OmniAccess 5740 USG supports PIM and IGMP. The OmniAccess 5740 USG software supports the following multicast forwarding features: •...
  • Page 638: Internet Group Management Protocol (IGMP)

    (version 1 or 2) while it has a timer running, it stops its timer for the specified group and does not send a Report, in order to suppress duplicate Reports.
  • Page 639: RFCs

    Reports are received after the response time of the last query expires, the routers assume that the group has no local members. IGMPv2 is compatible with IGMPv1 routers. The OmniAccess 5740 USG supports IGMPv2 as the default IGMP version. As IGMPv2 is backward compatible, it works well with IGMPv1 hosts as well. •...
  • Page 640: PIM Configuration

    “PIM Configuration Commands”
    • “Show Commands in PIM”
    PIM Configuration Steps
    The steps given below help in configuring PIM routing on the OmniAccess 5740 USG.
    Step 1: Configure an interface. Enter Interface Configuration Mode.
    ALU(config)# interface <name>
    Example:
    ALU(config)# interface GigabitEthernet3/0...
  • Page 641 Configure PIM as BSR. See “To Configure PIM as BSR”
    • Configure RP candidate priority. See “To Configure RP Candidate Priority”
    Step 8: View PIM configuration. See “Show Commands in PIM”
  • Page 642: PIM Configuration Flow

    Figure 9: PIM Configuration Flow
  • Page 643: PIM Configuration Commands

    After enabling this command, PIM starts sending hello packets to form neighborship.
    no ip pim sparse-mode: This command is used to disable PIM on an interface.
    Example:
    ALU(config-if GigabitEthernet3/0)# ip pim sparse-mode
  • Page 644 RP is the root of the shared tree. Data flows from source to RP on SPT, and RP sends data on RPT. Each group can have a different RP. There are various ways to learn/configure the RP for a group. OmniAccess 5740 USG supports static RP and dynamic RP (learning RP using BSR protocol). PIM S...
  • Page 645 Note: All routers in the PIM domain should have the same RP address for a multicast group.
  • Page 646 <group-address>: to RP mapping. If RP information for the given group does not exist, the command gives an error; otherwise the output shows the RP information for the given group.
  • Page 647 If the access-list is specified, this threshold value is used only for the groups that match the access-list. The default spt-threshold is 0 Kbps.
    Example:
    ALU(config)# ip pim spt-threshold 100 group-list 10
  • Page 648 To Configure RP Candidate Priority
    Command (in CM): ip pim rp-candidate-priority <0-255>
    Description: This command is used to configure the priority of the RP candidate.
    Example:
    ALU(config)# ip pim rp-candidate-priority 10
  • Page 649: Show Commands in PIM

    Example:
    ALU#show ip pim neighbor
    PIM Neighbor Table
    Neighbor Interface Uptime/Expires DR Address Prio/Mode
    8.8.8.8 Serial0/0:0 00:09:37/00:01:39 1/ DR
    6.6.6.7 Serial0/1:0 00:09:45/00:01:33 1/ DR
  • Page 650 Info source: 1.1.1.1 (?), via bootstrap, priority 0, holdtime = 53760
    Uptime: 00:00:45, expires 14:55:15
    Group(s) 228.0.0.0/8
    RP 2.2.2.1 (?) v2
    Info source: 2.2.2.1 (?), via bootstrap, priority 0, holdtime = 38400
    Uptime: 00:03:55, expires 10:39:05
    (config)#
  • Page 651 K - KeepAlive Timer Running, S - SPT bit set
    (*,224.1.1.1), JOINED 00:00:55/00:00:05, RP 5.5.5.5, flags:
    Incoming interface: GigabitEthernet3/1, RPF neighbor 5.5.5.5
    Downstream interface state:
    GigabitEthernet3/0, 00:00:55, flags:A
    inherited_olist: GigabitEthernet3/0
  • Page 652: Clear Commands in PIM

    ALU# clear ip pim rp-mapping
    Clear IP PIM BSR
    Command (in SUM/CM): clear ip pim bsr [<bsr-address>]
    Description: This command clears the BSR address.
    Example:
    ALU# clear ip pim bsr
  • Page 653: IGMP Configuration

    ALU(config-if GigabitEthernet3/0)# ip address 20.20.20.20/24
    Step 4: Enable Multicast routing. See “To Enable Multicast Routing”
    Step 5: Enable IGMP on an interface. See “To Enable IGMP on an Interface”
  • Page 654 Configure IGMP access group. See “To Configure IGMP Access Group”
    Step 7: View IGMP configuration. See “Show Commands in IGMP”
    Step 8: View Multicast configuration. See “Show Commands in Multicast”
  • Page 655: IGMP Configuration Flow

    Figure 10: IGMP Configuration Flow
  • Page 656: IGMP Configuration Commands

    After enabling this command, IGMP learns the multicast host information on the given interface.
    no ip pim sparse-mode: This command is used to disable IGMP on an interface.
    Example:
    ALU(config-if GigabitEthernet3/0)# ip pim sparse-mode
  • Page 657 ip igmp last-member-query-interval <100-65535>: Use this command to configure the last-member query interval (in milliseconds) for the IGMP. The default last-member-query-interval is 1000 milliseconds.
    Example:
    ALU(config-if GigabitEthernet3/0)# ip igmp last-member-query-interval 2000
  • Page 658 <1-65535>: the interval (in seconds) at which the IGMP router sends query messages on an interface. The default query-interval is 125 seconds.
    Example:
    ALU(config-if GigabitEthernet3/0)# ip igmp query-interval 100
  • Page 659 99>|<access-list-name>}: access-lists. This restricts the host on a subnet joining only multicast groups that are permitted by access-lists.
    Example:
    ALU(config-if GigabitEthernet3/0)# ip igmp access-group 10
  • Page 660: Show Commands in IGMP

    Number of joins on this interface = 84
    Number of leave message on this interface = 7
    Querier on this interface = 7.7.7.3
    Interface DR is 7.7.7.3
    Total groups on this interface
    Group 1 224.1.1.1
  • Page 661: Show Commands in Multicast

    IP Multicast statistics:
    Rcvd: 4449 total, 838 link local
    Sent: 3334 forwarded, 0 send register 0 send assert, 3 first data pkt notice
    Errors: 1 rpf failure, 1 drop
  • Page 662: Clear Commands In Multicast

    Example: ALU# clear ip mroute Clear Multicast Traffic: Command (in SUM/CM): clear ip multicast traffic. Description: This command resets the multicast traffic counters. Example: ALU# clear ip multicast traffic
  • Page 663: Multicast Configuration On Omniaccess 5740 Usg

    The multicast sender for groups 225.5.5.5 and 227.7.7.7 is connected to router R6. In the given scenario, you can see the multicast routing table entries on the routers to verify multicast routing. Show command outputs on router R3 are given.
  • Page 664 2.2.2.1 255.255.255.0 ip pim sparse-mode router ospf 1 log-adjacency-changes network 1.0.0.0/8 area 0 network 2.0.0.0/8 area 0 network 6.0.0.0/8 area 0 ip pim rp-address 3.3.3.2 ip pim spt-threshold infinity
  • Page 665 3.3.3.2 255.255.255.0 ip pim sparse-mode interface GigabitEthernet3/1 ip address 4.4.4.2 255.255.255.0 ip pim sparse-mode router ospf 1 log-adjacency-changes network 3.0.0.0/8 area 0 network 4.0.0.0/8 area 0 ip pim rp-address 3.3.3.2
  • Page 666 GigabitEthernet3/1 ip address 7.7.7.2 255.255.255.0 ip pim sparse-mode router ospf 1 network 5.0.0.0/8 area 0 network 6.0.0.0/8 area 0 network 7.0.0.0/8 area 0 ip pim rp-address 3.3.3.2
  • Page 667: Verifying Multicast Routing

    IP Multicast statistics: Rcvd: 11134 total, 4802 link local Sent: 5973 forwarded, 0 send register 5 send assert, 1 first data pkt notice Errors: 5 rpf failure, 5 drop R3(config)#
  • Page 668 1/ DR R3(config)# R3(config)# show ip pim interface Address Interface Ver/ Query Mode Count Intvl Prior 2.2.2.2 GigabitEthernet3/0 v2/S 2.2.2.2 3.3.3.1 GigabitEthernet3/1 v2/S 3.3.3.2 8.8.8.1 Serial0/0:0 v2/S 8.8.8.2 R3(config)#
  • Page 669: Policy Based Routing

    This chapter covers the Policy Based Routing (PBR) configuration for the OmniAccess 5740 USG. For instructions on using the commands and descriptions on each of their parameters with the corresponding default values, refer to the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. This chapter includes the following sections: •...
  • Page 670: Pbr Overview

    Alcatel-Lucent Specific Overview • OmniAccess 5740 USG supports PBR that allows routing of packets based on policies (match-lists) to a specified egress interface/next hop. • OmniAccess 5740 USG shall support PBR as an infrastructure for other software components to add system PBR rules. This shall enable the applications to treat certain traffic in a special way.
  • Page 671: Pbr Configuration

    ALU(config-if <interface-name>)# no shutdown Example: ALU(config-if GigabitEthernet3/0)# no shutdown Step 5: Configure IP address for the interface ALU(config-if <interface-name>)# ip address {<ip-address subnet-mask>|<ip-address/prefix-length>} Example: ALU(config-if GigabitEthernet3/0)# ip address 20.20.20.20/24
  • Page 672 An interface can have only one IP policy applied on it at any time. Step 7: Use the show commands to view PBR configuration. See “Show Commands in PBR”
  • Page 673: Pbr Configuration Flow

    Figure 12: PBR Configuration Flow
  • Page 674: Pbr Configuration Commands

    The following steps are used to configure a PBR on the OmniAccess 5740 USG. Configure an IP Policy: Command (in CM): ip-policy <name>. Description: This command is used to create an IP...
  • Page 675 no rule <1-65535>: The command deletes a rule corresponding to the rule number. Example: ALU(config-ip-policy-pbr1)# 10 match m1 m2 not m3 interface GigabitEthernet 3/0 next-hop 1.2.2.1 ALU(config-ip-policy-pbr1)# 20 match m1 m2 next-hop 1.2.2.2
  • Page 676 ALU(config-if GigabitEthernet3/1)# ip-policy pbr1 If the IP policy pbr1 is attached to the GigabitEthernet3/1, the following command detaches it from the interface: ALU(config)# interface GigabitEthernet3/1 ALU(config-if GigabitEthernet3/1)# no ip-policy pbr1
  • Page 677: Show Commands In Pbr

    PBR - Policy Based Routed, Drop - Dropped 0 packets forwarded by best effort IP forwarding ip-policy pbr1 : PBR - 0 Drop - 0 0 hits on : 1 match any m1 next-hop 1.1.1.1
  • Page 678: Clear Commands

    policy name>] IP policies configured in the system. If a policy-name is specified, then the statistics for the specified IP policy are cleared. Example: ALU(config)# clear ip-policy statistics
  • Page 679: Pbr Configuration Example

    Figure 13: PBR Configuration Scenario using OmniAccess 5740 USG. Consider a scenario in which a corporation, XYZ, has two departments: Finance and Engineering. XYZ would like to send the Finance department's traffic to the next-hop 203.121.10.1 and the Engineering department's traffic to 150.23.221.50.
  • Page 680: Configuration Steps

    OA5740(config-ip-policy-xyz-corporate-policy)# 20 match engg-dept next-hop 150.23.221.50 OA5740(config-ip-policy-corporate-policy)# exit OA5740(config)# Step 3: Apply the IP policy on the interface. OA5740(config)# interface vlan 10 OA5740(config-if Vlan10)# ip-policy xyz-corporate-policy OA5740(config-if Vlan10)# exit OA5740(config)#
  • Page 681: Verification

    Verify the IP policy configuration by using the following show command: ALU(config)# show ip-policy xyz-corporate-policy ! IP-Policy configuration ip-policy xyz-corporate-policy 10 match any fin-dept next-hop 203.121.10.1 20 match any engg-dept next-hop 150.23.221.50 exit interface Vlan10 ip-policy xyz-corporate-policy exit
  • Page 683: Virtual Routing And Forwarding

    “VRF-CE Overview” section provides an insight on the concept of VRF-CE. This information serves as an educational overview. You can skip this section and move onto the VRF-CE configuration directly.
  • Page 684: Chapter Conventions

    Interface Configuration Mode - ALU (config-interface name)# OSPF Open Shortest Path First Router Configuration Mode - ALU (config-router)# Routing Information Protocol Super User Mode - ALU# VRF-CE Virtual Routing and Forwarding Customer Edge
  • Page 685: Vrf-Ce Overview

    2 via PVC. Blue VPN site 1 connects to a non-VRF aware router at site 2 via an IP tunnel. Similarly, it connects to a VRF-aware router at site 3 via an IP tunnel. Figure 14: VRF-CE Deployment Scenario
  • Page 686 Since multiple VPNs can connect to the same VRF-CE system, they all can use overlapping IP addresses. • VRF-CE lets multiple customers share the same physical link. • All routing protocols can be used between the CE and ISP.
  • Page 687: Vrf-Ce Configuration

    Refer to the following sections to configure VRF-CE on the OmniAccess 5740 USG: • “VRF-CE Configuration Steps” • “VRF-CE Configuration Flow” • “VRF-CE CLI Commands”...
  • Page 688 “Using Management Utilities in a VRF” (Optional) Step 9: System Monitoring Commands in VRF. See “System Monitoring Commands in VRF” (Optional) Step 10: View the VRF-CE configuration. See “VRF Show Commands”
  • Page 689: Vrf-Ce Configuration Flow

    Figure 16: VRF-CE Configuration Flow
  • Page 690: Vrf-Ce Cli Commands

    Maximum number of VRFs supported is 64. Configure Description for a VRF: Command (in VRF CM): description <description-string>. Description: This command is used to specify description for a VRF. Example: ALU(config-vrf)# description ALU-routing
  • Page 691 VRF. If the VRF name is not specified, then the OSPF instance is associated with the Default VRF. Example: ALU(config)# router ospf 1 vrf ALU-vrf ALU(config-router ospf 1)#
  • Page 692 If the VRF name is not specified, then the configurations are associated with the Default VRF. Example: ALU(config)# router bgp 30 ALU(config-router bgp AS30)# address-family ipv4 unicast vrf ALU_vrf ALU(config-router-af-ucast)#
  • Page 693 Configuration Mode. vrf <vrf-name> This command associates the address family with the VRF and enters the VRF configuration mode. Example: ALU(config)# router rip ALU(config-router rip)# address-family ipv4 unicast vrf ALU_vrf
  • Page 694 ALU(config)# clear arp traffic ALU-vrf ALU(config)# show arp vrf ALU-vrf Protocol Address Age (min) Hardware Addr Type Interface Internet 4.4.4.4 0011.8b00.8491 ARPA GigabitEthernet3/0 Internet 4.4.4.2 Incomplete ARPA GigabitEthernet3/0 Internet 4.4.4.1 0002.166f.c4d0 ARPA GigabitEthernet3/0
  • Page 695 IP address configuration on the interface is removed when this command is executed. Hence, configure the IP address after associating a VRF to an interface. Example: ALU(config-if GigabitEthernet3/0)# ip vrf forwarding ALU-vrf
  • Page 696 VRF on an interface associated with the VRF. Example: ALU(config)# ping vrf ALU-vrf 1.2.3.1 ALU(config)# telnet vrf ALU-vrf 10.91.0.22 ALU(config)# ssh vrf ALU-vrf 10.91.0.25 ALU(config)# traceroute vrf ALU-vrf 1.2.3.1
  • Page 697 0 time exceed, 0 param probs, 0 source quench 0 redirects, 10 echo req, 0 echo rpy 0 timestamp req, 0 timestamp rpy 0 addr mask req, 0 addr mask rpy ALU(config)#
  • Page 698 Branch extends: 41 Branch coalesc: 30 System Adjacency Counters: Adjacencies : 4294967291 Adj reference : 106 Adj unrefer : 53 Adj Memory : 496 ALU(config)# ALU(config)# clear ip traffic vrf ALU-vrf
  • Page 699: Vrf Show Commands

    Routing for Networks: 4.0.0.0/8 Routing Information Sources: Gateway Distance Last Update 4.4.4.1 00:05:56 Distance: (default is 110) Routing Protocol is "bgp 100" IGP synchronization is enabled Automatic route summarization is disabled
  • Page 700 1.1.1.0/24 [110/110][1] via 4.4.4.1, GigabitEthernet3/0 4.0.0.0 is variably subnetted, 2 subnets, 2 masks 4.0.0.0/8 [20/0] via 4.4.4.1, GigabitEthernet3/0 4.4.4.0/24 [0/0] is directly connected, GigabitEthernet3/0 5.0.0.0/8 [20/0] via 4.4.4.1, GigabitEthernet3/0 (config)#
  • Page 701 BGP local router ID is 200.1.1.1 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete
  • Page 702 Status codes: s suppressed, d damped, h history, * valid, > best, i - internal Origin codes: i - IGP, e - EGP, ? - incomplete Prefix/len From Flaps Duration Reuse Path * d 100.1.1.0/24 10.0.0.3 00:06:45 00:24:00 65002i
  • Page 703 SND MSS : 1460 RCV MSS : 536 UNACKED SACKED LOST RETRANSMITS Last Data Sent: 25190 Lask Ack Sent : 0 Last Data Recv: 23590 Last Ack Recv : 23590
  • Page 704: Vrf Clear Commands

    clear ip route [vrf <vrf-name>] *: Clears the IP routing table. If the VRF name is specified, it clears the IP routing table for the specified VRF. Example: ALU(config)# clear ip route vrf ALU-vrf *
  • Page 705: Part 6 Network Security

    Part 6 Network Security
  • Page 707: Network Address Translation

    Network Address Translation: After you install OmniAccess 5740 USG, use the CLI to configure the system for Network Address Translation (NAT). This chapter includes steps for configuring the Source NAT (SNAT) and Destination NAT (DNAT). For instructions on using the NAT commands and descriptions on each of their parameters, refer to OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide.
  • Page 708: Nat Overview

    Public IP to free ports. This helps in uniquely identifying incoming replies on those connections to specific systems within the network.
  • Page 709 The NAT device achieves this by building a mapping table between the internal and external hosts on the fly based on the traffic flow.
  • Page 710: Benefits Of Nat

    • Supports multiple match-lists with different NAT IP Pool or host address. • In OmniAccess 5740 USG, the default for NAT configuration is dynamic mapping. The keyword “static” has to be used to convert this setting to static. • OmniAccess 5740 USG supports reflexive/stateful inspection.
  • Page 711: Source Nat Configuration

    Refer to the following sections to configure SNAT on your system: • “SNAT Configuration Steps” • “SNAT Configuration Flow” • “SNAT Configuration Commands” • “Sample Configurations of SNAT on OmniAccess 5740 USG”
  • Page 712: Snat Configuration Steps

    Step 5: Enter into Interface Configuration Mode ALU(config)# interface <name> Example: ALU(config)# interface GigabitEthernet3/0 ALU(config-if GigabitEthernet3/0)# Step 6: Administratively bring up the interface ALU(config-if <interface-name>)# no shutdown Example: ALU(config-if GigabitEthernet3/0)# no shutdown
  • Page 713 “To Attach a NAT Policy to an Interface” Step 9: Turn On/Turn Off the statistics on an Interface “To Turn On/Off Statistics on an Interface” (Optional) Step 10: View NAT configuration. See “NAT Show Commands”.
  • Page 714: Snat Configuration Flow

    Figure 17: SNAT Configuration Flow
  • Page 715: Snat Configuration Commands

    2. When you configure a SNAT without any IP address, the address used for natting is taken as the IP address of the interface to which the NAT policy is bound. Example: ALU(config-nat-N1)# 10 match m1 source-nat
  • Page 716 If a SNAT policy with the pool configuration is attached to an interface, and at any given point of time, the list is modified, you need to reapply the NAT policy on the interface. Example: ALU(config-nat-N1)# match m1 source-nat pool l1
  • Page 717 Note: If no address is configured, the IP address of the egress interface on which the NAT policy is applied will be used. Example: ALU(config-nat-N1)# match m1 source-nat static
  • Page 718 SNAT rule configured. Note: Refer to the “Updations” section to know more on the “change” and “renumber” keywords. Example: ALU(config-nat-N1)# renumber ALU(config-nat-N1)# change 10 20
  • Page 719 ALU(config)# exit ALU(config)# ip nat n1 ALU(config-nat n1)# match m1 source-nat ALU(config)# exit ALU(config)# interface GigabitEthernet 3/0 ALU(config-if GigabitEthernet3/0)# ip filter in f1 ALU(config-if GigabitEthernet3/0)# ip nat out n1
  • Page 720 {in|out|both} statistics for a given interface. Example: ALU(config)# interface GigabitEthernet3/0 ALU(config-if GigabitEthernet3/0)# ip nat statistics out ALU(config)# interface GigabitEthernet3/0 ALU(config-if GigabitEthernet3/0)# no ip nat statistics out
  • Page 721: Sample Configurations Of Snat On Omniaccess 5740 Usg

    11.1.1.0/24 any type ftp ip nat n2 match host1 source-nat host 192.168.10.1 static match host2 source-nat host 192.168.10.2 static match net11 source-nat pool p1 static interface GigabitEthernet3/0 ip nat out n2
  • Page 722: Destination Nat Configuration

    Refer to the following sections to configure DNAT on your system: • “DNAT Configuration Steps” • “DNAT Configuration Flow” • “DNAT Configuration Commands” • “Sample Configuration Example of DNAT on OmniAccess 5740 USG”
  • Page 723: Dnat Configuration Steps

    ALU(config-if <interface-name>)# no shutdown Example: ALU(config-if GigabitEthernet3/0)# no shutdown Step 7: Configure IP address for the interface ALU(config-if <interface-name>)# ip address {<ip-address subnet-mask>|<ip-address/prefix-length>} Example: ALU(config-if GigabitEthernet3/0)# ip address 20.20.20.20/24
  • Page 724 “To Attach a NAT Policy to an Interface” Step 9: Turn On/Turn Off the statistics on an Interface “To Turn On Statistics on an Interface” (Optional) Step 10: View NAT configuration. See “NAT Show Commands”.
  • Page 725: Dnat Configuration Flow

    Figure 18: DNAT Configuration Flow
  • Page 726: Dnat Configuration Commands

    And, this command is used to configure a DNAT with host IP address or an IP address pool. Note: Presently, ‘Hostname’ option is not supported. Only host IP address can be configured.
  • Page 727 [<1-65535>] match [{all|any}] <match-list name> destination-nat pool <list-name> static: This command is used to configure a static DNAT that uses one-to-one address mapping without port translation. Example: ALU(config-nat-N2)# match m1 destination-nat pool l1 static
  • Page 728 DNAT rule configured. Note: Refer to the “Updations” section to know more on the “change” and “renumber” keywords. Example: ALU(config-nat-N2)# renumber ALU(config-nat-N2)# change 10 20
  • Page 729 “interface name” as the source and destination as “any”. Example: ALU(config)# match-list dnat ALU(config-match-list-dnat)# tcp interface GigabitEthernet3/0 any service http ALU(config)# ip nat dnat ALU(config)# match any dnat destination-nat host 1.1.1.1
  • Page 730: Sample Configuration Example Of Dnat On Omniaccess 5740 Usg

    14.1.1.2 match-list m1 host 201.176.18.1 service http ip nat N1 10 match M1 destination-nat pool p1 match m1 destination-nat pool p1 port 8080 ALU(config-if GigabitEthernet3/0) ip nat in n1
  • Page 731: Bypass Ipsec Traffic

    [<1-65535>] match [{all|any}] <match-list name> bypass: This command is used in conjunction with the SNAT or DNAT commands to bypass the traffic. Example: ALU(config)# ip nat snat ALU(config-nat-snat)# match m1 bypass
  • Page 732: Nat Show Commands

    1 match all m3 destination-nat host 2.2.2.2 2. The following example shows the configuration details of a specific NAT policy: ALU# show ip nat n1 ip nat n1 10 match all m1 source-nat
  • Page 733 Dropped: 0, Bypassed: 0, Enqueued: 0 10 match any m1 source-nat host 1.1.1.1 NATted Packets: 0 20 match any m2 source-nat host 1.1.1.2 NATted Packets: 0 interface GigabitEthernet3/0 out
  • Page 734: Nat Clear Commands

    The following example clears the counters of NAT ‘n1’. ALU# clear ip nat statistics n1 ALU# The following example clears the statistics of the NAT for interface ‘GigabitEthernet3/0’. ALU# clear ip nat statistics GigabitEthernet3/0 in ALU#
  • Page 735: Nat Debug Commands

    <number>][output|permanent]| all [detail-level]} Notes: 1. saddr == source address 2. daddr == destination address 3. sport == source port 4. dport == destination port Example: ALU# debug firewall nat
  • Page 736: Modifying Nat Configuration

    10 match m1 source-nat pool p1 15 match m4 source-nat pool p4 20 match m2 source-nat pool p2 30 match m3 source-nat pool p3 interface GigabitEthernet3/0 ip nat out N1
  • Page 737: Updations

    This section explains how to update a NAT rule. To Renumber the List: By default, the numbering pattern used in OmniAccess 5740 USG is multiples of ten. The “renumber” command is useful if a new rule is to be included in between two existing rules of the NAT policy without actually changing the sequence of numbering.
  • Page 738 M4 source-nat match M3 source-nat Now, to generate a numbering scheme with a proper order, use the keyword “renumber” as explained in the section “To Renumber the List”.
  • Page 739: Nat Deletion Commands

    This command when used also deletes all the associated NAT policy rules. Example: To force deletion of the NAT N1: ALU(config)# no ip nat N1 force
  • Page 740 <1-65535> policy corresponding to the line number. Example: In the example below, the component or action corresponding to the rule 30 is deleted. ALU(config-nat-N1)# no rule 30
  • Page 741: Filter And Firewall

    Filter and Firewall: After installing the OmniAccess 5740 USG, use the CLI to configure the OmniAccess 5740 USG for security. This chapter provides the CLI commands for configuring the filters, firewall policies, and DoS attack prevention. For instructions on using the commands and to get a detailed description on each of their parameters, refer to OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide.
  • Page 742: Network Security - An Overview

    • “Network Security Terminologies” • “Firewall Mechanisms” • “Before You Configure Filters and Firewalls” • “OmniAccess 5740 USG Specific Overview”
  • Page 743: Network Security Terminologies

    ALGs look for altered data, potentially harmful traffic, data appropriateness, and also have the capability to log these. Figure 19: Depicting ALG Scenario
  • Page 744: Firewall Mechanisms

    Stateful firewalls are also known as "dynamic" packet filters. Note: OmniAccess 5740 USG supports stateful and stateless inspection. By default, OmniAccess 5740 USG firewall is ‘stateful’.
  • Page 745: Before You Configure Filters And Firewalls

    OmniAccess 5740 USG Specific Overview • For OmniAccess 5740 USG, the default action for a filter is “deny”. However, you can change this option by using the keyword “permit”. • OmniAccess 5740 USG, by default, supports “stateful inspection”. To convert it to a stateless inspection firewall, use the keyword “stateless”.
  • Page 746: Filter Configuration

    • “Filter Deletion Commands” • “Filter Debug Commands” • “Sample Examples of Configuring Filters on OmniAccess 5740 USG” Filter Configuration Steps: This section lists the steps to be followed while configuring a filter. Step 1: Configure the match-lists using the common classifiers syntax. (Refer to the chapter on “Common Classifiers”...
  • Page 747 Detach a Filter to an Interface” Note: An interface can have only one ingress and one egress filter. Step 8: Use the show commands to view the configured filters. See “Filter Show Commands”.
  • Page 748: Filter Configuration Flow

    Figure 20: Filter Configuration Flow
  • Page 749: Filter Configuration Commands

    The following steps are used to configure a filter on the OmniAccess 5740 USG: Create a Filter. Command (in CM) Description: This command configures a filter.
  • Page 750 Note: The filters on OmniAccess 5740 USG are by default stateful. This behavior can be overridden by the keyword “stateless”. Example: The following example sets the filter to stateless.
  • Page 751 To view the filter configuration after renumbering, give the show command. The output appears as shown: show ip filter f1 ip filter f1 match m1 deny match m4 deny reset match m2 deny match m3 deny log default permit
  • Page 752 ALU(config-if GigabitEthernet3/0)# ip filter in f1 If the filter f1 is interfaced to GigabitEthernet3/0, the following example detaches it from GigabitEthernet3/0: ALU(config)# interface GigabitEthernet3/0 ALU(config-if GigabitEthernet3/0)# no ip filter in f1
  • Page 753: Filter Show Commands

    The following syntax displays the filter f1’s details: ALU(config-filter-f1)# show ip filter f1 ip filter f1 10 match any m1 permit default deny interface GigabitEthernet3/0 In, Stats Off
  • Page 754 The following command displays the filter statistics in the "IN" direction: ALU(config)# show ip filter statistics GigabitEthernet 3/0 ip filter f1 20 match any m1 permit Hits 0 default deny interface GigabitEthernet3/0 In, Stats On
  • Page 755: Filter Deletion Commands

    Example: If the filter f1 has to be deleted when attached to an interface, apply the following syntax: ALU(config)# no ip filter f1 force
  • Page 756: Filter Clear Commands

    [<interface-name> interface or clear statistics for a {in|out|both}|<filter-name>] specific filter. Example: ALU# clear ip filter statistics GigabitEthernet3/0 in ALU# ALU# clear ip filter statistics GigabitEthernet3/0 out ALU#
  • Page 757: Filter Debug Commands

    The example below enables debugging for the source IP 10.91.0.52 ALU# debug firewall selector saddr 10.91.0.52 The example below disables debugging for the source IP 10.91.0.52 ALU# no debug firewall selector saddr 10.91.0.52
  • Page 758: L2 (Layer2) Filter Configuration Commands

    ILTER ONFIGURATION OMMANDS MAC filters can be configured on OmniAccess 5740 USG like IP filters though the included match-list will be based on Ethernet parameters only (source MAC, destination MAC, 802.1Q class of service and VLAN tag value). For more information on configuring MAC based match-list, refer to “Common...
  • Page 759 The ‘reset’ keyword can be used only in conjunction with the “deny” keyword.
    Example:
    ALU(config)# l2 filter F1
    ALU(config-filter-F1)# 10 match m3 permit
    ALU(config-filter-F1)# 10 match m3 deny reset
  • Page 760 ALU(config-if GigabitEthernet3/0)# l2 filter in F1
    If the filter F1 is attached to the GigabitEthernet interface, the following command detaches it from the interface:
    ALU(config)# interface GigabitEthernet 3/0
    ALU(config-if GigabitEthernet3/0)# no l2 filter in F1
  • Page 761: L2 Filter Show Commands

    If an L2 filter name is specified, the command displays the statistics for the specified filter.
    Example:
    ALU(config)# show l2 filter statistics
    l2 filter F1
    default deny Hits 0
    interface GigabitEthernet3/0 In
  • Page 762: L2 Filter Clear Commands

    Statistics
    Command (in SUM/CM): clear ip filter statistics <name>]
    Description: This command is used to clear the statistics of an L2 filter.
    Example:
    ALU(config)# clear l2 filter statistics F1
  • Page 763: Sample Examples Of Configuring Filters On OmniAccess 5740 USG

    If you need to give access from the network 192.168.1.0/24 to 192.168.2.0/24 for FTP traffic, the CLI would be as follows:
    match-list m1
    tcp prefix 192.168.1.0/24 prefix 192.168.2.0/24 type ftp
    ip filter f1
    10 match m1 permit
    default deny
  • Page 764: Managing Security Configuration

    15 match m4 deny reset
    To view the filter f1’s configuration:
    show ip filter f1
    ip filter f1
    match m1 permit
    match m4 deny reset
    match m2 deny log
    match m3 permit stateless
  • Page 765: Updations

    By default, the OmniAccess 5740 USG numbers rules in multiples of ten. If a new rule has to be included between two existing rules without changing the numbering sequence, use the “renumber”...
  • Page 766 10 match m1 permit
    To change this rule to deny, enter “deny” in the filter configuration mode:
    ip filter f1
    10 match m1 deny
  • Page 767: Network Attacks - An Overview

    “Optional Attacks”
    The Default Attacks are those present in the default attack prevention list of the OmniAccess 5740 USG. These attacks can either be manually turned on for detection, or filters can be applied to block them. “To Configure Default Attacks (Rate Limiting / Non-rate Limiting) for an Attack Object”...
  • Page 768: Default Attacks (Rate-Limiting / Stateful)

    Essentially, a port scan consists of sending a message to each port, one at a time. The kind of response received indicates whether the port is used and can therefore be probed for weakness.
  • Page 769 The malicious intruder could generate lots of these packets in order to totally overwhelm the systems and network. This keyword is included with appropriate parameters in the default list.
  • Page 770: Default Attacks (Non-Rate Limiting / Stateless)

    Denial-of-Service. To avoid the attack, this keyword is also placed in the default list.
  • Page 771 This attack has TCP packets with both the SYN and FIN flags set, causing a denial of service. This attack is prevented by using the “default” keyword, or it can be inserted in the user-defined list.
  • Page 772: Optional Attacks

    This command is not a default DoS setting. This attack is not set for protection by default in the OmniAccess 5740 USG, but you can turn it on by explicitly adding the above keyword in the user-defined attack prevention list.
  • Page 773 This will cause many frames to be unnecessarily transmitted, and dramatically reduce the performance of the network and the systems involved. To avoid this Denial of Service overload attempt, this command is placed in the default prevention list.
  • Page 774: Network Attack Prevention Configuration

    “To Create a DoS Rule Inside a Firewall Policy”
    Attach a Firewall Policy to an Interface
    Step 7: Enter into Interface Configuration Mode
    ALU(config)# interface <name>
    Example:
    ALU(config)# interface GigabitEthernet3/0
    ALU(config-if GigabitEthernet3/0)#
  • Page 775 “IN/OUT”. See “To Attach a Firewall Policy to an Interface”
    Step 11: View the firewall configuration. See “Firewall Show Commands”
    Step 12: Delete the firewall configuration. See “Firewall Deletion Commands”
  • Page 776: Network Attack Prevention Configuration Flow

    Figure 21: Network Attack Prevention Flowchart
  • Page 777: Network Attack Prevention Configuration Commands

    1. You can modify the system default attack object, but you cannot delete it.
    2. You cannot modify/delete the system default policy.
    3. You can modify/delete the user-created attack objects and the attack policies associated with them.
  • Page 778 You can create a “default” attack setting to check default attacks on ingress traffic to all interfaces. In OmniAccess 5740 USG, the default DoS attack is configured for the prevention of all attacks and their default settings except "icmp-block-trace-route", "icmp-router-advertisement", "icmp-redirect".
  • Page 779 NAT or DoS configuration. This is why you can see these attacks in the “show” output even when you have not configured them.
  • Page 780 Example:
    ALU(config-firewall-attack-A1)# all
    ALU(config-firewall-attack-A1)# no all
    The following are the Optional attacks that are not present in the default attack prevention list of the OmniAccess 5740 USG:
    • icmp_router_advertisement
    • icmp_redirect
    • ip_spoofing
    • icmp_block_trace_route
    • ip_source_routing...
  • Page 781 Command: tcp-header-frag
    Description: This command is used to configure the tcp-header-frag attack for an attack object.
    Command: ip-zero-length
    Description: This command is used to configure the ip-zero-length attack for an attack object.
  • Page 782 The ‘no’ command disables the individual attack configured for an attack object.
    Example:
    ALU(config-firewall-attack-A1)# no ip-tear-drop
    Note: You can also modify the System Default Attack Object by entering into the system-default attack object.
    Example:
    ALU(config-firewall)# attack system-default
    ALU(config-firewall-attack-system-default)# all
  • Page 783 Note: Currently, multiple match-lists cannot be associated with a firewall policy rule. To configure more than one match-list within a firewall policy, add multiple rules with different match-lists.
  • Page 784 20 match m2 attack atk reset
    30 match m3 attack atk reset
    Now, to generate a numbering scheme with a proper order, use the keyword “renumber” as follows:
    ALU(config-firewall)# policy P1
    ALU(config-firewall-P1)# renumber
  • Page 785 (outgoing) traffic if the “out” keyword is used.
    Note: A firewall policy takes effect once it is attached to an interface.
    Example:
    ALU(config)# interface GigabitEthernet3/0
    ALU(config-if GigabitEthernet3/0)# firewall policy in P1
  • Page 786
    • Default TCP value is 900 seconds.
    • Default UDP value is 300 seconds.
    • Default ICMP value is 30 seconds.
    Example:
    ALU(config-firewall)# session
    ALU(config-firewall-session)# default timeout tcp 10
  • Page 787: Firewall Show Commands

    The following syntax is used to view the details of attack A1:
    ALU# show firewall attack A1
    attack A1
    udp-port-loopback 10 1000
    udp-flood 200 1000
    tcp-fin-scan
    icmp-ip-address-sweep 2 10
    icmp-dest-unrch-storm 2 10
    icmp-ping-flood 2 10
    tcp-syn-flood 100 1000 5
    udp-fraggle-attack
  • Page 788 The following syntax is used to view the details of a firewall session:
    ALU(config)# show firewall session detail
    ID 70 ICMP timeout 28 secs, used by NAT
    Initiator: (10.91.1.108:13)=>(10.91.0.1:13)
    Responder: (10.91.0.1:34416)=>(10.91.1.108:34416)
  • Page 789 ID 70 ICMP timeout 25 secs, used by NAT
    Initiator: (10.91.1.108:13)=>(10.91.0.1:13)
    Responder: (10.91.0.1:34416)=>(10.91.1.108:34416)
    ALU(config)# show firewall session destination ip 10.91.0.1
    ID 70 ICMP timeout 25 secs, used by NAT
    Initiator: (10.91.1.108:13)=>(10.91.0.1:13)
    Responder: (10.91.0.1:34416)=>(10.91.1.108:34416)
  • Page 790 Specific Firewall Policy
    Command (in F-PCM): no rule <1-65535>
    Description: This deletes only the rule in the firewall policy corresponding to the line number.
    Example:
    ALU(config-firewall-P1)# no rule 30
  • Page 791 Command: show firewall policy system-default
    Description: This command is used to view the system default policy configuration.
    Example:
    ALU# show firewall policy system-default
    policy system-default
    10 match all attack system-default drop
    system-traffic firewall policy system-default
  • Page 792 The deleted default attacks are displayed with a prefix “no”, and the modified default attacks are displayed with the modified parameters.
  • Page 793 Command (in SUM/CM): clear firewall session session-id <0-128000>
    Description: This command is used to clear the firewall sessions for a specific session ID.
    Example:
    ALU(config)# clear firewall session session-id 200
  • Page 794: Firewall Debug Commands

    The example below enables debugging for the source IP 10.91.0.52:
    ALU# debug firewall selector saddr 10.91.0.52
    The example below disables debugging for the source IP 10.91.0.52:
    ALU# no debug firewall selector saddr 10.91.0.52
  • Page 795: Sample Firewall Policy Configurations On OmniAccess 5740 USG

    GigabitEthernet3/1
    match-list m1
    tcp list outside-zone list inside-zone type ftp
    firewall
    attack d1
    default
    policy p1
    match m1 attack d1 drop
    interface GigabitEthernet3/0
    firewall policy in p1
  • Page 796 10.0.0.0/8 for all default attacks: match-list m2 ip interface GigabitEthernet3/0 prefix 10.0.0.0/8 type firewall attack a2 default policy p2 match m2 attack a2 reset interface GigabitEthernet3/0 firewall policy in p2
  • Page 797: Zone Configuration

    The domain falling outside the "trusted zone" is the "untrusted zone". Hence, external networks such as the Internet, which comprise traffic or systems that are not within the administrative purview of a private network, are an example of an "untrusted zone".
  • Page 798: Semi-Trusted Zone Or Demilitarized Zone

    • Mail Server
    • Application Gateway
    • E-Commerce Systems
    Examples of systems to place on a DMZ include Web servers and FTP servers.
    Figure 23: Three Zone Network Topology
  • Page 799: Three Zone Firewall Example

    LAN. Since these servers are exposed in some form to the Internet, they are placed in the DMZ.
    4. All traffic going out to the Internet is subject to NAT.
    Figure 24: Three Zone Firewall Network Topology
  • Page 800
    1. LAN addresses fall in 3 subnets
    • 10.0.0.0/24
    • 192.168.0.0/24
    • 172.16.0.0/25
    2. The Public IP of the link is 202.24.45.100. This is forwarded to Mail Server and Web Server using DNAT.
  • Page 801 Configuring lists with IP addresses rather than interfaces leads to more efficient system operation, as the system does not have to do a lookup to determine the egress interface and then apply the filter.
  • Page 802 ALU(config-match-list-DMZ-access)# 2 tcp list DMZ list Untrust service dns
    ALU(config-match-list-DMZ-access)# 3 udp list DMZ list Untrust service dns
    (vi) Internet access to Trust
    ALU(config)# match-list Internet-Trust
    ALU(config-match-list-Internet-Trust)# ip any any
  • Page 803 ALU(config-match-list-DoS)# 2 ip any list DMZ
    9. Configuring the rule for SNATing the trusted and DMZ networks.
    ALU(config)# match-list source-nat
    ALU(config-match-list-source-nat)# 1 ip list Trust any
    ALU(config-match-list-source-nat)# 2 ip list DMZ any
  • Page 804 10. Configuring the DoS attacks from which protection is required. In this case, we configure all the available attacks present on the OmniAccess 5740 USG.
    ALU(config)# firewall
    ALU(config-firewall)# attack atk1
    ALU(config-firewall-attack-atk1)# tcp-fin-no-ack...
  • Page 805 ALU(config-if GigabitEthernet3/1)# ip filter in DMZ-traffic
    ALU(config)# ip filter DMZ-out
    ALU(config-filter-DMZ-out)# 10 match any DMZ-Trust permit
    ALU(config-filter-DMZ-out)# default deny
    Applying the filter as "out" on the DMZ interface:
    ALU(config-if GigabitEthernet3/1)# ip filter out DMZ-out
  • Page 806 ALU(config-nat-DNAT)# match any Internet-mail-access destination-nat host 172.16.0.130
    ALU(config-nat-DNAT)# match any webserver-access destination-nat host 172.16.0.131
    Apply the DNAT rule as an IN NAT policy for the mail and webserver access.
    ALU(config-if Serial0/0:0)# ip nat in DNAT
  • Page 807: Example 2: Simple Zone Configuration In OmniAccess 5740 USG

    In OmniAccess 5740 USG, you can define classification for trusted/untrusted/DMZ traffic in ACL, NAT, or DoS policies, and further apply these policies to the interfaces:
    match-list trusted
    ip 10.0.0.0/24 any
    match-list dmz
    ip 172.16.0.0/24 any...
  • Page 808
    ip filter out permit-dmz-policy //This will permit DMZ traffic without translation
    ip filter in deny-untrusted-policy //This will deny all untrusted traffic originated from outside
    Exit //Done
  • Page 809: Time-Range/Timer Configuration

    GMT time. Therefore, it has the option to permit automatic changing to/from daylight savings time.
    Note: The user must issue the “clock” command to set the clock in the OmniAccess 5740 USG, so that the time-range configuration can take effect precisely.
    Example...
  • Page 810: Time-Range Show Command

    Example: If “t1” is a schedule, then to view the particulars in it, use the following command:
    ALU# show time-range
    time-range t1
    absolute 10:10:10 5/6/2006
  • Page 811: ALGs Supported In OmniAccess

    ALGs Supported in OmniAccess 5740 USG
    The ALGs (Application Level Gateways) supported in OmniAccess 5740 USG are listed below. The Session Initiation Protocol (SIP) is an application-layer control protocol that can establish, modify, and terminate multimedia sessions such as Internet telephony calls.
  • Page 812 Trivial File Transfer Protocol (TFTP) is a simple form of the File Transfer Protocol (FTP). TFTP uses the User Datagram Protocol (UDP) and provides no security features. It is often used by servers to boot diskless workstations, X-terminals, and routers.
  • Page 813: ALG Configuration Commands

    ALU(config)# match-list m1
    ALU(config-match-list-m1)# tcp any any service dns
    Note: Use the port number to configure any other standard ALG service apart from those given in the above commands.
  • Page 814 Total SNAT Pasv Response commands
    Total DNAT Pasv Response commands
    Total Filter Pasv Response commands : 0
    Total Pinholes created
    Total Pinholes matched
    Total Pinholes timed out
    Total Pinholes failed
  • Page 815 ALU(config)# show firewall alg rpc statistics
    Total SNAT RPC CALL Packets
    Total DNAT RPC REPLY Packets
    Total DNAT DUMP REPLY Packets
    Total Pinholes created
    Total Pinholes matched
    Total Pinholes failed
    Total Pinholes removed
  • Page 816 Total RTCP Pinholes timeout
    Total SIP Packets with Non-SDP message body
    Total SIP Packets with invalidate payload
    Total SIP Packets with invalidate SDP payload
    Total SIP Packets out of order
  • Page 817 TFTP ALG debug counters.
    Example:
    ALU(config)# show firewall alg tftp debug-counters
    Total malloc operations
    Total failed malloc operations
    Total memory release operations
  • Page 818 Total malloc passed, sip sessions and calls
    Total malloc failed
    Total memory free count, sip sessions and calls
    Total sip packets translated
    Total sdp packets translated
    Total sip packets retransmitted
  • Page 819 Firewall Statistics
    Command (in SUM/CM): clear firewall alg sip statistics
    Description: This command is used to clear the ALG SIP statistics.
    Example:
    ALU(config)# clear firewall alg sip statistics
  • Page 820: Customized-Service Rule Based ALG Configuration

    The OmniAccess 5740 USG now supports the customized-service rule based ALG (Application Level Gateway) configuration. By definition, the ALGs operate on well-known ports or standard ports. The customized service gives an additional point of invocation of the ALG and the capability to remove or disable the invocation from well-known ports.
  • Page 821 Command: change {<1-65535> <1-65535>}
    Description: Use this command to change the priority of a specific ALG rule configured.
    Example:
    The following example shows how to change the priority of a rule:
    ALU(config-customized-service)# change 10 1
  • Page 822 Details of a Rule Based Service
    Command (in SUM/CM): show customized-service
    Description: This command shows the ALG rule based service details.
    Example:
    ALU(config)# show customized-service
    20 match any m2 service none
  • Page 823: Typical Rule Based ALG And DNAT Example Using OmniAccess 5740 USG

    When there are multiple internal FTP servers inside the DMZ and sufficient Public IP addresses are not available, these multiple FTP servers should run on different ports so that they can be accessed from outside using DNAT.
  • Page 824 ALU(config-customized-service)# match m4 service none
    Show Customized-Service Configuration
    ALU(config)# show customized service
    10 match m1 service ftp
    20 match m2 service ftp
    30 match m3 service ftp
    40 match m4 service none
  • Page 825: Security - Best Practices

    Note that the firewall evaluates rules from first to last. The rules are:
    • ICMP Rules
    • IP Rules
    • UDP Rules
    • TCP Rules
  • Page 826 Drop X-Windows (packets using ports 6000-6003). It is possible for a hacker to control the mouse and keyboard of a host inside the network.
    • Drop SNMP (packets using ports 161 and 162).
  • Page 827 Rate Limiting
    Rate limiting is a good method of prevention against Denial-of-Service attacks. The most common of them are:
  • Page 828 IP address within a defined interval. This again can be prevented by setting a threshold (5 milliseconds is the default). This can be configured as:
    ALU(config-firewall)# attack p1
    ALU(config-firewall-attack-p1)# port-scan threshold 10 1000
  • Page 829: IP Security - Virtual Private Network

    IPsec VPN, its components, tunneling, and security. For a succinct description of the parameters and default values, refer to the VPN section in the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide.
    Note: The basic security package provides IPsec functionality with lower encryption (up to 64-bit) algorithms only.
  • Page 830: Chapter Conventions

    IKE Policy Configuration Mode - ALU (config-IKE policy name)#
    ISAKMP: Internet Security Association and Key Management Protocol
    Perfect Forward Secrecy
    Public Key Infrastructure
    Security Association
    Security Policy Database
    Super User Mode - ALU#
  • Page 831: IPsec VPN Overview

    Extranets with service agents, partners, etc.
    • Secure connectivity from home to the office network.
    Figure 26: General VPN Usage
  • Page 832 The following sections provide a conceptual overview of IPsec VPN:
    • “IPsec Enabled VPN”
    • “IPsec Connection Types”
    • “IPsec Concepts”
    • “Benefits of IPsec Enabled VPN”
    • “Default Configuration Setting on OmniAccess 5740 USG”
  • Page 833: IPsec Enabled VPN

    "Road Warrior" connection and the remote computer is not behind a firewall. The IP address that the remote computer will be using is normally not known for configuration.
  • Page 834 VPN channel that connects the Finance department and Accounts department of two geographically displaced locations. Tunnel 1 users have no access to this path.
    Figure 27: A General Scenario of IPsec - VPN
  • Page 835: IPsec Concepts

    The outer IP header corresponds to these gateways. Since the tunnel mode hides the original IP header, it facilitates security of the networks with private IP address space.
    Figure 28: Tunnel Mode
    Note: OmniAccess 5740 USG supports only Tunnel Mode.
  • Page 836 IP header to the now encrypted packet. This new IP header contains the destination address needed to route the protected data through the network.
    Note: The OmniAccess 5740 USG supports the ESP protocol, which also provides AH functionality.
  • Page 837 IP addresses, ports, etc. With each policy, a Security Association (SA) is associated. You should mainly configure the encryption algorithm and authentication algorithm that should be used. The cryptographic key should be configured.
  • Page 838 Nonce Payload
    MESSAGE 5: ISAKMP HEADER, Identity Payload, Authentication Data Payload (ENCRYPTED)
    MESSAGE 6: ISAKMP HEADER, Identity Payload, Authentication Data Payload (ENCRYPTED)
    Figure 29: Phase 1 Negotiation - Main Mode
  • Page 839 Figure 30: Phase 2 Negotiation - Quick Mode
    A full Diffie-Hellman key exchange may be done to provide Perfect Forward Secrecy (PFS).
  • Page 840: Benefits Of IPsec Enabled VPN

    Extended geographic connectivity.
    • Reduces transit time and transportation costs for remote users.
    • Improves productivity.
    • Simplifies network topology.
    • Provides global networking opportunities.
    • Provides telecommuter support.
  • Page 841: Default Configuration Setting On OmniAccess 5740 USG

    To ease the setup of an IPsec tunnel, the OmniAccess 5740 USG provides the following default configurations:
    • If an IKE policy is not configured, you can attach the ‘default’ IKE policy to the crypto map. Following are the default values for the ‘default’ IKE policy:
    Default proposal in IKE policy: md5-des
    ii.
  • Page 842: IPsec VPN Configuration

    • “IPsec VPN Show Commands”
    IPsec VPN Configuration Steps
    The following are the steps to configure IPsec VPN on the OmniAccess 5740 USG:
    Step 1: Configure match-list and match-list rules. For more information on this, refer to the “Common Classifiers”...
  • Page 843 Step 10: Configure Dead Peer Detection. See “Dead Peer Detection (DPD)” (Optional)
    Step 11: Know the default values allowed by the OmniAccess 5740 USG. See “Default Configuration Setting on OmniAccess 5740 USG”
    Step 12: View the IPsec configuration. See “IPsec VPN Show Commands”.
  • Page 844: IPsec VPN Configuration Flow

    Figure 31: IPsec Configuration Flowchart
  • Page 845: IPsec Configuration Commands

    (access-list) needs to be configured. This match-list is called by the crypto map command. In the OmniAccess 5740 USG, a wide variety of match-lists can be defined. However, a well-defined subset of match-lists can be used for an IPsec tunnel. A match-list should not have ‘any any’...
  • Page 846: Example

    Example:
    ALU(config)# crypto key generate rsa 1024 exampleKey
    % The generated keys will be named examplekey ... starting key generation. Please wait...
    % Keys successfully generated.
  • Page 847: To Import A RSA Key

    Command: crypto ca identity <name>
    Description: This command configures a CA identity with the name specified.
    Note: Entering this command changes the mode to ca-identity mode.
    Example:
    ALU(config)# crypto ca identity ALUCA
  • Page 848 Command: subject-name <subject-name>
    Description: This command specifies the subject distinguished name that would appear in the certificate request for this CSR, if generated on the OmniAccess 5740 USG.
    Example:
    ALU(config-ca-ALUCA)# subject-name /CN=Bart Simpson/O=ALU/C=US
  • Page 849 (“To Generate a CSR”) and export the CSR (“To Export a CSR”) from the OmniAccess 5740 USG to a remote location to generate the X.509 signed certificate on the OmniAccess 5740 USG.
  • Page 850 “To View CSR Details” command.
    Note: Currently, the SCP option is not supported.
    Example:
    ALU(config)# crypto certificate-request req_Simpsom export ftp:
  • Page 851 Note: The crypto certificates take effect only after issuing the ‘refresh’ command.
    Example:
    ALU(config)# crypto certificate-database refresh
  • Page 852 Strict Policy
    By default, the OmniAccess 5740 USG has a lenient CRL policy, i.e., even if the CRL is not present (not imported) or expired, the peer's certificate will be accepted. There is an option of making this CRL policy strict.
  • Page 853 Issuer of the Certificate
    Command (in IKE Identity CM): peer-ca <name>
    Description: This command specifies the issuer (CA) of the peer's certificate.
    Example:
    ALU(config-ike-identity-exampleidentity)# peer-ca CN=ALU, OU=Certificate Authority, C=US
  • Page 854 <name> signed certificate to be used during IKE negotiation. This should be one among the certificates imported under the “To Import a Signed Certificate” command.
    Example:
    ALU(config-ike-identity-exampleidentity)# my-cert cert_Simpson
  • Page 855: To Export RSA Keys

    ALU(config)# crypto key export rsa examplekey tftp:
    Delete a CA Certificate
    Command (in CM): crypto ca-cert <name> delete
    Description: This command deletes the specified CA certificate.
    Example:
    ALU(config)# crypto ca-cert ALUca delete
  • Page 856: To Delete a Signed Certificate

    ALU(config)# crypto peer-certificate cert_Bouvier delete
    To Delete an RSA Key
    Command (in CM): crypto rsa-key <name> delete
    Description: This command deletes the specified RSA key pair.
    Example:
    ALU(config)# crypto rsa-key examplekey delete
  • Page 857: Internet Key Exchange (IKE) Policy

    Example:
    ALU(config)# crypto ike policy P1
    ALU(config-crypto-ike-policy-P1)#
    Note: The “force” keyword is used to modify or edit an IKE policy in use.
  • Page 858 The ‘no’ command resets the IKE policy to its default. Note: If no proposal is configured for an IKE policy, md5-des is taken as the default proposal.
    Example:
    ALU(config-crypto-ike-policy-P1)# proposal md5-aes-128
    ALU(config-crypto-ike-policy-P1)# no proposal
  • Page 859 There is no default value for IPsec SA lifetime in Kilobytes.
    Example:
    ALU(config-crypto-ike-policy-P1)# ipsec security-association lifetime kilobytes 5400
    ALU(config-crypto-ike-policy-P1)# ipsec security-association lifetime seconds 5400
    ALU(config-crypto-ike-policy-P1)# no ipsec security-association lifetime kilobytes
    ALU(config-crypto-ike-policy-P1)# no ipsec security-association lifetime seconds
  • Page 860 If the PFS group is not explicitly configured, group2 is used as the default PFS.
    no pfs: The ‘no’ command resets the PFS group to default.
    Example:
    ALU(config-crypto-ike-policy-P1)# pfs group1
    ALU(config-crypto-ike-policy-P1)# no pfs
  • Page 861: To Configure Transform-Set in IPsec

    SHA1 and 192 bit AES encryption
    • esp-sha1-aes256 encapsulation with SHA1 and 256 bit AES encryption
    • esp-sha1-des encapsulation with SHA1 and 56 bit DES encryption
  • Page 862 Note: The OmniAccess 5740 USG will have a default transform-set configuration with parameters esp-sha1-des and esp-md5-des.
    Example:
    ALU(config)# crypto ipsec transform-set netset esp-sha1-aes256
    ALU(config)# crypto ipsec transform-set myset esp-md5-3des esp-...
  • Page 863: To Configure IPsec Crypto Map

    If you try to attach a match-list to a crypto map that already has one, it overrides the existing match-list provided it satisfies the match-list criteria for IPSec.
    Example:
    ALU(config-crypto-map-exampleMap)# match matchlist1
    ALU(config-crypto-map-exampleMap)# no match matchlist1
  • Page 864 You cannot delete a peer from the crypto map if the crypto map is attached to an interface.
    Example:
    ALU(config-crypto-map-exampleMap)# peer 100.10.61.20
    ALU(config-crypto-map-exampleMap)# peer mysmb.dyndns.org
    ALU(config-crypto-map-exampleMap)# no peer 100.10.61.20
  • Page 865 If no PFS group is attached to a crypto map, group2 PFS is used.
    no pfs: The ‘no’ command disables PFS completely.
    Example:
    ALU(config-crypto-map-exampleMap)# pfs group1
    ALU(config-crypto-map-exampleMap)# no pfs
  • Page 866 IKE policy associated with the crypto map, then the default lifetime is considered.
    Example:
    ALU(config-crypto-map-exampleMap)# lifetime seconds 1000
    ALU(config-crypto-map-exampleMap)# lifetime kilobytes 1005236
    ALU(config-crypto-map-exampleMap)# no lifetime seconds
    ALU(config-crypto-map-exampleMap)# no lifetime kilobytes
  • Page 867: To Attach Crypto Map to an Interface

    To delete, first detach the crypto map from the interface.
    Example:
    ALU(config)# interface GigabitEthernet 3/0
    ALU(config-if GigabitEthernet3/0)# crypto map exampleMap
    ALU(config-if GigabitEthernet3/0)# no crypto map exampleMap
  • Page 868: Dead Peer Detection (DPD)

    DPD interval specified.
    no crypto ike dpd: This command disables DPD for IPsec globally.
    Example:
    ALU(config)# crypto ike dpd interval 10 timeout 35
    ALU(config)# no crypto ike dpd
  • Page 869 ALU(config-crypto-map-map1)# dpd delay 15 timeout 60
    ALU(config-crypto-map-map1)# dpd NONE
    ALU(config-crypto-map-map1)# no dpd
    Note: If there is no global DPD defined, both the dpd none command and no dpd command produce the same result.
  • Page 870: IPsec VPN Show Commands

    ! Key in Use (by 1 cryptomap/s)
    crypto ike policy ike
    proposal md5-3des
    pfs group2
    ipsec security-association lifetime seconds 590
    lifetime seconds 1500
    ! Policy in Use (by 1 cryptomap/s)
    crypto ipsec transform-set myset esp-md5-3des
  • Page 871 ALU2 ipsec-ike ike
    peer 2.2.2.1
    match m1
    transform-set myset
    pfs group2
    ! Applied to : GigabitEthernet3/1
    interface GigabitEthernet3/1
    crypto map ALU2
    line vty 4
    transport input none
    line con 0
    ALU#
  • Page 872 ! Applied to : GigabitEthernet3/1
    interface GigabitEthernet3/1
    crypto map exampleMap
    !crypto ipsec profile default
    ike-policy default
    transform-set default
    pfs group2
    lifetime seconds 28800
    ! Not Applied to Any Interface
  • Page 873 The following example displays the details for a specified crypto map:
    ALU(config)# show crypto map examplemap
    crypto map examplemap ipsec-ike P1
    peer 10.10.10.1
    match m1
    transform-set default
    pfs group2
    ! Applied to : GigabitEthernet3/1
    interface GigabitEthernet3/1
    crypto map examplemap
  • Page 874 ! Policy in Use (by 1 cryptomaps/ipsec-profiles)
    crypto ike policy P1
    proposal sha1-aes128
    ipsec security-association lifetime seconds 28800
    lifetime seconds 86400
    pfs group2
    authentication pre-shared
    ! Policy in Use (by 1 cryptomaps/ipsec-profiles)
  • Page 875 Example:
    ALU(config)# show crypto ipsec transform-set
    !crypto ipsec transform-set default esp-md5-des esp-sha1-des
    crypto ipsec transform-set ts1 esp-md5-des
    ALU(config)# show crypto ipsec transform-set ts1
    crypto ipsec transform-set ts1 esp-md5-des
  • Page 876 TUNNEL MODE
    Replay Detection Enabled: Yes
    ESP spi:0xc3fb59c time-left:28793secs/0kb esp-sa-id:12
    Decaps:7 Decrypt:7 Auth:7 Errors:0
    ********OUTBOUND********
    ESP Algo:crypt:DES-CBC len:64 auth:SHA1-HMAC len:160
    TUNNEL MODE
    Replay Detection Enabled: Yes
    ESP spi:0x541a7498 time-left:28793secs/0kb esp-sa-id:16
    Encaps:7 Encrypt:7 Auth:7 Errors:0
  • Page 877 ALU(config)# show crypto rsa-key exampleKey public-key
  • Page 878 DN /CN=Bart Simpson/O=ALU/C=US
    my-cert cert_Simpson
    ALU(config)# show crypto ike identity exampleIdentity
    crypto ike identity exampleIdentity
    peer-id user-fqdn selma_bouvier@ALU.com
    peer-ca CN=ALU, OU=Certificate Authority, C=US
    my-id DN /CN=Bart Simpson/O=ALU/C=US
    my-cert cert_Simpson
  • Page 879 Exponent: 65537 (0x10001)
    X509v3 extensions:
      X509v3 Basic Constraints:
        CA:FALSE
      Netscape Comment:
        OpenSSL Generated Certificate
      X509v3 Subject Key Identifier:
        88:75:2D:47:AC:E8:AB:C3:5F:9F:E1:93:6B:7E:07:9C:A3:B0:24:CB
      X509v3 Authority Key Identifier:
        keyid:05:98:D2:25:D3:18:12:A1:C7:4B:7A:98:D2:D8:25:73:2B:6B:AE:B1
        DirName:/CN=CA_0x01/O=
        serial:00
    Signature Algorithm: md5WithRSAEncryption
  • Page 880 <name>
    show crypto peer-certificate [<name> [pem]]: Displays the details of the specified peer certificate in the base64 pem format.
    Example:
    ALU(config)# show crypto peer-certificate
    cert_fred
    cert_barney
    cert_wilma
  • Page 881 X509v3 Subject Key Identifier:
      A8:80:7E:54:63:61:76:66:DE:E0:98:6C:10:31:6D:EB:1E:9D:4C:46
    X509v3 Authority Key Identifier:
      keyid:A8:80:7E:54:63:61:76:66:DE:E0:98:6C:10:31:6D:EB:1E:9D:4C:46
      DirName:/C=US/ST=Bedrock/CN=Fred Flintstone/emailAddress=fred@flintstones.com
      serial:00
    X509v3 Basic Constraints:
      CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
  • Page 882 ALU(config)# show crypto peer-certificate cert_fred pem
  • Page 883 Signature Algorithm: md5WithRSAEncryption
    Example:
    ALU(config)# show crypto crl ca ALUCA pem
  • Page 884 X509v3 extensions:
      X509v3 Subject Key Identifier:
        05:98:D2:25:D3:18:12:A1:C7:4B:7A:98:D2:D8:25:73:2B:6B:AE:B1
      X509v3 Authority Key Identifier:
        keyid:05:98:D2:25:D3:18:12:A1:C7:4B:7A:98:D2:D8:25:73:2B:6B:AE:B1
        DirName:/CN=CA_0x01/O=
        serial:00
      X509v3 Basic Constraints:
        CA:TRUE
    Signature Algorithm: md5WithRSAEncryption
  • Page 885 <name>
    show crypto certificate-request [<name> [pem]]: Displays the details of the specified CSR in the base64 pem format.
    Example:
    ALU(config)# show crypto certificate-request
    req_Simpson
    req_Burns
  • Page 886 Exponent: 65537 (0x10001)
    Attributes:
      a0:00
    Signature Algorithm: md5WithRSAEncryption
    ALU(config)# show crypto certificate-request req_Simpson pem
  • Page 887: Clear Commands in IPsec

    Note: The sa-index must be a valid sa-index of an outbound SA.
    Example:
    ALU# clear crypto ipsec sa all
    ALU#
    ALU# clear crypto ipsec sa 16
    ALU#
  • Page 888: IPsec Scenarios on OmniAccess 5740 USG

    86400
    pfs group2
    !crypto ipsec transform-set default esp-md5-des esp-sha1-des
    crypto map demomap ipsec-ike default
    peer 10.0.0.1
    match m1
    transform-set default
    pfs group2
    ! Not Applied to Any Interface
  • Page 889 “!” at the beginning of the line. This would help in knowing whether the value was set or assumed. Another point to note is that the OmniAccess 5740 USG does not support AH in IPsec. AH is a very weak mechanism and hence is not used in most modern systems.
  • Page 890 Adding an Extra Rule to the Match-list Used by a Crypto Map
    An extra rule cannot be added to a match-list if it is attached to a crypto map.
  • Page 891: Best Practices for Deploying IPsec VPN

    It is up to you to decide upon the key length. It is recommended to use a minimum key length of 16 characters. Note: The OmniAccess 5740 USG supports only unique preshared keys to provide better security.
  • Page 892: IPsec Access Control

    It is recommended to use Diffie-Hellman PFS Group 5.
    • group1: Use Diffie-Hellman Group 1: 768 bits
    • group2: Use Diffie-Hellman Group 2: 1024 bits
    • group5: Use Diffie-Hellman Group 5: 1536 bits
  • Page 893: Network Address Translation

    NAT bypass must be configured. Generally, NAT and IPsec are applied on the same interface (public). From a performance perspective, this is not a good combination. Hence, the OmniAccess 5740 USG allows you to use the bypass command to bypass all the IPsec traffic and NAT the other traffic.
  • Page 894: IPsec NAT-Traversal

    crypto nat-traversal {enable|disable}: This command is used to enable or disable NAT traversal for IPsec on the OmniAccess 5740 USG. By default, NAT Traversal is enabled.
    Example:
    ALU(config)# crypto nat-traversal disable
  • Page 895: Scenarios Depicting IPsec NAT-Traversal

    !crypto ipsec transform-set default esp-md5-des esp-sha1-des
    crypto map map1 ipsec-ike default
    peer 202.50.24.1
    match m1
    transform-set default
    pfs group2
    ! Applied to : GigabitEthernet3/0
    interface GigabitEthernet3/0
    crypto map map1
  • Page 896 !crypto ipsec transform-set default esp-md5-des esp-sha1-des
    crypto map map1 ipsec-ike default
    peer 202.50.24.2
    match m1
    transform-set default
    pfs group2
    ! Applied to : GigabitEthernet3/0
    interface GigabitEthernet3/0
    crypto map map1
  • Page 897: IPsec Tunnel Interface

    IPsec Tunnel Interface
    Alcatel-Lucent provides support for IPsec in a tunnel mode with encryption, intended for secure site-to-site communications over an untrusted network. Currently IPsec can be configured through a crypto map and applied to an interface. In addition, IPsec as a tunnel interface is required so that, •...
  • Page 898: Default Configuration for an IPsec Profile on OmniAccess 5740 USG

    The OmniAccess 5740 USG provides the following default configurations for an IPsec Profile:
    • If an IKE policy is not configured, the ‘default’ IKE policy is applied to the IPsec profile. Following are the default values for IKE policy:
      i. Default proposal in IKE policy: md5-des
      ii.
  • Page 899: IPsec Tunnel Interface Configuration

    Attach an IKE policy to an IPsec profile. See “To Attach an IKE Policy to an IPsec Profile”
    • Attach a transform set to an IPsec profile. See “To Attach a Transform Set to an IPsec Profile”
  • Page 900 Step 4: View the IPsec tunnel configuration. See “To View the IPsec Profile Configuration”
    Note: All the show commands related to IPsec parameters are also valid for this section. For more details, see “IPsec VPN Show Commands”
  • Page 901: IPsec Tunnel Interface Configuration Flow

    Figure 33: IPsec Tunnel Interface Configuration Flowchart
  • Page 902: IPsec Tunnel Interface Configuration Commands

    Note: If no IKE policy is attached to an IPsec profile, ‘default’ IKE policy is used.
    Example:
    ALU(ipsec-profile-PF1)# ike-policy IKE1
    ALU(ipsec-profile-PF1)# no ike-policy
  • Page 903 If no PFS group is attached to an IPsec profile, group2 PFS is used.
    no pfs: The ‘no’ command disables PFS completely.
    Example:
    ALU(ipsec-profile-PF1)# pfs group2
    ALU(ipsec-profile-PF1)# no pfs
  • Page 904 IPsec profile and the IKE policy associated with the IPsec profile, then the default lifetime is considered.
    Example:
    ALU(ipsec-profile-PF1)# lifetime seconds 1000
    ALU(ipsec-profile-PF1)# lifetime kilobytes 1005236
    ALU(ipsec-profile-PF1)# no lifetime seconds
    ALU(ipsec-profile-PF1)# no lifetime kilobytes
  • Page 905 no shutdown: This command is used to administratively bring up the tunnel interface.
    shutdown: This command is used to administratively bring down the tunnel interface.
    Example:
    ALU(config-if Tunnel1)# no shutdown
    ALU(config-if Tunnel1)# shutdown
  • Page 906 {gre|ipsec} on tunnel interface. To configure IPsec tunnel interface, set the mode to IPsec. Note: By default, tunnel is configured in GRE mode.
    Example:
    ALU(config-if Tunnel1)# mode ipsec
  • Page 907 no tunnel destination <ip-address>: The “no” command removes the configured destination IP address.
    Example:
    ALU(config-if Tunnel1)# tunnel destination 2.2.2.3
    ALU(config-if Tunnel1)# no tunnel destination 2.2.2.3
  • Page 908 You cannot delete an IPsec profile that is applied to the interface. To delete, first detach the IPsec profile from the tunnel interface.
    Example:
    ALU(config-if Tunnel1)# ipsec-profile PF1
    ALU(config-if Tunnel1)# no ipsec-profile PF1
  • Page 909 Example:
    ALU(config)# show crypto ipsec profile
    crypto ipsec profile PF1
    ike-policy secret
    transform-set transet1
    ike-identity ID01
    pfs group2
    lifetime seconds 28800
    ! Applied to:
    interface Tunnel1
    ipsec-profile PF1
    ALU(config)#
  • Page 910: IPsec Tunnel Configuration Scenarios Using OmniAccess 5740 USG

    The OmniAccess 5740 USG topology below consists of the following components:
    • 1 OmniAccess 5740 USG
    • 1 Alcatel-Lucent Brick
    Figure 34: IPsec Tunnel Interface Configuration Topology...
  • Page 911 a) IPsec VPN configuration: Configure preshared key, IKE policy, Transform Set.
    ALU-1(config)# crypto ike key top_secret1612 peer 2.2.2.3...
  • Page 912: Dynamic Multipoint Virtual Private Network (DMVPN) Overview

    Whenever required, a spoke queries the NHS with an NHRP RESOLUTION request to get information about another spoke. After obtaining the information about the peer, the spoke initiates IPsec tunnel establishment in the normal way.
  • Page 913: Alcatel-Lucent Specific Overview

    “License Manager” chapter.
    - Currently, the OmniAccess 5740 USG supports DMVPN interoperability with Cisco IOS Version 12.4 (18b). We do not support interoperability with any Cisco IOS version that has an NHRP phase 3 implementation (like Cisco IOS Version 12.4(24)T2, Version 15.0(1)M1).
  • Page 914: Dmvpn Configuration

    “IPsec VPN Show Commands”
    DMVPN Configuration Steps
    The following are the steps to configure DMVPN on OmniAccess 5740 USG:
    Step 1: Configure a NHRP (Next Hop Resolution Protocol) object. See “To Configure a NHRP Object”
    Step 2: Configure parameters under a NHRP object.
  • Page 915 Administratively bring up the tunnel interface. See “To Administratively Bring Up/Shutdown the Tunnel Interface”
    • Configure IP address for the tunnel interface. See “To Configure IP Address on a Tunnel Interface”
  • Page 916 “To Attach a NHRP Object to the Tunnel Interface”
    Note: All the show commands related to IPsec parameters are also valid for this section. For more details, see “IPsec VPN Show Commands”
  • Page 917: Dmvpn Configuration Flow

    Figure 35: DMVPN configuration flowchart
  • Page 918: Dmvpn Configuration Commands

    This is the tunnel IP address of the NHS.
    no nhs <ip-address>: This command is used to delete the IP address of the NHS from a NHRP object.
    Example:
    ALU(config-nhrp-alu-dmvpn)# nhs 192.168.1.1
    ALU(config-nhrp-alu-dmvpn)# no nhs 192.168.1.1
  • Page 919 no map {<nhs-ip-address> <nbma-address>|multicast dynamic}: This command is used to delete the static map entry.
    Example:
    ALU(config-nhrp-alu-dmvpn)# map 192.168.1.1 1.1.1.1
    ALU(config-nhrp-alu-dmvpn)# no map 192.168.1.1 1.1.1.1
  • Page 920 (in seconds) for NHRP cache.
    no holdtime: The “no” command resets the holdtime to its default. The default holdtime for NHRP cache is 7200 seconds.
    Example:
    ALU(config-nhrp-alu-dmvpn)# holdtime 300
    ALU(config-nhrp-alu-dmvpn)# no holdtime
  • Page 921 NBMA network must share the same authentication string.
    no authentication: The “no” command removes the authentication string.
    Example:
    ALU(config-nhrp-alu-dmvpn)# authentication alu123
    ALU(config-nhrp-alu-dmvpn)# no authentication
    Authentication removed.
  • Page 922 You cannot delete a NHRP object that is applied to the interface. To delete, first detach the NHRP object from the interface.
    Example:
    ALU(config-if Tunnel1)# nhrp alu-dmvpn
    ALU(config-if Tunnel1)# no nhrp alu-dmvpn
  • Page 923 ALU(config)# show ip nhrp
    172.23.1.5/32 via 172.23.1.5
    Tunnel0 created, expire: 00:00:34
    Type: cached, Flags: up
    NBMA address: 10.1.5.2
    172.23.1.1/32 via 172.23.1.1
    Tunnel0 created, never expire
    Type: static, Flags: up
    NBMA address: 10.0.1.1
  • Page 924 Tunnel configuration on an interface. <0-14487>
    Example:
    ALU(config)# show ip nhrp interface Tunnel 0
    172.23.1.1/32 via 172.23.1.1
    Tunnel0 created, never expire
    Type: static, Flags: up
    NBMA address: 10.0.1.1
  • Page 925 Command (in SUM/CM): clear ip nhrp
    Description: This command clears the dynamically learned NHRP entries from the NHRP cache. It does not delete the static mappings.
    Example:
    ALU(config)# clear ip nhrp
  • Page 926: DMVPN Configuration Scenarios Using OmniAccess 5740 USG

    The OmniAccess 5740 USG topology below consists of the following components:
    • 2 OmniAccess 5740 USG
    • 1 Hub that supports NHS functionality
    Figure 36: DMVPN tunnel interface configuration topology...
  • Page 927 OA5740-A(config-if Tunnel1)# mode multipoint-gre
    f) Specify tunnel source, attach the configured IPsec profile and NHRP object to the tunnel.
    OA5740-A(config-if Tunnel1)# tunnel source 10.1.2.1
    OA5740-A(config-if Tunnel1)# ipsec-profile PF1
    OA5740-A(config-if Tunnel1)# nhrp alu-dmvpn
  • Page 928 OA5740-B(config-if Tunnel1)# tunnel source 10.1.3.1
    OA5740-B(config-if Tunnel1)# ipsec-profile PF2
    OA5740-B(config-if Tunnel1)# nhrp alu-dmvpn1
    Verify the configuration by using the ‘show ip nhrp [configuration]’ command.
  • Page 929: IPsec VPN Server Overview

    VPN gateway also.
    Alcatel-Lucent Specific Overview
    • OmniAccess 5740 USG uses Strongswan for IKE and the version of aggressive code ported to 4.3.5.
    • Supports Alcatel-Lucent IPsec Client version 10.0.
    • Uses RADIUS to authenticate Alcatel-Lucent IPsec Client.
  • Page 930: IPsec VPN Server Configuration

    IPsec VPN Server Configuration Steps
    The following are the steps to configure IPsec VPN Server on OmniAccess 5740 USG:
    Step 1: Configure a crypto client object. See “To Configure Client Object”
    Step 2: Configure parameters under a crypto client object.
  • Page 931 Use the links to see the specific commands.
    • Configure pre-shared key. See “IPsec Configuration with Preshared Key”
    Note: While configuring Pre-shared key for a client profile, the peer address should always be 0.0.0.0.
  • Page 932 ALU(config-if <interface-name>)# ip address {<ip-address subnet-mask>|<ip-address/prefix-length>}
    Example:
    ALU(config-if GigabitEthernet3/0)# ip address 2.2.2.1/
    Step 9: Attach the configured client profile to an interface. See “To Attach a Client Profile to an Interface”
  • Page 933 Step 10: View the IPsec tunnel configuration. See “Show Commands For IPsec VPN Server Configuration”
    All the show commands related to IPsec parameters are also valid for this section. For more details, see “IPsec VPN Show Commands”
  • Page 934: IPsec VPN Server Configuration Flow

    Figure 37: IPsec VPN server configuration flowchart
  • Page 935: IPsec VPN Server Configuration Commands

    First detach it from the client profile and then delete it.
    Example:
    ALU(config)# crypto client object myclientobject
    ALU(config-client-obj-myclientobject)#
    ALU(config)# no crypto client object myclientobject
  • Page 936 <ip-address> the IP address of the secondary DNS in a crypto client object.
    Example:
    ALU(config-client-obj-myclientobject)# primary_dns_ip 1.1.1.1 secondary_dns_ip 1.1.1.2
    ALU(config-client-obj-myclientobject)# no primary_dns_ip 1.1.1.1
    ALU(config-client-obj-myclientobject)# no secondary_dns_ip 1.1.1.2
  • Page 937 <ip-address> the IP address of the secondary WINS Server in a crypto client object.
    Example:
    ALU(config-client-obj-myclientobject)# primary_wins_ip 1.1.1.5 secondary_wins_ip 1.1.1.6
    ALU(config-client-obj-myclientobject)# no primary_wins_ip 1.1.1.5
    ALU(config-client-obj-myclientobject)# no secondary_wins_ip 1.1.1.6
  • Page 938 IPsec client connection is brought down. The default keep-alive value is 60 seconds. Example: ALU(config-client-obj-myclientobject)# keep-alive 30
  • Page 939 By default, save password is set to No. Example: ALU(config-client-obj-myclientobject)# save-password yes
  • Page 940 Command (in Client Profile CM): ike-policy <name> Description: This command is used to attach an already configured IKE policy to a client profile. Example: ALU(config-client-prof-myclientprofile)# ike-policy IKE1
  • Page 941 Command: ipsec security-association lifetime seconds <540-86400> Description: This command is used to configure the IPsec SA lifetime in seconds for a client profile. Example: ALU(config-client-prof-myclientprofile)# ipsec security-association lifetime seconds 5400
  • Page 942 To delete, first detach the client profile from the interface. Example: ALU(config-if GigabitEthernet3/0)# crypto client profile myclientprofile ALU(config-if GigabitEthernet3/0)# no crypto client profile myclientprofile
  • Page 943 Idle Timeout:300 sec Primary DNS Server:A.B.C.D Secondary DNS Server:A.B.C.D Primary WINS Server: A.B.C.D Secondary WINS Server:A.B.C.D Client Firewall:Pass Save Password:Yes Local Client Address List:ClList Local Server Address List:SerList Authentication Method List:rad
  • Page 945: Intrusion Detection/Intrusion Prevention System

    For instructions on using the commands and to get a detailed description on each of their parameters, refer to Intrusion Detection/Intrusion Prevention System chapter in the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. Note: IDS (IDS and IDS signature update) is a licensed feature, and not part of the basic security package.
  • Page 946: IDS/IPS Overview

    Alcatel-Lucent Specific Overview: The OmniAccess 5740 USG supports Snort engine for IDS/IPS functionality. IDS/IPS Configuration: Refer to the following sections to configure IDS/IPS: • “IDS/IPS Configuration Steps”...
  • Page 947 (For detailed information on the firewall, refer to the “Filter and Firewall” chapter.) Step 6: Attach the configured intrusion sensors to the firewall policy. See “To Create a Intrusion Rule Inside a Firewall Policy”
  • Page 948 Step 10: Attach the configured firewall policy to appropriate interfaces in the ingress direction of the interface. See “To Attach a Firewall Policy to an Interface” Step 11: View the intrusion sensor configuration using show commands. See “Show Commands”
  • Page 949: IDS/IPS Configuration Flow

    Figure 38: IDS/IPS Configuration Flow
  • Page 950: IDS/IPS Configuration Commands

    The following commands are used to configure IDS/IPS on the OmniAccess 5740 USG. To Configure an IDS/IPS Sensor. Note: The OmniAccess 5740 USG supports Snort based sensors.
  • Page 951 The URL for HTTP or HTTPS should be provided in the following way: For e.g., ‘update instant https https://<username:password@<server-name/ip>/signature.tar.gz passive/rebuild’. It is preferable to upgrade the signatures from Alcatel-Lucent HTTPS server: ‘idsdl.esd.alcatel-lucent.com’ with user name ‘external’ and password ‘G#tS1g5’. It will internally verify the signature versions and download the latest signatures.
  • Page 952 Command: rule prevention {{{category <name>|classtype <name>|priority {high|low|medium}|reset {category <name>|classtype <name>|priority {high|low|medium}}} Description: This command enables you to modify the group level prevention. Example: ALU(config-firewall-intrusion-snort)# rule prevention category attack-responses
  • Page 953 Modification of rule to $EXTERNAL_NET is shown below: ALU(config-firewall-intrusion-snort)# rule modify 1292 content alert tcp $EXTERNAL_NET any -> $EXTERNAL_NET any (msg:"ATTACK-RESPONSES directory listing"; flow:from_server,established; content:"Volume Serial Number"; classtype:bad-unknown; sid:1292; rev:8;)
  • Page 954 Currently, multiple match-lists cannot be associated to a firewall policy rule. To configure more than one match-list within a firewall policy, add multiple rules with different match-lists. Example: ALU(config)#firewall ALU(config-firewall)#policy policy1 ALU(config-firewall-policy1)#1 match m1 intrusion sensor1 detection
  • Page 955 (outgoing) traffic if the “out” keyword is used. Note: The Firewall policy will take effect once it is attached to an interface. Example: ALU(config)# interface GigabitEthernet3/0 ALU(config-if GigabitEthernet3/0)# firewall policy in P1
  • Page 956: IDS/IPS Show Commands

    Command: show firewall intrusion snort archives Description: Use this command to display snort signature archives. Example: ALU#show firewall intrusion snort archives Version no | Details Date of Download |Time of Downl- 2.3.0 Current initial
  • Page 957 00 00 00 00 00 00 00 00 00 0 0 00 00 00 00 00 00 00 00 00|"; reference:arachnids,449; classtype:attempted-rec on; sid:467; rev:3;) --More--
  • Page 958 Command: show firewall intrusion snort rule disable {category|classtype|priority|sid} Description: Use this command to display the information of group of rules that are disabled. Example: ALU# show firewall intrusion snort rule disable sid Disable sid:
  • Page 959 ID, category, class type, or priority. statistics rule {<1-4294967295..>|all|category <name>|classtype <name>|priority {high|low|medium} Example: ALU# show firewall intrusion snort statistics rule all
  • Page 960 Command (in SUM/CM): show firewall intrusion snort update [(report|status)] Description: Use this command to display the status of the Snort signature database update. Example: ALU# show firewall intrusion snort update report
  • Page 961: IDS/IPS Clear Commands

    Command: clear firewall intrusion snort statistics rule {<1-4294967295..>|all|category <name>|classtype <name>|priority {high|low|medium} Description: Use this command to clear group level Snort statistics. Example: ALU#clear firewall intrusion snort statistics rule all
  • Page 962: IDS/IPS Debug Commands

    Notes: 1. saddr == source address 2. daddr == destination address 3. sport == source port 4. dport == destination port Example: ALU# debug firewall intrusion ALU# no debug firewall intrusion
  • Page 963: IDS/IPS Configuration Scenario Using OmniAccess 5740 USG

    The step-by-step procedure to configure IDS/IPS using the OmniAccess 5740 USG is given below. Configuration Steps (Quick Steps): 1. Create match-list. 2. Create intrusion sensor.
  • Page 964: IDS/IPS Topology

    • 3 PCs - with 2 PCs running Nessus. In the topology given below, the OmniAccess 5740 USG is configured in the Prevention mode. Attacks from PC-1 and PC-2, which run the Nessus application, are intercepted by the OmniAccess 5740 USG and dropped.
  • Page 965: Generic Routing Encapsulation

    This chapter documents the commands for GRE (Generic Routing Encapsulation) configuration. For more detailed information on the parameter descriptions and their corresponding default values, refer to the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. This chapter includes the following sections: •...
  • Page 966: GRE Overview

    Public addresses must be used for tunnel endpoint addresses. It is possible to use private IP addresses as the GRE tunnel interface IP address allowing a private address VPN to be carried over a public network.
  • Page 967: GRE Tunnel Features

    Customer and Provider Routing: In OmniAccess 5740 USG, OSPF protocol instances operate upon their own instance of the routing table. Routes from one routing table instance are not visible to the other routing table instance unless they are explicitly redistributed.
  • Page 968: Summary

    Non-IP packets are not supported in the standard release, but they are available as a part of the component upgrade. • By default, when a tunnel is configured for a destination address, the mode is GRE.
  • Page 969: GRE Tunnel Configuration

    Refer to the following sections to configure GRE on the OmniAccess 5740 USG: • “GRE Configuration Steps” • “GRE Configuration Flow” •...
  • Page 970 Destination from a Different VRF” • Configure GRE keep alive interval. See “To Configure GRE Keep-alive Interval” • Configure GRE keep alive maximum tries. See “To Configure GRE Keep-alive Maximum Tries”
  • Page 971: GRE Configuration Flow

    Figure 40: GRE Configuration Flow
  • Page 972: GRE Configuration Commands

    Command (in ICM): ip address {<ip-address subnet-mask>|<ip-address/prefix-length>} Description: This command is used to assign an IP address and subnet mask to the tunnel interface. Example: ALU(config-if Tunnel7)# ip address 20.20.20.20/24
  • Page 973 |<interface-name>} IP address of the tunnel. Example: ALU(config-if Tunnel7)# tunnel source 10.91.0.7 ALU(config-if Tunnel7)# tunnel source GigabitEthernet3/0 ALU(config-if Tunnel7)# no tunnel source 10.91.0.7 ALU(config-if Tunnel7)# no tunnel source GigabitEthernet3/0
  • Page 974 Command: tunnel df-bit {clear|set|copy-from-inner-ip} Description: This command sets the value of the DF-bit for the Outer-IP header. The default DF-BIT value is ‘clear’. Example: ALU(config-if Tunnel7)# tunnel df-bit clear
  • Page 975 100> messages to be sent. Command: no gre-keep-alive-max-tries <1-100> Description: This command resets the keepalive max tries value to its default. The default keepalive max-tries is 3. Example: ALU(config)# gre-keep-alive-max-tries 10
  • Page 976: GRE Configuration Scenarios Using OmniAccess 5740 USG

    • • GRE + IP Filters + DoS • GRE over IPsec 1. GRE Configuration: The OmniAccess 5740 USG topology below consists of the following components: • OA5740-A • OA5740-B
  • Page 977 Figure 41: GRE Configuration Topology
  • Page 978 ALU-2(config-if Tunnel1)#ip address 192.168.0.2 255.255.255.0 ALU-2(config-if Tunnel1)#no shutdown b) Specify tunnel end-points ALU-2(config-if Tunnel1)#tunnel source 2.2.2.3 ALU-2(config-if Tunnel1)#tunnel destination 2.2.2.1 Verification with Command: Verify the configuration by issuing “show ip route” command.
  • Page 979: GRE + IP Filters + DoS Configuration

    2. GRE + IP Filters + DoS Configuration. Figure 42: GRE + IP Filters + DoS Configuration Topology. GRE + IP filters + DoS can be configured to deny/permit specific traffic through the GRE tunnel.
  • Page 980 ALU-1(config-firewall-p1)#match dos attack atk1 drop ALU-1(config-firewall-p1)#exit d) Apply the firewall policy to the tunnel interface in the ingress direction ALU-1(config)#interface tunnel 1 ALU-1(config-if tunnel1)#firewall policy in p1 ALU-1(config-if tunnel1)#exit
  • Page 981: GRE Over IPsec Configuration

    The following figure displays a typical scenario to configure GRE over IPsec: Figure 43: GRE + IPsec Configuration Topology. IPsec is used for transport mode encryption for tunneled traffic only. Ensure tunnel end-point reachability from OA5740-A.
  • Page 982 Configure a crypto map ALU-1(config)#crypto map test ipsec-ike test ALU-1(config-crypto-map-test)#peer 2.2.2.3 ALU-1(config-crypto-map-test)#match tunnel-traffic ALU-1(config-crypto-map-test)#transform-set test ALU-1(config-crypto-map-test)#pfs group2 f) Attach crypto map to the interface ALU(config)# interface GigabitEthernet3/1 ALU(config-if GigabitEthernet3/1)# crypto map test
  • Page 983 Configure a crypto map ALU-2(config)#crypto map test1 ipsec-ike test1 ALU-2(config-crypto-map-test1)#peer 2.2.2.1 ALU-2(config-crypto-map-test1)#match tunnel-traffic ALU-2(config-crypto-map-test1)#transform-set test1 ALU-2(config-crypto-map-test1)#pfs group2 f) Attach crypto map to the interface ALU(config)# interface GigabitEthernet3/0 ALU(config-if GigabitEthernet3/0)# crypto map test1
  • Page 985: Transparent Firewall

    OmniAccess 5740 USG. For more detailed information on the parameter descriptions and their corresponding default values, refer to the OmniAccess 5740 Unified Services Gateway CLI Command Reference Guide. This chapter includes the configuration steps, CLI syntax with its description, and configuration examples.
  • Page 986: TF Overview

    The Transparent Firewall (Forwarding) feature allows the users to "drop" the OmniAccess 5740 USG in their existing network without changing configuration of their network-connected devices. Thus, users can allow selected devices from a subnet to traverse the firewall while access to other devices on the same subnet is denied.
  • Page 987: TF Configuration

    • “Clear Commands in TF” TF Configuration Steps: This section lists the steps for configuring TF on the OmniAccess 5740 USG. Configure TF on an Interface. Step 1: Enter into Interface Configuration Mode ALU(config)# interface <name> Example: ALU(config)# interface GigabitEthernet3/0...
  • Page 988: TF Configuration Flow

    Figure 44: TF Configuration Flow
  • Page 989: TF Configuration Commands

    ALU(config-if GigabitEthernet3/0)# transparent-forward TF1 interface Vlan 10 If the TF policy ‘TF1’ is attached to the GigabitEthernet3/0, the following command detaches it from the interface: ALU(config)# interface GigabitEthernet3/0 ALU(config-if GigabitEthernet3/0)# no transparent-forward
  • Page 990 By default, IP and ARP protocols are configured as passthrough protocols. Command: no pass-through protocol {<1-65535>|appletalk|ipx|nonip} Description: The command removes the pass through configuration. Example: ALU(config-transparent-forward-TF1)# pass-through protocol nonip ALU(config-transparent-forward-TF1)# no pass-through protocol nonip
  • Page 991: Show Commands in TF

    Example: ALU(config)# show transparent-forward ! Transparent-forward configuration interface GigabitEthernet3/1 transparent-forward interface GigabitEthernet3/0 exit transparent-forward tf pass-through protocol nonip exit interface GigabitEthernet3/0 transparent-forward tf interface GigabitEthernet3/1 exit ALU(config)#
  • Page 992: Clear Commands in TF

    statistics [<tf-policy name>] TF policies configured in the system. If a TF policy is specified, then the statistics for the specified TF policy are cleared. Example: ALU(config)# clear transparent-forward statistics
  • Page 993: TF Configuration on OmniAccess 5740 USG

    TF1 interface GigabitEthernet 3/0 Commands: Verify the TF policy configuration by using the following show command: ALU(config)# show transparent-forward transparent-forward TF1 pass-through protocol nonip exit interface GigabitEthernet3/1 transparent-forward TF1 interface GigabitEthernet3/0 exit
  • Page 995: Part 7: Quality of Service

    Part 7 Quality of Service
  • Page 997: Quality of Service

    Class Map configured - ALU (config-class-map)# Interface Configuration Mode - ALU (config-interface name)# Policy-map Mode Policy Map configured - ALU (config-policy-map)# Random Early Detection Super User Mode - ALU# WRED Weighted Random Early Detection
  • Page 998: Qos Overview

    QoS to ensure that networks are performing at the desired level. QoS supports voice and data service simultaneously on the OmniAccess 5740 USG. This includes controlled resource sharing by providing bandwidth guarantee for different classes.
  • Page 999 Expedited Forwarding (EF): The intent of the EF Per-Hop Behavior (PHB) is to provide a building block for low loss, low delay and low jitter services.
  • Page 1000: Alcatel-Lucent Specific Overview on QoS

    Policing functionality is normally applied at the ingress QoS processing stage. Egress QoS processing deals with features that are applicable to packets that leave the OmniAccess 5740 USG. For example, shaping, which fits the outgoing traffic into a committed rate envelope, is implemented at the egress QoS processing stage.
