-
Cisco SCE8000 10GBE Software Configuration Guide, Release 3.7.x
-
About this Guide
-
Cisco Service Control Overview
-
Command Line Interface
-
Basic Cisco SCE8000 Platform Operations
-
Utilities
-
Configuring the Management Interface and Security
-
Global Configuration
-
Configuring the Line Interface
-
Configuring the Connection
-
Raw Data Formatting: The RDR Formatter and NetFlow Exporting
-
Managing Subscribers
-
Redundancy and Fail-Over
-
Identifying and Preventing Distributed-Denial-Of-Service Attacks
-
Managing the SCMP
-
Intelligent Traffic Mirroring
-
Cisco Service Control MIBs
-
Monitoring SCE Platform Utilization
-
SCE8000 Licensing Information
-
Feedback
Table Of Contents
Configuring the Management Interface and Security
Management Interface and Security
Configuring the Management Ports
Entering the Management Interface Configuration Mode
Configuring the Management Port Physical Parameters
Setting the IP Address and Subnet Mask of the Management Interface
Configuring the Management Interface Speed and Duplex Parameters
Specifying the Active Management Port
Management Interface Redundancy
Configuring the Management Ports for Redundancy
Configuring the Fail-Over Mode
Monitoring the Management Interface
Configuring Management Interface VLANs
Mapping of VLAN ID to Virtual Gi ID
Configuring VLAN ID Mapping to Virtual Gi ID
Monitoring Mapping of VLAN ID to Virtual ID
TACACS+ Authentication, Authorization, and Accounting
Information about TACACS+ Authentication, Authorization, and Accounting
General AAA Fallback and Recovery Mechanism
Configuring the SCE Platform TACACS+ Client
Adding a New TACACS+ Server Host
Removing a TACACS+ Server Host
Configuring the Global Default Key
Configuring the Global Default Timeout
Adding a New User to the Local Database
Defining the User Privilege Level
Adding a New User with Privilege Level and Password
Configuring AAA Login Authentication
Configuring Maximum Login Attempts
Configuring the AAA Login Authentication Methods
Configuring AAA Privilege Level Authorization Methods
Configuring AAA Command Level Authorization Methods
Displaying Statistics for TACACS+ Servers
Displaying Statistics, Keys and Timeouts for TACACS+ Servers
Configuring Access Control Lists (ACLs)
Assigning an ACL to the Telnet Interface
Removing the ACL Assignment from the Telnet Interface
Configuring the Telnet Timeout
Assigning an ACL to the SSH Server
Removing the ACL Assignment from the SSH Server
Deleting the Existing SSH Keys
Monitoring the Status of the SSH Server
Configuring and Managing the SNMP Interface
How to Enable the SNMP Interface
How to Disable the SNMP Interface
Configuring SNMP Community Strings
Displaying the Configured Community Strings
Configuring SNMP Notifications
Configuring the Management Interface and Security
Revised: September 27, 2012, OL-24150-06Introduction
This chapter describes how to configure the physical management interfaces (ports) as well as the various management interface applications, such as SNMP, SSH, and TACACS+. It also explains how to configure users, passwords, IP configuration, clock and time zone, and domain name settings.
•
Management Interface and Security
•
•
•
•
•
•
•
Management Interface and Security
The SCE8000 platform is equipped with two RJ-45 management ports (Port1 and Port2 on the SCE8000-SCM-E module in slot 1). These ports provide access from a remote management console to the SCE platform via a LAN.
The two management ports support management interface redundancy, providing the possibility for a backup management link.
Note
Note
Perform the following tasks to configure the management interface and management interface security:
•
–
–
–
•
–
Configuring the Management Ports
•
•
•
•
Perform the following tasks to configure the management ports:
•
•
–
–
–
•
–
Step 1
Step 2
Step 3
Entering the Management Interface Configuration Mode
When entering Management Interface Configuration Mode, you must indicate the number of the management port to be configured:
•
•
The following Management Interface commands are applied only to the port specified when entering Management Interface Configuration Mode. Therefore, each port must be configured separately:
•
•
The following Management Interface commands are applied to both management ports, regardless of which port had been specified when entering Management Interface Configuration Mode. Therefore, both ports are configured with one command:
•
•
The GBE management interface is configured as follows:
•
•
Step 1
Enters Global Configuration mode.
The command prompt changes to SCE(config)#.
Step 2
Enters Management Interface Configuration mode.
The command prompt changes to SCE(config if)#
Configuring the Management Port Physical Parameters
This interface has a transmission rate of 10, 100, or 1000 Mbps and is used for management operations and for transmitting RDRs, which are the output of traffic analysis and management operations.
•
•
•
Setting the IP Address and Subnet Mask of the Management Interface
You must define the IP address of the management interface.
When both management ports are connected, providing a redundant management port, this IP address always acts as a virtual IP address for the currently active management port, regardless of which port is the active port.
Options
The following options are available:
•
If both management ports are connected, so that a backup management link is available, this IP address will be act as a virtual IP address for the currently active management port, regardless of which physical port is currently active.
The following IP addresses are used internally by the SCE8000 platform and cannot be assigned to the management interface:
–
–
•
Step 1
From the SCE(config)# prompt, type interface Mng (0/1 | 0/2) and press Enter.
Step 2
The command might fail if there is a routing table entry that is not part of the new subnet defined by the new IP address and subnet mask.
Caution
Note
Setting the IP Address and Subnet Mask of the Management Interface: Example
The following example shows how to set the IP address of the SCE platform to 10.1.1.1 and the subnet mask to 255.255.0.0.
SCE#configSCE(config)#interface mng 0/1SCE(config if)#ip address 10.1.1.1 255.255.0.0Configuring the Management Interface Speed and Duplex Parameters
This section presents sample procedures that describe how to configure the speed and the duplex of the management interface.
Both these parameters must be configured separately for each port.
•
•
•
Interface State Relationship to Speed and Duplex
Table 5-1 summarizes the relationship between the interface state and speed and duplex.
Note
How to Configure the Speed of the Management Interface
Options
The following options are available:
•
–
–
–
If the duplex parameter is configured to auto, changing the speed parameter has no effect.
Step 1
From the SCE(config)# prompt, type interface Mng (0/1 | 0/2) and press Enter.
Step 2
Specify the desired speed option.
Configuring the Speed of the Management Interface: Example
The following example shows how to use this command to configure the Management port to 100 Mbps speed.
SCE#configSCE(config)#interface mng 0/1SCE(config if)#speed 100How to Configure the Duplex Operation of the Management Interface
Options
The following options are available:
•
–
–
–
If the speed parameter is configured to auto, changing the duplex parameter has no effect.
Step 1
From the SCE(config)# prompt, type interface Mng (0/1 | 0/2) and press Enter.
Step 2
Specify the desired duplex option.
Configuring the Duplex Operation of the Management Interface: Example
The following example shows how to use this command to configure the management port to half duplex mode.
SCE#configSCE(config)#interface mng 0/2SCE(config if)#duplex halfSpecifying the Active Management Port
This command explicitly specifies which management port is currently active. Its use varies slightly, depending on whether the management interface is configured as a redundant interface (auto fail-over enabled) or not (auto fail-over disabled).
•
•
Step 1
From the SCE(config)# prompt, type interface Mng (0/1 | 0/2) and press Enter.
Step 2
Specifying the Active Management Port: Example
The following example shows how to use this command to configure Mng port 2 as the currently active management port.
SCE#configSCE(config)#interface mng 0/2SCE(config if)#active-portManagement Interface Redundancy
•
•
The SCE platform contains two RJ-45 management ports. The two management ports provide the possibility for a redundant management interface, thus ensuring management access to the SCE platform even if there is a failure in one of the management links. If a failure is detected in the active management link, the standby port automatically becomes the new active management port.
Note that both ports must be connected to the management console via a switch. In this way, the IP address of the MNG port is always the same, regardless of which physical port is currently active.
Important information:
•
•
•
–
–
•
•
•
•
Configuring the Management Ports for Redundancy
Step 1
Using the switch ensures that the IP address of the MNG port is always the same, regardless of which physical port is currently active
Step 2
See Configuring the Fail-Over Mode.
Step 3
The same IP address will always be assigned to the active management port, regardless of which physical port is currently active.
See Setting the IP Address and Subnet Mask of the Management Interface.
Step 4
See Configuring the Management Interface Speed and Duplex Parameters.
Configuring the Fail-Over Mode
•
•
Use the following command to enable automatic fail-over. The automatic mode must be enabled to support management interface redundancy. This mode automatically switches to the backup management link when a failure is detected in the currently active management link.
This parameter can be configured when in management interface configuration mode for either management port, and is applied to both ports with one command.
Options
The following options are available:
•
–
How to Enable the Automatic Fail-Over Mode
From the SCE(config if)# prompt, type:
How to Disable the Automatic Fail-Over Mode
From the SCE(config if)# prompt, type:
Monitoring the Management Interface
Use this command to display the following information for the management interface.
•
•
•
•
From the SCE# prompt, type:
Configuring Management Interface VLANs
The SCE management network interface is used for various management services such as:
•
•
Management interface VLANS provide a way to distinguish between these management services (Telnet, SSH, SNMP) by using separate VLANs carried over same physical port (see Figure 5-1).
Figure 5-1 Management Interface VLANS
There are two steps in configuring management VLANs:
1.
2.
–
–
–
When a new management VLAN is configured, the device adds a new routing entry in the routing table. So, each configured IP address should be routable from the Cisco SCE.
Here is an example of a sample configuration.
The following are some of the valid IP entries:
•
•
•
If the IP addresses listed above are added, the device creates the following entries in the routing table:
Destination Gateway Genmask Flags Metric Ref Use Iface
10.10.20.0 * 255.255.255.192 U 0 0 0 bond0.120
10.10.30.0 * 255.255.255.192 U 0 0 0 bond0.150
10.10.10.0 * 255.255.255.192 U 0 0 0 bond0.100
The following diagram provides another view of the configured management VLAN:
SUMMARY STEPS
1.
2.
3.
4.
DETAILED STEPS
Monitoring Management VLANs
To monitor managment VLANs, use one or more of the following commands.
These commands are in viewer mode.
Mapping of VLAN ID to Virtual Gi ID
The mapping of VLAN ID to virtual Gi ID feature enables SCE to map the VLAN ID retrieved from the subscriber traffic to a virtual Gi ID; thus, allowing the PCRF to fetch the policy corresponding to the VLAN ID and IP address, and send it to SCE. The physical VLAN ID received from the subscriber side traffic is in the range of 1-4094. This range (1-4094) is mapped to a static virtual ID that is of the range 1-255, and is used by the PCRF server to fetch the policy.
The mapped virtual ID is sent to the PCRF server as part of the CCR-I request. The corresponding policy is sent back to the SCE as part of the CCA answer.
Figure 5-2 Mapping of VLAN ID to Virtual ID
Gi AVP
Table 5-2 defines the Gi AVP that carries the mapped Virtual Gi ID as part of a CCR-I request:
The optional flag (O) is set for TMO-Virtual-Gi-ID and is used in CCR-I. The value type (unsigned integer 32) carries the value of the mapped virtual-ID.
Configuring VLAN ID Mapping to Virtual Gi ID
This section contains the information and instructions to configure and monitor the feature.
Following are the steps for configuring the mapping of VLAN ID to a virtual Gi interface ID.
1.
2.
3.
4.
SUMMARY STEPS
1.
2.
3.
4.
5.
6.
7.
8.
9.
10.
11.
DETAILED STEPS
Monitoring Mapping of VLAN ID to Virtual ID
To monitor mapping of VLAN ID to Virtual ID, use one or more of the following commands.
These commands are in viewer mode.
TACACS+ Authentication, Authorization, and Accounting
•
•
•
•
•
Information about TACACS+ Authentication, Authorization, and Accounting
•
•
TACACS+ is a security application that provides centralized authentication of users attempting to gain access to a network element. The implementation of TACACS+ protocol allows customers to configure one or more authentication servers for the SCE platform, providing a secure means of managing the SCE platform, as the authentication server will authenticate each user. This then centralizes the authentication database, making it easier for the customers to manage the SCE platform.
TACACS+ services are maintained in a database on a TACACS+ server running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network element are available.
The TACACS+ protocol provides authentication between the network element and the TACACS+ ACS, and it can also ensure confidentiality, if a key is configured, by encrypting all protocol exchanges between a network element and a TACACS+ server.
The TACACS+ protocol provides the following three features:
•
•
•
Login Authentication
The SCE platform uses the TACACS+ ASCII authentication message for CLI, Telnet and SSH access.
TACACS+ allows an arbitrary conversation to be held between the server and the user until the server receives enough information to authenticate the user. This is usually done by prompting for a username and password combination.
The login and password prompts may be provided by the TACACS+ server, or if the TACACS+ server does not provide the prompts, then the local prompts will be used.
The user log in information (user name and password) is transmitted to the TACACS+ server for authentication. If the TACACS+ server indicates that the user is not authenticated, the user will be re-prompted for the user name and password. The user is re-prompted a user-configurable number of times, after which the failed login attempt is recorded in the SCE platform user log and the telnet session is terminated (unless the user is connected to the console port.)
The SCE platform will eventually receive one of the following responses from the TACACS+ server:
•
•
•
•
If the server is unavailable, the next authentication method is attempted, as explained in General AAA Fallback and Recovery Mechanism.
Accounting
The TACACS+ accounting supports the following functionality:
•
•
•
–
–
–
–
TACACS+ accounting is in addition to normal local accounting using the SCE platform dbg log.
Privilege Level Authorization
After a successful login the user is granted a default privilege level of 0, giving the user the ability to execute a limited number of commands. Changing privilege level is done by executing the "enable" command. This command initiates the privilege level authorization mechanism.
Privilege level authorization in the SCE platform is accomplished by the use of an "enable" command authentication request. When a user requests an authorization for a specified privilege level, by using the "enable" command, the SCE platform sends an authentication request to the TACACS+ server specifying the requested privilege level. The SCE platform grants the requested privilege level only after the TACACS+ server does the following:
•
•
Once the user privilege level has been determined, the user is granted access to a specified set of commands according to the level granted.
As with login authentication, if the server is unavailable, the next authentication method is attempted, as explained in General AAA Fallback and Recovery Mechanism.
Command Level Authorization
When command level authorization is enabled, each CLI command that is issued must be authorized by the external TACACS server before the system actually executes the command. You can configure the authorization level at which command level authorization is required. For example, you can require command level authorization only at root level.
As with login and privilege level authentication, if the TACACS+ server is unavailable, the regular fall back mechanism will be used.
General AAA Fallback and Recovery Mechanism
The SCE platform uses a fall-back mechanism to maintain service availability in case of an error.
The AAA methods available are:
•
•
•
•
In the current implementation the order of the methods used isn't configurable but the customer can choose which of the methods are used. The current order is:
•
•
•
•
Caution
To run the "AAA_MethodsReset" shell function, complete the following steps:
1. Connect to AUX with username "root"
2. Run the debug shell: scos_xinetd --service debug-shell --on
3. Use Telnet to access the shell: telnet localhost 2301
4. Run the shell function: AAA_MethodsReset
About Configuring TACACS+
The following is a summary of the procedure for configuring TACACS+. All steps are explained in detail in the remainder of this section.
1.
Configure the remote servers for the protocols. Keep in mind the following guidelines
–
–
–
–
1.
2.
–
–
–
3.
–
If the local database and TACACS+ are both configured, it is recommended to configure the same user names in both TACACS+ and the local database. This will allow the users to access the SCE platform in case of TACACS+ server failure.
Note
–
–
4.
–
–
–
5.
Use the " show running-config " command to view the configuration.
Configuring the SCE Platform TACACS+ Client
•
•
•
•
The user must configure the remote servers for the TACACS+ protocol. Then the SCE platform TACACS+ client must be configured to work with the TACACS+ servers. The following information must be configured:
•
For each sever host, the following information can be configured:
–
–
–
–
•
If the default encryption key is not configured, a default of no key is assigned to any server for which a key is not explicitly configured.
•
If the default timeout interval is not configured, a default of five seconds is assigned to any server for which a timeout interval is not explicitly configured.
The procedures for configuring the SCE platform TACACS+ client are explained in the following sections:
•
•
•
•
Adding a New TACACS+ Server Host
Use this command to define a new TACACS+ server host that is available to the SCE platform TACACS+ client.
The Service Control solution supports a maximum of three TACACS+ server hosts.
Options
The following options are available:
•
•
–
•
–
•
–
From the SCE(config)# prompt, type:
tacacs-server host host-name [port portnumber] [timeout timeout-interval] [key key-string]
Define a new TACACS+ server host that is available to the SCE platform TACACS+ client.
Removing a TACACS+ Server Host
Options
The following options are available:
•
From the SCE(config)# prompt, type:
Configuring the Global Default Key
Use this command to define the global default key for the TACACS+ server hosts. This default key can be overridden for a specific TACACS+ server host by explicitly configuring a different key for that TACACS+ server host.
Options
The following options are available:
•
–
To define a global default key, do the following:
From the SCE(config)# prompt, type:
tacacs-server key key-string
Defines the global default key for the TACACS+ server hosts.
To clear a global default key, do the following:
From the SCE(config)# prompt, type:
Configuring the Global Default Timeout
Use this command to define the global default timeout interval for the TACACS+ server hosts. This default timeout interval can be overridden for a specific TACACS+ server host by explicitly configuring a different timeout interval for that TACACS+ server host.
Options
The following options are available:
•
–
To define the global default timeout, do the following:
From the SCE(config)# prompt, type:
To clear the global default timeout, do the following:
From the SCE(config)# prompt, type:
Managing the User Database
TACACS+ maintains a local user database. Up to 100 users can be configured in this local database, which includes the following information for all users:
•
•
•
The procedures for managing the local user database are explained in the following sections:
•
•
•
Adding a New User to the Local Database
Use these commands to add a new user to the local database. Up to 100 users may be defined.
•
•
•
•
Options
The password is defined with the username. There are several password options:
•
•
Use the password parameter.
•
Password may be defined by either of the following methods:
–
–
The following options are available:
•
•
–
–
•
The following keywords are available:
•
•
–
–
How to Add a User with a Clear Text Password
From the SCE(config)# prompt, type:
How to Add a User with No Password
From the SCE(config)# prompt, type:
How to Add a User with an MD5 Encrypted Password Entered in Clear Text
From the SCE(config)# prompt, type:
username name secret 0 password
Adds a user with an MD5 encrypted password entered in clear text.
How to Add a User with an MD5 Encrypted Password Entered as an MD5 Encrypted String
From the SCE(config)# prompt, type:
username name secret 5 encrypted-secret
Adds a user with an MD5 encrypted password entered as an MD5 encrypted string.
Defining the User Privilege Level
Privilege level authorization in the SCE platform is accomplished by the use of an " enable " command authentication request. When a user requests an authorization for a specified privilege level, by using the " enable " command, the SCE platform sends an authentication request to the TACACS+ server specifying the requested privilege level. The SCE platform grants the requested privilege level only after the TACACS+ server authenticates the " enable " command password and verifies that the user has sufficient privileges the enter the requested privilege level.
Options
The following options are available:
•
•
–
–
–
From the SCE(config)# prompt, type:
Adding a New User with Privilege Level and Password
Use these commands to define a new user, including password and privilege level, in a single command.
Note
•
•
Options
The following options are available:
•
•
–
–
–
•
–
–
•
The following keywords are available:
•
–
–
How to Add a User with a Privilege Level and a Clear Text Password
From the SCE(config)# prompt, type:
username name privilege level password password
Adds a user with a privilege level and a clear text password.
How to Add a User with a Privilege Level and an MD5 Encrypted Password Entered in Clear Text
From the SCE(config)# prompt, type:
username name privilege level secret 0 password
Adds a user with a privilege level and an MD5 encrypted password entered in clear text.
How to Add a User with a Privilege Level and an MD5 Encrypted Password Entered as an MD5 Encrypted String
From the SCE(config)# prompt, type:
username name privilege level secret 5 encrypted-secret
Adds a user with a privilege level and an MD5 encrypted password entered as an MD5 encrypted string.
Deleting a User
Options
The following options are available:
•
From the SCE(config)# prompt, type:
Configuring AAA Login Authentication
There are two features to be configured for login authentication:
•
•
The procedures for configuring login authentication are explained in the following sections:
•
•
Configuring Maximum Login Attempts
Use this command to set the maximum number of login attempts that will be permitted before the session is terminated.
Options
The following options are available:
•
This is relevant only for Telnet sessions. From the local console, the number of re-tries is unlimited.
–
From the SCE(config)# prompt, type:
aaa authentication attempts login number-of-attempts
Configures maximum login attempts.
Configuring the AAA Login Authentication Methods
You can configure "backup" login authentication methods to be used if failure of the primary login authentication method (see General AAA Fallback and Recovery Mechanism).
Use this command to specify which login authentication methods are to be used, and in what order of preference.
•
•
Options
The following options are available:
•
–
–
–
–
How to Specify the Login Authentication Methods
From the SCE(config)# prompt, type:
How to Delete the Login Authentication Methods List
From the SCE(config)# prompt, type:
Configuring AAA Privilege Level Authorization Methods
•
•
Options
The following options are available:
•
–
–
–
–
How to Specify AAA Privilege Level Authorization Methods
From the SCE(config)# prompt, type:
How to Delete the AAA Privilege Level Authorization Methods List
From the SCE(config)# prompt, type:
Configuring AAA Command Level Authorization Methods
•
•
Options
The following options are available:
•
•
–
–
How to Specify AAA Command Level Authorization Methods
From the SCE(config)# prompt, type:
How to Delete the AAA Command Level Authorization Methods List
From the SCE(config)# prompt, type:
Configuring AAA Accounting
Use this command to enable or disable TACACS+ accounting.
•
If TACACS+ accounting is enabled, the SCE platform sends an accounting message to the TACACS+ server after every command execution. The accounting message is logged in the TACACS+ server for the use of the network administrator.
By default, TACACS+ accounting is disabled.
Options
The following options are available:
•
How to Enable AAA Accounting
From the SCE(config)# prompt, type:
How to Disable AAA Accounting
From the SCE(config)# prompt, type:
Monitoring TACACS+
•
•
Displaying Statistics for TACACS+ Servers
From the SCE# prompt, type:
Displaying Statistics, Keys and Timeouts for TACACS+ Servers
From the SCE# prompt, type:
Monitoring TACACS+ Users
Use this command to display the users in the local database, including passwords.
From the SCE# prompt, type:
Configuring Access Control Lists (ACLs)
The SCE platform can be configured with Access Control Lists (ACLs), which are used to permit or deny incoming connections on the management interface. An access list is an ordered list of entries, each consisting of an IP address and an optional wildcard "mask" defining an IP address range, and a permit/deny field.
The order of the entries in the list is important. The default action of the first entry that matches the connection is used. If no entry in the Access List matches the connection, or if the Access List is empty, the default action is deny.
Configuration of system access is done in two stages:
1.
2.
Creating an access list is done entry by entry, from the first to the last.
When the system checks for an IP address on an access list, the system checks each line in the ACL for the IP address, starting at the first entry and moving towards the last entry. The first match that is detected (that is, the IP address being checked is found within the IP address range defined by the entry) determines the result, according to the permit/deny flag in the matched entry. If no matching entry is found in the ACL, access is denied.
You can create up to 99 ACLs. ACLs can be associated with system access on the following levels:
•
•
Use the following CLI commands to assign an ACL to the specified management service:
–
–
–
It is possible to configure several management services to the same ACL, if this is the desired behavior of the SCE platform.
If no ACL is associated to a management service or to the global IP level, access is permitted from all IP addresses.
Note
Options
The following options are available:
•
•
•
The following keywords are available:
•
•
Adding Entries to an ACL
Step 1
Enables Global Configuration mode.
Step 2
•
access-list number permit|deny ip-address and press Enter.
•
access-list number permit|deny ip-address/mask and press Enter.
When you add a new entry to an ACL, it is always added to the end of the list.
Adding Entries to an ACL: Example
The following example adds an entry to the access list number 1, that permits access only to IP addresses in the range of 10.1.1.0-10.1.1.255.
SCE(config)#access-list 1 permit 10.1.1.0 0.0.0.255Removing an ACL
Use this command to remove an ACL with all its entries.
From the SCE(config)# prompt, type:
Defining a Global ACL
A global ACL for permits or denies all traffic to the SCE platform.
From the SCE(config)# prompt, type:
ip access-class number
Applies the specified ACL to all traffic attempting to access the SCE platform, rather than to a specific type of traffic, such as Telnet traffic.
Managing the Telnet Interface
•
•
This section discusses the Telnet interface of the SCE platform. A Telnet session is the most common way to connect to the SCE platform CLI interface.
You can set the following parameters for the Telnet interface:
•
•
•
The following commands are relevant to Telnet interface:
•
•
•
•
•
•
•
Preventing Telnet Access
Use this command to disable access by Telnet altogether.
From the SCE(config)# prompt, type:
no service telnetd
Disables access by Telnet.
Current Telnet sessions are not disconnected, but no new Telnet sessions are allowed.
Assigning an ACL to the Telnet Interface
From the SCE(config-line)# prompt, type:
access-class acl-number in
The specified ACL controls access to the Telnet interface.
acl-number is the ID number of an existing ACL.
Assigning an ACL to the Telnet Interface: Example
The following example shows how to assign ACL #1 to the Telnet interface.
SCE#configure SCE(config)#line vty 0 SCE(config-line)#access-class 1 inRemoving the ACL Assignment from the Telnet Interface
From the SCE(config-line)# prompt, type:
no access-class in
Removes the ACL assignment from the Telnet interface, so that any IP address may now access the Telnet interface.
Configuring the Telnet Timeout
The SCE platform supports timeout of inactive Telnet sessions.
Options
The following options are available:
•
–
From the SCE(config-line)# prompt, type:
Configuring the SSH Server
•
The SSH Server
A shortcoming of the standard telnet protocol is that it transfers password and data over the net unencrypted, thus compromising security. Where security is a concern, using a Secure Shell (SSH) server rather than telnet is recommended.
An SSH server is similar to a telnet server, but it uses cryptographic techniques that allow it to communicate with any SSH client over an insecure network in a manner which ensures the privacy of the communication. CLI commands are executed over SSH in exactly the same manner as over telnet.
The SSH server supports both the SSHv1 and SSHv2 protocols. You can disable SSHv1, so that only SSHv2 is running.
The SSH server supports the following encryption ciphers:
•
•
•
•
An ACL can be configured for SSH as for any other management protocol, limiting SSH access to a specific set of IP addresses (see Configuring Access Control Lists (ACLs))
Key Management
Each SSH server should define a set of keys (DSA2, RSA2 and RSA1) to be used when communicating with various clients. The key sets are pairs of public and private keys. The server publishes the public key while keeping the private key in non-volatile memory, never transmitting it to SSH clients. Note that the keys are kept on the tffs0 file system, which means that a person with knowledge of the `enable' password can access both the private and public keys. The SSH server implementation provides protection against eavesdroppers who can monitor the management communication channels of the SCE platform, but it does not provide protection against a user with knowledge of the `enable' password.
Key management is performed by the user via a special CLI command. A set of keys must be generated at least once before enabling the SSH server.
Size of the encryption key is always 2048 bits.
Managing the SSH Server
Use these commands to manage the SSH server. These commands do the following:
•
•
•
•
Generating a Set of SSH Keys
Remember that you must generate a set of SSH keys before you enable the SSH server.
From the SCE(config)# prompt, type:
ip ssh key generate
Generates a new SSH key set and immediately saves it to non-volatile memory. (Key set is not part of the configuration file). Key size is always 2048 bits.
Enabling the SSH Server
SSH allows you to login only when the user password and AAA authentication
are configured.
•
SCE8000(config)# username <username> password <password>
•
SCE8000(config)# aaa authentication login default none
From the SCE(config)# prompt, type:
Disabling the SSH Server
From the SCE(config)# prompt, type:
Running Only SSHv2
Step 1
Step 2
To re-enable SSHv1, use the command ip ssh SSHv1.
Assigning an ACL to the SSH Server
From the SCE(config)# prompt, type:
ip ssh access-class acl-number
The specified ACL controls access to the SSH server.
acl-number is the ID number of an existing ACL
Removing the ACL Assignment from the SSH Server
rom the SCE(config)# prompt, type:
no ip ssh access-class
Removes the ACL assignment from the SSH server, so that any IP address may now access the SSH server.
Deleting the Existing SSH Keys
From the SCE(config)# prompt, type:
If the SSH server is currently enabled, it will continue to run, since it only reads the keys from non-volatile memory when it is started. However, if the startup-configuration specifies that the SSH server is enabled, the SCE platform will not be able to start the SSH server on startup if the keys have been deleted. To avoid this situation, after executing this command, always do one of the following before the SCE platform is restarted (using reload ):
•
•
Monitoring the Status of the SSH Server
Use this command to monitor the status of the SSH sever, including current SSH sessions.
From the SCE> prompt, type:
Configuring and Managing the SNMP Interface
•
•
About the SNMP Interface
This section explains how to configure the SNMP agent parameters. It also provides a brief overview of SNMP notifications and relevant CLI commands.
SNMP Protocol
SNMP (Simple Network Management Protocol) is a set of protocols for managing complex networks. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.
SCE platform supports the original SNMP protocol (also known as SNMPv1), and a newer version called Community-based SNMPv2 (also known as SNMPv2C).
•
•
SCE platform implementation of SNMP supports all MIB II variables, as described in RFC 1213, and defines the SNMP traps using the guidelines described in RFC 1215.
The SNMPv1 and SNMPv2C specifications define the following basic operations that are supported by SCE platform. Table 5-3 lists the request types and descriptions.
Security Considerations
By default, the SNMP agent is disabled for both read and write operations. When enabled, SNMP is supported over the management port only (in-band management is not supported).
In addition, the SCE platform supports the option to configure community of managers for read-write accessibility or for read-only accessibility. Furthermore, an ACL may be associated with the SNMP agent by assigning it to one of the community strings to allow SNMP management to a restricted set of manager IP addresses. If different ACLs are assigned to different community strings, access by all community strings is controlled by all assigned ACLs. Assigning different ACLs to different community strings is not supported
About CLI
•
•
The SCE platform supports the CLI commands that control the operation of the SNMP agent. All the SNMP commands are available in Admin authorization level. The SNMP agent is disabled by default and any SNMP configuration command enables the SNMP agent (except where there is an explicit disable command).
CLI Commands for Configuring SNMP
Following is a list of CLI commands available for configuring SNMP. These are Global Configuration mode commands.
•
•
•
•
•
•
•
CLI Commands for Monitoring SNMP
Following is a list of CLI commands available for monitoring SNMP. These are Viewer mode commands, and are available when the SNMP agent is enabled:
•
•
•
•
•
•
•
•
About MIBs
MIBs (Management Information Bases) are databases of objects that can be monitored by a network management system (NMS). SNMP uses standardized MIB formats that allow any SNMP tools to monitor any device defined by a MIB.
For further information concerning MIBs used by the Cisco SCE8000 platform, see the Cisco Service Control MIBs
Configuration via SNMP
SCE platform supports a limited set of variables that may be configured via SNMP (read-write variables). Setting a variable via SNMP (as via the CLI) takes effect immediately and affects only the running-configuration. To make this configuration stored for next reboots (startup-configuration) the user must specify it explicitly via CLI or via SNMP using the Cisco enterprise MIB objects.
It should be noted also that the SCE platform takes the approach of a single configuration database with multiple interfaces that may change this database. Therefore, executing the copy running-config startup-config command via CLI or SNMP makes permanent all the changes made by either SNMP or CLI.
Enabling the SNMP Interface
Use this command to explicitly enable the SNMP interface.
The SNMP interface is implicitly enabled when any snmp-server command is executed to configure any SNMP parameter. For more information on configuring and managing the SNMP parameters, including hosts, communities, contact, location, and trap destination hosts, see Configuring and Managing the SNMP Interface.
•
•
How to Enable the SNMP Interface
You must define at least one community string to allow SNMP access. For complete information on community strings see Configuring SNMP Community Strings.
From the SCE(config)# prompt, type:
How to Disable the SNMP Interface
From the SCE(config)# prompt, type:
Configuring SNMP Community Strings
•
To enable SNMP management, you must configure SNMP community strings to define the relationship between the SNMP manager and the agent.
After receiving an SNMP request, the SNMP agent compares the community string in the request to the community strings that are configured for the agent. The requests are valid under the following circumstances:
•
•
Defining a Community String
Options
The following options are available:
•
•
Note
If no ACL is specified, all IP addresses can access the SNMP service. For more information about ACLs, see Configuring Access Control Lists (ACLs).
The following keywords are available:
•
•
From the SCE(config)# prompt, type:
Defining a Community String: Example
This example shows how to configure a community string called "mycommunity" with read-only rights. ACL "1" will be assigned to the SNMP server and all configured community strings, not just "mycommunity".
Since read-only is the default, it does not need to be defined explicitly.
SCE(config)#snmp-server community mycommunity 1Removing a Community String
From the SCE(config)# prompt, type:
Removing a Community String: Example
The following example shows how to remove a community string called "mycommunity". If an ACL was assigned to this community string, it is also removed.
SCE(config)#no snmp-server community mycommunityDisplaying the Configured Community Strings
From the SCE> prompt, type:
Displaying the Configured Community Strings: Example
The following example shows how to display the configured SNMP communities.
SCE>show snmp community Community: public, Access Authorization: RO, Access List Index: 1 SCE>Configuring SNMP Notifications
Use these commands to configure:
•
•
Notifications are unsolicited messages that are generated by the SNMP agent that resides inside the SCE platform when an event occurs. When the Network Management System receives the notification message, it can take suitable actions, such as logging the occurrence or ignoring the signal.
By default, the SCE platform is not configured to send any SNMP notifications. You must define the Network Management System to which the SCE platform should send notifications. (See the table below, Configurable Notifications, for a list of configurable notifications). Whenever one of the events that trigger notifications occurs in the SCE platform, an SNMP notification is sent from the SCE platform to the list of IP addresses that you define.
SCE platform supports two general categories of notifications:
•
•
After a host or hosts are configured to receive notifications, by default, the SCE platform sends to the host or hosts all the notifications supported by the SCE platform except for the AuthenticationFailure notification. The SCE platform provides the option to enable or disable the sending of this notification, as well as some of the SCE enterprise notifications, explicitly.
SCE platform can be configured to generate either SNMPv1 style or SNMPv2c style notifications. By default, the SCE platforms sends SNMPv1 notifications.
Following are some sample procedures illustrating how to do the following:
•
•
•
•
•
Defining SNMP Hosts
Use this command to define the hosts that will receive notifications from the SCE platform.
•
•
Options
The following options are available:
•
•
•
–
How to Configure the SCE Platform to Send Notifications to a Host (NMS)
At the SCE(config)# prompt, type:
Configuring the SCE Platform to Send Notifications to Multiple Hosts: Example
The following example shows how to configure the SCE platform to send SNMPv1 notifications to several hosts.
SCE(config)#snmp-server host 10.10.10.10 mycommunity SCE(config)#snmp-server host 20.20.20.20 mycommunity SCE(config)#snmp-server host 30.30.30.30 mycommunity SCE(config)#snmp-server host 40.40.40.40 mycommunityHow to Configure the SCE Platform to Stop Sending Notifications to a Host
At the SCE(config)# prompt, type:
no snmp-server host ip-address
Configures SCE platform to stop sending notifications to a host.
Configuring the SCE Platform to Stop Sending Notifications to a Host: Example
The following example shows how to remove the host with the IP Address: "192.168.0.83".
SCE(config)#no snmp-server host 192.168.0.83Configuring SNMP Traps
Use this command to configure the notifications that will be sent to the defined host.
•
•
•
•
Options
The following options are available:
•
By default, snmp traps are disabled.
snmp trap name — optional parameter that specifies a specific snmp trap that should be enabled or disabled.
Currently the only accepted value for this parameter is Authentication .
•
By default, enterprise traps are enabled.
•
Values: attack, chassis, link-bypass, logger, operational-status, port-operational-status, pull-request-failure, RDR-formatter, session, SNTP, subscriber, system-reset, telnet, vas-traffic-forwarding
Use these parameters as follows:
•
•
•
How to Enable the SNMP Server to Send Authentication Failure Notifications
At the SCE(config)# prompt, type:
snmp-server enable traps snmp authentication
Enables SNMP server to send authentication failure notifications.
How to Enable the SNMP Server to Send All Enterprise Notifications
At the SCE(config)# prompt, type:
snmp-server enable traps enterprise
Enables SNMP server to send all enterprise notifications.
How to Enable the SNMP Server to Send a specific Enterprise Notification
At the SCE(config)# prompt, type:
Enabling the SNMP Server to Send a Specific Enterprise Notification: Example
The following example shows how to configure the SNMP server to send the logger enterprise notification only.
SCE(config)#snmp-server enable traps enterprise loggerHow to Restore All Notifications to the Default Status
At the SCE(config)# prompt, type:
default snmp-server enable traps
Resets all notifications supported by the SCE platform to their default status.
