
IPsec Interoperability of OA-700

CLI Configuration Guide

Alcatel-Lucent

CONFIGURATION

CONFIGURING OA-700

Current Configuration:
!
! NVRAM config last updated at 15:42:46 GMT Mon Jan 24 2000 from line 0
!
 Statlog Configuration
!
statlog logging: enabled
    console logging: level debugging
    monitor logging: level debugging
    os logging: level informational
    buffer logging: level debugging
    external server logging: level informational
log buffer size:   (131072 bytes)
log timestamp enabled
!
! Port Based VLAN Global Configurations!
!
! VLAN Table Static Configurations!
!
!
! Bridge Configuration
!
!
interface GigabitEthernet3/0
 ip address 192.168.1.1/24
!
! Port Based VLAN Interface Configurations!
 no shutdown
!
interface GigabitEthernet3/1
 ip address 203.124.152.254/24
!
! Port Based VLAN Interface Configurations!
 no shutdown
!
!
ip route 0.0.0.0/0 203.124.152.50
!
!
!

Match-list created for the two subnets to communicate with each other:

match-list m1
1 ip prefix 192.168.1.0/24 prefix 10.91.10.0/24
!

Summary of Contents for OmniAccess 700

Page 1: ...r Support 800 995 2696 International Customer Support 818 878 4507 Internet service esd alcatel lucent com Website www alcatel lucent com Part No 060223 00 Rev B For final production import color definitions from daldoc01 docteam templates framemaker book template color defs production colors fm OmniAccess 700 CLI Configuration Guide Release Versions 2 2 2 2 R02 2 3 ...

Page 2: ...nstallation instructions it may not function exactly to the said specifications Modifying the equipment without Alcatel Lucent s written authorization may result in the equipment no longer complying with the said dimensions Copyright 2008 Alcatel Lucent All rights reserved Alcatel Lucent and Alcatel Lucent logo are registered trademarks of Alcatel Lucent The contents or specifications contained wi...

Page 3: ...ne ASE 6 Document Conventions 7 Obtaining Documentation 8 Reference Publications 8 Obtaining Technical Assistance 9 Documentation Feedback 9 Part 1 Introduction 2 The Command Line Interface 13 CLI Overview 13 Introduction to CLI Modes 14 CLI User Mode 14 CLI Configuration Mode 14 CLI Sub Configuration Mode SCM 14 CLI Modes 15 User Mode UM 17 Super User Mode SUM 18 Example 18 Configuration Mode CM ...

Page 4: ...pter Conventions 43 Management Plane Overview 44 Out of Band Management Console or Modem 44 Inband Management SSH and Telnet 46 Idle Timeout 50 Example 50 Ping 50 Example 50 Traceroute 54 Example 54 Terminal Settings 57 Example 57 System Name 57 Example 57 AAA Configuration on OA 700 58 To Enable AAA Services 58 Example 58 Authentication Commands 59 Show Commands 76 Setting and Displaying the Syst...

Page 5: ... and Troubleshooting 108 Environmental Information 108 Example 108 System Hardware Information 110 Example 110 System Status 113 Example 113 To View the Current State Of LEDs 113 Example 113 To View Process Information 114 Example 114 Memory Information 115 Example 115 Hot Key Support 116 SNMP Simple Network Management Protocol 118 SNMP Agent and Manager 119 SNMP Version 120 SNMPv3 Protocol Overvi...

Page 6: ...154 Alcatel Lucent Specific Overview on Ethernet Interfaces 154 Ethernet Configuration 155 Ethernet Interface Configuration Steps 155 Ethernet Interface Configuration Flow 156 Ethernet Interface Configuration Commands 157 Ethernet Interface Show Commands 159 Ethernet Interface Clear Commands 162 6 Layer 2 Switching Configuration 163 Chapter Conventions 163 Switching Overview 164 Alcatel Lucent Spe...

Page 7: ...tion Steps 201 IRB Commands 202 IRB Configuration using OA 700 203 Topology for IRB Configuration on OA 700 203 9 802 1X Port Based Authentication 205 Chapter Conventions 205 802 1X Overview 206 Generic terms used in 802 1X 207 Using 802 1X with VLAN Assignment 209 Alcatel Lucent Specific Overview 209 802 1X Configuration 210 802 1X Configuration Steps 210 802 1X Configuration Flow 213 802 1X Conf...

Page 8: ...n 256 T1 Configuration Steps 256 T1 Configuration Flow 258 T1 Configuration Commands 259 T1 Show Commands 267 Troubleshooting T1 Lines 269 12 Universal Serial Port USP Line Card 271 Chapter Conventions 272 USP Line Card V 35 X 21 RS 232 Overview 273 Alcatel Lucent Specific Overview 274 V 35 X 21 RS 232 Configuration 275 V 35 X 21 RS 232 Interface Configuration Steps 275 V 35 X 21 RS 232 Configurat...

Page 9: ...nents 312 PPP Operation 312 PPP Configuration 313 PPP Configuration Steps 314 PPP Configuration Flow 316 PPP Configuration Commands 317 PPP Optional Parameters 318 PPP Show Commands 326 PPP Debug Commands 333 16 Point to Point Protocol over Ethernet PPPoE 335 Chapter Conventions 335 PPPoE Overview 336 PPPoE Operation 336 Alcatel Lucent Specific Overview on PPPoE Features 336 PPPoE Configuration 33...

Page 10: ...eaving LFI 375 Chapter Conventions 375 LFI Overview 376 Alcatel Lucent Specific Overview on LFI Features 376 Overview of LFI in MLPPP 377 Packet Formats 377 Configuration of LFI on MLPPP 379 LFI Configuration on MLPPP 380 LFI MLPPP Configuration Steps 381 LFI MLPPP Configuration Flow 384 LFI MLPPP Configuration Commands 385 LFI MLPPP Show Commands 388 Configuration Example of LFI on MLPPP 389 Over...

Page 11: ...CC 424 Nesting Of Match lists 426 Show commands in CC 428 Deletion Commands in CC 431 Sample examples on the usage of CC across applications 433 Example 1 433 Example 2 434 Example 3 435 Part 5 Routing Protocols 21 Protocol Independent Features 439 Chapter Conventions 439 Protocol Independent Configuration 440 Protocol Independent Configuration Commands 441 22 Routing Information Protocol 467 Chap...

Page 12: ...15 Show Commands in OSPF 533 Clear Commands in OSPF 542 OSPF Configuration on OA 700 543 Example 1 543 25 Multicast Routing 545 Chapter Conventions 545 Multicast Overview 546 Protocol Independent Multicast PIM 546 Internet Group Management Protocol IGMP 547 RFCs 548 PIM Configuration 549 PIM Configuration Steps 549 PIM Configuration Flow 551 PIM Configuration Commands 552 Show Commands in PIM 557 ...

Page 13: ...VRF CE Overview 591 VRF CE Configuration 593 VRF CE Configuration Steps 593 VRF CE Configuration Flow 595 VRF CE CLI Commands 596 VRF Show Commands 605 Example 605 VRF Clear Commands 610 Example 610 Part 6 Network Security 28 Network Address Translation 613 Chapter Conventions 613 NAT Overview 614 Types of NAT 614 Benefits of NAT 616 Before You Configure NAT 616 Alcatel Lucent Specific Overview 61...

Page 14: ...iguration Commands 655 Filter Show Commands 659 Filter Deletion Commands 661 Filter Clear Commands 662 Filter Debug Commands 663 Sample Examples of Configuring Filters on OA 700 664 Managing Security Configuration 665 Insertions 665 Updations 666 Network Attacks An Overview 668 Types of Network Attacks 668 Default Attacks Rate limiting Stateful 669 Default Attacks Non rate Limiting Stateless 671 O...

Page 15: ...ed ALG and DNAT Example Using OA 700 730 Security Best Practices 732 Rules for Configuring Packet Filters 732 30 IP Security Virtual Private Network 737 Chapter Conventions 738 IPsec VPN Overview 739 IPsec Enabled VPN 741 IPsec Connection Types 741 IPsec Concepts 743 Benefits of IPsec Enabled VPN 748 Default Configuration Setting on OA 700 749 IPsec VPN Configuration 750 IPsec VPN Configuration St...

Page 16: ...aversal 800 Scenarios Depicting IPsec Nat traversal 801 IPsec Tunnel Interface 803 Before You Configure IPsec Tunnel Interface 803 Default Configuration 804 IPsec Tunnel Interface Configuration 805 IPsec Tunnel Interface Configuration Steps 805 IPsec Tunnel Interface Configuration Flow 807 IPsec Tunnel Interface Configuration Commands 808 IPsec Tunnel Configuration Scenarios using OA 700 815 31 In...

Page 17: ...rent Firewall 855 Chapter Conventions 855 TF Overview 856 OA 700 Specific Overview 856 TF Configuration 857 TF Configuration Steps 857 TF Configuration Flow 858 TF Configuration Commands 859 Show Commands in TF 861 Clear Commands in TF 862 TF Configuration on OA 700 863 Configuration Steps 863 Show Commands 863 34 Call Admission Controller 865 Chapter Conventions 865 CAC Overview 866 Measurement B...

Page 18: ...hony Service Configuration Example on OA 700 908 OA 700 in Stand alone Mode 908 Configuration Steps 909 Show Commands 909 OA 700 in Survivability Mode 910 Configuration Steps 911 Show Commands 912 Part 7 Quality of Service 36 Quality of Service 915 Chapter Conventions 915 QoS Overview 916 Generic terms used in QoS 916 Alcatel Lucent Specific Overview on QoS 918 Traffic Without Policing and Shaping...

Page 19: ...ion Commands 972 QoS on FR Show Commands 973 Part 8 TCP IP Services 37 DHCP Dynamic Host Configuration Protocol Server 977 Chapter Conventions 977 DHCP Server Overview 978 Alcatel Lucent Specific Overview 978 DHCP Server Configuration 979 DHCP Server Configuration Steps 979 DHCP Server Configuration Flow 981 DHCP Server Configuration Commands 982 DHCP Server Show Commands 989 DHCP Server Test Scen...

Page 20: ... Configuration Steps 1011 DNS Client Configuration Flow 1012 DNS Client Configuration Commands 1013 DNS Client Test Scenario using OA 780 1017 Configuration Steps 1017 Part 9 License Manager 41 License Manager 1021 Chapter Conventions 1021 License Manager Overview 1022 Alcatel Lucent Specific Features 1022 To Install a License File 1023 Example 1023 To Back up a License File 1026 Example 1026 To R...

Page 21: ...ry From Lifeline Mode to Normal Mode 1045 Lifeline Configuration Scenario 1046 Part 11 Application Hosting Application Services Engine ASE 43 Web Cache Server 1051 Chapter Conventions 1051 Web Cache Server Overview 1052 Web Cache Server Configuration 1053 Web Cache Configuration Steps 1053 Web Cache Configuration Flow 1054 Web Cache Server Configuration Commands 1055 Web Cache Server Parameters 10...

Page 22: ...iguration 24 Verification 28 Configuring IPsec between OA 700 and Sonicwall PRO 3060 29 Configuration 30 Configuring Sonicwall PRO 3060 32 Verification 36 F Software Licenses and Acknowledgements 39 Linux Kernel 40 Intel Linux Device Driver Software 40 PMC Sierra Linux Device Driver Software 40 Mindspeed Linux Device Driver Software 41 eCos 41 U Boot 42 Linux STP 42 Paul s PPP Package 42 DHCP 44 t...

Page 23: ...e2fsprogs 57 InetUtils gawk GDB 57 cURL 58 PCRE 58 MD5 59 GNU General Public License 60 GNU Lesser General Public License 66 Mozilla Public License 75 ...

Page 24: ...figuration Flow 276 An HDLC frame with an information field 284 HDLC Configuration Flow 289 FR Configuration Flow 301 PPP Configuration Flow 316 PPPoE Configuration Flow 340 Sample Deployment Scenario for MLPPP 348 MLPPP Header in Long Sequence Number Format 349 MLPPP Header in Short Sequence Number Format 350 MLPPP Configuration Flow 354 MLFR frame format for data packets 363 MLFR frame format fo...

Page 25: ...iguration Flow 843 GRE Configuration Topology 847 GRE IP Filters DoS Configuration Topology 849 GRE IPsec Configuration Topology 851 TF Configuration Flow 858 CAC Configuration Flow 870 Typical Enterprise Voice Deployment 884 Typical Voice Deployment Scenario for OA 700 Products 885 OA 700 in Stand alone Mode Configuration Flow 891 OA 700 in Survivability Mode Configuration Flow 891 OA 700 in Stan...

Page 26: ... 1054 IPsec Interoperability Between OA 700 and VPN Firewall Brick 23 LAN Tunnel Editor Endpoint 1 Endpoint 2 a 26 LAN Tunnel Editor Endpoint 1 Endpoint 2 b 27 LAN Tunnel Editor Endpoint 1 Endpoint 2 c 28 IPsec Interoperability Between OA 700 and Sonicwall PRO 3060 29 Configuring Local network behind Sonicwall 32 Configuring External IP Address for Sonicwall 33 Configuring IPsec Policy and Destina...

Page 27: ...use of network resources Configuring the LAN and WAN interfaces effectively Optimizing routing services to enhance network scalability Integrating networks with different routing protocols Adding intelligence and flexibility to use the ACLs across applications using the Common Classifiers Setting improved security policies on the network for users and their services Extending the network to new pl...

Page 28: ...t show mem show proc etc Chapter 4 Virtual Router Redundancy Protocol details a study on VRRP implementation on the OA 700 It is a method of providing nonstop path redundancy and gateway redundancy for an enterprise network by sharing protocol and Media Access Control MAC addresses between redundant gateways PART II LAN INTERFACES This part introduces the commands and steps to configure the LAN in...

Page 29: ...nds for Frame Relay FR encapsulation on an interface It includes the configuration commands for LMI DLCI and FR fragmentation Chapter 15 Point to Point Protocol provides the configuration commands for Point to point PPP encapsulation on an interface It includes CLI commands for configuring LCP IPCP Counters and Timers Authentication etc Chapter 16 Point to Point Protocol over Ethernet PPPoE provid...

Page 30: ...f the topology and the stability of the network as it expands All the chapters in this part focus on configuring the routing services Chapter 21 Protocol Independent Features provides commands that are generic across all routing protocols You are required to have a thorough knowledge of this chapter before you proceed to configure the routing protocols Chapter 22 Routing Information Protocol and C...

Page 31: ...ies and Zone configuration The Time range CLI includes commands and procedure to configure scheduling in different applications such as Firewall Chapter 30 IP Security Virtual Private Network begins a survey of advanced security services and provides details about IPsec a leading technology for building VPNs IPsec building blocks include IKE Transform Sets Security Associations Modes Authenticatio...

Page 32: ...II TCP IP SERVICES This part consists of Chapter 37 DHCP Dynamic Host Configuration Protocol Server that focuses on DHCP Server configuration and Chapter 38 TFTP Trivial File Transfer Protocol Server that documents the TFTP Server configuration commands Chapter 39 DHCP Dynamic Host Configuration Protocol Relay focuses on DHCP Relay configuration and Chapter 40 DNS Domain Name Service Client docume...

Page 33: ...Square brackets enclosing keywords or arguments separated by a vertical line indicates an optional choice x y Braces enclosing keywords or arguments separated by a vertical line indicate a required choice You must select one w x y Nested sets of square brackets or braces indicate optional or required choices within the optional or required elements x y OR x y Braces enclosing keywords or arguments...

Page 34: ...arning is used in similar cases as caution This also indicates a situation where the reader needs to pay extra attention to avoid hazardous situations OBTAINING DOCUMENTATION Alcatel Lucent provides several ways to obtain technical assistance and other technical resources Documents can be downloaded from our support site service esd alcatel lucent com REFERENCE PUBLICATIONS The following publicati...

Page 35: ...t Team provides 24 hour a day technical support services online and over the phone For Customer issues and help contact Alcatel Lucent US Customer Support 800 995 2696 International Customer Support 818 878 4507 E mail support ind alcatel com Website service esd alcatel lucent com DOCUMENTATION FEEDBACK We value your comments and suggestions about our documentation If you have any comments about t...

Page 36: ...CLI Configuration Guide Left running head Chapter name automatic 10 Beta Beta CLI Configuration Guide Alcatel Lucent ...

Page 37: ...ors fm Alcatel Lucent 11 Beta Beta For final production import color definitions from daldoc01 docteam templates framemaker book template color defs production colors fm Do not import other template elements such as page layout To return to the draft version import color def ns from draft colors fm To switch to the beta version import color def ns from beta colors fm Pagination Numeric continuous ...

Page 38: ...Left running head Chapter name automatic 12 Beta Beta CLI Configuration Guide Alcatel Lucent ...

Page 39: ... console and connections via SSH Telnet and Modem The CLI which automatically starts once the required processes on the Switch Card are up provides commands that you can use to perform various tasks including configuring the OA 700 monitoring and troubleshooting the system enabling network connectivity and verifying the system hardware This chapter provides an overview of the CLI For more detailed...

Page 40: ...ch is the User Mode UM CLI CONFIGURATION MODE In the configuration mode you can configure the OA 700 by creating a hierarchy of configuration statements by using the CLI or by creating a text ASCII file that contains the statement hierarchy The statement hierarchy is identical in both the CLI and text configuration file You can configure different applications running on OA 700 including interface...

Page 41: ...ace Configuration Mode ICM Application Router en Router Config t Interface This mode is accessed from the CM Enters into a specific application For ex BGP RIP OSPF Firewall Filter NAT IPSec Time Range etc This mode is accessed from the CM Many features are enabled on a per interface basis ICMcommands modify the operation of an interface Sub Interface Configuration Mode S ICM Show Commands Monitor ...

Page 42: ...odify the configuration Type the config terminal command to enter the Configuration Mode This mode is used to configure the system globally or to enter specific configuration modes to configure specific elements such as interfaces or protocols In the Application Configuration Mode you can enter into a specific application by entering the corresponding name such as router OSPF BGP RIP IP NAT IP fil...

Page 43: ...ng commands ping and ssh are available The UM command set is a subset of the SUM command set UM is also the starting point for accessing the SUM command set USER MODE COMMAND SET Command in UM Description clear Reset functions enable Turn on privileged commands exit Exit from current mode help Description of the interactive help system logout Exit from the EXEC mping Multicast Ping mtrace Trace re...

Page 44: ...hat you set up password authentication for users who need to access the SUM command set The SUM mode prompt consists of the host name of the device followed by a pound sign or if no host name is configured the prompt is displayed as ALU SUM COMMAND SET Command in UM Description enable Enables SUM Command in SUM Description clear Reset functions clock System Clock configure Enter configuration mode...

Page 45: ... DNS name to an IP address or vice versa package Package Manipulation ping Send echo messages power Control power on specified line card quit Quit this session reload Reboot the Chassis rmdir Delete directory save Saving the configuration file service Set terminal line parameters show Show running system information ssh Open a ssh connection telnet Open a telnet connection terminal Set terminal li...

Page 46: ... stored across router reboots To access CM enter the following command in SUM EXAMPLE ALU configure terminal ALU config Enter configuration commands one per line End with CNTL Z To exit the Configuration Mode and return to the SUM enter the Control Z command ALU config Z ALU CM COMMAND SET Command in SUM Description configure terminal Enters Configuration Mode Command in CM Description aaa Authent...

Page 47: ...TTP interface Select an interface to configure ip Global IP configuration sub commands ip policy Define Modify PBR policy key chain Key management license License operations line Configure a terminal line list Define a new list Modify an existing list liveness Define behavior in case of liveness test failures logging Modify message logging facilities mac address table Configure the mac address tab...

Page 48: ...urations ssh SSH service tacacs server Modify TACACS query parameters telnet Telnet service tftp server To provide TFTP service for file requests time range Define Modify a time range object top Enter top level configuration mode transparent forward Define modify transparent forward policy undebug Debugging functions see also undebug up Go up one mode username Establish user name authentication Co...

Page 49: ...d configures a E1 controller and channelized serial interface ALU config controller E1 0 0 ALU config controller E1 ALU config controller E1 exit ALU config ALU config interface Serial 0 0 0 ALU config if Serial0 0 0 To exit the ICM and return to the CM enter the Exit command ALU config if GigabitEthernet7 0 exit ALU config Command in CM Description interface name slot port This command enables yo...

Page 50: ...ce on a channelized serial interface ALU config interface Serial 0 0 0 1 ALU config if Serial0 0 0 1 To exit from the S ICM and return to the ICM use the Exit command To end your configuration session and return to SUM mode press Ctrl Z or enter the End command Command in CM Description interface name slot port channel This command enables you to configure a sub interface on a Gigabit Ethernet int...

Page 51: ...eturn to the previous configuration mode EXAMPLE ALU configure Enter configuration commands one per line End with CNTL Z ALU config interface GigabitEthernet 7 0 ALU config if GigabitEthernet7 0 Z ALU Command in CM Description router bgp 1 65535 Enters BGP router configuration mode router ospf 1 65535 Enters OSPF router configuration mode router rip Enters RIP router configuration mode ip filter n...

Page 52: ...terface GigabitEthernet 7 0 ALU config if GigabitEthernet7 0 C ALU ALU configure Enter configuration commands one per line End with CNTL Z ALU config interface GigabitEthernet 7 0 ALU config if GigabitEthernet7 0 exit ALU config ALU configure Enter configuration commands one per line End with CNTL Z ALU config interface GigabitEthernet 7 0 ALU config if GigabitEthernet7 0 top ALU config INITIAL SE...

Page 53: ...ode enter a question mark at the CLI prompt You can also get a list of keywords and arguments associated with any command by using the context sensitive help feature ENABLE CLI HELP EXAMPLE ALU config service completion spacebar complete ALU config no service completion spacebar complete ALU config service completion tab complete ALU config no service completion tab complete Command in CM Descript...

Page 54: ...config show i PRIVILEGE COMMANDS inband inband interfaces Display information for all interfaces internal Internal info ip IP information ip policy ip policy keyword ipx IPX protocol Command in CM Description prompt help Displays a brief description of the help system prompt abbreviated command entry Lists commands in the current mode that begin with a particular character string prompt abbreviate...

Page 55: ...cess lists List IP access lists as path access list List AS path access lists community list List community list dhcp Dynamic Host Configuration Protocol commands filter filter details mroute Multicast multicast Multicast nat NAT keyword prefix list List IP prefix Lists rpf Show RPF information for multicast source BASIC COMMANDS bgp BGP information fib IP FIB Table Statistics igmp IGMP informatio...

Page 56: ...d until you use the Return or Enter key This way you can modify the command if the full command was not what you intended by the abbreviation If the CLI cannot complete the command it displays the list of commands that begin with that set of characters For example typing show ip i tab will list all commands which start with show ip i in the current command mode ALU config show ip i tab igmp interf...

Page 57: ...rward character Moves the cursor one character to the right Esc B Back word Moves the cursor back one word Esc F Forward word Moves the cursor forward one word Ctrl A Beginning of line Moves the cursor to the beginning of the line Ctrl E End of line Moves the cursor to the end of the command line Ctrl P or the Up Arrow key Previous command Recalls commands in the history buffer beginning with the ...

Page 58: ...m the cursor to the end of the command line Esc D Deletes from the cursor to the end of the word Keystrokes Function Details Ctrl Y Recalls the most recent entry in the buffer press keys simultaneously Keystrokes Function Details Ctrl T Transposes the character to the left of the cursor with the character located at the cursor Keystrokes Function Details Esc C Capitalizes the letter at the cursor ...

Page 59: ...configure t 7 interface GigabitEthernet 7 0 8 exit 9 interface GigabitEthernet 7 0 10 ip address 10 91 0 24 24 11 top 12 configure t 13 interface GigabitEthernet 7 05B 14 interface GigabitEthernet 7 0 1 15 interface GigabitEthernet 7 0 3 1 16 service completion spacebar complete 17 no service completion spacebar complete 18 no service completion 19 show history Keystrokes Function Details History ...

Page 60: ...ardware In addition certain physical interface types support sub interfaces For example for 802 1Q VLANs and for Frame Relay 6 1007 DLCIs The sub interfaces for 802 1Q should be in the range from 1 to 4096 as per the IEEE specification and 4096 sub interfaces should be allowed though not necessarily a good idea for every physical interface For Frame Relay the number of DLCIs allowed per interface ...

Page 61: ... Last clearing of show interface counters never Queueing strategy fifo Output queue 0 0 size max 0 drops Input queue 0 0 size max 0 drops 5 minute input rate 0 bits sec 0 packets sec 5 minute output rate 0 bits sec 0 packets sec 0 packets input 0 bytes 0 no buffer Received 0 broadcasts 0 runts 0 giants 0 input errors 0 CRC 0 frame 0 overrun 0 ignored 0 watchdog 0 multicast 0 pause input 0 packets ...

Page 62: ...sions 0 interface resets 0 output buffer failures 0 output buffers swapped out EXAMPLE 3 ALU show interfaces loopback1 is up line protocol is up Hardware is Loopback Internet address not set MTU 1500 bytes BW 1000000 Kbit DLY 0 usec reliability 0 255 txload 0 255 rxload 0 255 Encapsulation LOOPBACK loopback not set Last input never output never output hang never Last clearing of show interface cou...

Page 63: ...ackets sec 0 packets input 0 bytes 0 no buffer Received 0 broadcasts 0 runts 0 giants 0 throttles 0 input errors 0 CRC 0 frame 0 overrun 0 ignored 0 abort 0 packets output 0 bytes 0 underruns 0 output errors 0 collisions 0 interface resets 0 output buffer failures 0 output buffers swapped out Tunnel1 is up line protocol is down Internet address not set MTU 1476 bytes BW 1000000 Kbit DLY 0 usec Mor...

Page 64: ...interface brief Interface IP Address Admin State Oper State GigabitEthernet1 0 unassigned down down GigabitEthernet1 1 unassigned down down Vlan213 2 2 2 2 down down 4 4 4 4 s Loopback222 3 3 3 3 up up Loopback2 9 9 9 9 up up 1 1 1 1 s 7 7 7 7 s Loopback1 unassigned up up Command in CM Description show ip interface brief This command displays information about IP interfaces only ...

Page 65: ...U config if GigabitEthernet7 0 shutdown ALU config if GigabitEthernet7 0 no shutdown Command in UM Description clear counters interface name slot port channel subchannel Clears interface counters for specific port in specific slot Command in ICM Description shutdown This is entered in the Interface Configuration Mode This command administratively brings down the interface no shutdown This is enter...

Page 66: ... primary interface goes down the same connected route gets added to routing table on the backup interface because of which static routes routing protocols etc would work as is without any human intervention But the features like firewall policies etc that are applied on the primary interface would not be automatically applied to the backup interfaces In typical scenarios these feature configuratio...

Page 67: ...aseTx Fx ARP type ARPA ARP Timeout never Last input never output never output hang never Last clearing of show interface counters never Queueing strategy fifo Output queue 0 0 size max 0 drops Input queue 0 0 size max 0 drops 5 minute input rate 0 bits sec 0 packets sec 5 minute output rate 0 bits sec 0 packets sec 10 packets input 7468 bytes 0 no buffer Received 7 broadcasts 0 runts 0 giants 0 in...

Page 68: ...nters never Queueing strategy fifo Output queue 0 0 size max 0 drops Input queue 0 0 size max 0 drops Conversations 0 0 0 0 active max active max total Reserved Conversations 0 0 allocated max allocated Available Bandwidth 1536 kilobits sec 5 minute input rate 0 bits sec 0 packets sec 5 minute output rate 0 bits sec 0 packets sec 0 packets input 0 bytes 0 no buffer Received 0 broadcasts 0 runts 0 ...

Page 69: ... Settings System Name AAA Configuration on OA 700 Setting and Displaying the System Time and Date System Logging and Debugging Rate Limiting in Statlog Saving Log Messages The File System Configuration File Management Software Package Management Reloading the System System Monitoring and Troubleshooting SNMP Simple Network Management Protocol CHAPTER CONVENTIONS Acronym Description AAA Authenticat...

Page 70: ...management through any of the dedicated management ports such as console or modem are commonly referred to as out of band management OUT OF BAND MANAGEMENT CONSOLE OR MODEM CONSOLE ACCESS The console port is located in the front panel of the OA 700 The console parameters can be set with the commands given below EXAMPLE ALU config line console exec timeout 0 ALU config line console exec timeout 45 ...

Page 71: ...A Configuration on OA 700 on page 58 section in this chapter EXAMPLE ALU config modem enable ALU config modem disable Note For more information on connecting the system to the external network console and modem refer to Connecting the System to the Network section in the OA 780 OA 740 Hardware Users Guide Command in SUM Description modem enable disable This command is used to enable or disable the...

Page 72: ... enable disable the SSH service ssh vrf vrf name ip address hostname user name version 1 2 Use this command to access a remote computer by SSH clear known_hosts ip address This command enables you to clear the address key mapping for all the IP addresses a single IP address from the known_hosts file SSH client maintains a list of IP addresses and associated RSA keys in the file called known_hosts ...

Page 73: ...oot The authenticity of host 172 25 19 1 172 25 19 1 can t be established RSA key fingerprint is b5 b8 c9 6b 0e 28 df a8 b0 06 7a 23 7f 03 96 6b Are you sure you want to continue connecting yes no yes Warning Permanently added 172 25 19 1 RSA to the list of known hosts root 172 25 19 1 s password Last login Mon Dec 6 17 34 48 2004 root linux sw root exit logout Connection to 172 25 19 1 closed ALU...

Page 74: ...10 91 0 1 Note For more information on connecting the system to the internal network refer to the Connecting the System to the Network section in the OA 780 Hardware Users Guide There is a limit on the number of non console CLI sessions using SSH Telnet and modem For OA 780 the limit is four sessions and for OA 740 it is two sessions This excludes the console session HTTP HYPER TEXT TRANSFER PROTO...

Page 75: ... refer to the release note HTTPS in addition to the normal HTTP uses SSL encryption for secure transmission of files EXAMPLE ALU config https enable TO VIEW ACCESS SERVER STATUS EXAMPLE ALU config show access server status http enable https enable ssh enable Command in UM Description https enable disable Use this command to enable disable the HTTPS service Command in UM Description show access ser...

Page 76: ...PLE ALU ping 192 168 10 121 Sending 5 64 byte ICMP Echos to 192 168 10 121 timeout is 10 seconds Success rate is 100 percent 5 5 round trip min avg max 0 124 0 191 0 356 ms Command in CM Description no line vty exec timeout 0 35791 0 60 This command is used to configure the timeout in minutes or seconds for SSH Telnet and Modem CLI sessions These sessions close if they are idle for the specified t...

Page 77: ... ping packets ICMP echo requests to be sent Default is 5 packets and is the same as in normal ping Enter the Target ip address IP address to which the ping packets have to be sent Enter the Source IP Address Source IP address can be any IP address on the OA 700 If source IP address does not belong to OA 700 an error Source IP Address does not belong to the box Ping may not be successful is thrown ...

Page 78: ...e maximum in milliseconds. Set the df bit value n: Specify whether or not the Don't Fragment (DF) bit is to be set on the ping packet. If yes is specified, the Don't Fragment option does not allow this packet to be fragmented when it has to go through a segment with a smaller Maximum Transmission Unit (MTU), and you will receive an error message from the device that wanted to fragment the packet. This is us...

Page 79: ...g command ALU ping Enter the packet size 64 100 Enter the number of packets 5 7 Enter the Target ip address 2 2 2 12 Enter the Source IP Address Enter the source interface Enter the TOS value 0 Enter the Time out value 2 Set the df bit value n Set the ttl value 64 Press C to Stop Sending 7 92 byte ICMP Echos to 2 2 2 12 timeout is 2 seconds Success rate is 100 percent 7 7 round trip min avg max 3 ...

Page 80: ... traceroute command. An extended traceroute command can be used to see what path packets take in order to get to a destination. The command can also be used to check routing at the same time. This is helpful for troubleshooting routing loops or to determine where packets are getting lost. You can use the extended ping command in order to determine the type of connectivity problem and then use the exte...

Page 81: ... Enter the Datagram Size 38 Specify the ICMP payload size in bytes in the range 36 18024 Default size is 38 bytes Enter the Timeout value 2 Enter the number of seconds to wait for a response to a probe the packet The range being 1 3600 in seconds The default is 2 seconds Enter the Probecount 3 Enter the number of probes to be sent at each TTL level in the range 1 10 The default count is 3 Enter th...

Page 82: ...2 2 12 2 2 2 12 4 089 ms Enter the TOS value 0 Specify the Type of Service ToS value in the range 0 255 The requested ToS is placed in each probe but there is no guarantee that all routers process the ToS It is the Internet service s quality selection The default is 0 Set the df bit value n Specify whether or not the Don t Fragment DF bit is to be set on the ping packet If yes is specified the Don...

Page 83: ...he system a more informative name use the hostname command The host name shows up in the CLI prompt EXAMPLE ALU config hostname ALU Command in CM Description terminal length 0 512 Sets the terminal length for the session terminal monitor priority 0 7 This command is used to display the log messages of specified and lower numerically higher priorities in the terminal window This terminal could be l...

Page 84: ... based on the idea that each individual user will have some unique information that sets the user apart from others. Authorization is the process of granting or denying a user access to network resources once the user has been authenticated. The amount of information and the type of services the user has access to depends on the user's authorization level. Accounting is the process of keeping track o...

Page 85: ...TICATION METHOD TO CONFIGURE USER ACCOUNT EXAMPLE ALU config username ALU1 password pass1 ALU config username ALU1 nopassword ALU config username ALU1 secret pass2 Command in CM Description username user name password 5 password nopassword secret 5 password This command is used to create a new user account and user password The User accounts configured using this command will form a part of the lo...

Page 86: ... rad1 The following error is displayed if you try to configure a RADIUS server group with the name local ALU config aaa server group radius local The name of the Group is reserved ALU config no aaa server group radius rad1 Command in CM Description aaa server group radius name This command is used to configure a RADIUS server group Note You cannot enter a RADIUS server group as local as it is a re...

Page 87: ...alues are configured explicitly. The following are the RADIUS server options: Authentication Port (auth port): This is the destination port on which the RADIUS server is listening. Deadtime: The time in minutes that should elapse before you again try to connect to a non-responding server. Key: This is the encryption key between the OA-700 and the RADIUS server. Timeout: This determines the number of seconds ...

Page 88: ...and is used to specify a global deadtime value that will be applied to all the RADIUS Server Groups provided there is no server specific deadtime configured The default deadtime value is 5 minutes The no command deletes the global RADIUS deadtime value from the configuration and resets it to default for all servers that do not have a server specific deadtime value no radius server key 5 string str...

Page 89: ...provided there is no server specific retransmit value configured The default retransmit value is 3 The no command deletes the global RADIUS retransmit value from the configuration and resets it to default for all servers that do not have a server specific retransmit value no radius server timeout 1 1000 This command is used to specify a global timeout value that will be applied to all the RADIUS G...

Page 90: ... tac1 The following error is displayed if you try to configure a TACACS server group with the name local ALU config aaa server group tacacs local The Name of the Group is reserved ALU config no aaa server group tacacs tac1 Command in CM Description aaa server group tacacs name This command is used to configure a TACACS server group Note You cannot enter a TACACS server group as local as it is a re...

Page 91: ...igured. Default global values for these parameters exist that will come into effect if neither per-server nor global values are configured explicitly. The following are the TACACS server options: Authentication Port (auth port): This is the destination port on which TACACS server is listening. Key: This is the encryption key between the OA-700 and the TACACS server. Timeout: This determines the number of se...

Page 92: ...rver specific port no tacacs server key 5 string string This command is used to specify a global key that will be applied to all the TACACS Groups provided there is no server specific key configured If 5 option is used then enter the key string in an encrypted format The default key is empty string The no command deletes the global TACACS key from the configuration and resets it to default for all...

Page 93: ...ation method requiring user name RADIUS and TACACS server groups is associated with enable authentication then a default user name of enab15 is used EXAMPLE ALU config enable secret test Secret for level 15 is set Command in CM Description enable secret password 5 password Sets the password to grant access to the privileged mode secret The password is stored in an encrypted format 5 specifies that...

Page 94: ...e user is allowed access. If it says that the user is not authenticated, then the user is denied access. But if there is an error in the query, then the second method in the list is approached and similar steps are repeated until the end of the list is reached. If there are errors in queries to all the methods, then the user is denied access. TO CONFIGURE A METHOD LIST EXAMPLE ALU config aaa method list ...

Page 95: ...entication console method list name This command associates an already configured method list with the dot1X client type The no command removes the associated method list from the console client type no aaa authentication dot1x method list name This command associates an already configured method list with dot 1X client type Note The method list to be associated with dot1x clients should contain o...

Page 96: ...uthentication web m1 no aaa authentication remotelogin method list name This command associates an already configured method list with remote login client type Note The client type Remote Login is a reference to SSH and Telnet clients The no command removes the associated method list from the remote login client type no aaa authentication web method list name This command associates an already con...

Page 97: ...ult non editable password for this login would be the chassis ID which is displayed as part of chassis information both in CLI and Device Manager The serial number of the back panel is considered to be the chassis ID It could be obtained through show chassis in this way EXAMPLE ALU config show chassis Physical inventory at Thu Dec 11 19 06 36 2008 System started approximately Thu Dec 11 18 32 42 2...

Page 98: ... 3 1 30 MDC Serial number SM0645000014 Revision R Version 01 PB Power tray active Slot number 22 Part number 902612 90 Manufacturer ALU Description Power tray Serial number ND0533002043 Version 00 Revision A00 SC Switch card active Slot number 24 Part number 902613 90 Manufacturer ALU Description Switch card Serial number DD0504001023 Version 00 Revision Q LoL firmware version 2 2 68 Loader versio...

Page 99: ... seen for the boot options 3 Select Disable Startup Configuration option 4 Select Boot from storage medium option 5 Once the reload is done you can enter the new password for the superadmin ALU reload Do you want to save config before rebooting y n y Building configuration OK Do you really want to reboot the Chassis y n y Press C for Boot options C BOOT OPTIONS 1 Rescue Options 2 Reload Device 3 D...

Page 100: ...er a delimiting character to start the message This character should not appear in the message to be displayed Enter the message and end it with the delimiting character used You can enter a multi lined descriptive message no aaa authentication fail message delimiter multi lined string delimiter This command is used to enter a descriptive message to be displayed after a failed login attempt Enter ...

Page 101: ...lcatel Lucent EXAMPLE ALU config aaa authentication banner Only authorized access permitted ALU config aaa authentication success message Login attempt successfull ALU config aaa authentication fail message Login failed ALU config aaa authentication username prompt u1 ALU config aaa authentication password prompt p1 ...

Page 102: ...g show aaa methodlists aaa method list m1 rad1 tac1 local aaa method list m2 tac1 TO VIEW METHOD LISTS ASSOCIATED WITH THE CLIENT TYPE EXAMPLE ALU config show aaa client methodlist associations aaa authentication remotelogin m2 aaa authentication web m1 Command in SUM CM Description show aaa local users details This command displays the details of all the locally configured users on the system Com...

Page 103: ...group radius rad3 radius server 1 1 1 1 auth port 300 TO VIEW TACACS SERVER GROUP CONFIGURATION EXAMPLE ALU config show aaa tacacs aaa server group tacacs tac1 tacacs server 12 34 42 2 tacacs server 23 4 2 232 auth port 2050 key some Command in SUM CM Description show aaa radius This command shows the details of the RADIUS Server Groups configured Command in SUM CM Description show aaa tacacs This...

Page 104: ...the chassis is powered down it will maintain time with reasonable accuracy even if the chassis is powered down. Typically, the RTC is only read during power-up in order to initialize the system clock. However, it may be used as a trusted time source and read periodically to adjust the system time. The system time is the time coordinated among the various processors in the chassis. It is this time that m...

Page 105: ...tem clock is changed Current setting is Tue Sep 25 17 59 20 2007 ALU show clock RTC set to Tue Sep 25 18 00 06 2007 System time is Tue Sep 25 18 00 06 2007 Not synchronized with external source Command in SUM Description clock set hh mm ss mm dd yyyy This command allows you to set the RTC as well as the system s clock date and time The time must be specified as GMT The year range is between 2000 2...

Page 106: ... time source This is valid only for NTP and RDATE protocols Rate The rate at which the synchronization should be performed Typically the settings are in the multi hour range The default value for the rate is every 12 hours Note 1 Server name is mandatory for ntp and rdate protocols 2 The parameter number depicts the number of minutes or hours between updates 3 The server name can be specified eith...

Page 107: ...tion no logging on This command is used to enable logging of messages By default logging of messages is enabled The no command disables logging no logging buffered priority 0 7 size 4 16384 This command is used to store the log information in the memory buffer If a priority value is given messages of that priority and higher numerically lower will be buffered Size denotes the buffer size in kiloby...

Page 108: ...ce timestamps log ALU config terminal monitor ALU config clear logging no logging watermark 100 10000 This command is used to set a watermark level in terms of number of log messages up to which the log messages get stored no service timestamps log This command is used to display the date and time of the log messages By default Service timestamps log is enabled terminal monitor 0 7 This command di...

Page 109: ...AN card removed from slot 2 2005 Oct 13 03 31 07 CM 5 LOG SLOT L2 83000019 is vacated 2005 Oct 13 03 31 08 CM 6 LOG LIVENESS 2 83000019 will report once on failure 2005 Oct 13 03 31 08 CM 6 LOG SCAN card removed from slot 2 2005 Oct 13 03 31 09 CM 5 LOG SLOT L2 83000019 is vacated 2005 Oct 13 03 31 09 CM 6 LOG LIVENESS 2 83000019 will report once on failure 2005 Oct 13 03 31 12 CM 6 LOG SCAN card ...

Page 110: ...ith priority 3 ALU show logging priority 3 exact 2005 Oct 13 14 13 06 ntpdate 3 LOG No server suitable for synchronization found EXAMPLE 3 The following example shows messages containing the text temperature ALU config show logging string temperature 2006 Sep 19 09 59 23 CM 7 LOG SCAN chassis temperature 47 setting fan speed to high succeeded 2006 Sep 19 10 00 59 ENVAGT 4 LOG EA 7 Cannot read temp...

Page 111: ...er seconds 1 3600 is not given default interval is taken as 1 second Tag and subtag string can have only one word The no command removes the specified rate limiting configuration logging rate limit no unique This command restricts the number of messages in a given interval to that specified in the rate limiting command and prevents logging of unique messages By default rate limiting does not preve...

Page 112: ... 5 in 2 seconds execute the following command ALU config logging rate limit 5 2 tag snort 2003 Dec 22 18 41 10 CLI 6 ACL User created Filter policy f5 In this message the sub tag is ACL To have finer control the subtag of a particular tag can also be rate limited To limit the number of messages coming from ACL s CLI plugin to 10 in a second execute the following command ALU config logging rate lim...

Page 113: ... By default messages up to informational level 6 are stored ALU save logging priority 5 exact This saves log messages with priority equal to 5 ALU save logging string time This saves log messages with string time This is case sensitive ALU save logging tag cli This saves log messages originating from CLI Command in SUM CM Description save logging This command is used to save the information in the...

Page 114: ...t of these commands show version show clock dir user cores show chassis show running config show controller show interfaces show vlan Brief show access lists show ip protocols show ip route show netio show arp show arp traffic show mac address table show subsystem show logging priority 7 This command shows information about all the slots too Since the output of all these commands would be very lon...

Page 115: ...st This command displays the contents of the cores directory in the user area ALU config dir user cores Permission Size Date modified Name rw 147456 Sep 5 08 31 core 1329 3 clim sh 1157445064 24 rw 147456 Sep 5 13 20 core 1355 3 clim sh 1157462445 24 rw 147456 Aug 3 12 11 core 1363 3 clim sh 1154607060 24 Command in SUM Description dir fpkey licenses user This command displays all the directories ...

Page 116: ...rotocols EXAMPLE ALU copy tftp 10 91 0 35 my config config running config The copy command can also be used in an interactive mode as shown below If the remote file details are not given the command prompts for the same ALU config copy ftp user Address name of remote host 10 91 2 87 Remote Port Enter for default Source Path File tmp test_file Username anonymous admin Password Local filename test_f...

Page 117: ...owing command deletes a file in fpkey ALU config delete fpkey backup_package The following command deletes a file in fpkey ALU config delete user backup_config The following command deletes a config file ALU config delete config file config1 Command in SUM Description delete all fpkey user This command is used to delete all the files in fpkey or user directory delete fpkey filename This command is...

Page 118: ...em reloads Optionally you can save the configuration file under a different file name Once the file is saved you can use the copy commands to export it to an external system using TFTP FTP options TO VIEW THE CONFIGURATION The following commands are used to view the configuration written to USB as well as the configuration currently running and in memory EXAMPLE 1 ALU config show running config Cu...

Page 119: ...e EXAMPLE 2 ALU config show startup config NVRAM config last updated at 06 25 14 GMT Wed Nov 08 2006 from line 0 Statlog Configuration logging on logging buffered priority 7 logging buffered size 128 logging console 3 logging system 5 logging remote 1 1 1 1 port 514 priority 7 service timestamps log hostname ndm 70 PVST Global configuration spanning tree snmp enable modem disable SNMP Configuratio...

Page 120: ...startup config TO SAVE THE CONFIGURATION UNDER A DIFFERENT FILE NAME To save the running configuration under a different file name use the following command EXAMPLE ALU save running config my config Saving to my config Command in SUM Description save running config This command saves the running configuration to the start up configuration The command write memory can also be used to save the runni...

Page 121: ... config file command EXAMPLE ALU show config file my config NVRAM config last updated at 08 13 52 GMT Sun Dec 25 2005 by ALU Statlog Configuration logging on logging buffered priority 7 logging buffered size 10000 no logging console logging system 4 logging remote 10 91 0 94 port 514 priority 7 logging remote 10 91 0 173 port 514 priority 7 service timestamps log hostname OA700 BLR modem enable ht...

Page 122: ...luded snmp server view V1 1 3 6 1 6 3 16 included snmp server view V2 1 3 6 1 6 3 16 included snmp server view default view 1 3 6 1 6 3 15 included snmp server view V3 1 3 6 1 2 1 1 included snmp server view default view 1 included snmp server access default group security model v3 noauth read default view write default view aaa services aaa authentication login default local enable secret 5 b96be...

Page 123: ...licy class class default shape committed rate 512000 committed burst 96000 class high priority map priority class gre map shape committed rate 350000 committed burst 50000 class tunnel class policy map traffic in policy class class default police committed rate 750000 commit action transmit committed burst 144000 exceed action drop class exclude police map interface GigabitEthernet7 1 service poli...

Page 124: ...erver ALU config copy running config tftp Address name of remote host 10 91 2 87 Remote Port Enter for default Destination Path File running config URL specification sanity OK proceeding with copy please wait Copy successful TO LOAD A CONFIGURATION FILE EXAMPLE ALU load config file config1 Loading config1 to running config Percent Complete Command in SUM Description copy from location to location ...

Page 125: ...elete config file my config ALU config write erase Are you sure you want to erase startup config file yes no yes yes OK startup config file erased Command in SUM Description delete config file file name This command is used to delete the configuration file from the config directory write erase This command is used to delete the startup config permanently The command erase startup config can also b...

Page 126: ... the most basic building blocks in the system, which sometimes require a reload of the specific card or the whole system for a software upgrade to take effect. Before upgrading a software module, check the current versions of the modules and read the release notes to make sure you are aware of any potential conflicts between different module versions. PACKAGE TYPES: Packages are the vehicles for software d...

Page 127: ...sure you want to install alu apps 2 1 22 1 npm y n y Installing new release alu apps 2 1 22 1 npm OK Complete Deleting temporary file OK Do you want to set default immediately Yes Chassis will be rebooted automatically No Manually run set default at a later time Proceed y n y Do you want to save config before proceeding y n y Building configuration OK Setting Default image to 2 1 22 1 Command in S...

Page 128: ...essing flash images Verifying and decompressing OK LoL Version 2 2 68 Slot 1 3 Status Done Done Flash updated successfully in slot 1 Flash updated successfully in slot 3 TO TAKE A BACKUP OF THE PACKAGE EXAMPLE ALU config package backup ftp Remote Host 10 91 2 87 Remote Port Enter for default Path backup apps 2 2 25 1 npm Username Enter for none vinaykumar Password Backing up Applications package C...

Page 129: ...diately Yes Chassis will be rebooted automatically No Manually run set default at a later time Proceed y n y Do you want to save config before proceeding y n y Building configuration OK Setting Default image to 2 1 23 1 Command in SUM CM Description package remove package name Removes the specified package However the default package cannot be removed Command in SUM CM Description package set defa...

Page 130: ...on Prevention System 2 1 22 1 IPSec IPSec VPN service 2 1 22 1 Infrastructure Infrastructure components of the system 2 1 22 1 Management OOB Out Of Band Management 2 1 22 1 Management Tools Internal support tools 2 1 22 1 ALU X ModuLive Operating system 2 1 22 1 Networking base Networking infrastructure 2 1 22 1 OSPF OSPF Protocol 2 1 22 1 QoS Quality of Service 2 1 22 1 RIP Routing Information P...

Page 131: ...Guide Alcatel Lucent 2 1 22 1 Serial Frame Relay HDLC T1E1 Serial 2 1 22 1 VRRP Virtual Router Redundancy Protocol 21 Components Listed EXAMPLE 2 ALU show version Alcatel Lucent Software Version 2 3 1 Build 30 Copyright c 2003 2008 by Alcatel Lucent Inc Built on Mon Dec 8 21 08 28 IST 2008 Flash version 2 2 68 ...

Page 132: ...r for the confirmation is N, so the user is obligated to type in a Y (not case sensitive). 2. You will be asked if you want to record the current configuration information before reloading. If the information is not recorded, any changes made since the system was last started will be lost. 3. Another action is to record the current system time in the RTC. This is done in the presumption that the system time...

Page 133: ...en powered down by some other means, such as a sensor reading that exceeds the defined range of operation. Once a slot is powered down, some form of intervention is required to power it back. The power command can be used to power it back. Alternatively, the card can be physically removed from the slot for a few seconds then re-inserted, or the entire chassis can be power cycled. There are four forms of m...

Page 134: ...ues of the temperature and various reference voltages on that card The sensor readings are monitored to ensure that they are within safe operating ranges and if not the card may be powered down see section Managing Individual Slots Any deviation will be noted in the log EXAMPLE ALU show environment Chassis environment readings Report generated at Wed May 14 06 18 32 2008 Chassis temperature 41C SE...

Page 135: ...PCI configuration status Ready Reported at Wed May 14 06 18 28 2008 4 seconds ago Temperature reading 31 500C Opteron temperature 46 0C Opteron status Active Voltage reading 4 91V 1 1 25V 3 2 49V 0 Acceptable voltage range is 6 Acceptable temperatures vary depending on the card type but generally range from 0 600C Warnings will be logged and the fan speed adjusted if any of the cards show a temper...

Page 136: ...as non pluggable front panel components of the system These reports are available in common format This command is available at all configuration modes EXAMPLE The first example is a typical card report In this case the switch card is in slot 24 ALU show chassis slot 24 Physical inventory at Thu Dec 11 19 06 36 2008 SC Switch card active Slot number 24 Part number 902613 90 Manufacturer ALU Descri...

Page 137: ...oader version 2 33 ALU OS version 2 3 1 30 MDC Serial number WL0544000288 Revision A00 Version 01 SE Services engine active Slot number 3 Part number 902601 90 Manufacturer ALU Description Services engine Serial number DD0538002047 Version 01 Revision A00 Opteron CPU Version 10 Opteron CPU Frequency 1994 MHz LoL firmware version 2 2 68 Loader version 2 33 ALU OS version 2 3 1 30 MDC Serial number ...

Page 138: ...d active Slot number 24 Part number 902613 90 Manufacturer ALU Description Switch card Serial number DD0504001023 Version 00 Revision Q LoL firmware version 2 2 68 Loader version 2 33 ALU OS version 2 3 1 30 FP Fan tray passive Slot number 26 Part number 902614 90 Manufacturer ALU Description Fan tray Serial number DD05XX000000 Version 00 Revision A00 BP ALU OA780 chassis passive Slot number 29 Pa...

Page 139: ... 3 Services engine Card Ready TO VIEW THE CURRENT STATE OF LEDS EXAMPLE ALU config show led Name State Primary SC green Standby SC vacant Front panel Active green Modem off Console green Usb off Command in SUM Description show system status This command displays the status of the different cards in the system Command in UM Description show led This command displays the current state of the LEDs on...

Page 140: ...ot 2308 S vrrp 331 root 1384 S udp agent 332 root 1520 S statsagent 333 root 2368 S statlogd c 334 root 2388 S ribmgr ribmgr initial 335 root 2544 S srm srm initial 337 root 2308 S aclmgr aclmgr initial 338 root 2268 S rip rip initial 339 root 2164 S pvstd 340 root 1884 S pluto nofork nat_traversal 341 root 6336 S ospfd ospfd initial 343 root 2268 S mcribmgr mcribmgr initial 344 root 2096 S ipcd i...

Page 141: ... etc EXAMPLE ALU config show memory total used free shared buffers cached Mem 380014592 180305920 199708672 0 176128 43839488 Swap 0 0 0 MemTotal 371108 kB MemFree 195028 kB MemShared 0 kB Buffers 172 kB Cached 42812 kB SwapCached 0 kB Active 13964 kB Inactive 136824 kB HighTotal 0 kB HighFree 0 kB LowTotal 371108 kB LowFree 195028 kB SwapTotal 0 kB SwapFree 0 kB Note In addition to the total memo...

Page 142: ...ing as it's responding to user input. OA-700 being a multi-processor platform, the problem could be in any other card or process, but the CLI is locked due to some inter-dependency. Due to WAN and LAN interfaces being non-operational, the only access to OA-700 is through console or modem, through which the user can still access OA-700 and diagnose the problem. The system is placed in a remote location and hence physical acce...

Page 143: ...table gives the standard key combinations used to send BREAK signal on different platforms Software Operating System Key Hyperterminal Windows XP Ctrl Break Kermit Linux Unix Ctrl l Ctrl b Minicom Linux Ctrl a f Telnet N A Ctrl then type send brk Teraterm Windows Alt b Terminal Windows Break Ctrl Break Tip UNIX Ctrl then Break or Ctrl c VT 100 Emulation N A F16 Z TERMINAL Apple Command b ...

Page 144: ...Local management and remote management are the two ways of managing a device connected to a network. Local management demands human intervention where the managed object is situated. This becomes cumbersome when the network devices are numerous and widespread. Managing such a system becomes tedious and quite impossible. In such a situation, SNMP is used to manage the network remotely. Using a workstatio...

Page 145: ...n the devices. This application runs on a computer that is used to manage one or more network management systems. Consider an organization having its branches in different geographical locations. Administration of all the computers present in different localities would be difficult. When the System Administrator's computer is installed with the manager and all other systems and devices across all the ...

Page 146: ...OVERVIEW: SNMP Version 3 (SNMPv3) is an interoperable standard-based protocol for network management. It provides secure access to devices by a combination of authenticating and encrypting packets over the network. The security features provided in SNMPv3 are: Message integrity: ensuring that a packet has not been tampered with in transit. Authentication: determining the message is from a valid source. Encr...

Page 147: ... snmp disable TO CONFIGURE SNMP AGENT COMMUNITY EXAMPLE ALU config snmp agent rocommunity private ALU config no snmp agent rocommunity Command in CM Description snmp enable This command is used to enable the SNMP service snmp disable This command is used to disable the SNMP service Command in CM Description snmp agent rocommunity rwcommunity community string This command configures the SNMP agent ...

Page 148: ...ntact contact details location location name name This command is used to configure the SNMP system contact details system s physical location information and SNMP system name no snmp system contact location name This command removes the specified SNMP system details Command in CM Description snmp trap enable This command enables the agent to send the SNMP traps to the configured host Command in C...

Page 149: ...ing to a particular security model EXAMPLE ALU config snmp server group testgroup user123 security model v3 ALU config no snmp server group testgroup user123 security model v3 Command in CM Description snmp server user user name auth MD5 SHA auth password priv DES privilege password This command is used to configure a SNMPv3 user no snmp server user user name This command deletes a SNMPv3 user Com...

Page 150: ...o snmp server access testgroup security model v3 auth Command in CM Description snmp server view view name MIB family name included excluded This command is used to configure a SNMP view View name represents the MIB view and the MIB family name represents the MIB view sub tree associated with the view name no snmp server view view name MIB family name This command deletes a view Command in CM Desc...

Page 151: ...ALU config show snmp details SNMP status Enabled Traps Enabled System information System Contact support alcatel lucent com name alu1 System Location Not configured Community Access Community String read only private read write Not configured Trap Host Trap Port Version Trap Community 1 1 1 1 10 v1 test 1 1 1 11 11 v1 test1 Command in CM Description show snmp details This command is used to view t...

Page 152: ...MP packets output 0 Too big errors 2 No such name errors 0 Bad values errors 0 General errors 557 Get Responses 0 Traps TO VIEW SNMP USER CONFIGURATION EXAMPLE ALU config show snmp user User Name user123 Authentication Protocol MD5 Security Level Auth Command in CM Description show snmp stats This command displays the SNMP statistics Command in CM Description show snmp user user name This command ...

Page 153: ...LE ALU config show snmp view ViewName Status MIBFamily view123 included 1 3 6 1 TO VIEW SNMP ACCESS CONFIGURATION EXAMPLE ALU config show snmp access Group Name testgroup Security Level auth Security model v3 Read View read view Write View write view Command in CM Description show snmp group This command displays the configuration of the configured SNMP groups Command in CM Description show snmp v...

Page 154: ...ntact support alcatel lucent com name alu1 snmp agent rocommunity private snmp trap 1 1 1 1 v1 test 10 snmp trap 1 1 1 11 v1 test1 11 snmp server user user123 auth MD5 passpass1 snmp server group testgroup user123 security model v3 snmp server view view123 1 3 6 1 included snmp server access testgroup security model v3 auth read read view write write view Command in CM Description show snmp This c...

Page 155: ...mand GET The following snmpget command for v1 and v2 can be used to retrieve the value of a MIB object: snmpget -v 1|2c -c <community string> <agent ip address> <MIB object> The following snmpget command for v3 can be used to retrieve the value of a MIB object: snmpget -v 3 -u <user name> -l noauthnopriv|authnopriv|authpriv -a MD5|SHA -A <auth password> -x DES -X <privilege password> <host ip address> <MIB object> GETNEXT T...

Page 156: ...be used to fetch all the MIB objects supported at the agent: snmpwalk -v 1|2c -c <community string> <agent ip address> The following command for v3 can be used to fetch all the MIB objects supported at the agent: snmpwalk -v 3 -u <user name> -l noauthnopriv|authnopriv|authpriv -a MD5|SHA -A <auth password> -x DES -X <privilege password> <host ip address> <MIB object> SNMP MIB GUI The SNMP MIB objects can be queried and se...

Page 157: ...rfaces like Ethernet VRRP is supported on GigabitEthernet GigE interface on the OA 700 This chapter includes the following sections VRRP Overview VRRP Configuration VRRP Interface Tracking VRRP Configuration Scenario using OA 700 The VRRP Overview section serves as an additional information on VRRP You can skip this section and move directly to the configuration section CHAPTER CONVENTIONS Acronym...

Page 158: ...ual router s IP addresses on a LAN can then be used as the default first hop router by end hosts The advantage gained from using VRRP is a higher availability default path without requiring configuration of dynamic routing or router discovery protocols on every end host During the startup or through the use of the priority and preempt commands one of the routers is chosen to be the Active router M...

Page 159: ...ddress must be configured and the operational state of the interface must be up for VRRP to operate Step 3 Administratively bring up the interface ALU config if interface name no shutdown Example ALU config if GigabitEthernet7 0 no shutdown Step 4 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config if Gig...

Page 160: ...Step 7 Use the show and debug commands to monitor and debug the VRRP configuration See Monitor and Debug VRRP ...

Page 161: ...VRRP CONFIGURATION FLOW Figure 2 VRRP Configuration Flow ...

Page 162: ...OUP Note Group ID is in the range 1 8 EXAMPLE ALU config if GigabitEthernet7 0 vrrp 5 ip 10 91 0 8 ALU config if GigabitEthernet7 0 no vrrp 5 ip 10 91 0 8 Command in CM Description interface name This command is used to configure an interface Command in ICM Description vrrp 1 8 ip ip address This command configures a VRRP group with the specified ID on the interface and specifies a primary IP addr...

Page 163: ...or secondary on any interface except on the interface on which the group is getting configured It cannot be used as the group address for any other group on the same interface or on any other interface EXAMPLE 1 ALU config if GigabitEthernet7 0 ip address 10 1 1 1 24 ALU config if GigabitEthernet7 0 ip address 10 2 1 1 24 secondary ALU config if GigabitEthernet7 0 vrrp 1 ip 10 1 1 1 ALU config if ...

Page 164: ...p 1 ip 10 1 1 1 Error 10 1 1 1 already assigned as interface IP to GigabitEthernet3 0 ALU config if GigabitEthernet3 1 ALU config if GigabitEthernet3 1 interface GigabitEthernet 3 0 ALU config if GigabitEthernet3 0 vrrp 2 ip 20 1 1 1 Error 20 1 1 1 already assigned as interface IP to GigabitEthernet3 1 ALU config if GigabitEthernet3 0 EXAMPLE 2 ALU config if GigabitEthernet3 0 vrrp 1 ip 10 1 1 1 A...

Page 165: ...ree conditions have to be met The primary address of the interface must be configured The operational state of the interface must be up The primary address of the group must be configured TO CONFIGURE VRRP ROUTER PRIORITY Note Priority cannot be changed for a VRRP group that is an IP address owner i e VRRP group address same as the interface address The default priority for this group is set to 25...

Page 166: ...efined string up to 80 characters is allowed EXAMPLE ALU config if GigabitEthernet7 0 vrrp 7 description ALU vrrp Command in ICM Description vrrp 1 8 preempt This command enables the preempt mode By enabling the preempt mode the configured router takes over as the master of a group if it has a higher priority than the existing master virtual router no vrrp 1 8 preempt The no form of the above comm...

Page 167: ...or the VRRP group By default the timer value is configured in seconds It is in the range 1 255 The timer value can be configured in milliseconds by using the keyword msec It is in the range 50 999 msecs EXAMPLE ALU config if GigabitEthernet7 0 vrrp 7 timers advertise 5 Command in ICM Description vrrp 1 8 authentication text password This command is used to set authentication for the VRRP group Com...

Page 168: ...enabled if learning is enabled TO CONFIGURE INTERFACE TRACKING EXAMPLE ALU config if GigabitEthernet7 0 vrrp group track interface serial1 0 0 Command in CM Description vrrp 1 8 timers learn This command configures the backup virtual router to learn the advertisement interval used by the master virtual router no vrrp 1 8 timers learn This command disables learning The backup router uses the config...

Page 169: ... interval is 3 000 secs Interface GigabitEthernet3 0 Group 2 State is Master Virtual IP address is 20 1 1 1 Virtual MAC address is 0000 5e00 0102 Advertisement interval is 1 000 sec Preemption enabled Priority is 100 Master Router is 10 1 1 1 local priority is 100 Master Advertisement interval is 1 000 secs Master Down interval is 3 000 secs ALU config if GigabitEthernet3 0 ALU config if GigabitEt...

Page 170: ...is 3 000 secs Interface GigabitEthernet3 0 Group 2 State is Master Virtual IP address is 20 1 1 1 Virtual MAC address is 0000 5e00 0102 Advertisement interval is 1 000 sec Preemption enabled Priority is 100 Master Router is 10 1 1 1 local priority is 100 Master Advertisement interval is 1 000 secs Master Down interval is 3 000 secs TO VIEW VRRP CONTROL DEBUG MESSAGES EXAMPLE ALU debug vrrp control...

Page 171: ...ill actively monitor the status of the specified interface Any change in the status of the interface will affect the priority of the router When track interface is enabled for a VRRP group the behavior of the router is as follows WHEN THE TRACK INTERFACE GOES DOWN The following section details the process followed by a router when it is either in master state or backup state when the track interfa...

Page 172: ...rface went down it performs the following The router will take the following actions when the track interface comes up Cancels master down timer Sets the master down interval to skew time Sets the operational priority to 255 Schedules the new master down timer The above action result in the router becoming the master Case ii Router is not the Address Owner The router will take the following action...

Page 173: ...VRRP CONFIGURATION SCENARIO USING OA-700 The topology consists of the following components: OA-780, Alcatel-Lucent OmniSwitch, Switch, PC/Laptop Figure 3 VRRP Topology PROCEDURE Configure LAN stations 192.168.1.4, 192.168.1.5, 192.168.1.6 with default gateway address of 192.168.1.3, which is the IP address of the Virtual Router ...

Page 174: ...aster router because of the highest priority 255 OmniSwitch i VRRP Group ID is 1 ii OmniSwitch VLAN ID is 10 iii Assign IP address 192 168 1 2 255 255 255 0 to VLAN 10 iv VRRP IP address is 192 168 1 3 v Priority for the group is 110 OmniSwitch becomes the backup router because of the lower priority OA 780 ALU config terminal ALU config interface GigabitEthernet7 1 ALU config if GigabitEthernet7 1...

Page 177: ...s Engine SE on the OA 700 The Ethernet Overview section serves only as an additional information on the Ethernet Interfaces You can skip this section and directly go to the configuration details Ethernet Configuration section Refer Alcatel Lucent Specific Overview on Ethernet Interfaces to get a detailed overview on the usage of Ethernet interfaces on the OA 700 CHAPTER CONVENTIONS Acronym Descrip...

Page 178: ...all devices on the network Once a device is attached to this cable it has the ability to communicate with any other attached device This allows the network to expand to accommodate new devices without requiring any modification to those devices already on the network Refer the following section to configure the Ethernet interfaces on your system Ethernet Basics Ethernet Terminologies Full duplex E...

Page 179: ...ed frames which are variably sized chunks of information Each frame must include for example both a destination address and a source address which identify the recipient and the sender of the message The address uniquely identifies the node No two Ethernet devices should ever have the same address Ethernet addressing Ethernet addressing implements a broadcast address A frame with a destination add...

Page 180: ...Ethernet Full duplex refers to the ability of a network to send and receive data at the same time Legacy Ethernet is half duplex meaning information can move in only one direction at a time In a totally switched network nodes only communicate with the switch and never directly with each other Switched networks also employ either twisted pair or fiber optic cabling both of which use separate conduc...

Page 181: ...face name no shutdown Example ALU config if GigabitEthernet7 0 no shutdown Step 4 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config if GigabitEthernet7 0 ip address 20 20 20 20 24 Step 5 Configure parameters that are optional on the interface Configure Duplex Operation on the interface See To Configure ...

Page 182: ...ETHERNET INTERFACE CONFIGURATION FLOW Figure 5 Ethernet Interface Configuration Flow ...

Page 183: ...duplex full ALU config if GigabitEthernet7 0 no duplex TO CONFIGURE FLOW CONTROL EXAMPLE ALU config if GigabitEthernet7 0 flowcontrol send on ALU config if GigabitEthernet7 0 no flowcontrol send on Command in CM Description interface GigabitEthernet slot port This command allows you to configure GigE interface Command in ICM Description duplex auto full half This command configures duplex operatio...

Page 184: ...fig if GigabitEthernet7 0 speed 100 ALU config if GigabitEthernet7 0 no speed Command in ICM Description mtu 64 1500 This command is used to configure the MTU of the interface i e the maximum packet size that the interface can accept no mtu 64 1500 The no command sets the MTU to its default The default MTU is 1500 bytes Command in ICM Description speed 10 100 1000 auto This command configures the ...

Page 185: ...d 0 packets output 0 bytes 0 underruns 0 output errors 0 collisions 0 interface resets 0 babbles 0 late collision 0 deferred 0 lost carrier 0 no carrier 0 output buffer failures 0 output buffers swapped out loopback is up line protocol is up Internet address is 11 11 11 11 24 MTU 1500 bytes BW 0 Kbit DLY 0 usec reliability 0 255 txload 0 255 rxload 0 255 Encapsulation LOOPBACK loopback not set Kee...

Page 186: ... 0 pause input 4766 packets output 486524 bytes 0 underruns 0 output errors 0 collisions 0 interface resets 0 babbles 0 late collision 0 deferred 2 lost carrier 2 no carrier 0 pause output 0 output buffer copied 0 interrupts 0 failures ALU EXAMPLE 2 ALU show interfaces GigabitEthernet 7 0 GigabitEthernet7 0 is up line protocol is up Hardware address is 0000 1111 2222 0000 1111 2222 Internet addres...

Page 187: ...input never output never output hang never Last clearing of show interface counters never Queueing strategy fifo Output queue 0 0 size max 0 drops Input queue 0 0 size max 0 drops 5 minute input rate 344 bits sec 1 packets sec 5 minute output rate 8 bits sec 0 packets sec 68 packets input 5108 bytes 0 no buffer Received 39 broadcasts 0 runts 0 giants 0 input errors 0 CRC 0 frame 0 overrun 0 ignore...

Page 188: ...nterface confirm y ALU config TO CLEAR COUNTERS ON GIGE INTERFACE EXAMPLE ALU config if GigabitEthernet7 0 clear Clear counters on this interface confirm y ALU config Command in ICM CM Description clear counters GigbitEthernet slot port subinterface_number This command clears the counters on a specific GigE interface Command in ICM Description clear This command is used in the Interface Configurat...

Page 189: ...ts and Hybrid ports The Switching Overview section serves as an additional information on L2 switching You can skip this section and directly go to the configuration details L2 Switching Configuration Refer to the Alcatel Lucent Specific Overview on Switching for Alcatel Lucent specific features Basic scenarios using switching on OA 700 is given in the last section You can refer to this section fo...

Page 190: ... units bridges and switches provide several advantages The switch acts as a firewall for some potentially damaging network errors and will accommodate communication between a larger number of devices than would be supported on any single LAN connected to the bridge Bridges and switches extend the effective length of a LAN permitting the attachment of distant stations that was not previously permit...

Page 191: ...dresses Physical addresses also known as link layer hardware or MAC layer addresses identify individual devices Most hardware devices are permanently assigned this number during the manufacturing process Switches operating at Layer 2 are very fast because they are just sorting physical addresses but they usually are not very smart that is they do not look at the data packet very closely to learn a...

Page 192: ...packets iii Trunk A trunk port sends and receives only tagged packets iv Hybrid These ports are used to connect both VLAN aware tagged devices as well as VLAN unaware untagged devices The default VLAN id is VLAN 1 Supports software bridging VLAN can be configured on any number of line cards If VLAN spreads across the line cards line rate switching can not be achieved All interfaces are by default ...

Page 193: ...runk hybrid provided access configuration exists If no access configuration exists interface is set to pure bridging mode In the Hybrid mode if a VLAN is configured as both native VLAN and Trunk VLAN native VLAN takes precedence If no mode is configured on the switchport and if no access VLAN configuration exists on the switchport the switchport will be in pure bridging mode In this mode packets a...

Page 194: ...o configure L2 to either Access Trunk or Hybrid mode These steps are optional Configure L2 interface to operate in Pure Bridging Mode Step 1 Configure L2 interface to Pure Bridging mode by using no switchport mode command See To Configure Mode for the L2 Interface If no access VLAN is configured OR Configure L2 interface to operate in Access Mode Step 1 Configure L2 interface to Access mode by usi...

Page 195: ...owed when the interface is configured to Hybrid mode See To Configure Trunk VLAN Step 3 Configure Native VLAN untagged VLAN See To Configure Hybrid Native VLAN Step 5 Configure optional parameters on the interface Configure Duplex Operation on the interface See To Configure Duplex Operation Configure Speed on the interface See To Configure Speed Step 6 Monitor and troubleshoot the configuration us...

Page 196: ...L2 SWITCHING CONFIGURATION FLOW Figure 8 L2 Switching Configuration Flow ...

Page 197: ...Command in CM Description interface switchport slot port This command is used to configure an L2 interface Command in ICM Description no shutdown This command is used to administratively bring up the L2 interface shutdown This command is used to administratively bring down the L2 interface Command in ICM Description switchport mode trunk hybrid This command is used configure the L2 interface in th...

Page 198: ...5 8 9 ALU config if switchport1 0 no switchport trunk allowed vlan 3 5 Command in ICM Description switchport access vlan 2 4094 This command is used to configure VLANs for access mode in the range 2 4094 no switchport access vlan This command deletes the access VLANs configured on the interface This makes it to switch over to the pure bridging mode Command in ICM Description switchport trunk allow...

Page 199: ... if switchport1 0 no speed Command in ICM Description switchport hybrid native vlan 2 4094 This command is used to configure Native VLAN for hybrid mode in the range 2 4094 no switchport hybrid native vlan This command deletes the native VLAN configured on the interface and resets it to its default The default hybrid native VLAN ID is 1 Command in ICM Description duplex auto full half This command...

Page 200: ...ion 2 30 ALU OS version 2 2 20 R02 MDC Serial number WL0534000127 Revision Q Version 01 SE Services engine active Slot number 3 Part number 902601 90 Manufacturer ALU Description Services engine I Serial number ND0533001498 Version 00 Revision A00 Opteron CPU Version 10 Opteron CPU Frequency 1994 MHz LoL firmware version 2 2 68 Loader version 2 33 ALU OS version 2 2 20 R02 PB Power tray active Slo...

Page 201: ... number DD05XX000000 Version 00 Revision A LoL firmware version 2 2 68 Loader version 2 33 ALU OS version 2 2 20 R02 FP Fan tray passive Slot number 26 Part number 902614 90 Manufacturer ALU Description Fan tray Serial number DD0429000107 Version 00 Revision A00 BP ALU OA780 chassis passive Slot number 29 Part number 902611 90 Manufacturer ALU Description ALU OA780 chassis Serial number DD05XX0000...

Page 202: ... packets sec 5 minute output rate 0 bits sec 0 packets sec 1950230 packets input 722390067 bytes Received 48676 broadcasts 0 runts 0 giants 0 throttles 0 input errors 0 CRC 0 frame 0 overrun 0 ignored 0 watchdog 14154 In multicast 0 pause input 0 input packets with dribble condition detected 1971500 packets output 842881406 bytes 328 Sent broadcasts 0 output errors 0 collisions 0 interface resets ...

Page 203: ...port0 0 Access ALU config show vlan Brief VLAN_ID Status Interface name Mode 1 Inactive switchport0 2 No Mode switchport0 3 No Mode switchport0 4 No Mode switchport0 5 No Mode 10 Inactive switchport0 0 Access switchport0 7 Access switchport0 6 Trunk 20 Inactive switchport0 1 Access Command in CM Description show vlan Brief id 1 4094 The show vlan Brief command displays all the VLANs that are confi...

Page 204: ...6d23 switchport0 0 10 Dynamic 00c0 9f33 6e54 switchport0 0 10 Dynamic 00c0 9f33 7c84 switchport0 0 10 Dynamic 0000 5e00 0101 switchport0 1 20 Dynamic 0008 a16b 6597 switchport0 1 20 Dynamic 0008 a170 59ea switchport0 1 20 Dynamic 0008 a170 5e1d switchport0 1 20 Dynamic 0008 a170 5e21 switchport0 1 20 Dynamic 0008 a177 fecc switchport0 1 20 Dynamic 0008 a177 fece switchport0 1 20 Dynamic 0008 a178 ...

Page 205: ...L2 SWITCHING CLEAR COMMANDS TO CLEAR THE MAC ADDRESS TABLE EXAMPLE ALU clear mac address table Dynamic Command in CM Description clear mac address table Dynamic slot slot number vlan 1 4094 This command clears the mac address table learnt by the system ...

Page 206: ...ll the L2 ports participate in pure bridging OA 700 AS A SWITCH WITH NO VLANS The topology consists of the following components 1 OA 700 6 PCs Laptops Figure 9 Switching with no VLANs PROCEDURE By default all Switch ports will be in bridged mode They belong to 1 broadcast domain ALU config interface switchport1 0 ALU config if switchport1 0 ALU config if switchport1 0 no shutdown To check for reac...

Page 207: ...with ports S0 2 and S0 3 VLAN2 is configured with ports S0 4 and S0 5 and VLAN3 is configured with ports S0 6 and S0 7 Hence hosts 1 and 2 belong to VLAN1 hosts 3 and 4 belong to VLAN2 and hosts 5 and 6 belong to VLAN3 TO CONFIGURE ACCESS VLAN ALU config if switchport1 0 switchport access vlan 10 ALU config if switchport1 0 TO DELETE ACCESS VLAN CONFIGURED ALU config if switchport1 0 no switchport...

Page 209: ...e parameter descriptions and their corresponding default values refer to the OmniAccess 700 CLI Command Reference Guide This chapter includes the configuration steps CLI syntax with its description and configuration examples The commands are described in sequential order of configuration This chapter is divided into the following sections Per VLAN Spanning Tree PVST Overview PVST Configuration PVS...

Page 210: ...ovide path redundancy Spanning Tree Protocol defines a tree that spans all switches in an extended network Spanning Tree Protocol forces certain redundant data paths into a standby blocked state If one network segment in the Spanning Tree Protocol becomes unreachable or if Spanning Tree Protocol costs change the spanning tree algorithm reconfigures the spanning tree topology and reestablishes the ...

Page 211: ...al ALU config Step 2 Enable PVST See To Enable PVST Step 3 To configure Forward time Hello time Max age Priority for PVST See To Set Forward time Hello time Max age Priority for PVST Optional Step 4 Configure L2 interface ALU config interface switchport slot port ALU config if switchport slot port Example ALU config interface switchport 1 0 ALU config if switchport1 0 Configure PVST Optional param...

Page 212: ...PVST CONFIGURATION FLOW Figure 11 PVST Configuration Flow ...

Page 213: ... following command enables the spanning tree for the default VLAN id i e VLAN 1 ALU config spanning tree The deletion of the spanning tree will follow the same rule ALU config no spanning tree The following example configures spanning tree for VLAN 100 ALU config spanning tree vlan 100 The deletion of the spanning tree will follow the same rule ALU config no spanning tree vlan 100 Command in CM De...

Page 214: ...n 100 max age 40 The following command resets the PVST Forward time Hello time Maximum age Bridge priority to its default ALU config no spanning tree vlan 100 forward time ALU config no spanning tree vlan 100 hello time ALU config no spanning tree vlan 100 max age Command in CM Description spanning tree vlan 1 4094 forward time 4 30 hello time 1 10 max age 6 40 priority 0 65535 This command is ent...

Page 215: ...E ALU config if switchport1 0 spanning tree vlan 100 cost 1000 ALU config if switchport1 0 no spanning tree vlan 100 cost Command in ICM Description spanning tree vlan 1 4094 spanning disabled This command is entered in the interface configuration mode This disables the Spanning tree on a specific interface no spanning tree vlan 1 4094 spanning disabled The no command enables the Spanning tree on ...

Page 216: ...d on a per port basis EXAMPLE ALU config if switchport1 0 spanning tree vlan 100 port priority 250 ALU config if switchport1 0 no spanning tree vlan 100 port priority Command in ICM Description spanning tree vlan 1 4094 port priority 0 255 This command is entered in the Interface Mode This command is used to prioritize a specific interface no spanning tree vlan 1 4094 port priority 0 255 The no co...

Page 217: ...ge 20 sec Forward Delay 15 sec Port Designated Name Port ID Prio Cost sts Cost Bridge ID Port ID switchport0 0 128 8 128 4 FWD 0 00 07 50 0c a1 00 128 13 switchport0 1 128 7 128 4 DIS 0 00 11 8b 00 27 12 128 7 switchport0 2 128 6 128 4 DIS 0 00 11 8b 00 27 12 128 6 switchport0 3 128 5 128 4 DIS 0 00 11 8b 00 27 12 128 5 switchport0 4 128 4 128 4 DIS 0 00 11 8b 00 27 12 128 4 switchport0 5 128 3 12...

Page 218: ...0 00 11 8b 00 27 12 128 8 switchport1 1 128 7 128 4 FWD 0 00 11 8b 00 27 12 128 7 switchport1 2 128 6 128 4 FWD 0 00 11 8b 00 27 12 128 6 switchport1 3 128 5 128 4 FWD 0 00 11 8b 00 27 12 128 5 switchport1 4 128 4 128 4 FWD 0 00 11 8b 00 27 12 128 4 switchport1 5 128 3 128 4 FWD 0 00 11 8b 00 27 12 128 3 switchport1 6 128 2 128 4 DIS 0 00 11 8b 00 27 12 128 2 switchport1 7 128 1 128 4 DIS 0 00 11 ...

Page 219: ... priority 128 Designated root has priority 2 address 00 07 50 0c a1 03 Designated bridge has priority 2 address 00 07 50 0c a1 03 Designated port Id is 128 13 path cost 4 Timers message age 0 forward delay 0 hold 0 BPDU sent 0 received 535 EXAMPLE 2 ALU config show spanning tree vlan 1 Spanning tree 1 is executing the IEEE compatible Spanning Tree Protocol Bridge Identifier has priority 32768 addr...

Page 220: ... received 0 Interface switchport1 4 port 4 in Spanning tree 1 is Forwarding Port path cost 4 Port priority 128 Designated root has priority 32768 address 00 11 8b 00 27 12 Designated bridge has priority 32768 address 00 11 8b 00 27 12 Designated port Id is 128 4 path cost 0 Timers message age 0 forward delay 0 hold 0 BPDU sent 120 received 0 Interface switchport1 5 port 3 in Spanning tree1 is Forw...

Page 221: ...or vlan 1 OA700 2 is Root Spanning Tree for vlan 2 OA700 2 is Root Spanning Tree for vlan 3 OA700 1 is Root ON OA700 1 PVST Global configuration ALU config spanning tree ALU config spanning tree vlan 2 ALU config spanning tree vlan 3 ALU config spanning tree vlan 3 priority 3 ALU config interface switchport0 0 ALU config if switchport0 0 switchport mode hybrid ALU config if switchport0 0 switchpor...

Page 222: ... trunk allowed vlan 2 3 ALU config if switchport0 0 no shutdown EXAMPLE 2 Configure PVST on OA 700 Spanning Tree provides a mechanism for loop detection and guarantees only one path exists between two end stations Spanning Tree is not turned on by default on L2 GE When no VLANs are configured on the L2 ports all ports of the switch belong to one broadcast domain All the L2 ports will participate i...

Page 223: ... spanning tree ALU config if switchport1 2 interface switchport 1 0 ALU config if switchport1 0 spanning tree cost 1000 CHECK THE CONFIGURATION WITH THE SHOW COMMAND ALU config show spanning tree brief vlan 1 VLAN1 Spanning tree enabled protocol IEEE ROOT ID Priority 32768 Address 00 11 8b 00 27 12 This bridge is the root Hello Time 2 sec Max Age 20 sec Forward Delay 15 sec Bridge ID Priority 3276...

Page 225: ...grated Routing and Bridging IRB on the OA 700 The Integrated Routing and Bridging Overview section serves as a comprehensive study on the IRB information IRB Configuration details the command used to configure IRB on the OA 700 The last section IRB Configuration using OA 700 provides a real time scenario for configuring IRB on the OA 700 CHAPTER CONVENTIONS Acronym Description CM Configuration Mod...

Page 226: ...rt will then be capable of taking part in both bridging and routing at the same time This technology is called IRB on the OA 700 If the physical ports belonging to a VLAN are thought of as defining a logical bridge switch then the mechanism of sending an incoming packet from this bridge to the logical router inside the OA 700 is to connect the bridge and the router by a logical VLAN interface This...

Page 227: ... be for VLAN 1 See To Configure VLAN Interface Step 2 Attach the VLAN to one or more switchports through the CLI commands for access trunk and hybrid ports Refer chapter on switching Layer 2 Switching Configuration for a detailed insight on the VLAN commands Step 3 Configure IP address and attach policies such as Filter IDS etc on the VLAN interface through known CLI commands for other services No...

Page 228: ...earing of show interface counters never Queueing strategy fifo Output queue 0 0 size max 0 drops Input queue 0 0 size max 0 drops 5 minute input rate 0 bits sec 0 packets sec 5 minute output rate 0 bits sec 0 packets sec 2034961 packets input 0 bytes 0 no buffer Received 0 broadcasts 0 runts 0 giants 0 input errors 0 CRC 0 frame 0 overrun 1580 ignored 0 watchdog 0 multicast 0 pause input 2035879 p...

Page 229: ...onents 1 OA 700 A Serial Connector 6 PCs Laptops Figure 14 IRB Topology PROCEDURE By default all switchports will be in bridge mode They belong to one broadcast domain CONFIGURE BRIDGING ALU config interface switchport1 0 ALU config if switchport1 0 ALU config if switchport1 0 no shutdown ALU config if switchport1 0 switchport access vlan 100 CONFIGURE A VIRTUAL INTERFACE ALU config interface vlan...

Page 230: ...CHECK FOR REACHABILITY BETWEEN HOSTS Verify by pinging from 10.10.10.5 to 10.10.10.20, and also ping to check for WAN connectivity. For example, ping from 10.10.10.5 to any HTTP address ...

Page 231: ... CLI syntax with its description and configuration examples The commands are described in sequential order of configuration For a more detailed information on the parameter descriptions and their corresponding default values refer to the OmniAccess 700 CLI Command Reference Guide This chapter is divided into the following sections 802 1X Overview 802 1X Configuration 802 1X Configuration Example C...

Page 232: ... that port when the authentication and authorization fails The following diagram shows the deployment scenario of 802 1X This diagram shows the supplicant authenticator and authentication server in a 802 1X network The 802 1X requires one authenticator port In the diagram controlled port and uncontrolled port are the logical port in Authenticator System The controlled port shown here is not author...

Page 233: ...l in 802 1X is called EAP encapsulation over LANs EAPOL 802 1X is a standard for passing EAP over a wired LAN It packages EAP messages in Ethernet frames The following is the communications among Supplicant Authenticator and Authentication Server The authenticator sends an EAP Request Identity packet to the supplicant as soon as it detects that the link is active The supplicant sends an EAP Respon...

Page 234: ...Figure 16 Message Exchange ...

Page 235: ...When the port is in the force authorized force unauthorized unauthorized or shutdown state it is placed in the configured access VLAN If an 802 1X port is authenticated and put in the RADIUS server assigned VLAN any change to the port access VLAN configuration does not take effect If the multi auth mode is enabled on a 802 1X port the dynamic VLAN featured is disabled i e VLAN information received...

Page 236: ...nticate a user ALU config aaa services ALU config aaa server group radius name ALU config rad grp radius server ip address key string ALU config rad grp exit ALU config aaa method list name methods ALU config aaa authentication dot1x method list name Example ALU config aaa services ALU config aaa server group radius rad1 ALU config rad1 grp radius server 10 0 0 254 key admin ALU config rad1 grp ex...

Page 237: ...rt based authentication on the L2GE interface See To Enable 802 1X Port based Authentication on L2 Interface Step 7 Configure 802 1X Optional parameters on a L2 interface See Configure 802 1X Optional Parameters on a L2 interface Enable periodic reauthentication See To Enable Periodic Reauthentication Configure time out for periodic reauthentication See To Configure Time out for Periodic Reauthent...

Page 238: ...e Hosts Reset configurable 802 1X parameters to default Values See To Reset Configurable 802 1X Parameters To Default Values Manually reauthenticate the client See To Manually Reauthenticate the Client Initialize the authentication for the client See To Initialize the Authentication for the Client Step 8 Use the show commands to recheck and view the details configured See 802 1X Show Commands ...

Page 239: ... 802 1X CONFIGURATION FLOW Figure 17 802 1X Configuration Flow ...

Page 240: ...enable 802 1X port based authentication globally When enabled the port based authentication on the interface will be forced authorized no dot1x system auth control This command is used to disable 802 1X port based authentication globally Command in ICM Description dot1x port control auto forced authorized forced unauthorized This command is entered in the Interface Configuration Mode This command ...

Page 241: ...x timeout reauth period 4500 ALU config if switchport5 0 no dot1x timeout reauth period Command in ICM Description dot1x reauthentication This command is used to enable periodic reauthentication of the client By default this is disabled no dot1x reauthentication This command is used to disable periodic reauthentication of the client Command in ICM Description dot1x timeout reauth period 1 65535 Th...

Page 242: ...tx period Command in ICM Description dot1x timeout quiet period 1 3600 This command sets the number of seconds that the OA 700 remains in the quiet state following a failed authentication exchange with the client no dot1x timeout quiet period 1 3600 This command sets the quiet period to its default The default is 60 seconds Command in ICM Description dot1x timeout tx period 1 3600 This command set...

Page 243: ...dot1x max request 3 ALU config if switchport5 0 no dot1x max request Command in ICM Description dot1x timeout supp timeout 1 65535 This command sets the switch to client retransmission time for the EAP request frame no dot1x timeout supp timeout 1 65535 This command sets the supp timeout to its default The default is 30 seconds Command in ICM Description dot1x max request 1 10 This command sets th...

Page 244: ...onfig if switchport5 0 dot1x host mode multi host ALU config if switchport5 0 no dot1x host mode TO RESET CONFIGURABLE 802 1X PARAMETERS TO DEFAULT VALUES EXAMPLE ALU config if switchport5 0 dot1x default Command in ICM Description dot1x host mode multi host multi auth This command is used to allow multiple hosts clients or multiple authentication on an 802 1X authorized port Make sure that the po...

Page 245: ...terface switchport 5 0 TO INITIALIZE THE AUTHENTICATION FOR THE CLIENT EXAMPLE ALU config dot1x initialize interface switchport 5 0 Command in CM Description dot1x re authenticate interface switchport slot port This command is used to manually reauthenticate the clients connected to a port Command in CM Description dot1x initialize interface switchport slot port This command initializes the authen...

Page 246: ...period 60 tx period 30 supp timeout 30 server timeout 30 max req 2 operation_mode Single Host port control Auto Supplicant 00 0D 62 2B 76 FA Status Authorized Current Identifier 3 Authenticator state machine State Authenticated Reauth count 0 Backend state machine State Idle Request count 0 Reauthentication state machine state Initialize Command in SUM CM Description show dot1x all interface switc...

Page 247: ... 5 5 0 Last Last EAPOLVer EAPOLSrc 2 00 0D 62 2B 76 FA Tx EAPOL EAP EAP Total Req ID Req oth 23 5 10 TO VIEW MAC ADDRESS OF THE AUTHENTICATED SUPPLICANT EXAMPLE ALU show dot1x interface switchport 0 0 authenticated mac 00 0D 62 2B 76 FA Command in SUM CM Description show dot1x statistics all interface switchport slot port This command is used to display the 802 1X statistics of all switchports or ...

Page 248: ...ON EXAMPLE Figure 18 802 1X Topology ALCATEL LUCENT CONFIGURATION Current Configuration Statlog Configuration logging on logging buffered priority 7 logging buffered size 128 logging console 7 logging system 5 service timestamps log hostname ALU VRF Configuration MULTICAST Configuration dot1x system auth control SNMP Configurations aaa services ...

Page 249: ...ethod list method 01 rad 01 aaa authentication dot1x method 01 aaa authorization enable interface GigabitEthernet7 0 ip address 192 168 20 1 24 no shutdown top interface GigabitEthernet7 1 shutdown top interface Vlan100 ip address 192 168 10 1 24 no shutdown top interface switchport0 0 switchport access vlan 100 dot1x port control auto no shutdown top interface switchport0 1 switchport access vlan...

Page 250: ...1 Enabled Multi Auth Auto yes switchport0 2 Disabled Single Host Force Authorized n a switchport0 3 Disabled Single Host Force Authorized n a switchport0 4 Disabled Single Host Force Authorized n a switchport0 5 Disabled Single Host Force Authorized n a switchport0 6 Disabled Single Host Force Authorized yes switchport0 7 Disabled Single Host Force Authorized n a 802 1X port details 802 1X is enab...

Page 251: ...0 max req 2 operation_mode Multi Auth port control Auto Supplicant 00 13 8F 10 FB 12 Status Authorized Current Identifier 3 Authenticator state machine State Authenticated Reauth count 0 Backend state machine State Idle Request count 0 Reauthentication state machine state Initialize Supplicant 00 0D 61 2A 71 FA Status Authorized Current Identifier 15 Authenticator state machine State Authenticated...

Page 252: ... 802 1X is disabled on switchport0 5 802 1X is disabled on switchport0 6 802 1X is disabled on switchport0 7 ...

Page 253: ... corresponding default values for each, refer to the OmniAccess 700 CLI Command Reference Guide. This chapter includes the following sections: Port Monitoring Overview Port Monitoring Configuration Port Monitoring Configuration on OA-700. The Port Monitoring Overview section serves as additional information on port monitoring. You can skip this section and go directly to the configuration s...

Page 254: ...lly when fending off an attack. It enables the administrator to keep close track of switch performance and alter it if necessary. An administrator configures port monitoring by assigning a port from which to copy all packets and another port where those packets will be sent. A packet bound for or heading away from the first port will be forwarded onto the second port as well. The administrator places a protoco...

Page 255: ...tchport slot port ALU config if switchport slot port Example ALU config interface switchport 1 0 ALU config if switchport1 0 Note The L2 interface on which port monitoring is being configured should not be in Trunk Hybrid mode And also 802 1X should not be configured on the interface Step 2 Administratively bring up the interface ALU config if interface name no shutdown Example ALU config if switc...

Page 256: ...ig show port monitor PORT MONITERING PORT MONITERED TRAFFIC TYPE switchport1 0 switchport1 6 both switchport1 7 ingress Command in ICM Description port monitor interface switchport slot port both egress ingress This command is entered in the Interface Configuration Mode This command is used to configure port monitoring Specify the traffic to be monitored You can either monitor ingress egress traff...

Page 257: ... 1 3 and 1 1 respectively Switchport 1 0 is to be monitored for both ingress and egress traffic using switchport 1 3 Switchport 1 3 being the monitoring port has to receive the mirrored data from switchport 1 0 To configure port monitoring the following configuration is to be used CONFIGURE PORT MONITORING ALU config interface switchport 1 3 ALU config if switchport1 3 port monitor switchport 1 0 ...

Page 261: ...tely This chapter describes various configuration steps to configure T1 interface see T1 Configuration and E1 interface see E1 Configuration This chapter is divided into the following sections T1 and E1 Overview E1 Interface Overview E1 Configuration T1 Interface Overview T1 Configuration CHAPTER CONVENTIONS Acronym Description SUM Super User Mode ALU CM Configuration Mode ALU config CCM Controlle...

Page 262: ...ssion facility. Figure 20: OA-700 T1E1 Line Card. Note: For information on the LED status of the T1E1 line card with respect to each port, please refer to the OA 780 OA 740 Hardware Users Guide. T1 and E1 are designed for use in businesses. The T1 standard is mostly deployed in Japan and North American countries, while E1 is prevalent in Europe and most of the Asian countries, including India. The E1s and t...

Page 263: ... 64 Kbps data throughput. An E1 line connects two points; at one the information is multiplexed, and at the other it is demultiplexed. Figure 21: E1 Frame Structure. The following sections detail the E1 configuration: E1 Timeslot Functionalities, Mechanisms Supported by the E1 interface, E1 Modes of Operation. E1 TIMESLOT FUNCTIONALITIES: The 32 time slots of an E1 card are denoted by TS0, TS1, ..., TS31 res...

Page 264: ...clocks. Clock recovery is achieved by the shape of the signal. The synchronization information is carried in the TS0 of every even frame. Such a frame is called a Frame Alignment Signal (FAS). An FAS carries the unique pattern 0011011 (bits 1-7) that specifies the alignment of the frame. THE SIGNALING MECHANISM: Signaling mechanisms provide a wide range of functions, and their protocol is application specific ...

Page 265: ...daries synchronization is achieved using TS0. Multiframe (MF): TS0 is used for the synchronization of the Multiframes. All other channels are unaffected. Multiframe structure is used for two purposes: CAS signaling and Cyclic Redundancy Check (CRC). Each of these modes is independent of the use of the other. MF CAS: Same as MF, with one channel that is dedicated for signaling (CAS). MF CRC: Using the Si bits of each...

Page 266: ...ps on the controller See To Configure Channelized E1 This command creates a channel group that will form a channelized serial interface Step 4 Administratively bring up the E1 controller See To Bring Up Shutdown the E1 Controller Step 5 Configure Optional parameters for E1 See Configure Optional Parameters for E1 Controller Configure framing See To Configure Framing Configure the line termination ...

Page 267: ...g if interface name ip address ip address subnet mask ip address prefix length Example ALU config if Serial0 0 0 ip address 20 20 20 20 24 Step 9 Configure encapsulation See To Set Encapsulation on the Interface Optional Step 10 Configure MTU Maximum Transmission Unit on the Interface See To Configure MTU on the Interface Optional Step 11 See To View the E1 Controller Configuration to view the E1 ...

Page 268: ... E1 CONFIGURATION FLOW Figure 22 E1 Configuration Flow ...

Page 269: ...ype E1 0 Note The line card is not functional until card type is set Reboot Reload the chassis to change the card type which will remove the previous configuration Use controller and channel group commands to reload the card type TO CONFIGURE AN E1 CONTROLLER EXAMPLE ALU config controller E1 0 0 ALU config controller E1 Command in CM Description card type E1 T1 slot Use this command to set the car...

Page 270: ...oller ALU config controller E1 channel group 0 timeslots 1 31 To associate contiguous timeslots with the controller ALU config controller E1 channel group 0 timeslots 1 10 ALU config controller E1 channel group 0 timeslots 4 5 6 To associate non contiguous timeslots with the controller ALU config controller E1 channel group 0 timeslots 1 4 20 2 In the above example the channel group command is sho...

Page 271: ...ts cannot overlap hence one timeslot cannot be part of more than one channel group TO BRING UP SHUTDOWN THE E1 CONTROLLER EXAMPLE The following example administratively brings up the controller ALU config controller E1 1 0 ALU config controller E1 no shutdown The following example shuts down the controller ALU config controller E1 1 0 ALU config controller E1 shutdown Note Online Insertion and Rem...

Page 272: ...annelized or framed E1 This implies that unframed and channelized functionality are mutually exclusive Following are the sequence of commands to configure E1 into Unframed mode No version of this command will restore the default framing mode i e esf ALU config controller E1 0 0 ALU config controller E1 no shutdown ALU config controller E1 unframed ALU config controller E1 no unframed As system is ...

Page 273: ... sets the E1 frame type to crc4 ALU config controller E1 no framing TO CONFIGURE LINE TERMINATION EXAMPLE The following example selects 120 as the E1 line impedance ALU config controller E1 line termination 120 Command in CCM Description framing crc4 no crc4 Use this command to configure framing to either crc4 or no crc4 no framing The no command sets the framing to its default The default framing...

Page 274: ...CE ON E1 EXAMPLE The following example configures the E1 0 clocksource to line ALU config controller E1 clocksource line The following example configures the E1 0 clocksource to internal ALU config controller E1 no clocksource Command in CCM Description linecode ami hdb3 This command is used to set a Line Encoding for the E1 interface no linecode The no command sets the linecode to its default The...

Page 275: ...XAMPLE ALU config interface Serial 0 0 0 ALU config if Serial0 0 0 shutdown ALU config interface Serial 0 0 0 ALU config if Serial0 0 0 no shutdown Note We support Online Insertion and Removal OIR functionality for T1E1 line card Command in CM Description interface Serial slot port channel This command is entered in the Configuration Mode to configure a serial interface in the specific slot or por...

Page 276: ...Serial0 0 0 no mtu Command in ICM Description encapsulation frame relay ppp hdlc mlfr bundle_id mlppp bundle_id This command is entered in the interface configuration mode to set encapsulation on the interface no encapsulation The no command sets the encapsulation to its default The default encapsulation is HDLC Command in ICM Description mtu 64 1500 This command is used to configure the MTU value...

Page 277: ...hannelized E1 Line termination is 120ohm No Alarm Detected Framing is crc4 Line Code is hdb3 Clock Source is internal Total Data Since last clearing of counters 1 Line Code Violation 0 Framing Errors 0 CRC Errors 0 Far End Block Errors E1 1 3 is administratively down ALU show controller E1 1 2 E1 1 2 is up Line Card type is Channelized E1 Line termination is 120ohm No Alarm Detected Framing is crc...

Page 278: ...t queue 0 0 size max 0 drops Input queue 0 0 size max 0 drops Conversations 0 0 0 0 active max active max total Reserved Conversations 0 0 allocated max allocated Available Bandwidth 64 kilobits sec 5 minute input rate 0 bits sec 0 packets sec 5 minute output rate 0 bits sec 0 packets sec 7 packets input 154 bytes 0 no buffer Received 0 broadcasts 0 runts 0 giants 0 throttles 0 input errors 0 CRC ...

Page 279: ... E1 signal on controller E1 0 ALU config controller E1 1 0 ALU config controller E1 loopback network line The following example disables the loopback on controller E1 0 ALU config controller E1 0 0 ALU config controller E1 no loopback Command in CCM Description loopback local network line payload remote line payload Use the loopback controller configuration command to put the T1 or E1 line into lo...

Page 280: ... Cards T1 Modes of Operation. FRAME FORMATS USED IN T1 CARDS: The T1 standard defines two frame formats, as described below. THE SUPER FRAME (SF): A Superframe is a structure constructed of 12 frames, numbered 1-12. It is also called the D4 frame. Two mechanisms can be activated using SFs: a synchronization mechanism, which is always activated, and a signaling mechanism, which is optional. The synchronization me...

Page 281: ...ty. It uses every 4th bit of the framing bits in the ESF, beginning at the second one. Data Link (Frames 1, 3, 5, 7, 9, 11, 13, 15, 17, 19, 21, 23): operates using every second framing bit, beginning at the first frame of the ESF. These bits create a 4 Kbps data link called the Facility Data Link (FDL). This channel is used for delivering maintenance information and supervisory control. Two kinds of messages are carried...

Page 282: ...face configuration mode See To Configure Channelized T1 This command creates a channel group that will form a channelized serial interface Step 4 Administratively bring up the T1 controller See To Bring Up Shutdown the T1 Controller Step 5 Configure Optional parameters for T1 See Configure Optional Parameters for T1 Controller Configure cablelength See To Configure a Short Cablelength To Configure...

Page 283: ...nterface name ip address ip address subnet mask ip address prefix length Example ALU config if Serial0 0 0 ip address 20 20 20 20 24 Step 9 Configure encapsulation on the interface See To Set Encapsulation on the Interface Optional Step 10 Configure MTU Maximum Transmission Unit on the Interface See To Configure MTU on the Interface Optional Step 11 See To View the Controller Configuration to view...

Page 284: ... T1 CONFIGURATION FLOW Figure 23 T1 Configuration Flow ...

Page 285: ... type is set Reboot Reload the chassis to change the card type which will remove the previous configuration Use controller and channel group commands to reload the card type TO CONFIGURE T1 CONTROLLER EXAMPLE ALU config controller T1 0 0 ALU config controller T1 Command in CM Description card type E1 T1 slot Use this command to set the card type Use T1 keyword to set the card type to T1 Command in...

Page 286: ...er T1 channel group 0 timeslots 1 24 To associate contiguous timeslots with the controller ALU config controller T1 channel group 0 timeslots 1 10 ALU config controller T1 channel group 0 timeslots 1 2 3 To associate non contiguous timeslots with the controller ALU config controller T1 channel group 0 timeslots 1 4 20 2 In the above example the channel group command is shown only with a value of 0...

Page 287: ...values of timeslots ALU config controller T1 channel group 2 timeslots 3 6 9 Note Timeslots cannot overlap hence one timeslot cannot be part of more than one channel group TO BRING UP SHUTDOWN THE T1 CONTROLLER EXAMPLE ALU config controller T1 no shutdown ALU config controller T1 shutdown Note We support Online Insertion and Removal OIR functionality for T1E1 line card Command in CCM Description n...

Page 288: ...nsmit attenuation of controller T1 of slot 1 and port 1 to the appropriate levels for a cable between 111 and 220 feet long ALU config controller T1 1 1 ALU config controller T1 cablelength short 220 The following example sets the cablelength to its default ALU config controller T1 1 1 ALU config controller T1 no cablelength Command in CCM Description cablelength long 15db 22 5db 7 5db 0db This co...

Page 289: ...hich line code type ami or b8zs is required for your T1 circuit EXAMPLE The following example specifies AMI as the linecode type for a T1 line ALU config controller T1 linecode ami The following example sets b8zs as the linecode type ALU config controller T1 no linecode Command in CCM Description framing esf sf This command is entered in the controller configuration mode to configure framing type ...

Page 290: ...ollowing example creates an interface at slot 0 and port 0 at group 0 ALU config interface Serial0 0 0 ALU config if Serial0 0 0 Command in CCM Description clocksource internal line This command is entered in the controller configuration mode to set clocksource for T1 interface The keyword clocksource is used to transmit clock signals no clocksource The no command sets the clocksource to its defau...

Page 291: ...Serial0 0 0 encapsulation ppp ALU config if Serial0 0 0 no encapsulation Command in ICM Description no shutdown This command is entered in the interface configuration mode to bring up the interface shutdown This command is entered in the interface configuration mode to shutdown the interface Command in ICM Description encapsulation frame relay ppp hdlc mlfr bundle_id mlppp bundle_id This command i...

Page 292: ...E INTERFACE EXAMPLE ALU config if Serial0 0 0 mtu 100 ALU config if Serial0 0 0 no mtu Command in ICM Description mtu 64 1500 This command is used to configure the MTU value on the serial interface i e the maximum size of the transmitted layer 2 payload no mtu The no command sets the MTU to its default The default MTU is 1500 bytes ...

Page 293: ...ype is Channelized T1 Cablelength is long 0db No Alarm Detected Framing is esf Line Code is b8zs Clock Source is internal Total Data Since last clearing of counters 0 Line Code Violation 0 Framing Errors 0 Out of Frame 0 Bit Errors T1 1 3 is administratively down ALU show controller T1 1 2 T1 1 2 is up Line Card type is Channelized T1 Cablelength is long 0db No Alarm Detected Framing is esf Line C...

Page 294: ...t queue 0 0 size max 0 drops Input queue 0 0 size max 0 drops Conversations 0 0 0 0 active max active max total Reserved Conversations 0 0 allocated max allocated Available Bandwidth 64 kilobits sec 5 minute input rate 0 bits sec 0 packets sec 5 minute output rate 0 bits sec 0 packets sec 7 packets input 154 bytes 0 no buffer Received 0 broadcasts 0 runts 0 giants 0 throttles 0 input errors 0 CRC ...

Page 295: ...oller T1 0 ALU config controller T1 0 0 ALU config controller T1 loopback network payload The following example disables the loopback on the controller T1 0 ALU config controller T1 0 0 ALU config controller T1 no loopback Command in CCM Description loopback local network line payload remote line payload Use the loopback controller configuration command to put the T1 or E1 line into loopback mode ...

Page 297: ...tion of the USP Line Card V 35 X 21 RS 232 This chapter includes the configuration steps CLI syntax with its description and configuration examples For instructions on using the commands and to get a detailed description on each of their parameters refer to the USP Line Card chapter in the OmniAccess 700 CLI Command Reference Guide This chapter is divided into the following sections USP Line Card ...

Page 298: ...nt CHAPTER CONVENTIONS Acronym Description CRC Cyclic Redundancy Check DCE Data Circuit Terminating Equipment DTE Data Terminal Equipment CM Configuration Mode ALU config ICM Interface Configuration Mode ALU config interface name MTU Maximum Transmission Unit OIR Online Insertion and Removal RxC Receive Clock TxC Transmit Clock ...

Page 299: ... X.21, RS-232 are well-known communication protocols over synchronous serial lines. V.35 Interface: The V.35 interface was originally specified by CCITT as an interface for 48 kbps line transmissions. It has been adopted for all line speeds above 20 kbps. V.35 is a mixture of balanced and common earth signal interfaces. The control lines, including DTR, DSR, DCD, RTS and CTS, are single-wire common earth inter...

Page 300: ...sical interfaces type V 35 X 21 RS 232 and mode of operation DTE DCE 1 V 35 X 21 RS 232 Card LEDs 2 V 35 X 21 RS 232 Port LEDs 3 68 pin VHDCI Connector 4 Thumb Screw Figure 24 Universal Serial Port Line Card V 35 X 21 RS 232 Note For information on the pin out connection and the LED status of the USP Line Card with respect to each port refer OA 780 OA 740 Hardware Users Guide FEATURE SUPPORTED The...

Page 301: ...tep 2 Configure a Serial interface See To Configure a Serial Interface Step 3 Administratively bring up the interface See To Bring Up Down a Serial V 35 X 21 RS 232 Interface Step 4 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config if Serial0 0 ip address 20 20 20 20 24 Step 5 Configure optional paramet...

Page 302: ... V 35 X 21 RS 232 CONFIGURATION FLOW Figure 25 V 35 X 21 RS 232 Configuration Flow ...

Page 303: ... V 35 X 21 RS 232 interface ALU config interface Serial 0 0 ALU config if Serial0 0 no shutdown The following example administratively brings down the V 35 X 21 RS 232 interface ALU config interface Serial 0 0 ALU config if Serial0 0 shutdown Command in CM Description interface Serial slot port Enters Serial Interface Configuration Mode This command is entered in the Configuration Mode to configur...

Page 304: ...ockrate Note In RS 232 mode maximum clock rate of 256 Kbps is supported TO CONFIGURE CRC EXAMPLE ALU config if Serial0 0 crc 16 ALU config if Serial0 0 no crc Command in ICM Description clockrate 64000 128000 256000 512000 1024000 2048000 This command configures the clock rate no clockrate 64000 128000 256000 512000 1024000 2048000 The no command sets the clock rate to default 64000 bps Command in...

Page 305: ... CONFIGURE LOOPBACK Loopback command can be used for troubleshooting and diagnostic purpose When interface is configured in loopback mode Tx data and Tx clock loop to internal controller as Rx data and Rx clock In the same way Rx data and Rx clock on line loop out on line as Tx data and Tx clock EXAMPLE ALU config if Serial0 0 loopback ALU config if Serial0 0 no loopback Command in ICM Description...

Page 306: ...UM TRANSMISSION UNIT The MTU command is used to configure the MTU value on the serial interface i e the maximum size of the transmitted layer 2 payload EXAMPLE ALU config if Serial 0 0 0 mtu 1200 Command in ICM Description encapsulation frame relay ppp hdlc mlfr bundle_id mlppp bundle_id This command sets the encapsulation on the serial interface Command in ICM Description mtu 64 1500 Configures t...

Page 307: ...s Conversations 0 0 0 active max active max total Reserved Conversations 0 0 allocated max allocated Available Bandwidth 2048 kilobits sec 5 minute input rate 0 bits sec 0 packets sec 5 minute output rate 0 bits sec 0 packets sec 12105 packets input 167342 bytes 0 no buffer 0 Received 0 broadcasts 0 runts 0 giants 0 throttles 0 input errors 0 CRC 0 frame 0 overrun 0 ignored 0 abort 31734317 packet...

Page 308: ...LEAR COMMAND TO CLEAR INTERFACE COUNTERS EXAMPLE ALU clear counters Serial 0 0 Note You can clear the counters of the interface in the Interface Configuration Mode with a clear command without entering into the user mode Command in ICM Description clear counters Serial slot port Clears the counters for a specified serial interface ...

Page 309: ...This chapter includes a conceptual overview of HDLC and an introduction to the HDLC architecture, along with the steps and commands needed to configure HDLC encapsulation. For an in-depth description of the argument list or parameters and the default values, refer to the OmniAccess 700 CLI Command Reference Guide. This chapter is divided into the following sections: HDLC Ov...

Page 310: ...only Cisco HDLC The following sections describe HDLC HDLC Frame Structure HDLC Frame Formats HDLC Protocol Operation HDLC FRAME STRUCTURE HDLC data units transmitted from one station to another are referred to as frames The figure shown below is a graphical representation of an HDLC frame with information field Figure 26 An HDLC frame with an information field Field Name Size in bits Flag Field F ...

Page 311: ...e IP at the higher level would be represented with the code 0x0800. Bytes after this are higher-level protocol data. Packets with type 0x8035 carry a protocol referred to as SLARP. SLARP has two functions: IP address determination and serial line keepalive. For the SLARP keepalive protocol, each system sends the other a keepalive packet at a user-configurable interval. The default interval is 10 seconds ...

Page 312: ... HDLC CONFIGURATION Refer to the following sections to enable HDLC encapsulation on a T1 or E1 interface or a Serial interface V 35 X 21 HDLC Configuration Steps HDLC Configuration Flow HDLC Configuration Commands ...

Page 313: ...interface ALU config controller T1 channel group 0 23 timeslots 1 24 speed 56K 64K Note Creation of a channel group is a pre requisite for configuring a Serial interface on a T1 or an E1 controller Step 4 Administratively bring up the controller ALU config controller T1 no shutdown Step 5 Exit from the controller mode ALU config controller T1 exit ALU config Note The above steps can be skipped if ...

Page 314: ...0 0 0 no shutdown Step 8 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config if Serial0 0 0 ip address 20 20 20 20 24 Step 9 Configure HDLC encapsulation By default the system has HDLC encapsulation on an interface There is no need to explicitly configure it See To Configure HDLC Encapsulation Note If the...

Page 315: ... HDLC CONFIGURATION FLOW Figure 27 HDLC Configuration Flow ...

Page 316: ... 0 0 no encapsulation frame relay TO CONFIGURE HDLC ENCAPSULATION EXAMPLE ALU config if Serial0 0 0 encapsulation hdlc Command in ICM Description no encapsulation frame relay ppp mlppp mlfr This command is used to configure encapsulation on the interface to HDLC This command is applicable only if the encapsulation is already set to Frame Relay or PPP Command in ICM Description encapsulation hdlc T...

Page 317: ... down when looped Command in ICM Description hdlc keepalive 0 32767 This command configures the HDLC keepalive interval The same value shall be configured on the peer A value of 0 turns off the keepalive feature no hdlc keepalive This command resets the keepalive interval to its default The default keepalive interval is 10 seconds Command in ICM Description hdlc down when looped This command is us...

Page 318: ...s Conversations 0 0 0 0 active max active max total Reserved Conversations 0 0 allocated max allocated Available Bandwidth 1536 kilobits sec 5 minute input rate 16 bits sec 0 packets sec 5 minute output rate 0 bits sec 0 packets sec 370 packets input 8880 bytes 0 no buffer Received 0 broadcasts 0 runts 0 giants 0 throttles 0 input errors 0 CRC 0 frame 0 overrun 0 ignored 0 abort 367 packets output...

Page 319: ... debug hdlc keepalive TO DISABLE DEBUGGING ON HDLC EXAMPLE ALU config no debug hdlc all Command in SUM or CM Description debug hdlc all detail level 1 9 This command shows all the debug messages pertaining to HDLC functionality debug hdlc keepalive output all log vty This command shows the HDLC keepalive messages Command in SUM or CM Description no debug hdlc all keepalive The no command disables ...

Page 321: ...ns on using the FR commands and descriptions of each of their parameters, with the corresponding default values for each, refer to the OmniAccess 700 CLI Command Reference Guide. This chapter is divided into the following sections: Frame Relay Overview and Frame Relay Configuration. The overview section serves only as additional information on the FR protocol. You can skip this section and directly proce...

Page 322: ...quipment is to provide clocking and switching services in a network FRAME RELAY VIRTUAL CIRCUITS FR provides connection oriented data link layer communication This means that a defined connection exists between each pair of devices and that each such connection is associated with a connection identifier This service is implemented by using the FR virtual circuit which is essentially a logical conn...

Page 323: ... enterprise networks Public Carrier Provided Networks The Frame Relay switching equipment is located in the central office of a telecommunications carrier Subscribers are charged based on their network use but are relieved from administering and maintaining the Frame Relay network equipment and service Generally the DCE equipment is owned by the telecommunications provider and the DTE equipment is...

Page 324: ... FRAME RELAY CONFIGURATION Refer to the following sections to enable FR encapsulation on a T1 or E1 line card Frame Relay Configuration Steps Frame Relay Configuration Flow Frame Relay Configuration Commands ...

Page 325: ... serial interface ALU config controller T1 channel group 0 23 timeslots 1 24 speed 56K 64K Note Creation of a channel group is a pre requisite for configuring a Serial Interface on a T1 or an E1 controller Step 4 Administratively bring up the controller ALU config controller T1 no shutdown Step 5 Exit from the controller mode ALU config controller T1 exit ALU config Note The above steps can be ski...

Page 326: ...Example ALU config if Serial0 0 0 no shutdown Step 8 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config if Serial0 0 0 ip address 20 20 20 20 24 Step 9 Configure Frame Relay encapsulation See To Enable FR Encapsulation on an Interface Step 10 Configure Frame Relay LMI Local Management Interface See Local...

Page 327: ... FRAME RELAY CONFIGURATION FLOW Figure 28 FR Configuration Flow ...

Page 328: ... frame relay Note If the encapsulation of a serial interface is changed to FR the QoS policy will be detached from the interface if the depth of the QoS policy is more than three after giving a warning message You have to decrease the policy depth to less than or equal to three and explicitly attach the policy to the interface Command in ICM Description encapsulation frame relay This command is en...

Page 329: ...black holes TO CONFIGURE LMI TYPE Enter this command in the Interface Configuration mode Note LMI Autosense is activated by default as the system acts as a DTE The LMI autosense will be activated when the physical interface is up and LMI type is not configured on that interface EXAMPLE The following example sets the LMI to ANSI standard ALU config if Serial0 0 0 frame relay lmi type ansi The follo...

Page 330: ...figuration mode EXAMPLE The following example sets the polling interval to 8 ALU config if Serial0 0 0 frame relay lmi n391dte 8 The following example sets the polling interval to default i e 6 ALU config if Serial0 0 0 no frame relay lmi n391dte Command in ICM Description frame relay keepalive 0 32767 This command is used to configure the LMI Keepalive interval The default LMI Keepalive value is ...

Page 331: ...ET DTE MONITORED EVENT COUNT EXAMPLE The following example sets the DTE monitored events count to 7 ALU config if Serial0 0 0 frame relay lmi n393dte 7 The following example sets the lmi n393dte to its default value i e 4 ALU config if Serial0 0 0 no frame relay lmi n393dte Command in ICM Description frame relay lmi n392dte 1 10 This command sets the DTE error threshold no frame relay lmi n392dte ...

Page 332: ... can also be configured on a sub interface And multiple sub interfaces with FR can be configured For configuring Frame Relay on a sub interface follow the steps given below Step 1 Repeat the steps Step 1 to Step 7 as given in the section Frame Relay Configuration Steps Step 2 Configure sub interface on the serial interface ALU config interface Serial slot port channel subchannel ALU config if Seri...

Page 333: ...24 123 10 1 255 255 255 0 Step 4 Repeat Step 11 DLCI configuration as given in the section Frame Relay Configuration Steps Note If you are configuring FR on a sub interface on a Serial interface V 35 X 21 configure a sub interface using the following command ALU config interface Serial slot port subchannel ALU config if Serial slot port subchannel Example ALU config interface Serial0 0 1 ALU confi...

Page 334: ...relay pvc interface Serial 0 0 0 PVC Statistics for interface Serial0 0 0 Frame Relay DTE DLCI 200 DLCI USAGE LOCAL PVC STATUS ACTIVE INTERFACE Serial0 0 0 input pkts 0 output pkts 0 in bytes 0 out bytes 0 in pkts dropped 0 out pkts dropped 0 in FECN pkts 0 out FECN pkts 0 in BECN pkts 0 out BECN pkts 0 in DE pkts 0 out DE pkts 0 out bcast pkts 0 out bcast bytes 0 ALU config if Serial0 0 0 Command...

Page 335: ...id Keep IE Len 0 Num Status Enq Sent 0 Num Status msgs Rcvd 0 Num Update Status Rcvd 0 Num Status Timeouts 0 The following example displays the FR LMI configuration details and parameters for a specific interface ALU config if Serial0 0 0 show frame relay lmi interface Serial 0 0 0 LMI Statistics for interface Serial0 0 0 Frame Relay DTE LMI TYPE AUTOSENSE Invalid Unnumbered info 0 Invalid Prot Di...

Page 336: ...g frame relay all Command in SUM or CM Description debug frame relay all detail level 1 9 This command shows all the debug messages pertaining to FR functionality debug frame relay fse keepalive mlfr output all log vty 1 256 all console this This command shows the debug FR Full Status Keepalive Multi Link Protocol messages Command in SUM or CM Description no debug frame relay all fse keepalive mlf...

Page 337: ...uthentication and troubleshoot PPP through the CLI For instructions on using the PPP commands and descriptions on each of their parameters refer to the OmniAccess 700 CLI Command Reference Guide Refer to the following to configure PPP encapsulation on an interface PPP Overview PPP Configuration CHAPTER CONVENTIONS Acronym Description CM Configuration Mode ALU config CHAP Challenge Handshake Authen...

Page 338: ...int to point links On a serial interface PPP contains four main components HDLC like Framing PPP uses framing similar to HDLC as a basis for encapsulating datagrams over serial links For more information see High level Data Link Control chapter LCP PPP uses an extensible LCP to establish configure and test data link connection Authentication Authentication protocols PAP CHAP EAP are used to authen...

Page 339: ... PPP CONFIGURATION PPP Configuration Steps PPP Configuration Flow PPP Configuration Commands PPP Show Commands PPP Debug Commands ...

Page 340: ...fig controller T1 channel group 0 23 timeslots 1 24 speed 56K 64K Note Creation of a channel group is a pre requisite for configuring a Serial Interface on a T1 or an E1 controller Step 4 Administratively bring up the controller ALU config controller T1 no shutdown Step 5 Exit from the controller mode ALU config controller T1 exit ALU config Note The above steps can be skipped if the T1 or E1 cont...

Page 341: ...onfig if interface name no shutdown Example ALU config if Serial0 0 0 no shutdown Step 8 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config if Serial0 0 0 ip address 20 20 20 20 24 Step 9 Set encapsulation to PPP on the interface See To Set PPP Encapsulation on an Interface Step 10 Configure PPP Optional...

Page 342: ...Point to Point Protocol PPP CONFIGURATION FLOW Figure 29 PPP Configuration Flow ...

Page 343: ...ication All timers and counters will be protocol defaults There will be no compression There will be no negotiation of DNS or WINS addresses LCP negotiation will be attempted max configure times as soon as encapsulation is changed to PPP and on failure it will be further restarted after an interval Note that all no commands for counters and timers reset the parameters to default values TO SET PPP ...

Page 344: ...nfig if Serial1 0 0 ppp lcp negotiate Note LCP negotiation is automatically started when the encapsulation is set to PPP or when the link is administratively brought up on a PPP interface or when the MTU is changed on the interface TO SET ECHO INTERVAL EXAMPLE ALU config if Serial1 0 0 ppp lcp echo interval 200 ALU config if Serial1 0 0 no ppp lcp echo interval Command in ICM Description ppp lcp n...

Page 345: ... ppp lcp max echo 0 30 This command denotes the maximum number of unanswered LCP echo requests sent before LCP decides that the peer is down The value 0 implies that the link will not be brought down on the basis of unanswered echo requests no ppp lcp max echo The no command sets the maximum number of unanswered LCP echo requests to its default i e 5 Command in ICM Description ppp timeout restart i...

Page 346: ...changed on the interface EXAMPLE ALU config if Serial1 0 0 ppp ipcp negotiate TO SET IPCP ADDRESS PARAMETERS EXAMPLE ALU config if Serial0 0 0 ppp ipcp address accept local ALU config if Serial0 0 0 no ppp ipcp address accept local Command in ICM Description ppp ipcp negotiate This command is used to initiate the IPCP negotiation on the interface Command in ICM Description ppp ipcp address accept ...

Page 347: ... no ppp ipcp address pool local Command in ICM Description ppp ipcp address accept peer This command sets the flag to accept the peer s IP address during IPCP By default the flag is set to accept the peer s IP address during IPCP no ppp ipcp address accept peer The no command sets the flag to reject the peer s IP address during IPCP Command in ICM Description ppp ipcp address pool local ip address...

Page 348: ... 10 ALU config if Serial0 0 0 no ppp timeout max terminate Command in ICM Description ppp timeout restart timer 1 30 This command sets a timer for re transmission of LCP and NCP packets no ppp timeout restart timer The no command resets the restart timer to its default The default restart timer value is 3 seconds Command in ICM Description ppp timeout max terminate 1 30 This command sets the maxim...

Page 349: ...imeout max configure 1 30 This command sets the maximum number of configure request packets LCP or NCP sent without receiving a valid Ack NaK Reject before assuming that the peer is unable to respond no ppp timeout max configure The no command sets the max configure value to its default The default max configure value is 10 seconds Command in ICM Description ppp timeout max failure 1 30 This comma...

Page 350: ...Serial0 0 0 no ppp authentication TO SET THE AUTHENTICATION USER NAME EXAMPLE ALU config if Serial0 0 0 ppp authentication username ALU ALU config if Serial0 0 0 no ppp authentication username Command in ICM Description ppp authentication pap chap eap This command enables you to configure an authentication protocol for authenticating the peer no ppp authentication The no command removes the authen...

Page 351: ...no ppp authentication client password Command in ICM Description ppp authentication password password This command enables you to set a password for PPP authentication on the server side no ppp authentication password The no command deletes the configured PPP authentication password on the server side Command in ICM Description ppp authentication client username username This command is used to se...

Page 352: ...val 60 sec LCP Restart Interval 30 sec IPCP pool IP address 50 51 52 54 IPCP local IP address from peer Reject IPCP peer IP address Reject PPP Restart timer 3 sec PPP Max Terminate 2 PPP Max Configure 10 PPP Max Failure 5 Authentication protocol pap Authentication username user1 Authentication password secret1 Authentication client username user2 Authentication client password secret2 Command in S...

Page 353: ... Naks 0 0 LCP Configure Rejects 0 0 LCP Terminate Requests 0 0 LCP Terminate Acks 0 0 LCP Code Rejects 0 0 LCP Protocol Rejects 0 0 LCP Echo Requests 4 4 LCP Echo Replies 4 4 LCP Discard Requests 0 0 LCP Invalid Packets 0 0 IN OUT IPCP Configure Requests 4 2 IPCP Configure Acks 2 2 IPCP Configure Naks 0 2 IPCP Configure Rejects 0 0 IPCP Terminate Requests 0 0 IPCP Terminate Acks 0 0 IPCP Code Reje...

Page 354: ... 100 101 102 103 24 MTU 1200 bytes BW 1544 Kbit DLY 0 usec reliability 0 255 txload 0 255 rxload 0 255 loopback not set Encapsulation ppp Keepalive set 10 sec LCP Open CHAP Client Open EAP Server Open IPCP Open Last input never output never output hang never Last clearing of show interface counters never Queueing strategy fifo Output queue 0 0 size max 0 drops Input queue 0 0 size max 0 drops Conv...

Page 355: ...VIEW THE PPP LCP CONFIGURATION EXAMPLE ALU show ppp lcp configuration Serial 0 0 0 LCP Max Echoes 5 LCP Echo Interval 60 sec LCP Restart Interval 30 sec TO VIEW THE PPP LCP STATISTICS EXAMPLE ALU show ppp lcp statistics Serial 0 0 0 IN OUT LCP Configure Requests 2 2 LCP Configure Acks 2 2 LCP Configure Naks 0 0 LCP Configure Rejects 0 0 LCP Terminate Requests 0 0 LCP Terminate Acks 0 0 LCP Code Re...

Page 356: ...PCP peer IP address Reject TO VIEW THE PPP IPCP STATISTICS EXAMPLE ALU show ppp ipcp statistics Serial 0 0 0 IN OUT IPCP Configure Requests 6 13 IPCP Configure Acks 6 6 IPCP Configure Naks 5 0 IPCP Configure Rejects 2 0 IPCP Terminate Requests 0 2 IPCP Terminate Acks 2 0 IPCP Code Rejects 0 0 IPCP Invalid Packets 0 0 Command in SUM Description show ppp ipcp configuration interface name Displays PP...

Page 357: ...P SESSION STATISTICS EXAMPLE ALU show ppp session statistics Serial 0 0 0 PPP data packets received 0 PPP control packets received 20 Packets dropped 0 PPP sessions initiated 1 PPP sessions received 1 PPP sessions successful 2 PPP sessions terminated 1 Command in SUM Description show ppp timeout configuration interface name Displays the timer and counter configuration information for a specified i...

Page 358: ...authentication statistics Serial 0 0 0 IN OUT PAP Authentication Requests 2 2 PAP Authentication Acks 2 2 PAP Authentication Naks 0 0 PAP Invalid Packets 0 0 IN OUT CHAP Challenges 0 0 CHAP Responses 0 0 CHAP Successes 0 0 CHAP Failures 0 0 CHAP Invalid Packets 0 0 IN OUT EAP Requests 0 4 EAP Responses 4 0 EAP Successes 0 2 EAP Failures 0 0 EAP Invalid Packets 0 0 Command in SUM Description show p...

Page 359: ... debug ppp echo TO DISABLE DEBUGGING ON PPP EXAMPLE ALU config no debug ppp echo Command in SUM or CM Description debug ppp all detail level 1 9 This command shows all the debug messages pertaining to the PPP functionality debug ppp echo output all log vty This command shows the LCP echo requests and reply messages Command in SUM or CM Description no debug ppp all echo The no command disables the ...

Page 360: ...Point to Point Protocol ...

Page 361: ...tions on using the PPPoE commands and descriptions on each of their parameters refer to the OmniAccess 700 CLI Command Reference Guide The chapter is divided into the following sections PPPoE Overview PPPoE Configuration CHAPTER CONVENTIONS Acronym Description CM Configuration Mode ALU config CPE Customer Premises Equipment GigE Gigabit Ethernet ICM Interface Configuration Mode ALU config interfac...

Page 362: ...ch as the giving of an IP address to the peer However as the intent behind PPPoE is to use it in a client server scenario such as a corporate office using a connection to its ISP the PPPoE protocol describes a client server relationship PPPoE clients attempt to discover a PPPoE server through an Ethernet broadcast the PADI packet One or more PPPoE servers on the Ethernet LAN respond through a PADO...

Page 363: ... PPPOE CONFIGURATION PPPoE Configuration Steps PPPoE Configuration Flow PPPoE Configuration Commands PPPoE Show Commands ...

Page 364: ...P address configuration is optional when PPPoE encapsulation is configured on the GigE interface The operational mode is always PPPoE client The client gets the IP address from the PPPoE server whenever the IPCP negotiation happens For this you need to configure ppp ipcp address accept local on the interface For more details on this refer to the IPCP configuration section documented in the Point t...

Page 365: ...mum retry timer See To Set Maximum Retry for PADIs Note Configuration of LCP parameters IPCP parameters timers and counters and authentication are optional and these commands are similar to the commands that are documented in the PPP chapter The show commands are also similar to the PPP show commands For more details on these commands refer to the Point to Point Protocol chapter ...

Page 366: ...Point to Point Protocol over Ethernet PPPoE PPPOE CONFIGURATION FLOW Figure 30 PPPoE Configuration Flow ...

Page 367: ...ode EXAMPLE ALU config if GigabitEthernet3 0 encapsulation pppoe ALU config if GigabitEthernet3 0 no encapsulation pppoe Command in ICM Description encapsulation pppoe This command sets the PPPoE encapsulation on the Gigabit Ethernet interface OA 700 always acts as a PPPoE client no encapsulation pppoe This command removes the PPPoE encapsulation configured on the interface This also removes the P...

Page 368: ... interface GigabitEthernet3 0 ALU config if GigabitEthernet3 0 pppoe service name ISP1 ALU config if GigabitEthernet3 0 no pppoe service name Note The PPPoE service name configured on OA 700 should match the service name supported on the server If service name is not configured then the client accepts any service offered by the PPPoE server Command in ICM Description pppoe service name name This c...

Page 369: ...ly started when the link is administratively brought up on a PPPoE interface It starts off by sending a PADI Also whenever encapsulation pppoe is configured on an administratively up GigE interface EXAMPLE ALU config if GigabitEthernet3 0 pppoe negotiate Command in ICM Description pppoe negotiate This command is used to initiate the PPPoE negotiation on the interface This command helps to terminat...

Page 370: ...ry timer Command in ICM Description pppoe retry timer 0 300 This command sets the initial timer for re transmission of PPPoE PADI PADR packets in the absence of a PADO PADS from a server This wait time is doubled after each retry Note However after three unanswered PADIs wait period is reset to retry timer If the retry timer value is set to 0 PPPoE client sends only one PADI PADR no pppoe retry ti...

Page 371: ...tion and IPCP negotiations follow 3 The default MTU Maximum Transmission Unit on an interface with PPPoE will be 1492 as required by RFC 2516 PPPoE always negotiates the MTU even if it is user configured After the negotiations MTU is set to be either user configured MTU or server suggested MTU whichever is lesser Irrespective of the MTU value OA 700 will still be able to receive PPPoE packets with...

Page 372: ...N EXAMPLE ALU config show pppoe configuration GigabitEthernet 7 0 pppoe max retry 15 pppoe retry timer 5 s pppoe service name ISP1 Note You can also view the PPPoE configuration by using the show interfaces GigabitEthernet slot port command Command in SUM CM Description show pppoe configuration GigabitEthernet slot port Displays the PPPoE specific configurations on the GigE interface ...

Page 373: ...uctions on using the MLPPP commands and descriptions on each of their parameters refer to the OmniAccess 700 CLI Command Reference Guide The chapter is divided into the following sections MLPPP Overview MLPPP Configuration MLPPP Configuration Example CHAPTER CONVENTIONS Acronym Description CM Configuration Mode ALU config CPE Customer Premises Equipment ICM Interface Configuration Mode ALU config ...

Page 374: ...r channels to it on an as needed basis All IP related configuration is placed on the bundle interface The member links can be added or removed from the bundle at any time and the bundle is up as long as there is at least one member link This mechanism leaves all IP configuration intact even while changing the bandwidth of the bundle by adding or removing links The Layer 2 protocol needs to co oper...

Page 375: ...otiation Optionally an Endpoint Discriminator Option or SSHNF Option may also be sent out LCP negotiation and optional link authentication take place on each bundle link IPCP negotiation happens over the bundle meaning IPCP packets may be sent on any one of the bundle links Certain LCP packets like LCP Echo Request and LCP Echo Reply may be transmitted over the bundle IP packets are sent over the ...

Page 376: ...ed on the system MLPPP protocol negotiation or data reaching the system on an unconfigured interface are dropped Bundles cannot be deleted but can be shutdown and thereby made unusable Without any QoS configuration applied on the MLPPP bundle the packet distribution across the MLPPP member links within a bundle is handled in a weighted round robin fashion the weight being the bandwidth of the link...

Page 377: ... MLPPP CONFIGURATION MLPPP Configuration Steps MLPPP Configuration Flow MLPPP Configuration Commands MLPPP Show Commands ...

Page 378: ...LU config controller T1 channel group 0 23 timeslots 1 24 speed 56K 64K Note Creation of a channel group is a pre requisite for configuring a Serial Interface on a T1 or an E1 controller Step 4 Administratively bring up the controller ALU config controller T1 no shutdown Step 5 Exit from the controller mode ALU config controller T1 exit ALU config Note The above steps can be skipped if the T1 or E...

Page 379: ...ace name ip address ip address subnet mask ip address prefix length Example ALU config if mlppp100 ip address 20 20 20 20 24 Note Bundle Configuration is a pre requisite for Member Link Configuration Step 9 Configure MLPPP load threshold See To Configure MLPPP Load Threshold Optional Member Link Configuration Step 10 Enter Serial interface configuration mode for Member Link Configuration ALU confi...

Page 380: ...Multilink Point to Point Protocol MLPPP CONFIGURATION FLOW Figure 34 MLPPP Configuration Flow ...

Page 381: ... commands IP routing protocols as well as policies such as ACL NAT IDS IPsec etc configured on an individual interface will not be effective as long as the interface is part of the MLPPP bundle Once the interface is no longer part of the bundle the policies configured on the individual interface will become active TO CONFIGURE MLPPP BUNDLE INTERFACE EXAMPLE ALU config interface mlppp 100 ALU confi...

Page 382: ...lppp Note If the encapsulation of a serial interface is changed to MLPPP from HDLC PPP FR the QoS policy applied on the serial interface will be removed after giving a warning message Command in ICM Description encapsulation mlppp 1 256 This command sets MLPPP encapsulation on an interface The interface becomes a member link of the bundle interface identified by the bundle ID no encapsulation mlpp...

Page 383: ...kets 0 bytes 0 packets output 0 Control packets 0 Data packets 0 bytes 0 packets dropped 0 giants received Fragmentation Fragment Delay 0 ms 0 fragmented 0 couldn t fragment 0 fragments created 0x0 sent sequence Reassembly Slippage MRU 32 0 fragments in reassembly list 0 lost fragments 0 reordered 0 discarded fragments 0 reassembled 0 lost received 0 couldn t reassemble 0 fragments received 0x0 re...

Page 384: ...LU config controller T1 0 0 ALU config controller T1 channel group 0 timeslots 1 ALU config controller T1 exit ALU config ALU config interface Serial 0 0 0 ALU config if Serial0 0 0 no shutdown ALU config if Serial0 0 0 encapsulation mlppp 10 ALU config controller T1 0 0 ALU config controller T1 channel group 1 timeslots 2 ALU config controller T1 exit ALU config ALU config interface Serial 0 0 1 ...

Page 385: ...ot s Used 1 64Kbps each Transmitter delay is 0 flags ALU config show interfaces mlppp 10 mlppp10 is up line protocol is up Internet address is 3 3 3 3 24 MTU 1494 bytes BW 128 Kbit DLY 0 usec reliability 255 255 txload 237 255 rxload 0 255 Encapsulation mlppp loopback not set IPCP Initial Last input never output never output hang never Last clearing of show interface counters never 2 packets input...

Page 386: ...Multilink Point to Point Protocol ...

Page 387: ...y MLFR encapsulation on a T1 or an E1 interface or a Serial V 35 X 21 interface You are required to refer to the T1E1 Line Card and Universal Serial Port USP Line Card chapters before proceeding to this The chapter is divided into the following sections MLFR Overview MLFR Configuration CHAPTER CONVENTIONS Acronym Description CM Configuration Mode ALU config ICM Interface Configuration Mode ALU con...

Page 388: ...made multilink enabled bundle and link identifiers are configured appropriately This results in the transmission of appropriate Link Integrity Protocol messages on the bundle link Once the bundle link state machine reaches the UP state normal Frame Relay Link Management LMI procedures are started over the bundle This means the LMI packets can be sent over any of the associated bundle links as they...

Page 389: ... Figure 35 MLFR frame format for data packets Figure 36 MLFR frame format for control packets ...

Page 390: ...e system However bundles will not be created dynamically MLFR protocol negotiation or data reaching the system on an unconfigured interface will be dropped Bundles cannot be deleted but can be shut down and thereby made unusable Without any QoS configuration applied on the MLFR bundle the packet distribution across the MLFR member links within a bundle will be handled in a round robin fashion The ...

Page 391: ...nnelized serial interface ALU config controller T1 channel group 0 23 timeslots 1 24 speed 56K 64K Note Creation of a channel group is a pre requisite for configuring a Serial Interface on a T1 or an E1 controller Step 4 Administratively bring up the controller ALU config controller T1 no shutdown Step 5 Exit from the controller mode ALU config controller T1 exit ALU config Note The above steps ca...

Page 392: ...ddress prefix length Example ALU config if mlfr100 ip address 20 20 20 20 24 Step 9 Configure Frame Relay LMI Local Management Interface type See To Configure Local Management Interface LMI Type Optional Step 10 Configure Data Link Connection Identifiers DLCI on the interface See To Configure Data link Connection Identifier DLCI Step 11 Assign a Bundle Identification BID name to the MLFR bundle co...

Page 393: ...erface Step 15 Configure MLFR Optional Parameters Assign Link Identification LID to the interface See To Assign Link Identification LID to the Interface Configure the Hello interval See To Configure Hello Interval Configure the Acknowledge interval See To Configure the Acknowledge Interval Configure the retry count See To Configure the Retry Count Step 16 Use the show commands to view the MLFR con...

Page 394: ...Multilink Frame Relay MLFR CONFIGURATION FLOW Figure 37 MLFR Configuration Flow ...

Page 395: ...ig interface mlfr 100 ALU config if mlfr100 TO CONFIGURE LOCAL MANAGEMENT INTERFACE LMI TYPE Note LMI Autosense is activated by default as the system acts as a DTE The LMI autosense will be activated when the physical interface is up and LMI type is not configured on that interface EXAMPLE The following example sets the LMI to ANSI standard ALU config if mlfr100 frame relay lmi type ansi The follo...

Page 396: ...THE BUNDLE EXAMPLE ALU config if mlfr100 mlfr bid ALU1 Note Configuring a Bundle Interface is a pre requisite to Member Link configuration Command in ICM Description frame relay interface dlci 16 1007 This command is used to configure a DLCI on an MLFR interface no frame relay interface dlci 16 1007 The no command deletes the configured DLCI from the MLFR interface Command in ICM Description mlfr ...

Page 397: ...al interface will be detached after giving a warning message TO ASSIGN LINK IDENTIFICATION LID TO THE INTERFACE EXAMPLE ALU config if Serial0 0 0 mlfr lid ALU wan link ALU config if Serial0 0 0 no mlfr lid ALU wan link Command in ICM Description encapsulation mlfr 1 256 This command sets the encapsulation on an interface to MLFR and attaches it to the bundle interface configured no encapsulation m...

Page 398: ... peer or the duration it waits before resending the hello message EXAMPLE ALU config if Serial0 0 0 mlfr ack interval 5 ALU config if Serial0 0 0 no mlfr ack interval 5 Command in ICM Description mlfr hello interval 1 180 This command configures the hello interval The range of this interval is from 1 to 180 seconds no mlfr hello interval 1 180 This command resets the hello interval to its default ...

Page 399: ... 3072 Kbit DLY 0 usec reliability 255 255 txload 0 255 rxload 0 255 Encapsulation mlfr bundle loopback not set Last input never output never output hang never Last clearing of show interface counters never 614 packets input 325 controld packets 289 data packets 34295 bytes 26599 packets output 26216 controld packets 383 data packets 458430 bytes 53 packets dropped 0 giant packets Command in ICM De...

Page 400: ... 55 Hello_rcvd 56 Hello_ack_sent 56 Hello_ack_rcvd 55 Last input never output never output hang never Last clearing of show interface counters never Queueing strategy fifo Output queue 0 0 size max 0 drops Input queue 0 0 size max 0 drops Conversations 0 0 0 0 active max active max total Reserved Conversations 0 0 allocated max allocated Available Bandwidth 1536 kilobits sec 5 minute input rate 24...

Page 401: ... Port USP Line Card Multilink Point to Point Protocol and Frame Relay chapters before proceeding to this The chapter is divided into the following sections LFI Overview Overview of LFI in MLPPP LFI Configuration on MLPPP Overview of LFI in Frame Relay LFI Configuration on FR CHAPTER CONVENTIONS Acronym Description CM Configuration Mode ALU config ICM Interface Configuration Mode ALU config interfa...

Page 402: ...led and the packet reconstructed This method of fragmenting and interleaving helps guarantee the appropriate Quality of Service QoS for the real time traffic Consider a 1500 byte data frame that is being sent out of a 64 Kbps serial interface The interface in this case needs 187ms just to place that data frame on the wire If a smaller packet for example a voice frame were sitting behind that data ...

Page 403: ...link eventually it passes through Slippage on multilink interface allows configuration of buffer in terms of MRU which represent number of fragments to be stored without getting reassembled The default value will be 32 MRU size packets to be stored The range will be 16 256 MRU worth of data PACKET FORMATS Network Protocol packets are first encapsulated according to the normal PPP procedures 2 byte...

Page 404: ...to 0 for all other fragments A fragment may have both the (B)eginning and (E)nding fragment bits set to 1 Between the (E)nding fragment bit and the sequence number is a reserved field whose use is not currently defined which must be set to zero It is 2 bits long when the use of short sequence numbers has been negotiated 6 bits otherwise Currently short sequence number format is supported The FCS fiel...

Page 405: ...12 8 128 32 ms Fragment delay over MLPPP interface specifies how long it will take for a fragment to exit the interface in milliseconds The appropriate packet size to meet the specified serialization delay is automatically calculated The default value of Fragment delay is 0 In that case no fragmentation will be performed no fragment delay command will set the fragment delay to default value and he...

Page 406: ...LFI CONFIGURATION ON MLPPP LFI MLPPP Configuration Steps LFI MLPPP Configuration Flow LFI MLPPP Configuration Commands LFI MLPPP Show Commands Configuration Example of LFI on MLPPP ...

Page 407: ...controller configuration refer to the T1E1 Line Card chapter and refer to Multilink Point to Point Protocol for MLPPP configuration Step 1 Enter Configuration Mode ALU configure terminal ALU config Step 2 Configure T1 Controller ALU config controller T1 slot port ALU config controller T1 Step 3 Configure the channel group on the controller before entering the Interface Configuration Mode This comm...

Page 408: ...ort USP Line Card chapter Step 6 Configure a MLPPP bundle interface ALU config interface mlppp 1 256 Example ALU config interface mlppp 100 ALU config if mlppp100 Step 7 Administratively bring up the interface ALU config if interface name no shutdown Example ALU config if mlppp100 no shutdown Step 8 Configure IP address for the interface ALU config if interface name ip address ip address subnet ma...

Page 409: ...p 12 Enter Serial interface configuration mode for Member Link Configuration ALU config interface Serial slot port channel ALU config if Serial slot port channel Example ALU config interface Serial0 0 0 ALU config if Serial0 0 0 Step 13 Administratively bring up the interface ALU config if interface name no shutdown Example ALU config if Serial0 0 0 no shutdown Step 14 Set MLPPP encapsulation on t...

Page 410: ...Link Fragmentation and Interleaving LFI LFI MLPPP CONFIGURATION FLOW Figure 40 LFI MLPPP Configuration Flow ...

Page 411: ...m the links irrespective of LFI enabled on the receiving side Based on the slippage parameter configuration buffer is allocated on the receiver side Once the buffer is full the first unassembled packet is dropped TO ATTACH A POLICY MAP TO THE MLPPP INTERFACE EXAMPLE ALU config interface mlppp 100 ALU config if mlppp100 service policy out P1 ALU config if mlppp100 no service policy out P1 Note In t...

Page 412: ...ize Command in ICM Description fragment delay 1 256 This command is entered in the Interface Configuration mode This command is used to configure the fragment delay on the MLPPP bundle interface Fragment delay on the MLPPP interface specifies how long it will take for a fragment to exit the interface in milliseconds The appropriate fragment size to meet the specified serialization fragment delay i...

Page 413: ...in ICM Description slippage mru 16 256 This command is entered in the Interface Configuration mode This command is used to configure the number of fragments which can be stored at a time on a MLPPP bundle Slippage on MLPPP interface allows configuration of buffer in terms of MRU which represent number of fragments to be stored without getting reassembled Based on the slippage parameter configurati...

Page 414: ...er output hang never Last clearing of show interface counters never 2 packets input 2 Control packets 0 Data packets 28 bytes 2 packets output 2 Control packets 0 Data packets 28 bytes 0 packets dropped 0 giants received Fragmentation Fragment Delay 10 ms 5 fragmented 0 couldn t fragment 10 fragments created 0x9 sent sequence Reassembly Slippage MRU 16 0 fragments in reassembly list 0 lost fragmen...

Page 415: ...ay of 10 ms on serial 0 0 interfaces is achieved Figure 41 LFI Configuration on MLPPP On OA700 A a Configure MLPPP bundle interface ALU 1 enable ALU 1 configure terminal ALU 1 config interface mlppp 1 ALU 1 config if mlppp1 ip address 10 1 1 1 24 ALU 1 config if mlppp1 no shutdown ALU 1 config if mlppp1 exit ALU 1 config b Configure policy map Associate match list and class map with the policy map...

Page 416: ...ALU 1 config if Serial0 0 0 no shutdown ALU 1 config if Serial0 0 0 encapsulation mlppp 1 On OA700 B a Configure MLPPP bundle interface ALU 2 enable ALU 2 configure terminal ALU 2 config interface mlppp 2 ALU 2 config if mlppp2 ip address 10 1 1 2 24 ALU 2 config if mlppp2 no shutdown ALU 2 config if mlppp2 exit ALU 2 config b Configure policy map Associate match list and class map with the policy...

Page 417: ...elay but also shows how many fragmentation reassembly have been performed R2 config if show interface mlppp 2 mlppp2 is up line protocol is up Internet address is 10 1 1 2 24 MTU 1494 bytes BW 512 Kbit DLY 0 usec reliability 255 255 txload 20 255 rxload 20 255 Encapsulation mlppp loopback not set IPCP Open Last input never output never output hang never Last clearing of show interface counters nev...

Page 418: ...peed To decrease the serialization delay interleaving functionality must be performed Interleaving functionality is implemented through QoS configured on the FR interface END TO END FRAGMENTATION End to End fragmentation is used between two end devices and is restricted to use on PVCs only It is useful when the PVC is configured through slower trunk interfaces PACKET FORMATS End to End Fragmentati...

Page 419: ...erialization delay is specified on Frame Relay interface the fragment size should be configured As a rule of thumb divide the line speed by 800 to get a fragment size that results in a 10 ms serialization delay For example on a 64 000 bps link divide 64 000 by 800 to get 80 This means that if a fragment size of 80 is configured fragments will have a serialization delay of 10 ms The default value o...

Page 420: ...LFI CONFIGURATION ON FR LFI FR Configuration Steps LFI FR Configuration Flow LFI FR Configuration Commands LFI Configuration on FR Sub Interface LFI FR Show Commands Configuration Example of LFI on FR ...

Page 421: ...troller configuration refer to the T1E1 Line Card chapter and refer to Frame Relay for FR configuration Step 1 Enter Configuration Mode ALU configure terminal ALU config Step 2 Configure T1 Controller ALU config controller T1 slot port ALU config controller T1 Step 3 Configure the channel group on the controller before entering the Interface Configuration Mode This command creates a channel group ...

Page 422: ...ce V 35 X 21 refer to Universal Serial Port USP Line Card chapter Step 6 Enter Serial interface configuration mode for Member Link Configuration ALU config interface Serial slot port channel ALU config if Serial slot port channel Example ALU config interface Serial0 0 0 ALU config if Serial0 0 0 Step 7 Administratively bring up the interface ALU config if interface name no shutdown Example ALU con...

Page 423: ...ial1 0 0 ALU config if Serial0 0 0 frame relay interface dlci 100 Step 11 Configure fragment size on the Serial interface See To Configure Fragment Size on an Interface Step 12 Configure slippage MRU on the Serial interface See To Configure Slippage MRU Maximum Receive Unit on an Interface Step 13 Configure QoS out policy on the interface See To Attach a Policy Map to the Interface For more inform...

Page 424: ...Link Fragmentation and Interleaving LFI LFI FR CONFIGURATION FLOW Figure 43 LFI FR Configuration Flow ...

Page 425: ...full the first unassembled packet is dropped TO CONFIGURE FRAGMENT SIZE ON AN INTERFACE EXAMPLE ALU config if Serial 0 0 0 frame relay fragment 80 end to end ALU config if Serial 0 0 0 no frame relay fragment end to end Note When fragment size is configured on FR interface sub interface fragmentation will happen if at least one of the following is configured There are multiple VC present one main ...

Page 426: ... service policy out P1 Command in ICM Description slippage mru 16 128 This command is entered in the Interface Configuration mode This command specifies the number of fragments that can be buffered per Virtual Circuit The default slippage MRU value is 32 MRU no slippage mru The no command sets the slippage MRU to its default i e 32 MRU Command in ICM Description service policy in out policy map na...

Page 427: ...annel ALU config if Serial slot port channel subchannel Example ALU config interface Serial 0 0 0 1 ALU config if Serial0 0 0 1 Step 3 Configure IP address for the sub interface ALU config if Serial slot port channel subchannel ip address ip address subnet mask ip address prefix length Example ALU config if Serial0 0 0 1 ip address 124 123 10 1 255 255 255 0 Step 4 Repeat 10 to 13 as given in the ...

Page 428: ...aring of show interface counters never Queueing strategy fifo Output queue 0 0 size max 0 drops Input queue 0 0 size max 0 drops Conversations 0 0 0 0 active max active max total Reserved Conversations 0 0 allocated max allocated Available Bandwidth 1536 kilobits sec 5 minute input rate 0 bits sec 0 packets sec 5 minute output rate 0 bits sec 0 packets sec 0 packets input 0 bytes 0 no buffer Recei...

Page 429: ... 20 reordered TO VIEW FRAGMENTATION AND REASSEMBLY STATISTICS PER VC EXAMPLE ALU config show frame relay pvc DLCI 100 DLCI USAGE LOCAL PVC STATUS STATIC INTERFACE Serial0 0 0 End to End Fragmentation Statistics Packets fragmented 10 Fragments Created 220 fragments failed 0 End to End Reassembly Statistics fragments received 220 fragments reassembled 220 fragments dropped 0 fragments timeout 0 frag...

Page 430: ...End to End Fragmentation Statistics Packets fragmented 10 Fragments Created 220 fragments failed 0 End to End Reassembly Statistics fragments received 220 fragments reassembled 220 fragments dropped 0 fragments timeout 0 fragments reordered 0 ...

Page 431: ...gure Serial interface Set FR encapsulation and configure DLCI on the interface ALU 1 config controller T1 0 0 ALU 1 config controller T1 channel group 0 timeslots 1 ALU 1 config controller T1 exit ALU 1 config ALU 1 config interface Serial 0 0 0 ALU 1 config if Serial0 0 0 no shutdown ALU 1 config if Serial0 0 0 ip address 2 2 2 1 24 ALU 1 config if Serial0 0 0 encapsulation frame relay ALU 1 conf...

Page 432: ... if Serial1 0 0 no shutdown ALU 2 config if Serial0 0 0 ip address 2 2 2 2 24 ALU 2 config if Serial0 0 0 encapsulation frame relay ALU 2 config if Serial0 0 0 frame relay interface dlci 100 b Configure policy map Associate match list and class map with the policy map ALU config match list m2 ALU config match list m2 udp any any ALU config class map c2 ALU config qos c2 match m2 ALU config policy ...

Page 435: ...SSIFIERS This chapter gives an insight of all the commands to configure the match lists It is divided into the following sections CC Overview CC Configuration Sample examples on the usage of CC across applications CHAPTER CONVENTIONS Acronym Description SUM Super User Mode ALU CM Configuration Mode ALU config Match list CM Match list Configuration Mode ALU config match list name ...

Page 436: ...s new features were developed the classification became more complex and varied This complexity grew from the fact that people wanted to match traffic on increasing number of packet fields Enhancement in speeds of the interface and switching has increased ascent on classification performance Last but not the least a generic classification model was required in order to match traffic classes which ...

Page 437: ...HITECTURE A key design aspect of the CC is that it separates the classification from the action This allows the classification to be performed once for a particular packet and then different features can use the result to derive their own action The below diagram depicts usage of common classification by different features Figure 3 Elements in Common Classifiers Classifications referred in applica...

Page 438: ...ateways ALG and assigned when the packet is initially classified BEFORE YOU CONFIGURE CC Consider the following points before configuring the match lists If no protocol is specified then IP is the default protocol Fields that are not referenced in the rule are by default considered a wildcard match e g if the protocol portion of the rule is not specified it is automatically considered as an any ma...

Page 439: ...ing of the concept and framework required to configure lists match lists and arguments used for configuring advanced rulesets within the match lists See Elements Used in Configuring CC Step 2 Configure Match lists See To Configure a Match list Step 3 Configure the appropriate rules within the match list sub configuration mode These rules are a combination of different elements and their arguments ...

Page 440: ...th an IP address from Specifies a 16 bit UDP or TCP Source port service Specifies a 16 bit UDP or TCP Destination port interface Refers to an interface in the system Protocol The protocols supported are IP TCP UDP and ICMP It is also possible to define a specific protocol like IKE by using the keyword Protocol IP Precedence Specifies the IP precedence ToS Specifies the Type of Service ICMP type an...

Page 441: ...her ToS or IP Precedence and vice versa MNEMONICS FOR DSCP Mnemonic Description af11 Assured Forwarding 11 af12 Assured Forwarding 12 af13 Assured Forwarding 13 af21 Assured Forwarding 21 af22 Assured Forwarding 22 af23 Assured Forwarding 23 af31 Assured Forwarding 31 af32 Assured Forwarding 32 af33 Assured Forwarding 33 af41 Assured Forwarding 41 af42 Assured Forwarding 42 af43 Assured Forwarding...

Page 442: ...ts with priority precedence 1 immediate Match packets with immediate precedence 2 flash Match packets with flash precedence 3 flash override Match packets with flash override precedence 4 critical Match packets with critical precedence 5 internet Match packets with internetwork control precedence 6 network Match packets with network control precedence 7 Mnemonic Description max reli Maximum reliab...

Page 443: ...cation to their parameters Apart from this these rules are applied for all flows irrespective of the interfaces Each rule is differentiated by a line number In general the following have to be considered before configuring a rule The Source Destination from to order of the fields must configure a rule The fields specified in the rule must all match for the rule to be matched so the components of t...

Page 444: ... ESP keywords are similar to IP protocol Their applications are usually in the security domains The protocol keyword is used to assign a number to the protocol types in use The protocol name to number mapping can be found at http www iana org assignments protocol numbers TO CONFIGURE A RULE EXAMPLE ALU config match list test 10 tcp host 1 1 1 1 32 any from 6050 to 80 The above concept can be made ...

Page 445: ...ce ssh ALU config match list m1 2 udp interface GigabitEthernet 7 0 interface GigabitEthernet 3 0 fragment length eq 1659 ALU config match list m1 3 icmp any any length gt 92 EX 3 To classify traffic coming from network 192 168 10 0 24 and going to 192 168 11 0 24 Match list M1 depicts this Match lists 2 and 3 depicts the usage of UDP and ICMP protocols in CC ALU config match list m1 ALU config ma...

Page 446: ...le fields e g the following configuration ALU config list i1 prefix 10 0 0 0 8 prefix 11 0 0 0 8 ALU config list i2 prefix 20 0 0 0 8 prefix 21 0 0 0 8 ALU config match list m1 ALU config match list m1 1 ip list i1 list i2 type normal ALU config match list m1 2 ip list i1 list i2 type rpc ALU config match list m1 3 ip list i1 list i2 type ftp ALU config match list m1 4 ip list i1 list i2 type tftp...

Page 447: ...igabitEthernet7 0 interface GigabitEthernet 3 0 service smtp EX 3 The power and flexibility of the rulesets can be best seen when the list references are used especially in multiple fields e g the following configuration ALU config list i1 prefix 10 0 0 0 8 prefix 11 0 0 0 8 ALU config list i2 prefix 20 0 0 0 8 prefix 21 0 0 0 8 ALU config match list m1 ALU config match list m1 1 tcp list i1 list ...

Page 448: ...refix 192 168 1 0 24 prefix 192 168 2 0 24 ALU config list L4 prefix 192 168 18 0 24 prefix 192 168 19 0 24 ALU config match list m1 ALU config match list m1 1 udp list L3 list L4 service tftp Command in Match list CM Description 1 65535 udp any host source ip address interface name list name prefix source ip address prefix length any host destination ip address interface name list name prefix des...

Page 449: ... prefix source ip address prefix length any host destination ip address interface name list name prefix destination ip address prefix length dscp 0 63 dscp mnemonics fragment icmp type 0 255 icmp subtype 0 255 ip precedence 0 7 precedence mnemonics length 1 1500 eq ge gt le lt range 1 1500 tos 0 15 tos mnemonics This command is used to configure rules for the ICMP protocol in a match list Command ...

Page 450: ...t s name effectively extending the list by combining the elements in the other list as shown below ALU config list l1 interface GigabitEthernet 3 0 interface serial 1 0 0 ALU config list l2 prefix 10 0 0 0 8 prefix 20 0 0 0 8 ALU config list Zone1 list l1 list l2 EX 2 In this example there are two networks 192 168 1 0 24 and 192 168 2 0 24 which need to communicate with two other networks 192 168 ...

Page 451: ...18 0 and 192 168 18 1 This can be represented by the classifier as ALU config list L3 host 192 168 1 0 host 192 168 1 1 ALU config list L4 host 192 168 18 0 host 192 168 18 1 ALU config match list m2 ALU config match list m2 tcp list L3 list L4 service telnet EX 5 This example shows a simple usage of match list with a single rule ALU config list L1 host 21 1 1 1 interface GigabitEthernet 7 0 ALU c...

Page 452: ...LU config match list m2 tcp prefix 192 168 2 0 24 any service smtp ALU config match list m2 include m1 EX 2 Consider another example to configure match lists using appropriate rulesets with the include keyword ALU config match list m1 ALU config match list m1 1 prefix 10 0 0 0 8 host 21 1 1 1 ALU config match list m1 2 list l2 list l3 ALU config match list m2 ALU config match list m2 1 tcp any any...

Page 453: ... necessary modes of configurations included ALU en ALU configure terminal ALU config list l1 host 192 168 0 4 prefix 192 168 0 1 24 interface GigabitEthernet7 0 ALU config list l2 host 192 168 0 3 include l1 ALU config match list m1 ALU config match list m1 tcp any list l1 length 23 from ssh service range 23 35 ALU config match list m1 exit ALU config match list m2 ALU config match list m2 include...

Page 454: ...4 4 prefix 6 6 6 0 24 list l2 host 5 3 4 6 prefix 1 10 10 0 24 The following example displays the details of the list L1 and L2 configured ALU config show list l1 list l1 host 5 5 5 5 host 4 4 4 4 prefix 6 6 6 0 24 ALU config ALU config show list l2 list l2 host 5 3 4 6 prefix 1 10 10 0 24 ALU config Command in SUM Description show list name This command displays the details of all the lists that ...

Page 455: ...any type ftp match list m2 1 tcp any any service ssh match list m3 1 udp any any The following example displays the details of match lists m1 and m2 ALU config match list m1 show match list m1 match list m1 1 icmp any any 2 tcp any any service http 3 ip any any type tftp ALU config match list m1 show match list m2 match list m2 1 tcp any any service ssh 2 udp any any Command in SUM Description show...

Page 456: ...THE DETAILS OF THE INCLUDED MATCH LIST EXAMPLE The following example displays the details of match list m1 ALU config match list m2 show include match list m1 1 tcp any any service ssh 2 udp prefix 22 1 1 0 8 any Command in Match list CM Description show rule 1 65535 This command is entered within the Match list Configuration Mode to display the details of the rule corresponding to the line rule n...

Page 457: ...ollowing example deletes the list L1 ALU config no list L1 TO DELETE A MATCH LIST Note If a match list is in use it cannot be deleted The deletion of match lists as in case of lists cannot be globally applied to all the match lists that are configured They can be deleted only one at a time EXAMPLE The following example deletes the match list M1 ALU config no match list M1 Command in CM Description...

Page 458: ...U config match list m2 1 tcp any any service ssh ALU config match list m2 2 udp prefix 22 1 1 0 8 any ALU config match list m2 3 include m1 Now to delete the included match list use the no include command ALU config match list m2 no include match list m1 Command in Match list CM Description no rule 1 65535 This command is entered in the Match list Configuration mode to delete a specific rule from ...

Page 459: ... 1 ip prefix 10 91 0 0 24 prefix 10 0 1 0 24 match list SV tunnel 1 ip prefix 10 0 1 0 24 prefix 10 91 0 0 24 match list ike 1 udp host 203 196 196 74 host 64 174 59 66 from 500 match list esp 1 esp host 203 196 196 74 host 64 174 59 66 match list nat 1 ip prefix 10 91 0 0 24 any match list ike SV 1 udp host 64 174 59 66 host 203 196 196 74 from 500 match list esp SV 1 esp host 64 174 59 66 host 2...

Page 460: ...ons list L1 interface GigabitEthernet 7 0 prefix 10 1 0 0 16 prefix 20 0 0 0 8 host 30 1 1 1 host 40 1 1 0 list L2 prefix 192 168 0 0 16 prefix 192 170 0 0 16 list L3 interface GigabitEthernet 3 0 interface GigabitEthernet 7 1 match list m1 ip List L1 interface GigabitEthernet 7 0 match list m2 tcp any List L2 service telnet tcp any List L2 type normal match list m3 ip prefix 192 99 55 0 24 any ud...

Page 461: ...24 and 192 168 2 0 24 which need to communicate with 2 other networks 192 168 18 0 24 and 192 168 19 0 24 using telnet This can be represented by the classifier as list L3 prefix 192 168 1 0 24 prefix 192 168 2 0 24 list L4 prefix 192 168 18 0 24 prefix 192 168 19 0 24 match list m1 tcp list L3 list L4 service telnet Now a filter can be created and applied to the appropriate interface ip filter f1...

Page 465: ...ocol Independent Configuration Commands For instructions on using the commands and descriptions on each of their parameters with the corresponding default values refer to the OmniAccess 700 CLI Command Reference Guide CHAPTER CONVENTIONS Acronym Description UM User Mode ALU SUM Super User Mode ALU CM Configuration Mode ALU config RCM Router Configuration Mode ALU config router ospf Route map CM Ro...

Page 466: ...rm any of the tasks described in the following sections Configure Static Routes Configure IP Unnumbered Interface Configure Access List Configure Prefix list Configure AS path Access list Configure Route Maps Redistribute Routing Information Filtering Routing Information Configure Administrative Distance Configure Maximum Paths Protocol Independent Features Show Commands Protocol Independent Featu...

Page 467: ...s can be configured without Gateway IP address Static routes for Ethernet interfaces have to be configured with gateway IP address If gateway address as well as interface name is specified in the static route then route is activated only if gateway is reachable through the specified interface Router might not be able to determine the routes to all other networks In that case you can configure defa...

Page 468: ...ot another unnumbered interface If the associated numbered interface is configured as an unnumbered interface then the existing IP address shall be deleted and the interface shall be made as an unnumbered interface In this case the unnumbered interface also loses the IP address If the IP address on the associated numbered interface is deleted then the unnumbered interface also loses the IP address...

Page 469: ...tement match is found and an action associated with the statement match is performed The main result from the evaluation of an access list is permit or deny When applied to redistribution an ACL determines if a particular route can or cannot be redistributed Each ACL ends with an implicit deny statement by design convention there is no similar convention for route maps If the end of a route map is...

Page 470: ...mmand in CM Description access list 1 99 1300 1999 deny permit ip address network number ip address prefix length any host host ipaddress log This command is used to configure a Standard Access list Command in CM Description access list 100 199 2000 2699 deny permit 0 255 gre icmp ipinip pim rsvp tcp udp source ip address network number source ip address prefix length any host source host ipaddres...

Page 471: ...ard test ALU config std nacl TO CONFIGURE STANDARD IP ACCESS LIST RULE EXAMPLE ALU config std nacl permit host 10 0 0 1 ALU config std nacl permit 11 0 0 0 8 TO CONFIGURE EXTENDED IP ACCESS LIST EXAMPLE ALU config ip access list extended test ALU config ext nacl Command in CM Description ip access list standard 1 99 1300 1999 access list name This command is used to define a named access list And ...

Page 472: ...tended IP Access list CM Description permit deny igre icmp ip ipinip pim rsvp tcp udp 0 255 any host host ip address source ip address prefix length source ip address subnet mask operators any host host ip address destination ip address prefix length destination ip address subnet mask log log input enable fragment precedence 0 7 keywords tos 0 15 keywords This command is used to configure a rule f...

Page 473: ... All of the standard rules of access lists apply to the configuration of extended community lists Regular expressions are supported by the expanded range of extended community list numbers TO CONFIGURE STANDARD COMMUNITY LIST EXAMPLE ALU config ip community list 1 permit internet ALU config ip community list 2 permit no export TO CONFIGURE EXTENDED COMMUNITY LIST Command in CM Description ip commu...

Page 474: ...efix numbers and greater than or equal to prefix numbers can be used together The order of the le and ge commands does not matter CONFIGURE AS PATH ACCESS LIST A regular expression is a pattern used to match against an input string In case of BGP we can have a regular expression to match particular autonomous system path This is used to filter updates from neighbors EXAMPLE In the following exampl...

Page 475: ...route map can verify if the type of route is internal or if it has a IP address During redistribution if the route does not match any clause in a route map then the route redistribution is denied as if the route map contained deny statement at the end Route maps are preferred if you intend to either modify route information during redistribution or if you need more powerful matching capability Rou...

Page 476: ...ences Route maps can have permit and deny action If route matches match criteria in route map then route map action is performed So if result is permit we allow redistribution of routes If one route map sequence number is not matched then next sequence number of the route map is evaluated Each route map has two sets of configuration match Applies this match criteria for the route set If match crit...

Page 477: ...ion match as path 1 199 Matches a BGP autonomous system path access list match community 1 99 100 199 exact match Matches a BGP community list match ip address 1 99 1300 2699 access list name prefix list prefix list name Matches a destination network number address that is permitted by a standard access list an extended access list or a prefix list or perform policy routing on packets match ip nex...

Page 478: ...ibute set comm list 1 99 100 199 delete Removes the communities from the community attribute of an inbound or outbound update set dampening 1 45 1 20000 1 20000 1 255 Sets BGP route dampening factors set local preference 0 4294967295 Assigns a local preference to the BGP path set weight 0 4294967295 Use this command to set weight of route BGP has weight attribute If the same route is received from...

Page 479: ...r routing protocols They can only redistribute routes to other dynamic routing protocols Although redistribution is a protocol independent feature some of the match and set commands are specific to a particular protocol Command in RCM Description redistribute connected static bgp 1 65535 ospf 1 65535 metric 0 16777214 metric type 1 2 route map map name tag 0 4294967295 subnets This command is used...

Page 480: ...still not to send any routing traffic out of interfaces Classical example of this is when we run OSPF over GRE tunnel interface In this case site routes are advertised To prevent routing protocol traffic in the site network you can use default interface command or else use route redistribution mechanism TO PREVENT ROUTING UPDATES THROUGH AN INTERFACE To prevent other routers on a local network fro...

Page 481: ...to the above problem is to configure the routing protocol on all interfaces and manually set the passive interface router configuration on the interfaces where adjacency is not desired With the Default Passive Interface feature this problem is solved by allowing all interfaces to be set as passive by default using a single passive interface default command Then configure individual interfaces wher...

Page 482: ...es not support Distribute list feature in OSPF EXAMPLE ALU config router bgp AS1 distribute list 1 in GigabitEthernet 7 0 ALU config router rip distribute list prefix prefix example in GigabitEthernet 7 0 Command in RCM Description distribute list 1 199 1300 2699 access list name prefix prefix list in out interface name Permits or denies routes from being advertised in routing updates depending up...

Page 483: ...han others An administrative distance is a rating of the trustworthiness of a routing information source such as an individual router or a group of routers In a network some routing protocols and some routers can be more reliable than others as sources of routing information Also when multiple routing protocols are running on the same interface it is possible for the same route to be advertised by...

Page 484: ... use of administrative distance as it can result in inconsistent routing information including forwarding loops Command in RCM Description distance 1 255 ip address subnet mask ip address prefix length 1 99 1300 1999 This command is used to define an administrative distance for OSPF or RIP or BGP The default distance for RIP is 120 The default distance for OSPF is 110 The default distance is 20 fo...

Page 485: ...P and Static routes can install a maximum number of 16 ECMP paths And RIP installs maximum 8 ECMP paths Static route maximum path limit is not configurable EXAMPLE ALU config router ospf 1 maximum paths 5 Command in RCM Description maximum paths number of paths Enter this command in the Router Configuration Mode This command is used to configure the maximum number of ECMP paths to be allowed in a ...

Page 486: ...l Routes from connected metric 3 static metric 4 Default version control send version 2 receive version 2 Automatic network summarization is in effect Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Interface Send Recv Key chain GigabitEthernet7 1 2 2 loopback1 2 2 Routing for Networks 1 0 0 0 4 0 0 0 Routing Information Sources G...

Page 487: ...TION EXAMPLE ALU show ip access lists Standard IP access list test permit host 10 0 0 1 0 packets permit 11 0 0 0 0 255 255 255 0 packets deny 12 0 0 0 0 255 255 255 0 packets ALU TO VIEW IP PREFIX LIST CONFIGURATION EXAMPLE ALU show ip prefix list ip prefix list test seq 5 deny 10 0 0 0 8 ge 23 ALU Show Command in SUM Description show access lists 1 2699 access list name This command displays the...

Page 488: ...route map route map test permit sequence 1 Description Exit Policy Match clauses community community list filter 1 ip address access lists prefix list testprefix Set clauses route map test deny sequence 2 Description Exit Policy Match clauses Set clauses ALU Show Command in SUM Description show ip as path access list 1 199 This command displays the AS path access list configuration Show Command in...

Page 489: ...Match clauses ip address access lists 1 Set clauses metric 10 route map testset permit sequence 10 Description Exit Policy Match clauses Set clauses metric 20 ALU TO VIEW IP COMMUNITY LIST CONFIGURATION EXAMPLE ALU show ip community list Community standard access list 1 permit internet Community standard access list 2 permit no export ALU Show Command in SUM Description show ip community list 1 19...

Page 490: ...connected Serial0 0 2 6 0 0 0 is variably subnetted 2 subnets 2 masks S 6 6 6 0 24 1 0 is directly connected Serial0 0 2 O 6 6 6 6 32 110 10 1 via 5 5 0 1 Serial0 0 0 via 5 5 1 1 Serial0 0 1 via 5 5 2 1 Serial0 0 2 S 7 0 0 0 8 1 0 is directly connected Serial0 0 0 is directly connected Serial0 0 1 10 0 0 0 24 is subnetted 1 subnet C 10 91 2 0 0 0 is directly connected GigabitEthernet7 0 99 0 0 0 2...

Page 491: ...ectly connected Serial0 0 0 is directly connected Serial0 0 1 S 100 0 0 0 8 1 0 via 10 91 2 5 GigabitEthernet7 0 ALU EXAMPLE 3 ALU show ip route connected Codes R RIP O OSPF C connected S static M mcstatic B BGP IA OSPF inter area route E1 OSPF external type 1 route E2 OSPF external type 2 route N1 OSPF NSSA external type 1 route N2 OSPF NSSA external type 2 route candidate default route 5 0 0 0 2...

Page 492: ... 227 2 9618 8244 Total 228 3 9702 8316 Mask distribution 3 routes at length 8 1 route at length 16 226 routes at length 24 1 route at length 32 ALU EXAMPLE 5 ALU show ip route supernets only S 172 0 0 0 8 1 0 via 1 1 1 5 GigabitEthernet7 1 O E2 193 0 0 0 8 110 20 1 via 1 1 1 2 GigabitEthernet7 1 ALU PROTOCOL INDEPENDENT FEATURES CLEAR COMMAND EXAMPLE ALU clear ip route Command in SUM Description c...

Page 493: ...ds For a detailed information on the RIP commands refer to the RIP chapter in the OmniAccess 700 CLI Command Reference Guide This chapter includes the following sections RIP Overview RIP Configuration The RIP Overview section serves only as an additional information on RIP You can skip this section and directly go to the configuration section of this chapter detailed in RIP Configuration CHAPTER C...

Page 494: ...t regular time intervals by default 30 seconds in Alcatel Lucent s implementation If the router does not receive any updates from a neighboring router for a time interval known as the invalid timer it marks all routes from the neighboring router as invalid And if there is still no sign of life from the neighboring router after the router s flush timer has expired all the routes are removed RIP use...

Page 495: ...RIP CONFIGURATION Refer to the following sections to configure RIP on your system RIP Configuration Steps RIP Configuration Flow RIP Configuration Commands RIP Show Commands RIP Clear Commands ...

Page 496: ...inistratively bring up the interface ALU config if interface name no shutdown Example ALU config if GigabitEthernet7 0 no shutdown Step 3 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config if GigabitEthernet7 0 ip address 20 20 20 20 24 Step 4 Enable RIP See To Enable RIP Step 5 Configure the major netwo...

Page 497: ... RIP Neighbor Configure Administrative Distance See To Configure Administrative Distance Configure Default Metric Value See To Configure Default Metric Value Configure RIP Timers See To Configure RIP Timers Apply Offsets to Routing Metrics See To Apply Offsets to Routing Metrics RIP Authentication See RIP Authentication RIP and Default Route See RIP and Default Route Configure Auto Summary See To ...

Page 498: ...RIP CONFIGURATION FLOW Figure 4 RIP Configuration Flow ...

Page 499: ...mmands you can use on the router RIP routing updates will be sent and received only through interfaces which falls in the configured network EXAMPLE ALU config router rip network 10 0 0 0 ALU config router rip no network 10 0 0 0 Command in CM Description router rip This command enters into the Router Configuration mode This enables to configure RIP specific commands Command in RCM Description net...

Page 500: ...uter rip no version Command in RCM Description version 1 2 This command is used to configure RIP version v1 v2 on the OA 700 Configure RIP version to v1 to send and receive only RIPv1 messages and configure RIP version to v2 to send and receive only RIPv2 messages Note RIPv2 is an enhancement of RIPv1 and not a separate protocol By default RIP process configured on OA 700 system sends only RIPv1 m...

Page 501: ... which that information originated This behavior usually optimizes communications among multiple routers particularly when links are broken RIP uses Split Horizon and Poison Reverse to ensure that routes learned on a particular interface are not re advertised out of that same interface or if they are that they are advertised as unreachable EXAMPLE ALU config if GigabitEthernet7 0 ip split horizon ...

Page 502: ...P broadcasts on the link and updates the routing table accordingly EXAMPLE ALU config router rip passive interface GigabitEthernet 7 0 ALU config router rip no passive interface GigabitEthernet 7 0 Command in ICM Description ip rip v2 broadcast Use this command to send routing updates to broadcast address This command is used to allow RIP Version 2 update packets to be sent as broadcast packets in...

Page 503: ... 24 router rip network 172 19 0 0 neighbor 172 19 3 1 passive interface GigabitEthernet 3 1 TO CONFIGURE ADMINISTRATIVE DISTANCE Show ip protocols command shows the default distance for all routing protocols EXAMPLE ALU config router rip distance 130 10 0 0 0 8 20 ALU config router rip no distance Command in RCM Description neighbor neighbor address Defines a neighboring router to exchange the rou...

Page 504: ...ution configuration command to make the current routing protocol to use the same metric value for all the redistributed routes This is explained below router rip network 172 19 0 0 default metric 10 redistribute static redistribute ospf 1 metric 5 As per the example all the routes imported from the Static routing protocol will be assigned metric of 10 In case of routes imported from OSPF routing p...

Page 505: ...ds Default is 240 seconds Sleeptime Interval for postponing routing updates in the event of a flash update in milliseconds EXAMPLE ALU config router rip timers basic 10 30 30 90 ALU config router rip no timers basic Note The Invalid and Holddown timer interval should be at least three times the value of Update timer For Flush timer the interval should be longer than the larger of the Invalid and H...

Page 506: ...AMPLE ALU config access list 1 permit 10 33 0 0 0 0 0 0 ALU config router rip ALU config router network 192 168 1 0 ALU config router network 10 0 0 0 ALU config router offset list 1 in 2 Serial0 0 1 The syntax of the offset list says Examine RIP advertisements incoming from interface Serial0 0 1 For route entries matching the addresses specified in access list 1 add 2 hops to the metric If no int...

Page 507: ...r which RIP authentication is enabled Plain Text Authentication and MD5 Authentication The default authentication in every RIP Version 2 packet is Plain Text Authentication The OA 700 implementation of RIPv2 message authentication includes the choice of simple password or MD5 authentication and the option of defining multiple keys or passwords on a key chain TO CONFIGURE KEY CHAIN EXAMPLE ALU conf...

Page 508: ... rip authentication key chain allen ALU config if GigabitEthernet7 0 no ip rip authentication key chain allen Command in Key chain Key Mode Description key string key string This command is used to configure the password for the key Command in ICM Description ip rip authentication key chain key chain name Use the following command in the Interface Configuration mode This command is used to associa...

Page 509: ...config router rip no validate update source ALU config router rip validate update source Command in ICM Description ip rip authentication mode md5 text Use the following command in the Interface Configuration mode This command is used to configure the authentication mode to be used by the interface or let it default mode The default authentication mode is Plain Text authentication no ip rip authen...

Page 510: ...AMPLE ALU config router rip default information originate ALU config router rip no default information originate TO CONFIGURE AUTO SUMMARY EXAMPLE ALU config router rip auto summary ALU config router rip no auto summary Command RCM mode Description default information originate This command is used to generate default route into RIP no default information originate The no command disables default ...

Page 511: ...h the prefix list keyword EXAMPLE ALU config router rip distribute list prefix prefix example in GigabitEthernet 7 0 ALU config router rip no distribute list prefix prefix example in GigabitEthernet 7 0 Command RCM Description distribute list 1 199 1300 2699 gateway ip prefix list name prefix ip prefix list name in out interface name This command suppresses networks from being advertised in routin...

Page 512: ...iption redistribute bgp 1 65535 connected ospf 1 65535 match external nssa external 1 2 internal static metric 1 16 transparent route map route map reference This command is used to import routes from other routing protocols no redistribute bgp 1 65535 connected ospf 1 65535 match external nssa external 1 2 internal static metric 1 16 transparent route map route map reference This command disables...

Page 513: ...hed after 240 seconds Default redistribution metric is 3 Redistributing External Routes from connected metric 3 static metric 4 Default version control send version 2 receive version 2 Automatic network summarization is in effect Outgoing update filter list for all interfaces is not set Incoming update filter list for all interfaces is not set Interface Send Recv Key chain GigabitEthernet7 1 2 2 l...

Page 514: ...TO VIEW IP RIP INTERFACES Enter this command in the Configuration Mode as follows EXAMPLE ALU show ip rip interfaces RIP Interface Table Interface Interface Address Interface Mask Send Ver Recv Ver Flags GigabitEthernet7 0 1 1 1 2 255 255 255 0 2 2 B S GigabitEthernet7 1 10 91 2 6 255 255 255 0 2 2 Flags U Unnumbered P Passive B V2 Broadcast S Split horizon disabled ALU Command in SUM Description ...

Page 515: ...thernet7 0 Routes learned 0 Updates sent 0 11 Bad msgs received 14 Trig Updates sent 0 2 Auth failures 0 Responses sent 0 0 Unicast tx failure 0 Routes advertised 0 3 Bcast tx failures 0 Updates received 0 40 Mcast tx failures 0 Requests received 0 0 Bad Rtes received 0 0 GigabitEthernet7 1 Routes learned 1 Updates sent 0 8 Bad msgs received 5 Trig Updates sent 0 0 Auth failures 0 Responses sent 0...

Page 516: ...w Send lifetime 00 00 00 02 Feb 2001 Infinite Valid Now key chain alu2 key 2 key string lucent Accept lifetime Always Valid Always Valid Valid Now Send lifetime Always Valid Always Valid Valid Now ALU show key chain alu1 key chain alu1 key 1 key string alcatel lucent Accept lifetime 00 00 00 01 Jan 2000 Infinite Valid Now Send lifetime 00 00 00 02 Feb 2001 Infinite Valid Now Command in SUM Descrip...

Page 517: ...RIP CLEAR COMMANDS The section below details the procedure to clear RIP configuration on your system TO RESTART THE RIP PROCESS EXAMPLE ALU clear ip rip database Command in SUM Description clear ip rip database statistics Clears the RIP database or the RIP statistics ...

Page 519: ... commands and descriptions on each of their parameters with the corresponding default values for each refer to the OmniAccess 700 CLI Command Reference Guide This chapter includes the following sections BGP Overview BGP Configuration A Typical BGP Example Using OA 700 The BGP Overview section serves as an additional information on BGP You can skip this section and directly forward to the configura...

Page 520: ...ch BGP update message consists of a list of NLRI and a set of Path Attributes shared amongst them Common path attributes are AS_PATH NEXT HOP etc BGP uses locally configured policies for route selection among the different updates BGP neighbors form a TCP connection between one another They exchange messages to open and confirm the connection parameters The initial data flow is the entire BGP rout...

Page 521: ...e OmniAccess 700 CLI Command Reference Guide BGP CONFIGURATION STEPS This section lists steps to configure BGP Step 1 Enter into Interface Configuration Mode ALU config interface name Example ALU config interface GigabitEthernet7 0 ALU config if GigabitEthernet7 0 Step 2 Administratively bring up the interface ALU config if interface name no shutdown Example ALU config if GigabitEthernet7 0 no shu...

Page 522: ...Step 6 Configure the networks See To Configure Networks to be Advertised Step 7 View BGP configuration See BGP Show Commands Step 8 Reset BGP configuration See BGP Clear Commands ...

Page 523: ...BGP CONFIGURATION FLOW Figure 5 BGP Configuration Flow ...

Page 524: ...neighbor that this router wishes to peer with needs to be configured A BGP neighbor can be either internal or external Internal Neighbor Neighbors who are in the same AS This is also referred to as an iBGP connection External Neighbor Neighbors who are in different AS This is also commonly referred to as an eBGP connection External neighbors are usually adjacent to each other if they are not ebgp ...

Page 525: ... network statement decides where the update is to be sent This command is also used to configure BGP weight A weight is a number that can be assigned to a path so that the path selection process can be controlled The administrative weight is local to the router EXAMPLE ALU config router bgp AS30 network 35 0 0 0 8 Command in RCM Description network network number mask subnetmask ip address prefix ...

Page 526: ...112 110 100 50 300 ALU TO VIEW THE BGP SUMMARY EXAMPLE ALU show ip bgp summary BGP router identifier 111 111 111 111 local AS number 200 7 Prefix entries using 416 bytes of memory 7 Path entries for prefixes using 392 bytes of memory Dampening enabled 0 History paths 2 Dampened paths 3 Path attribute entries using 672 bytes of memory 2 Aspath entries using 614 bytes of memory 2 Community entries u...

Page 527: ...ding 0 Route map for incoming advertisements is metric1 Connections established 9 dropped 8 Last reset 00 12 44 due to Interface Flap Connection state is ESTAB Local host 1 1 1 1 Local port 32835 Foreign host 1 1 1 2 Foreign port 179 iss 0 snduna 0 sndnxt 0 sndwnd 2 irs 0 rcvnxt 0 rcvwnd 0 SRTT 0 ms RTTO 51964 ms RTV 34464 ms minRTT 0 ms BGP neighbor is 111 111 111 112 remote AS 300 external link ...

Page 528: ...ed 0 dampened 1 Number of updates pending 0 withdrawals pending 0 Route map for incoming advertisements is metric Connections established 10 dropped 9 Last reset 00 17 05 due to BGP Notification sent Cease Error Connection state is ESTAB Local host 111 111 111 111 Local port 179 Foreign host 111 111 111 112 Foreign port 32832 iss 0 snduna 0 sndnxt 0 sndwnd 2 irs 0 rcvnxt 0 rcvwnd 0 SRTT 0 ms RTTO ...

Page 529: ...t is required for changes to the routing policy for a specific peer such as route maps distribute lists prefix lists and filter lists that affect the inbound updates An outbound soft reset is required for the policy changes affecting outbound updates When soft reset is used to send a new set of updates to a neighbor it is called outbound soft reset For this type of reset the connection is not rese...

Page 530: ...ally have higher memory overhead since additional routing information needs to be stored The router needs to be configured to store the routing information it needs for this kind of inbound soft reset as shown below The clear ip bgp command can be used to initiate a soft reset which will generate a new set of inbound BGP table updates based on the stored information Command in SUM Description clea...

Page 531: ...TO RESET A ROUTER USING BGP OUTBOUND SOFT RESET To perform an outbound soft reset no pre configuration is required Enter this command in the Super User Mode and Configuration Mode as follows Command in SUM Description clear ip bgp neighbor address peer group name soft out Performs an outbound soft reset on the connection specified in the command ...

Page 532: ...CAL BGP EXAMPLE USING OA 700 Figure 6 BGP Configuration Scenario ROUTER A hostname RouterA interface Serial0 0 0 ip address 10 10 1 6 30 encapsulation ppp interface GigabitEthernet7 0 ip address 10 1 1 1 24 router bgp 1 neighbor 10 10 1 5 remote as 3 address family ipv4 unicast network 10 1 1 0 24 neighbor 10 10 1 5 activate ...

Page 533: ...dress 10 2 1 1 24 router bgp 2 neighbor 10 10 1 9 remote as 3 address family ipv4 unicast network 10 2 1 0 24 neighbor 10 10 1 9 activate ROUTER C hostname RouterC interface Serial0 0 0 ip address 10 1 1 5 30 encapsulation ppp interface Serial0 1 0 ip address 10 1 1 9 30 encapsulation ppp interface GigabitEthernet7 0 ip address 10 3 1 1 24 router bgp 3 neighbor 10 10 1 6 remote as 1 neighbor 10 10...

Page 535: ... chapter includes the following sections OSPF Overview OSPF Configuration OSPF Configuration on OA 700 The OSPF Overview section serves as an additional information for Open Shortest Path First Protocol You can skip this section and directly go to the configuration section of this chapter CHAPTER CONVENTIONS Acronym Description ABR Area Border Router ASBR Autonomous System Border Router CM Configu...

Page 536: ...g and receiving packets using IP multicast are also supported in OSPF Using OSPF a host that obtains a change to a routing table or detects a change in the network immediately multicasts the information to all other hosts in the network so that all will have the same routing table information Unlike RIP in which the entire routing table is sent the host using OSPF sends only the part that has chan...

Page 537: ...PF Step 6 describes other important but optional configuration commands for OSPF Step 1 Configure an interface Enter Interface Configuration Mode ALU config interface name Example ALU config interface GigabitEthernet7 0 ALU config if GigabitEthernet7 0 Note OSPF can be configured on GigabitEthernet Serial Tunnel VLAN Loopback interfaces Step 2 Administratively bring up the interface ALU config if ...

Page 538: ...onfigure OSPF Interface Parameters See To Configure OSPF Interface Parameters LSA Group Pacing See LSA Group Pacing Configure OSPF for Non broadcast Networks See To Configure OSPF for Non broadcast Networks Configure Route Summarization See To Configure Route Summarization Generate a Default Route See To Generate a Default Route Control Default Metrics See To Control Default Metrics Configure OSPF...

Page 539: ...OSPF CONFIGURATION FLOW Figure 7 OSPF Configuration Flow ...

Page 540: ...ify the range of IP addresses to be associated with the routing process and assign area IDs to be associated with that range of IP addresses Use the following commands for this purpose EXAMPLE ALU config router ospf 1 ALU config router ospf 1 TO CONFIGURE OSPF NETWORK Specify the interfaces on which to run OSPF and their areas with the network area command This command is flexible reflecting the f...

Page 541: ...a Information about external routes are not sent to the stub areas Instead a default external route is generated by the ABR to provide information to the stub areas regarding the destinations outside the autonomous system To take advantage of the OSPF stub area support default routing must be used in the stub area To further reduce the number of LSAs sent to a stub area configure the no summary ke...

Page 542: ...ssage digest Enables authentication for an OSPF area Use message digest keyword to enable MD5 authentication The default authentication is Plain Text authentication no area 0 4294967295 ip address authentication message digest Disables authentication for an OSPF area Command in RCM Description area 0 4294967295 ip address default cost 0 16777215 Assigns a specific cost to the default summary route...

Page 543: ...ted during the translation To specify area parameters to configure OSPF NSSA enter the following command You can set a type 7 default route that can be used to reach external destinations When configured the router generates a type 7 default route into the NSSA Every router within the same area must agree that the area is NSSA otherwise the routers will not form adjacency EXAMPLE ALU config router...

Page 544: ...configured as a stub as it forms the backbone of the network EXAMPLE ALU config router ospf 1 area 1 stub no summary Command in RCM Description area 0 4294967295 ip address range ip address subnet mask ip address prefix length not advertise Specifies an address range for which a single route will be advertised If not advertise keyword is used the Type 3 summary LSA is suppressed and the networks r...

Page 545: ...through stub areas To display information about virtual links use the show ip ospf virtual links command To display the router ID of an OSPF router use the show ip ospf command EXAMPLE ALU config router ospf 1 area 1 virtual link 202 202 202 5 Command in RCM Description area 0 4294967295 ip address virtual link router id authentication message digest null hello interval retransmit interval retrans...

Page 546: ...y the ip ospf cost command overrides the cost resulting from the auto cost command ip ospf retransmit interval 1 65535 Specifies the time in seconds between LSA retransmissions for adjacencies belonging to an OSPF interface The default retransmit interval is 5 seconds ip ospf transmit delay 1 65535 Sets the estimated time in seconds required to send a link state update packet on an OSPF interface ...

Page 547: ...itEthernet7 0 ip ospf priority 2 ALU config if GigabitEthernet7 0 ip ospf hello interval 20 ALU config if GigabitEthernet7 0 ip ospf dead interval 50 ALU config if GigabitEthernet7 0 ip ospf mtu ignore ALU config if GigabitEthernet7 0 ip ospf database filter all out ip ospf mtu ignore Disables detection of OSPF MTU mismatch in Database Description Packets By default MTU mismatch detection is enabl...

Page 548: ...fig if GigabitEthernet7 0 ip ospf message digest key 100 md5 passwordline Command in ICM Description ip ospf authentication message digest null This command is used to enable authentication for OSPF Use message digest keyword to enable MD5 authentication The default authentication mode is Plain Text authentication If null keyword is used then no authentication is used It is used to override authen...

Page 549: ...ctions Group pacing results in more efficient use of the router Group pacing avoids sudden increases in the CPU usage and network resources This feature is most beneficial to large OSPF networks By default the OSPF LSA group pacing is enabled Original LSA Behavior Each OSPF LSA has an age which indicates the validity of the LSA Once LSA reaches the maximum age 1 hour it is discarded During the agi...

Page 550: ...checksumming and aging EXAMPLE ALU config router ospf 1 timers lsa group pacing 100 TO REDUCE LSA FLOODING By design OSPF requires LSAs to be refreshed as they expire after 3600 seconds Some implementations have tried to improve the flooding by reducing the frequency to refresh from 30 minutes to about 50 minutes This solution reduces the amount of refresh traffic but requires at least one refresh...

Page 551: ...e nonbroadcast neighbor associated with the IP address specified The default is 0 Poll Interval The router sends unicast hello packets every poll interval to the neighbor from which hello packets have not been received within the dead interval Cost Assigns a cost to the neighbor Neighbors with no specific cost configured will assume the cost of the interface Database filter all Filters the outgoin...

Page 552: ...ddress into their areas When routes from other protocols are redistributed into OSPF each route is advertised individually in an external LSA However you can configure OA 700 to advertise a single route for all the redistributed routes that are covered by a specified network address and mask This helps decrease the size of the OSPF link state database To advertise one summary route for all redistr...

Page 553: ...rce the ASBR to generate a default route enter the following command EXAMPLE ALU config router ospf 1 default information originate always metric 100 TO CONFIGURE REDISTRIBUTION EXAMPLE ALU config router ospf 1 redistribute static metric 19 metric type 1 Command in RCM Description default information originate always metric 0 16777214 metric type 1 2 route map route map name Forces the autonomous ...

Page 554: ...determined by the bandwidth interface configuration command If you have multiple links with high bandwidth you might want to specify a larger number to differentiate the cost on those links To do so enter the following command EXAMPLE ALU config router ospf 1 auto cost reference bandwidth 100 Command in RCM Description auto cost reference bandwidth 1 4294967 This command is used to calculate the i...

Page 555: ...m another routing domain learned via redistribution are external The default distance for each type of route is 110 To change any of the OSPF distance values enter the following command Distance ospf command is used when we have multiple OSPF instance and we want prefer routes of one OSPF instance over routes of other instance EXAMPLE ALU config router ospf 1 distance 60 10 0 0 0 8 ALU config rout...

Page 556: ...er ospf 1 no log adjacency changes Command in RCM Description timers spf 0 65535 0 65535 Configures the delay time and hold time for Shortest Path First SPF calculation spf delay Delay time in seconds between when OSPF receives a topology change and when it starts an SPF calculation The default time is 5 seconds A value of 0 means that there is no delay that is the SPF calculation starts immediate...

Page 557: ...d used to calculate summary route costs has changed Use the no compatible rfc1583 command to enable the calculation method used per RFC 2328 EXAMPLE ALU config router ospf 1 compatible rfc1583 TO CONFIGURE DEFAULT METRIC EXAMPLE ALU config router ospf 30 default metric 60000 Command in RCM Description alt abr cisco ibm This command enables OSPF router behavior specified in RFC 3509 By default OSPF...

Page 558: ... ROUTER ID EXAMPLE ALU config router ospf 30 router id 35 0 0 1 TO VIEW OSPF RUNNING CONFIGURATION EXAMPLE ALU config router ospf 30 write ospf Command in RCM Description router id ip address This command configures the OSPF router ID Command in RCM Description write ospf This command is used to view the OSPF running configuration ...

Page 559: ... may not reach a neighbor in the first attempt OSPF protocol adds those packets in re transmission lists To view list of LSAs waiting to be flooded over a specified interface use the following command EXAMPLE ALU show ip ospf flood list OSPF Router with ID 1 1 1 2 Process ID 1 Interface GigabitEthernet 7 0 Queue length 1 Type LS ID ADV RTR Seq NO Age Checksum 1 1 1 1 2 1 1 1 2 0x8000001D 0 0x04EA A...

Page 560: ...o the OSPF database show ip ospf 1 65535 flood list GigabitEthernet Serial slot port Loopback 0 14487 Displays a list of LSAs waiting to be flooded over an interface show ip ospf 1 65535 interface GigabitEthernet Serial slot port Loopback 0 14487 statistics Displays OSPF related interface information show ip ospf 1 65535 neighbor neighbor router id GigabitEthernet Serial slot port Loopback 0 14487...

Page 561: ... 2 normal 0 stub 0 nssa Full neighbors 2 External flood list length 0 Area BACKBONE 0 Number of interfaces in this area is 1 Area has message digest authentication SPF algorithm executed 36 times Area ranges are Number of LSA 6 Checksum Sum 0x35E53 Number of opaque link LSA 0 Checksum Sum 0x0 Flood list length 0 Area 1 Number of interfaces in this area is 1 Area has no authentication SPF algorithm...

Page 562: ... 1 2 96 0x80000019 0xF2F0 1 6 6 6 6 6 6 6 6 2430 0x80000008 0xC20B 1 Net Link States Area 0 Link ID ADV Router Age Seq Checksum 2 2 2 1 6 6 6 6 2430 0x80000006 0xB91F 1 1 1 2 1 1 1 2 1121 0x80000004 0xBD46 Summary Net Link States Area 0 Link ID ADV Router Age Seq Checksum 2 2 2 0 1 1 1 2 96 0x80000002 0x43CC Router Link States Area 1 Link ID ADV Router Age Seq Checksum Link count 1 1 1 2 1 1 1 2 1...

Page 563: ...1 1 2 24 Area 0 Process ID 1 Router ID 1 1 1 2 Network Type BROADCAST Cost 1 Transmit Delay is 1 sec State DR Priority 1 Designated Router ID 1 1 1 2 Intf address 1 1 1 2 Backup Designated router ID 1 1 1 1 Intf address 1 1 1 1 Timer intervals configured Hello 10 Dead 40 Wait 40 Retransmit 5 Hello due in 00 00 03 Neighbor Count is 1 Adjacent neighbor count is 1 Adjacent with neighbor 1 1 1 1 Backu...

Page 564: ...igest authentication enabled ALU ALU show ip ospf interface statistics GigabitEthernet7 0 Internet Address 1 1 1 2 24 ProcessID 1 Area 0 Hello Packets Received 516 Hello Packets Sent 508 Database Description Packets Received 11 Database Description Packets Sent 9 LS Request Packets Received 1 LS Request Packets Sent 2 LS Update Packets Received 22 LS Update Packets Sent 11 LS Acknowledgment Packet...

Page 565: ...1 FULL DR 00 00 35 2 2 2 1 GigabitEthernet7 1 ALU ALU show ip ospf neighbor detail Neighbor 1 1 1 1 interface address 1 1 1 1 In the area 0 via interface GigabitEthernet7 0 Neighbor priority is 1 State is FULL 19 state changes DR is 1 1 1 2 BDR is 1 1 1 1 Options is 0x42 Dead timer due in 00 00 31 Neighbor is up for 00 49 28 retransmission queue length 0 number of retransmissions 1 Neighbor 6 6 6 ...

Page 566: ...rface process Interface Process Table Interface Attached Process Waiting Process GigabitEthernet7 0 20 GigabitEthernet7 0 20 loopback 9 loopback1 Ex 9 ALU show ip ospf request list OSPF Router with ID 1 1 1 2 Process ID 1 Neighbor 6 6 6 6 interface GigabitEthernet 7 1 address 2 2 2 2 Type LS ID ADV RTR Seq NO Age Checksum 1280 192 175 142 0 1 1 1 1 0x80000003 774 0x9FFB 1280 192 175 206 0 1 1 1 1 ...

Page 567: ...rnet 7 1 address 2 2 2 2 Link state retransmission due in 0 sec Queue length 1 Type LS ID ADV RTR Seq NO Age Checksum 3 1 1 1 0 1 1 1 2 0x80000001 2 0x69AA ALU Ex 11 ALU show ip ospf route OSPF Router with ID 1 1 1 2 Process ID 1 Dest Mask Type Adv Rtr Cost Area tag NextHop 2 0 0 0 8 Summ 1 1 1 2 20 0 0 0 0 0 1 1 1 0 24 Ext 2 0 0 0 0 20 0 1 1 1 2 2 0 0 0 8 Summ 1 1 1 2 20 0 0 0 0 0 2 2 2 0 24 Ext ...

Page 568: ...intervals configured Hello 10 Dead 40 Wait 40 Retransmit 5 Hello due in 00 00 04 Adjacency state FULL Retransmission queue length 2 number of retransmission 0 ALU CLEAR COMMANDS IN OSPF TO RESTART AN OSPF PROCESS To restart an OSPF process use the following command Command in SUM Description clear ip ospf 1 65535 process redistribution counters neighbor neighbor id interface name interface statist...

Page 569: ... OSPF CONFIGURATION ON OA 700 EXAMPLE 1 Figure 8 OSPF Configuration Scenario ROUTER A hostname RouterA interface Serial0 0 0 ip address 10 1 1 9 30 encapsulation ppp interface GigabitEthernet7 0 ip address 10 5 1 1 24 router ospf 1 log adjacency changes network 10 1 1 0 24 area 0 network 10 5 0 0 16 area 5 ...

Page 570: ...gabitEthernet7 0 ip address 10 5 1 2 24 router ospf 1 log adjacency changes network 10 1 1 0 24 area 0 network 10 5 0 0 16 area 5 ROUTER C hostname RouterC interface Serial0 0 0 ip address 10 1 1 6 30 encapsulation ppp interface GigabitEthernet7 0 ip address 10 8 1 1 24 interface GigabitEthernet7 1 ip address 10 8 2 1 24 shutdown router ospf 1 log adjacency changes network 10 1 1 0 24 area 0 netwo...

Page 571: ...st Overview PIM Configuration IGMP Configuration Multicast Configuration on OA 700 The Multicast Overview section serves as additional information on the Routing Information Protocol You can skip this section and go directly to the configuration section of this chapter CHAPTER CONVENTIONS Acronym Description CM Configuration Mode ALU config ICM Interface Configuration Mode ALU config interface ...

Page 572: ...a to the RP When a receiver wants to receive data the last hop router with respect to the receiver registers with the RP A data stream then can flow from the sender to the RP and to the receiver Routers in the path optimize the path and automatically remove any unnecessary hops even at the rendezvous point Protocol Overview PIM SM is a multicast routing protocol that can use the underlying unicast...

Page 573: ...ts from source RP sends join message towards source and this forms source specific Shortest Path Tree SPT This is to reduce the encapsulation and decapsulation overhead For many receivers the route to source via the RP may not be shortest To obtain lower latencies the router on the receiver LAN joins the SPT once it receives some packets over RPTree This is called switching to SPT from RPT INTERNET GROUP M...

Page 574: ...ched network When a host joins a multicast group it transmits an IGMPv2 report message The host sends this report 2 3 times to avoid the membership report being lost An IGMPv2 host sends a group leave message before leaving the group When a Querier receives a Leave Group message for a group that has group members on the reception interface it sends Last Member Query Count Group Specific Queries every Last Member Query Int...

Page 575: ...rface GigabitEthernet3 0 ALU config if GigabitEthernet3 0 Note PIM can be configured on Layer 3 interfaces Step 2 Administratively bring up the interface ALU config if interface name no shutdown Example ALU config if GigabitEthernet3 0 no shutdown Step 3 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config...

Page 576: ...re PIM Interface Parameters See To Configure PIM Interface Parameters Configure message interval for PIM See To Configure Message Interval Configure Source tree Switching Threshold See To Configure Source tree Switching Threshold Configure PIM as BSR See To Configure PIM as BSR Configure RP candidate priority See To Configure RP Candidate Priority Step 8 View PIM configuration See Show Commands in...

Page 577: ... PIM CONFIGURATION FLOW Figure 9 PIM Configuration Flow ...

Page 578: ...LU config ip multicast routing TO ENABLE PIM ON AN INTERFACE EXAMPLE ALU config if GigabitEthernet3 0 ip pim sparse mode Command in CM Description ip multicast routing This command enables multicast routing and forwarding on OA 700 Multicast routing is disabled by default Command in ICM Description ip pim sparse mode Enter this command in the Interface Configuration Mode This command is used to en...

Page 579: ...P address for a multicast group Command in CM Description ip pim rp address ip address override This command is used to configure the RP router address for all multicast groups Override keyword can be used to give preference to static RP over dynamic RP Command in CM Description ip pim rp candidate interface name group list access list name 1 99 This command is used to configure the PIM router as ...

Page 580: ...s only enabled when all neighbors on an interface advertise they are capable of using DR priority option DR is responsible for sending register packets to RP Command in ICM Description ip pim dr priority 0 4294967294 Specifies PIM router DR priority on an interface This DR priority is used in the DR election algorithm Default DR priority is 1 ip pim query interval 0 65535 PIM router sends periodic...

Page 581: ...used to configure the policy to control switching traffic from shared Tree RPT to Shortest Path Tree SPT EXAMPLE ALU config ip pim spt threshold 100 group list 10 Command in CM Description ip pim message interval 1 65535 PIM router sends periodic join and prune messages on interfaces over which it has at least one neighbor Use this command to configure this interval in seconds The default message ...

Page 582: ...ig ip pim rp candidate priority 10 Command in CM Description ip pim bsr candidate interface name 0 30 0 255 This command is used to configure the PIM router as BSR candidate BSR uses specified interface address 0 30 Indicates the hash length This value is used to select one RP 0 255 Indicates the priority of the BSR router Command in CM Description ip pim rp candidate priority 0 255 This command i...

Page 583: ...ss Interface Ver Nbr Query DR DR Mode Count Intvl Prior 3 3 3 4 GigabitEthernet3 0 v2 S 0 30 1 3 3 3 4 ALU TO VIEW PIM NEIGHBOR INFORMATION EXAMPLE ALU show ip pim neighbor PIM Neighbor Table Neighbor Interface Uptime Expires Ver DR Address Prio Mode 8 8 8 8 Serial0 0 0 00 09 37 00 01 39 v2 1 DR 6 6 6 7 Serial0 1 0 00 09 45 00 01 33 v2 1 DR ALU Command in SUM CM Description show ip pim interface i...

Page 584: ...e 1 1 1 1 via bootstrap Uptime 00 00 32 expires 00 01 58 ALU config ALU config show ip pim rp mapping PIM Group to RP Mappings Group s 225 0 0 0 8 RP 1 1 1 1 v2 Info source 1 1 1 1 via bootstrap priority 0 holdtime 53760 Uptime 00 00 45 expires 14 55 15 Group s 228 0 0 0 8 RP 2 2 2 1 v2 Info source 2 2 2 1 via bootstrap priority 0 holdtime 38400 Uptime 00 03 55 expires 10 39 05 ALU config Command ...

Page 585: ...00 35 seconds ALU config TO VIEW SG STATE INFORMATION EXAMPLE ALU show ip pim state info PIMv2 State information Flags M Nexthop from Mroute T Terminating K KeepAlive Timer Running S SPT bit set 224 1 1 1 JOINED 00 00 55 00 00 05 RP 5 5 5 5 flags Incoming interface GigabitEthernet3 1 RPF neighbor 5 5 5 5 Downstream interface state GigabitEthernet3 0 00 00 55 flags A inherited_olist GigabitEthernet...

Page 586: ...g TO CLEAR IP PIM BSR EXAMPLE ALU clear ip pim bsr Command in SUM CM Description clear ip pim state info group address source address This command clears the PIM SG State information Command in SUM CM Description clear ip pim neighbor interface name neighbor address This command clears the neighbor information on an interface Command in SUM CM Description clear ip pim rp mapping rp address This co...

Page 587: ...e Configuration Mode ALU config interface name Example ALU config interface GigabitEthernet3 0 ALU config if GigabitEthernet3 0 Note IGMP can be configured on Layer 3 interfaces Step 2 Administratively bring up the interface ALU config if interface name no shutdown Example ALU config if GigabitEthernet3 0 no shutdown Step 3 Configure IP address for the interface ALU config if interface name ip add...

Page 588: ...ber query interval See To Configure IGMP Last Member Query Interval Configure querier time out See To Configure IGMP Querier Time out Configure query interval See To Configure IGMP Query Interval Configure query max response time See To Configure IGMP Query Max Response Time Configure IGMP join group See To Join Multicast Group Configure IGMP access group See To Configure IGMP Access Group Step 7 ...

Page 589: ... IGMP CONFIGURATION FLOW Figure 10 IGMP Configuration Flow ...

Page 590: ...onfig ip multicast routing TO ENABLE IGMP ON AN INTERFACE EXAMPLE ALU config if GigabitEthernet3 0 ip pim sparse mode Command in CM Description ip multicast routing This command enables multicast routing and forwarding on OA 700 Multicast routing is disabled by default Command in ICM Description ip pim sparse mode Enter this command in the Interface Configuration Mode This command is used to enabl...

Page 591: ...QUERY INTERVAL When a multicast host leaves a group the host sends an IGMP leave group message To check if this host is the last to leave the group the IGMP router sends an IGMP group specific query message If no reports are received before the configured last member query interval the router assumes that no receiver is interested in this group EXAMPLE ALU config if GigabitEthernet3 0 ip igmp last member...

Page 592: ... General Query on each attached network for which this router is the Querier EXAMPLE ALU config if GigabitEthernet3 0 ip igmp querier timeout 100 Note Make sure that all IGMP routers on the LAN have the same querier time out Otherwise the router with the lower querier time out will always become querier TO CONFIGURE IGMP QUERY INTERVAL EXAMPLE ALU config if GigabitEthernet3 0 ip igmp query interval 100 Command in ICM D...

Page 593: ... if GigabitEthernet3 0 ip igmp join group 226 2 2 2 TO CONFIGURE IGMP ACCESS GROUP EXAMPLE ALU config if GigabitEthernet3 0 ip igmp access group 10 Command in ICM Description ip igmp query max response time 1 25 This command configures the maximum response time in seconds advertised in IGMP queries The default query max response time is 10 seconds Command in ICM Description ip igmp join group grou...

Page 594: ... 2 Router Version 2 Query Interval 125 Querier Timeout 255 Max query response time 10 Last member query count 2 Last member query response time 1000 Access Group set 0 Number of joins on this interface 84 Number of leave message on this interface 7 Querier on this interface 7 7 7 3 Interface DR is 7 7 7 3 Total groups on this interface 1 Group 1 224 1 1 1 Command in SUM CM Description show ip igmp...

Page 595: ...gs Rates Waiting for latest Incoming Interface Serial0 0 0 RPF failures 0 Outgoing Interfaces 1 GigabitEthernet3 0 225 5 5 5 uptime 0 09 37 flags Rates Waiting for latest Incoming Interface GigabitEthernet3 1 RPF failures 0 Outgoing Interfaces 0 TO VIEW IP MULTICAST TRAFFIC STATISTICS EXAMPLE ALU show ip multicast traffic IP Multicast statistics Rcvd 4449 total 838 link local Sent 3334 forwarded 0...

Page 596: ...ST TO CLEAR MULTICAST ROUTING INFORMATION EXAMPLE ALU clear ip mroute TO CLEAR MULTICAST TRAFFIC EXAMPLE ALU clear ip multicast traffic Command in SUM CM Description clear ip mroute This command clears multicast routing information Command in SUM CM Description clear ip multicast traffic This command resets the multicast traffic counters ...

Page 597: ... group 227 7 7 7 and receivers connected to Router R1 are joined to multicast groups 225 5 5 5 and 227 7 7 7 Router R4 is configured as RP for all the multicast groups All the routers have static RP configuration with RP address as 3 3 3 2 OSPF routing is used in this topology to make sure that all routers are reachable Multicast sender for group 225 5 5 5 and 227 7 7 7 is connected to router R6 I...

Page 598: ...cy changes network 8 0 0 0 8 area 0 network 10 91 0 0 16 area 0 ip pim rp address 3 3 3 2 ROUTER 2 CONFIGURATION ip multicast routing interface GigabitEthernet7 0 ip address 1 1 1 2 255 255 255 0 ip pim sparse mode interface Serial0 0 0 ip address 6 6 6 1 255 255 255 0 ip pim sparse mode interface GigabitEthernet7 1 ip address 2 2 2 1 255 255 255 0 ip pim sparse mode router ospf 1 log adjacency ch...

Page 599: ...sparse mode interface Serial0 0 0 ip address 8 8 8 1 24 encapsulation hdlc ip pim sparse mode router ospf 1 log adjacency changes network 2 0 0 0 8 area 0 network 3 0 0 0 8 area 0 network 8 0 0 0 8 area 0 ip pim rp address 3 3 3 2 ROUTER 4 CONFIGURATION ip multicast routing interface GigabitEthernet7 0 ip address 3 3 3 2 255 255 255 0 ip pim sparse mode interface GigabitEthernet7 1 ip address 4 4 ...

Page 600: ...ges network 4 0 0 0 8 area 0 network 5 0 0 0 8 area 0 ip pim rp address 3 3 3 2 ROUTER 6 CONFIGURATION ip multicast routing interface Loopback0 ip address 99 99 99 1 255 255 255 0 interface GigabitEthernet7 0 ip address 5 5 5 1 255 255 255 0 ip pim sparse mode interface Serial0 0 0 ip address 6 6 6 2 255 255 255 0 ip pim sparse mode interface GigabitEthernet7 1 ip address 7 7 7 2 255 255 255 0 ip ...

Page 601: ...00 inherited_olist Serial0 0 0 227 7 7 7 JOINED 00 09 26 00 00 34 RP 3 3 3 2 flags Incoming interface GigabitEthernet7 1 RPF neighbor 3 3 3 2 Downstream interface state GigabitEthernet7 0 00 09 26 flags G JOIN ET 00 03 02 PPT 00 00 00 Serial0 0 0 00 00 16 flags G JOIN ET 00 03 14 PPT 00 00 00 inherited_olist GigabitEthernet7 0 Serial0 0 0 R3 config R3 config show ip mroute IP Multicast Forwarding ...

Page 602: ...Prio Mode 2 2 2 1 GigabitEthernet7 0 02 59 10 00 01 33 v2 1 Not DR 3 3 3 2 GigabitEthernet7 1 02 58 43 00 01 30 v2 1 DR 8 8 8 2 Serial0 0 0 00 02 36 00 01 44 v2 1 DR R3 config R3 config show ip pim interface Address Interface Ver Nbr Query DR DR Mode Count Intvl Prior 2 2 2 2 GigabitEthernet7 0 v2 S 1 30 1 2 2 2 2 3 3 3 1 GigabitEthernet7 1 v2 S 1 30 1 3 3 3 2 8 8 8 1 Serial0 0 0 v2 S 1 30 1 8 8 8...

Page 603: ...fault values refer to the OmniAccess 700 CLI Command Reference Guide This chapter includes the following sections PBR Overview PBR Configuration PBR Configuration Example The PBR Overview section serves as additional information on PBR You can skip this section and go directly to the configuration section of this chapter CHAPTER CONVENTIONS Acronym Description PBR Policy Based Routing CM Co...

Page 604: ...g PBR customers can implement policies that selectively cause packets to take different paths PBR provides the ability to route traffic based on attributes other than the destination IP address Attributes like source IP address protocol type can be used to define policies and apply them to an interface ALCATEL LUCENT SPECIFIC OVERVIEW OA 700 supports PBR that allows routing of packets based on pol...

Page 605: ...p 2 Configure an IP policy See To Configure an IP Policy Configure a Rule inside an IP policy See To Configure a Rule for an IP Policy Attach an IP Policy to an Interface Step 3 Enter into Interface Configuration Mode ALU config interface name Example ALU config interface GigabitEthernet3 0 ALU config if GigabitEthernet3 0 Note IP policy can be configured on any interface Step 4 Administratively b...

Page 606: ... Step 6 Attach the configured IP policy to an appropriate interface See To Attach Detach an IP Policy to an Interface Note An interface can have only one IP policy applied on it at any time Step 7 Use the show commands to view PBR configuration See Show Commands in PBR ...

Page 607: ... PBR CONFIGURATION FLOW Figure 12 PBR Configuration Flow ...

Page 608: ...ath of the packet The for us keyword redirects the packet to the management plane of the OA 700 Only one of next hop and or interface or for us shall be in effect at any time If the interface and next hop are specified together then the packet shall be forwarded to the specified next hop on the specified interface Note When the interface option is chosen as Ethernet VLAN it is mandatory to specify...

Page 609: ...icy CM Description 1 65535 match all any match list name not match list name for us interface interface name next hop ip address next hop ip address This command is used to configure rules associate match lists and set priority for the rule for an IP policy The range for the rule number is 1 65535 This rule number signifies the priority of a rule By default the numbering pattern for rule number is...

Page 610: ...br1 is attached to the GigabitEthernet3 1 the following command detaches it from the interface ALU config interface GigabitEthernet3 1 ALU config if GigabitEthernet3 1 no ip policy pbr1 Command in ICM Description ip policy ip policy name This command is used to attach an IP policy to an interface Note An interface can have only one IP policy applied on it at any time Transparent forwarding command...

Page 611: ...d by best effort IP forwarding ip policy pbr1 PBR 0 Drop 0 0 hits on 1 match any m1 next hop 1 1 1 1 Command in SUM CM Description show ip policy name This command is used to view all the IP policies configured in the system This command is also used to view the details of a specific IP policy This command also displays interfaces on which these policies are applied Command in SUM CM Description s...

Page 612: ...MANDS TO CLEAR IP POLICY STATISTICS EXAMPLE ALU config clear ip policy statistics Command in SUM CM Description clear ip policy statistics ip policy name This command clears the statistics of all the IP policies configured in the system If a policy name is specified then the statistics for the specified IP policy are cleared ...

Page 613: ...ace Detailed Steps Step 1 Create a match list for finance department and engineering department ALU config match list fin dept ALU config match list fin dept 10 ip prefix 10 1 1 0 24 any ALU config match list fin dept exit ALU config match list engg dept ALU config match list engg dept 10 ip prefix 10 1 2 0 24 any ALU config match list engg dept exit ALU config Step 2 Create a routing policy to ro...

Page 614: ...ANDS Verify the IP policy configuration by using the following show command ALU config show ip policy xyz corporate policy IP Policy configuration ip policy xyz corporate policy 10 match any fin dept next hop 203 121 10 1 20 match any engg dept next hop 150 23 221 50 exit interface Vlan10 ip policy xyz corporate policy exit ...

Page 615: ...addresses can be overlapped among the VPNs VRF CE uses input interfaces to distinguish routes for different VPNs and forms virtual packet forwarding tables by associating one or more Layer 3 interfaces with each VRF A Layer 3 interface can belong to only one VRF at any time Interfaces in a VRF can be either physical or logical such as VLANs This chapter includes the following sections VRF CE Overv...

Page 616: ... CHAPTER CONVENTIONS Acronym Description VRF CE Virtual Routing and Forwarding Customer Edge CM Configuration Mode ALU config ICM Interface Configuration Mode ALU config interface name RCM Router Configuration Mode ALU config router OSPF Open Shortest Path First BGP Border Gateway Protocol RIP Routing Information Protocol ...

Page 617: ...nels could be either Layer 2 circuits such as frame relay PVCs or ATM PVCs or Layer 3 tunneling protocols such as GRE IP IP IPSec L2TP etc Figure below depicts the possible deployment scenarios using VRF CE It shows three VPN networks Orange Green and Blue Each VPN has three sites 1 2 and 3 Orange VPN Site 1 connects to a non VRF aware router at site 2 Orange VPN Site 1 connects to a VRF aware rou...

Page 618: ...fault VRF is similar to any other VRF in the system with one minor difference The default VRF is always present and you cannot modify delete this VRF All interfaces and services are initially associated with the default VRF Notes A VRF CE system is shared by multiple customers and all the customers have their own routing tables Since multiple VPNs can connect to the same VRF CE system they all can...

Page 619: ...protocols in VRF To configure static route in a VRF See To Configure Static Route in a VRF And Or To configure OSPF routing in a VRF See To Configure OSPF in a VRF And Or To configure BGP routing in a VRF See To Configure BGP in a VRF And Or To configure RIP routing in a VRF See To Configure RIP in a VRF Step 3 Configure Static ARP in VRF See To Configure Static ARP in VRF Optional Associate VRF t...

Page 620: ...ured on the interface is removed when this command is executed Step 7 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config if GigabitEthernet7 0 ip address 20 20 20 20 24 Step 8 Using Management Utilities in a VRF See Using Management Utilities in a VRF Optional Step 9 System Monitoring Commands in VRF See...

Page 621: ... VRF CE CONFIGURATION FLOW Figure 15 VRF CE Configuration Flow ...

Page 622: ...Note Maximum number of VRFs supported is 64 TO CONFIGURE DESCRIPTION FOR A VRF EXAMPLE ALU config vrf description ALU routing Command in CM Description ip vrf vrf name This command is used to configure a VRF This enters the VRF Configuration Mode no ip vrf vrf name This command deletes the configured VRF All routing protocol configuration within the VRF is removed Command in VRF CM Description des...

Page 623: ... 1 1 1 0 24 2 2 2 2 TO CONFIGURE OSPF IN A VRF Supports 30 OSPF instances per system EXAMPLE ALU config router ospf 1 vrf ALU vrf ALU config router ospf 1 Command in CM Description ip route vrf vrf name destination network subnet mask destination network prefix length gateway ip address interface name gateway ip address 1 255 This command adds a static routing entry into the specified VRF routing ...

Page 624: ...commands will apply to the default VRF 3 There is no change in the syntax of the existing BGP commands Only those affected by VRF CE are listed in this document EXAMPLE ALU config router bgp 30 ALU config router bgp AS30 address family ipv4 unicast vrf ALU_vrf ALU config router af ucast Command in RCM Description address family ipv4 unicast vrf vrf name Enter this command in the BGP Routing Config...

Page 625: ... in the address family mode will apply to the VRF if the address family is associated with the VRF 3 There is no change in the syntax of the existing RIP commands Only those affected by VRF CE are listed in this document EXAMPLE ALU config router rip ALU config router rip address family ipv4 unicast vrf ALU_vrf Command in RCM Description address family ipv4 unicast vrf vrf name Enter this command ...

Page 626: ... arp vrf vrf name ip address hardware address This command adds a static ARP entry If the VRF name is specified then the ARP entry is added to the specified VRF else it is added to the default VRF clear arp cache vrf vrf name Clears the ARP cache If the VRF name is specified it clears the ARP cache for the specified VRF show arp vrf vrf name This command displays the ARP entries in the specified V...

Page 627: ...rrors Req Resp recvd without Mac on interface 0 Req not sent because of no IP Address 0 Req not sent becuase of no MAC 0 Resp received without req 0 TO ASSOCIATE A VRF TO AN INTERFACE EXAMPLE ALU config if GigabitEthernet3 0 ip vrf forwarding ALU vrf Command in ICM Description ip vrf forwarding vrf name Enter this command in the Interface Configuration Mode This command is used to associate a VRF ...

Page 628: ... vrf vrf name ip address hostname Telnet command is used for logging into a remote system specified by the address If the VRF name is specified the packets will be routed using the routing table of the specified VRF on an interface associated with the VRF ssh vrf vrf name ip address hostname user name version 1 2 SSH command is used for logging into a remote system specified by the address If the V...

Page 629: ...led 0 no route ICMP statistics Rcvd 5 total 0 errors 0 dst unreach 0 time exceed 0 param probs 0 source quench 0 redirects 0 echo req 5 echo rpy 0 timestamp req 0 timestamp rpy 0 addr mask req 0 addr mask rpy Sent 10 total 0 errors 0 dst unreach 0 time exceed 0 param probs 0 source quench 0 redirects 10 echo req 0 echo rpy 0 timestamp req 0 timestamp rpy 0 addr mask req 0 addr mask rpy ALU config ...

Page 630: ...ct 0 RIB Connected 0 Total leaves 12 Level 0 1 Level 1 4 Level 2 4 Level 3 3 Total branches 12 LB nodes 0 For Us adj 8 Connected rtes 2 Memory used 12760 IP FIB table statistics Leaf creates 47 Leaf deletes 35 Branch create 42 Branch delete 30 Branch extends 41 Branch coalesc 30 System Adjacency Counters Adjacencies 4294967291 Adj reference 106 Adj unrefer 53 Adj Memory 496 ALU config ALU config c...

Page 631: ...interfaces is not set Routing for Networks 4 0 0 0 8 Routing Information Sources Gateway Distance Last Update 4 4 4 1 110 00 05 56 Distance default is 110 Routing Protocol is bgp 100 IGP synchronization is enabled Automatic route summarization is disabled Command in CM Description show ip vrf interfaces vrf name Displays information on the defined VRF instances The interfaces keyword gives the inf...

Page 632: ... 200 local 200 ALU config ALU config show ip route vrf ALU vrf Codes R RIP O OSPF C connected S static M mcstatic B BGP A ASE IA OSPF inter area route E1 OSPF external type 1 route E2 OSPF external type 2 route N1 OSPF NSSA external type 1 route N2 OSPF NSSA external type 2 route candidate default route Gateway of last resort is not set 1 0 0 0 is variably subnetted 2 subnets 2 masks B 1 0 0 0 8 2...

Page 633: ...lays the routes that are permitted by the BGP community list If the VRF name is specified it displays the routes that are permitted by the BGP community list for the specified VRF show ip bgp flap statistics vrf vrf name This command displays the flap statistics of BGP routes If the VRF name is specified it displays the flap statistics of BGP routes for the specified VRF show ip bgp neighbors vrf ...

Page 634: ...ty list vrf v1 1 BGP local router ID is 25 0 0 1 Status codes s suppressed d damped h history valid best i internal Origin codes i IGP e EGP incomplete Prefix len Next Hop Metric LocPref Weight Path 140 100 1 0 24 40 0 0 1 1000 50 0 10i ALU config show ip bgp flap statistics vrf v1 BGP local router ID is 200 1 1 1 Status codes s suppressed d damped h history valid best i internal Origin codes i IG...

Page 635: ...Unicast advertised and received Received 26 messages 0 notifications 0 in queue Sent 19 messages 0 notifications 0 in queue Minimum time between advertisement runs is 30 seconds For Address Family IPv4 Unicast Route refresh request received 0 sent 0 Number of Unicast prefixes received 1 Prefixes advertised 1 accepted 1 filtered 0 dampened 1 Number of updates pending 0 withdrawals pending 0 Connect...

Page 636: ... 45000 SND SSTHRESH 2147483647 RCV SSTHRESH 5840 ADV MSS 1460 REORDERING 3 ALU config show ip bgp peer group ALU config clear ip bgp vrf v1 10 VRF CLEAR COMMANDS EXAMPLE ALU config clear ip route vrf ALU vrf Command in CM Description clear ip route vrf vrf name Clears the IP routing table If the VRF name is specified it clears the IP routing table for the specified VRF ...

Page 639: ...For instructions on using the NAT commands and descriptions on each of their parameters refer to the NAT CLI Commands in the OmniAccess 700 CLI Command Reference Guide This chapter includes the following sections NAT Overview Source NAT Configuration Destination NAT Configuration CHAPTER CONVENTIONS Acronym Description UM User Mode ALU SUM Super User Mode ALU CM Configuration Mode ALU config ICM I...

Page 640: ...ensively and efficiently As a fringe benefit NAT automatically hides internal IP addresses and hence offers protection from exposing hosts on the private network to the Internet Refer to the following section for more details on NAT Types of NAT Benefits of NAT Before You Configure NAT Alcatel Lucent Specific Overview TYPES OF NAT This section describes the following types of NAT Network Address Port Tra...

Page 641: ...ic circumstances Static NAT also called inbound mapping allows external devices to initiate connections to computers on the private domain Note In case of a firewall being used in conjunction with Static NAT a filter or policy on the firewall must exist for each address map to allow inbound traffic DYNAMIC NAT Allow hosts on the private network to start conversation to the external network with th...

Page 642: ... be configured on an internal or external interface 2 You should also be sure that you have a basic understanding of the IP protocol port numbers host address mapping specifically you should know how to configure dynamic NATs 3 Configure the common classifiers to decide on the match list Refer to the Common Classifiers of this guide to configure the match lists ALCATEL LUCENT SPECIFIC OVERVIEW In ...

Page 643: ...l which interacts with the external world For the hosts behind the firewall to interact with the external world the local network s IP addresses have to be substituted with that of the firewall With this target the firewall will automatically SNAT and De SNAT the packets hence making it possible to make connections from the LAN to the Internet Refer to the following section to configure SNAT on your ...

Page 644: ...eters Configure SNAT with host IP address See To Configure SNAT with Host IP Address Configure address pool See To Configure SNAT with an IP Address Pool Configure port range See To Configure SNAT with Port Range Configure Static SNAT See To Configure Static SNAT Reorder the rules in the match list for the configured SNAT See To Reorder the Rules in SNAT Attach configured SNAT to an Interface Step...

Page 645: ...me ip address ip address subnet mask ip address prefix length Example ALU config if GigabitEthernet7 0 ip address 20 20 20 20 24 Step 8 Attach the configured SNATs to appropriate interfaces as per the desired direction i e either IN OUT See To Attach a NAT Policy to an Interface Step 9 Turn On Turn Off the statistics on an Interface To Turn On Off Statistics on an Interface Optional Step 10 View N...

Page 646: ... SNAT CONFIGURATION FLOW Figure 16 SNAT Configuration Flow ...

Page 647: ...ore than one match list within a firewall policy add multiple rules with different match lists 2 When you configure a SNAT without any IP address the address used for natting is taken as the IP address of the interface to which the NAT policy is bound EXAMPLE ALU config nat N1 10 match m1 source nat Command in CM Description ip nat nat policy name This command is used to configure a NAT policy Thi...

Page 648: ...policy on the interface EXAMPLE ALU config nat N1 match m1 source nat pool l1 Command in NCM Description 1 65535 match all any match list name source nat host ip address host name port range 2048 65535 2048 65535 static This command is used to configure a SNAT with host IP address Note If no address is configured the IP address of the egress interface on which the NAT policy is applied will be use...

Page 649: ...n 1 65535 match all any match list name source nat port range 2048 65535 2048 65535 This command is used to configure SNAT with a port range Note If no port range is specified a default port range of 2048 65535 is used Command in NCM Description 1 65535 match all any match list name source nat static This command is used to configure a static SNAT that uses one to one address mapping without port ...

Page 650: ...n Also the line numbers can be seen only in the show command Note Refer to the Updations section to know more on the change and renumber keywords EXAMPLE ALU config nat N1 renumber ALU config nat N1 change 10 20 Command in NCM Description renumber Use this command to generate a numbering scheme for the SNAT rules configured change 1 65535 1 65535 Use this command to change the priority order of a ...

Page 651: ...ny any type ftp ALU config exit ALU config ip filter f1 ALU config filter f1 match m1 deny ALU config exit ALU config ip nat n1 ALU config nat n1 match m1 source nat ALU config exit ALU config interface GigabitEthernet 7 0 ALU config if GigabitEthernet7 0 ip filter in f1 ALU config if GigabitEthernet7 0 ip nat out n1 Command in ICM Description ip nat in out nat policy name Enter this command in th...

Page 652: ...U config if GigabitEthernet7 0 ip nat statistics out ALU config interface GigabitEthernet7 0 ALU config if GigabitEthernet7 0 no ip nat statistics out Command in ICM Description ip nat statistics in out both This command turns on statistics for a given interface By default the NAT statistics on an interface is turned off no ip nat statistics in out both This command turns off the statistics for a ...

Page 653: ... 1 1 1 any type ftp ip nat n1 match m2 source nat host 174 35 8 1 static match m1 source nat pool p1 interface GigabitEthernet7 0 ip nat out n1 EXAMPLE 2 Single address translation with no port translation list p1 prefix 192 168 56 0 24 match list host1 ip host 10 1 1 1 any type ftp match list host2 ip host 10 1 1 2 any type ftp match list net11 ip prefix 11 1 1 0 24 any type ftp ip nat n2 match h...

Page 654: ...IP. The destination address of the packet is changed and rerouted to the host. For DNAT, you can specify a single internal target to connect the external service requests (such as HTTP) to one or several targets for load balancing. For DNAT, an IP pool or host address must be specified. Refer to the following sections to configure DNAT on your system: DNAT Configuration Steps, DNAT Configuration Flow, DNAT Configu...

Page 655: ...ional parameters Configure port number for DNAT See To Configure Port Number for DNAT Configure Static DNAT See To Configure Static DNAT Reorder the rules in the match list for the configured DNAT See To Reorder the Rules in DNAT Attach configured DNAT to an Interface Step 5 Enter into Interface Configuration Mode ALU config interface name Example ALU config interface GigabitEthernet7 0 ALU config...

Page 656: ...Step 8: Attach the configured DNATs to appropriate interfaces as per the desired direction, i.e. either IN/OUT. See To Attach a NAT Policy to an Interface. Step 9: Turn On/Turn Off the statistics on an Interface. To Turn On Statistics on an Interface (Optional). Step 10: View NAT configuration. See NAT Show Commands ...

Page 657: ...AT Configuration DNAT CONFIGURATION FLOW Figure 17 DNAT Configuration Flow ...

Page 658: ... Command in NCM Description 1 65535 match all any match list name destination nat host ip address host name port 1 65535 pool list name port 1 65535 static This command is used to configure a DNAT with one or more rules associate match lists and set priority for the rule for the configured DNAT The range for the rule number is 1 65535 This rule number signifies the priority of a rule By default th...

Page 659: ...at N2 match m1 destination nat host 192 168 10 91 ALU config nat N2 match m1 destination nat pool l1 TO CONFIGURE PORT NUMBER FOR DNAT EXAMPLE ALU config nat N2 match m1 destination nat host 192 168 10 91 port 100 ALU config nat N2 match m1 destination nat pool l1 port 100 TO CONFIGURE STATIC DNAT EXAMPLE ALU config nat N2 match m1 destination nat pool l1 static Command in NCM Description 1 65535 ...

Page 660: ... and one egress NAT policy Command in NCM Description renumber Use this command to generate a numbering scheme for the DNAT rules configured change 1 65535 1 65535 Use this command to change the priority order of a specific DNAT rule configured Command in ICM Description ip nat in out nat policy name Enter this command in the Interface Configuration Mode This command is used to attach a NAT policy...

Page 661: ... external interface GigabitEthernet7/0 with destination IP address 201.176.18.1 will have that destination address translated to 14.1.1.1 or 14.1.1.2 and destination port translated to 8080. This is used in a typical web server farm load balancing situation. list p1 host 14.1.1.1 host 14.1.1.2 match-list m1 tcp any host 201.176.18.1 service http ip nat N1 10 match M1 destination nat pool p1 match m1...

Page 662: ...BYPASS IPSEC TRAFFIC TO BYPASS THE IPSEC TRAFFIC EXAMPLE ALU config ip nat snat ALU config nat snat match m1 bypass Command in CM Description 1 65535 match all any match list name bypass This command is used in conjunction with the SNAT or DNAT commands to bypass the traffic ...

Page 663: ... nat n1 10 match all m1 source nat TO VIEW NAT STATISTICS EXAMPLE The following example shows detailed statistics for the NAT policy n1 ALU show ip nat statistics n1 ip nat n1 Dropped 0 Bypassed 0 Enqueued 0 10 match any m1 source nat host 1 1 1 1 Translated 0 Bypassed 0 PORTS Allocated 0 Released 0 20 match any m2 source nat host 1 1 1 2 Translated 0 Bypassed 0 PORTS Allocated 0 Released 0 interf...

Page 664: ... The following example shows NAT statistics on a specified interface ALU show ip nat statistics GigabitEthernet7 0 Out ip nat n1 Dropped 0 Bypassed 0 Enqueued 0 10 match any m1 source nat host 1 1 1 1 NATted Packets 0 20 match any m2 source nat host 1 1 1 2 NATted Packets 0 interface GigabitEthernet7 0 out Command in SUM Description show ip nat statistics interface name in out both This command di...

Page 665: ...ters of NAT n1 ALU clear ip nat statistics n1 ALU The following example clears the statistics of the NAT for interface GigabitEthernet7 0 ALU clear ip nat statistics GigabitEthernet7 0 in ALU Command in SUM Description clear ip nat statistics nat policy name This command clears the statistics of a specific NAT policy clear ip nat statistics interface name in out both This command is used to clear ...

Page 666: ...ALU debug firewall nat Command in SUM Description debug firewall session filter nat attack alg intrusion selector saddr ip address daddr ip address protocol number sport number dport number output permanent all detail level This command turns on the debugging functionality for NAT on OA 700 no debug firewall session filter nat attack alg intrusion selector saddr ip address daddr ip address protoco...

Page 667: ...n The following example depicts the way to accomplish this Note Rule numbers are displayed only in show command EXAMPLE Consider the following example for inserting another rule in NAT ip nat N1 10 match m1 source nat pool p1 20 match m2 source nat pool p2 30 match m3 source nat pool p3 interface GigabitEthernet3 0 ip nat out N1 If m4 is the match that has its priority in between m1 and m2 then to...

Page 668: ...mbers of each rule and sets them to the consecutive multiples of 10 EXAMPLE Consider the following example ip nat N1 10 match M1 source nat 20 match M2 source nat 30 match M3 source nat 25 match M4 source nat This generates a numbering scheme without a proper order The output of the show command will be ip nat N1 10 match M1 source nat 20 match M2 source nat 25 match M4 source nat 30 match M3 sour...

Page 669: ...ber position EXAMPLE Consider the following example ip nat N1 10 match M1 source nat 20 match M2 source nat 30 match M3 source nat 40 match M4 source nat In the above sequence if m4 has a priority 40 Use the change keyword to change the priority of m4 ALU config nat N1 change 40 25 To view the NAT configuration after changing the priority use the show command The output appears as shown ip nat N1 ...

Page 670: ...deleting ALU config interface GigabitEthernet7 0 ALU config if GigabitEthernet7 0 no ip nat out nat1 TO ENFORCE DELETION OF NAT GLOBALLY EXAMPLE To force deletion of the NAT N1 ALU config no ip nat N1 force Command in CM Description no ip nat name This command is used to delete a specific NAT policy when it is not attached to any interface Command in CM Description no ip nat name force The force k...

Page 671: ...nat statistics out TO DELETE A NAT RULE EXAMPLE In the example below the component or action corresponding to the rule 30 is deleted ALU config nat N1 no rule 30 Command in ICM Description no ip nat in out nat name This command detaches a NAT policy attached to an interface This command does not delete the NAT policy definition in its entirety It only detaches it from its interface If the command ...

Page 673: ...heir parameters, refer to the Filter and Firewall section in the OmniAccess 700 CLI Command Reference Guide. CHAPTER CONVENTIONS. Acronym: Description. ALG: Application Level Gateway; CLI: Command Line Interface; DoS: Denial of Service; SUM: Super User Mode (ALU); CM: Configuration Mode (ALU config); FCM: Filter Configuration Mode (ALU config filter name); FwCM: Firewall Configuration Mode (ALU config firewall); F PCM: Firewa...

Page 674: ... retrieving information, and the Internet is treated as an untrusted zone. Communication between the trusted and untrusted zones needs to be authorized, controlled, and monitored in effective yet transparent ways, so that malevolent entities do not have access to the information that is privileged and sensitive. Mechanisms that allow administrators to enforce such a regulation are called Firewalls. A fir...

Page 675: ... for they can operate from the application layer to link layer. A common type is a protocol gateway, used to connect networks running different network or application protocols (e.g. TCP/IP, IPX). Because a network gateway can appear at the edge of the network, it is likely to implement related functions like firewalling on the gateway. APPLICATION LEVEL GATEWAY (ALG): An ALG has the capability to conduct str...

Page 676: ... advanced implementation of packet filtering that inspects packets at higher network layers, up to the application layer. Such filters interpret transport-level information, such as TCP and UDP headers, to analyze and record all current connections. This process is known as stateful inspection. A stateful packet filter records the status of all connections and allows only those packets that are associat...

Page 677: ... action for a filter is deny. However, you can change this option by using the keyword permit. OA-700 by default supports stateful inspection. To convert it to a stateless inspection firewall, use the keyword stateless. If no rules/match cases are defined, the default keyword can be used to just configure a permit or deny on all incoming and outgoing traffic. Filtering takes place only when filters are bo...

Page 678: ...ers syntax Refer to the chapter on Common Classifiers in this guide Step 2 Configure a filter See To Create a Filter Configure Rule for a filter See To Configure a Rule for a Filter Step 3 Configure Filter Optional Parameters Configure a stateless filter See To Configure a Stateless Filter Reorder the rules in the filter See To Reorder the Rules in the Filter Step 4 Enter into Interface Configurat...

Page 679: ...ss ip address subnet mask ip address prefix length Example: ALU config if GigabitEthernet7/0 ip address 20.20.20.20/24. Step 7: Interface Binding. Attach the configured filters to the appropriate interfaces as per the desired direction, i.e. either IN/OUT. See To Attach/Detach a Filter to an Interface. Note: An interface can have only one ingress and one egress filter. Step 8: Use the show commands to view t...

Page 680: ...Filter and Firewall FILTER CONFIGURATION FLOW Figure 19 Filter Configuration Flow ...

Page 681: ...mit deny reset log verbose timer timer object This command is used to configure rules associate match lists and set priority for the rule for a filter and also set the action deny or permit for the configured rules By default any keyword is used The range for the rule number is 1 65535 This rule number signifies the priority of a rule By default the numbering pattern for rule number is the next mu...

Page 682: ...mit log The example below configures a deny rule with reset option on all the IP traffic on the filter configured: ALU config filter f1 10 match m1 deny reset. TO CONFIGURE A STATELESS FILTER. Note: The filters on OA-700 are by default stateful. This behavior can be overridden by the keyword stateless. EXAMPLE: The following example sets the filter to stateless: ALU config filter f1 stateless. In the examp...

Page 683: ...ing the priority give the show command The output appears as shown show ip filter f1 ip filter f1 10 match m1 deny 15 match m4 deny reset 20 match m2 deny log 30 match m3 deny default permit Now to generate a numbering scheme with a proper order use the keyword renumber as follows ALU config ip filter f1 ALU config filter f1 renumber To view the filter configuration after renumbering give the show...

Page 684: ...0 ALU config interface GigabitEthernet7 0 ALU config if GigabitEthernet7 0 no ip filter in f1 Command in ICM Description ip filter in out filter name This command is used to attach a filter to an interface in in or out direction Filter is applied to the ingress incoming traffic if in keyword is used Filter is applied to the egress outgoing traffic if out keyword is used no ip filter in out filter ...

Page 685: ...filter f1 10 match any m1 permit 20 match any m1 permit default deny interface GigabitEthernet7 0 In Stats Off ip filter f2 10 match any m2 deny default deny interface GigabitEthernet7 0 In Stats Off b The following syntax displays the filter f1 s details ALU config filter f1 show ip filter f1 ip filter f1 10 match any m1 permit 20 match any m1 permit default deny interface GigabitEthernet7 0 In S...

Page 686: ...filter statistics GigabitEthernet 7 0 in ip filter f1 20 match any m1 permit Hits 0 10 match any m1 permit Hits 2 default deny interface GigabitEthernet7 0 In Stats On ip filter f2 20 match any m2 deny Hits 0 default deny Hits 0 interface GigabitEthernet7 0 In Stats Off Command in SUM ICM Description show ip filter statistics interface name in out both filter name This command displays the statist...

Page 687: ...he force command from the configuration mode itself. This gives the flexibility of deleting a filter even without detaching it from its interfaces. As a result, it reduces the complexity and time. EXAMPLE: If the filter f1 has to be deleted when attached to an interface, apply the following syntax: ALU config no ip filter f1 force. TO DELETE A COMPONENT IN THE FILTER. EXAMPLE: The example below deletes th...

Page 688: ...MANDS TO CLEAR FILTER STATISTICS EXAMPLE ALU clear ip filter statistics GigabitEthernet7 0 in ALU ALU clear ip filter statistics GigabitEthernet3 0 out ALU Command in SUM Description clear ip filter statistics interface name in out both filter name This command is used to clear the statistics of a filter on a particular interface ...

Page 689: ...disables debugging for the source IP 10 91 0 52 ALU no debug firewall selector saddr 10 91 0 52 Command in SUM Description debug firewall session filter nat attack alg intrusion selector saddr ip address daddr ip address protocol number sport number dport number output permanent all detail level This command turns on debugging for the filter statistics configured The selector keyword is used to de...

Page 690: ...it interface GigabitEthernet7/0 ip filter in f1 ip filter out f2. EXAMPLE 2: Consider the following example, where filter f2 is regarded as stateless. Now the return traffic will be dropped. For example, HTTP requests from the internal network that match m1 in f2 will be passed to the external network, but the HTTP response coming back will be blocked by filter f1, since the previously allowed traffic is stateless ...

Page 691: ... NEW RULE. The need for insertion of match lists becomes inevitable when you wish to include one rule or a group of rules after you have configured the match lists for a particular application. The following example depicts the way to accomplish this. Note: Line numbers will not be shown unless you specifically enter them. The line numbers are displayed only in the show command view. EXAMPLE: Consider the follow...

Page 692: ...LINE NUMBERS. Use the keyword renumber to normalize the line numbers of each rule and set them to the consecutive multiples of 10. EXAMPLE: Consider the following configuration: ip filter f1 10 match m1 permit 15 match m4 deny reset 20 match m2 deny log 30 match m3 permit stateless. Here the numbers do not follow the specified order. This becomes more complex when you try to enter another match in bet...

Page 693: ... 20 match m2 deny log 30 match m3 permit 40 match m4 deny reset In the above sequence if m4 has a priority 40 Use the change keyword to change the priority of m4 ALU config ip filter f1 ALU config filter f1 change 40 15 To view the filter configuration after changing the priority use the show command The output appears as shown show ip filter f1 ip filter f1 10 match m1 permit 15 match m4 deny res...

Page 694: ...ks; consumption of scarce, limited, or non-renewable resources; destruction or alteration of configuration information; physical destruction or alteration of network components. The OA-700 provides an effective way to prevent these attacks against their networks. The OA-700 employs rate limiting and rule-based filtering to prevent these attacks. The following sections describe usage guidelines to configur...

Page 695: ...67295 A perpetrator sends a large amount of ICMP echo (ping) traffic at IP broadcast addresses, all of it having a spoofed source address of a victim. If the routing device delivering traffic to the broadcast addresses performs the IP broadcast to another broadcast function, most hosts on that IP network will take the ICMP echo request and reply to it with an echo reply each, multiplying the traffic by ...

Page 696: ...t the system from this attack, this command is also included in the default attack prevention list. UDP FLOOD udp flood threshold 1 4294967295 1 4294967295 A UDP Flood Attack is possible when an attacker sends a UDP packet to a random port on the victim system. When the victim system receives a UDP packet, it will determine what application is waiting on the destination port. When it realizes that ther...

Page 697: ...s the vulnerability of the TCP/IP IP fragmentation re-assembly codes, which do not properly handle the overlapping IP fragments. IP TINY FRAG ip tiny frag max frag num min frag size 1 4294967295 If the fragment size is made small enough to force some of a TCP packet's TCP header fields into the second fragment, filter rules that specify patterns for those fields will not match. If the filtering implem...

Page 698: ...ncluded in the default DoS prevention list. TCP SYN FIN tcp syn fin This has TCP packets with both SYN and FIN flags set, causing a denial of service. This attack is prevented by using the default keyword, or can be inserted in the user-defined list. TCP XMAS SCAN tcp xmas scan This frame should never be seen in normal TCP operation. Sometimes this is done in preparation for a future attack or sometimes ...

Page 699: ...ince the victim's system would be forwarding the frames to the wrong address, it will be unable to reach other networks. This attack can be prevented by adding this command in the DoS prevention list. ICMP REDIRECT icmp redirect This command is not a default DoS setting. The square brackets around the whole command denote that it is only optional. However, the above command can be included in the DoS preventi...

Page 700: ... behind a filtering router/firewall. After gaining root access and taking over existing terminal and login connections, intruders can gain access to remote hosts. This command is not included in the default attack list. It can be explicitly included to secure the network from this attack. UDP SNORK ATTACK udp snork attack This is an attempt to connect two services which, if enabled, will engage in an indefi...

Page 701: ... the Firewall Sub Configuration Mode. See To Enter Firewall Configuration Mode. Step 3: Configure DoS attack Object. This enters the Attack Sub Configuration Mode. See To Configure DoS Attack Object. Step 4: Configure attacks to the configured attack object. See To Configure Default Attacks Rate Limiting Non rate Limiting for an Attack Object OR To Configure All Attacks for an Attack Object Including Defa...

Page 702: ...s for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config if GigabitEthernet7 0 ip address 20 20 20 20 24 Step 10 Attach the configured firewall policies to appropriate interfaces as per the desired direction i e either IN OUT See To Attach a Firewall Policy to an Interface Step 11 View the firewall configuration See Firewall Sho...

Page 703: ...ation NETWORK ATTACK PREVENTION CONFIGURATION FLOW Figure 20 Network Attack Prevention Flowchart ...

Page 704: ...m bootup, an attack object and a policy map are created by the system. These are the System default Attack Object and the System default Policy. This system default policy is attached to the system default attack object and, by default, is attached to the system traffic. Note: 1. You can only modify the system default attack object but cannot delete it. 2. You cannot modify/delete the system default policy. 3...

Page 705: ...ir default settings except icmp block trace route, icmp router advertisement, icmp redirect, and ip rate threshold. These attacks too can either be manually turned on for detection, or filters can be applied to block them. The minimum time resolution you can enter is 5 milliseconds. Command in F ACM Description default stateless This command is used to configure all the default attacks for an attack obje...

Page 706: ...attack. You can create a default attack setting to check only the stateless attacks by using the keyword default stateless. The following attacks are the Default Stateless/Default Non-Rate Limiting attacks: ip tear drop, ip tiny frag 50 64, icmp ping of death 50 65507, ip zero length, ip land attack, tcp xmas scan, tcp invalid urgent offset, tcp null scan, tcp syn fin, tcp fin no ack, udp fraggle attack. Note ...

Page 707: ...ription all This command is used to configure all the attacks including all Default and Optional attacks for an attack object no all The no command disables all the attacks configured for an attack object Command in F ACM Description udp port loopback threshold 1 4294967295 1 4294967295 This command is used to configure udp port loopback attack for an attack object udp flood threshold 1 4294967295...

Page 708: ... for an attack object tcp invalid urgent offset This command is used to configure tcp invalid urgent offset attack for an attack object tcp xmas scan This command is used to configure tcp xmas scan attack for an attack object ip land attack This command is used to configure ip land attack for an attack object ip source routing This command is used to configure ip source routing attack for an attac...

Page 709: ...l attack system default ALU config firewall attack system default all TO LOG ALL THE ATTACKS EXAMPLE ALU config firewall attack A1 log ALU config firewall attack A1 no log ip tiny frag max frag num min frag size 1 4294967295 This command is used to configure ip tiny frag attack for an attack object icmp ping of death max frag num max total length 1 4294967295 This command is used to configure icmp...

Page 710: ...sed to configure a firewall policy This enters the firewall policy sub configuration mode Command in F PCM Description 1 65535 match any all match list name attack name drop reset time range name Enter this command in the Firewall Policy Configuration Mode This command is used to attach an attack object to a firewall policy and create rules associate match lists and set priority for the rule for a...

Page 711: ...P1 10 match m1 permit 20 match m2 deny log 30 match m3 permit 40 match m4 deny reset In the above sequence if m4 has a priority 40 Use the change keyword to change the priority of m4 ALU config firewall policy P1 ALU config firewall P1 change 40 15 To view the policy configuration after changing the priority give the show command The output appears as shown show firewall policy P1 ip policy P1 10 ...

Page 712: ...O ATTACH A FIREWALL POLICY TO AN INTERFACE. Note: A firewall policy takes effect once it is attached to an interface. EXAMPLE ALU config interface GigabitEthernet7/0 ALU config if GigabitEthernet7/0 firewall policy in P1 Command in ICM Description firewall policy in out policy name This command is used to attach a firewall policy to an interface in the in or out direction. Firewall policy is applie...

Page 713: ... minutes. Default UDP value is 5 minutes. Default ICMP value is 30 seconds. EXAMPLE ALU config firewall session ALU config firewall session default timeout tcp 10 Command in Firewall Session Mode Description default timeout icmp tcp udp 0 2147483648 Enter this command in the Firewall Session Configuration Mode. Firewall session table has a periodic timer to age out inactive entries. To change these def...

Page 714: ...thernet7 0 In TO VIEW THE ATTACK COMPONENTS EXAMPLE The following syntax is used to view the details of attack A1 ALU show firewall attack A1 attack A1 udp port loopback 10 1000 udp flood 200 1000 tcp fin scan icmp ip address sweep 2 10 icmp dest unrch storm 2 10 icmp ping flood 2 10 tcp syn flood 100 1000 5 udp fraggle attack Command in SUM Description show firewall policy name This command is us...

Page 715: ...L SESSION DETAILS EXAMPLE To view the firewall session use the following syntax ALU show firewall session TCP Sessions 0 UDP Sessions 0 ICMP Sessions 1 GRE Sessions 0 Total Sessions 1 Free Sessions 127999 The following syntax is used to view the details of firewall session ALU config show firewall session detail ID 70 ICMP timeout 28 secs used by NAT Initiator 10 91 1 108 13 10 91 0 1 13 Responder...

Page 716: ...ator 10 91 1 108 13 10 91 0 1 13 Responder 10 91 0 1 34416 10 91 1 108 34416 ALU config if GigabitEthernet7 1 show firewall session destination ip 10 91 0 1 ID 70 ICMP timeout 25 secs used by NAT Initiator 10 91 1 108 13 10 91 0 1 13 Responder 10 91 0 1 34416 10 91 1 108 34416 Command in SUM Description show firewall session proto tcp udp icmp This command displays the firewall sessions with respe...

Page 717: ...ription no firewall policy in out name This command detaches a firewall policy attached to an interface. This command does not delete the firewall policy definition in its entirety. It only detaches it from its interface. If the command no firewall policy name is issued at the top level, and if this firewall policy is not bound to any interface, it deletes the firewall policy definition. Command in FwCM...

Page 718: ...efault policy system default 10 match all attack system default drop system traffic firewall policy system default Command in FCM Description no attack name This deletes the specified DoS attack object and its configuration You cannot delete an attack object if it is attached to an interface Command in CM Description no attack name force This deletes a specified DoS attack object from the global l...

Page 719: ... fin tcp null scan tcp invalid urgent offset tcp xmas scan ip land attack icmp echo storm attack udp short header tcp header frag ip zero length ip tiny frag 50 64 icmp ping of death 50 65506 ip tear drop Note 1 The show running configuration command does not display the system default policy 2 The show running configuration command displays only the newly created non default attacks for the syste...

Page 720: ...0 91 0 52 ALU no debug firewall selector saddr 10 91 0 52 Command in SUM Description debug firewall session filter nat attack alg intrusion selector saddr ip address daddr ip address protocol number sport number dport number output permanent all detail level Use this command to turn on debugging for specified firewall features The selector keyword allows you to debug only selected traffic no debug...

Page 721: ...hing ip any any type any firewall attack a1 default stateless policy p1 match everything attack a1 reset interface GigabitEthernet7/0 firewall policy in p1. EXAMPLE 2: This example checks traffic from outside zone to inside zone for attacks defined in d1. If found, TCP RST will be sent to both source and destination for TCP traffic. Packets will be dropped for non-TCP traffic. list outside zone interfac...

Page 722: ...EXAMPLE 3: The following configuration selectively checks traffic from GigabitEthernet3/0 to subnet 10.0.0.0/8 for all default attacks. match-list m2 ip any prefix 10.0.0.0/8 type any firewall attack a2 default policy p2 match m2 attack a2 reset interface GigabitEthernet3/0 firewall policy in p2 ...

Page 723: ...s and systems are known entities, and hence communication between the known entities is conducted in an environment of integrity. Hence, data presented from resulting communication is not checked for malicious content or intent. In a corporate network, all systems within the domain of the company are considered to be within a trusted zone. UNTRUSTED ZONE CONFIGURATION: The domain falling outside the trust...

Page 724: ...pically comprises the servers and related network resources that need exposure to the untrusted zone without compromising security of a trusted zone. A DMZ creates a buffer space between the Internet and the private network, which is accessed by both the Internet and the internal network. A DMZ typically contains the following: Web Server, Mail Server, Application Gateway, E-Commerce Systems. Example of syste...

Page 725: ...a mail server, a web server, and access to the internet using a leased line with a static IP. 2. The LAN nodes are designated and placed in the trusted zone. 3. The mail server and web server need to be accessed from the Internet and the local LAN. Since these servers are exposed in some form to the Internet, they are placed in the DMZ. 4. All traffic going out to the Internet is subject to NAT. Figure 23 Th...

Page 726: ...arded ICMP rate limiting to be applied to 2 second IP ADDRESSING SCHEME: 1. LAN addresses fall in 3 subnets: 10.0.0.0/24, 192.168.0.0/24, 172.16.0.0/25. 2. The Public IP of the link is 202.24.45.100. This is forwarded to Mail Server and Web Server using NAT. Serial Number / From / To / Allow: 1 / Trusted LAN / DMZ / All services; 2 / Untrusted Internet / Mail server in DMZ / SMTP, POP, IMAP, HTTP, HTTPS, DNS; 3 / Untrusted Internet / W...

Page 727: ...erial0 0 no shutdown ALU config if Serial0 0 ip address 202 24 45 100 30 ALU config if Serial0 0 exit ALU config 2 Put a Default Route Going Towards the Internet ALU config ip route 0 0 0 0 0 Serial0 0 3 The three zones are configured by using Lists and attaching the interfaces to these lists It is also possible to define the networks within the lists ALU config list Trust interface GigabitEtherne...

Page 728: ...net mail access 4 tcp list Untrust host 202 24 45 100 30 service http ALU config match list Internet mail access 5 tcp list Untrust host 202 24 45 100 30 service 443 iv Webserver access from the internet ALU config match list webserver access ALU config match list webserver access 1 tcp list Untrust host 202 24 45 100 30 service http ALU config match list webserver access 2 tcp list Untrust host 2...

Page 729: ...h list RFC 1918 2 ip list 1918 list DMZ 6 Rules for Managing the Box from Untrust DMZ and Trust Zone Through SSH and Telnet ALU config list untrust manage host 202 24 45 100 ALU config list dmz manage host 172 16 0 132 ALU config list trust manage host 10 0 0 1 host 192 168 1 1 host 172 16 0 1 25 7 Configuring the Match lists For Inband Management Through SSH and Telnet ALU config match list manage...

Page 730: ...ll attack atk1 udp flood ALU config firewall attack atk1 udp fraggle attack ALU config firewall attack atk1 udp port loopback ALU config firewall attack atk1 udp snork attack ALU config firewall attack atk1 icmp block trace route ALU config firewall attack atk1 icmp dest unrch storm ALU config firewall attack atk1 icmp ip address sweep ALU config firewall attack atk1 icmp ping flood threshold 2 10...

Page 731: ...er in untrust ALU config filter out trust 10 match any Internet Trust permit ALU config filter out trust 20 match any trust manage permit ALU config filter out trust default deny Applying this filter as out on the un trust interface ALU config if GigabitEthernet3 0 ip filter out in untrust B Filters for DMZ Zone ALU config ip filter DMZ traffic ALU config filter DMZ match any Internet mail access ...

Page 732: ...ss permit ALU config filter out untrust 20 match any untrust DMZ access permit ALU config filter out untrust default deny This filter is applied as out filter ALU config if Serial0 0 ip filter out out untrust 12 Configuring Source NAT for all Traffic Going Towards Internet ALU config ip nat source nat ALU config nat source nat match any source nat source nat Applying the Source NAT on the serial i...

Page 733: ...tion for trusted untrusted dmz traffic in ACL NAT or DoS policies and further apply these policies to the interfaces Match list trusted Ip 10 1 1 0 24 any Match list dmz Ip 148 64 4 0 24 any Match list any ip Ip any any Ip nat nat policy Match trusted source nat Ip filter permit dmz policy Match dmz permit Ip filter deny untrusted policy Match any ip deny Suppose Gigabit Ethernet 7 1 is facing ext...

Page 734: ...y Match list dmz Ip interface GigabitEthernet3 0 any Suppose Gigabit Ethernet 7 1 is facing external networks you will need to bind these NAT and Filter policies to this interface Interface GigabitEthernet7 1 Physical i f to untrusted networks Ip nat out nat policy This will NAT internal traffic Ip filter out permit dmz policy This will permit DMZ traffic without translation Ip filter in deny untr...

Page 735: ...g time range TO CONFIGURE A TIME RANGE Time range enters the Time range sub configuration mode Here the time configured for scheduling is the local time and not the GMT time Therefore it has the option to permit automatic changing to from daylight savings time Note User must issue clock command to set the clock in OA 700 so that the time range configuration can take effect precisely EXAMPLE ALU co...

Page 736: ...COMMAND EXAMPLE If t1 is a schedule then to view the particulars in it use the following command ALU show time range time range t1 absolute 10 10 10 5 6 2006 time range t2 absolute 10 10 10 2 5 2006 Command in Time range Mode Description absolute hh mm ss mm dd yyyy to hh mm ss mm dd yyyy periodic daily weekly sunday monday weekend hh mm ss to hh mm ss This command is used to configure an absolute...

Page 737: ...ons OmniAccess supports SIP as a service and can screen SIP traffic allowing and denying it based on a policy that you configure SIP is a predefined service in OA 700 and uses port 5060 as the destination port DNS Domain Name System or Service or Server DNS is an Internet service that translates domain names into IP addresses Because domain names are alphabetic they re easier to remember The Inter...

Page 738: ...e Streaming Protocol RTSP is a standard for controlling streaming data over the World Wide Web RTSP uses RTP Real Time Transport Protocol to format packets of multimedia content But whereas H 323 is designed for video conferences of moderately sized groups RTSP is designed to efficiently broadcast audio visual data to large groups TFTP Trivial File Transfer Protocol TFTP a simple form of the File ...

Page 739: ...this guide TO CONFIGURE ALG EXAMPLE ALU config match list m1 ALU config match list m1 udp any any service sip ALU config match list m1 ALU config match list m1 tcp any any service dns Note Use the port number to configure any other standard ALG service apart from those given in the above commands Command in Match list Mode Description udp any any service dns nfs rpc portmap sip tftp This command i...

Page 740: ...IEW FTP ALG STATISTICS EXAMPLE ALU config show firewall alg ftp statistics Total SNAT Port commands 0 Total DNAT Port commands 0 Total Filter Port commands 0 Total SNAT Pasv Response commands 0 Total DNAT Pasv Response commands 0 Total Filter Pasv Response commands 0 Total Pinholes created 0 Total Pinholes matched 0 Total Pinholes timed out 0 Total Pinholes failed 0 Command in CM Description show ...

Page 741: ... 0 Total Pinholes created 0 Total Pinholes matched 0 Total Pinholes timed out 0 Total Pinholes failed 0 TO VIEW RPC PORTMAP ALG STATISTICS EXAMPLE ALU config show firewall alg rpc statistics Total SNAT RPC CALL Packets 0 Total DNAT RPC REPLY Packets 0 Total DNAT DUMP REPLY Packets 0 Total Pinholes created 0 Total Pinholes matched 0 Total Pinholes failed 0 Total Pinholes removed 0 Command in CM Des...

Page 742: ...s 1 Total allocated SIP Call Sessions 1 Total SIP Call Sessions freed 0 Total RTP Sessions 0 Total RTCP Sessions 0 Total RTP Pinholes created 2 Total RTP Pinholes freed 1 Total RTP Pinholes matched 1 Total RTP Pinholes timeout 0 Total RTCP Pinholes created 2 Total RTCP Pinholes freed 0 Total RTCP Pinholes matched 0 Total RTCP Pinholes timeout 0 Total SIP Packets with Non SDP message body 0 Total S...

Page 743: ...ug counters Total malloc operations 0 Total failed malloc operations 0 Total memory release operations 0 TO VIEW TFTP ALG DEBUG COUNTERS EXAMPLE ALU config show firewall alg tftp debug counters Total malloc operations 0 Total failed malloc operations 0 Total memory release operations 0 Command in CM Description show firewall alg dns debug counters This command is used to view the DNS ALG debug cou...

Page 744: ...S EXAMPLE ALU config show firewall alg sip debug counters Total malloc passed sip sessions and calls 0 Total malloc failed 0 Total memory free count sip sessions and calls 0 Total sip packets translated 0 Total sdp packets translated 0 Total sip packets retransmitted 0 Command in CM Description show firewall alg rpc debug counters This command is used to view the RPC Portmap ALG debug counters Com...

Page 745: ...FIREWALL ALG CLEAR COMMANDS TO CLEAR FIREWALL ALG SIP STATISTICS EXAMPLE ALU config clear firewall alg sip statistics Command in CM Description clear firewall alg sip statistics This command is used to clear the ALG SIP statistics ...

Page 746: ...u also have the flexibility to use ALG based on the rules defining specific service configuration apart from those on well known ports If you do not want to use ALG for a particular service configure service none This customization of invoking ALG on user configured ports is an enhancement specific to OA 700 and is not available on other systems Note ALG configuration is system wide firewall confi...

Page 747: ...tp TO MODIFY PRIORITY OF AN EXISTING ALG RULE EXAMPLE The following example shows how to change the priority of a rule ALU config customized service change 10 1 Command in Customized Service Mode Description 1 65535 match any all match list name service service name alcatel tftp dns ftp none rpc rtsp sip tftp This command creates a rule for mapping ALG action for a well known service to a non stan...

Page 748: ...fig customized service no rule 10 TO VIEW THE DETAILS OF AN ALG RULE BASED SERVICE EXAMPLE ALU config show customized service 20 match any m2 service none Command in Customized Service Mode Description no rule 1 65535 This command deletes an existing ALG rule Command in CM Description show customized service This command shows the ALG rule based service details ...

Page 749: ...ent attacks coming from internal networks through VPN Another benefit from NOE ALG is to precisely identify RTP and RTCP traffic so that user can apply QoS on the voice traffic PERSISTENT MEMORY When NOE phone request passes through OA 700 ALG assigns a unique sub address to phone This sub address is used to tell the call server about the existence of multiple phone terminal behind NAT box If ALG ...

Page 750: ...in a firewall policy and attach it to an interface To configure filter and attaching filter to an interface see Filter Configuration section in this chapter To configure DoS and attaching DoS to an interface see Network Attack Prevention Configuration section in this chapter To configure NAT and attaching NAT policy to an interface see Network Address Translation chapter To configure IDS and attac...

Page 751: ...h m1 service alcatel tftp TO CLASSIFY NOE TRAFFIC EXAMPLE ALU config match list m1 filter ALU config match list m1 filter udp any any type noe Command in Customized Service Mode Description 1 65535 match any all match list name service alcatel tftp This command is entered in the customized service mode Use this command to define NOE TFTP traffic The match list configured should match the TFTP traf...

Page 752: ... remain unused and while configuring CLI will throw an error for wrong port range If you give a wrong address then CLI will accept the command but ports may not be reserved for the same So only IP addresses from the Source NAT SNAT pool need to be used in this command You can give the same command for multiple NAT pool IP addresses Range should always have minimum four ports else it does not make s...

Page 753: ...ics noe pinholes outstanding 0 noe sessions created 1 noe sessions released 0 noe sessions timed out 0 RTP pinholes outstanding 0 RTP sessions created 0 RTP sessions released 0 RTP sessions terminated from noe time outs 0 RTCP pinholes outstanding 0 RTCP sessions created 0 RTCP sessions released 0 RTCP sessions terminated from noe time outs 0 Command in CM Description show firewall alg noe statist...

Page 754: ... output if NAT is not enabled on the OA 700 TO VIEW NOE ALG DEBUG COUNTERS EXAMPLE ALU config show firewall alg noe debug counters Total malloc passed noe sessions and calls 2951 Total malloc failed 0 Total memory free count noe sessions and calls 0 Total noe packets translated 7690 Total sdp packets translated 26 Total noe packets retransmitted 330 Command in CM Description show firewall alg noe ...

Page 755: ...at the phone signaling link will break and the phone will reboot So user should be careful while using this command EXAMPLE ALU config clear firewall alg noe subaddress mapping TO CLEAR NOE ALG STATISTICS EXAMPLE ALU config clear firewall alg noe statistics Command in CM Description clear firewall alg noe subaddress mapping phone ip address phone mac address This command is used to clear the sub a...

Page 756: ...so that they can be accessed from outside using DNAT As a standard service FTP ALG is registered only on port 21 so outsiders will not be able to access internal servers To allow outside access to internal FTP Servers FTP ALG should be registered on those ports where FTP Server is listening for a control connection The following example illustrates how rule based ALG solves this problem by mapping...

Page 757: ...tch list m4 ALU config match list m4 tcp any host 203 100 100 2 28 service 21 DNAT Configuration ALU config match list m3 ip nat dnat ALU config nat dnat match m1 destination nat host 10 1 1 1 ALU config nat dnat match m2 destination nat host 10 1 1 2 ALU config nat dnat match m3 destination nat host 10 1 1 3 Customized Service Configuration ALU config customized service ALU config customized serv...

Page 758: ...u may use to provide level of security in the network The following are some general procedures that need to be kept in mind These are independent of Firewall configuration Keeping network user accounts off the Internet service computers such as web servers FTP servers and firewall Having separate administrative accounts with different passwords for these devices Regularly scan the system logs f...

Page 759: ...iving on the internal interface that have source field indicating that the packet came from outside the network Drop all incoming packets to interior computers that have no externally accessible service Drop and log all private addresses coming on the external interface As per RFC 1918 the address blocks 10 0 0 0 to 10 255 255 255 255 172 16 0 0 to 172 16 31 255 and 192 168 0 0 to 192 168 255 255 ...

Page 760: ...ns port internally for remote unauthorized control of computers Drop syn packets from outside to internal ports 1023 Most legitimate services are configured on ports 1024 Disallow incoming FTP data connections thus allowing passive FTP only Disallow SMTP connections port 25 from the outside to other than mail server Establish service destinations rules for other services such as HTTP Many of the u...

Page 761: ...packets sec Hence depending upon the traffic pattern the threshold can be set If the threshold is crossed it might be a pointer to a syn attack One can configure the threshold as dos p1 tcp syn flood threshold 40 packets per msec PORT SCAN ATTACKS This attack happens whereby one source IP address sends IP packets to 10 different ports at the same destination IP address within a defined interval Thi...


Page 763: ...nents tunneling and security To get a succinct knowledge on the parameters and default values refer to the VPN section in OmniAccess 700 CLI Command Reference Guide Note IPsec VPN is not supported in the no crypto image For information on the no crypto release refer to the release note Note The basic security package provides IPsec functionality having lower encryption up to 64-bit algorithms only I...

Page 764: ...o map name CRL Certificate Revocation List CSR Certificate Signing Request DPD Dead Peer Detection ESP Encapsulating Security Payload ICM Interface Configuration Mode ALU config interface name IKE Internet Key Exchange IKE Policy Mode IKE Policy Configuration Mode ALU config IKE policy name ISAKMP Internet Security Association and Key Management Protocol PFS Perfect Forward Secrecy PKI Public Key ...

Page 765: ...bility across the globe the need for security has almost become inevitable But now with the evolution of security through VPN s this is possible and gives the capability to connect the private offices and users to use any untrusted IP network for secure interconnections through this virtual mode This medium of communication also worked out to be highly attractive as a replacement to the private le...

Page 766: ...marily focuses on the implementation of secure VPNs with IPsec In a TCP IP network the packet is routed based on the network layer information while the actual data is held in the IP layer Hence by securing the IP layer it is possible to secure the network The following sections provide a conceptual overview of IPsec VPN IPsec Enabled VPN IPsec Connection Types IPsec Concepts Benefits of IPsec Ena...

Page 767: ...nd a firewall to make a connection to a remote computer or network The firewall that is protecting the individual computer does not participate in the VPN connection or authenticate it but rather allows the connection through the firewall A home connection that is connected to a company network is an example of this type of connection HOST TO HOST This connection is for connecting two computers to...

Page 768: ...tive private networks to each other The tunnel is formed between respective networks to forward the traffic between the locations The figure below depicts a general scenario of IPsec VPN Tunnel 2 is the secured VPN channel that connects the Finance department and Accounts department of two geographically displaced locations Tunnel 1 users have no access to this path Figure 26 A General Scenario of...

Page 769: ...ple this mode can be used to create a secure association between two personal workstations each of which has a public address The protection here is extended to the payload of IP data TUNNEL MODE This mode is used to provide data security between two networks It provides protection for the entire IP packet and is sent by adding an outer IP header which corresponds to the two tunnel endpoints The u...

Page 770: ...st from a message of arbitrary length and a 16 byte key The resulting hash is used like a fingerprint of the input to verify content and source authenticity and integrity Secure Hash Algorithm 1 SHA 1 An algorithm that produces a 160 bit hash from a message of arbitrary length and a 20 byte key It is generally regarded as more secure than MD5 because of the larger hashes it produces ENCAPSULATING ...

Page 771: ...Standard AES AES uses a 128 bit 192 bit and 256 bit keys INTERNET KEY EXCHANGE Internet Key Exchange IKE defines the mechanism to establish SA s Security Association requirements to secure packets between the two IPsec peers The tunnel negotiation happens using IKE protocol IKE uses Internet Security Association and Key Management Protocol ISAKMP as the framework to send the messages IKE messages ...

Page 772: ...tiation happens in two phases PHASE 1 Phase 1 is also called Main Mode The objective of Phase 1 is to establish a secure channel authenticate the negotiating parties and generate shared keys to protect IKE protocol messages Figure 28 Phase 1 Negotiation Main Mode MESSAGE 1 MESSAGE 2 MESSAGE 3 MESSAGE 4 MESSAGE 5 MESSAGE 6 ISAKMP HEADER ISAKMP HEADER ISAKMP HEADER Proposal Payload s Accepted...

Page 773: ...assword is exactly the same on all the computers authenticating the connection and is case sensitive Digital Signatures RSA or DSS Certificates of the peers are exchanged in the last two messages and hashes are calculated over these certificates to authenticate each other An RSA Key is an authentication method that uses a program to generate a set of authentication keys This program is built into I...

Page 774: ...nects machines inside two private address clouds For example India branch and California headquarters Reduces the operational costs versus traditional WAN since VPN works over the public network Internet Extended geographic connectivity Reduces transit time and transportation costs for remote users Improves productivity Simplifies network topology Provides global networking opportunities Provides telec...

Page 775: ...y pfs group2 iii Default IPsec security association lifetime in seconds 28800 iv Default IKE lifetime in seconds 86400 Default authentication mechanism Preshared Keys PSK If a transform set is not configured the default transform set is applied to the crypto map Following are the default values for transform set i esp sha1 des ii esp md5 des If a crypto map is not configured you can attach the def...

Page 776: ...fer to the Common Classifiers chapter in this guide Step 2 Configure a preshared key See IPsec Configuration with Preshared Key OR Configure X 509 certificates See IPsec Configuration with X 509 Certificates Step 3 Configure IKE policy See To Configure an IKE Policy Step 4 Configure a Transform Set See To Configure Transform set in IPsec Step 5 Configure Crypto Map See To Configure IPsec Crypto Ma...

Page 777: ... ip address subnet mask ip address prefix length Example ALU config if GigabitEthernet7 0 ip address 20 20 20 20 24 Step 9 Attach the configured crypto map to an interface See To Attach Crypto Map to an Interface Step 10 Configure Dead Peer Detection See Dead Peer Detection DPD Optional Step 11 Know the default values allowed by the OA 700 See Default Configuration Setting on OA 700 Step 12 View t...

Page 778: ...IPSEC VPN CONFIGURATION FLOW Figure 30 IPsec Configuration Flowchart ...

Page 779: ...er nested match list list A rule should not have the port range or interfaces keywords However these constraints can be overcome by applying multiple crypto maps to the same interface For Example match list m1 ip prefix 10 0 0 0 8 prefix 9 0 0 0 8 IPSEC CONFIGURATION WITH PRESHARED KEY The Preshared key is used to authenticate peers This key is same on both the IPsec gateways It is denoted in the ...

Page 780: ...ryption and digital signature services across a wide variety of applications TO GENERATE AN RSA KEY PAIR If the key modulus is greater than 2000 it can take a few minutes to generate the keys bg will generate the keys in the background and free the CLI Use bg to generate the keys in the background and proceed with other configurations that do not depend on the key generation EXAMPLE ALU config crypto...

Page 781: ...ust chain until a self signed root CA certificate is reached TO CONFIGURE THE SUBJECT NAME FOR A CERTIFICATE SIGNING REQUEST CSR EXAMPLE ALU ca ALUCA subject name CN Bart Simpson O ALU C US Command in CM Description crypto ca identity name This command configures a CA identity with the name specified Command in CA Identity CM Description import ca cert fpkey file path ftp tftp http https scp This ...

Page 782: ... CSR EXAMPLE ALU config crypto certificate request req_Simpson generate key name exampleKey ca ALUCA Command in CA Identity CM Description import crl fpkey file path ftp tftp http https scp This command imports a CRL from the remote location Note Currently SCP option is not supported Command in CA Identity CM Description import signed cert name fpkey file path ftp tftp http https scp This command ...

Page 783: ...e export fpkey file path ftp tftp scp This command exports the CSR from the OA 700 to a remote location If none of the optional arguments are specified then the command will have the same effect as the To View CSR Details command Note Currently SCP option is not supported Command in CM Description crypto certificate database refresh This command adds the imported certificate or key to the IPsec da...

Page 784: ... can be done if the peer is not enrolled with any of the trusted CAs and if the peer is trusted Thus one does not have to rely on the certificate to be transmitted by the peer as part of the IKE protocol EXAMPLE ALU config crypto peer certificate cert_Bouvier import ftp Command in CM Description crypto crl check strict This command makes the CRL policy strict It ensures that if no CRL is present o...

Page 785: ...eer id user fqdn selma_bouvier alcatel lucent com TO SPECIFY THE ISSUER CA OF THE PEER S CERTIFICATE EXAMPLE ALU ike identity exampleidentity peer ca CN ALU OU Certificate Authority C US Command in CM Description crypto ike identity name force This command configures an IKE identity Entering this command changes the mode to ike identity mode Command in IKE Identity CM Description peer id dn fqdn u...

Page 786: ...TIFICATE TO BE USED EXAMPLE ALU ike identity exampleidentity my cert cert_Simpson Command in IKE Identity CM Description my id dn fqdn user fqdn name address ip address This command configures self identity Command in IKE Identity CM Description my ca name This command specifies the issuer CA of the user s certificate This is an optional command Command in IKE Identity CM Description my cert name ...

Page 787: ...E ALU config crypto ca cert ALUca delete Command in IKE Identity CM Description peer cert name This command specifies the self signed peer s certificate This can be used if a trusted peer is not enrolled to any of the CAs Command in CM Description crypto key export rsa name fpkey file path ftp tftp scp This command exports the RSA keys from the OA 700 If none of the optional arguments are used it ...

Page 788: ...ALU config crypto peer certificate cert_Bouvier delete TO DELETE AN RSA KEY PAIR EXAMPLE ALU config crypto rsa key examplekey delete Command in CM Description crypto signed cert name delete This command deletes the specified signed certificate Command in CM Description crypto peer certificate name delete This command deletes the specified peer certificate Command in CM Description crypto rsa key n...

Page 789: ... this secure channel to negotiate the final keys The more often the key is changed the more secure the channel is TO CONFIGURE AN IKE POLICY EXAMPLE ALU config crypto ike policy P1 ALU config crypto ike policy P1 Note The force keyword is used to modify or edit an IKE policy in use Command in CM Description crypto ike policy name force Use this command to configure an IKE policy The policy name can b...

Page 790: ...policy P1 proposal md5 aes 128 ALU config crypto ike policy P1 no proposal Command in IKE Policy CM Description proposal algo algo algo algo Note Options for algo are md5 aes128 md5 aes192 md5 aes256 md5 des md5 3des sha1 aes128 sha1 aes192 sha1 aes256 sha1 des sha1 3des Use this command to configure an IKE proposal You can configure a maximum of 4 proposals no proposal This command deletes the pr...

Page 791: ...onds There is no default value for IPsec security association lifetime in Kilobytes EXAMPLE ALU config crypto ike policy P1 ipsec security association lifetime kilobytes 5400 ALU config crypto ike policy P1 ipsec security association lifetime seconds 5400 ALU config crypto ike policy P1 no ipsec security association lifetime kilobytes ALU config crypto ike policy P1 no ipsec security association l...

Page 792: ...ARD SECRECY GROUP EXAMPLE ALU config crypto ike policy P1 pfs group1 ALU config crypto ike policy P1 no pfs Command in IKE Policy CM Description lifetime seconds 540 86400 This command is used to configure an IKE lifetime no lifetime seconds The no command resets the IKE lifetime to its default Command in IKE Policy CM Description pfs group1 group2 group5 This command is used to configure a PFS gro...

Page 793: ...ns for proposal under transform set esp md5 3des encapsulation with MD5 and 3DES encryption esp md5 aes128 encapsulation with MD5 and 128 bit AES encryption esp md5 aes192 encapsulation with MD5 and 192 bit AES encryption esp md5 aes256 encapsulation with MD5 and 256 bit AES encryption esp md5 des encapsulation with MD5 and 56 bit DES encryption esp sha1 3des encapsulation with SHA1 and 3DES encry...

Page 794: ... config crypto ipsec transform set myset esp md5 3des esp md5 aes128 esp md5 aes192 TO DELETE A TRANSFORM SET GLOBALLY This command deletes the transform set from the global configuration mode If a transform set is being used by any crypto map it is prohibited from deletion Hence the transform set must be first disabled from the crypto map and then deleted EXAMPLE ALU config no crypto ipsec transf...

Page 795: ...rce This option is used to modify a crypto map when it is applied to an interface EXAMPLE ALU config crypto map exampleMap ipsec ike examplePolicy ALU config crypto map exampleMap TO ATTACH MATCH LIST TO A CRYPTO MAP Note If you try to attach a match list to a crypto map that already has one it overrides the existing match list EXAMPLE ALU config crypto map exampleMap match matchlist1 ALU config c...

Page 796: ...ig crypto map exampleMap no transform set Command in Crypto Map CM Description peer ip address This command attaches a peer to a crypto map Note You can attach a maximum of four peers to a crypto map no peer ip address The no command detaches the specified peer attached to a crypto map Note You cannot delete a peer from the crypto map if the crypto map is attached to an interface Command in Crypto...

Page 797: ...TO ATTACH PFS GROUP TO A CRYPTO MAP EXAMPLE ALU config crypto map exampleMap pfs group1 ALU config crypto map exampleMap no pfs Command in Crypto Map CM Description pfs group1 group2 group5 This command attaches a PFS group to a crypto map Note If no PFS group is attached to a crypto map group2 PFS is used no pfs The no command disables PFS completely ...

Page 798: ...eMap lifetime kilobytes 1005236 ALU config crypto map exampleMap no lifetime seconds ALU config crypto map exampleMap no lifetime kilobytes Command in Crypto Map CM Description lifetime kilobytes 512 2147483647 seconds 540 86400 This command configures lifetime for a crypto map Use Kilobytes keyword to configure lifetime in kilobytes and use Seconds keyword to configure lifetime in seconds for a c...

Page 799: ...against the crypto map and to use the specified policy during connection or security association negotiation EXAMPLE ALU config interface GigabitEthernet7 0 ALU config if GigabitEthernet7 0 crypto map exampleMap ALU config if GigabitEthernet7 0 no crypto map exampleMap Command in Crypto Map CM Description ike identity name This command attaches an IKE identity to a crypto map no ike identity The n...

Page 800: ...nection can override the global DPD configuration by specifying its own DPD policy in its crypto map TO CONFIGURE DPD GLOBALLY EXAMPLE ALU config crypto ike dpd interval 10 timeout 35 ALU config no crypto ike dpd Command in CM Description crypto ike dpd interval 5 3600 timeout 5 72000 This command configures the DPD globally with the interval in seconds for which the keep alive messages will be se...

Page 801: ...fined both the dpd none command and no dpd command produce the same result Command in Crypto Map CM Description dpd interval 5 3600 timeout 5 72000 none This command configures a DPD at the crypto map mode This command allows all connections associated with a crypto map to use a DPD policy that is different from the global policy The keyword none disables DPD for all the connections associated wit...

Page 802: ...072 service timestamps log interface GigabitEthernet7 0 ip address 2 2 2 2 8 mac addr 0000 4567 6789 no shutdown interface GigabitEthernet7 1 ip address 1 1 1 2 8 mac addr 0000 3456 4567 no shutdown ip route 3 0 0 0 8 2 2 2 1 match list m1 1 ip prefix 1 0 0 0 8 prefix 3 0 0 0 8 ipsec Policy configuration crypto ike key linux peer 2 2 2 1 Key in Use by 1 cryptomap s crypto ike policy ike proposal m...

Page 803: ...tones com my id fqdn flintstones com my cert cert_flintstones crypto ike key topSecret peer 100 1 200 4 crypto ike key anotherTopSecret peer 126 2 34 68 crypto ike dpd interval 15 timeout 60 crypto ike policy default proposal sha1 aes128 ipsec security association lifetime seconds 28800 lifetime seconds 86400 pfs group2 crypto ike policy examplePolicy proposal sha1 aes256 ipsec security associatio...

Page 804: ... default transform set default pfs group2 lifetime seconds 28800 Not Applied to Any Interface TO VIEW CRYPTO MAP EXAMPLE ALU config show crypto map crypto map ALU2 ipsec ike ike peer 202 192 192 1 match m1 transform set default pfs group2 Applied to GigabitEthernet7 1 interface GigabitEthernet7 1 crypto map ALU2 The following example displays the details for a specified crypto map ALU show crypt...

Page 805: ...onds 3600 pfs group2 crypto ike policy ALU2 proposal md5 3des ipsec security association lifetime seconds 28600 lifetime seconds 2500 pfs group5 The following is an example of the crypto policy with default values ALU config show crypto ike policy crypto ike policy sample proposal sha1 aes128 ipsec security association lifetime seconds 28800 lifetime seconds 3600 pfs group2 Command in SUM CM Descr...

Page 806: ... seconds 3600 TO VIEW CRYPTO IPSEC TRANSFORM SET EXAMPLE ALU show crypto ipsec transform set crypto ipsec transform set myset esp md5 3des Transform Set in Use by 1 cryptomap s ALU show crypto ipsec transform set myset crypto ipsec transform set myset esp md5 3des Command in SUM CM Description show crypto ipsec transform set name This command displays all the transform sets configured If the Trans...

Page 807: ...fb59c time left 28793secs 0kb esp sa id 12 Decaps 7 Decrypt 7 Auth 7 Errors 0 OUTBOUND ESP Algo crypt DES CBC len 64 auth SHA1 HMAC len 160 TUNNEL MODE Replay Detection Enabled Yes ESP spi 0x541a7498 time left 28793secs 0kb esp sa id 16 Encaps 7 Encrypt 7 Auth 7 Errors 0 Command in SUM CM Description show crypto ipsec sa interface name map name peer ip address This command displays IPsec SA detail...

Page 808: ... END RSA PRIVATE KEY ALU config show crypto rsa key exampleKey public key BEGIN PUBLIC KEY ...

Page 809: ... my id DN CN CM Burns O ALU C IN my cert cert_Burns crypto ike identity exampleIdentity peer id user fqdn selma_bouvier ALU com peer ca CN ALU OU Certificate Authority C US my id DN CN Bart Simpson O ALU C US my cert cert_Simpson ALU config show crypto ike identity exampleIdentity crypto ike identity exampleIdentity peer id user fqdn selma_bouvier ALU com peer ca CN ALU OU Certificate Authority C ...

Page 810: ... Exponent 65537 0x10001 X509v3 extensions X509v3 Basic Constraints CA FALSE Netscape Comment OpenSSL Generated Certificate X509v3 Subject Key Identifier 88 75 2D 47 AC E8 AB C3 5F 9F E1 93 6B 7E 07 9C A3 B0 24 CB X509v3 Authority Key Identifier keyid 05 98 D...

Page 812: ... Exponent 65537 0x10001 X509v3 extensions X509v3 Subject Key Identifier A8 80 7E 54 63 61 76 66 DE E0 98 6C 10 31 6D EB 1E 9D 4C 46 X509v3 Authority Key Identifier keyid A8 80 7E 54 63 61 76 ...

Page 814: ... EXAMPLE ALU config show crypto crl ca ALUCA pem BEGIN X509 CRL ...

Page 815: ... Exponent 65537 0x10001 X509v3 extensions X509v3 Subject Key Identifier 05 98 D2 25 D3 18 12 A1 C7 4B 7A 98 D2 D8 25 73 2B 6B AE B1 X509v3 Authority Key Identifier keyid 05 98 D2 25 D3 18 12 A1 C7 4B 7A 98 D2 D8 25 73 2B 6B AE B1 DirName CN CA_0x01 O ALU serial 00 X509v3 Basic Constraints CA TRUE Signature A...

Page 816: ... END CERTIFICATE TO VIEW CSR...

Page 817: ... Exponent 65537 0x10001 Attributes a0 00 Signature Algorithm md5WithRSAEncryption ... ALU config show crypto certificate request req_Simpson pem BEGIN CERTIFICATE REQUEST ...

Page 818: ... an outbound SA EXAMPLE ALU clear crypto ipsec sa all ALU ALU clear crypto ipsec sa 16 ALU Command in SUM CM Description clear crypto ipsec counters This command is used to reset the IPsec SA related counters for Encapsulation Encryption Authentication and Error Command in SUM CM Description clear crypto ipsec sa all sa_index This command is used to clear all the IPsec SAs or IPsec SAs correspondi...

Page 819: ...ypto ike key rtalukdar peer 10 0 0 1 ALU config match list m1 ALU config match list m1 ip prefix 20 0 0 0 24 prefix 10 0 0 0 24 ALU config match list m1 top ALU config crypto map demomap ipsec ike default ALU config crypto map demomap match m1 ALU config crypto map demomap peer 10 0 0 1 ALU config crypto map demomap top ALU config show crypto crypto ike key rtalukdar peer 10 0 0 1 crypto ike polic...

Page 820: ...systems EDITING A MATCH LIST ATTACHED TO THE CRYPTO MAP ALU config match list tunnel ALU config match list tunnel 1 ip prefix 10 91 0 0 24 prefix 10 0 0 0 24 ALU config crypto map cryp tunnel ipsec ike default ALU config crypto map cryp tunnel match tunnel Now if we want to tunnel traffic from 192 168 0 0 24 to 10 0 0 0 24 ALU config match list tunnel ALU config match list tunnel 1 ip prefix 10 91...

Page 821: ...h nxt tunnel With respect to editing a match list within a crypto map consider the following scenarios CASE I DELETION OF THE MATCH LIST USED BY A CRYPTO MAP Match list cannot be deleted if it is attached to a crypto map CASE II DELETION OF THE RULE IN A MATCH LIST USED BY A CRYPTO MAP A rule in the match list cannot be deleted if the match list is attached to a crypto map CASE III MODIFYING THE R...

Page 822: ...ue preshared keys are tied to a specific IP address Group Group preshared keys are tied to a group name identity Wild card These keys are not associated with any factor unique information to determine a peer s identity Since a Wild Card Key is not tied to a specific IP address it should not be used when deploying site to site VPN tunnels When using Wild Card keys every single device uses the same ...

Page 823: ...ame can be found at the following site http www nist gov public_affairs releases g01 111 htm Data Integrity is brought about using HASH algorithms like MD5 and SHA 1 SHA 1 is considered to be more secure than MD5 because of its greater bit strength SHA 1 uses 160 bit hash algorithm while MD5 uses only 128 bit It is recommended to use SHA 1 instead of MD 5 Both the IPsec phases offer the ability to...

Page 824: ...sec are applied on same interface public From a performance perspective this is not a good conjunction Hence the OA 700 allows you to use the bypass command to bypass all the NAT traffic and allow only the IPsec traffic This can be achieved in the following ways Note The match list used in IPsec should be applied as bypass rule in NAT with higher priority as compared to the match list specifying t...

Page 825: ...ROUTING ENTRY For IPsec tunnel to come up you must have a routing entry for the destination address in the match list For example match list m1 ip prefix 10 0 0 0 8 prefix 9 0 0 0 8 This is applied to the crypto map attached to interface gig3 1 Then you should have a routing entry ip route 9 0 0 0 8 gig3 1 Otherwise the tunnel will not come up ...

Page 826: ...es it easier to deploy NAT and IPsec together by resolving these issues NAT T uses UDP User Datagram Protocol encapsulation This enables NAT devices to change IP or port addresses without modifying the IPsec packet Additionally to prevent an IKE aware NAT from modifying IKE packets IPsec NAT T peers change the IKE UDP port of 500 to the UDP port 4500 during IKE negotiation There is no configuratio...

Page 827: ...m1 1 ip prefix 10 0 0 0 24 prefix 10 91 0 0 24 ALU config interface GigabitEthernet 7 0 ALU config if GigabitEthernet7 0 ip address 202 50 24 2 24 ALU config if GigabitEthernet7 0 crypto map map1 ALU config if GigabitEthernet7 0 show crypto crypto ike key secret peer 202 50 24 1 crypto ike policy default proposal sha1 aes128 ipsec security association lifetime seconds 28800 lifetime seconds 86400 ...

Page 828: ... 24 1 24 ALU config if GigabitEthernet7 0 crypto map map1 ALU config show crypto crypto ike key secret peer 202 50 24 2 crypto ike policy default proposal sha1 aes128 ipsec security association lifetime seconds 28800 lifetime seconds 86400 pfs group2 crypto ipsec transform set default esp sha1 aes256 esp sha1 3des esp md5 aes256 esp md5 3des crypto map map1 ipsec ike default peer 202 50 24 2 match...

Page 829: ...affic needs to be secure Tunnel fail over can be handled by having traffic routed through another tunnel interface Allows dynamic routing protocols to run over the tunnel BEFORE YOU CONFIGURE IPSEC TUNNEL INTERFACE Here are a few guidelines that you need to pay attention to when configuring the OA 700 for the IPsec Tunnel interface 1 Routing setup must be in order 2 The interface must be a con...

Page 830: ...rity association lifetime in seconds 28800 iv Default IKE lifetime in seconds 86400 Default authentication mechanism Preshared Keys PSK If a transform set is not configured the default transform set is applied to the profile Following are the default values for transform set i esp sha1 des ii esp md5 des If a crypto map is not configured you can attach the default profile to an interface Following...

Page 831: ...all these parameters preshared key X 509 certificates IKE policy Transform Set are already given in the earlier sections of the document hence it is not repeated in this section Use the links to see the specific commands Configure a preshared key using See IPsec Configuration with Preshared Key Note While configuring preshared key for IPsec Tunnel interface the peer address should be the destinati...

Page 832: ...e See To Administratively Bring Up Shutdown the Tunnel Interface Configure IP address for the tunnel interface See To Configure IP Address on a Tunnel Interface Set the mode on the tunnel interface See To Configure Mode on a Tunnel Interface Configure the tunnel source for the tunnel interface See To Configure Source IP Address for the Tunnel Configure the tunnel destination on the tunnel interfac...

Page 833: ...IPSEC TUNNEL INTERFACE CONFIGURATION FLOW Figure 32 IPsec Tunnel Interface Configuration Flowchart ...

Page 834: ...iations established via IKE Note Force This option is used to modify an IPsec profile when it is applied to an interface EXAMPLE ALU config crypto ipsec profile PF1 ALU ipsec profile PF1 TO ATTACH AN IKE POLICY TO AN IPSEC PROFILE Note If no IKE policy is attached to an IPsec profile default IKE policy is used EXAMPLE ALU ipsec profile PF1 ike policy IKE1 ALU ipsec profile PF1 no ike policy Command...

Page 835: ... EXAMPLE ALU ipsec profile PF1 pfs group2 ALU ipsec profile PF1 no pfs Command in IPsec Profile CM Description transform set name This command is used to attach an already configured transform set to an IPsec profile no transform set The no command detaches the specified transform set attached to the profile Note A transform set must be first detached from the profile to delete it globally Command...

Page 836: ...rofile if the Authentication type is rsa sig EXAMPLE ALU ipsec profile PF1 ike identity ID01 ALU ipsec profile PF1 no ike identity Command in IPsec Profile CM Description lifetime kilobytes 512 2147483647 seconds 540 86400 This command configures lifetime for an IPsec profile Use kilobytes keyword to configure lifetime in kilobytes and use seconds keyword to configure lifetime in seconds for a pro...

Page 837: ...IP ADDRESS ON A TUNNEL INTERFACE EXAMPLE ALU config if Tunnel1 ip address 20 20 20 20 24 ALU config if Tunnel1 ip address 192 168 0 1 255 255 255 255 Command in CM Description interface Tunnel 0 14487 This command is used to configure a tunnel interface Command in ICM Description no shutdown This command is used to administratively bring up the tunnel interface shutdown This command is used to adm...

Page 838: ...thernet7 0 ALU config if Tunnel1 no tunnel source 2 2 2 1 or ALU config if Tunnel1 no tunnel source GigabitEthernet7 0 Command in ICM Description mode gre ipsec This command is used to set the mode on tunnel interface To configure IPsec tunnel interface set the mode to IPsec Note By default tunnel is configured in GRE mode Command in ICM Description tunnel source ip address interface name This com...

Page 839: ...pecified policy during connection or security association negotiation EXAMPLE ALU config if Tunnel1 ipsec profile PF1 ALU config if Tunnel1 no ipsec profile PF1 Command in ICM Description tunnel destination ip address This command sets the destination IP address of the tunnel at the remote end no tunnel destination ip address The no command removes the configured destination IP address Command in ...

Page 840: ...LE CONFIGURATION EXAMPLE ALU config show crypto ipsec profile crypto ipsec profile PF1 ike policy secret transform set transet1 ike identity ID01 pfs group2 lifetime seconds 28800 Applied to interface Tunnel1 ipsec profile PF1 ALU config Command in SUM CM Description show crypto ipsec profile profile name This command displays the IPsec profile details ...

Page 841: ...IPSEC TUNNEL CONFIGURATION SCENARIOS USING OA 700 The OA 700 topology below consists of the following components 1 OA 700 1 Alcatel Lucent Brick Figure 33 IPsec Tunnel Interface Configuration Topology ...

Page 842: ...1 ALU ipsec profile PF1 pfs group2 c Configure an interface ALU 1 config interface GigabitEthernet7 1 ALU config if GigabitEthernet7 1 no shutdown ALU config if GigabitEthernet7 1 ip address 2 2 2 1 d Configure a tunnel interface ALU 1 config interface Tunnel 1 ALU 1 config if Tunnel1 no shutdown ALU 1 config if Tunnel1 ip address 192 168 0 1 255 255 255 255 ALU 1 config if Tunnel1 mode ipsec e Sp...

Page 843: ... Command Reference Guide Note IDS IDS and IDS signature update is a licensed feature and not part of the basic security package To enable this functionality you need to first install the license For more information on how to install the license refer to License Manager chapter This chapter includes the following sections IDS Overview IDS Configuration IDS Configuration Scenario Using OA 700 CHAPT...

Page 844: ...uspicious patterns that may indicate an attempt to attack break in or otherwise compromise a system IDS can be network based or host based passive or reactive and can rely on either misuse detection or anomaly detection ALCATEL LUCENT SPECIFIC OVERVIEW The OA 700 supports Snort engine for IDS functionality IDS CONFIGURATION Refer to the following sections to configure IDS IDS Configuration Steps I...

Page 845: ...s Update Snort Rule See To Update Snort Rule Rollback Snort Rule Database See To Rollback Snort Rule Database Manually Rebuild Signature Database See To Manually Rebuild Signature Database Modifying Snort Rule for detecting intrusion See To Modify Group Level Detection Enable Disable Snort Rule See To Enable Disable Snort Rule Modify Snort Rule See To Modify Snort Rule Prevent Snort Rule Modificat...

Page 846: ... if interface name no shutdown Example ALU config if GigabitEthernet7 0 no shutdown Step 9 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config if GigabitEthernet7 0 ip address 20 20 20 20 24 Step 10 Attach the configured firewall policy to appropriate interfaces in the ingress direction of the interface S...

Page 847: ...IDS CONFIGURATION FLOW Figure 34 IDS Configuration Flow ...

Page 848: ...nsor1 snort no threshold ALU config firewall no intrusion sensor sensor1 snort Command in FwCM Description intrusion sensor name snort no threshold threshold 1 4294967295 1 4294967295 Use this command to create an intrusion sensor based on snort Enter this command in the Firewall configuration mode Use the threshold keyword to configure the threshold for the sensor Use the no threshold keyword to ...

Page 849: ...ion on the no crypto release refer to the release note EXAMPLE ALU config firewall intrusion snort update instant https https uid pwd ids alu com signature tar gz rebuild Command in FwCM Description intrusion snort This command enters the snort configuration mode Command in Intrusion Snort CM Description update instant scheduled daily hh mm ss monthly 1 31 hh mm ss weekly Sunday Monday hh mm ss de...

Page 850: ... http http private server path to the directory signature 2 3 49 tar gz passive This will update to signature 2 3 49 without checking whether it is latest or not TO ROLLBACK SNORT RULE DATABASE EXAMPLE ALU config firewall intrusion snort rollback 2 3 1 TO MANUALLY REBUILD SIGNATURE DATABASE EXAMPLE ALU config firewall intrusion snort rebuild 2 3 0 TO MODIFY GROUP LEVEL DETECTION EXAMPLE ALU config...

Page 851: ...d unknown sid 1292 rev 8 Modification of rule to EXTERNAL_NET is shown below ALU config firewall intrusion snort rule modify 1292 content alert tcp EXTERNAL_NET any EXTERNAL_NET any msg ATTACK RESPONSES directory listing flow from_server established content Volume Serial Number classtype bad unknown sid 1292 rev 8 Command in Intrusion Snort CM Description rule enable category name classtype name p...

Page 852: ... classtype name priority high low medium reset category name classtype name priority high low medium This command enables you to modify the group level prevention Command in F PCM Description 1 65535 match all any match list name intrusion sensor name detection prevention reset Enter this command in the Firewall Policy Configuration mode This command is used to attach an intrusion sensor to a fire...

Page 853: ...nterface EXAMPLE ALU config interface GigabitEthernet7 0 ALU config if GigabitEthernet7 0 firewall policy in P1 Command in ICM Description firewall policy in out policy name This command is used to attach a firewall policy to which an intrusion sensor is attached to an interface in in or out direction Firewall policy is applied to the ingress incoming traffic if the in keyword is used Firewall pol...

Page 854: ...ion sensor sensor1 snort intrusion sensor sensor4 snort intrusion sensor s1 snort exit TO VIEW ARCHIVES EXAMPLE ALU show firewall intrusion snort archives Version no Details Date of Download Time of Downl 2 3 0 Current initial Command in SUM Description show firewall intrusion sensor name Use this command to view intrusion sensor configuration details Command in SUM Description show firewall intru...

Page 855: ... 27 51 ppote Exp POLICY RULES alert tcp EXTERNAL_NET any HOME_NET 21 msg POLICY FTP anonymous login at alert tcp HOME_NET 23 EXTERNAL_NET any msg POLICY WinGate telnet server we have started to see multiple versions of this beyond 003 003 so we have expanded this signature to take that into account alert tcp EXTERNAL_NET any HOME_NET any msg POLICY VNC server response More Command in SUM Descripti...

Page 856: ...15 reference nessu alert udp any 19 any 7 msg DOS UDP echo chargen bomb reference cve 1999 0103 reference cve 1999 0635 classtype attempted dos sid 271 rev 4 TO VIEW DISABLED RULES GROUPS EXAMPLE ALU show firewall intrusion snort rule disable SID Command in SUM Description show firewall intrusion snort rule category name classtype name disable category classtype pri ority sid priority high low med...

Page 857: ...ICS EXAMPLE ALU show firewall intrusion snort statistics rule all Command in SUM Description show firewall intrusion snort statistics interface name Use this command to display Snort statistics on a specified interface Command in SUM Description show firewall intrusion snort statistics preprocessor back orifice http inspect rpc stream4 Use this command to display statistics for a specific Snort pr...

Page 858: ...TO VIEW REPORTS AND STATUS OF SNORT SIGNATURE UPDATE EXAMPLE ALU show firewall intrusion snort update report Command in SUM Description show firewall intrusion snort update report status Use this command to display the status of the Snort signature database update ...

Page 859: ...r http inspect TO CLEAR GROUP LEVEL SNORT STATISTICS EXAMPLE ALU clear firewall intrusion snort statistics rule all num class type class type1 Command in SUM Description clear firewall intrusion snort statistics Use this command to clear Snort statistics Command in SUM Description clear firewall intrusion snort statistics preprocessor back orifice http inspect rpc stream4 Use this command to clear...

Page 860: ...ug firewall session filter nat attack alg intrusion selector saddr ip address daddr ip address protocol number sport number dport number output permanent all detail level This command turns on the debugging functionality for IDS on the OA 700 The selector keyword allows you to debug only selected traffic no debug firewall session filter nat attack alg intrusion selector saddr ip address daddr ip a...

Page 861: ...exit Step 2 Create an intrusion sensor ALU config firewall ALU config firewall intrusion sensor ids1 snort ALU config intrusion sensor ids1 exit Step 3 Create a firewall policy ALU config firewall ALU config firewall policy p1 ALU config firewall p1 Step 4 Attach match list and intrusion sensor to the firewall policy and specify the action detection or prevention ALU config firewall p1 match m1 in...

Page 862: ...IDS TOPOLOGY The topology consists of the following components OA 780 3 PCs with 2 PCs running Nessus TEST CASE In the topology given below OA 780 is configured in the Prevention mode Attacks from PC 1 and PC 2 running application Nessus are intercepted by the OA 780 and dropped Figure 35 IDS Topology ...

Page 863: ...corresponding default values refer to the OmniAccess 700 CLI Command Reference Guide This chapter includes the configuration steps CLI syntax with its description and configuration examples The commands are described in the sequential order of configuration This chapter includes the following sections GRE Overview GRE Tunnel Configuration GRE Configuration Scenarios using OA 700 CHAPTER CONVENTION...

Page 864: ...der to establish a tunnel a GRE tunnel must be configured from the remote endpoint No intermediary routers need to be configured and the tunnel rides on top of the standard IP The only requirement is that the tunnel must be configured in a context where the remote endpoint is reachable If the remote address of a GRE tunnel is not reachable then any circuit associated with that tunnel is brought do...

Page 865: ...ce are not visible to the other routing table instance unless it is explicitly redistributed Therefore even though customer routes are present in our routing table they will not be picked up by the provider OSPF instance Therefore it is possible for us to have independent OSPF routing instances for the VPN going over the tunnel and the connectivity to the provider network In terms of BGP it is pos...

Page 866: ...eader and transport the payload over the GRE tunnel GRE protocol header size minimum without any options is 4 bytes GRE header format is as follows Reserved0 0 13 bits Ver 0 bits Protocol 16bits GRE uses the ethernet protocol identifiers from RFC 1700 to identify the type of protocol packet that is being tunnelled GRE packet is encapsulated using an outer IP header Outer IP header s protocol value...

Page 867: ...ing up the interface ALU config if interface name no shutdown Example ALU config if GigabitEthernet7 0 no shutdown Step 3 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config if GigabitEthernet7 0 ip address 20 20 20 20 24 Step 4 Configure a Tunnel interface See To Configure a Tunnel Interface Administrati...

Page 868: ...Configure the tunnel destination on the tunnel interface See To Configure Destination IP Address for the Tunnel Set the tunnel DF BIT See To Set the Tunnel DF BIT Optional To resolve tunnel source and destination See To Resolve Tunnel Source and Destination from a Different VRF Optional ...

Page 869: ...GRE CONFIGURATION FLOW Figure 36 GRE Configuration Flow ...

Page 870: ...hutdown ALU config if Tunnel7 shutdown TO CONFIGURE IP ADDRESS ON A TUNNEL INTERFACE EXAMPLE ALU config if Tunnel7 ip address 20 20 20 20 24 Command in CM Description interface Tunnel 0 14487 This command is used to create a tunnel interface Command in ICM Description no shutdown This command is used to administratively bring up the tunnel interface shutdown This command is used to administrativel...

Page 871: ...XAMPLE ALU config if Tunnel7 tunnel source 10 91 0 7 or ALU config if Tunnel7 tunnel source GigabitEthernet7 0 ALU config if Tunnel7 no tunnel source 10 91 0 7 or ALU config if Tunnel7 no tunnel source GigabitEthernet7 0 Command in ICM Description mode gre ipsec This command is used to set the mode on tunnel interface Note By default tunnel is configured in the GRE mode Command in ICM Description ...

Page 872: ...stination of a tunnel should belong to the same VRF This command allows you to deploy VRF lite solution with a single WAN link EXAMPLE ALU config if Tunnel7 tunnel vrf ALU vrf1 Command in ICM Description tunnel destination ip address This command sets the destination IP address of the tunnel at the remote end no tunnel destination ip address The no command removes the configured destination IP add...

Page 873: ... GRE was used to transport non routable protocols like SNA and non IP protocols like IPX Appletalk and DECnet since normal IP Security IPsec configurations could not transfer routing protocols such as OSPF In current applications IPsec provides security by encrypting packets sent over GRE tunnels The following features can be configured on a GRE Tunnel GRE GRE IP Filters DoS GRE over IPsec 1 GRE C...

Page 874: ...nel end points ALU 1 config if Tunnel1 tunnel source 2 2 2 1 ALU 1 config if Tunnel1 tunnel destination 2 2 2 3 ON OA700 2 a Configure a tunnel interface ALU 2 config interface tunnel 1 ALU 2 config if Tunnel1 ip address 192 168 0 2 255 255 255 0 ALU 2 config if Tunnel1 no shutdown b Specify tunnel end points ALU 2 config if Tunnel1 tunnel source 2 2 2 3 ALU 2 config if Tunnel1 tunnel destination ...

Page 875: ...2 GRE IP FILTERS DOS CONFIGURATION Figure 38 GRE IP Filters DoS Configuration Topology GRE IP filters DoS can be configured to deny permit specific traffic through the GRE tunnel ...

Page 876: ...nfig if tunnel1 ip filter in tr access ALU 1 config if tunnel1 exit Create Firewall Policy for protecting the network against DOS attacks 1 Configure a rule using match list for any packet that matches classification 2 Create an attack policy which includes the signature against DoS attack 3 Create a firewall policy which uses the rule and attack policy created earlier 4 Apply the firewall policy ...

Page 877: ...3 GRE OVER IPSEC CONFIGURATION The following figure displays a typical scenario to configure GRE over IPsec Figure 39 GRE IPsec Configuration Topology IPsec is used for transport mode encryption for tunneled traffic only Ensure tunnel end point reachability from OA700 1 ...

Page 878: ...b Configure an IKE policy ALU 1 config crypto ike policy test ALU 1 config ike pollicy test proposal md5 des ALU 1 config ike pollicy test ipsec security association lifetime seconds 28800 ALU 1 config ike pollicy test lifetime seconds 86400 ALU 1 config ike pollicy test pfs group2 c Configure an IKE Key ALU 1 config crypto ike key test1234 peer 2 2 2 3 d Configure a transform set ALU 1 config cry...

Page 879: ...fic 1 gre host 2 2 2 3 host 2 2 2 1 b Configure an IKE policy ALU 2 config crypto ike policy test1 ALU 2 config ike pollicy test1 proposal md5 des ALU 2 config ike pollicy test1 ipsec security association lifetime seconds 30000 ALU 2 config ike pollicy test1 lifetime seconds 86400 ALU 2 config ike pollicy test1 pfs group2 c Configure an IKE Key ALU 2 config crypto ike key testtest1 peer 2 2 2 1 d ...

Page 880: ...Generic Routing Encapsulation ...

Page 881: ...s CLI syntax with its description and configuration examples The commands are described in the sequential order of configuration This chapter includes the following sections TF Overview TF Configuration TF Configuration on OA 700 The TF Overview section serves as additional information on the Transparent Firewall You can skip this section and directly go to the configuration section of this cha...

Page 882: ...ted devices from a subnet to traverse the firewall while access to other devices on the same subnet is denied OA 700 SPECIFIC OVERVIEW OA 700 supports TF on Ethernet interface Services Engine Gigabit Ethernet IP packets on the TF are subjected to L3 filters that can be applied on the ingress egress path on an interface The TF framework allows ARP packets and IP packets to be bridged across the TF e...

Page 883: ...LU config interface name Example ALU config interface GigabitEthernet3 0 ALU config if GigabitEthernet3 0 Step 2 Administratively bring up the interface ALU config if interface name no shutdown Example ALU config if GigabitEthernet3 0 no shutdown Step 3 Configure TF on an interface and optionally attach TF policy See Step 4 on the interface See To Configure TF on an Interface Note An interface can...

Page 884: ...Transparent Firewall TF CONFIGURATION FLOW Figure 40 TF Configuration Flow ...

Page 885: ...0 If the TF policy TF1 is attached to the GigabitEthernet3 0 the following command detaches it from the interface ALU config interface GigabitEthernet3 0 ALU config if GigabitEthernet3 0 no transparent forward TF1 Command in ICM Description transparent forward tf policy name interface interface name This command is entered in the Interface Configuration mode This command is used to configure TF fe...

Page 886: ...delete a TF policy If the policy is attached to any of the interfaces it cannot be deleted The force keyword will automatically detach the specified policy from respective interfaces and delete the TF policy Command in TF CM Description pass through protocol 1 65535 appletalk ipx nonip This command is used to define how the non IP packets should be treated in a TF configuration Using this command...

Page 887: ...et7 1 transparent forward interface GigabitEthernet7 0 exit transparent forward tf pass through protocol ipx exit interface GigabitEthernet7 0 transparent forward tf interface GigabitEthernet7 1 exit ALU config Command in SUM CM Description show transparent forward name This command is used to view all the TF policies configured in the system If a TF policy is specified then the details of the spe...

Page 888: ...rent forward statistics Command in SUM CM Description show transparent forward statistics tf policy name This command is used to display the statistics of all the TF policies configured in the system If a policy name is specified then the statistics for the specified TF policy are displayed This displays the number of IP ARP IPX Appletalk other protocol packets excluding the above forwarded by TF ...

Page 889: ...STEPS Quick Steps 1 Create a TF policy and configure the pass through protocol 2 Configure TF on an interface Detailed Steps Step 1 Create a TF policy for bridging IPX packets transparently ALU config transparent forward TF1 ALU config transparent forward TF1 pass through protocol ipx Step 2 Configure an interface apply the TF policy for forwarding IP ARP and IPX packets coming in on GigE 3 1 to G...

Page 890: ...Transparent Firewall ...

Page 891: ...Access 700 CLI Command Reference Guide This chapter includes the following sections CAC Overview CAC Configuration CAC Configuration on OA 700 The CAC Overview section serves as additional information on CAC functionality You can skip this section and directly go to the configuration section of this chapter CHAPTER CONVENTIONS Acronym Description CAC Call Admission Controller CM Configuration M...

Page 892: ...ngent on its QoS requirement and sensitive to latency and packet loss CAC is required for such traffic CAC is therefore a deterministic and informed decision that is made before a voice call is established It is based on the availability of the network resources that are required to provide suitable QoS for the new call There are different mechanisms which can be used to provide CAC functionality ...

Page 893: ... That is if calls are to be admitted based on bandwidth interface should have an egress QoS policy configuration with bandwidth specified for RTP traffic Hierarchical queuing is supported for CAC Thus QoS policy should contain some priority class with bandwidth specified for RTP traffic that is to be allowed Both absolute and percentage bandwidth is supported If bandwidth is not configured call ad...

Page 894: ...C object See To Create a CAC Object Step 4 Configure parameters bandwidth call threshold or both under a CAC object See To Configure Parameters Under a CAC Object Note The following configurations are pre requisite for bandwidth based CAC Match list that matches voice traffic Class map with a match list for RTP traffic QoS policy map Traffic class as priority class with bandwidth configuration App...

Page 895: ...gabitEthernet7 0 no shutdown Step 7 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config if GigabitEthernet7 0 ip address 20 20 20 20 24 Step 8 Enable CAC on an interface See To Enable CAC on an Interface Step 9 Enable priority call configuration See To Enable Priority Call Configuration Optional Step 10 U...

Page 896: ...Call Admission Controller CAC CONFIGURATION FLOW Figure 41 CAC Configuration Flow ...

Page 897: ... config ac TO CREATE A CAC OBJECT EXAMPLE ALU config ac call admission control mycac1 ALU config ac cac mycac1 ALU config ac no call admission control mycac1 Command in CM Description admission control This command enters the Admission Control Configuration Mode This mode allows you to configure CAC specific configuration Command in AC CM Description call admission control cac object name This com...

Page 898: ...call threshold 10 ALU config ac cac mycac1 no protocol sip bandwidth Command in AC CAC Object CM Description protocol sip bandwidth call threshold 1 500 This command is used to configure protocol type bandwidth limit for the number of active calls in a CAC object When bandwidth is configured for CAC calls are allowed depending on the bandwidth availability The bandwidth information is obtained fro...

Page 899: ...f bandwidth is specified then the QoS policy should be configured on the interface When a primary interface goes down the backup interface comes up and the calls will be transferred on the backup interface and corresponding bandwidth will be reserved If sufficient bandwidth is not available on the backup interface all the calls using lower bandwidth and having maximum duration will be selectively ...

Page 900: ... active in this scenario also priority calls will be allowed We can configure priority calls based on the extension exact match of the extension or prefix match of the extension If an extension matches both prefix and exact exact match configuration will be taken into consideration Two levels of priority are provided high and medium EXAMPLE ALU config ac cac priority call extension exact 9000 high...

Page 901: ...call priority call extension exact 911 high call admission control mycac1 protocol sip bandwidth call threshold 10 interface GigabitEthernet7 0 admission control cac mycac1 interface GigabitEthernet7 1 admission control cac mycac1 Command in SUM CM Description show admission control cac cac object name This command displays the configured CAC object s This command displays priority configuration p...

Page 902: ...shold Statistics Call Threshold 10 Active Call Count 0 Priority Call Count 0 Rejected Call Count 0 Bandwidth Statistics Policy 2 Class 40 Total Bw 1000000 bps Used Bw 0 bps Command in SUM CM Description show admission control statistics cac interface name This command displays the CAC statistics that includes total used and free bandwidth for all the interfaces It also displays total call count ca...

Page 903: ...ion control statistics active calls Interface GigabitEthernet7 0 Protocol SIP No of Active Calls 1 Priority Source IP Destination IP Call_id H 5 5 5 1 2 2 2 2 5579eee99e407494 Command in SUM CM Description show admission control cac call priority This command displays the priority call configuration details Command in SUM CM Description show admission control statistics active calls interface inte...

Page 904: ... 0 Command in SUM CM Description clear admission control statistics cac interface name This command clears the rejected call count on all the interfaces If the interface name is specified it clears the rejected call count on the specified interface Command in SUM CM Description clear admission control active calls interface interface name call id extension This command releases CAC resources bandw...

Page 905: ...e egress interface on which CAC is to be applied 5 Enter Admission Control configuration mode and configure a CAC object 6 Configure parameters bandwidth call threshold or both under a CAC object 7 Enable CAC on an interface Detailed Steps Step 1 Configure match list that matches voice traffic ALU config match list cac match ALU config match list cac match 1 udp any any type rtp Step 2 Configure c...

Page 906: ...ace ALU config interface GigabitEthernet7 0 ALU config if GigabitEthernet7 0 admission control cac mycac VERIFY CAC CONFIGURATION Verify the CAC configuration by using the following show commands ALU config show admission control cac mycac call admission control mycac protocol sip bandwidth call threshold 20 interface GigabitEthernet7 0 admission control cac mycac ALU config show admission control...

Page 907: ... the basic package To enable this functionality you need to first install the license For more information on how to install the license refer to License Manager chapter Also note that if a valid license for Telephony Service is installed after enabling the feature you have to explicitly execute telephony enable see To Enable Disable Telephony Functionality on OA 700 command for the feature to fun...

Page 908: ... Configuration Mode ALU config FXO Foreign Exchange Office FXS Foreign Exchange Station IVR Interactive Voice Response MOH Music On Hold PSTN Public Switched Telephone Network PCRE PERL Compatible Regular Expression ROR Remote Office Resiliency SIP Session Initiation Protocol SME Small and Medium Enterprises SUM Super User Mode ALU VS Voice Survivability ...

Page 909: ... to be forwarded to an external call server OA 700 IN SURVIVABILITY MODE In any typical enterprise deployment all the voice related functionality is implemented at the central office Branch offices rely on it for call processing voice messaging IVR MOH etc The figure below depicts typical enterprise deployment This deployment model has been popularized by major VoIP vendors as it reduces overall c...

Page 910: ... and use third party PSTN gateway functionality for PSTN connectivity The figure below depicts a branch office deployment scenario where OA 700 solution is used as access solution with IP based call server running on it to provide communication between the local phones during survivability mode It also shows a partner product being used as a PSTN gateway for external world connectivity of local ph...

Page 911: ...ario for OA 700 Products VOICE SURVIVABILITY PROCESS IN OA 700 ROR and call server modules are the main constituents of VS process The main tasks of Telephony Service are as follows ROR continuously finds the status of call servers WAN link and directs the calls to alternate call servers like secondary tertiary when primary is down The call server on OA 700 provides local server features ...

Page 912: ...ink remote call servers becomes operational it completes any existing calls on the local server then turns it off and pass all the voice calls to the appropriate call server CALL SERVER MODULE IN TELEPHONY SERVICE PROCESS The call server provides the following features Connect calls between IP phones Connect calls between IP phones and PSTN gateway Provide call handling features like call routing ...

Page 913: ...s to IP phones in head office or other branch office have to be routed via PSTN Hence all the call handling features may not be available for these types of calls Also note calls to external phones is supported by configuring a specific user dial plan These calls are routed via the WAN link provided the link is up The number of external calls that can be made is based on the capacity of PSTN gatew...

Page 914: ...gateway product Lifeline provides a relay for connecting FXO and FXS ports directly so that calls can be made using analog phones via PSTN connected to the FXO port IP PHONES Configuration of IP phones is not done on OA 700 IP phones can be configured via software images loaded onto them using TFTP server configured on the OA 700 ADDITIONAL CONFIGURATION ON OA 700 FOR ENHANCED TELEPHONY SERVICE FU...

Page 915: ...config Step 2 Enter Telephony Service mode See To Enter Telephony Service Mode Step 3 Configure telephony client See To Configure Telephony Client Step 4 Enable telephony functionality on OA 700 See To Enable Disable Telephony Functionality on OA 700 Note Telephony client should be configured before enabling the telephony functionality Step 5 Configure dial plan See Configure Dial Plan Optional Co...

Page 916: ...figure Call Server on ROR Step 6 Call Server Optional Parameters Configure dial plan See Configure Dial Plan Configure default dial plan for local calls See To Configure Dial Plan for Local Calls Configure dial plan rule for local external PSTN calls See To Configure Dial Plan Rule for Local External PSTN Calls Note If a third party PSTN gateway is being used for the external calls then configurin...

Page 917: ...TELEPHONY SERVICE CONFIGURATION FLOW Figure 44 OA 700 in Stand alone Mode Configuration Flow Figure 45 OA 700 in Survivability Mode Configuration Flow ...

Page 918: ...k and the call servers EXAMPLE ALU telephony service telephony identity address 3 3 3 50 name 2000 Command in CM Description telephony service This command enters the Telephony Service Mode Command in Telephony Service Mode Description telephony identity address client ip address name client user name vrf vrf name This command is used to configure the IP address and name of a telephony client Note...

Page 919: ...ephony service telephony disable Command in Telephony Service Mode Description telephony enable This command enables telephony functionality on OA 700 Note When you execute this command if a valid license for Telephony Service is not installed the following message License not available for telephony feature is displayed For more information on how to install the license refer to License Manager c...

Page 920: ...s applied Command in Telephony Service Mode Description ror callserver address ip address priority 1 5 vrf vrf name This command is used to configure IP address of the call server like primary secondary call server to the list of call servers maintained by ROR and its priority Priority is used to set the priority for the call server Value as 1 in priority parameter corresponds to primary call serv...

Page 921: ...s 1 If no dial plans are configured then the following default dial plan is considered telephony default dialplan dest num pattern 0 9 4 Destination pattern of any four digit telephony user dialplan rule 1 pattern 1 9 1 d user 2222 Destination pattern starting with non zero number followed by any number telephony user dialplan rule 2 pattern 0 1 1 9 1 d user 2222 Destination pattern starting with ...

Page 922: ... following example calls to phones having 3 characters followed by 2 digits will be successful ALU telephony service telephony default dialplan dest num pattern a z 3 0 9 2 Command in Telephony Service Mode Description telephony default dialplan dest num pattern number pattern This command is used to configure the dial plan for local numbers within the LAN registered with the call servers Note Des...

Page 923: ... but calls with characters will be dropped ALU telephony service telephony default dialplan dest num pattern d 6 In the following example calls to phones having 3 characters followed by 2 digits will be successful All 4 digit and 5 digit calls will also be allowed ALU telephony service telephony default dialplan dest num pattern a z 3 0 9 2 0 9 4 d 5 7 In the following example calls with any numbe...

Page 924: ...ony user dialplan rule 2 pattern 2776407 user 2202 3 3 3 202 ALU telephony service telephony user dialplan rule 3 pattern d user 3303 3 3 3 124 Command in Telephony Service Mode Description telephony user dialplan rule 1 3 pattern destination number pattern user pstn gateway extension number gateway ip address This command is used to configure dial plan rules for local external numbers You can con...

Page 925: ... is checked against rule 2 of telephony user defined dialplan If the match is found then call will be forwarded to 2202 If all the above match fails it is checked against rule 3 of telephony user defined dialplan which matches and then the call is forwarded to 3303 In the following example calls with 4 digits will be successful and the call will be forwarded to the dialled number at the specified ...

Page 926: ...ng the response for the keep alive Retry Count X Retry After determines the time before the call servers are declared down Command in Telephony Service Mode Description ror keep alive message register options retry count 1 6 retry after 30 3600 This command is used to configure the message type message interval and the message count for the keep alive message Keep alive type can be either Register...

Page 927: ... the outbound proxy server on both the phone and OA 700 Also the IP address of the outbound proxy server should not be the same as any of the ROR call servers Command in Telephony Service Mode Description ror display message interval 30 3600 This command is used to configure the interval in seconds at which the display messages is to be transmitted to the phones from the ROR module The default ror...

Page 928: ...er 100 0 0 12 Priority 3 Status True Survivability Mode Enable Status InActive When all call servers are down OA 700 switches to survivability mode ALU config show telephony status Call Server 100 0 0 10 Priority 1 Status False Call Server 100 0 0 11 Priority 2 Status False Call Server 100 0 0 12 Priority 3 Status False Survivability Mode Enable Status Active When no call servers are configured OA...

Page 929: ... 3 3 101 Agent PolycomSoundPointIP SPIP_300 UA 2 1 3 0028 Expires 2008 11 27 12 54 42 User 3310 100 0 0 12 Contact sip 3310 3 3 3 101 Agent PolycomSoundPointIP SPIP_300 UA 2 1 3 0028 Expires 2008 11 27 12 56 44 User 3310 100 0 0 10 Contact sip 3310 3 3 3 101 Agent PolycomSoundPointIP SPIP_300 UA 2 1 3 0028 Command in SUM CM Description show telephony registered users This command displays the deta...

Page 930: ...onfig show telephony identity details telephony name 2000 telephony address 3 3 3 50 TO VIEW KEEP ALIVE MESSAGE DETAILS EXAMPLE ALU config show ror keep alive message details keep_alive_message type is REGISTER keep_alive_message retry count 3 keep_alive_message retry interval 30 seconds Command in SUM CM Description show telephony identity details Displays the IP address and name of the telephony...

Page 931: ...ion 0 0 7 caller number 220 callee number 3310 1 total TO VIEW ROR UPTIME EXAMPLE ALU config show ror uptime 0 0 32 uptime is in hh mm ss format Command in SUM CM Description show telephony running call details Displays call information caller and callee user name duration of the call and total number of calls during Survivability and Stand alone mode Command in SUM CM Description show ror uptime ...

Page 932: ...rity 2 ror callserver address 100 0 0 12 priority 3 ror keep alive message register retry count 1 retry after 30 telephony default dialplan dest num pattern 0 9 3 telephony user dialplan rule 1 pattern 2 1 7 77 777 6 1 4 1 0 1 7 1 user 3301 3 3 3 124 telephony user dialplan rule 2 pattern 2776407 user 2202 3 3 3 202 telephony user dialplan rule 3 pattern d user 3303 3 3 3 124 telephony debug level...

Page 933: ... DEBUG COMMANDS TO SET DEBUG LEVEL EXAMPLE ALU config telephony debug level 7 Command in SUM CM Description telephony debug level 0 7 This command enables debugging of Telephony Service features 0 disables debugging 1 7 specifies the depth of the debugging information to be viewed The higher the number, the more detailed the debugging information displayed The default debug level is 0 ...

Page 934: ...OA 700 IN STAND ALONE MODE Consider a scenario with no call servers configured and OA 700 solution is used as a Stand alone Call Server to provide communication between the local phones Also a partner product is used as a PSTN gateway for external world connectivity of local phones during WAN link failure Figure 46 OA 700 in Stand alone Mode Configuration Example ...

Page 935: ... functionality on OA 700 ALU telephony service telephony enable Step 4 Configure dial plan for local external PSTN calls ALU telephony service telephony user dialplan rule 1 pattern 2 1 7 2 6 1 4 1 0 1 7 1 user 3301 10 2 1 1 Step 5 Configure dial plan for external calls via WAN link ALU telephony service telephony user dialplan rule 2 pattern 1234 user 5000 100 0 0 1 In the above scenario where th...

Page 936: ...scenario where OA 700 solution is used as access solution with IP based call server running on it to provide communication between the local phones during survivability mode Also a partner product is used as a PSTN gateway for external world connectivity of local phones during WAN link failure Figure 47 OA 700 in Survivability Mode Configuration Example ...

Page 937: ...ervice ror callserver address 10 91 10 1 priority 1 ALU telephony service ror callserver address 10 91 10 2 priority 2 ALU telephony service ror callserver address 10 91 10 3 priority 3 Step 5 Configure dial plan for local external PSTN calls ALU telephony service telephony user dialplan rule 1 pattern 2 1 7 2 6 1 4 1 0 1 7 1 user 3301 10 2 1 1 In the above scenario when the primary call server go...

Page 938: ...SHOW COMMANDS Verify the telephony configuration and status by using the show commands like show telephony status show telephony config ...

Page 941: ...ften include availability uptime bandwidth throughput latency delay and error rate This chapter includes the following sections QoS Overview QoS Configuration QoS Test Scenarios on OA 780 QoS over Tunnel Interface QoS on Frame Relay Per PVC Queuing CHAPTER CONVENTIONS Acronym Description SUM Super User Mode ALU CM Configuration Mode ALU config ICM Interface Configuration Mode ALU config interface ...

Page 942: ...ata A network monitoring system must typically be deployed as a part of QoS to ensure that networks are performing at the desired level QoS supports voice and data service simultaneously on the OA 700 This includes controlled resource sharing by providing bandwidth guarantee for different classes It also provides features that make QoS configuration simpler by means of Auto QoS commands GENERIC TER...

Page 943: ...lling network traffic It differentiates IP traffic so that the traffic's relative priority could be determined on a per hop basis It helps certain types of traffic like voice get precedence over others DIFFERENTIATED SERVICES FIELD DS FIELD Defines the packet's class or type in a Diff serve domain The classical TOS field in the IP header is renamed as DS field Six bits of the DS field are used as a...

Page 944: ...s are classified using common classifier and exploits the one pass classification feature on the OA 700 These packets based on classification are grouped into a class QoS is applied on each flow FEATURES SUPPORTED BY OA 700 1 Traffic policy definition and policy management 2 Packet Classification Multi field packet classification Behavior Aggregate BA classification TOS Precedence based classifica...

Page 945: ...ded packets user configurable DSCP to Queue Mapping Static 7 DiffServ EF AF Expedited Forwarding PHB Assured Forwarding PHB Architecture for Differentiated Service 8 Egress queues configurable at interface or sub interface level Queuing per Interface LAN WAN Queuing per Virtual Circuit FR T1E1 Queuing per Tunnel Hierarchical up to 4 levels 9 Bandwidth Management Priority Queuing Bandwidth Allocati...

Page 946: ...flow before implementing the QoS Figure 48 Data Traffic before Policing And Shaping In the above diagram the portion marked red implies the packet flow exceeding the allowed bandwidth level If QoS is not implemented all these packets are dropped [Plot: Traffic Without Shaping and Policing; axis: Arrival Rate in kb; Available bandwidth 128 kbps] ...

Page 947: ...LICING Figure 49 Data Traffic with Policing The diagram above depicts the traffic flow after implementing Policing Here the packets exceeding the available bandwidth are all dropped This provides for a decent flow of traffic [Plot: Traffic With Policing; axes: Arrival Rate in kb, Time in sec; Available bandwidth 128 kbps] ...

Page 948: ...ping The above diagram depicts the traffic flow after implementing Shaping Here the packets are all shaped and queued The packets exceeding the available bandwidth are queued up and there is no loss of data [Plot: Traffic With Shaping; axes: Arrival Rate in kb, Time in sec; Available bandwidth 128 kbps] ...

Page 949: ...ne possible solution Voice 128 no one else should use this also high priority VPN traffic Total of 768 Kbps to be shared between SMTP and CVS Public Internet Total of 1 MBPS to be shared between web and SMTP A Link sharing scheme to suit this is deployed on the OA 700 with the help of hierarchical link sharing feature on the 2Mbps link as shown in the figure below Class in tree structure will be ...

Page 950: ...Figure 52 Link Sharing Solution Hierarchical queues are configured using service policy command within a policy Thus policy in a policy configuration provides hierarchical link sharing structure ...

Page 951: ... tunnels is depicted in the figure below This type of link sharing is achieved using regular hierarchical link sharing algorithm Figure 53 Link Bandwidth sharing requirements over VPN tunnels In order to provide classification a pre classify command is introduced For the purpose of providing service policy in the tunnel each of the tunnel IPSec or GRE must support interface abstraction QoS policy ...

Page 952: ...hernet7 0 Note 1 Auto QoS can be configured on Gigabit Ethernet Serial Frame Relay FR Multilink Point to Point MLPPP Multilink Frame Relay MLFR and VLAN interfaces To view QoS on Frame Relay interface and sub interface configuration see QoS on FR and FR Sub Interface section in this chapter 2 Auto QoS cannot be configured on tunnel interface Step 2 Administratively bring up the interface ALU confi...

Page 953: ...ace Step 6 Enter into the Interface Configuration Mode ALU config interface name Example ALU config interface GigabitEthernet7 0 ALU config if GigabitEthernet7 0 Note 1 QoS can be configured on Gigabit Ethernet Serial Tunnel Frame Relay FR Multilink Point to Point MLPPP Multilink Frame Relay MLFR and VLAN interfaces To view QoS on Frame Relay interface and sub interface configuration see QoS on FR...

Page 954: ... Note An interface can have only one policy map attached in a direction Step 10 View the Policy map details using the respective show commands See QoS Show Commands Step 11 Clear the queuing interface statistics See QoS Clear Commands QoS Optional Parameters Configure attributes of a Traffic Class See Traffic Class Attributes Configuration Configure Hierarchical Policy See Hierarchical Policy Conf...

Page 955: ...QOS CONFIGURATION FLOW Figure 54 QoS Configuration Flow Auto QoS Procedure ...

Page 956: ...Quality of Service Figure 55 QoS Configuration Flow Standard Procedure ...

Page 957: ...atch list names 3 The match list name is an alphanumeric string You can configure any number of match lists 4 There is no priority among the different match statements It is just a logical OR among them TO CONFIGURE A CLASS MAP EXAMPLE ALU config class map C1 match all ALU config qos C1 ALU config no class map C1 Class Map C1 removed Command in CM Description class map class map name match any all...

Page 958: ...o configure the default class as an argument TO CONFIGURE A POLICY MAP EXAMPLE ALU config policy map P1 ALU config qos P1 ALU config qos P1 no policy map P1 Policy map P1 deleted Command in Class map Mode Description 1 65535 match all any match list name This command is used to configure rules associate match lists and set priority for the rule for a class map The range for the rule is 1 65535 Thi...

Page 959: ... C1 removed Command in Policy map Mode Description description line The description for the policy map configured Command in Policy map Mode Description class class map name class default This command is used to configure a traffic class i e associate a user defined class map to the policy map Use class default keyword to configure the default traffic class to the policy map This command enters Cl...

Page 960: ...ault Note 1 You cannot attach a QoS policy in the egress direction to a serial interface which has MLPPP MLFR encapsulation The system gives a warning message 2 You cannot attach a QoS policy having four levels of hierarchy on a FR interface 3 You cannot attach a policy map on the tunnel interface in the ingress direction EXAMPLE ALU config interface GigabitEthernet 7 0 ALU config if GigabitEthern...

Page 961: ...al parameter of excess burst size The traffic received on a flow that is to be policed is examined The rate of the traffic is compared to a configured token bucket and action is taken based on the result When a sufficient number of tokens is available then the arriving traffic is said to conform and then the corresponding number of tokens are removed from the bucket If there are not enough tokens th...

Page 962: ...fr de fr fecn ip dscp 0 63 dscp mnemonics ip precedence 0 7 precedence mnemonics tos 0 15 tos mnemonics transmit committed burst 40 150000 exceed action drop set ecn ce fr becn fr de fr fecn ip dscp 0 63 dscp mnemonics ip precedence 0 7 precedence mnemonics tos 0 15 tos mnemonics transmit excess burst 40 150000 violate action drop set ecn ce fr becn fr de fr fecn ip dscp 0 63 dscp mnemonics ip pre...

Page 963: ...CLASS Sets the class priority to network control Note Network control class will have the highest priority among all the traffic classes Priority class will have the next priority Default class has the least priority EXAMPLE ALU config qos P1 C1 network control ALU config pmap P1 C1 no network control Command in Class Mode Description priority This command configures the traffic class as a priorit...

Page 964: ...transmitted EXAMPLE ALU config qos P1 C1 shape committed rate 90000 committed burst 6000 ALU config qos P1 C1 no shape TO CONFIGURE QUEUE LIMIT EXAMPLE ALU config qos P1 C1 queue limit 155 ALU config qos P1 C1 no queue limit Command in Class Mode Description shape committed rate 8000 10000000 committed burst 40 150000 peak rate 8000 10000000 excess burst 40 150000 This command sets QoS shaping par...

Page 965: ...s of data traffic between pairs of applications It automatically smooths out bursts to reduce average latency Weighted fair queuing uses some parts of the protocol header to determine flow identity For IP it uses the IP protocol code the source and destination IP addresses and the source and destination TCP or UDP ports Note You can enable or disable fair queue only on the Class Default EXAMPLE AL...

Page 966: ...higher priority packets It can selectively discard lower priority traffic when the interface begins to get congested and provide differentiated performance characteristics for different classes of service WRED can also be configured to ignore the IP precedence when making drop decisions so that non weighted RED behavior is achieved WRED can provide separate thresholds and weights for different IP ...

Page 967: ...nfig qos P1 C1 no random detect values random detect ip precedence 0 7 min thresh 50 750 max thresh 150 950 Use this command to change the default ip precedence based WRED values This command populates the WRED values but does not enable the feature To enable this use random detect ip precedence command Note The queue limit of the traffic class should be greater than the max thresh value no random...

Page 968: ...dth 101 ALU config pmap P1 C1 no bandwidth Command in Class Mode Description set ecn ce fr becn fr de fr fecn ip dscp 0 63 dscp mnemonics ip precedence 0 7 precedence mnemonics tos 0 15 tos mnemonics vlan 1p This command can be used to set IP Precedence IP DSCP ToS flags on the matched packet FECN BECN DE bits marking on the FR interface and 802 1p marking on the VLAN interface no set ecn ce fr be...

Page 969: ...mmand with percentage bandwidth command across sibling classes EXAMPLE ALU config pmap P1 C1 priority bandwidth 101 ALU config pmap P1 C1 no priority Command in Class Mode Description priority bandwidth 101 700000000 percent 1 100 This command is used to set the traffic class as a priority class and configure bandwidth for the same 101 700000000 the absolute bandwidth bps value 1 100 bandwidth in ...

Page 970: ... the class needs Auto QoS configuration automatically gets enabled on the interface These configurations are not editable Note Auto QoS commands are available only in the Interface Configuration mode VOIP AUTO QOS CONFIGURATION Auto QoS VoIP create policies and classes as required by VoIP application VoIP Auto QoS is typically configured on the Serial Interface that has HDLC and PPP encapsulation ...

Page 971: ...fy these match lists and class maps The policy is not applied on to the interface automatically you have to explicitly apply this template on an interface TO CONFIGURE AUTO QOS TEMPLATE EXAMPLE ALU config auto qos template voip p1 ALU config no auto qos template voip p1 Auto QoS template removed Command in ICM Description auto qos diff serv This command enables Auto QoS Diff Serv on an interface a...

Page 972: ...d service policy to the traffic class disable fair queue on the Default Class EXAMPLE 1 Create policies p1 and p2 and configure traffic class c1 and c2 in each of the policy ALU config policy map p1 ALU config qos p1 class c1 ALU config qos p1 c1 ALU config policy map p2 ALU config qos p1 class c2 ALU config qos p1 c2 Now policy p2 can be included in the policy p1 using the service policy command ...

Page 973: ...only one Traffic whole bandwidth is available for the traffic c1 EXAMPLE 3 When a parent policy is having more than one traffic class and some of the class is having the bandwidth configured Consider a policy p1 with two classes c12 and c13 with bandwidth 30 and 70 respectively and policy p2 included in p1 under class c12 ALU config policy map p1 ALU config qos p1 class c12 ALU config qos p1 c12 s...

Page 974: ...child policy on the same RANDOM DETECT RED WRED is applicable only on the leaf class If there is RED WRED configured on a class then child policy can be added on the class But if there is child attached to a class then RED WRED cannot be configured on the class Example 1 Consider a policy p1 with class c1 and random detect enabled And policy p2 without random detect included in p1 ALU config polic...

Page 975: ... the above example class c2 is random detect enable but c1 is not SET MARKING Marking can be configured in every level But marking will be applicable in the leaf level only QUEUE LIMIT Queue limit can be configured in every level But queue limit will be applicable in the leaf level only Example 1 Consider a policy p1 with class c1 and queue limit 150 enabled And policy p2 without queue limit inclu...

Page 976: ...21 ALU config qos p2 c2 queue limit 150 ALU config qos p2 class c22 ALU config qos p2 c2 queue limit 250 ALU config qos p1 c1 service policy p2 In the above example parent class c1 does not have any queue limit but its child classes c21 c22 are having the queue limits 150 and 250 respectively The queue limit of the parent is calculated by this following formula Parent s class queue limit Sum of qu...

Page 977: ...t policy Notes 1 You are not allowed to use the tunnel command in a policy map that is attached to a tunnel interface 2 You can configure tunnel class only if there is a policy map attached to the tunnel interface 3 The maximum level of the policy on the tunnel interface is three 4 QoS preclassify command is used in the interface mode to store the classification index 5 A policy map can have multi...

Page 978: ...f any tunnel class is created then it will use the classification information to classify the encrypted packets Note QoS Pre Classify is applicable on the tunnel interface only EXAMPLE ALU config interface tunnel 1 ALU config tunnel1 qos preclassify ALU config tunnel1 no qos preclassify Command in Policy map Mode Description tunnel Tunnel 0 14487 bandwidth 101 700000000 percent 1 100 This command ...

Page 979: ... from a queue TO VIEW THE CLASS MAP CONFIGURATION EXAMPLE ALU config show class map cmap1 class map c1 match any 1 match any m1 m2 2 match any m2 m4 m5 TO VIEW THE POLICY MAP CONFIGURATION EXAMPLE ALU config show policy map P1 policy map p1 interface serial0 0 0 EGRESS 10 class cm_ef random detect ip dscp 20 class cm_af11 65535 class class default Command in SUM CM Description show class map name ...

Page 980: ...af13 50 150 10 af21 100 150 10 af22 75 150 10 af23 50 150 10 af31 100 150 10 af32 75 150 10 af33 50 150 10 af41 100 150 10 af42 75 150 10 af43 50 150 10 ef 125 150 10 ALU config show random detect defaults ip precedence ip precedence Min Thresh Max Thresh Drop Probability 0 50 150 10 1 60 160 10 2 70 170 10 3 80 180 10 4 90 190 10 5 100 200 10 6 110 210 10 7 120 220 10 Command in SUM CM Descriptio...

Page 981: ... Random drops Tail drops Min Th Max Th Mark Prob be 0 0 50 150 1 10 af11 0 0 100 150 1 10 af12 0 0 75 150 1 10 af13 0 0 50 150 1 10 af21 0 0 100 150 1 10 af22 0 0 75 150 1 10 af23 0 0 50 150 1 10 af31 0 0 100 150 1 10 af32 0 0 75 150 1 10 af33 0 0 50 150 1 10 af41 0 0 100 150 1 10 af42 0 0 75 150 1 10 af43 0 0 50 150 1 10 ef 0 0 125 150 1 10 Class cm_af11 match any match any m1_af11 0 packets tota...

Page 982: ...onfig show queuing statistics interface GigabitEthernet7 0 service policy in p1 class class default Packets dropped 0 Packets dequeued 0 Bytes dequeued 0 class c1 Packets dropped 0 Packets dequeued 0 Bytes dequeued 0 interface GigabitEthernet7 1 service policy out p1 class class default Packets dropped 0 Packets dequeued 0 Bytes dequeued 0 Queue length Packets 0 Command in SUM CM Description show ...

Page 983: ...h any 1 match any m1 class map 3 match any class map c5 match any 3 match any m1 policy map p1 description p1 is the name of the policy map class c1 priority shape committed rate 90000 committed burst 6000 police committed rate 9600 commit action drop committed burst 1500 exceed action drop excess burst 2000 violate action transmit queue limit 155 random detect ip dscp 0 min thresh 50 max thresh 1...

Page 984: ...faces where the QoS policy has been attached EXAMPLE ALU show qos running config Qos Configurations Use show match list NAME to expand the match lists match list m1 match list m2 class map c1 match any 1 match any m1 m2 policy map p1 description p1 is the name of the policy map class c1 priority shape committed rate 90000 committed burst 6000 police committed rate 9600 commit action drop committed...

Page 985: ...22 min threshold 150 max threshold 300 random detect ip dscp af23 min threshold 100 max threshold 300 random detect ip dscp class autoqos class af3 match ip any any dscp af31 match ip any any dscp af32 match ip any any dscp af33 bandwidth percent 20 queue limit 350 random detect ip dscp af31 min threshold 200 max threshold 300 random detect ip dscp af32 min threshold 150 max threshold 300 random d...

Page 986: ...tted rate 350000 committed burst 30000 exceed action drop violate action drop class class default fair queue ALU config show auto qos voip auto qos voip class autoqos voip control class match any tcp any any service range 1719 1720 udp any any service range 1719 1720 udp any any service range 2427 2428 tcp any any service rtsp tcp any any service range 2000 2002 udp any any service 5060 network co...

Page 987: ...eared ingress stats for interface GigabitEthernet 7 0 Success Cleared egress stats for interface GigabitEthernet 7 0 QOS DEBUG COMMANDS TO DEBUG QOS CREDITS EXAMPLE ALU config qos credits debug Command in SUM CM Description clear queuing statistics interface name in out in out This command clears the QoS statistics on that particular interface Command in SUM CM Description qos credits debug This c...

Page 988: ...n OA 780 configure QoS policy to shape the traffic to 5 Mbps using shape command on interesting traffic 1 Define Class maps to Match Egress Traffic ALU config match list allow traffic ALU config match list allow traffic ip host 192 168 1 2 host 192 168 2 2 ALU config class map class1 ALU config cmap match any allow traffic ALU config cmap exit 2 Define Policy map With Class names ALU config policy...

Page 989: ...nuous ping from Traffic Generator to Host B On the OA 780 configure QoS policy to prioritize traffic ICMP as given in the above example Generate additional traffic IP on the Traffic Generator Increase the rate of this secondary IP traffic to exceed line 10 Mbps capacity Since ICMP is given higher precedence by virtue of its high priority ping will still go through even though IP traffic is dropped...

Page 990: ...config qos flow policy priority traffic priority ALU config qos flow policy priority traffic exit 3 Verifying QoS Priority 1 Without configuring QoS on OA 780 send both ping and IP traffic exceeding egress line capacity Since all egress traffic are given same treatment by OA 780 ping gets dropped randomly along with IP traffic 2 By configuring Priority on OA 780 we can verify that IP traffic gets ...

Page 991: ... interface application A will consume all the available bandwidth leaving nothing or only small amount of bandwidth to application B With QoS applied on the interface you can allocate 48 Kbit s bandwidth to application A and 16 Kbit bandwidth to application B This arrangement provides guaranteed access and required bandwidth for both the applications QOS ON FR AND FR SUB INTERFACE QoS can be confi...

Page 992: ... number configured on the interface will be added to the Default policy This ensures equal bandwidth sharing for all the PVCs on the interface If you require a specific bandwidth on a PVC then use the following command frame relay qos bandwidth percent 0 100 The DLCI class in the Default policy will not have any QoS attributes other than bandwidth To configure other QoS parameters a QoS policy wit...

Page 993: ...n FR section in Link Fragmentation and Interleaving chapter for more details on link fragmentation and interleaving on FR Three levels of QoS policy can be configured on the FR interface sub interface in the egress direction In the ingress direction four levels of QoS policies can be configured The QoS policy attached to tunnel interface going through the FR interface will have the restriction of ...

Page 994: ...nfiguration refer to the T1E1 Line Card chapter refer to Frame Relay for FR configuration Step 1 Enter Configuration Mode ALU configure terminal ALU config Step 2 Configure T1 Controller ALU config controller T1 slot port ALU config controller T1 Step 3 Configure the channel group on the controller before entering the Interface Configuration Mode This command creates a channel group that forms a c...

Page 995: ...ring a Serial interface V 35 X 21 refer to Universal Serial Port USP Line Card chapter Step 6 Enter Serial interface configuration mode for Member Link Configuration ALU config interface Serial slot port channel ALU config if Serial slot port channel Example ALU config interface Serial0 0 0 ALU config if Serial0 0 0 Step 7 Administratively bring up the interface ALU config if interface name no shu...

Page 996: ... relay interface dlci 16 1007 Example ALU config interface Serial1 0 0 ALU config if Serial0 0 0 frame relay interface dlci 100 Step 11 Configure bandwidth on a FR interface See To Configure Bandwidth on a FR Interface Optional Step 12 Configure QoS policy on the FR Interface See To Attach a Policy Map to a FR Interface Optional For more information on configuring policy map refer to QoS Configura...

Page 997: ...olicy in P1 ALU config if Serial 0 0 0 no service policy in P1 Note In the above example P1 is the QoS policy map attached to the interface Configurations for the QoS policy map is not shown in this section For more information on configuring policy map and other QoS attributes refer to QoS Configuration in this chapter Command in ICM Description frame relay qos bandwidth percent 0 100 This comman...

Page 998: ...erial slot port channel subchannel Example ALU config interface Serial 0 0 0 1 ALU config if Serial0 0 0 1 Step 3 Configure IP address for the sub interface ALU config if Serial slot port channel subchannel ip address ip address subnet mask ip address prefix length Example ALU config if Serial0 0 0 1 ip address 124 123 10 1 255 255 253 3 Step 4 Repeat 10 to 12 as given in the section QoS on FR Con...

Page 999: ... SHOW COMMANDS TO VIEW BANDWIDTH DETAILS ON FRAME RELAY INTERFACES EXAMPLE ALU config show qos frame relay bandwidth config interface Serial0 2 frame relay qos bandwidth percent 10 interface Serial0 2 0 frame relay qos bandwidth percent 90 Command in SUM CM Description show qos frame relay bandwidth config This command displays the bandwidth configuration details on the FR interfaces ...

Page 1003: ... the commands for DHCP Server configuration For instructions on using the DHCP Server commands and descriptions on each of their parameters with the corresponding default values for each refer to the OmniAccess 700 CLI Command Reference Guide This chapter includes the following sections DHCP Server Overview DHCP Server Configuration DHCP Server Test Scenarios using OA 780 CHAPTER CONVENTIONS Acron...

Page 1004: ...assigning it a unique IP address Many ISPs Internet Service Providers use dynamic IP addressing for dial up users ALCATEL LUCENT SPECIFIC OVERVIEW By default the DHCP service is disabled and you should enable the DHCP server explicitly for the service to become available The DHCP server in the OA 700 provides DHCP clients with an IP address along with other network and boot information based on th...

Page 1005: ...rface Configuration Mode ALU config interface name Example ALU config interface GigabitEthernet7 0 ALU config if GigabitEthernet7 0 Step 2 Administratively bring up the interface ALU config if interface name no shutdown Example ALU config if GigabitEthernet7 0 no shutdown Step 3 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix ...

Page 1006: ... Configure DHCP server optional parameters Exclude IP address from a network range See To Exclude IP Address from a Network Range Configure host pool for manual binding See To Configure a Host Pool Configure DHCP Options See To Configure DHCP Options Step 7 View the DHCP server configuration by using the show commands See DHCP Server Show Commands ...

Page 1007: ...DHCP SERVER CONFIGURATION FLOW Figure 58 DHCP Server Configuration Flow ...

Page 1008: ...unique across the system EXAMPLE ALU config ip dhcp pool p1 vrf alu vrf ALU config dhcp pool p1 ALU config no ip dhcp pool p1 Pool Deleted Command in CM Description service dhcp enable This command is used to enable the DHCP service on the OA 700 By default DHCP service is disabled service dhcp disable This command is used to disable the DHCP service on the OA 700 Command in CM Description ip dhcp...

Page 1009: ...ubnet mask ip address prefix length This command is used to specify the network to which the pool belongs to no network ip address subnet mask ip address prefix length Deletes a configured network pool Command in DHCP Pool CM Description range lower ip address higher ip address automatic This command is used to configure the range of IP addresses within the network of the pool which are used to se...

Page 1010: ...hcp pool p2 exclude ip 1 2 3 65 TO CONFIGURE A HOST POOL EXAMPLE ALU config dhcp pool p2 host 1 2 3 66 1122 aabb 55ff ALU config dhcp pool p2 no host 1 2 3 66 1122 aabb 55ff Command in DHCP Pool CM Description exclude ip ip address This command is used to exclude an IP address of the range from the pool The excluded IP address should exist within the configured range Command in DHCP Pool CM Descri...

Page 1011: ...er RFC 2132 TO CONFIGURE DHCP GLOBAL OPTIONS Command in CM Description no ip dhcp option bootfile name file name vrf vrf name This command is used to configure the boot file for a host no ip dhcp option dns server ip address vrf vrf name This command is used to configure the DNS server IP address to be used by the clients no ip dhcp option domain name name vrf vrf name This command is used to conf...

Page 1012: ... ALU config ip dhcp option domain name ALU ALU config ip dhcp option lease time 1000250 ALU config ip dhcp option log server 1 1 1 1 ALU config ip dhcp option ntp server 1 1 1 1 ALU config ip dhcp option routers 1 1 1 1 ALU config ip dhcp option subnet mask 255 255 255 0 ALU config ip dhcp option tftp server 3 2 2 1 ALU config ip dhcp option time offset 100 no ip dhcp option tftp server string vrf...

Page 1013: ...d by the clients no option lease time 1 4294967295 This command is used to configure the time for which a client can use the IP address assigned to it no option log server ip address This command is used to configure the MIT LCS UDP log server IP address to be used by the clients no option ntp server ip address This command is used to configure the IP address of the Network Time Protocol server to...

Page 1014: ... p1 option dns server 1 2 2 2 ALU config dhcp pool p1 option domain name ALU ALU config dhcp pool p1 option lease time 106400 ALU config dhcp pool p1 option log server 1 1 1 1 ALU config dhcp pool p1 option ntp server 1 1 1 1 ALU config dhcp pool p1 option routers 1 1 1 1 ALU config dhcp pool p1 option subnet mask 255 255 255 0 ALU config dhcp pool p1 option tftp server 3 2 2 1 ALU config dhcp poo...

Page 1015: ...0 Number of leases 50 Pool Range 1 2 3 50 1 2 3 100 Boot File Name boot_image Command in SUM CM Description show ip dhcp options vrf vrf name This command shows all the DHCP global options configured If the VRF name is specified it displays the DHCP global options for the specified VRF If no VRF is specified the options are displayed for the Default VRF Command in SUM CM Description show ip dhcp p...

Page 1016: ...g show ip dhcp bindings dynamic IP Address Hardware Address Lease Expiration Type Pool 10 91 2 87 00 0f fe 3a 63 da Wed Jan 17 23 38 11 2007 DYNAMIC p1 Command in SUM CM Description show ip dhcp bindings dynamic manual pool name vrf vrf name This command shows all the assigned leases the IP addresses allocated to the hosts Dynamic This keyword shows all the dynamically assigned leases of all the p...

Page 1017: ...TO VIEW DHCP SERVER STATISTICS EXAMPLE ALU config show ip dhcp server statistics Message Received DHCPDISCOVER 0 DHCPREQUEST 14 DHCPDECLINE 0 DHCPRELEASE 0 DHCPINFORM 8 Message Sent DHCPOFFER 0 DHCPACK 0 DHCPNAK 0 Command in SUM CM Description show ip dhcp server statistics This command shows the DHCP server statistics ...

Page 1018: ...DHCP SERVER TEST SCENARIOS USING OA 780 Figure 59 DHCP Server Test Scenario using OA 780 Consider a scenario with OA 780 as a DHCP Server with two hosts Host 1 and Host 2 connected to LAN with MAC address 0100 0b6a e295 and 1122 aabb 55ff respectively ...

Page 1019: ...ernet7 0 ip address 20 20 20 20 24 Step 2 Enable DHCP Service on the OA 780 ALU config service dhcp enable Step 3 Configure DHCP pool ALU config ip dhcp pool p1 ALU config dhcp pool p1 Step 4 Configure a Network Pool and Network Range for the pool ALU config dhcp pool p1 network 20 20 20 0 24 ALU config dhcp pool p1 range 20 20 20 50 20 20 20 100 When the host 1 and host 2 sends broadcast request ...

Page 1021: ...the TFTP Server configuration commands For instructions on using the TFTP Server commands and descriptions on each of their parameters with the corresponding default values for each refer to the OmniAccess 700 CLI Command Reference Guide This chapter includes the following sections TFTP Server Overview TFTP Server Configuration CHAPTER CONVENTIONS Acronym Description SUM Super User Mode ALU CM Con...

Page 1022: ...is based on the Open BSD tftp hpa version 1 3 version of the code TFTP services implemented on the OA 700 platform allows you to configure download files from the user area of the USB For the ease of use each file can be added with an alias associated with it and you can get the file referring to the alias name Only tftp get option is allowed and the tftp put requests are silently discarded You ca...

Page 1023: ...uration Flow TFTP Configuration Commands TFTP Show Commands TFTP CONFIGURATION STEPS The following steps details the procedure to configure TFTP server on the OA 700 Step 1 Enable TFTP service See To Enable Disable TFTP Service Step 2 Copy files for download through TFTP and optionally configure alias for easy access See To Configure Files for Download Through TFTP and to Create File Alias Step 3 ...

Page 1024: ...TFTP CONFIGURATION FLOW Figure 60 TFTP Configuration Flow ...

Page 1025: ...ervice on the OA 700 Command in CM Description tftp server user filename with path alias file alias This command is used to specify files allowed for download through the TFTP server Using the alias keyword you can create an alias for the file You can then download the file through this alias instead of its actual path This could be useful if the file s name or path is tedious A file can have mult...

Page 1026: ... voiptest ALU config no tftp server user voip www voip update php ALU config no tftp server alias voiptest TFTP SHOW COMMANDS TO VIEW TFTP FILES EXAMPLE ALU config show tftp files TFTP File Alias a N A tftpd N A voip www voip update php N A voip www voip update php voiptest Command in SUM CM Description show tftp files This command shows the list of files configured for download through the TFTP s...

Page 1027: ...HCP Relay configuration For instructions on using the DHCP Relay commands and descriptions on each of their parameters with the corresponding default values for each refer to the OmniAccess 700 CLI Command Reference Guide This chapter includes the following sections DHCP Relay Overview DHCP Relay Configuration DHCP Relay Test Scenarios using OA 780 CHAPTER CONVENTIONS Acronym Description SUM Super...

Page 1028: ... servers by listening for client DHCP broadcast requests and forwarding them on to the server In addition the Relay Agent receives the server s response and passes the response back to the client The relay agent allows the client and server to reside on different subnets ALCATEL LUCENT SPECIFIC OVERVIEW DHCP Relay forwarding to the DHCP server is implemented directly or via rebroadcast on another ...

Page 1029: ...ce GigabitEthernet7 0 ALU config if GigabitEthernet7 0 Step 2 Administratively bring up the interface ALU config if interface name no shutdown Example ALU config if GigabitEthernet7 0 no shutdown Step 3 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config if GigabitEthernet7 0 ip address 20 20 20 20 24 Ste...

Page 1030: ...DHCP RELAY CONFIGURATION FLOW Figure 61 DHCP Relay Configuration Flow ...

Page 1031: ...d in ICM Description ip dhcp relay dhcp server ip address This command is entered in the Interface Configuration mode This command is used to configure the DHCP server to which the DHCP requests are to be forwarded Note A maximum of four DHCP relays can be configured on an interface no ip dhcp relay dhcp server ip address This command is used to disable all a specific relay configured on an interf...

Page 1032: ...TO VIEW DHCP RELAY CONFIGURATION EXAMPLE ALU config show ip dhcp relay Interface Relay destination GigabitEthernet3 0 192 168 1 1 GigabitEthernet3 0 GigabitEthernet3 1 Command in SUM CM Description show ip dhcp relay interface name This command shows the DHCP Relay configuration of all an interface ...

Page 1033: ...ALU config if GigabitEthernet7 0 ip dhcp relay 192 168 1 1 OR Configure the interface through which the DHCP relay requests have to be rebroadcasted ALU config if GigabitEthernet7 0 ip dhcp relay interface GigabitEthernet 7 1 When the host 2 sends broadcast requests the DHCP Relay listens to them and forwards to the DHCP server The DHCP client receives the server s response and passes the response...

Page 1035: ...for DNS Client configuration For instructions on using the DNS Client commands and descriptions on each of their parameters with the corresponding default values for each refer to the OmniAccess 700 CLI Command Reference Guide This chapter includes the following sections DNS Client Overview DNS Client Configuration DNS Client Test Scenario using OA 780 CHAPTER CONVENTIONS Acronym Description SUM S...

Page 1036: ...DNS CLIENT OVERVIEW The DNS Client functionality on the OA 700 allows for resolution of host names to IP addresses and vice versa DNS CLIENT CONFIGURATION This section includes the following DNS Client Configuration Steps DNS Client Configuration Flow DNS Client Configuration Commands ...

Page 1037: ...thernet7 0 no shutdown Step 3 Configure IP address for the interface ALU config if interface name ip address ip address subnet mask ip address prefix length Example ALU config if GigabitEthernet7 0 ip address 20 20 20 20 24 Step 4 Enable domain lookup See To Enable Disable IP Domain Lookup Step 5 Specify DNS server to which the requests are to be sent See To Specify DNS Server Step 6 Configure DNS...

Page 1038: ...DNS CLIENT CONFIGURATION FLOW Figure 63 DNS Client Configuration Flow ...

Page 1039: ...ess translation By default domain lookup is enabled no ip domain lookup This command is used to disable the domain lookup Command in CM Description ip name server ip address prefer primary secondary ter tiary This command is used to add DNS server to which the resolution requests are be sent You can add maximum of three DNS servers and specify the order of preference to them individually Primary S...

Page 1040: ...in name name This command is used to configure the default domain name which is used in domain lookup no ip domain name name This command is used to remove the default domain name Command in CM Description ip domain list name This command is used to add domain names to the domain list These are the domain names which are to be appended to the host names while lookup By default the default domain n...

Page 1041: ...dress This command is used to remove a static address mapping for a host If the address is specified the removal is successful only if the exact mapping exists Command in CM Description ip host max age 30 31556952 This command is used to configure the maximum time in seconds for which the dynamic host entries will be stored in DNS client cache Host entries will be stored for a time which is the mi...

Page 1042: ... 1 1 1 1 2 1 1 1 3 Dynamic host maximum age seconds 300 Address Type TTL Name 64 233 187 99 static www google com 216 109 112 135 dynamic 294 yahoo com TO CLEAR DYNAMIC HOST INFORMATION EXAMPLE ALU config clear host Command in SUM CM Description show hosts This command shows all the configuration parameters and all learned name address mappings Command in SUM CM Description clear host host name Th...

Page 1043: ...erver CONFIGURATION STEPS Step 1 Enable domain lookup on the OA 780 ALU config ip domain lookup Step 2 Specify DNS name server to which the requests are to be sent ALU config ip name server 192 168 1 1 primary When user tries to ping to a host by issuing the command ping URL a DNS query request is sent by OA 780 to the DNS server When the OA 780 gets a valid response with the IP address for the UR...

Page 1047: ...l view and take back up of these license files For more detailed information on the parameter descriptions and their corresponding default values refer to the OmniAccess 700 CLI Command Reference Guide This chapter includes the configuration steps CLI syntax with its description and configuration examples for the license manager component The commands are described in the sequential order of confi...

Page 1048: ...are contained in a set of license files that will describe the features authorized to run on the OA 700 License Manager helps in managing these license files Note The license file is in XML format Based on the user requirement Alcatel Lucent would generate an appropriate license ALCATEL LUCENT SPECIFIC FEATURES Ability to install backup and show licenses Serial number and date of issue for a licen...

Page 1049: ... 50 0 0 2 Remote Port Enter for default Source Path File tftpboot ipsec740 lic home testuser ipsec740 lic Username anonymous testuser Password License file downloaded successfully 1 License for feature IPSEC installed successfully Issued on Thu Aug 21 11 53 20 2008 Chassis ID WL0537000214 Serial num 3 Details IP Security Encryption Attributes Name Value VALIDITY UNLIMITED 2 License for feature IDS...

Page 1050: ...ed License is empty C This is an example of installing a license file that is corrupt The license file is digitally signed and even a change of single character corrupts it ALU config license install ftp Address name of remote host 50 0 0 2 Remote Port Enter for default Source Path File home testuser testipsec740 lic Username anonymous testuser Password License file downloaded successfully 1 Licen...

Page 1051: ... Source Path File home testuser testipsec740 lic home testuser test1 lic Username anonymous testuser Password License file downloaded successfully 1 License for feature IPSEC was not issued for this chassis Issued on Tue Sep 16 11 32 00 2008 Chassis ID ND0536000298 Serial num 3 Details IP Security Encryption Attributes Name Value VALIDITY UNLIMITED 2 License for feature IDS UPDATE was not issued f...

Page 1052: ...xample of installing a license file with an incorrect format not as per Alcatel Lucent s specifications ALU config license install fpkey License name wrong_format lic Failed The file is not of proper format TO BACK UP A LICENSE FILE EXAMPLE ALU config license backup ipsec740 lic user Backup license name ipsec740 lic License backed up successfully Command in SUM Description license backup license n...

Page 1053: ...ued on Thu Aug 21 11 53 20 2008 Chassis ID WL0537000214 Serial num 3 Details IP Security Encryption Attributes Name Value VALIDITY UNLIMITED Command in SUM Description license remove license name This command is used to remove the specified license file It checks for valid licenses in the file being deleted The command also asks for confirmation for deletion Once confirmed this would delete the li...

Page 1054: ...ttributes Name Value VALIDITY UNLIMITED ALU show licenses ipsec740 lic 1 License for feature IPSEC is valid License ipsec740 lic Issued on Thu Aug 21 11 53 20 2008 Chassis ID WL0537000214 Serial num 3 Details IP Security Encryption Attributes Name Value VALIDITY UNLIMITED 2 License for feature IDS UPDATE is valid License ipsec740 lic Issued on Thu Aug 21 11 53 20 2008 Chassis ID WL0537000214 Seria...

Page 1055: ...fied Name rw 1879 Aug 21 12 23 ipsec740 lic ALU config dir licenses Permission Size Date modified Name rw 1879 Aug 21 12 23 ipsec740 lic Command in SUM CM Description show licenses feature list This command is used to view a list of all licensable features present on the OA 700 The features shown require a license for their functioning The command also specifies whether a license has been installe...

Page 1056: ...DISPLAY MESSAGES The following messages are displayed by License Manager across all commands Message Condition Cannot complete the operation now When the License Manager is busy and is not responding Unable to connect to backend When the License Manager is not functioning ...

Page 1059: ...oring of various system components both hardware and software with automated recovery procedures When a drastic failure condition occurs the system switches to the Lifeline Mode which allows only management of the OA 780 When the automated recovery procedures fail the component is turned off and flagged for attention to the system administrator The key success factors for a unified services platfo...

Page 1060: ...description and configuration examples The commands are described in sequential order of configuration This chapter describes why the system switches to the Lifeline Mode its behavior under various scenarios and commands with their syntax specific to the Lifeline Mode CHAPTER CONVENTIONS Acronym Description CM Configuration Mode ALU config NOC Network Operations Center ...

Page 1061: ...dedicated architecture multiple access mechanisms to reach the system and unified management of all services TERMS USED IN LIFELINE Lifeline Mode A state of the OA 780 system When the system experiences a critical hardware or software failure it discontinues control data plane functions but continues to provide remote access for management purposes only Normal Mode The state of the system in regul...

Page 1062: ...ate bus architecture dedicated processors dedicated switching fabric and separate management software processes This enables complete isolation of system management functions from packet processing and control plane functions As a result management access to the system is unaffected under conditions such as failure of a data plane function like routing or firewall or high main processor utilizatio...

Page 1063: ... Management Architecture It plays a critical role in ensuring that access to system management functions through the management plane is always available This will be elaborated further in the following section using a few example scenarios LIFELINE SOFTWARE Lifeline Manager Lifeline Manager is a Lifeline software architecture unit responsible for detecting and responding to system failures This m...

Page 1064: ...tiated to ensure uninterrupted access through management plane processes running on a different line card as illustrated below Figure 67 Uninterrupted Access to System Management As a result full management functionality is available for rapid troubleshooting and corrective action In traditional solutions such a scenario would have led to a complete loss of management access and functionality The ...

Page 1065: ...most cases a restart of the feature will resolve the issue and the problem is fixed without any manual intervention If there is an extended failure within a very short interval of time typically two minutes an alarm is raised to trigger manual intervention for troubleshooting and restart of the feature The Lifeline management framework ensures that remote management access is always available for ...

Page 1066: ...is enabled SNMP traps are sent according to configuration indicating the failure INTERFACE CARDS THAT ARE CURRENTLY SUPPORTED T1 or E1 line cards all L2 encapsulation protocols available on the T1 or E1 ports in Normal Mode are supported in Lifeline Mode viz HDLC PPP and Frame Relay and L2 GE Layer 2 line cards FUNCTIONALITY AVAILABLE IN LIFELINE MODE The following functions are available when OA ...

Page 1067: ...the configuration of additional routing information that can be used when the system goes to the Lifeline mode OPERATION OF OA 780 IN LIFELINE MODE When there is a failure on the OA 780 and it switches to the Lifeline Mode remote in band access of the system is possible This is an exclusive feature of the OA 780 It enables the administrator to access the system using the same network interface and...

Page 1068: ...omponents The configuration commands will allow you to update and save the running and startup configuration of the system potentially with the intention of repairing the failure that caused the system to go into Lifeline Mode SPECIAL LIFELINE PROMPT When the OA 780 is in the Lifeline Mode the CLI prompt changes from hostname to Lifeline hostname TO ENABLE DISABLE LIFELINE EXAMPLE ALU config life...

Page 1069: ...anagement station Note You must ensure that this route is reasonable and correct and that other routers along the route path chosen are willing to handle the routing as well This route is similar to a default static route The interface used for forwarding packets via this route must be one of the line cards that support lifeline See Interface Cards that are Currently Supported EXAMPLE ALU config l...

Page 1070: ...nnected S static M mcstatic B BGP A ASE IA OSPF inter area route E1 OSPF external type 1 route E2 OSPF external type 2 route N1 OSPF NSSA external type 1 route N2 OSPF NSSA external type 2 route candidate default route Gateway of last resort is not set 10 0 0 0 22 is subnetted 1 subnet 10 91 0 0 0 0 is directly connected GigabitEthernet7 1 Command in Lifeline Mode Description show lifeline This co...

Page 1071: ...of the OA 780 Lifeline mode is the change in CLI prompt Lifeline hostname On seeing this prompt you should issue the show lifeline command which will display the reason for the failure Based on the failure in the OA 780 which caused it to go into the Lifeline Mode specific action has to be taken to repair corresponding to the faults so the OA 780 can be restored to Normal Mode Command in Lifeline ...

Page 1072: ...ration corresponds to the IP addresses shown in the equipment connection diagram above OA 780 CPE Router NVRAM config last updated at 06 31 57 GMT Tue Nov 15 2005 from line 0 Statlog Configuration logging on logging buffered priority 6 logging buffered size 128 logging console 6 logging system 6 logging remote 10 0 1 56 port 514 priority 5 Syslog to NOC terminal service timestamps log Chassis mana...

Page 1073: ...shutdown channel group 0 timeslots 1 24 T1 Interface defined top controller T1 4 1 top controller T1 4 2 top controller T1 4 3 top interface Serial4 0 0 Note Any PPP Frame Relay configuration currently does not apply ip address 7 7 7 1 24 IP address of T1 WAN interface encapsulation hdlc Encapsulation is set to HDLC no shutdown top interface GigabitEthernet7 0 ip address 172 16 0 3 16 Branch offic...

Page 1074: ...line con 0 end ...

Page 1075: ...Part 11 Application Hosting Application Services Engine ASE ...

Page 1077: ...s Engine ASE in the OmniAccess 700 The Web Cache Server Overview section serves as additional information on the Web Cache Server You can skip this section and directly go to the configuration section of this chapter Note The Web Cache implementation uses Squid public domain software licensed under the terms of the GNU General Public License CHAPTER CONVENTIONS Acronym Description CM Configurat...

Page 1078: ...WEB CACHE SERVER OVERVIEW Web Cache provides local caching of Internet web pages onto the local server This provides faster access to the pages and also reduces the bandwidth required REFERENCE www squid cache org www visolve com ...

Page 1079: ...Step 1 Enter ASE mode See To Enter ASE Configuration Mode Step 2 Configure ASE IP address See To Configure IP Address for ASE Step 3 Install Web Cache See To Install Web Cache Server Step 4 Configure Web Cache Server parameters See Web Cache Server Parameters Optional Step 5 Start the Web Cache Server See To Start Web Cache Service Step 6 View the Web Cache configuration See Web Cache Show Command...

Page 1080: ...WEB CACHE CONFIGURATION FLOW Figure 69 Web Cache Configuration Flow ...

Page 1081: ...IGURE IP ADDRESS FOR ASE EXAMPLE ALU config ase ase address 1 2 2 3 Note All applications hosted on the ASE will be accessible via this address Make sure this address is reachable via appropriate routing TO INSTALL WEB CACHE SERVER EXAMPLE ALU config ase application web cache install Command in CM Description ase Enters into the ASE configuration mode Command in ASE Mode Description ase address i...

Page 1082: ...TO SAVE WEB CACHE SERVER CONFIGURATION EXAMPLE ALU config ase application web cache save Command in ASE Mode Description application web cache start This command starts the Web Cache service This applies the latest configuration Command in ASE Mode Description application web cache stop This command stops the Web Cache service Command in ASE Mode Description application web cache restart This comm...

Page 1083: ...ORE DEFAULT CONFIGURATION EXAMPLE ALU config ase application web cache default TO UNINSTALL RADIUS SERVICE EXAMPLE ALU config ase application web cache uninstall Command in ASE Mode Description application web cache default This command restores the default configuration Command in ASE Mode Description application web cache uninstall This command uninstalls the Web Cache Server ...

Page 1084: ...Bungled squid conf line 5 http_access deny test Squid Cache Version 2 5 STABLE10 Terminated abnormally WEB CACHE NETWORK CONFIGURATION This section describes the network address configuration commands TO ENTER THE CONFIGURE NETWORK MODE EXAMPLE ALU config webcache cache network ALU config webcache network Command in ASE Mode Description webcache Enters the Cache configuration mode Command in Web C...

Page 1085: ...EER CACHE MODE EXAMPLE ALU config webcache cache peercache ALU config webcache peer Command Equivalent Squid Directive Reference Web page http port 80 1025 65535 http_port port http www visolve com squid squid24s1 network php icp port 0 1025 65535 icp_port port htcp port 0 1025 65535 htcp_port port tcp outgoing address ip address tcp_outgoing_address ip address udp incoming address ip address udp...

Page 1086: ...hostname type http_port icp_port options http www visolve com squid squid24s1 neighbour php hierarchy stoplist words hierarchy_stoplist words no cache allow deny acl name 0 2147483647 no_cache deny allow aclname cache_peer_domain ip address host name domain name cache_peer_domain cache_host domain domain neighbor type domain ip address host name multicast parent sibling domain name neighbor_type_d...

Page 1087: ...CACHE SIZE CONFIGURATION TO ENTER THE CACHE SIZE MODE EXAMPLE ALU config webcache cache cachesize ALU config webcache size Command in Web Cache Mode Description cache cachesize This command is used to enter into the cache size module ...

Page 1088: ...m object size 0 2147483647 maximum_object_size bytes minimum object size 0 2147483647 minimum_object_size bytes maximum object size in memory 0 2147483647 maximum_object_size_in_memory bytes ipcache_low 0 100 ipcache_low percentage ipcache_high 0 100 ipcache_high percentage ipcache size 0 2147483647 ipcache_size number of entries fqdncache size 0 2147483647 fqdncache_size number of entries cach...

Page 1089: ..._nameservers IPaddress http www visolve com squid squid24s1 externals php ftp username name ftp_user username ftp list width 0 2147483647 ftp_list_width number ftp passive off on ftp_passive on off dns retransmit interval 0 2147483647 minutes seconds dns_retransmit_interval time units dns timeout 0 2147483647 minutes seconds dns_timeout time units authenticate ttl 0 2147483647 hours minutes secon...

Page 1090: ...UNING THE WEB CACHE This section describes the important parameters that determine the Web Cache performance TO ENTER THE TUNING MODE EXAMPLE ALU config webcache cache cachetuning ALU config webcache tuning Command in Web Cache Mode Description cache cachetuning This command is used to enter into the tuning module ...

Page 1091: ...x_size KB MB negative ttl 0 2147483647 hours minutes seconds negative_ttl time units positive dns ttl 0 2147483647 hours minutes seconds positive_dns_ttl time units negative dns ttl 0 2147483647 hours minutes seconds negative_dns_ttl time units quick abort min 0 2147483647 kb mb quick_abort_min KB MB quick abort max 0 2147483647 kb mb quick_abort_max KB MB quick abort pct 0 100 quick_abort_pct pe...

Page 1092: ...TIMEOUT CONFIGURATION TO ENTER THE TIMEOUT MODE EXAMPLE ALU config webcache cache timeout ALU config webcache timeout Command in Web Cache Mode Description cache timeout This command is used to enter into the timeout module ...

Page 1093: ...147483647 days minutes seconds weeks peer_connect_timeout time units client_lifetime 0 2147483647 days minutes seconds weeks client_lifetime time units read_timeout 0 2147483647 days minutes seconds weeks read_timeout time units request_timeout 0 2147483647 days minutes seconds weeks request_timeout seconds half_closed_clients off on half_closed_clients on off pconn_timeout 0 2147483647 days min...

Page 1094: ...hese commands can be used to grant access to the users based upon the various parameters like source destination address source destination domain protocol port etc The relevant commands are described below TO ENTER ACCESS CONTROL MODE EXAMPLE ALU config ase webcache cache accesscontrol ALU config webcache acl Command in Web Cache Mode Description cache accesscontrol This command enters into the a...

Page 1095: ...in name acl aclname srcdomain domain name acl_dest_domain acl name domain name acl aclname dstdomain domain name acl_source_domain_regex acl name domain name regex acl aclname srcdom_regex pattern acl_dest_domain_regex acl name domain name regex acl aclname dstdom_regex pattern acl_time acl name SMTWHFA 0 23 0 59 0 23 0 59 acl aclname time day abbreviations h1 m1 h2 m2 acl_url_regex acl name i reg...

Page 1096: ...me acl aclname proxy_auth username acl_proxy_auth_regex acl name i regex acl aclname proxy_auth_regex i pattern acl_req_mime_type acl name mime type pattern acl aclname req_mime_type pattern aclsnmp_community acl name community string acl aclname snmp_community community http_access allow deny acl name 0 2147483647 http_access allow deny aclname icp_access allow deny acl name 0 2147483647 icp_acce...

Page 1097: ...EXAMPLE ALU config webcache delete acl my_acl src ident_lookup_access allow deny acl name 0 2147483647 ident_lookup_access allow deny aclname http_reply_access allow deny acl name 0 2147483647 http_reply_access allow deny aclname This is complementary to http_access Added to the squid 2 5 http www visolve com squid squid30 accesscontrols php http_reply_access Command in Web Cache Mode Descriptio...

Page 1098: ...st 20 no_cache deny QUERY 30 http_access allow all 40 http_reply_access allow all 50 icp_access deny all 60 miss_access allow all 70 ident_lookup_access deny all 80 reply_body_max_size 0 allow all Now use the no command to delete the acl test ALU config webcache acl no acl_src test 1 2 3 4 nm 255 255 255 0 The following show command shows that the ACL test is also removed from the access rule http...

Page 1099: ... ALU config webcache admin CACHE ADMIN PARAMETERS Command in Web Cache Mode Description cache admin This command enters into the admin module Command Equivalent Squid Directive Reference Web page visible_hostname host name visible_hostname anyhostname http www visolve com squid squid24s1 admin_parameter php unique_hostname host name unique_hostname hostname cache_mgr email id cache_mgr Administrat...

Page 1100: ...ON PARAMETERS Command in Web Cache Mode Description cache cachereg This command enters into the cache registration module This mode allows the user to configure announcement feature parameters Command Equivalent Squid Directive Reference Web page announce_period 0 2147483647 days minutes seconds weeks years announce_period time units http www visolve com squid squid24s1 registration php announce_h...

Page 1101: ...in Web Cache Mode Description cache accel This command enters into the accel module Command Equivalent Squid Directive Reference Web page httpd_accel_host ip address host name virtual httpd_accel_host hostname IP virtual http www visolve com squid squid24s1 httpd_accelerator php httpd_accel_port 80 1025 65535 httpd_accel_port port httpd_accel_single_host off on httpd_accel_single_host on off htt...

Page 1102: ...n domain name append_domain domainname http www visolve com squid squid24s1 miscellaneous php always_direct allow deny acl name 0 2147483647 always_direct allow deny aclname never_direct allow deny acl name 0 2147483647 never_direct allow deny aclname snmp_port 1025 65535 snmp_port port snmp_access allow deny acl name 0 2147483647 snmp_access allow deny aclname as_whois_server server name as_whois...

Page 1103: ...b_high 0 2147483647 alub_high entries alub_low 0 2147483647 alub_low entries alub_ping_period 0 2147483647 days minutes seconds weeks alub_ping_period time units query_icmp off on query_icmp on off reload_into_ims off on reload_into_ims on off snmp_incoming_address ip address snmp_incoming_address ip address snmp_outgoing_address ip address snmp_outgoing_address ip address store_avg_object_size ...

Page 1104: ... performing rate limiting and traffic shaping Cache hits will not be delayed and only the object fetches from the server will be delayed Relevant parameters are described below TO ENTER THE DELAY POOL MODE EXAMPLE ALU config ase webcache cache delaypool ALU config webcache delaypool Command in Web Cache Mode Description cache delaypool This command enters into the delay pools mode ...

Page 1105: ...ery_terms off on strip_query_terms on off ignore_unknown_nameservers off on ignore_unknown_nameservers on off server_persistent_connections off on server_persistent_connections on off client_persistent_connections off on client_persistent_connections on off ie_refresh off on ie_refresh on off broken_posts allow deny acl name 0 2147483647 broken_posts allow deny acl name delay_access delay po...

Page 1106: ...name extension_methods request method high_memory_warning 0 2147483647 kb mb bytes high_memory_warning size specification high_page_fault_warning 0 2147483647 high_page_fault_warning time units high_response_time_warning 0 2147483647 high_response_time_warning msec max_open_disk_fds 0 2147483647 max_open_disk_fds number nonhierarchical_direct off on nonhierarchical_direct on off pipeline_pref...

Page 1107: ...cast groups is not set udp_incoming_address 0 0 0 0 udp_outgoing_address 255 255 255 255 TO VIEW PEER CACHE CONFIGURATION EXAMPLE ALU config ase webcache show webcache peer cache_peer 10 91 10 25 multicast 1025 1030 icp_query_timeout 0 maximum_icp_query_timeout 2000 mcast_icp_query_timeout 2000 dead_peer_timeout 10 seconds hierarchy_stoplist cgi bin Command in Web Cache Mode Description show webca...

Page 1108: ...e cache_mem 8 MB cache_swap_low 90 cache_swap_high 95 maximum_object_size 4096 KB minimum_object_size 0 KB maximum_object_size_in_memory 8 KB ipcache_size 1024 ipcache_low 90 ipcache_high 95 fqdncache_size 1024 cache_replacement_policy lru memory_replacement_policy lru reply_header_max_size 20 KB Command in Web Cache Mode Description show webcache size This command displays the cache size details ...

Page 1109: ...cache show webcache timeouts forward_timeout 4 minutes connect_timeout 1 minute peer_connect_timeout 30 seconds read_timeout 15 minutes request_timeout 5 minutes persistent_request_timeout 1 minute client_lifetime 1 weeks half_closed_clients on pconn_timeout 120 seconds ident_timeout 10 seconds shutdown_lifetime 30 seconds Command in Web Cache Mode Description show webcache timeouts This command d...

Page 1110: ...webcache tuning No wais relay host defined wais_relay_port 0 request_header_max_size 20 KB request_body_max_size 20 kb quick_abort_min 16 KB quick_abort_max 16 KB quick_abort_pct 95 negative_ttl 5 minutes positive_dns_ttl 6 hours negative_dns_ttl 1 minute range_offset_limit 0 KB Command in Web Cache Mode Description show webcache tuning This command displays the web cache tuning details ...

Page 1111: ...show webcache extfun ftp_user Squid ftp_list_width 32 ftp_passive on ftp_sanitycheck on ftp_telnet_protocol on dns_retransmit_interval 5 seconds dns_timeout 2 minutes No dns name server is set redirect_rewrites_host_header on authenticate_cache_garbage_interval 1 hour authenticate_ttl 1 hour authenticate_ip_ttl 0 seconds Command in Web Cache Mode Description show webcache extfun This command displ...

Page 1112: ...ncoming_dns_average 4 min_icp_poll_cnt 8 min_dns_poll_cnt 8 min_http_poll_cnt 8 max_open_disk_fds 0 offline_mode off uri_whitespace strip mcast_miss_addr not set using default value 255 255 255 255 nonhierarchical_direct on prefer_direct off strip_query_terms on redirector_bypass off ignore_unknown_nameservers on digest_generation on digest_bits_per_entry not set using default value 5 digest_rebui...

Page 1113: ...sistent_connections on detect_broken_pconn off balance_on_multiple_ip on pipeline_prefetch off request_entities off high_response_time_warning 0 high_page_fault_warning 0 high_memory_warning 0 store_dir_select_algorithm least load ie_refresh off vary_ignore_expire off sleep_after_fork 0 relaxed_header_parser on TO VIEW CACHE REGISTRATION CONFIGURATION EXAMPLE ALU config ase webcache show webcache ...

Page 1114: ...0 miss_access allow all 30 icp_access deny all 40 http_reply_access allow all 50 http_access allow all 60 no_cache deny QUERY TO VIEW WEB CACHE ADMIN PARAMETERS EXAMPLE ALU config ase webcache show webcache admin cache_mgr webmaster visible_hostname anything unique_hostname not set Command in Web Cache Mode Description show webcache acls This command displays the web cache ACL details Command in W...

Page 1115: ... TO VIEW WEB CACHE MISCELLANEOUS CONFIGURATION EXAMPLE ALU config ase webcache show webcache misc dns_testnames netscape com internic net nlanr net microsoft com tcp_recv_buffer_size not set using default value 0 bytes memory_pools on memory_pools_limit 5 MB forwarded_for on log_icp_queries on icp_hit_stale off minimum_direct_hops 4 minimum_direct_rtt 400 store_avg_object_size 13 KB Command in Web...

Page 1116: ...igh 1000 alub_ping_period 5 minutes query_icmp off test_reachability off buffered_logs off reload_into_ims off short_icon_urls off maximum_single_addr_tries 1 retry_on_error off snmp_port not set using default value 3401 snmp_incoming_address not set using default value 0 0 0 0 snmp_outgoing_address not set using default value 255 255 255 255 as_whois_server whois ra net ...

Page 1117: ...m mail channel test NONE text html 1172764443 700 131946 10 91 2 30 TCP_MISS 503 1487 GET http mail google com mail NONE text html 1172764443 700 59351 10 91 2 30 TCP_MISS 503 1487 GET http mail google com mail NONE text html 1172764443 700 101621 10 91 2 30 TCP_MISS 503 1487 POST http mail google com mail NONE text html 1172764464 250 132236 10 91 2 30 TCP_MISS 503 1480 GET http www google com ur...

Page 1121: ...17 tcp udp Quote 8 msp 18 tcp udp Message Send Protocol 9 chargen 19 tcp udp Character Generator 364 10 ftp data 20 tcp udp File Transfer Protocol Data for passive connection 959 11 ftp 21 tcp udp FTP control 959 12 ssh 22 tcp udp SSH remote login protocol Internet Drafts 13 telnet 23 tcp udp Telnet 854 14 smtp 25 tcp udp Simple Mail Transfer Protocol 821 15 time 37 tcp udp Timeserver 16 rlp 39 tc...

Page 1122: ... udp 35 hostname 101 tcp udp Usually from sri nic 36 iso tsap 102 tcp Part of ISODE 37 csnet ns 105 tcp udp Also used by CSO name server 38 3com tsmux 106 tcp udp Poppassd 39 rtelnet 107 tcp udp Remote Telnet 40 pop2 109 tcp udp POP version 2 41 POP3 tcp 110 Post Office Protocol V3 1939 1957 42 sunrpc 111 tcp udp RPC 4 0 portmapper TCP 43 auth 113 tcp udp Authentication tap ident 44 sftp 115 tcp u...

Page 1123: ...Unix Multiplexer 63 at rtmp 201 tcp udp AppleTalk routing 64 at nbp 202 tcp udp AppleTalk name binding 65 at echo 204 tcp udp AppleTalk echo 66 at zis 206 tcp udp AppleTalk zone information 67 qmtp 209 tcp udp Quick Mail Transfer Protocol 68 z39 50210 210 tcp udp NISO Z39 50 database 69 ipx 213 tcp udp IPX 70 imap3 220 tcp udp Interactive Mail Access 71 link 245 tcp udp ttylink 72 fatserv 347 tcp ...

Page 1124: ...v6 server 547 tcp udp 94 rtsp 554 tcp udp Real Time Stream Control Protocol 95 nntps 563 tcp udp NNTP over SSL 96 whoami 565 tcp udp 97 submission 587 tcp udp mail message submission 98 npmp local 610 tcp udp npmp local DQS 99 npmp gui 611 tcp udp npmp gui DQS 100 hmmp ind 612 tcp udp HMMP Indication DQS 101 ipp 631 tcp udp Internet Printing Protocol 102 ldaps 636 tcp udp LDAP over SSL 103 acap 67...

Page 1125: ... SQL Server 118 ms sql m 1434 tcp udp Microsoft SQL Monitor 119 ica 1494 tcp udp Citrix ICA Client 120 wins 1512 tcp udp Microsoft s Windows Internet Name Service 121 ingreslock 1524 tcp udp 122 prospero np 1525 tcp udp Prospero non privileged 123 datametrics 1645 tcp udp Old radius entry 124 sa msg port 1646 tcp udp sa msg port old radacct entry 125 kermit 1649 tcp udp 126 l2tp 1701 tcp udp l2f 1...

Page 1126: ...udp udp sftp side effect 146 codasrv 2432 tcp udp server port 147 codasrv se 2433 tcp udp udp sftp side effect 148 hpstgmgr 2600 tcp udp HPSTGMGR 149 discp client 2601 tcp udp discp client 150 discp server 2602 tcp udp discp server 151 servicemeter 2603 tcp udp Service Meter 152 nsc ccs 2604 tcp udp NSC CCS 153 nsc posa 2605 tcp udp NSC POSA 154 netmon 2606 tcp udp Dell Netmon 155 corbaloc 2809 t...

Page 1127: ...r 172 afs3 errors 7006 tcp udp Error interpretation service 173 afs3 bos 7007 tcp udp Basic overseer process 174 afs3 update 7008 tcp udp Server to server updater 175 afs3 rmtsys 7009 tcp udp Remote cache manager service 176 sd 9876 tcp udp Session Director 177 amanda 10080 tcp udp amanda backup services 178 pgpkeyserver 11371 tcp udp PGP GPG public keyserver 179 h323callsigalt 11720 tcp udp H323 ...

Page 1128: ...190 tfido 60177 tcp udp Ifmail 200 fido 60179 tcp udp Ifmail Sl No Name Protocol Type Description RFCs References ...

Page 1129: ...hentication Dial in User Service RADIUS RFC 3579 Dot1x extensions to RADIUS SNMP SNMPv1 is defined in RFC 1157 SNMPv2c is defined in several RFC s RFC 2578 2580 3416 3418 SNMPv3 is defined by several RFC s in RFC 2576 3410 3415 MANAGEMENT SSH V3 compliance RFC 4250 RFC 4251 RFC 4252 RFC 4253 RFC 4254 RFC 4256 RFC 4335 RFC 4344 RFC 4345 RFC 4419 Diffie Hellman Group Exchange for the Secure Shell SS...

Page 1130: ... RFC 1990 The PPP Multilink Protocol RFC 2427 Multiprotocol Interconnect over Frame Relay RFC 2570 FRF 16 UNI NNI Multilink Frame Relay Interworking Implementation Agreement LAYER 2 PROTOCOLS PPP RFC 1661 PPP RFC 1662 PPP in HDLC like framing RFC 1332 IPCP RFC 1334 PAP RFC 1994 CHAP RFC 3748 EAP ROUTING RIP RFC 1058 RIPv1 RFC 2453 RIPv2 OSPF RFC 2328 OSPFv2 RFC 1587 OSPF NSSA Option RFC 1583 OSPF ...

Page 1131: ...abilities Advertisement with BGP 4 obsoleted by rfc3392 IPSEC VPN VPN RFC 2401 Security Architecture for the Internet Protocol RFC 2411 IP Security Document Roadmap Basic Protocols RFC 2402 IP Authentication Header RFC 2406 IP Encapsulating Security Payload ESP Key Management RFC 2367 PF_KEY Key Management API Version 2 RFC 2407 The Internet IP Security Domain of Interpretation for ISAKMP RFC 2408...

Page 1132: ...GRE RFC 2784 QOS RFC 2475 Architecture for Differentiated Service RFC 2597 Assured Forwarding PHB Group RFC 2598 Expedited Forwarding PHB RFC 2697 Single Rate Three Color Marker RFC 2698 Two Rate Three Color Marker Note All the above listed RFCs are applicable to both OA 780 and OA 740 ...

Page 1133: ...Establishment The connection to server timed out Maybe the remote server is not running In case the package is being taken from user area or fpkey 1 The error package does not exist is displayed if the package is not really there 2 In case of fpkey if it could not be mounted then Failed to mount Fpkey is displayed The installation can also fail in the verification stage because of the following re...

Page 1134: ...rors can occur 1 Unable to connect to remote host This means that there is no route to remote host 2 Access denied This means that you do not have proper access permissions to backup the package in the given location 3 User name Password incorrect Incorrect user name and password 4 Write error at server side There has been a write error at the remote site Probably there was no space left 5 Error i...

Page 1135: ...T IP PRECEDENCE DEFAULT VALUES FOR RANDOM DETECT IP DSCP ip precedence Min Threshold Max Threshold Drop Probability 0 50 150 10 1 60 160 10 2 70 170 10 3 80 180 10 4 90 190 10 5 100 200 10 6 110 210 10 7 120 220 10 ip precedence Min Threshold Max Threshold Drop Probability 0 50 150 10 1 50 150 10 2 50 150 10 3 50 150 10 4 50 150 10 5 50 150 10 6 50 150 10 7 50 150 10 8 50 150 10 9 50 150 10 10 50 ...

Page 1136: ... 150 10 19 50 150 10 20 40 120 10 21 50 150 10 22 32 96 10 23 50 150 10 24 50 150 10 25 50 150 10 26 50 150 10 27 50 150 10 28 40 120 10 29 50 150 10 30 32 96 10 31 50 150 10 32 50 150 10 33 50 150 10 34 50 150 10 35 50 150 10 36 40 120 10 37 50 150 10 38 32 96 10 39 50 150 10 40 50 150 10 41 50 150 10 42 50 150 10 43 50 150 10 ip precedence Min Threshold Max Threshold Drop Probability ...

Page 1137: ...44 50 150 10 45 50 150 10 46 50 150 10 47 50 150 10 48 50 150 10 49 50 150 10 50 50 150 10 51 50 150 10 52 50 150 10 53 50 150 10 54 50 150 10 55 50 150 10 56 50 150 10 57 50 150 10 58 50 150 10 59 50 150 10 60 50 150 10 61 50 150 10 62 50 150 10 63 50 150 10 ip precedence Min Threshold Max Threshold Drop Probability ...

Page 1138: ... IP DSCP MNEMONICS. Columns: DSCP Mnemonics, Values. Rows: default 0; cs1 8; cs2 16; cs3 24; cs4 32; cs5 40; cs6 48; cs7 56; ef 46; af11 10; af12 12; af13 14; af21 18; af22 20; af23 22; af31 26; af32 28; af33 30; af41 34; af42 36; af43 38 ...

Page 1139: ... IP PRECEDENCE MNEMONICS, TOS MNEMONICS. Columns: IP Precedence Mnemonics, Values. Rows: routine 0; priority 1; immediate 2; flash 3; flash override 4; critical 5; internet 6; network 7. Columns: TOS Mnemonics, Values. Rows: min delay 8; max tput 4; max reli 2; flash 1; normal 0 ...

Page 1140: ...QoS Values and Mnemonics ...

Page 1141: ...URING IPSEC TUNNEL BETWEEN OA-700 AND VPN FIREWALL BRICK. The following scenario explains how to establish an IPsec tunnel between the OA-700 and VPN Firewall Brick. Topology: Figure 70: IPsec Interoperability Between OA-700 and VPN Firewall Brick. The test network consists of VPN Firewall Brick running a crypto image. The IPsec tunnel is created for the host 10.91.10.2/24 and 192.168.60.18/24 to communi...

Page 1142: ...g buffered size 131072 service timestamps log hostname ALU Port Based VLAN Global Configurations VLAN Table Static Configurations Bridge Configuration IP address configured on the interface pointing the internal network interface GigabitEthernet3 0 ip address 192 168 60 20 24 no shutdown top IP address configured on the interface pointing the external network interface GigabitEthernet3 1 ip addres...

Page 1143: ... set crypto ike policy ALU1 proposal md5 3des md5 des sha1 des sha1 3des pfs group2 ipsec security association lifetime seconds 28800 lifetime seconds 3600 Policy in Use by 1 cryptomap s Transform set created for defining the proposal to be used for encryption crypto ipsec transform set myset esp md5 3des Transform Set in Use by 1 cryptomap s Crypto map created pointing to the remote peer crypto m...

Page 1144: ... CONFIGURING VPN FIREWALL BRICK. VPN Firewall Brick offers a web Graphical User Interface (GUI) which enables you to configure the IPsec tunnel. The steps are as given below. Figure 71: LAN Tunnel Editor Endpoint 1 Endpoint 2 (a) ...

Page 1145: ...etween OA-700 and VPN Firewall Brick. Figure 72: LAN Tunnel Editor Endpoint 1 Endpoint 2 (b) ...

Page 1146: ... Figure 73: LAN Tunnel Editor Endpoint 1 Endpoint 2 (c). VERIFICATION: On OA-700, the tunnel can be verified by issuing the show crypto ipsec sa command ...

Page 1147: ...xplains how to establish an IPsec tunnel between the OA-700 system and Sonicwall. Topology: Figure 74: IPsec Interoperability Between OA-700 and Sonicwall PRO 3060. The above network shows the setup used to create a tunnel between Sonicwall and OA-700. The tunnel is built to allow network behind the OA-700 gateway (192.168.1.0) to communicate with network behind Sonicwall (10.91.10.0). The IPsec tunnel hence...

Page 1148: ...r logging: level debugging external server logging: level informational log buffer size: (131072 bytes) log timestamp enabled Port Based VLAN Global Configurations VLAN Table Static Configurations Bridge Configuration interface GigabitEthernet3/0 ip address 192.168.1.1/24 Port Based VLAN Interface Configurations no shutdown interface GigabitEthernet3/1 ip address 203.124.152.254/24 Port Based VLAN Inte...

Page 1149: ...ey created crypto ike key Ty cH peer 203 124 152 50 Transform set created for encryption Policy in Use by 1 cryptomap s crypto ipsec transform set myset esp md5 des Transform Set in Use by 1 cryptomap s Crypto map created calling the IKE policy configured earlier crypto map mymap ipsec ike test peer 203 124 152 50 match m1 transform set myset pfs group1 Crypto map applied to the interface connecte...

Page 1150: ...ser Interface (GUI) which enables you to configure the site to site IPsec tunnel. The steps are as given below. Creating local network behind Sonicwall: Select Network Settings Configure icon for LAN to configure the internal network IP address. This internal network is called localnet behind the Sonicwall. Figure 75: Configuring Local network behind Sonicwall. Enter the local IP address and the Subnet Mas...

Page 1151: ... Creating External IP address for Sonicwall: Select Network Settings Configure icon for WAN to configure the external network IP address. Figure 76: Configuring External IP Address for Sonicwall. Enter the WAN IP address and the Subnet Mask. Note: Reboot Sonicwall for the configured IP address to come into effect ...

Page 1152: ... Configuring IPsec Tunnel on Sonicwall: Select VPN Settings Add General to configure IPsec policy. Figure 77: Configuring IPsec Policy and Destination Network. Select the IPsec keying mode. Enter the policy name, peer IP address, key and destination network ...

Page 1153: ... Select VPN Settings Add Proposals to configure IPsec proposal. Figure 78: Configuring IPsec Phase 1 and Phase 2 Proposals. Select the appropriate algorithms for Phase 1 and Phase 2 Proposals. Enable PFS Group and enter the lifetime ...

Page 1154: ... VERIFICATION: The VPN configuration on the OA-700 can be verified by using the commands show crypto map and show crypto. The tunnel setup on Sonicwall can be verified by viewing the Log page ...

Page 1155: ...Configuring IPsec between OA-700 and Sonicwall PRO 3060 ...

Page 1156: ...IPsec Interoperability of OA-700 ...

Page 1157: ...his product Linux Kernel Intel Linux Device Driver Software PMC Sierra Linux Device Driver Software Mindspeed Linux Device Driver Software eCos U Boot Linux STP Paul s PPP Package DHCP tftp hpa Net SNMP OpenSSH ZEBRA CLI GNU Pth The GNU Portable Threads TCP Proxy and Reassembly Strongswan IKE FreeBSD Crypto Library Snort Mbedthis AppWeb libxslt BusyBox iputils e2fsprogs InetUtils gawk GDB cURL PCR...

Page 1158: ...ublic License is provided at the end of this chapter and also available from http www gnu org licenses gpl html PMC SIERRA LINUX DEVICE DRIVER SOFTWARE COPYRIGHT C 2003 PMC SIERRA INC ALL RIGHTS RESERVED Copyright c 1999 SBS Technologies Communications Products Formerly SciTech Inc All Rights Reserved Unpublished Proprietary Source Code This software embodies materials and concepts which are propr...

Page 1159: ... the accuracy reliability or correctness of this software and any use of this software is soley at your own risk ECOS Copyright C 1998 1999 2000 2001 2002 2003 Red Hat Inc Copyright C 2002 2003 John Dallaway Copyright C 2002 2003 Nick Garnett Copyright C 2002 2003 Jonathan Larmour Copyright C 2002 2003 Andrew Lunn Copyright C 2002 2003 Gary Thomas Copyright C 2002 2003 Bart Veer eCos is free softw...

Page 1160: ...of the License or at your option any later version A copy of the GNU General Public License is provided at the end of this chapter and also available from http www gnu org licenses gpl html PAUL S PPP PACKAGE Paul s PPP Package is obtained from http ppp samba org This product includes software developed by Computing Services at Carnegie Mellon University http www cmu edu computing Paul Mackerras p...

Page 1161: ... in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 The name s of the authors of this software must not be used to endorse or promote products derived from this software without prior written permission 4 Redistributions of any form whatsoever must retain the foll...

Page 1162: ...5 2003 Internet Software Consortium All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this...

Page 1163: ... the following acknowledgement This product includes software developed by the University of California Berkeley and its contributors 4 Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR ...

Page 1164: ...S FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE COPYRIGHT HOLDERS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TO...

Page 1165: ...N NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY W...

Page 1166: ...T SHALL CORE SDI S A BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES RESULTING FROM THE USE OR MISUSE OF THIS SOFTWARE Ariel Futoransky futo core sdi com http www core sdi com ssh keyscan was contributed by David Mazieres under a BSD style license Copyright 1995 1996 by David Mazieres dm lcs mit edu Modification and redistribution in source and binary forms ...

Page 1167: ...e the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution THIS SOFTWARE IS PROVIDED BY THE AUTHOR AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE AUTHOR BE LIAB...

Page 1168: ... NO EVENT SHALL THE ABOVE COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM DAMAGES OR OTHER LIABILITY WHETHER IN AN ACTION OF CONTRACT TORT OR OTHERWISE ARISING FROM OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE Except as contained in this notice the name s of the above copyright holders shall not be used in advertising or otherwise to promote the sale use or othe...

Page 1169: ... this list of conditions and the following disclaimer 2 Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution 3 Neither the name of the University nor the names of its contributors may be used to endorse or promote products derived from this software wi...

Page 1170: ...sh DES etc code not just the SSL code The SSL documentation included with this distribution is covered by the same copyright terms except that the holder is Tim Hudson tjh cryptsoft com Copyright remains Eric Young s and as such any Copyright notices in the code are not to be removed If this package is used in a product Eric Young should be given attribution as the author of the parts of the libra...

Page 1171: ... license SNORT Copyright C 1998 2002 Martin Roesch roesch sourcefire com Copyright C 2002 2003 Sourcefire Inc This program is free software you can redistribute it and or modify it under the terms of the GNU General Public License as published by the Free Software Foundation either version 2 of the License or at your option any later version This program is distributed in the hope that it will be ...

Page 1172: ...e rights to use copy modify merge publish distribute sublicense and or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software THE SOFTWARE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMP...

Page 1173: ...te it and or modify it under the terms of the GNU General Public License as published by the Free Software Foundation either version 2 of the License or at your option any later version This program is distributed in the hope that it will be useful but WITHOUT ANY WARRANTY without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE See the GNU General Public License fo...

Page 1174: ...RISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Some files have the following license Rdisc this program was developed by Sun Microsystems Inc and is provided for unrestricted use provided that this legend is included on all tape media and as a part of the software program in whole or part Users may copy or modify Rdisc without charge and they ma...

Page 1175: ...n and or other materials provided with the distribution 3 The name of the author may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ALL OF WHICH ARE HEREBY D...

Page 1176: ...am ac uk Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above copyright notice this list of conditions and the following disclaimer Redistributions in binary form must reproduce the above copyright notice this list of conditions and the following disclaimer in...

Page 1177: ...lgorithm in all material mentioning or referencing this software or this function License is also granted to make and use derivative works provided that such works are identified as derived from the RSA Data Security Inc MD5 Message Digest Algorithm in all material mentioning or referencing the derived work RSA Data Security Inc makes no representations concerning either the merchantability of thi...

Page 1178: ... that you know you can do these things To protect your rights we need to make restrictions that forbid anyone to deny you these rights or to ask you to surrender the rights These restrictions translate to certain responsibilities for you if you distribute copies of the software or if you modify it For example if you distribute copies of such a program whether gratis or for a fee you must give the ...

Page 1179: ... this License along with the Program You may charge a fee for the physical act of transferring a copy and you may at your option offer warranty protection in exchange for a fee 2 You may modify your copy or copies of the Program or any portion of it thus forming a work based on the Program and copy and distribute such modifications or work under the terms of Section 1 above provided that you also ...

Page 1180: ...fer to distribute corresponding source code This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer in accord with Subsection b above The source code for a work means the preferred form of the work for making modifications to it For an executable work complete source code means all the source code for...

Page 1181: ...sfy both it and this License would be to refrain entirely from distribution of the Program If any portion of this section is held invalid or unenforceable under any particular circumstance the balance of the section is intended to apply and the section as a whole is intended to apply in other circumstances It is not the purpose of this section to induce you to infringe any patents or other propert...

Page 1182: ...WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU SHOULD THE PROGRAM PROVE DEFECTIVE YOU ASSUME THE COST OF ALL NECESSARY SERVICING REPAIR OR CORRECTION 12 IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGR...

Page 1183: ...t notice like this when it starts in an interactive mode Gnomovision version 69 Copyright C year name of author Gnomovision comes with ABSOLUTELY NO WARRANTY for details type show w This is free software and you are welcome to redistribute it under certain conditions type show c for details The hypothetical commands show w and show c should show the appropriate parts of the General Public License ...

Page 1184: ...make sure that you have the freedom to distribute copies of free software and charge for this service if you wish that you receive source code or can get it if you want it that you can change the software and use pieces of it in new free programs and that you are informed that you can do these things To protect your rights we need to make restrictions that forbid distributors to deny you these rig...

Page 1185: ...ordinary General Public License for many libraries However the Lesser license provides advantages in certain special circumstances For example on rare occasions there may be a special need to encourage the widest possible use of a certain library so that it becomes a de facto standard To achieve this non free programs must be allowed to use the library A more frequent case is that a free library d...

Page 1186: ...omplete source code as you receive it in any medium provided that you conspicuously and appropriately publish on each copy an appropriate copyright notice and disclaimer of warranty keep intact all the notices that refer to this License and to the absence of any warranty and distribute a copy of this License along with the Library You may charge a fee for the physical act of transferring a copy an...

Page 1187: ...ion 2 of the ordinary GNU General Public License has appeared then you can specify that version instead if you wish Do not make any other change in these notices Once this change is made in a given copy it is irreversible for that copy so the ordinary GNU General Public License applies to all subsequent copies and derivative works made from that copy This option is useful when you wish to copy par...

Page 1188: ...u must supply a copy of this License If the work during execution displays copyright notices you must include the copyright notice for the Library among them as well as a reference directing the user to the copy of this License Also you must do one of these things a Accompany the work with the complete corresponding machine readable source code for the Library including whatever changes were used ...

Page 1189: ... facilities This must be distributed under the terms of the Sections above b Give prominent notice with the combined library of the fact that part of it is a work based on the Library and explaining where to find the accompanying uncombined form of the same work 8 You may not copy modify sublicense link with or distribute the Library except as expressly provided under this License Any attempt othe...

Page 1190: ...sistent application of that system it is up to the author donor to decide if he or she is willing to distribute software through any other system and a licensee cannot impose that choice This section is intended to make thoroughly clear what is believed to be a consequence of the rest of this License 12 If the distribution and or use of the Library is restricted in certain countries either by pate...

Page 1191: ...GENERAL SPECIAL INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR INABILITY TO USE THE LIBRARY INCLUDING BUT NOT LIMITED TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF THE LIBRARY TO OPERATE WITH ANY OTHER SOFTWARE EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES END OF TERMS AND CONDIT...

Page 1192: ...e GNU Lesser General Public License along with this library if not write to the Free Software Foundation Inc 51 Franklin Street Fifth Floor Boston MA 02110 1301 USA Also add information on how to contact you by electronic and paper mail You should also get your employer if you work as a programmer or your school if any to sign a copyright disclaimer for the library if necessary Here is a sample al...

Page 1193: ...s ______________________________________ The Initial Developer of the Original Code is ________________________ Portions created by ______________________ are Copyright C ______ _______________________ All Rights Reserved Contributor s ______________________________________ Alternatively the contents of this file may be used under the terms of the _____ license the ___ License in which case the pr...
