Alcatel-Lucent 7705 SAR Скачать руководство пользователя страница 29 | Manualshive

Страница: 29 / 356

background image

Security

7705 SAR OS System Management Guide

29

All commands at and below the hierarchy level of the matched command are subject
to the

timetra-action

VSA.

Multiple match-strings can be entered in a single

timetra-cmd

VSA. Match

strings must be semicolon (;) separated (maximum string length is 254 characters).

One or more

timetra-cmd

VSAs can be entered followed by a single

timetra-action

VSA:

•

timetra-action <deny | permit>

— causes the permit or deny action to

be applied to all match strings specified since the last

timetra-action

VSA

•

timetra-home-directory <home-directory string>

— specifies the

home directory that applies for the FTP and CLI user. If this VSA is not configured,
the home directory is Compact Flash slot 1 (

cf3

: on all platforms).

•

timetra-restrict-to-home-directory <true | false>

—

specifies if user access is limited to their home directory (and directories and files
subordinate to their home directory). If this VSA is not configured, the user is
allowed to access the entire file system.

•

timetra-login-exec <login-exec-string>

— specifies the login exec

file that is executed when the user login is successful. If this VSA is not configured,
no login exec file is applied.

If no VSAs are configured for a user, then the following applies.

•

The password authentication-order command on the 7705 SAR router must include

local

.

•

The user name must be configured on the 7705 SAR router.

•

The user must be successfully authenticated by the RADIUS server.

•

A valid profile must exist on the 7705 SAR router for this user.

If all conditions listed above are not met, then access to the 7705 SAR router is denied and a
failed login event/trap is written to the security log.

For receiving data from the RADIUS server, the following are supported:

•

Juniper (vendor-id 4874) attributes 4 (Primary DNS server) and 5 (Secondary DNS
server)

•

Redback (vendor-id 2352) attributes 1 (Primary DNS) and 2 (Secondary DNS)

•

sending authentication requests: (from the DSL Forum) (vendor-id 3561), attributes
1 (Circuit ID) and 2 (Remote ID)

«
...
27
28
29
30
31
...
»

Содержание 7705 SAR

Страница 1: ...trade secret information which is the property of Alcatel Lucent Not to be made available to or copied or used by anyone who is not an employee of Alcatel Lucent except when there is a valid non disc...

Страница 2: ...r other distribution of the products for any such application without the prior written consent of Alcatel Lucent shall be at the customer s sole risk The customer hereby agrees to defend and hold Alc...

Страница 3: ...ation 23 Accounting 24 RADIUS Accounting 24 TACACS Accounting 24 Security Controls 26 When a Server Does Not Respond 26 Access Request Flow 26 Vendor Specific Attributes VSAs 28 Sample User VSA Config...

Страница 4: ...TACACS Authorization 62 Configuring TACACS Accounting 63 Security Command Reference 65 Command Hierarchies 65 Configuration Commands 66 Login Control Commands 72 Show Commands 73 Clear Commands 73 De...

Страница 5: ...206 Log Destinations 208 Console 208 Session 208 Memory Logs 209 Log Files 209 SNMP Trap Group 210 Syslog 211 Event Logs 212 Event Sources 213 Event Control 214 Log Manager and Event Logs 216 Event F...

Страница 6: ...log ID 244 Deleting a Syslog ID 245 Modifying an SNMP Trap Group 245 Deleting an SNMP Trap Group 246 Modifying a Log Filter 247 Deleting a Log Filter 249 Modifying Event Control Parameters 249 Returni...

Страница 7: ...w Output Fields 157 Table 18 Show Users Output Fields 158 SNMP 161 Table 19 Show SNMP Counters Output Fields 193 Table 20 Show System Information Output Fields 195 Table 21 Show System Access Group Fi...

Страница 8: ...Fields 301 Table 46 Log Collector Output Fields 303 Table 47 Log ID Output Fields 305 Table 48 SNMP Trap Group Output Fields 308 Table 49 Syslog Output Fields 309 List of Acronyms 311 Table 50 Acrony...

Страница 9: ...05 SAR OS System Management Guide 9 List of Figures Security 17 Figure 1 RADIUS Requests and Responses 19 Figure 2 Security Flow 27 Event and Accounting Logs 205 Figure 3 Event Logging Block Diagram 2...

Страница 10: ...List of Figures 10 7705 SAR OS System Management Guide...

Страница 11: ...well as Command Line Interface CLI syntax and command usage Audience This guide is intended for network administrators who are responsible for configuring the 7705 SAR routers It is assumed that the...

Страница 12: ...filtering and routing policies 7705 SAR OS MPLS Guide This guide describes how to configure Multiprotocol Label Switching MPLS Resource Reservation Protocol for Traffic Engineering RSVP TE and Label...

Страница 13: ...ducts from a distributor or authorized reseller contact the technical support staff for that distributor or reseller for assistance If you purchased an Alcatel Lucent service agreement follow this lin...

Страница 14: ...About This Guide 14 7705 SAR OS System Management Guide...

Страница 15: ...n this book is presented in an overall logical configuration flow Each section describes a software area and provides CLI syntax and command usage to configure parameters for a functional area Table 1...

Страница 16: ...Alcatel Lucent 7705 SAR System Management Configuration Process 16 7705 SAR OS System Management Guide...

Страница 17: ...rovides information to configure security parameters Topics in this chapter include Authentication Authorization and Accounting Security Controls Vendor Specific Attributes VSAs Other Security Feature...

Страница 18: ...he session The accounting data can then be used to analyze trends and also for billing and auditing purposes You can configure the 7705 SAR to use local Remote Authentication Dial In User Service RADI...

Страница 19: ...information If the RADIUS server does not respond within a specified time the router issues the access request to the next configured servers Each RADIUS server must be configured identically to guara...

Страница 20: ...ccess permissions and command authorization profiles must be configured on each router Any combination of these authentication methods can be configured to control network access from a 7705 SAR route...

Страница 21: ...enticating a request Round robin In round robin mode the server used to authenticate a request is the next server in the list following the last authentication request For example if server 1 is used...

Страница 22: ...rized to issue the command the command is executed If the user is not authorized to issue the command then the command is not executed Profiles must be created on each 7705 SAR router and should be id...

Страница 23: ...authorization method is configured RADIUS authorization or TACACS Local authorization is restored when RADIUS authorization is disabled You must configure profile and user access information locally R...

Страница 24: ...outer issues the accounting request to the next configured RADIUS server up to 5 User passwords and authentication keys of any type are never transmitted as part of the accounting request When RADIUS...

Страница 25: ...he configuration to see if TACACS accounting is required for the particular event If TACACS accounting is required then depending on the accounting record type specified the device sends a start packe...

Страница 26: ...ponsive again are performed If a server is down it will not be contacted for 5 minutes If a login is attempted after 5 minutes then the server is contacted again If a server has the health check featu...

Страница 27: ...ADIUS server and the user name and password are not recognized access is denied and passed on to the next authentication option in this case the TACACS server The process continues until the request i...

Страница 28: ...es for local and remote authentication The authentication order parameters configured on the router must include the local keyword The user name may or may not be configured on the 7705 SAR router The...

Страница 29: ...home directory If this VSA is not configured the user is allowed to access the entire file system timetra login exec login exec string specifies the login exec file that is executed when the user log...

Страница 30: ...conditions are not met The timetra cmd parameters allow the user to use the configure show and debug commands Matching strings specified in the timetra action command are permitted for this user users...

Страница 31: ...gerAlcatel IPD ATTRIBUTE Alc Default Router18ipaddrAlcatel IPD RADIUS accounting VSAs ATTRIBUTE Alc Acct I Inprof Octets 6419octetsAlcatel IPD ATTRIBUTE Alc Acct I Outprof Octets 6420octetsAlcatel IPD...

Страница 32: ...verify that the remote system is the host and not a computer set up to imitate it SSH runs on top of a transport layer like TCP or IP and provides authentication and encryption capabilities SSH suppor...

Страница 33: ...be used to properly delimit directories and the filename The 7705 SAR support for SSH and SCP is the same for both IPv4 and IPv6 addressing including support for SSH1 and SSH2 in band and out of band...

Страница 34: ...ource port TCP ACK TCP SYN To avoid DoS like attacks overwhelming the control plane while ensuring that critical control traffic such as signaling is always serviced in a timely manner the 7705 SAR ha...

Страница 35: ...DES and Triple DES 3DES are supported for encryption DES is a widely used method of data encryption using a private secret key Both the sender and the receiver must know and use the same private key...

Страница 36: ...not configured then password profiles and user access information must be configured on each router in the domain If RADIUS authorization is enabled then VSAs must be configured on the RADIUS server R...

Страница 37: ...e 37 Configuring Security with CLI This section provides information to configure security using the command line interface Topics in this section include Setting Up Security Attributes Security Confi...

Страница 38: ...guring Password Management Parameters Configuring Profiles Configuring Users RADIUS authentication with local authorization By default authentication is enabled locally Perform the following tasks to...

Страница 39: ...zation with authentication For RADIUS authorization with authentication configure these tasks on each participating 7705 SAR router Configuring RADIUS Authorization For RADIUS authorization VSAs must...

Страница 40: ...e Configuring Accounting Refer to the following sections to configure accounting Local accounting is not implemented For information about configuring accounting policies refer to Configuring Logging...

Страница 41: ...CS enable one to five RADIUS and or TACACS servers configure RADIUS and or TACACS parameters The following example displays default values for security parameters ALU 1 config system security info det...

Страница 42: ...rivacy read no security notify no security access group snmp rw security model snmpv1 security level no auth no privacy read no security write no security notify no security access group snmp rw secur...

Страница 43: ...ment of the 7705 SAR router by other nodes outside either specific sub networks or through designated ports By default there are no filters associated with security options The management access filte...

Страница 44: ...p prefix netmask src port port id cpm renum old entry number new entry number no shutdown Use the following CLI commands to configure an IPv6 management access filter CLI Syntax config system security...

Страница 45: ...ip 10 10 10 1 32 config system security mgmt access filter ip filter entry action permit config system security mgmt access filter ip filter entry exit The following example displays the management a...

Страница 46: ...p ip filter entry entry id create action accept drop description description string log log id match protocol protocol id dscp dscp name dst ip ip address mask ip address netmask dst port tcp udp port...

Страница 47: ...exit entry 20 create no action description CPM Filter 10 4 101 2 201 log 101 exit no shutdown A ALU 49 config sys sec cpm ip filter Configuring Password Management Parameters Configuring password mana...

Страница 48: ...info password authentication order radius tacplus local aging 365 minimum length 8 attempts 5 time 5 lockout 20 exit ALU 1 config system security Configuring Profiles Profiles are used to deny or per...

Страница 49: ...nfig system security profile entry 3 config system security profile entry match exit The following example displays the user profile output ALU 1 config system security info profile ghost default acti...

Страница 50: ...security user 49ers config system security user access ftp snmp console config system security user console config system security user console member default ghost config system security user consol...

Страница 51: ...ser to testuserA MINOR CLI User testuserA already exists use overwrite flag config system security config system security copy user testuser to testuserA overwrite config system security The following...

Страница 52: ...login exit snmp authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none group testgroup exit ALU 12 config system security user Copying a Profile CLI Syntax config system security copy u...

Страница 53: ...ription match password action permit exit entry 60 no description match show config action deny exit entry 70 no description match show action permit exit entry 80 no description match enable admin ac...

Страница 54: ...t exit exit profile administrative default action permit all exit Configuring SSH Use the SSH command to configure the SSH server as SSH1 SSH2 or both The default is SSH2 This command should only be e...

Страница 55: ...sessions value outbound max sessions value idle timeout minutes disable pre login message login text string name login banner motd url url prefix source url text motd text string The following example...

Страница 56: ...ntication Configuring RADIUS Authorization Configuring RADIUS Accounting Configuring 802 1x RADIUS Policies Configuring RADIUS Authentication RADIUS is disabled by default and must be explicitly enabl...

Страница 57: ...us server 1 address A A A A A A A 1 secret test11 security radius server 2 address 10 10 0 1 secret test2 security radius server 3 address 10 10 0 2 secret test3 security radius server 4 address 10 10...

Страница 58: ...use the following CLI commands to configure RADIUS authorization CLI Syntax config system security radius authorization The following example displays the CLI syntax usage Example config system securi...

Страница 59: ...ge Example config system security config system security radius config system security radius accounting The following example displays the RADIUS accounting configuration ALU 1 config system security...

Страница 60: ...server type no shutdown source address ip address timeout seconds no shutdown The following example displays the CLI syntax usage Example config system security config system security dot1x config sy...

Страница 61: ...A A 1 secret test1 security tacplus server 2 address 10 10 0 6 secret test2 security tacplus server 3 address 10 10 0 7 secret test3 security tacplus server 4 address 10 10 0 8 secret test4 security t...

Страница 62: ...onfig system security config system security tacplus config system security tacplus authorization config system security tacplus no shutdown The following example displays the TACACS authorization con...

Страница 63: ...security tacplus accounting The following example displays the TACACS accounting configuration ALU 1 config system security tacplus info accounting authorization timeout 5 single connection server 1...

Страница 64: ...Security Configuration Procedures 64 7705 SAR OS System Management Guide...

Страница 65: ...Commands Management Access Filter Commands IPv6 Management Access Filter Commands CPM Filter Commands IPv6 CPM Filter Commands Password Commands Profile Commands User Commands RADIUS Commands TACACS C...

Страница 66: ...application6 app no telnet server no telnet6 server vprn network exceptions number seconds no vprn network exceptions Management Access Filter Commands config system security no management access filt...

Страница 67: ...bel no log no next header next header router router instance no router src ip ipv6 address prefix length no src ip src port port id cpm no src port renum old entry number new entry number no shutdown...

Страница 68: ...rt src port number mask no src port tcp ack true false no tcp ack tcp syn true false no tcp syn renum old entry id new entry id no shutdown IPv6 CPM Filter Commands config system security no cpm filte...

Страница 69: ...n password aging days no aging attempts count time minutes1 lockout minutes2 no attempts authentication order method 1 method 2 method 3 exit on reject no authentication order no complexity numeric sp...

Страница 70: ...ricted to home snmp authentication none hash md5 key 1 sha key 1 privacy privacy level key 2 group group name no group user template tacplus_default radius_default no access ftp console console login...

Страница 71: ...t key hash hash2 port port no server server index no single connection timeout seconds no timeout no shutdown no use default template 802 1x Commands config system security no dot1x no radius plcy nam...

Страница 72: ...system login control no exponential backoff ftp inbound max sessions value no inbound max sessions idle timeout minutes disable no idle timeout no login banner motd url url prefix source url text motd...

Страница 73: ...ilter entry entry id ipv6 filter entry entry id management access filter ip filter entry entry id ipv6 filter entry entry id password options profile user profile name source address ssh retry user id...

Страница 74: ...Security Command Reference 74 7705 SAR OS System Management Guide Debug Commands debug radius detail hex no radius...

Страница 75: ...Security 7705 SAR OS System Management Guide 75 Command Descriptions Configuration Commands Show Commands Clear Commands Debug Commands...

Страница 76: ...eneric Security Commands Security Commands Management Access Filter Commands CPM Filter Commands Global Password Commands Password Commands Profile Management Commands User Management Commands RADIUS...

Страница 77: ...the string contains special characters spaces etc the entire string must be enclosed within double quotes shutdown Syntax no shutdown Context config system security management access filter ip filter...

Страница 78: ...o the return key and a new password at login must be selected Parameters source user the user to copy from The user must already exist source profile the profile to copy from The profile must already...

Страница 79: ...t Default all read version set to accept both versions 1 and 2 Parameters read version 1 2 all when the read version is configured as all both versions 1 and 2 will be accepted by the system Otherwise...

Страница 80: ...fies the application to use the source IPv6 address specified by the source address command The no form of the command removes the specified source address from the application causing the application...

Страница 81: ...e 7705 SAR sends ICMP replies to a source IP address in response to TTL expiry IP packets that have been received for all VPRN instances in the system and from all network IP interfaces Packets includ...

Страница 82: ...of the 7705 SAR by other nodes outside either specific sub networks or through designated ports Management filters as opposed to other traffic filters are enforced by system software The no form of t...

Страница 83: ...will be issued entry Syntax no entry Context config system security management access filter ip filter config system security management access filter ipv6 filter Description This command is used to...

Страница 84: ...the configured criteria will be permitted deny specifies that packets not matching the selection criteria will be denied deny host unreachable specifies that packets not matching the selection criter...

Страница 85: ...ender requests special handling such as non default QoS or real time service This command applies to IPv6 filters only Parameters value the flow identifier in an IPv6 packet header that can be used to...

Страница 86: ...ary DHB keywords none crtp crudp egp eigrp encap ether ip gre icmp idrp igmp igp ip ipv6 ipv6 frag ipv6 icmp ipv6 no nxt isis iso ip l2tp ospf igp pim pnni ptp rdp rsvp stp tcp udp vrrp udp tcp wildca...

Страница 87: ...sed in the match criteria Values 1 to 2147483647 src ip Syntax src ip ip prefix mask ip prefix netmask no src ip Context config system security management access filter ip filter entry Description Thi...

Страница 88: ...x x x x x x x eight 16 bit pieces x x x x x x d d d d x 0 to FFFF H d 0 to 255 D prefix length 1 to 128 src port Syntax src port port id cpm no src port Context config system security management acce...

Страница 89: ...lter ipv6 filter Description This command renumbers existing management access filter entries to resequence filter entries The 7705 SAR exits on the first match found and executes the actions in accor...

Страница 90: ...disables the CPM filter default action Syntax default action accept drop Context config system security cpm filter Description This command specifies the action to be applied to packets when the packe...

Страница 91: ...reated you can navigate to the entry context without using the create keyword All IPv4 filter entries can specify one or more matching criteria There are no range based restrictions on any IPv4 filter...

Страница 92: ...igured all criteria must be satisfied AND function before the action associated with the match is executed A match context may consist of multiple match criteria but multiple match statements cannot b...

Страница 93: ...ting Header for IPv6 44 ipv6 frag Fragment Header for IPv6 45 idrp Inter Domain Routing Protocol 46 rsvp Reservation Protocol 47 gre General Routing Encapsulation 58 ipv6 icmp ICMP for IPv6 59 ipv6 no...

Страница 94: ...criteria but multiple match statements cannot be entered per entry The no form of the command removes the match criteria for the entry id Parameters next header the IPv6 next header to match This para...

Страница 95: ...7 af32 cp29 af33 cp31 cs4 cp33 af41 cp35 af42 cp37 af43 cp39 cs5 cp41 cp42 cp43 cp44 cp45 ef cp47 nc1 cp49 cp50 cp51 cp52 cp53 cp54 cp55 nc2 cp57 cp58 cp59 cp60 cp61 cp62 cp63 dst ip Syntax dst ip ip...

Страница 96: ...ress on the interface Values ipv6 address x x x x x x x x eight 16 bit pieces x x x x x x d d d d x 0 to FFFF H d 0 to 255 D prefix length 1 to 128 dst port Syntax dst port tcp udp port number mask no...

Страница 97: ...ets that have the MF bit set to zero and have the Fragment Offset field also set to zero icmp code Syntax icmp code icmp code no icmp code Context config system security cpm filter ip filter entry mat...

Страница 98: ...xpressed in decimal hexadecimal or binary DHB keywords none echo reply dest unreachable echo request time exceeded parameter problem ip option Syntax ip option ip option value ip option mask no ip opt...

Страница 99: ...multiple option true false no multiple option Context config system security cpm filter ip filter entry match Description This command configures matching packets that contain more than one option fi...

Страница 100: ...o option present false specifies matching on IP packets that do not have any option field present in the IP header an option field of 0 src ip Syntax src ip ip address mask ip address netmask no src i...

Страница 101: ...prefix length the IPv6 address on the interface Values ipv6 address x x x x x x x x eight 16 bit pieces x x x x x x d d d d x 0 to FFFF H d 0 to 255 D prefix length 1 to 128 src port Syntax src port s...

Страница 102: ...do not have the ACK bit set in the control bits of the TCP header of the IP packet tcp syn Syntax tcp syn true false no tcp syn Context config system security cpm filter ip filter entry match config...

Страница 103: ...ired in some cases because the OS exits when the first match is found and executes the actions according to the accompanying action command This requires that entries be sequenced correctly from most...

Страница 104: ...ter the show users command the Administrator can see which users are in this mode enter the enable admin command again at the root prompt and an error message will be returned A ALU 1 show users User...

Страница 105: ...xity requirements for the password are determined by the complexity command For example file copy ftp test secret 131 12 31 79 test srcfile cf3 destfile In this example the user name test and password...

Страница 106: ...id before the user must change their password The no form of the command reverts to the default value Default no aging is enforced Parameters days the maximum number of days the password is valid Valu...

Страница 107: ...ion This command configures the sequence in which password authentication authorization and accounting is attempted among RADIUS TACACS and local passwords The order should be from the most preferred...

Страница 108: ...reject is configured and the user does not exist the user will not be authenticated the user is authenticated locally then other methods if configured will be used for authorization and accounting th...

Страница 109: ...ond intervals Servers that are not configured will have 3 seconds of idle time If in this process a server is found to be unreachable or a previously unreachable server starts responding depending on...

Страница 110: ...le default Parameters user profile name the user profile name entered as a character string The string is case sensitive and limited to 32 ASCII 7 bit printable characters with no spaces default actio...

Страница 111: ...ing action command Entries should be sequenced from most explicit to least explicit An entry may not have any match criteria defined in which case everything matches but must have at least the keyword...

Страница 112: ...ommand are denied The no form of this command removes a match condition Default no match command string is specified Parameters command string the CLI command or CLI tree level that is the scope of th...

Страница 113: ...user name and then pressing at the password prompt Unless an administrator explicitly changes the password it will be null The hashed value displayed uses the user name and null password field so when...

Страница 114: ...s access for a specific application The no access command denies permission for all management access methods To deny a single access method enter the no form of the command followed by the method to...

Страница 115: ...n This command configures a user s login exec file which executes whenever the user successfully logs in to a console session Only one exec file can be configured If multiple login exec commands are e...

Страница 116: ...ry directory directory no home directory Context config system security user config system security user template Description This command configures the local home directory for the user for both con...

Страница 117: ...ample config system security user testuser1 config system security user password zx Uhcn6ReMOZ3BVrWcvk hash2 config system security user exit config system security info user testuser1 password zx Uhc...

Страница 118: ...e Description This command prevents users from navigating above their home directories for file access A user is not allowed to navigate to a directory higher in the directory tree on the home directo...

Страница 119: ...pecified keys are stored in an encrypted format in the configuration file The password must be entered in encrypted form when the hash parameter is used md5 key 1 the MD5 authentication key is stored...

Страница 120: ...inks a user to a group name The access command links the group with one or more views security model s security level s and read write and notify permissions Default no group name is associated with a...

Страница 121: ...ect mode the first server as defined by the server command is the primary server This server is always used first when authenticating a request In round robin mode the server used to authenticate a re...

Страница 122: ...Context config system security radius Description This command configures RADIUS authorization parameters for the system The no form of this command disables RADIUS authorization for the system Defaul...

Страница 123: ...o five RADIUS servers can be configured at any one time RADIUS servers are accessed in order from lowest to highest index for authentication requests until a response from a server is received A highe...

Страница 124: ...ys are stored in encrypted form in the configuration file with the hash parameter specified hash2 specifies that the key is entered in a more complex encrypted form If the hash2 parameter is not used...

Страница 125: ...nting and configures the type of accounting record packet that is to be sent to the TACACS server The record type parameter indicates whether TACACS accounting start and stop packets will be sent or j...

Страница 126: ...r from the lowest index to the highest index Values 1 to 5 ip address the IP address of the TACACS server Two TACACS servers cannot have the same IP address An error message is generated if the server...

Страница 127: ...connection timeout Syntax timeout seconds no timeout Context config system security tacplus Description This command configures the number of seconds the router waits for a response from a TACACS ser...

Страница 128: ...to the data plane of the 7705 SAR This configuration differs from the RADIUS server configured under the config system security radius context that authenticates CLI login users who get access to the...

Страница 129: ...figuration Default n a Parameters server index the index for the 802 1x server Values 1 to 5 ip address the IP address of the 802 1x server Each 802 1x server must have a unique IP address An error me...

Страница 130: ...nd reverts to the default value Default system IP address Parameters ip address the source address of the RADIUS packet in dotted decimal notation Values 0 0 0 0 to 255 255 255 255 shutdown Syntax no...

Страница 131: ...radius plcy Description This command configures the number of seconds the router waits for a response from a RADIUS server The no form of the command reverts to the default value Default 5 Parameters...

Страница 132: ...ctrl c or tilde and dot assuming the is the default escape character for the SSH session Default ssh the SSH server is enabled preserve key Syntax no preserve key Context config system security ssh D...

Страница 133: ...ost keys to authenticate systems whereas SSH2 only uses host keys SSH2 does not use the same networking implementation that SSH1 does and is considered a more secure efficient and portable version of...

Страница 134: ...attacks when a malicious user can gain access to the CLI by using a script to try admin with any conceivable password The no form of the command disables exponential backoff Default no exponential ba...

Страница 135: ...This timer can be set per session The no form of the command reverts to the default value Default 30 Parameters minutes the idle timeout in minutes Values 1 to 1440 disable when the disable option is...

Страница 136: ...ng n r will start the string at the beginning of the new line while entering n will start the second line below the last character from the first line pre login message Syntax pre login message login...

Страница 137: ...ions in the login control context The no form of the command reverts to the default value Default 5 Parameters value the maximum number of concurrent inbound Telnet sessions expressed as an integer Va...

Страница 138: ...Security Command Reference 138 7705 SAR OS System Management Guide Show Commands Security Show Commands Login Control Show Commands...

Страница 139: ...no security no security snmp rw snmpv1 none no security no security no security snmp rw snmpv2c none no security no security no security snmp rwa snmpv1 none iso iso iso snmp rwa snmpv2c none iso iso...

Страница 140: ...urity authentication Authentication sequence radius tacplus local type status timeout single retry server address secs conn count radius 10 10 10 103 up 5 n a 5 radius 10 10 0 1 up 5 n a 5 radius 10 1...

Страница 141: ...conn sent rejected errors pkts pkts 10 10 10 103 0 0 0 10 10 0 1 0 0 0 10 10 0 2 0 0 0 A ALU 7 Table 8 Show System Security Authentication Output Fields Label Description Sequence The sequence in whic...

Страница 142: ...cli readwrite public r no security v1 v2c snmp ro No of Communities 3 A ALU 48 Retry count Displays the number of times the router attempts to contact the RADIUS server for authentication if there ar...

Страница 143: ...e fields Sample Output A ALU 35 show system security cpm filter ip filter CPM IP Filters Entry Id Dropped Forwarded Description 2 0 0 CPM filter 2 3 25880 0 CPM filter 3 4 25880 0 CPM filter 4 5 25882...

Страница 144: ...Id 101 Src IP 10 4 101 2 32 Src Port 0 Dest IP 10 4 101 1 32 Dest Port 0 Protocol tcp Dscp ef ICMP Type Undefined ICMP Code Undefined Fragment True Option present Off IP Option n a Multiple Option Tr...

Страница 145: ...ICMP Type The ICMP type field in the ICMP header Fragment The 3 bit fragment flags or 13 bit fragment offset field IPv4 filters only IP Option The IP option setting IPv4 filters only TCP syn The SYN...

Страница 146: ...ter entry Values 1 to 9999 Default All filter entries Output The following output is an example of management access filter information and Table 11 describes the fields Sample Output A ALU 7 show sys...

Страница 147: ...y of the filter entries are permitted Deny Specifies that packets not matching the configured selection criteria in any of the filter entries are denied and that a ICMP host unreachable message will b...

Страница 148: ...ocal Configured complexity options Minimum password length 6 A ALU 7 Dest port The destination port Next header The next header ID to match Undefined indicates no next header is specified IPv6 filters...

Страница 149: ...stem security Action permit Time in minutes per login attempt The period of time in minutes that a specified number of unsuccessful attempts can be made before the user is locked out Lockout period wh...

Страница 150: ...Label Description User Profile The profile name used to deny or permit user console access to a hierarchical branch or to specific commands Def action Permit all Permits access to all commands Deny D...

Страница 151: ...put IPv4 ALU 7 show system security ssh SSH is enabled SSH preserve key Enabled SSH protocol version 1 Enabled RSA host key finger print c6 a9 57 cb ee ec df 33 1a cd d2 ef 3f b5 46 34 SSH protocol ve...

Страница 152: ...State The administrative state of the SSH server enabled or disabled Operational State The operational state of the SSH server up or down Preserve Key Enabled preserve key is enabled Disabled preserve...

Страница 153: ...ays Parameters user id displays information for the specified user Default all users detail displays detailed user information to the summary output Output The following output is an example of user i...

Страница 154: ...n n never 0 0 y Number of users 2 ALU 7 ALU 7 show system security user detail Users user id New User Permissions Password Login Failed Local Pwd Console ftp snmp Expires Attempts Logins Conf admin n...

Страница 155: ...P access Password expires The number of days the user has left before they must change their login password Attempted logins The number of times the user has attempted to log in irrespective of whethe...

Страница 156: ...view 1 3 6 1 2 1 4 included mgmt view 1 3 6 1 2 1 5 included mgmt view 1 3 6 1 2 1 6 included mgmt view 1 3 6 1 2 1 7 included mgmt view 1 3 6 1 2 1 31 included mgmt view 1 3 6 1 2 1 77 included mgmt...

Страница 157: ...name The name of the view Views control the accessibility of a MIB object within the configured MIB view and subtree oid tree The object identifier of the ASN 1 subtree mask The bit mask that defines...

Страница 158: ...er Type Login time Idle time From admin Console 27MAY2014 13 16 59 10d 07 35 04 A admin SSHv2 29MAY2014 17 32 47 0d 00 05 10 3301 xxxx xxxx admin Telnet 06JUN2014 14 23 35 0d 00 00 00 138 120 xxx xxx...

Страница 159: ...thentication Description This command clears authentication statistics Parameters ip int name clears the authentication statistics for the specified interface name If the string contains special chara...

Страница 160: ...ommands radius Syntax radius detail hex no radius Context debug Description This command enables debugging for RADIUS connections The no form of the command disables the debugging Parameters detail di...

Страница 161: ...ent Guide 161 SNMP In This Chapter This chapter provides information to configure SNMP Topics in this chapter include SNMP Overview Which SNMP Version to Use Configuration Notes Configuring SNMP with...

Страница 162: ...of network hosts that use SNMP An SNMP manager can obtain get a value from an SNMP agent or store set a value in the agent The manager uses definitions in the management information base MIB to perfor...

Страница 163: ...iew Access Control MIB VACM defines the user access control features The SNMP COMMUNITY MIB is used to associate SNMPv1 SNMPv2c community strings with SNMPv3 VACM access control SNMPv3 uses a user nam...

Страница 164: ...security objects read write all permission grants read and write access to all objects in the MIB including security objects User Based Security Model Community Strings User based security model USM c...

Страница 165: ...e network users to control their access privileges and views Additional access parameters must be explicitly configured if the preconfigured access groups and views for SNMPv1 and SNMPv2c do not meet...

Страница 166: ...s it passes from system to system Many SNMPv1 and SNMPv2c implementations are restricted read only access which in turn reduces the effectiveness of a network monitor in which network control applicat...

Страница 167: ...onfiguration that failed to load must be initialized properly Start SNMP with the config system snmp no shutdown command Use caution when changing the SNMP engine ID If the SNMP engine ID is changed i...

Страница 168: ...Configuration Notes 168 7705 SAR OS System Management Guide...

Страница 169: ...ement Guide 169 Configuring SNMP with CLI This section provides information about configuring SNMP with CLI Topics in this chapter include SNMP Configuration Overview Basic SNMP Security Configuration...

Страница 170: ...ope of managed objects available The community command is used to associate a community string with a specific access method and the required SNMP version SNMPv1 or SNMPv2c The access methods are read...

Страница 171: ...System Management Guide 171 Configuring SNMPv3 The 7705 SAR implements SNMPv3 If security features other than the default views are required the following parameters must be configured views access g...

Страница 172: ...uded exit view no security subtree 1 3 6 1 6 3 15 1 1 mask ff type included exit access group snmp ro security model snmpv1 security level no auth no privacy read no security notify no security access...

Страница 173: ...rsion usm community community string hash hash2 group group name view view name subtree oid value mask mask value type included excluded Configuring a Community String SNMPv1 and SNMPv2c community str...

Страница 174: ...nfiguration ALU 1 config system security snmp info community uTdc9j48PBRkxn5DcSjchk hash2 rwa version both community Lla RtAyRW2 hash2 r version v2c ALU 1 config system security snmp Configuring View...

Страница 175: ...rity model and security level Use the following CLI syntax to configure access features CLI Syntax config system security snmp access group group name security model security model security level secu...

Страница 176: ...e969 privacy none config system security user snmp group testgroup config system security user snmp exit config system security user exit The following example displays the user s SNMP configuration A...

Страница 177: ...following example displays the SNMP community configuration ALU 1 config system security snmp info view testview subtree 1 mask ff exit view testview subtree 1 3 6 1 2 mask ff type excluded exit acces...

Страница 178: ...SAR OS System Management Guide The following example displays the system SNMP default values ALU 104 config system snmp info detail shutdown engineID 0000xxxx000000000xxxxx00 packet size 1500 general...

Страница 179: ...SNMP 7705 SAR OS System Management Guide 179 SNMP Command Reference Command Hierarchies Configuration Commands SNMP System Commands SNMP Security Commands Show Commands...

Страница 180: ...name 1 write view name 2 notify view name 3 no access group group name security model security model security level security level context context name prefix match read view name 1 write view name 2...

Страница 181: ...ection for CLI syntax and command descriptions config system security no user user name no snmp authentication none hash md5 key 1 sha key 1 privacy privacy level key 2 group group name no group Show...

Страница 182: ...SNMP Command Reference 182 7705 SAR OS System Management Guide Command Descriptions Configuration Commands Show Commands...

Страница 183: ...SNMP 7705 SAR OS System Management Guide 183 Configuration Commands SNMP System Commands SNMP Security Commands...

Страница 184: ...se the engine ID of the first system and configure it in the new system to preserve SNMPv3 security keys This allows management stations to use their existing authentication keys for the new system En...

Страница 185: ...config system snmp Description This command configures the maximum SNMP packet size generated by this node If the packet size exceeds the MTU size of the egress interface the packet will be fragmented...

Страница 186: ...s automatically invoked in the event of a reboot when the processing of the configuration file fails to complete or when an SNMP persistent index file fails while the bof persist on command is enabled...

Страница 187: ...and security level Access must be configured unless security is limited to SNMPv1 SNMPv2c with community strings see community Default access group configurations cannot be modified or deleted To rem...

Страница 188: ...view name 1 specifies the keyword and variable of the view to read the MIB objects This command must be configured for each view to which the group has read access Values up to 32 characters write vi...

Страница 189: ...h hash2 Context config system security snmp Description This command creates SNMP community strings for SNMPv1 and SNMPv2c access This command is used in combination with the predefined access groups...

Страница 190: ...urity levels and USM communities must be explicitly configured Optionally additional views that specify more specific OIDs MIB objects in the subtree can be configured The no form of this command remo...

Страница 191: ...and exclude statements configures the access available in the view It is possible to have a view with different subtrees with their own masks and include and exclude statements This allows you to cust...

Страница 192: ...ntry whose value of vacmViewTreeFamilySubtree has the most sub identifiers The no form of this command removes the mask from the configuration Default no mask Parameters mask value the mask value asso...

Страница 193: ...s SNMP counters in packets 463 in gets 93 in getnexts 0 in sets 370 out packets 463 out get responses 463 out traps 0 variables requested 33 variables set 497 A ALU 1 Table 19 Show SNMP Counters Outpu...

Страница 194: ...NMP Max Message Size 1500 SNMP Admin State Enabled SNMP Oper State Enabled SNMP Index Boot Status Not Persistent SNMP Sync State OK Tel Tel6 SSH FTP Admin Enabled Disabled Enabled Disabled Tel Tel6 SS...

Страница 195: ...Rev 5 Cfg OK Script N A Cfg OK Script Status not used Cfg Fail Script N A Cfg Fail Script Status not used Microwave S W Package invalid Management IP Addr 192 168 xxx xxx 20 Primary DNS Server 192 16...

Страница 196: ...he administrative state of the Telnet Telnet IPv6 SSH and FTP sessions Tel Tel6 SSH FTP Oper The operational state of the Telnet Telnet IPv6 SSH and FTP sessions BOF Source The boot location of the BO...

Страница 197: ...Rev The maximum number of backup revisions maintained for a configuration file This value also applies to the number of revisions maintained for the BOF file Cfg OK Script URL the location and name o...

Страница 198: ...IP address of the tertiary DNS server DNS Domain The DNS domain name of the node DNS Resolve Preference n a BOF Static Routes To the static route destination Next Hop the next hop IP address used to...

Страница 199: ...s 8 A ALU 1 A ALU 1 show system security access group snmp ro Access Groups group name security security read write notify model level view view view snmp ro snmpv1 none no security no security No of...

Страница 200: ...cli readwrite No of Communities 3 A ALU 1 Table 22 Show Communities Output Fields Label Description Community The community string name for SNMPv1 and SNMPv2c access only Access r The community strin...

Страница 201: ...never 2 0 y testuser n n n y never 0 0 y Number of users 2 A ALU 1 Table 23 Show User Output Fields Label Description User ID The name of a system user Need New PWD Yes the user must change their pass...

Страница 202: ...The following output is an example of system security view information and Table 24 describes the fields Sample Output A ALU 1 show system security view Views view name oid tree mask permission iso 1...

Страница 203: ...ed in group name snmp ro snmp rw A ALU 1 A ATMIMA1 config show system security view capabilities Views view name oid tree mask permission iso 1 included iso 1 0 8802 no support iso 1 3 6 1 3 37 no sup...

Страница 204: ...lue OIDs uniquely identify MIB objects in the subtree Mask The mask value and the mask type along with the oid value configured in the view command determines the access of each sub identifier of an o...

Страница 205: ...This Chapter This chapter provides information about configuring event and accounting logs on the 7705 SAR Topics in this chapter include Logging Overview Log Destinations Event Logs Accounting Logs C...

Страница 206: ...are generated by the USER application and pertain to the configuration and operation of the node Debug events debug events are generated by the DEBUG application and pertain to trace or other debuggi...

Страница 207: ...service class basis In addition to gathering information critical for service billing accounting records can be analyzed to provide insight about customer service trends for potential service revenue...

Страница 208: ...y type of log destination that can be configured for an accounting log Console Sending events to a console destination means the message will be sent to the system console The console device can be us...

Страница 209: ...this rule is subject to the incoming rate of the data being logged For example if the rate is very low the actual rollover time may be longer than the configured value The retention time for a log fil...

Страница 210: ...ng log file is created in act collect SNMP Trap Group An event log can be configured to send events to SNMP trap receivers by specifying an SNMP trap group destination An SNMP trap group can have mult...

Страница 211: ...the 7705 SAR uses six internal severity levels the severity levels are mapped to syslog severities Table 26 displays the severity level mappings to syslog severities Table 26 7705 SAR to Syslog Severi...

Страница 212: ...Log Event logs are the means of recording system generated events for later analysis Events are messages generated by the system by applications or processes within the 7705 SAR Figure 3 depicts a fun...

Страница 213: ...l events that directly affect the configuration or operation of the node Change events are generated by the USER application Debug The debug event source is the debugging configuration that has been e...

Страница 214: ...y as the generation and suppression options See Simple Logger Event Throttling Events are assigned a default severity level in the system but the application event severities can be changed by the use...

Страница 215: ...I gen 0 0 LDP 2001 vRtrLdpStateChange MI gen 0 0 2002 vRtrLdpInstanceStateChange MI gen 0 0 2003 vRtrLdpIfStateChange MI gen 0 0 LOGGER L 2001 STARTED MI gen 5 0 2002 tmnxLogTraceError CR gen 0 0 2005...

Страница 216: ...og can only have a single destination The destination for the log ID destination can be one of console session syslog snmp trap group memory or a file on the local file system an optional event filter...

Страница 217: ...al to not equal to less than less than or equal to greater than or greater than or equal to an event number within the application equal to not equal to less than less than or equal to greater than or...

Страница 218: ...ted the event a subject identifying the affected object a short text description The general format for an event in an event log with either a memory console or file destination is as follows nnnn YYY...

Страница 219: ...ethod is applied the logger application has no information about the managed object that generated the event and cannot distinguish between events generated by object A from events generated by object...

Страница 220: ...o off for each specific event type It must be explicitly enabled for each event type where throttling is desired This makes backwards compatibility of configuration files easier to manage Default Syst...

Страница 221: ...sub record types and default collection period for service and network accounting policies When creating accounting policies one service accounting policy can be defined as the default If statistics...

Страница 222: ...d sap SapId qid QueueId hoo OfferedHiPrioOctets hod DroppedHiPrioOctets loo LowOctetsOffered lod LowOctetsDropped uco UncoloredOctetsOffered iof InProfileOctetsForwarded oof OutOfProfileOctetsForwarde...

Страница 223: ...ktsDropped ucp UncoloredPacketsOffered ipf InProfilePktsForwarded opf OutOfProfilePktsForwarded Service egress packets sep svc SvcId sap SapId qid QueueId ipf InProfilePktsForwarded ipd InProfilePktsD...

Страница 224: ...13800 xml gz Accounting files always have the prefix act followed by the accounting policy ID log ID and timestamp The accounting log file naming and log file destination properties such as rollover a...

Страница 225: ...intervals on the log files and the frequency of file retrieval must also be considered when designing accounting policy deployments The amount of data stored depends on the type of record collected th...

Страница 226: ...gured before they can be applied to a log ID A file ID can only be assigned to either one log ID or one accounting policy Accounting policies must be configured in the config log context before they c...

Страница 227: ...7 Configuring Logging with CLI This section provides information to configure logging using the command line interface Topics in this section include Log Configuration Overview Log Type Basic Event Lo...

Страница 228: ...r with logging information for monitoring and troubleshooting You can configure logging parameters to save information in a log file or direct the messages to other devices Logging commands allow you...

Страница 229: ...ormation can be sent to a syslog host that is capable of receiving selected syslog messages from a network element Event control configures a particular event or all events associated with an applicat...

Страница 230: ...cy ID a log source a log destination The following displays a log configuration example ALU 12 config log info echo Log Configuration file id 1 description This is a test file id location cf3 exit fil...

Страница 231: ...ring an Event Log An event log file contains information used to direct events alarms traps and debug information to their respective destinations One or more event sources can be specified File IDs S...

Страница 232: ...s a test log file filter 1 from main security to file 1 exit ALU 12 config log log id Configuring a File ID To create a log file a file ID is defined that specifies the target compact flash drive and...

Страница 233: ...n system memory on the compact flash drive in a compressed tar XML format and can be retrieved using FTP or SCP See Configuring an Event Log and Configuring a File ID Accounting policies must be confi...

Страница 234: ...config log acct policy record service ingress packets config log acct policy default config log acct policy to file 1 config log acct policy exit config log accounting policy 5 config log acct policy...

Страница 235: ...press throttle rate events interval seconds The following displays an example of an event control configuration command syntax Example config log config log event control atm 2014 generate critical co...

Страница 236: ...fault action drop forward description description string entry entry id action drop forward description description string match application eq neq application id number eq neq lt lte gt gte event id...

Страница 237: ...id 2 shutdown description This is a test log file filter 1 from main security to file 1 exit ALU 12 config log Configuring an SNMP Trap Group The associated log id does not have to be configured befo...

Страница 238: ...tion ALU 12 config log info snmp trap group 2 trap target target name address 10 10 10 104 5 snmpv3 notify community communitystring exit log id 2 description This is a test log file filter 1 from mai...

Страница 239: ...og config log syslog 1 config log syslog description This is a syslog file config log syslog address 10 10 10 104 config log syslog facility user config log syslog level warning The following displays...

Страница 240: ...ing an SNMP Trap Group Deleting an SNMP Trap Group Modifying a Log Filter Deleting a Log Filter Modifying Event Control Parameters Returning to the Default Event Control Configuration Modifying a Log...

Страница 241: ...ALU 12 config log log id The following displays an example of modifying log file parameters Example config log config log log id 2 config log log id description Chassis log file config log log id fil...

Страница 242: ...description LocationTest location cf3 rollover 600 retention 24 exit log id 2 description Chassis log file filter 2 from security to file 1 exit ALU 12 config log Use the following CLI syntax to dele...

Страница 243: ...ters Example config log config log file id 1 config log file id description LocationTest config log file id location cf3 config log file id rollover 2880 retention 500 config log file id exit The foll...

Страница 244: ...CLI Syntax config log syslog syslog id address ip address description description string facility syslog facility level emergency alert critical error warning notice info debug log prefix log prefix s...

Страница 245: ...fig log no syslog syslog id The following displays an example of deleting a syslog ID Example config log config log no syslog 1 Modifying an SNMP Trap Group Use the following CLI syntax to modify an S...

Страница 246: ...ple config log config log snmp trap group 10 config log snmp trap group no trap target 10 10 10 104 5 config log snmp trap group snmp trap group trap target 10 10 0 91 1 snmpv2c notify community com1...

Страница 247: ...roup 10 config log snmp trap group no trap target 10 10 0 91 1 config log snmp trap group exit config log no snmp trap group 10 Modifying a Log Filter Use the following CLI syntax to modify a log filt...

Страница 248: ...ions Example config log config log filter 1 config log filter description This allows n config log filter default action forward config log filter entry 1 config log filter entry action drop config lo...

Страница 249: ...rameters CLI Syntax config log event control application id event name event number generate severity level throttle event control application id event name event number suppress The following display...

Страница 250: ...onfig log no event control filter 2001 config log no event control mpls 2001 ALU 12 config log info detail echo Log Configuration event control atm 2004 generate minor event control atm 2005 generate...

Страница 251: ...de 251 Log Command Reference Command Hierarchies Configuration Commands Accounting Policy Commands Event Control Commands Log File Commands Log Filter Commands Syslog Commands Logging Destination Comm...

Страница 252: ...d no shutdown to file file log file id Event Control Commands config log event control application id event name event number generate severity level throttle event control application id event name e...

Страница 253: ...n no match application eq neq application id no application number eq neq lt lte gt gte event id no number router eq neq router instance regexp no router severity eq neq lt lte gt gte severity level n...

Страница 254: ...id description description string no description trap target name address ip address port port snmpv1 snmpv2c snmpv3 notify community communityName snmpv3SecurityName security level no auth no privacy...

Страница 255: ...Event and Accounting Logs 7705 SAR OS System Management Guide 255 Clear Commands clear log log id...

Страница 256: ...Log Command Reference 256 7705 SAR OS System Management Guide Command Descriptions Configuration Commands Show Commands Clear Commands...

Страница 257: ...AR OS System Management Guide 257 Configuration Commands Generic Commands Accounting Policy Commands Event Control Commands Log File Commands Log Filter Commands Syslog Commands Logging Destination Co...

Страница 258: ...ration Default No text description is associated with this configuration Parameters string The description can contain a string of up to 80 characters composed of printable 7 bit ASCII characters If t...

Страница 259: ...the entity This leads to the loss of event data policy id when an accounting policy is shut down no accounting data is written to the destination log ID Counters in the billing data reflect totals no...

Страница 260: ...annot be removed unless it is removed from all the SAPs or channels where the policy is applied Default No default accounting policy is defined Parameters policy id the policy ID that uniquely identif...

Страница 261: ...nting policy can only contain one record name To obtain a list of all record types that can be configured use the show log accounting records command ALU 12 config log show log accounting records Acco...

Страница 262: ...ccounting policy The characteristics of the file ID such as rollover and retention intervals must have already been defined in the config log file id context A file ID can only be used once The file i...

Страница 263: ...ontrol chassis extAlarmInput1Detected specify whether the event is generated or suppressed config log event control chassis extAlarmInput1Detected generate change the severity level for this event the...

Страница 264: ...ay a list of all event short names use the show log event control command Values a valid event name or event number Default n a generate specifies that logger event is created when this event occurs T...

Страница 265: ...umber of log events that can be logged within the specified interval for a specific event Once the limit has been reached any additional events of that type will be dropped and the event drop count wi...

Страница 266: ...ces A file ID and associated file definition must exist for each log and billing file that must be stored in the file system A file is created when the file ID defined by this command is selected as t...

Страница 267: ...f the location fails for example the compact flash card fills up during the write process a trap is sent The no form of the command removes the file ID from the configuration A file ID can only be rem...

Страница 268: ...h file is deleted the system attempts to create the new file A medium severity trap is issued to indicate that the compact flash is either not available or that no space is available on the specified...

Страница 269: ...fault time to keep the file in the system The retention time is based on the rollover time of the file The retention time is used as a factor to determine which files should be deleted first as the fi...

Страница 270: ...command removes the filter association from log IDs which causes those logs to forward all events Default No event filters are defined Parameters filter id uniquely identifies the filter Values 1 to...

Страница 271: ...omplete and rendered inactive The no form of the command removes the specified entry from the event filter Entries removed from the event filter are immediately removed from all log IDs where the filt...

Страница 272: ...and to display a list of the valid applications Match context can consist of multiple match parameters application event number severity subject but multiple match statements cannot be entered per ent...

Страница 273: ...a TiMOS application event number as a match criterion TiMOS event numbers uniquely identify a specific logging event within an application Only one number command can be entered per event filter entry...

Страница 274: ...e value of router command parameters When the regexp keyword is specified the string in the router command is a regular expression string that will be matched against the router string in the log even...

Страница 275: ...neq subject regexp no subject Context config log filter entry match Description This command adds an event subject as a match criterion The subject is the entity for which the event is reported such...

Страница 276: ...sted in Table 37 subject a string used as the subject match criterion regexp specifies the type of string comparison to use to determine if the log event matches the value of subject command parameter...

Страница 277: ...og id node Default No syslog IDs are defined Parameters syslog id the syslog ID number for the syslog destination expressed as a decimal integer Values 1 to 10 address Syntax address ip address no add...

Страница 278: ...erwrites the previous facility code If multiple facilities need to be generated for a single syslog target host then multiple log id entries must be created each with its own filter criteria to select...

Страница 279: ...r higher than the threshold are sent to the syslog target host Only a single threshold level can be specified If multiple level commands are entered the last command will overwrite the previous comman...

Страница 280: ...colon and a space to the string and it is inserted in the syslog message after the date stamp and before the syslog message content Only one string can be entered If multiple strings are entered the...

Страница 281: ...he UDP port that will be used to send syslog messages to the syslog target host The port configuration is needed if the syslog target host uses a port other than the standard UDP syslog port 514 Only...

Страница 282: ...cified for a log id The destination of an event stream can be an in memory buffer console session snmp trap group syslog or file Use the event control command to suppress the generation of events alar...

Страница 283: ...o form of the command removes the specified event filter from the log id Default no filter Parameters filter id the event filter policy ID is used to associate the filter with the log id configuration...

Страница 284: ...ed in the to command for this destination log id The change event stream contains all events that directly affect the configuration or operation of this node To limit the events forwarded to the chang...

Страница 285: ...id The characteristics of the log file id referenced here must have already been defined in the config log file id log file id context Values 1 to 99 to memory Syntax to memory size Context config log...

Страница 286: ...g or memory log needs to be modified the log ID must be removed then recreated Default No destination is specified to snmp Syntax to snmp size Context config log log id Description This command is one...

Страница 287: ...If the log destination needs to be changed or if the maximum size of an SNMP log or memory log needs to be modified the log ID must be removed then recreated Default No destination is specified Param...

Страница 288: ...ted to one or more SNMP trap groups Logger events that can be forwarded as SNMP traps are always defined on the main event source The no form of the command deletes the SNMP trap group Default There a...

Страница 289: ...rap target up to 28 characters in length ip address the IP address of the trap receiver Only one IP address destination can be specified per trap destination group Values ipv4 address a b c d host bit...

Страница 290: ...tify community communityName snmpv3SecurityName specifies the community string for snmpv1 or snmpv2c or the snmpv3 security name If no notify community parameter is configured then no alarms or traps...

Страница 291: ...bes the fields Sample Output A ALU 1 show log accounting policy Accounting Policies Policy Type Def Admin Oper Intvl File Record Name Id State State Id 1 access No Up Up 15 1 service ingress packets 2...

Страница 292: ...gned Def Yes indicates that the policy is a default access policy No indicates that the policy is not a default access policy Admin State Displays the administrative state of the policy Up indicates t...

Страница 293: ...ts 5 2 service egress octets 5 3 service ingress packets 5 4 service egress packets 5 A ALU 1 applications Syntax applications Context show log Description This command displays a list of all applicat...

Страница 294: ...tput A ALU 1 show log applications Log Event Application Names Application Name APS ATM BGP CHASSIS CPMHWFILTER DEBUG DHCP EFM_OAM ETH CFM FILTER IP ISIS LDP LOGGER MPLS NTP OAM OSPF PORT PPP PTP RIP...

Страница 295: ...vent only Default all events for the application event number displays event control for the specified application event number only Default all events for the application Output The following output...

Страница 296: ...t1Detected CR gen 0 0 2058 extAlarmInput2Detected MA gen 0 0 2059 extAlarmInput3Detected MA gen 0 0 2060 extAlarmInput4Detected MI gen 0 0 2061 extAlarmCleared MA gen 0 0 2062 syncIfTimingExternAlarm...

Страница 297: ...e event ID number within the application L ID an L in front of an ID represents event types that do not generate an associated SNMP notification Most events do generate a notification only the excepti...

Страница 298: ...e 43 describes the fields Sample Output A ALU 1 show log file id File Id List file id rollover retention admin backup oper location location location 1 60 4 cf3 none none 2 60 3 cf3 none none 3 1440 1...

Страница 299: ...t Table 45 Table 43 Log File Summary Output Fields Label Description file id The log file ID rollover The rollover time for the log file which is the amount of time before the file is partitioned into...

Страница 300: ...Operator off Event Number 0 Operator off Severity major Operator greaterThanOrEqual Subject Operator off Match Type exact string Router Operator off Match Type exact string Description Collect only ev...

Страница 301: ...ter entry application match criterion Event Number The event log filter event ID match criterion Severity cleared the event log filter severity match is cleared indeterminate the event log filter entr...

Страница 302: ...tus enabled Dest Type memory Security Logged 3 Dropped 0 Change Logged 3896 Dropped 0 Debug Logged 0 Dropped 0 A ALU 1 Operator There is an operator field for each match criteria application event num...

Страница 303: ...ource event stream to limit the events output to this log s destination If the value is 0 then all events in the source log are forwarded to the destination Status Enabled logging is enabled Disabled...

Страница 304: ...ers log id displays the contents of the specified log file or memory log ID The log ID must have a destination of an SNMP or log file or a memory log for this parameter to be used Values 1 to 99 Defau...

Страница 305: ...ldest in descending sequence number order on the screen When using the ascending parameter the log will be shown from the oldest to the newest entry Default Descending Output The following output is a...

Страница 306: ...t connected then all entries are dropped Syslog all selected log events are sent to the syslog address SNMP traps events defined as SNMP traps are sent to the configured SNMP trap destinations and are...

Страница 307: ...RP information overwritten for 138 120 52 253 by 00 e0 52 d4 a5 00 3718 2008 02 01 11 54 15 40 UTC MINOR IP 2004 management PIP MANAGEMENT ARP information overwritten for 138 120 52 253 by 00 e0 5e 00...

Страница 308: ...syslog Syslog Target Hosts Id Ip Address Port Sev Level Below Level Drop Facility Pfx Level 2 unknown 514 info 0 local7 yes 3 unknown 514 info 0 mail yes A ALU 48 config log Table 48 SNMP Trap Group...

Страница 309: ...syslog messages Facility The facility code for messages sent to the syslog target host Severity Level The syslog message severity level threshold Below Level Dropped A count of messages not sent to t...

Страница 310: ...y log or log file Memory logs are reinitialized and cleared of contents Log files are manually rolled over by this command This command is only applicable to event logs that are directed to file desti...

Страница 311: ...r 7705 SAR 7705 Service Aggregation Router 7710 SR 7710 Service Router 7750 SR 7750 Service Router 9500 MPR 9500 microwave packet radio ABR area border router available bit rate AC alternating current...

Страница 312: ...em number ATM asynchronous transfer mode ATM PVC ATM permanent virtual circuit B3ZS bipolar with three zero substitution Batt A battery A B bit beginning bit first packet of a fragment Bc committed bu...

Страница 313: ...lid unicast address but the destination port interface is not yet known therefore traffic needs to be forwarded to all destinations unknown traffic is treated as broadcast BOF boot options file BPDU b...

Страница 314: ...Processing Module CPM is used instead of CSM when referring to CSM filtering to align with CLI syntax used with other SR products CSM management ports are referred to as CPM management ports in the C...

Страница 315: ...n DHB decimal hexadecimal or binary DHCP dynamic host configuration protocol DHCPv6 dynamic host configuration protocol for IPv6 DIS designated intermediate system DLCI data link connection identifier...

Страница 316: ...DUS do not use for synchronization DV delay variation e911 enhanced 911 service EAP Extensible Authentication Protocol EAPOL EAP over LAN E bit ending bit last packet of a fragment E BSR elected BSR E...

Страница 317: ...to end ETH CFM Ethernet connectivity fault management IEEE 802 1ag EVDO evolution data optimized EVPL Ethernet virtual private link EXP bits experimental bits currently known as TC FC forwarding class...

Страница 318: ...gn exchange subscriber GFP generic framing procedure GigE Gigabit Ethernet GNSS global navigation satellite system GPON Gigabit Passive Optical Network GPS Global Positioning System GRE generic routin...

Страница 319: ...v6 Internet control message protocol for IPv6 ICP IMA control protocol cells IDS intrusion detection system IEEE Institute of Electrical and Electronics Engineers IEEE 1588v2 Institute of Electrical a...

Страница 320: ...termediate System IS IS TE IS IS traffic engineering extensions ISO International Organization for Standardization IW interworking JP join prune LB loopback lbf in pound force inch LBM loopback messag...

Страница 321: ...st LSU link state update LT linktrace LTE long term evolution line termination equipment LTM linktrace message LTN LSP ID to NHLFE LTR link trace reply MA maintenance association MAC media access cont...

Страница 322: ...aintenance entity group MEG ID maintenance entity group identifier MEN Metro Ethernet network MEP maintenance association end point MFC multi field classification MHF MIP half function MIB management...

Страница 323: ...d unit MRU maximum receive unit MSDU MAC Service Data Unit MSO multi system operator MS PW multi segment pseudowire MTIE maximum time interval error MTSO mobile trunk switching office MTU maximum tran...

Страница 324: ...ervice processing NSSA not so stubby area NTP network time protocol NTR network timing reference OADM optical add drop multiplexer OAM operations administration and maintenance OAMPDU OAM protocol dat...

Страница 325: ...te branch exchange PCP priority code point PCR proprietary clock recovery PDU protocol data units PDV packet delay variation PDVT packet delay variation tolerance PE provider edge router PEAPv0 protec...

Страница 326: ...ipment PSK pre shared key PSN packet switched network PSNP partial sequence number PDU PTM packet transfer mode PTP performance transparency protocol precision time protocol PVC permanent virtual circ...

Страница 327: ...RTM RPS radio protection switching RRO record route object RS 232 Recommended Standard 232 also known as EIA TIA 232 RSA Rivest Shamir and Adleman authors of the RSA encryption algorithm RSHG residen...

Страница 328: ...ts SAR F 7705 Service Aggregation Router fixed form factor chassis SAR H 7705 Service Aggregation Router temperature and EMC hardened to the following specifications IEEE 1613 and IEC 61850 3 SAR Hc 7...

Страница 329: ...t is used to drop and add four specific wavelengths from the network it has two models One model is used to add and drop the following wavelengths 1471 1491 1511 1531 nm One model is used to add and d...

Страница 330: ...larm input connector a unit that is equipped with an AC power input connector five Gigabit Ethernet data ports three SFP ports one RJ 45 Ethernet port and one RJ 45 PoE port a GPS receiver and an RJ 4...

Страница 331: ...SLARP serial line address resolution protocol SLID subscriber location identifier of a GPON module SLM synthetic loss measurement SNMP Simple Network Management Protocol SNPA subnetwork point of attac...

Страница 332: ...System Plus TC traffic class formerly known as EXP bits TCP transmission control protocol TDEV time deviation TDM time division multiplexing TE traffic engineering TEID tunnel endpoint identifier TFTP...

Страница 333: ...Telecommunications System 3G UNI user to network interface uRPF unicast reverse path forwarding V 11 ITU T V series Recommendation 11 V 24 ITU T V series Recommendation 24 V 35 ITU T V series Recommen...

Страница 334: ...uting and forwarding table VRRP virtual router redundancy protocol VSE vendor specific extension VSO vendor specific option VT virtual trunk WCDMA wideband code division multiple access transmission p...

Страница 335: ...mental and safety standards telecom standards and supported protocols EMC Industrial Standards Compliance EMC Regulatory and Customer Standards Compliance Environmental Standards Compliance Safety Sta...

Страница 336: ...Std C37 90 2 Withstand Capability of Relay Systems to Radiated Electromagnetic Interference from Transceivers IEEE Std C37 90 3 IEEE Standard Electrostatic Discharge Tests for Protective Relays EN 501...

Страница 337: ...ed disturbances IEC 61000 4 8 Power frequency magnetic field immunity test IEC 61000 4 9 Pulse Magnetic field immunity test IEC 61000 4 10 Damped Oscillatory Magnetic Field IEC 61000 4 11 Voltage dips...

Страница 338: ...al Safety Generic Criteria for Network Telecommunications Equipment AS NZS CISPR 22 Information technology equipment Radio disturbance characteristics Limits and methods of measurement 2 2 2 2 2 2 2 2...

Страница 339: ...heat IEC 60068 2 30 Environmental testing Part 2 Tests Test Db and guidance Damp heat cyclic 12 12 hour cycle IEC 60255 21 2 Electrical relays Part 21 Vibration shock bump and seismic tests on measur...

Страница 340: ...509 5 EN 60721 3 3 Class 3C4 EN 60068 2 11 Salt Mist EN 50155 Class ST4 Conformal Coating 5 Table 53 Environmental Standards Compliance Continued Standard Title Platform SAR F SAR A SAR M SAR M fan le...

Страница 341: ...uipment Non Environmental Consideration IEC EN 60950 22 Information technology equipment Safety Equipment installed outdoors IEC 60529 Degrees of Protection Provided by Enclosures IP Code 1 2 1 2 1 1...

Страница 342: ...rective 2011 65 EU RoHS2 Restriction of the use of certain Hazardous Substances in Electrical and Electronic Equipment RoHS2 NEBS Level 3 Compliant Telcordia CE Mark CRoHS Logo Ministry of Information...

Страница 343: ...ervice Layer OAM IEEE 802 1p q VLAN Tagging IEEE 802 3 10BaseT IEEE 802 3ab Ethernet Physical Layer Parameters and Specifications for 1000 Mb s Operation Over 4 Pair of Category 5 Balanced Copper Cabl...

Страница 344: ...p band circuits ITU T X 21 RS 422 Interface between Data Terminal Equipment and Data Circuit Terminating Equipment for Synchronous Operation on Public Data Networks ITU T Y 1731 OAM functions and mech...

Страница 345: ...4271 BGP 4 previously RFC 1771 RFC 4360 BGP Extended Communities Attribute RFC 4364 BGP MPLS IP Virtual Private Networks VPNs previously RFC 2574bis BGP MPLS VPNs RFC 4456 BGP Route Reflection Altern...

Страница 346: ...AG Version 7 0 and report of Self Test Result ATU T Register 3 ITU T G 992 3 G dmt bis Annex A B J M ITU T G 992 5 Annex A B J M ITU T G 992 1 ADSL ITU T G 992 3 Annex K 2 ADSL2 ITU T G 992 5 Annex K...

Страница 347: ...works RFC 3587 IPv6 Global Unicast Address Format RFC 3595 Textual Conventions for IPv6 Flow Label RFC 4007 IPv6 Scoped Address Architecture RFC 4193 Unique Local IPv6 Unicast Addresses RFC 4291 IPv6...

Страница 348: ...MPLS Label Distribution Protocol LDP RFC 4379 Detecting Multi Protocol Label Switched MPLS Data Plane Failures NETWORK MANAGEMENT ITU T X 721 Information technology OSI Structure of Management Informa...

Страница 349: ...Model USM for version 3 of the Simple Network Management Protocol SNMPv3 RFC 3418 SNMP MIB draft ietf disman alarm mib 04 txt draft ietf mpls ldp mib 07 txt draft ietf ospf mib update 04 txt draft iet...

Страница 350: ...t of PPP High Level Data Link Control HDLC over MPLS Networks RFC 4619 Encapsulation Methods for Transport of Frame Relay over Multiprotocol Label Switching MPLS Networks RFC 4816 Pseudowire Emulation...

Страница 351: ...Protocol draft ietf secsh connection txt SSH Connection Protocol draft ietf secsh newmodes txt SSH Transport Layer Encryption Modes SYNCHRONIZATION G 781 Synchronization layer functions 2001 09 17 G 8...

Страница 352: ...efinitions of Managed Objects for the Virtual Router Redundancy Protocol RFC 3768 Virtual Router Redundancy Protocol RFC 5798 Virtual Router Redundancy Protocol Version 3 for IPv4 and IPv6 Proprietary...

Страница 353: ...Standards and Protocol Support 7705 SAR OS System Management Guide 353 TIMETRA SERV MIB mib TIMETRA SYSTEM MIB mib TIMETRA TC MIB mib TIMETRA VRRP MIB mib...

Страница 354: ...Standards and Protocol Support 354 7705 SAR OS System Management Guide...

Страница 355: ...documentation and product support Customer documentation http documentation alcatel lucent com Technical support http support alcatel lucent com Documentation feedback documentation feedback alcatel l...

Страница 356: ...2015 Alcatel Lucent All rights reserved 3HE 09688 AAAA TQZZA Edition 01...

Отзывы:

Нет отзывов

Похожие инструкции для 7705 SAR

Бренд: National Instruments Страницы: 162

Sure Cross DX70

Бренд: Banner Страницы: 35

Бренд: TRENDnet Страницы: 2

Proventia A1204

Бренд: Internet Security Systems Страницы: 42

Бренд: Far Tools Страницы: 24

Бренд: Infoblox Страницы: 13

Бренд: Belkin Страницы: 2

Бренд: Global Sun Страницы: 39

Бренд: Tripp Lite Страницы: 34

Бренд: AMX Страницы: 1

Бренд: Aaeon Страницы: 57

Бренд: Juniper Страницы: 196

802.11a/b/g SDIO WiFi Module SDM3100

Бренд: Abocom Страницы: 14

Secure Site Manager 16

Бренд: Black Box Страницы: 16

Бренд: RadioSPECTRAL Страницы: 2

FiberTwist XGS2410

Бренд: Genexis Страницы: 7

SteelCentral NetExpress 470

Бренд: Riverbed Страницы: 140

Бренд: M-Audio Страницы: 67

Бренды по названию

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Популярные бренды

Загрузить еще бренды