SCE Software Configuration Guide

---

Preface

Document Revision History

Audience

Organization

Related Publications

Conventions

Obtaining Documentation

World Wide Web

Documentation CD-ROM

Ordering Documentation

Documentation Feedback

Obtaining Technical Assistance

Cisco.com

Technical Assistance Center

1. General Overview

The Cisco Service Control Concept

Service Control for Broadband Service Providers

Cisco Service Control Capabilities

The SCE Platform

Management and Collection

Network Management

Service Configuration Management

Subscriber Management

Data Collection

2. Command-Line Interface

Getting Help

Authorization and Command Levels (Hierarchy)

CLI Command Hierarchy

CLI Authorization Levels

Prompt Indications

Exiting Modes

Navigating Between Configuration Modes

Entering and Exiting Global Configuration Mode

Interface Configuration Modes

CLI Help Features

Partial Help

Argument Help

The [no] Prefix

Navigational and Shortcut Features

Command History

Keyboard Shortcuts

Tab Completion

FTP User Name and Password

Managing Command Output

Scrolling the Screen Display

Filtering Command Output

Redirecting Command Output to a File

CLI Scripts

3. Operations

Managing Configurations

Viewing Configuration

Removing the Configuration

Saving the Configuration Settings

Recovering a Previous Configuration

Creating a Backup Configuration File

Upgrading SCE Platform Firmware

Configuring Applications

Installing an Application

Monitoring the Operational Status of the SCE Platform

Displaying the SCE Platform Version Information

Displaying the SCE Platform Inventory

Displaying the System Uptime

Rebooting and Shutting Down the SCE Platform

Rebooting the SCE Platform

Shutting Down the SCE Platform

4. Utilities

Setup Utility

Entering the Setup Utility

Multiple entry parameters (Lists)

File-system Operations

Working with Directories

Working with Files

The User Log

The Logging System

Generating a File for Technical Support

5. Configuring the Management Interface and Security

Configuring the Management Ports

Entering Management Interface Configuration Mode

Configuring the Management Port Physical Parameters

Setting the IP Address and Subnet Mask of the Management Interface

Configuring the Management Interface Speed and Duplex Parameters

Specifying the Active Management Port

Configuring the Management Ports for Redundancy

Configuring the Fail-Over Mode

Management Interface Security

Configuring Management Port Security

Monitoring Management Interface IP Filtering

Configuring the Available Interfaces

TACACS+ Authentication, Authorization, and Accounting

Configuring Access Control Lists (ACLs)

Telnet Interface

SSH Server

SNMP Interface

SNMP Configuration and Management

SNMP Protocol

Configuration via SNMP

Security Considerations

SNMP Community Strings

Notifications

CLI

MIBs

MIB-II

ENTITY-MIB

pcube Enterprise MIB

Passwords

Changing Passwords

Encryption

Password Recovery

IP Configuration

IP Routing Table

IP Advertising

Setting the IP Address and Subnet Mask of the Management Interface

Time Clocks and Time Zone

Showing System Time

Setting the Clock

Setting the Calendar

Showing Calendar Time

Setting the Time Zone

Removing Current Time Zone Setting

Configuring Daylight Saving Time

SNTP

Enabling SNTP multicast client

Disabling SNTP multicast client

Enabling SNTP unicast client

Disabling SNTP unicast client

Defining the SNTP unicast update interval

Display SNTP information

Domain Name (DNS) Settings

Name Servers

Domain Name

Host Table

show hosts

Configuring the Management Port Physical Parameters

Configuring the Management Interface Speed and Duplex Parameters

Monitoring the Management Interface

6. Configuring the Line Interface

Line Interfaces

Configuring the Gigabit Ethernet Line Interfaces

Configuring the Fast Ethernet Line Interfaces

Configuring Tunneling Protocols

Selecting the Tunneling Mode

Displaying Tunneling Configuration

Configuring VLAN Translation

VLAN Translation Features and Limitations

Setting the VLAN Translation Constant

Disabling VLAN Translation

Monitoring VLAN Translation

Configuring Traffic Rules and Counters

Traffic Rules

Traffic counters

Configuring Traffic Counters

Configuring Traffic Rules

Managing Traffic Rules and Counters

Configuring TOS Marking

Enabling and Disabling TOS Marking

Modifying the TOS Table

Counting Dropped Packets

Disabling the Hardware Packet Drop

7. Configuring the Connection

Editing the Connection Mode

Monitoring the Connection Mode

Link Mode

Forced Failure

Failure Recovery Mode

SCE Platform/SM Connection

Enabling and Disabling Link Failure Reflection

Enabling and Disabling Link Failure Reflection on All Ports

Link Failure Reflection in Linecard-Aware Mode (SCE 2000 only)

8. Configuring the RDR Formatter

The RDR Formatter

RDR Formatter Destinations

Categories

Priority

Forwarding Modes

Configuring the RDR Formatter

Dynamic Mapping of RDRs to Categories

Displaying RDR Formatter Configuration and Statistics

Disabling the LineCard from Sending RDRs

9. Managing Subscribers

Subscriber Overview

Subscriber Modes in Service Control Solutions

Aging Subscribers

Anonymous Groups and Subscriber Templates

Subscriber Files

Importing/Exporting Subscriber Information

Importing/Exporting Subscribers

Importing/Exporting Subscriber Templates

Removing Subscribers and Templates

Removing Subscribers with Tunnel Mappings

Removing Subscribers by Device

Importing/Exporting Anonymous Groups

Monitoring Subscribers

Monitoring the Subscriber Database

Displaying Subscribers

Displaying Subscriber Information

Displaying Anonymous Subscriber Information

Subscriber Traffic Processor IP Ranges

Subscriber Mapping Modes

Subscriber Mapping Conflicts

Subscriber Rules for TIRs

Configuring TIRs

Removing TIRs and Subscriber Mappings

Importing and Exporting TIRs

Monitoring TIRs

Subscriber Aging

SCE Platform/SM Connection

10. Redundancy and Fail-Over

Terminology and Definitions

Redundant Topologies

In-line Dual Link Redundant Topology

Failure Detection

Link Failure Reflection

Forced Failure

Hot Standby and Fail-over

Hot Standby

Fail-over

Failure in the Cascade Connection

Installing a Cascaded System

Recovery

Replacing the SCE platform (manual recovery)

Reboot only (fully automatic recovery)

CLI Commands for Cascaded Systems

Topology-Related Parameters for Redundant Topologies

Configuring the Connection Mode

Monitoring the System

System Upgrades

Firmware Upgrade (package installation)

Application Upgrade

Simultaneous Upgrade of Firmware and Application

11. Identifying And Preventing Distributed-Denial-Of-Service Attacks

Attack Filtering

Specific Attack Filtering

Attack Detection

Attack Detection Thresholds

Attack Handling

Subscriber Notification

Hardware Filtering

Configuring Attack Detectors

Enabling Specific-IP Detection

Default Attack Detector

Specific Attack Detectors

Sample Attack Detector Configuration

Configuring Subscriber Notifications

Subscriber Notification Ports

Preventing and Forcing Attack Detection

Preventing Attack Filtering

Forcing Attack Filtering

Monitoring Attack Filtering

Viewing the Attack Log

12. Value Added Services (VAS) Traffic Forwarding

VAS Traffic Forwarding Overview

VAS Service Goals

How VAS Traffic Forwarding Works

VAS Traffic Forwarding and SCA BB

VLAN Tags for VAS Traffic Forwarding

Service Flow

Data Flow

Load Balancing

VAS Redundancy

VAS Server Failure

VAS Server Group Failure

Ethernet Switch Failure

Disabling a VAS Server

VAS Status and VAS Health Check

VAS Server States

VAS Traffic Forwarding Topologies

Single SCE Platform, Multiple VAS Servers

Multiple SCE Platforms, Multiple VAS Servers

SNMP Support for VAS

VAS Traffic Forwarding Configuration

Configuring VAS Traffic Forwarding from the SCA BB Console

Configuring VAS Traffic Forwarding

Configuring a VAS Server

Configuring a VAS Server Group

Monitoring VAS Traffic Forwarding

Interactions Between VAS Traffic Forwarding and Other SCE Platform Features

Incompatible SCE Platform Features

VAS Traffic Forwarding and DDoS Processing

VAS Traffic Forwarding and Bandwidth management

VAS over 10G

Data Flow in VAS over 10G Topology

Failover Support

Health Check in VAS over 10G Topology

Configuring VAS over 10G

13. MPLS/VPN Support

Overview of the Service Control Solution for MPLS/VPN Networks

Definitions and Acronyms

What are the Challenges for Service Control for MPLS/VPN Support?

How MPLS/VPN Support Works

Service Control MPLS/VPN Concepts

Service Control MPLS/VPN Requirements

Configuring MPLS/VPN Support

Configuring the SCE Platform for MPLS/VPN Support

Configuring the SM for MPLS/VPN Support

Managing MPLS/VPN Support

Monitoring MPLS/VPN Support via SCE Platform CLI

Managing MPLS/VPN Support via SM CLU

Managing MPLS/VPN Support via SNMP

14. Managing the SCMP

Overview of the SCMP

SCMP Terminology

Deployment Scenarios

SCMP Peer Devices

SCMP Subscriber Management

Configuring the SCMP

Configuring SCMP Parameters

Adding an SCMP Peer Device

Deleting Subscribers Managed by an SCMP Peer Device

Deleting an SCMP Peer Device

Defining the Subscriber ID

Configuring the RADIUS Client

Monitoring the SCMP Environment

Monitoring the SCMP

Monitoring the RADIUS Client

A. Monitoring SCE Platform Utilization

SCE Platform Utilization Indicators

CPU Utilization

Flows Capacity

Subscribers Capacity

Service Loss

Monitoring Service Loss

B. Proprietary MIB Reference

pcube Enterprise MIB

Application MIB Integration

Using this Reference

pcubeModules (1.3.6.1.4.1.5655.2)

pcubeSeMIB (1.3.6.1.4.1.5655.2.3)

pcubeWorkgroup (1.3.6.1.4.1.5655.4)

Notification Types

pcubeSe Objects

Supported Standards

Preface

This preface describes who should read the Cisco Service Control Engine (SCE) Software Configuration Guide, how it is organized, and its document conventions.

Document Revision History

Cisco Service Center Release	Part Number	Publication Date
Release 3.0.5	OL-7827-05	November, 2006

Description of Changes

Added the following new feature:

• Managing the SCMP

The following sections were added or updated to explain various CLI commands that had not previously appeared in this guide:

• Monitoring the Operational Status of the SCE Platform

• Monitoring the Connection Mode

• Link Failure Reflection in Linecard-Aware Mode (SCE 2000 only)

• Removing Subscribers with Tunnel Mappings

• Traffic Rules

Cisco Service Center Release	Part Number	Publication Date
Release 3.0.3	OL-7827-04	May, 2006

Description of Changes

Added the following new features:

• MPLS/VPN Support (including MPLS/VPN-related changes in Managing Subscribers and Configuring Tunneling Protocols).

• Configuring VLAN Translation

• VAS over 10G

The Proprietary MIB Reference was reorganized to reflect reorganization of the pcube Enterprise MIB.

Cisco Service Center Release	Part Number	Publication Date
Release 3.0	OL-7827-03	December, 2005

Description of Changes

Added the following new features:

• Value Added Services (VAS) Traffic Forwarding

• Monitoring SCE Platform Utilization

• Configuring the Management Ports for Redundancy

• Management Interface Security

• TACACS+ Authentication, Authorization and Accounting

• Dynamic Mapping of RDRs to Categories

Cisco Service Center Release	Part Number	Publication Date
Release 2.5.7	OL-7827-02	May, 2005

Description of Changes

Complete reorganization and revision of product documentation.

Audience

This guide is for experienced network administrators who are responsible for configuring and maintaining the SCE platform.

Organization

The major sections of this guide are as follows:

Chapter	Title	Description
Chapter 1	Overview	Overview of SCE platform management.
Chapter 2	Command Line Interface	Detailed explanation of how to use the Cisco SCE Command-line Interface.
Chapter 3	Operations	Explanation of how to manage configurations, install applications and upgrade the system software.
Chapter 4	Utilities	Explanation of the setup wizard and the user log, as well as of file operations.
Chapter 5	Configuring the Management Interface and Security	Explanation of how to configure the various management options: Telnet, SSH, and SNMP. Also how to configure the system time,Domain Name Settings, management IP address, and passwords.
Chapter 6	Configuring the Line Interface	Explanation of how to configure tunneling, TOS marking, and traffic rules.
Chapter 7	Configuring the Connection	Explanation of how to configure the connection mode, link mode, and failure behaviors.
Chapter 8	Configuring the RDR Formatter	Explanation of how to configure the RDR Formatter so that RDRs are sent to the proper destinations.
Chapter 9	Managing Subscribers	Explanation of how to import and export subscriber information and how to monitor subscribers.
Chapter 10	Redundancy and Fail-Over	Explanation of how to configure and manage a redundant system. This chapter applies only to the SCE 2000 platform.
Chapter 11	Identifying And Preventing Distributed-Denial-Of-Service Attacks	Explanation of how to configure attack filtering.
Chapter 12	Value Added Services (VAS) Traffic Forwarding	Explanation of Value Added Services (VAS) and how to configure VAS traffic forwarding.
Chapter 13	MPLS/VPN Support	Explanation of MPLS/VPN support, and how to configure and monitor MPLS/VPN subscribers and support.
Chapter 14	Managing the SCMP	Explanation of Service Control Management Protocol (SCMP), which is a protocol that integrates the SCE platform and the ISG (Intelligent Service Gateway) functionality of the Cisco routers. It also explains how to configure and manage SCMP, SCMP peer devices and the RADIUS client.
Appendix A	Monitoring SCE Platform Utilization	Explanation of how to monitor SCE platforms that are installed in real traffic.
Appendix B	Proprietary MIB Reference	Definition of the proprietary Service Control Enterprise MIB.

Related Publications

Your SCE platform and the software running on it contain extensive features and functionality, which are documented in the following resources:

• For further information regarding the Service Control CLI and a complete listing of all CLI commands, refer to the Cisco Service Control Engine (SCE) CLI Command Reference

• For complete installation information, including initial configuration, refer to the relevant installation guide:

  • Cisco SCE 2000 4xGBE Installation and Configuration Guide

  • Cisco SCE 2000 4/8xFE Installation and Configuration Guide

  • Cisco SCE 1000 2xGBE Installation and Configuration Guide

Note

You can access Cisco software configuration and hardware installation and maintenance documentation on the World Wide Web at Cisco Website URL. Translated documentation is available at the following URL: International Cisco Website

• For initial installation and startup information, refer to the relevant quick start guide:

  • Cisco SCE 2000 4xGBE Quick Start Guide

  • Cisco SCE 2000 4/8xFE Quick Start Guide

  • Cisco SCE 1000 2xGBE Quick Start Guide

• For international agency compliance, safety, and statutory information for wide-area network (WAN) interfaces for the SCE platform, refer to the regulatory and safety information document:

  • Regulatory Compliance and Safety Information for the Cisco Service Control Engine (SCE)

• For installation and configuration of the other components of the Service Control Management Suite refer to:

  • Cisco Service Control Management Suite Subscriber Manager User Guide

  • Cisco Service Control Management Suite Collection Manager User Guide

  • Cisco Service Control Application for Broadband User Guide

  • Cisco Service Control Application Reporter User Guide

• To view Cisco documentation or obtain general information about the documentation, refer to the following sources:

  • Obtaining Documentation

  • The Cisco Information Packet that shipped with your SCE platform.

Conventions

This document uses the following conventions:

Convention	Description
boldface font	Commands and keywords are in boldface.
italic font	Arguments for which you supply values are in italics.
[ ]	Elements in square brackets are optional.
{x | y | z}	Alternative keywords are grouped in braces and separated by vertical bars.
[x | y | z]	Optional alternative keywords are grouped in brackets and separated by vertical bars.
string	A nonquoted set of characters. Do not use quotation marks around the string, or the string will include the quotation marks.
screen font	Terminal sessions and information that the system displays are in screen font.
boldface screen font	Information you must enter is in boldface screen font.
italic screen font	Arguments for which you supply values are in italic screen font.
< >	Nonprinting characters, such as passwords, are in angle brackets.
[ ]	Default responses to system prompts are in square brackets.
!, #	An exclamation point (!) or a pound sign (#) at the beginning of a line of code indicates a comment line.

Note

Means reader take note. Notes contain helpful suggestions or references to materials not covered in this manual.

Caution

Means reader be careful. In this situation, you might do something that could result in equipment damage or loss of data.

Warning

Means reader be warned. In this situation, you might do something that could result in bodily injury.

Obtaining Documentation

The following sections provide sources for obtaining documentation from Cisco Systems.

World Wide Web

You can access the most current Cisco documentation on the World Wide Web at the following sites:

• http://www.cisco.com

• http://www-china.cisco.com

• http://www-europe.cisco.com

Documentation CD-ROM

Cisco documentation and additional literature are available in a CD-ROM package that ships with your product. The Documentation CD-ROM is updated monthly and may be more current than printed documentation. The CD-ROM package is available as a single unit or as an annual subscription.

Ordering Documentation

Cisco documentation is available in the following ways:

• Registered Cisco Direct Customers can order Cisco Product documentation from the networking Products MarketPlace:

  http://www.cisco.com/public/ordsum.html

• Registered Cisco.com users can order the Documentation CD-ROM through the online Subscription Store:

  http://www.cisco.com/pcgi-bin/marketplace/welcome.pl

• Nonregistered Cisco.com users can order documentation through a local account representative by calling Cisco corporate headquarters (California, USA) at 408 526-7208 or, in North America, by calling 800 553-NETS(6387).

Documentation Feedback

If you are reading Cisco product documentation on the World Wide Web, you can submit technical comments electronically. Click Feedback in the toolbar and selectDocumentation. After you complete the form, click Submit to send it to Cisco.

You can e-mail your comments to bug-doc@cisco.com.

To submit your comments by mail, use the response card behind the front cover of your document, or write to the following address:

Attn Document Resource Connection Cisco Systems, Inc. 170 West Tasman Drive San Jose, CA 95134-9883

We appreciate your comments.

Obtaining Technical Assistance

Cisco provides Cisco.com as a starting point for all technical assistance. Customers and partners can obtain documentation, troubleshooting tips, and sample configurations from online tools. For Cisco.com registered users, additional troubleshooting tools are available from the TAC website.

Cisco.com

Cisco.com is the foundation of a suite of interactive, networked services that provides immediate, open access to Cisco information and resources at any time, from anywhere in the world. This highly integrated Internet application is a powerful, easy-to-use tool for doing business with Cisco.

Cisco.com provides a broad range of features and services to help customers and partners streamline business processes and improve productivity. Through Cisco.com, you can find information about Cisco and our networking solutions, services, and programs. In addition, you can resolve technical issues with online technical support, download and test software packages, and order Cisco learning materials and merchandise. Valuable online skill assessment, training, and certification programs are also available.

Customers and partners can self-register on Cisco.com to obtain additional personalized information and services. Registered users can order products, check on the status of an order, access technical support, and view benefits specific to their relationships with Cisco.

To access Cisco.com, go to http://www.cisco.com.

Technical Assistance Center

The Cisco Technical Assistance Center (TAC) website is available to all customers who need technical assistance with a Cisco product or technology that is under warranty or covered by a maintenance contract.

Contacting TAC by Using the Cisco TAC Website

If you have a priority level 3 (P3) or priority level 4 (P4) problem, contact TAC by going to the TAC website http://www.cisco.com/tac.

P3 and P4 level problems are defined as follows:

• P3—Your network is degraded. Network functionality is noticeably impaired, but most business operations continue.

• P4—You need information or assistance on Cisco product capabilities, product installation, or basic product configuration.

In each of the above cases, use the Cisco TAC website to quickly find answers to your questions.

To register for Cisco.com, go to http://tools.cisco.com/RPF/register/register.do.

If you cannot resolve your technical issue by using the TAC online resources, Cisco.com registered users can open a case online by using the TAC Case Open tool at http://www.cisco.com/tac/caseopen.

Contacting TAC by Telephone

If you have a priority level 1 (P1) or priority level 2 (P2) problem, contact TAC by telephone and immediately open a case. To obtain a directory of toll-free numbers for your country, go to http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml.

P1 and P2 level problems are defined as follows:

• P1—Your production network is down, causing a critical impact to business operations if service is not restored quickly. No workaround is available.

• P2—Your production network is severely degraded, affecting significant aspects of your business operations. No workaround is available.

Chapter 1. General Overview

This chapter provides a general overview of the Cisco Service Control solution. It introduces the Cisco Service Control concept and the Service Control capabilities. It also briefly describes the hardware capabilities of the Service Control Engine (SCE) platform and the Cisco specific applications that together compose the total Cisco Service Control solution.

The Cisco Service Control Concept

The Cisco Service Control solution is delivered through a combination of purpose-built hardware and specific software solutions that address various service control challenges faced by service providers. The SCE platform is designed to support classification, analysis, and control of Internet/IP traffic.

Service Control enables service providers to create profitable new revenue streams while capitalizing on their existing infrastructure. With the power of Service Control, service providers have the ability to analyze, charge for, and control IP network traffic at multigigabit wire line speeds. The Cisco Service Control solution also gives service providers the tools they need to identify and target high-margin content-based services and to enable their delivery.

As the downturn in the telecommunications industry has shown, IP service providers’ business models need to be reworked to make them profitable. Having spent billions of dollars to build ever larger data links, providers have incurred massive debts and faced rising costs. At the same time, access and bandwidth have become commodities where prices continually fall and profits disappear. Service providers have realized that they must offer value-added services to derive more revenue from the traffic and services running on their networks. However, capturing real profits from IP services requires more than simply running those services over data links; it requires detailed monitoring and precise, real-time control and awareness of services as they are delivered. Cisco provides Service Control solutions that allow the service provider to bridge this gap.

Service Control for Broadband Service Providers

Service providers of any access technology (DSL, cable, mobile, and so on) targeting residential and business consumers must find new ways to get maximum leverage from their existing infrastructure, while differentiating their offerings with enhanced IP services.

The Cisco Service Control Application for Broadband adds a new layer of service intelligence and control to existing networks that can:

• Report and analyze network traffic at subscriber and aggregate level for capacity planning

• Provide customer-intuitive tiered application services and guarantee application SLAs

• Implement different service levels for different types of customers, content, or applications

• Identify network abusers who are violating the Acceptable Use Policy

• Identify and manage peer-to-peer, NNTP (news) traffic, and spam abusers

• Enforce the Acceptable Use Policy (AUP)

• Integrate Service Control solutions easily with existing network elements and BSS/OSS systems

Cisco Service Control Capabilities

The core of the Cisco Service Control solution is the purpose-built network hardware device: the Service Control Engine (SCE). The core capabilities of the SCE platform, which support a wide range of applications for delivering Service Control solutions, include:

• Subscriber and application awareness—Application-level drilling into IP traffic for real-time understanding and controlling of usage and content at the granularity of a specific subscriber.

  • Subscriber awareness—The ability to map between IP flows and a specific subscriber in order to maintain the state of each subscriber transmitting traffic through the SCE platform and to enforce the appropriate policy on this subscriber’s traffic.

    Subscriber awareness is achieved either through dedicated integrations with subscriber management repositories, such as a DHCP or a Radius server, or via sniffing of Radius or DHCP traffic.

  • Application awareness—The ability to understand and analyze traffic up to the application protocol layer (Layer 7).

    For application protocols implemented using bundled flows (such as FTP, which is implemented using Control and Data flows), the SCE platform understands the bundling connection between the flows and treats them accordingly.

• Application-layer, stateful, real-time traffic control—The ability to perform advanced control functions, including granular BW metering and shaping, quota management, and redirection, using application-layer stateful real-time traffic transaction processing. This requires highly adaptive protocol and application-level intelligence.

• Programmability—The ability to quickly add new protocols and easily adapt to new services and applications in the ever-changing service provider environment. Programmability is achieved using the Cisco Service Modeling Language (SML).

  Programmability allows new services to be deployed quickly and provides an easy upgrade path for network, application, or service growth.

• Robust and flexible back-office integration—The ability to integrate with existing third-party systems at the Service Provider, including provisioning systems, subscriber repositories, billing systems, and OSS systems. The SCE provides a set of open and well-documented APIs that allows a quick and robust integration process.

• Scalable high-performance service engines—The ability to perform all these operations at wire speed.

The SCE Platform

The SCE family of programmable network devices is capable of performing application-layer stateful-flow inspection of IP traffic, and controlling that traffic based on configurable rules. The SCE platform is a purpose-built network device that uses ASIC components and RISC processors to go beyond packet counting and delve deeper into the contents of network traffic. Providing programmable, stateful inspection of bidirectional traffic flows and mapping these flows with user ownership, the SCE platforms provide real-time classification of network usage. This information provides the basis of the SCE platform advanced traffic-control and bandwidth-shaping functionality. Where most bandwidth shaper functionality ends, the SCE platform provides more control and shaping options, including:

• Layer 7 stateful wire-speed packet inspection and classification

• Robust support for over 600 protocols and applications, including:

  • General—HTTP, HTTPS, FTP, TELNET, NNTP, SMTP, POP3, IMAP, WAP, and others

  • P2P file sharing—FastTrack-KazaA, Gnutella, BitTorrent, Winny, Hotline, eDonkey, DirectConnect, Piolet, and others

  • P2P VoIP—Skype, Skinny, DingoTel, and others

  • Streaming and Multimedia—RTSP, SIP, HTTP streaming, RTP/RTCP, and others

• Programmable system core for flexible reporting and bandwidth control

• Transparent network and BSS/OSS integration into existing networks

• Subscriber awareness that relates traffic and usage to specific customers

The following diagram illustrates a common deployment of an SCE platform in a network.

Figure 1.1. SCE Platform in the Network

Management and Collection

The Cisco Service Control solution includes a complete management infrastructure that provides the following management components to manage all aspects of the solution:

• Network management

• Subscriber management

• Service Control management

These management interfaces are designed to comply with common management standards and to integrate easily with existing OSS infrastructure.

Figure 1.2. Service Control Management Infrastructure

Network Management

Cisco provides complete network FCAPS (Fault, Configuration, Accounting, Performance, Security) Management.

Two interfaces are provided for network management:

• Command-line interface (CLI)—Accessible through the Console port or through a Telnet connection, the CLI is used for configuration and security functions.

• SNMP—Provides fault management (via SNMP traps) and performance monitoring functionality.

Service Configuration Management

Service configuration management is the ability to configure the general service definitions of a service control application. A service configuration file containing settings for traffic classification, accounting and reporting, and control is created and applied to an SCE platform. The SCA BB application provides tools to automate the distribution of these configuration files to SCE platforms. This simple, standards-based approach makes it easy to manage multiple devices in a large network.

Service Control provides an easy-to-use GUI to edit and create these files and a complete set of APIs to automate their creation.

Subscriber Management

Where the Cisco Service Control Application for Broadband (SCA BB) enforces different policies on different subscribers and tracks usage on an individual subscriber basis, the Cisco Service Control Management Suite (SCMS) Subscriber Manager (SM) may be used as middleware software for bridging between the OSS and the SCE platforms. Subscriber information is stored in the SM database and can be distributed between multiple platforms according to actual subscriber placement.

The SM provides subscriber awareness by mapping network IDs to subscriber IDs. It can obtain subscriber information using dedicated integration modules that integrate with AAA devices, such as Radius or DHCP servers.

Subscriber information may be obtained in one of two ways:

• Push Mode—The SM pushes subscriber information to the SCE platform automatically upon logon of a subscriber.

• Pull Mode—The SM sends subscriber information to the SCE platform in response to a query from the SCE platform.

Data Collection

The Cisco Service Control solution generates usage data and statistics from the SCE platform and forwards them as Raw Data Records (RDRs), using a simple TCP-based protocol (RDR-Protocol). The Cisco Service Control Management Suite (SCMS) Collection Manager (CM) software implements the collection system, listening in on RDRs from one or more SCE platforms and processing them on the local machine. The data is then stored for analysis and reporting functions, and for the collection and presentation of data to additional OSS systems such as billing.

Chapter 2. Command-Line Interface

This chapter describes how to use the SCE platform Command-Line Interface (CLI), its hierarchical structure, authorization levels and its help features. The Command-Line Interface is one of the SCE platform management interfaces.

Getting Help

To obtain a list of commands that are available for each command mode, enter a question mark (?) at the system prompt. You also can obtain a list of keywords and arguments associated with any command using the context-sensitive help feature.

The following table lists commands you can enter to get help that is specific to a command mode, a command, a keyword, or an argument.

Table 2.1. Getting Help

Command	Purpose
abbreviated-command-entry?	Obtain a list of commands that begin with a particular character string. (Do not leave a space between the command and question mark.)
abbreviated-command-entry<Tab>	Complete a partial command name.
?	List all commands available for a particular command mode.
command ?	List the keywords associated with the specified command. Leave a space between the command and question mark.
command keyword ?	List the arguments associated with the specified keyword. Leave a space between the keyword and question mark.

Authorization and Command Levels (Hierarchy)

When using the CLI there are two important concepts that you must understand in order to navigate:

• Authorization Level — Indicates the level of commands you can execute. A user with a simple authorization level can only view some information in the system, while a higher level administrator can actually make changes to configuration.

  This manual documents commands at the User, Viewer, and Admin authorization level. See CLI Command Hierarchy.

• Command Hierarchy Level — Provides you with a context for initiating commands. Commands are broken down into categories and you can only execute each command within the context of its category. For example, in order to configure parameters related to the Line Card, you need to be within the LineCard Interface Configuration Mode. See CLI Command Hierarchy.

The following sections describe the available Authorization and Command Hierarchy Levels and how to maneuver within them.

The on-screen prompt indicates both your authorization level and your command hierarchy level, as well as the assigned host name. See Prompt Indications.

Note

Throughout the manual, SCE is used as the sample host name.

CLI Command Hierarchy

The set of all CLI commands is grouped in hierarchical order, according to the type of the commands. The first three levels in the hierarchy are the User Exec, Viewer, and Privileged Exec modes. These are non-configuration modes in which the set of available commands enables the monitoring of the SCE platform, file system operations, and other operations that cannot alter the configuration of the SCE platform.

The next levels in the hierarchy are the Global and Interface configuration modes, which hold a set of commands that control the global configuration of the SCE platform and its interfaces. Any of the parameters set by the commands in these modes should be saved in the startup configuration, such that in the case of a reboot, the SCE platform restores the saved configuration.

The following tableshows the available CLI modes.

Table 2.2. CLI Modes

Mode	Description	Level	Prompt indication
User Exec	Initial mode with very limited functionality.	User	SCE>
Viewer	Monitoring (show commands).	Viewer	SCE>
Privileged Exec	General administration; file system manipulations and control of basic parameters that do not change the configuration of the SCE platform.	Admin	SCE#
Global Configuration	Configuration of general system parameters, such as DNS, host name, and time zone.	Admin	SCE(config)#
Management Interface Configuration	Configuration of management interface parameters, such as the Ethernet interface properties and selection of the active port.	Admin	SCE(config if)#
Interface Configuration	Configuration of specific system interface parameters, such as the Line Card, and the Ethernet interfaces.	Admin	SCE(config if)#
Line Configuration	Configuration of Telnet lines, such as an access-list.	Admin	SCE(config-line)#

When you login to the system, you have the User authorization level and enter User Exec mode. Changing the authorization level to Viewer automatically moves you to Viewer mode. In order to move to any of the configuration modes, you must enter commands specific to that mode.

The list of available commands in each mode can be viewed using the question mark ‘?’ at the end of the prompt.

The figure below, illustrates the hierarchical structure of the CLI modes, and the CLI commands used to enter and exit a mode.

Figure 2.1. CLI Command Hierarchy

The following commands are used to enter the different configure interface modes and the Line Configuration Mode:

• E1 interface LineCard 0

• E2 interface Mng 0/1 or 0/2(management port, all platforms)

• E3 interface GigabitEthernet 0/1 or 0/2 (line ports, SCE 1000 platform)

• E3 interface GigabitEthernet 0/1,0/2, 0/3, or 0/4 (line ports, SCE 2000 4xGBE platform)

• E3 interface FastEthernet 0/1,0/2, 0/3, or 0/4 (line ports, SCE 2000 4/8xFE platform)

• E4 line vty 0

Note

Although the system supports up to five concurrent Telnet connections, you cannot configure them separately. This means that any number you enter in the line vty command (0, 1, 2,3 or 4) will act as a 0 and configure all five connections together.

Note

In order for the auto-completion feature to work, when you move from one interface configuration mode to another, you must first exit the current interface configuration mode (as illustrated in the above figure).

Example:

This example illustrates moving into and out of configuration modes as follows:

• Enter global configuration mode

• Configure the SCE platform time zone

• Enter Mng Interface configuration mode for Mng port 1

• Configure the speed of the management interface

• Exit the Mng Interface configuration mode to the global configuration mode

• Enter the LineCard Interface configuration

• Define the link mode.

• Exit LineCard Interface configuration mode to the global configuration mode

• Exit global configuration mode

SCE#configure
SCE(config)#clock timezone PST -10
SCE(config)#interface Mng 0/1
SCE(config if)#speed 100
SCE(config if)#exit
SCE(config)#interface LineCard 0
SCE(config if)#link-mode all-links forwarding
SCE(config if)#exit
SCE(config)#exit
SCE#

CLI Authorization Levels

The SCE platform has four authorization levels, which represent the user access permissions. When you initially connect to the SCE platform, you automatically have the most basic authorization level, that is User, which allows minimum functionality.

In order to monitor the system, you must have Viewer authorization, while in order to perform administrative functions on the SCE platform, you must have Admin or Root authorization. A higher level of authorization is accessed by logging in with appropriate password, as described in the procedures below.

In each authorization level, all the commands of the lower authorization layers are available in addition to commands that are authorized only to the current level.

Note

This manual covers the functions that can be performed by the Admin level user, unless otherwise noted.

The following CLI commands are related to authorization levels:

enable
disable

Each authorization level has a value (number) corresponding to it. When using the CLI commands, use the values, not the name of the level, as shown in the following table.

Table 2.3. Authorization Levels 

Level	Description	Value	Prompt
User	Password required. This level enables basic operational functionality.	0	>
Viewer	Password required. This level enables monitoring functionality. All show commands are available to the Viewer authorization level, with the exception of those that display password information.	5	>
Admin	Password required. For use by general administrators, the Admin authorization level enables configuration and management of the SCE platform.	10	#
Root	Password required. For use by technical field engineers, the Root authorization level enables configuration of all advanced settings, such as debug and disaster recovery. The Root level is used by technical engineers only and is not documented in this manual.	15	#>

To change from User to Viewer level authorization:

1. From the SCE> prompt, type enable 5 and press Enter.

   The system prompts for a password by showing the prompt Password:

2. Type in the password for the Viewer level and press Enter.

   Note that the password is an access-level authorization setting, not an individual user password.

   The system prompt SCE> does not change when you move from User to Viewer level.

A telnet session begins with a request for password, and will not continue until the proper user password is supplied. This enhances the security of the system by not revealing its identity to unauthorized people.

To log in with Admin level authorization:

1. Initiate a telnet connection.

2. A Password: prompt appears. Type in the user level password and press Enter.

   The SCE> prompt appears.

   You now have user level authorization.

3. From the SCE> prompt, type enable 10 and press Enter.

   The system prompts for a password by showing the prompt Password:

4. Type in the password for the Admin level and press Enter.

   Note that the password is an access-level authorization setting, not an individual user password.

   The system prompt changes to SCE# to show you are now in Admin level.

Example:

The following example illustrates how to change the authorization level from User to Admin, and then revert back to Viewer. No password is required for moving to a lower authorization level.

SCE>enable 10
Password:  cisco
SCE#disable
SCE>

Prompt Indications

The on-screen prompt indicates your authorization level, your command hierarchy level, and the assigned host name. The structure of the prompt is: <hostname(mode-indication)level-indication>

Authorization levels are indicated as follows:

This prompt...	Indicates this...
>	indicates User and Viewer levels
#	indicates Admin level
#>	indicates Root level

Command hierarchy levels are indicated as follows:

This command hierarchy...	Is indicated as...
User Exec	SCE>
Privileged Exec	SCE#
Global Configuration	SCE(config)#
Interface Configuration	SCE(config if)#
Line Configuration	SCE(config-line)#

Example:

The prompt MySCE(config if)# indicates:

• The name of the SCE platform is MySCE

• The current CLI mode is Interface configuration mode

• The user has Admin authorization level

Exiting Modes

This section describes how to revert to a previous mode.

• To exit from one authorization level to the previous one, use the disable command.

• To exit from one mode to another with the Admin authorization level (these are the various configuration modes), use the exit command.

To exit from the Privileged Exec mode and revert to the Viewer mode:

• At the SCE# prompt, type disable, and press Enter.

  The SCE> prompt for the Viewer and User Exec mode appears.

To exit from the Global Configuration Mode:

• At the SCE(config)# prompt, type exit, and press Enter.

  The appropriate prompt for the previous level appears.

Example:

The following example shows the system response when you exit the Interface Configuration mode.

SCE(config if)#exit
SCE(config)#

SCE(config)#interface FastEthernet 0/3
SCE(config if)#

SCE(config)#interface GigabitEthernet 0/2
SCE(config if)#

SCEconfig if# do show running-config

SCE(config)#snmp-server c?
Community		contact
SCE(config)#snmp-server c

SCE(config)#snmp-server ?
Community   Define community string
Contact     Set system contact
Enable      Enable the SNMP agent
Host        Set traps destination
Location        Set system location
SCE(config)# snmp-server 

SCE#copy ?
    running-config      Copy running configuration file
    STRING          Source file name
SCE#copy

SCE(config)#snm<Tab>
SCE(config)#snmp-server

The following example displays how the system completes a partial (unique) command for the enable command. Because enable does not require any parameters, the system simply carries out the enable command when the user presses Enter.

SCE>en<Enter>
Password:   
SCE#

SCE#ip ftp password vk
SCE#ip ftp username vk
SCE#copy ftp://@10.1.1.253/h:/config.tmp myconf.txt
connecting 10.1.1.253 (user name vk password vk) to retrieve config.tmp 
SCE#

<command> | include <expression>
<command> | exclude <expression>
<command> | begin <expression>

Following is an example of how to filter the show version command to display only the last part of the output, beginning with the version information.

SCE#  show version begin revision

<command> | redirect <file-name>
<command> | append <file-name>

Following is an example of how to do the following:

Filter the more command to display from a csv subscriber file only the gold package subscribers.

Redirect that output to a file named current_gold_subscribers. The output should not overwrite existing entries in the file, but should be appended to the end of the file.

SCE# more subscribers_10.10.2004 include gold append current_gold_subscribers

script capture
script stop
script print
script run

To create a script:

At the SCE# prompt, type script capture sample1.scr where sample1.scr is the name of the script. 

Perform the actions you want to be included in the script.

Type script stop.

The system saves the script.

Example:

The following is an example of recording a script for upgrading software.

SCE#script capture upgrade.scr
SCE#configure
SCE(config)#boot system new.pkg
Verifying package file...
Package file verified OK.
SCE(config)#exit
SCE#copy running-config startup-config
Writing general configuration file to temporary location...
Extracting files from ‘/tffs0/images/new.pkg’...
Verifying package file...
Package file verified OK.
Device ‘/tffs0/’ has 81154048 bytes free, 21447973 bytes are needed for extraction, all is well.
Extracting files to temp locations...
Renaming temp files...
Extracted OK.
Backing-up general configuration file...
Copy temporary file to final location...
SCE#script stop
SCE# 

SCE#script run upgrade.scr

Chapter 3. Operations

Managing Configurations

The SCE platform uses two configuration files:

Startup configuration — This file contains the non-default configuration as saved by the user. The startup-config file is loaded each time the SCE platform reboots.

Running configuration — This file contains results of configuration commands entered by the user. The running-config file is saved in the SCE volatile memory and is effective only as long as the SCE platform is up and running.

Use the following commands to view and save the configuration files.

You can also recover a previous configuration from a saved configuration file, as well as completely remove all current user configuration.

Viewing Configuration

When you enter configuration commands, it immediately effects the SCE platform operation and configuration. This configuration, referred to as the running-config, is saved in the SCE platform volatile memory and is effective while the SCE platform is up. After reboot, the SCE platform loads the startup-config, which includes the non-default configuration as saved by the user, into the running-config.

The SCE platform provides commands for:

Viewing the running configuration

Viewing the startup configuration

After configuring the SCE platform, you may query for the running configuration using the command show running-config. This command displays the non-default running configuration. To view all SCE platform running configuration, whether it is the default or not, you may use the option all-data in the show running-config command.

To view the running configuration, use the following command:

At the SCE# prompt, type show running-config.

The system shows the running configuration.

SCE#show running-config
#This is a general configuration file (running-config).
#Created on 15:50:56  CET  MON  December  11  2005
#cli-type 1
#version 1

clock timezone CET 1
snmp-server community “public” ro
snmp-server host 10.1.1.253 traps version 1 “public”
interface LineCard 0
connection-mode active
no silent
no shutdown
flow-aging default-timeout UDP 60
interface FastEthernet 0/0
ip address 10.1.5.109 255.255.0.0
interface FastEthernet 0/1
interface FastEthernet 0/2
exit
line vty 0 4
no timeout
exit
SCE#     

Removing the Configuration

You can completely remove all current configuration by removing all configuration files. The following data is deleted by this command:

General configuration files

Application configuration files

Static party DB files

Management agent installed MBeans

Note

After using this command, the SCE platform should be reloaded immediately to ensure that it returns to the 'factory default' state.

To remove the configuration files, use the following command:

At the SCE(config)# prompt, type erase startup-config-all.

All configuration files are removed, including configuration files not explicitly managed by the user, as listed above.

Saving the Configuration Settings

When you make changes to the current running configuration and you want those changes to continue to be valid when the system restarts, you must save the changes before leaving the management session, that is, you must save the running configuration to the startup configuration file.

The SCE platform provides multiple interfaces for the purpose of configuration and management. All interfaces supply an API to the same database of the SCE platform and any configuration made through one interface is reflected through all interfaces. Furthermore, when saving the running configuration to the startup configuration from any management interface, all configuration settings are saved regardless of the management interface used to set the configuration.

To save configuration changes, complete the following steps:

At the SCE# prompt, type show running-config to view the running configuration.

The running configuration is displayed.

Check the displayed configuration to make sure that it is set the way you want. If not, make the changes you want before saving.

Type copy running-config startup-config.

The system saves all running configuration information to the configuration file, which is used when the system reboots.

The configuration file holds all information that is different from the system default in a file called config.txt located in the directory: tffs0:system.

Example:

The following example shows the running configuration file.

SCE#show running-config
#This is a general configuration file (running-config).
#Created on 15:50:56  CET  MON  February  11  2006
#cli-type 1
#version 1

clock timezone CET 1
snmp-server community “public” ro
snmp-server host 10.1.1.253 traps version 1 “public”
interface LineCard 0
connection-mode active
no silent
no shutdown
flow-aging default-timeout UDP 60
interface FastEthernet 0/0
ip address 10.1.5.109 255.255.0.0
interface FastEthernet 0/1

interface FastEthernet 0/2

exit
line vty 0 4
no timeout
exit
SCE#     
SCE#copy running-config startup-config
Writing general configuration file to temporary location...
Backing-up general configuration file...
Copy temporary file to final location...
SCE#

Example:

The following example illustrates how to remove all DNS settings from the running configuration.

SCE(config)#no ip name-server
SCE(config)#

Recovering a Previous Configuration

When you save a new configuration, the system automatically backs up the old configuration in the directory tffs0:system/prevconf/. Up to nine versions of the startup configuration file are saved, namely config.tx1-config.tx9, where config.tx1 is the most recently saved file.

You can view the old startup configuration files using the CLI command more.

Restoring a previous startup configuration means renaming the file so it overwrites the startup configuration (config.txt) file.

To restore a previous startup configuration, complete the following steps: 

At the SCE# prompt, type more tffs0:system/prevconf/config.txt to view the configuration file.

The system displays the configuration information stored in the file.

Read the configuration information to make sure it is the configuration you want to restore.

Note that you cannot undo the configuration restore command.

Type 
copy tffs0:system/prevconf/config.tx1 tffs0:system/config.txt.

The system sets the startup configuration to the configuration from config.tx1.

Example:

The following example displays a saved configuration file and then restores the file to overwrite the current configuration.

SCE#more tffs0:system/prevconf/config.tx1
#This is a general configuration file (running-config).
#Created on 19:36:07 UTC THU February 14 2006

#cli-type 1
#version 1

interface LineCard 0
no silent
no shutdown

interface FastEthernet 0/0
ip address 10.1.5.109 255.255.0.0

interface FastEthernet 0/1

interface FastEthernet 0/2

exit

line vty 0 4
exit
SCE#copy tffs0:system/prevconf/config.tx1 tffs0:system/config.txt
SCE#

Creating a Backup Configuration File

Although a backup of the configuration file is created automatically under certain circumstances, it is useful to be able to explicitly create a backup configuration file.

For example, it can be used in a cascaded solution to copy the configuration from one SCE platform to the other, as follows:

To create a backup configuration file, execute this command on the first SCE platform, specifying an FTP backup file:

copy startup-config backup-file

To upload the backup configuration file to the cascaded SCE platform, execute this command on that SCE platform, specifying the previously created backup file:

copy backup-file startup-config 

The following option is available:

backup-file — The name of the backup configuration file to be created. The file name should be in 8.3 format, that is, there are a maximum of 8 characters before the period and three characters following it.

The backup file may be created via FTP or it may be a local file, as shown in the following examples:

via FTP: ftp://user:pass@host/drive:/dir/bckupcfg.txt

local: /tffs0/bckupcfg.txt

To create a backup configuration file, use the following command:

At the SCE# prompt, type copy startup-config backup-file.

To upload a backup configuration file, use the following command:

At the SCE# prompt, type copy backup-file startup-config .

Example:

The following example shows how to copy the configuration from one SCE platform to another.

On the first SCE platform, enter the following command:

SCE1#copy startup-config ftp://adminuser:mypassword@10.10.10.10/c:/config/bckupcfg.txt
SCE1#

SCE2#copy ftp://adminuser:mypassword@10.10.10.10/c:/config/bckupcfg.txt startup-config
SCE2#

Upgrading SCE Platform Firmware

Cisco distributes upgrades to the software and firmware on the SCE platform. Cisco distributes upgrade software as a file with the extension .pkg that is installed directly from the ftp site without being copied to the disk. This procedure walks you through installation and rebooting of the SCE platform with the new firmware.

To upgrade your SCE platform software, complete the following steps:

Type configure to enter Global Configuration mode.

The SCE prompt changes to SCE(config)#.

Type boot system ftp://<user:password@host/drive:dir/seNum.pkg>, where <seNum.pkg> is the file name on the ftp site.

The boot command verifies that the package is a legal, appropriate update for the SCE platform and that the file was not corrupted. It does not perform an upgrade, but does keep in the system memory that a pkg file is available.

Type exit to leave the Global Configuration mode.

The SCE prompt changes to SCE#.

Type copy running-config startup-config.

This command re-verifies that the package is valid, and extracts the upgrade to the Flash file system.

The system notifies you that it is performing the extraction as follows:

Backing–up configuration file…
Writing configuration file…
Extracting new system image…
Extracted OK.
SCE#

Type reload to reboot the system.

The SCE prompts you for confirmation by asking Are you sure?

Type Y and press Enter.

The system sends the following message and reboots.

the system is about to reboot, this will end your CLI session

Example:

The following example shows the full procedure for performing a software update.

SCE#configure 
SCE(config)# boot system ftp://vk:vk@10.1.1.230/downloads/SENum.pkg
SCE(config)#exit 
SCE#copy running-config startup-config
Backing–up configuration file…
Writing configuration file…
Extracting new system image…
Extracted OK.
SCE#>reload
Are you sure? y
the system is about to reboot, this will end your CLI session

Configuring Applications

The SCE platform can be configured to run with different Service Control applications by installing the appropriate file. All SCE platform application files are pqi files, that is, the filename must end with the pqi extension.

Once a specific Service Control application is installed it can be configured by applying a configuration file. The configuration file is application-specific, and is produced by application-specific means, not covered in this documentation. Configuration files have no specific extension.

Note

These configuration changes are automatically saved to the start-up configuration after execution, and therefore do not appear when the running configuration is displayed (more running-config command).
These configurations cannot be manipulated by changing the system/config.txt file

Installing an Application

Use the following commands to install, uninstall, and upgrade an application. You can use the show pqi file info command before installing or upgrading an application to display the options that are available when installing the pqi file. These options can then be specified in the install orupgrade command as needed.

The documentation of the application will tell the user whether the application is stand-alone (in which case install should be used), or an upgrade to an existing application that is assumed to be installed already (in this case upgrade should be used). Currently all Cisco Service Control applications are stand-alone.

You should always run the pqi uninstall command before installing a new pqi file. This prevents old files from accumulating on the disk.

The following commands are relevant for installing and uninstalling an application:

pqi install file (interface LineCard configuration mode)
pqi uninstall file (interface LineCard configuration mode)
pqi upgrade file (interface LineCard configuration mode)
pqi rollback file  (interface LineCard configuration mode)
show pqi file info (viewer mode)
show pqi last-installed (viewer mode)

To display information about an application file, use the following command:

From the SCE# prompt, type show pqi file filename info and press Enter.

To install an application, use the following command:

From the SCE(config if)# prompt, type pqi install file filename  [options] and press Enter.

The specified pqi file is installed using the installation options specified (if any).

Note that this may take up to 5 minutes.

Note

Always run the pqi uninstall command before installing a new pqi file.

To uninstall an application, use the following command:

From the SCE(config if)# prompt, type pqi uninstall file filename and press Enter.

You must specify the same pqi file that was installed.

Note that this may take up to 5 minutes.

To upgrade an application, use the following command:

From the SCE(config if)# prompt, type pqi upgrade file filename [options] and press Enter.

You must specify the pqi file that was last used for upgrade.

Note that this may take up to 5 minutes.

To undo an upgrade of an application, use the following command:

From the SCE(config if)# prompt, type pqi rollback file filename and press Enter.

The upgrade of the specified pqi file is undone. Note that this may take up to 5 minutes.

To display the last pqi file that was installed, use the following command:

From the SCE# prompt, type show pqi last-installedand press Enter.

Monitoring the Operational Status of the SCE Platform

The following table lists the operational states of the SCE platform. You can monitor the operational status of the SCE platform via:

The Status LED on the SCE front panel

The show system operation-status CLI command

Table 3.1. SCE platform Operational States

To display the current operational status of the SCE platform, use the following command:

From the SCE> prompt, type show system operation-status and press Enter.

Example:

The following example shows how to display the current operational status of the SCE platform.

SCE>show system operation-status
System Operation status is Operational
Port status is:
Link on port #1 is down
Link on port #2 is down

Displaying the SCE Platform Version Information

Use this command to display global static information on the SCE platform, such as software and hardware version, image build time, system uptime, last open packages names and information on the SLI application assigned.

To show the version information for the SCE platform software and hardware, use the following command:

At the SCE# prompt, type show version and press Enter. 

Example:

The following example shows how to display the SCE platform version information.

SCE#show version
System version: Version 3.0.0 Build 240
Build time: Jan 11 2006, 07:34:47
Software version is: Version 2.5.2 Build 240
Hardware information is: 
rx            : 0x0075
dp            : 0x1808
tx            : 0x1708
ff            : 0x0077
cls           : 0x1721
cpld          : 0x0025
Lic           : 0x0176
rev           : G001
Bootrom       : 2.1.0
L2 cache      : Samsung 0.5
lic type      : MFE
optic mode    : MM
Product S/N   : CAT093604K3
Product ID    : SCE2020-4XGBE-MM
Version ID    : V01
Deviation     :
Part number   : 800-26601-01
Revision      : B0
Software revision : G001
LineCard S/N      : CAT09370L1Q
Power Supply type : AC

SML Application information is:
Application file: /tffs0/temp.sli
Application name:
Application help:
Original source file: H:\work\Emb\jrt\V2.5\sml\actions\drop\drop_basic_anyflow.san
Compilation date: Wed, November 12 2006 at 21:25:21
Compiler version: SANc v2.50 Build 32 gcc_codelets=true built on: Tue September 23 2006 09:51:57 AM.;SME plugin v1.1
Default capacity option used.


Logger status: Enabled


Platform: SCE 2000 - 4xGBE
Management agent interface version: SCE Agent 3.0.5 Build 18
Software package file: ftp://vk:vk@10.1.8.22/P:/EMB/LatestVersion/3.0.5/se1000.pkg

SCE 2000 uptime is 21 minutes, 37 seconds
SCE#

Displaying the SCE Platform Inventory

Unique Device Identification (UDI) is a Cisco baseline feature that is supported by all Cisco platforms. This feature allows network administrators to remotely manage the assets in their network by tracing specific devices through either CLI or SNMP. The user can display inventory information for a remote device via either:

Entity MIB (see ENTITY-MIB)

CLI show inventory command

The show inventory CLI command displays the following information:

Device name

Description

Product identifier

Version identifier

Serial number

To display the SCE platform UDI, use the following command:

From the SCE> prompt, type show inventory and press Enter.

Example:

The following example shows how to display the inventory (UDI) of the SCE platform.

SCE>show inventory
NAME: "Chassis",
DESCR: "Cisco SCE 2020 Service Control Engine, Multi Mode, 4-port GE"
PID: SCE2020-4XGBE-MM  , VID: V01, SN: CAT093604K3
SCE>

Displaying the System Uptime

Use this command to see how long the system has been running since the last reboot.

To show the system uptime for the SCE platform, use the following command:

At the SCE# prompt, type show system-uptime and press Enter.

The system shows how long the system has been running since the last reboot.

Example:

The following example shows how to display the system uptime of the SCE platform.

SCE#show system-uptime
SCE uptime is 21 minutes, 37 seconds
SCE#

Rebooting and Shutting Down the SCE Platform

Rebooting the SCE Platform

Rebooting the SCE platform is required after installing a new firmware, in order for that firmware to take effect. There might be other occasions where rebooting the SCE platform is necessary.

Note

When the SCE restarts, it loads the startup configuration, so all changes made in the running configuration will be lost. You are advised to save the running configuration before performing reload, as described in Saving the Configuration Settings.

To reboot your SCE platform, complete the following steps:

At the SCE# prompt, type reload and press Enter.

A confirmation message appears.

Type Y to confirm the reboot request and press Enter.

Example:

The following example shows the commands for system reboot.

SCE# reload
Are you sure? y
the system is about to reboot, this will end your CLI session

Shutting Down the SCE Platform

Shutting down the SCE platform is required before turning the power off. This helps to ensure that non-volatile memory devices in the SCE platform are properly flushed in an orderly manner.

Note

When the SCE platform restarts, it loads the startup configuration, so all changes made in the running configuration will be lost. You are advised to save the running configuration before performing reload, as described in Saving the Configuration Settings.

To shut down your SCE platform, complete the following steps:

Connect to the serial console port (The CON connector on the SCE platform front panel, 9600 baud).

The SCE# prompt appears.

Type reload shutdown.

A confirmation message appears.

Type Y to confirm the shutdown request and press Enter.

Example:

The following example shows the commands for system shutdown.

SCE#reload shutdown
You are about to shut down the system.
The only way to resume system operation after this
is to cycle the power off, and then back on.
Continue? 
y

IT IS NOW SAFE TO TURN THE POWER OFF.

Note

Since the SCE platform can recover from the power-down state only by being physically turned off (or cycling the power), this command can only be executed from the serial CLI console. This limitation helps prevent situations in which a user issues this command from a Telnet session, and then realizes he/she has no physical access to the SCE platform.

Chapter 4. Utilities

Setup Utility

The setup utility is an interactive wizard that guides the user through the basic configuration process. This utility runs automatically upon initial connection to the local terminal. It may also be invoked explicitly via Telnet or via the local terminal to make changes to the system configuration.

The following table lists all the command parameters for the setup utility.

Table 4.1. Setup Command Parameters

Information regarding these parameters can be found in the appropriate sections throughout this guide.

For more information regarding SCE platform topology, and for a step-by-step description of the setup utility, see the Cisco SCE 2000/SCE 1000 Installation and Configuration Guides.

Entering the Setup Utility

To enter the setup utility 

From the SCE# prompt, type setup and press Enter.

The following dialog appears:

                --- System Configuration Dialog ---

At any point you may enter a question mark ‘?’ followed by ‘Enter’ for help.
Use ctrl-C to abort configuration dialog at any prompt.
Use ctrl-Z to jump to the end of the configuration dialog at any prompt.
Default settings are in square brackets ‘[]’.

Would you like to continue with the System Configuration Dialog? [yes/no]: y
system configuration dialog begins.

Multiple entry parameters (Lists)

When explicitly invoked, the setup utility offers the option of multiple entries (lists) for certain parameters.

Several parameters, such as the Access Control Lists, are actually lists containing a number of entries. If these lists are empty (initial configuration) or contain only one entry, they act the same as any scalar parameter, except that you are giving the option of adding additional entries to the list.

If these lists already contain more than one entry, the entire list is displayed, and you are then presented with several options. Following is an excerpt from the SNMP trap manager menu, illustrating how to configure list entries.

To configure a list parameter when more than one entry already exists in the list, complete the following steps:

The entries in the list are displayed.

There are 2 SNMP trap managers in the current configuration as follows:
IP address: 10.10.10.10     Community: private  Version: 1
IP address: 10.11.10.1  Community: pcube    Version: 2c

Three options are presented.

Please choose one of the following options:
1. Leave the running configuration unchanged.
2. Clear the existing lists and configure new ones.
3. Add new entries.

Enter your choice:

You are prompted to continue the setup, depending on the choice you entered:

1. Leave the running configuration unchanged:

The dialog proceeds to the next question. The list remains unchanged.

2. Clear the existing entries and configure new ones:

The dialog prompts you for a new entry in the list.

After completing the first entry, you are asked whether you would like to add another new entry.

Would you like to add another SNMP trap manager? [no]:y

3. Add new entries:

The dialog prompts you for a new entry in the list.

After the completing one entry, you are asked whether you would like add another new entry.

Would you like to add another SNMP trap manager? [no]:y

File-system Operations

The CLI commands include a complete range of file management commands. These commands allow you to create, delete, copy, and display both files and directories.

Note

Regarding disk capacity: While performing disk operations, the user should take care that the addition of new files that are stored on the SCE disk do not cause the disk to exceed 70%.

Working with Directories

The following file-system operations commands are relevant to directories:

cd
delete
dir
mkdir
pwd
rmdir

Creating a Directory

To create a directory, use the following command::

From the SCE# prompt, type mkdir directory-name and press Enter.

Deleting a Directory

There are two different commands for deleting a directory, depending on whether the directory is empty or not.

To delete a directory and all its files and sub-directories, use the following command::

From the SCE# prompt, type delete directory-name /recursiveand press Enter.

To delete an empty directory, use the following command::

From the SCE# prompt, type rmdir directory-name and press Enter.

Changing Directories

To change the path of the current working directory, use the following command::

From the SCE# prompt, type cd new path and press Enter.

Displaying Working Directory

To display the current working directory, use the following command::

From the SCE# prompt, type pwd and press Enter.

Listing Files in Current Directory

You can display a listing of all files in the current working directory. This list may be filtered to include only application files. The listing may also be expanded to include all files in any sub-directories.

To list all the files in the current directory, use the following command::

From the SCE# prompt, type dir and press Enter.

To list all the applications in the current directory, use the following command::

From the SCE# prompt, type dir applications and press Enter.

To include files in all sub-directories in the listing of the current directory, use the following command::

From the SCE# prompt, type dir -r and press Enter.

Working with Files

The following file-system operations commands are relevant to files:

copy
copy-passive
delete
more
rename
unzip

Renaming a File

To rename a file, use the following command:

From the SCE# prompt, type rename current-file-name new-file-name and press Enter.

Deleting a File

To delete a file, use the following command:

From the SCE# prompt, type delete file-name and press Enter.

Copying a File

You can copy a file from the current directory to a different directory.

You can also copy a file (upload/download) to or from an FTP site. In this case, either the source or destination filename must begin with ftp://. To copy a file using passive FTP, use the copy-passive command.

To copy a file, use the following command:

From the SCE# prompt, type copy source-file-name destination-file-name and press Enter.

Example:

The following example copies the local analysis.sli file located in the root directory to the applications directory.

SCE#copy analysis.sli applications/analysis.sli
SCE#

To download a file from an FTP site:

From the SCE#
        prompt, type copy ftp://source destination-file-name and press
        Enter.

To upload a file to an FTP site using Passive FTP, use the following command:

From the SCE# prompt, type copy-passive source-file-name ftp://destination and press Enter.

Example:

The following example uploads the analysis.sli file located on the local flash file system to the host 10.1.1.105, specifying Passive FTP.

SCE#copy-passive /appli/analysis.sli ftp://myname:mypw@10.1.1.105/p:/appli/analysis.sli
SCE#

Displaying File Contents

To display the contents of a file, use the following command:

From the SCE# prompt, type more file-name and press Enter.

Unzipping a File

Use this command to unzip a file. The specified file must be a zip file.

Files are extracted to the current directory.

To unzip a file, use the following command:

From the SCE# prompt, type unzip file-name and press Enter.

The User Log

The user log is an ASCII file that can be viewed in any editor. It contains a record of system events, including startup, shutdown and errors. You can use the Logger to view the user log to determine whether or not the system is functioning properly, as well as for technical support purposes.

The Logging System

Events are logged to one of two log files. After a file reaches maximum capacity, the events logged in that file are then temporarily archived. New events are then automatically logged to the alternate log file. When the second log file reaches maximum capacity, the system then reverts to logging events to the first log file, thus overwriting the temporarily archived information stored in that file.

Basic operations include:

Copying the User Log to an external source

Viewing the User Log

Clearing the User Log

Viewing/clearing the User Log counters

Copying the User Log

You can view the log file by copying it to an external source or to disk. This command copies both log files to the local SCE platform disk or any external host running a FTP server.

To copy the user log to an external source, use the following command:

From the SCE# prompt, type logger get user-log file-name ftp://username:password@ipaddress/path and press Enter.

To copy the user log to an internal location, use the following command:

From the SCE# prompt, type logger get user-log file-name target-filenameand press Enter.

Enabling and Disabling the User Log

By default, the user log is enabled. You can disable the user log by configuring the status of the logger.

To disable the user log, complete the following steps:

From the SCE# prompt, type configure and press Enter.

Type logger device User-File-Log disabled and press Enter. 

To enable the user file log, complete the following steps:

From the SCE# prompt, type configure and press Enter.

Type logger device User-File-Log enabled and press Enter. 

Viewing the User Log Counters

There are two types of log counters:

User log counters — count the number of system events logged from the SCE platform last reboot.

Non-volatile counters — are not cleared during boot time

To view the user log counters for the current session, use the following command:

From the SCE# prompt, type show logger device user-file-log counters and pressEnter.

To view the non-volatile logger counters for both the User log file and the debug log file, use the following command:

From the SCE# prompt, type show logger nv-counters and press Enter.

To view the non-volatile counter for the user-file-log only, use the following command:

From the SCE# prompt, type show logger device user-file-log nv-counters and press Enter.

Viewing the User Log

Note

This command is not recommended when the user log is large. Copy a large log to a file to view it (see Copying the User Log) 

To view the user log, use the following command:

From the SCE# prompt, type more user-log and press Enter.

Clearing the User Log

You can clear the contents of the user log at any time. The user log contains important information regarding the functioning of the system. It is recommended that a copy be made before the log is cleared.

To clear the user log, complete the following steps:

From the SCE# prompt, type clear logger device user-file-log and press Enter.

The system asks Are you sure?

Type Y and press Enter.

The SCE# prompt appears.

Generating a File for Technical Support

In order for technical support to be most effective, the user should provide them with the information contained in the system logs. Use the logger get support-file command to generate a support file for the use of Cisco technical support staff.

To generate a log file for technical support, use the following command:

From the SCE# prompt, type logger get support-file filename and pressEnter.

The support information file is created using the specified filename. This operation may take some time.

Chapter 5. Configuring the Management Interface and Security

The SCE platform is equipped with two RJ-45 management (MNG)ports. These ports provide access from a remote management console to the SCE platform via a LAN.

The two management ports support management interface redundancy, providing the possibility for a backup management link.

In addition to the Layer 1 security of a backup management link, the Service Control platform provides a further management interface security feature; an IP filter that monitors for various types of TCP/IP attacks. This filter can be configured with thresholds rates both for defining an attack and defining the end of an attack. 

Note

The addition of the second management port is reflected in all objects related to it in the SNMP interface.

Perform the following tasks to configure the management interface and management interface security:

Configure the management port:

Physical parameters

Specify active port (if not redundant installation)

Redundancy (if redundant installation)

Configure management interface security 

Enable IP fragment filtering

Configure the permitted and not-permitted IP address monitor

Configuring the Management Ports

Perform the following tasks to configure the management ports:

Configure the IP address and subnet mask (only one IP address for the management interface, not one IP address per port).

Configure physical parameters:

Duplex

Speed

Configure redundant management interface behavior (optional):

Fail-over mode

If fail-over mode is disabled, specify the active port (optional).

To configure the management interface, complete the following steps:

Cable the desired management port, connecting it to the remote management console via the LAN.

Disable the automatic fail-over mode. (See Configuring the Fail-Over Mode.)

Configure the management port physical parameters. (See Configuring the Management Port Physical Parameters.)

To configure the system with management interface redundancy, see Configuring the Management Ports for Redundancy.

Entering Management Interface Configuration Mode

When entering Management Interface Configuration Mode, you must indicate the number of the management port to be configured:

0/1 — Mng port 1

0/2 — Mng port 2

The following Management Interface commands are applied only to the port specified when entering Management Interface Configuration Mode. Therefore, each port must be configured separately:

speed

duplex

The following Management Interface commands are applied to both management ports, regardless of which port had been specified when entering Management Interface Configuration Mode. Therefore, both ports are configured with one command:

ip address

auto-fail-over

To enter Global Configuration Mode, type configure and pressEnter.

The SCE(config)# prompt appears.

Type interface Mng {0/1|0/2} and press Enter.

The SCE(config if)# prompt appears.

Configuring the Management Port Physical Parameters

This interface has a transmission rate of 10 or 100 Mbps and is used for management operations and for transmitting RDRs, which are the output of traffic analysis and management operations.

The procedures for configuring this interface are explained in the following sections:

Setting the IP Address and Subnet Mask of the Management Interface.

Configuring the Speed of the Management Interface

Configuring the Duplex Operation of the Management Interface.

Specifying the Active Management Port: only if both of the following conditions are present:

Fail-over mode is disabled (no automatic switch to the backup port).

Active port = Mng Port 2 (Mng port 1 is the default and therefore does not need to be explicitly specified).

Setting the IP Address and Subnet Mask of the Management Interface

The user must define the IP address of the management interface.

When both management ports are connected, providing a redundant management port, this IP address always acts as a virtual IP address for the currently active management port, regardless of which port is the active port.

The following options are available:

IP address — The IP address of the management interface.

If both management ports are connected, so that a backup management link is available, this IP address will be act as a virtual IP address for the currently active management port, regardless of which physical port is currently active.

subnet mask — subnet mask of the management interface.

Warning

Changing the IP address of the management interface via telnet will result in loss of the telnet connection and inability to reconnect with the interface.

To set the IP address and subnet mask of the Management Interface, use the following command:

From the SCE(config if)# prompt, type ipaddress ip-address subnet-mask and press Enter.

The command might fail if there is a routing table entry that is not part of the new subnet, defined by the new IP address and subnet mask.

Example:

The following example shows how to set the IP address of the SCE platform to 10.1.1.1 and the subnet mask to 255.255.0.0.

SCE(config if)#ip address 10.1.1.1 255.255.0.0

Configuring the Management Interface Speed and Duplex Parameters

This section presents sample procedures that describe how to configure the speed and the duplex of the Management Interface.

Both these parameters must be configured separately for each port.

Configuring the Speed of the Management Interface

The following options are available:

speed — speed in Mbps of the currently selected management port (0/1 or 0/2):

10

100

auto (default) — auto-negotiation (do not force speed on the link)

If the duplex parameter is configured to auto, changing the speed parameter has no effect (see Interface State Relationship to Speed and Duplex).

To configure the speed of the specified management port, use the following command:

From the SCE(config if)# prompt, type speed 10|100|auto and pressEnter.

Example:

The following example shows how to use this command to configure the Management port to 100 Mbps speed.

SCE(config if)#speed 100

Configuring the Duplex Operation of the Management Interface

The following options are available:

duplex — duplex operation of the currently selected management port (0/1 or 0/2):

full

half

auto (default) — auto-negotiation (do not force duplex on the link)

If the speed parameter is configured to auto, changing the duplex parameter has no effect (see Interface State Relationship to Speed and Duplex).

To configure the duplex operation of the specified management port, use the following command:

From the SCE(config if)# prompt, type duplex auto|full|half and press Enter.

Configures the duplex operation of the currently selected management interface to either auto, half duplex, or full duplex.

Example:

The following example shows how to use this command to configure a management port to half duplex mode.

SCE(config if)#duplex half

Table 5.1. Interface State Relationship to Speed and Duplex 

Specifying the Active Management Port

This command explicitly specifies which management port is currently active. Its use varies slightly, depending on whether the management interface is configured as a redundant interface (auto fail-over enabled) or not (auto fail-over disabled)

auto fail-over enabled (automatic mode) — the specified port becomes the currently active port, in effect forcing a fail-over action even if a failure has not occurred.

auto fail-over disabled (manual mode) — the specified port should correspond to the cabled Mng port, which is the only functional port and therefore must be and remain the active management port

Note

This command is a Privileged Exec command, unlike the other commands in this section, which are Mng Interface Configuration commands. If in Mng interface configuration mode, you must exit to the privileged exec mode and see the SCE# prompt displayed



The following options are available:

slot-number/interface-number — The interface number (0/1 or 0/2) of the management port that is specified as the active port.

To specify the active management port, use the following command:

From the SCE# prompt, type Interface Mng {0/1 | 0/2} active-port and press Enter.

Example:

The following example shows how to use this command to configure Mng port 2 as the currently active management port. 

SCE# Interface Mng 0/2 active-port

Configuring the Management Ports for Redundancy

The SCE platform contains two RJ-45 management ports. The two management ports provide the possibility for a redundant management interface, thus ensuring management access to the SCE platform even if there is a failure in one of the management links. If a failure is detected in the active management link, the standby port automatically becomes the new active management port.

Note that both ports must be connected to the management console via a switch. In this way, the IP address of the MNG port is always the same, regardless of which physical port is currently active.

Important information:

Only one port is active at any time.

The same virtual IP address and MAC address are assigned to both ports.

Default — 

Port 1 = active 

Port 2 = standby

The standby port sends no packets to the network and packets from the network are discarded. 

When a problem in the active port is encountered, the standby port automatically becomes the new active port.

Link problem, with switch to standby MNG port, is declared after the link is down for 300 msec.

Service does not revert to the default active port if/when that link recovers. The currently active MNG port remains active until link failure causes a switch to the other MNG port.

To configure the system with management interface redundancy, complete the following steps:

Cable both management ports (Mng 1 and Mng 2), connecting them both to the remote management console via the LAN and via a switch.

Configure the automatic fail-over mode. (See Configuring the Fail-Over Mode.)

Configure the IP address for the management interface. The same IP address will always be assigned to the active management port, regardless of which physical port is currently active. (See Setting the IP Address and Subnet Mask of the Management Interface.)

Configure the speed and duplex for both management ports. (See Configuring Management Interface Speed and Duplex Parameters.)

Configuring the Fail-Over Mode

Use the following command to enable automatic fail-over. The automatic mode must be enabled to support management interface redundancy. This mode automatically switches to the backup management link when a failure is detected in the currently active management link.

This parameter can be configured when in management interface configuration mode for either management port, and is applied to both ports with one command.

The following options are available:

auto/ no auto — Enable or disable automatic fail-over switching mode

Default — auto (automatic mode)

To enable automatic fail-over mode, use the following command:

From the SCE(config if)# prompt, type auto-fail-over and press Enter.

When the automatic fail-over mode is disabled, by default Mng port 1 is the active port. If Mng port 2 will be the active port, it must be explicitly configured as such (see Specifying the Active Management Port.)

To disable automatic fail-over mode:

From the SCE(config if)# prompt, type no auto-fail-over and pressEnter.

Management Interface Security

Management security is defined as the capability of the SCE platform to cope with malicious management conditions that might lead to global service failure. Resiliency to attacks on the management port includes the following features:

The SCE platform remains stable during flooding attack.

The number of TCP/IP stack control protocol vulnerabilities is minimized.

The availability of reporting capabilities on attacks on the management port.

There are two parallel security mechanisms:

Automatic security mechanism — monitors the TCP/IP stack rate at 200 msec intervals and throttles the rate from the device if necessary.

This mechanism always functions and is not user-configurable

User-configurable security mechanism — accomplished via two IP filters at user-configurable intervals:

IP fragment filter — Drops all IP fragment packets

IP filter monitor — Measures the rate of accepted and dropped packets for both permitted and not-permitted IP addresses.

Configuring Management Port Security

The procedure for configuring management port security is explained in the following sections:

Enabling the IP Fragment Filter

Configuring the Permitted and Not-permitted IP Address Filter

Enabling the IP Fragment Filter

Use this command to enable the filtering out of IP fragments.

The following options are available:

enable/disable — Enable or disable IP fragment filtering

Default — disable

To enable IP fragment filtering, use the following command:

From the SCE(config)# prompt, type ip filter fragment enable and press Enter.

To disable IP fragment filtering, use the following command:

From the SCE(config)# prompt, type ip filter fragment disable and press Enter.

Configuring the Permitted and Not-permitted IP Address Monitor

Use this command to configure the limits for permitted and not-permitted IP address transmission rates.

The following options are available:

ip permitted/ip not-permitted — Specifies whether the configured limits apply to permitted or not-permitted IP addresses.

If neither keyword is used, it is assumed that the configured limits apply to both permitted and not-permitted IP addresses.

low rate — lower threshold; the rate in Mbps that indicates the attack is no longer present

Default — 20

high rate — upper threshold; the rate in Mbps that indicates the presence of an attack

Default — 20

burst size — duration of the interval in seconds that the high and low rates must be detected in order for the threshold rate to be considered to have been reached

Default — 10

To configure the permitted and not-permitted IP address monitor limits, use the following command:

From the SCE(config)# prompt, type ip filter monitor {ip_permited | ip_not_permited} low_rate low_rate high_rate high_rate burst burst size and press Enter.

Monitoring Management Interface IP Filtering

Use this command to display the following information for management interface IP filtering. 

IP fragment filter enabled or disabled

configured attack threshold (permitted and not-permitted IP addresses)

configured end of attack threshold (permitted and not-permitted IP addresses)

burst size in seconds  (permitted and not-permitted IP addresses)

To display information relating to the management interface, use the following command:

From the SCE# prompt, type show ip filter and press Enter.

Configuring the Available Interfaces

The system allows you to configure the Telnet and SNMP interfaces according to the manner in which you are planning to manage the SCE platform and the external components of the system. 

TACACS+ Authentication, Authorization, and Accounting

TACACS+ is a security application that provides centralized authentication of users attempting to gain access to a network element. The implementation of TACACS+ protocol allows customers to configure one or more authentication servers for the SCE platform, providing a secure means of managing the SCE platform, as the authentication server will authenticate each user. This then centralizes the authentication database, making it easier for the customers to manage the SCE platform.

TACACS+ services are maintained in a database on a TACACS+ server running, typically, on a UNIX or Windows NT workstation. You must have access to and must configure a TACACS+ server before the configured TACACS+ features on your network element are available.

The TACACS+ protocol provides authentication between the network element and the TACACS+ ACS, and it can also ensure confidentiality, if a key is configured, by encrypting all protocol exchanges between a network element and a TACACS+ server.

The following is a summary of the procedure for configuring TACACS+. All steps are explained in detail in the remainder of this section.

To configure TACACS+ authentication, authorization, and accounting, complete the following steps:

Configure the remote TACACS+ servers.

Configure the remote servers for the protocols, Keep in mind the following guidelines:

Configure the encryption key that the server and client will use

The maximal user privilege level and enable password (password used when executing the enable command) should be provided.

The configuration should always include the root user, giving it the privilege level of 15.

Viewer (privilege level 5) and superuser (privilege level 10) user IDs should be established at this time also.

For complete details on server configuration, refer to the appropriate configuration guide for the particular TACACS+ server that you will be using.

Configure the SCE client to work with TACACS+ server:

hostname of the server

port number

shared encryption key (the configured encryption key must match the encryption key configured on the server in order for the client and server to communicate.)

(Optional) Configure the local database, if used.

add new users

If the local database and TACACS+ are both configured, it is recommended to configure the same user names in both TACACS+ and the local database. This will allow the users to access the SCE platform in case of TACACS+ server failure.

Note

Note

If TACACS+ is used as the login method, the TACACS+ username is used automatically in the enable command. Therefore, it is important to configure the same usernames in both TACACS+ and the local database so that the enablecommand can recognize this username.

specify the password

define the privilege level

Configure the authentication methods on the SCE platform.

login authentication methods

privilege level authorization methods

Review the configuration.

Use the "show running-config" command to view the configuration.

The TACACS+ protocol provides the following three features:

Login authentication

Privilege level authorization

Accounting

Login Authentication

The SCE platform uses the TACACS+ ASCII authentication message for CLI, Telnet and SSH access.

TACACS+ allows an arbitrary conversation to be held between the server and the user until the server receives enough information to authenticate the user. This is usually done by prompting for a username and password combination.

The login and password prompts may be provided by the TACACS+ server, or if the TACACS+ server does not provide the prompts, then the local prompts will be used.

The user log on information (user name and password) is transmitted to the TACACS+ server for authentication. If the TACACS+ server indicates that the user is not authenticated, the user will be re-prompted for the user name and password. The user is re-prompted a user-configurable number of times, after which the failed login attempt is recorded in the SCE platform user log and the telnet session is terminated (unless the user is connected to the console port.)

The SCE platform will eventually receive one of the following responses from the TACACS+ server:

ACCEPT – The user is authenticated and service may begin. 

REJECT – The user has failed to authenticate. The user may be denied further access, or will be prompted to retry the login sequence depending on the TACACS+ server.

ERROR – An error occurred at some time during authentication. This can be either at the server or in the network connection between the server and the SCE platform. If an ERROR response is received, the SCE platform will try to use an alternative method\server for authenticating the user.

CONTINUE – The user is prompted for additional authentication information.

If the server is unavailable, the next authentication method is attempted, as explained in General AAA Fallback and Recovery Mechanism.

Accounting

The TACACS+ accounting supports the following functionality:

Each executed command (the command must be a valid one) will be logged using the TACACS+ accounting mechanism (including login and exit commands).

The command is logged both before and after it is successfully executed.

Each accounting message contains the following:

User name

Current time

Action performed

Command privilege level

TACACS+ accounting is in addition to normal local accounting using the SCE platform dbg log.

Privilege Level Authorization

After a successful login the user is granted a default privilege level of 0, giving the user the ability to execute a limited number of commands. Changing privilege level is done by executing the "enable" command. This command initiates the privilege level authorization mechanism.

Privilege level authorization in the SCE platform is accomplished by the use of an "enable" command authentication request. When a user requests an authorization for a specified privilege level, by using the "enable" command, the SCE platform sends an authentication request to the TACACS+ server specifying the requested privilege level. The SCE platform grants the requested privilege level only after the TACACS+ server does the following:

Authenticates the "enable" command password 

Verifies that the user has sufficient privileges to enter the requested privilege level.

Once the user privilege level has been determined, the user is granted access to a specified set of commands according to the level granted.

As with login authentication, if the server is unavailable, the next authentication method is attempted, as explained in General AAA Fallback and Recovery Mechanism.

General AAA Fallback and Recovery Mechanism

The SCE platform uses a fall-back mechanism in order to maintain service availability in case of an error.

The AAA mechanism in the SCE platform contains several AAA methods that are used to back each other up. The customer may choose the AAA methods that are used and the order in which they are used.

The AAA methods available are:

TACACS+ – AAA is performed by the use of a TACACS+ server, allows authentication, authorization and accounting.

Local – AAA is performed by the use of a local database, allows authentication and authorization.

Enable – AAA is performed by the use of user configured passwords, allows authentication and authorization.

None – no authentication\authorization\accounting is performed.

In the current implementation the order of the methods used isn't configurable but the customer can choose which of the methods are used. The current order is 

TACACS+

Local

Enable 

None

Note

Important: If the server goes to AAA fault, the SCE platform will not be accessible until one of the AAA methods is restored. In order to prevent this, it is advisable to use the "none" method as the last AAA method.

If the SCE platform becomes un-accessible, the shell function "AAA_MethodsReset" will allow the user to delete the current AAA method settings and set the AAA method used to "Enable".

Configuring the SCE Platform TACACS+ Client

The user must configure the remote servers for the TACACS+ protocol. Then the SCE platform TACACS+ client must be configured to work with the TACACS+ servers. The following information must be configured:

TACACS+ server hosts definition — a maximum of three servers is supported.

For each sever host, the following information can be configured:

hostname (required)

port

encryption key

timeout interval

Default encryption key (optional) — A global default encryption key may be defined. This key is defined as the key for any server host for which a key is not explicitly configured when the server host is defined.

If the default encryption key is not configured, a default of no key is assigned to any server for which a key is not explicitly configured.

Default timeout interval (optional) — A global default timeout interval may be defined. This timeout interval is defined as the timeout interval for any server host for which a timeout interval is not explicitly configured when the server host is defined.

If the default timeout interval is not configured, a default of five seconds is assigned to any server for which a timeout interval is not explicitly configured.

The procedures for configuring the SCE platform TACACS+ client are explained in the following sections:

Adding a new TACACS+ Server Host

Removing a TACACS+ Server Host

Configuring the Global Default Key

Configuring the Global Default Timeout

Adding a new TACACS+ Server Host

Use this command to define a new TACACS+ server host that is available to the SCE platform TACACS+ client.

The Service Control solution supports a maximum of three TACACS+ server hosts.

The following options are available:

host-name — name of the server

port # — TACACS+ port number

Default = 49

timeout interval — time in seconds that the server waits for a reply from the server host before timing out

Default = 5 seconds or user-configured global default timeout interval (see Configuring the Global Default Timeout.)

key-string — encryption key that the server and client will use when communicating with each other. Make sure that the specified key is actually configured on the TACACS+ server host.

Default = no key or user-configured global default key (see Configuring the Global Default Key)

To add a new TACACS+ server host, use the following command:

From the SCE(config)# prompt, type tacacs-server host host-name [port port#] [timeout timeout-interval] [key key-string] and press Enter.

Removing a TACACS+ Server Host

Use this command to delete a TACACS+ server host from the system.

The following options are available:

host-name — name of the server to be deleted

To delete a TACACS+ server host, use the following command:

From the SCE(config)# prompt, type no tacacs-server host host-nameand press Enter.

Configuring the Global Default Key

Use this command to define the global default key for the TACACS+ server hosts. This default key can be overridden for a specific TACACS+ server host by explicitly configuring a different key for that TACACS+ server host.

The following options are available:

key-string — default encryption key that all TACACS servers and clients will use when communicating with each other. Make sure that the specified key is actually configured on the TACACS+ server hosts.

Default = no encryption

To define the global default key, use the following command:

From the SCE(config)# prompt, type tacacs-server key key-stringand press Enter.

To clear the global default key, use the following command:

From the SCE(config)# prompt, type no tacacs-server key and press Enter.

No global default key is defined. Each TACACS+ server host may still have a specific key defined. However, any server host that does not have a key explicitly defined (uses the global default key) is now configured to use no key.

Configuring the Global Default Timeout

Use this command to define the global default timeout interval for the TACACS+ server hosts. This default timeout interval can be overridden for a specific TACACS+ server host by explicitly configuring a different timeout interval for that TACACS+ server host.

The following options are available:

timeout interval — default time in seconds that the server waits for a reply from the server host before timing out.

Default = 5 seconds

To define the global default timeout interval, use the following command:

From the SCE(config)# prompt, type tacacs-server timeout timeout-interval and press Enter.

To clear the global default timeout interval, use the following command:

From the SCE(config)# prompt, type no tacacs-server timeout and pressEnter.

No global default timeout interval is defined. Each TACACS+ server host may still have a specific timeout interval defined. However, any server host that does not have a timeout interval explicitly defined (uses the global default timeout interval) is now configured to a five second timeout interval.

Managing the User Database

TACACS+ maintains a local user database. Up to 100 users can be configured in this local database, which includes the following information for all users:

Username

Password — may configured as encrypted or unencrypted

Privilege level

The procedures for managing the local user database are explained in the following sections:

Adding a User

Deleting a User

Defining the User Privilege Level

Adding a User

Use these commands to add a new user to the local database. Up to 100 users may be defined.

The password is defined with the username. There are several password options:

No password — use the nopassword keyword.

Password — Password is saved in clear text format in the local list.

Use the password parameter.

Encrypted password — Password is saved in encrypted (MD5) form in the local list. Use the secret keyword.

Password may be defined by either of the following methods:

Specify a clear text password, which is saved in MD5 encrypted form

Specify an MD5 encryption string, which is saved as the user MD5-encrypted secret password

The following options are available:

name — name of the user to be added

password — a clear text password. May be saved in the local list in either of two formats:

as clear text 

in MD5 encrypted form if the secret keyword is used

encrypted-secret — an MD5 encryption string password

The following keywords are available:

nopassword — There is no password associated with this user

secret — the password is saved in MD5 encrypted form. Use with either of the following keywords to indicate the format of the password as entered in the command:

0 — use with the password option to specify a clear text password that will be saved in MD5 encrypted form

5 = use with the encrypted-secret option to specify an MD5 encryption string that will be saved as the user MD5-encrypted secret password

To add a new user to the local database with a clear text password, use the following command:

From the SCE(config)# prompt, type username name password password and press Enter.

To add a new user to the local database with no password, use the following command:

From the SCE(config)# prompt, type username name nopassword and pressEnter.

To add a new user to the local database with an MD5 encrypted password entered in clear text, use the following command:

From the SCE(config)# prompt, type username name secret 0 password and press Enter.

To add a new user to the local database with an MD5 encrypted password entered as an MD5 encryption string, use the following command:

From the SCE(config)# prompt, type username name secret 5 encrypted-secret and press Enter.

Defining the User Privilege Level

Privilege level authorization in the SCE platform is accomplished by the use of an "enable" command authentication request. When a user requests an authorization for a specified privilege level, by using the "enable" command, the SCE platform sends an authentication request to the TACACS+ server specifying the requested privilege level. The SCE platform grants the requested privilege level only after the TACACS+ server authenticates the"enable" command password and verifies that the user has sufficient privileges the enter the requested privilege level.

Use this command to set the privilege level of the specified user.

The following options are available:

name — name of the user whose privilege level is set

level — the privilege level permitted to the specified user. These levels correspond to the CLI authorization levels, which are entered via the enable command:

0 — User

10 — Admin

15 (default) — Root

To set the privilege level for the specified user, use the following command:

From the SCE(config)# prompt, type username name privilege level and press Enter.

Adding a User with Privilege Level and Password

Use these commands to define a new user, including password and privilege level, in a single command.

Note

In the config files (running config and startup config), this command will appear as two separate commands..



The following options are available:

name — name of the user to be added

password — a clear text password. May be saved in the local list in either of two formats:

as clear text 

in MD5 encrypted form if the secret keyword is used

encrypted-secret — an MD5 encryption string password

level — the privilege level permitted to the specified user. These levels correspond to the CLI authorization levels, which are entered via the enable command:

0 — User

10 — Admin

15 (default) — Root

The following keywords are available:

secret — the password is saved in MD5 encrypted form. Use with either of the following keywords to indicate the format of the password as entered in the command:

0 — use with the password option to specify a clear text password that will be saved in MD5 encrypted form

5 = use with the encrypted-secret option to specify an MD5 encryption string that will be saved as the user MD5-encrypted secret password

To add a new user to the local database, specifying the privilege level and a clear text password, use the following command:

From the SCE(config)# prompt, type username name privilege level password password and press Enter.

To add a new user to the local database, specifying the privilege level and an MD5 encrypted password entered in clear text, use the following command:

From the SCE(config)# prompt, type username name privilege level secret 0 password and press Enter.

To add a new user to the local database, specifying the privilege level and an MD5 encrypted password entered as an MD5 encryption string, use the following command:

From the SCE(config)# prompt, type username name privilege level secret 5 encrypted-secret and press Enter.

Deleting a User

Use these commands to delete a specified user from the local database.

The following options are available:

name — name of the user to be deleted

To delete a user from the local database, use the following command:

From the SCE(config)# prompt, type no username name and press Enter.

Configuring AAA Login Authentication

There are two features to be configured for login authentication:

Maximum number of permitted Telnet login attempts

The authentication methods used at login (see General AAA Fallback and Recovery Mechanism.)

The procedures for configuring login authentication are explained in the following sections:

Configuring Maximum Login Attempts

Configuring the Login Authentication Methods

Configuring Maximum Login Attempts

Use this command to set the maximum number of login attempts that will be permitted before the session is terminated. This is relevant only for Telnet sessions. From the local console, the number of re-tries is unlimited.

The following options are available:

number-of-attempts — The maximum number of login attempts that will be permitted before the telnet session is terminated

Default = three

To configure the maximum number of permitted login attempts, use the following command:

From the SCE(config)# prompt, type aaa authentication attempts login number-of-attempts and press Enter.

Configuring the Login Authentication Methods

You can configure "backup" login authentication methods to be used in the event of failure of the primary login authentication method (see General AAA Fallback and Recovery Mechanism).

Use this command to specify which login authentication methods are to be used, and in what order of preference.

The following options are available:

method — the login authentication methods to be used. You may specify up to four different methods, in the order in which they are to be used.

group tacacs+ — Use TACACS+ authentication.

local — Use the local username database for authentication.

enable (default) — Use the "enable" password for authentication

none — Use no authentication.

To configure login authentication methods, use the following command:

From the SCE(config)# prompt, type aaa authentication login default method1 [method2...] and press Enter.

You may list a maximum of four methods; all four methods explained above. List them in the order of priority.

To delete the login authentication methods list, use the following command:

From the SCE(config)# prompt, type no aaa authentication login default and press Enter.

If the login authentication methods list is deleted, the default login authentication method only (enable password) will be used. TACACS+ authentication will not be used.

Configuring AAA Privilege Level Authorization Methods

As with login authentication, you can configure "backup" privilege level authorization methods to be used in the event of failure of the primary privilege level authorization method (see General AAA Fallback and Recovery Mechanism).

Use this command to specify which privilege level authorization methods are to be used, and in what order of preference.,

The following options are available:

method — the privilege level authorization methods to be used. You may specify up to four different methods, in the order in which they are to be used.

group tacacs+ — Use TACACS+ authentication.

local — Use the local username database for authentication.

enable (default) — Use the "enable" password for authentication

none — Use no authentication.

To configure privilege level authorization methods, use the following command:

From the SCE(config)# prompt, type aaa authentication enable default method1 [method2...] and press Enter.

You may list a maximum of four methods; all four methods explained above. List them in the order of priority.

To delete the privilege level authorization methods list, use the following command:

From the SCE(config)# prompt, type no aaa authentication enable default and press Enter.

If the privilege level authorization methods list is deleted, the default login authentication method only (enable password) will be used. TACACS+ authentication will not be used.

Enabling AAA Accounting

If TACACS+ accounting is enabled, the SCE platform sends an accounting message to the TACACS+ server after every command execution. The accounting message is logged in the TACACS+ server for the use of the network administrator.

Use this command to enable or disable TACACS+ accounting.

By default, TACACS+ accounting is disabled.

The following options are available:

level — The privilege level for which to enable the TACACS+ accounting

To enable TACACS+ accounting for a specified privilege level, use the following command:

From the SCE(config)# prompt, type aaa authentication accounting commands level default stop-start group tacacs+ and press Enter.

The start-stop keyword (required) indicates that the accounting message is sent at the beginning and the end (if the command was successfully executed) of the execution of a CLI command.

To disable TACACS+ accounting for a specified privilege level, use the following command:

From the SCE(config)# prompt, type no aaa authentication accounting commands level default and press Enter.

Monitoring TACACS+ Servers

Use these commands to display statistics for the TACACS+ servers.

Note that, although most show commands are accessible to viewer level users, the 'all' option is available only at the admin level. Use the command 'enable 10' to access the admin level.

To display statistics for all TACACS+ servers, use the following command:

From the SCE# prompt, type show tacacs and press Enter.

To display statistics, including keys and timeouts, for all TACACS+ servers, use the following command:

From the SCE# prompt, type show tacacs all and press Enter.

Monitoring TACACS+ Users

Use this command to display the users in the local database, including passwords.

Note that, although most show commands are accessible to viewer level users, this command is available only at the admin level. Use the command 'enable 10' to access the admin level.

To display the users in the local database, use the following command:

From the SCE# prompt, type show users and press Enter.

Configuring Access Control Lists (ACLs)

The SCE platform can be configured with Access Control Lists (ACLs), which are used to permit or deny incoming connections on any of the management interfaces. An access list is an ordered list of entries, each consisting of an IP address and an optional wildcard “mask” defining an IP address range, and a permit/deny field.

The order of the entries in the list is important. The default action of the first entry that matches the connection is used. If no entry in the Access List matches the connection, or if the Access List is empty, the default action is deny.

Configuration of system access is done in two stages:

Creating an access list. (See Adding Entries to an Access List).

Associating the access list with a management interface. (See Defining the Global Access List and Associating an Access List to Telnet Interface.)

Creating an access list is done entry by entry, from the first to the last.

When the system checks for an IP address on an access list, the system checks each line in the access list for the IP address, starting at the first entry and moving towards the last entry. The first match that is detected (that is, the IP address being checked is found within the IP address range defined by the entry) determines the result, according to the permit/deny flag in the matched entry. If no matching entry is found in the access list, access is denied.

You can create up to 99 access lists. Access lists can be associated with system access on the following levels:

Global (IP) level. If a global list is defined using the ip access-class command, when a request comes in, the SCE platform first checks if there is permission for access from that IP address. If not, the SCE does not respond to the request. Configuring the SCE platform to deny a certain IP address would preclude the option of communicating with that address using any IP-based protocol including Telnet, FTP, ICMP and SNMP. The basic IP interface is low-level, blocking the IP packets before they reach the interfaces.

Interface level. Access to each management interface (Telnet, SNMP, etc.) can be restricted to an access list. Interface-level lists are, by definition, a subset of the Global list defined. If access is denied at the global level, the IP will not be allowed to access using one of the interfaces. Once an access list is associated with a specific management interface, that interface checks the access list to find out if there is permission for a specific external IP address trying to access the management interface.

It is possible to configure several management interfaces to the same access list, if this is the desired behavior of the SCE platform.

If no ACL is associated to a management interface or to the global IP level, access is permitted from all IP addresses.

Note

The SCE Platform will respond to ping commands only from IP addresses that are allowed access. Ping from a non-authorized address will not receive a response from the SCE  unit, as ping uses ICMP protocol

The following commands are relevant to access lists:

access-list
access-class number in
ip access-class
no access-list
no ip access-class
show ip access-class

Adding Entries to an Access List

To add an address to an access list allowing access to a particular address, complete the following steps:

To enter the Global Configuration Mode, type configure and press Enter. 

The SCE(config)# prompt appears.

To configure one IP address type:

access-list number permit x.x.x.x and press Enter where x.x.x.x is the IP address. 

To configure more than one IP address type:

access-list number permit x.x.x.x y.y.y.y and press Enter.

This command configures a range of addresses in the format x.x.x.x y.y.y.y where x.x.x.x specifies the prefix bits common to all IP addresses in the range, and y.y.y.y is a wildcard-bits mask specifying the bits that are ignored. In this notation, ‘0’ means bits to ignore.

Example:

The following example adds an entry to the access list number 1, that permits access only to IP addresses in the range of 10.1.1.0–10.1.1.255. 

SCE(config)#access-list 1 permit 10.1.1.0 0.0.0.255

Removing an Access List

To remove an Access List (with all its entries), use the following command:

From the SCE(config)# prompt, type no access-list number permit/deny, and press Enter.

The Access List and all of its entries are removed.

Defining the Global Access List

To define an Access List as the global list for permitting or denying all traffic to the SCE platform, use the following command:

From the SCE(config)# prompt, type ip access-class number, and press Enter.

Telnet Interface

This section discusses the Telnet interface of the SCE platform. A Telnet session is the most common way to connect to the SCE CLI interface.

You can set the following parameters for the Telnet interface:

Enable/disable the interface

Associate an access list to permit or deny incoming connections. (Access lists)

Timeout for Telnet sessions, that is, if there is no activity on the session, how long the SCE platform waits before automatically cutting off the Telnet connection.

The following commands are relevant to Telnet interface:

access-class number in
line vty
[no] access list
[no] service telnetd
[no] timeout
show line vty access-class in
show line vty timeout

Preventing Telnet Access

You can disable access by Telnet altogether.

To disable Telnet access, use the following command:

From the SCE(config)# prompt, type no service telnetd.

Telnet service is no longer allowed on the SCE platform. Current Telnet sessions are not disconnected, but no new Telnet sessions are allowed.

Associating an Access List to Telnet Interface

To restrict the SCE platform management via Telnet to a specific access list, complete the following steps:

From the SCE(config)# prompt, enter the Line Configuration mode by typing line vty 0.

Type access-class access-list-number in (where access-list-number is an index of an existing access list).

The following example associates the access list  number 1 to the Telnet interface.

SCE#configure
SCE (config)#line vty 0
SCE(config-line)#access-class 1 in

Type exit and press Enter.

This returns you to Global Configuration Mode.

Telnet Timeout

The SCE platform supports timeout of inactive Telnet sessions. The default timeout is 30 minutes.

To configure the timeout for a telnet session when the line is idle, use the following command:

From the SCE(config-line)# prompt, type timeout time, where time is the time in minutes.

SSH Server

A shortcoming of the standard telnet protocol is that it transfers password and data over the net unencrypted, thus compromising security. Where security is a concern, using a Secure Shell (SSH) server rather than telnet is recommended.

An SSH server is similar to a telnet server, but it uses cryptographic techniques that allow it to communicate with any SSH client over an insecure network in a manner which ensures the privacy of the communication. CLI commands are executed over SSH in exactly the same manner as over telnet.

The SSH server supports both the SSH-1 and SSH-2 protocols.

An Access Control List (ACL) can be configured for SSH as for any other management protocol, limiting SSH access to a specific set of IP addresses (see Configuring Access Control Lists).

Key Management

Each SSH server should define a set of keys (DSA2, RSA2 and RSA1) to be used when communicating with various clients. The key sets are pairs of public and private keys. The server publishes the public key while keeping the private key in non-volatile memory, never transmitting it to SSH clients. Note that the keys are kept on the tffs0 file system, which means that a person with knowledge of the ‘enable’ password can access both the private and public keys. The SSH server implementation provides protection against eavesdroppers who can monitor the management communication channels of the SCE platform, but it does not provide protection against a user with knowledge of the ‘enable’ password.

Key management is performed by the user via a special CLI command. A set of keys must be generated at least once before enabling the SSH server.

Size of the encryption key is always 2048 bits.

Managing the SSH Server

Use these commands to manage the SSH server. These commands do the following:

Generate an SSH key set

Enable/disable the SSH server

Assign/remove an ACL to the SSH server

Delete existing SSH keys

Remember that you must generate a set of SSH keys before you enable the SSH server.

To generate a set of SSH keys, use the following command:

From the SCE(config)# prompt, type ip ssh key generate and press Enter.

A new SSH key set is generated and immediately saved to non-volatile memory. (Key set is not part of the configuration file). Key size is always 2048 bits.

To enable the SSH server, use the following command:

From the SCE(config)# prompt, type ip ssh and press Enter.

To disable the SSH server, use the following command:

From the SCE(config)# prompt, type no ip ssh and press Enter.

To assign an ACL to the SSH server, use the following command:

From the SCE(config)# prompt, type ip ssh access-class access-list number and press Enter.

The specified ACL is assigned to the SSH server, so that access the SSH server is limited to the IP addresses defined in the ACL.

To remove the ACL assignment from the SSH server, use the following command:

From the SCE(config)# prompt, type no ip ssh access-class and press Enter.

The ACL assignment is removed from the SSH server, so that any IP address may now access the SSH server.

To delete the existing SSH keys, use the following command:

From the SCE(config)# prompt, type ip ssh key remove and press Enter.

The existing SSH key set is removed from non-volatile memory.

If the SSH server is currently enabled, it will continue to run, since it only reads the keys from non-volatile memory when it is started. However, if the startup-configuration specifies that the SSH server is enabled, the SCE platform will not be able to start the SSH server on startup if the keys have been deleted. To avoid this situation, after executing this command, always do one of the following before the SCE platform is restarted (using reload):

Generate a new set of keys.

Disable the SSH server and save the configuration.

Monitoring the Status of the SSH Server

Use this command to monitor the status of the SSH sever, including current SSH sessions.

This command is a Privileged Exec command. Make sure that you are in Privileged Exec command mode by exiting any other modes, and that the SCE# prompt appears in the command line.

To display the SSH server status, use the following command:

From the SCE# prompt, type show ip ssh and press Enter.

SNMP Interface

To enable the SNMP interface, use the snmp-server command. You can also configure any of the SNMP parameters (hosts, communities, contact, location, and trap destination host). When you enable the SNMP agent, these four parameters are filled in with their most recent values before the agent was disabled. To disable the SNMP interface, use the no snmp-server command.

This section guides you through enabling and disabling the SNMP interface. Complete information on SNMP is found in SNMP Configuration and Management.

The following commands are relevant to enabling and disabling the SNMP interface:

[no] snmp-server
[no] snmp-server community
[no] snmp-server contact
[no] snmp-server host
[no] snmp-server location

Enabling SNMP

To enable SNMP by setting a community string, complete the following commands:

To enter the Global Configuration Mode, at the SCE# prompt, type configure and press Enter.

The SCE(config)# prompt appears.

Type snmp-server community community-string, where the community string is a security string that identifies a community of managers that are able to access the SNMP server.

You must define at least one community string in order to allow SNMP access. For complete information on community strings see Configuring SNMP Community Strings.

Disabling SNMP

To disable SNMP access, use the following command:

From the SCE(config)# prompt, type no snmp-server.

SNMP Configuration and Management

The SCE platform operating system includes a Simple Network Management Protocol (SNMP) agent that supports the following:

RFC 1213 standard (MIB-II)

RFC 2737 standard (ENTITY-MIB version 2)

pcube enterprise MIBs

This section explains how to configure the SNMP agent parameters. It also provides a brief overview of SNMP notifications and the supported MIBs, and explains the order in which the MIB must be loaded.

Note

Throughout this manual, the terms SNMP server and SNMP agent are used interchangeably, as equivalents.

SNMP Protocol

SNMP (Simple Network Management Protocol) is a set of protocols for managing complex networks. SNMP works by sending messages, called protocol data units (PDUs), to different parts of a network. SNMP-compliant devices, called agents, store data about themselves in Management Information Bases (MIBs) and return this data to the SNMP requesters.

SCE platform supports the original SNMP protocol (also known as SNMPv1), and a newer version called Community-based SNMPv2 (also known as SNMPv2C). 

SNMPv1 — is the first version of the Simple Network Management Protocol, as defined in RFCs 1155 and 1157, and is a full Internet standard. SNMPv1 uses a community-based form of security.

SNMPv2c — is the revised protocol, which includes improvements to SNMPv1 in the areas of protocol packet types, transport mappings, and MIB structure elements but using the existing SNMPv1 administration structure. It is defined in RFC 1901, RFC 1905, and RFC 1906.

SCE platform implementation of SNMP supports all MIB II variables, as described in RFC 1213, and defines the SNMP traps using the guidelines described in RFC 1215.

The SNMPv1 and SNMPv2C specifications define the following basic operations that are supported by SCE platform:

Table 5.2. Request Types

Configuration via SNMP

SCE platform supports a limited set of variables that may be configured via SNMP (read-write variables). Setting a variable via SNMP (as via the CLI) takes effect immediately and affects only the running-configuration. To make this configuration stored for next reboots (startup-configuration) the user must specify it explicitly via CLI or via SNMP using the Cisco enterprise MIB objects (see the figure in Cisco Enterprise MIB).

It should be noted also that the SCE platform takes the approach of a single configuration database with multiple interfaces that may change this database. Therefore, activating the copy running-config startup-config command via CLI or SNMP makes permanent all the changes made by either SNMP or CLI.

Security Considerations

By default, the SNMP agent is disabled for both read and write operations. When enabled, SNMP is supported over the management port only (in-band management is not supported).

In addition, the SCE platform supports the option to configure community of managers for read-write accessibility or for read-only accessibility. Furthermore, an ACL (Access List) may be associated with a community to allow SNMP management to a restricted set of managers IP addresses.

SNMP Community Strings

An SNMP community string is a text string that acts like a password to permit access to the agent on the SCE platform. The community string is used to authenticate messages that are sent between the management station (the SNMP manager) and the device (the SNMP agent). The community string is included in every message transmitted between the SNMP manager and the SNMP agent.

Configuring SNMP Community Strings

In order to enable SNMP management, you must configure SNMP community strings to define the relationship between the SNMP manager and the agent.

After receiving an SNMP request, the SNMP agent compares the community string in the request to the community strings that are configured for the agent. The requests are valid under the following circumstances: 

SNMP Get, Get-next, and Get-bulk requests are valid if the community string in the request matches the read-only community. 

SNMP Get, Get-next, Get-bulk and Set requests are valid if the community string in the request matches the agent’s read-write community.

You may specify the following characteristics associated with the community string:

An access list of IP addresses of the SNMP managers permitted to use the community string to gain access to the agent

Read-write or read-only accessibility for the community.

Note

If no access list is configured, all IP addresses can access the agent using the defined community string. For more information about Access Lists, see Configuring Access Control Lists (ACLs)

Note

When defining a community if it is not specified explicitly, the default accessibility is read-only.

The following describes how to configure a community string, as well as how to remove a community string.

To configure a community string:

At the SCE(config)# prompt, type snmp-server community community-string [ro|rw] [acl-number], and press Enter.

The SCE(config)# prompt appears.

If needed, repeat steps 1 to configure additional community strings.

Example:

The following example shows how to configure a community string called “mycommunity” with read-only rights and access list number “1”.

SCE(config)#snmp-server community mycommunity 1

Note

ACL-number is an index to an access list. For further information about access lists, see Configuring Access Control Lists (ACLs)

To remove a community string, use the following command:

At the SCE(config)# prompt, type no snmp-server community community-string, and press Enter.

The community string is removed.

Example:

The following example displays how to remove a community string called “mycommunity”.

SCE(config)#no snmp-server community mycommunity

To display the configured communities, use the following command:

At the SCE# prompt, type show snmp community and press Enter.

The configured SNMP communities appear.

Example:

The following example shows the SNMP communities.

SCE#show snmp community
Community: public, Access Authorization: RO, Access List Index: 1

Notifications

Notifications are unsolicited messages that are generated by the SNMP agent that resides inside the SCE platform when an event occurs. When the Network Management System receives the notification message, it can take suitable actions, such as logging the occurrence or ignoring the signal.

Configuring Notifications

By default, the SCE platform is not configured to send any SNMP notifications. You must define the Network Management System to which the SCE platform should send notifications. (See the table below, Configurable Notifications, for a list of configurable notifications). Whenever one of the events that trigger notifications occurs in the SCE platform, an SNMP notification is sent from the SCE platform to the list of IP addresses that you define.

SCE platform supports two general categories of notifications:

Standard SNMP notifications — As defined in RFC1157 and using the conventions defined in RFC1215.

Proprietary SCE enterprise notifications — As defined in the SCE proprietary MIB (see Notification Types).

After a host or hosts are configured to receive notifications, by default, the SCE platform sends to the host or hosts all the notifications supported by the SCE platform except for the AuthenticationFailure notification. The SCE platform provides the option to enable or disable the sending of this notification, as well as some of the SCE enterprise notifications, explicitly.

SCE platform can be configured to generate either SNMPv1 style or SNMPv2c style notifications. By default, the SCE platforms sends SNMPv1 notifications.

Following are some sample procedures illustrating how to do the following:

Configure hosts (NMS) to which the SNMP agent should send notifications

Enable the SNMP agent to send authentication-failure notifications

Reset all notifications to the default setting

Remove/disable a host (NMS) from receiving notifications

To configure the SCE platform to send notifications to a host (NMS), use the following command:

At the SCE(config)# prompt, type snmp-server host IP-address community-string, and press Enter.

Example:

The following example shows how to configure the SCE platform to send SNMPv1 notifications to several hosts.

SCE(config)#snmp-server host 10.10.10.10 mycommunity
SCE(config)#snmp-server host 20.20.20.20 mycommunity
SCE(config)#snmp-server host 30.30.30.30 mycommunity
SCE(config)#snmp-server host 40.40.40.40 mycommunity