manualshive.com logo in svg

Alcatel-Lucent 7950 SR, Руководство по управлению системой

Поделиться
Скачать
Alcatel-Lucent 7950 SR Скачать руководство пользователя страница 49

Security

7950 SR OS System Management Guide

Page 49

Exponential Login Backoff

A malicious user may attempt to gain CLI access by means of a dictionary attack using a 
script to automatically attempt to login as an “admin” user and using a dictionary list to test all 
possible passwords.Using the exponential-backoff feature in the 

config>system>login-

control

 context the OS increases the delay between login attempts exponentially to mitigate 

attacks. 

A malicious user may attempt to gain CLI access by means of a dictionary attack using a 
script to automatically attempt to login as an “admin” user and using a dictionary list to test all 
possible passwords.Using the exponential-backoff feature in the config>system>login-control 
context the OS increases the delay between login attempts exponentially to mitigate attacks.

When a user tries to login to a router using a Telnet or an SSH session, there are a limited 
number of attempts allowed to enter the correct password. The interval between the 
unsuccessful attempts change after each try (1, 2 and 4 seconds). If the system is configured 
for user lockout, then the user will be locked out when the number of attempts is exceeded.

However, if lockout is not configured, there are three password entry attempts allowed after 
the first failure, at fixed 1, 2 and 4 second intervals, in the first session, and then the session 
terminates. Users do not have an unlimited number of login attempts per session. After each 
failed password attempt, the wait period becomes longer until the maximum number of 
attempts is reached.

The OS terminates after four unsuccessful tries. A wait period will never be longer than 4 
seconds. The periods are fixed and will restart in subsequent sessions.

Note that the 

config>system>login-control>

[

no

]

 exponential-backoff 

command works in 

conjunction with 

the config>system>security>password>attempts

 command which is also 

a system wide configuration. 

For example:

*A:ALA-48>config>system# security password attempts

  - attempts <count> [time <minutes1>] [lockout <minutes2>]

  - no attempts

 <count>              : [1..64]

 <minutes1>           : [0..60]

 <minutes2>           : [0..1440]

Exponential backoff applies to any user and by any login method such as console, SSH and 
Telnet.

Refer to 

Configuring Login Controls on page 87

. The commands are described in 

Login, 

Telnet, SSH and FTP Commands on page 115

Содержание 7950 SR

Страница 1: ...7950 SR OS System Management Guide Software Version 7950 SR OS 11 0 R5 September 2013 Document Part Number 93 0401 02 04 93 0401 02 04...

Страница 2: ...ritten permission from Alcatel Lucent Alcatel Lucent Alcatel Lucent and the Alcatel Lucent logo are trademarks of Alcatel Lucent All other trademarks are the property of their respective owners The in...

Страница 3: ...Protection 32 CPU Protection Extensions ETH CFM 35 Distributed CPU Protection DCP 37 Applicability of Distributed CPU Protection 39 Log Events Statistics Status and SNMP support 40 DCP Policer Resour...

Страница 4: ...DIUS Accounting 80 Configuring 802 1x RADIUS Policies 81 Configuring CPU Protection Policies 82 TACACS Configurations 83 Enabling TACACS Authentication 83 Configuring TACACS Authorization 84 Configuri...

Страница 5: ...r and Event Logs 308 Event Filter Policies 309 Event Log Entries 310 Simple Logger Event Throttling 312 Default System Log 313 Accounting Logs 314 Accounting Records 314 Accounting Files 317 Design Co...

Страница 6: ...Modifying a File ID 347 Deleting a File ID 348 Modifying a Syslog ID 349 Deleting a Syslog 350 Modifying an SNMP Trap Group 351 Deleting an SNMP Trap Group 352 Modifying a Log Filter 353 Deleting a Lo...

Страница 7: ...Queuing Output Fields 229 Table 18 Show User Profile Output Fields 230 Table 19 Show Source Address Output Fields 231 Table 20 Show View Output Fields 235 Table 21 Show Users Output Fields 238 SNMP Ta...

Страница 8: ...ields 429 Table 42 Show Log Collector Output Fields 431 Table 43 SNMP Trap Group Output Fields 436 Table 44 Show Log Syslog Output Fields 437 Facility Alarms Table 45 Alarm Alarm Name Raising Event Sa...

Страница 9: ...e Marking 33 Figure 4 Per SAP per Protocol Static Rate Limiting with DCP 38 Figure 5 Per Network Interface per Protocol Static Rate Limiting with DCP 38 SNMP Figure 6 SNMPv1 and SNMPv2c Configuration...

Страница 10: ...Page 10 7950 SR OS System Management Guide List of Figures...

Страница 11: ...nd SSH servers and the router clock This document is organized into functional chapters and provides concepts and descriptions of the implementation flow as well as Command Line Interface CLI syntax a...

Страница 12: ...erfaces and associated attributes such as an IP address as well as IP and MAC based filtering and VRRP and Cflowd 7950 SR OS Routing Protocols Guide This guide provides an overview of routing concepts...

Страница 13: ...ed reseller contact the technical support staff for that distributor or reseller for assistance If you purchased an Alcatel Lucent service agreement contact technical assistance at http www alcatel lu...

Страница 14: ...About This Guide Page 14 7950 SR OS System Management Guide...

Страница 15: ...this book is presented in an overall logical configuration flow Each section describes a software area and provides CLI syntax and command usage to configure parameters for a functional area Table 1...

Страница 16: ...Alcatel Lucent 7950 SR Router Configuration Process Page 16 7950 SR OS System Management Guide...

Страница 17: ...ccounting on page 18 Authentication on page 19 Authorization on page 24 Accounting on page 28 Security Controls on page 30 When a Server Does Not Respond on page 30 Access Request Flow on page 31 Vend...

Страница 18: ...nd auditing purposes You can configure routers to use local Remote Authentication Dial In User Service RADIUS or Terminal Access Controller Access Control System Plus TACACS security to validate users...

Страница 19: ...igured then these methods are attempted If no other authentication methods are configured or all methods reject the authentication request then access is denied For the RADIUS server selection round r...

Страница 20: ...is is referred to as local authentication Remote security servers such as RADIUS or TACACS are not enabled RADIUS Authentication Remote Authentication Dial In User Service RADIUS is a client server se...

Страница 21: ...rver is reachable when the operational state UP when a valid response is received within a timeout period which is configurable by the retry parameter on the RADIUS policy level A server is treated as...

Страница 22: ...e same user database RADIUS Authentication If the first server in the list cannot find a user the next server in the RADIUS server list is not queried and access is denied If multiple RADIUS servers a...

Страница 23: ...wed to a given system TACACS is an encryption protocol and therefore less secure than the later Terminal Access Controller Access Control System Plus TACACS and RADIUS protocols TACACS and RADIUS have...

Страница 24: ...is authenticated The profiles and user access information specifies the actions the user can and cannot perform By default local authorization is enabled Local authorization is disabled only when a di...

Страница 25: ...tion is attempted if configured in the authorization order When authorization is configured and profiles are downloaded to the router from the RADIUS server the profiles are considered temporary confi...

Страница 26: ...priv lvl option is not configured then each CLI command issued by an operator is sent to the TACACS server for authorization The authorization request sent by SR OS contains the first word of the CLI...

Страница 27: ...erent A dut c configure service A dut c config service vprn 555 customer 1 create A dut c config service vprn shutdown This results in the following AVPairs cmd configure cmd arg service cmd configure...

Страница 28: ...ng tracks user activity to a specified host When RADIUS accounting is enabled the server is responsible for receiving accounting requests and returning a response to the client indicating that it has...

Страница 29: ...type specified sends a start packet to the TACACS accounting server which contains information about the event The TACACS accounting server acknowledges the start packet and records information about...

Страница 30: ...the primary server is responsive again are not performed If a server is down it will not be contacted for 5 minutes If a login is attempted after 5 minutes then the server is contacted again When a s...

Страница 31: ...the request is passed to the next TACACS server with the next lowest index TACACS server 2 and so on If a request is sent to an active RADIUS server and the user name and password is not recognized ac...

Страница 32: ...he rate is a per port limit each port in the system will have control traffic destined to the CPM limited to this rate protocol protection Blocks network control traffic for unconfigured protocols If...

Страница 33: ...ey are modifiable but cannot be deleted Policy 254 This is the default policy that is automatically applied to access interfaces Traffic above 6000 pps is discarded overall rate 6000 per source rate m...

Страница 34: ...terface This helps mitigate DoS attacks by filtering invalid control traffic before it hits the CPU The system automatically populates and maintains a per interface list of configured such as valid pr...

Страница 35: ...ch logic is applied This means ordering the entries in the proper sequence is important to ensure the proper behavior is achieved Even thought the number of eth cfm entries is limited to ten the entry...

Страница 36: ...nd is not specific to the eth cfm rate limiting feature describe here When an MP is configured on a SAP Binding within a service which allows an external source to communicate with that MP for example...

Страница 37: ...mple SAPs The basic types of policers in DCP are Enforcement Policers An instance of a policer that is policing a flow of packets comprised of a single or small set of protocols s arriving on a single...

Страница 38: ...ies static mixed and dynamic Traffic switched from monitoring to enforcing policers if a trigger is tripped Dynamic parameters Static policers Local monitoring policers Optional marking or discarding...

Страница 39: ...ized per SAP interface cpu protection can be employed to rate limit or mark this traffic if desired Control traffic that arrives on a network interface but inside a tunnel for example SDP LSP PW and l...

Страница 40: ...DCP throttles the rate of DCP events to avoid event floods when multiple parallel attacks or problems are occurring Many of the DCP log events can be individually enabled or disabled at the DCP polic...

Страница 41: ...policer free on the associated card fp then the object will be blocked from being created Similarly for local monitors once a local monitoring policer is configured and referenced by a protocol then...

Страница 42: ...her rate infrastructure protocols such as BGP It is recommended to configure an exceed action of low priority for routing and infrastructure protocols Marked packets are more likely to be discarded if...

Страница 43: ...protocol arp create enforcement static my arp policer exit protocol pppoe pppoa create enforcement static my ppp policer exit exit A node1 config subscr mgmt msap policy info dist cpu protection my dd...

Страница 44: ...old down 60 exit exit protocol pppoe pppoa create enforcement dynamic my local monitor dynamic parameters detection time 600 rate packets 3 within 10 initial delay 3 exceed action discard hold down 12...

Страница 45: ...access timetra profile profile name When configuring this VSA for a user it is assumed that the user profiles are configured on the local router and the following applies for local and remote authenti...

Страница 46: ...ss is separate from the SSH and SCP client commands on the routers which initiate outbound SSH and SCP sessions Inbound SSH sessions are counted as inbound telnet sessions for the purposes of the maxi...

Страница 47: ...DoS attacks Control Processor Module Queuing CPMQ implements separate hardware based queues which are allocated on a per peer basis CPMQ allocates a separate queue for each LDP and BGP peer and ensur...

Страница 48: ...but not to packets from a management Ethernet port CPM packet filtering and queuing is performed by network processor hardware using no resources on the main CPUs There are three filters that can be...

Страница 49: ...d 4 seconds If the system is configured for user lockout then the user will be locked out when the number of attempts is exceeded However if lockout is not configured there are three password entry at...

Страница 50: ...t is 10 minutes An security event log will be generated as soon as a user account has exceeded the number of allowed attempts and the show system security user command can be used to display the total...

Страница 51: ...Lucent OS supports network access control of client devices PCs STBs etc on an Ethernet network using the IEEE 802 1x standard 802 1x is known as Extensible Authentication Protocol EAP over a LAN net...

Страница 52: ...ing messages Packet Formats 0 1 2 3 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 Kind Length T K Alg ID Res Key ID Authentication Data Option Syntax Kind 8 bits The Kind field ident...

Страница 53: ...h The Authentication Data field contains data that is used to authenticate the TCP segment This data includes but need not be restricted to a MAC The length and format of the Authentication Data Field...

Страница 54: ...ter K i Shared secret to use with key i config system security keychain direction uni receive entry with shared secret parameter config system security keychain direction uni send entry with shared se...

Страница 55: ...describes security configuration caveats General If a RADIUS or a TACACS server is not configured then password profiles and user access information must be configured on each router in the domain If...

Страница 56: ...Configuration Notes Page 56 7950 SR OS System Management Guide...

Страница 57: ...ing Management Access Filters on page 65 Configuring CPM Filters Policy on page 67 Configuring Password Management Parameters on page 68 Configuring Profiles on page 71 Configuring Users on page 72 Co...

Страница 58: ...wing tasks to configure security on each participating router Configuring Profiles on page 71 Configuring RADIUS Authentication on page 78 Configuring Users on page 72 RADIUS authentication To impleme...

Страница 59: ...guring Profiles on page 71 For RADIUS authorization VSAs must be configured on the RADIUS server See Vendor Specific Attributes VSAs on page 45 RADIUS authorization For RADIUS authorization with authe...

Страница 60: ...7950 SR OS System Management Guide TACACS authorization For TACACS authorization with authentication configure these tasks on each participating router Enabling TACACS Authentication on page 83 Confi...

Страница 61: ...efer to the following sections to configure accounting Local accounting is not implemented For information about configuring accounting policies refer to Configuring Logging with CLI on page 323 Confi...

Страница 62: ...CS servers RADIUS and or TACACS parameters The following example displays default values for security parameters A ALA 1 config system security info detail no hash control telnet server no telnet6 ser...

Страница 63: ...p snmp rw security model snmpv2c security level no auth no privacy read no security write no security notify no security access group snmp rwa security model snmpv1 security level no auth no privacy r...

Страница 64: ...ties of authentication authorization and accounting configurations For example authentication can be enabled locally and on RADIUS and TACACS servers Authorization can be executed locally on a RADIUS...

Страница 65: ...apply to the management Ethernet port The OS implementation exits the filter when the first match is found and execute the actions according to the specified action For this reason entries must be seq...

Страница 66: ...default action permit entry 10 src ip 3FFE 1 1 128 next header rsvp log action deny exit exit mac filter default action permit entry 12 match frame type ethernet_II svc id 1 src mac 00 01 01 01 01 01...

Страница 67: ...c ip 192 100 2 0 24 exit exit exit ipv6 filter shutdown entry 30 create action drop log 190 match next header tcp dscp ef dst ip 3FFE 2 2 128 src port 100 100 tcp syn true tcp ack false flow label 10...

Страница 68: ...configured locally Use the following CLI commands to configure password support CLI Syntax config system security password admin password password hash hash2 aging days attempts count time minutes1 l...

Страница 69: ...to pem format A SR 7 Dut A admin certificate export type cert input R1 0cert der output cf3 R1 0cert pem format pem The following displays an example of profile output A SR 7 Dut A config system secur...

Страница 70: ...n using cert auth interface VPRN1 tunnel create sap tunnel 1 private 1 create ipsec tunnel Sanity 1 create security policy 1 local gateway address 30 1 1 13 peer 50 1 1 15 delivery service 300 dynamic...

Страница 71: ...ured locally or on the RADIUS server Use the following CLI commands to configure user profiles CLI Syntax config system security profile user profile name default action deny all permit all none renum...

Страница 72: ...ogin exec url prefix source url member user profile name user profile name up to 8 max new password at login home directory url prefix directory directory directory password password hash hash2 restri...

Страница 73: ...y info keychain abc direction bi entry 1 key ZcvSElJzJx wBZ9biCtOVQJ9YZQvVU S hash2 alg orithm aes 128 cmac 96 begin time 2006 12 18 22 55 20 exit exit exit exit keychain basasd direction uni receive...

Страница 74: ...ity copy user testuser to testuserA MINOR CLI User testuserA already exists use overwrite flag config system security config system security copy user testuser to testuserA overwrite config system sec...

Страница 75: ...cess snmp console cannot change password exit snmp authentication hash md5 e14672e71d3e96e7a1e19472527ee969 privacy none group testgroup exit A ALA 12 config system security user exit A ALA 12 config...

Страница 76: ...security info A ALA 49 config system security info detail profile default default action none entry 10 no description match exec action permit exit entry 20 no description match exit action permit exi...

Страница 77: ...30 no description match help action permit exit entry 40 no description match logout action permit exit entry 50 no description match password action permit exit entry 60 no description match show con...

Страница 78: ...0 SR OS Router Configuration Guide The other commands are optional The server command adds a RADIUS server and configures the RADIUS server s IP address index and key values The index determines the s...

Страница 79: ...Vendor Specific Attributes VSAs on page 45 On the local router use the following CLI commands to configure RADIUS authorization CLI Syntax config system security radius authorization The following dis...

Страница 80: ...g system security radius accounting The following displays RADIUS accounting configuration example A ALA 1 config system security info radius shutdown authorization accounting retry 5 timeout 5 server...

Страница 81: ...re generic parameters for 802 1x authentication enter the following CLI syntax CLI Syntax config system security dot1x radius plcy policy name server server index address ip address secret key port po...

Страница 82: ...fo link specific rate 4000 policy 4 create no alarm description My new CPU Protection policy overall rate 9000 per source rate 2000 out profile rate 4000 exit policy 254 create exit policy 255 create...

Страница 83: ...the following CLI commands to configure profiles CLI Syntax config system security tacplus server server index address ip address secret key timeout seconds no shutdown The following displays a TACACS...

Страница 84: ...nds to configure RADIUS authorization CLI Syntax config system security tacplus authorization no shutdown The following displays a TACACS authorization configuration example A ALA 1 config system secu...

Страница 85: ...cplus accounting The following displays a TACACS accounting configuration example A ALA 1 config system security tacplus info accounting authorization timeout 5 server 1 address 10 10 0 5 secret test1...

Страница 86: ...SH server is disabled This setting should not be changed while the SSH server is running since the actual change only takes place after SSH is disabled or enabled CLI Syntax config system security ssh...

Страница 87: ...value idle timeout minutes disable pre login message login text string name login banner motd url url prefix source url text motd text string The following displays a login control configuration exam...

Страница 88: ...Configuring Login Controls Page 88 7950 SR OS System Management Guide...

Страница 89: ...Queue Commands on page 95 CPU Protection Commands on page 96 Security Password Commands on page 97 Profile Commands on page 99 RADIUS Commands on page 100 SSH Commands on page 100 TACPLUS Commands on...

Страница 90: ...ce address application app ip int name ip address no application app application6 app ipv6 address no application6 no telnet server LLDP Commands configure system lldp message fast tx time no message...

Страница 91: ...id no src port src port old entry number new entry number renum old entry number new entry number no shutdown no ipv6 filter default action permit deny deny host unreachable no entry entry id action...

Страница 92: ...s ieee address mask no src mac ssap ssap value ssap mask no ssap svc id service id no svc id renum old entry number new entry number no shutdown CPM Filter Commands config system ftp server no cpm fil...

Страница 93: ...id new entry id no shutdown no ipv6 filter no entry entry id action accept drop queue queue id no action description description string no description log log id no log match next header next header n...

Страница 94: ...um old entry id new entry id no shutdown no mac filter no entry entry id action accept drop queue queue id no action description description string no description log log id no log match frame type fr...

Страница 95: ...Security 7950 SR OS System Management Guide Page 95 CPM Queue Commands config system security no cpm queue no queue queue id cbs cbs no cbs mbs mbs no mbs rate rate cir cir no rate...

Страница 96: ...faces and SAPs Refer to the appropriate guides See Preface for document titles for command syntax and usage for applying CPU protection policies Examples of entities that can have CPU protection polic...

Страница 97: ...w priority hold down seconds none log events verbose no log events rate packets ppi max within seconds initial delay packets kbps kilobits per second max mbs size bytes kilobytes enforcement static po...

Страница 98: ...no aging attempts count time minutes1 lockout minutes2 no attempts authentication order method 1 method 2 method 3 exit on reject no authentication order no complexity numeric special character mixed...

Страница 99: ...nfig system ftp server Profile Commands no profile user profile name default action deny all permit all none no entry entry id action deny permit description description string no description ftp serv...

Страница 100: ...h2 no server server index no shutdown timeout seconds no timeout no use default template SSH Commands config system ftp server SSH Commands ssh no preserve key no server shutdown no version SSH versio...

Страница 101: ...n none hash md5 key 1 sha key 1 privacy none des key aes 128 cfb key key 2 group group name no group User Template Commands config system ftp server user template tacplus_default radius_default no acc...

Страница 102: ...n key hash key hash2 key hash hash2 algorithm algorithm begin time date hours minutes UTC now forever end time date hours minutes UTC now for ever no shutdown tolerance seconds forever send entry entr...

Страница 103: ...und max sessions idle timeout minutes disable no idle timeout no login banner motd url url prefix source url text motd text string no motd pre login message login text string name no pre login message...

Страница 104: ...olicy policy id association protocol protection violators port interface sap video sdp dist cpu protection policy policy id association detail keychain keychain name detail management access filter ip...

Страница 105: ...Server clear router radius proxy server server name statistics Debug Commands debug radius detail hex no radius no ocsp no ocsp profile name Tools Commands tools dump security dist cpu protection vio...

Страница 106: ...Security Command Reference Page 106 7950 SR OS System Management Guide...

Страница 107: ...urity cpm filter mac filter entry Description This command creates a text description stored in the configuration file for a configuration context This command associates a text string with a configur...

Страница 108: ...em hash control Syntax hash control read version 1 2 all write version 1 2 no hash control Context config system security Description Whenever the user executes a save or info command the system will...

Страница 109: ...es on inband interfaces and does not apply on the outband management inter face Packets going out the management interface will keep using that as source IP address IN other words when the RADIUS serv...

Страница 110: ...ntp ping radius snmptrap syslog tacplus telnet traceroute ipv6 address Specifies the name of the IPv6 address telnet server Syntax no telnet server Context config system security Description This comm...

Страница 111: ...all network IP interfaces This includes labeled user packets ping and traceroute packets within VPRN This feature currently also limits the same packets when received within the context of an LSP sho...

Страница 112: ...stem lldp Description This command configures the duration of the fast transmission period Parameters time Specifies the fast transmission period in seconds Values 1 3600 Default 1 message fast tx ini...

Страница 113: ...Default 5 reinit delay Syntax reinit delay time no reinit delay Context config system lldp Description This command configures the time before re initializing LLDP on a port Parameters time Specifies...

Страница 114: ...s command configures the multiplier of the tx interval Parameters multiplier Specifies the multiplier of the tx interval Values 2 10 Default 4 tx interval Syntax tx interval interval no tx interval Co...

Страница 115: ...eates the context to configure FTP login control parameters idle timeout Syntax idle timeout minutes disable no idle timeout Context config system login control Description This command configures the...

Страница 116: ...essions Context config system login control telnet Description This parameter limits the number of inbound Telnet and SSH sessions A maximum of 15 telnet and ssh connections can be established to the...

Страница 117: ...ext of the message of the day The motd text string must be enclosed in double quotes Multiple text strings are not appended to one another Some special characters can be used to format the message tex...

Страница 118: ...cters spaces etc the entire string must be enclosed within double quotes Some special characters can be used to format the message text The n character creates multiline messages and the r character r...

Страница 119: ...y ssh Description This command enables the SSH servers running on the system Default At system startup only the SSH server is enabled version Syntax version ssh version no version Context config syste...

Страница 120: ...scription This command creates the context to configure the Telnet login control parameters enable graceful shutdown Syntax no enable graceful shutdown Context config system login control telnet Descr...

Страница 121: ...sed to other traffic filters are enforced by system software The no form of the command removes management access filters from the configuration Default No management access filters are defined ip fil...

Страница 122: ...lection criteria will be denied and that a host unreachable message will not be issued Note deni host unreachable only applies to ip filter and ipv6filter default action Syntax default action permit d...

Страница 123: ...fault 65535 exact match Values 1 65535 decimal entry Syntax no entry entry id Context config system security mgmt access filter ip filter config system security mgmt access filter ipv6 filter config s...

Страница 124: ...which the sender requests special handling such as non default quality of service or real time service Parameters value Specify the flow identifier in an IPv6 packet header that can be used to discrim...

Страница 125: ...d by its respective protocol number Well known protocol numbers include ICMP 1 TCP 6 and UDP 17 The no form the command removes the protocol from the match criteria Default No protocol match criterion...

Страница 126: ...y mgmt access filter ip filter entry config system security mgmt access filter ipv6 filter entry Description This command configures a router name or service ID to be used as a management access filte...

Страница 127: ...config system security mgmt access filter ipv6 filter config system security mgmt access filter mac filter Description This command shutdowns the management access filter match Syntax match frame typ...

Страница 128: ...start and an end or operator lt gt eq followed by an opcode with the value between 0 and 255 is defined then the command is invalid The following table provides opcode values Table 7 Opcode Values CFM...

Страница 129: ...ss filter mac filter entry match Description This command configures Dot1p match conditions Parameters dot1p value The IEEE 802 1p value in decimal Values 0 7 mask This 3 bit mask can be configured us...

Страница 130: ...dst mac ieee address ieee address mask no dst mac Context config system security mgmt access filter mac filter entry match Description This command configures the destination MAC match condition Para...

Страница 131: ...exclusive based on the frame format The no form of the command removes the previously entered etype field as the match criteria Default no etype Parameters ethernet type The Ethernet type II frame Et...

Страница 132: ...e two byte snap pid value to be used as a match criterion in hexadecimal Values 0x0000 0xFFFF src mac Syntax src mac ieee address ieee address mask no src mac Context config system security mgmt acces...

Страница 133: ...the ssap match criterion Default no ssap Parameters ssap value The 8 bit ssap match criteria value in hex Values 0x00 0xFF ssap mask This is optional and may be used when specifying a range of ssap va...

Страница 134: ...ement access filter match criterion The no form of the command removes the source IP address match criterion Default No source IP match criterion is specified Parameters ip prefix mask The IP prefix f...

Страница 135: ...p prefix list Creates a list of IPv4 prefixes for match criteria in IPv4 ACL and CPM filter policies ipv6 prefix list name A string of up to 32 characters of printable ASCII characters If special char...

Страница 136: ...ed access to all the commands The minimum length of the password is determined by the minimum length command The com plexity requirements for the password is determined by the complexity command NOTE...

Страница 137: ...prompted for a password If the password matches user is given unrestricted access to all the commands The minimum length of the password is determined by the minimum length command The com plexity re...

Страница 138: ...is exceeded the user is locked out for a specified time period If multiple attempts commands are entered each command overwrites the previously entered com mand The no attempts command resets all val...

Страница 139: ...n is 1 RADIUS 2 TACACS and 3 local passwords Parameters method 1 The first password authentication method to attempt Default radius Values radius tacplus local method 2 The second password authenticat...

Страница 140: ...se Specifies that at least one upper and one lower case character must be present in the password This keyword can be used in conjunction with the numeric and special character parameters However if t...

Страница 141: ...SHA 96 and des keys configured in the system security section If multiple minimum length commands are entered each command overwrites the previous entered command The no form of the command reverts t...

Страница 142: ...sword Commands Page 142 7950 SR OS System Management Guide password Syntax password Context config system security Description This command creates the context to configure password management paramet...

Страница 143: ...levels are spec ified Because the OS exits when the first match is found subordinate levels cannot be modified with sub sequent action commands More specific action commands should be entered with a l...

Страница 144: ...profiles and the default action of the first profile is permit all then the second profile will never be evaluated because the permit all is executed first Set the first profile default action to non...

Страница 145: ...responding action If more than one entry is configured the entry ids should be numbered in staggered increments to allow users to insert a new entry without requiring renumbering of the existing entri...

Страница 146: ...mand renumbers profile entries to re sequence the entries Since the OS exits when the first match is found and executes the actions according to accompanying action command re numbering is useful to r...

Страница 147: ...permission snmp Specifies SNMP permission This keyword is only configurable in the config system security user context console Specifies console access serial port or Telnet permission authentication...

Страница 148: ...th is 20 octets 40 printable characters The complexity of the key is determined by the complexity command privacy none Do not perform SNMP packet encryption Default privacy none privacy des key key 2...

Страница 149: ...s the context to configure user profile membership for the console either Telnet or serial port user copy Syntax copy user source user profile source profile to destination overwrite Context config sy...

Страница 150: ...text config system security user template Description This command configures the profile for the user based on this template Parameters user profile name The user profile name entered as a character...

Страница 151: ...x password password hash hash2 Context config system security user Description This command configures the user password for console and FTP access The use of the hash keyword sets the initial passwor...

Страница 152: ...he password for the user that must be entered by this user during the login procedure The minimum length of the password is determined by the minimum length command The maximum length can be up to 20...

Страница 153: ...rectory higher in the directory tree on the home directory device The user is allowed to create and access subdirectories below their home directory If a home directory is not configured or the home d...

Страница 154: ...ept from the RADIUS server user Syntax no user user name Context config system security Description This command creates a local user and a context to edit the user configuration If a new user name is...

Страница 155: ...mary server for the first request the second server as primary for the second request and so on If the router gets to the end of the list it starts again with the first server accounting Syntax no acc...

Страница 156: ...te Authentication Dial In User Service RADIUS Parameters port The TCP port number to contact the RADIUS server Values 1 65535 radius Syntax no radius Context config system security Description This co...

Страница 157: ...removes the server from the configuration Default No RADIUS servers are configured Parameters index The index for the RADIUS server The index determines the sequence in which the servers are queried...

Страница 158: ...eout seconds no timeout Context config system security radius Description This command configures the number of seconds the router waits for a response from a RADIUS server The no form of the command...

Страница 159: ...to the highest index Values 1 5 address ip address The IP address of the TACACS server Two TACACS servers cannot have the same IP address An error message is generated if the server address is a dupl...

Страница 160: ...le server addresses for each router for redundancy The no form of the command removes the TACACS configuration accounting Syntax accounting record type start stop stop only no accounting Context confi...

Страница 161: ...cts the user name SR OS sends a continue message with the user name TACACS server replies with TAC_PLUS_AUTHEN_STATUS_GETPASS and a server_msg SR OS displays the server_msg which may contain for examp...

Страница 162: ...Description This command administratively disables the TACACS protocol operation Shutting down the proto col does not remove or change the configuration other than the administrative state The operati...

Страница 163: ...er the config system security dot1x radius plcy con text authenticates clients who get access to the data plane of the routeras opposed to the RADIUS server configured under the config system radius c...

Страница 164: ...d Parameters server index The index for the Dot1x server The index determines the sequence in which the servers are queried for authentication requests Servers are queried in order from lowest to high...

Страница 165: ...n This command administratively disables the 802 1x protocol operation Shutting down the protocol does not remove or change the configuration other than the administrative state The operational state...

Страница 166: ...chain command is entered the command will not be accepted and an error indicating that the keychain is in use will be printed Default none Parameters keychain name Specifies a keychain name which iden...

Страница 167: ...security keychain direction bi config system security keychain direction uni receive config system security keychain direction uni send Description This command defines a particular key in the keychai...

Страница 168: ...y combination of ASCII characters up to 33 for the hash key and 96 characters for the hash2 key in length encrypted If spaces are used in the string enclose the entire string in quotation marks This i...

Страница 169: ...the time after which the key specified by the authentication key is no lon ger eligible to sign and or authenticate the protocol stream in the hh mm ss format Seconds are optional and if not included...

Страница 170: ...configures the TCP option number accepted in TCP packets received Default 254 Parameters option number Specifies an enumerated integer that indicates the TCP option number to be used in the TCP header...

Страница 171: ...ault action accept drop Context config system security cpm filter Description This command specifies the action to take on the traffic when the filter entry matches If there are no filter entry define...

Страница 172: ...st have at least one filter match entry Entries are created and deleted by user The default match criteria is match none Parameters entry id Identifies a CPM filter entry as configured on this system...

Страница 173: ...efore the action associated with the match is executed A match context may consist of multiple match criteria but multiple match statements cannot be entered per entry The no form of the command remov...

Страница 174: ...6 icmp 58 ICMP for IPv6 ipv6 no nxt 59 No Next Header for IPv6 ipv6 opts 60 Destination Options for IPv6 iso ip 80 ISO Internet Protocol eigrp 88 EIGRP ospf igp 89 OSPFIGP ether ip 97 Ethernet within...

Страница 175: ...ny no action Context config system security mgmt access filter mac filter Description This command creates the action associated with the management access filter match criteria entry The action keywo...

Страница 176: ...an IP filter match crite rion The no form of the command removes the DSCP match criterion Default no dscp No dscp match criterion Parameters dscp name Configures a dscp name that has been previously m...

Страница 177: ...sed as an IPv6 filter match crite rion To match on the destination IPv6 address specify the address The no form of the command removes the destination IP address match criterion Default No destination...

Страница 178: ...decimal integer Values 0 65535 accepted in decimal hex or binary port list name Specifies the port list name to be used as a match criteria for the destination port mask Specifies the 16 bit mask to...

Страница 179: ...ation Extension Header presence absence in a packet when evaluating match criteria of a given filter policy entry Default no fragment Parameters true Specifies to match on all fragmented IP packets A...

Страница 180: ...s the criterion from the match entry Default no icmp code no match criterion for the ICMP code Parameters icmp code Specifies the ICMP code values that must be present to match Values 0 255 icmp type...

Страница 181: ...the option number Thus to match on IP packets that contain the Router Alert option option number 20 enter the option type of 148 10010100 Values 0 255 ip option mask Specifies a range of option number...

Страница 182: ...er A match will occur for all packets that have the option field present An option field of zero is considered as no option present false Specifies matching on IP packets that do not have any option f...

Страница 183: ...0 700 0 217A Values ipv4 address a b c d host bits must be 0 x x x x x x d d d d interface x 0 FFFF H d 0 255 D interface 32 characters maximum mandatory for link local addresses mask Specifies the 16...

Страница 184: ...sed the string must be enclosed within double quotes src port Syntax src port src port number mask Context config sys sec cpm ip filter entry match config sys sec cpm ipv6 filter entry match Descripti...

Страница 185: ...the control bits of the TCP header of an IP or IPv6 packet as an IP filter match criterion Note that an entry containing Layer 4 match criteria will not match non initial 2nd 3rd etc fragments of a f...

Страница 186: ...action command This requires that entries be sequenced cor rectly from most to least explicit Parameters old entry id Enter the entry number of an existing entry Values 1 2048 new entry id Enter the n...

Страница 187: ...ers to allocate dedicated CPM cbs Syntax cbs cbs no cbs Context config system cpm queue queue Description This command specifies the amount of buffer that can be drawn from the reserved buffer portion...

Страница 188: ...fig system security cpm queue queue Description This command specifies the maximum bandwidth that will be made available to the queue in kilobits per second kbps Parameters rate Specifies the administ...

Страница 189: ...bled in order for TTL protection to operate The no form of the command disables TTL security Parameters min ttl value Specify the minimum TTL value for an incoming BGP packet Values 1 255 ttl security...

Страница 190: ...rity parameters for incoming packets When the feature is enabled SSH Telnet will accept incoming IP packets from a peer only if the TTL value in the packet is greater than or equal to the minimum TTL...

Страница 191: ...is cleared each second and is based on the ingress port Default max no limit Parameters packet rate limit Specifies a packet arrival rate limit in packets per second for link level protocols Values 1...

Страница 192: ...te context alarm Syntax no alarm Context config sys security cpu protection policy Description This command enables the generation of an event when a rate is exceed The event includes information abou...

Страница 193: ...pplication Values range 0 255 within specified range multiple ranges allowed number 0 255 specific level number may be combined with range out profile rate Syntax out profile rate packet rate limit no...

Страница 194: ...e Context config sys security cpu protection policy Description This command configures a per source packet arrival rate limit Use this command to apply a packet arrival rate limit on a per source bas...

Страница 195: ...nfigured then protocol protection will discard any IS IS packets received on that interface Default no protocol protection Parameters allow sham links Allows sham links As OSPF sham links form an adja...

Страница 196: ...iven then per MAC rate limiting should be performed using the per source rate from the associated cpu protection policy If no CPU protection policy is assigned to a SAP then a default policy is used t...

Страница 197: ...applied to objects such as SAPs and network interfaces Parameters policy name Name of the policy to be configured description Syntax no description string Context config system security dist cpu prote...

Страница 198: ...ial burst or a burst after the policer bucket has drained to zero in addition to the normal ppi This would typically be set to a value that is equal to the number of received packets in several full h...

Страница 199: ...ameters number of policers specifies the number of policers to be reserved Values 0 1000 32k exceed action Syntax exceed action discard hold down seconds low priority hold down seconds none Context co...

Страница 200: ...o log events verbose Context config system security dist cpu protection policy static policer Description This command controls the creation of log events related to static policer status and activity...

Страница 201: ...an enforcement policer has marked or discarded one or more packets software may detect this some time after the packets are actually discarded and an optional hold down seconds value has been specifie...

Страница 202: ...all unspecified bucket This includes traffic snooping for example PIM in VPLS as well as con trol traffic that is flooded in an R VPLS instance and also extracted to the CPM such as ARP ISIS and VRRP...

Страница 203: ...unspecified protocol if the all unspecified proto col is created in the policy Default none Parameters names Signifies protocol name Values arp dhcp http redirect icmp igmp mld ndis pppoe pppoa all u...

Страница 204: ...hen the associated local monitoring policer is considered as exceeding its rate parameters at the end of a minimum monitoring time of 60 seconds log events Syntax no log events verbose Context config...

Страница 205: ...more protocols in the policy Once this policer name is referenced by a protocol then this policer will be instantiated for each object e g SAP or network interface that is created and references this...

Страница 206: ...Distributed CPU Protection Commands Page 206 7950 SR OS System Management Guide...

Страница 207: ...ty no security snmp ro snmpv2c none no security no security snmp rw snmpv1 none no security no security no security snmp rw snmpv2c none no security no security no security snmp rwa snmpv1 none iso is...

Страница 208: ...server Status Current status of the RADIUS server Type The authentication type Timeout secs The number of seconds the router waits for a response from a RADIUS server Single connection Enabled Specif...

Страница 209: ...stics Authentication sequence radius tacplus local server address status type timeout secs single connection retry count 10 10 10 103 up radius 5 n a 5 10 10 0 1 up radius 5 n a 5 10 10 0 2 up radius...

Страница 210: ...count health check enabled interval 30 Login Statistics server address conn accepted rejected errors logins logins local n a 4 0 Authorization Statistics TACACS server address conn sent rejected error...

Страница 211: ...ecurity Description This command displays CPM filters Table 11 Show Communities Output Fields Label Description Community The community string name for SNMPv1 and SNMPv2c access only Access r The comm...

Страница 212: ...lter description Log ID Displays the log ID where matched packets will be logged Src IP Displays the source IP address netmask or prefix list Dest IP Displays the destination IP address netmask Src Po...

Страница 213: ...8 0 CPM Filter 10 4 112 2 112 113 26034 0 CPM Filter 10 4 113 2 113 114 26050 0 CPM Filter 10 4 114 2 114 115 26066 0 CPM Filter 10 4 115 2 115 116 26084 0 CPM Filter 10 4 116 2 116 A ALA 35 A ALA 35...

Страница 214: ...lter description Log ID Log Id where matched packets will be logged Src IP Displays Source IP address netmask Dest IP Displays Destination IP address netmask Src Port Displays Source Port Number range...

Страница 215: ...M Filter 11 108 2 108 109 25880 0 CPM Filter 11 109 2 109 A ALA 35 A ALA 35 show system security cpm filter ipv6 filter entry 101 CPM IPv6 Filter Entry Entry Id 1 Description CPM Filter 11 101 2 101 F...

Страница 216: ...ction information Sample Output show system security cpu protection eth cfm monitoring SAP s where the protection policy Eth CFM rate limit is exceeded SAP Id Service Id Plcy 1 1 1 3 100 1 SAP s found...

Страница 217: ...03 21 2009 23 35 59 4000000023 61234 91 91 91 91 91 91 6 23 03 21 2009 23 33 19 03 21 2009 23 36 19 4000000024 61234 92 92 92 92 92 92 7 24 03 21 2009 23 33 29 03 21 2009 23 36 39 4000000025 max Aggre...

Страница 218: ...41 59 03 22 2009 01 53 39 3000000043 00 00 00 00 00 02 03 22 2009 00 43 39 03 22 2009 01 56 59 3000000044 00 00 00 00 00 03 03 22 2009 00 45 19 03 22 2009 02 00 19 3000000045 00 00 00 00 00 04 03 22...

Страница 219: ...CPU Protection policy 100 Description Not Specified SAP associations Service Id 3 Type VPLS SAP 1 1 1 mac monitoring SAP 1 1 2 eth cfm monitoring aggr car SAP 1 1 3 eth cfm monitoring SAP 1 1 4 Number...

Страница 220: ...for CPU Protection policy 255 Description Default Modifiable CPU Protection Policy assigned to Network Interfaces SAP associations None SDP associations Service Id 3 Type VPLS SDP 1 2 SDP 1 4 eth cfm...

Страница 221: ...gr SDP 1 5 mac monitoring SDP 17407 4123456789 eth cfm monitoring car Number of SDP s 4 Interface associations None Managed SAP associations None Video Interface associations None A bksim130 show syst...

Страница 222: ...010 22 37 11 3000000004 1 5 3 100 61234 05 01 2010 01 43 49 06 27 2010 22 37 14 3000000005 5 SDP s found Video clients where the protection policy per source rate limit is violated Client IP Address V...

Страница 223: ...protection policy information Parameters policy id Displays CPU protection policy information for the specified policy ID association This keyword displays policy id associations protocol protection...

Страница 224: ...1 23002 47094 Num CPM Mac filter entries 1 B bksim67 mac filter Syntax mac filter entry entry id Context show system security management access filter Description This command displays management acc...

Страница 225: ...ion number receive 254 Oper state Up A ALA A A ALA A show system security keychain test detail Key chain test TCP Option number send 254 Admin state Up TCP Option number receive 254 Oper state Up Key...

Страница 226: ...ecified entry Values 1 9999 Output Management Access Filter Output The following table describes management access filter output fields Table 15 Show Management Access Filter Output Fields Label Descr...

Страница 227: ...and displays management access IPv6 filters Parameters entry id Specifies the IPv6 filter entry ID to display Values 1 9999 Output A Dut C show system security management access filter ipv6 filter ent...

Страница 228: ...valid attempts permit ted per login Displays the number of unsuccessful login attempts allowed for the specified time Time in minutes per login attempt Displays the period of time in minutes that a sp...

Страница 229: ...s command enables or disables CPMCFM hardware queuing per peer TTL security only operates when per peer queuing is enabled Output Per Peer Queuing Output The following table describes per peer queuing...

Страница 230: ...ll Entry 10 Description Match Command configure system security Table 18 Show User Profile Output Fields Label Description User Profile Displays the profile name used to deny or permit user console ac...

Страница 231: ...e following table describes source address output fields Sample Output A SR 7 show system security source address Source Address applications Application IP address Interface Name Oper status telnet 1...

Страница 232: ...Displays that SSH server is disabled SSH Preserve Key Enabled Displays that preserve key is enabled Disabled Displays that preserve key is disabled SSH protocol ver sion 1 Enabled Displays that SSH1...

Страница 233: ...ers who are currently locked out Output User Output The following table describes user output fields Label Description User ID The name of a system user Need new pwd Y The user must change his passwor...

Страница 234: ...ry for the user for both console and FTP access Restricted to home Yes The user is not allowed to navigate to a directory higher in the directory tree on the home directory device No The user is allow...

Страница 235: ...view view name detail Context show system security Description This command displays the SNMP MIB views Parameters view name Specify the name of the view to display output If no view name is specifie...

Страница 236: ...w 1 3 6 1 2 1 2 included vprn view 1 3 6 1 2 1 4 included vprn view 1 3 6 1 2 1 5 included vprn view 1 3 6 1 2 1 6 included vprn view 1 3 6 1 2 1 7 included vprn view 1 3 6 1 2 1 15 included vprn view...

Страница 237: ...e Authority CA profile association Displays associated CA profiles ocsp cache Syntax ocsp cache entry id Context show certificate Description This command displays the current cached OCSP results The...

Страница 238: ...ut A ALA 7 show users User Type From Login time Idle time testuser Console 21FEB2007 04 58 55 0d 00 00 00 A Number of users 1 A indicates user is in admin mode A ALA 7 Table 21 Show Users Output Field...

Страница 239: ...rs spaces etc the entire string must be enclosed within double quotes ip address Clears the authentication statistics for the specified IP address ip filter Syntax ip filter entry entry id Context cle...

Страница 240: ...ystem Management Guide ipv6 filter Syntax ipv6 filter entry entry id Context clear cpm filter Description This command clears IPv6 filter information Parameters entry entry id Specifies a particular C...

Страница 241: ...ommand clears the records of sources exceeding their per source rate limit protocol protection Syntax protocol protection Context clear cpu protection Description This command clears the interface cou...

Страница 242: ...ears CPM queue information Parameters queue id Specifies the CPM queue ID Values 33 2000 radius proxy server Syntax radius proxy server server name statistics Context clear router Description This com...

Страница 243: ...d disables the debugging Parameters detail Displays detailed output hex Displays the packet dump in hex format ocsp Syntax no ocsp Context debug Description This command enables debug output of OCSP p...

Страница 244: ...Debug Commands Page 244 7950 SR OS System Management Guide...

Страница 245: ...6 SNMP Architecture on page 246 Management Information Base on page 246 SNMP Protocol Operations on page 247 SNMP Versions on page 247 Management Information Access Control on page 248 User Based Secu...

Страница 246: ...or store set a value in the agent The manager uses definitions in the management information base MIB to perform operations on the managed device such as retrieving values from variables or blocks of...

Страница 247: ...nificant events that occur on the router SNMP Versions The agent supports multiple versions of the SNMP protocol SNMP Version 1 SNMPv1 is the original Internet standard network management framework SN...

Страница 248: ...al views which specify more specific OIDs MIB objects in the subtree can be configured Access to the management information in as SNMPv1 SNMPv2c agent is controlled by the inclusion of a community nam...

Страница 249: ...to different organizations A view defines a subset of the agent s managed objects controlled by the access rules associated with that view Pre defined views are available that are particularly useful...

Страница 250: ...y the router can be modified SNMP authentication allows the device to validate the managing node that issued the SNMP message and determine if the message has been tampered with User access and authen...

Страница 251: ...SNMPv2c implementations are restricted read only access which in turn reduces the effectiveness of a network monitor in which network control applications cannot be supported To implement SNMPv3 an au...

Страница 252: ...uration and Implementation Flow Yes Yes No No SNMPv3 Use Predefined Access Group Configuration Start Configure Community String with R RW RWAAccess SNMPv1 SNMPv2cONLY Configure Views Configure Access...

Страница 253: ...tifications are issued if an SNMP trap group has been configured In order to enable SNMP the portions of the configuration that failed to load must be initialized properly Start SNMP with the config s...

Страница 254: ...Configuration Notes Page 254 7950 SR OS System Management Guide...

Страница 255: ...Configuring SNMP with CLI This section provides information about configuring SNMP with CLI Topics in this chapter include SNMP Configuration Overview on page 256 Basic SNMP Security Configuration on...

Страница 256: ...g with a specific access method and the required SNMP version SNMPv1 or SNMPv2c The access methods are Read Only Grants read only access to the entire management structure with the exception of the se...

Страница 257: ...1 mask ff type included exit view no security subtree 1 3 6 1 6 3 15 1 1 mask ff type included exit access group snmp ro security model snmpv1 security level no auth no privacy read no security notify...

Страница 258: ...nity Options on page 263 Configuring Other SNMP Parameters on page 264 CLI Syntax config system security snmp attempts count time minutes1 lockout minutes2 community community string access permission...

Страница 259: ...write and read write all permission for the MIB objects accessible to the community The SNMP version SNMPv1 or SNMPv2c Default access features are pre configured by the agent for SNMPv1 SNMPv2c Use t...

Страница 260: ...value mask mask value type included excluded The following displays a view configuration example A cses A13 config system security snmp info view testview subtree 1 mask ff exit view testview subtree...

Страница 261: ...stem security snmp access group group name security model security model secu rity level security level context context name pre fix match read view name 1 write view name 2 notify view name 3 The fol...

Страница 262: ...r user name access ftp snmp console snmp authentication none hash md5 key sha key privacy none des key aes 128 cfb key key group group name The following displays a user s SNMP configuration example A...

Страница 263: ...community options CLI Syntax config system security snmp usm community community string group group name The following displays a SNMP community configuration example A ALA 1 config system security s...

Страница 264: ...modify the system SNMP options CLI Syntax config system snmp engineID engine id general port port packet size bytes no shutdown The following example displays the system SNMP default values A ALA 104...

Страница 265: ...l context context name prefix match read view name 1 write view name 2 notify view name 3 no access group group name security model security model secu rity level security level context context name p...

Страница 266: ...ystem security no user user name no snmp authentication none hash md5 key 1 sha key 1 privacy none des key aes 128 cfb key key 2 group group name no group Show Commands show snmp counters streaming co...

Страница 267: ...l SNMPv3 MD5 and SHA security digest keys and may render the node unmanageable When a chassis is replaced use the engine ID of the first system and configure it in the new system to preserve SNMPv3 se...

Страница 268: ...nted The no form of this command to revert to default Default 1500 bytes Parameters bytes The SNMP packet size in bytes Values 484 9216 snmp Syntax snmp Context config system Description This command...

Страница 269: ...sables SNMP agent operations System management can then only be performed using the command line interface CLI Shutting down SNMP does not remove or change configuration parameters other than the admi...

Страница 270: ...el snmpv1 snmpv2c usm security level no auth no privacy auth no privacy privacy Default none Parameters group name Specify a unique group name up to 32 characters security model snmpv1 snmpv2c usm Spe...

Страница 271: ...pts Syntax attempts count time minutes1 lockout minutes2 no attempts Context config system security snmp Description This command configures a threshold value of unsuccessful SNMP connection attempts...

Страница 272: ...oves a community string Default none Parameters community string Configure the SNMPv1 SNMPv2c community string access permissions r Grants only read access to objects in the MIB except security object...

Страница 273: ...view according to the value of vacmViewTreeFamilyType in the entry whose value of vacmViewTreeFamilySubtree has the most sub identifiers The no form of this command removes the mask from the configur...

Страница 274: ...ring This group must be configured first in the config system security snmp access group context Default none view Syntax view view name subtree oid value no view view name subtree oid value Context c...

Страница 275: ...mple 1 3 6 1 6 3 11 2 1 combined with the mask and include and exclude statements configures the access available in the view It is possible to have a view with different subtrees with their own masks...

Страница 276: ...SNMP Security Commands Page 276 7950 SR OS System Management Guide...

Страница 277: ...s delivered to SNMP from the transport service in gets Displays the number of SNMP get request PDUs accepted and pro cessed by SNMP in getnexts Displays the number of SNMP get next PDUs accepted and p...

Страница 278: ...utput Counters Output The following table describes SNMP streaming counters output fields Output Counters Output The following table describes SNMP streaming counters output fields Sample Output A Dut...

Страница 279: ...390 north and longitude 122 0550 west System Up Time The time since the last reboot SNMP Port The port which SNMP sends responses to management requests SNMP Engine ID The ID for either the local or r...

Страница 280: ...RL and filename of the configuration file used for the most recent boot Last Boot Cfg Version Displays the version of the configuration file used for the most recent boot Last Boot Config Header Displ...

Страница 281: ...oot up configuration file execution Not used No CLI script file was executed Cfg Fail Script Status Successful Failed The results from the execution of the CLI script file specified in the Cfg Fail Sc...

Страница 282: ...106 cfg Last Boot Cfg Version WED MAY 23 11 58 26 2012 UTC Last Boot Config Header TiMOS C 0 0 I3339 cpm i386 ALCATEL XRS 7950 Copyright c 2000 2012 Alcatel Lucent All rights reserved All use subject...

Страница 283: ...P Oper State Enabled SNMP Index Boot Status Not Persistent SNMP Sync State OK Telnet SSH FTP Admin Enabled Enabled Disabled Telnet SSH FTP Oper Up Up Down BOF Source cf1 Image Source primary Config So...

Страница 284: ...scribes the access group output fields Sample Output A ALA 1 show system security access group Access Groups group name security security read write notify model level view view view Table 25 Show Sys...

Страница 285: ...rite notify model level view view view snmp ro snmpv1 none no security no security No of Access Groups A ALA 1 authentication Syntax authentication statistics Context show system security Description...

Страница 286: ...g table describes the communities output fields single connection Specifies whether a single connection is established with the server The connection is kept open and is used by all the TELNET SSH FTP...

Страница 287: ...escription This command displays password options Table 26 Show Communities Output Fields Label Description Community The community string name for SNMPv1 and SNMPv2c access only Access r The communit...

Страница 288: ...by PPQ CPM filter SAP etc Label Description Password aging in days Number of days a user password is valid before the user must change his password Number of invalid attempts permit ted per login Disp...

Страница 289: ...profile If no profile name is displayed the entire list of profile names are listed Output Profile Output The following table describes the profile output fields Label Description Per Peer Queuing Di...

Страница 290: ...ser to execute the config system security command enable admin Enables the user to enter a special administra tive mode by entering the enable admin command exec Enables the user to execute exec the c...

Страница 291: ...it Entry 80 Description Match Command enable admin Action permit User Profile administrative Def Action permit all Entry 10 Description Match Command configure system security Action permit Entry 20 D...

Страница 292: ...cription SSH status SSH is enabled Displays that SSH server is enabled SSH is disabled Displays that SSH server is disabled Key fingerprint The key fingerprint is the server s identity Clients trying...

Страница 293: ...name of a system user Need New PWD Yes The user must change his password at the next login No The user is not forced to change his password at the next login User Permission Console Specifies whether...

Страница 294: ...1 included no security 1 3 6 1 6 3 15 1 1 included No of Views 6 A ALA 1 Table 29 Show System Security View Output Fields Label Description View name The name of the view Views control the accessibili...

Страница 295: ...detail Views view name oid tree mask permission no security 1 included no security 1 3 6 1 6 3 excluded no security 1 3 6 1 6 3 10 2 1 included no security 1 3 6 1 6 3 11 2 1 included no security 1 3...

Страница 296: ...Show Commands Page 296 7950 SR OS System Management Guide...

Страница 297: ...8 Log Destinations on page 300 Event Logs on page 305 Event Sources on page 306 Event Control on page 307 Log Manager and Event Logs on page 308 Event Filter Policies on page 309 Event Log Entries on...

Страница 298: ...The following are events within the OS and have the following characteristics A time stamp in UTC or local time The generating application A unique event ID within the application The VRF ID A subjec...

Страница 299: ...bout customer service trends for potential service revenue opportunities Accounting statistics on network ports can be used to track link utilization and network traffic pattern trends This informatio...

Страница 300: ...ending events to a console destination means the message will be sent to the system console The console device can be used as an event log destination Session A session destination is a temporary log...

Страница 301: ...ay be longer than the configured value The retention time for a log file specifies the amount of time the file should be retained on the system based on the creation date and time of the file When a l...

Страница 302: ...re yyyy is the four digit year for example 2007 mm is the two digit number representing the month for example 12 for December dd is the two digit number representing the day of the month for example 0...

Страница 303: ...r SNMP traps that will be sent out of band through the Management Ethernet port on the SF the source IP address of the trap is the IP interface address defined on the Management Ethernet port For SNMP...

Страница 304: ...to syslog severities Table 31 Router to Syslog Severity Level Mappings Severity Level Numerical Severity highest to lowest Syslog Configured Severity Definition 0 emergency System is unusable 3 1 aler...

Страница 305: ...generated by the system by applications or processes within the router Figure 7 depicts a function block diagram of event logging Figure 7 Event Logging Block Diagram Logs CLI0001B EVENT SOURCES EVEN...

Страница 306: ...ion or operation of the node Change events are generated by the USER application The Change event stream also includes the tmnxConfigModify 2006 tmnxConfigCreate 2007 tmnxConfigDelete 2008 and tmnxSta...

Страница 307: ...er method of event control and is configured similarly to the generation and suppression options See Simple Logger Event Throttling on page 312 Events are assigned a default severity level in the syst...

Страница 308: ...be configured at a time One or more log sources The source stream or streams to be sent to log destinations can be specified The source must be identified before the destination can be specified The...

Страница 309: ...e treated if they have met the match criteria Entries are evaluated in order from the lowest to the highest entry ID The first matching event is subject to the forward or drop action for that entry Va...

Страница 310: ...A subject identifying the affected object A short text description The general format for an event in an event log with either a memory console or file destination is as follows nnnn YYYY MM DD HH MM...

Страница 311: ...AJOR A major severity event severity level 4 MINOR A minor severity event severity level 5 WARNING A warning severity event severity 6 application The application generating the log message event_id T...

Страница 312: ...and therefore no way to retrieve event history data lost by this throttling method A particular event type can be generated by multiple managed objects within the system At the point this throttling...

Страница 313: ...which logs events from the main event source not security debug etc Log 99 exists by default The following example displays the log 99 configuration ALA 1 config log info detail echo Log Configuration...

Страница 314: ...de field descriptions When creating accounting policies one service accounting policy and one network accounting policy can be defined as default If statistics collection is enabled on a SAP or networ...

Страница 315: ...PacketsOffered ood OutOfProfileOctetsDropped oof OutOfProfileOctetsForwarded ooo OutOfProfileOctetsOffered uco UncoloredOctetsOffered Table 35 Queue Group Record Types Record Name Description qgone Po...

Страница 316: ...port based Queue Groups member port LAGMemberPort used for port based Queue Groups data slot Slot used for Forwarding Plane based Queue Groups forwarding plane ForwardingPlane used for Forwarding Plan...

Страница 317: ...like rollover and retention are discussed in more detail in Log Files on page 301 Design Considerations The router has ample resources to support large scale accounting policy deployments When prepari...

Страница 318: ...edefined records containing a given field for XML field name of a custom record field Changed Statistics Only A record is only generated if a significant change has occurred to the fields being writte...

Страница 319: ...ficant change in corresponding counters A significant change is defined in terms of a cumulative value the sum of all reference counters This concept is applicable to all methods used for gathering ac...

Страница 320: ...s deleted or changed the latest information will be written in the XML file with a final tag indication in the record header AA Accounting per Forwarding Class This feature allows the operator to repo...

Страница 321: ...lied to a log File IDs syslog IDs or SNMP trap groups must be configured before they can be applied to a log ID A file ID can only be assigned to either one log ID or one accounting policy Accounting...

Страница 322: ...Configuration Notes Page 322 7950 SR OS System Management Guide...

Страница 323: ...LI This section provides information to configure logging using the command line interface Topics in this section include Log Configuration Overview on page 324 Log Types on page 324 Basic Event Log C...

Страница 324: ...arms traps and debug information to their respective targets SNMP trap groups SNMP trap groups contain an IP address and community names which identify targets to send traps following specified events...

Страница 325: ...g destination The following displays a log configuration example A ALA 12 config log info echo Log Configuration event control 2001 generate critical file id 1 description This is a test file id locat...

Страница 326: ...log Target on page 340 Configuring an Event Log A event log file contains information used to direct events alarms traps and debug information to their respective destinations One or more event source...

Страница 327: ...OS System Management Guide Page 327 The following displays a log file configuration example ALA 12 config log log id info log id 2 description This is a test log file filter 1 from main security to fi...

Страница 328: ...before it is closed and a new log file is created The retention interval determines how long the file will be stored on the CF before it is deleted Use the following CLI syntax to configure a log fil...

Страница 329: ...type and collection interval Only one record type can be configured per accounting policy When creating accounting policies one service accounting policy and one network accounting policy can be defi...

Страница 330: ...ypes that have throttling enabled by this event control command CLI Syntax config log event control application id event name event number gen erate severity level throttle event control application i...

Страница 331: ...to all event types that have throttling enabled by the event control command Use the following CLI syntax to configure the throttle rate CLI Syntax config log throttle rate events interval seconds Th...

Страница 332: ...event id router eq neq router instance regexp severity eq neq lt lte gt gte severity level subject eq neq subject regexp The following displays a log filter configuration example A ALA 12 config log i...

Страница 333: ...ays a basic SNMP trap group configuration example A ALA 12 config log info snmp trap group 2 trap target 10 10 10 104 5 snmpv3 notify community coummunitystring exit log id 2 description This is a tes...

Страница 334: ...ap target test2 address 20 20 20 5 snmpv2c notify community xyztesting A SetupCLI config log snmp trap group In the following output note that the Replay field changed from disabled to enabled A Setup...

Страница 335: ...test index 35 changed administrative state inService operational state inService 3817 2008 04 22 23 35 39 89 UTC WARNING SNMP 2005 Base xyz test Interface xyz test is operational 3816 2008 04 22 23 3...

Страница 336: ...t Example config log snmp trap group exit all configure port 1 1 1 shutdown tools perform log test event The Replay from field is updated with the sequence id of the first event that will be replayed...

Страница 337: ...OGGER 2011 Base Event Test Test event has been generated with system object identifier tmnxModelSR12Reg System description TiMOS B 0 0 private both i386 ALCATEL SR 7750 Copyright c 2000 2008 Alcatel L...

Страница 338: ...eplayed and the Last replay field timestamp has been updated A SetupCLI show log snmp trap group 44 SNMP Trap Group 44 Description none Name xyz test Address 10 10 10 3 Port 162 Version v2c Community...

Страница 339: ...ted with system object identifier tmnxModelSR12Reg System description TiMOS B 0 0 private both i386 ALCATEL SR 7750 Copyright c 2000 2008 Alcatel Lucent All rights reserved All use subject to applicab...

Страница 340: ...syslog file CLI Syntax config log syslog syslog id description description string address ip address log prefix log prefix string port port level emergency alert critical error warning notice in fo de...

Страница 341: ...change 20 ref queue all i counters in profile packets forwarded count out profile packets forwarded count exit e counters in profile packets forwarded count out profile packets forwarded count exit ex...

Страница 342: ...g class exit to aa sub counters flows admitted count flows denied count flows active count packets admitted count octets admitted count packets denied count octets denied count max throughput octet co...

Страница 343: ...page 346 Modifying a File ID on page 347 Deleting a File ID on page 348 Modifying a Syslog ID on page 349 Deleting a Syslog on page 350 Modifying an SNMP Trap Group on page 351 Deleting an SNMP Trap G...

Страница 344: ...o memory size to session to snmp size to syslog syslog id The following displays the current log configuration ALA 12 config log log id info log id 2 description This is a test log file filter 1 from...

Страница 345: ...7950 SR OS System Management Guide Page 345 The following displays the modified log file configuration A ALA 12 config log info log id 2 description Chassis log file filter 2 from security to file 1...

Страница 346: ...1 description LocationTest location cf1 rollover 600 retention 24 exit log id 2 description Chassis log file filter 2 from security to file 1 exit A ALA 12 config log Use the following CLI syntax to...

Страница 347: ...CLI Syntax config log file id log file id description description string location cflash id rollover minutes retention hours The following displays the current log configuration A ALA 12 config log i...

Страница 348: ...a File ID NOTE All references to the file ID must be deleted before the file ID can be removed Use the following CLI syntax to delete a log ID CLI Syntax config log no file id log file id The followin...

Страница 349: ...ix log prefix string port port level emergency alert critical error warning notice in fo debug facility syslog facility The following displays an example of the syslog ID modifications Example config...

Страница 350: ...OS System Management Guide Deleting a Syslog Use the following CLI syntax to delete a syslog file CLI Syntax config log no syslog syslog id The following displays an example to delete a syslog ID Exam...

Страница 351: ...roup configuration A ALA 12 config log info snmp trap group 10 trap target 10 10 10 104 5 snmpv3 notify community coummunitystring exit A ALA 12 config log The following displays an example of the com...

Страница 352: ...t name The following displays the SNMP trap group configuration A ALA 12 config log info snmp trap group 10 trap target 10 10 0 91 1 snmpv2c notify community com1 exit A ALA 12 config log The followin...

Страница 353: ...erity level subject eq neq subject regexp The following output displays the current log filter configuration ALA 12 config log info echo Log Configuration filter 1 default action drop description This...

Страница 354: ...2001 config log filter entry match no severity config log filter entry match exit The following displays the log filter configuration A ALA 12 config log filter info filter 1 description This allows...

Страница 355: ...no filter filter id The following output displays the current log filter configuration A ALA 12 config log filter info filter 1 description This allows n entry 1 action drop match application eq user...

Страница 356: ...rottle event control application id event name event number sup press The following displays the current event control configuration A ALA 12 config log info event control 2014 generate critical A ALA...

Страница 357: ...no event control 2002 config log no event control 2014 A ALA 12 config log info detail echo Log Configuration event control 2001 generate minor event control 2002 generate warning event control 2003 g...

Страница 358: ...Log Management Tasks Page 358 7950 SR OS System Management Guide...

Страница 359: ...ds on page 366 Clear Command on page 366 Log Configuration Commands config log app route notifications no cold start wait no route recovery wait event control application id event name event number ge...

Страница 360: ...y Commands config log collection interval minutes no collection interval accounting policy acct policy id no accounting policy acct policy id no default description description string no description n...

Страница 361: ...tted count no packets denied count e counters all no e counters no in profile octets discarded count no in profile octets forwarded count no in profile packets discarded count no in profile packets fo...

Страница 362: ...count ref aa specific counter any no ref aa specific counter ref override counter ref override counter id ref override counter all no ref override counter e counters all no e counters no in profile oc...

Страница 363: ...ount no high octets discarded count no high octets offered count no high packets discarded count no high packets offered count no in profile octets forwarded count no in profile packets forwarded coun...

Страница 364: ...o action description description string no description no match application eq neq application id no application number eq neq lt lte gt gte event id no number router eq neq router instance regexp no...

Страница 365: ...down no shutdown time format local utc to console to file log file id to memory size to session to snmp size to syslog syslog id SNMP Trap Group Commands config log no snmp trap group log id descripti...

Страница 366: ...ug no level log prefix log prefix string no log prefix port port no port Show Commands show log accounting policy acct policy id access network accounting records applications event control applicatio...

Страница 367: ...guration The string must be entered Parameters string The description can contain a string of up to 80 characters composed of printable 7 bit ASCII characters If the string contains special characters...

Страница 368: ...ailable route For example this delay may be used to increase the chances that other system modules such as IOMs XCMs MDAs XMAs are fully programmed with the new route before the application takes acti...

Страница 369: ...ted regardless of the destination While this feature can save processor resources there may be a negative effect on the ability to troubleshoot problems if the logging entries are squelched In reverse...

Страница 370: ...en the events are generated by default Default generate specific throttle rate events limit The log event throttling rate can be configured independently for each log event using this keyword This spe...

Страница 371: ...og messages Default outband secondary Specifies the secondary routing preference for traffic generated for SNMP notifications and syslog messages The routing context specified by the secondary route p...

Страница 372: ...e that must be stored in the file system A file is created when the file ID defined in this command is selected as the destination type for a specific log or accounting record Log files are collected...

Страница 373: ...umber for the file expressed as a decimal integer Values 1 99 location Syntax location cflash id backup cflash id no location Context config log file file id Description This command specifies the pri...

Страница 374: ...le file id Description This command configures how often an event or accounting log is rolled over or partitioned into a new file An event or accounting log is actually composed of multiple individual...

Страница 375: ...hich causes those logs to forward all events Default No event filters are defined Parameters filter id The filter ID uniquely identifies the filter Values 1 1000 default action Syntax default action d...

Страница 376: ...Description This command is used to create or edit an event filter entry Multiple entries may be created using unique entry id numbers The TiMOS implementation exits the filter on the first match foun...

Страница 377: ...eters entry id The entry ID uniquely identifies a set of match criteria corresponding action within a filter Entry ID values should be configured in staggered increments so you can insert a new entry...

Страница 378: ...per entry The no form of the command removes the match criteria for the entry id Default No match context is defined application Syntax application eq neq application id no application Context config...

Страница 379: ...terion is specified Parameters eq neq lt lte gt gte This operator specifies the type of match Valid operators are listed in the table below Valid operators are event id The event ID expressed as a dec...

Страница 380: ...and can be entered per event filter entry The latest severity command overwrites the previous command The no form of the command removes the severity match criterion Default no severity No severity le...

Страница 381: ...mand removes the subject match criterion Default no subject No subject match criterion specified Parameters eq neq This operator specifies the type of match Valid operators are listed in the following...

Страница 382: ...D number for the syslog destination expressed as a decimal integer Values 1 10 address Syntax address ip address no address Context config log syslog syslog id Description This command adds the syslog...

Страница 383: ...t with a given facility code The no form of the command reverts to the default value Default local7 syslog entries are sent with the local7 facility code Parameters syslog facility The syslog facility...

Страница 384: ...strings are entered the last string overwrites the previous string The alphanumeric string can contain lowercase a z uppercase A Z and numeric 0 9 characters The no form of the command removes the log...

Страница 385: ...dard UDP syslog port 514 Only one port can be configured If multiple port commands are entered the last entered port overwrites the previously entered ports The no form of the command reverts to defau...

Страница 386: ...log events that can be logged within the specified interval for a specific event Once the limit has been reached any additional events of that type will be dropped for example the event drop count wil...

Страница 387: ...SNMP trap group Default There are no default SNMP trap groups Parameters log id The log ID value of a log configured in the log id context Alarms and traps cannot be sent to the trap receivers until a...

Страница 388: ...n expressed as a deci mal integer Only one port can be specified per trap target statement If multiple traps need to be issued to the same address then multiple ports must be configured Default 162 Va...

Страница 389: ...onfigured the security name must be configured for authentica tion The keyword privacy specifies both authentication and privacy encryption is required When this option is configured the security name...

Страница 390: ...mand removes the specified event filter from the log id Default no filter No event filter policy is specified for a log id Parameters filter id The event filter policy ID is used to associate the filt...

Страница 391: ...Instructs all debug trace messages in the debug stream to be sent to the destination configured in the to command for this destination log id Filters applied to debug messages are limited to applicat...

Страница 392: ...eds to be modified the log ID must be removed and then re created Default No destination is specified to file Syntax to file log file id Context config log log id log id Description This command speci...

Страница 393: ...created Default none Parameters size The size parameter indicates the number of events that can be stored in the memory Default 100 Values 50 1024 to session Syntax to session Context config log log...

Страница 394: ...e The size parameter defines the number of events stored in this memory log Default 100 Values 50 1024 to syslog Syntax to syslog syslog id Context config log log id Description This is one of the com...

Страница 395: ...scription This command specifies whether the time should be displayed in local or Coordinated Universal Time UTC format Default utc Parameters local Specifies that timestamps are written in the system...

Страница 396: ...ed to be written before a new access default policy can be configured Network accounting policies are policies that can be applied to one or more network ports Any changes made to an existing policy u...

Страница 397: ...efined on a network port accounting records will be produced in accordance with the default network policy If no network default policy is created then no accounting records will be collected other th...

Страница 398: ...ng Policy Commands Page 398 7950 SR OS System Management Guide When the no version of this command is selected optional router information is not include at the top of the file Default no include rout...

Страница 399: ...octets 15 6 network egress octets 15 7 network ingress packets 15 8 network egress packets 15 9 compact service ingress octets 5 10 combined service ingress 5 11 combined network ing egr octets 15 12...

Страница 400: ...red modifies the record from network to service or from service to network then the old record name must be removed using the no form of this command Only one record may be configured in a single acco...

Страница 401: ...complete subscriber ingress egress 5 17 aa protocol 15 18 aa application 15 19 aa app group 15 20 aa subscriber protocol 15 21 aa subscriber application 15 23 custom record subscriber 5 24 custom rec...

Страница 402: ...6 complete subscriber ingress egress 5 17 aa protocol 15 18 aa application 15 19 aa app group 15 20 aa subscriber protocol 15 21 aa subscriber application 15 23 custom record subscriber 5 24 custom re...

Страница 403: ...nfig log file context A file id can only be used once The file is generated when the file policy is referenced This command identifies the type of accounting file to be created The file definition def...

Страница 404: ...ng Policy Commands Page 404 7950 SR OS System Management Guide If the to command is executed while the accounting policy is in operation then it becomes active during the next collection interval Valu...

Страница 405: ...0 Parameters minutes Specifies the collection interval in minutes Values 5 120 custom record Syntax no custom record Context config log acct policy Description This command enables the context to conf...

Страница 406: ...es the admitted flow count The no form of the command excludes the flow s admitted count in the AA subscriber s custom record Default no flows admitted count flows denied count Syntax no flows denied...

Страница 407: ...Syntax no octets denied count Context config log acct policy cr aa aa from sub cntr config log acct policy cr aa aa to sub cntr Description This command includes the denied octet count in the AA subs...

Страница 408: ...parameters The no form of the command excludes the to subscriber count queue Syntax no queue queue id Context config log acct policy cr Description This command specifies the queue id for which count...

Страница 409: ...ontext config log acct policy cr oc e count config log acct policy cr roc e count config log acct policy cr queue e count config log acct policy cr ref queue e count Description This command includes...

Страница 410: ...rwarded count Context config log acct policy cr oc e count config log acct policy cr roc e count config log acct policy cr queue e count config log acct policy cr ref queue e count Description This co...

Страница 411: ...carded count Context config log acct policy cr oc e count config log acct policy cr roc e count config log acct policy cr queue e count config log acct policy cr ref queue e count Description This com...

Страница 412: ...config log acct policy cr oc i count config log acct policy cr roc i count config log acct policy cr queue i count config log acct policy cr ref queue i count Description This command includes all pac...

Страница 413: ...policy cr oc i count config log acct policy cr roc i count config log acct policy cr queue i count config log acct policy cr ref queue i count Description This command includes the high packets disca...

Страница 414: ...warded count Context config log acct policy cr oc i count config log acct policy cr roc i count config log acct policy cr queue i count config log acct policy cr ref queue i count Description This com...

Страница 415: ...t Syntax no low octets offered count Context config log acct policy cr oc i count config log acct policy cr roc i count config log acct policy cr queue i count config log acct policy cr ref queue i co...

Страница 416: ...cy cr roc i count config log acct policy cr queue i count config log acct policy cr ref queue i count Description This command includes the out of profile packets forwarded count The no form of the co...

Страница 417: ...not they have changed within the last accounting interval Parameters any Indicates that a record is collected as long as any field records activity when non zero significant change value is configure...

Страница 418: ...ange Context config log acct policy cr Description This command configures the significant change required to generate the record Parameters delta Specifies the delta change significant change that is...

Страница 419: ...iption Policy ID The identifying value assigned to a specific policy Type Identifies accounting record type forwarded to the configured account ing file access Indicates that the policy is an access a...

Страница 420: ...lect Stats Svc Id 101 SAP 1 1 8 1 Collect Stats Svc Id 102 SAP 1 1 8 2 Collect Stats Svc Id 103 SAP 1 1 8 3 Collect Stats Svc Id 104 SAP 1 1 8 4 Collect Stats Svc Id 105 SAP 1 1 8 5 Collect Stats Svc...

Страница 421: ...nting records Context show log Description This command displays accounting policy record names Output Accounting Records Output The following table describes accounting records output fields Sample O...

Страница 422: ...ts 5 13 complete service ingress egress 5 14 combined sdp ingress egress 5 15 complete sdp ingress egress 5 16 complete subscriber ingress egress 5 17 aa protocol 15 18 aa application 15 19 aa app gro...

Страница 423: ...ebug igmp lldp mirror ospf pim port snmp system user vrtr event name Only displays event control for the named application event Default All events for the application event number Only displays event...

Страница 424: ...MallocFailed MA gen 0 0 L 2007 ipArpBadInterface MI gen 0 0 L 2008 ipArpDuplicateIpAddress MI gen 0 0 L 2009 ipArpDuplicateMacAddress MI gen 0 0 ISIS 2001 vRtrIsisDatabaseOverload WA gen 0 0 2002 vRtr...

Страница 425: ...d MI gen 0 0 VRTR 2001 tmnxVRtrMidRouteTCA MI gen 0 0 2002 tmnxVRtrHighRouteTCA MI gen 0 0 2003 tmnxVRtrHighRouteCleared MI gen 0 0 2004 tmnxVRtrIllegalLabelTCA MA gen 0 0 2005 tmnxVRtrMcastMidRouteTC...

Страница 426: ...show log Description This command displays event file log information If no command line parameters are specified a summary output of all event log files is displayed Specifying a file ID displays de...

Страница 427: ...f1 file name expired state cf1 log log0302 20060501 012205 yes complete cf1 log log0302 20060501 014049 yes complete cf1 log log0302 20060501 015344 yes complete cf1 log log0302 20060501 015547 yes in...

Страница 428: ...d Log Filters Filter Applied Default Description Id Action 1 no forward 5 no forward 10 no forward 1001 yes drop Collect events for Serious Errors Log A ALA 48 config log Table 39 Event Log Filter Sum...

Страница 429: ...on for the event log filter is to forward events not matching filter entries Description Filter id The description string for the filter ID Table 41 Log Filter Match Criteria Output Fields Label Descr...

Страница 430: ...erion warning The log event filter entry application event severity warning match criterion Subject Displays the event log filter entry application event ID subject string match criterion Router Displ...

Страница 431: ...the events that are not explicitly directed to any other event stream Security The security stream contains all events that affect attempts to breach system security such as failed login attempts att...

Страница 432: ...n to the console or not A user logged in to the console device or connected to the CLI via a remote telnet or SSH session can also create a log with a destination type of session Events are displayed...

Страница 433: ...n of an SNMP or file log or a memory log for this parameter to be used Default Displays the event log summary Values 1 99 severity severity level Displays only events with the specified and higher sev...

Страница 434: ...this log s source event stream to limit the events output to this log s destination If the value is 0 then all events in the source log are forwarded to the destination Admin State Up Indicates that t...

Страница 435: ...ottle interval 10 configuration modified 67 2007 01 25 00 34 53 97 UTC CRITICAL SYSTEM 2029 Base Redundancy The active CPM card A is operating in singleton mode There is no standby CPM card 66 2007 01...

Страница 436: ...t show log Description This command displays SNMP trap group configuration information Parameters log id Displays only SNMP trap group information for the specified trap group log ID Values 1 99 Outpu...

Страница 437: ...d Replay from n a Last replay never A SetupCLI config log snmp trap group syslog Syntax syslog syslog id Context show log Description This command displays syslog event log destination summary informa...

Страница 438: ...ending syslog messages Facility The facility code for messages sent to the syslog target host Severity Level The syslog message severity level threshold Below Level Dropped A count of messages not sen...

Страница 439: ...Event and Accounting Logs 7950 SR OS System Management Guide Page 439 Below Level Drop 0 Description Linux Station Springsteen A MV SR config log...

Страница 440: ...vent log ID Memory logs are reinitialized and cleared of contents File logs are manually rolled over by this command This command is only applicable to event logs that are directed to file destination...

Страница 441: ...ion about configuring event and accounting logs in the system Topics in this chapter include Facility Alarms Overview on page 442 Facility Alarms vs Log Events on page 443 Facility Alarm Severities an...

Страница 442: ...s CLI display show routines allows the system operator to easily identify current facility alarm conditions and recently cleared alarms without searching event logs or monitoring various card and port...

Страница 443: ...alarm Log event filtering throttling and discarding of events during overload do not affect Facility Alarm processing Log events are processed by the Facility Alarm module before they are discarded i...

Страница 444: ...as Log events that use the term alarm tmnxEqPortSonetAlarm configure card fp hi bw mcast src alarm configure mcast management multicast info policy bundle channel source override video analyzer alarms...

Страница 445: ...ted LED on the CPM CCM Major with an associated LED on the CPM CCM Minor with an associated LED on the CPM CCM Warning no LED Alarms inherit their severity from the raising event Log events that are a...

Страница 446: ...port alarm is cleared and a card alarm will be active for the MDA XMA If the MDA XMA comes back into service and the port is still down then a port alarm becomes active once again The supported Facili...

Страница 447: ...1 tmnxEqPowerSupplyFailureDc Power supply 2 DC failure tmnxChassisNotification Clear 7 2011 1 tmnxEqPowerSupplyRemoved Power supply 1 power lost tmnxEqPowerSupplyInser ted 7 2017 1 tmnxEqSyncIfTiming...

Страница 448: ...output failure tmnxChassisNotification Clear 7 2073 x same as 7 2019 x but for the BITS2 input same as 7 2019 x but for the BITS2 input same as 7 2019 x but for the BITS2 input 59 2004 1 linkDown Int...

Страница 449: ...rd that has been removed IOM XCM or MDA XMA removal will cause a loss of service for all services running on that card A fabric removal can impact traffic to from all cards Before taking any recovery...

Страница 450: ...be required The power supply itself may be faulty so replacement may be necessary 7 2008 1 tmnxEqPowerSupplyFail ureAc Generated when an AC failure is detected on a power supply Reduced power can cau...

Страница 451: ...will have the same indices as those of the tmnxCpmCardTable Timing reference 1 cannot be used as a source of timing into the central clock Address issues with the signal associated with timing referen...

Страница 452: ...one IOM XCM is still running older software A s w mismatch between the CPM and IOM XCM is generally fine for a short duration during an upgrade but may not allow for correct long term operation Comple...

Страница 453: ...es that the SNMP entity acting in an agent role has detected that the ifOperStatus object for one of its communication links is about to enter the down state from some other state but not from the not...

Страница 454: ...Facility Alarm List Page 454 7950 SR OS System Management Guide...

Страница 455: ...BGP RFC 1997 BGP Communities Attribute RFC 2385 Protection of BGP Sessions via MD5 RFC 2439 BGP Route Flap Dampening RFC 2558 Multiprotocol Extensions for BGP 4 RFC 2918 Route Refresh Capability for B...

Страница 456: ...ietf isis wg multi topology xx txt Multicast RFC 1112 Host Extensions for IP Multicasting Snooping RFC 2236 Internet Group Management Protocol Snooping RFC 3376 Internet Group Management Protocol Ver...

Страница 457: ...ched MPLS Data Plane Failures RFC 6425 Detecting Data Plane Failures in Point to Multipoint Multiprotocol Label Switching MPLS Extensions to LSP Ping MPLS TP 7750 7450 only RFC 5586 MPLS Generic Assoc...

Страница 458: ...329 5 Annex E extensions QoS Measurement for VoIP Method for determining an Equipment Impairment Factor using Passive Monitoring ITU T Rec P 564 Conformance testing for voice over IP transmission qual...

Страница 459: ...Management Information Base for IPv6 Textual Conventions and General Group RFC 2558 SONET MIB RFC 2571 SNMP Framework MIB RFC 2572 SNMP MPD MIB RFC 2573 SNMP Target notification MIB RFC 2574 SNMP Use...

Страница 460: ...Standards and Protocols Page 460 Standards and Protocols...

Страница 461: ...ups 303 syslog 303 configuring accounting policy 329 basic 325 command reference file ID commands 363 filter commands 363 log ID commands 365 syslog commands 366 event control 330 event log 326 file I...

Страница 462: ...SNMP overview access control 248 access groups 249 users 250 USMs 249 views 249 architecture 246 MIBs 246 versions 247 configuring access options 261 basic 257 command reference security commands 265...

Отзывы:

Нет отзывов

Бренды по названию

Популярные бренды

Загрузить еще бренды