manualshive.com logo in svg

Cisco SCE8000 GBE, Configuration Manual, Page: 205 / 262

Share
Download
Cisco SCE8000 GBE Configuration Manual Download Page 205

10-17

Cisco SCE8000 Software Configuration Guide, Rel 3.1.6S

OL-16479-01

Chapter 10      Identifying and Preventing Distributed-Denial-Of-Service Attacks

  Subscriber Notifications

Subscriber Notifications 

  •

Configuring the Subscriber Notification Port, page 10-17

  •

How to Remove the Subscriber Notification Port, page 10-17

Subscriber notification is a capability used- for notifying a subscriber in real-time about current attacks 
involving IP addresses mapped to that subscriber. Subscriber notification is configured on a 
per-attack-detector level, as explained above, and must also be enabled and configured by the application 
loaded to the SCE platform, as explained in the appropriate Service Control Application user guide.

In the current solutions, the SCE Platform notifies the subscriber about the attack by redirecting HTTP 
flows originating from the subscriber to the service provider’s server, that should notify the subscriber 
that he is under attack. This raises a question regarding TCP attacks originating from the subscriber that 
are configured with block action. Such attacks cannot normally be notified to the subscriber using HTTP 
redirection, since all HTTP flows originating from the subscriber are TCP flows, and they are therefore 
blocked along with all other attack flows. To enable effective use of HTTP redirect, there is a CLI 
command that prevents blocking of TCP flows originating from the subscriber to a specified TCP port, 
even when the above scenario occurs.

Configuring the Subscriber Notification Port  

You can define a port to be used as the subscriber notification port. The attack filter will never block TCP 
traffic from the subscriber side of the SCE platform to this port, leaving it always available for subscriber 
notification.

Options  

The following option is available:

  •

portnumber 

— the number of the port to be used as the subscriber notification port

Step 1

From the SCE(config if)# prompt, type 

attack-filter subscriber-notification ports

 

portnumber 

and 

press 

Enter

.

How to Remove the Subscriber Notification Port  

Step 1

From the SCE(config if)# prompt, type 

no attack-filter subscriber-notification ports

 

and press 

Enter

.

Summary of Contents for SCE8000 GBE

Page 1: ...tems Inc 170 West Tasman Drive San Jose CA 95134 1706 USA http www cisco com Tel 408 526 4000 800 553 NETS 6387 Fax 408 527 0883 Cisco SCE8000 Software Configuration Guide Release 3 1 6S February 15 2011 Text Part Number OL 16479 01 ...

Page 2: ...AIM ALL WARRANTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT O...

Page 3: ...sco Service Control Capabilities 1 2 SCE Platform Description 1 3 Management and Collection 1 4 Network Management 1 5 Subscriber Management 1 5 Service Configuration Management 1 6 Data Collection 1 6 C H A P T E R 2 Command Line Interface 2 1 Getting Help 2 1 Authorization and Command Levels Hierarchy 2 2 CLI Command Hierarchy 2 3 Prompt Indications 2 5 CLI Help Features 2 6 Partial Help 2 6 Arg...

Page 4: ...ace Configuration mode 2 15 Entering Line Interface Configuration Mode 2 16 How to navigate from one Interface Configuration Mode to another 2 16 The do Command Executing Commands Without Exiting 2 16 Creating a CLI Script 2 17 C H A P T E R 3 Basic Cisco SCE8000 Platform Operations 3 1 Starting the Cisco SCE8000 Platform 3 1 Checking Conditions Prior to System Startup 3 1 Starting the System and ...

Page 5: ...Directory 4 2 How to Change Directories 4 2 How to Display your Working Directory 4 2 How to List the Files in a Directory 4 2 Working with Files 4 3 How to Rename a File 4 3 How to Delete a File 4 3 Copying Files 4 4 How to Display File Contents 4 5 How to Unzip a File 4 5 The User Log 4 5 The Logging System 4 5 Copying the User Log 4 6 Enabling and Disabling the User Log 4 6 Viewing the User Log...

Page 6: ...S Client 5 9 How to Manage the User Database 5 12 Configuring AAA Login Authentication 5 16 Configuring AAA Privilege Level Authorization Methods 5 17 Configuring AAA Accounting 5 18 Monitoring TACACS Servers 5 19 Monitoring TACACS Users 5 19 Configuring Access Control Lists ACLs 5 19 About Access Control Lists 5 20 Options 5 20 How to Add Entries to an ACL 5 21 How to Remove an ACL 5 21 How to En...

Page 7: ...IP Routing Table 5 34 IP Advertising 5 35 Configuring IP Advertising 5 36 How to Display the Current IP Advertising Configuration 5 37 How to Configure the IP Address of the Management Interface 5 37 Options 5 37 Configuring the IP Address of the Management Interface Example 5 37 Configuring Time Clocks and Time Zone 5 38 Displaying the System Time 5 38 Displaying the System Time Example 5 38 Disp...

Page 8: ...5 46 Options 5 46 Adding Hosts to Removing them from the Host Table Examples 5 46 How to Display Current DNS Settings 5 46 Displaying Current DNS Settings Example 5 46 C H A P T E R 6 Configuring the Line Interface 6 1 Line Interfaces 6 1 Flow Control and Bandwidth Considerations 6 1 Maximum Packet Size 6 1 How to Configure the Ten Gigabit Ethernet Line Interfaces 6 2 Tunneling Protocols 6 2 Selec...

Page 9: ...16 Counting Dropped Packets 6 16 About Counting Dropped Packets 6 16 Disabling the Hardware Packet Drop 6 17 C H A P T E R 7 Configuring the Connection 7 1 Configuring the Connection Mode 7 1 Options 7 1 Configuring the Connection Mode Example 7 2 Monitoring the Connection Mode 7 2 Monitoring the Connection Mode Example 7 3 Configuring the Link Mode 7 3 About the Link Mode 7 3 Options 7 3 External...

Page 10: ...ecovery Mode 7 11 Options 7 12 Configure the Failure Recovery Mode Examples 7 12 Configuring the SCE Platform SM Connection 7 12 Configuring the Behavior of the SCE Platform in Case of Failure of the SM 7 13 Options 7 13 Configuring the SM SCE Platform Connection Timeout 7 13 Options 7 13 C H A P T E R 8 Raw Data Formatting The RDR Formatter and NetFlow Exporting 8 1 RDR Formatter and NetFlow Expo...

Page 11: ...o Add a Mapping to a Category 8 15 How to Remove a Mapping from a Category 8 15 How to Restore the Default Mapping for a Specified RDR Tag 8 15 Displaying Data Destination Configuration and Statistics 8 16 How to the Display the Current RDR Formatter Configuration 8 16 Displaying the RDR Formatter Configuration Example 8 16 How to the Display the Current RDR Formatter Statistics 8 17 Displaying th...

Page 12: ...mous Groups 9 10 Options 9 10 How to Export Anonymous Groups 9 10 Options 9 10 Monitoring Subscribers 9 10 How to Monitor the Subscriber Database 9 11 How to Display the Subscriber Database Counters 9 11 Clearing the Subscriber Database Counters 9 12 Displaying Subscribers 9 12 Displaying Subscribers All Current Subscriber Names 9 13 Displaying Subscribers By Subscriber Property or Prefix 9 13 How...

Page 13: ...Display Aging for Anonymous Group Subscribers 9 22 How to Display Aging for Introduced Subscribers 9 22 Configuring the SCE Platform SM Connection 9 23 Options 9 23 How to Configure the Behavior of the SCE Platform in Case of Failure of the SM 9 23 How to Configure the SM SCE Platform Connection Timeout 9 23 C H A P T E R 10 Identifying and Preventing Distributed Denial Of Service Attacks 10 1 Att...

Page 14: ...ues 10 15 How to Disable a Specific Attack Detector 10 15 How to Disable All Non default Attack Detectors 10 15 How to Disable All Attack Detectors 10 16 Sample Attack Detector Configuration 10 16 Subscriber Notifications 10 17 Configuring the Subscriber Notification Port 10 17 Options 10 17 How to Remove the Subscriber Notification Port 10 17 Preventing and Forcing Attack Detection 10 18 Options ...

Page 15: ...oyment Scenarios 11 3 Single ISG Router with a Single SCE Platform 1xISG 1xSCE 11 3 Multiple ISG Routers with Multiple SCE Platforms via Load Balancing NxISG MxSCE 11 4 SCMP Peer Devices 11 4 Connection Management 11 5 SCMP Subscriber Management 11 6 GUID and Subscriber ID 11 6 Configuring the SCMP 11 6 Configuring SCMP Parameters 11 6 How to Enable the SCMP 11 7 How to Disable the SCMP 11 7 How t...

Page 16: ...fied SCMP peer device 11 14 How to display the statistics for all SCMP peer devices 11 14 How to display the statistics for a specified SCMP peer device 11 15 Monitoring the RADIUS Client 11 15 A P P E N D I X A Cisco Service Control MIBs A 1 MIB Files A 1 Loading MIBs A 4 pcube to Cisco MIB Mapping A 4 Pcube Engage MIB CISCO SCA BB MIB A 5 pcube to Cisco MIB Mapping Detailed OID Mappings A 5 A P ...

Page 17: ...sion Cisco Service Control Release and Date Change Summary OL 16479 01 3 1 6S February 15 2011 Updated Appendix A OL 16479 01 3 1 6S May 6 2010 Republished OL 16479 01 3 1 6S June 2008 Created the Cisco SCE8000 Software Configuration Guide Section Title Description 1 Cisco Service Control Overview page 1 1 Overview of SCE platform management 2 Command Line Interface page 2 1 Detailed explanation o...

Page 18: ...age 7 1 Explanation of how to configure the connection mode link mode and failure behaviors 8 Raw Data Formatting The RDR Formatter and NetFlow Exporting page 8 1 Explanation of how to configure the connection mode link mode and failure behaviors 9 Managing Subscribers page 9 1 Explanation of how to import and export subscriber information and how to monitor subscribers 10 Identifying and Preventi...

Page 19: ...shipped with your SCE8000 platform Conventions This document uses the following conventions Note Means reader take note Tip Means the following information will help you solve a problem Convention Indication bold font Commands and keywords and user entered text appear in bold font italic font Document titles new or emphasized terms and arguments for which you supply values are in italic font Eleme...

Page 20: ... bodily injury Obtaining Documentation and Submitting a Service Request For information on obtaining documentation submitting a service request and gathering additional information see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in...

Page 21: ...dware and specific software solutions that address various operational and business related challenges Service providers can use the SCE platform to support classification analysis and control of Internet and IP traffic Service control enables service providers to Capitalize on existing infrastructure Analyze charge for and control IP network traffic at multigigabit wire line speeds Identify and t...

Page 22: ...olutions include Subscriber and application awareness Application level drilling into IP traffic for real time understanding and controlling of usage and content at the granularity of a specific subscriber Subscriber awareness The ability to map between IP flows and a specific subscriber to maintain the state of each subscriber transmitting traffic through the SCE platform and to enforce the appro...

Page 23: ...rms provide real time classification of network use The classification provides the basis of the SCE platform advanced traffic control and bandwidth policing functionality Where most bandwidth control functionality ends the SCE platform provides further control and shaping options including Layer 7 stateful wire speed packet inspection and classification Robust support for more than 600 protocols ...

Page 24: ...work management Subscriber management Service Configuration management These management interfaces are designed to comply with common management standards and to integrate easily with existing OSS infrastructure Figure 1 2 LINK RX Cisco SCE 2000 Series 4xGBE TX RX MM TX LINK RX TX RX MM TX LINK RX TX RX MM TX LINK RX TX RX MM TX GBE 1 SUB LINE NET PWR B STATUS PWR A BYPASS 10 100 1000 LINK ACTIVE ...

Page 25: ...ween OSS and SCE platforms Subscriber information is stored in the SM database and can be distributed between multiple platforms according to actual subscriber placement The SM provides subscriber awareness by mapping network IDs to subscriber IDs It can obtain subscriber information using dedicated integration modules that integrate with AAA devices such as RADIUS or DHCP servers Subscriber infor...

Page 26: ...ons of the SCE platform result in the generation of Raw Data Records RDRs which the SCE platform forwards using a simple TCP based protocol RDR Protocol 2 RDRs are processed by the Cisco service control management suite collection manager 3 The collection manager software is an implementation of a collection system that receives RDRs from one or more SCE platforms It collects these records and pro...

Page 27: ...e The SCE platform supports up to eleven concurrent CLI sessions five sessions initiated by Telnet connection five sessions via SSH connection and one session on the console port Getting Help page 2 1 Authorization and Command Levels Hierarchy page 2 2 CLI Help Features page 2 6 Navigational and Shortcut Features page 2 7 Managing Command Output page 2 9 CLI Authorization Levels page 2 11 Exiting ...

Page 28: ...ry For example to configure parameters related to the Line Card you need to be within the Linecard Interface Configuration Mode See CLI Command Hierarchy page 2 3 The following sections describe the available Authorization and Command Hierarchy Levels and how to maneuver within them The on screen prompt indicates both your authorization level and your command hierarchy level as well as the assigne...

Page 29: ...utomatically moves you to Privileged Exec mode To move to any of the configuration modes you must enter commands specific to that mode A telnet session begins with a request for password and will not continue until the proper user password is supplied This enhances the security of the system by not revealing its identity to unauthorized people The list of available commands in each mode can be vie...

Page 30: ...h the system supports up to five concurrent Telnet connections you cannot configure them separately This means that any number you enter in the line vty command 0 1 2 3 or 4 will act as a 0 and configure all five connections together Note In order for the auto completion feature to work when you move from one interface configuration mode to another you must first exit the current interface configu...

Page 31: ... global configuration mode SCE configure SCE config clock timezone PST 10 SCE config interface GigabitEthernet 1 1 SCE config if speed 100 SCE config if exit SCE config interface Linecard 0 SCE config if link mode forwarding SCE config if exit SCE config exit sce Prompt Indications The on screen prompt indicates your authorization level your command hierarchy level and the assigned host name The s...

Page 32: ...tial help because it lists only the keywords or arguments that begin with the abbreviation you entered Example The following example illustrates how typing c displays all available arguments that start with the letter c SCE config snmp server c Communitycontact SCE config snmp server c Argument Help To obtain a list of command s associated keywords or parameters type a question mark in place of a ...

Page 33: ... often shown as no to denote it is optional For example the command service telnetd enables the telnet server while the no service telnetd command disables the telnet server Navigational and Shortcut Features Command History page 2 7 Keyboard Shortcuts page 2 8 Tab Completion page 2 9 FTP User Name and Password page 2 9 Command History CLI maintains a history buffer of the most recent commands you...

Page 34: ...s Description Shortcut key Navigational shortcuts Move cursor one character to the right CTRL F Move cursor one character to the left CTRL B Move cursor one word to the right forward ESC F Move cursor one word to the left backward ESC B Move cursor to the start of the line CTRL A Move cursor to the end of the line CTRL E Editing shortcuts Delete the character where the cursor is located CTRL D Del...

Page 35: ...assword CLI enables saving FTP user name and password to be used in FTP operations download and upload per session These settings are effective during the current CLI session The following example illustrates how to set FTP password and user name and the use in these settings for getting a file named config tmp from a remote station using FTP protocol sce ip FTP password pw123 sce ip FTP username ...

Page 36: ...tput You can filter the output of certain commands such as show more and dir so that output lines are displayed only if they include or exclude a specified expression The filtering options are as follows include Shows all lines that include the specified text exclude Does not show any lines that include the specified text begin Finds the first line that includes the specified text and shows all li...

Page 37: ...rization A higher level of authorization is accessed by logging in with appropriate password as described in the procedures below In each authorization level all the commands of the lower authorization layers are available in addition to commands that are authorized only to the current level The following CLI commands are related to authorization levels enable disable Each authorization level has ...

Page 38: ... How to log in with Root level authorization Step 1 Initiate a telnet connection Step 2 A Password prompt appears Type in the user level password and press Enter The SCE prompt appears You now have user level authorization Step 3 From the SCE prompt type enable 15 and press Enter The system prompts for a password by showing the prompt Password Step 4 Type in the password for the Root level and pre...

Page 39: ...onfig prompt type exit and press Enter The appropriate prompt for the previous level appears Example This example illustrates how to change the authorization level from User to Root and then revert back to Admin No password is required for moving to a lower authorization level SCE config if exit SCE config Navigating Between Configuration Modes Entering and Exiting Global Configuration Mode page 2...

Page 40: ...components that are configured by the Interface Configuration Modes are Card Linecard Interface Linecard 0 The Linecard interface configures the main functionality of viewing and handling traffic on the line Ports See Configuring the Ports page 2 14 Telnet Line Configuration Mode Line vty 0 The Line Configuration Mode enables you to configure Telnet parameters Configuring the Ports Refer to the fo...

Page 41: ... The SCE config if prompt appears The system prompt changes to reflect the higher level mode How to Return to the Global Configuration mode Step 1 Type exit and press Enter How to Enter Linecard Interface Configuration mode The following procedure is for entering LineCard Interface Configuration mode The procedures for entering the other interfaces are the same except for the interface command as ...

Page 42: ... 1 Type exit and press Enter You are returned to the Global Configuration Mode Step 2 Type the appropriate command to enter a different Interface Configuration Mode The do Command Executing Commands Without Exiting There are four configuration command modes Global configuration mode Management interface configuration mode Interface configuration mode Line configuration mode When you are in one of ...

Page 43: ...ure filename scr where filename scr is the name of the script with a scr file extension Step 2 Perform the actions you want to be included in the script Step 3 Type script stop The system saves the script The following is an example of recording a script for upgrading software sce script capture upgrade scr sce configure SCE config boot system new pkg Verifying package file Package file verified O...

Page 44: ...2 18 Cisco SCE8000 Software Configuration Guide Rel 3 1 6S OL 16479 01 Chapter 2 Command Line Interface Creating a CLI Script ...

Page 45: ...Shutting Down the SCE Platform page 3 14 Starting the Cisco SCE8000 Platform The procedures for starting the Cisco SCE8000 platform are explained in the following sections Checking Conditions Prior to System Startup page 3 1 Starting the System and Observing Initial Conditions page 3 2 Final Tests page 3 2 Checking Conditions Prior to System Startup Check the following conditions before you start ...

Page 46: ...he AC power source or make sure the circuit breakers at the DC panels are turned to the on position Turn on the switches on both power supplies Step 3 Listen for the fans you should immediately hear them operating Step 4 During the boot process observe the following LEDs on the SCE8000 SCM E The Power LEDs should be green Optical Bypass LED should be green while the Cisco SCE8000 is in bypass and ...

Page 47: ...ation status is Warning Description 1 Power Supply problem 2 Line feed problem 3 Amount of External bypass devices detected is lower than expected amount How to View the User Log Counters View the user log for errors that occurred during the installation process Step 1 At the SCE prompt type show logger device user file log counters and press Enter Examples for Viewing the User Log Counters The fo...

Page 48: ...y 11 2008 cli type 1 version 1 no management agent notifications notification list 1417 1418 804 815 1404 1405 1406 1407 1408 400 no management agent notifications notification list 402 421 440 441 444 445 446 450 437 457 no management agent notifications notification list 3593 3594 3595 10040 snmp server community public ro RDR formatter forwarding mode multicast RDR formatter destination 10 56 9...

Page 49: ...interfaces for the purpose of configuration and management All interfaces supply an API to the same database of the SCE platform and any configuration made through one interface is reflected through all interfaces Furthermore when saving the running configuration to the startup configuration from any management interface all configuration settings are saved regardless of the management interface u...

Page 50: ...k filter subscriber notification ports 80 replace spare memory code bytes 3145728 interface GigabitEthernet 1 1 ip address 10 56 96 46 255 255 252 0 interface TenGigabitEthernet 3 0 0 bandwidth 10000000 burst size 50000 global controller 0 name Default Global Controller interface TenGigabitEthernet 3 1 0 bandwidth 10000000 burst size 50000 global controller 0 name Default Global Controller interfa...

Page 51: ...iguration you want to restore Note You cannot undo the configuration restore command Step 3 Type copy system config tx1 system config txt The system sets the startup configuration to the configuration from config tx1 Example for Restoring a Previous Configuration The following example displays a saved configuration file and then restores the file to overwrite the current configuration SCE more sys...

Page 52: ...gement framework install activated package SCA BB management agent property com pcube management framework install activated version 3 1 6 build 79 management agent property com pcube management framework install activation date Sun May 11 08 44 04 GMT 00 00 2008 flow filter partition name ignore_filter first rule 4 num rules 32 flow filter partition name udpPortsToOpenBySw first rule 40 num rules...

Page 53: ...pld 0xa1b7 cpld ufm 0xa803 summit 0x10007 cf Model SMART CF FwRev 0x20060811 Size 4062240KB CFC 0 board type P2 cpus 3 cpu 0 SVR 0x80900121 cpu 0 PVR 0x80040202 cpu 0 freq 1500MHz cpu 1 SVR 0x80900121 cpu 1 PVR 0x80040202 cpu 1 freq 1500MHz cpu 2 SVR 0x80900121 cpu 2 PVR 0x80040202 cpu 2 freq 1500MHz cpu eeprom 2 1 1500MHz cpld 0 0xb20e cpld 1 0xb20e cpld 2 0xb20e cpld 0 ufm 0xb803 cpld 1 ufm 0xb8...

Page 54: ...n Software revision LineCard S N CAT1202G07D Power Supply type AC SML Application information is No application is configured Logger status Enabled Platform SCE8000 4x10GBE Management agent interface version SCE Agent 3 1 6 Build 134 Software package file ftp ftpserver simba pkg SCE8000 uptime is 9 minutes 54 seconds How to Display the SCE Platform Inventory Unique Device Identification UDI is a C...

Page 55: ...Chassis DESCR CISCO7604 PID CISCO7604 VID V0 SN FOX105108X5 NAME SCE8000 Service Control Module SCM in slot 1 DESCR SCE8000 SCM E PID SCE8000 SCM E VID V0 SN CAT1122584N NAME SCE8000 SPA Interface Processor SIP in slot 3 DESCR SCE8000 SIP PID SCE8000 SIP VID V0 SN CAT1150G07F NAME SPA 1X10GE L V2 DESCR SPA 1X10GE L V2 PID SPA 1X10GE L V2 VID V02 SN JAE11517RMR NAME SPA 1X10GE L V2 DESCR SPA 1X10GE...

Page 56: ...lot 2 DESCR Container SCE8000 Service Control Module SCM slot PID VID SN NAME SCE8000 Physical Slot 3 DESCR Container SCE8000 SPA Interface Processor SIP slot PID VID SN NAME SCE8000 Physical Slot 4 DESCR Container SCE8000 Optical Bypass slot PID VID SN NAME SCE8000 Fan Module DESCR Container SCE8000 Fan Module PID VID SN NAME SCE8000 AC and DC power supply DESCR Container SCE8000 AC and DC power ...

Page 57: ...rt PID VID SN NAME TenGigabitEthernet3 3 0 DESCR SCE8000 SPA port PID VID SN NAME SCE8000 FAN 1 DESCR FAN MOD 4HS PID FAN MOD 4HS VID V01 SN DCH11013744 NAME SCE8000 AC power supply 0 DESCR PWR 2700 AC 4 PID PWR 2700 AC 4 VID V02 SN APQ105000MV NAME SCE8000 DC power supply 1 DESCR PWR 2700 DC 4 PID PWR 2700 DC 4 VID V03 SN APQ1049000S NAME SCE8000 optic 3 0 0 DESCR XFP 10GLR OC192SR PID XFP 10GLR ...

Page 58: ...1 DESCR SCE8000 traffic processor PID VID SN NAME SCE8000 traffic processor 12 DESCR SCE8000 traffic processor PID VID SN How to Display the System Uptime Use this command to see how long the system has been running since the last reboot Step 1 At the SCE prompt type show system uptime and press Enter Example for Displaying the System Uptime The following example shows how to display the system up...

Page 59: ...orm is required before turning the power off This helps to ensure that non volatile memory devices in the SCE platform are properly flushed in an orderly manner Note When the SCE platform restarts it loads the startup configuration so all changes made in the running configuration will be lost You are advised to save the running configuration before performing reload as described in How to Save or ...

Page 60: ... Note Since the SCE platform can recover from the power down state only by being physically turned off or cycling the power this command can only be executed from the serial CLI console This limitation helps prevent situations in which a user issues this command from a Telnet session and then realizes he or she has no physical access to the SCE platform ...

Page 61: ...directories Note Regarding disk capacity While performing disk operations the user should take care that the addition of new files that are stored on the SCE disk do not cause the disk to exceed 70 Working with Directories page 4 1 Working with Files page 4 3 Working with Directories How to Create a Directory page 4 1 How to Delete a Directory page 4 2 How to Change Directories page 4 2 How to Dis...

Page 62: ...mdir Step 1 From the SCE prompt type rmdir directory name and press Enter Use this command only for an empty directory How to Change Directories Use this command to change the path of the current working directory cd Step 1 From the SCE prompt type cd new path and press Enter How to Display your Working Directory pwd Step 1 From the SCE prompt type pwd and press Enter How to List the Files in a Di...

Page 63: ...tions and press Enter How to Include Files in Sub Directories in the Directory Files List Step 1 From the SCE prompt type dir r and press Enter Working with Files How to Rename a File page 4 3 How to Delete a File page 4 3 Copying Files page 4 4 How to Display File Contents page 4 5 How to Unzip a File page 4 5 How to Rename a File rename Step 1 From the SCE prompt type rename current file name ne...

Page 64: ... a File from an FTP Site Use the copy command to upload and download commands from and FTP site In this case either the source or destination filename must begin with ftp Step 1 From the SCE prompt type copy ftp username password 10 10 10 10 h source file destination file name and press Enter To upload a file to an FTP site specify the FTP site as the destination ftp username password 10 10 10 10 ...

Page 65: ... page 4 5 Generating a File for Technical Support page 4 7 The Logging System Copying the User Log page 4 6 Enabling and Disabling the User Log page 4 6 Viewing the User Log Counters page 4 6 Viewing the User Log page 4 7 Clearing the User Log page 4 7 Events are logged to one of two log files After a file reaches maximum capacity the events logged in that file are then temporarily archived New ev...

Page 66: ... press Enter Enabling and Disabling the User Log By default the user log is enabled You can disable the user log by configuring the status of the logger Disabling the User Log page 4 6 Enabling the User Log page 4 6 Disabling the User Log Step 1 From the SCE prompt type configure and press Enter Step 2 From the SCE config prompt type logger device User File Log disabled and press Enter Enabling th...

Page 67: ...er Log Step 1 From the SCE prompt type clear logger device user file log and press Enter Step 2 The system asks Are you sure Step 3 Type Y and press Enter Generating a File for Technical Support In order for technical support to be most effective the user should provide them with the information contained in the system logs Use the logger get support file command to generate a support file via FTP...

Page 68: ...4 8 Cisco SCE8000 Software Configuration Guide Rel 3 1 6S OL 16479 01 Chapter 4 Utilities The User Log ...

Page 69: ...e Management Port Physical Parameters page 5 2 Configuring the Available Interfaces page 5 6 Configuring and Managing the SNMP Interface page 5 25 IP Configuration page 5 33 Configuring and Managing the SNMP Interface page 5 25 Configuring Time Clocks and Time Zone page 5 38 Domain Name Server DNS Settings page 5 44 About Management Interface and Security The Service Control Module is equipped wit...

Page 70: ...ng The GBE management interface is configured as follows mode Gigabit Ethernet Interface configuration mode interface designation 1 1 Step 1 Type configure and press Enter Enters Global Configuration mode The command prompt changes to SCE config Step 2 Type interface GigabitEthernet 1 1 and press Enter Enters GigabitEthernet Interface Configuration mode The command prompt changes to SCE config if ...

Page 71: ...IP address of the management interface via telnet will result in loss of the telnet connection and inability to reconnect with the interface Note After changing the IP address you must reload the SCE platform so that the change will take effect properly in all internal and external components of the SCE platform See Rebooting and Shutting Down the SCE Platform page 3 14 Setting the IP Address and ...

Page 72: ...The following options are available speed speed in Mbps of the currently selected management port 0 1 or 0 2 10 100 auto default auto negotiation do not force speed on the link If the duplex parameter is configured to auto changing the speed parameter has no effect Step 1 From the SCE config if prompt type speed 10 100 auto and press Enter Specify the desired speed option Configuring the Speed of ...

Page 73: ...1 From the SCE config if prompt type duplex auto full half and press Enter Specify the desired duplex option Configuring the Duplex Operation of the Management Interface Example The following example shows how to use this command to configure the management port to half duplex mode SCE config if duplex half How to Monitor the Management Interface Use this command to display the following informati...

Page 74: ...tication Authorization and Accounting TACACS Authentication Authorization and Accounting page 5 6 Login Authentication page 5 7 Accounting page 5 7 Privilege Level Authorization page 5 7 General AAA Fallback and Recovery Mechanism page 5 8 About Configuring TACACS page 5 8 TACACS Authentication Authorization and Accounting TACACS is a security application that provides centralized authentication o...

Page 75: ...he TACACS server ACCEPT The user is authenticated and service may begin REJECT The user has failed to authenticate The user may be denied further access or will be prompted to retry the login sequence depending on the TACACS server ERROR An error occurred at some time during authentication This can be either at the server or in the network connection between the server and the SCE platform If an E...

Page 76: ...ility in case of an error The AAA methods available are TACACS AAA is performed by the use of a TACACS server allows authentication authorization and accounting Local AAA is performed by the use of a local database allows authentication and authorization Enable AAA is performed by the use of user configured passwords allows authentication and authorization None no authentication authorization acco...

Page 77: ...l database and TACACS are both configured it is recommended to configure the same user names in both TACACS and the local database This will allow the users to access the SCE platform in case of TACACS server failure Note If TACACS is used as the login method the TACACS username is used automatically in the enable command Therefore it is important to configure the same usernames in both TACACS and...

Page 78: ...nterval may be defined This timeout interval is defined as the timeout interval for any server host for which a timeout interval is not explicitly configured when the server host is defined If the default timeout interval is not configured a default of five seconds is assigned to any server for which a timeout interval is not explicitly configured The procedures for configuring the SCE platform TA...

Page 79: ...d press Enter How to Configure the Global Default Key Use this command to define the global default key for the TACACS server hosts This default key can be overridden for a specific TACACS server host by explicitly configuring a different key for that TACACS server host Options The following options are available key string default encryption key that all TACACS servers and clients will use when c...

Page 80: ... No global default timeout interval is defined Each TACACS server host may still have a specific timeout interval defined However any server host that does not have a timeout interval explicitly defined uses the global default timeout interval is now configured to a five second timeout interval How to Manage the User Database TACACS maintains a local user database Up to 100 users can be configured...

Page 81: ...r MD5 encrypted secret password The following options are available name name of the user to be added password a clear text password May be saved in the local list in either of two formats as clear text in MD5 encrypted form if the secret keyword is used encrypted secret an MD5 encryption string password The following keywords are available nopassword There is no password associated with this user...

Page 82: ...the SCE platform sends an authentication request to the TACACS server specifying the requested privilege level The SCE platform grants the requested privilege level only after the TACACS server authenticates the enable command password and verifies that the user has sufficient privileges the enter the requested privilege level Options The following options are available name name of the user whose...

Page 83: ...5 encryption string password The following keywords are available secret the password is saved in MD5 encrypted form Use with either of the following keywords to indicate the format of the password as entered in the command 0 use with the password option to specify a clear text password that will be saved in MD5 encrypted form 5 use with the encrypted secret option to specify an MD5 encryption str...

Page 84: ... Maximum Login Attempts Use this command to set the maximum number of login attempts that will be permitted before the session is terminated Options The following options are available number of attempts The maximum number of login attempts that will be permitted before the telnet session is terminated This is relevant only for Telnet sessions From the local console the number of re tries is unlim...

Page 85: ...hods explained above List them in the order of priority How to Delete the Login Authentication Methods List Step 1 From the SCE config prompt type no aaa authentication login default and press Enter If the login authentication methods list is deleted the default login authentication method only enable password will be used TACACS authentication will not be used Configuring AAA Privilege Level Auth...

Page 86: ...t be used Configuring AAA Accounting Use this command to enable or disable TACACS accounting About AAA Accounting page 5 18 Options page 5 18 How to Enable AAA Accounting page 5 18 How to Disable AAA Accounting page 5 19 About AAA Accounting If TACACS accounting is enabled the SCE platform sends an accounting message to the TACACS server after every command execution The accounting message is logg...

Page 87: ...and press Enter How to Display Statistics Keys and Timeouts for TACACS Servers Step 1 From the SCE prompt type show tacacs all and press Enter Note Although most show commands are accessible to viewer level users the all option is available only at the admin level Use the command enable 10 to access the admin level Monitoring TACACS Users Use this command to display the users in the local database...

Page 88: ...checked is found within the IP address range defined by the entry determines the result according to the permit deny flag in the matched entry If no matching entry is found in the access list access is denied You can create up to 99 access lists An ACL is enabled by the ip access class command If an ACL is enabled when a request comes in the SCE platform first checks if there is permission for acc...

Page 89: ...tries to an ACL Example The following example adds an entry to the access list number 1 that permits access only to IP addresses in the range of 10 1 1 0 10 1 1 255 SCE config access list 1 permit 10 1 1 0 0 0 0 255 How to Remove an ACL Use this command to remove an ACL with all its entries Step 1 From the SCE config prompt type no access list number and press Enter Removes the specified ACL with ...

Page 90: ...t to Telnet interface line vty no access list no service telnetd no timeout show line vty timeout How to Prevent Telnet Access Use this command to disable access by Telnet altogether Step 1 From the SCE config prompt type no service telnetd and press Enter Current Telnet sessions are not disconnected but no new Telnet sessions are allowed How to Configure the Telnet Timeout The SCE platform suppor...

Page 91: ...itting it to SSH clients Note The keys are kept on the tffs0 file system which means that a person with knowledge of the enable password can access both the private and public keys The SSH server implementation provides protection against eavesdroppers who can monitor the management communication channels of the SCE platform but it does not provide protection against a user with knowledge of the e...

Page 92: ...ves the existing SSH key set from non volatile memory If the SSH server is currently enabled it will continue to run since it only reads the keys from non volatile memory when it is started However if the startup configuration specifies that the SSH server is enabled the SCE platform will not be able to start the SSH server on startup if the keys have been deleted To avoid this situation after exe...

Page 93: ...age 5 25 How to Enable the SNMP Interface You must define at least one community string to allow SNMP access For complete information on community strings See Configuring SNMP Community Strings page 5 28 Step 1 From the SCE config prompt type snmp server enable and press Enter How to Disable the SNMP Interface Step 1 From the SCE config prompt type no snmp server and press Enter Configuring and Ma...

Page 94: ...es described in RFC 1215 The SNMPv1 and SNMPv2C specifications define the following basic operations that are supported by SCE platform Security Considerations By default the SNMP agent is disabled for both read and write operations When enabled SNMP is supported over the management port only in band management is not supported In addition the SCE platform supports the option to configure communit...

Page 95: ...mmands snmp server enable no snmp server no snmp server community all no default snmp server enable traps no snmp server host all no snmp server contact no snmp server location CLI Commands for Monitoring SNMP Following is a list of CLI commands available for monitoring SNMP These are Viewer mode commands and are available when the SNMP agent is enabled show snmp available when SNMP agent is disab...

Page 96: ... 28 How to Remove a Community String page 5 29 How to Display the Configured Community Strings page 5 29 To enable SNMP management you must configure SNMP community strings to define the relationship between the SNMP manager and the agent After receiving an SNMP request the SNMP agent compares the community string in the request to the community strings that are configured for the agent The reques...

Page 97: ...hows how to display the configured SNMP communities SCE show snmp community Community public Access Authorization RO Access List Index 1 SCE How to Configure SNMP Notifications Use these commands to configure The destinations that will receive SNMP notifications hosts Which types of notifications will be sent traps About SNMP Notifications page 5 29 How to Define SNMP Hosts page 5 30 About SNMP No...

Page 98: ...ons explicitly SCE platform can be configured to generate either SNMPv1 style or SNMPv2c style notifications By default the SCE platforms sends SNMPv1 notifications Following are some sample procedures illustrating how to do the following Configure hosts NMS to which the SNMP agent should send notifications Remove disable a host NMS from receiving notifications Enable the SNMP agent to send authen...

Page 99: ...o snmp server host ip address and press Enter Configuring the SCE Platform to Stop Sending Notifications to a Host Example The following example shows how to remove the host with the IP Address 192 168 0 83 SCE config no snmp server host 192 168 0 83 How to Configure SNMP Traps Use this command to configure the notifications that will be sent to the defined host Options page 5 31 How to Enable the...

Page 100: ...nfig prompt type snmp server enable traps snmp authentication and press Enter How to Enable the SNMP Server to Send All Enterprise Notifications Step 1 At the SCE config prompt type snmp server enable traps enterprise and press Enter How to Enable the SNMP Server to Send a specific Enterprise Notification Step 1 At the SCE config prompt type snmp server enable traps enterprise attack chassis link ...

Page 101: ...latform maintains a static routing table When a packet is sent the system checks the routing table for proper routing and forwards the packet accordingly In cases where the SCE platform cannot determine where to route a packet it sends the packet to the default gateway SCE platform supports the configuration of the default gateway as the default next hop router as well as the configuration of the ...

Page 102: ...dress of the routing entry in dotted notation mask The relevant subnet mask in dotted notation next hop The IP address of the next hop in the route in dotted notation Must be within the MNG interface subnet Step 1 From the SCE config prompt type ip route prefix mask next hop and press Enter Adds the specified IP routing entry to the routing table How to Add an Entry to the IP Routing Table Example...

Page 103: ...ute prefix mask and press Enter Displays the routing table for the specified subnet prefix mask Displaying the IP Routing Table for a Specified Subnet Example This example shows how to display the routing table for a specified subnet SCE show ip route 10 1 60 0 255 255 255 0 prefix mask next hop 10 1 60 0 255 255 255 0 10 1 1 5 sce IP Advertising Configuring IP Advertising page 5 36 How to Display...

Page 104: ... interval 300 seconds destination The IP address of the destination for the ping requests default destination 127 0 0 1 How to Enable IP Advertising Step 1 From the SCE config prompt type ip advertising and press Enter Enables IP advertising How to Configure the IP Advertising Destination Step 1 From the SCE config prompt type ip advertising destination destination and press Enter Configures the d...

Page 105: ...ents of the SCE platform Options The following options are available ip address The IP address of the management interface If both management ports are connected so that a backup management link is available this IP address will be act as a virtual IP address for the currently active management port regardless of which physical port is currently active subnet mask subnet mask of the management int...

Page 106: ...calendar time is used to set the system clock The calendar is not used for time tracking during system operation A system clock which creates all the time stamps during normal operation This clock clears if the system shuts down During a system boot the clock is initialized to show the time indicated by the calendar It does not matter which clock you set first as long as you use the clock and cale...

Page 107: ...te you want to set in the following format hh mm ss day month year Step 1 From the SCE prompt type clock set time date and press Enter Sets the system clock to the specified time and date Setting the System Clock Example The following example shows how to set the clock to 20 minutes past 10 AM May 13 2007 updates the calendar and then displays the time SCE clock set 10 20 00 13 may 2007 SCE clock ...

Page 108: ... 10 20 00 13 may 20017 SCE clock read calendar SCE show calendar 10 21 06 UTC THU May 13 2007 Setting the Time Zone Options The following options are available zone The name of the time zone to be displayed default GMT hours The hours offset from UTC This must be an integer in the range 23 to 23 default 0 minutes The minutes offset from UTC This must be an integer in the range of 0 to 59 Use this ...

Page 109: ...on how the dates for the beginning and end of daylight saving time are determined for the particular location recurring If daylight saving time always begins and ends on the same day every year as in the United States the clock summer time recurring command is used The beginning and ending days for daylight saving time can be configured once and the system will automatically perform the switch eve...

Page 110: ...ght saving time recurring specify a day of the month week first last day of the week month not recurring specify a date month day of the month year Define two days Day1 beginning of daylight saving time Day2 end of daylight saving time In the Southern hemisphere month2 must be before month1 as daylight saving time begins in the fall and ends in the spring Specify the exact time that the transition...

Page 111: ...m the SCE config prompt type clock summer time zone date1 month1 year1 time1 date2 month2 year2 time2 offset and press Enter Defining Non Recurring Daylight Saving Time Transitions Example The following example shows how to configure non recurring daylight saving time for a time zone designated DST as follows Daylight saving time begins 0 00 on April 16 2004 Daylight saving time ends 23 59 October...

Page 112: ... mapped to the corresponding IP address The IP host table can be configured using the command ip host 3 If the name does not contain the dot character and the domain name function is enabled See the ip domain lookup command and a default domain name is specified See the ip domain name command the default domain name is appended to the given name to form a fully qualified host name This in turn is ...

Page 113: ...pecify the address of one or more name servers to use for name and address resolution Step 1 From the SCE config prompt type ip name server server address1 server address2 server address3 and press Enter Defines the servers at the specified addresses as domain name servers Defining Domain Name Servers Example The following example shows how to configure the two name server DNS IP addresses SCE con...

Page 114: ...ddress and press Enter Adds the specified host to the host table Adding Hosts to Removing them from the Host Table Examples The following example shows how to add a host to the host table SCE config ip host PC85 10 1 1 61 The following example shows how to remove a hostname together with all its IP mappings SCE config no ip host PC85 How to Display Current DNS Settings Step 1 From the SCE prompt t...

Page 115: ...on of the Cisco SCE8000 Installation and Configuration Guide Flow Control and Bandwidth Considerations Note By design the SCE platform reacts to Ethernet flow control and does not activate it Therefore it is possible for a situation to arise in which flow control actually stalls the SCE platform by overflowing the SCE platform queues thereby causing traffic to be dropped on the Rx interfaces If th...

Page 116: ... Configuration page 6 8 Tunneling technology is used across various telecommunications segments to solve a wide variety of networking problems The SCE platform is designed to recognize and process various tunneling protocols in several ways The SCE platform is able to either ignore the tunneling protocols skip the header or treat the tunneling information as subscriber information classify The fol...

Page 117: ...LS and L2TP for the purpose of packet injection such as block flow and redirect flow operations To view the effective flow open mode use the show interface linecard 0 flow open mode command Note For directions on how to configure the asymmetric tunneling option see Asymmetric L2 Support page 6 7 L2TP L2TP is an IP based tunneling protocol therefore the system must be specifically configured to rec...

Page 118: ...riber traffic When IPinIP skip is disabled the system treats the external IP header as the subscriber traffic resulting in all IPinIP traffic being reported as generic IP Guidelines for configuring IPinIP tunnels IPinIP and other tunnels IPinIP is supported simultaneously with plain IP traffic and any other tunneling protocol supported by the SCE platform Overlapping IP addresses There is no suppo...

Page 119: ...es in the chapter Using the Service Configuration Editor Traffic Control in the Cisco Service Control Application for Broadband User Guide for further information Use this command to configure the SCE platform to mark the DSCP bits of the internal IP header This command takes effect only when IPinIP skip is enabled Step 1 From the SCE config if prompt type ip tunnel IPinIP DSCP marking skip and pr...

Page 120: ...ification is mutually exclusive with other tunnel based classification or IP tunnels An a symmetric environment is an environment in which the VLAN tags might not be the same in the upstream and downstream directions of the same flow The SCE platform is configured by default to work in symmetric environments A specific command should be used to allow correct operation of the SCE platform in asymme...

Page 121: ... port 1701 Step 1 From the SCE config if prompt type L2TP identify by port number portnumber and press Enter Asymmetric L2 Support You should enable asymmetric layer 2 support in cases where the following conditions apply for any flows Each direction of the flow has a different MAC address The routers do not accept packets with the MAC address of the other link Note Asymmetric routing topology sup...

Page 122: ...ication being run by the SCE platform is changed Possible uses for traffic rules and counters include Enabling the user to count packets according to various criteria Since the traffic counters are readable via the ciscoServiceControlTpStats MIB these might be used to monitor up to 32 types of packets according to the requirements of the installation Ignoring certain types of flows When a traffic ...

Page 123: ...d for the TCP UDP protocols only Direction Upstream Downstream TCP only The possible actions are Count the packet by a specific traffic counter Block the packet do not pass it to the other side Ignore the packet do not provide service for this packet No bandwidth metering transaction reporting etc is done Quick forward the packet with service forward delay sensitive packets through the fast path w...

Page 124: ...d in a traffic rule Use the following commands to create and delete traffic counters How to Create a Traffic Counter page 6 10 How to Delete a Traffic Counter page 6 10 How to Delete all Existing Traffic Counters page 6 11 How to Create a Traffic Counter Options The following options are available name The name of the counter Count packets the counter is incremented by 1 for each packet it counts ...

Page 125: ...ate a Traffic Rule Options The following options are available IP specification all all but ip address ip range ip address is a single IP address in dotted decimal notation such as 10 1 2 3 ip range is an IP subnet range in the dotted decimal notation followed by the number of significant bits such as 10 1 2 0 24 Use the all but keyword to exclude the specified IP address or range of IP addresses ...

Page 126: ...ounter If a counter name is defined the count action is also defined implicitly The keyword name must appear as well as the actual name of the counter none If none is specified then an action must be explicitly defined via the action option action not required if the action is count only One of the following block Block the specified traffic ignore Bypass the specified traffic traffic receives no ...

Page 127: ...e subnet 10 10 10 0 24 Protocol TCP Ports subscriber side 100 200 network side all Tunnel id all Direction downstream Traffic counter counter2 Action Block The actions performed will be counting and blocking The first command enables tunnel id mode SCE config if traffic rule tunnel id mode SCE config if traffic rule name rule2 IP addresses subscriber side all network side all but 10 10 10 0 24 pro...

Page 128: ...ets bytes and the name of the rule using the counter and traffic counter value You can also reset a specific counter or all counters How to View a Specified Traffic Rule page 6 14 How to View all Traffic Rules page 6 14 How to View a Specified Traffic Counter page 6 15 How to View all Traffic Counters page 6 15 How to Reset a Specified Traffic Counter page 6 15 How to Reset all Traffic Counters pa...

Page 129: ...tep 1 From the SCE prompt type show interface linecard 0 traffic counter all and press Enter Displays the value of the each counter and lists the traffic rules that use it Viewing the Traffic Counters Example The following example displays information for all existing traffic counters SCE show interface linecard 0 traffic counter all Counter cnt value 0 packets Rules using it None Counter cnt2 val...

Page 130: ... 1 5 How to Display the DSCP Marking Configuration Use this command to display the state of DSCP marking enabled or disabled per interface and the DSCP translation table Step 1 From the SCE prompt type show interface linecard 0 ToS marking and press Enter Counting Dropped Packets About Counting Dropped Packets page 6 16 Disabling the Hardware Packet Drop page 6 17 About Counting Dropped Packets By...

Page 131: ...ped packets has a considerable effect on system performance and therefore by default the drop wred packets by hardware mode is enabled Disabling the Hardware Packet Drop Use this command to disable the drop wred packets by hardware mode enabling the software to count all dropped packets By default hardware packet drop is enabled Note Disabling this feature may have both delay and performance impli...

Page 132: ...6 18 Cisco SCE8000 Software Configuration Guide OL 16479 02 Chapter 6 Configuring the Line Interface Counting Dropped Packets ...

Page 133: ... Connection Mode The connection mode command allows you to configure the topology of the system in one command The connection mode is determined by the physical installation of the SCE platform Note This command can only be used if the line card is in either no application or shutdown mode If an application is installed on the SCE platform the command will fail with an error message and help instr...

Page 134: ...s Note If the external bypass option is configured two optical bypass devices must be properly connected one on each link If an optical bypass device is not detected the command is executed but a warning is issued The system then enters warning mode until either the command is changed or the presence of an optical bypass device is detected Default inline mode external bypass Not applicable to rece...

Page 135: ...e according to the configured connection mode However the link mode command can be used to enforce a specific desired mode This may be useful when debugging the network or in cases where we would like the SCE platform just to forward the traffic Note This is only relevant to inline topologies even though the configuration is available also when in receive only mode Options The following link mode ...

Page 136: ...ese protect the line against power failure or total hardware failure which prevents the hardware card from bypassing the traffic Each external optical device protects a single traffic link passing through the SCE platform The main objective of the external bypass is to provide automatic redundancy and failover support However the user can also manually enable the external bypass assuming it is con...

Page 137: ... type external bypass and press Enter How to Deactivate the External Bypass Step 1 From the SCE config if prompt type no external bypass and press Enter How to Set the External Bypass to the Default State The default state of the external optical bypass is deactivated Step 1 From the SCE config if prompt type default external bypass and press Enter 242125 Default bypass state no power Non default ...

Page 138: ...ble Link Failure Reflection page 7 6 How to Disable Link Failure Reflection page 7 6 Enabling and Disabling Link Failure Reflection on All Ports page 7 7 Configuring Link Failure Reflection in Linecard Aware Mode page 7 8 In some topologies link failure on one port must be reflected to the related port to allow the higher layer redundancy protocol in the network to detect the failure and function ...

Page 139: ...e link state of the first port is reflected on all the ports When recovering from the failure state the forced down ports the other link are brought up only after the first failed port link has recovered In addition the reflection algorithm will not try to reflect failure for this link again for the next 15 seconds to avoid link stability problems on auto negotiation Options The following options ...

Page 140: ...ected to the all other SCE platform ports Two reciprocal ports of the SCE8000 are down simultaneously indicating a possible problem in the linecard of the router to which the SCE platform is connected In this case the failure is not reflected to any of the other interfaces This allows the second link in the SCE platform to continue functioning without interruption Use the no form of this command w...

Page 141: ...flow are geographically remote especially common upon peering insertion In this type of scenario the asymmetric routing solution enables the SCE platform to handle such traffic allowing SCA BB to classify traffic based on a single direction and to apply basic reporting and global control features to uni directional traffic Asymmetric Routing and Other Service Control Capabilities Asymmetric routin...

Page 142: ... Current status of asymmetric routing mode enabled or disabled TCP unidirectional flows ratio the ratio of TCP unidirectional flows to total TCP flows per traffic processor calculated over the period of time since the SCE platform was last reloaded or since the counters were last reset Step 1 From the SCE prompt type show interface linecard 0 asymmetric routing topology and press Enter Displays th...

Page 143: ...when performing an application upgrade How to Force a Virtual Failure page 7 11 How to Exit from a Virtual Failure page 7 11 How to Force a Virtual Failure Step 1 From the SCE config if prompt type force failure condition and press Enter The system asks for confirmation Forcing failure will cause a failover do you want to continue n Step 2 Type Y and press Enter to confirm the forced failure How t...

Page 144: ...mode non operational Example 2 This example sets the system to the default failure recovery mode SCE config default failure recovery operation mode Configuring the SCE Platform SM Connection Configuring the Behavior of the SCE Platform in Case of Failure of the SM page 7 13 Configuring the SM SCE Platform Connection Timeout page 7 13 The user can configure the behavior of the SCE platform in case ...

Page 145: ...n the SCE platform and the SM No action is taken To specify the action that the SCE platform will perform if the SCE SM connection fails use this command Step 1 From the SCE config if prompt type subscriber sm connection failure action force failure none remove mappings shut and press Enter To specify that the system operational status of the SCE platform should be warning if the SCE SM connection...

Page 146: ...7 14 Cisco SCE8000 Software Configuration Guide Rel 3 1 6S OL 16479 01 Chapter 7 Configuring the Connection Configuring the SCE Platform SM Connection ...

Page 147: ... RDR Formatter page 8 12 Configuring NetFlow Exporting Support page 8 13 Configuring Dynamic Mapping of RDRs to Categories page 8 14 Displaying Data Destination Configuration and Statistics page 8 16 Disabling the Linecard from Sending RDRs page 8 18 RDR Formatter and NetFlow Exporting Support The RDR Formatter page 8 1 NetFlow page 8 2 Data Destinations page 8 3 The RDR Formatter The RDR formatte...

Page 148: ...be optionally aggregated before being stored on the hard disk Export Packet A packet originating at the exporter carrying the records of the exporter to the NetFlow collector Packet Header The first part of an export packet the packet header provides basic information about the packet such as the NetFlow version number of records contained within the packet sequence numbering and the observation d...

Page 149: ...r NetFlow exporting is configured to be sent over a NetFlow destination this report will not be formatted and sent and a special counter will be incremented along and a warning will be logged See the output of the show rdr formatter statistics command unsupported tags Although template records and data records can be mixed in the same export packet the template must precede any related data record...

Page 150: ...se the data types are divided into up to four groups and each group or category is assigned to a particular destination or destinations The categories are defined by the application running on the SCE platform The system supports up to four categories Therefore the destination must be configured regarding each category in use Each destination may be assigned to more than one category and may be as...

Page 151: ...likely to be sent to this destination Redundant forwarding mode Assign a high priority to the primary destination for the system category Assign a lower priority to the secondary destination for the system category Setting DSCP for NetFlow When using the NetFlowV9 protocol priority can be defined by configuring a DSCP value to be assigned to the NetFlow packets This DSCP value defines the DiffServ...

Page 152: ...Data Destination page 8 6 Configuring the Data Categories page 8 7 Configuring the Forwarding Mode page 8 12 Configuringa Data Destination There are three general categories of CLI commands related to the configuration of data destinations General commands that apply to both the RDRv1 protocol and the NetFlow protocol Commands that are relevant only to the RDR formatter may affect NetFlow exportin...

Page 153: ...ter destination 10 1 1 205 port 33000 protocol NetFlowV9 transport udp Example 2 The following example shows how to configure two destinations in a system without using the categories The first destination will automatically be assigned a priority of 100 and therefore the priority does not need to be explicitly defined For the second destination the priority must be explicitly defined The same pri...

Page 154: ...on 1 100 protocol the protocol used for data sent to the destination either RDRv1 or NetFlow if no protocol is assigned the protocol is RdrV1 transport the transport type TCP or UDP optional as this parameter is determined by the protocol General Guidelines A maximum of four categories can be configured in one command The category may defined by either number or name A different priority may be as...

Page 155: ...is a loss of connection to either destination transmission of data of the relevant category is interrupted until the connection is re established There is no redundant connection defined for either category SCE config rdr formatter category number 2 name prepaid SCE config rdr formatter destination 10 1 1 205 port 33000 category number 1 priority 90 protocol RdrV1 transport tcp SCE config rdr form...

Page 156: ...nfig rdr formatter destination 10 1 1 205 port 33000 priority 90 protocol RdrV1 transport tcp SCE config rdr formatter destination 10 1 1 206 port 33000 priority 95 protocol RdrV1 transport tcp SCE config no rdr formatter destination 10 1 1 206 port 33000 category name prepaid protocol RdrV1 transport tcp Example 4 This example illustrates a more complex configuration with one category prepaid ass...

Page 157: ...nfig rdr formatter forwarding mode multicast SCE config rdr formatter category number 1 name billing SCE config rdr formatter category number 2 name prepaid SCE config rdr formatter category number 3 name special prepaid SCE config rdr formatter destination 10 1 1 205 port 33000 category name billing priority 90 category name prepaid priority 80 protocol RdrV1 transport tcp SCE config rdr formatte...

Page 158: ...t destination one destination after the other in a round robin manner It is the responsibility of the collectors to aggregate the records Step 1 From the SCE config prompt type rdr formatter forwarding mode mode and press Enter Configures the specified forwarding mode Configuring the Forwarding Mode Example The following example shows how to set the forwarding mode to multicast SCE config rdr form...

Page 159: ...Buffer The buffer size must be set to 0 Step 1 From the SCE config prompt type rdr formatter history size 0 and press Enter Sets the size of the RDR formatter history buffer Configuring NetFlow Exporting Support Options page 8 13 How to Configure a DSCP Value for NetFlow page 8 14 How to Configure the Template Refresh Interval page 8 14 Options The following options are relevant specifically to Ne...

Page 160: ...0 Step 1 From the SCE config prompt type rdr formatter destination ip address port port number protocol NetFlowV9 template data timeout timeout value and press Enter Sets the template refresh interval Configuring Dynamic Mapping of RDRs to Categories Dynamic configuration of RDRs to multiple categories is supported page 8 14 Configuring Mappings page 8 15 Dynamic configuration of RDRs to multiple ...

Page 161: ...tag must be already configured in the Formatter by the application category number Number of the category 1 4 to which to map the RDR tag How to Add a Mapping to a Category Step 1 From the SCE config prompt type rdr formatter rdr mapping tag id tag number category number category number and press Enter If the table already contains a mapping with the same tag and category number an error is issued...

Page 162: ...ce for a complete description of the other show rdr formatter commands How to the Display the Current RDR Formatter Configuration The system can display the complete data destination configuration or just specific parameters Step 1 From the SCE prompt type show rdr formatter and press Enter Displays the current RDR formatter configuration Displaying the RDR Formatter Configuration Example The foll...

Page 163: ...ueue 0 thrown 0 format mismatch 0 unsupported tags 1701243 rate 2 RDRs per second max rate 64 RDRs per second Category 2 sent 12040436 in queue 0 thrown 0 format mismatch 0 unsupported tags 0 rate 12 RDRs per second max rate 453 RDRs per second Category 3 sent 0 in queue 0 thrown 0 format mismatch 0 unsupported tags 0 rate 0 RDRs per second max rate 0 RDRs per second Category 4 sent 0 in queue 0 t...

Page 164: ... Sending RDRs The silent command disables the linecard from issuing data records Both RDRs and NetFlow export packets are suppressed Use the no form of this command if you want the linecard to send records Step 1 From the SCE config if prompt type silent and press Enter To enable the linecard to produce data records use the following command Step 1 From the SCE config if prompt type no silent and ...

Page 165: ...bout Subscribers page 9 1 Importing and Export ingSubscriber Information page 9 5 Removing Subscribers and Templates page 9 7 Importing and Exporting Anonymous Groups page 9 9 Monitoring Subscribers page 9 10 Configuring Subscriber Aging page 9 21 Configuring the SCE Platform SM Connection page 9 23 Information About Subscribers What is a Subscriber page 9 1 Subscriber Modes in Service Control Sol...

Page 166: ...erver Cable residential subscriber Cable residential user IP address The list of IP addresses of the CPEs is allocated dynamically by a DHCP server Owner of a 3G phone that is subscribed to data services 3G phone owner The MS ISDN which is dynamically allocated by a Radius server A corporate enterprise customer of the service provider The corporate enterprise and the traffic it produces The set of...

Page 167: ...orted such as top subscribers with the OSS IDs quota tracking such as tracking a subscriber quota over time even when network IDs change as well as dynamic binding of packages to subscribers The two Subscriber Aware modes are Static subscriber aware The network IDs are static The system supports the definition of static subscribers directly to the SCE platform This is achieved by using the SCE pla...

Page 168: ...he appropriate CLI command The SCE platform can also export the currently configured subscribers subscriber templates and anonymous groups to csv formatted files Subscriber csv files and subscriber template csv files are application specific Refer to the relevant application documentation for the definition of the file format Each line in a csv file should contain either a comment beginning with t...

Page 169: ...mal followed by the amount of significant bits Example 10 3 0 0 16 template index is the index of the subscriber template to be used by subscribers belonging to this anonymous group manager name optional is either SM or the name of the SCMP peer Use SM to pull subscribers from the SM if it exists If not specified SM is assumed Here is an example of an anonymous groups csv file Yet another comment ...

Page 170: ...nfig if prompt type subscriber import csv file filename and press Enter Imports the subscriber information from the specified file Imported subscriber information is added to the existing subscriber information It does not overwrite the existing data If the information in the imported file is not valid the command will fail during the verification process before it is actually applied How to Expor...

Page 171: ...mmands to remove all subscribers anonymous groups or subscriber templates from the system no subscriber all no subscriber anonymous group all clear interface linecard subscriber anonymous default subscriber template all Use the following commands to remove a specific subscriber or anonymous group from the system no subscriber name no subscriber anonymous group name These subscriber management comm...

Page 172: ...us subscriber group to be removed Step 1 From the SCE config if prompt type no subscriber anonymous group name group name and press Enter Removes the specified anonymous subscriber group How to Remove All Anonymous Subscriber Groups Step 1 From the SCE config if prompt type no subscriber anonymous group all and press Enter Removes all anonymous subscriber groups How to Remove All Anonymous Subscri...

Page 173: ... all subscribers managed by a specified device The device can be either of the following The SM A specified SCMP peer device How to Remove Subscribers from the SM Step 1 From the SCE config if prompt type no subscriber sm all and press Enter Clears all subscribers from the SM How to Remove Subscribers from a Specified SCMP Peer Device Options The following option is available peer device name the ...

Page 174: ...m of 1000 anonymous groups How to Export Anonymous Groups Options The following option is available filename name of the csv file Step 1 From the SCE config if prompt type subscriber anonymous group export csv file filename and press Enter Exports all existing anonymous groups to the specified csv file Monitoring Subscribers How to Monitor the Subscriber Database page 9 11 Displaying Subscribers p...

Page 175: ... the subscriber database and to clear the total and maximum counters show interface linecard 0 subscriber db counters The following counters are displayed Current number of subscribers Current number of introduced subscribers Current number of anonymous subscribers Current number of active subscribers with active traffic sessions Current number of subscribers with mappings Current number of IP map...

Page 176: ...08 Peak number cleared at 07 47 49 UTC SUN May 11 2008 Event counters Subscriber introduced 249999 Subscriber pulled 0 Subscriber aged 0 Pull request notifications sent 0 Pull request by ID notifications sent 0 Subscriber pulled by ID 0 State notifications sent 0 Logout notifications sent 0 Subscriber mapping TIR contradictions 0 Clearing the Subscriber Database Counters Step 1 From the SCE prompt...

Page 177: ...earch for all subscribers that match a specified value of one of the subscriber properties or are greater than or less than the specified value You can also search for all subscribers that match a specified prefix You can also find out how many subscribers match any one of these criteria rather than displaying all the actual subscriber names How to display subscribers that match a specified value ...

Page 178: ...er How to display subscribers that match a specified prefix Options The following options are available prefix subscriber prefix to match Step 1 From the SCE prompt type show interface linecard 0 subscriber prefix prefix and press Enter How to display subscribers that match a specified suffix Options The following options are available suffix subscriber suffix to match Step 1 From the SCE prompt t...

Page 179: ...ard 0 subscriber amount prefix prefix and press Enter How to Display Subscribers By Mapping IP Address or VLAN ID How to display subscribers that are mapped to a specified IP address or range of IP addresses page 9 16 How to display subscribers that are mapped to IP addresses that are included in a given IP address or IP range page 9 16 How to display subscribers that are mapped to a specified VLA...

Page 180: ... x x x or range of IP addresses x x x x y to match Step 1 From the SCE prompt type show interface linecard 0 subscriber mapping included in IP ip range and press Enter How to display subscribers that are mapped to a specified VLAN ID Options The following options are available VLAN id VLAN ID to match Step 1 From the SCE prompt type show interface linecard 0 subscriber mapping VLAN id VLAN id and ...

Page 181: ... 18 You can display the following information about a specified subscriber values of the various subscriber properties mappings IP address or VLAN ID OS counters current number of flows bandwidth Use the following commands to display subscriber information show interface linecard 0 subscriber properties show interface linecard 0 subscriber name name show interface linecard 0 subscriber name name m...

Page 182: ...ons are available name subscriber name Step 1 From the SCE prompt type show interface linecard 0 subscriber name name properties and press Enter How to display mappings for a specified subscriber Options The following options are available name subscriber name Step 1 From the SCE prompt type show interface linecard 0 subscriber name name mappings and press Enter How to display OS counters for a sp...

Page 183: ...onymous subscriber groups aging see How to Display Aging for Anonymous Group Subscribers page 9 22 currently configured anonymous groups currently configured subscriber templates configuration of a specified anonymous group number of subscribers in a specified anonymous group or in all anonymous groups Use the following commands to display anonymous subscriber information show interface linecard 0...

Page 184: ... subscriber group Step 1 From the SCE prompt type show interface linecard 0 subscriber anonymous name group name and press Enter How to display all subscribers currently in anonymous groups Step 1 From the SCE prompt type show interface linecard 0 subscriber anonymous and press Enter How to display the number of subscribers in a specified anonymous group Options The following options are available...

Page 185: ...ging Subscribers page 9 3 aging is the automatic removal of a subscriber when no traffic sessions assigned to it have been detected for a certain amount of time Aging may be enabled or disabled and the aging timeout period in minutes can be specified Aging can be configured separately for introduced subscribers and for anonymous subscribers Use the following commands to configure and monitor aging...

Page 186: ...nfig if prompt type no subscriber aging anonymous timeout aging time and press Enter How to Set the Aging Timeout Period for Introduced Subscribers Options The following option is available aging time the time interval in minutes after which an inactive subscriber will be aged Step 1 From the SCE config if prompt type no subscriber aging introduced timeout aging time and press Enter How to Display...

Page 187: ...ical to the operation of the system no action needs to be configured Options The following options are available action the action to take in case of failure of the SCE platform SM connection force failure force failure of SCE platform The SCE platform then acts according to the behavior configured for the failure state remove mappings remove all current subscriber mappings shut the SCE platform s...

Page 188: ...9 24 Cisco SCE8000 Software Configuration Guide Rel 3 1 6S OL 16479 01 Chapter 9 Managing Subscribers Configuring the SCE Platform SM Connection ...

Page 189: ...ng page 10 2 Attack Detection page 10 3 Attack Detection Thresholds page 10 4 Attack Handling page 10 4 Hardware Filtering page 10 5 Attack Filtering The SCE platform includes extensive capabilities for identifying DDoS attacks and protecting against them Attack filtering is performed using specific IP attack detectors A specific IP attack detector tracks the rate of flows total open and total sus...

Page 190: ...ows are flows for which the SCOS did not see proper establishment TCP or saw only a single packet all other protocols Separate rate meters are maintained both for each IP address separately single side and for IP address pairs the source and destination of a given flow so when a specific IP is attacking a specific IP this pair of IP addresses defines a single incident dual sided Based on these two...

Page 191: ...is configured separately See Specific Attack Detectors page 10 12 Attack Detection Specific IP detections are identified with the following parameters Specific IP address or two IP addresses for dual sided detections Protocol TCP UDP ICMP or Other Port For TCP UDP attacks that have a fixed destination port Side Interface Subscriber Network from which attack packets are sent Attack direction If a s...

Page 192: ...s and a common destination port are metered twice By themselves to detect a port based attack Together with flows with the same IP address and different destination ports to detect a port less attack If a port based attack occurs and the rate of flows is above both thresholds port based thresholds and the port less thresholds it is desirable for the port based attack to be detected before the port...

Page 193: ...edirecting HTTP requests of this subscriber to a server that will notify it of the attack In addition when blocking TCP traffic the system can be configured not to block a specified port to make this redirection possible This port is then considered to be un blockable Note Subscriber notification can only function if supported by the Service Control Application currently loaded to the SCE platform...

Page 194: ...k lasting two hours whose configured action is block the maximum delay in detecting the end will be 64 minutes Hardware attack filtering is an automatic process and is not user configurable However due to the effects of hardware attack filtering on attack reporting it is important to be aware of when hardware processing has been activated and so monitoring of hardware filtering is essential There ...

Page 195: ... flows than the traffic of an IP address belonging to a residential subscriber The same threshold cannot be adequate in both cases To let the SCE platform treat such special cases differently the user can configure non default attack detectors in the range of 1 99 Like the default attack detector non default attack detectors can be configured with different sets of values of action and thresholds ...

Page 196: ... detector is used Use the following commands to configure and enable attack detection no attack filter protocol protocol attack direction direction attack detector default number protocol protocol attack direction direction side side action action open flows number suspected flows rate number suspected flows ratio number attack detector default number protocol protocol attack direction direction s...

Page 197: ... or disabled for single sided or dual sided attacks Default all directions destination port TCP and UDP protocols only Defines whether specific IP detection is enabled or disabled for port based or port less detections Default both port based or port less Use the no form of the command to disable the configured specific IP detection How to Enable Specific IP Detection Step 1 From the SCE config if...

Page 198: ...10 12 Use these commands to configure the values for the default attack detector for the following parameters Attack handling action Thresholds Subscriber notification Sending an SNMP trap If a specific attack detector is defined for a particular attack type it will override the configured default attack detector Options The following options are available attack detector The attack detector being...

Page 199: ... detector default protocol TCP UDP dest port specific not specific both ICMP other all attack direction single side source single side destination single side both dual sided all side subscriber network both action report block open flows rate number suspected flows rate rate suspected flows ratio ratio and press Enter Configures the default attack detector for the defined attack type Step 2 From ...

Page 200: ... All Attack Types Step 1 From the SCE config if prompt type default attack detector default and press Enter Reinstates the system defaults for the defined attack types Specific Attack Detectors Use these commands to define thresholds actions subscriber notification setting and sending an SNMP trap for a specific attack detector for selected set of attack types Options page 10 13 How to Enable a Sp...

Page 201: ... and UDP protocols may be configured for specified ports only This is the list of specified destination ports per protocol Up to 15 different TCP port numbers and 15 different UDP port numbers can be specified Configuring a TCP UDP port list for a given attack detector affects only attack types that have the same protocol TCP UDP and are port based i e detect a specific destination port Settings f...

Page 202: ...efine the Subscriber Notification Setting for a Specific Attack Detector Use the following command to set the subscriber notification setting for a given attack detector and selected set of attack types Step 1 From the SCE config if prompt type attack detector number protocol TCP UDP dest port specific not specific both ICMP other all attack direction single side source single side destination sin...

Page 203: ...which means that the attack detector does not take part in determining the response for attacks of this attack type Step 1 From the SCE config if prompt type default attack detector number protocol TCP UDP dest port specific not specific both ICMP other all attack direction single side source single side destination single side both dual sided all side subscriber network both and press Enter Defin...

Page 204: ...cted flows rate 100 suspected flows ratio 10 and press Enter Configures the default ICMP threshold and action Step 3 From the SCE config if prompt type attack detector 1 access list 3 comment DNS servers and press Enter Enables attack detector 1 and assigns ACL 3 to it Step 4 From the SCE config if prompt type attack detector 1 UDP ports list 53 Defines the list of UDP destination ports for attack...

Page 205: ...tion regarding TCP attacks originating from the subscriber that are configured with block action Such attacks cannot normally be notified to the subscriber using HTTP redirection since all HTTP flows originating from the subscriber are TCP flows and they are therefore blocked along with all other attack flows To enable effective use of HTTP redirect there is a CLI command that prevents blocking of...

Page 206: ...n there is time to plan the needed changes properly Use the don t filter command described below for this type of case An ISP is informed that one of his subscribers is being attacked by a UDP attack from the network side The ISP wants to protect the subscriber from this attack by blocking all UDP traffic to the subscriber but unfortunately the SCE platform did not recognize the attack Alternative...

Page 207: ...ingle side destination single side both ip ip address dual sided source ip source ip address destination ip dest ip address side subscriber network both and press Enter How to Remove a dont filter Setting from a Specified Situation Step 1 From the SCE config if prompt type no attack filter dont filter protocol TCP UDP dest port port number not specific ICMP other attack direction single side sourc...

Page 208: ...ecific ICMP other attack direction single side source single side destination single side both ip ip address dual sided source ip source ip address destination ip dest ip address side subscriber network both and press Enter How to Remove All force filter Settings Step 1 From the SCE config if prompt type no attack filter force filter all and press Enter Monitoring Attack Filtering Monitoring Attac...

Page 209: ...ation duration seconds total flows hw filter If the end of the attack was declared as a result of a no force filter command or a new don t filter command Attack Filter Forced to end action2 IP info from side side protocol protocol Attack end forced using a no force filter or a don t filter command The format of the reason string sent when an attack begins is If attack end was detected in the traff...

Page 210: ...t attack detector configuration page 10 24 How to display all attack detector configurations page 10 25 How to display filter state enabled or disabled page 10 25 How to display configured threshold values and actions page 10 25 How to display the current counters page 10 27 How to display all currently handled attacks page 10 27 How to display all existing force filter settings page 10 27 How to ...

Page 211: ...threshold for ratio of suspected flow rate to open flow rate Subscriber notification enabled or disabled Alarm sending an SNMP trap enabled or disabled Options The following option is available number the number of the attack detector to display Step 1 From the SCE prompt type show interface linecard 0 attack detector number and press Enter Example SCE show interface LineCard 0 attack detector 1 D...

Page 212: ...dest only Report 1000 500 50 No No TCP sub source only Report 1000 500 50 No No TCP sub dest only Report 1000 500 50 No No TCP net source dest Report 100 50 50 No No TCP sub source dest Report 100 50 50 No No TCP port net source only Report 1000 500 50 No No TCP port net dest only Report 1000 500 50 No No TCP port sub source only Report 1000 500 50 No No TCP port sub dest only Report 1000 500 50 N...

Page 213: ... TCP dest source enabled TCP port source only enabled TCP port dest only enabled TCP port dest source enabled UDP source only enabled UDP dest only enabled UDP dest source enabled UDP port source only enabled UDP port dest only enabled UDP port dest source enabled ICMP source only enabled ICMP dest only enabled other source only enabled other dest only enabled SCE How to display configured thresho...

Page 214: ...0 No No No No ICMP net src Report 500 250 50 No No No No ICMP net dst Report 500 250 50 No No No No ICMP sub src Report 500 250 50 No No Yes No 1 ICMP sub dst Report 500 250 50 No No No No other net src Report 500 250 50 No No No No other net dst Report 500 250 50 No No No No other sub src Report 500 250 50 No No No No other sub dst Report 500 250 50 No No No No N below a value means that the valu...

Page 215: ... dest ip address dest port portnumber current and press Enter How to display all currently handled attacks Step 1 From the SCE prompt type show interface linecard 0 attack filter current attacks and press Enter How to display all existing force filter settings Step 1 From the SCE prompt type show interface linecard 0 attack filter force filter and press Enter How to display all existing don t filt...

Page 216: ...0 9 Viewing the Attack Log The Attack Log page 10 28 How to View the Attack Log page 10 29 How to Copy the Attack Log to a File page 10 29 The Attack Log The attack log contains a message for each specific IP detection of attack beginning and attack end Messages are in CSV format The message for detecting attack beginning contains the following data IP address Pair of addresses if detected Protoco...

Page 217: ...the second log file reaches maximum capacity the system then reverts to logging events to the first log file thus overwriting the temporarily archived information stored in that file The following SNMP trap indicates that the attack log is full and a new log file has been opened ST_LINE_ATTACK_LOG_IS_FULL Note When the attack log is large it is not recommended to display it Copy a large log to a f...

Page 218: ...10 30 Cisco SCE8000 Software Configuration Guide Rel 3 1 6S OL 16479 01 Chapter 10 Identifying and Preventing Distributed Denial Of Service Attacks Monitoring Attack Filtering ...

Page 219: ...ithout requiring coordination and orchestration by additional components SCMP Terminology page 11 2 Deployment Scenarios page 11 3 SCMP Peer Devices page 11 4 SCMP Subscriber Management page 11 6 The SCMP is a Cisco proprietary protocol that uses the RADIUS protocol with CoA Change of Authorization support as a transport layer The SCMP provides connection management messages subscriber management ...

Page 220: ...n the new Subscriber Accounting RDR and are sent according to the interval defined in the PQB configuration SCMP Terminology SCMP terminology is similar to but not identical to existing SCE platform terminology It is derived from the ISG terminology since every SCE subscriber is actually an ISG session subscriber The client who is purchasing service from the Service Provider and is receiving the b...

Page 221: ...one ISG router with a single SCE platform Figure 11 1 Single ISG Router with a Single SCE Platform Note The red dotted lines depict the control path communication A deployment of this type might be used with ISG running on a service gateway or BRAS terminating a large number of subscribers However note that deploying only one SCE platform results in a single point of failure which is not generally...

Page 222: ...undant Note An ISG device cannot push sessions to two SCE platforms at the same time You must configure multiple SCE platforms with load balancing MGSCP to work in pull integration mode SCMP Peer Devices An SCMP peer device is a Cisco device running IOS with the ISG module enabled The SCE platform supports the ability to communicate with several SCMP peer devices at the same time However each peer...

Page 223: ...igned a subscriber template the default template is used One SCE platform supports a maximum of 20 SCMP peer devices Connection Management The SCMP attempts to maintain an open connection to each peer device The following figure illustrates the SCMP connection state functionality Figure 11 3 SCMP Connection State Functionality The loss of sync timeout prevents the SCE platform from retaining sessi...

Page 224: ...equires the use of a globally unique identifier GUID that is created by and identifies each SCMP peer device The GUID is a 16 character long ASCII string The SCE platform uses the GUID for all communication with the SCMP peer SCMP creates the SCE subscriber ID from the concatenation of any or all the following user related RADIUS attributes with the GUID as the suffix Calling Station Id NAS port I...

Page 225: ...g prompt type scmp and press Enter How to Disable the SCMP Step 1 From the SCE config prompt type no scmp and press Enter How to Configure the SCMP Peer Device to Push Sessions When SCMP establishes a connection with an SCMP peer device it informs the device whether the SCMP is configured to push sessions or to wait till the sessions are pulled by the SCE platform Use this command to specify push ...

Page 226: ... more than one SCE platform This configuration takes effect only after the connection is re established Default is disabled subscribers can be provisioned to more than one SCE platform Step 1 From the SCE config prompt type scmp subscriber force single sce and press Enter How to Disable Forcing Each Subscriber to Single SCE Platform Use this command to disable forcing each subscriber to only one S...

Page 227: ...loss of sync timeout interval is the amount of time between loss of connection between the SCE platform and an SCMP peer device and the loss of sync event To prevent miss classification loss of sync event removes all subscribers that were provisioned by the relevant SCMP peer device Options The following options are available interval Loss of sync timeout interval in seconds Default 90 seconds Ste...

Page 228: ...command defines the specified anonymous group to be the IP range of the SCMP peer device You must define the specified SCMP peer device before assigning the anonymous group Options The following options are available group name Name of the anonymous subscriber group to be associated with the specified SCMP peer device range optional IP range defined for the anonymous group template optional group ...

Page 229: ...ting the device Step 1 First remove all anonymous groups assigned to the device SCE config if no subscriber anonymous group name group name IP range range template template scmp name peer device name Step 2 Repeat this step for all anonymous groups assigned to the SCMP peer device Step 3 When all anonymous groups have been removed from the device exit LineCard Interface Configuration mode SCE conf...

Page 230: ...Id User Name Default no elements concatenated with the GUID Step 1 Disable the SCMP SCE config no scmp Step 2 Define the subscriber ID SCE config scmp subscriber id append to guid radius attributes Calling Station Id NAS Port Id User Name Calling Station Id NAS Port Id User Name Calling Station Id NAS Port Id User Name Step 3 Enable the SCMP SCE config scmp Configuring the RADIUS Client You can co...

Page 231: ... client How to Monitor the SCMP Options page 11 13 How to display the general SCMP configuration page 11 14 How to display the configuration all currently defined SCMP peer devices page 11 14 How to display the configuration for a specified SCMP peer device page 11 14 How to display the statistics for all SCMP peer devices page 11 14 How to display the statistics for a specified SCMP peer device p...

Page 232: ...Subscriber Id structure GUID How to display the configuration all currently defined SCMP peer devices Step 1 From the SCE prompt type show scmp all and press Enter How to display the configuration for a specified SCMP peer device Step 1 From the SCE prompt type show scmp name device name and press Enter Example SCE show scmp name isg SCMP Connection isg status 10 56 208 91 auth port 1812 acct port...

Page 233: ...es received 72 Establish requests sent 1 Establish replies received 1 Accounting requests sent 20 Accounting replies received 20 Subscriber queries sent 0 Subscriber query response recv 0 Request retry exceeded 0 Requests replied with errors 0 Subscriber requests received 50 Subscriber responses sent 50 Failed Requests 0 Keep alive sent 1 Keep alive received 1 Monitoring the RADIUS Client Use the ...

Page 234: ...11 16 Cisco SCE8000 Software Configuration Guide Rel 3 1 6S OL 16479 01 Chapter 11 Managing the SCMP Monitoring the SCMP Environment ...

Page 235: ...ture It points out backward compatible issues and provides mapping guidelines from old MIB or OID group to a new MIB Note These MIB updates are supported on the SCE8000 platform only The pcube MIB is backward compatible to 3 1 6 for the SCE 1000 and SCE 2000 platforms The list of supported MIBs is described at the following URL under the Cisco Service Routing Products section Select the desired pr...

Page 236: ... the system CISCO ENTITY FRU CONTROL MIB my Monitor s and configures operational status of Field Replaceable Units CISCO ENTITY REDUNDANCY MIB my Supports configuration control and monitoring of redundancy protection for various kinds of components on Cisco managed devices CISCO ENTITY REDUNDANCY TC MIB my Defines the textual conventions used within Cisco Entity Redundancy MIBs CISCO ENTITY SENSOR...

Page 237: ...vice control entity CISCO SERVICE CONTROL SUBSCRIBERS MIB my Provides global and specific information on subscribers managed by a service control entity CISCO SERVICE CONTROL TP STATS MIB my Provides information and statistics on the traffic processor s of a service control entity CISCO SERVICE CONTROL ATTACK MIB my Provides information related to different types of attacks detected on the network...

Page 238: ...ion is an overview of how the former pcube MIB maps to the current Cisco MIBs Two P cube MIBs are mapped PcubeSeMIB and PcubeEngageMIB CISCO SCABB MIB Table A 4 Overall tree structure related objects Pcube Object Name New MIB Object Name MIB Name pcube CISCO SERVICE CONTROL or cServiceControl pcubeProducts ciscoMgmt pcubeModules Removed pcubeSeMIB See Table A 5 on page A 4 Table A 5 PcubeSeMIB Pcu...

Page 239: ...ny objects in the group are no longer necessary pcubeTxQueuesGroup CISCO QUEUE MIB with a few modifications pcubeGlobalControllersGroup CISCO SERVICE CONTROLLER MIB pcubeTrafficCountersGroup CISCO SERVICE CONTROL TP STATS MIB pcubeAttackGroup CISCO SERVICE CONTROL ATTACK MIB pcubeVasTrafficForwardingGrp CISCO SERVICE CONTROL VAS MIB pcubeMplsVpnAutoLearnGrp CISCO SERVICE CONTROL MPLS MIB pcubeTrap...

Page 240: ...ble entStateUsage unknown 1 entStateTable entStateAlarm critical 2 or major 3 sysFailureRecovery 1 3 6 1 4 1 5655 4 1 1 2 CISCO ENTITY EXT MIB ceExtConfigRegTable ceExt ConfigRegEntry ceExtConfi gRegister 1 3 6 1 4 1 9 9 195 1 2 1 1 sysVersion 1 3 6 1 4 1 5655 4 1 1 2 1 ENTITY MIB entPhysicalDescr 1 3 6 1 2 1 47 1 1 1 1 2 Table A 7 pchassisGrp 1 3 6 1 4 1 5655 4 1 2 pcube Object Name OID New MIB N...

Page 241: ...erSupplyInputTy pe 1 3 6 1 4 1 9 9 117 1 6 1 1 2 pchassisLineFeedAlarm 1 3 6 1 4 1 5655 4 1 2 10 CISCO ENTITY FRU CONTROL MIB cefcFRUPowerOperStatu s 1 3 6 1 4 1 9 9 117 1 1 2 1 2 Table A 8 pmoduleGrp 1 3 6 1 4 1 5655 4 1 3 pcube Object Name OID New MIB New Object Name OID pmoduleTable 1 3 6 1 4 1 5655 4 1 3 1 ENTITY MIB entPhysicalTable 1 3 6 1 2 1 47 1 1 1 pmoduleEntry 1 3 6 1 4 1 5655 4 1 3 1 1...

Page 242: ...ttackFilteringTime 1 3 6 1 4 1 5655 4 1 3 1 1 12 CISCO SERVICE CONTROL ATTACK MIB cscaInfoDownStream AttackFilteringTime 1 3 6 1 4 1 9 9 5555 1 3 1 3 pmoduleDownStream LastAttack FilteringTime 1 3 6 1 4 1 5655 4 1 3 1 1 13 CISCO SERVICE CONTROL ATTACK MIB cscaInfoDownStreamLast AttackFilteringTime 1 3 6 1 4 1 9 9 5555 1 3 1 4 pmoduleAttack ObjectsClearTime 1 3 6 1 4 1 5655 4 1 3 1 1 14 Not mapped ...

Page 243: ...1 9 9 631 1 2 1 7 Table A 10 diskGrp 1 3 6 1 4 1 5655 4 1 5 all objects mapped to HOST RESOURCE MIB pcube Object Name OID New Object Name OID diskNumUsedBytes 1 3 6 1 4 1 5655 4 1 5 1 hrStorageTable hrStorageUsed 1 3 6 1 2 1 25 2 3 1 6 diskNumFreeBytes 1 3 6 1 4 1 5655 4 1 5 2 hrStorageTable hrStorageUsed hrStorageTable hrStorageSize 1 3 6 1 2 1 25 2 3 1 6 1 3 6 1 2 1 25 2 3 1 5 Table A 11 rdrForm...

Page 244: ...ontrolRDRFormatterNumRep ortsDiscarded 1 3 6 1 4 1 9 9 637 1 1 1 3 rdrFormatterClear CountersTime 1 3 6 1 4 1 5655 4 1 6 5 Not mapped rdrFormatterReportRate 1 3 6 1 4 1 5655 4 1 6 6 cServiceControlRDRFormatterReportR ate 1 3 6 1 4 1 9 9 637 1 1 1 4 rdrFormatterReportRate Peak 1 3 6 1 4 1 5655 4 1 6 7 cscRdrFormatterReportRatePeak 1 3 6 1 4 1 9 9 637 1 1 1 5 rdrFormatterReportRate PeakTime 1 3 6 1 ...

Page 245: ...tStatus 1 3 6 1 4 1 5655 4 1 6 12 1 2 cServiceControlRDRFormatterCategor yDestStatus 1 3 6 1 4 1 9 9 637 1 4 1 2 Table A 12 loggerGrp 1 3 6 1 4 1 5655 4 1 7 all mapped objects mapped to CISCO SYSLOG EVENT EXT MIB pcube Object Name OID New Object Name OID loggerUserLogEnable 1 3 6 1 4 1 5655 4 1 7 1 Not mapped loggerUserLogNumInfo 1 3 6 1 4 1 5655 4 1 7 2 cslogEventDispositionTable 1 3 6 1 4 1 9 9 ...

Page 246: ...umVlan MappingsFree 1 3 6 1 4 1 9 9 628 1 2 1 8 subscribersNumActive 1 3 6 1 4 1 5655 4 1 8 1 1 9 cServiceControlSubscribersNumActiv e 1 3 6 1 4 1 9 9 628 1 2 1 9 subscribersNumActivePe ak 1 3 6 1 4 1 5655 4 1 8 1 1 10 Not mapped subscribersNumActivePe akTime 1 3 6 1 4 1 5655 4 1 8 1 1 11 Not mapped subscribersNumUpdates 1 3 6 1 4 1 5655 4 1 8 1 1 12 cServiceControlSubscribersNumUpda tes 1 3 6 1 4...

Page 247: ...olSubscribersRowStatus 1 3 6 1 4 1 9 9 628 1 1 1 4 cServiceControlSubscribersPackageIn dex 1 3 6 1 4 1 9 9 628 1 1 1 5 cServiceControlSubscribersRealTime Monitor 1 3 6 1 4 1 9 9 628 1 1 1 6 Table A 14 trafficProcessorGrp 1 3 6 1 4 1 5655 4 1 9 pcube Object Name OID New MIB New Object Name OID tpInfoTable 1 3 6 1 4 1 5655 4 1 9 1 CISCO SERVICE CONTROL TP STATS MIB cscTpTable 1 3 6 1 4 1 9 9 634 1 1...

Page 248: ... 4 1 9 1 1 9 Not mapped tpNumTcpActive FlowsPeakTime 1 3 6 1 4 1 5655 4 1 9 1 1 10 Not mapped tpNumUdpActiveFlo ws 1 3 6 1 4 1 5655 4 1 9 1 1 11 CISCO SERVICE CONTROL TP STATS MIB cscTpUdpActiveFlo ws 1 3 6 1 4 1 9 9 634 1 1 1 5 tpNumUdpActive FlowsPeak 1 3 6 1 4 1 5655 4 1 9 1 1 12 Not mapped tpNumUdpActive FlowsPeakTime 1 3 6 1 4 1 5655 4 1 9 1 1 13 Not mapped tpNumNonTcpUdp ActiveFlows 1 3 6 1 ...

Page 249: ...Packets 1 3 6 1 4 1 9 9 634 1 1 1 13 tpTotalNumIp BroadcastPackets 1 3 6 1 4 1 5655 4 1 9 1 1 25 CISCO SERVICE CONTROL TP STATS MIB cscTpTotalIp BroadcastPackets 1 3 6 1 4 1 9 9 634 1 1 1 14 tpTotalNum TtlErrPackets 1 3 6 1 4 1 5655 4 1 9 1 1 26 CISCO SERVICE CONTROL TP STATS MIB cscTpTotalTTLErrPa ckets 1 3 6 1 4 1 9 9 634 1 1 1 15 tpTotalNumTcpUdp CrcErrPackets 1 3 6 1 4 1 5655 4 1 9 1 1 27 CISC...

Page 250: ... 4 1 9 9 634 1 1 1 20 Table A 15 pportGrp 1 3 6 1 4 1 5655 4 1 10 pcube Object Name OID New MIB New Object Name OID pportTable 1 3 6 1 4 1 5655 4 1 1 0 1 Not mapped Information provided by ENTITY MIB pportEntry 1 3 6 1 4 1 5655 4 1 1 0 1 1 Not mapped Information provided by ENTITY MIB pportModuleIndex 1 3 6 1 4 1 5655 4 1 1 0 1 1 1 ENTITY MIB entPhysicalContainedIn 1 3 6 1 2 1 47 1 1 1 1 4 pportIn...

Page 251: ...ISCO QUEUE M IB cQIfTable and cQStatsTable 1 3 6 1 4 1 9 9 37 1 2 txQueuesEntry 1 3 6 1 4 1 5655 4 1 11 1 1 CISCO QUEUE M IB cQStatsEntry 1 3 6 1 4 1 9 9 37 1 2 1 txQueuesModu leIndex 1 3 6 1 4 1 5655 4 1 11 1 1 1 Not mapped txQueuesPortIn dex 1 3 6 1 4 1 5655 4 1 11 1 1 2 RFC1213 MIB ifIndex The entry is indexed by ifIndex of IF MIB 1 3 6 1 2 1 2 2 1 1 txQueuesQueue Index 1 3 6 1 4 1 5655 4 1 11 ...

Page 252: ... globalControllersPortIndex 1 3 6 1 4 1 5655 4 1 12 1 1 2 Not mapped Provided by entityPhyIndex globalControllersIndex 1 3 6 1 4 1 5655 4 1 12 1 1 3 ciscoServiceControlGlobalC ontrollersIndex 1 3 6 1 4 1 9 9 9999 1 5 1 1 1 globalControllersDescriptio n 1 3 6 1 4 1 5655 4 1 12 1 1 4 ciscoServiceControlGlobalC ontrollersDescription 1 3 6 1 4 1 9 9 9999 1 5 1 1 2 globalControllersBandwidth 1 3 6 1 4 ...

Page 253: ...New Object Name OID attackTypeTable 1 3 6 1 4 1 5655 4 1 15 1 cscaTypeTable 1 3 6 1 4 1 9 9 5555 1 2 attackTypeEntry 1 3 6 1 4 1 5655 4 1 15 1 1 cscaTypeEntry 1 3 6 1 4 1 9 9 5555 1 2 1 attackTypeIndex 1 3 6 1 4 1 5655 4 1 15 1 1 1 cscaTypeIndex 1 3 6 1 4 1 9 9 5555 1 2 1 1 attackTypeName 1 3 6 1 4 1 5655 4 1 15 1 1 2 cscaTypeName 1 3 6 1 4 1 9 9 5555 1 2 1 2 attackTypeCurrentNumA ttacks 1 3 6 1 4...

Page 254: ...CISCO SERVICE CONTROL MPLS MIB pcube Object Name OID New Object Name OID mplsVpnSoftwareCoun tersTable 1 3 6 1 4 1 5655 4 1 17 1 cSCMplsCountersTable 1 3 6 1 4 1 9 9 695 1 1 mplsVpnSoftwareCoun tersEntry 1 3 6 1 4 1 5655 4 1 17 1 1 cSCMplsCountersEntry 1 3 6 1 4 1 9 9 695 1 1 1 mplsVpnMaxHWMapp ings 1 3 6 1 4 1 5655 4 1 17 1 1 1 cSCMplsMaxHWMappings 1 3 6 1 4 1 9 9 695 1 1 1 1 mplsVpnCurrentHWM ap...

Page 255: ...r NoActiveConnection Trap 1 3 6 1 4 1 9 9 637 0 3 rdrConnectionUpTrap 1 3 6 1 4 1 5655 4 0 12 CISCO SERVICE CONTROL RDR MIB cServiceControlRdr ConnectionStatus UpTrap 1 3 6 1 4 1 9 9 637 0 6 rdrConnectionDown Trap 1 3 6 1 4 1 5655 4 0 13 CISCO SERVICE CONTROL RDR MIB cServiceControlRdr ConnectionStatusDo wnTrap 1 3 6 1 4 1 9 9 637 0 4 telnetSessionStartedTr ap 1 3 6 1 4 1 5655 4 0 14 CISCO TELNET ...

Page 256: ...nge 1 3 6 1 4 1 9 9 498 0 2 moduleLostRedundanc yTrap 1 3 6 1 4 1 5655 4 0 31 CISCO ENTITY REDUNDANCY MIB ceRedunProtectStatu sChange 1 3 6 1 4 1 9 9 498 0 2 moduleSmConnection DownTrap 1 3 6 1 4 1 5655 4 0 32 CISCO ENTITY ALARM MIB ceAlarmAsserted ceAlarmCleared 1 3 6 1 4 1 9 9 138 2 0 1 1 3 6 1 4 1 9 9 138 2 0 2 moduleSmConnection UpTrap 1 3 6 1 4 1 5655 4 0 33 CISCO ENTITY ALARM MIB ceAlarmAsse...

Page 257: ...CE CONTROL SUBSCRIBER MIB cServiceControlSubs criberMappingTrap 1 3 6 1 4 1 9 9 628 0 1 loggerLineAttackLog FullTrap 1 3 6 1 4 1 5655 4 0 44 CISCO ENTITY ALARM MIB ceAlarmAsserted ceAlarmCleared 1 3 6 1 4 1 9 9 138 2 0 1 1 3 6 1 4 1 9 9 138 2 0 2 vasServerOpertional StatusChangeTrap 1 3 6 1 4 1 5655 4 0 45 CISCO SERVICE CONTROL VAS MIB cscVasOperStatusCh ange 1 3 6 1 4 1 9 9 9999 0 1 pullRequestNu...

Page 258: ...A 24 Cisco SCE8000 Software Configuration Guide Release 3 1 6S OL 16479 01 Appendix A Cisco Service Control MIBs pcube to Cisco MIB Mapping ...

Page 259: ...s that insure that no traffic will be dropped while in this state These mechanisms will prioritize packet handling over service related actions As a result symptoms of service loss might be experienced Following are several examples Broken reports during the congestion period sometimes appears as saw tooth pattern Bandwidth enforcement levels are not met No UDP traffic is being reported this is be...

Page 260: ...rvice control tp stats include cscTpFlowsCapacityUtilization It is advisable to consider sizing of the solution when the flows capacity utilization exceeds 90 regularly at peak hours Subscribers Capacity SNMP cServiceControlSubscribersInfoEntry Refer to the cisco service control subscriber MIB for more information CLI command show snmp MIB cisco service control subscriber The Cisco SCE8000 platfor...

Page 261: ...where the SCE platform is installed in locations where the network traffic does not match its capacity and performance envelopes permanent service loss can occur This is measured in hours Service loss is defined as the ratio of the number of packets that did not receive service as expected to the total number of packets that were processed by the SCE platform Monitoring Service Loss SNMP cscTpServ...

Page 262: ...B 4 Cisco SCE8000 Software Configuration Guide Rel 3 1 6S OL 16479 01 Appendix B Monitoring SCE Platform Utilization Service Loss ...

Reviews:

No comments