Alcatel-Lucent 7705 SAR System Management Manual Download Page 32 | Manualshive

Page: 32 / 356

Alcatel-Lucent 7705 SAR System Management Manual Download Page 32

Other Security Features

32

7705 SAR OS System Management Guide

Other Security Features

Secure Shell (SSH)

Secure Shell Version 1 (SSH1) is a protocol that provides a secure, encrypted Telnet-like
connection to a router. A connection is always initiated by the client (the user).
Authentication takes place by one of the configured authentication methods (local, RADIUS,
or ). With authentication and encryption, SSH allows for a secure connection over
an insecure network.

The 7705 SAR allows you to configure SSH1 or Secure Shell Version 2 (SSH2). SSH1 and
SSH2 are different protocols and encrypt at different parts of the packets. SSH1 uses the
server as well as host keys to authenticate systems, whereas SSH2 only uses host keys. SSH2
does not use the same networking implementation that SSH1 does and is considered a more
secure, efficient, and portable version of SSH. Rather than validating identities via
passwords, SSH2 can also use public key encryption to authenticate remote hosts. For
example, if you were to connect to a remote host also running SSH2, the secure shell would
use this system to verify that the remote system is the host and not a computer set up to imitate
it.

SSH runs on top of a transport layer (like TCP or IP), and provides authentication and
encryption capabilities. SSH supports remote login to another computer over a network,
remote command execution, and file relocation from one host to another.

The 7705 SAR has a global SSH server process to support inbound SSH and SCP sessions
initiated by external SSH or SCP client applications. The SSH server supports SSH1. Note
that this server process is separate from the SSH and SCP client commands on the 7705 SAR,
which initiate outbound SSH and SCP sessions.

Inbound SSH sessions are counted as inbound Telnet sessions for the purposes of the
maximum number of inbound sessions specified by Login Control. Inbound SCP sessions are
counted as inbound FTP sessions by Login Control.

When the SSH server is enabled, an SSH security key is generated. The key is only valid until
either the node is restarted or the SSH server is stopped and restarted. The key size is
non-configurable and set at 1024 bits. When the server is enabled, both inbound SSH and
SCP sessions will be accepted provided the session is properly authenticated.

When the global SSH server process is disabled, no inbound SSH or SCP sessions will be
accepted.

«
...
30
31
32
33
34
...
»

Summary of Contents for 7705 SAR

Page 1: ...trade secret information which is the property of Alcatel Lucent Not to be made available to or copied or used by anyone who is not an employee of Alcatel Lucent except when there is a valid non disc...

Page 2: ...r other distribution of the products for any such application without the prior written consent of Alcatel Lucent shall be at the customer s sole risk The customer hereby agrees to defend and hold Alc...

Page 3: ...ation 23 Accounting 24 RADIUS Accounting 24 TACACS Accounting 24 Security Controls 26 When a Server Does Not Respond 26 Access Request Flow 26 Vendor Specific Attributes VSAs 28 Sample User VSA Config...

Page 4: ...TACACS Authorization 62 Configuring TACACS Accounting 63 Security Command Reference 65 Command Hierarchies 65 Configuration Commands 66 Login Control Commands 72 Show Commands 73 Clear Commands 73 De...

Page 5: ...206 Log Destinations 208 Console 208 Session 208 Memory Logs 209 Log Files 209 SNMP Trap Group 210 Syslog 211 Event Logs 212 Event Sources 213 Event Control 214 Log Manager and Event Logs 216 Event F...

Page 6: ...log ID 244 Deleting a Syslog ID 245 Modifying an SNMP Trap Group 245 Deleting an SNMP Trap Group 246 Modifying a Log Filter 247 Deleting a Log Filter 249 Modifying Event Control Parameters 249 Returni...

Page 7: ...w Output Fields 157 Table 18 Show Users Output Fields 158 SNMP 161 Table 19 Show SNMP Counters Output Fields 193 Table 20 Show System Information Output Fields 195 Table 21 Show System Access Group Fi...

Page 8: ...Fields 301 Table 46 Log Collector Output Fields 303 Table 47 Log ID Output Fields 305 Table 48 SNMP Trap Group Output Fields 308 Table 49 Syslog Output Fields 309 List of Acronyms 311 Table 50 Acrony...

Page 9: ...05 SAR OS System Management Guide 9 List of Figures Security 17 Figure 1 RADIUS Requests and Responses 19 Figure 2 Security Flow 27 Event and Accounting Logs 205 Figure 3 Event Logging Block Diagram 2...

Page 10: ...List of Figures 10 7705 SAR OS System Management Guide...

Page 11: ...well as Command Line Interface CLI syntax and command usage Audience This guide is intended for network administrators who are responsible for configuring the 7705 SAR routers It is assumed that the...

Page 12: ...filtering and routing policies 7705 SAR OS MPLS Guide This guide describes how to configure Multiprotocol Label Switching MPLS Resource Reservation Protocol for Traffic Engineering RSVP TE and Label...

Page 13: ...ducts from a distributor or authorized reseller contact the technical support staff for that distributor or reseller for assistance If you purchased an Alcatel Lucent service agreement follow this lin...

Page 14: ...About This Guide 14 7705 SAR OS System Management Guide...

Page 15: ...n this book is presented in an overall logical configuration flow Each section describes a software area and provides CLI syntax and command usage to configure parameters for a functional area Table 1...

Page 16: ...Alcatel Lucent 7705 SAR System Management Configuration Process 16 7705 SAR OS System Management Guide...

Page 17: ...rovides information to configure security parameters Topics in this chapter include Authentication Authorization and Accounting Security Controls Vendor Specific Attributes VSAs Other Security Feature...

Page 18: ...he session The accounting data can then be used to analyze trends and also for billing and auditing purposes You can configure the 7705 SAR to use local Remote Authentication Dial In User Service RADI...

Page 19: ...information If the RADIUS server does not respond within a specified time the router issues the access request to the next configured servers Each RADIUS server must be configured identically to guara...

Page 20: ...ccess permissions and command authorization profiles must be configured on each router Any combination of these authentication methods can be configured to control network access from a 7705 SAR route...

Page 21: ...enticating a request Round robin In round robin mode the server used to authenticate a request is the next server in the list following the last authentication request For example if server 1 is used...

Page 22: ...rized to issue the command the command is executed If the user is not authorized to issue the command then the command is not executed Profiles must be created on each 7705 SAR router and should be id...

Page 23: ...authorization method is configured RADIUS authorization or TACACS Local authorization is restored when RADIUS authorization is disabled You must configure profile and user access information locally R...

Page 24: ...outer issues the accounting request to the next configured RADIUS server up to 5 User passwords and authentication keys of any type are never transmitted as part of the accounting request When RADIUS...

Page 25: ...he configuration to see if TACACS accounting is required for the particular event If TACACS accounting is required then depending on the accounting record type specified the device sends a start packe...

Page 26: ...ponsive again are performed If a server is down it will not be contacted for 5 minutes If a login is attempted after 5 minutes then the server is contacted again If a server has the health check featu...

Page 27: ...ADIUS server and the user name and password are not recognized access is denied and passed on to the next authentication option in this case the TACACS server The process continues until the request i...

Page 28: ...es for local and remote authentication The authentication order parameters configured on the router must include the local keyword The user name may or may not be configured on the 7705 SAR router The...

Page 29: ...home directory If this VSA is not configured the user is allowed to access the entire file system timetra login exec login exec string specifies the login exec file that is executed when the user log...

Page 30: ...conditions are not met The timetra cmd parameters allow the user to use the configure show and debug commands Matching strings specified in the timetra action command are permitted for this user users...

Page 31: ...gerAlcatel IPD ATTRIBUTE Alc Default Router18ipaddrAlcatel IPD RADIUS accounting VSAs ATTRIBUTE Alc Acct I Inprof Octets 6419octetsAlcatel IPD ATTRIBUTE Alc Acct I Outprof Octets 6420octetsAlcatel IPD...

Page 32: ...verify that the remote system is the host and not a computer set up to imitate it SSH runs on top of a transport layer like TCP or IP and provides authentication and encryption capabilities SSH suppor...

Page 33: ...be used to properly delimit directories and the filename The 7705 SAR support for SSH and SCP is the same for both IPv4 and IPv6 addressing including support for SSH1 and SSH2 in band and out of band...

Page 34: ...ource port TCP ACK TCP SYN To avoid DoS like attacks overwhelming the control plane while ensuring that critical control traffic such as signaling is always serviced in a timely manner the 7705 SAR ha...

Page 35: ...DES and Triple DES 3DES are supported for encryption DES is a widely used method of data encryption using a private secret key Both the sender and the receiver must know and use the same private key...

Page 36: ...not configured then password profiles and user access information must be configured on each router in the domain If RADIUS authorization is enabled then VSAs must be configured on the RADIUS server R...

Page 37: ...e 37 Configuring Security with CLI This section provides information to configure security using the command line interface Topics in this section include Setting Up Security Attributes Security Confi...

Page 38: ...guring Password Management Parameters Configuring Profiles Configuring Users RADIUS authentication with local authorization By default authentication is enabled locally Perform the following tasks to...

Page 39: ...zation with authentication For RADIUS authorization with authentication configure these tasks on each participating 7705 SAR router Configuring RADIUS Authorization For RADIUS authorization VSAs must...

Page 40: ...e Configuring Accounting Refer to the following sections to configure accounting Local accounting is not implemented For information about configuring accounting policies refer to Configuring Logging...

Page 41: ...CS enable one to five RADIUS and or TACACS servers configure RADIUS and or TACACS parameters The following example displays default values for security parameters ALU 1 config system security info det...

Page 42: ...rivacy read no security notify no security access group snmp rw security model snmpv1 security level no auth no privacy read no security write no security notify no security access group snmp rw secur...

Page 43: ...ment of the 7705 SAR router by other nodes outside either specific sub networks or through designated ports By default there are no filters associated with security options The management access filte...

Page 44: ...p prefix netmask src port port id cpm renum old entry number new entry number no shutdown Use the following CLI commands to configure an IPv6 management access filter CLI Syntax config system security...

Page 45: ...ip 10 10 10 1 32 config system security mgmt access filter ip filter entry action permit config system security mgmt access filter ip filter entry exit The following example displays the management a...

Page 46: ...p ip filter entry entry id create action accept drop description description string log log id match protocol protocol id dscp dscp name dst ip ip address mask ip address netmask dst port tcp udp port...

Page 47: ...exit entry 20 create no action description CPM Filter 10 4 101 2 201 log 101 exit no shutdown A ALU 49 config sys sec cpm ip filter Configuring Password Management Parameters Configuring password mana...

Page 48: ...info password authentication order radius tacplus local aging 365 minimum length 8 attempts 5 time 5 lockout 20 exit ALU 1 config system security Configuring Profiles Profiles are used to deny or per...

Page 49: ...nfig system security profile entry 3 config system security profile entry match exit The following example displays the user profile output ALU 1 config system security info profile ghost default acti...

Page 50: ...security user 49ers config system security user access ftp snmp console config system security user console config system security user console member default ghost config system security user consol...

Page 51: ...ser to testuserA MINOR CLI User testuserA already exists use overwrite flag config system security config system security copy user testuser to testuserA overwrite config system security The following...

Page 52: ...login exit snmp authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none group testgroup exit ALU 12 config system security user Copying a Profile CLI Syntax config system security copy u...

Page 53: ...ription match password action permit exit entry 60 no description match show config action deny exit entry 70 no description match show action permit exit entry 80 no description match enable admin ac...

Page 54: ...t exit exit profile administrative default action permit all exit Configuring SSH Use the SSH command to configure the SSH server as SSH1 SSH2 or both The default is SSH2 This command should only be e...

Page 55: ...sessions value outbound max sessions value idle timeout minutes disable pre login message login text string name login banner motd url url prefix source url text motd text string The following example...

Page 56: ...ntication Configuring RADIUS Authorization Configuring RADIUS Accounting Configuring 802 1x RADIUS Policies Configuring RADIUS Authentication RADIUS is disabled by default and must be explicitly enabl...

Page 57: ...us server 1 address A A A A A A A 1 secret test11 security radius server 2 address 10 10 0 1 secret test2 security radius server 3 address 10 10 0 2 secret test3 security radius server 4 address 10 10...

Page 58: ...use the following CLI commands to configure RADIUS authorization CLI Syntax config system security radius authorization The following example displays the CLI syntax usage Example config system securi...

Page 59: ...ge Example config system security config system security radius config system security radius accounting The following example displays the RADIUS accounting configuration ALU 1 config system security...

Page 60: ...server type no shutdown source address ip address timeout seconds no shutdown The following example displays the CLI syntax usage Example config system security config system security dot1x config sy...

Page 61: ...A A 1 secret test1 security tacplus server 2 address 10 10 0 6 secret test2 security tacplus server 3 address 10 10 0 7 secret test3 security tacplus server 4 address 10 10 0 8 secret test4 security t...

Page 62: ...onfig system security config system security tacplus config system security tacplus authorization config system security tacplus no shutdown The following example displays the TACACS authorization con...

Page 63: ...security tacplus accounting The following example displays the TACACS accounting configuration ALU 1 config system security tacplus info accounting authorization timeout 5 single connection server 1...

Page 64: ...Security Configuration Procedures 64 7705 SAR OS System Management Guide...

Page 65: ...Commands Management Access Filter Commands IPv6 Management Access Filter Commands CPM Filter Commands IPv6 CPM Filter Commands Password Commands Profile Commands User Commands RADIUS Commands TACACS C...

Page 66: ...application6 app no telnet server no telnet6 server vprn network exceptions number seconds no vprn network exceptions Management Access Filter Commands config system security no management access filt...

Page 67: ...bel no log no next header next header router router instance no router src ip ipv6 address prefix length no src ip src port port id cpm no src port renum old entry number new entry number no shutdown...

Page 68: ...rt src port number mask no src port tcp ack true false no tcp ack tcp syn true false no tcp syn renum old entry id new entry id no shutdown IPv6 CPM Filter Commands config system security no cpm filte...

Page 69: ...n password aging days no aging attempts count time minutes1 lockout minutes2 no attempts authentication order method 1 method 2 method 3 exit on reject no authentication order no complexity numeric sp...

Page 70: ...ricted to home snmp authentication none hash md5 key 1 sha key 1 privacy privacy level key 2 group group name no group user template tacplus_default radius_default no access ftp console console login...

Page 71: ...t key hash hash2 port port no server server index no single connection timeout seconds no timeout no shutdown no use default template 802 1x Commands config system security no dot1x no radius plcy nam...

Page 72: ...system login control no exponential backoff ftp inbound max sessions value no inbound max sessions idle timeout minutes disable no idle timeout no login banner motd url url prefix source url text motd...

Page 73: ...ilter entry entry id ipv6 filter entry entry id management access filter ip filter entry entry id ipv6 filter entry entry id password options profile user profile name source address ssh retry user id...

Page 74: ...Security Command Reference 74 7705 SAR OS System Management Guide Debug Commands debug radius detail hex no radius...

Page 75: ...Security 7705 SAR OS System Management Guide 75 Command Descriptions Configuration Commands Show Commands Clear Commands Debug Commands...

Page 76: ...eneric Security Commands Security Commands Management Access Filter Commands CPM Filter Commands Global Password Commands Password Commands Profile Management Commands User Management Commands RADIUS...

Page 77: ...the string contains special characters spaces etc the entire string must be enclosed within double quotes shutdown Syntax no shutdown Context config system security management access filter ip filter...

Page 78: ...o the return key and a new password at login must be selected Parameters source user the user to copy from The user must already exist source profile the profile to copy from The profile must already...

Page 79: ...t Default all read version set to accept both versions 1 and 2 Parameters read version 1 2 all when the read version is configured as all both versions 1 and 2 will be accepted by the system Otherwise...

Page 80: ...fies the application to use the source IPv6 address specified by the source address command The no form of the command removes the specified source address from the application causing the application...

Page 81: ...e 7705 SAR sends ICMP replies to a source IP address in response to TTL expiry IP packets that have been received for all VPRN instances in the system and from all network IP interfaces Packets includ...

Page 82: ...of the 7705 SAR by other nodes outside either specific sub networks or through designated ports Management filters as opposed to other traffic filters are enforced by system software The no form of t...

Page 83: ...will be issued entry Syntax no entry Context config system security management access filter ip filter config system security management access filter ipv6 filter Description This command is used to...

Page 84: ...the configured criteria will be permitted deny specifies that packets not matching the selection criteria will be denied deny host unreachable specifies that packets not matching the selection criter...

Page 85: ...ender requests special handling such as non default QoS or real time service This command applies to IPv6 filters only Parameters value the flow identifier in an IPv6 packet header that can be used to...

Page 86: ...ary DHB keywords none crtp crudp egp eigrp encap ether ip gre icmp idrp igmp igp ip ipv6 ipv6 frag ipv6 icmp ipv6 no nxt isis iso ip l2tp ospf igp pim pnni ptp rdp rsvp stp tcp udp vrrp udp tcp wildca...

Page 87: ...sed in the match criteria Values 1 to 2147483647 src ip Syntax src ip ip prefix mask ip prefix netmask no src ip Context config system security management access filter ip filter entry Description Thi...

Page 88: ...x x x x x x x eight 16 bit pieces x x x x x x d d d d x 0 to FFFF H d 0 to 255 D prefix length 1 to 128 src port Syntax src port port id cpm no src port Context config system security management acce...

Page 89: ...lter ipv6 filter Description This command renumbers existing management access filter entries to resequence filter entries The 7705 SAR exits on the first match found and executes the actions in accor...

Page 90: ...disables the CPM filter default action Syntax default action accept drop Context config system security cpm filter Description This command specifies the action to be applied to packets when the packe...

Page 91: ...reated you can navigate to the entry context without using the create keyword All IPv4 filter entries can specify one or more matching criteria There are no range based restrictions on any IPv4 filter...

Page 92: ...igured all criteria must be satisfied AND function before the action associated with the match is executed A match context may consist of multiple match criteria but multiple match statements cannot b...

Page 93: ...ting Header for IPv6 44 ipv6 frag Fragment Header for IPv6 45 idrp Inter Domain Routing Protocol 46 rsvp Reservation Protocol 47 gre General Routing Encapsulation 58 ipv6 icmp ICMP for IPv6 59 ipv6 no...

Page 94: ...criteria but multiple match statements cannot be entered per entry The no form of the command removes the match criteria for the entry id Parameters next header the IPv6 next header to match This para...

Page 95: ...7 af32 cp29 af33 cp31 cs4 cp33 af41 cp35 af42 cp37 af43 cp39 cs5 cp41 cp42 cp43 cp44 cp45 ef cp47 nc1 cp49 cp50 cp51 cp52 cp53 cp54 cp55 nc2 cp57 cp58 cp59 cp60 cp61 cp62 cp63 dst ip Syntax dst ip ip...

Page 96: ...ress on the interface Values ipv6 address x x x x x x x x eight 16 bit pieces x x x x x x d d d d x 0 to FFFF H d 0 to 255 D prefix length 1 to 128 dst port Syntax dst port tcp udp port number mask no...

Page 97: ...ets that have the MF bit set to zero and have the Fragment Offset field also set to zero icmp code Syntax icmp code icmp code no icmp code Context config system security cpm filter ip filter entry mat...

Page 98: ...xpressed in decimal hexadecimal or binary DHB keywords none echo reply dest unreachable echo request time exceeded parameter problem ip option Syntax ip option ip option value ip option mask no ip opt...

Page 99: ...multiple option true false no multiple option Context config system security cpm filter ip filter entry match Description This command configures matching packets that contain more than one option fi...

Page 100: ...o option present false specifies matching on IP packets that do not have any option field present in the IP header an option field of 0 src ip Syntax src ip ip address mask ip address netmask no src i...

Page 101: ...prefix length the IPv6 address on the interface Values ipv6 address x x x x x x x x eight 16 bit pieces x x x x x x d d d d x 0 to FFFF H d 0 to 255 D prefix length 1 to 128 src port Syntax src port s...

Page 102: ...do not have the ACK bit set in the control bits of the TCP header of the IP packet tcp syn Syntax tcp syn true false no tcp syn Context config system security cpm filter ip filter entry match config...

Page 103: ...ired in some cases because the OS exits when the first match is found and executes the actions according to the accompanying action command This requires that entries be sequenced correctly from most...

Page 104: ...ter the show users command the Administrator can see which users are in this mode enter the enable admin command again at the root prompt and an error message will be returned A ALU 1 show users User...

Page 105: ...xity requirements for the password are determined by the complexity command For example file copy ftp test secret 131 12 31 79 test srcfile cf3 destfile In this example the user name test and password...

Page 106: ...id before the user must change their password The no form of the command reverts to the default value Default no aging is enforced Parameters days the maximum number of days the password is valid Valu...

Page 107: ...ion This command configures the sequence in which password authentication authorization and accounting is attempted among RADIUS TACACS and local passwords The order should be from the most preferred...

Page 108: ...reject is configured and the user does not exist the user will not be authenticated the user is authenticated locally then other methods if configured will be used for authorization and accounting th...

Page 109: ...ond intervals Servers that are not configured will have 3 seconds of idle time If in this process a server is found to be unreachable or a previously unreachable server starts responding depending on...

Page 110: ...le default Parameters user profile name the user profile name entered as a character string The string is case sensitive and limited to 32 ASCII 7 bit printable characters with no spaces default actio...

Page 111: ...ing action command Entries should be sequenced from most explicit to least explicit An entry may not have any match criteria defined in which case everything matches but must have at least the keyword...

Page 112: ...ommand are denied The no form of this command removes a match condition Default no match command string is specified Parameters command string the CLI command or CLI tree level that is the scope of th...

Page 113: ...user name and then pressing at the password prompt Unless an administrator explicitly changes the password it will be null The hashed value displayed uses the user name and null password field so when...

Page 114: ...s access for a specific application The no access command denies permission for all management access methods To deny a single access method enter the no form of the command followed by the method to...

Page 115: ...n This command configures a user s login exec file which executes whenever the user successfully logs in to a console session Only one exec file can be configured If multiple login exec commands are e...

Page 116: ...ry directory directory no home directory Context config system security user config system security user template Description This command configures the local home directory for the user for both con...

Page 117: ...ample config system security user testuser1 config system security user password zx Uhcn6ReMOZ3BVrWcvk hash2 config system security user exit config system security info user testuser1 password zx Uhc...

Page 118: ...e Description This command prevents users from navigating above their home directories for file access A user is not allowed to navigate to a directory higher in the directory tree on the home directo...

Page 119: ...pecified keys are stored in an encrypted format in the configuration file The password must be entered in encrypted form when the hash parameter is used md5 key 1 the MD5 authentication key is stored...

Page 120: ...inks a user to a group name The access command links the group with one or more views security model s security level s and read write and notify permissions Default no group name is associated with a...

Page 121: ...ect mode the first server as defined by the server command is the primary server This server is always used first when authenticating a request In round robin mode the server used to authenticate a re...

Page 122: ...Context config system security radius Description This command configures RADIUS authorization parameters for the system The no form of this command disables RADIUS authorization for the system Defaul...

Page 123: ...o five RADIUS servers can be configured at any one time RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received A highe...

Page 124: ...ys are stored in encrypted form in the configuration file with the hash parameter specified hash2 specifies that the key is entered in a more complex encrypted form If the hash2 parameter is not used...

Page 125: ...nting and configures the type of accounting record packet that is to be sent to the TACACS server The record type parameter indicates whether TACACS accounting start and stop packets will be sent or j...

Page 126: ...r from the lowest index to the highest index Values 1 to 5 ip address the IP address of the TACACS server Two TACACS servers cannot have the same IP address An error message is generated if the server...

Page 127: ...connection timeout Syntax timeout seconds no timeout Context config system security tacplus Description This command configures the number of seconds the router waits for a response from a TACACS ser...

Page 128: ...to the data plane of the 7705 SAR This configuration differs from the RADIUS server configured under the config system security radius context that authenticates CLI login users who get access to the...

Page 129: ...figuration Default n a Parameters server index the index for the 802 1x server Values 1 to 5 ip address the IP address of the 802 1x server Each 802 1x server must have a unique IP address An error me...

Page 130: ...nd reverts to the default value Default system IP address Parameters ip address the source address of the RADIUS packet in dotted decimal notation Values 0 0 0 0 to 255 255 255 255 shutdown Syntax no...

Page 131: ...radius plcy Description This command configures the number of seconds the router waits for a response from a RADIUS server The no form of the command reverts to the default value Default 5 Parameters...

Page 132: ...ctrl c or tilde and dot assuming the is the default escape character for the SSH session Default ssh the SSH server is enabled preserve key Syntax no preserve key Context config system security ssh D...

Page 133: ...ost keys to authenticate systems whereas SSH2 only uses host keys SSH2 does not use the same networking implementation that SSH1 does and is considered a more secure efficient and portable version of...

Page 134: ...attacks when a malicious user can gain access to the CLI by using a script to try admin with any conceivable password The no form of the command disables exponential backoff Default no exponential ba...

Page 135: ...This timer can be set per session The no form of the command reverts to the default value Default 30 Parameters minutes the idle timeout in minutes Values 1 to 1440 disable when the disable option is...

Page 136: ...ng n r will start the string at the beginning of the new line while entering n will start the second line below the last character from the first line pre login message Syntax pre login message login...

Page 137: ...ions in the login control context The no form of the command reverts to the default value Default 5 Parameters value the maximum number of concurrent inbound Telnet sessions expressed as an integer Va...

Page 138: ...Security Command Reference 138 7705 SAR OS System Management Guide Show Commands Security Show Commands Login Control Show Commands...

Page 139: ...no security no security snmp rw snmpv1 none no security no security no security snmp rw snmpv2c none no security no security no security snmp rwa snmpv1 none iso iso iso snmp rwa snmpv2c none iso iso...

Page 140: ...urity authentication Authentication sequence radius tacplus local type status timeout single retry server address secs conn count radius 10 10 10 103 up 5 n a 5 radius 10 10 0 1 up 5 n a 5 radius 10 1...

Page 141: ...conn sent rejected errors pkts pkts 10 10 10 103 0 0 0 10 10 0 1 0 0 0 10 10 0 2 0 0 0 A ALU 7 Table 8 Show System Security Authentication Output Fields Label Description Sequence The sequence in whic...

Page 142: ...cli readwrite public r no security v1 v2c snmp ro No of Communities 3 A ALU 48 Retry count Displays the number of times the router attempts to contact the RADIUS server for authentication if there ar...

Page 143: ...e fields Sample Output A ALU 35 show system security cpm filter ip filter CPM IP Filters Entry Id Dropped Forwarded Description 2 0 0 CPM filter 2 3 25880 0 CPM filter 3 4 25880 0 CPM filter 4 5 25882...

Page 144: ...Id 101 Src IP 10 4 101 2 32 Src Port 0 Dest IP 10 4 101 1 32 Dest Port 0 Protocol tcp Dscp ef ICMP Type Undefined ICMP Code Undefined Fragment True Option present Off IP Option n a Multiple Option Tr...

Page 145: ...ICMP Type The ICMP type field in the ICMP header Fragment The 3 bit fragment flags or 13 bit fragment offset field IPv4 filters only IP Option The IP option setting IPv4 filters only TCP syn The SYN...

Page 146: ...ter entry Values 1 to 9999 Default All filter entries Output The following output is an example of management access filter information and Table 11 describes the fields Sample Output A ALU 7 show sys...

Page 147: ...y of the filter entries are permitted Deny Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that a ICMP host unreachable message will b...

Page 148: ...ocal Configured complexity options Minimum password length 6 A ALU 7 Dest port The destination port Next header The next header ID to match Undefined indicates no next header is specified IPv6 filters...

Page 149: ...stem security Action permit Time in minutes per login attempt The period of time in minutes that a specified number of unsuccessful attempts can be made before the user is locked out Lockout period wh...

Page 150: ...Label Description User Profile The profile name used to deny or permit user console access to a hierarchical branch or to specific commands Def action Permit all Permits access to all commands Deny D...

Page 151: ...put IPv4 ALU 7 show system security ssh SSH is enabled SSH preserve key Enabled SSH protocol version 1 Enabled RSA host key finger print c6 a9 57 cb ee ec df 33 1a cd d2 ef 3f b5 46 34 SSH protocol ve...

Page 152: ...State The administrative state of the SSH server enabled or disabled Operational State The operational state of the SSH server up or down Preserve Key Enabled preserve key is enabled Disabled preserve...

Page 153: ...ays Parameters user id displays information for the specified user Default all users detail displays detailed user information to the summary output Output The following output is an example of user i...

Page 154: ...n n never 0 0 y Number of users 2 ALU 7 ALU 7 show system security user detail Users user id New User Permissions Password Login Failed Local Pwd Console ftp snmp Expires Attempts Logins Conf admin n...

Page 155: ...P access Password expires The number of days the user has left before they must change their login password Attempted logins The number of times the user has attempted to log in irrespective of whethe...

Page 156: ...view 1 3 6 1 2 1 4 included mgmt view 1 3 6 1 2 1 5 included mgmt view 1 3 6 1 2 1 6 included mgmt view 1 3 6 1 2 1 7 included mgmt view 1 3 6 1 2 1 31 included mgmt view 1 3 6 1 2 1 77 included mgmt...

Page 157: ...name The name of the view Views control the accessibility of a MIB object within the configured MIB view and subtree oid tree The object identifier of the ASN 1 subtree mask The bit mask that defines...

Page 158: ...er Type Login time Idle time From admin Console 27MAY2014 13 16 59 10d 07 35 04 A admin SSHv2 29MAY2014 17 32 47 0d 00 05 10 3301 xxxx xxxx admin Telnet 06JUN2014 14 23 35 0d 00 00 00 138 120 xxx xxx...

Page 159: ...thentication Description This command clears authentication statistics Parameters ip int name clears the authentication statistics for the specified interface name If the string contains special chara...

Page 160: ...ommands radius Syntax radius detail hex no radius Context debug Description This command enables debugging for RADIUS connections The no form of the command disables the debugging Parameters detail di...

Page 161: ...ent Guide 161 SNMP In This Chapter This chapter provides information to configure SNMP Topics in this chapter include SNMP Overview Which SNMP Version to Use Configuration Notes Configuring SNMP with...

Page 162: ...of network hosts that use SNMP An SNMP manager can obtain get a value from an SNMP agent or store set a value in the agent The manager uses definitions in the management information base MIB to perfor...

Page 163: ...iew Access Control MIB VACM defines the user access control features The SNMP COMMUNITY MIB is used to associate SNMPv1 SNMPv2c community strings with SNMPv3 VACM access control SNMPv3 uses a user nam...

Page 164: ...security objects read write all permission grants read and write access to all objects in the MIB including security objects User Based Security Model Community Strings User based security model USM c...

Page 165: ...e network users to control their access privileges and views Additional access parameters must be explicitly configured if the preconfigured access groups and views for SNMPv1 and SNMPv2c do not meet...

Page 166: ...s it passes from system to system Many SNMPv1 and SNMPv2c implementations are restricted read only access which in turn reduces the effectiveness of a network monitor in which network control applicat...

Page 167: ...onfiguration that failed to load must be initialized properly Start SNMP with the config system snmp no shutdown command Use caution when changing the SNMP engine ID If the SNMP engine ID is changed i...

Page 168: ...Configuration Notes 168 7705 SAR OS System Management Guide...

Page 169: ...ement Guide 169 Configuring SNMP with CLI This section provides information about configuring SNMP with CLI Topics in this chapter include SNMP Configuration Overview Basic SNMP Security Configuration...

Page 170: ...ope of managed objects available The community command is used to associate a community string with a specific access method and the required SNMP version SNMPv1 or SNMPv2c The access methods are read...

Page 171: ...System Management Guide 171 Configuring SNMPv3 The 7705 SAR implements SNMPv3 If security features other than the default views are required the following parameters must be configured views access g...

Page 172: ...uded exit view no security subtree 1 3 6 1 6 3 15 1 1 mask ff type included exit access group snmp ro security model snmpv1 security level no auth no privacy read no security notify no security access...

Page 173: ...rsion usm community community string hash hash2 group group name view view name subtree oid value mask mask value type included excluded Configuring a Community String SNMPv1 and SNMPv2c community str...

Page 174: ...nfiguration ALU 1 config system security snmp info community uTdc9j48PBRkxn5DcSjchk hash2 rwa version both community Lla RtAyRW2 hash2 r version v2c ALU 1 config system security snmp Configuring View...

Page 175: ...rity model and security level Use the following CLI syntax to configure access features CLI Syntax config system security snmp access group group name security model security model security level secu...

Page 176: ...e969 privacy none config system security user snmp group testgroup config system security user snmp exit config system security user exit The following example displays the user s SNMP configuration A...

Page 177: ...following example displays the SNMP community configuration ALU 1 config system security snmp info view testview subtree 1 mask ff exit view testview subtree 1 3 6 1 2 mask ff type excluded exit acces...

Page 178: ...SAR OS System Management Guide The following example displays the system SNMP default values ALU 104 config system snmp info detail shutdown engineID 0000xxxx000000000xxxxx00 packet size 1500 general...

Page 179: ...SNMP 7705 SAR OS System Management Guide 179 SNMP Command Reference Command Hierarchies Configuration Commands SNMP System Commands SNMP Security Commands Show Commands...

Page 180: ...name 1 write view name 2 notify view name 3 no access group group name security model security model security level security level context context name prefix match read view name 1 write view name 2...

Page 181: ...ection for CLI syntax and command descriptions config system security no user user name no snmp authentication none hash md5 key 1 sha key 1 privacy privacy level key 2 group group name no group Show...

Page 182: ...SNMP Command Reference 182 7705 SAR OS System Management Guide Command Descriptions Configuration Commands Show Commands...

Page 183: ...SNMP 7705 SAR OS System Management Guide 183 Configuration Commands SNMP System Commands SNMP Security Commands...

Page 184: ...se the engine ID of the first system and configure it in the new system to preserve SNMPv3 security keys This allows management stations to use their existing authentication keys for the new system En...

Page 185: ...config system snmp Description This command configures the maximum SNMP packet size generated by this node If the packet size exceeds the MTU size of the egress interface the packet will be fragmented...

Page 186: ...s automatically invoked in the event of a reboot when the processing of the configuration file fails to complete or when an SNMP persistent index file fails while the bof persist on command is enabled...

Page 187: ...and security level Access must be configured unless security is limited to SNMPv1 SNMPv2c with community strings see community Default access group configurations cannot be modified or deleted To rem...

Page 188: ...view name 1 specifies the keyword and variable of the view to read the MIB objects This command must be configured for each view to which the group has read access Values up to 32 characters write vi...

Page 189: ...h hash2 Context config system security snmp Description This command creates SNMP community strings for SNMPv1 and SNMPv2c access This command is used in combination with the predefined access groups...

Page 190: ...urity levels and USM communities must be explicitly configured Optionally additional views that specify more specific OIDs MIB objects in the subtree can be configured The no form of this command remo...

Page 191: ...and exclude statements configures the access available in the view It is possible to have a view with different subtrees with their own masks and include and exclude statements This allows you to cust...

Page 192: ...ntry whose value of vacmViewTreeFamilySubtree has the most sub identifiers The no form of this command removes the mask from the configuration Default no mask Parameters mask value the mask value asso...

Page 193: ...s SNMP counters in packets 463 in gets 93 in getnexts 0 in sets 370 out packets 463 out get responses 463 out traps 0 variables requested 33 variables set 497 A ALU 1 Table 19 Show SNMP Counters Outpu...

Page 194: ...NMP Max Message Size 1500 SNMP Admin State Enabled SNMP Oper State Enabled SNMP Index Boot Status Not Persistent SNMP Sync State OK Tel Tel6 SSH FTP Admin Enabled Disabled Enabled Disabled Tel Tel6 SS...

Page 195: ...Rev 5 Cfg OK Script N A Cfg OK Script Status not used Cfg Fail Script N A Cfg Fail Script Status not used Microwave S W Package invalid Management IP Addr 192 168 xxx xxx 20 Primary DNS Server 192 16...

Page 196: ...he administrative state of the Telnet Telnet IPv6 SSH and FTP sessions Tel Tel6 SSH FTP Oper The operational state of the Telnet Telnet IPv6 SSH and FTP sessions BOF Source The boot location of the BO...

Page 197: ...Rev The maximum number of backup revisions maintained for a configuration file This value also applies to the number of revisions maintained for the BOF file Cfg OK Script URL the location and name o...

Page 198: ...IP address of the tertiary DNS server DNS Domain The DNS domain name of the node DNS Resolve Preference n a BOF Static Routes To the static route destination Next Hop the next hop IP address used to...

Page 199: ...s 8 A ALU 1 A ALU 1 show system security access group snmp ro Access Groups group name security security read write notify model level view view view snmp ro snmpv1 none no security no security No of...

Page 200: ...cli readwrite No of Communities 3 A ALU 1 Table 22 Show Communities Output Fields Label Description Community The community string name for SNMPv1 and SNMPv2c access only Access r The community strin...

Page 201: ...never 2 0 y testuser n n n y never 0 0 y Number of users 2 A ALU 1 Table 23 Show User Output Fields Label Description User ID The name of a system user Need New PWD Yes the user must change their pass...

Page 202: ...The following output is an example of system security view information and Table 24 describes the fields Sample Output A ALU 1 show system security view Views view name oid tree mask permission iso 1...

Page 203: ...ed in group name snmp ro snmp rw A ALU 1 A ATMIMA1 config show system security view capabilities Views view name oid tree mask permission iso 1 included iso 1 0 8802 no support iso 1 3 6 1 3 37 no sup...

Page 204: ...lue OIDs uniquely identify MIB objects in the subtree Mask The mask value and the mask type along with the oid value configured in the view command determines the access of each sub identifier of an o...

Page 205: ...This Chapter This chapter provides information about configuring event and accounting logs on the 7705 SAR Topics in this chapter include Logging Overview Log Destinations Event Logs Accounting Logs C...

Page 206: ...are generated by the USER application and pertain to the configuration and operation of the node Debug events debug events are generated by the DEBUG application and pertain to trace or other debuggi...

Page 207: ...service class basis In addition to gathering information critical for service billing accounting records can be analyzed to provide insight about customer service trends for potential service revenue...

Page 208: ...y type of log destination that can be configured for an accounting log Console Sending events to a console destination means the message will be sent to the system console The console device can be us...

Page 209: ...this rule is subject to the incoming rate of the data being logged For example if the rate is very low the actual rollover time may be longer than the configured value The retention time for a log fil...

Page 210: ...ng log file is created in act collect SNMP Trap Group An event log can be configured to send events to SNMP trap receivers by specifying an SNMP trap group destination An SNMP trap group can have mult...

Page 211: ...the 7705 SAR uses six internal severity levels the severity levels are mapped to syslog severities Table 26 displays the severity level mappings to syslog severities Table 26 7705 SAR to Syslog Severi...

Page 212: ...Log Event logs are the means of recording system generated events for later analysis Events are messages generated by the system by applications or processes within the 7705 SAR Figure 3 depicts a fun...

Page 213: ...l events that directly affect the configuration or operation of the node Change events are generated by the USER application Debug The debug event source is the debugging configuration that has been e...

Page 214: ...y as the generation and suppression options See Simple Logger Event Throttling Events are assigned a default severity level in the system but the application event severities can be changed by the use...

Page 215: ...I gen 0 0 LDP 2001 vRtrLdpStateChange MI gen 0 0 2002 vRtrLdpInstanceStateChange MI gen 0 0 2003 vRtrLdpIfStateChange MI gen 0 0 LOGGER L 2001 STARTED MI gen 5 0 2002 tmnxLogTraceError CR gen 0 0 2005...

Page 216: ...og can only have a single destination The destination for the log ID destination can be one of console session syslog snmp trap group memory or a file on the local file system an optional event filter...

Page 217: ...al to not equal to less than less than or equal to greater than or greater than or equal to an event number within the application equal to not equal to less than less than or equal to greater than or...

Page 218: ...ted the event a subject identifying the affected object a short text description The general format for an event in an event log with either a memory console or file destination is as follows nnnn YYY...

Page 219: ...ethod is applied the logger application has no information about the managed object that generated the event and cannot distinguish between events generated by object A from events generated by object...

Page 220: ...o off for each specific event type It must be explicitly enabled for each event type where throttling is desired This makes backwards compatibility of configuration files easier to manage Default Syst...

Page 221: ...sub record types and default collection period for service and network accounting policies When creating accounting policies one service accounting policy can be defined as the default If statistics...

Page 222: ...d sap SapId qid QueueId hoo OfferedHiPrioOctets hod DroppedHiPrioOctets loo LowOctetsOffered lod LowOctetsDropped uco UncoloredOctetsOffered iof InProfileOctetsForwarded oof OutOfProfileOctetsForwarde...

Page 223: ...ktsDropped ucp UncoloredPacketsOffered ipf InProfilePktsForwarded opf OutOfProfilePktsForwarded Service egress packets sep svc SvcId sap SapId qid QueueId ipf InProfilePktsForwarded ipd InProfilePktsD...

Page 224: ...13800 xml gz Accounting files always have the prefix act followed by the accounting policy ID log ID and timestamp The accounting log file naming and log file destination properties such as rollover a...

Page 225: ...intervals on the log files and the frequency of file retrieval must also be considered when designing accounting policy deployments The amount of data stored depends on the type of record collected th...

Page 226: ...gured before they can be applied to a log ID A file ID can only be assigned to either one log ID or one accounting policy Accounting policies must be configured in the config log context before they c...

Page 227: ...7 Configuring Logging with CLI This section provides information to configure logging using the command line interface Topics in this section include Log Configuration Overview Log Type Basic Event Lo...

Page 228: ...r with logging information for monitoring and troubleshooting You can configure logging parameters to save information in a log file or direct the messages to other devices Logging commands allow you...

Page 229: ...ormation can be sent to a syslog host that is capable of receiving selected syslog messages from a network element Event control configures a particular event or all events associated with an applicat...

Page 230: ...cy ID a log source a log destination The following displays a log configuration example ALU 12 config log info echo Log Configuration file id 1 description This is a test file id location cf3 exit fil...

Page 231: ...ring an Event Log An event log file contains information used to direct events alarms traps and debug information to their respective destinations One or more event sources can be specified File IDs S...

Page 232: ...s a test log file filter 1 from main security to file 1 exit ALU 12 config log log id Configuring a File ID To create a log file a file ID is defined that specifies the target compact flash drive and...

Page 233: ...n system memory on the compact flash drive in a compressed tar XML format and can be retrieved using FTP or SCP See Configuring an Event Log and Configuring a File ID Accounting policies must be confi...

Page 234: ...config log acct policy record service ingress packets config log acct policy default config log acct policy to file 1 config log acct policy exit config log accounting policy 5 config log acct policy...

Page 235: ...press throttle rate events interval seconds The following displays an example of an event control configuration command syntax Example config log config log event control atm 2014 generate critical co...

Page 236: ...fault action drop forward description description string entry entry id action drop forward description description string match application eq neq application id number eq neq lt lte gt gte event id...

Page 237: ...id 2 shutdown description This is a test log file filter 1 from main security to file 1 exit ALU 12 config log Configuring an SNMP Trap Group The associated log id does not have to be configured befo...

Page 238: ...tion ALU 12 config log info snmp trap group 2 trap target target name address 10 10 10 104 5 snmpv3 notify community communitystring exit log id 2 description This is a test log file filter 1 from mai...

Page 239: ...og config log syslog 1 config log syslog description This is a syslog file config log syslog address 10 10 10 104 config log syslog facility user config log syslog level warning The following displays...

Page 240: ...ing an SNMP Trap Group Deleting an SNMP Trap Group Modifying a Log Filter Deleting a Log Filter Modifying Event Control Parameters Returning to the Default Event Control Configuration Modifying a Log...

Page 241: ...ALU 12 config log log id The following displays an example of modifying log file parameters Example config log config log log id 2 config log log id description Chassis log file config log log id fil...

Page 242: ...description LocationTest location cf3 rollover 600 retention 24 exit log id 2 description Chassis log file filter 2 from security to file 1 exit ALU 12 config log Use the following CLI syntax to dele...

Page 243: ...ters Example config log config log file id 1 config log file id description LocationTest config log file id location cf3 config log file id rollover 2880 retention 500 config log file id exit The foll...

Page 244: ...CLI Syntax config log syslog syslog id address ip address description description string facility syslog facility level emergency alert critical error warning notice info debug log prefix log prefix s...

Page 245: ...fig log no syslog syslog id The following displays an example of deleting a syslog ID Example config log config log no syslog 1 Modifying an SNMP Trap Group Use the following CLI syntax to modify an S...

Page 246: ...ple config log config log snmp trap group 10 config log snmp trap group no trap target 10 10 10 104 5 config log snmp trap group snmp trap group trap target 10 10 0 91 1 snmpv2c notify community com1...

Page 247: ...roup 10 config log snmp trap group no trap target 10 10 0 91 1 config log snmp trap group exit config log no snmp trap group 10 Modifying a Log Filter Use the following CLI syntax to modify a log filt...

Page 248: ...ions Example config log config log filter 1 config log filter description This allows n config log filter default action forward config log filter entry 1 config log filter entry action drop config lo...

Page 249: ...rameters CLI Syntax config log event control application id event name event number generate severity level throttle event control application id event name event number suppress The following display...

Page 250: ...onfig log no event control filter 2001 config log no event control mpls 2001 ALU 12 config log info detail echo Log Configuration event control atm 2004 generate minor event control atm 2005 generate...

Page 251: ...de 251 Log Command Reference Command Hierarchies Configuration Commands Accounting Policy Commands Event Control Commands Log File Commands Log Filter Commands Syslog Commands Logging Destination Comm...

Page 252: ...d no shutdown to file file log file id Event Control Commands config log event control application id event name event number generate severity level throttle event control application id event name e...

Page 253: ...n no match application eq neq application id no application number eq neq lt lte gt gte event id no number router eq neq router instance regexp no router severity eq neq lt lte gt gte severity level n...

Page 254: ...id description description string no description trap target name address ip address port port snmpv1 snmpv2c snmpv3 notify community communityName snmpv3SecurityName security level no auth no privacy...

Page 255: ...Event and Accounting Logs 7705 SAR OS System Management Guide 255 Clear Commands clear log log id...

Page 256: ...Log Command Reference 256 7705 SAR OS System Management Guide Command Descriptions Configuration Commands Show Commands Clear Commands...

Page 257: ...AR OS System Management Guide 257 Configuration Commands Generic Commands Accounting Policy Commands Event Control Commands Log File Commands Log Filter Commands Syslog Commands Logging Destination Co...

Page 258: ...ration Default No text description is associated with this configuration Parameters string The description can contain a string of up to 80 characters composed of printable 7 bit ASCII characters If t...

Page 259: ...the entity This leads to the loss of event data policy id when an accounting policy is shut down no accounting data is written to the destination log ID Counters in the billing data reflect totals no...

Page 260: ...annot be removed unless it is removed from all the SAPs or channels where the policy is applied Default No default accounting policy is defined Parameters policy id the policy ID that uniquely identif...

Page 261: ...nting policy can only contain one record name To obtain a list of all record types that can be configured use the show log accounting records command ALU 12 config log show log accounting records Acco...

Page 262: ...ccounting policy The characteristics of the file ID such as rollover and retention intervals must have already been defined in the config log file id context A file ID can only be used once The file i...

Page 263: ...ontrol chassis extAlarmInput1Detected specify whether the event is generated or suppressed config log event control chassis extAlarmInput1Detected generate change the severity level for this event the...

Page 264: ...ay a list of all event short names use the show log event control command Values a valid event name or event number Default n a generate specifies that logger event is created when this event occurs T...

Page 265: ...umber of log events that can be logged within the specified interval for a specific event Once the limit has been reached any additional events of that type will be dropped and the event drop count wi...

Page 266: ...ces A file ID and associated file definition must exist for each log and billing file that must be stored in the file system A file is created when the file ID defined by this command is selected as t...

Page 267: ...f the location fails for example the compact flash card fills up during the write process a trap is sent The no form of the command removes the file ID from the configuration A file ID can only be rem...

Page 268: ...h file is deleted the system attempts to create the new file A medium severity trap is issued to indicate that the compact flash is either not available or that no space is available on the specified...

Page 269: ...fault time to keep the file in the system The retention time is based on the rollover time of the file The retention time is used as a factor to determine which files should be deleted first as the fi...

Page 270: ...command removes the filter association from log IDs which causes those logs to forward all events Default No event filters are defined Parameters filter id uniquely identifies the filter Values 1 to...

Page 271: ...omplete and rendered inactive The no form of the command removes the specified entry from the event filter Entries removed from the event filter are immediately removed from all log IDs where the filt...

Page 272: ...and to display a list of the valid applications Match context can consist of multiple match parameters application event number severity subject but multiple match statements cannot be entered per ent...

Page 273: ...a TiMOS application event number as a match criterion TiMOS event numbers uniquely identify a specific logging event within an application Only one number command can be entered per event filter entry...

Page 274: ...e value of router command parameters When the regexp keyword is specified the string in the router command is a regular expression string that will be matched against the router string in the log even...

Page 275: ...neq subject regexp no subject Context config log filter entry match Description This command adds an event subject as a match criterion The subject is the entity for which the event is reported such...

Page 276: ...sted in Table 37 subject a string used as the subject match criterion regexp specifies the type of string comparison to use to determine if the log event matches the value of subject command parameter...

Page 277: ...og id node Default No syslog IDs are defined Parameters syslog id the syslog ID number for the syslog destination expressed as a decimal integer Values 1 to 10 address Syntax address ip address no add...

Page 278: ...erwrites the previous facility code If multiple facilities need to be generated for a single syslog target host then multiple log id entries must be created each with its own filter criteria to select...

Page 279: ...r higher than the threshold are sent to the syslog target host Only a single threshold level can be specified If multiple level commands are entered the last command will overwrite the previous comman...

Page 280: ...colon and a space to the string and it is inserted in the syslog message after the date stamp and before the syslog message content Only one string can be entered If multiple strings are entered the...

Page 281: ...he UDP port that will be used to send syslog messages to the syslog target host The port configuration is needed if the syslog target host uses a port other than the standard UDP syslog port 514 Only...

Page 282: ...cified for a log id The destination of an event stream can be an in memory buffer console session snmp trap group syslog or file Use the event control command to suppress the generation of events alar...

Page 283: ...o form of the command removes the specified event filter from the log id Default no filter Parameters filter id the event filter policy ID is used to associate the filter with the log id configuration...

Page 284: ...ed in the to command for this destination log id The change event stream contains all events that directly affect the configuration or operation of this node To limit the events forwarded to the chang...

Page 285: ...id The characteristics of the log file id referenced here must have already been defined in the config log file id log file id context Values 1 to 99 to memory Syntax to memory size Context config log...

Page 286: ...g or memory log needs to be modified the log ID must be removed then recreated Default No destination is specified to snmp Syntax to snmp size Context config log log id Description This command is one...

Page 287: ...If the log destination needs to be changed or if the maximum size of an SNMP log or memory log needs to be modified the log ID must be removed then recreated Default No destination is specified Param...

Page 288: ...ted to one or more SNMP trap groups Logger events that can be forwarded as SNMP traps are always defined on the main event source The no form of the command deletes the SNMP trap group Default There a...

Page 289: ...rap target up to 28 characters in length ip address the IP address of the trap receiver Only one IP address destination can be specified per trap destination group Values ipv4 address a b c d host bit...

Page 290: ...tify community communityName snmpv3SecurityName specifies the community string for snmpv1 or snmpv2c or the snmpv3 security name If no notify community parameter is configured then no alarms or traps...

Page 291: ...bes the fields Sample Output A ALU 1 show log accounting policy Accounting Policies Policy Type Def Admin Oper Intvl File Record Name Id State State Id 1 access No Up Up 15 1 service ingress packets 2...

Page 292: ...gned Def Yes indicates that the policy is a default access policy No indicates that the policy is not a default access policy Admin State Displays the administrative state of the policy Up indicates t...

Page 293: ...ts 5 2 service egress octets 5 3 service ingress packets 5 4 service egress packets 5 A ALU 1 applications Syntax applications Context show log Description This command displays a list of all applicat...

Page 294: ...tput A ALU 1 show log applications Log Event Application Names Application Name APS ATM BGP CHASSIS CPMHWFILTER DEBUG DHCP EFM_OAM ETH CFM FILTER IP ISIS LDP LOGGER MPLS NTP OAM OSPF PORT PPP PTP RIP...

Page 295: ...vent only Default all events for the application event number displays event control for the specified application event number only Default all events for the application Output The following output...

Page 296: ...t1Detected CR gen 0 0 2058 extAlarmInput2Detected MA gen 0 0 2059 extAlarmInput3Detected MA gen 0 0 2060 extAlarmInput4Detected MI gen 0 0 2061 extAlarmCleared MA gen 0 0 2062 syncIfTimingExternAlarm...

Page 297: ...e event ID number within the application L ID an L in front of an ID represents event types that do not generate an associated SNMP notification Most events do generate a notification only the excepti...

Page 298: ...e 43 describes the fields Sample Output A ALU 1 show log file id File Id List file id rollover retention admin backup oper location location location 1 60 4 cf3 none none 2 60 3 cf3 none none 3 1440 1...

Page 299: ...t Table 45 Table 43 Log File Summary Output Fields Label Description file id The log file ID rollover The rollover time for the log file which is the amount of time before the file is partitioned into...

Page 300: ...Operator off Event Number 0 Operator off Severity major Operator greaterThanOrEqual Subject Operator off Match Type exact string Router Operator off Match Type exact string Description Collect only ev...

Page 301: ...ter entry application match criterion Event Number The event log filter event ID match criterion Severity cleared the event log filter severity match is cleared indeterminate the event log filter entr...

Page 302: ...tus enabled Dest Type memory Security Logged 3 Dropped 0 Change Logged 3896 Dropped 0 Debug Logged 0 Dropped 0 A ALU 1 Operator There is an operator field for each match criteria application event num...

Page 303: ...ource event stream to limit the events output to this log s destination If the value is 0 then all events in the source log are forwarded to the destination Status Enabled logging is enabled Disabled...

Page 304: ...ers log id displays the contents of the specified log file or memory log ID The log ID must have a destination of an SNMP or log file or a memory log for this parameter to be used Values 1 to 99 Defau...

Page 305: ...ldest in descending sequence number order on the screen When using the ascending parameter the log will be shown from the oldest to the newest entry Default Descending Output The following output is a...

Page 306: ...t connected then all entries are dropped Syslog all selected log events are sent to the syslog address SNMP traps events defined as SNMP traps are sent to the configured SNMP trap destinations and are...

Page 307: ...RP information overwritten for 138 120 52 253 by 00 e0 52 d4 a5 00 3718 2008 02 01 11 54 15 40 UTC MINOR IP 2004 management PIP MANAGEMENT ARP information overwritten for 138 120 52 253 by 00 e0 5e 00...

Page 308: ...syslog Syslog Target Hosts Id Ip Address Port Sev Level Below Level Drop Facility Pfx Level 2 unknown 514 info 0 local7 yes 3 unknown 514 info 0 mail yes A ALU 48 config log Table 48 SNMP Trap Group...

Page 309: ...syslog messages Facility The facility code for messages sent to the syslog target host Severity Level The syslog message severity level threshold Below Level Dropped A count of messages not sent to t...

Page 310: ...y log or log file Memory logs are reinitialized and cleared of contents Log files are manually rolled over by this command This command is only applicable to event logs that are directed to file desti...

Page 311: ...r 7705 SAR 7705 Service Aggregation Router 7710 SR 7710 Service Router 7750 SR 7750 Service Router 9500 MPR 9500 microwave packet radio ABR area border router available bit rate AC alternating current...

Page 312: ...em number ATM asynchronous transfer mode ATM PVC ATM permanent virtual circuit B3ZS bipolar with three zero substitution Batt A battery A B bit beginning bit first packet of a fragment Bc committed bu...

Page 313: ...lid unicast address but the destination port interface is not yet known therefore traffic needs to be forwarded to all destinations unknown traffic is treated as broadcast BOF boot options file BPDU b...

Page 314: ...Processing Module CPM is used instead of CSM when referring to CSM filtering to align with CLI syntax used with other SR products CSM management ports are referred to as CPM management ports in the C...

Page 315: ...n DHB decimal hexadecimal or binary DHCP dynamic host configuration protocol DHCPv6 dynamic host configuration protocol for IPv6 DIS designated intermediate system DLCI data link connection identifier...

Page 316: ...DUS do not use for synchronization DV delay variation e911 enhanced 911 service EAP Extensible Authentication Protocol EAPOL EAP over LAN E bit ending bit last packet of a fragment E BSR elected BSR E...

Page 317: ...to end ETH CFM Ethernet connectivity fault management IEEE 802 1ag EVDO evolution data optimized EVPL Ethernet virtual private link EXP bits experimental bits currently known as TC FC forwarding class...

Page 318: ...gn exchange subscriber GFP generic framing procedure GigE Gigabit Ethernet GNSS global navigation satellite system GPON Gigabit Passive Optical Network GPS Global Positioning System GRE generic routin...

Page 319: ...v6 Internet control message protocol for IPv6 ICP IMA control protocol cells IDS intrusion detection system IEEE Institute of Electrical and Electronics Engineers IEEE 1588v2 Institute of Electrical a...

Page 320: ...termediate System IS IS TE IS IS traffic engineering extensions ISO International Organization for Standardization IW interworking JP join prune LB loopback lbf in pound force inch LBM loopback messag...

Page 321: ...st LSU link state update LT linktrace LTE long term evolution line termination equipment LTM linktrace message LTN LSP ID to NHLFE LTR link trace reply MA maintenance association MAC media access cont...

Page 322: ...aintenance entity group MEG ID maintenance entity group identifier MEN Metro Ethernet network MEP maintenance association end point MFC multi field classification MHF MIP half function MIB management...

Page 323: ...d unit MRU maximum receive unit MSDU MAC Service Data Unit MSO multi system operator MS PW multi segment pseudowire MTIE maximum time interval error MTSO mobile trunk switching office MTU maximum tran...

Page 324: ...ervice processing NSSA not so stubby area NTP network time protocol NTR network timing reference OADM optical add drop multiplexer OAM operations administration and maintenance OAMPDU OAM protocol dat...

Page 325: ...te branch exchange PCP priority code point PCR proprietary clock recovery PDU protocol data units PDV packet delay variation PDVT packet delay variation tolerance PE provider edge router PEAPv0 protec...

Page 326: ...ipment PSK pre shared key PSN packet switched network PSNP partial sequence number PDU PTM packet transfer mode PTP performance transparency protocol precision time protocol PVC permanent virtual circ...

Page 327: ...RTM RPS radio protection switching RRO record route object RS 232 Recommended Standard 232 also known as EIA TIA 232 RSA Rivest Shamir and Adleman authors of the RSA encryption algorithm RSHG residen...

Page 328: ...ts SAR F 7705 Service Aggregation Router fixed form factor chassis SAR H 7705 Service Aggregation Router temperature and EMC hardened to the following specifications IEEE 1613 and IEC 61850 3 SAR Hc 7...

Page 329: ...t is used to drop and add four specific wavelengths from the network it has two models One model is used to add and drop the following wavelengths 1471 1491 1511 1531 nm One model is used to add and d...

Page 330: ...larm input connector a unit that is equipped with an AC power input connector five Gigabit Ethernet data ports three SFP ports one RJ 45 Ethernet port and one RJ 45 PoE port a GPS receiver and an RJ 4...

Page 331: ...SLARP serial line address resolution protocol SLID subscriber location identifier of a GPON module SLM synthetic loss measurement SNMP Simple Network Management Protocol SNPA subnetwork point of attac...

Page 332: ...System Plus TC traffic class formerly known as EXP bits TCP transmission control protocol TDEV time deviation TDM time division multiplexing TE traffic engineering TEID tunnel endpoint identifier TFTP...

Page 333: ...Telecommunications System 3G UNI user to network interface uRPF unicast reverse path forwarding V 11 ITU T V series Recommendation 11 V 24 ITU T V series Recommendation 24 V 35 ITU T V series Recommen...

Page 334: ...uting and forwarding table VRRP virtual router redundancy protocol VSE vendor specific extension VSO vendor specific option VT virtual trunk WCDMA wideband code division multiple access transmission p...

Page 335: ...mental and safety standards telecom standards and supported protocols EMC Industrial Standards Compliance EMC Regulatory and Customer Standards Compliance Environmental Standards Compliance Safety Sta...

Page 336: ...Std C37 90 2 Withstand Capability of Relay Systems to Radiated Electromagnetic Interference from Transceivers IEEE Std C37 90 3 IEEE Standard Electrostatic Discharge Tests for Protective Relays EN 501...

Page 337: ...ed disturbances IEC 61000 4 8 Power frequency magnetic field immunity test IEC 61000 4 9 Pulse Magnetic field immunity test IEC 61000 4 10 Damped Oscillatory Magnetic Field IEC 61000 4 11 Voltage dips...

Page 338: ...al Safety Generic Criteria for Network Telecommunications Equipment AS NZS CISPR 22 Information technology equipment Radio disturbance characteristics Limits and methods of measurement 2 2 2 2 2 2 2 2...

Page 339: ...heat IEC 60068 2 30 Environmental testing Part 2 Tests Test Db and guidance Damp heat cyclic 12 12 hour cycle IEC 60255 21 2 Electrical relays Part 21 Vibration shock bump and seismic tests on measur...

Page 340: ...509 5 EN 60721 3 3 Class 3C4 EN 60068 2 11 Salt Mist EN 50155 Class ST4 Conformal Coating 5 Table 53 Environmental Standards Compliance Continued Standard Title Platform SAR F SAR A SAR M SAR M fan le...

Page 341: ...uipment Non Environmental Consideration IEC EN 60950 22 Information technology equipment Safety Equipment installed outdoors IEC 60529 Degrees of Protection Provided by Enclosures IP Code 1 2 1 2 1 1...

Page 342: ...rective 2011 65 EU RoHS2 Restriction of the use of certain Hazardous Substances in Electrical and Electronic Equipment RoHS2 NEBS Level 3 Compliant Telcordia CE Mark CRoHS Logo Ministry of Information...

Page 343: ...ervice Layer OAM IEEE 802 1p q VLAN Tagging IEEE 802 3 10BaseT IEEE 802 3ab Ethernet Physical Layer Parameters and Specifications for 1000 Mb s Operation Over 4 Pair of Category 5 Balanced Copper Cabl...

Page 344: ...p band circuits ITU T X 21 RS 422 Interface between Data Terminal Equipment and Data Circuit Terminating Equipment for Synchronous Operation on Public Data Networks ITU T Y 1731 OAM functions and mech...

Page 345: ...4271 BGP 4 previously RFC 1771 RFC 4360 BGP Extended Communities Attribute RFC 4364 BGP MPLS IP Virtual Private Networks VPNs previously RFC 2574bis BGP MPLS VPNs RFC 4456 BGP Route Reflection Altern...

Page 346: ...AG Version 7 0 and report of Self Test Result ATU T Register 3 ITU T G 992 3 G dmt bis Annex A B J M ITU T G 992 5 Annex A B J M ITU T G 992 1 ADSL ITU T G 992 3 Annex K 2 ADSL2 ITU T G 992 5 Annex K...

Page 347: ...works RFC 3587 IPv6 Global Unicast Address Format RFC 3595 Textual Conventions for IPv6 Flow Label RFC 4007 IPv6 Scoped Address Architecture RFC 4193 Unique Local IPv6 Unicast Addresses RFC 4291 IPv6...

Page 348: ...MPLS Label Distribution Protocol LDP RFC 4379 Detecting Multi Protocol Label Switched MPLS Data Plane Failures NETWORK MANAGEMENT ITU T X 721 Information technology OSI Structure of Management Informa...

Page 349: ...Model USM for version 3 of the Simple Network Management Protocol SNMPv3 RFC 3418 SNMP MIB draft ietf disman alarm mib 04 txt draft ietf mpls ldp mib 07 txt draft ietf ospf mib update 04 txt draft iet...

Page 350: ...t of PPP High Level Data Link Control HDLC over MPLS Networks RFC 4619 Encapsulation Methods for Transport of Frame Relay over Multiprotocol Label Switching MPLS Networks RFC 4816 Pseudowire Emulation...

Page 351: ...Protocol draft ietf secsh connection txt SSH Connection Protocol draft ietf secsh newmodes txt SSH Transport Layer Encryption Modes SYNCHRONIZATION G 781 Synchronization layer functions 2001 09 17 G 8...

Page 352: ...efinitions of Managed Objects for the Virtual Router Redundancy Protocol RFC 3768 Virtual Router Redundancy Protocol RFC 5798 Virtual Router Redundancy Protocol Version 3 for IPv4 and IPv6 Proprietary...

Page 353: ...Standards and Protocol Support 7705 SAR OS System Management Guide 353 TIMETRA SERV MIB mib TIMETRA SYSTEM MIB mib TIMETRA TC MIB mib TIMETRA VRRP MIB mib...

Page 354: ...Standards and Protocol Support 354 7705 SAR OS System Management Guide...

Page 355: ...documentation and product support Customer documentation http documentation alcatel lucent com Technical support http support alcatel lucent com Documentation feedback documentation feedback alcatel l...

Page 356: ...2015 Alcatel Lucent All rights reserved 3HE 09688 AAAA TQZZA Edition 01...

Reviews:

No comments