manualshive.com logo in svg

Cisco ASR 5000, Administration Manual, Page: 142 / 466

Share
Download
Cisco ASR 5000 Administration Manual Download Page 142

Change the chassis key to the new desired value.

Save the configuration with this new chassis key.

Refer to

Configuring a Chassis Key

in

System Settings

for additional information.

Support for ICSR Configurations

Inter-Chassis Session Recovery (ICSR) is a redundancy configuration that employs two identically configured
ASR 5x00 chassis as a redundant pair.

ICSR chassis share the same chassis key. If the ICSR detects that the two chassis have incompatible chassis
keys, an error message is logged but the ICSR system will continue to run. Without the matching chassis key,
the standby ICSR chassis can recover services if the active chassis goes out of service; the standby chassis
will still have access to the passwords in their decrypted form.

ICSR chassis use Service Redundancy Protocol (SRP) to periodically check to see if the redundancy
configuration matches with either decrypted passwords or DES-based two-way encryption strings. Since the
configuration is generated internally to the software, users are not able to access the configuration used to
check ICSR compatibility.

Encrypted SNMP Community Strings

Simple Network Management Protocol (SNMP) uses community strings as passwords for network elements.
Although these community strings are sent in clear-text in the SNMP PDUs, the values can be encrypted in
the configuration file.

The

snmp community encrypted name

command enables the encryption of SNMP community strings. For

additional information, see the

Global Configuration Mode Commands

chapter in the

Command Line Interface

Reference

.

Lawful Intercept Restrictions

This section describes some of the security features associated with the provisioning of Lawful Intercept (LI).
For additional information, refer to the

Lawful Intercept Configuration Guide

.

LI Server Addresses

An external authenticating agent (such as RADIUS or Diameter) sends a list of LI server addresses as part of
access-accept. For any intercept that was already installed or will be installed for that subscriber, a security
check is performed to match the LI server address with any of the LI-addresses that were received from the
authenticating agent. Only those addresses that pass this criteria will get the intercepted information for that
subscriber.

While configuring a campon trigger, the user will not be required to enter the destination LI server addresses.
When a matching call for that campon trigger is detected, a security check is done with the list received from
the authentication agent. The LI-related information is only forwarded if a matching address is found.

When an active-only intercept is configured, if a matching call is found, a security check is made for the LI
address received from the authentication agent and the intercept configuration will be rejected.

   ASR 5000 System Administration Guide, StarOS Release 21.1

114

System Security

Support for ICSR Configurations

Summary of Contents for ASR 5000

Page 1: ...istration Guide StarOS Release 21 1 First Published 2017 01 26 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 ...

Page 2: ... IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE T...

Page 3: ...e 4 Bindings 4 Services 4 AAA Servers 5 Subscribers 5 Trusted Builds 6 How the System Selects Contexts 6 Context Selection for Context level Administrative User Sessions 7 Context Selection for Subscriber Sessions 9 Understanding the ASR 5000 Boot Process 9 Understanding Configuration Files 11 IP Address Notation 12 IPv4 Dotted Decimal Notation 13 IPv6 Colon Separated Hexadecimal Notation 13 CIDR ...

Page 4: ...reating an Allowed Users List 31 SSH User Login Authentication 31 Secure Session Logout 32 Changing Default sshd Secure Session Logout Parameters 33 SSH Client Login to External Servers 33 Generating SSH Client Key Pair 33 Pushing an SSH Client Public Key to an External Server 34 Configuring the Management Interface with a Second IP Address 35 C H A P T E R 3 System Settings 37 Configuring a Secon...

Page 5: ...guring Context level Administrators 48 Configuring Context level Operators 49 Configuring Context level Inspectors 49 Configuring LI Administrators 50 Verifying Context level Administrative User Configuration 50 Configuring Local User Administrative Users 50 Verifying Local User Configuration 51 Updating Local User Database 51 Updating and Downgrading the local user Database 51 Provisioning Lawful...

Page 6: ...AC Addresses 63 Verifying Virtual MAC Address Configuration 64 Configuring Packet Processing and Line Card Availability 64 Verifying Packet Processing and Line Card Configurations 65 Configuring Line Card and SPIO Port Redundancy 65 Enabling Line Card and SPIO Port Redundancy 68 Verifying Line Card and SPIO Port Redundancy 69 Configuring Line Card and SPIO Port Redundancy Auto Recovery 69 Verifyin...

Page 7: ... on XGLCs 79 C H A P T E R 4 Config Mode Lock Mechanisms 81 Overview of Config Mode Locking 81 Requesting an Exclusive Lock 82 Effect of Config Lock on URL Scripts 83 Saving a Configuration File 84 Reload and Shutdown Commands 84 show administrators Command 85 C H A P T E R 5 Management Settings 87 ORBEM 87 Configuring ORBEM Client and Port Parameters 88 Configuring IIOP Transport Parameters 88 Ve...

Page 8: ...Route for an Interface 102 Viewing and Verifying Port Configuration 102 ATM Interfaces and Ports 103 Enabling the OLC ATM Line Card 104 Creating an IP Interface for Use with an ATM Port 104 Configuring an ATM Port to Use an IP Interface 104 Configuring an ATM Port for an SS7 Link 105 Binding an SS7 Link to an ATM Port 105 Verifying Port and Interface Configuration 105 Frame Relay Interfaces and Po...

Page 9: ...ss to Operating System Shell 116 Test Commands 116 Enabling cli test commands Mode 116 Enabling Password for Access to CLI test commands 116 Exec Mode cli test commands 117 Configuration Mode cli test commands 117 C H A P T E R 9 Software Management Operations 119 Understanding the Local File System 119 File Types Used by the Local File System 120 Understanding the boot sys File 120 Maintaining th...

Page 10: ...nd Build Number 130 Verify Free Space on the flash Device 130 Download the Software Image from the Support Site 131 Transfer StarOS Image to flash on the Chassis 131 Saving a Copy of the Current Configuration File 131 Preparing for a Software Downgrade 132 Downgrading from Release 12 2 to 12 0 132 Downgrading from Release 15 0 to 14 0 132 Downgrading from Release 20 0 133 Software Upgrade Methods ...

Page 11: ...se Keys 144 Session Use and Feature Use Licenses 144 Installing New License Keys 144 Cutting and Pasting the Key 145 Adding License Keys to Configuration Files 145 License Expiration Behavior 146 Requesting License Keys 146 Viewing License Information 147 Deleting a License Key 147 Management Card Replacement and License Keys 147 Managing Local User Administrative Accounts 147 Configuring Local Us...

Page 12: ...lk Statistics 161 Clearing Bulk Statistics Counters and Information 161 Bulkstats Schema Nomenclature 161 Statistic Types 161 Data Types 162 Key Variables 162 Bulk Statistics Event Log Messages 164 C H A P T E R 1 2 System Logs 165 System Log Types 165 Configuring Event Logging Parameters 166 Configuring Event Log Filters 166 Exec Mode Filtering 167 Global Configuration Mode Filtering 169 Configur...

Page 13: ...EDs 198 Checking the LED on the PFU 198 Checking the LEDs on the SMC 199 SMC Run Fail LED States 200 SMC Active LED States 201 SMC Standby LED States 202 SMC Status LED States 203 SMC Service LED States 203 SMC Busy LED States 204 Checking the LEDs on the Packet Processing Cards 204 Packet Processing Card Run Fail LED States 205 Packet Processing Card Active LED States 206 Packet Processing Card S...

Page 14: ...ard or SPIO Switchover 219 Halting Cards 220 Initiate a Card Halt 220 Restoring a Previously Halted Card 221 Verifying Network Connectivity 221 Using the ping or ping6 Command 221 Syntax 221 Troubleshooting 222 Using the traceroute or traceroute6 Command 222 traceroute IPv4 Syntax 222 traceroute6 IPv6 Syntax 223 Viewing IP Routes 223 Viewing the Address Resolution Protocol Table 223 Using the Syst...

Page 15: ... 240 Verifying the ACL Configuration to an Individual Subscriber 240 Applying an ACL to the Subscriber Named default 241 Applying an ACL to the Subscriber Named default 241 Verifying the ACL Configuration to the Subscriber Named default 242 Applying an ACL to Service specified Default Subscriber 242 Applying an ACL to Service specified Default Subscriber 243 Verifying the ACL Configuration to Serv...

Page 16: ...255 Adding Static Routes to a Context 256 Deleting Static Routes From a Context 256 OSPF Routing 256 OSPF Version 2 Overview 257 Basic OSPFv2 Configuration 258 Enabling OSPF Routing For a Specific Context 258 Enabling OSPF Over a Specific Interface 258 Redistributing Routes Into OSPF Optional 258 Confirming OSPF Configuration Parameters 259 OSPFv3 Routing 259 OSPFv3 Overview 259 Basic OSPFv3 Confi...

Page 17: ...iguration Commands 266 Confirming BGP Configuration Parameters 268 Bidirectional Forwarding Detection 268 Overview of BFD Support 269 Configuring BFD 269 Configuring a BFD Context 270 Configuring IPv4 BFD for Static Routes 270 Configuring IPv6 BFD for Static Routes 270 Configuring BFD for Single Hop 271 Configuring Multihop BFD 271 Scaling of BFD 272 Associating BGP Neighbors with the Context 272 ...

Page 18: ...ormation 278 C H A P T E R 1 7 VLANs 281 Overview 281 Overlapping IP Address Pool Support GGSN 282 RADIUS VLAN Support Enhanced Charging Services 282 APN Support PDN Gateway P GW 282 Creating VLAN Tags 283 Verifying the Port Configuration 283 Configuring Subscriber VLAN Associations 284 RADIUS Attributes Used 284 Configuring Local Subscriber Profiles 284 Verify the Subscriber Profile Configuration...

Page 19: ...2 0 System Recovery 305 Prerequisites 305 Console Access 305 Boot Image 305 Accessing the boot CLI 306 Initiate a Reboot 306 Interrupt the Boot Sequence 306 Enter CLI Mode 307 boot Command Syntax 307 Booting from a Selected Image 307 Boot Using No Configuration FIle 307 Boot Using A Specified Configuration File 308 C H A P T E R 2 1 Session Recovery 309 How Session Recovery Works 309 Additional AS...

Page 20: ...nication 328 Chassis Switchover 328 Configuring Interchassis Session Recovery ICSR 329 Configuring the Service Redundancy Protocol SRP Context 330 Creating and Binding the SRP Context 330 Configuring SRP Context Parameters 331 Basic Parameters 331 SRP Redundancy AAA and Diameter Guard Timers 332 DSCP Marking of SRP Messages 333 Optimizing Switchover Transitions 333 Allow Non VoLTE Traffic During I...

Page 21: ...ics Collection on a Standby System 342 Verifying the Primary and Backup Chassis Configuration 342 Configuring Subscriber State Management Audit Process 343 Troubleshooting ICSR Operation 343 Updating the Operating System 344 Both ICSR Chassis 349 Downloading and Transferring the StarOS Build 349 Standby Backup Chassis 350 Performing Health Checks 350 Performing SRP Checks 350 Performing BGP Checks...

Page 22: ...bal Configuration Mode 362 support record 362 support collection 362 Exec Mode Commands 363 show support record 363 delete support record 363 show support collection 363 A P P E N D I X A Engineering Rules 365 CLI Session Rules 365 ASR 5000 Interface and Port Rules 365 Line Card Rules 366 Packet Data Network PDN Interface Rules 367 ASR 5000 Packet Processing Card Rules 367 Context Rules 367 Subscr...

Page 23: ...ECKPOINT 400 SERVICE_ID MAPPING 400 VPNMGR_ID MAPPING 401 Micro checkpoints 401 Uncategorized 402 SESS_UCHKPT_CMD_INVALIDATE_CRR 402 SESS_UCKKPT_CMD_UPDATE_CLPSTATS 402 SESS_UCHKPT_CMD_UPDATE_IDLESECS 402 DCCA Category 403 SESS_UCHKPT_CMD_DCCA_SESS_INFO 403 ECS Category 403 SESS_UCHKPT_CMD_ACS_CALL_INFO 403 SESS_UCHKPT_CMD_ACS_GX_LI_INFO 404 SESS_UCHKPT_CMD_ACS_SESS_INFO 404 SESS_UCHKPT_CMD_DEL_AC...

Page 24: ...D_GGSN_UPDATE_STATS 411 SESS_UCHKPT_CMD_UPDATE_COA_PARAMS 411 Gx Interface Category 412 SESS_UCHKPT_CMD_ACS_VOLUME_USAGE 412 SESS_UCHKPT_CMD_UPDATE_SGX_INFO 412 NAT Category 412 SESS_UCHKPT_CMD_GR_UPDATE_NAT_REALM_PORT_INFO1 412 SESS_UCHKPT_CMD_GR_UPDATE_NAT_REALMS 413 SESS_UCHKPT_CMD_NAT_SIP_ALG_CALL_INFO 413 SESS_UCHKPT_CMD_NAT_SIP_ALG_CONTACT_PH_INFO 414 SESS_UCHKPT_CMD_UPDATE_DSK_FLOW_CHKPT_IN...

Page 25: ...N 419 SESS_UCHKPT_CMD_CGW_UPDATE_BEARER_QOS 420 SESS_UCHKPT_CMD_CGW_UPDATE_PDN 420 SESS_UCHKPT_CMD_CGW_UPDATE_STATS 420 SESS_UCHKPT_CMD_CGW_UPDATE_UE_PARAM 420 SESS_UCHKPT_CMD_SAMOG_ACCT_INTERIM_INFO 420 SESS_UCHKPT_CMD_SAMOG_ACCT_START_INFO 421 SESS_UCHKPT_CMD_SAMOG_EOGRE_TUNNEL_INFO 421 SESS_UCHKPT_CMD_SAMOG_GTPV1_UPDATE_PDN_INFO 422 SESS_UCHKPT_CMD_SAMOG_HANDOFF_AUTHEN_INFO 422 SESS_UCHKPT_CMD_...

Page 26: ...ASR 5000 System Administration Guide StarOS Release 21 1 xxvi Contents ...

Page 27: ...on Description Notice Type Provides information about important features or instructions Information Note Alerts you of potential damage to a program device or system Caution Alerts you of potential personal injury or fatality May also alert you of potential electrical hazards Warning Description Typeface Conventions This typeface represents displays that appear on your terminal screen for example...

Page 28: ...ww cisco com ASR 5000 Installation Guide AAA Interface Administration and Reference Command Line Interface Reference GTPP Interface Administration and Reference IP Security IPSec Reference Release Change Reference SNMP MIB Reference Statistics and Counters Reference Thresholding Configuration Guide Product specific and feature specific Administration guides Contacting Customer Support Use the info...

Page 29: ...erstanding the ASR 5000 Boot Process page 9 Understanding Configuration Files page 11 IP Address Notation page 12 Alphanumeric Strings page 14 System Management Overview ASR 5000 management capabilities reflect the requirements of the Telecommunications Management Network TMN model for network element NE and element management system EMS functions The system also supports external element manageme...

Page 30: ... optical MMF 1000Base SX SFP 802 3z compliant Gigabit Ethernet ports In release 20 0 and higher Trusted StarOS builds the Telnet and FTP options are not available Important Support for Common Object Request Broker Architecture CORBA via an Object Request Broker Element Manager ORBEM interface and Simple Network Management Protocol version 1 SNMPv1 and version 2 SNMPv2 for fault management Authenti...

Page 31: ...l connector number For example Port 24 1 identifies connector number 1 on the SPIO card in slot 24 Associate ports with contexts through bindings For additional information on bindings refer to the Bindings section below You can configure each physical port to support multiple logical IP interfaces each with up to 17 IP addresses one primary and up to 16 secondaries For complete information on lin...

Page 32: ...rt type A service to an IP address assigned to a logical interface within the same context This allows the interface to take on the characteristics that is support the protocols required by the service Dynamic binding associates a subscriber to a specific egress context based on the configuration of their profile or system parameters This provides a higher degree of deployment flexibility as it al...

Page 33: ...rimary types of subscribers RADIUS based Subscribers The most common type of subscriber these users are identified by their International Mobile Subscriber Identity IMSI number an Electronic Serial Number ESN or by their domain name or user name They are configured on and authenticated by a RADIUS AAA server Upon successful authentication various attributes that are contained in the subscriber pro...

Page 34: ...or TACACS In release 20 0 and higher Trusted StarOS builds Telnet is not supported Important Trusted Builds A Trusted build is a starfile image from which non secure or low security features have been deleted or disabled However the binaries in the Trusted starfile image are are identical to those found in other starfiles for a particular StarOS release build number In general a Trusted build is m...

Page 35: ...y is enabled SSHD for example in that context For all FTP or SFTP connections you must connect through an SPIO interface If you SFTP or FTP as a non local context account you must use the username syntax of username contextname In release 20 0 and higher Trusted StarOS builds FTP is not supported Important The context selection process becomes more involved if you are configuring the system to pro...

Page 36: ...ext level administrative user Items in the table correspond to the circled numbers in the flowchart Figure 2 Context level Administrative User AAA Context ASR 5000 System Administration Guide StarOS Release 21 1 8 System Operation and Configuration Context Selection for Context level Administrative User Sessions ...

Page 37: ...d context the AAA configuration within the AAA Administrator Default Domain context is used If the default domain is not configured or does not match a configured context or domain go to item 4 item below 3 If a domain was specified as part of the username but it did not match a configured context or if a domain was not specified as part of the username the system determines if the AAA Administrat...

Page 38: ...rational Step 3 If the SMC in slot 8 successfully executes all POSTs the card in slot 8 becomes the active SMC The SMC in slot 9 becomes the standby card If there is a problem with the SMC in slot 8 the card in slot 9 becomes the active SMC Once the active and standby order is determined the SPIO cards in slots 24 and 25 are placed into active and standby mode as determined by the direct mapping o...

Page 39: ...wered on and there is no configuration file the active SMC invokes the system s Quick Setup wizard Use the Quick Setup wizard to configure basic system parameters for communication across the management network The wizard creates a configuration file system cfg that you can use as a starting point for subsequent configurations This allows you to configure the system automatically by applying the c...

Page 40: ...e commands at the CLI prompt Refer to the instructions in Software Management Operations When you apply a configuration file after the boot process the file does not delete the configuration loaded as part of the boot process Only those commands that are duplicated are overwritten Important Configuration files can be stored in any of the following locations CompactFlash Installed on the SMC PCMCIA...

Page 41: ...xample fe80 0 0 0 202 b3ff fe1e 8329 becomes fe80 202 b3ff fe1e 8329 IPv6 allows 128 bits for an Internet Protocol address and can support 2128 340 282 366 920 938 000 000 000 000 000 000 000 000 internet addresses CIDR Notation Classless Inter Domain Routing CIDR notation is a compact specification of an Internet Protocol address and its associated routing prefix It is used for both IPv4 and IPv6...

Page 42: ...es Alphanumeric Strings Some CLI commands require the entry of an alphanumeric string to define a value The string is a contiguous collection of alphanumeric characters with a defined minimum and maximum length number of characters Character Set The alphanumeric character set is a combination of alphabetic Latin letters and or numeric Arabic digits characters The set consists of the numbers 0 to 9...

Page 43: ...lon dollar sign wildcard dot equals sign exclamation point percent slash forward vertical bar The following characters may be used to delimit the domain from the user name for global AAA functions at sign dash or hyphen hash or pound sign percent slash backward must be entered as double slash slash forward Quoted Strings If descriptive text requires the use of spaces between words the string must ...

Page 44: ...ASR 5000 System Administration Guide StarOS Release 21 1 16 System Operation and Configuration Quoted Strings ...

Page 45: ...to the system the active System Management Card SMC typically the one installed in chassis slot 8 automatically launches a Quick Setup Wizard on its console port The serial console port is located on the SPIO card installed in slot 24 This wizard is guides you through the initial configuration of the system You can choose not to use the wizard and perform the initial configuration by issuing comma...

Page 46: ...edicated LI context yes no no 14 Enable LOCAL interface yes no yes 17 LOCAL Out of band Ip Address ip_address 18 LOCAL Out of band subnet mask subnet_mask 19 Default gateway Ip Address gw_ip_address 20 Enable remote access yes no yes 21 Enable sshd yes no yes 22 Enter a default SSH key size 2048 3072 4096 5120 7168 9216 2048 23 Enable sftp server yes no yes 24 Enable telnetd yes no no 25 Enable ft...

Page 47: ... name of the default administrative user configured through the wizard is admin Administrative username is an alphanumeric string of 1 through 32 characters that is case sensitive Configure an administrative username for the system 7 Administrative user password is an alphanumeric string of 1 through 63 characters that is case sensitive For release 21 0 and later you can enter 127 characters for t...

Page 48: ...gure a single SPIO out of band management interface for out of band system management 14 17 18 Enter an IP address Configure a default gateway for the interface 19 Enter yes to allow remote access to this system Instructions for configuring the second management interface can be found in the System Settings chapter Enable remote access 20 Secure Shell SSH uses TCP port number 22 by default if enab...

Page 49: ...ompts An example of a created script is displayed in the example below Variables are displayed in italics variable Review the configure script created by the wizard based on your inputs Once applied the parameter configuration is automatically saved to the system cfg file stored on the primary SMC compact flash card Apply the configuration file to the system Do you want to view the configuration s...

Page 50: ...nfiguration consists of the following Configuring a context level security administrator and hostname Configuring the Ethernet interface s on the SPIO that is installed behind the primary SMC Configuring the system for remote CLI access via Telnet SSH or FTP secured or unsecured In release 20 0 and higher Trusted StarOS builds telnet and FTP are not supported Important ASR 5000 System Administrati...

Page 51: ...ileges To ensure security in accordance with Law Enforcement Agency LEA standards LI administrative users must access the system using the Secure Shell SSH protocol only LI privileges can be optionally configured for use within a single context system wide For additional information see the Lawful Intercept Configuration Guide Note Step 4 Enter the following command at the prompt to exit the conte...

Page 52: ...lot port no shutdown interface_name is the name of the interface that you configured in step 7b i Specify which Ethernet media you are using Enter the following local host_name config port slot port media rj45 sfp The SPIO is equipped with dual RJ 45 and dual SFP interfaces The RJ 45 interfaces connect the system to the management network with CAT3 or CAT5 Ethernet cable The SFP interfaces connect...

Page 53: ...upported in a previous release may be concealed in subsequent releases StarOS continues to parse concealed keywords in existing scripts and configuration files created in a previous release But the concealed keyword no longer appears in the command syntax for use in new scripts or configuration files Entering a question mark will not display a concealed keyword as part of the Help text A removed k...

Page 54: ...op Protocol Prec Cost Interface 0 0 0 0 0 ipaddress static 1 0 spio1 network 0 0 0 0 connected 0 0 spio1 Step 9 Verify the interface binding by entering the following command local host_name show ip interface name interface_name interface_name is the name of the interface that was configured in step 7b The CLI output should be similar to the sample output Intf Name spio1 Intf Type Broadcast Descri...

Page 55: ...n below CLI print failure Failure SSH V1 contains multiple structural vulnerabilities and is no longer considered secure Therefore we don t support v1 rsa SSH key any longer please generate a new v2 rsa key to replace this old one If the system boots from a configuration that contains the v1 rsa key you can expect a boot failure when logging in through SSH The workaround is to log in via the Conso...

Page 56: ...he cipher options for that context Step 1 Enter the SSH Configuration mode local host_name config ctx server sshd Step 2 Specify the desired encryption algorithms local host_name config sshd ciphers algorithm Notes algorithm is a string of 1 through 511 alphanumeric characters that specifies the algorithm s to be used as a single string of comma separated variables no spaces in priority order from...

Page 57: ...a keyword has been removed from and the v2 dsa keyword concealed within the ssh generate CLI command The only keyword available for generating SSH keys is v2 rsa The generated key pair remains in use until the command is issued again Important Step 1 Enter the context configuration mode local host_name config context context_name local host_name config ctx Step 2 Generate an SSH key pair local hos...

Page 58: ...v2 dsa v2 rsa Notes username user_name specifies an existing StarOS administrator user name as having authorized keys for access to the sshd server The user_name is expressed as an alphanumeric string of 1 through 255 characters User names should have been previously created via the Context Configuration mode administrator command using the nopassword option to prevent bypassing of the sshd keys R...

Page 59: ...ss are separately checked restricting logins to those users from that particular IP address If the pattern is in the format USER context IP_ADDRESS then user name StarOS context and IP address are separately checked restricting logins to those users associated with the specific context from that particular IP address The following limits apply to the user_list The maximum length of this string is ...

Page 60: ...I commands allow you to disable or modify this default sshd disconnect behavior For higher security Cisco recommends at least a client alive countmax of 2 and client alive interval of 5 Smaller session logout values may lead to occasional ssh session logouts Adjust values to balance security and user friendliness Important The client active countmax command sets the number of client alive messages...

Page 61: ... alive interval 5 Step 5 Exit the SSH Configuration mode local host_name config sshd end local host_name SSH Client Login to External Servers StarOS supports public key authentication for SSH SFTP access from the StarOS gateway to external servers You configure this feature by generating SSH client key pairs and pushing the client public key to external servers By default StarOS only supports user...

Page 62: ...to an External Server You must push the SSH client public key to an external server to support SSH SFTP access to that server Step 1 From the Exec mode run the push ssh key command local host_name push ssh key host_name host_ip_address user username context context_name local host_name host_name specifies the remote server using its logical host name which must be resolved via DNS lookup It is exp...

Page 63: ... the secondary IP address and subnet mask by entering the following command local host_name config if eth ip ipv address ipaddress subnet_mask secondary Step 5 Exit the configuration mode by entering the following command local host_name config if eth end Step 6 Confirm the interface ip addresses by entering the following command local host_name show config context local The CLI output should look...

Page 64: ...ASR 5000 System Administration Guide StarOS Release 21 1 36 Getting Started Configuring the Management Interface with a Second IP Address ...

Page 65: ...age 38 Configuring System Timing page 39 Configuring Transmit Timing Source page 43 Enabling CLI Timestamping page 45 Configuring CLI Confirmation Prompts page 45 Configuring System Administrative Users page 47 Configuring TACACS for System Administrative Users page 54 Separating Authentication Methods page 58 Configuring a Chassis Key page 61 Configuring Virtual MAC Addresses page 63 Verifying Vi...

Page 66: ... 45 interfaces connect the system to the management network with CAT3 or CAT5 Ethernet cable The SFP interfaces connect the system to the management network with 1000Base SX optical fiber cable Option In the Ethernet Port configuration mode configure the port speed if needed by entering the medium command Refer to the Command Line Interface Reference for a complete explanation of this command In t...

Page 67: ...stem to communicate with one or more Network Time Protocol NTP server s to ensure that the clock is always accurate In the event of a power outage the clock is maintained with an accuracy of one minute per month for up to 10 years This ensures that when power is restored the system is ready to process sessions and generate accounting log and event data with accurate timestamps In addition to confi...

Page 68: ...nitially installed When enabled the active SMC will synchronize with external sources If not enabled the active SMC will use its local clock as a time source In the event of an NTP server or network outage an already running SMC will continue to use NTP to maintain time accuracy but in a holdover mode All cards with CPUs synchronize to the active SMC internally This occurs even if an external NTP ...

Page 69: ...ck with no external source A local clock with no external source is usually a last resort clock when no better clock is available It is typically configured on a site s intermediate NTP server so that when a WAN network outage occurs hosts within the site can continue to synchronize amongst themselves You can configure this in ntpd or on many commercially available NTP devices This local clock sho...

Page 70: ...d Table 3 NTP Parameters Description Column Title List of the current NTP servers One of these characters precedes each IP address to show the server s current condition Rejected No response X False tick Excess Outlyer Candidate Selected System peer o PPS peer remote Last reported NTP reference to which the server is synchronizing refid NTP server stratum level st Communication type broadcast mult...

Page 71: ...ified port on an OLC OLC2 or CLC CLC2 This method of timing requires that the SPIO be equipped with the optional Stratum 3 clock module The timing is then distributed via the SPIO to all line cards in the chassis To use BITS timing the SPIO card must include the optional BITS E1 BNC or T1 DS1 3 pin timing interface For additional interface information refer to the ASR 5000 Installation Guide Impor...

Page 72: ...rces Use the following example to configure both BITS and line timing as the timing sources configure card CLC_slot framing mode exit port atm OLC_slot port line timing no shutdown exit port channelized CLC_slot port line timing no shutdown exit port bits slot port recover line1 LC_slot port recover line2 LC_slot port no shutdown end Save the configuration as described in the Verifying and Saving ...

Page 73: ...Automatic Confirmation You can use the autoconfirm command to disable confirmation prompting for configuration commands The autoconfirm command is available in the Exec mode and Global Configuration mode Enabling the autoconfirm feature automatically supplies a Yes response to configuration command prompts including for critical commands such as reload and shutdown By default autoconfirm is disabl...

Page 74: ...o yes local host_name config To disable commandguard once it has been enabled use the no commandguard command The status of commandguard is output in show configuration commands Requiring Confirmation for Specific Exec Mode Commands A keyword for the commandguard command allows you to apply mandatory prompting for specified categories of Exec mode configuration commands even when autoconfirm is en...

Page 75: ...leges Security Administrators have read write privileges and can execute all CLI commands including those available to Administrators Operators and Inspectors Administrators have read write privileges and can execute any command in the CLI except for a few security related commands that can only be configured by Security Administrators Administrators can configure or modify system settings and exe...

Page 76: ...n administrator without an associated password Enable this option when using ssh public keys authorized key command in SSH Configuration mode as a sole means of authentication When enabled this option prevents someone from using an administrator password to gain access to the user account Save the configuration as described in the Verifying and Saving Your Configuration chapter Configuring Context...

Page 77: ...nd Saving Your Configuration chapter Configuring Context level Inspectors Use the example below to configure context level inspectors configure context local inspector user_name encrypted nopassword password password end Notes Additional keyword options are available that identify active administrators or place time thresholds on the administrator Refer to the Command Line Interface Reference for ...

Page 78: ...ommand show configuration context local This command displays all of the configuration parameters you modified within the Local context during this session The following displays sample output for this command In this example a security administrator named testadmin was configured config context local interface mgmt1 ip address 192 168 1 10 255 255 255 0 exit subscriber default exit administrator ...

Page 79: ...SAUser was configured Username SAUser Auth Level secadmin Last Login Never Login Failures 0 Password Expired Yes Locked No Suspended No Lockout on Pw Aging Yes Lockout on Login Fail Yes Updating Local User Database Update the local user administrative configuration by running the following Exec mode command This command should be run immediately after creating removing or editing administrative us...

Page 80: ...enticate the Security Administrator The downgrade process does not convert PBKDF2 hashed passwords to MD5 format The downgrade process re reads the database from the flash directory reconstructs the database in the older format and writes it back to the disk Since the PBKDF2 hashed passwords cannot be converted to the MD5 hash algorithm and earlier StarOS releases cannot parse the PBKDF2 encryptio...

Page 81: ...cated LI context limits access to the LI configuration to the one VPN context which requires it Once configured as a Dedicated LI context system it can never be re configured any other type of LI context system Refer to the Lawful Intercept Configuration Guide before attempting to create a Dedicated LI context Figure 5 LI Context Configurations Restricting User Access to a Specified Root Directory...

Page 82: ...exit Associating an SFTP root Directory with an Administrator The administrator command allows an administrator to associate an SFTP root directory for a specified administrator configure context local administrator user_name password password ftp sftp server sftp_name exit Associating an SFTP root Directory with a Config Administrator The config administrator command allows an administrator to as...

Page 83: ...med in TACACS Configuration Mode Enabling the TACACS function is performed in the Global Configuration Mode The system supports the configuration of up to three TACACS servers Once configured and enabled on the system TACACS authentication is attempted first By default if TACACS authentication fails the system then attempts to authenticate the user using non TACACS AAA services such as RADIUS For ...

Page 84: ...pported Important StarOS User Account Requirements TACACS users who are allowed administrative access to the system must have the following user account information defined in StarOS username password administrative role and privileges For instructions on defining users and administrative privileges on the system refer to Configuring System Administrative Users Important Configuring TACACS AAA Ser...

Page 85: ... context TACACS authentication can also be configured for non local context VPN logins TACACS must configured and enabled with the option described below A stop keyword option is available for the TACACS Configuration mode on unknown user command If TACACS is enabled with the command keyword option the VPN context name into which the user is attempting a login must match the VPN name specified in ...

Page 86: ...state user login complete current privilege level 15 remote client application ssh remote client ip address 111 11 11 11 last server reply status 1 total TACACS sessions 1 For details on all TACACS maintenance commands refer to the Command Line Interface Reference Important Separating Authentication Methods You can configure separate authentication methods for accessing the Console port and establ...

Page 87: ...ole line configure local user allow aaa authentication noconsole exit Since local user authentication is always performed before AAA based authentication and local user allow aaa authentication noconsole is enabled the behavior is the same as if no local user allow aaa authentication is configured There is no impact on vty lines This command does not apply for a Trusted build because the local use...

Page 88: ...users will still be able to access the Console and vty lines For additional information see the Updating and Downgrading the local user Database on page 51 Important This command does not apply for a Trusted build because the local used database is unavailable Important Limit Console Access for AAA based Users AAA based users normally login through on a vty line However you may want to limit a few...

Page 89: ...ferent chassis key value The chassis key is used to generate the chassis ID which is stored in a file and used as the master key for protecting sensitive data such as passwords and secrets in configuration files For release 15 0 and higher the chassis ID is an SHA256 hash of the chassis key The chassis key can be set by users through a CLI command or via the Quick Setup Wizard If the chassis ID do...

Page 90: ... Line Interface Reference Beginning with Release 15 0 the chassis ID will be generated from the chassis key using a more secure algorithm The resulting 44 character chassis ID will be stored in the same file Release 14 and Release 15 chassis IDs will be in different formats Release 15 will recognize a Release 14 chassis ID and consider it as valid Upgrading from 14 x to 15 0 will not require chang...

Page 91: ...he corresponding ports on the upper and lower line cards have the same assigned MAC address When you enable virtual MAC addressing these addresses are all assigned from the specified block of 256 addresses If you enable virtual MAC addressing and remove a line card from the system MAC addresses do not have to be reassigned because the MAC addresses in use do not belong to any line card Therefore i...

Page 92: ...cessing cards are placed into standby mode You must activate some of these cards in order to configure and use them for session processing Others may remain in standby mode to serve as redundant components When you activate an application card the line card behind it shows up as attached and in a Ready state Only when you bind a logical interface to one of the ports of the line card pair will the ...

Page 93: ...s three packet processing cards that are in standby mode They are installed in chassis slots 14 15 and 16 If an active processing card fails and you want the packet processing card in slot 15 to replace the failed packet processing card followed by the packet processing card in slot 14 enter the following command card standby priority 15 14 In the unlikely event that the packet processing cards in...

Page 94: ...y disabling a port that is one of a redundant pair A redundant pair comprises both the active and standby ports for example 17 1 and 33 1 If 17 1 is active administratively disabling 17 1 through the CLI does not make 33 1 active It disables both 17 1 and 33 1 because an action on one port has the same effect on both Refer to Enabling Line Card and SPIO Redundancy below and Creating and Configurin...

Page 95: ...gy Example Using Line Card Port Redundancy Figure 7 Port Redundancy Failover in Cable Defect Scenario In the example above an Ethernet cable is cut or unplugged causing the link to go down When this event occurs the system with port mode redundancy enabled recognizes the link down state and makes port 33 1 the active port The switching devices using some port redundancy scheme recognizes the failu...

Page 96: ...icates that port redundancy will be enabled This is the default redundancy mode You do not need to use this configuration for each line card or SPIO The system intuitively understands that if the command is entered for an active line card the standby line will operate in the same mode For example if you enter the command for the line card in slot 17 it automatically places the line card in Slot 33...

Page 97: ... to return use to the original port This feature is applied on a per port basis allowing you to configure specific ports to be used on individual line cards or SPIOs For example you could configure ports 1 through 4 as preferred on the line card in slot 17 and configure ports 5 through 8 as the preferred ports on the line card in slot 33 On a SPIO you could configure port 1 as preferred on the SPI...

Page 98: ...nterface TAP None Link State Up Link Duplex Unknown Link Speed Unknown Flow Control Disabled Link Aggregation Group None Logical ifIndex 285278209 Operational State Down Active SFP Module 285278209 Configuring ASR 5000 Link Aggregation A Link Aggregation Group LAG works by exchanging control packets via Link Aggregation Control Protocol LACP over configured physical ports with peers to reach agree...

Page 99: ...ther card when certain active port counts or bandwidth thresholds are crossed LAG and Multiple Switches This feature connects ports on XGLCs or QGLCs to ports on Ethernet switches A port failure switch forces all ports in a LAG to switch to another XGLC or QGLC when a specified threshold is crossed This works in a way similar to the auto switch feature for port redundancy LACP runs between the ASR...

Page 100: ...ne whether to initiate an auto switch including automatic L2 port switch Two switches can also be connected to odd and even slots of an XGLC in active active mode without L2 redundancy Two LACP instances are started for odd and even slots and similar monitoring and switching occurs The figure below shows an LAG established across two line card ports with L2 redundancy Figure 10 LAG with L2 Redunda...

Page 101: ...he LAG manager also enters extends the hold period when an administrator manually switches ports to trigger a card switch Preferred Slot You can define which card is preferred per LAG group as a preferred slot When a preferred slot is specified system behavior varies based on card type QGLC the preferred slot is selected when both the top and bottom slots have the same number of active LACP ports ...

Page 102: ... mode CLI commands show configuration link aggregation group group_number show link aggregation info lacp info statistics table all utilization table group group_number See the Command Line Interface Reference for detailed information on each command Suppressing SPOF Alarm for XGLC An XGLC that has not been configured for horizontal port redundancy with an adjacent XGLC constitutes a Single Point ...

Page 103: ...s continue to be aggregated Top and bottom QGLCs can be connected to different switches in a LAG Requirements Observe the following requirements Assure that links between the two systems are full duplex and at the same speed Set the port medium configuration to auto or full duplex and maximum speed An aggregation group can consist of from one to four ports A port can only be in one aggregation gro...

Page 104: ...res top and bottom card slots link aggregation takes place horizontally within ports on different XGLCs Link Aggregation Control One port in an aggregation group is configured as a master so that all traffic except control traffic in the aggregation group logically passes through this port It is recommended although not required that you set up the master first by managing card slot ports and unse...

Page 105: ...of two peers form the Link Aggregation Group Identifier LAGID You can aggregate links having the same LAGID Systems are often configured initially with each port in its own aggregation requiring a separate key per port or with all ports in the same aggregation a single key for all ports Negotiation via LACP would qualify the actual aggregation Systems exchange information about system ID port key ...

Page 106: ... within the LAG can be set to toggle the link Enable this option via the link aggregation toggle link command at the Card Configuration Mode or Ethernet Port Configuration Mode Horizontal Link Aggregation with Two Ethernet Switches When a LAG contains two sets of ports each connecting to a different Ethernet switch the operator has the ability to specify the slot port connected to the destination ...

Page 107: ... which has the potential to increase system throughput However there is no increased support in total subscriber capacity due to other system resource restrictions This feature is disabled by default and can be enabled via the Global Configuration mode require demux card command It is only supported for a limited number of products Refer to the product Administration Guide for additional informati...

Page 108: ...e XGLC in the ASR 5000 chassis The XGLC is a one port card You should also configure flow control at 6Gbps on the peer ports of all routers in your network that are connected to the ASR 5000 Bidirectional flow control slows down the traffic flow rate from these routers when the ASR 5000 sends a flow control beacon whenever an XGLC is throttled ASR 5000 System Administration Guide StarOS Release 21...

Page 109: ...nfig mode Warning One or more other administrators may be configuring this system There are no default restrictive behavior changes when entering config mode under a shared lock Note When multiple administrators edit or save the running config concurrent changes may result in conflicting inconsistent or missing configuration commands A similar problem can occur when saving the configuration if som...

Page 110: ...s all other administrators to exit out of configuration mode This administrator will be taking the exclusive lock soon You may want to use this option before actually forcing administrators out of configuration mode If there are no other administrators in config mode entering configure lock immediately grants you an exclusive lock local host_name configure lock Info No one else can access config m...

Page 111: ...strators would typically not anticipate seeing the message in their session output StarOS logs all major config mode lock interactions to the event log and syslog facility if configured You can access a record of what interactions transpired at any time Important Effect of Config Lock on URL Scripts When attempting to load a config script file using the configure url command you must acquire eithe...

Page 112: ...d shutdown commands can result in a corrupted or partial configuration file when either of these commands are executed while a save configuration command is still in progress To prevent this problem from occurring the reload and shutdown commands share a CLI shutdown lock with all save configuration commands executed across StarOS This means while any save configuration command is executing StarOS...

Page 113: ...ession is currently in Config Mode shared lock s Administrator session is currently saving the config f Administrator session is currently loading the config file L Administrator session is currently in Config Mode with the exclusive lock The following is sample output of the show administrators command indicating current lock mode local asr5500 show administrators Administrator Operator Name M Ty...

Page 114: ...ASR 5000 System Administration Guide StarOS Release 21 1 86 Config Mode Lock Mechanisms show administrators Command ...

Page 115: ...n commands and keyword options are presented In many cases other optional commands and keyword options are available Refer to the Command Line Interface Reference for detailed information about all commands Important To configure the system to communicate with an EMS Step 1 Set client ID parameters and configure the STOP TCP port settings by applying the example configuration in Configuring ORBEM ...

Page 116: ... filters to determine which events are to be sent By default the Service sends all error and higher level events info level events for the ORBS facility CLI command logs and license change logs Optionally configure a filter by including the event notif service filter command Enter this command for each filter you need to configure Configuring IIOP Transport Parameters Use the following example to ...

Page 117: ...f Operations Completed 2895 Number of Events Processed 0 Avg Operation Processing time 87214 usecs last 1000 87950 usecs SNMP MIB Browser This section provides instructions to access the latest Cisco Starent MIB files using a MIB Browser An updated MIB file accompanies every StarOS release For assistance to set up an account and access files please contact your Cisco sales or service representativ...

Page 118: ...unzip it and extract it to the same folder Step 4 Double click on the new companion xx x x xxxxx file folder Step 5 Unzip and extract the companion xx x x xxxxx tar file Step 6 From your MIB browser search for and open the starent my file within the tar file You can use any SNMP MIB Browser that allows you to compile a MIB my file before viewing it Step 7 To compile the MIB file click on the STARE...

Page 119: ...ap The SNMP MIB browser allows you to search for specific MIBs You can search for a specific OID object identifier to find a specific MIB entry For information on SNMP MIBs changes for a specific release refer to the SNMP MIB Changes in Release xx chapter of the appropriate version of the to the Release Change Reference Important ASR 5000 System Administration Guide StarOS Release 21 1 91 Manageme...

Page 120: ...age 92 Step 2 To view your new SNMP configuration follow the steps in Verifying SNMP Parameters on page 93 Step 3 Save the configuration as described in Verifying and Saving Your Configuration Configuring SNMP and Alarm Server Parameters Use the following example to set SNMP and alarm server parameters configure system contact contact_name system location location_name snmp authentication failure ...

Page 121: ...ptions associated with this command Use the snmp mib command to enable other industry standard and Cisco MIBs By default only the STARENT MIB is enabled By default SNMP runtime debugging always runs and consumes CPU cycles for event logging To control CPU usage you can set no snmp runtime debug to disable runtime debugging An option to this command allows you to specify SNMP token values that will...

Page 122: ...able individual traps to allow only traps of a certain type or alarm level to be generated This section provides instructions for disabling enabling SNMP traps Commands used in the configuration samples in this section provide base functionality The most common commands and keyword options are presented In many cases other optional commands and keyword options are available Refer to the Command Li...

Page 123: ...le includes IP address pool configuration Using this example enter the following commands to verify proper feature configuration Enter the show ip pool command to display the IP address pool configuration The output from this command should look similar to the sample shown below In this example all IP pools were configured in the isp1 context context isp1 Type P Public R Private S Static E Resourc...

Page 124: ... that your context was created and configured properly by entering the show context name name command The output shows the active context Its ID is similar to the sample displayed below In this example a context named test1 is configured Context Name ContextID State test1 2 Active System Configuration Verify that your entire configuration file was created and configured properly by entering the sh...

Page 125: ...ze a file system with a specific storage device For additional information see the Exec Mode Commands chapter in the Command Line Interface Reference Saving the Configuration These instructions assume that you are at the root prompt for the Exec mode local host_name To save your current configuration enter the following command save configuration url obsolete encryption showsecrets verbose redunda...

Page 126: ...l device for the active SMC you must synchronize the local file system on both SMCs See Synchronizing File Systems on page 97 Important To save a configuration file called system cfg to a directory that was previously created called cfgfiles on the CompactFlash in the SMC enter the following command save configuration flash cfgfiles system cfg ASR 5000 System Administration Guide StarOS Release 21...

Page 127: ...9 Ethernet Interfaces and Ports page 100 ATM Interfaces and Ports page 103 Frame Relay Interfaces and Ports page 106 Contexts Even though multiple contexts can be configured to perform specific functions they are all created using the same procedure Creating Contexts Commands used in the configuration examples in this section represent the most common or likely commands and or keyword options In m...

Page 128: ...tructions on configuring specific services and options Ethernet Interfaces and Ports Regardless of the type of application interface the procedure to create and configure it consists of the following Step 1 Create an interface and assign an IP address and subnet mask to it by applying the example configuration in Creating an Interface on page 101 Step 2 Assign a physical port for use by the interf...

Page 129: ...h on L3 fail address command to configure the interface for switchover to the port on the redundant line card if connectivity to a specified IP address is lost This IP address can be entered using IPv4 dotted decimal or IPv6 colon separated hexadecimal notation Configuring a Port and Binding It to an Interface Use the following example configuration to configure and assign a port to an interface c...

Page 130: ...ed Multiple static routes can be configured to the same destination to provide an alternative means of communication in case the preferred route fails Viewing and Verifying Port Configuration Step 1 Verify that your interface configuration settings are correct by entering the following commands local host_name context context_name context_name host_name show ip ipv6 interface context_name represen...

Page 131: ...ces and Ports This section describes the minimum configuration required to use IP over ATM IPoA through an Optical ATM line card OLC OLC2 The procedures describe how to Step 1 Set the framing method for a specific OLC type line card and make the card active by using the procedure defined in Enabling the OLC ATM Line Card on page 104 Step 2 Create an IP over ATM interface PVC interface by following...

Page 132: ...cal ATM line card Setting the framing method is required to make the card operational Entering no shutdown makes the card active Creating an IP Interface for Use with an ATM Port Use the following example to create an IP interface to use with ATM configure context ctxt_name interface intf_name point to point ip address ip_addr net_mask ip address ip_addr net_mask secondary end Notes The context mu...

Page 133: ... timing and save the configuration Binding an SS7 Link to an ATM Port Use the following example to bind an already configured SS7 link to a PVC interface for an ATM port configure port atm slot port pvc vpi vpi_num vci vci_num bind link ss7 routing domain ss7rd_id linkset id id link id id end Notes Save the configuration as described in the Verifying and Saving Your Configuration chapter Verifying...

Page 134: ...Line Card on page 107 Step 2 Configure the path framing mapping Frame Relay characteristics and the data link connection identifiers DLCIs as illustrated in the example configuration in Configuring the Channel Characteristics on page 107 Step 3 Configure the appropriate timing source BITS from the SPIO or line timing from attached remote to ensure transmit synchronization by applying the example c...

Page 135: ...relay All other options are not fully supported at this time Configuring the Channel Characteristics Use the following example to configure the path framing mapping timeslots and the Frame Relay interface and LMI characteristics for a specific CLC CLC2 port configure port channelized slot port path path_id ds1 e1 number_of_connections frame_mapping multiplex multiplex framing framing_mode mapping ...

Page 136: ...de Framing Mode SDH Redundant With Not Redundant Preferred Port Non Revertive Physical ifIndex 453050368 Administrative State Disabled Link State Unknown Line Timing Yes SFP Module Not Present Path 1 e1 1 tu12 au3 1 1 crc4 bit async Timeslots 12 14 Frame Relay Intf Typ DCE Frame Relay LMI Type Q933A Frame Relay LMI n391 6 Frame Relay LMI n392 2 Frame Relay LMI n393 2 Frame Relay LMI t391 10 Frame ...

Page 137: ...ed Up None FR DLCI 1 1 1 52 Enabled Up Active FR DLCI 1 2 1 53 Enabled Down Active ASR 5000 System Administration Guide StarOS Release 21 1 109 System Interfaces and Ports Verifying the Frame Relay Interface Configuration and Status ...

Page 138: ...ASR 5000 System Administration Guide StarOS Release 21 1 110 System Interfaces and Ports Verifying the Frame Relay Interface Configuration and Status ...

Page 139: ...vely and not echoed to the user On the ASR5000 the encrypted chassis key is stored in the Compact Flash card on each SMC If the chassis key identifier stored in the header comment line of the configuration file does not match the chassis key an error message is displayed to the user The user can change the chassis key value simply by entering the chassis key again The previous chassis key is repla...

Page 140: ...Release 15 chassis IDs will be in different encryption formats Release 15 will recognize a Release 14 chassis ID and consider it as valid Upgrading from 14 x to 15 0 will not require changing the chassis ID or configuration file However if the chassis key is reset in Release 15 through the setup wizard or chassis key CLI command a new chassis ID will be generated in Release 15 format 44 instead of...

Page 141: ...ion C This algorithm specifies the use of the HMAC SHA512 cipher algorithm for encryption and authentication Passwords encrypted with this key will have C prefixes in the configuration file Also for release 19 2 and higher the encryption key is hashed from the chassis ID and a 16 byte Initialization Vector IV obtained from an internal random number generator No two passwords are encrypted using th...

Page 142: ...le The snmp community encrypted name command enables the encryption of SNMP community strings For additional information see the Global Configuration Mode Commands chapter in the Command Line Interface Reference Lawful Intercept Restrictions This section describes some of the security features associated with the provisioning of Lawful Intercept LI For additional information refer to the Lawful In...

Page 143: ...t be allowed to increase their privileges or gain access to sensitive data such as passwords which were entered by higher privileged users The ASR 5x00 can only detect changes in users and user attributes such as privilege level when these users are configured through the ASR 5x00 Important Notification of Users Being Added or Deleted Users with low level authorization should not be able to create...

Page 144: ...To enable access to test commands a Security Administrator must log into the Global Configuration mode and enter cli hidden This command sequence is shown below local host_name config local host_name config cli hidden local host_name config By default cli hidden is disabled Low level diagnostic and test commands keywords will now be visible to a user with Administrator or higher privilege There is...

Page 145: ...rd is specified the password argument is interpreted as an encrypted string containing the password value If the encrypted keyword is not specified the password argument is interpreted as the actual plain text value If tech support test commands password is never configured StarOS will create a new password If the password keyword is not entered for cli test commands the user is prompted no echo t...

Page 146: ... trap starTestModeEntered is generated whenever a user enters CLI test commands mode Important ASR 5000 System Administration Guide StarOS Release 21 1 118 System Security Configuration Mode cli test commands ...

Page 147: ... made up of files that are stored on one or more of the following flash A CompactFlash card located on the circuit board of the SMC is the default storage media for the operating system software image CLI configuration and crash log files used by the system pcmcia1 This device is available when an ATA Type I or Type II PCMCIA card is inserted into PC Card Slot on the front panel of the SMC hd raid...

Page 148: ...e to store the prioritized boot stack parameters and file groups the system uses during startup Modify this file only through system CLI commands and not through external means Boot parameters contain information the system needs to locate the operating system image file including bootmode This setting is typically configured to normal and identifies how the system starts network interface configu...

Page 149: ...ng command synchronizes the file systems between two SMCs local host_name filesystem synchronize flash pcmcia1 all checkonly from to noconfirm The following command synchronizes the file systems on two SMC flash devices local host_name filsystem synchronize flash Creating Directories Use the mkdir command to create a new directory on the specific local device This directory can then be incorporate...

Page 150: ...fg Deleting Files The delete command removes a designated file from its specified location on the local file system This command can only be issued to a local device on the SMC Note that this command does not allow for wildcard entries each filename must be specified in its entirety Do not delete the boot sys file If deleted the system will not reboot on command and will be rendered inoperable Cau...

Page 151: ...tatistics during testing or created off line using a text editor There may be pre existing configuration files stored on the local file system that can be applied to a running system at any time If a configuration file is applied to a system currently running another CLI configuration any like contexts services logical interfaces physical ports IP address pools or other configured items will be ov...

Page 152: ...on editable file that executes on the system creating its runtime operating system OS It is important to verify a new operating system image file before attempting to load it To accomplish this a proprietary checksum algorithm is used to create checksum values for each portion of the application stored within the bin file during program compilation This information can be used to validate the actu...

Page 153: ...n files stored locally on the system Upon system startup or reboot the system looks on one of its local devices or hd raid located on the active SMC for the specific software image and accompanying configuration text file When using the local booting method you only need to configure boot stack parameters The system can also be configured to obtain its software image from a specific external netwo...

Page 154: ...n this example that the first two boot stack entries Priorities 18 and 19 load the image file operating system software from an external network server using the Trivial File Transfer Protocol TFTP while all configuration files are located on the flash device Also notice the boot network interface and boot network configuration commands located at the top of the boot stack These commands define wh...

Page 155: ...d see the Global Configuration Mode Commands chapter of the Command Line Interface Reference The following command creates a new boot stack entry using a boot priority of 3 boot system priority 3 image flash image_filename bin config flash config_name cfg Boot stack changes saved to the boot sys file are not executed until the system is rebooted Important Synchronize the local file systems on the ...

Page 156: ...etwork Boot network parameters define the protocols and IP address information for SPIO interfaces used to reach the external network server that hosts the operating system software image file To configure boot network parameters make sure you are at the Exec mode prompt local host_name Step 1 Enter the Global Configuration mode by entering the following command local host_name configure The follo...

Page 157: ...network server If your network uses STP a typical delay time of 30 seconds should suffice Save your configuration as described in the Verifying and Saving Your Configuration chapter Important Configuring a Boot Nameserver To enter the hostname of the network server that hosts the operating system software image first configure the IP address of the Domain Name Service DNS server referred to as a n...

Page 158: ...or security options Trusted images are identifiable by the presence of _T in the platform name For example asr5000_T 20 0 0 bin SPA The software version information can be viewed from the CLI in the Exec mode by entering the show version command localhost_name show version You can run the Exec mode show build command to display additional information about the StarOS build release Verify Free Spac...

Page 159: ...red to transfer the file using binary mode Failure to use binary transfer mode will make the transferred operating system image file unusable In release 20 0 and higher Trusted StarOS builds FTP is not supported Important Transfer the file to the flash device using an SFTP client with access to the system Verify that the image file was successfully transferred to the flash device by running the fo...

Page 160: ...g the obsolete encryption keyword in conjunction with the Exec mode save configuration command as shown in the example local host_name save configuration flash v120_system cfg obsolete encryption Warning Use of weaker encryption significantly reduces the security of the system Are you sure Yes No Yes To reboot the system using the old configuration change the boot configuration via the Global Conf...

Page 161: ...er verification the password is hashed using the appropriate old weak encryption algorithm and saved in the database to allow earlier versions of StarOS to authenticate the Security Administrator The downgrade process does not convert PBKDF2 hashed passwords to MD5 format The downgrade process re reads the database from the flash directory reconstructs the database in the older format and writes i...

Page 162: ...grade is performed in five stages where each stage is limited to performing only specific functions until the system is prepared to move to the next stage Each stage is explained below System Requirements to Support the On line Software Upgrade Method A system requires a minimal amount of hardware to support this software upgrade method The minimum required application cards are Two SMCs one Activ...

Page 163: ...t be cancelled unless an emergency exists After Stage 1 the only way that an on line software upgrade can be terminated is to issue the reload command This causes a system restart that could leave the system in an abnormal state requiring manual intervention Issuing the reload command should be avoided and only used as a last resort Important Once all the calls on the system are terminated the sof...

Page 164: ...orarily saved by the system is not loaded at this point Instead only minimal commands used to control the system are loaded Once this SMC is operational another SMC switchover occurs and the second SMC is restarted loading the new software version During this period since both SMC are effectively now running the new operating system software image the system can continue to perform the on line sof...

Page 165: ...is cancels all redirection tasks configured by the overload policies and the system can once again begin accepting new sessions Performing an On line Software Upgrade This procedure describes how to perform a software upgrade using the on line software upgrade method This procedure assumes that you have a CLI session established and are placing the new operating system image file onto the local fi...

Page 166: ...er Trusted StarOS builds FTP is not supported Step 5 Back up the current CLI configuration file by entering the following command local host_name copy from_url to_url noconfirm For information on using the copy command please see the Copying Files and Directories section The following command example creates a backup copy of a file called general cfg located on the flash device to a file called ge...

Page 167: ...essing cards Next it begins to update each active packet processing card one at a time The system monitors all sessions being processed by active packet processing cards When all sessions facilitated by a specific Session Manager task are either self terminated or automatically terminated based on the thresholds configured in step 8 the system migrates the packet processing cards in active mode to...

Page 168: ...sions the last step of this process requires a reboot to actually apply the software upgrade This procedure assumes that you have a CLI session established and are placing the new operating system image file onto the local file system To begin make sure you are at the Exec mode prompt local host_name Configure a Newcall Policy Configure a newcall policy from the Exec mode to meet your service requ...

Page 169: ...nce Configure a Message of the Day Banner Optional Configure a Message of the Day banner informing other management users that the system will be rebooted by entering the following command from the Global Configuration mode prompt local host_name config banner motd banner_text banner_text is the message that you would like to be displayed and can be up to 2048 alphanumeric characters Note that ban...

Page 170: ...enumber some or all of the other entries before proceeding Use the no boot system priority command to delete a book stack entry local host_name configure local host_name config no boot system priority number To add new boot stack entries to the boot sys file enter the following commands local host_name configure local host_name config boot system priority number image image_url config cfg_url For ...

Page 171: ...rocedure requires upgrading the primary and standby chassis using the off line method while each is in standby mode Performing Dynamic Software Updates StarOS allows the runtime loading of plugins All StarOS builds include a default baseline plugin This feature is currently used to dynamically update the detection logic used to filter P2P applications via the Application Detection and Control ADC ...

Page 172: ...erial numbers of both CompactFlash cards This allows the license to be distributed across both SMCs ensuring that licensed capacity and features remain available during a switchover event Session Use and Feature Use Licenses Session use and feature use licenses are software mechanisms that provide session limit controls and enable special features within the system These electronic licenses are st...

Page 173: ...e will not be accepted A Failure error will appear in the output of the license key command when you attempt to configure an invalid license key If you use the force option to install an invalid license key the license will be placed into a 30 day grace period StarOS will generate daily syslog error messages and SNMP traps during the grace period The output of the show license information command ...

Page 174: ...iguration as described in the Verifying and Saving Your Configuration chapter License Expiration Behavior When a license expires there is a built in grace period of 30 days that allows normal use of the licensed session use and feature use licenses This allows you to obtain a new license without any interruption of service The following Exec mode command lists the license information including the...

Page 175: ...d the CompactFlash card on the new SMC must be exchanged with the CompactFlash from the original SMC because the license key was generated based on the serial number of the CompactFlash card associated with the original SMC Exchanging the two CompactFlash card modules ensures that license redundancy is maintained as the license key will continue to match both CompactFlash serial numbers on both SP...

Page 176: ...configuring account lockouts and user suspensions Local User Account Lockouts Local user accounts can be administratively locked for the following reasons Login failures The configured maximum login failure threshold has been reached Refer to the local user max failed logins command in the Global Configuration Mode Commands chapter of the Command Line Interface Reference for details Password Aging...

Page 177: ...ty administrators can reset passwords for local users by entering the following command from the root prompt in the Exec mode local host_name password change username name name is the name of the local user account for which the password is to be changed When a security administrator resets a local user s password the system prompts the user to change their password the next time they login All ne...

Page 178: ...ASR 5000 System Administration Guide StarOS Release 21 1 150 Software Management Operations Changing Local User Passwords ...

Page 179: ...e in Global Configuration Mode It is not necessary to exit the Config mode to run a show command The pipe character is only available if the command is valid in the Exec mode Important This chapter includes the following sections SNMP Notifications page 151 Monitoring System Status and Performance page 151 Clearing Statistics and Counters page 153 Monitoring ASR 5000 Hardware Status page 153 SNMP ...

Page 180: ...system uptime time since last reboot View NTP Server Status show ntp status View NTP servers status View System Resources show resources cpu View all system resources such as CPU resources and number of managers created View System Alarms show alarm outstanding all verbose View information about all currently outstanding alarms show alarm statistics View system alarm statistics View Congestion Con...

Page 181: ...unters It may be necessary to periodically clear statistics and counters in order to gather new information The system provides the ability to clear statistics and counters based on their grouping PPP MIPHA MIPFA etc Statistics and counters can be cleared using the CLI clear command Refer to the Exec Mode Commands chapter in the Command Line Interface Reference for detailed information on using th...

Page 182: ... their hardware revision and the firmware version of the on board Field Programmable Gate Array FPGAs show hardware card slot_number View details of a specific card Output contains same information as output of both show hardware inventory and show hardware version board View Card Diagnostics show maximum temperature show card diag slot_number View boot power and temperature diagnostics show tempe...

Page 183: ...sage information show cpu info graphs verbose View CPU usage information View Component Temperature Information show temperature View current component temperatures show maximum temperatures View maximum temperatures reached since last timestamp ASR 5000 System Administration Guide StarOS Release 21 1 155 Monitoring the System Monitoring ASR 5000 Hardware Status ...

Page 184: ...ASR 5000 System Administration Guide StarOS Release 21 1 156 Monitoring the System Monitoring ASR 5000 Hardware Status ...

Page 185: ...lk statistics file Optionally a number can be specified by an administrator in the optional configuration method Command details and descriptions of keywords and variables for commands in this chapter are located in the Bulk Statistics Configuration Mode Commands and Bulk Statistics File Configuration Mode Commands chapters in the Command Line Interface Reference Configuring Standard Settings The ...

Page 186: ...al xmit_time_interval limit mem_limit exit bulkstats collection end In release 20 0 and higher Trusted StarOS builds FTP is not supported SFTP is the recommended transfer protocol Important Configuring Bulk Statistic Schemas In each configuration example described in Configuring Standard Settings on page 157 and Configuring Optional Settings on page 158 the following is the primary command used to...

Page 187: ...oes not remove the file You must save the system configuration to retain the configuration change After completing changes to the bulk statistics configuration you must save the system configuration to save the changes If the bulkstats config command is enabled the bulkstats configuration file will be updated Important Using show bulkstats Commands There are several Exec mode show bulkstats comman...

Page 188: ...test time File Footer Bulkstats Receivers Primary 192 168 0 100 using FTP with username administrator Records awaiting transmission 0 Bytes awaiting transmission 0 Total records collected 0 Total bytes collected 0 Total records transmitted 0 Total bytes transmitted 0 Total records discarded 0 Total bytes discarded 0 Last transfer time required 0 second s No successful data transfers No attempted d...

Page 189: ...e not been successfully transferred Bulkstats Schema Nomenclature This section describes the nomenclature associated with configuring and viewing bulkstats Statistic Types The following statistic types are defined in the Statistics and Counters Reference user document published prior to Release 20 0 and displayed in the output of the Exec mode show bulkstats variables command Counter A counter rec...

Page 190: ... the Exec mode show bulkstats variables command Int32 A 32 bit integer the roll over to zero limit is 4 294 967 295 Int64 A 64 bit integer the roll over to zero limit is 18 446 744 073 709 551 615 Float A numeric value that includes decimal points for example 1 345 String A series of ASCII alphanumeric characters in a single grouping usually pre configured Key Variables Every schema has some varia...

Page 191: ...he seconds time2 String Information The UTC time that the collection file was created in HH MM format where HH represents the hours MM represents the minutes time3 In32 Information The number of seconds since Jan 1 1970 00 00 00 GMT epochtime String Information Lists all bulkstat schemas available on this platform schemas String Information Lists all bulkstats schemas that have changed the schema ...

Page 192: ...on swbuild Bulk Statistics Event Log Messages The stat logging facility captures several events that can be useful for diagnosing errors that could occur with either the creation or writing of a bulk statistic data set to a particular location The following table displays information pertaining to these events Table 10 Logging Events Pertaining to Bulk Statistics Additional Information Severity Ev...

Page 193: ... Monitor Logs page 179 Viewing Logging Configuration and Statistics page 180 Viewing Event Logs Using the CLI page 181 Configuring and Viewing Crash Logs page 181 Reducing Excessive Event Logging page 185 Checkpointing Logs page 186 Saving Log Files page 186 Event ID Overview page 187 System Log Types There are five types of logs that can be configured and viewed on the system Not all Event Logs c...

Page 194: ...es This information is useful in determining the cause of the crash Configuring Event Logging Parameters The system can be configured to generate logs based on user defined filters The filters specify the facilities system tasks or protocols that the system is to monitor and severity levels at which to trigger the generation of the event entries Event logs are stored in system memory and can be vi...

Page 195: ...or packet data units when logged as one of none raw format unformatted hex hexadecimal format hex ascii hexadecimal and ASCII similar to a main frame dump pdu verbosity pdu_level Specifies the level of verboseness to use in logging of packet data units as an integer from 1 through 5 where 5 is the most detailed Save the configuration as described in the Verifying and Saving Your Configuration chap...

Page 196: ...el trace display trace events and all events with a higher severity level debug display all events This keyword is only supported in conjunction with the active keyword Note critical info Specifies that events with a category attribute of critical information are to be displayed Examples of these types of events can be seen at bootup when system processes and tasks are being initiated This is the ...

Page 197: ...st useful Repeat to disable logging for additional event IDs or event ID ranges Save the configuration as described in the Verifying and Saving Your Configuration chapter Configuring syslog Servers Information generated by the run time event logging filters can be transmitted to a syslog server for permanent storage The data transmitted to the syslog server is meant to be used for informational pu...

Page 198: ...nstances Use the following example to configure active logging in Global Configuration mode local host_name config logging filter runtime facility facility level report_level Notes Configure the logging filter that determines which system facilities should be logged and at what levels For detailed information see Specifying Facilities on page 170 and Event Severities on page 195 Repeat for every f...

Page 199: ...ux IPCF BindMux Demux Manager logging facility bngmgr Broadband Network Gateway BNG Demux Manager logging facility bssap Base Station Sub system Application Part protocol facility for the login interface between the SGSN and the MSC VLR 2 5G and 3G bssgp Base Station Sub system GPRS Protocol logging facility handles exchange information between the SGSN and the BSS 2 5G only callhome Call Home app...

Page 200: ... Diameter Accounting diameter auth Diameter Authentication diameter dns Diameter DNS subsystem diameter ecs ACS Diameter signaling facility diameter engine Diameter version2 engine logging facility diameter hdd Diameter Horizontal Directional Drilling HDD Interface facility diameter svc Diameter Service diamproxy DiamProxy logging facility dpath IPSec Data Path logging facility drvctrl Driver Cont...

Page 201: ...GCDR facility gtpc GTP C protocol logging facility gtpcmgr GTP C protocol manager logging facility gtpp GTP prime protocol logging facility gtpu GTP U protocol logging facility gtpumgr GTP U Demux manager gx ty diameter Gx Ty Diameter messages facility gy diameter Gy Diameter messages facility h248prt H 248 port manager facility hamgr Home Agent manager logging facility hat High Availability Task ...

Page 202: ... IP Address Resolution Protocol facility ip interface IP interface facility ip route IP route facility ipms Intelligent Packet Monitoring System IPMS logging facility ipne IP Network Enabler IPNE facility ipsec IP Security logging facility ipsecdemux IPSec demux logging facility ipsg IP Service Gateway interface logging facility ipsgmgr IP Services Gateway facility ipsp IP Pool Sharing Protocol lo...

Page 203: ...ata Mobile IP data facility mobile ipv6 Mobile IPv6 logging facility mpls Multiprotocol Label Switching MPLS protocol logging facility mrme Multi Radio Mobility Entity MRME logging facility mseg app Mobile Services Edge Gateway MSEG application logging facility This option is not supported in this release mseg gtpc MSEG GTP C application logging facility This option is not supported in this releas...

Page 204: ... PAGINGMGR logging facility pccmgr Intelligent Policy Control Function IPCF Policy Charging and Control PCC Manager library pdg Packet Data Gateway PDG logging facility pdgdmgr PDG Demux Manager logging facility pdif Packet Data Interworking Function PDIF logging facility pgw Packet Data Network Gateway PGW logging facility pmm app Packet Mobility Management PMM application logging facility ppp Po...

Page 205: ...ging facility sctp Stream Control Transmission Protocol SCTP Protocol logging facility sef_ecs Severely Errored Frames SEF APIs printing facility sess gr SM GR facility sessctrl Session Controller logging facility sessmgr Session Manager logging facility sesstrc session trace logging facility sft Switch Fabric Task logging facility sgs SGs interface protocol logging facility sgsn app SGSN APP logg...

Page 206: ...SCF NNI logging facility sscop Service Specific Connection Oriented Protocol SSCOP logging facility ssh ipsec Secure Shell SSH IP Security logging facility ssl Secure Socket Layer SSL message logging facility stat Statistics logging facility supserv Supplementary Services logging facility H 323 system System logging facility tacacsplus TACACS Protocol logging facility tcap TCAP Protocol logging fa...

Page 207: ...bug purposes only Important Use the following example to configure trace logs in the Exec mode local host_name logging trace callid call_id ipaddr ip_address msid ms_id username username Once all of the necessary information has been gathered the trace log can be deleted by entering the following command local host_name no logging trace callid call_id ipaddr ip_address msid ms_id username username...

Page 208: ...re displayed when the verbose keyword is used Table 11 Logging Configuration and Statistics Commands Description Field General Logging Statistics Displays the total number of events generated by the system Total events received Displays the number of applications receiving the events Number of applications receiving events Logging Source Statistics Displays a list of system processes that have gen...

Page 209: ...ffer When the active log memory buffer is copied to the inactive log memory buffer existing information in the inactive log memory buffer is deleted Both active and inactive event log memory buffers can be viewed using the CLI in Exec mode However it is preferable to view the inactive log in order to prevent any data from being over written The information from the active log buffer can be copied ...

Page 210: ...s are automatically synchronized across redundant management cards SMC MIO UMIO Full core dumps are not synchronized across management cards Important The following behaviors apply to the crash logging process When a crash event arrives on an active management card the event record is stored in its crashlog2 file along with the minicore NPU or kernel dump file in flash crsh2 The crash event and du...

Page 211: ...cur to the specified location The name format is crash card cpu time core Where card is the card slot cpu is the number of the CPU on the card and time is the Portable Operating System Interface POSIX timestamp in hexadecimal notation Use the following example to configure a software crash log destination in the Global Configuration mode configure crash enable encrypted url crash_url end Notes Ref...

Page 212: ...number assigned by StarOS when logging the crash event SW Version StarOS build release in format RR n bbbbb Similar Crash Count number of similar crashes Time of first crash timestamp when first crash occurred in format YYYY MMM DD hh mm ss Failure message text of event message Function code identifier Process where the crash occurred Card CPU PID etc Crash time timestamp for when the crash occurr...

Page 213: ...ume timestamp Internal trap notification trap_id ThreshLSLogsVolume threshold upper_percent measured value actual_percent for facility facility_name instance instance_id ThreshClearLSLogsVolume timestamp Internal trap notification trap_id ThreshClearLSLogsVolume threshold upper_percent measured value actual_percent for facility facility_name instance instance_id If a trigger condition occurs withi...

Page 214: ...ties taking place This command may also be a part of periodic regular maintenance to manage log data Checkpointing logs moves the current log data to the inactive logs Only the most recently check pointed data is retained in the inactive logs A subsequent check pointing of the logs results in the prior check pointed inactive log data being cleared and replaced with the newly check pointed data Che...

Page 215: ... Access Control List ACL Facility acl log 90000 90999 Active Charging Service Controller ACSCtrl Facility acsctrl 91000 91999 Active Charging Service Manager ACSMgr Facility acsmgr 186000 186999 Ares Fabric Controller ASR 5500 only afctrl 187000 187999 Ares Fabric Manager ASR 5500 only afmgr 65000 65999 Alarm Controller Facility alarmctrl 160900 161399 Access Link Control Application Part ALCAP Pr...

Page 216: ...y csp 77000 77499 Content Steering Service CSS Facility ESC css 77500 77599 Content Service Selection CSS RADIUS Signaling Facility css sig 92840 92849 Cx Diameter Message Facility cx diameter 62000 62999 Daughter Card Controller Facility dcardctrl 57000 57999 Daughter Card Manager Facility dcardmgr 110000 110999 Demux Manager Facility demuxmgr 126000 126999 Diameter Gmb DGMB Application Manager F...

Page 217: ...lity egtpu 178000 178999 Evolved Packet Data Gateway ePDG Facility epdg 2000 2999 Event Log Facility evlog 33000 33999 Foreign Agent FA Manager Facility famgr 96000 96999 Firewall Facility firewall 149000 149999 Femto Network Gateway FNG Facility fng 201900 202699 Gb Manager Facility gbrmgr 66000 66999 GGSN Charging Data Record G CDR Facility gcdr 88100 88299 GPRS Mobility Management GMM Facility ...

Page 218: ...000 113999 Internet Group Management Protocol IGMP Facility igmp 122000 122999 IKEv2 Facility ikev2 98100 98999 IMS Authorization Service Library Facility ims authorizatn 124000 124999 IMS SH Library Facility ims sh 114000 114999 International Mobile Subscriber Identity IMSI Manager Facility imsimgr 144000 145999 IMS User Equipment IMSUE Facility imsue 19000 19999 IP Address Resolution Protocol AR...

Page 219: ... 87100 87299 Mobile Application Part MAP Protocol Facility SS7 map 121000 121199 MegaDiameter Manager Facility megadiammgr 147000 147999 Mobility Management Entity MME Application Facility mme app 212000 212499 MME evolved Multimedia Broadcast Multicast Service eMBMS Facility mme embms 155800 156199 MME Miscellaneous Facility mme misc 154000 154999 MME Demux Manager Facility mmedemux 137000 137499...

Page 220: ...GR Driver Facility npumgr drv 167000 167999 NPUMGR Flow Facility npumgr flow 168000 168999 NPUMGR Forwarding Facility npumgr fwd 164000 164999 NPUMGR Initialization Facility npumgr init 180000 180999 NPUMGR LC Facility npumgr lc 166000 166999 NPUMGR Port Facility npumgr port 165000 165999 NPUMGR Recovery Facility npumgr recovery 181000 181999 NPUMGR VPN Facility npumgr vpn 176000 176999 NPUSIM Fac...

Page 221: ...ANAP Facility ranap 13000 13999 Recovery Control Task RCT Facility rct 67000 67999 Redirector Task RDT Facility rdt 14000 14999 Resource Manager RM Facility resmgr 92860 92869 Rf Diameter Messages Facility rf diameter 35000 35999 Routing Information Protocol RIP Facility rip 103000 103999 Robust Header Compression ROHC Protocol Facility rohc 93000 93999 RSVP Protocol Facility rsvp 152000 152009 RA...

Page 222: ...cility sgw 92850 92859 Sh Diameter Messages Facility sh diameter 95000 95999 SIPCDPRT Facility sipcdprt 4000 4999 System Initiation Task SIT Main Facility sitmain 88300 88499 Short Message Service SMS Facility sm app 116800 116899 SMS Service Facility sms 115800 115899 Sub Network Dependent Convergence Protocol SNDCP Facility sndcp 22000 22999 Simple Network Management Protocol SNMP Facility snmp ...

Page 223: ...y vmgctxmgr 5000 5999 Virtual Private Network VPN Facility vpn 104900 104999 WiMAX DATA Facility wimax data 104000 104899 WiMAX R6 Protocol Signaling Facility wimax r6 Event Severities The system provides the flexibility to configure the level of information that is displayed when logging is enabled The following levels are supported critical Logs only those events indicating a serious error has o...

Page 224: ... dev pts 2 The following table describes the elements of contained in the sample output Table 13 Event Element Descriptions Description Element Date Timestamp indicating when the event was generated 2011 Dec 11 5 18 41 993 Information about the event including The facility the event belongs to The event ID The event s severity level In this example the event belongs to the CLI facility has an ID o...

Page 225: ... Data Collector page 228 Detecting Faulty Hardware When power is applied to the chassis power is sequentially applied to management cards application cards and line cards Each PFU application and line card installed in the system incorporates light emitting diodes LEDs that indicate its operating status This section describes how to use these status LEDs to verify that all of the installed compone...

Page 226: ...Slot 24 Run Fail Green Active Green Standby Off Slot 25 Run Fail Green Active Off Standby Green Slot 30 Run Fail Green Active Green Standby Off Slot 33 Run Fail Green Active Off Standby Off Slot 40 Run Fail Green Active Green Standby Off The status of the two Power Filter Units PFUs can be viewed by entering the show power chassis command in the Exec mode Checking the LED on the PFU Each PFU has a...

Page 227: ...y If a power distribution panel PDP is installed between the power distribution frame PDF and the chassis verify that the circuit breakers are set to ON If a PDP is installed between the PDF and the chassis check the cables from the PDP to the chassis for continuity If all of the above suggestions have been verified then it is likely that the PFU is not functional Please contact your service repre...

Page 228: ...cates the overall status of the card This LED should be green for normal operation The possible states for this LED are described in the following table If the LED is not green use the troubleshooting information in the table to diagnose the problem ASR 5000 System Administration Guide StarOS Release 21 1 200 Troubleshooting Checking the LEDs on the SMC ...

Page 229: ...tage and current to the chassis Verify that the card is properly installed per the instructions in the ASR 5000 Installation Guide If all of the above suggestions have been verified it is possible that the SMC is not functional Please contact your service representative SMC Active LED States The Active LED on the SMC indicates that the software is loaded on the card and it is ready for operation F...

Page 230: ...eration For the SMC installed in slot 8 this LED should be off for normal operation The possible states for this LED are described in the following table If the LED is not green use the troubleshooting information in the table to diagnose the problem Table 17 SMC Standby LED States Troubleshooting Description Color None needed for the SMC in slot 9 If green for the SMC in slot 8 then verify it is ...

Page 231: ...f so the card is receiving power and POST test results are positive If it is off the card is not receiving power Card is not receiving power None SMC Service LED States The Service LEDs on the SMCs indicate that the system requires maintenance or service for example the system could not locate a a valid software image at boot up or a high temperature condition exists This LED is off during normal ...

Page 232: ... NOTE You should wait until this LED is off before removing the SMC from the chassis This practice ensures the integrity of all data being transferred to or from the memory device Data is being read from written to one of the memory devices Green Blinking Green No maintenance needed The memory devices are not in use None Checking the LEDs on the Packet Processing Cards The ASR 5000 supports a vari...

Page 233: ... Run Fail LED indicates the overall status of the card This LED should be green for normal operation The possible states for this LED are described in the following table If the LED is not green use the troubleshooting information in the table to diagnose the problem ASR 5000 System Administration Guide StarOS Release 21 1 205 Troubleshooting Checking the LEDs on the Packet Processing Cards ...

Page 234: ...f all of the above suggestions have been verified it is possible that the packet processing card is not functional Please contact your service representative Packet Processing Card Active LED States The Active LED on a packet processing card indicates that the software is loaded on the card and that the card is ready for operation When the system first boots up all installed packet processing card...

Page 235: ...ocessing cards should be redundant remain in standby mode and which should be active The possible states for this LED are described in the following table If the LED is not green use the troubleshooting information in the table to diagnose the problem Table 23 Packet Processing Card Standby LED States Troubleshooting Description Color The first time power is applied to the system all of the packet...

Page 236: ...possible states for all of the SPIO LEDs are described in the sections that follow SPIO Run Fail LED States The SPIO Run Fail LED indicates the overall status of the card This LED should be green for normal operation The possible states for this LED are described in the following table If the LED is not green use the troubleshooting information in the table to diagnose the problem ASR 5000 System ...

Page 237: ...at the software is loaded on the card and that the card is ready for operation For the SPIO installed in chassis slot 24 this LED should be green for normal operation For the SPIO installed in slot 25 this LED should be off for normal operation The possible states for this LED are described in the following table If the LED is not green use the troubleshooting information in the table to diagnose ...

Page 238: ...formation on associated status and alarm conditions Verify that the Run Fail LED is green If so the card is receiving power and POST test results are positive If it is off the card is not receiving power Card is not receiving power OR Card is in Active Mode None Check the state of the Active LED If it is green the card is in active mode This is normal for the SPIO in slot 24 since the chassis auto...

Page 239: ...on the link Prior to configuration this is normal operation No traffic is present on the link None Checking the LEDs on Ethernet Line Cards The ASR 5000 can be equipped with a variety of Ethernet line cards that support subscriber traffic For detailed information about the types of line cards and their applications refer to the ASR 5000 Installation Guide The following line cards are currently sup...

Page 240: ...tallation Guide If all of the above suggestions have been verified it is possible that the line card is not functional Please contact your service representative Ethernet Line Card Active LED States The Active LEDs on the Ethernet line cards indicate that the operating software is loaded on the card and that the card is ready for operation QGLCs and XGLCs only work in an ASR 5000 behind specific t...

Page 241: ...ctive Ethernet Line Card Standby LED States The Standby LEDs on the Ethernet line cards indicate that software is loaded on the cards but are serving as redundant components The line cards will remain in a ready mode until their corresponding packet processing card is made active via configuration While in ready mode the Active LED should be off After the packet processing card is made active the ...

Page 242: ... problem Table 32 Ethernet Line Card Interface Link LED States Troubleshooting Description Color None needed NOTE This LED will not indicate the presence of a network link until the interface parameters are set during the software configuration process Link is up Green Verify that the Run Fail LED is green If so the card is receiving power If it is off the card is not receiving power No power is a...

Page 243: ...n the link None Checking the LEDs on the RCC Each RCC is equipped with status LEDs as listed below Run Fail Active Standby Figure 16 RCC LED Locations The possible states for all of the RCC LEDs are described in the sections that follow RCC Run Fail LED States The Run Fail LED indicates the overall status of the card This LED should be green for normal operation ASR 5000 System Administration Guid...

Page 244: ...presentative RCC Active LED States The Active LED on the RCC indicates that the card is being used For normal operation this LED should be off on both RCCs The possible states for this LED are described in the following table If the LED is not green use the troubleshooting information in the table to diagnose the problem Table 35 RCC Active LED States Troubleshooting Description Color The RCC is a...

Page 245: ...oring the System Testing System Alarm Outputs The system provides the following two physical alarm mechanisms System Audible Alarm Located on the SPC SMC the speaker is used to provide an audible indicator that a minor major or critical alarm has occurred CO Alarms Interface Located on the SPIO this interface provides a 10 pin connector that enables three dry contact relays Form C for the triggeri...

Page 246: ..._name card switch from 24 or 25 to 25 or 24 You will receive the following prompt Are You Sure Yes No Step 2 Press Y to start the switchover Step 3 Verify that the switchover was successful by entering the following command local host_name show card table Check the entry in the Oper State column next to the SMC just switched Its state should be Standby Manually Initiating a Packet Processing Card ...

Page 247: ...assis slot will automatically be placed in standby mode In the event that the active card experiences a failure the system will automatically switch traffic to the standby card in the lower slot The XGLC is a full height card that supports 1 1 side by side redundancy Side by side horizontal redundancy allows two XGLC cards installed in neighboring slots to act as a redundant pair Side by side pair...

Page 248: ...dundant component prior to entering the offline mode This section describes how to initiate a card halt and restore halted components Initiate a Card Halt Follow the instructions below to manually initiate a card halt These instructions assume you are at the root prompt for the Exec mode Step 1 Initiate a manual card migration by entering the following command local host_name card halt slot slot i...

Page 249: ...l private networks VPNs that operate independently of other contexts Ports interfaces and routes configured in one context cannot be tested from another context without additional configuration To switch between contexts enter the following command at the root prompt for the Exec mode local host_name context context_name context_name is the name of the context to which you wish to switch The follo...

Page 250: ...and you have access to the device that you re attempting to ping ping the system from that device If there is still no response it is likely that the packets are getting discarded by a network device Use the traceroute or traceroute6 and show ip static route commands discussed in this chapter to further troubleshoot the issue Using the traceroute or traceroute6 Command The traceroute or traceroute...

Page 251: ... context IPv4 routing table indicates the Best or Used route Destination Nexthop Protocol Prec Cost Interface 0 0 0 0 0 10 0 4 1 static 0 0 SPIO1 10 0 4 0 24 0 0 0 0 kernel 0 0 SPIO1 10 0 4 0 32 0 0 0 0 kernel 0 0 SPIO1 10 0 4 3 32 0 0 0 0 kernel 0 0 SPIO1 10 0 4 255 32 0 0 0 0 kernel 0 0 SPIO1 Viewing the Address Resolution Protocol Table The system provides a mechanism for viewing Address Resolu...

Page 252: ...m provides a protocol monitoring utility This tool displays protocol information for a particular subscriber session or for every session being processed The monitor tool may cause session processing delays and or data loss Therefore it should be used only when troubleshooting Caution Using the Protocol Monitor The protocol monitor displays information for every session that is currently being pro...

Page 253: ...d with that option C D E etc To increase or decrease the verbosity use the plus or minus keys The current state ON enabled or OFF disabled is shown to the right of each option Step 7 Press the Enter key to refresh the screen and begin monitoring The monitor remains active until disabled To quit the protocol monitor and return to the prompt press q Using the Protocol Monitor for a Specific Subscrib...

Page 254: ...ortion of a sample of the monitor s output for a subscriber named user2 aaa The default protocols were monitored Incoming Call MSID 0000012345 Callid 002dc6c2 Username user2 aaa SessionType unknown Status Active Service Name xxx1 Src Context source Dest Context OUTBOUND 10 02 35 415 Eventid 25001 0 PPP Tx PDU 9 PAP 9 Auth Ack 1 Msg OUTBOUND 10 02 35 416 Eventid 25001 0 PPP Tx PDU 14 IPCP 14 Conf R...

Page 255: ... identifying where and when an event occurred along with its probably cause The show support details command includes information that is not otherwise accessible to users but that is helpful in the swift resolution of issues by TAC Platforms with large configuration files can take up to 30 minutes to complete an SSD Executing the show support details command consumes system resources and may redu...

Page 256: ...be collected When it is time to collect support data the scheduler executes the configured sequence of CLI commands and stores the results in a gunzipped gz file on the hard disk This file is called an SDR Support Data Record and represents a snapshot of the overall state of the system at that time Technical Assistance Center TAC personnel and local administrators can review the SDRs on line or by...

Page 257: ...ability depends on the platform type Important This chapter contains the following sections Overview page 229 Understanding ACLs page 230 Configuring ACLs on the System page 232 Applying IP ACLs page 234 Overview IP access lists commonly known as access control lists ACLs control the flow of packets into and out of the system They are configured on a per context basis and consist of rules ACL rule...

Page 258: ... empty ACL Important Each rule specifies the action to take when a packet matches the specifies criteria This section discusses the rule actions and criteria supported by the system Actions ACLs specify that one of the following actions can be taken on a packet that matches the specified criteria Permit The packet is accepted and processed Deny The packet is rejected Redirect The packet is forward...

Page 259: ...em when subscriber packets are being encapsulated such as Mobile IP and other tunneling encapsulation Within the system subscriber packet encapsulation is done in a distributed way and a 16 bit IP identification space is divided and distributed to each entity which does the encapsulation so that unique IP identification value can be assigned for IP headers during encapsulation Since this distribut...

Page 260: ... control list facility to subscribers Step 1 Create the access control list by following the example configuration in Creating ACLs on page 232 Step 2 Specify the rules and criteria for action in the ACL list by following the example configuration in Configuring Action and Criteria for Subscriber Traffic on page 233 Step 3 Optional The system provides an undefined ACL that acts as a default filter...

Page 261: ...ding on how the ACL is to be used For more information refer to the Engineering Rules chapter Use the information provided in the Actions and Criteria to configure the rules that comprise the ACL For more information refer to the ACL Configuration Mode Commands and IPv6 ACL Configuration Mode Commands chapters in the Command Line Interface Reference Configuring an Undefined ACL As discussed previo...

Page 262: ...iguring ACLs on the System on page 232 prior to beginning these procedures The procedures described below also assume that the subscribers have been previously configured Important As discussed earlier you can apply an ACL to any of the following Applying an ACL to an Individual Interface on page 236 Applying an ACL to All Traffic Within a Context on page 238 known as a policy ACL Applying an ACL ...

Page 263: ...icy ACL configured in the Destination Context is applied prior to forwarding 3 An outbound ACL configured on the interface in the Destination Context through which the packet is being forwarded is applied 4 Packet coming from the packet data network to the mobile node right to left Description Order An inbound ACL configured for the receiving interface configured in the Destination Context is appl...

Page 264: ...e This section provides information and instructions for applying one or more ACLs to an individual interface configured on the system This section provides the minimum instruction set for applying the ACL list to an interface on the system For more information on commands that configure additional parameters and options refer to the Ethernet Interface Configuration Mode Commands chapter in the Co...

Page 265: ...me service redundancy protocol exit interface interface_name ip address ip_address mask exit subscriber default exit aaa group default exit gtpp group default end Applying the ACL to a Context To apply the ACLs to a context use the following configuration configure context acl_ctxt_name noconfirm ip ipv6 access group acl_list_name in out preference end Notes The context name is the name of the ACL...

Page 266: ... context For more information on commands that configure additional parameters and options refer to the Context Configuration Mode Commands chapter in the Command Line Interface Reference Important To configure the system to provide access control list facility to subscribers Step 1 Apply the configured ACL as described in Applying the ACL to a Context on page 237 Step 2 Verify that ACL is applied...

Page 267: ...an individual subscriber whose profile is configured locally on the system This section provides the minimum instruction set for applying the ACL list to all traffic within a context For more information on commands that configure additional parameters and options refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference Important To configure the system t...

Page 268: ...Subscriber These instructions are used to verify the ACL configuration Verify that your ACL lists were applied properly by entering the following command in Exec Mode local host_name show configuration context context_name context_name is the name of the context containing the subscriber subs1 to which the ACL s was were applied The output of this command displays the configuration of the entire c...

Page 269: ...ess control list by following the example configuration in Applying an ACL to the Subscriber Named default on page 241 Step 2 Verify that ACL is applied properly on interface by following the steps in Verifying the ACL Configuration to the Subscriber Named default on page 242 Step 3 Save your configuration to flash memory an external memory device and or a network location using the Exec mode save...

Page 270: ...f the entire context Examine the output for the commands pertaining to interface configuration The commands display the ACL s applied using this procedure configure context context_name ip access list acl_name deny host ip_address deny ip any host ip_address exit ip access group access_group_name service redundancy protocol exit interface interface ip address ip_address mask exit subscriber name d...

Page 271: ...Subscriber To apply the ACL to a service specified Default subscriber use the following configuration configure context acl_ctxt_name noconfirm pdsn service fa service ha service service_name default subscriber svc_default_subs_name exit subscriber name svc_default_subs_name ip ipv6 access group acl_list_name in out end Notes The context name is the name of the ACL context containing the interface...

Page 272: ...The subscriber profile could be configured locally on the system or remotely on a RADIUS server The system provides for the configuration of subscriber functions that serve as default values when specific attributes are not contained in the individual subscriber s profile The following table describes these functions Table 38 Functions Used to Provide Default Subscriber Attributes Description Func...

Page 273: ...text dest_context_name noconfirm apn apn_name ip ipv6 access group acl_list_name in out end Notes The ACL to be applied must be in the destination context of the APN which can be different from the context where the APN is configured If neither the in nor the out keyword is specified the ACL will be applied to all inbound and outbound packets Up to eight ACLs can be applied to a group provided tha...

Page 274: ...er to the Verifying and Saving Your Configuration chapter Verifying the ACL Configuration to APNs To verify the ACL configuration Verify that your ACL lists were applied properly by entering the following command in Exec Mode show configuration context context_name context_name is the name of the context containing the APN apn1 having default subscriber to which the ACL s was were applied The outp...

Page 275: ...ongested or clear These thresholds function in a way similar to operation thresholds that are configured for the system as described in the Thresholding Configuration Guide The primary difference is that when congestion thresholds are reached a service congestion policy and an SNMP trap starCongestion are generated A threshold tolerance dictates the percentage under the configured threshold that m...

Page 276: ...icies as described in Enabling Congestion Control Redirect Overload Policy on page 250 Step 4 Configure disconnecting subscribers based on call or inactivity time as described in Disconnecting Subscribers Based on Call or Inactivity Time on page 250 Step 5 Save your configuration as described in the Verifying and Saving Your Configuration chapter Configuring the Congestion Control Threshold To con...

Page 277: ...For the GGSN the reply code is 199 no resources available For the SaMOG MME redirect is not available For the MME create action profiles for optional major and minor thresholds using the congestion action profile command under lte policy in the Global Configuration mode For the MME you can specify service as critical major or minor to set a policy and associate an action profile for the respective...

Page 278: ... the service overload policies were properly configured enter the following command in the Exec Mode local host_name show service_type name service_name This command lists the entire service configuration Verify that the information displayed for the Overload Policy is accurate Repeat this configuration example to configure additional services in other contexts Verify the Congestion Control Config...

Page 279: ... default overload disconnect threshold connect time dur_thresh end To disable the overload disconnect feature for this subscriber use the following configuration example configure context context_name subscriber subscriber_name no overload disconnect threshold inactivity time threshold connect time end ASR 5000 System Administration Guide StarOS Release 21 1 251 Congestion Control Enabling Congest...

Page 280: ...ASR 5000 System Administration Guide StarOS Release 21 1 252 Congestion Control Enabling Congestion Control Redirect Overload Policy ...

Page 281: ...ection describes how to configure the elements needed to define routing policies Routing policies modify and redirect routes to and from the system to satisfy specific network deployment requirements Use the following building blocks to configure routing policies Route Access Lists The basic building block of a routing policy Route access lists filter routes based on a range of IP addresses IP Pre...

Page 282: ...t config context context_name route access list extended identifier deny permit ip address ip_address route access list named list_name deny permit ip_address mask any exact match route access list standard identifier permit deny ip_address wildcard_mask any network_address Notes A maximum of 64 access lists are supported per context A maximum of 16 entries can defined for each route access list S...

Page 283: ...fig context isp1 route access list named RACLin1a permit 88 151 1 0 30 route access list named RACLin1a permit 88 151 1 4 30 route access list named RACLany permit any route map RMnet1 deny 100 match ip address route access list RACLin 1 a exit route map RMnet1 deny 200 match ip address route access list RACLin 1 b exit route map RMnet1 permit 1000 match ip address route access list RACLany exit r...

Page 284: ..._address ip_mask ip_addr_mask_combo next hop next_hop_address egress_name precedence precedence cost cost Notes You can configure a maximum of 1 200 static routes per context Save your configuration as described in the Verifying and Saving Your Configuration chapter Deleting Static Routes From a Context Use the following configuration example to remove static routes from a context s configuration ...

Page 285: ...nation in the AS Externally derived routing information appears on the tree as leaves The cost of a route is described by a single dimensionless metric OSPF allows sets of networks to be grouped together Such a grouping is called an area The topology of this area is hidden from the rest of the AS which enables a significant reduction in routing traffic Also routing within the area is determined on...

Page 286: ...nge the cost refer to the ip ospf cost command in the Ethernet Interface Configuration Mode Commands chapter of the Command Line Interface Reference Important Notes Save your configuration as described in the Verifying and Saving Your Configuration chapter Redistributing Routes Into OSPF Optional Redistributing routes into OSPF means any routes from another protocol that meet specified a specified...

Page 287: ...e same as OSPF version 2 OSPFv3 expands on OSPF version 2 to provide support for IPv6 routing prefixes and the larger size of IPv6 addresses OSPFv3 dynamically learns and advertises redistributes IPv6 routes within an OSPFv3 routing domain In OSPFv3 a routing process does not need to be explicitly created Enabling OSPFv3 on an interface will cause a routing process and its associated configuration...

Page 288: ...sing the OSPFv3 protocol to all OSPF areas This is an optional configuration config context context_name router ospf3 redistribute connected static end Notes Save your configuration as described in the Verifying and Saving Your Configuration chapter Confirming OSPFv3 Configuration Parameters To confirm the OSPF router configuration use the following command and look for the section labeled router ...

Page 289: ...outers This information builds a picture of AS connectivity from which routes are filtered and AS level policy decisions are enforced BGP 4 provides classless inter domain routing This includes support for advertising an IP prefix and eliminates the concept of network class within BGP BGP 4 also allows the aggregation of routes including the aggregation of AS paths On the ASR 5000 BGP routes with ...

Page 290: ...rence for details on these commands If a BGP task restarts because of a processing card failure a migration a crash or the removal of a processing card all peering session and route information is lost Important Configuring BGP This section describes how to configure and enable basic BGP routing support in the system config context context_name router bgp AS_number neighbor ip_address remote as AS...

Page 291: ...er internet local AS no advertise no export value AS community_number AS community_number AS community_number internet local AS no advertise no export value AS community_number AS community_number AS community_number You can permit or deny the following BGP community destinations internet Advertise this route to the internet community and any router that belongs to it local AS Use in confederation...

Page 292: ...ber match community named named_list standard identifier BGP Extended Communities Configuring a BGP Extended Community Route Target A BGP extended community defines a route target MPLS VPNs use a 64 bit Extended Community attribute called a Route Target RT An RT enables distribution of reachability information to the correct information table You configure a BGP extended community via a Context Co...

Page 293: ...cal preference in the route map because local preference is directly used in the route selection algorithm ICSR and SRP Groups BGP is employed with Interchassis Session Recovery ICSR configurations linked via Service Redundancy Protocol SRP By default an ICSR failover is triggered when all BGP peers within a context are down Optionally you can configure SRP peer groups within a context ICSR failov...

Page 294: ...also be separately set for each address family If configured this value over rides the peer s default advertisement interval for that address family only BGP will send route update message for each AFI SAFI based on the advertisement interval configured for that AFI SAFI If no AFI SAFI advertisement interval is configured the peer based default advertisement interval is used In ICSR configurations...

Page 295: ...or this configuration description text Defines the administrative distance for routes The administrative distance is the default priority for a specific route or type route distance admin distance prefix prefix_addr route access list list_name bgp external ebgp_dist internal ibgp_dist local local_dist Enforces the first AS for Exterior Border Gateway Protocol eBGP routes enforce first as Adds a pr...

Page 296: ...d_time update source ip_address weight value Specifies a network to announce via BGP network ip_address mask route map map_name Redistributes routes via BGP from another protocol to BGP neighbors redistribute connected ospf rip static route map map_name Overrides the configured router identifier and causes BGP peers to reset router id ip_address Configures the BGP background scanner interval in se...

Page 297: ...bally enabled via the bfd protocol command and or individually enabled disabled per interface This function is used to test the forwarding path on the remote system The system supports BFD in asynchronous mode with optional Echo capability via static or BGP routing On an ASR 5000 one of the packet processing cards must be configured as a demux card in order for BFD to function See the Configuring ...

Page 298: ... exit Configure BFD static route ip route static bfd if_name ipv4_gw_address Add static routes ip route ipv4_address ipv4_mask ip route ipv4_address ipv4_mask Configuring IPv6 BFD for Static Routes Enable BFD on an Interface config context bfd_context_name interface if_name ipv6 address ipv6_address ipv6_mask bfd interval interval_value min_rx rx_value multiplier multiplier_value bfd echo exit Con...

Page 299: ...Associating OSPF Neighbors with the Context on page 272 On the ASR 5000 routes with IPv6 prefix lengths less than 12 and between the range of 64 and 128 are not supported Important Configuring Multihop BFD Enable BFD on an interface config context bfd_context_name interface if_name ip address ipv4_address ipv4_mask ipv6 address ipv6_address ipv6_mask bfd interval interval_value min_rx rx_value mul...

Page 300: ...context_name router bgp AS_number neighbor neighbor_ip address remote as rem_AS_number neighbor neighbor_ip address ebgp multihop max hop max_hops neighbor neighbor_ip address update source update src_ip address neighbor neighbor_ip address failover bfd multihop Notes Repeat the sequence to add neighbors Associating OSPF Neighbors with the Context config context context_name router ospf neighbor n...

Page 301: ...using IPv4 dotted decimal or IPv6 colon separated hexadecimal notation chassis to chassis enables BFD to run between primary and backup chassis on non SRP links chassis to router enables BFD to run between chassis and router Saving the Configuration Save your configuration as described in the Verifying and Saving Your Configuration chapter Chassis to Chassis BFD Monitoring for ICSR An operator can...

Page 302: ...terval end Configure ICSR Switchover Guard Timer The SRP Configuration mode guard timer command configures the redundancy guard period and monitor damping period for SRP service monitoring Use these guard timers to ensure that local failures such as card reboots and task restarts do not result in ICSR events which can be disruptive configure context context_name service redundancy protocol variabl...

Page 303: ... session if BFD signals a failure configure context context_name ip route ip_address ip_mask ip_address ip_mask gateway_ip_address next hop next_hop_ip_address point to point tunnel egress_intrfc_name cost cost fall over bfd multihop mhsess_name precedence precedence vrf vrf_name cost value fall over bfd multihop mhsess_name precedence precedence end The ip route command now also allows you to add...

Page 304: ...configure context context_name interface interface_name broadcast bfd interval interval_num min_rx milliseconds multiplier value end Notes milliseconds is an integer from 50 through 10000 Default 50 Enable Advertising BGP Routes from Standby ICSR Chassis For information on configuring the feature see Advertising BGP Routes from a Standby ICSR Chassis on page 265 Saving the Configuration Save your ...

Page 305: ...lot which must also specify a slot in its member link configuration Likewise if you configure a linkagg peer without a slot you must delete it before configuring a peer with a slot specified Only one IPv4 or IPv6 BFD session based configuration is allowed per linkagg interface for compliance with RFC 7130 Important Configuring Support for BFD Linkagg Member links The bfd linkagg peer command enabl...

Page 306: ...s option specifies the card for which this configuration is intended Saving the Configuration Save your configuration as described in the Verifying and Saving Your Configuration chapter Viewing Routing Information To view routing information for the current context run one of the following Exec mode commands show ip route Displays information for IPv4 routes in the current context show ipv6 route ...

Page 307: ... 208 230 231 0 24 0 0 0 0 connected 0 0 local1 Total route count 5 ASR 5000 System Administration Guide StarOS Release 21 1 279 Routing Viewing Routing Information ...

Page 308: ...ASR 5000 System Administration Guide StarOS Release 21 1 280 Routing Viewing Routing Information ...

Page 309: ...Management Operations Important Overview page 281 Creating VLAN Tags page 283 Verifying the Port Configuration page 283 Configuring Subscriber VLAN Associations page 284 VLAN Related CLI Commands page 285 Overview Virtual LANs VLANs provide greater flexibility in the configuration and use of contexts and services They are configured as tags on a per port basis and allow more complex configurations...

Page 310: ...ivate IP address space not to be concerned about escalating hardware costs or complex configurations RADIUS VLAN Support Enhanced Charging Services VPN customers often use private address space which can easily overlap with other customers The subscriber addresses are supported with overlapping pools which can be configured in the same virtual routing context RADIUS Server and NAS IP addresses do ...

Page 311: ...iguration Run the following command to verify the port configuration local host_name show port info slot port An example of this command s output when at least one VLAN has been configured for the port is shown below Port 17 1 Port Type 1000 Ethernet Role Service Port Description None Set Controlled By Card 1 Packet Services Card Redundancy Mode Port Mode Framing Mode Unspecified Redundant With 33...

Page 312: ...ributes can be configured within subscriber profiles on the RADIUS server to allow the association of a specific VLAN to the subscriber SN Assigned VLAN ID In the Starent VSA dictionary SN1 Assigned VLAN ID In the Starent VSA1 dictionary Since the instructions for configuring subscriber profiles differ between RADIUS server applications this section only describes the individual attributes that ca...

Page 313: ...p gateway mode Note To access the vlan keyword aaa large configuration must be enabled via the Global Configuration mode radius attribute nas ip address address ip_address nexthop forwarding address ip_address vlan vlan_id AAA Server Group Configuration Mode Configures the VLAN identifier to be associated with the subscriber traffic in the destination context ip vlan vlan_id ACS Charging Action Co...

Page 314: ...used with the assigned address for the subscriber session to receive packets If the IP pool from which the address is assigned is configured with a VLAN ID this subscriber configured VLAN ID overrides it ip vlan vlan_id Subscriber Configuration Mode Binds a virtual interface and context to support VLAN service bind interface interface_name context_name VLAN Configuration Mode Enables or disables p...

Page 315: ...tion interval show logical port utilization table vlan 5 minute hourly Exec Mode Displays NPU counters for a previously configured VLAN ID show port info slot port vlan vlan_id Exec Mode ASR 5000 System Administration Guide StarOS Release 21 1 287 VLANs VLAN Related CLI Commands ...

Page 316: ...ASR 5000 System Administration Guide StarOS Release 21 1 288 VLANs VLAN Related CLI Commands ...

Page 317: ...E page 291 IPv6 Support for BGP MPLS VPNs page 293 VPN Related CLI Commands page 296 Introduction Service providers require the ability to support a large number of corporate Access Point Names APNs which have a number of different addressing models and requirements The ASR 5x00 uses BGP MPLS Layer 3 VPNs to segregate corporate customer APNs in a highly scalable manner This solution conforms to RF...

Page 318: ...red with VRFs and exchanges VPN routes with other PEs in its AS via MP iBGP Multi Protocol internal BGP connections and the MPLS CE via an MP eBGP connection The EBGP connection allows the PE to change next hop IP addresses and labels in the routes learned from IBGP peers before advertising them to the MPLS CE The MPLS CE in this case uses only MP eBGP to advertise and learn routes Label Distribut...

Page 319: ...n protocols The ASR 5x00 can be configured to add two labels an outer label learned from LDP or RSVP TE RSVP Traffic Engineering an inner label learned from MP iBGP This solution supports traffic engineering and QoS initiated via the ASR 5x00 Sample Configuration In this example VRFs are configured on the ASR 5x00 PE and pools are associated with VRFs The ASR 5x00 exchanges VPN routes with its IBG...

Page 320: ...vrf2 route target export 300 2 route target import 300 2 route distinguisher 300 2 exit router id 2 2 2 2 neighbor 192 168 107 20 remote as 300 neighbor 192 168 107 20 update source node1_loopback address family vpnv4 neighbor 192 168 107 20 activate neighbor 192 168 107 20 send community both neighbor 192 168 107 20 next hop self exit address family ipv4 vrf vrf1 redistribute connected exit addre...

Page 321: ...dresses The system appends RD to IPv6 routes and exchanges the labeled IPv6 RD using the VPNv6 address family The Address Family Identifier AFI and Subsequent Address Family Identifier SAFI fields for VPNv6 routes will be set to 2 and 128 respectively The IPv6 VPN traffic will be transported to the BGP speaker via IPv4 tunneling The BGP speaker advertises to its peer a Next Hop Network Address fie...

Page 322: ... 2005 0101 32 private 0 vrf vrf2 exit ipv6 pool vrf3 v6pool prefix 2005 0101 32 private 0 vrf vrf3 exit Configure interfaces interface ce_interface_to_rtr ip address 192 168 110 90 255 255 255 0 exit interface ce_v6_interface ip address 2009 0101 0101 0101 1 96 exit interface ce_loopback loopback ip address 52 1 2 3 255 255 255 255 exit interface vrf1 loop loopback ip vrf forwarding vrf1 ip addres...

Page 323: ...xport 800 2 route target import 800 2 exit address family ipv4 vrf vrf2 redistribute connected redistribute static exit address family ipv6 vrf vrf2 redistribute connected redistribute static exit ip vrf vrf3 route distinguisher 800 3 route target export 800 3 route target import 800 3 exit address family ipv6 vrf vrf3 redistribute connected redistribute static exit Configure APNs apn walmart51 co...

Page 324: ... IPv6 Configuration Mode Sends the community attributes to a peer router neighbor neighbor ip_address send community both extended standard BGP Address Family IPv4 IPv6 Configuration Mode Redistributes routes into BGP from another protocol as BGP neighbors redistribute connected BGP Address Family IPv4 IPv6 Configuration Mode Enables the exchange of routing information with a peer router neighbor ...

Page 325: ...ration of BGP attributes for the VRF ip vrf vrf_name BGP Configuration Mode Assigns a Route Distinguisher RD for the VRF The RD value must be a unique value on the router for each VRF route distinguisher as_value ip_address rd_value BGP IP VRF Configuration Mode Adds a list of import and export route target extended communities to the VRF route target both import export as_value ip_address rt_valu...

Page 326: ...uration Mode Globally enables the MPLS forwarding of IPv4 packets along normally routed paths mpls ip Context Configuration Mode Configures COA traffic to use the specified MPLS labels inlabel identifies inbound COA traffic outlabel1 and outlabel2 specify the MPLS labels to be added to the COA response outlabel1 is the inner output label outlabel2 is the outer output label radius change authorize ...

Page 327: ...protocol and enters the MPLS LDP Configuration Mode in the current context This command configures the protocol parameters for the MPLS protocol family protocol ldp MPLS IP Configuration Mode Configure advertisement of Implicit NULL or Explicit NULL label for all the prefixes advertised by the system in this context advertise labels explicit null implicit null MPLS LDP Configuration Mode Configure...

Page 328: ...onnect information MPLS tunnel cross connects between interfaces and Label Switched Paths LSPs connect two distant interface circuits of the same type via MPLS tunnels that use LSPs as the conduit show mpls cross connect Exec Mode show Commands Displays MPLS FEC to NHLFE FTN table information show mpls ftn vrf vrf_name Exec Mode show Commands Displays contents of the MPLS FTN table for a specified...

Page 329: ...page 301 Configuring Internal Content Service Steering page 302 Overview Content Server Selection CSS is a StarOS function that defines how traffic will be handled based on the content of the data presented by a mobile subscriber or to a mobile subscriber CSS is a broad term that includes features such as load balancing NAT HTTP redirection and DNS redirection The content server services can be ei...

Page 330: ...commands and or keyword options are presented In many cases other optional commands and or keyword options are available Refer to the Command Line Interface Reference for complete information regarding all commands Not all commands or keywords variables may be supported or available Availability varies on the platform type and installed license s Defining IP Access Lists for Internal CSS IP ACLs s...

Page 331: ...figure the service to use that subscriber as the default profile Applying an ACL to the Subscriber Named default Optional For information on how to apply an ACL to the default subscriber refer to the Applying an ACL to the Subscriber Named default section in the Access Control Lists chapter Applying an ACL to Service specified Default Subscribers Optional For information on how to apply an ACL to ...

Page 332: ...ASR 5000 System Administration Guide StarOS Release 21 1 304 Content Service Steering Applying an ACL to Multiple Subscribers via APNs Optional ...

Page 333: ...d reboot requires that you have access to the system via a console port and have an uncorrupted copy of the StarOS boot image file stored in flash memory on the management card or accessible from an external memory device Console Access The boot recovery sequence can only be executed via a terminal connected to the serial console port on the active management card This connection can be through a ...

Page 334: ...ccess the boot CLI you must interrupt an in progress reload reboot sequence This system recovery process interrupts subscriber service by dropping any existing flows and preventing traffic from being processed during the boot interval It should only be initiated as an emergency measure Caution Initiate a Reboot A reload can be initiated in one of two ways Power cycle the chassis Turn the circuit b...

Page 335: ...rnal file on a memory device attached to the management card The URL must be entered in the following format flash pcmcia1 usb1 filename Booting from a Selected Image You will issue a boot command via the boot CLI to initiate the system recovery process Boot Using No Configuration FIle This procedure boots the system using the specified boot image without also loading a configuration file A sample...

Page 336: ...onfiguration File This procedure boots the system using the specified boot image and configuration file A sample command string appears below 8 0 cli boot config flash system cfg flash image_filename bin The boot sequence ends with the appearance of the CLI prompt local host_name Confirm that the desired configuration has loaded by running the Exec mode show configuration command ASR 5000 System A...

Page 337: ...re Requirements page 312 Configuring the System to Support Session Recovery page 312 Recovery Control Task Statistics page 316 How Session Recovery Works This section provides an overview of how this feature is implemented and the recovery process The Session Recovery feature provides seamless failover and reconstruction of subscriber session information in the event of a hardware or software faul...

Page 338: ...cket processing card perform session recovery Session Call state information is saved in the peer AAA manager task because each AAA manager and session manager task is paired together These pairs are started on physically different packet processing cards to ensure task recovery There are some situations wherein session recovery may not operate properly These include Additional software or hardwar...

Page 339: ...connections GGSN session using more than 1 service instance MIP L2TP with IPSec integration MIP session with multiple concurrent bindings Mobile IP sessions with L2TP Multiple MIP sessions Always refer to the Administration Guides for individual products for other possible session recovery and Interchassis Session Recovery ICSR support limitations Important When session recovery occurs the system ...

Page 340: ...fully configured chassis would experience a smaller decrease in subscriber capacity versus a minimally configured chassis The amount by which control transaction processing capacity is reduced The reduction in subscriber data throughput The recovery time for a failed software task The recovery time for a failed packet processing card A packet processing card migration may temporarily impact sessio...

Page 341: ... your configuration as described in Verifying and Saving Your Configuration The system when started enables session recovery creates all mirrored standby mode tasks and performs packet processing card reservations and other operations automatically Step 4 After the system has been configured and placed in service you should verify the preparedness of the system to support this feature as described...

Page 342: ... configuration file manually Exercise caution when doing this to ensure that this command is placed among the first few lines of any existing configuration file it must appear before the creation of any non local context Disabling the Session Recovery Feature To disable the session recovery feature on a system enter the no require session recovery command from the Global Configuration mode prompt ...

Page 343: ... Attempts Success Last Attempt Last Success Full 69 68 29800ms 29800ms Micro 206 206 20100ms 20100ms Current state SMGR_STATE_CONNECTED FSM Event trace State Event SMGR_STATE_OPEN SMGR_EVT_NEWCALL SMGR_STATE_NEWCALL_ARRIVED SMGR_EVT_ANSWER_CALL SMGR_STATE_NEWCALL_ANSWERED SMGR_EVT_LINE_CONNECTED SMGR_STATE_LINE_CONNECTED SMGR_EVT_LINK_CONTROL_UP SMGR_STATE_LINE_CONNECTED SMGR_EVT_AUTH_REQ SMGR_STA...

Page 344: ...l no buffers 0 Total flush no buffers 0 Total flush queue full 0 Total flush out of range 0 Total flush svc change 0 Total out of seq pkt drop 0 Total out of seq arrived 0 IPv4 Reassembly Statistics Success 0 In Progress 0 Failure timeout 0 Failure no buffers 0 Failure other reasons 0 Redirected Session Entries Allowed 2000 Current 0 Added Deleted 0 Revoked for use by different subscriber 0 Recove...

Page 345: ...for show rct stats verbose local host_name show rct stats verbose RCT stats Details Last 5 Actions Stats 1 Action Shutdown From 4 To 5 Start Time 2013 Aug 30 03 02 00 132 Duration 002 804 sec Is Card Usable Yes Failure Reason CPU_CRITICAL_TASK_FAILURE Failure Device CPU_0 Recovery Status Success Facility N A Instance N A RCT stats Details Last 5 Actions Stats 2 Action Shutdown From 12 To 13 Start ...

Page 346: ...IGRATE Facility vpnmgr Instance 13 Stats 5 Action Migration From 6 To 7 Start Time 2013 Aug 30 04 18 30 106 Duration 004 134 sec Is Card Usable Yes Failure Reason N A Failure Device N A Recovery Status TASK_MIGRATION_FAIL_RENAME Facility sessmgr Instance 63 RCT stats Summary Migrations 3 Average time 4 260 sec Switchovers 0 ASR 5000 System Administration Guide StarOS Release 21 1 318 Session Recov...

Page 347: ...ry ICSR page 329 Troubleshooting ICSR Operation page 343 Updating the Operating System page 344 Overview The ICSR feature provides the highest possible availability for continuous call processing without interrupting subscriber services ICSR allows the operator to configure geographically distant gateways for redundancy purposes In the event of a node or gateway failure ICSR allows sessions to be ...

Page 348: ...ess Concentrator LAC functionality for ICSR is supported by the following protocol and services eGTP enhanced GPRS Tunneling Protocol GGSN Gateway GPRS Support Node P GW Packet Data Network Gateway SAEGW System Architecture Evolution Gateway L2TP Access Concentrator LAC functionality for ICSR is not supported by the following services HA Home Agent PMIP Proxy Mobile IP L2TP Network Server LNS func...

Page 349: ...the checkpoint duration checkpoint data is collected on the session SRP CLI Commands Exec Mode CLI Commands Exec mode srp CLI configuration commands can be used to enable disable and initiate SRP functions The table below lists and briefly describes these commands For complete information see the Exec Mode Commands D S chapter of the Command Line Interface Reference Table 44 srp CLI Commands Descr...

Page 350: ...ate the switchover despite the mismatch es The output of the show checkpoint statistics verbose command will not indicate Ready for a session manager instance smgr inst in the peer conn column for any instance that is not connected to the peer chassis Important show Commands Exec mode show srp commands display a variety of information related to SRP functions The table below lists and briefly desc...

Page 351: ...al value of the route modifier value is determined by the chassis configured role and is initialized to a value that is higher than a normal operational value This ensures that in the event of an SRP link failure and an SRP task failure the correct chassis is still preferred in the routing domain For ICSR you must configure busyout ip pool commands in the same order on Active and Standby chassis t...

Page 352: ... context Destination to configure monitoring and routing to the PDN AAA RADIUS server Border Gateway Protocol BGP ICSR uses the route modifier to determine the chassis priority ICSR is a licensed Cisco feature Verify that each chassis has the appropriate license before using these procedures To do this log in to both chassis and execute a show license information command Look for Inter Chassis Ses...

Page 353: ... shows an ICSR network Figure 24 ASR 5000 ICSR Network ICSR Operation This section shows operational flows for ICSR ASR 5000 System Administration Guide StarOS Release 21 1 325 Interchassis Session Recovery ICSR Operation ...

Page 354: ...ing figure shows an ICSR process flow due to a primary failure Figure 25 ICSR Process Flow Primary Failure ASR 5000 System Administration Guide StarOS Release 21 1 326 Interchassis Session Recovery ICSR Operation ...

Page 355: ...g figure shows an ICSR process flow due to a manual switchover Figure 26 ICSR Process Flow Manual Switchover ASR 5000 System Administration Guide StarOS Release 21 1 327 Interchassis Session Recovery ICSR Operation ...

Page 356: ...ey both send Hello messages at each hello interval Subscriber sessions that exceed the checkpoint session duration are included in checkpoint messages that are sent to the standby chassis The checkpoint message contains subscriber session information so if the active chassis goes out of service the backup chassis becomes active and is able to continue processing the subscriber sessions Additional ...

Page 357: ...hassis Session Recovery ICSR The ICSR configuration must be the same on the primary and backup chassis If each chassis has a different Service Redundancy Protocol SRP configuration the session recovery feature does not function and sessions cannot be recovered when the active chassis goes out of service Important This section describes how to configure basic ICSR on each chassis For information on...

Page 358: ...col SRP Context To configure the system to work with ICSR Step 1 Create the chassis redundancy context and bind it to the IP address of the primary chassis by applying the example configuration in Creating and Binding the SRP Context on page 330 Step 2 Configure the chassis redundancy context with priority chassis mode hello interval dead interval and peer IP address by applying the example config...

Page 359: ...uration changes on the primary chassis first Important Basic Parameters This configuration assigns a chassis mode and priority and also configures the redundancy link between the primary and backup chassis configure context srp_ctxt_name service redundancy protocol chassis mode primary backup priority priority peer ip address ip_address hello interval dur_sec dead interval dead_dur_sec end Notes I...

Page 360: ... seconds guard period seconds diameter switchover timers damping period seconds guard period seconds srp redundancy timers aaa damping period seconds guard period seconds bgp damping period seconds guard period seconds diam damping period seconds guard period seconds end Notes aaa switchover timers sets timers that prevent back to back ICSR switchovers due to an AAA failure post ICSR switchover wh...

Page 361: ...ng Class 3 low drop PHB af32 Assured Forwarding Class 3 medium drop PHB af33 Assured Forwarding Class 3 high drop PHB af41 Assured Forwarding Class 4 low drop PHB af42 Assured Forwarding Class 4 medium drop PHB af43 Assured Forwarding Class 4 high drop PHB be Best effort Per Hop Behaviour default cs1 Class selector 1 PHB cs2 Class selector 2 PHB cs3 Class selector 3 PHB cs4 Class selector 4 PHB cs...

Page 362: ... the newly active gateway when accounting is not deemed critical This functionality extends to all other traffic including data sessions and default bearer traffic for IMS e911 The following ICSR functionality is provided for all non VoLTE data traffic When a switchover occurs the newly active gateway forwards all traffic the moment the gateway becomes active External communication with billing se...

Page 363: ...ring switchover transition This command overwrites the switchover allow volte data traffic command if enabled on a P GW configure context context_name service redundancy protocol switchover allow all data traffic The switchover allow all data traffic command must be run on both chassis to enable this feature Important The switchover allow volte data traffic SRP Configuration mode CLI command allow...

Page 364: ...uring a planned switchover The outage window is the amount time between initiating an ICSR switchover and when the newly active chassis starts processing data You must enable one of the commands identified above on both ICSR chassis prior to enabling this command Important Graceful Cleanup of ICSR After Audit of Failed Calls During an Audit on the gateways P GW S GW GGSN SAE GW after Session Recov...

Page 365: ... is allowed during this flush the call may get disconnected based on the control message type and accounting information will be lost for calls that existed before switchover Audit During audit new calls are not allowed because synchronization of call resources may result in clearing of the calls The switchover control outage optimization CLI command allows new calls during the Accounting Flush as...

Page 366: ...kpoint session command allows you to enable generation of NACK messages in response to checkpoint message failures on a Standby ICSR chassis The nack keyword will only appear if a special ICSR optimization feature license has been purchased and installed Contact your Cisco account representative for assistance Important configure context context_name service redundancy protocol variable checkpoint...

Page 367: ...tion Verify that your SRP contexts were created and configured properly by running the show srp info command Exec Mode on each chassis Modifying the Source Context for ICSR To modify the source context of core service Step 1 Add the Border Gateway Protocol BGP router AS path and configure the gateway IP address neighbor IP address remote IP address in the source context where the core network serv...

Page 368: ...d across multiple paired VLANs and IPv4 or IPv6 connectivity is lost by all members of a peer group A sample configuration for SRP peer groups within a context PGWin appears below monitor bgp context PGWin 10 1 1 16 group 1 monitor bgp context PGWin 10 1 1 17 group 1 monitor bgp context PGWin 69 2 215 0 group 2 monitor bgp context PGWin 69 2 215 1 group 2 monitor bgp context PGWin 2001 4333 201 11...

Page 369: ...figuration in Destination Context on page 342 Step 5 Save your configuration as described in Verifying and Saving Your Configuration Configuring BGP Router and Gateway Address in Destination Context Use the following example to create the BGP context and network addresses configure context dest_ctxt_name router bgp AS_num network gw_ip_address neighbor neighbor_ip_address remote as AS_num end Note...

Page 370: ... chassis Enter the show configuration srp command on both chassis Exec mode Verify that both chassis have the same SRP configuration information The output looks similar to the following config context source interface haservice loopback ip address 172 17 1 1 255 255 255 255 srp activate exit radius attribute nas ip address address 172 17 1 1 radius server 192 168 83 2 encrypted key 01abd002c82b4a...

Page 371: ...nfig context ctx_name service redundancy protocol audit daily start time 06 00 audit periodicity 90 end Troubleshooting ICSR Operation SSD StarOS supports an ICSR specific show support details SSD command that outputs the results from a series of Exec mode show commands This mini SSD reduces capture time when debugging ICSR timing issues between the Active and Standby chassis facilitating quicker ...

Page 372: ... on ICSR chassis requires performing an Off line update of each chassis while it is standby mode Traffic disruption is minimal since an active chassis will be handling call sessions while the standby chassis is being updated The general upgrade sequence is as follows Download the StarOS software image and copy transfer it to both chassis Save the currently running configurations on both chassis Up...

Page 373: ... complete view of all the procedures required to complete the StarOS upgrade process Figure 28 ICSR Software Upgrade Part 1 ASR 5000 System Administration Guide StarOS Release 21 1 345 Interchassis Session Recovery Updating the Operating System ...

Page 374: ...Figure 29 ICSR Software Upgrade Part 2 ASR 5000 System Administration Guide StarOS Release 21 1 346 Interchassis Session Recovery Updating the Operating System ...

Page 375: ...Figure 30 ICSR Software Upgrade Part 3 ASR 5000 System Administration Guide StarOS Release 21 1 347 Interchassis Session Recovery Updating the Operating System ...

Page 376: ...Figure 31 ICSR Software Upgrade Part 4 ASR 5000 System Administration Guide StarOS Release 21 1 348 Interchassis Session Recovery Updating the Operating System ...

Page 377: ...e command local host_name directory flash Step 2 Access to the Cisco support site and download facility is username and password controlled Download the software image to a network location or physical device PCMCIA card from which it can be uploaded to the flash device Step 3 Transfer the new operating system image file to the flash device on the SMC using one of the following methods ASR 5000 Sy...

Page 378: ...build and re transfer it onto the chassis Confirm that the correct image version and build description is displayed Important Standby Backup Chassis Log into the backup standby chassis and perform the tasks described below Performing Health Checks Health checks are a series of Exec mode show commands to determine the readiness of the system to handle a software update Step 1 Run show card table al...

Page 379: ...e following Global Configuration command local host_name config boot system priority number image image_url flash filename config cfg_url flash filename Step 3 Assign the next highest priority to this entry by using the N 1 method wherein you assign a priority number that is one number less than your current highest priority If priority 1 is in use you must renumber the existing entries to ensure ...

Page 380: ...ior to saving the updated configuration file Verifying the Software Version After the system has successfully booted verify that the new StarOS version is running by executing the Exec mode show version command You can run the Exec mode show build command to display additional information about the StarOS build release Saving the Configuration File Use the Exec mode save configuration command to s...

Page 381: ...command All existing sessions will be migrated to the backup chassis and it begins servicing new session requests Allow the switchover process to complete Step 2 On the primary chassis run the show srp info command Chassis State should indicate Standby when switchover is complete Step 3 On the backup chassis confirm the switchover is complete by running the show srp info command Chassis State shou...

Page 382: ...ackup chassis active The primary chassis is now processing sessions with the upgraded software Step 1 On the backup chassis run the srp initiate switchover command All existing sessions will be migrated to the primary chassis and it begins servicing new session requests Allow the switchover process to complete Step 2 On the backup chassis run the show srp info command Chassis State should indicate...

Page 383: ... the backup configuration Step 2 Remove the topmost boot entry n and synchronize the configuration across the management cards local host_name config local host_name config no boot system priority n local host_name config end local host_name filesystem synchronize all Step 3 Reboot the system to load its previous configuration local host_name reload Step 4 Perform health checks as described in Per...

Page 384: ...ASR 5000 System Administration Guide StarOS Release 21 1 356 Interchassis Session Recovery Fallback Procedure ...

Page 385: ...ed by a background CLI task called the record collector The administrator configures the SDC via the CLI with the commands to be executed on a periodic basis The record collector always runs in the background and checks if there are records to be collected When it is time to collect support data the scheduler executes the configured sequence of CLI commands and stores the results in a gunzipped gz...

Page 386: ...ne command by itself will result in just that one command output constituting the contents of the entire SDR The user may configure a specific set of record sections for the SDR which may or may not include some or all of the default SDR record sections This configuration is stored in the Global Configuration section of the configuration file Refer to Configuration Commands Global Configuration Mo...

Page 387: ...ration Mode Once the SDR is stored the SDC waits the sleep duration interval specified via the support collection command before collecting another SDR The period between SDRs is equal to the configured sleep duration interval the time taken to collect the previous record Important Managing Record Collection The SDRs are stored together in a self relative set This self relative set is called a Sup...

Page 388: ... maximum SDR count of 5 is reached the SDRs continue to be SDR 0 through SDR 4 with the file timestamps indicating that the files are changing over time The time interval between collections may vary by several minutes in relation to the specified sleep duration This is because the interval specifies the idle time between scheduled collection runs Since the actual overhead of the collecting proces...

Page 389: ...R CLI Commands You may use the collected support data records to view support data chronologically If the default list and sequence of sections is inadequate for system monitoring you can configure your own set of record section commands that make up a particular support record Refer to the SDR CLI Command Strings appendix for a listing of supported CLI strings show commands for record sections Th...

Page 390: ...ifies the CLI strings included in default record sections Important The no support record command removes either a specific section of the record definition or all of the sections If you specify the default support record command the default record section definition of that specified record section is used If neither the keyword all or section is specified all the record section definitions are r...

Page 391: ...ecord id along with the collection time stamp The record id variable identifies a single SDR The to keyword specifies the endpoint record id when displaying a range of SDRs The section keyword displays a particular section of the record delete support record delete support record record id to record id The delete support records command removes an SDR with a specified record id or all SDRs in the ...

Page 392: ... of all valid record section definitions The display also indicates whether the record section is enabled or disabled by default local host_name show support collection definitions The output of this command reflects the sequence in which record sections will be output regardless of the sequence in which they may have been entered by the user Refer to the SDR CLI Command Strings appendix for addit...

Page 393: ...of six CLI sessions at all times One of the six sessions is further reserved for use exclusively by a CLI session on a Console serial interface Additional CLI sessions beyond the pre reserved limit are permitted if sufficient management resources are available If the Resource Manager is unable to reserve resources for a CLI session beyond those that are pre reserved users with administrator privil...

Page 394: ...terface in only one context but you can configure multiple interfaces up to 512 Ethernet or 1 024 ATM in a single context You can apply a maximum of 128 access control list ACL rules to a single logical interface All ports are identified by their slot port Each physical port on a Gigabit Ethernet 1000 or Quad Gigabit line card may contain up to a maximum of 1 024 VLAN tags Each physical port on an...

Page 395: ...llowing The total number of packet processing cards that will become operationally active is increased by one In the event of a failure the line card s directly behind the packet processing cards will become available directly or to another packet processing cards via the RCC If you want processing only application cards all line card slots directly behind the such cards can be empty Otherwise dis...

Page 396: ...ddresses are being used and how they are subnetted Important Each address in the pool requires approximately 60 bytes of memory The amount of memory required however depends on a number of factors such as the pool type and hold timer usage Therefore in order to conserve available memory you may need to limit the number of pools depending on the number of addresses to be configured and the number o...

Page 397: ... higher 300 virtual routing and forwarding VRF tables per context 2 048 VRFs per chassis APN limit is 2 048 per chassis VRF limits and APN limits should be identical 64 000 IP routes NEMO Network Mobility Prior to Release 15 0 256K prefixes framed routes per chassis and up to 8 dynamically learned prefixes per MR Mobile Router Release 15 0 and higher 512K prefixes framed routes per chassis and up ...

Page 398: ...ted are used Default is not used when local authentication for local subscribers is performed Important Configure default subscriber templates on a per AAA realm domain aliases configured within a context basis Configure default subscriber templates on a per PDSN FA ASN GW or HA service For AAA authenticated subscribers the selection of local subscriber template to use for setting attributes is in...

Page 399: ... per IPSec policy is 1 The maximum number of IPSec ACL rules per context is 1 024 The maximum number of IPSec ACL rules per crypto map is 8 The maximum number of ACLs you can configure per context is limited by the number of rules allowed within each ACL If each ACL contained the maximum number of rules 128 the maximum number of ACLs per context is 8 128 X 8 ACLs 1 024 ACL rules per context The ma...

Page 400: ...ASR 5000 System Administration Guide StarOS Release 21 1 372 Engineering Rules ECMP Groups ...

Page 401: ...hese tasks communicate with each other as needed to share control and data signals As a result processes can be distributed across multiple tasks thus reducing the overall work load on any given task and improving system performance This distributed design provides fault containment that greatly minimizes the impact to processes or sessions due to a failure The Exec mode show task command displays...

Page 402: ...iguration parameters The SCT is mainly responsible for storing configuration data for the applications that run on the system The SCT subsystem runs only on the active management card and synchronizes the information it contains with the SCT subsystem on the standby management card Resource Management RM This subsystem assigns resources such as CPU loading and memory for every system task upon sta...

Page 403: ...mobile subscribers packet oriented data session flows High touch user data processing consists of the following Payload transformation Filtering and scheduling Statistics collection Policing Controllers and Managers Many of the primary subsystems are composed of controller tasks called Controllers and subordinated tasks called Managers Controllers serve several purposes Monitor the state of their ...

Page 404: ...Subsystem Table 46 System Initiation Subsystem Tasks Function Description Task Initiated at system start up System Initiation Task Main SITMAIN Reads and provides startup configuration to other SIT components Starts SITREAP sub function Maintains CPU state information Starts management cards in either active or standby mode SIT Parent Sub function SITPARENT Registers tasks with HAT task Notifies C...

Page 405: ... and control functions because of the CPU s hardware capabilities Reports the loss of any task on its CPU to hatsystem sub function Controls the LEDs on the management card ASR 5x00 only Initializes and monitors the dedicated hardware on the management card ASR 5x00 only Controls all the HAT sub function tasks in the system It is initiated on system start up High Availability Task System Controlle...

Page 406: ...th the SIT task on the local CPU to get its entire task table and the resources associated with each task Gathers current resource utilization for each task Sends the resource data to the rmctrl task Virtual Private Networking Subsystem Table 49 Virtual Private Networking VPN Subsystem Tasks Function Description Task Created at system start up VPN Controller vpnctrl Initiates the VPN Manager for e...

Page 407: ...aintains the BGP peering connections Applies any defined BGP routing policy Created by VPN Manager for each context that has enabled the OSPF routing protocol router ospf Context Configuration mode CLI command Open Shortest Path First ospf Responsible for learning and redistributing routing information via the OSPF protocol Maintains the OSPF neighboring relationship Maintains the LSA database Per...

Page 408: ...c routing Interfaces to the kernel for routing interface updates Redistributes routing information to dynamic routing protocols Calculates nexthop reachability Network Processing Unit Subsystem Table 50 Network Processing Unit NPU Subsystem Tasks Function Description Task Created at StarOS start up Kernel based NPU Simulator VPC DI VPC SI knpusim Provides port configuration services to the CSP tas...

Page 409: ...services to the CSP task Provides interface binding and forwarding services to the VPN Manager Provides flow insertion and removal services to Session Manager and AAA Manager tasks Provides recovery services to the NPU Controller Created for every DPC installed and started NPU Simulator ASR 5500 npusim Provides port configuration services to the CSP task Provides interface binding and forwarding s...

Page 410: ... information from VPN Managers Distributes IP interface address information to other Session Processing Subsystem sub managers Manages Enhanced Charging Service ECS Content Filtering and URL Blacklisting services Created by the Session Controller Session Manager sessmgr Provides a subscriber processing system that supports multiple session types Multiple Session Managers can run on a single CPU an...

Page 411: ...ng gateway functions CGFs Multiple AAA Managers can run on a single CPU and or can be distributed throughout any CPU present in the system AAA operations for the CLI are done through a AAA Manager running on the active management card Starts whenever the Global Configuration mode gtpp single source command is configured When GTPP single sourcing is enabled aaaproxy generates requests to the accoun...

Page 412: ...his task for load sharing Access Link Control Application Part Manager ASR 5000 only alcapmgr Runs the ALCAP protocol stack and handles the IuCS over ATM associations Maintains AAL2 node entity databases Provides nodal functions for IuCS over ATM interface on ALCAP protocol Responsible for receiving EDR UDR records from different ACSMGR instances in the system Charging Detail Record Module cdrmod ...

Page 413: ...rough to the messages from application to the Diameter server Just acts as a forwarding agent does not maintain any queues A single Diameter proxy is used to service multiple Diameter applications Created by the Session Controller for each context in which an egtp service of interface type sgw egress or MME is configured Enhanced GPRS Tunneling Protocol Egress Manager egtpemgrr Handles certain EGT...

Page 414: ... them to different Session Manager tasks for load balancing Maintains a list of current Session Manager tasks to aid in system recovery Verifies validity of GTPC messages Maintains a list of current GTPC sessions Handles GTPC Echo messaging to from SGSN Created by the Session Controller for each context in which a GTPU service is configured Supported for both GTPUv0 and GTPUv1 GPRS Tunneling Proto...

Page 415: ...bdemux Distributes incoming Iuh connections to HNB Managers in the system Remains aware of all the active HNB GW services in the system With session recovery SR enabled this demux manager is usually established on one of the CPUs on the first active packet processing card Starts when an HNB GW service configuration is detected There can be multiple instances of this task for load sharing All HNB M...

Page 416: ...r Identity Manager for SGSN imsimgr Selects SessMgr when not done by linkmgr or sgtpcmgr tasks for calls sessions based on IMSI P TMSI Load balances across SessMgrs to select one to which a subscriber will be assigned Maintains records for all subscribers on the system Maintains mapping between the IMSI P TMSI and SessMgrs With session recovery SR enabled this demux manager is usually established ...

Page 417: ...eded depending on loading Layer 2 Tunneling Protocol Manager l2tpmgr Responsible for all aspects of L2TP processing Maintains protocol state machines for all L2TP sessions and tunnels Triggers IPSec encryption for new L2TP tunnels as needed Works with Session Managers to gracefully bring down tunnels With session recovery SR enabled this demux manager is usually established on one of the CPUs on t...

Page 418: ...ets and a list of its service user protocol layers and service provider protocol layers SGSN Master Manager mmgr Runs as a single instance Handles nodal SS7 Iu and Gb functionality Implements master linkmgr functionality for SS7 route status aggregation Implements master linkmgr functionality for RNC and BSC status aggregation With session recovery SR enabled this demux manager is usually establis...

Page 419: ...ss the available pccmgrs along with the session binding functions Monitors load on pccmgrs Distributes incoming IP CAN connections across pccmgrs in the system Performs session binding binds IP CAN Gateway session with the AF Session Ensures all messaging for an IMSI across various interfaces is directed towards the selected pccmgr Remains aware of all the active PCC services in the system With se...

Page 420: ...ce is enabled A minimum of two packet processing cards are required to initiate these eight tasks Standard Routing Database srb Receives the static database from the session controller Each srb task loads two database volumes one primary and one secondary The srb task also stores the static DB Rates and categorizes the URL based on the DB volumes and CSI Category Set Index stored on it Performs pe...

Page 421: ...ata presented by or sent to a mobile subscriber CSS encompasses features such as load balancing NAT HTTP redirection DNS redirection The content server services can be either external to the platform or integrated within the platform External CSS servers are configured via the Context Configuration mode css server command The CSS Controller does not create CSS Managers CSS Managers are stopped and...

Page 422: ...hassis to read local accessible hardware sensors and report them back to the hwctrl Hardware Manager hwmgr The subsystem responsible for starting most of the network services InterNET Service Daemon inetd Listens for requests from connecting clients such as FTP SFTP and telnet When a TCP packet or UDP packet arrives with a particular destination port number inetd launches the appropriate server pr...

Page 423: ...SF Virtual Machine VPC DI Processes incoming broadcast messages from the Client processes such as sessctrl distributes them to the correct Target Facility such as sessmgr creates the correct responses and sends them back to the correct Client As part of the Messenger process provides a reliable channel for tasks to send control messages to the Messenger Daemon Name Service Controller nscontrol Mai...

Page 424: ...s with concerned Controller Tasks to execute the function The response errors from the execution are interpreted formulated into an EMF response and handed off to EMS servers ORBEM Service ASR 5x00 only orbs Notifies the EMS servers of event occurrences ORBEM Notification Service ASR 5x00 only orbns Registers such EMS servers and subscribes them to associated event types As the events occur the co...

Page 425: ...g alerts if configured Polls the needed statistics variables maintains state and generates log messages SNMP notification of threshold crossings Threshold Server threshold ASR 5000 System Administration Guide StarOS Release 21 1 397 StarOS Tasks Management Processes ...

Page 426: ...ASR 5000 System Administration Guide StarOS Release 21 1 398 StarOS Tasks Management Processes ...

Page 427: ...lity for encoding and decoding the checkpoint message The ICSR framework provides the APIs for transport of the instance level checkpoint information and associated statistics Macro checkpoints contain full session information and micro checkpoints contain only a few variables Macro checkpoints are sent initially from the active chassis to the standby chassis on power up and reload and periodicall...

Page 428: ...y ECS to delete or modify a rule on the standby chassis Time based Yes Frequency 30 minutes Event based Yes Events Occurs 1 When a new rule is added or deleted on the active chassis 2 Every 30 minutes if the ECS is registered for periodic micro checkpointing Accounting Delta Cumulative Related CLI command show session subsystem facility sessmgr instance instance no debug info and show srp micro ch...

Page 429: ...sessmgr instance instance no debug info Micro checkpoints This section lists and briefly describes the characteristics of micro checkpoints by application category Micro checkpoints are listed in alphabetical order under the following categories Uncategorized on page 402 DCCA Category on page 403 ECS Category on page 403 ePDG Category on page 407 Firewall ECS Category on page 409 GGSN Category on ...

Page 430: ...S_UCKKPT_CMD_UPDATE_CLPSTATS This micro checkpoint sends VoLTE data statistics Time based Yes Frequency Event based Yes Events Occurs during ICSR background checkpointing A chassis switchover triggers the sending of VoLTE data stats Accounting Delta Cumulative CMD ID 4 Related CLI command None SESS_UCHKPT_CMD_UPDATE_IDLESECS This micro checkpoint sends remaining number of seconds before idle timeo...

Page 431: ...int CCA Assume positive state transitions Accounting Yes Delta Cumulative Cumulative CMD ID 19 Related CLI command None ECS Category SESS_UCHKPT_CMD_ACS_CALL_INFO This micro checkpoint sends critical ECS call level data Time based Yes Frequency Event based Yes Events Occurs whenever ECS call level information is created or modified Accounting No Delta Cumulative N A CMD ID 179 Related CLI command ...

Page 432: ...r related data Time based Yes Frequency Event based Yes Events Occurs whenever ECS bearer information is created or modified Accounting No Delta Cumulative N A CMD ID 33 Related CLI command None SESS_UCHKPT_CMD_DEL_ACS_CALL_INFO This micro checkpoint notifies that a Release Call event has occurred Time based No Frequency N A Event based Yes Events Occurs whenever an ECS Release Call message is pro...

Page 433: ...ed by ECS Time based Yes Frequency Event based Yes Events Occurs whenever dynamic charging action information is created or modified Accounting No Delta Cumulative N A CMD ID 141 Related CLI command None SESS_UCHKPT_CMD_DYNAMIC_CHRG_DEL_CA_INFO This micro checkpoint notifies that a dynamic charging action has been deleted Time based No Frequency N A Event based Yes Events Occurs whenever a dynamic...

Page 434: ...information maintained by ECS Time based Yes Frequency Event based Yes Events Occurs whenever dynamic QoS group information is created or modified Accounting No Delta Cumulative N A CMD ID 140 Related CLI command None SESS_UCHKPT_CMD_DYNAMIC_RULE_DEL_INFO This micro checkpoint notifies that a dynamic rule has been deleted Time based No Frequency Event based Yes Events Occurs whenever a dynamic rul...

Page 435: ...point synchronizes deleted ePDG bearers between the active and standby chassis Time based No Frequency N A Event based Yes Events N A Accounting Yes Delta Cumulative Cumulative CMD ID 110 Related CLI command show srp micro checkpoint statistics debug info SESS_UCHKPT_CMD_UPDATE_EPDG_BEARER This micro checkpoint synchronizes ePDG bearers between the active and standby chassis Time based No Frequenc...

Page 436: ...CMD_UPDATE_EPDG_REKEY This micro checkpoint synchronizes ePDG rekey statistics between the active and standby chassis Time based Yes Frequency 30 seconds Event based No Events N A Accounting Yes Delta Cumulative Cumulative CMD ID 110 Related CLI command show srp micro checkpoint statistics debug info SESS_UCHKPT_CMD_UPDATE_EPDG_STATS This micro checkpoint synchronizes session statistics between th...

Page 437: ...d stateful firewall access rules Accounting No Delta Cumulative N A CMD ID 186 Related CLI command None SESS_UCHKPT_CMD_SFW_RULE_INFO This micro checkpoint notifies the addition of dynamically enabled stateful firewall SFW access rules Time based No Frequency N A Event based Yes Events Occurs whenever PCRF sends a command to enable the predefined SFW access rules Accounting Yes Delta Cumulative Cu...

Page 438: ...s checkpoint is sent upon expiry of this timer Time based Yes Frequency RPR timer Event based Yes Events Occurs when the secondary bearer creation RPR timer expires Accounting Delta Cumulative CMD ID 118 Related CLI command SESS_UCHKPT_CMD_GGSN_UPDATE_SESSION This micro checkpoint is sent in a Network or UE initiated update procedure except for updates that result in the following scenarios Creati...

Page 439: ... micro checkpoint periodically sends session statistics Time based Yes Frequency Every five minutes Event based No Events N A Accounting Yes Delta Cumulative Cumulative CMD ID 116 Related CLI command None SESS_UCHKPT_CMD_UPDATE_COA_PARAMS This micro checkpoint updates input and output ACL parameters Time based Frequency Event based Yes Events COA Change of Authorization response Accounting Delta C...

Page 440: ...sion related information Time based No Frequency N A Event based Yes Events Triggered on receiving CCA I U or RAR from PCRF Accounting Yes Delta Cumulative Cumulative CMD ID 137 Related CLI command None NAT Category SESS_UCHKPT_CMD_GR_UPDATE_NAT_REALM_PORT_INFO1 This micro checkpoint is sent when a port chunk is allocated or deallocated for a subscriber sharing a NAT IP address with other subscrib...

Page 441: ... allocated during call setup and this micro checkpoint is sent Time based No Frequency N A Event based Yes Events Triggered when a NAT IP address is allocated to or deallocated from a subscriber Accounting No Delta Cumulative N A CMD ID 45 Related CLI command None SESS_UCHKPT_CMD_NAT_SIP_ALG_CALL_INFO This micro checkpoint is sent when a new SIP flow is created or deleted for a subscriber while SI...

Page 442: ... to pace 10 micro checkpoints whenever the timer fires granularity 2 sec This only occurs if there are new flows that need to be micro checkpointed Otherwise no micro micro checkpoints are sent Time based No Frequency See explanation above Event based Yes Events Triggered when a new NAT flow is created or deleted Accounting No Delta Cumulative N A CMD ID 96 Related CLI command None SESS_UCHKPT_CMD...

Page 443: ...No Frequency N A Event based Yes Events Triggered when the S GW sets the Over Charging Protection Bit Accounting No Delta Cumulative N A CMD ID 159 Related CLI command None SESS_UCHKPT_CMD_PGW_SGWRESTORATION_INFO This micro checkpoint indicates the interval that a call will remain up when the S GW is down Time based No Frequency N A Event based Yes Events Triggered when the S GW goes into Restorat...

Page 444: ... a UBR or MBR procedure Accounting No Delta Cumulative N A CMD ID 193 Related CLI command show srp checkpoint statistics active verbose and show session subsystem facility sessmgr instance instance_number debug info SESS_UCHKPT_CMD_PGW_UPDATE_APN_AMBR Reserved for future use SESS_UCHKPT_CMD_PGW_UPDATE_INFO Reserved for future use SESS_UCHKPT_CMD_PGW_UPDATE_LI_PARAM This micro checkpoint indicates ...

Page 445: ...Every five minutes Event based No Events N A Accounting Yes Delta Cumulative Cumulative CMD ID 65 Related CLI command None Rf Interface Category SESS_UCHKPT_CMD_ACS_ACCOUNTING_TYPE_QCI_RF This micro checkpoint indicates a change in the SDF QCI based Rf accounting buckets Time based Yes Frequency 4 seconds for aamgr checkpoint and 18 seconds for GR checkpoint Event based No Events N A Accounting Ye...

Page 446: ...ates a change in the SDF based Rf accounting buckets Time based Yes Frequency 4 seconds for aamgr checkpoint and 18 seconds for GR checkpoint Event based No Events N A Accounting Yes Delta Cumulative Cumulative CMD ID 125 Related CLI command None SESS_UCHKPT_CMD_ACS_ACCOUNTING_TYPE_RATING_GROUP_RF_WITH_FC This micro checkpoint indicates complete SDF based Rf accounting buckets Time based Yes Frequ...

Page 447: ...elta Cumulative N A CMD ID 202 Related CLI command None SaMOG Category SESS_UCHKPT_CMD_CGW_DELETE_BEARER Reserved for future use SESS_UCHKPT_CMD_CGW_DELETE_PDN This micro checkpoint indicates a PDN connection has been deleted Time based No Frequency N A Event based Yes Events Occurs whenever SaMOG sends a Delete Session Req or upon receiving a Delete Bearer Request Accounting No Delta Cumulative N...

Page 448: ...a change in APN AMBR Time based No Frequency N A Event based Yes Events Occurs when a change in APN AMBR is received from the P GW due to a reauthorization AAR Received from AAA Server or Update Bearer Request Accounting No Delta Cumulative N A CMD ID 168 Related CLI command show subscriber samog only full SESS_UCHKPT_CMD_CGW_UPDATE_STATS Reserved for future use SESS_UCHKPT_CMD_CGW_UPDATE_UE_PARAM...

Page 449: ...T request is received from the WLC Accounting No Delta Cumulative N A CMD ID 174 Related CLI command show subscriber samog only full SESS_UCHKPT_CMD_SAMOG_EOGRE_TUNNEL_INFO This micro checkpoint is sent for an Inter RG handoff for EoGRE subscriber sessions This checkpoint updates the VMAC Address and WLC EoGRE tunnel end point address Time based No Frequency N A Event based Yes Events Occurs whene...

Page 450: ...e subscriber session is in Handoff state Time based No Frequency N A Event based Yes Events Occurs on completion of Re Authentication for an existing SaMOG subscriber session currently in Handoff state Accounting No Delta Cumulative N A CMD ID 176 Related CLI command show subscriber samog only full SESS_UCHKPT_CMD_SAMOG_HANDOFF_INIT_INFO This micro checkpoint is sent for a SaMOG session on receipt...

Page 451: ..._TIMER_INFO This micro checkpoint updates the Binding Cache Life timer and MIPv6 biding status for a SaMOG session Time based No Frequency N A Event based Yes Events Occurs whenever a PMIPv6 PBU is received with a lifetime of zero from the WLC Accounting No Delta Cumulative N A CMD ID 190 Related CLI command show subscriber samog only full SESS_UCHKPT_CMD_SAMOG_MULTI_ROUND_AUTHEN_INFO This micro c...

Page 452: ...uthentication for an existing SaMOG subscriber session Accounting No Delta Cumulative N A CMD ID 172 Related CLI command show subscriber samog only full SESS_UCHKPT_CMD_SAMOG_REAUTHOR_INFO This micro checkpoint is sent for a SaMOG session when subscriber Re authorization is completed Time based No Frequency N A Event based Yes Events Occurs on receiving and successfully processing AAR from the AAA...

Page 453: ...eference or the online Help for the command The table below also indicates default and non default strings It reflects the output sequence of the show support collection definitions command Table 54 ASR 5000 SDR CLI Command Strings Command String Default SDR No show version verbose Enabled 0 show clock Enabled 1 show clock universal Enabled 2 show configuration Enabled 3 show_profile Enabled 4 sho...

Page 454: ...led 23 debug hdctrl client list Enabled 24 show card info Disabled 25 show card diag Enabled 26 show card table all Enabled 27 show port table all Enabled 28 show port info Enabled 29 show port utilization table Enabled 30 show data path congestion Enabled 31 show npu details Disabled 32 show lagmgr details Disabled 33 show fans Enabled 34 show hardware version fans Disabled 35 show power chassis ...

Page 455: ...4 show persistdump list Disabled 55 show persistdump display Disabled 56 show snmp trap history verbose Enabled 57 show snmp trap statistics verbose Disabled 58 show logs Enabled 59 show ge switch counters Enabled 60 ethtool S cpeth Enabled 61 Standby SMC Ophir Mac counters Enabled 62 show messenger settings Disabled 63 show messenger nameservice Enabled 64 show messenger statistics Enabled 65 sho...

Page 456: ...ma service all Disabled 84 show dhcp service all Disabled 85 show sgsn service all Disabled 86 show sgsn sessmgr all memory statistics Disabled 87 show operator policy all Disabled 88 show call control profile all Disabled 89 show apn profile all Disabled 90 show imei profile all Disabled 91 show gprs service all Disabled 92 show iups service all Disabled 93 show sgtp service all Disabled 94 show ...

Page 457: ...cs Disabled 120 show cli configuration monitor Disabled 121 show srp info Enabled 122 show srp checkpoint statistics Enabled 123 show srp checkpoint statistics verbose Disabled 124 show srp checkpoint statistics sessmgr all Disabled 125 show srp checkpoint statistics ipsecmgr all Disabled 126 show srp checkpoint statistics sessmgr all write list stats Enabled 127 show srp monitor Disabled 128 show...

Page 458: ...n all mtp3 statistics linkset all link all Disabled 148 show ss7 routing domain all routes Disabled 149 show sccp network all status all Disabled 150 show global title translation association Disabled 151 show global title translation address map Disabled 152 show egtpc peers Enabled 153 show egtpc statistics interface mme Disabled 154 show egtpc statistics interface sgsn Enabled 155 show egtpc st...

Page 459: ...s all Enabled 179 show sccp statistics Disabled 180 show tcap statistics Disabled 181 show map statistics Disabled 182 show sms statistics Disabled 183 show pdg service statistics Disabled 184 show hnbgw sessmgr all memory statistics Disabled 185 show hnbgw sessmgr all internal statistics Disabled 186 show hnbgw disconnect reasons Disabled 187 show cs network statistics Disabled 188 show ps networ...

Page 460: ...all Enabled 210 show gtpp accounting servers Disabled 211 show gtpp statistics verbose Disabled 212 show gtpp counters all Disabled 213 show gtpp storage server Disabled 214 show gtpp storage server statistics verbose Disabled 215 show gtpp storage server local file statistics verbose Disabled 216 show gtpp storage server local file counters all Disabled 217 show gtpp storage server streaming file...

Page 461: ... Disabled 247 show npu details Disabled 248 show active charging service all Disabled 249 show active charging tcp proxy statistics all verbose debug info Disabled 250 show active charging edr udr file flow control counters verbose debug only Disabled 251 show active charging service statistics Disabled 252 show active charging analyzer statistics Disabled 253 show active charging dns learnt ip ad...

Page 462: ...sabled 274 debug acsmgr show flow stats max simultaneous flows ip Disabled 275 debug acsmgr show flow stats max simultaneous flows tcp Disabled 276 debug acsmgr show flow stats max simultaneous flows udp Disabled 277 debug acsmgr show flow stats duration based all flows Disabled 278 debug acsmgr show flow stats duration based tcp Disabled 279 debug acsmgr show flow stats duration based udp Disable...

Page 463: ...cs Disabled 304 show active charging firewall statistics debug info Disabled 305 show active charging nat statistics Disabled 306 show demuxmgr statistics asngwmgr all Disabled 307 show asngw service all Disabled 308 show asngw service statistics verbose Disabled 309 show demuxmgr statistics asnpcmgr all Disabled 310 show asnpc service all Disabled 311 show asnpc service statistics verbose Disable...

Page 464: ...isabled 331 show active charging tethering detection statistics Disabled 332 show ims authorization service statistics Disabled 333 show ims authorization policy control statistics Disabled 334 show ims authorization policy control statistics debug info Disabled 335 show local policy statistics summary Disabled 336 show rohc statistics Disabled 337 show dns client statistics Disabled 338 show hss ...

Page 465: ...control statistics mme full Disabled 360 show congestion control statistics imsimgr all full Disabled 361 show ge switch counters second sample Enabled 362 ethtool S cpeth Enabled 363 Standby SMC Ophir Mac counters second sample ASR 5000 only Enabled 364 show cli history Disabled 365 card cpu boxer summary Disabled 366 show sls service all Disabled 367 show sls service peers all Disabled 368 show ...

Page 466: ...ASR 5000 System Administration Guide StarOS Release 21 1 438 ASR 5000 SDR CLI Strings ASR 5000 SDR CLI Command Strings ...

Reviews:

No comments