
Cisco Systems, Inc.

www.cisco.com

Cisco has more than 200 offices worldwide. Addresses, phone numbers, and fax numbers are listed on the Cisco website at www.cisco.com/go/offices.

Cisco SCE 8000 10GBE Software Configuration Guide

Release 4.1.x

February 07, 2014

Text Part Number: OL-30621-02

Contents of SCE 8000 10GBE

Page 1: ... more than 200 offices worldwide Addresses phone numbers and fax numbers are listed on the Cisco website at www cisco com go offices Cisco SCE 8000 10GBE Software Configuration Guide Release 4 1 x February 07 2014 Text Part Number OL 30621 02 ...

Page 2: ...NTIES EXPRESSED OR IMPLIED INCLUDING WITHOUT LIMITATION THOSE OF MERCHANTABILITY FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT OR ARISING FROM A COURSE OF DEALING USAGE OR TRADE PRACTICE IN NO EVENT SHALL CISCO OR ITS SUPPLIERS BE LIABLE FOR ANY INDIRECT SPECIAL CONSEQUENTIAL OR INCIDENTAL DAMAGES INCLUDING WITHOUT LIMITATION LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING OUT OF THE USE OR ...

Page 3: ...ce Control Capabilities 1 3 Cisco SCE Platform Description 1 4 Bandwidth Management of P2P Traffic 1 5 Management and Collection 1 6 Network Management 1 6 Subscriber Management 1 7 Service Configuration Management 1 7 Data Collection 1 7 IPv6 Support 1 8 C H A P T E R 2 Command Line Interface 2 1 Introduction 2 1 Authorization and Command Mode Levels Hierarchy 2 2 CLI Authorization Levels 2 2 CLI...

Page 4: ... Configurations 3 5 How to Save or Change the Configuration Settings 3 6 Example for Saving or Changing the Configuration Settings 3 7 Restoring a Previous Configuration 3 8 Example for Restoring a Previous Configuration 3 8 How to Display the Cisco SCE Platform Version Information 3 10 Example for Displaying the Cisco SCE Platform Version Information 3 10 How to Display the Cisco SCE Platform Inv...

Page 5: ...4 How to Rename a File 4 4 How to Delete a File 4 4 Copying Files 4 5 How to Display File Contents 4 6 How to Unzip a File 4 6 The User Log 4 7 The Logging System 4 7 Copying the User Log 4 7 Enabling and Disabling the User Log 4 8 Viewing the User Log Counters 4 8 Viewing the User Log 4 9 Clearing the User Log 4 9 Generating a File for Technical Support 4 9 Generating a File for Technical Support...

Page 6: ...apture Settings 4 18 Performing the Flow Capture 4 20 Monitoring the Flow Capture 4 20 C H A P T E R 5 Configuring the Management Interface and Security 5 1 Introduction 5 1 Management Interface and Security 5 2 Configuring the Management Ports 5 3 Entering the Management Interface Configuration Mode 5 3 Configuring the Management Port Physical Parameters 5 4 Setting the IP Address and Subnet Mask...

Page 7: ...ing Maximum Login Attempts 5 26 Configuring the AAA Login Authentication Methods 5 27 Configuring AAA Privilege Level Authorization Methods 5 28 Configuring AAA Command Level Authorization Methods 5 28 Configuring AAA Accounting 5 29 Monitoring TACACS 5 30 Displaying Statistics for TACACS Servers 5 30 Displaying Statistics Keys and Timeouts for TACACS Servers 5 30 Monitoring TACACS Users 5 31 Conf...

Page 8: ...ace 5 45 Configuring SNMP Community Strings 5 45 Defining a Community String 5 46 Removing a Community String 5 46 Displaying the Configured Community Strings 5 47 Configuring SNMP Notifications 5 47 Configuring SNMP Server Group 5 48 Configuring SNMP Server View 5 48 Configuring SNMP Server User 5 49 Defining SNMP Hosts 5 50 Configuring SNMP Traps 5 51 SNMP Walk Acceleration for linkServiceUsage ...

Page 9: ...nes 6 10 How to Define Recurring Daylight Saving Time Transitions 6 11 How to Define Non Recurring Daylight Saving Time Transitions 6 11 How to Cancel the Daylight Saving Time Configuration 6 11 How to Display the Current Daylight Saving Time Configuration 6 12 Configuring SNTP 6 13 How to Enable the SNTP Multicast Client 6 13 How to Disable the SNTP Multicast Client 6 14 How to Enable the SNTP Un...

Page 10: ...nfiguring CDP on the Cisco SCE 8000 Platform 6 22 Enabling CDP Globally 6 22 Setting CDP Mode 6 23 Enabling CDP on a Specific Traffic Interface 6 23 Setting the Hold Time 6 24 Setting the Timer 6 24 Monitoring and Maintaining CDP 6 25 CDP Configuration Examples 6 27 Example Setting the CDP Mode 6 27 Example Monitoring and Maintaining CDP 6 27 Enabling the CLI Interface Warning Banner 6 29 OS Finge...

Page 11: ...splay the 6to4 Configuration 7 19 How to Display the DS Lite Configuration 7 19 How to Display the IPinIP Configuration 7 20 How to Display the Logged In VPNs 7 20 Options 7 20 How to Display the Asymmetric L2 Support Mode 7 21 Managed VPNs 7 22 Monitoring VPN Support 7 23 Displaying VPN related Mappings 7 23 Configuring Traffic Rules and Counters 7 26 Traffic Rules and Counters 7 26 What are Traf...

Page 12: ...nfiguring the Connection Mode Examples 8 3 Monitoring the Connection Mode and Related Parameters 8 4 Connection Mode Examples 8 4 Configuring the Link Mode 8 6 About the Link Mode 8 6 Options 8 6 External Optical Bypass 8 7 How to Activate the External Bypass 8 7 How to Deactivate the External Bypass 8 8 How to Set the External Bypass to the Default State 8 8 How to Display the State of the Extern...

Page 13: ...Enable Link Failure Reflection on All Ports 8 16 How to Disable Link Failure Reflection on All Ports 8 16 Configuring Link Failure Reflection in Linecard Aware Mode 8 16 How to Enable Linecard Aware Mode 8 17 How to Disable Linecard Aware Mode 8 17 Asymmetric Routing Topology 8 18 Asymmetric Routing and Other Service Control Capabilities 8 18 Enabling Asymmetric Routing 8 18 Monitoring Asymmetric ...

Page 14: ...guring the RDR Formatter 9 14 Options 9 14 How to Configure the Size of the RDR Formatter History Buffer 9 14 Configuring NetFlow Exporting Support 9 15 Options 9 15 How to Configure a DSCP Value for NetFlow 9 15 Options 9 15 How to Configure the Template Refresh Interval 9 15 Options 9 15 Configuring Dynamic Mapping of RDRs to Categories 9 17 Configuring Mappings 9 17 Options 9 17 How to Restore ...

Page 15: ...ubscriber csv File Format 10 9 Here is an example of a subscriber csv file in the default format 10 9 Subscriber Anonymous Groups csv File Format 10 9 Importing and Exporting Subscriber Information 10 10 Editing the subaware pro File 10 10 Options 10 11 How to Import Subscriber Information 10 11 How to Export Subscriber Information 10 11 How to Import a Subscriber Template 10 12 How to Export a Su...

Page 16: ... How to Display Mappings for a Specified Subscriber 10 28 How to Display OS Counters for a Specified Subscriber 10 29 Displaying Anonymous Subscriber Information 10 29 How to Display Currently Configured Anonymous Groups 10 29 How to Display Currently Configured Templates for Anonymous Groups 10 30 How to Display Current Configuration for a Specified Anonymous Group 10 30 How to Display Subscriber...

Page 17: ...SM SCE Platform Connection Timeout 10 40 Options 10 40 C H A P T E R 11 Redundancy and Failover 11 1 Introduction 11 1 Redundancy and Failover 11 2 Terminology and Definitions 11 2 Redundant Topologies 11 2 External Bypass 11 3 Hardware Bypass 11 3 In line Dual Link Redundant Topology 11 3 Failure Detection 11 3 Link Failure Reflection 11 5 Hot Standby and Failover 11 6 Hot Standby 11 6 Failover 1...

Page 18: ... Filtering and Attack Detection 12 2 Attack Filtering 12 2 Specific Attack Filtering 12 2 Attack Detection 12 4 Attack Detection Thresholds 12 4 Attack Handling 12 5 Subscriber Notification 12 6 Hardware Filtering 12 6 Configuring Attack Detectors 12 8 Enabling Specific IP Detection 12 10 Options 12 10 How to Enable Specific IP Detection 12 10 How to Enable Specific IP Detection for the TCP Protoc...

Page 19: ...ptions 12 20 How to Remove the Subscriber Notification Port 12 20 Preventing and Forcing Attack Detection 12 21 Options 12 21 Preventing Attack Filtering 12 21 How to Remove All dont filter Settings 12 22 Forcing Attack Filtering 12 22 How to Remove All force filter Settings 12 23 Monitoring Attack Filtering 12 24 Monitoring Attack Filtering Using SNMP Traps 12 24 Monitoring Attack Filtering Using...

Page 20: ...ment 13 8 GUID and Subscriber ID 13 8 Configuring the SCMP 13 9 Configuring SCMP Parameters 13 9 How to Enable the SCMP 13 9 How to Disable the SCMP 13 10 How to Configure the SCMP Peer Device to Push Sessions 13 10 Configuring the SCMP Peer Device to Force Each Subscriber to Single Cisco SCE Platform 13 10 Defining the Keep alive Interval Parameter 13 11 Defining the Reconnect Interval Parameter ...

Page 21: ...orwarding and SCA BB 14 5 VLAN Tags for VAS Traffic Forwarding 14 5 Service Flow 14 5 Data Flow 14 6 Non VAS Data Flow 14 7 VAS Data Flow 14 7 Load Balancing 14 8 Load Balancing and Subscribers 14 8 Load Balancing and Subscriber Mode 14 9 VAS Redundancy 14 10 VAS Server Failure 14 10 VAS Server Group Failure 14 10 Ethernet Switch Failure 14 11 Disabling a VAS Server 14 11 VAS Status and VAS Health...

Page 22: ...er 14 25 How to Remove the VLAN Tag Number from a Specified VAS Server 14 25 Configuring the Health Check 14 25 How to Enable VAS Server Health Check 14 26 How to Disable VAS Server Health Check 14 27 How to Define the UDP Ports to be Used for Health Check 14 27 How to Remove the UDP Ports Configuration 14 27 Configuring Pseudo IP Addresses for the Health Check Packets 14 27 Configuring a VAS Serv...

Page 23: ...TCP Segmented HTTP GET Packets 14 38 Cisco SCE Connectivity 14 39 Traffic Mirroring and Bandwidth Management 14 41 Configuring Traffic Mirroring 14 41 Monitoring Traffic Mirroring 14 42 Traffic Mirroring Sample Configuration 14 42 A P P E N D I X A Cisco Service Control MIBs A 1 Introduction A 1 MIB Files A 2 Loading MIBs A 4 pcube to Cisco MIB Mapping A 5 Pcube Engage MIB CISCO SCAS BB MIB A 6 pc...

Page 24: ... SNMP Walk Functionality for Temperature MIBs A 30 A P P E N D I X B Monitoring Cisco SCE Platform Utilization B 1 Introduction B 1 Cisco SCE Platform Utilization Indicators B 2 CPU Utilization B 2 Flows Capacity B 2 Subscribers Capacity B 2 Service Loss B 3 Monitoring Service Loss B 3 A P P E N D I X C Cisco SCE 8000 Licensing Information C 1 OpenSSH License C 1 NetSNMP License C 9 ...

Page 25: ... 07 2014 OL 30621 02 Introduction This preface describes who should read Cisco SCE 8000 10GBE Software Configuration Guide how it is organized and its document conventions This guide is for experienced network administrators who are responsible for configuring and maintaining the Cisco SCE platform ...

Page 26: ...ease 4 1 x February 07 2014 Updated MIB Updates section on page A 27 with limitations on linkUp linkDown trap OL 30621 01 Release 4 1 x December 23 2013 First version of this document new for the Release 4 1 x train The following changes were made from the last release of the 4 0 x train Updated Configuring and Managing the SNMP Interface section on page 5 41 with SNMPv3 details Updated the Tunnel...

Page 27: ...ous global settings such as system time Domain Name Settings and IP routing Chapter 7 Configuring Line Interfaces Explanation of how to configure tunneling TOS marking and traffic rules Chapter 8 Configuring the Connection Explanation of how to configure the connection mode link mode and failure behaviors Chapter 9 Raw Data Formatting The RDR Formatter and NetFlow Exporting Explanation of how to c...

Page 28: ...fic mirroring Appendix A Cisco Service Control MIBs Explanation of how to map the proprietary pcube MIB supported in previous releases to the new MIB structure Appendix B Monitoring Cisco SCE Platform Utilization Explanation of how to monitor Cisco SCE platforms that are installed in real traffic Appendix C Cisco SCE 8000 Licensing Information Copy of Open SSH and NetSNMP license information Table...

Page 29: ...mpliance safety and statutory information for wide area network WAN interfaces for the Cisco SCE 2000 platform refer to the regulatory and safety information document Regulatory Compliance and Safety Information for Cisco SCE8000 For installation and configuration of the other components of the Service Control Management Suite refer to Cisco SCMS Subscriber Management User Guide Cisco SCMS Collect...

Page 30: ...mmands and keywords and user entered text appear in bold font italic font Document titles new or emphasized terms and arguments for which you supply values are in italic font Elements in square brackets are optional x y z Required alternative keywords are grouped in braces and separated by vertical bars x y z Optional alternative keywords are grouped in brackets and separated by vertical bars stri...

Page 31: ...ation see the monthly What s New in Cisco Product Documentation which also lists all new and revised Cisco technical documentation at http www cisco com en US docs general whatsnew whatsnew html Subscribe to the What s New in Cisco Product Documentation as an RSS feed and set content to be delivered directly to your desktop using a reader application The RSS feeds are a free service Cisco currentl...

Page 32: ...8 Cisco SCE 8000 10GBE Software Configuration Guide OL 30621 02 ...

Page 33: ... introduces the Cisco service control concept and capabilities It also briefly describes the hardware capabilities of the service control engine Cisco SCE platform and the Cisco specific applications that together compose the complete Cisco service control solution Cisco Service Control Solution page 1 2 Cisco Service Control Capabilities page 1 3 Cisco SCE Platform Description page 1 4 Management...

Page 34: ...llow the service provider to capture profits from IP services through detailed monitoring precise real time control and awareness of applications as they are delivered Service Control for Broadband Service Providers Service providers of any access technology DSL cable mobile and so on targeting residential and business consumers must find new ways to get maximum leverage from their existing infras...

Page 35: ...rotocol layer Layer 7 For application protocols implemented using bundled flows such as FTP which is implemented using Control and Data flows the Cisco SCE platform understands the bundling connection between the flows and treats them accordingly Application layer stateful real time traffic control The ability to perform advanced control functions including granular bandwidth BW metering and shapi...

Page 36: ...g functionality Where most bandwidth control functionality ends the Cisco SCE platform provides further control and shaping options including Layer 7 stateful wire speed packet inspection and classification Robust support for more than 600 protocols and applications including General HTTP HTTPS FTP Telnet Network News Transfer Protocol NNTP Simple Mail Transfer Protocol SMTP Post Office Protocol 3...

Page 37: ...ects the application based on its signature Cisco SCE then includes the amount of network flows of P2P traffic and calculates the bandwidth accordingly The consumed bandwidth is the sum of P2P data and the control traffic Bandwidth limitation takes place as per the enforcement configured in the BWC Default Service BWC When an application is configured with discrete BWC the Cisco SCE does not relat...

Page 38: ...tructure Network Management The Cisco service control solution provides complete network Fault Configuration Accounting Performance Security FCAPS Management Two interfaces provide network management Command line interface CLI Accessible through the Console port or through a Telnet connection the CLI is used for configuration and security functions SNMP Provides fault management through SNMP traps...

Page 39: ...d reporting and control is created and applied to a Cisco SCE platform The SCA BB application provides tools to automate the distribution of these configuration files to Cisco SCE platforms This standards based approach makes it easy to manage multiple devices in a large network Service Control provides a GUI to edit and create these files and a complete set of APIs to automate their creation Data...

Page 40: ...Lite tunnels Cisco SCE devices work on three different system modes namely IPv4 only mode IPv6 only mode and dual stack mode The default mode is dual stack mode To configure the system mode see the Configuring the System Mode section on page 3 17 The following limitations are applicable to the IPv6 features on Cisco SCE Release 4 0 x IPv6 addresses for connectivity to the management interfaces are...

Page 41: ... when the dual stack mode is enabled and all subscribers are dual stack subscribers subscribers with one IPv4 and one IPv6 address then the device supports only up to 500 000 dual stack subscribers Cisco SCE 8000 devices identify the IPv6 subscribers based on the MSB 64 bits of the subscriber IPv6 address Cisco SCE 8000 devices support IPv6 subscribers within a range 32 to 64 and not less than 32 ...

Page 42: ...1 10 Cisco SCE 8000 10GBE Software Configuration Guide OL 30621 02 Chapter 1 Cisco Service Control Overview IPv6 Support ...

Page 43: ...he CLI is accessed through a Telnet session or directly via the console port on the front panel of the Cisco SCE platform When you enter a Telnet session you enter as the simplest level of user in the User Exec mode The Cisco SCE platform supports up to eleven concurrent CLI sessions five sessions initiated by Telnet connection five sessions via SSH connection and one session on the console port A...

Page 44: ...s the assigned hostname Note Throughout the manual SCE is used as the sample host name CLI Authorization Levels The Cisco SCE platform has four authorization levels which represent the user access permissions When you initially connect to the Cisco SCE platform you automatically have the most basic authorization level that is User which allows minimum functionality To monitor the system you must h...

Page 45: ...uired For use by technical field engineers the Root authorization level enables configuration of all advanced settings such as debug and disaster recovery The Root level is used by technical engineers only 15 Table 2 1 Authorization Levels continued Level Description Value Prompt Table 2 2 CLI Modes Mode Description Level Prompt indication User Exec Initial mode Also allows monitoring of the syste...

Page 46: ...you must enter command specific to that mode The list of available commands in each mode can be viewed using the question mark at the end of the prompt Figure 2 1 illustrates the hierarchical structure of the CLI modes and the CLI commands used to enter and exit a mode Figure 2 1 CLI Command Modes Exit E5 274489 Privileged Exec Mode Exit Exit E1 Exit E2 Exit E3 E4 Global Configuration Mode Interfa...

Page 47: ...ll act as a 0 and configure all five connections together Note In order for the auto completion feature to work when you move from one interface configuration mode to another you must first exit the current interface configuration mode as illustrated in Figure 2 1 Example This example illustrates moving into and out of configuration modes as follows Enter global configuration mode Configure the Ci...

Page 48: ...on levels and command modes function together under one hierarchy The User and Viewer authorization levels have only a single command mode When you enter either the Admin authorization level or Root authorization level these levels function in parallel you enter the Privileged EXEC command mode From this command mode you can access the following command modes User EXEC authorization level Viewer a...

Page 49: ...the relevant command mode Use the do command for this purpose Table 2 5 CLI Command Navigation Hierarchy Authorization Level or Command Mode Use this command to access Use this command to exit User Exec Not applicable logout or exit exits the current CLI session Viewer enable 5 disable Privileged Exec enable 10 or enable 15 accesses root level disable Global Configuration configure exit exits to P...

Page 50: ...ode command from a configuration command mode Step 1 At the SCE config or SCE config if or SCE config line prompt type do command and press Enter The specified command executes without exiting to the appropriate exec command mode The following example shows how to display the running configuration while in interface configuration mode SCE config if do show running config ...

Page 51: ...parameters associated with a command type a question mark in place of a keyword or parameter on the command line Note that if Enter is acceptable input the symbol cr represents the Enter key Example The following example illustrates how to get a list of all arguments or keywords expected after the command snmp server SCE config snmp server community Define community string contact Set system conta...

Page 52: ...summarizes the CLI help features Table 2 6 Getting Help Command Purpose List all commands available for a particular command mode abbreviated command entry Example c calendar cd clear clock configure copy copy passive Obtain a list of commands that begin with a particular character string Do not leave a space between the command and question mark abbreviated command entry Tab Example en Tab enable...

Page 53: ...rtcuts The Cisco SCE platform has several keyboard shortcuts that make it easier to navigate and use the system Table 2 8 shows the keyboard shortcuts available You can display the keyboard shortcuts at any time by typing help bindings Table 2 7 Keyboard Shortcuts for History Functions Arrow Shortcut Description Up arrow Ctrl P Move cursor to the previous command with the same prefix Down ar...

Page 54: ...em carries out the command using the default authorization level 10 when you press Enter SCE en Enter Password sce Example 2 The following example illustrates how to use the completion feature with a non default value for the argument In this example the enable command is completed using the specified value 15 for the authorization level SCE en 15 Enter Password sce Delete from the cursor position...

Page 55: ...d and upload per session These settings are effective during the current CLI session The following example illustrates how to set FTP password and user name and the use of these settings for getting a file named config tmp from a remote station using FTP protocol sce ip FTP password pw123 sce ip FTP username user1 sce copy ftp 10 10 10 10 h config tmp myconf txt connecting 10 10 10 10 user name us...

Page 56: ...e complete output all at one time Scrolling the Screen Display The output of some show and dir commands is quite lengthy and cannot all be displayed on the screen at one time Commands with many lines of output are displayed in chunks of 24 lines You can choose to scroll the display line by line or refresh the entire screen At the prompt after any line you can type one of the following keys for the...

Page 57: ... of the following options redirect The new output of the command will overwrite the existing contents of the file append The new output of the command will be appended to the existing contents of the file The syntax of redirection commands is as follows command redirect filename command append filename This example illustrates how to do the following Filter the more command to display only the gol...

Page 58: ...capture filename scr where filename scr is the name of the script with a scr file extension Step 2 Perform the actions you want to be included in the script Step 3 Type script stop The system saves the script The following is an example of recording a script for upgrading software sce script capture upgrade scr sce configure SCE config boot system new pkg Verifying package file Package file verifi...

Page 59: ...hutdown It also describes how to manage configurations Starting the Cisco SCE 8000 Platform page 3 2 Managing Configurations page 3 5 Example for Displaying the Cisco SCE Platform Version Information page 3 10 How to Display the Cisco SCE Platform Inventory page 3 13 How to Display the System Uptime page 3 17 Configuring the System Mode page 3 17 Configuring the IPv6 Prefix Length page 3 18 Reboot...

Page 60: ...tion Cisco SCE 8000 platform connected to local console CON port The console terminal is turned on and properly configured Subsequent startups Line interfaces are properly cabled optional Cisco SCE 8000 platform is connected to at least one of the following types of management stations Direct connection to local console CON port Remote management station via the LAN Mng port Starting the System an...

Page 61: ...ow to View the User Log Counters page 3 3 How to Verify Operational Status After all the ports are connected verify that the Cisco SCE 8000 is not in a Warning state Step 1 On the front panel of the Service Control module examine the Status LED it should be green Step 2 To display the operation status of the system at the Cisco SCE8000 prompt type show system operation status and press Enter A mes...

Page 62: ...ters The following example shows the current User File Log device counters SCE show logger device user file log counters Logger device User File Log counters Total info messages 1 Total warning messages 0 Total error messages 0 Total fatal messages 0 If there are Total error messages or Total fatal messages use the show logger device user file log command to display details about the errors ...

Page 63: ...ning configuration using the command show running config Step 1 At the Cisco SCE8000 prompt type show running config The system shows the running configuration SCE8000 show running config This is a general configuration file running config Created on 12 06 13 UTC SUN May 11 2008 cli type 1 version 1 no management agent notifications notification list 1417 1418 804 815 1404 1405 1406 1407 1408 400 ...

Page 64: ...es before leaving the management session You do that by saving the running configuration to the startup configuration file The Cisco SCE platform provides multiple interfaces for the purpose of configuration and management All interfaces supply an API to the same database of the Cisco SCE platform and any configuration made through one interface is reflected through all interfaces Furthermore when...

Page 65: ...ttack filter subscriber notification ports 80 replace spare memory code bytes 3145728 interface GigabitEthernet 1 1 ip address 10 56 96 46 255 255 252 0 interface TenGigabitEthernet 3 0 0 bandwidth 10000000 burst size 50000 global controller 0 name Default Global Controller interface TenGigabitEthernet 3 1 0 bandwidth 10000000 burst size 50000 global controller 0 name Default Global Controller int...

Page 66: ...u cannot undo the configuration restore command Step 3 Type copy system config tx1 system config txt The system sets the startup configuration to the configuration from config tx1 Example for Restoring a Previous Configuration The following example displays a saved configuration file and then restores the file to overwrite the current configuration SCE more system prevconf config tx1 This is a gen...

Page 67: ...ntroller interface TenGigabitEthernet 3 3 0 bandwidth 10000000 burst size 50000 global controller 0 name Default Global Controller exit ip default gateway 10 56 96 1 line vty 0 4 exit management agent property com pcube management framework install activation operation Install management agent property com pcube management framework install activated package SCA BB management agent property com pc...

Page 68: ...form version information SCE show version System version Version 3 1 6S Build 279 Build time Jun 10 2008 19 27 47 Change list 335658 Software version is Version 3 1 6S Build 279 Hardware information is Firmware kernel kernel 1 0 0 5 inactive kernel 1 0 0 5 u boot uboot 1 0 0 6 field uboot 0 8 1 13 select ubs cf1 1 0 0 5 secondary ubs cf1 1 0 0 5 Slot 1 SCM 8000 serial num CAT1202G07D part num 73 1...

Page 69: ...0x1000a summit 1 0x1000a fc 0x1044 CFC 1 board type P2 cpus 3 cpu 0 SVR 0x80900121 cpu 0 PVR 0x80040202 cpu 0 freq 1500MHz cpu 1 SVR 0x80900121 cpu 1 PVR 0x80040202 cpu 1 freq 1500MHz cpu 2 SVR 0x80900121 cpu 2 PVR 0x80040202 cpu 2 freq 1500MHz cpu eeprom 2 1 1500MHz cpld 0 0xb20e cpld 1 0xb20e cpld 2 0xb20e cpld 0 ufm 0xb803 cpld 1 ufm 0xb803 cpld 2 ufm 0xb803 summit 0 0x1000a summit 1 0x1000a fc...

Page 70: ...m 73 9789 02 part rev A0 vid V01 Part number 73 10598 01 38 Revision Software revision LineCard S N CAT1202G07D Power Supply type AC SML Application information is No application is configured Logger status Enabled Platform SCE8000 4x10GBE Management agent interface version SCE Agent 3 1 6 Build 134 Software package file ftp ftpserver simba pkg SCE8000 uptime is 9 minutes 54 seconds ...

Page 71: ...evice name Description Product identifier Version identifier Serial number From the SCE prompt type Examples for Displaying the Cisco SCE Platform Inventory Displaying the Cisco SCE Platform Inventory FRUs Only page 3 13 Displaying the Complete Cisco SCE Platform Inventory page 3 14 Displaying the Cisco SCE Platform Inventory FRUs Only The following example shows how to display the inventory UDIs ...

Page 72: ...SR VID V02 SN AGA1141N43R NAME XFP 10GLR OC192SR DESCR XFP 10GLR OC192SR PID XFP 10GLR OC192SR VID V02 SN AGA1143N4JN Displaying the Complete Cisco SCE Platform Inventory The following example shows how to display the complete inventory UDIs of the SCE platform SCE show inventory raw SCE8000 Chassis DESCR CISCO7604 PID CISCO7604 VID V01 SN FOX105108X5 NAME SCE8000 Physical Slot 1 DESCR Container S...

Page 73: ...2 SN JAE11517RMR NAME SCE8000 SPA module 3 1 DESCR SPA 1X10GE L V2 PID SPA 1X10GE L V2 VID V02 SN JAE11496E1P NAME SCE8000 SPA module 3 2 DESCR SPA 1X10GE L V2 PID SPA 1X10GE L V2 VID V02 SN JAE11517RIO NAME SCE8000 SPA module 3 3 DESCR SPA 1X10GE L V2 PID SPA 1X10GE L V2 VID V02 SN JAE115295HH NAME TenGigabitEthernet3 0 0 DESCR SCE8000 SPA port PID VID SN NAME TenGigabitEthernet3 1 0 DESCR SCE800...

Page 74: ...sor 3 DESCR SCE8000 traffic processor PID VID SN NAME SCE8000 traffic processor 4 DESCR SCE8000 traffic processor PID VID SN NAME SCE8000 traffic processor 5 DESCR SCE8000 traffic processor PID VID SN NAME SCE8000 traffic processor 6 DESCR SCE8000 traffic processor PID VID SN NAME SCE8000 traffic processor 7 DESCR SCE8000 traffic processor PID VID SN NAME SCE8000 traffic processor 8 DESCR SCE8000 ...

Page 75: ...er be configured statically on the device or they can be configured through Gx The number of subscriber mappings in the device is divided between IPv4 and IPv6 based on the const db value The system mode is configured by modifying the value of the seCommonConstDb box ipv6MappingsPercentage const db The default value of the seCommonConstDb box ipv6MappingsPercentage const db is 20 Dual stack mode i...

Page 76: ...tartup config Step 4 Reboot the Cisco SCE 8000 device Configuring the IPv6 Prefix Length Cisco SCE 8000 devices identify the IPv6 subscribers based on the MSB 64 bits of the subscriber IPv6 address Cisco SCE 8000 devices support IPv6 subscribers with a range of 32 to 64 and not less than 32 You can configure the IPv6 prefix length using the const db seCommonConstDb box ipv6SystemPrefixLength com...

Page 77: ...co SCE 8000 device You can configure the system mode and prefix length together The configuration will be effective with a single reload Based on the IPv6 prefix length corresponding number of MSB bits from the total 128 bits will be used to identify subscribers For example if the system prefix length is 48 for a party mapping configuration party mapping ipv6 address 1234 abcd 2123 abbc 0 0 1e 0 n...

Page 78: ...mmands The following admin level CLI commands can be used to monitor CPU utilization show processes cpu show processes cpu sorted show snmp MIB cisco process Cisco SCE support file The entire measured CPU utilization of the control processor as well as a number of specific internal tasks that were marked important to track is written to the Cisco SCE log files which are part of the Cisco SCE suppo...

Page 79: ... 19 0 0 0 0 00 0 00 0 00 0 nfsiod 20 0 0 0 0 00 0 00 0 00 0 mtdblockd 21 1198570 119326 0 0 00 0 02 0 02 0 skynet 22 7413850 741207 0 0 00 0 11 0 10 0 hw mon regs 23 556170 49614 0 0 00 0 02 0 01 0 scos dump 24 527310 52718 0 0 00 0 00 0 01 0 wdog kernel The following table lists and describes the fields in the show processes cpu output Table 3 1 show processes cpu Command Output Fields Field Desc...

Page 80: ... Note When CPU utilization is higher than about 90 the CPU utilization per task is not reliable and can sum to more than 100 This is because high CPU utilization can influence the task that samples CPU utilization ...

Page 81: ...load and press Enter A confirmation message appears Step 2 Press Enter to confirm the reboot request accept default which is Yes Examples for Rebooting the Cisco SCE Platform The following example shows the commands for system reboot SCE reload Are you sure Y the system is about to reboot this will end your CLI session How to Shut Down the Cisco SCE Platform Shutting down the Cisco SCE platform is...

Page 82: ...shutdown You are about to shut down the system The only way to resume system operation after this is to cycle the power off and then back on Continue y IT IS NOW SAFE TO TURN THE POWER OFF Note Since the Cisco SCE platform can recover from the power down state only by being physically turned off or cycling the power this command can only be executed from the serial CLI console This limitation help...

Page 83: ...iguration Guide OL 30621 02 4 Utilities Revised February 07 2014 OL 30621 02 Introduction This chapter describes the following utilities Working with Cisco SCE Platform Files page 4 2 The User Log page 4 7 Managing Syslog page 4 10 Flow Capture page 4 17 ...

Page 84: ...ng with Directories How to Create a Directory page 4 2 How to Delete a Directory page 4 2 How to Change Directories page 4 3 How to Display your Working Directory page 4 3 How to List the Files in a Directory page 4 3 How to Create a Directory mkdir From the SCE prompt type How to Delete a Directory There are two different commands for deleting a directory depending on whether the directory is emp...

Page 85: ...ctory This list may be filtered to include only application files The listing may also be expanded to include all files in any sub directories How to List the Files in the Current Directory page 4 3 How to List the Applications in the Current Directory page 4 4 How to Include Files in Sub Directories in the Directory Files List page 4 4 How to List the Files in the Current Directory From the SCE p...

Page 86: ... Rename a File page 4 4 How to Delete a File page 4 4 Copying Files page 4 5 How to Display File Contents page 4 6 How to Unzip a File page 4 6 How to Rename a File From the SCE prompt type How to Delete a File From the SCE prompt type Command Purpose dir applications Lists the applications in the current directory Command Purpose dir r Includes files in the sub directories in the directory files ...

Page 87: ...nds from an FTP site In this case either the source or destination filename must begin with ftp Step 1 From the SCE prompt type copy ftp username password ip address path source file destination file name and press Enter To upload a file to an FTP site specify the FTP site as the destination ftp username password ip address path destination file How to Upload a File to a Passive FTP Site Step 1 F...

Page 88: ... How to Display File Contents From the SCE prompt type How to Unzip a File From the SCE prompt type Command Purpose more file name Displays file contents Command Purpose unzip file name Unzips a file ...

Page 89: ...gged in that file are then temporarily archived New events are then automatically logged to the alternate log file When the second log file reaches maximum capacity the system then reverts to logging events to the first log file thus overwriting the temporarily archived information stored in that file Basic operations include Copying the User Log to an external location Viewing the User Log Cleari...

Page 90: ... SCE prompt type configure and press Enter Step 2 From the SCE config prompt type logger device User File Log enabled and press Enter Viewing the User Log Counters Viewing the user log counters for the current session page 4 8 Viewing the non volatile counter for the user file log page 4 9 There are two types of log counters User log counters Count the number of system events logged from the Cisco...

Page 91: ...upport to be most effective the user should provide them with the information contained in the system logs Use the logger get support file command to generate a support file via FTP for the use of Cisco technical support staff From the SCE prompt type Generating a File for Technical Support Example SCE logger get support file ftp user 1234 10 10 10 10 c support zip Command Purpose show logger devi...

Page 92: ...over UDP only Enabling and Disabling Syslog By default logging to the syslog server is disabled Enabling Syslog Step 1 From the SCE prompt type configure and press Enter Step 2 From the SCE config prompt type logging on and press Enter Disabling Syslog Step 1 From the SCE prompt type configure and press Enter Step 2 From the SCE config prompt type no logging on and press Enter Configuring Remote S...

Page 93: ...d press Enter Configuring the Minimum Severity Level to be Logged to Syslog By default all messages are logged to the Syslog server when it is enabled with the exception of debug messages However you can configure the minimum severity level of the messages to be logged to Syslog Table 4 1 lists the syslog severity levels and the corresponding SCOS severity levels Not all syslog severity levels are su...

Page 94: ...nd press Enter Step 2 From the SCE config prompt type logging trap severity level and press Enter How to Restore the Default Minimum Severity Level for Syslog Messages Step 1 From the SCE prompt type configure and press Enter Step 2 From the SCE config prompt type no logging trap and press Enter Configuring the Syslog Facility You can assign Syslog messages to a specified facility Options The foll...

Page 95: ...onfig prompt type no logging facility and press Enter Configuring the Syslog Logging Rate Limit You can configure a maximum number of messages logged per second In addition you can specify a severity level above which the rate is unlimited For example you can configure a rate limit for all messages below the fatal severity level mail Mail system news USENET news sys9 System use sys10 System use sy...

Page 96: ...e limit and press Enter Configuring the Syslog Time Stamp Format You can configure the format of the time stamp on the messages on the Syslog server You can use the no form of this command to specify the default Syslog time stamp format uptime Options The following time stamp format options are available uptime default Time stamp shows time since the system was last rebooted For example 4w6d t...

Page 97: ...Default Syslog Time Stamp Format Step 1 From the SCE prompt type configure and press Enter Step 2 From the SCE config prompt type no service timestamps log and press Enter Enabling and Disabling the Syslog Message Counter By default the syslog message counter is enabled You can use this command to disable the syslog message counter When it is disabled no line count appears in the syslog messages D...

Page 98: ... How to Display the Syslog Configuration From the SCE prompt type How to Display the Syslog Counters From the SCE prompt type Command Purpose show logging Displays the syslog configuration Command Purpose show logging counters Displays the syslog counters ...

Page 99: ...e captured by this utility The termination of a capture flow is verified for every new relevant packet that is being captured As long as no packets matching the capturing attributes arrive after the time is exceeded the capturing is not stopped and must be stopped manually File size limitation the maximum captured file size is limited on Cisco SCE 8000 platform to 128MB configurable by a const DB...

Page 100: ... not possible to apply only a subset of the configured rules For more information regarding configuring traffic rules see Configuring Traffic Rules and Counters section on page 7 26 Configuring the Flow Capture Settings The flow capture settings control aspects of the flow capture process as opposed to defining the flow to be captured These settings limit the scope of the process to maximize the r...

Page 101: ... flow capture in seconds Default 3600 seconds unlimited There is no time limit to the flow capture and it will continue until stopped by the operator From the SCE config if prompt type How to Configure the Maximum Length of the L4 Payload The following options are available length The maximum number of L4 payload bytes to capture from each packet unlimited There is no limit on the number of L4 pay...

Page 102: ... which creates two capture files an indicator is appended to this prefix to indicate which Cisco SCE 8000 SCM module created the file For example if you assign the filename myCapFile the system creates myCapFile1 cap and myCapFile2 cap From the SCE prompt type How to Stop a Flow Capture From the SCE prompt type Monitoring the Flow Capture Use the following command to monitor the flow capture proce...

Page 103: ...ons such as SNMP SSH and TACACS It also explains how to configure users passwords IP configuration clock and time zone and domain name settings Management Interface and Security page 5 2 Configuring the Management Ports page 5 3 Configuring Management Interface VLANs page 5 11 TACACS Authentication Authorization and Accounting page 5 15 Configuring Access Control Lists ACLs page 5 32 Managing the ...

Page 104: ...nagement ports support management interface redundancy providing the possibility for a backup management link Note The second management port is reflected in all objects related to it in the SNMP interface Note Cisco SCE 8000 does not support IPv6 addresses or connectivity on the management interfaces Perform the following tasks to configure the management interface and management interface securi...

Page 105: ...the LAN If connecting both management ports for redundancy connect them to the LAN using a switch Step 2 Configure the management port physical parameters See Configuring the Management Port Physical Parameters section on page 5 4 Step 3 Optional Configure the system with management interface redundancy see Management Interface Redundancy section on page 5 8 Entering the Management Interface Config...

Page 106: ... page 5 4 Configuring the Management Interface Speed and Duplex Parameters page 5 5 Specifying the Active Management Port page 5 7 Setting the IP Address and Subnet Mask of the Management Interface You must define the IP address of the management interface When both management ports are connected providing a redundant management port this IP address always acts as a virtual IP address for the curr...

Page 107: ...Note After changing the IP address you must reload the Cisco SCE platform so that the change will take effect properly in all internal and external components of the Cisco SCE platform See Rebooting and Shutting Down the Cisco SCE Platform section on page 3 23 Setting the IP Address and Subnet Mask of the Management Interface Example The following example shows how to set the IP address of the Cis...

Page 108: ... If the duplex parameter is configured to auto changing the speed parameter has no effect Step 1 Access the interface configuration mode for the management interface you want to configure From the SCE config prompt type interface Mng 0 1 0 2 and press Enter Step 2 From the SCE config if prompt type speed 10 100 auto and press Enter Specify the desired speed option Configuring the Speed of the Mana...

Page 109: ...ple The following example shows how to use this command to configure the management port to half duplex mode SCE config SCE config interface mng 0 2 SCE config if duplex half Specifying the Active Management Port This command explicitly specifies which management port is currently active Its use varies slightly depending on whether the management interface is configured as a redundant interface au...

Page 110: ...a a switch In this way the IP address of the MNG port is always the same regardless of which physical port is currently active Important information Only one port is active at any time The same virtual IP address and MAC address are assigned to both ports Default Port 1 active Port 2 standby The standby port sends no packets to the network and packets from the network are discarded When a problem ...

Page 111: ...ble the Automatic Fail Over Mode page 5 9 Use the following command to enable automatic failover The automatic mode must be enabled to support management interface redundancy This mode automatically switches to the backup management link when a failure is detected in the currently active management link This parameter can be configured when in management interface configuration mode for either man...

Page 112: ...isplay the following information for the management interface speed duplex IP address auto failover configuration From the SCE prompt type Command Purpose show mng interface Mng 0 1 0 2 speed duplex ip address auto fail over Displays the specified GBE management interface configuration for the specified interface If no option is specified all management interface information is displayed for the s...

Page 113: ...ervices Telnet SSH SNMP by using separate VLANs carried over same physical port see Figure 5 1 Figure 5 1 Management Interface VLANS There are two steps in configuring management VLANs 1 Create the VLAN and assign an IP address mng vlan command 2 Assign the VLAN to a management or control service Use one of the following commands ip ssh mng vlan vty mng vlan snmp server mng vlan When a new managem...

Page 114: ...ng entries in the routing table Destination Gateway Genmask Flags Metric Ref Use Iface 10 10 20 0 255 255 255 192 U 0 0 0bond0 120 10 10 30 0 255 255 255 192 U 0 0 0bond0 150 10 10 10 0 255 255 255 192 U 0 0 0bond0 100 The following diagram provides another view of the configured management VLAN SCE 8000 PCRF 0CS Source IP 10 10 50 20 SCE IP 10 10 50 10 CM Source IP 10 10 40 18 SCE IP 10 10 40 10 ...

Page 115: ...gure 3 mng vlan vlan id address ip address mask mask 4 service mng vlan vlan id DETAILED STEPS SCE IPs 192 168 10 1 10 10 20 1 10 10 30 1 SM 128 74 96 2 VLAN 200 VLAN 100 10 10 20 2 10 10 30 2 285708 CM 172 24 20 2 Command Purpose Step 1 enable Example SCE enable Enables privileged EXEC mode Enter your password when prompted Step 2 configure Example SCE configure Enters global configuration mode ...

Page 116: ...signs the VLAN to the specified service Service options are ip ssh vty snmp server Note The snmp server mng vlan command in either the positive or negative form restarts the SNMP process in order for the changes to take effect This generates a cold start trap Command Purpose Command Purpose show mng vlan vlan id all Displays the IP configuration and configured management service for the specified ...

Page 117: ...otocol allows customers to configure one or more authentication servers for the Cisco SCE platform providing a secure means of managing the Cisco SCE platform as the authentication server will authenticate each user This then centralizes the authentication database making it easier for the customers to manage the Cisco SCE platform TACACS services are maintained in a database on a TACACS server ru...

Page 118: ...ative method server for authenticating the user CONTINUE The user is prompted for additional authentication information If the server is unavailable the next authentication method is attempted as explained in General AAA Fallback and Recovery Mechanism section on page 5 17 Accounting The TACACS accounting supports the following functionality Each executed command the command must be a valid one wi...

Page 119: ...he Cisco SCE platform uses a fall back mechanism to maintain service availability in case of an error The AAA methods available are TACACS AAA is performed by the use of a TACACS server allows authentication authorization and accounting Local AAA is performed by the use of a local database allows authentication and authorization Enable AAA is performed by the use of user configured passwords allow...

Page 120: ...lar TACACS server that you will be using 2 Configure the Cisco SCE client to work with TACACS server hostname of the server port number shared encryption key the configured encryption key must match the encryption key configured on the server in order for the client and server to communicate 3 Optional Configure the local database if used add new users If the local database and TACACS are both con...

Page 121: ... for which a key is not explicitly configured when the server host is defined If the default encryption key is not configured a default of no key is assigned to any server for which a key is not explicitly configured Default timeout interval optional A global default timeout interval may be defined This timeout interval is defined as the timeout interval for any server host for which a timeout int...

Page 122: ...lt key do the following section on page 5 21 From the SCE config prompt type Removing a TACACS Server Host Options The following options are available host name Name of the server to be deleted From the SCE config prompt type Configuring the Global Default Key Use this command to define the global default key for the TACACS server hosts This default key can be overridden for a specific TACACS serv...

Page 123: ...ing a different timeout interval for that TACACS server host Options The following options are available timeout interval Default time in seconds that the server waits for a reply from the server host before timing out Default 5 seconds To define the global default timeout do the following From the SCE config prompt type Command Purpose tacacs server key key string Defines the global default key f...

Page 124: ...ng a User page 5 26 Adding a New User to the Local Database Use these commands to add a new user to the local database Up to 100 users may be defined How to Add a User with a Clear Text Password page 5 23 How to Add a User with No Password page 5 23 How to Add a User with an MD5 Encrypted Password Entered in Clear Text page 5 23 How to Add a User with an MD5 Encrypted Password Entered as an MD5 En...

Page 125: ...ds are available nopassword There is no password associated with this user secret The password is saved in MD5 encrypted form Use with either of the following keywords to indicate the format of the password as entered in the command 0 Use with the password option to specify a clear text password that will be saved in MD5 encrypted form 5 Use with the encrypted secret option to specify an MD5 encry...

Page 126: ...ge level Options The following options are available name Name of the user whose privilege level is set level The privilege level permitted to the specified user These levels correspond to the CLI authorization levels which are entered via the enable command 0 User 10 Admin 15 default Root From the SCE config prompt type Adding a New User with Privilege Level and Password Use these commands to def...

Page 127: ...le secret The password is saved in MD5 encrypted form Use with either of the following keywords to indicate the format of the password as entered in the command 0 Use with the password option to specify a clear text password that will be saved in MD5 encrypted form 5 Use with the encrypted secret option to specify an MD5 encryption string that will be saved as the user MD5 encrypted secret passwor...

Page 128: ...Mechanism section on page 5 17 The procedures for configuring login authentication are explained in the following sections Configuring Maximum Login Attempts page 5 26 Configuring the AAA Login Authentication Methods page 5 27 Configuring Maximum Login Attempts Use this command to set the maximum number of login attempts that will be permitted before the session is terminated Options The following...

Page 129: ... up to four different methods in the order in which they are to be used group TACACS Use TACACS authentication local Use the local username database for authentication enable default Use the enable password for authentication none Use no authentication How to Specify the Login Authentication Methods From the SCE config prompt type How to Delete the Login Authentication Methods List From the SCE co...

Page 130: ... none Use no authorization How to Specify AAA Privilege Level Authorization Methods From the SCE config prompt type How to Delete the AAA Privilege Level Authorization Methods List From the SCE config prompt type Configuring AAA Command Level Authorization Methods How to Specify AAA Command Level Authorization Methods page 5 29 How to Delete the AAA Command Level Authorization Methods List page 5 ...

Page 131: ...TACACS accounting How to Enable AAA Accounting page 5 30 How to Disable AAA Accounting page 5 30 If TACACS accounting is enabled the Cisco SCE platform sends an accounting message to the TACACS server after every command execution The accounting message is logged in the TACACS server for the use of the network administrator By default TACACS accounting is disabled Options The following options are...

Page 132: ...eouts for TACACS Servers From the SCE prompt type Command Purpose aaa authentication accounting commands level default stop start group tacacs Enables AAA accounting The start stop keyword required indicates that the accounting message is sent at the beginning and the end if the command was successfully executed of the execution of a CLI command Command Purpose aaa authentication accounting comman...

Page 133: ...ing TACACS Users Use this command to display the users in the local database including passwords From the SCE prompt type Command Purpose show users Displays the users in the local database including passwords Note that although most show commands are accessible to viewer level users this command is available only at the admin level Use the command enable 10 to access the admin level ...

Page 134: ...y determines the result according to the permit deny flag in the matched entry If no matching entry is found in the ACL access is denied You can create up to 99 ACLs ACLs can be associated with system access on the following levels Global IP level If a global list is defined using the ip access class command when a request comes in the Cisco SCE platform first checks if there is permission for acc...

Page 135: ...its to ignore The following keywords are available permit The specified IP addresses have permission to access the Cisco SCE platform deny The specified IP addresses are denied access to the Cisco SCE platform Adding Entries to an ACL Step 1 Type configure and press Enter Enables Global Configuration mode Step 2 Enter the desired IP address or addresses To configure one IP address type access list...

Page 136: ... Defining a Global ACL A global ACL permits or denies all traffic to the Cisco SCE platform From the SCE config prompt type Command Purpose ip access class number Applies the specified ACL to all traffic attempting to access the Cisco SCE platform rather than to a specific type of traffic such as Telnet traffic ...

Page 137: ...t for Telnet sessions that is if there is no activity on the session how long the Cisco SCE platform waits before automatically cutting off the Telnet connection The following commands are relevant to Telnet interface access class in line vty no access list no service telnetd no timeout show line vty access class in show line vty timeout Preventing Telnet Access Use this command to disable access ...

Page 138: ...Assignment from the Telnet Interface From the SCE config line prompt type Configuring Telnet Timeout The Cisco SCE platform supports timeout of inactive Telnet sessions Options The following options are available timeout The length of time in minutes before an inactive Telnet session will be timed out Default 30 minutes From the SCE config line prompt type Command Purpose no access class in Remove...

Page 139: ...des cbc blowfish cbc aes256 cbc aes192 cbc aes128 cbc arcfour cast128 cbc RFC 4253 section 6 3 arcfour128 arcfour256 RFC 4345 section 4 rijndael cbc lysator liu se as provided by OpenSSH 4 7p1 An ACL can be configured for SSH as for any other management protocol limiting SSH access to a specific set of IP addresses see Configuring Access Control Lists ACLs section on page 5 32 Key Management Each ...

Page 140: ...server From the SCE config prompt type Enabling the SSH Server SSH allows you to log in only when the user password and AAA authentication are configured Configure at least one user name and password SCE8000 config username username password password Configure AAA authentication for login SCE8000 config aaa authentication login default none From the SCE config prompt type Disabling the SSH Server F...

Page 141: ...ly reads the keys from non volatile memory when it is started However if the startup configuration specifies that the SSH server is enabled the Cisco SCE platform will not be able to start the SSH server on startup if the keys have been deleted To avoid this situation after executing this command always do one of the following before the Cisco SCE platform is restarted using reload Generate a new ...

Page 142: ... Monitoring the Status of the SSH Server Use this command to monitor the status of the SSH server including current SSH sessions From the SCE prompt type Command Purpose show ip ssh Monitors the status of SSH server ...

Page 143: ...latform supports the original SNMP protocol also known as SNMPv1 Community based SNMPv2 also known as SNMPv2C and SNMPv3 SNMPv1 Is the first version of the Simple Network Management Protocol as defined in RFCs 1155 and 1157 and is a full Internet standard SNMPv1 uses a community based form of security SNMPv2c The revised version of SNMPv1 includes improvements to SNMPv1 in the areas of protocol pa...

Page 144: ...d by using the privKey of a user to encrypt the data portion of the message being sent The privacy protocol can be AES or DES Messages can be sent unauthenticated and unencrypted noAuthNoPriv authenticated but unencrypted authNoPriv or authenticated and encrypted authPriv by setting the securityLevel You can create VIEW and GROUPS for access control A VIEW is a set of MIBs or OIDs defined by inclu...

Page 145: ...s an explicit disable command CLI Commands for Configuring SNMP Following is a list of CLI commands available for configuring SNMPv1 and SNMPv2c These are Global Configuration mode commands snmp server enable no snmp server no snmp server community all no default snmp server enable traps no snmp server host all no snmp server contact no snmp server location Following is a list of CLI commands avai...

Page 146: ...nt Information Bases are databases of objects that can be monitored by a network management system NMS SNMP uses standardized MIB formats that allow any SNMP tools to monitor any device defined by a MIB For further information concerning MIBs used by the Cisco SCE 8000 platform see the Cisco Service Control MIBs section on page A 1 Configuration via SNMP Cisco SCE platform supports a limited set o...

Page 147: ...guring SNMP Community Strings section on page 5 45 From the SCE config prompt type How to Disable the SNMP Interface From the SCE config prompt type Configuring SNMP Community Strings Defining a Community String page 5 46 Removing a Community String page 5 46 Displaying the Configured Community Strings page 5 47 To enable SNMP management you must configure SNMP community strings to define the rela...

Page 148: ...led by both ACLs If no ACL is specified all IP addresses can access the SNMP service For more information about ACLs see Configuring Access Control Lists ACLs section on page 5 32 The following keywords are available ro Read only default accessibility rw Read and write From the SCE config prompt type Defining a Community String Example This example shows how to configure a community string called ...

Page 149: ...t configured to send any SNMP notifications You must define the Network Management System to which the Cisco SCE platform should send notifications See the table below Configurable Notifications for a list of configurable notifications Whenever one of the events that trigger notifications occurs in the Cisco SCE platform an SNMP notification is sent from the Cisco SCE platform to the list of IP ad...

Page 150: ... noAuthNoPriv Sets the security level to no authentication and no privacy Group does not require any authentication or encryption security levels for access authNoPriv Sets the security level with authentication and no privacy The users of this group have to authenticate themselves to get access authPriv Sets the security level with authentication and privacy The users of this group require both a...

Page 151: ...nfigurations you need not disable the SNMP agent You may notice a delay of a few seconds for the configuration to take effect At the SCE config prompt type Options The following options are available user name Sets the SNMP user name group name Specifies the groups to add the user auth Sets the type of authentication MD5 and SHA authentication types are available auth pass phrase Sets the authentica...

Page 152: ... no privacy The users of this trap have to authenticate themselves to get access authPriv SNMPv3 only Sets the security level with authentication and privacy The users of this trap require both authentication and encryption security levels for access How to Configure the Cisco SCE Platform to Send Notifications to a Host NMS At the SCE config prompt type Configuring the Cisco SCE Platform to Send ...

Page 153: ...s are disabled snmp trap name Optional parameter that specifies a specific snmp trap that should be enabled or disabled Currently the only accepted value for this parameter is Authentication enterprise Optional parameter that specifies that all or specific enterprise traps should be enabled or disabled By default enterprise traps are enabled enterprise trap name Optional parameter that specifies a...

Page 154: ...nmp server enable traps enterprise logger How to Restore All Notifications to the Default Status At the SCE config prompt type Command Purpose snmp server enable traps snmp authentication Enables SNMP server to send authentication failure notifications Command Purpose snmp server enable traps enterprise Enables SNMP server to send all enterprise notifications Command Purpose snmp server enable tra...

Page 155: ...ration Example SCE8000 configure SCE8000 config snmp server view IPView OID 1 3 6 1 2 1 4 operation include SCE8000 config snmp server view IfView OID 1 3 6 1 2 1 2 2 operation include SCE8000 config snmp server group ipGroup 3 authNoPriv read view IPView SCE8000 config snmp server group ifGroup 3 authPriv read view IfView write view IfView SCE8000 config snmp server group ifGroupReadOnly 3 noAuth...

Page 156: ...ll Groups List of configured Groups Group Name ipGroup Security Level authNoPriv read view IPView write view none view Group Name ifGroup Security Level authPriv read view IfView write view IfView Group Name ifGroupReadOnly Security Level noAuthNoPriv read view IfView write view none view SCE8000 show snmp group group name ifGroup Group Name ifGroup Security Level authPriv read view IfView write v...

Page 157: ...apter 5 Configuring the Management Interface and Security Configuring and Managing the SNMP Interface Authentication Protocol SHA Privacy protocol AES SCE8000 show snmp user user name ipUser User ipUser Group Name ipGroup Authentication Protocol MD5 Privacy protocol NONE ...

Page 159: ...perform global configuration tasks including IP routing and clock and time zone settings IP Routing Configuration page 6 2 Configuring Time Clocks and Time Zone page 6 6 Configuring SNTP page 6 13 Domain Name Server DNS Settings page 6 17 Configuring Cisco Discovery Protocol page 6 20 Enabling the CLI Interface Warning Banner page 6 29 OS Fingerprinting and NAT Detection page 6 30 ...

Page 160: ...atform supports the configuration of the default gateway as the default next hop router as well as the configuration of the routing table to provide different next hop routers for different subnets for maximum configuration of 100 subnets The following sections illustrate how to use CLI commands to configure various parameters The following commands are relevant to IP routing tables ip default gat...

Page 161: ...0 2 0 0 SCE config ip route 10 2 0 0 255 255 0 0 10 1 1 250 How to Display the IP Routing Table How to Display the Entire IP Routing Table page 6 3 How to Display the IP Routing Table for a Specified Subnet page 6 4 How to Display the Entire IP Routing Table From the SCE prompt type Displaying the Entire IP Routing Table Example This example shows how to display the routing table SCE show ip route...

Page 162: ... act of periodically sending ping requests to a configured address at configured intervals This maintains the Cisco SCE platform IP MAC addresses in the memory of adaptive network elements such as switches even during a long period of inactivity The following commands are relevant to IP advertising no ip advertising ip advertising destination ip advertising interval default ip advertising destinat...

Page 163: ... SCE config prompt type Configuring IP Advertising Example The following example shows how to configure IP advertising specifying 10 1 1 1 as the destination and an interval of 240 seconds SCE config ip advertising destination 10 1 1 1 SCE config ip advertising interval 240 How to Display the Current IP Advertising Configuration From the SCE prompt type Command Purpose ip advertising Enables IP ad...

Page 164: ...e is used to set the system clock The calendar is not used for time tracking during system operation A system clock which creates all the time stamps during normal operation This clock clears if the system shuts down During a system boot the clock is initialized to show the time indicated by the calendar It does not matter which clock you set first as long as you use the clock and calendar read co...

Page 165: ...me and date you want to set in the following format hh mm ss day month year From the SCE prompt type Setting the System Clock Example The following example shows how to set the clock to 20 minutes past 10 AM May 13 2007 updates the calendar and then displays the time SCE clock set 10 20 00 13 may 2007 SCE clock update calendar SCE show clock 10 21 10 UTC THU May 13 2007 Setting the Calendar The ca...

Page 166: ...he following example shows that the calendar is set to 10 20 AM May 13 2007 The clock is then synchronized with the calendar setting SCE calendar set 10 20 00 13 may 2007 SCE clock read calendar SCE show calendar 10 21 06 UTC THU May 13 2007 Setting the Time Zone Options The following options are available zone The name of the time zone to be displayed default GMT hours The hours offset from UTC ...

Page 167: ...6 11 How to Cancel the Daylight Saving Time Configuration page 6 11 How to Display the Current Daylight Saving Time Configuration page 6 12 Options The transition times into and out of daylight saving time may be configured in one of two ways depending on how the dates for the beginning and end of daylight saving time are determined for the particular location recurring If daylight saving time alw...

Page 168: ...hich daylight saving begins date1 and ends date2 month The month in which daylight saving begins month1 and ends month2 year non recurring only The year in which daylight saving begins year1 and ends year2 offset The difference in minutes between standard time and daylight saving time Default 60 minutes Guidelines General guidelines for configuring daylight saving time transitions Specify the time...

Page 169: ... From the SCE config prompt type Defining Non Recurring Daylight Saving Time Transitions Example The following example shows how to configure non recurring daylight saving time for a time zone designated DST as follows Daylight saving time begins 0 00 on April 16 2004 Daylight saving time ends 23 59 October 23 2004 Offset 1 hour default SCE config clock summer time DST April 16 2004 00 00 October ...

Page 170: ...621 02 Chapter 6 Global Configuration Configuring Time Clocks and Time Zone How to Display the Current Daylight Saving Time Configuration From the SCE prompt type Command Purpose show timezone Displays the current time zone and daylight saving time configuration ...

Page 171: ... source There are two options for the SNTP client These functions are independent and the system can employ either one or both Multicast SNTP client Listens to SNTP broadcasts and updates the system clock accordingly Unicast SNTP client Sends a periodic request to a configured SNTP server and updates the system clock according to the server response Note It is recommended that an IP access control lis...

Page 172: ...The following example shows how to enable an SNTP server at IP address 128 182 58 100 SCE config sntp server 128 182 58 100 Disabling the SNTP Unicast Client How to Disable the SNTP Unicast Client and Remove All Servers From the SCE config prompt type Command Purpose no sntp broadcast client Disables the SNTP multicast client It will not accept any broadcast time updates Command Purpose sntp serve...

Page 173: ...tween updates 64 through 1024 default interval 64 seconds From the SCE config prompt type Example The following example shows how to set the SNTP update interval for 100 seconds SCE config sntp update interval 100 How to Display SNTP Information From the SCE prompt type Command Purpose no sntp server ip address Removes the specified SNTP unicast server Command Purpose sntp update interval interval...

Page 174: ...figuration Configuring SNTP Example This example illustrates how to use this command SCE show sntp SNTP broadcast client disabled last update time not available SNTP unicast client enabled SNTP unicast server 128 182 58 100 last update time Feb 10 2002 14 06 41 update interval 100 seconds ...

Page 175: ...sponding IP address The IP host table can be configured using the command ip host 3 If the name does not contain the dot character and the domain name function is enabled See the ip domain lookup command and a default domain name is specified See the ip domain name command the default domain name is appended to the given name to form a fully qualified host name This in turn is used to perform a DN...

Page 176: ...e address of one or more name servers to use for name and address resolution From the SCE config prompt type Defining Domain Name Servers Example The following example shows how to configure the two name server DNS IP addresses SCE config ip name server 10 1 1 60 10 1 1 61 How to Remove a Domain Name Server From the SCE config prompt type Removing a Domain Name Server Example The following example...

Page 177: ... host table SCE config ip host PC85 10 1 1 61 The following example shows how to remove a hostname together with all its IP mappings SCE config no ip host PC85 How to Display Current DNS Settings From the SCE prompt type Displaying Current DNS Settings Example The following example shows how to display current DNS information SCE show hosts Default domain is Cisco com Name address lookup uses doma...

Page 178: ... or holdtime information which indicates the length of time a receiving device should hold CDP information before discarding it Each device also listens to the periodic CDP messages sent by others in order to learn about neighboring devices and determine when their interfaces to the media go up or down CDP Version 2 CDPv2 is the most recent release of the protocol and provides more intelligent dev...

Page 179: ...P packets are received and transmitted unchanged Received packets are not processed No packets are generated In this mode bump in the wire behavior is applied to CDP packets This is the backward compatible mode equivalent to not having CDP support Monitor mode CDP packets are received processed and transmitted unchanged CDP packets are analyzed and CDP neighbor information is available No packets ...

Page 180: ...orm To configure CDP perform the tasks in the following sections Enabling CDP Globally page 6 22 Setting CDP Mode page 6 23 Enabling CDP on a Specific Traffic Interface page 6 23 Setting the Hold Time page 6 24 Setting the Timer page 6 24 Enabling CDP Globally By default CDP is enabled on the Cisco SCE 8000 If you prefer not to use the CDP device discovery capability use the following command to d...

Page 181: ...CE 8000 section on page 6 21 for a description of the different CDP modes Caution In cascade topologies both Cisco SCE 8000 platforms must be configured to the same CDP mode By default the CDP mode is set to bypass To reset the CDP mode to the default mode bypass use the default cdp mode command To change the CDP mode use the following command in global configuration mode From the SCE config promp...

Page 182: ...lue Options The following option is available seconds Hold time value to be sent in the CDP update packets in seconds default 180 seconds From the SCE config prompt type Setting the Timer Use this command to configure how often the Cisco SCE 8000 platform sends CDP updates Use either the no or the default form of the command to restore the timer to the default value Options The following option is...

Page 183: ... table that contains CDP information about neighbors show cdp Displays the following information Interval between transmissions of CDP advertisements transmission timer Number of seconds the CDP advertisement is valid for a given port hold time Version of the advertisement CDP mode show cdp entry device name protocol version Displays protocol and version information about a specific neighboring de...

Page 184: ...k protocol address Version Advertisement version Native VLAN ID Duplex mode VTP domain name associated with neighbor devices show cdp traffic Displays the following information Total CDP packets output Total CDP packets input Number of CDP advertisements with bad headers Number of times the checksum operation failed Number of times CDP failed to send advertisements Number of times the local device...

Page 185: ... the significant fields shown in the output of the show cdp neighbors command sce show cdp Global CDP information Sending CDP packets every 60 seconds Sending a holdtime value of 180 seconds Sending CDPv2 advertisements is enabled standard mode CDP packets are received and processed CDP packets are generated sce show cdp neighbors Capability Codes R Router T Trans Bridge B Source Route Bridge S Sw...

Page 186: ...ce The capability types that can be discovered are R Router T Transparent bridge B Source routing bridge S Switch H Host I device is using IGMP r Repeater Note The capability of the Cisco SCE 8000 is r Repeater since it is installed as a bump in the wire device Platform The product number of the device Port ID The protocol and port number of the device Table 6 3 show cdp neighbors Field Descriptio...

Page 187: ...ing for unauthorized users trying to connect to Cisco SCE platform It can also provide device details as well as information about the service and application By default the banner is disabled You do not have to shutdown the Cisco SCE platform in order to enable or disable the banner From the SCE config prompt type Command Purpose banner login banner text Enables the display of the specified text ...

Page 188: ...nd Limitations Due to the nature of the Cisco SCE platform there are certain limitations to the scope of the OS fingerprinting and NAT detection feature OS information is available only for logged in and active subscribers OS fingerprinting is not done continuously for any subscriber If a subscriber changes OS or moves to a NAT environment during the time when they are not sampled OS type or NAT e...

Page 189: ... which OS information is flushed from the system Signature file Name of OS fingerprint signature file Scan port Port used for opening OS fingerprinting flows GX reporting Enable sending subscriber OS information in Gx messages SUMMARY STEPS 1 enable 2 configure 3 interface linecard 0 4 os fingerprinting 5 Optional os fingerprinting sampling window window interval interval 6 Optional os fingerprint...

Page 190: ... os flush time time Example SCE config if os fingerprinting os flush time 3 Optional Enables flushing the OS fingerprinting information and configures the time interval in days after which OS fingerprinting information is flushed from the system 1 5 Step 8 os fingerprinting signature file filename Example SCE config if os fingerprinting signature file new signature file Optional Specifies the sign...

Page 191: ...ng period Sampling interval NAT detection window OS flush time OS fingerprinting port Signature file show os finger printing signature file Displays the unencrypted contents of the signature file show interface linecard slot number subscriber name name os info Displays information about a specified subscriber including detected OS To display only the OS fingerprinting information use the os info o...

Page 193: ...1 02 Introduction This chapter describes how to configure the physical line interfaces ports as well as how to configure those interfaces for tunneling DSCP marking and traffic rules Line Interfaces page 7 2 Tunneling Protocols page 7 4 Configuring Traffic Rules and Counters page 7 26 DSCP Marking page 7 36 Counting Dropped Packets page 7 37 ...

Page 194: ...and does not activate it Therefore a situation could arise in which flow control stalls the Cisco SCE platform by overflowing the Cisco SCE platform queues thereby causing traffic to be dropped on the Rx interfaces If this situation persists for more than five seconds it may trigger the internal sanity checks mechanism within the Cisco SCE platform which may in turn trigger a reload of the Cisco S...

Page 195: ...s of the ports on link 1 which will switch part of the high volume traffic to the opposite pair of SPAs and prevent either pair of SPAs from exceeding the 16Gbps limit Limitations This command is supported only Link 1 3 2 0 and 3 3 0 It is not supported on Link 0 Only one interface on the link is explicitly configured The corresponding interface is automatically set to the opposite traffic side Th...

Page 196: ...cols the default behavior for each protocol is in bold Table 7 1 Tunneling Protocol Summary Protocol Supported handling Mode name Symmetric Asymmetric 6to4 Enables the 6to4 mode IP tunnel 6to4 Disables the 6to4 mode no IP tunnel 6to4 6rd Enables the 6to4 mode IP tunnel 6to4 Disables the 6to4 mode no IP tunnel 6to4 DS Lite Enables the DS Lite mode IP tunnel DS Lite Disables the DS Lite mode no IP t...

Page 197: ...gure the system to treat all flows as having asymmetric layer 2 characteristics including Ethernet VLAN MPLS and L2TP To view the effective flow open mode use the show interface linecard 0 flow open mode command Note For directions on how to configure the asymmetric tunneling option see Asymmetric L2 Support section on page 7 18 L2TP L2TP is an IP based tunneling protocol therefore the system must...

Page 198: ...is supported on the DS Lite tunnels When DS Lite is enabled the IPv6 traffic is handled as TCP UDP by the traffic processor configured to handle the IPv6 traffic If DS Lite is disabled the IPv6 traffic is bypassed as non TCP UDP by the traffic processor configured to handle the IPv6 traffic DS Lite bundling is supported for FTP traffic IPV6 addresses and L4 ports are used for binding FTP control f...

Page 199: ...o4 Tunnels page 7 8 Configuring DS Lite Tunnels page 7 9 Configuring L2TP Tunnels page 7 10 Configuring GRE Tunneling page 7 11 Configuring IPinIP Tunneling page 7 13 Configuring DSCP Marking page 7 14 Configuring the 6to4 Environment page 7 15 Configuring the VLAN Environment page 7 16 Configuring the MPLS Environment page 7 17 Configuring the L2TP Environment page 7 18 ...

Page 200: ...unneling must be enabled or disabled only when no application is loaded or the linecard is shut down Enabling 6to4 Tunneling By default IP tunnel recognition is disabled Use the following steps to enable 6to4 tunnels Step 1 Shut down the linecard This is a root level command From the SCE config if prompt enter shutdown and press Enter Step 2 Enable 6to4 tunneling From the SCE config if prompt ente...

Page 201: ...nd press Enter Step 3 Restart the linecard From the SCE config if prompt enter no shutdown and press Enter Disabling DS Lite Tunneling Use these steps to disable DS Lite tunneling Step 1 Shut down the linecard This is a root level command From the SCE config if prompt enter shutdown and press Enter Step 2 Disable DS Lite tunneling From the SCE config if prompt enter no ip tunnel DS Lite and press ...

Page 202: ...onfig if prompt enter no ip tunnel DS Lite Extention Header Support and press Enter Step 3 Restart the linecard From the SCE config if prompt enter no shutdown and press Enter Configuring L2TP Tunnels Caution IP tunneling must be enabled or disabled only when no application is loaded or the linecard is shut down Enabling the L2TP Tunneling By default IP tunnel recognition is disabled Use this comm...

Page 203: ...eing reported as generic IP Guidelines for configuring GRE tunnels GRE and other tunnels GRE tunnels are supported simultaneously with plain IP traffic and any other tunneling protocol supported by the Cisco SCE platform Overlapping IP addresses There is no support for overlapping IP addresses within different GRE tunnels DSCP marking For GRE traffic DSCP marking can be done on either the external...

Page 204: ...ep 3 Restart the linecard From the SCE config if prompt enter no shutdown and press Enter Disabling GRE Tunneling Step 1 Shut down the linecard This is a root level command From the SCE config if prompt enter shutdown and press Enter Step 2 Disable GRE tunneling From the SCE config if prompt enter no ip tunnel gre skip and press Enter Step 3 Restart the linecard From the SCE config if prompt enter...

Page 205: ...eader exclusively see Configuring DSCP Marking section on page 7 14 Caution IPinIP tunneling can be configured enabled disabled or DSCP marking configuration only when there is no application loaded or the linecard is shut down Fragmentation Fragmentation should be avoided whenever possible If it is not possible to avoid fragmentation it is recommended to opt for internal fragmentation If that is ...

Page 206: ... whether DSCP marking will be performed in the internal or external header Figure 7 1 DSCP Marking for IPinIP or GRE Tunnels Note DSCP marking should be enabled and configured through SCA BB console See the Cisco Service Control Application for Broadband User Guide for further information Version H Len TOS Total Length Identification Fragment Offset Flags TTL Protocol Header Checksum Source Addres...

Page 207: ...rform DSCP marking on the external IP header use the following command Step 1 Shut down the linecard This is a root level command From the SCE config if prompt type shutdown and press Enter Step 2 Configure the DSCP marking From the SCE config if prompt type no ip tunnel GRE IPinIP DSCP marking skip and press Enter Enables DSCP marking on the external IP header of IPinIP traffic Step 3 Restart the...

Page 208: ... After Cisco SCE 8000 restarts you can use the following configuration and show commands to configure the 6to4 and 6rd tunnels configure interface linecard 0 IP tunnel 6to4 configure interface linecard 0 no IP tunnel 6to4 show interface linecard 0 IP tunnel6to4 Configuring the VLAN Environment Note The Cisco SCE 8000 supports a maximum of 4096 VLAN tags Use this command to configure the VLAN envir...

Page 209: ...rect operation of the Cisco SCE platform in asymmetric environments and instruct it to take into consideration that the upstream and downstream of each flow has potentially different VLAN tags Note Using the a symmetric skip value incurs a performance penalty affecting both performance and capacity From the SCE config if prompt type Configuring the VLAN Environment Example The following example se...

Page 210: ...g traffic rule for all the L2TP traffic This can be done based on the IP ranges in use by the internal IPs in the tunnel as allocated by the LNS or simply for all the traffic passing through the Cisco SCE platform Note By enabling quick forwarding the Cisco SCE can only perform traffic monitoring for externally fragmented L2TP traffic It cannot perform flow redirection flow blocking or rate limiti...

Page 211: ...ch as in block and redirect operations Note as well that in order to support asymmetric layer 2 the Cisco SCE platform switches to asymmetric flow open mode which incurs a certain performance penalty as well as reducing capacity This is NOT the case for asymmetric routing topology From the SCE config if prompt type Displaying the Tunneling Configuration From the SCE prompt type How to Display the ...

Page 212: ...pe How to Display the Logged In VPNs Options The following options are available vpn name The name of a specific currently logged in VPN for which to display details all names Use this keyword to display all the VPN names that are currently logged into the system Command Purpose show interface linecard 0 ip tunnel IPinIP Displays the current configuration for the specified tunnel option ...

Page 213: ...neling Protocols From the SCE prompt type How to Display the Asymmetric L2 Support Mode From the SCE prompt type Command Purpose show interface linecard 0 VPN name vpn name all names Displays the logged in VPNs Command Purpose show interface linecard 0 asymmetric L2 support Displays asymmetric L2 support mode ...

Page 214: ...LAN or VPN to which the IP addresses of the flow belong VLAN symmetric classify Capacity The system supports 2048 VPNs 80 000 IP mappings over VPNs Limitations for VPN mode Mutually exclusive system modes When the system is working in VPN mode the following modes are not supported DDoS Value Added Services VAS mode Subscriber related limitations The SM must be configured to operate in Push mode In...

Page 215: ...PN How to Display Mappings for a Specified VPN Options page 7 23 Displaying Mappings for a Specified VPN Examples page 7 23 Options The following option is available vpn name The name of the VPN for which to display mappings From the SCE prompt type Displaying Mappings for a Specified VPN Examples The following example illustrates the output of this command for a VLAN based VPN SCE show interface ...

Page 216: ...pings included in IP range 10 0 0 0 0 vpn1 Subscriber Sub10 mapping 10 1 4 150 32 vpn1 Subscriber Sub10 mapping 10 1 4 149 32 vpn1 Subscriber Sub10 mapping 10 1 4 145 32 vpn1 Subscriber Sub11 mapping 10 1 4 146 32 vpn1 Total 2 subscribers found with 4 matching mappings How to Display the Number of Subscribers Mapped to an IP range on a Specified VPN Options page 7 24 Displaying the Number of Subsc...

Page 217: ...ped to range on a Specified VPN Example SCE show interface linecard 0 subscriber amount mapping included in IP 0 0 0 0 0 VPN vpn1 There are 2 subscribers with 4 IP mappings included in IP range 0 0 0 0 0 Command Purpose show interface linecard 0 subscriber amount mapping included in IP ip range VPN vpn name Displays the number of subscribers mapped to an IP range on a specified VPN ...

Page 218: ...ciscoServiceControlTpStats MIB these might be used to monitor up to 32 types of packets according to the requirements of the installation Ignoring certain types of flows When a traffic rule specifies an ignore action packets matching the rule criteria will not open a new flow but will pass through the Cisco SCE platform without being processed This is useful when a particular type of traffic shou...

Page 219: ...t to the other side Ignore the packet do not provide service for this packet No bandwidth metering transaction reporting and so on are performed Quick forward the packet with service Forward delay sensitive packets through the fast path while maintaining serviceability for these packets Quick forward the packet with no service quick forwarding ignore forward delay sensitive packets through the fas...

Page 220: ... name The name of the counter Count packets The counter is incremented by 1 for each packet it counts Count bytes The counter is incremented by the number of bytes in the packet for each packet it counts From the SCE config if prompt type How to Delete a Traffic Counter From the SCE config if prompt type How to Delete all Existing Traffic Counters From the SCE config if prompt type Command Purpose...

Page 221: ...to exclude the specified IP address or range of IP addresses protocol Any one of the following protocols TCP UDP ICMP IGRP EIGRP IS IS OSPF all port specification all all but port port range Specify the ports only if the protocol is either TCP or UDP Specify the port or port range for both the subscriber side and the network side Specify a range of ports using the form MinPort MaxPort Use the all ...

Page 222: ...re Forward delay sensitive packets through the fast path with no service provided for these packets flow capture Capture the flow configured by this rule No service to this flow From the SCE config if prompt type Configuring Traffic Rules Examples Example 1 page 7 30 Example 2 page 7 31 Example 3 page 7 31 Example 4 page 7 31 Example 1 This example creates the following traffic rule Name rule1 IP ...

Page 223: ...protocol tcp ports subscriber side 100 200 network side all tunnel id all direction downstream traffic counter name counter2 action block Example 3 This example creates the following traffic rule Name rule3 IP addresses all Protocol IS IS Direction upstream Traffic counter none Action ignore required since traffic counter none The only action performed will be Ignore SCE config if traffic rule nam...

Page 224: ... 1 FFFF 1234 5 protocol One of the following protocols TCP UDP all port specification port Specify the ports only if the protocol is either TCP or UDP Specify the port for both the subscriber side and the network side Create multiple rules if you plan to use multiple ports direction Any of the following upstream downstream both traffic counter Either of the following name name of an existing traff...

Page 225: ...2 ipv6 ip addresses subscriber side all network side all protocol tcp tunnel id all direction downstream traffic counter name counter2 action block SCE config if How to Delete a Traffic Rule From the SCE config if prompt enter How to Delete All Traffic Rules From the SCE config if prompt enter Command Purpose traffic rule name name ipv6 IP addresses all subscriber side IP specification network sid...

Page 226: ...c Counter page 7 34 How to View All Traffic Counters page 7 35 How to Reset a Specified Traffic Counter page 7 35 How to Reset All Traffic Counters page 7 35 How to View a Specified Traffic Rule From the SCE prompt enter How to View All Traffic Rules From the SCE prompt enter How to View a Specified Traffic Counter From the SCE prompt type Command Purpose no traffic rule capture Removes all flow c...

Page 227: ...for all existing traffic counters SCE show interface linecard 0 traffic counter all Counter cnt value 0 packets Rules using it None Counter cnt2 value 0 packets Rules using it Rule2 2 counters listed out of 32 available How to Reset a Specified Traffic Counter From the SCE prompt enter How to Reset All Traffic Counters From the SCE prompt enter Command Purpose show interface linecard 0 traffic cou...

Page 228: ...te DSCP marking is supported only for IPv4 addresses DSCP marking configuration is performed via the SCA BB console The Cisco SCE platform CLI allows you to view the state of DSCP marking enabled or disabled for each interface and to display the DSCP translation table For information on configuring DSCP marking see the Cisco Service Control Application for Broadband User Guide Note DSCP marking in...

Page 229: ... hardware packet drop is disabled not the default mode When hardware packet drop is enabled default mode this MIB counter provides only a relative value indicating the trend of the number of packet drops with a factor of approximately 1 6 The user can disable the drop wred packets by hardware mode This allows the application to access existing per flow counters The application can then retrieve th...

Page 231: ... 18 Configuring a Forced Failure page 8 20 Configuring the Failure Recovery Mode page 8 21 Configuring the Cisco SCE Platform SM Connection page 8 22 Note For more information regarding the physical installation of the Cisco SCE 8000 platform and cabling the connections see the Cisco SCE8000 10GBE Installation and Configuration Guide and in particular the following sections Information About the S...

Page 232: ...cascade options are available only if cascade topology is configured For an overview of the cascade topology see the Cisco Service Control Product Installation Guide sce id In cascaded topologies defines which link is connected to this Cisco SCE platform The sce id parameter which identifies the Cisco SCE platform replaces the physically connected link parameter which identified the link This chan...

Page 233: ...ng mode Default inline mode external bypass inline cascade mode bypass Not applicable to receive only topologies Note Do not change the connection mode unless the physical installation has been changed Step 1 From the SCE config if prompt type connection mode inline receive only inline cascade receive only cascade sce id 0 1 priority primary secondary on failure bypass external bypass cutoff and p...

Page 234: ...e current configuration of the connection mode for a cascaded system SCE enable 5 Password cisco SCE show interface linecard 0 connection mode Slot 0 connection mode Connection mode is inline cascade slot 0 sce id is 1 slot 0 is secondary slot 0 is connected to peer slot failure mode is bypass Redundancy status is active SCE Viewing the Cisco SCE ID Example SCE enable 5 Password cisco SCE show int...

Page 235: ... Status Examples The following example shows the output of this command in the case of two cascaded Cisco SCE 8000 10GBE platforms where the cascade interfaces have not been connected correctly SCE enable 5 Password cisco SCE show interface linecard 0 cascade connection status SCE is improperly connected to peer SCE Please verify that each cascade port is connected to the correct port of the peer ...

Page 236: ...e options are available Forwarding Forwards traffic to the Cisco SCE platform for processing Bypass Stops all forwarding of traffic to the Cisco SCE platform Traffic still flows through the Cisco SCE platform but is not processed by it in any way This does not affect the redundancy states Cutoff Completely cuts off flow of traffic through the Cisco SCE platform Recommendations and restrictions Not...

Page 237: ...lover support However the user can also manually enable the external bypass assuming it is connected At power failure the external bypass is automatically activated The external bypass can also be controlled by the software and by hardware in case of software failure In case of power failure the bypass shortcuts the interfaces that are connected to the two sides of the Cisco SCE 8000 bypassing all...

Page 238: ... is not activated External bypass failure state is activated Amount of expected external bypass devices 2 automatically configured Output Sample One Optical Bypass Module Not Detected External bypass current state is not activated External bypass failure state is activated Amount of expected external bypass devices 2 automatically configured Warning External bypass device expected but not detected...

Page 239: ...py the Startup Configuration Party Database and Create a Backup File page 8 12 The Cisco SCE 8000 platform supports the Hardware Bypass feature for IPv4 traffic The main objective of this feature is to bypass the traffic of the configured static parties created in the hardware bypass mode at the hardware SIP module level based on their IP address or IP range By default the hardware bypass mode is ...

Page 240: ...t the Hardware Bypass Status of a static party From the SCE config prompt type Command Purpose no hw bypass mode Disables the hardware bypass mode of the Cisco SCE 8000 platform It also allows you to reset the hardware bypass state for the specified static parties when these parties are configured in this mode Command Purpose show hw bypass mode Displays the hardware bypass status of the Cisco SCE ...

Page 241: ...on party database is copied from the running configuration party database The following example shows how to display the contents of the startup party database SCE enable 15 Password cisco SCE show startup config party db This is a party database configuration file running config party db for static parties only Created on 13 34 02 UTC TUE July 12 2011 cli type 1 version 1 hw bypass mode party nam...

Page 242: ...pass SCE How to Copy the Running Configuration Party Database to the Startup Configuration Party Database From the SCE config prompt type How to Copy the Startup Configuration Party Database and Create a Backup File From the SCE config prompt type Command Purpose show running config party db Displays the contents of the currently running party database configuration for the static parties that are...

Page 243: ...Note If the mask value is not provided for the corresponding IP address the complete mask value of 32 will be taken into consideration for the specified IP address How to Display All Mappings to Dual Stack Static Subscriber From the SCE config prompt type Command Purpose party mapping ip address ip address name party name Sets the IPv4 address for the specified static party in the Cisco SCE 8000 p...

Page 244: ...riber From the SCE config prompt type How to Display Dual Stack Static Subscriber From the SCE config prompt type Command Purpose show part name party name IPv6 ranges Displays IPv6 mappings to dual stack static subscriber Command Purpose show part name party name Displays dual stack static subscribers show interface LineCard 0 subscriber name party name Displays dual stack static subscribers ...

Page 245: ...w to Enable Link Failure Reflection From the SCE config if prompt type How to Disable Link Failure Reflection From the SCE config if prompt type Enabling and Disabling Link Failure Reflection on All Ports Options page 8 16 How to Enable Link Failure Reflection on All Ports page 8 16 How to Disable Link Failure Reflection on All Ports page 8 16 The link reflection on all ports feature extends the l...

Page 246: ...w to Enable Linecard Aware Mode page 8 17 How to Disable Linecard Aware Mode page 8 17 The linecard aware mode option is an additional extension of the link failure reflection feature for use in MGSCP topologies Use this option when the subscriber side interface and the corresponding network side interface of the same link are connected to the same linecard in the router This mode reflects a failu...

Page 247: ... reflection itself How to Enable Linecard Aware Mode From the SCE config if prompt type How to Disable Linecard Aware Mode From the SCE config if prompt type Command Purpose link failure reflection on all ports linecard aware mode Enables failure reflection to all ports with linecard aware mode Command Purpose no link failure reflection linecard aware mode Disables linecard aware mode Note that th...

Page 248: ...ion and to apply basic reporting and global control features to uni directional traffic Asymmetric Routing and Other Service Control Capabilities Asymmetric routing can be combined with most other Service Control capabilities however there are some exceptions Service Control capabilities that cannot be used in an asymmetric routing topology include the following Subscriber redirect Subscriber noti...

Page 249: ... how to display the current asymmetric routing information SCE show interface linecard 0 asymmetric routing topology Asymmetric Routing Topology mode is disabled TCP Unidirectional flows ratio statistics Traffic Processor 1 0 Traffic Processor 2 0 Traffic Processor 3 0 Traffic Processor 4 0 Traffic Processor 5 0 Traffic Processor 6 0 Traffic Processor 7 0 Traffic Processor 8 0 Traffic Processor 9 ...

Page 250: ... condition and to exit from the failure condition when performing an application upgrade From the SCE config if prompt type Command Purpose force failure condition Forces a virtual failover condition The system asks for confirmation Forcing failure will cause a failover do you want to continue n Type Y and press Enter to confirm the forced failure no force failure condition Exits from the virtual ...

Page 251: ... to operational mode non operational After failure the system will remain not operational The default value is operational From the SCE config prompt type Configure the Failure Recovery Mode Examples Example 1 This example sets the system to boot as non operational after a failure SCE config failure recovery operation mode non operational Example 2 This example sets the system to the default failu...

Page 252: ...ble action The specified action will be performed in case of loss of connection between the Cisco SCE platform and the SM Possible actions are force failure Force failure of Cisco SCE platform The Cisco SCE platform then acts according to the behavior configured for the failure state remove mappings Remove all current subscriber mappings shut The Cisco SCE platform shuts down and quits providing s...

Page 253: ...ring the Connection Configuring the Cisco SCE Platform SM Connection Options The following option is available interval The timeout interval in seconds From the SCE config if prompt type Command Purpose subscriber sm connection failure timeout interval Configures the connection timeout ...

Page 255: ...ervices over IPv6 are classified to the same service IDs as the corresponding services over IPv4 RDRs that contain IP address information provide IPv4 or IPv6 addresses based on the traffic Transaction Usage RDR HTTP Transaction Usage RDR Transaction RDR Blocking RDR and Link Usage RDR support IPv6 information Note Generic transaction usage RDR or anonymized transaction usage RDR is not generated ...

Page 256: ... reporting data for external application for collecting aggregation storage and processing The NetFlow protocol option integrates the Service Control solution with a wide range of existing data collectors and reporters Release 3 1 0 supports layer 7 application export reporters NetFlow Terminology page 9 2 NetFlow Exporting Support page 9 3 NetFlow Terminology Exporter A device in this case the RD...

Page 257: ...contain template records and data records The template records define the format of the following data records Each export packet may contain both types of records or only one type of records NetFlow Templates Each RDR type supported for NetFlowV9 exporting has a pre defined mapping that allows the RDR formatter to convert it to a NetFlow V9 report and send it over a NetFlow destination The Cisco ...

Page 258: ...t number protocol RDRv1 or NetFlow transport type TCP RDRv1 or UDP NetFlow The destination is assigned a priority for each category to which it is assigned Figure 9 1 illustrates the simplest data destination topology with only one category and one destination Figure 9 1 Data Destination Topology One Category and One Destination Figure 9 2 illustrates a complex topology using two categories and fo...

Page 259: ...erred to as Category 1 through Category 4 However you can define meaningful names for the categories This generally reduces confusion and prevents errors You can also configure the buffer size for each category The total buffer size is 80 MB Priority The priority value is used to indicate whether the destination should be a destination for a given category Priority is related to the redundant forw...

Page 260: ...tallation with a high rate of data Simple load balancing Each successive record is sent to a different destination one destination after the other in a round robin manner It is the responsibility of the collectors to aggregate the records If one connection fails the contents of the history buffer are sent to all connected destinations Note Some types of deployments using the NetFlow protocol requi...

Page 261: ...protocol The protocol used for data sent to the destination either RDRv1 or NetFlow if no protocol is assigned the protocol is RdrV1 transport The transport type TCP or UDP optional as this parameter is determined by the protocol A priority value may be assigned Priority is important in the redundancy forwarding mode but not crucial in multicast mode Remember that in multicast mode the existence o...

Page 262: ...formatter destination 10 1 1 206 port 33000 priority 80 protocol RdrV1 transport tcp Configuring the Data Categories There are three steps in defining the data categories Define the category names optional Configure the buffer size optional Configure the destinations with the proper priorities for each category as well as configuring all the other destination parameters may be approached in severa...

Page 263: ... portnumber The port number category number The number of the category 1 4 category name The name to be assigned to the category priority The priority value assigned to this category for this destination 1 100 protocol The protocol used for data sent to the destination either RDRv1 or NetFlow if no protocol is assigned the protocol is RdrV1 transport The transport type TCP or UDP optional as this ...

Page 264: ... if there is a loss of connection to either destination transmission of data of the relevant category is interrupted until the connection is re established There is no redundant connection defined for either category SCE config rdr formatter category number 2 name prepaid SCE config rdr formatter destination 10 1 1 205 port 33000 category number 1 priority 90 protocol RdrV1 transport tcp SCE confi...

Page 265: ... a secondary destination SCE config rdr formatter category number 2 name prepaid SCE config rdr formatter destination 10 1 1 205 port 33000 category name prepaid priority 90 category number 1 priority 10 protocol RdrV1 transport tcp SCE config rdr formatter destination 10 1 1 206 port 33000 category number 1 priority 95 protocol RdrV1 transport tcp In the following example all priority values seem...

Page 266: ...l NetFlowV9 transport udp Example 5 Finally the following example illustrates a configuration with three categories and three destinations as follows Figure 9 6 Category 1 Billing RDRv1 protocol goes to Destination 1 Category 2 Prepaid RDRv1 protocol goes to Destinations 1 and 2 Category 3 Special Prepaid NetFlow V9 protocol goes to Destination 3 RDRv1 protocol goes to Destination 2 Figure 9 6 Con...

Page 267: ...ry connection fails the records will be sent to the connected destination with the next highest priority multicast All records are sent to all destinations This feature may negatively affect performance in an installation with a high rate of data load balancing Each successive record is sent to a different destination one destination after the other in a round robin manner It is the responsibility...

Page 268: ...ter history buffer Dynamic mapping of RDRs to categories see Configuring Dynamic Mapping of RDRs to Categories section on page 9 17 Use the following commands to enable or disable the RDR Formatter From the SCE config prompt type How to Configure the Size of the RDR Formatter History Buffer The following option is available size size of the history buffer in bytes Maximum buffer size is 64 KB From...

Page 269: ...uration The DSCP value must be between 0 and 63 and be entered in HEX format Configuring the frequency of exporting the template records template refresh interval How to Configure a DSCP Value for NetFlow Options The following option is available dscp value DSCP value to be assigned to the NetFlow packets over all destinations 0 63 in HEX format From the SCE config prompt type How to Configure the...

Page 270: ...ata Formatting The RDR Formatter and NetFlow Exporting Configuring NetFlow Exporting Support From the SCE config prompt type Command Purpose rdr formatter destination ip address port port number protocol NetFlowV9 template data timeout timeout value Sets the template refresh interval ...

Page 271: ... the application configuration Configuring Mappings Use these commands to add or remove a mapping Options page 9 17 How to Restore the Default Mapping for a Specified RDR Tag page 9 17 Options The following options are available tag number The complete 32 bit value given as a hexadecimal number The RDR tag must be already configured in the Formatter by the application category number Number of the ...

Page 272: ...d statistics show rdr formatter show rdr formatter connection status show rdr formatter counters show rdr formatter destination show rdr formatter enabled show rdr formatter forwarding mode show rdr formatter rdr mapping show rdr formatter statistics show rdr formatter protocol NetFlowV9 dscp For a complete description of the other show rdr formatter commands see the Cisco SCE8000 CLI Command Refe...

Page 273: ...0807 thrown 0 format mismatch 0 UM queued 0 sent 0 thrown 0 Logger queued 0 sent 39 thrown 0 Errors thrown 0 Last time these counters were cleared 20 23 05 IST WED March 14 2007 How to Display the Current RDR Formatter Statistics From the SCE prompt type Displaying the Current RDR Formatter Statistics Example The following example shows how to display the current statistics in a deployment usi...

Page 274: ... per second Category 4 sent 0 in queue 0 thrown 0 format mismatch 0 unsupported tags 0 rate 0 RDRs per second max rate 0 RDRs per second Destination 10 56 201 50 Port 33000 Status up Sent 13835366 Rate 211 Max 679 Last connection establishment 17 hours 5 minutes 14 seconds Destination 10 56 204 7 Port 33000 Status up Sent 12134054 Rate 183 Max 595 Sent Templates 13732 Sent Data Records 12134054 Re...

Page 275: ...ng the Linecard from Sending RDRs The silent command disables the linecard from issuing data records Both RDRs and NetFlow export packets are suppressed Use the no form of this command if you want the linecard to send records From the SCE config if prompt type Command Purpose silent Disables the linecard from issuing data records no silent Enables the linecard to produce data records ...

Page 276: ...obal records More specifically only periodic records are aggregated because other records relate to events like a single transaction or flow and cannot be aggregated across processors if they are aggregated they lose the required granularity Currently the following RDRs are aggregated Virtual Link Usage RDRs VLURs Link Usage RDRs LURs Package Usage RDRs PURs You can disable RDR aggregation for ei...

Page 277: ...ubscribers Enforce the appropriate policy on subscriber traffic each subscriber can have a different policy Information About Subscribers page 10 2 Importing and Exporting Subscriber Information page 10 10 Removing Subscribers and Templates page 10 13 Importing and Exporting Anonymous Groups page 10 19 Monitoring Subscribers page 10 20 Configuring Subscriber Aging page 10 34 Managing VPNs and VPN ...

Page 278: ...ntrol solutions Table 10 1 Subscriber Examples The Subscriber Subscriber Characteristics Managed Entity Subscriber Entity Identified By DSL residential subscriber DSL residential user IP address The list of IP addresses is allocated by a Radius server Cable residential subscriber Cable residential user IP address The list of IP addresses of the CPEs is allocated dynamically by a DHCP server Owner ...

Page 279: ...s performed on an incoming network ID IP address VLAN or VPN ID as the Cisco SCE platform creates an anonymous on the fly record for each subscriber This permits analyzing traffic at an individual network ID level for example to identify monitor what a particular subscriber IP is currently doing as well as control at this level for example to limit each subscriber s bandwidth to a specified amount...

Page 280: ...the number of subscribers Available memory per traffic processor The main memory consumers in a traffic processor are flows and subscribers The total number of subscribers that can be supported is the number of subscribers per traffic processor multiplied by the number of traffic processors Available memory in the control processor The control processor holds one entry per subscriber However the c...

Page 281: ... used is either specified while loading the application or a previously configured default capacity option is used Specific capacity CLI command see Configuring the Actual Maximum Number of Subscribers section on page 10 32 This specific command overrides the capacity option configured when loading the application It provides the following options 100K 250K 500K 1M Subscriber Mapping Limits Refer ...

Page 282: ...ber related information login logout This is required to minimize information loss in case of failover In general the only entity that is allowed to change subscriber information in the standby Cisco SCE platform is the active Cisco SCE platform The standby Cisco SCE platform does not accept any subscriber operations it returns a STANDBY_VIOLATION error instead and it also does not generate any as...

Page 283: ...p is a specified IP range possibly assigned a subscriber template When an anonymous group is configured the Cisco SCE platform generates anonymous subscribers for that group when it detects traffic with an IP address that is in the specified IP range If a subscriber template has been assigned to the group the anonymous subscribers generated have properties as defined by that template If no subscri...

Page 284: ...when additional data is desired for each subscriber or subscriber template Refer to the relevant Service Control Application documentation to see if the application defines a different format Subscriber template csv files are application specific Refer to the relevant Service Control Application documentation of the file format Anonymous groups csv files are not application specific Their format i...

Page 285: ...s In hexadecimal colon notation Example 2001 a d f 64 The valid range is from 32 to 64 packageId The ID of the package to which the subscriber is assigned Here is an example of a subscriber csv file in the default format A comment line sub7 10 1 7 0 24 2001 a d f 64 1 sub8 10 1 11 32 2001 a d d 64 1 sub9 10 2 22 10 2 sub10 2001 a d f 64 2 sub11 10 4 44 10 1 sub12 10 1 11 90 10 3 0 0 16 2 Subscribe...

Page 286: ...move the pound symbol before the following line smm ssu maindecoder fields name mappings mappings_ipv6 tuneable packageId tuneable upVlinkId tuneable downVlinkId tuneable monitor Step 3 Include a pound symbol before the following line smm ssu maindecoder fields name mappings tuneable packageId tuneable upVlinkId tuneable downVlinkId tuneable monitor Step 4 Save the subaware pro file Step 5 From ...

Page 287: ...e SM GUI or CLU see the Cisco Service Control Subscriber Manager User Guide From the SCE config if prompt type Command Purpose subscriber import csv file filename Imports the subscriber information from the specified file If the information in the imported file is not valid the command will fail during the verification process before it is actually applied subscriber import csv file filename addit...

Page 288: ...t a Subscriber Template From the SCE config if prompt type How to Export a Subscriber Template From the SCE config if prompt type Command Purpose subscriber template import csv file filename Imports the subscriber template from the specified file Command Purpose subscriber template export csv file filename Exports the subscriber template to the specified file ...

Page 289: ...e system no subscriber all no subscriber anonymous group all clear interface linecard subscriber anonymous default subscriber template all Use the following commands to remove a specific subscriber or anonymous group from the system no subscriber name no subscriber anonymous group name These subscriber management commands are LineCard interface commands with the exception of the clear interface li...

Page 290: ...s Subscriber Groups From the SCE config if prompt type How to Remove All the Anonymous Subscribers From the SCE prompt type Command Purpose no subscriber all Removes all introduced subscribers subscriber name specifies the name of the subscriber to be removed Command Purpose no subscriber anonymous group name group name Removes the specified anonymous subscriber group Command Purpose no subscriber...

Page 291: ...ribers that the SM cannot remove for some reason for example if there is no communication between the SM and the Cisco SCE platform use this command Note Use this command ONLY when the Cisco SCE platform is disconnected from the SM From the SCE config if prompt type How to Remove Subscribers by Device How to Remove Subscribers from the SM page 10 15 How to Remove Subscribers from a Specified SCMP ...

Page 292: ...Command Purpose no subscriber sm all Clears all subscribers from the SM ...

Page 293: ...nd Templates How to Remove Subscribers from a Specified SCMP Peer Device From the SCE config if prompt type Command Purpose no subscriber scmp name peer device name all Clears all subscribers from the specified SCMP peer device peer device name specifies the name of the SCMP peer device from which to clear the subscribers ...

Page 294: ...mous Subscriber Groups section on page 10 14 Defining Anonymous Groups Use this command to define an anonymous group assigning the following to the group created group name range of IP addresses subscriber template to be assigned to all subscribers within that IP range optional How to Define an Anonymous Group Options The following options are available group name Name to be assigned to the anonym...

Page 295: ...onymous Groups Options The following option is available filename Name of the csv file From the SCE config if prompt type Command Purpose subscriber anonymous group import csv file filename Creates anonymous groups by importing anonymous groups from the specified csv file Imported anonymous groups information is added to the existing anonymous groups information It does not overwrite the existing ...

Page 296: ...ubscribers were introduced to the system Note that these commands are all in Viewer mode Make sure that you are in the proper mode and that the SCE prompt appears in the command line Note also that you must specify linecard 0 in these commands How to Monitor the Subscriber Database How to Display the Subscriber Database Counters page 10 21 Clearing the Subscriber Database Counters page 10 22 Use t...

Page 297: ...h mappings 0 used out of 249999 max Single non VPN IP mappings 0 Non VPN IP Range mappings 0 IP Range over VPN mappings 0 Single IP over VPN mappings 0 VLAN based VPNs with subscribers 0 used out of 4095 Subscribers with open sessions 243562 Subscribers with TIR mappings 0 Sessions mapped to the default subscriber 2 Peak values Peak number of subscribers with mappings 249999 Peak number occurred a...

Page 298: ... commands to display subscribers show interface linecard 0 subscriber all names show interface linecard 0 subscriber amount prefix prefix property propertyname equals greater than less than property val show interface linecard 0 subscriber amount prefix prefix show interface linecard 0 subscriber amount suffix suffix show interface linecard 0 subscriber mapping IP iprange VPN vpn name show interfa...

Page 299: ...ber property page 10 24 How to display the number of subscribers that are greater than or less than a specified value of a subscriber property page 10 24 How to display the number of subscribers that match a specified prefix page 10 25 How to display subscribers that match a specified value of a subscriber property Options The following options are available propertyname Name of the subscriber pro...

Page 300: ...subscriber property to match property val Value of that subscriber property to match From the SCE prompt type How to display the number of subscribers that are greater than or less than a specified value of a subscriber property Options The following options are available propertyname Name of the subscriber property to match property val Value of that subscriber property to match Command Purpose s...

Page 301: ...bscribers with no mapping page 10 26 How to display the number of subscribers that are mapped to a specified VLAN ID page 10 27 How to display the number of subscribers with no mapping page 10 27 You can display the subscribers who are mapped to any of the following A specified IP address or range of IP addresses IP addresses intersecting a given IP address or IP range A specified VLAN ID A specif...

Page 302: ...which to search for the IP address From the SCE prompt type How to display subscribers that are mapped to a specified VLAN ID Options The following options are available VLAN id VLAN ID to match From the SCE prompt type How to display subscribers with no mapping From the SCE prompt type Command Purpose show interface linecard 0 subscriber mapping IP ip range VPN vpn name Displays subscribers that ...

Page 303: ...criber page 10 28 How to Display OS Counters for a Specified Subscriber page 10 29 You can display the following information about a specified subscriber values of the various subscriber properties mappings IP address or VLAN ID OS counters current number of flows bandwidth Use the following commands to display subscriber information show interface linecard 0 subscriber properties show interface l...

Page 304: ...CE prompt type How to Display Mappings for a Specified Subscriber Options The following options are available name Subscriber name From the SCE prompt type Command Purpose show interface linecard 0 subscriber properties Displays a listing of subscriber properties Command Purpose show interface linecard 0 subscriber name name Displays complete information for a specified subscriber including all va...

Page 305: ... page 10 31 You can display the following information regarding the anonymous subscriber groups aging see How to Display Aging for Anonymous Group Subscribers section on page 10 35 currently configured anonymous groups currently configured subscriber templates configuration of a specified anonymous group number of subscribers in a specified anonymous group or in all anonymous groups Use the follow...

Page 306: ...re available group name Name of the anonymous subscriber group From the SCE prompt type How to Display All Subscribers Currently in Anonymous Groups From the SCE prompt type Command Purpose show interface linecard 0 subscriber templates Display currently configured templates for anonymous groups Command Purpose show interface linecard 0 subscriber anonymous group name group name Displays current c...

Page 307: ...me Name of the anonymous subscriber group From the SCE prompt type How to Display the Total Number of Subscribers in All Anonymous Groups From the SCE prompt type Command Purpose show interface linecard 0 subscriber amount anonymous name group name Displays the number of subscribers in a specified anonymous group Command Purpose show interface linecard 0 subscriber amount anonymous Displays the to...

Page 308: ...erride the Configured Capacity Option The default maximum number of subscribers is 250 000 Step 1 If a policy configuration PQB file has been applied on Cisco SCE platform use the SCA BB console to retrieve it and save it before proceeding Step 2 Select the maximum number of subscribers From the SCE config if prompt type subscriber max subscribers 40K 80K 120K 200K and press Enter Step 3 Disable t...

Page 309: ...ter of all the existing subscribers become 0 The subscribers are automatically deleted when the aging period of each subscriber elapses How to Restore the Configured Capacity Option Step 1 If a policy configuration PQB file has been applied on Cisco SCE platform use the SCA BB console to retrieve it and save it before proceeding Step 2 From the SCE config if prompt type subscriber capacity options...

Page 310: ... removal of a subscriber when no traffic sessions assigned to it have been detected for a certain amount of time Aging may be enabled or disabled and the aging timeout period in minutes can be specified Aging can be configured separately for introduced subscribers and for anonymous subscribers Use the following commands to configure and monitor aging no subscriber aging subscriber aging timeout sh...

Page 311: ...ribers Options The following option is available aging time The time interval in minutes after which an inactive subscriber will be aged 2 14400 From the SCE config if prompt type How to Display Aging for Anonymous Group Subscribers From the SCE prompt type Command Purpose no subscriber aging introduced Disables aging for introduced subscribers Command Purpose no subscriber aging anonymous timeout...

Page 312: ...How to Display Aging for Introduced Subscribers From the SCE prompt type Command Purpose show interface linecard 0 subscriber aging introduced Displays aging for introduced subscribers ...

Page 313: ...ation All the mappings for a specified VPN A listing of all currently logged in VPNs A listing of all currently logged in VPNs that were created automatically How to Display Mappings for a Specified VPN Options The following option is available vpn name The name of the VPN for which to display mappings From the SCE prompt type How to Display a Listing of All VPNs From the SCE prompt type Displayin...

Page 314: ...Command Purpose clear interface linecard 0 VPN automatic Removes all VLAN VPNs that were created automatically by the Cisco SCE platform Only removes VPNs that have no active subscriber mappings ...

Page 315: ... of Failure of the SM Options The following options are available action The specified action will be performed in case of loss of connection between the Cisco SCE platform and the SM Possible actions are force failure Force failure of Cisco SCE platform The Cisco SCE platform then acts according to the behavior configured for the failure state remove mappings Remove all current subscriber mapping...

Page 316: ...can also configure the timeout interval the length of time that the SM SCE platform connection is disrupted before a failed connection is recognized and the configured behavior is applied Options The following option is available interval The timeout interval in seconds From the SCE config if prompt type Command Purpose subscriber sm connection failure timeout interval Configures the connection ti...

Page 317: ... and Failover Revised February 07 2014 OL 30621 02 Introduction Redundancy and Failover page 11 2 Link Failure Reflection page 11 5 Hot Standby and Failover page 11 6 Recovery page 11 11 CLI Commands for Cascaded Systems page 11 13 Configuring Forced Failure page 11 18 System Upgrades page 11 19 ...

Page 318: ...ology one Cisco SCE platform is active while the second Cisco SCE platform is in standby receiving from the active Cisco SCE platform all subscriber state updates and keep alive messages Primary Secondary The terms Primary and Secondary refer to the default status of a particular Cisco SCE platform The Primary Cisco SCE Platform is active by default while the Secondary device is the default standb...

Page 319: ... that in a cascaded configuration an external bypass device should be connected only for the traffic ports The cascade ports should be directly connected between the two Cisco SCE 8000 platforms see Figure 11 1 Hardware Bypass The Cisco SCE 8000 platform can support the hardware bypass which bypasses the traffic of the configured static parties created in the hw bypass mode at the hardware SIP mod...

Page 320: ... be initiated to allow the Cisco SCE platform proper exchange of information between the Cisco SCE platforms and the SM Link failure The system monitors all three types of links for failures Traffic port link failure Traffic cannot flow through the Cisco SCE platform Cascade port link failure Traffic cannot flow between the Cisco SCE platforms through the cascade ports Management port link failure...

Page 321: ...the corresponding link on the other side is forced down to reflect the failure Link failure reflection is done on the traffic ports When operating in deployments of single Cisco SCE platform with two data links link failure is reflected between the two ports of each link When working with two cascaded Cisco SCE platforms link failure is reflected in two cases Reflection between the traffic ports o...

Page 322: ...hich it came Since only one Cisco SCE platform processes all traffic at any given time split flows which are caused by asymmetrical routing that exist in the two data links are handled correctly To support subscriber state failover both Cisco SCE platforms hold subscriber states for all parties and subscriber state updates are exchanged between the active Cisco SCE platform and the standby This wa...

Page 323: ... failed Cisco SCE platform If the failure is in the standby Cisco SCE platform The active Cisco SCE platform continues providing its normal functionality processing the traffic of the two links If the failure is in the active Cisco SCE platform The standby Cisco SCE platform takes over processing the traffic and becomes the active Cisco SCE platform Cutoff Change the link of the failed Cisco SCE p...

Page 324: ...the on failure configuration is cutoff the SPA modules are disabled when failure occurs The collective behavior of these three components is known as the hardware crash mode and is dependent on the configuration of the on failure parameter of the connection mode command as well as whether the platform is the active or standby platform In the standby platform hardware crash mode behavior is as foll...

Page 325: ...s modules are not installed traffic is cut off If the standby platform has failed and the on failure configuration is cutoff hardware crash mode behavior in the active platform is as follows The external optical bypass if installed is deactivated traffic is sent to the platform The electrical bypass is disabled cascade ports do not transmit traffic to the standby platform since it is also not oper...

Page 326: ...e linecard 0 connection mode command Step 7 If you want to start in bypass mode change the link mode to bypass in both Cisco SCE platforms The bypass mode will be applied only to the active Cisco SCE platform See About the Link Mode section on page 8 6 Step 8 Verify the link mode configuration See Monitoring the System section on page 11 14 Use the show interface linecard 0 link mode command Step ...

Page 327: ...k failure Automatic recovery when link revives Traffic link failure Automatic recovery when link revives Failure in the communications with the SM Automatic by SM decisions after connection is re established Hardware malfunction Manual recovery after replacing the malfunctioning Cisco SCE platform Replacing the Cisco SCE Platform Manual Recovery This is done in two stages first manual installation...

Page 328: ...the SM Step 3 Copying updated subscriber states from the active Cisco SCE platform to the standby Reboot Only Fully Automatic Recovery Step 1 Reboot of the Cisco SCE platform Step 2 Basic network configurations Step 3 Establishment of inter Cisco SCE platform communication Step 4 Selection of the active Cisco SCE platform Step 5 Synchronization of the recovered Cisco SCE platform with the SM Step ...

Page 329: ...rameter which identifies the Cisco SCE platform replaces the physically connected link parameter which identified the link This change was required with the introduction of the Cisco SCE 8000 GBE platform which supports multiple links In the Cisco SCE 8000 10GBE the number assigned to the sce id parameter 0 or 1 will be defined as the number of the physically connected link Note For backwards c...

Page 330: ...imary The connection mode would be the same as the first and the behavior of the Cisco SCE platform if a failure occurs is external bypass SCE config if connection mode inline cascade sce id 0 priority secondary on failure external bypass Monitoring the System Use the following commands to view the current connection mode and link mode parameters How to View the Current Connection Mode From the SC...

Page 331: ... SCE show interface linecard 0 sce id slot 0 sce id is 1 How to View the Current Redundancy Status of the Cisco SCE Platform From the SCE prompt type Viewing the Current Redundancy Status of the Cisco SCE Platform Example The following example shows typical output of this command SCE enable 5 Password cisco SCE show interface linecard 0 cascade redundancy status Redundancy status is active How to ...

Page 332: ...linecard 0 cascade connection status SCE is improperly connected to peer SCE Please verify that each cascade port is connected to the correct port of the peer SCE Note that in the current topology the SCE must be connected to its peer as follows Port 3 2 0 must be connected to port 3 2 0 at peer Port 3 3 0 must be connected to port 3 3 0 at peer SCE The following example shows the output of this c...

Page 333: ...k to Port Mappings Example The following example shows the link to port mapping SCE enable 5 Password cisco SCE show interface linecard 0 link to port mappings Link Id Upstream Port Out Downstream Port Out 0 0 2 0 1 SCE How to View the Current Link Mode From the SCE prompt type Command Purpose show interface linecard 0 link mode Displays the current link mode ...

Page 334: ... Failure Use the following commands to force a virtual failure condition and to exit from the failure condition when performing an application upgrade From the SCE config if prompt type Commands Purpose force failure condition Forces the Cisco SCE platform into a virtual failure state no force failure condition Exits from the virtual failure state ...

Page 335: ... that was not upgraded Firmware Upgrade package installation Step 1 Install package on both Cisco SCE platforms open the package and copy configuration Step 2 Reload the standby Cisco SCE platform Step 3 Wait until the standby finishes synchronizing and is ready to work Step 4 Make sure that the connection mode configurations are correct Step 5 Reload the active Cisco SCE platform Step 6 After the...

Page 336: ...itched back to active Simultaneous Upgrade of Firmware and Application Step 1 In the standby Cisco SCE platform a Uninstall the application b Upgrade the firmware this includes a reboot c Install the new application Step 2 Force failure in the active Cisco SCE platform This makes the updated Cisco SCE platform the active one and it begins to give the NEW service Step 3 Repeat step 1 for the now st...

Page 337: ...ion This chapter describes the ability of the Cisco SCE platform to identify and prevent DDoS attacks and the various procedures for configuring and monitoring the Attack Filter Module Attack Filtering and Attack Detection page 12 2 Configuring Attack Detectors page 12 8 Subscriber Notifications page 12 20 Preventing and Forcing Attack Detection page 12 21 Monitoring Attack Filtering page 12 24 ...

Page 338: ...his mechanism is enabled by default and can be disabled and enabled for each attack type independently There are 32 different attack types 1 TCP flows from a specific IP address on the subscriber side regardless of destination port 2 TCP flows to a specific IP address on the subscriber side regardless of destination port 3 4 Same as 1 and 2 but for the opposite direction subscriber network 5 TCP f...

Page 339: ...lt detector exists that can be configured with user defined thresholds and action or system defaults may be retained In addition the user can manually override the configured attack detectors to either force or prevent attack filtering in a particular situation Specific IP filtering for selected attack types is enabled with the following parameters These parameters control which of the 32 attack t...

Page 340: ...ext the system can be configured to notify the subscriber of the fact that he is under an attack or a machine in his network is generating such an attack using HTTP Redirect Alarm The system will generate an SNMP trap each time an attack starts and stops Attack detection and handling are user configurable The remainder of this chapter explains how to configure and monitor attack detection Attack D...

Page 341: ...andling can be configured as follows Configuring the action Report Attack packets are processed as usual and the occurrence of the attack is reported Block Attack packets are dropped by the Cisco SCE platform and therefore do not reach their destination Regardless of which action is configured two reports are generated for every attack one when the start of an attack is detected and one when the e...

Page 342: ...t adequately handle an attack the resulting high CPU load will harm the service provided by the Cisco SCE platform normal traffic classification and control An attack that threatens to overwhelm the software will therefore be automatically filtered by the hardware When the hardware is used to filter the attack the software has no knowledge of the attack packets and therefore the following side eff...

Page 343: ...r configurable However due to the effects of hardware attack filtering on attack reporting it is important to be aware of when hardware processing has been activated and so monitoring of hardware filtering is essential There are two ways to do this see Monitoring Attack Filtering section on page 12 24 Check the HW filter field in the show interface linecard attack filter current attacks command Ch...

Page 344: ...S requests per second at peak times and so the system should be configured with a suitable threshold for DDoS suspected flows for protocol UDP and direction attack destination A threshold value of 1000 flows second would probably be suitable for the DNS server However this threshold would be unsuitable for almost all other network elements since for them being the destination of such large rate of...

Page 345: ... from low to high numbers If the IP address is permitted by the ACL specified by the attack detector and a threshold is configured for this attack type then the threshold values specified by this attack detector are used If not the scan continues to the next attack detector If no attack detector matches the IP address protocol combination then the values of the default attack detector are used The...

Page 346: ...nding on the following options For a selected protocol only For TCP and UDP protocols for only port based or only port less detections For a selected attack direction either for all protocols or for a selected protocol Options The following options are available protocol The specific protocol for which specific IP detection is to be enabled or disabled Default All protocols no protocol specified a...

Page 347: ...uring the Default Attack Detector Options page 12 12 How to Define the Default Action and Optionally the Default Thresholds page 12 13 How to Reinstate the System Defaults for a Selected Set of Attack Types page 12 13 How to Reinstate the System Defaults for All Attack Types page 12 14 Command Purpose attack filter protocol TCP Enables specific IP detection for the TCP protocol only for all attack...

Page 348: ... port TCP and UDP protocols only Defines whether the default attack detector applies to port based or port less detections side Defines whether the default attack detector applies to attacks originating at the subscriber or network side action Default action report default Report beginning and end of the attack by writing to the attack log block Block all further flows that are part of this attack...

Page 349: ... both dual sided all side subscriber network both notify subscriber don t notify subscriber and press Enter Enables or disables subscriber notification by default for the defined attack type The attack type must be defined the same as in Step 1 Step 3 From the SCE config if prompt type attack detector default protocol TCP UDP dest port specific not specific both ICMP other all attack direction sin...

Page 350: ...a Specific Attack Detector page 12 17 How to Disable All Non default Attack Detectors page 12 18 How to Disable All Attack Detectors page 12 18 Options A specific attack detector may be configured for each possible combination of protocol attack direction and side The Cisco SCE platform supports a maximum of 100 attack detectors Each attack detector is identified by a number 1 100 Each detector ca...

Page 351: ...her be in a not configured state which is the default or be configured with a specific value action Action report default Report beginning and end of the attack by writing to the attack log block Block all further flows that are part of this attack the Cisco SCE platform drops the packets Thresholds open flows rate Default threshold for rate of open flows suspected flows rate Default threshold for...

Page 352: ...number protocol TCP UDP dest port specific not specific both ICMP other all attack direction single side source single side destination single side both dual sided all side subscriber network both action report block open flows rate number suspected flows rate rate suspected flows ratio ratio Defines the action of the specified attack detector Command Purpose attack detector number protocol TCP UD...

Page 353: ...attack detector does not take part in determining the response for attacks of this attack type From the SCE config if prompt type How to Disable a Specific Attack Detector Use the following command to disable a specific attack detector configuring it to use the default action threshold values and subscriber notification for all protocols attack directions and sides From the SCE config if prompt ty...

Page 354: ...ault protocol ICMP attack direction single side source side both action report open flow rate 1000 suspected flows rate 100 suspected flows ratio 10 and press Enter Configures the default ICMP threshold and action Step 3 From the SCE config if prompt type attack detector 1 access list 3 comment DNS servers and press Enter Enables attack detector 1 and assigns ACL 3 to it Step 4 From the SCE config...

Page 355: ...Step 7 From the SCE config if prompt type exit and press Enter Exits the linecard interface configuration mode Step 8 Configure ACL 3 which has been assigned to the attack detector SCE config access list 3 permit 10 1 1 10 SCE config access list 3 permit 10 1 1 13 ...

Page 356: ...cks originating from the subscriber that are configured with block action Such attacks cannot normally be notified to the subscriber using HTTP redirection since all HTTP flows originating from the subscriber are TCP flows and they are therefore blocked along with all other attack flows To enable effective use of HTTP redirect there is a CLI command that prevents blocking of TCP flows originating ...

Page 357: ...k from the network side The ISP wants to protect the subscriber from this attack by blocking all UDP traffic to the subscriber but unfortunately the Cisco SCE platform did not recognize the attack Alternatively it could be that the attack was recognized but the configured action was report and not block Use the force filter command described below for this type of case The user can use the CLI att...

Page 358: ...owing commands to configure or remove a force filter setting for or from a specified situation Commands Purpose attack filter dont filter protocol TCP UDP dest port port number not specific ICMP other attack direction single side source single side destination single side both ip ip address dual sided source ip source ip address destination ip dest ip address side subscriber network both Configur...

Page 359: ... single side destination single side both ip ip address dual sided source ip source ip address destination ip dest ip address side subscriber network both notify subscriber Configures a force filter setting for a specified situation no attack filter force filter protocol TCP UDP dest port port number not specific ICMP other attack direction single side source single side destination single side bo...

Page 360: ...traffic Attack detected Attack IP info from side side protocol protocol rate1 open flows per second detected rate2 Ddos suspected flows per second detected Action is action If attack was declared as a result of a force filter command Attack Filter Forced forced action IP info from side side protocol protocol Attack forced using a force filter command The format of the attack information string sen...

Page 361: ...ttack and whether one or two IP addresses were detected from IP address A B C D on IP address A B C D from IP address A B C D to IP address A B C D side subscriber network protocol TCP UDP ICMP other rate1 and rate2 are numbers duration is a number total flows is one of the following strings depending on the attack action If action is block number flows blocked If action is report attack comprised...

Page 362: ... to monitor attack detection and filtering show interface linecard 0 attack detector show interface linecard 0 attack filter show interface linecard 0 attack filter query show interface linecard 0 attack filter current attacks show interface linecard 0 attack filter don t filter show interface linecard 0 attack filter force filter show interface linecard 0 attack filter subscriber notification por...

Page 363: ...urce dest TCP sub source dest TCP port net source only Block Yes TCP port net dest only TCP port sub source only Block Yes TCP port sub dest only TCP port net source dest TCP port sub source dest UDP net source only UDP net dest only UDP sub source only UDP sub dest only UDP net source dest UDP sub source dest UDP port net source only UDP port net dest only UDP port sub source only UDP port sub de...

Page 364: ...source only Report 1000 500 50 No No UDP net dest only Report 1000 500 50 No No UDP sub source only Report 1000 500 50 No No UDP sub dest only Report 1000 500 50 No No UDP net source dest Report 100 50 50 No No UDP sub source dest Report 100 50 50 No No UDP port net source only Report 1000 500 50 No No UDP port net dest only Report 1000 500 50 No No UDP port sub source only Report 1000 500 50 No N...

Page 365: ...Threshold Values and Actions Use this command to display the configured threshold values and actions a specified IP address and port taking into account the various specific attack detector access list configurations Options In addition to the attack detector options described above the following options are available ip address The IP address for which to display information If attack direction i...

Page 366: ...net src Report 500 250 50 No No No No other net dst Report 500 250 50 No No No No other sub src Report 500 250 50 No No No No other sub dst Report 500 250 50 No No No No N below a value means that the value is set through attack detector N SCE Example 2 This example shows a query for a single IP address with a specified port SCE show interface linecard 0 attack filter query single sided ip 10 1 1 ...

Page 367: ... type Command Purpose show interface linecard 0 attack filter query single sided ip ip address dual sided source IP source ip address destination IP dest ip address dest port portnumber current Displays the current counters Command Purpose show interface linecard 0 attack filter current attacks Displays all currently handled attacks Command Purpose show interface linecard 0 attack filter force fil...

Page 368: ...ewing the Attack Log The Attack Log page 12 32 How to View the Attack Log page 12 33 How to Copy the Attack Log to a File page 12 33 The Attack Log The attack log contains a message for each specific IP detection of attack beginning and attack end Messages are in CSV format The message for detecting attack beginning contains the following data IP address Pair of addresses if detected Protocol Port...

Page 369: ... file reaches maximum capacity the system then reverts to logging events to the first log file thus overwriting the temporarily archived information stored in that file The following SNMP trap indicates that the attack log is full and a new log file has been opened ST_LINE_ATTACK_LOG_IS_FULL Note When the attack log is large it is not recommended to display it Copy a large log to a file to view it...

Page 371: ...ed February 07 2014 OL 30621 02 Introduction This module provides an overview of the Service Control Management Protocol SCMP capabilities It also explains the various procedures for configuring and monitoring SCMP About SCMP page 13 2 Configuring the SCMP page 13 9 Monitoring the SCMP Environment page 13 17 ...

Page 372: ...eation Keep alive message interval Protocol version Subscriber Management The SCMP peers can work in either of two introduction modes These introduction modes affect only how and when a session is created on the Cisco SCE platform The SCMP peer provisions the session to the Cisco SCE platform when it is created in the peer device push The Cisco SCE platform queries the SCMP peer regarding unmapped...

Page 373: ...fier Flow Characterized by several parameters identifiable from the traffic such as source IP address destination IP address source port destination port protocol and in some cases direction SCMP Peer A Cisco device running IOS with the ISG module enabled Identity Key One of the keys that help identify a Session The identity keys that are relevant to the Cisco SCE ISG control bus are IP Address Su...

Page 374: ...ateway or BRAS terminating a large number of subscribers However note that deploying only one Cisco SCE platform results in a single point of failure which is not generally acceptable in an actual deployment Single ISG Router with Two Cascaded Cisco SCE Platforms 1xISG 2xCisco SCE Figure 13 2 illustrates a deployment using one ISG router with two cascaded Cisco SCE platforms Figure 13 2 Single ISG...

Page 375: ...orms at the same time Multiple ISG Routers with Two Cascaded Cisco SCE Platforms NxISG 2xCisco SCE Figure 13 3 illustrates a deployment using multiple ISG routers with two cascaded Cisco SCE platforms Figure 13 3 Multiple ISG Routers with Two Cascaded Cisco SCE Platforms Many SPs require an edge platform with MPLS functionality to support L2 and L3 VPN services for business customers with the poss...

Page 376: ...r efficient control of subscriber flows the same Cisco SCE platform must process both directions of each subscriber flow since the Cisco SCE platform keeps the subscriber context The Cisco 7600 router to which the Cisco SCE platforms are connected acts as a dispatching element distributing subscriber flows between Cisco SCE platforms and guaranteeing that all flows of a specific subscriber will pa...

Page 377: ...s and Subscriber Templates section on page 10 7 SCMP associates each SCMP peer device with at least one anonymous group SCMP generates subscribers for this anonymous group when it detects traffic from the SCMP peer device that is not mapped to any subscriber SCMP assigns the SCMP peer manager Id to this generated anonymous subscriber If you have assigned a subscriber template to the group the anon...

Page 378: ...tion SCMP adds the Manager Id field to each subscriber record in the database All SCMP subscriber provisioning operations include the Manager Id parameter for each subscriber SCMP performs synchronizations in the context of the Manager Id SCMP dispatches queries according to the configuration of the anonymous subscriber groups GUID and Subscriber ID The SCMP requires the use of a globally unique i...

Page 379: ...13 10 Configuring the SCMP Peer Device to Force Each Subscriber to Single Cisco SCE Platform page 13 10 Defining the Keep alive Interval Parameter page 13 11 Defining the Reconnect Interval Parameter page 13 11 Defining the Loss of Sync Timeout Parameter page 13 12 You can configure the following options for the SCMP Enable the SCMP Configure the SCMP peer device to push sessions to the Cisco SCE ...

Page 380: ...n SCMP peer device it informs the device whether the SCMP is configured to allow each subscriber to be provisioned to only one Cisco SCE platform Use this command to configure the SCMP peer device to verify that each subscriber is provisioned to only one Cisco SCE platform If a subscriber was provisioned to a different Cisco SCE platform the SCMP removes it from the previous Cisco SCE platform and...

Page 381: ...available interval Interval between keep alive messages from the Cisco SCE platform to the SCMP peer device in seconds Default 5 seconds From the SCE config prompt type Defining the Reconnect Interval Parameter The reconnect interval is the amount of time between attempts by the Cisco SCE platform to reconnect with an SCMP peer The Cisco SCE platform attempts to reconnect to the SCMP peer device a...

Page 382: ...ine an SCMP Peer Device page 13 12 How to Assign the SCMP Peer Device to an Anonymous Group page 13 13 Adding an SCMP peer device is a two step process 1 Define the device configuring the following parameters device name RADIUS host RADIUS shared secret authorization port number optional accounting port number optional 2 Associate the device with one or more unmapped anonymous groups How to Define...

Page 383: ...SCMP peer device range optional IP range defined for the anonymous group template optional Group template assigned to the anonymous group peer device name User assigned name of the SCMP peer device From the SCE config if prompt type How to Remove an Anonymous Group from the SCMP Peer Device This command removes the specified anonymous group from the SCMP peer device From the SCE config if prompt t...

Page 384: ...er anonymous group name group name IP range range template template scmp name peer device name Step 2 Repeat this step for all anonymous groups assigned to the SCMP peer device Step 3 When all anonymous groups have been removed from the device exit LineCard Interface Configuration mode SCE config if exit Step 4 Delete the device SCE config no scmp name peer_device_name Defining the Subscriber ID Y...

Page 385: ... User Name Default no elements concatenated with the GUID Step 1 Disable the SCMP SCE config no scmp Step 2 Define the subscriber ID SCE config scmp subscriber id append to guid radius attributes Calling Station Id NAS Port Id User Name Calling Station Id NAS Port Id User Name Calling Station Id NAS Port Id User Name Step 3 Enable the SCMP SCE config scmp Configuring the RADIUS Client You can conf...

Page 386: ... options are available times The maximum number of times the RADIUS client can try unsuccessfully to send a message Default 3 timeout optional Timeout interval for retransmitting a message in seconds Default 1 second From the SCE config prompt type Command Purpose ip radius client retry limit times timeout timeout Configures RADIUS client ...

Page 387: ...MP peer device page 13 18 How to display the statistics for all SCMP peer devices page 13 18 How to display the statistics for a specified SCMP peer device page 13 19 Use the following commands to monitor the SCMP These commands provide the following information General SCMP configuration Configuration of all currently defined SCMP peer devices Configuration of a specified SCMP peer device Statist...

Page 388: ...display the configuration for a specified SCMP peer device From the SCE prompt type Example SCE show scmp name isg SCMP Connection isg status 10 56 208 91 auth port 1812 acct port 1813 Connection state Connected Peer protocol version 1 0 Keep alive interval 5 seconds Force single SCE No Send session start Yes Time connected 9 seconds How to display the statistics for all SCMP peer devices From the...

Page 389: ...nting replies received 20 Subscriber queries sent 0 Subscriber query response recv 0 Request retry exceeded 0 Requests replied with errors 0 Subscriber requests received 50 Subscriber responses sent 50 Failed Requests 0 Keep alive sent 1 Keep alive received 1 Monitoring the RADIUS Client Use the following command to monitor the SCMP RADIUS client This command displays the general configuration of ...

Page 391: ...r configuring and monitoring the VAS traffic forwarding Information About VAS Traffic Forwarding page 14 2 How VAS Traffic Forwarding Works page 14 3 VAS Redundancy page 14 10 VAS Status and VAS Health Check page 14 12 VAS Traffic Forwarding Topologies page 14 14 SNMP Support for VAS page 14 17 Interactions Between VAS Traffic Forwarding and Other Cisco SCE Platform Features page 14 18 Configuring...

Page 392: ...e type can be deployed in a group to increase the processing capacity and provide redundancy for each VAS service type The Cisco SCE platform performs subscriber load sharing between the active servers of the same server group It is able to identify the active servers among the defined servers through a dedicated health check mechanism VAS Service Goals The VAS traffic forwarding functionality ena...

Page 393: ...fic is routed to the VAS servers using VLAN tags to identify the traffic flows Figure 14 1 Typical VAS Traffic Forwarding Installation VAS traffic forwarding guidelines A single Cisco SCE 8000 platform can support up to 64 VAS servers A maximum of 64 Cisco SCE 8000 platforms can be connected A maximum of eight VAS server groups is supported The same VAS server may be used by more than one Cisco SC...

Page 394: ... these guidelines The VAS services should work in promiscuous mode in Layer 2 and accept packets with any destination MAC address When forwarding traffic back to the network after processing the VAS devices must preserve the original Layer 2 headers containing the MAC addresses and the VLAN tag The VAS devices must not change the MAC addresses destination or source or the VLAN tags The following r...

Страница 395: ...isco SCE platform the Cisco SCE platform removes the VLAN tag it previously added and then forwards the traffic on its original link The VLAN tag for each VAS server is user configured To preserve consistency of the traffic flow the VAS feature requires a unique VLAN tag be configured for each Cisco SCE platform and VAS server combination The VLAN tag has 12 bits divided as follows The lower six b...

Страница 396: ...n in more detail when and how the mapping is changed Non VAS Data Flow page 14 7 VAS Data Flow page 14 7 Data Flow In a deployment using VAS traffic forwarding there are two types of data flows Non VAS flow VAS flow Figure 14 2 depicts the two types of data flows running through a single Cisco SCE platform and a single VAS server Ports are illustrated as two unidirectional half ports RX on the lef...

Страница 397: ...n VAS flow 3 The packet is sent to the network on Port 2 N VAS Data Flow A VAS data flow is slightly more complex than the basic data flow It is received and transmitted in the same manner as the basic non VAS Cisco SCE platform flow but before it is transmitted to its original destination it flows through the VAS server The data flow steps for a VAS flow are 1 A subscriber packet is received at t...

Страница 398: ...erver from the VAS servers within the group is based on the current load on each VAS server The system tries to create an equal subscriber load for all the VAS servers belonging to the same group In some cases a single VAS server may be used by more than one Cisco SCE platform Remember that the Cisco SCE platform performs load balancing only on the traffic that it sends to the VAS server it receiv...

Страница 399: ...ubscriberless mode because the entire traffic load would be carried by only one VAS server per group Tip Use anonymous mode rather than subscriberless mode with VAS traffic forwarding In pull mode the first flow of the subscriber behaves as configured in the anonymous template If no anonymous template is configured such first flows are processed as defined by the default template Therefore the def...

Страница 400: ...1 VAS Server Failure The system monitors the health of a VAS server by periodically checking the connectivity between the Cisco SCE platform and the VAS server When the Cisco SCE platform fails to establish or maintain a connection to the server within a configurable window of time the server is considered to be in Down state When the server is in Down state New logged in subscribers are distribut...

Страница 401: ...When the number of active servers is above the minimum and the state of the group is changed to Active again the configured action on failure is no longer applied to the new flows However to maintain the coherency of the network flows that were blocked or passed are not affected by the change in the state of the server group Ethernet Switch Failure The Ethernet switches are a single point of failu...

Страница 402: ... packets are received by the Cisco SCE platform the VAS server is considered to be alive Failing to receive the packets back from the VAS server within a predefined time window is considered by the Cisco SCE platform as a failure of the VAS server and the server status is changed to Down Health check packets are Carried over UDP flows Contain source and destination IP addresses that can be user co...

Страница 403: ...nfigured to do so Therefore if the connectivity between the VAS server and the Cisco SCE platform is operative the health check packets should reach the Cisco SCE platform safely Alternatively it should be possible to configure the VAS server to pass traffic on specific ports the health check ports In case of a failure the VAS server should drop and not bypass the traffic cut the link so that the ...

Страница 404: ...E platform connected to a single VAS server use a switch between the Cisco SCE platform and the VAS server Single Cisco SCE Platform Multiple VAS Servers In this topology a single Cisco SCE platform forwards VAS traffic to one or more VAS servers through two Ethernet switches Figure 14 3 The two Ethernet switches are necessary to avoid a situation in which a single MAC address has two ports or a s...

Страница 405: ...ing to its VLAN tag the port towards the VAS server should be the only port with this VLAN tag allowed 6 The VAS server processes the packet and either drops or forwards it without changing the VLAN tag 7 The packet is forwarded by the Ethernet switch to the Cisco SCE platform according to its VLAN tag the port towards the Cisco SCE platform should be the only port with this VLAN tag allowed 8 The...

Страница 406: ...y the VLAN tag size The two Ethernet switches route the traffic to the VAS servers The routing is VLAN based The Ethernet switch should be configured to trunk mode with learning disabled The data flow is the same as that for the single Cisco SCE platform to multiple VAS servers topology see Data Flow section on page 14 15 Note The multiple Cisco SCE platforms to multiple VAS servers topology does ...

Страница 407: ...following items in the PCUBE SE MIB proprietary MIB support VAS traffic forwarding Cisco SCE MIB object vasTrafficForwardingGrp Cisco SCE MIB Object type vasServersTable provides information on each VAS server operational status SNMP Trap vasServerOperationalStatusChangeTrap signifies that the agent entity has detected a change in the operational status of a VAS server ...

Страница 408: ...res and modes listed below cannot coexist with VAS mode Line card connection modes receive only receive only cascade inline cascade Link mode other than forwarding All link encapsulation protocols including VLAN MPLS and L2TP Traffic mirroring see Intelligent Traffic Mirroring section on page 14 36 Note If VAS forwarding is enabled Cisco SCE devices do not forward VLAN tagged subscriber traffic re...

Страница 409: ...dification of some Cisco SCE platform bandwidth management capabilities VAS flows are not subject to global bandwidth control The number of global controllers available to regular flows is decreased from 64 to 48 Global Controllers and VAS Flows When VAS traffic forwarding is enabled the global controllers function slightly differently Only 48 global controllers are available Global controllers 49...

Страница 410: ... Application for Broadband User Guide Following is a high level description of the steps in configuring VAS traffic forwarding 1 Configure the Cisco SCE platform define the servers and the server groups configure pseudo IP for the traffic interfaces used for VAS traffic and enable VAS mode 2 Verify the state of the individual VAS servers as well as that of the VAS server groups to make sure all ar...

Страница 411: ...fic forwarding options Enable or disable VAS traffic forwarding Configure the link number on which to transmit VAS traffic necessary only if the VAS servers are connected on Link 0 rather than Link 1 which is the default VAS traffic link Enabling VAS Traffic Forwarding By default VAS traffic forwarding is disabled If VAS traffic forwarding is required you must enable it both from your Cisco SCE de...

Страница 412: ... packets coming back from the VAS servers may be routed to their original destination with the VLAN tag of the VAS server on it Therefore it is also highly recommended to shut down the line card before you disable the VAS traffic forwarding in the Cisco SCE platform to avoid inconsistency with flows that were already forwarded to the VAS servers Step 1 From the SCA BB console remove all the VAS tab...

Страница 413: ... disabled Health check ports VLAN tag Use the commands in this section to perform these operations for individual VAS servers Enable a specified VAS server Disable a specified VAS server Define the VLAN tag for a specified VAS server Enable or disable the health check for a VAS server Define the source and destination ports to use for the health check Delete all properties for a specified VAS serv...

Страница 414: ...nfig if prompt type How to Restore all VAS Server Properties to Default From the SCE config if prompt type Assigning a VLAN ID to a VAS Server This section contains the following topics How to Configure the VLAN Tag Number for a Specified VAS Server page 14 25 How to Remove the VLAN Tag Number from a Specified VAS Server page 14 25 Command Purpose VAS traffic forwarding VAS server id number enable...

Страница 415: ...no VLAN is the default configuration How to Configure the VLAN Tag Number for a Specified VAS Server From the SCE config if prompt type How to Remove the VLAN Tag Number from a Specified VAS Server From the SCE config if prompt type Configuring the Health Check This section explains how to enable and disable the Health Check and how to define the ports it should use By default the VAS server he...

Страница 416: ... to group This section contains the following topics How to Enable VAS Server Health Check page 14 26 How to Disable VAS Server Health Check page 14 27 How to Define the UDP Ports to be Used for Health Check page 14 27 How to Remove the UDP Ports Configuration page 14 27 Configuring Pseudo IP Addresses for the Health Check Packets page 14 27 Options The following options are available number The I...

Страница 417: ...or the subscriber side interface Source IP address for health check packets going in the Upstream direction Destination IP address for health check packets going in the Downstream direction Pseudo IP configured for the network side interface Source IP address for health check packets going in the Downstream direction Destination IP address for health check packets going in the Upstream direction N...

Страница 418: ... prompt type How to Delete the Pseudo IP Address From the SCE config if prompt type Configuring a VAS Server Group You may define up to eight VAS server groups Each VAS server group has the following parameters Server Group ID A list of VAS servers attached to this group Failure detection minimum number of active servers required for this group so it will be considered to be Active If the number o...

Страница 419: ... can configure these failure parameters for a specified VAS server group Minimum number of active servers If the number of active servers in the server group goes below this number the group will be in Failure state Failure action The action to be applied to all new flows mapped to this server group while it is in Failure state Block all new flows assigned to the failed VAS server group will be block...

Страница 420: ...pe How to Configure the Failure Action for a Specified VAS Server Group From the SCE config if prompt type How to Configure the Failure Action for a Specified VAS Server Group to the Default From the SCE config if prompt type Command Purpose VAS traffic forwarding VAS server group group number failure minimum active servers min number Configures the minimum number of active servers for a specified...

Страница 421: ...nk to Link 0 Step 8 VAS traffic forwarding VAS server id 0 VLAN 600 VAS traffic forwarding VAS server id 1 VLAN 601 VAS traffic forwarding VAS server id 2 VLAN 602 Assign VAS servers 0 2 to VLAN 600 602 respectively Step 9 VAS traffic forwarding VAS server group 0 server id 0 VAS traffic forwarding VAS server group 0 server id 1 VAS traffic forwarding VAS server group 0 server id 2 Map VAS servers...

Страница 422: ...isplay Global VAS Status and Configuration page 14 32 How to Display Operational and Configuration Information for a Specific VAS Server Group page 14 33 How to Display Operational and Configuration Information for All VAS Server Groups page 14 33 How to Display Operational and Configuration Information for a Specific VAS Server page 14 33 How to Display Operational and Configuration Information f...

Страница 423: ...ation for a Specific VAS Server From the SCE prompt type Example SCE show interface linecard 0 VAS traffic forwarding VAS server id 0 VAS server 0 Configured mode enable actual mode enable VLAN 520 server group 3 State UP Health Check configured mode enable status running Health Check source port 63140 destination port 63141 Number of subscribers 0 Command Purpose show interface linecard 0 VAS tra...

Страница 424: ...ived 31028 31027 Good packets received 31028 31027 Error packets received 0 0 Not handled packets 0 0 Average roundtrip in millisecond 0 0 Error packets details Reordered packets 0 0 Bad Length packets 0 0 IP Checksum error packets 0 0 L4 Checksum error packets 0 0 L7 Checksum error packets 0 0 Bad VLAN tag packets 0 0 Bad Device ID packets 0 0 Bad Server ID packets 0 0 Command Purpose show interf...

Страница 425: ...Health Check Counters for All VAS Servers From the SCE prompt type Command Purpose show interface linecard 0 VAS traffic forwarding VAS server id all counters health check Displays health check counters for all VAS servers Command Purpose clear interface linecard 0 VAS traffic forwarding VAS server id id number counters health check Clears the health check counters for a specified VAS server Comma...

Страница 426: ... servers Using Traffic Mirroring for Behavioral Targeting Today Internet advertising is being executed by content providers or publishers in collaboration with ad networks which actually handle the syndication of ads from advertisers to web sites The Cisco Service Control behavioral targeting solution provides the means for service providers to participate in the business of the online advertising...

Страница 427: ...Mirroring Exceptions page 14 38 Cisco SCE Connectivity page 14 39 Traffic Mirroring and Bandwidth Management page 14 41 Traffic Mirroring and SCA BB When traffic mirroring is configured for a certain type of traffic in addition to all its basic functions the SCA BB application decides whether each flow is to be mirrored or not based on L7 classification Traffic mirroring rules are configured throu...

Страница 428: ...e is not mirrored To save on performance on both sides zero payload packets are also not mirrored note that this type of packet has no real value for offline analysis If the VLAN traffic is mirrored Cisco SCE devices replace the VLAN information from the incoming traffic with the VAS configured VLAN information before mirroring the traffic on the VAS port Mirroring the TCP Segmented HTTP GET Pac...

Страница 429: ... egress traffic and the mirrored traffic The direction of the flow is preserved when mirrored so traffic that is received on the subscriber interface on either link is sent over a VLAN on the network interface over this predefined link And traffic that is received on the network interface on either link is sent over a VLAN on the subscriber interface over this predefined link The mirrored traffic ...

Страница 430: ...d sharing 274008 Network Subscribers Network Subscribers Original Traffic Mirrored Traffic Mirrored Traffic leaves the SCE through GBE ports 3 subscriber and 4 network using predefined VLANs Traffic crosses the SCE through link 1 Each server is located on a separate vlan to allow load sharing 274009 Network Subscribers Network Subscribers Original Traffic Mirrored Traffic Mirrored Traffic leaves t...

Страница 431: ...teps in configuring traffic mirroring 1 Configure the Cisco SCE platform define the servers and the server groups 2 Configure which traffic goes to which server group using the SCA BB console Note Additional traffic mirroring configuration and monitoring options are available from the SCA BB Console See the Cisco Service Control Application for Broadband User Guide Note Traffic mirroring is not co...

Страница 432: ...mand Purpose Step 1 configure interface LineCard 0 Enters LineCard Interface configuration mode Step 2 VAS traffic forwarding VAS server id 0 VLAN 640 VAS traffic forwarding VAS server id 1 VLAN 641 VAS traffic forwarding VAS server id 2 VLAN 642 VAS traffic forwarding VAS server id 3 VLAN 643 Assign VAS servers 0 3 to VLAN 640 643 respectively Step 3 VAS traffic forwarding VAS server group 0 serv...

Страница 433: ... compatibility and provide the same information as provided in the past as much as possible This appendix explains how to map the proprietary pcube MIB supported in previous releases to the new MIB structure It points out backward compatibility issues and provides mapping guidelines from old MIB or OID group to a new MIB Note These MIB updates are supported on the Cisco SCE 8000 platform only The pcu...

Страница 434: ...nterprise subtree CISCO SCAS BB MIB my Contains SCA BB information handlers PCUBE SE MIB my Contains information about the Cisco SCE platform Table A 2 Newly Added CISCO SERVICE_CONTROL MIBS That Replace pcube MIBs MIB Description CISCO SERVICE CONTROL LINK MIB my Provides information about the status and configuration of links used by service control entities CISCO SERVICE CONTROL RDR MIB my Defi...

Страница 435: ...nes the textual conventions used within Cisco Entity Redundancy MIBs CISCO ENTITY SENSOR MIB my Monitors the values of sensors in the Entity MIB CISCO PROCESS MIB my Provides overall information about the CPU load CISCO QUEUE MIB my Manages interface queuing in Cisco devices CISCO SECURE SHELL MIB my Displays and configures accounting and Secure Shell SSH related features in a device CISCO SYSLOG ...

Страница 436: ...order Before loading any new CISCO SERVICE CONTROL MIB load the following MIBs in this order 1 SNMPv2 SMI my 2 SNMPv2 CONF my 3 SNMPv2 TC my 4 SNMP FRAMEWORK MIB my 5 ENTITY MIB my 6 INET ADDRESS MIB my 7 CISCO SMI my 8 CISCO TC my Loading procedure for standard MIBs and other legacy Cisco MIBs is explained here http tools cisco com Support SNMP do BrowseMIB do local en step 2 ...

Страница 437: ...me pcubeSeMIBpcubeModuleGroup cServiceControlMIB pcubeSeConformance cServiceControlNotifs pcubeSeGroups cServiceControlObjects pcubeSystemGroup ENTITY and ENTITY EXTENTION MIBs pcubeChassisGroup ENTITY and ENTITY EXTENTION MIBs pcuebModuleGroup ENTITY and ENTITY EXTENTION MIBs pcubeLinkGroup CISCO SERVICE CONTROL LINK MIB pcubeDiskGroup HOST RESOURCES MIB pcubeRdrFormatterGroup CISCO SERVICE CONTR...

Страница 438: ...MIB CISCO SCAS BB MIB The information in the pcubeEnageMIB is available from various RDRs and from tables of the Collection Manager database Therefore this MIB has not been replaced by a new Cisco Service Control MIB For information regarding the mapping of the MIB objects to RDRs and the Collection Manager database see Table A 21 on page A 24 ...

Страница 439: ...ateOper entStateTable entStateAlarm 1 3 6 1 2 1 131 1 1 1 3 1 3 6 1 2 1 131 1 1 1 5 other 1 entStateTable entStateOper unknown 1 entStateTable entStateAlarm indeterminate 2 boot 2 entStateTable entStateOper testing 4 entStateTable entStateAlarm unknown 0x80 operational 3 entStateTable entStateOper enabled 3 entStateTable entStateAlarm unknown 0x80 warning 4 entStateTable entStateOper enabled 3 ent...

Страница 440: ...nvironment CLI command pchassisTempAlarm 1 3 6 1 4 1 5655 4 1 2 4 CISCO ENTITY SENSOR MIB Trap is sent Current status available using the show environment CLI command pchassisVoltageAlarm 1 3 6 1 4 1 5655 4 1 2 5 CISCO ENTITY SENSOR MIB Trap is sent Current status available using the show environment CLI command pchassisNumSlots 1 3 6 1 4 1 5655 4 1 2 6 ENTITY MIB The entity MIB shows the number o...

Страница 441: ...ts 1 3 6 1 4 1 5655 4 1 3 1 1 6 ENTITY MIB The number of entries in ENTITY MIB with entPhysicalClass port pmoduleNumLinks 1 3 6 1 4 1 5655 4 1 3 1 1 7 ENTITY MIB The number of entries in ENTITY MIB with entPhysicalClass other pmoduleConnection Mode 1 3 6 1 4 1 5655 4 1 3 1 1 8 Not mapped Use CLI command show interface linecard connection mode pmoduleSerialNumber 1 3 6 1 4 1 5655 4 1 3 1 1 9 ENTITY...

Страница 442: ...1 3 6 1 4 1 5655 4 1 4 1 1 2 entPhysicalIndex 1 3 6 1 2 1 47 1 1 1 1 1 linkAdminModeOnActive 1 3 6 1 4 1 5655 4 1 4 1 1 3 csclLinkStatusAdminModeOnActive 1 3 6 1 4 1 9 9 631 1 2 1 1 linkAdminModeOnFailure 1 3 6 1 4 1 5655 4 1 4 1 1 4 csclLinkStatusAdminModeOnFailure 1 3 6 1 4 1 9 9 631 1 2 1 2 linkOperMode 1 3 6 1 4 1 5655 4 1 4 1 1 5 cscLinkStatusOperMode 1 3 6 1 4 1 9 9 631 1 2 1 3 linkStatusRef...

Страница 443: ...matterDestPort 1 3 6 1 4 1 5655 4 1 6 2 1 2 cServiceControlRDRFormatterDestPort 1 3 6 1 4 1 9 9 637 1 2 1 4 rdrFormatterDestPriority 1 3 6 1 4 1 5655 4 1 6 2 1 3 cServiceControlRDRFormatterDestPriority 1 3 6 1 4 1 9 9 637 1 2 1 5 rdrFormatterDestStatus 1 3 6 1 4 1 5655 4 1 6 2 1 4 cServiceControlRDRFormatterDestStatus 1 3 6 1 4 1 9 9 637 1 2 1 6 rdrFormatterDest ConnectionStatus 1 3 6 1 4 1 5655 4...

Страница 444: ...try 1 3 6 1 4 1 5655 4 1 6 11 1 Available through the CLI rdrFormatterCategory Index 1 3 6 1 4 1 5655 4 1 6 11 1 1 Available through the CLI rdrFormatterCategory Name 1 3 6 1 4 1 5655 4 1 6 11 1 2 Available through the CLI rdrFormatterCategory NumReportsSent 1 3 6 1 4 1 5655 4 1 6 11 1 3 Available through the CLI rdrFormatterCategory NumReportsDiscarded 1 3 6 1 4 1 5655 4 1 6 11 1 4 Available thro...

Страница 445: ...5655 4 1 8 1 1 cServiceControlSubscribersInfoTable 1 3 6 1 4 1 9 9 628 1 2 subscribersInfoEntry 1 3 6 1 4 1 5655 4 1 8 1 1 1 cServiceControlSubscribersInfoEntry 1 3 6 1 4 1 9 9 628 1 2 1 subscribersNumIntroduced 1 3 6 1 4 1 5655 4 1 8 1 11 1 cServiceControlSubscribersNumIntroduced 1 3 6 1 4 1 9 9 628 1 2 1 1 subscribersNumFree 1 3 6 1 4 1 5655 4 1 8 1 1 2 cServiceControlSubscribersNumFree 1 3 6 1 ...

Страница 446: ...lSubscribersNumWithSessions 1 3 6 1 4 1 9 9 628 1 2 1 14 subscribersPropertiesTable 1 3 6 1 4 1 5655 4 1 8 2 Not mapped subscribersPropertiesEntry 1 3 6 1 4 1 5655 4 1 8 2 1 Not mapped spIndex 1 3 6 1 4 1 5655 4 1 8 2 1 1 Not mapped spName 1 3 6 1 4 1 5655 4 1 8 2 1 2 Not mapped spType 1 3 6 1 4 1 5655 4 1 8 2 1 3 Not mapped subscribersPropertiesValueTable 1 3 6 1 4 1 5655 4 1 8 3 Not mapped subsc...

Страница 447: ...NTROL TP STATS MIB cscTpTotalHandledPackets 1 3 6 1 4 1 9 9 634 1 1 1 1 tpTotalNumHandled Flows 1 3 6 1 4 1 5655 4 1 9 1 1 4 CISCO SERVICE CONTROL TP STATS MIB cscTpTotalHandledFlows 1 3 6 1 4 1 9 9 634 1 1 1 2 tpNumActiveFlows 1 3 6 1 4 1 5655 4 1 9 1 1 5 CISCO SERVICE CONTROL TP STATS MIB cscTpActiveFlows 1 3 6 1 4 1 9 9 634 1 1 1 3 tpNumActiveFlowsPeak 1 3 6 1 4 1 5655 4 1 9 1 1 6 Not mapped tp...

Страница 448: ...6 1 4 1 5655 4 1 9 1 1 21 CISCO SERVICE CONTROL TP STATS MIB cscTpTotalFragments 1 3 6 1 4 1 9 9 634 1 1 1 10 tpTotalNum NonIpPackets 1 3 6 1 4 1 5655 4 1 9 1 1 22 CISCO SERVICE CONTROL TP STATS MIB cscTpTotalNonIpPackets 1 3 6 1 4 1 9 9 634 1 1 1 11 tpTotalNumIp CrcErrPackets 1 3 6 1 4 1 5655 4 1 9 1 1 23 CISCO SERVICE CONTROL TP STATS MIB cscTpTotalIpChecksum ErrPackets 1 3 6 1 4 1 9 9 634 1 1 1...

Страница 449: ...Utilization 1 3 6 1 4 1 5655 4 1 9 1 1 38 CISCO SERVICE CONTROL TP STATS MIB cscTpFlowsCapacity Utilization 1 3 6 1 4 1 9 9 634 1 1 1 19 tpFlowsCapacity UtilizationPeak 1 3 6 1 4 1 5655 4 1 9 1 1 39 Not mapped tpFlowsCapacity UtilizationPeakTime 1 3 6 1 4 1 5655 4 1 9 1 1 40 Not mapped tpServiceLoss 1 3 6 1 4 1 5655 4 1 9 1 1 41 CISCO SERVICE CONTROL TP STATS MIB cscTpServiceLoss 1 3 6 1 4 1 9 9 6...

Страница 450: ...assis contains Slot contains Link contains Port 1 3 6 1 2 1 47 1 1 1 1 1 pportOperStatus 1 3 6 1 4 1 5655 4 1 10 1 1 10 ENTITY MIB entPhysicalIndex Defined in ENTITY STATE MIB 1 3 6 1 2 1 47 1 1 1 1 1 Table A 16 txQueuesGrp 1 3 6 1 4 1 5655 4 1 11 pcube Object Name OID New MIB New Object Name OID txQueuesTable 1 3 6 1 4 1 5655 4 1 11 1 CISCO QUEUE MIB cQIfTable and cQStatsTable 1 3 6 1 4 1 9 9 37 ...

Страница 451: ...1 5655 4 1 12 1 1 cscGlobalControllersEntry 1 3 6 1 4 1 9 9 667 0 1 1 globalControllersModuleIndex 1 3 6 1 4 1 5655 4 1 12 1 1 1 Not mapped Provided by entPhysicalIndex globalControllersPortIndex 1 3 6 1 4 1 5655 4 1 12 1 1 2 Not mapped Provided by entityPhyIndex globalControllersIndex 1 3 6 1 4 1 5655 4 1 12 1 1 3 cscGlobalControllersId 1 3 6 1 4 1 9 9 667 0 1 1 2 globalControllersDescription 1 3...

Страница 452: ...apped to CISCO SERVICE CONTROL ATTACK MIB pcube Object Name OID New Object Name OID attackTypeTable 1 3 6 1 4 1 5655 4 1 15 1 cscaTypeTable 1 3 6 1 4 1 9 9 693 1 2 attackTypeEntry 1 3 6 1 4 1 5655 4 1 15 1 1 cscaTypeEntry 1 3 6 1 4 1 9 9 693 1 2 1 attackTypeIndex 1 3 6 1 4 1 5655 4 1 15 1 1 1 cscaTypeIndex 1 3 6 1 4 1 9 9 693 1 2 1 1 attackTypeName 1 3 6 1 4 1 5655 4 1 15 1 1 2 not mapped attackTy...

Страница 453: ...4 1 9 9 117 2 0 2 chassisTempAlarmOn Trap 1 3 6 1 4 1 5655 4 0 5 CISCO ENTITY SENSOR MIB entSensorThresholdNotification entSensorThresholdValue 1 entSensorValue 1 1 3 6 1 4 1 9 9 91 2 0 1 chassisTempAlarmOff Trap 1 3 6 1 4 1 5655 4 0 6 CISCO ENTITY SENSOR MIB entSensorThresholdNotification entSensorThresholdValue 0 entSensorValue 0 1 3 6 1 4 1 9 9 91 2 0 1 chassisVoltageAlarmOn Trap 1 3 6 1 4 1 56...

Страница 454: ...etSessionBadLogin Trap 1 3 6 1 4 1 5655 4 0 17 CISCO TELNET SERVER MIB ctsSessionLoginFailure 1 3 6 1 4 1 9 9 630 0 4 loggerUserLogIsFull Trap 1 3 6 1 4 1 5655 4 0 18 CISCO ENTITY ALARM MIB ceAlarmAsserted ceAlarmCleared 1 3 6 1 4 1 9 9 138 2 0 1 1 3 6 1 4 1 9 9 138 2 0 2 sntpClockDriftWarnTrap 1 3 6 1 4 1 5655 4 0 19 CISCO ENTITY ALARM MIB ceAlarmAsserted ceAlarmCleared 1 3 6 1 4 1 9 9 138 2 0 1 ...

Страница 455: ...IB ceAlarmAsserted ceAlarmCleared 1 3 6 1 4 1 9 9 138 2 0 1 1 3 6 1 4 1 9 9 138 2 0 2 moduleOperStatus ChangeTrap 1 3 6 1 4 1 5655 4 0 34 CISCO ENTITY FRU CONTROL MIB Not mapped 1 3 6 1 4 1 9 9 117 2 0 1 portOperStatusChange Trap 1 3 6 1 4 1 5655 4 0 35 CISCO ENTITY FRU CONTROL MIB entStateOperEnabled or entStateOperDisabled 1 3 6 1 4 1 9 9 117 2 0 1 chassisLineFeedAlarm OnTrap 1 3 6 1 4 1 5655 4 ...

Страница 456: ...6 Not mapped pullRequestRetryFailed Trap 1 3 6 1 4 1 5655 4 0 47 Not mapped For SM connection issues the following notification can be used ceAlarmAsserted ceAlarmCleared For SM connection issues the following OIDs can be used 1 3 6 1 4 1 9 9 138 2 0 1 1 3 6 1 4 1 9 9 138 2 0 2 mplsVpnTotalHW MappingsThreshold ExceededTrap 1 3 6 1 4 1 5655 4 0 48 CISCO ENTITY ALARM MIB ceAlarmAsserted ceAlarmClear...

Страница 457: ...ng subscriberGrp 1 3 6 1 4 1 5655 4 2 4 Subscriber Usage RDRs none 1 3 6 1 4 1 5655 4 2 4 serviceCounterGrp 1 3 6 1 4 1 5655 4 2 5 Service Configuration API or the INI_VALUES DB table none 1 3 6 1 4 1 5655 4 2 5 Table A 21 pcubeEnageMIB 1 3 6 1 4 1 5655 4 2 continued pcube Object Name OID Corresponding RDR Objects not mapped OID ...

Страница 458: ...r ceAlarmDescrSeverity 1 1 3 ceAlarmDescrSeverity 1 2 3 ceAlarmDescrSeverity 1 3 2 ceAlarmDescrSeverity 1 4 4 ceAlarmDescrSeverity 1 5 3 ceAlarmDescrSeverity 1 6 3 ceAlarmDescrSeverity 1 7 3 ceAlarmDescrText octet string ceAlarmDescrText 1 1 Logger user log is full ceAlarmDescrText 1 2 Sntp clock drift warn ceAlarmDescrText 1 3 Module sm connection down ceAlarmDescrText 1 4 Module sm connection up...

Страница 459: ...relative amount of traffic which was bypassed by the Cisco SCE from one side to another without being serviced due to lack of resources either CPU or memory In previous versions it indicated the service loss since last reboot or last time the counters were cleared Release 3 6 0 MIB Updates CISCO PROCESSOR MIB cpmCPUTotalTable Previous to SCOS Release 3 6 0 the cpmCPUTotalTable provided information...

Страница 460: ...DestTable rdrCategoryTable rdrFormatterTable rdrCategoryDest cisco service control subscriber mib subscriberTable subscriberInfoTable cisco service control tp stats mib tpStatsTrafficCounterTable entity state mib entityStateTable Traps rdr active connection rdr no active connection rdr connection up rdr connection down rdr formatterCategoryDisacard rdrCategoryStoppedDiscard userlogFull userLogNotF...

Страница 461: ...ISCO ENTITY SENSOR MIB is read only Thresholds are internally defined and cannot be changed Note Temperature reported for the entities FRUs are a normalized temperature since there is no single temperature reading for an entire FRU Release 3 7 0 MIB Updates SNMP Support for Aggregative Global Controllers In Release 3 7 0 the CISCO SERVICE CONTROLLER MIB has been expanded to provide information reg...

Страница 462: ...P trap cscaGlobalAttackFilterChange 1 3 6 1 4 1 9 9 693 0 2 to notify global attacks If a global attack occurs Cisco SCE sends this trap at the start and stop of the attack The trap includes the following components entPhysicalName 1 3 6 1 2 1 47 1 1 1 1 7 Indicates the name of the originating physical entity cscaGlobalAttackType 1 3 6 1 4 1 9 9 693 1 1 10 Indicates the type of the global attack cscaF...

Страница 463: ...be sure that utilization remains at a level that supports reliable and consistent service When the Cisco SCE platform reaches its performance envelopes it activates certain mechanisms that ensure that no traffic will be dropped while in this state These mechanisms will prioritize packet handling over service related actions As a result symptoms of service loss might be experienced Following are se...

Страница 464: ...zing of the solution when the CPU utilization exceeds 85 regularly at peak hours Flows Capacity SNMP cscTpFlowsCapacityUtilization available for each Traffic Processor Refer to the cisco service control tp stats MIB for more information CLI command show snmp MIB cisco service control tp stats include cscTpFlowsCapacityUtilization It is advisable to consider sizing of the solution when the flows ca...

Страница 465: ...that the Cisco SCE platform could not detect and filter This is usually measured in seconds Permanent In cases where the Cisco SCE platform is installed in locations where the network traffic does not match its capacity and performance envelopes permanent service loss can occur This is measured in hours Service loss is defined as the ratio of the number of packets that did not receive service as e...

Страница 467: ...arked as such and if the derived work is incompatible with the protocol description in the RFC file it must be called by a name other than ssh or Secure Shell Tatu continues However I am not implying to give any licenses to any patents or copyrights held by third parties and the software includes parts that are not under my direct control As far as I know all included source code is used in accord...

Страница 468: ...ERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND OR OTHER PARTIES PROVIDE THE PROGRAM AS IS WITHOUT WARRANTY OF ANY KIND EITHER EXPRESSED OR IMPLIED INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE THE ENTIRE RISK AS TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU SHOULD THE PROGRAM PROVE DEFECTIVE YOU ASSUME THE COST OF ALL NE...

Страница 469: ... public domain and distributed with the following license version 3 0 December 2000 Optimised ANSI C code for the Rijndael cipher now AES author Vincent Rijmen vincent rijmen esat kuleuven ac be author Antoon Bosselaers antoon bosselaers esat kuleuven ac be author Paulo Barreto paulo barreto terra com br This code is hereby placed in the public domain THIS SOFTWARE IS PROVIDED BY THE AUTHORS AS IS...

Страница 470: ...name of the University nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS AS IS AND ANY EXPRESS OR IMPLIED WARRANTIES INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO ...

Страница 471: ...arker Gert Doering Jakob Schlyter Jason Downs Juha Yrjölä Michael Stone Networks Associates Technology Inc Solar Designer Todd C Miller Wayne Schroeder William Jones Darren Tucker Sun Microsystems The SCO Group Daniel Walsh 7 Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met 1 Redistributions of source code m...

Page 472: ...GE 8 Portable OpenSSH contains the following additional licenses a md5crypt c md5crypt h THE BEER WARE LICENSE Revision 42 phk login dknet dk wrote this file As long as you retain this notice you can do whatever you want with this stuff If we meet some day and you think this stuff is worth it you can buy me a beer in return Poul Henning Kamp b snprintf replacement Copyright Patrick Powell 1995 Thi...

Page 473: ...D FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT INDIRECT INCIDENTAL SPECIAL EXEMPLARY OR CONSEQUENTIAL DAMAGES INCLUDING BUT NOT LIMITED TO PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT...

Page 474: ... publish distribute distribute with modifications sublicense and or sell copies of the Software and to permit persons to whom the Software is furnished to do so subject to the following conditions The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software THE SOFTWARE IS PROVIDED AS IS WITHOUT WARRANTY OF ANY KIND EXPRESS OR IMPLIE...

Page 475: ... OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE Part 2 Networks Associates Technology Inc copyright notice BSD Copyright c 2001 2003 Networks Associates Technology Inc All rights reserved Redistribution and use in source and binary forms with or without modification are permitted provided that the following conditions are met Redistributions of source code must retain the above c...

Page 476: ...NY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Part 4 Sun Microsystems Inc copyright notice BSD Copyright 2003 Sun Microsystems Inc 4150 Network Circle Santa Clara California 95054 U S A All rights reserved Use is subject to license terms below This distribution may include materials developed by third parties Sun Sun Microsystems the Sun logo and Solaris ...

Page 477: ...ENT OF SUBSTITUTE GOODS OR SERVICES LOSS OF USE DATA OR PROFITS OR BUSINESS INTERRUPTION HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY WHETHER IN CONTRACT STRICT LIABILITY OR TORT INCLUDING NEGLIGENCE OR OTHERWISE ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE Part 6 Cisco BUPTNIC copyright notice BSD Copyright c 2004 Cisco Inc and Information ...

Page 478: ...ce the above copyright notice this list of conditions and the following disclaimer in the documentation and or other materials provided with the distribution The name of Fabasoft R D Software GmbH Co KG or any of its subsidiaries brand or product names may not be used to endorse or promote products derived from this software without specific prior written permission THIS SOFTWARE IS PROVIDED BY T...
