Alcatel-Lucent 7950 SR System Management Manual Download Page 46 | Manualshive

Page: 46 / 462

Alcatel-Lucent 7950 SR System Management Manual Download Page 46

Other Security Features

Page 46

7950 SR OS System Management Guide

Other Security Features

Secure Shell (SSH)

Secure Shell Version 1 (SSH) is a protocol that provides a secure, encrypted Telnet-like
connection to a router. A connection is always initiated by the client (the user). Authentication
takes places by one of the configured authentication methods (local, RADIUS, or ).
With authentication and encryption, SSH allows for a secure connection over an insecure
network.

The OS allows you to configure Secure Shell (SSH) Version 2 (SSH2). SSH1 and SSH2 are
different protocols and encrypt at different parts of the packets. SSH1 uses server as well as
host keys to authenticate systems whereas SSH2 only uses host keys. SSH2 does not use the
same networking implementation that SSH1 does and is considered a more secure, efficient,
and portable version of SSH.

SSH runs on top of a transport layer (like TCP or IP), and provides authentication and
encryption capabilities.

The OS has a global SSH server process to support inbound SSH and SCP sessions initiated
by external SSH or SCP client applications. The SSH server supports SSHv1. Note that this
server process is separate from the SSH and SCP client commands on the routers which
initiate outbound SSH and SCP sessions.

Inbound SSH sessions are counted as inbound telnet sessions for the purposes of the maximum
number of inbound sessions specified by Login Control. Inbound SCP sessions are counted as
inbound ftp sessions by Login Control.

When SSH server is enabled, an SSH security key is generated. The key is only valid until
either the node is restarted or the SSH server is stopped and restarted (unless the preserve-key
option is configured for SSH). The key size is non-configurable and set at 1024 bits. When the
server is enabled, both inbound SSH and SCP sessions will be accepted provided the session is
properly authenticated.

When the global SSH server process is disabled, no inbound SSH or SCP sessions will be
accepted.

When using SCP to copy files from an external device to the file system, the SCP server will
accept either forward slash (“/”) or backslash (“\”) characters to delimit directory and/or
filenames. Similarly, the SCP client application can use either slash or backslash characters,
but not all SCP clients treat backslash characters as equivalent to slash characters. In
particular, UNIX systems will often times interpret the backslash character as an “escape”
character which does not get transmitted to the SCP server. For example, a destination

«
...
44
45
46
47
48
...
»

Summary of Contents for 7950 SR

Page 1: ...7950 SR OS System Management Guide Software Version 7950 SR OS 11 0 R5 September 2013 Document Part Number 93 0401 02 04 93 0401 02 04...

Page 2: ...ritten permission from Alcatel Lucent Alcatel Lucent Alcatel Lucent and the Alcatel Lucent logo are trademarks of Alcatel Lucent All other trademarks are the property of their respective owners The in...

Page 3: ...Protection 32 CPU Protection Extensions ETH CFM 35 Distributed CPU Protection DCP 37 Applicability of Distributed CPU Protection 39 Log Events Statistics Status and SNMP support 40 DCP Policer Resour...

Page 4: ...DIUS Accounting 80 Configuring 802 1x RADIUS Policies 81 Configuring CPU Protection Policies 82 TACACS Configurations 83 Enabling TACACS Authentication 83 Configuring TACACS Authorization 84 Configuri...

Page 5: ...r and Event Logs 308 Event Filter Policies 309 Event Log Entries 310 Simple Logger Event Throttling 312 Default System Log 313 Accounting Logs 314 Accounting Records 314 Accounting Files 317 Design Co...

Page 6: ...Modifying a File ID 347 Deleting a File ID 348 Modifying a Syslog ID 349 Deleting a Syslog 350 Modifying an SNMP Trap Group 351 Deleting an SNMP Trap Group 352 Modifying a Log Filter 353 Deleting a Lo...

Page 7: ...Queuing Output Fields 229 Table 18 Show User Profile Output Fields 230 Table 19 Show Source Address Output Fields 231 Table 20 Show View Output Fields 235 Table 21 Show Users Output Fields 238 SNMP Ta...

Page 8: ...ields 429 Table 42 Show Log Collector Output Fields 431 Table 43 SNMP Trap Group Output Fields 436 Table 44 Show Log Syslog Output Fields 437 Facility Alarms Table 45 Alarm Alarm Name Raising Event Sa...

Page 9: ...e Marking 33 Figure 4 Per SAP per Protocol Static Rate Limiting with DCP 38 Figure 5 Per Network Interface per Protocol Static Rate Limiting with DCP 38 SNMP Figure 6 SNMPv1 and SNMPv2c Configuration...

Page 10: ...Page 10 7950 SR OS System Management Guide List of Figures...

Page 11: ...nd SSH servers and the router clock This document is organized into functional chapters and provides concepts and descriptions of the implementation flow as well as Command Line Interface CLI syntax a...

Page 12: ...erfaces and associated attributes such as an IP address as well as IP and MAC based filtering and VRRP and Cflowd 7950 SR OS Routing Protocols Guide This guide provides an overview of routing concepts...

Page 13: ...ed reseller contact the technical support staff for that distributor or reseller for assistance If you purchased an Alcatel Lucent service agreement contact technical assistance at http www alcatel lu...

Page 14: ...About This Guide Page 14 7950 SR OS System Management Guide...

Page 15: ...this book is presented in an overall logical configuration flow Each section describes a software area and provides CLI syntax and command usage to configure parameters for a functional area Table 1...

Page 16: ...Alcatel Lucent 7950 SR Router Configuration Process Page 16 7950 SR OS System Management Guide...

Page 17: ...ccounting on page 18 Authentication on page 19 Authorization on page 24 Accounting on page 28 Security Controls on page 30 When a Server Does Not Respond on page 30 Access Request Flow on page 31 Vend...

Page 18: ...nd auditing purposes You can configure routers to use local Remote Authentication Dial In User Service RADIUS or Terminal Access Controller Access Control System Plus TACACS security to validate users...

Page 19: ...igured then these methods are attempted If no other authentication methods are configured or all methods reject the authentication request then access is denied For the RADIUS server selection round r...

Page 20: ...is is referred to as local authentication Remote security servers such as RADIUS or TACACS are not enabled RADIUS Authentication Remote Authentication Dial In User Service RADIUS is a client server se...

Page 21: ...rver is reachable when the operational state UP when a valid response is received within a timeout period which is configurable by the retry parameter on the RADIUS policy level A server is treated as...

Page 22: ...e same user database RADIUS Authentication If the first server in the list cannot find a user the next server in the RADIUS server list is not queried and access is denied If multiple RADIUS servers a...

Page 23: ...wed to a given system TACACS is an encryption protocol and therefore less secure than the later Terminal Access Controller Access Control System Plus TACACS and RADIUS protocols TACACS and RADIUS have...

Page 24: ...is authenticated The profiles and user access information specifies the actions the user can and cannot perform By default local authorization is enabled Local authorization is disabled only when a di...

Page 25: ...tion is attempted if configured in the authorization order When authorization is configured and profiles are downloaded to the router from the RADIUS server the profiles are considered temporary confi...

Page 26: ...priv lvl option is not configured then each CLI command issued by an operator is sent to the TACACS server for authorization The authorization request sent by SR OS contains the first word of the CLI...

Page 27: ...erent A dut c configure service A dut c config service vprn 555 customer 1 create A dut c config service vprn shutdown This results in the following AVPairs cmd configure cmd arg service cmd configure...

Page 28: ...ng tracks user activity to a specified host When RADIUS accounting is enabled the server is responsible for receiving accounting requests and returning a response to the client indicating that it has...

Page 29: ...type specified sends a start packet to the TACACS accounting server which contains information about the event The TACACS accounting server acknowledges the start packet and records information about...

Page 30: ...the primary server is responsive again are not performed If a server is down it will not be contacted for 5 minutes If a login is attempted after 5 minutes then the server is contacted again When a s...

Page 31: ...the request is passed to the next TACACS server with the next lowest index TACACS server 2 and so on If a request is sent to an active RADIUS server and the user name and password is not recognized ac...

Page 32: ...he rate is a per port limit each port in the system will have control traffic destined to the CPM limited to this rate protocol protection Blocks network control traffic for unconfigured protocols If...

Page 33: ...ey are modifiable but cannot be deleted Policy 254 This is the default policy that is automatically applied to access interfaces Traffic above 6000 pps is discarded overall rate 6000 per source rate m...

Page 34: ...terface This helps mitigate DoS attacks by filtering invalid control traffic before it hits the CPU The system automatically populates and maintains a per interface list of configured such as valid pr...

Page 35: ...ch logic is applied This means ordering the entries in the proper sequence is important to ensure the proper behavior is achieved Even thought the number of eth cfm entries is limited to ten the entry...

Page 36: ...nd is not specific to the eth cfm rate limiting feature describe here When an MP is configured on a SAP Binding within a service which allows an external source to communicate with that MP for example...

Page 37: ...mple SAPs The basic types of policers in DCP are Enforcement Policers An instance of a policer that is policing a flow of packets comprised of a single or small set of protocols s arriving on a single...

Page 38: ...ies static mixed and dynamic Traffic switched from monitoring to enforcing policers if a trigger is tripped Dynamic parameters Static policers Local monitoring policers Optional marking or discarding...

Page 39: ...ized per SAP interface cpu protection can be employed to rate limit or mark this traffic if desired Control traffic that arrives on a network interface but inside a tunnel for example SDP LSP PW and l...

Page 40: ...DCP throttles the rate of DCP events to avoid event floods when multiple parallel attacks or problems are occurring Many of the DCP log events can be individually enabled or disabled at the DCP polic...

Page 41: ...policer free on the associated card fp then the object will be blocked from being created Similarly for local monitors once a local monitoring policer is configured and referenced by a protocol then...

Page 42: ...her rate infrastructure protocols such as BGP It is recommended to configure an exceed action of low priority for routing and infrastructure protocols Marked packets are more likely to be discarded if...

Page 43: ...protocol arp create enforcement static my arp policer exit protocol pppoe pppoa create enforcement static my ppp policer exit exit A node1 config subscr mgmt msap policy info dist cpu protection my dd...

Page 44: ...old down 60 exit exit protocol pppoe pppoa create enforcement dynamic my local monitor dynamic parameters detection time 600 rate packets 3 within 10 initial delay 3 exceed action discard hold down 12...

Page 45: ...access timetra profile profile name When configuring this VSA for a user it is assumed that the user profiles are configured on the local router and the following applies for local and remote authenti...

Page 46: ...ss is separate from the SSH and SCP client commands on the routers which initiate outbound SSH and SCP sessions Inbound SSH sessions are counted as inbound telnet sessions for the purposes of the maxi...

Page 47: ...DoS attacks Control Processor Module Queuing CPMQ implements separate hardware based queues which are allocated on a per peer basis CPMQ allocates a separate queue for each LDP and BGP peer and ensur...

Page 48: ...but not to packets from a management Ethernet port CPM packet filtering and queuing is performed by network processor hardware using no resources on the main CPUs There are three filters that can be...

Page 49: ...d 4 seconds If the system is configured for user lockout then the user will be locked out when the number of attempts is exceeded However if lockout is not configured there are three password entry at...

Page 50: ...t is 10 minutes An security event log will be generated as soon as a user account has exceeded the number of allowed attempts and the show system security user command can be used to display the total...

Page 51: ...Lucent OS supports network access control of client devices PCs STBs etc on an Ethernet network using the IEEE 802 1x standard 802 1x is known as Extensible Authentication Protocol EAP over a LAN net...

Page 52: ...ing messages Packet Formats 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 Kind Length T K Alg ID Res Key ID Authentication Data Option Syntax Kind 8 bits The Kind field ident...

Page 53: ...h The Authentication Data field contains data that is used to authenticate the TCP segment This data includes but need not be restricted to a MAC The length and format of the Authentication Data Field...

Page 54: ...ter K i Shared secret to use with key i config system security keychain direction uni receive entry with shared secret parameter config system security keychain direction uni send entry with shared se...

Page 55: ...describes security configuration caveats General If a RADIUS or a TACACS server is not configured then password profiles and user access information must be configured on each router in the domain If...

Page 56: ...Configuration Notes Page 56 7950 SR OS System Management Guide...

Page 57: ...ing Management Access Filters on page 65 Configuring CPM Filters Policy on page 67 Configuring Password Management Parameters on page 68 Configuring Profiles on page 71 Configuring Users on page 72 Co...

Page 58: ...wing tasks to configure security on each participating router Configuring Profiles on page 71 Configuring RADIUS Authentication on page 78 Configuring Users on page 72 RADIUS authentication To impleme...

Page 59: ...guring Profiles on page 71 For RADIUS authorization VSAs must be configured on the RADIUS server See Vendor Specific Attributes VSAs on page 45 RADIUS authorization For RADIUS authorization with authe...

Page 60: ...7950 SR OS System Management Guide TACACS authorization For TACACS authorization with authentication configure these tasks on each participating router Enabling TACACS Authentication on page 83 Confi...

Page 61: ...efer to the following sections to configure accounting Local accounting is not implemented For information about configuring accounting policies refer to Configuring Logging with CLI on page 323 Confi...

Page 62: ...CS servers RADIUS and or TACACS parameters The following example displays default values for security parameters A ALA 1 config system security info detail no hash control telnet server no telnet6 ser...

Page 63: ...p snmp rw security model snmpv2c security level no auth no privacy read no security write no security notify no security access group snmp rwa security model snmpv1 security level no auth no privacy r...

Page 64: ...ties of authentication authorization and accounting configurations For example authentication can be enabled locally and on RADIUS and TACACS servers Authorization can be executed locally on a RADIUS...

Page 65: ...apply to the management Ethernet port The OS implementation exits the filter when the first match is found and execute the actions according to the specified action For this reason entries must be seq...

Page 66: ...default action permit entry 10 src ip 3FFE 1 1 128 next header rsvp log action deny exit exit mac filter default action permit entry 12 match frame type ethernet_II svc id 1 src mac 00 01 01 01 01 01...

Page 67: ...c ip 192 100 2 0 24 exit exit exit ipv6 filter shutdown entry 30 create action drop log 190 match next header tcp dscp ef dst ip 3FFE 2 2 128 src port 100 100 tcp syn true tcp ack false flow label 10...

Page 68: ...configured locally Use the following CLI commands to configure password support CLI Syntax config system security password admin password password hash hash2 aging days attempts count time minutes1 l...

Page 69: ...to pem format A SR 7 Dut A admin certificate export type cert input R1 0cert der output cf3 R1 0cert pem format pem The following displays an example of profile output A SR 7 Dut A config system secur...

Page 70: ...n using cert auth interface VPRN1 tunnel create sap tunnel 1 private 1 create ipsec tunnel Sanity 1 create security policy 1 local gateway address 30 1 1 13 peer 50 1 1 15 delivery service 300 dynamic...

Page 71: ...ured locally or on the RADIUS server Use the following CLI commands to configure user profiles CLI Syntax config system security profile user profile name default action deny all permit all none renum...

Page 72: ...ogin exec url prefix source url member user profile name user profile name up to 8 max new password at login home directory url prefix directory directory directory password password hash hash2 restri...

Page 73: ...y info keychain abc direction bi entry 1 key ZcvSElJzJx wBZ9biCtOVQJ9YZQvVU S hash2 alg orithm aes 128 cmac 96 begin time 2006 12 18 22 55 20 exit exit exit exit keychain basasd direction uni receive...

Page 74: ...ity copy user testuser to testuserA MINOR CLI User testuserA already exists use overwrite flag config system security config system security copy user testuser to testuserA overwrite config system sec...

Page 75: ...cess snmp console cannot change password exit snmp authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none group testgroup exit A ALA 12 config system security user exit A ALA 12 config...

Page 76: ...security info A ALA 49 config system security info detail profile default default action none entry 10 no description match exec action permit exit entry 20 no description match exit action permit exi...

Page 77: ...30 no description match help action permit exit entry 40 no description match logout action permit exit entry 50 no description match password action permit exit entry 60 no description match show con...

Page 78: ...0 SR OS Router Configuration Guide The other commands are optional The server command adds a RADIUS server and configures the RADIUS server s IP address index and key values The index determines the s...

Page 79: ...Vendor Specific Attributes VSAs on page 45 On the local router use the following CLI commands to configure RADIUS authorization CLI Syntax config system security radius authorization The following dis...

Page 80: ...g system security radius accounting The following displays RADIUS accounting configuration example A ALA 1 config system security info radius shutdown authorization accounting retry 5 timeout 5 server...

Page 81: ...re generic parameters for 802 1x authentication enter the following CLI syntax CLI Syntax config system security dot1x radius plcy policy name server server index address ip address secret key port po...

Page 82: ...fo link specific rate 4000 policy 4 create no alarm description My new CPU Protection policy overall rate 9000 per source rate 2000 out profile rate 4000 exit policy 254 create exit policy 255 create...

Page 83: ...the following CLI commands to configure profiles CLI Syntax config system security tacplus server server index address ip address secret key timeout seconds no shutdown The following displays a TACACS...

Page 84: ...nds to configure RADIUS authorization CLI Syntax config system security tacplus authorization no shutdown The following displays a TACACS authorization configuration example A ALA 1 config system secu...

Page 85: ...cplus accounting The following displays a TACACS accounting configuration example A ALA 1 config system security tacplus info accounting authorization timeout 5 server 1 address 10 10 0 5 secret test1...

Page 86: ...SH server is disabled This setting should not be changed while the SSH server is running since the actual change only takes place after SSH is disabled or enabled CLI Syntax config system security ssh...

Page 87: ...value idle timeout minutes disable pre login message login text string name login banner motd url url prefix source url text motd text string The following displays a login control configuration exam...

Page 88: ...Configuring Login Controls Page 88 7950 SR OS System Management Guide...

Page 89: ...Queue Commands on page 95 CPU Protection Commands on page 96 Security Password Commands on page 97 Profile Commands on page 99 RADIUS Commands on page 100 SSH Commands on page 100 TACPLUS Commands on...

Page 90: ...ce address application app ip int name ip address no application app application6 app ipv6 address no application6 no telnet server LLDP Commands configure system lldp message fast tx time no message...

Page 91: ...id no src port src port old entry number new entry number renum old entry number new entry number no shutdown no ipv6 filter default action permit deny deny host unreachable no entry entry id action...

Page 92: ...s ieee address mask no src mac ssap ssap value ssap mask no ssap svc id service id no svc id renum old entry number new entry number no shutdown CPM Filter Commands config system ftp server no cpm fil...

Page 93: ...id new entry id no shutdown no ipv6 filter no entry entry id action accept drop queue queue id no action description description string no description log log id no log match next header next header n...

Page 94: ...um old entry id new entry id no shutdown no mac filter no entry entry id action accept drop queue queue id no action description description string no description log log id no log match frame type fr...

Page 95: ...Security 7950 SR OS System Management Guide Page 95 CPM Queue Commands config system security no cpm queue no queue queue id cbs cbs no cbs mbs mbs no mbs rate rate cir cir no rate...

Page 96: ...faces and SAPs Refer to the appropriate guides See Preface for document titles for command syntax and usage for applying CPU protection policies Examples of entities that can have CPU protection polic...

Page 97: ...w priority hold down seconds none log events verbose no log events rate packets ppi max within seconds initial delay packets kbps kilobits per second max mbs size bytes kilobytes enforcement static po...

Page 98: ...no aging attempts count time minutes1 lockout minutes2 no attempts authentication order method 1 method 2 method 3 exit on reject no authentication order no complexity numeric special character mixed...

Page 99: ...nfig system ftp server Profile Commands no profile user profile name default action deny all permit all none no entry entry id action deny permit description description string no description ftp serv...

Page 100: ...h2 no server server index no shutdown timeout seconds no timeout no use default template SSH Commands config system ftp server SSH Commands ssh no preserve key no server shutdown no version SSH versio...

Page 101: ...n none hash md5 key 1 sha key 1 privacy none des key aes 128 cfb key key 2 group group name no group User Template Commands config system ftp server user template tacplus_default radius_default no acc...

Page 102: ...n key hash key hash2 key hash hash2 algorithm algorithm begin time date hours minutes UTC now forever end time date hours minutes UTC now for ever no shutdown tolerance seconds forever send entry entr...

Page 103: ...und max sessions idle timeout minutes disable no idle timeout no login banner motd url url prefix source url text motd text string no motd pre login message login text string name no pre login message...

Page 104: ...olicy policy id association protocol protection violators port interface sap video sdp dist cpu protection policy policy id association detail keychain keychain name detail management access filter ip...

Page 105: ...Server clear router radius proxy server server name statistics Debug Commands debug radius detail hex no radius no ocsp no ocsp profile name Tools Commands tools dump security dist cpu protection vio...

Page 106: ...Security Command Reference Page 106 7950 SR OS System Management Guide...

Page 107: ...urity cpm filter mac filter entry Description This command creates a text description stored in the configuration file for a configuration context This command associates a text string with a configur...

Page 108: ...em hash control Syntax hash control read version 1 2 all write version 1 2 no hash control Context config system security Description Whenever the user executes a save or info command the system will...

Page 109: ...es on inband interfaces and does not apply on the outband management inter face Packets going out the management interface will keep using that as source IP address IN other words when the RADIUS serv...

Page 110: ...ntp ping radius snmptrap syslog tacplus telnet traceroute ipv6 address Specifies the name of the IPv6 address telnet server Syntax no telnet server Context config system security Description This comm...

Page 111: ...all network IP interfaces This includes labeled user packets ping and traceroute packets within VPRN This feature currently also limits the same packets when received within the context of an LSP sho...

Page 112: ...stem lldp Description This command configures the duration of the fast transmission period Parameters time Specifies the fast transmission period in seconds Values 1 3600 Default 1 message fast tx ini...

Page 113: ...Default 5 reinit delay Syntax reinit delay time no reinit delay Context config system lldp Description This command configures the time before re initializing LLDP on a port Parameters time Specifies...

Page 114: ...s command configures the multiplier of the tx interval Parameters multiplier Specifies the multiplier of the tx interval Values 2 10 Default 4 tx interval Syntax tx interval interval no tx interval Co...

Page 115: ...eates the context to configure FTP login control parameters idle timeout Syntax idle timeout minutes disable no idle timeout Context config system login control Description This command configures the...

Page 116: ...essions Context config system login control telnet Description This parameter limits the number of inbound Telnet and SSH sessions A maximum of 15 telnet and ssh connections can be established to the...

Page 117: ...ext of the message of the day The motd text string must be enclosed in double quotes Multiple text strings are not appended to one another Some special characters can be used to format the message tex...

Page 118: ...cters spaces etc the entire string must be enclosed within double quotes Some special characters can be used to format the message text The n character creates multiline messages and the r character r...

Page 119: ...y ssh Description This command enables the SSH servers running on the system Default At system startup only the SSH server is enabled version Syntax version ssh version no version Context config syste...

Page 120: ...scription This command creates the context to configure the Telnet login control parameters enable graceful shutdown Syntax no enable graceful shutdown Context config system login control telnet Descr...

Page 121: ...sed to other traffic filters are enforced by system software The no form of the command removes management access filters from the configuration Default No management access filters are defined ip fil...

Page 122: ...lection criteria will be denied and that a host unreachable message will not be issued Note deni host unreachable only applies to ip filter and ipv6filter default action Syntax default action permit d...

Page 123: ...fault 65535 exact match Values 1 65535 decimal entry Syntax no entry entry id Context config system security mgmt access filter ip filter config system security mgmt access filter ipv6 filter config s...

Page 124: ...which the sender requests special handling such as non default quality of service or real time service Parameters value Specify the flow identifier in an IPv6 packet header that can be used to discrim...

Page 125: ...d by its respective protocol number Well known protocol numbers include ICMP 1 TCP 6 and UDP 17 The no form the command removes the protocol from the match criteria Default No protocol match criterion...

Page 126: ...y mgmt access filter ip filter entry config system security mgmt access filter ipv6 filter entry Description This command configures a router name or service ID to be used as a management access filte...

Page 127: ...config system security mgmt access filter ipv6 filter config system security mgmt access filter mac filter Description This command shutdowns the management access filter match Syntax match frame typ...

Page 128: ...start and an end or operator lt gt eq followed by an opcode with the value between 0 and 255 is defined then the command is invalid The following table provides opcode values Table 7 Opcode Values CFM...

Page 129: ...ss filter mac filter entry match Description This command configures Dot1p match conditions Parameters dot1p value The IEEE 802 1p value in decimal Values 0 7 mask This 3 bit mask can be configured us...

Page 130: ...dst mac ieee address ieee address mask no dst mac Context config system security mgmt access filter mac filter entry match Description This command configures the destination MAC match condition Para...

Page 131: ...exclusive based on the frame format The no form of the command removes the previously entered etype field as the match criteria Default no etype Parameters ethernet type The Ethernet type II frame Et...

Page 132: ...e two byte snap pid value to be used as a match criterion in hexadecimal Values 0x0000 0xFFFF src mac Syntax src mac ieee address ieee address mask no src mac Context config system security mgmt acces...

Page 133: ...the ssap match criterion Default no ssap Parameters ssap value The 8 bit ssap match criteria value in hex Values 0x00 0xFF ssap mask This is optional and may be used when specifying a range of ssap va...

Page 134: ...ement access filter match criterion The no form of the command removes the source IP address match criterion Default No source IP match criterion is specified Parameters ip prefix mask The IP prefix f...

Page 135: ...p prefix list Creates a list of IPv4 prefixes for match criteria in IPv4 ACL and CPM filter policies ipv6 prefix list name A string of up to 32 characters of printable ASCII characters If special char...

Page 136: ...ed access to all the commands The minimum length of the password is determined by the minimum length command The com plexity requirements for the password is determined by the complexity command NOTE...

Page 137: ...prompted for a password If the password matches user is given unrestricted access to all the commands The minimum length of the password is determined by the minimum length command The com plexity re...

Page 138: ...is exceeded the user is locked out for a specified time period If multiple attempts commands are entered each command overwrites the previously entered com mand The no attempts command resets all val...

Page 139: ...n is 1 RADIUS 2 TACACS and 3 local passwords Parameters method 1 The first password authentication method to attempt Default radius Values radius tacplus local method 2 The second password authenticat...

Page 140: ...se Specifies that at least one upper and one lower case character must be present in the password This keyword can be used in conjunction with the numeric and special character parameters However if t...

Page 141: ...SHA 96 and des keys configured in the system security section If multiple minimum length commands are entered each command overwrites the previous entered command The no form of the command reverts t...

Page 142: ...sword Commands Page 142 7950 SR OS System Management Guide password Syntax password Context config system security Description This command creates the context to configure password management paramet...

Page 143: ...levels are spec ified Because the OS exits when the first match is found subordinate levels cannot be modified with sub sequent action commands More specific action commands should be entered with a l...

Page 144: ...profiles and the default action of the first profile is permit all then the second profile will never be evaluated because the permit all is executed first Set the first profile default action to non...

Page 145: ...responding action If more than one entry is configured the entry ids should be numbered in staggered increments to allow users to insert a new entry without requiring renumbering of the existing entri...

Page 146: ...mand renumbers profile entries to re sequence the entries Since the OS exits when the first match is found and executes the actions according to accompanying action command re numbering is useful to r...

Page 147: ...permission snmp Specifies SNMP permission This keyword is only configurable in the config system security user context console Specifies console access serial port or Telnet permission authentication...

Page 148: ...th is 20 octets 40 printable characters The complexity of the key is determined by the complexity command privacy none Do not perform SNMP packet encryption Default privacy none privacy des key key 2...

Page 149: ...s the context to configure user profile membership for the console either Telnet or serial port user copy Syntax copy user source user profile source profile to destination overwrite Context config sy...

Page 150: ...text config system security user template Description This command configures the profile for the user based on this template Parameters user profile name The user profile name entered as a character...

Page 151: ...x password password hash hash2 Context config system security user Description This command configures the user password for console and FTP access The use of the hash keyword sets the initial passwor...

Page 152: ...he password for the user that must be entered by this user during the login procedure The minimum length of the password is determined by the minimum length command The maximum length can be up to 20...

Page 153: ...rectory higher in the directory tree on the home directory device The user is allowed to create and access subdirectories below their home directory If a home directory is not configured or the home d...

Page 154: ...ept from the RADIUS server user Syntax no user user name Context config system security Description This command creates a local user and a context to edit the user configuration If a new user name is...

Page 155: ...mary server for the first request the second server as primary for the second request and so on If the router gets to the end of the list it starts again with the first server accounting Syntax no acc...

Page 156: ...te Authentication Dial In User Service RADIUS Parameters port The TCP port number to contact the RADIUS server Values 1 65535 radius Syntax no radius Context config system security Description This co...

Page 157: ...removes the server from the configuration Default No RADIUS servers are configured Parameters index The index for the RADIUS server The index determines the sequence in which the servers are queried...

Page 158: ...eout seconds no timeout Context config system security radius Description This command configures the number of seconds the router waits for a response from a RADIUS server The no form of the command...

Page 159: ...to the highest index Values 1 5 address ip address The IP address of the TACACS server Two TACACS servers cannot have the same IP address An error message is generated if the server address is a dupl...

Page 160: ...le server addresses for each router for redundancy The no form of the command removes the TACACS configuration accounting Syntax accounting record type start stop stop only no accounting Context confi...

Page 161: ...cts the user name SR OS sends a continue message with the user name TACACS server replies with TAC_PLUS_AUTHEN_STATUS_GETPASS and a server_msg SR OS displays the server_msg which may contain for examp...

Page 162: ...Description This command administratively disables the TACACS protocol operation Shutting down the proto col does not remove or change the configuration other than the administrative state The operati...

Page 163: ...er the config system security dot1x radius plcy con text authenticates clients who get access to the data plane of the routeras opposed to the RADIUS server configured under the config system radius c...

Page 164: ...d Parameters server index The index for the Dot1x server The index determines the sequence in which the servers are queried for authentication requests Servers are queried in order from lowest to high...

Page 165: ...n This command administratively disables the 802 1x protocol operation Shutting down the protocol does not remove or change the configuration other than the administrative state The operational state...

Page 166: ...chain command is entered the command will not be accepted and an error indicating that the keychain is in use will be printed Default none Parameters keychain name Specifies a keychain name which iden...

Page 167: ...security keychain direction bi config system security keychain direction uni receive config system security keychain direction uni send Description This command defines a particular key in the keychai...

Page 168: ...y combination of ASCII characters up to 33 for the hash key and 96 characters for the hash2 key in length encrypted If spaces are used in the string enclose the entire string in quotation marks This i...

Page 169: ...the time after which the key specified by the authentication key is no lon ger eligible to sign and or authenticate the protocol stream in the hh mm ss format Seconds are optional and if not included...

Page 170: ...configures the TCP option number accepted in TCP packets received Default 254 Parameters option number Specifies an enumerated integer that indicates the TCP option number to be used in the TCP header...

Page 171: ...ault action accept drop Context config system security cpm filter Description This command specifies the action to take on the traffic when the filter entry matches If there are no filter entry define...

Page 172: ...st have at least one filter match entry Entries are created and deleted by user The default match criteria is match none Parameters entry id Identifies a CPM filter entry as configured on this system...

Page 173: ...efore the action associated with the match is executed A match context may consist of multiple match criteria but multiple match statements cannot be entered per entry The no form of the command remov...

Page 174: ...6 icmp 58 ICMP for IPv6 ipv6 no nxt 59 No Next Header for IPv6 ipv6 opts 60 Destination Options for IPv6 iso ip 80 ISO Internet Protocol eigrp 88 EIGRP ospf igp 89 OSPFIGP ether ip 97 Ethernet within...

Page 175: ...ny no action Context config system security mgmt access filter mac filter Description This command creates the action associated with the management access filter match criteria entry The action keywo...

Page 176: ...an IP filter match crite rion The no form of the command removes the DSCP match criterion Default no dscp No dscp match criterion Parameters dscp name Configures a dscp name that has been previously m...

Page 177: ...sed as an IPv6 filter match crite rion To match on the destination IPv6 address specify the address The no form of the command removes the destination IP address match criterion Default No destination...

Page 178: ...decimal integer Values 0 65535 accepted in decimal hex or binary port list name Specifies the port list name to be used as a match criteria for the destination port mask Specifies the 16 bit mask to...

Page 179: ...ation Extension Header presence absence in a packet when evaluating match criteria of a given filter policy entry Default no fragment Parameters true Specifies to match on all fragmented IP packets A...

Page 180: ...s the criterion from the match entry Default no icmp code no match criterion for the ICMP code Parameters icmp code Specifies the ICMP code values that must be present to match Values 0 255 icmp type...

Page 181: ...the option number Thus to match on IP packets that contain the Router Alert option option number 20 enter the option type of 148 10010100 Values 0 255 ip option mask Specifies a range of option number...

Page 182: ...er A match will occur for all packets that have the option field present An option field of zero is considered as no option present false Specifies matching on IP packets that do not have any option f...

Page 183: ...0 700 0 217A Values ipv4 address a b c d host bits must be 0 x x x x x x d d d d interface x 0 FFFF H d 0 255 D interface 32 characters maximum mandatory for link local addresses mask Specifies the 16...

Page 184: ...sed the string must be enclosed within double quotes src port Syntax src port src port number mask Context config sys sec cpm ip filter entry match config sys sec cpm ipv6 filter entry match Descripti...

Page 185: ...the control bits of the TCP header of an IP or IPv6 packet as an IP filter match criterion Note that an entry containing Layer 4 match criteria will not match non initial 2nd 3rd etc fragments of a f...

Page 186: ...action command This requires that entries be sequenced cor rectly from most to least explicit Parameters old entry id Enter the entry number of an existing entry Values 1 2048 new entry id Enter the n...

Page 187: ...ers to allocate dedicated CPM cbs Syntax cbs cbs no cbs Context config system cpm queue queue Description This command specifies the amount of buffer that can be drawn from the reserved buffer portion...

Page 188: ...fig system security cpm queue queue Description This command specifies the maximum bandwidth that will be made available to the queue in kilobits per second kbps Parameters rate Specifies the administ...

Page 189: ...bled in order for TTL protection to operate The no form of the command disables TTL security Parameters min ttl value Specify the minimum TTL value for an incoming BGP packet Values 1 255 ttl security...

Page 190: ...rity parameters for incoming packets When the feature is enabled SSH Telnet will accept incoming IP packets from a peer only if the TTL value in the packet is greater than or equal to the minimum TTL...

Page 191: ...is cleared each second and is based on the ingress port Default max no limit Parameters packet rate limit Specifies a packet arrival rate limit in packets per second for link level protocols Values 1...

Page 192: ...te context alarm Syntax no alarm Context config sys security cpu protection policy Description This command enables the generation of an event when a rate is exceed The event includes information abou...

Page 193: ...pplication Values range 0 255 within specified range multiple ranges allowed number 0 255 specific level number may be combined with range out profile rate Syntax out profile rate packet rate limit no...

Page 194: ...e Context config sys security cpu protection policy Description This command configures a per source packet arrival rate limit Use this command to apply a packet arrival rate limit on a per source bas...

Page 195: ...nfigured then protocol protection will discard any IS IS packets received on that interface Default no protocol protection Parameters allow sham links Allows sham links As OSPF sham links form an adja...

Page 196: ...iven then per MAC rate limiting should be performed using the per source rate from the associated cpu protection policy If no CPU protection policy is assigned to a SAP then a default policy is used t...

Page 197: ...applied to objects such as SAPs and network interfaces Parameters policy name Name of the policy to be configured description Syntax no description string Context config system security dist cpu prote...

Page 198: ...ial burst or a burst after the policer bucket has drained to zero in addition to the normal ppi This would typically be set to a value that is equal to the number of received packets in several full h...

Page 199: ...ameters number of policers specifies the number of policers to be reserved Values 0 1000 32k exceed action Syntax exceed action discard hold down seconds low priority hold down seconds none Context co...

Page 200: ...o log events verbose Context config system security dist cpu protection policy static policer Description This command controls the creation of log events related to static policer status and activity...

Page 201: ...an enforcement policer has marked or discarded one or more packets software may detect this some time after the packets are actually discarded and an optional hold down seconds value has been specifie...

Page 202: ...all unspecified bucket This includes traffic snooping for example PIM in VPLS as well as con trol traffic that is flooded in an R VPLS instance and also extracted to the CPM such as ARP ISIS and VRRP...

Page 203: ...unspecified protocol if the all unspecified proto col is created in the policy Default none Parameters names Signifies protocol name Values arp dhcp http redirect icmp igmp mld ndis pppoe pppoa all u...

Page 204: ...hen the associated local monitoring policer is considered as exceeding its rate parameters at the end of a minimum monitoring time of 60 seconds log events Syntax no log events verbose Context config...

Page 205: ...more protocols in the policy Once this policer name is referenced by a protocol then this policer will be instantiated for each object e g SAP or network interface that is created and references this...

Page 206: ...Distributed CPU Protection Commands Page 206 7950 SR OS System Management Guide...

Page 207: ...ty no security snmp ro snmpv2c none no security no security snmp rw snmpv1 none no security no security no security snmp rw snmpv2c none no security no security no security snmp rwa snmpv1 none iso is...

Page 208: ...server Status Current status of the RADIUS server Type The authentication type Timeout secs The number of seconds the router waits for a response from a RADIUS server Single connection Enabled Specif...

Page 209: ...stics Authentication sequence radius tacplus local server address status type timeout secs single connection retry count 10 10 10 103 up radius 5 n a 5 10 10 0 1 up radius 5 n a 5 10 10 0 2 up radius...

Page 210: ...count health check enabled interval 30 Login Statistics server address conn accepted rejected errors logins logins local n a 4 0 Authorization Statistics TACACS server address conn sent rejected error...

Page 211: ...ecurity Description This command displays CPM filters Table 11 Show Communities Output Fields Label Description Community The community string name for SNMPv1 and SNMPv2c access only Access r The comm...

Page 212: ...lter description Log ID Displays the log ID where matched packets will be logged Src IP Displays the source IP address netmask or prefix list Dest IP Displays the destination IP address netmask Src Po...

Page 213: ...8 0 CPM Filter 10 4 112 2 112 113 26034 0 CPM Filter 10 4 113 2 113 114 26050 0 CPM Filter 10 4 114 2 114 115 26066 0 CPM Filter 10 4 115 2 115 116 26084 0 CPM Filter 10 4 116 2 116 A ALA 35 A ALA 35...

Page 214: ...lter description Log ID Log Id where matched packets will be logged Src IP Displays Source IP address netmask Dest IP Displays Destination IP address netmask Src Port Displays Source Port Number range...

Page 215: ...M Filter 11 108 2 108 109 25880 0 CPM Filter 11 109 2 109 A ALA 35 A ALA 35 show system security cpm filter ipv6 filter entry 101 CPM IPv6 Filter Entry Entry Id 1 Description CPM Filter 11 101 2 101 F...

Page 216: ...ction information Sample Output show system security cpu protection eth cfm monitoring SAP s where the protection policy Eth CFM rate limit is exceeded SAP Id Service Id Plcy 1 1 1 3 100 1 SAP s found...

Page 217: ...03 21 2009 23 35 59 4000000023 61234 91 91 91 91 91 91 6 23 03 21 2009 23 33 19 03 21 2009 23 36 19 4000000024 61234 92 92 92 92 92 92 7 24 03 21 2009 23 33 29 03 21 2009 23 36 39 4000000025 max Aggre...

Page 218: ...41 59 03 22 2009 01 53 39 3000000043 00 00 00 00 00 02 03 22 2009 00 43 39 03 22 2009 01 56 59 3000000044 00 00 00 00 00 03 03 22 2009 00 45 19 03 22 2009 02 00 19 3000000045 00 00 00 00 00 04 03 22...

Page 219: ...CPU Protection policy 100 Description Not Specified SAP associations Service Id 3 Type VPLS SAP 1 1 1 mac monitoring SAP 1 1 2 eth cfm monitoring aggr car SAP 1 1 3 eth cfm monitoring SAP 1 1 4 Number...

Page 220: ...for CPU Protection policy 255 Description Default Modifiable CPU Protection Policy assigned to Network Interfaces SAP associations None SDP associations Service Id 3 Type VPLS SDP 1 2 SDP 1 4 eth cfm...

Page 221: ...gr SDP 1 5 mac monitoring SDP 17407 4123456789 eth cfm monitoring car Number of SDP s 4 Interface associations None Managed SAP associations None Video Interface associations None A bksim130 show syst...

Page 222: ...010 22 37 11 3000000004 1 5 3 100 61234 05 01 2010 01 43 49 06 27 2010 22 37 14 3000000005 5 SDP s found Video clients where the protection policy per source rate limit is violated Client IP Address V...

Page 223: ...protection policy information Parameters policy id Displays CPU protection policy information for the specified policy ID association This keyword displays policy id associations protocol protection...

Page 224: ...1 23002 47094 Num CPM Mac filter entries 1 B bksim67 mac filter Syntax mac filter entry entry id Context show system security management access filter Description This command displays management acc...

Page 225: ...ion number receive 254 Oper state Up A ALA A A ALA A show system security keychain test detail Key chain test TCP Option number send 254 Admin state Up TCP Option number receive 254 Oper state Up Key...

Page 226: ...ecified entry Values 1 9999 Output Management Access Filter Output The following table describes management access filter output fields Table 15 Show Management Access Filter Output Fields Label Descr...

Page 227: ...and displays management access IPv6 filters Parameters entry id Specifies the IPv6 filter entry ID to display Values 1 9999 Output A Dut C show system security management access filter ipv6 filter ent...

Page 228: ...valid attempts permit ted per login Displays the number of unsuccessful login attempts allowed for the specified time Time in minutes per login attempt Displays the period of time in minutes that a sp...

Page 229: ...s command enables or disables CPMCFM hardware queuing per peer TTL security only operates when per peer queuing is enabled Output Per Peer Queuing Output The following table describes per peer queuing...

Page 230: ...ll Entry 10 Description Match Command configure system security Table 18 Show User Profile Output Fields Label Description User Profile Displays the profile name used to deny or permit user console ac...

Page 231: ...e following table describes source address output fields Sample Output A SR 7 show system security source address Source Address applications Application IP address Interface Name Oper status telnet 1...

Page 232: ...Displays that SSH server is disabled SSH Preserve Key Enabled Displays that preserve key is enabled Disabled Displays that preserve key is disabled SSH protocol ver sion 1 Enabled Displays that SSH1...

Page 233: ...ers who are currently locked out Output User Output The following table describes user output fields Label Description User ID The name of a system user Need new pwd Y The user must change his passwor...

Page 234: ...ry for the user for both console and FTP access Restricted to home Yes The user is not allowed to navigate to a directory higher in the directory tree on the home directory device No The user is allow...

Page 235: ...view view name detail Context show system security Description This command displays the SNMP MIB views Parameters view name Specify the name of the view to display output If no view name is specifie...

Page 236: ...w 1 3 6 1 2 1 2 included vprn view 1 3 6 1 2 1 4 included vprn view 1 3 6 1 2 1 5 included vprn view 1 3 6 1 2 1 6 included vprn view 1 3 6 1 2 1 7 included vprn view 1 3 6 1 2 1 15 included vprn view...

Page 237: ...e Authority CA profile association Displays associated CA profiles ocsp cache Syntax ocsp cache entry id Context show certificate Description This command displays the current cached OCSP results The...

Page 238: ...ut A ALA 7 show users User Type From Login time Idle time testuser Console 21FEB2007 04 58 55 0d 00 00 00 A Number of users 1 A indicates user is in admin mode A ALA 7 Table 21 Show Users Output Field...

Page 239: ...rs spaces etc the entire string must be enclosed within double quotes ip address Clears the authentication statistics for the specified IP address ip filter Syntax ip filter entry entry id Context cle...

Page 240: ...ystem Management Guide ipv6 filter Syntax ipv6 filter entry entry id Context clear cpm filter Description This command clears IPv6 filter information Parameters entry entry id Specifies a particular C...

Page 241: ...ommand clears the records of sources exceeding their per source rate limit protocol protection Syntax protocol protection Context clear cpu protection Description This command clears the interface cou...

Page 242: ...ears CPM queue information Parameters queue id Specifies the CPM queue ID Values 33 2000 radius proxy server Syntax radius proxy server server name statistics Context clear router Description This com...

Page 243: ...d disables the debugging Parameters detail Displays detailed output hex Displays the packet dump in hex format ocsp Syntax no ocsp Context debug Description This command enables debug output of OCSP p...

Page 244: ...Debug Commands Page 244 7950 SR OS System Management Guide...

Page 245: ...6 SNMP Architecture on page 246 Management Information Base on page 246 SNMP Protocol Operations on page 247 SNMP Versions on page 247 Management Information Access Control on page 248 User Based Secu...

Page 246: ...or store set a value in the agent The manager uses definitions in the management information base MIB to perform operations on the managed device such as retrieving values from variables or blocks of...

Page 247: ...nificant events that occur on the router SNMP Versions The agent supports multiple versions of the SNMP protocol SNMP Version 1 SNMPv1 is the original Internet standard network management framework SN...

Page 248: ...al views which specify more specific OIDs MIB objects in the subtree can be configured Access to the management information in as SNMPv1 SNMPv2c agent is controlled by the inclusion of a community nam...

Page 249: ...to different organizations A view defines a subset of the agent s managed objects controlled by the access rules associated with that view Pre defined views are available that are particularly useful...

Page 250: ...y the router can be modified SNMP authentication allows the device to validate the managing node that issued the SNMP message and determine if the message has been tampered with User access and authen...

Page 251: ...SNMPv2c implementations are restricted read only access which in turn reduces the effectiveness of a network monitor in which network control applications cannot be supported To implement SNMPv3 an au...

Page 252: ...uration and Implementation Flow Yes Yes No No SNMPv3 Use Predefined Access Group Configuration Start Configure Community String with R RW RWAAccess SNMPv1 SNMPv2cONLY Configure Views Configure Access...

Page 253: ...tifications are issued if an SNMP trap group has been configured In order to enable SNMP the portions of the configuration that failed to load must be initialized properly Start SNMP with the config s...

Page 254: ...Configuration Notes Page 254 7950 SR OS System Management Guide...

Page 255: ...Configuring SNMP with CLI This section provides information about configuring SNMP with CLI Topics in this chapter include SNMP Configuration Overview on page 256 Basic SNMP Security Configuration on...

Page 256: ...g with a specific access method and the required SNMP version SNMPv1 or SNMPv2c The access methods are Read Only Grants read only access to the entire management structure with the exception of the se...

Page 257: ...1 mask ff type included exit view no security subtree 1 3 6 1 6 3 15 1 1 mask ff type included exit access group snmp ro security model snmpv1 security level no auth no privacy read no security notify...

Page 258: ...nity Options on page 263 Configuring Other SNMP Parameters on page 264 CLI Syntax config system security snmp attempts count time minutes1 lockout minutes2 community community string access permission...

Page 259: ...write and read write all permission for the MIB objects accessible to the community The SNMP version SNMPv1 or SNMPv2c Default access features are pre configured by the agent for SNMPv1 SNMPv2c Use t...

Page 260: ...value mask mask value type included excluded The following displays a view configuration example A cses A13 config system security snmp info view testview subtree 1 mask ff exit view testview subtree...

Page 261: ...stem security snmp access group group name security model security model secu rity level security level context context name pre fix match read view name 1 write view name 2 notify view name 3 The fol...

Page 262: ...r user name access ftp snmp console snmp authentication none hash md5 key sha key privacy none des key aes 128 cfb key key group group name The following displays a user s SNMP configuration example A...

Page 263: ...community options CLI Syntax config system security snmp usm community community string group group name The following displays a SNMP community configuration example A ALA 1 config system security s...

Page 264: ...modify the system SNMP options CLI Syntax config system snmp engineID engine id general port port packet size bytes no shutdown The following example displays the system SNMP default values A ALA 104...

Page 265: ...l context context name prefix match read view name 1 write view name 2 notify view name 3 no access group group name security model security model secu rity level security level context context name p...

Page 266: ...ystem security no user user name no snmp authentication none hash md5 key 1 sha key 1 privacy none des key aes 128 cfb key key 2 group group name no group Show Commands show snmp counters streaming co...

Page 267: ...l SNMPv3 MD5 and SHA security digest keys and may render the node unmanageable When a chassis is replaced use the engine ID of the first system and configure it in the new system to preserve SNMPv3 se...

Page 268: ...nted The no form of this command to revert to default Default 1500 bytes Parameters bytes The SNMP packet size in bytes Values 484 9216 snmp Syntax snmp Context config system Description This command...

Page 269: ...sables SNMP agent operations System management can then only be performed using the command line interface CLI Shutting down SNMP does not remove or change configuration parameters other than the admi...

Page 270: ...el snmpv1 snmpv2c usm security level no auth no privacy auth no privacy privacy Default none Parameters group name Specify a unique group name up to 32 characters security model snmpv1 snmpv2c usm Spe...

Page 271: ...pts Syntax attempts count time minutes1 lockout minutes2 no attempts Context config system security snmp Description This command configures a threshold value of unsuccessful SNMP connection attempts...

Page 272: ...oves a community string Default none Parameters community string Configure the SNMPv1 SNMPv2c community string access permissions r Grants only read access to objects in the MIB except security object...

Page 273: ...view according to the value of vacmViewTreeFamilyType in the entry whose value of vacmViewTreeFamilySubtree has the most sub identifiers The no form of this command removes the mask from the configur...

Page 274: ...ring This group must be configured first in the config system security snmp access group context Default none view Syntax view view name subtree oid value no view view name subtree oid value Context c...

Page 275: ...mple 1 3 6 1 6 3 11 2 1 combined with the mask and include and exclude statements configures the access available in the view It is possible to have a view with different subtrees with their own masks...

Page 276: ...SNMP Security Commands Page 276 7950 SR OS System Management Guide...

Page 277: ...s delivered to SNMP from the transport service in gets Displays the number of SNMP get request PDUs accepted and pro cessed by SNMP in getnexts Displays the number of SNMP get next PDUs accepted and p...

Page 278: ...utput Counters Output The following table describes SNMP streaming counters output fields Output Counters Output The following table describes SNMP streaming counters output fields Sample Output A Dut...

Page 279: ...390 north and longitude 122 0550 west System Up Time The time since the last reboot SNMP Port The port which SNMP sends responses to management requests SNMP Engine ID The ID for either the local or r...

Page 280: ...RL and filename of the configuration file used for the most recent boot Last Boot Cfg Version Displays the version of the configuration file used for the most recent boot Last Boot Config Header Displ...

Page 281: ...oot up configuration file execution Not used No CLI script file was executed Cfg Fail Script Status Successful Failed The results from the execution of the CLI script file specified in the Cfg Fail Sc...

Page 282: ...106 cfg Last Boot Cfg Version WED MAY 23 11 58 26 2012 UTC Last Boot Config Header TiMOS C 0 0 I3339 cpm i386 ALCATEL XRS 7950 Copyright c 2000 2012 Alcatel Lucent All rights reserved All use subject...

Page 283: ...P Oper State Enabled SNMP Index Boot Status Not Persistent SNMP Sync State OK Telnet SSH FTP Admin Enabled Enabled Disabled Telnet SSH FTP Oper Up Up Down BOF Source cf1 Image Source primary Config So...

Page 284: ...scribes the access group output fields Sample Output A ALA 1 show system security access group Access Groups group name security security read write notify model level view view view Table 25 Show Sys...

Page 285: ...rite notify model level view view view snmp ro snmpv1 none no security no security No of Access Groups A ALA 1 authentication Syntax authentication statistics Context show system security Description...

Page 286: ...g table describes the communities output fields single connection Specifies whether a single connection is established with the server The connection is kept open and is used by all the TELNET SSH FTP...

Page 287: ...escription This command displays password options Table 26 Show Communities Output Fields Label Description Community The community string name for SNMPv1 and SNMPv2c access only Access r The communit...

Page 288: ...by PPQ CPM filter SAP etc Label Description Password aging in days Number of days a user password is valid before the user must change his password Number of invalid attempts permit ted per login Disp...

Page 289: ...profile If no profile name is displayed the entire list of profile names are listed Output Profile Output The following table describes the profile output fields Label Description Per Peer Queuing Di...

Page 290: ...ser to execute the config system security command enable admin Enables the user to enter a special administra tive mode by entering the enable admin command exec Enables the user to execute exec the c...

Page 291: ...it Entry 80 Description Match Command enable admin Action permit User Profile administrative Def Action permit all Entry 10 Description Match Command configure system security Action permit Entry 20 D...

Page 292: ...cription SSH status SSH is enabled Displays that SSH server is enabled SSH is disabled Displays that SSH server is disabled Key fingerprint The key fingerprint is the server s identity Clients trying...

Page 293: ...name of a system user Need New PWD Yes The user must change his password at the next login No The user is not forced to change his password at the next login User Permission Console Specifies whether...

Page 294: ...1 included no security 1 3 6 1 6 3 15 1 1 included No of Views 6 A ALA 1 Table 29 Show System Security View Output Fields Label Description View name The name of the view Views control the accessibili...

Page 295: ...detail Views view name oid tree mask permission no security 1 included no security 1 3 6 1 6 3 excluded no security 1 3 6 1 6 3 10 2 1 included no security 1 3 6 1 6 3 11 2 1 included no security 1 3...

Page 296: ...Show Commands Page 296 7950 SR OS System Management Guide...

Page 297: ...8 Log Destinations on page 300 Event Logs on page 305 Event Sources on page 306 Event Control on page 307 Log Manager and Event Logs on page 308 Event Filter Policies on page 309 Event Log Entries on...

Page 298: ...The following are events within the OS and have the following characteristics A time stamp in UTC or local time The generating application A unique event ID within the application The VRF ID A subjec...

Page 299: ...bout customer service trends for potential service revenue opportunities Accounting statistics on network ports can be used to track link utilization and network traffic pattern trends This informatio...

Page 300: ...ending events to a console destination means the message will be sent to the system console The console device can be used as an event log destination Session A session destination is a temporary log...

Page 301: ...ay be longer than the configured value The retention time for a log file specifies the amount of time the file should be retained on the system based on the creation date and time of the file When a l...

Page 302: ...re yyyy is the four digit year for example 2007 mm is the two digit number representing the month for example 12 for December dd is the two digit number representing the day of the month for example 0...

Page 303: ...r SNMP traps that will be sent out of band through the Management Ethernet port on the SF the source IP address of the trap is the IP interface address defined on the Management Ethernet port For SNMP...

Page 304: ...to syslog severities Table 31 Router to Syslog Severity Level Mappings Severity Level Numerical Severity highest to lowest Syslog Configured Severity Definition 0 emergency System is unusable 3 1 aler...

Page 305: ...generated by the system by applications or processes within the router Figure 7 depicts a function block diagram of event logging Figure 7 Event Logging Block Diagram Logs CLI0001B EVENT SOURCES EVEN...

Page 306: ...ion or operation of the node Change events are generated by the USER application The Change event stream also includes the tmnxConfigModify 2006 tmnxConfigCreate 2007 tmnxConfigDelete 2008 and tmnxSta...

Page 307: ...er method of event control and is configured similarly to the generation and suppression options See Simple Logger Event Throttling on page 312 Events are assigned a default severity level in the syst...

Page 308: ...be configured at a time One or more log sources The source stream or streams to be sent to log destinations can be specified The source must be identified before the destination can be specified The...

Page 309: ...e treated if they have met the match criteria Entries are evaluated in order from the lowest to the highest entry ID The first matching event is subject to the forward or drop action for that entry Va...

Page 310: ...A subject identifying the affected object A short text description The general format for an event in an event log with either a memory console or file destination is as follows nnnn YYYY MM DD HH MM...

Page 311: ...AJOR A major severity event severity level 4 MINOR A minor severity event severity level 5 WARNING A warning severity event severity 6 application The application generating the log message event_id T...

Page 312: ...and therefore no way to retrieve event history data lost by this throttling method A particular event type can be generated by multiple managed objects within the system At the point this throttling...

Page 313: ...which logs events from the main event source not security debug etc Log 99 exists by default The following example displays the log 99 configuration ALA 1 config log info detail echo Log Configuration...

Page 314: ...de field descriptions When creating accounting policies one service accounting policy and one network accounting policy can be defined as default If statistics collection is enabled on a SAP or networ...

Page 315: ...PacketsOffered ood OutOfProfileOctetsDropped oof OutOfProfileOctetsForwarded ooo OutOfProfileOctetsOffered uco UncoloredOctetsOffered Table 35 Queue Group Record Types Record Name Description qgone Po...

Page 316: ...port based Queue Groups member port LAGMemberPort used for port based Queue Groups data slot Slot used for Forwarding Plane based Queue Groups forwarding plane ForwardingPlane used for Forwarding Plan...

Page 317: ...like rollover and retention are discussed in more detail in Log Files on page 301 Design Considerations The router has ample resources to support large scale accounting policy deployments When prepari...

Page 318: ...edefined records containing a given field for XML field name of a custom record field Changed Statistics Only A record is only generated if a significant change has occurred to the fields being writte...

Page 319: ...ficant change in corresponding counters A significant change is defined in terms of a cumulative value the sum of all reference counters This concept is applicable to all methods used for gathering ac...

Page 320: ...s deleted or changed the latest information will be written in the XML file with a final tag indication in the record header AA Accounting per Forwarding Class This feature allows the operator to repo...

Page 321: ...lied to a log File IDs syslog IDs or SNMP trap groups must be configured before they can be applied to a log ID A file ID can only be assigned to either one log ID or one accounting policy Accounting...

Page 322: ...Configuration Notes Page 322 7950 SR OS System Management Guide...

Page 323: ...LI This section provides information to configure logging using the command line interface Topics in this section include Log Configuration Overview on page 324 Log Types on page 324 Basic Event Log C...

Page 324: ...arms traps and debug information to their respective targets SNMP trap groups SNMP trap groups contain an IP address and community names which identify targets to send traps following specified events...

Page 325: ...g destination The following displays a log configuration example A ALA 12 config log info echo Log Configuration event control 2001 generate critical file id 1 description This is a test file id locat...

Page 326: ...log Target on page 340 Configuring an Event Log A event log file contains information used to direct events alarms traps and debug information to their respective destinations One or more event source...

Page 327: ...OS System Management Guide Page 327 The following displays a log file configuration example ALA 12 config log log id info log id 2 description This is a test log file filter 1 from main security to fi...

Page 328: ...before it is closed and a new log file is created The retention interval determines how long the file will be stored on the CF before it is deleted Use the following CLI syntax to configure a log fil...

Page 329: ...type and collection interval Only one record type can be configured per accounting policy When creating accounting policies one service accounting policy and one network accounting policy can be defi...

Page 330: ...ypes that have throttling enabled by this event control command CLI Syntax config log event control application id event name event number gen erate severity level throttle event control application i...

Page 331: ...to all event types that have throttling enabled by the event control command Use the following CLI syntax to configure the throttle rate CLI Syntax config log throttle rate events interval seconds Th...

Page 332: ...event id router eq neq router instance regexp severity eq neq lt lte gt gte severity level subject eq neq subject regexp The following displays a log filter configuration example A ALA 12 config log i...

Page 333: ...ays a basic SNMP trap group configuration example A ALA 12 config log info snmp trap group 2 trap target 10 10 10 104 5 snmpv3 notify community coummunitystring exit log id 2 description This is a tes...

Page 334: ...ap target test2 address 20 20 20 5 snmpv2c notify community xyztesting A SetupCLI config log snmp trap group In the following output note that the Replay field changed from disabled to enabled A Setup...

Page 335: ...test index 35 changed administrative state inService operational state inService 3817 2008 04 22 23 35 39 89 UTC WARNING SNMP 2005 Base xyz test Interface xyz test is operational 3816 2008 04 22 23 3...

Page 336: ...t Example config log snmp trap group exit all configure port 1 1 1 shutdown tools perform log test event The Replay from field is updated with the sequence id of the first event that will be replayed...

Page 337: ...OGGER 2011 Base Event Test Test event has been generated with system object identifier tmnxModelSR12Reg System description TiMOS B 0 0 private both i386 ALCATEL SR 7750 Copyright c 2000 2008 Alcatel L...

Page 338: ...eplayed and the Last replay field timestamp has been updated A SetupCLI show log snmp trap group 44 SNMP Trap Group 44 Description none Name xyz test Address 10 10 10 3 Port 162 Version v2c Community...

Page 339: ...ted with system object identifier tmnxModelSR12Reg System description TiMOS B 0 0 private both i386 ALCATEL SR 7750 Copyright c 2000 2008 Alcatel Lucent All rights reserved All use subject to applicab...

Page 340: ...syslog file CLI Syntax config log syslog syslog id description description string address ip address log prefix log prefix string port port level emergency alert critical error warning notice in fo de...

Page 341: ...change 20 ref queue all i counters in profile packets forwarded count out profile packets forwarded count exit e counters in profile packets forwarded count out profile packets forwarded count exit ex...

Page 342: ...g class exit to aa sub counters flows admitted count flows denied count flows active count packets admitted count octets admitted count packets denied count octets denied count max throughput octet co...

Page 343: ...page 346 Modifying a File ID on page 347 Deleting a File ID on page 348 Modifying a Syslog ID on page 349 Deleting a Syslog on page 350 Modifying an SNMP Trap Group on page 351 Deleting an SNMP Trap G...

Page 344: ...o memory size to session to snmp size to syslog syslog id The following displays the current log configuration ALA 12 config log log id info log id 2 description This is a test log file filter 1 from...

Page 345: ...7950 SR OS System Management Guide Page 345 The following displays the modified log file configuration A ALA 12 config log info log id 2 description Chassis log file filter 2 from security to file 1...

Page 346: ...1 description LocationTest location cf1 rollover 600 retention 24 exit log id 2 description Chassis log file filter 2 from security to file 1 exit A ALA 12 config log Use the following CLI syntax to...

Page 347: ...CLI Syntax config log file id log file id description description string location cflash id rollover minutes retention hours The following displays the current log configuration A ALA 12 config log i...

Page 348: ...a File ID NOTE All references to the file ID must be deleted before the file ID can be removed Use the following CLI syntax to delete a log ID CLI Syntax config log no file id log file id The followin...

Page 349: ...ix log prefix string port port level emergency alert critical error warning notice in fo debug facility syslog facility The following displays an example of the syslog ID modifications Example config...

Page 350: ...OS System Management Guide Deleting a Syslog Use the following CLI syntax to delete a syslog file CLI Syntax config log no syslog syslog id The following displays an example to delete a syslog ID Exam...

Page 351: ...roup configuration A ALA 12 config log info snmp trap group 10 trap target 10 10 10 104 5 snmpv3 notify community coummunitystring exit A ALA 12 config log The following displays an example of the com...

Page 352: ...t name The following displays the SNMP trap group configuration A ALA 12 config log info snmp trap group 10 trap target 10 10 0 91 1 snmpv2c notify community com1 exit A ALA 12 config log The followin...

Page 353: ...erity level subject eq neq subject regexp The following output displays the current log filter configuration ALA 12 config log info echo Log Configuration filter 1 default action drop description This...

Page 354: ...2001 config log filter entry match no severity config log filter entry match exit The following displays the log filter configuration A ALA 12 config log filter info filter 1 description This allows...

Page 355: ...no filter filter id The following output displays the current log filter configuration A ALA 12 config log filter info filter 1 description This allows n entry 1 action drop match application eq user...

Page 356: ...rottle event control application id event name event number sup press The following displays the current event control configuration A ALA 12 config log info event control 2014 generate critical A ALA...

Page 357: ...no event control 2002 config log no event control 2014 A ALA 12 config log info detail echo Log Configuration event control 2001 generate minor event control 2002 generate warning event control 2003 g...

Page 358: ...Log Management Tasks Page 358 7950 SR OS System Management Guide...

Page 359: ...ds on page 366 Clear Command on page 366 Log Configuration Commands config log app route notifications no cold start wait no route recovery wait event control application id event name event number ge...

Page 360: ...y Commands config log collection interval minutes no collection interval accounting policy acct policy id no accounting policy acct policy id no default description description string no description n...

Page 361: ...tted count no packets denied count e counters all no e counters no in profile octets discarded count no in profile octets forwarded count no in profile packets discarded count no in profile packets fo...

Page 362: ...count ref aa specific counter any no ref aa specific counter ref override counter ref override counter id ref override counter all no ref override counter e counters all no e counters no in profile oc...

Page 363: ...ount no high octets discarded count no high octets offered count no high packets discarded count no high packets offered count no in profile octets forwarded count no in profile packets forwarded coun...

Page 364: ...o action description description string no description no match application eq neq application id no application number eq neq lt lte gt gte event id no number router eq neq router instance regexp no...

Page 365: ...down no shutdown time format local utc to console to file log file id to memory size to session to snmp size to syslog syslog id SNMP Trap Group Commands config log no snmp trap group log id descripti...

Page 366: ...ug no level log prefix log prefix string no log prefix port port no port Show Commands show log accounting policy acct policy id access network accounting records applications event control applicatio...

Page 367: ...guration The string must be entered Parameters string The description can contain a string of up to 80 characters composed of printable 7 bit ASCII characters If the string contains special characters...

Page 368: ...ailable route For example this delay may be used to increase the chances that other system modules such as IOMs XCMs MDAs XMAs are fully programmed with the new route before the application takes acti...

Page 369: ...ted regardless of the destination While this feature can save processor resources there may be a negative effect on the ability to troubleshoot problems if the logging entries are squelched In reverse...

Page 370: ...en the events are generated by default Default generate specific throttle rate events limit The log event throttling rate can be configured independently for each log event using this keyword This spe...

Page 371: ...og messages Default outband secondary Specifies the secondary routing preference for traffic generated for SNMP notifications and syslog messages The routing context specified by the secondary route p...

Page 372: ...e that must be stored in the file system A file is created when the file ID defined in this command is selected as the destination type for a specific log or accounting record Log files are collected...

Page 373: ...umber for the file expressed as a decimal integer Values 1 99 location Syntax location cflash id backup cflash id no location Context config log file file id Description This command specifies the pri...

Page 374: ...le file id Description This command configures how often an event or accounting log is rolled over or partitioned into a new file An event or accounting log is actually composed of multiple individual...

Page 375: ...hich causes those logs to forward all events Default No event filters are defined Parameters filter id The filter ID uniquely identifies the filter Values 1 1000 default action Syntax default action d...

Page 376: ...Description This command is used to create or edit an event filter entry Multiple entries may be created using unique entry id numbers The TiMOS implementation exits the filter on the first match foun...

Page 377: ...eters entry id The entry ID uniquely identifies a set of match criteria corresponding action within a filter Entry ID values should be configured in staggered increments so you can insert a new entry...

Page 378: ...per entry The no form of the command removes the match criteria for the entry id Default No match context is defined application Syntax application eq neq application id no application Context config...

Page 379: ...terion is specified Parameters eq neq lt lte gt gte This operator specifies the type of match Valid operators are listed in the table below Valid operators are event id The event ID expressed as a dec...

Page 380: ...and can be entered per event filter entry The latest severity command overwrites the previous command The no form of the command removes the severity match criterion Default no severity No severity le...

Page 381: ...mand removes the subject match criterion Default no subject No subject match criterion specified Parameters eq neq This operator specifies the type of match Valid operators are listed in the following...

Page 382: ...D number for the syslog destination expressed as a decimal integer Values 1 10 address Syntax address ip address no address Context config log syslog syslog id Description This command adds the syslog...

Page 383: ...t with a given facility code The no form of the command reverts to the default value Default local7 syslog entries are sent with the local7 facility code Parameters syslog facility The syslog facility...

Page 384: ...strings are entered the last string overwrites the previous string The alphanumeric string can contain lowercase a z uppercase A Z and numeric 0 9 characters The no form of the command removes the log...

Page 385: ...dard UDP syslog port 514 Only one port can be configured If multiple port commands are entered the last entered port overwrites the previously entered ports The no form of the command reverts to defau...

Page 386: ...log events that can be logged within the specified interval for a specific event Once the limit has been reached any additional events of that type will be dropped for example the event drop count wil...

Page 387: ...SNMP trap group Default There are no default SNMP trap groups Parameters log id The log ID value of a log configured in the log id context Alarms and traps cannot be sent to the trap receivers until a...

Page 388: ...n expressed as a deci mal integer Only one port can be specified per trap target statement If multiple traps need to be issued to the same address then multiple ports must be configured Default 162 Va...

Page 389: ...onfigured the security name must be configured for authentica tion The keyword privacy specifies both authentication and privacy encryption is required When this option is configured the security name...

Page 390: ...mand removes the specified event filter from the log id Default no filter No event filter policy is specified for a log id Parameters filter id The event filter policy ID is used to associate the filt...

Page 391: ...Instructs all debug trace messages in the debug stream to be sent to the destination configured in the to command for this destination log id Filters applied to debug messages are limited to applicat...

Page 392: ...eds to be modified the log ID must be removed and then re created Default No destination is specified to file Syntax to file log file id Context config log log id log id Description This command speci...

Page 393: ...created Default none Parameters size The size parameter indicates the number of events that can be stored in the memory Default 100 Values 50 1024 to session Syntax to session Context config log log...

Page 394: ...e The size parameter defines the number of events stored in this memory log Default 100 Values 50 1024 to syslog Syntax to syslog syslog id Context config log log id Description This is one of the com...

Page 395: ...scription This command specifies whether the time should be displayed in local or Coordinated Universal Time UTC format Default utc Parameters local Specifies that timestamps are written in the system...

Page 396: ...ed to be written before a new access default policy can be configured Network accounting policies are policies that can be applied to one or more network ports Any changes made to an existing policy u...

Page 397: ...efined on a network port accounting records will be produced in accordance with the default network policy If no network default policy is created then no accounting records will be collected other th...

Page 398: ...ng Policy Commands Page 398 7950 SR OS System Management Guide When the no version of this command is selected optional router information is not include at the top of the file Default no include rout...

Page 399: ...octets 15 6 network egress octets 15 7 network ingress packets 15 8 network egress packets 15 9 compact service ingress octets 5 10 combined service ingress 5 11 combined network ing egr octets 15 12...

Page 400: ...red modifies the record from network to service or from service to network then the old record name must be removed using the no form of this command Only one record may be configured in a single acco...

Page 401: ...complete subscriber ingress egress 5 17 aa protocol 15 18 aa application 15 19 aa app group 15 20 aa subscriber protocol 15 21 aa subscriber application 15 23 custom record subscriber 5 24 custom rec...

Page 402: ...6 complete subscriber ingress egress 5 17 aa protocol 15 18 aa application 15 19 aa app group 15 20 aa subscriber protocol 15 21 aa subscriber application 15 23 custom record subscriber 5 24 custom re...

Page 403: ...nfig log file context A file id can only be used once The file is generated when the file policy is referenced This command identifies the type of accounting file to be created The file definition def...

Page 404: ...ng Policy Commands Page 404 7950 SR OS System Management Guide If the to command is executed while the accounting policy is in operation then it becomes active during the next collection interval Valu...

Page 405: ...0 Parameters minutes Specifies the collection interval in minutes Values 5 120 custom record Syntax no custom record Context config log acct policy Description This command enables the context to conf...

Page 406: ...es the admitted flow count The no form of the command excludes the flow s admitted count in the AA subscriber s custom record Default no flows admitted count flows denied count Syntax no flows denied...

Page 407: ...Syntax no octets denied count Context config log acct policy cr aa aa from sub cntr config log acct policy cr aa aa to sub cntr Description This command includes the denied octet count in the AA subs...

Page 408: ...parameters The no form of the command excludes the to subscriber count queue Syntax no queue queue id Context config log acct policy cr Description This command specifies the queue id for which count...

Page 409: ...ontext config log acct policy cr oc e count config log acct policy cr roc e count config log acct policy cr queue e count config log acct policy cr ref queue e count Description This command includes...

Page 410: ...rwarded count Context config log acct policy cr oc e count config log acct policy cr roc e count config log acct policy cr queue e count config log acct policy cr ref queue e count Description This co...

Page 411: ...carded count Context config log acct policy cr oc e count config log acct policy cr roc e count config log acct policy cr queue e count config log acct policy cr ref queue e count Description This com...

Page 412: ...config log acct policy cr oc i count config log acct policy cr roc i count config log acct policy cr queue i count config log acct policy cr ref queue i count Description This command includes all pac...

Page 413: ...policy cr oc i count config log acct policy cr roc i count config log acct policy cr queue i count config log acct policy cr ref queue i count Description This command includes the high packets disca...

Page 414: ...warded count Context config log acct policy cr oc i count config log acct policy cr roc i count config log acct policy cr queue i count config log acct policy cr ref queue i count Description This com...

Page 415: ...t Syntax no low octets offered count Context config log acct policy cr oc i count config log acct policy cr roc i count config log acct policy cr queue i count config log acct policy cr ref queue i co...

Page 416: ...cy cr roc i count config log acct policy cr queue i count config log acct policy cr ref queue i count Description This command includes the out of profile packets forwarded count The no form of the co...

Page 417: ...not they have changed within the last accounting interval Parameters any Indicates that a record is collected as long as any field records activity when non zero significant change value is configure...

Page 418: ...ange Context config log acct policy cr Description This command configures the significant change required to generate the record Parameters delta Specifies the delta change significant change that is...

Page 419: ...iption Policy ID The identifying value assigned to a specific policy Type Identifies accounting record type forwarded to the configured account ing file access Indicates that the policy is an access a...

Page 420: ...lect Stats Svc Id 101 SAP 1 1 8 1 Collect Stats Svc Id 102 SAP 1 1 8 2 Collect Stats Svc Id 103 SAP 1 1 8 3 Collect Stats Svc Id 104 SAP 1 1 8 4 Collect Stats Svc Id 105 SAP 1 1 8 5 Collect Stats Svc...

Page 421: ...nting records Context show log Description This command displays accounting policy record names Output Accounting Records Output The following table describes accounting records output fields Sample O...

Page 422: ...ts 5 13 complete service ingress egress 5 14 combined sdp ingress egress 5 15 complete sdp ingress egress 5 16 complete subscriber ingress egress 5 17 aa protocol 15 18 aa application 15 19 aa app gro...

Page 423: ...ebug igmp lldp mirror ospf pim port snmp system user vrtr event name Only displays event control for the named application event Default All events for the application event number Only displays event...

Page 424: ...MallocFailed MA gen 0 0 L 2007 ipArpBadInterface MI gen 0 0 L 2008 ipArpDuplicateIpAddress MI gen 0 0 L 2009 ipArpDuplicateMacAddress MI gen 0 0 ISIS 2001 vRtrIsisDatabaseOverload WA gen 0 0 2002 vRtr...

Page 425: ...d MI gen 0 0 VRTR 2001 tmnxVRtrMidRouteTCA MI gen 0 0 2002 tmnxVRtrHighRouteTCA MI gen 0 0 2003 tmnxVRtrHighRouteCleared MI gen 0 0 2004 tmnxVRtrIllegalLabelTCA MA gen 0 0 2005 tmnxVRtrMcastMidRouteTC...

Page 426: ...show log Description This command displays event file log information If no command line parameters are specified a summary output of all event log files is displayed Specifying a file ID displays de...

Page 427: ...f1 file name expired state cf1 log log0302 20060501 012205 yes complete cf1 log log0302 20060501 014049 yes complete cf1 log log0302 20060501 015344 yes complete cf1 log log0302 20060501 015547 yes in...

Page 428: ...d Log Filters Filter Applied Default Description Id Action 1 no forward 5 no forward 10 no forward 1001 yes drop Collect events for Serious Errors Log A ALA 48 config log Table 39 Event Log Filter Sum...

Page 429: ...on for the event log filter is to forward events not matching filter entries Description Filter id The description string for the filter ID Table 41 Log Filter Match Criteria Output Fields Label Descr...

Page 430: ...erion warning The log event filter entry application event severity warning match criterion Subject Displays the event log filter entry application event ID subject string match criterion Router Displ...

Page 431: ...the events that are not explicitly directed to any other event stream Security The security stream contains all events that affect attempts to breach system security such as failed login attempts att...

Page 432: ...n to the console or not A user logged in to the console device or connected to the CLI via a remote telnet or SSH session can also create a log with a destination type of session Events are displayed...

Page 433: ...n of an SNMP or file log or a memory log for this parameter to be used Default Displays the event log summary Values 1 99 severity severity level Displays only events with the specified and higher sev...

Page 434: ...this log s source event stream to limit the events output to this log s destination If the value is 0 then all events in the source log are forwarded to the destination Admin State Up Indicates that t...

Page 435: ...ottle interval 10 configuration modified 67 2007 01 25 00 34 53 97 UTC CRITICAL SYSTEM 2029 Base Redundancy The active CPM card A is operating in singleton mode There is no standby CPM card 66 2007 01...

Page 436: ...t show log Description This command displays SNMP trap group configuration information Parameters log id Displays only SNMP trap group information for the specified trap group log ID Values 1 99 Outpu...

Page 437: ...d Replay from n a Last replay never A SetupCLI config log snmp trap group syslog Syntax syslog syslog id Context show log Description This command displays syslog event log destination summary informa...

Page 438: ...ending syslog messages Facility The facility code for messages sent to the syslog target host Severity Level The syslog message severity level threshold Below Level Dropped A count of messages not sen...

Page 439: ...Event and Accounting Logs 7950 SR OS System Management Guide Page 439 Below Level Drop 0 Description Linux Station Springsteen A MV SR config log...

Page 440: ...vent log ID Memory logs are reinitialized and cleared of contents File logs are manually rolled over by this command This command is only applicable to event logs that are directed to file destination...

Page 441: ...ion about configuring event and accounting logs in the system Topics in this chapter include Facility Alarms Overview on page 442 Facility Alarms vs Log Events on page 443 Facility Alarm Severities an...

Page 442: ...s CLI display show routines allows the system operator to easily identify current facility alarm conditions and recently cleared alarms without searching event logs or monitoring various card and port...

Page 443: ...alarm Log event filtering throttling and discarding of events during overload do not affect Facility Alarm processing Log events are processed by the Facility Alarm module before they are discarded i...

Page 444: ...as Log events that use the term alarm tmnxEqPortSonetAlarm configure card fp hi bw mcast src alarm configure mcast management multicast info policy bundle channel source override video analyzer alarms...

Page 445: ...ted LED on the CPM CCM Major with an associated LED on the CPM CCM Minor with an associated LED on the CPM CCM Warning no LED Alarms inherit their severity from the raising event Log events that are a...

Page 446: ...port alarm is cleared and a card alarm will be active for the MDA XMA If the MDA XMA comes back into service and the port is still down then a port alarm becomes active once again The supported Facili...

Page 447: ...1 tmnxEqPowerSupplyFailureDc Power supply 2 DC failure tmnxChassisNotification Clear 7 2011 1 tmnxEqPowerSupplyRemoved Power supply 1 power lost tmnxEqPowerSupplyInser ted 7 2017 1 tmnxEqSyncIfTiming...

Page 448: ...output failure tmnxChassisNotification Clear 7 2073 x same as 7 2019 x but for the BITS2 input same as 7 2019 x but for the BITS2 input same as 7 2019 x but for the BITS2 input 59 2004 1 linkDown Int...

Page 449: ...rd that has been removed IOM XCM or MDA XMA removal will cause a loss of service for all services running on that card A fabric removal can impact traffic to from all cards Before taking any recovery...

Page 450: ...be required The power supply itself may be faulty so replacement may be necessary 7 2008 1 tmnxEqPowerSupplyFail ureAc Generated when an AC failure is detected on a power supply Reduced power can cau...

Page 451: ...will have the same indices as those of the tmnxCpmCardTable Timing reference 1 cannot be used as a source of timing into the central clock Address issues with the signal associated with timing referen...

Page 452: ...one IOM XCM is still running older software A s w mismatch between the CPM and IOM XCM is generally fine for a short duration during an upgrade but may not allow for correct long term operation Comple...

Page 453: ...es that the SNMP entity acting in an agent role has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state but not from the not...

Page 454: ...Facility Alarm List Page 454 7950 SR OS System Management Guide...

Page 455: ...BGP RFC 1997 BGP Communities Attribute RFC 2385 Protection of BGP Sessions via MD5 RFC 2439 BGP Route Flap Dampening RFC 2558 Multiprotocol Extensions for BGP 4 RFC 2918 Route Refresh Capability for B...

Page 456: ...ietf isis wg multi topology xx txt Multicast RFC 1112 Host Extensions for IP Multicasting Snooping RFC 2236 Internet Group Management Protocol Snooping RFC 3376 Internet Group Management Protocol Ver...

Page 457: ...ched MPLS Data Plane Failures RFC 6425 Detecting Data Plane Failures in Point to Multipoint Multiprotocol Label Switching MPLS Extensions to LSP Ping MPLS TP 7750 7450 only RFC 5586 MPLS Generic Assoc...

Page 458: ...329 5 Annex E extensions QoS Measurement for VoIP Method for determining an Equipment Impairment Factor using Passive Monitoring ITU T Rec P 564 Conformance testing for voice over IP transmission qual...

Page 459: ...Management Information Base for IPv6 Textual Conventions and General Group RFC 2558 SONET MIB RFC 2571 SNMP Framework MIB RFC 2572 SNMP MPD MIB RFC 2573 SNMP Target notification MIB RFC 2574 SNMP Use...

Page 460: ...Standards and Protocols Page 460 Standards and Protocols...

Page 461: ...ups 303 syslog 303 configuring accounting policy 329 basic 325 command reference file ID commands 363 filter commands 363 log ID commands 365 syslog commands 366 event control 330 event log 326 file I...

Page 462: ...SNMP overview access control 248 access groups 249 users 250 USMs 249 views 249 architecture 246 MIBs 246 versions 247 configuring access options 261 basic 257 command reference security commands 265...

Reviews:

No comments