manualshive.com logo in svg

Cisco ASR 5500, System Administration Manual, Page: 109 / 430

Share
Download
Cisco ASR 5500 System Administration Manual Download Page 109

Generating the Public and Private Keys

The RSA public key is stored in PEM format (.pem file), and can be generated using one of the following
OpenSSL commands in the example below:

openssl rsa -in pri_key.pem - pubout -out pub_key.pem

-or--

openssl rsa -in pri_key.pem -RSAPublicKey_out -out pub_key.pem

An RSA private key in PEM format can be generated using the OpenSSL command in the following example:

openssl genrsa -out pri_key.pem 2048

For more information on the

openssl rsa

and

openssl genrsa

commands, refer their respective OpenSSL

manual pages.

Validate the Digital Signature

When signature verification is enabled, validation of the digital signature occurs when the system boots up
and loads the configuration file (or any time when the config file is loaded). The system determines if signature
verification is enabled (or disabled) by looking for the

.enable_cfg_pubkey

file in the secure directory. For

more information, refer

Enable or Disable Signature Verification, on page 84

.

The system validates the signed configuration file using the following steps:

1

Extract the RSA public signing key from the flash.

2

Extract the configuration file

s digital signature (the first line).

3

Convert the signature from base64 to binary format.

4

Decrypt the signature using the RSA public key.

5

Calculate the SHA512 hash for the plain config file resulting in a message digest.

6

Compare the decrypted signature value and newly calculated message digest. If they match, the configuration
file is successfully validated.

Configuring Signature Verification

Import RSA Public Key for Verification

To verify the signed configuration file, an RSA public key (in PEM format) must be imported. Use the
following command to import the RSA public key:

This command can only be executed from the console.

Important

cfg-security import public-key url url_address
Notes:

Any existing .pem file will be replaced with the new .pem file when the command is executed.

url_address

may refer to a local or a remote file, and must be entered using the following format:

[file:]{/flash | /usb1 | /hd-raid | /sftp}[/directory]/filename

ASR 5500 System Administration Guide, StarOS Release 21.5    

83

Secure System Configuration File

Validate the Digital Signature

Summary of Contents for ASR 5500

Page 1: ...istration Guide StarOS Release 21 5 First Published 2017 11 30 Americas Headquarters Cisco Systems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 ...

Page 2: ... IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR INABILITY TO USE T...

Page 3: ...rvices 2 AAA Servers 3 Subscribers 3 Trusted Builds 4 How the System Selects Contexts 4 Context Selection for Context level Administrative User Sessions 5 Context Selection for Subscriber Sessions 8 Understanding Configuration Files 8 IP Address Notation 9 IPv4 Dotted Decimal Notation 9 IPv6 Colon Separated Hexadecimal Notation 9 CIDR Notation 10 Alphanumeric Strings 10 Character Set 11 Quoted Str...

Page 4: ...sion Logout 20 Changing Default sshd Secure Session Logout Parameters 21 SSH Client Login to External Servers 21 Setting SSH Client Ciphers 21 Setting Preferred Authentication Methods 22 Generating SSH Client Key Pair 23 Pushing an SSH Client Public Key to an External Server 24 Enabling NETCONF 24 C H A P T E R 3 System Settings 25 Configuring System Timing 25 Setting the System Clock and Time Zon...

Page 5: ...tion 37 Updating Local User Database 37 Updating and Downgrading the local user Database 38 Restricting User Access to a Specified Root Directory 39 Configuring an SFTP root Directory 39 Associating an SFTP root Directory with a Local User 39 Associating an SFTP root Directory with an Administrator 39 Associating an SFTP root Directory with a Config Administrator 40 Configuring TACACS for System A...

Page 6: ...guration File 54 Reload and Shutdown Commands 54 show administrators Command 55 C H A P T E R 5 Management Settings 57 ORBEM 57 Configuring ORBEM Client and Port Parameters 58 Configuring IIOP Transport Parameters 58 Verifying ORBEM Parameters 59 SNMP MIB Browser 59 SNMP Support 62 Configuring SNMP and Alarm Server Parameters 62 Verifying SNMP Parameters 63 Controlling SNMP Trap Generation 64 C H ...

Page 7: ...ity 75 Protection of Passwords 75 Secure Password Encryption 75 Support for Non Current Encryptions and Decryptions 76 Support for ICSR Configurations 76 Encrypted SNMP Community Strings 77 Lawful Intercept Restrictions 77 LI Server Addresses 77 Modifying Intercepts 78 Adding Modifying and Removing Users 78 Notification of Users Being Added or Deleted 78 Notification of Changes in Privilege Levels...

Page 8: ...Local File System 86 File System Management Commands 86 Creating Directories 86 Renaming Files and Directories 87 Copying Files 87 Deleting Files 87 Removing Directories 87 Formatting Local Devices 88 Applying Pre existing CLI Configuration Files 88 Viewing Files on the Local File System 89 Viewing the Contents of a Local Device 89 Viewing CLI Configuration and boot sys Files 89 Validating an Oper...

Page 9: ...storing the Previous Software Image 98 Managing License Keys 98 New System License Keys 98 Session Use and Feature Use Licenses 98 Installing New License Keys 99 Cutting and Pasting the Key 99 Adding License Keys to Configuration Files 99 License Expiration Behavior 100 Requesting License Keys 100 Viewing License Information 100 Deleting a License Key 101 Managing Local User Administrative Account...

Page 10: ...ing Communication with the Collection Server 116 Configuring Standard Settings 116 Configuring Optional Settings 117 Configuring Bulk Statistic Schemas 117 Configuring a Separate Bulkstats Config File 118 Using show bulkstats Commands 118 Verifying Your Configuration 119 Saving Your Configuration 120 Viewing Collected Bulk Statistics Data 120 Collecting Bulk Statistics Samples in SSD 120 Manually ...

Page 11: ...nfiguring and Viewing Crash Logs 143 Crash Logging Architecture 143 Configuring Software Crash Log Destinations 144 Viewing Abridged Crash Log Information Using the CLI 145 Reducing Excessive Event Logging 146 Configuring Log Source Thresholds 147 Checkpointing Logs 147 Saving Log Files 148 Event ID Overview 148 Event Severities 157 Understanding Event ID Information in Logged Output 157 C H A P T...

Page 12: ...nstances of CDRMOD 168 Configuring the Hexdump Module 169 Configuring the Hexdump File Parameters 171 Enabling or Disabling Hexdump 174 Enabling PCAP Trace for MME 174 Monitoring and Troubleshooting PCAP Trace 175 Show Command s and or Outputs 175 show cdr statistics 175 show hexdump module cdr file space usage 176 show hexdump module statistics 177 C H A P T E R 1 7 System Recovery 181 Prerequisi...

Page 13: ...r 194 Applying an ACL to the Subscriber Named default 195 Applying an ACL to the Subscriber Named default 195 Verifying the ACL Configuration to the Subscriber Named default 196 Applying an ACL to Service specified Default Subscriber 196 Applying an ACL to Service specified Default Subscriber 197 Verifying the ACL Configuration to Service specified Default Subscriber 197 Applying a Single ACL to M...

Page 14: ...xt 210 OSPF Routing 210 OSPF Version 2 Overview 211 Basic OSPFv2 Configuration 212 Enabling OSPF Routing For a Specific Context 212 Enabling OSPF Over a Specific Interface 212 Redistributing Routes Into OSPF Optional 212 Confirming OSPF Configuration Parameters 213 OSPFv3 Routing 213 OSPFv3 Overview 213 Basic OSPFv3 Configuration 213 Enabling OSPFv3 Routing For a Specific Context 213 Enabling OSPF...

Page 15: ...ctional Forwarding Detection 222 Overview of BFD Support 223 Configuring BFD 223 Configuring a BFD Context 224 Configuring IPv4 BFD for Static Routes 224 Configuring IPv6 BFD for Static Routes 224 Configuring BFD for Single Hop 225 Configuring Multihop BFD 225 Scaling of BFD 226 Associating BGP Neighbors with the Context 226 Associating OSPF Neighbors with the Context 226 Associating BFD Neighbor ...

Page 16: ...verlapping IP Address Pool Support GGSN 235 RADIUS VLAN Support Enhanced Charging Services 236 APN Support PDN Gateway P GW 236 Creating VLAN Tags 236 Verifying the Port Configuration 237 Configuring Subscriber VLAN Associations 238 RADIUS Attributes Used 238 Configuring Local Subscriber Profiles 238 Verify the Subscriber Profile Configuration 238 VLAN Related CLI Commands 239 C H A P T E R 2 2 BG...

Page 17: ...y Works 257 Configuring the System to Support Session Recovery 259 Enabling Session Recovery 259 Enabling Session Recovery on an Out of Service System 260 Enabling Session Recovery on an In Service System 260 Disabling the Session Recovery Feature 261 Viewing Session Recovery Status 261 Viewing Recovered Session Information 262 Recovery Control Task Statistics 263 show rct stats Command 263 Sample...

Page 18: ...ace Parameters 279 Configuring NACK Generation for SRP Checkpoint Messaging Failures 280 Enabling NACK Messaging from the Standby Chassis 280 Selective Disabling of NACK Messaging 281 Configuring LZ4 Compression Algorithm 281 Reducing Sync Up Time with Standby ICSR Chassis 281 Verifying SRP Configuration 282 Modifying the Source Context for ICSR 282 Configuring BGP Router and Gateway Address 283 C...

Page 19: ...the Update Process 295 Waiting for Session Synchronization 295 Primary System 295 Initiating an SRP Switchover 296 Checking AAA Monitor Status on the Newly Active System 296 Completing the Software Update 296 Initiating an SRP Switchover 297 Making Test Calls 297 Fallback Procedure 297 C H A P T E R 2 6 Support Data Collector 299 Overview 299 Configuring SDR Collection 300 Displaying the SDR Colle...

Page 20: ...ubsystems 314 Controllers and Managers 315 Subsystem Tasks 316 System Initiation Subsystem 316 High Availability Subsystem 317 Resource Manager Subsystem 318 Virtual Private Networking Subsystem 318 Network Processing Unit Subsystem 320 Session Subsystem 322 Platform Processes 331 Management Processes 334 A P P E N D I X C NETCONF and ConfD 337 Feature Summary and Revision History 337 Overview 338...

Page 21: ...rver ConfD 354 Bulkstats 355 Exec CLI Model 357 CLI Based YANG Model for ECS Commands 358 Seeding and Synchronizing the CDB 359 show configuration confd Command 359 CDB Maintenance 360 clear confdmgr confd cdb 360 configure confd url 360 save configuration url confd 361 Supported StarOS ECS Configuration Commands 361 A P P E N D I X D ICSR Checkpointing 363 Overview of Checkpointing 363 Macro chec...

Page 22: ...CHKPT_CMD_DYNAMIC_CHRG_QG_INFO 370 SESS_UCHKPT_CMD_DYNAMIC_RULE_DEL_INFO 370 SESS_UCHKPT_CMD_DYNAMIC_RULE_INFO 371 ePDG Category 371 SESS_UCHKPT_CMD_DELETE_EPDG_BEARER 371 SESS_UCHKPT_CMD_UPDATE_EPDG_BEARER 371 SESS_UCHKPT_CMD_UPDATE_EPDG_PEER_ADDR 372 SESS_UCHKPT_CMD_UPDATE_EPDG_REKEY 372 SESS_UCHKPT_CMD_UPDATE_EPDG_STATS 372 Firewall ECS Category 373 SESS_UCHKPT_CMD_SFW_DEL_RULE_INFO 373 SESS_UC...

Page 23: ...0 SESS_UCHKPT_CMD_PGW_UPDATE_LI_PARAM 380 SESS_UCHKPT_CMD_PGW_UPDATE_PDN_COMMON_PARAM 381 SESS_UCHKPT_CMD_PGW_UPDATE_QOS 381 SESS_UCHKPT_CMD_PGW_UPDATE_SGW_CHANGE 381 SESS_UCHKPT_CMD_PGW_UPDATE_STATS 381 Rf Interface Category 381 SESS_UCHKPT_CMD_ACS_ACCOUNTING_TYPE_QCI_RF 381 SESS_UCHKPT_CMD_ACS_ACCOUNTING_TYPE_QCI_RF_WITH_FC 382 SESS_UCHKPT_CMD_ACS_ACCOUNTING_TYPE_RATING_GROUP_RF 382 SESS_UCHKPT_...

Page 24: ...I_PROV_INFO 387 SESS_UCHKPT_CMD_SAMOG_MIPV6_TIMER_INFO 387 SESS_UCHKPT_CMD_SAMOG_MULTI_ROUND_AUTHEN_INFO 387 SESS_UCHKPT_CMD_SAMOG_REAUTHEN_INFO 388 SESS_UCHKPT_CMD_SAMOG_REAUTHOR_INFO 388 A P P E N D I X E ASR 5500 SDR CLI Command Strings 389 A P P E N D I X F Cisco Secure Boot 403 Fundamental Concepts 403 Secure Boot Overview 404 MIO2 Support for Secure Boot 404 Image Naming Conventions 404 Veri...

Page 25: ...e Alerts you of potential damage to a program device or system Caution Alerts you of potential personal injury or fatality May also alert you of potential electrical hazards Warning Description Typeface Conventions This typeface represents displays that appear on your terminal screen for example Login Text represented as a screen display This typeface represents commands that you enter for example...

Page 26: ...ts are available on www cisco com AAA Interface Administration and Reference Command Line Interface Reference GTPP Interface Administration and Reference IPSec Reference Release Change Reference SNMP MIB Reference Statistics and Counters Reference Thresholding Configuration Guide Product specific and feature specific Administration guides Contacting Customer Support Use the information in this sec...

Page 27: ...tion defines important terms used throughout this guide Contexts A context is a logical grouping or mapping of configuration parameters that pertain to various physical ports logical IP interfaces and services A context can be thought of as a virtual private network VPN The system supports the configuration of multiple contexts Each context is configured and operates independently of the others On...

Page 28: ...iation between elements within the system There are two types of bindings static and dynamic Static binding is accomplished through system configuration Static bindings associate A specific logical interface configured within a particular context to a physical port Once the interface is bound traffic can flow through the context as if it were any physically defined circuit Static bindings support ...

Page 29: ...s are the end users of the service they gain access to the Internet their home network or a public network through the system There are three primary types of subscribers RADIUS based Subscribers The most common type of subscriber these users are identified by their International Mobile Subscriber Identity IMSI number an Electronic Serial Number ESN or by their domain name or user name They are co...

Page 30: ...ever management subscribers may also be authenticated remotely via RADIUS if an AAA configuration exists within the local context or TACACS Trusted Builds A Trusted build is a starfile image from which non secure or low security features have been deleted or disabled However the binaries in the Trusted starfile image are are identical to those found in other starfiles for a particular StarOS relea...

Page 31: ...s you must connect through an MIO management interface If you SFTP or FTP as a non local context account you must use the username syntax of username contextname In release 20 0 and higher Trusted StarOS builds FTP is not supported Important The context selection process becomes more involved if you are configuring the system to provide local authentication or work with a AAA server to authenticat...

Page 32: ...ext level administrative user Items in the table correspond to the circled numbers in the flowchart Figure 1 Context level Administrative User AAA Context ASR 5500 System Administration Guide StarOS Release 21 5 6 System Operation and Configuration Context Selection for Context level Administrative User Sessions ...

Page 33: ... the AAA Administrator Default Domain context is used If the default domain is not configured or does not match a configured context or domain go to item 4 item below 3 If a domain was specified as part of the username but it did not match a configured context or if a domain was not specified as part of the username the system determines if the AAA Administrator Last Resort context parameter is co...

Page 34: ...t configuration file processing Important The commands and configuration data within the file are organized and formatted just as they would be if they were being entered at the CLI prompt For example if you wanted to create a context called source in the CLI you would enter the following commands at their respective prompts local host_name config local host_name config context source source host_...

Page 35: ...ys view the online Help for the CLI command to verify acceptable forms of IP address notation IPv4 Dotted Decimal Notation An Internet Protocol Version 4 IPv4 address consists of 32 bits divided into four octets These four octets are written in decimal numbers ranging from 0 to 255 and are concatenated as a character string with full stop delimiters dots between each number For example the address...

Page 36: ... address may denote a single distinct interface address or the beginning address of an entire network In the latter case the CIDR notation specifies the address block allocation of the network The maximum size of the network is given by the number of addresses that are possible with the remaining least significant bits below the prefix This is often called the host identifier For example the addre...

Page 37: ...oted below ampersand apostrophe arrow brackets see exception below asterisk see wildcard exception below braces brackets dollar sign see wildcard exception below exclamation point see exception below parentheses percent see exception below pound sign see exception below question mark quotation mark single quotation mark double semicolon slash backward see exception below slash forward see exceptio...

Page 38: ... hyphen hash or pound sign percent slash backward must be entered as double slash slash forward Quoted Strings If descriptive text requires the use of spaces between words the string must be entered within double quotation marks For example interface Rack 3 Chassis 1 port 5 2 ASR 5500 System Administration Guide StarOS Release 21 5 12 System Operation and Configuration Quoted Strings ...

Page 39: ... Configuring the maximum number of sessions is recommended for all privileged accounts Important Security administrators can limit the number of concurrent interactive CLI sessions with three different ways depending on the authentication method which his used for that particular user account StarOS supports three login authentication methods TACACS Server users Local User users AAA Context users ...

Page 40: ...both are specified then the idle timeout should always be lower than the session timeout since a lower session timeout will always be reached first Important For additional information on configuring the maximum number of minutes that an interactive CLI session can be in use see the idle sessions threshold command and the clear tacacs sessions CLI command in the CLI Reference and the show tacacs s...

Page 41: ...vice you want to log in from and store the public key on the system that you wish to log into SSH host keys are generated within a specified StarOS context The context is associated with a user interface You set or remove an administrative user name having authorized keys for access to the sshd server associated with context Setting SSH Key Size The Global Configuration mode ssh key size CLI comma...

Page 42: ...to right from those shown below blowfish cbc symmetric key block cipher Cipher Block Chaining CBC 3des cbc Triple Data Encryption Standard CBC aes128 cbc Advanced Encryption Standard AES 128 bit key size CBC aes128 ctr AES 128 bit key size Counter mode encryption CTR aes192 ctr AES 192 bit key size CTR aes256 ctr AES 256 bit key size CTR aes128 gcm openssh com AES 128 bit key size Galois Counter M...

Page 43: ...key type v2 rsa local host_name config ctx Setting SSH Key Pair The ssh key command sets the public private key pair to be used by the system The v2 dsa keyword is concealed in the ssh key command Specify the SSH key pair parameters local host_name config ctx ssh key data length octets type v2 rsa Notes data is the encrypted key expressed as an alphanumeric string of 1 through 1023 characters leng...

Page 44: ...to the System Settings chapter for additional information on creating administrators host host_ip specifies the IP address of an SSH host having the authorization keys for this username The IP address must be in IPv4 dotted decimal or IPv6 colon separated hexadecimal notation type specifies the key type v2 rsa is the only supported type SSH User Login Restrictions An administrator can restrict SSH...

Page 45: ...ress The following limits apply to the user_list The maximum length of this string is 3000 bytes including spaces The maximum number of AllowUsers which is counted by spaces is 256 which is consistent with the limit from OpenSSH If you exceed either of the above limits an error message is displayed The message prompts you to use a regular expression pattern to shorten the string or remove all the ...

Page 46: ...ive interval of 5 Smaller session logout values may lead to occasional ssh session logouts Adjust values to balance security and user friendliness Important The client active countmax command sets the number of client alive messages which may be sent without sshd receiving any messages back from the SSH client default 3 If this threshold is reached while the client alive messages are being sent ss...

Page 47: ...n for SSH SFTP access from the StarOS gateway to external servers You configure this feature by generating SSH client key pairs and pushing the client public key to external servers By default StarOS only supports username password authentication to external servers Note Setting SSH Client Ciphers The SSH Client Configuration mode ciphers CLI command configures the cipher priority list when loggin...

Page 48: ...Trusted build is aes256 ctr aes192 ctr aes128 ctr Step 3 Exit the SSH Client Configuration mode local host_name config ssh end local host_name Setting Preferred Authentication Methods The SSH Client Configuration mode preferredauthentications CLI command configures the preferred methods of authentication Step 1 Enter the SSH Client Configuration mode local host_name config client ssh Step 2 Specif...

Page 49: ...y private_key_string specifies a private key value as an alphanumeric string of 1 through 4499 characters length key_length specifies the length of the key in bytes as an integer from 0 through 65535 type v2 rsa specifies the SSH client key type The only supported SSH client key type is v2 rsa Step 3 Generate SSH client key pair local host_name config ssh ssh generate key type v2 rsa local host_na...

Page 50: ...ame specifies a valid username on the external server as an alphanumeric string of 1 to 79 characters context context_name specifies a valid context name The context name is optional If it is not provided the current context is used for processing Step 2 Repeat Step 1 to support SSH SFTP access on other external servers Step 3 Test SSH client login to an external server local host_name ssh hostnam...

Page 51: ...LI Timestamping page 30 Configuring CLI Confirmation Prompts page 30 Configuring System Administrative Users page 32 Configuring TACACS for System Administrative Users page 40 Separating Authentication Methods page 44 Configuring a Chassis Key page 46 Enabling Automatic Reset of FSC Fabric page 48 Configuring System Timing The system is equipped with a clock that supplies the timestamp for statist...

Page 52: ...ing the system to enable the use of the Network Time Protocol NTP Configure the system clock and time zone prior to implementing NTP support This greatly reduces the time period that must be corrected by the NTP server Important Many of the services offered by the StarOS require accurate timekeeping derived through NTP If the time reference s used by StarOS are not accurate the services may be unr...

Page 53: ...our NTP servers Important Save the configuration as described in the Verifying and Saving Your Configuration chapter Configuring NTP Servers with Local Sources NTP can use network peers local external clocks such as GPS devices or a local clock with no external source A local clock with no external source is usually a last resort clock when no better clock is available It is typically configured o...

Page 54: ...r o PPS Peer v remote refid st t when poll reach delay offset jitter 10 81 254 202 GPS 1 u 160 1024 377 21 516 0 019 0 009 The following table describes the parameters output by the show ntp associations command Table 2 NTP Parameters Description Column Title List of the current NTP servers One of these characters precedes each IP address to show the server s current condition Rejected No response...

Page 55: ...ommand corrects a scenario where SFs come online late following chassis load or reload and the configuration pertaining to those SFs is not applied and thereby lost configure no wait cards active all number standby number timeout seconds end Notes all Pause until all active mode cards attain operational status number Pause until the specified number of active mode cards attain operational status n...

Page 56: ...Automatic Confirmation You can use the autoconfirm command to disable confirmation prompting for configuration commands The autoconfirm command is available in the Exec mode and Global Configuration mode Enabling the autoconfirm feature automatically supplies a Yes response to configuration command prompts including for critical commands such as reload and shutdown By default autoconfirm is disabl...

Page 57: ...Yes No yes local host_name config To disable commandguard once it has been enabled use the no commandguard command The status of commandguard is output in show configuration commands Requiring Confirmation for Specific Exec Mode Commands A keyword for the commandguard command allows you to apply mandatory prompting for specified categories of Exec mode configuration commands even when autoconfirm ...

Page 58: ... additional administrative users having the following privileges Security Administrators have read write privileges and can execute all CLI commands including those available to Administrators Operators and Inspectors Administrators have read write privileges and can execute any command in the CLI except for a few security related commands that can only be configured by Security Administrators Adm...

Page 59: ...ity to impact security configurations and attributes or could adversely affect the services stability and performance of the system The maximum number of simultaneous CLI sessions is configurable when attempting a new Local User login and a new AAA context based login If the maximum number of sessions is set to 0 then the user is authenticated regardless of the login type When the CLI task starts ...

Page 60: ...eate a config administrator without an associated password Enable this option when using ssh public keys authorized key command in SSH Configuration mode as a sole means of authentication When enabled this option prevents someone from using a config administrator password to gain access to the user account Save the configuration as described in the Verifying and Saving Your Configuration chapter C...

Page 61: ...on mode require segregated li configuration command permanently segregates display of System and Lawful Intercept CLI The CLI commands with Lawful Intercept keyword are encrypted and can only be viewed by an administrator with li administration privilege In a Trusted build LI segregation is turned on and cannot be disabled The require segregated li configuration command is invisible Important Segr...

Page 62: ... guide Note In Release 21 4 and higher Trusted builds only Users can only access the system through their respective context interface If the user attempts to log in to their respective context through a different context interface that user will be rejected Irrespective of whether the users are configured in any context with authorized keys or allowusers with this feature these users will be reje...

Page 63: ...entify active administrators or place time thresholds on the administrator Refer to the Command Line Interface Reference for more information about the local user username command For additional information on the local user database see Updating and Downgrading the local user Database on page 38 Verifying Local User Configuration Verify that the configuration was successful by entering the follow...

Page 64: ...esult in the database StarOS then clears the Weak Hash flag for that user Since hash functions are one way it is not possible to convert PBKDF2 hashed passwords to the MD5 format The local user database must be downgraded prior to reverting to StarOS releases prior to 20 0 Important To downgrade the local user database to use the MD5 hash algorithm a Security Administrator must run the Exec mode d...

Page 65: ...rectory can be assigned to one or more users Configuring an SFTP root Directory The subsystem sftp command allows the assignment of an SFTP root directory and associated access privilege level configure context local server sshd subsystem sftp name sftp_name root dir pathname mode read only readwrite Notes sftp_name is an alphanumeric string that uniquely identifies this subsystem pathname specifi...

Page 66: ...n on the TACACS AAA service configuration is performed in TACACS Configuration Mode Enabling the TACACS function is performed in the Global Configuration Mode The system supports the configuration of up to three TACACS servers Once configured and enabled on the system TACACS authentication is attempted first By default if TACACS authentication fails the system then attempts to authenticate the use...

Page 67: ...nistrative users The plain text or encrypted password for each user The name of the group to which each user belongs A list of user groups TACACS privilege levels and commands that are allowed denied for each group TACACS privilege levels are stored as Attribute Value Pairs AVPs in the network s TACACS server database Users are restricted to the set of commands associated with their privilege leve...

Page 68: ...e below to configure TACACS AAA services on the system configure tacacs mode server priority priority_number ip address tacacs srvr_ip_address end Note server priority priority_number Must be an integer from 1 to 3 releases prior to 18 2 or 1 through 4 releases 18 2 that specifies the order in which this TACACS server will be tried for TACACS authentication 1 is the highest priority and 3 or 4 is ...

Page 69: ...e local context login would not be attempted and the admin account login authentication would fail configure tacacs mode on unkown user stop quest end Verifying the TACACS Configuration This section describes how to verify the TACACS configuration Log out of the system CLI then log back in using TACACS services Once TACACS AAA services are configured and enabled on the StarOS the system first will...

Page 70: ...onsole access and AAA VPN context users with access only via vty lines Important Separating authentication methods Console versus vty lines requires disabling Console access for users based on the type of authentication Disable TACACS Authentication for Console A noconsole keyword for the Global Configuration mode aaa tacacs command disables TACACS authentication on the Console line configure aaa ...

Page 71: ...le TACACS services within a context configure context ctx_name no aaa tacacs Use the aaa tacacs Context Configuration command to enable TACACS services within a context where it has been previously disabled AAA TACACS services must be enabled in the Global Configuration mode all contexts before you can selectively disable the services at the context level You cannot selectively enable TACACS servi...

Page 72: ...e for the Context Configuration mode commands shown below configure context ctx_name administrator username encrypted nopassword password noconsole config administrator username encrypted nopassword password noconsole inspector username encrypted nopassword password noconsole operator username encrypted nopassword password noconsole exit The noconsole keyword disables user access to the Console li...

Page 73: ... the chassis key and chassis ID have 32 byte entropy for key security If a chassis ID is not available encryption and decryption for sensitive data in configuration files will not work Configuring a New Chassis Key Value CLI Commands Only a user with Security Administrator privilege can execute the chassis key value and chassis keycheck commands Important Use the Exec mode chassis key value key_st...

Page 74: ...is key that is the same as the original value will not resolve the issue because of the new method used to generate the chassis ID After setting a new chassis key you must save the configuration before initiating a reload See the Verifying and Saving Your Configuration chapter Caution Quick Setup Wizard The Quick Setup Wizard prompts the user to enter a chassis key value If a chassis key value is ...

Page 75: ...tarOS will attempt to reset each FSC as an integer from 1 to 99 or unlimited will not stop until FSC is reset The default setting is 1 To enable this feature you must first configure the Fabric Egress Drop Threshold via the Global Configuration mode fabric egress drop threshold command Important ASR 5500 System Administration Guide StarOS Release 21 5 49 System Settings Enabling Automatic Reset of...

Page 76: ...ASR 5500 System Administration Guide StarOS Release 21 5 50 System Settings Enabling Automatic Reset of FSC Fabric ...

Page 77: ...nfig mode Warning One or more other administrators may be configuring this system There are no default restrictive behavior changes when entering config mode under a shared lock Note When multiple administrators edit or save the running config concurrent changes may result in conflicting inconsistent or missing configuration commands A similar problem can occur when saving the configuration if som...

Page 78: ...s all other administrators to exit out of configuration mode This administrator will be taking the exclusive lock soon You may want to use this option before actually forcing administrators out of configuration mode If there are no other administrators in config mode entering configure lock immediately grants you an exclusive lock local host_name configure lock Info No one else can access config m...

Page 79: ...strators would typically not anticipate seeing the message in their session output StarOS logs all major config mode lock interactions to the event log and syslog facility if configured You can access a record of what interactions transpired at any time Important Effect of Config Lock on URL Scripts When attempting to load a config script file using the configure url command you must acquire eithe...

Page 80: ...d shutdown commands can result in a corrupted or partial configuration file when either of these commands are executed while a save configuration command is still in progress To prevent this problem from occurring the reload and shutdown commands share a CLI shutdown lock with all save configuration commands executed across StarOS This means while any save configuration command is executing StarOS...

Page 81: ...ession is currently in Config Mode shared lock s Administrator session is currently saving the config f Administrator session is currently loading the config file L Administrator session is currently in Config Mode with the exclusive lock The following is sample output of the show administrators command indicating current lock mode local asr5500 show administrators Administrator Operator Name M Ty...

Page 82: ...ASR 5500 System Administration Guide StarOS Release 21 5 56 Config Mode Lock Mechanisms show administrators Command ...

Page 83: ...her ORBEM is not supported Important The system can be managed by a Common Object Broker Request Architecture CORBA based Element Management System EMS Commands used in the configuration samples in this section provide base functionality The most common commands and keyword options are presented In many cases other optional commands and keyword options are available Refer to the Command Line Inter...

Page 84: ... client id command multiple times to configure multiple clients If a client ID is de activated due to reaching the configured maximum number of attempts use the activate client id command to reactivate it If a firewall exists between the system and the EMS open the SIOP port number and the TCP port number 15011 If the ORB Notification Service is enabled via the event notif service command you can ...

Page 85: ...cation On Debug Level Off IDL Version Check On Number of Current Sessions 1 Number of Event Channels Open 0 Number of Operations Completed 2895 Number of Events Processed 0 Avg Operation Processing time 87214 usecs last 1000 87950 usecs SNMP MIB Browser This section provides instructions to access the latest Cisco Starent MIB files using a MIB Browser An updated MIB file accompanies every StarOS r...

Page 86: ...unzip it and extract it to the same folder Step 4 Double click on the new companion xx x x xxxxx file folder Step 5 Unzip and extract the companion xx x x xxxxx tar file Step 6 From your MIB browser search for and open the starent my file within the tar file You can use any SNMP MIB Browser that allows you to compile a MIB my file before viewing it Step 7 To compile the MIB file click on the STARE...

Page 87: ...ap The SNMP MIB browser allows you to search for specific MIBs You can search for a specific OID object identifier to find a specific MIB entry For information on SNMP MIBs changes for a specific release refer to the SNMP MIB Changes in Release xx chapter of the appropriate version of the to the Release Change Reference Important ASR 5500 System Administration Guide StarOS Release 21 5 61 Manageme...

Page 88: ... Step 2 To view your new SNMP configuration follow the steps in Verifying SNMP Parameters on page 63 Step 3 Save the configuration as described in Verifying and Saving Your Configuration Configuring SNMP and Alarm Server Parameters Use the following example to set SNMP and alarm server parameters configure system contact contact_name system location location_name snmp authentication failure trap s...

Page 89: ...ptions associated with this command Use the snmp mib command to enable other industry standard and Cisco MIBs By default only the STARENT MIB is enabled By default SNMP runtime debugging always runs and consumes CPU cycles for event logging To control CPU usage you can set no snmp runtime debug to disable runtime debugging An option to this command allows you to specify SNMP token values that will...

Page 90: ...able individual traps to allow only traps of a certain type or alarm level to be generated This section provides instructions for disabling enabling SNMP traps Commands used in the configuration samples in this section provide base functionality The most common commands and keyword options are presented In many cases other optional commands and keyword options are available Refer to the Command Li...

Page 91: ...e includes IP address pool configuration Using the example below enter the listed commands to verify proper feature configuration Enter the show ip pool command to display the IP address pool configuration The output from this command should look similar to the sample shown below In this example all IP pools were configured in the isp1 context context isp1 Type P Public R Private S Static E Resour...

Page 92: ...fy that your context was created and configured properly by entering the show context name name command The output shows the active context Its ID is similar to the sample displayed below In this example a context named test1 is configured Context Name ContextID State test1 2 Active System Configuration Verify that your entire configuration file was created and configured properly by entering the ...

Page 93: ...the Configuration These instructions assume that you are at the root prompt for the Exec mode local host_name To save your current configuration enter the following command save configuration url obsolete encryption showsecrets verbose redundant noconfirm url specifies the location in which to store the configuration file It may refer to a local or a remote file Do not use the forward slash colon ...

Page 94: ...ASR 5500 System Administration Guide StarOS Release 21 5 68 Verifying and Saving Your Configuration Saving the Configuration ...

Page 95: ...n be configured to perform specific functions they are all created using the same procedure Creating Contexts Commands used in the configuration examples in this section represent the most common or likely commands and or keyword options In many cases other commands and or keyword options are available Refer to the Command Line Interface Reference for complete information regarding all commands Im...

Page 96: ...IP address and subnet mask to it by applying the example configuration in Creating an Interface on page 71 Step 2 Assign a physical port for use by the interface and bind the port to the interface by applying the example configuration in Configuring a Port and Binding It to an Interface on page 71 Step 3 Optionally configure a static route for the interface by applying the example configuration in...

Page 97: ...ectivity to a specified IP address is lost This IP address can be entered using IPv4 dotted decimal or IPv6 colon separated hexadecimal notation Configuring a Port and Binding It to an Interface Use the following example configuration to configure and assign a port to an interface configure port ethernet slot port description description no shutdown bind interface interface_name context_name end N...

Page 98: ... mgmt1 was configured in the local context Example In this example an interface named mgmt1 was configured in the local context Intf Name mgmt1 Intf Type Broadcast IP State UP Bound to 10 11 untagged ifIndex 285278209 IP Address 192 168 100 3 Subnet Mask 255 255 255 0 Bcast Address 192 168 100 255 MTU 1500 Resoln Type ARP ARP timeout 3600 secs Number of Secondary Addresses 0 Total interface count ...

Page 99: ...andard Switch virtual switch configuration at the host level and the vSphere Distributed Switch a single virtual switch that spans multiple associated hosts VLANs and Management Ports The management interface supports VLAN configuration This support extends to the local context Bulkstats can be sent out an interface other than the normal management interface This interface also supports VLANs You ...

Page 100: ...ASR 5500 System Administration Guide StarOS Release 21 5 74 System Interfaces and Ports VLANs and Management Ports ...

Page 101: ...ult for StarOS releases prior to 21 0 the system encrypts passwords using an MD5 based cipher option A These passwords also have a random 64 bit 8 byte salt added to the password The chassis key is used as the encryption key Setting a chassis key supports an encryption method where the decryption requires the knowledge of a shared secret Only a chassis with knowledge of this shared secret can acce...

Page 102: ...algorithm command is config cli encrypt algorithm A B C Support for Non Current Encryptions and Decryptions The system supports previously formatted encrypted passwords The syntax of the encrypted passwords indicates which methodology was used for encryption If the system does not see a prefix before the encrypted password the earlier encryption method using a fixed key will be used If the encrypt...

Page 103: ... sends a list of LI server addresses as part of access accept For any intercept that was already installed or will be installed for that subscriber a security check is performed to match the LI server address with any of the LI addresses that were received from the authenticating agent Only those addresses that pass this criteria will get the intercepted information for that subscriber While confi...

Page 104: ...tion should not be able to create users with high level authorization However if a malicious actor were to be able to create a high level authorized user they could then delete the other high level authorized users thereby locking them out of the system The following SNMP traps notify an administrator when users are added or removed starLocalUserAdded indicates that a new local user account has be...

Page 105: ...he test commands mode has been enabled Important Enabling Password for Access to CLI test commands A Security Administrator can set a plain text or encrypted password for access to CLI test commands The password value is stored in flash along with the boot configuration information The show configuration and save configuration commands will never output this value in plain text The Global Configur...

Page 106: ...d keyword is not entered for cli test commands the user is prompted no echo to enter the password Also cli hidden must be enabled by an administrator to access the CLI test commands Important Exec Mode cli test commands Exec mode commands are available to a privileged user who enters the command cli test commands from Exec mode local host_name cli test commands encrypted password password Warning ...

Page 107: ... page 83 Feature Summary and Revision History Summary Data All Applicable Product s or Functional Area ASR 5500 VPC DI VPC SI Applicable Platform s Disabled Feature Default Not Applicable Related Changes in This Release ASR 5500 System Administration Guide VPC DI System Administration Guide VPC SI System Administration Guide Related Documentation ASR 5500 System Administration Guide StarOS Release...

Page 108: ...ate a Digital Signature The operator can sign the configuration file using the following steps 1 Perform an SHA512 hash on the configuration file to create a message digest Example Linux OpenSSL openssl dgst sha512 binary out digest cfg_file 2 Create a digital signature by encrypting the message digest value with the RSA private key Example Linux OpenSSL openssl pkeyutl sign in digest inkey pri_ke...

Page 109: ...the signed configuration file using the following steps 1 Extract the RSA public signing key from the flash 2 Extract the configuration file s digital signature the first line 3 Convert the signature from base64 to binary format 4 Decrypt the signature using the RSA public key 5 Calculate the SHA512 hash for the plain config file resulting in a message digest 6 Compare the decrypted signature valu...

Page 110: ...ortant no cfg security sign Notes Enabling signature verification cfg security sign command will create an empty file named enable_cfg_pubkey in the same directory where the PEM file exists Use the no cfg security sign command to disable verification of signature in the configuration file Disabling signature verification no cfg security sign command will remove the enable_cfg_pubkey file The syste...

Page 111: ... by end users CLI Configuration File This file type is identified by its cfg extension These are text files that contain CLI commands that work in conjunction with the operating system software image These files determine services to be provided hardware and software configurations and other functions performed by the system The files are typically created by the end user You can modify the files ...

Page 112: ...to automatically start its CLI based Quick Setup Wizard upon the first successful boot Refer to Getting Started for more information on using the Quick Setup Wizard Maintaining the Local File System Use CLI commands to manage and maintain the devices that make up the local file system Execute all the commands described in this section in the Exec Mode Unless otherwise specified you must have secur...

Page 113: ...cal host_name copy flash cfgfiles system cfg flash configs_old system_2011 cfg To copy a configuration file called init_config cfg to the root directory of a TFTP server with a hostname of config_server enter the following command local host_name copy flash cfgfiles init_confg cfg tftp config_server init_config cfg Deleting Files The delete command removes a designated file from its specified loca...

Page 114: ...stem enter the following command local host_name filesystem format flash usb1 hd raid Applying Pre existing CLI Configuration Files A pre existing CLI configuration file is any cfg file created to provide utility functions such as clearing all statistics during testing or created off line using a text editor There may be pre existing configuration files stored on the local file system that can be ...

Page 115: ...t Validating an Operating System File The operating system software image file identified by its bin extension is a non readable non editable file that executes on the system creating its runtime operating system OS It is important to verify a new operating system image file before attempting to load it To accomplish this a proprietary checksum algorithm is used to create checksum values for each ...

Page 116: ...fine the system boot method as explained in the section that follows System Boot Methods The local boot method uses software image and configuration files stored locally on the system On system startup or reboot the system looks on one of its local devices or hd raid for the specific software image and accompanying configuration text file When using the local booting method you only need to config...

Page 117: ...the output for a combination network booting and local booting configuration Notice in this example that the first two boot stack entries Priorities 18 and 19 load the image file operating system software from an external network server using the Trivial File Transfer Protocol TFTP while all configuration files are located on the flash device Also notice the boot network interface and boot network...

Page 118: ...mber image image_url config cfg_url The following command creates a new boot stack entry using a boot priority of 3 boot system priority 3 image flash image_filename bin config flash config_name cfg Boot stack changes saved to the boot sys file are not executed until the system is rebooted Important filesystem synchronize all Deleting a Boot Stack Entry This procedure details how to remove an indi...

Page 119: ... Free Space on the flash Device Verify that there is enough free space on the flash device to accommodate the new StarOS image file by entering the following Exec mode command local host_name directory flash The following is an example of the type of directory information displayed rwxrwxr x 1 root root 7334 May 5 17 29 asr config cfg rwxrwxr x 1 root root 399 Jun 7 18 32 system cfg rwxrwxr x 1 ro...

Page 120: ...ernal memory device or network URL This renamed copy assures that you will have a fallback loadable configuration file should a problem be encountered during the upgrade Downgrading from Release 15 0 to 14 0 Release 14 and Release 15 chassis IDs use different encryption formats Release 15 will recognize a Release 14 chassis ID and consider it as valid Upgrading from 14 x to 15 0 will not require c...

Page 121: ... continue to login with their credentials After the system comes up with the earlier StarOS release suspended users can be identified in the output of the show local user verbose command To reactivate suspended users a Security Administrator can Set temporary passwords for suspended users using the Exec mode password change local user username command Reset the suspend flag for users using the Con...

Page 122: ...banner motd banner_text banner_text is the message that you would like to be displayed and can be up to 2048 alphanumeric characters Note that banner_text must begin with and end in quotation marks For more information in entering CLI banner information see the CLI Reference The banner is displayed when an administrative user logs onto the CLI Back up the Current CLI Configuration File Back up the...

Page 123: ...tems Synchronize the local file systems on the management cards by entering the following command local host_name filesystem synchronize all Save the Running Configuration Save the currently running upgraded configuration prior to rebooting the chassis To save the running configuration to the current configuration file enter the following command local host_name save configuration flash Reboot the...

Page 124: ...following Exec Mode command lists the license information local host_name show license information With no license key installed the session use licenses for PDSN HA GGSN and L2TP LNS are limited to 10 000 sessions Important Session Use and Feature Use Licenses Session use and feature use licenses are software mechanisms that provide session limit controls and enable special features within the sy...

Page 125: ...ense key command An invalid license will not be accepted A Failure error will appear in the output of the license key command when you attempt to configure an invalid license key If you use the force option to install an invalid license key the license will be placed into a 30 day grace period StarOS will generate daily syslog error messages and SNMP traps during the grace period The output of the...

Page 126: ...d features before it configures contexts Important Step 4 Save your configuration as described in the Verifying and Saving Your Configuration chapter License Expiration Behavior When a license expires there is a built in grace period of 30 days that allows normal use of the licensed session use and feature use licenses This allows you to obtain a new license without any interruption of service The...

Page 127: ...count password properties are configured globally and apply to all local user accounts The system supports the configuration of the following password properties Complexity Password complexity can be forced to be compliant with ANSI T1 276 2003 History length How many previous password versions should be tracked by the system Maximum age How long a user can use the same password Minimum number of ...

Page 128: ...r to the local user username command in the Global Configuration Mode Commands chapter of the Command Line Interface Reference for details Important Local User Account Suspensions Local user accounts can be suspended as follows configure suspend local user name A suspension can be removed by entering configure no suspend local user name Changing Local User Passwords Local user administrative users...

Page 129: ...sion History Summary Data All Applicable Product s or Functional Area ASR 5500 VPC SI VPC DI Applicable Platform s Disabled Configuration Required Feature Default Not Applicable Related Changes in This Release ASR 5500 System Administration Guide Command Line Interface Reference VPC DI System Administration Guide VPC SI System Administration Guide Related Documentation ASR 5500 System Administrati...

Page 130: ...ng Legacy Licensing consists of software activation by installing Product Activation Keys PAK on to the Cisco product A Product Activation Key is a purchasable item ordered in the same manner as other Cisco equipment and used to obtain license files for feature set on Cisco Products Smart Software Licensing is a cloud based licensing of the end to end platform through the use of a few tools that a...

Page 131: ... allows you to manage and activate your licenses to devices monitor license use and track Cisco license purchases Through transparent access you have a real time view into your Smart Licensing products IT administrators can manage licenses and account users within your organization s Smart Account through the Smart Software Manager Step 1 In a browser window enter the following URL http software c...

Page 132: ...SI 1 0_dcb12293 10c0 4e90 b35e b10a9f8bfac1 VPC_SI Virtualized Packet Core Single instance regid 2017 02 com cisco VPC_DI 1 0_5cb68f91 c1d6 48d6 9482 e9750203f5e6 VPC_DI Virtualized Packet Core Distributed instance Entitlement Tags Entitlement tags indentify features in use for a service type Entitlement Tag Service Type Description TagId regid 2017 02 com cisco ASR5K 00 PW10GTWY 1 0_85a577a1 017d...

Page 133: ...he following command to verify the configuration show configuration grep license Register the system with the Product Instance Registration token provided when you registered the products on software cisco com using the following Exec mode command license smart register idtoken token The system will now automatically report entitlement usage count to the CSSM server and receive a compliance status...

Page 134: ...s Shows the services that are currently supported and the corresponding Smart Entitlement Tag statistics Shows individual feature license status status Shows overall Smart Licensing status information summary Shows summary of Smart Licensing status tech support Shows information useful for debugging issues with Smart Licensing udi Shows details for all Unique Device Identifiers UDI usage Shows the...

Page 135: ...ther ALLOW or BLOCK cur_call_count Current number of sessions calls counted for the entire product for a particular service type max_call_count Maximum number of sessions calls counted for the entire product for a particular service type last_lic_count License count last reported to Cisco licensing CSSM for particular service type max_lic_count Maximum license count reported to Cisco licensing CSS...

Page 136: ...ASR 5500 System Administration Guide StarOS Release 21 5 110 Smart Licensing Smart Licensing Bulk Statistics ...

Page 137: ...mmand to run all Exec Mode show commands while in Global Configuration Mode It is not necessary to exit the Config mode to run a show command The pipe character is only available if the command is valid in the Exec mode Important SNMP Notifications page 111 Monitoring System Status and Performance page 111 Clearing Statistics and Counters page 113 SNMP Notifications In addition to the CLI the syst...

Page 138: ...how ntp status View NTP servers status View System Resources show resources cpu View all system resources such as CPU resources and number of managers created View System Alarms show alarm outstanding all verbose View information about all currently outstanding alarms show alarm statistics View system alarm statistics View Congestion Control Statistics show congestion control statistics View Conge...

Page 139: ...DI show cloud monitor di network View monitored statistics about the VPC DI network relative to a specific card VPC DI The commands or keywords variables that are available are dependent on platform type product version and installed license s Important Some commands have different outputs depending on the platform type Important Clearing Statistics and Counters It may be necessary to periodically...

Page 140: ...ASR 5500 System Administration Guide StarOS Release 21 5 114 Monitoring the System Clearing Statistics and Counters ...

Page 141: ...nually Gathering and Transferring Bulk Statistics page 120 Clearing Bulk Statistics Counters and Information page 121 Bulkstats Schema Nomenclature page 121 Bulk Statistics Event Log Messages page 124 Feature Summary and Revision History Summary Data All Applicable Product s or Functional Area ASR 5500 VPC DI VPC SI Applicable Platform s Disabled Configuration Required Feature Default Not Applicab...

Page 142: ...kstats configuration details except for schema Pre 21 2 First introduced Configuring Communication with the Collection Server Two configuration methods are available for defining how bulk statistics are collected and managed A standard configuration allows the system to automatically assign a number to the bulk statistics file Optionally a number can be specified by an administrator in the optiona...

Page 143: ...r secondary receiver header format header_format footer format footer_format exit schema_type schema format format_string sample interval time_interval transfer interval xmit_time_interval limit mem_limit exit bulkstats collection end In release 20 0 and higher Trusted StarOS builds FTP is not supported SFTP is the recommended transfer protocol Important Configuring Bulk Statistic Schemas In each ...

Page 144: ...n file from the url edit it and copy it back to flash Changes can be applied by using the no form of the bulkstats config command followed by reconfiguring the bulkstats config command When the bulkstats config command is enabled StarOS removes the existing bulk statistics sub mode configuration from the system configuration file You must save the system configuration to retain the configuration c...

Page 145: ...114 Bytes awaiting transmission 8092 Total records collected 59926 Total bytes collected 4190178 Total records transmitted 59812 Total bytes transmitted 4188512 Total records discarded 0 Total bytes discarded 0 Last collection time required 2 second s Last transfer time required 0 second s Last successful transfer Wednesday December 7 12 14 30 EDT 2011 Last successful tx recs 190 Last successful t...

Page 146: ...ault bulkstats ssd samples command disables collection of bulkstats samples in the SSD archive Each bulkstats sample contains bulkstats from one transfer history Currently a maximum of two bulkstats sample can be included in the SSD archive The sample files are collected in a temporary storage location at var tmp bulkstats under the file name ssd_bulkstats_file bulkstat_file_number _sample1 txt an...

Page 147: ...s reached All counter statistics are cumulative and reset only by one of the following methods roll over when the limit is reached after a system restart or after a clear command is performed The limit depends upon the data type Gauge A gauge statistic indicates a single value a snapshot representation of a single point in time within a defined time frame The gauge changes to a new value with each...

Page 148: ...These key variables provide index markers to identify to which object the statistics apply For example in the card schema the card number variable card uniquely identifies a card For an HA service the keys would be vpnname plus servname as the combination uniquely identifies an HA service So in a given measurement interval one row of statistics will be generated per unique key There are also a num...

Page 149: ...ion The date adjusted for the local timezone that the collection file was created in YYYYMMDD format where YYYY represents the year MM represents the month and DD represents the day localdate String Information The date that the collection file was created in YYYYMMDD format where YYYY represents the year MM represents the month and DD represents the day The date displays in local time not UTC loc...

Page 150: ...llowing table displays information pertaining to these events Table 5 Logging Events Pertaining to Bulk Statistics Additional Information Severity Event ID Event Unable to open local file filename for storing bulkstats data Warning 31002 Local File Open Error Unable to open url filename for storing bulkstats data Warning 31018 Receiver Open Error Unable to write to url filename while storing bulks...

Page 151: ...gs page 131 Specifying Facilities page 132 Configuring Trace Logging page 141 Configuring Monitor Logs page 141 Viewing Logging Configuration and Statistics page 142 Viewing Event Logs Using the CLI page 142 Configuring and Viewing Crash Logs page 143 Reducing Excessive Event Logging page 146 Checkpointing Logs page 147 Saving Log Files page 148 Event ID Overview page 148 Feature Summary and Revis...

Page 152: ...level below default logging level error level These event logs and traps are enabled by default in this release and cannot be disabled Refer to Global Configuration Mode Filtering on page 130 for more information No commands have been added or modified as a result of this feature The show snmp trap statistics command output was expanded to show details in the event that logging events have been di...

Page 153: ...ages at various levels like critical error warning and debug Stateful Firewall and NAT attack logs also provide information on the source IP address destination IP address protocol or attack type for any packet dropped due to an attack and are also sent to a syslog server if configured in the system For more information on logging support for Stateful Firewall and NAT see the Logging Support chapt...

Page 154: ... source within the system full Displays detailed information about event including source information identifying where within the system the event was generated pdu data format Specifies output format for packet data units when logged as one of none raw format unformatted hex hexadecimal format hex ascii hexadecimal and ASCII similar to a main frame dump pdu verbosity pdu_level Specifies the leve...

Page 155: ... a higher severity level unusual display unusual events and all events with a higher severity level info display info events and all events with a higher severity level trace display trace events and all events with a higher severity level debug display all events This keyword is only supported in conjunction with the active keyword Note critical info Specifies that events with a category attribut...

Page 156: ...ate a Critical Event log cli 30999 critical as well as an SNMP trap 1361 DisabledEventIDs with the specific Event IDs or Event ID range that was disabled These event logs and traps are enabled by default in this release and cannot be disabled If an administrator lowers the logging level using the logging filter runtime facility facility level report_level command below the default level of error t...

Page 157: ...text in order to isolate the log traffic from the network traffic Important Use the following example to configure syslog servers configure context local logging syslog ip_address end Notes ip_address specifies the IP address of a system log server on the network in IPv4 dotted decimal or IPv6 colon separated hexadecimal notation A number of keyword options variables are available for the logging ...

Page 158: ... which is most useful Repeat to disable logging for additional event IDs or event ID ranges A number of keyword options variables are available for the Exec mode logging active command Refer to the Exec Mode Commands chapter in the Command Line Interface Reference for more information Once all of the necessary information has been gathered the Active log display can be stopped by entering the foll...

Page 159: ...d in prepaid applications 2 5G and 3G cbsmgr Cell Broadcasting Service CBS logging facility HNBGW cdf Charging Data Function CDF logging facility cfctrl Content filtering controller logging facility cfmgr Content filtering manager logging facility cgw Converged Access Gateway CGW logging facility cli Command Line Interface CLI logging facility cmp Certificate Management Protocol IPSec logging faci...

Page 160: ...l user equipment manager dpath IPSec Data Path logging facility drvctrl Driver Controller logging facility eap diameter Extensible Authentication Protocol EAP IP Sec urity facility eap ipsec Extensible Authentication Protocol EAP IPSec facility eap sta s6a s13 s6b diameter EAP STA S6A S13 S6B Diameter messages facility ecs css ACSMGR Session Manager Signalling Interface facility egtpc eGTP C loggi...

Page 161: ...ilability Task HAT process facility hdctrl HD Controller logging facility henbapp Home Evolved NodeB HENB App facility Do not use this keyword for HENB GW in Release 20 henbgw HENB GW facility Do not use this keyword for HENB GW in Release 20 henbgw pws HENB GW Public Warning System logging facility Do not use this keyword for HENB GW in Release 20 henbgw sctp acs HENB GW access Stream Control Tra...

Page 162: ...ol Sharing Protocol logging facility kvstore Key Value Store KVSTORE Store facility l2tp control Layer 2 Tunneling Protocol L2TP control logging facility l2tp data L2TP data logging facility l2tpdemux L2TP Demux Manager logging facility l2tpmgr L2TP Manager logging facility lagmgr Link Aggregation Group LAG manager logging facility lcs Location Services LCS logging facility ldap Lightweight Direct...

Page 163: ... application logging facility This option is not supported in this release mseg gtpu MSEG GTP U application logging facility This option is not supported in this release msegmgr MSEG Demux Manager logging facility This option is not supported in this release mtp2 Message Transfer Part 2 MTP2 Service logging facility mtp3 Message Transfer Part 3 MTP3 Protocol logging facility multicast proxy Multic...

Page 164: ...otocol PPP link and packet facilities pppoe PPP over Ethernet logging facility proclet map frwk Proclet mapping framework logging facility push VPNMGR CDR push logging facility radius acct RADIUS accounting logging facility radius auth RADIUS authentication logging facility radius coa RADIUS change of authorization and radius disconnect ranap Radio Access Network Application Part RANAP Protocol fa...

Page 165: ...sgsn failures SGSN call failures attach activate rejects logging facility 2 5G sgsn gtpc SGSN GTP C Protocol logging control messages between the SGSN and the GGSN sgsn gtpu SGSN GTP U Protocol logging user data messages between the SGSN and GGSN sgsn mbms bearer SGSN Multimedia Broadcast Multicast Service MBMS Bearer app SMGR logging facility sgsn misc Used by stack manager to log binding and rem...

Page 166: ...gging facility testctrl Test Controller logging facility testmgr Test Manager logging facility threshold threshold logging facility ttg Tunnel Termination Gateway TTG logging facility tucl TCP UDP Convergence Layer TUCL logging facility udr User Data Record UDR facility used with the Charging Service user data User data logging facility user l3tunnel User Layer 3 tunnel logging facility usertcp st...

Page 167: ...call_id ipaddr ip_address msid ms_id username username Configuring Monitor Logs Monitor logging records all activity associated with all of a particular subscriber s sessions This functionality is available in compliance with law enforcement agency requirements for monitoring capabilities of particular subscribers Monitors can be performed based on a subscriber s MSID or username and are only inte...

Page 168: ...sequence ids by process Displays the number of event messages that have been back logged in comparison to the total number of events generated Msg backlog stat with total cnt Displays the percentage of logging source LS layer 2 L2 event drops LS L2 filter drop rate Displays abnormal logging source LS statistics if any Abnormal Log Source Statistics Runtime Logging Buffer Statistics Displays the nu...

Page 169: ...m stores information that could be useful in determining the reason for the crash This information can be maintained in system memory or it can be transferred and stored on a network server The system supports the generation of the following two types of logs Crash log Crash logs record all possible information pertaining to a software crash full core dump Due to their size they can not be stored ...

Page 170: ...on both management cards Information for a maximum of 120 crash events can be stored on management cards Duplicate crash events bump the count of hits in the existing record and update the new record with the old crash record Additions to the count use the timestamp for the first time the event happened Configuring Software Crash Log Destinations The system can be configured to store software cras...

Page 171: ... can also be displayed flash crsh2 Follow the instructions in this section to view software crash events that have occurred on the system These instructions assume that you are at the root prompt for the Exec mode Step 1 View a list of software crash events by entering the following Exec mode command local host_name show crash all list number crash_num Notes Run show crash list to obtain the numbe...

Page 172: ...set to zero and is incremented for each log event that is sent to evlogd If the count reaches a threshold before the second is up the event is sent queued or dropped if the evlogd messenger queue is full When any facility exceeds the upper threshold set with this command for the rate of message logging and remains in the same state for prolonged interval StarOS notifies the user via an SNMP trap o...

Page 173: ...lume enables or disables this feature You can verify the configuration of this threshold by running the Exec mode show threshold command Save the configuration as described in the Verifying and Saving Your Configuration chapter Checkpointing Logs Checkpointing identifies logged data as previously viewed or marked Checkpointing allows you to only display log information since the last checkpoint In...

Page 174: ...e Reference Event ID Overview The use of event IDs depends on the platform type and the licenses running on the platform Important Identification numbers IDs are used to reference events as they occur when logging is enabled on the system As described previously logs are collected on a per facility basis Each facility possesses its own range of event IDs as indicated in the following table Table 7...

Page 175: ...ndMux Manager Facility Intelligent Policy Control Function IPCF bindmux 182000 182999 Broadband Network Gateway BNG Manager Facility bngmgr 131000 131199 Base Station System Application Part BSSAP Service Facilities bssap 115050 115099 Base Station System GPRS Protocol BSSGP Facility bssgp 173600 173999 Call Home Facility callhome 87900 88099 CAMEL Application Part CAP Facility cap 74000 74999 CHA...

Page 176: ...lling HDD Interface Facility diameter hdd 121200 121999 Diameter Service Facility diameter svc 119000 119999 Diameter Proxy Facility diamproxy 54000 54999 Data Path for IPSec Facility dpath 39000 39999 Driver Controller Facility drvctrl 40000 40999 DS3 and DS3 E Line Card Manager Facility part of NPU Manager Controller Facility ds3mgr 92870 92879 Extensible Authentication Protocol EAP Diameter Fac...

Page 177: ... Facility gx ty diameter 92810 92819 Gy Diameter Messages Facility gy diameter 42000 42999 H 248 Protocol Facility h248prt 34000 34999 Home Agent HA Manager Facility hamgr 3000 3999 High Availability Task HAT Facility hat 132000 132999 Hard Disk HD Controller Facility hdctrl 184000 184999 HDD Share Facility hddshare 195000 195999 Home eNodeB GW Facility henb gw 196000 196999 Home eNodeB Applicatio...

Page 178: ...DU Protocol Facility l2tp data 63000 63999 L2TP Demux Facility l2tpdemux 48000 48999 L2TP Manager Facility l2tpmgr 179000 179999 Link Aggregation Group LAG Manager Facility lagmgr 160000 160499 Lightweight Directory Access Protocol LDAP Request Facility ldap 69000 69999 Lawful Intercept LI Log Facility li 89500 89999 Link Manager Facility linkmgr 115700 115799 Logical Link Control LLC Layer Facili...

Page 179: ...mseg gtpu 171000 171999 MSEG Manager Facility Not supported in this release msegmgr 116900 116999 Message Transfer Part 2 MTP2 Service Facility SS7 mtp2 115600 115699 Message Transfer Part 3 MTP3 Service Facility SS7 mtp3 94000 94999 Multicast Proxy Facility multicast proxy 153000 153999 Network Access Signaling NAS Facility nas 78000 78999 Network Storage Facility netwstrg 16000 16999 Network Pro...

Page 180: ...Data Network Gateway PGW Facility pgw 89200 89499 Packet Mobility Management PMM Application Facility SGSN pmm app 25000 25999 Point To Point Protocol PPP Facility ppp 183000 183999 Point to Point Protocol over Ethernet PPPoE Facility pppoe 76000 76999 PTT Facility ptt 133000 133999 PUSH VPNMgr CDR Push Facility push 24000 24999 RADIUS Accounting Protocol Facility radius acct 23000 23999 RADIUS Au...

Page 181: ...pplication Interface Facility sgsn app 89100 89199 SGSN Call Failures Facility sgsn failures 116000 116599 SGSN GTP C Protocol Facility sgsn gtpc 86900 87099 SGSN GTP U Protocol Facility sgsn gtpu 116600 116799 SGSN MBMS Bearer Application SMGR Facility sgsn mbms bearer 88800 89099 SGSN Miscellaneous Facility sgsn misc 86400 86499 SGSN System Components Facility sgsn system 88700 88799 SGSN Tests ...

Page 182: ...ogging Facility SS7 tcap 174000 174999 Test Controller Facility testctrl 175000 175999 Test Manager Facility testmgr 61000 61999 Threshold Facility threshold 130000 130999 Tunnel Termination Gateway TTG Facility ttg 88500 88699 TCP UDP Convergence Layer TUCL Facility SS7 tucl 79000 79999 User Data Record UDR Facility udr 51000 51999 User Data Facility user data 75000 75999 User L3 Tunnel Facility ...

Page 183: ...severity Each of the above levels correspond to the severity level of the event ID Therefore only those event IDs with a severity level equal to the logging level are displayed Understanding Event ID Information in Logged Output This section explains the event information that is displayed when logging is enabled The following displays a sample output for an event that was logged 2011 Dec 11 5 18 ...

Page 184: ... The event s details Event details may or may not include variables that are specific to the occurrence of the event CLI session ended for Security Administrator admin on device dev pts 2 ASR 5500 System Administration Guide StarOS Release 21 5 158 System Logs Understanding Event ID Information in Logged Output ...

Page 185: ...e issued on a context by context basis Contexts act like virtual private networks VPNs that operate independently of other contexts Ports interfaces and routes configured in one context cannot be tested from another context without additional configuration To switch between contexts enter the following command at the root prompt for the Exec mode local host_name context context_name context_name i...

Page 186: ...procedures Verify that the correct IP address was entered Attempt to ping a different device on the same network If the ping was successful then it is likely that your system configuration is correct Verify that the device you are attempting to ping is powered and functioning properly Verify the port is operational Verify that the configuration of the ports and interfaces within the context are co...

Page 187: ...route6 to 2001 4A2B 1f3F 2001 4A2B 1f3F 30 hops max 40 byte packets 1 2001 4A2B 1f3F 2001 4A2B 1f3F 0 446 ms 0 235 ms 0 178 ms Viewing IP Routes The system provides a mechanism for viewing route information to a specific node or for an entire context This information can be used to verify network connectivity and to ensure the efficiency of the network connection The command has the following synt...

Page 188: ...owing a context s ARP table Flags codes C Completed M Permanent P Published Not answered T has requested trailers Address Link Type Link Address Flags Mask Interface 10 0 4 240 ether 00 05 47 02 20 20 C MIO1 10 0 4 7 ether 00 05 47 02 03 36 C MIO1 10 0 4 1 ether 00 01 30 F2 7F 00 C MIO1 Using the System Diagnostic Utilities The system provides protocol monitor and test utilities that are useful wh...

Page 189: ...n the protocol monitor WARNING You have selected options that can DISRUPT USER SERVICE Existing CALLS MAY BE DROPPED and or new CALLS MAY FAIL Under heavy call load some debugging output may not be displayed Proceed Select Y es or N o Step 5 Enter Y to proceed with the monitor or N to go back to the previous menu C Control Events ON D Data Events ON E EventID Info ON H Display ethernet ON I Inboun...

Page 190: ...monitor was invoked a screen of available monitoring options appears Step 4 Configure the amount of information that is displayed by the monitor To enable or disable options enter the letter or 2 digit number associated with that option C D E 11 12 etc To increase or decrease the verbosity use the plus or minus keys The current state ON enabled or OFF disabled is shown to the right of each option ...

Page 191: ...utput when the Exec mode show support details command is run It displays a comprehensive list of system information that is useful for troubleshooting purposes In most cases the output of this command is requested by the Technical Assistance Center TAC An SSD output tar file can redirected to a local or remote location URL The tar file includes support_summary An ASCII text file that contains the ...

Page 192: ...e SSD For additional information about the show support details command see the Exec Mode show Commands Q S chapter in the Command Line Interface Reference Configuring and Using the Support Data Collector The task of collecting the support data is performed by a background CLI task called the record collector The administrator configures the Support Data Collector SDC via the CLI with the commands...

Page 193: ...e 168 Monitoring and Troubleshooting PCAP Trace page 175 Feature Information Summary Data ePDG IPSec MME SaMOG Applicable Product s or Functional Area ASR 5500 vPC SI vPC DI Applicable Platform s Disabled Feature Default Not Applicable Related Changes in This Release ASR 5500 System Administration Guide StarOS Release 21 5 167 ...

Page 194: ...PCAP functionality The output can be stored in a text file in a hard disk and later transferred to an external server through SFTP using a PUSH or PULL method The text file can then be converted to a pcap file using external tools such as text2pcap or imported directly as PCAP using packet analyzer tools such as wireshark PCAP trace and hexdump file collection can be enabled or disabled under the ...

Page 195: ...y use harddisk command to configure the keywords to its the default setting purge Not enabled push interval 60 seconds push trigger 80 percent remove file after transfer Disabled transfer mode PUSH use harddisk Disabled Use the no hexdump purge remove file after transfer use harddisk command to disable the configured hexdump file storage and processing purge Disables the deleting of record files o...

Page 196: ...ord must be enabled for hexdump records Important Use the transfer mode pull module only push primary encrypted url url url secondary encrypted secondary url secondary url secondary_url via local context max files files max tasks max_tasks module only keywords to specify the transfer mode to be used when transferring hexdump files to an external file server pull Specifies that the destination serv...

Page 197: ...le Parameters Use the following configuration to specify the format of the hexdump files config context context_name hexdump module file compression gzip none current prefix prefix delete timeout seconds directory directory_name exclude checksum record field separator hyphen omit underscore headers name file_name reset indicator rotation num records number tariff time minute minutes hour hours tim...

Page 198: ...en symbol between two fields omit Omits the field separator between two fields underscore Specifies the field separator as an _ underscore symbol between two fields Use the headers keyword to include a file header summarizing the record layout Use the name file_name to specify a string to be used as the base file name for hexdump files file_name must be an alphanumeric string from 1 through 31 cha...

Page 199: ...t Excludes the sequence number from the file name padded Includes the padded sequence number with preceding zeros in the file name This is the default setting padded six length Includes the padded sequence number with six preceding zeros in the file name unpadded Includes the unpadded sequence number in the file name Use the storage limit limit keyword to set the storage limit Files will be delete...

Page 200: ...ump capturing U Mon Display ON Use this option to display message captures on the terminal Default ON When this option is turned off monitoring will still run in the background V PCAP Hexdump NONE Use this option to enable or disable capturing hexdump packets globally Default None V PCAP Hexdump ON Hexdump capture is enabled with the prompt Warning Turning ON OFF will impact other cli logging term...

Page 201: ...ariff time 0 Hexdump module files rotated due to records limit 0 Hexdump module file rotation failures 0 Hexdump module files deleted 0 Hexdump module records deleted 0 Hexdump module records received 0 Current open Hexdump module files 0 Time of last Hexdump module file deletion 0 Table 9 show cdr statistics Command Output Descriptions Description Field EDR UDR file Statistics Indicates the CDRMO...

Page 202: ...ords received Total number of hexdump files currently open Current open Hexdump module files Time of the last deleted hexdump file Time of last Hexdump module file deletion show hexdump module cdr file space usage The following fields are available in the output of the show hexdump module cdr file space usage command in support of this feature CDRMOD Instance Id 2 Hexdump module File Storage LIMIT...

Page 203: ...SH Statistics Successful File Transfers 0 Failed File Transfers 0 Num of times PUSH initiated 0 Num of times PUSH Failed 0 Num of times PUSH cancelled due to HD failure 0 Num of periodic PUSH 0 Num of manual PUSH 0 Current status of PUSH Not Running Last completed PUSH time N A Primary Server Statistics Successful File Transfers 0 Failed File Transfers 0 Num of times PUSH initiated 0 Num of times ...

Page 204: ...imes a hexdump file was closed and a new hexdump file was created since the records limit was reached Hexdump module files rotated due to records limit Total number of times hexdump file rotation failed Hexdump module file rotation failures Total number of times hexdump files were deleted Hexdump module files deleted Total number of times hexdump records were deleted Hexdump module records deleted...

Page 205: ...rs Total number of times PUSH operation was initiated to transfer hexdump files to the primary storage server Num of times PUSH initiated Total number of times PUSH operation failed to transfer hexdump files to the primary storage server Num of times PUSH Failed Total number of periodic times PUSH operation was performed to the primary storage server Num of periodic PUSH Total number of times the ...

Page 206: ...H Failed Total number of periodic times PUSH operation was performed to the secondary storage server Num of periodic PUSH Total number of times the PUSH operation to the secondary storage server was performed manually Num of manual PUSH Indicates if the PUSH operation to the secondary storage server is currently running Current status of PUSH Indicates the time when the last PUSH operation to the ...

Page 207: ...e system recovery process will prompt you to enter the path name for the location of the StarOS boot image from which the system will boot By default the boot command will timeout and attempt to reload the highest priority image from flash memory using the default configuration file The StarOS software is delivered as a single binary file bin file extension and is loaded as a single instance for t...

Page 208: ...oot CLI you must interrupt an in progress reload reboot sequence This system recovery process interrupts subscriber service by dropping any existing flows and preventing traffic from being processed during the boot interval It should only be initiated as an emergency measure Caution Initiate a Reboot ASR 5500 System Administration Guide StarOS Release 21 5 182 System Recovery Accessing the boot CL...

Page 209: ...ability depends on the platform type Important This chapter contains the following sections Overview page 183 Understanding ACLs page 184 Configuring ACLs on the System page 186 Applying IP ACLs page 188 Overview IP access lists commonly known as access control lists ACLs control the flow of packets into and out of the system They are configured on a per context basis and consist of rules ACL rule...

Page 210: ... empty ACL Important Each rule specifies the action to take when a packet matches the specifies criteria This section discusses the rule actions and criteria supported by the system Actions ACLs specify that one of the following actions can be taken on a packet that matches the specified criteria Permit The packet is accepted and processed Deny The packet is rejected Redirect The packet is forward...

Page 211: ...em when subscriber packets are being encapsulated such as Mobile IP and other tunneling encapsulation Within the system subscriber packet encapsulation is done in a distributed way and a 16 bit IP identification space is divided and distributed to each entity which does the encapsulation so that unique IP identification value can be assigned for IP headers during encapsulation Since this distribut...

Page 212: ... control list facility to subscribers Step 1 Create the access control list by following the example configuration in Creating ACLs on page 186 Step 2 Specify the rules and criteria for action in the ACL list by following the example configuration in Configuring Action and Criteria for Subscriber Traffic on page 187 Step 3 Optional The system provides an undefined ACL that acts as a default filter...

Page 213: ...ding on how the ACL is to be used For more information refer to the Engineering Rules chapter Use the information provided in the Actions and Criteria to configure the rules that comprise the ACL For more information refer to the ACL Configuration Mode Commands and IPv6 ACL Configuration Mode Commands chapters in the Command Line Interface Reference Configuring an Undefined ACL As discussed previo...

Page 214: ...iguring ACLs on the System on page 186 prior to beginning these procedures The procedures described below also assume that the subscribers have been previously configured Important As discussed earlier you can apply an ACL to any of the following Applying an ACL to an Individual Interface on page 190 Applying an ACL to All Traffic Within a Context on page 192 known as a policy ACL Applying an ACL ...

Page 215: ...icy ACL configured in the Destination Context is applied prior to forwarding 3 An outbound ACL configured on the interface in the Destination Context through which the packet is being forwarded is applied 4 Packet coming from the packet data network to the mobile node right to left Description Order An inbound ACL configured for the receiving interface configured in the Destination Context is appl...

Page 216: ...This section provides information and instructions for applying one or more ACLs to an individual interface configured on the system This section provides the minimum instruction set for applying the ACL list to an interface on the system For more information on commands that configure additional parameters and options refer to the Ethernet Interface Configuration Mode Commands chapter in the Comm...

Page 217: ...me service redundancy protocol exit interface interface_name ip address ip_address mask exit subscriber default exit aaa group default exit gtpp group default end Applying the ACL to a Context To apply the ACLs to a context use the following configuration configure context acl_ctxt_name noconfirm ip ipv6 access group acl_list_name in out preference end Notes The context name is the name of the ACL...

Page 218: ...ontext For more information on commands that configure additional parameters and options refer to the Context Configuration Mode Commands chapter in the Command Line Interface Reference Important To configure the system to provide access control list facility to subscribers Step 1 Apply the configured ACL as described in Applying the ACL to a Context on page 191 Step 2 Verify that ACL is applied p...

Page 219: ...an individual subscriber whose profile is configured locally on the system This section provides the minimum instruction set for applying the ACL list to all traffic within a context For more information on commands that configure additional parameters and options refer to the Subscriber Configuration Mode Commands chapter in the Command Line Interface Reference Important To configure the system t...

Page 220: ...Subscriber These instructions are used to verify the ACL configuration Verify that your ACL lists were applied properly by entering the following command in Exec Mode local host_name show configuration context context_name context_name is the name of the context containing the subscriber subs1 to which the ACL s was were applied The output of this command displays the configuration of the entire c...

Page 221: ...ess control list by following the example configuration in Applying an ACL to the Subscriber Named default on page 195 Step 2 Verify that ACL is applied properly on interface by following the steps in Verifying the ACL Configuration to the Subscriber Named default on page 196 Step 3 Save your configuration to flash memory an external memory device and or a network location using the Exec mode save...

Page 222: ...the entire context Examine the output for the commands pertaining to interface configuration The commands display the ACL s applied using this procedure configure context context_name ip access list acl_name deny host ip_address deny ip any host ip_address exit ip access group access_group_name service redundancy protocol exit interface interface ip address ip_address mask exit subscriber name def...

Page 223: ...Subscriber To apply the ACL to a service specified Default subscriber use the following configuration configure context acl_ctxt_name noconfirm pdsn service fa service ha service service_name default subscriber svc_default_subs_name exit subscriber name svc_default_subs_name ip ipv6 access group acl_list_name in out end Notes The context name is the name of the ACL context containing the interface...

Page 224: ...stem or remotely on a RADIUS server The system provides for the configuration of subscriber functions that serve as default values when specific attributes are not contained in the individual subscriber s profile The following table describes these functions Table 13 Functions Used to Provide Default Subscriber Attributes Description Function Within each context the system creates a subscriber cal...

Page 225: ...n have up to 256 rules Four access groups can be applied for each APN for example ip access group acl_list_name_1 in ip access group acl_list_name_2 out ipv6 access group acl_list_name_3 in ipv6 access group acl_list_name_4 out Applying an ACL to Multiple Subscriber via APNs If IP ACLs are applied to subscribers via attributes in their profile the subscriber profile could be configured locally on ...

Page 226: ... lists were applied properly by entering the following command in Exec Mode show configuration context context_name context_name is the name of the context containing the APN apn1 having default subscriber to which the ACL s was were applied The output of this command displays the configuration of the entire context Examine the output for the commands pertaining to interface configuration The comm...

Page 227: ...ongested or clear These thresholds function in a way similar to operation thresholds that are configured for the system as described in the Thresholding Configuration Guide The primary difference is that when congestion thresholds are reached a service congestion policy and an SNMP trap starCongestion are generated A threshold tolerance dictates the percentage under the configured threshold that m...

Page 228: ...icies as described in Enabling Congestion Control Redirect Overload Policy on page 204 Step 4 Configure disconnecting subscribers based on call or inactivity time as described in Disconnecting Subscribers Based on Call or Inactivity Time on page 204 Step 5 Save your configuration as described in the Verifying and Saving Your Configuration chapter Configuring the Congestion Control Threshold To con...

Page 229: ...For the GGSN the reply code is 199 no resources available For the SaMOG MME redirect is not available For the MME create action profiles for optional major and minor thresholds using the congestion action profile command under lte policy in the Global Configuration mode For the MME you can specify service as critical major or minor to set a policy and associate an action profile for the respective...

Page 230: ... the service overload policies were properly configured enter the following command in the Exec Mode local host_name show service_type name service_name This command lists the entire service configuration Verify that the information displayed for the Overload Policy is accurate Repeat this configuration example to configure additional services in other contexts Verify the Congestion Control Config...

Page 231: ... default overload disconnect threshold connect time dur_thresh end To disable the overload disconnect feature for this subscriber use the following configuration example configure context context_name subscriber subscriber_name no overload disconnect threshold inactivity time threshold connect time end ASR 5500 System Administration Guide StarOS Release 21 5 205 Congestion Control Enabling Congest...

Page 232: ...ASR 5500 System Administration Guide StarOS Release 21 5 206 Congestion Control Enabling Congestion Control Redirect Overload Policy ...

Page 233: ...ection describes how to configure the elements needed to define routing policies Routing policies modify and redirect routes to and from the system to satisfy specific network deployment requirements Use the following building blocks to configure routing policies Route Access Lists The basic building block of a routing policy Route access lists filter routes based on a range of IP addresses IP Pre...

Page 234: ...t config context context_name route access list extended identifier deny permit ip address ip_address route access list named list_name deny permit ip_address mask any exact match route access list standard identifier permit deny ip_address wildcard_mask any network_address Notes A maximum of 64 access lists are supported per context A maximum of 16 entries can defined for each route access list S...

Page 235: ...fig context isp1 route access list named RACLin1a permit 88 151 1 0 30 route access list named RACLin1a permit 88 151 1 4 30 route access list named RACLany permit any route map RMnet1 deny 100 match ip address route access list RACLin 1 a exit route map RMnet1 deny 200 match ip address route access list RACLin 1 b exit route map RMnet1 permit 1000 match ip address route access list RACLany exit r...

Page 236: ..._address ip_mask ip_addr_mask_combo next hop next_hop_address egress_name precedence precedence cost cost Notes You can configure a maximum of 1 200 static routes per context Save your configuration as described in the Verifying and Saving Your Configuration chapter Deleting Static Routes From a Context Use the following configuration example to remove static routes from a context s configuration ...

Page 237: ...nation in the AS Externally derived routing information appears on the tree as leaves The cost of a route is described by a single dimensionless metric OSPF allows sets of networks to be grouped together Such a grouping is called an area The topology of this area is hidden from the rest of the AS which enables a significant reduction in routing traffic Also routing within the area is determined on...

Page 238: ...nge the cost refer to the ip ospf cost command in the Ethernet Interface Configuration Mode Commands chapter of the Command Line Interface Reference Important Notes Save your configuration as described in the Verifying and Saving Your Configuration chapter Redistributing Routes Into OSPF Optional Redistributing routes into OSPF means any routes from another protocol that meet specified a specified...

Page 239: ...e same as OSPF version 2 OSPFv3 expands on OSPF version 2 to provide support for IPv6 routing prefixes and the larger size of IPv6 addresses OSPFv3 dynamically learns and advertises redistributes IPv6 routes within an OSPFv3 routing domain In OSPFv3 a routing process does not need to be explicitly created Enabling OSPFv3 on an interface will cause a routing process and its associated configuration...

Page 240: ...sing the OSPFv3 protocol to all OSPF areas This is an optional configuration config context context_name router ospf3 redistribute connected static end Notes Save your configuration as described in the Verifying and Saving Your Configuration chapter Confirming OSPFv3 Configuration Parameters To confirm the OSPF router configuration use the following command and look for the section labeled router ...

Page 241: ...outers This information builds a picture of AS connectivity from which routes are filtered and AS level policy decisions are enforced BGP 4 provides classless inter domain routing This includes support for advertising an IP prefix and eliminates the concept of network class within BGP BGP 4 also allows the aggregation of routes including the aggregation of AS paths On the ASR 5500 BGP routes with ...

Page 242: ...rence for details on these commands If a BGP task restarts because of a processing card failure a migration a crash or the removal of a processing card all peering session and route information is lost Important Configuring BGP This section describes how to configure and enable basic BGP routing support in the system config context context_name router bgp AS_number neighbor ip_address remote as AS...

Page 243: ...er internet local AS no advertise no export value AS community_number AS community_number AS community_number internet local AS no advertise no export value AS community_number AS community_number AS community_number You can permit or deny the following BGP community destinations internet Advertise this route to the internet community and any router that belongs to it local AS Use in confederation...

Page 244: ...ber match community named named_list standard identifier BGP Extended Communities Configuring a BGP Extended Community Route Target A BGP extended community defines a route target MPLS VPNs use a 64 bit Extended Community attribute called a Route Target RT An RT enables distribution of reachability information to the correct information table You configure a BGP extended community via a Context Co...

Page 245: ...cal preference in the route map because local preference is directly used in the route selection algorithm ICSR and SRP Groups BGP is employed with Interchassis Session Recovery ICSR configurations linked via Service Redundancy Protocol SRP By default an ICSR failover is triggered when all BGP peers within a context are down Optionally you can configure SRP peer groups within a context ICSR failov...

Page 246: ...also be separately set for each address family If configured this value over rides the peer s default advertisement interval for that address family only BGP will send route update message for each AFI SAFI based on the advertisement interval configured for that AFI SAFI If no AFI SAFI advertisement interval is configured the peer based default advertisement interval is used In ICSR configurations...

Page 247: ... for this configuration description text Defines the administrative distance for routes The administrative distance is the default priority for a specific route or type route distance admin distance prefix prefix_addr route access list list_name bgp external ebgp_dist internal ibgp_dist local local_dist Enforces the first AS for Exterior Border Gateway Protocol eBGP routes enforce first as Adds a ...

Page 248: ...d_time update source ip_address weight value Specifies a network to announce via BGP network ip_address mask route map map_name Redistributes routes via BGP from another protocol to BGP neighbors redistribute connected ospf rip static route map map_name Overrides the configured router identifier and causes BGP peers to reset router id ip_address Configures the BGP background scanner interval in se...

Page 249: ...bally enabled via the bfd protocol command and or individually enabled disabled per interface This function is used to test the forwarding path on the remote system The system supports BFD in asynchronous mode with optional Echo capability via static or BGP routing On an ASR 5500 one of the packet processing cards must be configured as a demux card in order for BFD to function See the Configuring ...

Page 250: ... exit Configure BFD static route ip route static bfd if_name ipv4_gw_address Add static routes ip route ipv4_address ipv4_mask ip route ipv4_address ipv4_mask Configuring IPv6 BFD for Static Routes Enable BFD on an Interface config context bfd_context_name interface if_name ipv6 address ipv6_address ipv6_mask bfd interval interval_value min_rx rx_value multiplier multiplier_value bfd echo exit Con...

Page 251: ...Associating OSPF Neighbors with the Context on page 226 On the ASR 5500 routes with IPv6 prefix lengths less than 12 and between the range of 64 and 128 are not supported Important Configuring Multihop BFD Enable BFD on an interface config context bfd_context_name interface if_name ip address ipv4_address ipv4_mask ipv6 address ipv6_address ipv6_mask bfd interval interval_value min_rx rx_value mul...

Page 252: ...context_name router bgp AS_number neighbor neighbor_ip address remote as rem_AS_number neighbor neighbor_ip address ebgp multihop max hop max_hops neighbor neighbor_ip address update source update src_ip address neighbor neighbor_ip address failover bfd multihop Notes Repeat the sequence to add neighbors Associating OSPF Neighbors with the Context config context context_name router ospf neighbor n...

Page 253: ...using IPv4 dotted decimal or IPv6 colon separated hexadecimal notation chassis to chassis enables BFD to run between primary and backup chassis on non SRP links chassis to router enables BFD to run between chassis and router Saving the Configuration Save your configuration as described in the Verifying and Saving Your Configuration chapter Chassis to Chassis BFD Monitoring for ICSR An operator can...

Page 254: ...terval end Configure ICSR Switchover Guard Timer The SRP Configuration mode guard timer command configures the redundancy guard period and monitor damping period for SRP service monitoring Use these guard timers to ensure that local failures such as card reboots and task restarts do not result in ICSR events which can be disruptive configure context context_name service redundancy protocol variabl...

Page 255: ... session if BFD signals a failure configure context context_name ip route ip_address ip_mask ip_address ip_mask gateway_ip_address next hop next_hop_ip_address point to point tunnel egress_intrfc_name cost cost fall over bfd multihop mhsess_name precedence precedence vrf vrf_name cost value fall over bfd multihop mhsess_name precedence precedence end The ip route command now also allows you to add...

Page 256: ...configure context context_name interface interface_name broadcast bfd interval interval_num min_rx milliseconds multiplier value end Notes milliseconds is an integer from 50 through 10000 Default 50 Enable Advertising BGP Routes from Standby ICSR Chassis For information on configuring the feature see Advertising BGP Routes from a Standby ICSR Chassis on page 219 Saving the Configuration Save your ...

Page 257: ...lot which must also specify a slot in its member link configuration Likewise if you configure a linkagg peer without a slot you must delete it before configuring a peer with a slot specified Only one IPv4 or IPv6 BFD session based configuration is allowed per linkagg interface for compliance with RFC 7130 Important Configuring Support for BFD Linkagg Member links The bfd linkagg peer command enabl...

Page 258: ...s option specifies the card for which this configuration is intended Saving the Configuration Save your configuration as described in the Verifying and Saving Your Configuration chapter Viewing Routing Information To view routing information for the current context run one of the following Exec mode commands show ip route Displays information for IPv4 routes in the current context show ipv6 route ...

Page 259: ... 208 230 231 0 24 0 0 0 0 connected 0 0 local1 Total route count 5 ASR 5500 System Administration Guide StarOS Release 21 5 233 Routing Viewing Routing Information ...

Page 260: ...ASR 5500 System Administration Guide StarOS Release 21 5 234 Routing Viewing Routing Information ...

Page 261: ...llow more complex configurations to be implemented The VLAN tag allows a single physical port to be bound to multiple logical interfaces that can be configured in different contexts Therefore each Ethernet port can be viewed as containing many logical ports when VLAN tags are employed Overlapping IP Address Pool Support GGSN Overlapping IP Address pools allow operators to more flexibly support mul...

Page 262: ... and RADIUS configuration and network design This feature allows the following scenarios to be defined in the same context Overlapping RADIUS NAS IP addresses for various RADIUS server groups representing different APNs Overlapping RADIUS server IP addresses for various RADIUS servers groups Every overlapping NAS IP address is given a unique next hop address which is then bound to an interface tha...

Page 263: ...edundancy Mode Port Mode Redundant With 6 11 Preferred Port Non Revertive Physical ifIndex 85262336 Administrative State Enabled Configured Duplex Auto Configured Speed Auto Fault Unidirection Mode 802_3ae clause 46 Configured Flow Control Enabled Interface MAC Address 64 9E F3 69 5B EA SRP Virtual MAC Address None Fixed MAC Address 64 9E F3 69 5B CA Link State Up Link Duplex Full Link Speed 10 Gb...

Page 264: ...ary Since the instructions for configuring subscriber profiles differ between RADIUS server applications this section only describes the individual attributes that can be added to the subscriber profile Please refer to the documentation that shipped with your RADIUS server for instructions on configuring subscribers Important Configuring Local Subscriber Profiles Use the configuration example belo...

Page 265: ...er to be associated with the subscriber traffic in the destination context ip vlan vlan_id ACS Charging Action Configuration Mode When a nexthop forwarding address is configured the overlap vlanid keyword enables support for overlapping IP address pools and associates the pool with the specified VLAN ID ip pool pool_name nexthop forwarding address ip_address overlap vlanid vlan_id Context Configur...

Page 266: ...e context_name VLAN Configuration Mode Enables or disables port ingress incoming mode no ingress mode VLAN Configuration Mode Configures an 802 1p VLAN priority bit for ASN GW service only priority value VLAN Configuration Mode Enables or disables traffic over the current VLAN no shutdown VLAN Configuration Mode Associates an IP interface having a VLAN ID with a context vlan map interface if_name ...

Page 267: ...s a PE page 242 IPv6 Support for BGP MPLS VPNs page 244 VPN Related CLI Commands page 246 Introduction Service providers require the ability to support a large number of corporate Access Point Names APNs which have a number of different addressing models and requirements uses BGP MPLS Layer 3 VPNs to segregate corporate customer APNs in a highly scalable manner This solution conforms to RFC 4364 B...

Page 268: ... advertising them to the MPLS CE The MPLS CE in this case uses only MP eBGP to advertise and learn routes Label Distribution Protocol LDP and Resource Reservation Protocol RSVP are not required because of direct connect EBGP peering The MPLS CE in this scenario pushes pops a single label learned over the MP eBGP connection to from the PE as a PE Overview In this scenario the functions as a PE rout...

Page 269: ... export 300 1 route target import 300 1 route distinguisher 300 1 exit ip vrf vrf2 route target export 300 2 route target import 300 2 route distinguisher 300 2 exit router id 2 2 2 2 neighbor 192 168 107 20 remote as 300 neighbor 192 168 107 20 update source node1_loopback address family vpnv4 neighbor 192 168 107 20 activate neighbor 192 168 107 20 send community both neighbor 192 168 107 20 nex...

Page 270: ...bsequent Address Family Identifier SAFI fields for VPNv6 routes will be set to 2 and 128 respectively The IPv6 VPN traffic will be transported to the BGP speaker via IPv4 tunneling The BGP speaker advertises to its peer a Next Hop Network Address field containing a VPN IPv6 address whose 8 octet RD is set to zero and whose 16 octet IPv6 address is encoded as an IPv4 mapped IPv6 address RFC 4291 co...

Page 271: ...op loopback ip vrf forwarding vrf2 ip address 2005 0202 0101 1 128 exit interface vrf3 v6loop loopback ip vrf forwarding vrf3 ip address 2005 0303 0101 1 128 exit Configure BGP along with address families and redistribution rules router bgp 800 router id 1 1 1 1 neighbor 192 168 110 20 remote as 1003 neighbor 192 168 110 20 activate address family vpnv4 neighbor 192 168 110 20 activate neighbor 19...

Page 272: ...mode none aaa group apple group authentication pap 1 chap 2 allow noauthip context name Gi_ce ipv6 address prefix pool vrf3 v6pool exit aaa group amazon group radius ip vrf vrf2 aaa group default exit gtpp group default exit ip igmp profile default exit Bind physical interfaces with the port VPN Related CLI Commands VPN related features and functions are supported across several CLI command modes ...

Page 273: ...or ip_address activate BGP Address Family VRF Configuration Mode Sends the extended community attribute to a peer router In VPN route distinguisher and route target are encoded in the BGP extended community This command enables sending of BGP routes with extended community to a neighbor neighbor ip_address send community both extended standard BGP Address Family VRF Configuration Mode Redistribute...

Page 274: ...nfiguration Mode Creates a VRF and assigns a VRF ID A VRF is created in the router ip vrf vrf_name Context Configuration Mode Associates the pool with that VRF Note By default the configured ipv6 pool will be associated with the global routing domain ipv6 pool pool_name vrf vrf_name Context Configuration Mode Globally enables MPLS Border Gateway Protocol BGP forwarding mpls bgp forwarding Context ...

Page 275: ...bel Switched Path LSP connectivity for the specified forwarding equivalence class FEC It must be followed by an IPv4 or IPv6 FEC prefix lsp ping ip_prefix_FEC Exec Mode Discovers MPLS LSP routes that packets actually take when traveling to their destinations It must be followed by an IPv4 or IPv6 FEC prefix lsp traceroute ip_prefix_FEC Exec Mode Maps the final differentiated services code point DS...

Page 276: ...figuration Mode Configures the LDP Router ID router id ip_address MPLS LDP Configuration Mode Configures the LDP session parameters session timers hold interval seconds keepalive interval seconds MPLS LDP Configuration Mode Table 18 VPN Related Monitoring Commands Description Command CLI Mode Displays information regarding BGP neighbors show ip bgp neighbors Exec Mode show Commands Displays all VP...

Page 277: ...s ftn vrf vrf_name Exec Mode show Commands Displays contents of the MPLS FTN table for a specified VRF show mpls ftn vrf vrf_name Exec Mode show Commands Displays MPLS Incoming Label Map ILM table information show mpls ilm Exec Mode show Commands Displays the MPLS LDP information show mpls ldp Exec Mode show Commands Displays MPLS Next Hop Label Forwarding Entry NHLFE table information show mpls n...

Page 278: ...ASR 5500 System Administration Guide StarOS Release 21 5 252 BGP MPLS VPNs VPN Related CLI Commands ...

Page 279: ...page 253 Configuring Internal Content Service Steering page 254 Overview Content Server Selection CSS is a StarOS function that defines how traffic will be handled based on the content of the data presented by a mobile subscriber or to a mobile subscriber CSS is a broad term that includes features such as load balancing NAT HTTP redirection and DNS redirection The content server services can be ei...

Page 280: ...commands and or keyword options are presented In many cases other optional commands and or keyword options are available Refer to the Command Line Interface Reference for complete information regarding all commands Not all commands or keywords variables may be supported or available Availability varies on the platform type and installed license s Defining IP Access Lists for Internal CSS IP ACLs s...

Page 281: ...figure the service to use that subscriber as the default profile Applying an ACL to the Subscriber Named default Optional For information on how to apply an ACL to the default subscriber refer to the Applying an ACL to the Subscriber Named default section in the Access Control Lists chapter Applying an ACL to Service specified Default Subscribers Optional For information on how to apply an ACL to ...

Page 282: ...ASR 5500 System Administration Guide StarOS Release 21 5 256 Content Service Steering Applying an ACL to Multiple Subscribers via APNs Optional ...

Page 283: ...ollowing sections How Session Recovery Works page 257 Configuring the System to Support Session Recovery page 259 Recovery Control Task Statistics page 263 How Session Recovery Works This section provides an overview of how this feature is implemented and the recovery process The Session Recovery feature provides seamless failover and reconstruction of subscriber session information in the event o...

Page 284: ...SR 5500 only ePDG service evolved Packet Data Gateway GGSN services for IPv4 and PPP PDP contexts HA services supporting Mobile IP and or Proxy Mobile IP session types with or without per user Layer 3 tunnels ASR 5500 only HNB GW HNB Session over IuH ASR 5500 only HNB GW HNB CN Session over IuPS and IuCS ASR 5500 only HNB GW SeGW Session IPSec Tunnel ASR 5500 only HSGW services for IPv4 IPCF Intel...

Page 285: ... to session recovery Any partially connected calls for example a session where HA authentication was pending but has not yet been acknowledged by the AAA server are not recovered when a failure occurs Important Configuring the System to Support Session Recovery The following procedures allow you to configure the session recovery feature for either an operational system that is currently in service...

Page 286: ...he system to support this feature as described in Viewing Session Recovery Status on page 261 Enabling Session Recovery on an In Service System When enabling session recovery on a system that already has a saved configuration the session recovery commands are automatically placed before any service configuration commands in the configuration file To enable the session recovery feature on an in ser...

Page 287: ...from the Global Configuration mode prompt If this command is issued on an in service system then the system must be restarted by issuing the reload command Important Viewing Session Recovery Status To determine if the system is capable of performing session recovery when enabled enter the show session recovery status verbose command from the Exec mode prompt The output of this command should be si...

Page 288: ...MGR_EVT_IPADDR_ALLOC_SUCCESS SMGR_STATE_LINE_CONNECTED SMGR_EVT_AUTH_SUCCESS SMGR_STATE_LINE_CONNECTED SMGR_EVT_UPDATE_SESS_CONFIG SMGR_STATE_LINE_CONNECTED SMGR_EVT_LOWER_LAYER_UP Data Reorder statistics Total timer expiry 0 Total flush tmr expiry 0 Total no buffers 0 Total flush no buffers 0 Total flush queue full 0 Total flush out of range 0 Total flush svc change 0 Total out of seq pkt drop 0 ...

Page 289: ...0 Recovery Control Task Statistics Recovery Control Task RCT statistics show the following Recovery action taken Migration Shutdown Switchover Type of event Planned or Unplanned From card to card slot numbers Start time YYYY MMM DD hh mm sss sss Duration seconds Card failure device such as CPUn Card failure reason Card is in usable state or not failed Recovery action status Success or failure reas...

Page 290: ...ul Enabled Recovered 1 f sessmgr i 6 cpu 50 pid 13170 Recovered 2 f sessmgr i 3 cpu 50 pid 13167 RCT stats Details Last 5 Actions Stats 2 Action Shutdown From 12 To 13 Start Time 2017 Apr 04 03 02 10 100 Is Card Usable Yes Failure Reason NPU_LC_CONNECT_TOP_FAIL Failure Device PAC_LC_CONNECT_HARDWARE Recovery Status Success Facility N A Instance N A Duration 002 901 sec Graceful Enabled Recovered 1...

Page 291: ...pid 13167 Stats 5 Action Migration From 6 To 7 Start Time 2017 Apr 04 04 18 30 106 Is Card Usable Yes Failure Reason N A Failure Device N A Recovery Status TASK_MIGRATION_FAIL_RENAME Facility sessmgr Instance 63 Duration 004 134 sec Graceful Enabled Recovered 1 f sessmgr i 6 cpu 50 pid 13170 Recovered 2 f sessmgr i 3 cpu 50 pid 13167 RCT stats Summary Migrations 3 Average time 4 260 sec Switchover...

Page 292: ...ASR 5500 System Administration Guide StarOS Release 21 5 266 Session Recovery Sample Output for show rct stats verbose ...

Page 293: ...tact your Cisco account representative for detailed information on specific licensing requirements For information on installing and verifying licenses refer to the Managing License Keys section of Software Management Operations Important This chapter discusses the following Overview page 267 ICSR Operation page 271 Configuring ICSR page 271 Troubleshooting ICSR Operation page 286 Updating the Ope...

Page 294: ...t between ICSR chassis This audit ensures that two ICSR peers are synchronized and identifies any discrepancies prior to scheduled or unscheduled switchover events srp initiate audit manual with sync Executes a forced switchover from active to inactive When executed on the active chassis this command switches the active chassis to the inactive state and the inactive chassis to an active state See ...

Page 295: ...srp call loss statistics Displays check pointing statistics on session redundancy data session managers current call recovery records etc show srp checkpoint statistics Displays Service Redundancy Protocol information context chassis state peer connection state etc show srp info Displays SRP monitor information show srp monitor Displays SRP statistics hello messages sent configuration validation r...

Page 296: ...uting domain If communication on the SRP link is lost and both chassis in the redundant pair are claiming to be Active the previously Active chassis is still preferred since it is advertising a smaller AS path into the BGP routing domain The route modifier is incremented as switchover events occur A threshold determines when the route modifier should be reset to its initial value to avoid rollover...

Page 297: ...different Service Redundancy Protocol SRP configuration the session recovery feature does not function and sessions cannot be recovered when the active chassis goes out of service Important This section describes how to configure basic ICSR on each chassis For information on commands that configure additional parameters and options refer to the Command Line Interface Reference For releases prior t...

Page 298: ...Primary and Backup Configuration on page 285 Step 6 Save your configuration as described in Verifying and Saving Your Configuration Configuring the Service Redundancy Protocol SRP Context To configure the system to work with ICSR Step 1 Create the chassis redundancy context and bind it to the IP address of the primary chassis by applying the example configuration in Creating and Binding the SRP Co...

Page 299: ...ncy protocol chassis mode primary backup priority priority peer ip address ip_address hello interval dur_sec dead interval dead_dur_sec end Notes ICSR should be configured and maintained in a separate context When assigning the chassis mode on the backup chassis be sure to enter the backup keyword The checkpoint command sets the amount of time the chassis waits before check pointing an existing ca...

Page 300: ...iod seconds guard period seconds bgp damping period seconds guard period seconds diam damping period seconds guard period seconds end Notes aaa switchover timers sets timers that prevent back to back ICSR switchovers due to an AAA failure post ICSR switchover while the network is still converging damping period configures a delay time to trigger an ICSR switchover due to a monitoring failure withi...

Page 301: ... Class 3 low drop PHB af32 Assured Forwarding Class 3 medium drop PHB af33 Assured Forwarding Class 3 high drop PHB af41 Assured Forwarding Class 4 low drop PHB af42 Assured Forwarding Class 4 medium drop PHB af43 Assured Forwarding Class 4 high drop PHB be Best effort Per Hop Behaviour default cs1 Class selector 1 PHB cs2 Class selector 2 PHB cs3 Class selector 3 PHB cs4 Class selector 4 PHB cs5 ...

Page 302: ... the newly active gateway when accounting is not deemed critical This functionality extends to all other traffic including data sessions and default bearer traffic for IMS e911 The following ICSR functionality is provided for all non VoLTE data traffic When a switchover occurs the newly active gateway forwards all traffic the moment the gateway becomes active External communication with billing se...

Page 303: ...ring switchover transition This command overwrites the switchover allow volte data traffic command if enabled on a P GW configure context context_name service redundancy protocol switchover allow all data traffic The switchover allow all data traffic command must be run on both chassis to enable this feature Important The switchover allow volte data traffic SRP Configuration mode CLI command allow...

Page 304: ...uring a planned switchover The outage window is the amount time between initiating an ICSR switchover and when the newly active chassis starts processing data You must enable one of the commands identified above on both ICSR chassis prior to enabling this command Important Graceful Cleanup of ICSR After Audit of Failed Calls During an Audit on the gateways P GW S GW GGSN SAE GW after Session Recov...

Page 305: ... is allowed during this flush the call may get disconnected based on the control message type and accounting information will be lost for calls that existed before switchover Audit During audit new calls are not allowed because synchronization of call resources may result in clearing of the calls The switchover control outage optimization CLI command allows new calls during the Accounting Flush as...

Page 306: ...kpoint session command allows you to enable generation of NACK messages in response to checkpoint message failures on a Standby ICSR chassis The nack keyword will only appear if a special ICSR optimization feature license has been purchased and installed Contact your Cisco account representative for assistance Important configure context context_name service redundancy protocol variable checkpoint...

Page 307: ...pression algorithm with near linear scalability for multi threaded applications The compression keyword in the SRP Configuration mode checkpoint session command allows you to enable the use of the LZ4 compression algorithm The compression keyword will only appear if a special ICSR optimization feature license has been purchased and installed Contact your Cisco account representative for assistance...

Page 308: ...y that your SRP contexts were created and configured properly by running the show srp info command Exec Mode on each chassis Notes The interval is specified as an integer divisible by 15 in the range from 30 through 1440 Default 45 minutes The interval range for sending full checkpoints is 30 minutes to 24 hours 1140 minutes Modifying the Source Context for ICSR To modify the source context of cor...

Page 309: ...tion is useful in deployments in which a combination of IPv4 and IPv6 peers are spread across multiple paired VLANs and IPv4 or IPv6 connectivity is lost by all members of a peer group A sample configuration for SRP peer groups within a context PGWin appears below monitor bgp context PGWin 10 1 1 16 group 1 monitor bgp context PGWin 10 1 1 17 group 1 monitor bgp context PGWin 69 2 215 0 group 2 mo...

Page 310: ...figuration in Destination Context on page 285 Step 5 Save your configuration as described in Verifying and Saving Your Configuration Configuring BGP Router and Gateway Address in Destination Context Use the following example to create the BGP context and network addresses configure context dest_ctxt_name router bgp AS_num network gw_ip_address neighbor neighbor_ip_address remote as AS_num end Note...

Page 311: ...up systems Step 1 Enter the show configuration srp command on each system Exec mode Step 2 Verify that both chassis have the same SRP configuration information The output looks similar to following config context source interface haservice loopback ip address 172 17 1 1 255 255 255 255 srp activate exit radius attribute nas ip address address 172 17 1 1 radius server 192 168 83 2 encrypted key 01a...

Page 312: ...e Default 60 A sample configuration sequence appears below config context srp service redundancy protocol audit daily start time 06 00 audit periodicity 90 end Troubleshooting ICSR Operation SSD StarOS supports an ICSR specific show support details SSD command that outputs the results from a series of Exec mode show commands This mini SSD reduces capture time when debugging ICSR timing issues betw...

Page 313: ...is performed separately on each system while it is in standby mode Traffic disruption is minimal since an active system will be handling call sessions while the standby system is being updated The general upgrade sequence is as follows 1 Download the StarOS software image and copy transfer it to both the active and standby system 2 Save the currently running configurations on both systems 3 Update...

Page 314: ...or downgrade between StarOS versions in ICSR configurations Contact Cisco TAC for procedural assistance prior to upgrading or downgrading your ICSR deployment Caution Figure 12 ICSR Software Upgrade Part 1 ASR 5500 System Administration Guide StarOS Release 21 5 288 Interchassis Session Recovery Updating the Operating System ...

Page 315: ...Figure 13 ICSR Software Upgrade Part 2 ASR 5500 System Administration Guide StarOS Release 21 5 289 Interchassis Session Recovery Updating the Operating System ...

Page 316: ...Figure 14 ICSR Software Upgrade Part 3 ASR 5500 System Administration Guide StarOS Release 21 5 290 Interchassis Session Recovery Updating the Operating System ...

Page 317: ...Figure 15 ICSR Software Upgrade Part 4 ASR 5500 System Administration Guide StarOS Release 21 5 291 Interchassis Session Recovery Updating the Operating System ...

Page 318: ... both the primary active and backup standby ICSR systems Standby ICSR System Perform the tasks described below on the backup or standby ICSR system ASR 5500 System Administration Guide StarOS Release 21 5 292 Interchassis Session Recovery Both ICSR Systems ...

Page 319: ...nism for monitoring ICSR system status is operational Step 1 Run show srp monitor all Step 2 Review the output for any issues that may preclude performing the software update Performing BGP Checks Border Gateway Protocol BGP checks are only required when BGP is used to support redundant interchassis communication These checks are run per context and per service type Step 1 For each BGP enabled con...

Page 320: ...enumber some or all of the other entries before proceeding Use the no boot system priority command to delete a book stack entry For information on using the boot system priority command refer to the Adding a New Boot Stack Entry section in this guide Synchronizing File Systems Synchronize the local file systems by entering the following Exec mode command local host_name filesystem synchronize all ...

Page 321: ...age 294 Performing Health Checks on page 293 Performing SRP Checks on page 293 Performing BGP Checks on page 293 Waiting for Session Synchronization Allow time for session synchronization to occur between the ICSR chassis before preceding to the next steps Step 1 Run the show session recovery status verbose command on both chassis Proceed to the next steps only when no errors are seen in the outpu...

Page 322: ...AA monitor check You will be checking for the existence of any SNMP traps that indicate the system cannot communicate with AAA servers starSRPAAAUnreachable Step 1 Run the Exec mode command show snmp trap history grep starSRPAAAUnreachable Step 2 There should be no output for this command or no very recent SNMP trap notifications based on the event timestamp Step 3 If the active system cannot comm...

Page 323: ...ssis state is verified and subscribers are migrated perform new call testing to make sure calls are successful Fallback Procedure To revert to the previous configuration and software build perform the following steps as a user with administrative privileges Step 1 Run the Exec mode show boot command The topmost lowest numbered entry of the displayed output should be the new configuration with the ...

Page 324: ...ASR 5500 System Administration Guide StarOS Release 21 5 298 Interchassis Session Recovery Fallback Procedure ...

Page 325: ...ed by a background CLI task called the record collector The administrator configures the SDC via the CLI with the commands to be executed on a periodic basis The record collector always runs in the background and checks if there are records to be collected When it is time to collect support data the scheduler executes the configured sequence of CLI commands and stores the results in a gunzipped gz...

Page 326: ...ne command by itself will result in just that one command output constituting the contents of the entire SDR The user may configure a specific set of record sections for the SDR which may or may not include some or all of the default SDR record sections This configuration is stored in the Global Configuration section of the configuration file Refer to Configuration Commands Global Configuration Mo...

Page 327: ...ration Mode Once the SDR is stored the SDC waits the sleep duration interval specified via the support collection command before collecting another SDR The period between SDRs is equal to the configured sleep duration interval the time taken to collect the previous record Important Managing Record Collection The SDRs are stored together in a self relative set This self relative set is called a Sup...

Page 328: ... maximum SDR count of 5 is reached the SDRs continue to be SDR 0 through SDR 4 with the file timestamps indicating that the files are changing over time The time interval between collections may vary by several minutes in relation to the specified sleep duration This is because the interval specifies the idle time between scheduled collection runs Since the actual overhead of the collecting proces...

Page 329: ...R CLI Commands You may use the collected support data records to view support data chronologically If the default list and sequence of sections is inadequate for system monitoring you can configure your own set of record section commands that make up a particular support record Refer to the SDR CLI Command Strings appendix for a listing of supported CLI strings show commands for record sections Th...

Page 330: ...ifies the CLI strings included in default record sections Important The no support record command removes either a specific section of the record definition or all of the sections If you specify the default support record command the default record section definition of that specified record section is used If neither the keyword all or section is specified all the record section definitions are r...

Page 331: ...ecord id along with the collection time stamp The record id variable identifies a single SDR The to keyword specifies the endpoint record id when displaying a range of SDRs The section keyword displays a particular section of the record delete support record delete support record record id to record id The delete support records command removes an SDR with a specified record id or all SDRs in the ...

Page 332: ... of all valid record section definitions The display also indicates whether the record section is enabled or disabled by default local host_name show support collection definitions The output of this command reflects the sequence in which record sections will be output regardless of the sequence in which they may have been entered by the user Refer to the SDR CLI Command Strings appendix for addit...

Page 333: ...face Additional CLI sessions beyond the pre reserved limit are permitted if sufficient resources are available If the Resource Manager is unable to reserve resources for a CLI session beyond those that are pre reserved users with administrator privileges are prompted to create the new CLI session even without reserved resources Context Rules A maximum of 63 contexts may be configured per chassis E...

Page 334: ... used and how they are subnetted Important Each address in the pool requires approximately 60 bytes of memory The amount of memory required however depends on a number of factors such as the pool type and hold timer usage Therefore in order to conserve available memory you may need to limit the number of pools depending on the number of addresses to be configured and the number of installed applic...

Page 335: ...orwarding VRF tables per context 2 048 VRFs per chassis 256 VRFs per context with demux functions enabled on the MIO card APN limit is 2 048 per chassis VRF limits and APN limits should be identical 64 000 IP routes NEMO Network Mobility Prior to Release 15 0 256K prefixes framed routes per chassis and up to 8 dynamically learned prefixes per MR Mobile Router Release 15 0 and higher 512K prefixes ...

Page 336: ...ted are used Default is not used when local authentication for local subscribers is performed Important Configure default subscriber templates on a per AAA realm domain aliases configured within a context basis Configure default subscriber templates on a per PDSN FA ASN GW or HA service For AAA authenticated subscribers the selection of local subscriber template to use for setting attributes is in...

Page 337: ... per IPSec policy is 1 The maximum number of IPSec ACL rules per context is 1 024 The maximum number of IPSec ACL rules per crypto map is 8 The maximum number of ACLs you can configure per context is limited by the number of rules allowed within each ACL If each ACL contained the maximum number of rules 128 the maximum number of ACLs per context is 8 128 X 8 ACLs 1 024 ACL rules per context The ma...

Page 338: ...ASR 5500 System Administration Guide StarOS Release 21 5 312 Engineering Rules ECMP Groups ...

Page 339: ...hese tasks communicate with each other as needed to share control and data signals As a result processes can be distributed across multiple tasks thus reducing the overall work load on any given task and improving system performance This distributed design provides fault containment that greatly minimizes the impact to processes or sessions due to a failure The Exec mode show task command displays...

Page 340: ...e system The SCT subsystem runs only on the active management card and synchronizes the information it contains with the SCT subsystem on the standby management card Resource Management RM This subsystem assigns resources such as CPU loading and memory for every system task upon start up The RM subsystem monitors resource use to verify that allocations are as specified RM also monitors all session...

Page 341: ...mobile subscribers packet oriented data session flows High touch user data processing consists of the following Payload transformation Filtering and scheduling Statistics collection Policing Controllers and Managers Many of the primary subsystems are composed of controller tasks called Controllers and subordinated tasks called Managers Controllers serve several purposes Monitor the state of their ...

Page 342: ...Subsystem Table 21 System Initiation Subsystem Tasks Function Description Task Initiated at system start up System Initiation Task Main SITMAIN Reads and provides startup configuration to other SIT components Starts SITREAP sub function Maintains CPU state information Starts management cards in either active or standby mode SIT Parent Sub function SITPARENT Registers tasks with HAT task Notifies C...

Page 343: ... and control functions because of the CPU s hardware capabilities Reports the loss of any task on its CPU to hatsystem sub function Controls the LEDs on the management card ASR 5500 only Initializes and monitors the dedicated hardware on the management card ASR 5500 only Controls all the HAT sub function tasks in the system It is initiated on system start up High Availability Task System Controlle...

Page 344: ...th the SIT task on the local CPU to get its entire task table and the resources associated with each task Gathers current resource utilization for each task Sends the resource data to the rmctrl task Virtual Private Networking Subsystem Table 24 Virtual Private Networking VPN Subsystem Tasks Function Description Task Created at system start up VPN Controller vpnctrl Initiates the VPN Manager for e...

Page 345: ...aintains the BGP peering connections Applies any defined BGP routing policy Created by VPN Manager for each context that has enabled the OSPF routing protocol router ospf Context Configuration mode CLI command Open Shortest Path First ospf Responsible for learning and redistributing routing information via the OSPF protocol Maintains the OSPF neighboring relationship Maintains the LSA database Per...

Page 346: ... reachability Network Processing Unit Subsystem Table 25 Network Processing Unit NPU Subsystem Tasks Function Description Task Created at StarOS start up Internal Forwarder Task Intel DPDK VPC DI VPC SI iftask Provides port configuration services to the CSP task Provides interface binding and forwarding services to the VPN Manager Provides flow insertion and removal services to Session Manager and...

Page 347: ...services to the CSP task Provides interface binding and forwarding services to the VPN Manager Provides flow insertion and removal services to Session Manager and AAA Manager tasks Provides recovery services to the NPU Controller Created for every DPC installed and started NPU Simulator ASR 5500 npusim Provides port configuration services to the CSP task Provides interface binding and forwarding s...

Page 348: ... information from VPN Managers Distributes IP interface address information to other Session Processing Subsystem sub managers Manages Enhanced Charging Service ECS Content Filtering and URL Blacklisting services Created by the Session Controller Session Manager sessmgr Provides a subscriber processing system that supports multiple session types Multiple Session Managers can run on a single CPU an...

Page 349: ...ng gateway functions CGFs Multiple AAA Managers can run on a single CPU and or can be distributed throughout any CPU present in the system AAA operations for the CLI are done through a AAA Manager running on the active management card Starts whenever the Global Configuration mode gtpp single source command is configured When GTPP single sourcing is enabled aaaproxy generates requests to the accoun...

Page 350: ... support for GGSN It is instantiated when an MBMS policy CLI is configured in the GGSN Service configuration mode dgmbmgr Diameter Gmb interface Application Manager dgmbmgr Maintains the MBMS UE and bearer contexts Handles the Gmb interface over a Diameter connection to a BMSC Server for MBMS bearer sessions dgmbmgr recovers by polling all sessmgrs for MBMS session states and recreating the MBMS U...

Page 351: ... sessions from MME S4 SGSN SGW and distributes them to different Session Manager tasks for load balancing Maintains list of current EGTP sessions Maintains list of current Session Manager tasks which aids in session recovery Handles GTP Echo messaging With session recovery SR enabled this demux manager is usually established on one of the CPUs on the first active packet processing card Created by ...

Page 352: ...vice is configured Home Agent HA Manager hamgr Receives Mobile IP sessions from the Foreign Agents FAs and distributes them to different Session Manager tasks Maintains a list of current Session Manager tasks that aids in system recovery Functions as the DemuxMgr handles all the PMIP signaling packets Functions as the Demuxmgr for MIPv6 MIPv4 HA With session recovery SR enabled this demux manager ...

Page 353: ...iber sessions Maintains and reports MME related demux statistics on events like Attach by IMSI Attach by GUTI etc Can interact with the following tasks in the system Session Controller MME Manager Session Manager With session recovery SR enabled this demux manager is usually established on one of the CPUs on the first active packet processing card Started by the Session Controller International Mo...

Page 354: ...sing card Created by the Session Controller for each context in which a LAC or LNS service is configured Additional managers are created as needed depending on loading Layer 2 Tunneling Protocol Manager l2tpmgr Responsible for all aspects of L2TP processing Maintains protocol state machines for all L2TP sessions and tunnels Triggers IPSec encryption for new L2TP tunnels as needed Works with Sessio...

Page 355: ...ets and a list of its service user protocol layers and service provider protocol layers SGSN Master Manager mmgr Runs as a single instance Handles nodal SS7 Iu and Gb functionality Implements master linkmgr functionality for SS7 route status aggregation Implements master linkmgr functionality for RNC and BSC status aggregation With session recovery SR enabled this demux manager is usually establis...

Page 356: ...ss the available pccmgrs along with the session binding functions Monitors load on pccmgrs Distributes incoming IP CAN connections across pccmgrs in the system Performs session binding binds IP CAN Gateway session with the AF Session Ensures all messaging for an IMSI across various interfaces is directed towards the selected pccmgr Remains aware of all the active PCC services in the system With se...

Page 357: ...and one secondary The srb task also stores the static DB Rates and categorizes the URL based on the DB volumes and CSI Category Set Index stored on it Performs peer loading in case its peer fails If both the srb task and its peer fail the session controller performs the loading Platform Processes Table 27 Platform Process Tasks Function Description Task Responsible for the overall management of th...

Page 358: ...thin the specific VPN context Fetches the CSS related information for a subscriber If a CSS server goes down the cssmgr task reprograms the NPUs to by pass the service or redistribute the data among the rest of the servers in the service Spawns daughter card managers during system initialization and monitors daughter card managers during system steady state execution It also spawns daughter card m...

Page 359: ...tions Created by the Session Controller establishes and manages secure IKEv1 IKEv2 and IPSec data tunnels IPSec Manager ipsecmgr Central key value store kvstore function that runs on the management card Its primary function is to support recovery and distribution functions Key Value Controller kvctrl Started by npuctrl on the demux card s primary MIO ASR 5500 with a facility level between CSP and ...

Page 360: ...mon sshd DHCPD DNS FTPD INETD NTPD PING RLOGIN SFTPD SFTP SERVER SNMPD SSH SSHD TELNET TELNETD TFTPD TRACEROUTE Note In release 20 0 and higher Trusted StarOS builds FTP and Telnet are not supported Utilities Configuration Manager ucm Management Processes Table 28 Management Process Tasks Function Description Task Periodically polls and gathers bulk statistics and transfers this data to external m...

Page 361: ...oth CLI and signaling based subscriber traces It collects messages to be traced and generates trace files as needed It uploads trace files to the Trace Collection Entity as needed Handles inboard SNMP operations if configured and sends SNMP notifications traps if enabled Simple Network Management Protocol snmp Handles monitoring of threshold crossing alerts if configured Polls the needed statistic...

Page 362: ...ASR 5500 System Administration Guide StarOS Release 21 5 336 StarOS Tasks Management Processes ...

Page 363: ... the Configuration page 345 YANG Models page 353 Show Support Details SSD page 353 ConfD Examples page 354 CLI Based YANG Model for ECS Commands page 358 Feature Summary and Revision History Summary Data All Applicable Product s or Functional Area ASR 5500 VPC SI VPC DI Applicable Platform s Disabled Configuration Required Feature Default Not Applicable Related Changes in This Release ASR 5500 Sys...

Page 364: ...ONF Protocol Configuration Mode added bulkstats netconf and rest commands autosave config command obsoleted show confdmgrcommand added keywords model bulkstats and model confd show confdmgr command output expanded Pre 21 2 First introduced Overview StarOS provides a northbound NETCONF interface that supports a YANG data model for transferring configuration and operational data with the Cisco Netwo...

Page 365: ... supplied APIs Any updates via StarOS CLI are automatically synced back to the CDB YANG is a data modeling language for the NETCONF network configuration protocol It can be used to model both configuration data as well as state data of network elements YANG can also be used to define the format of event notifications emitted by network elements and it allows data modelers to define the signature o...

Page 366: ...nt NETCONF ConfD support requires that a V2 RSA SSH key be configured on the local context If an SSH key is not available StarOS generates an error message Failure The ConfD NETCONF server requires an RSA key on the local context You can run the show ssh key command to verify the existence of an SSH key on the system If an SSH key is not available see the Configuring SSH Options section of the Get...

Page 367: ...text Configuration mode For additional information see the NETCONF Protocol Configuration Mode Commands chapter of the Command Line Interface Reference bulkstats This NETCONF Protocol Configuration mode command enables bulkstats collection and reporting via REST interface By default this command is disabled The command syntax is bulkstats During StarOS statistics gathering bulk statistics are also...

Page 368: ... Any event that is of category critical info regardless of severity will also be converted to notifications Important netconf notifications snmp This NETCONF Protocol Configuration mode command enables SNMP alerts and alarms to be sent out as NETCONF notifications on the stream named StarOS_SNMP The command syntax is netconf notifications snmp Use no netconf notifications snmp to disable NETCONF n...

Page 369: ...e device otherwise the REST interface will not be enabled Important Use no rest auth policy to set the auth policy to none no authentication will be performed A change to the REST interface auth policy may result in a planned restart of ConfD and temporary loss of connectivity over the NETCONF and REST if still enabled interfaces Changes to global certificates which ConfD is using while REST is en...

Page 370: ...till enabled interfaces Changes to global certificates which ConfD is using while REST is enabled will also result in a restart of ConfD Important rest port This NETCONF Protocol Configuration mode command sets the REST interface port number The command syntax is rest port port_number where port_number must be an integer from 1 through 65535 Use no rest port to reset the port number to default 443...

Page 371: ...grep grep_options more Notes The confd keyword displays information about the ConfD engine based on the specified keyword in the following options cdb displays ConfD CDB information netconf displays NETCONF state information state displays current ConfD state information The model keyword displays information about the ConfD model based on the specified keyword in the following options bulkstats b...

Page 372: ...ng the notification for a configuration transaction Notifications Number of times ConfD has sent a configuration update to confdmgr For example this can occur as the result of a commit via confd_cli or during a trigger event Notification failures Number of times configuration received from ConfD was not processed successfully Trigger failures Number of times a CDB dump to confdmgr failed Replay fa...

Page 373: ...s group inspector nacm groups group operator nacm groups group secure_admin nacm rule list secure_admin group secure_admin rule any access action permit rule secure_admin_server_confd module name cisco staros cli config path context server confd access operations create read update action permit V nacm rule list inspector group inspector rule any access access operations read action permit local h...

Page 374: ...og creation time 2017 02 10T16 00 59 00 00 local host_name show confdmgr confd state See below for a sample output for show confdmgr confd state local host_name show confdmgr confd state confd state version 6 3 confd state epoll false confd state daemon status started confd state loaded data models data model cisco staros bulkstats revision 2016 12 14 namespace http www cisco com staros bulkstats ...

Page 375: ...amespace urn ietf params xml ns yang ietf yang library prefix yanglib exported to netconf rest confd state loaded data models data model ietf yang types revision 2013 07 15 namespace urn ietf params xml ns yang ietf yang types prefix yang exported to all confd state loaded data models data model netconf_netmod namespace urn ietf params xml ns netmod notification prefix nm exported to netconf confd...

Page 376: ...ts notification stream replay NETCONF replay support none confd state internal callpoints notification stream replay StarOS replay support builtin confd state internal cdb datastore running transaction id 1484 678453 229261 filename hd raid confd_dir var confd cdb A cdb disk size 3 16 KiB ram size 9 43 KiB read locks 0 write lock set false waiting for replication sync false confd state internal cd...

Page 377: ... the CLI as well as configuration loads from SCT NETCONF updates Number of bulkstats subscription notifications Aborts Number of times a configuration update via NETCONF was aborted Failures Number of errors detected processing any bulkstats configuration requests within confdmgr show confdmgr model confd See below for a sample output for show confdmgr model confd local host_name show confdmgr mod...

Page 378: ...not be erased unless the Context Configuration mode no server confd command is run in the local context to disable ConfD and NETCONF protocol support Note The following is a sample command sequence for clearing the CDB local host_name config local host_name config context local local host_name config ctx no server confd localhost_name config ctx end local host_name clear confdmgr confd cdb About t...

Page 379: ...yang file used to include all other cisco staros configuration models all native models are included here under a common namespace cisco staros exec yang Model to enable CLI exec operations via the restful interface Only users with admin credentials may use this model Used by ConfD locally to parse input cisco staros notif yang Model to enable NETCONF notification streams for StarOS event logging ...

Page 380: ...config confd rest auth policy peer fail local host_name config confd end local host_name show confdmgr State Information State Started Subscriptions 5 Last successful id 1488 211047 99241 Last failed id None Username Not configured Bulkstats Disabled Event notification level Disabled SNMP notifications Disabled REST interface authentication peer fail REST interface certificate rest cert REST inter...

Page 381: ...ient_cert client key cacert users user ssl_cert root_cert rootCA pem confd xmlns http www cisco com staros config xmlns y http tail f com ns rest xmlns staros_config http www cisco com staros config bulkstats false bulkstats netconf port 123 port netconf rest port 234 port auth policy peer fail auth policy certificate rest cert certificate rest confd Bulkstats The following examples show bulk stat...

Page 382: ...r collection interval timer configured for bulkstats Using Curl to Read Statistics See below for a sample use of curl to read statistics via the server ConfD RESTful interface user server curl u admin pswd https rtp mitg si06 cisco com 234 api operational bulkstats operational deep cert users user ssl_cert client_cert client crt key users user ssl_cert client_cert client key cacert users user ssl_...

Page 383: ...cert client crt key users user ssl_cert client_cert client key cacert users user ssl_cert root_cert rootCA pem X POST T exec_cli_show_version xml output xmlns http www cisco com staros exec result Active Software Image Version 21 2 M0 private Image Build Number private Image Description Developer_Build Image Date Thu Feb 23 15 25 47 EST 2017 Boot Image flash qvpc si bin confd Source Commit ID bd23...

Page 384: ...eset PID 2017 02 23 Local changes exist State Information State Started Subscriptions 5 Last successful id 1488 216669 170664 Last failed id None Username Not configured Bulkstats Enabled Event notification level Disabled SNMP notifications Disabled REST interface authentication peer fail REST interface certificate rest cert REST interface host name Not configured Interface Status Port NETCONF Ena...

Page 385: ...elow Step 1 Run Exec mode save configuration url confd to save the ConfD supported StarOS configuration data to a file on the flash device Step 2 Run Exec mode show configuration error to validate the saved configuration Correct any errors before applying the configuration Otherwise ConfD will reject the entire configuration Step 3 Run Exec mode configure confd url to apply the ConfD configuration...

Page 386: ...the local context to disable ConfD and NETCONF protocol support Note The following is a sample command sequence for clearing the CDB local host_name config local host_name config context local local host_name config ctx no server confd localhost_name config ctx end local host_name clear confdmgr confd cdb About to delete the ConfD configuration database The running configuration is NOT affected Ar...

Page 387: ...he configure confd command Supported StarOS ECS Configuration Commands For this release the following StarOS ECS commands are supported for the CLI based YANG model ruledef ruledef_name ip server ip address tcp ether port udp ether port tcp either port range udp ether port range tcp any match udp any match http url httpcookie http x header group of ruledefs ruledefs_group_name add ruledef priority...

Page 388: ...uledefs_group_name charging action charging_action_name indicates support for every option following the prior keyword value Note ASR 5500 System Administration Guide StarOS Release 21 5 362 NETCONF and ConfD Supported StarOS ECS Configuration Commands ...

Page 389: ...lity for encoding and decoding the checkpoint message The ICSR framework provides the APIs for transport of the instance level checkpoint information and associated statistics Macro checkpoints contain full session information and micro checkpoints contain only a few variables Macro checkpoints are sent initially from the active chassis to the standby chassis on power up and reload and periodicall...

Page 390: ...y ECS to delete or modify a rule on the standby chassis Time based Yes Frequency 30 minutes Event based Yes Events Occurs 1 When a new rule is added or deleted on the active chassis 2 Every 30 minutes if the ECS is registered for periodic micro checkpointing Accounting Delta Cumulative Related CLI command show session subsystem facility sessmgr instance instance no debug info and show srp micro ch...

Page 391: ...sessmgr instance instance no debug info Micro checkpoints This section lists and briefly describes the characteristics of micro checkpoints by application category Micro checkpoints are listed in alphabetical order under the following categories Uncategorized on page 366 DCCA Category on page 367 ECS Category on page 367 ePDG Category on page 371 Firewall ECS Category on page 373 GGSN Category on ...

Page 392: ...S_UCKKPT_CMD_UPDATE_CLPSTATS This micro checkpoint sends VoLTE data statistics Time based Yes Frequency Event based Yes Events Occurs during ICSR background checkpointing A chassis switchover triggers the sending of VoLTE data stats Accounting Delta Cumulative CMD ID 4 Related CLI command None SESS_UCHKPT_CMD_UPDATE_IDLESECS This micro checkpoint sends remaining number of seconds before idle timeo...

Page 393: ...int CCA Assume positive state transitions Accounting Yes Delta Cumulative Cumulative CMD ID 19 Related CLI command None ECS Category SESS_UCHKPT_CMD_ACS_CALL_INFO This micro checkpoint sends critical ECS call level data Time based Yes Frequency Event based Yes Events Occurs whenever ECS call level information is created or modified Accounting No Delta Cumulative N A CMD ID 179 Related CLI command ...

Page 394: ...r related data Time based Yes Frequency Event based Yes Events Occurs whenever ECS bearer information is created or modified Accounting No Delta Cumulative N A CMD ID 33 Related CLI command None SESS_UCHKPT_CMD_DEL_ACS_CALL_INFO This micro checkpoint notifies that a Release Call event has occurred Time based No Frequency N A Event based Yes Events Occurs whenever an ECS Release Call message is pro...

Page 395: ...ed by ECS Time based Yes Frequency Event based Yes Events Occurs whenever dynamic charging action information is created or modified Accounting No Delta Cumulative N A CMD ID 141 Related CLI command None SESS_UCHKPT_CMD_DYNAMIC_CHRG_DEL_CA_INFO This micro checkpoint notifies that a dynamic charging action has been deleted Time based No Frequency N A Event based Yes Events Occurs whenever a dynamic...

Page 396: ...information maintained by ECS Time based Yes Frequency Event based Yes Events Occurs whenever dynamic QoS group information is created or modified Accounting No Delta Cumulative N A CMD ID 140 Related CLI command None SESS_UCHKPT_CMD_DYNAMIC_RULE_DEL_INFO This micro checkpoint notifies that a dynamic rule has been deleted Time based No Frequency Event based Yes Events Occurs whenever a dynamic rul...

Page 397: ...point synchronizes deleted ePDG bearers between the active and standby chassis Time based No Frequency N A Event based Yes Events N A Accounting Yes Delta Cumulative Cumulative CMD ID 110 Related CLI command show srp micro checkpoint statistics debug info SESS_UCHKPT_CMD_UPDATE_EPDG_BEARER This micro checkpoint synchronizes ePDG bearers between the active and standby chassis Time based No Frequenc...

Page 398: ...CMD_UPDATE_EPDG_REKEY This micro checkpoint synchronizes ePDG rekey statistics between the active and standby chassis Time based Yes Frequency 30 seconds Event based No Events N A Accounting Yes Delta Cumulative Cumulative CMD ID 110 Related CLI command show srp micro checkpoint statistics debug info SESS_UCHKPT_CMD_UPDATE_EPDG_STATS This micro checkpoint synchronizes session statistics between th...

Page 399: ...d stateful firewall access rules Accounting No Delta Cumulative N A CMD ID 186 Related CLI command None SESS_UCHKPT_CMD_SFW_RULE_INFO This micro checkpoint notifies the addition of dynamically enabled stateful firewall SFW access rules Time based No Frequency N A Event based Yes Events Occurs whenever PCRF sends a command to enable the predefined SFW access rules Accounting Yes Delta Cumulative Cu...

Page 400: ...s checkpoint is sent upon expiry of this timer Time based Yes Frequency RPR timer Event based Yes Events Occurs when the secondary bearer creation RPR timer expires Accounting Delta Cumulative CMD ID 118 Related CLI command SESS_UCHKPT_CMD_GGSN_UPDATE_SESSION This micro checkpoint is sent in a Network or UE initiated update procedure except for updates that result in the following scenarios Creati...

Page 401: ... micro checkpoint periodically sends session statistics Time based Yes Frequency Every five minutes Event based No Events N A Accounting Yes Delta Cumulative Cumulative CMD ID 116 Related CLI command None SESS_UCHKPT_CMD_UPDATE_COA_PARAMS This micro checkpoint updates input and output ACL parameters Time based Frequency Event based Yes Events COA Change of Authorization response Accounting Delta C...

Page 402: ...sion related information Time based No Frequency N A Event based Yes Events Triggered on receiving CCA I U or RAR from PCRF Accounting Yes Delta Cumulative Cumulative CMD ID 137 Related CLI command None NAT Category SESS_UCHKPT_CMD_GR_UPDATE_NAT_REALM_PORT_INFO1 This micro checkpoint is sent when a port chunk is allocated or deallocated for a subscriber sharing a NAT IP address with other subscrib...

Page 403: ... allocated during call setup and this micro checkpoint is sent Time based No Frequency N A Event based Yes Events Triggered when a NAT IP address is allocated to or deallocated from a subscriber Accounting No Delta Cumulative N A CMD ID 45 Related CLI command None SESS_UCHKPT_CMD_NAT_SIP_ALG_CALL_INFO This micro checkpoint is sent when a new SIP flow is created or deleted for a subscriber while SI...

Page 404: ... to pace 10 micro checkpoints whenever the timer fires granularity 2 sec This only occurs if there are new flows that need to be micro checkpointed Otherwise no micro micro checkpoints are sent Time based No Frequency See explanation above Event based Yes Events Triggered when a new NAT flow is created or deleted Accounting No Delta Cumulative N A CMD ID 96 Related CLI command None SESS_UCHKPT_CMD...

Page 405: ...No Frequency N A Event based Yes Events Triggered when the S GW sets the Over Charging Protection Bit Accounting No Delta Cumulative N A CMD ID 159 Related CLI command None SESS_UCHKPT_CMD_PGW_SGWRESTORATION_INFO This micro checkpoint indicates the interval that a call will remain up when the S GW is down Time based No Frequency N A Event based Yes Events Triggered when the S GW goes into Restorat...

Page 406: ... a UBR or MBR procedure Accounting No Delta Cumulative N A CMD ID 193 Related CLI command show srp checkpoint statistics active verbose and show session subsystem facility sessmgr instance instance_number debug info SESS_UCHKPT_CMD_PGW_UPDATE_APN_AMBR Reserved for future use SESS_UCHKPT_CMD_PGW_UPDATE_INFO Reserved for future use SESS_UCHKPT_CMD_PGW_UPDATE_LI_PARAM This micro checkpoint indicates ...

Page 407: ...Every five minutes Event based No Events N A Accounting Yes Delta Cumulative Cumulative CMD ID 65 Related CLI command None Rf Interface Category SESS_UCHKPT_CMD_ACS_ACCOUNTING_TYPE_QCI_RF This micro checkpoint indicates a change in the SDF QCI based Rf accounting buckets Time based Yes Frequency 4 seconds for aamgr checkpoint and 18 seconds for GR checkpoint Event based No Events N A Accounting Ye...

Page 408: ...ates a change in the SDF based Rf accounting buckets Time based Yes Frequency 4 seconds for aamgr checkpoint and 18 seconds for GR checkpoint Event based No Events N A Accounting Yes Delta Cumulative Cumulative CMD ID 125 Related CLI command None SESS_UCHKPT_CMD_ACS_ACCOUNTING_TYPE_RATING_GROUP_RF_WITH_FC This micro checkpoint indicates complete SDF based Rf accounting buckets Time based Yes Frequ...

Page 409: ...elta Cumulative N A CMD ID 202 Related CLI command None SaMOG Category SESS_UCHKPT_CMD_CGW_DELETE_BEARER Reserved for future use SESS_UCHKPT_CMD_CGW_DELETE_PDN This micro checkpoint indicates a PDN connection has been deleted Time based No Frequency N A Event based Yes Events Occurs whenever SaMOG sends a Delete Session Req or upon receiving a Delete Bearer Request Accounting No Delta Cumulative N...

Page 410: ...a change in APN AMBR Time based No Frequency N A Event based Yes Events Occurs when a change in APN AMBR is received from the P GW due to a reauthorization AAR Received from AAA Server or Update Bearer Request Accounting No Delta Cumulative N A CMD ID 168 Related CLI command show subscriber samog only full SESS_UCHKPT_CMD_CGW_UPDATE_STATS Reserved for future use SESS_UCHKPT_CMD_CGW_UPDATE_UE_PARAM...

Page 411: ...T request is received from the WLC Accounting No Delta Cumulative N A CMD ID 174 Related CLI command show subscriber samog only full SESS_UCHKPT_CMD_SAMOG_EOGRE_TUNNEL_INFO This micro checkpoint is sent for an Inter RG handoff for EoGRE subscriber sessions This checkpoint updates the VMAC Address and WLC EoGRE tunnel end point address Time based No Frequency N A Event based Yes Events Occurs whene...

Page 412: ...e subscriber session is in Handoff state Time based No Frequency N A Event based Yes Events Occurs on completion of Re Authentication for an existing SaMOG subscriber session currently in Handoff state Accounting No Delta Cumulative N A CMD ID 176 Related CLI command show subscriber samog only full SESS_UCHKPT_CMD_SAMOG_HANDOFF_INIT_INFO This micro checkpoint is sent for a SaMOG session on receipt...

Page 413: ..._TIMER_INFO This micro checkpoint updates the Binding Cache Life timer and MIPv6 biding status for a SaMOG session Time based No Frequency N A Event based Yes Events Occurs whenever a PMIPv6 PBU is received with a lifetime of zero from the WLC Accounting No Delta Cumulative N A CMD ID 190 Related CLI command show subscriber samog only full SESS_UCHKPT_CMD_SAMOG_MULTI_ROUND_AUTHEN_INFO This micro c...

Page 414: ...uthentication for an existing SaMOG subscriber session Accounting No Delta Cumulative N A CMD ID 172 Related CLI command show subscriber samog only full SESS_UCHKPT_CMD_SAMOG_REAUTHOR_INFO This micro checkpoint is sent for a SaMOG session when subscriber Re authorization is completed Time based No Frequency N A Event based Yes Events Occurs on receiving and successfully processing AAR from the AAA...

Page 415: ...fer to the Command Line Interface Reference or the online Help for the command The table below also indicates default and non default strings It reflects the output sequence of the show support collection definitions command Table 29 ASR 5500 SDR CLI Command Strings Command String Default SDR No show version verbose Enabled 0 show clock Enabled 1 show clock universal Enabled 2 show configuration E...

Page 416: ...23 debug hdctrl client list Enabled 24 show card info Disabled 25 show card diag Enabled 26 show card table all Enabled 27 show port table all Enabled 28 show port info Enabled 29 show port utilization table Enabled 30 show data path congestion Enabled 31 show npu details Disabled 32 show lagmgr details Disabled 33 show fans Enabled 34 show hardware version fans Disabled 35 show power chassis Enab...

Page 417: ...stdump list Disabled 55 show persistdump display Disabled 56 show snmp trap history verbose Enabled 57 show snmp trap statistics verbose Disabled 58 show logs Enabled 59 show messenger settings Disabled 63 show messenger nameservice Enabled 64 show messenger statistics Enabled 65 show messenger bounces Enabled 66 debug limits checkup detailed Disabled 67 show plugin Disabled 68 show module Disable...

Page 418: ... statistics Disabled 87 show operator policy all Disabled 88 show call control profile all Disabled 89 show apn profile all Disabled 90 show imei profile all Disabled 91 show gprs service all Disabled 92 show iups service all Disabled 93 show sgtp service all Disabled 94 show map service all Disabled 95 show gs service all Disabled 96 show ggsn service all Disabled 97 show ggsn service sgsn table ...

Page 419: ...ed 123 show srp checkpoint statistics verbose Disabled 124 show srp checkpoint statistics sessmgr all Disabled 125 show srp checkpoint statistics ipsecmgr all Disabled 126 show srp checkpoint statistics sessmgr all write list stats Enabled 127 show srp monitor Disabled 128 show srp monitor all Enabled 129 show srp monitor diameter debug Disabled 130 show srp statistics Enabled 131 show srp call lo...

Page 420: ... Disabled 150 show global title translation association Disabled 151 show global title translation address map Disabled 152 show egtpc peers Enabled 153 show egtpc statistics interface mme Disabled 154 show egtpc statistics interface sgsn Enabled 155 show egtpc statistics interface sgw ingress Enabled 156 show egtpc statistics interface sgw egress Enabled 157 show egtpc statistics interface pgw in...

Page 421: ...183 show pdg service statistics Disabled 184 show hnbgw sessmgr all memory statistics Disabled 185 show hnbgw sessmgr all internal statistics Disabled 186 show hnbgw disconnect reasons Disabled 187 show cs network statistics Disabled 188 show ps network statistics Disabled 189 show hnbgw statistics Disabled 190 show hnbgw counters Disabled 191 show demux mgr statistics hnbmgr full Disabled 192 sho...

Page 422: ...d 213 show gtpp storage server Disabled 214 show gtpp storage server statistics verbose Disabled 215 show gtpp storage server local file statistics verbose Disabled 216 show gtpp storage server local file counters all Disabled 217 show gtpp storage server streaming file statistics verbose Disabled 218 show gtpp storage server streaming file counters all Disabled 219 show gtpp group all Disabled 22...

Page 423: ...ing service all Disabled 249 show active charging tcp proxy statistics all verbose debug info Disabled 250 show active charging edr udr file flow control counters verbose debug only Disabled 251 show active charging service statistics Disabled 252 show active charging analyzer statistics Disabled 253 show active charging dns learnt ip addresses statistics sessmgr all verbose Disabled 254 show acti...

Page 424: ...ip Disabled 275 debug acsmgr show flow stats max simultaneous flows tcp Disabled 276 debug acsmgr show flow stats max simultaneous flows udp Disabled 277 debug acsmgr show flow stats duration based all flows Disabled 278 debug acsmgr show flow stats duration based tcp Disabled 279 debug acsmgr show flow stats duration based udp Disabled 280 debug acsmgr show flow stats lifetime based all flows Dis...

Page 425: ...info Disabled 305 show active charging nat statistics Disabled 306 show demuxmgr statistics asngwmgr all Disabled 307 show asngw service all Disabled 308 show asngw service statistics verbose Disabled 309 show demuxmgr statistics asnpcmgr all Disabled 310 show asnpc service all Disabled 311 show asnpc service statistics verbose Disabled 312 show demuxmgr statistics phsgwmgr all Disabled 313 show p...

Page 426: ... Disabled 332 show ims authorization service statistics Disabled 333 show ims authorization policy control statistics Disabled 334 show ims authorization policy control statistics debug info Disabled 335 show local policy statistics summary Disabled 336 show rohc statistics Disabled 337 show dns client statistics Disabled 338 show hss peer service service all Disabled 339 show ipms status all Disa...

Page 427: ...stion control statistics mme full Disabled 360 show congestion control statistics imsimgr all full Disabled 361 show ge switch counters second sample Enabled 362 ethtool S cpeth Enabled 363 show cli history Disabled 365 card cpu boxer summary Disabled 366 show sls service all Disabled 367 show sls service peers all Disabled 368 show sls service statistics all Disabled 369 Notes Enabled Included in...

Page 428: ...ASR 5500 System Administration Guide StarOS Release 21 5 402 ASR 5500 SDR CLI Command Strings ASR 5500 SDR CLI Command Strings ...

Page 429: ...m with the code When the code later executes it can self validate by using the same algorithm to create its own signature and compare to the pre computed stored signature or some other system element can do this signature calculation and check A Trusted Element in the scope of system software is a piece of code that is known to be authentic Trusted code is either immutable stored in such a way to ...

Page 430: ...signed boot images but they will ignore the signature Important Image Naming Conventions To distinguish signed from unsigned images Release Engineering adds suffixes to build names for images that are signed For example asr5500 20 0 0 bin SPA indicates a Release key signed as deployable in a customer network Verifying Authenticity The Exec mode show software authenticity command displays informati...

Reviews:

No comments